Ebot32

hEX S router Individual ethernet port and VLANs configuration

Wed Jul 15, 2020 4:20 am

All, I’m a new user of MikroTik hardware (hEX S router w/RouterOS v6.47). I need help understanding what needs to be done to successfully implement the settings explained below. My findings online have not helped much, so I am now reaching out to this group for help.

What configurations need to be in place on my hEX S router to have port 1 as my WAN port and ports 2, 3, 4, 5 and SFP as individual subnets on their own VLANs, with port 1 being each VLAN’s connection to the internet via NAT? I will also need to have the built-in firewall protect all VLANs yet keep each one from communicating with any other VLAN.

Do I first create each new individual VLAN interface, then create an individual bridge interface for each VLAN? Next, configure each VLAN port interface with its IP information. No DHCP services needed. Last, pair each VLAN interface with the bridge interface. Next, add the firewall rule set. No clue at all on what needs to be configured on the firewall to allow it all to work.

Any and all help is very much appreciated.

Ebot.32
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hEX S router Individual ethernet port and VLANs configuration

Wed Jul 22, 2020 6:32 pm

Best place to start is reading this document.
viewtopic.php?t=143620
If you are using a separate PORT for each subnet, you may not require VLANs (VLANs are usually required when running multiple subnets over a single port).
 
k6ccc
Forum Guru
Posts: 1497
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: hEX S router Individual ethernet port and VLANs configuration

Wed Jul 22, 2020 8:29 pm

That is very similar to what I am doing. I am using my routers (RB750r2 & RB750Gr3) exclusively as routers. The different LAN ports connect to managed switches that handle ALL switching function. I don't know if you will have any downstream switches, or will each port be connected to a single dedicated device, but as far as the router is concerned, it does not really matter. First of all, since no two LAN ports will normally communicate with each other, you do not need a bridge at all. In my case, I am using a combination of LAN subnets that have a physical port on the router and VLANs that come off the router as a VLAN trunk. Here is a piece of my config that should get you started.
/interface ethernet
set [ find default-name=ether1 ] comment="Spectrum cable internet" name=\
    E1-p2_Cable_Internet speed=100Mbps
set [ find default-name=ether2 ] comment="Main cable home LAN" name=E2-p4_101 \
    speed=100Mbps
set [ find default-name=ether3 ] comment="Cable Private WiFi" name=E3-p6_103 \
    speed=100Mbps
set [ find default-name=ether4 ] comment="802.1Q trunk" name=E4-p8_802.1Q \
    speed=100Mbps
set [ find default-name=ether5 ] comment="Router to Router tie" name=\
    "E5 to Router 2" speed=100Mbps
/interface vlan
add comment="AREDN WAN" interface=E4-p8_802.1Q name=VLAN_001 vlan-id=1
add comment="AREDN LAN" interface=E4-p8_802.1Q name=VLAN_005 vlan-id=5
add comment="AREDN 3GHz at Johnstone to Pleasants Peak LAN interface" \
    interface=E4-p8_802.1Q name=VLAN_011 vlan-id=11
add comment="AREDN 5GHz at Johnstone SW sector LAN interface" interface=\
    E4-p8_802.1Q name=VLAN_012 vlan-id=12
add comment="AREDN 5GHz at Johnstone SE sector LAN interface" interface=\
    E4-p8_802.1Q name=VLAN_013 vlan-id=13
add comment="AREDN Internal LAN" interface=E4-p8_802.1Q name=VLAN_015 \
    vlan-id=15
add comment="Cable Public WiFi" interface=E4-p8_802.1Q name=VLAN_102 vlan-id=\
    102
add comment="Cactus" interface=E4-p8_802.1Q name=VLAN_104 vlan-id=\
    104
add comment="Scanner feed" interface=E4-p8_802.1Q name=VLAN_105 vlan-id=105
add comment="Internet of Things" interface=E4-p8_802.1Q name=VLAN_106 vlan-id=106
Looking first at the five physical Ethernet ports of the router, port 1 is my cable internet connection. Ports 2 & 3 are my normal home LAN and my private WiFi. Port 4 is an 802.1Q VLAN trunk that carries a bunch of various VLANs, and port 5 is a direct connection to the other router. Oddly, I am not sure where that speed=100Mbps setting is coming from. All of those ports are advertising everything from 10Mbps up to 1Gbps, and except for the router to router tie (which is 100Mbps because of the other router), they are all operating at 1Gbps.
Below that are all the VLANs. The first six are some specialty ham radio stuff.

Each LAN or VLAN has its own DHCP server and IP address pool:
/ip pool
add name=".101 DHCP pool" ranges=192.168.101.100-192.168.101.119
add name=".102 DHCP pool" ranges=192.168.102.100-192.168.102.119
add name=".103 DHCP pool" ranges=192.168.103.100-192.168.103.119
add name=".104 DHCP pool" ranges=192.168.104.100-192.168.104.109
add name=".106 DHCP pool" ranges=192.168.106.100-192.168.106.109
add name=".105 DHCP pool" ranges=192.168.105.100-192.168.105.109
add name=".001 DHCP pool" ranges=192.168.1.100-192.168.1.109
/ip dhcp-server
add address-pool=".101 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E2-p4_101 lease-time=3h name=".101 DHCP server"
add address-pool=".102 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_102 lease-time=3h name=".102 DHCP server"
add address-pool=".103 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E3-p6_103 lease-time=3h name=".103 DHCP server"
add address-pool=".104 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_104 lease-time=3h name=".104 DHCP server"
add address-pool=".106 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_106 lease-time=3h name=".106 DHCP server"
add address-pool=".105 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=VLAN_105 lease-time=3h name=".105 DHCP server"
add address-pool=".001 DHCP pool" disabled=no interface=VLAN_001 lease-time=\
    3h name=".001 DHCP server"

And each LAN or VLAN has its own IP address:
/ip address
add address=192.168.101.251/24 interface=E2-p4_101 network=192.168.101.0
add address=192.168.102.251/24 interface=VLAN_102 network=192.168.102.0
add address=192.168.103.251/24 interface=E3-p6_103 network=192.168.103.0
add address=192.168.211.251/24 interface="E5 to Router 2" network=\
    192.168.211.0
add address=192.168.104.251/24 interface=VLAN_104 network=192.168.104.0
add address=192.168.105.251/24 interface=VLAN_105 network=192.168.105.0
add address=192.168.106.251/24 interface=VLAN_106 network=192.168.106.0
add address=192.168.1.251/24 interface=VLAN_001 network=192.168.1.0

In the firewall rules, there are a couple of specific allowed connections between the different LANs, but for the most part, each LAN is not allowed to communicate with the others with this rule as the LAST rule in the forward chain:
/ip firewall filter
add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"

There is only one masquerade rule required since everything is actually going out to the internet via the same cable connection:
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade for cable" \
    out-interface=E1-p2_Cable_Internet
That should be enough to get you started...
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hEX S router Individual ethernet port and VLANs configuration

Wed Jul 22, 2020 9:03 pm

The firewall rule is key to your setup, as by default the router has a philosophy of allowing anything but blocking what is not required.
So one can see that in the default rule set, on the input chain they block all not coming from the LAN, and in the forward chain they block all from the WAN that is not dstnatted.

Great for a new user who is learning the ropes and how to config the router (understand each rule and its effects).
Once you go beyond one simple LAN, however, it is much more efficient and safe to change the philosophy to block all and specifically allow only desired traffic.
This means ensuring you have the connectivity you desire.
(access to router for admin - input chain)
(access to services such as DNS (port 53) for all LAN users - input chain)
(access to internet for lans - forward chain)
and then at the end of the input chain and the forward chain put the rules "drop all else" as noted above.

In your case, the drop all else rule in the forward chain will ensure that the router doesn't attempt to route traffic between the LANs.

Note: Once you implement the drop all rules you can get rid of the default input chain rule (block all not coming from the LAN), as you now should have a rule for admin access and for LAN services access (much more specific, as all LAN users do not need full access to the router), and you can drop the WAN default rule (block all from WAN not dstnatted) as you may not even have any port forwardings required anyway, plus it's easy to add a dstnat rule if required in the future.
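Putting k6ccc's routed-ports layout and anav's "block all, allow only what is needed" advice together, here is an added, complete hEX S configuration for the original question (my example, not code from either poster or from MikroTik): ether1 as WAN, ether2-5 and sfp1 each a routed subnet with no bridge and no VLAN interfaces (one port per subnet needs none), no DHCP servers on the LAN side, and a firewall that ends both chains with a drop. The 192.168.x.0/24 address plan, the choice of ether2 as the only admin port, and the WAN getting its address via DHCP client are assumptions.

```routeros
# Constructed example for a hEX S on RouterOS v6.x. Assumed address plan:
# ether2..ether5 -> 192.168.2-5.0/24, sfp1 -> 192.168.6.0/24, ether1 = WAN.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
# One router address per port; no bridge, so ports are isolated at L3 by routing only.
/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0
add address=192.168.5.1/24 interface=ether5 network=192.168.5.0
add address=192.168.6.1/24 interface=sfp1 network=192.168.6.0
# WAN address from the ISP (assumption: DHCP on ether1)
/ip dhcp-client
add interface=ether1 disabled=no
# Router answers DNS for the LANs, so port 53 must be allowed on input below.
/ip dns
set allow-remote-requests=yes
/ip firewall filter
# input chain: traffic to the router itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp in-interface-list=LAN
add chain=input action=accept in-interface=ether2 protocol=tcp dst-port=8291,22 comment="admin (WinBox/SSH) from ether2 only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="DNS for all LANs"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=drop comment="drop all else (input)"
# forward chain: traffic the router routes between interfaces
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="any LAN to internet"
add chain=forward action=drop comment="drop all else (forward): blocks LAN-to-LAN and unsolicited WAN"
# One masquerade rule covers every subnet, as k6ccc noted.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
```

Paste this from a console session on ether2 (or inside Safe Mode), because the input chain's final drop will cut off any management session that does not match the admin rule.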
