Hello,

i need to make the following setup:

i have two SXT LTE's with two different providers (SIM cards). Each of those SXT's should provide internet connection for two different subnets: office and guests.
3011 should act as the router and should provide DHCP servers for those two subnets.
Now, two AP's should provide two WLAN networks with those subnets. I know, i need to mangle internet traffic from those two SXT's but... and thats my question, how must i configure 3011 resp my router to be able to provide different subnets on VLAN's?

so, SXT1 -> DHCP1/VLAN10 -> WLAN1
SXT2 -> DHCP2/VLAN20 -> WLAN2

Here the picture:
For any help i am very thankful

Korg

It's networking basics. At L3 (IP), you need each of the two WLANs to have its own subnet and DHCP pool to make it easy to use dedicated sets of firewall and QoS rules for each of them. If the APs are Mikrotik ones, you can use CAPsMAN to control them, which means that you don't even need VLANs at the links between the 3011 and the APs if no traffic is expected to run between the clients of the APs; if it is, it may make sense to use VLANs but only if you also use the switch chip of the 3011 to forward frames between the two APs. So hardware accelerated forwarding on the bridge must be enabled in this case, and both APs must be connected to 3011's ports served by the same switch chip.

So for the first possibility, you'd create one bridge per each subnet at the 3011, and one physical and one virtual wireless interface per each cAP (and per each frequency band if the APs are dual-band ones). Wireless interfaces controlled by CAPsMAN appear as if they were local ones of the machine running the CAPsMAN manager side, i.e. the 3011. Then, you make all the interfaces with SSID=OFFICE member ports of bridge-office and all the interfaces with SSID=GUESTS member ports of bridge-guest. Next, you attach a distinct IP configuration (own IP address and subnet, own DHCP server linked to own ip pool) to each of the two bridges, and define the firewall rules.

For the second possibility, you configure a single bridge on the 3011, attach two /interface vlan to it, and attach the distinct IP configurations to those /interface vlan, not to the bridge. At the AP side, you connect the wireless interfaces with different SSIDs to different VLANs (if they are Mikrotik ones, you create a bridge, make the ethernet interface connected to the 3011 a member port of it, and make all the wireless interfaces member ports of the bridge too; the membership in VLAN will be configured on the wireless interfaces themselves. Stay with vlan-filtering=no everywhere (3011 and both APs) as you don't need tagging and untagging to happen on the wired ports and as vlan-filtering=yes brings more complexity than benefits in this particular case.

Regardless the approach chosen, routing between any two connected subnets always works automatically, so you have to use firewall filter rules if you want to prevent traffic from flowing between OFFICE and GUEST subnets.

To link each (W)LAN subnet to another WAN interface, it is enough to use a single /ip route rule to choose a non-default routing table for one of the LAN subnets, whereas the other LAN subnet may use the default routing table.

Thank you Sindy.

I know .. its 'network basic'.. and i understand and know 'how and what' i need to config.. the issue is.. how.. i mean how must i config 3011 to act as a router, firewall, VLAN.. and so on...i know that i need to mangle traffic from every SXT to be able to define 'which traffic should be connected to what subnet'..

i dont have MT AP's but UBNT.. two mesh pro.

It would be great if i could have/get a 'simple' config file which i could adapt...

tx

korg

i dont have MT AP's but UBNT.. two mesh pro.

Which means the VLAN approach is mandatory. From what I have learned here at the forum, UBNT can link each SSID to a VLAN but the management must be tagless. So you need three subnets/VLANs - one tagless for management of UBNT, one tagged for "office", one tagged for "guest". Please confirm.

i know that i need to mangle traffic from every SXT to be able to define 'which traffic should be connected to what subnet'..

I'm not sure we're at the same page here. If I got your goal right, you don't need to mangle traffic from each SXT, as all the connections will be initiated by the clients of the wireless APs. You would need to mangle traffic from SXT if you would want to access your network remotely via the SXT's public IPs which is not a typical scenario with LTE (unless you have a special contract with your mobile provider which e.g allows you to connect to the LTE WAN of the SXT from other LTE modems by means of using a dedicated private APN).

So please confirm that each WLAN (office,guest) should use exclusively one SXT uplink (no failover, no load distribution) and that there is no need to access the network remotely where one of the SXTs would act as a server for that connection.

i dont have MT AP's but UBNT.. two mesh pro.
Which means the VLAN approach is mandatory. From what I have learned here at the forum, UBNT can link each SSID to a VLAN but the management must be tagless. So you need three subnets/VLANs - one tagless for management of UBNT, one tagged for "office", one tagged for "guest". Please confirm.

korg: correct...

i know that i need to mangle traffic from every SXT to be able to define 'which traffic should be connected to what subnet'..
I'm not sure we're at the same page here. If I got your goal right, you don't need to mangle traffic from each SXT, as all the connections will be initiated by the clients of the wireless APs. You would need to mangle traffic from SXT if you would want to access your network remotely via the SXT's public IPs which is not a typical scenario with LTE (unless you have a special contract with your mobile provider which e.g allows you to connect to the LTE WAN of the SXT from other LTE modems by means of using a dedicated private APN).

So please confirm that each WLAN (office,guest) should use exclusively one SXT uplink (no failover, no load distribution) and that there is no need to access the network remotely where one of the SXTs would act as a server for that connection.

korg: So.. yes and no...

each LTE device should provide internet connectivity to one subnet which is (also) a WLAN network resp VLAN20 (for example). With other words, a guest. connected to WLAN Guest with VLAN30 will use internet connection through LTE2 device... and the same for WLAN Office with VLAN20 ..through LTE1. Management VLAN10 should be able to connect to 'everywhere'.

No failover, no load distribution... and yes.. i will need to connect to the MT Gateway via LTE1.

tx

korg

Please export the current configuration of the 3011 and one of the SXTs (see my automatic signature below for a hint). I'm not familiar with the default configuration of every model and they differ.

And specify how exactly do you plan to access the network from outside via the LTE.

ok... ... i have understood the riddle

tx

korg

Don't get me wrong - I have a configuration script for the 3011 ready for you, but it needs to fit into the existing environment to make sense.

Really? wow! thanks a lot....

could you post it here .. resp send me a pm?

tx

korg

send me a pm?

Doesn't work here, probably because MT is afraid everyone would be sending PMs to Mikrotik staff members.

So you are responsible yourself for adapting the configuration below for your environment.

Assumptions taken:

• the LAN address of the 3011 is changed from the default 192.168.88.1/24 to something which does not conflict with anything in 192.168.0.0/18, e.g. 192.168.188.1/24, and your management PC is manually configured into the same subnet (e.g. 192.168.188.2/24) and connected to ether5 and above of the 3011
• both SXT are in the default configuration, i.e. their WAN is LTE with NAT and on LAN side, they use 192.168.88.1/24 and run a DHCP server, and they have the default firewall rules active
• the SXT providing internet access to office network is connected to ether1 of the 3011, the SXT for guest network is connected to ether2
• the two UBNT boxes are connected to ether3,ether4 of the 3011
• office SSID at both UBNT boxes is linked to VLAN 20, guest SSID is linked to VLAN 30
• UBNT boxes expect to get IP address for management access via DHCP from the 3011

The default firewall rules in the SXTs protect the internal network from attacks from outside, but you have to add your own firewall rules to the 3011 to protect the 3011, the SXTs and the UBNTs from management access from the WLANs while allowing the VLAN clients to use DNS.
With vlan-filtering=no on the bridge, the frames cannot be tagged/untagged on ingress/egress through the member ports of the bridge, and no filtering by VLAN ID is done, but you don't need any of that in this arrangement. The IP subnet for management of the UBNTs is attached to the bridge itself so it is tagless on ether3, ether4; the subnets for office and guest networks are attached to VLAN interfaces so they run tagged via ether3, ether4.

Hi Sindy,

thank you very very much for your help... i really appreciate it ... ...

i haver configured the setup in a bit different way.. and will paste my config later today... i would be curious to hear it from you...

tx

korg

Hi Sindy,

here is my code...

GW:

/interface bridge
add name=WIFI-br0 protocol-mode=none
add name=bridge1
/interface ethernet
set [ find default-name=ether7 ] comment="AP 1" name=AP1-NET-eth7 speed=\
100Mbps
set [ find default-name=ether8 ] comment=AP2 name=AP2-NET-eth8 speed=100Mbps
set [ find default-name=ether5 ] name=MGMT-eth5 speed=100Mbps
set [ find default-name=ether9 ] comment="sxt tele2" name=WAN1-eth9-Tele2 \
speed=100Mbps
set [ find default-name=ether10 ] comment="sxt vip" name=WAN2-eth10-VIP \
speed=100Mbps
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=WIFI-br0 name=WIFI-CORP-VLAN20 vlan-id=20
add interface=WIFI-br0 name=WIFI-GUEST-VLAN30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=POOL_VLAN20_CORP ranges=10.0.20.10-10.0.20.254
add name=POOL_VLAN30_GUESTS ranges=172.16.30.10-172.16.31.254
add name=POOL_MGMT_VLAN10 ranges=10.254.10.10-10.254.10.100
/ip dhcp-server
add address-pool=POOL_VLAN20_CORP disabled=no interface=WIFI-CORP-VLAN20 \
lease-time=4h name=DHCP_VLAN20_CORP
add address-pool=POOL_VLAN30_GUESTS disabled=no interface=WIFI-GUEST-VLAN30 \
name=DHCP_VLAN30_GUEST
add address-pool=POOL_MGMT_VLAN10 disabled=no interface=WIFI-br0 name=\
DHCP_VLAN10_MGMT
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=WIFI-br0 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=WIFI-br0 interface=AP1-NET-eth7
add bridge=WIFI-br0 interface=AP2-NET-eth8
add bridge=WIFI-br0 interface=MGMT-eth5
/interface bridge vlan
add bridge=WIFI-br0 tagged=AP1-NET-eth7,AP2-NET-eth8 untagged=WIFI-br0 \
vlan-ids=""
/ip address
add address=10.0.20.1/24 comment="WIFI VLAN 20 corporate network" interface=\
WIFI-CORP-VLAN20 network=10.0.20.0
add address=172.16.30.1/23 comment="WIFI VLAN 30 guest network" interface=\
WIFI-GUEST-VLAN30 network=172.16.30.0
add address=10.254.10.1/24 comment="Managment VLAN 10" interface=WIFI-br0 \
network=10.254.10.0
add address=192.168.250.1/24 comment="Interconnect WAN1" interface=\
WAN1-eth9-Tele2 network=192.168.250.0
add address=192.168.251.1/24 comment="Interconnect WAN2" interface=\
WAN2-eth10-VIP network=192.168.251.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1 netmask=24
add address=10.254.10.0/24 dns-server=10.254.10.1 gateway=10.254.10.1 \
netmask=24
add address=172.16.30.0/23 dns-server=172.16.30.1 gateway=172.16.30.1 \
netmask=23
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.222.220
/ip firewall address-list
add address=10.0.20.0/24 list=NET_VLAN20_CORP
add address=172.16.30.0/23 list=NET_VLAN30_GUEST
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="Allow Inbound to mikrotik" dst-port=\
22,80,8291 in-interface=WIFI-br0 protocol=tcp
add action=accept chain=input comment=\
"Allow DHCP, DNS, NTP from internal networks only" dst-port=123,53,67,68 \
in-interface=!WAN1-eth9-Tele2 protocol=udp
add action=accept chain=input comment=\
"Allow DHCP, DNS, NTP from internal networks only" dst-port=53,123,67,68 \
in-interface=!WAN2-eth10-VIP protocol=udp
add action=accept chain=input comment="Allow PIng" protocol=icmp
add action=drop chain=input comment=\
"GLOBAL DENY RULE DON'T MOVE OR CHANGE IT"
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=WIFI-GUEST-VLAN30 out-interface=\
WAN1-eth9-Tele2
add action=accept chain=forward in-interface=WIFI-CORP-VLAN20 out-interface=\
WAN2-eth10-VIP
add action=drop chain=forward comment=\
"GLOBAL DENY RULE DON'T MOVE OR CHANGE IT"
/ip firewall mangle
add action=route chain=prerouting comment=GUEST dst-address-type=!local \
passthrough=yes route-dst=192.168.250.2 src-address=172.16.30.0/23
add action=route chain=prerouting comment=CORP dst-address-type=!local \
passthrough=yes route-dst=192.168.251.2 src-address=10.0.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1-eth9-Tele2
add action=masquerade chain=srcnat out-interface=WAN2-eth10-VIP
/ip route
add distance=1 gateway=192.168.251.2
add distance=1 gateway=192.168.250.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="MT 3011"
/system ntp client
set enabled=yes primary-ntp=161.53.123.5


one SXT:

/interface lte
set [ find ] mac-address=AC:FF:FF:00:00:00 mtu=1500 name=lte1 network-mode=\
lte
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.251.2/24 comment="Interconnect WAN2" interface=ether1 \
network=192.168.251.0
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input dst-port=80,22,8291 in-interface=ether1 \
protocol=tcp
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface=ether1 out-interface=lte1
add action=accept chain=input dst-port=80,22,82 in-interface=ether1 protocol=\
tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="SXT A1"
/tool graphing interface
add
/tool graphing resource
add

Pls give me your thoughts.

korg

Hi Sindy,

did you see my code?

tx

korg

Da, video sam, but found it too complex to analyse in the time frame available at that time, and then I forgot about it.

You are one of few people in the world who directly assign a gateway IP address rather than routing-mark using a mangle rule

This part indicates you haven't understood the VLAN handling on bridges really well:
The configuration section above defines, per vlan or per group of vlans, whether a given port will be a tagged (trunk) or untagged (access) member of that vlan or group; as only one vlan may run tagless on a port, each vlan with at least one access port must have a separate row in that section.

In your case, nothing happens if you forward frames tagged with vlan 20 to the port to which the ubnt for guest network as it will simply ignore them. All (two) ports of the bridge use the tagless frames to deliver the management subnet. So all in all you never need to tag/untag frames as they enter/leave the bridge, neither you need to policy which VLAN will enter through which port, so you don't need vlan-filtering=yes on the bridge, and hence you don't need the section above.

The rest is fine. It could be done using VRF too, where each of the two /interface vlan would be in its own VRF along with its respective WAN and the management would use the "normal" routing. The advantage of VRF is that you need special configuration to provide leaks between the VRFs whereas with normal routing you need the firewall to prevent leaks between the subnets, and the fact that you don't need mangle rules which slow things down a little bit or a lot, depending on whether you need fasttracking or not. But as we talk about 3011 here, loading it so much that you could benefit from use of fasttracking by just two LTE uplinks seems unreal to me.

Hvala ti ...

I see.. Could you maybe.. upon your experience ... change my code with your suggestions? VLAN and so... My logic was.. ok.. i have a bridge and those two ports VLAN20_Office and VLAN30_Guests should be tagged... and MGMT not tagged...

or... if you can... maybe to write me (a mail) with some tipps...

thanks anyhow for your help...

korg

As said I don't think your VLAN setup is wrong given your particular scenario. If you bother about performance (which, as also said, should not be a particular concern where the main router is a 3011 and the uplinks are just LTEs) and thus use fasttracking, you have to get rid of mangle rules as a class because fasttracking bypasses mange rules (along with other firewall processing steps).
Of the two possible ways of taking the source into account when routing, I wouldn't dare to design a leaky VRF setup without practically testing it first as I don't do it daily. So you may use /ip route rule to assing the routing-mark / choose the routing table (which are essentially two names for the same thing).

All the above (minus the VRF part) has already been suggested in my post #10 in detail.