Route VLAN traffic to another LAN

Hi,

I am using a Mikrotik RB2011UiAS-2HnD-IN as the central DHCP server for a wireless network. The wireless equipment is Ruckus.

I am trying to achieve the following setup and need help with it. There are 2 VLANs (10, 20), and they should be able to see each other. The SSIDs on the Ruckus AP are set up accordingly. Here is the info:

SSID1 (VLAN 10) - 172.16.10.0/24
SSID2 (VLAN 20) - 172.16.20.0/24

For these DHCP networks, the gateway is 172.16.10.1, 172.16.20.1 respectively.

So far this is working well. But now there is an extra requirement: all VLAN 20 traffic must go through an external network. The objective is that all VLAN 20 traffic, including internet traffic, goes to another WAN that is reached via this external LAN. Other VLANs will go through ether-1 by default.

The external LAN is plugged into ether-4. It is not a Mikrotik and I have no visibility into its settings or equipment. The customer has given me the following IP details:

Gateway: 192.168.0.253
Given IP: 192.168.0.244

So currently, my plan is to set ether-4 with the IP above and set its master port to none, then mark the packets in mangle and route all traffic from 172.16.20.0/24 to 192.168.1.252. I did some tests and it seems to work, however it sometimes feels slow. Am I doing this right? I have also read that mangle may cause performance to drop. We are expecting about 600 users at peak periods.

Below is my configuration:

# Tagged sub-interfaces for the two wireless VLANs; both ride on ether2,
# the port that carries the trunk toward the Ruckus APs.
/interface vlan
add name=VLAN10 vlan-id=10 interface=ether2 l2mtu=1594
add name=VLAN20 vlan-id=20 interface=ether2 l2mtu=1594
# Address pools handed out by the three DHCP servers below.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=172.16.10.2-172.16.10.254
add name=dhcp_pool2 ranges=172.16.20.2-172.16.20.254
# One DHCP server per layer-3 interface. Only the bridge server sets an
# explicit lease-time; the two VLAN servers run with the default.
/ip dhcp-server
add name=default interface=bridge-local address-pool=default-dhcp \
    lease-time=10m disabled=no
add name=dhcp1 interface=VLAN10 address-pool=dhcp_pool1 disabled=no
add name=dhcp2 interface=VLAN20 address-pool=dhcp_pool2 disabled=no
/port
set 0 name=serial0
# Bridge membership. ether4 is a member but disabled, because it is the
# routed uplink to the external LAN and must not be bridged with the LAN
# ports. VLAN10/VLAN20 are likewise disabled here so they stay routed
# (they carry the 172.16.x.1 gateway addresses) instead of being bridged.
/interface bridge port
add interface=ether2 bridge=bridge-local
add interface=ether3 bridge=bridge-local
add interface=ether4 bridge=bridge-local disabled=yes
add interface=ether5 bridge=bridge-local
add interface=ether6-master-local bridge=bridge-local
add interface=sfp1 bridge=bridge-local
add interface=wlan1 bridge=bridge-local
add interface=VLAN10 bridge=bridge-local disabled=yes
add interface=VLAN20 bridge=bridge-local disabled=yes
/ip address
add interface=bridge-local address=192.168.88.1/24 network=192.168.88.0 \
    comment="default configuration"
add interface=VLAN10 address=172.16.10.1/24 network=172.16.10.0
add interface=VLAN20 address=172.16.20.1/24 network=172.16.20.0
# Host address on the customer's external LAN. A /32 with network= pointed
# at the gateway makes 192.168.0.253 look directly connected on ether4
# without knowing the real subnet mask of that network.
# NOTE(review): if the customer's mask is known (e.g. /24), the conventional
# form is a normal prefix such as 192.168.0.244/24 with network=192.168.0.0
# -- confirm with the customer before changing.
add interface=ether4 address=192.168.0.244/32 network=192.168.0.253
# Primary WAN: address (and presumably the main-table default route) come
# from the upstream DHCP server on ether1-gateway.
/ip dhcp-client
add interface=ether1-gateway dhcp-options=hostname,clientid disabled=no \
    comment="default configuration"
# Per-subnet DHCP options. Each VLAN advertises its own gateway address as
# the DNS server, i.e. clients resolve through this router.
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1 dns-server=172.16.10.1
add address=172.16.20.0/24 gateway=172.16.20.1 dns-server=172.16.20.1 \
    netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 \
    comment="default configuration"
# The router forwards client queries to the public resolvers below.
# allow-remote-requests=yes answers DNS arriving on *any* interface, so the
# firewall input chain is what keeps untrusted ports (ether1, ether4) out.
# NOTE(review): the router's own upstream lookups are locally originated and
# are not covered by the prerouting mangle mark, so VLAN 20 name resolution
# presumably still leaves via the main-table default route, not the
# external LAN -- verify this is acceptable for the requirement.
/ip dns
set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
/ip dns static
add name=router address=192.168.88.1
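/ip firewall filter
# --- input: traffic addressed to the router itself ---
# (action=accept is the RouterOS default and is spelled out for clarity)
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established \
    comment="default configuration"
add chain=input action=accept connection-state=related \
    comment="default configuration"
add chain=input action=drop in-interface=ether1-gateway \
    comment="default configuration"
# ether4 now faces the customer's network, over which we have no control or
# visibility. Treat it exactly like the primary WAN: nothing may open new
# connections to the router (DNS, Winbox, API, SSH...) from that side.
# Replies to our own connections still pass via the established/related
# accepts above.
add chain=input action=drop in-interface=ether4 \
    comment="Untrusted external LAN: no new connections to router"
# --- forward: traffic routed through the router ---
add chain=forward action=accept connection-state=established \
    comment="default configuration"
add chain=forward action=accept connection-state=related \
    comment="default configuration"
add chain=forward action=drop connection-state=invalid \
    comment="Drop invalid state"
# Same WAN treatment for transit traffic: hosts on the external LAN must not
# be able to initiate connections into VLAN 10/20 or 192.168.88.0/24.
# If the customer network legitimately needs to reach something inside,
# add a specific accept rule above this one.
add chain=forward action=drop in-interface=ether4 connection-state=new \
    comment="Untrusted external LAN: no new connections inbound"
# Safety net: VLAN 20 must never leak out over the primary WAN, even if the
# wan2 routing mark is missing or the external gateway is down.
# log=yes was dropped here: at ~600 users a log line per dropped packet is
# itself a CPU and flash-wear problem; re-enable it briefly only when
# debugging.
add chain=forward action=drop out-interface=ether1-gateway \
    src-address=172.16.20.0/24 comment="Prevent VLAN 20 from using WAN"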
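# Destinations that must keep using the main routing table even when the
# source is VLAN 20. Without this exclusion the 0.0.0.0/0 route in table
# wan2 below catches VLAN 20 -> VLAN 10 (and -> 192.168.88.0/24) traffic and
# hands it to the customer's gateway, which breaks the requirement that the
# two VLANs can see each other.
/ip firewall address-list
add list=local-nets address=172.16.10.0/24 comment="VLAN 10"
add list=local-nets address=172.16.20.0/24 comment="VLAN 20"
add list=local-nets address=192.168.88.0/24 comment="bridge-local"
/ip firewall mangle
# A single prerouting rule is the cheap way to do this; the per-packet cost
# of one src-address match is negligible compared to the log=yes rule that
# was in the filter chain. dst-address-type=!local keeps packets addressed
# to the router itself (DHCP/DNS on 172.16.20.1) out of table wan2, and
# passthrough=no stops further mangle evaluation once the mark is set.
add chain=prerouting action=mark-routing new-routing-mark=wan2 \
    passthrough=no src-address=172.16.20.0/24 dst-address-type=!local \
    dst-address-list=!local-nets comment="VLAN 20 -> external LAN"
/ip firewall nat
# Source NAT on both exits: VLAN 20 traffic leaving via ether4 is hidden
# behind the customer-assigned 192.168.0.244.
add chain=srcnat action=masquerade out-interface=ether1-gateway \
    comment="default configuration"
add chain=srcnat action=masquerade out-interface=ether4 \
    comment="default configuration"
/ip route
# Table wan2 holds only this default route. In RouterOS v6 a lookup that
# misses in a marked table falls back to the main table, which is why the
# exclusions above (rather than extra routes here) carry the local subnets.
# NOTE(review): check-gateway=ping is deliberately not set -- with the
# filter rule that drops VLAN 20 on ether1-gateway, a dead external gateway
# means VLAN 20 loses connectivity rather than silently failing over; decide
# which behaviour the customer wants before adding it.
add dst-address=0.0.0.0/0 gateway=192.168.0.253 distance=1 \
    routing-mark=wan2 comment="VLAN 20 default route via external LAN"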
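/ip upnp
set allow-disable-external-interface=no
# Display-only: which ports the front-panel LCD shows.
/lcd interface pages
set 0 interfaces=sfp1,ether1-gateway,ether2,ether3,ether4
# MAC-telnet and MAC-Winbox are layer-2 management paths that are not
# subject to the IP firewall input chain; the interface list here is the
# only thing that limits them. ether4 now faces the customer's network, so
# it is removed from both lists (matching ether1-gateway, which was never
# listed). Everything else is kept exactly as exported.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local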