ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Traffic to management of MikroTik switches not going through

Mon Sep 13, 2021 9:51 am

Hello, I recently started working with a MikroTik router and switches configuration. The first order of business was to get access from my station to the management of the switches without having to physically plug my ethernet port into them or change my VLAN.

So, since their management is on a different VLAN, I configured a NAT, and a firewall rule that allows input traffic from my station's reserved IP with my MAC address.
I can ping the default gateway of that VLAN, but I can't access the switches either via ping or via the web browser.

I tried looking at the documentation but it's all for the terminal and not for the web, and I'm still trying to figure out the web before I dive into learning the whole terminal.

what am I missing?
thanks
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic to management of MikroTik switches not going through

Mon Sep 13, 2021 11:10 pm

Please clarify
1. You are behind the main router (on a router port?) which is connected to all the switches via other ports? ( a network diagram would be nice).
2. /export hide-sensitive file=anynameyouwish

3. You shouldn't need NAT, but until 1 and 2 are published it's hard to tell.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic to management of MikroTik switches not going through

Mon Sep 13, 2021 11:24 pm

I tried looking at the documentation but it's all for the terminal and not for the web,

Webfig (I hope you're not still using QuickSet) has almost identical hierarchical structure as CLI. So when you get some command for CLI, you should be able to configure the same through GUI (both Webfig and Winbox).
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 8:02 am

Please clarify
1. You are behind the main router (on a router port?) which is connected to all the switches via other ports? ( a network diagram would be nice).
2. /export hide-sensitive file=anynameyouwish

3. :You shouldnt need NAT but until 1 and 2 are published hard to tell.

Sorry, I am on a switch port and that switch is connected to the router. I am in VLAN A and have 1 subnet, and the switches are managed via VLAN B which has a different subnet. All the switches are connected to the router. Hope this helps.

So when you get some command for CLI, you should be able to configure the same through GUI

Well, I tried port mirroring on both ingress and egress from the switch bridge to the SFP port, but there's no traffic. And that's pretty much what the guide said about CLI.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 8:16 am

So when you get some command for CLI, you should be able to configure the same through GUI
Well I tried port mirroring on both ingress and egress from the switch bridge to the sfp port, but there's no traffic. and that's pretty much what the guide said about CLI.

Depending on which particular switch model there are two ways of getting port mirrored ... so if you want to get some concrete advice, give us some details.
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 9:11 am

CSS326-24G-2S+ is the switch's model number. I don't have SSH access to the router yet and the terminal option in the web browser is borked.
hope this helps.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 12:24 pm

For CRS3xx devices, port mirroring can be configured according to this manual.

I strongly suggest you to get the CLI access working ASAP.
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 1:39 pm

Hey, turns out the switch is running RouterOS, which might explain (might not) why the command for set did not have switch1 like the manual showed.
Anyway, I've attached a screenshot of the web config I managed to find and try. It doesn't work, but maybe it's something that will clarify why it doesn't.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 3:25 pm

Two things:
  1. I'm not going to look at some random screenshots. I suggest you start using CLI real quick and post a text export of the configuration (execute /export hide-sensitive and copy-paste the output inside a [code] [/code] environment).
  2. Are you sure you want to mirror traffic originating from (and terminating at) the switch's own management interface? Interface switch1-cpu is the interconnect between the switch chip and the device's CPU, and when the device is used strictly as an ethernet switch, the only traffic passing the interconnect will be management of the device.
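Port mirroring on a CRS3xx-class switch chip, as an added example that is not the poster's configuration: mirror a user-facing port rather than switch1-cpu, so the analyzer sees forwarded traffic and not just the switch's own management sessions. The port names (ether5 as the observed port, sfp-sfpplus1 as the analyzer port) are assumptions; confirm them with /interface ethernet print before applying.

```routeros
# Added example, not from the thread. Assumed names: ether5 = port to observe,
# sfp-sfpplus1 = port the analyzer is plugged into. Mirror a data port, not
# switch1-cpu, which only carries the switch's own management traffic.
/interface ethernet switch
set switch1 mirror-source=ether5 mirror-target=sfp-sfpplus1

# Recent RouterOS releases for CRS3xx use per-port mirror flags instead
# (version-dependent; use whichever form your /interface ethernet switch
# print output accepts):
#   /interface ethernet switch port set ether5 mirror-ingress=yes mirror-egress=yes
#   /interface ethernet switch set switch1 mirror-ingress-target=sfp-sfpplus1 \
#       mirror-egress-target=sfp-sfpplus1

# Verify what the switch chip is actually doing
/interface ethernet switch print
/interface ethernet switch port print
```

Keep the analyzer port out of the bridge so mirrored copies are not forwarded back into production VLANs, and remember the mirror also copies any plaintext management traffic (HTTP, Telnet) crossing that port, so treat the analyzer port as a sensitive interface.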
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 3:31 pm

Ok, but that's a bit off-topic, since I started this topic trying to get access to the switches' management network from my VLAN, and the SPAN is just a reply to a comment regarding the CLI vs GUI. Once I solve the problem of reaching those switches from my station I could do all the things from CLI, but right now the switches are in the middle of a narrow and busy hallway that I can't sit connected to with a cable to manage all day.

so I think the top priority is to understand why I can't reach the switches but I can reach the default gateway of their vlan, and we can proceed from there.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 3:55 pm

Well ... as @anav already wrote: show us text export of configuration and we might be able to tell you where things went wrong. Without that we can only guess.
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 4:00 pm

That's the problem, I don't have SSH into the router, and it doesn't want to launch the terminal in the web browser.
It does not accept the credentials of the web admin, so I'm guessing there's a private key somewhere that someone needs to send me.

so what you're saying is wait until I have access to the terminal to export this file?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic to management of MikroTik switches not going through

Tue Sep 14, 2021 4:25 pm

Yes, until you have access to WebFig, CLI, Winbox etc. and thus have the authority to actually work on the device '-) we will wait patiently.
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Sun Sep 19, 2021 4:03 pm

Well, I have the config of one of the switches; it's the switch I want to run port mirroring on as well.
So the things I need help with are: 1) why can't I reach this switch from the network unless my cable is physically plugged in to it, and 2) why is my mirroring not working.
Also I found out it does not have the NTP module installed and I could not find which package to download and install.

I would be most grateful for your help with this.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic to management of MikroTik switches not going through

Sun Sep 19, 2021 4:49 pm

What about the config of the MT router that is used to connect to the switches??
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Sun Sep 19, 2021 4:50 pm

Still don't have the SSH private key for it.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic to management of MikroTik switches not going through

Sun Sep 19, 2021 7:12 pm

Well, pun intended, knowing what the router is doing and provides to the switch is key!!
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Sun Oct 10, 2021 10:19 am

So I got it to somehow work, and I exported the file. I must say the hide-sensitive is crap. It does not remove comments, and does not obfuscate the IP address and other things that might be sensitive.

After a ton of manually censoring the file, I've attached it to this post.

Hope this helps.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic to management of MikroTik switches not going through

Sun Oct 10, 2021 4:08 pm

Well, the only thing that would be sensitive is that sometimes the WAN IP creeps in; otherwise, pretty decent.
Not sure I will have time today to look but will try.
In general, being able to access all devices successfully, at least via Winbox, is to ensure that a management-type VLAN exists (for a business a separate VLAN; at home I just use my trusted home VLAN). In any case, the point is:
a. every smart device needs an IP address on the management VLAN.
b. every device needs a management-type interface created/identified on the interface list with appropriate assignments;
this interface list should be entered into Tools > MAC Server (at least for Winbox).
Plus an IP route on each non-router smart device pointing to the gateway of the management VLAN helps.
When I do this, I can see any MT device from the management network.
It will take some tweaking to ensure you have that access.
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Sun Oct 17, 2021 3:53 pm

Hey, so did you have a chance to look at the file?
I also have an update, I upgraded the router to the latest LTS, had a small heart attack when it was stuck in a boot loop and had 2 hours downtime.
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Traffic to management of MikroTik switches not going through

Sun Oct 17, 2021 4:42 pm

What are you expecting
/ip route
....
add distance=1 dst-address=192.168.0.0/24 gateway=vlan90-SwitchMGMT pref-src=172.16.30.32 scope=10
add distance=1 dst-address=192.168.60.0/24 gateway=vlan60-GuestWiFi pref-src=192.168.60.1 scope=10

to do?

For broadcast interfaces (i.e. not point-to-point PPP-like ones) gateway= should be an address, not an interface. Also attempting to set the source address to something which is not part of the subnet is completely wrong.

The action=accept in the /ip firewall nat rules is likely not what you intended; it accepts the packet as-is in the chain (chain=srcnat in this case). If you wish to perform source NAT use action=src-nat or action=masquerade, see https://help.mikrotik.com/docs/display/ROS/NAT
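The two corrections above, plus the return-path point raised earlier in the thread, as an added RouterOS example (not the poster's export). Assumptions: the router already holds vlan90-SwitchMGMT with 192.168.0.1/24 and the workstation VLAN with 172.16.30.1/24, the admin station uses 172.16.30.32 and .33, and the switches sit in 192.168.0.0/24. Note that a rule in chain=input only protects the router itself; traffic from the station to a switch transits the router, so it is governed by chain=forward.

```routeros
# Added example, not the thread's configuration. Assumed addresses and names:
# router 192.168.0.1 on vlan90-SwitchMGMT, router 172.16.30.1 on the station
# VLAN, admin station 172.16.30.32-33, switches in 192.168.0.0/24.

# 1. Routes: both VLANs are directly connected, so the router already has
#    connected routes for them. The hand-written static routes with an
#    interface as gateway and an off-subnet pref-src add nothing useful;
#    confirm with /ip route print, then remove them.
/ip route
remove [find dst-address=192.168.0.0/24 gateway=vlan90-SwitchMGMT]
remove [find dst-address=192.168.60.0/24 gateway=vlan60-GuestWiFi]

# 2. Filter, not NAT: admit only the admin station into the management VLAN,
#    and only on the management protocols. Place these ABOVE any generic
#    forward drop already in the export (rule order is top-down).
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="return traffic (skip if an equivalent rule already exists)"
add chain=forward action=accept src-address=172.16.30.32/31 \
    dst-address=192.168.0.0/24 protocol=tcp dst-port=22,443,8291 \
    comment="admin station -> switch management (ssh, https, winbox)"
add chain=forward action=accept src-address=172.16.30.32/31 \
    dst-address=192.168.0.0/24 protocol=icmp \
    comment="admin station may ping switches"
add chain=forward action=drop dst-address=192.168.0.0/24 \
    comment="nobody else reaches the management VLAN"

# 3. The srcnat rule with action=accept translates nothing. Two locally
#    routed VLANs need no NAT at all, so remove it rather than fix it.
/ip firewall nat
remove [find chain=srcnat action=accept]

# 4. On EACH switch (RouterOS): the router's 192.168.0.1 is on-link, which is
#    why pinging the gateway works, but a reply to 172.16.30.x needs a route
#    back. Without this the switch silently drops the reply.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1
```

Verify from the station with a ping and a Winbox connection, then check /ip firewall filter print stats to confirm the counters on the accept rules move and the final drop rule catches anything else; if the accept counters stay at zero, the rules sit below an earlier drop.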
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Sun Oct 17, 2021 5:08 pm

Thank you for your response, here's what I plan to do:
Have a way for my machine (172.16.30.32-33) to reach the management port of the switches that are connected to the router.
In that line I tried to just replace the existing rule with my IP. according to what you wrote, the original rule was wrong.

The second thing I am trying to accomplish is have a Wi-Fi guest VLAN 60, with the IP range of 192.168.60.0/24 and have ports on the switches process that tag correctly.

Those are the main issues I want to address. After that, I need to clear up any unused rules, and solve the problem where one of the switches tries to get an IP address from the DHCP 900 times out of 1000 items in the log, and fails.
And later on, have the ability to span a whole switch to an SFP port for diagnostics.

If you can help me through the steps I need to take to make those happen, I would really appreciate it. Especially since the hardware did not respond well to the upgrade last time, I want this to be seamless to the users.

Thanks
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic to management of MikroTik switches not going through

Sun Oct 17, 2021 9:32 pm

Okay, so you need all smart devices to get an IP address on what you use as the management VLAN.

If your switches are not MikroTik then you need to do the following (scenario: home VLAN 10, guest Wi-Fi VLAN 20, management VLAN 99).
Let's say a 5-port switch:
eth1 - trunk port from router
eth2- trunk port to a smart Access point (carrying vlans 10 home, 20 guest)
eth3-access port to a dumb access point (carrying vlan 10 home)
eth5-access port to a dumb PC (home vlan)

The switch will come set with no IP address so let it be attached to your management vlan in dhcp mode and then make it static in the MT router, or assign it manually in both the mt router and the switch
all ports will be U (untagged for vlan1) and will be set to pvid of 1.
u/u/u/u/u

Trunk Ports:
One does not change pvid or settings for vlan1
For the vlans in going through the trunk port ensure they are tagged for the appropriate vlans.

So for ether1, Tagged ports are 10,20,99
So for ether2, Tagged ports are 10,20,99 ( 99 so that the smart access point can get an IP assigned on the management VLAN)
So for ether3, Change PVID to 10 and make it untagged for vlan 10.
So for ether4 Change PVID to 10 and make it untagged for vlan 10

For ether3 and 4, ensure vlan 1 is no longer Untagged (should have NO tag). the pvid will no longer be one as you have changed that to 10.

If there is a separate management vlan setting on the switch you can set that to 99.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
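The same five-port scenario on a MikroTik switch running RouterOS (bridge VLAN filtering, CRS3xx-class), as an added example that is not the poster's export: ether1 trunk to the router, ether2 trunk to a VLAN-aware AP, ether3 and ether4 access ports in VLAN 10, VLAN 99 as the management VLAN. The management subnet 192.168.99.0/24 and router address 192.168.99.1 are assumptions. Keep a MAC-Winbox or console session open while applying it; enabling vlan-filtering with a wrong membership table locks you out.

```routeros
# Added example, not the thread's configuration. Assumed: management subnet
# 192.168.99.0/24, router at 192.168.99.1, this switch takes .12.

/interface bridge
add name=bridge1 vlan-filtering=no      # enable filtering last

/interface bridge port
add bridge=bridge1 interface=ether1          # trunk to router, pvid stays 1
add bridge=bridge1 interface=ether2          # trunk to AP, pvid stays 1
add bridge=bridge1 interface=ether3 pvid=10  # access port, untagged home
add bridge=bridge1 interface=ether4 pvid=10  # access port, untagged home

# Membership table. bridge1 itself must be tagged for 99 so the CPU can own
# a management address on that VLAN; VLAN 1 is left with no members on the
# access ports, matching "should have NO tag" above.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=ether1,ether2 untagged=ether3,ether4
add bridge=bridge1 vlan-ids=20 tagged=ether1,ether2
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether1,ether2

# Management address on a VLAN interface over the bridge, never on the raw
# bridge in VLAN 1, plus the route back to the management gateway.
/interface vlan
add name=vlan99-mgmt vlan-id=99 interface=bridge1
/ip address
add address=192.168.99.12/24 interface=vlan99-mgmt
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.99.1

# Restrict discovery and MAC-Winbox to the management VLAN only.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=vlan99-mgmt
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/ip neighbor discovery-settings
set discover-interface-list=MGMT

# Check the table (every VLAN should list the ports you expect), then switch on.
/interface bridge vlan print
/interface bridge
set bridge1 vlan-filtering=yes
```

The untagged list on ether3 and ether4 combined with pvid=10 is what turns them into access ports; a port that is both pvid=10 and absent from the untagged list of VLAN 10 will receive but never send, which looks exactly like "I can reach the gateway but not the switch".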
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic to management of MikroTik switches not going through

Sun Oct 17, 2021 9:34 pm

For the rest of the config, 7 VLANs are identified but only 5 IP pools etc., so you are missing data, it seems.
Otherwise, it's a fairly complex setup, so if you have your settings right it should work.
 
ITmedigateio
just joined
Topic Author
Posts: 16
Joined: Sun Sep 05, 2021 8:09 am

Re: Traffic to management of MikroTik switches not going through

Mon Oct 18, 2021 8:27 am

Thank you for the response. The rest of the switches are MikroTik as well. Perhaps now is the time for me to tell you about the topology a bit.
We have 6 MikroTik switches connected to the router, with a trunk for each switch occupying 2 router ports.

So if I understood what you wrote correctly, my issue is just that I don't have the new VLANs on the trunk ports in the router? Is that correct?
Also, would creating pools for the other 2 VLANs, which are security (which may have been used to do the switch management before, to be honest) and the switch management VLAN, solve the issue of me reaching the management ports?
Where would I place that IP? Since all the switches are connected via trunks to the router, I'm fairly certain they have an IP on the router's network, but when I try to connect to that IP it times out.

I've attached the router Neighbors screen; as you can see some switches have an IP in the Security VLAN, which is 192.168.100.0/24, and some in the MGMT VLAN, which is 192.168.0.0/24.

As I mentioned before, I inherited this config, so if you find something that's stupid or a security risk that I missed, I would be most appreciative to hear about it.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Traffic to management of MikroTik switches not going through

Mon Oct 18, 2021 3:04 pm

Unfortunately it's overly complex for me to try and unravel the snake's nest.
Follow the guidance here for the router and the switches.
viewtopic.php?t=143620

at least to get ideas.

On the router every vlan has to be identified and its parent interface is the bridge.
On the router every vlan needs 4 things, ip pool, ip address, dhcp server, dhcp server-network

On the switches every vlan has to be identified and its parent interface is a bridge on the switch.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
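The "four things per VLAN" on the router side, as an added RouterOS example (not the poster's export), written for the two VLANs named in the thread, vlan90-SwitchMGMT (192.168.0.0/24) and vlan60-GuestWiFi (192.168.60.0/24). The trunk port names ether2/ether3, the router's management address 192.168.0.1 and the pool ranges are assumptions; the export in the thread only shows the guest gateway 192.168.60.1.

```routeros
# Added example, not the thread's configuration. Assumed: ether2 and ether3 are
# trunks to two switches, router owns 192.168.0.1 on the management VLAN,
# pool ranges are illustrative.

# Every VLAN exists on the bridge and is tagged on the bridge itself so the
# router can hold an address on it, and tagged on each trunk to the switches.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2   # trunk to switch 1
add bridge=bridge1 interface=ether3   # trunk to switch 2
/interface bridge vlan
add bridge=bridge1 vlan-ids=90 tagged=bridge1,ether2,ether3
add bridge=bridge1 vlan-ids=60 tagged=bridge1,ether2,ether3

# VLAN interfaces hang off the bridge, not off a physical trunk port.
/interface vlan
add name=vlan90-SwitchMGMT vlan-id=90 interface=bridge1
add name=vlan60-GuestWiFi  vlan-id=60 interface=bridge1

# The four things, once per VLAN: pool, address, dhcp-server, dhcp network.
/ip pool
add name=pool-mgmt  ranges=192.168.0.100-192.168.0.199
add name=pool-guest ranges=192.168.60.100-192.168.60.199
/ip address
add address=192.168.0.1/24  interface=vlan90-SwitchMGMT
add address=192.168.60.1/24 interface=vlan60-GuestWiFi
/ip dhcp-server
add name=dhcp-mgmt  interface=vlan90-SwitchMGMT address-pool=pool-mgmt  disabled=no
add name=dhcp-guest interface=vlan60-GuestWiFi  address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.0.0/24  gateway=192.168.0.1  dns-server=192.168.0.1
add address=192.168.60.0/24 gateway=192.168.60.1 dns-server=192.168.60.1

# Pin each switch to a fixed management address once it has leased one, so the
# address in the Neighbors list stops moving between VLANs.
#   /ip dhcp-server lease make-static [find address=192.168.0.101]

# Guest VLAN is internet-only: no path to management or the station VLAN.
/ip firewall filter
add chain=forward action=drop in-interface=vlan60-GuestWiFi \
    dst-address=192.168.0.0/24 comment="guest -> management blocked"
add chain=forward action=drop in-interface=vlan60-GuestWiFi \
    dst-address=172.16.30.0/24 comment="guest -> station VLAN blocked"

# Enable filtering only after /interface bridge vlan print looks right.
/interface bridge
set bridge1 vlan-filtering=yes
```

A VLAN that is present in /interface vlan but missing from /interface bridge vlan, or missing from the tagged list of a trunk, behaves exactly like the "7 VLANs, 5 pools" mismatch noted above: the interface exists, but frames for it never leave the router on that trunk.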
