zeroaz
just joined
Topic Author
Posts: 3
Joined: Fri Aug 06, 2021 5:45 am

Total newb, trying to do more than I should!

Fri Aug 06, 2021 6:02 am

Hello!

I'll make things simple and just dive right in since I know I'm a total newb to this. Hopefully I've included everything relevant, if I'm missing anything that may help, please let me know!

Currently, the address scheme for both devices is not set up the way I've listed below. I'm aware of this and am willing to adjust, just figured I'd try and figure everything out before diving in any deeper.

My Equipment:


Networking:

Mikrotik Hex Router
Mikrotik HAP AC3
NetGear Nighthawk r6900p (Goal of using this as only a wireless repeater / access point eventually, but I'll ignore it for now to get the Mikrotik hardware running first)
Dumb Switch (Managed switch on its way)

Clients

Gaming PC / Workstation
ThinkStation D30 Proxmox Host
Wired Gaming Laptop
Wired NAS
Wired PiHole for DNS

WiFi Laptop
WiFi Chromebook
WiFi Lights x2
WiFi Video Doorbell
WiFi Cellphone x3
WiFi Kindle
WiFi iPad
WiFi Various handheld Game Consoles
------------------------------------------------------------------

My starting goal(s):

I'm trying to setup the Hex router as the primary router, with the HAP AC3 as an access point / wireless router for wireless devices since the hex has no built in WiFi.

Alongside the above, I'm also trying to segment my network into pieces for security and management purposes. To clarify I'd like to setup the following (using generic example addresses here):

Router - 192.168.1.1
-- DHCP'd devices on 192.168.1.50 <-> 192.168.1.100
-- Static'd devices on 192.168.1.101 <-> 192.168.1.200

WiFi - 192.168.2.1
-- DHCP'd devices on 192.168.2.50 <-> 192.168.2.100
-- Static'd device on 192.168.2.5 (Ring Doorbell Camera)

Servers - 192.168.3.1
-- Static'd devices on 192.168.3.50 <-> 192.168.3.100

IoT Devices - 192.168.4.1
-- DHCP'd devices on 192.168.4.50 <-> 192.168.4.100

I would like to make it so that devices receiving a DHCP lease or Static IP from the Router (192.168.1.1) can access and communicate with the devices in both WiFi (192.168.2.1) and Servers (192.168.3.1) while leaving the IoT Devices with access to WiFi (192.168.2.1). The reason for IoT to interact with WiFi is so that I can control things such as wireless lights, etc from my cell phone while connected to WiFi.
----------------------------------------------------------

Hex Router 'export hide-sensitive'
# aug/05/2021 19:57:28 by RouterOS 6.48.3
# software id = GR5F-DASV
#
# model = RB760iGS
# serial number = E2090EF86E7B
/interface bridge
add admin-mac=2C:C8:1B:19:0E:5D auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 user=\
   ********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=WiFi1 supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.90.50-192.168.90.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!all
/interface detect-internet
set detect-interface-list=all lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.90.1/24 comment=defconf interface=bridge network=\
    192.168.90.0
add address=192.168.1.1/24 interface=bridge network=192.168.1.0
add address=192.168.88.1 interface=bridge network=192.168.88.1
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server network
add address=192.168.90.0/24 comment=defconf gateway=192.168.90.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.1.201
/ip dns static
add address=192.168.90.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward dst-address=192.168.90.1 src-address=\
    192.168.1.1
add action=accept chain=forward dst-address=192.168.90.0/24 src-address=\
    192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/system clock
set time-zone-name=America/Phoenix
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

HAP AC3 'export hide-sensitive'
# aug/05/2021 19:58:45 by RouterOS 6.47.9
# software id = CFIR-U1HA
#
# model = RBD53iG-5HacD2HnD
# serial number = E7290E1642D8
/interface bridge
add admin-mac=2C:C8:1B:7F:5C:9C auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=ThePromisedLan wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=ThePromisedLan-5GHz wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/system clock
set time-zone-name=**********
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
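
One way to implement the segmentation described in the post on the hEX, as an added example that is not the poster's configuration and not MikroTik's own: bridge VLAN filtering in a router-on-a-stick layout, one /24 per VLAN, and forward-chain rules that encode the access matrix. The VLAN IDs (10/20/30/40), the port roles (ether2 as tagged trunk to the hAP ac3, ether3 as LAN access, ether4 as servers access) and the pool names are assumptions. Two points worth checking against the stated goal. First, several subnets stacked on one flat bridge, as in the export above, are not isolated from each other at all: any host can configure itself an address in a neighbouring subnet, so the VLANs are what actually enforce the split. Second, "controlling the lights from a phone" means the phone on the WiFi VLAN initiates the connection to the light on the IoT VLAN, so with a stateful firewall the accept rule has to be WiFi -> IoT (replies ride the defconf established/related rule); cloud-managed IoT devices usually also need outbound internet, which the "no internet for IoT" rule below deliberately blocks, so that one is a per-device decision. Apply it from WinBox Safe Mode, since enabling vlan-filtering with a mistake in the table cuts off management.

```routeros
# hEX (RB760iGS), RouterOS 6.48.x. Added example, applied on top of the
# posted export; VLAN IDs, port roles and pool names are assumptions.
#   VLAN 10  LAN      192.168.1.0/24   (wired clients, management)
#   VLAN 20  WIFI     192.168.2.0/24   (private SSID)
#   VLAN 30  SERVERS  192.168.3.0/24   (Proxmox, NAS, Pi-hole)
#   VLAN 40  IOT      192.168.4.0/24   (lights, doorbell)
# ether1 stays the PPPoE WAN and is untouched.

# 1. Keep filtering off while the VLAN table is built.
/interface bridge
set [find name=bridge] vlan-filtering=no

# 2. Port roles: ether2 is the tagged trunk to the hAP ac3, ether3/ether4 are
#    untagged access ports (pvid = VLAN their untagged frames land in).
/interface bridge port
set [find interface=ether2] pvid=10 comment="trunk to hAP ac3"
set [find interface=ether3] pvid=10 comment="LAN access"
set [find interface=ether4] pvid=30 comment="servers access"

# 3. VLAN table. "bridge" is tagged on every VLAN so the router's own
#    VLAN interfaces (step 4) can see that VLAN.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether2 untagged=ether3
add bridge=bridge vlan-ids=20 tagged=bridge,ether2
add bridge=bridge vlan-ids=30 tagged=bridge,ether2 untagged=ether4
add bridge=bridge vlan-ids=40 tagged=bridge,ether2

# 4. One L3 interface and one /24 per VLAN (replaces the three addresses
#    the export stacks on the bare bridge).
/interface vlan
add name=vlan10-lan     interface=bridge vlan-id=10
add name=vlan20-wifi    interface=bridge vlan-id=20
add name=vlan30-servers interface=bridge vlan-id=30
add name=vlan40-iot     interface=bridge vlan-id=40
/ip address
remove [find interface=bridge]
add address=192.168.1.1/24 interface=vlan10-lan
add address=192.168.2.1/24 interface=vlan20-wifi
add address=192.168.3.1/24 interface=vlan30-servers
add address=192.168.4.1/24 interface=vlan40-iot

# 5. DHCP per VLAN with the ranges from the post; the servers VLAN is static only.
/ip pool
add name=pool-lan  ranges=192.168.1.50-192.168.1.100
add name=pool-wifi ranges=192.168.2.50-192.168.2.100
add name=pool-iot  ranges=192.168.4.50-192.168.4.100
/ip dhcp-server
remove [find]
add name=dhcp-lan  interface=vlan10-lan  address-pool=pool-lan  disabled=no
add name=dhcp-wifi interface=vlan20-wifi address-pool=pool-wifi disabled=no
add name=dhcp-iot  interface=vlan40-iot  address-pool=pool-iot  disabled=no
/ip dhcp-server network
remove [find]
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1

# 6. The defconf firewall keys on the LAN/WAN interface lists; swap the bare
#    bridge for the VLAN interfaces so those rules keep protecting the router.
/interface list member
remove [find interface=bridge list=LAN]
add list=LAN interface=vlan10-lan
add list=LAN interface=vlan20-wifi
add list=LAN interface=vlan30-servers
add list=LAN interface=vlan40-iot

# 7. Access matrix. These are appended after the defconf forward rules, so
#    established/related traffic is already accepted above them and only new
#    connections get here. Order matters: the IoT-to-WAN drop must precede
#    the general LAN-to-WAN accept.
/ip firewall filter
add chain=forward action=accept in-interface=vlan10-lan  out-interface=vlan20-wifi    comment="LAN -> WiFi"
add chain=forward action=accept in-interface=vlan10-lan  out-interface=vlan30-servers comment="LAN -> Servers"
add chain=forward action=accept in-interface=vlan20-wifi out-interface=vlan40-iot     comment="WiFi -> IoT (phone initiates to lights)"
add chain=forward action=drop   in-interface=vlan40-iot  out-interface-list=WAN       comment="IoT: no internet"
add chain=forward action=accept in-interface-list=LAN    out-interface-list=WAN       comment="other VLANs -> internet"
add chain=forward action=drop comment="drop all other inter-VLAN traffic"

# 8. Only now turn filtering on. Verify with: /interface bridge vlan print
/interface bridge
set [find name=bridge] vlan-filtering=yes
```

The Pi-hole from the export (192.168.1.201) would move into the servers VLAN under this plan; pointing `/ip dns set servers=` at its new address keeps clients resolving through the router, and because the final forward rule drops everything not listed, a WiFi or IoT client can no longer reach a server directly unless a rule for that pair is added. Whether the hEX keeps hardware offload with VLAN filtering on depends on chipset and RouterOS version; `/interface bridge port print` shows an H flag on ports that are still offloaded.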
 
zeroaz
just joined
Topic Author
Posts: 3
Joined: Fri Aug 06, 2021 5:45 am

Re: Total newb, trying to do more than I should!

Fri Aug 06, 2021 6:31 am

Update:

Got the WiFi working now at least. Needed to add a route to 192.168.88.0/24

This is certainly more than I anticipated when I was planning everything! lol

Update2: I've noticed that there are moments where LAN connections hiccup / load slowly.

E.g. PC on 192.168.1.22 can ping server on 192.168.3.5 but every now and then it has a delay when switching pages, accessing via ssh, etc. Any ideas?

Update 2a: I've been using Uptime Kuma to test (http or ping). I'm seeing that the connection appears to be very unstable, image below.

Update 2b: I've had some serious issues with the WiFi stability. Ended up killing and resetting both the WAP and the Router. Rebuilt both of them without the default configs. It looks like I've now got WiFi back up though with some signal issues. I'll definitely need to figure out how to increase the antenna strength / range (tweaking channels, frequencies, etc?)

I was able to segment the network into some chunks though which was encouraging. I now have the Router itself on 192.168.1.1, the WiFi on 192.168.2.1, and my Servers on 192.168.3.1, still need to add an IoT address block and figure out the proper way to segment / allow access without just using global bridging on all ports (or do I not need to worry about that? I still want to set IoT devices on 192.168.4.x, with no internet access -- Firewall all I need?)

This has been a long 8 hours and I'm too tired to tinker with it too much more at the moment, but hopefully someone will have some ideas for me tomorrow / later today! :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Total newb, trying to do more than I should!

Fri Aug 06, 2021 1:33 pm

I would use vlans with bridge vlan filtering in both models.
viewtopic.php?f=23&t=143620
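
The access-point half of that advice, as an added example that is neither anav's nor the poster's configuration: the hAP ac3 stops being a router (no DHCP server, no NAT, no DHCP client on ether1) and becomes a VLAN-aware bridge whose uplink is a tagged trunk. It assumes the same VLAN IDs as on the router side (10 management, 20 private SSID, 40 IoT SSID), that ether1 is the cable to the hEX, that the hEX answers on 192.168.1.1, and a placeholder IoT pre-shared key. The existing SSIDs keep their security profile with plain WPA dropped; the IoT SSIDs are virtual APs on the same radios, so the lights and doorbell land in VLAN 40 without ever sharing a broadcast domain with the private network. Apply from Safe Mode; once filtering is on the AP answers only on VLAN 10.

```routeros
# hAP ac3 (RBD53iG-5HacD2HnD), RouterOS 6.47.x. Added example applied on top
# of the posted export. Assumptions: ether1 is the trunk to the hEX; VLAN
# 10 = management, 20 = private SSID, 40 = IoT SSID; the PSK is a placeholder.

# 1. Stop routing: the hEX is the only gateway, DHCP server and NAT device.
/ip dhcp-client
remove [find interface=ether1]
/ip dhcp-server
remove [find]
/ip dhcp-server network
remove [find]
/ip firewall nat
remove [find]
/ip address
remove [find interface=bridge]

# 2. Build the VLAN table with filtering still off. wlan1/wlan2 are already
#    bridge ports in the export, so they only get a pvid.
/interface bridge
set [find name=bridge] vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether1 pvid=10 comment="trunk to hEX"
set [find interface=wlan1] pvid=20
set [find interface=wlan2] pvid=20

# 3. Wireless: WPA2-only on the existing SSIDs, plus an IoT SSID on each radio
#    as a virtual AP with its own profile. A virtual AP is its own bridge
#    port, so its pvid decides which VLAN its clients land in.
/interface wireless security-profiles
set [find default=yes] authentication-types=wpa2-psk
add name=iot authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=CHANGE-ME-iot-placeholder
/interface wireless
add name=wlan1-iot master-interface=wlan1 mode=ap-bridge ssid=ThePromisedLan-IoT \
    security-profile=iot disabled=no
add name=wlan2-iot master-interface=wlan2 mode=ap-bridge ssid=ThePromisedLan-IoT-5GHz \
    security-profile=iot disabled=no
/interface bridge port
add bridge=bridge interface=wlan1-iot pvid=40
add bridge=bridge interface=wlan2-iot pvid=40

# 4. VLAN membership: everything tagged on the trunk, untagged towards clients.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether1
add bridge=bridge vlan-ids=20 tagged=ether1 untagged=wlan1,wlan2
add bridge=bridge vlan-ids=40 tagged=ether1 untagged=wlan1-iot,wlan2-iot

# 5. Management address lives only in VLAN 10. The defconf input rules drop
#    anything not from the LAN list, so the VLAN interface goes on that list.
/interface vlan
add name=vlan10-mgmt interface=bridge vlan-id=10
/ip address
add address=192.168.1.2/24 interface=vlan10-mgmt
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip dns
set servers=192.168.1.1 allow-remote-requests=no
/interface list member
add list=LAN interface=vlan10-mgmt

# 6. Enable filtering last; verify with: /interface bridge vlan print
/interface bridge
set [find name=bridge] vlan-filtering=yes
```

ether2 to ether5 are deliberately left out of the VLAN table, so with filtering on they carry nothing until they are given a pvid and an `untagged=` entry for the VLAN a cabled device should join. After enabling, `/interface bridge port print` shows which ports still have the H (hardware offload) flag; on this platform and version some or all may fall back to software bridging, which is acceptable for an access point but is where to look first if throughput drops.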
 
zeroaz
just joined
Topic Author
Posts: 3
Joined: Fri Aug 06, 2021 5:45 am

Re: Total newb, trying to do more than I should!

Fri Aug 06, 2021 1:51 pm

I would use vlans with bridge vlan filtering in both models.
viewtopic.php?f=23&t=143620
Thanks for the heads-up! I'll give that a look when I wake up later today and see if it makes things work closer to what I was hoping for.

To make my headache worse, I remembered that I'm switching from a residential to a SMB ISP line in ~4 days which will have two static IP addresses allocated to the account. It's going to be great fun to work through that one I reckon :P
