Here is the config file:
# 2024-04-07 01:28:49 by RouterOS 7.14.2
# software id = BKEZ-7BGA
#
# model = CRS305-1G-4S+
# serial number = B9EA-------
#
# The "NOTE(review)" lines below were added while reviewing this export; they
# are comments only and do not change any configuration statement.
#
# Interface roles as described by the poster: ether1 = management (VLAN 254,
# 10.0.254.0/24), sfp-sfpplus1 = WAN (address from the provider via DHCP),
# sfp-sfpplus2 = LAN link to an L3 switch (172.16.255.0/30), sfp-sfpplus3/4
# unused and disabled.
/interface bridge
# Bridge "local" has a single member port (sfp-sfpplus2, see /interface bridge
# port below) and carries the 172.16.255.1/30 address toward the L3 switch.
add dhcp-snooping=yes igmp-snooping=yes igmp-version=3 mtu=1500 \
multicast-querier=yes name=local priority=0xB000
/interface ethernet
# Jumbo L2 MTU on the management port and the two in-use SFP+ ports.
set [ find default-name=ether1 ] l2mtu=9216
set [ find default-name=sfp-sfpplus1 ] advertise="100M-baseT-half,100M-baseT-f\
ull,1G-baseT-half,1G-baseT-full,1G-baseX,2.5G-baseT,2.5G-baseX,10G-baseT,1\
0G-baseSR-LR,10G-baseCR" l2mtu=9216
set [ find default-name=sfp-sfpplus2 ] l2mtu=9216
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
/interface list
# listBridge is used below for neighbor discovery and MAC-server access; its
# members are the bridge "local" and ether1.
add name=listBridge
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
# Serial console port.
set 0 name=serial0
/interface bridge port
# sfp-sfpplus2 is the only member of "local". dhcp-snooping is enabled on the
# bridge and no port is marked trusted=yes, so DHCP server replies entering
# through this port would be dropped - harmless unless a DHCP server sits
# behind the L3 switch, TODO confirm.
add bridge=local interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/interface list member
add interface=local list=listBridge
add interface=ether1 list=listBridge
/ip address
# Point-to-point /30 toward the L3 switch (172.16.255.2 on the far end) and the
# management address on VLAN 254.
add address=172.16.255.1/30 comment="router port" interface=local network=\
172.16.255.0
add address=10.0.254.88/24 interface=ether1 network=10.0.254.0
# NOTE(review): no /ip route section appears in this export. Only the directly
# connected subnets (10.0.254.0/24 on ether1, 172.16.255.0/30 on "local") are
# routable from this router; return traffic to any other subnet behind the L3
# switch (the SVIs reached via 172.16.255.2) has no route unless one exists
# outside this export - presumably the cause of the symptom described, TODO
# confirm with `/ip route print`.
/ip dhcp-client
# WAN address obtained from the provider on sfp-sfpplus1.
add interface=sfp-sfpplus1
/ip firewall filter
# NOTE(review): only the input chain is defined. RouterOS chains accept by
# default, so anything not matched by a rule below is accepted, and the forward
# chain (traffic routed between ether1, "local" and sfp-sfpplus1) has no rules
# at all - only the srcnat masquerade in /ip firewall nat touches it. A
# baseline forward chain (drop invalid, accept established/related, drop new
# connections entering from sfp-sfpplus1) would keep the WAN side from
# initiating connections into either internal segment.
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="accept established,related" \
connection-state=established,related
add action=accept chain=input in-interface=ether1 protocol=icmp
# Management from VLAN 254 (ether1): SSH on 2222 (see /ip service), WWW, WinBox.
# NOTE(review): tcp/80 is plaintext HTTP management; www-ssl is not configured
# in this export.
add action=accept chain=input comment="accept SSH mgmt" dst-port=2222 \
in-interface=ether1 protocol=tcp
add action=accept chain=input comment="accept WWW mgmt" dst-port=80 \
in-interface=ether1 protocol=tcp
add action=accept chain=input comment="accept WinBox mgmt" dst-port=8291 \
in-interface=ether1 protocol=tcp
# SSH is also accepted from the WAN side (sfp-sfpplus1).
add action=accept chain=input comment="allow SSH" in-interface=sfp-sfpplus1 \
port=2222 protocol=tcp
# NOTE(review): this final drop applies to sfp-sfpplus1 only. Packets arriving
# on ether1 or on bridge "local" that match none of the accepts above fall
# through to the default accept, so the three "mgmt" accept rules for ether1
# do not restrict anything, and every enabled service is reachable from the
# "local" side without any rule. A closing `add action=drop chain=input` after
# the explicit accepts would make the rules above effective; keep console
# (serial0) access available when applying it.
add action=drop chain=input comment="block everything else" in-interface=\
sfp-sfpplus1
/ip firewall nat
# Everything leaving via sfp-sfpplus1 is source-NATed to the WAN address;
# nothing limits which source subnets are masqueraded.
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
/ip service
# telnet, ftp, api and api-ssl are disabled; ssh is moved to 2222. www (80)
# and winbox (8291) keep their defaults (unchanged lines are not exported),
# and no service carries an address= restriction, so reachability is governed
# solely by the input chain above.
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
set api-ssl disabled=yes
/ipv6 dhcp-client
# Requests a delegated prefix from the provider into pool ipv6-general.
# NOTE(review): no /ipv6 firewall filter appears in this export; if a prefix is
# delegated and later assigned to hosts behind "local", they would be globally
# reachable with no inbound filtering - TODO confirm whether IPv6 is in use.
add interface=sfp-sfpplus1 pool-name=ipv6-general request=prefix
/ipv6 nd
set [ find default=yes ] interface=local
/system clock
set time-zone-name=America/Chicago
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
# Four external NTP servers addressed by IP (plain, unauthenticated NTP).
add address=50.218.103.254
add address=138.236.128.36
add address=204.17.205.8
add address=192.48.105.15
/system routerboard settings
# Dual-boot device: RouterOS selected over SwOS.
set boot-os=router-os
/system swos
set identity=MikroTik
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-telnet and MAC-WinBox are reachable at layer 2 from listBridge, i.e. from
# both bridge "local" and ether1 (see /interface list member above).
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
What I want to do is make ether1 the management port: access WWW, SSH, and WinBox on VLAN 254 (10.0.254.0/24); I gave it the IP 10.0.254.88. It's connected to a switch port set to access mode for VLAN 254.
sfp-sfpplus1 I want to use it for "WAN" traffic. I am getting DHCP from my provider.
sfp-sfpplus2 I want to use for "LAN" traffic. I assigned it 172.16.255.1/30; on the other end of that link is an L3 switch port that has been assigned IP 172.16.255.2/30, and the L3 switch also holds all the SVIs.
As of right now, any host on VLAN 254 can get out to the internet; I think all of that traffic is going through ether1.
From the config console of the L3 switch, I can ping 1.1.1.1, but hosts on any other VLAN can't reach 1.1.1.1 — they can only reach their own gateway and the other VLAN subnets.
Here is a screenshot from a host on VLAN 254 running a speed test. As you can see, one interface carries the inbound traffic and the other interface carries the outbound traffic.
Any help/suggestion would be greatly appreciated.