nohup
newbie
Topic Author
Posts: 28
Joined: Fri Nov 03, 2023 1:52 am

winbox, managing TWO mikrotik routers in cascade

Tue Jun 10, 2025 6:30 pm

Hello, I've got 2 MikroTik routers, the second attached to the first, and I would like to make it work as a (completely passive) switch + wifi access point.
I can always see and manage the main router from Winbox, but not the second router. It does not even appear on the list.
My main router has some eth ports dedicated to specific subnets, and the ethernet port I use for my second router is one of them. If I attach the second router to its proper eth port then it's not shown in Winbox, while if I attach it to a wrong eth port then it suddenly appears, but with messed up IP leases etc.
Does anyone know what configuration is required to make MikroTik devices always discoverable? Maybe command line arguments to launch Winbox with? Some configuration file?
Or in other words, under what circumstances does Winbox not show one or more of the devices in the local network?
 
anav
Forum Guru
Posts: 23825
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: winbox, managing TWO mikrotik routers in cascade

Tue Jun 10, 2025 6:58 pm

First of all, assuming you are using vlans please read this reference: viewtopic.php?t=143620

One bridge for each device.
The second device gets its IP from the management vlan.
Only the management vlan needs to be identified.
Only the management vlan is tagged on the bridge in the /interface bridge vlan settings.

The best thing for you to do is show your requirements:
a. identify all the users/devices (internal, external, including admin)
b. identify what traffic flow each requires
c. provide a network diagram of the equipment being used, ports, vlans etc...

Lastly, after creating a plan and attempting a config, post it here for review:
/export file=anynameyouwish (minus router serial number, any public WAN IP information, keys)
 
mkx
Forum Guru
Posts: 13812
Joined: Thu Mar 03, 2016 10:23 pm

Re: winbox, managing TWO mikrotik routers in cascade

Tue Jun 10, 2025 7:56 pm

I can always see and manage the main router from winbox, but not the second router. It does not even appear on the list.

Winbox builds the list of compatible devices using broadcast packets. The problem is that this only works inside the same IP subnet (i.e. a switched ethernet network). But you have a router between your management PC and the second device, which blocks broadcast traffic.

The other possibility is to (manually) enter the IP address of the second MT device. This way Winbox connectivity may work, but with a few limitations:
  • you have to know the device's IP address ... which can be a PITA if it's not static
  • if there's a firewall set up on the first router, it has to allow Winbox traffic between the management PC and the second device
  • the second MT device needs its IP properly set up (including a default route)
  • if the second device runs a firewall, it has to allow the Winbox (over IP) connection from the management PC
The third possibility is to use RoMON. I don't have experience with it, but AFAIK it should be fairly easy to set up; most of the setup is on the first (router) device.
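The manual-IP path listed above, written out as RouterOS CLI. This is an added example, not config from the thread; it assumes the second router's uplink port ether1 is bridged (so it behaves as the passive switch the OP wants), that the main router is 192.168.2.1 on that segment, that the second router gets the static address 192.168.2.2, and that the management PC lives in 192.168.0.0/24.

```routeros
# ===== SECOND router (assumed values) =====
# Put the uplink into the bridge so the box is a plain switch + AP,
# then give the bridge a fixed management address and a default route.
/interface bridge port
add bridge=bridge interface=ether1 comment="uplink to main router (assumed)"
/ip address
add address=192.168.2.2/24 interface=bridge comment="mgmt address (assumed)"
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 comment="via main router (assumed)"
# The defconf input chain ends with "drop all not coming from LAN".
# Admit Winbox (tcp/8291) only from the management subnet, placed before that drop.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address=192.168.0.0/24 comment="winbox from mgmt subnet only" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# ===== MAIN router (assumed values) =====
# Allow the routed Winbox session from the management subnet to the
# second router only; anything else between the subnets stays as it was.
/ip firewall filter
add chain=forward action=accept protocol=tcp dst-port=8291 \
    src-address=192.168.0.0/24 dst-address=192.168.2.2 \
    comment="winbox mgmt PC -> second router"

# Check from the second router that the default route is active and
# that the rule counters move when you open Winbox to 192.168.2.2.
/ip route print where dst-address=0.0.0.0/0
/ip firewall filter print stats where dst-port=8291
```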
 
nohup
newbie
Topic Author
Posts: 28
Joined: Fri Nov 03, 2023 1:52 am

Re: winbox, managing TWO mikrotik routers in cascade

Tue Jun 10, 2025 8:04 pm

Thank you Anav, but no, I'm not using any vlans. I only need the main MikroTik router to manage everything, including subnets on different ports. Before having the 2nd MikroTik router in cascade I had an Asus ax88u, in which I disabled the DHCP server and set it as a plain access point. I replaced that Asus with a hAP ax2 and I only need it to act as a passive switch + access point. Anything that is connected there is supposed to end up on the subnet provided by the specific ethernet port of the main router.

I have this configuration at the moment, but I'm constantly changing here and there as the connection isn't stable. At one moment the attached devices have local LAN connectivity (but not internet, for reasons); at other times not even the local LAN is available. At this moment I'm not sure if it's just a DNS problem or what. Please have a look at these lines and tell me if there's something obviously wrong that prevents Winbox from discovering my second router. This configuration is from the second router; the first (main) router is OK, as it already works with any switches or routers in access point mode. The specific subnet is 192.168.2.X, the main subnet is 192.168.0.X; please note that I use Winbox from a PC in the main subnet. It's entirely possible, as far as I know, that THIS is the reason I cannot see the other router in Winbox, because they are on different subnets.
# 1970-01-02 13:41:57 by RouterOS 7.16.2
# software id = 64Q3-N3T4
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=Italy .mode=ap .ssid=password_5G security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=Italy .mode=ap .ssid=password datapath.bridge=bridge disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption="" .ft=yes .ft-over-ds=yes .sae-pwe=hunting-and-pecking
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=sec1
/ip pool
add name=default-dhcp ranges=192.168.2.10-192.168.2.254
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.2.1/24 comment=defconf interface=wifi2 network=192.168.2.0
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1
add comment=test interface=bridge
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system identity
set name="MikroTik 2"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Amm0
Forum Guru
Posts: 4963
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: winbox, managing TWO mikrotik routers in cascade  [SOLVED]

Tue Jun 10, 2025 8:12 pm

The third possibility is to use RoMON. I'm don't have experience with it, but AFAIK it should be fairly easy to set up, most of setup is on first (router) device.
I kinda think long-term it'd be better to get the routing/VLANs set up between the two routers. But RoMON is handy, and your description is kinda the main use case.

So enabling RoMON still helps if one did try to set up VLANs, since you can use RoMON to get back in even if you FUBAR the config.

RoMON setup is simple:
1. on BOTH/more routers enable RoMON in Tools > RoMON
2. optional: you can set a secret, but if you do it should be the same on both. Note: since RoMON itself only transports things, the secret only "hides" the existence/capabilities of a device — authentication always uses the same winbox protocol
3. optional: in the same RoMON dialog you can configure what interfaces to use; by default it's all interfaces if RoMON is enabled. Note: RoMON is not IP, so it cannot go over the internet, so being "all" is not as bad as it seems... still, you likely want to "forbid" your WAN interface. RoMON is done backwards, so you "forbid" an interface, not allow

To use it, you use winbox to select your 1st router but instead of "Login" use "Connect to RoMON". If you don't see the "Connect to RoMON" button, you may have to enable "Advanced" in the winbox menubar. At this point, you'll still be in the winbox login but the "neighbors" are from RoMON, and should include your 2nd router in that list. You can then provide the 2nd router's user/passwd after selecting it from "RoMON Neighbors" and you'll be connected to winbox on the 2nd router.

Essentially the 1st router just "proxies" the winbox protocol to the RoMON-connected router, even across multiple hops, since it builds its own spanning tree. Internally it uses a different L2 ether-type, so it does not care about IP addresses or firewalls.
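The three steps above as RouterOS CLI (the equivalent of the Tools > RoMON dialog). This is an added example, not config from the thread; the secret, the WAN port name ether1 and the management subnet 192.168.0.0/24 are assumptions.

```routeros
# ===== On BOTH routers =====
# Step 1 + 2: enable RoMON with one shared secret. The secret only hides
# the device from RoMON peers that lack it; Winbox login is unchanged.
/tool romon
set enabled=yes secrets=change-me-shared-secret

# ===== On the MAIN router only (assumed values) =====
# Step 3: RoMON runs on every port unless a port is forbidden, so exclude
# the uplink/WAN port explicitly (the ISP side never needs RoMON frames).
/tool romon port
add interface=ether1 forbid=yes comment="no RoMON towards WAN (assumed port)"
# Winbox over IP still terminates on this router; keep it reachable from
# the management subnet only, since it is now the hop into RoMON.
/ip service
set winbox address=192.168.0.0/24

# Verification from the main router: the second router should be listed,
# then answer a RoMON ping (substitute the RoMON ID printed by discover).
/tool romon discover
/tool romon ping id=<romon-id-of-second-router>
```

The `/tool romon port` entry is only needed where a port should be excluded; with no entries, every interface participates, which is what Amm0 means by "forbid, not allow".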
 
nohup
newbie
Topic Author
Posts: 28
Joined: Fri Nov 03, 2023 1:52 am

Re: winbox, managing TWO mikrotik routers in cascade

Wed Jun 11, 2025 5:01 pm

Thank you all, Amm0/Mkx your romon suggestion was perfect!
 
anav
Forum Guru
Posts: 23825
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: winbox, managing TWO mikrotik routers in cascade

Thu Jun 12, 2025 3:59 am

You do know AMMO, that romon is an anagram................ ;-)