Hello all!
We have the below setup of MikroTik Devices (correction, hAP ax2 is actually a hAP ac2): The CCR and both hAPs are running RouterOS. Both CRS devices are running SwOS. The CCR is doing all the routing via IP and interfaces and does not have any bridges. The hAPs are both doing bridges for the Wi-Fi/Ports. I have included the configs of the CCR and both hAPs at the bottom. The switches do some port isolation and have STP enabled. For STP, the CRS328 has a bridge priority of 4000 and the CRS317 is 5000. The CRS317 shows the port connected to the CRS328 (Uplink) as the root in STP. The CRS328 does not have any port labelled as root.
My issue is that network scanning software like Zabbix and Auvik show network trees wrong, and hardware tools like LinkSprinter and Netool show the wrong device for connection. For example, when connecting a Netool directly to Ether7 of the CRS328, the Netool will show it is connected to Ether1/Bridge of the hAP ac2. Zabbix and Auvik also show something similar, where they can't decide the chained order of devices and show things connected directly to the CRS328 or CRS317 as connected to one of the hAP devices.
I know the devices/software aren't perfect, but I'm curious if there is something that can be done to correct this on the MikroTik side since multiple different software and devices show the same bad data. I do not know how these tools determine what is connected to what (R/STP, MACs, etc.)
Hoping someone has run into this before or has an idea to try. Thanks!
Netool example. Device is connected to Ether7 on the CRS328 (10.0.0.2)
Configs
-----------
Will post the additionals in a comment. They were not collapsing into a code block in the main post for some reason.
CCR2004:
Code:
# 2024-01-04 10:57:11 by RouterOS 7.13
#
# model = CCR2004-16G-2S+
/interface ethernet
set [ find default-name=ether1 ] name=ether1-FiberWAN
set [ find default-name=ether2 ] name=ether2-CellWAN
/interface vlan
add interface=sfp-sfpplus2 name=vlan10-Cameras vlan-id=10
add interface=sfp-sfpplus2 name=vlan20-Untrusted vlan-id=20
add interface=sfp-sfpplus2 name=vlan40-PublicIPs vlan-id=40
/disk
set pcie1 type=hardware
set pcie1-usb1 type=hardware
add parent=pcie1-usb1 partition-number=1 partition-offset=512 partition-size="32 080 199 680" type=partition
/interface list
add name=WAN
add name=ACL-ACCESS-WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Trusted ranges=10.0.0.100-10.0.0.200
add name=Guest/IOT ranges=10.0.20.100-10.0.20.200
add name=Cameras ranges=10.0.10.0/24
add name=PublicIPs ranges=PublicIPBlock.250-PublicIPBlock.254
/ip dhcp-server
add address-pool=Trusted interface=sfp-sfpplus2 lease-time=10m name=dhcp-Trusted
add address-pool=Guest/IOT interface=vlan20-Untrusted lease-time=10m name=dhcp-Untrusted
add address-pool=Cameras interface=vlan10-Cameras lease-time=10m name=dhcp-Cameras
add address-pool=PublicIPs interface=vlan40-PublicIPs lease-time=10m name=dhcp-PublicIPs
/port
set 0 name=serial0
set 1 name=serial1
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1-FiberWAN list=WAN
add interface=ether2-CellWAN list=WAN
add interface=sfp-sfpplus2 list=ACL-ACCESS-WAN
add interface=vlan20-Untrusted list=ACL-ACCESS-WAN
add interface=vlan40-PublicIPs list=ACL-ACCESS-WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether15 network=192.168.88.0
add address=FiberIP/24 interface=ether1-FiberWAN network=FiberNetwork
add address=10.0.10.1/24 interface=vlan10-Cameras network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-Untrusted network=10.0.20.0
add address=PublicIPBlock.249/29 interface=vlan40-PublicIPs network=PublicIPBlock.248
add address=10.0.0.1/24 interface=sfp-sfpplus2 network=10.0.0.0
/ip dhcp-client
add add-default-route=no interface=ether2-CellWAN use-peer-dns=no
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.42,10.0.0.62,10.0.0.82 domain=REDACTED gateway=10.0.0.1
add address=10.0.10.0/24 dns-server=1.1.1.1,1.0.0.1 domain=cams gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=1.1.1.1,1.0.0.1 domain=iso gateway=10.0.20.1
add address=PublicIPBlock.248/29 dns-server=1.1.1.1,1.0.0.1 gateway=PublicIPBlock.249
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall address-list
add address=PublicIPBlock.251 list=MattAccess
add address=PublicIPBlock.252 list=MattAccess
add address=10.0.20.10 list=InternalAppAllow
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept Established Connections on Forward and Input Chains" connection-state=established,related
add action=accept chain=input connection-state=established,related
add action=drop chain=forward comment="Drop Invalid from WAN" connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=accept chain=forward comment="Accept DSTNAT Packets" connection-nat-state=dstnat in-interface=ether1-FiberWAN
add action=accept chain=forward comment="Allow WAN ACL to WAN" in-interface-list=ACL-ACCESS-WAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Trusted to Everything" in-interface=sfp-sfpplus2 src-address=10.0.0.0/24
add action=accept chain=input in-interface=sfp-sfpplus2 src-address=10.0.0.0/24
add action=accept chain=forward comment="Allow Access to MattAccess from WAN except specific ports" dst-address-list=MattAccess dst-port=!0-5900 in-interface=ether1-FiberWAN protocol=tcp
add action=accept chain=forward dst-address-list=MattAccess dst-port=!0-5900 in-interface=ether1-FiberWAN protocol=udp
add action=accept chain=forward comment="Allow InternalAppAllow Address List to InternalApp Server" dst-address=10.0.0.61 dst-port=32400 protocol=tcp src-address-list=InternalAppAllow
add action=accept chain=output comment="Allow Router Output"
add action=drop chain=forward comment="Drop Not Matched"
add action=drop chain=input
add action=drop chain=output
/ip firewall nat
add action=masquerade chain=srcnat comment="Fiber WAN Masquerade" out-interface=ether1-FiberWAN
add action=masquerade chain=srcnat comment="Cellular WAN Masquerade" out-interface=ether2-CellWAN
add action=dst-nat chain=dstnat comment="DSTNAT Port 25 to PMG" dst-address=FiberIP dst-port=25 in-interface=ether1-FiberWAN protocol=tcp to-addresses=10.0.0.90 to-ports=25
add action=dst-nat chain=dstnat comment="DSTNAT Port 32400 to SM-2U - InternalApp" dst-address=FiberIP dst-port=32400 protocol=tcp to-addresses=10.0.0.61 to-ports=32400
add action=masquerade chain=srcnat comment="Hairpin NAT" disabled=yes dst-address=10.0.0.0/24 out-interface=sfp-sfpplus2 src-address=10.0.0.0/24
/ip firewall service-port
set sip disabled=yes
/ip route
add check-gateway=ping disabled=no distance=5 dst-address=0.0.0.0/0 gateway=FiberISPGateway pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.12.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no dst-address=8.8.8.8/32 gateway=FiberISPGateway routing-table=main suppress-hw-offload=no
add disabled=no dst-address=8.8.4.4/32 gateway=192.168.12.1 routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set ssh address=10.0.0.0/24
set api disabled=yes
set winbox address=10.0.0.0/24
set api-ssl disabled=yes
/ipv6 dhcp-client
add disabled=yes interface=ether2-CellWAN pool-name=Cellv6 request=address
/system clock
set time-zone-name=America/Chicago
/system identity
set name=DH-CoreRouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool netwatch
add comment="Fiber WAN Monitor" disabled=no down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=FiberISPGateway]\r\
    \n:log error \"Fiber WAN is Down!\"\r\
    \n/ip firewall connection remove [find]" host=8.8.8.8 http-codes="" interval=10s test-script="" timeout=1s type=simple up-script=\
    "ip route enable [find dst-address=0.0.0.0/0 gateway=FiberISPGateway]\r\
    \n:log error \"Fiber WAN is Up!\"\r\
    \n/ip firewall connection remove [find]"
add comment="Cellular WAN Monitor" disabled=no down-script="ip route disable [find dst-address=0.0.0.0/0 gateway=192.168.12.1]\r\
    \n:log error \"Cell WAN is Down!\"" host=8.8.4.4 http-codes="" interval=10s test-script="" timeout=1s type=simple up-script="ip route enable [find dst-address=0.0.0.0/0 gateway=192.168.12.1]\r\
    \n:log error \"Cell WAN is Up!\""
Statistics: Posted by themrdrprof — Thu Jan 04, 2024 7:29 pm