Community discussions

MikroTik App
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

DHCP client doesn't work on SFP(S-RJ01) port

Wed Sep 27, 2017 12:07 pm

Hello!

Could anyone point to a guide(or correct me) how to move "WAN port" from eth1 to sfp1? I just bought S-RJ01 and would like to free other 1Gb ports.
I was trying manually: set dhcp client for sfp1, change bridge ports, enable master port(eth2) for previous WAN port. Finally, I reset to defaults and started from the begining(QuickSet) with HomeAP profile — there was an option to specify WAN port.
I have attached photos to see what's going on now.

The other frustraing thing that backup doesn't work. Before moving to sfp I backed up to quick revert in case of failure. Just nothing happend: DHCP options, Firewall rules, OpenVPN... literally nothing, everything stays as before. Nothing in log as well.

Device: RB2011UiAS-2HnD-IN
Thank you in advance.
You do not have the required permissions to view the files attached to this post.
 
User avatar
pukkita
Trainer
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: DHCP client doesn't work on SFP(S-RJ01) port

Wed Sep 27, 2017 2:26 pm

How was your WAN setup? Does it use DHCP to get the WAN IP?

Are you sure sfp interface is linked and running? (Look at Interfaces > SFP1 > status)
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Wed Sep 27, 2017 9:18 pm

How was your WAN setup? Does it use DHCP to get the WAN IP?

Are you sure sfp interface is linked and running? (Look at Interfaces > SFP1 > status)
[admin@MikroTik] /interface list member> print
Flags: X - disabled, D - dynamic 
 #   LIST                                                                            INTERFACE                                                                          
 0   ;;; defconf
     LAN                                                                             bridge                                                                             
 1   ;;; defconf
     WAN                                                                             sfp1   

[admin@MikroTik] /interface ethernet> print
Flags: X - disabled, R - running, S - slave 
 #    NAME                                    MTU MAC-ADDRESS       ARP             MASTER-PORT                                  SWITCH                                 
 0  S ether1                                 1500 64:D1:54:2C:EF:78 enabled         none                                         switch1                                
 1 RS ether2-master                          1500 64:D1:54:2C:EF:79 enabled         none                                         switch1                                
 2 RS ether3                                 1500 64:D1:54:2C:EF:7A enabled         ether2-master                                switch1                                
 3 RS ether4                                 1500 64:D1:54:2C:EF:7B enabled         ether2-master                                switch1                                
 4 RS ether5                                 1500 64:D1:54:2C:EF:7C enabled         ether2-master                                switch1                                
 5 RS ether6-master                          1500 64:D1:54:2C:EF:7D enabled         none                                         switch2                                
 6  S ether7                                 1500 64:D1:54:2C:EF:7E enabled         ether6-master                                switch2                                
 7 RS ether8                                 1500 64:D1:54:2C:EF:7F enabled         ether6-master                                switch2                                
 8 RS ether9                                 1500 64:D1:54:2C:EF:80 enabled         ether6-master                                switch2                                
 9  S ether10                                1500 64:D1:54:2C:EF:81 enabled         ether6-master                                switch2                                
10 R  sfp1                                   1500 64:D1:54:2C:EF:77 enabled         none                                         switch1 

[admin@MikroTik] /ip dhcp-client> print
Flags: X - disabled, I - invalid 
 #   INTERFACE                                                                                           USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS        ADDRESS           
 0   sfp1                                                                                                yes          yes               searching... 

[admin@MikroTik] /ip dhcp-client> /interface ethernet monitor   
numbers: 10
                      name: sfp1
                    status: link-ok
          auto-negotiation: done
                      rate: 1Gbps
               full-duplex: yes
           tx-flow-control: no
           rx-flow-control: no
               advertising: 
  link-partner-advertising: 
        sfp-module-present: yes
               sfp-rx-loss: no
                  sfp-type: SFP-or-SFP+
        sfp-connector-type: LC
    sfp-link-length-copper: 100m
           sfp-vendor-name: Mikrotik
    sfp-vendor-part-number: S-RJ01
       sfp-vendor-revision: 1.0
         sfp-vendor-serial: 61B103BD0A44
    sfp-manufacturing-date: 15-03-11
           eeprom-checksum: good
                    eeprom: 0000: 03 04 07 00 00 00 08 00  00 00 00 01 0d 00 00 00  ........ ........
                            0010: 00 00 64 00 4d 69 6b 72  6f 74 69 6b 20 20 20 20  ..d.Mikr otik    
                            0020: 20 20 20 20 00 20 20 20  53 2d 52 4a 30 31 20 20      .    S-RJ01  
                            0030: 20 20 20 20 20 20 20 20  31 2e 30 20 00 00 00 9e           1.0 ....
                            0040: 00 00 00 00 36 31 42 31  30 33 42 44 30 41 34 34  ....61B1 03BD0A44
                            0050: 20 20 20 20 31 35 30 33  31 31 20 20 00 00 00 87      1503 11  ....
                            0060: 00 00 11 ea 6c 4d 7c 27  11 db 35 ba 1b dc e6 ce  ....lM|' ..5.....
                            0070: 99 dc 97 00 00 00 00 00  00 00 00 00 5a d5 b3 e9  ........ ....Z...
                            0080: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
                            0090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
                            00a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
                            00b0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
                            00c0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
                            00d0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  ........ ........
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Thu Sep 28, 2017 11:28 am

ISP says that nothing comes from me, despite this I see in logs that at least Mikrotik is trying to(attached).
You do not have the required permissions to view the files attached to this post.
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Thu Sep 28, 2017 9:49 pm

I guess this because of interface rate which is 1Gbps now. I tried to set Speed to 100Mbps but nothing has changed.
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Thu Sep 28, 2017 10:30 pm

Well, I'm back to ether1 and using sfp1 for local NAS. Works like a charm. But still wondering why DHCP client doesn't work via sfp1?
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: DHCP client doesn't work on SFP(S-RJ01) port

Thu Sep 28, 2017 10:39 pm

Please run this command and then paste the output here in code block
/export compact file=MyFile.rsc hide-sensitive
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Thu Sep 28, 2017 10:50 pm

Please run this command and then paste the output here in code block
/export compact file=MyFile.rsc hide-sensitive
Well, I currently use ether1 as WAN, do you want me to try sfp1 again and then paste a config?
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: DHCP client doesn't work on SFP(S-RJ01) port

Thu Sep 28, 2017 10:54 pm

Well, I currently use ether1 as WAN, do you want me to try sfp1 again and then paste a config?
You might post the ether1 setup (which works) and then the sfp1 setup (which does not). I'll compare them for you.
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Thu Sep 28, 2017 11:23 pm

You might post the ether1 setup (which works) and then the sfp1 setup (which does not). I'll compare them for you.
Oh, thank you very much.

ether1 as WAN(DHCP)
# sep/28/2017 23:06:20 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
    wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
    remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
{...}
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
    10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=\
    ether1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
    10.7.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=netmap chain=dstnat comment="HTTP Proxy" dst-port=80 in-interface=\
    ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
add action=netmap chain=dstnat comment="HTTPS Proxy" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{...}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
sfp1 as WAN(DHCP)
# sep/28/2017 23:15:46 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
    wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
    remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf disabled=yes interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/interface ovpn-server server
{...}
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
    10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=\
    ether1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
    10.7.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=masquerade chain=srcnat out-interface=ether1
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=netmap chain=dstnat comment="HTTP Proxy" dst-port=80 in-interface=\
    ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=netmap chain=dstnat comment="HTTPS Proxy" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{..}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Sep 29, 2017 12:01 am

A couple of things stand out.

Under /interface bridge port, disabled=yes is set for the sfp1 interface. However, you might try removing it from the bridge. That might be what is causing the error in/out-interface matcher not possible when interface (ether1) is slave that appear under the nat rules.

That error is your real problem.

So, under /ip firewall filter and /ip firewall nat, you have ether1 as your WAN interface, you need to change it to be sfp1.
Last edited by pcunite on Fri Sep 29, 2017 12:11 am, edited 1 time in total.
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Sep 29, 2017 12:10 am

A couple of things stand out.

Under /interface bridge port, disabled=yes is set for the sfp1 interface. That is apparently also causing the error in/out-interface matcher not possible when interface (ether1) is slave in the nat rules.
On clean setup(after reset) I did not include sfp in this bridge(even as disabled). How it has to be configured, then?
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Sep 29, 2017 12:12 am

On clean setup(after reset) I did not include sfp in this bridge(even as disabled). How it has to be configured, then?
I edited my post. Read it again. Then let me know if you have an issue.
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Sep 29, 2017 12:18 am

You have ether1 in your bridge, then you also are setting to use it as your in-interface and out-interface interface under firewall and nat rules. That is incorrect. You need to carefully change over all ether1 references to be sfp1.
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Sep 29, 2017 12:34 am

I edited my post. Read it again. Then let me know if you have an issue.
I have, actually ;( Hope that I have missed something again.
# sep/29/2017 00:28:14 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
    wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
    remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/interface ovpn-server server
{...}
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
    10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
add action=accept chain=input comment=OpenVPN disabled=yes dst-port=1194 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
    10.7.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=sfp1
add action=netmap chain=dstnat comment="HTTP Proxy" disabled=yes dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
add action=netmap chain=dstnat comment="HTTPS Proxy" disabled=yes dst-port=\
    443 in-interface=ether1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{...}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Sep 29, 2017 12:37 am

I have, actually ;( Hope that I have missed something again.
This is incorrect. You are using ether1 in your firewall and nat rules. ether1 should not be your wan interface. I'll post some updated rules. But, this should be obvious to you now.
 
User avatar
pcunite
Forum Guru
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Sep 29, 2017 12:49 am

Here is a config that will work. I have removed extraneous settings that don't apply. You'll need to add those back.

Note, that I can't see you ppp settings. Make sure you're using sfp1 there. Also, later, change ether1 to be master (instead of ether2), naturally.
# sfp1

/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master

/ip neighbor discovery
set sfp1 discover=no

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf

/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN

/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=10.1.0.0

/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1

/ip firewall filter
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=sfp1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=10.7.0.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=sfp1
add action=netmap chain=dstnat comment="HTTP Proxy" dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
add action=netmap chain=dstnat comment="HTTPS Proxy" dst-port=443 in-interface=sfp1 protocol=tcp to-addresses=10.1.0.51 to-ports=443

 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Sep 29, 2017 12:51 am

This is incorrect. You are using ether1 in your firewall and nat rules. ether1 should not be your wan interface. I'll post some updated rules. But, this should be obvious to you now.
I thought disabling is enough. Anyway, still the same – no luck.
# sep/29/2017 00:47:10 by RouterOS 6.40.3
# software id = UVM1-F323
#
# model = 2011UiAS-2HnD
# serial number = 7A6707093BBC
/interface bridge
add admin-mac=64:D1:54:2C:EF:79 auto-mac=no comment=defconf name=bridge
add name=openvpn1
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=russia disabled=no distance=indoors mode=ap-bridge ssid=danilabagroff \
    wireless-protocol=802.11
/ip neighbor discovery
set sfp1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.1.0.100-10.1.0.254
add name=openvpn1 ranges=10.7.0.2-10.7.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=openvpn1 dns-server=10.1.0.1 local-address=10.7.0.1 name=openvpn1 \
    remote-address=openvpn1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=sfp1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=gw1.megrabyan.pro cipher=aes256 default-profile=\
    openvpn1 enabled=yes keepalive-timeout=disabled mode=ethernet \
    require-client-certificate=yes
/ip address
add address=10.1.0.1/24 comment=defconf interface=ether2-master network=\
    10.1.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server lease
{...}
/ip dhcp-server network
add address=10.1.0.0/24 comment=defconf gateway=10.1.0.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
{...}
/ip firewall filter
add action=accept chain=input comment=OpenVPN disabled=yes dst-port=1194 \
    in-interface=sfp1 protocol=tcp
add action=accept chain=input comment="Access from VPN network" src-address=\
    10.7.0.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=sfp1
add action=netmap chain=dstnat comment="HTTP Proxy" disabled=yes dst-port=80 \
    in-interface=sfp1 protocol=tcp to-addresses=10.1.0.51 to-ports=80
add action=netmap chain=dstnat comment="HTTPS Proxy" disabled=yes dst-port=\
    443 in-interface=sfp1 protocol=tcp to-addresses=10.1.0.51 to-ports=443
/ip route
add comment="266 Subnet" distance=1 dst-address=10.2.0.0/24 gateway=10.7.0.2
/ip service
set telnet disabled=yes
set www address=10.1.0.0/24,10.7.0.0/24 port=8080
set ssh address=10.1.0.0/24,10.7.0.0/24
set winbox disabled=yes
/ppp secret
{...}
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw1
/system ntp client
set enabled=yes server-dns-names=0.ru.pool.ntp.org,1.ru.pool.ntp.org
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
 
danilabagroff
newbie
Topic Author
Posts: 36
Joined: Sat Sep 09, 2017 10:48 pm

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Sep 29, 2017 1:10 am

Here is a config that will work. I have removed extraneous settings that don't apply. You'll need to add those back.
I think my last one is nearly the same.
Note, that I can't see you ppp settings. Make sure you're using sfp1 there.
There is no such option.
 
spikehome
just joined
Posts: 5
Joined: Tue Mar 14, 2017 9:28 am

Re: DHCP client doesn't work on SFP(S-RJ01) port

Fri Nov 03, 2017 9:27 am

i have the same issue

but starten with a clean config with my 2011.
Only configed the sfp (S-RJ01) get a ip adres.
All ports get a adress but not the sfp
Here is my simple config:
  • # jan/02/1970 00:02:15 by RouterOS 6.40.3
    # software id = EBUE-U1WD
    #
    # model = 2011UiAS-2HnD
    # serial number = 444A01055FD2
    /ip dhcp-client
    add dhcp-options=hostname,clientid disabled=no interface=sfp1
    /lcd
    set enabled=no touch-screen=disabled
    /lcd interface pages
    set 0 interfaces=wlan1
 
User avatar
Magalex
just joined
Posts: 4
Joined: Tue Nov 06, 2018 8:33 pm
Location: Saint-Petersburg, Russia

Re: DHCP client doesn't work on SFP(S-RJ01) port

Tue Nov 06, 2018 8:55 pm

I have same issue. S-RJ01 does not work as WAN-port.

The link status is OK, but there are no RX packets, and the RX FCS error counter grows in the interface info. The problem is not with the firewall rules, the problem is not with routing settings, the problem is not with patchcord or hardware on the other side of the link (optical mediaconverter) - I tried all the available options from the combinations working with the other ports.
Unfortunately, I can not check the module with other internet provider hardware, but as a LAN port, the S-RJ01 works as it should.

HEX-S (RB760iGS), 6.43.4, S-RJ01 (vendor rev. 1.0, manufacturing date 15-03-11)
 
User avatar
Magalex
just joined
Posts: 4
Joined: Tue Nov 06, 2018 8:33 pm
Location: Saint-Petersburg, Russia

Re: DHCP client doesn't work on SFP(S-RJ01) port

Wed Nov 07, 2018 7:59 am

It seems like some hardware compatibility issue with S-RJ01 on the ethernet side. I will try to plug something between S-RJ01 and provider’s mediaconverter. I will make a post about the result. Sorry for bad English...
 
spikehome
just joined
Posts: 5
Joined: Tue Mar 14, 2017 9:28 am

Re: DHCP client doesn't work on SFP(S-RJ01) port

Wed Nov 07, 2018 9:41 am

@Magalex i use now ether1 as wan
the sfp is now a uplink to my second 2011
 
User avatar
Magalex
just joined
Posts: 4
Joined: Tue Nov 06, 2018 8:33 pm
Location: Saint-Petersburg, Russia

Re: DHCP client doesn't work on SFP(S-RJ01) port

Wed Nov 07, 2018 7:07 pm

I can say with a great deal of confidence that we are dealing with poor compatibility on the ethernet side of the S-RJ01 module. I put an old RB951 (as L2 bridge) between the ISP's mediaconverter and my HEX-S with S-RJ01 - everything works as it should (sfp as WAN).
I want to remind, that with the "usual" ethernet ports of the router mediaconverter works without any problems.
Sorry for bad English...

@spikehome, I think that I will do the same
 
nescafe2002
Forum Veteran
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: DHCP client doesn't work on SFP(S-RJ01) port

Tue Nov 13, 2018 3:39 pm

Could you try adding sfp1 to a new bridge-wan and moving dhcp-client (& interface list / firewall rules) to bridge-wan? Still no connectivity?

Who is online

Users browsing this forum: Google [Bot], GoogleOther [Bot], jookraw, mtest001, rapix61 and 46 guests