RB2011 behind U-Verse Gateway

Hello,

Thank you in advance for any help!

I am brand new to RouterOS, but not to networking (Cisco and Juniper). I have a friend who needs help setting up his new RB2011 behind his U-Verse router. He wants 2 VLANs: 1 for wifi and one for a wired LAN. These two VLANs should be able to communicate with one another. The Wifi VLAN should also be able to communicate with the outside world, but the wired-LAN VLAN should not.


Here is what I was thinking:

create the VLANs
create separate subnets for each VLAN.
create SVI for each VLAN w/in respective subnet.
Move wifi into VLAN-wifi
set up the RouterOS equivalent of an ACL denying outbound traffic for the wired-LAN.

Thanks again.

You want communication between the wlan and lan to be routed (separate subnets on each) or bridged?

Also, are the vlans supposed to be trunked to the U-Verse router? Why not just do with routing and not use vlans at all?

I suppose that I want wlan and lan to have separate subnets and for them to be routed. And, if you believe just routing is a more viable option than using VLANs I am interested.

My vision was to utilize the Mikrotik as a l3 switch (if it even has that capability) and route to the U-verse gateway while blocking outbound communication on the LAN subnet.

But like I said, if routing is the way to go a point in the right direction would be sincerely appreciated.

Thanks.

Simply add the correct addresses and their subnets and insert a default route into the routing table. Configure the wlan and lan ports however you like and you are done.

Do not forget to add the routes to the U-Verse router as well, or it will not work. Before you do any of this, make sure your Mikrotik has no config on it. Use “system reset-configuration no-defaults=yes”

“/ip address add address=x.x.x.x/xx interface=wlan1” for wlan
“/ip address add address=x.x.y.y/xx interface=ether1” for lan
“/ip address add address=x.x.z.z/xx interface=ether6” for the connection with the U-Verse; it's an address in its subnet

“/ip route add gateway=x.x.x.x” default route with GW as the U-Verse

“/ip firewall filter add chain=forward in-interface=ether1 out-interface=ether6 action=drop”
block communication from LAN port to U-Verse port, effectively denying internet. Lan → wlan will still work.
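
The steps from the answer above collected into one RouterOS configuration, as an added example that is not part of the original posts. The interface names are the ones used in the thread; all IP addresses, the gateway address, the comments and the log prefix are constructed placeholders to replace with real values.

```routeros
# Added example with constructed values (not from the thread):
#   wlan1  192.168.10.1/24   wireless clients
#   ether1 192.168.20.1/24   wired LAN
#   ether6 192.168.1.2/24    uplink; U-Verse gateway assumed at 192.168.1.254

/ip address
add address=192.168.10.1/24 interface=wlan1 comment="wlan"
add address=192.168.20.1/24 interface=ether1 comment="lan"
add address=192.168.1.2/24 interface=ether6 comment="uplink to U-Verse"

# Default route via the U-Verse gateway.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.254

# Filter rules need an explicit chain; routed traffic crosses "forward".
# log=yes records each dropped packet so the block can be confirmed.
/ip firewall filter
add chain=forward in-interface=ether1 out-interface=ether6 action=drop \
    log=yes log-prefix="LAN-OUT" comment="lan: no internet"

# No NAT is configured here, so the U-Verse needs static routes back:
#   192.168.10.0/24 via 192.168.1.2
#   192.168.20.0/24 via 192.168.1.2

# Verify after generating traffic from a wired host:
/ip firewall filter print stats
/log print where message~"LAN-OUT"
```

The drop rule matches on interfaces only, so wired hosts can still reach wlan1 clients and the router itself; the rule's packet counter should rise only when a wired host tries to send traffic out ether6.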

This looks perfect. Thank you so much kind sir!