Hi,
I want to use two Mikrotik rb2011 to connect two houses together with one cable. Each house has its own internet service. My goal is to use dual WAN on both routers. The attached diagram shows my setup.
Router A has two WAN ports, ETH_1 and ETH_2. ETH_2 uses Router B as a gateway for internet connection. The remaining 8 ports on Router A are bridged as Bridge-LAN. Bridge-LAN have IP address 192.168.80.0/24. This part is working fine. But I do have a question. Bridge-LAN is using software switching (this is my understanding). How do I use the switch chip in the bridge? RB2011 have two switch chips. Now there are no master or slave ports. What is the new way of configuring it?
Router B, ETH1 and ETH2 are there to serve as the second WAN to Router A. This part is working fine.
For Router B, I want it to use Router A as a gateway. For both routers, I have created a VLAN on ETH2. Router A VLAN has IP address 192.168.81.1. Router B VLAN has IP address 192.168.81.2. This part is working. I can use the IP addresses to ping each VLANs. This VLAN is to link Router A back to Router B. So Router B have internet traffic through this VLAN.
For the remaining 8 ports in Router B, I want it to be a switch to Router A's Bridge-LAN. So the 8 ports in Router B are on the same subnet as Router A's Bridge-LAN 192.168.80.0/24. I don't know how to do this part. First, how do I setup Router B as a transparent bridge to Router A? Second, how I do use the hardware switch chip to do the switching on the remaining 8 ports?
Thank you for your help
Jake He
VLAN SWITCH
You do not have the required permissions to view the files attached to this post.
Last edited by zhex900 on Mon Jun 04, 2018 6:50 am, edited 1 time in total.
Re: VLAN SWITCH
You won't be able to fully switch your 8 remaining ports, because there are 2 physical switches in this RB.
There are for sure some workarounds. I've written recently some investigations here.
And regarding gateways. I assume it should be possible to add default routes via different interfaces using different metrics. Something like this:
0.0.0.0/0 via eth1 distance 1
0.0.0.0/0 via eth2 distance 5
With this setup each home would use it's own RB to access internet via eth1, and use other RB as a fail-over connection to internet.
There are for sure some workarounds. I've written recently some investigations here.
And regarding gateways. I assume it should be possible to add default routes via different interfaces using different metrics. Something like this:
0.0.0.0/0 via eth1 distance 1
0.0.0.0/0 via eth2 distance 5
With this setup each home would use it's own RB to access internet via eth1, and use other RB as a fail-over connection to internet.
Re: VLAN SWITCH
5 ports for the switch is fine with me too. Port eth6 to eth10. How do I do this? I will read you post soon.
Re: VLAN SWITCH
I can't see the diagram. (EDIT: I can see it now) It says I'm not authorized to download it for whatever reason. Can you fix that?
A few things:
There's no need to worry about if the hardware switch is being used as of 6.41. See the release notes for 6.41: https://mikrotik.com/download/changelogs
If both houses are using the same network, you don't need a vlan unless there is other traffic you aren't talking about here.
You're talking about "dual lan" and 2 wan ports, but I'm not sure if that concept is correct based on your description.
From your description, this configuration is calling out for VRRP failover when one of the wan links fails to me. The physical link between the routers is ideal for that. Detecting that the wan link failed is the problem, you would have to script that or maybe someone has a better idea. Adding the ability to track an interface and have that trigger VRRP failover would be a really nice feature. Unless it already exists and I'm missing it...
A few things:
There's no need to worry about if the hardware switch is being used as of 6.41. See the release notes for 6.41: https://mikrotik.com/download/changelogs
If both houses are using the same network, you don't need a vlan unless there is other traffic you aren't talking about here.
You're talking about "dual lan" and 2 wan ports, but I'm not sure if that concept is correct based on your description.
From your description, this configuration is calling out for VRRP failover when one of the wan links fails to me. The physical link between the routers is ideal for that. Detecting that the wan link failed is the problem, you would have to script that or maybe someone has a better idea. Adding the ability to track an interface and have that trigger VRRP failover would be a really nice feature. Unless it already exists and I'm missing it...
Re: VLAN SWITCH
Yeah, looking at your description I think you should look into VRRP failover. You wouldn't need the extra networks, you would just have the 2 wans and 1 subnet below connected by the link between the routers. Figuring out how to failover based on wan link failure is the problem you would have to work out.
I think what the other person said is your router has 2 separate hardware switches. One for the 10/100 ports, one for the gigabit ports (I think). As long as you use one or the other, they will be hardware switched. But you can use a software bridge and it would be fine as long as you're not expecting maximum bandwidth.
I think what the other person said is your router has 2 separate hardware switches. One for the 10/100 ports, one for the gigabit ports (I think). As long as you use one or the other, they will be hardware switched. But you can use a software bridge and it would be fine as long as you're not expecting maximum bandwidth.
Re: VLAN SWITCH
ExactlyAs long as you use one or the other, they will be hardware switched. But you can use a software bridge and it would be fine as long as you're not expecting maximum bandwidth.
Re: VLAN SWITCH
Thank you for your reply. Ok, I can stick with software bridge. How do I setup Router B Bridge-LANB as a switch to Router A? I mean, using VLAN-HOUSELINK as the link between the two routers. Do I need to set up a static route from Router B?
Re: VLAN SWITCH
Forget what I said about VRRP if you're trying to use PCC. I didn't see that.
If you absolutely need to use both uplinks to get enough bandwidth, then PCC is correct. If not, a master/backup failover setup would be more reliable.
I have much better luck with users if the know the uplink bandwidth is some given amount that everyone needs to share. Expecting both links to work reliably and then running across problems with one and getting half bandwidth for some period of time could be a worse problem depending on what you're doing.
If you absolutely need to use both uplinks to get enough bandwidth, then PCC is correct. If not, a master/backup failover setup would be more reliable.
I have much better luck with users if the know the uplink bandwidth is some given amount that everyone needs to share. Expecting both links to work reliably and then running across problems with one and getting half bandwidth for some period of time could be a worse problem depending on what you're doing.
Re: VLAN SWITCH
Basically, I want both houses to share their internet. Sometimes, the internet connection is slow on one of the houses. When the internet is slow I want the traffic to be routed to the better connection.
My thought is to use Router A as dual WAN for both houses. Router B does not directly get the internet connection from itself. It gets it from Router A via the VLAN. I guess this idea would not work right?
My thought is to use Router A as dual WAN for both houses. Router B does not directly get the internet connection from itself. It gets it from Router A via the VLAN. I guess this idea would not work right?
Re: VLAN SWITCH
Why not? In house A set route 0.0.0.0/0 to 192.168.0.1 and in house B set route 0.0.0.0/0 to 192.168.81.1. Router A will always sent packets to Internet through his ISP and B will always sent packets to Internet through vlan tag. Easy 
Re: VLAN SWITCH
I finally, got it working. I have added a static route on Router B, 0.0.0.0 with gateway 192.168.81.1. Router B has an internet connection and are switching for Router A. But I am not sure PCC is working probably on Router A.
My understanding is that internet traffic is shared between wan1 and wan2. But I only can see wan1 having traffic and wan2 is idle. When I disconnect wan1. Wan2 gets traffic. What am I doing wrong?
My understanding is that internet traffic is shared between wan1 and wan2. But I only can see wan1 having traffic and wan2 is idle. When I disconnect wan1. Wan2 gets traffic. What am I doing wrong?
Code: Select all
/ip firewall mangle export
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=wan2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan1_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan2_conn per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=bridge-local new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=bridge-local new-routing-mark=to_wan2
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2
/ip route export
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=to_wan1
add check-gateway=ping distance=2 gateway=192.168.88.1 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=192.168.0.1
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat src-address=10.0.0.0/24
[admin@MT-MAIN] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.80.1/24 192.168.80.0 bridge-local
1 10.0.0.1/24 10.0.0.0 COOKST
3 D 192.168.0.20/24 192.168.0.0 ether1
4 D 192.168.88.252/24 192.168.88.0 ether2
Re: VLAN SWITCH
I deleted my old routes and these again. Now I get more traffic on wan2, but little on wan1.
Create the unmarked default routes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=1
add dst-address=0.0.0.0/0 gateway=192.168.88.1 distance=2
Create the marked default routes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 check-gateway=ping distance=1 routing-mark=to_wan1
add dst-address=0.0.0.0/0 gateway=192.168.88.1 check-gateway=ping distance=1 routing-mark=to_wan2
Create the unmarked default routes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=1
add dst-address=0.0.0.0/0 gateway=192.168.88.1 distance=2
Create the marked default routes
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.0.1 check-gateway=ping distance=1 routing-mark=to_wan1
add dst-address=0.0.0.0/0 gateway=192.168.88.1 check-gateway=ping distance=1 routing-mark=to_wan2
Re: VLAN SWITCH
You have to add passthrough=yes to the rules with per-connection-classifier. Without it, the initial packet of outbound connection gets the connection mark but doesn't get the routing mark, so the connections establish through one WAN and continue through the other one, so they fail.
Re: VLAN SWITCH
Hi,
I have added the passthrough. But I only see traffic on WAN1. Nothing on WAN2.
I have added the passthrough. But I only see traffic on WAN1. Nothing on WAN2.
Code: Select all
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.80.0/24 in-interface=bridge-local
add action=accept chain=prerouting dst-address=192.168.88.0/24 in-interface=bridge-local
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=wan2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=bridge-local new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=bridge-local new-routing-mark=to_wan2
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2
You do not have the required permissions to view the files attached to this post.
Re: VLAN SWITCH
I'm afraid I'd have to see the complete configurations from both machines to spot any issue. The PCC handling seems fine to me, so I suspect some routing problem at the other router which causes packets intended to go out its uplink to get lost or, more likely, looped.
The idea is that WAN1 is the physical WAN of router X, and WAN2 is locally represented at X by the VLAN towards the other router Y. Router Y must make sure that packets which come from router X through that VLAN will not be handled the same like packets from local LAN but will be routed straight to its own physical WAN.
The idea is that WAN1 is the physical WAN of router X, and WAN2 is locally represented at X by the VLAN towards the other router Y. Router Y must make sure that packets which come from router X through that VLAN will not be handled the same like packets from local LAN but will be routed straight to its own physical WAN.
Re: VLAN SWITCH
I really appreciate your help. Kindly look at my configures.
Router B is a simple configure. I started with reset configurations. I selected a standard router configuration with NAT and bridged all ports.
I added a new bridge. Rename the bridges into bridge-wan and bridge-lan. bridge-wan have eth1, eth2, and wlan1. All other ports belong to bridge-lan. My thought is to separate the traffic by using these two bridges.
In bridge-wan, eth1 is the wan port. eth2 is to direct internet to router A. bridge-wan are in the ip range 192.168.88.0/24.
in bridge-lan, only vlan-200 have an ip address 192.168.83.3. This is used to talk to the vlan in router A. This is done by a static router, dst-address 0.0.0.0/0 with gateway 192.168.83.2
Router A and Router B are connected by eth2.
I have CapsMAN enabled on Router A. When I connect APs on Router B ports, CapsMAN can register them.
Router B
interface bridge print
interface bridge port print
ip address
Router B is a simple configure. I started with reset configurations. I selected a standard router configuration with NAT and bridged all ports.
I added a new bridge. Rename the bridges into bridge-wan and bridge-lan. bridge-wan have eth1, eth2, and wlan1. All other ports belong to bridge-lan. My thought is to separate the traffic by using these two bridges.
In bridge-wan, eth1 is the wan port. eth2 is to direct internet to router A. bridge-wan are in the ip range 192.168.88.0/24.
in bridge-lan, only vlan-200 have an ip address 192.168.83.3. This is used to talk to the vlan in router A. This is done by a static router, dst-address 0.0.0.0/0 with gateway 192.168.83.2
Router A and Router B are connected by eth2.
I have CapsMAN enabled on Router A. When I connect APs on Router B ports, CapsMAN can register them.
Router B
Code: Select all
[admin@MikroTik] /ip> /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1 ether 1500 1598 4074 00:0C:42:F8:A5:77
1 RS ether2 ether 1500 1598 4074 00:0C:42:F8:A5:78
2 S ether3 ether 1500 1598 4074 00:0C:42:F8:A5:79
3 S ether4 ether 1500 1598 4074 00:0C:42:F8:A5:7A
4 S ether5 ether 1500 1598 4074 00:0C:42:F8:A5:7B
5 S ether6 ether 1500 1598 2028 00:0C:42:F8:A5:7C
6 S ether7 ether 1500 1598 2028 00:0C:42:F8:A5:7D
7 S ether8 ether 1500 1598 2028 00:0C:42:F8:A5:7E
8 S ether9 ether 1500 1598 2028 00:0C:42:F8:A5:7F
9 S ether10 ether 1500 1598 2028 00:0C:42:F8:A5:80
10 sfp1 ether 1500 1598 4074 00:0C:42:F8:A5:76
11 S wlan1 wlan 1500 1600 2290 00:0C:42:F8:A5:81
12 R bridge-lan bridge 1500 1594 00:0C:42:F8:A5:7A
13 R bridge-wan bridge 1500 1598 00:0C:42:F8:A5:78
14 RS vlan-200 vlan 1500 1594 00:0C:42:F8:A5:78
Code: Select all
0 R name="bridge-lan" mtu=auto actual-mtu=1500 l2mtu=1594 arp=enabled arp-timeout=auto mac-address=00:0C:42:F8:A5:7A protocol-mode=rstp fast-forward=no igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no
1 R name="bridge-wan" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=00:0C:42:F8:A5:78 protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=00:0C:42:F8:A5:78 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no
Code: Select all
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ether2 bridge-wan no 1 0x80 10 10 none
1 I ether3 bridge-wan no 1 0x80 10 10 none
2 I H ether4 bridge-lan yes 1 0x80 10 10 none
3 I H ether5 bridge-lan yes 1 0x80 10 10 none
4 I ether6 bridge-lan no 1 0x80 10 10 none
5 I H ether7 bridge-lan yes 1 0x80 10 10 none
6 I H ether8 bridge-lan yes 1 0x80 10 10 none
7 I H ether9 bridge-lan yes 1 0x80 10 10 none
8 I wlan1 bridge-wan 1 0x80 10 10 none
9 I ether10 bridge-lan no 1 0x80 10 10 none
10 vlan-200 bridge-lan 1 0x80 10 10 none
Code: Select all
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.88.1/24 192.168.88.0 bridge-wan
1 192.168.88.1/24 192.168.88.0 ether2
2 192.168.83.3/24 192.168.83.0 vlan-200
3 D 192.168.0.18/24 192.168.0.0 ether1
[admin@MikroTik] /ip> route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.0.1 1
1 A S 0.0.0.0/0 192.168.83.2 1
2 ADC 192.168.0.0/24 192.168.0.18 ether1 0
3 ADC 192.168.83.0/24 192.168.83.3 bridge-lan 0
4 ADC 192.168.88.0/24 192.168.88.1 bridge-wan 0
Re: VLAN SWITCH
Router A
COOKST bridge is used for CapsMAN. All ports are on the bridge-local. I am not sure whether vlan should also be on it. For now, I disabled it. I don't see any difference.
routes
COOKST bridge is used for CapsMAN. All ports are on the bridge-local. I am not sure whether vlan should also be on it. For now, I disabled it. I don't see any difference.
Code: Select all
[admin@MT-MAIN] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 I ether3 bridge-local no 1 0x80 10 10 none
1 I ether4 bridge-local no 1 0x80 10 10 none
2 I ether5 bridge-local no 1 0x80 10 10 none
3 I ether6 bridge-local no 1 0x80 10 10 none
4 I wlan1 bridge-local 1 0x80 10 10 none
5 I H ether7 bridge-local yes 1 0x80 10 10 none
6 I H ether8 bridge-local yes 1 0x80 10 10 none
7 I H ether9 bridge-local yes 1 0x80 10 10 none
8 XI vlan-200 bridge-local 1 0x80 10 10 none
9 D MT-MAIN-1 COOKST 1 0x80 10 10 none
Code: Select all
[admin@MT-MAIN] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.0.1 1
1 A S 0.0.0.0/0 192.168.88.1 1
2 A S 0.0.0.0/0 192.168.0.1 1
3 DS 0.0.0.0/0 192.168.0.1 1
4 DS 0.0.0.0/0 192.168.88.1 1
5 S 0.0.0.0/0 192.168.88.1 2
6 ADC 10.0.0.0/24 10.0.0.1 COOKST 0
7 ADC 192.168.0.0/24 192.168.0.20 ether1 0
8 ADC 192.168.80.0/24 192.168.80.1 bridge-local 0
9 ADC 192.168.83.0/24 192.168.83.2 vlan-200 0
10 ADC 192.168.88.0/24 192.168.88.252 ether2 0
Last edited by zhex900 on Wed Jun 06, 2018 9:46 am, edited 1 time in total.
Re: VLAN SWITCH
Instead of print and description in own words, please post the output of /export hide-sensitive from both devices, it is really much easier to understand the configurations and their interaction from the standard format. hide-sensitive only removes passwords from the output, so if there are any public IP addresses you don't want to publish, systematically replace all occurrences of each of them with a distinctive pattern like my.public.ip.1.
Re: VLAN SWITCH
Router A
Code: Select all
[admin@MT-MAIN] > export hide-sensitive
# jun/06/2018 16:47:11 by RouterOS 6.42.3
# software id = 6I1X-92CP
#
# model = 2011UAS-2HnD
# serial number = 402602239286
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=2G
add band=5ghz-a/n/ac control-channel-width=20mhz name=5G
/interface bridge
add fast-forward=no name=COOKST
add admin-mac=D4:CA:6D:97:45:9F auto-mac=no fast-forward=no mtu=1500 name=bridge-local
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(36dBm), SSID: COOKST, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC country=australia distance=indoors frequency=auto mode=ap-bridge ssid=EDEN wireless-protocol=802.11
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes name=sfp1-gateway
/interface pppoe-client
add add-default-route=yes interface=ether1 keepalive-timeout=60 max-mru=1480 max-mtu=1480 name=pppoe-out1 use-peer-dns=yes user=30cookstreet
/interface vlan
add interface=ether2 name=vlan-200 vlan-id=200
/caps-man datapath
add bridge=COOKST name=COOKST
/caps-man security
add authentication-types=wpa-psk,wpa2-psk comment=jesusislord encryption=aes-ccm,tkip name=COOKST
/caps-man configuration
add channel=2G country=australia datapath=COOKST distance=indoors mode=ap name=COOKST-2G security=COOKST ssid=COOKST
add channel=5G country=australia datapath=COOKST distance=indoors mode=ap name=COOKST-5G security=COOKST ssid=COOKST
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.80.10-192.168.80.254
add name=COOKST ranges=10.0.0.10-10.0.0.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
add address-pool=COOKST disabled=no interface=COOKST lease-time=20h10m name=COOKST
/queue type
add kind=pcq name=DSL-download pcq-classifier=dst-address
add kind=pcq name=DSL-upload pcq-classifier=src-address
/queue tree
add max-limit=2030k name=Download parent=ether1 priority=2 queue=DSL-download
add name=Q_Download packet-mark=users parent=Download
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=COOKST-2G name-format=identity name-prefix=COOKST
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=COOKST-5G name-format=identity
/interface bridge port
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local hw=no interface=ether6
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether7
add bridge=bridge-local interface=ether8
add bridge=bridge-local interface=ether9
add bridge=bridge-local interface=vlan-200
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=sfp1-gateway list=discover
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=wlan1 list=discover
add interface=bridge-local list=discover
add interface=pppoe-out1 list=discover
add interface=ether2 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether3 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether5 list=mac-winbox
add interface=ether6 list=mactel
add interface=ether6 list=mac-winbox
add interface=wlan1 list=mactel
add interface=wlan1 list=mac-winbox
add interface=sfp1-gateway list=mactel
add interface=sfp1-gateway list=mac-winbox
add interface=ether1 list=WAN
add interface=bridge-local list=mactel
/interface wireless cap
#
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1
/ip accounting web-access
set address=192.168.80.2/32
/ip address
add address=192.168.80.1/24 comment="default configuration" interface=bridge-local network=192.168.80.0
add address=10.0.0.1/24 interface=COOKST network=10.0.0.0
add address=192.168.83.2/24 interface=vlan-200 network=192.168.83.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1
add dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dhcp-server lease
add address=192.168.80.253 client-id=1:8c:85:90:86:a6:1d mac-address=8C:85:90:86:A6:1D server=default
add address=192.168.80.248 client-id=1:cc:2d:e0:6f:53:3d mac-address=CC:2D:E0:6F:53:3D server=default
add address=192.168.80.249 client-id=1:cc:2d:e0:6f:50:79 mac-address=CC:2D:E0:6F:50:79 server=default
add address=192.168.80.247 client-id=1:cc:2d:e0:6f:53:b mac-address=CC:2D:E0:6F:53:0B server=default
add address=192.168.80.246 client-id=1:cc:2d:e0:6f:50:6f mac-address=CC:2D:E0:6F:50:6F server=default
add address=192.168.80.245 client-id=1:cc:2d:e0:6f:53:6f mac-address=CC:2D:E0:6F:53:6F server=default
add address=192.168.80.244 client-id=1:4c:5e:c:f8:8d:42 mac-address=4C:5E:0C:F8:8D:42 server=default
add address=192.168.80.243 client-id=1:0:c:42:f8:a5:77 mac-address=00:0C:42:F8:A5:77 server=default
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.1,8.8.8.8 gateway=10.0.0.1
add address=192.168.80.0/24 comment="default configuration" dns-server=192.168.80.1 gateway=192.168.80.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=forward disabled=yes dst-address=192.168.88.1 src-address=192.168.88.1
add action=accept chain=forward comment="default configuration" connection-state=established
add action=accept chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.80.0/24 in-interface=bridge-local
add action=accept chain=prerouting dst-address=192.168.88.0/24 in-interface=bridge-local
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1 new-connection-mark=wan1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2 new-connection-mark=wan2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=bridge-local new-routing-mark=to_wan1
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=bridge-local new-routing-mark=to_wan2
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat src-address=10.0.0.0/24
/ip route
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=192.168.88.1 routing-mark=to_wan2
add distance=1 gateway=192.168.0.1
add distance=2 gateway=192.168.88.1
/ip service
set ssh address=0.0.0.0/0
/lcd
set time-interval=weekly
/system clock
set time-zone-name=Australia/Sydney
/system identity
set name=MT-MAIN
/system ntp client
set enabled=yes primary-ntp=150.101.176.226 secondary-ntp=45.76.113.31
/system routerboard settings
set auto-upgrade=yes silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Re: VLAN SWITCH
Router B
Code: Select all
[admin@MikroTik] > /export hide-sensitive
# jun/06/2018 16:48:06 by RouterOS 6.42.1
# software id = YSFQ-H9GG
#
# model = 2011UAS-2HnD
# serial number = 419E0125FDC1
/interface bridge
add fast-forward=no name=bridge-lan
add admin-mac=00:0C:42:F8:A5:78 auto-mac=no comment=defconf name=bridge-wan
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-F8A581 wireless-protocol=802.11
/interface vlan
add interface=ether2 name=vlan-200 vlan-id=200
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-wan name=defconf
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge-wan comment=defconf hw=no interface=ether2
add bridge=bridge-wan comment=defconf hw=no interface=ether3
add bridge=bridge-lan comment=defconf interface=ether4
add bridge=bridge-lan comment=defconf interface=ether5
add bridge=bridge-lan comment=defconf hw=no interface=ether6
add bridge=bridge-lan comment=defconf interface=ether7
add bridge=bridge-lan comment=defconf interface=ether8
add bridge=bridge-lan comment=defconf interface=ether9
add bridge=bridge-wan comment=defconf interface=wlan1
add bridge=bridge-lan hw=no interface=ether10
add bridge=bridge-lan interface=vlan-200
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-wan list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
set discovery-interfaces=vlan-200 interfaces=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-wan network=192.168.88.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0
add address=192.168.83.3/24 interface=vlan-200 network=192.168.83.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.80.0/24 gateway=192.168.80.14 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=ping distance=1 gateway=192.168.83.2
/lcd interface pages
set 0 interfaces=sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10
/system clock
set time-zone-name=Australia/Sydney
/system routerboard settings
set auto-upgrade=yes silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=user-manager
Re: VLAN SWITCH
The first thing I've spotted is that on Router B, you have configured ether2 as both a member port of a bridge (bridge-wan in this case) and a carrier interface for /interface vlan (vlan-200 in this case) and an IP configuration. This cannot work properly. If you need ether2 and ether3 to be bridged together, you must make bridge-wan the carrier interface of /interface vlan name=vlan-200 and the IP configuration.
Also, you have to assign the address to just one of the interfaces depending on the choice, so delete one of the two configuration lines below:
I don't say these are the reasons why it doesn't work the way you expect but it needs to be fixed in any case.
Also, you have to assign the address to just one of the interfaces depending on the choice, so delete one of the two configuration lines below:
Code: Select all
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-wan network=192.168.88.0
add address=192.168.88.1/24 interface=ether2 network=192.168.88.0Re: VLAN SWITCH
I changed the vlan interface to bridge-wan on router B. Is this what you are referring to? I don't need eth2 and eth3 to be bridged together. eth1 and eth2 are together. rest are all bridge-local.
I can't touch the ip address on bridge-wan and eth0. If I disable one I will lose the router connection. I have to use winebox to connect via mac.
I can't touch the ip address on bridge-wan and eth0. If I disable one I will lose the router connection. I have to use winebox to connect via mac.
Code: Select all
[admin@MikroTik] > /interface vlan export
/interface vlan
add interface=bridge-wan name=vlan-200 vlan-id=200
Re: VLAN SWITCH
I'm a bit lost, you speak about eth0 but there is none.
Other than that - you currently have the address 192.168.88.1/24 attached to both bridge-wan and its member port ether2. If you don't need ether3 to be in the same bridge like ether2, you may remove bridge-wan completely, but in such case, 192.168.88.1/24 and /interface vlan name=vlan-200 have to be attached to ether2 directly. In such case, you can detach the 192.168.88.1/24 from bridge-wan. Or vice versa, you can keep the bridge-wan, just remove ether3 from it, and attach vlan-200 and 192.168.88.1/24 to bridge-wan, but in that case, detach the 192.168.88.1/24 from ether2. You can do all changes in safe mode, which means that if you lose connection due to the change, it is enough to wait 30-60 seconds and the change will revert automatically.
Next, on router B, you have two default routes with the same priority (distance), one added dynamically by the DHCP on ether1 (WAN2) and the other one added manually:
This means that if router A sends a packet to router B using
router B either sends it out via 192.168.0.1 or sends it back to router A via 192.168.83.2 (I think in this case the routes are chosen in a round-robin fashion and cached).
That's what I wrote earlier, you have to make sure that if a packet comes from router A, router B never sends it back to router A.
Assuming that the final goal is to distribute traffic between own and remote WAN using PCC on both machines, I would implement the astro clock for PCC also on Router B and assign the connection-mark enforcing use of the local WAN also to packets coming in from Router A, and do the same on router A for packets coming from router B of course.
Other than that - you currently have the address 192.168.88.1/24 attached to both bridge-wan and its member port ether2. If you don't need ether3 to be in the same bridge like ether2, you may remove bridge-wan completely, but in such case, 192.168.88.1/24 and /interface vlan name=vlan-200 have to be attached to ether2 directly. In such case, you can detach the 192.168.88.1/24 from bridge-wan. Or vice versa, you can keep the bridge-wan, just remove ether3 from it, and attach vlan-200 and 192.168.88.1/24 to bridge-wan, but in that case, detach the 192.168.88.1/24 from ether2. You can do all changes in safe mode, which means that if you lose connection due to the change, it is enough to wait 30-60 seconds and the change will revert automatically.
Next, on router B, you have two default routes with the same priority (distance), one added dynamically by the DHCP on ether1 (WAN2) and the other one added manually:
Code: Select all
[admin@MikroTik] /ip> route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 192.168.0.1 1
1 A S 0.0.0.0/0 192.168.83.2 1Code: Select all
/ip route
add check-gateway=ping distance=1 gateway=192.168.88.1 routing-mark=to_wan2That's what I wrote earlier, you have to make sure that if a packet comes from router A, router B never sends it back to router A.
Assuming that the final goal is to distribute traffic between own and remote WAN using PCC on both machines, I would implement the astro clock for PCC also on Router B and assign the connection-mark enforcing use of the local WAN also to packets coming in from Router A, and do the same on router A for packets coming from router B of course.
Re: VLAN SWITCH
So the resulting configuration would be symmetric like this:
And the connection-marking rules would look like this on both machines (simplifying to only illustrate the different handling of the three types of traffic, i.e. initiated from the local LAN, initiated from the remote LAN, and initiated from outside).
Code: Select all
Router A Router B
WAN1 WAN2
|\ /|
| \______________________________________________________ / |
| ether2 ether2 \/ |
| ______________________________________________________/\ |
| / \ |
|/ \|
PCC PCC
| |
bridge-lan A bridge-lan B
Code: Select all
mark-connection new-connection-mark=local-WAN in-interface=local-WAN
mark-connection new-connection-mark=local-WAN in-interface=ether2
mark-connection new-connection-mark=local-WAN in-interface=bridge-lan pcc=x:2/0
mark-connection new-connection-mark=remote-WAN in-interface=bridge-lan pcc=x:2/1Re: VLAN SWITCH
I am not sure I understand everything.
I will remove eth3 from bridge wan and delete bridge wan.
eth2 remain as 192.168.88.1. Vlan will have interface eth2.
I will add pcc rules on both routers. I only had them on router A.
What route rules should I have ? Avoid the problem of round- robin.
I will remove eth3 from bridge wan and delete bridge wan.
eth2 remain as 192.168.88.1. Vlan will have interface eth2.
I will add pcc rules on both routers. I only had them on router A.
What route rules should I have ? Avoid the problem of round- robin.
Re: VLAN SWITCH
You would have an interconnection subnet between routers A and B, let's say 192.168.123.1/30 on ether2 of router A and 192.168.123.2/30 on ether2 of router B. I know you currently have someting else but I strongly recommend that the subnet be dedicated for the interconnection. The LAN subnets of both routers should be separate from this interconnection subnet (and from each other of course), such as 192.168.1.0/24 for router A and 192.168.2.0/24 for router B.
In that case, you would assign no routing-mark to packets from bridge-LAN marked with connection-mark=local-WAN, and you would assign routing-mark remote-WAN to packets from bridge-LAN marked with connection-mark=remote-WAN, and you would add the following routes to each router:
(x=2 for router B and x=1 for router A).
The reason why I suggest not to use a routing-mark for local-WANs is that the IP address of the WAN gateway is added dynamically by the DHCP client as a default route to the default routing table (the one with no routing-mark). So if you would need to use that gateway address in a manually added route with a routing-mark, you would risk that if the DHCP assigns you a different address and gateway in half a year from now, the manually added route via the old address of the gateway will stop working.
In that case, you would assign no routing-mark to packets from bridge-LAN marked with connection-mark=local-WAN, and you would assign routing-mark remote-WAN to packets from bridge-LAN marked with connection-mark=remote-WAN, and you would add the following routes to each router:
Code: Select all
/ip route
add gateway=192.168.123.x routing-mark=remote-WAN
add dst-address=192.168.x.0/24 gateway=192.168.123.x
The reason why I suggest not to use a routing-mark for local-WANs is that the IP address of the WAN gateway is added dynamically by the DHCP client as a default route to the default routing table (the one with no routing-mark). So if you would need to use that gateway address in a manually added route with a routing-mark, you would risk that if the DHCP assigns you a different address and gateway in half a year from now, the manually added route via the old address of the gateway will stop working.
Re: VLAN SWITCH
It depends on the purpose, I didn't go further into details as I've seen the issues listed until now. But if you are happy with devices in each house being able to access internet via the local WAN if a crocodile bites the interconnection cable, the setup where the interconnection subnet is used for both the communication between devices in the two LANs and for using the routers as each other's second WAN is sufficient without the VLAN.
Re: VLAN SWITCH
While my purpose is for both routers have two WAN. Like what you suggested. My initial thinking was to have two interconnection links eth2 and vlan. Eth2 will direct internet A to B. Vlan will direct internet B to A.
Is vlan still necessary?
Is vlan still necessary?
Re: VLAN SWITCH
No, the VLAN is not necessary. Even if you would dedicate a different subnet for each role (one in ether2 tagless for internet for A via B's WAN and another one in vlan-200 for internet for B via A's WAN), you would have to use some routing marks to prevent the traffic from looping back. So only keep the VLAN there if it makes the overall picture clearer for you.
Re: VLAN SWITCH
Hi,So the resulting configuration would be symmetric like this:
And the connection-marking rules would look like this on both machines (simplifying to only illustrate the different handling of the three types of traffic, i.e. initiated from the local LAN, initiated from the remote LAN, and initiated from outside).Code: Select allRouter A Router B WAN1 WAN2 |\ /| | \______________________________________________________ / | | ether2 ether2 \/ | | ______________________________________________________/\ | | / \ | |/ \| PCC PCC | | bridge-lan A bridge-lan B
Code: Select allmark-connection new-connection-mark=local-WAN in-interface=local-WAN mark-connection new-connection-mark=local-WAN in-interface=ether2 mark-connection new-connection-mark=local-WAN in-interface=bridge-lan pcc=x:2/0 mark-connection new-connection-mark=remote-WAN in-interface=bridge-lan pcc=x:2/1
Code: Select all
mark-connection new-connection-mark=local-WAN in-interface=ether2
Re: VLAN SWITCH
No. The initial packets of connections which came in from the remote box via ether2 must not be sent back to the remote box. As they came to the local box, it means the PCC on the remote box has sent them to the local box to forward them to the WAN.Hi,So the resulting configuration would be symmetric like this:
And the connection-marking rules would look like this on both machines (simplifying to only illustrate the different handling of the three types of traffic, i.e. initiated from the local LAN, initiated from the remote LAN, and initiated from outside).Code: Select allRouter A Router B WAN1 WAN2 |\ /| | \______________________________________________________ / | | ether2 ether2 \/ | | ______________________________________________________/\ | | / \ | |/ \| PCC PCC | | bridge-lan A bridge-lan B
Code: Select allmark-connection new-connection-mark=local-WAN in-interface=local-WAN mark-connection new-connection-mark=local-WAN in-interface=ether2 mark-connection new-connection-mark=local-WAN in-interface=bridge-lan pcc=x:2/0 mark-connection new-connection-mark=remote-WAN in-interface=bridge-lan pcc=x:2/1
The new-connection-mark should be remote-WAN right?Code: Select allmark-connection new-connection-mark=local-WAN in-interface=ether2
The only connections marked for routing via remote WAN is 1/2 of locally originated connections. What came to the local box from outside (from the internet via WAN or from the remote box) must be marked to use local WAN.
Also, don't forget that an exception from the above are packets for devices on local LAN, i.e. the rules above must not be applied on packets with dst-address=local.LAN.subnet/mask.
Re: VLAN SWITCH
Hi Sindy,
I tried my best to follow your suggestions. Unfortunately, I cannot get to work. To make things clear, I have made a separate post. Your help is much appreciated.
viewtopic.php?f=2&t=136302&p=671393#p671393
I tried my best to follow your suggestions. Unfortunately, I cannot get to work. To make things clear, I have made a separate post. Your help is much appreciated.
viewtopic.php?f=2&t=136302&p=671393#p671393
Re: VLAN SWITCH
Sorry for not being able to explain it better. I assume I shouldn't bid for the second round, to give way to someone else whose way of explaining is closer to your way of understanding things, correct?
Re: VLAN SWITCH
Hi Sindy,
I do understand the concept of it. But I just don't know how to implement it. Please have another go at it. I am close to solving it.
I do understand the concept of it. But I just don't know how to implement it. Please have another go at it. I am close to solving it.
Re: VLAN SWITCH
Just an idea....
Is not possible for running another wire?
With two wires... no "hard" config....
Is not possible for running another wire?
With two wires... no "hard" config....
Re: VLAN SWITCH
And whats is the maximum speed needed? One wire is possible for 2 links repated at 100 Mbps
Re: VLAN SWITCH
You mean one cable, not one wire, right? So you would use two wire pairs for one FastEthernet link and another two wire pairs for another FastEthernet link. But that wouldn't remove the need to handle the traffic to/from these two physical links in a specific way in routing, and for the purpose required, a single link is sufficient with proper routing settings.And whats is the maximum speed needed? One wire is possible for 2 links repated at 100 Mbps
Leaving aside that using two VLANs on a 1000 Mbit/s link is more bandwidth efficient than splitting the cable into two 100 Mbit/s links.