Hello

I'm trying to setup my LHG LTE in bridge mode (Ubiquiti Edgerouter acting as router), but I can't get it to work, and I don't know what I'm doing wrong.
I'm following the instructions written on this page:
https://wiki.mikrotik.com/wiki/Manual:I ... assthrough

[admin@MikroTik] > /interface lte apn add apn=apn1 passthrough-interface=ether1
[admin@MikroTik] > /interface lte set lte1 apn-profiles=apn1

I have also done it over the GUI interface. But nothing happen, I lose connection to the LHG web interface (it's normal) but my real router (Ubiquiti) doesn't get any internet IP.

Can someone help me please?

Thank you

Up please :-/

I also set up the passthrough-mac address parameter, but it hasn't changed anything :-/

There are two types of mobile modems. One of them imitates a network card (Mikrotik manual calls that "direct IP mode"), and that one can be used in bridge mode. The other one imitates a serial modem, and for that one, bridge mode was not possible at least recently. You can find out which modem type you have by setting it up in the usual mode (not in bridge) - if an /ip dhcp-client is automatically created, it's the one imitating the network card. But as the manual states, the DirectIP mode may just be disabled by command, so check that setting first.

Thank you for your answer.

It's a standard Mikrotik R11e-LTE modem card.
The default value for the parameter ignore-directip-modem is NO.

Is that ok?
Should I change it to yes?

(Is PPP = DirectIP mode? It's not clear in the manual)

It's a standard Mikrotik R11e-LTE modem card.

That's probably important but I've never tested one, so I can't say anything based on that fact alone.

The default value for the parameter ignore-directip-modem is NO.
...
Should I change it to yes?

It must be no in order that the Direct IP mode could work if supported by the modem. So it's not important what's the default, it's important what /port firmware print says. If it says ignore-directip-modem: yes, set it to no.

(Is PPP = DirectIP mode? It's not clear in the manual)

No. PPP is used along with the serial line emulator mode, DirectIP is used along with the network card emulator mode.

Thanks

Yes, it's set to no, but it doesn't work

Other people don't seem to have trouble to make Mikrotik's lte modems to work in bridge mode.

So wait - if you don't set the bridge mode, can you see the dynamically created dhcp-client or not? If not, what is the firmware version in the modem?

It could be related to a firmware bug according to this tread:
viewtopic.php?t=148697

I'm using version MikroTik _CP_2.160.000_v008

Apparently this bug has been fixed on version v012.

Where can I download it????

Where can I download it????

You can download it over the air only. The description is e.g. here.

v013

But sill not working :-/

With the command /ip dhcp-client print, I'm getting an empty table:

# INTERFACE USE ADD-DEFAULT-ROUTE STATUS ADDRESS

No more ideas on my side.

Well, there is a crazy one. Set that item to yes, reboot, then set it back to no and reboot again.

You have ONE ethernet and you not must create a Bridge.
Just create two VLAN's at Ether1.
*) vlan id 2 as management
*) vlan id 3 as lte passthrough
Enable RoMon.
Set InterfaceList the LAN additional vlan id 2 "mgmt"

At your RB2=RouterBoard_SecondOne create both vlan at ethernet port who is going to LHGR.
*) at vlan id 2 add it to bridge-local
*) at vlan id 3 create a dhcp-client to receive LTE IP from LHGR.

Create dhcp-client at vlan id 2 as mgmt interface - now you have IP from your LAN and can manage device by IP. By RoMon etc.
Set APN passthrough to vlan id 3 and your RB2 receive LTE IP from LHGR via dhcp client.

I have new SXTR&R11e-LTE6 and do this:

Well, I found the error and totally my fault...
I forget to set up the DHCP on the WAN port of the Edegrouter...

Now it wrong.

Thanks for your help

You have ONE ethernet and you not must create a Bridge.
Just create two VLAN's at Ether1.
*) vlan id 2 as management
*) vlan id 3 as lte passthrough
Enable RoMon.
Set InterfaceList the LAN additional vlan id 2 "mgmt"

At your RB2=RouterBoard_SecondOne create both vlan at ethernet port who is going to LHGR.
*) at vlan id 2 add it to bridge-local
*) at vlan id 3 create a dhcp-client to receive LTE IP from LHGR.

Create dhcp-client at vlan id 2 as mgmt interface - now you have IP from your LAN and can manage device by IP. By RoMon etc.
Set APN passthrough to vlan id 3 and your RB2 receive LTE IP from LHGR via dhcp client.

I have new SXTR&R11e-LTE6 and do this:
winbox_v3.20_64_ciKCg4MDGS.png

Interesting, I will test it later. Having access to the LHG LTE's management interface in bridge mode would be interesting indeed.
But I need to check how to create VLAN on a WAN port on Edgerouter.
I will probably come back later.

Thank you to both of you.

Hello

Well, I'm back. I can't get the management vlan to work.

On RouterOS:
1. LTE as IP passthrough to eth1 with MAC filter
2. Added a Vlan 2 on eth1 for the management.
3. Assigned the IP 192.168.88.100 to the vlan 2 interface

On Ubiquiti Edgerouter:
1. WAN on eth4 + firewall rules
2. Added a Vlan on port eth4 with vlan id 2.
3. Assigned Wan firewall rules to this vlan
4. Assigned the IP address 192.168.88.2/24 to the vlan interface
5. Changed the MAC address of the vlan interface to avoid that the RouterOS LTE interface in passthrough mode, hijack the packets.

But it doesn't work.
The internet connectivity is ok, but the management vlan not.

Any idea?

Thank you

Problem is at MikroTik site, when you mix ether1 and vlan2@ether1 then traffic at ether1 is not work properly, special when the ether1 is a port in bridge-lan. I don't know your setup.
Setup VLANs are always in few method differ to hardware what you have got. This easy topic can be done by few ways.

MikroTik give us info that SXTR & LHGR are on chip QCA9531 but we haven't a "Block Diagram" and not know how it's internal connections look.
At my SXTR in WinBox > Switch I can see the switch1 on chipset Atheros 8227. I have got 2xFE means that I can reach ~195Mbps on two ports but this Atheros 8227 can be connected with QCA9531 by 100Mb bus and this will be my limit of receiving internet - this will be testing by me in future.
Q: What you can see Ethernet Switch at your LHGR?

The best way is to use two vlans at ether1 and not use ether1/bridge-lan itself. Just simple vlans at ether1 directly.
VLAN2 as mgmt with static IP or dhcp-client
VLAN3 as passthrough who is a specific dhcp-server.

Current situation: ether1 as untagged + vlan2 tagged on it have name "Hybrid Port" but this scenario is supported on some 1GbE chips, info: https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29

One more option is not use passthrough feature and use LHGR as classic CPE means Router LTE who give you internet just by NAT.

At new v6.46:
*) lte - fixed band setting on R11e-4G;
*) lte - fixed network registration on R11e-LTE-US;
*) lte - fix "operator" names not being displayed properly;
*) lte - improved modem initialization;
*) lte - show "primary-band" only for LTE modems;

Please upgrade and remember to do boot firmware upgrade too.

@Sib : thank you so much for your valuable posts about the LHGR configuration.
It took me only a couple of hours to get the configuration done : LHG LTE6 + RB962
Which one of Passthrough and CPE configs is your favorite?
In few words what would be the pro and cons?
Thanks again!

hb9tub

Which one of Passthrough and CPE configs is your favorite?
In few words what would be the pro and cons?

When I use sim-a with apn=internet.cp (who give me a PublicIPv4) then I use Passthrough mode. Next router has other WAN policy then is better to not duplicate all WAN stuff.
When I use sim-b with apm=internet (Private IPv4) then I use normal NAT.
This way is a "general way by SiB" :)

Passthrough Pro:

• you not duplicate the WAN stuff - just migrate/delegate Public IP to main router who do it a NAT's because he is a main router with other WAN's :)

Passthrough Cons = requirements:

• you disable management if you not use a RoMON or separate vlan to still have a connection via IPv4 WinBox
• when in interface is more then one device you must provide a mac-address of target machine who receive via dhcp the PublicIPv4
• you not have internet and must do a dhcp-client from main router to do a ros/boot/modem firmware upgrade - again, separate vlan with mgmt and passthrough are good way.
• NO Recursive Routing because gateway=lte1 (interface, not IPv4/6)

And one additional stuff. Without passthrough you use NAT and next main router can use Recursive Routing via your LTE device. Double NAT give you a RR and this is biggest "Pro" of 2xNAT.

P.S.) Remember to check what size of package are incomming from your ISP at lte1 interface because your ISP can clear DF, send you MTU smaller then you have setting at lte1 itself. MTUPath are one directional. Be aware of it.
P.S.2) Do a script who give notice you when the modem firmware v22 will be publish because he give many greate fix and anyone with LTE6 need it :).

@SiB

i have this config on all my LHG / SXT

a comment ?

interface list WAN=internet


/interface lte
set [ find ] band=3,7 mac-address=AC:50:43:1A:EE:FD mtu=1480 name=lte1 network-mode=lte
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mac-address=74:4D:28:4D:0A:71
/interface vlan
add interface=ether1 name=internet vlan-id=1
add interface=ether1 name=management vlan-id=2
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] apn=free passthrough-interface=internet passthrough-mac=auto
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=management
/interface list member
add interface=internet list=WAN
/ip address
add address=192.168.88.2/24 interface=management network=192.168.88.0
/ip dhcp-client
add disabled=no interface=bridge1 use-peer-dns=no use-peer-ntp=no

Thanks !

dad2312

i have this config on all my LHG / SXT
a comment ?

This is not proper post for this question and you should try open new one.
.

/interface bridge
add name=bridge1

I always use a mac-address generator in every new EoIP interface to setup admin-mac in every bridge who have arp enable.
.

/interface vlan
add interface=ether1 name=internet vlan-id=1
add interface=ether1 name=management vlan-id=2

.
I never mix a vlan1 with vlan2-4093. I will use vlan id 2 and 3 but the ether1 for itself use default vlan id 1 and this give me opportunity to use RoMon at physical ether1.
You have bridge1 who have only 1x ethernet = you not must use bridge but just simple ether1.
If you use vlan's and bridge then do vlan's at bridge but not at his children.
.

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=management

You just join vlan's what should separate traffic like non-logic 1+1-1=1.
WinBox should show you red comment at this setup.
.

/interface list member
add interface=internet list=WAN

When you use the passtrough mode then WAN=internet is not working. You not receive internet any more from that vlan.
.

/ip dhcp-client
add disabled=no interface=bridge1 use-peer-dns=no use-peer-ntp=no

I think you should receive adressing from vlan:management but not from bridge1 or ether1.

Your post is similar to viewtopic.php?f=2&t=154854

dad2312

i have this config on all my LHG / SXT
a comment ?

This is not proper post for this question and you should try open new one.
.

/interface bridge
add name=bridge1

I always use a mac-address generator in every new EoIP interface to setup admin-mac in every bridge who have arp enable.
.

/interface vlan
add interface=ether1 name=internet vlan-id=1
add interface=ether1 name=management vlan-id=2

.
I never mix a vlan1 with vlan2-4093. I will use vlan id 2 and 3 but the ether1 for itself use default vlan id 1 and this give me opportunity to use RoMon at physical ether1.
You have bridge1 who have only 1x ethernet = you not must use bridge but just simple ether1.
If you use vlan's and bridge then do vlan's at bridge but not at his children.
.

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=management

You just join vlan's what should separate traffic like non-logic 1+1-1=1.
WinBox should show you red comment at this setup.
.

/interface list member
add interface=internet list=WAN

When you use the passtrough mode then WAN=internet is not working. You not receive internet any more from that vlan.
.

/ip dhcp-client
add disabled=no interface=bridge1 use-peer-dns=no use-peer-ntp=no

I think you should receive adressing from vlan:management but not from bridge1 or ether1.

Your post is similar to viewtopic.php?f=2&t=154854

You are absolutely right, I make it complex when it can be much simpler.

I modified to make something very simple

/interface lte
set [ find ] mac-address=AC:50:43:1A:EE:FD name=lte1 network-mode=lte
/interface vlan
add interface=ether1 name=internet vlan-id=3
add interface=ether1 name=management vlan-id=2
/interface lte apn
set [ find default=yes ] apn=free passthrough-interface=internet passthrough-mac=auto
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.88.2/24 interface=management network=192.168.88.0
/ip dhcp-client
add disabled=no interface=management
/system clock
set time-zone-name=Europe/Paris
[admin@MikroTik] >

It works like older config but much simple !

Thank SiB

You are absolutely right, I make it complex when it can be much simpler.

I modified to make something very simple

/interface lte
set [ find ] mac-address=AC:50:43:1A:EE:FD name=lte1 network-mode=lte
/interface vlan
add interface=ether1 name=internet vlan-id=3
add interface=ether1 name=management vlan-id=2
/interface lte apn
set [ find default=yes ] apn=free passthrough-interface=internet passthrough-mac=auto
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.88.2/24 interface=management network=192.168.88.0
/ip dhcp-client
add disabled=no interface=management
/system clock
set time-zone-name=Europe/Paris
[admin@MikroTik] >

It works like older config but much simple !

Thank SiB

Hello there... Could you help me please? Is this the final code? I was trying it and it's works for the Internet conection (I have internet on RB clients) but I can't manage the LHG LTE as RB client, I must connect to the LHG to manage it again.

Could you show the step by step configuration in each RB and LHG LTE please ?

Thanks in advanced, regards from Chile

labc33

Could you show the step by step configuration in each RB and LHG LTE please ?

But this was posted few times .
It's just one feature and I'm sure you have problems with other stuff and you think that one feature not wrong you correctly.

I think really that I must do one post as living document as F.A.Q. for LTE sutff.. and few person do request to me about some video with how-to....
but realy. That is describe be my in this currect post and others at
viewtopic.php?f=2&t=154231
and
viewtopic.php?f=2&t=155313

You try fix your problems, create a new topic at forum and give details on it.

labc33

Could you show the step by step configuration in each RB and LHG LTE please ?

But this was posted few times .
It's just one feature and I'm sure you have problems with other stuff and you think that one feature not wrong you correctly.

I think really that I must do one post as living document as F.A.Q. for LTE sutff.. and few person do request to me about some video with how-to....
but realy. That is describe be my in this currect post and others at
viewtopic.php?f=2&t=154231
and
viewtopic.php?f=2&t=155313

You try fix your problems, create a new topic at forum and give details on it.

Thank you so much! I will try theese options... Regards from Chile!

You are absolutely right, I make it complex when it can be much simpler.

I modified to make something very simple

/interface lte
set [ find ] mac-address=AC:50:43:1A:EE:FD name=lte1 network-mode=lte
/interface vlan
add interface=ether1 name=internet vlan-id=3
add interface=ether1 name=management vlan-id=2
/interface lte apn
set [ find default=yes ] apn=free passthrough-interface=internet passthrough-mac=auto
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.88.2/24 interface=management network=192.168.88.0
/ip dhcp-client
add disabled=no interface=management
/system clock
set time-zone-name=Europe/Paris
[admin@MikroTik] >

It works like older config but much simple !

Thank SiB

@dad2312 did the above config work for you to use the LHG LTE in passthrough mode?
I currently have LHG LTE6 kit (RBLHGR&R11e-LTE6) upgraded to v6.47 from 6.4.x LTS providing my pfSense firewall internet (it also has my DSL conenction via pppoe).
I was hoping to passthrough the connection directly to the firewall, just like my dsl connection.

I made my config look 99% like yours and Tried the above but pfSense could never bring up the ppp connection.

I see various people asking about the newly supported passthrough mode on these devices, but not really a good post / known working config.

Thanks in advance
Rob

robs :

I made my config look 99% like yours and Tried the above but pfSense could never bring up the ppp connection.

You should say: pfSence could not get IP from dhcp-client from LHGR LTE passtrhrough feature.
Maybe you not read a wiki documentation ? Maybe you not set dhcp-client ? Maybe you have few devices in passtrhroung subnet and you must provide mac to choose who must grab IP from lhgr? Maybe you should setup vlan's at that link to stay connected with lhgr ?

Hi,
Thanks for your reply.
I tried without the passthrough mac, but looking at the running config it filled in my pfsense's mac on that vlan's.
I had a vlan for mgmt on the LHG and kept connectivity to that.
Then vlan for the passthrough

you mention about dhcp, i thought that wouldn't be needed. as mgmt is static and i assume the lte1 interface wouldn't have an IP and my pfsense ppoe nic would have the cellular dynamic address.
Every time i read the wiki, how i read it. its not the best english (almost like i wrote it and i'm english!).
It mentions dhcp 4 times. once in the passthrough comment and 3 times about a normal lte setup.

"where the Passthrough is providing the IP a DHCP-Client should be enabled on that interface to."

then on the examples it doesnt mention dhcp again.

Before the pass through section, i assume when its talking about general non passthrough setup it says.
From RouterOS=>6.41 DHCP client is added automatically. If it's not added - add a DHCP Client to LTE Interface manually:
/ip dhcp-client
add default-route-distance=1 disabled=no interface=lte1


so in the posted example above has
/ip address
add address=192.168.88.2/24 interface=management network=192.168.88.0
/ip dhcp-client
add disabled=no interface=management


can you explain what the ip dhcp-client there does, as the management interface has a static.

lte1 normal receive IP from ISP and ROS use it directly. We say about lte modules like r11e-lte|4g|lte6 etc...

When you setup in APN settings the lte passtrough mode on some interface then ROS do a hidden dhcp-server who will offer that ISP_AddressIP to first host who grab dhcp offer. If you have few devices then you must provide mac-address in configuration. This is similar to dhcp leases.

At target router who want's IP from ISP at LHGR then you must run regular dhcp-client go get IP at that device.

&&&&&&&&&&&&&&&&

If you use two interfaces or two vlans to separate passtrugh from mgmt traffic then you must know that your LHGR not have internet. You must receive it from that router to what you just give ISP IP... . That's why we can say that:
*) passtrugh feature is like dhcp-server. Notice that every https://mikrotik.com/download/changelogs have info "Make sure LTE APN Profile name does not match any of the DHCP server's names if LTE passthrough is used"
*) dhcp-client should be at vlan mgmt to bring internet for own mtk purpose like update ros.

-----------
About lte1 and dhcp-client it's created if lte1 is a common USB Stick modem, that devices are detected as lte1 interface and ROS create automatically dhcp-client at that interface.

Hi,
first I wish everyone best in 2021 :)

I lost nights trying to configure LTE passtrough on RBLHGR R11e-LTE ... i tryed everything VLAN-s, upgrades and downgrades of firmware, modem but nothing seems to work.
Internet works, management works (over IP and MAC) but Unifi on the other end gets private IP address from Mikrotik.
True when lte1 gets in running state dhcp-server is raised and new network is created in 10.x.x.x.
As I am in desperate state planning to leave Mikrotik, and get simple LTE antenna for ny old DWR-921 who has simple bridge mode

you are my last chance to raise bridge mode if possible on this device

Thank you

Jelko

LTE passtrough on RBLHGR R11e-LTE
but Unifi on the other end gets private IP address from Mikrotik.

This means you have still dhcp-server who should be DISABLED. The "passtrough" is like "own internal dhcp-server for itself" and you should not use any other dhcp-server at the same interface.

True when lte1 gets in running state dhcp-server is raised and new network is created in 10.x.x.x.

Congrats, you have your ISP Connection.
Your 10.x.x.x from ISP is a private IP, even you "move/migrate" it to your next device you still be not accessible from internet bcs your ISP not give you Public IP.

you are my last chance to raise bridge mode if possible on this device

In my opinion it's just disable the IP Address and dhcp-server at ether1/bridge interface and setup APN LTE passtrough to ether1 and it's all.

Soooooo I cant seem to figure this out in a concise way. Every post I see seems to have people giving information for different scenarios that are not the same. The instructions are like use the gui then use cli but do it like this and in no particular order...

Is there anyway I can find a guide/walkthrough that doesnt have a million posts adding to the solution that clearly explains how to do LTE passthrough (Making the Mikrotik act as a modem) AND have a management VLAN? Also in these guides things like apn1 is mentioned but is it really apn1 or do I enter my apn? Like these things need explaining.

Thank you.

I'm having the same issue as the person above. My Vlan 3 interface is getting an IP address 10.x and it's also attaching one to my dhcp client on the other router I have. I have passthrough going lte1 --> Vlan3. A dhcp server is automatically brought up when doing so. No traffic flows to lte1 though when this happens.

Anyone have any idea why the passthrough breaks the connection? I want to keep the mgmt vlan.

Anyone have any idea why the passthrough breaks the connection?

Example, then you add more profiles of APN you change internal IP for passthrough.
When you have more then one device as client of passthorugh, then better is to provide mac-address.
When your ISP change a PublicIP every time - some times this is real hidden problem who can be solved by logs and script...

Ok, I have read several time this post, and and can't find the way for solve the problem. I have a PfSense router connect directly to the lhgg on WAN port. The WAN interface is on DHCP and the lhgg is on address 192.168.88.1 as default. I tried the passtrought mode in lhgg, but I'am not able to have a public address on my router wan interface, and also the lhgg become unavailable and every time I have to go on my roof to reset the factory setting. With WinBox I'am not able to connect to the lhgg with the ether1 MAC address I don't know why. I tried to make a management VLAN_100 but no way to make it work... Maybe I need a managed switch between lhgg and PfSense??? There is some simple guide step by step to solve my situation or someone who can help me please?
If the bridge mode is so difficult, would be enough to create a firewall role to redirect all traffic on lte interface to the PfSense router. I'am from Italy if there is someone from Italy who can help me, we arrange a TeamViewer session with me and he can explain me the process, also in English but I'am not very good in English but doesn't matter for me.

The mysterious "passthrough" mode is actually very simple - in fact, it is very close to what you might call "bridge mode". You choose an L2 interface, and RouterOS creates a DHCP server on it, which responds to a request from a single client - either to the very first one to send a DHCPDISCOVER, or to the one whose IP address is specified as the passthrough-mac parameter of the /interface lte apn row.

Internally, RouterOS obtains the IP address provided by the mobile network from the LTE modem, builds the smallest possible subnet (a /30 or, if not possible, a /29) around that address, and assigns another address from that subnet to itself on the L2 interface. But on the Mikrotik itself, this other address cannot be used for any other purpose than being a gateway for the DHCP client, as from the point of view of the mobile network, it is assigned to some other LTE modem.

The above is true if passthrough-subnet-selection is set to auto; if you set it to p2p, the DHCP server delegates the address provided by the mobile network to the client as a /32 one and provides a randomly chosen 10.x.x.x address as a gateway. This way, the adjacent public addresses remain accessible, but some DHCP clients may not accept such an assignment.

I don't know the default configuration of LHGG plus you may have changed it, so post an anonymized export of the LHGG (see my automatic signature below) to get a step-by-step guide which doesn't require climbing to the roof.

Without knowing the minute details, the guide looks like this:

1. on the LHGG, attach an /interface vlan with some vlan-id you like, e.g. 777, either directly to ether1 or, if ether1 is a member of some bridge, to that bridge. Let's name it ether1.777 or bridge.777 to make it self-explanatory, but it's just a name, you can as well call it myLteWanVlan.
2. on the pfSense, attach a VLAN interface with the same VLAN ID to the interface connected to the LHGG
3. on the pfSense, attach a DHCP client to that VLAN interface, and set up firewall rules, as this interface will get the address from the mobile network and get directly connected to the internet in the next step - the LHGG does no firewalling on that interface.
4. on the LHGG, set passthrough-interface on the /interface lte apn row you use to ether1.777 or bridge.777 or whatever name you have assigned to the /interface vlan added in the first step.

That's all - the pfSense now gets the public IP on that VLAN interface.

The above is the simplest way. You may prefer to reverse the role of the "native VLAN" and the "tagged VLAN" on the cable, in terms that the tagged VLAN will be used for management of the LHGG and the tagless one for the passthrough mode, as the tagging and untagging is done in software at both ends so you can save a couple of CPU cycles per packet for the WAN traffic if you don't tag it.

To do it that way, the first and second step are the same, but you have to create another private subnet in the added VLAN (attach static IP addresses from the same subnet, different from 192.168.88.0/24, to the VLAN interfaces at the LHGG and the pfSense), adjust firewall rules at the LHGG, and check that you can connect to the LHGG using its address in this new subnet. Once you've checked that, stay connected to the LHGG that way, remove all the IP configuration (address, dhcp server) from ether1 or bridge on the LHGG and from the physical ethernet on the pfSense, attach a DHCP client to the physical interface on the pfSense, and indicate ether1 or bridge as the passthrough-interface on the LHGG.

Thank you for explaining passthrough subnet selection modes.

What is the optimal/fastest set up for this parameter?

With LGH+LTE6 modem i had about 25-30mbit/s when it was set up as router + dhcp server + firewall + nat.
After configuring LGH+LTE6 modem as a passthrough device with passthrough-subnet-selection set to auto i have now 50-60mbit/s and very stable connection.

Will i get some additional speed with passthrough-subnet-selection is set to p2p? (i will test it in some weeks when will visit my parents in village)

And by the way - will i get better speed if i change lhg to lhgg? Can be the bottleneck in the 1CPU of lhg? I have hap ac2 after the lhg+lte6 modem, that is router + firewall + capsman + nat + dhcp server.

Will i get some additional speed with passthrough-subnet-selection is set to p2p? (i will test it in some weeks when will visit my parents in village)

You have to test, but there is no rational reason why this setting should affect the speed. It's really just that with the /30 or /29 subnet, the 3 or 7 public IPs adjacent to the one assigned by the operator become inaccessible to the DHCP client, whereas some DHCP clients may theoretically be unable to handle the /32 address and a gateway whose address is not in the same subnet like the one assigned by the operator.

will i get better speed if i change lhg to lhgg? Can be the bottleneck in the 1CPU of lhg?

Whereas a dual-core 800 MHz CPU is definitely more powerful than a single-core 650 MHz CPU, I'd expect rather the firewall rules to be the bottleneck at the LHG, especially if they are not optimized. Also we're talking about a mobile network here, so unless you are alone in the sector, the speed depends on what other clients do.

Well, I found the error and totally my fault...
I forget to set up the DHCP on the WAN port of the Edegrouter...

Hi, so looks like I have exactly the same issue.
I've just put the mikrotik into bridge mode and lost connection to it from my udm.
I'm very new to all of this and tbh unifi confuses the hell out of me.
Can you explain how you setup the DHCP on the wan port so the router can see the mikrotik again please?
Many thanks.

Hi, so looks like I have exactly the same issue.

From your description it does not look like the same issue.

There are two points:

1. to let the WAN of the unifi device get its address via DHCP - this is no different to connecting it to any device/network that runs a DHCP server, such as a DSL router
2. to maintain manageability of the Mikrotik via the same physical cable even if it is configured for LTE passthrough, which normally means that you have to attach a VLAN interface to the physical Ethernet at both the Mikrotik side and the other device side.

For help with setting these at the Unifi end, you need the Unifi forum.

Hi I have two Mikrotiks hap ac2 and RBwAPR R11e-LTE. I want to config LTE Mikrotik as brige and connect it to hap ac2. I tried to use this config for LTE Mikrotik:

/interface lte
set [ find ] mac-address=AC:50:43:1A:EE:FD name=lte1 network-mode=lte
/interface vlan
add interface=ether1 name=internet vlan-id=3
add interface=ether1 name=management vlan-id=2
/interface lte apn
set [ find default=yes ] apn=free passthrough-interface=internet passthrough-mac=auto
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.88.2/24 interface=management network=192.168.88.0
/ip dhcp-client
add disabled=no interface=management
/system clock
set time-zone-name=Europe/Paris

I got a message:
expected end of command (line 2 column 23)

What is wrong?

Maybe your version of RouterOS (which one it is?) does not support one of the parameters on some of the lines. Instead of pasting the whole configuration, go line by line, i.e. start from just /interface lte, if it succeeds (it really should ), paste just set [ find ] mac-address=AC:50:43:1A:EE:FD name=lte1 network-mode=lte, and so on until you identify the line that breaks things. If the device is reset to no default configuration (as seems to be the case), I don't think you need to specify the mac-addrress and name parameters for the LTE interface; you also don't need to configure the wireless security profile as you don't use the wifi interface at all. Since you configure the management IP address manually, you should not need the DHCP client attached to the same interface either.

My version of RouterOS is 7.7. I went line by line. If I skipped mac-address=AC:50:43:1A:EE:FD there were no errors. But LTE interface didn't run. How to control it?

Here is my config:

/interface vlan
add interface=ether1 name=internet vlan-id=3
add interface=ether1 name=management vlan-id=2
/interface lte apn
set [ find default=yes ] apn=free passthrough-interface=internet passthrough-mac=auto
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.2.34/24 interface=management network=192.168.2.0
/system clock
set time-zone-name=Europe/Paris

There is no error in it but Internet doesn't work.

What does /interface/lte/monitor lte1 once show?

pin-status: ok
registration-status: registered
functionality: full
manufacturer: "MikroTik"
model: "R11e-LTE"
revision: MikroTik_CP_2.160.000_v020
current-operator: Beeline
lac: 35239
current-cellid: 101117958
enb-id: 394992
sector-id: 6
phy-cellid: 283
access-technology: LTE
imei: 355654092172522
imsi: 250992116549130
uicc: 8970199171203489295f
earfcn: 3300 (band 7, bandwidth 10Mhz)
rsrp: -82dBm
rsrq: -14.5dB
sinr: 13dB

What bothers me is that the apn profile sets the apn name to free whereas the LTE monitor states you are connected to Beeline network, and, more important, that you are using a Beeline SIM, so the APN name should be set to internet.beeline.ru.

If that change doesn't help, the next step is to unset the passthrough-interface in the apn profile and to see whether the RBwAPR itself will get an IP address on the LTE interface and be able to ping some public IP.

1. This config:

/interface vlan
add interface=ether1 name=internet vlan-id=3
add interface=ether1 name=management vlan-id=2
/interface lte apn
set [ find default=yes ] apn=internet.beeline.ru passthrough-interface=internet passthrough-mac=auto
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.2.34/24 interface=management network=192.168.2.0
/system clock
set time-zone-name=Europe/Paris

Interface LTE status isn't run.

Wow. If the only thing you have done was to change the APN proflle settings, disable and re-enable the LTE interface and give it some 3 minutes before sending the monitor command again.

This config:

/interface vlan
add interface=ether1 name=internet vlan-id=3
add interface=ether1 name=management vlan-id=2
/interface lte apn
set [ find default=yes ] apn=internet.beeline.ru
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip address
add address=192.168.2.34/24 interface=management network=192.168.2.0
/system clock
set time-zone-name=Europe/Paris

Interface LTE status now is run. There is a ping some public IP.

I connected LTE Mikrotik to WAN port main Mikrotik instead of provider's line. There was not Internet. I connected LTE Mikrotik to the PC directly. Set manual adress 192.168.2.55, mask 255.255.255.0 There was not Internet

What should I do next?

Since you can ping a public IP from the RBwAPR itself now as the passthrough-interface is unset, we have successfully confirmed that the Beeline service is OK. So you may set the passthrough-interface back to internet.

However, what you wrote regarding the direct connection of the PC suggests that you haven't understood that internet is a VLAN interface, so its traffic will be tagged on ether1 and so the WAN of the hAP ac² has to be configured accordingly. But it should also be possible to just set the passthrough-interface directly to ether1 so the WAN of the hAP ac² may stay as is (which should be a DHCP client directly attached to the WAN ethernet interface, no VLANs required). In this case, you will only have to attach a VLAN interface with vlan-id=2 to the WAN of the hAP ac² to be able to access the RBwAPR's IP address in the management subnet (192.168.2.34).

Just out of curiosity, what makes you want to use the passthrough mode at all? Does the Beeline SIM have a public IP address attached to it? Because if not, the use of passthrough mode is just a pointless laboratory exercise... OK, the CPU of the hAP ac² is more powerful than the one of RBwAPR, but given the LTE throughput limitation, I'd assume you never hit the CPU bottleneck. And you can always do NAT on the RBwAPR and the rest of the fancy stuff on the hAP ac².

I want to use RBwAPR as a reserve channel for hAP ac².
However I dont want to have another network between provider and hAP ac²
I know how to make this configuration:
provider's IP - 192.168.10.1 - 192.168.10.2 - 192.168.2.1 - 192.168.2.N.
I want to make this configuration:
provider's IP - 192.168.2.1 - 192.168.2.N

How can I do it?

What you want cannot be accomplished to the letter. With LTE bridge mode active, the router gets a single /32 IP address from the mobile ISP, and based on that address, it either creates the smallest possible subnet into which this address fits and attaches another IP address from that subnet to the interface configured in passthrough-interface under /interface lte apn (if passthrough-subnet-selection is set to auto), or it assigns to that inteface some 10.x.x.x/32 address not conflicting with any address on itself (if passthrough-subnet-selection is set to p2p). In either case, it also dynamicaly attaches a DHCP server to that interface, which leases out the IP address assigned by the mobile ISP to the first DHCP client that requests it, unless you indicate the MAC address of a particular client you want to get it, and indicates the own address attached to that interface as a default gateway to the client (so some clients may get confused in p2p mode because the gateway address is totally unrelated to the address being assigned, as the latter is a /32 one). Then it forwards the traffic received from that interface with the ISP-assigned LTE address as source via LTE and vice versa.

So in this setup, you cannot affect what address the mobile ISP assigns you, you just get what you get.

My only problem is that on my LtAP LTE6 kit it never actually worked - everything is set up as it should but the packets from the ISP-assigned address only make it to the LtAP.

Maybe it is related to the above, but my LtAP also responds on its own to request incoming to that auxiliary gateway address. So if it is not related, you even don't need the dedicated VLAN and subnet for management.

Thank you for your explanations