Wan to Wan routing and setup

Hello- new to Mikrotik devices, have seen them but not used them… so forgive my ignorance.

We have had several clients utilizing Fiber solutions - when they have a circuit with multiple IP’s the ISP basically hands them a DHCP address and then they must setup the Static Gateway and Usable IP’s behind that.

We are looking to use the Mikrotik to grab the DHCP address on port 1, set a static IP address on port 4, then connect the client's existing firewall to port 4 (with one of the static IPs provided by the ISP).

We do not want any firewalling - just all traffic routed in and out as smoothly as possible. If anyone can provide this newcomer with a plan, I would greatly appreciate it.

Thank you!

Hi,

The following was made on a hex, based on its default configuration.
But should be applicable to many/most Mikrotiks.

  • I removed all the firewall rules (so fastpath is active)
  • Disabled all admin services except winbox
  • Moved ssh and winbox access to a new vrf vrfAdmin, active on ether5.
    (So you can login to the router only from ether5)

I have put a static ip (100.100.100.101/30) onto the bridge interface.

It seems to work ok, and access to the router appears to be only available from vrfAdmin (ether5).
But you would want to triple check this yourself.

I have removed all the IPv6 rules and disabled IPv6, but I have not tested it.

It seems to be able to move traffic at near 1Gbps.
If you need much more, perhaps a CRS304 with L3 hardware offload enabled would be worth trialling.

# 2024-12-08 21:09:06 by RouterOS 7.16.2
# software id = XXX-XXX
#
# model = RB750Gr3
# serial number = XXXXXXXXXXX
# Route-only setup: ether1 takes its address by DHCP, ether2-4 are bridged and
# carry the static address, ether5 is a separate management port in its own VRF.
# This export contains no /ip firewall section, so the router does no filtering
# and no NAT; whatever sits behind the bridge has to do all of its own filtering.
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Extra list used further down to scope neighbor discovery and MAC-Winbox.
add name=ADMIN
/ip pool
# default-dhcp is a defconf leftover; the only server that uses it is disabled below.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# Pool handed out on the management port (ether5).
add name=dhcp_pool1 ranges=192.168.31.20/31
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=ether5 lease-time=1h name=dhcp1
/ip vrf
# ether5 is the only interface placed in the management VRF.
add interfaces=ether5 name=vrfAdmin
/disk settings
# NOTE(review): automatic media and SMB sharing are enabled here with bridge as
# the media interface, and bridge is the interface holding the static address
# below. Presumably this only takes effect when storage is attached - confirm,
# and turn it off if no sharing is wanted, since nothing in this export filters it.
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
# The ether5 bridge-port entry is disabled, keeping ether5 out of the bridge.
add bridge=bridge comment=defconf disabled=yes interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery is limited to the ADMIN list (ether5).
set discover-interface-list=ADMIN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether5 list=ADMIN
/ip address
# The defconf LAN address stays in the export but is disabled.
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
# Management subnet on ether5.
add address=192.168.31.1/24 interface=ether5 network=192.168.31.0
# Static address on the bridge (ether2-4); presumably a sample value to be
# replaced with the address the ISP assigns - confirm.
add address=100.100.100.101/30 interface=bridge network=100.100.100.100
/ip dhcp-client
# ether1 obtains its address by DHCP.
add comment=defconf interface=ether1
/ip dhcp-server config
set store-leases-disk=2h
/ip dhcp-server network
# Management clients are given the router as DNS server; no gateway is set here.
add address=192.168.31.0/24 dns-server=192.168.31.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# NOTE(review): remote DNS requests are accepted and the vrf is set to vrfAdmin.
# With no firewall filter in this export, verify from the ether1 and bridge
# sides that port 53 is not answered there (open-resolver exposure).
set allow-remote-requests=yes vrf=vrfAdmin
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip service
# Every management service is disabled except winbox. winbox is limited to
# sources in 192.168.31.0/24 and to vrfAdmin; ssh carries the same address/VRF
# settings but is left disabled.
# NOTE(review): these per-service settings are the only management restriction
# visible in this export, so test reachability from ether1 and from the bridge.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.31.0/24 disabled=yes vrf=vrfAdmin
set api disabled=yes
set winbox address=192.168.31.0/24 vrf=vrfAdmin
set api-ssl disabled=yes

/system clock
set time-zone-name=Australia/Melbourne
/system identity
set name=RouteOnly
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-Telnet is allowed on no interface; MAC-Winbox only on the ADMIN list.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=ADMIN