Dear all,
I have 2 DHCP servers on 2 different bridges.
Bridge_LAN1 has ether16 trusted=Yes &15 trusted=No and IP:172.16.0.1/16 DHCP
Bridge_LAN2 has ether13 trusted=Yes &14 trusted=No and IP:192.168.100.1/24 DHCP
and both ether14 & 15 are connected with wire for some purpose.
My desired work is working fine, but how can I stop this error?

Could you explain the reason for connecting two ports on one router? Physical connection for virtual bridges? With NAT?
I didn’t use the “untrusted” feature, but aren’t these warnings there because the servers are receiving packets from an untrusted port? To me it looks like a misconfig somewhere which is routing too much through this cable connection.
look in this attachment
or tell me how to route

Ok, so:
- What do you mean by site? Is there a switch or a router at the other side of cables on trusted ports?
- Are you using vlans or just the bridges?
On site A and site B I have a 24-port switch.
Not using VLANs. Just using bridges.
Please help me in this regard.
I don’t want to go for VLANs.
I just want to resolve this with the existing setup.
I just want the 2 LAN networks, which are split between 2 interfaces, to communicate.
I don’t have enough knowledge to help you with this in matter you want, sorry. Maybe someone else will.
It’s not a “communicate two LANs” thing because they are mixed (in site B there is a site A device). Probably you can open bridges to each other by adding some firewall rule/rules and get rid of that cable but it’ll open everything to each other.
Or you can open (accept) forward traffic from src address 172.16.0.11 in. Interface dst.address 172.16.0.0/16 through ether14. As I said, I’m not familiar with untrusted bridge ports so I don’t know how it will behave - does it drop everything or only DHCP requests? If only requests, making a static IP locally (not a DHCP reservation on the server side) should do the work in this scenario.
The “good” way though in my opinion is to:
- configure vlans on devices,
- use trunk ports between switches (even add a “master” switch connected only by 1 trunk port to the router (or a bonding 2 ports setup - a bit more complicated but more HA) and the sites connected to it (also by trunk ports)),
- use untagged ports on switches for connecting end devices (in some cases they should be tagged, but I think not in your situation),
- use firewall rules on router to manage inter-vlan routing.
Please tell me which rule I need to make in the firewall?
There are so many issues here, let me see what I can start with.
- Get rid of the cable between ports 13 & 15 - that is NOT how to get two diverse networks to communicate! That is the router’s job.
- Since you are trying to run two networks from the CCR to site B, you have two choices. Either use VLANs to keep them apart or two cables to either two separate switches or, if the un-named switches are smart enough, have the one switch operate as two virtual switches.
- Do you really need more than 250 addresses on your 172 network?
Export and post the config for the CCR so we’re not guessing.
To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no mtu=1500 name=Bridge1 vlan-filtering=yes
add dhcp-snooping=yes mtu=1500 name=Bridge_LAN priority=0x1000
add dhcp-snooping=yes mtu=1500 name="Bridge_LAN Farmhouse" protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN-1
set [ find default-name=ether2 ] name=ether2_WAN-2
set [ find default-name=ether3 ] name=ether3_WAN-3
set [ find default-name=ether4 ] name=ether4_WAN-4
set [ find default-name=ether5 ] name=ether5_WAN-5
set [ find default-name=ether6 ] name=ether6_WAN-6
set [ find default-name=ether7 ] name=ether7_Trunk
set [ find default-name=ether8 ] name="ether8_WAN PTCL"
set [ find default-name=ether9 ] disabled=yes name="ether9_WAN PrimeNet"
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
/ip pool
add name=dhcp_pool1 ranges=172.16.3.1-172.16.3.254
add name=dhcp_pool2 ranges=192.168.100.10-192.168.100.250
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Bridge_LAN name=dhcp1
add address-pool=dhcp_pool2 interface="Bridge_LAN Farmhouse" name=dhcp2
/routing table
add disabled=no fib name="to_Internal Network"
add disabled=no fib name=kamran
add disabled=no fib name="to_PPPoE Farmhouse"
/interface bridge port
add bridge=Bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether1_WAN-1 pvid=101
add bridge=Bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2_WAN-2 pvid=102
add bridge=Bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3_WAN-3 pvid=103
add bridge=Bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4_WAN-4 pvid=104
add bridge=Bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5_WAN-5 pvid=105
add bridge=Bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=ether6_WAN-6 pvid=106
add bridge=Bridge1 frame-types=admit-only-vlan-tagged interface=ether7_Trunk
add bridge=Bridge_LAN interface=ether16 trusted=yes
add bridge=Bridge_LAN interface=ether15
add bridge="Bridge_LAN Farmhouse" interface=ether14
add bridge="Bridge_LAN Farmhouse" interface=ether13 trusted=yes
/interface bridge vlan
add bridge=Bridge1 tagged=ether7_Trunk vlan-ids=101
add bridge=Bridge1 tagged=ether7_Trunk vlan-ids=102
add bridge=Bridge1 tagged=ether7_Trunk vlan-ids=103
add bridge=Bridge1 tagged=ether7_Trunk vlan-ids=104
add bridge=Bridge1 tagged=ether7_Trunk vlan-ids=105
add bridge=Bridge1 tagged=ether7_Trunk vlan-ids=106
/interface sstp-server server
set enabled=yes
/ip address
add address=172.16.0.1/16 comment=LAN interface=Bridge_LAN network=172.16.0.0
add address=192.168.0.1/24 comment=LAN interface=Bridge_LAN network=192.168.0.0
add address=xx.xx.xx.xx comment="WAN PrimeNet" interface="ether9_WAN PrimeNet" network=xx.xx.xx.xx
add address=10.10.10.2/30 comment="WAN PTCL" interface="ether8_WAN PTCL" network=10.10.10.0
add address=192.168.110.254/24 comment=LAN interface=Bridge_LAN network=192.168.110.0
add address=192.168.100.1/24 comment=LAN interface="Bridge_LAN Farmhouse" network=192.168.100.0
OK, so you don’t follow instructions. You did not include a network drawing or at least a good detailed description of the network. You did not post your complete configuration (minus sensitive data), and you did not post it within code blocks as instructed. Lastly you state that you’re not wanting to use VLANs, but the config extract that you posted includes a bunch of VLANs.
So try again.
- Post your COMPLETE config (minus sensitive data), not just a few extracts. Put into code blocks as instructed above.
- Post a network drawing that shows all the networking pieces.
- Tell us what you really are trying to accomplish.
- What hardware and software versions are in use?
- What are the switches at Site A and Site B?
Remember, we only have the data you post to go on - we can’t see into your network (and we’re not mind readers)…
It’s a “do it for me, without knowing almost anything, but in my way” scenario from the beginning, just saying. In the real world you have to pay money for it.
Thank God “I don’t have enough knowledge” for this
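
An added example, not part of any post in this thread: a small audit of the bridge sections of the export posted earlier, listing which ports of each DHCP-snooping bridge are trusted and flagging a cable that joins untrusted ports of two different snooping bridges (the ether14/ether15 link from the first post). The function names and the cable list are assumptions made for the illustration.

```python
import re
import shlex

# Constructed sample: bridge lines taken from the export posted above,
# with straight quotes and "\" line wrapping as RouterOS writes them.
EXPORT = r'''
/interface bridge
add frame-types=admit-only-vlan-tagged ingress-filtering=no mtu=1500 name=\
    Bridge1 vlan-filtering=yes
add dhcp-snooping=yes mtu=1500 name=Bridge_LAN priority=0x1000
add dhcp-snooping=yes mtu=1500 name="Bridge_LAN Farmhouse" protocol-mode=none
/interface bridge port
add bridge=Bridge1 frame-types=admit-only-vlan-tagged interface=ether7_Trunk
add bridge=Bridge_LAN interface=ether16 trusted=yes
add bridge=Bridge_LAN interface=ether15
add bridge="Bridge_LAN Farmhouse" interface=ether14
add bridge="Bridge_LAN Farmhouse" interface=ether13 trusted=yes
'''

def parse_export(text):
    """Return {section: [{key: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # rejoin wrapped lines
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])  # keeps "quoted names" whole
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections

def snooping_report(text):
    """Map each dhcp-snooping bridge to its trusted and untrusted ports."""
    s = parse_export(text)
    report = {b["name"]: {"trusted": [], "untrusted": []}
              for b in s.get("/interface bridge", []) if b.get("dhcp-snooping") == "yes"}
    for p in s.get("/interface bridge port", []):
        if p.get("bridge") in report:
            # a port is untrusted unless the export says trusted=yes
            kind = "trusted" if p.get("trusted") == "yes" else "untrusted"
            report[p["bridge"]][kind].append(p["interface"])
    return report

def cross_links(report, cables):
    """Cables whose two ends are untrusted ports of different snooping bridges."""
    owner = {port: br for br, v in report.items() for port in v["untrusted"]}
    return [c for c in cables if c[0] in owner and c[1] in owner
            and owner[c[0]] != owner[c[1]]]

if __name__ == "__main__":
    rep = snooping_report(EXPORT)
    print(rep, cross_links(rep, [("ether14", "ether15")]))
```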