[Help] Access Bridged GPON modem in front of Mikrotik

RouterOS Beginner Basics
1

I have a hap ac router. My ISP run internet and IPTV on VLAN. I configured mikrotik run pppoe on VLAN on eth1 which is connect to LAN port of the GPON modem, GPON modem turn in to bridge mode. The IP address of 2 devices are:
Mikrotik: 100.10.10.0/24
GPON Modem: 192.168.1.1

Now I want to access GPON modem from my PC which is connect directly to Mikrotik router. I tried several config from NAT rule, Routing but I don’t know if I make something wrong there.

At the moment, If I want to config my GPON modem, I must hook my PC to the modem and manually config ip of the PC to 192.168.1.x for the access. BTW, my ISP use GPON modem from DASAN, I believed. The model is H646ew.

2

Add IP address from 192.168.1.x subnet to ether1 interface of your mikrotik. Then construct a src-nat rule for that particular interface.

If you want to get some concrete configuration examples, post complete configuration of your routerboard (/export hide-sensitive).

3

Hi,

I follow some guides in the internet and now I think that I really messing up with the config. Here is my config of the mikrotik.

# mar/19/2019 21:54:18 by RouterOS 6.44.1
# software id = xxxx
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxx
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=eC frequency=\
    2452 name=channel
/interface bridge
add admin-mac=xxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-Ce \
    comment="2.4 GHz" country="viet nam" disabled=no distance=indoors \
    frequency=2452 installation=indoor mode=ap-bridge ssid=lilw2 \
    wireless-protocol=802.11 wps-mode=disabled
/interface wireless nstreme
set wlan1 comment="2.4 GHz"
/interface wireless manual-tx-power-table
set wlan1 comment="2.4 GHz"
/interface vlan
add interface=ether1-WAN name=vlan35 vlan-id=35
/caps-man datapath
add bridge=bridge name=datapath1
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan35 name=isp-pppoe \
    user=xxxx
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=caps_sec
/caps-man configuration
add channel=channel datapath=datapath1 mode=ap name=cfg1 security=caps_sec \
    ssid=lilw2
/caps-man interface
add channel=channel configuration=cfg1 datapath=datapath1 disabled=no l2mtu=\
    1600 mac-address=xxxxxx master-interface=none name=cAP \
    radio-mac=xxxxxxx radio-name=xxxxxxx security=caps_sec
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=lilw \
    supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=guest \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-Ceee comment="5 GHz" disabled=no distance=indoors frequency=\
    auto mode=ap-bridge security-profile=lilw ssid=lilw wireless-protocol=\
    802.11 wps-mode=disabled
add comment="Guest Network" default-ap-tx-limit=500000 \
    default-client-tx-limit=500000 keepalive-frames=disabled mac-address=\
    xxxxxxxx master-interface=wlan1 multicast-buffering=disabled \
    name=wlan3 security-profile=guest ssid="lilw's guest" wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/interface wireless nstreme
set wlan2 comment="5 GHz"
set wlan3 comment="Guest Network"
/interface wireless manual-tx-power-table
set wlan2 comment="5 GHz"
set wlan3 comment="Guest Network"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=100.10.10.2-100.10.10.254
add name=dhcp_guest ranges=192.168.2.1-192.168.2.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12h name=\
    dhcp_home
add address-pool=dhcp_guest disabled=no interface=wlan3 name=dhcp_guest
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=cAP \
    signal-range=-79..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=cAP \
    signal-range=-120..-80 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-disabled master-configuration=cfg1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add disabled=yes interface=*1B
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=sfp1 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=isp-pppoe list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=isp-pppoe list=WAN
/interface wireless access-list
add allow-signal-out-of-range=1s interface=all signal-range=-79..120
add allow-signal-out-of-range=1s authentication=no forwarding=no interface=\
    all signal-range=-120..-80
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge interfaces=wlan1
/ip address
add address=100.10.10.1/24 comment=defconf interface=bridge network=\
    100.10.10.0
add address=192.168.2.1/24 disabled=yes interface=wlan3 network=192.168.2.0
add address=192.168.1.2/24 interface=ether1-WAN network=192.168.1.0
/ip dhcp-server network
add address=100.10.10.0/24 comment=defconf gateway=100.10.10.1
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=100.10.10.1 name=router
/ip firewall address-list
add address=100.10.10.0/24 list=local
add address=192.168.2.0/24 list=guest
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=3_
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input comment="defconf drop all from PPPOE" \
    in-interface-list=!mactel log-prefix=8_
add action=drop chain=input comment="Block guest access" dst-port=\
    21,22,23,80,443,8291 log-prefix=guest_ protocol=tcp src-address-list=\
    guest
add action=accept chain=input comment="Local access ssh, telnet" log-prefix=\
    ssh_ src-address-list=local
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
add action=dst-nat chain=dstnat dst-port=xxxx in-interface=isp-pppoe \
    protocol=tcp to-addresses=100.10.10.x to-ports=xxxx
/ip ssh
set allow-none-crypto=yes
/ip upnp
set enabled=yes
/ipv6 address
# address pool error: pool not found: ipv6pool (4)
add from-pool=ipv6pool interface=bridge
/ipv6 dhcp-client
add add-default-route=yes disabled=yes interface=isp-pppoe pool-name=\
    ipv6pool prefix-hint=::/64 request=prefix
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 disabled=yes interface=isp-pppoe \
    upstream=yes
add disabled=yes interface=ether5
/system leds
set 2 disabled=yes
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
4

You don’t want to allow discovery on isp-pppoe … so remove this one:

/interface list member
add interface=isp-pppoe list=discover

Addressing seems OK, so RB should be able to access GPON modem. You can verify by running command /ping 192.168.1.1 on router itself. If it is, then modem should be accessible already also to LAN clients as your masquerade rule is quite permissive (it masks everything that happens to pass router, I’d restrict it by adding out-interface=isp-pppoe … but this really depends on topology of your network). If you do restrict your current masquerade rule, then you have to add another one to make GPON modem reachable from the rest of your LAN:

/ip firewall nat
add action=masquerade chain=srcnat comment="towards GPON modem" out-interface=ether1-WAN

Your firewall needs some reworking … if your internet access is over isp-pppoe, then firewall filter rules should refer to that port. For example the following rule:

add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed"\
    connection-nat-state=!dstnat connection-state=new in-interface=isp-pppoe

My advice would be to use interface lists … in case WAN interface gets changed, it’s not needed to redo many firewall rules, enough is to update WAN list membership.

You might want to restrict access to GPON modem subnet to a few select LAN clients. Without additional FW rules every LAN (and guest) client will be able to connect to GPON modem.

5

Thank you for your help, but I still can’t ping the 192.168.1.1. Everything I did, I suppose it to work already but it still not. Most of my firewall rule is the default from Factory. I use mikrotik for home only since my linksys EA3500 wifi fault. My network is simple:

GPON modem (bridge) --- Mikrotik hap ac (pppoe + iptv + dhcp) --- cAP (eth5 POE from hap ac)
192.168.1.1              gateway: 100.10.10.1                         capsman
                         internet: PPPOE

Oh, I forgot to say. My PC is connected to the dump EA3500 works as switch (eth3 on hap ac), I still can login to mikrotik so I suppose it is not a problem. When I tried your nat rule toward gpon, the log saying this:
Screen Shot 2019-03-20 at 14.14.39.png
I don’t get what unknown 0
BTW, I can’t access mikrotik forum for the last 12 hours because sql errors. And I just figured out the queue limit is not working with ip settings allow fast path. I remembered the limit thing can be done in the interface list without queues limit and not need so much config.

6

Can you ping GPON modem from hAP ac? Until you can, nothing else will work …

Firewall rules in your setup are slight mess … so I suspect they come from a fairly old version of ROS. You might want to consider re-configuring hAP ac from scratch (export config using /export file=exported_config.rsc, copy resulting file off router, upgrade ROS to latest stable (6.44.1 as of today), perform reset to factory default, and change some bits and pieces as needed (VLAN settings, PPPoE details, …).

7

I can’t ping from hAP ac. BTW, my gpon modem DHCP is on, so I tried to setup DHCP client on mikrotik eth1 but it won’t have the IP. If I connect my PC with GPON wifi, it get an IP.

You are right, my configuration is a messed. I think I should spend sometimes with it.

Can you offer me some good firewall rules for home user?

8

Default firewall configuration on recent ROS versions is quite decent one. It only needs some minor tweaking (e.g. some port forwarded), but basics are sound.

If you can’t ping GPON modem from router, then it might be due to some config on GPON modem itself. I can imagine config where if modem is set to bridge mode, it won’t answer to IP on wired interface. Or something completely different…

[edit] Just struck me … I can see that you’re running PPPoE client on vlan interface. Try to move 192.168.1.2 IP address from ether1-WAN to vlan35 interface and see if this makes any difference.

9

Thanks for lighting me up. I appreciate your time with me.

10

Let’s try to help you,
First, connect a port of your hap ac to the GPON, a new port, not the one that you are using for PPPoE.
Second, on that port put a IP from the range of the GPON Modem:
/ip address add 192.168.1.2/24 interface=etherX

Try to ping the GPON modem from Mikrotik
/ping 192.168.1.1

If ping works, now create a NAT Firewall rule to your LAN PC reach the modem
/ip firewall nat add chain=srcnat dst-address=192.168.1.1 action=src-nat to-address=192.168.1.2

Probably it will work. :smiley:

11

Thanks again, I tried it too but it is not working. It stated the same unknown0.


Thanks, I will try when I get home. But I think your guide should work. But what next? I still need the internet on ether1 too.

12

Your ONU only have 1 Ethernet? If it have two you connect two cables on that one for internet and other for management
:smiley:

Sent from my Vivo XI+ using Tapatalk

13

My GPON have 4 ethernets, but the first 2 ports has it own config from ISP, and I can only reach 70% my internet speed with them. So I assume these 2 ports for iptv. The last 2 ports is good for internet. Thanks for your suggestion, but I’m not gonna do that because I will waste one of my port for that management. Right now, my hAP ac have 2 reserve ports that I planned for NAS and another access point.

14

So, you could try to put the IP 192.169.1.2/24 on the Ethernet where you connect for pppoe. It probably works too, but be careful to not put the IP on the interface pppoe, it need to be on the Ethernet interface

Sent from my Vivo XI+ using Tapatalk

15

Yes, that is what I tried at first. But it is not working. Right now, my config is the same as you said, none work.

16

If you put the IP 192.168.1.2/24 in your computer, connect on any port of the ONU you can access the ONU 192.168.1.1?

Sent from my Vivo XI+ using Tapatalk

17

I’ve been resetting my hAP ac to default configuration of ROS v6.44.1. Figured out there is a bunch of new thing in here, took me quite a while to figure thing out. Finally I found that the problem is not with Mikrotik, but with ONU modem. ISP didn’t send DHCP over ethernet port. Instead only wifi will get IP address. If I plug my PC directly and config the IP to match, it still doesn’t have access to ONU. So I tried port mapping here and there, ONU completely block me out cause of my stupid mapping. Reset the ONU is a pain with me.