Newbie - start from Zero with a CCR

alessioandreis · November 15, 2016, 8:36am

Hi There,
on first, excuse me for my bad English and for my wrong terms but I’m a really newbie.

Annoying from the limitation of DD-WRT I’ve decided to test RouterBoard system.
First step was take a solid base for my home LAN management so I bought a CCR1009-8G-1S-PC.

As first test I want make a very very simple router so my step was:

ETH1 - DHPC client (but for now to modem it’s connected)
ETH2 - with ip: 172.16.33.101

Firewall rule:NAT with chain srcnat e action masquerade between ETH1 and ETH2.

IP POOL defined from 172.16.33.120 to 172.16.33.200
ETH2 as DHCP Server with previously defined pool.

all this work fine, my lapto can correctly get the IP (172.16.33.200) if connected on ETH2.

After then I’ve try to make a bridge including ETH from 2 to 8 but with bridge enabled the DHCP server on ETH2 became red and stop work.

For this reason I’ve only set ETH3 and ETH4 as slave with ETH2 as master and this make the DHCP working also on those 2 port but I’ve no idea how to have working also ETH from 5 to 8 cause I can’t sed as slave on EHT2.

Another strange issue it that my laptop connected on port ETH4 (with ip 172.16.33.200) can’t connect to CCR using winbox on IP (172.16.33.101) but only on MAC adrress, how it possible this ?
Winbox detect correctly the IP of CCR but can’t establish the connection.

Please help me to solve this first issue, after that I have to go on with my project adding also an access point (I’ve already bought an hAP RB962UiGS-5HacT2HnT).

Thanks in advance for all the help.

Regards

Alessio

pe1chl · November 15, 2016, 9:57am

On the CCR it is (contrary to all other MikroTik routers) not wise to use ether1 as your internet uplink.
Change that to ether8 or ether7 now that you still have not done too much.
Then you can configure ether1-ether4 as a switch, not bridge. Do this by setting the master-port in ether2..ether4 to ether1.
ether1 is now your LAN interface where you configure everything, leave ether2-ether4 alone.
When you really want to use all ports for LAN you can make a bridge, but this is not recommended in this kind of router.
If you do so, put only the master port ether1 in the bridge, plus ether5, 6 and 7 or 8.

alessioandreis · November 15, 2016, 12:18pm

Thank for your reply,
I’ve bought the CCR to use it at home, probably this isn’t the rigth use of this item but I bought it and I wanna understand how to use.
This eventing I can try to modify the configuration using ETH1 as master and ETH from 2 to 4 as slave.

In my mind, I wanna connect to this CCR this item:
1 QNAP 4 disk (If I remember TS-431)
1 QNAP 2 disk (if I remember TS-251)
1 HP MicroServer Gen8
1 Access Point (hAP)
2 Computer (at least)
1 Printer
3 Media Player

So, as u can see I need 3 more port, but for this I can use some port of Access Point (hAP) or and external switch. I have to test the different transfer speed of both device.
If I have to use only 4 port of CCR to connect this device, I’ve to have to connect outside 6 device or u think that I could use some of the remaining 3 port to connect some of this device ?
Two of the three NAS must be connecting at the maximum speed cause I use it for work with Photo and with Video, the 3th is only for backup so can be connected to a slower device (like hAP) but for the rest, what’s your suggestion ?

This is the base of my idea but I can develop more in the future.

Regards
Federico

pe1chl · November 15, 2016, 1:57pm

For max speed connections to an internal LAN only use ports 1-4 in switch mode.
Ports 5-8 can be used for internet connections or for a guest wireless network for example,
or when it is at home you can make a second network for questionable devices like IoT, TV etc
that you do not want to have on your LAN because of security risks and that you may want to
have extra firewalling.
When you need more than 4 internal fast devices it is better to add a small gigabit switch.

The problem with the IP is probably due to incorrect setting of master/slave or setting the IP on the
wrong level. Do you still have a bridge? In that case the IP must be on the bridge.

alessioandreis · November 15, 2016, 4:46pm

Ok, now it’s very clear, Thanks.

Ok, but ho I can get device connected to port 6 to 8 accessible from other device ? Bridge ? NAT ? Routing ?

Sure, this is very clear.

I’ve an 8 port managed PoE switch ready for this.

In this moment I haven’t a bridge.
This evening I try to reser my CCR and make a new clean configuration and I’ll report the result.

Thanks again for your help, it’s very appreciate

pe1chl · November 15, 2016, 7:11pm

Preferably routing. You can set a separate subnet on that port and put a separate DHCP server on it if you like, and then
you can talk to the devices on the other network locally using routing, and you can adjust the firwall rules to permit/deny
all kinds of things. E.g. connect from ether1-4 to ether5 network allowd but not from ether5 to ether1-4. This is done by
permitting all established/related traffic but permit new traffic only from ether1 to ether5 and not vice-versa.

/ip firewall filter
add chain=forward comment=Established/related connection-state=established,related
add chain=forward connection-state=new in-interface=ether1
add chain=forward connection-state=new in-interface=ether5 out-interface=ether8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether8

alessioandreis · November 15, 2016, 8:30pm

Thanks for this example but for the moment I don’t need another lan to give to friend or guest.
In is an home scenario and for the moment my daughter it too young and don’t need a controller access to Internet.

For now I only need a very quick way do handle picture and video located on my nas from my computer .

Thanks for the detailed explanation.

Sent from my MI 4S using Tapatalk

pe1chl · November 16, 2016, 10:24am

Of course the CCR is not really for that kind of environment, but it can be used and it is very fast.
I advise to use ports 1-4 and 7 or 8 only, and leave the other ports for possible future expansion.
You could connect the wireless device to one of the other ports when you have no problem that it
is a separate network (not bridged to your LAN). Wireless as a separate subnet with firewall is
good for security, but may be too complicated for the home. Putting it on one of the LAN ports is
easier.

alessioandreis · November 16, 2016, 11:29am

Thanks for reply.
Yesterday I was too tired to make the test. I hope this evening was better.
In the past I had make more WiFi at home during some party, but in the past I do it with a gnu/linux distribution (ZeroShell). I’ve used it for some LAN party in my old house.
Now my house it’s too small to repeat this kind of party

Can I manually set CCT to assign a specific IP to a specific MAC Address ?
I’ve seen that I can set as permanent an IP assigned from DHCP but I want to assign an IP outside the DHCP pool to my computer.

Thanks again for all your support

pe1chl · November 16, 2016, 12:51pm

You can do both things: make a DHCP entry static or set a static address on a computer outside DHCP range but still inside the subnet.
Of course in the 2nd case the router is not involved in that except you may need to make the DHCP range smaller.

alessioandreis · November 16, 2016, 5:01pm

Thanks for reply.
I’ve defined the pool 172.16.33.120 to 172.16.33.200 usually I set the static device from 1 to 90, the printer from 90 to 99, the server and switch from 100 to 119 so the DHCP pool is from 120 to 200 and the rest (201-254) remain free for test.

In any case, how I can to assign a specific IP on a specific Mac address? What’s the specific menu to do this ?

Sent from my MI 4S using Tapatalk

pe1chl · November 16, 2016, 5:38pm

When you don’t use DHCP, the router is not involved in setting the address and it cannot be linked to the MAC address.
When you use DHCP, click on the entry and then on the “Make Static” button.