Internet does not work without running Winbox

Hi, I am faced with a problem: if I do not run Winbox, Internet access does not work, while the local area network and routing work.

Winbox does not put any configuration to your router, when you are connected to it.
Make sure you have proper configuration for at least,
/ip address;
/ip route;
/ip firewall nat

The router itself acts as the network core; it does not provide the Internet. On the first port I accept the external network, then I bring it over a trunk to the proxy server; accordingly, pings from the proxy server go out only when Winbox is running.

[manager@MikroTik] > export compact
# jan/02/1970 01:18:26 by RouterOS 6.4
# software id = DN59-T7ZR

/interface bridge
add l2mtu=1594 name=bridge1
/interface ethernet
set 1 bandwidth=40000/40000
/interface vlan
add interface=ether5 l2mtu=1594 name=vlan5 vlan-id=5
add interface=ether5 l2mtu=1594 name=vlan10 vlan-id=10
add interface=ether5 l2mtu=1594 name=vlan11 vlan-id=11
add interface=ether5 l2mtu=1594 name=vlan12 vlan-id=12
add interface=ether5 l2mtu=1594 name=vlan13 vlan-id=13
add interface=ether5 l2mtu=1594 name=vlan14 vlan-id=14
add interface=ether5 l2mtu=1594 name=vlan20 vlan-id=20
add interface=ether2 l2mtu=1594 name=vlan20_proxy vlan-id=20
add interface=ether5 l2mtu=1594 name=vlan99 vlan-id=99
add interface=ether5 l2mtu=1594 name=vlan100 vlan-id=100
add interface=ether9 l2mtu=1594 name=vlan100_cisco1 vlan-id=100
add interface=ether10 l2mtu=1594 name=vlan100_cisco2 vlan-id=100
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=vlan20
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=vlan100
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=vlan20_proxy
add bridge=bridge1 interface=vlan100_cisco1
add bridge=bridge1 interface=vlan100_cisco2
/interface ethernet switch port
set 5 default-vlan-id=0
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.11.1/24 interface=vlan11 network=192.168.11.0
add address=192.168.12.1/24 interface=vlan12 network=192.168.12.0
add address=192.168.13.1/24 interface=vlan13 network=192.168.13.0
add address=192.168.14.1/24 interface=vlan14 network=192.168.14.0
add address=192.168.5.1/24 interface=vlan5 network=192.168.5.0
/ip dhcp-relay
add dhcp-server=192.168.10.4 disabled=no interface=vlan11 name=dhcp_relay11
add dhcp-server=192.168.10.4 disabled=no interface=vlan12 name=dhcp_relay12
add dhcp-server=192.168.10.4 disabled=no interface=vlan13 name=dhcp_relay13
add dhcp-server=192.168.10.4 disabled=no interface=vlan14 name=dhcp_relay14
/ip route
add distance=1 gateway=192.168.10.14
/lcd
set backlight-timeout=never default-screen=informative-slideshow \
    read-only-mode=yes touch-screen=disabled
/lcd interface
set sfp1 interface=sfp1
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10

Winbox or any other tool (SSH/Telnet) does not add any configuration to your router, that might stop Internet connection working.

I am ready to provide the video :slight_smile:

Look, I found a pattern in the connection: when I connect to the MikroTik through Winbox using the MAC address, everything works; when I connect by IP address, namely through a VLAN gateway such as 11.1, everything goes down at once.

You have some very strange things going on in your configuration
I think you need more than 1 bridge interface.

All of these interfaces are one flat network:
ether1
ether2
- vlan20_proxy
ether5
- vlan20
- vlan100
ether9
- vlan100_cisco1
ether10
- vlan100_cisco2

All of these are bridged together, so any device on any of them can see everything, regardless of the VLAN tag.
Proxy ARP and other things can be messing things up further. (Cisco does proxy arp by default, for instance)

I think you need to break it up:
Bridge20
ports = vlan20, vlan20_proxy
Bridge100
ports = vlan100_cisco1, vlan100_cisco2

I am supposing that you don’t want any untagged traffic on ether2, ether5, ether9, or ether10 - only tags?
Adding the untagged interface to the same bridge as the tagged sub-interface causes some strange ways things can see each other, so you shouldn’t do that. The only interface that looks different to me is ether1…
If whatever is connected to ether1 should be in vlan100, then put ether1 on bridge100 / if on vlan20, bridge20.

A cleaner network configuration is going to make troubleshooting easier.
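
The diagnosis above can be checked mechanically. This added example (not part of the original post; the function names `parse` and `audit` are hypothetical) reads the bridge-related lines of the first export posted in this thread and flags a bridge that joins more than one VLAN ID or holds a tagged sub-interface together with its parent port.

```python
import re
# Bridge-related lines copied from the first export posted in this thread.
EXPORT = """
/interface vlan
add interface=ether5 l2mtu=1594 name=vlan20 vlan-id=20
add interface=ether2 l2mtu=1594 name=vlan20_proxy vlan-id=20
add interface=ether5 l2mtu=1594 name=vlan100 vlan-id=100
add interface=ether9 l2mtu=1594 name=vlan100_cisco1 vlan-id=100
add interface=ether10 l2mtu=1594 name=vlan100_cisco2 vlan-id=100
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=vlan20
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=vlan100
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=vlan20_proxy
add bridge=bridge1 interface=vlan100_cisco1
add bridge=bridge1 interface=vlan100_cisco2
"""

def parse(export):
    """Return {vlan name: (parent port, VLAN ID)} and {bridge: [ports]}."""
    vlans, bridges, section = {}, {}, None
    for line in export.splitlines():
        kv = dict(re.findall(r"([\w-]+)=(\S+)", line))
        if line.startswith("/"):
            section = line.strip()
        elif section == "/interface vlan" and "name" in kv:
            vlans[kv["name"]] = (kv["interface"], int(kv["vlan-id"]))
        elif section == "/interface bridge port" and "bridge" in kv:
            bridges.setdefault(kv["bridge"], []).append(kv["interface"])
    return vlans, bridges

def audit(export):
    """Flag bridges that join several VLAN IDs or a sub-interface and its parent."""
    vlans, bridges = parse(export)
    findings = []
    for bridge, ports in bridges.items():
        ids = sorted({vlans[p][1] for p in ports if p in vlans})
        if len(ids) > 1:
            findings.append((bridge, "joins VLAN IDs", ids))
        both = sorted(p for p in ports if p in vlans and vlans[p][0] in ports)
        if both:
            findings.append((bridge, "sub-interface bridged with parent", both))
    return findings

print(*audit(EXPORT), sep="\n")
```

An untagged access port bridged with a single VLAN sub-interface of a different parent, as in the reworked `bridge_20` posted later in the thread, produces no finding.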

ether1 receives vlan20 without tags, and it needs to be carried into VLAN 20 on ether5, the trunk port; VLANs 10-14 are each network gateways. VLAN 100 can be left out of account for now. Have I configured the trunk port incorrectly?

Thank you very much for your help. I redid the config and have everything working, so, just in case, I am posting my config.


[manager@MikroTik] > export compact
# jan/02/1970 00:03:50 by RouterOS 6.4
# software id = DN59-T7ZR

/interface bridge
add l2mtu=1594 name=bridge_20
/interface ethernet
set 1 bandwidth=40000/40000
/interface vlan
add interface=ether5 l2mtu=1594 name=vlan5 vlan-id=5
add interface=ether5 l2mtu=1594 name=vlan10 vlan-id=10
add interface=ether5 l2mtu=1594 name=vlan11 vlan-id=11
add interface=ether5 l2mtu=1594 name=vlan12 vlan-id=12
add interface=ether5 l2mtu=1594 name=vlan13 vlan-id=13
add interface=ether5 l2mtu=1594 name=vlan14 vlan-id=14
add interface=ether5 l2mtu=1594 name=vlan20 vlan-id=20
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/port
set 0 name=serial0
/queue simple
add max-limit=1M/1M name=test target=ether2
/interface bridge port
add bridge=bridge_20 interface=ether1
add bridge=bridge_20 interface=vlan20
/interface ethernet switch port
set 5 default-vlan-id=0
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.11.1/24 interface=vlan11 network=192.168.11.0
add address=192.168.12.1/24 interface=vlan12 network=192.168.12.0
add address=192.168.13.1/24 interface=vlan13 network=192.168.13.0
add address=192.168.14.1/24 interface=vlan14 network=192.168.14.0
add address=192.168.5.1/24 interface=vlan5 network=192.168.5.0
/ip dhcp-relay
add dhcp-server=192.168.10.4 disabled=no interface=vlan11 name=dhcp_relay11
add dhcp-server=192.168.10.4 disabled=no interface=vlan12 name=dhcp_relay12
add dhcp-server=192.168.10.4 disabled=no interface=vlan13 name=dhcp_relay13
add dhcp-server=192.168.10.4 disabled=no interface=vlan14 name=dhcp_relay14
/ip route
add distance=1 gateway=192.168.10.14
/lcd
set backlight-timeout=never default-screen=informative-slideshow \
    read-only-mode=yes touch-screen=disabled
/lcd interface
set sfp1 interface=sfp1
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10

Glad that you got it working.
Bridging is very nice, but it can make strange things if you’re not careful. :slight_smile:

I would be grateful if you could suggest how, for a port, I can create a rule that allows the use of certain IP addresses on this port.

IP filter table rules.

You can do it with src-interface = where you want specific IP, src-address = ! specific IP, action = drop
Remember forward chain blocks traffic going /through/ the Mikrotik.
input chain blocks traffic going TO the mikrotik.

A rule is actually a very simple thing - if each and every field you specify some value for is true, then the action is done.
If even one field is not true, then the rule is ignored and the next one is tried.
It’s like chess - there are only a few simple moves to learn, but the strategy can be improved over an entire lifetime.
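
The rule semantics described in this answer, modelled in Python as an added example (not part of the original post). RouterOS names the incoming-port matcher `in-interface`; the port `ether3`, the address 192.168.11.50 and the helper names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed policy: only 192.168.11.50 may send traffic in through ether3.
# Property names follow RouterOS (in-interface, src-address); "!" negates.
RULES = [
    {"chain": "forward", "in-interface": "ether3",
     "src-address": "!192.168.11.50", "action": "drop"},
    {"chain": "input", "in-interface": "ether3",
     "src-address": "!192.168.11.50", "action": "drop"},
]

def field_matches(name, spec, value):
    """Test one field; a leading "!" inverts the result."""
    negate, spec = spec.startswith("!"), spec.lstrip("!")
    if name.endswith("address"):
        hit = ip_address(value) in ip_network(spec)
    else:
        hit = spec == value
    return hit != negate

def evaluate(rules, packet):
    """Return the action of the first rule whose every specified field is true."""
    for rule in rules:
        if all(field_matches(k, v, packet[k])
               for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "accept"  # nothing matched: the packet is accepted

def packet(chain, iface, src):
    return {"chain": chain, "in-interface": iface, "src-address": src}

for src in ("192.168.11.50", "192.168.11.77"):
    print(src, evaluate(RULES, packet("forward", "ether3", src)))
```

With only the forward rule in place, the same unwanted source can still reach the router itself, which is why the policy carries a second rule on the input chain.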

Port 5 acts as a trunk port; how can I make port 4 a trunk as well?

Thank you very much for your answers.

The most efficient way would be to use the switch configurations, but I’ve never bothered learning this because any VLAN behavior I’m asking of Mikrotik is bare minimum. To me, Mikrotik is best as a router (it is called RouterOS for a reason), and if I want a switch, I go buy a switch.

In general, for each VLAN you need to create a unique bridge interface.
For each “untagged” port on the VLAN, attach etherX to it.
For each tagged / trunk port, build the vlan sub-interfaces on each trunk interface and then connect them all to the appropriate bridge.

If you make a bunch of bridge interfaces and crazy rules, then remember that this all goes through the CPU.

This is an example of how to have multiple VLANs on a variety of trunks and access interfaces:

Ether1
- vlan1.12
- vlan1.22
- vlan1.33
Ether2
Ether3
- vlan3.12
- vlan3.44
Ether4
- vlan4.22
- vlan4.33
Ether5

Bridge12 -> vlan1.12, vlan3.12
Bridge22 -> ether2, vlan1.22, vlan4.22
Bridge33 -> vlan1.33, vlan4.33
Bridge44 -> ether5, vlan3.44

Notice the naming scheme is consistent - if you’re making a firewall rule, you don’t want to see twelve “Vlan101” interfaces to pick from when you click the drop-down for “in-interface” right? If you choose “vlan3.12” you expect that you’re using vlan-tag 12 on interface ether3…

Any IP configs you want the Mikrotik to use on a vlan, apply them to BridgeXX interfaces.
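
The layout in this post, turned into RouterOS commands by a short Python generator (an added example, not part of the original post; `render` and the 10.0.12.1/24 address are constructed for illustration). It creates one bridge per VLAN, attaches access ports and per-trunk VLAN sub-interfaces, puts the IP address on the bridge, and refuses a layout that repeats the mistakes discussed earlier in the thread.

```python
# Layout from the post above; the address is constructed for illustration.
LAYOUT = {
    "bridge12": {"tagged": [("ether1", 12), ("ether3", 12)],
                 "address": "10.0.12.1/24"},
    "bridge22": {"access": ["ether2"], "tagged": [("ether1", 22), ("ether4", 22)]},
    "bridge33": {"tagged": [("ether1", 33), ("ether4", 33)]},
    "bridge44": {"access": ["ether5"], "tagged": [("ether3", 44)]},
}

def render(layout):
    """Return RouterOS commands: one bridge per VLAN, IP on the bridge."""
    bridges, vlans, ports, addrs = [], [], [], []
    for bridge, cfg in layout.items():
        access, tagged = cfg.get("access", []), cfg.get("tagged", [])
        if len({vid for _, vid in tagged}) > 1:
            raise ValueError(f"{bridge}: more than one VLAN ID on a bridge")
        if {trunk for trunk, _ in tagged} & set(access):
            raise ValueError(f"{bridge}: trunk port also attached untagged")
        bridges.append(f"add name={bridge}")
        for trunk, vid in tagged:
            # Naming scheme from the post: vlan<port number>.<VLAN ID>
            name = f"vlan{trunk.replace('ether', '')}.{vid}"
            vlans.append(f"add interface={trunk} name={name} vlan-id={vid}")
            ports.append(f"add bridge={bridge} interface={name}")
        ports += [f"add bridge={bridge} interface={p}" for p in access]
        if "address" in cfg:
            addrs.append(f"add address={cfg['address']} interface={bridge}")
    return (["/interface bridge"] + bridges + ["/interface vlan"] + vlans
            + ["/interface bridge port"] + ports + ["/ip address"] + addrs)

print("\n".join(render(LAYOUT)))
```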