StarWing01
just joined
Topic Author
Posts: 10
Joined: Tue Jul 02, 2013 9:50 pm

Wan interface forward

Tue Jul 02, 2013 9:56 pm

Hi,

I just received my first 951G-2HnD as a replacement for my old WRT54 router.

So far everything works, but I have a setup question which I cannot solve.

I have a settopbox which requires direct internet access; this device needs to be connected directly to the ISP's cable modem. Thus this device gets a public IP address in a separate IP range from the ISP.
On my old WRT54G with custom ddwrt, I managed to put 1 port in the same VLAN as the WAN port, in this way the settopbox got an IP directly from the ISP.

I want to do the same on my routerboard, but I'm a bit stuck in the many configuration possibilities. Can someone give me a push in the right direction?
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: Wan interface forward

Thu Jul 04, 2013 12:31 am

What sort of subnet did they give you ?

To get a public IP you could create a bridge interface. Add the WAN interface to that, and set up your DHCP client for your internet connection (assuming this is how you need to do it) on the bridge. Then just add the interface your settop box is connected to into that same bridge and it will be a part of the same L2 segment as your WAN.

 
StarWing01
just joined
Topic Author
Posts: 10
Joined: Tue Jul 02, 2013 9:50 pm

Re: Wan interface forward

Thu Jul 04, 2013 8:41 am

Subnet => really don't know. The settopbox just needs an IP provided by the ISP's DHCP server. This IP is in another subnet than the normal IPs.

I've tried to make a new bridge, and putting the eth1 (gateway) and the eth5 in it. This causes the local traffic to stop, but the settopbox does receive its IP.
 
StarWing01
just joined
Topic Author
Posts: 10
Joined: Tue Jul 02, 2013 9:50 pm

Re: Wan interface forward

Thu Jul 04, 2013 9:14 am

... double :/
 
cbrown
Trainer
Posts: 1839
Joined: Thu Oct 14, 2010 8:57 pm

Wan interface forward

Thu Jul 04, 2013 2:27 pm

You will need to make sure your dhcp-client is now running on the bridge and not ether1. If you have a static from your provider make sure it is on the bridge and not ether1. Also check your masquerade rule in /ip firewall nat. Make sure it is using the bridge interface.
 
rjickity
Member Candidate
Posts: 212
Joined: Sat Jul 17, 2010 10:40 am
Location: Perth, Australia

Re: Wan interface forward

Thu Jul 04, 2013 2:30 pm

pop your /export compact in here and we'll take a look
 
StarWing01
just joined
Topic Author
Posts: 10
Joined: Tue Jul 02, 2013 9:50 pm

Re: Wan interface forward

Thu Jul 04, 2013 4:01 pm

Config, where "digibox port" is the port where the settopbox is connected to.
This is the default config without any changes that I tested (which didn't work).
[admin@MikroTik] > /export compact
# jul/03/2013 19:45:55 by RouterOS 5.25
# software id = PRRI-T8EG
#
/interface bridge
add admin-mac=D4:CA:6D:9A:39:F1 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n disabled=no distance=indoors frequency=2422 \
    ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=dd-wrt \
    wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 name="Digibox Port"
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    wpa-pre-shared-key=xxxxxxxxxxxxxxxxxx wpa2-pre-shared-key=xxxxxxxxxxxxxxx
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.100.254/24 comment="default configuration" interface=\
    wlan1
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment=5 dst-address=192.168.100.100 \
    dst-port=5000 in-interface=ether1-gateway packet-mark="" protocol=tcp \
    to-addresses=192.168.100.100 to-ports=xxxxx
/ip neighbor discovery
set ether1-gateway disabled=yes
set wlan1 disabled=yes
/system clock
set time-zone-name=Europe/Brussels
/system clock manual
set time-zone=+02:00
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=78.83.17.35 secondary-ntp=\
    109.74.200.104
/system routerboard settings
set boot-device=try-ethernet-once-then-nand silent-boot=yes
/system scheduler
add interval=20h name=no-ip_ddns_update policy=read,write,test start-date=\
    jul/02/2013 start-time=19:30:08
/system script
SCRIP HERE
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface="Digibox Port"
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface="Digibox Port"
add interface=wlan1
add interface=bridge-local
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: Wan interface forward

Thu Jul 04, 2013 4:55 pm

Piece of cake, the simplest configuration would be this one.


1. Create a VLAN interface and assign it to your WAN port.
2. Separate the ethernet port you intend to connect your settopbox from the master switch port.
3. Create a bridge and assign both VLAN interface and the ethernet port to it.

In case you don't need VLAN, just bridge WAN port and the other ethernet port after you separated it from the master switch port.
 
StarWing01
just joined
Topic Author
Posts: 10
Joined: Tue Jul 02, 2013 9:50 pm

Re: Wan interface forward

Thu Jul 04, 2013 7:50 pm

Got it working:

make a new bridge, put both the wan and the required interface in it
adjust the NAT so that the Natting is done on the new bridge instead of the wan interface.

Thanks for the support !
 
StarWing01
just joined
Topic Author
Posts: 10
Joined: Tue Jul 02, 2013 9:50 pm

Re: Wan interface forward

Fri Oct 04, 2013 7:15 pm

Strange things.
Today, I did an update to the latest version, but this broke my setup in a very strange way.

When I connect an enabled device to eth5 (db port)
I cannot reach the external network anymore.
If I disable the eth5 or disconnect the network cable, normal traffic resumes.

It seems that the update that I did earlier today, broke some things but I am unable to solve this.

I've tried to reset & restore the config, but that didn't help.

This is my current config.

Any suggestions ?
[admin@MikroTik] > export compact
# oct/04/2013 18:11:03 by RouterOS 5.26
# software id = PRRI-T8EG
#
/interface bridge
add admin-mac=D4:CA:6D:9A:39:F1 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
add l2mtu=1598 name="DB Bridge"
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=\
    indoors ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=\
    dd-wrt wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 name="DB Port"
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys wpa-pre-shared-key=xxxxxxxxxxxxxxxxxxxxx wpa2-pre-shared-key=\
    xxxxxxxxxxxxxxxxxxxx
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge="DB Bridge" interface=ether1-gateway
add bridge="DB Bridge" interface="DB Port"
/ip address
add address=192.168.100.254/24 comment="default configuration" interface=\
    wlan1
/ip dhcp-client
add comment="default configuration" disabled=no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.100.0/24 comment="default configuration" dns-server=\
    192.168.100.254 gateway=192.168.100.254 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface="DB Bridge"
add action=dst-nat chain=dstnat dst-port=5000 protocol=tcp to-addresses=\
    192.168.100.100 to-ports=5000
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface="DB Bridge"
add action=dst-nat chain=dstnat dst-port=5000 protocol=tcp to-addresses=\
    192.168.100.100 to-ports=5000
/ip neighbor discovery
set ether1-gateway disabled=yes
set wlan1 disabled=yes
/system clock
set time-zone-name=Europe/Brussels
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=195.130.132.18 secondary-ntp=\
    64.99.80.30
/system routerboard settings
set silent-boot=yes
/tool mac-server
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface="DB Port"
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface="DB Port"
add interface=wlan1
add interface=bridge-local
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Wan interface forward

Fri Oct 04, 2013 7:34 pm

Your IP address is on your wlan interface. Move it to your local bridge.
Also your firewall filter and firewall NAT rules are duplicated. Remove them.
 
StarWing01
just joined
Topic Author
Posts: 10
Joined: Tue Jul 02, 2013 9:50 pm

Re: Wan interface forward

Fri Oct 04, 2013 8:39 pm

In the meantime, I've also upgraded the OS to the latest version, but no solution yet.

I have rebuilt the config instead of restoring one, but the config that has worked in the past does not work anymore.

[admin@MikroTik] > export compact
# oct/04/2013 19:24:04 by RouterOS 6.4
# software id = PRRI-T8EG
#
/interface bridge
add l2mtu=1598 name=bridge-dbox
add admin-mac=D4:CA:6D:9A:39:F1 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=\
    indoors frequency=2452 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=\
    ap-bridge ssid=dd-wrt wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 name=ether5-slave-dbox
/ip neighbor discovery
set wlan1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys wpa-pre-shared-key=xxxxxxxxxxxxxxxxxxxx wpa2-pre-shared-key=\
    xxxxxxxxxxxxxxxxxxxx
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-dbox interface=ether5-slave-dbox
add bridge=bridge-dbox interface=ether1-gateway
/ip address
add address=192.168.100.254/24 comment="default configuration" interface=\
    wlan1 network=192.168.100.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.100.0/24 comment="default configuration" dns-server=\
    192.168.100.254 gateway=192.168.100.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=bridge-dbox to-addresses=0.0.0.0
/ip service
set api disabled=yes
/system clock
set time-zone-name=Europe/Brussels
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=85.10.246.226 secondary-ntp=\
    193.225.118.163
/system routerboard settings
set silent-boot=yes
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-dbox
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-dbox
add interface=wlan1
add interface=bridge-local
The intention is to get eth5 as a separate interface, which receives a WAN IP.
Using the cfg from above, the dhcp server does not receive an IP address. I can change a few things, but the problem is that I don't really know what I'm doing :) ...
If there should be other, simpler ways to achieve this, I would be glad to hear them.
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Wan interface forward

Fri Oct 04, 2013 11:04 pm

Like I said before, your internal IP is on the wrong interface.
It should be on the bridge!
 
StarWing01
just joined
Topic Author
Posts: 10
Joined: Tue Jul 02, 2013 9:50 pm

Re: Wan interface forward

Sat Oct 05, 2013 9:59 am

I think I changed the internal IP, but still the same issue: from the moment there is an active interface on eth5, the traffic stops (but it's working as expected on eth5).
[admin@MikroTik] > export compact
# oct/05/2013 08:56:38 by RouterOS 6.4
# software id = PRRI-T8EG
#
/interface bridge
add l2mtu=1598 name="bridge dbox"
add admin-mac=D4:CA:6D:9A:39:F1 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=\
    indoors frequency=2452 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=\
    ap-bridge ssid=dd-wrt wireless-protocol=802.11
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 name=ether5-slave-dbox
/ip neighbor discovery
set wlan1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys wpa-pre-shared-key=xxxxxxxxxxxxxxx wpa2-pre-shared-key=\
    xxxxxxxxxxxxxxxxxx
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=dhcp ranges=192.168.100.10-192.168.100.20
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge="bridge dbox" interface=ether5-slave-dbox
add bridge="bridge dbox" interface=ether1-gateway
/ip address
add address=192.168.100.254/24 comment="default configuration" interface=\
    bridge-local network=192.168.100.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server config
set store-leases-disk=35m
/ip dhcp-server network
add address=192.168.100.0/24 comment="default configuration" dns-server=\
    192.168.100.254 gateway=192.168.100.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.222.220
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface="bridge dbox" to-addresses=0.0.0.0
/ip service
set api disabled=yes
/system clock
set time-zone-name=Europe/Brussels
/system leds
set 0 interface=wlan1
/system ntp client
set enabled=yes mode=unicast primary-ntp=85.10.246.226 secondary-ntp=\
    193.225.118.163
/system routerboard settings
set silent-boot=yes
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-dbox
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-dbox
add interface=wlan1
add interface=bridge-local
 
Rudios
Forum Veteran
Posts: 973
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Wan interface forward

Sat Oct 05, 2013 1:43 pm

Your DHCP-client should be on your "bridge dbox" and not on your ether1 interface.
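
The advice given across this thread (once a port is added to a bridge, the IP address, DHCP client and NAT rule must reference the bridge, not the port), turned into a check over an /export compact dump. This is an added example, not code from any poster or from MikroTik; parse_export, lint, L3_SECTIONS and the sample export are constructed for illustration, and the firewall filter check goes beyond what the thread discusses.

```python
import shlex

# Sections whose interface settings must name the bridge, not a bridged port.
# address/dhcp-client/nat come from the thread; the filter check is an added
# extension: RouterOS matches in-interface against the bridge for bridged ports.
L3_SECTIONS = {
    "/ip address": ("interface",),
    "/ip dhcp-client": ("interface",),
    "/ip firewall nat": ("in-interface", "out-interface"),
    "/ip firewall filter": ("in-interface", "out-interface"),
}

# Constructed sample, reduced from the shape of the exports in the thread.
SAMPLE = r"""
/interface bridge
add name="bridge dbox"
add name=bridge-local
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge="bridge dbox" interface=ether5-slave-dbox
add bridge="bridge dbox" interface=ether1-gateway
/ip address
add address=192.168.100.254/24 interface=\
    bridge-local
/ip dhcp-client
add disabled=no interface=ether1-gateway
/ip firewall filter
add action=drop chain=input in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat \
    out-interface="bridge dbox"
"""

def parse_export(text):
    """Yield (section, {key: value}) for each add/set line of an export."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line and line[0] not in "#[":   # skip comments and the prompt
            toks = shlex.split(line)
            yield section, dict(t.split("=", 1) for t in toks if "=" in t)

def lint(text):
    """Return (section, key, port, bridge) for settings left on a bridged port."""
    rules = list(parse_export(text))
    port_of = {r["interface"]: r["bridge"] for s, r in rules
               if s == "/interface bridge port" and {"interface", "bridge"} <= r.keys()}
    return [(s, k, r[k], port_of[r[k]])
            for s, r in rules
            for k in L3_SECTIONS.get(s, ())
            if r.get(k) in port_of]

if __name__ == "__main__":
    for section, key, port, bridge in lint(SAMPLE):
        print(f'{section}: {key}={port} is a port of "{bridge}"; use the bridge')
```

On the sample it reports the DHCP client and the input drop rule, both still bound to ether1-gateway after that port was placed in "bridge dbox"; the drop rule matters because it is the only thing keeping WAN traffic off the router's own services.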
