MikroTik

rplant

Wifiwave 2 drivers only available for (some?) arm based CPU devices.

There were some discussions and workarounds before wifiwave2 had station-bridge as an option.

eg.
viewtopic.php?t=180369

rplant

Hi, I would initially make the ovpn-profile setting have the following settings. interface-list=LAN and dns-server=192.168.90.1 You can tie it down more (perhaps with a OVPN interface list) and appropriate firewall rules when all is working. /ppp profile add change-tcp-mss=yes dns-server=192.168.90....

rplant

I think in very recent versions, a pvid=10 sets the untagged vlan to 10, and you don't need or want anything else. You can't add an ip address to ether23 when it is part of the bridge. (In this case with no other vlan membership you would add the address to the bridge) All ports with the default vla...

rplant

I struggle with SwitchOS and find the diagnostics on RouterOS well worth the extra complexity. For a 2 CRS326 scenario, I was thinking perhaps the 2 ports to the TrueNas could be part of the redundancy scheme. If not perhaps a 2 cable etherchannel between the 2 CRS's for when the fibre link between ...

rplant

If you have a FB as a gateway firewall router, you may be able to use the CRS326 without any additional routers. You will need to add static routes in the FB so it knows that you have additional IP address ranges inside your LAN. And it should then NAT traffic from these additional IP ranges ok. I a...

rplant

Hi, My thoughts as someone who knows virtually nothing about this higher end of the world. In this instance the 2 * CRS504's seem to add very little to the system apart from cost and complexity. Perhaps you could contact your local Mikrotik Distributor maybe they would loan you a couple, (or even th...

rplant

Hi, With default firewall rules it should normally work with just the sip alg turned off. However I have noticed (Europe ??) that the voip is often provided over a dedicated vlan. So presumably if your voip traffic is not using that dedicated vlan, the voip will not work/connect. If this is the case...

rplant

I think Recent versions of Ros V7 don't have the upgrade from V6 conversion functionality any more. If you upgrade in the Gui from a very recent V6 to V7, it should offer you one of the V7.12.x ROS's. This does have upgrade functionality, (and also sets up for wireless) From 7.12.x you can upgrade t...

rplant

Hi,
It seems difficult.

The following is very similar, and they have some options.

viewtopic.php?t=170694

rplant

Hi, A few thoughts. Does the CRS have a gateway IP address? (ie. Did its DHCP client work) Can you ping 8.8.8.8 from the CRS? Do you have the correct ip address, default gateway on your client device? On a slightly different note. The CRS312 is a switch, it can also route but its CPU is quite low po...

rplant

Hi, I attempted this config on a hex, it mostly worked. I needed the following slight changes. #Not sure how this was missing, perhaps removed from your export for some reason. /interface bridge add name=bridge #websites wouldn't work without allow-remote-requests /ip dns set servers=8.8.8.8,8.8.4.4...

rplant

My thoughts, (and some assumptions) I assume your clients connecting to the MAP might have their default gateway via a wired connection and you might not want to disrupt that. You might not want the industry devices being able to reach back to connect to the LAN devices connecting to them. In additi...

rplant

Sorry I Don't know but a couple of thoughts. 1. Perhaps you can have a scheduled task to take the link down and then restore it each night at some convenient out of hours time. (Hopefully the next 36 hours starts from this time) 2. Perhaps instead of turning off the pppoe you could disable the under...

rplant

Hi, It is not obvious what you want. 2 Options I can think of: Option 1. The endpoints are 192.168.4.1 and 192.168.5.1 The Socks5 proxy is the Mikrotik. Option 2. The endpoints are somewhere completely different, and the Socks proxy's are 192.168.4.1 and 192.168.5.1 Option 1. The endpoints are 192.1...

rplant

Do you have an appropriate allowedips value on your windows client configuration in the [peer] section Something like AllowedIPs = 192.168.1.0/24 (Change as required for your Mikrotik lan range) Perhaps if you want all traffic to go via the VPN (Probably don't use this if your Mikrotik is behind cgn...

rplant

faulty ntp is common (for Mikrotik's). You often need to src-nat the port from your ntp-client (So it looks like it's coming from a high port rather than port 123) As ISP's, ntp servers will often block ntp from port 123. Something like: /ip firewall nat add action=src-nat chain=srcnat out-interface...

rplant

A guess...

You do need to keep the accept rule after the fasttrack rule.

rplant

Hi, I am assuming, the 10.10.10.10 routing rule uses Public as its route table. You could try the following routing rule prior to the 10.10.10.10 rule. /routing rule add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main Unfortunately there appar...

rplant

You can likely do your original request, but it is kind of expensive (on a hex) You need to have one or more bridge nat rules, that match your requirements that redirect to the CPU which effectively kicks the packet to the routing engine, and then to wireguard as required. If the routing engine just...

rplant

BUT what if I create a subnet on Mikrotik on the same segment of the ISP router, with absolutely NO ROUTING AND FIREWALL RULES? Yes you can do this. (But I would probably leave the default config on it, with firewall rules, etc) Make a subnet, eg. 192.168.10.160/28 (A range of 16), with router ip a...

rplant

It sort of looks like there are 4 bytes required.

Perhaps the pppoe comes on a vlan (quite common)
Or perhaps they are adding a priority vlan header.

Can you manually set the l2mtu of the interface to something higher than 0
eg. 1504

Perhaps via webfig/winbox/cli if you can't do it from the mobile.

rplant

1v73 looks wrong.

rplant

Isn't there any chance to get this working via dynamic routing protocols?

Sorry, I don't know.

You can probably add a ping check to the 2 static routes, so if that link fails, it will fall back to
dynamic routing.

rplant

Hi, It's possible you have cleared the routers config. You should be able to run winbox on your computer, and find the router, (You need to be on the same subnet as the router, eg plugged into it directly. It might take a little while). It will likely have an ip address of 0.0.0.0 Login using its ma...

rplant

An ordinary static route should be fine on the 2116 end.

/ip route
add disabled=no dst-address=10.0.81.0/24 gateway=10.0.3.1 routing-table=main suppress-hw-offload=no

rplant

Hi, By my thought would be to use some routing rules at both ends. (Though your environment looks complicated) Assuming vlan502, 10.0.3.0/30 is your direct path. For wg_roadwarrior On the 2004 Something like: /routing rule add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disa...

rplant

Hi, Pretty sure you can disable access in the access list tab. Put in the mac address and untick authentication and maybe forwarding. You could perhaps put in a signal strength range say -120..-70 (So if the device gets quite close it will actually connect) It might also be that for some reason it c...

rplant

Yet another option might be to have dhcp hand out /32 ip address ranges.
So everything IP has to be routed.

(Likely not well handled by older devices)

rplant

For me with v7 it just chose 1492 with v6 it always chose 1480.

However as @tdw mentioned, you need to set both mru and mtu to 1492.

rplant

Hi, The Wiitek 10Gb SFP+ to RJ45 will require its backend to run at 10G (which it should automatically do) It will run hot, and also likely to drop packets. (Because its front is running at 2.5G, which the switch doesn't know about) You are probably better to get a 2.5G sfp+ to 2.5G rj45 that requir...

rplant

Hi,

You need hairpin NAT, there is plenty of examples through the forums.

One I just found: viewtopic.php?t=172380

You can also search for hairpin in the following help topic

https://help.mikrotik.com/docs/spaces/R ... 211299/NAT

rplant

Another simpler option if (it works at all) is to enable local proxy arp.
(Without changing original config)
Not quite sure where you would apply this, on the bridge, or the actual interfaces??

Then maybe all ip traffic would get routed.

rplant

I was able to figure it out so I'm all set.

I don't currently need to know this, but I would like to for if/when I do need it (please)

rplant

Hi, Somewhat of a guess You need to have 2 ip address ranges to get things to route. With the device sending its packet at the router, not at the other device. You could perhaps split the 172.16.16.0 range into 2 /25 ranges. with side 1 having 172.16.16.0/25 gateway 172.16.16.1, side 2 having 172.16...

rplant

Is dhcp snooping enabled on any of the ubiquiti gear, it might cause this.
(Apparently it may be a default in some of their gear)

rplant

Hi, The following are my changes to the configuration. (Sorry, It is not a complete configuration @anav is much better at this...) You will need to apply it slowly piece by piece. You will also need to remove your old multi bridge configurations. #xxx.yyy.zzz.11 <--> 10.11.0.0/22 [ether2] #xxx.yyy.z...

rplant

I tried your config, and it seemed to work ok. (I was connecting to another mikrotik) Also when plugged into the trunk it supplied the 3 ip ranges to the Mikrotik via vlans. Perhaps the devices you were connecting too had a firewall on them, and didn't like being accessed from another subnet. or had...

rplant

Hi, As far as I can see the only usable LAN subnet you actually have is 192.168.88.0/24, and I think it likely should work. (It may need a specific NAT rule per @TheCat12) The other subnets you list and attach to bridges are all on the router only, and there is only a single active address for each ...

rplant

Hi, I know nothing about these, but my (only) guess is that it might have something to do with DHCP. Perhaps if it fails to get an IP it eventually stops asking, or something. Check none of the delay options are configured on the dhcp server. Set up a script/netwatch to periodically ping/arp ping on...

rplant

Probably doable using hw offloaded qos. https://help.mikrotik.com/docs/spaces/ROS/pages/189497483/Quality+of+Service Possibly special handlers already exist for multicast (and??) broadcast. Otherwise you can perhaps use switch rules to map the packets you want restricted to a specific traffic class....

rplant

Perhaps there is some dhcp snooping configuration defined somewhere that needs to be reviewed.

rplant

I would like a refresh version of the hap ac2. Pretty much exactly the same as current. Exactly the same Case, pcb and components, except the RAM is replaced with a 256M unit, and the Flash is replaced with a 32M Unit. (Possibly by now cheaper than the current smaller devices) I would also like a (c...

rplant

I don't know that I can help further, but I found the following couple of posts elsewhere that you may have already seen. https://www.reddit.com/r/Starlink/comments/1eyndnu/high_packet_loss_in_bypass_mode/m672h96/ https://www.reddit.com/r/Starlink/comments/17h2f99/solved_issue_with_bypass_mode_slown...

rplant

I am quite possibly completely misunderstanding here, but anyway. I would imagine that 192.168.1.x on R1 would register for a particular multicast with its router. That Router R1 would then register for multicast with something closer to the source. The identity of the original requesting device won...

rplant

Also its often worth graphing your wan interface traffic.

Perhaps something like:

/tool graphing
set store-every=24hours

/tool graphing interface
add allow-address=YOUR_COMPUTER_IP_ADDRESS interface=ether1

Then you can look at the graph(s) in winbox/webfig

rplant

From winbox or webfig have a look at your wan/ether1 interface traffic. (traffic tab) Is it as expected? I would initially disable ipv6, because if its sort of working but sort of not it can be painful. Once network is working well with only ipv4, you can look at this further. You may need to discon...

rplant

Another slight possibility, I don't know if this will work at all, it depends a lot on the L3 switch. You could reconfigure the DHCP server on the 5009 to point the default route of the LAN network at the L3 switch IP Address. Then the devices would send their packets to the switch (for both interne...

rplant

Hi, A little off topic now maybe. I trialled a much simplified version of this system on a Hex (much slower/smaller), to verify some things I thought I knew... It turns out as mentioned by @lurker888, marking the packets as notrack does seem to mean they can't be fasttracked. (under ip settings you ...

rplant

I think one possible set of changes is likely to be: Add wifi2 to the bridge, and change its mode to "Station Bridge" Optional: You could/should also put a dhcp-client on the bridge if you don't have one on it already so the hapac2 also gets an IP address from the Audience. (if you have a ...

rplant

Hi, I think your current problem is that you are getting triangular routing. (which is probably why hardware offload is good, as it is likely not stateful) From Device on 192.168.1.x network to 10.0.0.0/8 likely goes from device to 5009 then to Switch then to 10.x.x.x device. (Hopefully often the 50...

rplant

You seem likely to have done all of this already but just in case... Remove sfp+ from bridge Give sfp+ an IP address, and switch port/vlan? at other end an IP address. Make the sfp+ interface a member of the LAN interface list. But if you need lots of gigs of intervlan routing, it isn't going to do ...

rplant

Another possible option is to mark the packets more carefully.

eg. in interface list not WAN (or in interface not WAN-2)

rplant

Hi, In 7.2.2(ish) the routing was changed, so that if you route mark a packet, and a matching route with that route mark exists in the route table it will use that route entry. It then processes the routing rules table, and finally the route table (again). Previously routing rules occurred first, an...

rplant

Do you perhaps mean CDP?

This is done under ip neighbors

rplant

Hi, The CPU on the CRS317 isn't super fast. (eg. a hap ac2 is faster) See: https://mikrotik.com/product/crs317_1g_16s_rm#fndtn-testresults The commonly used value for routing performance comparison is 25 ip filter rules, 512 byte packets. However it does do some fairly good L3 hardware offloading, b...

rplant

Note however if you use something like a S+RJ10 in the sfp+ port,
it can negotiate 2.5G with remote end while sfp+ is running at 10G,
(so Mikrotik thinks it is running at 10G) it runs hot.

You will likely need some traffic shaping (queue) to limit outbound traffic to <2.5G.

rplant

I assume you are using one of the SFP+ to RJ45 adapters. The following has some info on the Mikrotik one. https://mikrotik.com/product/s_rj10 They have 2 versions, and the first version did not report the link speed correctly. I would not be surprised if many other brands also have very limited link...

rplant

Hi, The 2 subnets should already be connected, you don't need the add action=accept chain=forward comment="enable interconnect lan subnets" rule. You should be able to connect to the various devices in the other subnet. There may be a couple of issues. 1. You may be expecting to see these ...

rplant

Not sure. You may have already tried this. I would try using a separate ethernet interface for the wireguard connection into the 2nd router from the CCR. With an mtu of 1492, and different IP address range to the lan. You may need a routing rule to get the wireguard traffic to exit via this separate...

rplant

My Guess is that the devices on your LAN are receiving a packet from 192.168.100.1/24 and sending their reply back to the main gateway. (Which also doesn't know where 192.168.100.1/24 is) One simple(ish) option might be to masquerade packets leaving your Wap-ax with source address of 192.168.100.0/2...

rplant

You could look at Mikrotik's rose storage.

rplant

My guess is that these devices are probably a bit like a ccr, with no default firewall rules except for a masquerade rule :( The following rules are for a hex, (they are usually all very very similar, except when they have none) And you should be able to copy and paste them in. I think they are quit...

rplant

The fact that logging has the option of a source IP address, and ignores it seems like a bug. Though it might be your config. (Given Wan interfaces usually have some sort of src-nat/masquerade) Do you have a src-nat rule for the wan interface that might apply in this case. You could put in a specifi...

rplant

You possibly also need a bridge nat rule to kick the packet into the routing section of the device.

Something like:

/interface bridge nat
add action=redirect chain=dstnat disabled=no dst-address=192.168.88.88 ip-protocol=tcp dst-port=22 log=yes mac-protocol=ip

rplant

Hi,
V7.16.1

IP Settings.
There are 2 items, the max neighbor entries and Arp Timeout
You could increase the max neighbor entries value or possibly decrease the Arp Timeout value.
(The current default Arp Timeout value appears to be 30S, I would not go below that)

rplant

A few points: The following assumes a config sort of based on default (for SOHO type routers, not CCR, etc which have no firewall rules). I am assuming you have nat. In this case an incoming connection on Wan1 must then also leave by Wan1. (Same for Wan2) Otherwise it just doesn't work. (Often true ...

rplant

Hi, The following was made on a hex, based on its default configuration. But should be applicable to many/most Mikrotiks. I removed all the firewall rules (so fastpath is active) Disabled all admin services except winbox Moved ssh and winbox access to a new vrf vrfAdmin, active on ether5. (So you ca...

rplant

It will block people/devices on the internet from attempting to login to your router. (Or using other services your router may provide, that you haven't provided a rule to allow) The default on a Mikrotik is to allow (input, and also forwarding), you should normally block access you don't specifical...

rplant

Or maybe someone or something is somehow logged into or has a vpn into your gateway router, working on the next step.

rplant

This kind of looks like what you would get, if your gateway was also a Mikrotik, and it had hairpin nat enabled for a SSH port forward/dst-nat connection to the internal router. (With attempted logins from inside)

rplant

Yes, drop by mac address doesn't work at the router stage. You could connect only the Reolink to a specific ethernet port on the router, and block based on port. You could give the Reolink a static lease from the DHCP server, and block based on IP address. (From winbox, go to ip dhcp server, the lea...

rplant

One other thought

If you have an interface that is not part of the bridge, but has an IP address on it, it will route using hw offload.
However if you have a vlan on this interface with an IP address on it, the vlan will use the CPU.

rplant

Perhaps try the following commands to see if L3 offload is not present somewhere. With 400+ routes, you might want to write it to a file, so you can examine it in a text editor or similar. /ip route print [file=somefilename] Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, o - OSPF, d - DHCP; H - HW-OFF...

rplant

I was thinking something like. /ip firewall nat add action=masquerade chain=srcnat comment="Nat lan to wan tvs" out-interface=VLAN_TVs You could also filter by src-ip address, or src ip address list. On review, I notice you have a bunch of bridges on this system. And assorted vlans connect...

rplant

I was thinking of something like. /queue type add kind=pcq name=pcq-upload-24 pcq-classifier=src-address pcq-dst-address-mask=24 pcq-src-address-mask=24 It just groups each /24 lan subnet together so the large upload machines get lumped together. On testing, you may find the pcq-upload-default works...

rplant

You could perhaps see if configuring source nat on packets leaving the LAN for the VLAN_TVs helps.

rplant

Are the MTU's on all the interfaces the same.
The switch might fragment packets in software.
My CRS305 does that...

rplant

Hi, I changed the firewall filter rules, and while I still don't like them much, the ikev2 now should work. They appear to be based on a very old routeros version. The ipsec policy rules have to go above the fasttrack rule. (They seem to work below it when pinging things, but fail when actually tryi...

rplant

Perhaps time for: Thanks @mkx Open terminal window and execute /export file=aynnameyouwish ... fetch resulting file to your management computer, open it with your favourite text editor, redact any sensitive information (such as serial number, public IP address, wireless PSK, etc.) and copy-paste it ...

rplant

If its running v7, use a cake queue that should (hopefully) allow you to near fill the uplink, while also giving everything else in your network a bit of bandwidth rather than being starved out because of the fat upload.

V6, probably a pcq queue.

rplant

I would perhaps actively block udp to and from 3389, (if only to see if it changes anything)

rplant

ikev2 (ipsec) is well supported, and there are fairly good examples around. https://help.mikrotik.com/docs/spaces/ROS/pages/11993097/IPsec#IPsec-RoadWarriorsetupusingIKEv2withRSAauthentication This is more industrial, so perhaps less likely to be dropped. But if your ISP doesn't want you running VPN...

rplant

Another possibility:
Some special handling may be required if you have multiple public ip addresses on the router.

Ignore this, mine seems to handle this fine.

rplant

One possibility. Seems unlikely, but you do have a wanIP as an address list. If you have multiple wan interfaces, and the packet is coming in from one interface, and leaving via another (the wan interface with the lowest metric). This could occur. You would need to mark your packets (or similar) so ...

rplant

One other thought, (Somewhat more like my original thought) You could perhaps make a new pcq type queue, based on pcq-upload-default, but with a 24 mask. (So everything from 10.0.1.x will be counted together) Then back to no marking, and fast track allowed. The low rate lans will be prioritised over...

rplant

Sorry, I should read things a bit more thoroughly. Unfortunately, the 3011 seems to not be great under v7. Perhaps what you have will be good. Though I do not understand why you have a limit of 100M on the backup traffic. You will likely need to add all the packet marks to the parent (WAN-Shaper) so...

rplant

It would be very functional to be able to add a description for each connection that you save and thus identify more quickly to which mikrotik equipment I want to connect I am assuming you a speaking of the managed tab in winbox. In tools at the top, there is and advanced mode you can select, and a...

rplant

As a start, I would be inclined to just put a single cake queue attached to the WAN interface, to see how well (or not) it works. (With no packet marking for shaping) Set it up for 500M, and a bucket size of 0.005-0.01, (or your settings) and see how it goes. You will need to create a new queue type...

rplant

Some possible options: If you make a custom interface list and add all the ports you want (but not the bridge) to this list, you can make ip discovery use this list and it will only target those ports. So no discovery on the ports missing from the list. Another option might be to use a switch chip r...

rplant

2. Yes and no Since the device is now a (dumb) switch it has no way to filter anything. The input firewall chain still works. However by default the bridge is a LAN interface and input is allowed from LAN interfaces, ie. All ports. (Input is disallowed from all except LAN interfaces) You can add (a...

rplant

Hi, I have added the following rules near the top of a default config. (after accept icmp) /ip firewall filter ... add action=accept chain=input comment="allow 500,4500 ipsec in" dst-port=500,4500 protocol=udp add action=accept chain=input comment="allow ipsec-esp in (no nat)" pr...

rplant

Hi, My observations: Actually wireguard in mikrotik does attempt to use the IP address that the incoming packet was sent to. Looking at the packet on the output chain is too late. It has already gone through the routing process, and had it's ip address changed, probably also natted. If you use routi...

rplant

but am struggling to get an IP address on the wireguard peer much less an internet connection You have to setup the ip address on each peer manually. It is attached to the wg interface associated with that peer. wg interface <ip address> peer - allowed ip addresses peer - allowed ip addresses Stric...

rplant

Hi, My guess is that you need to run dhcp, so the ISP gets the MAC address of your router, so it can send packets to it. It may not use arp discovery, the dhcp mac address possibly gets recorded into the radius server, and that is where the routers packets get sent too. (I believe Mikrotik's do this...

rplant

Some thoughts. 1. Don't use L2TP at all, use wireguard, its easier/better. (L2TP is slowly being discouraged) Wireguard: You only need 1 port. You usually don't have to fight much with the ISP router. You don't have to fight much with the client OS. Perhaps a little less good if you are somewhere wh...

rplant

Also Mikrotiks support for assorted sfp's has varied a lot over the routeros versions.
and not always for the better in newer versions it seems.

rplant

Hi, I had sort of thought that auto-negotiation is a combination (max) of -The speeds the sfp port is capable of. -The configured auto-negotiate speeds in the ethernet tab. -The speeds that are advertised as acceptable by the sfp devices ROM. Though your experience seems to indicate otherwise. One p...

rplant

If you have some device/network in your control with a static ip address that you can login to these devices from, you can (as a short term solution) add this ip address to an address list in ip firewall. (eg. admin2) Then change the firewall rule that allows 8291 to only allow 8291 with src-address...

rplant

Hi, I am finding it difficult to understand what you are saying, but I will assume the mikrotik has 3 public ip addresses on it. And the incoming wg packets all come into the mikrotik via either the 2.249 or 2.253 interfaces but directed at the .210 address. Normally for this, I would use routing ru...

rplant

I found this also, which might help.

add action=accept chain=input comment="Allow IKEv2 Traffic" src-address=\
172.17.153.0/24

Change 172.17... for the IP address range from your ikev2 pool.

viewtopic.php?t=190096

rplant

Hi, ikev2: If your hap lite is not the internet gateway, you will possibly need to put some sort of NAT on it, so vpn connections to devices on the local network get masqueraded. (The devices on the local network will likely try to reply to the main gateway rather than the Mikrotik). Otherwise, not ...

rplant

Another thought The arp table can get very big these days. There is an arp timeout value on interfaces and bridges. (Not defined by default) You could perhaps see how big your arp table is and see if it might be the problem. And see if setting the arp timeout to some value (seconds, minutes, hours, ...

rplant

Hi, I suspect it should be possible using vrf's. But I am not sure, and don't know how too, sorry. I had a trial of putting another mikrotik (a hex) in front of a similarly configured setup, and this appears to work ok. If your main router is a high end expensive CCR or similar, this is probably not...

rplant

Perhaps the following might be useful in this case. To make all packets go through the CPU first, and offload only the Fasttrack connections, disable l3hw on all ports but keep it enabled on the switch chip itself: /interface/ethernet/switch set 0 l3-hw-offloading=yes /interface/ethernet/switch/port...

rplant

Hi, I am not quite sure what you are asking, but here are some answers. The RB4011 is not powerful enough to route 10G (and doesn't have the ports to do it really) From the test results section of the RB4011 page: https://mikrotik.com/product/rb4011igs_rm#fndtn-testresults From these results the 512...

rplant

Hi,

There is an mdns repeater setup on recent routeros versions.

It is in ip dns.
You add the interfaces you want mdns to be repeated between.

or by cli (example)

/ip dns
set mdns-repeat-ifaces=ether1,ether2

rplant

Sorry for the delay, forum didn't seem to work for me. /ip firewall mangle # (remove/disable this rule) add action=mark-packet chain=postrouting out-interface=ether1 new-packet-mark=shaped-packets passthrough=no /queue tree add name="WAN-Shaper" parent=ether1 packet-mark=no-mark max-limit=...

rplant

A few things. 1. The RB3011 isn't really fast. 2. It is quite a bit slower using Rosv7 3. You can't fast track simple queues. (not fast track is much slower) 4. You need to set a lower bucket size on the queues. You can show system resources and watch the cpu when you run traffic through the link. T...

rplant

Hi, A couple of things. I would put a routing rule like: add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main before your existing routing rules. So only for traffic that needs to go via a default gateway will use Table_ISP1 or Table_ISP2. I wo...

rplant

My guess is that perhaps the end devices don't know how to (or don't want to) route back to the wireguard IP address range.

You could add a source nat rule that if the ip address is the wireguard range, it gets masqueraded and see if that works.

rplant

Hi, From your listing. The 2 rules below are not required, the last filter rule will allow (actually let fall through to default allow) connections allowed by your dst-nat rules Rule: add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface="ether8[ISP]"...

rplant

You could check the ip route table with dhcp and static and see if there is any differences. I think your masquerade rule should have an interface (out-interface) on it. Presumably bridge1. Though perhaps only if it is coming from the 10.2.2.0/24 network. Not quite sure why you have ether1 attached ...

rplant

You could maybe try hitting it with a web browser, and see what it thinks about it,
(The mikrotik might have web over tls enabled??)

rplant

You do mention you have a gateway router. So does this router do the firewalling from the internet that your network requires. If so, the CRS354 may be ok. (Otherwise as @anav mentioned, a RB5009 in front might be good) In switch settings, you can enable L3 HW Offload for the switch chip. Then under...

rplant

Hi, It seems to work for me. Though having only 2 ip addresses in the dhcp server pools seems wrong. It could be the devices you are connecting too on the .200.x and/or 178.x vlans don't have the CRS305 as their default gateway. (eg. Not configured by the crs dhcp server) Could also be firewall rule...

rplant

As mentioned by yourself a better option, get a 2.5G ethernet sfp to plug into the router.
Much cheaper and cooler than the 10G device.

fs.com have them.

rplant

Given the routers are fairly powerful. For the outbound traffic, you can probably attach some sort of queue to the sfp+ interface. Queues based on cake are usually easy, perhaps fqcodel might be better in this case but I am no expert on queues. (I have had success with red queues in the past) Set it...

rplant

Sorry, this isn't an answer, but the following may be worthwhile looking at. The following video shows a (fairly long) presentation on setting up something maybe similar (also on a 1036) using dhcp. From 2018 MUM in Melbourne, (unfortunately, there seems to be no printable version) https://www.youtu...

rplant

One thought. You need to do your bandwidth test between 2 devices with the switches in between them. eg. A fast desktop/laptop/server ideally with a 10G port on it, to another desktop/laptop/server with a 10G port on it. Perhaps easier, 1G ports to start with. When the bandwidth test is running thro...

rplant

Hi, Some comments: You have no firewall rules, so it should (if enabled) run in fastpath which is notionally faster than fasttrack. (I am kind of wishing there was a quickset that would apply a default set of firewall rules) These switches will do what I will call L3 switching, and do it really well...

rplant

Perhaps because horizon has been around for a long time and works on all platforms (I believe)

Switch port isolation not so much. Use Switch port isolation if available.

rplant

Below is wrong on router1
(Needs to be .144.1)

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=65.58.144.2

rplant

Hi, It isn't indicated in your listings, but if the default fasttrack rule is in place, it will break marked packets. You could put an accept rule just prior to the fasttrack rule, with a connection-mark=!no-mark (Or add connection-mark=no-mark to the fasttrack rule) Your 2 dst nat rules are identic...

rplant

My thought is to disable the fasttrack rule and see if that helps.

Fast tracked traffic does not get packet/routing marks applied.

If it helps, you might be better off with routing rules.
As they should continue to work with/without fasttrack.

rplant

Rules look ok. Some guesses Does the mikrotik have the same internal ip address as the old router? Presumably .100 and .102 are set up with static ip configurations. Perhaps static arps have been configured somewhere Can .100 and .102 connect to the internet? Traceroute from these to 8.8.8.8 does it...

rplant

Yes.

It has license level 4, so can act as an ap for multiple devices.
(license level 3 only allows a single device)

rplant

Hi, My guess(es) is that it might be something to do with Spanning tree, or more likely Vlan configuration. I would expect spanning tree to begin to work after a minute or so (worst case scenario) Perhaps the switch port you have plugged the router into is on a different vlan to the port the device ...

rplant

Normally Wireguard uses a private key and public key, where the public key is not wrapped in a certificate. Assuming a client/server type configuration. If the clients have a peer (the only one in client/server) with the server's public key, it will trust and can connect to the server with the corre...

rplant

RDP connection dying was one thread
viewtopic.php?p=992900

rplant

Have you disabled fasttrack for the affected/all traffic.

Simplest though blunt option is to disable the default fasttrack forward rule.
CPU usage will increase a lot.

Also, having limit-at on just one queue is probably bad. (Means it is guaranteed 50M, the others are Guaranteed nothing)

rplant

I think this might be basically doable, so long as the ISP router can be configured with static routes on it. ie. 10.0.0.x/24 via 192.168.1.2 (the IP address I have assigned to the CRS) If a device on the main ISP LAN wants to connect to a device on your new LAN, it will send the packet to the ISP r...

rplant

You could perhaps try you iperf (I assume iperf3) With the -V and -M options.

Using custom/reduced MSS settings to see if it is perhaps something to do with reduced MTU at one end due to pppoe.
And add an appropriate mss adjustment rule if it helps

rplant

The current default is 30S, it was 10S for quite a few versions, but there were plenty of people having issues with the 10S value.

rplant

Hi, The tls auth thing is not a certificate. From: https://help.mikrotik.com/docs/display/ROS/OpenVPN OVPN client supports tls authentication. The configuration of tls-auth can be added only by importing .ovpn configuration file. Using tls-auth requires that you generate a shared-secret key, this ke...

rplant

Hi, From the MikroTik wired interface compatibility page. S+RJ10 devices Use these modules only in 10G SFP+ ports with auto-negotiation enable I am fairly sure the S+RJ10 devices need the SFP Port actually running at 10G (10.3G?) for the somewhat complex base T conversion electronics which likely ne...

rplant

Hi, I have found script diagnostics leave a bit to be desired. You can put something like: :log info "script scriptname starting" (perhaps also logging parameters if available) and perhaps a similar entry near the scripts exit point(s) With luck the most recent starting log entry will be a...

rplant

Hi, I would suggest you start off with the default mikrotik config. Then Interface <ether1> contains <VLAN7> <pppoe-out1> is attached to <VLAN7> Enable dns client on <pppoe-out1>, (review settings of pppoe-out1) <dhcpv6-client> is running on <pppoe-out1> ** Changed ** <VLAN7> and <pppoe-out1> both m...

rplant

Perhaps the following on the server /interface detect-internet set detect-interface-list=none /interface list member add comment=defconf interface="WG VPN" list=LAN You may want to eventually restrict it a bit more than giving it full LAN access, but in the short term... Client: Only if th...

rplant

If you do want full l2 connectivity, perhaps you should investigate ZeroTier
(which is supported by Mikrotik)
I have not tried it, but I believe it will do this.

rplant

Some thoughts. A rough outline of what I would do. To hopefully create an approximation to what you appear to want. (Sorry there will likely be errors in this) This assumes somewhere near default config of the Mikrotiks. With a LAN interface list. The 192.168.169.0/24 is broken up into a bunch of /2...

rplant

Hardware: Optical: If you can use prebought optical patch cables or DAC cables things are ok. As soon as you need to make stuff it gets very expensive for the tooling. And yes, copper cables are much more durable. But 10G copper seems to run very hot, so you need fan cooled switches, etc. dac cables...

rplant

Hi, You have the following rule before your allow dns to vlans. add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN Perhaps put all the input rules together and forward rules together. Sorry there may be other issues, that's just the one I s...

rplant

Not sure, seems like something dubious. One hack possibility (for tcp) might be to clamp the mss of your internal devices to 1452, while letting the outside devices stay at 1460. So your devices upload with shorter packets. /ip firewall mangle add action=change-mss chain=forward comment="clamp ...

rplant

Sorry, not much of an answer but. 2. The speed of the switch mostly does not depend on the type of router. However, broadcast and similar packets will likely cause slowdowns as they have to go to everywhere including the slow bits on the lan segment. Would recommend you minimise the number of slower...

rplant

You could try something like the following from the mikrotik, and see if it replies (and the size at which it stops) /ping size=1500 8.8.8.8 do-not-fragment And with luck some indication of where it stops. (You can also use /tool/traceroute with size and do-not-fragment) Note: Traditionally 8.8.8.8 ...

rplant

You could try an mtu on the vigor of 1508 (to include the pppoe header) or even 1512 (to also include the vlan) and see if that helps.

rplant

You have to type in a speed, and it will try to get to that speed.
(You can't leave it at 0)

eg. 1M 10M 100M

rplant

Hi,
The following topic is very similar to what I think you want (except they were getting the address via pppoe)

viewtopic.php?p=1070581#p1070581

rplant

The following has their tested items MikroTik wired interface compatibility https://help.mikrotik.com/docs/pages/viewpage.action?pageId=263749679 Pretty much all their 10G optical SFP's and Dac cables are indicated to work in an L009 (in forced 2.5G mode). For low power/temperature/cost You could us...

rplant

Perhaps something like the following in the central router. /ip firewall filter #existing rules ... #following rules just before existing invalid rule. #(Put them in via terminal, then move them using winbox/webfig) add action=accept chain=forward comment="allow traffic between wg and lan"...

rplant

My Guess Assuming the internet gateway is a Mikrotik and is using something similar to the default config, asymmetric routing that might be the issue. Wg -> Lan Device and Lan Device -> MainGateway -> Wg If it is this, there are a at least a couple of options: 1. On the WG mikrotik enable masquerade...

rplant

It looks like the CRS310 won't do nat or fasttrack connections in hardware, so mostly good for inter vlan routing maybe using some access lists, much less good as an internet gateway, with Nat, Stateful Firewalling, etc. https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOff...

rplant

Hi, I would also include the first routing rule below. It allows devices on your wifi subnet to connect to other local devices, and only internet bound traffic goes via the vpn. (Order matters, put it before the other rule) Note: If using winbox, you likely should have still been able to connect to ...

rplant

You need two or more different vlan's on the hex. The hex needs to have an IP address assigned to it for each vlan. The devices on each vlan need to have the hex as their default gateway. (Alternatively each vlan's default gateway/router could have a static route for the other vlan(s) pointing to th...

rplant

If the mesh router has the option to disable it's dhcp server, you could do that.

Then plug the mikrotik's LAN port into one of the lan ports of the router, and see if devices connect to the Mikrotik.
(You may need later to change the ip address of the mesh router as well)

rplant

You have to ensure that the appropriate packets don't go via fasttrack. Either by having an accept statement for these packets prior to the fasttrack rule or by disabling the fasttrack rule. One possible option (just prior to fasttrack rule) add action=accept chain=forward comment="accept estab...

rplant

Hi, A couple of points, The screenshot doesn't really show what you are doing. Mikrotik doesn't do hairpin nat by default, so it might work from outside but not from inside your network. You could open a terminal window (from webfig, up the top near rhs), and export the entire config, or just the fi...

rplant

In another thread @mkx mentioned that adjust mss will probably not work if the connection is fasttracked.
You could try and disable the fasttrack rule briefly.

rplant

Likely you are going to have to go for a ccr with at least 1 SFP+ port, and perhaps 2. eg. CCR1036-8g-2s+ if you can find one. Then how does your ISP provide you with 2Gbe, it seems like a non-standard value. If over a 2.5Gbe ethernet connection, none of the CCR 10xx series supports this directly. Y...

rplant

Have you added 10.0.2.3/32 as an allowed IP address in the Peer setting on the Mikrotik?

When you look at the peer setting on the Mikrotik are you getting updated Tx, Rx and Last Handshake values.

rplant

Upgrade the ccr2116 to the latest beta version,
generate a supout.rif while working, and another when broken.
(Assuming it's not fixed)

And submit them in the ticket.
Support are quite good, and it is one of their flagship products you are having issues with...

rplant

One thought,
Do you have appropriate firewall rules to allow gre protocol in from the remote peer?

The default rules cause Traffic wrapped in ipsec to be allowed.

rplant

Yet another possibility is broken dns.

If on windows open a command prompt,
type nslookup

And try a few sites (including some you haven't recently used)
does it return immediately with a result?

Is the dns server nslookup is using correct?

rplant

You appear to have different wireless protocols at each end.

rplant

A problem is that out of your switch, every port has both the tagged and the untagged vlans coming out of it and going into it. One Possible option would be to make vlan 1 something else other than 1. eg. 10 Then you could have vlan 20 as the untagged vlan, and vlan 10 as the tagged vlan going to th...

rplant

Sorry, not an answer but.

Pretty sure the ipsec is going to be hardware offloaded, so it is going to take minimal cpu.

rplant

Mostly the Gui is similar to the way the cli is laid out.
The switch menu is a bit different. It is a top level menu in the Gui.

rplant

I have tried (a few times) and also failed to get a 2.5g connection working on an RB4011

**edit:** Note my RB4011 is an old one, I believe they have had a couple of versions of RB4011.

rplant

In the wiki version it notes

The backup RouterBOOT version can not be older than v3.24 version.

So presumably given yours is newer than this, you don't need an upgraded backup routerboot. (so it won't let you upgrade it perhaps)

rplant

A possibility is to split the pairs and run it over a few meters, it will give lots of crosstalk and poor performance, but whether it is enough I don't know. eg. Pairs 1,4 2,3 5,8 6,7 or 1,3 2,4 5,7 6,8 (Cable terminated same at both ends) The cables will test as a simple straight cable (with a very...

rplant

It used to (at minimum) stop a lot of annoying log messages on the server, I assume it still might.

rplant

Try it in both negotiated and non negotiated mode, with each of the 3 (current) 10G settings.
10G base T
10G BaseCR
10G BaseSR LR

And see if any of them work.

rplant

Some minor changes. # cisco interface Ethernet0/0 description trunk from mikrotik switchport trunk encapsulation dot1q switchport trunk allowed vlan 10,20 switchport mode trunk #mikrotik # (Use bridge instead of ether1) /interface vlan add interface=bridge name=vlan10 vlan-id=10 add interface=bridge...

rplant

As a switch it will have plenty of speed between your devices. However connections to the internet via your ISP will need routing with firewalling and presumably Nat. For 2.5G you will need a reasonably powerful router performing this task. If your ISP provided a router you can use it for that task ...

rplant

look at the protected bootloader section of the above document

rplant

Another thought, Partially working ipv6 can cause similar problems.

Try turning off ipv6 on the router.

From winbox
ipv6 settings tick the disable ipv6 box and wait a short while.
(May need to reboot PC if want it to update faster)

rplant

Yes, you could have used the wireless package, and the map could then connect in station bridge. Wifi package does have some niceish features though. Other options: Use Station-Pseudo bridge mode. Ok when it works, need to turn off RSTP. If you go this way and it's not behaving it is worth searching...

rplant

Yes,
If you use poe as an alternate power source, it must be passive/forced on poe or the Mikrotik may lose power when main/other power is lost. (Usually briefly but...)

rplant

A couple of options. 1. Reset the mikrotik with no default config, (but perhaps keep users), and then try to import the file. 2. Open the file in notepad or similar and copy and paste a section at a time into the terminal. You might be wise to compare the current default config to the config you wan...

rplant

I think documentation means devices with version 7 factory firmware, but less than 7.6 get upgraded to a v7.6 factory firmware with protected router boot function. Devices with older (v3, v6) factory firmware get an updated factory firmware (not v7) which has the new protected router boot function. ...

rplant

You can probably enable dhcp relay on the appropriate switch vlans.
And have your dhcp server managing the vlan (remotely).

rplant

You could set it up with the CRS317 as the gateway for both VlanA and VlanB The CRS ROUTES packets from vlanA and vlanB to the router. (and between vlan A and vlan B) No firewall rules needed on CRS for internet traffic, so should be L3WH offloaded, (with very few if any ACL's) Rules/ACLs, mostly fo...

rplant

A couple of thoughts, The following statement doesn't really seem helpful given your current results, but anyway: Mikrotik doesn't by default do hairpin Nat (you need to add the appropriate src-nat rule), so if you are testing from inside your network it will likely not work. You could download tcpr...

rplant

Hi,
License wise:
Not sure there is a limit for raw ipsec.
There is a 500 user one for l2tp.

However, the processor on the RB2011 doesn't do ipsec hardware encryption, and does not have much Ram.
So really only a couple maybe. You would be better off with wireguard with the 2011.

rplant

When a road warrior client from router 1 is connected it can not reach ip's behind the nat of router 2 (which is possible from within router1 main network (and the other way around). Assuming there is no NAT going on. (ie. The packet from 192.168.35.1 reaches device on router 2 as being from 192.16...

rplant

Hi, I think you could start by checking the counters on the dst-nat rules, and see if they increment. (They happen early in the firewall) Typically they will only increment once for each new connection. If they are incrementing, you need to check the 10.0.0.39 (I assume nginx) Perhaps if not increme...

rplant

Fair enough, Perhaps your option 2 would be a good option, you then effectively have a site to site tunnel, and can tunnel whichever clients you want. Option 1 is doable and will most times be fairly well upgraded. However it is not perfect. (Make a script export and a normal backup onto external st...

rplant

I would recommend you experiment with wireguard.
(Even if just for this particular instance)

rplant

You could possibly add a src-nat rule something like

/ip firewall nat
chain=srcnat dst-address=171.11.153.20 src-address=192.168.1.0/24 action=src-nat to-addresses=171.11.153.21

Move it up above any masquerade rules already there.

rplant

For generic case, perhaps not. (maybe a container?)

But for a single source ip sending data, you could probably use a dst-nat and src-nat pair of rules, to send the traffic back.

rplant

You can run your eoip or other tunnel inside wireguard. Though I would perhaps attempt to set up ipv6 and associated routing on the Mikrotik manually, using one of the /64's. You would maybe need to somehow mark the prefix as used though, so the VPS does not try to reuse it. You might need to put (n...

rplant

beep twice usually means it thinks it is ready to start running. You could try connecting to it via wifi, it may have some mikrotik-XXXX ssid with no password. If it is similar to a map/wap, then Wifi is often the only way to connect to this type of device when factory defaulted, but usually the eth...

rplant

I would also suggest you get a Low ESR capacitor (as well as of 105° type).

rplant

fs.com have a few rj45 sfp+ modules.

They range in power consumption from 1.8W to 2.9W
Apparently the S+RJ10s is around 2.7W, so the 1.8W one might be good.
(but quite pricey)

Sorry I don't know how well or hot it works, or if it will work with a Mikrotik.
though fs is usually well supported

rplant

It sounds like you are trying to restore a binary backup file to a new router. That rarely works :( You could search your hard disk for .rsc script files. If you can login to the old one at all (though it sounds unlikely), do a /export, stick it onto your laptop, and manually carefully copy the conf...

rplant

I tried it running with 6.49.13, and that was much improved.

Unfortunately doesn't have the cake queues, but the other queues I tried
seemed to handle 1G ok.
CPU still seemed to be largely locked to 1 core, and still needed multiple streams
or large window to get to 1G ish.

rplant

I had a try with some of this, just to a local iperf3 server. So very little latency unlike over the internet. I found I had to disable the queue tree for best performance. To hit near a gig download I had to have a large window size, or multiple streams. Perhaps partly a limitation of the iperf3 se...

rplant

Hi, It seems unlikely to be good for a 1G connection, Apparently a single connection will only use 1 core. (To reduce out of order packets) From: https://mikrotik.com/product/RB3011UiAS-RM#fndtn-testresults The commonly used 25 IP filter rules, and 512 byte packets lists 452Mbps. Your actual perform...

rplant

Yes there have been many many sfp fixes, and complaints of devices that used to work that no longer do. You could get install the latest betas at both ends (including updating routerboot), and assuming it is still not working create a supout.rif and send to support at mikrotik.com The -40db is a wor...

rplant

The S+RJ10 plugs into a 10G sfp+ interface.
The L009 has a 2.5G sfp interface.

Search found 618 matches