sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Double-check my first hEX PoE configuration

Thu Oct 21, 2021 7:28 pm

I recently purchased a hEX PoE and this is the first time I have done any kind of Layer3 configuration on a MikroTik device. It would be great if someone could take a look at my configuration and tell me if I made any obvious mistakes or if you would have done anything differently.
[admin@MikroTik] > /export hide-sensitive 
# oct/21/2021 17:02:04 by RouterOS 6.48.5
# software id = 9H22-PVVS
#
# model = 960PGS
# serial number = XXXXXXXXXXXX
/interface bridge
add ingress-filtering=yes name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add interface=bridge1 name=vlan11 vlan-id=11
add interface=bridge1 name=vlan61 vlan-id=61
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan61_pool ranges=192.168.4.100-192.168.4.230
/ip dhcp-server
add address-pool=vlan61_pool disabled=no interface=vlan61 lease-time=3w name=lte
/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 pvid=11
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=64
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=69
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=69
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether4,ether5 vlan-ids=69
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=64
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=61
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=11
/ip address
add address=192.168.4.1/24 interface=vlan61 network=192.168.4.0
/ip dhcp-client
add add-default-route=no disabled=no interface=bridge1 use-peer-dns=no
add disabled=no interface=vlan11 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1 netmask=24
/ip firewall filter
add action=drop chain=input in-interface=vlan11
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vlan11 src-address=192.168.4.0/24
/ip route
add distance=1 dst-address=192.168.20.0/24 gateway=192.168.60.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes primary-ntp=192.168.60.1
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Summary:
  • eth1 (hybrid trunk port connected to main router / firewall)
  • eth2 (failover wan, hence the nat to gain a separate gateway ip)
  • eth3 (access port - vlan 64)
  • eth4 (access port - vlan 69)
  • eth5 (access port - vlan 69)
Questions:
  1. Is it possible to simplify this config without losing any of the functionality?
  2. What are the advantages and disadvantages of removing eth2 from the bridge?
  3. In this case, is there a better way to allow access to the management interface only via eth1?
  4. In this case, is this one firewall rule sufficient to prevent any access to the management interface through eth2?
  5. Should I worry about only getting roughly 850 Mbit/s via iperf3 through VLAN64 between eth1 (trunk port) and eth4 (access port)?
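On questions 3 and 4: the export above has exactly one filter rule, `drop chain=input in-interface=vlan11`, which blocks packets arriving on that one interface and nothing else. The positive form of the same intent is an input chain that lists the interfaces allowed to reach the router and drops the rest, so a later interface (or the LTE-side VLAN 61, which also carries an address on the hEX) is covered without adding a rule per interface. The following is an added example written for this thread, not the poster's config; it assumes management stays on the DHCP-client address of bridge1 (untagged VLAN 1 behind ether1) and that SSH on tcp/22 is the only enabled service, as in the export.

```routeros
# Added example, not the poster's export. Assumes management stays on the
# DHCP-client address of bridge1 (untagged VLAN 1 behind ether1) and that the
# only service left enabled is SSH on tcp/22, as in the export above.
/interface list
add name=MGMT comment="only these interfaces may reach the router itself"
add name=WAN comment="ISP-router side used for the LTE path"
/interface list member
add interface=bridge1 list=MGMT
add interface=vlan11 list=WAN
/ip firewall filter
# input chain: packets addressed to the hEX itself
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to sessions the router opened (NTP to 192.168.60.1)"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp in-interface-list=MGMT \
    comment="ping only from the management side"
add chain=input action=accept protocol=tcp dst-port=22 in-interface-list=MGMT \
    comment="SSH only from the management side"
add chain=input action=drop \
    comment="default deny: vlan11, vlan61 and any interface added later"
# forward chain: packets the hEX routes between vlan61 and vlan11
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    comment="no new sessions from the ISP-router side into 192.168.4.0/24"
```

Apply it from a session on the management side and keep that session open until `/ip firewall filter print stats` shows the SSH accept rule counting packets, so a mistake does not lock you out. The poster's export already shows the DHCP client on vlan11 working behind an unconditional input drop on that interface, so no DHCP accept rule is added here; if clients on vlan61 stop receiving leases after this change, add `chain=input action=accept protocol=udp dst-port=67 in-interface=vlan61` ahead of the final drop.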
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double-check my first hEX PoE configuration

Thu Oct 21, 2021 9:59 pm

so you are using the hex as a switch or a router??
In any case here is good article to read.
viewtopic.php?t=143620
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hEX PoE configuration

Thu Oct 21, 2021 11:23 pm

Actually both, but the sole purpose of the router part is to provide lte fallback:
  • eth1, eth2 (are supposed to act like a router)
  • eth1, eth3, eth4, eth5 (are supposed to act like a managed switch)
The above config does exactly what I need, but I'm not really convinced of having found an ideal config yet.

Edit 1: I will try to clarify my third question. There are two dhcp-clients on the hEX. One on vlan1 (my management vlan) and one on vlan11 (my lte vlan). The idea is to route any traffic that does not target RFC1918 to the gateway set by the second dhcp-server (through vlan11) and anything else to the gateway set by the first dhcp-server (through vlan1). How do I do that without having to enter the gateway ips manually, like I did in the above config?

Edit 2: I think I can answer the second question myself now. It simply simplifies the configuration:
[admin@MikroTik] > /export hide-sensitive 
# oct/22/2021 18:51:05 by RouterOS 6.48.5
# software id = 9H22-PVVS
#
# model = 960PGS
# serial number = XXXXXXXXXXXX
/interface bridge
add ingress-filtering=yes name=bridge1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add interface=bridge1 name=vlan61 vlan-id=61
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vlan61_pool ranges=192.168.4.100-192.168.4.230
/ip dhcp-server
add address-pool=vlan61_pool disabled=no interface=vlan61 lease-time=3w name=lte
/interface bridge port
add bridge=bridge1 ingress-filtering=yes interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 pvid=64
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 pvid=69
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 pvid=69
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge1 tagged=ether1 untagged=ether4,ether5 vlan-ids=69
add bridge=bridge1 tagged=ether1 untagged=ether3 vlan-ids=64
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=61
/ip address
add address=192.168.4.1/24 interface=vlan61 network=192.168.4.0
/ip dhcp-client
add add-default-route=no disabled=no interface=bridge1
add disabled=no interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1 netmask=24
/ip firewall filter
add action=drop chain=input in-interface=ether2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2 src-address=192.168.4.0/24
/ip route
add distance=1 dst-address=192.168.0.0/16 gateway=192.168.60.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Berlin
/system ntp client
set enabled=yes primary-ntp=192.168.60.1
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double-check my first hEX PoE configuration

Sat Oct 23, 2021 6:35 pm

Let me get this straight,

Ether1 provides internet how, from another router which provides you a private LANIP, for your HEX WANIP.
One of the main routers lan port connects to the HEX WAN port.
What is the main router make and model and what is travelling on this port (subnet(s)?) and how are they organized (already on a vlan??)

Ether2 provides internet from another Source (presuming LTE device of some sort) and want to confirm its not a router but just passing the LTE signal to the router??
How is this traffic organized ( private IP? is it being passed on a VLAN already)??
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hEX PoE configuration

Sat Oct 23, 2021 9:58 pm

                        / LAN1 (DSL) ----------- |
Imposed router from ISP                          | Main router (pfSense)
                        \ LAN2 (LTE) - hEX PoE - |
The sole purpose of the hEX PoE connection to the imposed router from the isp is to generate a second gateway ip which is mandatory for proper multi-wan (dsl / lte) in pfSense. LAN1 and LAN2 are in the same subnet (but policy-based routing decides which path to the internet the data takes). The hEX PoE is connected to a dedicated port on my main router. The main router provides internet to the access ports of the hEX PoE via vlan64 and vlan69. vlan1 is only used for management purposes.
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double-check my first hEX PoE configuration

Sun Oct 24, 2021 4:48 am

interesting, why not simply connect the LTE device directly to the pfsense router??
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hEX PoE configuration

Mon Oct 25, 2021 9:09 am

Because pfSense cannot handle having the same gateway IP on both wan interfaces (at least not if automatic failover is desired).
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double-check my first hEX PoE configuration

Mon Oct 25, 2021 7:05 pm

Wow so the ISP router provides you two private WANIPs one DSL sourced and one LTE sourced but from the same gateway IP?
So no public IPs involved here right?

So for example your saying the following
the DSL account WANIP is 192.168.50.25 and the gateway is 192.168.4.1
the LTE account WANIP is 192.168.25.10 and the gateway is the same 192.168.4.1 ??

Do these come out on different ports on the ISP router,
If not do they come out on a single port already assigned on VLANs??
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hEX PoE configuration

Tue Oct 26, 2021 10:44 am

> Wow so the ISP router provides you two private WANIPs one DSL sourced and one LTE sourced but from the same gateway IP?
Basically yes.
> So no public IPs involved here right?
Right.
> Do these come out on different ports on the ISP router
I think the policy-based routing decision (which decides which path the data takes) is actually based on the hostname of the client. But yes, my pfSense box is connected to LAN2 (on the ISP router) and my hEX PoE is connected to LAN3 (on the ISP router). There are no VLANs involved up until this point.
> the DSL account WANIP is 192.168.50.25 and the gateway is 192.168.4.1
> the LTE account WANIP is 192.168.25.10 and the gateway is the same 192.168.4.1 ??
The gateway IP of the ISP router is 192.168.2.1 (see appendix).
 
anav
Forum Guru
Posts: 19325
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Double-check my first hEX PoE configuration  [SOLVED]

Tue Oct 26, 2021 5:50 pm

I would probably set it up like
ether1 WAN1
ether2 WAN2
Bridge no dhcp
vlan11
vlan61
vlan64
vlan69
(the number of Subnets you want to have on your network dictates the number of vlans).

IP pool for each vlan
IP address for each vlan
DHCP network for each vlan
DHCP network server for each vlan

Bridge ports - PVID for access ports, allow priority and untagged frames, For trunk ports carrying vlans allow tagged frames only
Bridge vlans as appropriate.

WAN ports ARE NOT on the bridge!!

Interface List
WAN
LAN

Interface list members
ether1=wan
ether2 =wan
vlanx=lan
vlany=lan
vlanz=lan

Neighbour discovery=LAN

Firewall filters - use default settings to start then we can go from there.
Source nat - only out-interface-list=WAN is required.

IP route WAN1 distance=5 ping check gateway [primary]
IP Route WAN2 distance=10

/tool mac-server mac-winbox
set allowed-interface-list=none
Change to LAN
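The outline above, written out as an added example for this thread (it is neither anav's nor the poster's config). It assumes the hEX is the main router with two uplinks off the bridge, two access VLANs (64 on ether3, 69 on ether4/5), and two distinct, hypothetical next-hop addresses from the RFC 5737 documentation ranges; in the poster's own setup both uplinks come from the same ISP router with gateway 192.168.2.1, which this template does not cover. Firewall filter rules are left to the RouterOS defaults, as anav suggests, and are not repeated here.

```routeros
# Added example, not the poster's or anav's config. Gateway addresses 192.0.2.1
# and 198.51.100.1 are assumed placeholders (RFC 5737), not values from the thread.
/interface list
add name=WAN
add name=LAN
/interface bridge
add name=bridge1 vlan-filtering=yes ingress-filtering=yes protocol-mode=none
/interface bridge port
# access ports: PVID set, only untagged and priority-tagged frames admitted
add bridge=bridge1 interface=ether3 pvid=64 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether4 pvid=69 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether5 pvid=69 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan
# bridge1 is listed as tagged so the router's own VLAN interfaces see the traffic
add bridge=bridge1 vlan-ids=64 tagged=bridge1 untagged=ether3
add bridge=bridge1 vlan-ids=69 tagged=bridge1 untagged=ether4,ether5
/interface vlan
add name=vlan64 interface=bridge1 vlan-id=64
add name=vlan69 interface=bridge1 vlan-id=69
/interface list member
# WAN ports are not bridge members; each VLAN interface is LAN
add list=WAN interface=ether1
add list=WAN interface=ether2
add list=LAN interface=vlan64
add list=LAN interface=vlan69
/ip address
add interface=vlan64 address=192.168.64.1/24
add interface=vlan69 address=192.168.69.1/24
/ip pool
add name=pool64 ranges=192.168.64.100-192.168.64.200
add name=pool69 ranges=192.168.69.100-192.168.69.200
/ip dhcp-server network
add address=192.168.64.0/24 gateway=192.168.64.1
add address=192.168.69.0/24 gateway=192.168.69.1
/ip dhcp-server
add name=dhcp64 interface=vlan64 address-pool=pool64 disabled=no
add name=dhcp69 interface=vlan69 address-pool=pool69 disabled=no
/ip dhcp-client
# addresses from the uplinks, but default routes are managed statically below
add interface=ether1 add-default-route=no use-peer-dns=no use-peer-ntp=no disabled=no
add interface=ether2 add-default-route=no use-peer-dns=no use-peer-ntp=no disabled=no
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=5 check-gateway=ping comment="WAN1 (ether1) primary"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=10 comment="WAN2 (ether2) failover"
/ip firewall nat
# one masquerade rule covers both uplinks
add chain=srcnat out-interface-list=WAN action=masquerade
/ip neighbor discovery-settings
set discover-interface-list=LAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
```

Failover here happens when the primary route's next hop stops answering ping: the distance-5 route goes inactive and the distance-10 route takes over. If the uplink device stays reachable while its own connection is down (the case with an ISP router in front of the hEX), `check-gateway=ping` does not notice; the usual RouterOS answer is a recursive route, a host route to a remote probe address with `target-scope` adjusted, so the default route depends on reaching something beyond the next hop.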
 
sealouiw
newbie
Topic Author
Posts: 36
Joined: Sun Jan 31, 2021 11:10 am

Re: Double-check my first hEX PoE configuration

Wed Oct 27, 2021 1:13 pm

Sounds like a very reasonable suggestion in case the hEX PoE were my main router, which it currently isn't.
> WAN ports ARE NOT on the bridge!!
Yeah, that's what I realized in #3.
> /tool mac-server mac-winbox
> set allowed-interface-list=none
> Change to LAN
I only use Linux.
