I have following network up and running without any problems.
However, I would like to add a second LAN with it's own IP address and DHCP server. I scrambled through the forum and couldn't find
the exact information I would understand to implement on my router.
Someone please inform me about what is required to implement a second LAN to separate office PC's traffic from the WiFi Unifi Lan.
Here's the existing setup - ROS V6.7
ISP-Internet
|
RB 951G
|
Ether Port 1: WAN 199.9.60.xxx
|
Ether Port 2: LAN - UniFi WiFi - 192.168.0.x
|
Ether Port 3, 4, 5 are switched of Master Port 3.
\
/interface bridge
add l2mtu=1598 name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=
"LAN - All ports are switched off Ether2"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/interface wireless
set [ find default-name=wlan1 ] ht-rxchains=0 ht-txchains=0 l2mtu=2290 ssid=
MikroTik
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment="LAN - All ports are switched off Ether2"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2 name=dhcp1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.0.1/24 comment="LAN IP Subnet" interface=ether2 network=
192.168.0.0
add address=199.9.60.xxx/24 interface=ether1 network=199.9.60.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,4.2.2.2 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.0.0/24 list=OurLocalLAN
/ip firewall filter
add chain=input comment="Allow access to the router from the LAN using address
list - PROTECTING ROUTER" src-address-list=OurLocalLAN
add action=drop chain=forward comment="Drop invalid connections"
connection-state=invalid
add chain=forward comment="Allow Connections from LAN" connection-state=new
in-interface=bridge1
add chain=forward comment="Allow Established Connection from LAN"
connection-state=established
add chain=forward comment="Allow Related Connection" connection-state=related
add action=drop chain=forward comment=
"Drop all other traffic through the router"
add chain=input comment="Allow established connection to the router"
connection-state=established
add chain=input comment="Allow related connection to the router"
connection-state=related
add action=drop chain=input comment=
"Drop All Other Traffic to Router - PROTECTING ROUTER"
/ip firewall nat
add action=masquerade chain=srcnat comment="PAT outside" dst-address=
0.0.0.0/0 out-interface=ether1 src-address=192.168.0.0/24
/ip route
add comment="default route" distance=1 gateway=199.9.60.1
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB951ui
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=63.44.154.34 secondary-ntp=
63.240.161.99
I followed your instructions (pictures only, I can’t read the language) from the links and got the best I could do. Please see the config below and let me know what I did wrong.
I couldn’t get IP when I had port 5 independent and assigned DHCP to the port.
/interface bridge
add l2mtu=1598 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ht-rxchains=0 ht-txchains=0 l2mtu=2290
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=
“LAN - All ports are switched off Ether2”
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment=“LAN - All ports are switched off Ether2”
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool2 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp2 relay=
192.168.1.0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
/ip address
add address=192.168.0.1/24 comment=“LAN IP Subnet” interface=ether2 network=
192.168.0.0
add address=199.9.60.xxx/24 interface=ether1 network=199.9.60.0
add address=192.168.1.0/24 interface=ether5 network=192.168.1.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,4.2.2.2 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.0,4.2.2.2 gateway=192.168.1.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.0.0/24 list=OurLocalLAN
/ip firewall filter
add chain=input comment=“Allow access to the router from the LAN using addres
list - PROTECTING ROUTER” src-address-list=OurLocalLAN
add action=drop chain=forward comment=“Drop invlaid cnnections”
connection-state=invalid
add chain=forward comment=“Allow Connections from LAN” connection-state=new
in-interface=bridge1
add chain=forward comment=“Allow Established Connection from LAN”
connection-state=established
add chain=forward comment=“Allow Related Connection” connection-state=related
add action=drop chain=forward comment=
“Drop all other traffice throught the router”
add chain=input comment=“Allow established connection to the router”
connection-state=established
add chain=input comment=“Allow related connection to the router”
connection-state=related
add action=drop chain=input comment=
“Drop All Other Traffice to Router - PROTECTING ROUTER”
/ip firewall nat
add action=masquerade chain=srcnat comment=“PAT outside” dst-address=
0.0.0.0/0 out-interface=ether1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=“PAT outside” dst-address=
0.0.0.0/0 out-interface=ether5 src-address=192.168.1.0/24
/ip route
add comment=“default route” distance=1 gateway=199.9.60.1
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB951g
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=63.44.154.34 secondary-ntp=
63.240.161.99
reply to @ efaden
No, I am not trying to have multiple wifi. I am not even using the Wireless interface on RB951. The UniFi AP I have are being
used for guest wifi only.
I see that ether 3,4,5 is bridged.
Remove an interface from the bridge, for example ether5 and add than an IP address to this interface. en configure the DHCP server.
This is the reason that it fails
Ether5 becomes your new network
The screenshots that I made to my website will help you without the text to configure the routerboard.
Hello!
I did as you mentioned using the screen shot. However, I am not sure if it’s done correctly.
I have doubt about the NAT rules on Port 5 and I also, created second bridge.
Please let me know…
Sandip
/interface bridge
add l2mtu=1598 name=bridge1
add name=bridge2
/interface wireless
set [ find default-name=wlan1 ] ht-rxchains=0 ht-txchains=0 l2mtu=2290
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=
“LAN - ports 3,4 are switched off Ether2”
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment=“LAN - ports 3,4 are switched off Ether2”
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool2 ranges=192.168.0.100-192.168.0.254
add name=dhcp_pool1 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool3 ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool3 disabled=no interface=bridge2 name=dhcp2
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan1
add bridge=bridge2 interface=ether5
/ip address
add address=192.168.0.1/24 comment=“LAN IP Subnet” interface=ether2 network=
192.168.0.0
add address=199.9.xx.xxx/24 interface=ether1 network=199.9.60.0
add address=192.168.1.1/24 interface=ether5 network=192.168.1.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1,4.2.2.2 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1,4.2.2.2 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=192.168.0.0/24 list=OurLocalLAN
/ip firewall filter
add chain=input comment=“Allow access to the router from the LAN using addres
list - PROTECTING ROUTER” src-address-list=OurLocalLAN
add action=drop chain=forward comment=“Drop invlaid cnnections”
connection-state=invalid
add chain=forward comment=“Allow Connections from LAN” connection-state=new
in-interface=bridge1
add chain=forward comment=“Allow Established Connection from LAN”
connection-state=established
add chain=forward comment=“Allow Related Connection” connection-state=related
add action=drop chain=forward comment=
“Drop all other traffic through the router”
add chain=input comment=“Allow established connection to the router”
connection-state=established
add chain=input comment=“Allow related connection to the router”
connection-state=related
add action=drop chain=input comment=
“Drop All Other Traffic to Router - PROTECTING ROUTER”
/ip firewall nat
add action=masquerade chain=srcnat comment=“PAT outside” dst-address=
0.0.0.0/0 out-interface=ether1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=PORT-5_NETWORK dst-address=
0.0.0.0/0 out-interface=ether1 src-address=192.168.1.0/24
/ip route
add comment=“default route” distance=1 gateway=199.9.60.1
/ip service
set api disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB951ui
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=63.44.154.34 secondary-ntp=
63.240.161.99
