Mikrotik Router act as a switch and transparent firewall?
RouterOS general discussion

brianlewis
Member Candidate
Posts: 109
Joined: Tue Jul 20, 2004 10:54 am
Location: Irvine, CA

Mikrotik Router act as a switch and transparent firewall?

by brianlewis » Tue Nov 25, 2008 2:16 am

I'm proposing an RB450 Mikrotik router to be used as a transparent firewall for 3 servers.
This device has 4 ethernet ports.

I would like to use PORT 1 to connect as the WAN
I would like to use PORT 2, 3, and 4 for Server 1, Server 2, and Server 3.

I want to use it transparently so that I can firewall these 3 servers from the Internet.

The 3 servers will be assigned each a unique internet ip address, so I don't plan on using NAT.

Can this be done? What particular configuration settings should I be looking at to make this happen? Servers 1, 2, and 3 would need to be able to talk to each other as if they were plugged into the same switch, yet still talk to the common default gateway to get to the internet. Not sure of the exact direction that needs to be taken to make this happen. Appreciate any insight.

Brian

brianlewis
Member Candidate
Posts: 109
Joined: Tue Jul 20, 2004 10:54 am
Location: Irvine, CA

Re: Mikrotik Router act as a switch and transparent firewall?

by brianlewis » Wed Nov 26, 2008 4:43 pm

I emailed Mikrotik support and they gave me this advice for linking multiple ethernet ports together without using the bridge option:

Hello,

Let's say the WAN interface is ether1 and the rest should be switched.
Configuration:
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2

Now ether2,ether3 and ether4 are switched together.

Regards,
Maris
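The support reply only joins the ports; it does not by itself put a firewall between ether1 and the servers, because frames switched in the switch chip never reach the CPU. The script below is an added example, not from the thread and not from MikroTik support, of one way to turn that advice into the transparent firewall Brian described. It assumes RouterOS v3.x on an RB450 with ether1 as WAN and ether2-4 as the server ports; every address in it is a constructed value from the 203.0.113.0/24 documentation range.

```routeros
# Added example (not from the thread or from MikroTik support).
# Assumes RouterOS v3.x on an RB450: ether1 = WAN, ether2-4 = servers.
# All addresses are constructed from the 203.0.113.0/24 documentation range.

# 1. Switch ether2-4 together in the switch chip, as support advised.
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2

# 2. Bridge the WAN port with the switch group (ether2 stands for all three
#    server ports) so WAN<->server frames cross the CPU, then tell the
#    bridge to run those frames through /ip firewall.
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge settings
set use-ip-firewall=yes

# 3. Management address and default route for the router itself. No NAT:
#    the servers keep their own public addresses (constructed values).
/ip address
add address=203.0.113.10/24 interface=bridge1
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1

# 4. List the protected servers, then filter the forward chain.
/ip firewall address-list
add list=servers address=203.0.113.11 comment="Server 1"
add list=servers address=203.0.113.12 comment="Server 2"
add list=servers address=203.0.113.13 comment="Server 3"

/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=invalid action=drop
# what the Internet may open towards the servers (adjust per server)
add chain=forward dst-address-list=servers protocol=tcp dst-port=80,443 action=accept
add chain=forward dst-address-list=servers protocol=icmp action=accept
# what the servers may open towards the Internet
add chain=forward src-address-list=servers action=accept
add chain=forward action=log log-prefix="fw-drop"
add chain=forward action=drop

# 5. Protect the router itself: management only from one admin host
#    (203.0.113.20 is a constructed placeholder).
add chain=input connection-state=established action=accept
add chain=input src-address=203.0.113.20 protocol=tcp dst-port=22,8291 action=accept
add chain=input protocol=icmp action=accept
add chain=input action=drop
```

Two things to keep in mind with this layout. Frames between ether2, ether3 and ether4 are forwarded by the switch chip and never reach the CPU, so the filter rules above do not see server-to-server traffic at all; that is exactly the "as if plugged into the same switch" behaviour Brian asked for, but anything that must be filtered between the servers needs routed or CPU-bridged ports instead. And after applying it, `/ip firewall filter print stats` should show the forward-chain counters climbing while a server is reached from outside; if they stay at zero, the WAN-to-server path is not crossing the bridge firewall.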

Chupaka
Forum Guru
Posts: 7229
Joined: Mon Jun 19, 2006 11:15 pm
Location: Home Network Ltd., Minsk, Belarus

Re: Mikrotik Router act as a switch and transparent firewall?

by Chupaka » Wed Nov 26, 2008 7:57 pm

brianlewis wrote:
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2

Now ether2,ether3 and ether4 are switched together.

What version of ROS?.. I do not have such an option in 3.14...

mrz
MikroTik Support
Posts: 4079
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: Mikrotik Router act as a switch and transparent firewall?

by mrz » Thu Nov 27, 2008 9:28 am

It is available only on boards with a switch chip (RB400 series, RB133, RB150 and RB192) and RouterOS v3.x.

janisk
MikroTik Support
Posts: 5906
Joined: Tue Feb 14, 2006 10:46 am
Location: Riga, Latvia

Re: Mikrotik Router act as a switch and transparent firewall?

by janisk » Thu Nov 27, 2008 9:51 am

Well, not all RB400 series boards have a switch chip, but these boards do: RB450, RB493.

GlueGuy
Frequent Visitor
Posts: 61
Joined: Tue May 16, 2006 10:57 pm
Location: San Francisco Bay Area California (CA)

Re: Mikrotik Router act as a switch and transparent firewall?

by GlueGuy » Wed Feb 04, 2009 8:43 pm

In trying out this "feature" it appears that this does not actually configure the ports as a "switch", but rather as a "hub".

IOW - all the incoming traffic on any of the ports is echoed out the other ports that are grouped together. This seems to be more like port mirroring rather than switching.

A typical switch keeps a table of the MAC addresses on each port, and only sends non-broadcast data to the required port.

This is on an RB493AH. Perhaps it's different on other RBs?
~~~
bp

hilton
Long time Member
Posts: 628
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Mikrotik Router act as a switch and transparent firewall?

by hilton » Thu Feb 05, 2009 10:40 am

janisk wrote:
Well, not all RB400 series boards have a switch chip, but these boards do: RB450, RB493.

As does the RB433.
Regards
Hilton

staddon
just joined
Posts: 8
Joined: Sun Mar 22, 2009 2:24 pm

Re: Mikrotik Router act as a switch and transparent firewall?

by staddon » Thu Mar 26, 2009 5:28 pm

I'm trying to set up a simple AP with my 493. I thought I'd set up port 2 as the DHCP client but couldn't get it to work; if I switch the client to port 1 it works.

I tried to also make a DHCP server for port 9. I couldn't get that to work either, but again if I switch that to either one of the WANs or Ether 1 it works.

Is there something special I need to do on ports 2-9 to get them to work as DHCP? I have no problem with getting this to work on my RB500 or Ether 1 or WAN ports.

Regards

Simon

normis
MikroTik Support
Posts: 19266
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik Router act as a switch and transparent firewall?

by normis » Thu Mar 26, 2009 5:31 pm

Stupid question, but ... did you enable those interfaces? Does a static IP connection work on those ports?

hilton
Long time Member
Posts: 628
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Mikrotik Router act as a switch and transparent firewall?

by hilton » Thu Mar 26, 2009 5:33 pm

No not really. Depends though on what you've configured. Post your settings and let's take a look.
Regards
Hilton

staddon
just joined
Posts: 8
Joined: Sun Mar 22, 2009 2:24 pm

Re: Mikrotik Router act as a switch and transparent firewall?

by staddon » Fri Mar 27, 2009 5:24 am

Here's my config

I think the ports are enabled

# jan/01/1970 04:06:37 by RouterOS 3.22
# software id = ACQI-LTT
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:34:8E:8F mtu=1500 name=ether1 speed=10Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:90 master-port=\
none mtu=1500 name=ether2 speed=10Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:91 master-port=\
none mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:92 master-port=\
none mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:93 master-port=\
none mtu=1500 name=ether5 speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:94 master-port=\
none mtu=1500 name=ether6 speed=100Mbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:95 master-port=\
none mtu=1500 name=ether7 speed=100Mbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:96 master-port=\
none mtu=1500 name=ether8 speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:97 master-port=\
none mtu=1500 name=ether9 speed=10Mbps
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
group-key-update=5m interim-update=0s mode=none name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" \
wpa2-pre-shared-key=""
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm \
group-key-update=5m interim-update=0s mode=dynamic-keys name=Wireless1 \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity="" tls-certificate=none \
tls-mode=no-certificates unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
07973676839 wpa2-pre-shared-key=07973676839
/interface wireless
set 0 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no \
antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=2.4ghz-b/g \
basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=disabled comment="" \
compression=no country="united states" default-ap-tx-limit=0 \
default-authentication=yes default-client-tx-limit=0 default-forwarding=\
yes dfs-mode=none disable-running-check=no disabled=no \
disconnect-timeout=3s frame-lifetime=0 frequency=2462 frequency-mode=\
manual-txpower hide-ssid=no hw-retries=4 mac-address=00:0C:42:26:37:7F \
max-station-count=2007 mode=ap-bridge mtu=1500 name=wlan1 \
noise-floor-threshold=default on-fail-retry-time=100ms \
periodic-calibration=default periodic-calibration-interval=60 \
preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
000C4226377F rate-set=default scan-list=default security-profile=\
Wireless1 ssid=Wlan station-bridge-clone-mac=00:00:00:00:00:00 \
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default \
update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
wmm-support=disabled
set 1 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no \
antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=5ghz \
basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=disabled comment="" \
compression=no country=no_country_set default-ap-tx-limit=0 \
default-authentication=yes default-client-tx-limit=0 default-forwarding=\
yes dfs-mode=none disable-running-check=no disabled=yes \
disconnect-timeout=3s frame-lifetime=0 frequency=5180 frequency-mode=\
manual-txpower hide-ssid=no hw-retries=4 mac-address=00:0C:42:26:37:84 \
max-station-count=2007 mode=station mtu=1500 name=wlan3 \
noise-floor-threshold=default on-fail-retry-time=100ms \
periodic-calibration=default periodic-calibration-interval=60 \
preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
000C42263784 rate-set=default scan-list=default security-profile=default \
ssid=MikroTik station-bridge-clone-mac=00:00:00:00:00:00 \
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default \
update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
wmm-support=disabled
set 2 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no \
antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=5ghz \
basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=disabled comment="" \
compression=no country=no_country_set default-ap-tx-limit=0 \
default-authentication=yes default-client-tx-limit=0 default-forwarding=\
yes dfs-mode=none disable-running-check=no disabled=yes \
disconnect-timeout=3s frame-lifetime=0 frequency=5180 frequency-mode=\
manual-txpower hide-ssid=no hw-retries=4 mac-address=00:0C:42:23:DC:E7 \
max-station-count=2007 mode=station mtu=1500 name=wlan2 \
noise-floor-threshold=default on-fail-retry-time=100ms \
periodic-calibration=default periodic-calibration-interval=60 \
preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
000C4223DCE7 rate-set=default scan-list=default security-profile=default \
ssid=Simons_RB493 station-bridge-clone-mac=00:00:00:00:00:00 \
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default \
update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 comment="" manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,\
6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps\
:17,HT20-1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20-7:0,HT20-8:\
0,HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7:0,HT40-8:0"
set wlan3 comment="" manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,\
6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps\
:17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,\
HT20-8:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40\
-7:17,HT40-8:17"
set wlan2 comment="" manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,\
6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps\
:17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,\
HT20-8:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40\
-7:17,HT40-8:17"
/interface wireless nstreme
set wlan1 comment="" disable-csma=no enable-nstreme=no enable-polling=yes \
framer-limit=3200 framer-policy=none
set wlan3 comment="" disable-csma=no enable-nstreme=no enable-polling=yes \
framer-limit=3200 framer-policy=none
set wlan2 comment="" disable-csma=no enable-nstreme=no enable-polling=yes \
framer-limit=3200 framer-policy=none
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=\
1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip pool
add name=pool1 ranges=172.17.1.100-172.17.1.200
/ip dhcp-server
add address-pool=pool1 authoritative=after-2sec-delay bootp-support=static \
disabled=no interface=wlan1 lease-time=3d name=server1 src-address=\
172.17.1.1
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
stop-bits=1
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
only-one=default use-compression=default use-encryption=yes \
use-vj-compression=default
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
set default-small kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes comment="" disabled=no \
ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
redistribute-static=no router-id=0.0.0.0
/routing ospf area
add area-id=0.0.0.0 authentication=none disabled=no name=backbone type=\
default
/snmp
set contact="" enabled=no engine-boots=0 engine-id="" location="" \
time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=0.0.0.0/0 authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=no name=remote remote=0.0.0.0:514 src-address=0.0.0.0 \
syslog-facility=daemon syslog-severity=auto target=remote
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
enter-setup-on=any-key force-backup-booter=no
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
enter-setup-on=any-key force-backup-booter=no
/user group
add name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sn\
iff,!ftp,!write,!policy"
add name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,sniff,!ftp,!policy"
add name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web,sniff"
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
no
/interface ethernet mirror
set mirror-port=none source-port=none
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:EA:7C:25:28:50 \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=172.17.1.1/16 broadcast=172.17.255.255 comment="" disabled=no \
interface=wlan1 network=172.17.0.0
/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=0 disabled=no \
interface=ether1 use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=172.17.0.0/16 comment="" gateway=172.17.1.1 netmask=16
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 primary-dns=192.168.250.253 secondary-dns=0.0.0.0
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
ether1
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set wlan1 discover=no
set wlan3 discover=no
set ether1 discover=yes
set ether2 discover=yes
set ether3 discover=yes
set ether4 discover=yes
set ether5 discover=yes
set ether6 discover=yes
set ether7 discover=yes
set ether8 discover=yes
set ether9 discover=yes
set wlan2 discover=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
no src-address=0.0.0.0
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set wlan1 queue=wireless-default
set wlan3 queue=wireless-default
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set ether4 queue=ethernet-default
set ether5 queue=ethernet-default
set ether6 queue=ethernet-default
set ether7 queue=ethernet-default
set ether8 queue=ethernet-default
set ether9 queue=ethernet-default
set wlan2 queue=wireless-default
/radius incoming
set accept=no port=3799
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing ospf
set distribute-default=never metric-bgp=20 metric-connected=20 \
metric-default=1 metric-rip=20 metric-static=20 mpls-te-area=unspecified \
mpls-te-router-id=unspecified redistribute-bgp=no redistribute-connected=\
no redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
redistribute-connected=no redistribute-ospf=no redistribute-static=no \
timeout-timer=3m update-timer=30s
/store
add comment="" disabled=no disk=system name=web-proxy1 type=web-proxy
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no port=serial0 term=vt102
/system health
set fan-mode=auto use-fan=main
/system identity
set name=Simons_RB493
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=broadcast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=10
/tool e-mail
set from=<> password="" server=0.0.0.0:25 username=""
/tool graphing
set store-every=5min
/tool mac-server
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=\
yes interface=all memory-limit=10 only-headers=no streaming-enabled=no \
streaming-server=0.0.0.0
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no

staddon
just joined
Posts: 8
Joined: Sun Mar 22, 2009 2:24 pm

Re: Mikrotik Router act as a switch and transparent firewall?

by staddon » Fri Mar 27, 2009 5:42 am

Double post sorry

staddon
just joined
Posts: 8
Joined: Sun Mar 22, 2009 2:24 pm

Re: Mikrotik Router act as a switch and transparent firewall?

by staddon » Fri Mar 27, 2009 5:51 am

Also, I know I set both ports 2 and 9 to 10Mbps as the connection was 10Mbps.

I have tried lots of different settings before I posted.

Thanks again.

Simon

hilton
Long time Member
Posts: 628
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Mikrotik Router act as a switch and transparent firewall?

by hilton » Fri Mar 27, 2009 10:48 am

Auto speed is fine. Your mistake was not setting the master port on interfaces ether3-9.

Like this:

/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:34:8E:8F mtu=1500 name=ether1 speed=10Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:90 master-port=\
none mtu=1500 name=ether2 speed=10Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:91 master-port=\
ether2 mtu=1500 name=ether3 speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:92 master-port=\
ether2 mtu=1500 name=ether4 speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:93 master-port=\
ether2 mtu=1500 name=ether5 speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:94 master-port=\
ether2 mtu=1500 name=ether6 speed=100Mbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:95 master-port=\
ether2 mtu=1500 name=ether7 speed=100Mbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:96 master-port=\
ether2 mtu=1500 name=ether8 speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:8E:97 master-port=\
ether2 mtu=1500 name=ether9 speed=10Mbps

Then set your DHCP to be active on ether2.

Let me know.
Regards
Hilton

staddon
just joined
Posts: 8
Joined: Sun Mar 22, 2009 2:24 pm

Re: Mikrotik Router act as a switch and transparent firewall?

by staddon » Fri Mar 27, 2009 11:41 pm

Hi

I don't want ports 2-9 to work as a switch, I want them to work as different routed type ports.

I believe setting the master port as 2 on ports 3-9 will make them a switch. But I might be wrong and I can't try until tomorrow.

Even with that said I think I should have been able to get port 2 (or port 9) to work as either a DHCP client or Server, and when I switch the DHCP stuff that i set up back to either WAN 1 or port 1 it works.

Regards

Simon
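For the routed-ports layout Simon describes (each of ether2-9 its own interface with its own DHCP server, no switch group), the following is an added example, not from the thread. It assumes RouterOS 3.22 on an RB493 as in the export above, shows ether2 and ether9 only, and uses constructed subnets; the same four objects are needed per port, and the print commands at the end are the checks a misbehaving port should be run through.

```routeros
# Added example (not from the thread). Assumes RouterOS 3.22 on an RB493,
# as in the export above, with ether2 and ether9 as independent routed
# ports. Subnets are constructed.

# Leave the ports out of any switch group: each must stay its own interface.
/interface ethernet
set ether2 master-port=none disabled=no
set ether9 master-port=none disabled=no

# One address, one pool, one DHCP server and one network entry per port.
# The server is marked invalid if its interface has no address in the
# network it hands out, so the /ip address entries come first.
/ip address
add address=172.17.2.1/24 interface=ether2
add address=172.17.9.1/24 interface=ether9

/ip pool
add name=pool-ether2 ranges=172.17.2.100-172.17.2.200
add name=pool-ether9 ranges=172.17.9.100-172.17.9.200

/ip dhcp-server
add name=dhcp-ether2 interface=ether2 address-pool=pool-ether2 lease-time=3d disabled=no
add name=dhcp-ether9 interface=ether9 address-pool=pool-ether9 lease-time=3d disabled=no

# Add dns-server= here if clients should be handed a resolver.
/ip dhcp-server network
add address=172.17.2.0/24 gateway=172.17.2.1
add address=172.17.9.0/24 gateway=172.17.9.1

# Checks, in the order a problem usually shows up.
# R flag = running; master-port must read "none" for every routed port.
/interface ethernet print
# Link status and negotiated rate on the port that is not answering.
/interface ethernet monitor ether2 once
# A server flagged I (invalid) has no matching address on its interface.
/ip dhcp-server print
# Leases appear here once a client has actually asked.
/ip dhcp-server lease print
```

If `/interface ethernet print` shows the port without the R flag, the problem is at the link level (cable, speed, or the far end) and no DHCP setting will fix it; if the port is running but the server prints as invalid, the address and the network entry do not agree.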

hilton
Long time Member
Posts: 628
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Mikrotik Router act as a switch and transparent firewall?

by hilton » Sat Mar 28, 2009 11:02 pm

staddon wrote:
I don't want ports 2-9 to work as a switch, I want them to work as different routed type ports.

Ah sorry, misunderstood you. You are right, this should then work. Unfortunately I don't have a 493 but this does work on a 450 and 433 so maybe something funny with the 493.

Have you tried putting the interfaces on separate VLANs?
Regards
Hilton

staddon
just joined
Posts: 8
Joined: Sun Mar 22, 2009 2:24 pm

Re: Mikrotik Router act as a switch and transparent firewall?

by staddon » Sun Mar 29, 2009 12:24 am

Hi

Can anyone let me know if there is something different I need to do to get ports 2-9 connected to the DHCP server of the 493AH board?

I already have a 433 and 500 and don't have any problems doing this on those boards.

I'm thinking there is something else I need to connect ports 2-9?

Can anyone help please.

Regards

Simon

staddon
just joined
Posts: 8
Joined: Sun Mar 22, 2009 2:24 pm

Re: Mikrotik Router act as a switch and transparent firewall?

by staddon » Thu Apr 02, 2009 11:17 pm

Has anyone else had this problem with their 493?

mrz
MikroTik Support
Posts: 4079
Joined: Wed Feb 07, 2007 1:45 pm
Location: Latvia

Re: Mikrotik Router act as a switch and transparent firewall?

by mrz » Fri Apr 03, 2009 8:58 am

433 works the same as 493. If you have similar setup working on 433 then it should also work on 493. Maybe you misconfigured something, try to reset configuration and start from scratch.

staddon
just joined
Posts: 8
Joined: Sun Mar 22, 2009 2:24 pm

Re: Mikrotik Router act as a switch and transparent firewall?

by staddon » Fri Apr 03, 2009 12:31 pm

Hi

I didn't think the 433 had a switch chip on it.

I can get port 1 and the WLAN ports to function as I expect on my 493, but not ports 2-9.

Is there anything different on them?

You can see my config above.

Regards

Simon

mps01k
Frequent Visitor
Posts: 89
Joined: Fri Mar 23, 2007 10:09 pm
Location: HONDURAS

Re: Mikrotik Router act as a switch and transparent firewall?

by mps01k » Sun Apr 05, 2009 4:50 am

Hello, I have a 493 in place and have no problem like you explain. See my settings below; only I did change the interface names: #9 is the WAN (named ether1 before) and #8 was Ether2 before, etc.

/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:34:5B:68 mtu=1500 name="WAN SERVER ENTRADA #9" \
speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:5B:69 master-port=\
none mtu=1500 name="AZATEL #8" speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=yes full-duplex=yes mac-address=00:0C:42:34:5B:6A \
master-port=none mtu=1500 name="EXTRA #7" speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:5B:6B master-port=\
none mtu=1500 name="10 dbi ubnt sector #6 ch11h" speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:5B:6C master-port=\
none mtu=1500 name="10 dbi ubnt sector #5 ch6v" speed=100Mbps
set 5 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:5B:6D master-port=\
none mtu=1500 name="10 dbi ubnt sector #4 ch1h" speed=100Mbps
set 6 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:5B:6E master-port=\
none mtu=1500 name="10 dbi ubnt sector #3 ch11v" speed=100Mbps
set 7 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:5B:6F master-port=\
none mtu=1500 name="10 dbi ubnt sector #2 ch6h" speed=100Mbps
set 8 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes mac-address=00:0C:42:34:5B:70 master-port=\
none mtu=1500 name="10 dbi ubnt sector #1 ch1V" speed=100Mbps
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
group-key-update=5m interim-update=0s mode=none name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" \
wpa2-pre-shared-key=""
add authentication-types=wpa2-psk,wpa2-eap group-ciphers=tkip \
group-key-update=5m interim-update=0s mode=static-keys-required name=\
profile1 radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=40bit-wep static-algo-1=none static-algo-2=none \
static-algo-3=none static-key-0=9976e144e6 static-key-1="" static-key-2=\
"" static-key-3="" static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity="" tls-certificate=none \
tls-mode=no-certificates unicast-ciphers=tkip wpa-pre-shared-key="" \
wpa2-pre-shared-key=9976e144e6
/interface wireless
set 0 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no \
antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=5ghz-turbo \
basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=disabled comment="" \
compression=no country=no_country_set default-ap-tx-limit=0 \
default-authentication=yes default-client-tx-limit=0 default-forwarding=\
yes dfs-mode=none disable-running-check=no disabled=no \
disconnect-timeout=3s frame-lifetime=0 frequency=5210 frequency-mode=\
manual-txpower hide-ssid=no hw-retries=4 mac-address=00:0C:42:26:56:48 \
max-station-count=2007 mode=ap-bridge mtu=1500 name=\
"AZACUALPA MACUELIZO 5.8 R52H" noise-floor-threshold=default \
on-fail-retry-time=100ms periodic-calibration=default \
periodic-calibration-interval=60 preamble-mode=both \
proprietary-extensions=post-2.9.25 radio-name=000C42265648 rate-set=\
default scan-list=default security-profile=default ssid=\
"SAMIANET 5.8 AZA MAC" station-bridge-clone-mac=00:00:00:00:00:00 \
supported-rates-a/g=6Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps \
tx-power-mode=default update-stats-interval=disabled wds-cost-range=\
50-150 wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no \
wds-mode=disabled wmm-support=disabled
/interface wireless manual-tx-power-table
set "AZACUALPA MACUELIZO 5.8 R52H" comment="" manual-tx-powers="1Mbps:17,2Mbps\
:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,3\
6Mbps:17,48Mbps:17,54Mbps:17,HT20-1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,\
HT20-6:0,HT20-7:0,HT20-8:0,HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT\
40-6:0,HT40-7:0,HT40-8:0"
/interface wireless nstreme
set "AZACUALPA MACUELIZO 5.8 R52H" comment="" disable-csma=yes \
enable-nstreme=yes enable-polling=yes framer-limit=3200 framer-policy=\
dynamic-size
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default rate-limit=\
3M/3M shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap,trial name=default rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no trial-uptime=30m/1d trial-user-profile=default \
use-radius=no
add dns-name="" hotspot-address=192.168.116.1 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap,http-pap,trial name="SECTOR 6" nas-port-type=\
wireless-802.11 radius-accounting=yes radius-default-domain="" \
radius-interim-update=received radius-location-id="" \
radius-location-name="" rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no trial-uptime=10m/4w2d trial-user-profile=default \
use-radius=yes
add dns-name="" hotspot-address=192.168.111.1 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap,trial name="SECTOR 1" nas-port-type=wireless-802.11 \
radius-accounting=yes radius-default-domain="" radius-interim-update=\
received radius-location-id="" radius-location-name="" rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no trial-uptime=10m/4w2d \
trial-user-profile=default use-radius=yes
add dns-name="" hotspot-address=192.168.112.1 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap,trial name="SECTOR 2" nas-port-type=wireless-802.11 \
radius-accounting=yes radius-default-domain="" radius-interim-update=\
received radius-location-id="" radius-location-name="" rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no trial-uptime=10m/4w2d \
trial-user-profile=default use-radius=yes
add dns-name="" hotspot-address=192.168.113.1 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap,trial name="SECTOR 3" nas-port-type=wireless-802.11 \
radius-accounting=yes radius-default-domain="" radius-interim-update=\
received radius-location-id="" radius-location-name="" rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no trial-uptime=10m/4w2d \
trial-user-profile=default use-radius=yes
add dns-name="" hotspot-address=192.168.114.1 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap,trial name="SECTOR 4" nas-port-type=wireless-802.11 \
radius-accounting=yes radius-default-domain="" radius-interim-update=\
received radius-location-id="" radius-location-name="" rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no trial-uptime=10m/4w2d \
trial-user-profile=default use-radius=yes
add dns-name="" hotspot-address=192.168.115.1 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap,trial name="SECTOR 5" nas-port-type=wireless-802.11 \
radius-accounting=yes radius-default-domain="" radius-interim-update=\
received radius-location-id="" radius-location-name="" rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no trial-uptime=10m/4w2d \
trial-user-profile=default use-radius=yes
add dns-name="" hotspot-address=192.168.117.1 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap,trial name="OMNI 8" nas-port-type=wireless-802.11 \
radius-accounting=yes radius-default-domain="" radius-interim-update=\
received radius-location-id="" radius-location-name="" rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no trial-uptime=10m/4w2d \
trial-user-profile=default use-radius=yes
/ip hotspot
add disabled=no idle-timeout=5m interface="AZATEL #8" keepalive-timeout=none \
name="AZATEL #8" profile="OMNI 8"
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip pool
add name="SECTOR 1" ranges=192.168.111.2-192.168.111.99
add name="SECTOR 2" ranges=192.168.112.2-192.168.112.99
add name="SECTOR 3" ranges=192.168.113.2-192.168.113.99
add name="SECTOR 4" ranges=192.168.114.2-192.168.114.99
add name="SECTOR 5" ranges=192.168.115.2-192.168.115.99
add name="SECTOR 6" ranges=192.168.116.2-192.168.116.99
add name="EXTRA 7" ranges=192.168.117.2-192.168.117.99
add name="EXTRA 8" ranges=192.168.250.2-192.168.250.99
add name="AZA MAC 5.8" ranges=10.10.10.10
/ip dhcp-server
add add-arp=yes address-pool="SECTOR 1" always-broadcast=yes authoritative=\
after-2sec-delay bootp-support=static disabled=no interface=\
"10 dbi ubnt sector #1 ch1V" lease-time=3d name="SECTOR #1"
add add-arp=yes address-pool="SECTOR 2" always-broadcast=yes authoritative=\
after-2sec-delay bootp-support=static disabled=no interface=\
"10 dbi ubnt sector #2 ch6h" lease-time=3d name="SECTOR #2"
add add-arp=yes address-pool="SECTOR 3" always-broadcast=yes authoritative=\
after-2sec-delay bootp-support=static disabled=no interface=\
"10 dbi ubnt sector #3 ch11v" lease-time=3d name="SECTOR #3"
add add-arp=yes address-pool="SECTOR 4" always-broadcast=yes authoritative=\
after-2sec-delay bootp-support=static disabled=no interface=\
"10 dbi ubnt sector #4 ch1h" lease-time=3d name="SECTOR #4"
add add-arp=yes address-pool="SECTOR 5" always-broadcast=yes authoritative=\
after-2sec-delay bootp-support=static disabled=no interface=\
"10 dbi ubnt sector #5 ch6v" lease-time=3d name="SECTOR #5"
add add-arp=yes address-pool="SECTOR 6" always-broadcast=yes authoritative=\
after-2sec-delay bootp-support=static disabled=no interface=\
"10 dbi ubnt sector #6 ch11h" lease-time=3d name="SECTOR #6"
add add-arp=yes address-pool="EXTRA 7" always-broadcast=yes authoritative=\
after-2sec-delay bootp-support=static disabled=no interface="AZATEL #8" \
lease-time=3d name="EXTRA #7"
add add-arp=yes address-pool="AZA MAC 5.8" always-broadcast=yes \
authoritative=after-2sec-delay bootp-support=static disabled=no \
interface="AZACUALPA MACUELIZO 5.8 R52H" lease-time=3d name="AZA MAC 5.8"
/ip hotspot
add address-pool="SECTOR 6" disabled=no idle-timeout=5m interface=\
"10 dbi ubnt sector #6 ch11h" keepalive-timeout=none name=\
"SECTOR 6 CH11H" profile="SECTOR 6"
add address-pool="SECTOR 1" disabled=no idle-timeout=5m interface=\
"10 dbi ubnt sector #1 ch1V" keepalive-timeout=none name="SECTOR 1 CH1V" \
profile="SECTOR 1"
add address-pool="SECTOR 2" disabled=no idle-timeout=5m interface=\
"10 dbi ubnt sector #2 ch6h" keepalive-timeout=none name="SECTOR 2 CH6H" \
profile="SECTOR 2"
add address-pool="SECTOR 3" disabled=no idle-timeout=5m interface=\
"10 dbi ubnt sector #3 ch11v" keepalive-timeout=none name=\
"SECTOR 3 CH11V" profile="SECTOR 3"
add address-pool="SECTOR 4" disabled=no idle-timeout=5m interface=\
"10 dbi ubnt sector #4 ch1h" keepalive-timeout=none name="SECTOR 4 CH1H" \
profile="SECTOR 4"
add address-pool="SECTOR 5" disabled=no idle-timeout=5m interface=\
"10 dbi ubnt sector #5 ch6v" keepalive-timeout=none name="SECTOR 5 CH6V" \
profile="SECTOR 5"
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
stop-bits=1
/ppp profile
set default change-tcp-mss=yes comment="" name=default only-one=default \
use-compression=default use-encryption=default use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
only-one=default use-compression=default use-encryption=yes \
use-vj-compression=default
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
set default-small kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes comment="" disabled=no \
ignore-as-path-len=no name=default out-filter="" redistribute-connected=\
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
redistribute-static=no router-id=0.0.0.0
/routing ospf area
add area-id=0.0.0.0 authentication=none disabled=no name=backbone type=\
default
/snmp
set contact="" enabled=no engine-boots=0 engine-id="" location="" \
time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=0.0.0.0/0 authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-lines=100 disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote name=remote remote=0.0.0.0:514 target=remote
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
enter-setup-on=any-key
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
boot-protocol=bootp cpu-frequency=680MHz enable-jumper-reset=yes \
enter-setup-on=any-key
/user group
add name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sn\
iff,!ftp,!write,!policy"
add name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,sniff,!ftp,!policy"
add name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web,sniff"
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-vlan=no
/interface ethernet mirror
set mirror-port=none source-port=none
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:F5:91:BF:E7:BB \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.111.1/24 broadcast=192.168.111.255 comment="" disabled=no \
interface="10 dbi ubnt sector #1 ch1V" network=192.168.111.0
add address=192.168.112.1/24 broadcast=192.168.112.255 comment="" disabled=no \
interface="10 dbi ubnt sector #2 ch6h" network=192.168.112.0
add address=192.168.113.1/24 broadcast=192.168.113.255 comment="" disabled=no \
interface="10 dbi ubnt sector #3 ch11v" network=192.168.113.0
add address=192.168.114.1/24 broadcast=192.168.114.255 comment="" disabled=no \
interface="10 dbi ubnt sector #4 ch1h" network=192.168.114.0
add address=192.168.115.1/24 broadcast=192.168.115.255 comment="" disabled=no \
interface="10 dbi ubnt sector #5 ch6v" network=192.168.115.0
add address=192.168.116.1/24 broadcast=192.168.116.255 comment="" disabled=no \
interface="10 dbi ubnt sector #6 ch11h" network=192.168.116.0
add address=192.168.117.1/24 broadcast=192.168.117.255 comment="" disabled=no \
interface="AZATEL #8" network=192.168.117.0
add address=10.10.10.9/30 broadcast=10.10.10.11 comment="" disabled=no \
interface="AZACUALPA MACUELIZO 5.8 R52H" network=10.10.10.8
/ip dhcp-client
add add-default-route=yes comment="" default-route-distance=0 disabled=no \
interface="WAN SERVER ENTRADA #9" use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server lease
add address=192.168.111.3 always-broadcast=yes client-id=1:0:15:6d:a9:c5:4a \
comment="BRENDA GUEVARA CPE" disabled=no mac-address=00:15:6D:A9:C5:4A \
server="SECTOR #1"
add address=192.168.111.4 client-id=1:0:18:d2:0:54:83 comment=\
"HOGAR DE NINOS CPE" disabled=no mac-address=00:18:D2:00:54:83 server=\
"SECTOR #1"
add address=192.168.111.5 client-id=1:0:15:6d:a9:c5:57 comment=\
"TECHNOLOGY CPE" disabled=no mac-address=00:15:6D:A9:C5:57 server=\
"SECTOR #1"
add address=192.168.116.3 client-id=1:0:15:6d:a9:c5:55 comment=\
"JOSE FRANCISCO CPE" disabled=no mac-address=00:15:6D:A9:C5:55 server=\
"SECTOR #6"
add address=192.168.116.4 client-id=1:0:15:6d:a7:68:98 comment=\
"NATIVIDAD CPE" disabled=no mac-address=00:15:6D:A7:68:98 server=\
"SECTOR #6"
add address=192.168.114.4 client-id=1:0:15:6d:a9:c5:3a comment=\
"DR MANATIYAS CPE" disabled=no mac-address=00:15:6D:A9:C5:3A server=\
"SECTOR #4"
add address=192.168.114.5 client-id=1:0:15:6d:a9:c5:54 comment=\
"DARWIN TRIMINIO" disabled=no mac-address=00:15:6D:A9:C5:54 server=\
"SECTOR #4"
add address=192.168.111.7 client-id=1:0:15:6d:a9:c5:3f comment=\
"CYBER EL SHADAI CPE" disabled=no mac-address=00:15:6D:A9:C5:3F server=\
"SECTOR #1"
add address=192.168.116.5 client-id=1:0:15:6d:a7:69:17 comment="MUNI AZA CPE" \
disabled=no mac-address=00:15:6D:A7:69:17 server="SECTOR #6"
add address=192.168.111.9 client-id=1:0:15:6d:a9:c3:f1 comment=\
"FREDDY DIARACEL CPE" disabled=no mac-address=00:15:6D:A9:C3:F1 server=\
"SECTOR #1"
add address=192.168.111.10 client-id=1:0:15:6d:a9:c5:8 comment="SAMUEL CPE" \
disabled=no mac-address=00:15:6D:A9:C5:08 server="SECTOR #1"
add address=192.168.115.3 client-id=1:0:15:6d:a9:c4:7 comment="IHCAFE CPE" \
disabled=no mac-address=00:15:6D:A9:C4:07 server="SECTOR #5"
add address=192.168.111.11 client-id=1:0:e0:4d:5c:c:ca comment=\
"NELSY LICONA PC" disabled=no mac-address=00:E0:4D:5C:0C:CA server=\
"SECTOR #1"
add address=192.168.111.13 comment="NELSY LICONA DLINK" disabled=no \
mac-address=00:1C:F0:A8:30:BD server="SECTOR #1"
add address=192.168.111.14 client-id=1:0:18:d2:0:21:fa comment=\
"CASA DE FELIPE CPE" disabled=no mac-address=00:18:D2:00:21:FA server=\
"SECTOR #1"
add address=192.168.115.6 client-id=1:0:18:d2:0:20:df comment="CASM CPE" \
disabled=no mac-address=00:18:D2:00:20:DF server="SECTOR #5"
add address=192.168.114.8 client-id=1:0:15:6d:a9:c4:fc comment=\
"REAL WAYSIDE CPE" disabled=no mac-address=00:15:6D:A9:C4:FC server=\
"SECTOR #4"
add address=192.168.117.5 comment="AZATEL PC" disabled=no mac-address=\
00:E0:4D:5B:FA:96 server="EXTRA #7" use-src-mac=yes
add address=192.168.117.4 client-id=1:0:13:46:58:1d:c4 comment="AZATEL PC 2" \
disabled=no mac-address=00:13:46:58:1D:C4 server="EXTRA #7"
add address=10.10.10.10 always-broadcast=yes client-id=1:0:c:42:26:56:47 \
comment="MACUELIZO MK" disabled=no mac-address=00:0C:42:26:56:47 server=\
"AZA MAC 5.8"
/ip dhcp-server network
add address=10.10.10.8/30 comment="" gateway=10.10.10.9
add address=192.168.111.0/24 comment="" gateway=192.168.111.1
add address=192.168.112.0/24 comment="" gateway=192.168.112.1
add address=192.168.113.0/24 comment="" gateway=192.168.113.1
add address=192.168.114.0/24 comment="" gateway=192.168.114.1
add address=192.168.115.0/24 comment="" gateway=192.168.115.1
add address=192.168.116.0/24 comment="" gateway=192.168.116.1
add address=192.168.117.0/24 comment="" gateway=192.168.117.1
add address=192.168.250.0/24 comment="" gateway=192.168.250.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 primary-dns=10.10.10.5 secondary-dns=\
65.167.31.143
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip hotspot ip-binding
add address=192.168.250.47 comment="fredy casa" disabled=yes mac-address=\
00:16:EC:2C:C0:42 server="SECTOR 6 CH11H" to-address=192.168.250.47 type=\
bypassed
add address=192.168.111.10 comment="SAMUEL CPE" disabled=no mac-address=\
00:15:6D:A9:C5:08 server="SECTOR 1 CH1V" to-address=192.168.111.10 type=\
bypassed
add address=192.168.116.3 comment="JOSE FRANSICO CPE" disabled=no \
mac-address=00:15:6D:A9:C5:55 server="SECTOR 6 CH11H" to-address=\
192.168.116.3 type=bypassed
add address=192.168.111.9 comment="FREDDY DIARACEL CPE" disabled=no \
mac-address=00:15:6D:A9:C3:F1 server="SECTOR 1 CH1V" to-address=\
192.168.111.9 type=bypassed
add address=192.168.111.7 comment="CYBER ELSHADAI CPE" disabled=no \
mac-address=00:15:6D:A9:C5:3F server="SECTOR 1 CH1V" to-address=\
192.168.111.7 type=bypassed
add address=192.168.111.3 comment="BRENDA GUEVARA CPE" disabled=no \
mac-address=00:15:6D:A9:C5:4A server="SECTOR 1 CH1V" to-address=\
192.168.111.3 type=bypassed
add address=192.168.111.5 comment="TECHONOGY CPE" disabled=no mac-address=\
00:15:6D:A9:C5:57 server="SECTOR 1 CH1V" to-address=192.168.111.5 type=\
bypassed
add address=192.168.111.100 comment="SECTOR #1 CH1V" disabled=no mac-address=\
00:15:6D:A9:C6:00 server="SECTOR 1 CH1V" to-address=192.168.111.100 type=\
bypassed
add address=192.168.111.4 comment="HOGAR DE NINOS CPE" disabled=no \
mac-address=00:18:D2:00:54:83 server="SECTOR 1 CH1V" to-address=\
192.168.111.4 type=bypassed
add address=192.168.116.100 comment="SECTOR #6 11H" disabled=no mac-address=\
00:15:6D:A9:C4:FD server="SECTOR 6 CH11H" to-address=192.168.116.100 \
type=bypassed
add address=192.168.116.4 comment="NATIVIDAD CPE" disabled=no mac-address=\
00:15:6D:A7:68:98 server="SECTOR 6 CH11H" to-address=192.168.116.4 type=\
bypassed
add address=192.168.116.5 comment="MUNI AZA CPE" disabled=no mac-address=\
00:15:6D:A7:69:17 server="SECTOR 6 CH11H" to-address=192.168.116.5 type=\
bypassed
add address=192.168.114.100 comment="SECTOR 4" disabled=no mac-address=\
00:15:6D:A9:C5:E8 server="SECTOR 4 CH1H" to-address=192.168.114.100 type=\
bypassed
add address=192.168.114.4 comment="DR MANATIYAS CPE" disabled=no mac-address=\
00:15:6D:A9:C5:3A server="SECTOR 4 CH1H" to-address=192.168.114.4 type=\
bypassed
add address=192.168.114.5 comment="DARWIN TRIMINIO CPE" disabled=no \
mac-address=00:15:6D:A9:C5:54 server="SECTOR 4 CH1H" to-address=\
192.168.114.5 type=bypassed
add address=192.168.115.100 comment="SECTOR 5" disabled=no mac-address=\
00:15:6D:A9:C5:01 server="SECTOR 5 CH6V" to-address=192.168.115.4 type=\
bypassed
add address=192.168.115.3 comment="IHCAFE CPE" disabled=no mac-address=\
00:15:6D:A9:C4:07 server="SECTOR 5 CH6V" to-address=192.168.115.3 type=\
bypassed
add address=192.168.112.100 comment="SECTOR #2" disabled=no mac-address=\
00:15:6D:A9:C5:4B server="SECTOR 2 CH6H" to-address=192.168.112.100 type=\
bypassed
add address=192.168.113.100 comment="SECTOR #3" disabled=no mac-address=\
00:15:6D:A9:C4:FE server="SECTOR 3 CH11V" to-address=192.168.113.100 \
type=bypassed
add address=192.168.111.11 comment="NELSY LICONA PC" disabled=no mac-address=\
00:E0:4D:5C:0C:CA server="SECTOR 1 CH1V" to-address=192.168.111.11 type=\
bypassed
add address=192.168.111.13 comment="NELSY LICONA DLINK" disabled=no \
mac-address=00:E0:4D:5C:0C:CA server="SECTOR 1 CH1V" to-address=\
192.168.111.13 type=bypassed
add address=192.168.111.14 comment="CASA DE MAMA DE FELIPE CPE" disabled=no \
mac-address=00:18:D2:00:21:FA server="SECTOR 1 CH1V" to-address=\
192.168.111.14 type=bypassed
add address=192.168.115.6 comment="CASM CPE" disabled=no mac-address=\
00:18:D2:00:20:DF server="SECTOR 5 CH6V" to-address=192.168.115.6 type=\
bypassed
add address=192.168.114.8 comment="REAL WAYSIDE CPE" disabled=no mac-address=\
00:15:6D:A9:C4:FC server="SECTOR 4 CH1H" to-address=192.168.114.8 type=\
bypassed
add address=192.168.117.5 comment="AZATEL PC" disabled=no mac-address=\
00:E0:4D:5B:FA:96 server="AZATEL #8" to-address=192.168.117.5 type=\
bypassed
add address=192.168.117.4 comment="azatel pc 2" disabled=no mac-address=\
00:13:46:58:1D:C4 server="AZATEL #8" to-address=192.168.117.4 type=\
bypassed
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add comment="" disabled=no name=mike password=sennm profile=default
/ip neighbor discovery
set "WAN SERVER ENTRADA #9" discover=yes
set "AZATEL #8" discover=yes
set "EXTRA #7" discover=yes
set "10 dbi ubnt sector #6 ch11h" discover=yes
set "10 dbi ubnt sector #5 ch6v" discover=yes
set "10 dbi ubnt sector #4 ch1h" discover=yes
set "10 dbi ubnt sector #3 ch11v" discover=yes
set "10 dbi ubnt sector #2 ch6h" discover=yes
set "10 dbi ubnt sector #1 ch1V" discover=yes
set "AZACUALPA MACUELIZO 5.8 R52H" discover=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
no src-address=0.0.0.0
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set "WAN SERVER ENTRADA #9" queue=ethernet-default
set "AZATEL #8" queue=ethernet-default
set "EXTRA #7" queue=ethernet-default
set "10 dbi ubnt sector #6 ch11h" queue=ethernet-default
set "10 dbi ubnt sector #5 ch6v" queue=ethernet-default
set "10 dbi ubnt sector #4 ch1h" queue=ethernet-default
set "10 dbi ubnt sector #3 ch11v" queue=ethernet-default
set "10 dbi ubnt sector #2 ch6h" queue=ethernet-default
set "10 dbi ubnt sector #1 ch1V" queue=ethernet-default
set "AZACUALPA MACUELIZO 5.8 R52H" queue=wireless-default
/radius
add accounting-backup=no accounting-port=1813 address=10.10.10.5 \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" secret=1234 service=hotspot timeout=300ms
/radius incoming
set accept=yes port=3799
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
0.0.0.0 timeout=1m ttl=50
/routing ospf
set distribute-default=never metric-bgp=20 metric-connected=20 \
metric-default=1 metric-rip=20 metric-static=20 mpls-te-area=unspecified \
mpls-te-router-id=unspecified redistribute-bgp=no redistribute-connected=\
no redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing rip
set distribute-default=always garbage-timer=2m metric-bgp=1 metric-connected=\
1 metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=yes \
redistribute-connected=yes redistribute-ospf=yes redistribute-static=yes \
timeout-timer=3m update-timer=30s
/routing rip interface
add authentication=none authentication-key="" disabled=no in-prefix-list="" \
interface=all key-chain="" out-prefix-list="" passive=no receive=v1-2 \
send=v1-2
/routing rip neighbor
add address=10.10.10.10 disabled=no
add address=10.10.10.14 disabled=no
add address=10.10.10.5 disabled=no
/store
add comment="" disabled=no disk=system name=web-proxy1 type=web-proxy
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no port=serial0 term=vt102
/system health
set fan-mode=auto use-fan=main
/system identity
set name=AZACUALPA
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.10.10.5 secondary-ntp=0.0.0.0
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=10
/tool e-mail
set from=<> server=0.0.0.0
/tool graphing
set store-every=5min
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
/tool graphing resource
add allow-address=0.0.0.0/0 disabled=no store-on-disk=yes
/tool mac-server
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=\
yes interface=all memory-limit=10 only-headers=no streaming-enabled=no \
streaming-server=0.0.0.0
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no

setting up small WISP in Honduras over Satellite connections

Chupaka
Forum Guru
Posts: 7229
Joined: Mon Jun 19, 2006 11:15 pm
Location: Home Network Ltd., Minsk, Belarus

Re: Mikrotik Router act as a switch and transparent firewall?

by Chupaka » Mon Apr 06, 2009 9:39 am

:)

/ip hotspot user
add comment="" disabled=no name=mike password=sennm profile=default
For every complex problem, there is a solution that is simple, neat, and wrong.

¡ɹǝ|SOɹǝʇnoɹ ʞıʇoɹʞıW ɯ‚|

MikroTik. Your life. Your routing.

skype: pavel.skuratovich

mps01k
Frequent Visitor
Posts: 89
Joined: Fri Mar 23, 2007 10:09 pm
Location: HONDURAS

Re: Mikrotik Router act as a switch and transparent firewall?

by mps01k » Mon Apr 06, 2009 9:49 am

Hmm, I thought that there was no sensitive info in there. Anyways, hope none of my clients are here reading this, haha, they would have free internet, wouldn't they.

mike

normis
MikroTik Support
Posts: 19266
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Mikrotik Router act as a switch and transparent firewall?

by normis » Mon Apr 06, 2009 10:00 am

[demo@demo.mt.lv] > export hide-sensitive file=
No answer to your question? How to write posts
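
An added example, not from normis, MikroTik's documentation or the thread: the commands a practitioner would run on the AZACUALPA router once the full export above had been posted. It shows the hide-sensitive export normis points at, then rotates the three secrets the posted export actually contained (the hotspot user's password, the wpa2/WEP keys in profile1, and the RADIUS shared secret), and finally stops the management services that the export shows listening on 0.0.0.0/0. The export filename, every new secret value, and the choice of 10.10.10.0/24 as the trusted management network (the export uses 10.10.10.5 for RADIUS, DNS and NTP) are assumptions.

```routeros
# Added example (not from the thread). After a full export has been posted:
# hide secrets next time, rotate the ones already exposed, and stop
# management services from listening on every address.

# 1. Next time, export with sensitive fields blanked before posting.
#    hide-sensitive strips passwords, pre-shared keys and RADIUS secrets.
#    It does not hide interface names, client MACs, addresses, hotspot
#    bypass entries or which services are enabled; those stay readable.
#    (filename is an assumption)
/export hide-sensitive file=azacualpa-forum

# 2. Rotate every secret the posted export contained.
#    All new values below are placeholders; choose your own.
/ip hotspot user set [find name=mike] password=ChangeMe-hotspot-user-1
/interface wireless security-profiles set [find name=profile1] \
    wpa2-pre-shared-key=ChangeMe-wpa2-psk-use-20-plus-chars \
    static-key-0=a1b2c3d4e5
# The RADIUS secret is shared with the server at 10.10.10.5;
# change it there as well or hotspot logins will start failing.
/radius set [find address=10.10.10.5] secret=ChangeMe-radius-shared-secret

# 3. Management services: the export had telnet, ftp, www, ssh and winbox
#    all enabled on 0.0.0.0/0 (any address, including the WAN side).
#    Disable the plaintext ones; bind the rest to the management network
#    (assumption: 10.10.10.0/24).
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh address=10.10.10.0/24
/ip service set winbox address=10.10.10.0/24
```

Rotating the three values does not undo the rest of the disclosure: the export also lists every CPE's MAC address and the hotspot ip-bindings of type=bypassed, which is exactly what a client would need to clone a bypassed device. hide-sensitive would not have removed those either, so an export for a forum post is still worth reading through by hand before it goes up.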

miahac
Member
Posts: 482
Joined: Wed Dec 14, 2005 6:04 pm
Location: Wichita, KS

Re: Mikrotik Router act as a switch and transparent firewall?

by miahac » Thu Jul 16, 2009 9:51 pm

@OP, did you ever get this to work? I'm trying to figure out how to do the same thing and then I found your post, but it doesn't really say if the setup worked.
Network Administrator
Kansas Hosting and Wichita Data Centers

NetworkPro
Forum Guru
Posts: 1345
Joined: Mon Jan 05, 2009 7:23 pm
Location: The World

Re: Mikrotik Router act as a switch and transparent firewall?

by NetworkPro » Sun Jul 19, 2009 7:15 pm

brianlewis wrote:I'm proposing an RB450 Mikrotik router to be used as a transparent firewall for 3 servers.
This device has 4 ethernet ports.

I would like to use PORT 1 to connect as the WAN
I would like to use PORT 2, 3, and 4 for Server 1, Server 2, and Server 3.

I want to use it transparently so that I can firewall these 3 servers from the Internet.

The 3 servers will be assigned each a unique internet ip address, so I don't plan on using NAT.

Can this be done? What particular configuration settings should I be looking at to make this happen? Servers 1, 2, and 3 would need to be able to talk to each other as if they were plugged into the same switch, yet still talk to the common default gateway to get to the internet. Not sure of the exact direction that needs to be taken to make this happen. Appreciate any insight.

Brian


(As mentioned in post 2 of this topic) This is done through adding a bridge and assigning ports 2, 3 and 4 to it. After that you can use bridge filters or enable use-ip-firewall=yes and use regular firewall rules.

The other option, the switch chip, cannot be controlled: RouterOS has no control over what is communicated when master-port is set. This makes it faster; I am using it like that for clients that I know play nice with each other and that I don't need to firewall from each other.
wiki.mikrotik.com/wiki/UPnP_Multi-WAN <- CONTRIBUTORS WANTED
wiki.mikrotik.com/wiki/NetworkPro_on_Quality_of_Service <- contributors welcome
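The bridge approach described in the post above, written out as an added example (mine, not configuration from this thread or from MikroTik). It uses RouterOS v6 syntax. One design point the post leaves implicit: for the firewall to be transparent, the upstream port ether1 has to be a bridge member too, otherwise the RB450 would have to route between ether1 and the bridge and the servers could not sit directly on the upstream subnet. With all four ports bridged, the servers keep their public addresses and the upstream gateway is on the same segment. The addresses 203.0.113.0/24 (servers and management) and 198.51.100.0/24 (admin network) are assumed documentation ranges, and the allowed service ports are an assumption; adjust to the real deployment.

```routeros
# Added example, not from the thread: transparent L2 firewall on an RB450.
# ether1 = upstream, ether2-4 = servers with public IPs (assumed 203.0.113.0/24).
# All four ports join one bridge; the router needs no NAT and no routed subnet.
/interface bridge
add name=bridge1 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4

# Pass bridged traffic through /ip firewall so ordinary filter rules apply.
/interface bridge settings
set use-ip-firewall=yes

# Management address for the RB450 itself (assumed), taken from the same
# public subnet; the upstream gateway is assumed to be 203.0.113.1.
/ip address
add address=203.0.113.10/24 interface=bridge1
/ip route
add gateway=203.0.113.1

/ip firewall filter
# forward chain = traffic switched between bridge ports (servers <-> Internet,
# server <-> server). Stateful rules first.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# New connections arriving from the upstream port: only published services.
add chain=forward in-bridge-port=ether1 protocol=icmp action=accept
add chain=forward in-bridge-port=ether1 protocol=tcp dst-port=80,443 action=accept
add chain=forward in-bridge-port=ether1 protocol=tcp dst-port=22 \
    src-address=198.51.100.0/24 action=accept comment="SSH from admin net (assumed)"
add chain=forward in-bridge-port=ether1 action=drop
# Anything originating on the server ports (to each other or outbound) is
# allowed, exactly as if they were on a plain switch.
add chain=forward action=accept

# input chain = traffic to the RB450's own management address.
add chain=input connection-state=established,related action=accept
add chain=input src-address=198.51.100.0/24 protocol=tcp dst-port=22,8291 action=accept
add chain=input protocol=icmp action=accept
add chain=input action=drop
```

Two checks worth making after applying this: none of ether2-4 may have master-port set, because a switch-chip group forwards frames between its member ports before the CPU and the bridge firewall ever see them; and `/ip firewall filter print stats` should show the ether1 drop rule counting while the final forward accept rule counts the server-to-server traffic.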

miahac
Member
Posts: 482
Joined: Wed Dec 14, 2005 6:04 pm
Location: Wichita, KS

Re: Mikrotik Router act as a switch and transparent firewall?

by miahac » Wed Jul 22, 2009 6:12 pm

I have my WAN plugged into eth1 and I have a bridge set up on eth2-5. These servers need public IPs, so how would I go about setting those? Just manually assign the IP like usual, or do I have to do anything else?

Thanks for the help.

Maggiore81
Member Candidate
Posts: 123
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: Mikrotik Router act as a switch and transparent firewall

by Maggiore81 » Sat Sep 08, 2012 7:43 pm

I agree with the post where it is said that the switch is acting as a HUB.

I have a RB450 with 5.20

I created one wan port (port1)
and a switch for port 2-3-4 (master port eth2)

the problem is that it is acting as a hub, with the traffic replicated on all ports.

I have an FTP download from port 2 to a host on "wan" and I see a 10 Mbit stream on ports 2, 3 and 4 even though it is coming from port 2.

What can I do?
Dott. Elia Spadoni
---
Network Administrator
Spadhausen Internet Provider
Ravenna, ITALY
http://www.spadhausen.com

Chupaka
Forum Guru
Posts: 7229
Joined: Mon Jun 19, 2006 11:15 pm
Location: Home Network Ltd., Minsk, Belarus

Re: Mikrotik Router act as a switch and transparent firewall

by Chupaka » Sat Sep 08, 2012 7:57 pm

do you see both MAC addresses in Host tab?..
For every complex problem, there is a solution that is simple, neat, and wrong.

¡ɹǝ|SOɹǝʇnoɹ ʞıʇoɹʞıW ɯ‚|

MikroTik. Your life. Your routing.

skype: pavel.skuratovich

Maggiore81
Member Candidate
Posts: 123
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: Mikrotik Router act as a switch and transparent firewall

by Maggiore81 » Sat Sep 08, 2012 8:09 pm

Yes, I see the MAC of the FTP server and the client in the ARP list.

(wan int) 172.16.0.69/23
(eth2) master port of eth2,3,4,5 172.16.6.254/24
RB450 is doing only routing, no NAT.


- FTP server is 172.16.0.204/23 (its MAC is in the ARP table)

- client is behind NAT of 172.16.6.203/24, a Cisco 851W (its MAC is in the ARP table)

Chupaka
Forum Guru
Posts: 7229
Joined: Mon Jun 19, 2006 11:15 pm
Location: Home Network Ltd., Minsk, Belarus

Re: Mikrotik Router act as a switch and transparent firewall

by Chupaka » Sat Sep 08, 2012 8:26 pm

I mean, in Switch -> Host, do you see the client's MAC on the appropriate interface?..

Maggiore81
Member Candidate
Posts: 123
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: Mikrotik Router act as a switch and transparent firewall

by Maggiore81 » Sat Sep 08, 2012 8:30 pm

No.
On the 450 the host list is blank.

I have a 750 configured exactly as the 450, and I see a populated host table.

Chupaka
Forum Guru
Posts: 7229
Joined: Mon Jun 19, 2006 11:15 pm
Location: Home Network Ltd., Minsk, Belarus

Re: Mikrotik Router act as a switch and transparent firewall

by Chupaka » Sat Sep 08, 2012 8:32 pm

I think that's the reason: any switch that does not know the 'MAC-Port' binding acts like a hub.

Chupaka
Forum Guru
Posts: 7229
Joined: Mon Jun 19, 2006 11:15 pm
Location: Home Network Ltd., Minsk, Belarus

Re: Mikrotik Router act as a switch and transparent firewall

by Chupaka » Sat Sep 08, 2012 8:37 pm

according to http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features:
RB450 has an ICPlus175D chip, which has no Host table (so is it actually a hub?)

Maggiore81
Member Candidate
Posts: 123
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: Mikrotik Router act as a switch and transparent firewall

by Maggiore81 » Sat Sep 08, 2012 8:48 pm

I really don't know. It is called a switch chip!

On the RB750 I have the host table correctly populated.

Chupaka
Forum Guru
Posts: 7229
Joined: Mon Jun 19, 2006 11:15 pm
Location: Home Network Ltd., Minsk, Belarus

Re: Mikrotik Router act as a switch and transparent firewall

by Chupaka » Sat Sep 08, 2012 8:52 pm

RB750 uses an Atheros7240, which has 2k entries in the Host table...

Maggiore81
Member Candidate
Posts: 123
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: Mikrotik Router act as a switch and transparent firewall

by Maggiore81 » Sat Sep 08, 2012 9:35 pm

According to http://www.icplus.com.tw/pp-ip175c.html

the IP175C is a switch chip, but practically it is not.

Bah! I won't change the 450 for the 750 because my 450 has 64 MB RAM vs 32 MB on the 750... but the problem of replicated traffic, as in a HUB, is a really big issue.

Any official response from MT?

I can see now with The Dude that the traffic is perfectly replicated throughout the 4 ports of the switch group.
I could put an unmanaged 5-port switch (maybe a TP-Link or similar) on ETH2 of the 450.

Chupaka
Forum Guru
Posts: 7229
Joined: Mon Jun 19, 2006 11:15 pm
Location: Home Network Ltd., Minsk, Belarus

Re: Mikrotik Router act as a switch and transparent firewall

by Chupaka » Sat Sep 08, 2012 10:35 pm

Maggiore81 wrote:According to http://www.icplus.com.tw/pp-ip175c.html

2k MAC address

well, it seems like it should work like a switch. Try asking support@ :)

Maggiore81
Member Candidate
Posts: 123
Joined: Sun Apr 15, 2012 12:10 pm
Location: Italy

Re: Mikrotik Router act as a switch and transparent firewall

by Maggiore81 » Wed Nov 28, 2012 1:29 am

I got an answer from MT Support.

Don't use eth1 as the WAN port if you want 2-5 to be used as a switch. It behaves as a hub then. It is a CPU port (they told me).

I solved it by NOT using port 1, and using 2 as WAN and 3-5 as LAN. It worked perfectly.
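The switch-group layout from the support answer quoted above, written out as an added example (mine, not configuration from this thread or from MikroTik support). It uses the master-port syntax of RouterOS v5/v6 before 6.41, where hardware switching moved to hw-offloaded bridge ports. The addresses are the ones Maggiore81 posted earlier in the thread; the choice of ether3 as master port and the disabling of the unused CPU-side port ether1 are my assumptions. The verification commands are the Switch -> Host check Chupaka asked about, plus a per-port traffic check as the fallback, since this thread reports the host table as empty on the RB450's ICPlus175D.

```routeros
# Added example, not from the thread: routed WAN on ether2, hardware switch
# group on ether3-5, ether1 (the CPU-side port) left out as support advised.
/interface ethernet
# ether2 stays a standalone routed port.
set ether2 master-port=none
# ether3 is the master of the switch group; ether4/5 are switched to it in
# hardware and are not visible to /ip firewall as separate ports.
set ether4 master-port=ether3
set ether5 master-port=ether3
# Unused port: disable it so nothing can be plugged into the hub-like path.
set ether1 disabled=yes

# Addresses as posted earlier in the thread; routing only, no NAT.
/ip address
add address=172.16.0.69/23 interface=ether2
add address=172.16.6.254/24 interface=ether3

# Check 1: on a chip with a host table (e.g. the RB750's Atheros7240) each
# client MAC should appear once, bound to the port it is really on.
/interface ethernet switch host print

# Check 2: on a chip that shows an empty host table, sample the counters
# while a single host on ether4 transfers data; ether5's rx/tx should stay
# near zero. If it mirrors ether4's rate, the group is still flooding.
/interface monitor-traffic interface=ether4,ether5 once
```

The same flooding check is the one to run on the transparent-bridge design from earlier in the thread: a switch group that floods unicast to every member port leaks one server's traffic to its neighbours' ports, which defeats the point of putting a firewall between them.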
