CRS125-24G please help me get started

If there is a required sequence to get a basic and simple configuration working with crs125 and routerOS 6.11, would you please answer with the steps? I can then learn how to type the code, make a script, or use WinBox to implement.

I’m having many problems getting my router working even in the most simple setup. Graphic of my network is attached… is 192.168.2.0/24 with pfSense as DHCP server. Had so many problems with hp Procurve, thought I would try Mikrotik. I fell in love with how rapidly WebFig responds to clicking and also really appreciate WinBox. Now I really want the hp replaced!

My goals:
  • Replace hp Procurve switch and pfSense with Mikrotik crs125
  • Set up QoS for VoIP
  • Put VoIP on its own VLAN
  • Make VLANs or subnets for different functions of computers

My first try using the crs125, but got no help. I can only spend time with the crs125 on the weekend, and girlfriend was kind enough to come and play WoW, which was how I found the first problems.

Now, two weeks later, I read the forums, learn more, and spend 5 hours accomplishing little yesterday.

What I’ve done yesterday:
  • Unplug pfSense/hp + network from Surfboard modem.
  • Turn off Surfboard, connect crs125 on ether1 (is on bottom!, not like hp), turn on Surfboard.
  • Set Win7 computer with static 192.168.88.15 ip address & plug in to ether2 of MikroTik.
  • Connect to Webfig, update to routerOS 6.11.
  • Reset default configuration.
  • Using Winbox, update bios.
  • Reset default configuration, set password.
  • After reset configuration made ether1-master and all other ports slave to it. Is this correct?
  • Try WebFig but its “simple” setup wants to set up wifi and there is no wifi on my crs125, so I do not use WebFig anymore.
  • Using Winbox, basic setup to connect to Surfboard, Win7 computer sees internet perfectly.
  • Using Winbox, basic setup to change from 192.168.88.0 to my 192.168.2.0/24 network.
  • Set Win7 computer with static 192.168.2.15 ip address, connect with WinBox and the internet again ok.
  • Set up DHCP via WinBox but the DHCP server line stays red.
  • Read and try to implement MikroTik wiki instructions from two ago but DHCP server line stays red.
  • Watch youtube of someone setting up DHCP but no mention of setting up a Bridge.
  • Read MikroTik wiki about bridge, but no solutions for ONE uplink to internet, all have complicated network layouts.
  • Try to set up bridge, not sure what is happening…

How do I set up a bridge? Nothing in WinBox is making sense.
I read the forum and try to make ether1 with no master and ether2 the master, but typing the set command returns an error about ether3 already having a master.

Thanks for helping me not take crs125 to the gun range…
Chris
work_lan.png

A single subnet CRS setup is easy enough to achieve. We will need to configure eth1 as the internet gateway (i.e. NAT traffic to the port, create a firewall, etc.), then we need to create a switch group to allow network switching functions between eth2-eth24. If you create a bridge in WinBox it will do the switching on the CPU; however, the CRS has a hardware switch chip, thus it will perform switching tasks better in a master/slave configuration. You can create a master/slave config in the WinBox GUI or at the command line. I will give you the command line commands.

/interface ethernet
set ether1 master-port=none
set ether2 master-port=none
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
set ether6 master-port=ether2
set ether7 master-port=ether2
set ether8 master-port=ether2
set ether9 master-port=ether2
set ether10 master-port=ether2
set ether11 master-port=ether2
set ether12 master-port=ether2
set ether13 master-port=ether2

…continue the pattern until all 24 ports are in the switch group. Please be aware that if the port names are something other than ether2 etc., they will need to be renamed to this standard, or you will need to alter the script to suit. As of now you will have a working unmanaged switch between ports 2-24, with port one currently separated to allow it to be connected on the internet side.


Once the switch group is created, a DHCP server and DNS server will need to be created. You can use the GUI or the command line; either method is acceptable and there is a large amount of documentation available to do that (http://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server). Also don’t forget the firewall and NAT.

Once that is completed the basic network should be functioning for all devices (no VLANs as of yet). Once you have that working I will talk you through VLANs.

Let me know when you are ready or if you have any problems. Why don’t you test and set up the CRS separate from the main network?

Thanks for your help! I was working more and have been recording every command as to be a setup/configuration script. I notice the default configuration isn't ideal for me, so when I reset the configuration, I choose no configuration instead of the default. I do interact with the CRS125 when not on my network, but to test connectivity, I unplug the existing LAN from the cable modem and work off the MikroTik. Biggest reason is so I don't need a 2nd computer to google answers...

Thank you for telling me the bridge isn't required when there is a switch chip! This was lost on me.
/interface ethernet
set ether1 name=WAN
set ether2 name=LAN
set WAN comment="Cable Provider"
set LAN comment="My network on ether2"

/ip address
add address=98.175.240.13/28 interface=WAN
add address=192.168.88.1/24 interface=LAN

/ip route
add dst-address=0.0.0.0/0 gateway=98.175.240.13

/interface ethernet
set ether3 master-port=LAN
set ether4 master-port=LAN
... and so on ...
set ether24 master-port=LAN

I need to remove these:

/interface bridge
add name=bridge-local
/interface bridge port
add bridge=bridge-local interface=LAN

/ip pool
add name=default-dhcp ranges=192.168.88.193-192.168.88.249

/system clock
set time-zone-name=America/Los_Angeles
/system ntp client
set enabled=yes mode=unicast primary-ntp=198.199.100.18 secondary-ntp=71.19.157.118
set enabled=no
set enabled=yes

... and that's as far as I've gotten.

You are correct so far. You will now need to remove the bridge unless you have an AP on the CRS. Also, you need to add the firewall and NAT entries to allow masqueraded internet access.

/ip firewall nat add chain=srcnat action=masquerade out-interface=WAN

Once you have added that line you will have internet access on all the normal computers again if DHCP is currently functioning; however, I just see an IP pool and no server, so you may also need:

/ip dhcp-server add address-pool=default-dhcp disabled=no interface=LAN name=default

/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 domain=CRS.local gateway=192.168.88.1 ntp-server=192.168.88.1

/ip dns
set allow-remote-requests=yes cache-size=1024KiB servers=8.8.8.8

That will definitely have a router and switch setup created.

You might also want to add a firewall, but that is not a requirement for internet access.

Here is a basic script that I sometimes use:

/ip firewall filter
add chain=input comment="Allow limited pings" limit=20,5 protocol=icmp
# Block management services (FTP, SSH, Telnet, WebFig, WinBox, API) from the internet side
add action=drop chain=input comment="Drop incoming management connections on this firewall from Cloud" dst-port=21,22,23,80,443,8291,8728 in-interface=ether1-gateway protocol=tcp
# Tag sources that look like port scanners for two weeks
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add Port scanners (Intrusion Detection)" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Add NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Block TCP Xmas scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Block TCP Null scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Drop everything from tagged sources, accept return traffic, then drop the rest from the WAN
add action=drop chain=input comment="Drop port scanners" src-address-list="port scanners"
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway

Replace ether1-gateway with WAN.

http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script

Let me know when all that is working and I will demonstrate a simple VLAN setup for you to use.
Also, how are you doing the VLANs: MAC based or port based? If you are trying to do port based, I would actually build two separate switch groups, as you will get better performance and it will be easier to administer. Furthermore, in a MikroTik, if you execute the “export” command it will give you a list of commands to rebuild your router exactly, which is useful if you want to use the GUI for initial setup but scripts for subsequent device deployment. All of my firewall/NAT rules are created in WinBox, then exported along with DNS server and DHCP servers and bridges. About the only thing I don’t configure the first time in the GUI is switch-based commands such as VLANs and switch groups, because I can use a text editor to quickly run find and replace to build a script that does all 24 ports fast.
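
How the tcp-flags matchers in the firewall script above decide which packets get a source tagged as a port scanner, as an added example that is not part of the original post. It models only the six distinct flag matchers (not the psd rule), and the sample packets are constructed flag sets.

```python
# Added illustration: models RouterOS tcp-flags matching for the rules above.
FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg"}

# (comment, tcp-flags value) pairs copied from the firewall script in the post.
RULES = [
    ("Add NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg"),
    ("Add SYN/FIN scan", "fin,syn"),
    ("Add SYN/RST scan", "syn,rst"),
    ("Add FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack"),
    ("Add ALL/ALL scan", "fin,syn,rst,psh,ack,urg"),
    ("Add NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg"),
]

def parse_matcher(spec):
    """Return (must_be_set, must_be_clear) for a tcp-flags value."""
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        name = token.lstrip("!")
        if name not in FLAGS:
            raise ValueError(f"unknown TCP flag: {token!r}")
        (must_clear if token.startswith("!") else must_set).add(name)
    return must_set, must_clear

def matching_rules(packet_flags):
    """List every rule whose matcher fits; unnamed flags are "don't care".
    add-src-to-address-list does not end processing, so all hits are kept."""
    flags = set(packet_flags)
    hits = []
    for comment, spec in RULES:
        must_set, must_clear = parse_matcher(spec)
        if must_set <= flags and not (must_clear & flags):
            hits.append(comment)
    return hits

# Constructed packets: flag combinations only, not taken from a real capture.
SAMPLES = {
    "new connection": {"syn"},
    "normal close": {"fin", "ack"},
    "FIN probe": {"fin"},
    "no flags": set(),
    "FIN/PSH/URG": {"fin", "psh", "urg"},
    "every flag": set(FLAGS),
}

if __name__ == "__main__":
    for name, flags in SAMPLES.items():
        print(f"{name:15} -> {matching_rules(flags) or 'not tagged'}")
```

The `!ack` term is what keeps an ordinary FIN/ACK connection close from being tagged by the FIN rule, while a packet with every flag set is caught by three rules at once.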

Your reply is great, thank you very, very much! Give me a couple days and I hope to have progress before Monday. I really appreciate your help, thanks.

I actually prefer command line, as I have the text file that I know I can cut and paste; I do know about export command, but wasn’t sure about how reliable it is so advice about your experience and preference is again appreciated. I do not mind using GUI when it is fast and also reliable - but normally have more trust in command line.

Thanks!
Chris

I spent time with the CRS125 this past Sunday; however, I could not establish any connection. Not to it, not to the internet. I could not “pick up where I left off” from last week. Same settings, same laptop, and MikroTik wasn’t turned off or disturbed. To recap, when I left it two Sundays ago, with the static IP on the laptop, I was able to connect WinBox to the crs125 and also had internet access & browsing.

» CRS125 display says it is still on 192.168.88.1 (as before).
» Same laptop from last time, with the wired ethernet manually configured as last connection.

Is this behavior normal or is there a problem with my CRS125?

In case we worry about how complicated this network is, I made a drawing:
crs125_network.png

After reading the CRS documentation and Switching with RouterOS / CRS Questions, I have given up on the CRS125 altogether, as it is obviously not ready for production. And I do not believe it will be as reliable as the pfSense + hp v1910 that are currently in place and working well without need for rebooting or unplugging over 5 months now.

I will unplug the crs125 and put it in its box and not consider how the $200+ was a waste … or the precious after hours spent trying to make this work.

CTrain, thanks for trying to help.

+1, the same here, still in the box :frowning:

Yes, mine is in the junk box, still buggy, a crappy product.
Brings MikroTik’s reputation down :frowning:

What are you using to create the diagrams?

I use open source Inkscape. For the products, I’ll either import from product PDFs or trace images. Inkscape is fast and flexible enough that making custom graphics like all those icons only takes about a day. Faster if you use Inkscape more than once a month.

Anything new on CRS125? Should I open up the box and try it?

:slight_smile: Chris
