I recently took delivery of a Mikrotik Cloud Router Switch (CRS109-8G-1S-2HnD-IN), purchased via their Australian distributor Duxtel, which happens to be a sponsor of SAGE-Au.
I'd been thinking for a while about putting my modem into pure bridge mode and using something smarter to do routing and firewall duties, and with the addition of some new networking kit to our home environment, now was the time to make it happen.
Our existing AP is another Mikrotik unit, the 5-port RB951G-2HnD (also purchased via Duxtel), and we've been really happy with its performance sitting in the loungeroom under the TV. Ok, when I say "we" I mean "me", because it's been absolutely rock solid and very high performance. That makes for a happy userbase.
Back to the new kit. The first thing I did was to set up the PPPoE client (easy) running on port ether1. Then I proceeded to port mapping, so that my public services (like the one you're reading this on) were appropriately mapped to my DMZ host. Certain useful firewall rules were added, and then I tried to get IPv6 set up, and managed to muck things up. Boo.
I'm not exactly sure what I got wrong, but it took me until just a few days ago to get it right. In that time I've read quite a few blog and forum posts, all of which helped me get to the right place. I don't recall specifically whether any one was more useful than another, so I'll just offer a general thank you to everybody who posted in any form about their problems and solutions.
Here's my solution.
Firstly, I've got a bridge, comprised of all the ports except ether1, and named allports-1. Secondly, I run the IPv6 DHCP client on the virtual interface for the PPPoE connection. This is not asking for an address, only a prefix delegation. Until I turned off asking for an address as well, I couldn't get the client to bind. That feeds into my local pool, which is providing a prefix hint of ::/64 and a prefix length of 64. (I get a /56 from Internode, which I think is more than I'm ever going to need, even if I IoT all the things under this roof.)
Thirdly, while I could run an IPv6 DHCP server on one of my Solaris systems, I chose not to, using the Mikrotik's server instead. This is running on ether2-master, and serving out from the local pool.
Fourth, addresses. It was this bit which caused me all the grief. In the config which now works, I have assigned an address to my bridge allports-1 and an address to my gateway port ether1. The address I assigned to ether1 is in fact that of my /56 from Internode.
Finally, firewalling. I'm using the standard set of rules here: accept ICMPv6 and HTTPS, drop telnet.
Other notes
I've found the serial console to be indispensable, especially since I managed to muck up the IPv4 routing a few times. The ability to send sniffed packets to a different system for capture using Wireshark is incredibly useful. Just remember that your Wireshark session needs to listen on UDP port 37008.
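The packets the router streams to that port arrive as TZSP over UDP, which is what Wireshark decodes when it listens on 37008. As an added example (my own code, not from this post and not anything Mikrotik ships), here is a small Python receiver that does the decoding itself: it parses the TZSP header and tag list, then summarises the Ethernet frame inside (MACs, 802.1Q VLAN id, EtherType, payload length). The TZSP layout it implements is from my own understanding of the format, the sample datagram is constructed, and the router address in listen() is a placeholder. It only accepts datagrams from the router's address because the stream is unauthenticated cleartext UDP: anything that can reach the port can feed the listener invented frames, and the captured traffic itself crosses the LAN in the clear, so run it on a host you trust.

```python
import socket
import struct

TZSP_PORT = 37008  # the port the post says Wireshark must listen on; TZSP's default
ENCAPSULATIONS = {0x01: "ethernet", 0x12: "ieee802.11"}
TAG_PADDING, TAG_END = 0x00, 0x01


def parse_tzsp(datagram):
    """Split one TZSP datagram into header fields, option tags and the captured frame.
    Layout (my understanding of TZSP): version(1) type(1) encapsulation(2), then a
    tag list where 0x00 = padding, 0x01 = end of tags, anything else = tag, length, data."""
    if len(datagram) < 4:
        raise ValueError("short TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated TZSP tag")
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]
        pos += 1 + length
    return {"type": ptype, "encapsulation": ENCAPSULATIONS.get(encap, hex(encap)),
            "tags": tags, "frame": datagram[pos:]}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def summarize_ethernet(frame):
    """Return dst/src MAC, 802.1Q VLAN id (None if untagged), EtherType and payload length."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, offset = None, 14
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "vlan": vlan,
            "ethertype": ethertype, "payload_len": len(frame) - offset}


# Constructed datagram: TZSP header (version 1, type 0, Ethernet), a padding tag, a
# one-byte option tag, the end tag, then a VLAN-10-tagged IPv6 frame between two
# locally administered MACs with 40 zero bytes standing in for the IPv6 header.
SAMPLE = (b"\x01\x00\x00\x01" + b"\x00" + b"\x0a\x01\x06" + b"\x01"
          + bytes.fromhex("020000000001" "020000000002" "8100" "000a" "86dd") + bytes(40))


def listen(router_ip, port=TZSP_PORT, count=10):
    """Print a summary of each frame the router streams. TZSP carries no authentication,
    so datagrams from any peer other than the router are silently ignored."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        seen = 0
        while seen < count:
            datagram, (peer, _) = sock.recvfrom(65535)
            if peer != router_ip:
                continue
            pkt = parse_tzsp(datagram)
            if pkt["encapsulation"] == "ethernet":
                print(summarize_ethernet(pkt["frame"]))
            seen += 1


if __name__ == "__main__":
    print(summarize_ethernet(parse_tzsp(SAMPLE)["frame"]))
    # listen("192.0.2.1")  # placeholder router address; uncomment to read a live stream
```

Point the router's sniffer at the host running this and it prints one line per frame; the placeholder address in the commented-out call must be replaced with the router's own LAN address.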
Here's the config export; I hope it's useful to you:
/interface bridge
add name=allports-1 protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=sfp1 ] disabled=yes master-port=ether2-master
/interface wireless
set [ find default-name=wlan1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes default-route-distance=1 disabled=no interface=ether1 keepalive-timeout=disabled name=node-pppoe password=YOURPASSWORD service-name=node \
use-peer-dns=yes user=YOURUSERNAME
/ip neighbor discovery
set ether1 discover=no
/interface ethernet switch
set use-cvid-in-one2one-vlan-lookup=no
/ipv6 dhcp-server
add address-pool=localpool interface=allports-1 name=localserver
/interface bridge port
add bridge=allports-1 interface=ether2-master
add comment=defconf interface=wlan1
add bridge=allports-1 interface=ether3
add bridge=allports-1 interface=ether5
add bridge=allports-1 interface=ether6
add bridge=allports-1 interface=ether7
add bridge=allports-1 interface=ether8
add bridge=allports-1 interface=ether4
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip settings
set accept-redirects=yes accept-source-route=yes
/ipv6 settings
set accept-router-advertisements=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=drop chain=input dst-port=23 in-interface=all-ppp log=yes log-prefix=drop23- protocol=tcp
add action=fasttrack-connection chain=forward connection-state=established,related,new in-interface=!all-ppp
add chain=input connection-state=established,related,new
add action=drop chain=input connection-state=invalid
add action=fasttrack-connection chain=input in-interface=!all-ppp
add chain=forward connection-state=established,related,new
add chain=forward in-interface=!all-ppp
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=25 protocol=tcp to-addresses=DMZHOST to-ports=25
add action=dst-nat chain=dstnat dst-port=53 in-interface=all-ppp protocol=udp to-addresses=DMZHOST to-ports=53
add action=dst-nat chain=dstnat dst-port=443 in-interface=all-ppp protocol=tcp to-addresses=DMZHOST to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=all-ppp protocol=tcp to-addresses=DMZHOST to-ports=80
add action=masquerade chain=srcnat out-interface=node-pppoe
/ip route
add distance=1 dst-address=192.168.0.0/16 gateway=ether2-master pref-src=192.168.1.2
add distance=1 dst-address=192.168.10.0/24 gateway=allports-1
add distance=1 dst-address=192.168.10.0/24 gateway=ether2-master
/ipv6 address
add address=2001:44b8:2188:f001:: from-pool=localpool interface=allports-1
add address=2001:44b8:2188:f000:: from-pool=localpool interface=ether1
/ipv6 dhcp-client
add add-default-route=yes interface=node-pppoe pool-name=localpool prefix-hint=::/64 request=prefix
/ipv6 firewall filter
add action=drop chain=forward dst-port=23 in-interface=node-pppoe protocol=tcp
add chain=input port=443 protocol=udp
add chain=forward port=443 protocol=udp
add chain=input port=443 protocol=tcp
add chain=forward port=443 protocol=tcp
add action=drop chain=forward in-interface=node-pppoe
add chain=input in-interface=node-pppoe protocol=icmpv6
add chain=input dst-port=546 in-interface=node-pppoe protocol=udp
add action=drop chain=input in-interface=node-pppoe
add action=drop chain=input in-interface=ether1
add chain=forward in-interface=node-pppoe log=yes port=9876 protocol=tcp
/ipv6 nd
set [ find default=yes ] advertise-dns=yes hop-limit=64 managed-address-configuration=yes mtu=9000 other-configuration=yes ra-lifetime=10m reachable-time=10s \
retransmit-interval=10s
/ipv6 nd prefix
add interface=ether2-master
/system clock
set time-zone-name=Australia/Brisbane
/system ntp client
set enabled=yes primary-ntp=202.81.208.160 secondary-ntp=119.148.81.6
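As an added example (my own code, not part of the original post and not a Mikrotik tool), here's a small Python script that reads the two firewall filter sections of the export above and runs two defender's checks over rule order: rules that can never match because an earlier terminal rule in the same chain already covers everything they would match, and input-chain accepts that carry no source restriction at all, so they also apply to traffic arriving from the PPPoE side. The comparison is deliberately literal (exact key/value matchers; negated, ranged or list values are compared as strings), which is enough to catch plain ordering mistakes but is no substitute for reading the rules.

```python
from textwrap import dedent

# The two firewall filter sections of the export above, copied as-is so the
# script runs offline (nothing else in the export is needed for these checks).
EXPORT = dedent("""\
    /ip firewall filter
    add action=drop chain=input dst-port=23 in-interface=all-ppp log=yes log-prefix=drop23- protocol=tcp
    add action=fasttrack-connection chain=forward connection-state=established,related,new in-interface=!all-ppp
    add chain=input connection-state=established,related,new
    add action=drop chain=input connection-state=invalid
    add action=fasttrack-connection chain=input in-interface=!all-ppp
    add chain=forward connection-state=established,related,new
    add chain=forward in-interface=!all-ppp
    /ipv6 firewall filter
    add action=drop chain=forward dst-port=23 in-interface=node-pppoe protocol=tcp
    add chain=input port=443 protocol=udp
    add chain=forward port=443 protocol=udp
    add chain=input port=443 protocol=tcp
    add chain=forward port=443 protocol=tcp
    add action=drop chain=forward in-interface=node-pppoe
    add chain=input in-interface=node-pppoe protocol=icmpv6
    add chain=input dst-port=546 in-interface=node-pppoe protocol=udp
    add action=drop chain=input in-interface=node-pppoe
    add action=drop chain=input in-interface=ether1
    add chain=forward in-interface=node-pppoe log=yes port=9876 protocol=tcp
""")

# Keys that do not select traffic, actions that end rule processing, and the
# matchers that tie a rule to where the traffic came from.
NON_MATCHERS = {"action", "log", "log-prefix", "comment", "disabled"}
TERMINAL = {"accept", "drop", "reject", "tarpit"}
SOURCE_KEYS = {"in-interface", "in-interface-list", "src-address", "src-address-list"}


def parse_export(text):
    """Return {section: [rule, ...]}, one dict of key=value pairs per 'add' line.
    A line ending in a backslash is joined with the next, as in a RouterOS export."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        if verb != "add" or current is None:
            continue  # 'set' lines configure defaults; they are not rules
        rule = {}
        for token in rest.split():
            key, eq, value = token.partition("=")
            if eq:
                rule[key] = value
        sections[current].append(rule)
    return sections


def matchers(rule):
    return {k: v for k, v in rule.items() if k not in NON_MATCHERS}


def action_of(rule):
    return rule.get("action", "accept")  # RouterOS rules with no action accept


def shadowed_rules(rules):
    """Zero-based indices of rules that can never match: an earlier terminal rule has
    a matcher set that is a subset of theirs, so it catches the traffic first."""
    found = []
    for j, later in enumerate(rules):
        lm = matchers(later)
        for earlier in rules[:j]:
            if action_of(earlier) in TERMINAL and matchers(earlier).items() <= lm.items():
                found.append(j)
                break
    return found


def unrestricted_input_accepts(rules):
    """Indices of input-chain accepts with no in-interface or source-address matcher,
    i.e. accepts that apply equally to packets arriving on the WAN side."""
    return [i for i, r in enumerate(rules)
            if r.get("chain") == "input" and action_of(r) == "accept"
            and not SOURCE_KEYS & set(r)]


def audit(text):
    """Run both checks over every firewall filter section found in the export."""
    return {name: {"shadowed": shadowed_rules(rules),
                   "unrestricted_input_accepts": unrestricted_input_accepts(rules)}
            for name, rules in parse_export(text).items()
            if name.endswith("firewall filter")}


if __name__ == "__main__":
    for section, findings in audit(EXPORT).items():
        print(section)
        for check, indices in findings.items():
            print(f"  {check}: rules {indices}")
```

On the export above it reports the last /ipv6 filter rule (the logged port 9876 forward) as shadowed by the drop of everything arriving on node-pppoe just before it, and lists as source-unrestricted the IPv4 input accept of established,related,new connections and the two IPv6 port 443 input accepts. Whether each of those is intended is a judgement for whoever owns the router; the script only makes the ordering visible.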
In a while, once work has quietened down a bit, I'm going to play around with MAC-address-based VLANs, because they seem cool, and a really neat thing. Who knows, they might even be useful someday!