> Sort of related question... can you connect anything to the Master switch port? The MikroTik wiki says "Interfaces for which the 'master' port is specified become inactive - no traffic is received on them and no traffic can be sent out." So, is the port not usable if it's set as a master port?

Has to be an error in the wiki... In fact, I always use the master port to connect the device that will be up most often (as I did with software bridges a long time ago).
First of all I am a MikroTik newbie but not new to networks and routers such as OpenWrt and DD-WRT (not to mention Linux IPTables/Filter).Yes, for my home RB2011 I've set port 6 as the gateway (BT's VDSL Modem only links at 100Mbps max by the look of it anyway) and I'm using 1-5 as a straight gigabit switch. For most purposes defaulting to WAN on port 1 is probably a waste of a gig port, although it's consistent with all other RouterBoard hardware.
I just find it strange that the default config bridges ports 2-5 rather than using master/slave.
> First of all I am a MikroTik newbie but not new to networks and routers such as OpenWrt and DD-WRT (not to mention Linux IPTables/Filter).
> This is like climbing Mt. Everest. Any suggestions, scripts, screen shots would be appreciated.

Don't despair, RouterOS is worth learning; it took me about two weeks of constant study to get to where I'm at. However, I came from IPCop and other GUI distros. Here is a minimal firewall to get you going. You should be able to follow along in the GUI if you desire. The order here and the input type (input & forward) are important. Make sure you remove any preexisting rules before applying these. Change ether-LAN to match your name (ether2 or bridge1 ???).
#Router and internal network protection, no internal servers, LAN is friendly
/ip firewall filter
add chain=input action=drop connection-state=invalid comment="Disallow weird packets"
add chain=input action=accept connection-state=new in-interface=ether-LAN comment="Allow LAN access to the router itself"
add chain=input action=accept connection-state=established comment=" ^^ that originated from LAN"
add chain=input action=accept connection-state=related comment=" ^^ that originated from LAN"
add chain=input action=accept protocol=icmp comment="Allow ping ICMP from anywhere"
add chain=input action=drop comment="Disallow anything else"
add chain=forward action=drop connection-state=invalid comment="Disallow weird packets"
add chain=forward action=accept connection-state=new in-interface=ether-LAN comment="Allow LAN access to move through the router"
add chain=forward action=accept connection-state=established comment=" ^^ that originated from LAN"
add chain=forward action=accept connection-state=related comment=" ^^ that originated from LAN"
add chain=forward action=drop comment="Disallow anything else"
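As an added example (not from this thread and not MikroTik code), here is a small Python model of how RouterOS walks the rule list above: within a chain the first matching rule wins, and a packet that matches nothing falls through to the default accept, which is why each chain ends in a bare drop. The interface names bridge-local and ether1-gateway are assumed from the RB2011 default config, and the sample packets are constructed. Building the same rule set with the LAN interface name pointed at the WAN port instead of the bridge shows the failure mode: LAN traffic hits the final drop, while new connections arriving from the WAN are accepted.

```python
# Added example (not from the forum thread): a model of how RouterOS evaluates
# the posted /ip firewall filter rules. Rule and packet fields, interface names
# and all sample traffic are constructed for illustration; this is not RouterOS code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The subset of packet/connection attributes the posted script matches on."""
    chain: str             # "input" (to the router) or "forward" (through it)
    connection_state: str  # "new", "established", "related" or "invalid"
    in_interface: str      # interface the packet arrived on
    protocol: str          # e.g. "tcp", "udp", "icmp"


@dataclass(frozen=True)
class Rule:
    """One 'add chain=... action=...' line; None means that matcher is absent."""
    chain: str
    action: str
    connection_state: Optional[str] = None
    in_interface: Optional[str] = None
    protocol: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is present must agree with the packet.
        return (self.chain == pkt.chain
                and self.connection_state in (None, pkt.connection_state)
                and self.in_interface in (None, pkt.in_interface)
                and self.protocol in (None, pkt.protocol))

    def to_routeros(self) -> str:
        """Render the rule back into the CLI form used in the thread."""
        parts = [f"add chain={self.chain} action={self.action}"]
        if self.connection_state:
            parts.append(f"connection-state={self.connection_state}")
        if self.in_interface:
            parts.append(f"in-interface={self.in_interface}")
        if self.protocol:
            parts.append(f"protocol={self.protocol}")
        if self.comment:
            parts.append(f'comment="{self.comment}"')
        return " ".join(parts)


def build_rules(lan: str) -> list:
    """The posted rule set (input chain, then forward chain) with ether-LAN filled in."""
    rules = []
    for chain in ("input", "forward"):
        rules += [
            Rule(chain, "drop", connection_state="invalid", comment="Disallow weird packets"),
            Rule(chain, "accept", connection_state="new", in_interface=lan, comment="Allow LAN"),
            Rule(chain, "accept", connection_state="established"),
            Rule(chain, "accept", connection_state="related"),
        ]
        if chain == "input":
            rules.append(Rule(chain, "accept", protocol="icmp", comment="Allow ping ICMP from anywhere"))
        rules.append(Rule(chain, "drop", comment="Disallow anything else"))
    return rules


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule in the packet's chain decides; with no match RouterOS
    accepts (there is no configurable default policy), hence the trailing drops."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"


WAN = "ether1-gateway"  # assumed: the RB2011 default WAN port name

# Constructed sample traffic; "bridge-local" is assumed to be the default LAN bridge.
SAMPLE_TRAFFIC = {
    "lan_new_to_router":     Packet("input",   "new",         "bridge-local", "tcp"),
    "wan_new_ssh_to_router": Packet("input",   "new",         WAN,            "tcp"),
    "wan_ping":              Packet("input",   "new",         WAN,            "icmp"),
    "wan_reply_to_router":   Packet("input",   "established", WAN,            "tcp"),
    "wan_invalid":           Packet("input",   "invalid",     WAN,            "tcp"),
    "lan_new_forward":       Packet("forward", "new",         "bridge-local", "tcp"),
    "wan_reply_forward":     Packet("forward", "established", WAN,            "tcp"),
    "wan_new_forward":       Packet("forward", "new",         WAN,            "tcp"),
}


def verdicts(lan: str) -> dict:
    """Verdict for each sample packet under the rule set built for interface `lan`."""
    rules = build_rules(lan)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for lan in ("bridge-local", WAN):
        print(f"\nrules built with in-interface={lan}")
        for name, verdict in verdicts(lan).items():
            print(f"  {name:24} {verdict}")
```

With the LAN name set correctly, LAN-originated and reply traffic is accepted and unsolicited WAN connections to the router are dropped (only ICMP gets through). With the LAN name set to the WAN port, the model accepts a new SSH connection from the WAN and drops the LAN's own access to the router, which is the kind of lockout the Safe Mode button exists to guard against.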
> Thanks for the encouragement and the router script. Can I cut and paste that into a file with an editor in the command line, and what file would it be? (Pretty dumb questions!)

Use the "winbox" tool. Go to the "IP / Firewall / Firewall" tab and delete anything there. Then go to "New Terminal" and paste in the commands I've shown.
> So using the Winbox tool or Webfig tool and "new terminal" is a nice way to subvert or get around a potentially closed port 22, I guess (especially after loading your basic firewall script)?

Well, if you press "Safe Mode" at the top it's supposed to help keep you from locking yourself out. Most people lock themselves out by adding/removing ports under the bridge interface. Regarding port 22, go to "IP / Services" and make sure SSH is available from 192.168.0.0/24 or whatever your network is.
I loaded that script by pasting it through the webfig terminal.
Then I lost connection to the router on webfig. I can get into the router through winbox, but I have really hosed things up with that script because I can't even use the router to get out to the internet.
Should I have deleted the default NAT entries that came with the RB2011?
Two steps forward, one back.

My dumb mistake... I set the LAN to ether1-gateway in the script instead of bridge-local.