
 
sandy55

rb2011uias-2hnd-in in/out-interface matcher switch error

Mon Dec 12, 2016 6:43 pm

Hello, I have one question.
I've just received my new rb2011uias-2hnd-in. I set up the default home AP configuration on it, and after I moved the firewall filter and NAT configuration from my old RB951 to it I got 2 errors in the NAT and firewall sections, and I got disconnections from the LAN side of the router:
error - in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
It looked like something was wrong with the switch configuration, but this switch configuration works correctly with the default settings on it, without my firewall rules and NAT setup :)

Can anybody take a look and help?
I am just a beginner.
Thanks

full configuration, RouterOS 6.36:
# NOTE(review): RouterOS 6.36 export as pasted by the poster, with review notes
# added as "# NOTE(review)" lines. The "ERROR1:" / "ERROR2:" lines are the
# poster's own annotations, not RouterOS syntax, and would have to be removed
# before this text could be re-imported.
/interface bridge
add admin-mac=D4:CA:6D:51:20:81 auto-mac=no comment=defconf name=bridge
/interface wireless
# NOTE(review): wlan1 is in station-pseudobridge mode (a client of some other
# AP) and is also a bridge port below, so whatever network it associates with
# is bridged onto the LAN ports. The final config in this thread switches it
# to ap-bridge.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=auto mode=station-pseudobridge ssid=MikroTik-7090D7 \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
# NOTE(review): ether1 is made a bridge port here while it also carries the
# upstream DHCP client and the 192.168.1.1/24 LAN address below. As a bridge
# slave it cannot be named in in-interface/out-interface matchers (that is
# ERROR1 and ERROR2 further down), and frames arriving on ether1 are bridged
# straight onto the LAN ports. Taking ether1 out of the bridge, as the reply
# in this thread suggests, removes both problems.
add bridge=bridge interface=ether1
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router resolve DNS for any
# source that gets through the input chain. The only rule below that blocks
# outside queries ("Drop remote DNS request") matches protocol=udp, so TCP/53
# is not covered by it; confirm that is intended.
set allow-remote-requests=yes cache-max-ttl=1d
/ip firewall filter
# NOTE(review): the input chain below drops specific ports (8291, 2000, 23,
# 53/udp), ICMP and blacklisted sources, but has no trailing catch-all drop,
# so any other input traffic falls through to the chain's default accept.
# Presumably acceptable for a home router, but a final
# "add action=drop chain=input" (or an explicit src-address / in-interface
# scope on the accept rules) would be the usual pattern.
add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=2m chain=input comment=PortKnock1 dst-port=5678 protocol=tcp
add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=2m chain=input comment=PortKnock2 dst-port=4321 protocol=tcp src-address-list=KNOCK1
add action=add-src-to-address-list address-list=Trusted address-list-timeout=30m chain=input comment="defconf: PortKnock3 >> Trust" dst-port=2345 protocol=tcp \
    src-address-list=KNOCK2
add action=accept chain=input comment="defconf: Allow Trusted IPs" src-address-list=Trusted
add action=accept chain=input comment="defconf: Allow Local IPs" src-address=192.168.1.0/24
# NOTE(review): accepts any input packet whose source address is 8.8.8.8, ahead
# of every drop rule below. Source addresses are not authenticated, so this is
# an unconditional bypass for that one address; if it only exists to let DNS
# replies in, a connection-state=established,related match would be narrower.
add action=accept chain=input comment="defconf: Allow 8.8.8.8" src-address=8.8.8.8
add action=drop chain=input comment="defconf: Drop winbox from Internet" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: Drop BTest from Internet" dst-port=2000 protocol=tcp
add action=drop chain=input comment="defconf: Drop ICMP from Internet" protocol=icmp src-address=!192.168.1.0/24
add action=drop chain=input comment="defconf: Drop telnet from Internet" dst-port=23 protocol=tcp src-address=!192.168.1.0/24
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="defconf: Detect Port-Scanners" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="defconf: Dropp Port-Scanners" src-address-list="port scanners"
ERROR1:
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
# NOTE(review): the error above is why the next rule fails to load: ether1 is a
# bridge port, so the matcher would have to name the bridge. Matching on
# in-interface=bridge would also put LAN hosts into the DNS_Exploit list, which
# is why removing ether1 from the bridge is the better fix here.
add action=add-src-to-address-list address-list=DNS_Exploit address-list-timeout=1d chain=input comment="defconf: Log remote DNS request" dst-port=53 in-interface=ether1 \
    log-prefix="" protocol=udp
add action=drop chain=input comment="defconf: Drop remote DNS request" dst-port=53 protocol=udp src-address=!192.168.1.0/24
# NOTE(review): ssh/22 is not blocked outright; sources are staged through
# ssh_stage1 -> ssh_stage2 -> ssh_blacklist on repeated new connections and
# only then dropped by this rule and "Drop All From Blacklisted".
add action=drop chain=input comment="defconf: Drop SSH BruteForce" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=7w1d chain=input comment="defconf: ssh-stage3 >> blacklist" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment=ssh-stage2 connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10m chain=input comment=ssh-stage1 connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: Drop All From Blacklisted" src-address-list=ssh_blacklist
add action=accept chain=forward comment="defconf: allow established connections" connection-state=established
add action=accept chain=forward comment="defconf: allow related connections" connection-state=related
add action=drop chain=forward comment="defconf: drop invalid connections" connection-state=invalid
add action=drop chain=forward comment="defconf: Blokada internetu" disabled=yes log-prefix="" src-address=192.168.1.10
/ip firewall nat
# NOTE(review): this rewrites the source of traffic from knock-authenticated
# (Trusted) hosts to 192.168.1.1 on the way out; the intent is not clear from
# the export alone — confirm it is still wanted after the move from the RB951.
add action=src-nat chain=srcnat comment="defconf: AccessList NAT" src-address-list=Trusted to-addresses=192.168.1.1
ERROR2:
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
# NOTE(review): same cause as ERROR1. This masquerade also has no src-address
# restriction; the later configs in this thread add src-address=192.168.1.0/24,
# which limits the rule to LAN traffic.
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix="" out-interface=ether1
/ip service
# NOTE(review): only these five services are switched off. ssh, winbox and
# www-ssl are not listed, so they presumably keep their defaults (an export
# normally shows non-default values only). winbox/8291 is dropped for non-local
# sources by the input chain above; ssh relies on the staged blacklist.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master,ether7,ether8,ether9,ether10
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
# NOTE(review): MAC-server and MAC-Winbox are bound to the bridge; with ether1
# a bridge port (see above) they are reachable on the upstream port as well.
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
[admin@MikroTik] > 
 
tr00g33k

Re: rb2011uias-2hnd-in in/out-interface matcher switch error

Mon Dec 12, 2016 7:49 pm

You have ether1 in the bridge; in the firewall rules use bridge as the in/out interface, or remove ether1 from the bridge.
 
sandy55

Re: rb2011uias-2hnd-in in/out-interface matcher switch error

Mon Dec 12, 2016 7:56 pm

You have ether1 in bridge, on firewall rules use bridge as in/out interface, or remove ether1 from bridge.
OK, I removed ether1 from the bridge, but after removing it something is wrong with the DHCP server now: it does not work and I can connect only by MAC address in Winbox.
In Winbox I see the DHCP server in red.
# NOTE(review): second export from the poster, after ether1 was removed from
# the bridge. Review notes are the "# NOTE(review)" lines; everything else is
# the original export.
/interface bridge
add admin-mac=D4:CA:6D:51:20:81 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=auto mode=station-pseudobridge ssid=MikroTik-7090D7 \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
# NOTE(review): the DHCP server listens on the bridge, but the only LAN
# address (192.168.1.1/24 under /ip address) is still on ether1, which is no
# longer a bridge port. The server therefore has no address on its interface
# for the 192.168.1.0/24 network it hands out — consistent with it showing
# red/invalid in Winbox. Moving the address to interface=bridge (as the final
# config in this thread does) resolves it.
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# source that passes the input chain; the "Drop remote DNS request" rule below
# covers udp/53 only, so TCP/53 is not blocked by it.
set allow-remote-requests=yes cache-max-ttl=1d
/ip firewall filter
# NOTE(review): the input chain has no trailing catch-all drop, so input
# traffic that matches none of the specific drop rules falls through to the
# chain's default accept; confirm that is intended.
add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=2m chain=input comment=PortKnock1 dst-port=5678 protocol=tcp
add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=2m chain=input comment=PortKnock2 dst-port=4321 protocol=tcp src-address-list=KNOCK1
add action=add-src-to-address-list address-list=Trusted address-list-timeout=30m chain=input comment="defconf: PortKnock3 >> Trust" dst-port=2345 protocol=tcp \
    src-address-list=KNOCK2
add action=accept chain=input comment="defconf: Allow Trusted IPs" src-address-list=Trusted
add action=accept chain=input comment="defconf: Allow Local IPs" src-address=192.168.1.0/24
# NOTE(review): accepts any input packet claiming source 8.8.8.8 before all the
# drop rules; source addresses are not authenticated, so this is an
# unconditional bypass for that address. A connection-state=established,related
# match would be narrower if this is only meant for DNS replies.
add action=accept chain=input comment="defconf: Allow 8.8.8.8" src-address=8.8.8.8
add action=drop chain=input comment="defconf: Drop winbox from Internet" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: Drop BTest from Internet" dst-port=2000 protocol=tcp
add action=drop chain=input comment="defconf: Drop ICMP from Internet" protocol=icmp src-address=!192.168.1.0/24
add action=drop chain=input comment="defconf: Drop telnet from Internet" dst-port=23 protocol=tcp src-address=!192.168.1.0/24
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="defconf: Detect Port-Scanners" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="defconf: Dropp Port-Scanners" src-address-list="port scanners"
# NOTE(review): in-interface=ether1 is accepted now because ether1 is no longer
# a bridge slave.
add action=add-src-to-address-list address-list=DNS_Exploit address-list-timeout=1d chain=input comment="defconf: Log remote DNS request" dst-port=53 in-interface=ether1 \
    log-prefix="" protocol=udp
add action=drop chain=input comment="defconf: Drop remote DNS request" dst-port=53 protocol=udp src-address=!192.168.1.0/24
add action=drop chain=input comment="defconf: Drop SSH BruteForce" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=7w1d chain=input comment="defconf: ssh-stage3 >> blacklist" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment=ssh-stage2 connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10m chain=input comment=ssh-stage1 connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: Drop All From Blacklisted" src-address-list=ssh_blacklist
add action=accept chain=forward comment="defconf: allow established connections" connection-state=established
add action=accept chain=forward comment="defconf: allow related connections" connection-state=related
add action=drop chain=forward comment="defconf: drop invalid connections" connection-state=invalid
add action=drop chain=forward comment="defconf: Blokada internetu" disabled=yes log-prefix="" src-address=192.168.1.10
/ip firewall nat
add action=src-nat chain=srcnat comment="defconf: AccessList NAT" src-address-list=Trusted to-addresses=192.168.1.1
# NOTE(review): the masquerade is now scoped with src-address=192.168.1.0/24,
# so only LAN traffic leaving via ether1 is NATed.
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix="" out-interface=ether1 src-address=192.168.1.0/24
/ip service
# NOTE(review): only these five services are disabled here; ssh, winbox and
# www-ssl are not listed and presumably keep their defaults.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master,ether7,ether8,ether9,ether10
/system clock
set time-zone-name=Europe/Warsaw
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
 
sandy55

Re: rb2011uias-2hnd-in in/out-interface matcher switch error

Tue Dec 13, 2016 12:28 am

The configuration is OK now, but this freakin' RouterOS had some errors:
every time I change something in wireless, the IP pool settings and the DHCP server switch automatically from bridge to ether1 and the other way round!!! That's why I've been playing with it for six hours — only later did I find where the problem was....
A simple question for the future: can I somehow disable this automatic switching of settings in Winbox?
thanks...
 
th0massin0

Re: rb2011uias-2hnd-in in/out-interface matcher switch error

Tue Dec 13, 2016 1:46 am

Don't get me wrong, but that's NOT a hardware or software problem :)
in wirelles the ip pool setups and dhcp switching automatically from bridge to ether1 and othervise
The DHCP server is something that should be set on the master interface (yes, on the bridge if ether1 is added to that bridge).


simply question for future - can i somehow disable this automatic switching setups in winbox ?
Yes, you can start from an empty config: http://wiki.mikrotik.com/wiki/Manual:Co ... tion_Reset
 
sandy55

Re: rb2011uias-2hnd-in in/out-interface matcher switch error

Tue Dec 13, 2016 1:56 am

Don't get me wrong, but that's NOT a hardware nor software problem :)
in wirelles the ip pool setups and dhcp switching automatically from bridge to ether1 and othervise
DHCP server is a thing that should be set on master interface (yes, on bridge if ether1 is added to that bridge)


simply question for future - can i somehow disable this automatic switching setups in winbox ?
Yes, you can start from empty config: http://wiki.mikrotik.com/wiki/Manual:Co ... tion_Reset
hehe, I have started with an empty config thousands of times! But this doesn't matter.
The issue is that each time I write and add new functions in the CLI terminal, mostly some wireless settings, Winbox or RouterOS adds other new settings to my config by itself.
Sometimes it disables NAT masquerade, sometimes it changes the DHCP settings and sometimes it switches between bridge and ether1, so finally I lose connection with the router.
However, in the end I set everything up and everything is OK now, but it wasn't as easy as on the RB951 with just one copy + paste into the command line.
Here is the final correct config of my RB2011:
# NOTE(review): the poster's final working export. Review notes are the
# "# NOTE(review)" lines; everything else is the original export. The
# "xxxxxx" values are the poster's redactions (admin MAC, PSKs, lease MACs)
# and must be replaced before re-import.
/interface bridge
add admin-mac=xxxxxx auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-Ce country=poland disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-7090D7 \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
# NOTE(review): WPA-PSK (WPA1) is still offered alongside WPA2-PSK. Unless a
# legacy client needs it, authentication-types=wpa2-psk alone is the stronger
# choice; the AP is in 2ghz-onlyn mode, so WPA1-era clients are unlikely.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=xxxxxxx wpa2-pre-shared-key=xxxxxxx
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/ip address
# NOTE(review): the LAN address now sits on the bridge, the same interface the
# DHCP server listens on — this is the change that made the server valid
# compared with the earlier exports in this thread.
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.1.5 mac-address=xxxxx
add address=192.168.1.10 mac-address=xxxxx
add address=192.168.1.15 mac-address=xxxxx
add address=192.168.1.20 mac-address=xxxxx
add address=192.168.1.25 mac-address=xxxxx
add address=192.168.1.30 mac-address=xxxxx
add address=192.168.1.35 mac-address=xxxxx
/ip dhcp-server network
# NOTE(review): LAN clients are pointed at the router (dns-server=192.168.1.1),
# which is what allow-remote-requests=yes below is for.
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# source that passes the input chain; the "Drop remote DNS request" rule below
# covers udp/53 only, so TCP/53 is not blocked by it.
set allow-remote-requests=yes cache-max-ttl=1d
/ip firewall filter
# NOTE(review): the input chain has no trailing catch-all drop, so input
# traffic that matches none of the specific drop rules falls through to the
# chain's default accept; a final "add action=drop chain=input" would be the
# usual pattern if that is not intended.
add action=add-src-to-address-list address-list=KNOCK1 address-list-timeout=2m chain=input comment=PortKnock1 dst-port=5678 protocol=tcp
add action=add-src-to-address-list address-list=KNOCK2 address-list-timeout=2m chain=input comment=PortKnock2 dst-port=4321 protocol=tcp src-address-list=KNOCK1
add action=add-src-to-address-list address-list=Trusted address-list-timeout=30m chain=input comment="defconf: PortKnock3 >> Trust" dst-port=2345 protocol=tcp \
    src-address-list=KNOCK2
add action=accept chain=input comment="defconf: Allow Trusted IPs" src-address-list=Trusted
add action=accept chain=input comment="defconf: Allow Local IPs" src-address=192.168.1.0/24
# NOTE(review): accepts any input packet claiming source 8.8.8.8 before all the
# drop rules; source addresses are not authenticated, so this is an
# unconditional bypass for that address. A connection-state=established,related
# match would be narrower if this is only meant for DNS replies.
add action=accept chain=input comment="defconf: Allow 8.8.8.8" src-address=8.8.8.8
add action=drop chain=input comment="defconf: Drop winbox from Internet" dst-port=8291 protocol=tcp
add action=drop chain=input comment="defconf: Drop BTest from Internet" dst-port=2000 protocol=tcp
add action=drop chain=input comment="defconf: Drop ICMP from Internet" protocol=icmp src-address=!192.168.1.0/24
add action=drop chain=input comment="defconf: Drop telnet from Internet" dst-port=23 protocol=tcp src-address=!192.168.1.0/24
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="defconf: Detect Port-Scanners" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="defconf: Dropp Port-Scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list=DNS_Exploit address-list-timeout=1d chain=input comment="defconf: Log remote DNS request" dst-port=53 in-interface=ether1 \
    log-prefix="" protocol=udp
add action=drop chain=input comment="defconf: Drop remote DNS request" dst-port=53 protocol=udp src-address=!192.168.1.0/24
# NOTE(review): ssh/22 is not blocked outright; sources are staged through
# ssh_stage1 -> ssh_stage2 -> ssh_blacklist on repeated new connections and
# only then dropped.
add action=drop chain=input comment="defconf: Drop SSH BruteForce" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=7w1d chain=input comment="defconf: ssh-stage3 >> blacklist" connection-state=new \
    dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=15m chain=input comment=ssh-stage2 connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=10m chain=input comment=ssh-stage1 connection-state=new dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: Drop All From Blacklisted" src-address-list=ssh_blacklist
add action=accept chain=forward comment="defconf: allow established connections" connection-state=established
add action=accept chain=forward comment="defconf: allow related connections" connection-state=related
add action=drop chain=forward comment="defconf: drop invalid connections" connection-state=invalid
add action=drop chain=forward comment="defconf: Blokada internetu" disabled=yes log-prefix="" src-address=192.168.1.10
/ip firewall nat
# NOTE(review): rewrites the source of traffic from knock-authenticated
# (Trusted) hosts to 192.168.1.1 on the way out; the intent is not clear from
# the export alone — confirm it is still wanted.
add action=src-nat chain=srcnat comment="defconf: AccessList NAT" src-address-list=Trusted to-addresses=192.168.1.1
add action=masquerade chain=srcnat comment="defconf: masquerade" log-prefix="" out-interface=ether1 src-address=192.168.1.0/24
/ip service
# NOTE(review): only these five services are disabled here; ssh, winbox and
# www-ssl are not listed and presumably keep their defaults. winbox/8291 is
# dropped for non-local sources by the input chain above.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master,ether7,ether8,ether9,ether10
/system clock
set time-zone-name=Europe/Warsaw
And about Post #1: I really did not know from the beginning that each time after I set up the RB2011 with my custom settings, Winbox or RouterOS adds ether1 to the bridge ports by itself :)
Then, after six hours of battle, I found the main problem with it.
 
th0massin0

Re: rb2011uias-2hnd-in in/out-interface matcher switch error

Tue Dec 13, 2016 2:09 am

Practise makes perfect. Pozdrawiam :)
