
First Attempt at VLANs; Need Help!

Posted: Sat Aug 17, 2019 3:37 am
by ehbowen
I run a network at my church as a volunteer and as a learning project. I'm trying to break up the various devices for security and to get familiar with subnetting and VLANs. Currently everything is on a /24 private IP address range. I have defined several subnets and, using the Wiki, have assigned interfaces and IP addresses to them. Where I'm getting lost is implementing the subnets, assigning trunk lines to my main switch (an Adtran NetVanta 1534P), and activating the new configuration without losing connectivity.

Current configuration: ISP Gateway (public static IPs, /29) >ether1> MikroTik RB3011 Router >ether2> Netvanta 1534P > devices. (Note: several devices are currently plugged directly into the spare ports of the RB3011; I'm intending to move them after everything is up and running properly.)

Where I'd like to get to:
  • Data subnet, /24, for trusted devices...some wired, some Wi-Fi...which should be able to access everything on the internal network plus access to Internet.
  • Guest subnet, /25, for guest Wi-Fi access through a UniFi portal. Should only have access to the Internet...filtered access, at that (we use SafeDNS).
  • IoT subnet, /25, for smart thermostats and similar devices, on a separate Wi-Fi SSID. Should only have access to the Internet.
  • VoIP subnet, /26, for wired PoE IP phones. Needs access to Internet. Interesting complication, some computers are plugged into IP phones and should have access to the data subnet. Is there a way to allow the same switch port to access two separate VLANs?
  • Camera subnet, /26, for wired PoE surveillance cameras. Needs to communicate with the surveillance controller which is on the data network but should not have direct access to or from the WAN.
Could someone with experience provide some pointers to help me get there?

Re: First Attempt at VLANs; Need Help!

Posted: Sat Aug 17, 2019 4:48 pm
by tdw
Where I'd like to get to:
  • Data subnet, /24, for trusted devices...some wired, some Wi-Fi...which should be able to access everything on the internal network plus access to Internet.
  • Guest subnet, /25, for guest Wi-Fi access through a UniFi portal. Should only have access to the Internet...filtered access, at that (we use SafeDNS).
  • IoT subnet, /25, for smart thermostats and similar devices, on a separate Wi-Fi SSID. Should only have access to the Internet.
  • VoIP subnet, /26, for wired PoE IP phones. Needs access to Internet. Interesting complication, some computers are plugged into IP phones and should have access to the data subnet. Is there a way to allow the same switch port to access two separate VLANs?
  • Camera subnet, /26, for wired PoE surveillance cameras. Needs to communicate with the surveillance controller which is on the data network but should not have direct access to or from the WAN.
That's all do-able. I'd suggest sticking with /24s and matching one of the octets in the private IP with the VLAN ID - it makes it obvious which VLAN an address is associated with, e.g. 192.168.11.0/24 and VLAN11, 192.168.12.0/24 and VLAN12, etc.

As you are only intending using one LAN port you could attach VLAN interfaces directly to ether2, but I would suggest using a VLAN-aware bridge so you can add additional LAN ports in future without major upheaval.

The internet-only subnets can be implemented with a firewall filter rule allowing forwarded traffic in from the VLAN interface and corresponding source IP address range out of the WAN port (or out of the WAN interface list), followed by one dropping all forwarded traffic in from the VLAN interface. Similarly for the cameras, instead of an 'allow to internet' rule you can have one to allow forwarded traffic in from the camera VLAN interface and corresponding source IP address range out of the data VLAN interface to the specific address of the controller and ports (you would need separate rules if you wish to allow a range of TCP plus a range of UDP ports).

I usually specify the Mikrotik as the DNS server and NTP server in the dhcp-server network declarations, e.g. add address=192.168.11.0/24 dns-server=192.168.11.1 gateway=192.168.11.1 ntp-server=192.168.11.1, and you can use firewall nat redirect rules to force any DNS (requires separate rules for UDP and TCP), and NTP if desired, requests with a destination which is different to the Mikrotik.

That is fine if the Mikrotik is set to use the SafeDNS service for its own lookups, otherwise you can specify the SafeDNS servers in the DHCP server configuration which require it and use firewall nat src-nat rules instead of redirect.

Many VoIP phones with two ethernet ports allow separate VLANs to be configured for a locally-attached PC and the voice traffic. This can be done by manually configuring the phones to tag the voice traffic and configure the switch to match, or as your switch appears to support LLDP-MED it may be possible to automate this if the phones do too.

You haven't mentioned what WiFi system you are using, but as long as you can create multiple SSIDs and associate them with tagged VLANs they are just a conduit for the traffic from the client device to the Mikrotik.
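
Putting the pointers in this reply into an actual RouterOS configuration, as an added example for this page rather than anything posted in the thread: a VLAN-aware bridge with ether2 as the trunk to the NetVanta, one /24 per VLAN with the third octet equal to the VLAN ID, DHCP handing out the router as gateway, DNS and NTP, the accept-then-drop forward pairs for the internet-only VLANs, and the camera-to-controller rules with one rule per protocol. Everything specific is assumed, not taken from the thread: RouterOS 6.4x on an RB3011 that has been reset without the default configuration (so there is no pre-existing bridge or DHCP server to fight), ether1 as WAN, ether3 as one of the spare ports with an IP phone and a PC behind it, VLAN IDs 11 to 15, a surveillance controller at 192.168.11.10, and camera ports 554/tcp and 9000-9010/udp.

```routeros
# Added example, not from the thread. RouterOS 6.4x on an RB3011 reset with
# no default configuration. Assumed: ether1 = WAN, ether2 = trunk to the
# NetVanta, ether3 = spare port with an IP phone (and a PC behind it),
# VLAN 11 data / 12 guest / 13 IoT / 14 VoIP / 15 cameras,
# controller 192.168.11.10, camera ports 554/tcp and 9000-9010/udp.

/interface bridge
add name=bridge1 vlan-filtering=no comment="vlan-filtering is switched on as the last step"

/interface bridge port
# pvid=11: untagged frames (UniFi AP management, the PC behind the phone) join the data VLAN
add bridge=bridge1 interface=ether2 pvid=11
add bridge=bridge1 interface=ether3 pvid=11

/interface bridge vlan
# bridge1 is a tagged member of every VLAN so the router's own VLAN interfaces see the traffic
add bridge=bridge1 vlan-ids=11 tagged=bridge1 untagged=ether2,ether3
add bridge=bridge1 vlan-ids=14 tagged=bridge1,ether2,ether3
add bridge=bridge1 vlan-ids=12,13,15 tagged=bridge1,ether2

/interface vlan
add interface=bridge1 vlan-id=11 name=vlan11-data
add interface=bridge1 vlan-id=12 name=vlan12-guest
add interface=bridge1 vlan-id=13 name=vlan13-iot
add interface=bridge1 vlan-id=14 name=vlan14-voip
add interface=bridge1 vlan-id=15 name=vlan15-cam

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan11-data
add list=LAN interface=vlan12-guest
add list=LAN interface=vlan13-iot
add list=LAN interface=vlan14-voip
add list=LAN interface=vlan15-cam

/ip address
add interface=vlan11-data address=192.168.11.1/24
add interface=vlan12-guest address=192.168.12.1/24
add interface=vlan13-iot address=192.168.13.1/24
add interface=vlan14-voip address=192.168.14.1/24
add interface=vlan15-cam address=192.168.15.1/24

/ip pool
add name=pool11 ranges=192.168.11.100-192.168.11.199
add name=pool12 ranges=192.168.12.100-192.168.12.199
add name=pool13 ranges=192.168.13.100-192.168.13.199
add name=pool14 ranges=192.168.14.100-192.168.14.199
add name=pool15 ranges=192.168.15.100-192.168.15.199
/ip dhcp-server
add name=dhcp11 interface=vlan11-data address-pool=pool11 disabled=no
add name=dhcp12 interface=vlan12-guest address-pool=pool12 disabled=no
add name=dhcp13 interface=vlan13-iot address-pool=pool13 disabled=no
add name=dhcp14 interface=vlan14-voip address-pool=pool14 disabled=no
add name=dhcp15 interface=vlan15-cam address-pool=pool15 disabled=no
/ip dhcp-server network
# the router is gateway, DNS and NTP for each VLAN (serving NTP needs the ntp package installed)
add address=192.168.11.0/24 gateway=192.168.11.1 dns-server=192.168.11.1 ntp-server=192.168.11.1
add address=192.168.12.0/24 gateway=192.168.12.1 dns-server=192.168.12.1 ntp-server=192.168.12.1
add address=192.168.13.0/24 gateway=192.168.13.1 dns-server=192.168.13.1 ntp-server=192.168.13.1
add address=192.168.14.0/24 gateway=192.168.14.1 dns-server=192.168.14.1 ntp-server=192.168.14.1
add address=192.168.15.0/24 gateway=192.168.15.1 dns-server=192.168.15.1 ntp-server=192.168.15.1

/ip firewall filter
# the router itself: only the LANs may talk to it
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop in-interface-list=!LAN comment="nothing from the internet reaches the router"
# routed traffic
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# internet-only VLANs: accept to WAN with a matching source, then drop everything else from that VLAN
add chain=forward action=accept in-interface=vlan12-guest src-address=192.168.12.0/24 out-interface-list=WAN
add chain=forward action=drop in-interface=vlan12-guest
add chain=forward action=accept in-interface=vlan13-iot src-address=192.168.13.0/24 out-interface-list=WAN
add chain=forward action=drop in-interface=vlan13-iot
add chain=forward action=accept in-interface=vlan14-voip src-address=192.168.14.0/24 out-interface-list=WAN
add chain=forward action=drop in-interface=vlan14-voip
# cameras: only to the controller, one rule per protocol; no WAN in either direction
add chain=forward action=accept in-interface=vlan15-cam src-address=192.168.15.0/24 out-interface=vlan11-data dst-address=192.168.11.10 protocol=tcp dst-port=554
add chain=forward action=accept in-interface=vlan15-cam src-address=192.168.15.0/24 out-interface=vlan11-data dst-address=192.168.11.10 protocol=udp dst-port=9000-9010
add chain=forward action=drop in-interface=vlan15-cam
add chain=forward action=drop in-interface-list=WAN out-interface=vlan15-cam comment="even a stray dst-nat cannot reach the cameras"
# the data VLAN is unrestricted, so it needs no rules of its own

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

/interface bridge
set [ find name=bridge1 ] vlan-filtering=yes
```

The whole block can be saved as a .rsc file, uploaded to the router and applied in one go with `/import file-name=...`, or handed to `/system reset-configuration no-defaults=yes run-after-reset=...` so it is the only configuration on the box; switching on safe mode in the terminal first (Ctrl-X) makes RouterOS roll the changes back if the session is lost. The NetVanta side of the ether2 trunk has to match: VLAN 11 untagged (native), 12 to 15 tagged, and phone ports carrying 14 tagged plus 11 untagged for the attached PC. Controller-initiated connections to the cameras (an NVR pulling RTSP, say) are already covered, because the data VLAN is unrestricted and the camera's replies match the established,related rule.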

Re: First Attempt at VLANs; Need Help!

Posted: Sat Aug 17, 2019 5:14 pm
by anav
Suggest clear whatever you have and start fresh from defaults.
Then using the below resource (has great examples) you should be good to go!

viewtopic.php?f=13&t=143620

There is one decent Wiki Reference to read.......if not already have...
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

Once you have a fleshed out config, post it here for review
/export hide-sensitive file=yourconfig17Aug

Re: First Attempt at VLANs; Need Help!

Posted: Sat Aug 17, 2019 5:35 pm
by ehbowen
You haven't mentioned what WiFi system you are using, but as long as you can create multiple SSIDs and associate them with tagged VLANs they are just a conduit for the traffic from the client device to the Mikrotik.
Thanks for the very helpful answer. I'm planning to spend some time working on the network later today.

Our Wi-Fi access points are all Ubiquiti UniFi devices, and I have UniFi Controller installed and running on a Raspberry Pi connected to the network.

Re: First Attempt at VLANs; Need Help!

Posted: Sat Aug 17, 2019 5:45 pm
by ehbowen
Regarding DNS: Our primary server (a Synology RackStation) is running the DNS Server package and I'm planning to make it the authoritative master DNS record for our domain. What rules would I need to implement to have all devices on the network look to that unit as the DNS server, and then to force any DNS lookup requests which it makes for the WAN to the SafeDNS servers?

Editing To Add: By the way, the RackStation has dual LAN ports; currently only one is in use. I was planning to use the other as a failover, but would it be better to split internal and external traffic between the two so that only one port is exposed to access from WAN?

Re: First Attempt at VLANs; Need Help!

Posted: Sat Aug 17, 2019 7:03 pm
by tdw
You haven't mentioned what WiFi system you are using, but as long as you can create multiple SSIDs and associate them with tagged VLANs they are just a conduit for the traffic from the client device to the Mikrotik.
Thanks for the very helpful answer. I'm planning to spend some time working on the network later today.

Our Wi-Fi access points are all Ubiquiti UniFi devices, and I have UniFi Controller installed and running on a Raspberry Pi connected to the network.

That's fine, the APs themselves require an untagged network connection for management, the SSIDs can be linked to VLAN tags as required.

Re: First Attempt at VLANs; Need Help!

Posted: Sat Aug 17, 2019 7:28 pm
by tdw
Regarding DNS: Our primary server (a Synology RackStation) is running the DNS Server package and I'm planning to make it the authoritative master DNS record for our domain. What rules would I need to implement to have all devices on the network look to that unit as the DNS server, and then to force any DNS lookup requests which it makes for the WAN to the SafeDNS servers?
Either set the Mikrotik DNS to use the IP address of your server, have the DHCP server network statements specify the Mikrotik as DNS server to clients, and NAT redirect any requests to other addresses. The server IP address would have to be excluded from the redirect rules or you will never be able to make any external lookups.

Or, you could specify the IP address of your server in the DHCP server network statements and src-nat requests to a different address.

There have been some forum posts about how to redirect client DNS requests to a pi-hole server, your setup is analogous with the NAS replacing the pi-hole server in this case.

Edit: Further thoughts, if you use the Mikrotik as a DNS proxy it will continue to serve any resolved requests it has already received if your authoritative server goes away. With either method you would ideally have a secondary DNS server too.

Editing To Add: By the way, the RackStation has dual LAN ports; currently only one is in use. I was planning to use the other as a failover, but would it be better to split internal and external traffic between the two so that only one port is exposed to access from WAN?
Myself I wouldn't expose a NAS to the outside world - there have been several stories of buggy firmware allowing people access to things they shouldn't. Using one port for external traffic rather than sharing it with one for internal traffic makes little difference, a DoS attack on externally accessible services could cripple all the services on the device, and it is easy to misconfigure a DNS server which should be authoritative for your domain and recursive for requests only from your internal device - you really don't want a recursive resolver accessible from the internet.
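
The two DNS layouts described in this reply and in the first one (router as the resolver clients see, or the NAS handed out directly), written out as RouterOS rules. This is an added example, not part of the thread. It assumes the VLAN setup has interface lists named LAN and WAN, that the Synology DNS server sits at 192.168.11.5 on the data VLAN (an assumed address) with its own forwarders pointed at SafeDNS, and that the input chain already drops unsolicited traffic from the WAN. Rewriting the destination of a stray query to the NAS is done with the `dst-nat` action here, because that is the RouterOS action that changes a packet's destination address; the `srcnat` rule at the end handles the same-subnet hairpin that a plain rewrite runs into.

```routeros
# Added example, not from the thread. Assumes interface lists LAN/WAN, the
# Synology DNS server at 192.168.11.5 (assumed address) on the data VLAN with
# its own forwarders set to SafeDNS, and an input chain that already drops
# unsolicited WAN traffic (otherwise allow-remote-requests=yes turns the
# router into an open resolver on its public address).

# Layout 1: the router is the resolver clients see; it asks the NAS, the NAS
# asks SafeDNS. The router keeps answering names it has cached if the NAS is down.
/ip dns
set servers=192.168.11.5 allow-remote-requests=yes

/ip firewall nat
# Any LAN query aimed at some other resolver is bounced to the router (UDP and
# TCP need separate rules). The NAS must be excluded: its own upstream queries
# would otherwise be redirected to the router, which asks the NAS, which loops.
add chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53 in-interface-list=LAN src-address=!192.168.11.5 dst-address-type=!local comment="force DNS via router (udp)"
add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53 in-interface-list=LAN src-address=!192.168.11.5 dst-address-type=!local comment="force DNS via router (tcp)"

# Layout 2 (instead of layout 1): clients get the NAS straight from DHCP and
# stray queries are rewritten to it. Kept disabled=yes so both layouts can live
# in one file; enable one layout, not both. Shown for the data VLAN only.
/ip dhcp-server network
# set [ find address=192.168.11.0/24 ] dns-server=192.168.11.5
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.11.5 protocol=udp dst-port=53 in-interface-list=LAN src-address=!192.168.11.5 dst-address=!192.168.11.5 disabled=yes
add chain=dstnat action=dst-nat to-addresses=192.168.11.5 protocol=tcp dst-port=53 in-interface-list=LAN src-address=!192.168.11.5 dst-address=!192.168.11.5 disabled=yes
# Hairpin: a data-VLAN client whose query was rewritten to the NAS would get the
# reply directly from 192.168.11.5, an address it never sent to, and discard it.
# Masquerading those queries makes the NAS answer via the router, which un-NATs.
add chain=srcnat action=masquerade protocol=udp dst-port=53 src-address=192.168.11.0/24 dst-address=192.168.11.5 disabled=yes
add chain=srcnat action=masquerade protocol=tcp dst-port=53 src-address=192.168.11.0/24 dst-address=192.168.11.5 disabled=yes
```

In both layouts the NAS stays the authoritative source and does the SafeDNS forwarding itself; a belt-and-braces rule that rewrites the NAS's own port-53 traffic to the SafeDNS resolvers would need their addresses, which are not in the thread, so it is not shown. The hairpin masquerade in layout 2 has one side effect worth knowing: for clients on the same subnet as the NAS, its query log will show the router's address rather than the client's.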

Re: First Attempt at VLANs; Need Help!

Posted: Sat Aug 17, 2019 7:33 pm
by ehbowen
Myself I wouldn't expose a NAS to the outside world - there have been several stories of buggy firmware allowing people access to things they shouldn't. Using one port for external traffic rather than sharing it with one for internal traffic makes little difference, a DoS attack on externally accessible services could cripple all the services on the device, and it is easy to misconfigure a DNS server to be authoritative for your domain and recursive for requests only from your internal device - you really don't want a recursive resolver accessible from the internet.
For better or worse I've taken the plunge; no nasty to recover from yet (fingers crossed), but my logs are full of hack attempts. I have an auto block enabled which helps. The DNS server is indeed configured to be authoritative for the domain from all (LAN & WAN) views but recursive only for requests from the internal network.

Re: First Attempt at VLANs; Need Help!

Posted: Sun Aug 18, 2019 12:42 am
by ehbowen
Once you have a fleshed out config, post it here for review
/export hide-sensitive file=yourconfig17Aug
Thanks for the assistance. Attached is where I'm at right now. Currently all Internet access is broken in and out, but I haven't yet configured the switch ports on the NetVanta for the VLANs. I have RS-232 access to that machine, but so far the web access is broken. Still in learning mode, but I'll take another crack at it after I've had a chance to get some rest.

Edit To Add: There's a lot of garbage in there which needs to be cleared out; it represents two years of trial-and-error learning how to configure RouterOS.

Edit 2019-08-18: Removed attachment due to unnecessary configuration info; will provide via PM if requested by those making constructive suggestions.

Re: First Attempt at VLANs; Need Help!

Posted: Sun Aug 18, 2019 2:32 am
by anav
Exactly, it will be far easier to start from fresh defaults using the linked resource to guide you.
First ensure routing and access to ISP is established.
Ensure basic internet access working for the basic lan connected PC.
Then set up the VLANs and LANs etc.
Ensure all APs are working.

Then the firewall rule changes can be made.

Re: First Attempt at VLANs; Need Help!

Posted: Sun Aug 18, 2019 6:40 pm
by ehbowen
All right. It's kicking my you-know-what-but-I-can't-say-it-out-loud-in-church. My first uploaded effort was a miscarriage, to put it bluntly; I was trying to do things piecemeal through Winbox while keeping connectivity. I erased it and tried again in the terminal using the provided examples. My problem then was the default configuration; the default bridge and DHCP kept intercepting all the traffic and assigning all of the IPs and if I tried to disable it I immediately lost all connectivity and had to perform a hard reset. If I tried rejecting the default configuration, I couldn't communicate with the router at all.

For the present I've restored my latest backup of the old configuration and everything is on line again, albeit with no segregation. I'm looking for suggestions as to how to proceed the next time. Rather than doing things while connected and having to fight the default configuration, is it possible to prepare a batch file, upload it all at once, hope that it works, and edit it and retry again if it doesn't? Or what other steps can I take to make this effort more productive?