patelmmp
just joined
Topic Author
Posts: 8
Joined: Fri Aug 27, 2021 12:59 pm

Remove port 5 from the bridge

Mon Sep 20, 2021 12:27 pm

I have a quick set configuration WISP AP in BRIDGE.

Port 1 is connected to my ISP router for internet access. I would like to remove port 5 from the bridge and assign IP address 10.0.0.10. I also need internet access to Port 5.

Is it possible to remove port 5 from the bridge and have internet access? Below is my code from the MikroTik router.
[admin@MikroTik] > export
# sep/20/2021 09:54:41 by RouterOS 6.48.4
# software id = TIZB-FW7H
#
# model = RB952Ui-5ac2nD
# serial number = AAAAAAAAAAAA
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-ABF815 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    country="united kingdom" disabled=no distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-ABF814 wireless-protocol=\
    802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=MikroTik-814 \
    wpa2-pre-shared-key=MikroTik-814
/ip pool
add name=dhcp ranges=0.0.0.1-0.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridge
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/London
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > 
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Remove port 5 from the bridge

Mon Sep 20, 2021 12:54 pm

You can remove it. In CLI run the following command:
/interface bridge port
remove [ find interface=ether5 ]

Then proceed by configuring IP settings on ether5. In case you want to control/limit connectivity between your current LAN and the new one, you'll have to add some firewall filter rules; your current rules allow all traffic between the current and new LAN. If you want to offer any services of the router to the new subnet, you'll have to adjust firewall settings as well (how, in particular, depends on the level of trust in devices on the new LAN).

BTW, your IP setup is a bit hosed right now:
/interface bridge
# MAC address should not be all-zeroes
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge
/ip pool
# having LAN with that many zeroes is weird ... and private IP address space doesn't contain it. 
# Most often people choose 192.168.x.y/24 And should use appropriate address space for use with DHCP server.
add name=dhcp ranges=0.0.0.1-0.0.0.254
# The following two settings don't make sense as they are
/interface bridge port
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=ether1 list=WAN
# Static IP address and dynamic IP address on same interface don't make much sense.
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=bridge
# it's not sensible to run DHCP server on same interface as DHCP client. Running DHCP client implies there's DHCP server available on that network already.
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip dhcp-server network
add address=0.0.0.0/24 comment=defconf gateway=0.0.0.0 netmask=24
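A worked version of this answer, added here as an example and not code from mkx's reply: ether5 leaves the bridge, gets its own routed subnet with DHCP, and firewall rules keep that segment away from the existing LAN. It assumes the router takes 10.0.0.1/24 on ether5 and leases 10.0.0.10 to the device on it, and that the upstream interface sits in the WAN list so the defconf masquerade rule already covers the new subnet.

```routeros
# Added example (not from mkx's reply): take ether5 out of the bridge and give
# it its own routed subnet that reaches the internet but not the existing LAN.
# Assumptions: the router takes 10.0.0.1/24 on ether5 and hands 10.0.0.10 to the
# device on it; the upstream interface is in the WAN list, so the defconf
# masquerade rule already covers the new subnet.
/interface bridge port
remove [ find interface=ether5 ]
# ether5 was also in the LAN list, which the defconf input rules trust;
# move it to its own list so the LAN rules no longer apply to it
/interface list
add name=EWON-WAN
/interface list member
remove [ find interface=ether5 ]
add interface=ether5 list=EWON-WAN
/ip address
add address=10.0.0.1/24 interface=ether5 network=10.0.0.0
# DHCP for the new segment; a single-address range pins the device to 10.0.0.10
/ip pool
add name=ewon-pool ranges=10.0.0.10-10.0.0.10
/ip dhcp-server
add address-pool=ewon-pool disabled=no interface=ether5 name=ewon-dhcp
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1 gateway=10.0.0.1
# input: let the new segment use the router only for DHCP and DNS; everything
# else from it falls through to "defconf: drop all not coming from LAN"
/ip firewall filter
add action=accept chain=input comment="ewon: dhcp+dns to router" \
    dst-port=53,67 in-interface-list=EWON-WAN protocol=udp \
    place-before=[ find comment="defconf: drop all not coming from LAN" ]
# forward: block new connections between the new segment and the LAN in both
# directions; established traffic is accepted earlier by the defconf rules,
# but no connection can become established without first passing as new
add action=drop chain=forward comment="ewon: isolate from LAN" \
    connection-state=new in-interface-list=EWON-WAN out-interface-list=LAN
add action=drop chain=forward comment="ewon: LAN may not reach ewon WAN" \
    connection-state=new in-interface-list=LAN out-interface-list=EWON-WAN
```

Drop the second forward rule if hosts on the LAN should be able to reach the device's WAN side directly.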
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remove port 5 from the bridge

Mon Sep 20, 2021 2:43 pm

So you have a HAPAC Lite that you want to set up as an access point / switch.
What is the main router brand/model connected to the hapac lite?
Did you only have the option of one cable to the device from the router?

Why is it that ethernet5 should not be on the bridge..........
In other words the requirements are not clear and therefore the design could probably be improved.
 
patelmmp
just joined
Topic Author
Posts: 8
Joined: Fri Aug 27, 2021 12:59 pm

Re: Remove port 5 from the bridge

Mon Sep 20, 2021 7:07 pm

Thanks for the quick response.

My main router is DrayTek and an ethernet cable is connected from DrayTek to MikroTik (Ether 1) for internet access. My eWON IoT device is connected to MikroTik. The eWON device has two ethernet ports - LAN for the local access and WAN for the remote access. (VPN tunnel in the eWON is pre-configured, just requires an internet connection). LAN and WAN subnets must be different for eWON.

I am using MikroTik Ether 5 to eWON WAN port for remote access and Ether 2 to eWON LAN for local access. For that reason, I need to remove MikroTik ether port 5 from the bridge and assign a different IP address than LAN. Port 2 is already in the bridge and accessible using LAN.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remove port 5 from the bridge

Mon Sep 20, 2021 9:01 pm

Interesting, ewon devices eh.
Okay so the WANPORT just needs internet access and is used for the vpn heartbeat and any remote access from the cloud.
Remote users with ewon software at their pc, access the ewon cloud and then a tunnel is established with the ewon, permitting remote access to the iot devices connected to the EWON either through serial port or ethernet port.
The IP structure of the WANPORT is not critical just needs access to the internet.

The lan ethernet ports can have a dual function,
a. either connected to iot devices (as are the serially connected devices)
b. normal LAN connectivity (like a switch) FOR LOCAL ACCESS to the devices behind the ewon on serial connections or other lan ports.
This LAN local network usage can be on any subnet that the IT admin establishes for the company network.

With all that in mind,
I would create three vlans at the draytek.
vlan10 for WAN connection of EWON
vlan20 for the LAN subnet you wish to attribute to the EWON as a switch/local access and for the PCs/folks to have access to it, if they are authorized.
vlan99 for management of hapac or if you already have a trusted lan, could be vlan20 or let's say another lan network the admin uses vlan30.

HAPAC
One bridge
ether1 - to draytek
ether2 - on vlan20 (AUTHORIZED local access to EWON - lan access)
ether5 - on vlan10 (WAN for remote access to EWON -wan access)

ether4 off the bridge and for emergency access to hapac in case the bridge configuration goes squirrelly.

Assumes
DRAYTEK creates and hands out DHCP for the following vlans
vlan10, vlan20, vlan99
Etherport 3 unused, wlan1 and wlan2 unused
Etherport 4 is set up to be able to access the hapac for config purposes locally in case bridge goes down. Just plug in your pc give it an ipv4 address of 192.168.66.3 or .5 etc.........
Manage interface is designed so that you can access the hapac from any location served by the draytek via winbox, or locally via pc direct.
(change etherport interface names to match below)

The setup for hapac as follows:
/interface bridge
add name=bridgewon vlan-filtering=yes  {initially set to no, until config is complete aka the last step}
/interface vlan
add interface=bridgewon name=ewonWAN vlan-id=10
add interface=bridgewon name=ewonLAN vlan-id=20
add interface=bridgewon name=manage-90 vlan-id=90
/interface list
add name=manage
/ip neighbor discovery-settings
set discover-interface-list=manage
/interface bridge port
add bridge=bridgewon comment=defconf interface=ether1-trunk ingress-filtering=yes frame-types=admit-only-tagged  {assuming trunk port to draytek}
add bridge=bridgewon comment=defconf  interface=ether5-wan pvid=10 ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridgewon comment=defconf interface=ether2-lan pvid=20 ingress-filtering=yes  frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridgewon tagged=bridgewon,ether1-trunk  untagged=ether5-wan vlan-ids=10
add bridge=bridgewon tagged=bridgewon,ether1-trunk  untagged=ether2-lan  vlan-ids=20
add bridge=bridgewon tagged=bridgewon,ether1-trunk vlan-ids=90
/interface list member
add interface=eth4-emergaccess list=manage
add interface=manage-90 list=manage
/ip address
add address=192.168.??.xx/24 interface=manage-90 network=192.168.??.0  {this is the address of the hapac on the manage-90 vlan subnet}
add address=192.168.66.2/24 interface=eth4-emergaccess network=192.168.66.0
/ip dns
set allow-remote-requests=yes servers=192.168.??.1   {use gateway of manage-90 vlan subnet}
/ip route
add distance=1 gateway=192.168.??.1  {Dst. Address: 0.0.0.0/0 - use gateway of manage-90 vlan subnet}
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=manage
...

The rest is up to draytek settings I suppose or better refined requirements at your end.
What model do you have??
 
patelmmp
just joined
Topic Author
Posts: 8
Joined: Fri Aug 27, 2021 12:59 pm

Re: Remove port 5 from the bridge

Wed Sep 22, 2021 8:28 pm

Thanks, Anav.

I reset the router to factory default and removed all the scripts. Copied the code as you advised - line by line.

I am getting a syntax error when adding the following line:

add bridge=bridgewon comment=defconf interface=ether1-trunk ingress-filtering=yes frame-types=admit-only-tagged {assuming trunk port to draytek}

What could be wrong?

  MikroTik RouterOS 6.48.4 (c) 1999-2021       http://www.mikrotik.com/

[admin@MikroTik] > export
# jan/02/1970 00:03:31 by RouterOS 6.48.4
# software id = TIZB-FW7H
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
[admin@MikroTik] > /interface bridge
[admin@MikroTik] /interface bridge> add name=bridgewon vlan-filtering=no
[admin@MikroTik] /interface bridge> /interface vlan
[admin@MikroTik] /interface vlan> add interface=bridgewon name=ewonWAN vlan-id=10
[admin@MikroTik] /interface vlan> add interface=bridgewon name=ewonLAN vlan-id=20
[admin@MikroTik] /interface vlan> add interface=bridgewon name=manage-90 vlan-id=90
[admin@MikroTik] /interface vlan> /interface list
[admin@MikroTik] /interface list> add name=manage
[admin@MikroTik] /interface list> /ip neighbor discovery-settings
[admin@MikroTik] /ip neighbor discovery-settings> set discover-interface-list=manage
[admin@MikroTik] /ip neighbor discovery-settings> /interface bridge port
[admin@MikroTik] /interface bridge port> /
[admin@MikroTik] > export
# jan/02/1970 00:07:36 by RouterOS 6.48.4
# software id = TIZB-FW7H
#
# model = RB952Ui-5ac2nD
# serial number = 
/interface bridge
add name=bridgewon
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridgewon name=ewonLAN vlan-id=20
add interface=bridgewon name=ewonWAN vlan-id=10
add interface=bridgewon name=manage-90 vlan-id=90
/interface list
add name=manage
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip neighbor discovery-settings
set discover-interface-list=manage
[admin@MikroTik] > 
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remove port 5 from the bridge

Wed Sep 22, 2021 9:32 pm

Observations:

Probably because you may be copying verbatim.
The instructions here { are not part of any script but to explain to you certain points about that entry !!

add bridge=bridgewon comment=defconf interface=ether1-trunk ingress-filtering=yes frame-types=admit-only-tagged {assuming trunk port to draytek}
 
patelmmp
just joined
Topic Author
Posts: 8
Joined: Fri Aug 27, 2021 12:59 pm

Re: Remove port 5 from the bridge

Wed Sep 22, 2021 10:10 pm

Hi Anav,

I did remove the instruction {assuming trunk port to draytek}. Still getting the syntax error. The error is on frame-types=admit-only-tagged, where the cursor is placed on the "a" of admit.

BR
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remove port 5 from the bridge

Wed Sep 22, 2021 10:25 pm

Ahhh,
okay sorry
admit-only-vlan-tagged
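The bridge-port and bridge-VLAN section of the design posted earlier with that value corrected and the brace notes turned into # comment lines, which RouterOS ignores when the block is pasted into the terminal. This is an added example, not anav's own post, and it assumes the ports have already been renamed ether1-trunk, ether5-wan and ether2-lan as the design asks.

```routeros
# Added example: corrected bridge port / VLAN section of the design above.
# Notes are # comments, so the block can be pasted into the terminal as is.
/interface bridge port
# trunk to the DrayTek: only VLAN-tagged frames are accepted
add bridge=bridgewon interface=ether1-trunk ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
# access ports: untagged frames go into the port's PVID, tagged frames are dropped
add bridge=bridgewon interface=ether5-wan pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridgewon interface=ether2-lan pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
add bridge=bridgewon tagged=bridgewon,ether1-trunk untagged=ether5-wan vlan-ids=10
add bridge=bridgewon tagged=bridgewon,ether1-trunk untagged=ether2-lan vlan-ids=20
# the management VLAN is tagged on the bridge itself so manage-90 can carry the router's IP
add bridge=bridgewon tagged=bridgewon,ether1-trunk vlan-ids=90
# turn filtering on last, once the VLAN table and the management address are in place
/interface bridge
set bridgewon vlan-filtering=yes
```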
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Remove port 5 from the bridge

Wed Sep 22, 2021 10:30 pm

Hint: if you're getting a red return on a script line, it's a good practice to go to the winbox entry that corresponds.
for example

when I go to bridge ports for a particular ethernet port this is what comes up and one can check if script matches.....
(attachment: bports.jpg)
