Mikrotik novice and PTP setup

Hi, I purchased 2 SXT 5 AC to replace a radio bridge with faulty antennas.

It’s the first time I have Mikrotik in my hands and I’m quite confused.

The radio bridge is located in Italy and the distance between the two antennas is 175 meters and they will be mounted on the roof.
They connect the main office with a detached warehouse.

In the main office there is a switch with the port assigned to the antenna in TRUNK with 3 tagged VLANs.
One VLAN is the one for managing the network devices.
The other 2 are, one dedicated to VoIP, the other to a wifi network spread throughout the warehouse by other antennas.

I need to configure the master antenna with a static IP address on the tagged Ethernet network port.
Then I have to transport all the VLANs through the radio bridge.
The slave antenna must also have the Ethernet network port configured with static IP on VLAN Management.
The warehouse switch has the uplink port in TRUNK connected on the slave antenna. I need to be able to reach it on the same VLAN as the antennas (same IP class).
Then there are 4 CISCO APs that publish a wifi network and a VOIP DECT antenna with its dedicated VLAN.

Can you help me get this setup?
Thanks.

p.s.
I found this guide that I’m studying but I prefer to configure the antennas from the gui.
https://help.mikrotik.com/docs/display/ROS/Wireless+VLAN+Trunk

The switches are Aruba CX that should not be touched.

As often happens I may be wrong, but if there is no particular need to “filter” or block VLAN(s) you don’t need to care about them, a simple “wireless wire” setup between the two devices would be enough.

I.e., as I see it, the two devices should behave like a two ports unmanaged switch (pure L2) and let the other equipment on both sides deal with VLANs.
In a typical “wireless wire” the two radios/antennas have an IP only for management access but if using Winbox via MAC, even those are not necessary.
I believe the management IP can be in a VLAN as well.

The SXT 5 ac is discontinued, did you get some old ones, or are they the newer SXTsq 5 ac?

Thanks for the reply.
The APs are the SXT SA5 ac (RBSXTG-5HPacD-SA), I realize that with the 90° it is not very efficient as PTP but they were ready for delivery and we cannot wait.
The 60GHz Cubes are available at the end of the month.

Our entire network is segmented into different isolated VLANs and the switches are in L2. The firewall takes care of the L3 and there are rules that allow filtered communication between the different vlans.

Here’s an example of my network (the IPs are examples):

VLAN management: 192.168.1.*/24
IP FW VLAN management: 192.168.1.254
IP SXT master: 192.168.1.199
IP SXT slave: 192.168.1.200
IP main office switch: 192.168.1.99
IP warehouse switch: 192.168.1.100

VLAN VOIP: 192.168.2.*/24
VLAN PDA: 192.168.3.*/24
VLAN CLIENT: 192.168.4.*/24

APs are connected to port 1 of both switches and are all in trunk with all VLANs tagged.

The VLANs must not talk to each other in any way, the firewall must manage the passage of data from one VLAN to another.

I don’t care :open_mouth: .

If instead of a wireless link you had the possibility of running 175 m of ethernet cable, which kind of special cable would you have used to manage properly the VLANs?

As I see it a wireless link is a replacement for an ethernet cable, whatever enters it on one end should arrive on the other end (and viceversa), so I don’t understand what the difference can be if you have 0, 1 or 42 VLANs.

The problem is that I have to be able to manage the “cable”. It must have a network address on a defined vlan and I have to be able to reach the other end of the cable from the main office even if the switch on the other side is dead.

Mikrotik APs are not simple commercial APs with a simple GUI and a handful of parameters. They are routers with Ethernet and wireless network cards. It is not enough to configure the wireless link, you also have to configure the routing part.

To simplify the matter, I need the antenna management part to be reachable on a specific IP and VLAN and that the tagged and untagged packets arrive on the other side as they left.

Splitting that in two, and inverting the two requirements it becomes:

  1. the tagged and untagged packets arrive on the other side as they left ← this is exactly what an ethernet wire or “dumb” switch (or a Mikrotik “wireless wire” couple of devices) would do[1]
  2. the antenna management part to be reachable on a specific IP and VLAN ← this is what should be doable without problems[2] ( remembering that Mikrotik devices can also normally be accessed via Winbox even if they don’t have any IP address assigned, via MAC)

[1] See for reference:
http://forum.mikrotik.com/t/vlan-passtrough-on-wireless-wire-cube/154506/1
http://forum.mikrotik.com/t/trunking-cube-pro/173957/1

[2] See this for reference, you add a VLAN port to the bridge:
http://forum.mikrotik.com/t/vlan-configuration-for-wireless-wire-rbwapg-60ad-units/153494/1

The only recommended thing is to NOT use VLAN1.

Everything continues to be cryptic.
The theory is simple, the practice is not at all clear.
Many have tried to obtain this configuration but I have not found a step by step guide.

Disabled DHCP
Created the bridge
Added the ethernet and wireless interfaces to the bridge
Added the VLAN10 to the bridge (MGMT)
Created an IP address and assigned it to the MGMT VLAN
Added the DNS servers
Added the NTP server
Default firewall
Created NV2 connection

With the ping command I cannot reach any IP of the network whatever interface I use.
Date and time are correctly configured by both APs, therefore, somehow they communicate with the network.
WinBox connects only with the MAC and not with the IP, it detects the AP IP as 0.0.0.0.
The radio bridge apparently works, I connected a notebook to the other antenna configured in the same way (vlan1 untagged by the switch). I need to try to set up a test switch and add a client, an AP and a DECT antenna to simulate warehouse use.

OK, now that you have something even if incomplete and not (yet) working, follow the instructions here:
http://forum.mikrotik.com/t/forum-rules/173010/1
and post the configuration of both devices (AP and “station”), so that it can be reviewed and the issue(s) can - hopefully - be found by some of the more knowledgeable members.

Well, I think I’ve achieved my goal.

I attach the master and slave configurations.
If you have any suggestions on how to improve security, they will be welcome. I will evaluate the possibility of changing the default username and the WinBox port.

The next step is to make the snmp work properly so that the PRTG can monitor the antennas.

Master

# 2024-10-16 11:35:43 by RouterOS 7.16
# software id = 0000-AAAA
#
# model = RBSXTG-5HPacD
# serial number = MySerial
/interface bridge
add name=bridge protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=20 band=5ghz-onlyac country=italy disabled=no frequency=5700 \
    installation=outdoor max-station-count=1 mode=bridge nv2-cell-radius=10 \
    nv2-mode=sync-master nv2-security=enabled nv2-sync-secret=\
    MySecret radio-name=Master ssid=MySSID wireless-protocol=\
    nv2
/interface vlan
add interface=bridge name=MGMT vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=wlan1 list=WAN
/ip address
add address=10.10.10.10/24 interface=MGMT network=10.10.10.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=ether1 name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.10.10.1,10.10.10.2,10.10.10.3
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.10.10.254 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set www-ssl disabled=no
/snmp
set enabled=yes trap-generators=start-trap trap-interfaces=all trap-version=2
/system clock
set time-zone-name=Europe/Rome
/system gps
set set-system-time=no
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.10.10.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Slave

# 2024-10-16 11:36:05 by RouterOS 7.16
# software id = 0000-AAAA
#
# model = RBSXTG-5HPacD
# serial number = MySerial
/interface bridge
add name=bridge protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    antenna-gain=20 band=5ghz-onlyac country=italy disabled=no frequency=5700 \
    installation=outdoor mode=station-bridge nv2-cell-radius=10 nv2-mode=\
    sync-slave nv2-security=enabled nv2-sync-secret=MySecret \
    radio-name=Slave ssid=MySSID wireless-protocol=nv2
/interface vlan
add interface=bridge name=MGMT vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=wlan1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes \
    forward=no
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=defconf interface=wlan1 list=WAN
/ip address
add address=10.10.10.11/24 interface=MGMT network=10.10.10.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=ether1 lease-time=10m \
    name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=10.10.10.1,10.10.10.2,10.10.10.3
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.10.10.254 routing-table=main \
    suppress-hw-offload=no
/ip service
set www-ssl disabled=no
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.10.10.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

So, the two configurations you posted are working? Good. :slight_smile:

The general advice is to not use the default “admin” as username. What is happening at large is that, on devices where no valid (secure) password is set, the (only) user is “admin”, and the device is accessible from outside (WAN in the sense of “internet”), there are botnets running that automatically:

  1. create a new user “System” giving it all authorizations/privileges
  2. demote the user “admin” to a very limited set of authorizations/privileges
  3. change the configuration in whatever way the bot sees fit

On an “edge” router this is a concrete risk; hopefully, for devices that (besides the “internal”, “relative” definitions of WAN and LAN) are all actually on the LAN, the risk is IMHO much less, as there should not be any access to them because of the general firewall on the edge router or on a device just behind it.

For the same reason, having Winbox enabled is not (IMHO) such a huge risk, even if a lot of people disable it on their configurations, access to the device configuration is anyway protected by username and password.
There is still the risk of any user on the LAN being able to connect via Winbox to the device, but I wouldn’t go further than limiting the connection to a given static IP, like in the help document “Securing your router”:
https://help.mikrotik.com/docs/display/RKB/Securing+your+router
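The advice above, applied to the posted master/slave exports as an added example (these commands are not from the thread or from MikroTik's document). It assumes the 10.10.10.0/24 management VLAN of the exports, an admin workstation at 10.10.10.50 (placeholder), and a user name and passphrase of your own choosing; the one observation it relies on is that the export's input rule commented "drop all not coming from LAN" currently has action=accept, and that only ether1 is in the LAN list.

```routeros
# Hardening steps for the two SXT exports (added example, run on both devices).
# Enter Safe Mode first (Ctrl-X in the terminal, or the Safe Mode button in WinBox)
# so that a mistake that locks you out is rolled back when the session drops.

# 1. Replace the default "admin" login: create a full-rights user, log in with it
#    from a second session to confirm it works, and only then disable "admin".
/user add name=netadmin group=full password="CHANGE-ME-to-a-long-passphrase"
/user disable admin

# 2. Management traffic reaches the router on the MGMT VLAN interface, not on ether1,
#    so MGMT must be in the LAN list before any "LAN only" rule can be enforced.
/interface list member add interface=MGMT list=LAN

# 3. The export's rule commented "drop all not coming from LAN" is action=accept,
#    which means it currently accepts everything. With MGMT in LAN it can do what
#    its comment says: anything arriving on wlan1 or untagged ether1 is dropped.
/ip firewall filter set [ find comment="defconf: drop all not coming from LAN" ] action=drop

# 4. Keep WinBox and HTTPS, limit them to the admin host, disable the rest.
/ip service set winbox address=10.10.10.50/32
/ip service set www-ssl address=10.10.10.50/32
/ip service disable telnet,ftp,www,api,api-ssl

# 5. Only announce the device (neighbor discovery) and accept MAC-WinBox on LAN
#    interfaces; the export has discovery on "all", which includes the radio side.
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Verify before leaving Safe Mode: the input chain should end with a drop rule,
# and only winbox and www-ssl should be enabled, each with an address restriction.
/ip firewall filter print where chain=input
/ip service print
```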

Yes, it works fine on the bench.
Next week the weather will be nice and I will go and mount them on the roof.

Now I just have to fix the snmp service. I read the manual but it doesn’t cooperate and I don’t understand why.

In any case I used the command “/interface print oid”, I’m surprised that there are so few entries available.
I would like to know the temperature, the CPU load, if the wireless link is up or down, the bandwidth available on the link, the bandwidth used, the channel used.

from the list I only see these:
name=.1.3.6.1.2.1.2.2.1.2.2
actual-mtu=.1.3.6.1.2.1.2.2.1.4.2
mac-address=.1.3.6.1.2.1.2.2.1.6.2
admin-status=.1.3.6.1.2.1.2.2.1.7.2
oper-status=.1.3.6.1.2.1.2.2.1.8.2
bytes-in=.1.3.6.1.2.1.31.1.1.6.2
packets-in=.1.3.6.1.2.1.31.1.1.1.7.2
discards-in=.1.3.6.1.2.1.2.2.1.13.2
errors-in=.1.3.6.1.2.1.2.2.1.14.2
bytes-out=.1.3.6.1.2.1.31.1.1.1.10.2
packets-out= .1.3.6.1.2.1.31.1.1.1.11.2
discards-out=.1.3.6.1.2.1.2.2.1.19.2
errors-out=.1.3.6.1.2.1.2.2.1.20.2
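Since the SNMP agent is what PRTG will poll over the management VLAN, here is an added example (not from the thread) of an SNMP configuration that replaces the default "public" v2c community with a read-only SNMPv3 user and sends link up/down traps for the interfaces listed above. It assumes PRTG at 10.10.10.60 (placeholder), placeholder passphrases, and the MGMT interface of the posted exports; apply it on both SXTs.

```routeros
# SNMPv3 read-only access for PRTG (added example, run on both devices).

# Nothing should answer to the default "public" community any more.
/snmp community set [ find default=yes ] disabled=yes

# One v3 user for the monitoring host only: authentication and encryption required
# (security=private), read-only, and accepted from the PRTG address alone.
/snmp community add name=prtg addresses=10.10.10.60/32 security=private \
    authentication-protocol=SHA1 authentication-password="CHANGE-ME-auth-passphrase" \
    encryption-protocol=AES encryption-password="CHANGE-ME-priv-passphrase" \
    read-access=yes write-access=no

# Enable the agent; send v3 traps to PRTG for interface up/down events and reboots
# (trap-generators=interfaces covers the "is the wireless link up or down" question
# without polling). Traps are only generated for the listed interface.
/snmp set enabled=yes trap-target=10.10.10.60 trap-community=prtg trap-version=3 \
    trap-generators=interfaces,start-trap trap-interfaces=wlan1 \
    contact="it@example.invalid" location="roof, main office"

# Verify: the default community shows as disabled (X), "prtg" is the only active one.
/snmp community print

# The oper-status OID printed by "/interface print oid" (.1.3.6.1.2.1.2.2.1.8.<ifIndex>)
# is IF-MIB ifOperStatus; polled by PRTG it gives link up (1) / down (2) for wlan1,
# and the bytes-in/bytes-out counters give the bandwidth used. Other menus expose
# their OIDs the same way, for example /system resource print oid for CPU load.
/interface print oid where name=wlan1
```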