Switch Recommendation

Umm, too complex to understand ;(

I guess I will have to experiment with it first and see where I can get to.

Re-read slowly with a pen and paper and make a drawing.


Will do. Thank you for your help!

Hello guys,

So, on the switch (CRS520-4XS-16XQ-RM), which is going to be my main switch, other than the firewall switch, how do I give the switch access to the internet? The switch does have a 10G MGMT/Boot port. Can that be used to give the switch access to the internet via DHCP, or will I have to sacrifice a 25GbE/100GbE port on the switch?

Any idea why there is a 10GbE port for management purposes? It seems way too much if that's for management purposes! Can that be used as a regular LAN port? Is there any difference between a regular LAN port and the Management port?

The switch also has a Boot port, right next to the Management port, which is also 10GbE. What is the purpose of the Boot port?

Secondly, as per the block diagram of the switch, it seems that the link between the A5200 CPU and the main switch chip is 2x25Gbps, but the ports are 16x100Gbps and 4x25Gbps, and then also 2x10Gbps Base-T ports. Will the performance not be limited to 50Gbps only? Or is it because the main switch chip has something like a SAS expander or a multiplexer/PLX switch, where it splits into multiple ports, each with its own lanes, and so creates enough bandwidth for the connected devices?

I would take that topic to the Mikrotik forums. I don’t have that device, so “no idea”. I would be willing to answer general RouterOS questions after I have familiarised myself with that to some degree, but again - that’s very hardware/device specific and everyone not running the switch in question will probably be unable to help.


Got it!

Any idea if I can use the Management port to give the switch access to the internet?

No, because I do not have a switch with a dedicated management port.

On my CRS326-24G-2S+IN the bridge0 interface is a DHCP client in my network and receives the management and update IP address from my OPNsense.

But probably yes. Connect it to your network and it should configure itself via DHCP - no? What does the quick start document say?


Yes, will try that. Maybe I will have to reset the switch.

Here's what the manual says:
The MGMT/BOOT Ethernet port is used for the Netinstall process

If I had to guess, it’s mostly meant as a WAN port, meaning that everything would go through the CPU anyway. Yeah, 10G is pretty crazy for “management”, but it’s not a full-featured port from the switch chip.

For anything resembling nominal performance, the vast majority of packets hitting the switch chip cannot and should not touch the CPU. Some amount of L3 routing can be offloaded to the switch chip, subject to hardware and software limitations - more details in Mikrotik’s L3 docs.

What do you mean by a full-featured port?

I see

Hey guys,

Hope y'all are doing good. So, after doing the diagram and other things, I realized that I would need at least 24 ports, and my CRS312 has only 8 ports as I'm using the 10G SFP+ for other purposes. While browsing the MikroTik catalog, I found the CRS354-48G-4S+2Q+RM, which seemed quite nice to me.

What I'm not sure about is whether I should ditch the old CRS312 and use this one, as most of the devices I would need to connect are 1GbE and the high-performance clients and servers are connected to the other 25GbE and 100GbE switch. Also, one thing I'm not sure of is whether the CRS354-48G-4S+2Q+RM supports VLANs or not. Can anyone help?

One that is provided by the switch chip and is thus not constrained by the CPU, at least for some tasks.

Of course it does, that’s the most basic of features on a managed switch.


Okay, so I checked some reviews, and the heatsink is so small on this switch that people have reported it has serious heat issues.

So, I think I need to look for some other model.

Hey guys,

Hope y'all are doing good. So, as mentioned previously, I would need around 24 ports (1GbE) and prefer the MikroTik brand, but I couldn't find any good switch in the catalog. I did find the CRS354-48G-4S+2Q+RM, which seemed quite nice to me, but when I looked for reviews, many people mentioned that it runs hot and sometimes the switch goes down randomly. I'm not sure if the guy who reviewed it had the issue in particular or if it's for all the manufactured units. Moreover, I'm not sure if the issue was addressed and resolved later by MikroTik with newer firmware. So, my eyes are on the CRS326-4C+20G+2Q+RM. It's mainly a 2.5GbE switch and has 20 ports, which would be an exact fit for my use case. I know this switch is expensive, but I don't have any idea what else to pick from the MikroTik catalog.

My question is: when requiring more ports, can I connect the additional switch (CRS326-4C+20G+2Q+RM) to the main switch (CRS312-4C+8XG-RM), which is connected directly to the firewall (pfSense box), or should I connect the additional/second switch (CRS326-4C+20G+2Q+RM) to the firewall directly and configure it as a separate switch instead?

Please help!!

I would think the CRS326-24G-2S+IN and CRS326-24G-2S+RM fit that requirement perfectly?

If you connect the two switches to each other instead of each one to the firewall independently, and if you use a higher speed (10G+) for that connection, then you will probably get way better performance across your entire "fabric" than by messing with the pfSense bridge or similar. If you have VLANs, a switch-to-switch connection can perfectly carry them. You can link 2 ports in an LACP-based bond interface for redundancy ... leave switching to the switches.
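A RouterOS configuration sketch of the switch-to-switch trunk described above (an LACP bond carrying tagged VLANs, with the switch's own management address obtained via DHCP on the bridge, as described earlier in the thread). This is an added example, not the poster's own configuration; the interface names sfp-sfpplus1/sfp-sfpplus2 and ether1, and VLAN 10, are assumed placeholders, and the same trunk definition must be mirrored on the second switch.

```routeros
# Assumed: two SFP+ ports form the uplink to the other switch (mirror this on the far side).
/interface bonding
add name=bond1 slaves=sfp-sfpplus1,sfp-sfpplus2 mode=802.3ad \
    transmit-hash-policy=layer-2-and-3 lacp-rate=1sec

# One bridge for the switch chip; VLAN filtering is enabled last so a mistake
# does not lock out management while the ports are being assigned.
/interface bridge
add name=bridge1 protocol-mode=rstp vlan-filtering=no

/interface bridge port
# The bond is the trunk towards the other switch.
add bridge=bridge1 interface=bond1
# Assumed access port: an untagged client on VLAN 10.
add bridge=bridge1 interface=ether1 pvid=10

/interface bridge vlan
# VLAN 10 is tagged on the trunk and on the bridge itself, untagged on ether1.
add bridge=bridge1 tagged=bridge1,bond1 untagged=ether1 vlan-ids=10

# Management stays on the bridge's default PVID (1), untagged on the trunk,
# so the switch picks up its address from the firewall's DHCP server.
/ip dhcp-client
add interface=bridge1 disabled=no

# Only now turn on filtering; from here on, frames for VLANs not listed above are dropped.
/interface bridge set bridge1 vlan-filtering=yes
```

Apply the identical bond and VLAN table on the second switch so both LACP partners and both VLAN lists match; a mismatch shows up as the bond staying down or the tagged VLAN not passing the trunk.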


Yes, I think they would fit my use case.

So, one should always hook/connect the rest of the switches to the main switch and not to the firewall directly (except for the main switch)? Is that what you mean, friend?

Also, can you please explain what you mean by "fabric" here?

Yes, these switches support VLANs, but I'm new to them and will start learning soon.

Yes, that’s the current setup!

A small question lastly: at home, the systems are not exposed to the internet; would the firewall be of benefit in that use case?

Yes.

“Fabric” is a term to sum up all your layer 2 infrastructure, i.e. all your switches in case you have more than one.

But you are not using VLANs at the moment? One less thing to worry about. You can modify your infrastructure later.

I don’t understand. It’s

Internet → Firewall → all your private infrastructure,

regardless of how many switches you use. The firewall protects your network. Your switches are layer 2 devices, they are not reachable over the Internet.

Oh, I didn't know that before. Thank you so much for explaining and making it clear!

Ah ok. Cool

Yes, not at the moment.

That's nice. I still have your reference, and I need to learn more and more about VLANs and how to set them up properly.

Yes, but what I mean is, for example, a NAS device exposed to the internet (WAN), if I'm not wrong, so that it can be accessed from anywhere. So, if there's no such use case, like at home, does the firewall still protect the private network from being hacked and provide benefits?

The question is if you should buy an additional firewall device? But you already have one. How are you accessing the internet otherwise?

If you have a router provided by your ISP, that contains among other things … a firewall.

As long as you don't need VLANs or other advanced features like a VPN connection back home, you are perfectly fine. And even then, many consumer routers also support that, so you should check first. You need to do that anyway, because whether you can install your own firewall device instead of the ISP router at all depends on your ISP.

No, no. Maybe I'm not able to explain properly. What I mean to say is: let's say I have a NAS that can only be accessed locally. For example, if I have a NAS at home and want to put a file on it or read from it from the office, I cannot do it, right? Unless that NAS has a domain name set, a static IP set and is exposed to the internet. Now, when the NAS is exposed to the internet, there will be brute-force attacks, which are quite common.

So, my question is whether the firewall benefits in such a use case, or if a device is not exposed to the internet (meaning it's in the local network), does the firewall still benefit? I'm asking because, at home, it will be a local network and not exposed to the internet, but the office one will be exposed.

I hope I was able to explain properly this time. If not, please let me know, and thank you for your guidance.