Webserver in vlan on RB450G

Hi
I need help regarding the following scenario on an RB450G. I have clients configured to use PPPoE, and I have also created VLANs 11-15 and enabled DHCP for each VLAN.

DHCP Networks

vlan 11 - 172.16.11.0/24 gateway 172.16.11.1
vlan 12 - 172.16.12.0/24 gateway 172.16.12.1
vlan 13 - 172.16.13.0/24 gateway 172.16.13.1
vlan 14 - 172.16.14.0/24 gateway 172.16.14.1
vlan 15 - 172.16.15.0/24 gateway 172.16.15.1

after dialing pppoe

vlan 11 - 10.10.11.0/24
vlan 12 - 10.10.12.0/24
vlan 13 - 10.10.13.0/24
vlan 14 - 10.10.14.0/24
vlan 15 - 10.10.15.0/24

The VLAN and PPPoE config are working fine. I want my users to communicate with the webserver without going through the router interface. I have also created VLAN 100 for the webserver.

Vlan100
172.16.100.100 = webserver

When a client PC enters 172.16.100.100 in its web browser, I want the client's request to go directly to 172.16.100.100. What should the configuration be to access the webserver without going through my router interface? My network design is below.



(( Internet ))
     |||
(( Router Board ))
     |||
[============ Layer 2 Switch Manageable ============]
   |        |        |        |        |        |
 Vlan11   Vlan12   Vlan13   Vlan14   Vlan15   Vlan100
 Client   Client   Client   Client   Client   Webserver

Any help would be appreciated, thanks.

You can’t. VLANs are layer 2 broadcast domains. To leave a layer 2 broadcast domain you need to go through a layer 3 interface that can route traffic between broadcast domains. In your case that layer 3 interface resides on the RouterBOARD, so traffic must pass through it.

If I replace the layer 2 manageable switch with a Cisco 3550, a layer 3 switch, what should the configuration be?

You put a /30 between the switch and the router, and create all the VLAN interfaces on the Cisco switch with the router as its uplink.

I created all the VLANs on the Cisco. Everything works fine until I dial PPPoE and get a PPPoE IP on the client machine. After that, when I enter my webserver IP in the web browser, my request goes directly to my RB. Is there any configuration I should do on my RB?

Before dialing the PPPoE dialer I can access my webserver directly; the Cisco is routing the request directly. But after PPPoE it's going directly to the RB. What am I missing? Please guide.

Once you start the PPPoE client the customer will have a default route through the PPPoE server on the Mikrotik router.

Why is it so important to you that traffic doesn’t go through the router? What are you actually trying to achieve?
Does it have something to do with trying to exempt traffic to that server from rate limits?
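Why the path changes once the PPPoE session is up, as an added example that is not part of the original thread: a small route lookup (longest prefix first, then lowest metric) run over a client's routing table before and after dialing. The client addresses, the PPPoE server address 10.10.11.1, the interface names and the metrics are constructed assumptions; only the subnets, the 172.16.11.1 gateway and the webserver address come from the thread.

```python
import ipaddress

def lookup(routes, dst):
    """Pick the route a host uses for dst: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in ipaddress.ip_network(r["net"])]
    if not matches:
        return None
    return min(matches,
               key=lambda r: (-ipaddress.ip_network(r["net"]).prefixlen, r["metric"]))

def egress(routes, dst):
    """Return (interface, next hop) for dst, or None if there is no route."""
    r = lookup(routes, dst)
    return (r["dev"], r["via"]) if r else None

# Constructed table for a VLAN 11 client that has only its DHCP lease.
# 172.16.11.1 is the VLAN gateway (the SVI on the layer 3 switch).
BEFORE_PPPOE = [
    {"net": "172.16.11.0/24", "via": "on-link",     "dev": "eth0", "metric": 0},
    {"net": "0.0.0.0/0",      "via": "172.16.11.1", "dev": "eth0", "metric": 20},
]

# Same client after dialing: the PPPoE session adds a second default route.
# Assumption: the dial-up default route gets the better (lower) metric.
AFTER_PPPOE = BEFORE_PPPOE + [
    {"net": "10.10.11.1/32",  "via": "on-link",     "dev": "ppp0", "metric": 0},
    {"net": "0.0.0.0/0",      "via": "10.10.11.1",  "dev": "ppp0", "metric": 10},
]

WEBSERVER = "172.16.100.100"

if __name__ == "__main__":
    # Before dialing, the webserver is reached via the switch's VLAN gateway.
    print("before:", egress(BEFORE_PPPOE, WEBSERVER))
    # After dialing, no route is more specific than the default routes, so the
    # PPPoE default wins and the request is tunnelled to the RouterBOARD.
    print("after: ", egress(AFTER_PPPOE, WEBSERVER))
```
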

It's important because I don't want my clients to be limited to the given traffic bandwidth over PPPoE, and I want them to directly access any local machine on vlan100. I'm planning to add game servers also, so that would be a problem if it goes through the RB interface.

I wish you had said that earlier. You’re approaching it wrong.

PPPoE implements rate limits via dynamic simple queues. Queue trees attached to globals override them.

# Hosts whose traffic should override the per-user PPPoE simple queues
/ip firewall address-list
add list=override address=172.16.100.100
# Mark packets coming from and going to those hosts
/ip firewall mangle
add chain=prerouting src-address-list=override action=mark-packet new-packet-mark=from-override
add chain=prerouting dst-address-list=override action=mark-packet new-packet-mark=to-override

# Queue tree entries on the global parents for the marked packets
/queue tree
add queue=default limit-at=1000000000 packet-mark=from-override parent=global-out
add queue=default limit-at=1000000000 packet-mark=to-override parent=global-in

Again, those override the existing simple queues for traffic that matches, and will rate limit traffic to and from the web server at 1Gbps, which is line speed. If you add more services just add the hosts to the address list.

This was written away from any router so it is off the top of my head, and there may be errors in that. The theory works, though.

In the network layout you have you cannot avoid going through the router. But you can work around the rate limit problem.

You can take this further and use RADIUS authentication for PPPoE and use dynamic address lists and do away with simple queues completely, and do everything manually and customize your rate limiting. But that may be overkill for you at this moment.

Thanks for the reply.

I have done this in the queue tree, but after transferring data over 20 Mbps the RB times out and the client can't even browse websites while downloading some movie from the local webserver.

That's also a problem. Is there any other possible way that local addresses shouldn't go through the router interface after dialing PPPoE, or is there any other configuration that I should do on the Cisco [L3 switch], or is there any other hardware that would help in this scenario?