Router on a Stick

Hi,

I’ve brought a Mikrotik Router hEX PoE.

The „First-Step-Configuration“ ist pretty easy to handle.

But I need some help for a VLAN Configuration.

What I want to achieve is a „Router-On-A-Stick“ configuration. Means multiple VLAN on one Port with different DHCP Server /Subnets.
I’ve already configured multiple VLANs (ID 10,20) on ether2 (DHCP not configured yet). With Static IPs it worked fine, but I can’t reach the Internet.

Any clues?

Hey. What address space in a LAN network are you using for Internet access? Private ones with NAT function or global ones?

Most likely the additional networks are not having NAT performed before heading for the ‘WAN’ interface, post the output of /export hide-sensitive after sanitising any public IPs, etc.

Hi,

thanks for the fast reply.

the WAN side gets a 192.168.7.0/24 IP. (NAT) The MikroTik ROuter ist connected to the internet (with the default ports).

Do i need to configure NAT for the VLAN Interfaces? If so, how?

Thanks in advance…

[admin@MikroTik] > export hide-sensitive  
# sep/13/2019 07:57:24 by RouterOS 6.42.12
# software id = 04BT-G76C
#
# model = 960PGS
# serial number = AD8C0AFFD041
/interface bridge
add admin-mac=74:4D:28:AA:C8:04 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether2 name=VLAN10 vlan-id=10
add interface=ether2 name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.99.200-192.168.99.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.99.1/24 comment=defconf interface=ether2 network=192.168.99.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.99.0/24 comment=defconf gateway=192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.99.1 name=router.lan
add address=8.8.8.8 name=google
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Your L2 VLAN setup is very far from complete (and what’s done is wrong). I suggest you to read through this nice tutorial. After you’re done and still have problems, come back with questions.

Hi all,

it works!

/interface bridge
add admin-mac=74:4D:28:AA:C8:04 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether2 name=VLAN10 vlan-id=10
add interface=ether2 name=VLAN20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.99.200-192.168.99.254
add name=POOL10 ranges=192.168.10.100-192.168.10.200
add name=POOL20 ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=POOL10 disabled=no interface=VLAN10 name=DHCP10
add address-pool=POOL20 disabled=no interface=VLAN20 name=DHCP20
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.99.1/24 comment=defconf interface=ether2 network=192.168.99.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.99.0/24 comment=defconf gateway=192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.99.1 name=router.lan
add address=8.8.8.8 name=google
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I’ve added DHCP on the VLANs and turned NAT on as well. I guess NAT was the issue (since DHCP has nothing to do with the Internetconnection with a static IP)

@mkx: Thanks for guide, but it didn’t help (still a good guide for learning about VLAN)

Have a nice day guys!

It still doesn’t look right … but if it works for you, fine.

Might stop working after some ROS upgrade though:

• when an interface is member of bridge, then all the rest of configuration should go to the bridge.
  In your case, ether2 is member of bridge named “bridge”, and vlan interfaces should be anchored on bridge. There’s some plain (non-vlan) configuration dispersed between ether2 and bridge as well.
  If you really don’t intend to use the rest of wired ports (ether3-5, sfp1) in the same “switched” network as ether2, then you should remove ether2 from bridge. Beware that doing so you might loose admin access to RB due to various reasons: bridge admin-mac is set statically, possibly to MAC of ether2 interface. If interface with same MAC address is not member of bridge any more, interesting things can happen. Also, if you remove ether2 from bridge, you’ll loose untagged access to RB as a whole. Could be that currently you actually use untagged for administrative access.
• Default SRC NAT rule should be working just fine. As the order of rules matters, you can check if the additional NAT rule really takes the traffic (check rule stats, e.g. by executing /ip firewall nat print stats … the rule actually servicing your traffic will have considerable numbers recorded).
  Rationale: default rules use interface lists and WAN interface should be member of interface list named “WAN”. Your WAN seems to be ether1 with running DHCP client and that interface was already member of WAN interface list. The same interface list concept is used both by firewall filter rules as well as NAT rules.
  What does matter is that your VLAN interfaces are not members of any interface lists (and should be members of LAN interface list by the functionality of it). So currently rule #4 from the export (last one in chain=input) blocks communication from VLANs (as compared to plain untagged traffic over ether2, which is member of bridge and bridge “interface” is member of LAN interface list).

There are other, potentially dangerous, inconsistencies in the configuration.