I'm trying to do something that should be pretty simple, but I can't get it to work.
What I want to do is use my CRS309 as my internet router (using L3 offload). My provider uses VLAN 300 on the uplink, so I need that on my uplink port (SFP-SFPPLUS8). The rest of the ports need no VLANs/can be access ports in a single VLAN. And I need L3 offload as I have an 8G internet link. With current config (see below) I can't reach the internal IP address on interface VLAN1 and Winbox doesn't see it. If I put the internal IP address on the bridge itself it works, but if I understand correctly, L3 offload won't work in that case. What am I missing? The firewall rules are messy, I know.
Code:
# 2024-01-12 12:24:18 by RouterOS 7.13
# software id = 3TW5-3585
#
# model = CRS309-1G-8S+
# serial number = HDC085CV1JS
/interface bridge
add admin-mac=18:FD:74:EB:AB:5D auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short protocol-mode=none
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan300 vlan-id=300
/interface ethernet switch
set 0 l3-hw-offloading=yes
/interface ethernet switch port
set 7 l3-hw-offloading=no
set 8 l3-hw-offloading=no
/interface list
add name=LAN
add name=WAN
add name=MGMT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=pool1 ranges=192.168.192.2-192.168.192.200
/ip dhcp-server
add address-pool=pool1 disabled=yes interface=bridge lease-time=1d name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus8 \
    pvid=300
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus8 vlan-ids=300
add bridge=bridge tagged=bridge untagged="sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplu\
    s3,sfp-sfpplus4,sfp-sfpplus5,sfp-sfpplus6,sfp-sfpplus7,ether1" vlan-ids=1
/interface list member
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
add interface=sfp-sfpplus5 list=LAN
add interface=sfp-sfpplus6 list=LAN
add interface=sfp-sfpplus7 list=LAN
add interface=sfp-sfpplus8 list=WAN
add interface=ether1 list=MGMT
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.192.249/24 interface=vlan1 network=192.168.192.0
/ip dhcp-client
add interface=vlan300 use-peer-dns=no
/ip dhcp-server network
add address=192.168.192.0/24 dns-server=8.8.8.8 gateway=192.168.192.249
/ip dns
set servers=192.168.192.1
/ip firewall address-list
add address=192.168.192.2-192.168.192.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=bridge log=yes log-prefix=!public_from_LAN \
    out-interface=!bridge
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=vlan300 \
    log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge log=\
    yes log-prefix=LAN_!LAN src-address=!192.168.192.0/24
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.192.1
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os
Statistics: Posted by mbovenka — Fri Jan 12, 2024 2:40 pm
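
A check that can be run over an export like the one in the post above, added here as an example and not part of the original post. RouterOS applies the bridge VLAN table, `pvid` and `frame-types` only when the bridge has `vlan-filtering=yes` (the default is `no`, and the export does not set it), so without it the tagged uplink and the access ports are not separated at layer 2. The function names and the abridged sample are assumptions of this example.

```python
import re

# Sample abridged from the export in the post above (constructed excerpt).
SAMPLE_EXPORT = r'''
/interface bridge
add admin-mac=18:FD:74:EB:AB:5D auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short protocol-mode=none
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus8 \
    pvid=300
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus8 vlan-ids=300
'''

def parse_export(text):
    """Return (menu, properties) for every add/set line of a RouterOS export."""
    text = re.sub(r'\\\n\s*', '', text)  # join lines continued with a backslash
    menu, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('/'):
            menu = line
        elif line.split()[0] in ('add', 'set'):
            props = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            items.append((menu, {k: v.strip('"') for k, v in props}))
    return items

def unenforced_vlan_settings(items):
    """Flag VLAN settings on bridges that lack vlan-filtering=yes (default: no)."""
    filtering = {p['name']: p.get('vlan-filtering') == 'yes'
                 for menu, p in items if menu == '/interface bridge' and 'name' in p}
    findings = []
    for menu, p in items:
        bridge = p.get('bridge')
        if bridge is None or filtering.get(bridge, False):
            continue
        if menu == '/interface bridge vlan':
            findings.append(f"{bridge}: VLAN table entry vlan-ids={p.get('vlan-ids')} not applied")
        elif menu == '/interface bridge port' and ('pvid' in p or 'frame-types' in p):
            findings.append(f"{bridge}: pvid/frame-types on {p.get('interface')} not applied")
    return findings

if __name__ == '__main__':
    for finding in unenforced_vlan_settings(parse_export(SAMPLE_EXPORT)):
        print(finding)
```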