First post ever! Help me migrate to RouterOS from EdgeOS

Hi all!

I’m trying to gauge the viability of migrating from Ubiquiti EdgeOS to Mikrotik RouterOS. I have gigabit internet at home from AT&T that uses dot1.x authentication with a certificate on the router they provided. With Ubiquiti I’m able to duplicate all traffic from the ISP, send the dot1.x traffic to the AT&T router, while all the other traffic goes to my router. Can I do the same with Mikrotik? Below are the steps for EdgeOS… please advise if I can accomplish the same in RouterOS.

Taken from: http://bzsparks.com/2016/10/05/using-an-ubiquiti-edgerouter-with-att-gigapower-fiber/


Create the bridge interface:

set interfaces bridge br0

Add eth1 and eth2 to br0:

set interfaces ethernet eth1 bridge-group bridge br0
set interfaces ethernet eth2 bridge-group bridge br0

Create a sub-interface on br0 with your static IP:

set interfaces bridge br0 vif 0 address X.X.X.X/X

Set your routing:

set protocols static route 0.0.0.0/0 next-hop X.X.X.X

Define a source NAT masquerade rule for the br0.0 interface:

set service nat rule 5000 outbound-interface br0.0
set service nat rule 5000 type masquerade

Next we need to allow the gateway to pass auth traffic through the bridge:

echo 8 > /sys/class/net/br0/bridge/group_fwd_mask

Because of the nature of an interface bridge, all traffic is copied to both interfaces. Running a tcpdump on the Arris interface shows all ingress and egress traffic. To only allow 802.1X/EAP traffic to the gateway we need to use ebtables:

ebtables -t filter -A FORWARD -i eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
ebtables -t filter -A FORWARD -i eth2 -p 802_1Q -j DROP
ebtables -t filter -A FORWARD -o eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
ebtables -t filter -A FORWARD -o eth2 -p 802_1Q -j DROP

Finally, we need to spoof our br0.0 MAC address so that it presents itself as the AT&T gateway. Run these commands as root:

ip link set br0.0 down
ip link set br0.0 address XX:XX:XX:XX:XX:XX
ip link set br0.0 up

Remember that every time br0.0 is created it needs to have its MAC spoofed; this means on every reboot. To accomplish this we will create a simple script in /config/scripts/post-config.d/:

#!/bin/bash
echo 8 > /sys/class/net/br0/bridge/group_fwd_mask
ip link set br0.0 down
ip link set br0.0 address XX:XX:XX:XX:XX:XX
ip link set br0.0 up
ebtables -t filter -A FORWARD -i eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
ebtables -t filter -A FORWARD -i eth2 -p 802_1Q -j DROP
ebtables -t filter -A FORWARD -o eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
ebtables -t filter -A FORWARD -o eth2 -p 802_1Q -j DROP

Thoughts anyone?!
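As an added Python model (not from the blog post or from anyone in this thread), here is what the group_fwd_mask write and the four ebtables FORWARD rules above decide for a frame crossing the eth1/eth2 bridge; the MAC addresses and payloads are constructed samples.

```python
import struct

VLAN_ETHERTYPE = 0x8100   # 802.1Q tag, what ebtables "-p 802_1Q" matches
EAPOL_ETHERTYPE = 0x888E  # 802.1X EAPOL, what "--vlan-encap 0x888e" matches
PAE_GROUP_MAC = bytes.fromhex("0180c2000003")  # 802.1X PAE group address
GROUP_PREFIX = bytes.fromhex("0180c20000")     # 01:80:C2:00:00:00-0F reserved range

def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Constructed sample frame, optionally 802.1Q-tagged (AT&T uses VLAN 0, hence br0.0)."""
    tag = struct.pack("!HH", VLAN_ETHERTYPE, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Return dst MAC, VLAN id (None if untagged) and the encapsulated ethertype."""
    dst, ethertype = frame[0:6], struct.unpack("!H", frame[12:14])[0]
    if ethertype != VLAN_ETHERTYPE:
        return {"dst": dst, "vlan": None, "encap": ethertype}
    tci, encap = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "vlan": tci & 0x0FFF, "encap": encap}

def bridge_forwards(dst: bytes, group_fwd_mask: int) -> bool:
    """A Linux bridge does not forward frames sent to 01:80:C2:00:00:0X unless bit X of
    group_fwd_mask is set; 'echo 8' sets bit 3, i.e. the 802.1X PAE address above."""
    if dst[:5] != GROUP_PREFIX or dst[5] > 0x0F:
        return True  # ordinary unicast/multicast: normal bridge forwarding
    return bool(group_fwd_mask & (1 << dst[5]))

def ebtables_verdict(info: dict) -> str:
    """The four FORWARD rules on eth2: a tagged frame passes only if it carries EAPOL;
    untagged frames match no rule and fall through to the default ACCEPT policy."""
    if info["vlan"] is None:
        return "ACCEPT"
    return "ACCEPT" if info["encap"] == EAPOL_ETHERTYPE else "DROP"

def forward_decision(frame: bytes, group_fwd_mask: int = 8) -> str:
    """Outcome for a frame forwarded between eth1 and eth2. Frames delivered to the router's
    own br0.0 take the INPUT path instead, so the tagged IP traffic still reaches the router."""
    info = parse_frame(frame)
    if not bridge_forwards(info["dst"], group_fwd_mask):
        return "DROP-BRIDGE"  # never reaches the ebtables FORWARD chain
    return ebtables_verdict(info)

# Constructed samples: VLAN-0 EAPOL from the gateway, VLAN-0 IPv4 traffic, untagged ARP
GATEWAY_MAC = bytes.fromhex("020000aabbcc")  # placeholder, not a real gateway address
ONT_SIDE_MAC = bytes.fromhex("020000112233")  # placeholder
EAPOL_FRAME = build_frame(PAE_GROUP_MAC, GATEWAY_MAC, EAPOL_ETHERTYPE, b"\x02\x01\x00\x00", vlan=0)
IPV4_FRAME = build_frame(GATEWAY_MAC, ONT_SIDE_MAC, 0x0800, b"\x45" + b"\x00" * 19, vlan=0)
ARP_FRAME = build_frame(b"\xff" * 6, ONT_SIDE_MAC, 0x0806, b"\x00" * 28)
```

Run forward_decision() on the three samples: only the EAPOL frame is forwarded to the gateway, and only when group_fwd_mask has bit 3 set.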

My thought is that you should experiment. I don’t know EdgeOS, but from what I see, you can surely create a bridge in RouterOS, assign an IP address and default route, do masquerade and set the bridge MAC address. Just open WinBox/WebFig and you must figure these things out in a few minutes tops.

There are also bridge filters that probably can do what those ebtables rules do.

I’m not sure about the purpose of the sub-interface on the bridge and what exactly it does.

Possibly the most problematic part seems to be “echo 8 > /sys/class/net/br0/bridge/group_fwd_mask”. It should override some default blocking in the bridge. I don’t see that option in RouterOS. But it could possibly have different defaults, so that traffic might pass without any overrides if you’re lucky.

Sorry to rehash an old thread, but did you ever get this sorted out?

Thanks!