Change internet port - RB2011UiAS-RM

Hi All,

I need help changing the port used for the internet, I need to change to a GB port to utilize our new 1gb connection. I look after the basic IT needs in my work but never set up the router or had anything to do with it because we used an IT company and they have now gone MIA and I’m a noob with this type of router and I want to learn it. I have a RouterBOARD RB2011UiAS-RM, the internet is running off port 6 and I want to change it to port 4 or any other GB port.

We have a VPN setup, a bridge connection, a bunch of port forwards, WAN is sfp 1, LAN is Bridge 1 but I’m not sure exactly what modules in winbox I need to change, can someone help me out please?

Thanks

Post current config in full:

  1. open terminal window
  2. execute /export file=anynameyouwish hide-sensitive (the last command line option is necessary in ROS v6, in v7 that’s default)
  3. copy resulting file over to your management computer
  4. open it using favourite text editor, redact any remaining sensitive data (such as serial number, static public IP address, wireless SSID and PSK, etc.)
  5. copy-paste it in forum reply, place it inside [code] [/code] environment (the “” icon in the third group of icons above post editing window)

After we see current config, we’ll be able to advise you how to “move” the internet connection.

Beware, your router will probably peak at around 250Mbps routing speed (give or take, depends on how optimal is the config) which may come as an unpleasant surprise …

Thanks

# aug/27/2024 08:39:13 by RouterOS 6.48.2
# software id = AALN-R52Q
#
# model = 2011UiAS
# 
/interface bridge

    "created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=LAN speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] comment="WAN - Fibre" speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether6-NBN
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.1.50-192.168.1.150
add name=vpn ranges=192.168.1.180-192.168.1.190
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 lease-time=12h \
    name=dhcp1
/ppp profile
set *FFFFFFFE dns-server=192.168.1.254 local-address=192.168.89.1 \
    remote-address=vpn
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface=sfp1 list=WAN
add interface=bridge1 list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no disabled=no interface=ether6-NBN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.1
/ip dns
set servers=192.168.1.254
/ip firewall address-list
add address=192.168.1.0/24 list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
    bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=119.18.37.215 list=support
add address=167.179.174.119 list=support
/ip firewall filter
add action=accept chain=input comment="TEST - BIT allow all" src-address=\
    167.179.174.119
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="Allow VPN L2TP IPSEC" dst-port=\
    1701,500,4500 protocol=udp
add action=accept chain=input comment="Allow VPN IPSEC ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment="Allow VPN IPSEC AH" protocol=ipsec-ah
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="Drop to syn flood list" \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=\
    ICMP protocol=icmp
add action=drop chain=input comment=\
    "Block all access to the winbox - except to support list" dst-port=8291 \
    protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" \
    jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=\
    25,587 limit=30/1m,0 protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 \
    protocol=tcp src-address-list=spammers
add action=drop chain=input comment="Drop DNS - WAN UDP" in-interface=ether5 \
    port=53 protocol=udp
add action=drop chain=input comment="Drop DNS - WAN TCP" in-interface=ether5 \
    port=53 protocol=tcp
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related
add action=accept chain=input comment="Full access to SUPPORT address list" \
    src-address-list=support
add action=drop chain=input comment="Drop anything else!"
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    icmp-options=8:0 limit=1,5 protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP \
    protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="MASQ local" src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether5 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether6-NBN
add action=dst-nat chain=dstnat comment="iLO - Support list" dst-port=8081 \
    in-interface=ether5 protocol=tcp src-address-list=support to-addresses=\
    192.168.1.252 to-ports=443
add action=dst-nat chain=dstnat comment="CARHOST - Support list" dst-port=\
    4001 in-interface=ether5 protocol=tcp src-address-list=support \
    to-addresses=192.168.1.250 to-ports=3389
add action=dst-nat chain=dstnat comment="CARFS - Support list" dst-port=4002 \
    in-interface=ether5 protocol=tcp src-address-list=support to-addresses=\
    192.168.1.254 to-ports=3389
add action=dst-nat chain=dstnat comment=CCTV1 dst-port=8000 in-interface=\
    ether6-NBN protocol=tcp to-addresses=192.168.1.199 to-ports=8000
add action=dst-nat chain=dstnat comment="RTI UDP" dst-port=5053 in-interface=\
    ether6-NBN protocol=udp to-addresses=192.168.1.200 to-ports=5053
add action=dst-nat chain=dstnat comment="RTI TCP" dst-port=5056 in-interface=\
    ether6-NBN protocol=tcp to-addresses=192.168.1.200 to-ports=5056
add action=dst-nat chain=dstnat comment=CCTV2 dst-port=8008 in-interface=\
    ether6-NBN protocol=tcp to-addresses=192.168.1.199 to-ports=8008
add action=dst-nat chain=dstnat comment=CCTV3 dst-port=5554 in-interface=\
    ether6-NBN protocol=tcp to-addresses=192.168.1.199 to-ports=5554
add action=dst-nat chain=dstnat comment="RTI_ACCESS TCP" dst-port=5056 \
    in-interface=ether6-NBN protocol=tcp to-addresses=192.168.1.200 to-ports=\
    5056
add action=dst-nat chain=dstnat comment="RTI_ACCESS UDP" dst-port=5053 \
    in-interface=ether6-NBN protocol=udp to-addresses=192.168.1.200 to-ports=\
    5053
add action=dst-nat chain=dstnat comment=ALARM dst-port=9050 in-interface=\
    ether6-NBN protocol=tcp to-addresses=192.168.1.90 to-ports=9050
add action=dst-nat chain=dstnat comment=ALARM dst-port=9051 in-interface=\
    ether6-NBN protocol=tcp to-addresses=192.168.1.90 to-ports=9051
add action=dst-nat chain=dstnat comment=RTI dst-port=4110 in-interface=\
    ether6-NBN protocol=tcp to-addresses=192.168.1.200 to-ports=4110
add action=dst-nat chain=dstnat comment=RTI dst-port=5053 in-interface=\
    ether6-NBN protocol=udp to-addresses=192.168.1.200 to-ports=5053
add action=dst-nat chain=dstnat comment=RTI dst-port=5056 in-interface=\
    ether6-NBN protocol=tcp to-addresses=192.168.1.200 to-ports=5056
add action=dst-nat chain=dstnat comment=RTI dst-port=2113 in-interface=\
    ether6-NBN in-interface-list=all protocol=tcp src-port="" to-addresses=\
    192.168.1.200 to-ports=2113
add action=dst-nat chain=dstnat comment=RTI dst-port=2113 in-interface=\
    ether6-NBN protocol=udp to-addresses=192.168.1.200 to-ports=2113
add action=dst-nat chain=dstnat comment=RTI dst-port=4110 in-interface=\
    ether6-NBN protocol=udp src-port="" to-addresses=192.168.1.200 to-ports=\
    4110
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip route

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set time-interval=daily
/lcd interface
add interface=bridge1
/lcd interface pages
set 0 interfaces="sfp1,bridge1,ether2,ether3,ether4,ether5,ether6-NBN,ether7,e\
    ther8,ether9,ether10"
/ppp aaa
set use-radius=yes
/ppp secret
add name=vpn
/radius
add address=192.168.1.254 service=ppp src-address=192.168.1.1
/system clock
set time-zone-name=Australia/Brisbane
/system logging
add disabled=yes topics=ipsec
add action=disk topics=ipsec

Your setup currently uses ether2, ether3 and ether4 in a “switch group” for LAN purposes. Your setup also uses ether6 as the WAN interface. The rest of the ports seem not to be in use, but there are some remains of config (it seems that ether5 was used as the WAN interface at some point in the past).

I’d use ether5 as new WAN port. To prepare router for that, a few tasks need to be done:

  1. absolutely first thing to do is to create a backup and transfer backup file off device. If something goes wrong, you can use it to restore device into current state (and try reconfiguration again)
  2. clear all rules which target ether5
    use text editor and search function … then visit all configuration items found and do something about them. Some will be left intact (like the settings in /interface/ethernet), most will be simply removed (like firewall rules)
  3. add firewall rules for ether5 which will closely resemble current rules for ether6-NBN. That’s easiest to do via command line as you can copy relevant rules and only replace “ether6-NBN” with “ether5”.
    Make sure that rule order is kept as they are now, so go from beginning of firewall rule list towards the end and create new rules as you go.
    For readability of text export it’s great if rules are grouped by chain value (i.e. first input, then forward). Firewall rules are only executed from one chain, depending on final destination of packets (input is for packets which will eventually hit router … and ingress interface doesn’t matter … and forward is for packets which will eventually leave router … in any direction, so same chain deals with packets from LAN towards WAN and for packets from WAN towards LAN)
  4. add other IP settings, again you can mirror settings for ether6-NBN (e.g. add DHCP client to ether5, etc)
  5. etc.

After you’re done, you should be able to disconnect your current ISP line from ether6-NBN and plug it in ether5 … and internet should continue to work (you may get different WAN IP address since MAC address of WAN interface will change).
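Steps 2 and 3 above can be checked offline against the exported file before anything is changed on the router. The following Python sketch is an added example, not part of the original post: it joins the `\`-continued lines of an export, lists every item that still references an interface, and prints copies of the ether6-NBN rules rewritten for ether5 in their original order. `SAMPLE_EXPORT` is a constructed excerpt in the format of the export above, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the format of the export posted above (not the full config).
SAMPLE_EXPORT = r'''/ip dhcp-client
add add-default-route=no disabled=no interface=ether6-NBN
/ip firewall filter
add action=drop chain=input comment="Drop DNS - WAN UDP" in-interface=ether5 \
    port=53 protocol=udp
add action=drop chain=input comment="Drop anything else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether6-NBN
add action=dst-nat chain=dstnat comment=CCTV1 dst-port=8000 in-interface=\
    ether6-NBN protocol=tcp to-addresses=192.168.1.199 to-ports=8000
/lcd interface pages
set 0 interfaces="sfp1,ether5,ether6-NBN"
'''

def parse_export(text):
    """Yield (section, command) pairs, joining backslash-continued lines."""
    section = ""
    for line in re.sub(r"\\\n[ \t]*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        else:
            yield section, line

def iface_pattern(iface):
    # Whole interface name used as a value: after '=', ',' or '"', never a prefix match.
    return re.compile(r'[=,"]' + re.escape(iface) + r'(?=[\s,"]|$)')

def references(text, iface):
    """Every config item that still mentions iface, in export order."""
    pat = iface_pattern(iface)
    return [(s, c) for s, c in parse_export(text) if pat.search(c)]

def mirror(text, old, new, prefixes=("/ip firewall", "/ip dhcp-client")):
    """Copies of 'add' items that reference old, rewritten for new, order kept."""
    pat = iface_pattern(old)
    return [(s, pat.sub(lambda m: m.group(0)[0] + new, c))
            for s, c in references(text, old)
            if s.startswith(prefixes) and c.startswith("add ")]

if __name__ == "__main__":
    for section, cmd in references(SAMPLE_EXPORT, "ether5"):
        print("stale reference:", section, "|", cmd)
    for section, cmd in mirror(SAMPLE_EXPORT, "ether6-NBN", "ether5"):
        print(section + "\n" + cmd)
```

Read the generated lines before pasting them into a terminal: a mirrored dst-nat rule opens the same forward on the new WAN port, so any forward that is no longer needed should be dropped rather than copied.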

Thanks mkx, much appreciated with you using your time with your detailed response. I’ll let you know how I go.

Hi mkx, you were right about the speed, I’m capped at about 200mbs, does Mikrotik do a router that can handle a GB internet connection?

Many modern device models can do 1Gbps (or very close to it) routing. Just a few examples: RB5009 or hAP ax3. And most (if not all) CCR devices. If you need only a wired router, you can still go for a wireless device (their routing performance / price ratio tends to be a bit better than that of “proper” routers) and simply disable wireless interfaces (with recent ROS v7 versions you also have the option to uninstall wireless/wifi drivers with the net effect of saving some storage space).

Every product page includes “Test Results” tab … these are official test results, obtained by running some synthetic tests. The number, which resembles real-life performance the most, is the one listed under “Ethernet test results - Routing - 25 ip filter rules - 512 byte [packet size]” … but, as I already mentioned, this figure is not absolute, depends also on particular device setup (so it can be significantly higher or quite a bit lower). Also mind that these numbers are more or less valid for IPv4 with fasttrack enabled (which is enabled by default on SoHo models), but fasttrack doesn’t exist for IPv6 (yet) which means that with IPv6, routing speed will be considerably lower (my experience is that numbers drop by a factor of around 3).

Thanks for the info, I have now enabled FastTrack and I’m getting around 800mbps, the RB2011 seems to be holding up well for now.