From bba9247f3ec2ba9b9987c8adf21f8ef50a57c12f Mon Sep 17 00:00:00 2001 From: Wolfgang Hottgenroth Date: Tue, 15 Apr 2025 19:04:23 +0200 Subject: [PATCH] mikrotik 1 --- .../snippets/0250-configuring-a-mikrotik.md | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 content/snippets/0250-configuring-a-mikrotik.md diff --git a/content/snippets/0250-configuring-a-mikrotik.md b/content/snippets/0250-configuring-a-mikrotik.md new file mode 100644 index 0000000..faa8a49 --- /dev/null +++ b/content/snippets/0250-configuring-a-mikrotik.md 
@@ -0,0 +1,69 @@ + + +# Configuring a Mikrotik Router + +Experiments have been made on a hEX S, RB760iGS, in the final deployment a CCR2004-1G-12S+2XS will be used. + +Setup is +- FFTH connection +- Several VLANs for + - Intranet (highly protected, for laptops, mobile phones, printer, scanner, NAS, ..., access from here to more or less everywhere, no access at all into this network) + - Guest net (just access to the Internet, no access into this network) + - IoT network (all IoT devices are here, no access to the Internet (to avoid calling-home of devices), access from Intranet is allowed) + - TV network (TVs, Alexas, ..., access to the Internet) + - Network for Kubernetes cluster hosting several public and private services, restricted access from the Internet) + - Network for time servers, restricted access from the Internet) + +## First Challenge: Internet Connection using FTTH + +I'm using a GPON module, plugged into the SFP cage. + +First step, to establish an "Ethernet" connection to the provider: + +``` +/interface/vlan +add comment="2. Layer for Telekom FTTH" interface=sfp1 name=telekom-layer2 vlan-id=7 +``` + +Important: the serial number of the GPON module shall be communicated to the provider (here: Telekom). It will be used as a first authentication layer. Wrong serial number: no connection. + +Second step, PPPoE: + +``` +/interface/pppoe-client +add comment="3. Layer for Telekom FTTH" interface=telekom-layer2 name=telekom-layer3 user=XXX password=YYY +``` + +Here, the earlier created VLAN interface `telekom-layer2` to used. + +The username is the concatenation of _Anschlusskennung_, _Zugangsnummer_, _Mitbenutzernummer_ and `@t-online.de`. + +The password is the _Persönliches Kennwort_. + +The configuration establishes the connection to the provider. You can check it in `/ip/address`, here you should see a dynamically assigned address to the interface `telekom-layer3`. 
+ +However, this is just the connection, to get to the Internet via this connection a route, in particular a default route is required. + +``` +add dst-address=0.0.0.0/0 gateway=telekom-layer3 +``` + +Additional a masquarading rule in the firewall configuration is required: + +``` +add action=masquerade chain=srcnat comment="nat on wan" log-prefix=masq out-interface=telekom-layer3 +``` + +And finally a DNS server (I was a bit surprised that it was not configured dynamically.): + +``` +add dns-servers=8.8.8.8 name=default +``` + + + + +
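Review bot: The last three RouterOS snippets in this hunk (the default route, the masquerade rule and the DNS server) are missing the menu path that the first two snippets do carry (`/interface/vlan`, `/interface/pppoe-client`), so `add dst-address=0.0.0.0/0 gateway=telekom-layer3` and `add action=masquerade chain=srcnat ...` cannot be pasted into a terminal as written; please prefix each block with its menu (`/ip/route` and `/ip/firewall/nat` for the first two, and the menu the `dns-servers=` command belongs to for the third) so the page stays reproducible. Since `add-default-route` and `use-peer-dns` are existing options of the RouterOS pppoe-client, it may also be worth saying whether they were deliberately left off, as that would explain why the route and the DNS server had to be added by hand. Minor wording in the markdown: "FFTH connection" should be "FTTH connection", "to used" should be "is used", "masquarading" should be "masquerading", and "Additional a ... rule" should be "Additionally, a ... rule".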