I'm looking at the default config that comes loaded in my RB951G.
I'm confused.

Question 1)
My WinBox GUI > Interface List shows "Name: Bridge-Local" "Type: Bridge"
What does bridge-local mean ?


My WinBox GUI > Interface List shows "Name: ether1-gateway" "Type: Ethernet" - I understand this.

Question 2)
My WinBox GUI > Interface List shows....
"Name: ether2-master-local" "Type: Ethernet"
"Name: ether3-slave-local" "Type: Ethernet"
"Name: ether4-slave-local" "Type: Ethernet"
"Name: ether5-slave-local" "Type: Ethernet"

What does Master-Local and Slave-Local mean?

Thanks, Brett

The 951 has a built-in ethernet switch chip.
When you set one port as slave to another, it "connects" them - so anything you configure on the master, the slave behaves the same way - like a 2, 3, 4, or 5 port Linksys unmanaged switch...

These interface names make it obvious which interfaces are linked, and whether they are WAN or LAN.

bridge-local is a software bridge. Before there was a hardware switch chip in Mikrotiks, you always used a bridge. These are much slower than a hardware switch because they use the CPU. However, since the wireless interface is not on the switch chip, if you want the wireless network to be the same LAN as the 4 ethernet ports, then the only way to connect these is with the CPU bridge.

So now, the CPU bridge is the official LAN interface of the Mikrotik. This is the interface you use in firewall rules, you configure as DHCP server, etc.

Hi ZeroByte,
I'd like to use this router to be able to apply a different network on each of the interfaces ether2, ether 3, ether 4 and ether 5.

Is this possible?

I don't understand why a default config would be one that acts like a switch.

I'm not trying to be facetious, it just seems a bit odd to me to have that kind of default.

Thanks, Brett

I'm not trying to be facetious, it just seems a bit odd to me to have that kind of default.

Thanks, Brett

Well, when you consider that many SOHO routers come with a single WAN interface, and a 4-port LAN switch, this is the behavior that this 951 router is using (951 is targeted at SOHO customers).

Disabling it couldn't be easier.
Just go into interfaces > ethernet and configure each interface, set the master=none.
Now all 5 interfaces will act as stand-alone interfaces.
You might want to rename them all to just ether1 ether2 ether3 ether4 and ether5 while you're at it.
(renaming it won't break any other configs that reference the interface - in fact, those references all get updated too)

If you also want the wireless to be its own routed-only network (no broadcast visibility onto wired interfaces) then you can just remove the LAN bridge entirely. You'll need to put an IP address and DHCP server onto the wlan1 interface after doing that, though.

Thanks Zero,

That is very clear now. You are a big help !
I'm going through Stephen Discher's book now to build some configs from scratch pg. 40.
Starting to have some fun now.
I'm sure I will return with more questions. Thanks for the quick replies.

Brett

Hi ZeroByte,
I'd like to use this router to be able to apply a different network on each of the interfaces ether2, ether 3, ether 4 and ether 5.
Thanks, Brett

ZeroByte has covered this well but if you run into difficulty like I have done when I first did this and forget to go to the DHCP Networks screen to set GW and DNS then there is a good step by step instruction here

http://networkingforintegrators.com/201 ... -mikrotik/

I'm going through Stephen Discher's book now to build some configs from scratch pg. 40.

Thanks Timo,

That's a great link.

Can you or Zero help me understand something else.

First of all, my hosted VoIP provider has his own way of configuring these MikroTik's so I'm just working off his configs.

Please take a look at the attached screen shot.

I don't understand how to determine which interface is the address of 24.x.x.x.

And which is the 192.168.88.1

Bridge pass-through and Bridge Local, don't mean anything to me.

You need to look in the bridge > ports screen to see which interfaces are attached to which bridge, but I can already guess what the guy is doing. (I've been in the business long enough to know a workaround when I see one).

His solution is to basically connect his box directly to the WAN and bypass the Mikrotik entirely as a router.
Note that ether1-gateway has a 'S' flag (slave). This means that it's either running slave on the switch chip (unlikely) or else connected to a bridge.

I love stuff like this. (very sarcastic here - I hate it with a burning passion). It reminds me of how much we hated sonicwall at a previous job of mine - it always screwed up our SCCP-based IP-pbx service, and there were certain "voip-friendly" firmware revisions that would fix it, but we would almost always just bypass the SonicWall for our phones. It always made me mad when the service manager would do that in stead of making the customers' IT company learn to properly configure the Sonicwalls that they just LOVED to install at our customers' sites.

if you want the wireless network to be the same LAN as the 4 ethernet ports, then the only way to connect these is with the CPU bridge.

.

That's right. but the question came to my mind... I've masquerade home's router Ether1.
Is there any need to masquerade WLAN?

if you want the wireless network to be the same LAN as the 4 ethernet ports, then the only way to connect these is with the CPU bridge.

.

That's right. but the question came to my mind... I've masquerade home's router Ether1.
Is there any need to masquerade WLAN?

I'm not entirely sure what you mean by that...
Do you mean you used wlan as a wan interface and did masquerade on traffic going out that interface?
Do you mean that you concealed the IP addresses of the wireless clients when they talk to the other LAN networks, masquerading them as the Mikrotik's lan interface?
Do you mean that you didn't bridge wlan and lan into a single network, but allowed both ranges to be masqueraded when going to the Internet?

generally you only NEED to masquerade when the true source's address is not reachable to the rest of the network, a way to fool "Security" by obscuring the true source address of a packet, or else a way to force return-path routing (as in a NAT hairpin, for instance).

Hi Zero,

I was hoping you would recognize this. I'd love to re-build these correctly, but I can't because there are a lot of NAT and Mangle rules I need to understand before I can start messing with his default configs.
You are correct in your assumption, Ether1-gateway (WAN) is running slave to the bridge (bridge pass-through).
And Ether5 is also running slave to the bridge pass-through.

However Ether2 is the Master Local. Which leaves Ether3 and Ether4 as it's slaves. I don't use those ports anyway.

So now I know from you great advice that 24.x.x.x listed as bridge-passthrough is really Ether1-gateway (WAN)
and 192.168.88.1 is Bridge Local is Ether2.


I think that means that any packet to/from the Ether1 WAN (gateway 24.x.x.x.) will be duplicated out Ether5 (just like a soho switch.

And Ether2 is subject to it's own routing rules.

I'm I getting this right?

Thanks, Brett

I think that means that any packet to/from the Ether1 WAN (gateway 24.x.x.x.) will be duplicated out Ether5 (just like a soho switch.

And Ether2 is subject to it's own routing rules.

I'm I getting this right?

Thanks, Brett

Yes. That's correct. They are connected exactly like with a soho switch.

Enhancing your knowledge of switching just a bit more: Switch / bridge ports don't 'duplicate' traffic. Switches only forward frames to whichever port has the destination MAC address connected to it. They forward a frame to all ports if the destination is a broadcast or if they don't know which port has the destination MAC address. If the destination is known, though, only the correct port gets the traffic.

A little more about your 'tik's configuration: ether3 and ether4 are "soho switch duplicates" of ether2. If you look at the ethernet interfaces' configuration screens, you'll see they have master port = ether2... This means that traffic for these 3 ports is a hardware switch, which can pass traffic at wire speed w/o burdening the CPU.

The bridge-local, bridge-bypass bridges are run by the CPU, and it takes CPU load to forward traffic between ports of a CPU bridge.

Even though they have different performance characteristics, and different available features for fancy things, they ultimately perform the same function.

if you want the wireless network to be the same LAN as the 4 ethernet ports, then the only way to connect these is with the CPU bridge.

.

That's right. but the question came to my mind... I've masquerade home's router Ether1.
Is there any need to masquerade WLAN?

I'm not entirely sure what you mean by that...
Do you mean you used wlan as a wan interface and did masquerade on traffic going out that interface?
Do you mean that you concealed the IP addresses of the wireless clients when they talk to the other LAN networks, masquerading them as the Mikrotik's lan interface?
Do you mean that you didn't bridge wlan and lan into a single network, but allowed both ranges to be masqueraded when going to the Internet?

generally you only NEED to masquerade when the true source's address is not reachable to the rest of the network, a way to fool "Security" by obscuring the true source address of a packet, or else a way to force return-path routing (as in a NAT hairpin, for instance).

The last part was good. I get my point....

@ZeroByte

Going to the beginning of this post.

If interfaces are members of the bridge local and then are moved out, does the router need a reboot?

show cdp n on the switch says:
rtr-lon-02 Gig 1/0/7 100 R MikroTik bridgeLocal

wher port 1/0/7 is the port connected to the MT that has been moved out of the bridge local, ehter3

[iiiiiiiiiiiiiiiiii@rtr-abd-02] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1 ether 1500 1580 10222 6C:3B:6B:60:28:5A
1 RS ether2 ether 1500 1580 10222 6C:3B:6B:60:28:5B
2 ether3 ether 1500 1580 10222 6C:3B:6B:60:28:5C

Looks like is still being seen as part of the bridge local by the Cisco switch.

BTW running
/system> export
# sep/15/2017 11:05:14 by RouterOS 6.39.1
# software id = TKF9-KLBU

on

/system routerboard> print
routerboard: yes
model: CCR1036-8G-2S+
serial-number: 7429060A35F4
firmware-type: tilegx
factory-firmware: 3.33
current-firmware: 3.33
upgrade-firmware: 3.33


Thanks

looking forward for 6.41 release so no more master, slave ports. just bridge!

If interfaces are members of the bridge local and then are moved out, does the router need a reboot?

Nope. These changes take effect immediately when configuration changes are issued in winbox/command-line/webfig

I've found CDP sometimes takes a while to update certain things - and perhaps there's a bug in the Neighbor protocol code where the Mikrotik failed to update the local interface name that it is sending in CDP messages.

Thanks, but it hasn't worked for me. I have moved some of the interfaces out of the local bridge but I am unable to use them as layer3.

The switch where the interfaces of the MT are connected to, still sees the bridge-local mac address on those ports and it shows as bridge local as cdp neighbour (see below, ether3 is physically connected to gi 1/0/7). I have assigned an ip address on the interface but I am unable to ping the other side. ether3 is the one I am working on, the S meaning slave is no longer showing but the R for running is not there. Any help would be greatly appreciated. Apart for moving them out of the bridge, is there something else I should do to make the interface Running?
Many Thanks

Hi Zero/all,

I am still unable to put an ip address on ether 3 and ping it. I have posted the status of the interface, is there anything else I should be doing? I basically want to use ether 3 (and others in the future) as layer 3, I am already doing this on ether1.

The routers is behaving like ether1 is the only "independent" interface and all other interfaces are in the bridge. I have removed them frorm the bridge but I am still not able to use them.

What am I doing wrong?


Many Thanks
Fulvio

reloaded the router but not joy. It seems to me that ether1 is the WAN internaface and all other interface are in the bridge and removing them from it does really allow me to use the interfaces as I need to. Any suggestions?

OK, remote hands have confirmed that the cable had been plugged in a different interface working as expected now