Search found 331 matches

by rplant
Sun Apr 21, 2024 12:52 pm
Forum: General
Topic: Trouble with WireGuard.
Replies: 2
Views: 173

Re: Trouble with WireGuard.

Incorrect public key at one or both ends seems to be more common than it should be.
Time/Date at both ends needs to be near each other.

You can put in a firewall rule with log enabled on the outbound port as source port, (and interface), to see if anything is leaving for the remote device.
by rplant
Sun Apr 21, 2024 12:26 pm
Forum: Beginner Basics
Topic: Using RB5009 in bridge mode [SOLVED]
Replies: 14
Views: 1166

Re: Using RB5009 in bridge mode [SOLVED]

But there is. You just have to go to PPP -> Profiles, and make a new one (or a copy of default)
Yay, Thank you :)
by rplant
Sat Apr 20, 2024 3:48 am
Forum: Beginner Basics
Topic: Problem with L2TP connection, partially works
Replies: 6
Views: 390

Re: Problem with L2TP connection, partially works

Not sure, Check that the firewall rule with 500,4500,1701 is counting. Perhaps split it into 3 rules, so you can see if you are getting all three counting (when coming in via isp router) Some ISP routers are annoying with ipsec, and need fiddling to get them to pass it through properly. There is nor...
by rplant
Sat Apr 20, 2024 3:28 am
Forum: Beginner Basics
Topic: Using RB5009 in bridge mode [SOLVED]
Replies: 14
Views: 1166

Re: Using RB5009 in bridge mode [SOLVED]

Also I missed something in the last post. You need to also add a route to your public ip in the "vrf-lan" instance. add dst-address=<public ip> gateway=ether2@vrf-lan routing-table=vrf-lan A problem that could also occur is, if you have a dynamic IPv4 address via pppoe because the dhc...
by rplant
Fri Apr 19, 2024 12:47 pm
Forum: Beginner Basics
Topic: Problem with L2TP connection, partially works
Replies: 6
Views: 390

Re: Problem with L2TP connection, partially works

Hi, If you are using a windows laptop to connect to your l2tp server, it won't work. Windows doesn't like natted L2TP server endpoints. (unless using certificates) There is a registry hack to make it work. If there is only one person (or less good a very trusted few) know the ipsec password/key it s...
by rplant
Thu Apr 18, 2024 6:36 am
Forum: RouterBOARD hardware
Topic: Mikrotik DAC between SFP and SFP+ ports
Replies: 2
Views: 504

Re: Mikrotik DAC between SFP and SFP+ ports

Hi, Check: https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility I have a FS.com 10G DAC which works well (but is not supported) between a 4011 and a 3011 with the 4011 forced to 1G, and is also working well between the 4011 and a 10G sfp+ on a non Mikrotik switch. Virtua...
by rplant
Thu Apr 18, 2024 2:56 am
Forum: General
Topic: question on tunnel performance and getting past single core limits
Replies: 10
Views: 650

Re: question on tunnel performance and getting past single core limits

I think at this point you know far more than me about vxlan, fragmentation. But anyway... where are you seeing this configuration? dont-fragment (disabled | enabled | inherit; Default: disabled) (default disabled looks correct) I'm not finding anything allowing for packet re-assembly on mikrotik. I ...
by rplant
Wed Apr 17, 2024 10:25 am
Forum: RouterBOARD hardware
Topic: Best choice for vpn gate
Replies: 3
Views: 664

Re: Best choice for vpn gate

Possibly worth looking at and comments surrounding

viewtopic.php?p=1063801#p1063801

I like the hap ac2, though with current routeros versions you will likely need to disable and remove wifi packages.
by rplant
Tue Apr 16, 2024 9:15 am
Forum: General
Topic: question on tunnel performance and getting past single core limits
Replies: 10
Views: 650

Re: question on tunnel performance and getting past single core limits

vxlan has an option to override/force allow fragmentation. It might need working pmtu to work correctly?
by rplant
Tue Apr 16, 2024 3:04 am
Forum: General
Topic: question on tunnel performance and getting past single core limits
Replies: 10
Views: 650

Re: question on tunnel performance and getting past single core limits

I have seen posters having success using vxlan, apparently it runs multi core and supports fast path. If the above works, For later experimentation: You could somehow have the encrypted traffic in the internal network(s) use bigger than 1500 sized packets. (say 2800+) And let them be fragmented over...
by rplant
Mon Apr 15, 2024 6:48 am
Forum: General
Topic: Wireguard and MTU/MSS issues
Replies: 1
Views: 326

Re: Wireguard and MTU/MSS issues

A few (hopefully some helpful) thoughts. If your hub is using pppoe, you will need to reduce the size of the wireguard vpn to 1412. (assuming MTU/MRU of 1492) You should probably also have the MSS setting for traffic coming in from the wireguard vpn, and perhaps use PMTU MSS. (rather than fixed size...
by rplant
Mon Apr 15, 2024 6:23 am
Forum: General
Topic: Specific DST-List over VPN
Replies: 2
Views: 269

Re: Specific DST-List over VPN

Not much to go on there. So per @anav /export file=anynameyouwish (minus router serial number and any public WANIP information, keys etc. ) However I will also make a guess. You need to limit the traffic that gets fast tracked. eg. Just before the fasttrack rule. /ip firewall filter .... add action=...
by rplant
Sat Apr 13, 2024 5:59 am
Forum: General
Topic: Modify the DHCP client of an LTE interface
Replies: 9
Views: 484

Re: Modify the DHCP client of an LTE interface

You can currently 7.15beta8 do the following, (it seems harder than it was) Add a dhcp client for some other interface. (Make a bridge if necessary) Save the new dhcp client and disable it. Then with the lte device plugged in Change the newly created dhcp client to use the lte1 interface (keep it di...
by rplant
Mon Apr 08, 2024 7:43 am
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 13
Views: 738

Re: BTH BUG Bleeding Into Regular Wireguard.

Wireguard port (Really only applies to server), often for Mikrotik 13231 /routing rule add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main Just an easy way of making all routes that are not 0.0.0.0/0 use the main routing table This is often a ...
by rplant
Sun Apr 07, 2024 11:46 am
Forum: RouterBOARD hardware
Topic: Gigabit auto-negotiation over 2-pair cable
Replies: 12
Views: 973

Re: Gigabit auto-negotiation over 2-pair cable

You could perhaps script it with some sort of netwatch or similar script, that if can't connect, after a while it removes the 1G advertisements. (Ideally on the nearest to management end, though unfortunately it looks like you would have to do it on the remote end routers) Though if you are putting ...
by rplant
Sun Apr 07, 2024 11:19 am
Forum: Beginner Basics
Topic: OVPN client connects but no reply
Replies: 5
Views: 686

Re: OVPN client connects but no reply

On the Mikrotik can you ping 10.81.234.129? On the Mikrotik can you trace route to 10.0.10.119, do you see the intermediate hops? If so, perhaps 10.0.10.119 doesn't respond to pings (from non local subnet)? Could you ping this IP when connected via your computer? You could add openvpn to system/logg...
by rplant
Sun Apr 07, 2024 9:02 am
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 13
Views: 738

Re: BTH BUG Bleeding Into Regular Wireguard.

At least a part of the problem is that if/when packets/connections are marked coming into the wireguard port, responses, etc are not marked when leaving from the wireguard port. Routing rules do work. (And you then don't need to mark anything for wg routing purposes) However if you have dynamic IP a...
by rplant
Sun Apr 07, 2024 8:32 am
Forum: General
Topic: Queue over PPPoE ISP Client interface not working
Replies: 3
Views: 298

Re: Queue over PPPoE ISP Client interface not working

You need to have some limits on the queue.
eg. max-limit=50M

Also, if marking packets, probably need all possible marks.
Perhaps if use cake for queue, won't need any marking.

Possibly set queue bucket size=0.01
by rplant
Thu Apr 04, 2024 12:10 pm
Forum: General
Topic: IP address invalid [SOLVED]
Replies: 2
Views: 279

Re: IP address invalid [SOLVED]

The network and address should be different for a /32.
for /32 Address is local ip address, network is remote end ip address.
by rplant
Wed Apr 03, 2024 6:28 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Cool, well done, with much patience...
by rplant
Wed Apr 03, 2024 1:56 am
Forum: General
Topic: 10Gtek SFP module ref ASF-GE-T auto negotiation problem with RouterOS > 7.12
Replies: 3
Views: 723

Re: 10Gtek SFP module ref ASF-GE-T auto negotiation problem with RouterOS > 7.12

A couple of thoughts.

1. Plug the port into a 100M something, does it connect, and work?

2. Set auto negotiation, include 1000 base-x in the list of negotiation items.
(Or even have it as the only item)
by rplant
Fri Mar 29, 2024 5:39 am
Forum: General
Topic: How can I configure my own PPPOE server to access IPV6 under ROS 6.XX?
Replies: 2
Views: 242

Re: How can I configure my own PPPOE server to access IPV6 under ROS 6.XX?

Hi, One possibility is that you create an IPv6 dhcp client, and attach that to the pppoe client interface. With luck you can check prefix and address items and will get both. If you require prefixes (which you probably will) It will require a pool name (which it will auto create) And a prefix length...
by rplant
Mon Mar 25, 2024 11:46 pm
Forum: General
Topic: L2TP client won't connect, from certain routers.
Replies: 3
Views: 807

Re: L2TP client won't connect, from certain routers.

Hi, You can under system logging add an l2tp entry, to get a bunch more logging that might be helpful. /system logging add topics=l2tp I think you will need to change (or remove) the max-mtu and max-mru settings. Perhaps you could set up mrru with some value maybe >1518 (if the provider supports thi...
by rplant
Fri Mar 22, 2024 11:25 am
Forum: Beginner Basics
Topic: Wireguard handshake is successful but client is unable to access internet
Replies: 3
Views: 497

Re: Wireguard handshake is successful but client is unable to access internet

Hi, The following is only if you are running the Mikrotik as a Bridge Device inside your ISP router LAN. Acting as a Wireguard server for remote clients, (and possibly not doing much else) Note: Many of Anav's comments still apply. (If you are doing something else, please ignore all this) 1. Give th...
by rplant
Fri Mar 22, 2024 8:19 am
Forum: Wireless Networking
Topic: HAP AX Lite - WPS not working [SOLVED]
Replies: 8
Views: 2538

Re: HAP AX Lite - WPS not working [SOLVED]

Cool...

One thought about the randomised password, you could connect your laptop to the airport using wps and once connected.
From a command prompt use:

netsh wlan show profile /?

View the password, is it the same (if different my guess is that it will probably be some function of mac address)
by rplant
Fri Mar 22, 2024 7:23 am
Forum: General
Topic: UPnP won't work after literal hours of trying - help pls!
Replies: 12
Views: 735

Re: UPnP won't work after literal hours of trying - help pls!

Literally all I did and voila, it all worked, no changes needed. Is that normal for RouterOS/RB5009? I've only had it a week. Most things work immediately, but there is a small number (Mostly I seem to find by trial and error) where a reboot is required. Perhaps where some service now needs to be r...
by rplant
Fri Mar 22, 2024 7:18 am
Forum: Beginner Basics
Topic: Issue with ping and EoIP
Replies: 2
Views: 347

Re: Issue with ping and EoIP

One possible option is a second eoip for the link over ether4. Ether 4 will likely have a different IP address, that the existing main campus eoip doesn't know about. You can then have both links running and use rstp or similar to prevent loops. Other options might be to setup an l3 vpn (road warrie...
by rplant
Tue Mar 19, 2024 10:00 am
Forum: General
Topic: UPnP won't work after literal hours of trying - help pls!
Replies: 12
Views: 735

Re: UPnP won't work after literal hours of trying - help pls!

Make the input action for 1900 and 2828 accept and log (for all devices) initially.
Mostly just to see if they count, and what is attempting to send UPNP packets.

Then Reboot the router.
by rplant
Tue Mar 19, 2024 6:24 am
Forum: Beginner Basics
Topic: Wireguard handshake is successful but client is unable to access internet
Replies: 3
Views: 497

Re: Wireguard handshake is successful but client is unable to access internet

I think adding a masquerade rule to the bridge for traffic from the wireguard interface is needed.
/ip firewall nat
add action=masquerade chain=srcnat comment="wireguard: masquerade" \
    out-interface=bridge src-address=192.168.100.0/24
 
by rplant
Sat Mar 16, 2024 4:40 am
Forum: RouterBOARD hardware
Topic: Upgrade from RB750Gr3
Replies: 16
Views: 1302

Re: Upgrade from RB750Gr3

You can see ram used, cpu use, disk used/free space (and other stuff) /system resource print Another couple of cheaper (but less good) router options are: (Note: You can disable, and with current V7 actually remove the wifi/wireless packages) Hap AC2, - CPU quite a bit faster than hex - Only 128M Ra...
by rplant
Tue Mar 12, 2024 12:22 am
Forum: General
Topic: IPsec identities keep getting disabled
Replies: 4
Views: 632

Re: IPsec identities keep getting disabled

Hi, I thought about it some more, perhaps the following might be useful. Make a backup, and export of your current config. Trawl through the export from 1, and make sure there are no dubious scripting entries (system scripts, system scheduler, perhaps dhcp/pppoe scripts) either unknown or (now) inco...
by rplant
Mon Mar 11, 2024 9:50 am
Forum: General
Topic: IPsec identities keep getting disabled
Replies: 4
Views: 632

Re: IPsec identities keep getting disabled

Hi, Sorry I don't know what the problem might be, apart from that I don't think you shouldn't be attempting this in the first place. The CPU isn't very powerful, has no ipsec hardware offload and when you overload it, the switching management functionality will likely suffer. You could try wireguard...
by rplant
Sun Mar 10, 2024 1:31 am
Forum: Beginner Basics
Topic: Logging incoming traffic
Replies: 3
Views: 332

Re: Logging incoming traffic

For the mirror interface, there is also the possibility of using the switch's mirroring function.
(Needs to be a router with a switch chip which is many/most of them)

Need to ensure the destination port is on the same switch as the source port.
In cases where the router has more than 1 switch chip.
by rplant
Sun Mar 10, 2024 12:50 am
Forum: General
Topic: How to get the result of a DHCPv6 client request for an option ?
Replies: 2
Views: 251

Re: How to get the result of a DHCPv6 client request for an option ?

in https://wiki.mikrotik.com/wiki/Manual:IPv6/DHCP_Client it mentions an options array as being one of the variables supplied to the script. This looks like it might actually be present but using it will take some effort/ may not be doable. It appears to mostly be binary. my script /log info $options
by rplant
Sun Mar 10, 2024 12:02 am
Forum: Beginner Basics
Topic: Share WAN port between 2 interfaces
Replies: 1
Views: 252

Re: Share WAN port between 2 interfaces

Yes it is possible. Ideally use Winbox, or webfig to configure the router. Non optimal solution, (but likely near enough) Summary Add a new 2 port bridge for Wan connection, create and connect a pppoe client to it. Roughly what I would do: Starting from the Mikrotik default configuration with a rece...
by rplant
Fri Mar 08, 2024 9:46 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5129

Re: WireGuard Multi-WAN Policy Routing

Ammo's suggestion appears to work. I made a new bridge, added an IP address to it, put a dst-nat rule for the wireguard traffic to listen on a different port, and forward to the new IP address, and correct wireguard port. Then routing rule to route from new IP address to wan via correct table. /inte...
by rplant
Thu Mar 07, 2024 2:11 am
Forum: Beginner Basics
Topic: Multiple WAN IP addresses on the same interface, forwarding to internal devices
Replies: 2
Views: 331

Re: Multiple WAN IP addresses on the same interface, forwarding to internal devices

Assuming the Mikrotik's LAN/Bridge address is 192.168.0.xx/24 perhaps apply a src-nat masquerade rule to the LAN/Bridge interface. Unfortunately, this will result in the PLC's not knowing what real IP connected to them. You will likely need to enable Logging on the dst-nat rule, so you can, when nec...
by rplant
Wed Mar 06, 2024 12:27 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Hi, I think you possibly need to revert to the previous separated configuration for the 4011 that connected and worked with the phones. It has the firewall rules you need and want when having an external facing Wan interface (which is what the voip pppoe interface is) From there, you just need to re...
by rplant
Mon Mar 04, 2024 1:01 pm
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Hi, I am not sure if what I am about to describe aligns with what you want to do, but. Outline: Slave the RB4011 to the UDM Pro for internet access, but keeps voip wan. Phones are setup to use the RB4011 for their default gateway and DNS Everything else continues to use the UDM Pro for their default...
by rplant
Mon Mar 04, 2024 10:03 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn
Replies: 19
Views: 2132

Re: WireGuard Handshake issue protonvpn

Use Anav's config, it seems likely more flexible.

One minor change
(10.2.0.1 seems to be the IP that protonvpn uses for its end)
/ip address
add address=10.2.0.2/30 interface=WG0 network=10.2.0.0
by rplant
Mon Mar 04, 2024 9:45 am
Forum: Wireless Networking
Topic: HAP AX Lite - WPS not working [SOLVED]
Replies: 8
Views: 2538

Re: HAP AX Lite - WPS not working [SOLVED]

If you have an older device that runs the wireless package, you could experiment with that. It has a lot more tweaky options.
by rplant
Mon Mar 04, 2024 12:12 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn
Replies: 19
Views: 2132

Re: WireGuard Handshake issue protonvpn

One issue with the above is that there is no DNS available when wireguard is turned off.

You could perhaps add 8.8.8.8 and/or 1.1.1.1 as dns servers
by rplant
Sun Mar 03, 2024 1:45 pm
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn
Replies: 19
Views: 2132

Re: WireGuard Handshake issue protonvpn

I think your best option is to reset to the default config and work from there. Once reset, You can choose from the following as suits your requirements. Set up the name for the Router Set up the password for the Router. Set up your wireless as required. /ip services, Turn off unneeded services (I r...
by rplant
Sat Mar 02, 2024 11:04 am
Forum: Wireless Networking
Topic: HAP AX Lite - WPS not working [SOLVED]
Replies: 8
Views: 2538

Re: Mitsubishi AC adapters won’t associate or connect through WPS [SOLVED]

Perhaps set the mac address of the wifi interface to the same as the airport and see if it likes that.
(Turn off the airport)
by rplant
Sat Mar 02, 2024 10:42 am
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 922

Re: OSPF over Wireguard links

This is worth looking at:

viewtopic.php?t=182046

I would be inclined to setup static neighbors to the wireguard peers.
by rplant
Fri Mar 01, 2024 2:36 am
Forum: Beginner Basics
Topic: Transparent bridge, mangle and prerouting
Replies: 3
Views: 428

Re: Transparent bridge, mangle and prerouting

Sorry for the amount of text here. My thoughts. 1. You likely need to take some care with your customers networks. 2. The VPN connection to your server should look like a WAN interface to your client, - ie. Your clients can connect to your server. - Your server can't open connections to devices on ...
by rplant
Thu Feb 29, 2024 7:08 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Well Done :)
by rplant
Thu Feb 29, 2024 6:52 am
Forum: Beginner Basics
Topic: Transparent bridge, mangle and prerouting
Replies: 3
Views: 428

Re: Transparent bridge, mangle and prerouting

Hi, My thought is that you might be better with a different router that has a different switch chip. (eg. A Hap AC^2) With these switch chips, you can set the bridge to be fully hardware forwarding, using switch rules to kick selected switched packets to the CPU. (It then hits the bridge configurati...
by rplant
Thu Feb 29, 2024 12:05 am
Forum: Beginner Basics
Topic: Some websites do not load - PPPOE -
Replies: 1
Views: 329

Re: Some websites do not load - PPPOE -

Commonly the MTU for pppoe is 1492, Some ISP's do seem to require 1480 though. If you have any max-mru, max-mtu set in your pppoe client you could remove the settings, see if anything changes. You could also try setting them to 1492 (or even 1500, though this is very unlikely to work) See what the m...
by rplant
Wed Feb 28, 2024 2:03 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn
Replies: 19
Views: 2132

Re: WireGuard Handshake issue protonvpn

Another possibility If you have a routing entry like: /ip route add comment="via wireguard" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wireguard1 or (not better) /ip route add comment="via wireguard" disabled=no distance=1 dst-address=0.0.0.0/128 gateway=wireguard1 add ...
by rplant
Tue Feb 27, 2024 12:51 pm
Forum: Beginner Basics
Topic: Help routing 1 internal IP address to a different dns server
Replies: 10
Views: 645

Re: Help routing 1 internal IP address to a different dns server

You can make a dhcp server network entry for the specific static ip address,
with required dns server, etc.
by rplant
Tue Feb 27, 2024 5:31 am
Forum: Wireless Networking
Topic: Wireless Bridge with hAP AX3 [SOLVED]
Replies: 6
Views: 1420

Re: Wireless Bridge with hAP AX3 [SOLVED]

Check here: viewtopic.php?p=1025978#p1025970

Try to change bridge protocol from rstp (default) to none.
by rplant
Mon Feb 26, 2024 3:49 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn
Replies: 19
Views: 2132

Re: WireGuard Handshake issue protonvpn

Needing the raw rule, might indicate some sort of dubiousness. You could fix the port your MT client connects from, (in the example below 13231) Add the following rules, enable them and see what gets logged, and how/if the counters count. (Alternatively, set the firewall rules below to log packets t...
by rplant
Fri Feb 23, 2024 6:30 am
Forum: General
Topic: Wireguard Site-to-Site Route not working
Replies: 3
Views: 650

Re: Wireguard Site-to-Site Route not working

Assuming Site B is acting as a client to Site A with Wireguard connected over IPv6, it seems like it should work.

Site B has keep-alive configured?
The static route you talk of is for 192.168.1.0/24 via Wireguard1?
You have appropriate black hole routes or filtering for 192.168.1.0/24 otherwise?
by rplant
Wed Feb 21, 2024 11:19 am
Forum: Beginner Basics
Topic: IP connectivity basics
Replies: 2
Views: 343

Re: IP connectivity basics

Perhaps you installed the newer wifi package onto the hap ac2?
It is not compatible with that capsman.
You need the older wireless package instead.

(If it was also running 7.12.1, it would only have the old wireless package)
by rplant
Wed Feb 21, 2024 1:35 am
Forum: Beginner Basics
Topic: RB3011 SFP speed issue
Replies: 8
Views: 922

Re: RB3011 SFP speed issue

For Mikrotik's S-RJ01 they have the following note: Use these modules only with auto-negotiation enabled, forced link speeds are not supported. They will negotiate to correct duplex and highest possible rate. I would suggest you also do this. Also, try plugging the other end into a normal ethernet p...
by rplant
Wed Feb 21, 2024 12:17 am
Forum: Beginner Basics
Topic: WireGuard Handshake issue protonvpn
Replies: 19
Views: 2132

Re: WireGuard Handshake issue protonvpn

Some possible reasons.

The destination IP address or port is wrong.
One (or both) of the Public keys is wrong.
The clock is wrong.

Perhaps your government or ISP blocks protonvpn.
(I would assume you would know if they did though)
by rplant
Tue Feb 20, 2024 12:42 am
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 1002

Re: Locked Out

Perhaps a router between you and the target router is doing NAT, so the target router is not seeing a 192.168.121.x IP address?
by rplant
Tue Feb 20, 2024 12:34 am
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 1002

Re: Locked Out

Unless you have disabled this option.
The Mikrotik woobm is handy for this scenario.

Plug into the usb port, looks like a serial console interface to the Mikrotik.
Connect to it wirelessly from your laptop.
by rplant
Sun Feb 18, 2024 2:21 am
Forum: Beginner Basics
Topic: RB3011 SFP speed issue
Replies: 8
Views: 922

Re: RB3011 SFP speed issue

Sorry, on review it looks like 10G optical modules very likely work in this port. (I had thought they wouldn't) But the Base T modules, not so much probably at least partly because they have a bunch more complexity in them. Mikrotik's S+RJ10 won't work with any SFP only port, only sfp+, I would assu...
by rplant
Sat Feb 17, 2024 12:15 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Cool, Good Luck
by rplant
Fri Feb 16, 2024 12:40 pm
Forum: General
Topic: no NTP update after reboot RouterOS v7 hAP ax³ [SOLVED]
Replies: 4
Views: 619

Re: no NTP update after reboot RouterOS v7 hAP ax³ [SOLVED]

Feb/15/2024 12:37:58 system,error,critical router rebooted without proper shutdown, probably power outage Feb/15/2024 14:20:10 system,critical,info ntp change time Feb/15/2024 12:38:19 => Feb/15/2024 14:20:10 Appears to indicate time change happened <1 minute after reboot. 12:37:58 to 12:38:19 time...
by rplant
Fri Feb 16, 2024 12:21 pm
Forum: Beginner Basics
Topic: MikroTik switch and Unifi Switch can no longer negotiate 10Gb connection over SFP+
Replies: 6
Views: 899

Re: MikroTik switch and Unifi Switch can no longer negotiate 10Gb connection over SFP+

Lots of sfp things seem to have been fixed in the 7.14 chain, perhaps upgrade to it.
by rplant
Fri Feb 16, 2024 12:12 pm
Forum: Beginner Basics
Topic: RB5009 - invalid mtu 8000 on ether1 any idea why?
Replies: 7
Views: 859

Re: RB5009 - invalid mtu 8000 on ether1 any idea why?

You could perhaps set ether1 mtu to 8000 and see if it stops.
And see if anything breaks.
by rplant
Fri Feb 16, 2024 12:02 pm
Forum: Beginner Basics
Topic: RB3011 SFP speed issue
Replies: 8
Views: 922

Re: RB3011 SFP speed issue

RB3011 has a 1G sfp port not 10G.
by rplant
Fri Feb 16, 2024 1:41 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Hi, I found I forgot to setup DNS for the pppoe connections: You can apply the following change. /interface pppoe-client set pppoe-wan use-peer-dns=yes set pppoe-voip use-peer-dns=yes To look at the DNS servers it has received. /ip dns print The dynamic servers it has listed will have been provided ...
by rplant
Thu Feb 15, 2024 10:35 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Sorry for the delay, I had no internet for a while. Apparently you should remove the serial number from your listing. You need to add the following, or the wan side can't work. /interface list member add interface=vlan835 list=WAN add interface=pppoe-wan list=WAN The first section of your log looks ...
by rplant
Tue Feb 13, 2024 2:23 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

More voice stuff: This assumes the pppoe-voip connection is up and connected. Mostly from the BYOD_OneNet_Info document. #Add static routes /ip route add dst-address=62.38.86.32/28 gateway=pppoe-voip add dst-address=62.38.86.48/28 gateway=pppoe-voip add dst-address=62.38.86.144/28 gateway=pppoe-voip...
by rplant
Tue Feb 13, 2024 2:04 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Hi, I think it should be ok, though I have not used an ONT. I gain the impression that the customer side is normal ethernet, (with vlans and pppoe running on it in this case). Offtopic: You could perhaps at some later trial the following config later and perhaps get the internet also running from th...
by rplant
Tue Feb 13, 2024 1:01 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Hi, Yes, the UCM6302 should be configured as static, and not on vlan 838. I have attached a diagram of how I think it will be setup at least initially for testing. vfgr.jpg For testing, use ether1 as the WAN port, as this minimises the amount of changes that need to be configured from the default co...
by rplant
Mon Feb 12, 2024 2:04 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Some (current) configuration setup (hopefully).


https://www.vodafone.gr/ypostirixi/tech ... al-support

Choose the bottom entry.
by rplant
Sun Feb 11, 2024 2:42 am
Forum: Beginner Basics
Topic: L2TP connection and the same LAN subnet IP
Replies: 10
Views: 1193

Re: RDP connection and the same LAN subnet IP

To 192.168.0.XX IP from local PC with 192.168.0.XX IP A possibility is on the Mikrotik to have some dst-nat rules, which say if the destination address from a VPN client is 192.168.200.XX forward it to 192.168.0.XX (netmap?) Then on the local PC with IP address 192.168.0.24 to connect to 192.168.0.2...
by rplant
Sun Feb 11, 2024 2:25 am
Forum: Beginner Basics
Topic: Same address pool in WAN/LAN [SOLVED]
Replies: 9
Views: 1104

Re: Same address pool in WAN/LAN [SOLVED]

Pools shouldn't go through subnet boundaries. You can do something like the following. Set a static IP address on the Wan side of the second router. One of the following should be fine. 192.168.1.2/25 (0 to 127) gateway 192.168.1.1 If only have 2 devices on Wan side of second router. 192.168.1.2/30 ...
by rplant
Sat Feb 10, 2024 11:09 am
Forum: General
Topic: Wireguard doesn't work and no logs
Replies: 22
Views: 2571

Re: Wireguard doesn't work and no logs

The keys are not supposed to change, however now I think about it,
I have seen other posts where it didn't work, so they changed one character in the key, then changed the key back
to what it was, and it started working.

Hopefully newer versions of RouterOS are better.
by rplant
Sat Feb 10, 2024 8:29 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Using the Mikrotik as the voip PPPoE client: I am assuming the UCM6302 is the main phone hub, and phones connect to it, and the UCM6302 connects to the ISP's voip service. The UCM6302 is plugged into a spare port on the RB4011#1 (Not port 9) (At some stage, perhaps want to rejig this a bit, so maybe...
by rplant
Sat Feb 10, 2024 6:23 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Hardware connectivity: I am assuming that the link from the UDM-PRO sfp+1 to the ISP WAN interface is an ethernet cable. You need to get another connection (the voice pppoe) onto this cable and into the ISP WAN. There are a few options. 1. You do it from the UDM, probably best, but sorry I don't kno...
by rplant
Sat Feb 10, 2024 5:38 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Hi, Find some changes to make the router more secure. Copy and paste a bit at a time, pick the bits you want. #Some additions to make router more secure (most from default firewall config). /interface list add comment=defconf name=LAN /interface list member add comment=defconf interface=bridge list=...
by rplant
Fri Feb 09, 2024 12:45 pm
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Hi,

I found the following; it looks like it might be very similar to how you are connected.

https://assets.ctfassets.net/b79acpktwv ... t_Info.pdf
by rplant
Fri Feb 09, 2024 8:26 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Hi, Given you had no Wan list, you likely need to use the following (if you haven't already) /ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN /ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!...
by rplant
Fri Feb 09, 2024 5:53 am
Forum: General
Topic: Access single server across VLANs
Replies: 5
Views: 407

Re: Access single server across VLANs

These look a bit dubious ** add bridge=BR0 tagged=BR0,ether8 untagged=ether7 vlan-ids=20,30,40 Perhaps add bridge=BR0 tagged=BR0,ether8 untagged=ether7 vlan-ids=20 add bridge=BR0 tagged=BR0,ether8 vlan-ids=30,40 Also ** add bridge=BR0 tagged=BR0 vlan-ids=201 Perhaps add bridge=BR0 tagged=BR0 untagge...
by rplant
Thu Feb 08, 2024 12:28 am
Forum: General
Topic: Wireguard doesn't work and no logs
Replies: 22
Views: 2571

Re: Wireguard doesn't work and no logs

I would generally look at the wireguard peer tx, rx and last handshake information. If they aren't changing with incoming it would normally mean the public key you have is wrong. Or the clock has the wrong time at one (or both) ends. You have the private key for the peer, so you can make another wir...
by rplant
Thu Feb 08, 2024 12:01 am
Forum: General
Topic: Is architecture emulation under docker supported?
Replies: 6
Views: 552

Re: Is architecture emulation under docker supported?

If you search the forums, someone has made a docker container for the cli netinstall program.
They have put a (x64 I think) emulator into the container (it is smaller than the netinstall executable).
by rplant
Tue Feb 06, 2024 11:52 pm
Forum: General
Topic: Feature requests
Replies: 1744
Views: 638403

Re: Feature requests

Bridge-To-Bridge joiner.
You can do that with two local EoIP interfaces.
Whenever I have tried this it never allows me to have 2 with the same tunnel ID.
Also quite a lot of overhead.
by rplant
Tue Feb 06, 2024 8:27 am
Forum: General
Topic: Feature requests
Replies: 1744
Views: 638403

Re: Feature requests

Bridge-To-Bridge joiner. To be assumed it will not be high performance. Uses: - Legacy PPPoE pass through (My ISP uses PPPoE...) - Natting Mac addresses from devices to the CPU. (Multiple devices with the same Mac Address) - mDNS and SSDP pass through in a single router. https://forum.mikrotik.com/v...
by rplant
Tue Feb 06, 2024 1:23 am
Forum: Beginner Basics
Topic: Troubleshooting wireguard S2S VPN
Replies: 3
Views: 500

Re: Troubleshooting wireguard S2S VPN

One (major) issue.

Unless the mikrotik is the network's default gateway, nothing on the network will be attempting to
send packets destined for head office to the Mikrotik; they will send them to the home internet router.

(Unless they have appropriate static routes installed)
by rplant
Tue Feb 06, 2024 12:36 am
Forum: Beginner Basics
Topic: Troubleshooting wireguard S2S VPN
Replies: 3
Views: 500

Re: Troubleshooting wireguard S2S VPN

If that is pretty much the entire configuration (ie. No drop rules in filter) it looks like it should be working. Double check that the rx, tx and last handshake counters in the wireguard peer are all non zero. (Seems likely that is also ok, given you can ping the 10.0.0.0/24 from the PFSense, but c...
by rplant
Sat Feb 03, 2024 8:43 am
Forum: General
Topic: Allow remote-logging input on ROS [SOLVED]
Replies: 12
Views: 1314

Re: Allow remote-logging input on ROS [SOLVED]

What I have works, but it was set up quite a while ago, so there may be something I have missed here. /system logging action add disk-file-count=10 disk-file-name=disk1/dudeLog/dudeLogNew disk-lines-per-file=4000 name=dudeLog target=\ disk # for testing (later) add name=dudeSyslog remote=127.0.0.1 tar...
by rplant
Sat Feb 03, 2024 2:08 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

perhaps /interface/bridge/port disable [find where interface=ether9] /interface vlan add name=voip_vodafone_vlan vlan-id=838 interface=ether9 /interface pppoe-client add name=pppoe_connection_for_vodafone_voip user=guest@onenetvoice.gr password=guest \ interface=voip_vodafone_vlan disabled=no /inter...
by rplant
Sat Feb 03, 2024 1:36 am
Forum: General
Topic: OVPN Windows client disconnecting every 1 minute without internal tunnel traffic
Replies: 3
Views: 401

Re: OVPN Windows client disconnecting every 1 minute without internal tunnel traffic

Sorry, Not sure.

Perhaps you could remove the ping-restart entry on the client and see if the link works ok without it.
(Or make it much bigger)
by rplant
Fri Feb 02, 2024 11:21 am
Forum: General
Topic: OVPN Windows client disconnecting every 1 minute without internal tunnel traffic
Replies: 3
Views: 401

Re: OVPN Windows client disconnecting every 1 minute without internal tunnel traffic

Possibly the keepalive timeout on the server is too long. From help (https://help.mikrotik.com/docs/display/ROS/OpenVPN) its definition looks kind of strange, it appears to do nothing until the timeout expires then sends ping packets one per second until either another timeout occurs or it receives ...
by rplant
Fri Feb 02, 2024 10:45 am
Forum: General
Topic: CCR1009-8G-1S Throughput Speed
Replies: 20
Views: 990

Re: CCR1009-8G-1S Throughput Speed

You could attach one of these to your 10G sfp+ port maybe with a dac cable.

https://www.aliexpress.com/item/1005006278753506.html
by rplant
Fri Feb 02, 2024 10:36 am
Forum: Beginner Basics
Topic: Two ISP IN SINGLE MIKROTIK PORT
Replies: 3
Views: 514

Re: Two ISP IN SINGLE MIKROTIK PORT

You can possibly attach 2 vlan interfaces to ether3, add the vlans to the WAN interface list, and then attach your connect ISP pppoe client to one of them (instead of ether3), and your Cyber ISP pppoe client to the other. Then plug ether3 into the ONU instead of the TP-Link. If you know the vlan use...
by rplant
Fri Feb 02, 2024 4:17 am
Forum: Beginner Basics
Topic: Traffic not working from internal to VPN users
Replies: 1
Views: 314

Re: Traffic not working from internal to VPN users

My guess is it is triangle routing. Packets leaving the OPNSense device head likely straight to the .10.x destination. Packets leaving the .10.x towards the vpn go via the Mikrotik then the OPNSense. The Mikrotik will generally drop these packets. (By default they have a drop invalid rule) You could...
by rplant
Wed Jan 31, 2024 1:25 am
Forum: General
Topic: Allow remote-logging input on ROS [SOLVED]
Replies: 12
Views: 1314

Re: Allow remote-logging input on ROS [SOLVED]

This may be wrong for the current dude versions, but it used to use the underlying logging system of the Mikrotik.

So all the logs were on the mikrotik, viewable in winbox.
If logging to file for persistence you would likely need external storage and multiple files specified.
by rplant
Wed Jan 31, 2024 1:16 am
Forum: General
Topic: EoIP with one side behind 1-to-1 NAT: am I doing something wrong? [SOLVED]
Replies: 8
Views: 627

Re: EoIP with one side behind 1-to-1 NAT: am I doing something wrong? [SOLVED]

A minor quibble I should note that /ip firewall filter add action=accept place-before=1 chain=input ipsec-policy=in,ipsec protocol=gre is really just equivalent to /ip firewall filter add action=accept place-before=1 chain=input src-address=Y.Y.Y.Y protocol=gre on side A... Not really: The first say...
by rplant
Tue Jan 30, 2024 4:05 am
Forum: Beginner Basics
Topic: Cannot access my LAN over remote WireGuard VPN
Replies: 3
Views: 722

Re: Cannot access my LAN over remote WireGuard VPN

My Guess is the allowed IPs setting in your PC's wireguard client.

A setting that should work would be 172.16.0.0/24, 10.11.11.0/24
by rplant
Tue Jan 30, 2024 3:52 am
Forum: Beginner Basics
Topic: Help with configuration of a port.
Replies: 41
Views: 4694

Re: Help with configuration of a port.

Seems like a strange setup. I would have thought that voice pppoe config would be done on the UDM Pro. Probably adding (another)? pppoe client on the same physical port it is currently using as its WAN port. But anyway. Assuming you have somewhere to plug ether9 into. Disable the existing ether9 bri...
by rplant
Mon Jan 29, 2024 6:39 am
Forum: Beginner Basics
Topic: Multiple wired clients with same MAC addresses
Replies: 4
Views: 550

Re: Multiple wired clients with same MAC addresses

I trialled this for a while, but couldn't get it to work. I eventually needed a bridge to bridge joiner, which Mikrotik traditionally seems unkeen on. I tried another approach with which I had some success and may work, but have been unable to get it to pass through broadcast packets. (If they are a...
by rplant
Sun Jan 28, 2024 1:43 pm
Forum: Beginner Basics
Topic: Multiple wired clients with same MAC addresses
Replies: 4
Views: 550

Re: Multiple wired clients with same MAC addresses

Sorry, on further thought, the above won't work :( The return traffic nat processing can't be setup. I am now thinking perhaps an individual bridge per port to do the src-nat from the port and dst-nat to the port might work. With the individual bridges then connected using vlan interfaces to a centr...
by rplant
Sun Jan 28, 2024 3:54 am
Forum: General
Topic: Wireguard on Windows (client), no gateway, can't ping router [SOLVED]
Replies: 11
Views: 1327

Re: Wireguard on Windows (client), no gateway, can't ping router [SOLVED]

Does the wireguard interface on the router have IP address 192.168.97.x/24 on it (I would normally use 192.168.97.1/24)? Does the wireguard peer configuration on the router have an allowed ips of 192.168.97.2 (only) for your peer? I would normally add 192.168.97.0/24 to the allowed ip list on your PC...
by rplant
Sun Jan 28, 2024 3:25 am
Forum: Beginner Basics
Topic: strongSwan and dynamic IP address
Replies: 2
Views: 375

Re: strongSwan and dynamic IP address

Perhaps add a script to your dhcp/pppoe client on the Router, to update the ikev2 VPN settings when its public ip address changes.

Or perhaps consider using wireguard.
by rplant
Sun Jan 28, 2024 1:41 am
Forum: Beginner Basics
Topic: Multiple wired clients with same MAC addresses
Replies: 4
Views: 550

Re: Multiple wired clients with same MAC addresses

You could try the following: Perhaps leave the ports attached to the bridge. In bridge filter, mark each packet with its incoming port number, (if it matches your industrial devices mac address) /interface bridge filter add action=mark-packet chain=forward disabled=yes in-interface=ether3 new-packet...
by rplant
Fri Jan 26, 2024 11:40 am
Forum: Beginner Basics
Topic: Access to LAN resources via WireGuard tunnel
Replies: 3
Views: 569

Re: Access to LAN resources via WireGuard tunnel

Sounds like it would be safe to make it go away?
Yes I think so.

I have no idea how they would have got there.
There looks to be only a couple of items that need to be changed.
by rplant
Fri Jan 26, 2024 2:05 am
Forum: General
Topic: Routing Bug or config Error?
Replies: 15
Views: 847

Re: Routing Bug or config Error?

Hi, Pretty sure that can't work. Note: The following is my understanding, (though I am often wrong). The router routes packets to the wireguard interface, and the wireguard interface (not the router) figures (based on allowed IP addresses) which peer to send them to. With multiple 0.0.0.0/0 allowed...
by rplant
Fri Jan 26, 2024 1:48 am
Forum: General
Topic: Sonos Across VLANs in 2024
Replies: 6
Views: 1330

Re: Sonos Across VLANs in 2024

Sorry, no actual answer but the following couple of links might be helpful.

viewtopic.php?t=194842&sid=9823878ca8fa ... 9452b2a5de

https://www.packetmischief.ca/2021/08/0 ... n-network/
by rplant
Fri Jan 26, 2024 1:09 am
Forum: Beginner Basics
Topic: Maintaining the wsAP ac lite in a "continuously ready state"
Replies: 1
Views: 369

Re: Maintaining the wsAP ac lite in a "continuously ready state"

My guess is it might be RSTP on the mikrotik bridge.
You could turn STP off and see if it helps.
by rplant
Fri Jan 26, 2024 1:05 am
Forum: Beginner Basics
Topic: Access to LAN resources via WireGuard tunnel
Replies: 3
Views: 569

Re: Access to LAN resources via WireGuard tunnel

Hi, Having the LAN network as 192.168.0.0/16 will stop wireguard working. All the devices on the LAN network will be arping for 192.168.100.x expecting it to be a neighbour. You can enable proxy arp on the mikrotik bridge which will likely get it to work. Though I think you should reduce the address ...
by rplant
Wed Jan 24, 2024 12:39 pm
Forum: Beginner Basics
Topic: ISP subnet distribution [SOLVED]
Replies: 5
Views: 961

Re: ISP subnet distribution [SOLVED]

One (expensive cpu) is to setup the 3011 as a pppoe server. With username/password for each downstream router, each thus getting its assigned IP Address. If the downstream routers are Mikrotiks, you could assign each of them a /32 from your assigned range. (Perhaps all with a single upstream IP addr...
by rplant
Wed Jan 24, 2024 10:43 am
Forum: Beginner Basics
Topic: Swap between PPPoE and DHCP quickly? [SOLVED]
Replies: 1
Views: 502

Re: Swap between PPPoE and DHCP quickly? [SOLVED]

Not really, If what you have is somewhere near the default Mikrotik config, (Which is a very good starting point) You can just add a pppoe client (With appropriate options) Then add this pppoe client to the interface list WAN. Presumably both it and your current WAN port will be on ether1. Then just...
by rplant
Wed Jan 24, 2024 2:19 am
Forum: Beginner Basics
Topic: Constant, similar packets being dropped by raw filter rule
Replies: 8
Views: 1648

Re: Constant, similar packets being dropped by raw filter rule

Sorry I misread your first post, as indicating the router had a fixed ip address.
So ignore my previous suggestion about the dhcp client.

It sounds like it is perhaps a noisy bridge network you are plugged into.
by rplant
Tue Jan 23, 2024 5:22 am
Forum: Beginner Basics
Topic: PPPoE Client: Where to find PPPoE Auth-Ack Message
Replies: 5
Views: 611

Re: PPPoE Client: Where to find PPPoE Auth-Ack Message

Perhaps change the buffer size in memory2 to be 1000 or more lines, or with appropriate scripting stop on full.

It looks to be part of ppp, so you could do ppp, debug, packet instead, which might reduce the amount of data slightly.
by rplant
Tue Jan 23, 2024 12:37 am
Forum: Beginner Basics
Topic: Constant, similar packets being dropped by raw filter rule
Replies: 8
Views: 1648

Re: Constant, similar packets being dropped by raw filter rule

Hi, It appears you have not disabled the dhcp client on ether1. So it is sending requests, but never getting a reply due to filter. The dhcp server may well be trying to give your router the same ip/route information that you configured manually. (or perhaps sets it up so you wind up with a page on ...
by rplant
Mon Jan 22, 2024 12:51 pm
Forum: Beginner Basics
Topic: Internet and LAN Extender
Replies: 3
Views: 658

Re: Internet and LAN Extender

Using your second config From memory, the starlink will be handing out 192.168.1.x IP addresses, so without some fiddling you can't have a 192.168.1.x address on the Mikrotik's bridge, for this mode of operation. add address=192.168.1.131 comment=defconf interface=bridge network=\ 192.168.1.0 Indica...
by rplant
Mon Jan 22, 2024 12:23 pm
Forum: Beginner Basics
Topic: PPPoE Client: Where to find PPPoE Auth-Ack Message
Replies: 5
Views: 611

Re: PPPoE Client: Where to find PPPoE Auth-Ack Message

If you are using tools/packet sniffer. You can click on packets, choose the appropriate one, and look at the raw hex data in winbox You can also go into system\logging Add a new rule with topics pppoe and action = memory And see if the required information arrives in the log. Slightly offtopic With ...
by rplant
Mon Jan 22, 2024 1:57 am
Forum: General
Topic: User poll about using Winbox
Replies: 102
Views: 75623

Re: User poll about using Winbox

1. I guess all the time 2. Remember your settings for that router 3. It would be nice if I had a default setting called ??? That when I deleted the existing session for a router, then connected to it again it would use the default session. Also have a one time only tickbox saying use default session...
by rplant
Sat Jan 20, 2024 9:25 am
Forum: Beginner Basics
Topic: PowerBox Pro into SWITCH only mode?
Replies: 4
Views: 832

Re: PowerBox Pro into SWITCH only mode?

Yes it can be put into a switch mode. It is easy to do, (but perhaps less so if you have never used/seen a Mikrotik before) It comes with a 24v power supply, I assume you will need 48-56v power supply to drive the cameras. Mikrotik RBGPOE is a very basic passive poe injector which should be enough. ...
by rplant
Thu Jan 18, 2024 9:59 am
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 155044

Re: v7.14beta [testing] is released!

With luck the new storage options will eventually allow packages to be stored and used on external storage.
by rplant
Sun Jan 14, 2024 12:18 pm
Forum: General
Topic: Q: How to bridge filter MNDP within a VLAN?
Replies: 3
Views: 663

Re: Q: How to bridge filter MNDP within a VLAN?

You can change the discovery settings under ip neighbors.

Default is LAN,
You could make a new Address list, which only includes the interfaces you want
MNDP (and others) to advertise (and listen) on.
by rplant
Sun Jan 14, 2024 11:25 am
Forum: Beginner Basics
Topic: Change VLAN MAC address - which is the current recommended way?
Replies: 3
Views: 727

Re: Change VLAN MAC address - which is the current recommended way?

I haven't tested it, but the following might work.

You could add a macvlan to the vlan interface.
And set the mac address on the macvlan.
(Though it likely will get handled by the cpu so slow on a crs)
by rplant
Wed Jan 10, 2024 11:16 am
Forum: Beginner Basics
Topic: connect printer to wifi through mAP lite
Replies: 5
Views: 1024

Re: connect printer to wifi through mAP lite

Perhaps the ubiquiti AP is set to not allow wireless clients to communicate with each other.
by rplant
Sat Jan 06, 2024 12:40 am
Forum: General
Topic: Add IP with more than X connection to blocklist
Replies: 1
Views: 958

Re: Add IP with more than X connection to blocklist

I would perhaps put the first item into mangle, prerouting chain.
(and also include in-interface=YourWanInterface)

The second item I would put in the raw table, (and maybe also include in-interface=)
by rplant
Sat Jan 06, 2024 12:21 am
Forum: Beginner Basics
Topic: Routing a VLAN through Wireguard
Replies: 5
Views: 1690

Re: Routing a VLAN through Wireguard

Anav is worth listening to. On further consideration, the routing is a bit broken. Once a device on vlan40 gets an IP address it won't be able to ping or otherwise connect to the router. (Packets sent from it to the router's IP address are pushed out the wireguard interface) My normal method would be...
by rplant
Fri Jan 05, 2024 2:36 pm
Forum: Beginner Basics
Topic: Routing a VLAN through Wireguard
Replies: 5
Views: 1690

Re: Routing a VLAN through Wireguard

Hi, I think you should seriously consider using a single bridge, and vlan filtering. But anyway. The following don't make any sense, the bridges are not attached to "ether2 MDF" /interface bridge vlan add bridge="BR - VLAN10 - General LAN" tagged="ether2 MDF" vlan-ids=1...
by rplant
Thu Jan 04, 2024 2:31 am
Forum: General
Topic: Simple hairpin not working
Replies: 17
Views: 1762

Re: Simple hairpin not working

Hi,

Your dstnat rules need to be changed (Hairpin isn't coming in from a WAN port)

add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.14 to-ports=443

Instead of using in-interface-list=WAN, perhaps use dst-address-type=local
by rplant
Sat Dec 30, 2023 11:14 am
Forum: General
Topic: l2tp client: configure source port [SOLVED]
Replies: 6
Views: 1396

Re: l2tp client: configure source port [SOLVED]

You can do source nat on the output chain normally.
Unfortunately not sure if it works when it is about to be ipsec encrypted.
If it works, the 2nd Mikrotik could source nat its port 1701 to maybe 1702.
by rplant
Thu Dec 28, 2023 7:07 am
Forum: Beginner Basics
Topic: ccr1009 gen1 pppoe problem
Replies: 1
Views: 495

Re: ccr1009 gen1 pppoe problem

Some possible options:
Power Supply Failing
Electrolytic Capacitors Failing
Bits of flash failing
Something attached to ccr failing/misbehaving. So ccr is seeing ethernet down events.

With luck Flash might be easiest to work around. Netinstall apparently helps, maps out bad blocks. Make a backup and ...
by rplant
Sun Dec 24, 2023 5:45 am
Forum: Beginner Basics
Topic: No internet via VLAN Wireguard Client [SOLVED]
Replies: 5
Views: 1272

Re: No internet via VLAN Wireguard Client [SOLVED]

In winbox in wireguard peers, there is Rx, Tx and LastHandshake. You need to have stuff in them, if nothing you likely need to review the public keys, (and IP addresses) You seem to be route marking packets coming from the wireguard interface mullvad-upstream to make them leave via the wireguard int...
by rplant
Fri Dec 22, 2023 10:47 am
Forum: General
Topic: Connecting 2 remote clients over Remote Desktop over VPN
Replies: 7
Views: 2400

Re: Connecting 2 remote clients over Remote Desktop over VPN

This is a bit (lot) of a hack. (Hopefully temporary until you determine what the underlying issue is) You could possibly source nat traffic from site 1 towards site 2 with the mikrotik at site 3 so it looks to be coming from site 3 (probably from the mikrotik's IP Address). Need to make sure first t...
by rplant
Fri Dec 22, 2023 6:03 am
Forum: General
Topic: Can't enable Protected RouterBOOT
Replies: 3
Views: 545

Re: Can't enable Protected RouterBOOT

Actually apparently it is only reset button. The following topic has some good information. https://forum.mikrotik.com/viewtopic.php?t=181158 Probably also worth reading ** edit ** https://help.mikrotik.com/docs/display/ROS/RouterBOARD and https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#P...
by rplant
Fri Dec 22, 2023 1:31 am
Forum: Beginner Basics
Topic: Mikrotik as road warrior Wireguard client to Unifi UDM [SOLVED]
Replies: 13
Views: 1692

Re: Mikrotik as road warrior Wireguard client to Unifi UDM [SOLVED]

Hi,
It seems mostly good.


Double Check (again) the public key at each end is correct.

At the UDM:
Are the packets arriving at the UDM?
Is the UDM sending anything back?
Does the UDM actually have 192.168.2.1/24 assigned to wg interface?
by rplant
Thu Dec 21, 2023 8:50 am
Forum: General
Topic: Can't enable Protected RouterBOOT
Replies: 3
Views: 545

Re: Can't enable Protected RouterBOOT

You need to power cycle the router (eg. remove power plug)
or press reset button shortly after enabling the option.
(Both are physical actions)
by rplant
Tue Dec 19, 2023 3:09 am
Forum: General
Topic: Two Starlinks, management interface access
Replies: 15
Views: 2414

Re: Two Starlinks, management interface access

Hi, Strictly you can't. You need to make mangle rules to mark the packets and then route them so they will go where you want it to go. You can either add yourself to an address list, so your packets go out the chosen interface. Or use dst-nat so you attempt to connect to a different IP (.100.11 and ...
by rplant
Tue Dec 19, 2023 2:57 am
Forum: General
Topic: Powering Mikrotik hAP ax² Router from Power Bank
Replies: 5
Views: 1077

Re: Powering Mikrotik hAP ax² Router from Power Bank

Ordinary USB to 12V adapters are probably a bit limited.

However if it is a PD or a QC3 powerbank.
You can get PD or QC3 USB to DC connector, with a trigger circuit for QC3 or PD (different cables)
So 12V (or 20V) is provided direct from the power bank.
by rplant
Mon Dec 18, 2023 2:33 am
Forum: General
Topic: Two Starlinks, management interface access
Replies: 15
Views: 2414

Re: Two Starlinks, management interface access

You can do something like the following /ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.100.1%ether2 routing-table=ViaEther2 suppress-hw-offload=no add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.1%ether1 pref-src="" routing-table=ViaEther1 scope=30 sup...
by rplant
Sun Dec 17, 2023 12:12 am
Forum: General
Topic: Two Starlinks, management interface access
Replies: 15
Views: 2414

Re: Two Starlinks, management interface access

A couple of options (Sorry I know little about starlinks) 1. dst-nat and mangle routing This is quite dependent on the webserver on the starlink unfortunately. Sub option 1, (most likely to work) forward connections to 192.168.100.1: 1443 to ether2: 192.168.100.1:443 (and/or : 8080 -> ether2: 80) If...
by rplant
Mon Dec 11, 2023 11:21 pm
Forum: General
Topic: VoWifi - do not work [SOLVED]
Replies: 13
Views: 2843

Re: VoWifi - do not work [SOLVED]

It kind of looks like it should almost be working, not sure, wait a while?

My phone (not a samsung) will often take a while to decide to use vowifi if it has an ok 4g signal.
From memory (I think but am not sure) it might be less picky if the 4g signal is rubbish.
by rplant
Mon Dec 11, 2023 11:12 pm
Forum: Beginner Basics
Topic: extender won't connect - somewhat solved
Replies: 5
Views: 1395

Re: extender won't connect

You could try turning off spanning tree protocol on the bridge of the RB951Ui-2HnD, it sometimes helps.
by rplant
Mon Dec 11, 2023 4:11 am
Forum: General
Topic: CAPsMAN with WiFiWave2 in mixed network
Replies: 13
Views: 2810

Re: CAPsMAN with WiFiWave2 in mixed network

Sorry this may well be redundant... The "capsman" setup for the newer wifi is done under the WiFi Tab, not under the Capsman Tab. It is easy to attach local wifiwave2 interfaces to configurations that are part of "capsman", but they cannot actually be controlled/configured by the...
by rplant
Mon Dec 11, 2023 3:47 am
Forum: General
Topic: VoWifi - do not work [SOLVED]
Replies: 13
Views: 2843

Re: VoWifi - do not work [SOLVED]

This might not fix your problem but do it anyway and restart from there. Remove 500 and 4500 from the sip helper (service port). Ideally disable the sip helper. Set the udp stream timeout back to its default of 3 minutes from current 6 minutes, (Or maybe even to 2 minutes, as specified in "NAT ...
by rplant
Sat Dec 09, 2023 1:13 am
Forum: Beginner Basics
Topic: Trying to redirect an address-list through an EOIP Tunnel
Replies: 2
Views: 1681

Re: Trying to redirect an address-list through an EOIP Tunnel

Hi, The order of route processing has changed a little. If you mark a packet with a route mark, and there is a matching entry in the routing table. It will use that entry, (and not look at the routing rules) If you need things to go via the routing rules (which is usually good) you should mark the p...
by rplant
Fri Dec 08, 2023 6:14 am
Forum: General
Topic: Mangle route for WAN2 causing loop [SOLVED]
Replies: 4
Views: 1943

Re: Mangle route for WAN2 causing loop [SOLVED]

Hi,
The rule setting the routing table likely needs to use incoming interfaces. Not destination IP addresses.
The Natted destination address is not yet known, it will still be the external IP address of the router.
(You could add this to your address list I guess)
by rplant
Fri Dec 08, 2023 6:01 am
Forum: Beginner Basics
Topic: EoIP: guarantee MTU of 1500 [SOLVED]
Replies: 4
Views: 2341

Re: EoIP: guarantee MTU of 1500 [SOLVED]

Apparently eoip adds an overhead of 42 bytes, so it should fit ok.
by rplant
Fri Dec 08, 2023 2:35 am
Forum: General
Topic: mikrotik sip don't forward bye commands
Replies: 8
Views: 2181

Re: mikrotik sip don't forward bye commands

How did the static arp go? For the following topic with vaguely similar issues rdp connection dying https://forum.mikrotik.com/viewtopic.php?t=178364 Setting the UDP Timeout to 20s from its default 10s fixed the problem in a lot of cases. It shouldn't make any difference but... Mikrotik might also l...
by rplant
Wed Dec 06, 2023 9:56 am
Forum: General
Topic: How to Hairpin on the first hop (not on internet gateway)
Replies: 6
Views: 1891

Re: How to Hairpin on the first hop (not on internet gateway)

If the router is actually routing the packet, it can dst-nat the packet; it doesn't need to have the IP address on itself.

Because it will presumably be hairpinning the packet, you will need to src-nat the packet as well.
(Possibly the src-nat IP you use does need to be on the router)
by rplant
Wed Dec 06, 2023 7:33 am
Forum: General
Topic: Routing rule VS mangle mark routing
Replies: 9
Views: 3120

Re: Routing rule VS mangle mark routing

Hi, I built an approximation to this, but with no vxlans (just used another bridge, and ether2 as wan2) It seemed to mostly work, but the vrf-wan2 being a vrf made it quite painful. I seemed to need to reboot whenever I had done more than a couple of changes. I was also unable to traceroute from the...
by rplant
Tue Dec 05, 2023 11:48 pm
Forum: General
Topic: Wireguard tunnel - speed problem
Replies: 19
Views: 3474

Re: Wireguard tunnel - speed problem

Hmm, A couple of (possibly poorly conceived) thoughts. If you haven't tried it, try copying using robocopy with /MT flag, (is this different to what you have already tried with SMB?) If you are running large frame sizes 4k+ in both networks, perhaps you could make the MTU on wireguard this large siz...
by rplant
Mon Dec 04, 2023 1:08 pm
Forum: General
Topic: Wireguard tunnel - speed problem
Replies: 19
Views: 3474

Re: Wireguard tunnel - speed problem

Another thought, It is very likely the bandwidth test was running with multiple (20?) connections. This probably helps by allowing more cores onto the task, and also reduces the impact of latency, and the different connections can overall fill the link. This possibly means that with a few ftp transf...
by rplant
Mon Dec 04, 2023 3:46 am
Forum: Beginner Basics
Topic: CPE and issue with resceving an IP
Replies: 10
Views: 2260

Re: CPE and issue with resceving an IP

Hi, I would probably do the following. Leave the main network as is but set up the DHCP server to not assign devices to a part of it. Remove Nat (if any) on the 951. **Edit In interfaces interface lists, ensure the wlan is not a member of WAN (So No Nat, and other firewall rules), and optionally mak...
by rplant
Mon Dec 04, 2023 3:16 am
Forum: General
Topic: Wireguard tunnel - speed problem
Replies: 19
Views: 3474

Re: Wireguard tunnel - speed problem

Well the speeds all look pretty good, from one wireguard endpoint to the other endpoint, via wireguard. (This is what the graphs are isn't it?) So perhaps it is the Lan interfaces that are causing the issues. My thoughts are perhaps MTU and MSS. One end wg MTU will likely (should) be at 1420, while ...
by rplant
Sun Dec 03, 2023 3:45 am
Forum: General
Topic: Wireguard tunnel - speed problem
Replies: 19
Views: 3474

Re: Wireguard tunnel - speed problem

Hi,
Could you graph the Rx only (To A) as well please.
(Also, just have a look the queues if any at both ends, maybe disable them briefly)
by rplant
Sun Dec 03, 2023 3:23 am
Forum: Beginner Basics
Topic: Failover between 2 ISPs using gateways with same IP (was NAT traffic to VRF)
Replies: 38
Views: 6598

Re: Failover between 2 ISPs using gateways with same IP (was NAT traffic to VRF)

action=src-nat does require an address (unlike masquerade) You can put something along the lines of the following into your dhcp client configuration (below is for changing items in the routing table based on the contents of the comment for the rule, modify as required for NAT entries) /ip dhcp-clie...
by rplant
Sat Dec 02, 2023 11:27 am
Forum: Wireless Networking
Topic: Station Pseudobridge Repeater with Static DHCP-Client
Replies: 3
Views: 1428

Re: Station Pseudobridge Repeater with Static DHCP-Client

To mark it as a wan interface. You add it to the wan interface list in Interfaces, interface list tab (winbox) You should find ether1 a member of the wan list.
(cli)
/interface list member add interface=wlan1 list=WAN
Note: This only applies if you are altering the default configuration, if you are ...
by rplant
Sat Dec 02, 2023 3:21 am
Forum: Wireless Networking
Topic: Station Pseudobridge Repeater with Static DHCP-Client
Replies: 3
Views: 1428

Re: Station Pseudobridge Repeater with Static DHCP-Client

Do you really need it bridged? It's much more reliable and easier to set up the wireless station interface as a station, remove it from any bridge, add a dhcp client to it, then make it a wan interface. (interface / interface list) (With the default config making it a wan interface, will make it Nat...
by rplant
Thu Nov 30, 2023 11:57 pm
Forum: General
Topic: How to Hairpin on the first hop (not on internet gateway)
Replies: 6
Views: 1891

Re: How to Hairpin on the first hop (not on internet gateway)

Another (possibly easy) option is to use DNS. Externally, the DNS used will point to the gateway. Internally the DNS will point direct to the router1 You would perhaps need to create another DNS record specifically for this task. Another another option If the access point is a Mikrotik, (or the traf...
by rplant
Thu Nov 30, 2023 9:55 am
Forum: General
Topic: How to Hairpin on the first hop (not on internet gateway)
Replies: 6
Views: 1891

Re: How to Hairpin on the first hop (not on internet gateway)

Are you saying that the link between router1 and router2 is 10Mbps? If so, the likely best option is to upgrade this link. Otherwise, my guess is that the hairpin is getting throttled by some queues, presumably on router2. In this case, (I am assuming router2 is an MT), add appropriate fast queuein...
by rplant
Thu Nov 30, 2023 9:41 am
Forum: General
Topic: SIP Packets Passthrough not working
Replies: 5
Views: 1538

Re: SIP Packets Passthrough not working

Some guesses.

3cx want a bunch of dst-nat entries, are these in place?

There have been issues in other places with the short udp initial timeouts.
You could change the UDP Timeout in tracking.
In Winbox, ip firewall, choose connections tab, and then tracking button.
by rplant
Wed Nov 29, 2023 8:16 am
Forum: Beginner Basics
Topic: Issues about wireguard connectivity on RouterOS with multiple WAN ports
Replies: 13
Views: 2006

Re: Issues about wireguard connectivity on RouterOS with multiple WAN ports

wireguard with 2 gateways. Conclusion Likely only works well by using routing rules. Some testing and observations: Router with 2 wan ports (both with NAT, dhcp client), wireguard configured, input rule to allow wireguard in, otherwise near base configuration. Configured mangle rules marking new co...
by rplant
Sat Nov 25, 2023 11:15 am
Forum: Wireless Networking
Topic: LTapMini w/ EP06
Replies: 3
Views: 1375

Re: LTapMini w/ EP06

This is not recent but may still apply. From https://wiki.mikrotik.com/wiki/Cellular_Quectel_modems_01 To make the EP06 modem working on most of the mini-pcie slots of the RouterBoard you need to tape the USB 3.0 pins on the modem or tape the PCIE pins on the mini-pcie slot as the USB3.0 pins are no...
by rplant
Sat Nov 25, 2023 10:41 am
Forum: General
Topic: After Wireguard Client configuration successfully, lan area cannot access wireguard area.
Replies: 6
Views: 1321

Re: After Wireguard Client configuration successfully, lan area cannot access wireguard area.

This likely needs fixing.
add action=src-nat chain=srcnat dst-address=192.168.100.0/24 dst-limit=\
    1,5,dst-address/1m40s limit=1,5:packet psd=21,3s,3,1 src-address=\
    192.168.88.0/24 time=0s-1d,sun,mon,tue,wed,thu,fri,sat to-addresses=\
    192.168.100.2
Needs perhaps a dst-address list and include 192.1...
by rplant
Fri Nov 24, 2023 1:55 am
Forum: General
Topic: Cannot upgrade firmware on HAP Lite
Replies: 23
Views: 5104

Re: Cannot upgrade firmware on HAP Lite

One other thing with netinstall is that it remembers the previous file you uploaded (maybe months ago), and doesn't pick the file in the current directory.

When the device is connected and you are ready to go, double check the file it's about to upload is the one you want.
by rplant
Fri Nov 24, 2023 1:33 am
Forum: Beginner Basics
Topic: Issues about wireguard connectivity on RouterOS with multiple WAN ports
Replies: 13
Views: 2006

Re: Issues about wireguard connectivity on RouterOS with multiple WAN ports

It used to be (and possibly still is) that connection marks did not get from input to output with wireguard (or openvpn). I have used the source IP address as a routing selector in the routing rules for this. It does NOW remember the source IP address.   Assumes static IP address. Can update rules u...
by rplant
Thu Nov 23, 2023 9:17 am
Forum: General
Topic: Clients on station not reachable [SOLVED]
Replies: 10
Views: 1723

Re: Clients on station not reachable [SOLVED]

** Edit **

You can try station pseudo bridge. It might work.

If it does, you shouldn't need to do anything much else.

It seems that if you turn off rstp on the bridge (at both ends) this is more likely to work.
(But Station Pseudo bridge is a dodgy hack)
by rplant
Wed Nov 22, 2023 6:45 am
Forum: General
Topic: Clients on station not reachable [SOLVED]
Replies: 10
Views: 1723

Re: Clients on station not reachable [SOLVED]

Hi, I assume you want it all bridged so everything on the wired network can see everything connected to the wap and vice versa. (Importantly I also assume the device the wAP is connected to via wlan2 is a Mikrotik device) In this case, set the 5GHz interface on the wAP to Station Bridge Mode. Probab...
by rplant
Tue Nov 21, 2023 2:39 am
Forum: General
Topic: DHCP problem with Chinese wireless repeater connected to Mikrotik AP
Replies: 6
Views: 4982

Re: DHCP problem with Chinese wireless repeater connected to Mikrotik AP

Hi,

You could try turning off rstp on the mikrotik's bridge, it seems to cause issues in this case sometimes.
by rplant
Tue Nov 21, 2023 2:23 am
Forum: Beginner Basics
Topic: 5G/LTE through Wifi bridge to network
Replies: 4
Views: 1535

Re: 5G/LTE through Wifi bridge to network

Hi, The Chateau doesn't appear to have configuration for a default gateway. Is there a default route via the lte in /ip/route? Perhaps a dhcp client on the lte interface enabling the default route and dns. Then once that is done, you should be able to ping and traceroute the internet say 8.8.8.8 fro...
by rplant
Sat Nov 18, 2023 8:41 am
Forum: Beginner Basics
Topic: Long identyfing network in Win
Replies: 11
Views: 2153

Re: Long identyfing network in Win

Hi,

I think you are supposed to remove some of the information on your export.

My guess is it's the stp enabled on the hap ac2's.
rstp is a lot quicker, (and can skip steps)
by rplant
Fri Nov 17, 2023 8:57 am
Forum: Beginner Basics
Topic: dhcp relay using LAN IP address as source
Replies: 10
Views: 3055

Re: dhcp relay using LAN IP address as source

You can do a source nat

perhaps something like
/ip firewall nat
add action=src-nat chain=srcnat out-interface=ether1 src-address=\
    169.254.1.2 to-addresses=192.168.5.1 dst-address=192.168.0.0/24
probably needs to go near the top.
by rplant
Sun Nov 12, 2023 7:57 am
Forum: General
Topic: IPv4 Fast Path not activated [SOLVED]
Replies: 6
Views: 1289

Re: IPv4 Fast Path not activated [SOLVED]

One likely culprit, you have to disable/remove all firewall rules.

https://wiki.mikrotik.com/wiki/Manual:Fast_Path
by rplant
Sat Nov 11, 2023 10:48 am
Forum: General
Topic: WireGuard and mangle routing
Replies: 25
Views: 2520

Re: WireGuard and mangle routing

Yes, If you route mark a packet, and then have a routing entry that matches, it WILL use that routing entry. You could perhaps put an accept rule prior to the route marking rule, where the listed destinations shouldn't go via wireguard. eg. Where the destination IP matches any of the local network I...
by rplant
Fri Nov 10, 2023 11:06 pm
Forum: Wireless Networking
Topic: Device connected to tplink repeater not getting ip's from Mikrotik DHCP [SOLVED]
Replies: 3
Views: 1997

Re: Device connected to tplink repeater not getting ip's from Mikrotik DHCP [SOLVED]

It is worth checking that you have rstp turned off on the mikrotik's bridge.
It often seems to be a bit of a showstopper in this situation.
(Apart from any other incompatibility issues.)
by rplant
Tue Nov 07, 2023 12:23 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 2761

Re: GRE over IPSEC - cannot reach clients

The routes should be through the gre tunnel.
/ip route add disabled=no dst-address=10.77.0.0/24 gateway=gre-tunnel1
You can (but don't have to) add addresses to the gre tunnels. (allows you to test just the tunnel, and route via ip addresses)
on side1
/ip address add address=192.168.40.1/24 interfa...
by rplant
Tue Nov 07, 2023 10:44 am
Forum: Forwarding Protocols
Topic: Routed Multi-WAN without NAT
Replies: 8
Views: 2255

Re: Routed Multi-WAN without NAT

I gain the impression that sticky is the only way the Mikrotik will do it.

https://wiki.mikrotik.com/wiki/Manual:I ... MP)_routes
by rplant
Mon Nov 06, 2023 1:29 am
Forum: Forwarding Protocols
Topic: Routed Multi-WAN without NAT
Replies: 8
Views: 2255

Re: Routed Multi-WAN without NAT

This seems likely to work
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=8.8.8.8/32 gateway=1.2.3.6%ether1 pref-src="" routing-table=\
    main scope=10 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=8.8.8.8/32 gateway=5.6.7.10%ether2 pref-src=&q...
by rplant
Fri Nov 03, 2023 2:45 am
Forum: Beginner Basics
Topic: Issue with HiSense aircon
Replies: 15
Views: 4238

Re: Issue with HiSense aircon

maybe it is an mtu issue.

/ip firewall mangle
add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=ether1 passthrough=yes protocol=tcp tcp-flags=syn

(courtesy anav)
by rplant
Thu Nov 02, 2023 2:01 am
Forum: Forwarding Protocols
Topic: Routed Multi-WAN without NAT
Replies: 8
Views: 2255

Re: Routed Multi-WAN without NAT

A simpler option that might (or might not) work

/ip/route/
add dst-address=8.8.8.8 scope=10 gateway=1.2.3.6
add dst-address=8.8.8.8 scope=10 gateway=5.6.7.10

add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping target-scope=11
by rplant
Thu Nov 02, 2023 1:49 am
Forum: Forwarding Protocols
Topic: Routed Multi-WAN without NAT
Replies: 8
Views: 2255

Re: Routed Multi-WAN without NAT

Some (maybe) helpful stuff https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608 https://forum.mikrotik.com/viewtopic.php?t=173227 Mostly they seem to like route marking but if you have some IP addresses that you don't mind if only accessible via one route. Perhaps Something like this...
by rplant
Wed Nov 01, 2023 2:51 am
Forum: Forwarding Protocols
Topic: Routed Multi-WAN without NAT
Replies: 8
Views: 2255

Re: Routed Multi-WAN without NAT

Hi, If you just need basic ecmp you can set up same destination (default) routes from each interface with the same distance. You can set up recursive routing on the 2 links, so if some link specific upstream target becomes unavailable, that link is regarded as dead. If you need bgp to do clever thin...
by rplant
Mon Oct 30, 2023 11:11 pm
Forum: Beginner Basics
Topic: wireguard, mark routing, dns doesn't work
Replies: 12
Views: 2560

Re: wireguard, mark routing, dns doesn't work

Try finding the mtu of the link. (Apparently netflix checks it)
on windows
ping -f -l 1472 nova.cz
or maybe (linux)
traceroute --mtu nova.cz
Issue with short mtu. (and using ppp to fix it)
https://forum.mikrotik.com/viewtopic.php?p=1023023#p1023023
Or you can just set the mtu of your wireguard inter...
by rplant
Mon Oct 30, 2023 11:12 am
Forum: Beginner Basics
Topic: wireguard, mark routing, dns doesn't work
Replies: 12
Views: 2560

Re: wireguard, mark routing, dns doesn't work

Perhaps read the network settings off appletv2 and write them down. Remove appletv2 Plug a laptop in where the appletv2 was, and set it up the same as appletv2. Do traceroutes, pings to destinations on and off vpn. See how far they go, does that tell you where they stop, and where to look. What size...
by rplant
Mon Oct 30, 2023 5:20 am
Forum: General
Topic: NAT - Source and Destination NAT on same router [SOLVED]
Replies: 2
Views: 1015

Re: NAT - Source and Destination NAT on same router [SOLVED]

I don't think it matters. The 4 parts of the connection need to match. So a new outbound connection might be Natted to 50010 from the router, but it would not be to the same IP and port that has an inbound connection into 50010, so it would be seen and handled different. And the return traffic to th...
by rplant
Mon Oct 30, 2023 12:46 am
Forum: Wireless Networking
Topic: 2 different networks with AP
Replies: 2
Views: 1478

Re: 2 different networks with AP

Another simpler option, that might work if the gateways have the ability to add static routes. In the gateway add a static route for the other subnet via the local SXT's IP address on both sides. Change the sxt's so the link is routed. (ie. with 105.1 on wlan1, similar to Option3) and add a route to...
by rplant
Sun Oct 29, 2023 12:24 pm
Forum: Wireless Networking
Topic: 2 different networks with AP
Replies: 2
Views: 1478

Re: 2 different networks with AP

Sorry for the amount of text... I will assume each network has its own gateway/router that provides dhcp and internet. Something like 106.1 supplying 192.168.106.0/24, and 107.1 similar. Thoughts In the short term, setup ROMON on both units, tools/romon put a password into it, and enable. (Same pass...
by rplant
Fri Oct 27, 2023 5:00 am
Forum: Beginner Basics
Topic: Cannot connect to LAN machine while connected thru VPN
Replies: 2
Views: 1006

Re: Cannot connect to LAN machine while connected thru VPN

I assume your PC is getting a 10.something address on its l2tp connection (It needs to be 10.something) Perhaps modify (or copy and modify) the forward rule so it is the other way around. (from 10.0.0.0/8 to 10.10.85.0/24) Next, probably setup a Src-nat rule for your PC's l2tp address. if src-ip=pc-...
by rplant
Fri Oct 27, 2023 1:48 am
Forum: RouterOS beta
Topic: ping - missing routing-table
Replies: 8
Views: 7911

Re: ping - missing routing-table

It seems like you can use

ping destination interface=xxxx

And it fails if it can't reach destination via that interface.
(traceroute tries, but will use whatever is available if doesn't work via interface though)
by rplant
Wed Oct 25, 2023 2:59 am
Forum: Beginner Basics
Topic: MQS Weirdness
Replies: 3
Views: 1117

Re: MQS Weirdness

This may not be helpful but anyway... A map will do most everything the mqs will do, but reliably and with routeros under it. (Maybe also a hap ax lite could be used) You could setup wireguard, and have it phone home. One thought with the MQS is that devices these days don't like it if they don't ge...
by rplant
Sun Oct 22, 2023 2:01 am
Forum: Wireless Networking
Topic: Wireless station scanning issue
Replies: 6
Views: 1993

Re: Wireless station scanning issue

Hi, In your second post you mentioned the master interface as being an AP. Make the master interface the Station. It should then automatically chase the remote AP it wants to connect to. The downside of this option is that the now Slave AP on this router, will not be accessible until the Station pa...
by rplant
Sat Oct 21, 2023 12:26 pm
Forum: Wireless Networking
Topic: No DHCP via WiFi
Replies: 5
Views: 1719

Re: No DHCP via WiFi

Hi,

In the wap You need to add the ether1 port to the bridge bridge1
Also perhaps make discovery-interfaces include the bridge.
by rplant
Wed Oct 18, 2023 3:35 am
Forum: Wireless Networking
Topic: use Mikrotik as wireless ethernet bridge
Replies: 13
Views: 16271

Re: use Mikrotik as wireless ethernet bridge

This topic is probably worth reading. https://forum.mikrotik.com/viewtopic.php?t=180369 If you have one, you can attach another Mikrotik (doesn't need wireless) to the wired side of the lan. Then make an eoip or similar bridge from the Mikrotik wireless client through to that router. (Eoip needs stat...
by rplant
Tue Oct 17, 2023 12:14 pm
Forum: General
Topic: open port vs forward port
Replies: 3
Views: 1033

Re: open port vs forward port

My guess (but I could well be wrong...)

They want access to the outside internet using these ports.
So remove the inbound port forwards.

If keen (and possibly not a terrible option), you could block (and log) all other outbound access.
by rplant
Mon Oct 16, 2023 1:52 am
Forum: Beginner Basics
Topic: Connect to WiFi, Bridge to Ethernet (DHCP)
Replies: 18
Views: 4503

Re: Connect to WiFi, Bridge to Ethernet (DHCP)

Yes, Restoring a backup onto a different router (Unfortunately even of the same model router) usually doesn't work. You need to copy and paste in the text configuration, which will also often need some minor changes (eg. bridge mac addresses) on the fly. And need to take care not to lock yourself ou...
by rplant
Sat Oct 14, 2023 5:23 am
Forum: General
Topic: RouterOS 6.49.1 vs 7.11.2 IPSEC NAT problem
Replies: 5
Views: 958

Re: RouterOS 6.49.1 vs 7.11.2 IPSEC NAT problem

If you have any mangle route marking/policy routing configured, there have been some significant changes in this area.
by rplant
Sat Oct 14, 2023 5:17 am
Forum: General
Topic: What is the pwr-line1 interface on mAP 2nd and how to use it?
Replies: 5
Views: 998

Re: What is the pwr-line1 interface on mAP 2nd and how to use it?

Hi,

Interface is via the usb port (maybe not usb mode though), it can be used with their power line products
eg. PL6400
https://mikrotik.com/product/pwr_line_us
by rplant
Sat Oct 14, 2023 4:43 am
Forum: General
Topic: DHCP relay for certain MACs
Replies: 1
Views: 545

Re: DHCP relay for certain MACs

Hi, Often phones can process an option from the dhcp service which tells the phone to use a different vlan, and they will jump onto this other vlan. Which could be handled by the microsoft dhcp server, and also can be prioritized appropriately. You would need to look at the phone(s) manuals. Many sm...
by rplant
Thu Oct 12, 2023 10:08 am
Forum: General
Topic: Wireguard site to multi site
Replies: 5
Views: 2155

Re: Wireguard site to multi site

LocationA
L=192.168.0.0/24
WG1=10.255.255.1/24 Port= 13231
WG2=10.255.254.1/24 Port= 13232
Wan= 190.229.05.220
Allowed Address: 10.255.255.1/32 192.168.2.0/24
Allowed Address: 10.255.254.1/32 192.168.4.0/24
LocationB
L=192.168.2.0/24
WG1=10.255.255.2/24 Port= 13231
Wan= 190.229.15.220
Allowed Addre...
by rplant
Sat Oct 07, 2023 5:43 am
Forum: Beginner Basics
Topic: Connect to WiFi, Bridge to Ethernet (DHCP)
Replies: 18
Views: 4503

Re: Connect to WiFi, Bridge to Ethernet (DHCP)

Cool,

Another thought, if you have any spare Aruba's, lots of the newer enterprise devices will do a mesh.
You could get its user guide, and if it does do mesh set that up.

This will give a much faster network than the maplite.
by rplant
Sat Oct 07, 2023 2:28 am
Forum: General
Topic: RB4011 "Internal error: Oops: 17 [#1] SMP ARM" [SOLVED]
Replies: 8
Views: 2047

Re: RB4011 "Internal error: Oops: 17 [#1] SMP ARM" [SOLVED]

Perhaps use the reset button to get it into netinstall mode using the backup bootloader.
And a version of netinstall (or compatible) that looks like a late v6 version.
by rplant
Fri Oct 06, 2023 1:33 am
Forum: Beginner Basics
Topic: Connect to WiFi, Bridge to Ethernet (DHCP)
Replies: 18
Views: 4503

Re: Connect to WiFi, Bridge to Ethernet (DHCP)

Hi, Not sure, but you could try to change the wireless band to be 2ghz bgn. Also make wlan1 station (only)
Also, I think this:
add action=masquerade chain=srcnat
should be:
add action=masquerade chain=srcnat out-interface-list=WAN
(But this change is unlikely to fix your wifi connection problem) Aft...
by rplant
Thu Oct 05, 2023 1:07 pm
Forum: Beginner Basics
Topic: Connect to WiFi, Bridge to Ethernet (DHCP)
Replies: 18
Views: 4503

Re: Connect to WiFi, Bridge to Ethernet (DHCP)

I am assuming the Aruba is using something more than a basic wpa2 psk. The following might be helpful. https://nixfaq.org/2020/06/using-a-mikrotik-router-as-a-wireless-client-station-to-a-802-1x-eap-secured-wifi-network.html Once you get the map lite connected to the ap you can work through the rest.
by rplant
Wed Oct 04, 2023 5:50 am
Forum: Beginner Basics
Topic: Connect to WiFi, Bridge to Ethernet (DHCP)
Replies: 18
Views: 4503

Re: Connect to WiFi, Bridge to Ethernet (DHCP)

Hi, In general attempting to bridge wifi clients doesn't work. If the AP is a mikrotik running 6.xx versions, it has features that do work well with mikrotik clients, just choose station bridge on the maplite, and add it to the bridge. (choose ap bridge on the mikrotik AP) Otherwise, you can try set...
by rplant
Wed Oct 04, 2023 4:06 am
Forum: General
Topic: CHR behind NAT as WG Server [SOLVED]
Replies: 9
Views: 1393

Re: CHR behind NAT as WG Server [SOLVED]

Hi, Some Options. 1. You can nat the output from the wireguard interface that goes out the lan ports. 2. If you put the wireguard on a subset of the same ip range as the lan network, you can make it look like it is part of the same subnet. eg. if lan is 192.168.0.0/24, then assign wireguard interfac...
by rplant
Tue Oct 03, 2023 7:00 am
Forum: Beginner Basics
Topic: too many ip and MAC addresses in "ARP LIST" tab
Replies: 2
Views: 8496

Re: too many ip and MAC addresses in "ARP LIST" tab

It kind of looks like there is no default gateway configured on lte1.
Is it dhcp?
and maybe lte1 is setup with proxy arp enabled.
by rplant
Sun Oct 01, 2023 6:30 am
Forum: Beginner Basics
Topic: PoE in not Working [SOLVED]
Replies: 4
Views: 1488

Re: PoE in not Working [SOLVED]

Hi, hex-s's are good and should work. Do you need the hex-s to power other downstream devices? It has only a single poe out port, (and it doesn't do proper 802.3af/at out) Otherwise perhaps the hex PoE (not lite) This unit is listed as only passive poe in, but I have found that it starts and works w...
by rplant
Sat Sep 30, 2023 1:54 pm
Forum: Beginner Basics
Topic: PoE in not Working [SOLVED]
Replies: 4
Views: 1488

Re: PoE in not Working [SOLVED]

Hi,

This unit wants passive PoE at 24v.
You could put an rbgpoe inline, (or a ubiquiti instant af) or cheaper a passive poe injector plugged into the hex's power supply,
feeding the ethernet cable.
by rplant
Thu Sep 28, 2023 2:56 am
Forum: General
Topic: Mikrotik spams DHCP discover from all bridge ports [SOLVED]
Replies: 4
Views: 1099

Re: Mikrotik spams DHCP discover from all bridge ports [SOLVED]

I do not expect to see bridge interfaces (ether2-5) send any DHCP Discover messages as there's no configured DHCP clients on them.
I will assume this means. no dhcp client configured on the Hap AC2 bridge. there are external dhcp clients on the lan network. The bridge by default mostly acts as a d...
by rplant
Tue Sep 26, 2023 4:46 am
Forum: RouterOS beta
Topic: RDP Connection Dying
Replies: 57
Views: 32360

Re: RDP Connection Dying

Are there any updates regarding this issue? ... From what I understand, these modifications can do no harm but I would like to understand the situation better.
Hi, Some thoughts, The mikrotik firewall is usually stateful. If you have a rule like, let any device on vlans x,y,z connect via UDP to ser...
by rplant
Mon Sep 25, 2023 6:48 am
Forum: General
Topic: FTP download very slow behind Mikrotik
Replies: 1
Views: 622

Re: FTP download very slow behind Mikrotik

If it is only this one ftp site that is running slowly, my GUESS would be that it might be due to out of order packets. You could try turning fast path off (I think but am not sure that because some packets still have to go the slow way, you will get some out of order packets. If fast path is off, p...
by rplant
Fri Sep 22, 2023 1:07 am
Forum: General
Topic: Should moderators redact sensitive info, and how much?
Replies: 49
Views: 3970

Re: Should moderators redact sensitive info, and how much?

Perhaps a sanitize option to the export command would be helpful.
by rplant
Mon Sep 18, 2023 3:36 am
Forum: Useful user articles
Topic: aggiornamento RouterOS v7.11.2 Aug/31/2023
Replies: 3
Views: 2189

Re: aggiornamento RouterOS v7.11.2 Aug/31/2023

Hi,

If you are talking about the routerboard firmware, probably should upgrade it.

Through winbox: system / RouterBOARD / upgrade

If it's an LTE modem, it looks to be separate.

For information try here.

https://help.mikrotik.com/docs/display/ ... areupgrade
by rplant
Sat Sep 09, 2023 1:32 pm
Forum: Wireless Networking
Topic: CubeSA 60Pro ac - kernel failure
Replies: 10
Views: 3736

Re: CubeSA 60Pro ac - kernel failure

This might be part of it.

CubeSA 60Pro WATER DANGER
viewtopic.php?t=189614
by rplant
Sat Sep 09, 2023 1:28 pm
Forum: Wireless Networking
Topic: hAP as Station?
Replies: 5
Views: 1804

Re: hAP as Station?

I tried dstnat port forwarding but couldn't get it to work.
You will need both dstnat and srcnat for the port forwarding.

So the IP address hitting the Tasmota is the ax3's IP address,
which it knows how to reply to.
by rplant
Thu Sep 07, 2023 11:26 am
Forum: General
Topic: Issue with Ring cameras & fasttrack
Replies: 5
Views: 1139

Re: Issue with Ring cameras & fasttrack

An option for matching address list can be something like the following: Use the route marking to match an entry in the rule table, which then matches an entry in the route table.
/ip firewall mangle
add action=mark-routing dst-address-list=myList new-routing-mark=ruleViaR2
/routing rule
add action=...
by rplant
Thu Sep 07, 2023 3:09 am
Forum: RouterOS beta
Topic: Why isn't macvlan support a priority for MikroTik?
Replies: 16
Views: 5967

Re: Why isn't macvlan support a priority for MikroTik?

/interface macvlan
add mac-address=CC:2D:E0:68:xx:xx name=ether1.macvlan1 parent=ether1
also
/ip dhcp-client
add add-default-route=no interface=ether1.macvlan1
Then on dhcp server I give it an alternate IP address.
add address=192.168.92.20 client-id=1:cc:2d:e0:68:xx:xx \
    mac-address=CC:2D:E0:68:xx:...
by rplant
Wed Sep 06, 2023 2:23 pm
Forum: RouterOS beta
Topic: Why isn't macvlan support a priority for MikroTik?
Replies: 16
Views: 5967

Re: Why isn't macvlan support a priority for MikroTik?

Adding a macVlan onto eth1 of a hex PoE seems to work, however fasttrack only seems to work in 1 direction.
From router towards upstream ok, downstream does not get fasttracked.
by rplant
Wed Sep 06, 2023 12:33 pm
Forum: General
Topic: hap ac2 bootloop, netinstall does not work, is this the end?
Replies: 11
Views: 2152

Re: hap ac2 bootloop, netinstall does not work, is this the end?

Hi, If you are doing netinstall to fix bootloop, you are probably using reset button to get it into netinstall mode. Which will almost always be using the backup bootloader, from the factory firmware. From the manual Note: You can also do the previous three functions without loading the backup loade...
by rplant
Mon Sep 04, 2023 7:46 am
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 125929

Re: v7.12beta [testing] is released!

Another option for 9k frames over wifi is to use eoip.
You can make its frame size big and it becomes fairly efficient when they are big.

Then perhaps a bit of bridge filtering/policy routing, so the larger frames go over the wifi via the eoip tunnel,
while the smaller frames don't.
by rplant
Wed Aug 30, 2023 9:23 am
Forum: RouterBOARD hardware
Topic: Equivalent for USW Flex - no MT alternative?
Replies: 13
Views: 4191

Re: Equivalent for USW Flex - no MT alternative?

Powerbox Pro (or its indoor brother, hex PoE)
will accept and start on 802.1af/t

And poe out can be forced on if you want passive poe out.

Do a search for GPOE-1-WM
for a passive gigabit poe splitter/injector which passes through the
voltage supplied (either splitting or injecting).
by rplant
Sat Aug 26, 2023 3:05 am
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 125929

Re: v7.12beta [testing] is released!

*) dhcp - fixed DHCP server and relay related response delays;

Caused me some grief, had it on Authoritative after 2 Seconds, and things other than windows no longer got an IP address.
by rplant
Wed Aug 23, 2023 1:37 pm
Forum: General
Topic: mAP (RBmAP2nD) supports a PoE camera on 2nd eth?
Replies: 4
Views: 1209

Re: mAP (RBmAP2nD) supports a PoE camera on 2nd eth?

https://help.mikrotik.com/docs/display/ROS/PoE-Out Indicates Mikrotik devices with PoE out support Overload and short circuit protection. Possibly also the switches safety circuit protection will trigger. Take care plugging non PoE devices into ether 2 of the map if it has PoE out turned on. (eg. Wh...
by rplant
Tue Aug 01, 2023 1:34 am
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 299
Views: 241421

Re: NEW FEATURE: Back to Home VPN

What would be the use case, sorry I don't get it
Similar use case to using your Relay Except closer to home. I have a CHR in a nearby data centre, and currently use a wireguard in wireguard tunnel to get back to home (CGNAT) with e2e encryption. It is not ideal on a number of points, but still bris...
by rplant
Mon Jul 31, 2023 12:43 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 299
Views: 241421

Re: NEW FEATURE: Back to Home VPN

Hi, Could you perhaps consider making a NAT helper for routerOS, that would make a router act as a relay like your BTH relay. That can be applied to a small number of UDP ports. Some maybe simplifications. Server connects via one port clients connect via another port. (does this make it simpler?) On...
by rplant
Sat Jul 08, 2023 8:19 am
Forum: RouterOS beta
Topic: Hex: No DHCP IP address acquired on WAN interface
Replies: 41
Views: 6323

Re: Hex: No DHCP IP address acquired on WAN interface

You could perhaps suggest to your ISP that they include a note indicating some/all? basic internet packets use priority tagged ethernet frames.
Might help others in future.
by rplant
Fri Jul 07, 2023 9:43 am
Forum: RouterOS beta
Topic: Hex: No DHCP IP address acquired on WAN interface
Replies: 41
Views: 6323

Re: Hex: No DHCP IP address acquired on WAN interface

04:38:11.021059 00:30:88:19:c2:af > 64:d1:54:??:??:??, ethertype 802.1Q (0x8100), length 346: vlan 0, p 6,
Hmm it does have a vlan, but for 0. Not quite sure what to do there, some Mikrotiks you can get the switch chips to remove vlan tags, not the Hex. I was thinking you could connect the ethernet ...
by rplant
Wed Jul 05, 2023 4:30 am
Forum: RouterOS beta
Topic: Hex: No DHCP IP address acquired on WAN interface
Replies: 41
Views: 6323

Re: Hex: No DHCP IP address acquired on WAN interface

Some of the ISP replies seem strange.

Why is it often sending to:
217.19.17.85.67 > 217.19.19.188

Does this unit have a static ip address on the interface?
(probably 217.19.19.188)

Perhaps remove it.
by rplant
Mon Jul 03, 2023 10:34 am
Forum: RouterOS beta
Topic: Hex: No DHCP IP address acquired on WAN interface
Replies: 41
Views: 6323

Re: Hex: No DHCP IP address acquired on WAN interface

From the original post - Connected both the WAN cable and the Hex to a managed Layer 2 switch (TP-Link TL-SG108PE): works
This seems very dubious, does an ordinary non managed layer 2 switch cause it to work? Maybe indicates some sort of interface stability issue? Maybe configure to run at 100M and ...
by rplant
Fri Jun 30, 2023 2:14 am
Forum: RouterOS beta
Topic: Hex: No DHCP IP address acquired on WAN interface
Replies: 41
Views: 6323

Re: Hex: No DHCP IP address acquired on WAN interface

Maybe you could attempt to get your openwrt client to send these additional options and see if it causes the dhcp to break and if so, That might be useful to send to Mikrotik Support. (And maybe also to your ISP) Perhaps easier. You could ask your ISP tech support and see if they can give you any in...
by rplant
Wed Jun 28, 2023 11:39 am
Forum: RouterOS beta
Topic: Hex: No DHCP IP address acquired on WAN interface
Replies: 41
Views: 6323

Re: Hex: No DHCP IP address acquired on WAN interface

Hi, Some thoughts: Try changing the Hostname/Identity of the router. Maybe they block devices named Mikrotik (due to some issues in the past with poorly configured devices) Looking at the Mikrotik dhcp client page, it says it requests a few options. But none of those listed are the CAPWAP-Server or ...
by rplant
Wed Jun 28, 2023 7:21 am
Forum: RouterOS beta
Topic: "Feature" request: Improve discovery (LLDP) compatibility with TP-Link
Replies: 1
Views: 2033

Re: "Feature" request: Improve discovery (LLDP) compatibility with TP-Link

While Mikrotik are looking into this :) I have a Xirrus AP, the Mikrotik seems to see it only with LLDP, while the Xirrus is also sending CDP. Also, the Xirrus provides a system description entry that is only visible from the CLI, not from winbox or webfig (Not sure how it should be displayed, perha...
by rplant
Fri Jun 23, 2023 2:12 am
Forum: RouterOS beta
Topic: Feature request: Link Flap Prevention and Dampening
Replies: 3
Views: 2447

Re: Feature request: Link Flap Prevention and Dampening

bfd dampening seems to be a thing, maybe that would be good.
by rplant
Tue Jun 20, 2023 11:45 am
Forum: RouterOS beta
Topic: Hex: No DHCP IP address acquired on WAN interface
Replies: 41
Views: 6323

Re: Hex: No DHCP IP address acquired on WAN interface

Hi, I had a look at the Tweak setup page https://www.tweak.nl/support/apparatuur-configureren.html , and for 2 of their setups, the internet uses vlan 34. You could add a vlan interface to ether1 with a vlan of 34, Make the new vlan interface a wan (Interfaces interface list) (leave ether1 as a wan)...
by rplant
Wed Jun 07, 2023 3:11 am
Forum: Announcements
Topic: v7.9.2 [stable] is released!
Replies: 72
Views: 26357

Re: v7.9.2 [stable] is released!

is a linux box still the only way to get the pub/priv keys needed to set up the WG connections? The guides are great but "go and find a linux box to find the keys" is just useless. If you create a wireguard interface and don't specify a private key, it will make one for you. (And shows yo...
by rplant
Fri Jun 02, 2023 8:35 am
Forum: RouterOS beta
Topic: Hex: No DHCP IP address acquired on WAN interface
Replies: 41
Views: 6323

Re: Hex: No DHCP IP address acquired on WAN interface

The following post is using a wireless wan, but maybe a similar issue https://forum.mikrotik.com/viewtopic.php?t=196619&sid=fbd589b9dcafdb9847c66eae441f371b#p1005601 What happens is that the client does get connected to the WiFi network, but sometimes the wireless interface does not go to the &q...
by rplant
Wed May 24, 2023 11:00 am
Forum: Announcements
Topic: v7.9.1 [stable] is released!
Replies: 59
Views: 18384

Re: v7.9.1 [stable] is released!

I don't suppose applying this CVE fix (only) to some (one??) of the versions people are currently having to roll back to is an option?
by rplant
Wed May 24, 2023 10:54 am
Forum: RouterOS beta
Topic: Can hAP Ax2 (rOS7) do routed client bridge and simultaneous VPN? And is there a guide?
Replies: 3
Views: 2446

Re: Can hAP Ax2 (rOS7) do routed client bridge and simultaneous VPN? And is there a guide?

1. Get Wan-wifi bridged to LAN ports.

Will likely give you grief.
There is currently no 4 address mode in wifi on ax2. And wifi bridging modes seem often to be somewhat proprietary anyway.

If you use the Wan Wifi as an ordinary wan (no bridge) with all clients Natted behind it, that should work ok.
by rplant
Thu Apr 27, 2023 10:48 am
Forum: Announcements
Topic: Newsletter #112 | April 2023
Replies: 66
Views: 12122

Re: Newsletter #112 | April 2023

I guess I rarely look at the announcements forum and had just assumed it would show up at the top of the other forums,
it doesn't really matter.
by rplant
Wed Apr 26, 2023 4:16 am
Forum: Announcements
Topic: Newsletter #112 | April 2023
Replies: 66
Views: 12122

Re: Newsletter #112 | April 2023

Hi,

Why is this announcement only in the announcements forum, and not in the announcements section of all forums?
Is it broken?
by rplant
Fri Apr 21, 2023 3:45 am
Forum: RouterOS beta
Topic: RDP Connection Dying
Replies: 57
Views: 32360

Re: RDP Connection Dying

UPGRADED (!) to RB4011 with Router OS 6.49.7, all same settings. STILL ISSUE >>>> RDP cannot connect via L2TP/IPSEC VPN "Remote Desktop can't connect to the remote computer for one of these reasons... 1) Remote access to the server is not enabled 2) The remote computer is turned off 3) The rem...
by rplant
Sun Apr 02, 2023 1:04 pm
Forum: RouterOS beta
Topic: Bridge to Wireguard interface [SOLVED]
Replies: 20
Views: 17296

Re: Bridge to Wireguard interface [SOLVED]

The following can be done and is usually near enough. The router hosting wireguard does not need to be the gateway. eg. Lan Using 192.168.0.0/24 Though if you are using a very common IP address range like above, you might want to consider renumbering your Lan. Note: The router needs an IP address in...
by rplant
Tue Mar 21, 2023 5:47 am
Forum: RouterOS beta
Topic: Routing mark and Os7 with two isp [SOLVED]
Replies: 10
Views: 4622

Re: Routing mark and Os7 with two isp [SOLVED]

Hi, Routing has changed a bit. Direct matching routes with routing table entries in the route table are used first. /ip route add check-gateway=ping [b]disabled=no[/b] distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=isp2 scope=30 suppress-hw-offload=no target...
by rplant
Sun Mar 05, 2023 10:13 am
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 140452

Re: v7.8 [stable] is released!

This update broke my containers because disk1 was automatically renamed to usb1-part1 for some reason, and then disk1 was automatically re-added, so the update corrupted all the paths.
You can rename the disks (change the name of the slot)
You may need the cli to do it though.
by rplant
Mon Feb 06, 2023 4:12 am
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 114245

Re: v7.7 [stable] is released!

Device: RB5009
Firmware : v7.7
Use case/ Problem:
Run Adguard Home as a container with RB5009...
Hi,
You can rename the slot (eg to Fit1 or something)
With luck it might stay the same.
by rplant
Tue Aug 16, 2022 7:26 am
Forum: Announcements
Topic: Newsletter 107
Replies: 50
Views: 26531

Re: Newsletter 107

No USB, so nice otherwise, why? :(

Maybe a soon to be released Plus version with USB and 802.3af PoE :)
by rplant
Sun Aug 14, 2022 6:07 am
Forum: Announcements
Topic: Re: v7.4.1 [stable] is released!
Replies: 99
Views: 32332

Re: v7.4.1 [stable] is released!

After upgrading from 7.1.5 to 7.4.1, routing through the second provider stopped working. Hi, Some things. /routing table add fib name=MARK-ISP2 /ip dhcp-client add default-route-distance=4 interface=ETH2-ISP2 script="/ip route set gat\ eway=\$\"gateway-address\" [/ip route find wher...
by rplant
Tue Jul 19, 2022 12:12 pm
Forum: RouterOS beta
Topic: 7.4rc2 container does not start after reboot [SOLVED]
Replies: 5
Views: 5035

Re: 7.4rc2 container does not start after reboot [SOLVED]

Hapac3, I made a small container that does fit into the flash, and it is restartable on reboot. it isn't running after reboot, but just needs a /container start 0 command. (Note: I had to create the docker directory before it would create the iperf container in it) Mikrotik maybe needs to delay cont...
by rplant
Sun Jul 17, 2022 8:30 am
Forum: RouterOS beta
Topic: 7.4rc2 container does not start after reboot [SOLVED]
Replies: 5
Views: 5035

Re: 7.4rc2 container does not start after reboot [SOLVED]

Hi,
Perhaps those boot up log messages are meaningful.
Maybe disk1 becomes available after the container initialization.
(Which fails because disk1 is not yet available)

Can you perhaps put the container, and mounts into flash rather than disk1 and see if it works through a reboot then.
by rplant
Sat Jun 11, 2022 5:22 am
Forum: Announcements
Topic: v7.3 and v7.3.1 [stable] is released!
Replies: 269
Views: 81346

Re: v7.3 and v7.3.1 [stable] is released!

Some thoughts and workarounds for new Routing What I think routing might now be doing (This is a guess and could easily be wrong) Step 1 (New Stuff) Does packet have a Route Mark/Table specified, and does a Route Exist in IP route tables which matches the destination address for the packet , and is...
by rplant
Fri Jun 10, 2022 2:25 am
Forum: Announcements
Topic: v7.3 and v7.3.1 [stable] is released!
Replies: 269
Views: 81346

Re: v7.3 [stable] is released!

I probably know what it is, and it's not you, it's RouterOS. I now tested it and it happened between 7.2.1 and 7.2.2. Previously if there were multiple routing tables, local destinations (addresses assigned to router) always had priority and used main routing table, but it doesn't happen anymore. S...
by rplant
Thu Jun 09, 2022 1:51 pm
Forum: Announcements
Topic: v7.3 and v7.3.1 [stable] is released!
Replies: 269
Views: 81346

Re: v7.3 [stable] is released!

"Routing marks now have higher priority", this is my config i hope you can give me some advice Hi, It's kind of complicated, but I did find the following. /ip firewall mangle add action=mark-routing chain=prerouting comment=International \ dst-address-list=!nice new-routing-mark=Cloudflar...
by rplant
Wed Jun 08, 2022 10:50 am
Forum: Announcements
Topic: v7.3 and v7.3.1 [stable] is released!
Replies: 269
Views: 81346

Re: v7.3 [stable] is released!

in ROS 7.3 it seem routing ignoring the routing rules ip, it routing mangle route first rather than routing rule ip, i am scratch my head now, is there anyone have tips for this kind problem Hi, Routing marks now have higher priority. One way to make rules work. Separate the route tables (routing m...
by rplant
Tue May 17, 2022 6:51 am
Forum: Announcements
Topic: v7.2.2 [stable] and v7.2.3 [stable] are released!
Replies: 401
Views: 82031

Re: v7.2.2 [stable] and v7.2.3 [stable] are released!

Routing Rules and Marking (maybe a fix) Some more stuff. It looks like if you have a routing table, and routing marks on packets for that routing table. The packets will go via that routing table, even if the destination IP is one of the addresses on the router. I assume to help Isolate VRF's better.
by rplant
Tue May 17, 2022 6:42 am
Forum: General
Topic: Problems with L2TP VPN with Mangle rules [SOLVED]
Replies: 9
Views: 2569

Re: Problems with L2TP VPN with Mangle rules [SOLVED]

Not sure,
but it looks like that if you route mark a packet that should go to the router, it will go via the specified routing table.

eg. if a packet destined for router ip address got marked with l2tv, it would get sent to Tadej