RB2011 dual LAN routing?

I’m trying to figure out to create 2 eth groups, then route NAT’ed traffic from them to eth1, which is a static IP, so here’s a diagram:

Confession: I’ve been working with Juniper boxes, which are very different, so I’m trying to figure out the Mikrotik way of doing this.

Should I create a new bridge, or should I use the default bridge-local?

I tried making ether3 master ether2 and then ether5 master ether4, is that where I should start?

How would I define NAT from p2-3 192.168.10.0/20 to ether1 10.1.10.1/24? I could use VLANs for p2-3 and p4-5, but how would they route out ether1?

Ether2-3 needs a DHCP server as well, which I might be able to get working once I get the other routing working?

The easiest way to group the two sets of ports would be to create two bridges. Then add the two ports to the appropriate bridge. The bridge is now the Master Interface, so when adding IPs (or anything else like the DHCP servers) add them to the bridge interfaces.
Some people prefer using the switching capabilities of the routers instead of bridging like this, but it will work either way. If you switch them, just use the Master Port as the Master Interface as described above.

As far as the NAT goes, I’m not really clear on what you are trying to do. Are you trying to masquerade the traffic? If that is the case create rule in IP->Firewall->NAT that says:

add action=masquerade chain=srcnat comment=“default configuration” out-interface=Ether1

You can create two separate rules with the appropriate subnets in the src-address field if you prefer.

Okay, thanks @ssofet, will try it in a bit.

In switching vs. bridging, which would result in the most throughput, or would they both be similar capacity?

Yes, I want to masquerade outbound packets to eth0, er, 0/0, er, WAN, er ether1 I guess in Mikrotik world

For outbound traffic ether2-3 → ether1, would I need NAT/policy/whatever for each port group (2-3, 4-5) with a destination interface of ether1 (or its upstream gateway), or how would p2-3 outbound traffic know where to go next?

Would ether1 still need to be a member if bridge-local, or should I remove it?

I think I tried to remove ether2 from bridge-local like (from memory)

/interface bridge remove bridge=bridge-local interface=ether2

but I think I have the syntax wrong.

.

That’s debatable, but if you are not maxing out the router, which you really don’t want to do anyway, then no, it really doesn’t matter. With a Cisco or Juniper device, of course you would use the switching features. In this application it is 6 one way and half a dozen the other.

No, you do not need a NAT policy for each port group/ sunbet unless you specify which subnet to NAT. If you add the subnet in the src-address of the rule, then you will need one for each. The rule I posted earlier will NAT all traffic. The port groups are going to know where to go based on the routing table and if you have a default gateway that equals ether1 then the NAT rule with the out-interface of ether1 will compliment it.

No, ether1 should not be in any bridge group. It should have it own IP address.

Use this command to remove the port:
/interface bridge port print
Identify which number or port is assigned to and then:
/interface bridge port remove numbers=X

okay, I got the bridges set up and interfaces assigned to them:

bridge1: 10.0, assigned ports 2-3

bridge2: 5.0, assigned ports 4-5

then added my subnets to those bridges

bridge: 10.0, assigned 192.168.10.0/20

bridge: 5.0, assigned 192.168.5.0/24

so thanks, that helped

But tried to modify the default NAT firewall rule:

chain: srcnat
out. interface: ether1-gateway
action: masquerade

(since it didn’t look like I could ping 10.1.10.1/24 while plugged into ether2/bridge10.0) so I tried changing my default NAT rule to

chain: srcnat
out. interface: ether1-gateway
in. bridge port: 10.0
action: masquerade

and got an error: ingoing interface matching not possible in output and postrouting chains. what am I doing wrong? Do I still need a Filter Rule?

You also should create a default static route for your traffic
You have configured 192.168.10.0/20 and 192.168.5.0/24.
If you want to reach anything else but those two networks, there need to be a route for those other networks.
I also doubt you have your subnet of your 10.0 network correct, is it really /20?

@Rudios: thanks, will add that. I actually do need a /20, this project is part of a project to re-subnet a production /24 that ran out IP’s a couple years before I thought it would, hence the /20, that should carry us until I get the next staging router (catalyst 4500) up and running, then we’ll plan a staging/failover. In the meantime I want to see how the Mikrotik boxes hold up under heavy load while I’m planning ways to phase out the upstream Juniper gear, which is also starting to max out, hence the whole planning on this. If the Mikrotiks are solid, we’ll plan on rolling them out as customer units for this ISP, so we’re also becoming familiar with how they work, and the nuances of really running them.

So you’re really using a 192.168.10.0/20 subnet. That actually means you are using subnet 192.168.0.0/20, reaching from 192.168.0.1 - 192.168.15.254.
This automatically implies that it includes the 192.168.5.0/24 subnet and I do not know how this is handled by the RouterBoard.
For better understanding, could you share your config with us?

@Rudios: thanks for pointing out my insanity I have now changed my subnet to 192.168.16.0/20 and my bridge for ports 2-3 to name 16.0 to avoid problems.

I added a route of 192.168.16.0/20 to 10.1.10.1 (my upstream router) and now I can ping 10.1.10.1 (and others on that upstream subnet) from ports 2-3 from a client IP of 192.168.16.33/20, so thanks for the help there too. For some reason, although I can ping 10.1.10.1 upstream (perimeter FW), it won’t pass traffic to the public Internet, i.e. if I try to:

ping 8.8.8.8

Is this likely a problem with the Mikrotik config, or do I need to add something on my upstream router? Here’s my config (I haven’t reconfigured DHCP yet):

# jan/06/1970 19:01:21 by RouterOS 6.1
# software id = LHKX-UG23
#
/interface bridge
add name=5.0
add l2mtu=1598 name=16.0
add admin-mac=D4:CA:6D:0A:A4:CB auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface ethernet
set 0 name=ether1-gateway
set 5 name=ether6-master-local
set 6 master-port=ether6-master-local name=ether7-slave-local
set 7 master-port=ether6-master-local name=ether8-slave-local
set 8 master-port=ether6-master-local name=ether9-slave-local
set 9 master-port=ether6-master-local name=ether10-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/port
set 1 name=serial0
/interface bridge port
add bridge=bridge-local interface=ether6-master-local
add bridge=16.0 interface=ether2
add bridge=16.0 interface=ether3
add bridge=5.0 interface=ether4
add bridge=5.0 interface=ether5
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.88.0
add address=192.168.16.1/20 comment="16.0 /20 network" interface=16.0 \
    network=192.168.16.0
add address=192.168.5.1/24 comment="legacy 192.168.5.0/24 network" \
    interface=5.0 network=192.168.5.0
add address=10.1.10.20/24 comment="upstream juniper perimeter firewall/router" \
    interface=ether1-gateway network=10.1.10.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,hostname,clientid \
    interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway src-address=192.168.16.0/20
/ip route
add distance=1 dst-address=192.168.16.0/20 gateway=10.1.10.1
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=bridge-local

Okay, I got it

I didn’t have a default route for 0.0.0.0/0 to point to my upstream gateway, so I did:

/ip route add dst-address=0.0.0.0/0 gateway=10.1.10.1

Thanks you @Rudios and @ssofet, you guys have been a great source of help! I bumped both of your Karma’s for the help

Your more than welcome and thank you for the karma!