Hi all,
I am new to RouterOS and have a CCR1016. I hope any experts out there can answer the questions below.
First, I need CCR1016 to do the following tasks:
1- 1 binding interface (LACP) to the firewall.
2- 2 binding interfaces (LACP) to D-Link switches. Each binding interface is carrying 3 VLANs.
3- VLAN_1 from bind_switch1 can connect to VLAN_1 from bind_Switch2. vice versa.
VLAN_2 from bind_switch1 can connect to VLAN_2 from bind_Switch2. vice versa.
VLAN_3 from bind_switch1 can connect to VLAN_3 from bind_Switch2. vice versa.
4- Configure an IP on the binding interface and set default route to the firewall/Internet
5- VLAN_1 from any interface can connect to VLAN_2 and VLAN_3
VLAN_2 or VLAN_3 CANNOT initiate connection to VLAN_1
Then with configuration,
A. I am able to create 3 binding interfaces so tasks #1 and #2 are ok
B. I am able to create 3 bridges for each VLAN so #3 task is ok
(bridge1 interfaces: vlan1_bindSwitch1, vlan1_bindSwitch2)
(bridge2 interfaces: vlan2_bindSwitch1, vlan2_bindSwitch2)
(bridge3 interfaces: vlan3_bindSwitch1, vlan3_bindSwitch2)
C. I am able to add default route to firewall’s IP so #4 is ok
D. I am able to use IP firewall to allow only VLAN1 established traffic to VLAN2 and VLAN3, but the problem I encountered is that with “IP firewall” the CPU usage is high (80-95%) and throughput is not as good (10-20% less) as without IP firewall configured.
My questions are…
1- Is my way of configuration (using a bridge for each VLAN to connect 2 trunks to 2 switches) the correct way to do this?
2- IP firewall uses CPU therefore the performance is lower since RouterOS is software based?
Hope any RouterOS expert can help me!
Thanks in advance,
Douglas
p.s. I attached a diagram that may help explain what I am trying to accomplish and a copy of current configuration.
MikroTik CCR-1036-12G-4S config04302015.rtf