I’ve recently pulled my CCR1009-7G-1C out of hiding for a project. I am beginning with a test in my home lab but here is my objective. I currently have an Arris Modem → Asus Router that is working very well and I am trying to do some port inspection between the Modem and Router.
On the Mikrotik I have the bridge1 built, disabled arp on the bridge and all associated interfaces since I’m aiming for layer 2 transparent pass-through, DHCP Snooping is disabled, fast forward enabled, STP disabled and no VLAN tagging is configured. Ether1 and Ether2 are the ports associated to Bridge1. I have DHCP server/client disabled on the bridge/ports and I also am not using an IP assignment on the bridge to prevent layer 3 activity. I do not have any routes built as I intend this to be used for bridging only and I also do not have Firewall enabled on the bridge, yet.
After rebooting all of the equipment above I cannot obtain WAN DHCP on my Asus router WAN interface from the cable modem like it normally would without the mtk in between. What am I missing here? I can’t seem to get the bridge1 to act as a dumb pass-through switch. My ultimate goal is to monitor the traffic real-time and apply firewall rules to prevent access to and from specific ip destinations.
When directly connected to the modem, everything works well. I would have to disagree with you slightly regarding the mikrotik being the dedicated router/gateway for my network. I am able to do passive inspection with traditional switches and i’m trying to emulate a true switch using a bridge.
For the sake of this post, I’d prefer to focus on the issue of the bridge breaking the communications between the modem and router. With my main objective aside, I can grab a dumb switch and insert it between the modem and router and everything works fine. Once I try to build that “switch” within the CCR on ports ether1 and ether2, it kills the communication between the modem and router.
Reset the CCR to no-default config, create the Bridge with ports ether1 and ether2 and nothing else… then test again…
I would have to disagree with you slightly regarding the mikrotik being the dedicated router/gateway for my network. I am able to do passive inspection with traditional switches and i’m trying to emulate a true switch using a bridge.
no problem… but… a switch is a Layer 2 Device, it does not do Firewalling… a Firewall captures Layer 3 traffic… so, saying you will configure a switch to inspect Layer 3 traffic sounds not so correct… but sure, let’s stay to the post…
That’s exactly the steps I’ve taken last night before bugging you all. I performed the system reset-config command.
When I stated firewall, the Mikrotik has the ability to enable firewall on layer 2 bridging. I’ll save that troubleshooting for later; I’m with you 100% on that topic, it’s iffy and the purpose behind my testing.
As it stands now, the Mikrotik was factory reset, a bridge1 was created with two ports, ether1 and ether2, no IP address assignment, and my Asus router cannot obtain a WAN IP through the modem as it does when it’s directly connected to the modem.
0 I ether1-modem bridge-wan yes 1 0x 1 1 none
1 I ether2-router bridge-wan yes 1 0x 10 10 none
Route table is strictly for my management access on the 192.168.1.0/24 subnet and I’m accessing with Winbox using MAC address.
[admin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
I’m going to just put the device in as the primary gateway and convert the Asus router to AP mode only. I’m not sure why this isn’t working, but I think there are more benefits to just using this Mikrotik as my main gateway and setting up some scripts for dynamic blocking.
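As an added example (not from the thread or from any of its posters), here is the minimal RouterOS configuration for the two-port transparent bridge the thread describes, followed by the checks that tell you whether the bridge can actually forward frames, and the setting that lets the IP firewall see bridged traffic, which is the stated end goal. The interface names ether1/ether2, the bridge name bridge1 and the address 192.0.2.10 are assumptions and placeholders. One detail worth reading from the port print posted above: in `/interface bridge port print` the I flag means inactive, so both ports were not forwarding at the time of that print, which is the first thing the checks below surface.

```routeros
# Added example, not the poster's own config. Names are assumptions.

# 1. A plain "dumb switch": no spanning tree, no VLAN filtering, no ARP,
#    no IP address on the bridge, so nothing above layer 2 happens here.
/interface bridge add name=bridge1 protocol-mode=none vlan-filtering=no \
    arp=disabled comment="transparent modem <-> router pass-through"
/interface bridge port add bridge=bridge1 interface=ether1 comment="modem side"
/interface bridge port add bridge=bridge1 interface=ether2 comment="router side"

# 2. Checks, in this order, before touching anything else.
#    Port flags: X = disabled, I = inactive (not forwarding), H = hw-offload.
#    Both ports must show up without I for DHCP to cross the bridge.
/interface bridge port print
#    Ethernet flags: R = running means the link is physically up.
/interface ethernet print
#    Learned MAC table: expect the modem MAC on ether1 and the router MAC
#    on ether2 once frames are actually being forwarded.
/interface bridge host print

# 3. Passive, real-time view of what crosses the bridge (no rules yet).
#    DHCP is UDP, so a UDP-only sniff shows whether DISCOVER/OFFER pass.
/tool sniffer quick interface=bridge1 ip-protocol=udp
/tool torch interface=bridge1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0

# 4. Enforcement, only after step 2 and 3 show clean pass-through.
#    use-ip-firewall sends bridged packets through /ip firewall, so
#    forward-chain rules apply to layer-2 traffic with no IP on the bridge.
/interface bridge settings set use-ip-firewall=yes
/ip firewall filter add chain=forward dst-address=192.0.2.10 action=log \
    log-prefix="bridge-block" comment="visibility first: 192.0.2.10 is a placeholder"
/ip firewall filter add chain=forward dst-address=192.0.2.10 action=drop \
    comment="then drop; keep the log rule above it for detection"
```

Keep step 4 off until the bridge passes DHCP on its own: with `use-ip-firewall=yes` a default-drop forward chain will silently eat the same DHCP exchange you are trying to debug, and the log rule placed before the drop is what lets you confirm a block fired rather than guessing.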