Mikrotik and Bridges

Thor

Please bear with me (I have used unifi all my life.)

In my home, I have a Telkom Netgear VDSL modem; connected to that I have a Tenda AC1200.

The WiFi on the Netgear is disabled as I use the Tenda to do the WiFi.

On the Netgear I have 3 PCs connected and the Tenda, on which are 4 WiFi devices.

I bought myself a Mikrotik Routerboard rb951ui-2hnd.

What I want to do is have the Netgear act only as a modem and dial up the ISP from the Mikrotik, and I want the Tenda to still do the wireless.

So, I put the Netgear in bridge mode, connected it to eth1 and configured the PPPoE credentials on the Mikrotik. Now all the Mikrotik ports eth2 - 5 have Internet access.

My question: how do I get the 3 PCs that are connected to the Netgear (bridged modem) to still have internet?

Perhaps I don't understand how bridging works?

Question two, how do I get the Tenda AC1200 into Bridge mode?

Question three, is it possible to enable Mikrotik's Hotspot functionality only on one specific port, for example Eth5, and then plug a WiFi AP into Eth5 and have a wireless Hotspot (for testing, I want to learn the functionality)?

Question four, what is eth2-master?
 

irBosOtter

You unplug them from the Netgear and plug them into the LAN ports on the Mikrotik, if they are set up as LAN ports, or switch ports.
You can try running another cable from one of the LAN ports on the Mikrotik to a Netgear LAN port but might not have success.
 

Thor

> You unplug them from the Netgear and plug them into the LAN ports on the Mikrotik, if they are set up as LAN ports, or switch ports.
> You can try running another cable from one of the LAN ports on the Mikrotik to a Netgear LAN port but might not have success.

Okay so to clarify, does that mean when a router is in bridge mode it is no longer able to use its other LAN ports?
 

RoganDawes

> Okay so to clarify, does that mean when a router is in bridge mode it is no longer able to use its other LAN ports?

When a router is in bridge mode, it turns into a dumb media adapter. It translates packets received via ethernet into packets which can be sent over ADSL. That's it.

Of course, the other end of the ADSL line is a DSLAM, that is only expecting PPPoE packets, and has no idea how to handle anything else. Normally when the router is not in bridge mode, the router establishes the PPPoE connection and then tunnels everything from connected devices in that PPPoE session. When it is in bridge mode, you need something else to establish that PPPoE connection, and handle the tunneling of IP packets over that session. In your case, this will now be the Mikrotik.

With that in mind, any devices physically connected to the NetGear MUST only send PPPoE packets. Your Mikrotik would be one such device, but you can also establish a PPPoE connection from the PCs that were connected to ports on the Netgear, should you need to. Of course, your PCs won't have an IP address to talk to each other, other than via the publicly routable internet address that they are issued when establishing that PPPoE session. When in bridge mode, the Netgear will (most likely) not be assigning DHCP addresses at all.

So, in theory, if you have two households wanting to share an ADSL line, each with their own ISP account, you could have a device (a.k.a. modem) in bridge mode connected to the Telkom line, two routers connected to the modem, and each establishing their own PPPoE connection to their own ISP. There would be a degree of contention on the line, and they would share the negotiated line speed based on how much traffic each is generating/receiving. (This all as an aside to explain bridge mode).

To answer your question about putting the Tenda in bridge mode, I think you are using the wrong terminology.

What you want to do is have the Tenda as an Access Point, not a router, if I understand correctly. In this mode, the Tenda has its own DHCP server disabled, and simply bridges the Ethernet interfaces to the WiFi interface (much like your NetGear is bridging the Ethernet interface to the ADSL interface). Since wireless devices will be issued DHCP allocations by the Mikrotik, they will all want to use the Mikrotik as their default route, and the Tenda will send Internet-bound traffic to the Mikrotik for routing over its PPPoE connection.

One complication that using a router in bridge mode introduces is difficulty in reaching the modem's status page. If your modem is at 192.168.1.1, and your Mikrotik is at 192.168.2.1, any attempt to reach 192.168.1.1 will generally result in that packet being routed out via the PPPoE connection to the Internet, rather than via Ethernet to the modem. This will obviously not be successful!

I've only ever done this with OpenWRT, and I have no Mikrotik experience, but what you will need to do is set up the Mikrotik with an IP address on the Ethernet interface connected to the NetGear (e.g. 192.168.1.2), as well as NAT any traffic to 192.168.1.1 to appear as if it is coming from 192.168.1.2. This is because the modem will not have a route to know how to get back to 192.168.2.*. Also, some consumer modems do not like having their management interfaces accessed from outside their local subnet (c.f. DLink 2500U).

Apologies for the wall of text, and if any of this is old hat. Perhaps it will be useful for other people wanting to do something similar.
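
The modem status page problem described in the post above, traced as an added example (not part of the original post or any poster's configuration). The addresses are the ones from the post; the interface names, the LAN client address and the assumption that the bridged modem has no default route are constructed for illustration.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return the out-interface for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# Constructed routing tables. Interface names are assumptions.
MIKROTIK_BEFORE = [
    ("192.168.2.0/24", "lan"),        # connected route: Mikrotik is 192.168.2.1
    ("0.0.0.0/0", "pppoe-out1"),      # default route through the PPPoE session
]
# After giving the modem-facing port its own address, 192.168.1.2/24.
# RouterOS equivalent (assumes the modem is plugged into ether1):
#   /ip address add address=192.168.1.2/24 interface=ether1
MIKROTIK_AFTER = MIKROTIK_BEFORE + [("192.168.1.0/24", "ether1")]

# Bridged modem: knows only its own management subnet (assumed: no default route).
MODEM = [("192.168.1.0/24", "lan")]

def reach_modem(routes, client, src_nat):
    """Trace a request from a LAN client to 192.168.1.1 and the reply back."""
    out = lookup(routes, "192.168.1.1")
    if out != "ether1":
        return f"request leaves via {out}: never reaches the modem"
    # With source NAT the modem sees the Mikrotik's address, not the client's.
    # RouterOS equivalent:
    #   /ip firewall nat add chain=srcnat out-interface=ether1 \
    #       dst-address=192.168.1.1 action=masquerade
    seen_src = "192.168.1.2" if src_nat else client
    if lookup(MODEM, seen_src) is None:
        return f"modem has no route back to {seen_src}: reply dropped"
    return f"modem replies to {seen_src}: status page reachable"

if __name__ == "__main__":
    client = "192.168.2.50"  # constructed LAN client address
    print(reach_modem(MIKROTIK_BEFORE, client, src_nat=False))
    print(reach_modem(MIKROTIK_AFTER, client, src_nat=False))
    print(reach_modem(MIKROTIK_AFTER, client, src_nat=True))
```

Scoping the NAT rule to the modem's address keeps the management page reachable only through the router, which is also where any firewall rule limiting who may open it would sit.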
 

Thor

@RoganDawes

Thank you for that detailed response. It makes sense, it's incredibly clear now and for the first time, I actually understand wtf I am doing and attempted to do.

----
Therefore, what I need to do is buy a switch (https://scoop.co.za/tenda-8-port-gigabit-ethernet-desktop-switch-768.html), then with that connected to the Mikrotik, all the PCs that were connected to the Netgear I will now connect to that switch, and then the Mikrotik will be able to route traffic again.

So network will look like this:

Netgear (Bridge) -> (eth1)MikroTik(eth3) -> Switch -> PCs
-> MikroTik(eth4)-> Tenda (AP mode) -> Wifi

----
Then on eth5 I will play around with Radius and the hotspot functionality. Will need to buy another AP probably something like so (https://scoop.co.za/mikrotik-rbsxt2ndr2-outdoor-2ghz-wifi-cpe.html)
 

RoganDawes

> @RoganDawes
>
> Thank you for that detailed response. It makes sense, it's incredibly clear now and for the first time, I actually understand wtf I am doing and attempted to do.
>
> ----
> Therefore, what I need to do is buy a switch (https://scoop.co.za/tenda-8-port-gigabit-ethernet-desktop-switch-768.html), then with that connected to the Mikrotik, all the PCs that were connected to the Netgear I will now connect to that switch, and then the Mikrotik will be able to route traffic again.
>
> So network will look like this:
>
> Netgear (Bridge) -> (eth1)MikroTik(eth3) -> Switch -> PCs
> -> MikroTik(eth4)-> Tenda (AP mode) -> Wifi
>
> ----
> Then on eth5 I will play around with Radius and the hotspot functionality. Will need to buy another AP probably something like so (https://scoop.co.za/mikrotik-rbsxt2ndr2-outdoor-2ghz-wifi-cpe.html)

You're welcome, glad to help.

Yup, your plan seems reasonable. You may prefer to just get the AP you mention, rather than trying to turn the Tenda into one (not sure how easy it is to turn off the DHCP server, etc), but of course feel free to play with it and see if you can get it working! We don't always do what makes the most sense, but to see what is possible! (and what makes sense to one ignores financial constraints and reluctance to spend money on new kit when existing kit should be able to do the job, dammit! :grin: )
 

irBosOtter

They don't all go into "dumb mode", depending on which one you have. You can ping the IP on the Netgear from one of the PCs plugged into it, right? How else would one get to the web interface and configure it...

Anyway, that's why I said use another cable and test. I had a cheap Billion router (10 years ago) that I used like that. On some of these you can also set up VLANs; they might call it "binding" or "bridging" interfaces together. You can bind the one interface to the ADSL port where the Mikrotik dials through and bind the other ones together, then you can use them as switch ports, but one of the ports will have to run to a LAN port on another switch/router, be it the Mikrotik or other AP's LAN port.

But just too much of a mission, so go with what RoganDawes said.
 

Thor

> They don't all go into "dumb mode", depending on which one you have. You can ping the IP on the Netgear from one of the PCs plugged into it, right? How else would one get to the web interface and configure it...
>
> Anyway, that's why I said use another cable and test. I had a cheap Billion router (10 years ago) that I used like that. On some of these you can also set up VLANs; they might call it "binding" or "bridging" interfaces together. You can bind the one interface to the ADSL port where the Mikrotik dials through and bind the other ones together, then you can use them as switch ports, but one of the ports will have to run to a LAN port on another switch/router, be it the Mikrotik or other AP's LAN port.
>
> But just too much of a mission, so go with what RoganDawes said.

I understand what you are saying, that is what I tried, but I think Telkom's firmware does not show all the functionality.

I have this Telkom Netgear - Netgear vevg2660. Would I be able to load other firmware on this? Like DD-WRT?

This is the router -> http://www.netgear.co.za/telkom/vevg2660.html
 

Slootvreter

AFAIK, you can use the Mikrotik Hotspot service on a specific port.

But what do you actually want to use it for? Captive portal, etc etc?
 

irBosOtter

Think you will have to check DD-WRT's site if it supports that, but I know my TP link D7 does not support it last time I checked, but that I only use as an AP. Their site says it only supports router models and not ones with ADSL modems built in, not sure if that has changed by now.

Using a Fortigate firewall for routing and internet breakout at home, used to dial PPPoE from it through an old ADSL modem but that one was thrown away when fibre got installed.
 

Thor

> AFAIK, you can use the Mikrotik Hotspot service on a specific port.
>
> But what do you actually want to use it for? Captive portal, etc etc?

I know the Ubiquiti ecosystem by heart; I can create complex setups with little knowledge of what is actually happening thanks to the USG and UniFi software.

I think I am ready to dive a little deeper, so bought myself some Mikrotik equipment and I want to start fiddling. I have the RAIN LTE and B18 modem as well, ordered a Raspberry Pi now so will be trying my hand at proxy and cache servers as well.

So it's all just learning, for now using my home. With the hotspot I want to see what is possible, and security etc. Aim 1 is to set up a WiFi link called "XXX"; if you connect to that, page X opens and you need to create yourself an account. Then I want to see what usermanager can do, so I will need to learn how Radius works as well later on.

For now, I want to just familiarize myself with how this all works.
 

Thor

> Think you will have to check DD-WRT's site if it supports that, but I know my TP link D7 does not support it last time I checked, but that I only use as an AP. Their site says it only supports router models and not ones with ADSL modems built in, not sure if that has changed by now.
>
> Using a Fortigate firewall for routing and internet breakout at home, used to dial PPPoE from it through an old ADSL modem but that one was thrown away when fibre got installed.

Thanks I checked now - Telkom's one is not supported.

Oh well expensive bridge then :)
 

Thor

What does that eth2-master mean and what makes port two different to the others?

[Attachment: 2017-10-20_13-16-45.jpg]
 

SauRoNZA

You are basically looking for Split Bridge mode where the Router opens its own PPPoE connection and the other Router device "behind" it also offers the same.

Very few Routers allow this and I'm betting the Netgear doesn't, but it's worth showing the listing of options where you selected the Bridge mode.

But it's a silly way to do it if you have a Mikrotik. Rather just let the Mikrotik do everything. You can run the Hotspot independently on its own port.

You can run a completely separate network on each port for that matter.
 

SauRoNZA

> What does that eth2-master mean and what makes port two different to the others?

Look under the "switch" option.

Ether2 is probably the Master of Ether3,4,5 which are all slaves to it. Basically it's a switch between those ports.

It's just the standard RouterOS config.

Eth1 = WAN

Eth2 + Others = LAN.
 

Thor

> Look under the "switch" option.
>
> Ether2 is probably the Master of Ether3,4,5 which are all slaves to it. Basically it's a switch between those ports.
>
> It's just the standard RouterOS config.
>
> Eth1 = WAN
>
> Eth2 + Others = LAN.

Aha! That makes sense now, the "Master" bit threw me off.

Okay so plan A is Netgear Dumb Bridge -> Eth1 of MikroTik will be WAN/PPPoE

Eth2 on MikroTik will plug into a Tenda 8 port Gigabit switch, that switch will run my home network. So Eth2 = Home network - 10.0.0.0/24

Eth3 will be WiFi, so Tenda AC1200 will be put into AP mode and then Eth3 = WiFi Network 10.0.10.0/24

Eth4 will be connected to another AP and I will explore the hotspot functionality on there.

----
Off topic, can you get a Raspberry Pi with 2 LAN ports? I want to use the Raspberry as a proxy server.

[Attachment: proxy-telkom.jpg]
 

SauRoNZA

> Aha! That makes sense now, the "Master" bit threw me off.
>
> Okay so plan A is Netgear Dumb Bridge -> Eth1 of MikroTik will be WAN/PPPoE
>
> Eth2 on MikroTik will plug into a Tenda 8 port Gigabit switch, that switch will run my home network. So Eth2 = Home network - 10.0.0.0/24
>
> Eth3 will be WiFi, so Tenda AC1200 will be put into AP mode and then Eth3 = WiFi Network 10.0.10.0/24
>
> Eth4 will be connected to another AP and I will explore the hotspot functionality on there.
>
> ----
> Off topic, can you get a Raspberry Pi with 2 LAN ports? I want to use the Raspberry as a proxy server.

Why do you want WiFi and Ethernet on two different networks? (Eth 2 + 3). Just make it one thing.

Splitting off Eth4 for the Hotspot makes sense of course.

And why on earth do you want yet ANOTHER device for a Proxy server when you have RouterOS?

The entire idea is to have LESS stuff not more.

Run the Proxy on RouterOS.


You are really building the most unnecessarily complex and potentially unreliable network in the world there.
 

Thor

> Why do you want WiFi and Ethernet on two different networks? (Eth 2 + 3). Just make it one thing.
>
> Splitting off Eth4 for the Hotspot makes sense of course.
>
> And why on earth do you want yet ANOTHER device for a Proxy server when you have RouterOS?
>
> The entire idea is to have LESS stuff not more.
>
> Run the Proxy on RouterOS.
>
> You are really building the most unnecessarily complex and potentially unreliable network in the world there.

Wasn't sure how much the RouterOS can handle (the physical routerboard). I assumed for the Cache server I will need a lot more space than what the routerboard has, so was thinking of buying a 256GB class 10 SD card and make that Raspberry cache all there is to cache and then plug the RAIN LTE modem in there (WAN). Rain being mobile data is expensive and limited so the cache server should help...

As for WiFi, I want to understand IP and subnetting a little better: what can WiFi see and do vs wired PCs. Later on it will all be one network, Home WiFi and Home network, so all can access the NAS/Plex.

^It's mainly just for me learning, this ain't production.
 

SauRoNZA

> Wasn't sure how much the RouterOS can handle (the physical routerboard). I assumed for the Cache server I will need a lot more space than what the routerboard has, so was thinking of buying a 256GB class 10 SD card and make that Raspberry cache all there is to cache and then plug the RAIN LTE modem in there (WAN). Rain being mobile data is expensive and limited so the cache server should help...
>
> ^Mainly just for me learning, this ain't production.

Nee man.

I have Routerboard RB750's running entire oil tankers with 10's of people on board and way more devices with Private Networks, Public Networks, Hotspots and Proxies.

You don't need any external storage or more processing.

Besides you can't cache HTTPS and you aren't exactly going to store ISO files in caches.

Regardless of that, proxy caches are less and less relevant these days with faster internet and your browser doing its own caching anyway.

If you were trying to optimize a 56K modem or satellite link as I need to do that's a different story.
 

Thor

> Nee man.
>
> I have Routerboard RB750's running entire oil tankers with 10's of people on board and way more devices with Private Networks, Public Networks, Hotspots and Proxies.
>
> You don't need any external storage or more processing.
>
> Besides you can't cache HTTPS and you aren't exactly going to store ISO files in caches.
>
> Regardless of that, proxy caches are less and less relevant these days with faster internet and your browser doing its own caching anyway.
>
> If you were trying to optimize a 56K modem or satellite link as I need to do that's a different story.

Fck the squid and the cache then. Can I load a Radius server on the Pi and make the hotspot be a captive portal? (I want to build the hotspot pages myself with PHP + Foundation.) I want users to create an account (name, email, password), and then buy another MikroTik and they both talk to the Radius on the Pi, thus 1 account, two physical hotspots.

Wait, is this not a wisp? Guess I want to build a basic wisp.
 