ISP gave me two separate PPPoE accounts but they are both set on same ISP ethernet cable, I get a dedicated public IP on each connection.
I want to separate the two connections so that I have one group of computers for home use and the other group of computers for office/business use, each group using a different public IP (and local ip class I guess ?!).
It works OK if I put a switch at the ISP cable, then have one PPPOE on the Mikrotik and one PPPOE on another router (see attached image), but I want to just use the mikrotik and remove the switch and the extra router.
I assume I need to create two vlans for this ? (unless there is an easier and more reliable way), I also did it with connection marking but I thought it was too complicated (now I find vlans method complicated).
- made two different dhcp servers, two different classes of local IPs: 192.168.3.0/16 192.168.4.0/16, I thought /16 instead of /24 would also allow computers from two networks to see each other, I am lost here.
- made two bridges and added second vlan on the second bridge
- tried to move the internet ISP eth port/interface on the second bridge, but it doesn't work in "slave" mode, I am lost :/
- under main menu bridge > ports, I linked one ETH (eth3) port with bridge-2, expecting for computers connected here to get second ISP connection (not working).
Maybe without getting in the details...
- does the "one cable" thing prevent me from properly separating these two connections ?
- do I (can I) somehow mirror the actual cable port into two and then associate each one with one of the vlans ?
- is "tagged port" something that should be used in this case ?
- what do I need in order for computers from the two subnets see each other ? (e.g 192.168.3.11 and 192.168.4.11) ?
This one is a HAPac2, another one I have appears to have two separate hardware "switches" in it, that might help in this case ?!
Edit, the config, I tried to edit-out some parts for simplicity and privacy:
/interface bridge
add admin-mac=48:8F:XX:XX:XX:28 auto-mac=no comment=defconf name=bridge-1-home
add name=bridge-2-for-vlan-business
/interface ethernet
set [ find default-name=ether1 ] name=ether1-rds
set [ find default-name=ether2 ] advertise=1000M-half,1000M-full disabled=yes \
mac-address=B0:95:XX:XX:XX:62 name=ether2-SOME-OTHER-ISP
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-rds name=\
pppoe-rds-business user=CRPTM13592XXXX
add add-default-route=yes disabled=no interface=ether1-rds name=pppoe-rds-home \
user=TM18839XXXX
/interface vlan
add interface=bridge-2-for-vlan-business name=vlan-2-business vlan-id=1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=adr-dhcp-pool ranges=192.168.3.101-192.168.3.255
add name=adr-dhcp-pool-business ranges=192.168.4.100-192.168.4.255
/ip dhcp-server
add address-pool=adr-dhcp-pool disabled=no interface=bridge-1-home name=\
adr-dhcp-server-1
add address-pool=adr-dhcp-pool-business disabled=no interface=\
bridge-2-for-vlan-business name=adr-dhcp-server-2-business
/ppp profile
set *FFFFFFFE local-address=adr-dhcp-pool remote-address=adr-dhcp-pool
/interface bridge port
add bridge=bridge-2-for-vlan-business interface=ether3
add bridge=bridge-1-home interface=ether4
add bridge=bridge-1-home interface=ether5
add bridge=bridge-1-home disabled=yes interface=wlan1_2g_interface
add bridge=bridge-1-home disabled=yes interface=wlan2_5g_interface
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set allow-fast-path=yes enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge-1-home list=LAN
add interface=ether2-SOME-OTHER-ISP list=WAN
add list=WAN
add list=WAN
add interface=pppoe-rds-home list=WAN
add interface=ether1-rds list=WAN
add interface=pppoe-rds-business list=WAN
add list=WAN
/interface ovpn-server server
set certificate=EXAMPLE_cert.pem_0 cipher=blowfish128,aes128,aes256 \
enabled=yes require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-1-home network=\
192.168.88.0
add address=192.168.3.1/24 interface=bridge-1-home network=192.168.3.0
add address=192.168.4.1/24 interface=bridge-2-for-vlan-business network=\
192.168.4.0
/ip arp
add address=192.168.3.10 interface=bridge-1-home mac-address=64:76:XX:XX:XX:02
add address=192.168.3.16 interface=bridge-1-home mac-address=88:D7:F6:XX:XX:D1
add address=192.168.3.9 interface=bridge-1-home mac-address=D0:37:XX:XX:XX:85
add address=192.168.3.100 interface=bridge-1-home mac-address=B0:95:XX:XX:XX:B1
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add disabled=no interface=ether2-SOME-OTHER-ISP use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.3.10 mac-address=64:76:XX:XX:XX:02 server=adr-dhcp-server-1
add address=192.168.3.16 client-id=1:88:D7:F6:XX:XX:D1 mac-address=\
88:D7:F6:XX:XX:D1 server=adr-dhcp-server-1
add address=192.168.4.0/24 dns-server=192.168.4.1,8.8.8.8,1.1.1.1 gateway=\
192.168.4.1 netmask=16
add address=192.168.88.0/24 dns-server=192.168.88.1,8.8.8.8,1.1.1.1 gateway=\
192.168.88.1 netmask=16
/ip dns
set allow-remote-requests=yes cache-size=8192KiB servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="allow OpenVPN ?!" dst-port=1194 \
protocol=tcp
add action=accept chain=input comment="UDP vpn ports ?!" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="UDP vpn ports ?!" dst-port=1723 \
protocol=tcp
add action=accept chain=input comment=\
"UDP vpn port with additional IPsec condition ?!" dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-port="" protocol=udp src-address=\
192.168.0.0/16 src-port=67
add action=drop chain=forward dst-port="" protocol=udp src-address=\
192.168.0.0/16 src-port=68
add action=drop chain=forward comment="trying to block a rogue UPC dhcp server" \
disabled=yes src-mac-address=90:5C:XX:XX:XX:F1
add action=drop chain=input disabled=yes src-address-type="" src-mac-address=\
90:5C:XX:XX:XX:F1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade for wifi repeater" \
disabled=yes ipsec-policy=out,none out-interface=bridge-1-home