How to configure and debug mikrotik CRS326 24 switch to act as a router to starlink?

RouterOS Beginner Basics
1

Hi all, I have Mikrotik mikrotik cRS326-24G-2S+RM.
Goal is to have starlink in bridge mode as I have it today with weaker and limited AP.
I need to connect all house and devices, thus need of more powerful device.

I ran into a problem and I am trying to solve it for 12 hours (clean hours working on it).
Mikrotik gets its IP from starlink, which is in bypass mode.
I can ping from winbox.
NAT firewall set + masquearade.
bridge set and ether1 (WAN) is not part of the bridge.
IP addresses set, dhcp server for WAN a and DHCP client of LAN set.
Client in the lan networks gets IP correctly, but they cant reach internet no matter what I am doing.

Can you please advise?


ROS v7

2

You do realise that CRS326 is a switch, not a router ? You can expect max about 250-270 Mbps bandwidth…

You should export your configuration and post it here.

3

well, yes. I expect basic routing capabilities and stable.

This is non working config

# 2024-03-10 23:35:14 by RouterOS 7.14
# software id = 2XQ4-E7TP
#
# model = CRS326-24G-2S+
# serial number = HES09ERQ493
/interface bridge
add mtu=1500 name=localNet
/interface ethernet
set [ find default-name=ether22 ] name=apObyvak
set [ find default-name=ether16 ] name=desktopTM
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether10 ] name=homeAssistant
set [ find default-name=ether20 ] name=rekuperace
set [ find default-name=ether18 ] name=tepelneCerpadlo
set [ find default-name=ether12 ] name=wifiApRouter
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface list
add name=WAN
add name=LAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.2-192.168.88.255
add name=dhcp-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp bootp-support=dynamic interface=localNet lease-time=10s \
    name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=localNet interface=ether2 trusted=yes
add bridge=localNet interface=ether3 trusted=yes
add bridge=localNet interface=ether4 trusted=yes
add bridge=localNet interface=ether5 trusted=yes
add bridge=localNet interface=ether6 trusted=yes
add bridge=localNet interface=ether7 trusted=yes
add bridge=localNet interface=ether8 trusted=yes
add bridge=localNet interface=ether9 trusted=yes
add bridge=localNet interface=homeAssistant trusted=yes
add bridge=localNet interface=ether11 trusted=yes
add bridge=localNet interface=wifiApRouter trusted=yes
add bridge=localNet interface=ether13 trusted=yes
add bridge=localNet interface=ether14 trusted=yes
add bridge=localNet interface=ether15 trusted=yes
add bridge=localNet interface=desktopTM trusted=yes
add bridge=localNet interface=ether17 trusted=yes
add bridge=localNet interface=tepelneCerpadlo trusted=yes
add bridge=localNet interface=ether19 trusted=yes
add bridge=localNet interface=rekuperace trusted=yes
add bridge=localNet interface=ether21 trusted=yes
add bridge=localNet interface=apObyvak trusted=yes
add bridge=localNet interface=ether23 trusted=yes
add bridge=localNet interface=ether24 trusted=yes
add bridge=localNet interface=sfp-sfpplus1
add bridge=localNet interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all lan-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=localNet list=LAN
/ip address
add address=192.168.88.0/24 comment=LAN interface=localNet network=\
    192.168.88.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.88.253 client-id=1:20:f8:3b:0:10:56 mac-address=\
    20:F8:3B:00:10:56 server=dhcp1
add address=192.168.88.250 mac-address=60:8A:10:8D:BE:78 server=dhcp1
add address=192.168.88.252 mac-address=28:D1:27:70:2F:A5 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=log chain=forward dst-address=8.8.8.8 protocol=icmp src-address=\
    192.168.88.254
add action=accept chain=input connection-state=established,related
add action=accept chain=input src-address=192.168.88.0/24
add action=drop chain=input in-interface=ether1
add action=accept chain=input port=67,68 protocol=udp
add action=accept chain=forward comment="allow established and related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid connection" \
    connection-state=invalid
add action=accept chain=forward src-address=192.168.88.0/24
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface-list=WAN
/system clock
set time-zone-name=Europe/Prague
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
/tool sniffer
set file-name=test filter-interface=localNet

this is mostly working including wifi AP subnet

# 2024-03-11 11:25:08 by RouterOS 7.14
# software id = 2XQ4-E7TP
#
# model = CRS326-24G-2S+
# serial number = HES09ERQ493
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
add name=listBridge
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp-pool ranges=192.168.50.10-192.168.50.254
/ip dhcp-server
add address-pool=dhcp-pool interface=bridge1 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.31.0/24 interface=bridge1 network=192.168.31.0
add address=192.168.50.1/24 interface=bridge1 network=192.168.50.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=100.64.0.0/10 gateway=100.85.202.158
add address=192.168.50.0/24 dns-server=192.168.31.0 gateway=192.168.50.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 \
    port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 \
    protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    ether1
add action=accept chain=forward comment=\
    "accept established,related for forwarding" connection-state=\
    established,related
add action=drop chain=forward comment="drop invalid packets for forwarding" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=bridge1 src-address=\
    192.168.28.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=u-potokaMainRouter
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Which router would you recommend, if this should have problem with 2 appartment traffic?
Basic control and little traffic - thats load for this switch.

4

You may want to remove the following, likely harmless, but wrong:
/ip dhcp-server network
add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24
add address=100.64.0.0/10 gateway=100.85.202.158


A single Starlink with a CRS326 as a router should be fine IMO — starlink has variable speeds, and generally not more than 300Mbs down (with upload is WAY less).

But it’s very true CRS326’s routing abilities are far less than even something small like the hAPax2 — which has at least double (or more) the routing capacity of CRS326.

5

I cannot recall if starlink assigns NTP via their DHCP. But if not, you might also want to enable /ip/cloud’s update time option, or add an NTP client.

6

What are you trying to achieve with this ?

/ip address
add address=192.168.31.0/24 interface=bridge1 network=192.168.31.0
add address=192.168.50.1/24 interface=bridge1 network=192.168.50.0

You assigned two IP addresses to the bridge ?

And first one is not assigned good.

Can you ping for eg. 8.8.8.8 ? And then for eg google.com

Also why 3 masq.rules ? In your case you can copy default configuration line by line and it should be enough.

But most importantly, you didn’t specified what you want from your network, you mentioned 2 apartments, so wifi in each of them. Do you want VLANs or not. What do you want to achieve ?