Category: MikroTik

  • Doing VLAN trunk and access ports on MikroTik CRS/RouterOS

    Most of the switches in my homelab are MikroTik CRS switches, although I am getting a UniFi PoE switch (MikroTik didn’t make a 2.5G PoE switch, which is why).

    I use two CRS304-4XG-IN switches to connect desktop computers to the 10G LAN, but I wanted my desktops on a separate VLAN.

    On my network, I use VLAN 4 for desktops.

    The configuration you need is:

    /interface bridge
    add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no name=bridge vlan-filtering=yes
    /interface bridge port
    add bridge=bridge comment=defconf interface=ether1
    add bridge=bridge comment=defconf interface=ether2 pvid=4
    add bridge=bridge comment=defconf interface=ether3 pvid=4
    add bridge=bridge comment=defconf interface=ether4 pvid=4
    add bridge=bridge comment=defconf interface=ether5
    /interface bridge vlan
    add bridge=bridge tagged=ether1 untagged=ether2,ether3,ether4 vlan-ids=4

    The important parameters are the following:

    • vlan-filtering=yes on the /interface bridge turns VLAN filtering on. Without it the pvid and the VLAN table are ignored and every port sees every frame, so it is required for trunk/access ports.
    • pvid=4 on a /interface bridge port means untagged frames arriving on that port are assigned to VLAN 4 (it becomes the port’s native VLAN). Ports without a pvid, like ether1 and ether5 above, keep the default pvid of 1.
    • tagged=ether1 in the /interface bridge vlan entry means ether1 carries VLAN 4 with an 802.1Q tag, i.e. it is the trunk port.
    • untagged=ether2,ether3,ether4 means ether2-4 send VLAN 4 frames without a tag; together with pvid=4 that makes them access ports in both directions.
    • vlan-ids=4 means this VLAN table entry describes VLAN ID 4.

    Note that the bridge interface itself is not in the tagged list, so the switch’s own CPU has no presence in VLAN 4. That is fine for a pure switch; if you want to manage the switch from VLAN 4, add bridge to tagged= and create a /interface vlan on top of the bridge.
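    The same layout, as an added example that is not from the original post, with the ingress hardening a practitioner wants on a VLAN-filtering bridge and the checks to run afterwards. It assumes the bridge is called bridge, ether1 is the trunk, ether2-4 are desktop access ports on VLAN 4 and ether5 stays on the untagged default VLAN 1; these names are assumptions, not part of the original configuration.

    ```routeros
    # Added example (not from the original post): CRS304 trunk/access layout with
    # ingress hardening. Assumptions: bridge "bridge", trunk on ether1, desktops on
    # ether2-4 in VLAN 4, ether5 left on the untagged default VLAN 1.

    # Create the bridge with filtering OFF first; enabling it before the VLAN
    # table is complete can cut off management access.
    /interface bridge
    add name=bridge vlan-filtering=no

    # Trunk: admit only tagged frames, so stray untagged traffic from the uplink
    # cannot land in VLAN 1 next to the switch's own management address.
    /interface bridge port
    add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes

    # Access ports: pvid=4 maps untagged ingress to VLAN 4. Admitting only
    # untagged (and priority-tagged) frames stops a desktop from injecting its
    # own 802.1Q tags to hop into another VLAN; ingress-filtering=yes drops
    # frames for VLANs the port is not a member of.
    add bridge=bridge interface=ether2 pvid=4 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
    add bridge=bridge interface=ether3 pvid=4 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
    add bridge=bridge interface=ether4 pvid=4 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

    # ether5 stays on pvid 1 (default) but is still untagged-only and filtered.
    add bridge=bridge interface=ether5 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

    # VLAN table: VLAN 4 tagged on the trunk, untagged on the access ports.
    # The "bridge" interface is deliberately absent, so the switch CPU has no
    # presence in VLAN 4; use tagged=ether1,bridge plus an /interface vlan entry
    # if the switch should be managed from VLAN 4.
    /interface bridge vlan
    add bridge=bridge vlan-ids=4 tagged=ether1 untagged=ether2,ether3,ether4

    # Now turn filtering on.
    /interface bridge set [find name=bridge] vlan-filtering=yes

    # Checks: the VLAN table should list VLAN 4 with the expected membership,
    # and desktop MACs should be learned with vid 4 in the host table.
    /interface bridge vlan print
    /interface bridge host print where vid=4
    /interface bridge port print detail where bridge=bridge
    ```

    The order matters: populate the bridge ports and the VLAN table first and set vlan-filtering=yes last, otherwise the port you are configuring from can drop out of the bridge halfway through. If a desktop on ether2 sends a frame tagged with VLAN 1, the frame-types setting drops it before ingress-filtering even has to look at it.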

    Hopefully, this helps you set up VLAN trunking on a MikroTik CRS/RouterOS switch.

  • MikroTik: Add DNS Forwarding Entry for Active Directory DNS

    Also, why didn’t anyone tell me about match-subdomain=yes?

    For almost two years, my homelab’s core router has been a MikroTik, namely a CCR2004-16G-2S+ and then a CCR2004-16G-2S+PC. I also run a FreeBSD Samba Active Directory domain controller.

    The common ‘solution’ is a static entry with a regexp that matches the domain and all of its subdomains, and that’s usually not pretty.

    Then I learned about match-subdomain=yes, and it worked wonders, combined with ttl=0s.

    Keep in mind that this guide assumes you’re using the DNS server on the MikroTik router rather than an external resolver.

    If you’re using MikroTik’s resolver, add the following configuration:

    /ip dns static
    add forward-to=IP match-subdomain=yes name=DOMAIN ttl=0s type=FWD

    Replace IP with your DC’s IP address, and DOMAIN with the domain name used by AD.

    Note: you need ttl=0s; otherwise the router caches the answers and they get out of sync with the records the DC serves. match-subdomain=yes is a shortcut Google never told us about (even before “AI” responses), but it is exactly what is needed here: the entry matches the domain itself and every name beneath it, so host records like dc1.DOMAIN and the _ldap._tcp.dc._msdcs.DOMAIN SRV records that domain joins depend on are all forwarded to the DC.

    If you also want reverse DNS (PTR) lookups answered by the DC, add:

    /ip dns static
    add forward-to=IP match-subdomain=yes name=xx.in-addr.arpa ttl=0s type=FWD
    add forward-to=IP match-subdomain=yes name=yy.ip6.arpa ttl=0s type=FWD

    Replace IP with the IP address of the DC, xx with the reversed IPv4 prefix and yy with the reversed IPv6 nibbles of the reverse zones your DC hosts.
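    A complete set of entries for the forward and both reverse zones, as an added example that is not from the original post, together with the resolver setting the entries need and the firewall check that goes with it. The AD domain ad.example.corp, the DC address 10.0.4.10, the IPv4 range 10.0.0.0/8 and the IPv6 ULA fd00:1234::/32 are assumed values, as is the defconf WAN interface list.

    ```routeros
    # Added example (not from the original post). Assumed values: AD domain
    # ad.example.corp, domain controller 10.0.4.10, IPv4 LAN inside 10.0.0.0/8
    # (reverse zone 10.in-addr.arpa), IPv6 ULA fd00:1234::/32 (reverse zone
    # 4.3.2.1.0.0.d.f.ip6.arpa). Adjust to your own domain and addresses.

    # Forward the AD zone and both reverse zones to the DC. match-subdomain=yes
    # makes one entry cover dc1.ad.example.corp and everything beneath the
    # domain, including the _ldap._tcp.dc._msdcs.ad.example.corp SRV records a
    # domain join depends on. ttl=0s keeps the router from caching answers that
    # AD's dynamic DNS updates would otherwise leave stale.
    /ip dns static
    add type=FWD forward-to=10.0.4.10 match-subdomain=yes name=ad.example.corp ttl=0s comment="AD forward zone"
    add type=FWD forward-to=10.0.4.10 match-subdomain=yes name=10.in-addr.arpa ttl=0s comment="AD reverse zone, IPv4"
    add type=FWD forward-to=10.0.4.10 match-subdomain=yes name=4.3.2.1.0.0.d.f.ip6.arpa ttl=0s comment="AD reverse zone, IPv6"

    # Clients must be allowed to query the router; without this the entries
    # only affect the router's own lookups.
    /ip dns set allow-remote-requests=yes

    # allow-remote-requests listens on every interface, so make sure port 53 is
    # not reachable from the WAN. The default firewall's "drop all not coming
    # from LAN" input rule already covers this; these explicit rules are belt
    # and braces and assume the defconf WAN interface list exists.
    /ip firewall filter
    add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop place-before=0 comment="no open resolver"
    add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop place-before=0 comment="no open resolver"

    # Check from the router: AD registers the DC's address at the domain apex,
    # so the apex resolving to 10.0.4.10 shows the forward entry is being used.
    /ip dns cache flush
    :put [:resolve ad.example.corp]
    ```

    From a client, a query such as dig @<router> _ldap._tcp.dc._msdcs.ad.example.corp SRV should return the DC’s SRV record; if it comes back empty or with your upstream resolver’s answer, the static entry is not matching the name. Bear in mind that the router never consults its upstream servers for a forwarded zone, so if the DC is down nothing under the domain resolves.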

    This should give you AD DNS using MikroTik’s DNS server.