New router (CCR2004-1G-12S+2XS) - can't set up LAN

Hi all,

I have an issue with a new device refusing to assign IP address as I have configured it. The device is CCR2004-1G-12S+2XS, the one with 12 SFP ports.
Below you can find the exported configuration.

/interface bridge
add arp=proxy-arp name=SFP1-3_Bridge
add arp=proxy-arp name=SFP4-10_Bridge
/interface ethernet
set [ find default-name=sfp-sfpplus11 ] auto-negotiation=no
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="Public Subnet" ranges=10.100.10.2-10.100.10.254
add name="Private Subnet" ranges=10.100.20.2-10.100.20.254
/ip dhcp-server
add address-pool="Public Subnet" disabled=no interface=SFP1-3_Bridge \
    lease-time=30m name="Public DHCP"
add address-pool="Private Subnet" disabled=no interface=SFP4-10_Bridge \
    lease-time=30m name="Private DHCP"
/interface bridge port
add bridge=SFP1-3_Bridge interface=sfp-sfpplus1
add bridge=SFP1-3_Bridge interface=sfp-sfpplus2
add bridge=SFP1-3_Bridge interface=sfp-sfpplus3
add bridge=SFP4-10_Bridge interface=sfp-sfpplus4
add bridge=SFP4-10_Bridge interface=sfp-sfpplus5
add bridge=SFP4-10_Bridge interface=sfp-sfpplus6
add bridge=SFP4-10_Bridge interface=sfp-sfpplus7
add bridge=SFP4-10_Bridge interface=sfp-sfpplus8
add bridge=SFP4-10_Bridge interface=sfp-sfpplus9
add bridge=SFP4-10_Bridge interface=sfp-sfpplus10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=SFP1-3_Bridge list=LAN
add interface=SFP4-10_Bridge list=LAN
add interface=sfp-sfpplus12 list=WAN
/ip address
add address=10.100.10.1/24 interface=SFP1-3_Bridge network=10.100.10.0
add address=10.100.20.1/24 interface=SFP4-10_Bridge network=10.100.20.0
add address=xxx.xxx.xxx.xxx interface=sfp-sfpplus12 network=xxx.xxx.xxx.xxx
/ip dhcp-server network
add address=10.100.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.100.10.1
add address=10.100.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.100.20.1
/ip dns
set allow-remote-requests=yes
/ip route
add distance=1 gateway=sfp-sfpplus12
add distance=1 dst-address=xxx.xxx.xxx.xxx/32 gateway=\
    SFP1-3_Bridge,SFP4-10_Bridge

I’ve hidden the public IP with the xxx.xxx.xxx.xxx signs.

Basically, I have two subnets (10.100.10.0/24 and 10.100.20.0/24) which each need to be on different interfaces. Interfaces 1-3 are bridged into one and interfaces 4-10 into a second bridge.
I created two DHCP servers, two IP pools and two networks with the above mentioned IP ranges and assigned them each to the DHCP servers which each assign local IPs to their respective bridges.
The detailed configuration is above.

Problem is, when I plug in a device into port 3 for example, it doesn’t get an IP. The leases table is empty and the laptop doesn’t detect a connection.
A bit of a trick is that the network is not even in my country, so I don’t really have direct physical access to it but I have someone on the site helping me.
Nevertheless, I mirrored this setup at my own site with a small rb2011uias Mikrotik and it works flawlessly. Difference is only the device.

Is it maybe because of the SFP ports? Do they need some extra configuring? What else am I missing here?
I would be very thankful for any advice!

Okay, an update: I tried disabling the bridges and only assigning a DHCP server to a single port with some pool. When I’ve done that it works properly, the computer connected gets a proper IP.

The question is, why is it not working with bridged interfaces?

Where are your firewall rules??

Currently I disabled the WAN port so I am not connected to the internet at all, so no firewall rules needed yet.

I am reading a lot about DHCP not working on bridges due to MSTP, I set the protocol to None on the bridges but still no success.

Ideas? I really am running out of them :confused:

It should work, what physical cage and wiring are connected to the sfp ports?
Can you look at the status of the cages ??

SFP12 is used as the WAN port, it’s connected via an SFP module for a regular patch cable.
I have a laptop on the ether1 (management) port connected which I RDP into to configure the router.
And a test laptop on SFP3 which is also connected over an SFP module with a regular patch cable.

What exactly do you mean by ‘status of the cages’?
As I said, when the DHCP is set only for one port it works properly, only when the interfaces are bridged it stops. I’ve read a lot about this specific issue and mostly the solution is to set the bridge protocol to ‘None’ from MSTP. I did that but it didn’t work for me.

I’m used to working with a single bridge, together with multiple VLANs. Perhaps you can start over and be inspired by this great tutorial:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Thanks for the guide, but that does not really solve the issue since I can’t get any of my devices to get an IP on a bridge - single or multiple ones.

Figured it out, it was due to auto-negotiation being turned on on the interfaces that were bridged. Turning auto-negotiation off solved it for me.
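A check for the cause found above, as an added example that is not part of the original thread: it parses a RouterOS export and lists bridged ports that lack `auto-negotiation=no`, and notes when a WAN list member exists but the export has no `/ip firewall filter` rules. The sample is constructed by trimming the export posted earlier; the function names are hypothetical, and the code assumes ports keep their default names and that a key absent from a compact export is at its default.

```python
import re
import shlex

# Constructed sample, trimmed from the export posted in this thread.
SAMPLE_EXPORT = r'''/interface ethernet
set [ find default-name=sfp-sfpplus11 ] auto-negotiation=no
/ip dhcp-server
add address-pool="Public Subnet" disabled=no interface=SFP1-3_Bridge \
    lease-time=30m name="Public DHCP"
/interface bridge port
add bridge=SFP1-3_Bridge interface=sfp-sfpplus1
add bridge=SFP1-3_Bridge interface=sfp-sfpplus2
add bridge=SFP1-3_Bridge interface=sfp-sfpplus3
/interface list member
add interface=sfp-sfpplus12 list=WAN
'''

def parse_export(text):
    """Return [(menu, {key: value})], joining backslash line continuations."""
    text = re.sub(r"\\\r?\n\s*", "", text)
    menu, items = None, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        # shlex keeps quoted values such as "Public Subnet" as one token
        pairs = (t.split("=", 1) for t in shlex.split(line) if "=" in t)
        items.append((menu, dict(pairs)))
    return items

def audit(text):
    """List bridged ports without auto-negotiation=no, plus a firewall note."""
    items = parse_export(text)
    # Assumption: ports keep their default names, and a key absent from a
    # compact export is at its default (auto-negotiation enabled).
    forced = {kv.get("default-name") for menu, kv in items
              if menu == "/interface ethernet" and kv.get("auto-negotiation") == "no"}
    findings = [f"{kv.get('interface')}: bridged, auto-negotiation still enabled"
                for menu, kv in items
                if menu == "/interface bridge port" and kv.get("interface") not in forced]
    has_wan = any(menu == "/interface list member" and kv.get("list") == "WAN"
                  for menu, kv in items)
    has_filter = any(menu == "/ip firewall filter" for menu, _ in items)
    if has_wan and not has_filter:
        findings.append("WAN list has a member but the export has no /ip firewall filter rules")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```

Run against the sample, it reports sfp-sfpplus1 to sfp-sfpplus3 and the missing filter rules.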

Interesting, so auto-negotiation by RoS for the SFP ports with an ethernet cage didn’t work?
What did you set them to?

Yep, all the interfaces which are bridged I turned the auto-negotiation off for and suddenly it started working. I set them all to 10Gbps since that’s actually the max throughput for these SFP+ ports.

Another pair of questions not related to the thread per se.
Now I am working on establishing a connection to the outside. This router is in a datacenter behind a Cisco router, which is connected to our router via port SFP12. The datacenter people say that the connection on their router is set as passthrough from the outside to our router (port SFP12).

Question 1: This should mean that our Mikrotik should be accessible directly via the public IP, which I have been provided?

Problem is, I created the public IP I was provided under IP->addresses and assigned it to port SFP12, which also created a route which said it was reachable, but I still couldn’t ping 8.8.8.8 from the router.
Then I’ve tried creating a DHCP client on port SFP12 which DID get an IP address but it was a local one - 192.168.x.x .

Question 2: What the heck does this mean? I concluded that the datacenter people actually are wrong in assuming it’s set up as a passthrough, since their router is obviously assigning our router a local IP address.

Am I correct here?

It is possible that the public IP subnet is actually routed to you over local addresses. But only the ISP can give you a definite answer.

Hm, if what you say is possibly true, what configuration do I need to set up on our router to get internet access?

Do I enable the DHCP client to get the local IP address? What then?
Still learning the basics so bear with me :slight_smile: