Now I do have DHCP on 2,3,4 but still no connectivity between 2,3,4 and the ISP (eth1).
(ISP router is 192.168.1.1, eth1 IP 192.168.1.222, VLAN234 IP = 10.10.10.1, DNS 192.168.1.111)
From the connected PC on Eth ports 2,3,4 I can ping eth1 IP but not ISP.
I cant even ping ISP from winbox tools.
Also there is no switching between 1,5. (I would expect PC connected to 5 would get DHCP from ISP connected to 1).
The setup is:
But is it? If it’s not talking tagged, then remove ether1 from list of tagged members of VLAN 15 (and leave pvid setting under /interface/bridge/port). I’d expect for ISP to pass data (internet) untagged, most IP phones take tagged for VoIP and untagged is passed to the second ethernet port.
Another thing: as soon as you configure ether1 as bridge port, you should stop using it as interface:
With VLAN234 for ethernet ports 2,3,4 and no VLAN for ports 1,5 I have the desired “switch” behaviour between 1,5 and the “router” behaviour" for ports 2,3,4 with NAT behind bridge1 (WAN IP address configured on interface bridge1).
The bandwidth between VLAN clients tested with iperf (both servers and clients) between two linux PCs was ideal (almost 1000/1000), (bw.png).
The bandwidth between a VLAN client and a client connected on ethernet 5 was about 360Mbps and CPU usage 63%, (bw 2-5.png).
What is left, is to test the bandwidth between VLAN and ISP of this setup for download and upload, now I am testing at home where ISP dl/ul speeds are 100/10… In the following days I will check if single bridge+VLAN setup improves double bridge speed results (360/90 for download and upload).
I tested this configuration (two VLANs partitioning single bridge containing all ethernet ports except disabled SPF):
/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] mac-address=c0:11:22:33:44:55
set [ find default-name=ether5 ] poe-out=forced-on
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=bridge1 name=vlan15 vlan-id=1
add interface=bridge1 name=vlan234 vlan-id=234
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan234 name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=234
add bridge=bridge1 interface=ether3 pvid=234
add bridge=bridge1 interface=ether4 pvid=234
add bridge=bridge1 interface=ether5
add bridge=bridge1 disabled=yes interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=none
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=1
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=234
/ip address
add address=192.168.1.222/24 interface=vlan15 network=192.168.1.0
add address=192.168.2.1/24 interface=vlan234 network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.1.0/24 gateway=192.168.1.222
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set servers=192.168.1.111
/ip firewall filter
add action=accept chain=input disabled=no dst-address=192.168.2.1 dst-port=\
13022,8194 in-interface=vlan234 protocol=tcp src-address=192.168.2.0/24
add action=drop chain=input disabled=no in-interface=vlan15 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src=\
"" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=13022
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/system routerboard settings
set auto-upgrade=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
The speedtest result for single bridge is more symmetrical (350/150Mbps) and with a bit lower CPU usage (60% at most) comparing to double bridge setup (350/90 and 90% at most).
The most efficient method was the default Mikrotik configuration for router but this gives the IP phone a local behind NAT IP and although the phone registers I cannot hear peer’s sound.
So I think that this is the issue to resolve, before buying an additional switch device like for example the https://mikrotik.com/product/RB260GSP.
(Any ideas would be mostly welcomed!)
Also, if I powered this one with the POE from the cisco ISP router, could it deliver POE to both the hEX S and the IP phone?
I already mentioned possible reason for the whole thing not working according to wishes: it can be (IMO it’s even very probable) that phone needs some tagged VLAN which is used to transport VoIP data … and you don’t have it configured. You need that info from trusted source (hopefully ISP can provide you with that, forums of normal users are usually less reliable source of such an advanced information) to make sure that ether1 and ether5 are correctly configured. Without that information no device you may throw into the mix will help as soon as device is not completely transparent (and if you start to configure VLANs, then device is not completely transparent any more).
With this setup the phone is working properly, there is only the reduce of the LAN speed issue. Doesn’t this imply that there are no VLAN headers on the data for the phone?
Ah, I misread the part you are talking about most performant setup (where voice doesn’t work).
I’m not sure how much better this can work, test results for your hEX S indicate that it may be capped at 380Mbps (give or take) of routing speed real life.
Regarding PoE: it might work with some tweaking: hEX S only supports passive PoE which means that it won’t negotiate with PD (your phone). So phone might start if you set hEX S PoE out to forced on. Another issue is power budget, hEX S can only output 500mA, at standard 802.3 af/at voltage this translates to 24W. Is this enough for your phone or not? Even if it is, it depends how hEX S negotiates power class with PSE (cisco router). So you probably just should try and see how it goes. At least your hEX S should survive the experiment as it supports input voltages up to 57V (which is also 802.3af/at requirement).
When testing, make sure you test also the case where phone is connected to MT and power fails (e.g. you disconnect MT from cisco). These gadgets tend to draw highest power during power-up and settle for somehow lower power consumption later on. So if the whole setup reliably starts when you plug the cable between MT and cisco, it will quite probably be just fine.
In the current setup, ISP eth cable delivers POE to hEX S and the latter delivers to IP Phone. They work flawlessly.
I was wondering if I could connect a POE passthrough switch to the ISP (like RB260GSP) and on its ethernet ports connect and power both hEX S and the IP phone. The ISP router delivers 15,4 or 30W per ethernet cable. Phone max power is 3,84W, switch 5-58W (5 without attachments) and hEX S is 6W without attachments.
Is it risky?
