Used default config w Static DHCP many years at parents place, but realized all ports don't serve switches?

That was largely the single direct connect from Mktk to LAN; a HP ProCurve 24 GigE

Worked fine through the pandemic when I was medically in trouble and am thankful to be alive.

In 2022, my old “hoarder” mum seems to have messed up by putting some stuff that blocked HP’s vents.

Until I “Choose” replacement upgrades (waiting to figure out), now I am having to route things through a tiny switch, so need the remaining ports to also allow DHCP from same Subnet.

I seem to have read that it's not IMPLICIT and I might have to “make it happen”.

Can someone please guide me to simple way it can be done quickly? - Preferably, Video / UI based?

I am still medically recovering and my dad and his rage is something I’d like to move past, fast :smiley:

hAPLite

# oct/11/2023 19:20:00 by RouterOS 6.45.7
# software id = XXX-XXXX
#
# model = RouterBOARD 941-2nD
# serial number = XXXXXXXXX
/interface bridge
add admin-mac=64:D1:54:2E:86:33 auto-mac=no comment=defconf fast-forward=no \
    name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether2-master
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes default-route-distance=0 disabled=no interface=\
    ether1 keepalive-timeout=60 name=pppoe-out1 password=XXXXX \
    service-name=XXXXX use-peer-dns=yes user=XXXX
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=XBGN \
    wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=XXXXX \
    wpa2-pre-shared-key=XXXXXXX
/ip pool
add name=dhcp ranges=192.168.10.100-192.168.10.249
/ip dhcp-server
add add-arp=yes address-pool=dhcp authoritative=after-2sec-delay disabled=no \
    interface=bridge lease-time=1m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=wlan1 list=discover
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.10.4/24 comment=defconf interface=ether2-master network=\
    192.168.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=192.168.10.164 client-id=1:0:1f:28:64:6a:80 comment=\
    "NW - HP ProCurve 1800 24 GigE Switch" mac-address=XXXX \
    server=defconf

...lots of add address entries for each device.. cleaned for privacy. 

XXXXXXXX

/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.4 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.4 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add action=drop chain=forward comment="i6 WiFi MAC - Net Block" log=yes \
    log-prefix="i6: " src-mac-address=70:3E:AC:C7:1A:96
add action=drop chain=forward comment="i5 WiFi MAC - Net Block" log=yes \
    log-prefix="i5: " src-mac-address=28:E1:4C:6B:79:00
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=pppoe-out1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/system clock
set time-zone-name=XXXXXXXX
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox

Without looking at your config nor knowing what device we’re talking about, it is hard to tell but if you started from pretty default config and slimmed things down, it might be sufficient to simply add remaining ether ports to the bridge again.

Assuming you have a flat network with only one subnet, no VLANs, …

Thanks for responding. Apologies, as I've been unwell, so just wanted to start the thread before I forgot again.

It's a hAPLite.
What's the way I can quickly share the config?
Is there a quick good YouTube video for adding the ports to the bridge?

Is this default behavior for hAPLite? Or it DID so because none of the other ports had anything connected at the start?

I haven't changed any core stuff from default - just cosmetic stuff, like AP Name, Password, instead of 0.1 or 1.1 I went with x.x.10.4

Single simple SubNet.

Largely the only feature I truly used was Static DHCP to have some “organizational numbering” for the devices.

Once I had all that I was hoping to learn to play with the features for Subnets/ VLANs and various other ways to make it “more” thorough.

Then I had medical collapse and poof!

Open terminal
/export file=anynamyouwish
Move file to desktop.
Edit, remove serial number and any remaining private info (also public IP, if present).
Post contents between [code] [/code] quotes for easier readability.

I ran this in the Terminal inside WinBox (I hope that's where you meant it).

[admin@MikroTik] > /export file=BlissConfig
[admin@MikroTik] >>

Since I'm not familiar with MkTk file system/ directory structure.

Where would it be dumped (I am guessing a path) and how would I pull it out from there? (Would WinSCP be fine to go there?)

Would the login password to the file system via SCP be same as my admin?

In Winbox you have a Files tab.
You can find the file there.

Just drag and drop to your PC.

Thank you so much. Look forward to learning more about Mktk.

Thanks & apologies. Updated the post.
I cleaned it up a bit, Let me know if I left something PRIVATE or removed WRONGLY that you’d like to see.

Muchos Gracias!

The part you omitted with the fixed leases, how large is that list and which range is being used?
If it overlaps with your IP Pool, you may have exhausted that pool (and no free addresses can be used to provide a lease).
Though I would be highly surprised if that list is >150 entries…

You may also want to consider to upgrade to latest long term for ROS6 (6.49.10).

Personal comment:

/interface detect-internet
set detect-interface-list=all

I would disable this. For most it does more harm than good.

On /ip upnp and /interface list member
Why include pppoe-out1?
pppoe-out1 = WAN and nothing else. Nothing to discover on the Big Bad Web and certainly no UPNP !!
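
An added example (not part of the original replies, and not MikroTik tooling): a small Python audit over a RouterOS `/export` that flags the points raised above, namely detect-internet on all interfaces, the WAN interface in the discover list, UPnP enabled, and how many fixed leases fall inside the DHCP pool. The sample input is a constructed excerpt of the config posted in this thread; `parse_export` and `audit` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: trimmed excerpt of the export posted in this thread.
SAMPLE = r"""
/ip pool
add name=dhcp ranges=192.168.10.100-192.168.10.249
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=pppoe-out1 list=discover
add interface=pppoe-out1 list=WAN
/ip dhcp-server lease
add address=192.168.10.164 client-id=1:0:1f:28:64:6a:80 comment=\
    "NW - HP ProCurve 1800 24 GigE Switch" server=defconf
/ip upnp
set enabled=yes
"""

def parse_export(text):
    """Yield (menu, properties) per command, joining '\\' continuations."""
    menu = None
    for line in map(str.strip, re.sub(r"\\\r?\n\s*", "", text).splitlines()):
        if line.startswith("/"):
            menu = line                      # e.g. "/ip pool"
        elif line and not line.startswith("#"):
            yield menu, dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))

def audit(text):
    items = list(parse_export(text))
    wan = {p.get("interface") for m, p in items
           if m == "/interface list member" and p.get("list") == "WAN"}
    leases = [ipaddress.ip_address(p["address"]) for m, p in items
              if m == "/ip dhcp-server lease" and "address" in p]
    out = []                                 # (check, detail) findings
    for m, p in items:
        if m == "/interface detect-internet" and p.get("detect-interface-list") == "all":
            out.append(("detect-internet", "enabled on all interfaces"))
        elif m == "/interface list member" and p.get("list") == "discover" \
                and p.get("interface") in wan:
            out.append(("wan-in-discover", p["interface"]))
        elif m == "/ip upnp" and p.get("enabled") == "yes":
            out.append(("upnp", "enabled"))
        elif m == "/ip pool" and "ranges" in p:
            for r in p["ranges"].split(","):
                lo, hi = map(ipaddress.ip_address, (r.split("-")[0], r.split("-")[-1]))
                used = sum(lo <= a <= hi for a in leases)
                out.append(("pool-overlap", (p.get("name"), used, int(hi) - int(lo) + 1)))
    return out
```

The `pool-overlap` tuple is (pool name, fixed leases inside the range, pool size); it counts only fixed leases from the export, not dynamic leases currently handed out.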

It just had a lot of personal names and device macs so I cleaned it for privacy. If you want I can share it. But nothing significant (10-20).

As I said I had no issues previously as I had connected one LAN port to my 24 port Switch which would connect to 2 WiFi routers which largely act as WiFi APs.

Since it went kaput, I am just stuck needing other LAN ports to be working. Are they?

Or is it something else? Is the 8 port switch not passing on things across the network tree? I had studied about STP in college, but I am too far off from remembering.

Most of this is default or as it was when I got hAPlite and started to just set it up AS IS with minor “COSMETIC” personalization.

i.e. using x.x.10.4 instead of 1.1 and 0.1 (that could overlap with WiFi routers when they get reset).
WiFi Name & Password.

The max personalization I did was Static DHCP to have some accounting/ numbering and gauge what all is there if I ever need to debug said devices.

Rest is all as is from CAPsman factory config.

PS: Add - I’ll have to check but ISP uses PPPoE
Mktk001.png
Also: Update issue:

You may also want to consider to upgrade to latest long term for ROS6 (6.49.10).
Update Error.png