Hello, I recently started working with a MikroTik router and switches configuration. The first order of business was to get access from my station to the management of the switches without having to physically plug my Ethernet port into them or change my VLAN.
So, since their management is on a different VLAN, I configured a NAT, and a firewall rule that allows input traffic from my station’s reserved IP with my MAC address.
I can ping the default gateway of that VLAN, but I can’t access the switches either via ping or via the web browser.
I tried looking at the documentation but it’s all for the terminal and not for the web, and I’m still trying to figure out the web before I dive into learning the whole terminal.
Webfig (I hope you’re not still using QuickSet) has an almost identical hierarchical structure to the CLI. So when you get some command for CLI, you should be able to configure the same through GUI (both Webfig and Winbox).
Sorry, I am on a switch port and that switch is connected to the router. I am in VLAN A and have 1 subnet, and the switches are managed via VLAN B, which has a different subnet. All the switches are connected to the router. Hope this helps.
So when you get some command for CLI, you should be able to configure the same through GUI
Well, I tried port mirroring on both ingress and egress from the switch bridge to the SFP port, but there’s no traffic. And that’s pretty much what the guide said about CLI.
Depending on which particular switch model there are two ways of getting port mirrored … so if you want to get some concrete advice, give us some details.
CSS326-24G-2S+ is the switches’ model number. I don’t have SSH access to the router yet and the terminal option in the web browser is borked.
Hope this helps.
Hey, turns out the switch is running RouterOS, which might explain (might not) why the command for set did not have switch1 like the manual showed.
Anyway, I’ve attached a screenshot of the web config I managed to find and try. It doesn’t work, but maybe it’s something that will clarify why it doesn’t.
I’m not going to look at some random screenshots. I suggest you start using CLI real quick and post a text export of the configuration (execute /export hide-sensitive and copy-paste the output inside a [code] [/code] environment).
Are you sure you want to mirror traffic originating from (and terminating at) the switch’s own management interface? Interface switch1-cpu is the interconnect between the switch chip and the device’s CPU, and when the device is strictly used as an Ethernet switch, the only traffic passing the interconnect will be management of the device.
OK, but that’s a bit off-topic, since I started this topic trying to get access to the switches’ management network from my VLAN, and the SPAN is just a reply to a comment regarding the CLI vs GUI. Once I solve the problem of reaching those switches from my station I could do all the things from CLI, but right now the switches are in the middle of a narrow and busy hallway that I can’t sit connected to with a cable to manage all day.
So I think the top priority is to understand why I can’t reach the switches but I can reach the default gateway of their VLAN, and we can proceed from there.
Well … as @anav already wrote: show us text export of configuration and we might be able to tell you where things went wrong. Without that we can only guess.
That’s the problem, I don’t have SSH into the router, and it doesn’t want to launch the terminal in the web browser.
It does not accept the credentials of the web admin, so I’m guessing there’s a private key somewhere that someone needs to send me.
So what you’re saying is wait until I have access to the terminal to export this file?
Well, I have the config of one of the switches; it’s the switch I want to run port mirroring on as well.
So the things I need help with are: 1. why can’t I reach this switch from the network unless my cable is physically plugged in to it, and 2. why is my mirroring not working.
Also, I found out it does not have the NTP module installed and I could not find which package to download and install.
I would be most grateful for your help with this. export190921.rsc (8.95 KB)
So I got it to somehow work, and I exported the file. I must say the hide sensitive is crap. It does not remove comments, and does not obfuscate the IP address and other things that might be sensitive.
After a ton of manually censoring the file, I’ve attached it to this post.
Well, the only thing that would be sensitive is that sometimes the WAN IP creeps in; otherwise, pretty decent.
Not sure I will have time today to look but will try.
In general, being able to access all devices successfully, at least via Winbox, is to ensure that a management type VLAN exists (for a business a separate VLAN; at home I just use my trusted home VLAN). In any case, the point is:
a. Every smart device needs an IP address on the management VLAN.
b. Every device needs a management type interface created/identified on the interface list with appropriate assignments.
This interface list should be entered into tools winmac server (at least for Winbox).
Plus an IP route on each non-router smart device pointing to the gateway of the management VLAN helps.
When I do this, I can see any MT device from the management network.
It will take some tweaking to ensure you have that access.
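The management-VLAN setup described in the post above, written out as RouterOS commands for one switch. This is an added example, not configuration from the thread; the bridge name `bridge1`, the uplink port `sfp-sfpplus1`, VLAN ID 99, the list name `MGMT` and the 192.0.2.0/24 addresses are all assumptions.

```routeros
# Added example; every name, the VLAN ID and the addresses are assumed placeholders.

# Carry the management VLAN to the CPU: bridge1 itself must be a tagged member,
# together with the uplink port toward the router (assumed to be sfp-sfpplus1).
/interface bridge vlan
add bridge=bridge1 vlan-ids=99 tagged=bridge1,sfp-sfpplus1

# (a) Give the device an IP address on the management VLAN.
/interface vlan
add name=vlan-mgmt vlan-id=99 interface=bridge1
/ip address
add address=192.0.2.11/24 interface=vlan-mgmt

# (b) Create a management interface list and put the VLAN interface in it.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan-mgmt

# Limit the MAC server (MAC-Telnet and MAC-Winbox) to that list, so layer-2
# management is only reachable from the management VLAN.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# On a non-router device: send replies for other subnets to the
# management VLAN's gateway (assumed to be 192.0.2.1 on the router).
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1
```

Without the route in the last step, a switch can answer hosts inside the management subnet but has no path for replies to a station in another VLAN.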
Hey, so did you have a chance to look at the file?
I also have an update: I upgraded the router to the latest LTS, had a small heart attack when it was stuck in a boot loop, and had 2 hours of downtime.