3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

New to Mikrotik

Sun Aug 15, 2021 9:49 pm

Hi to all,
I bought my first MikroTik router and I am new to these devices. I am trying to make a VLAN trunk to my new CCR2004; I have looked at many sites and YouTube videos but I am not getting it to work.
I have 2 Ubiquiti switches and want to attach them to this router over a trunk port for routing the VLANs; best would be if it can be done as an LACP trunk. Can someone give any hints or some example configs? Thx in advance
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: New to Mikrotik

Sun Aug 15, 2021 10:41 pm

There are many examples around the Wiki regarding VLANs...
Of course you can create a VLAN trunk on your CCR...

What have you tried so far ?
Network diagram ?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: New to Mikrotik

Sun Aug 15, 2021 10:53 pm

It is generally not advisable to get your info from youtube videos or "many other sites". There is a lot of garbage going around. It is outdated or unsafe.
You should check the wiki or help sites: wiki.mikrotik.com and help.mikrotik.com

And of course, when you want specific help, you first need to describe what you want to do.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik

Sun Aug 15, 2021 11:01 pm

Hi there,
I don't know what is the best option for you to
a. do vlans, either vlan filtering bridge method (I prefer), or
b. switch chip method. ****

***** Your unit diagram shows fancy PIPE connections between ports and I don't think there is any specific method to optimize those, at least I have not read anything. So I don't think the switch chip method applies anyway.

Here is the link for bridge vlan filtering which I use for many vlans myself:
viewtopic.php?f=23&t=143620

Stick with the default firewall rules until you understand them, as they keep you safe from the start.
When you have a first config kind of done, do not hesitate to post the config here for review.
/export hide-sensitive file=anynameyouwish

Default rules in case your router didn't come with any. IP FIREWALL
All you have to do is copy and paste this in your winbox Terminal window (without the {_____ chain part} of course)
/ip firewall filter
{input chain part}
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input in-interface-list=!LAN

{forward chain part}
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

If there are no NAT rules, this is the default rule for that as well.

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Sun Aug 15, 2021 11:07 pm

Hi mate, I tried many things: VLANs under port, VLANs under bridge, looked at the wiki and so on, but nothing really functions. My diagram is easy: I need 8 VLANs for separating my networks into segments and want to hand them from the router to the switches over a trunk. From router to switches it would be even better if I could do some LACP for the 2 switches.

Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
# NAME MTU ARP VL INTERFACE
0 R vlan5 1500 enabled 5 Trunk_bridge
1 R vlan10 1500 enabled 10 Trunk_bridge
2 R vlan30 1500 enabled 30 Trunk_bridge
3 R vlan40 1500 enabled 40 Trunk_bridge
4 R vlan50 1500 enabled 50 Trunk_bridge
5 R vlan60 1500 enabled 60 Trunk_bridge
6 R vlan70 1500 enabled 70 Trunk_bridge
7 R vlan80 1500 enabled 80 Trunk_bridge
8 R vlan90 1500 enabled 90 Trunk_bridge


Flags: X - disabled, R - running
0 R name="Trunk_bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=08:55:31:DF:AF:E3 protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all ingress-filtering=no dhcp-snooping=no

1 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=08:55:31:DF:AF:D8 protocol-mode=rstp
fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6
vlan-filtering=no dhcp-snooping=no


Flags: R - RUNNING; S - SLAVE
Columns: NAME, MTU, MAC-ADDRESS, ARP, SWITCH
# NAME MTU MAC-ADDRESS ARP SWITCH
;;; WAN
0 R ether1 1500 08:55:31:DF:AF:D7 enabled
1 S sfp-sfpplus1 1500 08:55:31:DF:AF:D8 enabled switch1
2 S sfp-sfpplus2 1500 08:55:31:DF:AF:D9 enabled switch1
3 S sfp-sfpplus3 1500 08:55:31:DF:AF:DA enabled switch1
4 S sfp-sfpplus4 1500 08:55:31:DF:AF:DB enabled switch1
5 S sfp-sfpplus5 1500 08:55:31:DF:AF:DC enabled switch1
6 S sfp-sfpplus6 1500 08:55:31:DF:AF:DD enabled switch1
7 S sfp-sfpplus7 1500 08:55:31:DF:AF:DE enabled switch1
8 S sfp-sfpplus8 1500 08:55:31:DF:AF:DF enabled switch1
9 S sfp-sfpplus9 1500 08:55:31:DF:AF:E0 enabled switch1
10 S sfp-sfpplus10 1500 08:55:31:DF:AF:E1 enabled switch1
11 S sfp-sfpplus11 1500 08:55:31:DF:AF:E2 enabled switch1
12 RS sfp-sfpplus12 1500 08:55:31:DF:AF:E3 enabled switch1
13 S sfp28-1 1500 08:55:31:DF:AF:E4 enabled switch1
14 S sfp28-2 1500 08:55:31:DF:AF:E5 enabled switch1

The trunk bridge is on the SFP+12 port for testing purposes; for configuration I tried it with 1 port, but even this does not get to run.
Many thx and kind regards
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Sun Aug 15, 2021 11:16 pm

Many thx for the fast answers. I have it now behind my real firewall until I am sure and safe to take this WAN interface public; until then it stays behind a firewall. For now the first role is the 10gb routing capabilities. Whether to use bridge or port based I don't know what is best; I think to make 2 LACP ports, each for 1 switch, to get as fast as possible for routing; I think this will do it much faster, or?

@anav I read this, it is awesome info there, but I can't get it to work; idk, for the CCR2004 there is not much info. My firewall rules are empty there, maybe the firewall blocks? Empty means all blocked?
By the way, how do I get this config?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik

Mon Aug 16, 2021 12:11 am

Okay, let's walk before running. Let's ignore LACP and added stuff for now.
Let's get a safe clean firewall up and a working VLAN setup.

So the config is best handled by using WINBOX.
Once you have been able to access winbox,

then find the left hand menu TERMINAL selection.
When in there type
/export hide-sensitive file=anynameyouwish

It will create and send a file TO FILES.
So on winbox find FILES on the left hand menu.
Then right or left click it to download to your pc.

Then using Notepad++ open it up and paste it here.
You may want to use the code tags up top as good etiquette (to the right of BOLD, UNDERLINE etc.: the black square with white brackets).

When it's open in Notepad++ just remove any serial numbers that identify the router,
and sometimes if a pppoe setup there may be information that has to be removed first (aka a password).
In addition just make sure NO PUBLIC IP addresses are exposed....
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Mon Aug 16, 2021 12:16 am

# aug/15/2021 22:48:55 by RouterOS 7.1beta6
# software id = KIHW-0X4S
#
# model = CCR2004-1G-12S+2XS
# serial number =
/interface bridge
add name=Trunk_bridge vlan-filtering=yes
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface vlan
add interface=Trunk_bridge name=vlan5 vlan-id=5
add interface=Trunk_bridge name=vlan10 vlan-id=10
add interface=Trunk_bridge name=vlan30 vlan-id=30
add interface=Trunk_bridge name=vlan40 vlan-id=40
add interface=Trunk_bridge name=vlan50 vlan-id=50
add interface=Trunk_bridge name=vlan60 vlan-id=60
add interface=Trunk_bridge name=vlan70 vlan-id=70
add interface=Trunk_bridge name=vlan80 vlan-id=80
add interface=Trunk_bridge name=vlan90 vlan-id=90
/interface list
add name=WAN
add name=LAN
add name=Gast
add name=Server
add name=WLAN
add name=IOT
add name=SECURITY
add name=IPMI
add name=MGMT
add name=DMZ
add name=Cluster
add name=HA
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_vlan1 ranges=172.16.1.100-172.16.1.254
add name=dhcp_IPMI ranges=172.16.5.100-172.16.5.254
add name=dhcp_security ranges=172.16.30.100-172.16.30.254
add name=dhcp_IoT ranges=172.16.40.100-172.16.40.254
add name=dhcp_10 ranges=172.16.10.100-172.16.10.254
add name=dhcp_50 ranges=172.16.50.2-172.16.50.254
add name=dhcp_60 ranges=172.16.60.100-172.16.60.254
add name=dhcp_70 ranges=172.16.70.100-172.16.70.254
add name=dhcp_80 ranges=172.16.80.100-172.16.80.254
add name=dhcp_90 ranges=172.16.90.50-172.16.90.254
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=dhcp_vlan1 disabled=no interface=sfp-sfpplus12 lease-time=2h \
name=dhcp_1
add address-pool=dhcp_IPMI disabled=no interface=vlan5 lease-time=2h name=\
dhcp_5
add address-pool=dhcp_security disabled=no interface=vlan30 lease-time=2h \
name=dhcp_30
add address-pool=dhcp_IoT disabled=no interface=vlan40 lease-time=2h name=\
dhcp_40
add address-pool=dhcp_10 disabled=no interface=vlan10 lease-time=2h name=\
dhcp_10
add address-pool=dhcp_50 disabled=no interface=vlan50 lease-time=2h name=\
dhcp_50
add address-pool=dhcp_60 disabled=no interface=vlan60 lease-time=2h name=\
dhcp60
add address-pool=dhcp_70 disabled=no interface=vlan70 lease-time=2h name=\
dhcp70
add address-pool=dhcp_80 disabled=no interface=vlan80 lease-time=2h name=\
dhcp80
add address-pool=dhcp_90 disabled=no interface=vlan90 lease-time=2h name=\
dhcp90
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
add bridge=Trunk_bridge interface=sfp-sfpplus12
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=vlan50 list=Gast
add interface=vlan30 list=SECURITY
add interface=vlan90 list=WLAN
add interface=vlan40 list=IOT
add interface=vlan5 list=IPMI
add interface=vlan60 list=DMZ
add interface=vlan80 list=Cluster
add interface=vlan70 list=HA
/ip address
add address=172.16.1.1/24 interface=sfp-sfpplus12 network=172.16.1.0
add address=172.16.5.1/24 interface=vlan5 network=172.16.5.0
add address=172.16.30.1/24 interface=vlan30 network=172.16.30.0
add address=172.16.40.1/24 interface=vlan40 network=172.16.40.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.50.1/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.1/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.1/24 interface=vlan70 network=172.16.70.0
add address=172.16.80.1/24 interface=vlan80 network=172.16.80.0
add address=172.16.90.1/24 interface=vlan90 network=172.16.90.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
add address=172.16.5.0/24 gateway=172.16.5.1
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=172.16.60.0/24 gateway=172.16.60.1
add address=172.16.70.0/24 gateway=172.16.70.1
add address=172.16.80.0/24 gateway=172.16.80.1
add address=172.16.90.0/24 gateway=172.16.90.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=cr1
/system ntp client
set enabled=yes
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik

Mon Aug 16, 2021 2:00 am

First thing: you are using a beta firmware.
All bets are off; nothing or everything may work as advertised and some settings are different from version 6.
I would recommend not experimenting with beta firmware if this is for a production environment!!!!


Okay, a bit confusing to name a vlan after its vlanid, but not the end of the world.
However I don't get your ip pool designation of vlan1, as there is no vlan1 that I can see, and one should never use VLAN1 as that is a default vlan on most equipment.
It will be the default vlan of the bridge, so best not to use it elsewhere. You can get rid of bridge1 as it's not needed.


You have 9 vlans.
You have 10 IP pools and 10 dhcp networks; where is the disconnect??
Where are the IP pools for 30, 40? (This is what I mean about a disconnect in your naming conventions.)

Note: interface member lists are a good idea if you have TWO or more VLANs you want to identify for specific purposes (be it access to the internet or access to a common printer in another vlan etc.).
The one time one may want to define a single subnet as an interface is if it's the management interface, which is used in a couple of different config locations.
For single subnets, just use the subnet in firewall rules..............
The good time to use firewall address lists is when you have
a. a selection of IPs only within a subnet (not all of them).
b. a selection of IPs across several subnets.
c. a whole subnet and a selection of IPs from one or more other subnets

Your first /dhcp server line is suspect. It's not happy with the interface chosen?
What is your purpose or plan for sfp-sfpplus12 ??

Ahh, so now I see what you have done.
You have a NON VLAN which you want to run on all the SFP PLUS ports and then RUN ALL VLANS on the bridge interface TRUNK thru sfp-plus12.

SO, GET RID OF BRIDGE 1, you do not use it anywhere according to the config ???????
PUT ALL INTERFACES ON THE BRIDGE TRUNK
Now you have two choices:
a. create another VLAN (what I would do), call it vlan99-home or whatever purpose it is.
b. assign to interface bridge trunk like all the others.

OR
just set the bridge trunk as the interface for the subnet and let the bridge hand out leases for the subnet on all sfp ports.
I prefer to let the bridge be a bridge and let vlans do the work!!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Overall so far, we need clarity.
What are you putting over all the SFP ports other than sfp-plus12?
What are you putting over SFP-12?
What is the purpose of your vlan-1 that is not really a vlan ???

WARNING: Missing this rule from the default rule set at the bottom of the forward chain!!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN


There is no NAT rule the default typically is......
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Also you have no route rules it seems, so the router has no direction where to send packets to the internet.
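The layout anav is describing (every SFP port on Trunk_bridge, the former untagged subnet moved onto its own VLAN, all routed VLANs tagged on the uplink) as an added example; this is not config from anyone in the thread. The VLAN IDs and the 172.16.x.0/24 subnets are the ones from 3dgfx's export; the name vlan99-home, sfp-sfpplus12 as the tagged trunk uplink and sfp-sfpplus1 as an untagged access port are assumptions for illustration. Only two of the nine VLAN interfaces are shown; the rest follow the same pattern.

```routeros
# Added example, not from the thread: bridge VLAN filtering on the CCR2004 trunk bridge.
# Assumed: sfp-sfpplus12 is the tagged trunk towards the switches,
# sfp-sfpplus1 is an untagged access port for the former "vlan1" subnet, now VLAN 99.
/interface bridge
add name=Trunk_bridge vlan-filtering=no comment="vlan-filtering is switched on last"

# Trunk port: accept only tagged frames and drop VLAN IDs that are not in the table.
/interface bridge port
add bridge=Trunk_bridge interface=sfp-sfpplus12 frame-types=admit-only-vlan-tagged ingress-filtering=yes
# Access port: untagged frames are placed in pvid 99, tagged frames are rejected.
add bridge=Trunk_bridge interface=sfp-sfpplus1 pvid=99 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table. Trunk_bridge itself must be a tagged member of every VLAN,
# otherwise the router's own /interface vlan sub-interfaces never see the traffic.
/interface bridge vlan
add bridge=Trunk_bridge tagged=Trunk_bridge,sfp-sfpplus12 vlan-ids=5,10,30,40,50,60,70,80,90
add bridge=Trunk_bridge tagged=Trunk_bridge,sfp-sfpplus12 untagged=sfp-sfpplus1 vlan-ids=99

# L3 interfaces on the bridge, one per VLAN; vlan99-home replaces the address that
# was on the bridge itself (repeat for vlan5, vlan30, ... vlan90 in the same way).
/interface vlan
add interface=Trunk_bridge name=vlan99-home vlan-id=99
add interface=Trunk_bridge name=vlan10 vlan-id=10
/ip address
add address=172.16.1.1/24 interface=vlan99-home
add address=172.16.10.1/24 interface=vlan10

# Enable filtering only after the table exists, from a session that survives it
# (Safe Mode in the terminal undoes everything if the connection is lost).
/interface bridge set [ find name=Trunk_bridge ] vlan-filtering=yes

# Verify: every VLAN row should list the trunk as tagged; VLAN 99 should show the access port untagged.
/interface bridge vlan print
/interface bridge port print
```

The two `frame-types` settings plus `ingress-filtering=yes` are what make the table authoritative: a host on the access port cannot inject a tagged frame to hop into another VLAN, and a VLAN ID that is not in the table is dropped on the trunk instead of being flooded.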
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Mon Aug 16, 2021 2:41 am

So I downgraded it to 6.48 and got rid of bridge1. Ah, sfp+12 is the VLAN trunk I try to make. vlan1 was for the default vlan1 address; if I put some devices there they get a DHCP address from it. From sfp+9 to 12 I try to make those LACP for the 2 switches with SFP+ links; from sfp1 to 8 I want to do nothing for now, maybe I put my proxmox cluster there. This
There is no NAT rule the default typically is......
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
I deliberately did not put in; I think maybe I cannot access the device later. I have 2 VLANs after this, my home network and my server VLAN; this I can put in only later if all works.

Instead of vlan1 I put the default address on the trunk_bridge port and used the DHCP pool for it, so whenever something needs DHCP from vlan1 it can get it, or bad idea?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik

Mon Aug 16, 2021 4:49 am

If you dont follow the link provided and think you know the rules better, no I cannot help much further.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Mon Aug 16, 2021 4:01 pm

Hi mate, I try to follow what you told me; my config so far:
# jan/02/1970 14:23:49 by RouterOS 6.48.3
# software id = 
#
# model = CCR2004-1G-12S+2XS
# serial number = 
/interface bridge
add name=Trunk_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface vlan
add interface=Trunk_bridge name=vlan5 vlan-id=5
add interface=Trunk_bridge name=vlan10 vlan-id=10
add interface=Trunk_bridge name=vlan30 vlan-id=30
add interface=Trunk_bridge name=vlan40 vlan-id=40
add interface=Trunk_bridge name=vlan50 vlan-id=50
add interface=Trunk_bridge name=vlan60 vlan-id=60
add interface=Trunk_bridge name=vlan70 vlan-id=70
add interface=Trunk_bridge name=vlan80 vlan-id=80
add interface=Trunk_bridge name=vlan90 vlan-id=90
/interface list
add name=WAN
add name=LAN
add name=Gast
add name=Server
add name=WLAN
add name=IOT
add name=SECURITY
add name=IPMI
add name=MGMT
add name=DMZ
add name=Cluster
add name=HA
/interface lte apn
set [ find default=yes ] ip-type=ipv4-ipv6
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_vlan1 ranges=172.16.1.100-172.16.1.254
add name=dhcp_IPMI ranges=172.16.5.100-172.16.5.254
add name=dhcp_security ranges=172.16.30.100-172.16.30.254
add name=dhcp_IoT ranges=172.16.40.100-172.16.40.254
add name=dhcp_10 ranges=172.16.10.100-172.16.10.254
add name=dhcp_50 ranges=172.16.50.2-172.16.50.254
add name=dhcp_60 ranges=172.16.60.100-172.16.60.254
add name=dhcp_70 ranges=172.16.70.100-172.16.70.254
add name=dhcp_80 ranges=172.16.80.100-172.16.80.254
add name=dhcp_90 ranges=172.16.90.50-172.16.90.254
/ip dhcp-server
add address-pool=dhcp_IPMI disabled=no interface=vlan5 lease-time=2h name=\
    dhcp_5
add address-pool=dhcp_security disabled=no interface=vlan30 lease-time=2h \
    name=dhcp_30
add address-pool=dhcp_IoT disabled=no interface=vlan40 lease-time=2h name=\
    dhcp_40
add address-pool=dhcp_10 disabled=no interface=vlan10 lease-time=2h name=\
    dhcp_10
add address-pool=dhcp_50 disabled=no interface=vlan50 lease-time=2h name=\
    dhcp_50
add address-pool=dhcp_60 disabled=no interface=vlan60 lease-time=2h name=\
    dhcp60
add address-pool=dhcp_70 disabled=no interface=vlan70 lease-time=2h name=\
    dhcp70
add address-pool=dhcp_80 disabled=no interface=vlan80 lease-time=2h name=\
    dhcp80
add address-pool=dhcp_90 disabled=no interface=vlan90 lease-time=2h name=\
    dhcp90
/interface bridge port
add bridge=Trunk_bridge interface=sfp-sfpplus1
add bridge=Trunk_bridge interface=sfp-sfpplus2
add bridge=Trunk_bridge interface=sfp-sfpplus3
add bridge=Trunk_bridge interface=sfp-sfpplus4
add bridge=Trunk_bridge interface=sfp-sfpplus5
add bridge=Trunk_bridge interface=sfp-sfpplus6
add bridge=Trunk_bridge interface=sfp-sfpplus7
add bridge=Trunk_bridge interface=sfp-sfpplus8
add bridge=Trunk_bridge interface=sfp-sfpplus9
add bridge=Trunk_bridge interface=sfp-sfpplus10
add bridge=Trunk_bridge interface=sfp-sfpplus11
add bridge=Trunk_bridge interface=sfp28-1
add bridge=Trunk_bridge interface=sfp28-2
add bridge=Trunk_bridge interface=sfp-sfpplus12
/interface list member
add interface=ether1 list=WAN
add list=LAN
add interface=vlan50 list=Gast
add interface=vlan30 list=SECURITY
add interface=vlan90 list=WLAN
add interface=vlan40 list=IOT
add interface=vlan5 list=IPMI
add interface=vlan60 list=DMZ
add interface=vlan80 list=Cluster
add interface=vlan70 list=HA
/ip address
add address=172.16.1.1/24 interface=Trunk_bridge network=172.16.1.0
add address=172.16.5.1/24 interface=vlan5 network=172.16.5.0
add address=172.16.30.1/24 interface=vlan30 network=172.16.30.0
add address=172.16.40.1/24 interface=vlan40 network=172.16.40.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.50.1/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.1/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.1/24 interface=vlan70 network=172.16.70.0
add address=172.16.80.1/24 interface=vlan80 network=172.16.80.0
add address=172.16.90.1/24 interface=vlan90 network=172.16.90.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
add address=172.16.5.0/24 gateway=172.16.5.1
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=172.16.60.0/24 gateway=172.16.60.1
add address=172.16.70.0/24 gateway=172.16.70.1
add address=172.16.80.0/24 gateway=172.16.80.1
add address=172.16.90.0/24 gateway=172.16.90.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=accept chain=srcnat out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=cr1
/system ntp client
set enabled=yes
/system resource irq rps
set ether1 disabled=yes
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik

Mon Aug 16, 2021 4:37 pm

I see improvements on a quick look; busy for the next part of the day but will look in detail later.
It's a work in progress; patience is a good thing.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Mon Aug 16, 2021 4:40 pm

Hi mate, so far you are an awesome help; I would give you 25 stars instead of 5. Many many thx for what you did for me till now, and have a nice day :)
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: New to Mikrotik

Mon Aug 16, 2021 8:44 pm

No worries, let's simplify and build back up where necessary.

(1) You had an error in your interface list member. LAN did not have any interfaces assigned. So we assign the bridge to the LAN interface list and this includes all 9 vlans.
I got rid of all the rest as I don't see any role for them yet on your config. If we need them then we can add them.

/interface list member
add interface=ether1 list=WAN
add interface=Trunk_bridge list=LAN

That's it, and for the 'parent' interface list, remove all except WAN and LAN.

(2) This item is still in the pool, which would be okay..
add name=dhcp_vlan1 ranges=172.16.1.100-172.16.1.254
but where is the corresponding dhcp server setting (there are only 9, but you have 10 IP pools and 10 IP addresses.......).

Suggesting you probably meant to add this.
/ip dhcp-server
add address-pool=dhcp_vlan1 disabled=no interface=Trunk_bridge lease-time=2h name=bridge-dhcp

(3) Okay, you have 14 ports but you don't state what is going on each port??
The only thing so far that is going out on all ports is the subnet you have assigned to the bridge, 176.16.1.0/24.
You have not assigned any vlans to go out on any bridge ports??

(4) You have not stated what is the purpose of the bridge sponsored subnet???

(5) Still missing one default firewall rule that needs to be added to the bottom of the forward chain!!!
WARNING: Missing this rule from the default rule set at the bottom of the forward chain!!
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

This should be the first thing you do!


(6) The NAT rule is in the wrong format, despite the fact that I had already provided the rule properly for you as well as the firewall rule above...... You need to pay closer attention to detail.....:-)
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
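The configuration items from the numbered list above, collected into one paste as an added example (not anav's or 3dgfx's own lines): points (1), (2), (5) and (6); points (3) and (4) are questions rather than config. The DHCP server name dhcp_bridge is an assumption, and the `remove` line assumes the only srcnat rule present is the `action=accept` one from the previous export.

```routeros
# Added example, not from the thread: the four config corrections from the list above.

# (1) LAN list gets the bridge, so every VLAN interface on it is covered by
#     any rule that matches in-interface-list=LAN (e.g. the input-chain drop for !LAN).
/interface list member
add interface=ether1 list=WAN
add interface=Trunk_bridge list=LAN

# (2) DHCP server for the pool that had none; assumed name dhcp_bridge.
/ip dhcp-server
add address-pool=dhcp_vlan1 disabled=no interface=Trunk_bridge lease-time=2h name=dhcp_bridge

# (5) The missing default rule goes at the bottom of the forward chain. Without it a new
#     connection arriving on WAN that no dst-nat rule claimed is not dropped but forwarded.
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# (6) action=accept in srcnat leaves the source address untouched, so private 172.16.x.x
#     sources would leave WAN unchanged; masquerade rewrites them to the WAN address.
/ip firewall nat
remove [ find chain=srcnat action=accept ]
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

# Check: the drop rule must be the LAST entry in the forward chain, and LAN must list the bridge.
/ip firewall filter print
/ip firewall nat print
/interface list member print
```

Rule order matters for (5): `add` appends, so if the rule is pasted before other forward rules exist it ends up in the wrong place; `/ip firewall filter print` with the chain column shows where it landed.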
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Mon Aug 16, 2021 8:54 pm

Hi mate, I got it working now with this config:
# aug/16/2021 19:50:11 by RouterOS 6.48.3
# software id = KIHW-0X4S
#
# model = CCR2004-1G-12S+2XS
# serial number = 
/interface bridge
add name=Trunk_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
/interface vlan
add interface=Trunk_bridge name=vlan5 vlan-id=5
add interface=Trunk_bridge name=vlan10 vlan-id=10
add interface=Trunk_bridge name=vlan20 vlan-id=20
add interface=Trunk_bridge name=vlan30 vlan-id=30
add interface=Trunk_bridge name=vlan40 vlan-id=40
add interface=Trunk_bridge name=vlan50 vlan-id=50
add interface=Trunk_bridge name=vlan60 vlan-id=60
add interface=Trunk_bridge name=vlan70 vlan-id=70
add interface=Trunk_bridge name=vlan80 vlan-id=80
add interface=Trunk_bridge name=vlan90 vlan-id=90
add interface=Trunk_bridge name=vlan100 vlan-id=100
/interface list
add name=WAN
add name=LAN
add name=Gast
add name=Server
add name=WLAN
add name=IOT
add name=SECURITY
add name=IPMI
add name=MGMT
add name=DMZ
add name=Cluster
add name=HA
/interface lte apn
set [ find default=yes ] ip-type=ipv4-ipv6
/ip pool
add name=dhcp_pool_ipmi ranges=172.16.5.100-172.16.5.254
add name=dhcp_pool_security ranges=172.16.30.100-172.16.30.254
add name=dhcp_pool_IoT ranges=172.16.40.100-172.16.40.254
add name=dhcp_pool_mgmt ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool_guest ranges=172.16.50.2-172.16.50.254
add name=dhcp_pool_dmz ranges=172.16.60.100-172.16.60.254
add name=dhcp_pool_ha ranges=172.16.70.100-172.16.70.254
add name=dhcp_pool_cluster ranges=172.16.80.100-172.16.80.254
add name=dhcp_pool_wlan ranges=172.16.90.50-172.16.90.254
add name=dhcp_pool_LAN ranges=172.16.100.2-172.16.100.254
add name=dhcp_pool_server ranges=172.16.20.11-172.16.20.20
/ip dhcp-server
add address-pool=dhcp_pool_ipmi disabled=no interface=vlan5 lease-time=2h \
    name=dhcp_ipmi
add address-pool=dhcp_pool_security disabled=no interface=vlan30 lease-time=\
    2h name=dhcp_security
add address-pool=dhcp_pool_IoT disabled=no interface=vlan40 lease-time=2h \
    name=dhcp_IoT
add address-pool=dhcp_pool_mgmt disabled=no interface=vlan10 lease-time=2h \
    name=dhcp_mgmt
add address-pool=dhcp_pool_guest disabled=no interface=vlan50 lease-time=2h \
    name=dhcp_guest
add address-pool=dhcp_pool_dmz disabled=no interface=vlan60 lease-time=2h \
    name=dhcp_dmz
add address-pool=dhcp_pool_ha disabled=no interface=vlan70 lease-time=2h \
    name=dhcp_ha
add address-pool=dhcp_pool_cluster disabled=no interface=vlan80 lease-time=2h \
    name=dhcp_cluster
add address-pool=dhcp_pool_wlan disabled=no interface=vlan90 lease-time=8h \
    name=dhcp_wlan
add address-pool=dhcp_pool_LAN disabled=no interface=vlan100 lease-time=8h \
    name=dhcp_LAN
add address-pool=dhcp_pool_server disabled=no interface=vlan20 lease-time=8h \
    name=dhcp_server
/interface bridge port
add bridge=Trunk_bridge interface=sfp-sfpplus1
add bridge=Trunk_bridge interface=sfp-sfpplus2
add bridge=Trunk_bridge interface=sfp-sfpplus3
add bridge=Trunk_bridge interface=sfp-sfpplus4
add bridge=Trunk_bridge interface=sfp-sfpplus5
add bridge=Trunk_bridge interface=sfp-sfpplus6
add bridge=Trunk_bridge interface=sfp-sfpplus7
add bridge=Trunk_bridge interface=sfp-sfpplus8
add bridge=Trunk_bridge interface=sfp-sfpplus9
add bridge=Trunk_bridge interface=sfp-sfpplus10
add bridge=Trunk_bridge interface=sfp-sfpplus11
add bridge=Trunk_bridge interface=sfp28-1
add bridge=Trunk_bridge interface=sfp28-2
add bridge=Trunk_bridge interface=sfp-sfpplus12
/interface bridge vlan
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=10
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=5
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=20
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=30
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=40
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=50
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=60
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=70
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=80
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=90
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,sfp-sfpplus8,sfp\
    -sfpplus9,sfp-sfpplus10,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2" \
    vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=vlan100 list=LAN
add interface=vlan50 list=Gast
add interface=vlan30 list=SECURITY
add interface=vlan90 list=WLAN
add interface=vlan40 list=IOT
add interface=vlan5 list=IPMI
add interface=vlan60 list=DMZ
add interface=vlan80 list=Cluster
add interface=vlan70 list=HA
/ip address
add address=172.16.1.1/24 interface=Trunk_bridge network=172.16.1.0
add address=172.16.5.1/24 interface=vlan5 network=172.16.5.0
add address=172.16.30.1/24 interface=vlan30 network=172.16.30.0
add address=172.16.40.1/24 interface=vlan40 network=172.16.40.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.50.1/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.1/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.1/24 interface=vlan70 network=172.16.70.0
add address=172.16.80.1/24 interface=vlan80 network=172.16.80.0
add address=172.16.90.1/24 interface=vlan90 network=172.16.90.0
add address=172.16.20.1/24 interface=vlan20 network=172.16.20.0
add address=172.16.100.1/24 interface=vlan100 network=172.16.100.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
add address=172.16.5.0/24 gateway=172.16.5.1
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=172.16.60.0/24 gateway=172.16.60.1
add address=172.16.70.0/24 gateway=172.16.70.1
add address=172.16.80.0/24 gateway=172.16.80.1
add address=172.16.90.0/24 gateway=172.16.90.1
add address=172.16.100.0/24 dns-server=172.16.20.5,172.16.100.1 domain=\
    xxx.xxx gateway=172.16.100.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=accept chain=srcnat out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=xxxx
/system identity
set name=xxx
/system ntp client
set enabled=yes primary-ntp=xx.xx.xx.xx secondary-ntp=xx.xx.xx.xx
/system ntp server
set broadcast=yes enabled=yes
/system resource irq rps
set ether1 disabled=yes
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Mon Aug 16, 2021 9:04 pm

I made a separate list for each VLAN to better control it later from the firewall rules.
Firewall: thanks for the info, I changed NAT to masquerade.
Now I realized there is no need for a bridge trunk address, so I removed it; I can manage this device from the mgmt address. I was scared that I would lose access to this device :)
Ports are now all trunk, which is better for me; I only need trunk when I later use them for maybe VM ports.
Now this works, but how can I now, let's say, make ports 9 and 10 LACP for the 1st switch and 11 and 12 LACP for the 2nd switch, and activate jumbo frames on all of them?
Take those ports out of the trunk bridge, bond them and put the bonded interfaces into the trunk bridge?
After the CCR2004 I have a firewall; the CCR gets an IP from it, this is the WAN DHCP 172.16.0.100. NAT is done by this firewall; should I still do this on the CCR too? Well, I did it now and I see no connection loss from the internet, it's OK.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: New to Mikrotik

Tue Aug 17, 2021 4:00 am

If you have a management VLAN, all smart devices (switches etc.) should have an IP from this subnet.

I already stated how to efficiently use vlans, interface lists and firewall address lists....
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Tue Aug 17, 2021 1:49 pm

Thank you for your advice, very helpful. Now I need to check how to turn on the MTU for jumbo frames, my devices are all running on jumbo frames, and find out how to LACP those 2 switches to ports 9-10 and 11-12. This router is for the core network router.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 12:47 pm

I have a problem with this config on the interface that goes to my firewall: this NATting. How can I disable this NAT so that my devices use their own IP instead of the IP of the interface that goes to this firewall?
As this device will be used as an internal core router and 1 interface goes to the firewall where all NATting to the network is done. The config should pass my addresses through to the firewall side as normal and not NATted. Thanks for any help
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 2:01 pm

If the device is going to be used as an internal core router, then you can (or should) remove all config under /ip firewall (and its sub-tree).
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 2:07 pm

Hi mkx, thanks for the response first :)
If I disable all rules and NAT I have no connection to the firewall plus internet.
"Couldn't remove Firewall rule <> Cannot remove builtin (6)" it says on some and won't let me remove them. These are special dummy rules.
Last edited by 3dgfx on Thu Sep 09, 2021 2:19 pm, edited 1 time in total.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 2:18 pm

There are two possibilities:

  1. keep the firewall config as is, but you have to keep using NAT on the core router for traffic towards the firewall (I assume it's behind ether1).
    This means the firewall will keep seeing the router's (dynamic) IP address as source for all traffic
  2. configure a number of static routes on the firewall ... direct all internal subnets using the router's (dynamic) IP address as gateway.
    In this case having a dynamic address on any of the router's interfaces is not acceptable.

If I understand you right, option #1 is not an option, so you'll have to assign a static address on the "WAN" interface of the router and add static routes on the firewall. And verify that the firewall does whatever it needs to do (e.g. NAT) also for subnets behind the core router.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 2:24 pm

My firewall has the IP 172.16.16.1 and the MikroTik has a fixed IP of 172.16.16.2, and all the routes to the MikroTik on the firewall side are configured, so routes go to 172.16.16.2. The MikroTik has a default route to 172.16.16.1, to the firewall. This is the right way, or?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 2:59 pm

ROS won't let you remove the dummy rule (which is for counting fasttracked traffic), but it will disappear when you reboot the router if there is no "normal" fasttrack rule.

Re. static routing: right. If your firewall was Mikrotik, it would need the following routes:
/ip route
add dst-address=172.16.1.0/24 gateway=172.16.16.2
add dst-address=172.16.5.0/24 gateway=172.16.16.2
add dst-address=172.16.30.0/24 gateway=172.16.16.2
add dst-address=172.16.40.0/24 gateway=172.16.16.2
add dst-address=172.16.10.0/24 gateway=172.16.16.2
add dst-address=172.16.50.0/24 gateway=172.16.16.2
add dst-address=172.16.60.0/24 gateway=172.16.16.2
add dst-address=172.16.70.0/24 gateway=172.16.16.2
add dst-address=172.16.80.0/24 gateway=172.16.16.2
add dst-address=172.16.90.0/24 gateway=172.16.16.2
add dst-address=172.16.20.0/24 gateway=172.16.16.2
add dst-address=172.16.100.0/24 gateway=172.16.16.2

If it's not MikroTik, adjust the commands above accordingly.

Even easier would be to run BGP/OSPF between the core router and the firewall if the firewall can do it; this way the core router would push routes to the firewall automatically (e.g. when you add another LAN subnet, the firewall routes would be updated automatically). I'm not intimate with routing protocols, so if you decide to go that way, somebody else will have to jump in with some guidance.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 3:01 pm

My firewall is OPNsense, it is like pfSense. I need to set up this OSPF, seems a good idea, then I will check if it's working.
This is exactly what is configured on the firewall; all routes and gateways are pingable from the firewall side. Let's say my monitoring server is monitoring my firewall, but the firewall always gets the 172.16.16.2 address, whatever is going out to the WAN or firewall side, so the MikroTik is NATting, but I need the real address of what is connecting to this service, so the server IP needs to be here.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 3:42 pm

I'm pretty sure that if you set a static IP address on ether1 (the last configuration you showed had a DHCP client running on that interface) and then you remove all /ip firewall setup, then things should work ... perhaps a good reboot of the CRS has to be performed to get rid of any non-removable entries in the firewall section. The most important being getting rid of the /ip firewall nat entry.

Later on you might want to add a few firewall filter rules to protect the router. Those are the rules for chain=input. But nothing like the current rules you have; they are a cannibalized fragment of the default SOHO config which doesn't really apply in your case.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 4:48 pm

Sorry mate, I forgot to mention, this is the config right now.
# sep/09/2021 15:43:47 by RouterOS 6.48.4
# software id = xxxx
#
# model = CCR2004-1G-12S+2XS
# serial number = xxxxx
/interface bridge
add name=Trunk_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=sfp-sfpplus1 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus2 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus3 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus4 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus5 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus6 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus7 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus8 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus9 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus10 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus11 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp-sfpplus12 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp28-1 ] l2mtu=9578 mtu=9000
set [ find default-name=sfp28-2 ] l2mtu=9578 mtu=9000
/interface vlan
add interface=Trunk_bridge mtu=9000 name=vlan5 vlan-id=5
add interface=Trunk_bridge mtu=9000 name=vlan10 vlan-id=10
add interface=Trunk_bridge mtu=9000 name=vlan20 vlan-id=20
add interface=Trunk_bridge mtu=9000 name=vlan30 vlan-id=30
add interface=Trunk_bridge mtu=9000 name=vlan40 vlan-id=40
add interface=Trunk_bridge mtu=9000 name=vlan50 vlan-id=50
add interface=Trunk_bridge mtu=9000 name=vlan60 vlan-id=60
add interface=Trunk_bridge mtu=9000 name=vlan70 vlan-id=70
add interface=Trunk_bridge mtu=9000 name=vlan80 vlan-id=80
add interface=Trunk_bridge mtu=9000 name=vlan90 vlan-id=90
add interface=Trunk_bridge mtu=9000 name=vlan100 vlan-id=100
/interface bonding
add comment="T6202 bond" mtu=9000 name=bonding1 slaves=\
    sfp-sfpplus9,sfp-sfpplus10
add comment="t620 bond" mtu=9000 name=bonding2 slaves=\
    sfp-sfpplus7,sfp-sfpplus8
add comment="t320 bond" mtu=9000 name=bonding3 slaves=\
    sfp-sfpplus5,sfp-sfpplus6
/interface list
add name=WAN
add name=LAN
add name=Gast
add name=Server
add name=WLAN
add name=IOT
add name=SECURITY
add name=IPMI
add name=MGMT
add name=DMZ
add name=Cluster
add name=HA
/interface lte apn
set [ find default=yes ] ip-type=ipv4-ipv6
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_ipmi ranges=172.16.5.100-172.16.5.254
add name=dhcp_pool_security ranges=172.16.30.100-172.16.30.254
add name=dhcp_pool_IoT ranges=172.16.40.100-172.16.40.254
add name=dhcp_pool_mgmt ranges=172.16.10.100-172.16.10.254
add name=dhcp_pool_guest ranges=172.16.50.2-172.16.50.254
add name=dhcp_pool_dmz ranges=172.16.60.100-172.16.60.254
add name=dhcp_pool_ha ranges=172.16.70.100-172.16.70.254
add name=dhcp_pool_cluster ranges=172.16.80.100-172.16.80.254
add name=dhcp_pool_wlan ranges=172.16.90.50-172.16.90.254
add name=dhcp_pool_LAN ranges=172.16.100.2-172.16.100.254
add name=dhcp_pool_server ranges=172.16.20.11-172.16.20.20
/ip dhcp-server
add address-pool=dhcp_pool_ipmi disabled=no interface=vlan5 lease-time=2h \
    name=dhcp_ipmi
add address-pool=dhcp_pool_security disabled=no interface=vlan30 lease-time=\
    2h name=dhcp_security
add address-pool=dhcp_pool_IoT disabled=no interface=vlan40 lease-time=2h \
    name=dhcp_IoT
add address-pool=dhcp_pool_mgmt disabled=no interface=vlan10 lease-time=2h \
    name=dhcp_mgmt
add address-pool=dhcp_pool_guest disabled=no interface=vlan50 lease-time=2h \
    name=dhcp_guest
add address-pool=dhcp_pool_dmz disabled=no interface=vlan60 lease-time=2h \
    name=dhcp_dmz
add address-pool=dhcp_pool_ha disabled=no interface=vlan70 lease-time=2h \
    name=dhcp_ha
add address-pool=dhcp_pool_cluster disabled=no interface=vlan80 lease-time=2h \
    name=dhcp_cluster
add address-pool=dhcp_pool_wlan disabled=no interface=vlan90 lease-time=8h \
    name=dhcp_wlan
add address-pool=dhcp_pool_LAN disabled=no interface=vlan100 lease-time=8h \
    name=dhcp_LAN
add address-pool=dhcp_pool_server disabled=no interface=vlan20 lease-time=8h \
    name=dhcp_server
/interface bridge port
add bridge=Trunk_bridge interface=sfp-sfpplus1
add bridge=Trunk_bridge interface=sfp-sfpplus2
add bridge=Trunk_bridge interface=sfp-sfpplus3
add bridge=Trunk_bridge interface=sfp-sfpplus4
add bridge=Trunk_bridge interface=sfp-sfpplus11
add bridge=Trunk_bridge interface=sfp28-1
add bridge=Trunk_bridge interface=sfp28-2
add bridge=Trunk_bridge interface=sfp-sfpplus12
add bridge=Trunk_bridge interface=bonding1
add bridge=Trunk_bridge interface=bonding2
add bridge=Trunk_bridge interface=bonding3
/interface bridge vlan
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,sfp-sfpplus12,bonding1,bonding2,bonding3,sfp28-1,sfp28-\
    2,sfp-sfpplus11" vlan-ids=10
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,bonding1,bonding2,\
    sfp28-1,sfp28-2" vlan-ids=5
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2,bo\
    nding1,bonding2" vlan-ids=20
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,bonding1,bonding2,\
    sfp28-1,sfp28-2" vlan-ids=30
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,bonding1,bonding2,\
    sfp28-1,sfp28-2" vlan-ids=40
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,bonding1,bonding2,\
    sfp28-1,sfp28-2" vlan-ids=50
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,bonding1,bonding2,\
    sfp28-1,sfp28-2" vlan-ids=60
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,bonding1,bonding2,\
    sfp28-1,sfp28-2" vlan-ids=70
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,bonding1,bonding2,\
    sfp28-1,sfp28-2" vlan-ids=80
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,bonding1,bonding2,\
    sfp28-1,sfp28-2" vlan-ids=90
add bridge=Trunk_bridge tagged="Trunk_bridge,sfp-sfpplus1,sfp-sfpplus2,sfp-sfp\
    plus3,sfp-sfpplus4,bonding3,sfp-sfpplus11,sfp-sfpplus12,sfp28-1,sfp28-2,bo\
    nding1,bonding2" vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=vlan100 list=LAN
add interface=vlan50 list=Gast
add interface=vlan30 list=SECURITY
add interface=vlan90 list=WLAN
add interface=vlan40 list=IOT
add interface=vlan5 list=IPMI
add interface=vlan60 list=DMZ
add interface=vlan80 list=Cluster
add interface=vlan70 list=HA
/ip address
add address=172.16.5.1/24 interface=vlan5 network=172.16.5.0
add address=172.16.30.1/24 interface=vlan30 network=172.16.30.0
add address=172.16.40.1/24 interface=vlan40 network=172.16.40.0
add address=172.16.10.1/24 interface=vlan10 network=172.16.10.0
add address=172.16.50.1/24 interface=vlan50 network=172.16.50.0
add address=172.16.60.1/24 interface=vlan60 network=172.16.60.0
add address=172.16.70.1/24 interface=vlan70 network=172.16.70.0
add address=172.16.80.1/24 interface=vlan80 network=172.16.80.0
add address=172.16.90.1/24 interface=vlan90 network=172.16.90.0
add address=172.16.20.1/24 interface=vlan20 network=172.16.20.0
add address=172.16.100.1/24 interface=vlan100 network=172.16.100.0
add address=172.16.16.2/30 interface=ether1 network=172.16.16.0
/ip dhcp-server network
add address=172.16.1.0/24 gateway=172.16.1.1
add address=172.16.5.0/24 gateway=172.16.5.1
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=172.16.50.0/24 gateway=172.16.50.1
add address=172.16.60.0/24 gateway=172.16.60.1
add address=172.16.70.0/24 gateway=172.16.70.1
add address=172.16.80.0/24 gateway=172.16.80.1
add address=172.16.90.0/24 dns-server=172.16.90.1,172.16.16.1 gateway=\
    172.16.90.1
add address=172.16.100.0/24 dns-server=172.16.20.5,172.16.100.1 domain=\
    xxx.local gateway=172.16.100.1
/ip dns
set allow-remote-requests=yes servers=172.16.16.1,1.1.1.1
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input comment=" defconf:  drop  invalid" \
    connection-state=invalid disabled=yes
add action=accept chain=input protocol=icmp
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf:  drop  invalid" \
    connection-state=invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip route
add distance=1 gateway=172.16.16.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=cr1
/system leds
set 18 disabled=yes
set 19 disabled=yes
set 20 disabled=yes
set 21 disabled=yes
set 22 disabled=yes
set 23 disabled=yes
set 24 disabled=yes
set 25 disabled=yes
/system ntp client
set enabled=yes primary-ntp=xxxxxxxx secondary-ntp=xxxxxxxx
/system ntp server
set broadcast=yes enabled=yes
/system resource irq rps
set ether1 disabled=yes
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool mac-server ping
set enabled=no
and in the firewall the routes for them
172.16.50.0/24 cr1 - 172.16.16.2
172.16.10.0/24 cr1 - 172.16.16.2
172.16.30.0/24 cr1 - 172.16.16.2
172.16.80.0/24 cr1 - 172.16.16.2
172.16.40.0/24 cr1 - 172.16.16.2
172.16.60.0/24 cr1 - 172.16.16.2
172.16.90.0/24 cr1 - 172.16.16.2

everything is working perfectly except
failed to accept an incoming connection: connection from "172.16.16.2" rejected, allowed hosts: "172.16.20.3"
because the monitoring server's IP shows up as 172.16.16.2 because of the NATting; it should be the original IP 172.16.20.3
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 5:43 pm

So the relevant (if I didn't forget to include anything else) configuration part, which does things you don't want to see, is this:
/interface list
add name=WAN

/interface list member
add interface=ether1 list=WAN

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Essentially whatever leaves the router through ether1 (towards your firewall), regardless of the source (any of the VLAN subnets), and including traffic originating from the router itself (any of its own IP addresses), gets SRC NATed. And per your discussion so far you really don't want to have SRC NAT.

So either remove the NAT rule or remove ether1 from the WAN interface list. As I mentioned earlier, you'll have to reboot the router so that connection state clears (configuration changes often don't affect existing connections).
Both alternatives from the previous sentence are not exactly identical, but the effect with your particular firewall filter rules will be the same. I still think you should remove all filter rules for chain=forward unless you really want to filter traffic between different subnets. If you don't care about that, and additionally you don't want/need to protect the router from LAN users, you can remove all filter rules (including those for chain=input) ... if you have any filter rules (regardless of which chain), the firewall will perform connection tracking and that is quite a burden on the CPU. Even though the CCR2004 has a pretty powerful CPU, routing speed is not exactly wire-speed (real-life performance might peak around 10Gbps on all ports combined) and removing part of the burden will definitely help.
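As an added example (not from the thread and not RouterOS code), the Python below performs the check mkx walks through above: it parses an export excerpt modelled on the posted config, resolves the interface lists, and reports which enabled srcnat rule catches traffic leaving ether1, then shows the "remove ether1 from WAN" alternative. The excerpt is constructed; its disabled "bypass" rule and bridge-vlan entry are assumptions added only to exercise the parser.

```python
"""Audit a RouterOS export for source NAT on one egress interface.

Added example (not from the thread, not RouterOS code): joins the
backslash-continued export lines, resolves '/interface list member' and
lists the enabled srcnat rules that match traffic leaving an interface,
the check behind the reply above (ether1 is in WAN; masquerade matches it).
"""
import re

# Constructed excerpt modelled on the export posted in the thread; the disabled
# 'bypass' rule and the bridge-vlan entry are assumptions added for the parser.
EXPORT = r"""
/interface bridge vlan
add bridge=Trunk_bridge tagged="Trunk_bridge,bonding1,sfp-sfp\
    plus11" vlan-ids=20
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan100 list=LAN
/ip firewall nat
add action=accept chain=srcnat comment="bypass for monitoring" disabled=yes \
    src-address=172.16.20.3
add action=masquerade chain=srcnat out-interface-list=WAN
"""

# key=value pairs; quoted values land in group 2, bare values in group 3
_KV = re.compile(r'([\w-]+)=(?:"([^"]*)"|(\S+))')

def _logical_lines(text):
    """Yield export lines with a trailing backslash glued to the next line."""
    buf = ""
    for raw in text.splitlines():
        part = raw.strip()
        if part.endswith("\\"):
            buf += part[:-1]
            continue
        yield buf + part
        buf = ""

def parse_export(text):
    """Return {menu path: [ {key: value, ...} per 'add' line ]}."""
    sections, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        if verb == "add" and current is not None:
            sections[current].append({k: b or q for k, q, b in _KV.findall(rest)})
    return sections

def interface_lists(sections):
    """Map list name -> set of member interfaces."""
    lists = {}
    for m in sections.get("/interface list member", []):
        lists.setdefault(m["list"], set()).add(m["interface"])
    return lists

def srcnat_rules_for(sections, egress):
    """Enabled srcnat rules, in order, matching traffic that leaves 'egress'.
    No out-interface(-list) means the rule matches every egress interface;
    a list written as '!NAME' matches interfaces that are NOT in NAME."""
    lists = interface_lists(sections)
    hits = []
    for rule in sections.get("/ip firewall nat", []):
        if rule.get("chain") != "srcnat" or rule.get("disabled") == "yes":
            continue
        lst = rule.get("out-interface-list")
        if lst is not None:
            negate = lst.startswith("!")
            if (egress in lists.get(lst.lstrip("!"), set())) == negate:
                continue
        if "out-interface" in rule and rule["out-interface"] != egress:
            continue
        hits.append(rule)
    return hits

def first_action(sections, egress):
    """Action of the first matching rule ('masquerade'/'src-nat' rewrite the
    source, 'accept' leaves it alone); None when no rule touches the traffic."""
    hits = srcnat_rules_for(sections, egress)
    return hits[0]["action"] if hits else None

def without_list_member(sections, iface, lst):
    """Copy of the config with 'iface' taken out of list 'lst' (the 'remove
    ether1 from WAN' alternative); the original dict is left untouched."""
    new = {path: [dict(r) for r in rules] for path, rules in sections.items()}
    new["/interface list member"] = [
        m for m in new.get("/interface list member", [])
        if not (m["interface"] == iface and m["list"] == lst)]
    return new

if __name__ == "__main__":
    cfg = parse_export(EXPORT)
    for iface in ("ether1", "vlan100"):
        print(f"{iface}: srcnat action = {first_action(cfg, iface)}")
    fixed = without_list_member(cfg, "ether1", "WAN")
    print("after removing ether1 from WAN:", first_action(fixed, "ether1"))
```

Run it against a full `/export` to see every srcnat rule that rewrites a given interface's traffic before deciding whether to delete the rule or empty the list.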
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 6:06 pm

Hi mate, yes I just want to route between those local subnets with performance as high as possible for the storage area network, and for my home lab I have 4 Proxmox servers in a cluster, so I decided to get maximum routing performance; 20 Gbit and up would be fine. No firewall in plan; maybe I try later to cut the VLANs from talking to each other with rules, but first the ether1 side needs to be working. Many, many thanks for your suggestions :) I will try it now, hope I don't lose internet again.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 6:25 pm

I disabled all the firewall rules, removed NAT, restarted: no connections to the firewall side and to the Internet. Put the NAT back again, all working, but I don't understand why it doesn't work without NAT.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 6:56 pm

I strongly suspect that some bit of configuration is off on firewall. Can you perform traceroute from firewall towards one of LAN servers to see whether packets actually reach as far as CCR?

BTW, even though for now you seem to need NAT, remove firewall filter rules so that they don't interfere with traffic.

Another test is from router's side:
/tool traceroute 172.16.16.1
/tool traceroute 172.16.16.1 src-address=172.16.50.1

The first line should succeed since all will stay inside the "routing subnet". The second one (src-address should be one of the router's addresses other than 172.16.16.2) will succeed if the firewall is correctly configured for the rest of the LAN subnets. If the second one succeeds while you can't access the firewall from other hosts in the same VLAN, then ....
Last edited by mkx on Thu Sep 09, 2021 7:04 pm, edited 1 time in total.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 7:03 pm

From firewall
traceroute to 172.16.20.3 (172.16.20.3) from 172.16.16.1, 18 hops max, 40 byte packets
1 172.16.16.2 0.303 ms 0.204 ms 0.160 ms
2 172.16.20.3 1.372 ms 3.121 ms 2.303 ms
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 7:07 pm

Right. So from connectivity point of view everything works without NAT. Which means you should review firewall rules on your firewall .... does it allow input (ping) and forward from LAN interface where src address is not covered by LAN interface address/netmask?
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 7:09 pm

oh this was with nat
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 7:15 pm

But wasn't needed. SRC-NAT only does the trick for traffic leaving router (through that particular interface) of connections marked for NAT and only un-NATs traffic identified as being part of nat-ed connection (or "connection" in case of stateless protocols such as ICMP or UDP). And only marks connection for NATing when it's new.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 7:33 pm

Here are the rules on the firewall LAN where the MikroTik is connected

Protocol Source Port Destination Port Gateway Schedule Description
Automatically generated rules
IPv4 * LAN net * * * * * Default allow LAN to any rule
IPv4 * LocalNetwork * * * * * Allow Local LAN to IN any rule
IPv4 * LocalNetwork * * * * * Allow Local LAN to OUT any rule

LocalNetwork is an alias where the local networks are
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 7:41 pm

I've no idea about how to configure OPNsense, sorry.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Thu Sep 09, 2021 8:28 pm

On the firewall LAN side all to all is allowed, and as it says, it is expecting the server IP but gets the MikroTik IP
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 8:39 pm

I'll write it once again: as long as you have that NAT rule enabled, firewall won't see anything but router's address. However, when you disable (or remove) that rule, nothing in router's config blocks traffic from flowing between firewall and any of subnets. So if you remove NAT rule and traffic doesn't flow while you can traceroute from firewall to LAN server (but not in the other direction), then it's almost 100% something on firewall blocking traffic (not routing config).

Did you try traceroute from router the way I explained in my post #32 above?
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Thu Sep 09, 2021 8:44 pm

You can either run wireshark/tcpdump on the firewall - the interface towards the router. Or add a simple Linux host without any firewall into the same subnet as the firewall and router (you'll have to make it larger than /30 though) and test connectivity between servers and the test host. The router will behave the same way for both the test host and the firewall. You'll have to configure the router's address as default gateway on the test host to make sure the firewall is not in the way.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Sat Sep 11, 2021 11:58 am

Hi mate, you are the man of the day, I found why it was not working now. It was the OPNsense firewall: after an update it blocks on floating rules, you cannot move the rules down, weird development, and they want to make an enterprise firewall with such things. But now the weirdest problem: I forgot my password to this device and I don't know how to get in; tried over console connection but there is a password too. Is there such a thing as recovering the password without losing the config? I have no backup.
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: New to Mikrotik

Sat Sep 11, 2021 12:03 pm

Good moment to erase everything and start from scratch!
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Sat Sep 11, 2021 12:19 pm

:) Yes I think the same, but after so much work, and now the routing is there, this will be a pain lol if I cannot find the password. What can I expect for routing performance from this device? When I make a bond with 4 SFP+ ports? But the question is then which mode, rr or lacp. Underneath will be the CRS326-24S-2Q.

I try to make this so the CCR2004 is the main core router for max routing performance.
Downlink is a CRS326-24G-2S+; I am configuring this right now, want 2 SFP+ ports to the CCR with a bond, but mode lacp or rr for max performance I don't know at the moment.
Downlink is a CRS326-24S-2Q, minimum with 2 SFP+ but preferably with 4 SFP+ for 40 Gb link routing, but again which mode to make the bond with I don't know. But I think for max performance rr mode is good, right? And sorry for my bad English. By the way, many thanks for any help :)
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Sat Sep 11, 2021 3:17 pm

Official performance numbers are here: https://mikrotik.com/product/ccr2004_1g ... estresults

If you go without any firewall rule, then I guess the relevant line will be the "Routing, none (fast path)" configuration. And performance will probably be somewhere between the first and second column (1518 and 512 byte packets), probably nearer the second due to VLAN decapsulation and encapsulation, so something like 25 Gbps to 30 Gbps. Unless the vast majority of traffic will indeed use jumbo frames, in which case routing speed might be nearer 40 Gbps.

And I agree with @pe1chl, this is an ideal opportunity to configure stuff again from scratch. For a simple router, setup will be pretty simple: only a bridge with appropriate interfaces as ports, VLAN interfaces, IP addresses and a default route. No firewall configuration.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Sat Sep 11, 2021 3:56 pm

Hi mate, many thanks for the tips, I got my password back.
I have deleted all firewall rules, so no rule is present at the moment; only this NAT is enabled, even though no port is selected, and this works. As long as this firewall does not block, it will be fine; if it blocks more, I will delete this too, but I am searching for an option, maybe to change to another firewall where this works. For bonding, is the right way rr mode or lacp?
 
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Sat Sep 11, 2021 4:16 pm

For bonding make sure you select a bonding mode well supported by both link partners. The CRS3xx series supports LACP (802.3ad) and RR modes in hardware (others involve the switch CPU, meaning miserable throughput). With 802.3ad, you have the possibility to choose between different transmit-hash-policy settings which affect bond performance depending on traffic pattern. The RR mode has one advantage which is not available with other modes: it will distribute traffic between member links also for a single L4 connection (TCP or UDP), whereas other modes will keep a single L4 connection on a single link member.
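The from-scratch setup mkx outlined earlier (bridge, VLAN interfaces, addresses, default route) with the CRS326 uplink as an 802.3ad bond, written out as an added RouterOS example that is not from the thread or from MikroTik's documentation. Interface names, VLAN IDs and addresses are assumed values.

```routeros
# Added example (not from the thread): CCR2004 core router with a trunked
# 802.3ad bond towards a CRS326. Interface names, VLAN IDs and addresses
# are assumed; adjust to the real topology.

# 1. Bond two SFP+ ports towards the CRS326. 802.3ad is the mode the thread
#    later confirms as hardware-offloaded on CRS3xx (balance-rr is not, per
#    the wiki link cited below). layer-3-and-4 spreads different flows across
#    members; a single TCP/UDP flow still stays on one member.
/interface bonding
add name=bond-crs326 mode=802.3ad slaves=sfp-sfpplus1,sfp-sfpplus2 \
    transmit-hash-policy=layer-3-and-4 lacp-rate=30secs

# 2. Bridge with the bond as trunk port. Keep vlan-filtering off until the
#    VLAN table is complete, otherwise management access can be cut off.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=bond-crs326

# 3. VLAN table: the trunk and the bridge itself carry each VLAN tagged,
#    so the router can own an L3 interface in every VLAN.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,bond-crs326
add bridge=bridge1 vlan-ids=20 tagged=bridge1,bond-crs326

# 4. One L3 interface per VLAN on the bridge, with its gateway address.
/interface vlan
add name=vlan10-servers interface=bridge1 vlan-id=10
add name=vlan20-clients interface=bridge1 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-servers
add address=192.168.20.1/24 interface=vlan20-clients

# 5. Transit /30 towards the upstream firewall and the default route via it.
/ip address
add address=192.168.1.1/30 interface=ether1 comment="towards firewall"
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.2

# 6. Only now enable VLAN filtering. Verify the bond partner with
#    "/interface bonding monitor bond-crs326" before trusting the trunk.
/interface bridge
set bridge1 vlan-filtering=yes
```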
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Sat Sep 11, 2021 4:27 pm

Very nice, thanks. All these devices support rr mode, so I will make an rr bond between them: 2 links from the 1 Gb switch and 4 links from the 10 Gb switch. This was my idea, so the Proxmox servers will each have 40 Gb links; this way I can get max throughput out of them, I think.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Sat Sep 11, 2021 8:55 pm

Hi mate, a question on rr mode: it shows the link as connected, but when I go to the port there is no DHCP, and with a manual IP address nothing can ping. On lacp (802.3ad) mode it works. Both were with layer 2; does rr need layer 3 and 4?
 
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Sun Sep 12, 2021 11:22 am

I don't have any good ideas about RR not working, I've been using RR between linux hosts in the past. One gotcha I already mentioned: out-of-order delivery. TCP in theory should be able to deal with out-of-order packets (some TCP implementations are not exactly happy about it, reducing throughput and increasing retransmission counts), but for other protocols (UDP, ICMP, ...) that's definitely an issue. In your particular case (jumbo frames on LAN segments, normal frames on ethernet) it's even harder on the router (and consequently on the rest) because if the MTU changes ... either the router has to perform fragmentation or it has to drop packets if those are marked with the DF flag. Fragmentation means more delay and delay jitter for each packet in the router and a greater chance to end up with out-of-order delivery.

Personally I'd test to see if using jumbo frames actually improves LAN performance considerably enough to warrant bothering with different MTU sizes.
 
3dgfx
newbie
Topic Author
Posts: 28
Joined: Sun Aug 15, 2021 8:22 pm

Re: New to Mikrotik

Sun Sep 12, 2021 1:42 pm

Hi mate, many thanks for the answer. I had to change the switch to CCR2004 uplinks to LACP too in order for it to work. One of my Proxmox servers didn't play the rr game and did not work, but the other 2 are working; don't know what to say, half working, half not lol. Btw I changed my firewall to a cheap EdgeRouter and it is working like a charm without NAT now. :)
On QSFP ports I see 4 10 Gb links; do you need to bond them to get the full 40 Gb speed?
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: New to Mikrotik

Sun Sep 12, 2021 5:44 pm

@mkx,
Only 802.3ad and balance-xor mode are hardware offloaded on CRS3xx devices...
https://wiki.mikrotik.com/wiki/Manual:C ... es#Bonding

I've not used balance-rr on a CRS3xx device, only 802.3ad, so I can't tell if that is true or not, but according to the manual rr is not hardware offloaded... Unless I understand something wrong...
 
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: New to Mikrotik

Sun Sep 12, 2021 9:09 pm

I stand corrected.
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: New to Mikrotik

Sun Sep 12, 2021 9:14 pm

I stand corrected.
Ok, any reference on that?
That rr is hardware offloaded on CRS3xx devices? I can't find any reference on the wiki myself...
Also viewtopic.php?t=144407#p713296
 
karthickk
just joined
Posts: 8
Joined: Sun Aug 22, 2021 2:44 pm

Re: New to Mikrotik

Thu Sep 16, 2021 8:00 am

Can someone help me on the below post ? I have posted on Aug 22nd but nobody helped.

**HELP NEEDED** RB750Gr3- Load balancing and Failover configuration
viewtopic.php?f=13&t=177773
