Rb960 pgs at EON highspeed connection

Hi,

a friend of mine acquired the above-mentioned router for the new EON Highspeed connection. However, EON requires a VLAN for the connection. Currently the ONT does not establish the WAN connection, hence the router does not get any IP address.

But the question: Is it sufficient to configure a vlan tagged 132 - required by EON - on the WAN interface or is there another table required to connect the vlan 132 to the bridge?

Thanks,

Michael

RB960PGS (a.k.a. hEX PoE) is still a nice gigabit PoE switch but a router with only moderate capacity in the year 2026 (in real life it is capable of routing speeds around 300Mbps give or take).

What exactly needs to be done regarding VLAN ID depends on the exact use scenario. But most of the time it's enough to create a vlan interface, anchored to the physical WAN interface (e.g. sfp interface) and with the appropriate VLAN ID set (132 in your case). Then set up the services required (e.g. DHCP client or PPPoE client) on this vlan interface. Add the eventual WAN interface (might be the PPPoE interface if that is used ... or the vlan interface) as a member of the WAN interface list (so that firewall and NAT rules get effective).

Thanks for telling me some hints.

The only concern is: Is it enough to assign the vlan ID 132 to the WAN interface or is there anything else necessary? Since the ONT has no glowing green LED for LAN active I assume the ONT is either misconfigured or not fully functional. But the ONT won't be very clever.....

Regarding ONT: depends on how particular FO connection (e.g. GPON) is handled ... but usually ONTs will establish connection towards OLT (provider side) and usually there's a led indicating this connection. It is up to FO network operator to make sure this link works.

Then you connect your router to ONT. When using 3rd party router (such as in your case using hEX PoE), it is recommended to have ONT in "bridge mode" which makes it pretty much transparent to traffic.

Regarding VLAN: there are two major configuration locations where one can configure VLANs: bridge/switch settings (with newer devices there's only bridge) and interface. One sets VLAN stuff on bridge/switch if VLANs are used in LAN ... But one has to use /interface/vlan to create VLAN-aware interfaces which will then carry IP (and IPv6) traffic. Without such VLAN interface, router (as in: device running RouterOS and interacting with other devices, members of particular VLAN) can not communicate over VLANs (IP layer doesn't know anything about ethernet and/or VLANs and vlan interface provides required abstraction layer which deals with VLAN tags).

OK, the ONT is part of the provider and as end customer there is no other chance than calling the support. That'll happen today.

VLAN is a logical separation of LAN segments. I'll see what will run if the ONT is working properly and tune some switches to make it working.

We had contact to the 1st level support which is only referring to a fritzbox. This won't help but since still the ONT light is off for LAN, the issue is very likely this ONT.

The config is not complete but can't be tested since no physical connection is detected by the ONT.

No.
As mkx stated you need to create a new vlan interface "on top" of the existing WAN interface.
On the RB960PGS the default is to use ether1 as WAN interface (or alternatively, but of course it depends on the ONT, the SFP port).

The default configuration can be found here:
https://tangentsoft.com/mikrotik/dir/defconf

The relevant parts should be these lines (if ether1 is used, if sfp1 is used it must be additionally taken off the bridge), on the left the default, on the right the modified:

Thanks for this quick reply, but this configuration is already applied. But no reaction from the ISP and no light for LAN on the ONT.

It's me again: we checked the configuration for any flaws but couldn't find any. Still the light for LAN connectivity on the ONT is not working. So far, we couldn't reach the support and the support of EON is a bit strange. However, we hope they either change the ONT or fix it anyhow.

Check settings on both ONT and hEX ... are port settings (autonegotiation, advertised speeds) compatible on both sides?

I can't access the ONT. Hence there is no chance to determine any settings there..

some news:

The EON ONT now is working, but the router does not acquire an IP address from EON. An older Fritzbox is working properly.

But the dhcp client is just searching and apparently does not get any IP address. The vlan for eth1 (WAN) is set to 132, as requested by EON.

I'm a bit lost, what's missing....

Thanks.

And without seeing your current configuration we may provide any number of wild guesses.

Or you could post your configuration for review, instructions here:

which may allow for some valid advice or at least more educated guesses.

Here is the config:

/interface bridge
add admin-mac=D0:EA:11:6D:68:3F auto-mac=no comment=defconf name=bridge
/interface vlan
add comment=EON interface=ether1 name=vlan132-inet use-service-tag=yes \
    vlan-id=132
add comment=tk-anlage interface=ether3 name=vlan232-voip use-service-tag=yes \
    vlan-id=232
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.100.70-192.168.100.90
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.100.250/24 comment=defconf interface=bridge network=\
    192.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1
add interface=vlan132-inet use-peer-ntp=no
add disabled=yes interface=vlan232-voip use-peer-ntp=no
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=192.168.100.250 \
    gateway=192.168.100.250 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.250 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log=yes out-interface=vlan132-inet \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment=telefonie log=yes out-interface=\
    vlan232-voip out-interface-list=LAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I see in the config, the eth1 is still bound to the bridge.... I think this is the culprit....

Changing the bridge assignments didn't help. A Fritzbox connected to the ONT is getting an IP address. Switching to the Mikrotik ends up with no IP. Switching back to the FritzBox immediately gets an IP. Hence the changing MAC address is no problem.

I guess, the VLAN isn't detected by the ONT, for whatever reason.

Normally one should use "normal" VLAN tags ... that's IEEE 802.1Q with ethertype set to 0x8100. Service tags (or S-tags) are usually used for VLAN stacking inside ISP's network ... that's IEEE 802.1ad with ethertype set to 0x88A8.

So set use-service-tag=no on both VLAN interfaces and see if things get any better.

Ether1 is configured as bridge port but that setting is marked as disabled, so it should be inactive (i.e. ether1 should be independent). But yes, remove ether1 from list of bridge ports.
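The difference between the two tag types described in the reply above is visible in the first two bytes after the MAC addresses of every frame. The following is an added example, not part of the thread: it builds two constructed frames carrying VLAN ID 132 and classifies the outermost tag. The source MAC, the helper names and the assumption that the upstream side accepts only a plain 802.1Q tag are illustrative.

```python
import struct

TPID_8021Q = 0x8100    # "normal" VLAN tag (C-tag)
TPID_8021AD = 0x88A8   # service tag (S-tag), used for VLAN stacking
TAG_KIND = {TPID_8021Q: "802.1Q C-tag", TPID_8021AD: "802.1ad S-tag"}


def build_tagged_frame(tpid, vid, pcp=0, inner_ethertype=0x0800,
                       payload=b"\x00" * 46):
    """Constructed test frame: broadcast destination, made-up source MAC."""
    dst = b"\xff" * 6
    src = bytes.fromhex("020000000001")  # locally administered, constructed
    tci = (pcp << 13) | (vid & 0x0FFF)   # 3 bits priority, 12 bits VLAN ID
    return dst + src + struct.pack("!HHH", tpid, tci, inner_ethertype) + payload


def parse_vlan_tags(frame):
    """Walk the tag stack that follows the two MAC addresses.

    Returns (tags, ethertype); tags is a list of dicts, outermost first.
    """
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated before EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TAG_KIND:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"kind": TAG_KIND[ethertype], "tpid": ethertype,
                     "vid": tci & 0x0FFF, "pcp": tci >> 13})
        offset += 4


def accepted_as_8021q(frame, expected_vid):
    """True only if the outermost tag is 802.1Q with the expected VLAN ID.

    Assumption: the upstream device filters on a plain 802.1Q tag.
    """
    tags, _ = parse_vlan_tags(frame)
    return (bool(tags) and tags[0]["tpid"] == TPID_8021Q
            and tags[0]["vid"] == expected_vid)


if __name__ == "__main__":
    for label, tpid in (("use-service-tag=no", TPID_8021Q),
                        ("use-service-tag=yes", TPID_8021AD)):
        frame = build_tagged_frame(tpid, 132)
        tags, inner = parse_vlan_tags(frame)
        print(label, frame[12:16].hex(), tags[0]["kind"],
              "vid", tags[0]["vid"], "accepted:", accepted_as_8021q(frame, 132))
```

The same four bytes can be read from a packet capture on the WAN port to confirm which tag type the router actually sends.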

Ah, thanks a lot.

I'll inform the guy having the problem tonight and will give feedback.

He checked the config but VLAN tagging was disabled at all. He made some changes for a brief attempt to try to achieve an IP address. But I got the latest config now.

# 2026-06-06 18:57:41 by RouterOS 7.21.4
# software id = GWL4-IFWV
#
# model = RB960PGS
# serial number = xyzxyxz
/interface bridge
add admin-mac=D0:EA:11:6D:68:3F auto-mac=no comment=defconf name=bridge
/interface vlan
add comment=EON interface=ether1 name=vlan132-inet use-service-tag=yes \
    vlan-id=132
add comment=tk-anlage interface=ether3 name=vlan232-voip use-service-tag=yes \
    vlan-id=232
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.100.70-192.168.100.90
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.100.250/24 comment=defconf interface=bridge network=\
    192.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1
add interface=vlan132-inet use-peer-ntp=no
add disabled=yes interface=vlan232-voip use-peer-ntp=no
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=192.168.100.250 \
    gateway=192.168.100.250 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.250 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log=yes out-interface=vlan132-inet \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment=telefonie log=yes out-interface=\
    vlan232-voip out-interface-list=LAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Interesting: The config file just shows use-service-tag=yes but within Winbox the flag is not set. Can't I rely on the GUI settings and have always to double check within the terminal settings?
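A check that reads the text export rather than the GUI, as an added example that is not part of the thread: it parses an export and reports the points raised in the replies above, namely VLAN interfaces that send service tags and uplink interfaces that are missing from the WAN interface list, plus NAT rules whose `out-interface` is not a member of their `out-interface-list` and therefore never match. The sample is constructed from lines of the posted export; the function names and finding labels are hypothetical.

```python
import re
import shlex

# Constructed sample: lines taken from the export posted in the thread.
SAMPLE_EXPORT = r'''
/interface vlan
add comment=EON interface=ether1 name=vlan132-inet use-service-tag=yes \
    vlan-id=132
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=LAN
/ip dhcp-client
add comment=defconf interface=ether1
add interface=vlan132-inet use-peer-ntp=no
add disabled=yes interface=vlan232-voip use-peer-ntp=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log=yes out-interface=vlan132-inet \
    out-interface-list=WAN
'''


def parse_export(text):
    """Return {section path: [dict of key=value for each 'add' line]}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin '\'-continued lines
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            tokens = shlex.split(line[4:])  # keeps quoted comments together
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections


def audit(sections):
    """Return a list of (finding, interface name) tuples."""
    findings, members = [], {}
    for m in sections.get("/interface list member", []):
        if m.get("disabled") != "yes":
            members.setdefault(m["list"], set()).add(m["interface"])
    wan = members.get("WAN", set())
    for v in sections.get("/interface vlan", []):
        if v.get("use-service-tag") == "yes":  # 802.1ad instead of 802.1Q
            findings.append(("service-tag", v["name"]))
    for c in sections.get("/ip dhcp-client", []):
        # An enabled DHCP client marks an uplink; WAN-list rules must cover it.
        if c.get("disabled") != "yes" and c["interface"] not in wan:
            findings.append(("uplink-not-in-WAN-list", c["interface"]))
    for r in sections.get("/ip firewall nat", []):
        iface, lst = r.get("out-interface"), r.get("out-interface-list")
        if iface and lst and iface not in members.get(lst, set()):
            findings.append(("nat-rule-never-matches", iface))  # matchers are ANDed
    return findings


if __name__ == "__main__":
    for kind, name in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{kind}: {name}")
```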