Mikrotik - pre zaciatocnikov

[Bono83]

Zajtra sa tam pripojim a postnem ju sem.

[Bono83]

model = C53UiG+5HPaxD2HPaxD

/interface bridge
add admin-mac=F4:1E:57:AE:06:0E arp=proxy-arp auto-mac=no comment=defconf name=\
bridge
/interface wireguard
add comment=back-to-home-vpn listen-port=32851 mtu=1420 name=back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=sec1
/interface wifi configuration
add channel.skip-dfs-channels=all country=Slovakia disabled=no mode=ap name=\
cfg1 security=sec1 ssid=xxxx
/interface wifi
# operated by CAP F4:1E:57:AF:F9:E9%bridge, traffic processing on CAP
add configuration=cfg1 disabled=no name=AP_FILIP radio-mac=F4:1E:57:AF:F9:EE
# operated by CAP F4:1E:57:AF:F9:E9%bridge, traffic processing on CAP
add configuration=cfg1 disabled=no name=AP_FILIP2 radio-mac=F4:1E:57:AF:F9:EF
# operated by CAP F4:1E:57:AF:F6:4D%bridge, traffic processing on CAP
add configuration=cfg1 disabled=no name=AP_OBYVACKA radio-mac=F4:1E:57:AF:F6:52
# operated by CAP F4:1E:57:AF:F6:4D%bridge, traffic processing on CAP
add configuration=cfg1 disabled=no name=AP_OBYVACKA2 radio-mac=\
F4:1E:57:AF:F6:53
set [ find default-name=wifi2 ] configuration=cfg1 configuration.mode=ap \
disabled=no name=wifi2,4G
set [ find default-name=wifi1 ] configuration=cfg1 configuration.mode=ap \
disabled=no name=wifi5G
/ip pool
add name=default-dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=3h name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi5G
add bridge=bridge comment=defconf interface=wifi2,4G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg1 name-format=%I
/ip address
add address=192.168.10.1/24 comment=LOKALNA_IP interface=bridge network=\
192.168.10.0
add address=192.168.137.38/24 comment=IP_STATICKA_GOLEMTECH interface=ether1 \
network=192.168.137.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.10.201 mac-address=BC:10:2F:7B:EE:0F server=defconf
add address=192.168.10.198 client-id=1:54:8c:81:14:49:11 comment=NVR_HIK \
mac-address=54:8C:81:14:49:11 server=defconf
add address=192.168.10.197 client-id=1:f4:1e:57:af:f9:e9 mac-address=\
F4:1E:57:AF:F9:E9 server=defconf
add address=192.168.10.196 client-id=1:f4:1e:57:af:f6:4d mac-address=\
F4:1E:57:AF:F6:4D server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=DHCP_LOKALNE dns-server=\
192.168.10.1,8.8.8.8 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.168.137.1,185.98.208.2
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ip route
add comment=GATEWAY_GOLEMTECH disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=192.168.137.1 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=Router_Rack
/system ntp client
set enabled=yes
/system ntp client servers
add address=62.168.94.161
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard settings
set auto-upgrade=yes
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\
\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

[Bono83]

model = C53UiG+5HPaxD2HPaxD

/interface bridge
add admin-mac=F4:1E:57:AE:06:0E arp=proxy-arp auto-mac=no comment=defconf name=\
bridge
/interface wireguard
add comment=back-to-home-vpn listen-port=32851 mtu=1420 name=back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=sec1
/interface wifi configuration
add channel.skip-dfs-channels=all country=Slovakia disabled=no mode=ap name=\
cfg1 security=sec1 ssid=xxxx
/interface wifi
# operated by CAP F4:1E:57:AF:F9:E9%bridge, traffic processing on CAP
add configuration=cfg1 disabled=no name=AP_FILIP radio-mac=F4:1E:57:AF:F9:EE
# operated by CAP F4:1E:57:AF:F9:E9%bridge, traffic processing on CAP
add configuration=cfg1 disabled=no name=AP_FILIP2 radio-mac=F4:1E:57:AF:F9:EF
# operated by CAP F4:1E:57:AF:F6:4D%bridge, traffic processing on CAP
add configuration=cfg1 disabled=no name=AP_OBYVACKA radio-mac=F4:1E:57:AF:F6:52
# operated by CAP F4:1E:57:AF:F6:4D%bridge, traffic processing on CAP
add configuration=cfg1 disabled=no name=AP_OBYVACKA2 radio-mac=\
F4:1E:57:AF:F6:53
set [ find default-name=wifi2 ] configuration=cfg1 configuration.mode=ap \
disabled=no name=wifi2,4G
set [ find default-name=wifi1 ] configuration=cfg1 configuration.mode=ap \
disabled=no name=wifi5G
/ip pool
add name=default-dhcp ranges=192.168.10.10-192.168.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=3h name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi5G
add bridge=bridge comment=defconf interface=wifi2,4G
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg1 name-format=%I
/ip address
add address=192.168.10.1/24 comment=LOKALNA_IP interface=bridge network=\
192.168.10.0
add address=192.168.137.38/24 comment=IP_STATICKA_GOLEMTECH interface=ether1 \
network=192.168.137.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-server lease
add address=192.168.10.201 mac-address=BC:10:2F:7B:EE:0F server=defconf
add address=192.168.10.198 client-id=1:54:8c:81:14:49:11 comment=NVR_HIK \
mac-address=54:8C:81:14:49:11 server=defconf
add address=192.168.10.197 client-id=1:f4:1e:57:af:f9:e9 mac-address=\
F4:1E:57:AF:F9:E9 server=defconf
add address=192.168.10.196 client-id=1:f4:1e:57:af:f6:4d mac-address=\
F4:1E:57:AF:F6:4D server=defconf
/ip dhcp-server network
add address=192.168.10.0/24 comment=DHCP_LOKALNE dns-server=\
192.168.10.1,8.8.8.8 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.168.137.1,185.98.208.2
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ip route
add comment=GATEWAY_GOLEMTECH disabled=no distance=1 dst-address=0.0.0.0/0 \
gateway=192.168.137.1 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=Router_Rack
/system ntp client
set enabled=yes
/system ntp client servers
add address=62.168.94.161
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard settings
set auto-upgrade=yes
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\
\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

[mp3turbo]

no nejake rozdieliky by sa predsalen nasli...

pre wifiny neexistuje datapath.bridge=bridge [!]
mas poprehadzovane MAC adresy klientskych radii, nazvy zostavaju rovnake avsak mozno sa vymenia frekvencie (Filip bol 2.4GHz, teraz je 5GHz alebo nieco podobne), neriesime preskakovanie DFS frekvencii takze obmedzenejsi vyber pre radia
mas radia na AX3 ktore su zaclenene do "všehobridge", na E50UG radia neboli (zda sa to minoritna zmena, ale bridge je bridge ; boli s nim problemy)
v novej konfiguracii nemas prihodenie dynamickych interfejsov do "všehobridge" sa mi zda - nevidim "add bridge=bridge interface=dynamic"
v novej konfiguracii nie je OVPN server

blokovy diagram ukazuje, ze AX3 ma ether1 zapojeny cez samostatny chip [!], E50UG ho ma zadratovany priamo na CPU plus tie CPUcka su samozrejme inej generacie, v principe aj ina platforma a rozhodne iny vykon (co nie je dolezite pokial neroutujes gigabit v jednom kuse).

a to som nepreskumal cele, bol to taky dvojminutovy pohlad a narychlo scrollovanie horedole
takze ta konfiguracia je velmi velmi podobna, ale rozhodne by som ju nenazval identickou.

[Bono83]

Jojo, identicka nie je, ale tie rozdiely ako bridge dynamic som uz skusal zo zufalstva predtym. Aj datapath bridge som nastavoval len tak na skúšku a nepomohlo to nic. Ale ten ovpn server odkial sa nabral v starej konfiguracii nechapem. Ale prave si myslím ze ta rozdielna architektura robila problem. Ax2 aj AX3 su arm64.

[mp3turbo]

velmi lahko to moze byt - nemam tusenie, co bola skutocna pricina ; tipnem si, ze tie skripty a pravidelne pinganie gatewaye by pomohlo.
Najviac ma trapilo zaclenenie dynamic interfaces do bridge - v principe by pohlad na path-cost a internal-path-cost pre interfejsy v bridge mohol napovedat (/interface bridge port print)

a vobec, absolutne najdolezitejsie je vyprdnut sa na bridge a totalne ho nepouzivat. Neexistuje jediny dovod, preco by si nemal mat ethernety kazdy samostatny. Tuto tvoju vec nemam zatial zaradenu do zoznamu "zaujimavych" pretoze som na to nikdy nikde nenarazil, ale velmi lahko sa moze stat, ze som na nu proste nenarazil preto, lebo nerobim vsade so vsetkym bridge. Wirelesska, ethernety ktore sa zmestia, wireguard k tomu, administrativne urcena MAC adresa s proxy-arp...

kdeze priatelia :

https://i.imgur.com/CHoKxYC.png

[totojemojucet]

zdravim borci, nema tu niekto FTTH od Slovak Telekomu cez bridge mode? zaujimalo by ma ze co vsetko treba nastavit v PPPoE klientovi okrem mena/hesla aby to ficalo.

[zoom]

Odpisal som ti aj vedla, ale s Mikrotik vecami mozme kludne pokracovat (aj) tu. Mam FTTH od Orange, ktore ide cez Telekom siet (pausal/program platim Orangu, opticky kabel v zemi patri fyzicky Telekomu). Mam ich konvertor prepnuty do bridge modu a mam Mikrotik ako hlavny router. Cize vsetko, co chces vediet a mat aj ty.

Ked chces rozbehat to PPPoE na Mikrotiku, tak v nom v sekcii PPP pridas interface typu PPPoE Client. V nom potom na karticke Dial Out nastavis akurat prihlasovacie udaje (User, Password). To by malo byt vsetko. Potom uz len standardne nastavenia. S tym PPPoE interfacom pracujes ako s akymkolvek dalsim - ak chces pridas ho do lokalneho bridgu, robis na nom firewall pravidla, pridas ho do interface listu (napr. WAN) a potom az nad tym robis pravidla, ako len chces.

[mp3turbo]

preboha do bridge nie.

Interface, ktory ma na sebe verejne pripojenie, nikdy do ziadneho bridgu aj keby sa ti vyhrazali smrtou.

[zoom]

No jo, to len v ramci quick popisu. Ved ani ja to tak samozrejme nemam. Pekne si zije samostatnym oddelenym zivotom.

[totojemojucet]

preboha do bridge nie.

Interface, ktory ma na sebe verejne pripojenie, nikdy do ziadneho bridgu aj keby sa ti vyhrazali smrtou.

kvoli comu? nebude aj defaultny mikrotik firewall lepsi ako to co je v lacnej krabicke od telekomu co sa tyka bezpecnosti? o vykone ani nehovorim.

[mp3turbo]

kvoli tomu, ze je to nesmierne zle riesenie a snad si neviem predstavit horsie.

Bridge je prepojenie viacerych logickych/fyzickych interfejsov dohromady, vsetko co pride z jednej strany sa rozlieva do vsetkych ostatnych stran. Fuj hroza. Bezpecnost hroza, traffic hroza, akekolvek riesenie cokoholvek vsetko hroza.

Nechapem naco vobec tie bridge existuju, vsetko vzdy malo byt len routovane a hotovo

Neviem povedat, ci defaultny firewall v Mikrotiku je inherentne lepsi nez v lacnej krabicke od Telefónu alebo kohokolvek ineho a to hlavne preto, ze neviem, ako su tie ine firewally nastavene (castokrat proste nevidis pod kapotu toho druheho produktu). Viem povedat, ze firewall Mikrotiku urobi vzdy absolutne presne to, co mu ja poviem a viem povedat, ze mu viem povedat velmi zaujimave veci - toto je pre mna najdolezitejsie. Schopnosti firewallu Mikrotiku preskakuju moznosti 99.9% beznych krabiciek...

[totojemojucet]

kvoli tomu, ze je to nesmierne zle riesenie a snad si neviem predstavit horsie.

Bridge je prepojenie viacerych logickych/fyzickych interfejsov dohromady, vsetko co pride z jednej strany sa rozlieva do vsetkych ostatnych stran. Fuj hroza. Bezpecnost hroza, traffic hroza, akekolvek riesenie cokoholvek vsetko hroza.

Nechapem naco vobec tie bridge existuju, vsetko vzdy malo byt len routovane a hotovo

Neviem povedat, ci defaultny firewall v Mikrotiku je inherentne lepsi nez v lacnej krabicke od Telefónu alebo kohokolvek ineho a to hlavne preto, ze neviem, ako su tie ine firewally nastavene (castokrat proste nevidis pod kapotu toho druheho produktu). Viem povedat, ze firewall Mikrotiku urobi vzdy absolutne presne to, co mu ja poviem a viem povedat, ze mu viem povedat velmi zaujimave veci - toto je pre mna najdolezitejsie. Schopnosti firewallu Mikrotiku preskakuju moznosti 99.9% beznych krabiciek...

ja som si to predstavoval tak ze proste ked zapnem telekomacky ONT/router do bridgu tak to co by prislo do WAN interfacu na nom proste pride do WAN interfacu na mikrotiku ... zle si to predstavujem? vyhodu vidim v tom ze nebudem mat dvojity NAT a nebudem vlastne ani nic vyzadovat od telekomackej 5 korunovej krabicky. v com je ta nevyhoda?

[zoom]

Vidis to dobre a rozpravas o inej veci, inom bridgi.

Bridge, ktory myslis ty: Ano, Telekom konvertor prehodis do bridge/L2 modu, co znamena, ze nebude robit NAT a bude to cisto konvertor z optiky na metaliku (zjednodusene). WAN IP bude tym padom pridelena Mikrotiku a takto by to malo byt a urcite to tak urob. Idealne, ked si este zabezpecis vlastnu verejnu IPv4 adresu.

Bridge, o ktorom sa rozpravalo: Mikrotik v uplne najzakladnejsom nastaveni nic nevie. Dokonca ani jednotlive RJ45 porty nekomunikuju medzi sebou a musis ich dat do *drum roll* bridgu. Vo Winboxe si na Mikrotiku urobis novy Bridge, napriklad "bridge_lan". Do tohto bridgu potom nahadzes jednotlive RJ45 porty. Takto budu medzi sebou komunikovat, rovnako ako keby si pouzil bezny switch. Ide o to, aby si tam dal iba porty z LAN a nie aj ten, ktory pouzijes na WAN (do ktoreho zapojis Telekom konvertor). Aby traffic neprechadzal volne do LAN a opacne.

[mp3turbo]

>> ja som si to predstavoval tak ze proste ked zapnem telekomacky ONT/router do bridgu ...

no moment, potom ale nerozpravame o Mikrotiku a bridge na Mikrotiku.