RB1100AHx2 switch hybrid vlan setup

cflee · May 30, 2014, 5:52am

I am trying to configure my RB1100AHx2 such that it reaches this end state:

port 01 untagged to bridge0 + tagged to vlan 10,20,30
port 02 untagged to bridge0 + tagged to vlan 10,20,30
port 03 untagged to bridge0 + tagged to vlan 10,20,30
port 04 untagged to bridge0 + tagged to vlan 10,20,30
port 05 untagged to bridge0 + tagged to vlan 10,20,30
port 06 untagged to bridge0 + tagged to vlan 10,20,30
port 07 untagged to vlan 10
port 08 untagged to vlan 20
port 09 untagged to vlan 30
port 10 untagged to vlan 40
port 11 no vlan (WAN)
port 12 no vlan (spare)
port 13 no vlan (mgmt)

Ports 6 to 13 are all ok.

The problem is with ports 1 to 5: I am able to access vlan 10,20,30 on it, but unable to access bridge0 untagged.

Strangely enough, port 6 is ok. Untagged works fine. Therefore I suspect that this is related to enabling the switch chip.

I have tried to add ether2,ether3,ether4,ether5 to bridge0, but it is not successful as they are slaved to ether1.

[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                              
 0 D 192.168.1.100/24   192.168.1.0     ether11                                
 1   10.20.0.1/16       10.20.0.0       bridge20                               
 2   10.0.0.1/16        10.0.0.0        bridge0                                
 3   10.10.0.1/16       10.10.0.0       bridge10                               
 4   10.30.0.1/16       10.30.0.0       bridge30                               
 5   10.40.0.1/16       10.40.0.0       bridge40                               
 6   192.168.88.1/24    192.168.88.0    ether13

Interface/bridge related config

[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE         MTU L2MTU  MAX-L2MTU
 0  RS ether1                              ether       1500  1598       9498
 1   S ether2                              ether       1500  1598       9498
 2  RS ether3                              ether       1500  1598       9498
 3   S ether4                              ether       1500  1598       9498
 4   S ether5                              ether       1500  1598       9498
 5   S ether6                              ether       1500  1598       9498
 6   S ether7                              ether       1500  1598       9498
 7   S ether8                              ether       1500  1598       9498
 8   S ether9                              ether       1500  1598       9498
 9   S ether10                             ether       1500  1598       9498
10  R  ether11                             ether       1500  1600       9500
11     ether12                             ether       1500  1600       9116
12     ether13                             ether       1500  1600       9116
13  R  bridge0                             bridge      1500  1598
14  R  bridge10                            bridge      1500  1594
15  R  bridge20                            bridge      1500  1594
16  R  bridge30                            bridge      1500  1594
17  R  bridge40                            bridge      1500  1594
18  RS ether1_vlan10                       vlan        1500  1594
19  RS ether1_vlan20                       vlan        1500  1594
20  RS ether1_vlan30                       vlan        1500  1594
21  RS ether1_vlan40                       vlan        1500  1594
22   S ether6_vlan10                       vlan        1500  1594
23   S ether6_vlan20                       vlan        1500  1594
24   S ether6_vlan30                       vlan        1500  1594
25   S ether6_vlan40                       vlan        1500  1594

[admin@MikroTik] > /interface ethernet print
Flags: X - disabled, R - running, S - slave 
 #    NAME        MTU MAC-ADDRESS       ARP        MASTER-PORT      SWITCH     
 0  S ether1     1500 D4:CA:6D:15:56:10 enabled    none             switch2    
 1  S ether2     1500 D4:CA:6D:15:56:11 enabled    ether1           switch2    
 2  S ether3     1500 D4:CA:6D:15:56:12 enabled    ether1           switch2    
 3  S ether4     1500 D4:CA:6D:15:56:13 enabled    ether1           switch2    
 4  S ether5     1500 D4:CA:6D:15:56:14 enabled    ether1           switch2    
 5  S ether6     1500 D4:CA:6D:15:56:15 enabled    none             switch1    
 6  S ether7     1500 D4:CA:6D:15:56:16 enabled    none             switch1    
 7  S ether8     1500 D4:CA:6D:15:56:17 enabled    none             switch1    
 8  S ether9     1500 D4:CA:6D:15:56:18 enabled    none             switch1    
 9  S ether10    1500 D4:CA:6D:15:56:19 enabled    none             switch1    
10 R  ether11    1500 D4:CA:6D:15:56:1A enabled   
11    ether12    1500 D4:CA:6D:15:56:1B enabled   
12    ether13    1500 D4:CA:6D:15:56:1C enabled

[admin@MikroTik] > /interface bridge print
Flags: X - disabled, R - running 
 0  R name="bridge0" mtu=1500 l2mtu=1598 arp=enabled 
      mac-address=D4:CA:6D:15:56:10 protocol-mode=rstp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 1  R name="bridge10" mtu=1500 l2mtu=1594 arp=enabled 
      mac-address=D4:CA:6D:15:56:10 protocol-mode=rstp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 2  R name="bridge20" mtu=1500 l2mtu=1594 arp=enabled 
      mac-address=D4:CA:6D:15:56:10 protocol-mode=rstp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 3  R name="bridge30" mtu=1500 l2mtu=1594 arp=enabled 
      mac-address=D4:CA:6D:15:56:10 protocol-mode=rstp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m 

 4  R name="bridge40" mtu=1500 l2mtu=1594 arp=enabled 
      mac-address=D4:CA:6D:15:56:10 protocol-mode=rstp priority=0x8000 
      auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s 
      forward-delay=15s transmit-hold-count=6 ageing-time=5m

[admin@MikroTik] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic 
 #    INTERFACE              BRIDGE              PRIORITY  PATH-COST    HORIZON
 0    ether1_vlan10          bridge10                0x80         10       none
 1 I  ether6_vlan10          bridge10                0x80         10       none
 2    ether1_vlan20          bridge20                0x80         10       none
 3 I  ether6_vlan20          bridge20                0x80         10       none
 4    ether1_vlan30          bridge30                0x80         10       none
 5 I  ether6_vlan30          bridge30                0x80         10       none
 6    ether1_vlan40          bridge40                0x80         10       none
 7 I  ether6_vlan40          bridge40                0x80         10       none
 8    ether1                 bridge0                 0x80         10       none
 9 I  ether6                 bridge0                 0x80         10       none
10 I  ether7                 bridge10                0x80         10       none
11 I  ether8                 bridge20                0x80         10       none
12 I  ether9                 bridge30                0x80         10       none
13 I  ether10                bridge40                0x80         10       none

Switch related config

[admin@MikroTik] > /interface ethernet switch port print 
Flags: I - invalid 
 #   NAME            SWITCH            VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   ether1          switch2           secure    leave-as-is               auto
 1   ether2          switch2           secure    leave-as-is               auto
 2   ether3          switch2           secure    leave-as-is               auto
 3   ether4          switch2           secure    leave-as-is               auto
 4   ether5          switch2           secure    leave-as-is               auto
 5   ether6          switch1           secure    leave-as-is               auto
 6   ether7          switch1           secure    always-strip                10
 7   ether8          switch1           secure    always-strip                20
 8   ether9          switch1           secure    always-strip                30
 9   ether10         switch1           secure    always-strip                40
10   switch1-cpu     switch2           disabled  leave-as-is               auto
11   switch2-cpu     switch2           disabled  leave-as-is               auto

[admin@MikroTik] > /interface ethernet switch vlan print
Flags: X - disabled, I - invalid 
 #   SWITCH                            VLAN-ID PORTS                           
 0   switch2                                 0 switch2-cpu                     
                                               ether1                          
                                               ether2                          
                                               ether3                          
                                               ether4                          
                                               ether5                          
 1   switch2                                10 switch2-cpu                     
                                               ether1                          
                                               ether2                          
                                               ether3                          
                                               ether4                          
                                               ether5                          
 2   switch2                                20 switch2-cpu                     
                                               ether1                          
                                               ether2                          
                                               ether3                          
                                               ether4                          
                                               ether5                          
 3   switch2                                30 switch2-cpu                     
                                               ether1                          
                                               ether2          
                                               ether3                          
                                               ether4                          
                                               ether5                          
 4   switch2                                40 switch2-cpu                     
                                               ether1                          
                                               ether2                          
                                               ether3                          
                                               ether4                          
                                               ether5                          
 5   switch1                                 0 switch1-cpu                     
                                               ether6                          
 6   switch1                                10 switch1-cpu                     
                                               ether6                          
                                               ether7                          
 7   switch1                                20 switch1-cpu                     
                                               ether6                          
                                               ether8                          
 8   switch1                                30 switch1-cpu                     
                                               ether6                          
                                               ether9                          
 9   switch1                                40 switch1-cpu                     
                                               ether6                          
                                               ether10

Edit: added /interface ethernet print

cflee · May 30, 2014, 8:12am

I just found that setting vlan-mode on ether2,3,4,5 to ‘fallback’ resolves the issue. That leads me to the following.

From http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features:

Packets without vlan tag are treated just like if they had a vlan tag with vlan id = 0. This means that if “vlan-mode=check or secure” to be able to forward packets without vlan tags you have to add a special entry to vlan table with vlan id set to 0.

There is an entry in vlan table with vlan-id=0, ports=switch2-cpu,ether1,ether2,ether3,ether4,ether5. Is this a bug or is there some other misconfiguration?

pedroporco · August 28, 2015, 10:52pm

Hi, I need some help trying to do something similar.
My current connfig is:

RB1100AHx2

port 01 WAN
port 02 untagged to bridge0
port 03 untagged to bridge0
port 04 untagged to bridge0
port 05 untagged to bridge0
port 06 untagged to bridge0
port 07 untagged to bridge0
port 08 untagged to bridge0
port 09 untagged to bridge0
port 10 untagged to bridge0
port 11 untagged to bridge0
port 12 untagged to bridge0
port 13 untagged to bridge0 + vlan 102 (ubiquiti unifi. Default traffic must be untagged so I would be able to manage ubiquiti unifi.
vlan 102 is for guest and needs to be isolated and also clients shouln´t be able to see each other.
I couldn´t make it work.
Guest vlan get ip but can´t surf the web.
Also on the local lan I have IP phones (offsite server). Ip phones can make calls outside, but can´t talk to each other inside de lan.

Code:

Code: Select all
/interface bridge
add comment="Local Bridge" mtu=1598 name=bridge-local
add comment="Vlan1 Bridge" mtu=1594 name=bridge-vlan1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-local
set [ find default-name=ether13 ] name=ether13-trunk
/ip neighbor discovery
set ether1-gateway discover=no
set bridge-local comment="Local Bridge"
set bridge-vlan1 comment="Vlan1 Bridge" discover=no
/interface vlan
add interface=bridge-local l2mtu=1594 mtu=1594 name=vlan-vlan1-ether13 \
    vlan-id=101

/ip neighbor discovery
set vlan-vlan1-ether13 discover=no

/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
add name=pool-vlan1 ranges=192.168.2.2-192.168.2.254

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=23h59m59s \
    name=local
add address-pool=pool-vlan1 disabled=no interface=bridge-vlan1 name=vlan1

/interface bridge port
add bridge=bridge-local interface=ether2-local
add bridge=bridge-local interface=ether13-trunk
add bridge=bridge-local interface=ether3
add bridge=bridge-vlan1 interface=vlan-vlan1-ether13
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12

/ip address
add address=192.168.1.1/24 interface=ether2-local network=192.168.1.0
add address=192.168.2.1/24 interface=bridge-vlan1 network=192.168.2.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dhcp-server lease
add address=192.168.1.6 mac-address= server=local
add address=192.168.1.3 mac-address= server=local
add address=192.168.1.4 mac-address= server=local
add address=192.168.1.5 mac-address= server=local
add address=192.168.1.10 mac-address= server=local
add address=192.168.1.7 mac-address= server=local
add address=192.168.1.8 mac-address= server=local
add address=192.168.1.9 mac-address= server=local
add address=192.168.1.11 mac-address= server=local
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8

/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=vpn disabled=yes dst-port=1723 protocol=tcp
add chain=input comment=vpn disabled=yes protocol=gre
add action=drop chain=input comment="default configuration" connection-state=\
    invalid in-interface=ether1-gateway
add action=drop chain=forward disabled=yes
add action=jump chain=input in-interface=bridge-vlan1 jump-target=input-vlan1
add action=jump chain=input in-interface=bridge-vlan2 jump-target=input-vlan2
add chain=input in-interface=bridge-local
add action=drop chain=forward comment="mozos-pc\r\
    \n" src-mac-address=
add action=drop chain=forward comment="PC2\r\
    \n" src-mac-address=
add action=drop chain=forward comment="PRIMERO-PC\r\
    \n" src-mac-address=
add action=drop chain=forward comment="NPC\r\
    \n" src-mac-address=
add action=drop chain=forward comment="note-PC eth\r\
    \n" src-mac-address=
add action=drop chain=forward comment="cocina1ero\r\
    \n" src-mac-address=
add action=drop chain=input

add chain=forward out-interface=ether1-gateway
add chain=input-vlan1 dst-port=53 protocol=tcp
add chain=input-vlan1 dst-port=53 protocol=udp
add chain=input-vlan1 dst-port=67 protocol=udp
add chain=input-vlan1 dst-port=68 protocol=udp

add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0

/system package update
set channel=current
/tool romon port

To achieve this I tried another approach:
ether1-gateway
ether2-local
ether3: master-port=ether2-local
ether4: master-port=ether2-local
ether5: master-port=ether2-local
ether7: master-port=ether6
ether8: master-port=ether6
ether9: master-port=ether6
ether10: master-port=ether6
ether13: name=ether13-trunk
bridge between ether2, ether6 and ether13.

The code:

Code: Select all
/interface bridge
add comment="Local Bridge" mtu=1598 name=bridge-local
add comment="Vlan1 Bridge" mtu=1594 name=bridge-vlan1

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-local
set [ find default-name=ether3 ] master-port=ether2-local
set [ find default-name=ether4 ] master-port=ether2-local
set [ find default-name=ether5 ] master-port=ether2-local
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
set [ find default-name=ether13 ] name=ether13-trunk
/ip neighbor discovery
set ether1-gateway discover=no
set bridge-local comment="Local Bridge"
set bridge-vlan1 comment="Vlan1 Bridge"
set bridge-vlan2 comment="Vlan2 Bridge" discover=no
/interface vlan
add interface=bridge-local l2mtu=1590 mtu=1594 name=vlan-vlan1-ether13 \
    vlan-id=101
add interface=bridge-local l2mtu=1590 mtu=1594 name=vlan-vlan2-ether13 \
    vlan-id=102
/ip neighbor discovery
set vlan-vlan2-ether13 discover=no

/interface ethernet switch port
set 1 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=fallback
set 2 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=fallback
set 3 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=fallback
set 4 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=fallback
set 5 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=fallback
set 6 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=fallback
set 7 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=fallback
set 8 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=fallback
set 9 default-vlan-id=101 vlan-header=add-if-missing vlan-mode=fallback

/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
add name=pool-vlan1 ranges=192.168.2.2-192.168.2.254
add name=pool-vlan2 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=23h59m59s \
    name=local
add address-pool=pool-vlan1 disabled=no interface=bridge-vlan1 name=vlan1
add address-pool=pool-vlan2 disabled=no interface=bridge-vlan2 name=vlan2
/interface bridge port
add bridge=bridge-local interface=ether2-local
add bridge=bridge-local disabled=yes interface=ether13-trunk
add bridge=bridge-local disabled=yes interface=ether3
add bridge=bridge-local interface=vlan-vlan1-ether13
add bridge=bridge-local disabled=yes interface=ether4
add bridge=bridge-local disabled=yes interface=ether5
add bridge=bridge-local interface=ether6
add bridge=bridge-local disabled=yes interface=ether7
add bridge=bridge-local disabled=yes interface=ether8
add bridge=bridge-local disabled=yes interface=ether9
add bridge=bridge-local disabled=yes interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
add bridge=bridge-vlan2 disabled=yes interface=vlan-vlan2-ether13

/interface ethernet switch vlan
add independent-learning=no ports=\
    ether2-local,ether3,ether4,ether5,switch2-cpu switch=switch2 vlan-id=101
add independent-learning=no ports=\
    ether6,ether7,ether8,ether9,ether10,switch1-cpu switch=switch1 vlan-id=\
    101
add independent-learning=no ports=ether10,switch1-cpu switch=switch1 vlan-id=\
    102
/ip address
add address=192.168.1.1/24 interface=ether2-local network=192.168.1.0
add address=192.168.2.1/24 interface=bridge-vlan1 network=192.168.2.0
add address=192.168.3.1/24 interface=bridge-vlan2 network=192.168.3.0

/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dhcp-server lease
add address=192.168.1.6 mac-address= server=local
add address=192.168.1.3 mac-address= server=local
add address=192.168.1.4 mac-address= server=local
add address=192.168.1.5 mac-address= server=local
add address=192.168.1.10 mac-address= server=local
add address=192.168.1.7 mac-address= server=local
add address=192.168.1.8 mac-address= server=local
add address=192.168.1.9 mac-address= server=local
add address=192.168.1.11 mac-address= server=local

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment=vpn disabled=yes dst-port=1723 protocol=tcp
add chain=input comment=vpn disabled=yes protocol=gre
add action=drop chain=input comment="default configuration" connection-state=\
    invalid in-interface=ether1-gateway
add action=drop chain=forward disabled=yes
add action=jump chain=input in-interface=bridge-vlan1 jump-target=input-vlan1
add action=jump chain=input in-interface=bridge-vlan2 jump-target=input-vlan2
add chain=input in-interface=bridge-local
add action=drop chain=forward comment="mozos-pc\r\
    \n" src-mac-address=
add action=drop chain=forward comment="PC2\r\
    \n" src-mac-address=
add action=drop chain=forward comment="PRIMERO-PC\r\
    \n" src-mac-address=
add action=drop chain=forward comment="NPI8EC7BC\r\
    \n" src-mac-address=
add action=drop chain=forward comment="note-PC eth\r\
    \n" src-mac-address=
add action=drop chain=forward comment="cocina1ero\r\
    \n" src-mac-address=
add action=drop chain=input
add chain=forward out-interface=ether1-gateway
add chain=input-vlan1 dst-port=53 protocol=tcp
add chain=input-vlan2 dst-port=53 protocol=tcp
add chain=input-vlan1 dst-port=53 protocol=udp
add chain=input-vlan1 dst-port=67 protocol=udp
add chain=input-vlan1 dst-port=68 protocol=udp
add chain=input-vlan2 dst-port=67 protocol=udp
add chain=input-vlan2 dst-port=68 protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
 /system package update
set channel=current
/tool romon port
add

Can someone help me?

Also i need to add some por forwardig. In wich part of the firewall or the NAT should I add it?

thanks you very much for your help