Pentz Knowledge Base

Graph View

Updated · 8 min read

Switches & Hardware

Summary

The lab uses two MikroTik switches chosen after extensive research into affordable PTP-capable 10GbE switches. The CRS326-24G-2S+RM (145 from Amazon) is a fanless 4x SFP+ desktop switch for the 10GbE media plane.

The switch research evaluated 20+ switches across price, PTP support, noise, and port count. Key finding: affordable PTP 10GbE switches essentially don’t exist. The MikroTik CRS317-1G-16S+RM was the ideal single-switch solution (159) was discovered as the best-value dedicated PTP switch at 1GbE, but the CRS326 covers both PTP and internet uplink.

Both switches run RouterOS v7.15+ and require specific configuration for PTP and IGMP coexistence.

Timeline

  • 2026-04-03: Comprehensive switch research completed. 20+ models evaluated.
  • 2026-04-03: Two-switch architecture decided: CRS326 (PTP) + CRS305 (media).
  • 2026-04-03: CRS326 ordered from eBay (pinepeaks), CRS305 from Amazon.
  • 2026-04-10: CRS305 online in studio, configured at 10.21.20.1/24, RouterOS 7.20.7.
  • 2026-04-16: CRS326 online. RouterOS 7.22.1 out of box. DAC arrived, landed on UDM Pro port 11 SFP+ 2 (deviation from plan’s USW-16-PoE target). PTP boundary clock configured. SSH setup with ed25519 pubkey auth after strong-crypto=yes fix. Laptop moved to ether1, printer on ether17. SERVER-PC migration to ether20 deferred post-live-event.

Current State

CRS326-24G-2S+RM (online 2026-04-16):

  • RouterOS 7.22.1 stable (updated out-of-box from 7.22.1 install)
  • Identity: smpte2110-ptp, mgmt IP: 192.168.1.3/24, MAC 04:F4:1C:BC:76:60
  • Bridge: bridge1 with vlan-filtering=yes, protocol-mode=rstp (state as of 2026-04-16; may have changed)
  • PTP instance ptp1, profile=smpte, domain=auto (127 for SMPTE)
  • SSH: enabled with strong-crypto, ed25519 host key. Note (2026-04-17): mpent@SERVER-PC pubkey is currently being rejected (Permission denied (publickey,password)) — authorized-keys list appears to have changed since the initial 2026-04-16 setup.
  • Exported config snapshot: src/smpte-2110-lab/configs/switch/crs326-ptp-config.rsc (dated 2026-04-16 — pre-dates the 2026-04-17 reconfiguration session)

STALE — port assignments, bridge VLAN membership, and static MDB entries have changed in a 2026-04-17 session that is not yet reflected here. Previous assignments removed. To refresh, observe live state from the switch and re-populate this section:

ssh admin@192.168.1.3
/interface ethernet print
/interface bridge port print
/interface bridge vlan print
/ip address print
/system ptp port print
/export compact

Persistent assumptions that are unlikely to have changed:

  • sfp-sfpplus1 is the DAC uplink to UDM Pro port 11 SFP+ 2 (10 GbE)
  • Ports are still 1 GbE RJ45 PTP-capable (hardware limitation, not config-driven)
  • PTP only works on RJ45, not on the SFP+ ports

Planned (2026-04-17 design, not yet applied — see docs/plans/2026-04-17-optiplex-nas-design.md):

  • An RJ45 port dedicated to the incoming OptiPlex 5060 SFF as PTP grandmaster (onboard I219-LM 1 GbE, HW timestamping)
  • SERVER-PC’s PTP role demotes from grandmaster to client once OptiPlex GM is live

CRS305-1G-4S+IN (configured 2026-04-10):

  • RouterOS 7.20.7, mgmt IP 10.21.20.1/24, MAC D0:EA:11:3A:B0:74
  • Basic L2 switching, no PTP, fanless in studio
  • SERVER-PC ConnectX-3 connected via 10m OM3 fiber → SFP+ p1
  • Stream-PC 10GBASE-T transceiver connection planned for SFP+ p2

Key Decisions

  • 2026-04-03: CRS326 over CRS317 — two-switch split-plane has higher interview value, both fanless vs semi-fanless CRS317, cheaper (325-518).
  • 2026-04-03: CRS326 over FS IES3110-8TF-R — CRS326 handles both PTP and internet uplink in one device, reducing total switch count.
  • 2026-04-03: MikroTik over Arista — Arista 7050SX too loud, 7010T has no PTP. MikroTik CRS326 is the only sub-$200 switch with PTP + quiet operation.

Experiments & Results

ExperimentStatusFindingSource
CRS326 PTP HW timestamping accuracyPlannedExpect sub-microsecondSwitch research
CRS305 10GBASE-T SFP+ transceiver heatPlannedMonitor, <80C OKHardware inventory
RouterOS PTP SMPTE profilePlannedRequires v7.14.3+Switch research

Gotchas & Known Issues

  • CRS326 PTP only on RJ45 — the SFP+ ports do NOT support PTP. This is a hardware/chip limitation.
  • CRS354 has no PTP — despite looking similar to CRS326. Different switch chip.
  • CRS305 has no PTP — not on MikroTik’s PTP-supported list at all.
  • IGMP + PTP MDB workaround required — static MDB entry for 224.0.1.129 on all PTP ports + bridge.
  • Netgear M4300 is TC only — no boundary clock despite marketing. Confirmed no BC plans.
  • Both switches default to 192.168.88.1 — must change one during setup to avoid conflict.
  • UDM Pro port 11 expects untagged native VLAN 1 (discovered 2026-04-16). CRS326 default trunk config tags VLAN 1 on sfp-sfpplus1, but UDM Pro port 11 profile is “Native VLAN 1 untagged.” Tagged VLAN 1 frames on that port silently drop broadcast traffic (DHCP Discover/Offer fail) while unicast CRS326 mgmt traffic at 192.168.1.3 still works — misleading. Fix: set sfp-sfpplus1 as untagged on VLAN 1 (not tagged). Other VLANs stay tagged on the trunk for future use. This is standard UniFi convention (native VLAN is untagged on trunks).
  • MikroTik ports= and on-ports= are NOT valid for static MDB add in RouterOS 7.22. Correct parameter is interface= with comma-separated list. Dynamic entries display as on-interface= but the add command uses interface=.
  • MikroTik SMPTE PTP profile accepts 224.0.1.129 but rejects 224.0.0.107 with “address not allowed” — 224.0.0.107 is the peer-delay multicast (only needed for P2P mode). SMPTE 2059-2 uses E2E by default, so 224.0.0.107 isn’t required.
  • Windows OpenSSH 9.5p1 server has a hostbound signature bug with OpenSSH 10+ clients (e.g., Git for Windows bundles OpenSSH 10.2p1). Symptom: Accepted key → Postponed publickey → Connection closed [preauth] with no Failed publickey log line. Fix: either upgrade Windows OpenSSH to 9.8p2+ (from Win32-OpenSSH GitHub release) or use Windows native 9.5p2 client (in C:\Windows\System32\OpenSSH). ~/.bashrc on SERVER-PC prepends native path.
  • MikroTik SSH default host-key-type is RSA with SHA-1 — rejected by OpenSSH 9+ clients as deprecated. Fix: /ip ssh set strong-crypto=yes host-key-type=ed25519; /ip ssh regenerate-host-key.
  • Windows Firewall “Public” network profile blocks inbound SSH/ICMP — after a force-restart or new network path, Windows may auto-classify the network as Public, silently blocking remote access despite the NIC being up and DHCP working. Fix: Set-NetConnectionProfile -InterfaceAlias Ethernet* -NetworkCategory Private. Symptom: ping times out, SSH times out, but ARP is resolved and CRS326 sees the MAC.
  • Windows OpenSSH admin user quirks: (1) administrators_authorized_keys path is only honored when the admin Match block is uncommented in sshd_config. (2) Profile directory path can be suffixed C:\Users\<user>.HOSTNAME if the initial folder existed when first logon happened, breaking %h/.ssh/authorized_keys lookup. Fix: use absolute path AuthorizedKeysFile C:/ProgramData/ssh/authorized_keys/%u to avoid home-dir resolution entirely.
  • WSL2 mirror mode does NOT pass multicast to the Linux guest reliably (discovered 2026-04-16). WSL’s IGMP group joins do not propagate to the Windows NIC’s hardware multicast filter. The NIC drops multicast frames for unjoined groups before they reach WSL, even with promiscuous mode enabled on the Linux side. Unicast works fine. This specifically breaks ptp4l slave operation on WSL2 — the GM can transmit (outgoing works), but the slave receives nothing. Workaround: native Linux (dual-boot or bare metal) on the slave machine. No driver-level “accept all multicast” toggle exists in stock Intel/Realtek adapter properties.

Open Questions

  • Re-enable igmp-snooping=yes after PTP smoke test confirms DHCP/multicast still works?
  • Re-enable fast-forward=yes at some point, or leave off for vlan-filtering safety? (MikroTik docs suggest it’s auto-disabled with vlan-filtering, but disabled explicitly to rule out debugging issue.)
  • Configure QoS/DSCP tagging for PTP and future Dante audio?

Sources

Signal Feed (2026-04-18)

  • Ubiquiti announced an Enterprise AV (EAV) switching line with PTP grandmaster and boundary clock support, targeting Netgear M4350 territory. Endpoint bridges priced at $299. Community response is cautiously optimistic but skeptical of UniFi’s historical IGMP reliability for Dante/NDI/2110 traffic (Not2BeEftWith, 14pts: “UniFi IGMP has been broken for a long time”). Blog post at blog.ui.com/article/introducing-eav-switching does not yet list supported switch SKUs. A r/CommercialAV mod is attending UniFi World Conference and soliciting technical questions. Worth monitoring as a potential in-family path to closing the lab’s PTP grandmaster blocker given the existing UDM Pro + USW-16-PoE deployment. (source: r/VIDEOENGINEERING, https://reddit.com/r/VIDEOENGINEERING/comments/1snbce1/ and r/CommercialAV, https://reddit.com/r/CommercialAV/comments/1sn5m15/)
  • Follow-up technical critique from r/VIDEOENGINEERING operators on the same EAV launch. TravellingWaveTube (23pts): “These are probably fine for small 2110 builds on 1 or maybe 2 switches, but you’re going to run into trouble with multi-switch deployments using IGMP to steer traffic. These aren’t replacing the Arista, Cisco and Mellanox kit you see in large 2110-based facilities.” broken-standard flagged that EAV tops out at 10G links, inadequate for uncompressed 4K60 (12G required) where 25G/100G is the practical floor. Greg_L observed that Ubiquiti technical docs list NDI and SDVoE but not NMOS or ST 2110, while marketing claims 2110 — verification gap to watch before committing. (source: r/VIDEOENGINEERING, https://reddit.com/r/VIDEOENGINEERING/comments/1snpblu/)

Backlinks