Shazbot
just joined
Topic Author
Posts: 6
Joined: Sun Jul 17, 2022 9:49 pm

Beginner help regarding home LAN

Sun Jul 17, 2022 11:20 pm

Hello. I don't know anything of networking but I need to solve the home LAN issue. I've tried to read up on articles and posts here and watched hours of Youtube but I need more help than that. I need you.

We had until recently a mesh WIFI solution from ASUS. We also have IPTV which the WIFI can't handle. More on that later. The WIFI isn't up to par so the solution is to wire the house with Cat6 to all stationary clients. As I need to resolve the IPTV issue I looked around for a router with functionality. When reading up on different brands it came down to MikroTik and I purchased a hEX RB 750Gr router. Now that I got it... let's say the entry skill level is professional.

The IPTV can't be behind a NAT(?). The IPTV control box must communicate with the ISP directly. Currently we have a long network cable going directly from the patch box to the IPTV control box in the living room to make it work. My wish is to cram IPTV and regular internet traffic inside that one cable (VLAN?).

The equipment I've got is:
1x MikroTik hEX RB 750Gr
1x Netgear GS108E 8 port switch
2x Netgear GS105E 5 port switch
1x ASUS Lyra Mesh WIFI (3 nodes)

This is the diagram of the intended network. Not particularly good at drawing diagrams so bear with me. Disregard the arrows, it was supposed to be simple lines:

[attachment: network diagram.drawio (1).png]
KITCHEN:
Intention here is to hook up the Lyra somehow to the LAN. I do believe DHCP can be turned off on the Lyra so the nodes only act as AP. Either way, the wired network must be reachable from any WIFI clients. From the kitchen the network cable (TRUNK?) goes to...

HALLWAY
Here the intention is to have one of the GS105E switches to split up the traffic to the living room on the same floor and to the basement below.

LIVING ROOM
The other GS105E switch will end up here and servicing the clients, one of them an IPTV box.

BASEMENT
Same deal as the living room.

What conclusions I've reached
Ok, this is where my lack of knowledge of networks really starts to show. Information I've found regarding the ISP patch panel is that the ports are bridged and thus every port has the same functionality (Internet, IP-Phone, IPTV etc). So the conclusion here is to simply feed the ROUTER from one of the PATCH PANEL ports to ROUTER WAN. This here is where my mind gets stuck. How can I isolate the IPTV traffic from the WAN cable? Instead, is it possible to go PATCH PANEL 1 to ROUTER WAN and PATCH PANEL 2 to ROUTER ETHERNET 1 and then merge the 2 "streams" from the PATCH PANEL and send it from ROUTER ETHERNET 3 as tagged VLAN towards the SWITCH in the hallway? In my mind I need 2 VLANs, regular internet and IPTV, and somehow present the IPTV boxes to the ISP without any interference of subnet(?) and NAT(?).

I'll stop here and see if anyone cares to help me solve this in a proper way.

Thank you.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Beginner help regarding home LAN

Mon Jul 18, 2022 6:16 am

Hello. I don't know anything of networking but I need to solve the home LAN issue. I've tried to read up on articles and posts here and watched hours of Youtube but I need more help than that.

The IPTV can't be behind a NAT(?). The IPTV control box must communicate with the ISP directly. Currently we have a long network cable going directly from the patch box to the IPTV control box in the living room to make it work. My wish is to cram IPTV and regular internet traffic inside that one cable (VLAN?).

What conclusions I've reached
Ok, this is where my lack of knowledge of networks really starts to show. Information I've found regarding the ISP patch panel is that the ports are bridged and thus every port has the same functionality (Internet, IP-Phone, IPTV etc). So the conclusion here is to simply feed the ROUTER from one of the PATCH PANEL ports to ROUTER WAN. This here is where my mind gets stuck. How can I isolate the IPTV traffic from the WAN cable? Instead, is it possible to go PATCH PANEL 1 to ROUTER WAN and PATCH PANEL 2 to ROUTER ETHERNET 1 and then merge the 2 "streams" from the PATCH PANEL and send it from ROUTER ETHERNET 3 as tagged VLAN towards the SWITCH in the hallway? In my mind I need 2 VLANs, regular internet and IPTV, and somehow present the IPTV boxes to the ISP without any interference of subnet(?) and NAT(?).
First, if you are looking for a cookbook recipe that is going to work with your exact equipment, ISP, etc. I doubt you will find one, unless you bought your "ingredients" from a recipe you found under your ISP's forum. But if that was the case, you probably wouldn't be here. And if you don't know what a subnet, NAT, VLANs etc. are (going by your inclusion of (?) after them), it is going to be quite frustrating until you learn the fundamentals.

Your diagram is "how you want it". How is it currently connected?
What do you mean by "ISP patch panel". Can you take a picture of it and post as attachment?

How many things are currently connected to it, and what are they? My guess is that there are different ports for IPTV and internet, i.e. not bridged. But without more info, that is just a guess.

Here's a link to a post on the Ubiquiti forum with a diagram for a similar problem. It's using a different router and switch, but I see no reason that the same problem could not be solved with the equipment you have. The RB750Gr3 has an integrated switch chip that can be configured in vlan-aware mode (the bridge with vlan-filtering enabled). But before going further, we need to know more about your setup.

And this isn't a good first project if you really "don't know anything of networking". What technical background do you have? What "hours of Youtube" have you watched. "Driving in Russia" doesn't count.
Last edited by Buckeye on Sat Jul 23, 2022 12:38 am, edited 1 time in total.
 
Shazbot
just joined
Topic Author
Posts: 6
Joined: Sun Jul 17, 2022 9:49 pm

Re: Beginner help regarding home LAN

Mon Jul 18, 2022 12:51 pm

First, if you are looking for a cookbook recipe that is going to work with your exact equipment, ISP, etc. I doubt you will find one, unless you bought your "ingredients" from a recipe you found under your ISP's forum. But if that was the case, you probably wouldn't be here. And if you don't know what a subnet, NAT, VLANs etc. are (going by your inclusion of (?) after them), it is going to be quite frustrating until you learn the fundamentals.

I'll read up on the fundamentals that you provided me with. Thank you. There's no specific "recipe" afaik. The ISP does not own the fiber, the ISP is just one of many different providers on that fiber network so I assume standards are adhered to. The physical fiber network belongs to a single provider where I can select from different ISPs that provide the actual internet service. It looks like this:

A - Owns the physical fiber network my house is connected to. Does nothing else but to maintain the functionality of that specific network. They have monopoly in this specific area.

B - I can at A's website select from a list of multiple ISP's that I want to provide me with the kind of service of my liking. My chosen ISP only provides internet connection.

C - This ISP can provide internet, IPTV and IP telephony. I've chosen their IPTV package only.

Your diagram is "how you want it". How is it currently connected?
What do you mean by "ISP patch panel". Can you take a picture of it and post as attachment?
How many things are currently connected to it, and what are they? My guess is that there are different ports for IPTV and internet, i.e. not bridged. But without more info, that is just a guess.

Today the mesh WIFI is connected to the patch box and each node around the house is connected to the Netgear switches. Nodes are in the kitchen, basement and living room. Besides not being able to handle the IPTV it works, but the ASUS Lyra suffers from instability. The living room IPTV box is connected directly to the patch box via a long network cable routed thru the house.

[attachment: Inteno fiber switch.png]
This is the CPE (what I call patch box) and is the unit inside our home that the fiber network is connected to. It's also the part that the ISP can connect to and configure from their side. We have currently IPTV connected to port 3 and WIFI to port 4. I've read a list (that I can't find atm) that on this fiber network I'm on, internet and IPTV has no specific port assigned to it.

Here's a link to a post on the Ubiquiti forum with a diagram for a similar problem. It's using a different router and switch, but I see no reason that the same problem could not be solved with the equipment you have. The RB750Gr3 has an integrated switch chip that can be configured in vlan-aware mode (the bridge with vlan-filtering enabled). But before going further, we need to know more about your setup.

And this isn't a good first project if you really "don't know anything of networking". What technical background do you have? What "hours of Youtube" have you watched. "Driving in Russia" doesn't count.

I thank you for that link as well. I'll study their solution and see if it is applicable to this problem. My background is technical. When I was younger I worked with computers in IT departments but never deep into networks such as designing, building and configuring them. Years ago I left the IT area and moved on into industrial, where IT solutions are more or less stagnant in comparison. I know that I'm no longer up-to-date with the newest stuff being released and developed.

Youtube is an amazing source of information but many content providers stick to the "15-minute format" where not much about anything can be explained properly. I've never had any issues solving problems by reading and learning on systems that I've had no previous experience with, but when I entered the MikroTik main page I knew that I'm way short of the necessary prior knowledge. I do believe that this can be solved and that I've got the right gear for it.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Beginner help regarding home LAN

Mon Jul 18, 2022 8:41 pm

This is the CPE (what I call patch box)

It's an Ethernet switch, not a "patch panel." More specifically, it's a fiber to Ethernet media converting switch. Your picture doesn't show the fiber SFP, which is on the left side from this viewpoint.

The SFP port is shown in the datasheet of its close cousin here. It doesn't show the USB port, but other models do have it, as seen elsewhere on that site.

FYI, these are patch panels. They're 1:1 passive devices for cable management. The only characteristic they share with a switch is that their front panel has a bunch of RJ45 ports on it. A patch panel has no power supply, and it doesn't interconnect any of the ports to the others, as a switch does. Patch panels are often found as the last step in a wiring closet before the switch, fanning that out to cable trays for distribution throughout the building. The long cables don't connect directly to the switch, but through the patch panel.

I point all this out because you shouldn't misuse that term. There are people here who know what patch panels are, and you're confusing them.

internet and IPTV has no specific port assigned to it.

That sounds right. If I understand this Inteno product properly, the only thing that makes it special with regard to your Netgear switches is the added fiber port.

Indeed, I suspect a hEX S (RB760iGS) could fill the same role, obviating the need for the Inteno switch. If you'd asked here before going shopping, you might've gotten that advice instead.

I'm not suggesting that you go out and buy a hEX S immediately. It's just an option to consider for later, if you're willing to experiment after you've got things up and running with what you have now.

We also have IPTV which the WIFI can't handle.

You're right to be moving IPTV off the WiFi. It isn't an ASUS problem, it's a problem of guaranteed real-time bandwidth. I don't care how badass your WiFi system is, proper streaming IPTV is an inappropriate application. If it works, it will work conditionally at best, breaking at the silliest things, such as having a house party. (Details in the link.)

I believe the core of your problem is that you're putting your IPTV boxes behind a NAT layer, being the hEX's default configuration. That's the correct thing to do for all the other hosts in your network, so you need to bypass it for the IPTV boxes only.

The simplest way out of this trap is to home-run the IPTV boxes back to the Inteno box, bypassing the hEX entirely.

If you insist on routing the IPTV traffic through the hEX, the only way I can figure out how to do it is to configure the NetGear switches for VLANs, tagging the IPTV ports only and leaving everything else untagged, then use those tags on the hEX to apply a switch rule that should make that traffic bypass the NAT firewall:

/interface bridge
# the default configuration names the bridge "bridge"; vlan-filtering must be on for the VLAN table to take effect
set bridge vlan-filtering=yes
/interface bridge vlan
# vlan-ids is required here; 99 is the tag the Netgear switches put on the IPTV ports
add bridge=bridge untagged=ether1 vlan-ids=99

/interface/ethernet/switch/rule
add switch=switch1 vlan-id=99 new-dst-ports=ether1

The first command is a modification to the stock configuration, turning on VLAN filtering so the next command will take effect.

The second command undoes the VLAN tagging applied by the NetGear switches, stripping the VLAN tags off when traffic is going out ether1, the hEX port I presume is connected to the Inteno switch, being the "Internet" port by convention. (You don't have to do it that way, but that's how it's marked on the device's front panel.)

The configuration to this point would be useless, but then we have the next part, the Ethernet switch chip rule, which makes special decisions for tagged traffic. I haven't tested it, but I believe this will take effect ahead of the bridge VLAN filtering.

In combination, this says, "Take VLAN 99 traffic and send it out ether1 without a VLAN tag." Everything else gets normal processing.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner help regarding home LAN

Mon Jul 18, 2022 9:01 pm

Actually wouldn't it be easier to do something like just take one of the ports on the ISP device and plug into ether2 for example.
I don't use switch chip so just thinking bridge vlan filtering method.

Add vlan interface=bridge vlan=66

Then in interface bridge ports
add bridge=bridge interface=ether2 pvid=66

Then in interface bridge vlans
add bridge=bridge tagged=bridge,etherX untagged=ether2 vlan-ids=6

The idea here is you take the stream from one of the ISP ports, add a vlan66 tag to it, carry it to another port on the mikrotik as a vlan (etherX) and carry it to the IPTV boxes through the managed switches in the house. When the last port is reached, aka smart switch port X leading to the TV box, just untag the vlan and you have successfully carried an un-natted traffic flow from ISP to IPTV box.
Last edited by anav on Sun Jul 24, 2022 4:01 pm, edited 1 time in total.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Beginner help regarding home LAN

Mon Jul 18, 2022 9:08 pm

Actually wouldn't it be easier…

If I'm right about the core problem being the NAT layer added by the hEX, how does this bypass the NAT?

However, having said that, it might be that the ISP is doing something like CGNAT, giving any DHCP client on the WAN a private address. We can infer that from the fact that the ISP delivers a switch as CPE, rather than a router.

In that case, simply disabling the NAT rule on the hEX might solve everything.

On the other-other hand, my VLAN isolation method might still be useful because it keeps the IPTV boxes from talking to anything else on the home LAN. If they're insecure or snoopy, this may be of real, practical help.
Last edited by tangent on Mon Jul 18, 2022 9:12 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner help regarding home LAN

Mon Jul 18, 2022 9:11 pm

Actually wouldn't it be easier…

If I'm right about the core problem being the NAT layer added by the hEX, how does this bypass the NAT?
Because I am not passing vlan66 through the WAN to LAN interface stream. Using the hex on ether2 to etherX simply as a switch and use vlan to move the traffic over the hex, and through the managed switches to the IPTV device.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Beginner help regarding home LAN

Mon Jul 18, 2022 9:23 pm

I am not passing vlan66 through the WAN to LAN interface stream.

Yes, I get all that. What I'm asking is, if I'm right that a srcnat firewall rule exists on the hEX:

/ip firewall nat
add chain=srcnat src-address=$LAN/24 action=src-nat to-addresses=$WAN \
out-interface=ether1

…doesn't your VLAN configuration still apply NAT to the IPTV traffic?

My switch rule advice is based on the assumption that it applies down at the bridging decision layer, ahead of the firewall.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner help regarding home LAN

Mon Jul 18, 2022 10:29 pm

I try not to guess the config of the OP,
Best if he exports it here (minus any public IPs)
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Beginner help regarding home LAN

Mon Jul 18, 2022 11:28 pm

In principle, sure, but he's a self-confessed newbie and almost certainly running on defconf. The only question in my mind is whether he chose the "bridge" or "router" quick-set config before posting for help here. One has the NAT rule, the other does not.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Beginner help regarding home LAN

Tue Jul 19, 2022 1:58 am

It's an Ethernet switch, not a "patch panel." More specifically, it's a fiber to Ethernet media converting switch. Your picture doesn't show the fiber SFP, which is on the left side from this viewpoint.

The SFP port is shown in the datasheet of its close cousin here. It doesn't show the USB port, but other models do have it, as seen elsewhere on that site.
If that image is the exact product you have, here's a data sheet for it. And a Configuration Manual XG6846 Revision E

So it seems like something similar to the RB260GS CSS106-5G-1S (but on steroids, it supports Q-in-Q too and vlan remapping, as well as secure management and ssh cli access)
internet and IPTV has no specific port assigned to it.
That sounds right. If I understand this Inteno product properly, the only thing that makes it special with regard to your Netgear switches is the added fiber port.
The Inteno XG6846 at least has the capability to have different access ports for different vlans. I don't have IPTV, but from what I have learned on networking forums, the IPTV is usually distinct from the internet, and usually delivered on a separate vlan. The ISPs usually provide a CPE device that will provide separate ports for the IPTV vlan (to connect to the Set Top Box) and for internet. Some also have a separate vlan for VoIP, possibly with a better Class of Service priority. This is why I would not be surprised if swapping the port connected to the ASUS Lyra and the port going to the set top box would not work. But perhaps it does, it would be easy to verify one way or the other by swapping the cables in the Green (LAN3) and Blue (LAN4) ports. If both internet and IPTV still work, the ports are probably in the same broadcast domain (V)LAN.
I believe the core of your problem is that you're putting your IPTV boxes behind a NAT layer, being the hEX's default configuration. That's the correct thing to do for all the other hosts in your network, so you need to bypass it for the IPTV boxes only.
I agree. This would be true whether LAN3 and LAN4 are a single LAN or not.
Actually wouldn't it be easier to do something like just take one of the ports on the ISP device and plug into ether2 for example.
I don't use switch chip so just thinking bridge vlan filtering method.

Add vlan interface=ether2 vlan=66

Then in interface bridge ports
add bridge=bridge interface=ether2 pvid=66

Then in interface bridge vlans
add bridge=bridge tagged=bridge,etherX untagged=ether2 vlan-ids=6

The idea here is you take the stream from one of the ISP ports, add a vlan66 tag to it, carry it to another port on the mikrotik as a vlan (etherX) and carry it to the IPTV boxes through the managed switches in the house. When the last port is reached, aka smart switch port X leading to the TV box, just untag the vlan and you have successfully carried an un-natted traffic flow from ISP to IPTV box.
That's essentially what the link to the post using the ER-10X was doing (the ER-10X is similar to a hEX S but with the second link going to a second switch chip that handles the upper 5 ether ports, The ER-X is based on the MT7621 SoC used in the RB750Gr3 and RB760iGS). The primary difference between this thread and the linked case is that in that case, the internet interface port had tags for both internet and a VoIP vlan, so the WAN interface was moved to vlan subinterface on switch0 (in ROS a vlan interface on the bridge device), and also in that case the Inteno XG6846 is providing different networks on different ports, (see this link), and on the ER-10X internet was given vlan 666, IPTV vlan 500, VoIP 855 and internal LAN 10 (untagged on switch-ports). This link has the annotated vlan portion of the "mock up" config (and a link to the complete config).

I see no reason for adding a layer 3 vlan interface, or even a bridge connection to the IPTV vlan. We don't want the router to do anything, we just want to use the layer 2 integrated switch ASIC to allow the IPTV traffic to bypass the Router unscathed on its own dedicated vlan (lane) and exit tagged to be delivered on the existing wires to the vlan-aware switches, where they will strip the tag and present to an access port for the STB (set top box). (BTW I think there is a typo with the vlan-ids=6; I think you meant vlan-ids=66.)

Here is how I would approach it. This assumes the IPTV connection is connected to ether2 and it is using 666 as the vlan (to indicate it is unsafe, unfiltered to be connected only to STB), and ether5 is the hybrid trunk going to the first NetGear GS105E. It also assumes that the NetGear switches are configured with IEEE 802.1Q vlans and the trunks have vlan 666 tagged. The only ports on the NetGear switches with 666 membership should be the trunk ports, and the vlan 666 access ports to the STBs (set top boxes).

/interface bridge
# the VLAN table below only takes effect with vlan-filtering on
set bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether2 pvid=666
add bridge=bridge interface=ether5
/interface bridge vlan
add bridge=bridge tagged=ether5 untagged=ether2 vlan-ids=666

But as others have said, we need to see your config. This thread NEW USER POSTING FOR ASSISTANCE is a good starting place, it gives instructions on how to export your config. It should request removing the router's SN as well (so @rextended won't need to clean it). I remove # software id = xxxxxxxx and # serial number = xxxxxxxx as well as MAC addresses, and do a global replace of the first three octets of any global ip addresses with the first three octets of the rfc5737 TEST-NET-x addresses. This lets the users know it represents a globally valid ip address, while "cloaking" your real ip address.
Last edited by Buckeye on Sat Jul 23, 2022 12:51 am, edited 3 times in total.
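The redaction routine described in the post above, written out as an added example (it is not code from the thread or from MikroTik). It drops the software-id and serial-number header lines, blanks MAC addresses and rewrites the first three octets of every globally routable IPv4 address to an RFC 5737 TEST-NET prefix, leaving RFC 1918 and other special-purpose ranges alone. The sample export at the bottom is constructed for the example; the public address, MAC and serial in it are made up.

```python
"""Redact a RouterOS /export before posting it on a public forum.

Added example, not code from the thread or from MikroTik. Every real
public /24 is mapped to the same TEST-NET /24 throughout the file, so
address/network/gateway relationships in the export still make sense
to a reader while the real assignment stays hidden.
"""
import ipaddress
import re

TEST_NETS = ("192.0.2", "198.51.100", "203.0.113")   # RFC 5737 /24s

HEADER_DROP = re.compile(r"^#\s*(software id|serial number)\s*=", re.I)
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def sanitize_export(text):
    """Return the redacted export as a string."""
    prefix_map = {}   # real first-three-octets -> TEST-NET first-three-octets

    def rewrite_ip(m):
        try:
            addr = ipaddress.IPv4Address(m.group(0))
        except ValueError:
            return m.group(0)            # not an address (e.g. a version string)
        if not addr.is_global:
            return m.group(0)            # RFC 1918, CGNAT, loopback etc. stay as-is
        real = ".".join(m.groups()[:3])
        if real not in prefix_map:
            # Only three TEST-NETs exist; a fourth distinct public /24 would
            # share one, so review the output if an export has that many.
            prefix_map[real] = TEST_NETS[len(prefix_map) % len(TEST_NETS)]
        return "%s.%s" % (prefix_map[real], m.group(4))

    out = []
    for line in text.splitlines():
        if HEADER_DROP.match(line):
            continue                     # identifies the exact unit; drop it
        line = MAC_RE.sub("XX:XX:XX:XX:XX:XX", line)
        line = IPV4_RE.sub(rewrite_ip, line)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample export (not a real router's config).
SAMPLE_EXPORT = """\
# jul/22/2022 20:38:00 by RouterOS 7.4
# software id = ABCD-1234
#
# model = RB750Gr3
# serial number = 1234567890AB
/interface ethernet
set [ find default-name=ether1 ] mac-address=DC:2C:6E:11:22:33
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
add address=85.24.100.17/24 interface=ether1 network=85.24.100.0
/ip route
add distance=1 gateway=85.24.100.1
/ip dns
set servers=1.1.1.1,8.8.8.8
"""

if __name__ == "__main__":
    print(sanitize_export(SAMPLE_EXPORT))
```

Run it as `python3 sanitize.py < export.rsc` after swapping the print for `sys.stdin.read()`, and still read the result before posting: the script only knows about the patterns above, not about hostnames, PPPoE user names or comments you typed yourself.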
 
Shazbot
just joined
Topic Author
Posts: 6
Joined: Sun Jul 17, 2022 9:49 pm

Re: Beginner help regarding home LAN

Fri Jul 22, 2022 8:38 pm

Hello and first of all, a big thank you guys for the replies.

I've read your replies and I'm digesting it (you are on a level where I need to read up on the matter to understand). I'm in the middle of watching thru network fundamentals (big thank you Buckeye for that link). Reading your replies it's apparent that I'll need to read up on RouterOS and how to actually configure MikroTik devices as well. The only thing I've done to the hEX is to update the software, the rest is as it came out of the box.

I need to learn some more about network and about RouterOS before I can reply my findings. Again, big thanks!
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner help regarding home LAN

Fri Jul 22, 2022 9:12 pm

Sounds like a plan, when you do have a starter config and need help don't forget to post the complete config here minus any actual public IP related info.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Beginner help regarding home LAN

Sat Jul 23, 2022 11:31 am

I'm in the middle of watching thru network fundamentals (big thank you Buckeye for that link). Reading your replies it's apparent that I'll need to read up on RouterOS and how to actually configure MikroTik devices as well.
Have you tried swapping the cables in the Green (LAN3) and Blue (LAN4) ports to see if both ports are part of the same lan? Because knowing that will affect the way the RB750Gr3 should be connected and configured.

Ed Harmoush's Practical Networking videos and website won't help with the configuration syntax that RouterOS uses, but the networking principles apply to any vendor's equipment, and learning RouterOS is complex enough when you do understand the principles. So watching and understanding info will be time well spent if you want to understand how things work, and why certain configuration decisions are made.

After you go through the fundamentals, he also has good information about vlans. Here is his vlan index. Once you understand how vlans work, then things like tagged frames and untagged frames will make sense, and then when you are configuring your router, and reading the MikroTik documentation, you will be able to understand what it is talking about. Then the learning will be fun instead of frustrating.

Good luck on your learning journey. @anav maintains a very worthwhile starting point with links to material that has proven to be worthwhile: New User Pathway To Config Success. These topics are (I believe) in the order in which he added them more than the order you should probably read them in. But since he references the sections in other posts, it is best to not change the ordering, but there is a "table of contents" at the top. I would start with section M. First Time Access & WINBOX (must watch videos for the new user.)

Note that the topic isn't static, he is adding more new things to it, so you may want to keep a link to it in your browser's bookmarks, so you can easily find it in the future.
Last edited by Buckeye on Sat Jul 30, 2022 12:36 pm, edited 1 time in total.
 
Shazbot
just joined
Topic Author
Posts: 6
Joined: Sun Jul 17, 2022 9:49 pm

Re: Beginner help regarding home LAN

Sun Jul 24, 2022 7:24 am

I'm in the middle of watching thru network fundamentals (big thank you Buckeye for that link). Reading your replies it's apparent that I'll need to read up on RouterOS and how to actually configure MikroTik devices as well.
Have you tried swapping the cables in the Green (LAN3) and Blue (LAN4) ports to see if both ports are part of the same lan? Because knowing that will affect the way the RB750Gr3 should be connected and configured.

I swapped the cables with each other on the CPE and the functionality of the IPTV signal and the Internet remained. I swapped the cables to ports 1 and 2 with the same result. Internet and IPTV are on the same LAN as it seems. Based on that information, what would be the best way to configure the hEX router?
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Beginner help regarding home LAN

Sun Jul 24, 2022 1:25 pm

When you said the STB wouldn't work over wifi, does that mean it won't work at all, or it doesn't work well?

If it doesn't work at all, it is possible that the STB is using a vlan and tagged frames. I agree with tangent that running your TV over wifi is not a good idea.

Also if the TV box had a wired ethernet connection, how were you getting the wireless signal to it?

If it is using IEEE 802.1Q tagged frames, then you will need to preserve the tags.

See this thread. IPTV and VLAN

I will be gone for the next 10 hours, so I won't be seeing any response until then. But there will be others that may be able to answer any questions you have.
 
Shazbot
just joined
Topic Author
Posts: 6
Joined: Sun Jul 17, 2022 9:49 pm

Re: Beginner help regarding home LAN

Sun Jul 24, 2022 3:29 pm

When you said the STB wouldn't work over wifi, does that mean it won't work at all, or it doesn't work well?

If it doesn't work at all, it is possible that the STB is using a vlan and tagged frames. I agree with tangent that running your TV over wifi is not a good idea.

Also if the TV box had a wired ethernet connection, how were you getting the wireless signal to it?

If it is using IEEE 802.1Q tagged frames, then you will need to preserve the tags.

See this thread. IPTV and VLAN

I will be gone for the next 10 hours, so I won't be seeing any response until then. But there will be others that may be able to answer any questions you have.

Thank you for taking time to help me with this. I bought that mesh solution shortly after I bought this house and I had an idea that I could connect the STB to 1 of the 2 ports on the Lyra node in the living room and the node in the basement and presto, IPTV over wifi. That worked with the other hosts (connected to a Netgear switch that is connected to a port on the Lyra node) so why wouldn't it work with the STB? Well it didn't.

I'm not sure why the stream breaks. I suspected that inserting a router (NAT) between CPE and STB breaks the IPTV stream as the IP address on the STB must be 10.xxx.xx.xxx. Searching the internet for similar cases with the IPTV provider I have, I suspected tagged VLANs were in play. But all those cases were on a different fiber network operated by another company so it's not a perfect analogy (they use dedicated ports on their CPE for the different services). The installation guide the IPTV provider has regarding multiple STBs looks like this:

[attachment: Allente IPTV.png]

It's in Swedish but basically says what it shows: add a switch (not provided by the IPTV provider) between the STBs and the CPE (not provided by the IPTV provider). It does not mention anything about VLAN, tagged frames or IEEE 802.1Q in the instructions. What do I make of that? I'm guessing here, but since there are no dedicated service ports on the CPE there must be a VLAN involved that the STB is pre-configured to. My following question is: is it possible to detect that VLAN tag with the hEX router?
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Beginner help regarding home LAN

Sun Jul 24, 2022 4:15 pm

Add a switch (not provided by the IPTV provider)

The fact that their system works with random switches tells us they aren't depending on VLAN routing or special RJ45 port assignments on the Inteno box to make it work. This is the purpose behind @Buckeye's suggestion to swap the blue and green ports' cables: if nothing changes, it confirms the same hypothesis.

That isn't to say that there aren't VLAN tags in use, however. If there are, the routing is done past the Inteno box. Your task is to find out whether that's the case.

One of the things you can use a RouterOS box for is a network tap, with a built-in packet sniffer. You can capture an IPTV stream to a file on the box, then download it to a local copy of Wireshark and simply see if it has VLAN tags in use, and if so, what VLAN IDs it needs.

This will require work on your part. We can't give you a stock configuration, boom, "Install this and everything will work." We don't use your ISP, your equipment, or your IPTV system. We're restricted to generalities and analogous experience. We've therefore given you a bunch of information instead, and links to gain more information. This is the path.

If you can't handle that, I'm back to my earlier suggestion: pull home-run wires from the Inteno box straight to the IPTV boxes, bypassing the RouterOS box. Use the RouterOS box for your PCs, IoT devices, and such only.
 
anav
Forum Guru
Posts: 19100
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Beginner help regarding home LAN

Sun Jul 24, 2022 4:44 pm

What the diagram shows is that the switch does nothing but pass the signal coming in from the provider directly to the STBs.
Therefore it's not necessary to capture an incoming tagged vlan stream.

As others have probably stated, the idea is that you take two ports from the white box. Both go to the MT router.
The one for IPTV alone (looks like ether2 on the white box), let's say, goes into ether2 on the MT, and another port for internet from the white box goes into ether1 of the MT.
One should also note that both your Netgear switches are vlan capable.

The plan is to assign vlan66 to the incoming traffic on ether2: no dhcp or routing or anything, just trunk it along to the managed switches.

The bridge will consist of ether3 and ether4: ether3 goes to the first managed switch, ether4 goes to the AP, ether5 is spare at the moment.
Suggest you take ether5 and do this for configuring purposes: viewtopic.php?t=181718

WAN ether1
IPTV ether2
To switch ether3
To access point ether4
config off bridge ether5

Going to assume flat LAN for the rest of the home network and assigned to vlan id 11
+++++++++++++++++++++++++++++++++++++
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlanIPTV  vlan-id=66
add interface=bridge name=vlanHOME  vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=vlanHOME name=homelan
/interface bridge port
add bridge=bridge comment="coming from ISPs ether2 only for IPTV" interface=ether2 pvid=66
add bridge=bridge comment="going to first managed switch" interface=ether3 ingress-filtering=yes frame-types=admit-only-tagged
add bridge=bridge comment="going to access point" interface=ether4 pvid=11 ingress-filtering=yes frame-types=admit-priority-and-untagged
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3  untagged=ether2  vlan-ids=66
add bridge=bridge tagged=bridge,ether3  untagged=ether4  vlan-ids=11
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlanHOME list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlanHOME network=\
    192.168.88.0
add address=192.168.5.1/24 comment="off bridge config"  interface=ether5  network=\
  192.168.5.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward  connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
.............

Proper setup of the GS switches is necessary, TRUNK port coming in from the MT device,
a. Trunk ports if going to next managed switch
b. Access ports going to STBs (untag 66), and
c. Access ports going to other dumb devices such as PCs (untag 11).
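Before pasting a draft like the one above into /import, it pays to check it for the mistakes that make the import stop or make VLAN traffic vanish (a port attached to a bridge name that is not defined, a PVID with no untagged membership, a trunk set to admit-only-tagged yet listed as untagged, a VLAN interface whose bridge is not a tagged member). This checker is an added example, not RouterOS code and not anav's script; the export it runs on is a constructed excerpt modelled on the draft, and the key names it inspects (bridge, pvid, frame-types, tagged, untagged, vlan-ids, vlan-id) are the RouterOS ones.

```python
"""Sanity-check a RouterOS bridge-VLAN export before importing it.

Added example for this thread, not RouterOS code and not anav's script: it
flags what the CLI rejects (brace notes, malformed key=value tokens) and what
silently drops traffic (undefined bridge, PVID without untagged membership,
tagged-only trunk listed as untagged, VLAN interface on an untagged bridge).
"""
import shlex

def parse_export(text):
    """Return ({section: [entry, ...]}, syntax_errors) for add/set lines."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # RouterOS line continuation
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    sections, errors, section = {}, [], None
    for line in joined:
        if line.startswith("/"):
            section = line
            continue
        if "{" in line or "}" in line:   # { ... } is a command block, not a note
            errors.append(f"{section}: brace block is not a comment: {line!r}")
            line = line.split("{", 1)[0]
        words = shlex.split(line)
        if not words or words[0] not in ("add", "set"):
            continue
        entry = {}
        for w in words[1:]:
            key, _, val = w.partition("=")
            if not val or "=" in val:    # e.g. frame=types=admit-only-tagged
                errors.append(f"{section}: malformed token {w!r}")
            entry[key] = val
        sections.setdefault(section, []).append(entry)
    return sections, errors

members = lambda value: set(filter(None, value.split(",")))  # "a,b," -> {a, b}

def check(sections):
    """Return human-readable problems found in the bridge VLAN setup."""
    problems = []
    bridges = {b.get("name") for b in sections.get("/interface bridge", [])}
    member = {}  # (bridge, vid) -> (tagged ports, untagged ports)
    for v in sections.get("/interface bridge vlan", []):
        for vid in members(v.get("vlan-ids", "")):   # single IDs only, no ranges
            member[(v.get("bridge"), int(vid))] = (members(v.get("tagged", "")),
                                                   members(v.get("untagged", "")))
    for p in sections.get("/interface bridge port", []):
        port, br = p.get("interface"), p.get("bridge")
        if br not in bridges:
            problems.append(f"port {port}: bridge {br!r} is not defined")
        pvid = int(p.get("pvid", 1))                 # RouterOS default PVID is 1
        only_tagged = p.get("frame-types") == "admit-only-tagged"
        _, untagged = member.get((br, pvid), (set(), set()))
        if not only_tagged and port not in untagged:
            problems.append(f"port {port}: pvid {pvid} has no untagged membership")
        if only_tagged:
            for (b, vid), (_, u) in member.items():
                if b == br and port in u:
                    problems.append(f"port {port}: tagged-only trunk is untagged in vlan {vid}")
    for vi in sections.get("/interface vlan", []):
        br, vid = vi.get("interface"), int(vi.get("vlan-id", 0))
        tagged, _ = member.get((br, vid), (set(), set()))
        if br not in bridges:
            problems.append(f"{vi.get('name')}: bridge {br!r} is not defined")
        elif br not in tagged:
            problems.append(f"{vi.get('name')}: bridge {br} is not tagged in vlan {vid}")
    return problems

def audit(text):
    sections, errors = parse_export(text)
    return errors + check(sections)

# Constructed excerpt modelled on the draft above (three defects on purpose).
SAMPLE = """\
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge name=vlanIPTV vlan-id=66
/interface bridge port
add bridge=bridge interface=ether2 pvid=66 { ISP ether2, IPTV only }
add bridge=bridge interface=ether3 ingress-filtering=yes frame=types=admit-only-tagged
add bridge=bridge interface=ether4 pvid=11 ingress-filtering=yes \\
    frame-types=admit-priority-and-untagged
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 untagged=ether2 vlan-ids=66
add bridge=bridge tagged=bridge,ether3 untagged=ether4 vlan-ids=11
"""
# Same excerpt with the defects corrected; audit(FIXED) returns [].
FIXED = (SAMPLE.replace("name=bridge1", "name=bridge")
         .replace("frame=types=", "frame-types=")
         .replace("{ ISP ether2, IPTV only }", 'comment="ISP ether2, IPTV only"'))
```

Run `audit(open("RouterConfig.rsc").read())` on the real file; an empty list means none of these checks fired.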
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Beginner help regarding home LAN

Mon Jul 25, 2022 9:16 am

I had an idea that I could connect the STB to 1 of the 2 ports on the Lyra node in the living room and the node in the basement and presto, IPTV over wifi. That worked with the other hosts (connected to a Netgear switch that is connected to a port on the Lyra node) so why wouldn't it work with the STB? Well it didn't.

I'm not sure why the stream breaks. I suspected that inserting a router (NAT) between CPE and STB breaks the IPTV stream, as the IP address on the STB must be 10.xxx.xx.xxx. Searching the internet for similar cases with the IPTV provider I have, I suspected tagged VLANs were in play. But all those cases were on a different fiber network operated by another company, so it's not a perfect analogy (they use dedicated ports on their CPE for the different services). The installation guide the IPTV provider has regarding multiple STBs looks like this:

Allente IPTV.png

It's in Swedish but basically says what it shows: add a switch (not provided by the IPTV provider) between STBs and CPE (not provided by the IPTV provider). It does not mention anything about VLANs, tagged frames or IEEE 802.1Q in the instructions. What do I make of that? I'm guessing here, but since there are no dedicated service ports on the CPE there must be a VLAN involved that the STB is pre-configured for. My next question is: is it possible to detect that VLAN tag with the hEX router?
Sorry for the novel length response, but details matter.

There are multiple possible reasons why the router could be causing problems. It may be NAT, it may be just the fact that it is going through a router (not on the same L2 network), it may be that there is a vlan tag, and the Lyra just ignored tagged traffic (and besides, it may need to be on the same L2 network too).

While the sniffer that @tangent recommended is a powerful debugging tool, I am not convinced it will help here, because my reading of the documentation is that it can only sniff what is going through the routing engine, and the IPTV traffic won't be. So I am not convinced it is the correct tool for this specific troubleshooting job. And if it doesn't work, then the assumption that it is working can lead to a big time sink trying to troubleshoot the wrong problem. I've been there, done that.

And we need to know for sure whether the STB is expecting tags or not. Because that will affect how the RB750Gr3 needs to be configured.

BTW, you do have the RB750Gr3, correct? What version of firmware are you using? If you haven't upgraded to v7 (probably best to use v7.4 stable at this time) I recommend doing so. v6 doesn't support hardware assisted vlan-filtering on the bridge with the MT7621A SoC that the RB750Gr3 uses, but v7.2 and above do, and doing bridging and vlans in software will adversely affect your router's performance.

I assume from the attachment name the provider is Allente. What type of STB do you have? What is the link to the support page you found the instructions on?

What seems odd to me is that in the diagram you provided:
  • They connect to a different port than you did (the yellow one, port 2) instead of what you said you are using (port 3 for IPTV and port 4 for your Lyra router/mesh wifi).
  • If all ports in the Inteno XG6846 are configured in the same LAN/broadcast domain, then why would there be any need for an external switch? I suppose one reason would be that you had two STBs at the end of a long single cable, and you wanted to avoid pulling another cable.
  • What is the * after the switch representing? Is that leading to a footnote stating that the switch is not provided, or does it list some requirements for the switch e.g. vlan-transparency
  • The only thing they show being connected to the switch is STBs. Which could imply that only IPTV was available on that connection, or it could just be a "simplified diagram" to reduce confusion for non-technical folks, and increase the confusion for the technical audience.

Does the "WAN" ip address on your "internet router" agree with what you get when you browse to ipchicken.com? If they agree, then your router is getting a globally valid ip address, and there is no other layer of NAT between your router and the "internet". If you get a different address, then your ISP is adding another layer of NAT between you and the internet. (Another indication would be if your "WAN" interface has an ip address between 100.64.0.0 and 100.127.255.255, as this is the 100.64.0.0/10 CGNAT private block).

I don't have IPTV, and have never worked on a network with it, so I am not really qualified to be giving advice. However, looking at this from a "black box" point of view, we don't know if tagged vlans are being used or not, given the information we have. Most "consumer" "dumb" plug and play switches made in the last ten years (e.g. Netgear GS105 (not E), TP-Link TL-SG105 (not E), Trendnet, Dlink, Tenda) are all vlan-transparent, meaning they ignore the ethertype field immediately following the SRC MAC address in the Ethernet frame, and treat it only as data; it is excluded from any forwarding decision made by the switch. When there is an IEEE 802.1Q tag in the frame, the ethertype immediately following the SRC MAC address will have the value 0x8100, which is an indication this is a tagged frame.

If you already own the Netgear GS105E switch, and if it is similar to the GS908E switch I have, then you can use it to easily determine if tagged vlans are being used. In the Switching menu, there should be a VLAN submenu, and under that 3 modes: (1) no vlans, (2) port based vlans (basic), and (3) 802.1Q vlans (advanced). In the "factory default out of the box configuration", the GS908E is in "No VLANs" mode, so it behaves like a vlan-transparent ethernet switch, i.e. it just passes ethernet frames as is and chooses which ports to forward to based only on mac addresses it has seen and the destination mac address in the frame it receives (as described in Everything Switches do - Part 1 - Networking Fundamentals - Lesson 4). But to drop all ethernet frames with IEEE 802.1Q tags, you can use 802.1Q VLANs, which will configure all ports to be access ports in VLAN 1. In this mode, untagged traffic will pass as is, but tagged traffic will be dropped. (I didn't test the special case of vlan id 0 (priority only tags), so I am not sure what it would do in that case.) My GS908E has a "Port based VLAN mode" that can partition the switch into multiple broadcast domains and affects which ports it will forward frames to based on port numbers, not tags. This mode is also IEEE 802.1Q tag transparent, i.e. it will forward tagged frames as well as untagged frames to other ports, as long as the ports are members of a common "vlan". I had never used this until today when I was responding to this post, and I had wrongly assumed that it was just using IEEE 802.1Q "under the covers", but that turned out to be a false assumption.

So the test you could do to determine whether your STB is using tagged frames or not would be this. Configure a laptop with the "public" Windows firewall profile (where it blocks inbound communication it did not initiate; RDP and other "dangerous" protocols should be blocked), and connect to the GS105E with the browser (you will need to determine what IP address it has; if it is connected to your MikroTik, you can look at the leases it has given out with /ip dhcp-server/lease/print). If you have made any configuration changes to the GS105E, make a backup of the configuration, because the next steps will be making changes and you could lose work. After you are satisfied with your GS105E backup, put a secure password on the GS105E if it doesn't have one, and configure the GS105E with a static IP address in a private network you are not using and that isn't in the 10 network used by your ISP (e.g. 172.23.253.100/24). When you change the switch's IP address, you will lose access to the switch until you manually change the IP address of your laptop to an address in the same subnet, e.g. 172.23.253.101/24 (and leave Default gateway blank, so the laptop can only communicate with IP addresses in 172.23.253.0/24). Then plug it into one of the Inteno XG6846 ports you were using, and then plug both of the wires you removed from the Inteno XG6846 into other ports of the GS105E (e.g. the connection to the huvudbox (main STB) and to your current internet router). Both should work if the GS105E is in the default "No VLANs" mode. But if you then use the laptop to change the GS105E into IEEE 802.1Q VLAN mode, then until more configuration is done, only untagged traffic will pass. If the IPTV STB still works, then the STB is not using tagged ethernet frames.

This is the testing layout I am trying to describe, except that you should use one of the ports you know works with the STB and Router, so either port 3 or port 4.

Note well: make sure you have your Windows firewall enabled, because the laptop will be directly connected to your internet feed, which may be on the internet. Although if you have manually set your IP address to 172.23.253.101/24 with no default gateway set, it will limit what the PC can talk to.
172.23.253.101 internet protocol version 4 no gateway.png
from output of ipconfig /all

Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : ASIX AX88772 USB2.0 to Fast Ethernet Adapter
   Physical Address. . . . . . . . . : 8C-AE-4C-F5-19-E8
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::d475:2f63:851f:cbd4%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.23.253.101(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 546090572
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-EB-E8-D9-BC-30-5B-A4-E5-01
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\WINDOWS\system32>
vlan_testing.png
If the IPTV works with both "No VLANs" mode and the default "IEEE 802.1Q VLAN (advanced)" mode, then everything is in the same broadcast domain and using untagged ethernet frames. Which makes me wonder how the ISP hands out IP addresses, but it is possible they only give out IP addresses in the IPTV range to "registered" MAC addresses for the STBs they provide (but that seems like weak authentication).

But if the IPTV does not work when the GS105E is in "default config" of IEEE 802.1Q mode where everything is an access port in the same broadcast domain, then that would be an indication that the STB is using tagged vlans, and you would need to take further action to determine which tagged vlan is being used. The method I would recommend would be to use the port mirroring capability in the GS105E (on my GS908E this is under "Monitoring"), and loading wireshark on your PC to capture the data. But this can be a relatively steep learning curve too, if you have never used wireshark.

Here was my test setup with my GS908E to test the different vlan modes on my switch (to verify that the "no VLANs mode" was vlan-transparent and did pass ethernet frames with vlan tags). Note that being able to relay tagged frames is different than being vlan-aware with the ability to tag and untag ethernet frames; that capability will be required whether or not the STB needs IEEE 802.1Q tags, because we want to use the same wire to pass two separate LANs, and be able to extract the correct LAN at the other end of the cable. So you will need to configure the GS105E switches to be in the 802.1Q vlan mode, and you will need to add at least one additional vlan to the switch (for the "IPTV" lan).

I have a Raspberry Pi 4 with the vlan package loaded; eth0 is untagged, eth0.241 is tagged for vlan 241. I have a single cable connected to an ER-X with 192.168.101.0/24 and 192.168.241 on tagged vlan 241. I inserted the GS908E in "No VLANs" mode between the Raspberry Pi 4 and the ER-X, and connected to the Raspberry Pi 4 with the untagged interface 192.168.101.78/24 with ssh, then from Raspberry Pi pinged ER-X on tagged vlan 241 (192.168.241.1/24). This shows that the GS908E is vlan-transparent in "No VLANS" mode, since the tagged traffic passed through. I then selected the IEEE 802.1Q VLAN mode and pings stopped working. This shows that when in default IEEE 802.1Q mode, all ports are configured as access ports for the default vlan 1 (and since untagged it is the switch that is determining what vlan it is in). Tagged packets are blocked. Selecting the Port based VLAN mode also allowed the tagged frames to pass through.

If you made it this far... Here's a great short Swedish documentary about how things can turn out to be more difficult than you first thought it would be. Not network related but very interesting.

HOPPTORNET (TEN METER TOWER) by Axel Danielson & Maximilien Van Aertryck
Last edited by Buckeye on Mon Jul 25, 2022 11:25 am, edited 1 time in total.
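Whether the capture comes from tangent's suggestion above (RouterOS /tool sniffer writing a .pcap) or from Buckeye's mirror-port-plus-Wireshark approach, the question is the same: does the ethertype right after the source MAC read 0x8100, and if so which VLAN IDs appear. This checker is an added example, not RouterOS code and not either poster's; it answers that from a classic pcap file, distinguishing untagged, priority-only (VID 0) and tagged frames and following stacked (QinQ) tags, and runs here on a constructed capture built inline.

```python
"""Report 802.1Q tagging in a pcap written by RouterOS /tool sniffer.

Added example for this thread (not RouterOS code, not any poster's own).
A frame is tagged when the ethertype right after the source MAC is 0x8100
(or 0x88A8 for a provider tag); the low 12 bits of the following TCI are
the VLAN ID, and VID 0 means a priority-only tag.
"""
import struct
from collections import Counter

ETH_P_8021Q = 0x8100   # customer VLAN tag (C-TAG)
ETH_P_8021AD = 0x88A8  # provider/service tag (S-TAG, QinQ)
TAG_TPIDS = (ETH_P_8021Q, ETH_P_8021AD)

def parse_frame(frame):
    """Return (vids, ethertype): VLAN IDs outermost first, then the
    ethertype of the payload that follows the tag stack."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    off = 12                                   # past dst MAC + src MAC
    vids = []
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype in TAG_TPIDS:
        if len(frame) < off + 6:
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)              # PCP/DEI are the top 4 bits
        off += 4                               # TPID (2) + TCI (2)
        ethertype = struct.unpack_from("!H", frame, off)[0]
    return vids, ethertype

def classify(frame):
    """'untagged', 'priority-only' (single tag with VID 0) or 'tagged'."""
    vids, _ = parse_frame(frame)
    if not vids:
        return "untagged"
    if vids == [0]:
        return "priority-only"
    return "tagged"

def iter_pcap_frames(data):
    """Yield link-layer frames from a classic (non-pcapng) Ethernet pcap."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is supported")
    off = 24                                   # global header length
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        off += 16                              # per-packet header length
        yield data[off:off + incl_len]
        off += incl_len

def vlan_report(pcap):
    """Return ({class: count}, {vid: count}) over every frame in the capture."""
    classes, vids = Counter(), Counter()
    for frame in iter_pcap_frames(pcap):
        classes[classify(frame)] += 1
        for vid in parse_frame(frame)[0]:
            if vid:
                vids[vid] += 1
    return dict(classes), dict(vids)

# --- constructed sample capture (no real traffic) ------------------------
def make_frame(vids=(), pcp=0, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    dst = bytes.fromhex("01005e010101")        # constructed IPv4 multicast MAC
    src = bytes.fromhex("0200c0ffee01")        # constructed locally administered MAC
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, (pcp << 13) | (v & 0x0FFF))
                    for v in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def make_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 1658750000 + i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return hdr + body

SAMPLE_PCAP = make_pcap([
    make_frame(),                      # plain untagged IPv4
    make_frame(vids=(66,)),            # tagged, VLAN 66
    make_frame(vids=(66,), pcp=5),     # tagged, VLAN 66, priority bits set
    make_frame(vids=(0,), pcp=5),      # priority-only tag (VID 0)
])

if __name__ == "__main__":
    print(vlan_report(SAMPLE_PCAP))
```

For a real capture, call `vlan_report(open("iptv.pcap", "rb").read())`; a file saved in pcapng format must be exported as classic pcap first.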
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Beginner help regarding home LAN

Mon Jul 25, 2022 10:19 am

…the sniffer…can only sniff what is going through the routing engine

Minor correction: it can only sniff what's going through the CPU. While that is where routing happens, packets don't have to be affected by a RouterOS routing rule for the sniffer to see them.

I make the distinction for two reasons:

First, if you're doing this on a router-class box, your traffic might indeed be crossing the CPU already, even if it's just taking the forwarding path. You might not need to go out of your way to sniff the traffic at all.

Second, if your traffic is being fast-tracked past the CPU in any way, there's usually a way to disable it. The most drastic is to disable bridge hardware offloading, forcing all bridged traffic through the CPU. You may then have to do something at the switch chip level to prevent FDB-level decisions from sending traffic past the CPU anyway.

With some switch models, you do this by applying a redirect-to-cpu switch chip rule. The match criteria for those rules aren't as powerful as for the packet filter, but you should be able to cut a flood of traffic down to a reasonable stream for further filtering by the packet sniffer.

All of this does mean running the packet sniffer on a RouterOS box isn't as simple as running Wireshark on a desktop host, but it generally can be done, if you know what you're doing.
 
Buckeye
Forum Veteran
Posts: 887
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Beginner help regarding home LAN

Mon Jul 25, 2022 1:05 pm

…the sniffer…can only sniff what is going through the routing engine

Minor correction: it can only sniff what's going through the CPU. While that is where routing happens, packets don't have to be affected by a RouterOS routing rule for the sniffer to see them.
I concede that point. Especially if he is using a version of ROS between v6.41 and v7.1rc4 (with v7.1rc5 we got hardware assist on MT7621, and there have been other bridge enhancements since then). Before v7.1rc5 the bridge was all software, and therefore would have been going through the CPU. And it would be easier to use the sniffer than to install and learn Wireshark.

But if v7.2+ is being used, and hw=yes is in effect, and the switch is forwarding to the MAC address of the STB, then this traffic won't ever hit the CPU. You may be able to force the processing to go through the CPU, but I have wasted time troubleshooting trying to determine where traffic was getting lost because I didn't see it on a router based "sniffer" (in that case it was using tcpdump on an ER-X, but the principle is the same), when in fact the traffic was leaving the router's switch port but was bypassing the CPU and therefore tcpdump. So when observing traffic going through a router, I prefer to use an external switch with a mirror port (my favorite for this purpose is the CSS106-5G-1S).

Since I have the tools, I like to use the best tool for the job. There are cases where the sniffer is the best tool for the job, but I don't think this is necessarily one of those cases. If Shazbot doesn't have Wireshark installed, then learning how to use it is much more complex than installing it. So in this case using the sniffer tool built into the router may be the easiest solution, even if he has to disable hardware assist. And I am new enough to ROS that I can't say with certainty how to do that (disable bridge hw assist in v7.1rc5+ on MediaTek MT7621 based routers like the RB750Gr3 and RB760iGS).
 
Shazbot
just joined
Topic Author
Posts: 6
Joined: Sun Jul 17, 2022 9:49 pm

Re: Beginner help regarding home LAN

Mon Aug 08, 2022 6:11 pm

What the diagram shows is that the switch does nothing but pass the signal coming in from the provider directly to the STBs.
Therefore it's not necessary to capture an incoming tagged vlan stream.

As others have probably stated, the idea is that you take two ports from the white box. Both go to the MT router.
The one for IPTV alone (looks like ether2 on the white box), let's say, goes into ether2 on the MT, and another port for internet from the white box goes into ether1 of the MT.
One should also note that both your Netgear switches are vlan capable.

The plan is to assign vlan66 to the incoming traffic on ether2: no dhcp or routing or anything, just trunk it along to the managed switches.

The bridge will consist of ether3 and ether4: ether3 goes to the first managed switch, ether4 goes to the AP, ether5 is spare at the moment.
Suggest you take ether5 and do this for configuring purposes: viewtopic.php?t=181718

WAN ether1
IPTV ether2
To switch ether3
To access point ether4
config off bridge ether5

Going to assume flat LAN for the rest of the home network and assigned to vlan id 11
+++++++++++++++++++++++++++++++++++++
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge name=vlanIPTV  vlan-id=66
add interface=bridge name=vlanHOME  vlan-id=11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=vlanHOME name=homelan
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=66 { coming from ISPs ether2 only for IPTV }
add bridge=bridge comment=defconf interface=ether3 ingress-filtering=yes frame=types=admit-only-tagged { going to first managed switch }
add bridge=bridge comment=defconf interface=ether4 pvid=11 ingress-filtering=yes frame=types=admit-priority-and-untagged  { going to access point }
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3  untagged=ether2  vlan-ids=66
add bridge=bridge tagged=bridge,ether3  untagged=ether4  vlan-ids=11
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=vlanHome list=LAN
add interface=ether5 list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=vlanHOME network=\
    192.168.88.0
add address=192.168.5.1/24 comment="off bridge config"  interface=ether5  network=\
  192.168.5.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=LAN
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward  connection-nat-state=dstnat
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set allowed-interface-list=NONE
/tool mac-server mac-winbox
set allowed-interface-list=LAN
.............

Proper setup of the GS switches is necessary, TRUNK port coming in from the MT device,
a. Trunk ports if going to next managed switch
b. Access ports going to STBs (untag 66), and
c. Access ports going to other dumb devices such as PCs (untag 11).

Hello again. Sorry for the late reply. End of vacation, back to work and a backlog from the summer to take care of. I've manufactured new Cat6 wires and wired the house up. The switches are all up as well. It's just configuration left to do. That code you provided, how do I input it to the router? By making a file and uploading it at WebFig/Files? The same for that ether5 config port you linked to, how do I configure that? Do I do that first? edit: I read through the code and saw that ether5 was configured there as a config port for the router, if I understood it correctly.

edit 2: I tried importing the code into a .rsc file but the terminal didn't find the file (did not exist).

My RouterOS is at version 6.49.6. Nothing has been configured on it.

I've never got the time to study ROS to the necessary level to complete this by myself and I need the instructions to be dumbed down.

And again, big thanks for your time in helping me with this task.

edit 3: I've now updated the router to 7.4.1. I thought I got the code imported properly, but after struggling with the Netgear switches I suspected that something was wrong with the MikroTik router. I can't find the VLANs anywhere when looking around in the settings. We had a power outage this night; not sure if the router drops the script when it powers down. Anyway, I tried to upload the file again (this after upgrading the ROS) and this time the terminal gives me a syntax error at line 16 column 80 in the code that Anav posted. Not familiar with the ROS language, maybe someone could clarify this syntax error for me?

edit 4:
Importing the file with verbose=yes gives this result:

[admin@RouterOS] > import RouterConfig.rsc verbose=yes
#line 1
/interface bridge
#line 2
add name=bridge1 vlan-filtering=yes
#line 3
/interface vlan
#line 4
add interface=bridge name=vlanIPTV vlan-id=66
#line 5
add interface=bridge name=vlanHOME vlan-id=11
#line 6
/interface list
#line 7
add comment=defconf name=WAN
failure: already have interface list with such name
[admin@RouterOS] >
