I am looking at purchasing a Mikrotik Router and decided to try out the cloud images to get familiar with the devices before purchasing. I have downloaded the latest 7.10.1 image and tried installing it as a virtual machine using Hyper-V on Windows 11 and VirtualBox on Windows 11 (using appropriate disk images for each virtual machine). Having had some problems with VLANs and bridge ports I have gone back to absolute basics and followed the instructions at https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration with the only change being that I have added additional ports to the LAN bridge.
In each case the virtual machines were set up with 4 network interfaces and these are configured so that ether1 is attached to Bridged Adapter (virtualbox) / Network Bridge (hyper-v) and ether2-4 are attached to separate internal networks (virtualbox) / private virtual switches (hyper-v).
The configuration is as follows (this is the output of /export):
As you can see this is simply the commands from the First Time Configuration with the addition of ether3 and ether4 to the bridge ports and skipping over the ‘Protecting the Router’ and ‘Wireless’ steps to keep it as simple as possible.
If I connect other virtual clients to the internal/private switches then everything works fine if I use the switches attached to ether2, however if I connect them to the switches attached to ether3 or ether4 then either the clients don’t get IP addresses (hyper-v) or they get addresses but can’t ping either the router or devices on the WAN interface (virtualbox).
If instead I leave ether2 attached to the local bridge and create a 2nd bridge with its own dhcp-server and address etc. and attach ether3 and ether4 to that bridge then the clients attached to ether3 work ok (as well as ones attached to ether2) but the ones attached to ether4 fail.
It appears that I can only use the first port of a bridge - what am I doing wrong with the other ports?
This obviously isn’t a problem in this config as such in that I can attach all clients to the switch attached to the first port, but when I try setting up vlans and want some ports using pvid 1 and some using say a guest lan (e.g. pvid 10) it becomes a problem.
In each case the virtual machines were set up with 4 network interfaces and these are configured so that ether1 is attached to Bridged Adapter (virtualbox) / Network Bridge (hyper-v) and ether2-4 are attached to separate internal networks (virtualbox) / private virtual switches (hyper-v).
In a virtual environment (example: VMware Player or VirtualBox), the virtual machines use a virtual NIC, which relies on the VM NIC setting in the hypervisor app. That setting can be using:
emulated bridge inside the host machine
or
direct attachment to the physical nic on the host machine.
In the common VM deployment, the VM uses a virtual NIC which is connected to an internal bridge inside the host machine.
Now, by that bridge definition, each VM should only have 1 virtual NIC connected to the bridge, or otherwise you will see a layer 2 loop on both the host and the virtual machine.
And then comes the next question:
How should you divide your single virtual NIC for multiple segments inside the VM in a single bridged hypervisor?
Answer:
1. By doing VLAN or inter-VLAN routing for that single interface on your router VM. You need to have VLAN tagging as well for every VM connected to that router VM.
2. Or… you can create multiple bridges on the hypervisor and attach each of your router's virtual NICs to each bridge (and every other VM that belongs to that specific interface subnet). You don’t need VLAN tagging for this setup.
Thanks, I did realise the problem with network loops etc, which is why I’ve used option 2 and set up multiple bridges in the hypervisor. ether1 is connected to one bridge which includes a bridge to the hypervisor's network port, ether2, 3 and 4 are connected to three additional bridges which are isolated from each other and from the hypervisor's network ports. If I attach clients to the bridge connected to ether2 everything is OK, but connecting any clients to the bridges connected to ether3 or ether4 fails.
Virtual machines on ether2, 3 and 4 all have a single network interface, nothing complicated. I’ve switched the machines round and they all work fine when attached to the virtual switch attached to ether2, none work when attached to the switch connected to ether3 or ether4.
[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1 ether 1500 00:15:5D:04:01:2F
1 RS ether2 ether 1500 00:15:5D:04:01:30
2 RS ether3 ether 1500 00:15:5D:04:01:31
3 RS ether4 ether 1500 00:15:5D:04:01:32
4 R local bridge 1500 65535 00:15:5D:04:01:30
[admin@MikroTik] > interface bridge print
Flags: X - disabled, R - running
0 R name="local" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled arp-timeout=auto mac-address=00:15:5D:04:01:30 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes
ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no
[admin@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ether2 local yes 1 0x80 10 10 none
1 ether3 local yes 1 0x80 10 10 none
2 ether4 local yes 1 0x80 10 10 none
[admin@MikroTik] >
Looking at the above I notice that ether2 and the bridge have the same mac address. Is this normal / significant?
This is nonsense.
Post a network diagram of what you would like to achieve and state specifically the traffic flow requirements.
internal to external for all router users including the admin (and internal to internal of course, if any)
external to internal traffic if any
vpns if any
number and type of WAN connections
Then we can tell you quickly if what you want to accomplish is a good fit for MT devices and which ones, and point you in the right configuration direction.
Hunting down VM issues is not worth my time anyway.
auto-mac (yes | no; Default: yes) Automatically select one MAC address of bridge ports as a bridge MAC address, bridge MAC will be chosen from the first added bridge port. After a device reboot, the bridge MAC can change depending on the port-number.
So it seems the bridge is expected to get the MAC address of the first port you add to the bridge if auto-mac is ‘yes’ (which is the default). However I did try changing auto-mac to no and then setting a value for the parameter admin-mac but it didn’t help in any way.
In reply to @anav
I’m sorry but I think you missed the point of my post. I’ve done the analysis and know exactly which device I want and I’ve got a good idea of how to configure it. The RB2011 seems ideal but with the L009UiGS coming very shortly and as I’m in no rush, it seemed sensible to wait for it. (My current router is showing its age and is starting to struggle, so needs replacing but I can manage with it for a few more months).
I will use it as my main router with ether1 going to my ONT and it will have 2 trunks (on say ether2/3) from it carrying several VLANs to my Proxmox Hypervisor and my main managed switch. I would then use two or three of the other ports on the router to connect to some other devices, each picking off one of the VLANs to go to devices located nearby without VLAN tags.
I’ve a fair amount of experience with Ubiquiti’s Edge Routers and with pfSense so I thought setting up a virtual router would allow me to get to grips with RouterOS as I’d not used it before and I could use the time to get some experience. This worked fine at first with just a single device added to the bridge and it was still fine when I added VLANs over that port, but when I tried using a second port to a 2nd device which should go on one of the VLANs but not carry vlan tags across the interface things went wrong. I then simplified the config so I was just using 3 ports on a bridge without any vlans and still had problems. I couldn’t see a fault with what I had done, but thought that I might be missing something with my lack of experience.
As far as "Hunting down VM issues is not worth my time anyway." then please feel free to ignore this thread. I didn’t ask you to hunt down VM issues, I just asked the community if they had any clues as to what I was doing wrong. It may be an issue with Router OS running on a VM and if it is I will have to wait until I get real hardware, but it is a shame if that is the case as running a virtual network on VMs is a great way of testing out things before applying it to a real network or simply for learning about networking, especially when you wouldn’t be able to afford the real hardware to implement it. (That is how I taught myself about OSPF).
Sorry, but the RB2011 should not be used in the same phrase as "I need a new router" unless the router you are replacing is a 2011.
I could say the same about the L009: at first blush it seemed like a good idea, but when you look under the hood, it's a lame duck.
If your constraint is budget, consider the AX3 as a decent router for the buck; if you want a proper class of router then the RB5009 is very good.