MikroTik

nscheffer

Hi All, I have the following use case with outdoor devices only : - site is in Palma de Majorque with 3 buildings and one gate, max distance is ~500m - i want to have in the middle an internet access with LTE/5G router and provide internet to the other building - on each building local Access Points...

nscheffer

Hi Sindy,

Finally it's more complex than I was expecting, missing SFP+ port on FortiGate to enable EMAC, EMAC is not possible at the Switch I got where I got plenty of SFP+ ports !
Need to re-organize my setup....

nscheffer

Yes this is the goal where each Fiber has a dedicated EMAC and CRS305 (one or two) swap original VLAN on Fortigate side (11 or 12) to the same number (832) for each Fiber adding also CoS 6 on DHCPv4 request...

nscheffer

Didn't check and/or pay attention when I did it. I can use EMAC VLAN (Enhanced MAC) on the Firewall for each Fiber to force different MAC but I am loosing 10Gbps speed (don't have engohu SFP+ port on the Firewall), but I can aggregate two Gig port if success without loosing the full 2Gbps speed on e...

nscheffer

Hi Sindy, Not enough time and competences to correctly investigate and troubleshoot the problem when using both Fiber without their Telcos Box using GPON ONU directly on CRS305 SFP+ ports. Problem was the same with one CRS305 handling both Fiber and two CRS305 for each Fiber, the Firewall Fortinet (...

nscheffer

Hi Sindy, Quick update, I restart from scratch all my config and in the same time got feedback on my case with Mikrotik support. It seems the problem was with MAC learning enabled by default on each port inside the bridge, by disabling each I got now one Fiber with the ONU GPON into the CRS305 conne...

nscheffer

Hi Sindy, I did a chat session today with Fortinet support and after many tests and verifications it seems the Mikrotik CRS305 is not able to handle both Fiber with Switch Rules ! Here is what we agree : - i am gooing to receive a second CRS305 (I order it yesterday) to do the following - scenario 1...

nscheffer

Hi Sindy, I did many check and try to understand what's wrong and I suspect that CRS305 (or Firewall) does not accept packet back from ONU, you see TX packets going to ONU from CRS305 but the switch rule who is supposed to catch traffic back from ONU to Firewall is resulting a zero in term of packet...

nscheffer

Hi Sindy, You are wright, using Architecture 1 it seems the Firewall is blocking one wan port (but I cannot identify it and confirm it, could be the CRS305 also blocking alternatively one port), why I don't know. I just open a ticket at Fortinet and also at Mikrotik (SUP-82564) providing the link to...

nscheffer

Architecture 1 - I am going to try to force a different MAC for each vlan of each wan on the Firewall side and let you know the result. Architecture 2 - I just try again 5mn again and this time both are blocked, none are working !!!! I suspect the Firewall to see the same MAC on different port and/o...

nscheffer

I am gong to try again Architecture 2 and I will pay attention on the Firewall to see if there is no blocking point !
On the CRS305 can I force a different MAC when I will use sfpplus3 to carry the second wan to the Firewall ?

nscheffer

Switch Rules is not easy to troubleshoot, no stats no monitoring and If I am correct when there is a Switch Rule matching I cannot have packet capture with streaming ? Here is a diagram for the first scenario, one cable to share both wan. I am going to check on the Firewall too if there is nothing w...

nscheffer

Hi Sindy, First thanks for your reply. Let me try to give you a summary about what I did and learn : I try 2 different architecture with same result : 1) Single connection to Firewall - a DAC cable on sfpplus1 going to firewall to carry wan 1 (with vlan 111 for orange tagged) and and wan2 (with vlan...

nscheffer

Hi Sindy, I got one problem ! It seems both Fiber cannot be handle in the same time, Switch Rule could process TX and RX flow for one Fiber but on the second only TX is process not RX back packets... Flags: R - RUNNING; S - SLAVE Columns: NAME, RX-BYTE, TX-BYTE, RX-PACKET, TX-PACKET, RX-DROP, TX-DRO...

nscheffer

Hi Sindy, Finally I solved it, GPON ONU serial was incorrect !!! Switch Rule diagnostic is not easy, no stats, no logs, nothing, ocular due improved in the future ! I am going to create a full documentation about all my setup, share it internally at Fortinet and post the config on the French forum l...

nscheffer

Hi Sindy, I don't know if it's the latest beta 7.3 Beta 40 but I got today (2 days in advance !) GPON ONU from fs.com. I try just one and it seems Switch Rule are not working anymore ! I check with my laptop using Wireshark on the FortiGate 10Gbs interface and I got with respective vlan 111 and 112 ...

nscheffer

Hi Sindy, Finally ONU GPON from fs.com will be delivered this Friday, keep you updated with final configuration starting this weekend... Tuning the config, should I enable the ingress filtering on all sfpplusx ports ? Here is my current config : /interface bridge add admin-mac=18:FD:74:00:44:70 auto...

nscheffer

Perfect, I am all good ! For the limitation with a single link at 10G it's not really a problem because I am using SFP ONU limited to 2.5G max each, so dual will be maximum at 5G so enough bandwidth. CRS305 has been ordered and I should have it in less than one week, but for the ONU from fs.com actu...

nscheffer

Hi Sindy, Thank you for your very quick answer, Mikrotik support is rock ! All my current Mikrotik devices are used, it's why I bough a new CRS305 for this come back... Actually on the Firewall, I got each Livebox connected to a physical port and each wan is mapped into a separate vlan (11 and 12). ...

nscheffer

Yes, it will work with hardware forwarding, hence at fiber speed. You probably have to make sure no traffic will leak between the two uplinks, or at least ensuring that should cause no harm. So assuming the management interface of the CRS305 is ether1 , the management IP subnet of the CRS305 is att...

nscheffer

Ok I receive from Amazon a new CRS305 tomorrow, I try first on IPv4 and when it works try IPv6.
I let you know results.
Thanks a lot again.
Nicolas

nscheffer

I didn't understood correctly, sorry ! It's more clear and make sense, very good. Regarding the rule to change Cos 6 to DHCPv4 Request, I suppose I could just add after another one for DHCPv6-PD Solicit ? add switch=switch1 ports=sfp-sfpplus2 vlan-id=832 protocol=udp dst-port=67 new-dst-ports=sfp-sf...

nscheffer

If I create two different bridge one with sfpplus1 and sfpplus2, the other sfpplus3 and sfpplus4.
Inside each bridge I add a vlan id 832, same for each bridge.
Does each bridge could act and handle each vlan 832 as separate vlan ?

nscheffer

One important point each Fiber must be isolated together because they use the same vlan id 832, If I put everyone into the same vlan it will be confusing for all ! So can I create 2 bridge, one for each fiber (SFP ONT and Firewall port) where inside each bridge vlan id 832 is used by the provider to...

nscheffer

Hi Sindy, Unfortunatly I was not successful to have my internet access working. I decide to try with OpenWRT giving me more flexibility and features. Thanks a lot for your help. Regards, Nicolas Hi Sindy, Finally i could be back !! SFP ONT Nokia G-010S-A are not correctly recognized with the RB2011...

nscheffer

Hi Sindy,

Unfortunatly I was not successful to have my internet access working.
I decide to try with OpenWRT giving me more flexibility and features.
Thanks a lot for your help.
Regards,
Nicolas

nscheffer

Hi Sindy,

Sorry for the late reply, I was busy on some works.
I will try to reach a working solution this weekend.
I let you know the result.

Regards,

Nicolas

nscheffer

I have a problem with mac-protocol=ip in the switch chip rule, because mac-protocol is vlan here if tagging is done before the rule is applied. In bridge filter rules, the IP and port matching is only possible when mac-protocol=ip , but if I remember correctly, this is not the case with switch rule...

nscheffer

I have a problem with mac-protocol=ip in the switch chip rule, because mac-protocol is vlan here if tagging is done before the rule is applied. In bridge filter rules, the IP and port matching is only possible when mac-protocol=ip , but if I remember correctly, this is not the case with switch rule...

nscheffer

I have a problem with mac-protocol=ip in the switch chip rule, because mac-protocol is vlan here if tagging is done before the rule is applied. In bridge filter rules, the IP and port matching is only possible when mac-protocol=ip , but if I remember correctly, this is not the case with switch rule...

nscheffer

As you want it wirespeed, the switch chip must do all the job. Hence you have to make sfp1 and etherX member ports of a bridge with hw=yes on the respective /interface bridge port rows, and if you ever add any other port of that switch chip to any other bridge, it must be added with hw=no (only a s...

nscheffer

As you want it wirespeed, the switch chip must do all the job. Hence you have to make sfp1 and etherX member ports of a bridge with hw=yes on the respective /interface bridge port rows, and if you ever add any other port of that switch chip to any other bridge, it must be added with hw=no (only a s...

nscheffer

Agree that the hEX S will be the bottleneck and switch rules are not supported for vlan and also for sfp1. On MT7621 based routers, RouterOS doesn't support switch chip rules at all, not only on sfp1. I plan to replace my hEX S for each box by : - RB2011iLS-IN - or RB935GS-5HnT-RP Both should work ...

nscheffer

Sindy, Thanks a lot for the first part of answer. Concerning the CRS305, agree, seems to be the perfect match for me and I was thinking to use it for both fiber isolating each dual group of ports needed (SFP ONT into sfp1 and sfp2 going to firewall for Fiber 1 and Fiber 2 with sfp3 and sfp4 for exam...

nscheffer

Thanks for the answer, seems to be clear for me. My bridge filter will be applied between ether3 and the bridge using forward chain and got my vlan832... If I got switch rule with a compatible hardware it's the same where I need to apply the switch rule instead a bridge filter ? Agree that the hEX S...

nscheffer

Nobody knows how to do this ?

nscheffer

Hi, I got two internet fiber access in with a provider and I would like to remove their box and use my own Firewall. Actually my firewall cannot change vlan priority for a paquet send by himself (dhcpv4 request and dhcpv6-pd solicit). I would like to insert in a transparent way a Mikrotik hEX S on e...

nscheffer

Suggest you send a report to MT,, supout etc explaining your issue,

Done.

nscheffer

I did a couple of others tests and it seems impossible to have switch rules working correctly for IPv6 DHCP request and impossible to catch only UDP trafic on a specific port for IPv6 ! Any comments and/or suggestions ? Is it a bug ? May I need to fill something ? Sorry pretty new with a Mikrotik pr...

nscheffer

I assume that you found fasttracking which is not available for IPv6. or: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Fast_Forward Hi, Is there any plan to have it ? Also It seems that switch rules for IPv6 traffic to set Cos to 6 on DHCP solicit seems to be not working as it should be !...

nscheffer

Hi, I have a RB960PGS (hEX PoE) connected to a 1Gb/s Fiber internet access with Orange Pro in France. To be able to have a link we need : - for IPv4 set CoS to 6 on DHCP request + custom DHCP option code - for IPv6 set CoS to 6 on DHCP solicit + custom DHCP option code For IPv4 I got the following s...

nscheffer

I assume that you found fasttracking which is not available for IPv6. or: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Fast_Forward Hi, Is there any plan to have it ? Also It seems that switch rules for IPv6 traffic to set Cos to 6 on DHCP solicit seems to be not working as it should be !

nscheffer

Finally I got Ipv4 working with a switch rule but nothing for IPv6 !! I don't use anymore sfp1 because switch rule are not available for sfp1 and switch to ether1. Using a bridge for both IPv4 and IPv6 it was working perfectly but max speed top at 300Mb/s and CPU at 100% Now with switch rule working...

nscheffer

+1 because I got 2x fiber access with IPv4 and IPv6 with different prefix.

nscheffer

Hi all, I just received my Mikrotik hEX PoE to replace my current Orange Livebox for a 1Gb/s Fiber access with Orange in France. I did the following : Orange OLT -> Huawei ONT -> Mikrotik SFP RJ45 -> sfp1 on hEX PoE Orange is doing some twist on DHCP v4 request and DHCP v6 where you need to use a sp...

Search found 45 matches