torchify
just joined
Topic Author
Posts: 5
Joined: Tue Apr 02, 2024 6:35 pm

Can someone share a full working /29 config

Sat Apr 06, 2024 2:18 am

Greetings,

Looking to see a fully working config for a /29 network. Maybe even different examples if you have them. Rough network diagram attached.
network_diagram.PNG
 
loloski
Member
Posts: 354
Joined: Mon Mar 15, 2021 9:10 pm

Re: Can someone share a full working /29 config

Sat Apr 06, 2024 3:47 am

Your diagram/networks are fine as they are, but it really depends on what you are doing and trying to achieve. I would do it differently, because public IPs are very scarce: I would conserve them as much as possible if I had to, and if some servers or workstations can be behind a NAT, I'd do it.
1.png
 
Amm0
Forum Guru
Posts: 3591
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Can someone share a full working /29 config

Sat Apr 06, 2024 5:08 am

You can create a new bridge and put Ether1-Ether4 in it. Assign x.x.x.178/29 as the /ip/address on the new bridge, and the desired static assignments on the servers. Assuming you have the default firewall/config, you need to add the new bridge interface to the "WAN" interface list (under Interfaces > Lists) to protect the router.

The same approach is possible using a VLAN as the WAN instead of a new bridge. You need to be using vlan-filtering=yes in the bridge, assign x.x.x.178/29 to a new VLAN, and tag ether1 to ether4 with the new VLAN ID. This would be useful if your servers need both the WAN and LAN (assuming the servers are VLAN-aware).

@loloski's advice isn't bad and in some ways also safer (since you'd be defining the ports needed). Basically, the approach is that you assign all the IPs to the router and use either action=dst-nat for ports, or even action=netmap to map all ports to a specific host, in /ip/firewall/nat (e.g. NAT defines the mappings, including which of the public IPs to map to). The servers only see their LAN address in this case, and all access is gated through the MikroTik router.

In all cases you'd need an /ip/route for 0.0.0.0/0 to x.x.x.177.
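The VLAN-as-WAN variant from the reply above, written out as an added example (not from the thread). It assumes the ISP uplink is sfp-sfpplus1 delivering the /29 untagged, that the servers on ether1-ether4 are VLAN-aware, and uses placeholder VLAN IDs 10 (WAN) and 20 (LAN) and the documentation prefix 203.0.113.176/29 in place of x.x.x.176/29, with .177 as the ISP gateway.

```routeros
# Added example: one bridge with vlan-filtering, the /29 on a VLAN interface.
# vlan-filtering is switched on last so the router is not locked out while
# the VLAN table is still empty.
/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
# uplink: untagged frames from the ISP are placed in the WAN VLAN
add bridge=bridge1 interface=sfp-sfpplus1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
# server ports: tagged only, so a stray untagged frame cannot land in VLAN 1
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether4 frame-types=admit-only-vlan-tagged

/interface bridge vlan
# WAN VLAN 10: untagged on the uplink, tagged towards the servers and the CPU (bridge1)
add bridge=bridge1 vlan-ids=10 untagged=sfp-sfpplus1 tagged=bridge1,ether1,ether2,ether3,ether4
# LAN VLAN 20: tagged towards the servers and the CPU only; it never touches the uplink
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether1,ether2,ether3,ether4

/interface vlan
add name=vlan10-wan interface=bridge1 vlan-id=10
add name=vlan20-lan interface=bridge1 vlan-id=20

# the WAN list is what the default firewall keys on, so the VLAN interface goes there
/interface list member
add interface=vlan10-wan list=WAN
add interface=vlan20-lan list=LAN

/ip address
add address=203.0.113.178/29 interface=vlan10-wan network=203.0.113.176
add address=192.168.1.1/24 interface=vlan20-lan network=192.168.1.0

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.177

/interface bridge
set bridge1 vlan-filtering=yes
```

Servers take a public address from the /29 on their VLAN 10 sub-interface and a 192.168.1.x address on VLAN 20; as with the plain-bridge approach, WAN-to-server traffic is bridged and never passes the router's filter chains, so the servers' own firewalls are what protect them.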
 
torchify
just joined
Topic Author
Posts: 5
Joined: Tue Apr 02, 2024 6:35 pm

Re: Can someone share a full working /29 config

Mon Apr 08, 2024 5:17 pm

Assuming you have the default firewall/config, you need to add the new bridge interface to the "WAN" interface list (under Interfaces > Lists) to protect the router.
I have a CCR2004; it came without a config. I want this monolithic IP-per-server setup to support an FTP server. If I'm doing the simple setup as mentioned in the first paragraph, what do I do with the sfp+1 interface? If .178 is assigned to the bridge, can it also exist on the sfp+1 port?

Right now I have
/interface list member
add interface=bridge1 list=WAN

/ip address
add address=x.x.x.178/29 interface=bridge1 network=x.x.x.176
>>> do I add this??: add address=x.x.x.178 interface=sfp-sfpplus1 network=x.x.x.177

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
>>> do I add this??: add bridge=bridge1 interface=sfp-sfpplus1
 
Amm0
Forum Guru
Posts: 3591
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Can someone share a full working /29 config

Mon Apr 08, 2024 6:04 pm

/ip address
add address=x.x.x.178/29 interface=bridge1 network=x.x.x.176
>>> do I add this??: add address=x.x.x.178 interface=sfp-sfpplus1 network=x.x.x.177
No. Leave the address as /29.
But you need a route:
/ip route add gateway=x.x.x.177

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
>>> do I add this??: add bridge=bridge1 interface=sfp-sfpplus1
If you want to make it a switch for the WAN, then yes:
/interface bridge port add bridge=bridge1 interface=sfp-sfpplus1
 
torchify
just joined
Topic Author
Posts: 5
Joined: Tue Apr 02, 2024 6:35 pm

Re: Can someone share a full working /29 config

Mon Apr 08, 2024 6:41 pm

Does this look like it would work? Any advice? (I should mention that the LAN network is needed only for the various management interfaces. I want to VPN in to this network which I will ask about in a different thread.)
/interface bridge
add name=bridge1
add name=bridge2

/interface list
add name=WAN
add name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.150

/ip dhcp-server
add address-pool=dhcp interface=bridge2 lease-time=1d name=dhcp1

/port
set 0 name=serial0
set 1 name=serial1

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge2 interface=ether9
add bridge=bridge2 interface=ether10
add bridge=bridge2 interface=ether11
add bridge=bridge2 interface=ether12
add bridge=bridge2 interface=ether13
add bridge=bridge2 interface=ether14
add bridge=bridge2 interface=ether15
add bridge=bridge2 interface=ether16

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/interface list member
add interface=bridge1 list=WAN
add interface=bridge2 list=LAN

/ip address
add address=192.168.1.1/24 interface=bridge2 network=192.168.1.0
add address=x.x.x.178/29 interface=bridge1 network=x.x.x.176

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.1.1 netmask=24

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=x.x.x.177 routing-table=main \
    suppress-hw-offload=no
 
Amm0
Forum Guru
Posts: 3591
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Can someone share a full working /29 config

Mon Apr 08, 2024 7:03 pm

There is no firewall, which is the main thing.
See https://help.mikrotik.com/docs/display/ ... t+Firewall
but personally the default firewall is better than the docs:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
 
Also, if you don't have IPv6, you may want to disable it:
/ipv6/settings/set disable-ipv6=yes 
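The NAT alternative Amm0 described in the first reply (every public address on the router, each netmapped to one LAN host), combined with the forward-chain rules from the default firewall above, as an added example that is not from the thread. It assumes the uplink is sfp-sfpplus1, the LAN bridge is bridge2, the documentation prefix 203.0.113.176/29 stands in for x.x.x.176/29 with .177 as the ISP gateway, and the FTP server sits at 192.168.1.10; the input chain is the default set above and is omitted here.

```routeros
# Added example: public .178 for the router, public .179 netmapped 1:1 to the FTP server.
/ip address
add address=203.0.113.178/29 interface=sfp-sfpplus1 network=203.0.113.176 comment="router WAN address"
add address=203.0.113.179/29 interface=sfp-sfpplus1 network=203.0.113.176 comment="public IP reserved for the ftp server"
add address=192.168.1.1/24 interface=bridge2 network=192.168.1.0 comment="LAN"

/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge2 list=LAN

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.177

/ip firewall nat
# inbound: every port sent to .179 is rewritten to the server's LAN address
add chain=dstnat action=netmap dst-address=203.0.113.179 to-addresses=192.168.1.10 comment="netmap .179 -> ftp server"
# outbound: the server's own connections leave as .179, not as the router's .178
# (must precede the masquerade rule, NAT rules match first-hit)
add chain=srcnat action=netmap src-address=192.168.1.10 to-addresses=203.0.113.179 comment="netmap ftp server -> .179"
add chain=srcnat action=masquerade out-interface-list=WAN comment="all other LAN hosts share .178"

/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# netmap marks every port as dstnat, so the default "drop all from WAN not DSTNATed"
# rule alone would expose the whole host; allow only the ftp control port explicitly.
# forward sees the translated destination, hence the LAN address here.
add chain=forward action=accept connection-nat-state=dstnat connection-state=new in-interface-list=WAN \
    protocol=tcp dst-address=192.168.1.10 dst-port=21 comment="ftp control to the netmapped server"
add chain=forward action=drop connection-state=new in-interface-list=WAN comment="nothing else new from WAN, netmapped or not"
```

Passive FTP data sessions are accepted by the established,related rule only while the ftp helper in /ip firewall service-port is enabled (it is by default).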
