We have the below setup of MikroTik Devices (correction, hAP ax2 is actually a hAP ac2):
The CCR and both hAPs are running RouterOS. Both CRS devices are running SwOS. The CCR is doing all the routing via IP and interfaces and does not have any bridges. The hAPs are both doing bridges for the Wi-Fi/Ports. I have included the configs of the CCR and both hAPs at the bottom. The switches do some port isolation and have STP enabled. For STP, the CRS328 has a bridge priority of 4000 and the CRS317 is 5000. The CRS317 shows the port connected to the CRS328 (Uplink) as the root in STP. The CRS328 does not have any port labelled as root.
My issue is that network scanning software like Zabbix and Auvik show network trees wrong, and hardware tools like LinkSprinter and Netool show the wrong device for connection. For example, when connecting a Netool directly to Ether7 of the CRS328, the Netool will show it is connected to Ether1/Bridge of the hAP Ac2. Zabbix and Auvik also show similar where it can’t decide the chained order of devices and shows things connected directly to the CRS328 or CRS317 as connected to one of the hAP devices.
I know the devices/software aren’t perfect, but I’m curious if there is something that can be done to correct this on the MikroTik side since multiple different software and devices show the same bad data. I do not know how these tools determine what is connected to what (R/STP, MACs, etc.)
Hoping someone has ran into this before or has an idea to try. Thanks!
Netool example. Device is connected to Ether7 on the CRS328 (10.0.0.2)
Configs
CCR2004:
# 2024-01-04 10:57:11 by RouterOS 7.13
#
# model = CCR2004-16G-2S+
/interface ethernet
set [ find default-name=ether1 ] name=ether1-FiberWAN
set [ find default-name=ether2 ] name=ether2-CellWAN
/interface vlan
add interface=sfp-sfpplus2 name=vlan10-Cameras vlan-id=10
add interface=sfp-sfpplus2 name=vlan20-Untrusted vlan-id=20
add interface=sfp-sfpplus2 name=vlan40-PublicIPs vlan-id=40
/disk
set pcie1 type=hardware
set pcie1-usb1 type=hardware
add parent=pcie1-usb1 partition-number=1 partition-offset=512 partition-size="32 080 199 680" type=partition
/interface list
add name=WAN
add name=ACL-ACCESS-WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Trusted ranges=10.0.0.100-10.0.0.200
add name=Guest/IOT ranges=10.0.20.100-10.0.20.200
add name=Cameras ranges=10.0.10.0/24
add name=PublicIPs ranges=PublicIPBlock.250-PublicIPBlock.254
/ip dhcp-server
add address-pool=Trusted interface=sfp-sfpplus2 lease-time=10m name=dhcp-Trusted
add address-pool=Guest/IOT interface=vlan20-Untrusted lease-time=10m name=dhcp-Untrusted
add address-pool=Cameras interface=vlan10-Cameras lease-time=10m name=dhcp-Cameras
add address-pool=PublicIPs interface=vlan40-PublicIPs lease-time=10m name=dhcp-PublicIPs
/port
set 0 name=serial0
set 1 name=serial1
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1-FiberWAN list=WAN
add interface=ether2-CellWAN list=WAN
add interface=sfp-sfpplus2 list=ACL-ACCESS-WAN
add interface=vlan20-Untrusted list=ACL-ACCESS-WAN
add interface=vlan40-PublicIPs list=ACL-ACCESS-WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
add address=FiberIP/24 interface=ether1-FiberWAN network=FiberNetwork
add address=10.0.10.1/24 interface=vlan10-Cameras network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Untrusted network=10.0.20.0
add address=PublicIPBlock.249/29 interface=vlan40-PublicIPs network=PublicIPBlock.248
add address=10.0.0.1/24 interface=sfp-sfpplus2 network=10.0.0.0
/ip dhcp-client
add add-default-route=no interface=ether2-CellWAN use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.42,10.0.0.62,10.0.0.82 domain=REDACTED gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=1.1.1.1,1.0.0.1 domain=cams gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1 domain=iso gateway=10.0.20.1
add address=PublicIPBlock.248/29 dns-server=1.1.1.1,1.0.0.1 gateway=PublicIPBlock.249
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=PublicIPBlock.251 list=MattAccess
add address=PublicIPBlock.252 list=MattAccess
add address=10.0.20.10 list=InternalAppAllow
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept Established Connections on Forward and Input Chains" connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward comment="Drop Invalid from WAN" connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=forward comment="Accept DSTNAT Packets" connection-nat-state=dstnat in-interface=ether1-FiberWAN
add action=accept chain=forward comment="Allow WAN ACL to WAN" in-interface-list=ACL-ACCESS-WAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Trusted to Everything" in-interface=sfp-sfpplus2 src-address=10.0.0.0/24
add action=accept chain=input in-interface=sfp-sfpplus2 src-address=10.0.0.0/24
add action=accept chain=forward comment="Allow Access to MattAccess from WAN except specific ports" dst-address-list=MattAccess dst-port=!0-5900 in-interface=ether1-FiberWAN protocol=tcp
add action=accept chain=forward dst-address-list=MattAccess dst-port=!0-5900 in-interface=ether1-FiberWAN protocol=udp
add action=accept chain=forward comment="Allow InternalAppAllow Address List to InternalApp Server" dst-address=10.0.0.61 dst-port=32400 protocol=tcp src-address-list=InternalAppAllow
add action=accept chain=output comment="Allow Router Output"
add action=drop chain=forward comment="Drop Not Matched"
add action=drop chain=input
add action=drop chain=output
/ip firewall nat
add action=masquerade chain=srcnat comment="Fiber WAN Masquerade" out-interface=ether1-FiberWAN
add action=masquerade chain=srcnat comment="Cellular WAN Masquerade" out-interface=ether2-CellWAN
add action=dst-nat chain=dstnat comment="DSTNAT Port 25 to PMG" dst-address=FiberIP dst-port=25 in-interface=ether1-FiberWAN protocol=tcp to-addresses=10.0.0.90 to-ports=25
add action=dst-nat chain=dstnat comment="DSTNAT Port 32400 to SM-2U - InternalApp" dst-address=FiberIP dst-port=32400 protocol=tcp to-addresses=10.0.0.61 to-ports=32400
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes dst-address=10.0.0.0/24 out-interface=sfp-sfpplus2 src-address=10.0.0.0/24
/ip firewall service-port
set sip disabled=yes
/ip route
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=FiberISPGateway pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.12.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=8.8.8.8/32 gateway=FiberISPGateway routing-table=main suppress-hw-offload=no
add disabled=no dst-address=8.8.4.4/32 gateway=192.168.12.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ipv6 dhcp-client
add disabled=yes interface=ether2-CellWAN pool-name=Cellv6 request=address
/system clock
set time-zone-name=America/Chicago
/system identity
set name=DH-CoreRouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool netwatch
add comment="Fiber WAN Monitor" disabled=no down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=FiberISPGateway]\r\
\n:log error \"Fiber WAN is Down!\"\r\
\n/ip firewall connection remove [find]" host=8.8.8.8 http-codes="" interval=10s test-script="" timeout=1s type=simple up-script=\
"ip route enable [find dst-address=0.0.0.0/0 gateway=FiberISPGateway]\r\
\n:log error \"Fiber WAN is Up!\"\r\
\n/ip firewall connection remove [find]"
add comment="Cellular WAN Monitor" disabled=no down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.12.1]\r\
\n:log error \"Cell WAN is Down!\"" host=8.8.4.4 http-codes="" interval=10s test-script="" timeout=1s type=simple up-script="ip route enable [find dst-address=0.0.0.0/0 gateway=192.168.12.1]\r\
\n:log error \"Cell WAN is Up!\""
Will post the additionals in a comment. They were not collapsing into a code block in the main post for some reason.
Searched there and engaged Auvik support before posting here. Couldn’t get anything figured out either side, other than seems to be something with the config of the MTik equipment and network. Posted here since seeing it across multiple different applications and a hardware test tool.
For anyone who finds this in the future, this was indeed a MikroTik issue and not an issue with Zabbix, Auvik, or Netool.
SwOS does not support LLDP, so the tools were passing LLDP from other connected devices on. 99% of the time, it was the hAP, but very rarely, it would see the CoreRouter.
Since the switches support RouterOS, I switched them over and setup the switching via bridges. Everything now works exactly as intended.
