RouterBoard is sufficient for most use cases. It can be the heart of your home lab, unless you pass a great amount of traffic that utilizes the whole throughput of the wires; in that case there are better product series, like CCR or CRSXXX.
The logic mentioned within this article also applies to the CCR series (at least as far as the VLAN configuration goes).
- Mikrotik device from the RouterBoard series - in this case RB951-2n (the configuration won’t change if one uses another product from the RB series)
- There is also an option to virtualize your networking layer by setting up EVE-NG; TheNetworkBerg details the setup in his YouTube video.
- There is a great chance you will cut yourself off from the device if you do not take care about the order of the steps. Compared to the CCR or CRS series, you have to be much more careful with the configuration steps. Use the safe mode within winbox and save the configuration frequently as you progress, so that it is easy to revert to its previous state when you run into a pitfall. There is no serial port; sometimes your only option is to reset the config to its defaults and restore the previous state from a backup.
- When you reset the device to its default configuration and apply the initial configuration coming from the vendor, it applies the firewall configuration. Bear in mind that within the configuration shown in this blog post you need to take care of the interface list assignments. This configuration guarantees that you get access to manage the device from vlan1342 and vlan1345, which are bound to ether2 and ether5. If this is not in place, the firewall rule which is assigned to the device by default will drop those frames, and you won’t get access.
By default, whoever wrote the initial script that is served to you took care of the bridge-level access, so you are safe until the point in time when you get rid of PVID 1 on the bridge. Frequently, those devices are just plugged in and someone assigns the DHCP server on top of the bridge (which also seems to be the default configuration), so all devices connected to the RouterBoard via the ethernet ports are within the same broadcast domain, and you can manage the device via winbox when you are connected to any of the RB ports within that bridge.
```
[user@rb951-2n] /interface list> export
# apr/13/2022 22:37:52 by RouterOS 6.48.6
#
# model = 951-2n
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge-all-vlans list=LAN
add comment=defconf interface=vlan70uplink list=WAN
add interface=vlan1342 list=LAN
add interface=vlan1345 list=LAN
```
I’m sure there are better ways (firewall rules); nevertheless, this way (by making a VLAN a member of the LAN list) you can also control whether the devices connected to a particular VLAN can or cannot manage the device. The VLANs assigned to the LAN list are the ones given a chance to manage the device. The following rule controls this:
```
[user@rb951-2n] /interface list> /ip firewall filter export
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
```
It works in combination with IP services, but the firewall rule still takes precedence, which means that if something is not allowed at the firewall level, the networks configured on IP services won’t change the behaviour. Those need to go hand in hand; maybe it’s even better not to configure any ranges here, but to keep the rules within the firewall.
```
[user@rb951-2n] /interface list> /ip service export
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# this rule allows you to get access from those subnets over ssh
set ssh address=10.0.134.0/24,10.2.134.0/24,10.3.134.0/24,10.4.134.0/24,10.5.134.0/24,10.44.134.0/24
set api disabled=yes
# this rule allows you to get access using winbox
set winbox address=10.0.134.0/24,10.2.134.0/24,10.3.134.0/24,10.4.134.0/24,10.5.134.0/24,10.44.134.0/24
set api-ssl disabled=yes
```
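To see how the LAN interface list and the `/ip service` allowlist combine, here is an added Python check (not part of the original post) that reads an export and reports, per interface, whether management traffic passes both layers. The function names `parse_export` and `management_access` are hypothetical, the export text is a constructed excerpt of the configuration on this page, and the check assumes the defconf "drop all not coming from LAN" rule is the only input-chain restriction on new connections.

```python
import ipaddress
import shlex

# Constructed sample: an excerpt of the export shown on this page.
EXPORT = """\
/interface list member
add comment=defconf interface=bridge-all-vlans list=LAN
add comment=defconf interface=vlan70uplink list=WAN
add interface=vlan1342 list=LAN
add interface=vlan1345 list=LAN
/ip address
add address=10.0.134.254/24 comment="bridge - LAN" interface=bridge-all-vlans
add address=10.2.134.254/24 interface=vlan1342
add address=10.3.134.254/24 interface=vlan1343
add address=10.4.134.254/24 interface=vlan1344
add address=10.5.134.254/24 interface=vlan1345
/ip service
set telnet disabled=yes
set ssh address=10.0.134.0/24,10.2.134.0/24,10.3.134.0/24,10.4.134.0/24,10.5.134.0/24
"""

def parse_export(text):
    """Group add/set lines by menu path; wrapped (backslash) lines are not handled."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and not line.startswith("#") and current is not None:
            item = {}
            for tok in shlex.split(line)[1:]:          # skip the add/set verb
                key, sep, value = tok.partition("=")
                item[key if sep else "_name"] = value if sep else tok
            current.append(item)
    return sections

def management_access(text, service):
    """Per interface: (in LAN list, subnet in service allowlist, both)."""
    cfg = parse_export(text)
    lan = {m["interface"] for m in cfg["/interface list member"] if m["list"] == "LAN"}
    svc = next(s for s in cfg["/ip service"] if s.get("_name") == service)
    # Assumption: an enabled service with no address= set accepts any source.
    nets = [] if svc.get("disabled") == "yes" else [
        ipaddress.ip_network(n) for n in svc.get("address", "0.0.0.0/0").split(",")]
    access = {}
    for addr in cfg["/ip address"]:
        subnet = ipaddress.ip_interface(addr["address"]).network
        in_lan = addr["interface"] in lan      # passes "drop all not coming from LAN"
        in_svc = any(subnet.subnet_of(n) for n in nets)
        access[addr["interface"]] = (in_lan, in_svc, in_lan and in_svc)
    return access

if __name__ == "__main__":
    for iface, flags in management_access(EXPORT, "ssh").items():
        print(iface, flags)
```

For vlan1343 and vlan1344 the subnet is present in the ssh allowlist, yet the interface is not a LAN list member, so the firewall drops the connection before the service allowlist is ever consulted.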
- DHCP Server / Networks - the Network and Netmask entries are crucial; use the CIDR notation. The winbox interface allows you to configure it without the netmask entry, and it won’t throw any error. My experience is that it won’t assign the IP addresses properly to the devices connected within the VLANs until the netmask field is configured properly. The DHCP servers run on VLAN interfaces.
```
[user@rb951-2n] /interface list> /ip dhcp-server network export
add address=10.5.134.0/24 dns-server=18.104.22.168,22.214.171.124 gateway=10.5.134.254 netmask=24
```
- Strive towards a configuration where you get access to manage the device over winbox or ssh from one of the VLANs. Once you get there, you are good to go with getting rid of PVID 1 on the bridge and configuring the VLAN on the last interface which gave you control to manage the device. (This condition applies when you are connecting to the Mikrotik device using the IP, not the MAC - with MAC connectivity, there is a tip to prevent frequent disconnections somewhere on the NetworkBerg channel; I cannot recall the fix now.)
- When you run PVID 1 on your bridge, one of the DHCP servers runs on the bridge interface as well, and all remaining DHCP servers, which are meant to serve the clients connected to the ethernet interfaces of the device, run on top of VLAN interfaces.
- The modification of the bridge PVID needs to be done last, otherwise there is a great chance of a cut-off.
- Correct me if I am wrong; nevertheless, hardware offloading with VLANs won’t work with the RB series when it acts as an L3 device. This assumption comes from the Mikrotik table and its Bridge VLAN Filtering column
```
[user@rb951-2n] > /interface ethernet switch print
Flags: I - invalid
 #   NAME      TYPE           MIRROR-SOURCE   MIRROR-TARGET   SWITCH-ALL-PORTS
 0   switch1   Atheros-7240   none            none
```
as well as from the fact that when you assign the PVID, the H disappears from here (which means to me that the CPU is handling the traffic and there is no switch chip offload to take the load off the CPU). If you need it, use the CRS3XX series.
```
[user@rb951-2n] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #     INTERFACE   BRIDGE             HW    PVID   PRIORITY   PATH-COST   INTERNAL-PATH-COST   HORIZON
 0 I   ;;; defconf
       ether2      bridge-all-vlans   yes   1342   0x80       10          10                   none
 1     ;;; defconf
       ether3      bridge-all-vlans   yes   1343   0x80       10          10                   none
 2 I   ;;; defconf
       ether4      bridge-all-vlans   yes   1344   0x80       10          10                   none
 3     ;;; defconf
       ether5      bridge-all-vlans   yes   1345   0x80       10          10                   none
 4 XI  ;;; defconf
       wlan1       bridge-all-vlans         1      0x80       10          10                   none
 5     ;;; uplink
       ether1      bridge-all-vlans   no    70     0x80       10          10                   none
```
and the configuration export:
```
[user@rb951-2n] > /interface bridge port export
/interface bridge port
add bridge=bridge-all-vlans comment=defconf interface=ether2 pvid=1342
add bridge=bridge-all-vlans comment=defconf interface=ether3 pvid=1343
add bridge=bridge-all-vlans comment=defconf interface=ether4 pvid=1344
add bridge=bridge-all-vlans comment=defconf interface=ether5 pvid=1345
add bridge=bridge-all-vlans comment=defconf disabled=yes interface=wlan1
add bridge=bridge-all-vlans comment=uplink hw=no interface=ether1 pvid=70
```
- If you are interested in the CPU utilization, it can be quickly checked by making use of tools -> profile; it is much more specific than the system resource.
```
/tool profile duration=30
/system resource print
```
- ip routes - I’ve stumbled upon a quirk where the gateway for the dynamic route was not correct; for some reason it was automatically pointing to .1, when in my network topology it was .254.
```
[user@rb951-2n] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS      PREF-SRC       GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                       10.0.70.254               1
 1  DS  0.0.0.0/0                       10.0.70.254               1
 2 ADC  10.0.70.0/24     10.0.70.253    vlan70uplink              0
 3 ADC  10.0.134.0/24    10.0.134.254   bridge-all-vlans          0
 4 ADC  10.2.134.0/24    10.2.134.254   vlan1342                  0
 5 ADC  10.3.134.0/24    10.3.134.254   vlan1343                  0
 6 ADC  10.4.134.0/24    10.4.134.254   vlan1344                  0
 7 ADC  10.5.134.0/24    10.5.134.254   vlan1345                  0
```
- ip routes - because of that inconvenience with the wrong gateway, a manual configuration was done so that Dst. Address 0.0.0.0/0 goes via gateway 10.0.70.254. In the code below you can also observe that one extra route is added for one of the networks reachable via the OpenVPN tunnel.
```
[user@rb951-2n] > /ip route export
/ip route
add distance=1 gateway=10.0.70.254
add comment="network which due to the topology can not be recognized automatically and you need to configure it manually" distance=1 dst-address=172.16.134.0/24 gateway=ovpn
```
- ip firewall service-port - if there is a VoIP phone among the connected devices, the SIP-ALG should be disabled to make the SIP streams work properly.
```
[user@rb951-2n] > /ip firewall service-port export
/ip firewall service-port
set sip sip-direct-media=no
```
- Once you have a running configuration, it is great material for studying which elements are the prerequisites for the further blocks built on top of them. If you try configuring things the other way around, or you simply do not know the relations between them, it’s much harder to progress.
I’m sure there are better ways of achieving this result; nevertheless, this configuration worked for me.
- on top of it you can put your firewall rules, as well as try to harden the device configuration, as per the best practices shared on the Internet.
- Apart from VLANs there are also other virtual interfaces which can be configured on the device, like pppoe and ovpn.
```
[user@rb951-2n] > /export
# apr/13/2022 22:37:52 by RouterOS 6.48.6
# model = 951-2n
/interface bridge
add admin-mac=(MAC-ADDRESS-OF-THE-BRIDGE) auto-mac=no comment=defconf name=bridge-all-vlans pvid=1345 vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=poland distance=indoors frequency=auto installation=indoor mode=ap-bridge \
    ssid=rb951-2n wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment=uplink
/interface vlan
add interface=bridge-all-vlans name=vlan70uplink vlan-id=70
add disabled=yes interface=bridge-all-vlans name=vlan404mgmt vlan-id=404
add interface=bridge-all-vlans name=vlan1342 vlan-id=1342
add interface=bridge-all-vlans name=vlan1343 vlan-id=1343
add interface=bridge-all-vlans name=vlan1344 vlan-id=1344
add interface=bridge-all-vlans name=vlan1345 vlan-id=1345
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_bridge-all-vlans ranges=10.0.134.200-10.0.134.253
add name=dhcp_vlan1342 ranges=10.2.134.201-10.2.134.253
add name=dhcp_vlan1343 ranges=10.3.134.201-10.3.134.253
add name=dhcp_vlan1344 ranges=10.4.134.201-10.4.134.253
add name=dhcp_vlan1345 ranges=10.5.134.201-10.5.134.253
add name=dhcp_vlan404 ranges=10.44.134.201-10.44.134.253
/ip dhcp-server
add address-pool=dhcp_bridge-all-vlans interface=bridge-all-vlans lease-time=12h name=dhcpServer-bridge
add address-pool=dhcp_vlan404 interface=vlan404mgmt lease-time=2h name=dhcp-vlan404
add address-pool=dhcp_vlan1342 disabled=no interface=vlan1342 lease-time=8h name=dhcp-vlan1342
add address-pool=dhcp_vlan1343 disabled=no interface=vlan1343 lease-time=8h name=dhcp-vlan1343
add address-pool=dhcp_vlan1344 disabled=no interface=vlan1344 lease-time=8h name=dhcp-vlan1344
add address-pool=dhcp_vlan1345 disabled=no interface=vlan1345 lease-time=8h name=dhcp-vlan1345
/interface bridge port
add bridge=bridge-all-vlans comment=defconf interface=ether2 pvid=1342
add bridge=bridge-all-vlans comment=defconf interface=ether3 pvid=1343
add bridge=bridge-all-vlans comment=defconf interface=ether4 pvid=1344
add bridge=bridge-all-vlans comment=defconf interface=ether5 pvid=1345
add bridge=bridge-all-vlans comment=defconf disabled=yes interface=wlan1
add bridge=bridge-all-vlans comment=uplink hw=no interface=ether1 pvid=70
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge-all-vlans disabled=yes untagged=bridge-all-vlans,ether4 vlan-ids=404
# vlan70 is tagged on ether1 which is the uplink
add bridge=bridge-all-vlans tagged=bridge-all-vlans,ether1 vlan-ids=70
# if the uplink is untagged then the ether1 should be untagged
#add bridge=bridge-all-vlans tagged=bridge-all-vlans untagged=ether1 vlan-ids=70
add bridge=bridge-all-vlans tagged=bridge-all-vlans untagged=ether2 vlan-ids=1342
add bridge=bridge-all-vlans tagged=bridge-all-vlans untagged=ether3 vlan-ids=1343
add bridge=bridge-all-vlans tagged=bridge-all-vlans untagged=ether4 vlan-ids=1344
add bridge=bridge-all-vlans tagged=bridge-all-vlans untagged=ether5 vlan-ids=1345
/interface list member
add comment=defconf interface=bridge-all-vlans list=LAN
add comment="this is for the usecase when your uplink serves you tagged vlan" interface=vlan70uplink list=WAN
add comment="this allows the vlan1342 to manage the device via winbox and ssh, if you remove this, devices from this vlan can not do it anymore" interface=\
    vlan1342 list=LAN
add comment="this allows the vlan1345 to manage the device via winbox and ssh" interface=vlan1345 list=LAN
/ip address
add address=10.0.134.254/24 comment="bridge - LAN" interface=bridge-all-vlans network=10.0.134.0
add address=10.44.134.254/24 disabled=yes interface=vlan404mgmt network=10.44.134.0
add address=10.2.134.254/24 interface=vlan1342 network=10.2.134.0
add address=10.3.134.254/24 interface=vlan1343 network=10.3.134.0
add address=10.4.134.254/24 interface=vlan1344 network=10.4.134.0
add address=10.5.134.254/24 interface=vlan1345 network=10.5.134.0
/ip dhcp-client
add comment=uplink disabled=no interface=vlan70uplink use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.5.134.253 client-id=1:(DEVICE-MAC-ADDRESS) comment=device mac-address=(DEVICE-MAC-ADDRESS) server=dhcp-vlan1345
/ip dhcp-server network
add address=10.0.134.0/24 comment=\
    "the bridge vlan PVID has been changed from 1, so it goes hand in hand with the VLAN ID on the ether port, this entry can be removed" dns-server=126.96.36.199,188.8.131.52 gateway=10.0.134.254 netmask=24 ntp-server=184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124
add address=10.44.134.0/24 comment="as the vlan404 is disabled, this entry can be removed" gateway=10.44.134.254 netmask=24
add address=10.5.134.248/32 comment="static reservation for - Cisco SPA502G - with different set of DNS servers" dns-server=126.96.36.199,188.8.131.52 gateway=10.5.134.254 netmask=24 ntp-server=184.108.40.206,220.127.116.11
add address=10.2.134.0/24 dns-server=18.104.22.168,22.214.171.124 gateway=10.2.134.254 netmask=24 ntp-server=126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11
add address=10.3.134.0/24 dns-server=18.104.22.168,22.214.171.124 gateway=10.3.134.254 netmask=24 ntp-server=126.96.36.199,188.8.131.52,184.108.40.206,220.127.116.11
add address=10.4.134.0/24 dns-server=18.104.22.168,22.214.171.124 gateway=10.4.134.254 netmask=24
add address=10.5.134.0/24 dns-server=126.96.36.199,188.8.131.52 gateway=10.5.134.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=184.108.40.206,220.127.116.11
/ip dns static
add address=10.0.45.254 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip sip-direct-media=no
set pptp disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=10.0.70.254
add comment="network which due to the topology can not be recognized automatically and you need to configure it manually" distance=1 dst-address=172.16.134.0/24 gateway=ovpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.134.0/24,10.2.134.0/24,10.3.134.0/24,10.4.134.0/24,10.5.134.0/24,10.44.134.0/24
set api disabled=yes
set winbox address=10.0.134.0/24,10.2.134.0/24,10.3.134.0/24,10.4.134.0/24,10.5.134.0/24,10.44.134.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=rb951-2n
/system ntp client
set enabled=yes primary-ntp=18.104.22.168 secondary-ntp=22.214.171.124 server-dns-names=126.96.36.199,188.8.131.52
/system package update
set channel=long-term
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```
This was tested on RouterOS 6.48.6. Device model 951-2n.
Last update: 2022.04.13