I've been working with a Cisco switch and the commands are very simple;
e.g. vlan 100 (will add a VLAN called 100)
interface 1/0/1 vlan 100 (will assign the vlan 100 to the port)
It seems Mikrotik isn't the same. I don't have a Mikrotik switch, but the commands given to me are:
//add name=vlan200 interface=ether2 vlan-id=200
//add ports=switch1-cpu, ethernet vlan-id=200 learn=yes
These seem overly complex. Are these the correct commands? Does any Mikrotik guru know where I can test the commands without a switch?
So I've found the answer, after managing to obtain a Mikrotik switch. There is a great class for connecting to the MK command prompt - it's linked here: API in C Sharp
The commands are:
/interface ethernet switch vlan add switch="[yourswitch]" vlan-id="[yourvlan]" ports="[porttoassign]"
To assign the port:
/interface ethernet switch port set [yourport] vlan-mode=secure vlan-header=always-strip default-vlan-id=[yourvlan]
If you are using the MK class you need to write it separately. It looks more like this:
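MK mikrotik = new MK("192.168.188.1");
// Example address and credentials from the post; substitute your own.
if (mikrotik.Login("admin", "admin"))
{
    // Each API word is sent separately; the command path uses "/" instead of spaces.
    mikrotik.Send("/interface/ethernet/switch/vlan/add");
    mikrotik.Send("=switch=switch1");
    mikrotik.Send("=vlan-id=333");
    // The second argument (true) marks the last word of the sentence.
    mikrotik.Send("=ports=ether4", true);
    // Print the router's reply.
    foreach (string h in mikrotik.Read())
    {
        Console.WriteLine(h);
    }
}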
There are several ways to use VLANs on Mikrotik depending on the device: whether it is a router or a switch, and whether the switch can do hardware offloading or not. In the Mikrotik Wiki you'll find detailed information.
The simplest way I found to manage the VLANs is:
- Create a bridge with all the interfaces you want to manage (trunk and access ports)
- Create the VLANs you want
- Add the ports to the bridge port, setting a pvid if they are access ports
- Add the ports to the bridge vlan, allowing the VLANs you want
Here is the Mikrotik code, with an example with two VLANs, 10 and 20: one access port per VLAN (ether1 and ether2) and one trunk port on ether4 passing both VLANs.
Be careful, and make sure you have at least one port without VLANs or a serial cable to access the device if something goes wrong.
/interface bridge
add name=bridge-vlans vlan-filtering=yes
/interface vlan
add interface=bridge-vlans name=private-users-vlan vlan-id=10
add interface=bridge-vlans name=public-users-vlan vlan-id=20
/interface bridge port
add bridge=bridge-vlans comment="Access port on vlan10" interface=ether1 pvid=10
add bridge=bridge-vlans comment="Access port on vlan20" interface=ether2 pvid=20
add bridge=bridge-vlans comment="Trunk port vlan 10&20" interface=ether4
/interface bridge vlan
add bridge=bridge-vlans tagged=bridge-vlans,ether4 untagged=ether1 vlan-ids=10
add bridge=bridge-vlans tagged=bridge-vlans,ether4 untagged=ether2 vlan-ids=20
If your device is a router and you want a DHCP server on a VLAN you have to:
- Set the VLAN interface as the interface in the DHCP server
- Assign an IP address to the VLAN interface (as with any other interface)
Here is the Mikrotik code:
/ip dhcp-server
add address-pool=private-ips disabled=no interface=private-users-vlan lease-time=2h name=private-dhcp
add address-pool=public-ips disabled=no interface=public-users-vlan lease-time=2h name=public-dhcp
/ip address
add address=192.168.1.1/24 interface=private-users-vlan
add address=192.168.2.1/24 interface=public-users-vlan
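An added example (not part of the original answer): a small Python check that parses the bridge port and bridge vlan sections of a RouterOS export and flags inconsistencies in the access/trunk layout described above, since a wrong VLAN table entry either drops traffic or puts a port in a VLAN it should not be in. The sample export is constructed; treating every port without a pvid as a trunk for all listed VLANs, and one VLAN ID per entry, are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample export (not from a real device). ether1/ether2 are access
# ports and ether4 is the trunk, but the VLAN 10 entry tags ether1 instead.
SAMPLE = """\
/interface bridge port
add bridge=bridge-vlans comment="Access port on vlan10" interface=ether1 pvid=10
add bridge=bridge-vlans interface=ether2 pvid=20
add bridge=bridge-vlans interface=ether4
/interface bridge vlan
add bridge=bridge-vlans tagged=bridge-vlans,ether1 untagged=ether1 vlan-ids=10
add bridge=bridge-vlans tagged=bridge-vlans,ether4 untagged=ether2 vlan-ids=20
"""

def parse(export):
    """Return {menu path: [dict of key=value pairs per 'add' line]}."""
    menus, path = defaultdict(list), None
    for line in map(str.strip, export.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            menus[path].append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return menus

def members(entry, key):
    return {p for p in entry.get(key, "").split(",") if p}

def lint(export):
    """List inconsistencies between bridge port roles and the bridge VLAN table."""
    menus = parse(export)
    ports = menus["/interface bridge port"]
    access = {p["interface"]: p["pvid"] for p in ports if "pvid" in p}
    # Assumption: a port added without pvid is a trunk for every VLAN listed.
    trunks = [p["interface"] for p in ports if "pvid" not in p]
    findings = []
    for v in menus["/interface bridge vlan"]:
        vid, tagged, untagged = v["vlan-ids"], members(v, "tagged"), members(v, "untagged")
        for port in sorted(tagged & untagged):
            findings.append(f"vlan {vid}: {port} is both tagged and untagged")
        for port in trunks:
            if port not in tagged:
                findings.append(f"vlan {vid}: trunk {port} is not tagged")
        for port in sorted(untagged):
            if access.get(port) != vid:  # RouterOS default pvid is 1
                findings.append(f"vlan {vid}: untagged {port} has pvid {access.get(port, '1')}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```

Running it against a saved export before enabling vlan-filtering gives a chance to catch a mistake while the device is still reachable.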
There is no need to use the switch in Mikrotik to accomplish that.
You can create a VLAN interface on a specific port like this:
int vlan add vlan-id=1 interface=ether1 use-service-tag=yes
* With the use-service-tag=yes option it acts like switch port access vlan1
* Without it or with use-service-tag=no it acts like a trunk port allowing vlan1
I have an RB750 with the following setup:
- Interface 1 = WAN static IP
- Interface 2 = Static IP from a LAN network (LAN provided by another FW)
- MK as an IPSec/L2TP working well providing to clients the subnet x.x.x.x
I would like to redirect all traffic from VPN clients to the LAN network provided on Interface 2.
I mean: the user sets up the VPN on his computer successfully; when connected, they need to access the server z.z.z.z located inside the network provided on Interface 2.
Any ideas how to configure it?
You don't provide much information, but if I'm not wrong
you can try NAT, for example:
/ip firewall nat add chain=srcnat action=masquerade out-interface="your Interface 2" src-address="your l2tp subnet x.x.x.x"
I need to set up a solution for routing specific TCP/UDP packets between the devices in two separate VLANs through a proxy server. E.g.: all my computers are connected to one VLAN (1) and my printers are on another VLAN (2). I can reroute all the packets from VLAN (1) to VLAN (2). My objective is to only reroute packets which are generated for printers in VLAN (2) from computers in VLAN (1).
Is there any way in Layer 3 routing for achieving this?
Normal routing is based on the destination IP address. If you need to select routes based on source IP address or source/destination port numbers you require policy-based routing.
What you're describing though is simple, destination-based routing. Just add a route to VLAN 2 on your default gateway (or connect it directly) and you're set. (Obviously, the printers in VLAN 2 need to have a route back as well.)
If you want to limit the routed protocols to the printing specific ones or filter by source address you need to use a firewall or switch/router ACLs.
I have a Mikrotik.
Not far away from home there are people who have a hotspot network via Mikrotik.
I want to log in from the Mikrotik system because I use it for some people.
topology like this:
Mikrotik[with Hotspot system] --> My Mikrotik [Log in And Share] --> My PC
First Mikrotik : RB1200 (belongs to someone else)
Last Mikrotik : RB951Ui (my own)
If your Mikrotik has an internet connection, you can use the Cloud feature on your Mikrotik.
IP -> Cloud, then tick DDNS Enable.
*) For some reference :
https://wiki.mikrotik.com/wiki/Manual:IP/Cloud
Did you mean to share the hotspot connection with your own Mikrotik?
So the topology will be like this.
Mikrotik Outside [With Hotspot] --[By Cable or Wifi] -- eth1 Your Own Mikrotik
The main parameters are like this.
Set your own Mikrotik's DNS to the Mikrotik Outside IP address.
/ip dns set allow-remote-requests=yes servers=1.2.3.4
IP 1.2.3.4 is the Mikrotik Outside IP
And make sure your own Mikrotik's gateway is set to the same server too.
/ip route add gateway=1.2.3.4
Don't forget to add some NAT:
/ip firewall nat add out-interface=eth1 chain=srcnat action=masquerade
Hope it helps!
I have a MacBook, connected with both ethernet and wifi.
A site (let's call it facebook) is blocked on one of the interfaces (ethernet)
but is open on the other (wifi). On the other hand, eth is better (faster and more reliable than the wifi), so I use eth as the priority interface (on top of network preferences), but this way there is no access to the blocked site.
I would like to know if there is a way to tell the operating system, browser or other
software components that it must use the wifi connection if and only if a connection on :80 over eth fails. This would be perfect... or any other means to solve the problem.
Is it a matter of configuring a proper proxy?
Thanks in advance.
You could modify the routing table to pass traffic to a given host or network through a chosen gateway.
List your routing table:
$ netstat -rn
Routing tables
Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.0.0.1           UGSc           15        0     en0
default            192.168.0.1        UGScI           1        0     en1
[...]
In this case en1 is wifi. So to use wifi connection to a host x.x.x.x, route traffic to this host through 192.168.0.1 gateway:
sudo route add -host x.x.x.x 192.168.0.1
Or, better, add a route for the entire network used by the given service:
sudo route add -net x.x 192.168.0.1
The downside is that it may be difficult to determine an ultimate list of IPs, networks used by the service.
See man route.
I hope this isn't too basic a question. The title kind of asks it all. :-)
The ping command will allow strict source routing so you can specify the default gateway to use on the way out. (This assumes your interfaces have distinct gateways i.e. are on different networks)
ping -k 192.169.1.1 microsoft.com
        ^ default gateway for desired interface
Using WMI Win32_PingStatus you can do the same thing where you specify SourceRoute and SourceRouteType (This is essentially the same as using ping -k)
Alternatively:
If your network interfaces are on the same network, like a LAN card and a wireless adapter,
you can add a custom ROUTE to your machine, which can send all traffic through a specific interface.
From ROUTE HELP:
route ADD 207.46.0.0 MASK 255.255.0.0 192.168.1.1 METRIC 3 IF 2
        destination^      ^mask       ^gateway     metric^    ^
                                                     Interface^
ping also has an option in Windows:
-S srcaddr Source address to use.
So you can do something like
ping 10.10.10.1 -l 0 -S 192.168.1.1
where 10.10.10.1 is the destination address and 192.168.1.1 is the address of the source adapter