 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Help converting pfSense config to RouterOS

Wed Aug 11, 2021 4:27 pm

I have an RB4011iGS+RM on the way (should be here tomorrow). I have a total of 5 VLANs configured on pfSense along with a HE.net IPv6 tunnel. I have started reading through the documents and I feel like I have a good understanding of how to get it online and a PPPoE connection up and running. However, I am not 100% sure how to configure VLANs, specifically due to the fact that I will be using one ether port for my WAN and the SFP+ port for my LAN & VLANs. Do I still need to create a bridge, assign the SFP+ port to it, and then the VLANs to it?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help converting pfSense config to RouterOS

Wed Aug 11, 2021 4:33 pm

This should help........
viewtopic.php?f=23&t=143620
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: Help converting pfSense config to RouterOS

Wed Aug 11, 2021 11:03 pm

Is there an easy way to do this in RouterOS?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Help converting pfSense config to RouterOS

Thu Aug 12, 2021 12:33 am

Yes, as with that, you have a physical interface connected to the modem, e.g. ether1, plus a PPPoE client, e.g. pppoe-out1.

Starting with the default config on recent versions of RouterOS, create the PPPoE client interface. Add the new interface to the WAN interface list; this applies the firewall filter & NAT rules to the ISP connection. Leave the existing interface in the list; this applies NAT to traffic to the CPE from your LAN(s).

If your CPE device hands out addresses with DHCP you can leave the default DHCP client BUT change Add Default Route to no and untick the Use Peer DNS & Use Peer NTP options. Otherwise remove/disable the DHCP client and add an IP address to ether1.
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: Help converting pfSense config to RouterOS

Thu Aug 12, 2021 12:44 am

tdw wrote:
Yes, as with that, you have a physical interface connected to the modem, e.g. ether1, plus a PPPoE client, e.g. pppoe-out1.

Starting with the default config on recent versions of RouterOS, create the PPPoE client interface. Add the new interface to the WAN interface list; this applies the firewall filter & NAT rules to the ISP connection. Leave the existing interface in the list; this applies NAT to traffic to the CPE from your LAN(s).

If your CPE device hands out addresses with DHCP you can leave the default DHCP client BUT change Add Default Route to no and untick the Use Peer DNS & Use Peer NTP options. Otherwise remove/disable the DHCP client and add an IP address to ether1.

It does not hand out addresses. It's in full bridge mode. I'm also glad I can configure the RB4011iGS+RM using serial while my pfSense box keeps running.
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: Help converting pfSense config to RouterOS

Fri Aug 13, 2021 5:51 am

anav wrote:
This should help........
viewtopic.php?f=23&t=143620

Not sure what I am doing wrong, but I cannot get tagged VLANs on sfp-sfpplus1.
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: Help converting pfSense config to RouterOS

Fri Aug 13, 2021 5:41 pm

Here is my current config (minus the port forwards I have already set up). I'm guessing once my PPPoE connection is up the errors about it will go away. ether1 will be my WAN connection, and all LAN/VLAN traffic is supposed to go out on sfp-sfpplus1 with VLANs 7, 10, 20 & 200 being tagged. Does everything look good so far? The PPPoE username is not correct; I'll get it fixed at some point but I don't care a whole lot right now.
# aug/13/2021 04:36:36 by RouterOS 6.47.10
#
# model = RB4011iGS+
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes poe-out=off
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full rx-flow-control=\
    auto tx-flow-control=auto
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out user=\
    smccloud
/interface vlan
add interface=sfp-sfpplus1 name="Guest Wifi" vlan-id=200
add interface=sfp-sfpplus1 name=IoT vlan-id=10
add interface=sfp-sfpplus1 name=VMs vlan-id=20
add interface=sfp-sfpplus1 name=Wifi vlan-id=7
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool1 ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool2 ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool3 ranges=172.16.200.2-172.16.200.254
add name=dhcp_pool4 ranges=172.16.20.100-172.16.20.254
add name=dhcp_pool5 ranges=172.16.7.100-172.16.7.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=IoT lease-time=1w name=IoT
add address-pool=dhcp_pool2 disabled=no interface=sfp-sfpplus1 lease-time=1w \
    name=LAN
add address-pool=dhcp_pool3 disabled=no interface="Guest Wifi" lease-time=1w \
    name="Guest Wifi"
add address-pool=dhcp_pool4 disabled=no interface=VMs lease-time=1w name=VMs
add address-pool=dhcp_pool5 disabled=no interface=Wifi lease-time=1w name=\
    Wifi
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface="Guest Wifi" list=LAN
add interface=IoT list=LAN
add interface=VMs list=LAN
add interface=Wifi list=LAN
/ip address
add address=172.16.6.1/24 interface=sfp-sfpplus1 network=172.16.6.0
add address=172.16.7.1/24 interface=Wifi network=172.16.7.0
add address=172.16.10.1/24 interface=IoT network=172.16.10.0
add address=172.16.20.1/24 interface=VMs network=172.16.20.0
add address=172.16.200.1/24 interface="Guest Wifi" network=172.16.200.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.6.0/24 dns-server=172.16.6.1 gateway=172.16.6.1 netmask=24
add address=172.16.7.0/24 dns-server=172.16.7.1 gateway=172.16.7.1
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1 gateway=172.16.20.1
add address=172.16.200.0/24 dns-server=172.16.200.1 gateway=172.16.200.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# pppoe-out not ready
add action=accept chain=input in-interface=pppoe-out protocol=icmp
# pppoe-out not ready
add action=drop chain=input in-interface=pppoe-out
/ip firewall nat
# pppoe-out not ready
add action=masquerade chain=srcnat out-interface=pppoe-out \
    out-interface-list=WAN
# pppoe-out not ready
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB4011iGS+RM
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help converting pfSense config to RouterOS

Fri Aug 13, 2021 10:57 pm

MAIN ISSUE, missing interface list member

/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface="Guest Wifi" list=LAN
add interface=IoT list=LAN
add interface=VMs list=LAN
add interface=Wifi list=LAN


(1) Five of everything but six pool ranges???
/ip pool
add name=dhcp ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool1 ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool2 ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool3 ranges=172.16.200.2-172.16.200.254
add name=dhcp_pool4 ranges=172.16.20.100-172.16.20.254
add name=dhcp_pool5 ranges=172.16.7.100-172.16.7.254

I believe you can delete the first pool, as pool2 is used in the rest of the config.

(2) Your input firewall rules are a little funny, but okay to do the job. Basically open to the LAN, allow ICMP from the WAN and block the rest of the WAN at the end.
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=pppoe-out protocol=icmp
add action=drop chain=input in-interface=pppoe-out

(3) NAT rule should work, but you don't need to put in both WAN and pppoe-out, as including pppoe-out as a WAN member covers that........
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

(4) Not sure if you need the IP DHCP client enabled, as that is handled by the PPPoE client settings......????

(5) The total lack of forward chain firewall rules is disconcerting.
Suggest the following default rules to start.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
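An added example, not from the thread: a small Python lint pass over a RouterOS export that flags the four things anav checks by eye above (a PPPoE client missing from list WAN, a pool no DHCP server uses, no forward chain, and a srcnat rule naming both an interface and an interface list). The export excerpt inside is constructed in the shape of the one posted, with a placeholder PPPoE user.

```python
import re
import shlex
from collections import defaultdict

# Constructed excerpt in the shape of the export posted above, not the poster's real one.
SAMPLE_EXPORT = """\
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out user=\\
    example
/ip pool
add name=dhcp ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool2 ranges=172.16.6.100-172.16.6.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=sfp-sfpplus1 name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=pppoe-out
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out \\
    out-interface-list=WAN
"""

def parse_export(text):
    """Parse an export into {menu path: [ {key: value, ...}, ... ]}.
    A trailing backslash continues a line; '#' lines are export comments."""
    text = re.sub(r"\\\n\s*", "", text)  # join continued lines
    sections, menu = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # menu path such as /ip pool
            menu = line
            continue
        entry = {}
        for tok in shlex.split(line):  # honours quoted values like "Guest Wifi"
            key, eq, val = tok.partition("=")
            if eq:
                entry[key] = val
        sections[menu].append(entry)
    return sections

def lint_export(text):
    """Return the problems anav called out, as plain strings."""
    cfg, findings = parse_export(text), []
    # (1) PPPoE client not in list WAN: any rule matching in-interface-list=WAN
    #     or out-interface-list=WAN never sees the ISP session at all
    wan = {m["interface"] for m in cfg["/interface list member"] if m.get("list") == "WAN"}
    for c in cfg["/interface pppoe-client"]:
        if c["name"] not in wan:
            findings.append(f"{c['name']} is not a member of interface list WAN")
    # (2) pools that no DHCP server references
    used = {s.get("address-pool") for s in cfg["/ip dhcp-server"]}
    findings += [f"unused pool {p['name']}" for p in cfg["/ip pool"] if p["name"] not in used]
    # (3) no forward chain: traffic routed through the box is not filtered at all
    if not any(r.get("chain") == "forward" for r in cfg["/ip firewall filter"]):
        findings.append("no forward-chain filter rules")
    # (4) naming both out-interface and out-interface-list on one srcnat rule is redundant
    for r in cfg["/ip firewall nat"]:
        if "out-interface" in r and "out-interface-list" in r:
            findings.append("srcnat rule sets both out-interface and out-interface-list")
    return findings
```

Feed it the output of /export (with the terse form, since it only reads key=value pairs and menu paths) and an empty result means none of the four issues are present.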
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: Help converting pfSense config to RouterOS

Fri Aug 13, 2021 11:00 pm

anav wrote:
MAIN ISSUE, missing interface list member

/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface="Guest Wifi" list=LAN
add interface=IoT list=LAN
add interface=VMs list=LAN
add interface=Wifi list=LAN


(1) Five of everything but six pool ranges???
/ip pool
add name=dhcp ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool1 ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool2 ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool3 ranges=172.16.200.2-172.16.200.254
add name=dhcp_pool4 ranges=172.16.20.100-172.16.20.254
add name=dhcp_pool5 ranges=172.16.7.100-172.16.7.254

I believe you can delete the first pool, as pool2 is used in the rest of the config.

(2) Your input firewall rules are a little funny, but okay to do the job. Basically open to the LAN, and block ICMP from the LAN and block the WAN at the end.
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=pppoe-out protocol=icmp
add action=drop chain=input in-interface=pppoe-out

(3) NAT rule should work, but you don't need to put in both WAN and pppoe-out, as including pppoe-out as a WAN member covers that........
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

(4) Not sure if you need the IP DHCP client enabled, as that is handled by the PPPoE client settings......????

(5) The total lack of forward chain firewall rules is disconcerting.
Suggest the following default rules to start.
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

I noticed the sixth DHCP pool later, and I've deleted it already. I thought I had gotten all the interfaces listed as members, but I do miss stuff ;)
It is a work in progress, so I will continue to post my sanitized config as I work on it. I need it to work the first time or the wife and kids will be mad at me :(
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help converting pfSense config to RouterOS

Fri Aug 13, 2021 11:15 pm

TX and RX flow control are for old-generation devices; I do not understand why you enable it. What do you expect?

Paste this on the terminal:
/interface ethernet set [ find ] rx-flow-control=off tx-flow-control=off

As long as you do not use VLANs on a bridge, and instead extract the VLANs from the ethernet port with VLAN interfaces:
/interface ethernet switch port set [ find ] default-vlan-id=auto
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help converting pfSense config to RouterOS

Sat Aug 14, 2021 12:50 am

Hi rextended, hard to understand...
But it looks like you are saying: if one does not use bridge VLAN filtering, then use the script you provided to do something, seemingly automated.

In other words, a sentence or two about what those scripts will do is very helpful.
If too painful to write in English, just use Google Translate and it will be better than what you usually write. ;-P
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Help converting pfSense config to RouterOS

Sat Aug 14, 2021 1:00 am

Nothing strange: if the user does not use some option, or the defaults have changed after a version update,
I simply help to set the default on unused functions,
so as not to have useless things in the export, or to maintain the expected default behaviours ;)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help converting pfSense config to RouterOS

Sat Aug 14, 2021 10:20 pm

Okay, got it!
For the thread I resisted my gut instinct to provide a bridge VLAN filtering solution, as it appears it is perfectly
feasible to assign an 'open' subnet to the etherport sfp+1, and assign four VLANs to the same etherport, all without a bridge.

I would like to know how the other end of that etherport cable is configured, aka to what device????
 
shaunmccloud
Frequent Visitor
Topic Author
Posts: 57
Joined: Tue Jun 02, 2015 5:06 pm

Re: Help converting pfSense config to RouterOS

Mon Aug 16, 2021 3:27 pm

anav wrote:
Okay, got it!
For the thread I resisted my gut instinct to provide a bridge VLAN filtering solution, as it appears it is perfectly
feasible to assign an 'open' subnet to the etherport sfp+1, and assign four VLANs to the same etherport, all without a bridge.

I would like to know how the other end of that etherport cable is configured, aka to what device????

It will be connected to a CSS326-24G-2S+.

And the config as it sits now.
# aug/13/2021 06:11:25 by RouterOS 6.48.3
# software id = QWA9-AWDR
#
# model = RB4011iGS+
# serial number = F0270EAC96D5
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes poe-out=off
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out user=\
    smccloud
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=\
    174.131.16.190 mtu=1280 name=sit1 remote-address=184.105.253.14
/interface vlan
add interface=sfp-sfpplus1 name="Guest Wifi" vlan-id=200
add interface=sfp-sfpplus1 name=IoT vlan-id=10
add interface=sfp-sfpplus1 name=VMs vlan-id=20
add interface=sfp-sfpplus1 name=Wifi vlan-id=7
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/ip dhcp-server option
add code=42 name=NTPVMs value="'172.16.20.1'"
add code=42 name=NTPLAN value="'172.16.6.1'"
add code=42 name=NTPIoT value="'172.16.10.1'"
add code=42 name=NTPWifi value="'172.16.7.1'"
add code=42 name="NTPGuest Wifi" value="'172.16.200.1'"
/ip dhcp-server option sets
add name=Wifi options=NTPWifi
add name=LAN options=NTPLAN
add name=VMs options=NTPVMs
add name="Guest Wifi" options="NTPGuest Wifi"
add name=IoT options=NTPIoT
/ip pool
add name=IoT_pool ranges=172.16.10.100-172.16.10.254
add name=LAN_pool ranges=172.16.6.100-172.16.6.254
add name="Guest Wifi_pool" ranges=172.16.200.2-172.16.200.254
add name=VMs_pool ranges=172.16.20.100-172.16.20.254
add name=Wifi_pool ranges=172.16.7.100-172.16.7.254
/ip dhcp-server
add address-pool=IoT_pool dhcp-option-set=IoT disabled=no interface=IoT \
    lease-time=1w name=IoT
add address-pool=LAN_pool dhcp-option-set=LAN disabled=no interface=\
    sfp-sfpplus1 lease-time=1w name=LAN
add address-pool="Guest Wifi_pool" dhcp-option-set="Guest Wifi" disabled=no \
    interface="Guest Wifi" lease-time=1w name="Guest Wifi"
add address-pool=VMs_pool dhcp-option-set=VMs disabled=no interface=VMs \
    lease-time=1w name=VMs
add address-pool=Wifi_pool dhcp-option-set=Wifi disabled=no interface=Wifi \
    lease-time=1w name=Wifi
/ipv6 dhcp-server
add address-pool=LAN_pool6 interface=sfp-sfpplus1 lease-time=1w name=LAN6
add address-pool=Wifi_pool6 interface=Wifi lease-time=1w name=Wifi6
add address-pool="Guest Wifi_pool6" interface="Guest Wifi" lease-time=1w \
    name="Guest Wifi6"
add address-pool=IoT_pool6 interface=IoT lease-time=1w name=IoT6
add address-pool=VMs_pool6 interface=VMs lease-time=1w name=VMs6
/ipv6 pool
add name=LAN_pool6 prefix=2001:470:c292:6::/64 prefix-length=64
add name=Wifi_pool6 prefix=2001:470:c292:7::/64 prefix-length=64
add name=IoT_pool6 prefix=2001:470:c292:10::/64 prefix-length=64
add name=VMs_pool6 prefix=2001:470:c292:20::/64 prefix-length=64
add name="Guest Wifi_pool6" prefix=2001:470:c292:200::/64 prefix-length=64
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface="Guest Wifi" list=LAN
add interface=IoT list=LAN
add interface=VMs list=LAN
add interface=Wifi list=LAN
add interface=pppoe-out list=WAN
/ip address
add address=172.16.6.1/24 interface=sfp-sfpplus1 network=172.16.6.0
add address=172.16.7.1/24 interface=Wifi network=172.16.7.0
add address=172.16.10.1/24 interface=IoT network=172.16.10.0
add address=172.16.20.1/24 interface=VMs network=172.16.20.0
add address=172.16.200.1/24 interface="Guest Wifi" network=172.16.200.0
/ip dhcp-server network
add address=172.16.6.0/24 dns-server=172.16.6.1 gateway=172.16.6.1 netmask=24
add address=172.16.7.0/24 dns-server=172.16.7.1 gateway=172.16.7.1
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1 gateway=172.16.20.1
add address=172.16.200.0/24 dns-server=172.16.200.1 gateway=172.16.200.1
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# no interface
add action=accept chain=input in-interface=pppoe-out protocol=icmp
# no interface
add action=drop chain=input in-interface=pppoe-out
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
/ipv6 address
add address=2001:470:1f10:2c7::2 advertise=no interface=sit1
add address=2001:470:c292:6::1 interface=sfp-sfpplus1
add address=2001:470:c292:7::1 interface=Wifi
add address=2001:470:c292:10::1 interface=IoT
add address=2001:470:c292:20::1 interface=VMs
add address=2001:470:c292:200::1 interface="Guest Wifi"
/ipv6 route
add distance=1 gateway=2001:470:1f10:2c7::1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB4011iGS+RM
/system ntp client
set enabled=yes primary-ntp=128.101.101.101 secondary-ntp=134.84.84.84
/system ntp server
set enabled=yes multicast=yes
/tool user-manager database
set db-path=user-manager
