Some basic configurations on RB2011UIAS-2HnD-IN - Equivalent Cisco commands on Mikrotik

Hello.

First, I did find some tutorials, but they are GUI based.

Two weeks ago I bought a Mikrotik RB2011UIAS-2HnD-IN and, coming from Cisco and Alcatel, I want to know some equivalent configuration commands (CLI).

First, I assume that on RB2011UIAS-2HnD-IN all the ports are in the same broadcast domain.

Let’s imagine I want to place each port on its own broadcast domain. On a Cisco L3 switch I would:

Enable IP routing, in Global Configuration Mode:

Switch(config)#ip routing

Then, I would enter an interface, and enable L3 on that interface:

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#no switchport

After that, I would configure an IP address:

Switch(config)#interface fastEthernet 0/1
Switch(config-if)#ip address 192.168.2.2 255.255.255.0

Then, let’s say I want to enable NAT overload (PAT) in order to translate all addresses on the F0/1 interface to the Gig0/1 interface (assume the Gig0/1 has already been configured with an IP address):

Switch(config)#access-list 1 permit 192.168.2.0 0.0.0.255
Switch(config)#ip nat inside source list 1 interface GigabitEthernet0/1 overload

Then, on Fa0/1 interface:

Switch(config-if)#ip nat inside

On Gig0/1:

Switch(config-if)#ip nat outside

And that’s it.

Alternatively, I could configure the routing to be VLAN based, instead of configuring the Fa0/1 as an L3 interface:

Switch(config)#vlan 3

The interface would be:

Switch(config)#interface Vlan3
Switch(config-if)#ip address 192.168.2.254 255.255.255.0
Switch(config-if)#ip nat inside

Then, the only config change from the other one would be the nat inside on interface vlan 3 instead of Fa0/1:

Switch(config)#interface vlan 3
Switch(config-if)#ip nat inside

What are the equivalent configuration commands on a Mikrotik Router?

I did try to follow one config, but I was getting the following error:

 1 I  ;;; in/out-interface matcher not possible when interface (ether4) is slave - use master instead (bridge-local)

Which I assume is related to the fact that the port is not yet configured to be an L3 interface (the no switchport equivalent command has not yet been run). The thing is, even without being configured as an L3 interface, I could set an IP address on that same interface.

So, I found some conflicting tutorials and information. If you can clear this up and explain what the equivalent commands are on a Mikrotik router, so I can use it as a baseline, I would be glad :)

Best regards.

RouterOS is a routing platform by default. All interfaces will be layer3 interfaces unless you have added any master/slave relationships or added ports to a bridge interface.

To set an IP address on an interface:

ip address add interface=ether1 address=192.168.1.1/24 netmask=255.255.255.0

To NAT that traffic:

ip firewall nat add src-address=192.168.1.0/24 action=masquerade out-interface=ether4 chain=forward

It might help to post your current configuration, or at least

interface ethernet print

so we can see how your router is currently configured.

Hello.

First, the current configuration is the following (I took out interfaces 3 and 4 of bridge mode using the

/interface bridge port remove numbers=X

command):

[admin@MikroTik] > ip firewall nat print       
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix="" 

 1    chain=forward action=masquerade src-address=192.168.3.0/24 out-interface=ether2 log=no log-prefix="" 
[admin@MikroTik] > [admin@MikroTik] > /interface bridge port remove 0
syntax error (line 1 column 7)
[admin@MikroTik] > [admin@MikroTik] > /interface bridge port remove 1
syntax error (line 1 column 7)
[admin@MikroTik] > ip firewall nat print                             
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix="" 

 1    chain=forward action=masquerade src-address=192.168.3.0/24 out-interface=ether2 log=no log-prefix="" 
[admin@MikroTik] > export
# sep/01/2015 01:07:58 by RouterOS 6.23
# software id = 0EEC-KFU2
#
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors frequency=auto l2mtu=2290 mode=ap-bridge ssid=Epson wireless-protocol=802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa-pre-shared-key=yaGExu@4spUceRe wpa2-pre-shared-key=yaGExu@4spUceRe
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.2.249/24 comment="default configuration" interface=ether2 network=192.168.2.0
add address=192.168.3.200/24 interface=ether3 network=192.168.3.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.2.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=ether1-gateway
add action=masquerade chain=forward out-interface=ether2 src-address=192.168.3.0/24
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local

Then, I followed your commands but the problem is that even so it is not translating the addresses.

The commands were:

[admin@MikroTik] > ip address add interface=ether3 address=192.168.3.200/24 netmask=255.255.255.0



ip firewall nat add src-address=192.168.3.0/24 action=masquerade out-interface=ether2 chain=forward

The addresses on network 192.168.3.0/24 (ether3) are not being translated to 192.168.2.0/24 (ether2).

Here is the output of the ip firewall nat print command:

[admin@MikroTik] > ip firewall nat print 
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix="" 

 1    chain=forward action=masquerade src-address=192.168.3.0/24 out-interface=ether2 log=no log-prefix=""

Output of the ip addresses print command:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.2.249/24   192.168.2.0     ether2
 1   192.168.3.200/24   192.168.3.0     ether3
[admin@MikroTik] >

Can you please tell me what I’m doing wrong?

Regards.

Your config looks good, but I made a mistake. The NAT entry should be srcnat not forward.

ip firewall nat add src-address=192.168.3.0/24 action=masquerade out-interface=ether2 chain=srcnat
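
Added example (not part of any post in this thread, and not MikroTik tooling): a small Python check that reads a RouterOS export and flags the two mistakes seen above, a NAT rule placed in a chain other than the NAT table's built-in srcnat/dstnat, and an in/out-interface matcher that names a bridge member or slave port. The sample export is constructed from values posted in the thread, and the function names are hypothetical.

```python
import re

NAT_BUILTIN_CHAINS = {"srcnat", "dstnat"}  # built-in chains of /ip firewall nat

def parse_export(text):
    """Map each '/menu path' to its add/set lines, parsed into key=value dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif current is not None and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return sections

def lint_nat(text):
    """Return (rule number, finding) for NAT rules that can never match."""
    cfg = parse_export(text)
    # Bridge members and switch-chip slaves; value is the interface to use instead.
    slave = {p["interface"]: p["bridge"]
             for p in cfg.get("/interface bridge port", [])
             if "interface" in p and "bridge" in p}
    for e in cfg.get("/interface ethernet", []):
        if "master-port" in e:
            slave[e.get("name", e.get("default-name"))] = e["master-port"]
    rules = cfg.get("/ip firewall nat", [])
    jump_targets = {r.get("jump-target") for r in rules if r.get("action") == "jump"}
    findings = []
    for n, r in enumerate(rules):
        chain = r.get("chain")
        if chain not in NAT_BUILTIN_CHAINS and chain not in jump_targets:
            findings.append((n, f"chain={chain} is not srcnat/dstnat and nothing jumps to it"))
        for key in ("in-interface", "out-interface"):
            if r.get(key) in slave:
                findings.append((n, f"{key}={r[key]} is a slave port, use {slave[r[key]]}"))
    return findings

# Constructed sample, modelled on the export posted in this thread.
SAMPLE = """\
/interface ethernet
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
/interface bridge port
add bridge=bridge-local interface=ether4
/ip firewall nat
add action=masquerade chain=forward out-interface=ether2 src-address=192.168.3.0/24
add action=masquerade chain=srcnat out-interface=ether4 src-address=192.168.3.0/24
add action=masquerade chain=srcnat out-interface=ether2 src-address=192.168.3.0/24
"""

if __name__ == "__main__":
    for number, finding in lint_nat(SAMPLE):
        print(f"rule {number}: {finding}")
```

Rule 0 is the chain=forward rule from the thread, rule 1 reproduces the slave-port error quoted in the first post, and rule 2 is the corrected srcnat form, which produces no finding.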

Hi.

Thank you, that was it :)

Regards.