It does not hand out addresses. It's in full bridge mode. I'm also glad I can configure the RB4011iGS+RM using serial while my pfSense box keeps running.Yes, as with that you have a physical interface connected to the modem e.g. ether1 plus a PPPoE client e.g. pppoe-out1.
Starting with the default config on recent versions of RouterOS create the PPPoE client interface. Add the new interface to the WAN interface list, this applies the firewall filter & NAT rules to the ISP connection. Leave the existing interface in the list, this applies NAT to traffic to the CPE from your LAN(s).
If your CPE device hands out addresses with DHCP you can leave the default DHCP client BUT change Add Default Route to no and untick the Use Peer DNS & Use Peer NTP options. Otherwise remove/disable the DHCP client and add an IP address to ether1.
Not sure what I am doing wrong, but I cannot get tagged VLANs on sfp-sfpplus1This should help........
viewtopic.php?f=23&t=143620
# aug/13/2021 04:36:36 by RouterOS 6.47.10
#
# model = RB4011iGS+
/interface ethernet
set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes poe-out=off
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full rx-flow-control=\
auto tx-flow-control=auto
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out user=\
smccloud
/interface vlan
add interface=sfp-sfpplus1 name="Guest Wifi" vlan-id=200
add interface=sfp-sfpplus1 name=IoT vlan-id=10
add interface=sfp-sfpplus1 name=VMs vlan-id=20
add interface=sfp-sfpplus1 name=Wifi vlan-id=7
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool1 ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool2 ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool3 ranges=172.16.200.2-172.16.200.254
add name=dhcp_pool4 ranges=172.16.20.100-172.16.20.254
add name=dhcp_pool5 ranges=172.16.7.100-172.16.7.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=IoT lease-time=1w name=IoT
add address-pool=dhcp_pool2 disabled=no interface=sfp-sfpplus1 lease-time=1w \
name=LAN
add address-pool=dhcp_pool3 disabled=no interface="Guest Wifi" lease-time=1w \
name="Guest Wifi"
add address-pool=dhcp_pool4 disabled=no interface=VMs lease-time=1w name=VMs
add address-pool=dhcp_pool5 disabled=no interface=Wifi lease-time=1w name=\
Wifi
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface="Guest Wifi" list=LAN
add interface=IoT list=LAN
add interface=VMs list=LAN
add interface=Wifi list=LAN
/ip address
add address=172.16.6.1/24 interface=sfp-sfpplus1 network=172.16.6.0
add address=172.16.7.1/24 interface=Wifi network=172.16.7.0
add address=172.16.10.1/24 interface=IoT network=172.16.10.0
add address=172.16.20.1/24 interface=VMs network=172.16.20.0
add address=172.16.200.1/24 interface="Guest Wifi" network=172.16.200.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.6.0/24 dns-server=172.16.6.1 gateway=172.16.6.1 netmask=24
add address=172.16.7.0/24 dns-server=172.16.7.1 gateway=172.16.7.1
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1 gateway=172.16.20.1
add address=172.16.200.0/24 dns-server=172.16.200.1 gateway=172.16.200.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# pppoe-out not ready
add action=accept chain=input in-interface=pppoe-out protocol=icmp
# pppoe-out not ready
add action=drop chain=input in-interface=pppoe-out
/ip firewall nat
# pppoe-out not ready
add action=masquerade chain=srcnat out-interface=pppoe-out \
out-interface-list=WAN
# pppoe-out not ready
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB4011iGS+RM
I noticed the sixth DHCP pool later, and I've deleted it already. I thought I had gotten all the interfaces listed as members, but I do miss stuffMAIN ISSUE, missing interface list member
/interface list member
add interface=ether1 list=WAN
add interface=pppoe-out list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface="Guest Wifi" list=LAN
add interface=IoT list=LAN
add interface=VMs list=LAN
add interface=Wifi list=LAN
(1) Five of everything but six pool ranges???
\ip pool
add name=dhcp ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool1 ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool2 ranges=172.16.6.100-172.16.6.254
add name=dhcp_pool3 ranges=172.16.200.2-172.16.200.254
add name=dhcp_pool4 ranges=172.16.20.100-172.16.20.254
add name=dhcp_pool5 ranges=172.16.7.100-172.16.7.254
I believe you can delete the first pool\ as pool2 is used in the rest of the config.
(2) Your input firewall rules are a little funny, but okay to do the job. Basically open to the LAN, , and block ICMP from the LAN and block the WAN at the end.
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=pppoe-out protocol=icmp
add action=drop chain=input in-interface=pppoe-out
(3) Nat rule should work but you dont need to put in both WAN and pppoe-out as including pppoe-out as WAN member covers that........
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
(4) Not sure if you need ip dhcp client enabled as that is handled by the PPPOE client settings......????
(5) The total lack of forward chain of firewall rules is disconcerting.
Suggest the following default rules to start.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/interface ethernet set [ find ] rx-flow-control=off tx-flow-control=off
/interface ethernet switch port set [ find ] default-vlan-id=auto
It will be connected to a CSS326-24G-2S+.Okay got it!
For the thread I resisted my gut instinct to provide a bridge vlan filtering solution as it appears it is perfectly
feasible to assign an 'open' subnet to the etherport sfp+1, and assign four vlans to the same etherport, all without a bridge.
I would like to know how the other end of that etherport Cable is configured aka to what device????
# aug/13/2021 06:11:25 by RouterOS 6.48.3
# software id = QWA9-AWDR
#
# model = RB4011iGS+
# serial number = F0270EAC96D5
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes poe-out=off
set [ find default-name=sfp-sfpplus1 ] advertise=10000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out user=\
smccloud
/interface 6to4
add comment="Hurricane Electric IPv6 Tunnel Broker" !keepalive local-address=\
174.131.16.190 mtu=1280 name=sit1 remote-address=184.105.253.14
/interface vlan
add interface=sfp-sfpplus1 name="Guest Wifi" vlan-id=200
add interface=sfp-sfpplus1 name=IoT vlan-id=10
add interface=sfp-sfpplus1 name=VMs vlan-id=20
add interface=sfp-sfpplus1 name=Wifi vlan-id=7
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
/ip dhcp-server option
add code=42 name=NTPVMs value="'172.16.20.1'"
add code=42 name=NTPLAN value="'172.16.6.1'"
add code=42 name=NTPIoT value="'172.16.10.1'"
add code=42 name=NTPWifi value="'172.16.7.1'"
add code=42 name="NTPGuest Wifi" value="'172.16.200.1'"
/ip dhcp-server option sets
add name=Wifi options=NTPWifi
add name=LAN options=NTPLAN
add name=VMs options=NTPVMs
add name="Guest Wifi" options="NTPGuest Wifi"
add name=IoT options=NTPIoT
/ip pool
add name=IoT_pool ranges=172.16.10.100-172.16.10.254
add name=LAN_pool ranges=172.16.6.100-172.16.6.254
add name="Guest Wifi_pool" ranges=172.16.200.2-172.16.200.254
add name=VMs_pool ranges=172.16.20.100-172.16.20.254
add name=Wifi_pool ranges=172.16.7.100-172.16.7.254
/ip dhcp-server
add address-pool=IoT_pool dhcp-option-set=IoT disabled=no interface=IoT \
lease-time=1w name=IoT
add address-pool=LAN_pool dhcp-option-set=LAN disabled=no interface=\
sfp-sfpplus1 lease-time=1w name=LAN
add address-pool="Guest Wifi_pool" dhcp-option-set="Guest Wifi" disabled=no \
interface="Guest Wifi" lease-time=1w name="Guest Wifi"
add address-pool=VMs_pool dhcp-option-set=VMs disabled=no interface=VMs \
lease-time=1w name=VMs
add address-pool=Wifi_pool dhcp-option-set=Wifi disabled=no interface=Wifi \
lease-time=1w name=Wifi
/ipv6 dhcp-server
add address-pool=LAN_pool6 interface=sfp-sfpplus1 lease-time=1w name=LAN6
add address-pool=Wifi_pool6 interface=Wifi lease-time=1w name=Wifi6
add address-pool="Guest Wifi_pool6" interface="Guest Wifi" lease-time=1w \
name="Guest Wifi6"
add address-pool=IoT_pool6 interface=IoT lease-time=1w name=IoT6
add address-pool=VMs_pool6 interface=VMs lease-time=1w name=VMs6
/ipv6 pool
add name=LAN_pool6 prefix=2001:470:c292:6::/64 prefix-length=64
add name=Wifi_pool6 prefix=2001:470:c292:7::/64 prefix-length=64
add name=IoT_pool6 prefix=2001:470:c292:10::/64 prefix-length=64
add name=VMs_pool6 prefix=2001:470:c292:20::/64 prefix-length=64
add name="Guest Wifi_pool6" prefix=2001:470:c292:200::/64 prefix-length=64
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface list member
add interface=ether1 list=WAN
add interface=sfp-sfpplus1 list=LAN
add interface="Guest Wifi" list=LAN
add interface=IoT list=LAN
add interface=VMs list=LAN
add interface=Wifi list=LAN
add interface=pppoe-out list=WAN
/ip address
add address=172.16.6.1/24 interface=sfp-sfpplus1 network=172.16.6.0
add address=172.16.7.1/24 interface=Wifi network=172.16.7.0
add address=172.16.10.1/24 interface=IoT network=172.16.10.0
add address=172.16.20.1/24 interface=VMs network=172.16.20.0
add address=172.16.200.1/24 interface="Guest Wifi" network=172.16.200.0
/ip dhcp-server network
add address=172.16.6.0/24 dns-server=172.16.6.1 gateway=172.16.6.1 netmask=24
add address=172.16.7.0/24 dns-server=172.16.7.1 gateway=172.16.7.1
add address=172.16.10.0/24 dns-server=172.16.10.1 gateway=172.16.10.1
add address=172.16.20.0/24 dns-server=172.16.20.1 gateway=172.16.20.1
add address=172.16.200.0/24 dns-server=172.16.200.1 gateway=172.16.200.1
/ip dns
set allow-remote-requests=yes servers=\
1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
# no interface
add action=accept chain=input in-interface=pppoe-out protocol=icmp
# no interface
add action=drop chain=input in-interface=pppoe-out
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
/ipv6 address
add address=2001:470:1f10:2c7::2 advertise=no interface=sit1
add address=2001:470:c292:6::1 interface=sfp-sfpplus1
add address=2001:470:c292:7::1 interface=Wifi
add address=2001:470:c292:10::1 interface=IoT
add address=2001:470:c292:20::1 interface=VMs
add address=2001:470:c292:200::1 interface="Guest Wifi"
/ipv6 route
add distance=1 gateway=2001:470:1f10:2c7::1
/system clock
set time-zone-name=America/Chicago
/system identity
set name=RB4011iGS+RM
/system ntp client
set enabled=yes primary-ntp=128.101.101.101 secondary-ntp=134.84.84.84
/system ntp server
set enabled=yes multicast=yes
/tool user-manager database
set db-path=user-manager