Blotto
just joined
Topic Author
Posts: 3
Joined: Sat Apr 29, 2023 7:20 am

Router VLAN/ NAT configuration

Sun May 14, 2023 1:04 pm

Hi All,
This is my first time using a MikroTik router (RB2011UiAS-2HnD) and RouterOS 7.8, so I'm still getting my head around how it's all set up. I have read over many guides and watched plenty of videos, but unfortunately there are new features etc. in OS 7.x that just aren't covered and contradict other articles I read, so I'm reaching out to the community for some guidance to set me on the right path.
My main issue is trying to get VLANs and NAT working. The VLANs are set up on the bridge interface and the NAT is on the IP Firewall.
Here is a basic network diagram of my setup:
[image: network diagram]
TD1/2 and 3 end devices all have the same IP address (192.168.1.10), as these are test devices and can't be changed. So I'd like to NAT and VLAN these, so PC1 and PC2 can access these independently/ simultaneously.
eg:
Eth4 - VLAN 40 - NAT - 192.168.1.40 > TD1 (192.168.1.10)
Eth5 - VLAN 50 - NAT - 192.168.1.50 > TD1 (192.168.1.10)
For the moment I am just using PC1 and TD1 and TD2 for the initial configuration, before implementing the rest of the network.

Bridge VLAN Issues
- Created VLANs on the "bridge" and would then change the appropriate port PVID to match the VLAN eg: ETH4-TD1 pvid 40.
- Then enabling "vlan filtering" kills the path to TD1 from PC1. I have tried adding to "tagged and untagged" ports.
- I can't get the VLAN to work, on the bridge, and from the guides I have read this should work.

NAT Issues
192.168.1.40 - Even though this should translate to 192.168.1.10, I did have it working at some stage, but now it's just going to 192.168.1.254 (Router Interface IP). Though I have lost track of why this was happening. I will isolate and set up a management port to try and fix this fault, but it would be great if someone could point out why this is currently happening. I'm thinking because it's on the bridge interface, but I don't understand why it's going to 192.168.1.254 instead of 192.168.1.10; essentially NAT isn't working.

Please see attached config:
/interface bridge
add admin-mac=4H:5E:0C:7G:0F:AC auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connection to CISCO switch 2960" name="ETH1-SW LAN"
set [ find default-name=ether2 ] name=ETH2-PC1
set [ find default-name=ether4 ] name=ETH4-TD1
set [ find default-name=ether5 ] name=ETH5-TD2
set [ find default-name=ether6 ] name=ETH6-TD3

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ETH2-PC1
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ETH4-TD1
add bridge=bridge comment=defconf interface=ETH5-TD2
add bridge=bridge comment=defconf interface=ETH6-TD3
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="ETH1-SW LAN"
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ETH2-PC1,ETH4-TD1 vlan-ids=40
add bridge=bridge vlan-ids=50
add bridge=bridge disabled=yes vlan-ids=60
/interface list member
add comment=defconf interface=bridge list=LAN
/ip address
add address=192.168.1.254/24 comment="RT Interface" interface=bridge network=192.168.1.0
add address=192.168.1.50/24 interface=ETH5-TD2 network=192.168.1.0
add address=192.168.1.60/24 interface=ETH6-TD3 network=192.168.1.0
add address=192.168.1.40/24 interface=ETH4-TD1 network=192.168.1.0
add address=192.168.1.150/24 interface=ETH2-PC1 network=192.168.1.0

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=bridge
add action=src-nat chain=srcnat src-address=192.168.1.40 to-addresses=192.168.1.10
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.1.10 to-addresses=192.168.1.40
Last edited by Blotto on Tue May 16, 2023 12:12 pm, edited 2 times in total.
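Added example, not the original poster's configuration and not an answer to the same-IP question raised in the replies: a RouterOS 7 bridge VLAN layout with one tagged trunk port and two untagged access ports, where the bridge itself is a tagged member so the router can hold an address on each VLAN. In the posted table, ETH2-PC1 appears only as a tagged member and the bridge is not a member at all; this example instead gives each PC-facing port a pvid and lists the bridge as tagged. The interface names, VLAN IDs 40 and 50, and the 10.40.0.0/24 and 10.50.0.0/24 subnets are assumptions chosen for the illustration.

```routeros
# Added example (assumed names and addresses), not the original poster's config.
# RouterOS 7 bridge with VLAN filtering: ether1 = trunk to a switch, ether2/ether4 = access ports.

/interface bridge
add name=bridge vlan-filtering=no

# Access ports get a pvid so untagged frames from a PC land in that VLAN.
# frame-types drops tagged frames arriving on access ports, so a host cannot
# pick another VLAN by tagging its own traffic.
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2 pvid=40 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=50 frame-types=admit-only-untagged-and-priority-tagged

# VLAN table: the bridge itself must be a tagged member of every VLAN the router
# needs an IP address on, otherwise the router's own address is unreachable there.
/interface bridge vlan
add bridge=bridge vlan-ids=40 tagged=bridge,ether1 untagged=ether2
add bridge=bridge vlan-ids=50 tagged=bridge,ether1 untagged=ether4

# Layer-3 interface and address per VLAN (subnets are assumptions).
/interface vlan
add name=vlan40 vlan-id=40 interface=bridge
add name=vlan50 vlan-id=50 interface=bridge
/ip address
add address=10.40.0.1/24 interface=vlan40
add address=10.50.0.1/24 interface=vlan50

# Enable filtering last, after the table is complete, so management access
# over the bridge is not cut off halfway through the change.
/interface bridge set [ find name=bridge ] vlan-filtering=yes
```

Switching vlan-filtering on is the step that makes the table authoritative, which is why it comes last here; any VLAN the router must be reachable on needs the bridge listed as tagged before that step, and any port that connects an untagged device needs a pvid rather than a tagged entry.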
 
GrayJay
just joined
Posts: 3
Joined: Sun May 14, 2023 5:16 pm

Re: Router VLAN/ NAT configuration

Sun May 14, 2023 5:25 pm

Hi, I am having the same problem with Cisco 3850 and the VLAN, I have clicked and unclicked the Tag box.

The traffic is up/up I can see OSPF traffic propagating (or trying to), and the IP when I torch but I cannot ping and it will not pass any traffic. It is up at L2

I also put the Cisco in Access mode and it will not ping either...

I read that making sure there were NO firewall rules would allow everything to pass, so there are no firewall rules.

One thing I did learn was that OSPF uses dotted decimal notation, but if you want the area to jive with Cisco, for instance area 130 in Mikrotik is Area "0.0.0.130", but without L3 there it will not come up either.

Is it maybe because there has to be a mangle or masquerade inside to reach the routing engine? Just putting an IP on there doesn't really make a pingable interface in Mikrotik?

Just a guess.
Last edited by GrayJay on Sun May 14, 2023 5:40 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Router VLAN/ NAT configuration

Sun May 14, 2023 6:07 pm

(1) Upgrade to 7.9 stable.

(2) No WAN?

(3) Since you lack clarity in what the purpose of the Mikrotik device is, it is impossible to assist.

(4) TD1,2,3 cannot be on different VLANS if they are to have the same IP.

(5) Where is DHCP coming from for all vlans reaching Mikrotik from Cisco, or for the ones on Cisco for that matter ( where is the other Router )??

(6) Which subnet is the trusted or management subnet??
 
Blotto
just joined
Topic Author
Posts: 3
Joined: Sat Apr 29, 2023 7:20 am

Re: Router VLAN/ NAT configuration

Tue May 16, 2023 12:05 pm

Thank you for your reply. I hope I have answered some of your questions, but also to help expand on the setup, the router is in a separate room to the switch. I would like to use the router for some local management of the 3 Test Devices (TD1 - 3) and then also expand to using the Cisco switch to expand the network to more TDs in another room, and other external equipment.
At the moment I'm trying to build the configuration to get the VLANs/ NAT working, and will then expand from there. This is why some stuff is either still default configuration, or simply hasn't been configured yet.

(2) No WAN?
Currently no need for WAN as this is just a local setup at this point. It was intended to make Eth1 a trunk port to the Cisco switch.
(3) Since you lack clarity in what the purpose of the Mikrotik device is, it is impossible to assist.
Apologies, at this point I was just trying to illustrate the basic idea, and was just starting with VLAN/ NAT between "PC1" and the "TD#'s" and to get that working before building the rest of the network.
(4) TD1,2,3 cannot be on different VLANS if they are to have the same IP.
Hence I wanted to try and use NAT on each of the router ports (eth4, 5, and 6) to translate the 192.168.1.10 address, and VLANs to then isolate the traffic from each.
(5) Where is DHCP coming from for all vlans reaching Mikrotik from Cisco, or for the ones on Cisco for that matter ( where is the other Router )??
Currently this is still "default". Most things on the network will be static, but hadn't got as far as implementing any DHCP policy.
(6) Which subnet is the trusted or management subnet??
As above, hadn't been implemented as yet, nor given much thought as I was just trying to get the basic vlan setup first.
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Router VLAN/ NAT configuration

Tue May 16, 2023 9:58 pm

I am reasonably sure you will need a separate router between the RB2011 and each test device to provide NAT for each test device. Something like this post

And you won't need a separate vlan for the connection from the RB2011 to the NAT routers, since the NAT routers will each have a unique address on the RB2011 side.

If you don't need high performance, you could probably get by with hap lite (and turn off radio), just use two ports, and it will probably be limited to v6 due to limited memory in the hap lite.

If you need more performance or the ability to use v7, you could use hEX, hAP ac2, or hAP ax lite (but still one per test device).

See this thread Problematic destination NAT
Last edited by Buckeye on Tue May 16, 2023 10:47 pm, edited 1 time in total.
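The separate NAT router Buckeye describes, as an added example that is not the thread's own configuration: a minimal RouterOS setup for the box placed between the RB2011 and one test device. It assumes the test device keeps 192.168.1.10, that the RB2011 reaches each NAT router over its own routed /30 (10.40.0.0/30 here, with the RB2011 at 10.40.0.1 and the NAT router at 10.40.0.2) rather than the shared 192.168.1.0/24 of the original post, because the device's inside subnet and the PC subnet would otherwise overlap on the NAT router, and that the interface names outside/inside and the inside address 192.168.1.1 are chosen for the illustration.

```routeros
# Added example (assumed names and addresses), not the thread's own config.
# One small RouterOS box per test device: the device keeps 192.168.1.10 on the
# inside, the RB2011 side sees a unique address (10.40.0.2 for this one).

/interface ethernet
set [ find default-name=ether1 ] name=outside
set [ find default-name=ether2 ] name=inside

/ip address
# Routed link toward the RB2011; unique per NAT router (10.40.0.2, 10.50.0.2, ...).
add address=10.40.0.2/30 interface=outside
# Inside subnet is identical on every NAT router; only this box ever sees it.
add address=192.168.1.1/24 interface=inside

/ip route
add dst-address=0.0.0.0/0 gateway=10.40.0.1

/ip firewall nat
# Inbound from a PC: rewrite the destination to the device's fixed address.
add chain=dstnat in-interface=outside dst-address=10.40.0.2 action=dst-nat to-addresses=192.168.1.10
# Rewrite the source toward the device so its replies come back to this box
# even if the device has no default gateway or points it elsewhere.
add chain=srcnat out-interface=inside action=masquerade

/ip firewall filter
# Only sessions that entered through the dst-nat rule may reach the device;
# anything else forwarded toward the inside is dropped.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=outside connection-nat-state=dstnat action=accept
add chain=forward action=drop
```

With this in place the RB2011 only needs 10.40.0.1/30 on the port facing this box, and PC1 reaches the test device at 10.40.0.2; a second box on 10.50.0.0/30 exposes the next device at 10.50.0.2, so no VLAN is needed to keep the identical inside subnets apart. The masquerade toward the inside is what removes the dependency on the test device's own routing, and the forward rules keep the device reachable only through the translated address.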
 
Buckeye
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Router VLAN/ NAT configuration

Tue May 16, 2023 10:43 pm

I also found this post, but I haven't figured out how it works yet.

How to allow two devices with same IP access internet
