I am very new to the Mikrotik RouterOS/SwitchOS. I purchased the Cloud Router Switch CRS317-1G-16S+ and have over 20 hours reading about RouterOS on the Fourms, Wiki.Mikrotik, and from any other source trying to configure the Router without any success. Only processes I have accomplished is getting into the router, upgrading the Firmware & BootOS and nothing else. I have purchased 5 sfp+ modules, and have them plugged into the ports 1, 3, 5, 7, 9. as if I boot into SwitchOS, I can see them under devices, the router see’s all the sfp+ modules correctly. Even in SwitchOS, I cannot get any of these to work as LAN devices, and same in RouterOS. Im stuck!
I know there is a huge learning curve but I have tried every configuration I could find on Mikrotik website, and on the internet without any configuration specific to the CRS317-1G-16S+, not even a basic configuration.
I would appreciate help with either pointing me to the correct online help or help with directing me to get this Router/Switch working.
I want to configure the Mikrotik as follows:
a. Replace my ISP’s Router with the Mikrotik Router Switch.
a. My ISP is Verizon and they issue Dynamic IP from their network.
b. On the Mikrotik, I wanted 3 VLANS.
a. Vlan 3 with an Network IP of 10.10.0.0/24
b. Vlan 2 with an Network IP of 192.168.1.0/24
c. Vlan 1 with an Network IP of 192.168.88.0/24
c. Setup SFP+1 port as the WAN port.
d. Ether1 port as the Admin/Management Port.
Thanks in advance.
Answers to Question A: Replace my ISP’s Router with the Mikrotik Router Switch.
You will need RouterOS and NOT SwitchOS installed on your CRS
Disclaimer:
The Hardware of the CRS317-1G-16S+ isn’t optimized for Routing but for Switching.
Depending on Load (Firewall,Routing, WAN-Speed) it may be a bottleneck.
Answers to Question B: On the Mikrotik, I wanted 3 VLANS.
Step 1: You will need to configure a bridge with all SFP+ as members*.
**EXCEPT WAN / SFP+1
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
...
Step 2: Add VLAN-Interfaces
/interface vlan
add interface=bridge1 name=bridge1_vlan1 vlan-id=1
add interface=bridge1 name=bridge1_vlan2 vlan-id=2
add interface=bridge1 name=bridge1_vlan3 vlan-id=3
Step 3: Add Address & DHCP-Servers
Answers to Question C: Setup SFP+1 port as the WAN port
Step 1: Secure Router (Firewall, Passwords etc..)
Step 2: DHCP-Client**
/ip dhcp-client
add disabled=no interface=sfp-sfpplus1
** Usually PPOE ist used and not just DHCP-Client von ISP-Auth.
Thank you for the help and info. Its much appreciated and I will be giving your info a go tonight or tomorrow. Again Thanks for the response! I will let you know how I am making out with the config.
Ok, your post does not work, i factory defaulted the crs317-1g-16s, left it in bridge mode, no joy with your scripts.
2. I again factory reset, changed to Router in Quick Set, applied your configurations, again no joy.
3. Even tried the above with selecting “No Configuration” on factory reset, applied the configurations, no joy on either method.
4. Last resort, started SwitchOS for laughs, applied the configurations, no joy.
I assume your assuming that Mikrotik has some default configuration on factory reset that defaults the etherboot port as the WAN, and any SFP+ port that has a module plugged into it as a LAN Device?
The CRS317-1G-16S only has the etherboot port configured for WAN / Admin access. None of the other SFP+ ports are configured for anything. They do show up in bridge or router mode as slaves but nothing else. I have 5 SPF+ modules inserted, in different slots, and if I look in "Interfaces and select any port that has a module plugged into it, show the module correctly. Any port without a module shows nothing. Oh, yes, I do have ethernet cables plugged into the ports going to my home switch that would give it a DHCP or allow the try and assign an IP address, but I’m not even seeing lights on any of the panel above the module light up.
I know this all is my lack of understanding, and all the things I have read including Mikrotik RouterOS Manual is written for their routers that are configured out of the box. I am very frustrated with this switch and do not want to give up, but I am at wits end with it.
I need someone for at least once walk me thru for this switch that has no out of the box configuration other than on the etherboot port, and down to pointing out step by step, do I click bridge or router, or something else. I would be happy to get it working as a dumb switch at this point so I can get some idea of how it works.
Thanks for trying to work with an idiot.
We assign conny to all the ‘special’ cases;. You are in good hands!
There are two ways to configure switches in the MT world.
This is the reference for the vlan filtering method
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
This is another way to make use of switch chips but to complex for me, however it may make sense depending upon your unit.
https://www.youtube.com/watch?v=Rj9aPoyZOPo
For CRS3xx (OP mentioned CRS317), only the first one is the right one.
Mikrotik as a steep learning curve, but don't worry it's worth it =)
Step by Step Instruction :
Basic Setup
Step 1: Boot CRS317 into RouterOS
Step 2: Connect via Winbox a reset configuration (no Backup & no default Config)
Step 3: After reboot , reconnect via Winbox
Step 4: Setup Password for "admin"
Milestone #1 achieved
IPv4 WAN Setup
Step 5: Setup Basic Firewall
here's an exemple of a very, very basic Firewall setup.
/interface list
add name=WAN
/interface list member
add interface=sfp-sfpplus1 list=WAN
/ip firewall filter
add action=accept chain=input comment=\
"Accept : Established & Related (Internet --> Router )" connection-state=\
established,related in-interface-list=WAN
add action=drop chain=input comment=\
"Drop : Everything Else (Internet --> Router)\r\
\n" in-interface-list=WAN
Step 6: Connect SFP / SFP+ module in sfp-sfpplus1interface
Step 7: Create DHCP-Client on sfp-sfpplus1 Interface
In Winbox navigate to IP -> DHCP-Client -> Add (+)
Select sfp-sfpplus1 as interface and apply
Step 8: Check IP-Address
In Winbox navigate to IP -> Addresses
sfp-sfpplus1 should now have an IP-Address
Step 9: Check Internet connectivity
In Winbox navigate to IP -> Ping
and enter for exemple 1.1.1.1 as Target ("Ping to" value)
Milestone #2 achieved
Router is Online
When you get this far, i will help you get the Bridge working
merci =)
I suggest executing step #8 (setting admin password) right after step #3 (reconnecting after configuration reset). This step should thus become new step #4. It is extremely dangerous to get router connected to internet without first having at least admin password set.
It would be advisable to make step #9 before configuring WAN interface as well.
Failing to do both steps early in setup procedure makes possibility of getting router hacked unacceptable high. I’m aware that the order I suggested might be unattractive to a new user because specially step #9 (firewall setup) takes some time without apparent progress, but makes life altogether a bit merrier.
@mkx → Thanks for the feedback
To make sure there is no misunderstanding later,
I eddited your suggestion into the Step-by-Step instructions.
Just one more correction needed: the last item is numbered as bullet #7 while it should be #9.
Wow! Thanks for all the help and Config steps!
I will be working on this over the weekend so I will post how its going with the first part! Looking forward to having this working! Again, I really appreciate all the help and posts and wish I could resipricate in some way! Maybe in future I can be some help to others once I have a better understanding of Mikrotik’s RouterOS and Hardware!
I just got some free time and followed the instructions. I completed up to and including Step #7 and as you can see, its telling me the spf-spfplus1 is stopped in red. So I went back to the terminal window and copied the complete command and re-ran the configuration there, and as you can see, it was completed the first time. module is still stopped. Any suggestions ? I did after failure look in Quick Set and it shows I am in RouterOS, Router Mode not Bridge. Is this correct?
What kind of SFP / SFP+ module are you using ?
Please post your config
/export hide-sensitive file=anynameyouwish
Configuration file below, info on the five modules below that:
jan/02/1970 00:20:51 by RouterOS 6.48.4
software id = 6IKB-W9E9
model = CRS317-1G-16S+
serial number = D7EC0E92A3C7
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface list member
add interface=sfp-sfpplus1 list=WAN
/ip dhcp-client
add disabled=no interface=sfp-sfpplus1
/ip firewall filter
add action=accept chain=input comment=
"Accept : Established & Related (Internet --> Router )" connection-state=
established,related in-interface-list=WAN
add action=drop chain=input comment=
"Drop : Everything Else (Internet --> Router)\r
\n" in-interface-list=WAN
add action=accept chain=input comment=
"Accept : Established & Related (Internet --> Router )" connection-state=
established,related in-interface-list=WAN
add action=drop chain=input comment=
"Drop : Everything Else (Internet --> Router)\r
\n" in-interface-list=WAN
add action=accept chain=input comment=
"Accept : Established & Related (Internet --> Router )" connection-state=
established,related in-interface-list=WAN
add action=drop chain=input comment=
"Drop : Everything Else (Internet --> Router)\r
\n" in-interface-list=WAN
add action=accept chain=input comment=
"Accept : Established & Related (Internet --> Router )" connection-state=
established,related in-interface-list=WAN
add action=drop chain=input comment=
"Drop : Everything Else (Internet --> Router)\r
\n" in-interface-list=WAN
/system routerboard settings
set boot-os=router-os
Module # 1: Vendor Name: 10Gtek
1000Base T SFP-RJ-45
Vendor PN#: SFP-GE-T
OM4 Link Length: 100m
Manuf. Date: 17-01-22
Wavelength: 8224 32 nm
Module #2: Vendor Name: 10Gtek
1000Base T SFP COPPER RJ-45
Vendor PN#: SFP-GE-T
OM4 Link Length: 100m
Manuf. Date: 21-03-08
Wavelength: Not Reported
Module #3: Vendor Name: 10GTEK
AXS85-192-M3
Vendor PN#: SFP-10G-SR
OM4 Link Length: 100m
Manuf. Date: 17-02-01
Wavelength: 850.00 nm
THIS MODULE SHOWS OM1/OM2/OM3 LINK LENGTH, VOLTAGE, TX BIAS CURRENT, TX & RX POWER NUMBERS WHEN INSERTED INTO SLOT
Module #4: Vendor Name: 10GTEK
AXS85-192-M3 10GBASE SR SFP+ 850NM 300M
Vendor PN#: SFP-10G-SR
OM4 Link Length: 100m
Manuf. Date: 17-02-01
Wavelength: 850.00 nm
THIS MODULE SHOWS OM1/OM2/OM3 LINK LENGTH, VOLTAGE, TX BIAS CURRENT, TX & RX POWER NUMBERS WHEN INSERTED INTO SLOT
Module #5: Vendor Name: 10GTEK
AXS85-192-M3 10GBASE SR SFP+ 850NM 300M
Vendor PN#: SFP-10G-SR
OM4 Link Length: 100m
Manuf. Date: 17-02-01
Wavelength: 850.00 nm
THIS MODULE SHOWS OM1/OM2/OM3 LINK LENGTH, VOLTAGE, TX BIAS CURRENT, TX & RX POWER NUMBERS WHEN INSERTED INTO SLOT
Again, Thanks for all your help and advise getting this crs317 working!
New Step by Step instruction
Step A: Connect to Router via Winbox
Step B: Connect SFP/SFP+ Module in sfp-sfpplus1
Step C: Connect ISP Kabel to SFP/SFP+ Module
Step D: In Winbox navigate to IP → DHCP-Client
If status in “bound”, Retry original Steps 8 and 9
If status of dhcp-client is still “stopped”, continue to Step E
Step E: In Winbox navigate to Interfaces → sfp-sfpplus1 → Ethernet
Deactivate “auto-negotiate” and select Speed 1Gbps and apply
Interface should now be up and running
Retry original Steps 8 and 9 to make sure the Router is connected to the internet.
Thank You! Thank You! We now have sfp-sfpplus1 working! it’s even pulling an IP address AND I can ping and get responses back!
Wow! You Obviously know this model and RouterOS…
Now I am set for part two (I think!!)…
I plugged the other rj45 into sfp-sfpplus3 and just took the check out of Auto Neg and checked only 1gig and now that one is lit and active (no ethernet cable plugged into it).
I also plugged in the other 3 modules into sfp-sfpplus5, sfp-sfpplus7, and sfp-sfpplus9 and they are showing up in Interfaces/SFP.
Again, thanks and I am bowing to the king (you) and await the next set of instuctions!
New Step-by-Step Instruction 19.09.2020
Step 1: Create Bridge
/interface bridge
add name=bridge1
Step 2: Assign Interfaces to bridge
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp-sfpplus13
add bridge=bridge1 interface=sfp-sfpplus14
add bridge=bridge1 interface=sfp-sfpplus15
add bridge=bridge1 interface=sfp-sfpplus16
Step 3: Create VLAN-Interfaces on Router
/interface vlan
add interface=bridge1 name=bridge1_vlan1 vlan-id=1
add interface=bridge1 name=bridge1_vlan2 vlan-id=2
add interface=bridge1 name=bridge1_vlan3 vlan-id=3
Step 4: Add Network-Addresses
/ip address
add address=192.168.88.1/24 interface=bridge1_vlan1 network=192.168.88.0
add address=192.168.1.1/24 interface=bridge1_vlan2 network=192.168.1.0
add address=10.10.0.1/24 interface=bridge1_vlan3 network=10.10.0.0
Step 5: Allow DNS-Requests
/ip dns set allow-remote-requests=yes
Step 6: Create DHCP-Servers
/ip pool
add name=dhcp_pool_vlan1 ranges=192.168.88.2-192.168.88.99
add name=dhcp_pool_vlan2 ranges=192.168.1.2-192.168.1.99
add name=dhcp_pool_vlan3 ranges=10.10.0.2-10.10.0.99
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1
/ip dhcp-server
add address-pool=dhcp_pool_vlan1 disabled=no interface=bridge1_vlan1 name=dhcp_vlan1
add address-pool=dhcp_pool_vlan2 disabled=no interface=bridge1_vlan2 name=dhcp_vlan2
add address-pool=dhcp_pool_vlan3 disabled=no interface=bridge1_vlan3 name=dhcp_vlan3
Step 7: Create NAT/Masquerade for WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN