Thread: Nat 1 to 1, routing dan block DHCP broadcast

Masih dengan konsep mikrotik + ubiquity dengan multiple SSID
Sekarang dengan penambahan
- NAT 1 to 1
- block DHCP broadcast dari server lain ( 172.21.1.200/16 )
- routing vlan ke jaringan 172.21.0.0/16 dengan gateway 172.21.2.240

setting sepeti berikut
/interface bridge
add l2mtu=1598 name=b-LAN
add l2mtu=1594 name=b-W2LAN
add l2mtu=1594 name=b-W2Inet

/interface ethernet
set 0 name=eth1_ISP
set 1 name=eth2_LAN
set 2 name=eth3_W2LAN
set 3 name=eth4_W2Inet
set 4 name=eth5_AP

/interface vlan
add interface=eth3_W2LAN l2mtu=1594 name=W2LAN vlan-id=101
add interface=eth4_W2Inet l2mtu=1594 name=W2Inet vlan-id=102

/ip pool
add name=pool-LAN ranges=172.21.3.81.1-172.21.3.100
add name=pool-W2LAN ranges=172.21.52.1-172.21.52.199
add name=pool-W2Inet ranges=10.206.0.1-10.206.0.199

/ip dhcp-server
add address-pool=pool-LAN disabled=no interface=b-LAN name=DHCP-LAN
add address-pool=pool-W2LAN disabled=no interface=b-W2LAN name=DHCP-W2LAN
add address-pool=pool-W2Inet LAN disabled=no interface=b-W2Inet name=DHCP-W2Inet

/interface bridge port
add bridge=b-LAN interface=eth2_LAN
add bridge=b-LAN interface=eth5_AP

add bridge=b-W2LAN interface=eth3_W2LAN
add bridge=b-W2LAN interface=W2LAN

add bridge=b-W2Inet interface=eth4_W2Inet
add bridge=b-W2Inet interface=W2Inet

/ip address
add address=172.21.3.80/16 interface=b-LAN
add address=172.21.52.240/24 interface=b-W2LAN
add address=10.206.0.240/24 interface=b-W2Inet

/ip dhcp-server network
add address=172.21.0.0/16 dns-server=172.21.2.240 gateway=172.21.2.240
add address=172.21.52.0/24 dns-server=172.21.52.240 gateway=172.21.52.240
add address=10.206.0.0/24 dns-server=10.206.0.240 gateway=10.206.0.240

/ip dns
set allow-remote-requests=yes

/ip route
add dst-address=0.0.0.0/0 disable=no gateway=192.168.1.1

/ip firewall nat
add chain=srcnat action=masquerade out-interface=eth1_ISP

/ip neighbor discovery
set eth1_ISP discover=no
set eth3_W2LAN discover=no
set eth4_W2Inet discover=no
set bridge_W2LAN discover=no
set bridge_PSID_Inet discover=no
set vl-W2LAN-eth5 discover=no
set W2Inet-eth5 discover=no

dan saya akan menambahkan
Untuk memblock DHCP broadcast dari IP 172.21.1.200
/interface bridge filter
add action=log chain=forward comment="log dhcp servers on 172.21.1.200" \
disabled=no dst-address=255.255.255.255/32 ip-protocol=udp log-prefix=\
"blocked dhcp server" mac-protocol=ip src-address=172.21.1.200 \
src-port=67-68
add action=drop chain=forward comment="drop dhcp servers on 172.21.1.200" \
disabled=no dst-address=255.255.255.255/32 ip-protocol=udp mac-protocol=\
ip src-address=172.21.1.200 src-port=67-68

/interface bridge settings
set use-ip-firewall=yes

Untuk routing segment 10.206.0.0/24 ke 192.168.1.1
dan segment 172.21.52.0/24 k3 172.21.2.240
menggantikan setting add dst-address=0.0.0.0/0 disable=no gateway=192.168.1.1

/ip route
add dst-address=10.206.0.0/24 disable=no gateway=192.168.1.1
add dst-address=172.21.52.0/24 disable=no gateway=172.21.2.240

Untuk nat 1 to 1 dari
-segment 10.206.0.0/24 ke eth1_ISP atau 192.168.1.1
-segment 172.21.52.0/24 ke eth2_LAN atau 172.21.2.240
menggantikan setting add chain=srcnat action=masquerade out-interface=eth1_ISP

/ip firewall nat
add chain=srcnat out-interface=eth1_ISP src-address=10.206.0.0/24 action=src-nat to-address=192.168.1.1
add chain=dstnat in-interface=eth1_ISP dst-address=192.168.1.1 action=dst-nat to-address=10.206.0.0/24

add chain=srcnat out-interface=eth2_LAN src-address=172.21.52.0/24 action=src-nat to-address=172.21.2.240
add chain=dstnat in-interface=eth2_LAN dst-address=172.21.2.240 action=dst-nat to-address=172.21.52.0/24

Yang tidak error
-NAT 1 to 1 tidak berjalan
-routing tidak berjalan

Yang sukses
block DHCP

Mohon di bantu untuk setting yang benar nya.
Dan klo block DHCP kurang tepat mohon di koreksi

NAT solved
/ip firewall nat
add chain=srcnat out-interface=eth1_ISP src-address=10.206.0.0/24 action=masquerade
add chain=srcnat out-interface=eth2_LAN src-address=172.21.52.0/24 action=masquerade