Eth1 vlan 911 tagging for ISP connection

Posted: Thu Apr 25, 2024 9:20 pm
by Airiasas
Hi,

I am after some guidance.
Basically I am unable to connect my router (MikroTik RB5009UPr+S+IN) to the ISP's network.
ISP's requirements:
"You basically need to provision the WAN/Internet interface for IP over Ethernet.
Second requirement is that VLAN tagging needs to be enabled on the interface and set to vlan 911.
Third requirement is that the interface IP needs to be set to DHCP. That way it automatically gets assigned an IP from our DHCP server."

My config (it seems that I cannot get an address from DHCP):

Image
I would appreciate if someone would help me to get my router connected. Thanks

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Thu Apr 25, 2024 9:47 pm
by Benzebub
Do you have any firewall rules that might block?

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Thu Apr 25, 2024 11:45 pm
by anav
You need to go to IP DHCP client next.....
and select vlan 911 as the interface ( not vlanfiber! )

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 2:53 am
by Airiasas
Image

vlanfiber is a VLAN created and set to VLAN 911; the only other option I have is Fiber_eth1. I cannot add vlan 911 as you mentioned in DHCP client?
Even when I switch the DHCP client to Fiber_eth1, same issue: it does not seem to get an address.
Can you advise further? Sorry

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 3:42 am
by Amm0
The 1st requirement is kinda odd: "IP over ethernet". If that means PPPoE (or perhaps MikroTik-specific EoIP?) that would be a different story, but I presume they just mean it has a VLAN. But step 1 is an odd way to state a requirement.

One thing that might help here is if you can use /tool/torch on the fiber or VLAN, and just see what kind of packets are flowing over the line and/or what VLAN they appear on.

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 3:42 am
by Airiasas
> Do you have any firewall rules that might block?

Does not seem like there is anything that could block it?
Image

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 3:45 am
by Amm0
Did you add "vlanfiber" VLAN interface as a LAN in /interface/list?

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 3:52 am
by Airiasas
> Did you add "vlanfiber" VLAN interface as a LAN in /interface/list?

Image

Torch results:
Image

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 4:04 am
by Amm0
Yeah I meant WAN. So that's right.

Try the ether1 in torch, to see if you are getting any traffic from upstream. The torch above shows your dhcp-client looking for an address on VLAN 911.

Might want to post your config too. In terminal, :export file=config.rsc then download from Files.
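
An added example, not part of the original thread: a small Python parser that does offline what torch is being used for here, checking whether DHCP frames in a capture carry the 802.1Q tag for VLAN 911 and whether any reply came back. It assumes the capture was taken on the physical port so the tag is still present; the sample frames are constructed, and all function names are hypothetical.

```python
import struct

TPID_8021Q, ETH_IPV4, PROTO_UDP = 0x8100, 0x0800, 17
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_frame(frame):
    """Return {'vlan': VID or None if untagged, 'dhcp': message type or None}."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, info = 14, {"vlan": None, "dhcp": None}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan"], offset = tci & 0x0FFF, 18   # low 12 bits of the TCI are the VID
    if ethertype != ETH_IPV4 or len(frame) < offset + 20:
        return info
    udp = offset + (frame[offset] & 0x0F) * 4     # IHL gives the IPv4 header length
    if frame[offset + 9] != PROTO_UDP or len(frame) < udp + 8:
        return info
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    opts = udp + 8 + 236                          # UDP header + fixed BOOTP header
    if {sport, dport} != {67, 68} or frame[opts:opts + 4] != DHCP_MAGIC:
        return info
    i = opts + 4
    while i + 1 < len(frame) and frame[i] != 255: # 255 = end option
        if frame[i] == 0:                         # 0 = pad option, no length byte
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        if code == 53 and length == 1 and i + 2 < len(frame):
            info["dhcp"] = DHCP_TYPES.get(frame[i + 2], "type-%d" % frame[i + 2])
            break
        i += 2 + length
    return info

def diagnose(frames, expected_vlan=911):
    """Summarise a capture: was DISCOVER tagged correctly, did anything answer?"""
    dhcp = [p for p in map(parse_frame, frames) if p["dhcp"]]
    if not dhcp:
        return "no DHCP traffic captured"
    tagged = [p["dhcp"] for p in dhcp if p["vlan"] == expected_vlan]
    if "DISCOVER" not in tagged:
        return "DISCOVER not tagged with VLAN %d" % expected_vlan
    if not {"OFFER", "ACK"} & set(tagged):
        return "DISCOVER sent on VLAN %d, no reply from upstream" % expected_vlan
    return "DHCP reply received on VLAN %d" % expected_vlan

def build_dhcp_frame(msg_type, vlan=None, from_client=True):
    """Constructed sample frame (placeholder MAC, zero checksums), not captured data."""
    eth = b"\xff" * 6 + bytes.fromhex("020000000001")
    if vlan is not None:
        eth += struct.pack("!HH", TPID_8021Q, vlan)
    eth += struct.pack("!H", ETH_IPV4)
    bootp = bytes([1 if from_client else 2, 1, 6, 0]) + bytes(232)
    bootp += DHCP_MAGIC + bytes([53, 1, msg_type, 255])
    sport, dport = (68, 67) if from_client else (67, 68)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     PROTO_UDP, 0, bytes(4), b"\xff" * 4)
    return eth + ip + udp

if __name__ == "__main__":
    discover = build_dhcp_frame(1, vlan=911)
    print(diagnose([discover, discover, discover]))
```

A result of "DISCOVER sent on VLAN 911, no reply from upstream" matches the symptom in this thread: the client side is tagging correctly and the missing piece is on the ISP side.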

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 4:10 am
by Airiasas
> Yeah I meant WAN. So that's right.
>
> Try the ether1 in torch, to see if you are getting any traffic from upstream. The torch above shows your dhcp-client looking for an address on VLAN 911.
>
> Might want to post your config too. In terminal, :export file=config.rsc then download from Files.

ether1 results in torch:
Image
config:
# apr/26/2024 02:08:43 by RouterOS 7.8

# model = RB5009UPr+S+

/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=Port1 name=Fiber_eth1
/interface vlan
add interface=Fiber_eth1 name=vlanfiber vlan-id=911
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlanfiber list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add interface=vlanfiber
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 4:33 am
by Amm0
This all looks right. The odd thing is that it does look like the ISP thinks your IP is 10.2.118.106 on VLAN 911.

You're running an older version. And I want to say some version had some bug in dhcp-client around that time.

You may want to download the latest stable release, and copy it to the root of Files, then reboot:
https://download.mikrotik.com/routeros/ ... -arm64.npk

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 4:48 am
by Airiasas
> This all looks right. The odd thing is that it does look like the ISP thinks your IP is 10.2.118.106 on VLAN 911.
>
> You're running an older version. And I want to say some version had some bug in dhcp-client around that time.
>
> You may want to download the latest stable release, and copy it to the root of Files, then reboot:
> https://download.mikrotik.com/routeros/ ... -arm64.npk

After the update torch results:
Image
Image

config:
# 2024-04-26 02:38:02 by RouterOS 7.14.3

# model = RB5009UPr+S+

/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
# poe-out status: short_circuit
set [ find default-name=ether1 ] comment=Port1 name=Fiber_eth1
/interface vlan
add interface=Fiber_eth1 name=vlanfiber vlan-id=911
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlanfiber list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add interface=vlanfiber
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I am at a bit of a loss, it's never easy...

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 5:06 am
by Amm0
Maybe disable PoE on ether1? e.g. you have this message:
# poe-out status: short_circuit
It's possible that's interfering with the traffic, since you're not getting anything back (or at least only a few packets).

Can also look at Logs, and see if anything there has errors/warnings.

But I'm kinda out of suggestions here. Maybe someone else has an idea here.

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 5:18 am
by Airiasas
> Maybe disable PoE on ether1? e.g. you have this message:
> # poe-out status: short_circuit
> It's possible that's interfering with the traffic, since you're not getting anything back (or at least only a few packets).
>
> Can also look at Logs, and see if anything there has errors/warnings.
>
> But I'm kinda out of suggestions here. Maybe someone else has an idea here.

Disabled it, rebooted the router - error disappeared

did another torch scan:
Image
Image

I hope someone can help, I raised this with ISP too, will see what they say as I am out of ideas

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 5:27 am
by Amm0
I suppose you can try disabling the "input" firewall filter rule with "drop" and "!LAN" & see if you get a DHCP address after that.
If that works, then you might have to allow DHCP from the VLAN 911 to the firewall to allow it I guess.

And/or, just assign the IP address it's showing in torch as an /ip/address for the VLAN. e.g.
/ip/address/add interface=vlanfiber address=10.2.118.106/24
Then see if /ping 10.2.118.1 works from RouterOS Terminal?

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 5:43 am
by Airiasas
> I suppose you can try disabling the "input" firewall filter rule with "drop" and "!LAN" & see if you get a DHCP address after that.
> If that works, then you might have to allow DHCP from the VLAN 911 to the firewall to allow it I guess.
>
> And/or, just assign the IP address it's showing in torch as an /ip/address for the VLAN. e.g.
> /ip/address/add interface=vlanfiber address=10.2.118.106/24
> Then see if /ping 10.2.118.1 works from RouterOS Terminal?

Disabled the "input" firewall filter rule with "drop" and "!LAN" & rebooted the router, did not get DHCP address after that

I assigned the IP address, does not seem to ping:
    sent=180 received=0 packet-loss=100%
  SEQ HOST                                     SIZE TTL TIME       STATUS
  180 10......                                                     timeout
  181 10.......                                                    timeout
  182 10.......                                                    timeout
  183 10.......                                  84  64 31ms535us  host unreac...

    sent=200 received=0 packet-loss=100%

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 6:05 am
by Amm0
Okay, that's all I got. I was guessing at the default gateway, and it's unclear why touch the dst-addr of 10.x.x.x

Is there a modem to reboot? But I think you're going to have to confirm with your ISP the needed settings. As I said, the first step "IP over ethernet" is just pretty vague.

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 6:21 am
by Airiasas
> Okay, that's all I got. I was guessing at the default gateway, and it's unclear why touch the dst-addr of 10.x.x.x
>
> Is there a modem to reboot? But I think you're going to have to confirm with your ISP the needed settings. As I said, the first step "IP over ethernet" is just pretty vague.

Am I missing PPPoE settings or setup on the router? Can they use PPPoE without a username and password? Would I have to potentially clone the MAC address of the ISP's router on my MikroTik router (if that's even possible)? As I assume they would have provided it when I contacted them regarding router set-up...
I have seen this forum post of someone setting up a TP-Link router with the same provider; they seem to have a similar issue: https://forums.thinkbroadband.com/fibre ... .html?vc=1

I have contacted the ISP again for clarification and support, but if anyone else has any ideas I would appreciate your support. Thanks

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 7:18 am
by Amm0
Yeah, they may need to know your MAC address. You can "clone it" by simply entering your old router's MAC address on the ether1 interface; obviously your older router would have to be unplugged after.

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Fri Apr 26, 2024 9:56 pm
by Airiasas
Cloning MAC address of ISP's router did not work, still seems to be doing the same thing where it does not pick up IP from DHCP, still waiting for a response from ISP...

Re: Eth1 vlan 911 tagging for ISP connection

Posted: Sun Apr 28, 2024 1:37 am
by Airiasas
Just an update for anyone who might be experiencing or going through a similar issue: the ISP advised that the router config seems to be fine. They reduced the DHCP lease to 5 min and advised me to connect the MikroTik router. I have restarted the ONT & MikroTik router; unfortunately it still appears to be searching for an IP address and has not received one yet, 30 minutes later. The router will be left plugged in overnight and I will see if anything changes by tomorrow...

Asked ISP what further steps will be taken to resolve the issue if this won't fix it, currently waiting for further guidance...

Re: Eth1 vlan 911 tagging for ISP connection  [SOLVED]

Posted: Sun Apr 28, 2024 3:02 pm
by Airiasas
Eventually, the Mikrotik router seemed to pick up the IP from DHCP after ISP reduced the lease time from DHCP to 5 minutes, not entirely sure why it took so long...