Solnse
just joined
Topic Author
Posts: 12
Joined: Sun Mar 26, 2023 11:19 pm

Added 2nd rb5009 to my setup and lost internet connectivity.

Sun Nov 03, 2024 2:05 am

So, I had a 2nd rb5009 sitting in a box and I've been thinking about the efficiency of my system. My ISP modem has a 2.5G port which is connected to eth1 on the first router. Then I have an SFP cable to link to the second router. Then, I wanted to connect my Proxmox/NAS box to the second router's eth1 port. When I set it up that way, I had no connectivity to the internet. The modem had it, but it was unreachable from anything inside my network.

So, I disconnected the second rb5009 even though I had done nothing in the configuration to connect the 2 (I don't know how, yet). Then, having put the cables back into what I thought were the original ports, I still couldn't reach the internet. My APs became unstable, and I couldn't even stay connected to Winbox for more than 30 seconds at a time. So, I happened to have a new modem from my ISP so I went through that setup, and am currently using its Wi-Fi to connect. I have not yet put it into Bridge mode and would like some help in case my rb5009 configuration is blocking access. The WAN is in eth1. I didn't think any of the other ports mattered for where I had APs connected.

In any case, I have added to my config over time, adding VLANs to separate CCTV, IoT, and guests. Did I mess it up?
# nov/02/2024 16:33:03 by RouterOS 7.8
# software id = NVZC-831S
#
# model = RB5009UPr+S+
# serial number = HDA08CJZJ94
/interface bridge
add admin-mac=18:FD:74:CF:67:FC auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface veth
add address=172.17.0.2/16 gateway=172.17.0.1 name=veth1
/interface vlan
add interface=bridge name=CimCam vlan-id=30
add interface=bridge name=CimGuest vlan-id=20
add interface=bridge name=CimIoT vlan-id=40
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    "31 004 294 656" type=partition
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk group-key-update=8h mode=dynamic-keys name=\
    DevoRoxy supplicant-identity=""
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.20.20.2-10.20.20.254
add name=dhcp_pool2 ranges=10.30.30.2-10.30.30.254
add name=dhcp_pool3 ranges=10.40.40.2-10.40.40.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=8h name=defconf
add address-pool=dhcp_pool1 interface=CimGuest lease-time=8h name=dhcp1
add address-pool=dhcp_pool2 interface=CimCam lease-time=8h name=dhcp2
add address-pool=dhcp_pool3 interface=CimIoT lease-time=8h name=dhcp3
/container config
set ram-high=512 registry-url=https://registry-1.docker.io tmpdir=\
    usb1-part1/pull
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=20
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=30
add bridge=bridge tagged=\
    bridge,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-ids=40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=172.17.0.1/16 interface=bridge network=172.17.0.0
add address=10.20.20.1/24 interface=CimGuest network=10.20.20.0
add address=10.30.30.1/24 interface=CimCam network=10.30.30.0
add address=10.40.40.1/24 interface=CimIoT network=10.40.40.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=30m
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.107 client-id=1:dc:a6:32:3c:d0:bf mac-address=\
    DC:A6:32:3C:D0:BF server=defconf
add address=192.168.88.137 client-id=1:78:45:58:87:a7:93 mac-address=\
    78:45:58:87:A7:93 server=defconf
add address=192.168.88.73 client-id=\
    ff:ca:53:9:5a:0:2:0:0:ab:11:95:be:bd:77:e0:89:97:6c mac-address=\
    0E:9F:CA:CE:7D:91 server=defconf
add address=192.168.88.71 client-id=1:6:f:21:98:21:7e comment=\
    "Turnkey Fileserver (Samba)" mac-address=06:0F:21:98:21:7E server=defconf
add address=192.168.88.30 client-id=\
    ff:ca:53:9:5a:0:2:0:0:ab:11:44:68:85:44:bd:d9:e5:18 mac-address=\
    E2:9E:BA:61:5B:E1 server=defconf
add address=192.168.88.26 client-id=1:2:87:17:8d:c7:1d mac-address=\
    02:87:17:8D:C7:1D server=defconf
add address=192.168.88.27 client-id=\
    ff:9f:14:8e:bf:0:2:0:0:ab:11:7d:b5:1c:bc:c:28:b7:ad mac-address=\
    D6:24:14:FE:0B:8D server=defconf
add address=192.168.88.49 client-id=1:ac:8b:a9:24:89:85 mac-address=\
    AC:8B:A9:24:89:85 server=defconf
add address=192.168.88.24 client-id=1:66:4f:f7:53:b7:34 comment=\
    "HIS Pixel 8" mac-address=66:4F:F7:53:B7:34 server=defconf
add address=192.168.88.33 client-id=1:ea:ee:35:4b:c1:c8 comment=\
    "HER Pixel 8" mac-address=EA:EE:35:4B:C1:C8 server=defconf
add address=192.168.88.44 client-id=1:a0:a3:b3:7a:c8:eb mac-address=\
    A0:A3:B3:7A:C8:EB server=defconf
add address=192.168.88.50 client-id=1:ec:71:db:3d:2:d4 mac-address=\
    EC:71:DB:3D:02:D4 server=defconf
add address=192.168.88.55 client-id=\
    ff:11:a9:9e:e2:0:1:0:1:2e:59:39:2:bc:24:11:a9:9e:e2 mac-address=\
    BC:24:11:A9:9E:E2 server=defconf
add address=10.30.30.3 client-id=1:2c:aa:8e:91:83:6a comment=\
    "Frontroom RTSP WyzeCam V2" mac-address=2C:AA:8E:91:83:6A server=dhcp2
add address=192.168.88.91 client-id=\
    ff:ca:53:9:5a:0:2:0:0:ab:11:d1:e1:f2:6e:c1:74:7a:a5 mac-address=\
    BC:24:11:05:E7:5D server=defconf
add address=192.168.88.92 client-id=\
    ff:c1:e8:29:5e:0:2:0:0:ab:11:bd:11:37:bc:90:d0:e0:98 mac-address=\
    BC:24:11:95:AD:05 server=defconf
/ip dhcp-server network
add address=10.20.20.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.20.20.1
add address=10.30.30.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.30.30.1
add address=10.40.40.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.40.40.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=hda08cjzj94.sn.mynetname.net list=mycloud
add address=192.168.88.108 list=exception
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward dst-address=10.30.30.0/24 src-address=\
    192.168.88.55
add action=drop chain=forward comment=\
    "drop all traffic from Guest LAN to main LAN" dst-address=192.168.88.0/24 \
    src-address=10.20.20.0/24
add action=accept chain=input comment="only from LAN" in-interface-list=LAN
add action=accept chain=forward in-interface=CimGuest
add action=accept chain=forward comment="Accept traffic from CimCam VLAN" \
    in-interface=CimCam
add action=drop chain=input comment="drop all else - input"
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else - forward"
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=\
    192.168.88.0/24 src-address=192.168.88.0/24
add action=dst-nat chain=dstnat comment="Port forwarding with cloud" \
    dst-address-list=mycloud dst-port=443 protocol=tcp to-addresses=\
    192.168.88.30 to-ports=443
add action=dst-nat chain=dstnat dst-address-list=mycloud dst-port=80 \
    protocol=tcp to-addresses=192.168.88.30 to-ports=80
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=\
    tcp src-address-list=!exception to-addresses=192.168.88.108
add action=dst-nat chain=dstnat dst-port=53 in-interface-list=LAN protocol=\
    udp src-address-list=!exception to-addresses=192.168.88.108
/ip service
set telnet disabled=yes
set ssh disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-autodetect=no time-zone-name=America/Los_Angeles
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 
mkx
Forum Guru
Posts: 12856
Joined: Thu Mar 03, 2016 10:23 pm

Re: Added 2nd rb5009 to my setup and lost internet connectivity.

Sun Nov 03, 2024 10:43 am

One thing that might cause problems: by default all ROS devices (IIRC only some PtP devices are exceptions) come configured with 192.168.88.1 as their LAN IP address. So it's almost essential to perform basic configuration (e.g. setting IP addresses, admin user's password, etc.) before connecting it to the final place (be it internet-facing router, LAN switch or AP). What might have happened is that both RB5009s had the same LAN IP address and thus both advertised their MAC addresses as the answer to ARP queries. Other LAN devices then cached the answer and some used the wrong RB for accessing the internet. Such instability should rectify itself a while after the offending device is removed from the network (ARP entries have timeouts, duration is client-side specific but usually it's tens of seconds).

BTW, I recommend you upgrade the ROS version on your router (and the second RB5009 after you finish basic configuration on it) to the latest stable ROS (currently that's 7.16.1).
 
tangent
Forum Guru
Posts: 1654
Joined: Thu Jul 01, 2021 3:15 pm

Re: Added 2nd rb5009 to my setup and lost internet connectivity.

Sun Nov 03, 2024 10:58 am

The damage from having duplicate IPs can last ~10 minutes after disconnecting the offending device as the ARP caches time out.

When you try this again, you likely want to configure the second RB5009 as a smart switch, not as a router.
 
Solnse
just joined
Topic Author
Posts: 12
Joined: Sun Mar 26, 2023 11:19 pm

Re: Added 2nd rb5009 to my setup and lost internet connectivity.

Mon Nov 04, 2024 10:20 pm

This must've been the issue. I got everything back up and running. I'll have to find out how to attach the second rb5009 as a switch instead of a router and try again.
 
mkx
Forum Guru
Posts: 12856
Joined: Thu Mar 03, 2016 10:23 pm

Re: Added 2nd rb5009 to my setup and lost internet connectivity.

Mon Nov 04, 2024 10:26 pm

I'll have to find out how to attach the second rb5009 as a switch instead of a router and try again.

SOP when commissioning a new device is to connect the management computer directly to the commissioned device ... and nothing else.
It may be necessary to configure the IP address on the management computer manually (if the managed device by default doesn't run a DHCP server). If you use Winbox as GUI, then a matching IP address is not a requirement; Winbox can work with a ROS device using its MAC address.
In any case it's preferable to connect to any port except ether1 (this one is in many default configurations used as the WAN port and thus heavily firewalled).
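The commissioning sequence mkx describes, combined with tangent's suggestion to run the second unit as a switch rather than a router, as one added example that is not from the thread, from the poster's export, or from MikroTik's documentation. It is entered on the second RB5009 while only the management computer is plugged into it (on ether2, not ether1). Assumed: the first router keeps 192.168.88.1 and the VLAN IDs 20/30/40 from the export above; the link between the two units is sfp-sfpplus1; ether8 is used here as a sample IoT access port; 192.168.88.2 and "CHANGE-ME" are placeholders to replace.

```routeros
# Added example (not the thread's config): commission the SECOND RB5009 as a
# VLAN-aware switch behind the first router. Assumptions: first router is
# 192.168.88.1, VLANs 20/30/40 as in the export above, uplink is sfp-sfpplus1,
# ether8 is a sample IoT access port, 192.168.88.2 / "CHANGE-ME" are placeholders.

# 1. Admin password first: every LAN host will be able to reach this unit later.
/user set admin password="CHANGE-ME"

# 2. Unique management address, so the new unit never answers ARP for
#    192.168.88.1 next to the first router (the duplicate-IP failure above).
/ip address remove [find comment=defconf]
/ip address add address=192.168.88.2/24 interface=bridge comment="switch mgmt"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.1
/ip dns set servers=192.168.88.1

# 3. A switch hands out no leases and has no WAN of its own.
/ip dhcp-server remove [find]
/ip dhcp-client remove [find]
/ip pool remove [find]
/interface list member remove [find list=WAN]

# 4. All copper ports and the SFP+ uplink belong to the bridge. defconf already
#    bridges ether2-ether8 and sfp-sfpplus1, so ether1 is the only addition.
/interface bridge port add bridge=bridge interface=ether1

# 5. VLAN table: the uplink carries 20/30/40 tagged; untagged frames on the
#    uplink and on plain access ports stay in the main LAN (pvid 1).
#    ether8 becomes an untagged VLAN 40 (IoT) access port.
/interface bridge port set [find interface=ether8] pvid=40 \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge port set [find interface=sfp-sfpplus1] \
    frame-types=admit-all ingress-filtering=yes
/interface bridge vlan add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=20
/interface bridge vlan add bridge=bridge tagged=sfp-sfpplus1 vlan-ids=30
/interface bridge vlan add bridge=bridge tagged=sfp-sfpplus1 untagged=ether8 \
    vlan-ids=40

# 6. Enable filtering last, once the table is complete, so management access
#    over the untagged LAN is not cut off mid-change.
/interface bridge set bridge vlan-filtering=yes

# 7. Unused management services off; MAC-based access only from the LAN list.
/ip service disable telnet,ftp,api,api-ssl
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Only now cable sfp-sfpplus1 to the first router. From the FIRST router,
# confirm the new unit answers on its own address and only one MAC is learned:
#   /ip arp print where address=192.168.88.2
#   /ping 192.168.88.2
```

The order matters for the failure described in the thread: the management address is changed and DHCP removed before the unit is connected to the production LAN, so at no point do two devices claim 192.168.88.1 or hand out leases on the same segment. Because this unit only bridges, the first router's firewall and NAT rules remain the single enforcement point for the VLANs.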
