Routing with VLAN

Hello,

I have following simplified network topology:
Screenshot_20241013_131631.png
The FritzBox provides a DHCP & DNS server, with a NAT for internet access. I connected a CRS326 behind it, to handle multiple VLANs. However, I could only get it to work with an additional NAT running on it. Here is my config:

/interface bridge
add comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=management-vlan vlan-id=10
add interface=bridge name=internal-vlan vlan-id=20
add interface=bridge name=sandbox-vlan vlan-id=30
/caps-man configuration
add country=germany datapath.bridge=bridge datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=use-tag name=internal-config security.authentication-types=wpa2-psk security.passphrase=****** ssid=******
add country=germany datapath.bridge=bridge datapath.client-to-client-forwarding=no datapath.local-forwarding=yes datapath.vlan-id=30 datapath.vlan-mode=use-tag name=sandbox-config rates.basic="" security.authentication-types=wpa2-psk security.passphrase=****** ssid=******
/interface list
add name=WAN
add name=LAN
/ip pool
add name=management-pool ranges=10.0.1.129-10.0.1.254
add name=internal-pool ranges=10.0.2.129-10.0.2.254
add name=sandbox-pool ranges=10.0.3.129-10.0.3.254
/ip dhcp-server
add address-pool=management-pool disabled=no interface=management-vlan name=management-dhcp
add address-pool=internal-pool disabled=no interface=internal-vlan name=internal-dhcp
add address-pool=sandbox-pool disabled=no interface=sandbox-vlan name=sandbox-dhcp
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=management-vlan
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=internal-config slave-configurations=sandbox-config
/interface bridge port
add bridge=bridge disabled=yes interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether7 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether8 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether9 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether10 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether11 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether12 pvid=20
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether13
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether14
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether15 pvid=20
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether16
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether17
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether18 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether19 pvid=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether20 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether21 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether22 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether23 pvid=20
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether24
add bridge=bridge interface=sfp-sfpplus1
add bridge=bridge interface=sfp-sfpplus2
/interface bridge vlan
add bridge=bridge tagged=bridge,ether13,ether14,ether16,ether17,ether24 untagged=ether19 vlan-ids=10
add bridge=bridge tagged=bridge,ether13,ether14,ether16,ether17,ether24 untagged="ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12,ether15,ether18,ether20,ether21,ether23" vlan-ids=20
add bridge=bridge tagged=bridge,ether13,ether14,ether16,ether17,ether24 untagged=ether22 vlan-ids=30
/interface ethernet switch rule
add dst-address=10.0.3.1/32 ports=ether24,ether16,ether13,ether17,ether14 switch=switch1 vlan-id=30
add dst-address=10.0.3.0/24 new-dst-ports="" ports=ether24,ether16,ether13,ether17,ether14 switch=switch1 vlan-id=30
/interface list member
add interface=ether1 list=WAN
add interface=internal-vlan list=LAN
add interface=sandbox-vlan list=LAN
/ip address
add address=10.0.1.1/24 interface=management-vlan network=10.0.1.0
add address=10.0.2.1/24 interface=internal-vlan network=10.0.2.0
add address=10.0.3.1/24 interface=sandbox-vlan network=10.0.3.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.1.0/24 domain=management.internal gateway=10.0.1.1
add address=10.0.2.0/24 domain=internal gateway=10.0.2.1
add address=10.0.3.0/24 domain=sandbox.internal gateway=10.0.3.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow dns request from non sandbox vlan" dst-port=53 in-interface=!sandbox-vlan in-interface-list=LAN protocol=udp
add action=accept chain=input comment="allow dns request from non sandbox vlan" dst-port=53 in-interface=!sandbox-vlan in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow dhcp requests" dst-port=67 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="allow full management access" in-interface=management-vlan
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="allow dns request to gateway" dst-address=10.0.0.1 dst-port=53 protocol=udp
add action=accept chain=forward comment="allow dns request to gateway" dst-address=10.0.0.1 dst-port=53 protocol=tcp
add action=accept chain=forward comment="allow web interface of gateway to be accessed from management" dst-address=10.0.0.0/24 in-interface=management-vlan
add action=accept chain=forward comment="allow internet access" dst-address=!10.0.0.0/24 in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop not DSTNATed" connection-nat-state=!dstnat connection-state=new
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN

Is the NAT on the CRS326 necessary? Or can I achieve something similar to https://help.mikrotik.com/docs/display/ROS/IP+Routing?

What I have tried is to disable NAT, but then none of the clients have internet access.

You have to decide who does DHCP on your network.
If the switch will just be a switch, that is easily accomplished, no double NAT etc…
However, if you want the switch to be a second router, then your throughput may be limited to approx. 300-400 Mbps…

So this first option would not work for me, because the FritzBox has no capability to handle VLANs at all.

This second option would be okay, since my internet provider gives me a max download rate of 100 Mbps and a max upload rate of 40 Mbps. The theoretical max is 250 Mbps with the best tariff.

A third option is to get rid of the FritzBox, but I have no idea on how to configure DSL login (1&1 is my provider) with the CRS326.

IMO your current setup (double NAT) is “the least bad” of all solutions. The only actual drawback is configuration of some DST NAT (port forwarding) because you have to do it on two devices (Fritz and CRS).

If you wanted to bypass NAT on Fritz, you’d have to get Fritz into “bridge mode”, so that it would only act as DSL modem. Which might be or might not be possible. If you wanted to get rid of NAT on CRS, then Fritz would have to be aware of additional IP subnets (and you’d have to configure some static routes on Fritz) … which again might be or might not be possible (I don’t know what functionality Fritz offers).
So whatever you would want to change, it largely depends on what Fritz allows you to do.

Okay thanks for clarifying this.

It might be possible for me to set the FritzBox into bridge mode, although there was a warning on the FritzBox's website about "additional costs". I don't know how that could work…

So I'll stick with the current solution then - I was just concerned that my setup is not as optimal as it could be.

Thank you!

If the FritzBox supports static routes, you could avoid the double NAT and set up static routes to the MikroTik device for the various subnets.

I did this, I just configured the subnets to be in a range of one parent subnet, so that I only needed to add one routing entry. I like it. Thank you so much!
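For readers who want to reproduce the "static route instead of double NAT" outcome of this thread, the following is an added example of the CRS side in RouterOS terms; it is not the original poster's config and none of the replies posted it. It assumes the FritzBox LAN is 10.0.0.0/24 with the FritzBox at 10.0.0.1, that ether1 on the CRS is given the fixed address 10.0.0.2 (a DHCP lease would make the FritzBox's route point at a moving target), and that the three VLAN subnets 10.0.1.0/24-10.0.3.0/24 are summarised as 10.0.0.0/22, so that a single route "10.0.0.0/22 via 10.0.0.2" is all that has to be entered on the FritzBox. All addresses are assumptions taken from the config above.

```routeros
# Added example, not the poster's config. Assumptions: FritzBox LAN 10.0.0.0/24,
# FritzBox at 10.0.0.1, CRS ether1 fixed at 10.0.0.2, VLANs summarised as 10.0.0.0/22.

# 1. Replace the DHCP client on ether1 with a fixed address and a default route,
#    so the FritzBox has a stable next hop for its static route.
/ip dhcp-client
remove [find interface=ether1]
/ip address
add address=10.0.0.2/24 interface=ether1 network=10.0.0.0 comment="uplink to FritzBox"
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1 comment="default via FritzBox"
/ip dns
set servers=10.0.0.1

# 2. Stop masquerading. From now on the FritzBox sees the real 10.0.1-3.x source
#    addresses, which is exactly why it needs the route back to 10.0.0.2.
/ip firewall nat
disable [find chain=srcnat action=masquerade]

# 3. The existing forward chain keeps working unchanged:
#    - "allow internet access" still matches LAN -> WAN new connections
#    - "drop not DSTNATed" still drops every other new connection, so hosts on
#      the FritzBox LAN cannot open connections into the VLANs just because the
#      NAT is gone. Add explicit accept rules only for what should be reachable,
#      e.g. letting the FritzBox LAN reach a single host in the internal VLAN:
/ip firewall filter
add action=accept chain=forward comment="FritzBox LAN -> one internal host (example)" \
    src-address=10.0.0.0/24 dst-address=10.0.2.10 in-interface-list=WAN \
    out-interface=internal-vlan connection-state=new \
    place-before=[find comment="drop not DSTNATed"] disabled=yes

# 4. Verify from the CRS itself that return traffic reaches a VLAN address
#    without NAT: a ping sourced from the VLAN gateway address only gets a
#    reply once the FritzBox knows the route to 10.0.0.0/22.
/ping 10.0.0.1 src-address=10.0.2.1 count=3
/ip firewall connection print where dst-address~"10.0.0.1" and src-address~"^10.0.2"
```

If the FritzBox refuses a summary that overlaps its own 10.0.0.0/24 (longest-prefix match would still prefer its connected network, but whether the UI accepts it is not something this thread confirms), enter the three /24 routes individually, all with gateway 10.0.0.2. The ping in step 4 is the useful check: with the masquerade disabled and no route on the FritzBox it times out, with the route in place it answers, and the connection listing then shows the unrewritten 10.0.2.1 source.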