Router in wired bridge mode, main router resets streaming ends

NB question…

I have a Mikrotik hex refresh in bridge mode and another device serves as a home router.

Bridge is set between the NAS and a couple of Android TVs with KODI. All involved IP addresses are static, set on the target devices.

If I just disconnect the cable from the router, streaming will continue to work, no IP address loss or reset, just the internet connection is lost. This is expected behavior.

However if I reboot the router, the streaming will stop.

Should I set up a DHCP server on the Mikrotik hEX bridge, or is there something related to ARP or IP settings?

Thanks.

Well, if all the involved devices have static IPs, adding a DHCP server (on the hex or elsewhere) won't change much.

You posted a small fraction of the information needed to even begin thinking what could be the issue.

What "another device" (serving as home router)?

If you disconnect the cable from the router (which likely also has a DHCP server running on the LAN) nothing will change (besides the loss of internet) until the DHCP lease half-time has passed.

When rebooting the router it is possible that something is reset/changed (but it has to be seen from the router configuration).

But all this of course only if one or more of the involved devices have a dynamic IP assigned through a DHCP client.

If everything is "static", it is static; when you remove one of the devices from the network, everything will work exactly as before (minus the removed device and the services/connections that go through it).

No idea what you mean?
Do you mean the hex is acting as a switch between the router and other devices??
Do you have more than one subnet or just one subnet…………

It's an Asus rt-ac68u. It has DHCP running, but mostly for guest devices. Did not change when turned off.

Previously there was an L2 switch, sg-105e, and rebooting the Asus was not an issue.

It looks like devices will lose IP address for a while or disconnect cable from Mikrotik. Read something about changing MAC address when main router reboots, made it fixed but did not help.

Yes, mikrotik hex acts as a switch. Just one subnet.

/export file=anynameyouwish ( minus device serial number )

Moved Asus from port 4 to port 1 (off the switch chip).

Problem solved.

There was like 3 seconds link down on all 4 ports. Maybe Asus sent reset command to its internal switch and it was recognized by hEX?

Glad it's working for ya!

How did you see the link down for 3 seconds? LEDs on hex refresh?

Was there anything in the log on the hex refresh? Did the hex refresh reboot/restart?

It is good you found a work around, but it seems like a bug; I am not aware of anything the Asus could do that should cause all switch ports to drop link.

If you disable rstp on the hex refresh, does it have any effect when the Asus is connected to eth4?

What ROS version (from /system/resource/print) and RouterBoard current firmware (from /system/routerboard/print) is in use on the hex refresh?

/system/resource/print
/system/routerboard/print

I wonder why routerboard/print tells there is 7.22.1 version, while most other commands claim it's 7.22.2.

Reconnected Asus router back to Port 4, and it's still perfectly repeatable.

/system/resource/print
uptime: 6h1m31s
version: 7.22.2 (stable)
build-time: 2026-04-22 08:03:57
factory-software: 7.20
free-memory: 442.9MiB
total-memory: 512.0MiB
cpu: ARM
cpu-count: 2
cpu-load: 0%
free-hdd-space: 104.2MiB
total-hdd-space: 128.0MiB
write-sect-since-reboot: 82
write-sect-total: 59403
bad-blocks: 0%
architecture-name: arm
board-name: hEX
platform: MikroTik

/system/routerboard/print
routerboard: yes
board-name: hEX
model: E50UG
serial-number: *******
firmware-type: en7562
factory-firmware: 7.20.4
current-firmware: 7.22.1
upgrade-firmware: 7.22.2

# 2026-05-04 11:36:32 by RouterOS 7.22.2
# software id = YLQD-W62S
#
# model = E50UG
# serial number = ****

/interface bridge
add comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether2 ] comment="Tv Thomson" loop-protect=off rx-flow-control=on
set [ find default-name=ether3 ] comment=NAS rx-flow-control=on tx-flow-control=on
set [ find default-name=ether4 ] loop-protect=on rx-flow-control=on tx-flow-control=on
set [ find default-name=ether5 ] comment="Tv Strong" loop-protect=off rx-flow-control=on
/interface ethernet switch port-isolation
set 0 forwarding-override=ether3,ether4
set 1 forwarding-override=ether2,ether4,ether5
set 3 forwarding-override=ether3,ether4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip dns forwarders
add dns-servers=**** name=HA verify-doh-cert=no
/ip pool
add name=pool1 ranges=.5,.9
/port
set 0 baud-rate=38400 name=usb0
/queue type
add kind=pcq name=queue1 pcq-burst-rate=145M pcq-classifier=dst-address pcq-dst-address-mask=27 pcq-rate=144M pcq-src-address-mask=27
add kind=red name=queue2 red-avg-packet=1460
set 10 mq-pfifo-limit=800
/queue interface
set ether1 queue=multi-queue-ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=multi-queue-ethernet-default
set ether4 queue=multi-queue-ethernet-default
set ether5 queue=ethernet-default
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf edge=yes ingress-filtering=no interface=ether2 internal-path-cost=1 learn=no multicast-router=disabled point-to-point=yes unknown-multicast-flood=no
add bridge=bridge comment=defconf edge=yes ingress-filtering=no interface=ether3 learn=no multicast-router=disabled point-to-point=yes unknown-multicast-flood=no
add bridge=bridge comment=defconf edge=yes ingress-filtering=no interface=ether4 learn=no multicast-router=disabled unknown-multicast-flood=no
add bridge=bridge comment=defconf edge=yes ingress-filtering=no interface=ether5 learn=no multicast-router=disabled point-to-point=yes unknown-multicast-flood=no
add bridge=bridge hw=no ingress-filtering=no interface=ether1 learn=no multicast-router=disabled unknown-multicast-flood=no
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set secure-redirects=no send-redirects=no tcp-timestamps=enabled
/ipv6 settings
set disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=ether1 list=LAN
add comment=Thomson interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add comment=Strong interface=ether5 list=LAN
/ip address
add address=.2/27 comment=bridge1 interface=bridge network=.0
/ip arp
add address=*** interface=bridge mac-address=****
add address=***** interface=bridge mac-address=****
/ip cloud
set update-time=no
/ip dhcp-server config
set store-leases-disk=immediately
/ip dns
set allow-remote-requests=yes servers=*****
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=****
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=internal
add interface=ether2 type=internal
add interface=ether3 type=external
add interface=ether4 type=internal
add interface=ether5 type=internal
add interface=lo type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/snmp
set trap-interfaces=all
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Bratislava
/system gps
set coordinate-format=dd enabled=yes port=usb0
/system leds
add interface=ether1 leds=user-led type=interface-activity
/system ntp server
set enabled=yes local-clock-stratum=1 use-local-clock=yes
/system ntp client servers
add address=127.127.1.0
add address=ntp1.cesnet.cz
add address=ntp.slovanet.net
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

If that's your switch setup then you are confused.
Here is a typical hex switch setup……
It takes the single subnet from the router on port2 and distributes it to ports 3,4,5.
Ether1 is used if there is lost comms to the router via the bridge and one simply plugs the laptop into ether1, and manually changes IPV4 settings to 192.167.75.2 and with username and password gain access.

/interface bridge
add name=bridgeSW port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=emergaccess
/interface list
add name=MGMT
/interface bridge port
add bridge=bridgeSW interface=ether2 comment="port to router"
add bridge=bridgeSW interface=ether3 comment="port to PC"
add bridge=bridgeSW interface=ether4 comment="port to printer"
add bridge=bridgeSW interface=ether5 comment="port to NAS"
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface list member
add interface=bridgeSW list=MGMT
add interface=emergaccess list=MGMT
/ip address
add address=192.168.0.2/24 interface=bridgeSW network=192.168.0.0
add address=192.168.75.1/30 interface=emergaccess network=192.168.75.0
/ip dns
set servers=192.168.0.1
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=main
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

RouterOS=!Firmware

You likely updated the ROS to 7.22.2 but did not upgrade the firmware which remained at 7.22.1.

Not his fault that almost every other vendor calls the "system" update a "firmware" update.

Yep, Mikrotik calls the same thing as any of:
RouterOS
system package
software

The procedure is called either of:
upgrade
update

and the "thing that is seen in /routerboard" is called either:
firmware
routerboot

The command to actually upgrade routerboot is
/system/routerboard/upgrade
which prompts you
Do you really want to upgrade firmware? [y/n]

I agree the bridge configuration is messy, but I need all 5 ports in one subnet/interface. Some of the settings were edited out.

Current configuration works as intended, maybe a bit limited towards Asus router and devices in this part, but highest bitrates are between NAS and TVs.

Not saying these are related, but I noticed that you have a non-default setting for loop-protect on some of your ethernet ports.

/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=on tx-flow-control=on
set [ find default-name=ether2 ] comment="Tv Thomson" loop-protect=off rx-flow-control=on
set [ find default-name=ether3 ] comment=NAS rx-flow-control=on tx-flow-control=on
set [ find default-name=ether4 ] loop-protect=on rx-flow-control=on tx-flow-control=on
set [ find default-name=ether5 ] comment="Tv Strong" loop-protect=off rx-flow-control=on

In addition, you are using a seldom-used switch "port-isolation" feature.

/interface ethernet switch port-isolation
set 0 forwarding-override=ether3,ether4
set 1 forwarding-override=ether2,ether4,ether5
set 3 forwarding-override=ether3,ether4

Do loops exist in your setup?

You stated that if you replace the hex refresh with an sg-105e, things work. How was the sg-105e configured (loop protection)? Were you using the "MTU vlan", which is a poor man's port-isolation, with it? (MTU in this context is Multi-Tenant Unit VLAN, not Max Transmission Unit.) If you are not using vlans (i.e. you have a flat network) but you still want to limit what other ports are able to communicate with each other, you can use port-isolation on the hex refresh (or, on the sg-105e, asymmetric vlans with all ports untagged, as a poor-man's pvlan, although I haven't seen this documented except here).

What is the purpose of using the switch port-isolation? Do you want some devices not to be able to communicate with each other?

No loops.

It was off, but during the weekend I went through a bunch of settings in order to identify which one affects the issue with reboot. No change whatsoever (until router was moved to ether1cpu).

Port Isolation - yeah… I don't want TVs to see each other, and one device should be able to communicate only in direction of ASUS router (to be installed).

On SG-105e - MTU wasn't the right solution, because TVs were able to see just one uplink port - usually router, not the NAS, with flat LAN without any VLAN. I went for Port Based VLAN. Loop protection was off. A

(SG-105e was losing Flow Control setup (was on, but not active), and when I finally managed VLANs to work, it was reporting errors (probably not real issue with data). Operating a bunch of Android TVs while using DVD ISOs or 4k UHDs is a mess (8.8mbit was putting ports into sleep, and 4k can go as high as 144mbit), so using 1gbit USB adapters on TVs helps - up to 480mbit, but requires Flow control, currently giving a try to Queues).

hEX refresh resolved all above

Ports 2-5 on hEX refresh allow 800mbit easily, no issues with Flow Control, 4+ clients streaming up to 100mbit and scrolling through the video.

Ether1CPU is limited to 320mbit, so I wanted it reserved for future use, but it's not an issue only when I upload new movies.

The issue…

Basically when Asus Router reboots and it's connected to ports 2-5, hEX reports link down on these ports for 3 seconds, client devices lose their connection too and all appears like the LAN cable was yanked out for a while. Connection does not restore until router is up, and starts working. Setting up DHCP server on hEX solved that only partially - network was operational earlier than Asus router was fully up again.

And it was occurring before I tried port isolation.

What I don't understand is what is triggering the other ports in the bridge to drop link when the Asus reboots.

You said that disconnecting from the Asus (pulling wire connecting the hex refresh port 4 to Asus) did not cause the stream from NAS to TV to be interrupted. Is it also true that reconnecting the cable (after say 5 seconds) did not adversely affect the streams?

What you are seeing does seem odd to me.

Not suggesting you try this, but it is possible to manually configure the sg-105e so you have two "uplink" ports by using asymmetric vlans. In the example I linked to, what you would do is set two of the ports like port #1 (where they would use vlan 1 to transmit frames). Then the other ports would remain the same as far as PVID, but would include themselves and the other two "uplink" ports in the vlan membership.

The port-isolation in ROS can have the same effect, and I am reasonably sure it does so without using vlans (I think it blocks forwarding at the port level, not vlan level). So at least in theory, you should be able to use port-isolation simultaneously with vlans.
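
The asymmetric-VLAN layout with two uplinks and the port-isolation alternative from the post above, modelled as an added example (not code from the thread or from either vendor). Port numbers 1-5, ports 1 and 2 as the uplinks, and all function names are assumptions; the model only tracks which ports an untagged frame may leave through.

```python
# Added example: a simplified forwarding model, not vendor code.
# Assumed layout: ports 1-5, ports 1 and 2 are the "uplinks", 3-5 are clients.

def asymmetric_vlan_egress(ports, uplinks, uplink_vid=1):
    """Egress set per ingress port for an all-untagged asymmetric-VLAN setup.

    Uplinks classify ingress frames into uplink_vid, whose members are all
    ports. Each client port p keeps PVID p, whose members are p plus uplinks.
    """
    ports, uplinks = set(ports), set(uplinks)
    clients = ports - uplinks
    if uplink_vid in clients:
        raise ValueError("uplink VLAN id collides with a client PVID")
    pvid = {p: (uplink_vid if p in uplinks else p) for p in ports}
    members = {uplink_vid: set(ports)}
    for p in clients:
        members[p] = {p} | uplinks
    # A frame is never sent back out of the port it arrived on.
    return {p: members[pvid[p]] - {p} for p in ports}


def port_isolation_egress(ports, override):
    """Egress set per ingress port when some ports carry a forwarding override.

    Ports without an entry in override forward to every other port.
    """
    ports = set(ports)
    return {p: set(override.get(p, ports)) - {p} for p in ports}


def talking_pairs(egress):
    """Port pairs with a forwarding path in both directions."""
    ports = sorted(egress)
    return {(a, b) for a in ports for b in ports
            if a < b and b in egress[a] and a in egress[b]}


PORTS = [1, 2, 3, 4, 5]      # constructed sample layout
UPLINKS = [1, 2]

if __name__ == "__main__":
    vlan = asymmetric_vlan_egress(PORTS, UPLINKS)
    iso = port_isolation_egress(PORTS, {3: {1, 2}, 4: {1, 2}, 5: {1, 2}})
    for name, egress in (("asymmetric vlans", vlan), ("port isolation", iso)):
        print(name, sorted(talking_pairs(egress)))
```

Both layouts yield the same set of port pairs: every client reaches both uplinks, and no client reaches another client.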