THIS TEXT HAS BEEN TRANSLATED FROM RUSSIAN WITH THE HELP OF A GOOGLE TRANSLATOR!
Hello. A rather difficult (for me) task has appeared. I will try to describe in detail what is available and what needs to be done. Device - Mikrotik RB3011UiAS-RM
There are 2 provider cables (one provider, but on different lines and different PPPoE accounts). One comes to the SFP port with the Mikrotik S-RJ01 transceiver (in fact, an additional ethernet RJ45 port), the second comes to the Ethernet1 port. For convenience, we will call PPPoE-sfp and PPPoE-eth1.
The device is already fully configured to work with one cable (via eth1), it contains all the necessary settings (dhcp, firewall, fully configured CAPsMAN, etc.). It is important that when configuring add. network in the previous one, nothing has changed. Subnet 192.168.88.1, currently used ports - eth1 (PPPoE), eth2, eth3, eth4, eth5, eth10.
I need to create a new network on the basis of this device (in fact, it is already ready on RB951, I need to transfer it to RB3011) with the 192.168.10.1 subnet, its dhcp, firewall and so that it takes the Internet only from PPPoE-sfp and uses SFP ports (PPPoE), eth6, eth7, eth8, eth9.
Networks should not touch each other (you need to deny access from one to another and vice versa), have their own autonomous settings, etc. But access to the router settings must be from both networks (from one at 192.168.88.1, on the other at 192.168.10.1)
I tried to do it through setting up two Bridges, but when you add ports to it, on which PPPoE clients hang, PPPoE is cut off. For a long time and a lot I tried to shamanize under various articles, but in the end nothing came of it.
I would be immensely grateful for help, because himself in microtics is rather weak.
Original text:
Здравствуйте. Появилась довольно непростая (для меня) задача. Постараюсь расписать подробно что имеется и что нужно сделать. Устройство - Mikrotik RB3011UiAS-RM
Есть 2 провайдерских кабеля (один провайдер, но по разным линиям и разные PPPoE аккаунты). Один приходит в SFP порт с трансивером Mikrotik S-RJ01 (по сути дополнительный ethernet RJ45 порт), второй приходит в порт Ethernet1. Для удобства будем называть PPPoE-sfp и PPPoE-eth1.
Устройство уже полностью настроено для работы с одним кабелем (по eth1), в нём прописаны все необходимые настройки (dhcp, firewall, полностью настроенный CAPsMAN и т.д.). Важно, чтобы при настройке доп. сети в предыдущей ничего не изменилось. Подсеть 192.168.88.1, используемые в данный момент порты - eth1 (PPPoE), eth2, eth3, eth4, eth5, eth10.
Мне нужно на базе этого устройства создать новую сеть (по сути она уже есть готовая на RB951, мне нужно её перенести на RB3011) с подсетью 192.168.10.1, своим dhcp, firewall и чтобы она брала интернет только с PPPoE-sfp и использовала порты SFP (PPPoE), eth6, eth7, eth8, eth9.
Сети не должны друг с другом соприкасаться (нужно запретить доступ из одной в другую и наоборот), иметь свои автономные настройки и т.д. Но доступ к настройкам роутера должен быть с обоих сетей (с одной по адресу 192.168.88.1, с другой по адресу 192.168.10.1)
Пробовал сделать через настройку двух Bridge, но при добавлении в него портов, на которых висят PPPoE клиенты, PPPoE отрубаются. Долго и много пытался шаманить по разным статьям, но по итогу ничего не вышло.
Буду безмерно благодарен помощи, т.к. сам в микротиках довольно слаб.
How to make 2 isolated networks on 2 different PPPoE interfaces?
You do not have the required permissions to view the files attached to this post.
Re: How to make 2 isolated networks on 2 different PPPoE interfaces?
Please post your config
/export hide-sensitive file=anynameyouwish
Also provide a network diagram so we can better understand .
/export hide-sensitive file=anynameyouwish
Also provide a network diagram so we can better understand .
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
MTUNA Certified, by the Ascerbic Llama!
Re: How to make 2 isolated networks on 2 different PPPoE interfaces?
Я перевел англисйкий текст гугл транслейтом на русский и поменял слова в английском в тех случаях, когда автоматический перевод совсем испортил значение. Мелочи остались, но мне они кажутся некритичными.
Starting from the end - the PPPoE clients should stay directly attached to their respective Ethernet ports, placing them to bridges whоse other members are LAN ports is a bad idea not only on Mikrotik.
What you ask for could be best accomplished using VRF - virtual routing and forwarding functionality. You can see it as partitioning the router, where each group of interfaces has their own routing table fully independent from the other groups of interfaces. So in theory, you would just create a list of interfaces with a routing-mark:
/ip route vrf
add routing-mark=R2 interfaces=pppoe-sfp,bridge-rb951
and that would be it for the independent routing (leaving firewall aside for a while). Packets coming in via the listed interfaces get automatically marked with routing-mark R2 and only use routes marked with the same routing-mark value. The routes to subnets attached to these interfaces are automatically created with that routing-mark.
As there is thus no route to 192.168.88.0/24 in routing table R2, packets to this destination coming from bridge-rb951 are routed via R2's default route (pppoe-sfp1); vice versa, the route to 192.168.10.0/24 does not exist in the routing table main, so packets coming from the original bridge of the 3011 are router via main default route (pppoe-eth1). So no special measures need to be taken to prevent traffic leak between the two LAN subnets.
However, pppoe-client interfaces do not play well with VRF - in particular, whilst the route to the remote end of the tunnel is added with the correct routing-mark, the default route added thanks to the add-default-route parameter of the /interface pppoe-client row set to yes is added without any routing-mark:
/ip route add routing-mark=R2 gateway=pppoe-sfp1
But if the packets received on pppoe-sfp1 eventually fail to get the routing-mark, it's another level to take care about. And the routing-mark is not taken into account when the router processes incoming packets for itself, so to test that, you need packets forwarded from one interface to another.
So at a safe time, you can try the complete setup:
/interface pppoe-client
add name=pppoe-sfp1 add-default-route=no ....
/interface bridge
add name=bridge-rb951
/interface bridge port
add interface=ether6 bridge=bridge-rb951
But don't do that before you post the export of the current configuration of your 3011 as @anav has suggested, because some other modifications need to be done so that the firewall rules would protect also the router R2, and for that, we have to know the current firewall setup.
See my automatic signature below for a hint on anonymisation of the configuration export before posting it.
Starting from the end - the PPPoE clients should stay directly attached to their respective Ethernet ports, placing them to bridges whоse other members are LAN ports is a bad idea not only on Mikrotik.
What you ask for could be best accomplished using VRF - virtual routing and forwarding functionality. You can see it as partitioning the router, where each group of interfaces has their own routing table fully independent from the other groups of interfaces. So in theory, you would just create a list of interfaces with a routing-mark:
/ip route vrf
add routing-mark=R2 interfaces=pppoe-sfp,bridge-rb951
and that would be it for the independent routing (leaving firewall aside for a while). Packets coming in via the listed interfaces get automatically marked with routing-mark R2 and only use routes marked with the same routing-mark value. The routes to subnets attached to these interfaces are automatically created with that routing-mark.
As there is thus no route to 192.168.88.0/24 in routing table R2, packets to this destination coming from bridge-rb951 are routed via R2's default route (pppoe-sfp1); vice versa, the route to 192.168.10.0/24 does not exist in the routing table main, so packets coming from the original bridge of the 3011 are router via main default route (pppoe-eth1). So no special measures need to be taken to prevent traffic leak between the two LAN subnets.
However, pppoe-client interfaces do not play well with VRF - in particular, whilst the route to the remote end of the tunnel is added with the correct routing-mark, the default route added thanks to the add-default-route parameter of the /interface pppoe-client row set to yes is added without any routing-mark:
formatted code
[me@myTik] > ip route print detail where gateway~"pppoe" Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 0 ADC dst-address=192.168.203.1/32 pref-src=192.168.203.16 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=0 scope=10 routing-mark=R2 1 DS dst-address=0.0.0.0/0 gateway=pppoe-out1 gateway-status=pppoe-out1 reachable distance=5 scope=30 target-scope=10If this is the only issue, it can be worked around easily, by setting add-default-route to no for pppoe-sfp1 and manually adding a default route for this virtual router:
/ip route add routing-mark=R2 gateway=pppoe-sfp1
But if the packets received on pppoe-sfp1 eventually fail to get the routing-mark, it's another level to take care about. And the routing-mark is not taken into account when the router processes incoming packets for itself, so to test that, you need packets forwarded from one interface to another.
So at a safe time, you can try the complete setup:
/interface pppoe-client
add name=pppoe-sfp1 add-default-route=no ....
/interface bridge
add name=bridge-rb951
/interface bridge port
add interface=ether6 bridge=bridge-rb951
But don't do that before you post the export of the current configuration of your 3011 as @anav has suggested, because some other modifications need to be done so that the firewall rules would protect also the router R2, and for that, we have to know the current firewall setup.
See my automatic signature below for a hint on anonymisation of the configuration export before posting it.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.