thegoop
just joined
Topic Author
Posts: 20
Joined: Mon Jan 07, 2019 7:21 am

Cannot access RouterOS using WebFig

Thu Jan 10, 2019 2:03 am

I am repurposing my CRS-125 to be a switch (was prior used as a router). Specifically, a managed switch.

- I cannot access the CRS using WebFig (I can via Winbox and the MAC address. Interestingly, it doesn't show up as a neighbor).
- All ports are bridged.
- I've tried setting the CRS's network config statically, I know the IPv4 configuration is correct. I have a DHCP server set up on a box on ether1, but the CRS is not getting an address. I have to set the interface as my bridge, as setting it to be any specific port interface errors out with "cannot set on a slave."
- CRS seems to be ignoring all level 2, including ping.
- WebFig with this box was working fine when it was set up as a router.

Any thoughts/help/advice? I am a linux/mac shop, so using WinBox is a bit of a pain.

Thanks!
 
Van9018
Long time Member
Posts: 505
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Cannot access RouterOS using WebFig

Thu Jan 10, 2019 3:01 am

You can reset the device configuration back to default to make it back into a managed switch. Or if you want to do it manually anyway:

- Remove your bridge
- Set master-port to ether1 for ports 2-24.
- Remove all port forwarding from firewall > NAT, also remove any mangle rules. Delete firewall rules too.
- Remove all (if any) routes
- Disable DHCP Server
- Enable DHCP Client, set interface to ether1 since it's the master port
- Did you get an IP? Try connecting via webfig via that IP.

I think that's it...
 
thegoop
just joined
Topic Author
Posts: 20
Joined: Mon Jan 07, 2019 7:21 am

Re: Cannot access RouterOS using WebFig

Thu Jan 10, 2019 3:25 am

1- if I reset the configuration to get close to a managed switch, which Quick Set option do I take? I believe - from a different thread - that it's "WISP AP" with Mode=Bridge, but can you please confirm?
2- I thought that there was no such thing as a master port anymore (as of 6.40). The way to get hw switching is to put all interfaces into a bridge. Am I confused?

Thanks.
 
mkx
Forum Guru
Posts: 2420
Joined: Thu Mar 03, 2016 10:23 pm

Re: Cannot access RouterOS using WebFig

Thu Jan 10, 2019 7:53 am

1. Perhaps even easier would be to go with no default config. Then create a bridge, add all ether ports to it, add wireless to it and add IP address for management access. If you plan to use VLANs, configure all VLAN stuff on switch chip and add vlan interface only for management VLAN prior to adding address (in this case address goes to vlan interface).

2. You're not confused, master-port is gone since ROS 6.42.
BR,
Metod
 
thegoop
just joined
Topic Author
Posts: 20
Joined: Mon Jan 07, 2019 7:21 am

Re: Cannot access RouterOS using WebFig

Thu Jan 10, 2019 2:59 pm

Thanks -

> Perhaps even easier would be to go with no default config. Then create a bridge, add all ether ports to it, add wireless to it and add IP address for management access.

Where do I add the IP address for management access, and can that be a DHCP client?

> If you plan to use VLANs, configure all VLAN stuff on switch chip and add vlan interface only for management VLAN prior to adding address (in this case address goes to vlan interface).

Is there a special place to configure a VLAN on the switch chip, vs. RouterOS generally? If I want the flexibility of possibly running DNS and DHCP server from the CRS, would I be better off creating a management VLAN or also putting these services on the bridge interface?

Much appreciated!
 
mkx
Forum Guru
Posts: 2420
Joined: Thu Mar 03, 2016 10:23 pm

Re: Cannot access RouterOS using WebFig

Thu Jan 10, 2019 3:20 pm

> > Perhaps even easier would be to go with no default config. Then create a bridge, add all ether ports to it, add wireless to it and add IP address for management access.
>
> Where do I add the IP address for management access, and can that be a DHCP client?

Without using VLANs config goes to bridge interface, e.g.
/ip address
add address=<wanted IP address>/24 interface=bridge
It can be dynamic (using DHCP client) as well, but I strongly advise against it. Such setup adds complexity as you have to either find out the current IP address (from DHCP server's lease table) or you have to make sure it's static lease (DHCP server config). In addition to that, if DHCP server is not available when AP restarts, it will end up in undefined state ... which doesn't help in case you need to reconstruct your network after some major disaster.

> > If you plan to use VLANs, configure all VLAN stuff on switch chip and add vlan interface only for management VLAN prior to adding address (in this case address goes to vlan interface).
>
> Is there a special place to configure a VLAN on the switch chip, vs. RouterOS generally? If I want the flexibility of possibly running DNS and DHCP server from the CRS, would I be better off creating a management VLAN or also putting these services on the bridge interface?

It depends on particular device model, as this is switch chip specific, the actual commands will vary. The new way of doing it is unified across different HW types, but mostly means degraded performance (things are done in software rather than in switch chip). CRS switches in particular suffer as they feature many ports while their CPU is relatively slow.

In a SOHO environment using VLANs mostly means enhanced security by separating devices into different VLANs and using a firewall for connectivity between subnets. When you start to roll-out VLANs, you have to think of what support services are needed by each VLAN ... and provide those. VLANs are (in general) quite complex topic, so I suggest you do some reading. VLANs on Mikrotik are done in yet another way (almost every vendor has some peculiarities) so it does take some understanding of topic in general, thinking about how ROS implements it and decisions on how to implement it in your environment. Again, with CRS it's advisable to use external device (i.e. router) to perform inter-VLAN routing and firewalling.
BR,
Metod
 
thegoop
just joined
Topic Author
Posts: 20
Joined: Mon Jan 07, 2019 7:21 am

Re: Cannot access RouterOS using WebFig

Thu Jan 10, 2019 6:39 pm

So here is what I have cobbled together with your help, and some other posts. I expect this will get me:
  • Basic switch, wireless enabled, with hw offloaded for ethernet switching
  • Addressable at 10.10.2.1 for WebFig
  • Able to access the internet through the upstream 10.10.1.1 router, using public DNS's
  • Later: Can turn on DNS peer-request (to make this a server), or DHCP server (I like MT's handling more than the current upstream server)
Any other thing you'd recommend?
/interface wireless 
set [find] ssid=YourWifiName frequency=auto disabled=no
/interface wireless security-profiles 
set [find default=yes] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=YourWifiPassword disable-pmkid=yes
/interface bridge 
add fast-forward=no name=bridge_all
/interface bridge port 
add bridge=bridge_all interface=all
/ip address
add address=10.10.2.1/22 interface=bridge_all
/ip route 
add gateway=10.10.1.1
/ip dns
set servers=1.1.1.1,8.8.8.8
Is it better to add each interface 1 by 1 to the bridge (so each of the 24 ethernet, wlan1, and sfp1)?

I saw that the best way to do this is to put the above commands into a default.rsc file (in a new "flash" subdirectory) and run:
/system reset-configuration no-defaults=yes run-after-reset=flash/default.rsc
I've only ever put files into wherever the "files" WebFig button points to. Is this the "flash" folder, or does my system not have a flash folder (so everything is flash vs. ramdrive)?

Thanks in advance.
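
A pre-flight check for a run-after-reset script like the one above, as an added example that is not part of the original post: with no-defaults=yes a mistake in the script leaves the switch without a reachable WebFig address, so it checks that the static address sits on a bridge the script creates and that the default gateway is on-link. The function names parse_rsc and preflight are hypothetical, the sample is constructed from the posted script, and the parser assumes one menu path or one command per line.

```python
import ipaddress
import shlex

# Constructed sample: the IP-related part of the script posted above.
SAMPLE_RSC = """\
/interface bridge
add fast-forward=no name=bridge_all
/interface bridge port
add bridge=bridge_all interface=all
/ip address
add address=10.10.2.1/22 interface=bridge_all
/ip route
add gateway=10.10.1.1
"""

def parse_rsc(text):
    """Return (menu, verb, params) per command; assumes one menu path or command per line."""
    menu, commands = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, *args = shlex.split(line)
        params = dict(a.split("=", 1) for a in args if "=" in a)
        commands.append((menu, verb, params))
    return commands

def preflight(text):
    """List problems that would leave the switch unreachable over IP after the reset."""
    cmds = parse_rsc(text)
    bridges = {p.get("name") for m, v, p in cmds if m == "/interface bridge" and v == "add"}
    addrs = [p for m, v, p in cmds if m == "/ip address" and v == "add"]
    gateways = [p["gateway"] for m, v, p in cmds if m == "/ip route" and "gateway" in p]
    problems = [] if addrs else ["no static management address"]
    nets = []
    for a in addrs:
        nets.append(ipaddress.ip_interface(a["address"]).network)
        # An address on a member port is the "cannot set on a slave" case from the first post.
        if a.get("interface") not in bridges:
            problems.append(f"address {a['address']} is not on a bridge created by the script")
    for gw in gateways:
        if not any(ipaddress.ip_address(gw) in n for n in nets):
            problems.append(f"gateway {gw} is not on-link for any configured address")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE_RSC) or "preflight ok")
```

The posted /22 mask is what puts the 10.10.1.1 gateway on the same network as 10.10.2.1; with a /24 the same script would come up with an unreachable default route.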
 
mkx
Forum Guru
Posts: 2420
Joined: Thu Mar 03, 2016 10:23 pm

Re: Cannot access RouterOS using WebFig

Thu Jan 10, 2019 8:26 pm

Your config seems sane.

FWIW, default setup script on my hAP ac2 builds list of bridge member ports like this:
:foreach k in=[/interface find where !(slave=yes  || name="ether1" || name~"bridge")] do={
    :local tmpPortName [/interface get $k name];
    /interface bridge port
    add bridge=bridge interface=$tmpPortName comment=defconf;
}

In your case you would omit exclusion of ether1 from the list.

I've no experience with using my own setup script used right after reset. I guess it should contain much more config than contained in posted script. Check (if CRS has it, I'd expect it does) output of /system default-configuration print to see what is done by default.
BR,
Metod
 
thegoop
just joined
Topic Author
Posts: 20
Joined: Mon Jan 07, 2019 7:21 am

Re: Cannot access RouterOS using WebFig

Fri Jan 11, 2019 1:45 am

Perfect, thank you. I used WebFig to do a reset, executing a script immediately after restart against only what was posted. Worked like a champ and didn't require anything else.

Thanks for the pointer on /system default-configuration print, I am adding a few things and cleaning up using some scripting code/flow control.

I love MT, and thanks for your help.
