Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Need help with ether3

Mon Oct 24, 2022 6:56 pm

I have a Hex connected on Ether1 to the FIOS ONT. And, a CSS324 connected to Ether2. All is working great.

I would like to connect FIOS router to Ether3 just to provide internet access for the set top boxes (connected to the FIOS router via coax).

The main LAN (all of CSS324) is 192.168.2.x

I thought I would make the FIOS router 192.168.30.1/24 and Hex's Ether3 192.168.30.2/24

I just want to keep all 192.168.30.x traffic off of the switch.

Can someone please help?

Thanks!
 
Buckeye
Long time Member
Posts: 566
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Need help with ether3

Thu Oct 27, 2022 3:01 am

When posting, you need to think more like a successful fisherman, and use enticing bait instead of dangling an empty hook into the water and expecting to get any nibbles.

You have provided insufficient information. You haven't even included a link to your previous post that at least has some information about your setup.

Some questions. Does the "FIOS router" need to have a direct connection to the L2 network the FIOS ONT provides?

Or does it work in the configuration you posted here?

What have you tried? What was your expectation and how was it different than the result?

What resources have you studied? Have you skimmed the official documentation? used Google to search? Watched youtube videos?

Some recommendations for adding bait to your request for help post follow:

A quote from George Pólya's book How To Solve It "It is foolish to answer a question that you do not understand. It is sad to work for an end that you do not desire."
So be sure to give enough information so we understand the problem and your requirements. And avoid the XY problem.
See Getting Answers and How to Report Bugs Effectively
@anav's New User Posting For Assistance
Getting the most out of this forum
 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Need help with ether3

Thu Oct 27, 2022 11:05 am

Buckeye,

I am deeply grateful for your help.

Here is what I am trying to accomplish (although there very well might be a smarter goal to have that I am not aware of):

I have a FIOS ONT that has coax for TV and twisted-pair/ethernet for data.

The Verizon router (G3100) needs to have both a coax connection (to communicate data (TV guide/listing/etc.) to the TVs) and an ethernet connection to the Internet.

The ONT is connected to a hex via ethernet. The hex to a CSS326.

On the network are a bunch of cable boxes (getting IP addresses via DHCP from the G3100), a bunch of TVs, an AV receiver, Roku boxes, printers, a doorbell (Comelit), a Home Assistant server, a couple of Windows workstations, a Unifi AUP-AC AP, Xbox, Playstation, and 2 Vonage modems.

There is no VLAN set up, and I'm just now playing with port isolation making the G3100 able to communicate solely with the port on the switch that the hex is on.

Right now, everything works well (thanks to your help and others here!).

I'm curious and eager to learn and improve the network.

My thinking is that the G3100 does not need to communicate with anything else on the LAN (the set top boxes communicate on the coax), so why not isolate it and reduce traffic. At first I thought VLANs were the way to go (and I still suspect it is), but I failed at following yours and others' guidance to get it working. So I played with port isolation. But I see (Wireshark) that port isolation is still allowing broadcast/multicast traffic across.

So, I thought maybe move the G3100 to its own port on the hex. Then I wondered if maybe I should put the AP on its own hex port -- for the purposes of improving performance.

Then I'm wondering if other devices should be "isolated" in some way, such as the vonage modems, receiver, TV, etc.

I have watched loads of videos, read tons of articles and posts, and my understanding is increasing daily.

Thank you for your patience.
 
Buckeye
Long time Member
Posts: 566
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Need help with ether3

Fri Oct 28, 2022 5:48 am

I'm sorry, I still don't understand how things are connected, and what role the G3100 plays. In the diagram you did post here, you show only a single connection to the G3100 (no cables connected to anything but the CSS326).

If you are an "extra class ham also and have been in tech for 30 years", haven't you ever had to deal with poor problem reports and troubleshooting? Specific details and a precise problem description will help you get an answer.

Maybe I am using too much jargon. When I asked 'Does the "FIOS router" need to have a direct connection to the L2 network the FIOS ONT provides?', I meant "does the G3100 have to be connected to the same local area network and subnet that the FIOS ONT provides? In other words, does the G3100 expect to get its IP address via DHCP directly from the ISP?"

You stated "Right now, everything works well". So what problem are you trying to fix? You state "So, I thought maybe move the G3100 to it's own port on the hex. Then I wondered if maybe I should put the AP on it's own hex port -- for the purposes of improving performance." Can you explain why you think that would improve performance? If you can't, don't change anything until you can.

I see no reason to make changes without having some good reason, and with a good expectation that the change will have the desired outcome. How To Solve It

I also don't generally recommend using your primary router to learn with. Much better to get a dedicated router or use GNS3 or EVE-ng to emulate routers to play with. The Network Berg has some good intro videos
New to MikroTik? An introduction for you!
EVE-NG Videos playlist

Since I am evidently not communicating clearly, perhaps there is someone else that is a better mind reader than I am that can assist you.

I expected you to post more info, like your /export on the hex and the CSS326. And an up to date diagram.

From your response, it isn't clear to me that you even looked at any of the links I posted.
Last edited by Buckeye on Fri Oct 28, 2022 10:21 pm, edited 1 time in total.
 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Need help with ether3

Fri Oct 28, 2022 3:12 pm

I am doing the best I can -- and will continue to try as hard as possible to make it easier for you to help me. I am grateful.

"what role the G3100 plays."

The G3100 is the Verizon router. It provides data (such as TV listings) to the set top boxes. It connects using TCP/IP to the STBs via coax. It needs to have Internet access to get the data needed by the STBs, and therefore has an ethernet connection on one of its switch ports (not a WAN port). I gave it a static IP of 192.168.2.1 (for the LAN or switch side).

It does not need to be on the same subnet, nor does it need any communication with any other device on my LAN (except for management purposes which would be nice). It only needs Internet access.

"So what problem are you trying to fix?"

With the G3100 on the same subnet as all my other devices (and no VLANs set up), all broadcast/multicast traffic is heard by all devices. Further, all traffic between the G3100 and the Internet is going through the same CSS326 switch as all other Internet-bound traffic. My thinking is that isolating the broadcast/multicast traffic, and removing from the CSS326 the traffic between the G3100 and the Internet might improve performance a little.

On the back burner is still creating VLANs for media/entertainment devices such as TVs, Rokus, etc. in order to reduce the broadcast/multicast traffic and improve security.

"I also don't generally recommend using your primary router to learn with."

That makes perfect sense. I actually bought the Hex as an interim router until the RB5009s are available.

I was thinking about buying a HAP ax3 to experiment with and then deploy as an AP (I'm not clear if it also runs RouterOS and functions as a router).

I understand how it looks like I haven't tried to learn this, but I have. I've watched a ton of videos.

"Since I am evidently not communicating clearly, perhaps there is someone else that is a better mind reader than I am that can assist you."

I apologize for it feeling like you have to read my mind. I will work harder to be clearer.

I attach the hex export and various CSS326 screen shots, as well as a current diagram.
# oct/28/2022 07:56:11 by RouterOS 6.49.7
# software id = C3RH-692B
#
# model = RB750Gr3
# serial number = 
/interface bridge
add name=Bridge-Port3
add admin-mac=111111111 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1w3d name=\
    defconf
/ppp profile
set *FFFFFFFE bridge-learning=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.2.2/24 comment=defconf interface=bridge network=\
    192.168.2.0
add address=192.168.30.2/24 interface=ether3 network=192.168.30.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.2 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.2.2 comment=defconf name=router.lan
/ip firewall address-list
add address=11111.dyndns.org list=WAN
add address=192.168.2.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment=\
    "NEW defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="NEW defconf: accept ICMP" protocol=\
    icmp
add action=drop chain=input comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment=NEW in-interface-list=LAN
add action=drop chain=input comment="NEW drop all else"
add action=fasttrack-connection chain=forward comment=\
    "NEW defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
    "NEW defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="NEW allow port forwarding" \
    connection-nat-state=dstnat log=yes
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="NEW defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=NEW
/ip firewall mangle
add action=mark-connection chain=prerouting comment=\
    "Mark connection for hairpin NAT" dst-address-list=WAN \
    new-connection-mark="Hairpin NAT" passthrough=yes src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark=\
    "Hairpin NAT"
add action=masquerade chain=srcnat comment="NEW defconf: masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=192.168.2.176 dst-port=8123 log=\
    yes protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 8123" disabled=yes dst-address=\
    192.168.2.176 dst-port=8123 protocol=tcp to-addresses=192.168.2.176
add action=src-nat chain=srcnat comment="new 5800" disabled=yes dst-port=5800 \
    protocol=tcp to-addresses=192.168.2.22
add action=src-nat chain=srcnat comment="new 5900" disabled=yes dst-port=5900 \
    protocol=tcp to-addresses=192.168.2.22
add action=dst-nat chain=dstnat comment="PORT FWD:  8123" dst-address-list=\
    WAN dst-port=8123 protocol=tcp to-addresses=192.168.2.176 to-ports=8123
/ip route
add disabled=yes distance=1 gateway=192.168.2.1
/system clock
set time-zone-name=America/New_York
/system identity
set name=RouterOS
/system ntp client
set enabled=yes primary-ntp=216.239.35.4 secondary-ntp=104.16.132.229
/system scheduler
add interval=1h name=Daily on-event=dyndns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/18/2022 start-time=02:00:00
/system script
add dont-require-permissions=no name=DynDNS owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Set needed variables\r\
    \n\t:local username \"11111r\"\r\
    \n\t:local clientkey \"111118bc3\"\r\
    \n\t:local hostname \"11111.dyndns.org\"\r\
    \n\r\
    \n\t:global dyndnsForce\r\
    \n\t:global previousIP\r\
    \n\r\
    \n# get the current IP address from the internet (in case of double-nat)\r\
    \n\t/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" ds\
    t-path=\"/dyndns.checkip.html\"\r\
    \n\t:delay 1\r\
    \n\t:local result [/file get dyndns.checkip.html contents]\r\
    \n\r\
    \n# parse the current IP result\r\
    \n\t:local resultLen [:len \$result]\r\
    \n\t:local startLoc [:find \$result \": \" -1]\r\
    \n\t:set startLoc (\$startLoc + 2)\r\
    \n\t:local endLoc [:find \$result \"</body>\" -1]\r\
    \n\t:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
    \n\t:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
    \n\r\
    \n# Remove the # on next line to force an update every single time - usefu\
    l for debugging,\r\
    \n# but you could end up getting blacklisted by DynDNS!\r\
    \n\r\
    \n#:set dyndnsForce true\r\
    \n\r\
    \n# Determine if dyndns update is needed\r\
    \n# more dyndns updater request details https://help.dyn.com/remote-access\
    -api/perform-update/\r\
    \n\t:log info \"UpdateDynDNS: previousIP = \$previousIP\"\r\
    \n\t:if (\$dyndnsForce = true) do={ :log warning \"UpdateDynDNS: Forced up\
    date on\" }\r\
    \n\r\
    \n\t:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
    \n\t\t:set dyndnsForce false\r\
    \n\t\t:set previousIP \$currentIP\r\
    \n\r\
    \n\t\t/tool fetch mode=https \\\r\
    \n\t\turl=\"https://\$username:\$clientkey@members.dyndns.org/v3/update\?h\
    ostname=\$hostname&myip=\$currentIP\" \\ \r\
    \n\t\tdst-path=\"/dyndns.txt\"\r\
    \n\r\
    \n\t\t:delay 1\r\
    \n\t\t:local result [/file get dyndns.txt contents]\r\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns update needed\")\r\
    \n\t\t:log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
    \n\t\t:put (\"Dyndns Update Result: \".\$result)\r\
    \n\t} else={\r\
    \n\t\t:log info (\"UpdateDynDNS: No dyndns update needed\")\r\
    \n\t}"
/tool graphing interface
add interface=bridge
add interface=bridge
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon1
network-diagram.jpg
css326-link.jpg
css326-igmp.jpg
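For the goal stated in the first post (the G3100 on ether3 in 192.168.30.0/24 with no path to the main LAN), an added example applied on top of the export above; it is not code from this thread or from MikroTik, and the interface list name STB and the "STB:" rule comments are my own choices. It starts by taking ether3 out of the bridge, because the export still lists ether3 as a bridge port while also giving it the 192.168.30.2/24 address, and an address on a bridge slave port is not usable.

```routeros
# Added example (not from the thread or from MikroTik): make ether3 a routed,
# isolated port for the G3100 on 192.168.30.0/24, on top of the export above.
# Assumed names: interface list "STB" and rule comments prefixed "STB:".

# 1. ether3 is still a bridge port in the export, so its 192.168.30.2/24
#    address cannot work. Remove it from the bridge; the existing
#    "/ip address" entry for ether3 then applies to the routed port.
/interface bridge port remove [find interface=ether3]

# 2. Give ether3 its own interface list. It is deliberately NOT added to
#    LAN, so the export's "in-interface-list=LAN" accept rules (input and
#    forward) do not cover it.
/interface list add name=STB
/interface list member add interface=ether3 list=STB

# 3. Forward chain. Order matters: the export accepts established/related
#    first, then LAN->WAN, then "NEW defconf: drop invalid" and a final drop.
#    The STB rules are placed just before "drop invalid", so replies to
#    already-accepted connections are still handled by the earlier rules.
/ip firewall filter
add chain=forward action=drop in-interface-list=STB dst-address=192.168.2.0/24 \
    comment="STB: no access to main LAN" \
    place-before=[find chain=forward comment="NEW defconf: drop invalid"]
add chain=forward action=accept in-interface-list=STB out-interface-list=WAN \
    comment="STB: internet only" \
    place-before=[find chain=forward comment="NEW defconf: drop invalid"]
# Management from the main LAN to the G3100 is one-directional: the LAN may
# open connections to STB, and only the replies come back (established/related).
add chain=forward action=accept in-interface-list=LAN out-interface-list=STB \
    comment="STB: management from main LAN only" \
    place-before=[find chain=forward comment="NEW defconf: drop invalid"]

# 4. Input chain: no rule is added. The G3100 only needs the hex as its
#    gateway; the export's "NEW drop all else" input rule keeps ether3 from
#    reaching the router's own services (ICMP and established/related excepted).

# 5. Outbound NAT needs nothing new: the export's "NEW defconf: masquerade"
#    rule matches out-interface-list=WAN, not a source subnet.

# Verify before cabling the G3100 (set to 192.168.30.1/24, gateway 192.168.30.2):
/interface bridge port print where interface=ether3
/ip firewall filter print where comment~"^STB"
```

The first print should return nothing; the second should show the three STB rules listed above the forward-chain "drop invalid" rule.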
 
Buckeye
Long time Member
Posts: 566
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Need help with ether3

Fri Oct 28, 2022 10:20 pm

So I played with port isolation. But I see (Wireshark) that port isolation is still allowing broadcast/multicast traffic across).

What procedure did you use to capture packets with Wireshark? Where were packets captured? What was used as a "wireshark tap"?

Please upload current screenshots from the CSS326 VLAN, VLANS, Forwarding, and Port Isolation Tabs

Because port isolation should limit what ports a broadcast sent from a device connected to a port can send to.

E.g. for the example in this port isolation, if you look at the middle example (copied below for easy reference), if a device connected to port 2 sends a broadcast (e.g. ARP, DHCP discover, etc.) the only other port to receive the broadcast will be port 1. If port 1 sends a broadcast then all other ports will receive it (assuming in the same VLAN). I don't like MikroTik's use of the term "Private VLAN" because this is not the same as what Cisco RFC 5517 Private VLAN is. (RFC 5517 PVLAN uses 802.1Q tags but is proprietary and can cause issues if used in networks with non-Cisco switches; RFC 5517 is not a standard, it is a "FYI".) It is similar to the difference between RSTP and the TP-Link SG108E "loop prevention": both are meant to prevent loops, but the SG108E uses a simplified (proprietary) way in which you have no settings to affect which redundant link will be disabled.
Multi Tenant Unit isolation.png
 
Buckeye
Long time Member
Posts: 566
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Need help with ether3

Sat Oct 29, 2022 2:50 am

"So what problem are you trying to fix?"

With the G3100 on the same subnet as all my other devices (and no VLANs set up), all broadcast/multicast traffic is heard by all devices. Further, all traffic between the G3100 and the Internet is going through the same CSS326 switch as all other Internet-bound traffic. My thinking is that isolating the broadcast/multicast traffic, and removing from the CSS326 the traffic between the G3100 and the Internet might improve performance a little.

On the back burner is still creating VLANs for media/entertainment devices such as TVs, Rokus, etc. in order to reduce the broadcast/multicast traffic and improve security.

With the number of devices you have, unless there is a malicious device, broadcast traffic should not be a problem. You also have IGMP which should limit multicast traffic. If you look at the statistics tab on your CSS326, you should be able to see how much broadcast and multicast traffic there is on each port. On my CSS106 the stats tab has everything that is on the stats and Hist. tabs on the CSS326, because it has only 6 ports (5 RJ45 and 1 SFP) and the stats/histogram are in column format, where on the CSS326 it is one port per row.

The point being, security is a much more meaningful goal than reduction of ethernet packet flooding is.
 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Need help with ether3

Sat Oct 29, 2022 2:02 pm

I set up a Win10 PC running Wireshark connected to port 7 of the CSS326. The isolation settings allow traffic between the Wireshark Win10 PC on port 7 and the G3100 on port 17 and the hex on port 4. I very well may be wrong about the traffic captured.

I have included screenshots of VLAN, VLANS, PORT ISOLATION, FORWARDING AND STATISTICS.

I've had the port isolation enabled for the G3100 for close to a couple of days.

Thank you for clarifying that I shouldn't have any concerns with packet flooding and that port isolation means no broadcast traffic passes between isolated ports.
 
Buckeye
Long time Member
Posts: 566
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Need help with ether3

Sun Oct 30, 2022 3:50 am

I set up a Win10 PC running Winshark connected to port 7 of the CSS326. The isolation settings allow traffic between the Winsharp Win10 PC on port 7 and the G3100 on port 17 and the hex on port 4. I very well may be wrong about the traffic captured.

You have only half of the "port isolation" done. The "rows" specify what ports can be sent to. Therefore the columns represent what ports data can be received from. If you want 4 and 17 to be isolated from other ports, then you need to prevent the other ports from sending to 7 and 17. The "matrix" in default state has all enabled except for the diagonal, because ports should not forward to themselves.

My guess is the broadcast traffic you were seeing was not from a mac address behind port 7 or port 17. You can see the "learned" mac addresses by looking at the output of the hosts tab, and look for all mac addresses associated with ports 7 and 17. My guess is that there will only be two, the PC on port 7 and the mac address of the G3100. In Wireshark you can add a column with the source mac address (remember from Ed's fundamentals that mac addresses have significance only on the local LAN segment). So any traffic from the internet will have the hex's mac address associated with the bridge.

For example if you clear all the boxes outlined in red, then 4, 7 and 17 will be able to communicate with each other, but 7 and 17 will only be able to communicate with each other and the hex. The hex can still talk to all the other ports.
These need unchecked.png
If you are interested in seeing traffic for a specific port, the proper place to plug in the PC running wireshark would be the "designated mirror port". Then you can tell the switch what traffic (ingress or egress from set of selected ports). Looking at your "forwarding" tab screen, you can see you have port 3 selected as mirror, and nothing is being copied.
 
Josephny
Member Candidate
Topic Author
Posts: 162
Joined: Tue Sep 20, 2022 12:11 am

Re: Need help with ether3

Tue Nov 01, 2022 8:59 am

Thank you so much for the explanation of the rows and columns in port isolation. I get it now and have configured it as needed.

And, thank you for the instruction on running Wireshark on a port that has the desired traffic forwarded to it.
