macandcheese
just joined
Topic Author
Posts: 2
Joined: Fri Mar 03, 2017 5:39 am

First post ever! Help me migrate to RouterOS from EdgeOS

Fri Mar 03, 2017 5:46 am

Hi all!

I'm trying to gauge the viability of migrating from Ubiquiti EdgeOS to Mikrotik RouterOS. I have gigabit internet at home from AT&T that uses dot1x authentication with a certificate on the router they provided. With Ubiquiti I'm able to duplicate all traffic from the ISP, send the dot1x traffic to the AT&T router, while all the other traffic goes to my router. Can I do the same with Mikrotik? Below are the steps for EdgeOS... please advise if I can accomplish the same in RouterOS.

Taken from: http://bzsparks.com/2016/10/05/using-an ... wer-fiber/


Create the bridge interface:

    set interfaces bridge br0

Add eth1 and eth2 to br0:

    set interfaces ethernet eth1 bridge-group bridge br0
    set interfaces ethernet eth2 bridge-group bridge br0

Create a sub-interface on br0 with your static IP:

    set interfaces bridge br0 vif 0 address X.X.X.X/X

Set your routing:

    set protocols static route 0.0.0.0/0 next-hop X.X.X.X

Define a source NAT masquerade rule for the br0.0 interface:

    set service nat rule 5000 outbound-interface br0.0
    set service nat rule 5000 type masquerade

Next we need to allow the gateway to pass auth traffic through the bridge:

    echo 8 > /sys/class/net/br0/bridge/group_fwd_mask

Because of the nature of an interface bridge, all traffic is copied to both interfaces. Running a tcpdump on the Arris interface shows all ingress and egress traffic. To only allow 802.1X/EAP traffic to the gateway we need to use ebtables:

    ebtables -t filter -A FORWARD -i eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
    ebtables -t filter -A FORWARD -i eth2 -p 802_1Q -j DROP
    ebtables -t filter -A FORWARD -o eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
    ebtables -t filter -A FORWARD -o eth2 -p 802_1Q -j DROP

Finally, we need to spoof our br0.0 MAC address so that it presents itself as the AT&T gateway. Run these commands as root:

    ip link set br0.0 down
    ip link set br0.0 address XX:XX:XX:XX:XX:XX
    ip link set br0.0 up

Remember that every time br0.0 is created it needs to have its MAC spoofed; this means on every reboot. To accomplish this we will create a simple script in /config/scripts/post-config.d/:

    #!/bin/bash
    # Allow the bridge to forward frames sent to 01:80:C2:00:00:03 (802.1X PAE group address)
    echo 8 > /sys/class/net/br0/bridge/group_fwd_mask
    # Re-apply the gateway's MAC to br0.0 (the sub-interface is recreated on every boot)
    ip link set br0.0 down
    ip link set br0.0 address XX:XX:XX:XX:XX:XX
    ip link set br0.0 up
    # Only let 802.1Q-tagged EAPOL (0x888e) frames in or out of the gateway port; drop other tagged traffic
    ebtables -t filter -A FORWARD -i eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
    ebtables -t filter -A FORWARD -i eth2 -p 802_1Q -j DROP
    ebtables -t filter -A FORWARD -o eth2 -p 802_1Q --vlan-encap 0x888e -j ACCEPT
    ebtables -t filter -A FORWARD -o eth2 -p 802_1Q -j DROP
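The recipe above works because of two Linux bridge behaviours: group_fwd_mask decides whether frames sent to the 01:80:C2:00:00:0N link-local group addresses (bit 3, i.e. the "8", is 01:80:C2:00:00:03, the 802.1X PAE address) are forwarded at all, and the four ebtables rules decide which 802.1Q frames may cross to or from the gateway port. The following is an added example, not code from the post, the bzsparks write-up, EdgeOS or RouterOS: a small Python model of those two decisions, run over constructed frames, so you can check which traffic would reach the AT&T gateway. The MAC addresses, the port names eth1/eth2 and the assumption that the ISP side is priority-tagged (VID 0, which the recipe's "br0 vif 0" suggests) are all assumptions of the example.

```python
"""Model of the frame filtering the EdgeOS bridge recipe relies on.

Added example, constructed for this thread; not the post's own code and not
EdgeOS/RouterOS code. It emulates:
  * group_fwd_mask: a Linux bridge does not normally forward frames addressed
    to 01:80:C2:00:00:0N; setting bit N of the mask lets them through.
    'echo 8' sets bit 3, i.e. 01:80:C2:00:00:03, the 802.1X PAE group address
    that EAPOL-Start/Logoff frames from the gateway are sent to.
  * the recipe's ebtables FORWARD rules: an 802.1Q frame entering or leaving
    eth2 is accepted only if the encapsulated EtherType is 0x888E (EAPOL);
    any other 802.1Q frame is dropped. Untagged frames match no rule and fall
    through to the chain's default policy, which is ACCEPT.
"""
import struct
from typing import Optional

ETH_P_8021Q = 0x8100   # 802.1Q tag
ETH_P_PAE = 0x888E     # EAPOL / 802.1X
ETH_P_IP = 0x0800      # IPv4
GATEWAY_PORT = "eth2"  # bridge port the AT&T gateway hangs off, as in the recipe
LINK_LOCAL_OUI = bytes.fromhex("0180c20000")  # 01:80:C2:00:00:xx
PAE_GROUP = bytes.fromhex("0180c2000003")     # 802.1X PAE group address


def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into dst, src, optional VLAN ID and payload EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF            # low 12 bits of the TCI: VID (0 = priority-tagged)
    return {"dst": dst, "src": src, "vlan": vlan, "etype": etype}


def group_fwd_allows(dst: bytes, group_fwd_mask: int) -> bool:
    """Would the bridge forward a frame to this destination at all?"""
    if dst[:5] != LINK_LOCAL_OUI or dst[5] & 0xF0:
        return True                    # not 01:80:C2:00:00:0N: ordinary forwarding
    return bool(group_fwd_mask & (1 << (dst[5] & 0x0F)))


def ebtables_verdict(info: dict, in_port: str, out_port: str) -> str:
    """Verdict of the recipe's FORWARD chain for a frame crossing the bridge."""
    if GATEWAY_PORT not in (in_port, out_port):
        return "ACCEPT"                # the rules only match -i eth2 / -o eth2
    if info["vlan"] is None:
        return "ACCEPT"                # untagged: no rule matches, default policy
    return "ACCEPT" if info["etype"] == ETH_P_PAE else "DROP"


def forwarded(frame: bytes, in_port: str, out_port: str, group_fwd_mask: int = 8) -> bool:
    """True if the frame would cross from in_port to out_port under the recipe."""
    info = parse_frame(frame)
    return (group_fwd_allows(info["dst"], group_fwd_mask)
            and ebtables_verdict(info, in_port, out_port) == "ACCEPT")


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble a frame, optionally with one 802.1Q tag (priority 0, given VID)."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + payload


# Constructed sample frames (made-up MACs). VID 0 is assumed for the ISP side.
GATEWAY_MAC = bytes.fromhex("001122334455")   # the AT&T gateway, on eth2
ONT_MAC = bytes.fromhex("66778899aabb")       # the ISP-side authenticator, on eth1
# EAPOL-Start from the gateway: EAPOL v1, type 1 (Start), length 0
EAPOL_START = build_frame(PAE_GROUP, GATEWAY_MAC, ETH_P_PAE, bytes.fromhex("01010000"), vlan=0)
# EAP-Request/Identity back to the gateway: EAPOL v1, type 0 (EAP), len 5; EAP code 1, id 1, len 5, type 1
EAPOL_REPLY = build_frame(GATEWAY_MAC, ONT_MAC, ETH_P_PAE,
                          bytes.fromhex("01000005") + bytes.fromhex("0101000501"), vlan=0)
# IPv4 traffic (minimal 20-byte header stub) towards the gateway, tagged and untagged
IPV4_TAGGED = build_frame(GATEWAY_MAC, ONT_MAC, ETH_P_IP, b"\x45" + b"\x00" * 19, vlan=0)
IPV4_UNTAGGED = build_frame(GATEWAY_MAC, ONT_MAC, ETH_P_IP, b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    cases = [("EAPOL-Start", EAPOL_START, "eth2", "eth1"),
             ("EAP-Request", EAPOL_REPLY, "eth1", "eth2"),
             ("IPv4 tagged", IPV4_TAGGED, "eth1", "eth2"),
             ("IPv4 untagged", IPV4_UNTAGGED, "eth1", "eth2")]
    for name, frame, inp, outp in cases:
        verdict = "forwarded" if forwarded(frame, inp, outp) else "dropped"
        print(f"{name:14s} {inp}->{outp}: {verdict}")
    print("EAPOL-Start with group_fwd_mask=0:",
          "forwarded" if forwarded(EAPOL_START, "eth2", "eth1", group_fwd_mask=0) else "dropped")
```

Two things the model makes visible: with group_fwd_mask left at 0 the gateway's EAPOL-Start never leaves the bridge, which is why the "echo 8" is not optional; and the ebtables rules only ever match tagged frames, so an untagged IPv4 frame towards eth2 is still forwarded. That is harmless where the ISP side is entirely priority-tagged, but a stricter chain would also accept untagged EAPOL (`-p 0x888e`) and then drop everything else in or out of eth2.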
 
macandcheese
just joined
Topic Author
Posts: 2
Joined: Fri Mar 03, 2017 5:39 am

Re: First post ever! Help me migrate to RouterOS from EdgeOS

Fri Mar 03, 2017 9:28 pm

Thoughts anyone?!
 
Sob
Forum Guru
Posts: 4527
Joined: Mon Apr 20, 2009 9:11 pm

Re: First post ever! Help me migrate to RouterOS from EdgeOS

Sat Mar 04, 2017 1:22 am

My thought is that you should experiment. I don't know EdgeOS, but from what I see, you can surely create a bridge in RouterOS, assign an IP address, a default route, do masquerade and set the bridge MAC address. Just open WinBox/WebFig and you must figure these things out in a few minutes tops.

There are also bridge filters that probably can do what those ebtables rules do.

I'm not sure about the purpose of the sub-interface on the bridge and what exactly it does.

Possibly the most problematic seems to be "echo 8 > /sys/class/net/br0/bridge/group_fwd_mask". It should override some default blocking in the bridge. I don't see that option in RouterOS. But it could possibly have different defaults, so that traffic might pass without any overrides if you're lucky.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply.
 
phin
just joined
Posts: 15
Joined: Mon Dec 04, 2017 11:25 pm

Re: First post ever! Help me migrate to RouterOS from EdgeOS

Mon Dec 04, 2017 11:26 pm

Sorry to rehash an old thread, but did you ever get this sorted out?

Thanks!
