The 951 has a built-in ethernet switch chip.
When you set one port as slave to another, it “connects” them - so anything you configure on the master, the slave behaves the same way - like a 2, 3, 4, or 5 port Linksys unmanaged switch…
These interface names make it obvious which interfaces are linked, and whether they are WAN or LAN.
bridge-local is a software bridge. Before there was a hardware switch chip in Mikrotiks, you always used a bridge. These are much slower than a hardware switch because they use the CPU. However, since the wireless interface is not on the switch chip, if you want the wireless network to be the same LAN as the 4 ethernet ports, then the only way to connect these is with the CPU bridge.
So now, the CPU bridge is the official LAN interface of the Mikrotik. This is the interface you use in firewall rules, you configure as DHCP server, etc.
Well, when you consider that many SOHO routers come with a single WAN interface, and a 4-port LAN switch, this is the behavior that this 951 router is using (951 is targeted at SOHO customers).
Disabling it couldn’t be easier.
Just go into interfaces > ethernet, configure each interface, and set master=none.
Now all 5 interfaces will act as stand-alone interfaces.
You might want to rename them all to just ether1 ether2 ether3 ether4 and ether5 while you’re at it.
(renaming it won’t break any other configs that reference the interface - in fact, those references all get updated too)
If you also want the wireless to be its own routed-only network (no broadcast visibility onto wired interfaces) then you can just remove the LAN bridge entirely. You’ll need to put an IP address and DHCP server onto the wlan1 interface after doing that, though.
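Added example, not from the thread and not MikroTik's own config: the RouterOS v6 CLI form of the steps above (detach the switch-chip slaves, rename, and optionally drop the LAN bridge and give wlan1 its own addressing). It assumes a stock RB951 default config (ether1-gateway, ether2-master-local, ether3/4/5-slave-local, wlan1, bridge-local); the 192.168.89.0/24 wireless subnet and the pool/server names are made up for the example.

```routeros
# Added example (not from the thread). Assumes RouterOS v6 on an RB951 with the
# default names; the wifi subnet, pool name and server name below are constructed.

# 1. Detach every ethernet port from the switch-chip group so each one is a
#    stand-alone interface, and give it a plain name in the same command.
#    default-name is read-only and survives renames, so this matches the
#    ports whatever they are currently called.
/interface ethernet
set [ find default-name=ether1 ] name=ether1
set [ find default-name=ether2 ] master-port=none name=ether2
set [ find default-name=ether3 ] master-port=none name=ether3
set [ find default-name=ether4 ] master-port=none name=ether4
set [ find default-name=ether5 ] master-port=none name=ether5
# Firewall, NAT and DHCP entries that referenced the old names now show the new ones.

# 2. (Optional) remove the CPU bridge so wireless is a routed-only network.
#    Take the bridge's DHCP server and address away before the bridge itself.
/ip dhcp-server remove [ find interface=bridge-local ]
/ip address remove [ find interface=bridge-local ]
/interface bridge port remove [ find bridge=bridge-local ]
/interface bridge remove [ find name=bridge-local ]

# 3. wlan1 now needs its own address, pool and DHCP server, plus the DHCP
#    network entry that hands out gateway and DNS (the step that is easy to forget).
/ip address add address=192.168.89.1/24 interface=wlan1
/ip pool add name=wifi-pool ranges=192.168.89.10-192.168.89.254
/ip dhcp-server add name=wifi-dhcp interface=wlan1 address-pool=wifi-pool disabled=no
/ip dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.89.1

# 4. Every ethernet port you still want clients on needs the same treatment
#    (its own /ip address and, if clients live there, its own DHCP server), e.g.:
/ip address add address=192.168.88.1/24 interface=ether2
```

Two things worth keeping in mind when you run this: once master-port=none is set on all ports, traffic between them is routed by the CPU rather than switched in hardware, so the wire-speed path between the four LAN ports is gone; and because wlan1 and ether2 are now separate subnets, anything that relied on broadcast discovery across wired and wireless (printers, media players) stops working unless you deliberately bridge them again.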
That is very clear now. You are a big help!
I’m going through Stephen Discher’s book now to build some configs from scratch pg. 40.
Starting to have some fun now.
I’m sure I will return with more questions. Thanks for the quick replies.
ZeroByte has covered this well, but if you run into difficulty like I did when I first did this and forgot to go to the DHCP Networks screen to set GW and DNS, then there is a good step-by-step instruction here
You need to look in the bridge > ports screen to see which interfaces are attached to which bridge, but I can already guess what the guy is doing. (I’ve been in the business long enough to know a workaround when I see one).
His solution is to basically connect his box directly to the WAN and bypass the Mikrotik entirely as a router.
Note that ether1-gateway has a ‘S’ flag (slave). This means that it’s either running slave on the switch chip (unlikely) or else connected to a bridge.
I love stuff like this. (very sarcastic here - I hate it with a burning passion). It reminds me of how much we hated SonicWall at a previous job of mine - it always screwed up our SCCP-based IP-PBX service, and there were certain “voip-friendly” firmware revisions that would fix it, but we would almost always just bypass the SonicWall for our phones. It always made me mad when the service manager would do that instead of making the customers’ IT company learn to properly configure the SonicWalls that they just LOVED to install at our customers’ sites.
I’m not entirely sure what you mean by that…
Do you mean you used wlan as a wan interface and did masquerade on traffic going out that interface?
Do you mean that you concealed the IP addresses of the wireless clients when they talk to the other LAN networks, masquerading them as the Mikrotik’s lan interface?
Do you mean that you didn’t bridge wlan and lan into a single network, but allowed both ranges to be masqueraded when going to the Internet?
Generally you only NEED to masquerade when the true source’s address is not reachable to the rest of the network, as a way to fool “Security” by obscuring the true source address of a packet, or else as a way to force return-path routing (as in a NAT hairpin, for instance).
I was hoping you would recognize this. I’d love to re-build these correctly, but I can’t because there are a lot of NAT and Mangle rules I need to understand before I can start messing with his default configs.
You are correct in your assumption, Ether1-gateway (WAN) is running slave to the bridge (bridge pass-through).
And Ether5 is also running slave to the bridge pass-through.
However Ether2 is the Master Local, which leaves Ether3 and Ether4 as its slaves. I don’t use those ports anyway.
So now I know from your great advice that 24.x.x.x listed as bridge-passthrough is really Ether1-gateway (WAN)
and 192.168.88.1 is Bridge Local is Ether2.
I think that means that any packet to/from the Ether1 WAN (gateway 24.x.x.x) will be duplicated out Ether5 (just like a SOHO switch).
Yes. That’s correct. They are connected exactly like with a SOHO switch.
Enhancing your knowledge of switching just a bit more: Switch / bridge ports don’t ‘duplicate’ traffic. Switches only forward frames to whichever port has the destination MAC address connected to it. They forward a frame to all ports if the destination is a broadcast or if they don’t know which port has the destination MAC address. If the destination is known, though, only the correct port gets the traffic.
A little more about your ‘tik’s configuration: ether3 and ether4 are “soho switch duplicates” of ether2. If you look at the ethernet interfaces’ configuration screens, you’ll see they have master port = ether2… This means that traffic for these 3 ports is a hardware switch, which can pass traffic at wire speed w/o burdening the CPU.
The bridge-local, bridge-bypass bridges are run by the CPU, and it takes CPU load to forward traffic between ports of a CPU bridge.
Even though they have different performance characteristics, and different available features for fancy things, they ultimately perform the same function.
Nope. These changes take effect immediately when configuration changes are issued in winbox/command-line/webfig.
I’ve found CDP sometimes takes a while to update certain things - and perhaps there’s a bug in the Neighbor protocol code where the Mikrotik failed to update the local interface name that it is sending in CDP messages.
Thanks, but it hasn’t worked for me. I have moved some of the interfaces out of the local bridge but I am unable to use them as layer3.
The switch that the interfaces of the MT are connected to still sees the bridge-local MAC address on those ports, and it shows bridge-local as the CDP neighbour (see below; ether3 is physically connected to Gi 1/0/7). I have assigned an IP address on the interface but I am unable to ping the other side. ether3 is the one I am working on; the S meaning slave is no longer showing, but the R for running is not there. Any help would be greatly appreciated. Apart from moving them out of the bridge, is there something else I should do to make the interface Running?
Many Thanks
/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1 ether 1500 1580 10222 6C:3B:6B:60:28:5A
1 RS ether2 ether 1500 1580 10222 6C:3B:6B:60:28:5B
2 ether3 ether 1500 1580 10222 6C:3B:6B:60:28:5C
3 ether4 ether 1500 1580 10222 6C:3B:6B:60:28:5D
4 ether5 ether 1500 1580 10222 6C:3B:6B:60:28:5E
5 ether6 ether 1500 1580 10222 6C:3B:6B:60:28:5F
6 ether7 ether 1500 1580 10222 6C:3B:6B:60:28:60
7 RS ether8 ether 1500 1580 10222 6C:3B:6B:60:28:61
sw-lon-01#sh cdp n
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
rtr-lon-02 Gig 1/0/7 119 R MikroTik bridgeLocal
rtr-lon-02 Gig 1/0/6 119 R MikroTik XXXXXXX
rtr-lon-02 Gig 1/0/6 119 R MikroTik bridgeLocal
rtr-lon-02 Gig 1/0/5 119 R MikroTik YYYYYYY
rtr-lon-02 Gig 1/0/5 119 R MikroTik ether1
I am still unable to put an ip address on ether 3 and ping it. I have posted the status of the interface, is there anything else I should be doing? I basically want to use ether 3 (and others in the future) as layer 3, I am already doing this on ether1.
The router is behaving like ether1 is the only “independent” interface and all other interfaces are in the bridge. I have removed them from the bridge but I am still not able to use them.
I reloaded the router but no joy. It seems to me that ether1 is the WAN interface and all other interfaces are in the bridge, and removing them from it does really allow me to use the interfaces as I need to. Any suggestions?
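Added example, not part of the thread: a RouterOS v6 CLI checklist for the situation in the last two posts (a port pulled out of the bridge that never shows the R flag). The one fact it leans on is the flag legend from the print output above: R means running, S means slave. On an ethernet interface, running reflects link state only, so bridge or switch-chip membership neither sets nor clears it. The interface name ether3 and the switch port Gi 1/0/7 are taken from the posts; nothing else is assumed about the router.

```routeros
# Added example (not from the thread). Assumes RouterOS v6 and the interface
# names shown in the /interface print output above.

# 1. Physical link first. R (running) on an ethernet port only tracks carrier,
#    so with no link the port will never show R regardless of bridge settings.
/interface ethernet monitor ether3 once
#    status: link-ok  -> layer 1 is fine, continue below
#    status: no-link  -> cable, switch-port or speed/duplex problem on the
#                        run to Gi 1/0/7; nothing in the bridge config will fix it

# 2. Is the port still a switch-chip slave of another port?
#    master-port must read "none" for stand-alone layer-3 use.
/interface ethernet print detail where name=ether3

# 3. Is it still a member of any CPU bridge? This must return no rows.
/interface bridge port print where interface=ether3

# 4. Does it have an address of its own (one bound to ether3, not to
#    bridge-local), and is that entry not flagged invalid?
/ip address print where interface=ether3

# 5. What the MikroTik itself sees on that port; an entry here for the far
#    switch confirms frames are arriving on ether3 rather than on the bridge.
/ip neighbor print where interface=ether3
```

Work through the commands in order: if step 1 reports no-link, steps 2 to 5 are moot, and the CDP table on the switch side (which still lists bridgeLocal against Gi 1/0/7) may simply be a stale entry that will age out once the port actually comes up with its new name.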