Hello, I am a new member of the Mikrotik community.
I installed a router CRS328-24P-4S.
The different pcs are on the network. They have an IP address via the dhcp.
Network : 10.40.10.0/24. Internet connection : OK. Pings between pcs work. Firewall OK.
But I can’t ping the gateway, and I can’t connect to the router (except through the console cable).
Config :
# jan/29/1970 04:17:51 by RouterOS 6.47.10
# software id = ZPXU-5LQU
#
# model = CRS328-24P-4S+
# serial number = <CENSORED>
/interface bridge
add name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=ether14 ] disabled=yes
set [ find default-name=ether15 ] disabled=yes
set [ find default-name=ether17 ] disabled=yes
set [ find default-name=ether20 ] disabled=yes
set [ find default-name=ether23 ] disabled=yes
set [ find default-name=ether24 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment="bond vers fwp (prise 1)"
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface vlan
add interface=bridge name=MGMT99 vlan-id=99
/interface bonding
add mode=active-backup name=bond_swp1_fwp1 primary=sfp-sfpplus1 slaves=sfp-sfpplus1,sfp-sfpplus3
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether6 pvid=10
add bridge=bridge interface=ether7 pvid=10
add bridge=bridge interface=ether8 pvid=10
add bridge=bridge interface=ether9 pvid=10
add bridge=bridge interface=ether10 pvid=10
add bridge=bridge interface=ether11 pvid=10
add bridge=bridge interface=ether12 pvid=10
add bridge=bridge interface=ether13 pvid=10
add bridge=bridge interface=ether14 pvid=10
add bridge=bridge interface=ether15 pvid=10
add bridge=bridge interface=ether16 pvid=10
add bridge=bridge interface=ether17 pvid=10
add bridge=bridge interface=ether18 pvid=10
add bridge=bridge comment="BORNE WIFI" interface=ether19 pvid=10
add bridge=bridge interface=ether20 pvid=10
add bridge=bridge interface=ether21 pvid=10
add bridge=bridge interface=ether22 pvid=10
add bridge=bridge interface=ether23 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=bond_swp1_fwp1
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridge tagged=bond_swp1_fwp1 untagged=ether22,ether21,ether1,sfp-sfpplus2,ether5,ether16,ether6,ether19 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1 untagged=ether3,bond_swp1_fwp1 vlan-ids=99
add bridge=bridge tagged=bond_swp1_fwp1 vlan-ids=20
add bridge=bridge tagged=bond_swp1_fwp1 vlan-ids=30
add bridge=bridge tagged=bond_swp1_fwp1 vlan-ids=40
add bridge=bridge tagged=bond_swp1_fwp1 vlan-ids=50
add bridge=bridge tagged=bond_swp1_fwp1 vlan-ids=60
add bridge=bridge tagged=bond_swp1_fwp1 vlan-ids=70
add bridge=bridge tagged=bond_swp1_fwp1 vlan-ids=80
add bridge=bridge tagged=bond_swp1_fwp1 vlan-ids=90
add bridge=bridge tagged=bond_swp1_fwp1 vlan-ids=98
/interface l2tp-server server
set ipsec-secret=<CENSORED> use-ipsec=yes
/interface list member
add interface=sfp-sfpplus1 list=WAN
add interface=bridge list=LAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.40.99.0/24 interface=bridge network=10.40.99.0
/ip arp
add address=10.40.99.1 interface=bridge
/ip cloud
set ddns-enabled=yes
/ip dns
set servers=10.40.99.254
/ppp secret
add name=<CENSORED> password=<CENSORED>
/system identity
set name=SWP1
/system routerboard settings
set boot-os=router-os
I am blocked! Can you please help me?
Thank you!
Anthony
There are two sites. The problem is on the second site. It is connected in ipsec tunnel to the first site.
There is the WAN for the Internet connection. The LAN for the different VLANs that will be set up (for the moment the user vlan = user10). And there is the MGMT vlan to manage the router.
So, should I put: ip route add dst-address=0.0.0.0/0 gateway=10.40.10.1?
Address 10.40.99.0/24 is not a valid device address; rather, it's the network address. Change the last octet of the address to something valid (i.e. anything between 1 and 254).
But I still have the problem. My PC cannot connect to or ping the router (10.40.99.1).
ping 10.40.99.254 → OK
ping 10.40.10.254 → OK
ping 10.40.10.64 → OK
ping 10.40.99.1 → NOK
Do you see any other configuration errors?
EDIT: my PC is connected to wifi (wifi = ether19)
Yup. The VLAN-related config is a slight mess. The bridge interface (to which said IP address is bound) is an untagged member of VLAN 1 (the implicit default configuration is to have every interface, including the bridge interface, set with pvid=1).
Read the article about different bridge personalities. You have to treat the bridge interface as a bridge member port to make interaction of ROS with VLANs possible. In particular, you have to move the IP setup (address, …) from the bridge interface to interface MGMT99.
For MAC access via winbox, check configuration under /tool mac-server … by default access is allowed via LAN interface list, you might want to change it to MGMT99 interface or create another interface list with MGMT99 member or add MGMT99 to LAN interface list (whichever suits you best).
There are still some contradicting settings that can affect connectivity … not sure to what extent as it also depends on configuration of other devices.
/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes
# the above sets implicit PVID=1
/interface bridge port
add bridge=bridge comment="BORNE WIFI" ingress-filtering=yes interface=ether19 pvid=10
# the above is fine if VID=10 is actually intended
/interface bridge vlan
add bridge=bridge tagged=bond_swp1_fwp1 untagged=ether22,ether21,sfp-sfpplus2,ether5,ether16,ether1,ether6,ether19 vlan-ids=10
add bridge=bridge tagged=bridge,ether19,bond_swp1_fwp1 vlan-ids=99
# OK, so the last one makes ether19 hybrid port - tagged VID=99 and untagged VID=10
/ip address
add address=10.40.99.1/24 interface=MGMT99 network=10.40.99.0
add address=10.40.10.1/24 interface=bridge network=10.40.10.0
# if 10.40.10.1/24 is intended for VLAN 10 (that's just my gut feeling), then it can't work because bridge interface is neither tagged nor untagged member of VLAN 10
So … device connected to ether19, is it configured for hybrid access as well? Or is it only working as untagged … and due to port configuration thus becomes part of VID=19 … of which bridge isn’t?
If you want your CRS328 to actually interact with VID 10, I suggest you make the bridge a tagged member of said VLAN … the same way as it's part of VID 99.
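The three mistakes discussed in this thread (a network address used as a host address, an IP address bound to a VLAN-filtering bridge instead of a VLAN interface, and a VLAN interface whose bridge is not a tagged member of that VLAN) can be checked mechanically on an export before it is applied. The following is an added example, not code from any of the posters or from MikroTik; the excerpt is constructed from the configs above, and the `USER10` interface and the finding names are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt modelled on the exports in this thread; USER10 is hypothetical.
SAMPLE = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=MGMT99 vlan-id=99
add interface=bridge name=USER10 vlan-id=10
/interface bridge vlan
add bridge=bridge tagged=bond_swp1_fwp1 untagged=ether1,ether19 vlan-ids=10
add bridge=bridge tagged=bridge,bond_swp1_fwp1 vlan-ids=99
/ip address
add address=10.40.99.0/24 interface=bridge network=10.40.99.0
"""

def parse(export):
    """Group 'add' lines by menu path; each line becomes a dict of key=value pairs."""
    menus, path = {}, None
    for line in export.splitlines():
        if line.startswith("/"):
            path = line.strip()
        elif line.startswith("add ") and path:
            menus.setdefault(path, []).append(dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)))
    return menus

def audit(export):
    """Return (check, subject) findings for the three mistakes discussed in the thread."""
    m, findings = parse(export), []
    filtering = {b["name"] for b in m.get("/interface bridge", [])
                 if b.get("vlan-filtering") == "yes"}
    tagged = {}  # VLAN ID -> interfaces listed as tagged members
    for row in m.get("/interface bridge vlan", []):
        for vid in row["vlan-ids"].split(","):
            tagged.setdefault(vid, set()).update(row.get("tagged", "").split(","))
    for a in m.get("/ip address", []):
        net = ipaddress.ip_interface(a["address"])
        # /31 and /32 have no separate network address, so skip them.
        if net.network.prefixlen < 31 and net.ip == net.network.network_address:
            findings.append(("network-address-as-host", a["address"]))
        if a["interface"] in filtering:
            # Address sits on the bridge itself, i.e. in the bridge's untagged PVID.
            findings.append(("address-on-filtering-bridge", a["address"]))
    for v in m.get("/interface vlan", []):
        if v["interface"] in filtering and v["interface"] not in tagged.get(v["vlan-id"], set()):
            findings.append(("bridge-not-tagged-member", v["name"]))
    return findings

if __name__ == "__main__":
    for check, subject in audit(SAMPLE):
        print(f"{check}: {subject}")
```

The parser only reads static `add` lines, so dynamically created bridge VLAN entries on a live device are not visible to it.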