

10 posts

Wannabe Geek


Topic # 240270 30-Aug-2018 09:02

Sorry for the potentially dumb question, but I'm struggling to get UFB fiber from Orcon working with a MikroTik 750GL.

I understand that all that's needed is a DHCP client on VLAN 10? I can't for the life of me get that working. It's a pretty simple setup, just eth3 going to the ONT device, and eth2 going to a MikroTik switch.

My config is:

[admin@MikroTik-RT] > ip dhcp-client export
/ip dhcp-client
add disabled=no interface=vlan10

 

 

 


[admin@MikroTik-RT] > interface export
/interface bridge
add admin-mac=00:60:64:D8:A2:8B auto-mac=no comment="created from master port" name=lan-br protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-orcon
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
/interface vlan
add interface=ether3-orcon name=vlan10 vlan-id=10
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=lan-br interface=ether4
add bridge=lan-br interface=ether5
add bridge=lan-br interface=ether2-LAN
add bridge=lan-br interface=ether1
/interface list member
add interface=lan-br list=discover
add interface=ether3-orcon list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=lan-br list=mactel
add interface=ether3-orcon list=mactel
add interface=lan-br list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3-orcon list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether5 list=mac-winbox

 

 

 

If that config is all correct, all I can think it might be is firewalling on the VLAN interface, maybe? I'm assuming I'd need to allow DHCP traffic on that interface rather than the eth3 device? I haven't tried that yet, but currently I can't get it to get a DHCP address, so that's all I can think of right now. I'm at work, so if anyone has any other suggestions do let me know and I'll give it a go tonight. The posts I've seen saying to use VLAN 10 are from 2015, so I just wanted to confirm I've not fallen at the first hurdle or something.


6306 posts

Uber Geek
+1 received by user: 288

Trusted
Subscriber

  Reply # 2081213 30-Aug-2018 09:33

What is your firewall config? Do the firewall rules include interface list references? If so, do they reflect the interface rearrangement you have made?

Cyril



10 posts

Wannabe Geek


  Reply # 2081589 30-Aug-2018 17:32

Have just tried setting rules in forward and input chains to allow all traffic on every interface, still no joy, so I can rule out firewalling.

Which leaves me with a big fat empty basket of ideas to try :-(


6306 posts

Uber Geek
+1 received by user: 288

Trusted
Subscriber

  Reply # 2081596 30-Aug-2018 17:50

Did you try adding the vlan10 interface to the WAN list?

Cyril



10 posts

Wannabe Geek


  Reply # 2081599 30-Aug-2018 17:57

That may very well be the missing bit of the puzzle, because I don't know what the WAN list is? I'm assuming you mean interfaces->Interface lists? All I have there are 'mactel', 'macwinbox' and 'discover'. You might need to clue me up a bit more, sorry.


6306 posts

Uber Geek
+1 received by user: 288

Trusted
Subscriber

  Reply # 2081601 30-Aug-2018 18:00

Can you post the firewall config?

Cyril



10 posts

Wannabe Geek


  Reply # 2081603 30-Aug-2018 18:03

From reading, it seems like the lists are just for grouping interfaces in the firewall, right? In which case I'm not using them at all.

Wondering if that masquerade line might be an issue, which pre-dates me trying to get the VLAN 10 and UFB config working. I'll try again in an hour or two when I'm home. Gah, this should be so easy! lol.

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related in-interface=all-ethernet
add chain=input comment="allow icmp" protocol=icmp
add action=accept chain=input comment="allow established or related" connection-state=established,related in-interface=all-vlan
add action=accept chain=input in-interface=all-ethernet
add action=accept chain=forward in-interface=all-vlan
add action=accept chain=forward in-interface=all-ethernet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether3-orcon


6306 posts

Uber Geek
+1 received by user: 288

Trusted
Subscriber

  Reply # 2081604 30-Aug-2018 18:05

Change the last line, i.e. the NAT/masquerade rule, from interface3 to vlan10.

Please excuse spelling as I am waiting in an airport on my phone 😁

6306 posts

Uber Geek
+1 received by user: 288

Trusted
Subscriber

  Reply # 2081610 30-Aug-2018 18:09

You should probably disable the forward rules from any interface or vlan also, but get it running first, then pare back the rules

Cyril



10 posts

Wannabe Geek


  Reply # 2081639 30-Aug-2018 19:42

Bingo! That was it :-) Needed to change the src-nat rule to be on the VLAN interface outbound instead of the physical. Awesome! Thanks for the help. :-)
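
Added example (not part of the thread or of anyone's post): a small Python check for the mistake resolved above, a masquerade rule left on the physical port after the WAN moved to a VLAN interface, which also flags the accept-all forward rules that were suggested for paring back. It assumes a plain-text export with one rule per line; the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the exports posted in this thread.
EXPORT = '''\
/interface vlan
add interface=ether3-orcon name=vlan10 vlan-id=10
/ip dhcp-client
add disabled=no interface=vlan10
/ip firewall filter
add action=accept chain=forward in-interface=all-vlan
add action=accept chain=forward in-interface=all-ethernet
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether3-orcon
'''

KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_export(text):
    """Group the key=value pairs of each 'add' line under its menu path."""
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.startswith("add "):
            props = {k: v.strip('"') for k, v in KV.findall(line)}
            menus.setdefault(path, []).append(props)
    return menus

def lint(text):
    menus = parse_export(text)
    parent = {v["name"]: v["interface"] for v in menus.get("/interface vlan", [])}
    # Assumption: every enabled DHCP client interface is a WAN uplink.
    wan = [c["interface"] for c in menus.get("/ip dhcp-client", [])
           if c.get("disabled", "no") == "no"]
    findings = []
    for rule in menus.get("/ip firewall nat", []):
        out = rule.get("out-interface")
        for w in wan:
            if rule.get("action") == "masquerade" and parent.get(w) == out:
                findings.append(f"nat: out-interface={out} is only the parent "
                                f"of {w}; use out-interface={w}")
    for rule in menus.get("/ip firewall filter", []):
        # Forward accept matching on nothing but the ingress interface
        # (a rule with no action= is treated as accept, RouterOS's default).
        matchers = set(rule) - {"action", "chain", "comment", "in-interface"}
        if (rule.get("chain") == "forward" and not matchers
                and rule.get("action", "accept") == "accept"):
            findings.append(f"filter: forward accept-all from "
                            f"{rule.get('in-interface', 'any')}")
    return findings
```

Calling `lint(EXPORT)` on the sample returns one NAT finding and two filter findings; after the masquerade rule is moved to `vlan10`, only the two filter findings remain.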


6306 posts

Uber Geek
+1 received by user: 288

Trusted
Subscriber

  Reply # 2081640 30-Aug-2018 19:46

Sweet, as mentioned you might like to tighten your firewall rules. Will PM you mine tomorrow when I get back to NZ for you to reference.

Cyril

26950 posts

Uber Geek
+1 received by user: 6392

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 2081646 30-Aug-2018 20:09

While it won't affect things on that model router, is there a reason why you decided to use ether3 for your WAN while having 1-2 and 4-5 for your LAN?

The ports you use on some routers are critical for optimum performance and you can see this when you look at the block diagram. The 750GL is a very low spec router though and everything is tied to the switch chip.


6306 posts

Uber Geek
+1 received by user: 288

Trusted
Subscriber

  Reply # 2081660 30-Aug-2018 20:34

Yep agree with Steve, my next suggestion would have been a factory reset, and just add vlan and DHCP and see what transpired, that would also sort the firewall rules.

Cyril



10 posts

Wannabe Geek


  Reply # 2081773 31-Aug-2018 08:59

It's just historical legacy hangover. Years ago there were many other links going into this unit.

Have locked down the firewall, and got IPv6 going too while I was at it. Thanks all.

