 
kf7yrs
just joined
Topic Author
Posts: 3
Joined: Sun Jul 14, 2024 12:52 am

Can a PowerBOX RB750P-PBr 2 do this?

Mon Jul 15, 2024 12:03 am

I'm not trained in IT but I am learning, slowly. We are working on an Aredn mesh using mostly Mikrotik radios. This involves having multiple co-located nodes (LHGs) on a tower, for instance. I've been using Ubiquiti NanoSwitches (N-SW) to distribute POE and generate DtD linking between the radios. This allows the use of only one data/POE cable from the radios on a tower to the building below. The N-SW is outdoor rated but getting harder to find, so I wanted to find a Mikrotik alternative. The RB260GSP works well in this role but is indoor only. I bought a PowerBOX (PB) thinking that might be the solution. If I run both a POE cable (port 1) and a data cable (port 2-5) to the PB, it works fine and I can access the co-located nodes and the mesh. If I try combining data and POE in the same cable into port 1, it doesn't work. In fact, I don't seem to be able to reach the PB at all (192.168.88.1) with the computer plugged into the POE injector. I've read there is a firewall between the WAN port (1) and the LAN ports (2-5). Maybe this is blocking the data on port 1? Since this will never be connected to the internet, is there a way to allow data traffic from port 1 to the LAN ports?

Thanks for any suggestions, Lee
 
jaclaz
Forum Guru
Posts: 1459
Joined: Tue Oct 03, 2023 4:21 pm

Re: Can a PowerBOX RB750P-PBr 2 do this?

Tue Jul 16, 2024 11:44 am

You need to change your configuration, adding ether1 to the bridge and removing its categorization as WAN.
Then you can remove or disable the firewall rules.
And change a few other settings, like DHCP client and server, etc.
The result will essentially be a "switch".
Or, if you need the routing functions, you can "exchange" ether1 with ether5, adding ether1 to the bridge and removing ether5 from it.
If you don't need all the ports, it is anyway a good idea to keep a (normally unused) port out of the bridge for connection/management in case of issues with the bridge configuration.
In any case follow this:
viewtopic.php?t=203686#p1051720
and post your configuration.
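The in-place conversion jaclaz describes, written out as RouterOS 6.4x terminal commands. This is an added example, not something posted in the thread or shipped by MikroTik; it assumes the stock RB750Pr2 defconf (bridge of ether2-5, ether1 as WAN, 192.168.88.1/24), that you are connected on one of the LAN ports, and a mesh-side gateway at 192.168.88.254, which is a placeholder.

```routeros
# Added example (RouterOS 6.4x CLI), not from the thread: turning the stock
# "router" defconf of an RB750Pr2 into a switch in place, in the order that
# avoids a lock-out. Assumed: you are connected on ether2-5 (the LAN side),
# the device still has its 192.168.88.1 defaults, and 192.168.88.254 is the
# mesh gateway (placeholder).

# 0. Keep a way back: a backup, and safe mode (Ctrl-X in the terminal) so a
#    dropped session rolls every change back.
/system backup save name=before-switch

# 1. ether1 stops being "WAN": no DHCP client, not in the WAN list, no NAT
#    out of it. Doing this before moving the port avoids the orphaned
#    "*4"-style references a later /export would otherwise show.
/ip dhcp-client remove [find interface=ether1]
/interface list member remove [find interface=ether1 list=WAN]
/ip firewall nat remove [find out-interface-list=WAN]

# 2. A mesh switch does not hand out addresses.
/ip dhcp-server disable [find name=defconf]

# 3. ether1 joins the bridge. From now on frames from the single PoE/data
#    cable arrive on in-interface "bridge", which IS in the LAN list, so the
#    defconf input rule "drop all not coming from LAN" no longer blocks
#    management from that side and can stay exactly as it is.
/interface bridge port add bridge=bridge interface=ether1 comment="was WAN"

# 4. The forward chain only sees routed traffic (use-ip-firewall is "no" by
#    default); a device that routes nothing never uses those rules, so they
#    can go. The input rules stay: they protect the device's own logins.
/ip firewall filter remove [find chain=forward]

# 5. Route and DNS towards the mesh gateway so the switch can reach an NTP
#    server and be reached from elsewhere (gateway address is assumed).
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.254
/ip dns set servers=192.168.88.254

# 6. Check: every port on the bridge, and no "*N" objects left in the export.
/interface bridge port print
/export
```

If step 3 succeeds, management over the combined PoE/data cable works without touching the firewall at all, which is what the "drop all not coming from LAN" rule keyed on the interface list makes possible. If you are instead keeping routing and swapping ether1 for ether5, do the reverse for ether5 (add it to the WAN list, give it the DHCP client) before removing it from the bridge.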
 
kf7yrs
just joined
Topic Author
Posts: 3
Joined: Sun Jul 14, 2024 12:52 am

Re: Can a PowerBOX RB750P-PBr 2 do this?

Wed Jul 17, 2024 12:44 am

Thanks for your reply!

I changed the mode to Bridge in the Quick Set tab.
I added ethernet 1 to the bridge
I removed the WAN categorization
I turned off the DHCP server (actually it disappeared when I went to Bridge Mode).

Once these changes were made, the PowerBOX is working exactly the way I want it to. I didn't disable or remove the firewall rules. The firewall tab under "IP" is complicated and a bit scary for a novice. If I end up with a problem, I'll tackle it then. As for now, the device is doing what I want. I don't know how to post my configuration but would be glad to if you still want it. I might need some instruction. I still need to read the link you posted, looks like lots of good info.

Thanks again for the help!!!
Lee
 
rextended
Forum Guru
Posts: 12332
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Can a PowerBOX RB750P-PBr 2 do this?

Wed Jul 17, 2024 1:19 am

When the device must be a plain switch, if you are able to use WinBox with the MAC address: reset the configuration without the defaults, set a strong password and do not use "admin" but create another user (with no stupid names like "root") and disable "admin", add one bridge, put all interfaces on the bridge, assign the IP to the bridge, add the gateway in routes, add DNS and NTP, and you are done.
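The same "plain switch" build, started from an empty configuration, as RouterOS 6.4x terminal commands. This is an added example and not rextended's or MikroTik's own script; the user name "tower-ops", the password, the address 192.168.88.2/24 and the gateway/NTP/DNS server at 192.168.88.254 are placeholders, and it assumes WinBox over MAC is available for the first connection after the reset.

```routeros
# Added example (RouterOS 6.4x CLI), not from the thread: a switch built from
# nothing, with the account and service hardening rextended lists. Assumed:
# WinBox over MAC for the first session (there is no IP address at first),
# mesh side 192.168.88.0/24 with gateway/NTP/DNS at .254, and "tower-ops"
# plus its password as placeholders to replace.

# 1. Wipe the defconf entirely (no default bridge, no default firewall).
#    The device reboots; reconnect over MAC afterwards.
/system reset-configuration no-defaults=yes skip-backup=yes

# 2. First thing after the reboot: your own full-rights account, then the
#    built-in "admin" is disabled. Avoid a second default-looking name.
/user add name=tower-ops group=full password="replace-with-a-long-passphrase"
/user disable admin

# 3. One bridge, every port on it, address and gateway on the bridge.
/interface bridge add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip address add address=192.168.88.2/24 interface=bridge
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.254
/ip dns set servers=192.168.88.254

# 4. Clock: without NTP the log dates stay at 1970, as the export header in
#    this thread shows. RouterOS 6 takes the NTP server as an address.
#    UTC keeps log times comparable across nodes; use a local zone if preferred.
/system clock set time-zone-name=UTC
/system ntp client set enabled=yes primary-ntp=192.168.88.254

# 5. Services: only what is actually used for management, only from the bridge.
/ip service disable [find name!=ssh && name!=winbox]
/interface list add name=LAN
/interface list member add list=LAN interface=bridge
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool bandwidth-server set enabled=no
/system identity set name=tower-switch

# 6. Verify before closing the session.
/user print
/ip service print
```

Run step 2 before anything that makes the device reachable over IP, since immediately after a no-defaults reset "admin" still has an empty password. Keep the MAC-based WinBox session open until `/user print` shows your account enabled and "admin" disabled.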
 
jaclaz
Forum Guru
Posts: 1459
Joined: Tue Oct 03, 2023 4:21 pm

Re: Can a PowerBOX RB750P-PBr 2 do this?

Wed Jul 17, 2024 11:13 am

The link I posted earlier:
viewtopic.php?t=203686#p1051720
is the set of instructions to retrieve and post on the forum the export of your configuration (for review by other members).

The default firewall rules are usually just fine, but depending on the specific use of the device, they (or at least a part of them) might be either unneeded or (rare case) preventing something from working the way you need/want. If the use is just that of a "dumb" or "almost dumb" switch they shouldn't be a problem.

Depending on the exact way/sequence you did the changes, the previous DHCP settings may have become sort of "orphaned" (it can happen, sort of pulling the rug from under someone's feet). When this happens you will notice that some lines contain references to items starting with an asterisk, like *4 or *B. This is not a problem, it is only a way for RoS to show that something is not "right", but it is better to check and remove those occurrences (if any), to have everything "clean".

If the use is just that of a switch, you can remove all IP addresses (and then connect to the device via WinBox through MAC) or have anyway (as said, much better/safer) a dedicated port for management out of the bridge, with an IP address in a different network than the one you use.

Then - as always - the advice by rextended is sound. Besides some added security, I would highlight particularly the importance of setting up NTP properly, so that when/if you need to access logs the entries will have the correct date/time, not a 1970 date.

Unless you invite anav's three friends (tom, dick and harry) :wink:
viewtopic.php?p=1085975&#p1085975
you shouldn't need to overdo it with security provisions, that may backfire and become an obstacle in accessing the router/switch for management; sometimes too much of a good thing is just too much. I still believe that if "they" are after you, "they" can get you.
 
pe1chl
Forum Guru
Posts: 10486
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can a PowerBOX RB750P-PBr 2 do this?

Wed Jul 17, 2024 12:04 pm

If I understand the scenario correctly, the best is to use the switch combined with a couple of VLANs.
This is how we do it in our HAMNET installations as well. We use different makes and models of switches, but all MikroTik routers.
When there is some tower or platform with antennas, we have the router inside and some PoE switch outside.
Between the router and switch a VLAN trunk is used, with a separate VLAN for each antenna.
So the outdoor switch is configured with some VLANs which are "tagged" on the cable to the router, and "untagged" on the ports where the links are connected.
In the router a port is configured with those tagged VLANs. That way you have a dedicated (VLAN) interface for each of your antennas, and still a single cable or fiber to inside.

In some MikroTik equipment it is best to configure all that in the "switch" menu; in newer types you can just do it in the "bridge" and it will magically configure the switch chip so it still does it all in hardware (without CPU attention).
The firewall rules for "forward" are not used when the MikroTik is used as a switch. Only the "input" rules are used, and only for access to the management of the device. So you can put some protection against unwanted logins there. It will not affect the traffic being passed from inside to/from the link radios.
 
kf7yrs
just joined
Topic Author
Posts: 3
Joined: Sun Jul 14, 2024 12:52 am

Re: Can a PowerBOX RB750P-PBr 2 do this?

Wed Jul 17, 2024 9:53 pm

Here is the configuration file.
# jan/02/1970 02:27:55 by RouterOS 6.48.6
# software id = 
#
# model = RB750Pr2
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
jaclaz
Forum Guru
Posts: 1459
Joined: Tue Oct 03, 2023 4:21 pm

Re: Can a PowerBOX RB750P-PBr 2 do this?

Thu Jul 18, 2024 11:27 am

Yep, it is more or less as it was expected to be: date/time not updated, an (irrelevant) error on the DHCP client, a few unneeded/unused configuration lines.

It is up to you which (if any) of the previous suggestions you want to implement. Taking a port out of the bridge and setting it for management only makes a lot of sense if the device is easily accessible, i.e. you can insert an ethernet cable into it; if it is mounted up a pole or on a roof, the "right" thing to do (from a good security practice viewpoint) would be to add a management VLAN.

Not exactly easy-peasy, but doable, check:
viewtopic.php?t=189555

DO NOT use VLAN 1.

I would still temporarily take a port out of the bridge to make sure you don't lock yourself out when configuring the VLAN, see:
viewtopic.php?t=164774
 
pe1chl
Forum Guru
Posts: 10486
Joined: Mon Jun 08, 2015 12:09 pm

Re: Can a PowerBOX RB750P-PBr 2 do this?

Thu Jul 18, 2024 11:34 am

We normally have the device management on untagged (default VLAN) and all traffic is on other VLANs (tagged).
So you can still manage it from a cable plugged in port 1 (also via the router where that is normally plugged in).

So there is a "bridge" configuration with an IP address assigned to "bridge" as well, some "bridge VLAN" configurations, and some "bridge ports" with a PVID set each to a different VLAN. Quite easy, but everything is easy once you've got the hang of it.
It always requires some study and hairpulling to get things running.
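The VLAN layout pe1chl describes (one VLAN per antenna, tagged on the single cable to the building, untagged on each radio port), combined with jaclaz's management-VLAN advice (no VLAN 1, and a port left out of the bridge so a mistake does not lock you out), as RouterOS 6.4x bridge-VLAN commands. This is an added example, not configuration from either poster or from a HAMNET/AREDN site; the VLAN ids 10/20/30/99, the addresses 10.99.0.2/24, 10.99.0.1 and 192.168.200.1/24, and the choice of ether5 as the recovery port are all assumptions.

```routeros
# Added example (RouterOS 6.4x CLI), not from the thread. Assumed: a PowerBOX
# with ether1 = trunk to the router/building, ether2-4 = one AREDN radio each,
# ether5 kept OUT of the bridge as an untagged recovery port. VLAN ids 10/20/30
# for the radios, 99 for management, and all addresses are placeholders.

# 0. Before touching VLANs: back up, and work from the recovery port or in
#    safe mode (Ctrl-X in the terminal) so a mistake does not lock you out.
/system backup save name=pre-vlan

# 1. The bridge. vlan-filtering stays off until the VLAN table is complete.
/interface bridge
add name=bridge vlan-filtering=no

# 2. Ports. Each radio port is an access port for its own VLAN (pvid) and
#    drops anything arriving tagged; ether1 is the trunk and accepts only
#    tagged frames for VLANs it has been told about (ingress-filtering).
/interface bridge port
add bridge=bridge interface=ether1 ingress-filtering=yes \
    frame-types=admit-only-vlan-tagged
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=20 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether4 pvid=30 ingress-filtering=yes \
    frame-types=admit-only-untagged-and-priority-tagged

# 3. VLAN table: each radio VLAN is tagged on the trunk only and untagged on
#    one radio port. Management VLAN 99 is tagged on the trunk and on
#    "bridge" itself so the CPU is reachable on it. VLAN 1 is not used.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=ether1 untagged=ether2
add bridge=bridge vlan-ids=20 tagged=ether1 untagged=ether3
add bridge=bridge vlan-ids=30 tagged=ether1 untagged=ether4
add bridge=bridge vlan-ids=99 tagged=ether1,bridge

# 4. Management address on a VLAN interface on top of the bridge, plus the
#    recovery port in a different network.
/interface vlan
add name=mgmt interface=bridge vlan-id=99
/ip address
add address=10.99.0.2/24 interface=mgmt
add address=192.168.200.1/24 interface=ether5
/ip route
add dst-address=0.0.0.0/0 gateway=10.99.0.1

# 5. Which interfaces may reach the device at all: mgmt and recovery only.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=mgmt
add list=MGMT interface=ether5
/ip neighbor discovery-settings set discover-interface-list=MGMT
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT

# 6. Firewall: bridged traffic between radios and trunk never enters the IP
#    "forward" chain while use-ip-firewall=no (the default), so only "input"
#    matters here, and it only guards logins to the device itself.
/interface bridge settings set use-ip-firewall=no
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input in-interface-list=MGMT action=accept
add chain=input action=drop comment="anything not from mgmt/recovery"

# 7. Last, and only once the router end of the trunk also carries VLAN 99:
/interface bridge set bridge vlan-filtering=yes
```

Two practical checks. After step 7, `/interface bridge port print` shows whether each port still has the H (hardware offload) flag; on RouterOS 6 bridge VLAN filtering is offloaded only on the CRS3xx switch chips, so on an RB750Pr2 expect switching to move to the CPU, which is the reason pe1chl mentions doing it in the "switch" menu on some models. And the two layouts in this thread differ only in how management reaches the CPU: for pe1chl's untagged variant, leave ether1 at `frame-types=admit-all` with the default pvid, skip the `mgmt` VLAN interface and put the address on `bridge` directly; the example above follows jaclaz's tagged-management, no-VLAN-1 variant.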
