Community discussions

Search found 490 matches

by rplant
Fri Oct 11, 2024 1:12 am
Forum: Beginner Basics
Topic: Connection Timeouts UDP / UDP Stream / SIP [SOLVED]
Replies: 6
Views: 338

Re: Connection Timeouts UDP / UDP Stream / SIP [SOLVED]

RDP connection dying was one thread
viewtopic.php?p=992900
by rplant
Fri Oct 11, 2024 12:56 am
Forum: Beginner Basics
Topic: Simple Queues question
Replies: 1
Views: 71

Re: Simple Queues question

Have you disabled fasttrack for the affected/all traffic?

Simplest though blunt option is to disable the default fasttrack forward rule.
CPU usage will increase a lot.

Also, having limit-at on just one queue is probably bad. (Means it is guaranteed 50M, the others are Guaranteed nothing)
by rplant
Wed Oct 09, 2024 10:10 am
Forum: Beginner Basics
Topic: Configure a Single Switch (CRS305-1G-4S+) and ISP Router
Replies: 8
Views: 406

Re: Configure a Single Switch (CRS305-1G-4S+) and ISP Router

I think this might be basically doable, so long as the ISP router can be configured with static routes on it. ie. 10.0.0.x/24 via 192.168.1.2 (the IP address I have assigned to the CRS) If a device on the main ISP LAN wants to connect to a device on your new LAN, it will send the packet to the ISP r...
by rplant
Tue Oct 08, 2024 1:34 pm
Forum: General
Topic: IPsec VPN Mikrotik - Sonicwall not using full internet speed
Replies: 1
Views: 157

Re: IPsec VPN Mikrotik - Sonicwall not using full internet speed

You could perhaps try your iperf (I assume iperf3) with the -V and -M options.

Using custom/reduced MSS settings to see if it is perhaps something to do with reduced MTU at one end due to pppoe.
And add an appropriate mss adjustment rule if it helps
by rplant
Mon Oct 07, 2024 2:03 am
Forum: Beginner Basics
Topic: Connection Timeouts UDP / UDP Stream / SIP [SOLVED]
Replies: 6
Views: 338

Re: Connection Timeouts UDP / UDP Stream / SIP [SOLVED]

The current default is 30S, it was 10S for quite a few versions, but there were plenty of people having issues with the 10S value.
by rplant
Fri Oct 04, 2024 3:03 am
Forum: Beginner Basics
Topic: Can't import the TLS key for OpenVPN
Replies: 2
Views: 596

Re: Can't import the TLS key for OpenVPN

Hi, The tls auth thing is not a certificate. From: https://help.mikrotik.com/docs/display/ROS/OpenVPN OVPN client supports tls authentication. The configuration of tls-auth can be added only by importing .ovpn configuration file. Using tls-auth requires that you generate a shared-secret key, this ke...
by rplant
Thu Oct 03, 2024 10:04 am
Forum: RouterBOARD hardware
Topic: SFP transceivers to connect L009 & RB5009
Replies: 21
Views: 7018

Re: SFP transceivers to connect L009 & RB5009

Hi, From the MikroTik wired interface compatibility page. S+RJ10 devices Use these modules only in 10G SFP+ ports with auto-negotiation enable I am fairly sure the S+RJ10 devices need the SFP Port actually running at 10G (10.3G?) for the somewhat complex base T conversion electronics which likely ne...
by rplant
Sun Sep 29, 2024 3:05 am
Forum: General
Topic: Wanted feature in logging or info about logging issue.
Replies: 3
Views: 363

Re: Wanted feature in logging or info about logging issue.

Hi, I have found script diagnostics leave a bit to be desired. You can put something like: :log info "script scriptname starting" (perhaps also logging parameters if available) and perhaps a similar entry near the scripts exit point(s) With luck the most recent starting log entry will be a...
by rplant
Fri Sep 20, 2024 10:35 am
Forum: Beginner Basics
Topic: correct order of interfaces for PPPoE/VLAN-ISP connections? [SOLVED]
Replies: 3
Views: 787

Re: correct order of interfaces for PPPoE/VLAN-ISP connections? [SOLVED]

Hi, I would suggest you start off with the default mikrotik config. Then Interface <ether1> contains <VLAN7> <pppoe-out1> is attached to <VLAN7> Enable dns client on <pppoe-out1>, (review settings of pppoe-out1) <dhcpv6-client> is running on <pppoe-out1> ** Changed ** <VLAN7> and <pppoe-out1> both m...
by rplant
Wed Sep 18, 2024 5:55 am
Forum: Beginner Basics
Topic: Upgrading router, Wireguard not working
Replies: 4
Views: 511

Re: Upgrading router, Wireguard not working

Perhaps the following on the server

/interface detect-internet
set detect-interface-list=none
/interface list member
add comment=defconf interface="WG VPN" list=LAN

You may want to eventually restrict it a bit more than giving it full LAN access, but in the short term...

Client: Only if th...
by rplant
Sat Sep 14, 2024 6:32 am
Forum: Beginner Basics
Topic: Network two LAN-s through WireGuard
Replies: 3
Views: 572

Re: Network two LAN-s through WireGuard

If you do want full l2 connectivity, perhaps you should investigate ZeroTier
(which is supported by Mikrotik)
I have not tried it, but I believe it will do this.
by rplant
Fri Sep 13, 2024 3:43 pm
Forum: Beginner Basics
Topic: Network two LAN-s through WireGuard
Replies: 3
Views: 572

Re: Network two LAN-s through WireGuard

Some thoughts. A rough outline of what I would do. To hopefully create an approximation to what you appear to want. (Sorry there will likely be errors in this) This assumes somewhere near default config of the Mikrotiks. With a LAN interface list. The 192.168.169.0/24 is broken up into a bunch of /2...
by rplant
Fri Sep 13, 2024 3:33 am
Forum: Beginner Basics
Topic: Is the Mikrotik CRS312-4C+8XG-RM correct for my 10 Gbps ethernet network?
Replies: 9
Views: 1030

Re: Is the Mikrotik CRS312-4C+8XG-RM correct for my 10 Gbps ethernet network?

Hardware: Optical: If you can use prebought optical patch cables or DAC cables things are ok. As soon as you need to make stuff it gets very expensive for the tooling. And yes, copper cables are much more durable. But 10G copper seems to run very hot, so you need fan cooled switches, etc. dac cables...
by rplant
Thu Sep 12, 2024 1:39 pm
Forum: General
Topic: VLANs unable to do DNS lookup [SOLVED]
Replies: 5
Views: 651

Re: VLANs unable to do DNS lookup [SOLVED]

Hi, You have the following rule before your allow dns to vlans.

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

Perhaps put all the input rules together and forward rules together. Sorry there may be other issues, that's just the one I s...
by rplant
Thu Sep 12, 2024 1:47 am
Forum: Beginner Basics
Topic: Poor upload speeds with baby jumbo frames?
Replies: 7
Views: 657

Re: Poor upload speeds with baby jumbo frames?

Not sure, seems like something dubious. One hack possibility (for tcp) might be to clamp the mss of your internal devices to 1452, while letting the outside devices stay at 1460. So your devices upload with shorter packets. /ip firewall mangle add action=change-mss chain=forward comment="clamp ...
by rplant
Wed Sep 11, 2024 10:14 am
Forum: Beginner Basics
Topic: Is the Mikrotik CRS312-4C+8XG-RM correct for my 10 Gbps ethernet network?
Replies: 9
Views: 1030

Re: Is the Mikrotik CRS312-4C+8XG-RM correct for my 10 Gbps ethernet network?

Sorry, not much of an answer but. 2. The speed of the switch mostly does not depend on the type of router. However, broadcast and similar packets will likely cause slowdowns as they have to go to everywhere including the slow bits on the lan segment. Would recommend you minimise the number of slower...
by rplant
Wed Sep 11, 2024 9:53 am
Forum: Beginner Basics
Topic: Poor upload speeds with baby jumbo frames?
Replies: 7
Views: 657

Re: Poor upload speeds with baby jumbo frames?

You could try something like the following from the mikrotik, and see if it replies (and the size at which it stops) /ping size=1500 8.8.8.8 do-not-fragment And with luck some indication of where it stops. (You can also use /tool/traceroute with size and do-not-fragment) Note: Traditionally 8.8.8.8 ...
by rplant
Wed Sep 11, 2024 4:46 am
Forum: Beginner Basics
Topic: Poor upload speeds with baby jumbo frames?
Replies: 7
Views: 657

Re: Poor upload speeds with baby jumbo frames?

You could try an mtu on the vigor of 1508 (to include the pppoe header) or even 1512 (to also include the vlan) and see if that helps.
by rplant
Sat Sep 07, 2024 1:22 pm
Forum: General
Topic: Windows btest.exe super-duper slow
Replies: 3
Views: 1390

Re: Windows btest.exe super-duper slow

You have to type in a speed, and it will try to get to that speed.
(You can't leave it at 0)

eg. 1M 10M 100M
by rplant
Sat Sep 07, 2024 1:04 pm
Forum: Beginner Basics
Topic: Help bridging L2TP to port with external IPs
Replies: 2
Views: 437

Re: Help bridging L2TP to port with external IPs

Hi,
The following topic is very similar to what I think you want (except they were getting the address via pppoe)

viewtopic.php?p=1070581#p1070581
by rplant
Thu Sep 05, 2024 6:45 am
Forum: RouterBOARD hardware
Topic: 2.5 gig RJ45 SFP for L009 router
Replies: 2
Views: 832

Re: 2.5 gig RJ45 SFP for L009 router

The following has their tested items MikroTik wired interface compatibility https://help.mikrotik.com/docs/pages/viewpage.action?pageId=263749679 Pretty much all their 10G optical SFP's and Dac cables are indicated to work in an L009 (in forced 2.5G mode). For low power/temperature/cost You could us...
by rplant
Mon Sep 02, 2024 10:44 am
Forum: Beginner Basics
Topic: Problem with accessibility of sites through WG
Replies: 7
Views: 860

Re: Problem with accessibility of sites through WG

Perhaps something like the following in the central router.

/ip firewall filter
#existing rules ...
#following rules just before existing invalid rule.
#(Put them in via terminal, then move them using winbox/webfig)
add action=accept chain=forward comment="allow traffic between wg and lan"...
by rplant
Mon Sep 02, 2024 6:41 am
Forum: Beginner Basics
Topic: Problem with accessibility of sites through WG
Replies: 7
Views: 860

Re: Problem with accessibility of sites through WG

My Guess Assuming the internet gateway is a Mikrotik and is using something similar to the default config, asymmetric routing that might be the issue. Wg -> Lan Device and Lan Device -> MainGateway -> Wg If it is this, there are at least a couple of options: 1. On the WG mikrotik enable masquerade...
by rplant
Sun Aug 25, 2024 2:14 pm
Forum: General
Topic: CRS310-8G+2S+ is choking my internet bandwidth
Replies: 5
Views: 663

Re: CRS310-8G+2S+ is choking my internet bandwidth

It looks like the CRS310 won't do nat or fasttrack connections in hardware, so mostly good for inter vlan routing maybe using some access lists, much less good as an internet gateway, with Nat, Stateful Firewalling, etc. https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOff...
by rplant
Sun Aug 25, 2024 3:54 am
Forum: Beginner Basics
Topic: Forwarding 1 interface to another
Replies: 6
Views: 923

Re: Forwarding 1 interface to another

Hi, I would also include the first routing rule below. It allows devices on your wifi subnet to connect to other local devices, and only internet bound traffic goes via the vpn. (Order matters, put it before the other rule) Note: If using winbox, you likely should have still been able to connect to ...
by rplant
Sun Aug 25, 2024 3:40 am
Forum: Beginner Basics
Topic: hEX on Switch should manage access to printer [SOLVED]
Replies: 20
Views: 1829

Re: hEX on Switch should manage access to printer

You need two or more different vlan's on the hex. The hex needs to have an IP address assigned to it for each vlan. The devices on each vlan need to have the hex as their default gateway. (Alternatively each vlan's default gateway/router could have a static route for the other vlan(s) pointing to th...
by rplant
Sat Aug 24, 2024 8:49 am
Forum: Beginner Basics
Topic: Microtik hotspot with Wavlink AC1200 in mesh mode
Replies: 5
Views: 837

Re: Microtik hotspot with Wavlink AC1200 in mesh mode

If the mesh router has the option to disable its dhcp server, you could do that.

Then plug the mikrotik's LAN port into one of the lan ports of the router, and see if devices connect to the Mikrotik.
(You may need later to change the ip address of the mesh router as well)
by rplant
Fri Aug 23, 2024 2:34 am
Forum: General
Topic: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wrong
Replies: 20
Views: 2722

Re: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wr

You have to ensure that the appropriate packets don't go via fasttrack. Either by having an accept statement for these packets prior to the fasttrack rule or by disabling the fasttrack rule. One possible option (just prior to fasttrack rule) add action=accept chain=forward comment="accept estab...
by rplant
Wed Aug 21, 2024 7:52 am
Forum: Beginner Basics
Topic: hAP ac3 NAT forwarding issues [SOLVED]
Replies: 9
Views: 1512

Re: hAP ac3 NAT forwarding issues [SOLVED]

Hi, A couple of points, The screenshot doesn't really show what you are doing. Mikrotik doesn't do hairpin nat by default, so it might work from outside but not from inside your network. You could open a terminal window (from webfig, up the top near rhs), and export the entire config, or just the fi...
by rplant
Wed Aug 14, 2024 4:46 am
Forum: Beginner Basics
Topic: lot of sites dont load on the first try
Replies: 16
Views: 2143

Re: lot of sites dont load on the first try

In another thread @mkx mentioned that adjust mss will probably not work if the connection is fasttracked.
You could try and disable the fasttrack rule briefly.
by rplant
Mon Aug 12, 2024 9:12 am
Forum: General
Topic: CCR 1016-12G 2Gbit upgrade recomendation
Replies: 6
Views: 886

Re: CCR 1016-12G 2Gbit upgrade recomendation

Likely you are going to have to go for a ccr with at least 1 SFP+ port, and perhaps 2. eg. CCR1036-8g-2s+ if you can find one. Then how does your ISP provide you with 2Gbe, it seems like a non-standard value. If over a 2.5Gbe ethernet connection, none of the CCR 10xx series supports this directly. Y...
by rplant
Mon Aug 12, 2024 8:48 am
Forum: General
Topic: Wireguard issues; can connect but can't access hosts
Replies: 5
Views: 588

Re: Wireguard issues; can connect but can't access hosts

Have you added 10.0.2.3/32 as an allowed IP address in the Peer setting on the Mikrotik?

When you look at the peer setting on the Mikrotik are you getting updated Tx, Rx and Last Handshake values?
by rplant
Fri Aug 09, 2024 1:09 pm
Forum: General
Topic: UPnP / NAT-PMP question
Replies: 4
Views: 552

Re: UPnP / NAT-PMP question

Upgrade the ccr2116 to the latest beta version,
generate a supout.rif while working, and another when broken.
(Assuming it's not fixed)

And submit them in the ticket.
Support are quite good, and it is one of their flagship products you are having issues with...
by rplant
Thu Aug 08, 2024 2:07 am
Forum: General
Topic: EoIP+bridge Over WAN
Replies: 8
Views: 877

Re: EoIP+bridge Over WAN

One thought,
Do you have appropriate firewall rules to allow gre protocol in from the remote peer?

The default rules cause Traffic wrapped in ipsec to be allowed.
by rplant
Wed Aug 07, 2024 7:59 am
Forum: Beginner Basics
Topic: lot of sites dont load on the first try
Replies: 16
Views: 2143

Re: lot of sites dont load on the first try

Yet another possibility is broken dns.

If on windows open a command prompt,
type nslookup

And try a few sites (including some you haven't recently used)
does it return immediately with a result?

Is the dns server nslookup is using correct?
by rplant
Wed Aug 07, 2024 7:55 am
Forum: Beginner Basics
Topic: Slow speed - basic settings
Replies: 1
Views: 494

Re: Slow speed - basic settings

You appear to have different wireless protocols at each end.
by rplant
Wed Aug 07, 2024 4:34 am
Forum: Beginner Basics
Topic: Hybrid ports and VLAN for tagged and untagged connections.
Replies: 10
Views: 1368

Re: Hybrid ports and VLAN for tagged and untagged connections.

A problem is that out of your switch, every port has both the tagged and the untagged vlans coming out of it and going into it. One Possible option would be to make vlan 1 something else other than 1. eg. 10 Then you could have vlan 20 as the untagged vlan, and vlan 10 as the tagged vlan going to th...
by rplant
Wed Aug 07, 2024 2:29 am
Forum: General
Topic: EoIP+bridge Over WAN
Replies: 8
Views: 877

Re: EoIP+bridge Over WAN

Sorry, not an answer but.

Pretty sure the ipsec is going to be hardware offloaded, so it is going to take minimal cpu.
by rplant
Wed Aug 07, 2024 2:25 am
Forum: General
Topic: Steps to configure CRS326-24S+2Q+RM as a L3 Switch wihtout Router-on-a-stick
Replies: 23
Views: 1554

Re: Steps to configure CRS326-24S+2Q+RM as a L3 Switch wihtout Router-on-a-stick

Mostly the Gui is similar to the way the cli is laid out.
The switch menu is a bit different. It is a top level menu in the Gui.
by rplant
Wed Aug 07, 2024 2:16 am
Forum: General
Topic: 4011 2.5Gb SFP Module
Replies: 1
Views: 430

Re: 4011 2.5Gb SFP Module

I have tried (a few times) and also failed to get a 2.5g connection working on an RB4011 :(

**edit:** Note my RB4011 is an old one, I believe they have had a couple of versions of RB4011.
by rplant
Tue Aug 06, 2024 2:44 am
Forum: General
Topic: RB2011uiAS upgrade backup-routerbooot
Replies: 9
Views: 1378

Re: RB2011uiAS upgrade backup-routerbooot

In the wiki version it notes

The backup RouterBOOT version can not be older than v3.24 version.

So presumably given yours is newer than this, you don't need an upgraded backup routerboot. (so it won't let you upgrade it perhaps)
by rplant
Mon Aug 05, 2024 2:23 am
Forum: RouterBOARD hardware
Topic: How to intentionally make cable that will negotiate at 10 mbps?
Replies: 16
Views: 1933

Re: How to intentionally make cable that will negotiate at 10 mbps?

A possibility is to split the pairs and run it over a few meters, it will give lots of crosstalk and poor performance, but whether it is enough I don't know. eg. Pairs 1,4 2,3 5,8 6,7 or 1,3 2,4 5,7 6,8 (Cable terminated same at both ends) The cables will test as a simple straight cable (with a very...
by rplant
Sun Aug 04, 2024 7:23 am
Forum: General
Topic: question about "wireguard responder"
Replies: 13
Views: 1601

Re: question about "wireguard responder"

It used to (at minimum) stop a lot of annoying log messages on the server, I assume it still might.
by rplant
Sun Aug 04, 2024 7:19 am
Forum: General
Topic: How to setup 10GBit/s copper TP-Link SFP+ modules for CCR2004-16G-2S+.
Replies: 4
Views: 559

Re: How to setup 10GBit/s copper TP-Link SFP+ modules for CCR2004-16G-2S+.

Try it in both negotiated and non negotiated mode, with each of the 3 (current) 10G settings.
10G base T
10G BaseCR
10G BaseSR LR

And see if any of them work.
by rplant
Sun Aug 04, 2024 7:06 am
Forum: Beginner Basics
Topic: Is this vlan setting correct? [SOLVED]
Replies: 9
Views: 2234

Re: Is this vlan setting correct? [SOLVED]

Some minor changes.

# cisco
interface Ethernet0/0
 description trunk from mikrotik
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20
 switchport mode trunk

#mikrotik
# (Use bridge instead of ether1)
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge...
by rplant
Sun Aug 04, 2024 6:35 am
Forum: Beginner Basics
Topic: Basic Router setup on CRS310-1G-5S-4S+
Replies: 8
Views: 774

Re: Basic Router setup on CRS310-1G-5S-4S+

As a switch it will have plenty of speed between your devices. However connections to the internet via your ISP will need routing with firewalling and presumably Nat. For 2.5G you will need a reasonably powerful router performing this task. If your ISP provided a router you can use it for that task ...
by rplant
Fri Aug 02, 2024 6:11 am
Forum: General
Topic: RB2011uiAS upgrade backup-routerbooot
Replies: 9
Views: 1378

Re: RB2011uiAS upgrade backup-routerbooot

look at the protected bootloader section of the above document
by rplant
Fri Aug 02, 2024 5:39 am
Forum: Beginner Basics
Topic: lot of sites dont load on the first try
Replies: 16
Views: 2143

Re: lot of sites dont load on the first try

Another thought, Partially working ipv6 can cause similar problems.

Try turning off ipv6 on the router.

From winbox
ipv6 settings tick the disable ipv6 box and wait a short while.
(May need to reboot PC if want it to update faster)
by rplant
Thu Aug 01, 2024 2:48 am
Forum: General
Topic: Post 7.13 incompatible station bridge versions
Replies: 2
Views: 577

Re: Post 7.13 incompatible station bridge versions

Yes, you could have used the wireless package, and the map could then connect in station bridge. Wifi package does have some niceish features though. Other options: Use Station-Pseudo bridge mode. Ok when it works, need to turn off RSTP. If you go this way and it's not behaving it is worth searching...
by rplant
Wed Jul 31, 2024 8:19 am
Forum: RouterBOARD hardware
Topic: RB5009UG+S+IN dual power power [SOLVED]
Replies: 15
Views: 12114

Re: RB5009UG+S+IN dual power power [SOLVED]

Yes,
If you use poe as an alternate power source, it must be passive/forced on poe or the Mikrotik may lose power when main/other power is lost. (Usually briefly but...)
by rplant
Tue Jul 30, 2024 3:43 am
Forum: Beginner Basics
Topic: Trouble Loading RSC File
Replies: 4
Views: 663

Re: Trouble Loading RSC File

A couple of options. 1. Reset the mikrotik with no default config, (but perhaps keep users), and then try to import the file. 2. Open the file in notepad or similar and copy and paste a section at a time into the terminal. You might be wise to compare the current default config to the config you wan...
by rplant
Mon Jul 29, 2024 5:51 am
Forum: General
Topic: Upgrading Rooterboot factory software
Replies: 25
Views: 7021

Re: Upgrading Rooterboot factory software

I think documentation means devices with version 7 factory firmware, but less than 7.6 get upgraded to a v7.6 factory firmware with protected router boot function. Devices with older (v3, v6) factory firmware get an updated factory firmware (not v7) which has the new protected router boot function. ...
by rplant
Sun Jul 28, 2024 2:31 pm
Forum: Beginner Basics
Topic: help creating "allow" rule via switch ACL
Replies: 5
Views: 834

Re: help creating "allow" rule via switch ACL

You can probably enable dhcp relay on the appropriate switch vlans.
And have your dhcp server managing the vlan (remotely).
by rplant
Sun Jul 28, 2024 2:19 pm
Forum: Beginner Basics
Topic: help creating "allow" rule via switch ACL
Replies: 5
Views: 834

Re: help creating "allow" rule via switch ACL

You could set it up with the CRS317 as the gateway for both VlanA and VlanB The CRS ROUTES packets from vlanA and vlanB to the router. (and between vlan A and vlan B) No firewall rules needed on CRS for internet traffic, so should be L3WH offloaded, (with very few if any ACL's) Rules/ACLs, mostly fo...
by rplant
Sat Jul 27, 2024 11:21 am
Forum: General
Topic: Packets for port 80 disappear before reaching NAT or filtering [SOLVED]
Replies: 6
Views: 2578

Re: Packets for port 80 disappear before reaching NAT or filtering [SOLVED]

A couple of thoughts, The following statement doesn't really seem helpful given your current results, but anyway: Mikrotik doesn't by default do hairpin Nat (you need to add the appropriate src-nat rule), so if you are testing from inside your network it will likely not work. You could download tcpr...
by rplant
Sat Jul 27, 2024 8:20 am
Forum: General
Topic: VPN IPSEC
Replies: 1
Views: 308

Re: VPN IPSEC

Hi,
License wise:
Not sure there is a limit for raw ipsec.
There is a 500 user one for l2tp.

However, the processor on the RB2011 doesn't do ipsec hardware encryption, and does not have much Ram.
So really only a couple maybe. You would be better off with wireguard with the 2011.
by rplant
Sat Jul 27, 2024 8:01 am
Forum: General
Topic: Wireguard setup
Replies: 2
Views: 412

Re: Wireguard setup

When a road warrior client from router 1 is connected it can not reach ip's behind the nat of router 2 (which is possible from within router1 main network (and the other way around). Assuming there is no NAT going on. (ie. The packet from 192.168.35.1 reaches device on router 2 as being from 192.16...
by rplant
Sat Jul 27, 2024 7:51 am
Forum: General
Topic: Packets for port 80 disappear before reaching NAT or filtering [SOLVED]
Replies: 6
Views: 2578

Re: Packets for port 80 disappear before reaching NAT or filtering [SOLVED]

Hi, I think you could start by checking the counters on the dst-nat rules, and see if they increment. (They happen early in the firewall) Typically they will only increment once for each new connection. If they are incrementing, you need to check the 10.0.0.39 (I assume nginx) Perhaps if not increme...
by rplant
Fri Jul 26, 2024 2:37 am
Forum: Beginner Basics
Topic: Connect to L2TP/IPSEC VPN from 2 devices with the same public IP
Replies: 4
Views: 798

Re: Connect to L2TP/IPSEC VPN from 2 devices with the same public IP

Fair enough, Perhaps your option 2 would be a good option, you then effectively have a site to site tunnel, and can tunnel whichever clients you want. Option 1 is doable and will most times be fairly well upgraded. However it is not perfect. (Make a script export and a normal backup onto external st...
by rplant
Thu Jul 25, 2024 3:32 am
Forum: Beginner Basics
Topic: Connect to L2TP/IPSEC VPN from 2 devices with the same public IP
Replies: 4
Views: 798

Re: Connect to L2TP/IPSEC VPN from 2 devices with the same public IP

I would recommend you experiment with wireguard.
(Even if just for this particular instance)
by rplant
Wed Jul 24, 2024 3:04 pm
Forum: Beginner Basics
Topic: IPsec VPN - NAT rule to reach the server
Replies: 6
Views: 712

Re: IPsec VPN - NAT rule to reach the server

You could possibly add a src-nat rule something like

/ip firewall nat
add chain=srcnat dst-address=171.11.153.20 src-address=192.168.1.0/24 action=src-nat to-addresses=171.11.153.21

Move it up above any masquerade rules already there.
by rplant
Wed Jul 24, 2024 3:50 am
Forum: General
Topic: Loopback for RFC2544 testing
Replies: 3
Views: 1815

Re: Loopback for RFC2544 testing

For generic case, perhaps not. (maybe a container?)

But for a single source ip sending data, you could probably use a dst-nat and src-nat pair of rules, to send the traffic back.
by rplant
Wed Jul 24, 2024 3:34 am
Forum: General
Topic: Prefix deligation over WireGuard
Replies: 1
Views: 289

Re: Prefix deligation over WireGuard

You can run your eoip or other tunnel inside wireguard. Though I would perhaps attempt to set up ipv6 and associated routing on the Mikrotik manually, using one of the /64's. You would maybe need to somehow mark the prefix as used though, so the VPS does not try to reuse it. You might need to put (n...
by rplant
Tue Jul 23, 2024 2:57 pm
Forum: RouterBOARD hardware
Topic: Doesn't seem to boot no matter what reset mode I try
Replies: 2
Views: 963

Re: Doesn't seem to boot no matter what reset mode I try

beep twice usually means it thinks it is ready to start running. You could try connecting to it via wifi, it may have some mikrotik-XXXX ssid with no password. If it is similar to a map/wap, then Wifi is often the only way to connect to this type of device when factory defaulted, but usually the eth...
by rplant
Tue Jul 23, 2024 2:48 pm
Forum: RouterBOARD hardware
Topic: wAP ac (RBwAPG-5HacT2HnD) rebooting every 10 seconds
Replies: 3
Views: 730

Re: wAP ac (RBwAPG-5HacT2HnD) rebooting every 10 seconds

I would also suggest you get a Low ESR capacitor (as well as of 105° type).
by rplant
Mon Jul 22, 2024 9:05 am
Forum: General
Topic: most "cold" RJ45 SFP+ modules
Replies: 5
Views: 524

Re: most "cold" RJ45 SFP+ modules

fs.com have a few rj45 sfp+ modules.

They range in power consumption from 1.8W to 2.9W
Apparently the S+RJ10s is around 2.7W, so the 1.8W one might be good.
(but quite pricey)

Sorry I don't know how well or hot it works, or if it will work with a Mikrotik.
though fs is usually well supported
by rplant
Mon Jul 22, 2024 8:55 am
Forum: General
Topic: RB-751 failure, and back ups corrupted [SOLVED]
Replies: 18
Views: 2907

Re: RB-751 failure, and back ups corrupted [SOLVED]

It sounds like you are trying to restore a binary backup file to a new router. That rarely works :( You could search your hard disk for .rsc script files. If you can login to the old one at all (though it sounds unlikely), do a /export, stick it onto your laptop, and manually carefully copy the conf...
by rplant
Sat Jul 20, 2024 3:20 am
Forum: General
Topic: Speed Limitation Issues with RB3011.
Replies: 3
Views: 462

Re: Speed Limitation Issues with RB3011.

I tried it running with 6.49.13, and that was much improved.

Unfortunately doesn't have the cake queues, but the other queues I tried
seemed to handle 1G ok.
CPU still seemed to be largely locked to 1 core, and still needed multiple streams
or large window to get to 1G ish.
by rplant
Fri Jul 19, 2024 1:32 pm
Forum: General
Topic: Speed Limitation Issues with RB3011.
Replies: 3
Views: 462

Re: Speed Limitation Issues with RB3011.

I had a try with some of this, just to a local iperf3 server. So very little latency unlike over the internet. I found I had to disable the queue tree for best performance. To hit near a gig download I had to have a large window size, or multiple streams. Perhaps partly a limitation of the iperf3 se...
by rplant
Fri Jul 19, 2024 11:13 am
Forum: General
Topic: Speed Limitation Issues with RB3011.
Replies: 3
Views: 462

Re: Speed Limitation Issues with RB3011.

Hi, It seems unlikely to be good for a 1G connection, Apparently a single connection will only use 1 core. (To reduce out of order packets) From: https://mikrotik.com/product/RB3011UiAS-RM#fndtn-testresults The commonly used 25 IP filter rules, and 512 byte packets lists 452Mbps. Your actual perform...
by rplant
Wed Jul 10, 2024 3:41 am
Forum: General
Topic: SFP port Doesn't work on CCR2004
Replies: 8
Views: 754

Re: SFP port Doesn't work on CCR2004

Yes there have been many many sfp fixes, and complaints of devices that used to work that no longer do. You could install the latest betas at both ends (including updating routerboot), and assuming it is still not working create a supout.rif and send to support at mikrotik.com The -40db is a wor...
by rplant
Wed Jul 10, 2024 3:30 am
Forum: RouterBOARD hardware
Topic: L009 copper SFPs
Replies: 11
Views: 1395

Re: L009 copper SFPs

The S+RJ10 plugs into a 10G sfp+ interface.
The L009 has a 2.5G sfp interface.
by rplant
Wed Jul 10, 2024 3:26 am
Forum: General
Topic: wifi Multicast flood
Replies: 6
Views: 693

Re: wifi Multicast flood

That feels like a bug.

I think the Mikrotik radio should likely have its own multicast subscriber list and send it to only its subscribed stations.
by rplant
Mon Jul 08, 2024 2:50 pm
Forum: RouterBOARD hardware
Topic: L009 copper SFPs
Replies: 11
Views: 1395

Re: L009 copper SFPs

I gain the impression that the S+RJ10 still runs quite warm, as its backend has to be run at approx 10.3G
(whether connected on the RJ45 side at 1G, 2.5G, or 10G)

While an actual 2.5G unit's backend runs at 2.5G (* 10/8).
(Whether connected on the RJ45 side at 2.5G, 1G or lower speeds)
by rplant
Sun Jul 07, 2024 2:14 pm
Forum: General
Topic: SFP port Doesn't work on CCR2004
Replies: 8
Views: 754

Re: SFP port Doesn't work in CCR2004

Winbox:

Perhaps under ethernet tab for sfp, turn off auto negotiation and set speed to 1G Base X
at both ends.

Make sure fibre is correct, (looks to need single mode fibre)
by rplant
Thu Jul 04, 2024 3:20 am
Forum: General
Topic: Wireguard does not work after reboot
Replies: 19
Views: 1406

Re: Wireguard does not work after reboot

I found out empirically that if you turn off the interfaces and peers on both routers for 10-15 minutes and then turn them on, everything works. I think I have seen something similar in the past, if you turned off the wireguard interface and then turned it back on fairly soon after. It didn't se...
by rplant
Wed Jul 03, 2024 1:58 pm
Forum: General
Topic: Wireguard does not work after reboot
Replies: 19
Views: 1406

Re: Wireguard does not work after reboot

Sorry, don't know. However I would turn off the persistent-keepalive on router-B. Perhaps trying to connect back to the IP/Port it was last connected to is doing something. Also, you can check the counters on the firewall rule on Router-B, and see if packets are actually getting in, enable logging ...
by rplant
Wed Jul 03, 2024 5:28 am
Forum: Forwarding Protocols
Topic: send udp packet with destination 255.255.255.255 to other subnet In router
Replies: 5
Views: 1035

Re: send udp packet with destination 255.255.255.255 to other subnet In router

I have in the past done the following

/ip arp
add address=192.168.44.252 interface=bridge-local mac-address=\
FF:FF:FF:FF:FF:FF

I was using it for Wake on Lan.
To any device on the 192.168.44.0/24 network

** Edit: on review, this is an answer to a different question :( **
by rplant
Wed Jul 03, 2024 5:18 am
Forum: General
Topic: Loop error even though RSTP is enabled
Replies: 6
Views: 569

Re: Loop error even though RSTP is enabled

My guess is that it is doing what it is supposed to, but perhaps imperfectly.

The spanning tree needs reconfiguring, and it does this, but some looped packets get through.
But it seems to resolve quickly.
by rplant
Wed Jul 03, 2024 4:44 am
Forum: General
Topic: Wireguard: only the last edited peer is working [SOLVED]
Replies: 9
Views: 2107

Re: Wireguard: only the last edited peer is working [SOLVED]

Usually means you have overlapping allowed addresses on your peer configurations. This is an error. If this is what you actually need and want, (eg. you want to use ospf to the peers and route via the ospf chosen link, etc) You need to have multiple wireguard interfaces with one (overlapping) peer per ...
by rplant
Tue Jul 02, 2024 2:47 pm
Forum: Beginner Basics
Topic: Mangle Rules with Multi WAN
Replies: 6
Views: 1128

Re: Mangle Rules with Multi WAN

Hi, I have a dhcp-client script that changes some of the routes. /ip dhcp-client add default-route-distance=70 interface=ether2 script="/ip route\r\ \n:if (\$bound = 1) do={\r\ \n set [find where comment~\"altgw\"] gateway=\$\"gateway-address\"\r\ \n}" I also find it be...
by rplant
Tue Jul 02, 2024 2:04 pm
Forum: Beginner Basics
Topic: Tunneling internet traffic through IPsec tunnel
Replies: 8
Views: 1418

Re: Tunneling internet traffic through IPsec tunnel

Perhaps get a hap ac2 as a gateway router in front of the switch at the home end.

Then you can have hardware offloaded ipsec at both ends if you want that.
Or wireguard. (I like wireguard, but hardware offloaded ipsec can be quite fast)
by rplant
Tue Jul 02, 2024 6:54 am
Forum: General
Topic: Please help :| RB5009 with 2.5G Advertise allowed, dramatic speed decrease
Replies: 11
Views: 1189

Re: Please help :| RB5009 with 2.5G Advertise allowed, dramatic speed decrease

You should perhaps change the bucket size on the queue to 0.01

If it works ok, do same for the other ethernet ports. (ether1 with 2.5G max-limit)
by rplant
Mon Jul 01, 2024 9:19 am
Forum: General
Topic: Specify IPsec proposal and profile for IPIP/IPsec
Replies: 4
Views: 498

Re: Specify IPsec proposal and profile for IPIP/IPsec

Or perhaps run the ipip over a wireguard tunnel.

Even better with luck might be able to just use a wireguard tunnel, without ipip.
by rplant
Mon Jul 01, 2024 8:51 am
Forum: General
Topic: Specify IPsec proposal and profile for IPIP/IPsec
Replies: 4
Views: 498

Re: Specify IPsec proposal and profile for IPIP/IPsec

So it is not possible if the peer is on dynamic IP? Yes, You can look at the ipsec setup created when you add ipsec to the ipip tunnel and make something similar. But I think ipip requires a fixed address at each end anyway. You could possibly use an ikev2 tunnel, (where the client can get a fixed ...
by rplant
Mon Jul 01, 2024 8:33 am
Forum: General
Topic: Please help :| RB5009 with 2.5G Advertise allowed, dramatic speed decrease
Replies: 11
Views: 1189

Re: Please help :| RB5009 with 2.5G Advertise allowed, dramatic speed decrease

You could try attaching a queue onto the LAN ethernet port you are using and see what that does. (ether2...) Make a new queue type using cake, probably near default. Create a new queue, (Queue tree) with your new queue type, attach with parent as ether2, and set with a max limit of 1G. Assuming you ...
by rplant
Mon Jul 01, 2024 8:21 am
Forum: General
Topic: Show IP of client connected to each port
Replies: 3
Views: 514

Re: Show IP of client connected to each port

You could do a tool/ ip scan, which should refresh the Arp table.

Arp entries are often only seen/updated when the router/switch needs them.
Which is rarely if running as an L2 switch.
by rplant
Mon Jul 01, 2024 8:17 am
Forum: General
Topic: PPPoE interface address
Replies: 2
Views: 272

Re: PPPoE interface address

Not sure, but possibly if you do that, it can't tell the remote end (client) what the server end IP address is. This usually doesn't matter, except perhaps if you want to ping the server from the client. (I don't know that windows likes it much though) There are a couple of places to set up the loca...
by rplant
Fri Jun 28, 2024 4:26 am
Forum: Forwarding Protocols
Topic: WireGuard slowdown after minutes
Replies: 6
Views: 1035

Re: WireGuard slowdown after minutes

Hi,

You don't seem to have an IP address on the wireguard interface, but then you are using masquerade on that interface??

The first /ip firewall rule (I assume is filter) seems a bit doubtful.
by rplant
Thu Jun 27, 2024 9:23 am
Forum: General
Topic: RB4011 + GPON
Replies: 2
Views: 397

Re: RB4011 + GPON

You can get GPON ONU sfp modules. However you would need to get the ISP, or their wholesaler to agree to you using the 3rd party module. You would need to provide them with some information about it, perhaps its mac address and/or serial number, not sure. They can then add the ONU information onto t...
by rplant
Wed Jun 26, 2024 7:37 am
Forum: Beginner Basics
Topic: Publishing WebApp through static IP
Replies: 2
Views: 619

Re: Publishing WebApp through static IP

I assume the ISP's router is doing Nat? Or is it handing the IP address off to the Mikrotik in some fashion? If ISP router is doing NAT, it will also need a port forward (likely to the Mikrotik, possibly direct to the web server) The web app server needs to know it is running on port 8080, or more u...
by rplant
Wed Jun 26, 2024 6:20 am
Forum: General
Topic: Possible L2 MTU issues with EoIP Tunnel and Bridge
Replies: 5
Views: 1239

Re: Possible L2 MTU issues with EoIP Tunnel and Bridge

You can set both the wireguard and eoip mtu's to 1500, it becomes less efficient as the larger packets are fragmented, but they get rebuilt at the endpoint. Perhaps set the eoip mtu to 1500 and leave the wireguard one at 1420 (1420 assumes no pppoe). An alternative, you can use a mangle rule to do m...
by rplant
Tue Jun 25, 2024 1:18 pm
Forum: Beginner Basics
Topic: connecting port to the dsl modem [SOLVED]
Replies: 1
Views: 1773

Re: connecting port to the dsl modem [SOLVED]

Hi, Assuming a near default mikrotik configuration. I will make ether2 the second port. You need the ip address and netmask of the Zyxel. Using winbox (or webfig) From Bridge, Ports tab Remove, or disable the ether2 entry from the default bridge. From ip/address, create a new ip address in the same ...
by rplant
Mon Jun 24, 2024 5:45 am
Forum: RouterBOARD hardware
Topic: 10G-LR instability in CCR2116-12G-4S+
Replies: 4
Views: 1184

Re: 10G-LR instability in CCR2116-12G-4S+

Try enabling "Ignore Rx LOS" and see if that helps.

If not, make a supout.rif while broken, running on 7.16b2 and send it to Mikrotik support.

They have been making many changes to the SFP code...
by rplant
Mon Jun 24, 2024 5:35 am
Forum: Beginner Basics
Topic: Mikrotik as OpenVPN client, lan behind mikrotik?
Replies: 1
Views: 682

Re: Mikrotik as OpenVPN client, lan behind mikrotik?

Assuming near default Mikrotik configuration. Likely option is you need to make the openvpn client interface on the Mikrotik a member of the LAN interface list. The following seems likely already done, you need to have routes on the Asus telling it the mikrotik lan network IP's are via the openvpn c...
by rplant
Mon Jun 24, 2024 5:25 am
Forum: Beginner Basics
Topic: Problems with wireguard and Mobile Data
Replies: 3
Views: 990

Re: Problems with wireguard and Mobile Data

Hi,
Check the counters on the following rule.

/ip firewall filter add action=accept chain=input comment=Wireguard dst-port=54321 protocol=udp

If when you try to connect via mobile, it doesn't increment at least the once it cannot work.
You could try changing the port.
Other things to check (Once the...
by rplant
Mon Jun 24, 2024 5:11 am
Forum: Beginner Basics
Topic: Internet Connectivity Issue with MikroTik Router [SOLVED]
Replies: 6
Views: 2621

Re: Internet Connectivity Issue with MikroTik Router [SOLVED]

Make sure that Vlan832-internet is a member of the WAN interface list.
Double check that bridge is a member of the LAN interface list.

Disable your first srcnat rule.
(Can try reenabling it once you have it working)
by rplant
Sat Jun 22, 2024 4:20 am
Forum: Beginner Basics
Topic: PPPoE offload [SOLVED]
Replies: 3
Views: 2414

Re: PPPoE offload [SOLVED]

The following might help

viewtopic.php?p=1070581#p1070581

Though nowadays, the hex is not super quick either :(
by rplant
Wed Jun 19, 2024 12:51 pm
Forum: Beginner Basics
Topic: How to set udp-timeout and udp-stream-timeout [SOLVED]
Replies: 2
Views: 2116

Re: How to set udp-timeout and udp-stream-timeout [SOLVED]

ip firewall, choose connections tab, then click on tracking button.
by rplant
Mon Jun 17, 2024 7:52 am
Forum: Forwarding Protocols
Topic: VPLS Bridge but no traffic
Replies: 2
Views: 768

Re: VPLS Bridge but no traffic

Fairly sure that mpls requires a layer 2 equivalent under it, which gre isn't.

You could perhaps use eoip, or vxlan.
Not seeing a lot of point of then running mpls over these.

You could run these 2 protocols over wireguard or ipsec (I like wireguard)
sstp is good, but not very performant.
by rplant
Mon Jun 17, 2024 2:57 am
Forum: Beginner Basics
Topic: IPIP vpn - basic question
Replies: 2
Views: 641

Re: IPIP vpn - basic question

Have a look at wireguard, it is very good, and handles NAT well.

You will likely need something brisk for 20-30 clients at a good speed.
Perhaps an RB5009 (or low end ccr) would be a good starting point.
by rplant
Fri Jun 14, 2024 2:02 pm
Forum: General
Topic: hap aX3 performance issue?
Replies: 8
Views: 905

Re: hap aX3 performance issue?

Hi, I have seen a post for something maybe similar, where the solution was to make the queue on ether1 a multi-queue-ethernet-default queue. (Assumes ether1 is internet) (Maybe you could try multi-queue-ethernet-default on the other interfaces as well) If this doesn't help: You could perhaps experim...
by rplant
Fri Jun 14, 2024 9:20 am
Forum: RouterBOARD hardware
Topic: Beginner Attempt at Fiber a Fail - Help Needed
Replies: 2
Views: 1042

Re: Beginner Attempt at Fiber a Fail - Help Needed

There have been other questions about the 10GTek device, perhaps this might help. https://forum.mikrotik.com/viewtopic.php?p=1067590#p1067590 I have not used this sfp module, (or the css switch), but I find on their routers, using 1G base X is a good choice for connectivity. Also there have been a l...
by rplant
Fri Jun 14, 2024 8:56 am
Forum: General
Topic: How Can I Show A Custom Message When Blocking Sites Using FireWall?
Replies: 6
Views: 4014

Re: How Can I Show A Custom Message When Blocking Sites Using FireWall?

Hi,

You can try using sni

search for tls-host in the following
https://help.mikrotik.com/docs/display/ ... nd+Actions

Unfortunately, sni inspection is becoming unavailable with the advent of TLS 1.3, so is working less and less well.
by rplant
Wed Jun 12, 2024 1:38 pm
Forum: General
Topic: Does CCR2004-16G-2S+ support SFP 2.5Gbps?
Replies: 1
Views: 376

Re: Does CCR2004-16G-2S+ support SFP 2.5Gbps?

Hi The following has the list of devices with assorted compatibilities, including 2.5G https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility It doesn't (currently) list the CCR2004-16G-2S+ as being compatible with 2.5G, but does have a different CCR2004 device listed. The...
by rplant
Wed Jun 12, 2024 1:25 pm
Forum: General
Topic: Route PPTP Client to another gateway
Replies: 1
Views: 239

Re: Route PPTP Client to another gateway

You could try something like

/ip firewall mangle
add action=mark-routing chain=output new-routing-mark=YOUR_ROUTING_MARK passthrough=no protocol=gre

From a security point of view it would be far better to swap your pptp for wireguard.
by rplant
Tue Jun 11, 2024 3:13 am
Forum: Beginner Basics
Topic: IPTV setup on WiFi interface
Replies: 4
Views: 3152

Re: IPTV setup on WiFi interface

Hi,

On the wifi, I would enable multicast helper (ideally to full, but perhaps dhcp would be more compatible)
and probably enable multicast buffering.

Also on the bridge enable igmp snooping.

See if that helps.
by rplant
Wed Jun 05, 2024 2:17 pm
Forum: Beginner Basics
Topic: Mikrotik as secondary router - one LAN port bridged to WAN
Replies: 4
Views: 974

Re: Mikrotik as secondary router - one LAN port bridged to WAN

Hi, For not double NAT. If you can change the ISP router, you may be able to add a static route to it. 192.168.88.0/24 via 192.168.1.2 Then from anav's config, change all the WAN interfaces to LAN and let the ISP router pretty much do all the Natting and external firewalling. /interface list members...
by rplant
Wed Jun 05, 2024 11:07 am
Forum: General
Topic: L2tp ipsec vpn network with user connection problems
Replies: 2
Views: 467

Re: L2tp ipsec vpn network with user connection problems

A similar problem here (and solution).

viewtopic.php?p=1045608#p1045608
by rplant
Wed Jun 05, 2024 2:45 am
Forum: General
Topic: CRS510-8XS-2XQ SFP GE transceiver in SFP28 port
Replies: 2
Views: 395

Re: CRS510-8XS-2XQ SFP GE transceiver in SFP28 port

There have been other questions about the 10GTek device, perhaps this might help.

viewtopic.php?p=1067590#p1067590
by rplant
Tue Jun 04, 2024 7:14 am
Forum: Forwarding Protocols
Topic: VRRP + DST-NAT
Replies: 4
Views: 702

Re: VRRP + DST-NAT

Not sure, but

1. They should be using src-nat rather than masquerade
2. dst-nat rules are same on both routers
by rplant
Tue Jun 04, 2024 2:08 am
Forum: RouterBOARD hardware
Topic: AOC SFP module - S+AO0005. Connector type info.
Replies: 2
Views: 1452

Re: AOC SFP module - S+AO0005. Connector type info.

I have a working SF.Com passive DAC which also gives a connector type of copper pigtail.

Perhaps it can't (or doesn't) tell the difference between AOC and Passive (or active) Dacs.
They all use the same copper/active/OM4 link length field.
by rplant
Mon Jun 03, 2024 7:07 am
Forum: RouterBOARD hardware
Topic: GRE tunnel performance with RB4011 vs RB5009
Replies: 3
Views: 1678

Re: GRE tunnel performance with RB4011 vs RB5009

Another thought, perhaps there is some queues configured. I trialled a basic gre tunnel from a 4011 to a hap ax3, Edit: was incorrectly fast path (all fast track and about 2 meters of cable), and tested a bidirectional btest over the gre link at 300M in both directions from my PC through the 4011 (g...
by rplant
Mon Jun 03, 2024 4:39 am
Forum: RouterBOARD hardware
Topic: GRE tunnel performance with RB4011 vs RB5009
Replies: 3
Views: 1678

Re: GRE tunnel performance with RB4011 vs RB5009

Your mtu of 1476 on the at&t service seems highly dubious. I believe the default MTU for at&t is 1500. (But I could easily be wrong) 1476 matches the normal mtu of a gre tunnel. (Inside a normal 1500 mtu ethernet connection). Then also 1420 seems odd, (looks maybe like an mtu for ipsec en...
by rplant
Mon Jun 03, 2024 3:59 am
Forum: Beginner Basics
Topic: Unable to connect to SMTP service port on WAN IP. [SOLVED]
Replies: 3
Views: 1865

Re: Unable to connect to SMTP service port on WAN IP. [SOLVED]

SMTP is often blocked at the ISP level.
You likely need to jump through at least a few hoops before you can use it as a mail server.
by rplant
Sun Jun 02, 2024 6:31 am
Forum: Beginner Basics
Topic: Device Isolation
Replies: 4
Views: 724

Re: Device Isolation

Private vlan might be a good option.
(Done in hardware)

https://help.mikrotik.com/docs/display/ ... rivateVLAN
by rplant
Tue May 28, 2024 6:59 am
Forum: General
Topic: Client Isolation - Wired and Wireless
Replies: 1
Views: 403

Re: Client Isolation - Wired and Wireless

Hi,
You probably want the private vlan feature.

https://help.mikrotik.com/docs/display/ ... rivateVLAN
by rplant
Fri May 24, 2024 11:00 am
Forum: General
Topic: Certificates generating with invalid invalid-before and invalid-after dates [SOLVED]
Replies: 4
Views: 1200

Re: Certificates generating with invalid invalid-before and invalid-after dates [SOLVED]

You need to have correct time/date/timezone on the mikrotik.
You need to specify number of days valid. (eg. 730 for ~2years)
by rplant
Thu May 23, 2024 6:42 am
Forum: General
Topic: Redirect Communications
Replies: 1
Views: 433

Re: Redirect Communications

One possible option: Configure the router with a separate /32 subnet and interface with device A plugged into it. (Assuming router described is Mikrotik, Probably just remove ETH1 from the bridge) This subnet/interface is added as a member of the LAN interface list. (And removed from WAN interface l...
by rplant
Thu May 23, 2024 6:26 am
Forum: General
Topic: Access Lan Devices through windows Wireguard Client
Replies: 13
Views: 1840

Re: Access Lan Devices through windows Wireguard Client

I think you would be better off using a Mikrotik at both ends.

However, the following may be useful:

https://www.henrychang.ca/how-to-setup- ... n-windows/
by rplant
Thu May 23, 2024 5:21 am
Forum: General
Topic: Need to connect 2 home networks through the ISP GPON
Replies: 9
Views: 1386

Re: Need to connect 2 home networks through the ISP GPON

Hi, I thought about this for a while. It would be easy enough to run 2 VLans through from the hap ax2 to a managed switch or other Mikrotik at the gpon end, and then another cable from there to the TP-Link (or if that cable is also not possible, yet another managed switch at the TP-Link location. Ho...
by rplant
Wed May 22, 2024 9:11 am
Forum: Beginner Basics
Topic: [delete]
Replies: 23
Views: 1611

Re: CRS310-8G+S2 reality check on CPU use when using internet traffic

Example basic setup, my thoughts NOTE: ** I have no experience with CRS so consider with care ** vlan2 + 192.168.2.1 -- Other Devices on vlan2 | TPLink 192.168.1.1 - vlanbase - CRS 192.168.1.2 -- Other Devices on vlanbase | vlan3 + 192.168.3.1 -- Other Devices on vlan3 TPLink (or other suitably powe...
by rplant
Tue May 21, 2024 6:14 am
Forum: Wireless Networking
Topic: Pseudobridge or Pseudobridge clone not work -> dhcp client in searching
Replies: 5
Views: 1377

Re: Pseudobridge or Pseudobridge clone not work -> dhcp client in searching

You could also try turning off bridge fastpath in bridge setting
That caused me some issues a long time ago.
by rplant
Tue May 21, 2024 6:07 am
Forum: Beginner Basics
Topic: Two public addresses from one provider
Replies: 3
Views: 711

Re: Two public addresses from one provider

Yeah, that makes sense.

I think with this option it might be advisable to change the default masquerade rule
to a srcnat rule with to-address of 155.13.35.202

Otherwise, it could possibly choose either ether1 address for the masquerading.
by rplant
Tue May 21, 2024 3:50 am
Forum: RouterBOARD hardware
Topic: HOT S-RJ10
Replies: 25
Views: 4096

Re: HOT S-RJ10

Hi,
If you only need 2.5gb, then you can get a 2.5gbe sfp/rj45 device, which runs at a reasonable temperature.

One option: https://vi.aliexpress.com/item/1005005392025773.html

Note: This needs to be run at 2.5g base X which is available for the RB5009, not so much currently on RB4011 which I have :(
by rplant
Tue May 21, 2024 3:19 am
Forum: Beginner Basics
Topic: What is the USB Port on the LU009 Used For? [SOLVED]
Replies: 7
Views: 2456

Re: What is the USB Port on the LU009 Used For? [SOLVED]

USB Sticks for container store, general storage, Dude Storage Ethernet Adapters (some): Additional ethernet port Serial port adapters (some): Terminal access, Remote Serial port facility Discontinued Woobm (wireless USB serial port) was kind of good could get you out of trouble when you locked yours...
by rplant
Sun May 19, 2024 7:12 am
Forum: Beginner Basics
Topic: Two public addresses from one provider
Replies: 3
Views: 711

Re: Two public addresses from one provider

Assuming something near a default configuration I would create a new bridge, perhaps call it bridgewan2, turn off rstp on this new bridge. It is only to hold ip addresses. /interface bridge add name=bridgewan2 protocol-mode=none Create a new IP address on this bridge 155.133.35.203 network 155.133.3...
by rplant
Sun May 19, 2024 6:50 am
Forum: Beginner Basics
Topic: VxLAN (VLAN over WAN) supported? Which hardware
Replies: 1
Views: 715

Re: VxLAN (VLAN over WAN) supported? Which hardware

Hi, https://mikrotik.com/products/group/ethernet-routers I think an RB5009 would likely do what you need. Or scroll down for faster, better performance, more features. Probably skip the RB1100A's, as they are an older generation, similar to the RB4011 but with more storage. Presumably you are going ...
by rplant
Thu May 16, 2024 2:49 pm
Forum: General
Topic: Slow FTP upload speed via GRE Tunnel
Replies: 16
Views: 1510

Re: Slow FTP upload speed via GRE Tunnel

Some thoughts: It looks like you are not using ipsec, is this correct? From windows, you need to subtract 28 from your length of ping, (Windows makes the data in the packet that big, then has 28 bytes of IP header on top). So for a 1500 byte mtu, ping -f -l 1472 51.x.x.232 If the MTU the router thin...
by rplant
Thu May 16, 2024 1:21 pm
Forum: Wireless Networking
Topic: Pseudobridge or Pseudobridge clone not work -> dhcp client in searching
Replies: 5
Views: 1377

Re: Pseudobridge or Pseudobridge clone not work -> dhcp client in searching

Does it really need to be bridged?

Putting the wired client(s) behind a Nat would be good.
by rplant
Thu May 16, 2024 12:48 pm
Forum: General
Topic: Any way to see connected client download/upload rates in WinBox?
Replies: 1
Views: 414

Re: Any way to see connected client download/upload rates in WinBox?

I would assume that this is displaying the information from ip firewall connections. (but could easily be wrong) Another option is the kid control which will apparently give statistics. Unfortunately I have not used it. Also you can create (with a script), a bunch of simple queues, one per LAN IP ad...
by rplant
Tue May 14, 2024 9:53 am
Forum: Beginner Basics
Topic: Some sort of tunneling
Replies: 4
Views: 794

Re: Some sort of tunneling

Cool, On review, I have some reservations about the following though /interface bridge vlan add bridge=bridge1 tagged=bridge1,ether3,ether4 untagged=\ ether2,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=10,20,30,40,50 I think you should remove the untagged= section. I am fairly sure the pvid=10 on the...
by rplant
Tue May 14, 2024 6:12 am
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 2852

Re: Winbox IKEv2 strange issue

It feels like an MTU/mss issue.
Can you ping the remote end with 1400 byte packets over the link.

/ping something-at-other-end-of-tunnel do-not-fragment size=1400

You could add some mangle rules to change the mss of tcp syn packets that leave or enter router using the IKEv2 policies. (1360 seems co...
by rplant
Mon May 13, 2024 6:20 am
Forum: RouterBOARD hardware
Topic: I cant solve bufferbloat issue with my hap ac2 router.
Replies: 12
Views: 3401

Re: I cant solve bufferbloat issue with my hap ac2 router.

You can put your outbound queue on ether1, and your inbound queue on bridge.

Then you should be able to fasttrack it.

You probably need to set the bucket size in the queue to 0.01 (or maybe less)
Also need to add no-mark and all other packet marks you use to these two queues.
by rplant
Mon May 13, 2024 5:38 am
Forum: RouterBOARD hardware
Topic: Anyone have SFP (not SFP +) working on RB5009?!?!?
Replies: 8
Views: 1590

Re: Anyone have SFP (not SFP +) working on RB5009?!?!?

Hi, I assume you are using 1G baseX at both ends. Auto negotiation turned off. It should work, all parts have been tested from here: https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility You may need to upgrade your routeros and routerboot if you haven't already, (probabl...
by rplant
Sun May 12, 2024 12:03 pm
Forum: General
Topic: Slow FTP upload speed via GRE Tunnel
Replies: 16
Views: 1510

Re: Slow FTP upload speed via GRE Tunnel

One other thought. If using ipsec, and there is Nat translation,

I think it uses transport mode, which will likely only work for
1 client per public ip address for GRE.

wireguard is good
by rplant
Sun May 12, 2024 10:12 am
Forum: General
Topic: Slow FTP upload speed via GRE Tunnel
Replies: 16
Views: 1510

Re: Slow FTP upload speed via GRE Tunnel

If using ipsec, possibly worth looking at the installed SA's and check it is using hardware encryption. /ip ipsec installed-sa print Flags in the second column, H for HW-AEAD Also your dst-nat rule, perhaps restrict it to in-interface=gre-2 The mangle rule, forces all packets from the specified addr...
by rplant
Sun May 12, 2024 2:55 am
Forum: Beginner Basics
Topic: Some sort of tunneling
Replies: 4
Views: 794

Re: Some sort of tunneling

Yes, I like your diagram, what did you use to make that? One relatively simple option is to put the lte device onto the vlan 10 IP range, (no dhcp server enabled on lte device). Eg. 192.168.1.10/24 Then put a src-nat firewall rule onto the Router for all traffic going to 192.168.1.10 And a default r...
by rplant
Sun May 12, 2024 2:31 am
Forum: Beginner Basics
Topic: s+rj10 cable connection
Replies: 3
Views: 523

Re: s+rj10 cable connection

The brass fold down tab is likely to lock the rj10 device into the sfp slot.
If you can pull the rj10 out of the slot without unlocking the tab you need to move it
to the locked position.
Seems unlikely to be the issue with the ethernet cable coming out.
Perhaps try another ethernet cable.
by rplant
Sun May 12, 2024 2:23 am
Forum: Beginner Basics
Topic: Can't find a way to connect to my server using wireguard
Replies: 8
Views: 1242

Re: Can't find a way to connect to my server using wireguard

Note:
If your client is a Mikrotik or other router, you will likely need to add some static routes into it.
Ordinary clients will automatically set up routes from the allowed ip settings.
by rplant
Sat May 11, 2024 2:27 pm
Forum: Beginner Basics
Topic: Can't find a way to connect to my server using wireguard
Replies: 8
Views: 1242

Re: Can't find a way to connect to my server using wireguard

If your server is on the 192.168.88.0/24 range Try to ping 192.168.88.1 from your wireguard client. If this doesn't work, 192.168.88.0/24 likely needs to be added to your wireguard client configuration. When this is working, try to ping your server from your wireguard client. If this doesn't work: T...
by rplant
Sat May 11, 2024 7:38 am
Forum: Beginner Basics
Topic: Can't find a way to connect to my server using wireguard
Replies: 8
Views: 1242

Re: Can't find a way to connect to my server using wireguard

Hi, If you have set it up as dmz of your existing router, you should probably rethink your firewall rules completely, and quickly. Go back to factory default rules and add your changes. You seem to have no block rules, so devices on the internet can presumably access the Mikrotik with no restraint. ...
by rplant
Thu May 09, 2024 3:05 am
Forum: Forwarding Protocols
Topic: best approach to mesh-y VPN with OSPF?
Replies: 4
Views: 922

Re: best approach to mesh-y VPN with OSPF?

Hi,

One option is to have multiple wireguard interfaces with one peer each.
Each peer can have 0.0.0.0/0 allowed address.

And then use ospf to route over them.
Can use ospf directly over the wireguards in a point to point mode.
by rplant
Wed May 08, 2024 1:27 pm
Forum: Beginner Basics
Topic: Route a Static IP through Wireguard Tunnel
Replies: 4
Views: 1243

Re: Route a Static IP through Wireguard Tunnel

/interface list member
add interface=WG-Cloud-BLR list=WAN


Possibly also
Change the wireguard MTU on the 5009 to 1412 (because its inside pppoe)
Add a persistent keep alive on the 5009 (somewhere 25-60 seconds is likely good)
by rplant
Wed May 08, 2024 7:43 am
Forum: General
Topic: Dynamic interface list woes
Replies: 3
Views: 729

Re: Dynamic interface list woes

Not sure,

A couple thoughts.

1. Add the pppoe Interface to the WAN interface list.
2. Disable/remove dhcp client on ether1 if it is still present.
3. Reboot the router (maybe something is remembering something from prior to disabling detect internet)
by rplant
Wed May 08, 2024 7:31 am
Forum: General
Topic: DHCP issue with WDS on particular home router brands
Replies: 3
Views: 858

Re: DHCP issue with WDS on particular home router brands

In other sort of vaguely similar situations, RSTP enabled can result in DHCP (and other) issues.
by rplant
Tue May 07, 2024 1:49 pm
Forum: Beginner Basics
Topic: How to block IP range when NATed?
Replies: 11
Views: 2080

Re: How to block IP range when NATed?

Filtering dst-nat ed packets seems to work ok here. One guess: If you copied and modified the default defconf: drop all from WAN not DSTNATed rule and edited it. You need to remove the connection state (! dst-nat) setting from your new rule. Also: You should be using a newer version of RouterOS, (an...
by rplant
Tue May 07, 2024 1:21 pm
Forum: Beginner Basics
Topic: Route a Static IP through Wireguard Tunnel
Replies: 4
Views: 1243

Re: Route a Static IP through Wireguard Tunnel

One solution Set up a route table to go via wireguard, and route entry to go via the wireguard interface. /route table add disabled=no fib name=ViaWG-Cloud /ip route add disabled=no dst-address=0.0.0.0/0 gateway=WG-Cloud routing-table=ViaWG-Cloud Then for setting up the routing of specified IP Addre...
by rplant
Mon May 06, 2024 2:50 am
Forum: General
Topic: Access Mikrotik subnet from modem subnet [SOLVED]
Replies: 18
Views: 5283

Re: Access Mikrotik subnet from modem subnet [SOLVED]

I trialled this at home, and it looks like theCat12's solution is likely the correct one. I connected to a device behind the Mikrotik, and the first couple of packets went via the main gateway, then the main gateway set an icmp redirect for host, giving the ip address of the Mikrotik, and after that...
by rplant
Sun May 05, 2024 2:20 pm
Forum: General
Topic: Changing MTU of 10G SFP Port Drops All Traffic On CCR2216
Replies: 4
Views: 702

Re: Changing MTU of 10G SFP Port Drops All Traffic On CCR2216

If you are using OSPF, all OSPF neighbours (of that interface) will also need to have an mtu of 9000.

Though not sure why you can't connect to it via IP.
by rplant
Sun May 05, 2024 11:02 am
Forum: General
Topic: Access Mikrotik subnet from modem subnet [SOLVED]
Replies: 18
Views: 5283

Re: Access Mikrotik subnet from modem subnet [SOLVED]

You could try the following: 1. Backup your current mikrotik config, because this may not work... Change the Mikrotik's wan1 interface to be a Lan interface. (Default config would involve removing from WAN interface list, and adding to LAN interface list) Change the IP address on the Lan interface t...
by rplant
Fri May 03, 2024 2:31 am
Forum: General
Topic: CCR + LtAP LTE as backup
Replies: 1
Views: 369

Re: CCR + LtAP LTE as backup

You could use OSPF, and set a higher metric on the LtAP. (both on local route table via pppoe client config, and OSPF) OSPF metric setup is non obvious (v7) Part example is: https://forum.mikrotik.com/viewtopic.php?t=181118 Mine wound up as: /routing filter rule add chain=ospf-metric rule="if (...
by rplant
Tue Apr 30, 2024 7:42 am
Forum: General
Topic: Unable to access Hosts after Mark Routing
Replies: 4
Views: 687

Re: Unable to access Hosts after Mark Routing

Also:

If you have the default firewall fasttrack rule in place, you need to have an accept rule prior to this rule
for the packets using the via-vrrp1 routing.

(or turn off the fasttrack rule)
by rplant
Tue Apr 30, 2024 7:25 am
Forum: General
Topic: Unable to access Hosts after Mark Routing
Replies: 4
Views: 687

Re: Unable to access Hosts after Mark Routing

Hi, You need to be a little bit careful how you mark your routes. If they are marked with via-vrrp1, they WILL use routes using table=use-vrrp1 I would tend to force it to go via routing rules. ip/firewall/mangle/ chain=prerouting action=mark-routing new-routing-mark=rule-vrrp1 passthrough=yes in-in...
by rplant
Sat Apr 27, 2024 9:45 am
Forum: Beginner Basics
Topic: VPN setup question
Replies: 1
Views: 480

Re: VPN setup question

Hi, Some options. Option 1 Push a route to the client (or set it up on OVPN client) of 192.168.10.0/24 via the existing OVPN connection. Then let the (presumably existing) configuration on the Mikrotik route and NAT this to the 192.168.10.0/24 Mikrotik WAN network. The next couple Both basically inv...
by rplant
Fri Apr 26, 2024 5:42 am
Forum: General
Topic: RB911G-5HPacD Time Problem
Replies: 6
Views: 898

Re: RB911G-5HPacD Time Problem

Perhaps netinstall, that often seems to fix assorted "weird" behavior.
(It reformats and bad blocks the flash as part of the operation apparently)
by rplant
Thu Apr 25, 2024 10:14 am
Forum: Beginner Basics
Topic: Need help with setting up WAN and LAN networks
Replies: 1
Views: 405

Re: Need help with setting up WAN and LAN networks

It looks like the lan sfp2 is not running. In winbox, double click on the sfp2 and check its link status. What is it connected to? If a 1G DAC or optical device you possibly need to force it to 1GBaseX, or at least include 1GBaseX in the Auto negotiation settings in the ethernet tab. if 10G probabl...
by rplant
Tue Apr 23, 2024 10:20 am
Forum: General
Topic: how to switch different ISP with Wireguard
Replies: 1
Views: 299

Re: how to switch different ISP with Wireguard

The following are a couple of options. /ip firewall nat chain=dstnat dst-address-type=local in-interface=ISP3 protocol=udp dst-port=wg-port action=dst-nat to-addresses=ip.of.ISP.1 OR /routing rule add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table...
by rplant
Sun Apr 21, 2024 12:52 pm
Forum: General
Topic: Trouble with WireGuard.
Replies: 4
Views: 877

Re: Trouble with WireGuard.

Incorrect public key at one or both ends seems to be more common than it should be.
Time/Date at both ends need to be near each other.

You can put in a firewall rule with log enabled on the outbound port as source port, (and interface), to see if anything is leaving for the
remote device.
by rplant
Sun Apr 21, 2024 12:26 pm
Forum: Beginner Basics
Topic: Using RB5009 in bridge mode [SOLVED]
Replies: 16
Views: 7041

Re: Using RB5009 in bridge mode [SOLVED]

But there is. You just have to go to PPP -> Profiles, and make a new one (or a copy of default)
Yay, Thank you :)
by rplant
Sat Apr 20, 2024 3:48 am
Forum: Beginner Basics
Topic: Problem with L2TP connection, partially works
Replies: 7
Views: 807

Re: Problem with L2TP connection, partially works

Not sure, Check that the firewall rule with 500,4500,1701 is counting. Perhaps split it into 3 rules, so you can see if you are getting all three counting (when coming in via isp router) Some ISP routers are annoying with ipsec, and need fiddling to get them to pass it through properly. There is nor...
by rplant
Sat Apr 20, 2024 3:28 am
Forum: Beginner Basics
Topic: Using RB5009 in bridge mode [SOLVED]
Replies: 16
Views: 7041

Re: Using RB5009 in bridge mode [SOLVED]

Also I missed something in the last post. You need to also add a route to your public ip in the "vrf-lan" instance. add dst-address=<public ip> gateway=ether2@vrf-lan routing-table=vrf-lan A problem that could also occur is, if you have a dynamic IPv4 address via pppoe because the dhc...
by rplant
Fri Apr 19, 2024 12:47 pm
Forum: Beginner Basics
Topic: Problem with L2TP connection, partially works
Replies: 7
Views: 807

Re: Problem with L2TP connection, partially works

Hi, If you are using a windows laptop to connect to your l2tp server, it won't work. Windows doesn't like natted L2TP server endpoints. (unless using certificates) There is a registry hack to make it work. If there is only one person (or less good a very trusted few) know the ipsec password/key it s...
by rplant
Thu Apr 18, 2024 6:36 am
Forum: RouterBOARD hardware
Topic: Mikrotik DAC between SFP and SFP+ ports
Replies: 2
Views: 1399

Re: Mikrotik DAC between SFP and SFP+ ports

Hi, Check: https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility I have a FS.com 10G DAC which works well (but is not supported) between a 4011 and a 3011 with the 4011 forced to 1G, and is also working well between the 4011 and a 10G sfp+ on a non Mikrotik switch. Virtua...
by rplant
Thu Apr 18, 2024 2:56 am
Forum: General
Topic: question on tunnel performance and getting past single core limits
Replies: 10
Views: 1094

Re: question on tunnel performance and getting past single core limits

I think at this point you know far more than me about vxlan, fragmentation. But anyway... where are you seeing this configuration? dont-fragment (disabled | enabled | inherit; Default: disabled) (default disabled looks correct) I'm not finding anything allowing for packet re-assembly on mikrotik. I ...
by rplant
Wed Apr 17, 2024 10:25 am
Forum: RouterBOARD hardware
Topic: Best choice for vpn gate
Replies: 3
Views: 1574

Re: Best choice for vpn gate

Possibly worth looking at and comments surrounding

viewtopic.php?p=1063801#p1063801

I like the hap ac2, though with current routeros versions you will likely need to disable and remove wifi packages.
by rplant
Tue Apr 16, 2024 9:15 am
Forum: General
Topic: question on tunnel performance and getting past single core limits
Replies: 10
Views: 1094

Re: question on tunnel performance and getting past single core limits

vxlan has an option to override/force allow fragmentation. It might need working pmtu to work correctly?
by rplant
Tue Apr 16, 2024 3:04 am
Forum: General
Topic: question on tunnel performance and getting past single core limits
Replies: 10
Views: 1094

Re: question on tunnel performance and getting past single core limits

I have seen posters having success using vxlan, apparently it runs multi core and supports fast path. If the above works, For later experimentation: You could somehow have the encrypted traffic in the internal network(s) use bigger than 1500 sized packets. (say 2800+) And let them be fragmented over...
by rplant
Mon Apr 15, 2024 6:48 am
Forum: General
Topic: Wireguard and MTU/MSS issues
Replies: 1
Views: 2589

Re: Wireguard and MTU/MSS issues

A few (hopefully some helpful) thoughts. If your hub is using pppoe, you will need to reduce the size of the wireguard vpn to 1412. (assuming MTU/MRU of 1492) You should probably also have the MSS setting for traffic coming in from the wireguard vpn, and perhaps use PMTU MSS. (rather than fixed size...
by rplant
Mon Apr 15, 2024 6:23 am
Forum: General
Topic: Specific DST-List over VPN
Replies: 2
Views: 426

Re: Specific DST-List over VPN

Not much to go on there. So per @anav /export file=anynameyouwish (minus router serial number and any public WANIP information, keys etc. ) However I will also make a guess. You need to limit the traffic that gets fast tracked. eg. Just before the fasttrack rule. /ip firewall filter .... add action=...
by rplant
Sat Apr 13, 2024 5:59 am
Forum: General
Topic: Modify the DHCP client of an LTE interface
Replies: 11
Views: 1456

Re: Modify the DHCP client of an LTE interface

You can currently 7.15beta8 do the following, (it seems harder than it was) Add a dhcp client for some other interface. (Make a bridge if necessary) Save the new dhcp client and disable it. Then with the lte device plugged in Change the newly created dhcp client to use the lte1 interface (keep it di...
by rplant
Mon Apr 08, 2024 7:43 am
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 22
Views: 2476

Re: BTH BUG Bleeding Into Regular Wireguard.

Wireguard port (Really only applies to server), often for Mikrotik 13231 /routing rule add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main Just an easy way of making all routes that are not 0.0.0.0/0 use the main routing table This is often a ...
by rplant
Sun Apr 07, 2024 11:46 am
Forum: RouterBOARD hardware
Topic: Gigabit auto-negotiation over 2-pair cable
Replies: 12
Views: 2237

Re: Gigabit auto-negotiation over 2-pair cable

You could perhaps script it with some sort of netwatch or similar script, that if can't connect, after a while it removes the 1G advertisements. (Ideally on the nearest to management end, though unfortunately it looks like you would have to do it on the remote end routers) Though if you are putting ...
by rplant
Sun Apr 07, 2024 11:19 am
Forum: Beginner Basics
Topic: OVPN client connects but no reply
Replies: 7
Views: 1648

Re: OVPN client connects but no reply

On the Mikrotik can you ping 10.81.234.129? On the Mikrotik can you trace route to 10.0.10.119, do you see the intermediate hops? If so, perhaps 10.0.10.119 doesn't respond to pings (from non local subnet)? Could you ping this IP when connected via your computer? You could add openvpn to system/logg...
by rplant
Sun Apr 07, 2024 9:02 am
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 22
Views: 2476

Re: BTH BUG Bleeding Into Regular Wireguard.

At least a part of the problem is that if/when packets/connections are marked coming into the wireguard port, responses, etc are not marked when leaving from the wireguard port. Routing rules do work. (And you then don't need to mark anything for wg routing purposes) However if you have dynamic IP a...
by rplant
Sun Apr 07, 2024 8:32 am
Forum: General
Topic: Queue over PPPoE ISP Client interface not working
Replies: 3
Views: 475

Re: Queue over PPPoE ISP Client interface not working

You need to have some limits on the queue.
eg. max-limit=50M

Also, if marking packets, probably need all possible marks.
Perhaps if use cake for queue, won't need any marking.

Possibly set queue bucket size=0.01
by rplant
Thu Apr 04, 2024 12:10 pm
Forum: General
Topic: IP address invalid [SOLVED]
Replies: 2
Views: 798

Re: IP address invalid [SOLVED]

The network and address should be different for a /32.
for /32 Address is local ip address, network is remote end ip address.
by rplant
Wed Apr 03, 2024 6:28 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Cool, well done, with much patience...
by rplant
Wed Apr 03, 2024 1:56 am
Forum: General
Topic: 10Gtek SFP module ref ASF-GE-T auto negotiation problem with RouterOS > 7.12
Replies: 3
Views: 1561

Re: 10Gtek SFP module ref ASF-GE-T auto negotiation problem with RouterOS > 7.12

A couple of thoughts.

1. Plug the port into a 100M something, does it connect, and work?

2. Set auto negotiation, include 1000 base-x in the list of negotiation items.
(Or even have it as the only item)
by rplant
Fri Mar 29, 2024 5:39 am
Forum: General
Topic: How can I configure my own PPPOE server to access IPV6 under ROS 6.XX?
Replies: 2
Views: 440

Re: How can I configure my own PPPOE server to access IPV6 under ROS 6.XX?

Hi, One possibility is that you create an IPv6 dhcp client, and attach that to the pppoe client interface. With luck you can check prefix and address items and will get both. If you require prefixes (which you probably will) It will require a pool name (which it will auto create) And a prefix length...
by rplant
Mon Mar 25, 2024 11:46 pm
Forum: General
Topic: L2TP client won't connect, from certain routers.
Replies: 3
Views: 964

Re: L2TP client won't connect, from certain routers.

Hi, You can under system logging add an l2tp entry, to get a bunch more logging that might be helpful. /system logging add topics=l2tp I think you will need to change (or remove) the max-mtu and max-mru settings. Perhaps you could set up mrru with some value maybe >1518 (if the provider supports thi...
by rplant
Fri Mar 22, 2024 11:25 am
Forum: Beginner Basics
Topic: Wireguard handshake is succesful but client is unable to access internet
Replies: 3
Views: 1476

Re: Wireguard handshake is succesful but client is unable to access internet

Hi, The following is only if you are running the Mikrotik as a Bridge Device inside your ISP router LAN. Acting as a Wireguard server for remote clients, (and possibly not doing much else) Note: Many of Anav's comments still apply. (If you are doing something else, please ignore all this) 1. Give th...
by rplant
Fri Mar 22, 2024 8:19 am
Forum: Wireless Networking
Topic: HAP AX Lite - WPS not working [SOLVED]
Replies: 9
Views: 6817

Re: HAP AX Lite - WPS not working [SOLVED]

Cool...

One thought about the randomised password, you could connect your laptop to the airport using wps and once connected.
From a command prompt use:

netsh wlan show profile /?

View the password, is it the same (if different my guess is that it will probably be some function of mac address)
by rplant
Fri Mar 22, 2024 7:23 am
Forum: General
Topic: UPnP won't work after literal hours of trying - help pls!
Replies: 12
Views: 1151

Re: UPnP won't work after literal hours of trying - help pls!

Literally all I did and voila, it all worked, no changes needed. Is that normal for RouterOS/RB5009? I've only had it a week. Most things work immediately, but there is a small number (Mostly I seem to find by trial and error) where a reboot is required. Perhaps where some service now needs to be r...
by rplant
Fri Mar 22, 2024 7:18 am
Forum: Beginner Basics
Topic: Issue with ping and EoIP
Replies: 2
Views: 479

Re: Issue with ping and EoIP

One possible option is a second eoip for the link over ether4. Ether 4 will likely have a different IP address, that the existing main campus eoip doesn't know about. You can then have both links running and use rstp or similar to prevent loops. Other options might be to setup an l3 vpn (road warrie...
by rplant
Tue Mar 19, 2024 10:00 am
Forum: General
Topic: UPnP won't work after literal hours of trying - help pls!
Replies: 12
Views: 1151

Re: UPnP won't work after literal hours of trying - help pls!

Make the input action for 1900 and 2828 accept and log (for all devices) initially.
Mostly just to see if they count, and what is attempting to send UPNP packets.

Then Reboot the router.
by rplant
Tue Mar 19, 2024 6:24 am
Forum: Beginner Basics
Topic: Wireguard handshake is succesful but client is unable to access internet
Replies: 3
Views: 1476

Re: Wireguard handshake is succesful but client is unable to access internet

I think adding a masquerade rule to the bridge for traffic from the wireguard interface is needed.
/ip firewall nat
add action=masquerade chain=srcnat comment="wireguard: masquerade" \
    out-interface=bridge src-address=192.168.100.0/24
 
by rplant
Sat Mar 16, 2024 4:40 am
Forum: RouterBOARD hardware
Topic: Upgrade from RB750Gr3
Replies: 16
Views: 2540

Re: Upgrade from RB750Gr3

You can see ram used, cpu use, disk used/free space (and other stuff) /system resource print Another couple of cheaper (but less good) router options are: (Note: You can disable, and with current V7 actually remove the wifi/wireless packages) Hap AC2, - CPU quite a bit faster than hex - Only 128M Ra...
by rplant
Tue Mar 12, 2024 12:22 am
Forum: General
Topic: IPsec identities keep getting disabled
Replies: 4
Views: 731

Re: IPsec identities keep getting disabled

Hi, I thought about it some more, perhaps the following might be useful. Make a backup, and export of your current config. Trawl through the export from 1, and make sure there are no dubious scripting entries (system scripts, system scheduler, perhaps dhcp/pppoe scripts) either unknown or (now) inco...
by rplant
Mon Mar 11, 2024 9:50 am
Forum: General
Topic: IPsec identities keep getting disabled
Replies: 4
Views: 731

Re: IPsec identities keep getting disabled

Hi, Sorry I don't know what the problem might be, apart from that I don't think you shouldn't be attempting this in the first place. The CPU isn't very powerful, has no ipsec hardware offload and when you overload it, the switching management functionality will likely suffer. You could try wireguard...
by rplant
Sun Mar 10, 2024 1:31 am
Forum: Beginner Basics
Topic: Logging incoming traffic
Replies: 3
Views: 496

Re: Logging incoming traffic

For the mirror interface, there is also the possibility of using the Switches mirroring function.
(Needs to be a router with a switch chip which is many/most of them)

Need to ensure the destination port is on the same switch as the source port.
In cases where the router has more than 1 switch chip.
by rplant
Sun Mar 10, 2024 12:50 am
Forum: General
Topic: How to get the result of a DHCPv6 client request for an option ?
Replies: 2
Views: 355

Re: How to get the result of a DHCPv6 client request for an option ?

in https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client it mentions an options array as being one of the variables supplied to the script. This looks like it might actually be present but using it will take some effort/ may not be doable. It appears to mostly be binary. my script /log info $options
by rplant
Sun Mar 10, 2024 12:02 am
Forum: Beginner Basics
Topic: Share WAN port between 2 interfaces
Replies: 1
Views: 665

Re: Share WAN port between 2 interfaces

Yes it is possible. Ideally use Winbox, or webfig to configure the router. Non optimal solution, (but likely near enough) Summary Add a new 2 port bridge for Wan connection, create and connect a pppoe client to it. Roughly what I would do: Starting from the Mikrotik default configuration with a rece...
by rplant
Fri Mar 08, 2024 9:46 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 7147

Re: WireGuard Multi-WAN Policy Routing

Ammo's suggestion appears to work. I made a new bridge, added an IP address to it, put a dst-nat rule for the wireguard traffic to listen on a different port, and forward to the new IP address, and correct wireguard port. Then routing rule to route from new IP address to wan via correct table. /inte...
by rplant
Thu Mar 07, 2024 2:11 am
Forum: Beginner Basics
Topic: Multiple WAN IP addresses on the same interface, forwarding to internal devices
Replies: 2
Views: 1382

Re: Multiple WAN IP addresses on the same interface, forwarding to internal devices

Assuming the Mikrotik's LAN/Bridge address is 192.168.0.xx/24 perhaps apply a src-nat masquerade rule to the LAN/Bridge interface. Unfortunately, this will result in the PLC's not knowing what real IP connected to them. You will likely need to enable Logging on the dst-nat rule, so you can, when nec...
by rplant
Wed Mar 06, 2024 12:27 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Hi, I think you possibly need to revert to the previous separated configuration for the 4011 that connected and worked with the phones. It has the firewall rules you need and want when having an external facing Wan interface (which is what the voip pppoe interface is) From there, you just need to re...
by rplant
Mon Mar 04, 2024 1:01 pm
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Hi, I am not sure if what I am about to describe aligns with what you want to do, but. Outline: Slave the RB4011 to the UDM Pro for internet access, but keeps voip wan. Phones are setup to use the RB4011 for their default gateway and DNS Everything else continues to use the UDM Pro for their default...
by rplant
Mon Mar 04, 2024 10:03 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn [SOLVED]
Replies: 20
Views: 5108

Re: WireGuard Handshake issue protonvpn [SOLVED]

Use Anav's config, it seems likely more flexible.

One minor change
(10.2.0.1 seems to be the IP that protonvpn uses for its end)
/ip address
add address=10.2.0.2/30 interface=WG0 network=10.2.0.0
by rplant
Mon Mar 04, 2024 9:45 am
Forum: Wireless Networking
Topic: HAP AX Lite - WPS not working [SOLVED]
Replies: 9
Views: 6817

Re: HAP AX Lite - WPS not working [SOLVED]

If you have an older device that runs the wireless package, you could experiment with that. It has a lot more tweaky options.
by rplant
Mon Mar 04, 2024 12:12 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn [SOLVED]
Replies: 20
Views: 5108

Re: WireGuard Handshake issue protonvpn [SOLVED]

One issue with the above is that there is no DNS available when wireguard is turned off.

You could perhaps add 8.8.8.8 and/or 1.1.1.1 as dns servers
by rplant
Sun Mar 03, 2024 1:45 pm
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn [SOLVED]
Replies: 20
Views: 5108

Re: WireGuard Handshake issue protonvpn [SOLVED]

I think your best option is to reset to the default config and work from there. Once reset, You can choose from the following as suits your requirements. Set up the name for the Router Set up the password for the Router. Set up your wireless as required. /ip services, Turn off unneeded services (I r...
by rplant
Sat Mar 02, 2024 11:04 am
Forum: Wireless Networking
Topic: HAP AX Lite - WPS not working [SOLVED]
Replies: 9
Views: 6817

Re: Mitsubishi AC adapters won’t associate or connect through WPS [SOLVED]

Perhaps set the mac address of the wifi interface to the same as the airport and see if it likes that.
(Turn off the airport)
by rplant
Sat Mar 02, 2024 10:42 am
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 2093

Re: OSPF over Wireguard links

This is worth looking at:

viewtopic.php?t=182046

I would be inclined to setup static neighbors to the wireguard peers.
by rplant
Fri Mar 01, 2024 2:36 am
Forum: Beginner Basics
Topic: Transparent bridge, mangle and prerouting
Replies: 3
Views: 820

Re: Transparent bridge, mangle and prerouting

Sorry for the amount of text here. My thoughts. 1. You likely need to take some care with your customers networks. 2. The VPN connection to your server should look like a WAN interface to your client, - ie. Your clients can connect to your server. - Your server can't open connections to devices on ...
by rplant
Thu Feb 29, 2024 7:08 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Well Done :)
by rplant
Thu Feb 29, 2024 6:52 am
Forum: Beginner Basics
Topic: Transparent bridge, mangle and prerouting
Replies: 3
Views: 820

Re: Transparent bridge, mangle and prerouting

Hi, My thought is that you might be better with a different router that has a different switch chip. (eg. A Hap AC^2) With these switch chips, you can set the bridge to be fully hardware forwarding, using switch rules to kick selected switched packets to the CPU. (It then hits the bridge configurati...
by rplant
Thu Feb 29, 2024 12:05 am
Forum: Beginner Basics
Topic: Some websites do not load - PPPOE -
Replies: 1
Views: 1191

Re: Some websites do not load - PPPOE -

Commonly the MTU for pppoe is 1492, Some ISP's do seem to require 1480 though. If you have any max-mru, max-mtu set in your pppoe client you could remove the settings, see if anything changes. You could also try setting them to 1492 (or even 1500, though this is very unlikely to work) See what the m...
by rplant
Wed Feb 28, 2024 2:03 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn [SOLVED]
Replies: 20
Views: 5108

Re: WireGuard Handshake issue protonvpn [SOLVED]

Another possibility If you have a routing entry like: /ip route add comment="via wireguard" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 or (not better) /ip route add comment="via wireguard" disabled=no distance=1 dst-address=0.0.0.0/128 gateway=wireguard1 add ...
by rplant
Tue Feb 27, 2024 12:51 pm
Forum: Beginner Basics
Topic: Help routing 1 internal IP address to a different dns server
Replies: 10
Views: 827

Re: Help routing 1 internal IP address to a different dns server

You can make a dhcp server network entry for the specific static ip address,
with required dns server, etc.
by rplant
Tue Feb 27, 2024 5:31 am
Forum: Wireless Networking
Topic: Wireless Bridge with hAP AX3 [SOLVED]
Replies: 6
Views: 5444

Re: Wireless Bridge with hAP AX3 [SOLVED]

Check here: viewtopic.php?p=1025978#p1025970

Try to change bridge protocol from rstp (default) to none.
by rplant
Mon Feb 26, 2024 3:49 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn [SOLVED]
Replies: 20
Views: 5108

Re: WireGuard Handshake issue protonvpn [SOLVED]

Needing the raw rule, might indicate some sort of dubiousness. You could fix the port your MT client connects from, (in the example below 13231) Add the following rules, enable them and see what gets logged, and how/if the counters count. (Alternatively, set the firewall rules below to log packets t...
by rplant
Fri Feb 23, 2024 6:30 am
Forum: General
Topic: Wireguard Site-to-Site Route not working
Replies: 3
Views: 1227

Re: Wireguard Site-to-Site Route not working

Assuming Site B is acting as a client to Site A with Wireguard connected over IPv6, it seems like it should work.

Site B has keep-alive configured?
The static route you talk of is for 192.168.1.0/24 via Wireguard1?
You have appropriate black hole routes or filtering for 192.168.1.0/24 otherwise?
by rplant
Wed Feb 21, 2024 11:19 am
Forum: Beginner Basics
Topic: IP connectivity basics
Replies: 2
Views: 441

Re: IP connectivity basics

Perhaps you installed the newer wifi package onto the hap ac2?
It is not compatible with that capsman.
You need the older wireless package instead.

(If it was also running 7.12.1, it would only have the old wireless package)
by rplant
Wed Feb 21, 2024 1:35 am
Forum: Beginner Basics
Topic: RB3011 SFP speed issue
Replies: 8
Views: 1181

Re: RB3011 SFP speed issue

For Mikrotik's S-RJ01 they have the following note: Use these modules only with auto-negotiation enabled, forced link speeds are not supported. They will negotiate to correct duplex and highest possible rate. I would suggest you also do this. Also, try plugging the other end into a normal ethernet p...
by rplant
Wed Feb 21, 2024 12:17 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn [SOLVED]
Replies: 20
Views: 5108

Re: WireGuard Handshake issue protonvpn [SOLVED]

Some possible reasons.

The destination IP address or port is wrong.
One (or both) of the Public keys is wrong.
The clock is wrong.

Perhaps your government or ISP blocks protonvpn.
(I would assume you would know if they did though)
by rplant
Tue Feb 20, 2024 12:42 am
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 1728

Re: Locked Out

Perhaps a router between you and the target router is doing NAT, so the target router is not seeing a 192.168.121.x IP address?
by rplant
Tue Feb 20, 2024 12:34 am
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 1728

Re: Locked Out

Unless you have disabled this option.
The Mikrotik woobm is handy for this scenario.

Plug into the usb port, looks like a serial console interface to the Mikrotik.
Connect to it wirelessly from your laptop.
by rplant
Sun Feb 18, 2024 2:21 am
Forum: Beginner Basics
Topic: RB3011 SFP speed issue
Replies: 8
Views: 1181

Re: RB3011 SFP speed issue

Sorry, on review it looks like 10G optical modules very likely work in this port. (I had thought they wouldn't) But the Base T modules, not so much probably at least partly because they have a bunch more complexity in them. Mikrotik's S+RJ10 won't work with any SFP only port, only sfp+, I would assu...
by rplant
Sat Feb 17, 2024 12:15 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Cool, Good Luck
by rplant
Fri Feb 16, 2024 12:40 pm
Forum: General
Topic: no NTP update after reboot RouterOS v7 hAP ax³ [SOLVED]
Replies: 4
Views: 953

Re: no NTP update after reboot RouterOS v7 hAP ax³ [SOLVED]

Feb/15/2024 12:37:58 system,error,critical router rebooted without proper shutdown, probably power outage Feb/15/2024 14:20:10 system,critical,info ntp change time Feb/15/2024 12:38:19 => Feb/15/2024 14:20:10 Appears to indicate time change happened <1 minute after reboot. 12:37:58 to 12:38:19 time...
by rplant
Fri Feb 16, 2024 12:21 pm
Forum: Beginner Basics
Topic: MikroTik switch and Unifi Switch can no longer negotiate 10Gb connection over SFP+
Replies: 6
Views: 1319

Re: MikroTik switch and Unifi Switch can no longer negotiate 10Gb connection over SFP+

Lots of sfp things seem to have been fixed in the 7.14 chain, perhaps upgrade to it.
by rplant
Fri Feb 16, 2024 12:12 pm
Forum: Beginner Basics
Topic: RB5009 - invalid mtu 8000 on ether1 any idea why?
Replies: 7
Views: 1232

Re: RB5009 - invalid mtu 8000 on ether1 any idea why?

You could perhaps set ether1 mtu to 8000 and see if it stops.
And see if anything breaks.
by rplant
Fri Feb 16, 2024 12:02 pm
Forum: Beginner Basics
Topic: RB3011 SFP speed issue
Replies: 8
Views: 1181

Re: RB3011 SFP speed issue

RB3011 has a 1G sfp port not 10G.
by rplant
Fri Feb 16, 2024 1:41 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Hi, I found I forgot to setup DNS for the pppoe connections: You can apply the following change. /interface pppoe-client set pppoe-wan use-peer-dns=yes set pppoe-voip use-peer-dns=yes To look at the DNS servers it has received. /ip dns print The dynamic servers it has listed will have been provided ...
by rplant
Thu Feb 15, 2024 10:35 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Sorry for the delay, I had no internet for a while. Apparently you should remove the serial number from your listing. You need to add the following, or the wan side can't work. /interface list member add interface=vlan835 list=WAN add interface=pppoe-wan list=WAN The first section of your log looks ...
by rplant
Tue Feb 13, 2024 2:23 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

More voice stuff: This assumes the pppoe-voip connection is up and connected. Mostly from the BYOD_OneNet_Info document. #Add static routes /ip route add dst-address=62.38.86.32/28 gateway=pppoe-voip add dst-address=62.38.86.48/28 gateway=pppoe-voip add dst-address=62.38.86.144/28 gateway=pppoe-voip...
by rplant
Tue Feb 13, 2024 2:04 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Hi, I think it should be ok, though I have not used an ONT. I gain the impression that the customer side is normal ethernet, (with vlans and pppoe running on it in this case). Offtopic: You could perhaps at some later trial the following config later and perhaps get the internet also running from th...
by rplant
Tue Feb 13, 2024 1:01 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Hi, Yes, the UCM6302 should be configured as static, and not on vlan 838. I have attached a diagram of how I think it will be setup at least initially for testing. vfgr.jpg For testing, use ether1 as the WAN port, as this minimises the amount of changes that need to be configured from the default co...
by rplant
Mon Feb 12, 2024 2:04 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Some (current) configuration setup (hopefully).


https://www.vodafone.gr/ypostirixi/tech ... al-support

Choose the bottom entry.
by rplant
Sun Feb 11, 2024 2:42 am
Forum: Beginner Basics
Topic: L2TP connection and the same LAN subnet IP
Replies: 10
Views: 1535

Re: RDP connection and the same LAN subnet IP

To 192.168.0.XX IP from local PC with 192.168.0.XX IP
A possibility is on the Mikrotik to have some dst-nat rules, which say if the destination address from a VPN client is 192.168.200.XX forward it to 192.168.0.XX (netmap?) Then on the local PC with IP address 192.168.0.24 to connect to 192.168.0.2...
by rplant
Sun Feb 11, 2024 2:25 am
Forum: Beginner Basics
Topic: Same address pool in WAN/LAN [SOLVED]
Replies: 9
Views: 3991

Re: Same address pool in WAN/LAN [SOLVED]

Pools shouldn't go through subnet boundaries. You can do something like the following. Set a static IP address on the Wan side of the second router. One of the following should be fine. 192.168.1.2/25 (0 to 127) gateway 192.168.1.1 If only have 2 devices on Wan side of second router. 192.168.1.2/30 ...
by rplant
Sat Feb 10, 2024 11:09 am
Forum: General
Topic: Wireguard doesn't work and no logs
Replies: 24
Views: 5825

Re: Wireguard doesn't work and no logs

The keys are not supposed to change, however now I think about it,
I have seen other posts where it didn't work, so they changed one character in the key, then changed the key back
to what it was, and it started working.

Hopefully newer versions of RouterOS are better.
by rplant
Sat Feb 10, 2024 8:29 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Using the Mikrotik as the voip PPPoE client: I am assuming the UCM6302 is the main phone hub, and phones connect to it, and the UCM6302 connects to the ISP's voip service. The UCM6302 is plugged into a spare port on the RB4011#1 (Not port 9) (At some stage, perhaps want to rejig this a bit, so maybe...
by rplant
Sat Feb 10, 2024 6:23 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Hardware connectivity: I am assuming that the link from the UDM-PRO sfp+1 to the ISP WAN interface is an ethernet cable. You need to get another connection (the voice pppoe) onto this cable and into the ISP WAN. There are a few options. 1. You do it from the UDM, probably best, but sorry I don't kno...
by rplant
Sat Feb 10, 2024 5:38 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Hi, Find some changes to make the router more secure.
Copy and paste a bit at a time, pick the bits you want.
#Some additions to make router more secure (most from default firewall config).
/interface list
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=...
by rplant
Fri Feb 09, 2024 12:45 pm
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Hi,

I found the following, it looks like it might be very similar to how you are connected.

https://assets.ctfassets.net/b79acpktwv ... t_Info.pdf
by rplant
Fri Feb 09, 2024 8:26 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

Hi, Given you had no Wan list, you likely need to use the following (if you haven't already)
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!...
by rplant
Fri Feb 09, 2024 5:53 am
Forum: General
Topic: Access single server across VLANs
Replies: 5
Views: 555

Re: Access single server across VLANs

These look a bit dubious
** add bridge=BR0 tagged=BR0,ether8 untagged=ether7 vlan-ids=20,30,40
Perhaps
add bridge=BR0 tagged=BR0,ether8 untagged=ether7 vlan-ids=20
add bridge=BR0 tagged=BR0,ether8 vlan-ids=30,40
Also
** add bridge=BR0 tagged=BR0 vlan-ids=201
Perhaps
add bridge=BR0 tagged=BR0 untagge...
by rplant
Thu Feb 08, 2024 12:28 am
Forum: General
Topic: Wireguard doesn't work and no logs
Replies: 24
Views: 5825

Re: Wireguard doesn't work and no logs

I would generally look at the wireguard peer tx, rx and last handshake information. If they aren't changing with incoming it would normally mean the public key you have is wrong. Or the clock has the wrong time at one (or both) ends. You have the private key for the peer, so you can make another wir...
by rplant
Thu Feb 08, 2024 12:01 am
Forum: General
Topic: Is architecture emulation under docker supported?
Replies: 6
Views: 834

Re: Is architecture emulation under docker supported?

If you search the forums, someone has made a docker container for the cli netinstall program.
They have put a (x64 I think) emulator into the container (it is smaller than the netinstall executable)
by rplant
Tue Feb 06, 2024 11:52 pm
Forum: General
Topic: Feature requests
Replies: 1767
Views: 663155

Re: Feature requests

Bridge-To-Bridge joiner.
You can do that with two local EoIP interfaces.
Whenever I have tried this it never allows me to have 2 with the same tunnel ID.
Also quite a lot of overhead.
by rplant
Tue Feb 06, 2024 8:27 am
Forum: General
Topic: Feature requests
Replies: 1767
Views: 663155

Re: Feature requests

Bridge-To-Bridge joiner. To be assumed it will not be high performance. Uses: - Legacy PPPoE pass through (My ISP uses PPPoE...) - Natting Mac addresses from devices to the CPU. (Multiple devices with the same Mac Address) - mDNS and SSDP pass through in a single router. https://forum.mikrotik.com/v...
by rplant
Tue Feb 06, 2024 1:23 am
Forum: Beginner Basics
Topic: Troubleshooting wireguard S2S VPN
Replies: 3
Views: 736

Re: Troubleshooting wireguard S2S VPN

One (major) issue.

Unless the Mikrotik is the network's default gateway, nothing on the network will be attempting to
send packets destined for head office to the Mikrotik, they will send them to the home internet router.

(Unless they have appropriate static routes installed)
by rplant
Tue Feb 06, 2024 12:36 am
Forum: Beginner Basics
Topic: Troubleshooting wireguard S2S VPN
Replies: 3
Views: 736

Re: Troubleshooting wireguard S2S VPN

If that is pretty much the entire configuration (ie. No drop rules in filter) it looks like it should be working. Double check that the rx, tx and last handshake counters in the wireguard peer are all non zero. (Seems likely that is also ok, given you can ping the 10.0.0.0/24 from the PFSense, but c...
by rplant
Sat Feb 03, 2024 8:43 am
Forum: General
Topic: Allow remote-logging input on ROS [SOLVED]
Replies: 12
Views: 2392

Re: Allow remote-logging input on ROS [SOLVED]

What I have works, but it was set up quite a while ago, so there may be something I have missed here.
/system logging action
add disk-file-count=10 disk-file-name=disk1/dudeLog/dudeLogNew disk-lines-per-file=4000 name=dudeLog target=\
    disk
# for testing (later)
add name=dudeSyslog remote=127.0.0.1 tar...
by rplant
Sat Feb 03, 2024 2:08 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 5736

Re: Help with configuration of a port.

perhaps
/interface/bridge/port disable [find where interface=ether9]
/interface vlan add name=voip_vodafone_vlan vlan-id=838 interface=ether9
/interface pppoe-client add name=pppoe_connection_for_vodafone_voip user=guest@onenetvoice.gr password=guest \
    interface=voip_vodafone_vlan disabled=no
/inter...
by rplant
Sat Feb 03, 2024 1:36 am
Forum: General
Topic: OVPN Windows client disconnecting every 1 minute without internal tunnel traffic
Replies: 3
Views: 794

Re: OVPN Windows client disconnecting every 1 minute without internal tunnel traffic

Sorry, Not sure.

Perhaps you could remove the ping-restart entry on the client and see if the link works ok without it.
(Or make it much bigger)
by rplant
Fri Feb 02, 2024 11:21 am
Forum: General
Topic: OVPN Windows client disconnecting every 1 minute without internal tunnel traffic
Replies: 3
Views: 794

Re: OVPN Windows client disconnecting every 1 minute without internal tunnel traffic

Possibly the keepalive timeout on the server is too long. From help (https://help.mikrotik.com/docs/display/ROS/OpenVPN) its definition looks kind of strange, it appears to do nothing until the timeout expires then sends ping packets one per second until either another timeout occurs or it receives ...
by rplant
Fri Feb 02, 2024 10:45 am
Forum: General
Topic: CCR1009-8G-1S Throughput Speed
Replies: 20
Views: 1239

Re: CCR1009-8G-1S Throughput Speed

You could attach one of these to your 10G sfp+ port maybe with a dac cable.

https://www.aliexpress.com/item/1005006278753506.html