I just purchased CRS354-48G-4S+2Q+RM, to use it as a switch.
First problem: SwitchOS that I planned to use, I found out after 6-7 hours of reboots/reset (no errors, just no port activity) is actually not supported on this switch... Found on on this forum that they said one year ago they might add it later... Guess not! What on earth is going on...
So I go for option two: Use it with the default bridge setup. I just choose defaults and it says "all ports are switched". Great! :) That sounds exactly like I need. I connect my WAN and my LAN-cable at the datacenter to the switch - and nothing happens. No internet - there appears to be some bridge traffic, but seems like the actual internet port 1 has no traffic. I even reset the switch to factory default, get the message that by default, all ports are switched - and still no luck. I have tried to add the ip to the bridge interface, but no luck. Added NAT-rule for all outgoing traffic from bridge (masqarade) to my ISPs gw (even though it should not be needed if it was a switch): No luck.
Finally I gave up, found an "old" enterprise D'link switch, connected LAN and WAN to random ports and all up with no configuration needed. Now I have connected the Mngt interface on Mikrotik to the D'link switch (on a public static ip) so I can configure it remotely. When I tried to connect a normal port to the existing D'link switch that has internet, internet goes down for all machines even on D'link. I need to keep only the management interface port up. So this tells me the Mikrotik-switch is far from a switch as configured now...
How on earth can I just get this switch to work like a ... switch? I know the performance will be bad, but at least I get some joy of of this wrong purchase. My thinking was that 2 powersupplys on a switch in this price range is awesome and that is why I bought this. So funny not to be able to use it easly as a switch ;)
Re: Mikrotik Switch - it is not a switch?
1) As a dumb switch, it should just work.
2) It runs RoS, but can be used as a switch no problem - with all the functionalities. I'm using one CRS328 this way.
3) As it runs RoS, You can connect using Winbox - and it works with or without IP. Just connect the computer to one of the switch ports, and see if Winbox can detect it.
4) I don't know this one - but several Mikrotiks have a fixed IP set. Use Winbox, and it will autodetect the unit, no problem.
5) This unit have one management ethernet port. Have You tried using it? I have no experience with it, but I'm thinking if (out of the box) management is allowed only through it.
2) It runs RoS, but can be used as a switch no problem - with all the functionalities. I'm using one CRS328 this way.
3) As it runs RoS, You can connect using Winbox - and it works with or without IP. Just connect the computer to one of the switch ports, and see if Winbox can detect it.
4) I don't know this one - but several Mikrotiks have a fixed IP set. Use Winbox, and it will autodetect the unit, no problem.
5) This unit have one management ethernet port. Have You tried using it? I have no experience with it, but I'm thinking if (out of the box) management is allowed only through it.
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
1. Yeah, I was thinking that also. Direct replacement with "dumb" D-link switch (non-configured) works, but as soon as I put the two cables to Mikrotik, it just doesn't work. It seems like default config is some kind of bridge and somehow, it doesn't want to bridge WAN and LAN. The bridge created by default might have some limits or something..
3. and 5. I can connect with it just fine through both winbox and web (even can connect with the app!) - with and without IP. But only on management port.. I have set it to fixed IP and can manage it remotely. But devices connected to ports on the switch can't get out to the gateway/internet (or the other way). So management port works just fine, it is the 48 ports that is the issue ;)
Could it be that I need to delete the default bridge it creates? While it suggest to create a bridge with all interfaces, maybe that is the problem?
3. and 5. I can connect with it just fine through both winbox and web (even can connect with the app!) - with and without IP. But only on management port.. I have set it to fixed IP and can manage it remotely. But devices connected to ports on the switch can't get out to the gateway/internet (or the other way). So management port works just fine, it is the 48 ports that is the issue ;)
Could it be that I need to delete the default bridge it creates? While it suggest to create a bridge with all interfaces, maybe that is the problem?
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
Basically every post on that page shows far more complicated setup than I need. I don't have any vlans and I want to group WAN and LAN on the bridge somehow, so that it behaves like a normal switch basically.
Re: Mikrotik Switch - it is not a switch?
If your config Not work, it has an error
Export it and Show it us
Export it and Show it us
Re: Mikrotik Switch - it is not a switch?
I don't know the device, but it should work if "all ports are switched" really does what it says. You should double check, and find one bridge, with all ethernet ports under tab-"ports" added to that bridge. An IP address can be given to the bridge for management, it has no influence on the payload traffic. If there is a default firewall setup the bridge should be part of the LAN "interface list", to allow and track passing traffic, or the firewall rules should be disabled/removed. Changing firewall (e.g. NAT) or routing will not influence anything in the flow between the interfaces. The traffic never leaves the switches. RouterOS only knows one interface, and that's the bridge. (all other interfaces are slave to the bridge)So I go for option two: Use it with the default bridge setup. I just choose defaults and it says "all ports are switched". Great! :) That sounds exactly like I need. I connect my WAN and my LAN-cable at the datacenter to the switch - and nothing happens. No internet - there appears to be some bridge traffic, but seems like the actual internet port 1 has no traffic. I even reset the switch to factory default, get the message that by default, all ports are switched - and still no luck. I have tried to add the ip to the bridge interface, but no luck. Added NAT-rule for all outgoing traffic from bridge (masqarade) to my ISPs gw (even though it should not be needed if it was a switch): No luck.
Any VLAN will just be forwarded to all active ports. It's just a dump switch now.
What I don't know is how the flow is between the switch chips, but it should not go over the CPU (and not use any of the RouterOS data manipulation or redirection).
https://i.mt.lv/cdn/product_files/CRS35 ... 200122.png
Management via the SFP interfaces was mentioned in the release notes and version discussion in the forum, for some CSS3xx switches AFAIK.
Re: Mikrotik Switch - it is not a switch?
If it's like most Mikrotik routers, with the default configuration, port 1 will be configured as the WAN port and everything else connected in a bridge. Therefore, all ports EXCEPT port 1 should be able to function as if it was a dumb switch. Make sure you are not trying to use port 1 until you change the configuration. As I recall, it will also act as a DHCP server on the bridge, and you will most likely need to disable that if you are going to use this just as a switch.
Re: Mikrotik Switch - it is not a switch?
CRS switches has different default configuration.If it's like most Mikrotik routers, with the default configuration, port 1 will be configured as the WAN port and everything else connected in a bridge.
All ports bridged, and, if I remember correctly, a static IP assigned to that bridge.
Re: Mikrotik Switch - it is not a switch?
So much for what I expected. Never played with a CRS in RouterOS. The only one I have was switched to SwitchOS on day one.CRS switches has different default configuration.If it's like most Mikrotik routers, with the default configuration, port 1 will be configured as the WAN port and everything else connected in a bridge.
All ports bridged, and, if I remember correctly, a static IP assigned to that bridge.
Re: Mikrotik Switch - it is not a switch?
There isn't LAN and WAN. It's just a switch. You have a lot of ports, all of them attached to one bridge. That's the default config.1. Yeah, I was thinking that also. Direct replacement with "dumb" D-link switch (non-configured) works, but as soon as I put the two cables to Mikrotik, it just doesn't work. It seems like default config is some kind of bridge and somehow, it doesn't want to bridge WAN and LAN. The bridge created by default might have some limits or something..
Could it be that I need to delete the default bridge it creates? While it suggest to create a bridge with all interfaces, maybe that is the problem?
I really didn't understand what You wanted wanted to say with "but as soon as I put the two cables to Mikrotik, it just doesn't work". Which two cables? To which Mikrotik? What is "doesn't work"? What should happen, that didn't?
Paste your config here, as already suggested, so we can take a look at.
Re: Mikrotik Switch - it is not a switch?
Reset the switch and start again. Before you connect it to a network...
On a laptop/PC, that you connect to the switch to set it up, manually set its IP to 192.168.88.2.
Log into the switch by browsing to 192.168.88.1 on the same machine.
Set the switch to DHCP auto.
Plug the switch into your network, it should be issued an IP. Done.
Remove "WAN" from /interface list
"interface=ether1 list=WAN" - - - Change this to LAN.
That should be the dumb switch that your wanting with all ports on a single bridge. And you can connect it to the network.
On a laptop/PC, that you connect to the switch to set it up, manually set its IP to 192.168.88.2.
Log into the switch by browsing to 192.168.88.1 on the same machine.
Set the switch to DHCP auto.
Plug the switch into your network, it should be issued an IP. Done.
Remove "WAN" from /interface list
"interface=ether1 list=WAN" - - - Change this to LAN.
That should be the dumb switch that your wanting with all ports on a single bridge. And you can connect it to the network.
Re: Mikrotik Switch - it is not a switch?
Yes.Remove "WAN" from /interface list
"interface=ether1 list=WAN" - - - Change this to LAN.
OR
Add ether1 to the bridge. Make sure the bridge is in the LAN interface list. The "interface list" where the (slave) interface belongs to doesn't matter, if they are ports of the bridge. It's cosmetically better to remove their membership, because it is confusing.
But as the OP speaks of WAN and LAN, it's not clear if this is what the OP wants.
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
Do this make things more clear?
My needs are simply layer 2 on same network and not a single VLAN needed. Just pure switch.
At any time, if I just remove the Mikrotik-switch from this flow and replace it with a gigabit switch I had (I have reset it to default), all works with not a single config.
I suspect that somehow the router-part of the switch is blocking Port 1 from being on the bridge with Port 7 (and all other ports on the switch).
If I put my ISPs cable into the dedicated management port (Port 49), I have mikrotik on this static IP as shown in picture and no problem from a management perspective (but no use when the switch ports 1-48 doesn't switch/broadcast). So it is just when putting my ISP on port 1 that nothing works. Port 7 do not get internet, server connected to port 7 does not travel upwards to port 1 to get Internet (it works if I put the ISP cable directly into server 1).
So it is like it is still working like a router - a router would block the flowchart attached and it would be normal for a router. But I need to have same network on both sides (same mask,gw) passed-through from the WAN-side (data center) to the LAN-side (basically all ports on mikrotik).
The default bridge (was there after reset) includes all ports (1-48), including port 1/ether 1 that have my internet (as you can see from the screenshots). So one gigantic bridge with total broadcast on all ports.From my point of view, the setup reflects all the feedback I have gotten here.
Now I'm beginning to think that I might have to put the switch as gw instead of my ISP on the server. Worth a try... Should not be needed if is a transparent bridge/switch as I have assumed, but maybe a special thing since this is combined router and switch.
My needs are simply layer 2 on same network and not a single VLAN needed. Just pure switch.
At any time, if I just remove the Mikrotik-switch from this flow and replace it with a gigabit switch I had (I have reset it to default), all works with not a single config.
I suspect that somehow the router-part of the switch is blocking Port 1 from being on the bridge with Port 7 (and all other ports on the switch).
If I put my ISPs cable into the dedicated management port (Port 49), I have mikrotik on this static IP as shown in picture and no problem from a management perspective (but no use when the switch ports 1-48 doesn't switch/broadcast). So it is just when putting my ISP on port 1 that nothing works. Port 7 do not get internet, server connected to port 7 does not travel upwards to port 1 to get Internet (it works if I put the ISP cable directly into server 1).
So it is like it is still working like a router - a router would block the flowchart attached and it would be normal for a router. But I need to have same network on both sides (same mask,gw) passed-through from the WAN-side (data center) to the LAN-side (basically all ports on mikrotik).
The default bridge (was there after reset) includes all ports (1-48), including port 1/ether 1 that have my internet (as you can see from the screenshots). So one gigantic bridge with total broadcast on all ports.From my point of view, the setup reflects all the feedback I have gotten here.
Now I'm beginning to think that I might have to put the switch as gw instead of my ISP on the server. Worth a try... Should not be needed if is a transparent bridge/switch as I have assumed, but maybe a special thing since this is combined router and switch.
You do not have the required permissions to view the files attached to this post.
Last edited by myselfandme on Thu Apr 08, 2021 3:14 pm, edited 1 time in total.
Re: Mikrotik Switch - it is not a switch?
I prefer to avoid that "internet detect". It changes your configuration. There is absolutely no need for "internet detect".
If the connected ether ports remain disabled with the cable in, something is wrong with the cable or connector. (Did it snap in?).
If the connected ether ports remain disabled with the cable in, something is wrong with the cable or connector. (Did it snap in?).
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
I was desperate, so I just tried everything - I did change this when I saw that it didn't work out of the box ;) Since I use the same cable now on a dlink-switch now until I get this fixed, it should rule out any cable errors (then I should see same there). I have also tried to put internet on port 2 and 3.. So it must be a config-mistake. I'm going back to data center today to try and plug everything back on. I will also try a reboot, maybe something is stuck. I just try to collect as much info as possible to see what I can try when I'm there again.I prefer to avoid that "internet detect". It changes your configuration. There is absolutely no need for "internet detect".
If the connected ether ports remain disabled with the cable in, something is wrong with the cable or connector. (Did it snap in?).
Ah, I understand what you see. But the port goes to enable when I connect it. This is just config from when it is not connected on port 1 or 7. I can add that once port 1 is connected, no traffic is shown to flow through it (it only shows bridge traffic), but at least it shows enabled.
Re: Mikrotik Switch - it is not a switch?
Don't call a port "WAN" just based on its number. My "Internet" port on a hEX Gr3 is ether4 - even with ether1 being the default WAN port. Mikrotik gives You almost infinite flexibility (that's what we love on them!), so terminology is important - and not assuming that something is, is. It may very well not be.
So. This IS a switch. It has some low capacity router abilities. But it's a switch. Its default config is to put ALL ports (I think all but the management port) on one single bridge. With this config it works as a dumb switch - at least it should work as one.
In order to understand what is going on, the easiest way is for You to show us the export. It will have all the configs listed. Just open a terminal on the device, and do an "export hide-sensitive file=whatever"
Copy the contents of the file and post here as code. Doing this, we can see where Your config stands and stop the guessing game.
So. This IS a switch. It has some low capacity router abilities. But it's a switch. Its default config is to put ALL ports (I think all but the management port) on one single bridge. With this config it works as a dumb switch - at least it should work as one.
In order to understand what is going on, the easiest way is for You to show us the export. It will have all the configs listed. Just open a terminal on the device, and do an "export hide-sensitive file=whatever"
Copy the contents of the file and post here as code. Doing this, we can see where Your config stands and stop the guessing game.
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
I uploaded the config file in previous post.
Note #1: Since I'm operating with fixed public IPs and not local private ips, there is a bit work involved to remove that information from the config-file. So the places with XX or GWIP is my masking of the real IP addresses.
Note #2: This shows config while not having connected anything to it, since I can't afford downtime. So my management-port is set to WAN (port 49) in this case, so that I was able to remotely connect to it and edit config. But shouldn't matter, it shows the config correctly I think. I added trusted to port 1 and others as you see from config, just to see if that changed things.
I'll add it here for ease.Copy the contents of the file and post here as code. Doing this, we can see where Your config stands and stop the guessing game.
Note #1: Since I'm operating with fixed public IPs and not local private ips, there is a bit work involved to remove that information from the config-file. So the places with XX or GWIP is my masking of the real IP addresses.
Note #2: This shows config while not having connected anything to it, since I can't afford downtime. So my management-port is set to WAN (port 49) in this case, so that I was able to remotely connect to it and edit config. But shouldn't matter, it shows the config correctly I think. I added trusted to port 1 and others as you see from config, just to see if that changed things.
Code: Select all
# model = CRS354-48G-4S+2Q+
# serial number =
/interface bridge
add admin-mac=08:55:31:BB:13:B5 auto-mac=no comment=defconf name=bridge
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool1 ranges=10.10.0.60-10.10.10.90
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge name=server1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 trusted=yes
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment=defconf interface=ether12
add bridge=bridge comment=defconf interface=ether13 trusted=yes
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=ether25
add bridge=bridge comment=defconf interface=ether26
add bridge=bridge comment=defconf interface=ether27
add bridge=bridge comment=defconf interface=ether28
add bridge=bridge comment=defconf interface=ether29
add bridge=bridge comment=defconf interface=ether30
add bridge=bridge comment=defconf interface=ether31
add bridge=bridge comment=defconf interface=ether32
add bridge=bridge comment=defconf interface=ether33
add bridge=bridge comment=defconf interface=ether34
add bridge=bridge comment=defconf interface=ether35
add bridge=bridge comment=defconf interface=ether36
add bridge=bridge comment=defconf interface=ether37
add bridge=bridge comment=defconf interface=ether38
add bridge=bridge comment=defconf interface=ether39
add bridge=bridge comment=defconf interface=ether40
add bridge=bridge comment=defconf interface=ether41
add bridge=bridge comment=defconf interface=ether42
add bridge=bridge comment=defconf interface=ether43
add bridge=bridge comment=defconf interface=ether44
add bridge=bridge comment=defconf interface=ether45
add bridge=bridge comment=defconf interface=ether46
add bridge=bridge comment=defconf interface=ether47
add bridge=bridge comment=defconf interface=ether48
add bridge=bridge comment=defconf interface=ether49
add bridge=bridge comment=defconf interface=qsfpplus1-1
add bridge=bridge comment=defconf interface=qsfpplus1-2
add bridge=bridge comment=defconf interface=qsfpplus1-3
add bridge=bridge comment=defconf interface=qsfpplus1-4
add bridge=bridge comment=defconf interface=qsfpplus2-1
add bridge=bridge comment=defconf interface=qsfpplus2-2
add bridge=bridge comment=defconf interface=qsfpplus2-3
add bridge=bridge comment=defconf interface=qsfpplus2-4
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether49 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=ether25 list=LAN
add interface=ether26 list=LAN
add interface=ether27 list=LAN
add interface=ether28 list=LAN
add interface=ether29 list=LAN
add interface=ether30 list=LAN
add interface=ether31 list=LAN
add interface=ether32 list=LAN
add interface=ether33 list=LAN
add interface=ether34 list=LAN
add interface=ether35 list=LAN
add interface=ether36 list=LAN
add interface=ether37 list=LAN
add interface=ether38 list=LAN
add interface=ether39 list=LAN
add interface=ether40 list=LAN
add interface=ether41 list=LAN
add interface=ether42 list=LAN
add interface=ether43 list=LAN
add interface=ether44 list=LAN
add interface=ether45 list=LAN
add interface=ether46 list=LAN
add interface=ether47 list=LAN
add interface=ether48 list=LAN
add interface=qsfpplus1-1 list=LAN
add interface=qsfpplus1-2 list=LAN
add interface=qsfpplus1-3 list=LAN
add interface=qsfpplus1-4 list=LAN
add interface=qsfpplus2-1 list=LAN
add interface=qsfpplus2-2 list=LAN
add interface=qsfpplus2-3 list=LAN
add interface=qsfpplus2-4 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=XX/26 comment=defconf interface=bridge network=\
XX
add address=XX/26 interface=bridge network=XX
add address=XX/24 comment=LocalAdmin interface=bridge network=\
XX
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add dns-server=8.8.8.8 gateway=XXXX
/ip dns
set servers=XXX,XX
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
add action=masquerade chain=srcnat dst-address=GWIP
/ip route
add gateway=GWIP
/ipv6 address
add address=XXX interface=bridge
/ppp secret
add name=vpn
/system routerboard settings
set boot-os=router-os
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
Does this mean anything? I have tried to click Switch all ports, but after a while, the checkmark disappears (maybe because it is redundant since all ports are in bridge)?
You do not have the required permissions to view the files attached to this post.
Re: Mikrotik Switch - it is not a switch?
Pfff ... if you want a switch, config it as a switch, not as a router please.
Wireless ???? No need for wireless.
No need for a DHCP server on a switch
PPP is for a router
No need for this
Useless, these interfaces have no membership, only the bridge has membership. And the LAN or WAN list is nowhere used in this config.
Router level again
Is for the not needed DHCP server
Traffic does not pass the firewall. And even then you would masquerate way too much (out-interface =bridge is everything!)
Only for management of the switch (and possible firmware download from the internet)
VPN is router level
And ... you touched the Switch menu. Be aware that either you do everything in Bridge (and nothing in Switch), or just add all interfaces to the bridge (nothing else), and do the config in the Switch menu only. This "Smart switch" mode is activated/deactivated with the "VLAN filtering" in the defined bridge, but be VERY CAREFULL to not lock yourselves out when activated!
Code: Select all
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTikCode: Select all
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool1 ranges=10.10.0.60-10.10.10.90
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge name=server1Code: Select all
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpnCode: Select all
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yesCode: Select all
/interface list member
add interface=ether49 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=ether25 list=LAN
add interface=ether26 list=LAN
add interface=ether27 list=LAN
add interface=ether28 list=LAN
add interface=ether29 list=LAN
add interface=ether30 list=LAN
add interface=ether31 list=LAN
add interface=ether32 list=LAN
add interface=ether33 list=LAN
add interface=ether34 list=LAN
add interface=ether35 list=LAN
add interface=ether36 list=LAN
add interface=ether37 list=LAN
add interface=ether38 list=LAN
add interface=ether39 list=LAN
add interface=ether40 list=LAN
add interface=ether41 list=LAN
add interface=ether42 list=LAN
add interface=ether43 list=LAN
add interface=ether44 list=LAN
add interface=ether45 list=LAN
add interface=ether46 list=LAN
add interface=ether47 list=LAN
add interface=ether48 list=LAN
add interface=qsfpplus1-1 list=LAN
add interface=qsfpplus1-2 list=LAN
add interface=qsfpplus1-3 list=LAN
add interface=qsfpplus1-4 list=LAN
add interface=qsfpplus2-1 list=LAN
add interface=qsfpplus2-2 list=LAN
add interface=qsfpplus2-3 list=LAN
add interface=qsfpplus2-4 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LANCode: Select all
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yesCode: Select all
/ip dhcp-server network
add dns-server=8.8.8.8 gateway=XXXXCode: Select all
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
add action=masquerade chain=srcnat dst-address=GWIPCode: Select all
/ip route
add gateway=GWIP
/ipv6 address
add address=XXX interface=bridgeCode: Select all
/ppp secret
add name=vpn
And ... you touched the Switch menu. Be aware that either you do everything in Bridge (and nothing in Switch), or just add all interfaces to the bridge (nothing else), and do the config in the Switch menu only. This "Smart switch" mode is activated/deactivated with the "VLAN filtering" in the defined bridge, but be VERY CAREFULL to not lock yourselves out when activated!
You do not have the required permissions to view the files attached to this post.
Re: Mikrotik Switch - it is not a switch?
One of the biggest pitfalls with Mikrotik and RouterOS is that you can do anything - and even those things you really don't want to do. You can also do stupid things on a Mikrotik-switch and make all traffic pass trough the CPU instead of the Switch-chip. You can also lock yourself out completly and only be left with serial console. In contrast to a dumb switch where you can either have a trunk or an access-port, and nothing much else.
Never ever use "detect internet" !
For you case, I would simply use a bridge with two VLANs:
10 - Management
20 - Servers1
Since the CRS354 has a very fancy switch chip, you can use the regular bridge fashion. (others need to use the /interface ethernet switch section)
For example:
The Ether49 port seems to be directly attached to the CPU, and should not belong to any bridge. Just put an IP-address of choise on that.
Never ever use "detect internet" !
For you case, I would simply use a bridge with two VLANs:
10 - Management
20 - Servers1
Since the CRS354 has a very fancy switch chip, you can use the regular bridge fashion. (others need to use the /interface ethernet switch section)
For example:
Code: Select all
/interface bridge vlan
add bridge=bridge untagged=ether48 vlan-ids=10 command="Management"
add bridge=bridge untagged=ether1,ether2,ether3,ether4 vlan-ids=20 comment="Servers1"
/interface bridge port
add bridge=bridge interface=ether1 pvid=20 comment="to ISP router"
add bridge=bridge interface=ether2 pvid=20 comment="to some server"
add bridge=bridge interface=ether3 pvid=20
add bridge=bridge interface=ether4 pvid=20
add bridge=bridge interface=ether48 pvid=10 comment="Management"
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
/ip address
add address=192.168.88.1/24 interface=vlan10
Last edited by mada3k on Thu Apr 08, 2021 9:43 pm, edited 1 time in total.
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
You need to tell that to Mikrotik. It is automatically added. I have not use for wireless and have not configured it. The same for the bridge-layout and the other stuff you mentioned.Wireless ???? No need for wireless.Code: Select all/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
After a few hours of resetting, adjusting config and even removing all bridges - and just activated switch on all ports - nothing worked. I was about to give up. I downgraded the version I used and then I reset it. But this time, I did not connect to it after reset at all. So the default local IP was kept. Usually, I configured the switch so I could manage it from a pre-defined workstation with fixed IP. But likely, when I specified router during first login (so I could get internet on the management interface amoung other things), it activated some router-feature I couldn't turn off. Now I have no internet on the management interface, but at least bridge is working! :) And I have managment on a local ip.
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
When I don't have any other switches downwards between this router/switch, I have to add vlan-setting to each servers network card to make it work?For you case, I would simply use a bridge with two VLANs:
10 - Management
20 - Servers1
Since the CRS354 has a very fancy switch chip, you can use the regular bridge fashion. (others need to use the /interface ethernet switch section)
For example:The Ether49 port seems to be directly attached to the CPU, and should not belong to any bridge. Just put an IP-address of choise on that.Code: Select all/interface bridge vlan add bridge=bridge untagged=ether48 vlan-ids=10 command="Management" add bridge=bridge untagged=ether1,ether2,ether3,ether4 vlan-ids=20 comment="Servers1" /interface bridge port add bridge=bridge interface=ether1 pvid=20 comment="to ISP router" add bridge=bridge interface=ether2 pvid=20 comment="to some server" add bridge=bridge interface=ether3 pvid=20 add bridge=bridge interface=ether4 pvid=20 add bridge=bridge interface=ether48 pvid=10 comment="Management" /interface vlan add interface=bridge name=vlan10 vlan-id=10 /ip address add address=192.168.88.1/24 interface=vlan10
Re: Mikrotik Switch - it is not a switch?
No, untagged=ether1,ether2,ether3,ether4 means that those ports will be access ports (no vlan tags) that will work with regular servers and clients. Then pvid=20 will instruct the switch that this ports are member for VLAN20 (as in should be tagged with 20).
Also, you should enable VLAN-filtering on the bridge when done.
Also, you should enable VLAN-filtering on the bridge when done.
Re: Mikrotik Switch - it is not a switch?
# model = CRS354-48G-4S+2Q+
# serial number =
/interface bridge
add admin-mac=08:55:31:BB:13:B5 auto-mac=no comment=defconf name=bridge
-> Up until now, ok.
/interface list
add name=WAN
add name=LAN
-> This shouldn't be here. All interfaces are part of the same bridge, and (at this point) no VLAN is set. All we have is a big dumb switch. Get rid of these interfaces lists.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
-> This is weird, but harmless. It's more a generic artifact of a default configuration than anything else. You see, it looks for a default wireless interface (find default=yes), but there's none. So it ignores it.
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool1 ranges=10.10.0.60-10.10.10.90
-> Are you using this switch as a DHCP server? Why? How? You have two pools, one bridge and no VLAN. This will not work as it is now. Well, if the DHCP server is off it doesn't matter - won't be used anyway.
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge name=server1
-> Ah. Found the DHCP server. Why? Don't You have another one on Your network? Just set a fixed IP to the switch, turn off the DHCP server, and be done with this. Later, if needed, You can always turn it one. But let's make the switch act just like a switch first. Walking before running, and all that.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
->No. Just no. FIRST we make the switch work, THEN we complicate things. And before that, we do an export and a backup.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 trusted=yes
....
add bridge=bridge comment=defconf interface=sfp-sfpplus4
-> Everything looks fine here. One thing: a trusted port accepts DHCP traffic from the DHCP server - it has nothing to do with DHCP clients. It's main function is to protect Your network from someone plugin a rogue DHCP server in some desktop cable.
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
-> Please, PLEASE, pretty please, with a cherry on top: don't use this.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
-> An L2TP server, on a switch? Why? Turn it off. At least until we learn to run. Now we are crawling, trying to walk.
/interface list member
add interface=ether49 list=WAN
.......
add interface=sfp-sfpplus4 list=LAN
-> Port 49 is for administration only. You DON'T want to route traffic through it, trust me on this. Since all ports (1 - 48) are on the same network segment, makes no sense to use interface list.
/interface pptp-server server
set enabled=yes
-> Again: why?
/interface sstp-server server
set default-profile=default-encryption enabled=yes
-> I don't even know why I keep asking, but... Why?
/ip address
add address=XX/26 comment=defconf interface=bridge network=\
XX
add address=XX/26 interface=bridge network=XX
add address=XX/24 comment=LocalAdmin interface=bridge network=\
XX
-> 3 different addresses on the same interface? Two of them with different masks? Why? What was the idea behind this?
/ip cloud
set ddns-enabled=yes
-> Ok. I mean, if You want to access this switch directly from the internet. But I don't see firewall rules here...
/ip dhcp-server network
add dns-server=8.8.8.8 gateway=XXXX
-> Don't Your network have an DHCP server already?
/ip dns
set servers=XXX,XX
-> Ok
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
add action=masquerade chain=srcnat dst-address=GWIP
-> No. please no. This is a switch, and this NAT rule will masquerade EVERYTHING that crosses the bridge. Just get rid of these two rules.
/ip route
add gateway=GWIP
-> OK
/ipv6 address
add address=XXX interface=bridge
-> OK
/ppp secret
add name=vpn
-> Why?
/system routerboard settings
set boot-os=router-os
-> OK
# serial number =
/interface bridge
add admin-mac=08:55:31:BB:13:B5 auto-mac=no comment=defconf name=bridge
-> Up until now, ok.
/interface list
add name=WAN
add name=LAN
-> This shouldn't be here. All interfaces are part of the same bridge, and (at this point) no VLAN is set. All we have is a big dumb switch. Get rid of these interfaces lists.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
-> This is weird, but harmless. It's more a generic artifact of a default configuration than anything else. You see, it looks for a default wireless interface (find default=yes), but there's none. So it ignores it.
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=pool1 ranges=10.10.0.60-10.10.10.90
-> Are you using this switch as a DHCP server? Why? How? You have two pools, one bridge and no VLAN. This will not work as it is now. Well, if the DHCP server is off it doesn't matter - won't be used anyway.
/ip dhcp-server
add address-pool=pool1 disabled=no interface=bridge name=server1
-> Ah. Found the DHCP server. Why? Don't You have another one on Your network? Just set a fixed IP to the switch, turn off the DHCP server, and be done with this. Later, if needed, You can always turn it one. But let's make the switch act just like a switch first. Walking before running, and all that.
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
->No. Just no. FIRST we make the switch work, THEN we complicate things. And before that, we do an export and a backup.
/interface bridge port
add bridge=bridge comment=defconf interface=ether1 trusted=yes
....
add bridge=bridge comment=defconf interface=sfp-sfpplus4
-> Everything looks fine here. One thing: a trusted port accepts DHCP traffic from the DHCP server - it has nothing to do with DHCP clients. It's main function is to protect Your network from someone plugin a rogue DHCP server in some desktop cable.
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
-> Please, PLEASE, pretty please, with a cherry on top: don't use this.
/interface l2tp-server server
set enabled=yes use-ipsec=yes
-> An L2TP server, on a switch? Why? Turn it off. At least until we learn to run. Now we are crawling, trying to walk.
/interface list member
add interface=ether49 list=WAN
.......
add interface=sfp-sfpplus4 list=LAN
-> Port 49 is for administration only. You DON'T want to route traffic through it, trust me on this. Since all ports (1 - 48) are on the same network segment, makes no sense to use interface list.
/interface pptp-server server
set enabled=yes
-> Again: why?
/interface sstp-server server
set default-profile=default-encryption enabled=yes
-> I don't even know why I keep asking, but... Why?
/ip address
add address=XX/26 comment=defconf interface=bridge network=\
XX
add address=XX/26 interface=bridge network=XX
add address=XX/24 comment=LocalAdmin interface=bridge network=\
XX
-> 3 different addresses on the same interface? Two of them with different masks? Why? What was the idea behind this?
/ip cloud
set ddns-enabled=yes
-> Ok. I mean, if You want to access this switch directly from the internet. But I don't see firewall rules here...
/ip dhcp-server network
add dns-server=8.8.8.8 gateway=XXXX
-> Don't Your network have an DHCP server already?
/ip dns
set servers=XXX,XX
-> Ok
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
add action=masquerade chain=srcnat dst-address=GWIP
-> No. please no. This is a switch, and this NAT rule will masquerade EVERYTHING that crosses the bridge. Just get rid of these two rules.
/ip route
add gateway=GWIP
-> OK
/ipv6 address
add address=XXX interface=bridge
-> OK
/ppp secret
add name=vpn
-> Why?
/system routerboard settings
set boot-os=router-os
-> OK
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
Ah, cool :) That would solve a problem I have now, I want a clients server to not see mine. So I just set one client connected to port 10 as VLAN10 for instance, and my to port 20. If I don't set any VLAN on the internet-interface, they will still get into the internet? I was looking around for a way to isolate clients on the switch and I thought horzion-setting was the only thing I could use when having a bridge (and didn't quite understand it). Isolate them to vlan in that way you explain sounds the perfect solution :)No, untagged=ether1,ether2,ether3,ether4 means that those ports will be access ports (no vlan tags) that will work with regular servers and clients. Then pvid=20 will instruct the switch that this ports are member for VLAN20 (as in should be tagged with 20).
Also, you should enable VLAN-filtering on the bridge when done.
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
The idea was to access the switch both from Internet AND from a local closed non-internet-connected site. Management was actually the only thing that worked (both internet and local) until I found the solution ;)/ip address
add address=XX/26 comment=defconf interface=bridge network=\
XX
add address=XX/26 interface=bridge network=XX
add address=XX/24 comment=LocalAdmin interface=bridge network=\
XX
-> 3 different addresses on the same interface? Two of them with different masks? Why? What was the idea behind this?
Re: Mikrotik Switch - it is not a switch?
It is not advisable to make the switch accessible (managable) from the internet!
When you really need that, setup a VPN with proper authentication (e.g. L2TP/IPsec) and allow management only from that VPN.
When you really need that, setup a VPN with proper authentication (e.g. L2TP/IPsec) and allow management only from that VPN.
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
Yeah, I know. It was only added during debug, so I could mange it somehow. But never mind, this issue is solved now, the error was setting gw during setup it seems.It is not advisable to make the switch accessible (managable) from the internet!
When you really need that, setup a VPN with proper authentication (e.g. L2TP/IPsec) and allow management only from that VPN.
-
-
myselfandme
just joined
- Posts: 21
- Joined:
Re: Mikrotik Switch - it is not a switch?
I have created two VLANs on the bridge: One with port 1,2,10 (pvid 10) and one with 1,2,20 (pvid 20). All untagged. Is it first when I add vlan-filtering that the traffic will be isolated from eachother or should that be it? Port 10 and 20 is two different customers, while port 1/2 is my ISP.No, untagged=ether1,ether2,ether3,ether4 means that those ports will be access ports (no vlan tags) that will work with regular servers and clients. Then pvid=20 will instruct the switch that this ports are member for VLAN20 (as in should be tagged with 20).
Also, you should enable VLAN-filtering on the bridge when done.
Re: Mikrotik Switch - it is not a switch?
Any port can be untagged for at most one VLAN, unfortunately the Mikrotik user interface does not enforce this so you can create nonsensical configurations.
If you are trying to isolate your two customers who are sharing the same public subnet from the ISP then you should be looking at port isolation, not VLANs. I'm not sure why you want to stop the two customers from seeing each others servers if the rest of the world can.
If you are trying to isolate your two customers who are sharing the same public subnet from the ISP then you should be looking at port isolation, not VLANs. I'm not sure why you want to stop the two customers from seeing each others servers if the rest of the world can.