Wan Bridge on Eth1+2 on RB951-2n

Hi all,

I'm pretty sure this may have been addressed, but perhaps not in the same way.
What I'm trying to achieve is having my MikroTik have a bridge on Eth1+2 (Wan Bridge) and Eth3+4+5+wlan being on another bridge (Default minus the Eth1+2).
The reason is that I need the net to come through on Eth1, with Eth2 being exposed directly to the WAN side via the (Wan Bridge).
When I create this bridge, though, I still can't seem to get them all to talk. The RouterBoard I'm using is an RB951-2n. The configuration was as such:
Operating mode=Wisp AP, as a Router. Ports 1-5 currently bridged, with Eth1 being identified as WAN. It's set as firewall router.
My GW on the WAN side I point to is 192.168.2.1, with the router's WAN address as 2.10 on the WAN side Eth1. I have a logging server on
Eth2 that needs to talk directly to WAN, as there is a route with the ISP to point to 192.168.2.100. The internal network is 192.168.0.x with GW (Router) being .10.
I really hope someone can help with this. I had this setup on my RB2011 and it worked flawlessly, with fast path disabled too. Eth 10+9 was used as (Wan Bridge) though.

Bridge configuration should be something like this:


/interface bridge
add name=bridge-wan
add name=bridge-lan

/interface bridge port
add bridge=bridge-wan interface=ether1
add bridge=bridge-wan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5

It would help if you post the working config on RB2011.

Hey there,

Thanks for the reply. Please see the backed up configuration of my RB2011.
RB2011iL Configuration export.txt (6.75 KB)

It's better to post your config in the forum using code tags like this:

# jul/31/2016 18:43:46 by RouterOS 6.42.6
# software id = 2M6D-8KZS
#
# model = 2011iL
# serial number = 
/interface bridge
add fast-forward=no name="LAN S Bridge"
add fast-forward=no name="WAN S Bridge"
/interface ethernet
set [ find default-name=ether1 ] name="Ether1 (Resa Managed 1)"
set [ find default-name=ether2 ] name="Ether2 (Resa Managed 2)"
set [ find default-name=ether3 ] name="Ether3 N/A"
set [ find default-name=ether4 ] name="Ether4 N/A"
set [ find default-name=ether5 ] name="Ether5 (Resa NVR Server)"
set [ find default-name=ether6 ] name="Ether6 N/A"
set [ find default-name=ether7 ] name="Ether7 (Prestons Office)"
set [ find default-name=ether8 ] name="Ether8 (Sullets G5 Workstation)"
set [ find default-name=ether9 ] name="Ether9 (Temperature Logging Server)"
set [ find default-name=ether10 ] name="Ether10 (BreedeNet Antenna)"
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name="Deny Facebook" regexp="^.+(facebook.com).*\$"
add name="Deny youtube" regexp="^.+(youtube.com).*\$"
add name="Deny Flickr, Tumblr, Pinterest and Reddit" regexp="^.+(flickr.com|tumblr.com|pinterest.com|reddit.com).*\$"
add name="Deny Twitter, Stumble upon and instagram" regexp="^.+(twitter.com|stumbleupon.com|instagram.com).*\$"
add name="Deny Google_PlayStore" regexp="^.+(android.clients.google.com|play.google.com).*\$"
add name="Deny Gumtree" regexp="^.+(gumtree.co.za).*\$"
add name="Deny cars.co.za" regexp="^.+(cars.co.za).*\$"
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.229
/ip dhcp-server
add address-pool=dhcp disabled=no interface="LAN S Bridge" name="DHCP Office Lan"
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge="LAN S Bridge" interface="Ether1 (Resa Managed 1)"
add bridge="LAN S Bridge" interface="Ether2 (Resa Managed 2)"
add bridge="LAN S Bridge" interface="Ether3 N/A"
add bridge="LAN S Bridge" interface="Ether4 N/A"
add bridge="LAN S Bridge" interface="Ether5 (Resa NVR Server)"
add bridge="LAN S Bridge" interface="Ether6 N/A"
add bridge="LAN S Bridge" interface="Ether7 (Prestons Office)"
add bridge="LAN S Bridge" interface="Ether8 (Sullets G5 Workstation)"
add bridge="WAN S Bridge" interface="Ether10 (BreedeNet Antenna)"
add bridge="WAN S Bridge" interface="Ether9 (Temperature Logging Server)"
/interface list member
add interface="WAN S Bridge" list=WAN
add interface="Ether1 (Resa Managed 1)" list=WAN
add interface="Ether2 (Resa Managed 2)" list=LAN
add interface="Ether3 N/A" list=LAN
add interface="Ether4 N/A" list=LAN
add interface="Ether5 (Resa NVR Server)" list=LAN
add interface="Ether6 N/A" list=LAN
add interface="Ether7 (Prestons Office)" list=LAN
add interface="Ether8 (Sullets G5 Workstation)" list=LAN
add interface="Ether9 (Temperature Logging Server)" list=LAN
add interface="Ether10 (BreedeNet Antenna)" list=LAN
/ip address
add address=192.168.2.10/24 interface="Ether10 (BreedeNet Antenna)" network=192.168.2.0
add address=192.168.0.10/24 interface="Ether2 (Resa Managed 2)" network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.10 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=forward comment="Forward connections Note 8-J" src-mac-address=applicable Mac here
add action=accept chain=forward comment="Forward connections Admin Laptop Lan" src-mac-address=applicable Mac here
add action=accept chain=forward comment="Forward connections Admin Laptop Wireless" src-mac-address=applicable Mac here
add action=accept chain=forward comment="Forward connections Resa NVR" src-mac-address=00:18:95:0F:2F:47
add action=drop chain=forward comment="Deny Facebook" in-interface="LAN S Bridge" in-interface-list=all layer7-protocol="Deny Facebook" out-interface="WAN S Bridge" \
    out-interface-list=all src-address=192.168.0.0/24
add action=drop chain=forward comment="Deny Youtube" in-interface="LAN S Bridge" in-interface-list=all layer7-protocol="Deny youtube" out-interface="WAN S Bridge" \
    out-interface-list=all src-address=192.168.0.0/24
add action=drop chain=forward comment="Deny Google Play Store" in-interface="LAN S Bridge" in-interface-list=all layer7-protocol="Deny Google_PlayStore" out-interface=\
    "WAN S Bridge" out-interface-list=all src-address=192.168.0.0/24
add action=drop chain=forward comment="Deny Twitter, Stumble upon and Instagram" in-interface="LAN S Bridge" in-interface-list=all layer7-protocol=\
    "Deny Twitter, Stumble upon and instagram" out-interface="WAN S Bridge" out-interface-list=all src-address=192.168.0.0/24
add action=drop chain=forward comment="Deny Flickr, Tumblr, Pinterest and Reddit" in-interface="LAN S Bridge" in-interface-list=all layer7-protocol=\
    "Deny Flickr, Tumblr, Pinterest and Reddit" out-interface="WAN S Bridge" out-interface-list=all src-address=192.168.0.0/24
add action=drop chain=forward comment="Deny Gumtree" in-interface="LAN S Bridge" in-interface-list=all layer7-protocol="Deny Gumtree" out-interface="WAN S Bridge" \
    out-interface-list=all src-address=192.168.0.0/24
add action=drop chain=forward comment="Deny Cars.co.za" in-interface="LAN S Bridge" in-interface-list=all layer7-protocol="Deny cars.co.za" out-interface="WAN S Bridge" \
    out-interface-list=all src-address=192.168.0.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="Resa M Router 1"
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set "LAN S Bridge" disabled=yes display-time=5s
set "WAN S Bridge" disabled=yes display-time=5s
set "Ether1 (Resa Managed 1)" disabled=yes display-time=5s
set "Ether2 (Resa Managed 2)" disabled=yes display-time=5s
set "Ether3 N/A" disabled=yes display-time=5s
set "Ether4 N/A" disabled=yes display-time=5s
set "Ether5 (Resa NVR Server)" disabled=yes display-time=5s
set "Ether6 N/A" disabled=yes display-time=5s
set "Ether7 (Prestons Office)" disabled=yes display-time=5s
set "Ether8 (Sullets G5 Workstation)" disabled=yes display-time=5s
set "Ether9 (Temperature Logging Server)" disabled=yes display-time=5s
set "Ether10 (BreedeNet Antenna)" disabled=yes display-time=5s
/system routerboard settings
set silent-boot=no
/tool user-manager database
set db-path=user-manager

Should not 9 and 10 be in the WAN group like this:

/interface list member
add interface="WAN S Bridge" list=WAN
add interface="Ether1 (Resa Managed 1)" list=WAN
add interface="Ether2 (Resa Managed 2)" list=LAN
add interface="Ether3 N/A" list=LAN
add interface="Ether4 N/A" list=LAN
add interface="Ether5 (Resa NVR Server)" list=LAN
add interface="Ether6 N/A" list=LAN
add interface="Ether7 (Prestons Office)" list=LAN
add interface="Ether8 (Sullets G5 Workstation)" list=LAN
add interface="Ether9 (Temperature Logging Server)" list=WAN
add interface="Ether10 (BreedeNet Antenna)" list=WAN

Since you have used WAN here:

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

I am not a fan of using spaces in names, so would have used naming like this:

/interface bridge
add fast-forward=no name="LAN_S_Bridge"

Will try to do this in future. Still pretty new here and to using these Routers.
I expected I'd actually more wrong with the desired configuration. As for Eth9+10, yes, I agree it should be.
I couldn't really find/understand where this setting was. As both, yes, Eth9+10 are on the WAN side and need
to have traffic from ISP to that port/device.

This is already in place on the RB951-2n, at least from what I can tell by looking at the router using WinBox.
Please see configuration of the RB951-2n. Can't seem to ping 2.100, which is on Eth 2 but in bridge with Eth on WAN Bridge.
I can understand the spaces issue.
RB951-2n.txt (5.03 KB)

I don't know how to add inline code… sorry

To use code tags, click the button above the text box you are writing in. Symbol like </>
Or you add [ code] before and [ /code] after. (Remove the space in the brackets.)

Address 192.168.0.10/24 should be bound to interface="Lan Bridge", not ether4.

Regarding pinging 192.168.2.100 … can you ping it from RB itself (/ping 192.168.2.100)?
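
An added example, not part of any post in this thread: a small Python check over a RouterOS export for the two issues raised above, an IP address bound to a bridge port instead of the bridge, and a bridge port placed in a different interface list than its bridge (the list that the `out-interface-list=WAN` masquerade rule depends on). The sample export is constructed in the style of the RB2011 one; the function names and finding labels are assumptions of this example.

```python
import re
import shlex

# Constructed sample in the style of the RB2011 export above (trimmed).
SAMPLE_EXPORT = r'''/interface bridge port
add bridge="LAN S Bridge" interface="Ether2 (Resa Managed 2)"
add bridge="WAN S Bridge" interface="Ether9 (Temperature Logging Server)"
add bridge="WAN S Bridge" interface="Ether10 (BreedeNet Antenna)"
/interface list member
add interface="WAN S Bridge" list=WAN
add interface="Ether9 (Temperature Logging Server)" list=LAN
add interface="Ether10 (BreedeNet Antenna)" list=LAN
/ip address
add address=192.168.2.10/24 interface=\
    "Ether10 (BreedeNet Antenna)" network=192.168.2.0
add address=192.168.0.10/24 interface="LAN S Bridge" network=192.168.0.0
'''

def parse_export(text):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = menus.setdefault(line, [])
        elif current is not None and line.startswith("add "):
            tokens = shlex.split(line)[1:]  # honours "quoted names"
            current.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus

def audit(text):
    """Return findings as tuples; an empty list means both checks passed."""
    menus = parse_export(text)
    port_of = {p["interface"]: p["bridge"]
               for p in menus.get("/interface bridge port", [])}
    lists = {}
    for m in menus.get("/interface list member", []):
        lists.setdefault(m["interface"], set()).add(m["list"])
    findings = []
    for a in menus.get("/ip address", []):  # address belongs on the bridge
        if a["interface"] in port_of:
            findings.append(("address-on-bridge-port", a["address"],
                             a["interface"], port_of[a["interface"]]))
    for iface, member_of in lists.items():  # port and bridge lists disagree
        bridge = port_of.get(iface)
        if bridge in lists and member_of != lists[bridge]:
            findings.append(("list-mismatch", iface, bridge))
    return findings
```

Calling `audit()` on the text of an export returns one tuple per finding, so it can be run against a saved export before the configuration is applied to a router.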

Jotne> Thanks, I'll try it out. Certainly looks a lot cleaner and easier to go through.

mkx> I've now moved that over, thanks. As for the pinging part, I had tried pinging it from the RB itself.
Interestingly though, in an IP scan I did on the WAN Bridge it picks up all 3… 2.1 (GW), 2.10 (RB) and 2.100 (Log Server)