I’m a new user of RouterOS (ROS 6.40.6 on CRS-112-8G-4S-IN with QCA8511 chip). After reading docs, examples and forum posts for some days I still struggle with part of my desired configuration, and hope to find help here.
What I wish to achieve is this:
Ports ether2 and ether4 to be trunk ports for VLANs 10 and 20 (192.168.10.0/24 and 192.168.20.0/24). A Linux host is attached to each port. On those hosts I use Linux networking to strip the VLAN-ID, providing one VNIC per VLAN.
VLAN20 is for communication between these two Linux hosts (and additional ones in the future). This part I have configured successfully; the Linux hosts can ping each other on VLAN20.
VLAN10 is to provide internet access to the Linux hosts, and also to provide them an IP address that can receive incoming connections. This is what I struggle with achieving.
Port ether1 is connected to our office network, and can be reached from there at 192.168.0.177. This is the address on which I connect to ROS for configuration.
My question is regarding VLAN10. How can I set-up srd/dst-NAT in such a way, that the Linux hosts can establish connections to the outside, and also be reachable for incoming connections from our office network?
Below I paste output of the /export command. Thank you very much in advance for taking the time to help me
-gerret
# jan/16/2019 09:36:33 by RouterOS 6.40.6
# software id = E54T-4FHN
#
# model = CRS112-8G-4S
# serial number = 94DB074A5535
/interface bridge
add name=bridge10
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
set [ find default-name=ether3 ] master-port=ether1-master
set [ find default-name=ether5 ] master-port=ether1-master
set [ find default-name=ether6 ] master-port=ether1-master
set [ find default-name=ether7 ] master-port=ether1-master
set [ find default-name=ether8 ] master-port=ether1-master
set [ find default-name=sfp9 ] master-port=ether1-master
set [ find default-name=sfp10 ] master-port=ether1-master
set [ find default-name=sfp11 ] master-port=ether1-master
set [ find default-name=sfp12 ] master-port=ether1-master
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge10 interface=ether2
add bridge=bridge10 interface=ether4
/interface bridge settings
set use-ip-firewall=yes
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,ether4 vlan-id=20
add tagged-ports=ether2,ether4 vlan-id=10
/interface ethernet switch vlan
add ports=ether2,ether4 vlan-id=10
add ports=ether2,ether4 vlan-id=20
/ip address
add address=192.168.0.171/24 comment=defconf interface=ether1-master network=192.168.0.0
add address=192.168.10.1/24 interface=ether4 network=192.168.10.0
/ip route
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=Europe/Prague
Seems a tad complicated and a diagram would help but are you saying each linux computer/device has two ethernet cards and two ethernet jacks for traffic?
By the way, have you ensured you have the latest version of firmware?
Upgrade your CRS to latest long-term version, which is 6.42.11 at time of writing this. The upgrade affects tge way things are setup, so do it before we get into details.
Another thing to note: CRS has a relatively weak CPU and routed speeds (i.e. to and from internet as well as inter-VLAN) won’t be great. It is a switch with a tad of routing, it’s not a router with built-in switch.
And a question about linux servers: am I right assuming each server has single physical connection to CRS, but you use eth0.10 and eth0.20 interfaces to work with VLANs?
A side question: if all linux servers have connectivity in both VLAN 10 and 20, why do you have two VLANs?
After you upgrade your CRS to 6.42.11, your config will look like a small mess (you’ll hopefully end up with two bridges, but upgrade script has some problems here and there). But ideally the end configutration should look something like this:
/interface bridge
add name=bridge
/interface ethernet
# nothing here, there's no master/slave concept any more and we're not changing any names
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether2,ether4
/interface bridge port
# note that ether1 is not part of the bridge, traffic towards office will be routed
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=sfp9
add bridge=bridge interface=sfp10
add bridge=bridge interface=sfp11
add bridge=bridge interface=sfp12
# add switch1-cpu "port" to VLAN list for any VLAN which should touch CPU (i.e. CRS has IP address in it)
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,ether4,switch1-cpu vlan-id=20
add tagged-ports=ether2,ether4 vlan-id=10
/interface ethernet switch vlan
add ports=ether2,ether4 vlan-id=10
add ports=ether2,ether4,switch1-cpu vlan-id=20
/interface vlan
add interface=bridge name=vlan-20 vlan-id=20
/interface list
add comment="office LAN" name=officeLAN
add comment="linux public LAN" name=linuxPublic
/interface list member
add interface=ether1 list=officeLAN
add interface=vlan-20 list=linuxPublic
/ip address
add address=192.168.0.171/24 interface=ether1 network=192.168.0.0
add address=192.168.20.1/24 interface=vlan-20 network=192.168.20.0
/ip route
add distance=1 gateway=192.168.0.1
# Now NAT functionality
/ip firewall nat
# outgoing for linux servers
add action=src-nat chain=srcnat comment="NAT outgoing traffic" to-addresses=192.168.0.171 out-interface-list=officeLAN
# incoming for particular services
add action=dst-nat chain=dstnat comment="HTTPS goes to server1" in-interface-list=officeLAN dst-port=443 protocol=tcp to-addresses=192.168.20.10
add action=dst-nat chain=dstnat comment="SSH standard port goes to server2" in-interface-list=officeLAN dst-port=22 protocol=tcp to-addresses=192.168.20.20
add action=dst-nat chain=dstnat comment="SSH non-standard port goes to server1" in-interface-list=officeLAN dst-port=2222 protocol=tcp to-addresses=192.168.20.20 to-ports=22
# etc., etc., etc.
#
# Add firewall. At least this should be here
#
/ip firewall filter
add action=fasttrack-connection chain=forward comment="fast-track all regular traffic" connection-state=established,related
add action=accept chain=forward comment="accept all regular traffic" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# This router should not be used as simple router between officeLAN and linuxPublic ... it could be if some officeLAN user set static route for linuxPublic subnet
add action=drop chain=forward comment="drop all from officeLAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=officeLAN
#
# Perhaps you'd like to allow administration of CRS only from linux servers?
#
add action=accept chain=input comment="accept connections from linuxPublic" in-interface-list=linuxPublic
add action=drop chain=input comment="drop all other connections targeting CRS not accepted before (use as last rule in chain=input)"
#
# Add some more rules to defend CRS from evil linuxPublic users ...
But, as @sebastia hinted, you could get rid of NATing if you could configure main officeLAN router to route towards 192.168.20.0/24 using CRS as gateway … in that case everything past # Now NAT functionality in config example above would have to be skipped.
Here are a few notes, and clarification of my objective before I go home. Then tomorrow I will try to apply your advice and report how it went.
I had upgraded to ROS 6.43.8 (latest Stable from Download page) before reading the advice to upgrade to 6.42.11 (latest Long-Term). So I’ll stick with Stable, unless there’s a strong reason to use Long-Term instead.
I am configuring this device as part of an OpenStack POC where we have very limited hardware resources. The Linux boxes have only one NIC each, therefore I hook them up to a trunk port on the switch, and let Linux networking provide me with VNICs eth0.10 and eth0.20, one for each subnet.
I want to provide multiple VLANs/VNICs on the Linux hosts in order to create a realistic OpenStack practise-ground. A performant OpenStack cluster would operate with multiple networks, e.g. access net, node-communication-net, and data net. I have only one NIC per box, but want to practise cofiguring the OpenStack services as though I had multiple physical networks. So this is not for production and optimized performance, but for practise.
As for routing vs NAT, I’m not sure if that will be possible here, but will check and come back on this.
this morning I reset the router and applied the configuration suggestion from @mkx. TCP connections between hosts on 192.168.10.0/24 and 192.168.20.0/24 networks continue to work fine.
The src-nat doesn’t yet work as expected. The linux hosts on VLAN-20 (e.g. 192.168.20.3) cannot connect to external hosts (ping to 192.168.0.1 or 8.8.8.8 time out). However, I can ping the gateway 192.168.20.1 from the linux host. I suspect that I have made a mistake most likely in the mikrotik setup, or with the host setup. I could not spot what is wrong this morning and so, I’d be very grateful for another round of assistance
I paste relevant configurations below:
/export from mikrotik
/ping 192.168.0.1 from mikrotik
“ip r” output from host
@sebastian: yes for the purposes of this POC, performance is not the #1 consideration, but of course I’d rather set it up in the most performant way possible with the HW and environmental constraints. To be honest I don’t fully understand the networking environment at this office, so for now I’ll go for NATting, and hope to change it later.
default via 192.168.20.1 dev enp7s0.20
192.168.10.0/24 dev enp7s0.10 proto kernel scope link src 192.168.10.3
192.168.20.0/24 dev enp7s0.20 proto kernel scope link src 192.168.20.3
