 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

hapLite VLAN trunk fails with no default vlan defined.

Wed Apr 27, 2022 10:04 pm

I'm trying to get a trunk working between a hapLite and a CRS 125. The hapLite is the Atheros 8227 chipset, which should work.

I have 2 vlans (2 and 17) defined on the hap Lite. I want vlan 2 on eth1, and vlan 17 on eth 2, with the trunk on eth4 (trunked to the CRS 125).
/interface bridge
add name=bridgeVLAN
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface bridge port
add bridge=bridgeVLAN interface=ether1
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add ports=ether4,ether1,switch1-cpu switch=switch1 vlan-id=2
add ports=ether2,switch1-cpu,ether4 switch=switch1 vlan-id=17
The above config works, because of this line:
set 3 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure

A vlan 2 system on eth1 can ping across the trunk to an IP address on the CRS or laptop plugged into vlan 2 or 17 on the CRS.

However, a vlan 17 system on eth2 can't ping across the trunk.

If I change that line to vlan 0 (or 1):
set 3 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure

then the eth1 vlan 2 system can no longer ping across the trunk. The configs I find online don't specify a default-vlan-id, but in my case, if it's not default to vlan 2, ping fails.

Ideas? That one change on the hapLite makes the trunk fail, which makes me think it's on the hapLite side of the config.
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Wed Apr 27, 2022 11:31 pm

Well, I thought I'd found what I'd forgotten:

/interface bridge vlan
add bridge=bridgeVLAN tagged=vlanGUEST vlan-ids=17
add bridge=bridgeVLAN tagged=vlanLAN vlan-ids=2

/interface bridge port
add bridge=bridgeVLAN interface=ether1 pvid=2
add bridge=bridgeVLAN interface=ether2 pvid=17
add bridge=bridgeVLAN interface=ether4

but it didn't make any difference. Still doesn't work.
set 3 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure
works for vlan 2, but I can't change that to default-vlan-id=1.
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 12:37 am

/interface bridge port
add bridge=bridgeVLAN interface=vlanGUEST pvid=17
add bridge=bridgeVLAN interface=vlanLAN pvid=2


Now I'm probably making a mess of things, but still not helping.
 
anav
Forum Guru
Posts: 19318
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 1:31 am

When you decide NOT to use these settings I can certainly help.
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure


As well I would have to see the complete config
/export hide-sensitive file=anynameyouwish (and just ensure no public IP addresses are displayed).
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 1:34 am

The problem may be the 8227 switch chip, if I understood what @tdk said about them in post #79 of this thread Vlan configuration issue

This is the relevant part:
Mikrotiks will exhibit this performance with ingress-filtering=no or ingress-filtering=yes frame-types=admit-all. The OpenWRT UI fibs for devices with Atheros fast (100Mbit) switch chips as they are incapable of hybrid operation, a port with a PVID set actually leaves packets with that ID tagged on egress but will accept both untagged and tagged with that ID on ingress.
On ether2 is vlan 17 untagged or tagged? Have you tried making it a pure trunk with both 2 and 17 tagged? What type of access point do you have?
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 1:45 am

When you decide NOT to use these settings I can certainly help.
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=2 vlan-header=add-if-missing vlan-mode=secure


As well I would have to see the complete config
/export hide-sensitive file=anynameyouwish (and just ensure no public IP addresses are displayed).
I'm glad to use any settings that will work! I pulled those settings from the wiki:
https://wiki.mikrotik.com/wiki/Manual:B ... _switching

It just won't let me not set the default-vlan-id for interface 3 (eth4). If I set it for 2, vlan 2 works. If I set it for 17, vlan 17 works.
# jan/02/1970 20:42:13 by RouterOS 6.49.6
# software id = 2UIZ-IVIF
#
# model = RB941-2nD
/interface bridge
add name=bridgeVLAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=17 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN interface=ether1 pvid=2
add bridge=bridgeVLAN interface=ether2 pvid=17
add bridge=bridgeVLAN interface=ether4
add bridge=bridgeVLAN interface=vlanGUEST pvid=17
add bridge=bridgeVLAN interface=vlanLAN pvid=2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridgeVLAN tagged=vlanGUEST vlan-ids=17
add bridge=bridgeVLAN tagged=vlanLAN vlan-ids=2
/interface ethernet switch vlan
add ports=ether4,ether1,switch1-cpu switch=switch1 vlan-id=2
add ports=ether2,switch1-cpu,ether4 switch=switch1 vlan-id=17
/ip address
add address=192.168.2.3/24 interface=vlanLAN network=192.168.2.0
add address=192.168.17.3/24 interface=vlanGUEST network=192.168.17.0
/system identity
set name=B941-2nD
Last edited by amcrs on Thu Apr 28, 2022 3:32 am, edited 1 time in total.
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 1:49 am

On ether2 is vlan 17 untagged or tagged? Have you tried making it a pure trunk with both 2 and 17 tagged? What type of access point do you have?
I have a haplite. I need you to tell me if it's tagged or untagged. :-) The config is above.

In theory I want ether 4 to be the trunk.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 1:53 am

For your security, remove serial number from export...
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 2:14 am

The entire /interface bridge vlan section and the pvid= settings in the /interface bridge port are ignored when the bridge has vlan-filtering=no.

The switching setup should work with
/interface ethernet switch port
....
set 3 vlan-header=add-if-missing vlan-mode=secure

i.e. with default-vlan-id=0. Are you sure the CRS configuration is correct?
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 2:22 am

Watch this YouTube video. It is using two hap lites with a trunk from one to the other. The haplite on the right should be similar to your haplite; the haplite on the left is more like your CRS 125 switch.

Configuring VLAN's on MikroTik RouterBoard using the Switch Chip by Maher Haddad.
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 3:01 am

Are you sure the CRS configuration is correct?
Well, I would say yes with the obvious caveat that the darned thing doesn't work, which means it's broken _somewhere_.

Here are the configs of the two devices. I've removed the changes I noted, and watched the video, where I think everything is right on the hAP Lite side.

Same problem. If I set the default vlan id on the hAPLite on the trunk interface to a particular vlan, it works for that vlan only. Setting it to 0 it doesn't work.
# jan/02/1970 21:55:47 by RouterOS 6.49.6
# software id = 2UIZ-IVIF
#
# model = RB941-2nD
/interface bridge
add name=bridgeVLAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 vlan-header=add-if-missing vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN interface=ether1 pvid=2
add bridge=bridgeVLAN interface=ether2 pvid=17
add bridge=bridgeVLAN interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add ports=ether4,ether1,switch1-cpu switch=switch1 vlan-id=2
add ports=ether2,switch1-cpu,ether4 switch=switch1 vlan-id=17
/ip address
add address=192.168.2.3/24 interface=vlanLAN network=192.168.2.0
add address=192.168.17.3/24 interface=vlanGUEST network=192.168.17.0
/system identity
set name=B941-2nD

And the CRS
# jan/02/1970 07:30:56 by RouterOS 6.49.6
# software id = AKR0-XZSF
#
# model = CRS125-24G-1S-2HnD
/interface bridge
add name=bridgeVLAN
/interface wireless
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolLAN ranges=192.168.2.100-192.168.2.199
add name=poolGUEST ranges=192.168.17.100-192.168.17.199
/ip dhcp-server
add address-pool=poolLAN disabled=no interface=vlanLAN name=dhcpLAN
add address-pool=poolGUEST disabled=no interface=vlanGUEST name=dhcpGUEST
/interface bridge port
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether3
add bridge=bridgeVLAN interface=ether4
add bridge=bridgeVLAN interface=ether5
add bridge=bridgeVLAN interface=ether6
add bridge=bridgeVLAN interface=ether7
add bridge=bridgeVLAN interface=ether8
add bridge=bridgeVLAN interface=ether9
add bridge=bridgeVLAN interface=ether10
add bridge=bridgeVLAN interface=ether11
add bridge=bridgeVLAN interface=ether12
add bridge=bridgeVLAN interface=ether13
add bridge=bridgeVLAN interface=ether14
add bridge=bridgeVLAN interface=ether15
add bridge=bridgeVLAN interface=ether16
add bridge=bridgeVLAN interface=ether17
add bridge=bridgeVLAN interface=ether18
add bridge=bridgeVLAN interface=ether20
add bridge=bridgeVLAN interface=ether21
add bridge=bridgeVLAN interface=ether22
add bridge=bridgeVLAN interface=ether24
add bridge=bridgeVLAN interface=sfp1
add bridge=bridgeVLAN interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether23,switch1-cpu vlan-id=2
add tagged-ports=ether23,switch1-cpu vlan-id=17
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=2 ports=\
    ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
add customer-vid=0 new-customer-vid=17 ports=\
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
add customer-vid=0 new-customer-vid=2 ports=\
    ether17,ether18,ether20,ether21,ether22,ether24
/interface ethernet switch vlan
add ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether17,ether\
    18,ether20,ether21,ether22,ether24,switch1-cpu" vlan-id=2
add ports="ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether2\
    4,switch1-cpu" vlan-id=17
/ip address
add address=192.168.2.1/24 interface=vlanLAN network=192.168.2.0
add address=192.168.17.1/24 interface=vlanGUEST network=192.168.17.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1 netmask=24
add address=192.168.17.0/24 dns-server=8.8.8.8 gateway=192.168.17.1 netmask=24
/system identity
set name=RS125-24G-1S-2
With the goal to have a trunk between the two on hAPLite: ether 4 and CRS125 on ether 24 for VLANs 2 and 17, with (for the moment) full connectivity across all the ports and vlans. I'm using ether3 on the hAP to manage it, and ether 19 on the CRS, specifically so I don't cut myself off at the knees with other configuration.
Last edited by amcrs on Thu Apr 28, 2022 3:36 am, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 3:16 am

For your security, remove serial number from export... also from previous posts....
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 3:33 am

ether23 is missing from the definitions under /interface ethernet switch vlan on the CRS
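
The consistency check made by eye in the post above, written out as an added example (not code from the thread or from MikroTik): it parses a CRS export and reports every port that is tagged for a VLAN under egress-vlan-tag but is not a member of that VLAN under switch vlan. The function names are assumptions; the sample is an excerpt of the CRS export posted earlier, wrapped lines included.

```python
import re
import shlex

# Excerpt of the CRS125 export posted earlier in the thread, including the
# wrapped (backslash-continued) ports= lines exactly as RouterOS printed them.
SAMPLE_EXPORT = r'''
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether23,switch1-cpu vlan-id=2
add tagged-ports=ether23,switch1-cpu vlan-id=17
/interface ethernet switch vlan
add ports="ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether17,ether\
    18,ether20,ether21,ether22,ether24,switch1-cpu" vlan-id=2
add ports="ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether2\
    4,switch1-cpu" vlan-id=17
'''

MEMBER_MENU = "/interface ethernet switch vlan"
TAGGED_MENU = "/interface ethernet switch egress-vlan-tag"


def join_continuations(text):
    """Undo export line wrapping: a trailing backslash continues the line, and
    the indentation of the continuation line is not part of the value."""
    return re.sub(r"\\\r?\n[ \t]*", "", text)


def parse_export(text):
    """Return (menu, command, properties) for every command line of an export."""
    entries, menu = [], None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # a menu path applies to the commands that follow it
            continue
        tokens = shlex.split(line)  # honours double-quoted values
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entries.append((menu, tokens[0], props))
    return entries


def ports_by_vlan(entries, menu, prop):
    """Map vlan-id -> set of ports listed in property `prop` of `menu`."""
    table = {}
    for entry_menu, command, props in entries:
        if entry_menu == menu and command == "add" and "vlan-id" in props:
            ports = {p for p in props.get(prop, "").split(",") if p}
            table.setdefault(int(props["vlan-id"]), set()).update(ports)
    return table


def missing_trunk_members(text):
    """List (vlan-id, port) pairs tagged on egress but absent from the VLAN table."""
    entries = parse_export(text)
    members = ports_by_vlan(entries, MEMBER_MENU, "ports")
    tagged = ports_by_vlan(entries, TAGGED_MENU, "tagged-ports")
    return [(vid, port)
            for vid in sorted(tagged)
            for port in sorted(tagged[vid] - members.get(vid, set()))]


if __name__ == "__main__":
    for vid, port in missing_trunk_members(SAMPLE_EXPORT):
        print(f"vlan {vid}: {port} is tagged on egress but is not a VLAN member")
```
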
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 3:34 am

For your security, remove serial number from export... also from previous posts....
I did that on my most previous post, and just did for the earlier one.

While I do appreciate your point, why does my serial make the device less secure?
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 3:38 am

ether23 is missing from the definitions under /interface ethernet switch vlan on the CRS
Good catch, but you caught my typo, not my problem. I updated the above post to correct that my trunk should be on eth24 on the CRS. (Mikrotik has the ports upside down from what I'm used to.)
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 3:47 am

Well, the CRS had ether24 configured for Ingress VLAN translation under Switch > In. Vlan Trans, which as a trunk port it shouldn't have? Removed it. Didn't fix things, but perhaps a step closer.
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 7:49 am

Seeing several threads here about the Atheros 8227 chipset and VLAN issues, I replaced my hAP Lite with a hAP AC (QCA 8337 chip) and effectively dropped the config in place onto the (blank) hAP AC.

I still have that same problem. The only difference is that the hAP AC permits me to set the VLAN to blank for switch > port > ether4 on the hapAC. I'd get an error trying that on the hAP lite.
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 9:42 pm

It's clear to me that tagging is wrong somewhere, because I'm assigning a tag to ether 4 if there isn't one, and that "add if missing" default vlan ID when added works for that vlan.
                      vlan-id=2   vlan-id=17   vlan-id=0
192.168.2.34 (hapAC, eth1, vlan 2)
    192.168.2.1       -           +            -
    192.168.2.3       +           +            +
    192.168.2.34
    192.168.2.100     -           +            -
    192.168.17.1      -           +            -
    192.168.17.3      -           +            -
    192.168.17.35     -           +            -
192.168.17.35 (hAP AC, eth 2, vlan 17)
    192.168.2.1       +           -
    192.168.2.3       -           +
    192.168.2.34      +           -
    192.168.2.100     +           -
    192.168.17.1      +           -
    192.168.17.3      +           +
    192.168.17.35
192.168.2.100 (CRS, eth8, vlan 2)
    192.168.2.1       +           +            +
    192.168.2.3       -           +            -
    192.168.2.34      -           +            -
    192.168.2.100
    192.168.17.1      +           +            +
    192.168.17.3      +           -            -
    192.168.17.35     +           -            -
So traffic exiting out of ether4 isn't tagged?

Yet:
/interface ethernet switch vlan ports=ether4, ether1, switch-cpu switch=switch1 vlan-id=2
/interface ethernet switch vlan ports=ether4, ether2, switch-cpu switch=switch1 vlan-id=17

If I enable vlan-filtering on the hAP AC and CRS
/interface bridge name=bridge1 vlan-filtering=yes
I lose connectivity. Which I think makes sense, because enabling that would be using CPU instead of the switch chip.
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 11:39 pm

With the gigabit Atheros switch chips you should leave vlan-header=leave-as-is as described in the documentation.

Enabling VLAN filtering on the bridge will disable hardware switching, so you will not get wire-speed switching between ports, and requires the bridge port PVID and bridge VLANs to be defined. Do not attempt to mix software VLAN filtering and hardware switch configuration, they interact in undocumented ways.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 11:42 pm

While I do appreciate your point, why does my serial make the device less secure?
If I reveal something, it can be used against users...
But obviously someone can track you with that information...
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 11:53 pm

In the CRS 1xx doc: https://wiki.mikrotik.com/wiki/Manual:C ... s_examples
it says:

Note: When an entry is created under /interface ethernet switch ingress-vlan-translation, then the switch chip will add a VLAN tag on ingress frames on the specified port. To remove the VLAN tag on the same port for egress frames, an /interface ethernet switch egress-vlan-tag entry should be created for the same VLAN ID where only tagged ports are specified. If specific VLAN is forwarded only between access ports, the /interface ethernet switch egress-vlan-tag entry should still be created without any tagged ports. Another option is to create extra entries under /interface ethernet switch egress-vlan-translation menu to set untagged (VLAN0) traffic.

Doesn't the /interface ethernet switch egress-vlan-tag command add a tag? "To remove the VLAN tag on the same port for egress frames, an /interface ethernet switch egress-vlan-tag entry should be created for the same VLAN ID where only tagged ports are specified " Why does the above say it removes tags?
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 11:56 pm

With the gigabit Atheros switch chips you should leave vlan-header=leave-as-is as described in the documentation.

Enabling VLAN filtering on the bridge will disable hardware switching, so you will not get wire-speed switching between ports, and requires the bridge port PVID and bridge VLANs to be defined. Do not attempt to mix software VLAN filtering and hardware switch configuration, they interact in undocumented ways.
Ahh, so I have the trunk set to add if missing (which I thought was the docs).

https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29 shows "add if missing"

Will try "Leave as is"
Last edited by amcrs on Fri Apr 29, 2022 12:01 am, edited 3 times in total.
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Thu Apr 28, 2022 11:57 pm

If I reveal something, it can be used against users...
But obviously someone can track you with that information...
How can someone track me with the serial? Unless it's part of determining the MAC, how is it visible if someone isn't logged in beyond physically on the device?

How does the Mikrotik surface the serial?
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 12:03 am

Use some imagination about where you have already seen RouterBOARD .sn.
If the attacker knows your address, your router and the router configuration and knows some not revealed flaw........

The MAC address is never sensitive data (until the device is stolen...), because if it is that, your enemy is inside your network, not outside...
 
tdw
Forum Guru
Posts: 1845
Joined: Sat May 05, 2018 11:55 am

Re: hapLite VLAN trunk fails with no default vlan defined.  [SOLVED]

Fri Apr 29, 2022 12:06 am

Ahh, so I have the trunk set to add if missing (which I thought was the docs).

https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29 shows "add if missing"
Scroll to the note at the bottom of that section in the Wiki.
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 12:35 am

Scroll to the note at the bottom of that section in the Wiki.
Brilliant, that fixes it for the hAP AC!! Thank you very much for bearing with me.

(Doesn't explain why it wasn't working for the hAP Lite?)

So one minor change for VLAN config that's incredibly system dependent. Ahh, for the days of the same commands working everywhere.

For those who stumble across this, the configs for a CRS 125 and the hAP AC, for 2 VLANs and a trunk between them.

CRS 125
# model = CRS125-24G-1S-2HnD
/interface bridge
add name=bridgeVLAN
/interface wireless
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolLAN ranges=192.168.2.100-192.168.2.199
add name=poolGUEST ranges=192.168.17.100-192.168.17.199
/ip dhcp-server
add address-pool=poolLAN disabled=no interface=vlanLAN name=dhcpLAN
add address-pool=poolGUEST disabled=no interface=vlanGUEST name=dhcpGUEST
/interface bridge port
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether3
add bridge=bridgeVLAN interface=ether4
add bridge=bridgeVLAN interface=ether5
add bridge=bridgeVLAN interface=ether6
add bridge=bridgeVLAN interface=ether7
add bridge=bridgeVLAN interface=ether8
add bridge=bridgeVLAN interface=ether9
add bridge=bridgeVLAN interface=ether10
add bridge=bridgeVLAN interface=ether11
add bridge=bridgeVLAN interface=ether12
add bridge=bridgeVLAN interface=ether13
add bridge=bridgeVLAN interface=ether14
add bridge=bridgeVLAN interface=ether15
add bridge=bridgeVLAN interface=ether16
add bridge=bridgeVLAN interface=ether17
add bridge=bridgeVLAN interface=ether18
add bridge=bridgeVLAN interface=ether20
add bridge=bridgeVLAN interface=ether21
add bridge=bridgeVLAN interface=ether22
add bridge=bridgeVLAN interface=ether24
add bridge=bridgeVLAN interface=sfp1
add bridge=bridgeVLAN interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24,switch1-cpu vlan-id=2
add tagged-ports=ether24,switch1-cpu vlan-id=17
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=2 ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
add customer-vid=0 new-customer-vid=17 ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether24,switch1-cpu vlan-id=2
add ports=ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ether24,switch1-cpu vlan-id=17
/ip address
add address=192.168.2.1/24 interface=vlanLAN network=192.168.2.0
add address=192.168.17.1/24 interface=vlanGUEST network=192.168.17.0
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1 netmask=24
add address=192.168.17.0/24 dns-server=8.8.8.8 gateway=192.168.17.1 netmask=24
/system identity
set name=CRS125-24G-1S-2
And the hAP
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add name=bridgeVLAN
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface vlan
add interface=bridgeVLAN name=vlanGUEST vlan-id=17
add interface=bridgeVLAN name=vlanLAN vlan-id=2
/interface ethernet switch port
set 0 default-vlan-id=2 vlan-header=always-strip vlan-mode=secure
set 1 default-vlan-id=17 vlan-header=always-strip vlan-mode=secure
set 3 vlan-mode=secure
set 5 vlan-mode=secure
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeVLAN interface=ether1
add bridge=bridgeVLAN interface=ether2
add bridge=bridgeVLAN interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add independent-learning=no ports=ether4,ether1,switch1-cpu switch=switch1 \
    vlan-id=2
add independent-learning=no ports=ether2,switch1-cpu,ether4 switch=switch1 \
    vlan-id=17
/ip address
add address=192.168.2.3/24 interface=vlanLAN network=192.168.2.0
add address=192.168.17.3/24 interface=vlanGUEST network=192.168.17.0
/system identity
set name=hapAC
Last edited by amcrs on Fri Apr 29, 2022 12:42 am, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 12:38 am

Delete serial number from export......
This is not a mikrotik / moderator / some other request,
but a personal advice about your security...
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 12:41 am

Use some imagination about where you have already seen RouterBOARD .sn.
If the attacker knows your address, your router and the router configuration and knows some not revealed flaw........

The MAC address is never sensitive data (until the device is stolen...), because if it is that, your enemy is inside your network, not outside...
I'm aware the MAC is visible. My question as to relevance was whether the serial was in part used to determine the MAC addresses. Knowing the serial doesn't tell anything else about me unless they're connected.

While I (sort of) take your point about serial, none of these configs have any public information or connectivity, so I think I'm ok. :-) Having my identity on the forum is a much higher risk.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 12:46 am

The serial number can reveal your IP...

The MAC address has nothing to do with it, and then again, it is not sensitive data...
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 12:48 am

The serial number can reveal your IP...

The MAC address has nothing to do with it, and then again, it is not sensitive data...
Good grief, it would be sensitive if it was tied to the mac. Certainly the serial isn't tied to my IP, and seems unlikely to reveal my IP address. So thanks for your advice, but I'm not going to worry overly much about it.
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 12:52 am

You have used at least once the Cloud MikroTik service on the "hAP ac" and your Public IP address, which you are using now, is written there...
As already written, the serial number goes back to the Public IP address...
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 1:24 am

While I do appreciate your point, why does my serial make the device less secure?
If I reveal something, it can be used against users...
But obviously someone can track you with that information...
I am not disagreeing with what you state, but if it is "sensitive" information, why is it shown in output of /export hide-sensitive ?

And if the serial number is unique (therefore trackable), then why is it ok to show software id = xxxx-xxxx or admin mac-address? As I think these are also unique (although you can override admin mac-address).

Does anyone have a python/perl/awk/script to sanitize exports before posting? Ideally replacing global ip addresses with rfc5737 documentation addresses, and if 3 were insufficient, possibly using the 198.18.0.0/15 "benchmarking test" block from rfc2544, in addition to redacting dyndns, pppoe or vpn identifying info.
Last edited by Buckeye on Fri Apr 29, 2022 2:03 am, edited 1 time in total.
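
One way to build the sanitizer asked for above, as an added example that is not from the thread and not a MikroTik tool: it rewrites global IPv4 addresses /24 by /24 into the RFC 5737 documentation blocks (moving on to 198.18.0.0/15 once those three are used), and redacts the serial-number header line, credential properties and cloud DDNS host names. The class name, the `keep` parameter, the list of redacted property names and the sample export (all values constructed) are assumptions.

```python
import ipaddress
import re

# RFC 5737 documentation /24s are used first; further networks take /24s
# from the RFC 2544 benchmarking block 198.18.0.0/15.
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
OVERFLOW_BLOCK = ipaddress.ip_network("198.18.0.0/15")

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
SERIAL_RE = re.compile(r"^(#\s*serial number\s*=\s*).*$", re.I | re.M)
# Property names assumed to carry credentials or account identifiers.
SECRET_RE = re.compile(
    r'(?<![\w-])(password|secret|user|wpa2?-pre-shared-key|private-key)='
    r'("(?:[^"\\]|\\.)*"|\S+)')
# MikroTik cloud DDNS host names (the label in front is device-specific).
DDNS_RE = re.compile(r"[0-9A-Za-z-]+\.sn\.mynetname\.net", re.I)

# Constructed sample export; every address, name and secret here is made up.
SAMPLE_EXPORT = """\
# jan/02/1970 21:55:47 by RouterOS 6.49.6
# model = RB941-2nD
# serial number = 0123456789AB
/interface pppoe-client
add interface=ether1 name=pppoe-out1 password="hunter 2" user=customer42
/interface l2tp-client
add connect-to=0a1b2c3d4e5f.sn.mynetname.net name=l2tp-out1 user=branch
/ip address
add address=192.168.2.3/24 interface=vlanLAN network=192.168.2.0
add address=5.6.7.9/30 interface=ether1 network=5.6.7.8
/ip route
add distance=1 gateway=5.6.7.10
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8 gateway=192.168.2.1
"""


class Sanitizer:
    def __init__(self, keep=()):
        self.keep = {ipaddress.ip_address(a) for a in keep}  # left untouched
        self.net_map = {}  # real /24 -> replacement /24, stable per run
        self.overflow = OVERFLOW_BLOCK.subnets(new_prefix=24)

    def _map_ip(self, match):
        text = match.group(1)
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            return text  # four dotted numbers that are not a valid address
        if not ip.is_global or ip in self.keep:
            return text  # private, reserved and already-sanitized addresses stay
        real_net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if real_net not in self.net_map:
            used = len(self.net_map)
            self.net_map[real_net] = (DOC_NETS[used] if used < len(DOC_NETS)
                                      else next(self.overflow))
        # Keep the host octet so address/network/gateway still line up.
        return str(self.net_map[real_net].network_address + (int(ip) & 0xFF))

    def sanitize(self, export):
        out = SERIAL_RE.sub(r"\1<redacted>", export)
        out = SECRET_RE.sub(lambda m: f"{m.group(1)}=<redacted>", out)
        out = DDNS_RE.sub("<redacted>.sn.mynetname.net", out)
        return IPV4_RE.sub(self._map_ip, out)


def sanitize_export(text, keep=()):
    return Sanitizer(keep).sanitize(text)


if __name__ == "__main__":
    print(sanitize_export(SAMPLE_EXPORT, keep=("8.8.8.8",)))
```

Addresses that share a /24 in the input share one in the output, so a reader can still see which gateway belongs to which interface.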
 
rextended
Forum Guru
Posts: 12001
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 1:29 am

I am not disagreeing with what you state, but if it is "sensitive" information, why is it shown in output of /export hide-sensitive ?
Because the export is not meant to be put on forums... It is for human-readable backup...

And if the serial number is unique (therefore trackable), then why is it ok to show software id = xxxx-xxxx or admin mac-address?
The MAC address is near useless. You can be reachable over Internet at least only by IP...
About software id is "casual" and do not give you the serial number or mac address...
 
amcrs
Frequent Visitor
Topic Author
Posts: 52
Joined: Fri Apr 23, 2021 6:46 am

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 5:20 am

You have used at least once the Cloud MikroTik service on the "hAP ac" and your Public IP address, which you are using now, is written there...
As already written, the serial number goes back to the Public IP address...
Very useful to know that the serial number from a cloud backup is visible to others. Thanks!
 
Buckeye
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: hapLite VLAN trunk fails with no default vlan defined.

Fri Apr 29, 2022 5:37 am

I am not disagreeing with what you state, but if it is "sensitive" information, why is it shown in output of /export hide-sensitive ?
Because the export is not meant to be put on forums... It is for human-readable backup...
But if I want to use the export for backup, I can /export show-sensitive
I realize you didn't design it, so don't take this as a complaint directed at you. And this isn't a problem unique to MikroTik.
My only point is that since MikroTik went to the bother of making two switches, show-sensitive and hide-sensitive, why doesn't hide-sensitive hide more? But I guess then some users would want it to hide global ip addresses, etc.

For Cisco there are at least two "scripts" to sanitize configs, one in awk (cisco-config-sanitizer), one in python (cisco-config-cleaner). I just wish there was something we could point users to sanitize their export configs without making them useless for troubleshooting.
And if the serial number is unique (therefore trackable), then why is it ok to show software id = xxxx-xxxx or admin mac-address?
The MAC address is near useless. You can be reachable over Internet at least only by IP...
About software id is "casual" and do not give you the serial number or mac address...
I don't understand why the serial number is any more sensitive than the mac address. How would someone reach my hEX given only the serial number? Is there something I am unaware of?
