usdmatt
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Oct 29, 2013 6:18 pm

RB2011 Default Port Configuration (Master/Bridge)

Wed Oct 30, 2013 3:42 pm

Hello,

I'm slowly getting up to speed on the intricacies of RouterOS/RouterBoards but one thing intrigues me about the default configuration on RB2011 devices (and maybe others).

My understanding is that bridging ports involves the CPU (unless any RouterBoards have fancy bridging hardware I'm not aware of), and that to get real hardware switching you need to use the master/slave port options. (This is backed up by the Mikrotik WIKI on master/slave ports)

We use quite a few RB750's and they are configured as expected, with port 2 as a master and 3,4,5 slaves. This should allow switching between the 4 LAN ports to be entirely in hardware.

However, we've also started using the RB2011 units recently and they appear to default as follows:

6: Master
7,8,9,10: Slaves of 6
2,3,4,5,6: Bridged

This effectively puts all ports other than 1 onto the same broadcast domain, but I'm confused why they chose to bridge the gigabit ports separately.

Would it not be more efficient to configure it like so?:

2,6: Master
3,4,5: Slaves of 2
7,8,9,10: Slaves of 6
2,6: Bridged
 
JJCinAZ
Member
Posts: 473
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: RB2011 Default Port Configuration (Master/Bridge)

Wed Oct 30, 2013 4:39 pm

Yes, it could be more efficient depending on traffic patterns. You could also use one of the 10/100 ports as the Internet or upstream port instead of ether1 which is 10/100/1000, thus keeping your Lan ports all on the gigabit ports.
 
usdmatt
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Oct 29, 2013 6:18 pm

Re: RB2011 Default Port Configuration (Master/Bridge)

Wed Oct 30, 2013 5:06 pm

Yes, for my home RB2011 I've set port 6 as the gateway (BT's VDSL Modem only links at 100Mbps max by the look of it anyway) and I'm using 1-5 as a straight gigabit switch. For most purposes defaulting to WAN on port 1 is probably a waste of a gig port, although it's consistent with all other RouterBoard hardware.

I just find it strange that the default config bridges ports 2-5 rather than using master/slave.
 
dunga
Member Candidate
Posts: 254
Joined: Fri Jan 23, 2009 9:51 am
Location: Nigeria

Re: RB2011 Default Port Configuration (Master/Bridge)

Thu Nov 07, 2013 4:40 pm

Hello all,
I am interested in this topic, because I have a bandwidth of 2meg down and 1meg up, but the fibre link is connected through port1 on my RB2011LS. At times I notice that the link will stop and later pick up again. I don't understand what you guys are actually saying about the ports. Are you saying that port 1 is not good to use as the WAN port to carry that size of bandwidth because it is just 1000/100/10 while others are better used?

Please, I need clarification so as to understand where the problem might be coming from.

Thanks, your response will be appreciated.
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: RB2011 Default Port Configuration (Master/Bridge)

Sun Nov 10, 2013 2:37 am

The RB2011 has two hardware switch chips, these are the 1Gb/s switch and the 100Mb/s switch. I generally do a master slave configuration of the entire switch chip together followed by the two hardware chips bridged in software with the wireless LAN. If the RB2011 is used as a gateway to the internet, it will probably be more efficient to use the 100Mb/s port as a gateway rather than the 1Gb/s port if the internet speeds are below 100Mb/s. Only due to the ability to gain another 1Gb/s port for LAN utilization.

The default setup of having the 1Gb/s ports CPU bridged is not taking the best advantage of the hardware, it in fact limits the LAN throughput in the real world to below 1Gb/s.

Let me know if this is not clear.
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: RB2011 Default Port Configuration (Master/Bridge)

Sun Nov 10, 2013 6:18 am

CTrain has explained it well. What is truly needed is 10 1000MB ports instead of one side 100MB. Who uses 100MB anymore?
 
robdeep
just joined
Posts: 8
Joined: Thu Oct 04, 2012 6:33 pm

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 12, 2013 3:40 am

Sort of related question... can you connect anything to the Master switch port? The Mikrotik wiki says "Interfaces for which the 'master' port is specified become inactive - no traffic is received on them and no traffic can be sent out." So, is the port not usable if it's set as a master port?
 
CTrain
Frequent Visitor
Posts: 66
Joined: Thu Nov 07, 2013 4:41 am

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 12, 2013 9:11 am

On all the router boards that I own the Master port is still fully functioning (RB2011, CRS & RB493G), I believe that the line in the wiki page is a typo.
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 12, 2013 9:48 am

Sort of related question... can you connect anything to the Master switch port? The Mikrotik wiki says "Interfaces for which the 'master' port is specified become inactive - no traffic is received on them and no traffic can be sent out." So, is the port not usable if it's set as a master port?
Has to be an error in the wiki... In fact, I always use the master port to connect the device that will be up most often (as I did with software bridges long time ago).
 
robdeep
just joined
Posts: 8
Joined: Thu Oct 04, 2012 6:33 pm

Re: RB2011 Default Port Configuration (Master/Bridge)

Wed Nov 13, 2013 2:24 am

Good to know. That wiki sentence has been like that for as long as I can remember. :(
 
leonset
Member Candidate
Posts: 256
Joined: Wed Apr 01, 2009 9:09 pm

Re: RB2011 Default Port Configuration (Master/Bridge)

Wed Nov 13, 2013 9:27 am

I've read it again and it has to refer to the fact that no traffic is shown in / passes by *slave* interfaces, all goes by the *master* one.

Say you have master port eth2 (internet gateway) and slave port eth5 (computer): if you put a firewall rule or use torch to match traffic going through eth5 you'll see *nothing*. Even in Winbox/Interfaces you'll see 0 packets.

It does make sense, because enslaving an iface makes it go through routerboard's switch chip, which is before RouterOS Kernel (at least regarding traffic flow).
 
red6
Frequent Visitor
Posts: 75
Joined: Sun Nov 17, 2013 7:10 pm
Location: Toronto, Canada

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 19, 2013 6:09 am

Yes, for my home RB2011 I've set port 6 as the gateway (BT's VDSL Modem only links at 100Mbps max by the look of it anyway) and I'm using 1-5 as a straight gigabit switch. For most purposes defaulting to WAN on port 1 is probably a waste of a gig port, although it's consistent with all other RouterBoard hardware.

I just find it strange that the default config bridges ports 2-5 rather than using master/slave.
First of all I am a MikroTik newbie but not new to networks and routers such as OpenWrt and DD-WRT (not to mention Linux IPTables/Filter).

I agree with your approach for this situation and my situation is very similar (5 Mbits down, 600Kbits up). I just wish I knew how to configure my brand new RB2011 as you have done. I am using Webfig and have no experience with the RouterOS command line interface. (I did get the PPPoE link up and am connected to my ISP)

What surprises me is that the default configuration that shipped with the unit does not firewall ports 22 or 21 or 80 (and some others I suspect like the Winbox port) on the WAN. AND, I don't see any firewall rules that are explicitly allowing these connections to succeed. It appears that the default DROP filter rule is not working or these are very special ports indeed in RouterOS.

What am I missing? And what are the 3 default items in the NAT rules? The second entry shows an Outbound Interface of "Unkown". Have we got some bugs here folks?

This is like climbing Mt. Everest.

Any suggestions, scripts, screen shots would be appreciated.

red6
"I can't get no Karma" - M. Jagger and K. Richards
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 19, 2013 4:43 pm

First of all I am a MikroTik newbie but not new to networks and routers such as OpenWrt and DD-WRT (not to mention Linux IPTables/Filter).

This is like climbing Mt. Everest. Any suggestions, scripts, screen shots would be appreciated.
Don't despair, RouterOS is worth learning, it took me about two weeks of constant study to get to where I'm at. However, I came from IPCop and other GUI distros. Here is a minimal firewall to get you going. You should be able to follow along in the GUI if you desire. The order here and input type (input & forward) is important. Make sure you remove any preexisting rules before applying these. Change ether-LAN to match your name (ether2 or bridge1 ???).

ros code

#Router and internal network protection, no internal servers, LAN is friendly
/ip firewall filter
add chain=input   action=drop   connection-state=invalid                            comment="Disallow weird packets" 
add chain=input   action=accept connection-state=new         in-interface=ether-LAN comment="Allow LAN access to the router itself"
add chain=input   action=accept connection-state=established                        comment=" ^^ that originated from LAN"
add chain=input   action=accept connection-state=related                            comment=" ^^ that originated from LAN"
add chain=input   action=accept protocol=icmp                                       comment="Allow ping ICMP from anywhere"
add chain=input   action=drop                                                       comment="Disallow anything else" 
add chain=forward action=drop   connection-state=invalid                            comment="Disallow weird packets" 
add chain=forward action=accept connection-state=new         in-interface=ether-LAN comment="Allow LAN access to move through the router"
add chain=forward action=accept connection-state=established                        comment=" ^^ that originated from LAN"
add chain=forward action=accept connection-state=related                            comment=" ^^ that originated from LAN"
add chain=forward action=drop                                                       comment="Disallow anything else"
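
The rule set above, modelled as an added example (not part of the original post and not RouterOS code): a small Python first-match simulator showing why the in-interface name matters. It assumes the interface names bridge-local and ether1-gateway that appear later in this thread, drops the comment= fields, and uses constructed sample packets.

```python
import shlex

# The posted rules with comment= dropped; {lan} stands for the in-interface name.
TEMPLATE = """
add chain=input   action=drop   connection-state=invalid
add chain=input   action=accept connection-state=new in-interface={lan}
add chain=input   action=accept connection-state=established
add chain=input   action=accept connection-state=related
add chain=input   action=accept protocol=icmp
add chain=input   action=drop
add chain=forward action=drop   connection-state=invalid
add chain=forward action=accept connection-state=new in-interface={lan}
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
add chain=forward action=drop
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict, preserving rule order."""
    rules = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:]))
    return rules

def verdict(rules, packet):
    """Return the action of the first rule whose matchers all equal the packet's fields."""
    for rule in rules:
        matchers = {k: v for k, v in rule.items() if k not in ("action", "comment")}
        if all(packet.get(k) == v for k, v in matchers.items()):
            return rule["action"]
    return "accept"  # RouterOS accepts a packet that no rule in the chain matched

def new_conn(chain, iface):  # constructed: first TCP packet of a connection
    return {"chain": chain, "connection-state": "new", "protocol": "tcp", "in-interface": iface}

# Constructed traffic, one new connection per direction.
SAMPLES = {
    "LAN to router": new_conn("input", "bridge-local"),
    "WAN to router": new_conn("input", "ether1-gateway"),
    "LAN to internet": new_conn("forward", "bridge-local"),
    "WAN to LAN": new_conn("forward", "ether1-gateway"),
}

def audit(lan_name):
    """Verdict for every sample when lan_name replaces ether-LAN in the rules."""
    return {k: verdict(parse_rules(TEMPLATE.format(lan=lan_name)), p) for k, p in SAMPLES.items()}

if __name__ == "__main__":
    print({name: audit(name) for name in ("bridge-local", "ether1-gateway")})
```

With bridge-local the LAN samples are accepted and the WAN samples dropped. With ether1-gateway every verdict inverts: the LAN is locked out of the router and the internet, and new connections arriving from the WAN are accepted.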
 
red6
Frequent Visitor
Posts: 75
Joined: Sun Nov 17, 2013 7:10 pm
Location: Toronto, Canada

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 19, 2013 5:10 pm

Thanks for the encouragement and the router script. Can I cut and paste that into a file with an editor in the command line and what file would it be? (Pretty dumb questions!)
"I can't get no Karma" - M. Jagger and K. Richards
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 19, 2013 5:20 pm

Thanks for the encouragement and the router script. Can I cut and paste that into a file with an editor in the command line and what file would it be? (Pretty dumb questions!)
Use the "winbox" tool. Go to "IP / Firewall / Firewall" tab and delete anything there. Then go to "New Terminal" and paste in the commands I've shown.
 
red6
Frequent Visitor
Posts: 75
Joined: Sun Nov 17, 2013 7:10 pm
Location: Toronto, Canada

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 19, 2013 5:48 pm

Sounds good.

So using Winbox tool or Webfig tool and "new terminal" is a nice way to subvert or get around a potentially closed port 22 I guess (especially after loading your basic firewall script) ?
"I can't get no Karma" - M. Jagger and K. Richards
 
pcunite
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 19, 2013 7:36 pm

So using Winbox tool or Webfig tool and "new terminal" is a nice way to subvert or get around a potentially closed port 22 I guess (especially after loading your basic firewall script)?
Well, if you press "Safe Mode" at the top it's supposed to help keep you from locking yourself out. Most people lock themselves out by adding/removing ports under the bridge interface. Regarding port 22, go to "IP / Services" and make sure SSH is available from 192.168.0.0/24 or whatever your network is.
 
red6
Frequent Visitor
Posts: 75
Joined: Sun Nov 17, 2013 7:10 pm
Location: Toronto, Canada

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 19, 2013 10:19 pm

I loaded that script put pasting thru webfig terminal.

Then lost connection to router on webfig. Can get into router thru winbox but I have really hosed things up with that script because I can't even use the router to get out to the internet.

Should I have deleted the default NAT entries that came with RB2011?

Two steps forward, one back.
"I can't get no Karma" - M. Jagger and K. Richards
 
red6
Frequent Visitor
Posts: 75
Joined: Sun Nov 17, 2013 7:10 pm
Location: Toronto, Canada

Re: RB2011 Default Port Configuration (Master/Bridge)

Tue Nov 19, 2013 11:30 pm

I loaded that script put pasting thru webfig terminal.

Then lost connection to router on webfig. Can get into router thru winbox but I have really hosed things up with that script because I can't even use the router to get out to the internet.

Should I have deleted the default NAT entries that came with RB2011?

Two steps forward, one back.
My dumb mistake... I set the lan to ether1-gateway in the script instead of bridge-local.

Now I can get back in thru WebFig and I can get out to the internet.
"I can't get no Karma" - M. Jagger and K. Richards
