Mehuge
just joined
Topic Author
Posts: 5
Joined: Wed May 16, 2018 12:06 am

isolated lans using multiple bridges?

Fri Nov 29, 2019 6:39 pm

What I ultimately want to achieve is:

WAN -> Internet (ether1, PPPoE)
HOME_LAN (ether2,ether3,ether4, SSID HOME)
WORK_LAN (ether5, SSID WORK, IPSEC VPN)

HOME_LAN and WORK_LAN must not be able to see each other, but must be able to access the internet.
WORK_LAN must also be able to route down a VPN.

I am trying to get my head around this still, so have been experimenting with a routerOS vm and some linux vms as clients. What I have so far is what seem to be isolated LANS and both able to access the internet.

My question is, is isolating the LANS using two bridges a legitimate / sensible setup given what I eventually want to achieve?

[admin@MikroTik] /interface bridge> /export
# nov/29/2019 17:42:42 by RouterOS 6.45.7
# software id =
/interface bridge
add name=bridge1_home
add name=bridge2_work
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.6.10-192.168.6.150
add name=dhcp_pool1 ranges=10.119.104.2-10.119.104.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1_home name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge2_work name=dhcp2
/interface bridge port
add bridge=bridge1_home interface=ether2
add bridge=bridge1_home interface=ether3
add bridge=bridge2_work interface=ether4
/ip address
add address=192.168.6.1/24 interface=bridge1_home network=192.168.6.0
add address=10.119.104.1/24 interface=bridge2_work network=10.119.104.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.119.104.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.119.104.1
add address=192.168.6.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.6.1
/ip firewall filter
add action=drop chain=forward in-interface=bridge1_home out-interface=bridge2_work
add action=drop chain=forward in-interface=bridge2_work out-interface=bridge1_home
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.6.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.119.104.0/24
Last edited by Mehuge on Sat Nov 30, 2019 6:20 pm, edited 1 time in total.
 
mkx
Forum Guru
Posts: 3345
Joined: Thu Mar 03, 2016 10:23 pm

Re: isolated lans using multiple bridges?

Fri Nov 29, 2019 8:34 pm

Your setup seems fine. A few minor things:
  • in the text you write you want to have ether1 part of HOME_LAN while in setup it's not (and has DHCP client running as if it was still used as WAN interface, src-nat rules imply the same)
  • you probably don't need two masquerade rules, you can probably masquerade just anything going out through WAN interface
BR,
Metod
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: isolated lans using multiple bridges?

Fri Nov 29, 2019 10:44 pm

Why not use VLANs ?
 
mkx
Forum Guru
Posts: 3345
Joined: Thu Mar 03, 2016 10:23 pm

Re: isolated lans using multiple bridges?

Fri Nov 29, 2019 11:22 pm

Why not use VLANs ?

WORK_LAN consists of one ether port, one wireless interface and one IPSEC interface. The mix won't benefit from doing the whole stuff using VLANs (all of it would be handled by the CPU even on CRS3xx). None of the ports are trunks, so no benefit of doing it with VLANs either. Doing it with two bridges doesn't have any benefits either. Other than the fact that enabling vlan-filtering on a bridge disables HW offload (except on CRS3xx), but the current config allows it on bridge1_home, so traffic between ether2 and ether3 will be handled by the switch chip alone.

As OP did it already, I don't see any good reason to tear current config apart. If I were doing it, I'd do it using VLANs though.

@Mehuge: I just remembered a thing which might be of concern in your case: a bridge can offload certain tasks to switching hardware. But it can only be done for ethernet interfaces and a single bridge. The bridge2_work only contains a single ether interface and thus can't benefit from HW offload. To make sure that HW offload remains available for bridge1_home, set hw=no on the line where ether4 gets added to the bridge (add bridge=bridge2_work interface=ether4 hw=no).
BR,
Metod
 
Zacharias
Forum Guru
Posts: 1075
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: isolated lans using multiple bridges?

Sat Nov 30, 2019 1:18 pm

@mkx I didn't read the whole post to be honest...
 
Mehuge
just joined
Topic Author
Posts: 5
Joined: Wed May 16, 2018 12:06 am

Re: isolated lans using multiple bridges?

Sat Nov 30, 2019 6:08 pm

  • in the text you write you want to have ether1 part of HOME_LAN while in setup it's not (and has DHCP client running as if it was still used as WAN interface, src-nat rules imply the same)

My mistake. I meant ether2, 3 and 4 on HOME and 5 on WORK, with ether1 being WAN.

  • you probably don't need two masquerade rules, you can probably masquerade just anything going out through WAN interface

I wondered about that, makes sense.

Why not use VLANs ?
As OP did it already, I don't see any good reason to tear current config apart. If I were doing it, I'd do it using VLANs though.

TBH, I didn't use VLANs because I could not find an example that seemed to fit with what I wanted to do.

@Mehuge: I just remembered a thing which might be of concern in your case: a bridge can offload certain tasks to switching hardware. But it can only be done for ethernet interfaces and a single bridge. The bridge2_work only contains a single ether interface and thus can't benefit from HW offload. To make sure that HW offload remains available for bridge1_home, set hw=no on the line where ether4 gets added to the bridge (add bridge=bridge2_work interface=ether4 hw=no).

Thanks, will add that.

Thanks for the input.
Last edited by Mehuge on Sat Nov 30, 2019 6:14 pm, edited 1 time in total.
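For reference, here is the OP's export with the corrections agreed in the thread applied (ether2-4 on the home bridge, ether5 on the work bridge with hw=no, a single masquerade rule). This is an added example, not a poster's own export; it assumes an ether5 port exists and keeps the lab's DHCP client on ether1, so with the real PPPoE WAN the masquerade out-interface would be the PPPoE client interface instead of ether1.

```routeros
# Added example (not the OP's export): thread corrections applied.
# Assumes ether5 exists; ether1 keeps the lab DHCP client. With a
# PPPoE WAN, use the PPPoE client interface as out-interface instead.
/interface bridge
add name=bridge1_home
add name=bridge2_work
/interface bridge port
# HOME_LAN: ether2,3,4 on one bridge so the switch chip can offload them
add bridge=bridge1_home interface=ether2
add bridge=bridge1_home interface=ether3
add bridge=bridge1_home interface=ether4
# WORK_LAN: a single port, hw=no so bridge1_home keeps HW offload
add bridge=bridge2_work interface=ether5 hw=no
/ip address
add address=192.168.6.1/24 interface=bridge1_home network=192.168.6.0
add address=10.119.104.1/24 interface=bridge2_work network=10.119.104.0
/ip pool
add name=dhcp_pool0 ranges=192.168.6.10-192.168.6.150
add name=dhcp_pool1 ranges=10.119.104.2-10.119.104.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1_home name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge2_work name=dhcp2
/ip dhcp-server network
add address=192.168.6.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.6.1
add address=10.119.104.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.119.104.1
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall filter
# The LAN isolation lives entirely in these two rules; keep them ahead
# of any accept rule added to the forward chain later.
add action=drop chain=forward in-interface=bridge1_home out-interface=bridge2_work
add action=drop chain=forward in-interface=bridge2_work out-interface=bridge1_home
/ip firewall nat
# One rule covers both LANs: masquerade everything leaving via the WAN.
add action=masquerade chain=srcnat out-interface=ether1
```

To confirm the isolation actually holds, ping from a HOME_LAN client to a WORK_LAN address and watch the two drop rules' counters increase in `/ip firewall filter print stats`.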
