mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 3:22 pm

I wonder whether I can replace my Ubiquiti 3 port Gigabit router (all 3 ports are fully independent) with an hAP ac^2 ?
The hAP ac^2 has 5 Gigabit ports (plus WiFi AP for 2.4GHz and 5GHz). Ie. it has 2 ports more than the Ubi.
If we take 1 of the ports for WAN, can the remaining 4 ports be configured for attaching 4 independent LANs to it?
Like this:
     ether1            ether2            ether3            ether4            ether5
    WAN/LAN1            LAN2              LAN3              LAN4              LAN5
 192.168.127.253   192.168.128.254   192.168.129.254   192.168.130.254   192.168.131.254
 192.168.127.0/24  192.168.128.0/24  192.168.129.0/24  192.168.130.0/24  192.168.131.0/24
How to set-up this in RouterOS? Do I need to assign the IP+netmask to ether1..4 ?
Last edited by mutluit on Wed Jun 10, 2020 4:50 pm, edited 2 times in total.
 
Paternot
Forum Veteran
Posts: 953
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: Using hAP ac^2 as a Multi-LAN-Router  [SOLVED]

Tue Jun 09, 2020 3:37 pm

Yes, you can do it. Just remove the ports from the bridge.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 3:44 pm

> Yes, you can do it. Just remove the ports from the bridge.

Thanks.
Do you happen to know what happens to Hardware Offloading feature if I remove the ports from the bridge?
Or asked differently: what happens if I leave the ports in the bridge? Which negative effects can happen, if any?
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 4:20 pm

> Do you happen to know what happens to Hardware Offloading feature if I remove the ports from the bridge?
> Or asked differently: what happens if I leave the ports in the bridge? Which negative effects can happen, if any?

If ports in the bridge could benefit from hw-offloading, nothing changes if you remove some of them to work independently, the rest will still work the same way as before.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 4:21 pm

Keeping the ports in bridge would mean that all the 4 subnets would be up on the bridge itself, i.e. on each of its ports, even if you attached each subnet to a distinct member port of the bridge.

The hardware offloading on hAP ac² is only an L2 one, so as you want a different IP subnet per port, it is not applicable anyway.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 5:31 pm

If all ports are removed from the bridge, should the now empty bridge still be kept in the config, or should it (the bridge itself) rather be removed?

Btw, a correction to my drawing above: in this hAP the ports are named ether1 to ether5 plus wlan1 and wlan2, ie. there is no ether0.
ether1 is in the list "WAN", the rest is in "LAN".

On a similar case with a CRS305 I today experienced the following:
The CRS305 has the ports ether1 plus sfp-sfpplus1 to sfp-sfpplus4 and by default comes in Bridge Mode.
Via QuickSet I changed it to Router Mode by choosing ether1 as the WAN port.
But: ether1 still remains in the bridge it by default belongs to. I mean I would have expected that ROS removes it from the bridge, but it didn't. Should I remove it manually?
Ie. the generic question here is: should in RouterMode the WAN port be taken off of the bridge?
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 6:08 pm

> If all ports are removed from the bridge, should the now empty bridge still be kept in the config, or should it (the bridge itself) rather be removed?

You can remove the bridge, as there is no longer any purpose in it.

> Ie. the generic question here is: should in RouterMode the WAN port be taken off of the bridge?

Yes, you need to remove a port from a bridge for it to serve as a WAN port.
It won't work properly if you don't.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 6:20 pm

I prefer to work with VLANs, especially because of the control within the firewall. You might want to look at this tutorial:
viewtopic.php?t=143620
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 6:24 pm

> > If all ports are removed from the bridge, should the now empty bridge still be kept in the config, or should it (the bridge itself) rather be removed?
>
> You can remove the bridge, as there is no longer any purpose in it.
>
> > Ie. the generic question here is: should in RouterMode the WAN port be taken off of the bridge?
>
> Yes, you need to remove a port from a bridge for it to serve as a WAN port.
> It won't work properly if you don't.

Ok, now everything's clear. Many thanks to everybody for the useful inputs,
I now will try to replace the Ubi by this hAP. It requires some considerable work: on the uplink router (yes there is one other immediate router in the uplink), as well as "migrating" the Ubi-config to this hAP...
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 6:43 pm

> I prefer to work with VLANs, especially because of the control within the firewall. You might want to look at this tutorial:
> viewtopic.php?t=143620

Thanks, but I feel myself not that fit yet for VLAN; I need some more time (some months) & studying until I'm fit for VLAN usage & setup.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Tue Jun 09, 2020 8:23 pm

It works! :-)
The Ubi ER has now been successfully replaced by this hAP.
But performance tests not done yet.

Hmm... wait.. I haven't changed the bridge settings yet, but it still works fine as it seems... :-)

But what I didn't know and learned by accident during this exercise:
with "/ip address add ..." one can assign even more than 1 IP+mask+network to each port.
Ie. like alias IPs on a normal NIC.

The current bridge, switch, and IP settings (as said just set some addresses but not changed anything in bridge nor switch settings yet, but it seems ok as is).
Currently 3 LANs: LAN1/ether1=192.168.254.0/24 (as uplink "WAN"), LAN2/ether2=192.168.127.0/17, LAN3/ether3=192.168.128.0/24, LAN4/ether4 and LAN5/ether5 not configured yet.
[admin2@MikroTik-AP] > /interface bridge print 
Flags: X - disabled, R - running 
 0 R ;;; defconf
     name="bridge" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=XX:XX:XX:XX:XX:XX protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no 
     admin-mac=XX:XX:XX:XX:XX:XX ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no 


[admin2@MikroTik-AP] > /interface bridge port print 
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE           BRIDGE          HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2              bridge          yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether3              bridge          yes    1     0x80         10                 10       none
 2 I H ;;; defconf
       ether4              bridge          yes    1     0x80         10                 10       none
 3 I H ;;; defconf
       ether5              bridge          yes    1     0x80         10                 10       none
 4 I   ;;; defconf
       wlan1               bridge                 1     0x80         10                 10       none
 5 I   ;;; defconf
       wlan2               bridge                 1     0x80         10                 10       none
 6 XI   ether1              bridge                 1     0x80         10                 10       none


[admin2@MikroTik-AP] > /interface ethernet print             
Flags: X - disabled, R - running, S - slave 
 #    NAME               MTU MAC-ADDRESS       ARP             SWITCH
 0 R  ether1            1500 XX:XX:XX:XX:XX:XX enabled         switch1
 1 RS ether2            1500 XX:XX:XX:XX:XX:XX enabled         switch1
 2  S ether3            1500 XX:XX:XX:XX:XX:XX enabled         switch1
 3  S ether4            1500 XX:XX:XX:XX:XX:XX enabled         switch1
 4  S ether5            1500 XX:XX:XX:XX:XX:XX enabled         switch1


[admin2@MikroTik-AP] > /interface ethernet switch print 
Flags: I - invalid 
 #   NAME          TYPE             MIRROR-SOURCE       MIRROR-TARGET           SWITCH-ALL-PORTS
 0   switch1       Atheros-8327     none                none


[admin2@MikroTik-AP] > /ip address print 
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; same as on ER3
     192.168.128.254/24 192.168.128.0   ether3
 1   192.168.254.253/24 192.168.254.0   ether1
 2   192.168.127.254/17 192.168.0.0     ether2

IMO then this hAP by default behaves similar to the CRS3xx switch-routers.
 
jebz
Member
Posts: 366
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: Using hAP ac^2 as a Multi-LAN-Router

Wed Jun 10, 2020 3:37 am

> It works! :-)
> The Ubi ER has now been successfully replaced by this hAP.
> But performance tests not done yet.
>
> Hmm... wait.. I haven't changed the bridge settings yet, but it still works fine as it seems... :-)

I think you should start again with your configuration as it is potentially unsafe from a firewall perspective. This bridge addition is not standard and is a firewall bypass -
"6 XI ether1 bridge 1 0x80 10 10 none"

I'd reset to default configuration then make careful modifications. In your case you don't need the bridge because the ports are being assigned to different networks. It's easier to remove one port from the bridge and configure it then adjust your configuration PC to this new network and then configure the next.
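
The check described in this post can be run against saved `/interface bridge port print` output. This is an added example, not code from the thread: the function names are hypothetical, ether1 is taken as the WAN port as stated earlier in the thread, and the sample is a shortened, constructed copy of the posted output.

```python
import re

# Constructed sample: shortened copy of the "/interface bridge port print"
# output format posted earlier in the thread.
SAMPLE = """\
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #     INTERFACE           BRIDGE          HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0   H ;;; defconf
       ether2              bridge          yes    1     0x80         10                 10       none
 1 I H ;;; defconf
       ether3              bridge          yes    1     0x80         10                 10       none
 2 XI   ether1              bridge                 1     0x80         10                 10       none
"""

# Row start: index, optional flag groups (letters from the legend), then
# either a ";;; comment" or the columns themselves.
ROW = re.compile(r"^\s*(\d+)\s+((?:[XIDH]+\s+)*)(.*)$")


def parse_bridge_ports(text):
    """Return one dict per bridge port entry: interface, bridge, flags."""
    ports, pending_flags = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            flags, rest = set("".join(m.group(2).split())), m.group(3)
            if rest.startswith(";;;"):      # columns follow on the next line
                pending_flags = flags
                continue
        elif pending_flags is not None and line.strip():
            flags, rest = pending_flags, line
        else:
            continue                        # legend, header or blank line
        pending_flags = None
        fields = rest.split()
        if len(fields) >= 2:
            ports.append({"interface": fields[0], "bridge": fields[1], "flags": flags})
    return ports


def wan_bridge_findings(text, wan_ifaces):
    """List (interface, bridge, state) for every WAN port that has a bridge entry."""
    findings = []
    for port in parse_bridge_ports(text):
        if port["interface"] in wan_ifaces:
            # X is "disabled" in the legend; anything else would bridge WAN to LAN.
            state = "disabled" if "X" in port["flags"] else "active"
            findings.append((port["interface"], port["bridge"], state))
    return findings


if __name__ == "__main__":
    for iface, bridge, state in wan_bridge_findings(SAMPLE, {"ether1"}):
        print(f"{iface} has a {state} port entry on bridge '{bridge}'; review and remove it")
```

A disabled entry is reported too, because re-enabling it would put the WAN port on the same L2 segment as the LAN ports.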
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Wed Jun 10, 2020 2:22 pm

> > It works! :-)
> > The Ubi ER has now been successfully replaced by this hAP.
> > But performance tests not done yet.
> >
> > Hmm... wait.. I haven't changed the bridge settings yet, but it still works fine as it seems... :-)
>
> I think you should start again with your configuration as it is potentially unsafe from a firewall perspective. This bridge addition is not standard and is a firewall bypass -
> "6 XI ether1 bridge 1 0x80 10 10 none"
>
> I'd reset to default configuration then make careful modifications. In your case you don't need the bridge because the ports are being assigned to different networks. It's easier to remove one port from the bridge and configure it then adjust your configuration PC to this new network and then configure the next.

Ok, thanks.
I now removed all ports under "/interface bridge port": it's now empty.
And also removed the bridge itself under "/interface bridge".

Under "/interface ethernet" all ports belong to "switch1". I guess this is not meaning that all ports are setup as a switch, but only reminding that these ports are managed by the switch chip "switch1", as indicated in this posting viewtopic.php?t=101299#p503501

> It's easier to remove one port from the bridge and configure it then adjust your configuration PC to this new network and then configure the next.

Yeah, true, indeed. Good tip, thx.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Wed Jun 10, 2020 3:26 pm

Encountered a problem:

as said:
ether1 is WAN
ether2 is LAN2
ether3 is LAN3

From LAN2 I can ping everything (WAN, LAN2, LAN3) well.
But from LAN3 I can ping all but the WAN. Very mysterious IMO.
The firewall is empty.
Any diagnose tips/hints to look after?

Update: SOLVED! A static route to LAN3 on the uplink router ("WAN") was missing. Now it works ok.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Wed Jun 10, 2020 4:41 pm

To summarize & conclude:
I now have managed to configure each of the 5 Gigabit ports of the hAP ac^2 with an independent LAN, ie. 5 independent wired LANs in total (1x WAN + 4x LAN).
For this to work the ports had to be removed from the bridge, and then the bridge itself removed as well.
Each port plays the role of the gateway for its LAN, ie. each port has to be assigned a LAN gateway IP and the netmask set appropriately.
ether1 is used as the WAN link --> goes to an uplink router (gateway).
On the uplink router (ISP router) one has to set static routes to these LANs as otherwise pings to WAN/Internet from these LANs can't work as the return path would be unknown.
Again, thanks to everybody for the useful tips & help I got.
Case successfully closed :-)
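
The return-path requirement in this summary can be checked mechanically: every subnet behind the hAP needs a covering route on the uplink router, with the hAP's WAN address as next hop. This is an added example, not code from the thread; the function names and the uplink route list (a constructed state before the LAN3 fix) are assumptions, and the address rows are a constructed copy of the `/ip address print` output posted earlier.

```python
import ipaddress
import re

# Constructed sample: the "/ip address print" rows posted earlier in the thread.
ADDRESSES = """\
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; same as on ER3
     192.168.128.254/24 192.168.128.0   ether3
 1   192.168.254.253/24 192.168.254.0   ether1
 2   192.168.127.254/17 192.168.0.0     ether2
"""

# ADDRESS/prefix, NETWORK, INTERFACE; matches rows with or without a comment line.
ROW = re.compile(r"(\d+(?:\.\d+){3}/\d+)\s+\d+(?:\.\d+){3}\s+(\S+)")


def parse_addresses(text):
    """Return [(IPv4Interface, interface name), ...] from the printed table."""
    return [(ipaddress.ip_interface(addr), iface) for addr, iface in ROW.findall(text)]


def missing_return_routes(text, wan_iface, uplink_routes):
    """Return (network, next_hop, lan_port) for each LAN the uplink cannot reach.

    uplink_routes: connected and static prefixes on the uplink router,
    without its default route (which points at the Internet, not at the hAP).
    Only prefix coverage is checked, not the next hop of the existing routes.
    """
    addrs = parse_addresses(text)
    wan = [addr for addr, iface in addrs if iface == wan_iface]
    if len(wan) != 1:
        raise ValueError(f"expected exactly one address on {wan_iface}")
    known = [ipaddress.ip_network(route) for route in uplink_routes]
    missing = []
    for addr, iface in addrs:
        if iface == wan_iface:
            continue
        if not any(addr.network.subnet_of(net) for net in known):
            missing.append((str(addr.network), str(wan[0].ip), iface))
    return sorted(missing)


if __name__ == "__main__":
    # Hypothetical uplink state: its own LAN plus a route for LAN2 only.
    uplink = ["192.168.254.0/24", "192.168.0.0/17"]
    for network, next_hop, port in missing_return_routes(ADDRESSES, "ether1", uplink):
        print(f"uplink needs: {network} via {next_hop}  (hosts behind {port})")
```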
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Using hAP ac^2 as a Multi-LAN-Router

Wed Jun 10, 2020 5:14 pm

> On the uplink router (ISP router) one has to set static routes to these LANs as otherwise pings to WAN/Internet from these LANs can't work as the return path would be unknown.

In 99% of the cases (and in 100% if we are talking about home use) ISP won't care about your LANs and won't set any static routes.
So you need to perform src-nat/masquerade on the packets leaving your WAN port.
 
mutluit
Forum Veteran
Topic Author
Posts: 821
Joined: Wed Mar 25, 2020 4:04 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Wed Jun 10, 2020 9:25 pm

> > On the uplink router (ISP router) one has to set static routes to these LANs as otherwise pings to WAN/Internet from these LANs can't work as the return path would be unknown.
>
> In 99% of the cases (and in 100% if we are talking about home use) ISP won't care about your LANs and won't set any static routes.
> So you need to perform src-nat/masquerade on the packets leaving your WAN port.

No, no, my WAN router (it's not MT) by default handles that NAT stuff. I loosely call it "uplink router", but it's just a simple WAN router in my premises.
In the rest of the LAN, NAT is disabled everywhere, and this simplifies things enormously.
Yes, the setting-up of any necessary LAN-internal static routes is of course the user's job, not of the ISP.
Ie. I use 2 routers connected to each other in a cascaded fashion, ie. "in series".
This is also due to the fact that I have cable Internet, and I think MT does not have any cable Internet routers, or does it?
That cable internet router one can say is like a toy router with very limited config capabilities, doesn't have even a CLI... :-) It's the "AVM FritzBox 6951 Cable", ie. a consumer device. But it's one of few devices that brings Gigabit Internet via cable. By "cable" I mean the same link the cable TV etc. uses...
 
xvo
Forum Guru
Posts: 1237
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Using hAP ac^2 as a Multi-LAN-Router

Wed Jun 10, 2020 10:02 pm

Well, in case you have control over the "upstream router" you don't want to have additional NAT, that's for sure :)
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Wed Jun 10, 2020 10:18 pm

> To summarize & conclude:
> I now have managed to configure each of the 5 Gigabit ports of the hAP ac^2 with an independent LAN, ie. 5 independent wired LANs in total (1x WAN + 4x LAN).
> For this to work the ports had to be removed from the bridge, and then the bridge itself removed as well.
> Each port plays the role of the gateway for its LAN, ie. each port has to be assigned a LAN gateway IP and the netmask set appropriately.
> ether1 is used as the WAN link --> goes to an uplink router (gateway).
> On the uplink router (ISP router) one has to set static routes to these LANs as otherwise pings to WAN/Internet from these LANs can't work as the return path would be unknown.
> Again, thanks to everybody for the useful tips & help I got.
> Case successfully closed :-)

Hi Mutluit, let me confuse you a bit. Your previous experience with a CRS3xx device and the switch chip did already complicate matters, to see what you have in your hands.
Think of a usual home gateway ( router or gateway, router is without NAT, gateway is with NAT to the WAN direction). The LANs may be combined and switched, but that can be disabled here.
This is disabled by taking all interfaces off the bridge.

So now you have a classical router with a firewall and with 7 interfaces : 5 ethernet and 2 WLAN (well there is still even the USB, as 8th interface with an adaptor). There could be extra interfaces (virtual WLAN, VPN, VLAN ...)
As in any router if it has a central role you have to set IP address and netmask (or as you know secondary and tertiary addresses), and a DHCP server per interface (could be in another device)
Actually in this setup with the default config all interfaces belong to the "LAN interface list". Because the LAN/WAN list is used in the default config in the firewall and some other settings for MAC access. (The interface lists are used to filter incoming traffic from the WAN interface list, doing NAT/masquerading towards the WAN interface list, allow full LAN interface list access)
As this is all your internal network all interfaces are handled as LAN interface list members (allow initiated access to pass through, allow input to the router), or you have to drop the default firewall rules and NAT rules. (And then the WAN interface list is used nowhere in the config, and has lost its meaning).


The only difference for your ether1 is the default route towards internet. Not the handling and filtering of the traffic.
As a manual configured routed network care must be taken to have all the paths defined in all routers. Or one must use routing protocols to do that dynamically (RIP, OSPF).

Only if you do remove everything that is not used then indeed there is no bridge, no WAN interface list, no NAT rule.

I said I would confuse you a bit. (And no the switch plays no role in a router setup, it's just bringing the L2 connectivity.) You could combine 2 or more interfaces on a bridge, and handle this as one (bridge) interface just as the other interfaces, but this goes beyond what simple home gateways can do.


EDIT: FYI: a cable modem is a router with a special interface, that converts the broadband cable signal and extracts one of the baseband ethernet signals. Other ISPs use xDSL signal over phone lines. That also is a special interface.
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: Using hAP ac^2 as a Multi-LAN-Router

Wed Jun 10, 2020 10:40 pm


> Under "/interface ethernet" all ports belong to "switch1". I guess this is not meaning that all ports are setup as a switch, but only reminding that these ports are managed by the switch chip "switch1", as indicated in this posting viewtopic.php?t=101299#p503501

Be careful with descriptions/postings that are older than ROS 6.44. "master-port" is an OLD way of handling ports on a bridge, removed since 6.44.
