I have a RB4011iGS+5HacQ2HnD and what I am trying to do is to configure only one ethernet port to be different from the others. So let’s say that I want to do this on eth9. All the other ports (sfp+, eth1-8 and eth10) are configured to work as a bridge on the network 192.168.88.0/24. I get the internet connection from the sfp+ port of a udm-pro directly connected to the rb4011 on the sfp+. I recently changed ISP, and the ISP demands that the user configure one port for VoIP in a specific way in order for the telephone service to work. So this is my config:
(DO NOT WORRY ABOUT THE CREDENTIALS!! All users of the ISP use the same credentials they authenticate the service in a different way.)
The VLAN of this pppoe connection is 838. I would also like specific DNS servers for this port. I do not know the exact IP addresses of the specific DNS servers, but if you could provide the commands, I would apply them myself once the provider calls me back and provides the IP addresses.
Is it possible for you please to help me out to configure this.
I know this is a very noob. But any help given is much appreciated!
Please anyone?
If there is a thread that explains the same thing you can just post it. I tried to find one myself but I could not.
Any help is much appreciated!
I would have thought that voice pppoe config would be done on the UDM Pro.
Probably adding (another)? pppoe client on the same physical port it is currently using as its WAN port.
But anyway.
Assuming you have somewhere to plug ether9 into.
Disable the existing ether9 bridge port entry.
Add a new VLAN interface to ether9, name it appropriately (eg. VLan838-phone)
Then create a pppoe client with specified username/password and attach it to VLan838-phone.
Make the pppoe client have a different (high) default route distance in the Dial Out Tab.
You may want to make a profile specifically for this pppoe client.
In Interface Lists, add your pppoe client to the WAN list.
(Also add ether9 and VLan838-phone interfaces to the WAN list)
You will need to make a WAN Interface list and use something like the default configuration.
WAN interfaces have masquerade applied to outbound traffic, inbound disallowed if no dst-nat rule applies.
See if you can get the pppoe client to connect.
You will then need to make some routing rules and route entries, packet marks etc. to get your phone(s) to route via the interface.
A simple routing rule for testing might be for source=phones IP address, dest=0.0.0.0/0, action=lookup ViaPPPoe
Then add an entry in routing table for ViaPPP
Thank you for your reply! Sorry for the delayed response, but I faced some health issues.
You are right, that would be the best, if I managed to do it on the side of the udm-pro. Unfortunately, the last time I did something via ssh on the udm-pro it was working great, but after a firmware update it all went south and I had to reset the device and set it up again.
I know this may be out of scope for this forum, but in case you know how to do it safely on the udm side please let me know.
Ok here is the series of the commands I am about to issue on the mikrotik. Please let me know if I need to change anything or add something:
Step 1: Connect via winbox select Bridge>Ports (tab)> Press red X to disable eth9 from bridge
/interface list member add interface=ether9 list=WAN
/interface list member add interface=voip_vodafone_vlan list=WAN
/interface list member add interface=pppoe_connection_for_vodafone_voip list=WAN
# The following default masquerade rule should already exist
#/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
# Also this rule should already be present in filter
# add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
With luck this will get the voip connection up and running to the ISP but you still have to get the connection to the phones.
/interface list member add interface=ether9 list=WAN
But I get this error:
input does not match any value of interface
I guess this is because there is no WAN interface or there is no interface named WAN?
Basically the mikrotik is connected to the udm-pro on the sfp+ module in the same local network and the DHCP server is the udm-pro. So the mikrotik kinda works like a switch.
Do I have to replace the WAN with something else?
If I issue the command:
/interface list print I get this:
Flags: * - BUILTIN
Columns: NAME
NAME
;;; contains all interfaces
0 * all
;;; contains no interfaces
1 * none
;;; contains dynamic interfaces
2 * dynamic
;;; contains static interfaces
3 * static
If I issue the command: /interface list member print then it outputs blank.
If you need any further info about the config on the mikrotik please let me know.
OK! I have managed to surpass the previous error by going to Interfaces> Interface List > pressing the button List and creating an interface list named “WAN”. (winbox)
I will have to see now what happens on the side of the pbx and I will let you know.
So I have tested it and it does not work. The pbx does not register to the SIP server.
So I have some more information that may be helpful:
on another greek forum (adslgr.com) a user (astbox) managed to make it work for a home connection on the same provider. The difference is that home connections require vlan=837 and there is no need for an extra dedicated pppoe connection for voip.
However the user indicated some things that are helpful:
MTU of the vlan must be 1500.
a dhcp client must be created because the ISP expects the VoIP devices to be on a local network different than the rest of devices. So for example if the “classic” internet devices are on 192.168.88.0/24, the pbx must be on a network 10.x.x.x. It is like the provider isolates completely voice from the rest of devices.
So the user also mentions that the following must be set:
a) IP>DHCP Client>Add new>Interface → vlan that was created (in my case 838 → voip_vodafone_vlan) > Check Add Default Route> Press OK
b) IP>Firewall>Add New, chain → srcnat, out interface → VLAN interface (voip_vodafone_vlan), action → masquerade and then press OK.
On step b) I do not know if I have to set on the out interface the VLAN interface (voip_vodafone_vlan) OR the pppoe connection dedicated for the voip registration. (pppoe_connection_for_vodafone_voip)
He also mentioned that if everything goes well then I should see on IP>Routes records like this:
The UCM has a function on the Network settings that called Dual. Basically, because it provides two RJ45 ports then one can be on 192.168.88.0/24 with different settings and the other on another network completely.
So, I do not know if this provides helpful insight, but if you guys know how I can implement this I would be really grateful! (on the mikrotik side, not the UCM)
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
However I really think you should consider starting again from scratch, from a default mikrotik config on your router.
As it has a reasonable basic firewall configuration.
Your original is probably ok for inside the UDM, but now you are putting a port directly onto somewhere outside.
And at this time you have no real blocking of anything coming in.
So far this topology has worked with no problems. The problems started when I changed ISP.
My previous ISP (COSMOTE) did not require all these weird setups. Every piece of data (voice or others) was on the same pppoe connection and the same vlan (835).
Sorry for posting and asking for such detailed setup, really. I usually manage to make it work myself, but this time these kind of requirements confuse me a lot…
Hi,
Find some changes to make the router more secure.
Copy and paste a bit at a time, pick the bits you want.
#Some additions to make router more secure (most from default firewall config).
/interface list
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
#Disable unused ip access methods.
#take care, this disables all except winbox.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
#Only allow mac telnet/winbox access from LAN interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
#Hopefully this is already present.
#/ip firewall nat
#add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
# out,none out-interface-list=WAN
### Some additional (Optional) stuff ###
#Limit admin access to router to specific IP addresses
#limit access to winbox by IP address
/ip firewall address-list
add address=YOUR_IP_ADDRESS list=ADMIN
add address=192.168.88.0/24 list=ADMIN
#only allow those on admin IP addresses to access winbox.
/ip firewall filter
add action=accept chain=input comment="allow winbox from admin" dst-port=8291 log=yes log-prefix=winbox protocol=tcp src-address-list=ADMIN
add action=drop chain=input comment="drop all other winbox" dst-port=8291 log=yes log-prefix=winbox-drop protocol=tcp
### dont copy and paste this without careful review ###
# full firewall filter (for review) from 7.13(ish)
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
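An added example, not part of any post in this thread: a small Python check that reads RouterOS export text and reports whether the hardening points discussed above are in place (input drop for `!LAN`, forward drop for `WAN`, every PPPoE client in the `WAN` list, unused services disabled). The sample export is constructed, and the checker assumes rules are written in the same shape as the ones quoted in the thread.

```python
import shlex

# Constructed sample in RouterOS export syntax, modelled on the thread's config.
SAMPLE_EXPORT = r'''
/interface list member
add interface=vlan838 list=WAN
/interface pppoe-client
add disabled=no interface=vlan838 name=pppoe-voip user=VoipUsername
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
'''

def parse_export(text):
    """Yield (menu, verb, positional, params) for each command line."""
    menu = None
    for line in text.replace("\\\n", " ").splitlines():  # fold "\" continuations
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            verb, *tokens = shlex.split(line)  # keeps quoted comments whole
            params = dict(t.split("=", 1) for t in tokens if "=" in t)
            yield menu, verb, [t for t in tokens if "=" not in t], params

def audit(text):
    """Return findings for the hardening points raised in the thread."""
    cmds = list(parse_export(text))
    rules = [p for m, v, _, p in cmds if m == "/ip firewall filter" and v == "add"]
    wan = {p.get("interface") for m, _, _, p in cmds
           if m == "/interface list member" and p.get("list") == "WAN"}
    pppoe = {p["name"] for m, v, _, p in cmds
             if m == "/interface pppoe-client" and v == "add" and "name" in p}
    off = {a[0] for m, _, a, p in cmds
           if m == "/ip service" and a and p.get("disabled") == "yes"}
    def has_drop(chain, iface_list):
        return any(r.get("chain") == chain and r.get("action") == "drop"
                   and r.get("in-interface-list") == iface_list for r in rules)
    findings = []
    if not has_drop("input", "!LAN"):
        findings.append("input: no drop for traffic not coming from LAN")
    if not has_drop("forward", "WAN"):
        findings.append("forward: no drop for new WAN traffic that is not dst-nat")
    findings += [f"pppoe client {n} is not in the WAN list" for n in sorted(pppoe - wan)]
    findings += [f"service {s} is still enabled"
                 for s in ("telnet", "ftp", "api", "api-ssl") if s not in off]
    return findings
```

Traffic arriving over the PPPoE session has the PPPoE interface as its in-interface, not the VLAN beneath it, so a `WAN`-list rule only covers it when the PPPoE client itself is a list member.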
I am assuming that the link from the UDM-PRO sfp+1 to the ISP WAN interface is an ethernet cable.
You need to get another connection (the voice pppoe) onto this cable and into the ISP WAN.
There are a few options.
1. You do it from the UDM, probably best, but sorry I don’t know how.
2. You connect to the voice pppoe of the ISP from either the UCM6302, or the Mikrotik.
3. You remove the UDM-PRO and use the Mikrotik as the main gateway for both.
At this stage I am going to look at Option 2, and how it might be done.
Conceptually, (and probably actually in the short term)
You put a small Dumb switch between the UDM SFP+1 and the ISP Wan interface.
You then plug the UCM6302 WAN port (In Route mode), or the Mikrotik Wan port (currently ether9) into another
port on the dumb switch. (You then tape up any other unused ports on this switch)
With luck the UCM6302 or Mikrotik can then connect to the ISP Voip PPPoE, after the correct
vlan/pppoe and username/password are all configured.
I need to think a bit more about what happens next. (It might be less easy than I was thinking)
I am assuming the UCM6302 is the main phone hub, and phones connect to it, and
the UCM6302 connects to the ISP’s voip service.
The UCM6302 is plugged into a spare port on the RB4011#1 (Not port 9)
(At some stage, perhaps want to rejig this a bit, so maybe port2 is the pppoe voip client port)
I will assume the UCM6302 has an IP address of 192.168.88.5, change the following
as required to match its actual address (Needs to be a fixed IP Address).
On the 4011#1
# setup pppoe-client (assuming not already done)
# NOT to be used as default gateway (Default Route unticked in winbox)
#(This may already be at least partially done)
/interface pppoe-client
add disabled=no interface=vlan838 name=pppoe-voip password=VoipPassword profile=\
default user=VoipUsername
#check log, see if connecting...
#Setup routing, so only specified IP address(es) that use
#RB4011#1 as default gateway will go via the voip pppoe link.
#RB4011#1 will not use this as its default gateway.
/routing table
add disabled=no fib name=Voip
#The UCM6302 (Assumes it is on .88.5 change as required)
/routing rule
add action=lookup disabled=no dst-address=0.0.0.0/0 src-address=\
192.168.88.5/32 table=Voip
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-voip pref-src="" \
routing-table=Voip scope=30 suppress-hw-offload=no target-scope=10
Finally (hopefully) set the UCM6302’s default gateway to be 192.168.88.12 (RB4011 #1)
What troubles me a lot is that I am unable to establish the voice pppoe connection on either the mikrotik or the udm-pro.
The problem is that I am unable to understand why. The credentials are correct.
I will reset the RB4011 #1. Can you please post again in order (command 1, command 2, command 3, etc…) what I should execute on the terminal of mikrotik RB4011 #1 after the reset to configure eth9 again?
Sorry for asking you to spoon feed. I just want to make sure that I am doing exactly as you told me, without mistakes, so we will be able to troubleshoot any problems that may come up.
OFFTOPIC: One of the LAN ports of the UCM6302 should be configured as either DHCP or Static? Not PPPoE. Correct?
Yes, the UCM6302 should be configured as static, and not on vlan 838.
I have attached a diagram of how I think it will be setup at least initially for testing.
For testing, use ether1 as the WAN port, as this minimises the amount of
changes that need to be configured from the default configuration. (You
can also then put the UCM6302 back into ether9 again)
The 4011 is not connected to the UDM.
Configuration:
Changes made to a default configuration from a recentish (12.1) version
of routeros 7.
ether1 initially disconnected.
/ip dhcp-client
disable ether1
/interface vlan
add interface=ether1 name=vlan838 vlan-id=838
/interface pppoe-client
add disabled=no interface=vlan838 name=pppoe-voip password=guest user=guest@onenetvoice.gr
#add vlan838 and pppoe-voip to WAN list for nat, etc.
/interface list member
add interface=vlan838 list=WAN
add interface=pppoe-voip list=WAN
#give a lot more logging for trying to find out what is happening voip wise.
/system logging
add topics=pppoe
#Turn off unneeded services
/ip service
set telnet disabled=yes
set ftp disabled=yes
#set www disabled=yes
#set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
Now connect ether1 to the dumb switch, and see if it will connect. You
should get plenty of pppoe logging to tell you what is happening.
At this stage all you are trying to get is the pppoe working.
Once working you can reconfigure the 4011 a bit more so it is compatible with the rest of the network.
Edit: you also talk about needing 1500 byte mtu, in which case you may need the following:
/interface pppoe-client
set max-mru=1500 [find name=pppoe-voip]
set max-mtu=1500 [find name=pppoe-voip]
#and possibly same for pppoe-wan
Hi,
I think it should be ok, though I have not used an ONT. I gain the impression that the customer side is normal ethernet,
(with vlans and pppoe running on it in this case).
Offtopic:
You could perhaps at some later point trial the following config and perhaps get the internet also running from the 4011.
Though I guess you probably need to get the voice fully working first.
(Unplug the UDM before enabling the pppoe-client)