antoniocerasuolo
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

VLANS creation and testing-AX2

Fri Feb 09, 2024 8:37 pm

hi,

I created 4 VLAN interfaces under a bridge directly, this bridge contains the trunk eth port.

Therefore I didn't bring the VLAN interfaces under the bridge, but they are created under the bridge interface. Is this correct?

Second question: one of the VLANs is VLAN = 1. I created this VLAN so I could see if the DHCP would assign an IP to my laptop, which of course is sitting on the default VLAN = 1.. this is not happening as there must be some root issue.

any ideas?

ciao,
Antonio
 
gigabyte091
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 8:43 pm

Hello, can you export your configuration here so we can see what you did? It's hard to say anything without config.

I wouldn't use VLAN1 at all, define some other VLAN for management. VLAN1 should work only in the background.

Also, is this ax2 your router or is it used as AP/switch?
 
antoniocerasuolo
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 8:57 pm

Hi,

the router is my router, so I took out some details like MAC addresses etc..
like I stated, the reason for creating VLAN1 is because I wanted to have a proof of concept as my laptop is not under any switch.

If I define another VLAN for management, how can I fool the computer that he is under that Management VLAN?

ciao,
Antonio

*****************************************************************************************
# 2024-02-09 19:49:48 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add comment=mikrotik_lan_bridge_wifi_1_2 name=bridge1_LAN_eth_2_3_wifi_1_2 \
    port-cost-mode=short
add comment=mikrotik_lan_bridge_ports_3_4 name=bridge2_LAN_eth_4 \
    port-cost-mode=short
add name=bridge3_VLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=bridge3_VLAN name=vlan1_default_test vlan-id=1
add interface=bridge3_VLAN name=vlan_3 vlan-id=3
add interface=bridge3_VLAN name=vlan_4 vlan-id=4
add interface=bridge3_VLAN name=vlan_5 vlan-id=5
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
    .skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
    Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
    wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 disabled=\
    no name=wifi2_2ghz security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
     master-interface=wifi2_2ghz name=wifi3_guest \
    security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool0 ranges=172.22.22.10-172.22.22.200
add name=dhcp_pool1 ranges=172.22.0.10-172.22.0.200
add name=dhcp_pool2 ranges=172.22.1.10-172.22.1.200
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_1_default ranges=172.22.11.10-172.22.11.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1_LAN_eth_2_3_wifi_1_2 \
    lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=wifi3_guest lease-time=1d name=dhcp2
add address-pool=dhcp_pool2 interface=bridge2_LAN_eth_4 lease-time=1d name=\
    dhcp3
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
    dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
    dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_1_default interface=vlan1_default_test \
    lease-time=1d name=dhcp_VLAN_1
/interface bridge port
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether2_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether3_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi1_5ghz \
    internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi2_2ghz \
    internal-path-cost=10 path-cost=10
add bridge=bridge2_LAN_eth_4 interface=ether4_LAN internal-path-cost=10 \
    path-cost=10
add bridge=bridge3_VLAN disabled=yes interface=vlan_3
add bridge=bridge3_VLAN interface=ether5_LAN
add bridge=bridge3_VLAN disabled=yes interface=vlan_4
add bridge=bridge3_VLAN disabled=yes interface=vlan_5
add bridge=bridge3_VLAN disabled=yes interface=vlan1_default_test
/interface bridge vlan
add bridge=bridge3_VLAN vlan-ids=3
add bridge=bridge3_VLAN vlan-ids=4
add bridge=bridge3_VLAN vlan-ids=5
/ip address
add address=172.22.22.1/24 interface=bridge1_LAN_eth_2_3_wifi_1_2 network=\
    172.22.22.0
add address=172.22.0.1/24 interface=wifi3_guest network=172.22.0.0
add address=172.22.1.1/24 interface=bridge2_LAN_eth_4 network=172.22.1.0
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
add address=172.22.4.0/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.0/24 interface=vlan_5 network=172.22.5.0
add address=172.22.11.0/24 interface=vlan1_default_test network=172.22.11.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=bridge1_LAN_eth_2_3_wifi_1_2 on-alert=\
    ": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
   
add disabled=no interface=bridge2_LAN_eth_4 on-alert=\
    ":log error= \" not valid DHCP server bridge_2\"" valid-server=\
    
add disabled=no interface=wifi3_guest on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    
/ip dhcp-server network
add address=172.22.0.0/24 gateway=172.22.0.1
add address=172.22.1.0/24 gateway=172.22.1.1
add address=172.22.3.0/24 gateway=172.22.3.1
add address=172.22.4.0/24 gateway=172.22.4.1
add address=172.22.5.0/24 gateway=172.22.5.1
add address=172.22.11.0/24 gateway=172.22.11.1
add address=172.22.22.0/24 comment=LAN_HOME gateway=172.22.22.1
/ip firewall address-list
add address=172.22.0.0/24 list=block_porn
add address=172.22.1.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.22.0/24 list=block_porn
/ip firewall filter
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
    protocol=icmp src-address=172.22.0.0/24
add action=drop chain=input comment="block port scanners" src-address-list=\
    port_scanners
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input comment="port scanner detector" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
    53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
    to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
set winbox address=172.22.1.0/24,172.22.22.0/24,172.22.3.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
Last edited by BartoszP on Sat Feb 10, 2024 1:44 am, edited 1 time in total.
Reason: Please use proper tagging
 
gigabyte091
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 9:15 pm

You should use only one bridge, you have 3 bridges here !!

You need 4 VLANs, right? So use VLANs 2,3,4,5. Don't use VLAN1

/interface vlan
add interface=bridge name=vlan_2 vlan-id=2
add interface=bridge name=vlan_3 vlan-id=3
add interface=bridge name=vlan_4 vlan-id=4
add interface=bridge name=vlan_5 vlan-id=5

You created DHCP servers and assigned them to VLAN interfaces, that's good. The only change I would make here is from this:

add address-pool=dhcp_pool_VLAN_1_default interface=vlan1_default_test \
    lease-time=1d name=dhcp_VLAN_1

To this:

add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 \
    lease-time=1d name=dhcp_VLAN_2

And rename address pool for that DHCP server to:

add name=dhcp_pool_VLAN_2 ranges=172.22.11.10-172.22.11.200

You messed up here:

/interface bridge port
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether2_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether3_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi1_5ghz \
    internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi2_2ghz \
    internal-path-cost=10 path-cost=10
add bridge=bridge2_LAN_eth_4 interface=ether4_LAN internal-path-cost=10 \
    path-cost=10
add bridge=bridge3_VLAN disabled=yes interface=vlan_3
add bridge=bridge3_VLAN interface=ether5_LAN
add bridge=bridge3_VLAN disabled=yes interface=vlan_4
add bridge=bridge3_VLAN disabled=yes interface=vlan_5
add bridge=bridge3_VLAN disabled=yes interface=vlan1_default_test

You should add only ports here, not VLAN interfaces, and it should look like this without VLANs:

/interface bridge port
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=wifi2 internal-path-cost=10 path-cost=10

Then you need to specify which port will be used as trunk, which ports will be untagged for which VLAN and which VLAN will be management VLAN. On that VLAN should be your PC or device you will use to access your router. Then we will continue, as I can't configure your VLANs without additional information.
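
The three problems named in the reply above (more than one bridge, VLAN ID 1, VLAN interfaces added as bridge ports) can be checked mechanically in an export. This is an added example, not part of the original post and not MikroTik tooling; the sample exports are constructed and the function names are hypothetical. It goes one step beyond the reply by also flagging a bridge that carries VLAN interfaces without vlan-filtering=yes, because the bridge VLAN table (tagged/untagged membership) is only enforced when that option is set.

```python
import re
import shlex

# Constructed sample, abridged in the style of the exports posted in this thread.
SAMPLE_EXPORT = r"""
/interface bridge
add comment=lan name=bridge1_LAN \
    port-cost-mode=short
add name=bridge3_VLAN
/interface vlan
add interface=bridge3_VLAN name=vlan1_default_test vlan-id=1
add interface=bridge3_VLAN name=vlan_3 vlan-id=3
/interface bridge port
add bridge=bridge1_LAN interface=ether2_LAN
add bridge=bridge3_VLAN interface=ether5_LAN
add bridge=bridge3_VLAN disabled=yes interface=vlan_3
/interface bridge vlan
add bridge=bridge3_VLAN vlan-ids=3
"""

# Constructed sample of the single-bridge layout the reply recommends.
CORRECTED_EXPORT = r"""
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan_2 vlan-id=2
add interface=bridge name=vlan_3 vlan-id=3
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether5
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=2,3
"""


def parse_export(text):
    """Parse a RouterOS export into {menu path: [record, ...]} (hypothetical helper)."""
    # The export wraps long lines with a trailing backslash, sometimes in the
    # middle of a key=value pair, so join continuations before tokenising.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            current = sections.setdefault(line, [])
            continue
        if current is None:
            continue
        tokens = shlex.split(line)  # honours quoted values such as comment="a b"
        record = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                record[key] = value
        current.append(record)
    return sections


def _added(cfg, menu):
    """Records created with 'add' under one menu path."""
    return [r for r in cfg.get(menu, []) if r["_cmd"] == "add"]


def audit_vlan_layout(text):
    """Return (finding, subject) tuples for the layout mistakes discussed above."""
    cfg = parse_export(text)
    findings = []

    # 1) More than one enabled bridge.
    bridges = [b for b in _added(cfg, "/interface bridge") if b.get("disabled") != "yes"]
    if len(bridges) > 1:
        findings.append(("multiple-bridges", ", ".join(b.get("name", "?") for b in bridges)))

    # 2) A VLAN interface using VLAN ID 1.
    vlan_ifaces = _added(cfg, "/interface vlan")
    for v in vlan_ifaces:
        if v.get("vlan-id") == "1":
            findings.append(("vlan-1-in-use", v.get("name", "?")))

    # 3) A VLAN interface listed as a bridge port (reported even when disabled).
    vlan_names = {v["name"] for v in vlan_ifaces if "name" in v}
    for p in _added(cfg, "/interface bridge port"):
        if p.get("interface") in vlan_names:
            findings.append(("vlan-interface-as-bridge-port", p["interface"]))

    # 4) Beyond the reply: VLAN interfaces on a bridge without vlan-filtering=yes.
    for b in bridges:
        carries_vlans = any(v.get("interface") == b.get("name") for v in vlan_ifaces)
        if carries_vlans and b.get("vlan-filtering") != "yes":
            findings.append(("vlan-filtering-off", b.get("name", "?")))
    return findings


if __name__ == "__main__":
    for finding, subject in audit_vlan_layout(SAMPLE_EXPORT):
        print(f"{finding}: {subject}")
```
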
 
antoniocerasuolo
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 9:54 pm

hi,

I completed the tasks as you suggested..

mainly created VLAN 2 and then took out the VLANs from the VLAN bridge

"Then you need to specify which port will be used as trunk, which ports will be untagged for which VLAN and which VLAN will be management VLAN. On that VLAN should be your PC or device you will use to access to your router. Then we will continue as I can't configure your VLANs without additional information."

I can't put all those ports under a common bridge as they are already under other bridges..

can't we just use the VLAN bridge I created with port 5 as the trunk port transporting all the VLANs?

I attached a picture with how I created the VLANs and the rest..


*************************************************************************************************

# 2024-02-09 20:39:46 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# s
/interface bridge
add comment=mikrotik_lan_bridge_wifi_1_2 name=bridge1_LAN_eth_2_3_wifi_1_2 \
    port-cost-mode=short
add comment=mikrotik_lan_bridge_ports_3_4 name=bridge2_LAN_eth_4 \
    port-cost-mode=short
add name=bridge3_VLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=bridge3_VLAN name=vlan_2 vlan-id=2
add interface=bridge3_VLAN name=vlan_3 vlan-id=3
add interface=bridge3_VLAN name=vlan_4 vlan-id=4
add interface=bridge3_VLAN name=vlan_5 vlan-id=5
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
    .skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
    Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
    wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 disabled=\
    no name=wifi2_2ghz security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
    master-interface=wifi2_2ghz name=wifi3_guest \
    security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool0 ranges=172.22.22.10-172.22.22.200
add name=dhcp_pool1 ranges=172.22.0.10-172.22.0.200
add name=dhcp_pool2 ranges=172.22.1.10-172.22.1.200
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.11.10-172.22.11.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1_LAN_eth_2_3_wifi_1_2 \
    lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=wifi3_guest lease-time=1d name=dhcp2
add address-pool=dhcp_pool2 interface=bridge2_LAN_eth_4 lease-time=1d name=\
    dhcp3
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
    dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
    dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
    dhcp_VLAN_2
/interface bridge port
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether2_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=ether3_LAN \
    internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi1_5ghz \
    internal-path-cost=10 path-cost=10
add bridge=bridge1_LAN_eth_2_3_wifi_1_2 interface=wifi2_2ghz \
    internal-path-cost=10 path-cost=10
add bridge=bridge2_LAN_eth_4 interface=ether4_LAN internal-path-cost=10 \
    path-cost=10
add bridge=bridge3_VLAN interface=ether5_LAN
/interface bridge vlan
add bridge=bridge3_VLAN vlan-ids=3
add bridge=bridge3_VLAN vlan-ids=4
add bridge=bridge3_VLAN vlan-ids=5
add bridge=bridge3_VLAN vlan-ids=2
/ip address
add address=172.22.22.1/24 interface=bridge1_LAN_eth_2_3_wifi_1_2 network=\
    172.22.22.0
add address=172.22.0.1/24 interface=wifi3_guest network=172.22.0.0
add address=172.22.1.1/24 interface=bridge2_LAN_eth_4 network=172.22.1.0
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
add address=172.22.4.0/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.0/24 interface=vlan_5 network=172.22.5.0
add address=172.22.11.0/24 interface=vlan_2 network=172.22.11.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=bridge1_LAN_eth_2_3_wifi_1_2 on-alert=\
    ": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
    
add disabled=no interface=bridge2_LAN_eth_4 on-alert=\
    ":log error= \" not valid DHCP server bridge_2\"" valid-server=\
    
add disabled=no interface=wifi3_guest on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    
/ip dhcp-server network
add address=172.22.0.0/24 gateway=172.22.0.1
add address=172.22.1.0/24 gateway=172.22.1.1
add address=172.22.3.0/24 gateway=172.22.3.1
add address=172.22.4.0/24 gateway=172.22.4.1
add address=172.22.5.0/24 gateway=172.22.5.1
add address=172.22.11.0/24 gateway=172.22.11.1
add address=172.22.22.0/24 comment=LAN_HOME gateway=172.22.22.1
/ip firewall address-list
add address=172.22.0.0/24 list=block_porn
add address=172.22.1.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.22.0/24 list=block_porn
/ip firewall filter
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
    protocol=icmp src-address=172.22.0.0/24
add action=drop chain=input comment="block port scanners" src-address-list=\
    port_scanners
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input comment="port scanner detector" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
    53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
    to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
set winbox address=172.22.1.0/24,172.22.22.0/24,172.22.3.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
Last edited by BartoszP on Sat Feb 10, 2024 1:44 am, edited 1 time in total.
Reason: again: please use proper tagging
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 9:58 pm

One should read this article before proceeding. viewtopic.php?t=143620

Don't bother posting with three bridges again.
 
gigabyte091
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 10:01 pm

Why are you insisting on multiple bridges? They are not needed in your case. @anav... I mean @Mesquite provided you with a good tutorial on VLANs.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 10:33 pm

Which one is Dr. Jekyll and.......
 
anav
Forum Guru
Posts: 19405
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 10:33 pm

Which one is Mr. Hyde?
 
jaclaz
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 10:46 pm

Once said that the two most common mistakes people make (according to Mikrotik experts) are:
1) use VLAN 1
2) use more than one bridge
it doesn't seem to me like new users making these mistakes deserve this kind of impolite and snarky replies.

We are seemingly back to where we were in (utter lack of basic) politeness.

A rose by any other name ...
 
gigabyte091
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 10:53 pm

Please, without forum politeness posts again. This topic is about VLANs on ax2.

Mr. Hyde here was direct, no need for three bridges. If OP wants it can be solved with one bridge.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 10:57 pm

I was referring to the fact that gigabyte recommended one bridge and the OP didn't seem to understand.
I provided some guidance in PC unites excellent article.
Perhaps you would have the OP continue trying to use three bridges? To me that would be rude and sub-standard assistance.
Each to his own I guess.
 
jaclaz
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 11:20 pm

I guess it is time to invoke Dukhat:
http://jdebp.info/FGA/dukhat-on-foolishness.html

Being direct is one thing, "Don't bother to ..." is another.

Asking rhetorical questions such as "Why are you insisting on ..." doesn't add anything meaningful to a reply.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Fri Feb 09, 2024 11:51 pm

If you wish to help the OP solve his issues using three bridges then by all means, and I will step aside and assist others.
If not, then you're just wasting all of our time.
 
jaclaz
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 12:29 am

You can well ignore my comments, no time wasted.
 
Mesquite
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 2:47 am

I wish I could.....
to the OP antonio........ my apologies for angst you may feel due to my posts.
I am excusing myself from this thread and you are in good hands with jaclaz.
He is quite knowledgeable and will help you with a successful three bridge configuration, which is totally possible.
 
gigabyte091
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 6:55 am

@jaclaz

You can as well ignore other people's comments and not turn some topic into another discussion. Not defending someone here but I don't but there was a topic about that, this is about VLANs and I think we should stick to it until we go completely off topic.

@OP

You need to understand that what you are doing is wrong and will have an impact on your performance. For example, only one bridge per device can be HW offloaded, which means that other bridges need to be handled by the CPU.

You can take them out of the bridge and add them to another bridge. When a bridge has no member ports you just delete it.

The simpler the better, you will complicate your life.
 
antoniocerasuolo
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 9:46 am

Hi Gurus,

don't worry!!

I'm an engineer and like rigor!

I want to do this the right way, have been struggling all night without any success.

I just was fond of my baby :lol:

I will create one bridge as the standard proposes and then let's take it from there.. ok guys :-)

for now I need some coffee :-)

ciao,
Antonio
 
antoniocerasuolo
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 10:25 am

Guys,

here is the config with only one bridge :lol:
I just left the guest wifi out as I am using that IP as part of management of the winbox as you can see below

the DHCP was saying can't have DHCP on a slave interface, that wifi guest is created under the 2GHZ wifi.

I can clean up everything later or now if you think better but just want to get the thing running

my PC is running on eth port 5 so was thinking that could be the TRUNK for all the VLANs.

I ordered a mikrotik CRS112-8G-4S-IN but that will come in two weeks so can fine tune this thing to get it working.

ciao,
Antonio

**************************************************************************
# 2024-02-10 09:16:58 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number = 

/interface bridge
add comment=mikrotik_lan_bridge_wifi_1_2 disabled=yes name=\
    bridge1_LAN_eth_2_3_wifi_1_2 port-cost-mode=short
add comment=mikrotik_lan_bridge_ports_3_4 disabled=yes name=bridge2_LAN_eth_4 \
    port-cost-mode=short
add disabled=yes name=bridge3_VLAN vlan-filtering=yes
add name=main_bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
    .skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
    Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
    wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 disabled=\
    no name=wifi2_2ghz security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
    master-interface=wifi2_2ghz name=wifi3_guest \
    security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool0 ranges=172.22.22.10-172.22.22.200
add name=dhcp_pool1 ranges=172.22.0.10-172.22.0.200
add name=dhcp_pool2 ranges=172.22.1.10-172.22.1.200
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.11.10-172.22.11.200
add name=dhcp_pool9 ranges=172.22.9.10-172.22.9.200
add name=dhcp_pool10 ranges=10.2.2.10-10.2.2.200
add name=dhcp_pool11 ranges=171.22.2.10-171.22.2.200
add name=dhcp_pool12 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool13 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool14 ranges=172.22.5.10-172.22.5.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=yes interface=\
    bridge1_LAN_eth_2_3_wifi_1_2 lease-time=1d name=dhcp1
add address-pool=dhcp_pool1 interface=wifi3_guest lease-time=1d name=\
    dhcp_wifi_guest
add address-pool=dhcp_pool2 disabled=yes interface=bridge2_LAN_eth_4 \
    lease-time=1d name=dhcp3
add address-pool=dhcp_pool9 disabled=yes interface=bridge3_VLAN lease-time=1d \
    name=dhcp4
add address-pool=dhcp_pool10 disabled=yes interface=ether5_LAN lease-time=1d \
    name=dhcp5
add address-pool=dhcp_pool11 interface=vlan_2 lease-time=1d name=dhcp_VLAN_2
add address-pool=dhcp_pool12 interface=vlan_3 lease-time=1d name=dhcp_VLAN_3
add address-pool=dhcp_pool13 interface=vlan_4 lease-time=1d name=dhcp_VLAN_4
add address-pool=dhcp_pool14 interface=vlan_5 lease-time=1d name=dhcp_VLAN_5
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=ether5_LAN
add bridge=main_bridge disabled=yes interface=wifi3_guest
/interface bridge vlan
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=3
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=4
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=5
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=2
/ip address
add address=172.22.22.1/24 disabled=yes interface=\
    bridge1_LAN_eth_2_3_wifi_1_2 network=172.22.22.0
add address=172.22.0.1/24 interface=wifi3_guest network=172.22.0.0
add address=172.22.1.1/24 disabled=yes interface=bridge2_LAN_eth_4 network=\
    172.22.1.0
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=172.22.9.1/24 disabled=yes interface=bridge3_VLAN network=\
    172.22.9.0
add address=10.2.2.1/24 disabled=yes interface=ether5_LAN network=10.2.2.0
add address=171.22.2.1/24 interface=vlan_2 network=171.22.2.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=bridge1_LAN_eth_2_3_wifi_1_2 on-alert=\
    ": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
    
add disabled=no interface=bridge2_LAN_eth_4 on-alert=\
    ":log error= \" not valid DHCP server bridge_2\"" valid-server=\
    
add disabled=no interface=wifi3_guest on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
   
/ip dhcp-server network
add address=10.2.2.0/24 gateway=10.2.2.1
add address=10.22.22.0/24 gateway=10.22.22.1
add address=171.22.2.0/24 gateway=171.22.2.1
add address=172.22.0.0/24 gateway=172.22.0.1
add address=172.22.1.0/24 gateway=172.22.1.1
add address=172.22.3.0/24 gateway=172.22.3.1
add address=172.22.4.0/24 gateway=172.22.4.1
add address=172.22.5.0/24 gateway=172.22.5.1
add address=172.22.9.0/24 gateway=172.22.9.1
add address=172.22.11.0/24 gateway=172.22.11.1
add address=172.22.22.0/24 comment=LAN_HOME gateway=172.22.22.1
/ip firewall address-list
add address=172.22.0.0/24 list=block_porn
add address=172.22.1.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.22.0/24 list=block_porn
/ip firewall filter
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
    protocol=icmp src-address=172.22.0.0/24
add action=drop chain=input comment="block port scanners" src-address-list=\
    port_scanners
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input comment="port scanner detector" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
    53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
    to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
set winbox address=\
    172.22.1.0/24,172.22.22.0/24,172.22.3.0/24,172.22.0.0/24,10.22.22.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
Last edited by antoniocerasuolo on Sun Feb 11, 2024 5:42 pm, edited 1 time in total.
 
gigabyte091
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 11:33 am

Yes, so assign DHCP server to the VLAN interface, then untag wanted interfaces to desired VLAN.

For example, VLAN2 is for guest wifi: untag the desired interface for that VLAN and when guests connect to that interface they will be in the correct VLAN.

Your configuration is a mess right now.
 
antoniocerasuolo
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 12:06 pm

hi Giga,

I cleaned it up hope it looks better, once I

as soon as I get this to work I will also get my guest wifi under the bridge and assign a VLAN!

for now I want to get VLAN5 across to port5 where my laptop is sitting so I untagged as you mentioned but still nothing, the DHCP server needs some gas :lol:
not sure what I'm doing wrong

***********************************************************************************************************
# 2024-02-10 11:00:09 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add name=main_bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
    .skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
    Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
    wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 disabled=\
    no name=wifi2_2ghz security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
     master-interface=wifi2_2ghz name=wifi3_guest \
    security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool_wifi_guest ranges=172.22.0.10-172.22.0.200
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=171.22.2.10-171.22.2.200
/ip dhcp-server
add address-pool=dhcp_pool_wifi_guest interface=wifi3_guest lease-time=1d \
    name=dhcp_wifi_guest
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
    dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
    dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
    dhcp_VLAN_2
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
    10
add bridge=main_bridge interface=ether5_LAN
add bridge=main_bridge disabled=yes interface=wifi3_guest
/interface bridge vlan
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=3
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=4
add bridge=main_bridge tagged=main_bridge untagged=ether5_LAN vlan-ids=5
add bridge=main_bridge tagged=ether5_LAN,main_bridge vlan-ids=2
/ip address
add address=172.22.0.1/24 interface=wifi3_guest network=172.22.0.0
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=171.22.2.1/24 interface=vlan_2 network=171.22.2.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=*8 on-alert=\
    ": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
    
add disabled=no interface=*A on-alert=\
    ":log error= \" not valid DHCP server bridge_2\"" valid-server=\
    
add disabled=no interface=wifi3_guest on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    
/ip dhcp-server network
add address=171.22.2.0/24 comment=VLAN2 gateway=171.22.2.1
add address=172.22.0.0/24 comment="wifi guest" gateway=172.22.0.1
add address=172.22.3.0/24 comment=VLAN3 gateway=172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 gateway=172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 gateway=172.22.5.1
/ip firewall address-list
add address=172.22.0.0/24 list=block_porn
add address=172.22.1.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.22.0/24 list=block_porn
/ip firewall filter
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
    protocol=icmp src-address=172.22.0.0/24
add action=drop chain=input comment="block port scanners" src-address-list=\
    port_scanners
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input comment="port scanner detector" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
    53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
    to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
set winbox address=\
    172.22.1.0/24,172.22.22.0/24,172.22.3.0/24,172.22.0.0/24,10.22.22.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
Last edited by antoniocerasuolo on Sun Feb 11, 2024 5:42 pm, edited 1 time in total.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 1:20 pm

Much cleaner, but it's not enough to just untag it, you need to set which VLAN ID the port uses. Under bridge ports open port 5 and under the VLAN tab set frame types to admit all and set PVID to 5; this way you will create something called a hybrid port, where VLAN 5 is untagged and other VLANs are tagged.

Also, you need to enable VLAN filtering on your bridge for VLANs to work.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 3:08 pm

hi Giga,

all is working fine thanks.

I created Vlans for the wifis also, they seem to work fine!

can you take one quick look at the config if you think anything could be fine tuned?

*********************************************************************************************
# 2024-02-10 14:04:24 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add name=main_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
add interface=main_bridge name=vlan_wifi_2 vlan-id=10
add interface=main_bridge name=vlan_wifi_5 vlan-id=20
add interface=main_bridge name=vlan_wifi_guest vlan-id=30
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
    .skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
    Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
    wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 \
    datapath.interface-list=all disabled=no name=wifi2_2ghz \
    security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
    master-interface=wifi2_2ghz name=wifi3_guest \
    security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.2.10-172.22.2.200
add name=dhcp_pool_wifi_2 ranges=10.22.22.10-10.22.22.200
add name=dhcp_pool_wifi_5 ranges=10.22.20.10-10.22.20.200
add name=dhcp_pool18 ranges=10.22.0.10-10.22.0.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
    dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
    dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
    dhcp_VLAN_2
add address-pool=dhcp_pool_wifi_2 interface=vlan_wifi_2 lease-time=1d name=\
    dhcp_wifi_2
add address-pool=dhcp_pool_wifi_5 interface=vlan_wifi_5 lease-time=1d name=\
    dhcp_wifi_5
add address-pool=dhcp_pool18 interface=vlan_wifi_guest lease-time=1d name=\
    dhcp_wifi_guest
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
    10 pvid=3
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
    10 pvid=20
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
    10 pvid=10
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
    10 pvid=4
add bridge=main_bridge interface=ether5_LAN pvid=5
add bridge=main_bridge interface=wifi3_guest pvid=30
/interface bridge vlan
add bridge=main_bridge tagged=main_bridge untagged=ether3_LAN vlan-ids=3
add bridge=main_bridge tagged=main_bridge untagged=ether4_LAN vlan-ids=4
add bridge=main_bridge tagged=main_bridge untagged=ether5_LAN vlan-ids=5
add bridge=main_bridge tagged=main_bridge untagged=ether2_LAN vlan-ids=2
add bridge=main_bridge tagged=main_bridge untagged=wifi2_2ghz vlan-ids=10
add bridge=main_bridge tagged=main_bridge untagged=wifi1_5ghz vlan-ids=20
add bridge=main_bridge tagged=main_bridge untagged=wifi3_guest vlan-ids=30
/ip address
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=172.22.2.1/24 interface=vlan_2 network=172.22.2.0
add address=10.22.22.1/24 interface=vlan_wifi_2 network=10.22.22.0
add address=10.22.20.1/24 interface=vlan_wifi_5 network=10.22.20.0
add address=10.22.0.1/24 interface=vlan_wifi_guest network=10.22.0.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=*8 on-alert=\
    ": log error= \"not valid DHCP server Bridge_1\"" valid-server=\
    
add disabled=no interface=*A on-alert=\
    ":log error= \" not valid DHCP server bridge_2\"" valid-server=\
    
add disabled=no interface=wifi3_guest on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    
/ip dhcp-server network
add address=10.22.0.0/24 gateway=10.22.0.1
add address=10.22.20.0/24 comment=wifi_5 gateway=10.22.20.1
add address=10.22.22.0/24 comment=wifi_2 gateway=10.22.22.1
add address=172.22.0.0/24 comment="wifi guest" gateway=172.22.0.1
add address=172.22.2.0/24 comment=VLAN2 gateway=172.22.2.1
add address=172.22.3.0/24 comment=VLAN3 gateway=172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 gateway=172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 gateway=172.22.5.1
/ip firewall address-list
add address=10.22.0.0/24 list=block_porn
add address=10.22.20.0/24 list=block_porn
add address=10.22.22.0/24 list=block_porn
add address=172.22.2.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.4.0/24 list=block_porn
add address=172.22.5.0/24 list=block_porn
/ip firewall filter
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
    protocol=icmp src-address=10.22.0.0/24
add action=drop chain=input comment="block port scanners" src-address-list=\
    port_scanners
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input comment="port scanner detector" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
    53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
    to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
set winbox address="172.22.3.0/24,172.22.4.0/24,172.22.5.0/24,172.22.0.0/24,10\
    .22.22.0/24,10.22.20.0/24,10.22.0.0/24"
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no
Last edited by antoniocerasuolo on Sun Feb 11, 2024 12:27 pm, edited 1 time in total.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 3:53 pm

Delete ip pools and dhcp servers you don't need, you have 4 VLANs, leave 4 dhcp servers.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 3:56 pm

guys,

so thanks ...like in a little bit over 12 hours and the thing seems to be working.

I was going to ask just one question what if for example I want to get both the physical wifi_port and one other physical eth port on the same VLAN?
so that would be two ports with the same VLAN?

what should be the steps to accomplish that ?

ciao,
Antonio
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 3:59 pm

Delete ip pools and dhcp servers you don't need, you have 4 VLANs, leave 4 dhcp servers.
I have 7 dhcp pools because I have 7 VLANS

4 eth port VLANS

3 WIFI VLANS
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 4:20 pm

hi Giga ok!

so basically included the PVID of VLAN 2 for wifi 2G & 5G and included the PVID of VLAN 3 for the Guest wifi!

so yes now I only have 4 VLANS!!!!

thanks!!

do I get a prize for this? :lol:
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 4:29 pm

do I get a prize for this? :lol:
No, but you don't get anymore the stern look of disapproval.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 4:32 pm

do I get a prize for this? :lol:
No, but you don't get anymore the stern look of disapproval.
well thats already something.. :lol:
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 4:52 pm

Giga & team,

this is the last version below.

sometime next week I will be copying this config to the HAP AX3 and installing the CRS112 downstream.

so the next step will be understanding how to send all those VLANS down the same trunk to the CRS

ciao!

*****************************************************************************************************************
# 2024-02-10 15:46:24 by RouterOS 7.13.3
# software id = METC-NDW4
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add name=main_bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge name=vlan_2 vlan-id=2
add interface=main_bridge name=vlan_3 vlan-id=3
add interface=main_bridge name=vlan_4 vlan-id=4
add interface=main_bridge name=vlan_5 vlan-id=5
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
/interface wifi
set [ find default-name=wifi1 ] channel=channel2 channel.band=5ghz-ax \
    .skip-dfs-channels=disabled configuration.country=Italy .mode=ap .ssid=\
    Mikrotik_5 disabled=no name=wifi1_5ghz security.authentication-types=\
    wpa-psk,wpa2-psk
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz configuration.country=Italy .mode=ap .ssid=Mikrotik_2 \
    datapath.interface-list=all disabled=no name=wifi2_2ghz \
    security.authentication-types=wpa-psk,wpa2-psk
add configuration.mode=ap .ssid=Mikrotik_guest_appa disabled=no mac-address=\
    master-interface=wifi2_2ghz name=wifi3_guest \
    security.authentication-types=wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_4 ranges=172.22.4.10-172.22.4.200
add name=dhcp_pool_VLAN_5 ranges=172.22.5.10-172.22.5.200
add name=dhcp_pool_VLAN_2 ranges=172.22.2.10-172.22.2.200
add name=dhcp_pool_wifi_2 ranges=10.22.22.10-10.22.22.200
add name=dhcp_pool_wifi_5 ranges=10.22.20.10-10.22.20.200
add name=dhcp_pool18 ranges=10.22.0.10-10.22.0.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
    dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
    dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
    dhcp_VLAN_2
/interface bridge port
add bridge=main_bridge interface=ether2_LAN internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
    10 pvid=3
add bridge=main_bridge interface=wifi1_5ghz internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=ether4_LAN internal-path-cost=10 path-cost=\
    10 pvid=4
add bridge=main_bridge interface=ether5_LAN pvid=5
add bridge=main_bridge interface=wifi3_guest pvid=3
/interface bridge vlan
add bridge=main_bridge tagged=main_bridge untagged=ether3_LAN vlan-ids=3
add bridge=main_bridge tagged=main_bridge untagged=ether4_LAN vlan-ids=4
add bridge=main_bridge tagged=main_bridge untagged=ether5_LAN vlan-ids=5
add bridge=main_bridge tagged=main_bridge vlan-ids=2
add bridge=main_bridge tagged=main_bridge untagged=wifi2_2ghz vlan-ids=10
add bridge=main_bridge tagged=main_bridge untagged=wifi1_5ghz vlan-ids=20
add bridge=main_bridge tagged=main_bridge untagged=wifi3_guest vlan-ids=30
/ip address
add address=172.22.3.1/24 comment=eth3_port/wifi_guest interface=vlan_3 \
    network=172.22.3.0
add address=172.22.4.1/24 interface=vlan_4 network=172.22.4.0
add address=172.22.5.1/24 interface=vlan_5 network=172.22.5.0
add address=172.22.2.1/24 comment="eth2_port /wifi_2G/wifi_5G" interface=\
    vlan_2 network=172.22.2.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server alert
add disabled=no interface=vlan_2 on-alert=\
    ": log error= \"not valid DHCP server VLAN_2\"" valid-server=\
    
add disabled=no interface=vlan_3 on-alert=\
    ":log error= \" not valid DHCP server VLAN_3\"" valid-server=\
   
add disabled=no interface=vlan_4 on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    
add disabled=no interface=vlan_5 on-alert=\
    ":log error=\"not valid DHCP server wifi_guest\"" valid-server=\
    
/ip dhcp-server network
add address=10.22.0.0/24 gateway=10.22.0.1
add address=10.22.20.0/24 comment=wifi_5 gateway=10.22.20.1
add address=10.22.22.0/24 comment=wifi_2 gateway=10.22.22.1
add address=172.22.0.0/24 comment="wifi guest" gateway=172.22.0.1
add address=172.22.2.0/24 comment=VLAN2 gateway=172.22.2.1
add address=172.22.3.0/24 comment=VLAN3 gateway=172.22.3.1
add address=172.22.4.0/24 comment=VLAN4 gateway=172.22.4.1
add address=172.22.5.0/24 comment=VLAN5 gateway=172.22.5.1
/ip firewall address-list
add address=10.22.0.0/24 list=block_porn
add address=10.22.20.0/24 list=block_porn
add address=10.22.22.0/24 list=block_porn
add address=172.22.2.0/24 list=block_porn
add address=172.22.3.0/24 list=block_porn
add address=172.22.4.0/24 list=block_porn
add address=172.22.5.0/24 list=block_porn
/ip firewall filter
add action=drop chain=input comment="if not 172.22.22.0/24 drop ping" \
    protocol=icmp src-address=10.22.2.0/24
add action=drop chain=input comment="block port scanners" src-address-list=\
    port_scanners
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=no
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input comment="port scanner detector" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1_WAN
add action=dst-nat chain=dstnat comment="block porn on guest wifi" dst-port=\
    53 protocol=udp src-address-list=block_porn to-addresses=208.67.222.123 \
    to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=172.22.22.0/24 port=2222
set api disabled=yes
set winbox address=172.22.2.0/24,172.22.3.0/24,172.22.4.0/24,172.22.5.0/24
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no

Last edited by antoniocerasuolo on Sun Feb 11, 2024 5:42 pm, edited 1 time in total.
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 5:11 pm

Still needs work, not ready.
Go over each line and see if you can find it. It's very plain.
Hint: As gigabyte noted: Remove all old settings, that clutter up the config and hide errors.
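An added example, not part of any poster's configuration and not a MikroTik tool: a small Python check for the kind of leftover settings this thread keeps coming back to. It assumes plain `/export` text; the function names, the three checks and the sample (abridged from the 15:46 export above and trimmed to VLANs 2 and 3) are choices made for this illustration.

```python
import ipaddress
import shlex

# Constructed sample: abridged from the 15:46 export in this thread, trimmed
# to VLANs 2 and 3 and to the sections the checks read.
SAMPLE_EXPORT = r"""
/ip pool
add name=dhcp_pool_VLAN_3 ranges=172.22.3.10-172.22.3.200
add name=dhcp_pool_VLAN_2 ranges=172.22.2.10-172.22.2.200
add name=dhcp_pool18 ranges=10.22.0.10-10.22.0.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
    dhcp_VLAN_2
/interface bridge port
add bridge=main_bridge interface=ether3_LAN internal-path-cost=10 path-cost=\
    10 pvid=3
add bridge=main_bridge interface=wifi2_2ghz internal-path-cost=10 path-cost=\
    10 pvid=2
add bridge=main_bridge interface=wifi3_guest pvid=3
/interface bridge vlan
add bridge=main_bridge tagged=main_bridge untagged=ether3_LAN vlan-ids=3
add bridge=main_bridge tagged=main_bridge vlan-ids=2
add bridge=main_bridge tagged=main_bridge untagged=wifi2_2ghz vlan-ids=10
add bridge=main_bridge tagged=main_bridge untagged=wifi3_guest vlan-ids=30
/ip address
add address=172.22.3.1/24 interface=vlan_3 network=172.22.3.0
add address=172.22.2.1/24 interface=vlan_2 network=172.22.2.0
/ip service
set ssh address=172.22.22.0/24 port=2222
set winbox address=172.22.2.0/24,172.22.3.0/24
"""


def parse_export(text):
    """Parse RouterOS export text into {section path: [{key: value}, ...]}."""
    sections, path, pending = {}, None, ""
    for raw in text.splitlines():
        # A trailing backslash continues the command; the export may break in
        # the middle of a value, so the pieces are joined without a space.
        line = (pending + raw.lstrip()).rstrip() if pending else raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            path = line
            sections.setdefault(path, [])
        elif line and not line.startswith("#") and path:
            tokens = shlex.split(line)
            item = {}
            # "set ssh address=..." names its target with a bare word.
            if len(tokens) > 1 and "=" not in tokens[1] and tokens[1] != "[":
                item["_name"] = tokens[1]
            for tok in tokens[1:]:
                key, sep, value = tok.partition("=")
                if sep:
                    item[key] = value
            sections[path].append(item)
    return sections


def audit(text):
    """Return (check, subject, detail) tuples for settings to review."""
    cfg, findings = parse_export(text), []
    # 1. Port listed untagged in a VLAN that is not its PVID (default PVID 1).
    #    Assumes vlan-ids is one ID or a comma list, with no ranges.
    pvid = {p["interface"]: p.get("pvid", "1")
            for p in cfg.get("/interface bridge port", [])}
    for row in cfg.get("/interface bridge vlan", []):
        vids = row.get("vlan-ids", "").split(",")
        for port in filter(None, row.get("untagged", "").split(",")):
            if pvid.get(port) not in vids:
                findings.append(("pvid-mismatch", port,
                                 f"vlan-ids={','.join(vids)} pvid={pvid.get(port)}"))
    # 2. Pools that no DHCP server references (other pool users are ignored).
    used = {s.get("address-pool") for s in cfg.get("/ip dhcp-server", [])}
    for pool in cfg.get("/ip pool", []):
        if pool.get("name") not in used:
            findings.append(("unused-pool", pool.get("name"), pool.get("ranges")))
    # 3. Enabled services whose allowed range matches no subnet on the router.
    #    A routed or VPN range can be legitimate, so this is a prompt to check.
    nets = [ipaddress.ip_interface(a["address"]).network
            for a in cfg.get("/ip address", []) if "address" in a]
    for svc in cfg.get("/ip service", []):
        if svc.get("disabled") == "yes":
            continue
        for cidr in filter(None, svc.get("address", "").split(",")):
            allowed = ipaddress.ip_network(cidr, strict=False)
            if not any(allowed.overlaps(n) for n in nets):
                findings.append(("stale-service-acl", svc.get("_name"), cidr))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(*finding, sep=" | ")
```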
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 5:46 pm

Hi Mesquite..


yes I thought I took out all those old ips and cleaned up the config..!!
maybe i picked up not the most recent config file!

thanks will check it tomorrow..
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 6:34 pm

That's what it looks like, a repost of an old file.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 10, 2024 10:08 pm

One thing that catches my eye, how do you plan to block porn ? Do you have local DNS or something ?
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 12:06 am

hey Giga..

not drinking a nice glass of wine..?😂😂

yes got that destnat idea with the opendns dns
all those vlans are in the ip list.

works like a charm!!!
 
BartoszP
Forum Guru
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 12:14 am

@antoniocerasuolo

Please DO use proper "code" tags when you post configuration and do please edit and correct your latest posts as they are "1 meter long" and hard to read.
I have edited some of your posts already.
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 12:54 am

One thing that catches my eye, how do you plan to block porn ? Do you have local DNS or something ?
He wants to use OpenDNS (family shield) DNS 208.67.222.123
https://en.wikipedia.org/wiki/OpenDNS
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 1:28 am

@antoniocerasuolo

Please DO use proper "code" tags when you post configuration and do please edit and correct your latest posts as they are "1 meter long" and hard to read.
I have edited some of your posts already.
thanks bartosz will do!!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 1:34 am

One thing that catches my eye, how do you plan to block porn ? Do you have local DNS or something ?
He wants to use OpenDNS (family shield) DNS 208.67.222.123
https://en.wikipedia.org/wiki/OpenDNS
hi Jaclaz still awake at this time? 😂..
do you agree with opendns??
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 2:17 am

Kids will find porn if they want to, if not at your house at a friend's house, the best advice is education and talk about it.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 4:37 am

Let the people have some fun... :lol: Why don't you block porn on all networks then :wink:

Didn't even notice OP is using OpenDNS. For winbox access you surely don't need access from all VLANs. You don't even have interface lists ?
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 8:17 am

Kids will find porn if they want to, if not at your house at a friend's house, the best advice is education and talk about it.
..the original idea was to limit porn etc.. only in my guest network.. but i liked the way it works so i applied to all my networks.. but yes I may take it off… your approach to the matter is also my view.. people are empowered and should know what they’re doing ..
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 8:25 am

Let the people have some fun... :lol: Why don't you block porn on all networks then :wink:

Didn't even notice OP is using OpenDNS. For winbox access you surely don't need access from all VLANs. You don't even have interface lists ?
Hey Giga,

yes the firewall IP list contains all the Ip ranges therefore all VLAN’s.

True, for winbox I don’t need access from all VLANs, I just put them all there in this initial phase, but yes I plan to have my VLAN 2, on which is also my wifi, as the only winbox access.

can you please elaborate on the interface list concept? not sure of what you mean, where this list should be applied
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 8:37 am

In short, interface list enables you to have easier management of your interfaces in for eg. firewall, you have input rule to drop all traffic coming to the router that is not originated from LAN. With interface list you just add all of your LAN side interfaces to the LAN interface list and then when making such rule in firewall you just specify interface list instead of interfaces.

Also when managing your router you can for eg create interface list mgmt and specify your mgmt vlan in it. Then you can specify that router can be accessed by winbox only on interfaces that are in that list.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 11:53 am

In short, interface list enables you to have easier management of your interfaces in for eg. firewall, you have input rule to drop all traffic coming to the router that is not originated from LAN. With interface list you just add all of your LAN side interfaces to the LAN interface list and then when making such rule in firewall you just specify interface list instead of interfaces.

Also when managing your router you can for eg create interface list mgmt and specify your mgmt vlan in it. Then you can specify that router can be accessed by winbox only on interfaces that are in that list.
am trying to create the interface Lists, but in the interfaces section there is the interface list tab but it only allows me to add an interface under an already existing interface list, how do I create the names of the lists??
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 12:08 pm

Under Interface List you have button Lists. Here you can create your lists
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 12:09 pm

Under Interface List you have button Lists. Here you can create your lists
thank you!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 12:29 pm

ok done, the block porn rule now uses the VLAN interface list.

a little bit more difficult how to manage the winbox through an interface list.

can you help here?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 12:40 pm

Go to Tools -> MAC server -> MAC Winbox server. Here you can select allowed interface list.

BE AWARE: Changing this could result in lockout... Be careful
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 1:56 pm

Go to Tools -> MAC server -> MAC Winbox server. Here you can select allowed interface list.

BE AWARE: Changing this could result in lockout... Be careful
ok thanks i’ll think about it..
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 2:14 pm

I have no experience with OpenDNS, nor with this approach, it is better than nothing, but I doubt that it is particularly effective, I would classify it as a mitigation, not as a solution.

It will be interesting to see how (not when, not if) the kids will bypass or workaround the limitation.

Interface lists are - I believe - very useful as long (like all the other names you attribute to elements in RoS) as you are good at naming things in such a way that is clear today and will be clear (at least to you) in 6 months or one year from now when you'll want to change something, from the configurations I have seen it is sometimes very difficult to understand the naming.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 5:41 pm

I have no experience with OpenDNS, nor with this approach, it is better than nothing, but I doubt that it is particularly effective, I would classify it as a mitigation, not as a solution.

It will be interesting to see how (not when, not if) the kids will bypass or workaround the limitation.

Interface lists are - I believe - very useful as long (like all the other names you attribute to elements in RoS) as you are good at naming things in such a way that is clear today and will be clear (at least to you) in 6 months or one year from now when you'll want to change something, from the configurations I have seen it is sometimes very difficult to understand the naming.

hi jaclaz

try it implement a rule with the OPEN DNS you may be surprised.. i'm new to all this so everything is good..

I agree but the configuration as suggested by mesquite & Giga are by far the simplest and have created a power point document with the network diagram & particular details :D
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 6:21 pm

just something I wanted to note:

seems that my VLAN 2 DHCP is assigning the IPs from the first in the range and not the last.

why is this happening? does this have something to do with the fact that this VLAN is assigned to eth port2 ,wifi_2ghz & wifi_5ghz?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 7:18 pm

Mikrotik usually give out addresses from end of the pool but this shouldn't present any problem for you.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 7:56 pm

Mikrotik usually give out addresses from end of the pool but this shouldn't present any problem for you.
absolutely not an issue.. an IP is an IP...
 
BartoszP
Forum Guru
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 8:45 pm

Thank you for edits Antonio. Now it's much easier to read :)
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 8:54 pm

I quite like scrolling through a long config, keeps my mouse finger in shape...............j/k much better!!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 8:58 pm

Thank you for edits Antonio. Now it's much easier to read :)
just want to make everyones life easier :lol:
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 9:01 pm

guys

as you know on the ax2,I currently have:

VLAN2 -> wifi2ghz,Wifi5ghz,eth_port2
VLAN3-> wifi_guest,eth_port3
VLAN4->eth_port4
VLAN5->eth_port5

working perfectly!

i should be receiving the CRS112 switch Next week , and was thinking of also sending all the VLANs down through eth_port5, and wanted have a heads up to know what to do on the ax2 not to waste too much time.

will the fact that each VLAN already has designated ports be an issue?

will I still be able to have VLAN's remain as configured above and still send to the switch?

what would be the steps to achieve this on the ax2 ,would this simply mean adding the eth_port5 as untagged to each VLAN, except VLAN5 as it's already on that port??
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 11, 2024 9:02 pm

I quite like scrolling through a long config, keeps my mouse finger in shape...............j/k much better!!
don't you get stiff arm or tennis elbow scrolling too much?? :lol:
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 7:08 am

guys

as you know on the ax2,I currently have:

VLAN2 -> wifi2ghz,Wifi5ghz,eth_port2
VLAN3-> wifi_guest,eth_port3
VLAN4->eth_port4
VLAN5->eth_port5

working perfectly!

i should be receiving the CRS112 switch Next week , and was thinking of also sending all the VLANs down through eth_port5, and wanted have a heads up to know what to do on the ax2 not to waste too much time.

will the fact that each VLAN already has designated ports be an issue?

will I still be able to have VLAN's remain as configured above and still send to the switch?

what would be the steps to achieve this on the ax2 ,would this simply mean adding the eth_port5 as untagged to each VLAN, except VLAN5 as it's already on that port??
You need to tag VLANs that you want to send via trunk port, not untag them. You untag VLAN when you have access port, so port where your PC connects, or some other device.

When you get your device then we will continue. While waiting read this post from @Mesquite: viewtopic.php?p=1055523#p1055523
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 9:55 am

guys

as you know on the ax2,I currently have:

VLAN2 -> wifi2ghz,Wifi5ghz,eth_port2
VLAN3-> wifi_guest,eth_port3
VLAN4->eth_port4
VLAN5->eth_port5

working perfectly!

i should be receiving the CRS112 switch Next week , and was thinking of also sending all the VLANs down through eth_port5, and wanted have a heads up to know what to do on the ax2 not to waste too much time.

will the fact that each VLAN already has designated ports be an issue?

will I still be able to have VLAN's remain as configured above and still send to the switch?

what would be the steps to achieve this on the ax2 ,would this simply mean adding the eth_port5 as untagged to each VLAN, except VLAN5 as it's already on that port??
You need to tag VLANs that you want to send via trunk port, not untag them. You untag VLAN when you have access port, so port where your PC connects, or some other device.

When you get your device then we will continue. While waiting read this post from @Mesquite: viewtopic.php?p=1055523#p1055523

hi Giga,

thanks sounds straightforward let's see what happens when i put hands on the thingy... :lol: thanks for the post from Mesquite!

in truth I just received also the AX3 for my second home (this is the real device i will use) , this is where I will install it upstream from the CRS112

I'm currently copying my AX2 config to the AX3 while waiting for the CRS112 to arrive!

If it wasn't for the simplified configuration for the VLAN's you guys showed me , it would have been a mess with 3 bridges and a sloppy configuration!

Thanks!!
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 10:02 am

hi Giga,

thanks sounds straightforward let's see what happens when i put hands on the thingy... :lol: thanks for the post from Mesquite!

in truth I just received also the AX3 for my second home (this is the real device i will use) , this is where I will install it upstream from the CRS112

I'm currently copying my AX2 config to the AX3 while waiting for the CRS112 to arrive!

If it wasn't for the simplified configuration for the VLAN's you guys showed me , it would have been a mess with 3 bridges and a sloppy configuration!

Thanks!!
Be careful, do not copy whole configuration from ax2 to ax3 because they are not same device !!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 10:33 am

hi Giga,

I just printed the AX2 config and am inserting into the AX3 basically the same config.

yes when i say copy i mean conceptually copying everything as much as possible ad hoc by hand.

I'll finish it this week but already got the VLAN2 working on the AX3 :-)
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 11:28 am

Just saying... :D :D If you broke something you owe me pizza in Trieste
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 12:51 pm

Just saying... :D :D If you broke something you owe me pizza in Trieste
Trieste....i'm in Milano!! ok next time if ever I'm in Trieste pizza and beer is on me!! :lol:
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 12:58 pm

Deal, i will bring ketchup :lol: :lol: :lol: :lol: :lol:
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 1:15 pm

Giga,

something strange just happened on my ax2 a few mins ago .

I lost the 5 GHZ wifi.

the log says radar detected on 5660/ax/ceee

i have this frequency in the list of frequencies!!

what would be the recommendation here? should I just take this frequency out of the list and it will work again?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 1:27 pm

You are using CH132 which is DFS channel: https://www.aami.org/medical-device-con ... 20seconds.

If radar signal is detected router must immediately stop transmitting on 5GHz radio so there is no interference.

Move to some channel that is not DFS so you avoid getting this problem again.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 1:43 pm

You are using CH132 which is DFS channel: https://www.aami.org/medical-device-con ... 20seconds.

If radar signal is detected router must immediately stop transmitting on 5GHz radio so there is no interference.

Move to some channel that is not DFS so you avoid getting this problem again.
thanks!

there are 4 frequencies in the list , why didn’t the ap just move to a different one in the list which is not DFS?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 1:48 pm

AP will stop transmitting then it will perform DFS check to see if channel is available. What are other frequencies ?
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 1:53 pm

What are other frequencies ?
viewtopic.php?t=204313#p1055121
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500,5660,5580,5180 name=channel2
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 2:02 pm

thanks jaclaz!!!!
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 2:05 pm

 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 12, 2024 2:32 pm

i changed the frequencies to the following:

Channel Number Frequency MHz

36 5180 Indoors
40 5200 Indoors
44 5220 Indoors
48 5240 Indoors

problem seems solved got my 5 GHZ wifi back..
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 10:47 am

hi Giga/Team,

I should be getting the CRS112 today and have a quick question.

therefore I'm guessing it will be configured as all the other Mikrotik devices with a base configuration with IP 192.168.88.1?

so I will just clean this configuration and work through the mac address until i guess I configure the VLANS? then i guess I can keep configuring through a Management VLAN or management VLANs.

Initially honestly i prefer not to configure management VLANs until the thing is fully running for a few weeks, when secure will configure a management VLAN.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 1:57 pm

Your switch has to get IP address from somewhere so if there is no management VLAN simply use VLAN you trust the most and that's it. That is how I do.

Delete configuration so you have clean start. And you can take one port off bridge and assign it with static IP. That port you can use for configuration and to prevent lockout.

All of that you can read in post i linked you here from Mr. Hyde :D
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 2:59 pm

Your switch has to get IP address from somewhere so if there is no management VLAN simply use VLAN you trust the most and that's it. That is how I do.

Delete configuration so you have clean start. And you can take one port off bridge and assign it with static IP. That port you can use for configuration and to prevent lockout.

All of that you can read in post i linked you here from Mr. Hyde :D
thanks!! good idea!!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 3:19 pm

Giga,

can't I create a DHCP server on this management port of this port out of the bridge on the Switch?

instead of creating a static IP and then changing configs on my PC??
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 3:20 pm

You can, can't see the reason why not
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 3:27 pm

You can, can't see the reason why not
thanks .. I owe you a pizza. in Milano non Trieste .. :lol:
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 4:35 pm

The reason I don't create a dhcp, is then anyone can plug into that port and get instant access.
Only you should know that the LAN subnet is 192.168.55.0/24 for example.
You choose, laziness or security :-)

So disagree with giga, I do not recommend this approach
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 4:44 pm

Yea, there is security aspect. What I usually do is I have USB NIC that I use for that. On laptop I assigned IP to that NIC and that's it.

So you have to decide here, safety or convenience.

Don't forget one pizza for @Mesquite
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 5:26 pm

The reason I don't create a dhcp, is then anyone can plug into that port and get instant access.
To be fair, with a DHCP anyone can plug into that port and can start brute-forcing the login and password, not really instant.

It would however be logical (as a little added security element) to allow connection from only a single given IP (to be manually assigned to the PC used to connect).

The usual problem to this (and many other) security provisions (used outside professional environments) is that it is very likely that - before or later - the authorized user will be locked out.

Outside stories and TV series, in real life I would be much more preoccupied of what else an intruder with physical access to my house can steal or damage than to the possibility that he will connect to my router and gain access to it.

And remember, if "they" are after you, "they" will get you (or more likely "they" already got you).
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 9:16 pm

Fair points, I typically restrict access ( on top of no DHCP) to a single IP , which is put in the source address list allowed on the input chain (admin IPs).
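
The restrictions discussed in the posts above (the MAC Winbox allowed interface list, no DHCP on the management port, and a single admin IP in a source address list on the input chain), sketched as RouterOS commands; this is an added example, not any poster's configuration. The names ether1_management and dhcp_management and the 10.11.11.0/24 subnet are taken from the CRS112 export posted later in this thread; the list names MGMT and admin_ips and the address 10.11.11.5 are assumptions.

```routeros
# Added example. Values marked "assumed" do not come from the thread.

# 1. Interface list that holds only the out-of-bridge management port.
/interface list
add name=MGMT comment="assumed list name"
/interface list member
add list=MGMT interface=ether1_management

# 2. Layer-2 management (MAC Telnet, MAC Winbox) only on that list.
#    This is the setting found under Tools -> MAC Server.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT

# 3. Announce the device to neighbor discovery (what Winbox lists)
#    only on the management port.
/ip neighbor discovery-settings
set discover-interface-list=MGMT

# 4. No DHCP on the management port: the admin PC uses a manually
#    assigned address in 10.11.11.0/24.
/ip dhcp-server
set [find name=dhcp_management] disabled=yes

# 5. One admin address in a list, then input-chain rules that use it.
/ip firewall address-list
add list=admin_ips address=10.11.11.5 comment="admin PC, assumed address"
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="replies to sessions already allowed"
add chain=input action=accept protocol=tcp dst-port=22,8291 \
    src-address-list=admin_ips in-interface-list=MGMT \
    comment="SSH and Winbox from the admin PC on the management port"
add chain=input action=drop protocol=tcp dst-port=22,8291 \
    comment="SSH and Winbox from anywhere else"
```

Apply this from a session on ether1_management with Safe Mode enabled, so a mistake is rolled back when the session drops instead of causing the lockout the earlier post warns about.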
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 9:26 pm

In some corporate network or business network that is valid but at home, I mean... like @jaclaz said, if someone have access inside my house that shouldn't have then access to the router is least of my problems.

Good, strong password is great starting point. DHCP or not router will be visible in Winbox.
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Wed Feb 14, 2024 10:17 pm

As I said fair points, I have habits.......... regardless of where router is located.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 9:54 am

guys,

my switch is in my kitchen .. :lol:

no one ever comes into my kitchen with a lan cable and a laptop.. :lol:
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 9:55 am

The reason I don't create a dhcp, is then anyone can plug into that port and get instant access.

To be fair, with a DHCP anyone can plug into that port and can start brute-forcing the login and password, not really instant.

It would however be logical (as a little added security element) to allow connection from only a single given IP (to be manually assigned to the PC used to connect).

The usual problem to this (and many other) security provisions (used outside professional environments) is that it is very likely that - before or later - the authorized user will be locked out.

Outside stories and TV series, in real life I would be much more preoccupied of what else an intruder with physical access to my house can steal or damage than to the possibility that he will connect to my router and gain access to it.
And remember, if "they" are after you, "they" will get you (or more likely "they" already got you).
who are "they"?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 12:42 pm

guys,

my switch is in my kitchen .. :lol:

no one ever comes into my kitchen with a lan cable and a laptop.. :lol:
Maybe someone wants to steal your pizza dough recipe... :lol: :lol: :lol: Be careful...
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 1:12 pm

who are "they"?
Anyone with (much) more capabilities and power than you can imagine (legal, technical, financial. sheer force) , typically (in the US) three letters agencies, but also international hackers, the mafia, etc.

If you are a target, you will be hit.

Half to three quarter of the time security experts and researchers spend is about inventing possible (often overly complex) menaces/vulnerabilities in order to show off how good they are, and find some way to harass everyone, everyday, in real life a $5 spanner or wrench is easier and more effective, famous related xkcd's:
https://xkcd.com/538/
https://xkcd.com/936/
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 1:32 pm

guys,

my switch is in my kitchen .. :lol:

no one ever comes into my kitchen with a lan cable and a laptop.. :lol:
Maybe someone wants to steal your pizza dough recipe... :lol: :lol: :lol: Be careful...
hey Giga,

i'm doing the unboxing video in my kitchen this evening.. while i'm cooking spaghetti & tomato sauce!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 1:34 pm

who are "they"?
Anyone with (much) more capabilities and power than you can imagine (legal, technical, financial. sheer force) , typically (in the US) three letters agencies, but also international hackers, the mafia, etc.

If you are a target, you will be hit.

Half to three quarter of the time security experts and researchers spend is about inventing possible (often overly complex) menaces/vulnerabilities in order to show off how good they are, and find some way to harass everyone, everyday, in real life a $5 spanner or wrench is easier and more effective, famous related xkcd's:
https://xkcd.com/538/
https://xkcd.com/936/
hey jaclaz

yep I'm worried about the mafia!!!.. I'm in Italy they are the boss..so I gotta watch out!!
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 3:54 pm

hey Giga,

i'm doing the unboxing video in my kitchen this evening.. while i'm cooking spaghetti & tomato sauce!
Will you break spaghetti in half so they can fit in cooking pot ??
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 4:02 pm

hey Giga,

i'm doing the unboxing video in my kitchen this evening.. while i'm cooking spaghetti & tomato sauce!
Will you break spaghetti in half so they can fit in cooking pot ??
hey Giga,

no i never break in half!! my mother breaks in half
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 4:32 pm

I hope there are not many Italians reading this... I thought it's a sin to break them in half...

On topic, is your switch working ?
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 4:44 pm

I hope there are not many Italians reading this... I thought it's a sin to break them in half...
Not really, it is a sin only if you do it, in Italian culture a mother is always right, by definition.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 5:41 pm

I hope there are not many Italians reading this... I thought it's a sin to break them in half...

On topic, is your switch working ?
Hi Giga,

no I will unbox it this evening.. I'll post here as soon as i see some signs of life..

by the way the router connecting to the switch this time is the AX3 not AX2 as in the title
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 7:34 pm

There is no difference in VLANs on ax2 and ax3
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 8:28 pm

hi Giga ,

so here I am apparently all seems to be working as planned
here below you can see the ax3 config and the switch config, I tested all the ports and are getting the correct ip addresses and hooking to internet perfectly.

but just one thing i wanted to update software & firmware but of course the management port is set to a DHCP and not connecting to internet through my trunk port

not sure how to get internet also on the management port..

can you help?

# 2024-02-15 19:12:16 by RouterOS 7.13.4
# software id = Y9KM-R2BS
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add name=main_bridge_sacco port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2_LAN
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface vlan
add interface=main_bridge_sacco name=vlan_2 vlan-id=2
add interface=main_bridge_sacco name=vlan_3 vlan-id=3
add interface=main_bridge_sacco name=vlan_4 vlan-id=4
add interface=main_bridge_sacco name=vlan_5 vlan-id=5
/interface list
add name=VLANS
/interface wifi channel
add band=2ghz-ax disabled=no name=channel1 width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=channel2 \
    skip-dfs-channels=all
/interface wifi
set [ find default-name=wifi2 ] channel=channel1 channel.band=2ghz-ax .width=\
    20/40mhz-Ce configuration.country=Italy .mode=ap .ssid=mikrotik_2_sacco \
    disabled=no name=wifi_2ghz security.authentication-types=\
    wpa2-psk,wpa3-psk
set [ find default-name=wifi1 ] channel=channel2 configuration.country=Italy \
    .mode=ap .ssid=mikrotik_5_sacco disabled=no name=wifi_5ghz \
    security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=dhcp_pool_VLAN_3 ranges=172.11.3.10-172.11.3.200
add name=dhcp_pool_VLAN_4 ranges=172.11.4.10-172.11.4.200
add name=dhcp_pool_VLAN_5 ranges=172.11.5.10-172.11.5.200
add name=dhcp_pool_VLAN_2 ranges=172.11.2.10-172.11.2.200
/ip dhcp-server
add address-pool=dhcp_pool_VLAN_3 interface=vlan_3 lease-time=1d name=\
    dhcp_VLAN_3
add address-pool=dhcp_pool_VLAN_4 interface=vlan_4 lease-time=1d name=\
    dhcp_VLAN_4
add address-pool=dhcp_pool_VLAN_5 interface=vlan_5 lease-time=1d name=\
    dhcp_VLAN_5
add address-pool=dhcp_pool_VLAN_2 interface=vlan_2 lease-time=1d name=\
    dhcp_VLAN_2
/interface bridge port
add bridge=main_bridge_sacco interface=ether2_LAN internal-path-cost=10 \
    path-cost=10 pvid=2
add bridge=main_bridge_sacco interface=ether3_LAN internal-path-cost=10 \
    path-cost=10 pvid=3
add bridge=main_bridge_sacco interface=ether4_LAN internal-path-cost=10 \
    path-cost=10 pvid=4
add bridge=main_bridge_sacco interface=ether5_LAN internal-path-cost=10 \
    path-cost=10 pvid=5
add bridge=main_bridge_sacco interface=wifi_2ghz internal-path-cost=10 \
    path-cost=10 pvid=2
add bridge=main_bridge_sacco interface=wifi_5ghz internal-path-cost=10 \
    path-cost=10 pvid=2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=main_bridge_sacco tagged=main_bridge_sacco,ether5_LAN untagged=\
    ether2_LAN vlan-ids=2
add bridge=main_bridge_sacco tagged=main_bridge_sacco,ether5_LAN untagged=\
    ether3_LAN vlan-ids=3
add bridge=main_bridge_sacco tagged=main_bridge_sacco,ether5_LAN untagged=\
    ether4_LAN vlan-ids=4
add bridge=main_bridge_sacco tagged=main_bridge_sacco,ether5_LAN vlan-ids=5
/interface list member
add interface=vlan_2 list=VLANS
add interface=vlan_3 list=VLANS
add interface=vlan_4 list=VLANS
add interface=vlan_5 list=VLANS
/ip address
add address=172.11.3.1/24 interface=vlan_3 network=172.11.3.0
add address=172.11.4.1/24 interface=vlan_4 network=172.11.4.0
add address=172.11.5.1/24 interface=vlan_5 network=172.11.5.0
add address=172.11.2.1/24 interface=vlan_2 network=172.11.2.0
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server network
add address=172.11.2.0/24 gateway=172.11.2.1
add address=172.11.3.0/24 gateway=172.11.3.1
add address=172.11.4.0/24 gateway=172.11.4.1
add address=172.11.5.0/24 gateway=172.11.5.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1d chain=input protocol=tcp
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1_WAN
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=VLANS protocol=\
    udp to-addresses=208.67.222.123 to-ports=53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
/system note
set show-at-login=no



# jan/02/1970 01:16:05 by RouterOS 6.49.10
# software id = D234-TTJK
#
# model = CRS112-8G-4S
# serial number = 
/interface bridge
add name=main_bridge_switch vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_management
set [ find default-name=ether2 ] name=ether2_trunk
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
set [ find default-name=ether6 ] name=ether6_LAN
set [ find default-name=ether7 ] name=ether7_LAN
set [ find default-name=ether8 ] name=ether8_LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool_management ranges=10.11.11.10-10.11.11.200
/ip dhcp-server
add address-pool=dhcp_pool_management disabled=no interface=ether1_management \
    lease-time=1d name=dhcp_management
/interface bridge port
add bridge=main_bridge_switch ingress-filtering=yes interface=ether3_LAN \
    pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether4_LAN \
    pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether5_LAN \
    pvid=4
add bridge=main_bridge_switch ingress-filtering=yes interface=ether6_LAN \
    pvid=4
add bridge=main_bridge_switch ingress-filtering=yes interface=ether7_LAN \
    pvid=5
add bridge=main_bridge_switch ingress-filtering=yes interface=ether8_LAN \
    pvid=5
add bridge=main_bridge_switch ingress-filtering=yes interface=ether2_trunk
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
    ether3_LAN,ether4_LAN vlan-ids=3
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
    ether5_LAN,ether6_LAN vlan-ids=4
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
    ether7_LAN,ether8_LAN vlan-ids=5
/ip address
add address=10.11.11.1/24 interface=ether1_management network=10.11.11.0
/ip dhcp-server network
add address=10.11.11.0/24 gateway=10.11.11.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 8:42 pm

You can't update because your CRS didn't receive IP address from upstream router and have no route to the internet.

Use for eg VLAN 5 as trusted VLAN. Create VLAN interface in interface/vlan

Then in interface/bridge/vlans tag bridge only to VLAN 5 and create dhcp client on interface VLAN 5. Then your CRS will receive IP from upstream router and be able to access internet.

Internet on mgmt port you can't get. That port is just that, management. It's only purpose is to access switch.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 15, 2024 9:42 pm

Giga,

i'm still working on this!!

will update again soon.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 12:52 am

Giga,

I made the changes as you suggested but it's just not working...no idea why the DHCP client isn't getting the IP.. i must be doing something wrong in the config.
i created a VLAN 5 interface under the bridge

then under VLANs i tagged VLAN 5 only to the bridge nothing untagged.

i created the DHCP client on the VLAN 5 but it's just not working.. no IP assigned by DHCP!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 1:01 am

ok after playing around for hours i figured it out...

i first of all had to read right and create a client and not a server :-)

then what was missing from the VLAN was the untagging of the trunk port!!!

seems to work am pinging google dns fine. so i got internet on the switch.. :D

ok now i can hopefully go to sleep sooner than later.. :lol: :lol:
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 7:03 am

Post configuration, this untagging of the trunk port raises some concern..
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 8:29 am

hi Giga,

here is the config.

basically this morning i tried taking out the untagging of the trunk port , the switch kept the IP from upstream on the dhcp client and didn't disappear but what happened was that the switch lost connectivity to internet.

by the way i tagged also ports 7 & 8 as VLAN 5 for simplicity for now so I can use those ports to get internet and move back and forth between the ax3 & the CRS configs easily.

the config below contains the tagging of the trunk as you can see.

let me know if you can find the issue , I'm going to work this morning and will be back this evening to test eventual modifications

# feb/16/2024 01:12:04 by RouterOS 6.49.13
# software id = D234-TTJK
#
# model = CRS112-8G-4S
# serial number = 
/interface bridge
add ingress-filtering=yes name=main_bridge_switch vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_management
set [ find default-name=ether2 ] name=ether2_trunk
set [ find default-name=ether3 ] name=ether3_LAN
set [ find default-name=ether4 ] name=ether4_LAN
set [ find default-name=ether5 ] name=ether5_LAN
set [ find default-name=ether6 ] name=ether6_LAN
set [ find default-name=ether7 ] name=ether7_LAN
set [ find default-name=ether8 ] name=ether8_LAN
/interface vlan
add interface=main_bridge_switch name=vlan5_management vlan-id=5
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.2.2.10-10.2.2.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether1_management \
    lease-time=1d name=dhcp_management
/interface bridge port
add bridge=main_bridge_switch ingress-filtering=yes interface=ether3_LAN \
    pvid=2
add bridge=main_bridge_switch ingress-filtering=yes interface=ether4_LAN \
    pvid=2
add bridge=main_bridge_switch ingress-filtering=yes interface=ether5_LAN \
    pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether6_LAN \
    pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether7_LAN \
    pvid=5
add bridge=main_bridge_switch ingress-filtering=yes interface=ether8_LAN \
    pvid=4
add bridge=main_bridge_switch ingress-filtering=yes interface=ether2_trunk
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
    ether3_LAN,ether4_LAN vlan-ids=2
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
    ether5_LAN,ether6_LAN vlan-ids=3
add bridge=main_bridge_switch tagged=main_bridge_switch untagged=ether2_trunk \
    vlan-ids=5
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
    ether7_LAN,ether8_LAN vlan-ids=4
/ip address
add address=10.2.2.1/24 interface=ether1_management network=10.2.2.0
/ip dhcp-client
add disabled=no interface=vlan5_management
/ip dhcp-server network
add address=10.2.2.0/24 gateway=10.2.2.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Rome
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 9:07 am

add bridge=main_bridge_switch tagged=main_bridge_switch untagged=ether2_trunk \
    vlan-ids=5
You should tag ether2_trunk here, not untag it.
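
An added example (not part of the original posts, and not MikroTik tooling): a small Python check that reads the two bridge sections of the export above and reports ports whose egress-untagged VLAN differs from their PVID, plus trunk ports that mix tagged and untagged membership. Function names and finding labels are this example's own, the parser assumes unquoted key=value pairs as in this export, and FIXED is one reading of the advice above.

```python
import re
from collections import defaultdict

# Bridge sections copied from the CRS112 export posted in this thread.
EXPORT = r"""
/interface bridge port
add bridge=main_bridge_switch ingress-filtering=yes interface=ether3_LAN \
    pvid=2
add bridge=main_bridge_switch ingress-filtering=yes interface=ether4_LAN \
    pvid=2
add bridge=main_bridge_switch ingress-filtering=yes interface=ether5_LAN \
    pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether6_LAN \
    pvid=3
add bridge=main_bridge_switch ingress-filtering=yes interface=ether7_LAN \
    pvid=5
add bridge=main_bridge_switch ingress-filtering=yes interface=ether8_LAN \
    pvid=4
add bridge=main_bridge_switch ingress-filtering=yes interface=ether2_trunk
/interface bridge vlan
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
    ether3_LAN,ether4_LAN vlan-ids=2
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
    ether5_LAN,ether6_LAN vlan-ids=3
add bridge=main_bridge_switch tagged=main_bridge_switch untagged=ether2_trunk \
    vlan-ids=5
add bridge=main_bridge_switch tagged=ether2_trunk untagged=\
    ether7_LAN,ether8_LAN vlan-ids=4
"""

# Assumed corrected VLAN 5 entry: trunk tagged alongside the bridge.
FIXED = EXPORT.replace("tagged=main_bridge_switch untagged=ether2_trunk",
                       "tagged=main_bridge_switch,ether2_trunk")


def logical_lines(text):
    """Join RouterOS continuation lines (trailing backslash) and drop blanks."""
    joined = re.sub(r"\\\n\s*", "", text)
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def expand_ids(spec):
    """Expand a vlan-ids value such as '5', '2,3' or '10-12' into integers."""
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids


def parse(text):
    """Return (port -> pvid, vlan -> {'tagged': set, 'untagged': set})."""
    pvid = {}
    vlans = defaultdict(lambda: {"tagged": set(), "untagged": set()})
    section = None
    for line in logical_lines(text):
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith("add "):
            continue
        # Limitation: values containing spaces (quoted comments) are not handled.
        kv = dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)
        if section == "/interface bridge port":
            pvid[kv["interface"]] = int(kv.get("pvid", 1))  # default PVID is 1
        elif section == "/interface bridge vlan":
            for vid in expand_ids(kv["vlan-ids"]):
                for role in ("tagged", "untagged"):
                    members = kv.get(role, "")
                    vlans[vid][role].update(m for m in members.split(",") if m)
    return pvid, vlans


def audit(text):
    """Return findings as (kind, port, vlan) tuples."""
    pvid, vlans = parse(text)
    findings = []
    # Untagged ingress is classified by PVID; the 'untagged' list only controls
    # egress. A mismatch means replies leave in a VLAN the port never feeds.
    for vid in sorted(vlans):
        for port in sorted(vlans[vid]["untagged"]):
            if port in pvid and pvid[port] != vid:
                findings.append(("pvid-mismatch", port, vid))
    # A port tagged in some VLANs and untagged in another is a hybrid trunk.
    for port in sorted(pvid):
        if any(port in v["tagged"] for v in vlans.values()):
            for vid in sorted(vlans):
                if port in vlans[vid]["untagged"]:
                    findings.append(("hybrid-trunk", port, vid))
    return findings


if __name__ == "__main__":
    for kind, port, vid in audit(EXPORT):
        print(f"{kind}: {port} untagged in VLAN {vid}")
```

On the posted export it reports ether2_trunk untagged in VLAN 5 with the default PVID of 1, the entry questioned above, and also ether7_LAN, which has pvid=5 but is listed untagged under VLAN 4.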
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 10:11 am

hi Giga,

ok i will tag it when i get home this evening and let you know!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 6:54 pm

hey Giga,

problem solved!!!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 7:35 pm

Hi Giga,

i ran two speedtests fast.com
1) pc connected to port on my old cisco switch 220 business series connected directly downstream from my isp router
max speed 1G!!
2) pc connected to port on my CRS which is connected to my AX3 which is connected downstream from my isp router
max speed capping at 280/290 Mb!!!

when my AX2 was connected downstream from that cisco switch and my pc connected directly to the AX2 port it was pushing 1G also!!!!

I just connected my computer to the port on the ax3 and is pushing 1G!!!

the problem here in my view is not the ax3 it's the CRS!!!

can you help understand what could be the issue?
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 7:51 pm

looking at the specs therefore guessing that this is the max speed this baby can do?

i hope I'm wrong and there is a config issue?

I will be installing in my second home where my isp pushes max 75 Mb .. but still...

Help ... :lol:
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 8:20 pm

Do you have hardware offloading enabled ?
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 8:28 pm

Do you have hardware offloading enabled ?
hey Giga,

where do I enable the HW offloading can't find it now....
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 9:04 pm

When you open each interface you added to the bridge you will find check box hardware offloading. It's under general tab
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 9:16 pm

When you open each interface you added to the bridge you will find check box hardware offloading. It's under general tab
yes it's checked on each general tab for each interface..

so must be something else?

anyhow the cpu is really going to 100% during the ping tests!! so doesn't seem to be HW offloading...
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 10:03 pm

Giga,
maybe I need to configure L3 HW offloading??

I was trying to watch some videos about the HW offloading and they show that on the switch tab there is L3 HW offloading.

going crazy trying to find this , i have a dropdown menu when i click on switch and L3 Hw offloading nowhere to be found!!!!!!!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 10:55 pm

... have I heard right? watched some videos.. and seems that the CRS112 doesn't have L3 HW offloading?

but shouldn't the HW offloading ticked in the ports of the bridge do it anyway???
 
mkx
Forum Guru
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 11:04 pm

CRSxxx are switches. And all have L2 HW offload. It's just that on CRS1xx and 2xx bridge can HW offload only basic switching (non-VLAN aware, etc.) while on CRS3xx and CRS5xx bridge can offload VLANs as well. This is what HW property on bridge ports is all about.

But we didn't mention routing yet. Because: if device can run ROS, it can also route. But performance can be extremely low if CPU is not fast and CRS devices (out of a box) have terribly low routing performance. Alas, CRS3xx (and 5xx) support L3HW offload in certain scenarios and in this case they may route at wire speed.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 16, 2024 11:20 pm

CRSxxx are switches. And all have L2 HW offload. It's just that on CRS1xx and 2xx bridge can HW offload only basic switching (non-VLAN aware, etc.) while on CRS3xx and CRS5xx bridge can offload VLANs as well. This is what HW property on bridge ports is all about.

But we didn't mention routing yet. Because: if device can run ROS, it can also route. But performance can be extremely low if CPU is not fast and CRS devices (out of a box) have terribly low routing performance. Alas, CRS3xx (and 5xx) support L3HW offload in certain scenarios and in this case they may route at wire speed.
thanks!!

pretty mind boggling dilemma!!!

this is cool if my isp is pushing 75 Mb but if my ISP is pushing +1G it's pretty bad....

anyhow this was all an experiment so all is good!

the ISP at the place where I will install this switch is running at 75Mb so no issues.. but was expecting more legs for the $$

the last thing i would have expected was a cap on the BW!
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 7:21 am

It's easy to make a mistake with Mikrotik. You really need to be careful when deciding what device you will buy.

There were a lot of topics where people bought CRS devices and used them as routers. As you can imagine it didn't go well...

I thought you said you will buy CRS310, my mistake :lol:
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 10:02 am

hey Giga..

good morning..

would the CRS310 push 1 G?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 10:19 am

 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 3:06 pm

Actually, the 310-8G, as a router should provide you somewhere around 180-200Mbps
If you are talking switching throughput 38Gigs. :-)

The $$ as you call it is not for the routing capacity its for the switching capacity and unique 2.5 gig ports etc.....
The moral of the story is research before your purchase, not after. :-)

Giga ---> What kind of math do they teach in Croatia? ;-)
Just kidding, typically to match real world performance most look at 512byte size packets with 25 filter rules applied.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 4:26 pm

I know, but that is for routing performance. I hope OP here plan to use it strictly as switch. Not router.
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 4:33 pm

I know, but that is for routing performance. I hope OP here plan to use it strictly as switch. Not router.
You are still wrong, the 310 has two SFP+ ports, so it's more like 10Gigs at least not 2.5!!
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 4:49 pm

hi Guys,

yes my bad!

yes of course i need pure switching , upstream from the switch i already have the ax3!

but i may just think about purchasing the CRS310 for my home where i have 1 G through my ax2 connected to my cisco business 220 switch.

so i could substitute my Cisco220 with the mikrotik310 and in the end i would have all around Mikrotik..
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 5:39 pm

In that case, it's capable of almost 40Gbps if you look at the test results :D
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 6:15 pm

Actually, the 310-8G, as a router should provide you somewhere around 180-200Mbps
If you are talking switching throughput 38Gigs. :-)
Point of repeating already provided information???
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 7:03 pm

I missed that part... But anyway for OP is more than enough 8)
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 7:24 pm

I missed that part... But anyway for OP is more than enough 8)
yes it's enough i don't plan on opening an ISP company soon :lol:
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 7:52 pm

Nah, it's just Mr.Hyde screwing with me :lol: :lol:

But on CRS310, have one in my living room and soon one in my work room. Great little devices.
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 8:01 pm

But on CRS310, have one in my living room and soon one in my work room. Great little devices.
Yeah, sure, they make very good company. :lol:
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 17, 2024 8:28 pm

Until fan speeds up :lol:
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sun Feb 18, 2024 5:41 am

Sorry giga, I guess the green & bold didn't grab your attention, next time I will make it larger 38Gigs
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Feb 18, 2024 6:10 am

Yea, I know... It was my mistake, I admit it. I wasn't at home at the time so a quick read on the phone caused the mistake.

But now when you make it larger makes it so much better to read on the phone. :D
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 18, 2024 11:21 am

guys,

want to laugh??

this morning my brand new ASUS ROG Strix got the BIOS upgrade!!

guess what.. after update it wouldn't reboot.. that's worse panic than when you get locked out of the ax3!!! :lol:

had to play with it for a while before it decided to give signs of life again!!! I hope that never happens again or to anyone!!!
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Feb 18, 2024 1:11 pm

Golden rule for BIOS, if it's working don't upgrade it :D Today pretty much all motherboards have dual BIOS so no problem there.

But once I had to remove BIOS chip and flash it with programmer because there was a power fail in the middle of update. So two lessons learned there. One, never, ever update BIOS without a UPS and two, don't upgrade it if it's working.
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Sun Feb 18, 2024 2:35 pm

@gigabyte091
I would presume that the ASUS ROG strix[1] has no need for a UPS (unless antonio is running it without a battery or a completely depleted one)

Back in the (good) ol' days, when the CIH virus struck:
https://en.wikipedia.org/wiki/CIH_(computer_virus)
we had no fancy dual Bioses, nor programmers (luxury!) and we did a lot of hot-swapping :shock: of the BIOS chips.
https://tinyapps.org/blog/200702250700_ ... y_day.html

... kids today ...



[1] it is a laptop
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 18, 2024 2:46 pm

@gigabyte091
I would presume that the ASUS ROG strix[1] has no need for a UPS (unless antonio is running it without a battery or a completely depleted one)

Back in the (good) ol' days, when the CIH virus struck:
https://en.wikipedia.org/wiki/CIH_(computer_virus)
we had no fancy dual Bioses, nor programmers (luxury!) and we did a lot of hot-swapping :shock: of the BIOS chips.
https://tinyapps.org/blog/200702250700_ ... y_day.html

... kids today ...



[1] it is a laptop
correct it's a laptop so no battery issues.. but went into panic mode for some minutes!!
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Feb 18, 2024 4:43 pm

Didn't google it, sorry..
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 18, 2024 8:35 pm

i thought the hole in the back of the CRS112 was for the fan.. .. there's no fan :lol:
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sun Feb 18, 2024 9:09 pm

Designed as a router and a home for a mouse.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 19, 2024 1:41 pm

..as a router ..😂😂😂

probably more as a home for a mouse
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 2:24 pm

hi Giga, Mesquite,

I'm investigating home use firewalls with NEXT GEN capabilities.

I'm trying to find one that could be a good product to put downstream from my ISP.

I'm looking for something that generally doesn't come with a yearly license and is relatively cheap :lol:

do you have any suggestions??
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 2:36 pm

Please define NEXT GEN - using cute buzz words means nothing to me.
If you're looking for DPI and IDP subscription services, you're barking up the wrong tree here.
Again, being vague is not helpful. Stating "relatively cheap" is another bogus statement that has no real meaning. What is your budget?
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 2:50 pm

Please define NEXT GEN - using cute buzz words means nothing to me.
If you're looking for DPI and IDP subscription services, you're barking up the wrong tree here.
Again, being vague is not helpful. Stating "relatively cheap" is another bogus statement that has no real meaning. What is your budget?
yes DPI /IDP for home use of course budget .. max 400Euro
 
mozerd
Forum Veteran
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 3:06 pm

yes DPI /IDP for home use of course budget .. max 400Euro
https://eu.store.ui.com/eu/en/pro/products/ucg-ultra

Yes there is a yearly license fee and to find that out you will need to contact UI
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 3:38 pm

I have one question, why all of that ?
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 3:55 pm

I have one question, why all of that ?
I want a secure home free from attacks and hackers.. :lol:
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 4:04 pm

I have one question, why all of that ?
Not knowing how to spend 400 Euro in excess? :?: :wink:
I want a secure home free from attacks and hackers..
I am not a hacker, but if I were one, I would first find a way to get the list of IDS/IPS customers, they should be at the same time rich enough to be able to pay the service and gullible enough to believe that they are safe because of IDS/IPS (even if IDS/IPS protects them from some attacks they will be vulnerable in some other ways).
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 4:07 pm

If someone wants to hack you they will find a way. There is no perfect security but i think it's much better to educate your family how internet can be a dangerous place instead of buying expensive equipment.

I have VLANs and Adguard and never had any problem. IoT devices have their own VLAN. Cameras another, IPTV third and my trusted network fourth.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 4:12 pm

I have one question, why all of that ?
Not knowing how to spend 400 Euro in excess? :?: :wink:
Then OP should ask his wife, she will know how to spend it :lol:
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 4:29 pm

If someone wants to hack you they will find a way. There is no perfect security but i think it's much better to educate your family how internet can be a dangerous place instead of buying expensive equipment.

I have VLANs and Adguard and never had any problem. IoT devices have their own VLAN. Cameras another, IPTV third and my trusted network fourth.
agree..

the money would probably be much much more well spent on the fully manageable CRS310 !!!
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Thu Feb 22, 2024 8:13 pm

Concur, the 310 is CRS3XX series and thus setting up vlans is like vlan bridge filtering in routers and works great.
If one asked their spouse to spend $$ on IT, none of us would be here!!
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 23, 2024 5:35 am

Save a little bit more money and buy this beauty: https://mikrotik.com/product/crs326_4c_20g_2q_rm

Too bad it isn't PoE...

Thank God my wife doesn't ask too many questions, she just doesn't want to see cables on the floor :lol:
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Fri Feb 23, 2024 2:32 pm

Save a little bit more money and buy this beauty: https://mikrotik.com/product/crs326_4c_20g_2q_rm

Too bad it isn't PoE...

Thank God my wife doesn't ask too many questions, she just doesn't want to see cables on the floor :lol:
hi Giga,

wow why is that switch with 24 eth ports etc. costing less than the 310 ?

https://mikrotik.com/product/crs310_8g_2s_in
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Fri Feb 23, 2024 2:38 pm

What? the new switch is $999 us.
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Fri Feb 23, 2024 3:33 pm

@antonio

CRS326-4C+20G+2Q+RM $999

not to be confused with:
CRS326-24G-2S+IN $199
or
CRS326-24G-2S+RM $209

I love the way Mikrotik devices are clearly and uniquely named, it is practically impossible to mistake a model for another ...
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Fri Feb 23, 2024 8:49 pm

I would like to see a cheaper version, e.g. 16 x 2.5gbit ports, two sfp+ and one mgmt port aaaand poe :D desktop or RM. Price 350-450$
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Fri Feb 23, 2024 11:07 pm

You will have to wait for netgear,tplink, etc to start making prosumer 2.5 gig smart switches LOL.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sat Feb 24, 2024 6:49 am

I hope not... I mean they have routers for home and small business users, so why not switch that they can use. Not everyone needs switch with that kind of bandwidth and redundancy.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Feb 25, 2024 10:40 am

guys,

I was saying why is this model CSS326-24G-2S+RM -> 159$ which has 24 ports cost less than the CRS310-8G+2S+IN which has 8 ports and costs 219$??

probably because the CRS310 has the 2.5 Gbit ports?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Feb 25, 2024 10:51 am

And CRS has RouterOS whereas CSS is a SwOS-only device.
 
mozerd
Forum Veteran
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: VLANS creation and testing-AX2

Sun Feb 25, 2024 1:01 pm

probably because the CRS310 has the 2.5 Gbit ports?
@antoniocerasuolo
The Switch Chip is the reason
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Sun Feb 25, 2024 6:28 pm

Nice article, what caught my eye, was the comment ......why is MT using such old switch chips.....
I read the MT product info and all it says --> the amazing Marvell 98DX226S switch-chip

I go to the marvell website, and put in 98DX226S and I get NOTHING..........
I also notice that the AX3 router has no switch chips but two PHYs, so wondering how these stack up LOL.
 
mkx
Forum Guru
Forum Guru
Posts: 11646
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLANS creation and testing-AX2

Sun Feb 25, 2024 10:08 pm

I also notice that the AX3 router has no switch chips ...

Has one ... it's part of SoC, but needs external PHYs.
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 26, 2024 11:47 am

Guys,

thanks for your ongoing support on all types of questions.

I have a question which I wasn't thinking of asking.. but why not...

I have a NAS sitting downstream from my AX2, and i have enabled the synology quick connect from internet.

therefore in theory anyone knowing the url can at least reach my NAS and can try to hack it..

is there any firewall rule I could create to have added protection somehow??
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: VLANS creation and testing-AX2

Mon Feb 26, 2024 1:27 pm

Like any server, if it's not an encrypted type of connection, you are screwed LOL.
I would get users to wireguard in, then access NAS.
 
mozerd
Forum Veteran
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: VLANS creation and testing-AX2

Mon Feb 26, 2024 3:03 pm

and i have enabled the synology quick connect from internet
How secure is the quick connect on Synology?
QuickConnect Web Portal is secured by end-to-end encryption when the browser is redirected to the Synology NAS using LAN or WAN connection. Otherwise, the request is directed to the Portal Server.
It's a good practice to learn about the technology you are using and not simply being a blind mouse :D
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 26, 2024 5:40 pm

and i have enabled the synology quick connect from internet
How secure is the quick connect on Synology?
QuickConnect Web Portal is secured by end-to-end encryption when the browser is redirected to the Synology NAS using LAN or WAN connection. Otherwise, the request is directed to the Portal Server.
It's a good practice to learn about the technology you are using and not simply being a blind mouse :D
thanks :lol:
but i guess anyone that finds my url on the internet somehow.. can at least gain access to my NAS and from there try to hack it?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Mon Feb 26, 2024 5:46 pm

That's why @Mesquite proposed access via wireguard :D
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Feb 26, 2024 5:58 pm

That's why @Mesquite proposed access via wireguard :D
thanks Giga,

ok sorry read that too quickly .. well wireguard :lol: ... not familiar with that.. but got any tutorial on how to set that up ?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Mon Feb 26, 2024 7:39 pm

There was a tutorial but it was taken down. But if you open a new topic with a description of what you are trying to do I'm sure that @Mesquite will help you. He's reincarnation (3rd i believe :lol: ) of this forum's wireguard guru.
 
mozerd
Forum Veteran
Forum Veteran
Posts: 891
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: VLANS creation and testing-AX2

Mon Feb 26, 2024 8:25 pm

but i guess anyone that finds my url on the internet somehow.. can at least gain access to my NAS and from there try to hack it?
@ antoniocerasuolo
Apparently you do not comprehend how quick connect works …. And apparently All you want is to be hand held by others …
Without the proper userID and Password that quick connect URL you speak of is utterly useless to a hacker
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Wed Feb 28, 2024 10:26 pm

but i guess anyone that finds my url on the internet somehow.. can at least gain access to my NAS and from there try to hack it?
@ antoniocerasuolo
Apparently you do not comprehend how quick connect works …. And apparently All you want is to be hand held by others …
Without the proper userID and Password that quick connect URL you speak of is utterly useless to a hacker
to some extent you're right.. but struggling just the same as all of us..
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sat Mar 02, 2024 9:30 pm

hi Giga,

would you know how I could check if my ISP is blocking the following ports below?

4335
6667
443
123

is there a way I could check on the AX2 itself?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Mar 03, 2024 8:48 am

I highly doubt that ISP is blocking 443 and 123 as those are used for HTTPS and NTP.

Did you do port forward on ax2 ?
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Mar 03, 2024 10:16 am

hi Giga,

after hours of checking i found this portquiz :

http://portquiz.net:4335/ -> OK
http://portquiz.net:6667/ -> not working
http://portquiz.net:443/ -> OK
http://portquiz.net:123/ -> Not working

I Need :

6667 TCP
123 UDP

so for example my device needs to send information on port 6667 which is blocked how can we create a port forwarding to fix this?

is there any way to really get around this issue using the AX2 without having to call ISP asking to open ports??
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Mar 03, 2024 2:09 pm

Did you port forward those ports on your ax2 ?
 
jaclaz
Long time Member
Long time Member
Posts: 667
Joined: Tue Oct 03, 2023 4:21 pm

Re: VLANS creation and testing-AX2

Sun Mar 03, 2024 2:10 pm

So, your NTP is not working?

Just in case:
viewtopic.php?t=185530
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Mar 03, 2024 2:38 pm

Did you port forward those ports on your ax2 ?
Giga,

not sure what is the process to achieve this port forwarding.. can you help? how do I achieve port forwarding?

I want to try on 6667..
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Sun Mar 03, 2024 3:33 pm

 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Sun Mar 03, 2024 5:04 pm

hi Giga

I'm trying to play with this to get it to work


so basically I have
DST NAT
DST PORT: 6667
protocol TCP

ACTION
TO ADDRESS: PUBLIC IP
TO PORT... not sure what to do here i made up a port 12121

not sure if i'm doing this right,

*****
ok so I got control of my ISP router finally and it's giving me a chance to set the IP address to do a change between internal PORT to External Port, but not sure what to enter into the options.. this is probably just a much simpler version of what the AX2 can do with port forwarding..

but if the port blocking is not happening at this router level then even if i make changes will it work?

I was expecting to find a list of blocked ports or something but i guess the port blocking is done at a higher level?
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Mon Mar 04, 2024 5:28 am

You can't just make up any port. To address means the internal IP address where the device you want to forward the port to resides, not your public IP.

Think a little, you have DST-NAT, so you are forwarding all traffic coming to the router on port 6667 to your INTERNAL IP on that port (or it can be different port but I don't think that's the case here.)

I think Normis did a great job explaining this in video.

Also, to port is the port you want to forward to; in your case you usually put 6667 here.

For ISP router it's best to put it in bridge mode if possible... No need for double routers and double NAT.
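
The dst-nat forward described in the post above, written out as a RouterOS configuration (an added example, not part of the original thread). The internal address 192.168.88.50, the remote range 198.51.100.0/24 and the list name allowed_remote are constructed placeholders, and the WAN interface list is assumed to exist as in the default configuration.

```routeros
# Added example. Constructed values: 192.168.88.50 (internal device),
# 198.51.100.0/24 (remote peers allowed in), list name "allowed_remote".
# Assumes the default "WAN" interface list exists.

# The rule as first attempted in the thread, left commented out: to-addresses
# points at the public IP and to-ports is a made-up port, so no host on the
# LAN ever receives the forwarded traffic.
# /ip firewall nat add chain=dstnat action=dst-nat protocol=tcp dst-port=6667 to-addresses=<PUBLIC IP> to-ports=12121

# Restrict who may use the forward instead of opening the port to everyone.
/ip firewall address-list
add list=allowed_remote address=198.51.100.0/24 comment="constructed example range"

# Corrected rule: match tcp/6667 arriving on the WAN side and rewrite the
# destination to the internal device, keeping the same port.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-port=6667 \
    in-interface-list=WAN src-address-list=allowed_remote \
    to-addresses=192.168.88.50 to-ports=6667 \
    comment="forward tcp/6667 to internal host"

# The default firewall already carries this forward-chain rule; it is shown
# for setups that removed it. New WAN connections pass only if a dst-nat rule
# matched them, so the forward above is the single opening.
/ip firewall filter
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface-list=WAN \
    comment="drop WAN traffic that was not dst-natted"

# Verify: the packet counter on the dst-nat rule increases when an allowed
# remote host connects to port 6667.
/ip firewall nat print stats where chain=dstnat
```

A dst-nat rule only affects inbound connections; it does not change whether outbound traffic to port 6667 is filtered upstream.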
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Mon Mar 04, 2024 9:00 am

You can't just make up any port. To address means the internal IP address where the device you want to forward the port to resides, not your public IP.

Think a little, you have DST-NAT, so you are forwarding all traffic coming to the router on port 6667 to your INTERNAL IP on that port (or it can be different port but I don't think that's the case here.)

I think Normis did a great job explaining this in video.



Also, to port is the port you want to forward to; in your case you usually put 6667 here.

For ISP router it's best to put it in bridge mode if possible... No need for double routers and double NAT.
hi Giga,

there are other people using the main isp router so never really play with it or put it in bridge mode, my ax2 is just that i created my network!

anyway i tried putting the device directly under the isp router gave it static ip and seemingly i have opened up port 6667 for this device on my isp router..still some issue persists

Mikrotik is such a beautiful world.. million things to configure.. find the right one it works.. on the isp router. 2 things you can change :lol:

I opened the port 6667 in TCP protocol but someone on the forum is saying that I should also open the port in UDP protocol for it to work..
 
antoniocerasuolo
Member Candidate
Member Candidate
Topic Author
Posts: 117
Joined: Fri Dec 29, 2023 11:55 am

Re: VLANS creation and testing-AX2

Thu Mar 07, 2024 11:13 am

Hi Giga,

don't ask me how but the device started to work on its own no real config changes on anything.

it may have been a DNS issue on ISP.

it's working let's not wake the sleeping dog.. :lol:
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1205
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: VLANS creation and testing-AX2

Thu Mar 07, 2024 3:16 pm

Problems like this are the best, self solving one :D :D
