Configuring a Mikrotik Router
Experiments have been made on a hEX S, RB760iGS, in the final deployment a CCR2004-1G-12S+2XS will be used.
The setup is:
- FTTH connection
- Several VLANs:
  - Intranet (highly protected: laptops, mobile phones, printer, scanner, NAS, ...; access from here to more or less everywhere, no access at all into this network)
  - Guest network (Internet access only, no access into this network)
  - IoT network (all IoT devices are here; no access to the Internet, to stop devices from calling home; access from the Intranet is allowed)
  - TV network (TVs, Alexas, ...; access to the Internet)
  - Network for the Kubernetes cluster hosting several public and private services (restricted access from the Internet)
  - Network for time servers (restricted access from the Internet)
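The VLAN policy above is only prose on this page; the following forward-chain filter is an added example (not the author's configuration) that implements it on RouterOS 7. The VLAN interface names (intranet, guest, iot, tv, k8s, ntp) and the decision to let the Kubernetes and time-server VLANs reach the Internet outbound are assumptions; telekom-layer3 is the PPPoE interface from the page. The established/related rule at the top is what lets IoT devices answer Intranet clients without being able to start anything themselves, and the default drop at the bottom is what stops, for instance, a guest client that hits the router's own guest-gateway address from reaching an internal server through a `dst-address-type=local` port-forward.

```routeros
# Added example, not from the original page. Interface names below are assumed.
/interface/list
add name=WAN comment="upstream (PPPoE)"
add name=LAN comment="all internal VLANs"
/interface/list/member
add list=WAN interface=telekom-layer3
add list=LAN interface=intranet
add list=LAN interface=guest
add list=LAN interface=iot
add list=LAN interface=tv
add list=LAN interface=k8s
add list=LAN interface=ntp

/ip/firewall/filter
# Stateful baseline: replies to already-allowed flows pass, broken tracking state is dropped.
add chain=forward action=accept connection-state=established,related comment="allow replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# From the Internet only traffic that a dstnat rule actually rewrote (published services) may enter.
add chain=forward action=accept in-interface-list=WAN connection-nat-state=dstnat comment="published services only"
# Intranet: may initiate to every other VLAN and to the Internet.
add chain=forward action=accept in-interface=intranet comment="intranet -> anywhere"
# Guest and TV: Internet only, never another VLAN.
add chain=forward action=accept in-interface=guest out-interface-list=WAN comment="guest -> internet"
add chain=forward action=accept in-interface=tv out-interface-list=WAN comment="tv -> internet"
# IoT: no rule at all, so it can only answer flows the Intranet opened (established/related above).
# Kubernetes and NTP VLANs: outbound Internet for updates and upstream time (assumption), nothing else.
add chain=forward action=accept in-interface=k8s out-interface-list=WAN comment="k8s -> internet"
add chain=forward action=accept in-interface=ntp out-interface-list=WAN comment="ntp -> internet"
# Everything not listed above is a new connection that nobody allowed: drop and log it.
add chain=forward action=drop log=yes log-prefix=fwd-drop comment="default deny"
```

Rule order matters in RouterOS: the stateful rules must stay first, and the default drop last. `/ip/firewall/filter print stats` shows the packet counters per rule, which is the quickest way to confirm that, say, an IoT device trying to reach the Internet is really landing on the default-deny rule and not on an accept rule above it.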
First Challenge: Internet Connection using FTTH
I'm using a GPON module, plugged into the SFP cage.
First step, to establish an "Ethernet" connection to the provider:
/interface/vlan
add comment="2. Layer for Telekom FTTH" interface=sfp1 name=telekom-layer2 vlan-id=7
Important: the serial number of the GPON module shall be communicated to the provider (here: Telekom). It will be used as a first authentication layer. Wrong serial number: no connection.
Second step, PPPoE:
/interface/pppoe-client
add comment="3. Layer for Telekom FTTH" interface=telekom-layer2 name=telekom-layer3 user=XXX password=YYY
Here, the previously created VLAN interface telekom-layer2 is used.
The username is the concatenation of Anschlusskennung, Zugangsnummer, Mitbenutzernummer and @t-online.de. The password is the Persönliches Kennwort.
This configuration establishes the connection to the provider. You can check it in /ip/address, where you should see a dynamically assigned address on the interface telekom-layer3.
However, this is just the connection; to reach the Internet through it a route, in particular a default route, is required:
/ip/route
add dst-address=0.0.0.0/0 gateway=telekom-layer3
Additionally, a masquerading rule in the firewall NAT configuration is required:
/ip/firewall/nat
add action=masquerade chain=srcnat comment="nat on wan" log=no log-prefix=masq out-interface=telekom-layer3
And finally a DNS server (I was a bit surprised that it was not configured dynamically.):
/ip/dns
add dns-servers=8.8.8.8 name=default
Second Task, no Challenge
Providing the services on the Kubernetes cluster to the Internet requires a port-forwarding setup. On Mikrotik it is called destination NAT (dstnat).
This was an easy task, however, since I had to rework the whole firewall filter and nat configuration due to the next task/challenge, only a sample rule is here:
/ip/firewall/nat
add action=dst-nat chain=dstnat comment="http server" dst-address-type=local dst-port=80 log=no log-prefix=http-server protocol=tcp to-addresses=10.0.1.100
This rule says: any access to a local address (one that is configured directly on the router) on port 80/tcp is forwarded to the address 10.0.1.100. That is the address of the http server.
Third Task, Second Challenge: Accessing Servers behind the Router from Clients behind the Router via the public Address of the Router
This was a hard one.
I've this Kubernetes cluster providing services like Nextcloud and Bitwarden, which I want to access from my mobile from my Intranet WLAN but also from off-road via 5G.
This works perfectly in the current setup using a LANCOM router. But when switching to Mikrotik and naively using the same rules, I was able to access the Internet from my Intranet and I was able to access the services on the Kubernetes cluster from the world (using my mobile via 5G), but I was not able to access the services on the Kubernetes cluster from the Intranet using the public address of my Internet connection.
It took a lot of debugging to understand the problem: the masquerading rule (srcnat), which is bound to the outgoing WAN interface, is not triggered, because the packets do not leave the router through the WAN interface; they are addressed to an address that is configured directly on the router. Thus, the source address of the packets is not rewritten. The port-forwarding rule (dstnat) in turn is triggered, because a configured port is accessed via the public address of the router. The service consequently sees the original source address of the packet (the actual client address, which is in the router's own address scope) and sends its response packets to that address. These packets are routed directly to the client without passing through the connection handling of the masquerading engine. So the client sends to the public address of the router but receives directly from the service, and therefore cannot associate the request and response packets with the same connection.
The solution is to set up a dedicated masquerading rule with the service addresses as dst-address condition and the addresses of the internal client networks as src-address condition. This rule is triggered in the scenario described above, and the source address is replaced by the local address of the interface through which the packet leaves the router. The server then sends its responses to that address, and they are handled correctly by the masquerading engine.
In the end I came to this rule:
/ip/firewall/nat
add action=masquerade chain=srcnat comment="Generic Hairpin NAT Rule, remember to maintain the lists CLIENTS and SERVICES" \
dst-address-list=SERVICES log=yes log-prefix=hairpin1 src-address-list=CLIENTS
The two lists mentioned, CLIENTS and SERVICES, are maintained at /ip/firewall/address-list.
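To show the port-forwarding rule from the second task and the hairpin rule above together, with the address lists they depend on and in the order the rules must appear, here is an added example (not the author's full configuration). The list names, 10.0.1.100 and telekom-layer3 are from the page; the client subnets are constructed placeholders.

```routeros
# Added example, not the page's own configuration. Subnets in CLIENTS are assumed.
/ip/firewall/address-list
add list=CLIENTS address=10.0.10.0/24 comment="intranet VLAN (assumed subnet)"
add list=CLIENTS address=10.0.30.0/24 comment="tv VLAN (assumed subnet)"
add list=SERVICES address=10.0.1.100 comment="http server behind the router"

/ip/firewall/nat
# 1. Publish the service: tcp/80 on any router-local address (so it survives a changing
#    public address) is rewritten to the server.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80 dst-address-type=local \
    to-addresses=10.0.1.100 comment="http server"
# 2. Hairpin: an internal client that reached the server through the public address gets
#    its source rewritten to the router's address on the server's VLAN, so the reply comes
#    back through the router and both translations are undone symmetrically.
add chain=srcnat action=masquerade src-address-list=CLIENTS dst-address-list=SERVICES \
    comment="hairpin NAT, maintain lists CLIENTS and SERVICES" log=yes log-prefix=hairpin1
# 3. Ordinary Internet masquerade, after the hairpin rule.
add chain=srcnat action=masquerade out-interface=telekom-layer3 comment="nat on wan"

# Verification: the hairpin rule's counters must move when an internal client opens the
# public address, and the tracked connection must show both srcnat and dstnat applied.
/ip/firewall/nat print stats
/ip/firewall/connection print where dst-address~"10.0.1.100"
```

As written, the hairpin rule also masquerades traffic from CLIENTS that addresses 10.0.1.100 directly, so the server's logs then show the router's address instead of the real client for those flows. Adding `connection-nat-state=dstnat` to the hairpin rule limits it to connections that really went through the port-forward and keeps direct LAN access unmasqueraded. The `log=yes` on the hairpin rule is useful while testing but writes one line per new connection, so turn it off once the rule is confirmed to match.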
To be honest, this special case is described in the Mikrotik documentation, but I didn't understand it and had to learn it myself with an interesting test setup.