Computer

Mikrotik Vlan network with DMZ

Leave a comment

Last Updated or created 2023-05-10

UPDATE: 20230227 Static ip script

Example network with DMZ part, using VLANs and trunks.
Tested in my network, but not my current setup.

VLAN 3 – DMZ
VLAN 10 – Homenetwork
VLAN 128 – MGT

Modem : fritzbox, is dhcp server for 192.168.1.1 network
CRS: is dhcp server for wlan, home network, management, Also a firewall with NAT is configured here. ( No block examples below, only NAT )
RB: (Routerboard 2011) has no IPs except for a management IP (not in config below)
Server and Reverse proxy are in the 192.168.1.1 network.
(dhcp requests in a dmz vlan (3) get their IP from the modem DHCP pool.

Example ip’s server and PC

server: gets dhcp from modem, 192.168.1.10/24 gateway 192.168.1.1 DNS 192.168.1.1
PC: gets dhcp from CRS, 10.10.0.1/24 gateway 10.10.0.253 DNS 1.1.1.1

Config CRS

# feb/04/2023 14:55:22 by RouterOS 6.49.5
# software id = xxxx-xxxx
#
# model = CRS125-24G-1S
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=4C:5E:0C:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=trunk
set [ find default-name=ether3 ] comment=trunk
set [ find default-name=ether9 ] comment=vlan3
set [ find default-name=ether10 ] comment=vlan10
set [ find default-name=ether24 ] comment="MGMT - untagged"
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan128 vlan-id=128
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan128-pool ranges=10.128.0.100-10.128.0.200
add name=vlan10-pool ranges=10.10.0.100-10.10.0.200
/ip dhcp-server
add address-pool=vlan128-pool disabled=no interface=vlan128 name=mgt-dhcp
add address-pool=vlan10-pool disabled=no interface=vlan10 name=gen-dhcp
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp1
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether2,ether3,switch1-cpu vlan-id=128
add tagged-ports=ether2,ether3,switch1-cpu vlan-id=10
add tagged-ports=ether2,ether3,switch1-cpu vlan-id=3
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=128 ports=ether2,ether3,ether24
add customer-vid=0 new-customer-vid=3 ports=ether1,ether2,ether3,ether9
add customer-vid=0 new-customer-vid=10 ports=ether10,ether2,ether3
/interface ethernet switch vlan
add ports=ether2,ether3,ether24,switch1-cpu vlan-id=128
add ports=ether2,ether3,ether10,switch1-cpu vlan-id=10
add ports=ether1,ether2,ether3,ether9,switch1-cpu vlan-id=3
/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.1.253/24 comment=defconf interface=vlan3 network=192.168.1.0
add address=10.128.0.253/24 interface=vlan128 network=10.128.0.0
add address=10.10.0.253/24 interface=vlan10 network=10.10.0.0
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=1.1.1.1 gateway=10.1.0.253
add address=10.128.0.0/24 dns-server=1.1.1.1 gateway=10.128.0.253
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set servers=1.1.1.1
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.10.0.0/24
add action=masquerade chain=srcnat src-address=10.128.0.0/24 src-address-list=""
/ip route
add distance=1 gateway=192.168.1.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
/lcd
set time-interval=hour
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=crs125
/system ntp client
set enabled=yes primary-ntp=194.109.6.67 secondary-ntp=194.109.9.100

RB2011 config

# software id = xxxx-xxxx
#
# model = 2011iL
# serial number = xxxxxxxxxxxx
/interface bridge
add name=bridge1
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=3 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=128 vlan-header=always-strip vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add independent-learning=yes ports=ether2,ether3 switch=switch1 vlan-id=3
add independent-learning=yes ports=ether2,ether4 switch=switch1 vlan-id=10
add independent-learning=yes ports=ether2,ether5 switch=switch1 vlan-id=128

Additional info

Create a static dhcp entry :  IP->DHCP Server->Leases->Make Static
OR
add address=10.1.0.2 mac-address=00:1E:EC:xx:xx:xx server=gen-dhcp comment=”laptop”

Connected device gets ip from pool
Change into static
Waiting until lease expires
D – Dynamic flag is gone, now also comments are enabled

Converting above from a dhcpd.conf file

cat dhcpd.conf | egrep "host|fixed-address|hardware" | grep -v \# | grep -A1 -B1 fixed-address |  sed -e 'N;N;s/\n/ /g' | awk '{ print $5" "$8" "$2 }' | tr -d ';' | cut -f-4 -d. | awk '{ print "add address="$1" mac-address="$2" server=gen-dhcp comment=\""$3"\"" }'

will give you:
add address=10.1.0.41 mac-address=2C:F4:32:xx:xx:xx server=gen-dhcp comment="tasmotawifiusb"
add address=10.1.0.42 mac-address=b8:27:eb:xx:xx:xx server=gen-dhcp comment="ledserver"
add address=10.1.0.46 mac-address=CC:50:E3:xx:xx:xx server=gen-dhcp comment="kliko"
etc

Static DNS

/ip dns static
add address=10.1.0.1 name=brewpi.example.com

from the dhcpd.conf static entries
cat dhcpd.conf | egrep "host|fixed-address|hardware" | grep -v \# | grep -A1 -B1 fixed-address |  sed -e 'N;N;s/\n/ /g' | awk '{ print $5" "$8" "$2 }' | tr -d ';' | awk '{ print "add address="$1" name="$3 }'

from bind service
cat zonefile | grep "10.1" | awk '{ print "add address="$3" name="$1".example.com" }'

FreeIPA

ipa dnsrecord-find exampel.lab | grep -B1 "A rec" | grep -v "\-\-" | sed 'N;s/\n//' | awk '{ print "add address="$6" name="$3".example.lab" }'


Faster DNS
Add 2 firewall rules
forward chain, udp 53 action fasttrack
forward chain, tcp 53 action fasttrack

Leave a Reply

Your email address will not be published. Required fields are marked *