rjow2021
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Move WAN from ether1 to ether6?

Mon Mar 29, 2021 11:14 am

This is so I can power the RB4011 from the CRS328 switch using "ether1".

I have removed "ether6" from the bridge.
I have added "ether6" to the "Interface list" as WAN.
Added "ether6" to the "DHCP client" list.

But on the "Quick set" page I cannot select "ether6" Port in the "Internet" section. Just "Eth1" and "SFP+" are available.

Any help with this appreciated.
Last edited by rjow2021 on Mon Mar 29, 2021 11:24 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Move WAN from ether1 to ether6?

Mon Mar 29, 2021 11:19 am

Don't use quickset, use winbox to configure MT device
 
rjow2021
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Re: Move WAN from ether1 to ether6?

Mon Mar 29, 2021 11:24 am

> Don't use quickset, use winbox to configure MT device
Yep, I use WinBox every time.

Just wanted to see if Quick set is irrelevant when setting a different WAN port. Because it doesn't show "ether6" as an option.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Move WAN from ether1 to ether6?

Mon Mar 29, 2021 11:53 am

QuickSet is, in my opinion, great for new MikroTik users to configure a basic configuration. After that, don't use it anymore at all.

In addition to your adjustments, in the IP > Firewall > NAT tab you have to change your masquerade rule as well.
 
rjow2021
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Re: Move WAN from ether1 to ether6?

Mon Mar 29, 2021 12:17 pm

> QuickSet is, in my opinion, great for new MikroTik users to configure a basic configuration. After that, don't use it anymore at all.

Excellent, so I will ignore the "Quickset options" now.

> In addition to your adjustments, in the IP > Firewall > NAT tab you have to change your masquerade rule as well.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none log=yes out-interface-list=WAN

Not sure what to change here, if anything, as the rule isn't port specific. I will test shortly.
 
rjow2021
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Re: Move WAN from ether1 to ether6?

Mon Mar 29, 2021 12:54 pm

WAN connected via "ether6" with the settings above.

"ether1" connected to CRS328 for PoE only, and is working. I disabled "ether1" in the RB4011 to stop any traffic flow, PoE still works. SFP+ link to CRS328.

CRS328 confirms ~190mA @ ~52V on "ether1" to the RB4011.
Last edited by rjow2021 on Mon Mar 29, 2021 3:01 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Move WAN from ether1 to ether6?

Mon Mar 29, 2021 2:40 pm

post config
/export hide-sensitive file=anynameyouwish
 
rjow2021
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Re: Move WAN from ether1 to ether6?

Mon Mar 29, 2021 2:52 pm

> post config
> /export hide-sensitive file=anynameyouwish

# mar/29/2021 12:48:07 by RouterOS 6.48.1
# software id = FW5U-5K9I
#
# model = RB4011iGS+
# serial number = ***************
/interface bridge
add admin-mac=48:8F:5A:C2:F6:90 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="WAN >>>" disabled=yes
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] comment="WAN >>>"
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] comment=">>> CRS328"
/interface ethernet switch port
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=6 name=pihole value="'192.168.50.11'"
/ip pool
add name=dhcp ranges=192.168.50.100-192.168.50.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1h name=defconf
/ppp profile
set *FFFFFFFE dns-server=192.168.50.1 local-address=192.168.89.1 \
remote-address=vpn
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled
add action=create-dynamic-enabled
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set one-session-per-host=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether6 list=WAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.50.1/24 comment=defconf interface=bridge network=\
192.168.50.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment="internet detect" disabled=no interface=ether6
/ip dhcp-server lease
add address=192.168.50.15 client-id=1:0:18:dd:25:f:d1 mac-address=\
00:18:DD:25:0F:D1 server=defconf
add address=192.168.50.16 client-id=1:0:18:dd:25:12:1e mac-address=\
00:18:DD:25:12:1E server=defconf
add address=192.168.50.41 client-id=1:0:2a:2a:4b:8d:a8 comment=cctv1 \
mac-address=00:2A:2A:4B:8D:A8 server=defconf
add address=192.168.50.42 client-id=1:b4:a3:82:f:7:29 comment=cctv2 \
mac-address=B4:A3:82:0F:07:29 server=defconf
add address=192.168.50.43 client-id=1:b4:a3:82:f:5:da comment=cctv3 \
mac-address=B4:A3:82:0F:05:DA server=defconf
add address=192.168.50.44 client-id=1:b4:a3:82:f:6:1b comment=cctv4 \
mac-address=B4:A3:82:0F:06:1B server=defconf
add address=192.168.50.11 client-id=1:78:24:af:82:df:b2 mac-address=\
78:24:AF:82:DF:B2 server=defconf
add address=192.168.50.18 client-id=1:74:da:88:14:2d:b9 mac-address=\
74:DA:88:14:2D:B9 server=defconf
add address=192.168.50.21 client-id=1:0:4:4b:b1:da:f9 comment=Shield \
dhcp-option=pihole mac-address=00:04:4B:B1:DA:F9 server=defconf
add address=192.168.50.7 client-id=1:84:d8:1b:59:0:92 mac-address=\
84:D8:1B:59:00:92 server=defconf
add address=192.168.50.19 client-id=1:60:32:b1:b9:79:ae mac-address=\
60:32:B1:B9:79:AE server=defconf
add address=192.168.50.31 dhcp-option=pihole mac-address=C8:3A:6B:F6:74:D4 \
server=defconf
add address=192.168.50.29 dhcp-option=pihole mac-address=40:06:A0:A7:CD:E0 \
server=defconf
add address=192.168.50.28 dhcp-option=pihole mac-address=10:CE:A9:50:87:C0 \
server=defconf
add address=192.168.50.27 client-id=1:64:16:66:8f:d4:46 dhcp-option=pihole \
mac-address=64:16:66:8F:D4:46 server=defconf
add address=192.168.50.26 client-id=1:38:f7:3d:a9:c4:dc dhcp-option=pihole \
mac-address=38:F7:3D:A9:C4:DC server=defconf
add address=192.168.50.25 client-id=1:3c:5c:c4:43:a:14 dhcp-option=pihole \
mac-address=3C:5C:C4:43:0A:14 server=defconf
add address=192.168.50.12 client-id=1:78:24:af:82:df:b3 mac-address=\
78:24:AF:82:DF:B3 server=defconf
add address=192.168.50.9 client-id=1:0:15:17:dd:cf:ac mac-address=\
00:15:17:DD:CF:AC server=defconf
add address=192.168.50.10 client-id=1:0:15:17:dd:cf:ad mac-address=\
00:15:17:DD:CF:AD server=defconf
add address=192.168.50.32 client-id=1:5c:a3:9d:2d:a8:ad comment=\
Small_SamsungTV dhcp-option=pihole mac-address=5C:A3:9D:2D:A8:AD server=\
defconf
add address=192.168.50.35 client-id=1:fc:45:96:c6:8c:3c comment=my_watch \
dhcp-option=pihole mac-address=FC:45:96:C6:8C:3C server=defconf
add address=192.168.50.37 client-id=1:a4:db:30:50:f1:d7 dhcp-option=pihole \
mac-address=A4:DB:30:50:F1:D7 server=defconf
add address=192.168.50.23 client-id=1:d6:2d:76:4e:aa:21 dhcp-option=pihole \
mac-address=D6:2D:76:4E:AA:21 server=defconf
add address=192.168.50.2 client-id=1:8:55:31:26:f8:1d mac-address=\
08:55:31:26:F8:1D server=defconf
add address=192.168.50.6 client-id=1:60:32:b1:d1:63:40 mac-address=\
60:32:B1:D1:63:40 server=defconf
add address=192.168.50.4 client-id=1:60:32:b1:97:a4:70 mac-address=\
60:32:B1:97:A4:70 server=defconf
add address=192.168.50.5 client-id=1:60:32:b1:97:a4:86 mac-address=\
60:32:B1:97:A4:86 server=defconf
add address=192.168.50.38 client-id=1:24:4b:fe:b7:35:57 mac-address=\
24:4B:FE:B7:35:57 server=defconf
add address=192.168.50.33 client-id=1:ae:b6:6a:cd:4a:88 dhcp-option=pihole \
mac-address=AE:B6:6A:CD:4A:88 server=defconf
/ip dhcp-server network
add address=192.168.50.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1 \
gateway=192.168.50.1 netmask=24
/ip dns static
add address=192.168.50.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix=not_from_LAN
add action=drop chain=forward comment="Block IPs to WAN" log=yes log-prefix=\
"IP blocked from WAN" src-address-list="Block IP"
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related
add action=accept chain=forward comment=\
"accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=Invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN \
log=yes log-prefix="not DSTNATed"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none log=yes out-interface-list=WAN
add action=dst-nat chain=dstnat comment="emby forwarding" dst-port=8096 \
in-interface=ether6 log=yes log-prefix=emby_CONNECT protocol=tcp \
to-addresses=192.168.50.11 to-ports=8096
add action=dst-nat chain=dstnat comment="channels forwarding" disabled=yes \
dst-port=8089 in-interface=ether1 log=yes protocol=tcp to-addresses=\
192.168.50.11 to-ports=8089
/ip route rule
add action=lookup-only-in-table dst-address=192.168.50.0/24 table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.50.9/32 disabled=yes
set ssh disabled=yes port=2369
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no domain=WORKGROUP enabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB4011
/system ntp client
set enabled=yes primary-ntp=185.57.191.229 secondary-ntp=162.159.200.1
/system ntp server
set broadcast=yes enabled=yes
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=192.168.50.10/32
add allow-address=192.168.50.18/32
add allow-address=192.168.50.9/32
/tool graphing queue
add allow-address=192.168.50.10/32
/tool graphing resource
add allow-address=192.168.50.10/32
add allow-address=192.168.50.18/32
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
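
The check erlinden and rjow2021 discuss, generalized as an added example (not part of any post in the thread): a Python audit of a RouterOS export that lists every entry still naming the old WAN port and confirms the new port is in the WAN list and off the bridge. The function names and the constructed sample, trimmed from the export above, are assumptions of this example.

```python
import re

PARAM = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')
IFACE_KEYS = ("interface", "in-interface", "out-interface")

# Constructed sample in the style of the export above (not the full config).
SAMPLE = r'''/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/interface list member
add interface=ether1 list=WAN
add interface=ether6 list=WAN
/ip dhcp-client
add comment="internet detect" disabled=no interface=ether6
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log=yes out-interface-list=WAN
add action=dst-nat chain=dstnat comment="channels forwarding" disabled=yes \
    dst-port=8089 in-interface=ether1 log=yes protocol=tcp to-addresses=\
    192.168.50.11 to-ports=8089
'''

def parse_export(text):
    """Yield (menu, params) for each add/set line, joining '\\' continuations."""
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    menu = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('/'):
            menu = line
        elif line and not line.startswith('#'):
            yield menu, {k: v.strip('"') for k, v in PARAM.findall(line)}

def audit_wan_move(text, old, new, wan_list="WAN"):
    """Report entries still naming the old port and gaps on the new one."""
    stale, problems, in_wan = [], [], False
    for menu, p in parse_export(text):
        for key in IFACE_KEYS:
            if p.get(key) == old:
                state = "disabled" if p.get("disabled") == "yes" else "active"
                stale.append((menu, key, state))
        if menu == "/interface bridge port" and p.get("interface") == new:
            problems.append(f"{new} is still a bridge port")
        if menu == "/interface list member" and p.get("interface") == new:
            in_wan = in_wan or p.get("list") == wan_list
    if not in_wan:
        problems.append(f"{new} is not in interface list {wan_list}")
    return {"stale": stale, "problems": problems}

if __name__ == "__main__":
    print(audit_wan_move(SAMPLE, old="ether1", new="ether6"))
```

The masquerade rule never appears in the report because it matches on out-interface-list=WAN rather than on a port name; rules written with in-interface=ether1 are the ones that do not follow the WAN when it moves.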
 
rjow2021
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Re: Move WAN from ether1 to ether6?

Mon Mar 29, 2021 2:57 pm

I feel there's a few things that can be removed, but that's the next bit I'm working on. I don't use CAPsMAN, and don't have any VLANS.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Move WAN from ether1 to ether6?

Mon Mar 29, 2021 3:28 pm

(1) Should be removed.
add action=drop chain=forward comment="Block IPs to WAN" log=yes log-prefix=\
"IP blocked from WAN" src-address-list="Block IP"

(2) This may not be necessary or more likely wrong, not sure why you are routing on the LAN????
ip route rule
add action=lookup-only-in-table dst-address=192.168.50.0/24 table=main ?????????
 
rjow2021
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Nov 19, 2020 6:26 pm

Re: Move WAN from ether1 to ether6?  [SOLVED]

Mon Mar 29, 2021 3:47 pm

> (1) Should be removed.
> add action=drop chain=forward comment="Block IPs to WAN" log=yes log-prefix=\
> "IP blocked from WAN" src-address-list="Block IP"
>
> (2) This may not be necessary or more likely wrong, not sure why you are routing on the LAN????
> ip route rule
> add action=lookup-only-in-table dst-address=192.168.50.0/24 table=main ?????????

(1) Was to block CCTV cameras from WAN. Not needed anymore, they never have tried to access WAN.
(2) I think was in the early days of tinkering.

Both removed.

RB4011 now powered from the CRS328 and all working.

Thanks for your help.
