Why does disabling 'bridge' make it impossible to connect to my router?

jvanhambelgium · August 5, 2022, 7:55pm

You don’t even need one. You are connecting to a device (Mikrotik) which has an IP in the same network-range.
Even if you take a wrong one like 10.50.50.27, it would never be used in your case :

PC = 10.50.50.253 mask 255.255.255.0
Mikrotik = 10.50.50.254

TheLorc · August 5, 2022, 8:00pm

To do that you just go to Bridge → Ports → Delete Ether7 (for example) , then go to IP → Addresses → Create new address → In the entries, leave ‘Network’ blank, and fill in 10.10.10.254 for Address, and select Ether7 for the interface. Now, even if I disable the bridge or do anything to the router, I can simply connect an ethernet cable to Ether7, and be able to access Winbox, is that correct? Or is there more stuff you have to do?

If you did not set IP-restrictions under the /ip service/winbox (to limit from which IP’s you can connect) and the same for a /system/users (on a user, you can also set from which IP’s it can login) you should only check the firewall INPUT-chain (INPUT = traffic targetted at router itself, Winbox for example)
Make sure you have some rule allowing ether7 (or source-IP 10.10.10.0/24) to target the the RouterOS control plane.

And that should be it, give it a try to connect PC to ether7 after giving it 10.10.10.1 , connect with Winbox and disable your Bridge you won’t get kicked out.

“you should only check the firewall INPUT-chain (INPUT = traffic targetted at router itself, Winbox for example). Make sure you have some rule allowing ether7 (or source-IP 10.10.10.0/24) to target the the RouterOS control plane.”

To do this firewall rule, I go to IP → Firewall → Filter Rules → Add →

Chain: Input
Src Address: 10.10.10.0/24
In. Interface List: all
Action: accept

Is this correct? Also, what is the purpose of this, does this simply stop other PCs from accessing this ethernet port? For example, lets say a PC with IP address 50.50.50.1 tried to access ether7 port. It would block them because the source-IP is not 10.10.10.0/24?

Thanks again

TheLorc · August 5, 2022, 8:29pm

To do that you just go to Bridge -> Ports -> Delete Ether7 (for example) , then go to IP -> Addresses -> Create new address -> In the entries, leave 'Network' blank, and fill in 10.10.10.254 for Address, and select Ether7 for the interface. Now, even if I disable the bridge or do anything to the router, I can simply connect an ethernet cable to Ether7, and be able to access Winbox, is that correct? Or is there more stuff you have to do?

If you did not set IP-restrictions under the /ip service/winbox (to limit from which IP's you can connect) and the same for a /system/users (on a user, you can also set from which IP's it can login) you should only check the firewall INPUT-chain (INPUT = traffic targetted at router itself, Winbox for example)
Make sure you have some rule allowing ether7 (or source-IP 10.10.10.0/24) to target the the RouterOS control plane.

And that should be it, give it a try to connect PC to ether7 after giving it 10.10.10.1 , connect with Winbox and disable your Bridge you won't get kicked out.

Still can't see the Mikrotik Router when I connect to ether7 port physically.

To clarify what I have done is:

On Mikrotik routerOS:

Bridge -> Ports -> Delete Ether7

IP -> Addresses -> Add ->

Address: 10.10.10.254
Network: 10.10.10.254 (this is auto generated when you leave it blank)
Interface: ether7-access

Now on my PC:

Go to Network Connections -> Ethernet Network -> Properties -> IpV4 -> Properties -> Use the following IP address:

IP address: 10.10.10.1
Subnet mask: 255.255.255.0
Default gateway: 10.10.10.254

DNS: 8.8.8.8
Secondary DNS: 8.8.4.4

This still does not work.

Here is my config incase that helps.. I am pretty sure I followed your steps as you said but it won't find the router on Winbox -> Neighbours.

I know the config has a lot of crap in it, I added wireguard and probably some other stupid stuff too but I doubt that is the problem here

aug/05/2022 21:26:41 by RouterOS 7.4

software id = JCY8-AFLA

model = RB2011iL

serial number = E7DD0F73B4C5

/interface bridge
add admin-mac=DC:2C:6E:4C:59:6F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether7 ] name=ether7-access
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1
use-peer-dns=yes user=eircom
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=defconf name=MANAGE
add comment=defconf name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/ppp profile
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.89.1
remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
add interface=ether7-access list=MANAGE
/interface pptp-server server

PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead

set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/interface wireguard peers
add allowed-address=192.168.88.0/24 interface=wireguard1 public-key=
"1Of5xcGq53sXm6h8TKvkn7eGxNHEqom6fhBI8XDPg2I="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=10.10.10.254 interface=ether7-access network=10.10.10.254
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.232 mac-address=00:21:9B:3C:13:ED server=defconf
add address=192.168.88.218 client-id=1:0:1f:c1:1c:c9:80 mac-address=
00:1F:C1:1C:C9:80 server=defconf
add address=192.168.88.216 client-id=1:0:1f:c1:1c:c4:20 mac-address=
00:1F:C1:1C:C4:20 server=defconf
add address=192.168.88.215 client-id=1:0:1f:c1:1c:c4:1b mac-address=
00:1F:C1:1C:C4:1B server=defconf
add address=192.168.88.214 client-id=1:0:1f:c1:1c:c4:1c mac-address=
00:1F:C1:1C:C4:1C server=defconf
add address=192.168.88.213 client-id=1:0:1f:c1:1c:c4:8b mac-address=
00:1F:C1:1C:C4:8B server=defconf
add address=192.168.88.212 client-id=1:0:1f:c1:1c:c4:91 mac-address=
00:1F:C1:1C:C4:91 server=defconf
add address=192.168.88.211 client-id=1:0:1f:c1:1c:c9:7b mac-address=
00:1F:C1:1C:C9:7B server=defconf
add address=192.168.88.209 client-id=1:38:22:e2:9f:d:91 mac-address=
38:22:E2:9F:0D:91 server=defconf
add address=192.168.88.207 client-id=1:0:1f:c1:1c:c4:90 mac-address=
00:1F:C1:1C:C4:90 server=defconf
add address=192.168.88.206 client-id=1:0:1f:c1:1c:c4:8d mac-address=
00:1F:C1:1C:C4:8D server=defconf
add address=192.168.88.205 client-id=1:0:1f:c1:1c:c4:8f mac-address=
00:1F:C1:1C:C4:8F server=defconf
add address=192.168.88.204 client-id=1:0:1f:c1:1c:c4:92 mac-address=
00:1F:C1:1C:C4:92 server=defconf
add address=192.168.88.203 client-id=1:0:1f:c1:1c:c4:89 mac-address=
00:1F:C1:1C:C4:89 server=defconf
add address=192.168.88.202 client-id=1:0:1f:c1:1c:c4:1e mac-address=
00:1F:C1:1C:C4:1E server=defconf
add address=192.168.88.201 client-id=1:0:1f:c1:1c:c4:22 mac-address=
00:1F:C1:1C:C4:22 server=defconf
add address=192.168.88.200 client-id=1:0:1f:c1:1c:c4:8c mac-address=
00:1F:C1:1C:C4:8C server=defconf
add address=192.168.88.199 client-id=1:0:1f:c1:1c:c4:1f mac-address=
00:1F:C1:1C:C4:1F server=defconf
add address=192.168.88.198 client-id=1:0:1f:c1:1c:c4:23 mac-address=
00:1F:C1:1C:C4:23 server=defconf
add address=192.168.88.196 client-id=1:90:9:d0:0:9:11 mac-address=
90:09:D0:00:09:11 server=defconf
add address=192.168.88.194 client-id=1:0:11:32:ae:a2:7f mac-address=
00:11:32:AE:A2:7F server=defconf
add address=192.168.88.165 client-id=1:0:1f:c1:1c:c4:8e mac-address=
00:1F:C1:1C:C4:8E server=defconf
add address=192.168.88.163 client-id=1:34:f6:2d:89:e4:82 mac-address=
34:F6:2D:89:E4:82 server=defconf
add address=192.168.88.154 client-id=1:0:1f:c1:1c:c4:8a mac-address=
00:1F:C1:1C:C4:8A server=defconf
add address=192.168.88.92 client-id=1:b8:ec:a3:fd:1d:1f mac-address=
B8:EC:A3:FD:1D:1F server=defconf
add address=192.168.88.91 client-id=1:b8:ec:a3:fd:1d:1c mac-address=
B8:EC:A3:FD:1D:1C server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="FreePBX Media UDP" dst-port=
2000-65001 in-interface-list=WAN protocol=udp to-addresses=192.168.88.XXX
to-ports=2000-65001
add action=dst-nat chain=dstnat comment="FreePBX Tunnel TCP" dst-port=5090
protocol=tcp to-addresses=192.168.88.XXX to-ports=5090
add action=dst-nat chain=dstnat comment="FreePBX SIP TCP" dst-port=5060
protocol=tcp to-addresses=192.168.88.XXX to-ports=5060
add action=dst-nat chain=dstnat comment="FreePBX SIP TLS" dst-port=5061
protocol=tcp to-addresses=192.168.88.XXX to-ports=5061
add action=dst-nat chain=dstnat dst-port=5500-5501 in-interface-list=WAN
protocol=tcp to-addresses=192.168.88.XXX to-ports=5500-5501
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
/ip firewall service-port
set sip disabled=yes sip-timeout=59w3d15h
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=
33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/ppp secret
add name=vpn profile=default-encryption
/system clock
set time-zone-name=Europe/Dublin
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

anav · August 6, 2022, 12:16pm

(1) Try this instead AFTER implementing steps 2 and beyond!
IP address: 10.10.10.5
Subnet mask: 255.255.255.0
Default gateway: 10.10.10.254

DNS: 10.10.10.254
Secondary DNS: 8.8.4.4

(2) Why do you have interfaces list of TRUSTED and MANAGE when you only have one subnet??
Okay I see ether7 is part of MANAGE which is not a bad idea…

(3) YOu should remove this as its a left over from default config…
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan

(4) The idea of the trusted subnet is also to use the associated interfaces in a couple of spots so you should do this as well. The idea being you want to use one interface list entry for the input chain to access the router and the interface list to use twice elsewhere. We dont want to lump in ether7 with the rest of the LAN interface and its associated firewall rules, but just the input chain one etc…
SO
add interface=bridge list=MANAGE

Thus you should do this after:
/ip neighbor discovery-settings
set discover-interface-list=MANAGE

THEN it will be matter of firewall rules to match!!

(5) From:
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
TO:
add action=accept chain=input in-interface-list=MANAGE **** scr-address-list=Authorized
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment=“Drop all else”

Optional but I recommend it since you only have one subnet is to limit the access to the router for config purposes to only specific IP addresses
/ip firewall address lsit { assumes you have set the below to fixed static leases! }
add address=10.10.10.5/32 list=Authorized comment=“ether7 access”
add address=Admin-Desktop-IP list=Authorized
add address=Admin-laptoip-IP list=Authorized
add address=Admin-lpad-IP list=Authorized
add address=Admin-smartphone-IP list=Authorized

(6) From:
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
TO:
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment=“Drop all else”

(7) From:
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
TO
/tool mac-server
set allowed-interface-list=NONE { this is not a secure protocol and thus dont use }
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

+++++++++++++++++++++++++++++++++++++++++++++

In summary the confusion you have between the bridge, the lan interface and the manage/trusted is what is causing the issues.
Above is the straightforward approach to get you working safely.

kevinds · August 7, 2022, 2:47am

This is wrong.