Share cable IPTV & Internet RB951G/CRS125

Hi guys,

I’ve been using a RB951G-2HnD for about a year now, as my primary router.

My ISP sends 2 VLANs for the services:
-VLAN 6 as transport for the PPPoE session
-VLAN 4 for multicast IPTV traffic

My RB951G has 2 bridges (bridge-local & bridge-iptv). This means I have to connect 2 wires from the router to my apartment: 1 is connected to bridge-local and the other to bridge-iptv, obviously.
This configuration works, however it would be great if I could share both services on 1 UTP cable. I’ve ordered a CRS125 to accomplish this, yet I’m not sure how to set it all up.

I don’t use a VLAN for my local network & VLAN 4 is delivered to my STB’s, untagged.

Is it possible to configure the RB951G the way I would like, or should I use the CRS125 for it?

This is the relevant config of my RB951G:

/interface ethernet
#
# Port 1 (ether1) = NTU 
#
set 0 arp=proxy-arp auto-negotiation=yes  \
    disabled=no full-duplex=yes l2mtu=1598  \
    mtu=1500 name=ether1-gateway speed=1Gbps
#
# Port 2 (ether2) = LAN
#

set 1 arp=enabled auto-negotiation=yes \
    disabled=no full-duplex=yes l2mtu=1598 \
    mtu=1500 name=ether2 speed=1Gbps

#
# VLAN 4 = iptv
# VLAN 6 = internet
#

/interface vlan
add arp=enabled disabled=no interface=ether1-gateway l2mtu=1594 mtu=1500 \
    name=vlan1.6 use-service-tag=no vlan-id=6
add interface=ether1-gateway l2mtu=1594 name=vlan1.4 vlan-id=4

#
# PPPoE profile
#

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=\
    default use-encryption=default use-mpls=default use-vj-compression=\
    default

#
# PPPoE Client
#

/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 \
    dial-on-demand=no disabled=no interface=vlan1.6 keepalive-timeout=20 max-mru=1480 max-mtu=1480 \
    mrru=disabled name=pppoe password=xxx profile=default \
    use-peer-dns=no user=xx-xx-xx-xx-xx-xx
	
#
# Bridges
#

/interface bridge
add name=bridge-local arp=proxy-arp
add name=bridge-iptv

/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=wlan1
add bridge=bridge-iptv interface=vlan1.4
add bridge=bridge-iptv interface=ether5

Well, IGMP Proxy should resolve that problem, so you can put everything behind the NAT… :wink:

For example, I use a CRS125 for the very same purpose; the only difference is that my ISP doesn't use PPPoE but plain DHCP.
And 10.0.0.0/23 is ISP IPTV servers network.

Relevant config:
/interface vlan
add interface=sfp1 l2mtu=1584 name=sfp1.4 vlan-id=4

/ip dhcp-client
add default-route-distance=0 dhcp-options=clientid,hostname disabled=no \
    interface=sfp1
add add-default-route=special-classless dhcp-options=clientid,hostname disabled=no \
    interface=sfp1.4

/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp1
add action=masquerade chain=srcnat out-interface=sfp1.4

/routing igmp-proxy
set query-interval=1m5s

/routing igmp-proxy interface
add alternative-subnets=10.0.0.0/23 interface=sfp1.4 upstream=yes
add interface=ether01

This is CRS specific, and as MikroTik doesn't support IGMP snooping, I'm forced to use multicast-fdb, as I don't want to flood multicast out to all interfaces, but only to STBs (filtering by STB MAC addresses).

/interface ethernet switch multicast-fdb
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes

As a side note, I don't use a bridge interface. The local network IP and DHCP are configured directly on ether01, which is master for all other ports.
SFP1 is the Internet VLAN from the ISP, which is untagged; SFP1.4 is the IPTV VLAN 4, tagged.
The local network is “flat”, no separate VLANs, everything is in the same subnet (the very same way you want to achieve this).

Sharing multiple networks over one cable can be done with VLANs.
But you need a VLAN-capable device on both sides of the network.
There are simple 8 or 16 port switches which support Layer 2 VLANs, like the TP-Link TL-SG1016DE (http://nl.tp-link.com/products/details/?categoryid=&model=TL-SG1016DE#spec).
Pricing is around € 95 (https://www.4launch.nl/shop/#p-4-productid-347477).

On the MKT side you make 2 tagged VLAN interfaces on an Ethernet port,
and add those tagged VLAN interfaces to the bridges you have.
On the switch side you define 2 VLANs and put those tagged on the single uplink port and untagged on the other ports you wish to use for TV and for computer/LAN.
The VLAN IDs on the link between the MKT and the switch are free to choose, like 100 and 200. They do not need to be the same as the VLAN 4/6 you have on your WAN side.

IMHO, I don't see any reasonable point in using different internal VLANs on such a small network... especially when you only have a couple of STBs… :slight_smile:
Also, that would require changing the switch config every time you unplug an STB and plug it in somewhere else.

When you have one “flat” LAN, you can just connect and disconnect devices without even logging in to the router or switch and it would just work. :wink:

@Etz

Yes, flat would be perfect, but it is not working in his situation.
The STBs are not using a ‘standard’ internet connection. They have a separate network on the provider network and should have direct IPs from the provider. So also no NAT.
The LAN devices require a ‘normal’ internet connection and also should use NAT.
This is why you need 2 separate networks internally. The 2 internal networks must be connected to the 2 external ISP VLAN networks.

I have made a lot of these kinds of constructions for customers who have KPN or XS4ALL (Dutch ISPs), who are working with VLAN 4 (TV), 6 (PPPoE internet) and 7 (VoIP).

Why not?

Actually they do not. I have a pretty similar setup myself, and it will work just fine behind the NAT; you just need to provide connectivity for the STBs via IGMP Proxy.
Also, UDP connectivity is needed to receive the stream.

You don't need multiple internal networks for this; routes received via DHCP or even static routes would resolve this.
The only thing you need is 2 NATs, one for every uplink, and IGMP Proxy for the IPTV VLAN.

I have done multiple setups in Telia networks and also worked for years for one of the ISPs belonging to Telia. :wink:

@Etz

I do not say your solution is not working.
It is more that I have not worked with IGMP Proxy. I will take some time to learn more about these features.

Thank you for your explanations.

At the last rules, which port(s) did you add, since it seems to be required? I’ve tried ether2, ether2 & ether22 (connected to STB) and just ether22. None of those combinations worked. My ISP sends me encrypted multicast traffic (I need the STB to decrypt & watch TV), would that matter regarding this configuration?

/interface ethernet switch multicast-fdb
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes

I’ve changed my setup & configured my CRS125 as a switch, ether1 as gateway, the other ports use master-port=ether2. Although I’ve still created a bridge, to add to wlan1. Could I also use the dhcp-server of ether2 on wlan1 (configured as AP) without creating a bridge?

What do you mean by last rules?
If you use a firewall then you have to allow IGMP & UDP through it. (My example doesn't contain those.)

Doesn't matter, it will still work. My ISP does exactly the same.

Without a bridge, your WLAN probably won't work, so you need a bridge. (I don't, as my device doesn't have a wireless AP built in.)
And if you use a bridge, just replace ether01 in my configs with the corresponding bridge interface :wink:

After entering the command regarding multicast-fdb, the console echoed “Ports:”, so I assumed it was required.

I’ve reverted to a bridge configuration, to attach wlan1 to the bridge. This time, my STB receives a lease in the same pool of my LAN: 192.168.2.244/24.
Normally, the STB is connected with IP 10.15.69.146/16, gateway 10.15.0.1. This time the STB seemed to boot like it should: normal bootscreen (loading software - loading EPG) and when it would normally switch to a broadcast, an error code appears, stating the STB isn’t connected to the IPTV network.
/ip dhcp-client print
Flags: X - disabled, I - invalid
 #   INTERFACE   USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS
 0   vlan1.4     yes          special-classless searching...

/interface vlan
add interface=ether1-gateway l2mtu=1594 name=vlan1.4 vlan-id=4
add interface=ether1-gateway l2mtu=1594 name=vlan1.6 vlan-id=6

/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 \
    dial-on-demand=no disabled=no interface=vlan1.6 keepalive-timeout=20 max-mru=1480 max-mtu=1480 \
    mrru=disabled name=pppoe password=xxx profile=default \
    use-peer-dns=no user=xx-xx-xx-xx-xx-xx

/ip dhcp-client
add add-default-route=special-classless dhcp-options=clientid,hostname \
    disabled=no interface=vlan1.4

/routing igmp-proxy
set query-interval=1m5s

/routing igmp-proxy interface
add alternative-subnets=10.0.0.0/16 interface=vlan1.4 upstream=yes
add interface=br-local

/interface ethernet switch multicast-fdb
add address=00:02:9b:88:20:05 bypass-vlan-filter=yes svl=yes

/interface bridge
add arp=proxy-arp l2mtu=1588 name=br-local

/interface bridge port
add bridge=br-local interface=ether2
add bridge=br-local interface=ether3
add bridge=br-local interface=wlan1

/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan1.4

/ip firewall filter
add chain=input comment="iptv igmp" in-interface=vlan1.4 protocol=igmp
add chain=input comment="iptv udp" in-interface=vlan1.4 protocol=udp

/interface ethernet switch multicast-fdb
add address=00:02:XX:XX:XX:XX bypass-vlan-filter=yes svl=yes

Flags: X - disabled, R - radius, D - dynamic, B - blocked
 #   ADDRESS        MAC-ADDRESS        HOST-NAME  SERVER    RATE-LIMIT  STATUS
 0 D 192.168.2.250  XX:XX:XX:XX:XX:XX             dhcp-lan              bound
 1 D 192.168.2.244  00:02:XX:XX:XX:XX             dhcp-lan              bound

ps. In the above config, 192.168.2.250 is my own PC.

Apparently your IPTV upstream interface didn't obtain an IP from the ISP :wink:

This may be rather unsafe. I, for example, use those rules in conjunction with src-address, permitting them only from the multicast servers. Here is the example:

chain=input action=accept protocol=igmp src-address=10.0.0.0/23 in-interface=sfp1.4

And don't forget to add them to the forward chain as well, if you use it.
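
The advice in the reply above (accept IGMP and UDP on the IPTV uplink only from the multicast servers' subnet) can be checked mechanically against a RouterOS export. The following Python sketch is an added example, not code from any poster in this thread; the function names and the choice to pass the WAN-facing interface names as a parameter are assumptions, and the sample export is constructed from firewall rules quoted in the thread.

```python
import shlex

# Constructed sample, assembled from firewall rules quoted in this thread.
SAMPLE_EXPORT = """\
/ip firewall filter
add chain=input comment="iptv igmp" in-interface=vlan1.4 protocol=igmp
add chain=input comment="iptv udp" in-interface=vlan1.4 protocol=udp
add chain=input in-interface=vlan1.4 protocol=igmp src-address=10.32.128.0/17
add chain=forward in-interface=vlan1.4 protocol=udp src-address=\\
    10.32.128.0/17
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan1.4
"""


def join_continuations(text):
    """Merge export lines that end with a backslash into one logical line."""
    merged, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        merged.append(pending + line)
        pending = ""
    if pending:
        merged.append(pending)
    return merged


def parse_filter_rules(text):
    """Return one dict per 'add' line in the /ip firewall filter section."""
    rules, in_section = [], False
    for line in join_continuations(text):
        if line.startswith("/"):
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            tokens = shlex.split(line)[1:]
            rule = dict(t.split("=", 1) for t in tokens if "=" in t)
            rule.setdefault("action", "accept")  # export omits the default
            rules.append(rule)
    return rules


def unrestricted_accepts(text, wan_interfaces, protocols=("igmp", "udp")):
    """List accept rules on WAN-facing interfaces that match any source."""
    findings = []
    for index, rule in enumerate(parse_filter_rules(text)):
        if (rule["action"] == "accept"
                and rule.get("chain") in ("input", "forward")
                and rule.get("in-interface") in wan_interfaces
                and rule.get("protocol") in protocols
                and "src-address" not in rule
                and "src-address-list" not in rule):
            findings.append((index, rule["chain"], rule["protocol"]))
    return findings


if __name__ == "__main__":
    for index, chain, proto in unrestricted_accepts(SAMPLE_EXPORT, {"vlan1.4"}):
        print(f"rule {index}: chain={chain} protocol={proto} accepts any source")
```

On the sample, the two rules without `src-address` are reported and the two that pin the source to 10.32.128.0/17 are not.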

Hi, I need help please.

It’s simple:

PC1 192.168.7.254 with VLC streaming UDP 224.0.23.10, in router eth2 192.168.7.1

PC2 192.168.6.254 With VLC CLient in router eth3 192.168.6.1

Igmp proxy set up.
But in client I can’t see the streaming.
I test all.




Hi,

Currently I am trying to accomplish the very same situation, using the fiber from KPN on my CRS125. I switched from a RB2011 to a CRS125. The main reason was to get more speed out of my router. We have 500/500mbit over here, but with the RB2011 we only get ~200mbit d/u. So I thought the CRS125 could accomplish more because of the switch function.

I already tried some configs, but I still only got around 200/mbit up/down. Almost the same config as the RB2011, with bridges and firewall rules. I would like to see my CRS125 using more of its switch-cpu capacities so I can get a higher speed down and up.

@Sparkling Could you perhaps share your config, so I could test it on my CRS125 (with WLAN1)? Thanks!

What did you expect?
They have the same CPU, which means routing performance is pretty much equal.

If you want higher performance you should have bought RB1100AHx2 or CCR.
CRS series is a switch with additional routing capability, mainly included for management purposes.

Yup indeed, qualify me as a rookie :slight_smile: I thought it would be possible with the switch-cpu inside, but I was mistaken. Time to sell the CRS125 then and go for the RB1100AHx2, I guess.

Will the RB1100AHx2 put through 500/500mbit with NAT and a couple of firewall rules? It's just so nice to have an all-in-one router with onboard WiFi and learning capabilities in it :slight_smile:

Thanks

RB1100AHx2 should do it, but it does not have wireless, so either you have to keep your CRS or buy a separate access point.

If I were you, I would keep the CRS as well… it is actually a very capable switch with a very nice feature set… :wink:
The only thing it lacks is raw routing performance, since its primary purpose is switching, so it has lots of switch features which other RBs are missing.

Due to some other things, I haven’t had the time to continue working on this configuration. So I still have 2 cables per apartment :laughing:

Yesterday, I’ve started from scratch. Unfortunately, the setup still isn’t working. With some help of wireshark (the pcap file: https://www.dropbox.com/s/kb6lv3335kx122v/vlan4_boot.pcapng?dl=0, captured while the STB was connected to a bridge), I’ve been able to narrow down the actual STB subnet, yet the upstream interface still won’t obtain an IP. The STB still receives an IP in my LAN.

/ip dhcp-client print
Flags: X - disabled, I - invalid
 #   INTERFACE                                     USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS
 0   vlan1.4                                       yes          special-classless searching...



14:53:06 dhcp,debug,packet dhcp-client on vlan1.4 sending discover with id 811880031 to 255.255.255.255
14:53:06 dhcp,debug,packet     secs = 7
14:53:06 dhcp,debug,packet     flags = broadcast
14:53:06 dhcp,debug,packet     ciaddr = 0.0.0.0
14:53:06 dhcp,debug,packet     chaddr = D4:CA:6D:FA:6C:AE
14:53:06 dhcp,debug,packet     Msg-Type = discover
14:53:06 dhcp,debug,packet     Parameter-List = Subnet-Mask,Classless-Route,Router,Static-Route,Domain-Server,NTP-Server,CAPWAP-Server
14:53:06 dhcp,debug,packet     Client-Id = 01-D4-CA-6D-FA-6C-AE
14:53:06 dhcp,debug,packet     Host-Name = "MikroTik"

# mar/28/2015 13:58:02 by RouterOS 6.27
# software id = 2BXK-1C8B

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] speed=1Gbps
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether16 ] master-port=ether2
/interface vlan
add interface=ether1-gateway l2mtu=1584 name=vlan1.4 vlan-id=4
add interface=ether1-gateway l2mtu=1584 name=vlan1.6 vlan-id=6
/routing igmp-proxy
set query-interval=1m5s
/routing igmp-proxy interface
add alternative-subnets=10.32.128.0/17 interface=vlan1.4 upstream=yes
add interface=ether2
/interface ethernet switch multicast-fdb
add address=00:02:xx:xx:xx:05 bypass-vlan-filter=yes svl=yes
/ip address
add address=192.168.2.254/24 interface=ether2 network=192.168.2.0
/ip dhcp-client
add add-default-route=special-classless dhcp-options=clientid,hostname \
    disabled=no interface=vlan1.4
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254 domain=local gateway=\
    192.168.2.254
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 disabled=no interface=vlan1.6 \
    keepalive-timeout=2 name=pppoe password=xxx user=\
    xx-xx-xx-xx-xx-xx
/ip neighbor discovery
set pppoe discover=no
set ether1-gateway discover=no
set vlan1.6 discover=no
/ip pool
add name=default ranges=192.168.2.50-192.168.2.240
/ip dhcp-server
add address-pool=default authoritative=yes disabled=no interface=ether2 \
    lease-time=1h30m name=default
/routing bgp instance
set default disabled=yes
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.4.4,8.8.8.8
/ip firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input connection-state=invalid
add chain=input in-interface=ether2
add chain=input in-interface=vlan1.4 protocol=igmp src-address=10.32.128.0/17
add chain=input in-interface=vlan1.4 protocol=udp src-address=10.32.128.0/17
add chain=forward in-interface=vlan1.4 protocol=igmp src-address=\
    10.32.128.0/17
add chain=forward in-interface=vlan1.4 protocol=udp src-address=\
    10.32.128.0/17
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=vlan1.4
/tool sniffer
set filter-interface=vlan1.4 streaming-enabled=yes streaming-server=\
    192.168.2.239

I’d suggest dropping the /interface vlan and other CPU stuff, and doing this via the switch chip: http://forum.mikrotik.com/t/vlans-with-switch-chip-crs125/100157/1

Hello
You used a bridge for this scenario, but it overloads the CPU.
I suggest you use the switch chip instead of the bridge.
Good luck

Hi Guys,

Did someone resolve that case?
Is there any procedure for setting up the CRS1xx router to put the load on the chip instead of the CPU?

My ISP is working via PPPoE Client
I also use the IPTV

Before I bought that router I was hoping that the CRS would solve my issue with overloading the CPU on my old hEX router.

So we’ve set up PPPoE on the interface.
The 600MHz CPU is working in the range 5 - 30%; when I measure the internet speed it can jump to 80%.
While I measure the internet speed, IPTV is lagging! Here I really wonder WHY? This router uses 3 switches, each on a separate chip.

In the first 8 ports I’ve connected the ISP cable and IPTV, no more devices; other LAN ports are used in the 2nd and 3rd section, see image

Here is my configuration export:

/interface bridge
add admin-mac=B8:69:F4:7A:5E:4D auto-mac=no name=bridge-dsi-iptv protocol-mode=none
add name=bridge-local protocol-mode=none

/interface ethernet
set [ find default-name=ether1 ] name=ether01-dsi
set [ find default-name=ether2 ] name=ether02-iptv
set [ find default-name=ether3 ] disabled=yes name=ether03
set [ find default-name=ether4 ] disabled=yes name=ether04
set [ find default-name=ether5 ] disabled=yes name=ether05
set [ find default-name=ether6 ] disabled=yes name=ether06
set [ find default-name=ether7 ] disabled=yes name=ether07
set [ find default-name=ether8 ] disabled=yes name=ether08
set [ find default-name=ether9 ] name=ether09
set [ find default-name=sfp1 ] disabled=yes

/interface pppoe-client
add add-default-route=yes disabled=no interface=ether01-dsi keepalive-timeout=60 name=pppoe-dsi-data password=XXXXXX use-peer-dns=yes user=XXXXXX

/interface vlan
add interface=ether01-dsi name=vlan1-dsi-iptv vlan-id=250
add disabled=yes interface=ether01-dsi name=vlan2 use-service-tag=yes vlan-id=1

/interface list
add name=dsi
add name=local

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=pool-local ranges=10.0.0.200-10.0.0.249

/ip dhcp-server
add address-pool=pool-local disabled=no interface=bridge-local name=dhcp-local

/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp

/interface bridge port
add bridge=bridge-dsi-iptv interface=ether02-iptv learn=no pvid=250
add bridge=bridge-local interface=ether09
add bridge=bridge-local interface=ether10
add bridge=bridge-local interface=ether11
add bridge=bridge-local interface=ether12
add bridge=bridge-local interface=ether13
add bridge=bridge-local interface=ether14
add bridge=bridge-local interface=ether15
add bridge=bridge-local interface=ether16
add bridge=bridge-local interface=ether17
add bridge=bridge-local interface=ether18
add bridge=bridge-local interface=ether19
add bridge=bridge-local interface=ether20
add bridge=bridge-local interface=ether21
add bridge=bridge-local interface=ether22
add bridge=bridge-local interface=ether23
add bridge=bridge-local interface=ether24
add bridge=bridge-dsi-iptv interface=vlan1-dsi-iptv multicast-router=disabled
add bridge=bridge-dsi-iptv disabled=yes interface=ether01-dsi

/ip neighbor discovery-settings
set discover-interface-list=local

/interface bridge vlan
add bridge=bridge-dsi-iptv disabled=yes tagged=ether01-dsi untagged=ether02-iptv vlan-ids=250

/interface list member
add comment="2 switch" interface=ether09 list=local
add comment="1 switch" interface=ether01-dsi list=dsi
add interface=ether02-iptv list=dsi
add interface=ether10 list=local
add interface=ether11 list=local
add interface=ether12 list=local
add interface=ether13 list=local
add interface=ether14 list=local
add interface=ether15 list=local
add interface=ether16 list=local
add interface=ether17 list=local
add interface=ether18 list=local
add interface=ether19 list=local
add interface=ether20 list=local
add interface=ether21 list=local
add interface=ether22 list=local
add interface=ether23 list=local
add interface=ether24 list=local

/ip address
add address=10.0.0.1/24 interface=bridge-local network=10.0.0.0

/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24

/ip dns
set allow-remote-requests=yes

/ip dns static
add address=10.0.0.1 name=router

/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related

Can someone help me setup my CRS125-24G-1S-2HnD that it will use internal CHIP instead of CPU ? It’s enough if IPTV will be routed somehow using switch CHIP instead of CPU

THX