Issue with my network setup

Newbie here. I have a CRS112-8P-4S-IN and am using 48V input for PoE out. I am having a few issues with my network after installing the switch.

My setup on the switch:
Port 1 → FIOS Router (192.168.188.X)
Remaining ports → home network (192.168.166.X)

The issues I see are:
1> When I ping the MikroTik switch I consistently see ping drops after 10-20 pings.
2> Winbox keeps getting disconnected every few minutes when I connect through the 192.168.166.X subnet. I suspect both these issues are related.
3> When I test network speed using speednet.net I get around 26Mbps, while I get 100Mbps when connecting directly through the FIOS router.

Can somebody help me identify what's wrong with my settings?

My configuration is attached:
myconfig.cfg.rsc (4.47 KB)

For Moderators: My posting hasn't been approved yet. Is there any issue with my posting? I could not find an option to reach the moderators, so I am posting a reply.

CONFUSED as there is no network diagram.
Is this supposed to be acting as a switch or a router?
The reason I ask is you seem to want to state there is a higher order device (router or something) that is on a different subnet??
But then your firewall rules are very incomplete and not really safe for a firewall …


Remove the following:
(1) add disabled=yes name=WAN-bridge1

(2) add name=dhcp_166dym_pool0 ranges=192.168.166.25-192.168.166.254
add name=dhcp ranges=192.168.166.3-192.168.166.254

(3) add bridge=WAN-bridge1 interface=ether1

(4) add interface=WAN-bridge1 list=LAN

(5) From
/ip address
add address=192.168.166.1/24 comment="IP address for LAN Bridge (x.x.166.2)" interface=ether2 network=192.168.166.0
TO
/ip address
add address=192.168.166.1/24 comment="IP address for LAN Bridge (x.x.166.2)" interface=LAN-bridge network=192.168.166.0

(6) From
add address=192.168.188.2/24 comment="IP address for WAN Bridge" interface=ether1 network=192.168.188.0
TO
add address=192.168.188.2/24 comment="IP address for WAN" interface=ether1 network=192.168.188.0



(7) Firewall rules are very incomplete; suggest installing the default firewall rules until it's clear what you need.

Thanks Anav for your response.
Here is the diagram. For now I cannot remove the cable router, so this is how I have set up my network. Let me know if the changes you suggested will resolve the issue.
For now I would like to resolve my network issues first; I will work on the firewall setup next.
Network.png

Do you have access to the cable router
(from an ISP provider, or is this like someone giving you an IP on their personal router)??

If it's a FIOS router, presuming ISP, then, if not shared with others…
a. do you have access to it?
b. can you forward all the ports to you?
c. can you put it in passthru mode so you get a public IP?

If it's a FIOS router, presuming ISP, then, if not shared with others…
Yes, it's a FIOS router which I need to convert coaxial to ethernet. I plan to replace coaxial in future.

a. do you have access to it? Yes
b. can you forward all the ports to you? Yes
c. can you put it in passthru mode so you get a public IP?: No, I am unable to put this router in pass through (tried multiple options).

You make a good point; I could forward all FIOS port traffic to the MikroTik router and set up different VLANs there. It would be much simpler.
This would need me to set up a proper firewall which, as you mentioned, is incomplete. Where can I find information on the default firewall rules?

Okay first I will show you the default ones that come from the router and then I will put my variation on them which is similar just a tad more secure.
DEFAULT
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 (if not using CAPsMAN this rule can be removed)
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
MODIFIED
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 {remove if not using CAPsMAN}
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=allowedsubnets src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - UDP" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop anything else!" {ONLY ENABLE WHEN THE ADMIN RULE ABOVE IS IN PLACE}
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="ENABLE Internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN {you can disable this rule until you need it}
add action=drop chain=forward comment="DROP ALL other FORWARD traffic"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

I redid my MikroTik configuration. As per the suggestion I planned to set up the router as a bridge (I failed before but wanted to try it again). But before I set it as a bridge I wanted to ensure my MikroTik configuration is good enough to handle LAN traffic. For some reason I continue to have issues; there is something I am doing wrong.

With Winbox I am able to connect to the MikroTik router with the MAC address but not the IP. I am also not able to get to the internet.

Your help is greatly appreciated.

Here is my network setup and configuration

My network diagram

My QuickSetup


mysetup.cfg.rsc (1.75 KB)

Quickset=quicksand, avoid
Will write up something tomorrow.

As stated, don't use Quickset to enter in parameters.

(1) Okay, I see you have ether1 on bridge ports disabled as it's not on the bridge, being the DHCP client; that's fine.

(2) You need at least two IP addresses recognized: the one you have for the bridge (LAN) but also (and missing) the ether1 address.
Also not sure why you use DOTFIVE, which is probably fine, but I am used to DOTONE.

/ip address
add address=192.168.166.1/24 interface=bridge network=192.168.166.0
add address=192.168.188.165/24 interface=ether1 network=192.168.188.0

(3) You can get rid of the funky entry in the DHCP server.
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.166.0/24 dns-server=9.9.9.9 gateway=192.168.166.1 netmask=24

(4) Fixed WAN IP, so best to use the srcnat chain and src-nat action.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=192.168.188.165 out-interface=ether1

(5) Firewall rules are missing, so not sure if any traffic will move or all traffic moves (no security).

(6) No IP routes, so traffic cannot exit the device to get to the upper router.

Fixed WAN IP for you …

Thanks, but why /24? It's a single IP only.

Because the device with IP address 192.168.188.165 needs to communicate with the gateway at 192.168.188.1 … the longest netmask covering both addresses is 24 bits long. Because, believe it or not, the link between the RB and the FIOS router is an entire subnet (because it's running on top of ethernet, which is a typical many-to-many L2 technology).
Sure, it would be possible to construct /32 point-to-point addressing, but in that case the network address would have to be exactly the address of the PtP peer (gateway) … and probably the peer would need a similar setup on its NIC.

All of the above is a tad too complicated (and in a SOHO environment typically unnecessary), so it's best just to follow the usual /24 addressing.
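The netmask argument above, worked through as an added example (not code from the thread or from RouterOS): the longest prefix shared by the RB's WAN address and the FIOS gateway is 24 bits, so a /24 on ether1 puts the gateway on-link while a /32 or /25 does not. The two addresses are the ones quoted in the thread; the function names are my own.

```python
import ipaddress

# Addresses from the thread: the RB's WAN address on ether1 and the FIOS
# gateway it must reach directly, without a route, on that link.
RB_WAN_IP = "192.168.188.165"
FIOS_GATEWAY = "192.168.188.1"


def longest_common_prefix(a: str, b: str) -> int:
    """Longest prefix length (0..32) whose network contains both a and b."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    # The leading zero bits of the XOR are exactly the bits both addresses share.
    return 32 - diff.bit_length()


def smallest_shared_network(a: str, b: str) -> str:
    """Smallest subnet that puts a and b on the same link, e.g. '192.168.188.0/24'."""
    plen = longest_common_prefix(a, b)
    return str(ipaddress.ip_network(f"{a}/{plen}", strict=False))


def on_link(local_with_prefix: str, peer: str) -> bool:
    """True if `peer` falls inside the subnet implied by the local /ip address
    entry (e.g. '192.168.188.165/24'), i.e. it is reachable without a route."""
    iface = ipaddress.ip_interface(local_with_prefix)
    return ipaddress.ip_address(peer) in iface.network


if __name__ == "__main__":
    print(longest_common_prefix(RB_WAN_IP, FIOS_GATEWAY))    # 24
    print(smallest_shared_network(RB_WAN_IP, FIOS_GATEWAY))  # 192.168.188.0/24
    for prefix in (32, 25, 24):
        # Only the /24 makes the gateway on-link from the RB's point of view.
        print(f"/{prefix}:", on_link(f"{RB_WAN_IP}/{prefix}", FIOS_GATEWAY))
```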

I made some progress. I made the changes and added the firewall rules you suggested. Please let me know if the rules are good. After all the changes, I can now ping 192.168.166.X but not 192.168.188.1 (FIOS router) or the internet. So there is something wrong with my route setup.

mysetup.rsc (3.34 KB)

Is the router successful in obtaining a DHCP lease from the FIOS router? Check by running the command /ip address print and verify that there's a dynamic address bound to ether1_WAN.

I could only find one item, but I don't think it would block traffic?

(1) You should only have one srcnat rule, so get rid of the first one as the second one captures the fixed WAN IP address.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.188.2

(2) The firewall rules are almost there… The forward chain rules have the excellent block-all-else rule at the bottom and you should do the same with the input chain rules BUT BUT, only after adding a rule to allow you, the admin, to access the router. If you don't, putting a block-all-else rule will lock you out as well.
So suggesting:

AFTER the accept ICMP rule in the input chain put this…

add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=LAN src-address-list=adminaccess
where adminaccess is a firewall address list, and assumes these are static LAN IP addresses:
/ip firewall address-list
add address=<LAN IP of admin desktop> list=adminaccess
add address=<LAN IP of admin laptop> list=adminaccess
add address=<LAN IP of admin iPad/smartphone> list=adminaccess

After this rule is in place, then put a drop-all at the end of the INPUT chain.
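To see why the ordering matters, here is an added example (my own model, not code from the thread or from RouterOS) that replays RouterOS first-match evaluation over the MODIFIED input chain posted earlier, with the admin rule as given in this reply (in-interface-list=LAN). The admin IP 192.168.166.10, the interface-list membership and the sample packets are constructed; Winbox is assumed to listen on TCP 8291.

```python
# Constructed model of RouterOS first-match evaluation for the modified input chain
# from the thread (rule order as posted). 192.168.166.10 is a constructed stand-in
# for the admin desktop's static LAN IP in the "adminaccess" address list.
INTERFACE_LISTS = {"LAN": {"bridge", "ether2"}, "WAN": {"ether1"}}
ADDRESS_LISTS = {"adminaccess": {"192.168.166.10"}}
INPUT_CHAIN = [
    {"action": "accept", "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "connection-state": {"invalid"}},
    {"action": "accept", "protocol": "icmp"},
    {"action": "accept", "in-interface-list": "LAN", "src-address-list": "adminaccess"},
    {"action": "accept", "connection-state": {"new"}, "protocol": "tcp", "dst-port": 53,
     "in-interface-list": "LAN"},
    {"action": "accept", "connection-state": {"new"}, "protocol": "udp", "dst-port": 53,
     "in-interface-list": "LAN"},
    {"action": "drop"},  # "Drop anything else!" matches everything, so it must stay last
]
# The lockout case: the same rules with the final drop moved ahead of the admin rule.
MISORDERED_CHAIN = INPUT_CHAIN[:3] + [INPUT_CHAIN[-1]] + INPUT_CHAIN[3:-1]


def matches(rule, pkt):
    """True if every matcher in `rule` (every key except 'action') fits `pkt`."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "connection-state":
            ok = pkt["connection-state"] in want
        elif key == "in-interface-list":
            ok = pkt["in-interface"] in INTERFACE_LISTS[want]
        elif key == "src-address-list":
            ok = pkt["src-address"] in ADDRESS_LISTS[want]
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True


def evaluate(chain, pkt):
    """Action of the first matching rule; a chain with no match accepts by default."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"


def packet(src, iface, proto, dport=None, state="new"):
    return {"src-address": src, "in-interface": iface, "protocol": proto,
            "dst-port": dport, "connection-state": state}


ADMIN_WINBOX = packet("192.168.166.10", "bridge", "tcp", 8291)  # admin desktop -> Winbox
GUEST_WINBOX = packet("192.168.166.50", "bridge", "tcp", 8291)  # other LAN host -> Winbox
```

With the posted order, evaluate(INPUT_CHAIN, ADMIN_WINBOX) returns "accept" and the guest gets "drop"; with the drop-all moved above the admin rule, evaluate(MISORDERED_CHAIN, ADMIN_WINBOX) returns "drop", which is the lockout this reply warns about.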

There is no dynamic IP bound to ether1. I also checked the FIOS router and I don't see any IP assigned to the MikroTik router.

You should not have a dynamic IP assigned. I thought you were applying a static WANIP.
Follow this tutorial!!

https://www.bing.com/videos/search?q=how+to+add+static+wanip+to+mikrotik+router&docid=607992074401700354&mid=D9A145908D0D90E554F6D9A145908D0D90E554F6&view=detail&FORM=VIRE

Yes, the MikroTik router has a static IP (192.168.188.2). The settings suggested in the video match my router settings; no changes were needed.
Some more details on my issue:

  1. When I ping 192.168.188.2 from the 192.168.166.X subnet I see a response.
  2. Ping to 192.168.188.2 or any internet connection fails.
  3. The route list in the image below shows 192.168.188.1 as reachable.
  4. When I check the FIOS router I don't see 192.168.188.2 assigned to the MikroTik. This suggests the MikroTik router is not talking with the FIOS router.

Thanks in advance.
Router setting.png

The FIOS didn't give out DHCP and thus it would not be visible; you statically assigned it from the MT side.
Suggest you enter the FIOS and also statically assign the IP to the router.