I have been struggling for 2 days with how to proceed with my provider settings and Mikrotik. My ISP provided me a D-Link router DIR-2150; on this router I specify/enable IGMPv2 and an interface for IPTV (untagged) and WAN tagged with VLAN 388, and it is working fine. I replaced this router with Mikrotik but nothing works for me except internet… I configured 2 bridges: 1 VLAN1 - all devices except the ISP TV decoder, and a second bridge VLAN388, and IPTV doesn't work. I tried all settings, but the TV doesn't even start. Will anyone of you help me to fix that? Thanks in advance.
My current config:
# jul/02/2023 09:14:56 by RouterOS 6.49.8
# software id = **ELIDED**
#
# model = RB760iGS
# serial number = **ELIDED**
/interface bridge
add name=Bridge_VLAN1
add arp=proxy-arp igmp-snooping=yes multicast-querier=yes name=Bridge_VLAN388
/interface ethernet
set [ find default-name=ether4 ] name=Dekoder_TV
set [ find default-name=ether1 ] mac-address=A8:63:7D:9C:AA:B6 name=WAN_Internet
set [ find default-name=ether3 ] name=Wifi_Router
set [ find default-name=sfp1 ] mac-address=A8:63:7D:9C:AA:B6
/interface vlan
add interface=WAN_Internet name=VLAN1 vlan-id=1
add interface=WAN_Internet name=VLAN388 vlan-id=388
/interface ethernet switch port
set 3 default-vlan-id=388
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=192.168.90.2-192.168.90.254
add name=dhcp_pool3 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool4 ranges=192.168.0.2-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=Bridge_VLAN1 name=dhcp2
add address-pool=dhcp_pool4 disabled=no interface=Bridge_VLAN388 name=dhcp1
/interface bridge port
add bridge=Bridge_VLAN1 interface=ether2
add bridge=Bridge_VLAN1 interface=Wifi_Router
add bridge=Bridge_VLAN1 interface=ether5
add bridge=Bridge_VLAN388 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes \
interface=Dekoder_TV pvid=388
add bridge=Bridge_VLAN388 disabled=yes interface=WAN_Internet pvid=388
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Bridge_VLAN388 tagged=Bridge_VLAN388,WAN_Internet untagged=Dekoder_TV vlan-ids=388
add bridge=Bridge_VLAN1 untagged=Wifi_Router,ether2,ether5 vlan-ids=1
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=\
WAN
/interface list member
add comment=defconf interface=ether5 list=LAN
add interface=ether2 list=LAN
add interface=WAN_Internet list=WAN
/ip address
add address=192.168.88.1/24 interface=Bridge_VLAN1 network=192.168.88.0
add address=192.168.0.1/24 interface=Bridge_VLAN388 network=192.168.0.0
/ip dhcp-client
add disabled=no interface=WAN_Internet
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward protocol=udp
add action=accept chain=input protocol=udp
add action=accept chain=forward protocol=igmp
add action=accept chain=input protocol=igmp
add action=accept chain=forward dst-address=239.239.0.0/16
add action=accept chain=input dst-address=239.239.0.0/16
add action=accept chain=input dst-address=224.0.0.0/4
add action=accept chain=forward dst-address=224.0.0.0/4
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=VLAN388
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=WAN_Internet upstream=yes
add interface=Bridge_VLAN388
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MikrotikRouterSzafa
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=test.pcap streaming-enabled=yes streaming-server=192.168.0.136
You’ve got quite a mess here, and I’m not the best one to advise on VLANs, but since no one else seems to be responding, please accept this list of random points of advice for what good it may do:
I believe the core problem with your setup is that you aren’t configuring the GPON uplink (ether1) as a trunk port. It needs to carry traffic for all VLANs, with tags preserved. The router then strips tags as part of deciding which LAN leg to send incoming packets to, and it reapplies them for packets going back out to the Internet, depending on where the traffic came from.
Use one bridge for VLAN aggregation/disaggregation. RouterOS boxes can hardware-offload only a single bridge per switch chip, and your hEX S has but one such chip.
RouterOS 6 lacks hardware-offload of VLAN filtering in the hEX S. That was added in RouterOS 7.1. I presume from “GPON” that you’re talking about gigabit class speeds, which is on the borderline of what a hEX is capable of to begin with. You should upgrade if you want to get full capability from this device.
Your diagram and your prose are mutually inconsistent. You say IPTV is untagged and regular internet traffic is VLAN 388, but then you show the IPTV decoder on the VLAN 388 leg and the PC on VLAN 1. Which is it? I’m betting that the diagram is correct, but you tell us; don’t make us second-guess you.
Although I said “one bridge” above, there’s an exception for gateway type routers: you generally want the uplink to be outside the main bridge, and it is often convenient to put that single port into its own separate bridge. This causes everything going out that port to run through the CPU, not be hardware-offloaded, but that’s what a router does anyway, so it causes no net harm. The single bridge principle applies to the LAN side, allowing your hEX to switch that traffic without CPU intervention.
IGMPv2, really? I thought everyone moved on to IGMPv3 a decade and more ago. It’s important because some OSes (macOS and the BSDs) obey the spec and degrade to IGMPv2 when they see the first v2 packet even if they start out on v3, in the name of compatibility. Windows doesn’t care, and I don’t remember what Linux does. (Your IPTV decoder is almost certainly running Linux.) This may amount to quibbling in your case, but be sure you get this right in case it matters.
Why is your DHCP server issuing addresses on five different subnets, but two VLANs? Simplify this. I suggest using 192.168.1.0/24 for VLAN 1 and 192.168.88.0/24 for VLAN 388. This shows the common scheme of reusing the VLAN IDs in the third octet of the IP to make reading IPs easier. Since your ISP-assigned 388 ID doesn’t fit, you can use either 38 or 88, based solely on your preference. If you had control of the VLAN IDs, you’d pick values in the 0-255 range to simplify this, but your ISP has made that decision for you, so…
Why are you sending IPTV traffic (VLAN 388) to the WiFi? I don’t care how badass your WiFi is, traditional IPTV — meaning multicast MPEG-TS over raw UDP or RTP — is all but doomed when run over WiFi unless you go way out of your way to fix the problems in the defaults. If you have to do video over WiFi, at least use unicast TCP protocols such as HLS, RTMP, and WebRTC which were designed to paper over its weaknesses, as used by most of the OTT services. (NetFlix, Prime Video, YouTube…)
I’m tired of typing. Fixing that list of problems should keep you busy for a while.
First of all, thanks for your reply, I really appreciate it. I played again a bit with the Mikrotik hEX S but am still not very lucky: upgraded the device, removed unused pools, but this VLAN stuff makes me crazy… Let's assume we have only two VLANs on the LAN side: VLAN 100 - all LAN devices (PCs, WiFi access point, printer - interface=Wifi_Router), I need DHCP for that, and VLAN 388 - only the IPTV decoder (ether4), which needs another DHCP range; the interface facing WAN is configured as a trunk with only VLAN388 tagged. Regarding this point I am a bit confused: should this port be added under the same bridge with PVID 1? Or, as you suggested, create a new bridge with only this port? Regarding DHCP, how to accomplish that? Do I need to create a VLAN interface for each VLAN ID and assign it to the bridge? Or to the physical port? Thanks in advance for any advice.
[admin@MikroTik] > interface export
# 1970-01-02 01:50:01 by RouterOS 7.10.1
# software id = P08D-5xxx
#
# model = RB760iGS
# serial number = HDH08Sxxxx
/interface bridge
add admin-mac=48:A9:8A:15:34:B7 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=A8:63:7D:9C:AA:B6 name=\
WAN_Internet
set [ find default-name=ether3 ] name=Wifi_Router
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=Wifi_Router \
pvid=100
add bridge=bridge comment=defconf interface=ether4 pvid=388
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/interface bridge vlan
add bridge=bridge tagged=WAN_Internet untagged=ether4 vlan-ids=388
add bridge=bridge untagged=Wifi_Router vlan-ids=100
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=WAN_Internet list=WAN
Fixed all issues on the LAN side… hosts work, get IPs and internet works fine… the only problem is with TV: not sure how to add VLAN 388 as tagged on WAN and how to get IGMP working as it was on my D-Link router.
Lack of ideas right now; will anyone be able to help me correct my config? Right now TV works perfectly but… no internet on my VLANs.
Below is my config. VLAN388 tagged on the ISP link. Added the WAN interface to the bridge.
I would expect a single bridge. Can you please supply all the information on how the ISP does it? Where should you use VLANs? Only IPTV, or is it for Internet?
The WAN interface with Internet should be NAT-ted, the WAN interface with IPTV should be added to the bridge (tagged if it is on a VLAN or untagged to separate it from the rest of the network).
Thanks for your reply. Tagged VLAN 388 on the ISP link plus untagged VLAN 1 (by means of a trunk?), the ISP provides a static IP and I need to have NAT. If I add the WAN interface to the bridge, IPTV works but internet doesn't; if I disable it, internet works on all hosts but no IPTV. Based on this tutorial I fixed internet, DHCP, NATting, FW etc., but still IPTV doesn't work as the WAN link is not on the bridge… when I added it, IPTV starts working, as I said, but internet dropped from LAN.
Configure 2 bridges and all VLAN interfaces, assign access interfaces to, let's say, BR1 and one VLAN facing the ISP, under the physical interface towards the ISP, in my case under eth1. Under BR1 ports you must add all access ports, but physical ones, I mean eth2, 3, etc., for example all as untagged. Next, under BR2 ports you must add the physical interface of the end host (it won't be tagged, TV decoder etc.) and the interface VLAN configured previously towards the ISP. Last step: under bridge VLANs add the access VLAN number and under tagged use BR1 and BR1 as bridge; under the ISP/TV VLAN add BR2 as bridge and BR2 as tagged. Turn on VLAN filtering under each bridge. In my case I also enabled IGMP snooping under BR2 and it started working. Regarding IP/DHCP you must add networks and the VLAN interface. You can paste screens, will try to help you.
Great, I asked guys and no one was able to help me on my exact config; right now you are writing this is wrong… hm… okay, so maybe you will be so kind and, based on my config, correct it and tell me what is wrong?
@erlinden posted a link in post #8 above. The thread gives enough insights on how to do it properly.
If you try to implement the single bridge concept and run into problems, I'll be more than happy to help you overcome hurdles. But I'm not going to try fixing your config which goes against "good practices" and I'm not going to spoon-feed you with a completely new configuration. I'm not saying it can't be done the way you started (I strongly believe it can be), but I'm not willing to. And I guess many experienced forum members feel similarly.
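As an added illustration of the single-bridge layout the replies above keep pointing at (one bridge with VLAN filtering, the ISP port outside it, the IPTV VLAN bridged straight through to the decoder), here is a minimal RouterOS 7 configuration. It is example code written for this thread, not any poster's export and not MikroTik's own documentation. It assumes a hEX S where ether1 is the ISP link carrying untagged internet plus IPTV tagged 388 (as described in the thread), ether2 and ether3 are LAN access ports, ether4 is the decoder port; VLAN 100, the sub-interface names and the 192.168.100.0/24 subnet are chosen here for illustration, not dictated by the ISP.

```routeros
# Added example, not a poster's config. Assumptions: ether1 = ISP link
# (untagged internet + IPTV tagged 388), ether2/ether3 = LAN access ports,
# ether4 = IPTV decoder, VLAN 100 and 192.168.100.0/24 chosen for the LAN.

# 1. One bridge. VLAN filtering stays off until the VLAN table is complete,
#    so a Winbox/SSH session over ether2 is not cut off halfway through.
/interface bridge
add name=bridge igmp-snooping=yes vlan-filtering=no

# 2. IPTV arrives tagged 388 on the physical ISP port. A VLAN sub-interface
#    strips/applies that tag; the untagged internet traffic stays on ether1
#    itself, which never joins the bridge, so it is routed and NATed as usual.
/interface vlan
add name=vlan388-isp interface=ether1 vlan-id=388

# 3. Bridge ports. Access ports admit only untagged frames and drop anything
#    that already carries a VLAN tag, so a LAN host cannot tag its way into
#    VLAN 388 (ingress-filtering also drops frames for VLANs the port is not
#    a member of).
/interface bridge port
add bridge=bridge interface=ether2 pvid=100 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=100 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=388 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
# The sub-interface hands the bridge already-untagged frames, so it is an
# untagged member of 388 as well; the bridge is the only VLAN-aware hop.
add bridge=bridge interface=vlan388-isp pvid=388 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# 4. VLAN table. The bridge itself is a tagged member of 100 so the router
#    can own an IP there. It is deliberately left out of 388: the router has
#    no L3 presence on the IPTV segment, the decoder is bridged straight to
#    the ISP, and its address and IGMP queries come from the ISP side.
/interface bridge vlan
add bridge=bridge vlan-ids=100 tagged=bridge untagged=ether2,ether3
add bridge=bridge vlan-ids=388 untagged=ether4,vlan388-isp

# 5. Router-side interface, address and DHCP for the LAN VLAN only.
/interface vlan
add name=vlan100-lan interface=bridge vlan-id=100
/ip address
add address=192.168.100.1/24 interface=vlan100-lan
/ip pool
add name=pool100 ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add name=dhcp100 interface=vlan100-lan address-pool=pool100 disabled=no
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1

# 6. Internet: address on the bare ether1 (DHCP client here; a static
#    /ip address works the same way), NAT out of the WAN list. Keeping
#    ether1 in the WAN list is what lets the default "drop all not coming
#    from LAN" input rule keep protecting the router.
/ip dhcp-client
add interface=ether1 disabled=no
/interface list member
add list=WAN interface=ether1
add list=LAN interface=vlan100-lan
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# 7. Only now, with the table complete, switch filtering on.
/interface bridge
set bridge vlan-filtering=yes
```

Two points worth noting about this layout. Because VLAN 388 is bridged end to end and the router has no address on it, the IPTV multicast never passes through the router's IP stack, so no igmp-proxy and none of the broad accept-all-UDP/IGMP/multicast filter rules seen earlier in the thread are needed; the default firewall set can stay as it ships, and IGMP snooping on the bridge keeps the streams off ether2/ether3 (and therefore off the WiFi) unless a host there actually joins a group. If the ISP insists that the IPTV VLAN is routed rather than bridged, the sub-interface stays but becomes an igmp-proxy upstream instead of a bridge port; that is a different design and is not what this example shows.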
Below is the config prepared based on your tips. Is this what you were thinking about? I have one thing which is not working, I mean the TV DHCP, and I'm not sure how to sort this out (TV works now, without an internal IP assigned).