How to configure the bridge properly (since 6.41.3)

I recently bought a Mikrotik hEX POE router and I am now trying to configure it. I have the basics figured out.
My setup: I have an SFP module with fiber cable and I will connect 2 Unifi AC in-wall access points plus 2 LAN devices. The APs and LAN devices will get internet via a VLAN, because my ISP requires two VLANs, one for internet (id 300) and one for IPTV (id 640). I will also connect an IPTV settop box via LAN.

All fine, the help I need now is to get a basic internet connection + bridge working. The steps I have taken:

  1. SFP interface added.
  2. created a vlan named “vlan-internet” with id 300.
  3. menu IP > DHCP client, created a DHCP client for vlan-internet. → issue 1: status says “Searching…”
  4. Configure NAT Masquerade → issue 2: I have no clue how to do this!
  5. Create a bridge to make sure SFP and the LAN ports are all connected → issue 3: I don’t know what this should look like.

issue 2: I know I need to “create a masquerade action on my srcnat for the vlan-internet” but I have no idea what that means and how to do it. I have seen the NAT section of Webfig but I can’t figure out what to do here.

issue 3: Can anyone help with at least figuring out how a basic bridge and the ports should be configured?

Screenshot of issue 3, the bridge:




With this, I have no internet on the LAN connected laptop.

Anyone please?
Any help would be much appreciated.

My comments in the “issue” order:

Issue 1: either something is wrong on RB or ISP doesn’t actually run internet natively with DHCP server, but perhaps some other type (PPPoE or somesuch). Please post relevant part of configuration, e.g. result of commands

/interface ethernet export
/interface vlan export
/interface bridge port export

Verify with ISP that running DHCP client on VLAN ID=300 is the right thing to do.

Issue 2: quite simple:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=<vlan300_interface>

There are slight variations of the above command, but the one above should work just fine.

Issue 3: are you sure you want to bridge LAN and SFP ports just like that? My guess is that you want to pass VLAN ID=640 to certain LAN ports. As the SFP port and ether ports are not served by the same switch chip, you’ll need to bridge them via CPU. How to do it exactly depends on what exactly your target on the LAN side is. Do you want to have LAN untagged and IPTV tagged? Do you want to firewall VLAN ID=640 traffic as well, or do you just want to pass it through?

You have been extremely helpful!
I will share a little guide on this forum for everyone who needs to setup their RouterOS with T-Mobile fiber in NL.

I do still have one issue: TV. Now that internet is working perfectly. Via a lot of trial and error, I discovered ether1 is by default used in IP>Addresses as gateway.
That should not be the case, I want to connect the tv settopbox to Ether1.

What I have done:

  • In IP>Addresses, I tried SFP1, vlan-internet and bridge as interface. Only bridge worked, the other two got me disconnected immediately.
  • Created a secondary vlan: id 640, name vlan-tv.
  • Created a secondary bridge: “bridge-tv”.
  • Added a port to the Bridge/Port screen. This port has interface vlan-tv and bridge bridge-tv.
  • Ether1 is disabled (because of the change I made in my first step). I edit Ether1, change port to bridge-tv.

I expect my tv settopbox to get online now. It doesn’t. Could it be because sfp1 is not included in bridge-tv? But I can only include it in 1 bridge.

This is what my setup looks like now:

At home I have a setup that has some things in common with yours: IP TV multicast delivered in a VLAN. But the similarity ends here. I have a VDSL line, and the ISP is using PPPoE to deliver internet. As I’m using an ethernet port to connect to the VDSL modem, I could pass the IP TV VLAN through the switch chip. The set-top box needs internet, but I’m letting it get it through my RB. As it can play media from DLNA sources I could use it even for that, as I happen to have a DLNA server in my LAN (linux and MiniDLNA). I’m not doing it actually, I rather dedicated a whole new subnet for that device, thus isolating it from my evil household, but that’s another story.

Anyway, here’s what I’d try:

  • remove both interfaces from bridge-tv, remove bridge-tv and add both interfaces to bridge
  • create vlan300 interface on bridge and run DHCP client on it. This would be the internet.
  • go with VLAN filtering on bridge. Read manual here. In essence: sfp1 port should be trunk port with VLANs 300 and 640, ether1 port should be hybrid port (tagged for VLAN640 and untagged for VLAN1), other ports should be access ports for VLAN1. While you’re at it, you may want to go with some other VLAN id for your LAN, a few forum members (myself included) have had bad experience using VLAN id 1. Any number between 2 and 4095 other than 300 and 640 will do. If in doubt, use 42.
  • secure your LAN and router with appropriate firewall rules

All of the above should be done without SFP being connected to the internet fibre or else somebody from internet could be faster than you.
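
The plan in the post above, written out as a RouterOS configuration; this is an added example, not part of the original thread or the poster's own config. It assumes a router with no existing bridge, ether2-ether5 as the remaining LAN ports, LAN VLAN id 42, and the constructed names vlan-lan and 192.168.88.1/24.

```routeros
# Added example, run with the fibre unplugged. Assumed: no existing bridge,
# ether2-ether5 are LAN ports, LAN VLAN id 42, vlan-lan / 192.168.88.1/24 are
# constructed values. A DHCP server for the LAN is omitted.
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
# sfp1: trunk towards the ISP, tagged frames only (VLAN 300 and 640)
add bridge=bridge interface=sfp1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# ether1: hybrid port, untagged LAN (42) plus tagged IPTV (640)
add bridge=bridge interface=ether1 pvid=42 ingress-filtering=yes
# ether2-ether5: access ports for the LAN VLAN
add bridge=bridge interface=ether2 pvid=42 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=42 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=42 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=42 frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# the bridge itself is a tagged member only where the router needs an IP interface
add bridge=bridge vlan-ids=300 tagged=bridge,sfp1
add bridge=bridge vlan-ids=640 tagged=sfp1,ether1
add bridge=bridge vlan-ids=42 tagged=bridge untagged=ether1,ether2,ether3,ether4,ether5
/interface vlan
add name=vlan-internet interface=bridge vlan-id=300
add name=vlan-lan interface=bridge vlan-id=42
/ip address
add address=192.168.88.1/24 interface=vlan-lan
/ip dhcp-client
add interface=vlan-internet disabled=no
/ip firewall nat
add chain=srcnat out-interface=vlan-internet action=masquerade
/ip firewall filter
# router itself: only replies and LAN-originated traffic are accepted
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=vlan-lan
add chain=input action=drop comment="nothing else may reach the router"
# routed traffic: no new connections from the internet side unless dst-natted
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=vlan-internet connection-state=new connection-nat-state=!dstnat
# enable filtering last, once the VLAN table above is complete
/interface bridge
set bridge vlan-filtering=yes
```

VLAN 640 is only switched between sfp1 and ether1 here, so the firewall rules do not apply to it; the bridge is not a member of that VLAN and the router has no address in it.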

Thanks for this alternative setup. I am going to try it if I can’t get the current setup to work. Because I believe it should work but it makes total sense the TV box does not get an IP address:

Under “Addresses”, I have selected bridge, which means bridge-tv is not part of the gateway so no IP address will be handed out.

I tried other interfaces under “addresses”, but then the laptop I had connected didn’t receive an IP.

I believe the issue is really with this particular setting. How can I get 2 bridges to get an IP? On my ISP router, the TV box just gets an IP within the same range as other devices.

How are 2 bridges supposed to get IP addresses? If I solve that, I think it’s done and I don’t need to go for a different setup.

Hi @Zilexa, did you solve your IPTV problem? And if yes, how?