mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

SXTsq_Lite2 with RB2011 setup

Wed Jun 03, 2020 10:29 am

Hi

I am struggling with a setup. I was using my RB2011 to access a wireless WAN using mode=station-pseudobridge and then provision it to my local Wifi LAN for internet access using a virtual WAN port setup. To separate out the WAN Wifi from the LAN Wifi so the RB2011 is not doing both tasks, I have just bought a SXTsq_Lite2, but can't seem to figure out how to get it to work with the RB2011.

I can access the wireless WAN okay with the SXTsq_Lite2, and I can access the internet through it using my computer when plugged into the SXT with a network cable, but when I connect that cable to the RB2011 I am not managing to pass the traffic from the SXT to the RB2011, and so cannot get to the internet from the RB2011 (nor the local LAN Wifi), and I am not sure where I am getting stuck.

I had the NAT and firewalling on the RB2011 originally, but am pretty certain I have set it to fully pass through. NAT is open and firewalling is not set to block anything, I can ping the ip address of the SXT on ether1 of RB2011 but only from the RB2011 terminal, not from a local computer and I cannot get further than that from the RB2011. The SXT has src-nat set to masquerade and firewall is open on it, the RB2011 has src-nat set to accept and firewall open on it. I have tried different configs of both, and disabling/enabling NAT but not managed to get it functioning yet.

Eventually I was going to set up the firewalling and NAT on the SXT and leave the RB2011 LAN side just to act like a switch really but provision the local wireless LAN, but maybe I am approaching this setup wrong and should be creating a bridge with one of them. Annoyingly I can't access the SXT with winbox when I am plugged into the RB2011, so I have to keep physically switching the cables between them and my computer in order to make changes to the respective configs, and it's a slow process trying to get it right. I have not been able to find an example of this kind of setup anywhere.

Wireless WAN <---> SXTsq_Lite2 <---> RB2011 <----> Local wireless LAN.

If anyone knows a best practice of how to set this up, it would really help me figure out what I am getting wrong, it is probably something obvious but I have run into a wall with it.
 
sindy
Forum Guru
Posts: 11126
Joined: Mon Dec 04, 2017 9:19 pm

Re: SXTsq_Lite2 with RB2011 setup

Wed Jun 03, 2020 9:04 pm

Post the current configurations of both devices (see the hint on anonymisation in my automatic signature below). What you want to do is simple, and I wouldn't recommend to move the firewall from the 2011 to the sxtsq lite, as the CPU of the sxtsq is just a tiny bit better whilst the RAM size is double at the 2011.
 
mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

Re: SXTsq_Lite2 with RB2011 setup

Thu Jun 04, 2020 2:09 am

> Post the current configurations of both devices (see the hint on anonymisation in my automatic signature below). What you want to do is simple, and I wouldn't recommend to move the firewall from the 2011 to the sxtsq lite, as the CPU of the sxtsq is just a tiny bit better whilst the RAM size is double at the 2011.

Thanks for your help. I have mucked about with it a bit more, but still can only access the internet when plugging my computer directly into the SXT. I have also disabled the wifi for now on the RB2011 and plug my PC into ether3 directly to test this. The connection between the SXT and RB2011 is via ether1. (I know they are on different OS versions but did not think it would matter too much in this case and plan to update the RB2011 when it gets internet access.)


Here is the SXT config...
[admin@SXTsq_Lite2] > export
# jun/04/2020 08:51:59 by RouterOS 6.45.9
# software id = SHMG-9TF5
#
# model = RouterBOARD SXTsq 2nD
# serial number = 887E0A1FA80F
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=no_country_set disabled=no frequency-mode=manual-txpower mode=station-pseudobridge ssid=\
    "Telstra Air"
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=ether1 name=defconf
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=wlan1 list=WAN
/ip address
add address=192.168.88.254/24 comment=defconf interface=ether1 network=192.168.88.0
/ip dhcp-client
add comment=defconf default-route-distance=2 dhcp-options=hostname,clientid,clientid_duid disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Australia/Brisbane
/system identity
set name=SXTsq_Lite2

and here is the RB2011 config....
[admin@MB_Home] > export
# jun/03/2020 12:03:37 by RouterOS 6.44.5
# software id = FQB8-S0M4
#
# model = 2011UAS-2HnD
# serial number = 419E0254245E
/interface bridge
add admin-mac=D4:CA:6D:D8:4C:8D auto-mac=no fast-forward=no mtu=1500 name=bridge-local
add comment=WAN name=bridge1
add comment="internal Music wifi, no wan access required." name=bridge2-noWan
add disabled=yes name=bridge_Vlan60
/interface ethernet
set [ find default-name=ether1 ] comment=Out-To-SXTsq_Lite2 name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes name=ether6-master-local
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes name=ether7-slave-local
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes name=ether8-slave-local
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes name=ether9-slave-local
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes name=ether10-slave-local
set [ find default-name=sfp1 ] disabled=yes name=sfp1-gateway
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=xxxxx wpa2-pre-shared-key=xxxxx
add management-protection=allowed name=none supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=dynamic-keys name=music supplicant-identity=MikroTik wpa-pre-shared-key=xxxxx wpa2-pre-shared-key=\
    xxxxxx
/interface wireless
set [ find default-name=wlan1 ] mode=station-pseudobridge security-profile=none ssid="Telstra Air"
add mac-address=D6:CA:6D:D8:4C:96 master-interface=wlan1 name=wlan2 ssid=Home_Wifi wds-default-bridge=bridge1 wps-mode=disabled
add mac-address=D6:CA:6D:D8:4C:97 master-interface=wlan1 name=wlan3_musicNoWan security-profile=music ssid=MUSIC vlan-id=60 vlan-mode=use-tag wds-default-bridge=bridge2-noWan \
    wps-mode=disabled
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=nowan-pool ranges=192.168.60.10-192.168.60.100
/ip dhcp-server
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local lease-time=10h name="default (.88.x)"
add address-pool=nowan-pool authoritative=after-2sec-delay disabled=no interface=bridge2-noWan lease-time=10h name=dhcp-MusicWifi
/queue simple
add disabled=yes max-limit=1M/1M name=J_Phone target=192.168.88.195/32
add disabled=yes max-limit=1M/1M name="M Phone " target=192.168.88.196/32
add disabled=yes max-limit=10M/10M name="HP x360 M" target=192.168.88.199/32
add disabled=yes max-limit=1M/1M name="MB Surface" target=192.168.88.216/32
add disabled=yes max-limit=768k/768k name="R Mobile (J5)" target=192.168.88.180/32
add disabled=yes max-limit=1M/1M name="J PC - Lenovo" target=192.168.88.184/32
/queue type
set 5 pcq-rate=512k
set 6 pcq-rate=2M
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=wlan2
add bridge=bridge2-noWan interface=wlan3_musicNoWan
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
add bridge=bridge1 interface=ether1-gateway
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add list=discover
add interface=bridge1 list=discover
add interface=wlan2 list=discover
add interface=bridge2-noWan list=discover
add interface=wlan3_musicNoWan list=discover
add list=discover
add list=discover
add interface=bridge_Vlan60 list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=wlan1 list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=wlan1 list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface ovpn-server server
set auth=sha1,md5,null cipher=blowfish128,aes128,aes192,aes256,null enabled=yes keepalive-timeout=disabled mode=ethernet require-client-certificate=yes
/interface wireless snooper
set channel-time=2s
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes interface=wlan2 network=192.168.88.0
add address=192.168.89.1/24 comment=backdoor interface=ether4 network=192.168.89.0
add address=192.168.60.1/24 comment="This is for the music internal wifi, no wan access" disabled=yes interface=wlan3_musicNoWan network=192.168.60.0
add address=192.168.88.252/24 interface=ether3 network=192.168.88.0
add address=192.168.88.253/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
add dhcp-options=clientid,clientid
add default-route-distance=2 dhcp-options=clientid,clientid_duid,hostname interface=bridge1
/ip dhcp-server lease
add address=192.168.88.216 client-id=1:30:59:b7:9:c7:32 mac-address=30:59:B7:09:C7:32 server="default (.88.x)"
add address=192.168.88.205 client-id=1:90:b6:86:bd:22:aa mac-address=90:B6:86:BD:22:AA server="default (.88.x)"
add address=192.168.88.221 always-broadcast=yes client-id=1:0:26:bb:d:c2:b1 mac-address=00:26:BB:0D:C2:B1 server="default (.88.x)"
add address=192.168.88.195 client-id=1:88:75:98:7:48:ca mac-address=88:75:98:07:48:CA server="default (.88.x)"
add address=192.168.88.196 client-id=1:88:75:98:5:36:5a mac-address=88:75:98:05:36:5A server="default (.88.x)"
add address=192.168.88.199 client-id=1:f8:94:c2:8c:30:66 mac-address=F8:94:C2:8C:30:66 server="default (.88.x)"
add address=192.168.88.191 always-broadcast=yes client-id=1:0:90:f5:eb:3f:12 mac-address=00:90:F5:EB:3F:12 server="default (.88.x)"
add address=192.168.60.100 client-id=1:b0:65:bd:d6:c1:7a mac-address=B0:65:BD:D6:C1:7A server=dhcp-MusicWifi
add address=192.168.88.190 client-id=1:5c:ea:1d:5c:41:4f mac-address=5C:EA:1D:5C:41:4F server="default (.88.x)"
add address=192.168.88.187 client-id=1:d8:90:e8:39:2f:58 mac-address=D8:90:E8:39:2F:58 server="default (.88.x)"
add address=192.168.88.184 client-id=1:70:c9:4e:ff:34:41 mac-address=70:C9:4E:FF:34:41 server="default (.88.x)"
add address=192.168.88.180 client-id=1:c0:bd:c8:56:5b:5b mac-address=C0:BD:C8:56:5B:5B server="default (.88.x)"
/ip dhcp-server network
add address=192.168.60.0/24 comment="music wifi no wan access + VLAN60" dns-server=192.168.60.1 gateway=192.168.60.1
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.252 gateway=192.168.88.252
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.254 name=router
/ip firewall address-list
add address=192.168.88.205 comment="Add Internal IP addresses so can drop all other connections" disabled=yes list=LAN_IPs
add address=192.168.88.0/24 comment="Network LAN range, drop all else trying to come into bridge_1" list=LAN_Network
add address=209.53.113.0/24 list=AbsoluteDataProtect
add address=192.168.60.0/24 list=LAN_Network
add address=192.168.80.0/24 disabled=yes list=LAN_Network
/ip firewall filter
add action=accept chain=input comment="default configuration - pings in" log-prefix=icmp protocol=icmp
add action=accept chain=forward comment="Let AbsoluteDataProtect through fwall" disabled=yes in-interface=bridge1 src-address-list=AbsoluteDataProtect
add action=accept chain=forward comment="Traffic allowed between LANS" dst-address-list=LAN_Network src-address-list=LAN_Network
add action=drop chain=forward comment="Drop all across bridge2_nowan to MUSIC Wifi that isnt from Music subnet 192.168.60.x" disabled=yes in-interface=bridge2-noWan log-prefix=\
    DROP_IN_MUSIC src-address=!192.168.60.0
add action=drop chain=forward comment="Drop anything inbound on bridge1 that is not DSTNAT'ed" connection-nat-state=!dstnat connection-state=new in-interface=bridge1 log=yes \
    log-prefix=WAN-Bridge1_drop
add action=passthrough chain=forward comment="Log Traffic out Bridge 1" disabled=yes log=yes log-prefix="Traffic out Bridge 1" out-interface=bridge1
add action=passthrough chain=forward comment="Log Traffic IN to Bridge1" disabled=yes in-interface=bridge1 log=yes log-prefix="Traffic IN Bridge1"
add action=accept chain=input comment=OpenVPN disabled=yes dst-port=1194 protocol=tcp
add action=drop chain=input comment="drop hack ports inbound" disabled=yes dst-port=22-23 in-interface=bridge1 log-prefix=Drop_Hack_Ports protocol=tcp
add action=drop chain=input comment="drop weird SIP stuff" disabled=yes dst-port=5060-5061 in-interface=bridge1 log-prefix=SIP_DROP protocol=udp
add action=accept chain=input comment="default configuration - input established" connection-state=established log-prefix=IN-BOUND
add action=accept chain=forward disabled=yes log=yes log-prefix="from 88 net" src-address=192.168.88.0/24
add action=accept chain=input comment="default configuration" connection-state=related
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="default configuration - forward related" connection-state=related
add action=drop chain=forward comment="default configuration - drop invalid" connection-state=invalid log-prefix=DROP_INVALID_IN
add action=drop chain=input comment="default configuration" in-interface=sfp1-gateway
add action=drop chain=input comment="default configuration - drop all other traffic" in-interface=bridge1 log-prefix=DROP_ALLOTHER_WAN_IN
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" log-prefix=NAT_OUT out-interface=bridge1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip traffic-flow
set active-flow-timeout=30s inactive-flow-timeout=30s
/ip traffic-flow target
add disabled=yes dst-address=192.168.88.226 port=1234
/lcd
set default-screen=log time-interval=weekly
/system clock
set time-zone-name=Australia/Brisbane
/system identity
set name=MB_Home
/system ntp client
set enabled=yes server-dns-names=au.pool.ntp.org
/system package update
set channel=long-term
/system scheduler
add comment="sep/23/2018 11:22:52" interval=12m name=Logs4Logins policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/23/2018 start-time=00:55:36
/system script
add comment="Script to check logs for logins" dont-require-permissions=no name=Logs4Logins owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="# BEGIN SETUP\
    \n# This is to check for login attempts\
    \n:local scheduleName \"Logs4Logins\"\
    \n:local emailAddress \"mdkberry@outlook.com\"\
    \n:local startBuf [:toarray [/log find message~\"logged in\" || message~\"login failure\"]]\
    \n:local removeThese {\"not logged txt\";\"whatever string you want\"}\
    \n# END SETUP\
    \n\
    \n# warn if schedule does not exist\
    \n:if ([:len [/system scheduler find name=\"\$scheduleName\"]] = 0) do={\
    \n  /log warning \"[LOGMON] ERROR: Schedule does not exist. Create schedule and edit script to match name\"\
    \n}\
    \n\
    \n# get last time\
    \n:local lastTime [/system scheduler get [find name=\"\$scheduleName\"] comment]\
    \n# for checking time of each log entry\
    \n:local currentTime\
    \n# log message\
    \n:local message\
    \n  \
    \n# final output\
    \n:local output\
    \n\
    \n:local keepOutput false\
    \n# if lastTime is empty, set keepOutput to true\
    \n:if ([:len \$lastTime] = 0) do={\
    \n  :set keepOutput true\
    \n}\
    \n\
    \n\
    \n:local counter 0\
    \n# loop through all log entries that have been found\
    \n:foreach i in=\$startBuf do={\
    \n  \
    \n# loop through all removeThese array items \
    \n  :local keepLog true\
    \n  :foreach j in=\$removeThese do={\
    \n#   if this log entry contains any of them, it will be ignored\
    \n    :if ([/log get \$i message] ~ \"\$j\") do={\
    \n      :set keepLog false\
    \n    }\
    \n  }\
    \n  :if (\$keepLog = true) do={\
    \n\t\
    \n\t:set message [/log get \$i message]\
    \n\
    \n#   LOG DATE\
    \n#   depending on log date/time, the format may be different. 3 known formats\
    \n#   format of jan/01/2002 00:00:00 which shows up at unknown date/time. Using as default\
    \n    :set currentTime [ /log get \$i time ]\
    \n#   format of 00:00:00 which shows up on current day's logs\
    \n\t:if ([:len \$currentTime] = 8 ) do={\
    \n\t  :set currentTime ([:pick [/system clock get date] 0 11].\" \".\$currentTime)\
    \n    } else={\
    \n#     format of jan/01 00:00:00 which shows up on previous day's logs\
    \n\t  :if ([:len \$currentTime] = 15 ) do={\
    \n        :set currentTime ([:pick \$currentTime 0 6].\"/\".[:pick [/system clock get date] 7 11].\" \".[:pick \$currentTime 7 15])\
    \n      }\
    \n\t}\
    \n\t  \
    \n#   if keepOutput is true, add this log entry to output\
    \n\t:if (\$keepOutput = true) do={\
    \n\t  :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\")\
    \n\t} \
    \n#   if currentTime = lastTime, set keepOutput so any further logs found will be added to output\
    \n#   reset output in the case we have multiple identical date/time entries in a row as the last matching logs\
    \n#   otherwise, it would stop at the first found matching log, thus all following logs would be output\
    \n    :if (\$currentTime = \$lastTime) do={\
    \n\t  :set keepOutput true\
    \n\t  :set output \"\"\
    \n\t}\
    \n  }\
    \n\
    \n#\tif this is last log entry\
    \n  :if (\$counter = ([:len \$startBuf]-1)) do={\
    \n#   If keepOutput is still false after loop, this means lastTime has a value, but a matching currentTime was never found.\
    \n#   This can happen if 1) The router was rebooted and matching logs stored in memory were wiped, or 2) An item is added\
    \n#   to the removeThese array that then ignores the last log that determined the lastTime variable.\
    \n#   This resets the comment to nothing. The next run will be like the first time, and you will get all matching logs\
    \n\t:if (\$keepOutput = false) do={\
    \n#     if previous log was found, this will be our new lastTime entry\t\t\
    \n\t  :if ([:len \$message] > 0) do={\
    \n        :set output (\$output.\$currentTime.\" \".\$message.\"\\r\\n\")\
    \n      }\
    \n    }\
    \n  }\
    \n  :set counter (\$counter + 1)\
    \n}\
    \n\
    \n# If we have output, save new date/time, and send email\
    \nif ([:len \$output] > 0) do={\
    \n  /system scheduler set [find name=\"\$scheduleName\"] comment=\$currentTime\
    \n  /tool e-mail send to=\"\$emailAddress\" subject=\"MikroTik: MB_Home login alert \$currentTime\" body=\"\$output\"\
    \n  /log info \"[LOGMON] New logs found, send email\"\
    \n}"
/tool e-mail
set address=xxxxx from=xxxx password=xxxx port=587 start-tls=yes user=xxxx
/tool graphing interface
add
add interface=wlan1
add
/tool graphing queue
add
add
add
add
add simple-queue="R Mobile (J5)"
add simple-queue=J_Phone
add simple-queue="M Phone "
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set file-name=sniffed.pcap memory-scroll=no streaming-server=192.168.88.219
[admin@MB_Home] > 
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: SXTsq_Lite2 with RB2011 setup

Thu Jun 04, 2020 1:42 pm

Two things I have picked up:
1. Both the SXT and the RB2011 are using the same LAN subnet, so for the RB2011 the WAN gateway is 192.168.88.x and the LAN subnet is also 192.168.88.0/24.
I would change one of the subnets to something different.

2. On the RB2011, you are using bridge1 as your WAN interface, fine, but the DHCP client is on ether1-gateway. Yes, it is a member of the bridge, but I think this DHCP client should be on the bridge itself.

give it a go.
 
mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

Re: SXTsq_Lite2 with RB2011 setup

Thu Jun 04, 2020 6:38 pm

> Two things I have picked up:
> 1. Both the SXT and the RB2011 are using the same LAN subnet, so for the RB2011 the WAN gateway is 192.168.88.x and the LAN subnet is also 192.168.88.0/24.
> I would change one of the subnets to something different.
>
> 2. On the RB2011, you are using bridge1 as your WAN interface, fine, but the DHCP client is on ether1-gateway. Yes, it is a member of the bridge, but I think this DHCP client should be on the bridge itself.

Some progress...

I made the SXT ether1 interface 192.168.90.1/24. In order for me to reach it from the RB2011 side I made the RB2011 ether1-gateway interface 192.168.90.2/24. I can now access both routers from the PC plugged into RB2011 on ether3. I also changed the RB2011 gateway to 192.168.88.254/24 just for clarity.

I then added in the DHCP client on bridge1 on the RB2011 (this was actually how it was working before the SXT, but I must have deleted it at some point when fiddling with settings). I currently have SXT wlan1 picking up the DHCP client address from the wireless WAN, but I guess I need that to happen on the RB2011 as you said, not on the SXT. Disabling the DHCP client on the SXT does not make it then automatically pick up on the RB2011, where it is just stuck saying "searching" for the DHCP client. I changed the hop number, but that did not make a difference. The routing to 192.168.90.0 seems to be working ok on the RB2011 and is reachable, listed as bridge1.

So any thought for how to make the RB2011 look beyond the SXT for that DHCP client info?
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: SXTsq_Lite2 with RB2011 setup

Thu Jun 04, 2020 8:01 pm

DHCP works on Layer 2 (LAN) not Layer 3 (Routed)

So the question is why do you need the WAN IP on the 2011?

My suggestion will be to configure firewall, dhcp, etc on the SXT, on the 2011 create a bridge and place all interfaces, ether and wlan in the bridge and use it as a switch
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: SXTsq_Lite2 with RB2011 setup  [SOLVED]

Thu Jun 04, 2020 9:50 pm

I'd agree. Unless there is another reason, you don't need two routers both being "router".
You might think the RB2011 is more capable as a router and leave the SXT just to be CPE. But look at the spec: the SXT lite2 actually has got a better CPU, the same RAM, less storage (yes, but you don't really need it).

Also, I don't fully understand the changes you made. So if you had made the LAN subnet of the SXT 192.168.90.0/24, where the SXT itself is 192.168.90.1,
the DHCP client on bridge1 on the RB2011 should pick up a DHCP lease from the SXT, and it would be 192.168.90.x/24; just use add default route and now you should have internet on the RB2011.
If it is not working, post what your routing table looks like.

But ultimately, I'd personally use the SXT as CPE and router, make the RB2011 into a bridge. Keep it simple.
 
mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

Re: SXTsq_Lite2 with RB2011 setup

Fri Jun 05, 2020 1:46 am

> I'd personally use the SXT as CPE and router, make the RB2011 into a bridge. Keep it simple.

Okay, I have taken this approach and I have now got it working, so thank you, I will mark this as solved. One main problem was that I had not changed the default gateway on the SXT DHCP server when I changed it to provide the 192.168.90.0/24 subnet, so traffic was not getting back to it from the RB2011 side properly. This is now resolved.

I have one issue remaining. Even though my setup is now working, and I am using the SXT for firewall and NAT as well as providing the connection to the wireless WAN, I don't understand the NAT setup on my RB2011. It only works if I have an entry for chain: srcnat set to masquerade on the RB2011. I feel this means I am double NATting, but if I set srcnat to accept or disable the entry on the RB2011, then the outbound to the SXT stops working. I have completely disabled all firewall entries on the RB2011 successfully, but what should I be setting the RB2011 NAT to, given I really only need it to act as a switch at this point and additional NAT is not necessary?
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: SXTsq_Lite2 with RB2011 setup

Fri Jun 05, 2020 11:50 am

If you only want to use the RB2011 as a switch, NAT needs to be disabled on the RB2011.

Disable the firewall rules,
remove all NAT rules,
add all ports to one bridge and enable hardware offloading. Beware there are two switch chips on the RB2011: the left 5 Gigabit ports are on one switch chip and the 5 x 100Mbps ports on the right-hand side are on another switch chip. Only ports that are on the same switch chip can do hardware offloading between them (meaning the traffic will not go through the CPU, thus you get wire speed).
Disable the DHCP server.

Assign an IP address or use a DHCP client on the bridge, so that the RB2011 has an IP address. I prefer to have an IP but this is not necessary; you can still manage the RB2011 via MAC address.
If the PoE cable to the SXT is within 10-20 meters (rough guess), I would use ether10 on the RB2011 to power the SXT, saving you from using the PoE injector. But for a longer cable run, the injector is better. Some say this way you risk the RB2011 in case the SXT gets a lightning strike, so it's up to you :-)

Now if you plug a laptop into the RB2011, you should be able to get a lease from the DHCP server on the SXT.
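The layout CZFan and solar77 describe above (SXT as CPE and router, RB2011 as a plain switch), written out as one RouterOS 6 configuration. This is an added example, not either poster's config nor mdkberry's final export; it assumes 192.168.90.0/24 on the SXT LAN side, reuses the bridge name bridge-local and the interface names from the RB2011 export, and assumes the RB2011 part is applied from a console session in safe mode, since it removes the addresses and rules Winbox is reached through.

```routeros
# ===== SXTsq Lite2: CPE + router =====
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=wlan1 list=WAN
add interface=ether1 list=LAN
/interface wireless
set [ find default-name=wlan1 ] mode=station-pseudobridge ssid="Telstra Air" disabled=no
# WAN address and default route come from the upstream wireless network
/ip dhcp-client
add interface=wlan1 add-default-route=yes disabled=no
# LAN side towards the RB2011: address, pool and DHCP server all on ether1
/ip address
add address=192.168.90.1/24 interface=ether1
/ip pool
add name=lan-pool ranges=192.168.90.10-192.168.90.254
/ip dhcp-server
add name=lan interface=ether1 address-pool=lan-pool disabled=no
/ip dhcp-server network
# gateway/dns must be the SXT's own ether1 address; the original export
# still handed out 192.168.88.1 while ether1 was .88.254, so replies never came back
add address=192.168.90.0/24 gateway=192.168.90.1 dns-server=192.168.90.1
/ip dns
set allow-remote-requests=yes
# single place where NAT happens
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
# default-style filter: management only from LAN, nothing new from WAN unless DST-NATed
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=drop in-interface-list=!LAN
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
# the export had allow-none-crypto=yes; SSH should not accept unencrypted sessions
/ip ssh
set allow-none-crypto=no strong-crypto=yes

# ===== RB2011: plain switch, no routing, no NAT, no DHCP server =====
# (the music wifi on bridge2-noWan / 192.168.60.0/24 is left untouched here)
/ip firewall nat
remove [ find ]
/ip firewall filter
remove [ find ]
/ip dhcp-server
disable [ find ]
/ip dhcp-client
remove [ find ]
# drop the per-port addresses (including the 192.168.89.1 "backdoor" on ether4);
# a bridge slave port cannot carry a usable address anyway
/ip address
remove [ find ]
# wlan1 no longer needs to be a station: make it the home AP directly
/interface bridge port
remove [ find interface=wlan2 ]
/interface wireless
remove [ find name=wlan2 ]
set [ find default-name=wlan1 ] mode=ap-bridge ssid=Home_Wifi security-profile=default
# move the uplink port from the old WAN bridge into the LAN bridge and
# turn hardware offload on; ports on different switch chips still cross the CPU
/interface bridge port
remove [ find interface=ether1-gateway ]
add bridge=bridge-local interface=ether1-gateway hw=yes
set [ find bridge=bridge-local ] hw=yes
/interface ethernet
set [ find default-name=ether5 ] disabled=no
# management address on the bridge itself, gateway and DNS are the SXT
/ip address
add address=192.168.90.2/24 interface=bridge-local
/ip route
add gateway=192.168.90.1
/ip dns
set servers=192.168.90.1
```

After this, a laptop on any RB2011 port or on Home_Wifi gets its lease from the SXT, and the only srcnat rule left anywhere is the one on the SXT.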
 
mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

Re: SXTsq_Lite2 with RB2011 setup

Sat Jun 06, 2020 2:56 am

> If you only want to use the RB2011 as a switch, NAT needs to be disabled on the RB2011.

Thanks for the detailed explanation. I was expecting it to be simpler, like setting NAT to accept or passthrough on the RB2011. Before I do all that you advised, what is the negative impact of leaving it with srcnat set as masquerade on the RB2011? I am not seeing any issues in use, but maybe it is impacting it in some ways?
 
solar77
Long time Member
Posts: 586
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: SXTsq_Lite2 with RB2011 setup

Sun Jun 07, 2020 1:42 pm

> what is the negative impact of leaving it with srcnat set as masquerade on the RB2011

Check if the traffic counter on this rule is increasing. If yes, it is "effective" and basically it means your outgoing traffic is still NATed into the WAN address of the RB2011.
In plain words, this rule changes your source IP address on the LAN side into the one WAN IP address on your WAN interface, whatever that is.
The negative impact is that the throughput will be slightly slower, because the router has extra work to do.

If your whole uplink is less than 100Mbps, I would not worry too much; the difference in performance is not much.

The other thing is, if you were to set up port forwarding, then you have to forward it through the SXT, and then forward it again through the RB2011.
Again, performance is slightly slower, but that depends on how much upload and download capacity there is to the Internet.
 
mdkberry
Frequent Visitor
Topic Author
Posts: 70
Joined: Tue Jan 14, 2014 4:39 am

Re: SXTsq_Lite2 with RB2011 setup

Fri Jun 12, 2020 4:50 am

> If your whole uplink is less than 100Mbps, I would not worry too much; the difference in performance is not much.

It is showing traffic on the NAT but I have not experienced any obvious speed issues since posting initially. The SXT Lite has boosted overall performance hugely anyway, so I am happy with it. And yes, my uplink is way less than 100Mbps.
