cwachs
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Apr 29, 2014 5:55 am

Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 4:00 pm

Due to some software issues with SwOS, we are wanting to move our CRS326 series switches to ROS. We use these to feed Internet to apartment units and really need the "Lock on First" and "Port Lock" features that SwOS has that only allow a single MAC address to associate with a switch port. This prevents an apartment resident from plugging in a switch in their apartment and using dozens of our public IPs.

I don't see any way to duplicate that feature in ROS. Am I missing a feature somewhere to allow that?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 8:14 pm

May I ask for a little more detail about the topology?
Does the client have any equipment managed by you? No?
 
cwachs
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Apr 29, 2014 5:55 am

Re: Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 8:30 pm

No. Client is an apartment resident that hooks up any kind of router they own to the network jack we provide in each unit.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 8:37 pm

Yes, but the client might have 2 different laptops and in some cases work with one or the other... So, if you limit the MAC address that can access the network, you simply deny him the use of any other equipment he might have... So does the client know that he can only use 1 specific device and nothing else?
 
cwachs
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Apr 29, 2014 5:55 am

Re: Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 8:57 pm

The client is supposed to only hook up the WAN port of their own personal router. We serve public IPs to the customers and each customer should only get one IP per apartment. That is what the lock on first and port lock feature allows. It works perfectly for us in SwOS and we are trying to duplicate that feature in ROS (due to stability issues with SwOS).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 9:08 pm

You can make use of the Bridge Firewall under Bridge Settings...
Then you could restrict access to your Network only to a Specific MAC address...
 
grusu
Member Candidate
Posts: 129
Joined: Tue Aug 13, 2013 7:35 am
Location: Bucharest, Romania

Re: Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 9:27 pm

If you do this for authentication reasons, it doesn't mean much. The MAC address can be easily changed in a router or in a computer.
You could install a PPPoE server on the network, maybe even on the CRS326. If there are few apartments, I don't think it's a problem for the switch processor.
Then each client logs in with the user / password.
 
cwachs
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Apr 29, 2014 5:55 am

Re: Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 9:38 pm

I don't know the MAC of each customer device and each time they buy a new router, I will have to get the MAC in advance to authorize the port. This is where "lock on first" is perfect in SwOS. It allows any MAC address to connect to the switch but it only allows one MAC address per port. Pull the device and plug a new one in - it now authorizes THAT device and only that device until it is physically disconnected. It does exactly what we want to do and we are using this feature on over 20 switches in many buildings. But, due to issues with SwOS (another thread for that problem), we want to move to ROS on the switches. But, this "lock on first" feature does not seem to be possible with ROS nor does another similar solution.

Yes, we can run PPPOE but now we have to give every resident a user/password and explain to them how to enter that into their routers, etc. That is going to cost us more in tech support than this is worth. The current solution works brilliantly but seems to be a SwOS only feature, I am afraid.
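
The "lock on first" behaviour described in the post above, modelled as an added Python example (not part of the thread, and not SwOS or RouterOS code). The class and function names, the port name and the MAC addresses are constructed for illustration; the per-port counter of rejected source MACs is an addition that shows which jacks have more than one device behind them.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Port:
    locked_mac: Optional[str] = None            # MAC learned on first frame
    rejected: Dict[str, int] = field(default_factory=dict)  # MAC -> drops

class LockOnFirstSwitch:
    """Hypothetical model of the per-port behaviour described in the post."""

    def __init__(self, port_names):
        self.ports = {name: Port() for name in port_names}

    def link_down(self, port):
        # Physical disconnect releases the lock, so a replacement router
        # is accepted without the operator knowing its MAC in advance.
        self.ports[port].locked_mac = None

    def frame(self, port, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        p, mac = self.ports[port], src_mac.lower()
        if p.locked_mac is None:
            p.locked_mac = mac                  # first source MAC wins
        if mac == p.locked_mac:
            return True
        p.rejected[mac] = p.rejected.get(mac, 0) + 1
        return False

def replay(events, port_names=("ether1",)):
    """Apply ("frame", port, mac) / ("down", port) events; return results."""
    sw, decisions = LockOnFirstSwitch(port_names), []
    for ev in events:
        if ev[0] == "down":
            sw.link_down(ev[1])
        else:
            decisions.append(sw.frame(ev[1], ev[2]))
    return sw, decisions

# Constructed sample: a router, a second device behind an unmanaged switch,
# then the router is unplugged and replaced.
EVENTS = [
    ("frame", "ether1", "AA:00:00:00:00:01"),   # resident's router: locks
    ("frame", "ether1", "AA:00:00:00:00:02"),   # extra device: dropped
    ("frame", "ether1", "AA:00:00:00:00:01"),   # router again: forwarded
    ("down", "ether1"),                         # cable pulled
    ("frame", "ether1", "AA:00:00:00:00:03"),   # new router: locks
    ("frame", "ether1", "AA:00:00:00:00:01"),   # old router: dropped
]
```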
 
pe1chl
Forum Guru
Posts: 10194
Joined: Mon Jun 08, 2015 12:09 pm

Re: Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 10:02 pm

Maybe you could write a script that does a similar thing, but of course it will take some time to debug it and it will not be as convenient as a built-in feature...
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Trying to duplicate a SwOS feature on ROS...

Fri May 01, 2020 11:09 pm

> But, this "lock on first" feature does not seem to be possible with ROS nor does another similar solution.

I do not think you will find something similar in ROS...
But it is possible in many other ways...
Bridge Firewall as suggested earlier, with Bridge Reply-Only etc..., VLANs, PPPoE as others suggested ....
 
Irco
just joined
Posts: 4
Joined: Wed Feb 26, 2020 11:52 pm

Re: Trying to duplicate a SwOS feature on ROS...

Wed Mar 31, 2021 1:28 pm

> Due to some software issues with SwOS, we are wanting to move our CRS326 series switches to ROS. We use these to feed Internet to apartment units and really need the "Lock on First" and "Port Lock" features that SwOS has that only allow a single MAC address to associate with a switch port. This prevents an apartment resident from plugging in a switch in their apartment and using dozens of our public IPs.
>
> I don't see any way to duplicate that feature in ROS. Am I missing a feature somewhere to allow that?

In the end, could you find a solution for this issue? I have the same problem...
Regards
 
cwachs
Frequent Visitor
Topic Author
Posts: 84
Joined: Tue Apr 29, 2014 5:55 am

Re: Trying to duplicate a SwOS feature on ROS...

Thu Apr 01, 2021 4:47 pm

No solution. Seems to be a SwOS feature that is not duplicated in ROS.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to duplicate a SwOS feature on ROS...

Thu Apr 01, 2021 6:47 pm

I would use vlans......,
IP POOL OF 1 or 2,
Each bridge port will get a specific PVID.
Each bridge port has ingress filtering applied,
Where is the issue??

Would have to provide some sort of bw management queuing etc so every vlan had equal access to internet etc.......
 
Irco
just joined
Posts: 4
Joined: Wed Feb 26, 2020 11:52 pm

Re: Trying to duplicate a SwOS feature on ROS...

Thu Apr 01, 2021 9:50 pm

> I would use vlans......,
> IP POOL OF 1 or 2,
> Each bridge port will get a specific PVID.
> Each bridge port has ingress filtering applied,
> Where is the issue??
>
> Would have to provide some sort of bw management queuing etc so every vlan had equal access to internet etc.......

This is not a solution for me.
I can put a simple switch under the CRS, and all the traffic under the same switch will have the same VLAN and access to the network.
I need only one MAC to have access to the network.
Regards
 
Irco
just joined
Posts: 4
Joined: Wed Feb 26, 2020 11:52 pm

Re: Trying to duplicate a SwOS feature on ROS...

Thu Apr 01, 2021 9:52 pm

> No solution. Seems to be a SwOS feature that is not duplicated in ROS.

OK, thanks. I don't like to use SwOS for this job.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Trying to duplicate a SwOS feature on ROS...

Thu Apr 01, 2021 10:07 pm

> > I would use vlans......,
> > IP POOL OF 1 or 2,
> > Each bridge port will get a specific PVID.
> > Each bridge port has ingress filtering applied,
> > Where is the issue??
> >
> > Would have to provide some sort of bw management queuing etc so every vlan had equal access to internet etc.......
>
> This is not a solution for me.
> I can put a simple switch under the CRS, and all the traffic under the same switch will have the same VLAN and access to the network.
> I need only one MAC to have access to the network.
> Regards

Can you please elaborate?
If someone puts anything but a router there, for example an unmanaged switch, only one device attached to the switch will get an IP address with a DHCP pool of only 1.
The rest of the devices connected will not pull an IP??
One can define the network such that the pool defined and the network only allow one or two IPs for example.

What am I missing here??
