Sparkling
just joined
Topic Author
Posts: 6
Joined: Sun Jul 06, 2014 9:38 pm

Share cable IPTV & Internet RB951G/CRS125

Sat Jul 12, 2014 5:01 pm

Hi guys,

I've been using a RB951G-2HnD for about a year now, as my primary router.

My ISP sends 2 VLANs for the services:
-VLAN 6 as transport for the PPPoE session
-VLAN 4 for multicast IPTV traffic

My RB951G has 2 bridges (bridge-local & bridge-iptv). This means I have to connect 2 wires from the router to my apartment: 1 is connected to bridge-local and the other to bridge-iptv, obviously.
This configuration works, however it would be great if I could share both services on 1 UTP cable. I've ordered a CRS125 to accomplish this, yet I'm not sure how to set it all up.

I don't use a VLAN for my local network & VLAN 4 is delivered to my STB's, untagged.

Is it possible to configure the RB951G the way I would like, or should I use the CRS125 for it?

This is the relevant config of my RB951G:
/interface ethernet
#
# Port 1 (ether1) = NTU 
#
set 0 arp=proxy-arp auto-negotiation=yes  \
    disabled=no full-duplex=yes l2mtu=1598  \
    mtu=1500 name=ether1-gateway speed=1Gbps
#
# Port 2 (ether2) = LAN
#

set 1 arp=enabled auto-negotiation=yes \
    disabled=no full-duplex=yes l2mtu=1598 \
    mtu=1500 name=ether2 speed=1Gbps

#
# VLAN 4 = iptv
# VLAN 6 = internet
#

/interface vlan
add arp=enabled disabled=no interface=ether1-gateway l2mtu=1594 mtu=1500 \
    name=vlan1.6 use-service-tag=no vlan-id=6
add interface=ether1-gateway l2mtu=1594 name=vlan1.4 vlan-id=4

#
# PPPoE profile
#

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default

#
# PPPoE Client
#

/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 \
    dial-on-demand=no disabled=no interface=vlan1.6 keepalive-timeout=20 max-mru=1480 max-mtu=1480 \
    mrru=disabled name=pppoe password=xxx profile=default \
    use-peer-dns=no user=xx-xx-xx-xx-xx-xx
	
#
# Bridges
#

/interface bridge
add name=bridge-local arp=proxy-arp
add name=bridge-iptv

/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=wlan1
add bridge=bridge-iptv interface=vlan1.4
add bridge=bridge-iptv interface=ether5
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Jul 17, 2014 12:33 am

Well, IGMP Proxy should resolve that problem, so you can put everything behind the NAT... ;)

For example, I use a CRS125 for the very same purpose; the only difference is that my ISP doesn't use PPPoE but plain DHCP.
And 10.0.0.0/23 is ISP IPTV servers network.

Relevant config:

ros code

/interface vlan
add interface=sfp1 l2mtu=1584 name=sfp1.4 vlan-id=4

/ip dhcp-client
add default-route-distance=0 dhcp-options=clientid,hostname disabled=no \
    interface=sfp1
add add-default-route=special-classless dhcp-options=clientid,hostname disabled=no \
    interface=sfp1.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1
add action=masquerade chain=srcnat out-interface=sfp1.4

/routing igmp-proxy
set query-interval=1m5s

/routing igmp-proxy interface
add alternative-subnets=10.0.0.0/23 interface=sfp1.4 upstream=yes
add interface=ether01
This is CRS specific, and as MikroTik doesn't support IGMP Snooping I'm forced to use multicast-fdb,
as I don't want to flood multicast out to all interfaces, but only to STBs. (Filtering by STB MAC addresses)

ros code

/interface ethernet switch multicast-fdb
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
As a sidenote, I don't use a bridge interface. Local network IP and DHCP is directly configured to ether01, which is master for all other ports.
SFP1 is the Internet VLAN from the ISP, which is untagged; SFP1.4 is IPTV VLAN 4, tagged.
Local network is "flat", no separate VLANs, everything is in the same subnet (the very same way as you want to achieve this)
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Jul 17, 2014 2:13 am

Sharing multiple networks over one cable can be done with VLANs.
But you need a VLAN-capable device on both sides of the network.
There are simple 8 or 16 port switches which support Layer 2 VLANs, like the TP-Link TL-SG1016DE (http://nl.tp-link.com/products/details/ ... 016DE#spec)
Pricing around € 95 (https://www.4launch.nl/shop/#p-4-productid-347477)

On the MKT side you make 2 tagged VLAN interfaces on an ethernet port.
And add those tagged VLAN interfaces to the bridges you have.
On the switch side you define 2 VLANs and put those tagged on the single uplink port and untagged on the other ports you wish to use for TV and for computer/LAN.
The VLAN IDs on the link between the MKT and the switch are free to choose, like 100 and 200. They do not need to be the same as the VLAN 4/6 you have on your WAN side.
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Jul 17, 2014 9:37 am

IMHO, I don't see any reasonable point in using different internal VLANs on such a small network...especially when you only have a couple of STBs... :)
Also that would require changing the switch config every time you unplug an STB and plug it in somewhere else.

When you have one "flat" LAN, you can just connect and disconnect devices without even logging into the router or switch and it would just work. ;)
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Jul 17, 2014 12:59 pm

@Etz

Yes flat would be perfect but is not working in his situation.
The STB's are not using a 'standard' internet connection. They have a separate network on the provider network and should have direct IP's from the provider. So also no NAT.
The LAN devices require a 'normal' internet connection and also should use NAT.
This is why you need 2 separate networks internally. The 2 internal networks must be connected to the 2 external ISP VLAN networks.

I have made a lot of this kind of constructions for customers who have KPN or XS4ALL (Dutch ISP's) who are working with VLAN 4 (TV), 6 (PPPoE internet) and 7 (VoIP).
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Jul 17, 2014 1:04 pm

> Yes flat would be perfect but is not working in his situation.
Why not?
> The STB's are not using a 'standard' internet connection. They have a separate network on the provider network and should have direct IP's from the provider. So also no NAT.
Actually they do not. I have a pretty similar setup myself, and it will work just fine behind the NAT; you just need to provide connectivity for STBs via IGMP Proxy.
Also UDP connectivity is needed to receive the stream.
> The LAN devices require a 'normal' internet connection and also should use NAT.
> This is why you need 2 separate networks internally. The 2 internal networks must be connected to the 2 external ISP VLAN networks.
You don't need multiple internal networks for this; routes received via DHCP or even static routes would resolve this.
The only thing you need is 2 NATs, one for every uplink, and IGMP Proxy for the IPTV VLAN.
> I have made a lot of this kind of constructions for customers who have KPN or XS4ALL (Dutch ISP's) who are working with VLAN 4 (TV), 6 (PPPoE internet) and 7 (VoIP).
I have done multiple setups in Telia networks, and also worked for years for one of the ISPs belonging to Telia. ;)
 
i4jordan
Frequent Visitor
Posts: 77
Joined: Mon Sep 02, 2013 1:42 am

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Jul 17, 2014 1:28 pm

@Etz

I do not say your solution is not working.
It is more that I have not worked with IGMP Proxy. I will take some time to learn more about these features.

Thank you for your explanations.
 
Sparkling
just joined
Topic Author
Posts: 6
Joined: Sun Jul 06, 2014 9:38 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Mon Jul 28, 2014 12:28 am

At the last rules, which port(s) did you add, since it seems to be required? I've tried ether2, ether2 & ether22 (connected to STB) and just ether22. None of those combinations worked. My ISP sends me encrypted multicast traffic (I _need_ the STB to decrypt & watch tv), would that matter regarding this configuration?

ros code

/interface ethernet switch multicast-fdb
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
I've changed my setup & configured my CRS125 as switch, ether1 as gateway, the other ports use master-port=ether2. Although I've still created a bridge, to add to wlan1. Could I also use the dhcp-server of ether2 on wlan1 (configured as AP) without creating a bridge?
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Share cable IPTV & Internet RB951G/CRS125

Mon Jul 28, 2014 8:34 am

> At the last rules, which port(s) did you add, since it seems to be required? I've tried ether2, ether2 & ether22 (connected to STB) and just ether22. None of those combinations worked.
What do you mean by last rules?
If you use firewall then you have to allow IGMP & UDP through it. (My example doesn't contain those)
> My ISP sends me encrypted multicast traffic (I _need_ the STB to decrypt & watch tv), would that matter regarding this configuration?
Doesn't matter, it will still work. My ISP does exactly the same.
> I've changed my setup & configured my CRS125 as switch, ether1 as gateway, the other ports use master-port=ether2. Although I've still created a bridge, to add to wlan1. Could I also use the dhcp-server of ether2 on wlan1 (configured as AP) without creating a bridge?
Without bridge, your WLAN probably won't work, so you need a bridge. (I don't, as my device doesn't have Wireless AP built-in)
And if you use Bridge, just replace ether01 in my configs with corresponding bridge interface ;)
 
Sparkling
just joined
Topic Author
Posts: 6
Joined: Sun Jul 06, 2014 9:38 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Mon Jul 28, 2014 11:50 pm

> > At the last rules, which port(s) did you add, since it seems to be required? I've tried ether2, ether2 & ether22 (connected to STB) and just ether22. None of those combinations worked.
> What do you mean by last rules?
> If you use firewall then you have to allow IGMP & UDP through it. (My example doesn't contain those)
After entering the command regarding multicast-fdb, the console echoed "Ports:", so I assumed it was required.

I've reverted to a bridge configuration, to attach wlan1 to the bridge. This time, my STB receives a lease in the same pool of my LAN: 192.168.2.244/24.
Normally, the STB is connected with IP 10.15.69.146/16, gateway 10.15.0.1. This time the STB seemed to boot like it should: normal bootscreen (loading software - loading EPG) and when it would normally switch to a broadcast, an error code appears, stating the STB isn't connected to the IPTV network.

ros code

/ip dhcp-client print 
Flags: X - disabled, I - invalid 
 #   INTERFACE                                     USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS           
 0   vlan1.4                                       yes          special-classless searching...

ros code

/interface vlan
add interface=ether1-gateway l2mtu=1594 name=vlan1.4 vlan-id=4
add interface=ether1-gateway l2mtu=1594 name=vlan1.6 vlan-id=6

/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 \
    dial-on-demand=no disabled=no interface=vlan1.6 keepalive-timeout=20 max-mru=1480 max-mtu=1480 \
    mrru=disabled name=pppoe password=xxx profile=default \
    use-peer-dns=no user=xx-xx-xx-xx-xx-xx

/ip dhcp-client
add add-default-route=special-classless dhcp-options=clientid,hostname \
    disabled=no interface=vlan1.4

/routing igmp-proxy
set query-interval=1m5s

/routing igmp-proxy interface
add alternative-subnets=10.0.0.0/16 interface=vlan1.4 upstream=yes
add interface=br-local

/interface ethernet switch multicast-fdb
add address=00:02:9b:88:20:05 bypass-vlan-filter=yes svl=yes

/interface bridge
add arp=proxy-arp l2mtu=1588 name=br-local

/interface bridge port
add bridge=br-local interface=ether2
add bridge=br-local interface=ether3
add bridge=br-local interface=wlan1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan1.4

/ip firewall filter
add chain=input comment="iptv igmp" in-interface=vlan1.4 protocol=igmp
add chain=input comment="iptv udp" in-interface=vlan1.4 protocol=udp

/interface ethernet switch multicast-fdb
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes

Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 #   ADDRESS                                                                        MAC-ADDRESS       HOST-NAME                                       SERVER                                       RATE-LIMIT                                       STATUS 
 0 D 192.168.2.250                                                                  XX:XX:XX:XX:XX:XX                                                 dhcp-lan                                                                                      bound  
 1 D 192.168.2.244                                                                  00:02:XX:XX:XX:XX                                                 dhcp-lan                                                                                      bound
ps. In the above config, 192.168.2.250 is my own PC.
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Share cable IPTV & Internet RB951G/CRS125

Tue Jul 29, 2014 1:17 am

ros code

/ip dhcp-client print 
Flags: X - disabled, I - invalid 
 #   INTERFACE                                     USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS           
 0   vlan1.4                                       yes          special-classless searching...
Apparently your IPTV upstream interface didn't obtain an IP from the ISP ;)

ros code

/ip firewall filter
add chain=input comment="iptv igmp" in-interface=vlan1.4 protocol=igmp
add chain=input comment="iptv udp" in-interface=vlan1.4 protocol=udp
This may be rather unsafe. I, for example, use those rules in conjunction with src-address, permitting them only from Multicast servers; here is the example:

ros code

/ip firewall filter
add chain=input action=accept protocol=igmp src-address=10.0.0.0/23 in-interface=sfp1.4
And don't forget to add them to the forward chain as well, if you use it.
 
tapalcapo
just joined
Posts: 12
Joined: Sat Mar 24, 2012 5:38 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Fri Aug 01, 2014 9:46 pm

Hi, I need help please.

It's simple:

PC1 192.168.7.254 WITH VLC STREAMING UDP 224.0.23.10 In router eth2 192.168.7.1

PC2 192.168.6.254 With VLC CLient in router eth3 192.168.6.1

Igmp proxy set up.
But in the client I can't see the streaming.
I tested everything.
 
freshworks
just joined
Posts: 2
Joined: Sat Aug 23, 2014 1:15 am

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Sep 04, 2014 3:49 pm

Hi,

Currently I am trying to accomplish the very same situation, using the fiber from KPN on my CRS125. I switched from a RB2011 to a CRS125. The main reason was to get more speed out of my router. We have 500/500mbit over here, but with the RB2011 we only get ~200mbit d/u. So I thought the CRS125 could accomplish more because of the switch function.

Already tried some configs but still I only got around 200/mbit up/down. Almost same config as the RB2011 with bridges and firewall rules. I would like to see that my CRS125 is using more of its switch-cpu capacities so I can get a higher speed down and up.

@Sparkling Could you probably share your config, so I could test it on my CRS125 (With WLAN1), thanks!
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Sep 04, 2014 7:43 pm

> Currently I am trying to accomplish the very same situation, using the fiber from KPN on my CRS125. I switched from a RB2011 to a CRS125. The main reason was to get more speed out of my router. We have 500/500mbit over here, but with the RB2011 we only get ~200mbit d/u. So I thought the CRS125 could accomplish more because of the switch function.
What did you expect?
They have the same CPU, which means routing performance is pretty much equal.

If you want higher performance you should have bought RB1100AHx2 or CCR.
CRS series is a switch with additional routing capability, mainly included for management purposes.
 
freshworks
just joined
Posts: 2
Joined: Sat Aug 23, 2014 1:15 am

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Sep 04, 2014 8:04 pm

Yup indeed, qualify me as a rookie :) I thought it would be possible with the switch-cpu inside, but I was mistaken. Time to sell the CRS125 then and go for the RB1100AHx2, I guess.

Will the RB1100AHx2 put through 500/500mbit with NAT and a couple of firewall rules? Just so nice to have an all in one router with onboard WIFI and learning capabilities in it :)

Thanks
 
Etz
Member Candidate
Posts: 178
Joined: Thu Mar 27, 2014 10:09 am
Location: Estonia

Re: Share cable IPTV & Internet RB951G/CRS125

Fri Sep 05, 2014 11:00 pm

> Will the RB1100AHx2 put through 500/500mbit with NAT and a couple of firewall rules? Just so nice to have an all in one router with onboard WIFI and learning capabilities in it :)
RB1100AHx2m should do it, but it does not have wireless so either you have to keep your CRS or buy a separate access point.

If I were you, I would keep the CRS as well...it is actually a very capable switch with a very nice feature set... ;)
The only thing it lacks is raw routing performance, hence its primary purpose is switching so it has lots of switch features which other RBs are missing.
 
Sparkling
just joined
Topic Author
Posts: 6
Joined: Sun Jul 06, 2014 9:38 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Sat Mar 28, 2015 3:46 pm

Due to some other things, I haven't had the time to continue working on this configuration. So I still have 2 cables per apartment :lol:

Yesterday, I've started from scratch. Unfortunately, the setup still isn't working. With some help of wireshark (the pcap file: https://www.dropbox.com/s/kb6lv3335kx12 ... capng?dl=0, captured while the STB was connected to a bridge), I've been able to narrow down the actual STB subnet, yet the upstream interface still won't obtain an IP. The STB still receives an IP in my LAN.
/ip dhcp-client print
Flags: X - disabled, I - invalid
 #   INTERFACE                                     USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS
 0   vlan1.4                                       yes          special-classless searching...
14:53:06 dhcp,debug,packet dhcp-client on vlan1.4 sending discover with id 811880031 to 255.255.255.255
14:53:06 dhcp,debug,packet     secs = 7
14:53:06 dhcp,debug,packet     flags = broadcast
14:53:06 dhcp,debug,packet     ciaddr = 0.0.0.0
14:53:06 dhcp,debug,packet     chaddr = D4:CA:6D:FA:6C:AE
14:53:06 dhcp,debug,packet     Msg-Type = discover
14:53:06 dhcp,debug,packet     Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server
14:53:06 dhcp,debug,packet     Client-Id = 01-D4-CA-6D-FA-6C-AE
14:53:06 dhcp,debug,packet     Host-Name = "MikroTik"

ros code

# mar/28/2015 13:58:02 by RouterOS 6.27
# software id = 2BXK-1C8B
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] speed=1Gbps
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether16 ] master-port=ether2
/interface vlan
add interface=ether1-gateway l2mtu=1584 name=vlan1.4 vlan-id=4
add interface=ether1-gateway l2mtu=1584 name=vlan1.6 vlan-id=6
/routing igmp-proxy
set query-interval=1m5s
/routing igmp-proxy interface
add alternative-subnets=10.32.128.0/17 interface=vlan1.4 upstream=yes
add interface=ether2
/interface ethernet switch multicast-fdb
add address=00:02:xx:xx:xx:05 bypass-vlan-filter=yes svl=yes
/ip address
add address=192.168.2.254/24 interface=ether2 network=192.168.2.0
/ip dhcp-client
add add-default-route=special-classless dhcp-options=clientid,hostname \
    disabled=no interface=vlan1.4
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254 domain=local gateway=\
    192.168.2.254
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 disabled=no interface=vlan1.6 \
    keepalive-timeout=2 name=pppoe password=xxx user=\
    xx-xx-xx-xx-xx-xx
/ip neighbor discovery
set pppoe discover=no
set ether1-gateway discover=no
set vlan1.6 discover=no
/ip pool
add name=default ranges=192.168.2.50-192.168.2.240
/ip dhcp-server
add address-pool=default authoritative=yes disabled=no interface=ether2 \
    lease-time=1h30m name=default
/routing bgp instance
set default disabled=yes
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.4.4,8.8.8.8
/ip firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input connection-state=invalid
add chain=input in-interface=ether2
add chain=input in-interface=vlan1.4 protocol=igmp src-address=10.32.128.0/17
add chain=input in-interface=vlan1.4 protocol=udp src-address=10.32.128.0/17
add chain=forward in-interface=vlan1.4 protocol=igmp src-address=\
    10.32.128.0/17
add chain=forward in-interface=vlan1.4 protocol=udp src-address=\
    10.32.128.0/17
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=vlan1.4
/tool sniffer
set filter-interface=vlan1.4 streaming-enabled=yes streaming-server=\
    192.168.2.239
 
jkaberg
just joined
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: Share cable IPTV & Internet RB951G/CRS125

Wed Jul 27, 2016 8:57 am

I'd suggest dropping the /interface vlan and other CPU stuff, and doing this via the switch chip: http://forum.mikrotik.com/viewtopic.php ... 87#p549269
 
mjsabri
Trainer
Posts: 112
Joined: Sat Dec 12, 2015 10:55 am

Re: Share cable IPTV & Internet RB951G/CRS125

Wed Jul 27, 2016 9:15 am

Hello,
You used a bridge for this scenario, but it overloads the CPU.
I suggest you use the switch chip instead of the bridge.
Good luck
 
jgerek
just joined
Posts: 11
Joined: Wed Jan 27, 2021 7:16 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Thu Jan 28, 2021 7:36 pm

Hi Guys,
  • did someone resolve that case?
    Is there any procedure how to set up the CRS1xx router to use the chip load instead of the CPU?
My ISP is working via PPPoE Client
I also use the IPTV

Before I bought that router I was hoping that the CRS would solve my issue with overloading the CPU on the old hEX router.

So we've set up PPPoE in the interface
600 MHz CPU is working in range 5 - 30%, when I measure the internet speed it can jump to 80%
At the time when I measure the internet speed, IPTV is lagging! Here I really wonder WHY? This router uses 3 switches - on each is a separate chip

In the first 8 ports I've connected the ISP cable and IPTV, no more devices; other LAN ports are used in the 2nd and 3rd section, see image
Image

Here is my configuration export:
/interface bridge
add admin-mac=B8:69:F4:7A:5E:4D auto-mac=no name=bridge-dsi-iptv protocol-mode=none
add name=bridge-local protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] name=ether01-dsi
set [ find default-name=ether2 ] name=ether02-iptv
set [ find default-name=ether3 ] disabled=yes name=ether03
set [ find default-name=ether4 ] disabled=yes name=ether04
set [ find default-name=ether5 ] disabled=yes name=ether05
set [ find default-name=ether6 ] disabled=yes name=ether06
set [ find default-name=ether7 ] disabled=yes name=ether07
set [ find default-name=ether8 ] disabled=yes name=ether08
set [ find default-name=ether9 ] name=ether09
set [ find default-name=sfp1 ] disabled=yes

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether01-dsi keepalive-timeout=60 name=pppoe-dsi-data password=XXXXXX use-peer-dns=yes user=XXXXXX

/interface vlan
add interface=ether01-dsi name=vlan1-dsi-iptv vlan-id=250
add disabled=yes interface=ether01-dsi name=vlan2 use-service-tag=yes vlan-id=1

/interface list
add name=dsi
add name=local

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=pool-local ranges=10.0.0.200-10.0.0.249

/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=dhcp-local

/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp

/interface bridge port
add bridge=bridge-dsi-iptv interface=ether02-iptv learn=no pvid=250
add bridge=bridge-local interface=ether09
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
add bridge=bridge-local interface=ether13
add bridge=bridge-local interface=ether14
add bridge=bridge-local interface=ether15
add bridge=bridge-local interface=ether16
add bridge=bridge-local interface=ether17
add bridge=bridge-local interface=ether18
add bridge=bridge-local interface=ether19
add bridge=bridge-local interface=ether20
add bridge=bridge-local interface=ether21
add bridge=bridge-local interface=ether22
add bridge=bridge-local interface=ether23
add bridge=bridge-local interface=ether24
add bridge=bridge-dsi-iptv interface=vlan1-dsi-iptv multicast-router=disabled
add bridge=bridge-dsi-iptv disabled=yes interface=ether01-dsi

/ip neighbor discovery-settings
set discover-interface-list=local

/interface bridge vlan
add bridge=bridge-dsi-iptv disabled=yes tagged=ether01-dsi untagged=ether02-iptv vlan-ids=250

/interface list member
add comment="2 switch" interface=ether09 list=local
add comment="1 switch" interface=ether01-dsi list=dsi
add interface=ether02-iptv list=dsi
add interface=ether10 list=local
add interface=ether11 list=local
add interface=ether12 list=local
add interface=ether13 list=local
add interface=ether14 list=local
add interface=ether15 list=local
add interface=ether16 list=local
add interface=ether17 list=local
add interface=ether18 list=local
add interface=ether19 list=local
add interface=ether20 list=local
add interface=ether21 list=local
add interface=ether22 list=local
add interface=ether23 list=local
add interface=ether24 list=local

/ip address
add address=10.0.0.1/24 interface=bridge-local network=10.0.0.0

/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=10.0.0.1 name=router

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related


Can someone help me set up my CRS125-24G-1S-2HnD so that it will use the internal CHIP instead of the CPU? It's enough if IPTV will be routed somehow using the switch CHIP instead of the CPU

THX
 
mkx
Forum Guru
Posts: 13294
Joined: Thu Mar 03, 2016 10:23 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Fri Jan 29, 2021 4:55 pm

CRS125 has single switch chip. Which means only one of bridges you created can be HW offloaded. If you want to be deterministic about which one, you should set hw=no on the rest of bridges. My guess is that having HW offload on bridge-local would be more beneficial than on the bridge-dsl-iptv interface.

If you want to get IPTV switched rather than bridged, you'll have to dive into VLANs and how to properly configure them on CRS125' switch chip ... in that case you'll end up with single bridge, you'll re-use ISP's VID 250 for IPTV and you'll use two more internal to CRS only, one for internet and one for LAN ports. All interfaces will be untagged (access) ports for corresponding VLANs so no other device will ever know you're using VLANs.

All of it assuming your problems with IPTV are actually due to CPU load on CRS and not due to some up-stream traffic bottleneck.

BTW, I certainly hope you did not post the full /interface firewall config, because the posted config protects neither the router itself nor your LAN.
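Added example (not part of mkx's post and not MikroTik tooling): a coarse Python check that reads the `/ip firewall filter` section of an export and lists the chains where no enabled drop or reject rule can match a new connection, which is the gap the remark above points at. `POSTED` is the filter section from the config in this thread; `WITH_DROPS` and the function names are constructed for the illustration.

```python
import shlex

# The complete /ip firewall filter section from the config posted above.
POSTED = """\
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related
"""

# Constructed comparison set (not from the thread); "local" is the poster's interface list.
WITH_DROPS = POSTED + """\
add action=accept chain=input connection-state=established,related
add action=drop chain=input disabled=yes comment="constructed: disabled, must not count"
add action=drop chain=input in-interface-list=!local
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-state=new in-interface-list=!local
"""

def parse_rules(section_text):
    """Turn 'add key=value ...' export lines into dicts; quoted comments stay one token."""
    rules = []
    for line in map(str.strip, section_text.splitlines()):
        if line.startswith("add "):
            rules.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return rules

def chains_without_drop(section_text):
    """List chains where no enabled drop/reject rule can match a new connection.

    RouterOS accepts a packet that matches no rule, so such a chain is open.
    """
    open_chains = []
    active = [r for r in parse_rules(section_text) if r.get("disabled") != "yes"]
    for chain in ("input", "forward"):
        blocks_new = any(
            r.get("chain") == chain
            and r.get("action") in ("drop", "reject")
            # a drop limited to connection-state=invalid still lets new connections in
            and ("connection-state" not in r or "new" in r["connection-state"].split(","))
            for r in active
        )
        if not blocks_new:
            open_chains.append(chain)
    return open_chains

if __name__ == "__main__":
    print("posted config, open chains:", chains_without_drop(POSTED))
    print("with drops, open chains:", chains_without_drop(WITH_DROPS))
```

Rules exported with `disabled=yes` are ignored, so a default ruleset whose drop rules have all been switched off is reported the same way as one with no drop rules at all.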
 
jgerek
just joined
Posts: 11
Joined: Wed Jan 27, 2021 7:16 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Fri Jan 29, 2021 8:35 pm

Hi @mkx

Regarding the single chip, according to the board schema it looks like it has 3 wire chips, each single wire chip for 8 eth ports, see below:

Image


and next to this structure, all these 3 wire chips are connected to one single switch chip

my question is:

  • Am I able to bridge "ISP input port" using hardware wire chip and direct it "Multicast IP TV port" > avoiding the main CPU functionality?
  • As I've mentioned, my Internet is running over a PPPoE client, so my problem is that Multicast TV freezes for milliseconds while I measure my internet speed; it looks like the main CPU rises to 80% and it seems that Multicast is also using the main CPU
 
mkx
Forum Guru
Posts: 13294
Joined: Thu Mar 03, 2016 10:23 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Fri Jan 29, 2021 10:48 pm

Regarding the single chip, according to the board schema it looks like it has 3 wire chips
No, these are only converters between QSGMII (interconnect protocol) and ethernet ... they are not switches. Only single block is marked with "Switch chip" and it spans 24 ethernet ports, SFP port and interconnect to CPU.

  • Am I able to bridge "ISP input port" using hardware wire chip and direct it "Multicast IP TV port" > avoiding the main CPU functionality?
You can configure device with single bridge and 3 VLANs (as I mentioned) so that VLAN 250 passes freely between e.g. interfaces ether1 and ether2. Something like this (only part of config shown):
/interface bridge 
add name=bridge vlan-filtering=yes

/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1 pvid=100  # WAN port, hybrid (tagged IPTV, untagged internet)
add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=250  # IPTV untagged port
# if IPTV box actually expects tagged frames, replace the line above with
#add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge ingress-filtering=yes interface=ether3 pvid=300  # LAN port, untagged
... #repeat the above line for the rest of ether ports which are to be used as LAN access ports

/interface bridge vlan
# bridge interface has to be enumerated as tagged member of VLANs with which router is
# going to interact: LAN and WAN. Doesn't have to interact with IPTV VLAN (only switch it)
add bridge=bridge tagged=bridge vlan-ids=100  # ports with PVID set are added as untagged members automatically
add bridge=bridge tagged=ether1 vlan-ids=250
# if IPTV box actually expects tagged frames, replace the line above with
#add bridge=bridge tagged=ether1,ether2 vlan-ids=250
add bridge=bridge tagged=bridge vlan-ids=300 # LAN

/interface vlan
# allow ROS to interact with some of VLANs
add interface=bridge name=vlan_WAN vlan-id=100
add interface=bridge name=vlan_LAN vlan-id=300

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=vlan_WAN
add list=LAN interface=vlan_LAN
Then configure any WAN setup (e.g. PPPoE client) on vlan_WAN interface. And configure any LAN setup (e.g. LAN IP address, DHCP server, ...) on vlan_LAN interface.

And add some sensible firewall rules!


  • As I've mentioned, my Internet is running over a PPPoE client, so my problem is that Multicast TV freezes for milliseconds while I measure my internet speed; it looks like the main CPU rises to 80% and it seems that Multicast is also using the main CPU
With current setup, it's highly likely that CPU moves IPTV frames between ether1 and ether2 ... and when CPU load gets high (which is easy on CRS3xx with its weak CPU), there are delays which can mean dropped packets. If you convert setup to single bridge as proposed, IPTV traffic will be entirely handled by switch chip which should be able to deal with the traffic just fine.


Edit: scrap the answer above, just noticed you have CRS125 ... CRS125 can not offload bridge vlan setup to hardware, you need to configure everything on switch chip under /interface ethernet switch. Concept is similar to the one outlined in my post (using 3 VLANs, most ports are untagged members), the details are in this article - read the Port based VLAN section.
 
jgerek
just joined
Posts: 11
Joined: Wed Jan 27, 2021 7:16 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Mon Feb 01, 2021 10:48 am

Hi @mkx

We've set up my router similar to what you advised. That principle of basic VLAN structure

  • But next to this, we've also set up the PPPoE client, and set interface to vlan20
  • Next to this we've set up masquerade and set the Out. Interface to the PPPoE client
  • Now the PPPoE client is in status disconnected and can't connect.

When I tested, internet doesn't work, and Multicast doesn't work either. Do you think we've forgotten something? Below you can find the whole /export.
Can you advise what to do?


/interface bridge
add admin-mac=B8:69:F4:7A:5E:4D auto-mac=no comment=defconf name=bridge
add name=bridge1

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-7A5E65 wireless-protocol=802.11

/interface ethernet
set [ find default-name=sfp1 ] disabled=yes

/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20

/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan20 keepalive-timeout=60 name=pppoe-dsi-data password=XXXXXXXX use-peer-dns=yes user=XXXXXXXX

/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=servis-pool-levik ranges=192.168.1.10-192.168.1.254

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=servis-pool-levik disabled=no interface=vlan10 name=levik

/interface bridge port
add bridge=bridge interface=ether9
add bridge=bridge interface=ether10
add bridge=bridge interface=ether11
add bridge=bridge interface=ether12
add bridge=bridge interface=ether13
add bridge=bridge interface=ether14
add bridge=bridge interface=ether15
add bridge=bridge interface=ether16
add bridge=bridge interface=ether17
add bridge=bridge interface=ether18
add bridge=bridge interface=ether19
add bridge=bridge interface=ether20
add bridge=bridge interface=ether21
add bridge=bridge interface=ether22
add bridge=bridge interface=ether23
add bridge=bridge interface=ether24
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=10
add tagged-ports=switch1-cpu vlan-id=20
add tagged-ports=ether1 vlan-id=250

/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether1
add customer-vid=250 new-customer-vid=250 ports=ether1
add customer-vid=250 new-customer-vid=250 ports=ether2
add customer-vid=0 new-customer-vid=10 ports=ether3
add customer-vid=0 new-customer-vid=10 ports=ether4
add customer-vid=0 new-customer-vid=10 ports=ether5
add customer-vid=0 new-customer-vid=10 ports=ether6
add customer-vid=0 new-customer-vid=10 ports=ether7
add customer-vid=0 new-customer-vid=10 ports=ether8

/interface ethernet switch vlan
add comment=LAN ports=ether3,ether4,ether5,ether7,ether8,switch1-cpu vlan-id=10
add comment=Internet ports=ether1,switch1-cpu vlan-id=20
add comment=IPTV ports=ether1,ether2 vlan-id=250

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=192.168.1.1/24 interface=vlan10 network=192.168.1.0

/ip dhcp-client
add comment=defconf interface=ether1

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface=pppoe-dsi-data

/system clock
set time-zone-name=Europe/Bratislava

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN


Thank you

 
BartoszP
Forum Guru
Posts: 3108
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Share cable IPTV & Internet RB951G/CRS125

Mon Feb 01, 2021 11:18 am

@jgerek ... could you be so kind and please do not quote whole posts? Use "Post reply" instead of "Quote"
See link in my footer.
That is why I am asking for ... look at the screenshot .. more than 50% of your post is not worth reading
post2021.PNG
 
jgerek
just joined
Posts: 11
Joined: Wed Jan 27, 2021 7:16 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Mon Feb 01, 2021 11:21 am

Hi, Ok sorry for that, will do this way for the future :)
 
mkx
Forum Guru
Posts: 13294
Joined: Thu Mar 03, 2016 10:23 pm

Re: Share cable IPTV & Internet RB951G/CRS125

Mon Feb 01, 2021 3:05 pm

  • But next to this, we've also set up the PPPoE client, and set interface to vlan20

What does log show regarding PPPoE? Probably there's some error ... which doesn't relate to NAT.
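Added example, not from any poster or from MikroTik: a Python consistency check over the switch-chip sections of the export jgerek posted earlier in this thread. It flags ports whose ingress translation maps frames into a VLAN that the `/interface ethernet switch vlan` table does not list them in, while `drop-if-invalid-or-src-port-not-member-of-vlan-on-ports` is enforced on them; the function names are hypothetical.

```python
import shlex

# Switch-chip sections copied from the export posted earlier in this thread.
EXPORT = """\
/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether1
add customer-vid=250 new-customer-vid=250 ports=ether1
add customer-vid=250 new-customer-vid=250 ports=ether2
add customer-vid=0 new-customer-vid=10 ports=ether3
add customer-vid=0 new-customer-vid=10 ports=ether4
add customer-vid=0 new-customer-vid=10 ports=ether5
add customer-vid=0 new-customer-vid=10 ports=ether6
add customer-vid=0 new-customer-vid=10 ports=ether7
add customer-vid=0 new-customer-vid=10 ports=ether8
/interface ethernet switch vlan
add comment=LAN ports=ether3,ether4,ether5,ether7,ether8,switch1-cpu vlan-id=10
add comment=Internet ports=ether1,switch1-cpu vlan-id=20
add comment=IPTV ports=ether1,ether2 vlan-id=250
"""

def sections(text):
    """Group export lines under their '/menu path' header as key=value dicts."""
    out, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = out.setdefault(line, [])
        elif line and current is not None:
            current.append(dict(t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t))
    return out

def non_member_ingress(text):
    """Return (port, vid) pairs translated into a VLAN the port is not a member of."""
    sec = sections(text)
    members = {}
    for e in sec.get("/interface ethernet switch vlan", []):
        members.setdefault(e["vlan-id"], set()).update(e["ports"].split(","))
    key = "drop-if-invalid-or-src-port-not-member-of-vlan-on-ports"
    enforced = {p for e in sec.get("/interface ethernet switch", []) for p in e.get(key, "").split(",")}
    return [(port, int(e["new-customer-vid"]))
            for e in sec.get("/interface ethernet switch ingress-vlan-translation", [])
            for port in e["ports"].split(",")
            if port in enforced and port not in members.get(e["new-customer-vid"], set())]

if __name__ == "__main__":
    for port, vid in non_member_ingress(EXPORT):
        print(f"{port}: ingress mapped to VLAN {vid} but not in its member list")
```

On the posted export it reports ether6 for VLAN 10; it says nothing about why the PPPoE session stays disconnected.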