minimal-setups/content/snippets/0250-configuring-a-mikrotik.md
Wolfgang Hottgenroth 54487a35ab
Mikrotik, 3
2025-04-15 19:11:42 +02:00

Configuring a Mikrotik Router

Experiments were made on a hEX S (RB760iGS); in the final deployment a CCR2004-1G-12S+2XS will be used.

The setup is:

  • FTTH connection
  • Several VLANs for
    • Intranet (highly protected; for laptops, mobile phones, printer, scanner, NAS, ...; access from here to more or less everywhere, no access at all into this network)
    • Guest network (just access to the Internet, no access into this network)
    • IoT network (all IoT devices are here; no access to the Internet, to prevent devices from calling home; access from the Intranet is allowed)
    • TV network (TVs, Alexas, ...; access to the Internet)
    • Network for a Kubernetes cluster hosting several public and private services (restricted access from the Internet)
    • Network for time servers (restricted access from the Internet)

First Challenge: Internet Connection using FTTH

I'm using a GPON module, plugged into the SFP cage.

First step: establish an "Ethernet" connection to the provider:

```
/interface/vlan
add comment="2. Layer for Telekom FTTH" interface=sfp1 name=telekom-layer2 vlan-id=7
```

Important: the serial number of the GPON module must be communicated to the provider (here: Telekom). It is used as a first authentication layer. Wrong serial number: no connection.

Second step: PPPoE:

```
/interface/pppoe-client
add comment="3. Layer for Telekom FTTH" interface=telekom-layer2 name=telekom-layer3 user=XXX password=YYY
```

Here, the VLAN interface telekom-layer2 created earlier is used.

The username is the concatenation of Anschlusskennung, Zugangsnummer, Mitbenutzernummer and @t-online.de.

The password is the Persönliches Kennwort.

This configuration establishes the connection to the provider. You can check it under /ip/address, where you should see a dynamically assigned address on the interface telekom-layer3.

However, this only establishes the connection; to reach the Internet through it a route is required, in particular a default route:

```
/ip/route
add dst-address=0.0.0.0/0 gateway=telekom-layer3
```

Additionally, a masquerading rule in the firewall configuration is required:

```
/ip/firewall/nat
add action=masquerade chain=srcnat comment="nat on wan" log=no log-prefix=masq out-interface=telekom-layer3
```

And finally a DNS server (I was a bit surprised that it was not configured dynamically.):

```
# menu path not given in the original note; assumed from the parameter names
/ip/dns/forwarders
add dns-servers=8.8.8.8 name=default
```
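To verify that the pieces above fit together, here is an added check (not part of the original note) that parses a constructed export in the shape of these commands and flags a missing VLAN, a missing default route, or a masquerade rule that is not restricted to the WAN interface, which would otherwise also rewrite routed traffic between the internal VLANs. The sample export is constructed from the commands in this note, not captured from a device.

```python
import re

# Constructed sample export, modelled on the commands in this note (not a capture from a real device).
SAMPLE_EXPORT = """\
/interface/vlan
add comment="2. Layer for Telekom FTTH" interface=sfp1 name=telekom-layer2 vlan-id=7
/interface/pppoe-client
add comment="3. Layer for Telekom FTTH" interface=telekom-layer2 name=telekom-layer3 user=XXX password=YYY
/ip/route
add dst-address=0.0.0.0/0 gateway=telekom-layer3
/ip/firewall/nat
add action=masquerade chain=srcnat comment="nat on wan" log=no log-prefix=masq out-interface=telekom-layer3
"""

# key=value or key="quoted value" tokens on an 'add' line
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_export(text):
    """Return (menu, params) pairs for every 'add' line, keyed by the preceding menu path."""
    entries, menu = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            params = {k: v.strip('"') for k, v in TOKEN.findall(line[4:])}
            entries.append((menu, params))
    return entries

def check_wan(entries, wan="telekom-layer3"):
    """Return a list of findings; an empty list means the WAN chain from this note is complete."""
    by_menu = {}
    for menu, params in entries:
        by_menu.setdefault(menu, []).append(params)
    findings = []
    pppoe = [p for p in by_menu.get("/interface/pppoe-client", []) if p.get("name") == wan]
    if not pppoe:
        findings.append(f"no pppoe-client named {wan}")
    else:
        vlan = pppoe[0].get("interface")
        if not any(v.get("name") == vlan for v in by_menu.get("/interface/vlan", [])):
            findings.append(f"pppoe-client {wan} references missing VLAN interface {vlan}")
    if not any(r.get("dst-address") == "0.0.0.0/0" and r.get("gateway") == wan
               for r in by_menu.get("/ip/route", [])):
        findings.append(f"no default route via {wan}")
    masq = [n for n in by_menu.get("/ip/firewall/nat", [])
            if n.get("chain") == "srcnat" and n.get("action") == "masquerade"]
    if not masq:
        findings.append("no srcnat masquerade rule")
    for n in masq:
        if n.get("out-interface") != wan:
            # an unrestricted masquerade also rewrites routed traffic between the internal VLANs
            findings.append(f"masquerade rule not restricted to out-interface={wan}")
    return findings
```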