witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

New Mikrotik Config

Thu Sep 03, 2015 1:19 pm

Hey guys,

Mikrotik newbie here..

I've recently installed a second hand routerboard 951-2n with latest OS with the help of a friend who has been using Mikrotiks for years. I have a moderate understanding of networking but some of the switching/bridging options are confusing me a bit.

My set up is simple:

* Billion ADSL Router going out to the internet. DHCP/Wireless disabled (acting as a modem)
* DHCP Server and wireless AP configured on Mikrotik. Working fine
* ADSL Router plugged in Mikrotik Eth1 as gateway
* PC and a small switch taking up Eth ports 2 & 3
* Eth4 and Eth5 not currently in use but will be later on
* Bridge created ("bridge-local") contains all 5 Ethernet ports + wireless ("wlan1")

I was then told to create a switch ("switch1") which contains all 5 Eth ports. Mirror target is set to "switch1 cpu" and mirror source is set to "Eth5" (port is currently not in use)

I have no idea why this is necessary... lol.

I just want to use this mikrotik as a regular router - plug in machines/devices to available ethernet ports or connect via WLAN and have an IP assigned. I use queues to manage traffic and may configure a VPN and some routes later on, but nothing too fancy.

My question really is - do I need to be using a bridge and/or a switch in this scenario? Are there any advantages or even a need for either/both?

Thanks in advance...
WB
 
gerakon
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: New Mikrotik Config

Fri Sep 04, 2015 2:25 pm

Your wan port should typically not be bridged or switched with your lan ports. Bridging is CPU intensive. Port mirroring should be unnecessary unless you want to sniff/monitor traffic with something like Wireshark. Here is the Wiki page on Mirroring.
http://wiki.mikrotik.com/wiki/Manual:Sw ... _Mirroring

I would recommend making port 2 master and 3-5 slaves to port 2. You can bridge port 2 with WLAN1 and set your DHCP server to the bridge port.

Are you leaving the default firewall and NAT rules in place? If building your config from scratch make sure you put something in there. Let us know if you need help with that.
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Fri Sep 04, 2015 2:34 pm

Thanks a lot gerakon

Apologies in advance for all the following questions. lol

---

So I'll remove that switch altogether then?

If I make ports 3-5 slaves to port 2, can I still use port 2 as normal? I assume so if it's bridged with wlan and DHCP is being pushed out via this bridge.

Also, do I need to do anything to eth port 1 (WAN) ?

My only NAT rule currently is:

* chain: srcnat
* Out interface: bridge-local
* Action: masquerade

Does that sound right?

I have no Firewall filter rules enabled whatsoever.

Thanks again
 
gerakon
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: New Mikrotik Config

Fri Sep 04, 2015 3:13 pm

Yes remove that switch.

Yes port 2 is still used as normal. Anytime you make configuration changes to port 2 it will affect all ports slaved to it (as far as I know). If you disable port 2 it disables all of the slaves as well. (I found that out the hard way). I don't think NAT is usually used on a bridge. Delete your NAT rule. You can copy the code below and paste into the terminal and it will add it to your configuration.

/ip firewall filter
add chain=input comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=forward comment="default configuration" connection-state=related
add chain=input comment="default configuration" protocol=icmp
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=input comment="default configuration" in-interface=ether1

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1 to-addresses=0.0.0.0
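
An added example, not part of the post above and not MikroTik's own tooling: a small Python check that reads the `add` lines of a RouterOS export and flags the two conditions this thread discusses, namely no drop rule on the WAN side of the input chain and a masquerade rule bound to the LAN bridge instead of the WAN port. The `BEFORE` and `AFTER` samples are constructed from the rules quoted in the thread, the WAN interface name `ether1` is an assumption taken from them, and rule ordering is not checked.

```python
import shlex

def parse_export(text):
    """Group the 'add' lines of a RouterOS export by menu path, as key=value dicts."""
    rules, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line                      # e.g. "/ip firewall filter"
        elif line.startswith("add ") and menu:
            toks = shlex.split(line)[1:]     # shlex keeps comment="a b" together
            fields = dict(t.split("=", 1) for t in toks if "=" in t)
            fields.setdefault("action", "accept")  # action defaults to accept
            rules.setdefault(menu, []).append(fields)
    return rules

def audit(text, wan="ether1"):
    """Return findings for the two problems discussed in this thread."""
    rules = parse_export(text)
    filt = rules.get("/ip firewall filter", [])
    nat = rules.get("/ip firewall nat", [])
    findings = []
    if not any(r.get("chain") == "input" and r["action"] == "drop"
               and r.get("in-interface") == wan for r in filt):
        findings.append("no input drop rule on " + wan)
    for r in nat:
        out = r.get("out-interface")
        if r["action"] == "masquerade" and out not in (None, wan):
            findings.append("masquerade on non-WAN interface " + out)
    return findings

# Constructed sample: the state described earlier in the thread.
BEFORE = """/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-local
"""

# Constructed sample: a subset of the rules posted above.
AFTER = """/ip firewall filter
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="default configuration" protocol=icmp
add action=drop chain=input comment="default configuration" in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1
"""

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```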
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Fri Sep 04, 2015 3:45 pm

I did as you said but couldn't figure out how to remove the switch / de-assign switch from ports 2-5

Once I'd done everything else, I lost internet access. Still can't figure out how to get rid of the switch. Have restored old config in the meantime

Any ideas?

Also, should I have any routes configured by default?

Thanks again man
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Fri Sep 04, 2015 5:47 pm

Just to add to that -

When editing an interface, I am unable to edit the "switch" field. It's greyed out and is set to "switch1"
 
rg2
just joined
Posts: 21
Joined: Mon Jun 24, 2013 6:03 pm

Re: New Mikrotik Config

Fri Sep 04, 2015 5:54 pm

> Just to add to that -
>
> When editing an interface, I am unable to edit the "switch" field. It's greyed out and is set to "switch1"

You don't edit the "switch" itself, you select a "Master Port". If it is part of a switch, select the master port. If you want to remove from the switch, select none.
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Fri Sep 04, 2015 6:31 pm

rg2 -

my interfaces/ports have both the switch and master port fields under the GENERAL tab. If I choose a master port, it does nothing to change the value of the "switch" field
 
rg2
just joined
Posts: 21
Joined: Mon Jun 24, 2013 6:03 pm

Re: New Mikrotik Config

Fri Sep 04, 2015 7:16 pm

> rg2 -
>
> my interfaces/ports have both the switch and master port fields under the GENERAL tab. If I choose a master port, it does nothing to change the value of the "switch" field

The switch field never changes. It shows you on what physical switch chip that ethernet port is connected to. Some routerboards have switch1 and switch2.

To activate/deactivate the switch functionality you must set the "Master Port". Choose none to remove from switch functionality.
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Fri Sep 04, 2015 7:38 pm

ok thanks a lot man...

Will give it another crack
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Fri Sep 04, 2015 7:45 pm

Just need to know what my route list should look like with gerakon's proposed config...

currently I have 2 rules:

Rule1.
AS
Dest address=0.0.0.0/0
Gateway=192.168.0.2 - reachable bridge-local
Type=unicast

Rule2.
DAC
Dst. Address=192.168.0.0./16
Gateway=bridge-local - reachable
Type=unicast

192.168.0.2 is my ADSL router on port Eth1 (WAN)

Rule 2 looks to be default/unchangeable
 
gerakon
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: New Mikrotik Config

Fri Sep 04, 2015 8:52 pm

I think we're maybe missing a few details. This 192.168.0.0./16 makes it look like your WAN and LAN subnets overlap which is going to cause problems for the router. Usually a /24 (255.255.255.0) on the LAN side is normal. If 192.168.0.2 is your DSL modem (or router at the ISP) you are doing double NAT which isn't a big deal unless you are trying to forward ports for access from the outside.

I think you will need to change your internal network IP range so it doesn't conflict with the external. 10.0.0.0/24 is probably safe.

At this point it may be easier if you could post your config and remove any sensitive information. You can do this from the terminal using the export command. Paste the sanitized result using the Code button at the top of the forum.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: New Mikrotik Config

Fri Sep 04, 2015 9:01 pm

The out-of-box config would've been adequate if all you want is a basic router.

With a factory reset your switch will be a basic router. Port 1 for WAN, Ports 2-5 for LAN. It should just work, nothing to configure.

If your modem's IP is 192.168.0.2 then that means it's not acting as just a modem, it's a router as well. But not a big deal. Your Modem/Router needs to have a different subnet than the Mikrotik router. With default config, this is the case - the default subnet for the LAN (ports 2-5) is 192.168.88.0/24

To reset config to factory default, go to System > Reset Configuration. Or use the physical button on the device.

Also, only the wireless and port 2 should be bridged. You'll see this with default config. This is because ports 3-5 are slaves and therefore already switched with port 2. This means Ports 2-5 can be used for your local network.
 
gerakon
Member Candidate
Posts: 105
Joined: Sat May 24, 2014 8:14 am

Re: New Mikrotik Config

Fri Sep 04, 2015 9:05 pm

> The out-of-box config would've been adequate

Hmm, yep I guess I made that more difficult than it needed to be..... Thanks Van9018
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Fri Sep 04, 2015 11:42 pm

Thanks guys. I think I am the one that made it more difficult than it needed to be. But I appreciate your help and I'm at least learning a bit about RouterOS which is a good thing. You have therefore not wasted your time on me.

I promise to leave you all alone after this... last question...

My internal LAN subnet is GOING to be 10.0.0.x (just at 192.168 for now) for various reasons.

My "modem" (which is indeed a router - I've just disabled DHCP and WLAN so it's not doing much else right now) is going to sit on 10.0.0.2, while the mikrotik will be 10.0.0.253

Only thing I don't get here is why they need to be on different subnets. My DHCP Pool would only be from say... .100-.200 so that isn't a reason

So question is - why is it an issue if my ADSL router (sitting on Eth1) has an IP of 10.0.0.2 and therefore same subnet as the rest of my network?

The world needs more people like you guys for real.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: New Mikrotik Config

Sat Sep 05, 2015 1:07 am

It's because of how routing works. Look in IP > Routes, you'll see three routes that tell the Mikrotik where to forward packets.

A packet is matched to a route via the dst-address field, and chooses the most restrictive match.

If your modem/router IP is 10.0.0.1/24 then you'll see these 3 routes:

dst-address: 0.0.0.0/0 Gateway: 10.0.0.1 reachable ether1-gateway
dst-address: 10.0.0.0/24 Gateway: ether1-gateway
dst-address: 192.168.88.0/0 Gateway: bridge-local

Now for example if 192.168.88.100 tries to send a packet to 192.168.88.101, the Mikrotik determines the packet should go out on bridge-local (bridge-local is ports 2-5 and wifi)

If 192.168.88.100 tries to send a packet to 8.8.8.8, the Mikrotik determines the packet should be forwarded to 10.0.0.1. Then it checks the route list again on where is 10.0.0.1 and determines it's down ether1-gateway.

If your modem and mikrotik are both on the 10.0.0.0/24 subnet, then your route list will look like this:
dst-address: 0.0.0.0/0 Gateway: 10.0.0.1 reachable ether1-gateway
dst-address: 10.0.0.0/24 Gateway: ether1-gateway
dst-address: 10.0.0.0/24 Gateway: bridge-local

Now for example if 10.0.0.100 tries to send to 10.0.0.101, the packet matches both route rules equally. It is undefined on which the Mikrotik will pick so you can expect your network to not work correctly.

You can definitely expect the internet to not work, because the modem is expecting 10.0.0.0/24 packets to be on its network and not forward them through your Mikrotik's IP....

You can leave your modem as 192.168.0.1, set your Mikrotik ether1-gateway IP to 192.168.0.2 and then set 192.168.0.2 in the DMZ of the modem. Then don't plug anything else into the modem, all devices should be connected through the Mikrotik. Setting your Mikrotik in the modem's DMZ means you don't have to do port forwarding twice if you wish to have inbound connections.
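
The route lookup described in the post above, as an added Python example that is not part of the original post and not RouterOS code: it picks the most specific matching route, resolves an IP gateway by looking it up again, and reports every interface that ties for the best match. The two route tables are constructed from the ones in the post; the default LAN prefix 192.168.88.0/24 is an assumption taken from the default subnet named earlier in the thread, and treating a tie as "ambiguous" follows the post's description.

```python
import ipaddress

def match(routes, dst):
    """Gateways of the most specific route(s) containing dst (longest prefix wins)."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(net).prefixlen, gw) for net, gw in routes
            if addr in ipaddress.ip_network(net)]
    best = max((plen for plen, _ in hits), default=None)
    return [gw for plen, gw in hits if plen == best]

def egress(routes, dst, seen=()):
    """Resolve dst to its outgoing interface(s); an IP gateway is looked up again."""
    if dst in seen:                      # guard against a gateway that routes to itself
        return []
    out = []
    for gw in match(routes, dst):
        try:
            ipaddress.ip_address(gw)
        except ValueError:
            out.append(gw)               # interface name: a connected route
        else:
            out.extend(egress(routes, gw, seen + (dst,)))
    return sorted(set(out))

# Constructed from the post: modem and LAN on different subnets.
SEPARATE = [
    ("0.0.0.0/0", "10.0.0.1"),
    ("10.0.0.0/24", "ether1-gateway"),
    ("192.168.88.0/24", "bridge-local"),
]

# Constructed from the post: modem and LAN both on 10.0.0.0/24.
SHARED = [
    ("0.0.0.0/0", "10.0.0.1"),
    ("10.0.0.0/24", "ether1-gateway"),
    ("10.0.0.0/24", "bridge-local"),
]

if __name__ == "__main__":
    for name, table in (("separate", SEPARATE), ("shared", SHARED)):
        for dst in ("192.168.88.101", "10.0.0.101", "8.8.8.8"):
            ifaces = egress(table, dst)
            note = "AMBIGUOUS" if len(ifaces) > 1 else ""
            print(f"{name:9} {dst:15} -> {ifaces} {note}")
```

With the shared table, even the lookup for the gateway 10.0.0.1 ties between both interfaces, so traffic to 8.8.8.8 is affected as well as LAN-to-LAN traffic.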
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Sat Sep 05, 2015 8:43 pm

Thanks Van

At the moment I've got my adsl router on eth1 and it has an IP on the same subnet as everything else (there's only one subnet on this network atm) and everything works 100%

I'm guessing this is because my routes aren't set to "best practise" at the moment - I only have 2 routes configured as per my previous post.

I'm just going to factory reset and do it myself from scratch.. I'm assuming the 3 routes you mentioned are there by default after a reset

Gonna give the ADSL router a strange IP as I need 192.168 for my work VPN and 10.0.0 for my LAN.

Just hope this setup allows me to manage the ADSL router's web interface even though my PC and the router are on different subnets. I'm guessing the route rules will take care of this though.

Again worth mentioning - it's an ADSL router not a modem. Just has DHCP and WLAN disabled as Mikrotik is taking care of this now

If I'm wrong please correct me. Otherwise ignore. You've all been super helpful

Cheers
WB
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Mon Sep 07, 2015 4:40 pm

OK guys need your help again :(

So I took your advice and did the following:

* Reset Mikrotik to default config
* Set my ADSL router's IP to 192.168.2.1 | DHCP and WLAN are off
* Set the Mikrotik's IP > addresses to:
  - Address: 10.0.0.253/24
  - Network: 10.0.0.0
  - Interface: bridge-local
* Set up DHCP correctly on bridge-local. Set up a DHCP pool from 10.0.0.100-10.0.0.200
* bridge-local is default (port 2 and wlan bridged, port 3-5 slaves of port 2)

Did not touch anything else...

Under routes, there was only one default route:

* Dst. Address = 10.0.0.0/24 Gateway = bridge.local (reachable)

What do I need to configure under routes for all other traffic to hit my ADSL router? (192.168.2.1)
I tried all sorts of combos but clearly I'm not quite grasping this.

Also, should the IP > DNS setting be set to my ADSL router's IP under "Servers" (i.e. 192.168.2.1)

Thanks once again in advance...
WB
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: New Mikrotik Config

Mon Sep 07, 2015 5:00 pm

Put on ether1-wan the ip 192.168.2.2/24

In ip routes add

/ip route
add distance=1 gateway=192.168.2.1

In ip firewall nat add

/ip firewall nat
add action=masquerade chain=srcnat src-address=10.0.0.0/24
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Mon Sep 07, 2015 5:17 pm

Thanks JB172

when you say:

"Put on ether1-wan the ip 192.168.2.2/24"

do you mean go to the address list and assign this CIDR to ether1-wan ?

if so, what should the "network" field be - 192.168.2.0 ?

I was under the impression I had to add some routes for 0.0.0.0/0 as the "dst address" (as I only have the 1 route present)
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: New Mikrotik Config

Mon Sep 07, 2015 7:16 pm

> Thanks JB172
>
> when you say:
>
> "Put on ether1-wan the ip 192.168.2.2/24"
>
> do you mean go to the address list and assign this CIDR to ether1-wan ?
>
> if so, what should the "network" field be - 192.168.2.0 ?
>
> I was under the impression I had to add some routes for 0.0.0.0/0 as the "dst address" (as I only have the 1 route present)

Yes, you can leave the "network" empty and the RouterOS will fill it with 192.168.2.0 :)
Last edited by JB172 on Mon Sep 07, 2015 9:59 pm, edited 1 time in total.
 
witblitz
newbie
Topic Author
Posts: 38
Joined: Thu Sep 03, 2015 12:47 pm

Re: New Mikrotik Config

Mon Sep 07, 2015 8:33 pm

Thanks guys. All working perfectly.

You're awesome :D
 
JB172
Member
Posts: 304
Joined: Fri Jul 24, 2015 3:12 pm
Location: AWMN

Re: New Mikrotik Config

Mon Sep 07, 2015 9:58 pm

You are welcome !