tomuko
just joined
Topic Author
Posts: 6
Joined: Mon Nov 22, 2021 2:01 pm

SFP Ethernet module as WAN port

Mon Nov 22, 2021 2:26 pm

The device is a hEX PoE. On its box both the ether1 and the SFP socket are labeled as internet. Does this mean that when the ISP TP cable is connected to the SFP module, it will act as the WAN port with no changes to the default configuration required? Do I have to modify/add any of the default firewall rules to maintain the same level of security as if ether1 was used for WAN? How should they be modified? Thanks!
 
tomuko

Re: SFP Ethernet module as WAN port

Thu Dec 02, 2021 7:20 pm

Can someone help, please? Default configuration has ports ether2-5 and sfp1 on a bridge. I removed sfp1 from the bridge so it wouldn't be a slave and be part of the LAN. Hardware acceleration/offloading is done for ports ether1-5 according to the switch tab from webfig/winbox since those ports are connected to a switch IC. Am I wrong? Sfp1 not being a slave allowed configuring a DHCP client for it, instead of ether1 which is the default WAN port. From the interface tab sfp1 was assigned to WAN instead of ether1. Then, from ip-firewall-nat, I tried to configure masquerade so the LAN ports would be reachable from WAN sfp1. Options chosen are:
srcnat, action:masquerade, in interface list: LAN, out interface list:WAN, in interface: bridge (ether2-5 are part of it, this is the single bridge from default config, with only sfp1 removed from it), out interface: sfp1.
When trying to create this NAT entry, I get this error:
Couldn't add new NAT rule - incoming interface matching not possible in output and post routing chains.
The SFP module is a Mikrotik SRJ01.
Last edited by tomuko on Thu Dec 02, 2021 7:23 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: SFP Ethernet module as WAN port

Thu Dec 02, 2021 7:22 pm

Please post your config
/export hide-sensitive file=anynameyouwish

YES, any port should be able to be a LAN port or a WAN port at your choosing.
Compatibility between ISP modem and Router on an SFP or SFP+ port is a crapshoot however.
 
tomuko

Re: SFP Ethernet module as WAN port

Thu Dec 02, 2021 8:41 pm

Here it is
You do not have the required permissions to view the files attached to this post.
 
anav

Re: SFP Ethernet module as WAN port

Thu Dec 02, 2021 10:17 pm

The only thing on a quick glance missing is the default source nat rule??

/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface=sfp1
 
tomuko

Re: SFP Ethernet module as WAN port

Fri Dec 03, 2021 1:19 am

Your command works, anav but when I check back the NAT rule at webfig (sorry, this is my first time with RouterOS) it says that both in-interface-list and out-interface-list are set to LAN. Shouldn't out list be WAN? If I try adding in and out list to your command like this:
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none in-interface-list=LAN out-interface-list=WAN out-interface=sfp1

it displays "failure" and the same error message as before.
 
anav

Re: SFP Ethernet module as WAN port

Fri Dec 03, 2021 3:42 am

> Your command works, anav but when I check back the NAT rule at webfig (sorry, this is my first time with RouterOS) it says that both in-interface-list and out-interface-list are set to LAN. Shouldn't out list be WAN? If I try adding in and out list to your command like this:
> /ip firewall nat
> add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
> ipsec-policy=out,none in-interface-list=LAN out-interface-list=WAN out-interface=sfp1
>
> it displays "failure" and the same error message as before.

Hi there,
Only the out interface is relevant.
So you can have either out-interface-list=WAN or out-interface=sfp1
(unless it's a PPPoE-out interface, in which case you need to use the name vice the port if using the second option; same with a VLAN).

Standard ISP connection:
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface-list=WAN
OR
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface=sfp1

PPPoE client, where the ethernet port is sfp1 but pppoe-out is the PPPoE client interface name:
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface-list=WAN
OR
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface=pppoe-out

WAN client is on a VLAN, so let's say vlan-isp is on etherport sfp1:
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface-list=WAN
OR
/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface=vlan-isp

In all cases assuming the interface list and interface list members are correct.
Thus it's clear why out-interface-list=WAN is popular, as it covers most cases.
 
tomuko

Re: SFP Ethernet module as WAN port

Sat Dec 04, 2021 1:41 am

Thank you for the detailed explanation!
Should have internet service next week. Why do ISPs have problems with SFP? I'll report if that is the case for me. Don't have much choice where I live.
Could you tell me if the default firewall rules work with this change for WAN port? They seem to be for interface lists and not specific interfaces but I'm not sure.
Is the advice from this page about additional firewall rules going to improve the security of the default firewall?
https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
Did everything else suggested from it.
 
anav

Re: SFP Ethernet module as WAN port

Sat Dec 04, 2021 5:12 am

They are more or less okay!
Won't hurt, may be better ways to set up once the config is published and running.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: SFP Ethernet module as WAN port

Sat Dec 04, 2021 11:20 am

> Why do ISPs have problems with SFP? I'll report if that is the case for me. Don't have much choice where I live.

It's not that ISPs have problems with SFPs, rather it's that fibre can be used in various scenarios: FTTH (dual fibre or BiDi), GPON, ... all of those are different hardware-wise and require an appropriate module. Then there's the question of wavelength (standard on single-mode fibre is 1310nm, available is a range between 1270 and 1610nm). Then some ISPs or infrastructure operators go with some fancy authentication schemes. Add VLANs ... some things can be done in the router, some depend on SFP capabilities. MikroTik is quite notorious for not supporting "just any" SFP, and some advanced SFP features require appropriate configuration (ideally supported by the device hosting that module). Frequently it's just easier to use the ISP-provided device as a media converter to plain ethernet over UTP (hopefully in bridge mode).
 
mkx

Re: SFP Ethernet module as WAN port

Sat Dec 04, 2021 11:27 am

> Could you tell me if the default firewall rules work with this change for WAN port? They seem to be for interface lists and not specific interfaces but I'm not sure.

Indeed the default firewall works with interface lists. So the easiest way to use another port as the WAN port is to add that port to the WAN interface list. It should take care of all firewall and NAT issues. One should be careful though to adjust the L2 setup. E.g. if you want to use ether2 as the WAN interface, you first have to remove ether2 from the bridge (the bridge is kind of an ethernet switch). And you have to move IP settings to the new WAN interface (static IP address or DHCP client in most cases).
If WAN requires working with VLANs, then the (logically) correct WAN interface is the VLAN interface, not the physical one (which should still be considered untrusted for firewall purposes, so it should not be a member of the LAN interface list when talking about the default firewall configuration).
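
Added example (not part of any post in this thread, and not MikroTik code): a small Python audit of `/export` text that checks the points made above, namely that the WAN port is in the WAN list, is no longer a bridge port or LAN list member, and that no srcnat rule matches an incoming interface. The function names, the sample export and the default list names WAN/LAN are assumptions made for the example.

```python
import shlex

# Constructed sample in /export style (not the poster's config): sfp1 is in the
# WAN list but is still a bridge port, and the NAT rule matches an in-interface-list.
SAMPLE_EXPORT = r'''
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=sfp1
/interface list member
add interface=bridge list=LAN
add interface=sfp1 list=WAN
/ip firewall nat
add action=masquerade chain=srcnat in-interface-list=LAN \
    out-interface-list=WAN
'''

def parse_export(text):
    """Return {menu path: [dict of key=value pairs per 'add' line]}."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
            menus.setdefault(path, [])
        elif line.startswith("add ") and path:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            menus[path].append(dict(pairs))
    return menus

def audit_wan(text, wan_list="WAN", lan_list="LAN"):
    """List findings that would undermine the list-based default firewall."""
    cfg, findings = parse_export(text), []
    members = [m for m in cfg.get("/interface list member", []) if "interface" in m]
    wan = {m["interface"] for m in members if m.get("list") == wan_list}
    lan = {m["interface"] for m in members if m.get("list") == lan_list}
    bridged = {p["interface"] for p in cfg.get("/interface bridge port", []) if "interface" in p}
    if not wan:
        findings.append("no interface is a member of the WAN list")
    for ifc in sorted(wan & bridged):
        findings.append(f"{ifc}: WAN interface is still a bridge port")
    for ifc in sorted(wan & lan):
        findings.append(f"{ifc}: member of both WAN and LAN lists")
    for r in cfg.get("/ip firewall nat", []):
        if r.get("chain") == "srcnat" and ("in-interface" in r or "in-interface-list" in r):
            findings.append("srcnat rule matches an incoming interface (rejected by RouterOS)")
    return findings
```

Run `audit_wan()` on the text of an export file; an empty list means none of these four conditions was found, not that the firewall as a whole has been reviewed.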
 
tomuko

Re: SFP Ethernet module as WAN port

Mon Dec 06, 2021 6:03 pm

Anav and mkx, thank you for the answers!
Soon I'll know if there's a problem with the SFP because of the ISP.
