Hello everyone,


This is my current setup. I recently installed RB450 at Tower 2 and its running in bridge mode.

How do I setup OSPF in my case?

Thanks

Sent from my SAMSUNG-SM-G935A using Tapatalk

You need to supply more information, like IP assignments etc.

Case studies here should give you a starting point.

https://wiki.mikrotik.com/wiki/Manual:OSPF_Case_Studies

@Rudios I have not setup any IP's or areas.
Ether 2: x.x.x.218 (WAN IP)
Ether 3: x.x.x.10 (PPOE server)
Ether 4: connected to switch (users connected to switch)

How do I start?



Sent from my SAMSUNG-SM-G935A using Tapatalk

Case studies here should give you a starting point.

https://wiki.mikrotik.com/wiki/Manual:OSPF_Case_Studies

I have tried using these
http://wiki.mikrotik.com/wiki/Manual:OSPF-examples

But on my tower 2 router I see a neighbor but won't see neighbor on my core router.

Sent from my SAMSUNG-SM-G935A using Tapatalk

Case studies here should give you a starting point.

https://wiki.mikrotik.com/wiki/Manual:OSPF_Case_Studies

I have tried using these
http://wiki.mikrotik.com/wiki/Manual:OSPF-examples

But on my tower 2 router I see a neighbor but won't see neighbor on my core router.

Sent from my SAMSUNG-SM-G935A using Tapatalk

Can you ping the CCR LAN facing interface from your Tower2 RTR?
Is that network part or your OSPF config on both routers?


https://wiki.mikrotik.com/wiki/Manual:OSPF-examples

Go back through the example for Simple OSPF Configuration and replicate it using R1 and R2.
After doing that make sure you go through the log on both routers.

Yes I can ping the CCR LAN facing interface from Tower2 RTR.

Help me understand with the above example.
R1 - ether 2 where is this connected to?
R1 - ether 3 where is this connected to?

R2 - ether 1 where is this connected to?
R2 - ether 3 where is this connected to?

Sent from my SAMSUNG-SM-G935A using Tapatalk

are the lan ports connected to the switch and ptp links in the same lan as the lan ports of the AP's. can you share a bit more information about you setup. We understand your router lan connects to the switch but need to know further information so we can give you an example.

are the lan ports connected to the switch and ptp links in the same lan as the lan ports of the AP's. can you share a bit more information about you setup. We understand your router lan connects to the switch but need to know further information so we can give you an example.

Here is my setup:

Office
Router A:
Ether 1 - wan
Ether 3 - IMS(radius/billing etc)
Ether 4 - Switch X
Router A is my PPoE server

Customers connected to Switch X

Now to connect to my second tower I have already established a link from office to Tower 2. Everything is fine with the link and I have installed a RB450 here.

Now the PTP in the office is connected to the Switch X

Tower 2:
Router B
Ether 1 - PTP

Ether 2, 3,4 are currently bridged where the AP's are connected

Hope this helps.


Sent from my SAMSUNG-SM-G935A using Tapatalk

Case studies here should give you a starting point.

https://wiki.mikrotik.com/wiki/Manual:OSPF_Case_Studies

I have tried using these
http://wiki.mikrotik.com/wiki/Manual:OSPF-examples

But on my tower 2 router I see a neighbor but won't see neighbor on my core router.

Sent from my SAMSUNG-SM-G935A using Tapatalk

Can you ping the CCR LAN facing interface from your Tower2 RTR?
Is that network part or your OSPF config on both routers?


https://wiki.mikrotik.com/wiki/Manual:OSPF-examples

Go back through the example for Simple OSPF Configuration and replicate it using R1 and R2.
After doing that make sure you go through the log on both routers.

Can I run OSPF on the same PPoE router?

Sent from my SAMSUNG-SM-G935A using Tapatalk

Can I run OSPF on the same PPoE router?

Sent from my SAMSUNG-SM-G935A using Tapatalk

Can you post export for both routers?

Can I run OSPF on the same PPoE router?

Sent from my SAMSUNG-SM-G935A using Tapatalk

Can you post export for both routers?

As in?

Sent from my SAMSUNG-SM-G935A using Tapatalk

As in?

Sent from my SAMSUNG-SM-G935A using Tapatalk

Simply type export in a terminal window.

https://wiki.mikrotik.com/wiki/Manual:C ... figuration

As in?

Sent from my SAMSUNG-SM-G935A using Tapatalk

Simply type export in a terminal window.

https://wiki.mikrotik.com/wiki/Manual:C ... figuration

Code: Select all

/export

Ok will.

Can you tell me if I can run OSPF on the same router as the PPoE server?

That is what I am trying to do.
R1 - PPoE server
R2 - TOWER 2

Yes you can run pay on same router.

Router 2:
/interface bridge
add name=bridge1
add name=loopback
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/ip neighbor discovery
set ether1 discover=no
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1 \
redistribute-other-ospf=as-type-1 redistribute-static=as-type-1 router-id=\
2.2.2.2
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2-master
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
192.168.88.0
add address=2.2.2.2 interface=loopback network=2.2.2.2
add address=10.10.10.2/30 interface=ether1 network=10.10.10.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall address-list
add address=10.10.1.4/30 list=ALLOW
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
# in/out-interface matcher not possible when interface (ether1) is slave - use mas
er instead (bridge1)
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
# in/out-interface matcher not possible when interface (ether1) is slave - use mas
er instead (bridge1)
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
# in/out-interface matcher not possible when interface (ether1) is slave - use mas
er instead (bridge1)
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
ether1
/ip traffic-flow
set cache-entries=128k enabled=yes
/routing ospf interface
add interface=ether1 network-type=point-to-point
/routing ospf network
add area=backbone network=10.10.10.0/30
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master

Main router 1:
/interface bridge
add name=loopback
/interface ethernet
set [ find default-name=ether2 ] name=ether2
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether1 ] comment=wan name=WAN-ether1
set [ find default-name=ether5 ] name=ether5
set [ find default-name=ether6 ] name=ether6
set [ find default-name=ether7 ] disabled=yes
/ip neighbor discovery
set WAN-ether1 comment=wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dynamic ranges=172.20.1.1-172.20.1.254
/ppp profile
set *0 change-tcp-mss=no dns-server=8.8.8.8,4.2.2.2 local-address=103.231.218.218 only-one=no remote-address=dynamic
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1 redistribute-other-ospf=as-type-1 redistribute-static=as-type-1 router-id=1.1.1.1
/snmp community
add addresses=0.0.0.0/0 name=Margao
/interface bridge settings
set use-ip-firewall=yes
/interface pppoe-server server
add authentication=pap disabled=no interface=UBNT-ether4 keepalive-timeout=300 max-mru=1492 max-mtu=1492 one-session-per-host=yes service-name=alegra
add authentication=pap disabled=no interface=UBNT-ether4 keepalive-timeout=30 max-mru=1492 max-mtu=1492 one-session-per-host=yes
/ip address
add address=103.231.218.218/30 interface=WAN-ether1 network=103.231.218.216
add address=10.1.0.1/24 disabled=yes interface=ether5-vcb network=10.1.0.0
add address=103.237.56.9/30 interface=SYNEFO-ether3 network=103.237.56.8
add address=103.237.56.13/30 disabled=yes interface=MSG-ether2 network=103.237.56.12
add address=172.30.21.1/30 interface=ether5-vcb network=172.30.21.0
add address=45.123.1.41/29 disabled=yes interface=UBNT-ether4 network=45.123.1.40
add address=192.168.10.5/24 interface=ether6-tata network=192.168.10.0
add address=1.1.1.1 interface=loopback network=1.1.1.1
add address=10.10.10.1/30 interface=UBNT-ether4 network=10.10.10.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.0.0.0/16 list=ALLOW
add address=103.237.56.8/29 list=ALLOW
add address=172.17.1.0/24 list=ALLOW
add address=45.123.1.40/29 list=ALLOW
add address=172.17.1.0/24 list=NAT
add address=10.0.0.0/16 list=DeactiveUser
add address=172.20.1.0/24 list=NAT
add address=172.20.1.0/24 list=ALLOW
add address=172.16.1.0/24 list=ALLOW
add address=172.16.1.0/24 list=NAT
add address=172.30.21.0/30 list=ALLOW
add address=172.30.21.0/30 list=NAT
add address=192.168.2.0/24 list=NAT
add address=192.168.2.0/24 list=ALLOW
/ip firewall filter
add action=accept chain=input comment="Allow Established connections" connection-state=established
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=drop chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=yes
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input in-interface=!WAN-ether1 src-address=172.30.21.0/30
add action=accept chain=input comment="WinBox IP address Login" disabled=yes dst-port=8291 protocol=tcp
add action=accept chain=input comment="Synnefo API Port" dst-port=8728 protocol=tcp
add action=accept chain=input comment="Synnefo Authentication & Auditing Port - 2" dst-port=1813 protocol=udp
add action=accept chain=input comment="Synnefo Authentication & Auditing Port - 1" dst-port=1812 protocol=tcp
add action=accept chain=input comment="Synnefo Authentication & Auditing Port - 1" dst-port=1812 protocol=udp
add action=accept chain=input comment="Synnefo Authentication & Auditing Port - 2" dst-port=1813 protocol=tcp
add action=accept chain=input comment="Synnefo Authentication & Auditing Port - 3" dst-port=3799 protocol=tcp
add action=accept chain=input comment="Synnefo Authentication & Auditing Port - 3" dst-port=3799 protocol=udp
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop everything else"
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp \
src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp \
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=drop chain=forward comment=1434 dst-port=1434 protocol=udp
add action=drop chain=forward comment=1434 dst-port=1434 protocol=tcp
add action=drop chain=forward comment=135 dst-port=135 protocol=udp
add action=drop chain=forward comment=135 dst-port=135 protocol=tcp
add action=drop chain=forward comment=136 dst-port=136 protocol=udp
add action=drop chain=forward comment=136 dst-port=136 protocol=tcp
add action=drop chain=forward comment=137 dst-port=137 protocol=udp
add action=drop chain=forward comment=137 dst-port=137 protocol=tcp
add action=drop chain=forward comment=138 dst-port=138 protocol=udp
add action=drop chain=forward comment=138 dst-port=138 protocol=tcp
add action=drop chain=forward comment=139 dst-port=139 protocol=udp
add action=drop chain=forward comment=139 dst-port=139 protocol=tcp
add action=drop chain=forward comment=444 dst-port=444 protocol=udp
add action=drop chain=forward comment=444 dst-port=444 protocol=tcp
add action=drop chain=forward comment=445 dst-port=445 protocol=udp
add action=drop chain=forward comment=445 dst-port=445 protocol=tcp
add action=drop chain=forward comment=DROP dst-address-list=DROP
add action=drop chain=forward comment=DROP src-address-list=DROP
add action=accept chain=forward comment=ALLOW dst-address-list=ALLOW
add action=accept chain=forward comment=ALLOW src-address-list=ALLOW
add action=drop chain=forward comment="DEFAULT POLICY"
/ip route
add check-gateway=ping distance=1 gateway=172.30.21.2 routing-mark=vcbox
add distance=3 gateway=192.168.10.1 routing-mark=LAN1ToWAN2
add distance=1 gateway=103.231.218.217
add distance=1 gateway=103.231.218.217
add distance=1 dst-address=103.237.56.8/29 gateway=loopback pref-src=103.237.56.9
/ip service
set www disabled=yes
/ip traffic-flow
set cache-entries=4M enabled=yes interfaces=WAN-ether1,UBNT-ether4
/ppp aaa
set interim-update=3m use-radius=yes
/radius
add address=103.237.56.10 comment="added by synnefo on 2017-01-24 03:25:29" secret=****** service=ppp,login,hotspot
/radius incoming
set accept=yes
/routing ospf interface
add interface=UBNT-ether4 network-type=point-to-point
/routing ospf network
add area=backbone network=10.10.10.0/30

But on my tower 2 router I see a neighbor but won't see neighbor on my core router.

My perfect working OSPF setup stoped working after upgrade to 6.38.3.

I dont see your network under you need to add the networks to the area in order for ospf to work.

He has network just for link. Look at the last line.

He has network just for link. Look at the last line.

So what am I doing wrong?

Sent from my SAMSUNG-SM-G935A using Tapatalk

In my experience you need to have a network under ospf network that covers the inter connectivity between routers. then on each of the routers you should put the network that is behind that router that you would like to share. from what I can see you have missing networks on the routers. https://wiki.mikrotik.com/wiki/Manual:OSPF-examples The only network you have added is your loopback network.

In my experience you need to have a network under ospf network that covers the inter connectivity between routers. then on each of the routers you should put the network that is behind that router that you would like to share. from what I can see you have missing networks on the routers. https://wiki.mikrotik.com/wiki/Manual:OSPF-examples The only network you have added is your loopback network.

How many more networks... I already have a network for the 2 routers...

Please can you from each router and then tell us what the ip address of each router is on the side that is connected to the switch and main router.

Guys.. it was my rule that was not allowing OSPF. I diasbaled all my filter rules and it OSPF is running.

Can you help me identify which rule it may be ?

Thanks

Sent from my SAMSUNG-SM-G935A using Tapatalk

I dont see your network under

Code: Select all

/routing ospf network

you need to add the networks to the area in order for ospf to work.

Guys.. it was my rule that was not allowing OSPF. I diasbaled all my filter rules and it OSPF is running.

Can you help me identify which rule it may be ?

Thanks

Sent from my SAMSUNG-SM-G935A using Tapatalk

He has network just for link. Look at the last line.

Guys.. it was my rule that was not allowing OSPF. I diasbaled all my filter rules and it OSPF is running.

Can you help me identify which rule it may be ?

Thanks

Sent from my SAMSUNG-SM-G935A using Tapatalk

I added this rule to my firewall to allow ospf

you must have some rules to allow ospf in firewall like

$IPTABLES -A INPUT -i eth1 -p 2 -j ACCEPT # IGMP
$IPTABLES -A INPUT -i eth1 -p 89 -j ACCEPT # OSPF

(its protocol 2-egp and 89-ospf, NOT tcp ports)

I added this rule to my firewall to allow ospf

Code: Select all

add action=accept chain=input comment=OSPF dst-address=224.0.0.5

Let me try this.. thanks

Sent from my SAMSUNG-SM-G935A using Tapatalk

you must have some rules to allow ospf in firewall like

$IPTABLES -A INPUT -i eth1 -p 2 -j ACCEPT # IGMP
$IPTABLES -A INPUT -i eth1 -p 89 -j ACCEPT # OSPF

(its protocol 2-egp and 89-ospf, NOT tcp ports)

Here eth1 is the outgoing port of OSPF correct?

Sent from my SAMSUNG-SM-G935A using Tapatalk

yes, this was example from iptables, but rule is for incoming

Guys.. it was my rule that was not allowing OSPF. I diasbaled all my filter rules and it OSPF is running.

Can you help me identify which rule it may be ?

Thanks

Sent from my SAMSUNG-SM-G935A using Tapatalk

The rule that was causing your headaches is:
If you want to drop everything in the input chain the you must allow OSPF communication. To get a better idea of how this works you could use Wireshark in a lab environment or download a cap from their Sample Captures Library.

Simple OSPF initialization
https://wiki.wireshark.org/SampleCaptur ... t=ospf.cap

In the capture you will notice four important addresses:

• Router A
  Router B
  224.0.0.5
  224.0.0.6

Since you are only dropping traffic on the Input chain then that is were you should create a new set of rules; above the drop all rule. If you were to do the same on the output chain the a separate set of filter rules must be applied to that chain as well for OSPF to communicate properly.

Hope this helps!

Guys.. it was my rule that was not allowing OSPF. I diasbaled all my filter rules and it OSPF is running.

Can you help me identify which rule it may be ?

Thanks

Sent from my SAMSUNG-SM-G935A using Tapatalk

The rule that was causing your headaches is:

Code: Select all

add action=drop chain=input comment="Drop everything else"

If you want to drop everything in the input chain the you must allow OSPF communication. To get a better idea of how this works you could use Wireshark in a lab environment or download a cap from their Sample Captures Library.

Simple OSPF initialization
https://wiki.wireshark.org/SampleCaptur ... t=ospf.cap

In the capture you will notice four important addresses:

• Router A
  Router B
  224.0.0.5
  224.0.0.6

Since you are only dropping traffic on the Input chain then that is were you should create a new set of rules; above the drop all rule. If you were to do the same on the output chain the a separate set of filter rules must be applied to that chain as well for OSPF to communicate properly.

Hope this helps!

Thanks.. let me look into this...

Sent from my SAMSUNG-SM-G935A using Tapatalk

Guys.. it was my rule that was not allowing OSPF. I diasbaled all my filter rules and it OSPF is running.

Can you help me identify which rule it may be ?

Thanks

Sent from my SAMSUNG-SM-G935A using Tapatalk

The rule that was causing your headaches is:

Code: Select all

add action=drop chain=input comment="Drop everything else"

If you want to drop everything in the input chain the you must allow OSPF communication. To get a better idea of how this works you could use Wireshark in a lab environment or download a cap from their Sample Captures Library.

Simple OSPF initialization
https://wiki.wireshark.org/SampleCaptur ... t=ospf.cap

In the capture you will notice four important addresses:

• Router A
  Router B
  224.0.0.5
  224.0.0.6

Since you are only dropping traffic on the Input chain then that is were you should create a new set of rules; above the drop all rule. If you were to do the same on the output chain the a separate set of filter rules must be applied to that chain as well for OSPF to communicate properly.

Hope this helps!

So what does the firewall rule need to look like to allow the OSPF communication? I am also have a problem as I have a drop all rule in place