Mikrotik Router device switch ports

Hi Community,
there is another question coming up... you may notice I am not an expert.

My setup: DSL -> Zyxel modem -> Mikrotik router (PPPoE) -> client

I have a config port on the Zyxel which I would like to get connected through the LAN.

Like having one specific client which is able to connect to this Zyxel config port.

The wiring is clear and I plan to use one port on the Mikrotik and isolate it to connect to the Zyxel config port. Then with firewall and routing config I allow one client from the LAN to connect there.

Is it possible to "unconfigure" one of the Mikrotik switch ports to have it as a single port only for this purpose?

thanks
br
Jens

Does that mean that you'll lay down a second cable from the Zyxel to the Mikrotik and you want to create a bridge between the uplink to the Zyxel and the downlink to the PC?

Not really.
On the Zyxel is a management port from which I can reach the management website of the Zyxel. It is the only port.
And I thought of connecting this to a free port of my Mikrotik, which runs OpenWrt, to then reach the management UI - just for convenience and out of interest whether this is something feasible.

Yes, that is possible. I have something similar with my ZTE MF286D running in a bridge mode. I have one port/cable for data and another port/cable for management.

Did you use an OpenWrt router? And how did you configure it?

Then you only need to configure one of the Mikrotik interfaces to be in a new network which is in the same subnet as the management of the Zyxel. Add it to the wan zone, connect the second cable, and you are good.

Oh, thx. That's it. And the router then knows, if I try to connect from the LAN to this IP, that it is to be found on the specific port?
There is no specific routing to set up for that?

Here is an example that is in line with what @trendy just said:

config interface 'mgmt'
        option proto 'dhcp'
        option device 'lan4'
        option defaultroute '0'
        option peerdns '0'
        option delegate '0'

The port used above was detached from the bridge:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

On top of that I have a redirect rule that allows me to access the modem (192.168.3.1) through http://{router address/hostname}:3333

config redirect
        option dest 'wan'
        option target 'DNAT'
        list proto 'tcp'
        option src 'lan'
        option src_dport '3333'
        option dest_ip '192.168.3.1'
        option dest_port '80'
        option name 'Modem access'
        option family 'ipv4'

Ah, yes, very cool. That's easy. Thx.
And I may filter the traffic from the LAN to that port with a firewall rule.

Thx,
I will try to set it up.

So I did the config, but with a static IP.
The interface on the configured LAN port was coming up, but from a LAN client I cannot reach it. But I will check some things.

You need to add masquerade on the new interface; the Zyxel doesn't know about the LAN network behind the Mikrotik.

Was the port assigned to the WAN zone (where masquerading is already enabled)?

Yeah, that's it. I wasn't sure about this. But now it works.

Trying to restrict the access to only my laptop, but actually it doesn't work with firewall rules... maybe I'll do it later.

It can be restricted with a firewall rule. If in doubt, post the firewall config here: uci export firewall

This is my rule:
The 100 is the Zyxel and the 1. the LAN.

config rule
	option name 'ManagementZyxel'
	list proto 'tcp'
	option src 'lan'
	list src_ip '192.168.1.51'
	option dest 'wan'
	list dest_ip '192.168.100.1'
	option target 'ACCEPT'

There is maybe a deny missing ;)

Delete the other rule and add this:

uci add firewall rule
uci set firewall.@rule[-1].name='Zyxel Mgmt'
uci add_list firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='lan'
uci add_list firewall.@rule[-1].src_ip='!192.168.1.51'
uci set firewall.@rule[-1].dest='wan'
uci add_list firewall.@rule[-1].dest_ip='192.168.100.1'
uci set firewall.@rule[-1].target='DROP'
uci commit firewall
service firewall restart

OK, thanks. :)
I will try.
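
Why the ACCEPT-only rule posted above did not restrict anything while the negated DROP rule does, as an added example that is not part of the original thread: a small Python model of first-match rule evaluation. It assumes the stock OpenWrt lan-to-wan forwarding and that user rules are evaluated before it; `RULE`, `verdict` and the other helper names, and the second client 192.168.1.77, are made up for the illustration.

```python
import ipaddress
# Assumption: stock OpenWrt policy, lan -> wan forwarding allowed. User rules
# are checked first, top to bottom; the first matching rule decides.
ZONE_FORWARD = {("lan", "wan"): "ACCEPT"}

def parse_uci_rules(text):
    """Collect the options of every 'config rule' section as lists."""
    rules, cur = [], None
    for line in text.splitlines():
        parts = line.split(None, 2)
        if parts[:1] == ["config"]:
            cur = {} if parts[1:2] == ["rule"] else None
            if cur is not None:
                rules.append(cur)
        elif len(parts) == 3 and parts[0] in ("option", "list") and cur is not None:
            cur.setdefault(parts[1], []).append(parts[2].strip().strip("'"))
    return rules

def ip_matches(patterns, addr):
    """No entry matches everything; a leading '!' negates an entry."""
    def one(p):
        hit = ipaddress.ip_address(addr) in ipaddress.ip_network(p.lstrip("!"))
        return hit != p.startswith("!")
    return not patterns or any(one(p) for p in patterns)

def verdict(rules, proto, src_ip, dest_ip, src="lan", dest="wan"):
    for r in rules:
        if (r.get("src", [src])[0] == src and r.get("dest", [dest])[0] == dest
                and proto in r.get("proto", ["tcp", "udp"])
                and ip_matches(r.get("src_ip", []), src_ip)
                and ip_matches(r.get("dest_ip", []), dest_ip)):
            return r["target"][0]
    return ZONE_FORWARD.get((src, dest), "REJECT")

# The thread's two rules, rebuilt from one template (hypothetical name RULE).
RULE = """config rule
	list proto 'tcp'
	option src 'lan'
	list src_ip '{src_ip}'
	option dest 'wan'
	list dest_ip '192.168.100.1'
	option target '{target}'
"""
ACCEPT_ONLY = parse_uci_rules(RULE.format(src_ip="192.168.1.51", target="ACCEPT"))
DROP_OTHERS = parse_uci_rules(RULE.format(src_ip="!192.168.1.51", target="DROP"))

if __name__ == "__main__":
    for client in ("192.168.1.51", "192.168.1.77"):  # .77 is a constructed client
        print(client, [verdict(r, "tcp", client, "192.168.100.1")
                       for r in (ACCEPT_ONLY, DROP_OTHERS)])
```

Both rules list only `tcp`, so in this model a ping (icmp) from 192.168.1.77 to the modem still falls through to the zone forwarding and is accepted.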
