Hi Guys

Maybe someone knows how to pull this off or if its even possible. imagine the following setup, a routerboard 532 acting as a pppoe server. It has ether1 as the server, and ether2 and ether3 acting as dual gateways. 8 port switch plugged into ether1 and from the switch say 4 firewalls (basic broadband router - dialing up through pppoe). so each firewall could have the same ip range as I would have in effect 4 seperate networks. The WAN port of each firewall is connected to the switch which is connected to the pppoe server. the 4 firewalls get the following addresses from the pppoe server 10.10.11.1, 10.10.12.1, 10.10.13.1, 10.10.14.1

or even say each one get an address on the same range, 10.10.10.2 - 10.10.10.5

this setup is pretty standard I think, but I would like to try get this going using one device, a routerboard 150 "minirouter"

so instead of having 4 firewalls, having one device that is capable of having different ip ranges on each interface?

routerboard 150 ( ether1 - connected to pppoe server ) ether 1 connected to network A, ether 2 connected to network B , etc...

Is this possible?

What you're wanting to do is technically feasible with the RB150, but due to its fairly low clock speed if you have a significant number of Firewall rules you may find throughput will be somewhat restricted. Given the price of the RB150 you're not going to lose much by trying it out.

If you need more bandwidth then use a PC chassis to host the router.

Alright, awesome, this is quite a usefull forum. um, so I have two replies telling me its possible but no hint whatsoever as to how it can be done. hmmmm, ok I should look on the internet for a Mikrotik forum and post a question about this issue and perhaps someone will respond with a possible solution. Any ideas if such a forum exists anyone?

Oops, in my original post I said the following towards the end --

==routerboard 150 ( ether1 - connected to pppoe server ) ether 1 connected to network A, ether 2 connected to network ==B , etc...

==Is this possible?

the the second ether1 should be ether2, so it should have read as --

==routerboard 150 ( ether1 - connected to pppoe server ) ether 2 connected to network A, ether 3 connected to network ==B , etc...

==Is this possible?

there is no problem doing it, no hints needed. as you said - standard setup. as the others said - your bandwidth will be limited. it's impossible to tell you anything else without knowing how much bandwidth you need, what users you have, how many, and what firewall rules you will have (also how many).

And: this IS the MikroTik forum - no need to search

Best regards,
Christian Meis

i know this is the forum!! lol , ok sorry guys. Ignoring bandwidth requirements etc, etc, does anyone know how to assist me with this please?

I really don't understand why the bandwidth requirements need to be known before an answer can be given, also the same for the amount of firewall rules? I am a novice with this mikrotik os but surely the config of the ports, and routing would be the same no matter what the firewall rules would be or bandwidth requirements?

The bandwidth requirements and amount of rules would surely only depict if the deivce would function in a stable fashion?

I did indicate in my original post that I want the minirouter to take the place of 4 "basic broadband router" which should have given some indication that this is a low bandwidth / user setup with no complex firewall rules if any at all.

ether1 needs to have 4 pppoe clients created on it, which depending on the address assigned by the pppoe server route traffic through to ether2 - ether5. ether 2 - ether5 could be 4 DHCP servers, but I will probably use static addresses on each LAN ( ether 2 - ether 5 or lan A - lan D) Having said that though, the underlying config should still be the same and I could add DHCP functionality, port forwarding, etc at a later stage if the device can handle it which would depend on the bandwidth etc etc.

Honestly guys, those of you have responded, yes, its possible but only if "this requirement exists" reply assuming that requirement exists..

If it is possible in a low bandwidth setup with few rules - please reply with a solution for a setup with low bandwidth and few rules.

I am trying to learn mikrotik more and more, I've configured dhcp, nat, inbound port forwarding, load balancing, packet marking, pppoe server and client, WDS links, queues and bridging so I have a basic knowledge of Mikrotik but I'm not quite sure how to get this router setup. So any reply with some sort of config might get me on the right path....

Maybe 4 pppoe clients on one interface is the wrong approach and the client should be on each of the lan interfaces and not the wan, then some how natted or routed through to the wan interface (ether1)?

Thanks guys..

there is no problem doing it, no hints needed. as you said - standard setup. as the others said - your bandwidth will be limited. it's impossible to tell you anything else without knowing how much bandwidth you need, what users you have, how many, and what firewall rules you will have (also how many).

I did say standard setup referring to having 4 individual firewalls. I didin't mean creating 4 firewalls in a routerboard 150 is a standard setup, sorry that I was not very clear in the way I posted my original question. I will try to be very precise in the way I word things and practise my grammar.

And: this IS the MikroTik forum - no need to search

Best regards,
Christian Meis

sarcasm
One entry found for sarcasm.

Main Entry: sar·casm
Pronunciation: 'sär-"ka-z&m
Function: noun
Etymology: French or Late Latin; French sarcasme, from Late Latin sarcasmos, from Greek sarkasmos, from sarkazein to tear flesh, bite the lips in rage, sneer, from sark-, sarx flesh; probably akin to Avestan thwar&s- to cut
1 : a sharp and often satirical or ironic utterance designed to cut or give pain
2 a : a mode of satirical wit depending for its effect on bitter, caustic, and often ironic language that is usually directed against an individual b : the use or language of sarcasm
synonym see WIT

You´re confused getting no answer ?
Maybe cause nobody understood what
the problem ls.
It seems to be only a problem of assigning ips
to interfaces and configuring a pppoe
client.

Stefan

OK. I'll take it - as a penalty for my sarcasm

The problem will be the 4 pppoe-clients on your WAN interface. You have either have to have a static gateway ip address for each one - and a different one for every pppoe-client, not 4 times the same. Actually, not even 2 times the same .
Other possibility is the use the (still beta!!!) RouterOS V3.x. There you can take advantage of a feature called "interface-based routing", where you can use the interface name as the next hop in a routing rule.

I'll try to give a short example for RouterOS v3.x.

This all is from memory, so please check exact syntax etc. You're always welcome back here to ask for further assistance.

You have to configure your ip addresses for the "client" ethernet interfaces. Like: Then add 4 pppoe client interfaces on your WAN side ethernet port (ether1): Please note, that you do NOT accept the default route your pppoe provider is giving to you!

Next, we masquerade traffic leaving the four pppoe client interfaces: Then you need mangle rules to create routing marks to direct the traffic from the different LAN interfaces out the right pppoe client interface: Then ip routing entries to utilize those new shining routing marks: Then you should add some firewall code to disallow the clients from the different LAN interfaces (ether2-5) to talk to each other (unless this is wanted behaviour), secure your router, ...

I'm quite sure that there are some typos etc. in the commands up there, because I'm in a hurry - but they should get you going into the right direction. Without V3.x (interface-based routing) you could try to get the correct routing by some clever src-natting etc. rules. But that's over my head in the hurry right now

Best regards,
Christian Meis

PS: And yes, sarcasm is healthy

Shot, I'll give that a go. I read through it quickly and can't see why that shouldn't work for router os 2.9.43.
Hopefully it will, I'll try it and respond a bit later but I think I follow your thinking. Thanks.

The world is full of healthy people.

Regards

Basil

PS: the guy who wrote something about me being confused, and those who have replied not understanding, read the posts carefully, and slowly, and you might actually see a different picture....

What won't work in 2.9.x is the part where your specify an interface name (like "pppoe-for-ether2") as gateway in a routing rule...

Best regards,
Christian Meis

would it not pick up the gateway from the routing mark that has been added? the last 4 lines in your config are:

Code:
/ip route add dst-address=0.0.0.0/0 routing-mark=out-from-ether2 gateway=pppoe-out-for-ether2
/ip route add dst-address=0.0.0.0/0 routing-mark=out-from-ether2 gateway=pppoe-out-for-ether3
/ip route add dst-address=0.0.0.0/0 routing-mark=out-from-ether2 gateway=pppoe-out-for-ether4
/ip route add dst-address=0.0.0.0/0 routing-mark=out-from-ether2 gateway=pppoe-out-for-ether5

I was thinking of changing them slightly to add 4 routes, each with the different routing mark created earlier in your config, without specifying a gateway interface. As far as I can remember you can't choose a interface in 2.9.43, hence yu suggesting 3.x. I don't want to use a beta release although it would probably work. If you can give it a bit more thought when you have some time and think of a solution for 2.9.43 that would be great. I'll still try come up with a solution using your config. Thanks again.

How about using a src-nat rule to force traffic out a specific interface?

You could try something like this (sorry, no way to test this on real hardware here right now...):
where 1.2.3.4 would be the public ip address you get assigned at the pppoe-client interface you want to use for the LAN at ether2.

This should (could?) force the traffic to go out the right interface because of the right preferred-src-address. This would require a script to change the src-nat rules every time your public ip addresses change (if you don't have static ip addresses assigned on the pppoe clients).

Oh, and in this case you need to have "add-default-gateway" set to "yes" on the pppoe-client interfaces.

This will only work, if you do have different gateway ip addresses on the pppoe-client interfaces (otherwise you will have to use v3.x again with interface-based routing).

Perhaps this is something to tinker with...

Best regards,
Christian Meis