Hey guys,
Newbie here with a newbie issue.
I am sure I am missing something in my config that is causing me to not be able to ping/connect/see my QNAP NAS while using a CRS326-24G2s+RM bridged to a HexS.
My setup is the following:
ISP--------->HexS------->CRS----->LAN
On the LAN I have my PC and NAS on the same subnet, 192.168.88.0/24.
I followed the wiki setup and I can ping pretty much all my devices but the NAS.
I also want to mention that I have a Pi hole running on 192.168.1.70 that is connected directly to the ISP router.
Below is my current config.
Any help you can provide is much appreciated.
# jan/21/2022 18:13:13 by RouterOS 6.49.2
# software id =
#
# model = RB760iGS
# serial number =
/interface bridge
add name=local
/interface ethernet
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface list
add name=listBridge
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.100
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=local name=dhcp1
/interface bridge port
add bridge=local interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.100 client-id=1:4:d9:f5:84:67:5a mac-address=\
04:D9:F5:84:67:5A server=dhcp1
add address=192.168.88.99 client-id=1:2c:c8:1b:6:4f:bb mac-address=\
2C:C8:1B:06:4F:BB server=dhcp1
add address=192.168.88.97 client-id=1:dc:a6:32:1c:7:24 mac-address=\
DC:A6:32:1C:07:24 server=dhcp1
add address=192.168.88.95 client-id=1:84:a9:38:b7:b4:e mac-address=\
84:A9:38:B7:B4:0E server=dhcp1
add address=192.168.88.94 client-id=1:24:5e:be:20:e9:f6 mac-address=\
24:5E:BE:20:E9:F6 server=dhcp1
add address=192.168.88.98 client-id=1:b8:27:eb:2:53:9f mac-address=\
B8:27:EB:02:53:9F server=dhcp1
add address=192.168.88.96 client-id=1:b8:27:eb:9e:ee:b8 mac-address=\
B8:27:EB:9E:EE:B8 server=dhcp1
add address=192.168.88.92 client-id=1:e8:65:d4:dc:f9:88 mac-address=\
E8:65:D4:DC:F9:88 server=dhcp1
add address=192.168.88.91 mac-address=6C:AD:F8:D4:C5:4A server=dhcp1
add address=192.168.88.90 mac-address=1C:F2:9A:67:CE:6A server=dhcp1
add address=192.168.88.85 client-id=1:50:ed:3c:58:46:76 mac-address=\
50:ED:3C:58:46:76 server=dhcp1
add address=192.168.88.83 client-id=1:b8:27:eb:be:9b:eb mac-address=\
B8:27:EB:BE:9B:EB server=dhcp1
add address=192.168.88.82 client-id=1:e8:65:d4:dc:f9:80 mac-address=\
E8:65:D4:DC:F9:80 server=dhcp1
add address=192.168.88.80 client-id=1:0:e:c6:a3:cd:9c comment=MiBox \
mac-address=00:0E:C6:A3:CD:9C server=dhcp1
add address=192.168.88.79 client-id=1:24:5e:be:20:e9:f7 mac-address=\
24:5E:BE:20:E9:F7 server=dhcp1
add address=192.168.88.78 client-id=1:48:ba:4e:68:4f:d0 mac-address=\
48:BA:4E:68:4F:D0 server=dhcp1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.1.70 gateway=192.168.88.1
/ip dns
set servers=192.168.1.70
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 \
port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 \
protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
ether1
add action=fasttrack-connection chain=forward comment=\
"fast-track for established, related" connection-state=\
established,related
add action=accept chain=forward comment="accept established, related" \
connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=\
"drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat in-interface=ether1 port=3389 protocol=tcp \
to-addresses=192.168.88.97
/ip proxy
set port=80
/ip proxy access
add action=deny dst-host=*.baidu.*
add action=deny dst-host=*.qq.*
add action=deny dst-host=*.taobao.*
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Lisbon
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
Sob
January 23, 2022, 10:04pm
2
It’s not here, communication between different 192.168.88.x devices should not go to HEX S at all.
Ok, so you mean I should check the CRS??
Sob
January 24, 2022, 1:11am
4
Yes. And NAS too, make sure everything is configured correctly.
You see, this is my problem: to me, it is. I have been unable to find the source of the issue. I have set the CRS to “Bridge all ports”, which in my understanding would work as a “dumb” switch with the HexS doing all the work.
Would you please be able to help me understand what I am missing then?
Sob
January 24, 2022, 5:03pm
6
Try to post CRS’s config. And since you mentioned dumb switch, if you have one, it can be used for simple test. Disconnect both PC and NAS from CRS and connect them to dumb switch. If they can communicate, their config is fine and problem is with CRS. If they can’t, then CRS is most likely innocent.
Thanks for the help, Sob.
Well, I have tried your suggestion, and it works fine; that is how I set it up before the CRS.
Here is the code:
# jan/24/2022 17:15:51 by RouterOS 6.49.2
# software id =
#
# model = CRS326-24G-2S+
# serial number =
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
/ip address
add address=192.168.88.99/24 disabled=yes interface=ether2 network=\
192.168.88.0
/ip dhcp-client
add disabled=no interface=bridge1
/ip dns
set servers=192.168.88.1
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=MikroTik-Switch
/system routerboard settings
set boot-os=router-os
Sob
January 24, 2022, 6:04pm
8
Hmm, that’s also just like dumb switch, all ports bridged and nothing to filter any traffic. For the lack of better ideas, keep the ping running and check interfaces (where PC and NAS are connected) using Tools->Torch, to see what’s going on there.
Ok, so I tested that and here are the results:
While the pings to the device 192.168.88.96 were responded and none failed, as you can see in the image below, there are no packets being sent to this device:
https://1drv.ms/u/s!Ag82xGhEC3LRhYACvvCPTbp7fu4J4A?e=QLUY10
Same when it fails; ether 15 is where the NAS is and ether 2 is my PC:
https://1drv.ms/u/s!Ag82xGhEC3LRhYADPTg2UOoMu64oww?e=Gh5hx3
Interestingly enough, I can access the NAS via WEB.
Sob
January 25, 2022, 3:06am
10
Well, not seeing packets can be because of hardware offload. I thought that using Torch is supposed to deal with that, but maybe not. As a test, try to set those two bridge ports as hw=no (Hardware Offload checkbox in WinBox). But it’s really weird why some traffic would work and some not.
Could not find where I set up the offloading, sorry.
I found a post online about this, and if my understanding is correct, the offloading is “ON”, right?
[admin@MikroTik-Switch] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 H ether1 bridge1 yes 1 0x80 10 10 none
1 H ether2 bridge1 yes 1 0x80 10 10 none
2 H ether3 bridge1 yes 1 0x80 10 10 none
3 H ether4 bridge1 yes 1 0x80 10 10 none
4 I H ether5 bridge1 yes 1 0x80 10 10 none
5 I H ether6 bridge1 yes 1 0x80 10 10 none
6 H ether7 bridge1 yes 1 0x80 10 10 none
7 H ether8 bridge1 yes 1 0x80 10 10 none
8 H ether9 bridge1 yes 1 0x80 10 10 none
9 H ether10 bridge1 yes 1 0x80 10 10 none
10 H ether11 bridge1 yes 1 0x80 10 10 none
11 I H ether12 bridge1 yes 1 0x80 10 10 none
12 I H ether13 bridge1 yes 1 0x80 10 10 none
13 I H ether14 bridge1 yes 1 0x80 10 10 none
14 H ether15 bridge1 yes 1 0x80 10 10 none
15 I H ether16 bridge1 yes 1 0x80 10 10 none
16 I H ether17 bridge1 yes 1 0x80 10 10 none
17 I H ether18 bridge1 yes 1 0x80 10 10 none
18 I H ether19 bridge1 yes 1 0x80 10 10 none
19 I H ether20 bridge1 yes 1 0x80 10 10 none
20 I H ether21 bridge1 yes 1 0x80 10 10 none
21 I H ether22 bridge1 yes 1 0x80 10 10 none
22 I H ether23 bridge1 yes 1 0x80 10 10 none
23 I H ether24 bridge1 yes 1 0x80 10 10 none
24 I H sfp-sfpplus1 bridge1 yes 1 0x80 10 10 none
25 I H sfp-sfpplus2 bridge1 yes 1 0x80 10 10 none
[admin@MikroTik-Switch] >
Sob
January 25, 2022, 9:30pm
13
Yes, it’s the HW column. And it’s configured in Bridge->Ports, properties of individual ports, Hardware Offload checkbox.
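Added example, not part of any post in this thread: a Python parser for the `/interface bridge port print` table quoted above that reports which port pairs are forwarded purely by the switch chip, the case in which Torch showed no packets here. The sample rows, function names and the rule that two H-flagged ports on one bridge bypass the CPU are assumptions made for illustration.

```python
import re

# Constructed sample rows in the layout of "/interface bridge port print".
# ether15 is shown with offload switched off, as in the hw=no test
# suggested in the thread.
SAMPLE = """\
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #     INTERFACE   BRIDGE   HW   PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
 0   H ether1      bridge1  yes     1     0x80        10                 10 none
 1   H ether2      bridge1  yes     1     0x80        10                 10 none
 4 I H ether5      bridge1  yes     1     0x80        10                 10 none
14     ether15     bridge1  no      1     0x80        10                 10 none
"""

# index, optional single-letter flags, interface, bridge, configured HW value
ROW = re.compile(r"^\s*(\d+)\s+((?:[XIDH]\s+)*)(\S+)\s+(\S+)\s+(yes|no)\b")


def parse_ports(text):
    """Map interface name -> bridge, flag set, configured hw, active offload."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # flag legend, column header, prompt lines
        _, flags, iface, bridge, hw = m.groups()
        flagset = set(flags.split())
        ports[iface] = {
            "bridge": bridge,
            "flags": flagset,
            "hw_configured": hw == "yes",
            # The H flag, not the HW column, says offload is actually active.
            "offloaded": "H" in flagset,
        }
    return ports


def cpu_sees_traffic(ports, a, b):
    """True when frames between a and b are bridged by the CPU (assumption:
    two H-flagged ports on one bridge are switched in the switch chip)."""
    pa, pb = ports[a], ports[b]
    same_bridge = pa["bridge"] == pb["bridge"]
    return not (same_bridge and pa["offloaded"] and pb["offloaded"])


if __name__ == "__main__":
    ports = parse_ports(SAMPLE)
    for pair in (("ether1", "ether2"), ("ether2", "ether15")):
        print(pair, "visible to Torch/sniffer:", cpu_sees_traffic(ports, *pair))
```

A pair that returns False needs offload disabled on at least one of its ports before a CPU-side capture tool will show the traffic.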
OK, so I unchecked it and now I can see the requests.
It times out and I don’t know how to interpret what I currently see there. I was able to confirm the requests are leaving my PC and reaching the NAS, but from the NAS I can only see one ICMP request being sent to my PC.
Sob
January 25, 2022, 11:51pm
15
And with another dumb switch (just plug cables elsewhere and don’t touch anything else) it works. Hmm. I’m afraid I’m running out of sensible ideas (so no magic, ghosts, space aliens, …).
I am thinking of removing the HexS from the network and setting up the CRS as the only “router” and seeing if it works
Sob
January 26, 2022, 12:13am
17
You can try, but I don’t see why it should help. Current config on CRS is as simple as it can be, just all ports bridged and that’s it. Ok, you can make it even simpler by removing everything from “/interface list” (including “/interface list member”), because that’s currently not needed, but it’s also not used, so it’s not breaking anything. Even if you change CRS into router, you’ll still have LAN consisting of the same bridge you have now, and nothing will change for packets flowing between devices connected to ports of this bridge.
Sob
January 26, 2022, 12:47am
19
Go to Interfaces->Interface List, there you have members that you can select and delete (with minus button). To access and possibly delete lists themselves, there’s Lists button. But it won’t change anything.
2frogs
January 26, 2022, 1:45am
20
I would suggest looking on the QNAP/ Control Panel → Security and be sure your local IP is not being blocked.