Fast router with VLAN


Sure, but it will take some time - in the store where I ordered the router it is 4-6 weeks delivery time.
 
I received the router and the access point on Friday and over the weekend I mounted them and made some basic configuration. Fast link works as expected, the web interface is super fast and the touch screen on the router is a nice addition (it can display current bandwidth usage).
I didn't really use any advanced functions, just some basic configuration (static DHCP addresses, port forwarding), and everything was quite straightforward to configure.

However I am stuck with the IPv6 configuration. I cannot find that submenu in the web interface. The command line interface has an /ipv6 submenu but it seems there are no other commands there.
I don't believe this router doesn't have IPv6, so it must be my fault, but for now I am out of ideas where to look...
 
Above the ipv6 there should be ip, which is for IPv4. If it is missing, refresh, as it means not everything loaded. If there is a quick config or configuration wizard, that can help you get started.

Fast path is hardware acceleration for bridging and routing while fasttrack is for nat acceleration.

If you open the terminal it is /ip

If you still can't find it, try to update the firmware and see if it helps. I suggest you enable the FTP service and use a good FTP client like FileZilla to upload the firmware. First upload the system package to the root folder of the router storage, reboot and then do the same with the extra packages.

If you use Windows there is Winbox, but I suggest against file transfers using the web interface and Winbox.

For a basic home config the firewall rules are simple:
- allow output DNS server (TCP and UDP) port 53, out interface WAN
- allow input DNS server (TCP and UDP) port 53, in interface WAN
- allow (TCP and UDP) port 53, in/out interface LAN
- drop input on interface WAN
- drop output on interface WAN
This is for securing the router for basic use. For every service the router uses you will need to add an allow rule, and be specific, such as for NTP.

Then add other firewall rules for forwarding and routing, such as dropping invalid packets (see the MikroTik wiki for an example firewall config). Intercepting DNS and NTP helps and improves performance, since Google Chrome is hardwired to use Google DNS but your own router has its own cache. 4-8MB of DNS cache is sufficient. This is done in NAT and is also used to do transparent proxying.

If you use VLANs or PPP for WAN you will need to add the rules on those interfaces too.
Use address lists so you can minimise the number of rules. So you could add 8.8.8.8 and 8.8.4.4 into a list of the same name for them to be in the same list, and in the advanced section of the firewall you can use lists there. Lists help with a lot of things.


If you have IPv6 running you must do the same for the IPv6 firewall.
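A RouterOS rendering of the rule set described in this post, as an added example that is not code from the post, from MikroTik's documentation or from the linked tutorial. It assumes the WAN interface is sfp1 (named later in the thread) and the LAN bridge is called bridge-local; the 8.8.8.8/8.8.4.4 entries come from the post, the NTP address is a placeholder. It departs from the post in one place: instead of accepting inbound port 53 on the WAN, it accepts only established/related replies there, so the router's resolver is usable from the LAN but is never reachable from the internet as an open resolver.

```routeros
# Added example (not from the forum post). Assumed names: WAN = sfp1, LAN = bridge-local.
/ip firewall address-list
add list=dns-servers address=8.8.8.8 comment="upstream resolver"
add list=dns-servers address=8.8.4.4 comment="upstream resolver"
add list=ntp-servers address=192.0.2.123 comment="PLACEHOLDER NTP server, replace with your own"

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 cache-size=4096
# cache-size is in KiB, so 4096 = 4 MiB. allow-remote-requests=yes makes the router answer
# anyone who can reach its port 53, which is why the input chain below drops the WAN side.

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input connection-state=established,related action=accept comment="replies to connections the router opened (DNS, NTP, DDNS update)"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge-local protocol=udp dst-port=53 action=accept comment="LAN may use the router's DNS cache"
add chain=input in-interface=bridge-local protocol=tcp dst-port=53 action=accept
add chain=input in-interface=sfp1 action=drop comment="nothing else from the internet reaches the router"

# --- output: traffic the router itself originates towards the WAN ---
add chain=output out-interface=sfp1 protocol=udp dst-port=53 dst-address-list=dns-servers action=accept
add chain=output out-interface=sfp1 protocol=tcp dst-port=53 dst-address-list=dns-servers action=accept
add chain=output out-interface=sfp1 protocol=udp dst-port=123 dst-address-list=ntp-servers action=accept
add chain=output out-interface=sfp1 connection-state=established,related action=accept
# Each further service the router uses needs its own accept before the drop, for example
# tcp dst-port=443 for the DDNS update client, or udp dst-port=67 if the WAN address comes from DHCP.
add chain=output out-interface=sfp1 action=drop comment="router-originated traffic not explicitly allowed"

/ip firewall nat
# Intercept LAN DNS so clients that hard-code 8.8.8.8 (Chrome) still hit the router's cache.
add chain=dstnat in-interface=bridge-local protocol=udp dst-port=53 action=redirect to-ports=53 comment="transparent DNS"
add chain=dstnat in-interface=bridge-local protocol=tcp dst-port=53 action=redirect to-ports=53 comment="transparent DNS"
# Same idea for NTP; only useful if the ntp package is installed and /system ntp server is enabled.
add chain=dstnat in-interface=bridge-local protocol=udp dst-port=123 action=redirect to-ports=123 comment="transparent NTP"
```

The redirect rules are evaluated in dstnat before the filter chains, so a redirected query arrives in the input chain with the router as destination and is accepted by the bridge-local port-53 rules; the input drop on sfp1 is what keeps the resolver private.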
 
Right. According to the documentation IPv6 is missing because I didn't enable the package (BTW, that should be the first thing on the MikroTik IPv6 wiki page).

Regarding the firewall - there is a quick start page and some default settings. It included firewall rules, so I didn't have to set up everything myself (apart from redirecting ports for NAT etc.).

I am not sure how to use the dual switch thing. Is traffic between these switches routed? If not, I guess it logically works like I would have two switches connected to another switch. In this case the actual configuration shouldn't really matter for a home network.
 
The traffic between the 2 switches isn't switched or routed by default; you would need to create a bridge.

If you use both switches as LAN then use a bridge, apply your rules on the bridge and use the bridge as your LAN interface in your rules.

When I create NAT rules I don't use the in interface, just the out interface and an address list. This way if someone uses a static IP on your network they can't get internet unless it's in one of the subnets/IPs in your list.
 

Take a look at the following block diagram for your router:
(attached block diagram: RB3011UiAS-151124114519.png)


For best performance you will want to do the following:
Keep your LAN devices on Eth1-5
Keep your WAN connection on Eth6-10

This is so that any traffic being routed goes in and out of different CPU ports while any traffic passing just over Layer 2 stays on the same switch chip.
 
Thanks for all the help. I have few more issues/questions.

Firewall (both ipv4 and ipv6):
I understand that "forward" chain is for packets being forwarded in any direction and to select the direction I should choose the source and the destination.
So basically the rules for forwarding should be following:
- accept new connections from Ethernet bridge to sfp1
- accept established and related connections in both directions
- block everything else
Even if UDP doesn't have such a thing as an "established connection", I understand that it will be caught by the "related" rule.

As for connections to the router, the example you gave is pretty obvious. Can I also block DNS traffic (I still want my router to act as a local DNS and resolve some host names - i.e. by default the "router" host name points to the router's local IP - 10.1.1.1 in my case)?

Are NAT rules separate from the firewall? I set up port forwarding and didn't have to add an exception to the forward firewall chain (i.e. I forwarded TCP 5001 to my Synology, and didn't have to add "accept incoming connection to port 5001" to the forward chain).

IPv6

I obtained /48 PD network from my ISP (using DHCP Client under IPv6 menu), e.g:
2001:db8:a0b::/48

The devices inside my network are not getting IPv6; I assume I have to configure something else.
My previous router didn't have many IPv6 configuration options; after getting the IP from the ISP, LAN devices assigned themselves stateless IPs (2001:db8:a0b:0:[mac address]).
I tried different approaches I found on the internet (either with a DHCPv6 server or neighbour discovery), none of which seemed to work. Can you recommend a good tutorial on how to configure IPv6 with PD?
Simply setting up the DHCP server didn't work (I chose the pool from the ISP and different flag settings).

It would be enough for me to have stateless IPs, but I would like to choose the prefix, as in the example I am getting 2001:db8:a0b::/48 from the ISP and the last 64 bits are reserved for the stateless configuration.
I would like to configure it this way:
2001:db8:a0b:1::/64 is the prefix for my internal devices (differentiated by WLAN that I didn't configure yet).
2001:db8:a0b:e::/64 is the prefix for external devices

But I wasn't able to add a new pool (it complained that the pool I want to add is already included in the pool I received from the ISP).
The pool from the ISP is static, but it has to be obtained by the DHCPv6 client.
 
Source NAT and destination NAT are not directions; it's what to look for and what actions you can do. Forwarding works in both directions.

You have to allow DNS and NTP to work externally from your router, but you can limit it to only work with the IP addresses you choose (read a few posts back for my example).
To give your devices IPv6 you have to configure the DHCP server under IPv6. If you are getting a static IP from your ISP you can configure a static IP for the router. If your ISP gives you lots of IPs that you want to assign to your internal devices you can use DHCP relay.

I've tried IPv6 on MikroTik before and it works just like IPv4. If your devices aren't getting an IP from DHCP that means it is not broadcasting. If I remember correctly you have to broadcast in order for it to work. If you drop output/input on LAN then you may be dropping this.

Here's a tutorial:
https://major.io/2012/01/11/native-ipv6-connectivity-in-mikrotiks-routeros/
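The forward chain the question above sketches (new connections only from LAN to WAN, established/related both ways, drop the rest), written out as an added RouterOS example that is not code from either post. It assumes WAN = sfp1 and LAN = bridge-local. The fourth rule is the answer to the port-forwarding question: NAT and filter are separate tables, dstnat is applied before the forward chain, and a forwarded connection can be recognised by its NAT state rather than by opening port 5001 in the filter.

```routeros
# Added example (not from the forum post). Assumed names: WAN = sfp1, LAN = bridge-local.
/ip firewall filter
# Return traffic in both directions. UDP has no handshake but the connection tracker still
# records each flow, so a reply to a LAN-originated UDP packet is "established", not "related".
add chain=forward connection-state=established,related action=accept comment="replies to tracked connections"
add chain=forward connection-state=invalid action=drop comment="packets that fit no tracked connection"
# Only the LAN may open new connections towards the internet.
add chain=forward connection-state=new in-interface=bridge-local out-interface=sfp1 action=accept comment="LAN -> internet"
# Inbound connections are accepted only if a /ip firewall nat dst-nat rule has already
# rewritten them (e.g. TCP 5001 to the NAS); no per-port exception is needed here.
add chain=forward connection-state=new connection-nat-state=dstnat in-interface=sfp1 action=accept comment="port forwards only"
add chain=forward action=drop comment="everything else, including unsolicited WAN -> LAN"
```

Rule order matters: the established/related accept goes first so that only the first packet of each connection is evaluated against the later rules, and the final drop makes the chain default-deny rather than relying on the absence of an accept.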
 
In the tutorial no DHCP server is used, only neighbour discovery.

The problems with IPv6 were caused by the firewall configuration, but I am a bit confused now. After configuring ND, my LAN hosts assigned themselves addresses like this:
::211:32ff:fe1d:e922/64
which is basically the second part of an IPv6 address without the prefix. They are not reachable from outside (if I prepend the prefix from the ISP). Do you know what type of address it is and how to use it?
(Apart from it they have a regular fe80::211:32ff:fe1d:e922 prefixlen 64 address assigned.)
 
Check your routes as well.
Check that your clients can reach your router, your router can reach outside.
Then check the routes on your router. Check your clients that they are expecting to use IPv6 and not IPv4 for the internet.

IPv6 is just like IPv4 except that it uses hex instead of decimal and has a larger address space.

The /64 is the address space or subnet, just like /24 or /20 for IPv4.
 
So it was not about routes. I needed to manually add an IPv6 address to the bridge local interface (an address like 2001:db8:a0b:1::/64) and set the "advertise" flag to true.
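The configuration this post arrived at, plus the IPv6 firewall that was getting in the way earlier in the thread, as an added RouterOS example that is not code from the post, from the linked tutorial or from MikroTik. It assumes WAN = sfp1, LAN = bridge-local, and the documentation prefix 2001:db8:a0b::/48 the thread uses for the delegation. The ICMPv6 accepts are the point: router advertisements and neighbour discovery are ICMPv6, and a firewall that drops them leaves hosts with only fe80:: or prefix-less addresses like the ones described above.

```routeros
# Added example (not from the forum post). Assumed: WAN = sfp1, LAN = bridge-local,
# delegated prefix 2001:db8:a0b::/48 (documentation prefix, as used in the thread).
/ipv6 dhcp-client
add interface=sfp1 request=prefix pool-name=isp-pd pool-prefix-length=64 add-default-route=yes comment="PD from the ISP lands in pool isp-pd, handed out as /64s"

/ipv6 address
# Choose the /64 yourself (subnet id 1, as wanted above) and advertise it to the LAN:
add address=2001:db8:a0b:1::1/64 interface=bridge-local advertise=yes comment="static /64 carved from the delegated /48"
# Alternative: let RouterOS take the next free /64 from the pool instead of picking the subnet id:
# add address=::1/64 from-pool=isp-pd interface=bridge-local advertise=yes

/ipv6 nd
# Send router advertisements on the LAN only, naming the router as resolver.
set [ find default ] interface=bridge-local advertise-dns=yes

/ipv6 firewall filter
# --- input: traffic to the router itself ---
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmpv6 action=accept comment="RS/RA, neighbour discovery and path MTU; blocking this breaks SLAAC"
add chain=input in-interface=sfp1 protocol=udp dst-port=546 src-address=fe80::/10 action=accept comment="DHCPv6-PD replies from the ISP's link-local side"
add chain=input in-interface=bridge-local protocol=udp dst-port=53 action=accept comment="LAN DNS over IPv6"
add chain=input in-interface=bridge-local protocol=tcp dst-port=53 action=accept
add chain=input in-interface=sfp1 action=drop comment="nothing else from the internet reaches the router"
# --- forward: traffic through the router ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward protocol=icmpv6 action=accept comment="path MTU discovery must work end to end"
add chain=forward in-interface=bridge-local action=accept comment="LAN hosts may reach the internet with their global addresses"
add chain=forward in-interface=sfp1 action=drop comment="no unsolicited inbound to LAN hosts: there is no NAT hiding them on IPv6"
```

With advertise=yes on the bridge-local address, hosts complete the address themselves (prefix from the RA, interface identifier from the MAC, giving 2001:db8:a0b:1:211:32ff:fe1d:e922 style addresses), which is the stateless setup the earlier router provided; the forward drop on sfp1 is what the IPv4 NAT used to do implicitly.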
 
That might be an obvious thing to do, but I cannot figure it out - is it possible to move a firewall rule in the web UI (i.e. when I am adding a new rule it is appended, while I need it in the middle)?
 
Thanks.
This page explains how to forward an external port to an internal IP. I don't have a static external IP, so instead of specifying dst-address, I specified the interface (sfp1).
I have my own DDNS domain that is updated by the router. If I use that domain name from the internal network, then forwarding does not work, because I am not using the sfp1 interface.

I also cannot use a static local DNS entry (and simply map my DDNS domain directly to the internal IP) because the external port is different from the internal port (the Synology HTTPS server is on port 5001, I want to have it on 443, but it is not possible to configure Synology this way, so the only option is to use port forwarding external_ip:443 -> internal_ip:5001).

OK, found the answer:
http://wiki.mikrotik.com/wiki/Hairpin_NAT
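The hairpin NAT the linked wiki page describes, applied to the situation in this post (dynamic WAN address, DDNS name used from inside, external 443 to internal 5001), as an added RouterOS example that is not code from the post or the wiki. It assumes WAN = sfp1, LAN = bridge-local on 10.1.1.0/24 with the router at 10.1.1.1 (from the thread), and a NAS at 10.1.1.50 (constructed). Matching on dst-address-type=local replaces both the fixed dst-address the wiki uses and the in-interface=sfp1 match that stopped LAN clients from hitting the rule.

```routeros
# Added example (not from the forum post or the MikroTik wiki). Assumed: WAN = sfp1 with a
# dynamic address, LAN = bridge-local 10.1.1.0/24, router 10.1.1.1, NAS 10.1.1.50 (constructed).
/ip firewall nat
# Ordinary internet access for the LAN.
add chain=srcnat out-interface=sfp1 action=masquerade comment="LAN -> internet"

# Port forward. in-interface=sfp1 would only match packets arriving from the internet, so LAN
# clients resolving the DDNS name to the WAN address would never hit it. dst-address-type=local
# matches whatever address the router currently holds, including the dynamic WAN one;
# dst-address=!10.1.1.0/24 keeps the router's own LAN-side port 443 (web UI) out of the rule.
add chain=dstnat dst-address-type=local dst-address=!10.1.1.0/24 protocol=tcp dst-port=443 action=dst-nat to-addresses=10.1.1.50 to-ports=5001 comment="external 443 -> NAS 5001"

# Hairpin. A LAN client that hits the rule above is sent to 10.1.1.50, but the NAS would reply
# directly to the client's LAN address; the client expects the reply from the WAN address and
# drops it. Masquerading the source on this one path makes the NAS answer via the router.
add chain=srcnat src-address=10.1.1.0/24 dst-address=10.1.1.50 protocol=tcp dst-port=5001 out-interface=bridge-local action=masquerade comment="hairpin NAT for the NAS"
```

The filter forward chain must also let the hairpinned connection through: an accept for connection-nat-state=dstnat that is not restricted to in-interface=sfp1 has to sit above the final drop. On the question of ordering from the earlier post: the web UI appends, but in the terminal `/ip firewall filter print` shows rule numbers and `/ip firewall filter move <rule> <destination>` reorders them, and Winbox allows drag-and-drop.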
 
I did write a simple tutorial for the firewall here:
http://www.snbforums.com/threads/mikrotik-configuration-example.30783/
Some of it can be applied to IPv6.
You can hijack DNS and use static local entries so that way even Google Chrome will follow.
I'm not so sure if the IP firewall also works for IPv6 as it has its own firewall.
 
When I set up VLANs I can choose a switch and a port. But even if I choose switch1, all the ports (eth1 - eth10) are available. Aren't ports assigned to switches, so that 1-5 is switch1 and 6-10 is switch2?
What is the meaning of switch setting?

I think I also don't understand the difference between:
Interfaces->VLAN and Switch->VLAN.
 
VLAN on interfaces is done on the CPU whereas VLAN on the switch is done on the switch chip and the CPU doesn't see it. So if you do VLAN on the switch you still have to address the individual interfaces in your rules, but if you do it on interfaces then you address the VLAN in your rules.

The ports are assigned to both switches and the CPU. To get a port to a switch simply set the other ports to use one port in that switch as a master port. I'm not sure why you're seeing all ports in the first switch.

If you go to System -> Routerboard -> Settings does it let you increase the frequency?
 
This router is harder to configure than I imagined, and there are times when I hate it so much, but at the end of the day it is great :).

What I didn't configure so far is VLAN and IPv6.

I spent some time on VLANs but without much luck (what I tried was to create a VLAN, assign it to a port, create a DHCP pool and assign it to the VLAN - I expected devices connected to that port to get IPs from that pool, but they didn't).

Before I try again, I'd like to first check what exactly is possible with VLANs. I know they separate traffic at layer 2.
I would like to use VLANs to separate guest network traffic and block it from accessing printers etc. It is now done at the Ubiquiti AP level (it allows only internet access to devices connected to the guest network). I also have a few Chromecasts - the guest network does not have access to them, but that is wrong. The Google Cast protocol needs devices to be in the same local network in order to work.

So I have two solutions:
1. Simpler one:
use static IPs for the Chromecasts and configure the Ubiquiti AP to allow access from the guest network to them (+ there is one multicast IP that should be allowed too). Do not use VLANs at all.

2. Not sure if this is possible:
use VLANs to separate the traffic, but give both VLANs addresses from the same subnet. The router would have to filter the traffic if it is coming between the same subnet but different VLANs.
 
IPv6 should be much easier.

Just use a tagged VLAN from the CPU all the way to the AP and have the AP terminate the VLAN there so guests don't need to add VLANs. A simple way to check if the VLAN is working is with the MikroTik bandwidth tester. Assign an IP address to both the physical and the VLAN interface, use the bandwidth tester and watch the traffic flowing through which interface in order to test. Even though you assign the VLAN to the port, both the port and the VLAN must have separate IP addresses. They can be the same and RouterOS won't complain, but that's for RouterOS, not your network. Assign the tagged VLAN to the master port of the switch.

It's as simple as assigning the VLAN value and using the service tag and using those same settings on the AP for the guest network. Check the AP to see if it can use any VLAN value or a specific one.

Once you have VLANs working it's up to you how you want to do your layer 3, but if you want to prevent communication between the 2 LANs you must either use static routes with unreachable or use the firewall filter to drop packets. The best way to check if the VLAN is working isn't to see if inter-LAN traffic is possible but whether traffic flows through the right interface based on the source. With the MikroTik bandwidth tester server running on the router (you need Windows on the client), have the client run a bandwidth test at a low limit like 5Mb/s for example to prevent full CPU use and monitor the interface traffic bandwidth in Winbox. 5Mb/s should make it clear which interface it is coming from. MikroTik RouterOS likes to make weirdly configured networks work, so you have to add those filters/routes to prevent communication.

When configuring your NAT you can use address lists and then use source address list and destination address list as !source address list. It's a step in preventing reverse NAT for intercommunication if you have multiple subnets, and it helps to put your configs into fewer rules using address lists if you have multiple IPs requiring the same config.
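The guest VLAN setup this exchange describes (tagged VLAN from the AP terminated on the CPU via the switch's master port, its own subnet and DHCP pool, firewall isolation with an address-list exception for the Chromecasts), as an added RouterOS example that is not code from either post or from MikroTik. It assumes the RouterOS 6 master-port switching that was current for this thread (6.41 and later replaced master-port with a hardware-offloaded bridge), switch1 = ether1-ether5 with ether1 as master, the AP on ether2, WAN = sfp1, home LAN = bridge-local on 10.1.1.0/24, VLAN id 20 and the 10.1.2.0/24 guest subnet and Chromecast addresses constructed.

```routeros
# Added example (not from the forum post). Assumed: RouterOS 6 master-port switching,
# switch1 = ether1-ether5 (ether1 master), AP on ether2, WAN = sfp1, home LAN = bridge-local
# 10.1.1.0/24, guest VLAN id 20 on 10.1.2.0/24, Chromecast addresses all constructed.
/interface ethernet
set ether2 master-port=ether1 comment="AP port, switched by switch1"
set ether3 master-port=ether1
set ether4 master-port=ether1
set ether5 master-port=ether1

/interface vlan
# Tagged frames from the AP pass through the switch chip untouched and are terminated on the
# CPU here, so the firewall sees guest traffic as its own interface.
add name=vlan-guest vlan-id=20 interface=ether1 comment="guest SSID, tagged by the AP"

/ip address
add address=10.1.2.1/24 interface=vlan-guest comment="guest gateway; the untagged side keeps its 10.1.1.x address"

/ip pool
add name=pool-guest ranges=10.1.2.100-10.1.2.200
/ip dhcp-server
add name=dhcp-guest interface=vlan-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=10.1.2.0/24 gateway=10.1.2.1 dns-server=10.1.2.1

/ip firewall address-list
add list=guest-reachable address=10.1.1.60 comment="Chromecast, static DHCP lease (constructed)"
add list=guest-reachable address=10.1.1.61 comment="second Chromecast (constructed)"

/ip firewall filter
# Place these above any generic LAN -> WAN accept; the last two rules do the isolation.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=vlan-guest dst-address-list=guest-reachable action=accept comment="guest -> listed devices only"
add chain=forward in-interface=vlan-guest out-interface=sfp1 action=accept comment="guest -> internet"
add chain=forward in-interface=vlan-guest action=drop comment="guest -> printers, NAS, rest of the LAN: dropped"
add chain=forward out-interface=vlan-guest connection-state=new action=drop comment="nothing initiates into the guest VLAN either"
```

The address list is what keeps the exception narrow: only the listed hosts are reachable from the guest subnet at layer 3, and adding a device means one address-list entry rather than a new filter rule. This controls routed traffic between the two subnets; whether a given application still discovers a device across subnets is a separate question from reachability.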
 
Thanks. That explained a lot about the VLAN configuration. However if they are in different subnets, it will cut the communication between the guest network and the Chromecasts.
 