digger
just joined
Topic Author
Posts: 1
Joined: Fri Oct 16, 2020 5:41 pm

Building LAN from scratch: 4 mikrotiks - 4 networks

Fri Oct 16, 2020 6:07 pm

Hello guys, I am using an RB951G-2HnD to my satisfaction, but as time goes on things have changed and I need to "rewire" my LAN.
I have bought 3 additional RB760iGS's in order to achieve something like this:
LAN_topology_iteration_1.jpg
This is a basic diagram, and in the first step what I would like to know is how to make services hosted on srv1-3 available to networks 30 and 40.
What would be the correct and safe way to do this?

In the next steps I would need to define the DMZ, and multiple VMs and containers will be sitting in their respective VLANs, but that is a quest for another day.

Could someone please kickstart me here and provide me with some hints and points how to start building this?

Thank you
 
tdw
Long time Member
Posts: 510
Joined: Sat May 05, 2018 11:55 am

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Fri Oct 16, 2020 10:33 pm

There are different approaches - you could route between subnets on mikrotik2-4 and have static routing rules on mikrotik1 so traffic is directed to the correct mikrotik, or you could use mikrotik2-4 as switches with VLANs and perform all of the routing/firewalling on mikrotik1 which is probably the more common method. viewtopic.php?f=13&t=143620 is a good starting point.
 
xvo
Forum Guru
Posts: 1037
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Fri Oct 16, 2020 11:32 pm

There are different approaches - you could route between subnets on mikrotik2-4 and have static routing rules on mikrotik1 so traffic is directed to the correct mikrotik, or you could use mikrotik2-4 as switches with VLANs and perform all of the routing/firewalling on mikrotik1
RB760iGS won't be good as switches in vlan setup - they lack hardware vlan support, so there will be no benefit in performance compared to routed network.
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Fri Oct 16, 2020 11:41 pm

I would use the router with the most oomph in terms of CPU ram/etc..... the one interfacing with the ISP and the rest acting as switches or ap/switches via VLAN routing.
For example I would have bought a hap AC2 perhaps as the main router or even an RB450Gx4 (no wifi). If you know the rest will be switches then acquiring tailored managed switches of any vendor will do fine and return the hexes. In general, I find it less than amusing when someone says this is what I would like to accomplish and here is what I bought to do it with, what should I do?

The right course of action is........hey I am thinking of designing the following network, this is what I have, what should I procure to complete the design and how should I configure it..................
Much less expensive and more likely to meet expectations.


Be that as it may I am currently using my hexes as switches and happy as a pig in shit. I also have 2 MT 260GS switches, three non-MT managed switches, 2 capacs, and 1 non-MT AP in my home network.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mkx
Forum Guru
Posts: 4721
Joined: Thu Mar 03, 2016 10:23 pm

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 3:30 pm

RB760iGS won't be good as switches in vlan setup - they lack hardware vlan support, so there will be no benefit in performance compared to routed network.

Performance-wise you're right. Configuration-wise, VLANs and centralized routing config is much simpler than distributed routing. Plus it would make a good basis for expansion (much easier to add another subnet or increase number of ports within subnet or replacement of RB760iGS with a proper managed switch). Also routing-only subnet (10.10.20.0/24) wouldn't be needed.
BR,
Metod
 
xvo
Forum Guru
Posts: 1037
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 3:41 pm

Performance-wise you're right. Configuration-wise, VLANs and centralized routing config is much simpler than distributed routing. Plus it would make a good basis for expansion (much easier to add another subnet or increase number of ports within subnet or replacement of RB760iGS with a proper managed switch). Also routing-only subnet (10.10.20.0/24) wouldn't be needed.
Sure. But then it makes perfect sense to sell/return 2 of the 3 hEXes and buy 3 managed switches instead (or even one managed and two unmanaged will do), and use the remaining hEX for routing only.
 
mkx
Forum Guru
Posts: 4721
Joined: Thu Mar 03, 2016 10:23 pm

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 4:09 pm

Sure. But then it makes perfect sense to sell/return 2 of the 3 hEXes and buy 3 managed switches instead (or even one managed and two unmanaged will do), and use hEX for routing only.
Sure. I'd go for managed switches, that way topology can be changed from star-like (as OP currently plans it) to anything else (can be linear, can be star but with different/multiple VLANs present at same hubs and/or spokes, combination of both, sky is the limit). If those switches-to-be will be physically co-located, then it can be single switch with larger number of ports (16, 24, ...).
BR,
Metod
 
xvo
Forum Guru
Posts: 1037
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 4:20 pm

Yes, that's exactly my point.
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 5:29 pm

Wrong, the point is.
a. ask first before purchasing
b. nail down requirements and then ask help here for a design
c. purchase products
d. blame xvo and sob when things don't work
e. get advice from the llama to fix the config
or something like that... ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
aesmith
Frequent Visitor
Posts: 57
Joined: Wed Mar 27, 2019 6:43 pm

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 6:12 pm

That's quite a complex network for a home. If it's being done as a learning exercise then I'd suggest adding something else into the mix, variable length subnets. Typically in a corporate network we'd use /30 or /31 for any point to point links that will only ever have two devices. I'm not sure if Mikrotik supports /31 but I thought I'd mention it.

I assume you are aware that 20.0.0.0/8, 30.0.0.0/8 and 40.0.0.0/8 are not private addresses; there are real users out there on the Internet with those addresses. Using them internally would mean you can't reach those real users if the need ever arose. It may be far-fetched, but we did have a customer who found he couldn't reach a certain site; the reason was that his internal use of something like 128.1.0.0/16 stopped him accessing particular name servers.

Tony S
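An added example, not part of the original post: a check of the address plan for subnets outside RFC 1918, plus a longest-prefix-match lookup that shows why an Internet host inside such a range becomes unreachable. The subnets are the ones quoted in the thread; the plan names, the gateway names and the mapping of networks to mikrotik2-4 are assumptions, and the sample destinations are constructed.

```python
import ipaddress

# RFC 1918 private blocks: the only IPv4 space reserved for internal LANs.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def public_subnets(plan):
    """Return the entries of an address plan that fall outside RFC 1918."""
    return {name: cidr for name, cidr in plan.items()
            if not any(ipaddress.ip_network(cidr).subnet_of(b) for b in RFC1918)}

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

# Constructed plan: subnets quoted in the thread; names and gateways assumed.
PLAN = {"routing": "10.10.20.0/24", "net20": "20.0.0.0/8",
        "net30": "30.0.0.0/8", "net40": "40.0.0.0/8"}
ROUTES = [("0.0.0.0/0", "ISP"), ("10.10.20.0/24", "local"),
          ("20.0.0.0/8", "mikrotik2"), ("30.0.0.0/8", "mikrotik3"),
          ("40.0.0.0/8", "mikrotik4")]

if __name__ == "__main__":
    print("public space used internally:", public_subnets(PLAN))
    # 40.1.2.3 stands for some Internet host; it is routed inward, not to the ISP.
    for dst in ("40.1.2.3", "198.51.100.7"):
        print(dst, "->", next_hop(ROUTES, dst))
```

The internal /8 route is more specific than the default route, so traffic for any Internet host in that range never leaves the LAN.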
 
xvo
Forum Guru
Posts: 1037
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 6:36 pm

I'm not sure if Mikrotik supports /31 but I thought I'd mention it.
It doesn't. You need to use a pair of /32 addresses with network specified as the "opposite" one.
 
mkx
Forum Guru
Posts: 4721
Joined: Thu Mar 03, 2016 10:23 pm

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 7:30 pm

I'm not sure if Mikrotik supports /31 but I thought I'd mention it.
It doesn't. You need to use a pair of /32 addresses with network specified as the "opposite" one.
And it works like a charm. The best thing about using /32 addressing: if a router has multiple such links, it doesn't have to have different local IP addresses, same IP address can be reused multiple times (with different network part). An example using IPIP links, but should work for straight ethernet as well:
/interface ipip
add allow-fast-path=no name=ipip1 #other IPIP parameters come here
add allow-fast-path=no name=ipip2 #other IPIP parameters for another endpoint
/ip address
add address=192.168.42.1/23 interface=LAN network=192.168.42.0
add address=192.168.42.1 interface=ipip1 network=192.168.37.1 # note that default network mask is /32
add address=192.168.42.1 interface=ipip2 network=192.168.13.1
/ip route
add distance=1 dst-address=192.168.36.0/23 gateway=ipip1
add distance=1 dst-address=192.168.13.0/24 gateway=ipip2
which ends up as
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
...
 3   192.168.42.1/23    192.168.42.0    LAN

 5   192.168.42.1/32    192.168.37.1    ipip1
 6   192.168.42.1/32    192.168.13.1    ipip2

/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
...
 2 A S  192.168.13.0/24                    ipip2                     1
 3 ADC  192.168.13.1/32    192.168.42.1    ipip2                     0
 4 A S  192.168.36.0/23                    ipip1                     1
 5 ADC  192.168.37.1/32    192.168.42.1    ipip1                     0
...
 8 ADC  192.168.42.0/23    192.168.42.1    LAN                       0
When doing traceroute (any direction), it's always "native" IP address shown. If WAN IP addresses were static on both tunnel ends, then one could use those when setting up address of a tunnel, in that case when doing traceroute only public addresses would be shown in printout ...
user@192.168.42.10:~$ traceroute 192.168.37.7
traceroute to 192.168.37.7 (192.168.37.7), 64 hops max
  1   192.168.42.1  0.386ms  0.201ms  0.168ms
  2   192.168.37.1  7.100ms  6.866ms  6.479ms
  3   192.168.37.7  6.938ms  6.458ms  6.921ms
user@192.168.42.10:~$

If using routing subnets, then routing IP address of next hop (depending on direction) will be shown in the list of hops, e.g. instead of 192.168.37.1 on the example above.

Or an example using both tunnels (site2 is reachable from site3 via the shown ipip tunnels, joined on site1):
user@192.168.37.7:~$ traceroute 192.168.13.2
traceroute to 192.168.13.2 (192.168.13.2), 30 hops max, 60 byte packets
 1  192.168.37.1 (192.168.37.1)  0.311 ms  0.317 ms  0.294 ms
 2  192.168.42.1 (192.168.42.1)  7.748 ms  7.770 ms  7.861 ms
 3  192.168.13.1 (192.168.13.1)  15.798 ms  15.870 ms  16.485 ms
 4  192.168.13.2 (192.168.13.2)  48.111 ms  49.034 ms  49.373 ms
user@192.168.37.7:~$
BR,
Metod
 
xvo
Forum Guru
Posts: 1037
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 7:54 pm

And it works like a charm.
Yes it does! And another great thing about that - the addresses don't have to be adjacent, so I have all my PTP links like 172.27.XXX.YYY - 172.27.YYY.XXX (where XXX is some unique identifier for this particular router). That is perfect for 1) ease of reading 2) the ability to refer to all "other ends" at once as 172.27.XXX.0/24 (for example in ospf/networks).
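An added example, not code from the posters: a generator for the /32 point-to-point entries in the `add address=... interface=... network=...` form shown earlier in the thread, with a check that every entry has its mirror image on the peer router. It assumes one reading of the numbering scheme (router X's end of the link to Y is 172.27.Y.X, so all of X's remote ends sit in 172.27.X.0/24); the router ids and interface names are constructed.

```python
import ipaddress

def ptp_lines(router_id, links, prefix="172.27"):
    """Build '/ip address' lines for one router; links = {interface: peer id}."""
    lines = []
    for iface, peer in sorted(links.items()):
        if peer == router_id or not all(1 <= i <= 254 for i in (router_id, peer)):
            raise ValueError(f"bad router id pair {router_id}/{peer}")
        local = f"{prefix}.{peer}.{router_id}"    # this router's end
        remote = f"{prefix}.{router_id}.{peer}"   # the peer's end, used as network=
        lines.append(f"add address={local} interface={iface} network={remote}")
    return lines

def parse(lines):
    """Extract (local, remote) address pairs from 'add address=...' lines."""
    pairs = []
    for line in lines:
        kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        local = ipaddress.ip_interface(kv["address"])  # no mask means /32
        pairs.append((local.ip, ipaddress.ip_address(kv["network"])))
    return pairs

def orphans(configs):
    """Entries whose mirror image (remote, local) exists on no other router."""
    seen = {pair for lines in configs.values() for pair in parse(lines)}
    return sorted((name, str(l), str(r)) for name, lines in configs.items()
                  for l, r in parse(lines) if (r, l) not in seen)

# Constructed three-router star: ids and interface names are assumptions.
CONFIGS = {"r1": ptp_lines(1, {"ether2": 2, "ether3": 3}),
           "r2": ptp_lines(2, {"ether1": 1}),
           "r3": ptp_lines(3, {"ether1": 1})}

if __name__ == "__main__":
    for name, lines in CONFIGS.items():
        print(name, *lines, sep="\n  ")
    print("orphans:", orphans(CONFIGS))
```

A mistyped `network=` value on one end shows up as two orphans, one on each router of the broken link.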
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 8:08 pm

Totally lost LOL, a simple VLAN network turns into an IPIP parameters and PTP links nightmare. Will go back to munching my grass.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
mkx
Forum Guru
Posts: 4721
Joined: Thu Mar 03, 2016 10:23 pm

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 8:10 pm

Where did you see VLANs in original post?

Ah, I forgot about MTUNA certificate :lol:

But you're right ... @digger, please describe the network layout you'd like to have and we may be able to give you some good advice. Surely what you sketched can fly with some static routes on each of involved routers, but as you can see, many of us think the setup you sketched is probably sub-optimal.
BR,
Metod
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Building LAN from scratch: 4 mikrotiks - 4 networks

Sun Oct 18, 2020 8:14 pm

Easy, mkx, you have to read between the synapses!!
Any time you want to email me with your dissertation of IPIP parameters in such a setup that would be swell. ;-)
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
