I'd like to begin by mentioning that I'm not even remotely good at networking; I'm a web dev by trade and I don't even remember why I thought this was a good idea... My end goal is to have some domains hosted on some "servers" in my house, accessible by me and everyone else through a static IP from my second ISP, while my house's internet is provided by the first ISP.
The setup is as follows:
ISP1 -> 1000/500 Mbps up/down PPPoE connection. Really good connection, but they will not provide static IPs to home users.
ISP2 -> 1000/500 Mbps up/down DHCP connection. Decent connection, and they provide static IPs to home users.
Both ISPs have fiber in my house, and that fiber gets converted to copper through their GPONs. The connections come in to my hEX on ports eth1 and eth2 respectively.
Following that, port eth3 has a DHCP server configured to serve out 10.10.1.0/24 IPs and an 8-port switch connected, which then has my servers.
Ports eth4 and eth5 are bridged as my home LAN, with their own DHCP server configured to serve out 10.10.0.0/24. Port 4 has another 8-port switch and port 5 has a TP-Link Wi-Fi router in access point mode. All my personal devices are on this network.
Ideally I would like these two networks to be separated from each other, and the router to not even allow me to connect to 10.10.1.x from 10.10.0.x, but without sending the requests that come in to ISP2's public IP from my home network through the internet. Right now I have it somewhat working, but it's not what I wanted, and I seem to be stumped. There are a lot of weird issues whose origin I don't know. The only thing that properly works so far is that every LAN uses its designated connection for accessing the internet. A list of issues so far:
- Public IPs are not responding to ping, even though I have the accept incoming ICMP rule.
- Connecting to ISP2's public IP from any LAN just hangs. I tried hairpin NAT and masquerading the LAN when connecting directly to the static IP, but I can't seem to get it to work.
- I tried configuring local DNS entries on the MikroTik to route my domains to the servers LAN; that did nothing. MikroTik's DNS server forwarded me directly when accessing those.
I'm doing this mostly to learn Docker Swarm, Kubernetes, CI/CD, networking and security, but right now I'm only met with frustration trying to understand low-level details in networking that I feel I understand, but when I try to put them into practice I'm shooting myself in the head. I've probably made life more difficult for myself by running this weird config.
Any new idea or criticism is welcome. I've reached a point where I'm about to just throw everything out, keep the connections separate on their own routers, and deal with the latency, which right now I can't even measure...
I'll attach my config here.
/interface bridge
add name=bridge1-home
/interface ethernet
set [ find default-name=ether2 ] name=WAN-ether2-isp2
set [ find default-name=ether1 ] name=ether1-isp1
set [ find default-name=ether3 ] name=ether3-servers
set [ find default-name=ether4 ] name=ether4-home-wifi
set [ find default-name=ether5 ] name=ether5-home-switch
set [ find default-name=sfp1 ] disabled=yes
/interface pppoe-client
add disabled=no interface=ether1-isp1 name=WAN-pppoe-isp1 password=xxxxxxx user=xxxxxxx
/interface list
add name=LAN
add name=WAN
/ip pool
add name=home ranges=10.10.0.2-10.10.0.254
add name=servers ranges=10.10.1.2-10.10.1.254
/ip dhcp-server
add add-arp=yes address-pool=home disabled=no interface=bridge1-home lease-time=1d name=dhcp-home
add add-arp=yes address-pool=servers disabled=no interface=ether3-servers lease-time=1w name=dhcp-server
/interface bridge port
add bridge=bridge1-home interface=ether4-home-wifi
add bridge=bridge1-home interface=ether5-home-switch
/ip neighbor discovery-settings
set discover-interface-list=*2000014
/interface list member
add interface=WAN-ether2-isp2 list=WAN
add interface=WAN-pppoe-isp1 list=WAN
add interface=ether3-servers list=LAN
add interface=bridge1-home list=LAN
/ip address
add address=10.10.0.1/24 interface=bridge1-home network=10.10.0.0
add address=10.10.1.1/24 interface=ether3-servers network=10.10.1.0
/ip dhcp-client
add add-default-route=no disabled=no interface=WAN-ether2-isp2 use-peer-dns=no
/ip dhcp-server lease
add address=10.10.0.254 client-id=1:b0:95:75:7e:fb:f7 mac-address=B0:95:75:7E:FB:F7 server=dhcp-home
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1
add address=10.10.1.0/24 gateway=10.10.1.1
add address=x.x.x.0/26 dns-server=1.1.1.1 gateway=x.x.x.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=10.10.0.1 name=home.lan
add address=10.10.1.1 name=servers.lan
/ip firewall address-list
add address=10.10.0.0/24 list=LAN-dst
add address=10.10.1.0/24 list=LAN-dst
/ip firewall filter
add action=accept chain=input comment=" defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment=" defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" src-address-list=!LAN-dst
add action=accept chain=forward connection-state=new src-address-list=LAN-dst
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment="mark home LAN connections" dst-address-list=!LAN-dst \
new-routing-mark=home-LAN-route-mark passthrough=no src-address=10.10.0.0/24
add action=mark-routing chain=prerouting comment="mark servers LAN connections" dst-address-list=!LAN-dst \
new-routing-mark=servers-LAN-route-mark passthrough=no src-address=10.10.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-pppoe-isp1
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 out-interface=WAN-ether2-isp2
/ip route
add distance=1 gateway=WAN-pppoe-isp1 routing-mark=home-LAN-route-mark
add distance=1 gateway=x.x.x.1 routing-mark=servers-LAN-route-mark
/ip service
set telnet address=10.10.0.0/24
set ftp address=10.10.0.0/24
set www disabled=yes
set ssh address=10.10.0.0/24
set api address=10.10.0.0/24
set winbox address=10.10.0.0/24
set api-ssl address=10.10.0.0/24
/system clock
set time-zone-name=Europe/Bucharest
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
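An added example, not part of the original post, sketching in RouterOS syntax the three pieces the post is asking for: publishing a server on the ISP2 static address, hairpin NAT so LAN clients that open the public address stay inside the router, and blocking the home LAN from the servers LAN. It reuses the post's interface and address-list names but assumes a placeholder public address x.x.x.2 and a hypothetical web server at 10.10.1.10, since the post masks its real addresses.

```routeros
# Assumed values (not from the post): x.x.x.2 is the ISP2 static address,
# 10.10.1.10 is a web server sitting on ether3-servers.

/ip firewall mangle
# dst-nat runs after mangle prerouting, so traffic aimed at the public address
# would otherwise match the "dst not in LAN-dst" mark-routing rules and be sent
# out a WAN. Accept it here, ahead of those rules, so it stays in the main table.
add chain=prerouting dst-address=x.x.x.2 action=accept place-before=0 \
    comment="hairpin: keep traffic to the public IP in the main table"

/ip firewall nat
# Publish the server: rewrite the public destination to the server's LAN address.
add chain=dstnat dst-address=x.x.x.2 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=10.10.1.10 \
    comment="publish web server on ISP2 static IP"
# Hairpin: a LAN client reaching the server through the public address must see
# the reply come back from the router, not directly from 10.10.1.10.
add chain=srcnat src-address-list=LAN-dst dst-address=10.10.1.10 \
    protocol=tcp dst-port=80,443 out-interface=ether3-servers \
    action=masquerade comment="hairpin NAT for LAN clients"

/ip firewall filter
# Isolation: the home LAN may not open connections to the servers LAN. This goes
# above the post's "accept forward new from LAN-dst" rule; hairpin connections
# are already dst-nat'ed at this point, so only the published ports get through.
add chain=forward src-address=10.10.0.0/24 dst-address=10.10.1.0/24 \
    connection-nat-state=!dstnat action=drop \
    place-before=[find chain=forward src-address-list=LAN-dst connection-state=new] \
    comment="block home LAN -> servers LAN except published services"

/ip route
# Replies the router itself sends (e.g. to a ping of the public address) use the
# main table, which has no default route in the posted config.
add dst-address=0.0.0.0/0 gateway=x.x.x.1 distance=1 \
    comment="main-table default via ISP2"
```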