Initial Internet configuration (via SFP port)

Hi All,

I am new on the forum.

I have bought the MikroTik hex S and I’m trying to install it in my network.
I have attached the fiber cable to the SFP port and, for what I can see, it works correctly (SKYLANE SFP Bi. Tx1310/Rx1490 adapter).

My ISP gave me a username&password to use to set up the internet connection while I’m using my fritzbox 7590 as modem/router.

Which kind of setup should I do on the MikroTik hex S to enable the connection?

Please let me know if I have to add more info.

Thanks in advance

Sounds like a PPPOE setup?

So it's mostly done in the PPP menu settings instead of mostly IP DHCP Client.
If there is no PPP you have to download extra packages to find it and load it.
Choose the PPPOE-client settings.

Hi anav,

Thanks for your message.

Should I have to reset the MikroTik and cancel the default conf before setting the pppoe connection?

NO! do not cancel default (protection) configuration

Thanks :winking_face_with_tongue:

Just to know, why in all YouTube videos they always delete it? Which could be the issues in doing so?

It depends on what videos and who the target audience is, also depends on whether they cover that topic at a later stage.

In most general purpose, home user cases, you shouldn't remove any default config unless you know exactly what to do to secure your network.

Well....I just searched for tutorials to understand how to configure the mikrotik and in the majority of them it's suggested to cancel the default config. So my question.
I would follow your suggestion and keep it since I'm still far away to really know how to secure my network :slight_smile:

Going back on my first question, I can read this on my fritzbox:

This means that should be a PPPoE setup as suggested by anav?

It should indeed be PPPoE as described by anav. I work for an ISP who stock the FritzBox in their standard package, it is a PPPoE modem.

Thanks for confirming.

Sorry if I keep referring to the YouTube tutorials, but there, in the configuration process, they always start with the WAN IP setting.

Based on the picture I sent before, if the IP is 83.222.83.151 should I have to setup 83.222.83.151/24?

It may be silly question but I will be grateful if you can help and/or point me to docs where I can learn.

That depends as to whether you have a static or dynamic IP from your ISP.

What may be easier, in your case, is to access the router via the web portal and use the Quick Configuration to connect via PPPoE then retrieve a dynamic IP. This will configure your DHCP client for the WAN interface.

I will do as soon as the other users go to bed :smiley:
Btw I’m paying to have a static IPv4 and to not be anymore under their CGNAT

That doesn’t mean you should not allow automatic IP address acquisition. Depends how your ISP delivers internet, but they should instruct you what to do. I don’t think you can actually statically set IP address when using PPPoE, but your ISP might have reserved IP address for you (and you then receive the same address every time the pppoe session establishes). With “normal IPoE” it’s possible both that ISP makes static DHCP lease for you or that they instruct you to statically configure address (in the latter case instructions have to include subnet mask, gateway address as well as DHCP server address and possibly NTP server address … these are all data otherwise obtained with DHCP lease).

Hi all

Trying to get a mikrotik up and running as well, I’m using currently the router provided by telecom Italian with a technicolor gpon onu.

I plugged it in, added a vlan (835) to sfp and created a pppoe client on vlan1, no connection. Tried the same via easy configure and created a pppoe. Nothing either.

Any recommendations?

Thanks all for your answers.

So, I have made some progress.
It appears that to be able to connect via pppoe I have to first setup a vlan_id=35 on ethernet1 (the info I found were for setup on ether1 as WAN, I will try afterwards to replicate on port SFP).

Hereafter my conf:


[admin@MikroTik] > export 
# jun/16/2021 23:59:05 by RouterOS 6.48.3
# software id = DW36-0XQ9
#
# model = RB760iGS
# serial number = D4500D9CDA6F
/interface bridge
add admin-mac=08:55:31:76:53:30 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=LuxFibre_LOL
/interface vlan
add interface=ether1 name=luxfiber_lol35 vlan-id=35
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes name=pppoe-luxfibre_lol use-mpls=no
/interface pppoe-client
add add-default-route=yes comment=LuxFibre_LOL disabled=no interface=luxfiber_lol35 max-mru=1492 max-mtu=1492 name=pppoe-luxfibre_lol password=MY_PASSWORD profile=pppoe-luxfibre_lol user=MY_USER
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Luxembourg
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

With this configuration, I’m able to:

  • ping Google dns from the mikrotik terminal
  • ping any other website from the mikrotik terminal
  • ping the mikrotik ip (192.168.88.1) from my macbook

Unfortunately, I can’t ping the Google dns from the macbook although the dhcp setup seems fine

It may be an issue with the NAT conf?

Thanks for your help :smiley:

And finally, I have my internet connection setup and working on my first MikroTik :smiley:

I have slightly changed the conf and most important the NAT rules (I was pointing to the wrong interface).

Hereafter my conf, hopefully, will be helpful to someone:


[admin@MikroTik] > export
# jun/17/2021 23:53:56 by RouterOS 6.48.3
# software id = DW36-0XQ9
#
# model = RB760iGS
# serial number = D4500D9CDA6F

/interface bridge
add name=bridge1

/interface ethernet
set [ find default-name=ether1 ] comment=LuxFibre

/interface vlan
add interface=ether1 name=luxfiber35 vlan-id=35

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool0 ranges=10.10.10.50-10.10.10.254

/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1

/ppp profile
add change-tcp-mss=yes name=pppoe-luxfibre use-mpls=no

/interface pppoe-client
add add-default-route=yes comment=LuxFibre disabled=no interface=luxfiber35 max-mru=1492 max-mtu=1492 \
    name=pppoe-luxfibre password=MY_PASSWORD profile=pppoe-luxfibre user=MY_USER

/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5

/ip address
add address=10.10.10.1/24 interface=bridge1 network=10.10.10.0

/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1

/ip dns
set servers=8.8.8.8,8.8.4.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-luxfibre src-address=10.10.10.0/24

/system clock
set time-zone-name=Europe/Luxembourg
[admin@MikroTik] >

My question now is: “Why the cpu goes to 100% when I run the speedtest on MikroTik terminal?”


[admin@MikroTik] > /tool speed-test address=10.10.10.1       
                  ;;; results can be limited by cpu, note that traffic generation/termination performance 
                      might not be representative of forwarding performance
              status: done
      time-remaining: 0s
    ping-min-avg-max: 157us / 189us / 507us
  jitter-min-avg-max: 0s / 26us / 291us
                loss: 0% (0/200)
        tcp-download: 1.15Gbps local-cpu-load:99%
          tcp-upload: 1.15Gbps local-cpu-load:99% remote-cpu-load:99%
        udp-download: 36.6Gbps local-cpu-load:87% remote-cpu-load:87%
          udp-upload: 34.6Gbps local-cpu-load:85% remote-cpu-load:85%

Also, the tcp/udp speeds are the ones I can get in my LAN, isn’t it?
How can I check the speed outside?


Try with my conf (adapting to your needs) and let me know if it works.
It took me a bit to understand how to set it up

Can you also help me understand why I’m receiving this error message and how can I fix it?


[admin@MikroTik] > 
00:17:08 echo: system,error,critical login failure for user enable from 31.163.164.248 via telnet
[admin@MikroTik] > 
00:17:09 echo: system,error,critical login failure for user system from 31.163.164.248 via telnet
[admin@MikroTik] > 
00:17:11 echo: system,error,critical login failure for user root from 31.163.164.248 via telnet
[admin@MikroTik] > 
00:17:13 echo: system,error,critical login failure for user enable from 31.163.164.248 via telnet
[admin@MikroTik] > 
00:17:14 echo: system,error,critical login failure for user system from 31.163.164.248 via telnet
[admin@MikroTik] > 
00:17:16 echo: system,error,critical login failure for user root from 31.163.164.248 via telnet
[admin@MikroTik] > 
00:17:18 echo: system,error,critical login failure for user enable from 31.163.164.248 via telnet
[admin@MikroTik] > 
00:17:20 echo: system,error,critical login failure for user system from 31.163.164.248 via telnet
[admin@MikroTik] >

Thanks

Because you DELETED, or never added, the DEFAULT FIREWALL rules!!!...

You have all the services www / SSH / Telnet / ftp / api / Winbox OPEN TO THE WORLD...

And there is no need to translate it all to understand what is happening...

Paste this into NEW TERMINAL

You're right.
I have cancelled the conf to check whether one of those rules was causing the issue and forgot to try again with the default conf.

Thanks for the help :wink:
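
An added example, not part of the original posts: a Python check over `/export` text for the two problems this thread ran into, a PPPoE interface that no masquerade rule matches (the first export, where the WAN list contains only ether1) and an input chain with no catch-all drop (the second export, which has no firewall filter rules). The excerpts are abridged from the exports above; `parse_export` and `audit` are hypothetical helper names, and the catch-all test is a heuristic.

```python
import shlex
# Abridged from the two exports posted in this thread.
FIRST_EXPORT = """
/interface pppoe-client
add add-default-route=yes interface=luxfiber_lol35 name=pppoe-luxfibre_lol
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
"""
SECOND_EXPORT = """
/interface pppoe-client
add add-default-route=yes interface=luxfiber35 name=pppoe-luxfibre
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-luxfibre src-address=10.10.10.0/24
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the add/set lines of an export."""
    menus, path = {}, None
    for line in text.replace("\\\n", " ").splitlines():  # join "\" continuations
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            pairs = (t.split("=", 1) for t in shlex.split(line) if "=" in t)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit(text):
    m, findings = parse_export(text), []
    # Heuristic (assumption): a catch-all is an input drop not tied to a connection state.
    if not any(r.get("chain") == "input" and r.get("action") == "drop"
               and "connection-state" not in r for r in m.get("/ip firewall filter", [])):
        findings.append("input chain has no catch-all drop: router services reachable from WAN")
    members = {}
    for r in m.get("/interface list member", []):
        members.setdefault(r.get("list"), set()).add(r.get("interface"))
    nat = [r for r in m.get("/ip firewall nat", []) if r.get("action") == "masquerade"]
    for c in m.get("/interface pppoe-client", []):
        name = c.get("name")
        if not any(r.get("out-interface") == name
                   or name in members.get(r.get("out-interface-list"), ()) for r in nat):
            findings.append(f"{name}: no masquerade rule matches this PPPoE interface")
    return findings
```

Calling `audit()` on the output of `/export` returns an empty list only when every PPPoE client is covered by a masquerade rule and the input chain ends in a drop.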

Hi,

Not sure if I have to open a new thread.

I have attached my fritzbox (in IP client mode) to the MikroTik and I can correctly get an IP and surf the internet.

However, if I run the “/tool ip-scan” command from the terminal I can see these IPs assigned to the clients wired/wireless connected to the fritzbox




But if I check in the “IP → DHCP Server → Leases” menu I can see only these ones:

Can you please explain to me the reason why?

Can you also please suggest to me which MikroTik wireless router should I have to buy to be able to get the best from my Gigabit Fiber connection?

Again, thanks for your precious help

There are plenty of devices whose MAC addresses start with cc:50:e3 and which aren’t on the DHCP lease list … that MAC address range belongs to Espressif Inc, seems like they produce smart home gadgets. How these devices obtained their IP addresses is beyond my imagination. One reason might be that you changed active DHCP server while many devices had valid DHCP lease and those devices will appear on the lease list only after they renew lease which happens around half of lease lifetime.

Regarding wireless router: all devices have test results published as part of product pages. When looking at the numbers, many forum members find number under “Routing - 25 ip filter rules - 512 byte” to represent real-life performance pretty good.
And my advice: go for separate router (can be wired only) and for separate wireless AP. You’ll be able to place both devices at respective ideal locations and you’ll be able to replace AP with better model in (relatively) short time (or select different vendor) while router will likely perform fine for longer period of time.