Hi!
I have the below setup:
ISP - R1 - R2
R2 is a ac2 router and R1 is a 751G.
What I would like to do is to put the two devices on the same layer 2 segment. I have all interfaces (including wlan1) on both routers added to a bridge. The address of the devices is configured on the bridge-local as well. What happens is that I get no traffic when I connect both devices.
If I set the uplink interface on R2 to not be part of the bridge and then add the IP address in the interface, it works as it should be, but not if the uplink is part of the bridge.
Yes, I could create another network behind R2 and then use standard routing to do that, but it would be best for me to have all my wireless devices (and cable connected devices) on the same network. I tried to configure the uplink ports as non-edge or as a point-to-point, but the result was the same.
Any hints?
Thanks in advance.
Re: 2 Mikrotiks on same layer 2
On R2 all interfaces need to be part of the bridge if you want L2 communication and you must not assign
any IP address to that bridge or interface.
IP addressed should then be handed out by the bridge on R1 via DHCP server for instance running on that bridge.
To access the R2 via Winbox you can use MAC server or Neighbourhood discovery or you add a VLAN somewhere on R2.
Make sure you remove the "uplink" interface from the R2 address list "WAN" (basically your WAN address list is empty) and add it into LAN on R2.
any IP address to that bridge or interface.
IP addressed should then be handed out by the bridge on R1 via DHCP server for instance running on that bridge.
To access the R2 via Winbox you can use MAC server or Neighbourhood discovery or you add a VLAN somewhere on R2.
Make sure you remove the "uplink" interface from the R2 address list "WAN" (basically your WAN address list is empty) and add it into LAN on R2.
Re: 2 Mikrotiks on same layer 2
Not following what you are trying to accomplish. Can you draw a picture of what you want to do?
Re: 2 Mikrotiks on same layer 2
Hallo,
do you want to implement router redundancy in the event of a hardware failure?
In this case you should have a look to https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP.
do you want to implement router redundancy in the event of a hardware failure?
In this case you should have a look to https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP.
Re: 2 Mikrotiks on same layer 2
All of the ether and wlan interfaces should be members of one bridge and an IP address assigned to the bridge, can be either static or DHCP client. All of the usual NAT rules, DHCP server, etc. should be removed.If I set the uplink interface on R2 to not be part of the bridge and then add the IP address in the interface, it works as it should be, but not if the uplink is part of the bridge.
Re: 2 Mikrotiks on same layer 2
I'm trying to give wifi for all over my house. R2 would be just another standard AP + switch.Not following what you are trying to accomplish. Can you draw a picture of what you want to do?
That is exatcly what I wanted to do: Manage all addresses via DHCP server on R1. I though I could use an management address on that bridge on R2 as well.On R2 all interfaces need to be part of the bridge if you want L2 communication and you must not assign
any IP address to that bridge or interface.
IP addressed should then be handed out by the bridge on R1 via DHCP server for instance running on that bridge.
To access the R2 via Winbox you can use MAC server or Neighbourhood discovery or you add a VLAN somewhere on R2.
Make sure you remove the "uplink" interface from the R2 address list "WAN" (basically your WAN address list is empty) and add it into LAN on R2.
Just tested here: put all interfaces on R2 on the bridge and removed the IP. Then, connected my PC to a port on R2 and wasn't able to reach R1.
Re: 2 Mikrotiks on same layer 2
There is no problem with an IP address on the R2 bridge. It is even very useful.
Just add all interfaces of R2 to the R2 bridge. Remove the DHCP server from the R2 bridge. Add a DHCP client to the R2 bridge, or set it all static yourselves (unique IP address in the R1 subnet range, R1 address as default route, DNS to R1 address). Make sure the R2 bridge is in the LAN 'interface list' if default setting was the starting point. Remove the default IP address 192.168.88.1 from the R2 bridge if needed/conflicting or to clean up. As all R2 interfaces are slaves of the R2 bridge their membership in the 'interface list', and the firewall rules and NAT settings, don't matter, but you may want to clean this up. (This IP address/route/DNS via DHCP client or static is only used by the R2 device itself, not by the clients. For the clients this R2 is just a bridge/switch/L2 connection.)
The clients connecting to R1 and to R2 should get their IP address/route/DNS entries from the R1 DHCP server in exact the same way.
Just add all interfaces of R2 to the R2 bridge. Remove the DHCP server from the R2 bridge. Add a DHCP client to the R2 bridge, or set it all static yourselves (unique IP address in the R1 subnet range, R1 address as default route, DNS to R1 address). Make sure the R2 bridge is in the LAN 'interface list' if default setting was the starting point. Remove the default IP address 192.168.88.1 from the R2 bridge if needed/conflicting or to clean up. As all R2 interfaces are slaves of the R2 bridge their membership in the 'interface list', and the firewall rules and NAT settings, don't matter, but you may want to clean this up. (This IP address/route/DNS via DHCP client or static is only used by the R2 device itself, not by the clients. For the clients this R2 is just a bridge/switch/L2 connection.)
The clients connecting to R1 and to R2 should get their IP address/route/DNS entries from the R1 DHCP server in exact the same way.
Re: 2 Mikrotiks on same layer 2
Hi bpwl!
Just did that, no success.
Only to check it up:
R1
ether1 connected to the ISP router. Address 192.168.100.2. ISP is .1
wlan, ether2, ether3, ether4 and ether5 added to the bridge local. Bridge address 192.168.0.254/24
Default route is ISP.
DNS to the internet.
R2 is at the ether5 interface.
R2
All interfaces (wlan including) added to the bridge-local. Address 192.168.0.253/30
Defaut route is 192.168.0.254
R1 is at the ether2 interface.
No connectivity to the R1.
I'll try to wype the old 751G box to see if it can be any older config.
Just did that, no success.
Only to check it up:
R1
ether1 connected to the ISP router. Address 192.168.100.2. ISP is .1
wlan, ether2, ether3, ether4 and ether5 added to the bridge local. Bridge address 192.168.0.254/24
Default route is ISP.
DNS to the internet.
R2 is at the ether5 interface.
R2
All interfaces (wlan including) added to the bridge-local. Address 192.168.0.253/30
Defaut route is 192.168.0.254
R1 is at the ether2 interface.
No connectivity to the R1.
I'll try to wype the old 751G box to see if it can be any older config.
Re: 2 Mikrotiks on same layer 2
IP address 192.168.0.253/30 should be 192.168.0.253/24
Netmask defines what's local and what is remote. It's better to have them equal in the subnet.
R1 DHCP server also should distribute network 192.168.0.0/24 for the clients, and some range in that subnet. (That would be seen as remote by R2 with the /30, and failing in both directions with clients)
But don't understand why you cannot Tools/ PING R1 from R2 and R2 from R1 if both bridges are in the LAN 'interface list'. with addresses 253 and 254 ( = firewall allows access)
Tools/PING is using the tool ping of the router, not the client
Netmask defines what's local and what is remote. It's better to have them equal in the subnet.
R1 DHCP server also should distribute network 192.168.0.0/24 for the clients, and some range in that subnet. (That would be seen as remote by R2 with the /30, and failing in both directions with clients)
But don't understand why you cannot Tools/ PING R1 from R2 and R2 from R1 if both bridges are in the LAN 'interface list'. with addresses 253 and 254 ( = firewall allows access)
Tools/PING is using the tool ping of the router, not the client
Re: 2 Mikrotiks on same layer 2
You are right. That was a typing mistake. It is already /24.IP address 192.168.0.253/30 should be 192.168.0.253/24
Netmask defines what's local and what is remote. It's better to have them equal in the subnet.
R1 DHCP server also should distribute network 192.168.0.0/24 for the clients, and some range in that subnet. (That would be seen as remote by R2 with the /30, and failing in both directions with clients)
That's the thing. I don't know as well. It seems to me some kind of loop protection or something like that. They even see each other via neighbors list.But don't understand why you cannot Tools/ PING R1 from R2 and R2 from R1 if both bridges are in the LAN 'interface list'. with addresses 253 and 254 ( = firewall allows access)
Tools/PING is using the tool ping of the router, not the client
There is something about the 'interface list'. ON R2 I see interfaces in list, but not in R1.
R2
Code: Select all
[admin@R2] /interface list member> print
Flags: X - disabled, D - dynamic
# LIST INTERFACE
0 discover ether1-uplink
1 discover ether2
2 discover ether3
3 discover ether4
4 discover ether5
5 discover bridge-local
6 discover *F
7 discover *14
8 discover *15
9 mactel ether2
10 mactel ether3
11 mac-winbox ether2
12 mactel ether4
13 mac-winbox ether3
14 mactel ether5
15 mac-winbox ether4
16 mactel wlan1
17 mac-winbox ether5
18 mactel bridge-local
19 mac-winbox wlan1
20 mac-winbox bridge-localR1
Code: Select all
[admin@R1] > interface list member print
Flags: X - disabled, D - dynamic
# LIST INTERFACE
I noted as well that in the R1 there is only Rx packets on the interface with R2. On the R2 there is only TX on the interface with R1.
Re: 2 Mikrotiks on same layer 2
Check the firewall filters in R1. If interfaces are not in the LAN list then there are no rules to allow access to R1 with the default firewall.
Your discover interface list is not the LAN list!
The words "LAN" and "WAN" are used in the default config !
(extract from default config)
It would be more efficient if you post both configs here (/export hide-sensitive file=yourfilename) as yourfilename.rsc file attachments
Your discover interface list is not the LAN list!
The words "LAN" and "WAN" are used in the default config !
(extract from default config)
Code: Select all
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LANRe: 2 Mikrotiks on same layer 2
Hello!
I'm attaching the configurations. As I put the both routers in my desk, now the interfaces between them are ether2 in R2 and ether5-pc on R1.
I'm attaching the configurations. As I put the both routers in my desk, now the interfaces between them are ether2 in R2 and ether5-pc on R1.
Last edited by LuizMeier on Sat Jan 23, 2021 5:17 am, edited 1 time in total.
Re: 2 Mikrotiks on same layer 2
Using /export hide-sensitive is generally recommended, and as you also appear to have left login credentials for external services in scripts you may wish to change them.
R2 has lots of unnecessary configuration for a simple bridged access point (ipsec, ppp, firewall rules, dhcp-server, static dns, queues, bgp, metarouter, hotspot) - I would remove all of that as a starting point as there may be something unexpected interfering with what should be a simple setup.
R2 has lots of unnecessary configuration for a simple bridged access point (ipsec, ppp, firewall rules, dhcp-server, static dns, queues, bgp, metarouter, hotspot) - I would remove all of that as a starting point as there may be something unexpected interfering with what should be a simple setup.
Re: 2 Mikrotiks on same layer 2
I did that, but forgot the scripts. I made a factory reset on R2 and the behaviour remains the same.Using /export hide-sensitive is generally recommended, and as you also appear to have left login credentials for external services in scripts you may wish to change them.
R2 has lots of unnecessary configuration for a simple bridged access point (ipsec, ppp, firewall rules, dhcp-server, static dns, queues, bgp, metarouter, hotspot) - I would remove all of that as a starting point as there may be something unexpected interfering with what should be a simple setup.
Just posting again the configs.
You do not have the required permissions to view the files attached to this post.
Re: 2 Mikrotiks on same layer 2
Was still reading these rather complex configs. :-) Even if R2 was not using almost any of the settings (all is bridged).
Cleaned up version:
R2 has the DHCP server enabled. Should not.
R2 Ether1 has the DHCP-client (and is not on the bridge). OK if you are NOT using ether1.
IP route missing in R2. But that's no problem for the R1-R2 communication.
Remark: using R2/ether1 with the posted config will make this R2 network an independent subnet, filtered and protected from R1, but should be able to reach all in R1 and internet.
R1 is long to analyze if any of the firewall rules would block traffic. But 192.168.0.0/24 is in the "allowed-to-router" list and OK.
Maybe as you stated in the beginning it is something at the L2 level ((R)STP protocol disabling interface?) What is the status of your bridge ports? Are there any loops in your network setup (e.g. common switch between R1 and R2?)
(and yes as @tdw says "hide-sensitive" is not smart enough to hide passwords in scripts)
Cleaned up version:
R2 has the DHCP server enabled. Should not.
R2 Ether1 has the DHCP-client (and is not on the bridge). OK if you are NOT using ether1.
IP route missing in R2. But that's no problem for the R1-R2 communication.
Remark: using R2/ether1 with the posted config will make this R2 network an independent subnet, filtered and protected from R1, but should be able to reach all in R1 and internet.
R1 is long to analyze if any of the firewall rules would block traffic. But 192.168.0.0/24 is in the "allowed-to-router" list and OK.
Maybe as you stated in the beginning it is something at the L2 level ((R)STP protocol disabling interface?) What is the status of your bridge ports? Are there any loops in your network setup (e.g. common switch between R1 and R2?)
(and yes as @tdw says "hide-sensitive" is not smart enough to hide passwords in scripts)
Re: 2 Mikrotiks on same layer 2
Hello!Was still reading these rather complex configs. :-) Even if R2 was not using almost any of the settings (all is bridged).
Cleaned up version:
R2 has the DHCP server enabled. Should not.
R2 Ether1 has the DHCP-client (and is not on the bridge). OK if you are NOT using ether1.
IP route missing in R2. But that's no problem for the R1-R2 communication.
Remark: using R2/ether1 with the posted config will make this R2 network an independent subnet, filtered and protected from R1, but should be able to reach all in R1 and internet.
R1 is long to analyze if any of the firewall rules would block traffic. But 192.168.0.0/24 is in the "allowed-to-router" list and OK.
Maybe as you stated in the beginning it is something at the L2 level ((R)STP protocol disabling interface?) What is the status of your bridge ports? Are there any loops in your network setup (e.g. common switch between R1 and R2?)
(and yes as @tdw says "hide-sensitive" is not smart enough to hide passwords in scripts)
I wiped both devices and re-configured it all from scratch. Everything came back to work as intended. I still don't know why that happened and what caused the issue.
Who is online
Users browsing this forum: LunaticRv, panzermaster18, phascogale, scoobyn8, Sob, UkRainUa and 42 guests