I was configuring a RouterBOARD RB2011UiAS running MikroTik RouterOS 6.44.3 and I have a question about it. The config is the default one.
# Scenario
RB2011UiAS Eth9 is connected to a Netgear-branded smart switch on switch port 22, which is a tagged port in VLAN 100 with PVID 100, and I allow all kinds of packets.
From the switch's web UI:

VLAN Membership
VLAN ID: vlan100
Ports: 1, 22

Interface | PVID Configured | Current PVID | Acceptable Frame Types | Ingress Filtering | Port Priority
g1        | 100             | 100          | VLAN Only              | Enable            | 0
g22       | 100             | 100          | VLAN Only              | Enable            | 0
The desktop is connected through Net1 to switch port 1 and tags its packets with VLAN 100.
(I temporarily connected another link directly from Net2 to eth2 on RouterOS in order to do the setup.)
I followed the examples on:
Ping flows in both directions. I put the NET2 link down, so only Net1 (VLAN 100) is linked. From the desktop OS I can ping the router:
ping -t 10.0.100.1
Haciendo ping a 10.0.100.1 con 32 bytes de datos:
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Respuesta desde 10.0.100.1: bytes=32 tiempo<1m TTL=64
Estadísticas de ping para 10.0.100.1:
Paquetes: enviados = 7, recibidos = 7, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 0ms, Máximo = 0ms, Media = 0ms
But I'm unable to open WinBox or SSH to continue the configuration; I get timeouts.
Can anyone please give me any advice on where I should look? I'm fairly new to this UI.
If I remember correctly, admin access is restricted to 192.168.88.0/24 in the default config, so access from 10.0.0.0/8 will be dropped and you're seeing the timeouts.
Try adding your vlan100 range under IP → Services in the "available from" field.
To do so, either connect to it from a 192.168.88.0/24 address, or by MAC address from WinBox, or via the console.
Hello Chris, thanks a lot for your answer. I added the network 10.0.100.0/24, but the problem wasn't solved.
You gave me an idea, so I reset the configuration, but this time with no default config, and now I can connect with the VLAN setup I posted, from the VLAN network segment.
Something in the default config prevented logging in from the VLAN network.
Now I want to apply the same restriction on this interface, so I will use the "tip" you told me about services and maybe some firewall rules.
I'm watching this video from MikroTik; at minute 5 Tomas Kirnak explains that the default config has not been exploited, so I'm interested in just moving those restrictions onto the VLAN interface and keeping as much of the default config as I can.
Finally I found a way to use the management tools on another network segment instead of the default LAN one:
There is a firewall rule you need to check in the default config:
defconf: drop all not coming from LAN
So whatever IP range your LAN network is (1.1.1.1/24), if you put another IP range on one interface (2.2.2.2/24) you will never reach the service, because of that rule.
services by default are bound to LAN interfaces by rules like:
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
Actually the proper way is to adjust the /interface list member ports grouped in the LAN list … and WAN as well, if the WAN port is not the default one. This would fix firewall filter rules, NAT rules, MAC server rules … all at the same time.
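Added example, not posted by anyone in the thread: a RouterOS 6.x CLI sequence that applies the two findings above (the "defconf: drop all not coming from LAN" input rule found by the original poster, and the interface-list fix suggested in the last reply) without removing the default firewall. It assumes the 6.44 default config, VLAN 100 arriving tagged on ether9, the router at 10.0.100.1/24 on that VLAN and a management host in 10.0.100.0/24; the interface name vlan100 and the addresses are taken from the scenario in the thread and are illustrative.

```routeros
# Added example (not from the thread). Assumptions: RouterOS 6.44 default
# config, VLAN 100 tagged on ether9, router address 10.0.100.1/24 on the VLAN,
# management host inside 10.0.100.0/24. Names and addresses are illustrative.

# 1. The VLAN interface and its address, as described in the scenario.
/interface vlan add name=vlan100 vlan-id=100 interface=ether9
/ip address add address=10.0.100.1/24 interface=vlan100

# 2. Locate the default rule that drops management traffic from the VLAN.
#    It sits in the input chain and matches on in-interface-list=!LAN, so
#    anything that is not a LAN-list member is dropped before any service
#    (WinBox, SSH) ever sees the packet. This is why widening the
#    "available from" field alone did not help.
/ip firewall filter print where chain=input comment~"not coming from LAN"

# 3. Make vlan100 a member of the LAN list. Every defconf setting keyed on
#    that list (the input drop rule, MAC server, MAC WinBox, neighbor
#    discovery) now treats the VLAN as an inside interface, and the drop
#    rule itself stays exactly as shipped.
/interface list member add list=LAN interface=vlan100
/interface list member print where list=LAN

# 4. Keep management bound by address as well: WinBox and SSH are reachable
#    only from the default LAN range and the VLAN range.
/ip service set winbox,ssh address=192.168.88.0/24,10.0.100.0/24
/ip service print

# 5. Check that the protective input-chain drop rule is still present and
#    enabled after the change.
/ip firewall filter print where chain=input action=drop disabled=no
```

The point of step 3 over editing the rule is that the list is the single place the default config uses to define "inside"; adding the VLAN there keeps the drop rule, MAC server and discovery settings consistent with each other, whereas disabling or rewriting the rule would expose the router's input chain to every non-LAN interface.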