orcon mikrotik UFB dhcp settings

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › orcon mikrotik UFB dhcp settings

sirex

10 posts

Wannabe Geek

#240270 30-Aug-2018 09:02

Sorry for the potentially dumb question, but i'm struggling to get UFB fiber from orcon working with a mikrotik 750GL.

I understand that all that's needed is a dhcp client on vlan 10 ? I can't for the life of me get that working. It's a pretty simple setup, just eth3 going to the ONT device, and eth2 going to a mikrotik switch.

My config is

[admin@MikroTik-RT] > ip dhcp-client export
/ip dhcp-client
add disabled=no interface=vlan10

[admin@MikroTik-RT] > interface export
/interface bridge
add admin-mac=00:60:64:D8:A2:8B auto-mac=no comment="created from master port" name=lan-br protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-orcon
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface vlan
add interface=ether3-orcon name=vlan10 vlan-id=10
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=lan-br interface=ether4
add bridge=lan-br interface=ether5
add bridge=lan-br interface=ether2-LAN
add bridge=lan-br interface=ether1
/interface list member
add interface=lan-br list=discover
add interface=ether3-orcon list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=lan-br list=mactel
add interface=ether3-orcon list=mactel
add interface=lan-br list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3-orcon list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether5 list=mac-winbox

If that config is all correct, all i can think it might be is firewalling on the vlan interface maybe ? I'm assuming i'd need to allow dhcp traffic on that interface rather than the eth3 device ? I haven't tried that yet but currently i can't get it to get a dhcp address so that's all i can think of right now. I'm at work so if anyone has any other suggestions do let me know and i'll give it a go tonight. The posts i've seen saying to use vlan 10 are from 2015 so just wanted to confirm i've not fallen at the first hurdle or something.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2081213 30-Aug-2018 09:33

What is your firewall config, do the firewall rules include interface list references, if so do they reflect the interface re arrangement you have made.

Cyril

sirex

10 posts

Wannabe Geek

#2081589 30-Aug-2018 17:32

have just tried setting rules in forward and input chains to allow all traffic on every interface, still no joy - so i can rule out firewalling.

Which leaves me with a big fat empty basket of ideas to try :-(

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2081596 30-Aug-2018 17:50

Did you try adding the vlan10 interface to the wan list

Cyril

sirex

10 posts

Wannabe Geek

#2081599 30-Aug-2018 17:57

that may very well be the missing bit of the puzzle. Because i don't know what the wan list is ? I'm assuming you mean interfaces->Interface lists ? All i have there are 'mactel' 'macwinbox' and 'discover' ? You might need to clue me up a bit more, sorry.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2081601 30-Aug-2018 18:00

Can you post the firewall config?

Cyril

sirex

10 posts

Wannabe Geek

#2081603 30-Aug-2018 18:03

from reading it seems like the lists are just for grouping interfaces in the firewall, right ? in which case i'm not using them at all.

wondering if that masquerade line might be an issue, which pre-dates me trying to get the vlan 10 and UFB config working. I'll try again in an hour or two when i'm home. Gah, this should be so easy ! lol.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related in-interface=all-ethernet
add chain=input comment="allow icmp" protocol=icmp
add action=accept chain=input comment="allow established or related" connection-state=established,related in-interface=all-vlan
add action=accept chain=input in-interface=all-ethernet
add action=accept chain=forward in-interface=all-vlan
add action=accept chain=forward in-interface=all-ethernet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether3-orcon

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2081604 30-Aug-2018 18:05

Change the last line, ie the Nat/mascerade rule from interface3 to vlan10

Please excuse spelling as I am waiting inan airport on my phone 😁

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2081610 30-Aug-2018 18:09

You should probably disable the forward rules from any interface or vlan also, but get it running first, then pare back the rules

Cyril

sirex

10 posts

Wannabe Geek

#2081639 30-Aug-2018 19:42

bingo ! that was it :-) needed to change the src-nat rule to be on the vlan interface outbound instead of the physical. Awesome ! thanks for the help. :-)

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2081640 30-Aug-2018 19:46

Sweet, as mentioned you might like to tighten you firewall rules will pm you mine tomorrow when I get back to NZ for you to reference.

Cyril

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#2081646 30-Aug-2018 20:09

While it won't affect things on that model router is there a reason why you decided to use ether3 for your WAN while having 1-2 and 4-5 for your LAN?

The ports you use on some routers is critical for optimum performance and you can see this when you look at the block diagram. The 750GL is a very low spec router though and everything is tied to the switch chip.

cyril7

9058 posts

Uber Geek

ID Verified

Trusted

Subscriber

#2081660 30-Aug-2018 20:34

Yep agree with Steve, my next suggestion would have been a factory reset, and just add vlan and DHCP and see what transpired, that would also sort the firewall rules.

Cyril

sirex

10 posts

Wannabe Geek

#2081773 31-Aug-2018 08:59

its just historical legacy hangover. Years ago there were many other links going into this unit.

Have locked down the firewall, and got ipv6 going too while i was at it. Thanks all.