mikrotik 1

This commit is contained in:
2025-04-15 19:04:23 +02:00
parent 87fd3c39b9
commit bba9247f3e


@ -0,0 +1,69 @@
<!--
title: Configuring a Mikrotik Router
date: 2025-04-15
-->
# Configuring a Mikrotik Router
Experiments have been made on a hEX S, RB760iGS, in the final deployment a CCR2004-1G-12S+2XS will be used.
Setup is
- FFTH connection
- Several VLANs for
- Intranet (highly protected, for laptops, mobile phones, printer, scanner, NAS, ..., access from here to more or less everywhere, no access at all into this network)
- Guest net (just access to the Internet, no access into this network)
- IoT network (all IoT devices are here, no access to the Internet (to avoid calling-home of devices), access from Intranet is allowed)
- TV network (TVs, Alexas, ..., access to the Internet)
- Network for Kubernetes cluster hosting several public and private services, restricted access from the Internet)
- Network for time servers, restricted access from the Internet)
## First Challenge: Internet Connection using FTTH
I'm using a GPON module, plugged into the SFP cage.
First step, to establish an "Ethernet" connection to the provider:
```
/interface/vlan
add comment="2. Layer for Telekom FTTH" interface=sfp1 name=telekom-layer2 vlan-id=7
```
Important: the serial number of the GPON module shall be communicated to the provider (here: Telekom). It will be used as a first authentication layer. Wrong serial number: no connection.
Second step, PPPoE:
```
/interface/pppoe-client
add comment="3. Layer for Telekom FTTH" interface=telekom-layer2 name=telekom-layer3 user=XXX password=YYY
```
Here, the earlier created VLAN interface `telekom-layer2` to used.
The username is the concatenation of _Anschlusskennung_, _Zugangsnummer_, _Mitbenutzernummer_ and `@t-online.de`.
The password is the _Persönliches Kennwort_.
The configuration establishes the connection to the provider. You can check it in `/ip/address`, here you should see a dynamically assigned address to the interface `telekom-layer3`.
However, this is just the connection, to get to the Internet via this connection a route, in particular a default route is required.
```
add dst-address=0.0.0.0/0 gateway=telekom-layer3
```
Additional a masquarading rule in the firewall configuration is required:
```
add action=masquerade chain=srcnat comment="nat on wan" log-prefix=masq out-interface=telekom-layer3
```
And finally a DNS server (I was a bit surprised that it was not configured dynamically.):
```
add dns-servers=8.8.8.8 name=default
```
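Review bot: the last three snippets (`add dst-address=0.0.0.0/0 gateway=telekom-layer3`, `add action=masquerade chain=srcnat ...`, `add dns-servers=8.8.8.8 name=default`) omit the RouterOS menu path, while the first two spell it out (`/interface/vlan`, `/interface/pppoe-client`); pasted into a terminal they run in whatever menu the reader happens to be in, so each should be prefixed the same way, `/ip/route` before the default-route line and `/ip/firewall/nat` before the masquerade rule, and the DNS line should name its menu, since `dns-servers=... name=default` on its own does not identify one. Two smaller points: the masquerade rule is the only firewall rule in the lines shown, while the introduction promises "no access at all" into the intranet and "restricted access from the Internet" for the cluster and time-server networks, so the `chain=input` and `chain=forward` filter rules for `telekom-layer3` that enforce this should appear (or be referenced) next to the NAT rule rather than be left implicit; and the prose has a few typos: "masquarading" should be "masquerading", "Additional a" should be "Additionally, a", and "to used" should be "is used".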