This is my first time using a MikroTik router (RB2011UiAS-2HnD) and RouterOS 7.8, so I'm still getting my head around how it's all set up. I have read over many guides and watched plenty of videos, but unfortunately there are new features etc. in OS 7.x that just aren't covered and that contradict other articles I read, so I'm reaching out to the community for some guidance to set me on the right path.
My main issue is trying to get VLANs and NAT working. The VLANs are set up on the bridge interface and the NAT is in the IP firewall.
Here is a basic network diagram of my setup:
TD1, TD2 and TD3 end devices all have the same IP address (192.168.1.10), as these are test devices and it can't be changed. So I'd like to NAT and VLAN these so PC1 and PC2 can access them independently/simultaneously.
e.g.:
Eth4 - VLAN 40 - NAT - 192.168.1.40 > TD1 (192.168.1.10)
Eth5 - VLAN 50 - NAT - 192.168.1.50 > TD1 (192.168.1.10)
For the moment I am just using PC1 and TD1 and TD2 for the initial configuration, before implementing the rest of the network.
Bridge VLAN Issues
- Created VLANs on the "bridge" and would then change the appropriate port PVID to match the VLAN, e.g. ETH4-TD1 pvid 40.
- Then enabling "vlan filtering" kills the path to TD1 from PC1. I have tried adding it to the "tagged" and "untagged" ports.
- I can't get the VLAN to work on the bridge, and from the guides I have read this should work.
NAT Issues
192.168.1.40 - Even though this should translate to 192.168.1.10 (and I did have it working at some stage), now it's just going to 192.168.1.254 (the router interface IP). I have lost track of why this is happening. I will isolate it and set up a management port to try and fix this fault, but it would be great if someone could point out why this is currently happening. I'm thinking it's because it's on the bridge interface, but I don't understand why it's going to 192.168.1.254 instead of 192.168.1.10; essentially NAT isn't working.
Please see attached config:
/interface bridge
add admin-mac=4H:5E:0C:7G:0F:AC auto-mac=no comment=defconf name=bridge protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Connection to CISCO switch 2960" name="ETH1-SW LAN"
set [ find default-name=ether2 ] name=ETH2-PC1
set [ find default-name=ether4 ] name=ETH4-TD1
set [ find default-name=ether5 ] name=ETH5-TD2
set [ find default-name=ether6 ] name=ETH6-TD3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ETH2-PC1
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ETH4-TD1
add bridge=bridge comment=defconf interface=ETH5-TD2
add bridge=bridge comment=defconf interface=ETH6-TD3
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="ETH1-SW LAN"
/interface bridge settings
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ETH2-PC1,ETH4-TD1 vlan-ids=40
add bridge=bridge vlan-ids=50
add bridge=bridge disabled=yes vlan-ids=60
/interface list member
add comment=defconf interface=bridge list=LAN
/ip address
add address=192.168.1.254/24 comment="RT Interface" interface=bridge network=192.168.1.0
add address=192.168.1.50/24 interface=ETH5-TD2 network=192.168.1.0
add address=192.168.1.60/24 interface=ETH6-TD3 network=192.168.1.0
add address=192.168.1.40/24 interface=ETH4-TD1 network=192.168.1.0
add address=192.168.1.150/24 interface=ETH2-PC1 network=192.168.1.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=bridge
add action=src-nat chain=srcnat src-address=192.168.1.40 to-addresses=192.168.1.10
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.1.10 to-addresses=192.168.1.40
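As an added worked example (written by the editor, not the poster's configuration and not from any reply in the thread), here is how I would build the "one VLAN per test device, one fake address per device" layout on RouterOS 7 for TD1 and TD2. Three things differ from the posted export. Addresses go on VLAN interfaces sitting on the bridge, because an address on a port that is a bridge member is never active. The bridge itself is a tagged member of each VLAN, otherwise enabling vlan-filtering cuts the router (and so the PC) off from the VLAN. And because vlan40 and vlan50 both carry 192.168.1.0/24, a dst-nat alone leaves the router with two equally good connected routes to 192.168.1.10; a routing mark taken from the original destination (.40 or .50) steers the packet into a routing table holding a single /32 route to the right VLAN. For the return path to be unambiguous PC1 must sit in a different subnet, so the example assumes 192.168.2.0/24 with the router at 192.168.2.254. The names vlan40, vlan50, td1 and td2 and the 192.168.2.0/24 range are my assumptions; everything else uses the port names from the export.

```routeros
# Added example, not the original post's config. Assumed names: vlan40, vlan50,
# routing tables td1/td2, PC subnet 192.168.2.0/24.

# 1. Build the VLAN table while filtering is OFF. The bridge itself must be a
#    tagged member so the router has an L3 presence on each VLAN.
/interface bridge
set bridge vlan-filtering=no
/interface bridge port
set [ find interface=ETH4-TD1 ] pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=ETH5-TD2 ] pvid=50 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge vlan-ids=40 tagged=bridge untagged=ETH4-TD1
add bridge=bridge vlan-ids=50 tagged=bridge untagged=ETH5-TD2
# ETH2-PC1 stays an untagged member of the default VLAN (pvid=1).

# 2. L3 on VLAN interfaces, not on bridge slave ports (those addresses stay inactive).
/interface vlan
add name=vlan40 interface=bridge vlan-id=40
add name=vlan50 interface=bridge vlan-id=50
/ip address
add address=192.168.2.254/24 interface=bridge comment="PC side (assumed subnet)"
add address=192.168.1.254/24 interface=vlan40 comment="router as seen by TD1"
add address=192.168.1.254/24 interface=vlan50 comment="router as seen by TD2"

# 3. Both VLANs hold a 192.168.1.10, so pick the egress VLAN from the ORIGINAL
#    destination before dst-nat rewrites it: mark in prerouting, then a per-table
#    /32 route. (fib = install the table in the kernel.)
/routing table
add name=td1 fib
add name=td2 fib
/ip route
add dst-address=192.168.1.10/32 gateway=vlan40 routing-table=td1
add dst-address=192.168.1.10/32 gateway=vlan50 routing-table=td2
/ip firewall mangle
add chain=prerouting in-interface=bridge dst-address=192.168.1.40 action=mark-routing new-routing-mark=td1 passthrough=no
add chain=prerouting in-interface=bridge dst-address=192.168.1.50 action=mark-routing new-routing-mark=td2 passthrough=no

# 4. NAT: rewrite the destination, then hide PC1 behind the router's address on
#    the chosen VLAN so TD1/TD2 reply to a host they can ARP for. Conntrack
#    reverses both translations on the way back.
/ip firewall nat
add chain=dstnat dst-address=192.168.1.40 action=dst-nat to-addresses=192.168.1.10
add chain=dstnat dst-address=192.168.1.50 action=dst-nat to-addresses=192.168.1.10
add chain=srcnat out-interface=vlan40 action=masquerade
add chain=srcnat out-interface=vlan50 action=masquerade

# 5. Fasttracked packets bypass mangle, so the routing mark is only guaranteed
#    with the defconf fasttrack rule disabled.
/ip firewall filter
disable [ find comment="defconf: fasttrack" ]

# 6. Only now switch filtering on (from a port not being re-tagged, or in safe mode).
/interface bridge
set bridge vlan-filtering=yes
```

Checks worth running after applying it: `/interface bridge vlan print` should show vlan-ids 40 and 50 with `bridge` in the tagged column and the TD port in the untagged column; `/ip address print` should show no address flagged invalid (it was the slave-port addresses that were); and `/ip firewall connection print` while PC1 pings 192.168.1.40 should show one entry with a reply-dst of 192.168.1.254 and reply-src 192.168.1.10, proving both translations happened. If 192.168.1.40 keeps answering from the router itself, look for any address or rule that makes the router own .40 before the dst-nat rule is reached, since input to a local address never reaches the forward path.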