Dear all
I'm not very good in networking and completelly new in Mikrotik. I have 2x4011 (one with WiFi [named R2] and one without [named R1]).
On each router I have ports 6 to 10 dedicated to high speed usage so I have created VideoBridge for these ports and this bridge is HW offloaded (anyone can speak to anyone so no routing needed). Each router has DHCP server (for the video bridge) with range .64/26 (router R1) .128/26 (router R2). Range .192/26 is used for fixed IP devices that can be randomly plugged in R1 or R2.
Connection betwen these 2 routers is realized primary by SFP+ fiber/10GB, but secondary on ETH1 (if both works SFP+ should be used)
Conenction to internet is realized by ETH3 on R1 or R2 (if both ETH3 interfaces are connected the one on R1 should be used).
Now I got stuck with 2 problems:

1. How to make sure fixed IP devices (range .192/26) can communicate to any of .0/24 range regardless if they use R1 or R2 (always ports 6 to 10) and vice versa
2. How to make sure .0/24 (DHCP and fixed ranges) can communicate to internet regardless if it is actually connected to ETH3 on R1 or R2

I have seen several posts about multiple gateways and backup internet connections. I feel like this could be the right way to go, but can not put it together

For now I have the HW offloaded bridge and was thinking to create another bridge as bridge between R1 and R2, then to create on each router bridge with ETH3 in. Internet traffic will be NATed to the R1-R2 bridge and from this bridge the 'active' ETH3 one will take it. But it did not work as it will mean that 2 bridges are using the ETH1 and SFP+ that is not allowed.
I tried also playing with VLANs but here I got quickly in the state that HW offloading was gone, so for ow it seems like it must be realized without VLANs.

Attached is export of R2 with admin port configured and video bridge, on top is the attempt with internet and R1-R2 bridge (not working one), ports 1,3,4,5, firewall, WiFi are not yet configured (I'm just starting)

Any ideas?

Hey

A thought: why not use a single bridge with STP enabled, as you have loops, and multiple vlans, across the two devices? The sfpplus/eth1 would become trunk linking them both.

1. that's just routing setup (how to get to specific network) and optional firewall forward limitations you may want (how may go where)
2. again all in routing config, the primary uplink can be local and backup uplink the remote one

I'm sorry but did not get your response, adding few more details to point 1 (fixed range across 2 routers).
This are the networks:

• R1 ranges on ports 6 to 10 are 192.168.43.64/26 (assigned by DHCP) plus 192.168.43.192/26 (fixed devices)
• R2 ranges on ports 6 to 10 are 192.168.43.128/26 (assigned by DHCP) plus 192.168.43.192/26 (fixed devices)

Now imagine 3 devices:

• DHCP device on R1 port 9 gets IP 192.168.43.70
• DHCP device on R2 port 7 gets IP 192.168.43.135
• Fixed IP device 192.168.43.240 is connected to R1 port 6 and in ~10 hours it will be connected to R2 port 8

What should be configured as gateway on R1 and on R2? The 3 above devices should communicate now and also in 10 hours and on top if the devices are on the same physical router the communication should be HW offloaded ( =NO VLAN ).
How to setup routing when I do not know where particular fixed IP target is actually connected?

If there will be no fixed IP range I would pick 192.168.43.65 (for R1 and network .64/26) and 192.168.43.129 (for R2 and network .128/64) as gateways and route it via SFP+ module (I do not know how to link SFP+ with eth1, if I link them together as you are suggesting on both sides there will be loop?)

Why not keep things as simple as possible?
* 1 bridge on both 4011, linked together. The linkage would be of the spf+ (and optionally eth1). If over both, the bridges on both sides would need to have stp enabled to handle the loop: spf+->eth1->spf+.
* multiple vlans on that bridge with different assignment to ports, just as the VLAN are already assigned
* single subnet / vlan: videobridge (and others) would need only one dhcp (second optionally as backup). this also means that you would lose the "range / router" you have right now. But would make configuration & routing easier.
* the static videobridge devices would "just work", irrelevant on which side they are plugged in
* for within-vlan communication no gateway is needed, as any host can reach any other whether on R1 or R2. For outside-vlan, gateway should be the primary router. the other can be backup router (VRRP)
* the "linking of sfp+ & eth1" is already in place: that's your "BridgeToR1"


Just a clarification: multiple vlans can be perfectly offloaded

Sebastia, first of all wishing you and all others happy new year!
Thank you for the answer, this was my initial idea, however it is very slow solution for my usage. The video traffic will fully utilize both devices CPUs and they will be on the edge, as complete traffic will ned to go thru CPU. Because of this I'm afraid of stability and heating issues and also I need the routers for other traffic (cca 10 another networks + 2x IPSEC) so it is not posible to fully load both routers with video traffic only.
Reason for high CPU load are (in your proposal):

• STP is blocking HW offloading (tested)
• VLAN filter on bridge is blocking HW offloading (tested)
• bridge across ports that are served by different chips (can be the same type, but 2nd physical device) blocks HW offloading (tested, but the results have been confusing for me)

So this is no-go option for my setup and because of this I tried to invent something else allowing HW offload, however I can not move it forward as of now. Any other proposals?

Hey

* STP will indeed result in cpu processing https://wiki.mikrotik.com/wiki/Manual:S ... Offloading
* VLAN filtering will also result in cpu processing, but do you need it? you could just make sure the right vlan is untagged...

The limitation is the "cable failover" requirement. Do you really need it? This requires multiple paths -> requires STP -> requires CPU processing on current hardware

So:
* if you only use single link between 4011s: no need for STP
* if you just untag the right vlan: no need for filtering

If you really need all the features you should be using CRS3xx series where all that stuff is in hardware.

OK so I understand this is not possible, have resolved it on the connection level in a way that on each Mikrotik there are 2 physical ports (ETH10 and SFP) connected to bridge and everything is handled by this bridge, however in case both ports are connected it really do not work.
For internet connectivity I use only one port eth2 on R1.
Now I started to configure FW and got problems from the beginning there are 2 simple rules setup:
RULE 1: UDP out to ETH2 to ports 67 and 68
RULE 2: UDP in from eth2 from ports 67 and 68
And to these rules there is DHCP client configured for eth2
Now when I connect this router to box of my provider via ETH2 I got 0 (zero) packets on the out connection and 9 (+ growing) on the incomming connection, obviously I'm asking myself how it is possible that router gets IP address assigned from provider without asking for one?
Thanks for explanation

In dhcp protocol, server is on 67 client on 68, UDP.
So what you should to is, allow outgoing (chain=output) to 67 and then allow "established & related" on inbound (chain=input). Connection tracking will take care of the rest.

Did your config on primary router (connected to isp) change? If so post last version (/export hide-sensitive compact).

Is the isp box doing natting (=> 192.168.1.0/24)?

DHCP broadcast, request, etc is layer 2, firewall is layer 3 of OSI model

DHCP broadcast, request, etc is layer 2, firewall is layer 3 of OSI model

dhcp protocol is in UDP, based on IP, and using broadcast ip's when necessary.
See https://en.wikipedia.org/wiki/Dynamic_H ... n_Protocol

DHCP broadcast, request, etc is layer 2, firewall is layer 3 of OSI model

dhcp protocol is in UDP, based on IP, and using broadcast ip's when necessary.
See https://en.wikipedia.org/wiki/Dynamic_H ... n_Protocol

True, wasn't thinking it through properly

Today We have chained 2 Mikrotics, one of them pretending to be ISP and the second one was my R1. In log of the 'fake ISP' the broadcast packet of my Mikrotik was clearly seen going from port 68 to 67, BUT the firewall counter stays on 0 packets. What I'm doing wrong?

IP firewall does not affect dhcp client.

See also: viewtopic.php?t=140569

Yes it does...
Do you have a dhcp client? Try to firewall it completely in input for UDP...

Corrected. (that's new for me)

Today We have chained 2 Mikrotics, one of them pretending to be ISP and the second one was my R1. In log of the 'fake ISP' the broadcast packet of my Mikrotik was clearly seen going from port 68 to 67, BUT the firewall counter stays on 0 packets. What I'm doing wrong?

Accepted before this rule already?

It used to be necessary, as the packets were processed by IP firewall. Today dhcp client traffic doesn't go through firewall.