NewStackLearner
just joined
Topic Author
Posts: 9
Joined: Sat Apr 03, 2021 1:30 pm

Looking for help in setting up IoT Hub

Tue Apr 13, 2021 6:41 am

Hello Together,

I am new to physical network engineering and currently working on setting up a private IoT hub. I took references from an interesting conversation on the MikroTik forum to get me started in setting up my hEXs. I am using it as a gateway/router/firewall together with an L2 managed Jetstream switch from TP-Link. I have connected a 16 GB microSD card to the hEXs with additional packages and the router configuration script.

Currently I have configured all the DHCP servers on the L2 switch except NetAdmin (192.168.30.0/24). I am able to access the internet "only" when I am on VLAN 30, whether physically connected to the hEXs or to the L2 switch.

Problems:
I am unable to create a connection between the other VLANs on the switch to reach the internet.
I am unsure about the inter-VLAN routing such that PXE and Storage are visible to all the local network devices.
I am unsure about the firewall rules so that PXE and Storage are not directly accessible from the internet.

I would appreciate any guidance/hints on the implementation and impediments.

Network diagram:
SoHoNetworkMap.png

Configuration script:
###############################################################################
#Script:		RouterBOARD configuration script
#RouterOS:		6.47.8
#Date:			Apr 03, 2021
#Notes:		Start with a reset (/system reset-configuration)
###############################################################################

#Setup VLANs
/interface vlan
add interface=bridge name=VLAN10-Guest vlan-id=10
add interface=bridge name=VLAN20-IoT-Devices vlan-id=20
add interface=bridge name=VLAN30-NetAdmin vlan-id=30
add interface=bridge name=VLAN11-Storage vlan-id=11
add interface=bridge name=VLAN12-AuthNBoot vlan-id=12
add interface=bridge name=VLAN13-DevAdmin vlan-id=13
add interface=bridge name=VLAN14-PXE vlan-id=14
add interface=bridge name=VLAN101-MySpace vlan-id=101
add interface=bridge name=VLAN201-DevOps vlan-id=201

/interface list
add name=VLAN
add name=MGMT

/interface list member
#add to the existing list so we maintain access to router
add interface=VLAN10-Guest list=LAN
add interface=VLAN20-IoT-Devices list=LAN
add interface=VLAN30-NetAdmin list=LAN
add interface=VLAN11-Storage list=LAN
add interface=VLAN12-AuthNBoot list=LAN
add interface=VLAN13-DevAdmin list=LAN
add interface=VLAN14-PXE list=LAN
add interface=VLAN101-MySpace list=LAN
add interface=VLAN201-DevOps list=LAN

#this is our new list
add interface=VLAN10-Guest list=VLAN
add interface=VLAN20-IoT-Devices list=VLAN
add interface=VLAN30-NetAdmin list=VLAN
add interface=VLAN11-Storage list=VLAN
add interface=VLAN12-AuthNBoot list=VLAN
add interface=VLAN13-DevAdmin list=VLAN
add interface=VLAN14-PXE list=VLAN
add interface=VLAN101-MySpace list=VLAN
add interface=VLAN201-DevOps list=VLAN

#Management list
add interface=VLAN30-NetAdmin list=MGMT


#IP Setup
/ip pool

/ip pool add name=NetAdmin_POOL ranges=192.168.30.2-192.168.30.254


/ip address
add address=192.168.30.1/24 interface=VLAN30-NetAdmin

/ip dhcp-server network
set comment=main-dhcp-network [find comment=defconf]
add address=192.168.30.0/24 gateway=192.168.30.1 comment="NetAdmin-dhcp-network"

/ip dhcp-server
add address-pool=NetAdmin_POOL interface=VLAN30-NetAdmin disabled=no name=NetAdmin-dhcp-network

#set the dns main static and google and cloudflare
/ip dns static
set address=192.168.30.1 [find name=router.lan]
/ip dns 
set servers=1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
#disable ISP DNS servers obtained through DHCP.
/ip dhcp-client
set use-peer-dns=no [find interface=ether1]

#Ingress Behavior
/interface bridge port

#Guests and IoT devices
set pvid=10 [find where interface=ether2] ingress-filtering=yes frame-types=admit-only-vlan-tagged
#IoT Devices
set pvid=20 [find where interface=ether2] ingress-filtering=yes frame-types=admit-only-vlan-tagged

#Backend clusters
set pvid=11 [find where interface=ether3] ingress-filtering=yes frame-types=admit-only-vlan-tagged
set pvid=12 [find where interface=ether3] ingress-filtering=yes frame-types=admit-only-vlan-tagged
set pvid=13 [find where interface=ether3] ingress-filtering=yes frame-types=admit-only-vlan-tagged

#Front end clusters
set pvid=101 [find where interface=ether3] ingress-filtering=yes frame-types=admit-only-vlan-tagged
set pvid=201 [find where interface=ether3] ingress-filtering=yes frame-types=admit-only-vlan-tagged

#Management
set pvid=13 frame-types=admit-only-untagged-and-priority-tagged [find bridge=bridge]
set pvid=30 frame-types=admit-only-untagged-and-priority-tagged [find bridge=bridge]

#Egress Behaviour
/interface bridge vlan
#Eth4 and Eth5 can be used for MGMT access
add bridge=bridge tagged=bridge untagged=ether4,ether5,sfp1 vlan-ids=30 comment="NetAdmin VLAN"
add bridge=bridge tagged=bridge untagged=ether4,ether5,sfp1 vlan-ids=13 comment="DevAdmin VLAN"

add bridge=bridge tagged=bridge,ether2 vlan-ids=10 comment="Guest VLAN"
add bridge=bridge tagged=bridge,ether2 vlan-ids=20 comment="IoT-Devices VLAN"

add bridge=bridge tagged=bridge,ether3  vlan-ids=11 comment="Storage VLAN"
add bridge=bridge tagged=bridge,ether3  vlan-ids=12 comment="AuthNBoot VLAN"
add bridge=bridge tagged=bridge,ether3  vlan-ids=14 comment="PXE VLAN"
add bridge=bridge tagged=bridge,ether3  vlan-ids=101 comment="MySpace VLAN"
add bridge=bridge tagged=bridge,ether3  vlan-ids=201 comment="DevOps VLAN"

#enable vlan filtering
/interface bridge
set vlan-filtering=yes [find name="bridge"]

#remove default ip addressing
/ip dhcp-server
remove [find name=defconf]
/ip dhcp-server network
remove [find gateway=192.168.88.1]
/ip pool
remove [find name=default-dhcp]
/ip address
remove [find interface=bridge]

#Clear and re-set the firewall for ease of ordering
/ip firewall filter
remove [find action!="passthrough"]

/ip firewall filter
#Input Chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add chain=input action=accept in-interface-list=MGMT comment="Allow NetAdmin-vlan MGMT access to all router services"
add chain=input action=accept in-interface-list=VLAN dst-port=67 protocol=udp comment="Allow VLAN DHCP"
add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=udp comment="Allow VLAN DNS UDP"
add chain=input action=accept in-interface-list=VLAN dst-port=53 protocol=tcp comment="Allow VLAN DNS TCP"
add chain=input action=accept in-interface-list=VLAN protocol=icmp comment="Allow VLAN ICMP Ping"
add chain=input action=drop comment="Drop all other traffic"
#Forward Chain
add chain=forward action=accept comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add chain=forward action=accept comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access Only"
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface-list=WAN disabled=yes comment="Allow Port Forwarding - DSTNAT - enable if need server" 
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="Drop all other traffic"

#Security

#Disable all the configuration methods except ssh, www-ssl and winbox
/ip service enable ssh,www-ssl,winbox
/ip service disable telnet,ftp,www,api,api-ssl

#Ensure only winbox MAC Address based access from MGMT aka NetAdmin-vlan
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT

#Disable unused wireless related packages
/system package
disable hotspot
disable wireless

#create a self signed cert for www-ssl
/certificate
add name=local-cert common-name=local-cert key-usage=key-cert-sign,crl-sign
sign local-cert

add name=webfig common-name=192.168.30.1
sign webfig

/ip service
set www-ssl certificate=webfig

#Allow viewing resource and usage graphs on main-vlan for each main interface
/tool graphing resource
add allow-address=192.168.30.0/24
/tool graphing interface
add allow-address=192.168.30.0/24 interface=ether1
add allow-address=192.168.30.0/24 interface=VLAN10-Guest
add allow-address=192.168.30.0/24 interface=VLAN20-IoT-Devices
add allow-address=192.168.30.0/24 interface=VLAN30-NetAdmin
add allow-address=192.168.30.0/24 interface=VLAN11-Storage
add allow-address=192.168.30.0/24 interface=VLAN12-AuthNBoot
add allow-address=192.168.30.0/24 interface=VLAN13-DevAdmin
add allow-address=192.168.30.0/24 interface=VLAN14-PXE
add allow-address=192.168.30.0/24 interface=VLAN101-MySpace
add allow-address=192.168.30.0/24 interface=VLAN201-DevOps

#Setup a new administrative account
/user add name=USERNAME password=PASSWORD group=full
/user remove admin

/dude set enabled=yes

#create download and update script
/system script add name=DownloadAndUpdate source="/system upgrade\r\
\nrefresh\r\
\n:delay 20\r\
\ndownload 0\r\
\n/\r\
\n/system reboot \r\
\n:delay 60\r\
\ny\r\
\n/"

#schedule script to run every 2 days
/system scheduler
add interval=2d name=Upgrade_Router on-event="run DownloadAndUpdate" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=apr/05/2021 start-time=02:45:00

#all done reboot to confirm
/system reboot

#/system backup save name=MyConfig
Last edited by NewStackLearner on Tue Apr 13, 2021 8:21 pm, edited 2 times in total.
 
anav
Forum Guru
Posts: 8465
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Looking for help in setting up IoT Hub

Tue Apr 13, 2021 2:42 pm

Send the config as per the router not your interpretation....
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
NewStackLearner
just joined
Topic Author
Posts: 9
Joined: Sat Apr 03, 2021 1:30 pm

Re: Looking for help in setting up IoT Hub

Tue Apr 13, 2021 8:19 pm

Send the config as per the router not your interpretation....
/export hide-sensitive file=anynameyouwish

Attached my router config after running the above script.

MyRouterConfiguration.rsc
 
anav
Forum Guru
Posts: 8465
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Looking for help in setting up IoT Hub

Tue Apr 13, 2021 9:21 pm

You have not defined all the vlans.
Where is their ip address, ip pool, dhcp-server and dhcp-server-network settings??


/interface bridge port
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether2 pvid=30

WHY, ether2 is stated on your diagram as a trunk port!! Should be
add bridge=bridge comment=defconf frame-types=\
admit-only-tagged ingress-filtering=yes interface=\
ether2


Same FOR ETHER3 to a managed switch!~!!
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
ether3 pvid=30


Seems reasonable for ether4,5 and sfp1, assuming all going to dumb devices!
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=30
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=sfp1 pvid=30


NOTE: FOR BOTH ETHER2 and ETHER3, if you wanted somehow for them to be hybrid vlans to accept untagged vlan30 traffic, then you should not use any frame delineation (meaning accepting all frames). Furthermore, if vlan30 is your management vlan (and all devices should get an IP from this management vlan), what you want is to tag them with vlan30, not untag them; in other words, keep them as straight trunk ports with only tagged frames allowed.


As for bridge vlans... Cannot have two untagged vlans on the same etherport!!!
Where is vlan13 defined as an access port on your bridge port setup??

/interface bridge vlan
add bridge=bridge comment="NetAdmin VLAN" tagged=bridge untagged=\
ether4,ether5,sfp1
vlan-ids=30
add bridge=bridge comment="DevAdmin VLAN" tagged=bridge untagged=\
ether4,ether5,sfp1
vlan-ids=13

You really need to use this reference.
viewtopic.php?f=23&t=143620
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
NewStackLearner
just joined
Topic Author
Posts: 9
Joined: Sat Apr 03, 2021 1:30 pm

Re: Looking for help in setting up IoT Hub

Tue Apr 13, 2021 10:59 pm

Many thanks Anav,
You have not defined all the vlans.
Where is their ip address, ip pool, dhcp-server and dhcp-server-network settings??
I started with ip address, ip pool, dhcp-server and DHCP network for all vlans. But I noticed it does not work. Additionally, I am of the opinion that if I configured the DHCP server and related configuration for all vlan domains via the router, I would be overloading my router CPU and under-utilising my L2 managed switch. My switch is currently configured to run a DHCP server for all lan domains other than vlan30.

Do you mean I should split the DHCP server range between router and switch? I still do not see a clear picture. Pardon my ignorance on the subject. I was of the opinion that I will need to do some static routing, maybe configure OSPF. Have I understood this totally wrong? Would you be so kind as to give some hints on my thoughts?

Really appreciate your prompt feedback. I know, i have a lot to read through.

You really need to use this reference.
viewtopic.php?f=23&t=143620

I am quite slow as I am on a day job and this work is a pet project. I will read the thread you just recommended.
 
anav
Forum Guru
Posts: 8465
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Looking for help in setting up IoT Hub

Tue Apr 13, 2021 11:04 pm

Hi there, I have not contemplated running the DHCP servers on the switch for the majority of vlans, but if the switch can do it, I would be most interested in seeing how that works out.
However, you said it was an L2 managed switch and to my knowledge you need an L3 managed switch to do DHCP??
Can you point me to the right Jetstream switch (mine does not do DHCP, for example).
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
NewStackLearner
just joined
Topic Author
Posts: 9
Joined: Sat Apr 03, 2021 1:30 pm

Re: Looking for help in setting up IoT Hub

Wed Apr 14, 2021 5:35 am

Sincere apologies for the confusion. I noticed that I have not mentioned the DHCP and IP pools for all other vlans except vlan30, configured on the switch. Additionally, the L3 routers are home WiFi routers with WiFi disabled. These routers are sharing the DHCP pool with the L2/L3 managed switch. Quite late I realised I made the mistake of not buying a more convenient 24-port switch instead of these L3 routers.

I am using the 8-port T2500G-10TS from TP-Link. This is an L2 managed switch with L3 features.

https://www.tp-link.com/us/business-net ... 500g-10ts/
 
anav
Forum Guru
Posts: 8465
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Looking for help in setting up IoT Hub

Wed Apr 14, 2021 2:26 pm

Nice, I have this one.
https://www.tp-link.com/us/business-net ... 00g-10mps/
and just bought off ebay an older switch but fits what I need.......
https://www.tp-link.com/us/business-net ... l-sg3424p/

I am no expert but it appears your switch is capable of DHCP relay, whatever that is, but is NOT a DHCP server?
So I ask again, how were you intending to assign IP addresses to clients??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
NewStackLearner
just joined
Topic Author
Posts: 9
Joined: Sat Apr 03, 2021 1:30 pm

Re: Looking for help in setting up IoT Hub

Wed Apr 14, 2021 4:30 pm

Hi Anav,
So I ask again, how were you intending to assign IP addresses to clients??

On the T2500G-10TS I confirm that I am able not only to configure DHCP server(s), but also to test all the ports for different IP subnets as per configuration. Using Wireshark, for example, I am yet to check if the VLAN tags have been assigned correctly.


I am no expert but it appears your switch is capable of DHCP relay, whatever that is, but is NOT a DHCP server?
I configured the DHCP relay service only for vlan 30. This is working.

That is why I am able to access the internet via vlan30 on port 2 (wrongly mentioned on the SoHo network diagram, should be 7) of the switch.

Appreciate your patience.
 
anav
Forum Guru
Posts: 8465
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Looking for help in setting up IoT Hub

Wed Apr 14, 2021 5:08 pm

DHCP relay is to let the device know that DHCP is assigned elsewhere correct??
Thus my question remains, where is the DHCP server??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
NewStackLearner
just joined
Topic Author
Posts: 9
Joined: Sat Apr 03, 2021 1:30 pm

Re: Looking for help in setting up IoT Hub

Wed Apr 14, 2021 5:22 pm


Thus my question remains, where is the DHCP server??

DHCP server for 192.168.30.0/24 is on hEXs.
All others are on switch.

I noticed from the conversation that my network diagram has a lot of scope for improvement.

I hope that I gave a clearer picture. The problem that I don't know what I need to know makes me wonder if OSPF would be something to look into. I have already configured the hEXs as default gateway for all DHCP servers on the switch. Ping tests of these DHCP servers on the switch via the hEXs are failing.

Any suggestions on what I could possibly explore or configure to let my router know that several DHCP servers can be reached via trunk port 1 of the hEXs?
 
anav
Forum Guru
Posts: 8465
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Looking for help in setting up IoT Hub

Wed Apr 14, 2021 8:23 pm

Like I said, I cannot find your DHCP servers; other than vlan30, I don't see any device that is capable of DHCP serving?
Do you have a PC that is acting as a dedicated DHCP server?

Relay is used when there is a separate DHCP server from the router (Switches are not normally DHCP servers).
Clearly there is something I am not understanding LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
NewStackLearner
just joined
Topic Author
Posts: 9
Joined: Sat Apr 03, 2021 1:30 pm

Re: Looking for help in setting up IoT Hub

Thu Apr 15, 2021 4:33 am

(Switches are not normally DHCP servers)
T2500G-10TS has this feature.
https://www.tp-link.com/us/support/faq/887/

On the page from link above, it is written in red.

Note: For T2500G-10TS V2, Only the firmware 20191122 or above supports the DHCP server.

I am not sure if this is something very new from TP-Link for L2 managed switches. But I used the above reference to configure several subnets for DHCP on my L2 switch.
 
JelleM
just joined
Posts: 10
Joined: Fri Aug 31, 2018 1:33 pm

Re: Looking for help in setting up IoT Hub  [SOLVED]

Thu Apr 15, 2021 10:25 am

Hi NewStackLearner,

So ether2 and ether3 are trunks and 4 and 5 are access. Those are not entirely configured correctly as anav pointed out. Have you managed to fix that yet?

If you want your trunks to be just trunks you should change it to this:
/interface bridge port
add bridge=bridge comment=Trunk-AP frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=\
    ether2
add bridge=bridge comment=Trunk-Switch frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=\
    ether3
add bridge=bridge comment=Access-VLAN30 frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=30
add bridge=bridge comment=Access-VLAN13 frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=13

#Note that I have removed the SFP port since it's not in use in your diagram
# Also you don't have to
/interface bridge vlan
add bridge=bridge comment="NetAdmin VLAN" tagged=bridge,ether2,ether3 untagged=\
    ether4 vlan-ids=30
add bridge=bridge comment="DevAdmin VLAN" tagged=bridge,ether2,ether3 untagged=\
    ether5 vlan-ids=13
add bridge=bridge comment="IoT-Devices VLAN" tagged=bridge,ether2 vlan-ids=10
add bridge=bridge comment="Guest VLAN" tagged=bridge,ether2 vlan-ids=20
add bridge=bridge comment="Storage VLAN" tagged=bridge,ether3 vlan-ids=11
add bridge=bridge comment="AuthNBoot VLAN" tagged=bridge,ether3 vlan-ids=12
add bridge=bridge comment="PXE VLAN" tagged=bridge,ether3 vlan-ids=14
add bridge=bridge comment="MySpace VLAN" tagged=bridge,ether3 vlan-ids=101
add bridge=bridge comment="DevOps VLAN" tagged=bridge,ether3 vlan-ids=201

If you want your "trunks" to be hybrid ports (which means, if untagged traffic presents itself there, use a default tag), use this configuration.
This assumes that the trunks will use vlan30 for the untagged traffic.

/interface bridge port
add bridge=bridge comment=Trunk-AP frame-types=\
    admit-all ingress-filtering=yes interface=\
    ether2 pvid=30
add bridge=bridge comment=Trunk-Switch frame-types=\
    admit-all ingress-filtering=yes interface=\
    ether3 pvid=30
add bridge=bridge comment=Access-VLAN30 frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether4 pvid=30
add bridge=bridge comment=Access-VLAN13 frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    ether5 pvid=13
# Note that I have removed the SFP port since it's not in use in your diagram

/interface bridge vlan
add bridge=bridge comment="NetAdmin VLAN" tagged=bridge untagged=\
    ether4 vlan-ids=30
add bridge=bridge comment="DevAdmin VLAN" tagged=bridge untagged=\
    ether5 vlan-ids=13
add bridge=bridge comment="IoT-Devices VLAN" tagged=bridge,ether2 vlan-ids=10
add bridge=bridge comment="Guest VLAN" tagged=bridge,ether2 vlan-ids=20
add bridge=bridge comment="Storage VLAN" tagged=bridge,ether3 vlan-ids=11
add bridge=bridge comment="AuthNBoot VLAN" tagged=bridge,ether3 vlan-ids=12
add bridge=bridge comment="PXE VLAN" tagged=bridge,ether3 vlan-ids=14
add bridge=bridge comment="MySpace VLAN" tagged=bridge,ether3 vlan-ids=101
add bridge=bridge comment="DevOps VLAN" tagged=bridge,ether3 vlan-ids=201
As anav said, if you run into anything consult this:
viewtopic.php?f=23&t=143620
Now the hex-s could run the DHCP server for all those vlans just fine, I suggest to move the DHCP stuff to the hex-s later on.

But first, when the switch gives out a DHCP lease it will include a gateway address that devices will use to send traffic to the internet (and possibly other vlans). So for example on VLAN201 a device might receive a lease for 10.1.201.123/24 and a gateway of 10.1.201.1 (you have configured a gateway address somewhere in the switch dhcp server settings).

Now when it has traffic to the internet (for example to 1.1.1.1) it will send that traffic to 10.1.201.1. This gateway is the hex-s in your example, however this IP address is not configured on the hex-s. You should fix that by adding the address on the VLAN interface in the hex-s:
/ip address
add address=10.1.201.1/24 interface=VLAN201-DevOps network=10.1.201.0
And you should do that for the gateway addresses for all your other vlans as well.

Kind regards,
Jelle
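As an added example (not code from this thread, from MikroTik or from any poster): a small Python linter that reads a RouterOS /export and flags the three issues raised in the replies above: a trunk port locked to untagged frames, a port untagged in more than one VLAN, and a VLAN interface with no gateway address on the router. The sample export it runs on is constructed for the demonstration; the section paths and keys assumed are those of a RouterOS 6 export.

```python
"""Lint a RouterOS /export for the bridge-VLAN and gateway mistakes discussed in this thread."""
import re
import shlex
from collections import defaultdict

ACCESS = "admit-only-untagged-and-priority-tagged"  # access-port frame type
TRUNK = "admit-only-vlan-tagged"                    # pure-trunk frame type

# Constructed sample in /export format (not the OP's real export): ether2 carries
# VLANs 10/20 tagged but is configured as an access port, ether4 is untagged in
# two VLANs, and VLAN13/VLAN201 have no gateway address on the router.
SAMPLE_EXPORT = """\
/interface vlan
add interface=bridge name=VLAN30-NetAdmin vlan-id=30
add interface=bridge name=VLAN13-DevAdmin vlan-id=13
add interface=bridge name=VLAN201-DevOps vlan-id=201
/interface bridge port
add bridge=bridge comment=defconf frame-types=\\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\\
    ether2 pvid=30
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \\
    ingress-filtering=yes interface=ether3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \\
    interface=ether4 pvid=30
/interface bridge vlan
add bridge=bridge comment="Guest VLAN" tagged=bridge,ether2 vlan-ids=10
add bridge=bridge comment="IoT-Devices VLAN" tagged=bridge,ether2 vlan-ids=20
add bridge=bridge comment="NetAdmin VLAN" tagged=bridge,ether3 untagged=ether4 vlan-ids=30
add bridge=bridge comment="DevAdmin VLAN" tagged=bridge,ether3 untagged=ether4 vlan-ids=13
add bridge=bridge comment="DevOps VLAN" tagged=bridge,ether3 vlan-ids=201
/ip address
add address=192.168.30.1/24 interface=VLAN30-NetAdmin
"""


def parse_export(text):
    """Return {section path: [entry dict, ...]} for every 'add' line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # fold RouterOS line continuations
    sections, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)  # handles comment="Guest VLAN" style quoting
        if tokens[0] == "add":
            sections[section].append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return sections


def lint(export_text):
    """Return a list of findings; an empty list means the checks pass."""
    cfg = parse_export(export_text)
    tagged_on = defaultdict(list)    # port -> VLAN ids it carries tagged
    untagged_on = defaultdict(list)  # port -> VLAN ids it is untagged in
    for v in cfg["/interface bridge vlan"]:
        for p in filter(None, v.get("tagged", "").split(",")):
            if p != "bridge":
                tagged_on[p].append(v["vlan-ids"])
        for p in filter(None, v.get("untagged", "").split(",")):
            untagged_on[p].append(v["vlan-ids"])
    findings = []
    # 1. frame-types must match the role the bridge vlan table gives the port
    #    (anav: ether2/ether3 are trunks, so they must admit tagged frames).
    for port in cfg["/interface bridge port"]:
        name, ftype = port.get("interface"), port.get("frame-types", "admit-all")
        if name in tagged_on and ftype == ACCESS:
            findings.append(f"{name}: carries tagged VLANs {','.join(tagged_on[name])} "
                            f"but frame-types={ACCESS}")
        if name in untagged_on and ftype == TRUNK:
            findings.append(f"{name}: untagged in VLAN {','.join(untagged_on[name])} "
                            f"but frame-types={TRUNK} drops untagged frames")
    # 2. One access VLAN per port (anav: no two untagged vlans on one etherport).
    for name, vids in untagged_on.items():
        if len(vids) > 1:
            findings.append(f"{name}: untagged in VLANs {','.join(vids)}; "
                            "a port can be untagged in only one VLAN")
    # 3. Every VLAN interface needs the gateway address the DHCP server hands
    #    out, otherwise the router never answers the clients' ARP request (JelleM).
    addressed = {a.get("interface") for a in cfg["/ip address"]}
    for vlan in cfg["/interface vlan"]:
        if vlan["name"] not in addressed:
            findings.append(f"{vlan['name']} (vlan {vlan['vlan-id']}): no /ip address, "
                            "so clients' gateway will get no ARP reply")
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE_EXPORT) or ["no findings"]:
        print(line)
```

Feed it the output of `/export` saved from the router (as anav asked for) instead of SAMPLE_EXPORT to check the real configuration.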
 
anav
Forum Guru
Posts: 8465
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Looking for help in setting up IoT Hub

Fri Apr 16, 2021 2:34 pm

Sounds good to me, yes I read the ref you posted and indeed, it looks like all is possible.
What I am not sure of is on the MT router whether you need to tell it where the DCHP is located??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
NewStackLearner
just joined
Topic Author
Posts: 9
Joined: Sat Apr 03, 2021 1:30 pm

Re: Looking for help in setting up IoT Hub

Sat Apr 17, 2021 11:56 am

Sounds good to me, yes I read the ref you posted and indeed, it looks like all is possible.
What I am not sure of is on the MT router whether you need to tell it where the DCHP is located??

Thank Anav and JelleM for working with me on this case.

Indeed, i have a lot to catch up on my basics here. So much to learn, one life is not enough.

So ether2 and ether3 are trunks and 4 and 5 are access. Those are not entirely
configured correctly as anav pointed out. Have you managed to fix that yet?

I accept that I am taking a lot of short cuts by making my hands dirty, learning, taking suggestions, deciding on next steps. I started with faith on Mikrotik devices and its community base. I am a bit greedy in reaching my goals early, without going through such massive documentation and not knowing what to read. I am very happy that I am able to find so many kind people on this forum ready to support in less than 24 hours. Kudos anav! Take a bow!

I am still trying to understand why the suggestions on the forum do not work by copy-pasting on the command line. For example, using the lines below on the command line gives an error:

/interface bridge port
add bridge=bridge comment=Trunk-AP frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=\
    ether2
add bridge=bridge comment=Trunk-Switch frame-types=\
    admit-only-vlan-tagged ingress-filtering=yes interface=\
    ether3
add bridge=bridge comment=Access-VLAN30 frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=30
add bridge=bridge comment=Access-VLAN13 frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=13

I have to change it like below to work on the command line (SSH session):

set [find where interface=ether2 bridge=bridge] comment=Trunk-AP frame-types=admit-only-vlan-tagged ingress-filtering=yes 
set [find where interface=ether3 bridge=bridge] comment=Trunk-Switch frame-types=admit-only-vlan-tagged ingress-filtering=yes 
set pvid=30 [find where interface=ether4 bridge=bridge] comment=Access-VLAN30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes 
set pvid=13 [find where interface=ether5 bridge=bridge] comment=Access-VLAN13 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes 
Goal is to be able to develop enough understanding, that I can build my own dream definition of Infrastructure as code. Objective is to be able to easily replicate it in a different geographical location using python script(s) as a part of larger meta configurations for deployment automation.

So far I am using only command line to understand device behavior by SSH sessions with the device. This is taking a quite some time to understand.
 
mkx
Forum Guru
Posts: 6584
Joined: Thu Mar 03, 2016 10:23 pm

Re: Looking for help in setting up IoT Hub

Sat Apr 17, 2021 12:07 pm

I am still trying to understand why the suggestions on the forum do not work by copy-pasting on the command line. For example, using the lines below on the command line gives an error:

Because most (general) examples/suggestions assume a device with no previous configuration. ROS is so versatile it's almost impossible to guess the previous configuration. The examples in this case show the final state, not the steps needed to get there.

One way to tackle it is to manually undo the previous configuration. Or one has to take appropriate actions to change settings so that the final state is as indicated. Yet another way is to reset the unit with no configuration ... in the latter case the only way to connect for management is using winbox (or MAC telnet). But all configuration examples will work out of the box.

Objective is to be able to easily replicate it in a different geographical location using python script(s) as a part of larger meta configurations for deployment automation.
One way of doing it is to construct a configuration script (the same as shown in various posts) which fully configures the device. That code is then uploaded to the device, the device is reset and instructed to use the uploaded code for initial configuration. There are minor gotchas (e.g. timing of the script, dependency on the particular device model and available hardware), but it's usually better than running external (python) scripts...
BR,
Metod
 
JelleM
just joined
Posts: 10
Joined: Fri Aug 31, 2018 1:33 pm

Re: Looking for help in setting up IoT Hub

Sat Apr 17, 2021 1:38 pm

Sounds good to me, yes I read the ref you posted and indeed, it looks like all is possible.
What I am not sure of is on the MT router whether you need to tell it where the DCHP is located??
The MT router doesn't need to know where the DHCP server is, since it is the gateway. It has all the information it needs for upstream traffic, and for LAN/VLAN traffic it will use ARP to get the correct IPs. However, you have to add a static IP to the VLAN interfaces, matching the gateway information the DHCP server gives out. So when the DHCP server tells a client (server/pc/phone/whatever) that the gateway is at 10.1.201.1, that address has to be on the gateway (VLAN interface on the MT router). What is happening now is that the client receives a DHCP lease, wants to send a packet to the internet and performs an ARP request for 10.1.201.1. Since the MT router has no address defined on the VLAN interface it will not send an ARP reply for 10.1.201.1 and the client ends up not knowing where to send the frames (and thus can't send anything to the internet). Slap the IP on the VLAN:
/ip address add address=10.1.201.1/24 interface=VLAN201-DevOps network=10.1.201.0 
and it will send an ARP Reply with its mac address.

Because most (general) examples/suggestions assume a device with no previous configuration. ROS is so versatile it's almost impossible to guess the previous configuration. The examples in this case show the final state, not the steps needed to get there.
Yeah, perhaps I should have mentioned that it's the desired end state. Additionally, I don't know what you have done in the meantime on the device. Say you changed ingress-filtering=yes to ingress-filtering=no on some bridge port and I post a command to only change the frame-types. You would have a bridge setting with ingress-filtering=no while I assumed ingress-filtering=yes. That leads to strange behavior when trying to debug something. If you only want to change parameters (and not configure from scratch every time) you can easily run an export command (for example /interface bridge port export) to show your current config and compare it with the snippet in a post.
 
NewStackLearner
just joined
Topic Author
Posts: 9
Joined: Sat Apr 03, 2021 1:30 pm

Re: Looking for help in setting up IoT Hub

Sat Apr 17, 2021 7:25 pm

Thank you for your feedback mkx and JelleM. All the inputs have helped me to see the whole thing in a new light. I have made some updates and will need to make some CIDR changes on the T2500G-10TS to stitch some last threads before trying ping tests. Can I call it an L2/L3/L4 switch on the network because of the way I am configuring it?

Additionally, I noticed quite late that I forgot to add a line on the original script to locate an internet gateway. That is another unsecured router at 192.168.1.1 (WAN on ether1 of the hEXs). I was using Quick Set via winbox to do this automatically.

One way of doing it is to construct a configuration script (the same as shown in various posts) which fully configures the device. That code is then uploaded to the device, the device is reset and instructed to use the uploaded code for initial configuration. There are minor gotchas (e.g. timing of the script, dependency on the particular device model and available hardware), but it's usually better than running external (python) scripts...

Please share a link. I am trying to move towards VPN and IPsec on a shoestring budget. From the comments above, I do not understand how a single script can be just imported for every new router instance in a VPC and expected to work. Can this be simulated using GNS3 somehow? Another topic, another day? Would you be so kind as to share some references?

Additionally, I want to create a new log entry every time the router configuration changes. I want to export this to the attached microSD card. The objective is to track changes in the router configuration, with a timestamp concatenated after a successful network time sync or timeout, between router and local computer OR router and an NTP server on the internet.

My search strings are not returning any threads on the above topic in the forum. Any suggestions?
 
anav
Forum Guru
Posts: 8465
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Looking for help in setting up IoT Hub

Sat Apr 17, 2021 9:22 pm

Please do not use Quick Set to configure the router once you are past the default configuration stage... aka any changes LOL.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
SiB
Forum Guru
Posts: 1752
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Looking for help in setting up IoT Hub

Fri Jun 04, 2021 11:49 am

If you try to use QuickSet then you reach problems; it's good only for the first config.
Your IoT hub may in future use additional components :)

FCC ID TV7-TB5I
Equipment: TG-BT5-IN
MTCNA + MTCRE + MTCINE | ~800 users at ~150 RouterBoards in EMEA
Knowledge Base about LTE by SiB | Buy me a caffe | Telegram: http://t.me/SiB_PL
