Hi, The following are my changes to the configuration. (Sorry, it is not a complete configuration, @anav is much better at this...) You will need to apply it slowly piece by piece. You will also need to remove your old multi bridge configurations. #xxx.yyy.zzz.11 <--> 10.11.0.0/22 [ether2] #xxx.yyy.z...
I tried your config, and it seemed to work ok. (I was connecting to another mikrotik) Also when plugged into the trunk it supplied the 3 ip ranges to the Mikrotik via vlans. Perhaps the devices you were connecting to had a firewall on them, and didn't like being accessed from another subnet. Or had...
Hi, As far as I can see the only usable LAN subnet you actually have is 192.168.88.0/24, and I think it likely should work. (It may need a specific NAT rule per @TheCat12) The other subnets you list and attach to bridges are all on the router only, and there is only a single active address for each ...
Hi, I know nothing about these, but my (only) guess is that it might have something to do with DHCP. Perhaps if it fails to get an IP it eventually stops asking, or something. Check none of the delay options are configured on the dhcp server. Set up a script/netwatch to periodically ping/arp ping on...
Probably doable using hw offloaded qos. https://help.mikrotik.com/docs/spaces/ROS/pages/189497483/Quality+of+Service Possibly special handlers already exist for multicast (and??) broadcast. Otherwise you can perhaps use switch rules to map the packets you want restricted to a specific traffic class....
I would like a refreshed version of the hap ac2. Pretty much exactly the same as current. Exactly the same case, PCB and components, except the RAM is replaced with a 256M unit, and the flash is replaced with a 32M unit. (Possibly by now cheaper than the current smaller devices) I would also like a (c...
I don't know that I can help further, but I found the following couple of posts elsewhere that you may have already seen. https://www.reddit.com/r/Starlink/comments/1eyndnu/high_packet_loss_in_bypass_mode/m672h96/ https://www.reddit.com/r/Starlink/comments/17h2f99/solved_issue_with_bypass_mode_slown...
I am quite possibly completely misunderstanding here, but anyway. I would imagine that 192.168.1.x on R1 would register for a particular multicast with its router. That Router R1 would then register for multicast with something closer to the source. The identity of the original requesting device won...
From winbox or webfig have a look at your wan/ether1 interface traffic. (traffic tab) Is it as expected? I would initially disable ipv6, because if it's sort of working but sort of not it can be painful. Once the network is working well with only ipv4, you can look at this further. You may need to discon...
Another slight possibility, I don't know if this will work at all, it depends a lot on the L3 switch. You could reconfigure the DHCP server on the 5009 to point the default route of the LAN network at the L3 switch IP Address. Then the devices would send their packets to the switch (for both interne...
Hi, A little off topic now maybe. I trialled a much simplified version of this system on a Hex (much slower/smaller), to verify some things I thought I knew... It turns out as mentioned by @lurker888, marking the packets as notrack does seem to mean they can't be fasttracked. (under ip settings you ...
I think one possible set of changes is likely to be: Add wifi2 to the bridge, and change its mode to "Station Bridge" Optional: You could/should also put a dhcp-client on the bridge if you don't have one on it already so the hapac2 also gets an IP address from the Audience. (if you have a ...
Hi, I think your current problem is that you are getting triangular routing. (which is probably why hardware offload is good, as it is likely not stateful) From Device on 192.168.1.x network to 10.0.0.0/8 likely goes from device to 5009 then to Switch then to 10.x.x.x device. (Hopefully often the 50...
You seem likely to have done all of this already but just in case... Remove sfp+ from bridge Give sfp+ an IP address, and switch port/vlan? at other end an IP address. Make the sfp+ interface a member of the LAN interface list. But if you need lots of gigs of intervlan routing, it isn't going to do ...
Hi, In 7.2.2(ish) the routing was changed, so that if you route mark a packet, and a matching route with that route mark exists in the route table it will use that route entry. It then processes the routing rules table, and finally the route table (again). Previously routing rules occurred first, an...
Hi, The CPU on the CRS317 isn't super fast. (eg. a hap ac2 is faster) See: https://mikrotik.com/product/crs317_1g_16s_rm#fndtn-testresults The commonly used value for routing performance comparison is 25 ip filter rules, 512 byte packets. However it does do some fairly good L3 hardware offloading, b...
Note however if you use something like an S+RJ10 in the sfp+ port,
it can negotiate 2.5G with the remote end while the sfp+ is running at 10G
(so Mikrotik thinks it is running at 10G), and it runs hot.
You will likely need some traffic shaping (queue) to limit outbound traffic to <2.5G.
I assume you are using one of the SFP+ to RJ45 adapters. The following has some info on the Mikrotik one. https://mikrotik.com/product/s_rj10 They have 2 versions, and the first version did not report the link speed correctly. I would not be surprised if many other brands also have very limited link...
Hi, The 2 subnets should already be connected, you don't need the add action=accept chain=forward comment="enable interconnect lan subnets" rule. You should be able to connect to the various devices in the other subnet. There may be a couple of issues. 1. You may be expecting to see these ...
Not sure. You may have already tried this. I would try using a separate ethernet interface for the wireguard connection into the 2nd router from the CCR. With an mtu of 1492, and different IP address range to the lan. You may need a routing rule to get the wireguard traffic to exit via this separate...
My Guess is that the devices on your LAN are receiving a packet from 192.168.100.1/24 and sending their reply back to the main gateway. (Which also doesn't know where 192.168.100.1/24 is) One simple(ish) option might be to masquerade packets leaving your Wap-ax with source address of 192.168.100.0/2...
My guess is that these devices are probably a bit like a ccr, with no default firewall rules except for a masquerade rule :( The following rules are for a hex, (they are usually all very very similar, except when they have none) And you should be able to copy and paste them in. I think they are quit...
The fact that logging has the option of a source IP address, and ignores it seems like a bug. Though it might be your config. (Given Wan interfaces usually have some sort of src-nat/masquerade) Do you have a src-nat rule for the wan interface that might apply in this case. You could put in a specifi...
IP Settings.
There are 2 items, the max neighbor entries and Arp Timeout
You could increase the max neighbor entries value or possibly decrease the Arp Timeout value.
(The current default Arp Timeout value appears to be 30s, I would not go below that)
A few points: The following assumes a config sort of based on default (for SOHO type routers, not CCR, etc which have no firewall rules). I am assuming you have nat. In this case an incoming connection on Wan1 must then also leave by Wan1. (Same for Wan2) Otherwise it just doesn't work. (Often true ...
Hi, The following was made on a hex, based on its default configuration. But should be applicable to many/most Mikrotiks. I removed all the firewall rules (so fastpath is active) Disabled all admin services except winbox Moved ssh and winbox access to a new vrf vrfAdmin, active on ether5. (So you ca...
It will block people/devices on the internet from attempting to login to your router. (Or using other services your router may provide, that you haven't provided a rule to allow) The default on a Mikrotik is to allow (input, and also forwarding), you should normally block access you don't specifical...
This kind of looks like what you would get, if your gateway was also a Mikrotik, and it had hairpin nat enabled for a SSH port forward/dst-nat connection to the internal router. (With attempted logins from inside)
Yes, drop by mac address doesn't work at the router stage. You could connect only the Reolink to a specific ethernet port on the router, and block based on port. You could give the Reolink a static lease from the DHCP server, and block based on IP address. (From winbox, go to ip dhcp server, the lea...
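The static lease plus IP based block described in the post, written out as an added example (not the poster's own config). The MAC address, the 192.168.88.50 address, the address-list name and the "defconf" DHCP server name are placeholders for your own values.

```routeros
# Added example, not from the forum post. Pin the camera to a fixed DHCP lease,
# then drop anything from that address heading for the WAN.
# MAC, addresses and the DHCP server name ("defconf") are placeholders.
/ip dhcp-server lease
add address=192.168.88.50 mac-address=AA:BB:CC:DD:EE:FF server=defconf \
    comment="Reolink camera (static lease)"

/ip firewall address-list
add list=no-internet address=192.168.88.50 comment="hosts that must not reach the internet"

# The drop has to sit above the default fasttrack / accept-established rules,
# otherwise an already tracked connection would be let through before it is reached.
/ip firewall filter
add action=drop chain=forward src-address-list=no-internet out-interface-list=WAN \
    comment="block no-internet hosts from WAN" \
    place-before=[find where comment="defconf: fasttrack"]
```

Two things to check afterwards: the lease must actually be handed out (ip dhcp-server leases should show the camera on .50, not on a dynamic address), and the rule counter should increase when the camera tries to phone home. A device that sets its own static IP can sidestep an address based block, so the per-port option the post mentions is the stronger one if the camera can be given its own ethernet port.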
If you have an interface that is not part of the bridge, but has an IP address on it, it will route using hw offload.
However if you have a vlan on this interface with an IP address on it, the vlan will use the CPU.
Perhaps try the following commands to see if L3 offload is not present somewhere. With 400+ routes, you might want to write it to a file, so you can examine it in a text editor or similar. /ip route print [file=somefilename] Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, o - OSPF, d - DHCP; H - HW-OFF...
I was thinking something like. /ip firewall nat add action=masquerade chain=srcnat comment="Nat lan to wan tvs" out-interface=VLAN_TVs You could also filter by src-ip address, or src ip address list. On review, I notice you have a bunch of bridges on this system. And assorted vlans connect...
I was thinking of something like. /queue type add kind=pcq name=pcq-upload-24 pcq-classifier=src-address pcq-dst-address-mask=24 pcq-src-address-mask=24 It just groups each /24 lan subnet together so the large upload machines get lumped together. On testing, you may find the pcq-upload-default works...
Hi, I changed the firewall filter rules, and while I still don't like them much, the ikev2 now should work. They appear to be based on a very old routeros version. The ipsec policy rules have to go above the fasttrack rule. (They seem to work below it when pinging things, but fail when actually tryi...
Perhaps time for: Thanks @mkx Open terminal window and execute /export file=anynameyouwish ... fetch resulting file to your management computer, open it with your favourite text editor, redact any sensitive information (such as serial number, public IP address, wireless PSK, etc.) and copy-paste it ...
If it's running v7, use a cake queue that should (hopefully) allow you to nearly fill the uplink, while also giving everything else in your network a bit of bandwidth rather than being starved out because of the fat upload.
ikev2 (ipsec) is well supported, and there are fairly good examples around. https://help.mikrotik.com/docs/spaces/ROS/pages/11993097/IPsec#IPsec-RoadWarriorsetupusingIKEv2withRSAauthentication This is more industrial, so perhaps less likely to be dropped. But if your ISP doesn't want you running VPN...
One possibility. Seems unlikely, but you do have a wanIP as an address list. If you have multiple wan interfaces, and the packet is coming in from one interface, and leaving via another (the wan interface with the lowest metric). This could occur. You would need to mark your packets (or similar) so ...
One other thought, (Somewhat more like my original thought) You could perhaps make a new pcq type queue, based on pcq-upload-default, but with a 24 mask. (So everything from 10.0.1.x will be counted together) Then back to no marking, and fast track allowed. The low rate lans will be prioritised over...
Sorry, I should read things a bit more thoroughly. Unfortunately, the 3011 seems to not be great under v7. Perhaps what you have will be good. Though I do not understand why you have a limit of 100M on the backup traffic. You will likely need to add all the packet marks to the parent (WAN-Shaper) so...
It would be very functional to be able to add a description for each connection that you save and thus identify more quickly to which mikrotik equipment I want to connect I am assuming you are speaking of the managed tab in winbox. In tools at the top, there is an advanced mode you can select, and a...
As a start, I would be inclined to just put a single cake queue attached to the WAN interface, to see how well (or not) it works. (With no packet marking for shaping) Set it up for 500M, and a bucket size of 0.005-0.01, (or your settings) and see how it goes. You will need to create a new queue type...
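The "single cake queue on the WAN, no packet marks" starting point from the post, as an added example (not the poster's config). It assumes ether1 is the WAN, bridge is the LAN side, and uses the 500M rate and 0.01 bucket size the post suggests; change those to your link.

```routeros
# Added example, not from the forum post. One CAKE queue type, attached to the
# WAN interface for upload and to the LAN bridge for download, no mangle marks.
# ether1 (WAN), bridge (LAN), 500M and bucket-size 0.01 are assumptions.
/queue type
add name=cake-wan kind=cake cake-bandwidth=500M cake-diffserv=besteffort cake-nat=yes

/queue tree
add name=wan-upload parent=ether1 queue=cake-wan max-limit=500M bucket-size=0.01 \
    comment="shape everything leaving towards the ISP"
add name=wan-download parent=bridge queue=cake-wan max-limit=500M bucket-size=0.01 \
    comment="shape everything leaving towards the LAN"
```

These are attached to interface parents rather than global, so they still see traffic the default fasttrack rule has taken out of the mangle path (simple queues would not, which is the point made in the RB3011 thread). Watch CPU in system resources while a speed test runs; if one core pins at 100% before you reach the max-limit, the box, not the queue, is the limit.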
Some possible options: If you make a custom interface list and add all the ports you want (but not the bridge) to this list, you can make ip discovery use this list and it will only target those ports. So no discovery on the ports missing from the list. Another option might be to use a switch chip r...
2. Yes and no Since the device is now a (dumb) switch it has no way to filter anything. The input firewall chain still works. However by default the bridge is a LAN interface and input is allowed from LAN interfaces, ie. All ports. (Input is disallowed from all except LAN interfaces) You can add (a...
Hi, I have added the following rules near the top of a default config. (after accept icmp) /ip firewall filter ... add action=accept chain=input comment="allow 500,4500 ipsec in" dst-port=500,4500 protocol=udp add action=accept chain=input comment="allow ipsec-esp in (no nat)" pr...
Hi, My observations: Actually wireguard in mikrotik does attempt to use the IP address that the incoming packet was sent to. Looking at the packet on the output chain is too late. It has already gone through the routing process, and had its ip address changed, probably also natted. If you use routi...
but am struggling to get an IP address on the wireguard peer much less an internet connection You have to setup the ip address on each peer manually. It is attached to the wg interface associated with that peer. wg interface <ip address> peer - allowed ip addresses peer - allowed ip addresses Stric...
Hi, My guess is that you need to run dhcp, so the ISP gets the MAC address of your router, so it can send packets to it. It may not use arp discovery, the dhcp mac address possibly gets recorded into the radius server, and that is where the router's packets get sent to. (I believe Mikrotiks do this...
Some thoughts. 1. Don't use L2TP at all, use wireguard, it's easier/better. (L2TP is slowly being discouraged) Wireguard: You only need 1 port. You usually don't have to fight much with the ISP router. You don't have to fight much with the client OS. Perhaps a little less good if you are somewhere wh...
Hi, I had sort of thought that auto-negotiation is a combination (max) of -The speeds the sfp port is capable of. -The configured auto-negotiate speeds in the ethernet tab. -The speeds that are advertised as acceptable by the sfp devices ROM. Though your experience seems to indicate otherwise. One p...
If you have some device/network in your control with a static ip address that you can login to these devices from, you can (as a short term solution) add this ip address to an address list in ip firewall. (eg. admin2) Then change the firewall rule that allows 8291 to only allow 8291 with src-address...
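The short term fix from the post (allow 8291 only from a known static address), written out as an added example that is not the poster's config. 203.0.113.10 stands in for the static address you control, and the rule comments match the MikroTik default config so place-before finds them.

```routeros
# Added example, not from the forum post. Management (WinBox 8291) only from a
# trusted source. 203.0.113.10 is a placeholder for your static address.
/ip firewall address-list
add list=admin2 address=203.0.113.10 comment="trusted management host"

/ip firewall filter
# accept 8291 from the list, above the default "drop all not coming from LAN"
add action=accept chain=input protocol=tcp dst-port=8291 src-address-list=admin2 \
    comment="winbox only from admin2" \
    place-before=[find where comment="defconf: drop all not coming from LAN"]
# and explicitly drop 8291 arriving on the WAN from anywhere else, so a later
# "allow" rule cannot accidentally re-open it
add action=drop chain=input protocol=tcp dst-port=8291 in-interface-list=WAN \
    src-address-list=!admin2 comment="drop winbox from untrusted sources" \
    place-before=[find where comment="defconf: drop all not coming from LAN"]

# belt and braces: the service itself can also be bound to allowed sources
/ip service
set winbox address=192.168.88.0/24,203.0.113.10
```

Add the rules from a session that is already on the LAN side, and keep a safe-mode session open while you do it so a mistake in the list does not lock you out. Check with /ip firewall filter print stats that the accept rule counts up when you connect from the trusted address.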
Hi, I am finding it difficult to understand what you are saying, but I will assume the mikrotik has 3 public ip addresses on it. And the incoming wg packets all come into the mikrotik via either the 2.249 or 2.253 interfaces but directed at the .210 address. Normally for this, I would use routing ru...
Hi, ikev2: If your hap lite is not the internet gateway, you will possibly need to put some sort of NAT on it, so vpn connections to devices on the local network get masqueraded. (The devices on the local network will likely try to reply to the main gateway rather than the Mikrotik). Otherwise, not ...
Another thought The arp table can get very big these days. There is an arp timeout value on interfaces and bridges. (Not defined by default) You could perhaps see how big your arp table is and see if it might be the problem. And see if setting the arp timeout to some value (seconds, minutes, hours, ...
Hi, I suspect it should be possible using VRFs. But I am not sure, and don't know how to, sorry. I had a trial of putting another mikrotik (a hex) in front of a similarly configured setup, and this appears to work ok. If your main router is a high end expensive CCR or similar, this is probably not...
Perhaps the following might be useful in this case. To make all packets go through the CPU first, and offload only the Fasttrack connections, disable l3hw on all ports but keep it enabled on the switch chip itself: /interface/ethernet/switch set 0 l3-hw-offloading=yes /interface/ethernet/switch/port...
Hi, I am not quite sure what you are asking, but here are some answers. The RB4011 is not powerful enough to route 10G (and doesn't have the ports to do it really) From the test results section of the RB4011 page: https://mikrotik.com/product/rb4011igs_rm#fndtn-testresults From these results the 512...
Sorry for the delay, forum didn't seem to work for me. /ip firewall mangle # (remove/disable this rule) add action=mark-packet chain=postrouting out-interface=ether1 new-packet-mark=shaped-packets passthrough=no /queue tree add name="WAN-Shaper" parent=ether1 packet-mark=no-mark max-limit=...
A few things. 1. The RB3011 isn't really fast. 2. It is quite a bit slower using Rosv7 3. You can't fast track simple queues. (not fast track is much slower) 4. You need to set a lower bucket size on the queues. You can show system resources and watch the cpu when you run traffic through the link. T...
Hi, A couple of things. I would put a routing rule like: add action=lookup comment="min-prefix=0, all except 0.0.0.0/0" disabled=no min-prefix=0 table=main before your existing routing rules. So only for traffic that needs to go via a default gateway will use Table_ISP1 or Table_ISP2. I wo...
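A full dual-WAN example built around the min-prefix=0 routing rule in this post and the "a connection that came in on Wan1 must leave by Wan1" point made in the earlier multi-WAN posts. This is added material, not the poster's config: ISP gateways 203.0.113.1 / 198.51.100.1, interfaces ether1 / ether2, the LAN subnets and the table names are all placeholders.

```routeros
# Added example, not from the forum post. RouterOS v7 dual WAN:
# - main holds both defaults (ISP1 preferred) for the router itself
# - LAN subnets are pinned to an ISP via routing rules
# - min-prefix=0 makes local/LAN destinations resolve in main first
# - connection marks send replies back out the WAN they arrived on
# All addresses, interfaces and table names are assumptions.
/routing table
add name=Table_ISP1 fib
add name=Table_ISP2 fib

/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 comment="ISP1 default in main"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 comment="ISP2 backup in main"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=Table_ISP1
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=Table_ISP2

/routing rule
# any route more specific than 0.0.0.0/0 (connected LANs, statics) wins here,
# so only internet-bound traffic falls through to the per-ISP rules
add action=lookup min-prefix=0 table=main comment="all except 0.0.0.0/0"
add src-address=192.168.10.0/24 action=lookup-only-in-table table=Table_ISP1
add src-address=192.168.20.0/24 action=lookup-only-in-table table=Table_ISP2

/ip firewall mangle
# remember which WAN a new inbound connection arrived on
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=from-isp1 passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=from-isp2 passthrough=yes
# replies from LAN hosts (port forwards) go back via the same WAN
add chain=prerouting in-interface-list=LAN connection-mark=from-isp1 \
    action=mark-routing new-routing-mark=Table_ISP1 passthrough=no
add chain=prerouting in-interface-list=LAN connection-mark=from-isp2 \
    action=mark-routing new-routing-mark=Table_ISP2 passthrough=no
# replies from the router itself (winbox, VPN endpoints) likewise
add chain=output connection-mark=from-isp1 \
    action=mark-routing new-routing-mark=Table_ISP1 passthrough=no
add chain=output connection-mark=from-isp2 \
    action=mark-routing new-routing-mark=Table_ISP2 passthrough=no
```

Two caveats a practitioner will hit: the default fasttrack rule skips mangle for established traffic, so connections that rely on these marks must be kept out of fasttrack (an accept rule with connection-mark=!no-mark above it, as described in the fasttrack posts in this thread); and lookup-only-in-table drops the packet if the chosen table has no route, which is what you want for "this subnet only ever uses ISP2" but not if you expect failover.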
Hi, From your listing. The 2 rules below are not required, the last filter rule will allow (actually let fall through to default allow) connections allowed by your dst-nat rules Rule: add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface="ether8[ISP]"...
You could check the ip route table with dhcp and static and see if there is any differences. I think your masquerade rule should have an interface (out-interface) on it. Presumably bridge1. Though perhaps only if it is coming from the 10.2.2.0/24 network. Not quite sure why you have ether1 attached ...
You do mention you have a gateway router. So does this router do the firewalling from the internet that your network requires. If so, the CRS354 may be ok. (Otherwise as @anav mentioned, a RB5009 in front might be good) In switch settings, you can enable L3 HW Offload for the switch chip. Then under...
Hi, It seems to work for me. Though having only 2 ip addresses in the dhcp server pools seems wrong. It could be the devices you are connecting to on the .200.x and/or 178.x vlans don't have the CRS305 as their default gateway. (eg. Not configured by the crs dhcp server) Could also be firewall rule...
Given the routers are fairly powerful. For the outbound traffic, you can probably attach some sort of queue to the sfp+ interface. Queues based on cake are usually easy, perhaps fqcodel might be better in this case but I am no expert on queues. (I have had success with red queues in the past) Set it...
Sorry, this isn't an answer, but the following may be worthwhile looking at. The following video shows a (fairly long) presentation on setting up something maybe similar (also on a 1036) using dhcp. From 2018 MUM in Melbourne, (unfortunately, there seems to be no printable version) https://www.youtu...
One thought. You need to do your bandwidth test between 2 devices with the switches in between them. eg. A fast desktop/laptop/server ideally with a 10G port on it, to another desktop/laptop/server with a 10G port on it. Perhaps easier, 1G ports to start with. When the bandwidth test is running thro...
Hi, Some comments: You have no firewall rules, so it should (if enabled) run in fastpath which is notionally faster than fasttrack. (I am kind of wishing there was a quickset that would apply a default set of firewall rules) These switches will do what I will call L3 switching, and do it really well...
Hi, It isn't indicated in your listings, but if the default fasttrack rule is in place, it will break marked packets. You could put an accept rule just prior to the fasttrack rule, with a connection-mark=!no-mark (Or add connection-mark=no-mark to the fasttrack rule) Your 2 dst nat rules are identic...
Rules look ok. Some guesses Does the mikrotik have the same internal ip address as the old router? Presumably .100 and .102 are set up with static ip configurations. Perhaps static arps have been configured somewhere Can .100 and .102 connect to the internet? Traceroute from these to 8.8.8.8 does it...
Hi, My guess(es) is that it might be something to do with Spanning tree, or more likely Vlan configuration. I would expect spanning tree to begin to work after a minute or so (worst case scenario) Perhaps the switch port you have plugged the router into is on a different vlan to the port the device ...
Normally Wireguard uses a private key and public key, where the public key is not wrapped in a certificate. Assuming a client/server type configuration. If the clients have a peer (the only one in client/server) with the server's public key, it will trust and can connect to the server with the corre...
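A minimal client/server WireGuard pair showing the trust model described in this post (each side holds the other's raw public key, no certificates) and the point from the earlier post that the tunnel addresses are set by hand on each peer. This is an added example, not the poster's config: the server's public IP 203.0.113.10, port 13231, the 10.10.10.0/24 tunnel subnet, the 192.168.88.0/24 LAN and both key strings are placeholders.

```routeros
# Added example, not from the forum post. Keys are placeholders: RouterOS
# generates the private key when the interface is created, and the matching
# public key is shown by /interface wireguard print. Addresses are assumptions.

# ---- server (public IP 203.0.113.10, LAN 192.168.88.0/24) ----
/interface wireguard
add name=wg-server listen-port=13231
/ip address
add address=10.10.10.1/24 interface=wg-server comment="tunnel address, set manually"
/interface wireguard peers
# only this public key may complete a handshake, and it may only use 10.10.10.2
add interface=wg-server public-key="<client-public-key>" allowed-address=10.10.10.2/32 \
    comment="laptop / remote router"
/ip firewall filter
add action=accept chain=input protocol=udp dst-port=13231 comment="wireguard from internet" \
    place-before=[find where comment="defconf: drop all not coming from LAN"]
/interface list member
add interface=wg-server list=LAN comment="tunnel treated as LAN; tighten later"

# ---- client (another MikroTik) ----
/interface wireguard
add name=wg-client
/ip address
add address=10.10.10.2/24 interface=wg-client comment="tunnel address, set manually"
/interface wireguard peers
# trusts exactly one server key; allowed-address is also the crypto-routing filter,
# so the server's LAN must be listed or packets from it are discarded
add interface=wg-client public-key="<server-public-key>" endpoint-address=203.0.113.10 \
    endpoint-port=13231 allowed-address=10.10.10.0/24,192.168.88.0/24 persistent-keepalive=25s
/ip route
# RouterOS does not add routes from allowed-address, so route the server LAN explicitly
add dst-address=192.168.88.0/24 gateway=wg-client comment="server LAN via tunnel"
```

If the client is behind NAT the keepalive is what keeps the server's return path open. A peer whose last-handshake in /interface wireguard peers print never updates almost always has a key pasted into the wrong side or a UDP port that is not reaching the server.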
I think this might be basically doable, so long as the ISP router can be configured with static routes on it. ie. 10.0.0.x/24 via 192.168.1.2 (the IP address I have assigned to the CRS) If a device on the main ISP LAN wants to connect to a device on your new LAN, it will send the packet to the ISP r...
You could perhaps try your iperf (I assume iperf3) with the -V and -M options.
Using custom/reduced MSS settings to see if it is perhaps something to do with reduced MTU at one end due to pppoe.
And add an appropriate mss adjustment rule if it helps
Hi, The tls auth thing is not a certificate. From: https://help.mikrotik.com/docs/display/ROS/OpenVPN OVPN client supports tls authentication. The configuration of tls-auth can be added only by importing .ovpn configuration file. Using tls-auth requires that you generate a shared-secret key, this ke...
Hi, From the MikroTik wired interface compatibility page. S+RJ10 devices Use these modules only in 10G SFP+ ports with auto-negotiation enable I am fairly sure the S+RJ10 devices need the SFP Port actually running at 10G (10.3G?) for the somewhat complex base T conversion electronics which likely ne...
Hi, I have found script diagnostics leave a bit to be desired. You can put something like: :log info "script scriptname starting" (perhaps also logging parameters if available) and perhaps a similar entry near the scripts exit point(s) With luck the most recent starting log entry will be a...
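The "log on entry, log on exit" pattern from the post, extended with an on-error handler so a failing step leaves a clear error entry instead of a silent stop. Added example, not the poster's script; the script name, the 192.0.2.10 target and the export file name are placeholders.

```routeros
# Added example, not from the forum post. Log start (with parameters), log
# success, and catch any failure so the last log line says which script died.
# scriptName, target and the export file name are placeholders.
:local scriptName "nightly-export"
:local target "192.0.2.10"

:log info ("script " . $scriptName . " starting, target=" . $target)
:do {
    # step 1: config export (hide-sensitive is the default in v7)
    /export file=("export-" . $scriptName)

    # step 2: reachability check; /ping returns the number of replies received
    :if ([/ping $target count=3] = 0) do={
        # :error aborts the :do block and lands in on-error below
        :error ("no reply from " . $target)
    }

    :log info ("script " . $scriptName . " finished ok")
} on-error={
    :log error ("script " . $scriptName . " failed; see the entries above this one")
}
```

Run it once by hand from the terminal (/system script run nightly-export) and read /log print where topics~"script" before trusting it in the scheduler; the scheduler runs with the permissions set on the scheduler entry, so a script that works interactively can still fail there for permission reasons, and that failure will now be logged rather than lost.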
Hi, I would suggest you start off with the default mikrotik config. Then Interface <ether1> contains <VLAN7> <pppoe-out1> is attached to <VLAN7> Enable dns client on <pppoe-out1>, (review settings of pppoe-out1) <dhcpv6-client> is running on <pppoe-out1> ** Changed ** <VLAN7> and <pppoe-out1> both m...
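The steps in the post (VLAN 7 on ether1, PPPoE on the VLAN, DHCPv6 client on the PPPoE session, both in the WAN list), written out as one added example on top of the default config. Not the poster's config: the username, password and the IPv6 pool name are placeholders.

```routeros
# Added example, not from the forum post. PPPoE inside VLAN 7 on ether1 with
# IPv6 prefix delegation over the session, on top of the default config.
# Credentials and the pool name "isp6" are placeholders.
/interface vlan
add name=VLAN7 interface=ether1 vlan-id=7

/interface pppoe-client
add name=pppoe-out1 interface=VLAN7 user="user@isp.example" password="secret" \
    add-default-route=yes use-peer-dns=yes disabled=no

# the PPPoE session and its carrier VLAN both count as WAN; the default
# masquerade rule (out-interface-list=WAN) and the default input drop then apply
/interface list member
add interface=pppoe-out1 list=WAN
add interface=VLAN7 list=WAN

# ask the ISP for a delegated prefix over the session, put one /64 on the LAN bridge
/ipv6 dhcp-client
add interface=pppoe-out1 request=prefix pool-name=isp6 pool-prefix-length=64 add-default-route=yes
/ipv6 address
add address=::1/64 from-pool=isp6 interface=bridge advertise=yes
```

If the session comes up but browsing stalls on large pages, that is the usual PPPoE MTU symptom (1492 instead of 1500); the RouterOS PPPoE client normally adds its own MSS clamp, so check /ip firewall mangle print for a dynamic rule before adding one by hand.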
Perhaps the following on the server /interface detect-internet set detect-interface-list=none /interface list member add comment=defconf interface="WG VPN" list=LAN You may want to eventually restrict it a bit more than giving it full LAN access, but in the short term... Client: Only if th...
If you do want full l2 connectivity, perhaps you should investigate ZeroTier
(which is supported by Mikrotik)
I have not tried it, but I believe it will do this.
Some thoughts. A rough outline of what I would do. To hopefully create an approximation to what you appear to want. (Sorry there will likely be errors in this) This assumes somewhere near default config of the Mikrotiks. With a LAN interface list. The 192.168.169.0/24 is broken up into a bunch of /2...
Hardware: Optical: If you can use prebought optical patch cables or DAC cables things are ok. As soon as you need to make stuff it gets very expensive for the tooling. And yes, copper cables are much more durable. But 10G copper seems to run very hot, so you need fan cooled switches, etc. dac cables...
Hi, You have the following rule before your allow dns to vlans. add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN Perhaps put all the input rules together and forward rules together. Sorry there may be other issues, that's just the one I s...
Not sure, seems like something dubious. One hack possibility (for tcp) might be to clamp the mss of your internal devices to 1452, while letting the outside devices stay at 1460. So your devices upload with shorter packets. /ip firewall mangle add action=change-mss chain=forward comment="clamp ...
Sorry, not much of an answer but. 2. The speed of the switch mostly does not depend on the type of router. However, broadcast and similar packets will likely cause slowdowns as they have to go to everywhere including the slow bits on the lan segment. Would recommend you minimise the number of slower...
You could try something like the following from the mikrotik, and see if it replies (and the size at which it stops) /ping size=1500 8.8.8.8 do-not-fragment And with luck some indication of where it stops. (You can also use /tool/traceroute with size and do-not-fragment) Note: Traditionally 8.8.8.8 ...
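The do-not-fragment ping test from the post, turned into a small script that finds the largest size that still gets a reply and derives the TCP MSS from it, followed by the clamp rule the earlier iperf post alludes to. Added example, not the poster's code; 8.8.8.8 follows the post, and pppoe-out1 as the WAN interface is an assumption.

```routeros
# Added example, not from the forum post. Probe PMTU with DF pings, then clamp.
# 8.8.8.8 is the post's target; pppoe-out1 is an assumed WAN interface.
:local target "8.8.8.8"
:local best 0

# /ping size= is the whole IP packet, so 1500 passing means a 1500 MTU path.
# Step 4 bytes from 1400 to 1500; /ping returns the number of replies received.
:for s from=1400 to=1500 step=4 do={
    :if ([/ping $target size=$s do-not-fragment count=1] > 0) do={ :set best $s }
}

:if ($best = 0) do={
    :log warning ("no DF ping to " . $target . " got through at all; path MTU is below 1400")
} else={
    # TCP MSS = IP MTU - 20 (IPv4 header) - 20 (TCP header)
    :local mss ($best - 40)
    :log info ("largest DF ping size " . $best . ", suggested MSS " . $mss)
}

# One-off config (not part of the probe): clamp SYNs leaving the WAN to the
# path MTU the kernel has learned, rather than a hard-coded number.
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=pppoe-out1 \
    protocol=tcp tcp-flags=syn passthrough=yes comment="clamp MSS towards WAN"
```

Because the probe only tests one target, run it against something close (your ISP gateway) as well as 8.8.8.8; a size that works to one and not the other points at a hop in between. The mangle add is included for reference and should be run once, not on every script run.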
The following has their tested items MikroTik wired interface compatibility https://help.mikrotik.com/docs/pages/viewpage.action?pageId=263749679 Pretty much all their 10G optical SFP's and Dac cables are indicated to work in an L009 (in forced 2.5G mode). For low power/temperature/cost You could us...
Perhaps something like the following in the central router. /ip firewall filter #existing rules ... #following rules just before existing invalid rule. #(Put them in via terminal, then move them using winbox/webfig) add action=accept chain=forward comment="allow traffic between wg and lan"...
My guess: assuming the internet gateway is a Mikrotik and is using something similar to the default config, asymmetric routing might be the issue. Wg -> Lan Device and Lan Device -> MainGateway -> Wg If it is this, there are at least a couple of options: 1. On the WG mikrotik enable masquerade...
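The two ways round the asymmetric path described here and in the earlier "wap-ax" and "hap lite is not the gateway" posts, as an added example (not the poster's config). It assumes the WireGuard router is 192.168.88.5, the main gateway is 192.168.88.1, the tunnel subnet is 10.10.10.0/24 and the gateway is a MikroTik with default-style rules; change to suit.

```routeros
# Added example, not from the forum post. The WireGuard router (192.168.88.5)
# is not the LAN default gateway (192.168.88.1). Addresses are assumptions.

# Option 1, on the WireGuard router: masquerade tunnel traffic towards the LAN.
# LAN hosts then see 192.168.88.5 as the source and reply straight to it, so the
# main gateway never sees half a connection. Downside: LAN logs show .5, not the client.
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.10.10.0/24 out-interface-list=LAN \
    comment="hide wg clients behind this router's LAN address"

# Option 2, on the main gateway (keeps real client addresses): route the tunnel
# subnet back to the WireGuard router, and accept the reply-only flows before
# the default "drop invalid" rule, since conntrack there only ever sees one direction.
/ip route
add dst-address=10.10.10.0/24 gateway=192.168.88.5 comment="wg clients live behind .5"
/ip firewall filter
add action=accept chain=forward in-interface-list=LAN dst-address=10.10.10.0/24 \
    comment="asymmetric: only the reply direction passes here" \
    place-before=[find where comment="defconf: drop invalid"]
```

Option 1 is the one to try first because it touches only the VPN box and needs no change on the gateway; option 2 gives you real source addresses at the cost of stateless handling on the gateway for those flows (and ICMP redirects, which most hosts ignore). Pick one, not both.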
It looks like the CRS310 won't do nat or fasttrack connections in hardware, so mostly good for inter vlan routing maybe using some access lists, much less good as an internet gateway, with Nat, Stateful Firewalling, etc. https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOff...
Hi, I would also include the first routing rule below. It allows devices on your wifi subnet to connect to other local devices, and only internet bound traffic goes via the vpn. (Order matters, put it before the other rule) Note: If using winbox, you likely should have still been able to connect to ...
You need two or more different VLANs on the hex. The hex needs to have an IP address assigned to it for each vlan. The devices on each vlan need to have the hex as their default gateway. (Alternatively each vlan's default gateway/router could have a static route for the other vlan(s) pointing to th...
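What the post describes (two VLANs, an address on the hEX in each, the hEX as gateway and DHCP server for both) on a hEX running the default config, as an added example that is not the poster's config. VLAN IDs 10/20, the 192.168.10.0/24 and 192.168.20.0/24 subnets and the port assignments are placeholders.

```routeros
# Added example, not from the forum post. hEX with the default config (ether2-5
# already in "bridge"). ether2 becomes an access port in VLAN 10, ether3 in
# VLAN 20; the hEX routes between them in the CPU. IDs and subnets are assumptions.
/interface bridge port
set [find interface=ether2] pvid=10
set [find interface=ether3] pvid=20
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge untagged=ether3

# router-side VLAN interfaces hang off the bridge itself
/interface vlan
add name=vlan10 interface=bridge vlan-id=10
add name=vlan20 interface=bridge vlan-id=20
/interface list member
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN

# one address per VLAN: these are the default gateways handed out below
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20
/ip pool
add name=pool10 ranges=192.168.10.100-192.168.10.200
add name=pool20 ranges=192.168.20.100-192.168.20.200
/ip dhcp-server
add name=dhcp10 interface=vlan10 address-pool=pool10 disabled=no
add name=dhcp20 interface=vlan20 address-pool=pool20 disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# switch filtering on last, from a port that stays on the untagged default VLAN (ether4/5)
/interface bridge
set bridge vlan-filtering=yes
```

With both VLAN interfaces in the LAN list the default forward chain lets the two subnets talk to each other freely; if the point of the split is isolation, add forward drops between vlan10 and vlan20 above the default rules. Enable vlan-filtering from a safe-mode session, because a wrong pvid on the port you are connected through disconnects you.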
If the mesh router has the option to disable its dhcp server, you could do that.
Then plug the mikrotik's LAN port into one of the lan ports of the router, and see if devices connect to the Mikrotik.
(You may need later to change the ip address of the mesh router as well)
You have to ensure that the appropriate packets don't go via fasttrack. Either by having an accept statement for these packets prior to the fasttrack rule or by disabling the fasttrack rule. One possible option (just prior to fasttrack rule) add action=accept chain=forward comment="accept estab...
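The accept-before-fasttrack rule from this post and from the earlier "default fasttrack rule will break marked packets" post, written out as an added example (not the poster's config). It relies on the default rule comment "defconf: fasttrack" being present; the marked connections themselves come from whatever mangle rules you already have.

```routeros
# Added example, not from the forum post. Keep marked connections out of
# fasttrack so mangle marks and queue trees keep applying to them, while
# everything unmarked still gets fasttracked.
/ip firewall filter
add action=accept chain=forward connection-mark=!no-mark connection-state=established,related \
    comment="marked connections bypass fasttrack" \
    place-before=[find where comment="defconf: fasttrack"]

# Equivalent alternative: narrow the fasttrack rule itself instead of adding one
# (use one approach or the other, not both).
# /ip firewall filter set [find where comment="defconf: fasttrack"] connection-mark=no-mark
```

Verify with /ip firewall connection print: connections carrying your mark should no longer show the F (fasttrack) flag, while ordinary traffic still does. Expect the marked flows to cost noticeably more CPU, since that is exactly what fasttrack was saving.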
Hi, A couple of points, The screenshot doesn't really show what you are doing. Mikrotik doesn't do hairpin nat by default, so it might work from outside but not from inside your network. You could open a terminal window (from webfig, up the top near rhs), and export the entire config, or just the fi...
In another thread @mkx mentioned that adjust mss will probably not work if the connection is fasttracked.
You could try and disable the fasttrack rule briefly.
Likely you are going to have to go for a ccr with at least 1 SFP+ port, and perhaps 2. eg. CCR1036-8g-2s+ if you can find one. Then how does your ISP provide you with 2Gbe, it seems like a non-standard value. If over a 2.5Gbe ethernet connection, none of the CCR 10xx series supports this directly. Y...
A problem is that out of your switch, every port has both the tagged and the untagged vlans coming out of it and going into it. One Possible option would be to make vlan 1 something else other than 1. eg. 10 Then you could have vlan 20 as the untagged vlan, and vlan 10 as the tagged vlan going to th...
A possibility is to split the pairs and run it over a few meters, it will give lots of crosstalk and poor performance, but whether it is enough I don't know. eg. Pairs 1,4 2,3 5,8 6,7 or 1,3 2,4 5,7 6,8 (Cable terminated same at both ends) The cables will test as a simple straight cable (with a very...
As a switch it will have plenty of speed between your devices. However connections to the internet via your ISP will need routing with firewalling and presumably Nat. For 2.5G you will need a reasonably powerful router performing this task. If your ISP provided a router you can use it for that task ...
Yes, you could have used the wireless package, and the map could then connect in station bridge. Wifi package does have some niceish features though. Other options: Use Station-Pseudo bridge mode. Ok when it works, need to turn off RSTP. If you go this way and it's not behaving it is worth searching...
Yes,
If you use poe as an alternate power source, it must be passive/forced on poe or the Mikrotik may lose power when main/other power is lost. (Usually briefly but...)
A couple of options. 1. Reset the mikrotik with no default config, (but perhaps keep users), and then try to import the file. 2. Open the file in notepad or similar and copy and paste a section at a time into the terminal. You might be wise to compare the current default config to the config you wan...
I think documentation means devices with version 7 factory firmware, but less than 7.6 get upgraded to a v7.6 factory firmware with protected router boot function. Devices with older (v3, v6) factory firmware get an updated factory firmware (not v7) which has the new protected router boot function. ...
You could set it up with the CRS317 as the gateway for both VlanA and VlanB The CRS ROUTES packets from vlanA and vlanB to the router. (and between vlan A and vlan B) No firewall rules needed on CRS for internet traffic, so should be L3HW offloaded, (with very few if any ACLs) Rules/ACLs, mostly fo...
A couple of thoughts, The following statement doesn't really seem helpful given your current results, but anyway: Mikrotik doesn't by default do hairpin Nat (you need to add the appropriate src-nat rule), so if you are testing from inside your network it will likely not work. You could download tcpr...
Hi,
License wise:
Not sure there is a limit for raw ipsec.
There is a 500 user one for l2tp.
However, the processor on the RB2011 doesn't do ipsec hardware encryption, and does not have much RAM.
So really only a couple maybe. You would be better off with wireguard with the 2011.
When a road warrior client from router 1 is connected it can not reach ip's behind the nat of router 2 (which is possible from within router1 main network (and the other way around). Assuming there is no NAT going on. (ie. The packet from 192.168.35.1 reaches device on router 2 as being from 192.16...
Hi, I think you could start by checking the counters on the dst-nat rules, and see if they increment. (They happen early in the firewall) Typically they will only increment once for each new connection. If they are incrementing, you need to check the 10.0.0.39 (I assume nginx) Perhaps if not increme...
Fair enough, Perhaps your option 2 would be a good option, you then effectively have a site to site tunnel, and can tunnel whichever clients you want. Option 1 is doable and will most times be fairly well upgraded. However it is not perfect. (Make a script export and a normal backup onto external st...
You can run your eoip or other tunnel inside wireguard. Though I would perhaps attempt to set up ipv6 and associated routing on the Mikrotik manually, using one of the /64's. You would maybe need to somehow mark the prefix as used though, so the VPS does not try to reuse it. You might need to put (n...
Beep twice usually means it thinks it is ready to start running. You could try connecting to it via wifi, it may have some mikrotik-XXXX ssid with no password. If it is similar to a map/wap, then Wifi is often the only way to connect to this type of device when factory defaulted, but usually the eth...
It sounds like you are trying to restore a binary backup file to a new router. That rarely works :( You could search your hard disk for .rsc script files. If you can login to the old one at all (though it sounds unlikely), do a /export, stick it onto your laptop, and manually carefully copy the conf...
I tried it running with 6.49.13, and that was much improved.
Unfortunately doesn't have the cake queues, but the other queues I tried
seemed to handle 1G ok.
CPU still seemed to be largely locked to 1 core, and still needed multiple streams
or large window to get to 1G ish.
I had a try with some of this, just to a local iperf3 server. So very little latency unlike over the internet. I found I had to disable the queue tree for best performance. To hit near a gig download I had to have a large window size, or multiple streams. Perhaps partly a limitation of the iperf3 se...
Hi, It seems unlikely to be good for a 1G connection, Apparently a single connection will only use 1 core. (To reduce out of order packets) From: https://mikrotik.com/product/RB3011UiAS-RM#fndtn-testresults The commonly used 25 IP filter rules, and 512 byte packets lists 452Mbps. Your actual perform...
Yes, there have been many many sfp fixes, and complaints of devices that used to work that no longer do. You could install the latest betas at both ends (including updating routerboot), and assuming it is still not working, create a supout.rif and send it to support at mikrotik.com. The -40dB is a wor...
I gain the impression that the S+RJ10 still runs quite warm, as its backend has to be run at approx 10.3G
(whether connected on the RJ45 side at 1G, 2.5G, or 10G)
While an actual 2.5G unit's backend runs at 2.5G (* 10/8).
(Whether connected on the RJ45 side at 2.5G, 1G or lower speeds)
I found out empirically that if you turn off the interfaces and peers on both routers for 10-15 minutes and then turn them on, everything works. I think I have seen something similar in the past, if you turned off the wireguard interface and then turned it back on fairly soon after. It didn't se...
Sorry, don't know. However I would turn off the persistent-keepalive on router-B. Perhaps trying to connect back to the IP/Port it was last connected to is doing something. Also, you can check the counters on the firewall rule on Router-B, and see if packets are actually getting in, enable logging ...
Usually means you have overlapping allowed addresses on your peer configurations. This is an error. If this what you actually need and want, (eg. you want to use ospf to the peers and route via the ospf chosen link, etc) You need to have multiple wireguard interfaces with one (overlapping) peer per ...
Hi, I have a dhcp-client script that changes some of the routes. /ip dhcp-client add default-route-distance=70 interface=ether2 script="/ip route\r\ \n:if (\$bound = 1) do={\r\ \n set [find where comment~\"altgw\"] gateway=\$\"gateway-address\"\r\ \n}" I also find it be...
Perhaps get a hap ac2 as a gateway router in front of the switch at the home end.
Then you can have hardware offloaded ipsec at both ends if you want that.
Or wireguard. (I like wireguard, but hardware offloaded ipsec can be quite fast)
So it is not possible if the peer is on dynamic IP? Yes, You can look at the ipsec setup created when you add ipsec to the ipip tunnel and make something similar. But I think ipip requires a fixed address at each end anyway. You could possibly use an ikev2 tunnel, (where the client can get a fixed ...
You could try attaching a queue onto the LAN ethernet port you are using and see what that does. (ether2...) Make a new queue type using cake, probably near default. Create a new queue, (Queue tree) with your new queue type, attach with parent as ether2, and set with a max limit of 1G. Assuming you ...
Not sure, but possibly if you do that, it can't tell the remote end (client) what the server end IP address is. This usually doesn't matter, except perhaps if you want to ping the server from the client. (I don't know that windows likes it much though) There are a couple of places to set up the loca...
You can get GPON ONU sfp modules. However you would need to get the ISP, or their wholesaler to agree to you using the 3rd party module. You would need to provide them with some information about it, perhaps its mac address and/or serial number, not sure. They can then add the ONU information onto t...
I assume the ISP's router is doing NAT? Or is it handing the IP address off to the Mikrotik in some fashion? If the ISP router is doing NAT, it will also need a port forward (likely to the Mikrotik, possibly direct to the web server). The web app server needs to know it is running on port 8080, or more u...
You can set both the wireguard and eoip mtu's to 1500, it becomes less efficient as the larger packets are fragmented, but they get rebuilt at the endpoint. Perhaps set the eoip mtu to 1500 and leave the wireguard one at 1420 (1420 assumes no pppoe). An alternative, you can use a mangle rule to do m...
Hi, Assuming a near default mikrotik configuration. I will make ether2 the second port. You need the ip address and netmask of the Zyxel. Using winbox (or webfig) From Bridge, Ports tab Remove, or disable the ether2 entry from the default bridge. From ip/address, create a new ip address in the same ...
Assuming near default Mikrotik configuration. Likely option is you need to make the openvpn client interface on the Mikrotik a member of the LAN interface list. The following seems likely already done, you need to have routes on the Asus telling it the mikrotik lan network IP's are via the openvpn c...
Hi, Check the counters on the following rule. /ip firewall filter add action=accept chain=input comment=Wireguard dst-port=54321 protocol=udp If when you try to connect via mobile, it doesn't increment at least the once it cannot work. You could try changing the port. Other things to check (Once the...
Hi, I have seen a post for something maybe similar, where the solution was to make the queue on ether1 a multi-queue-ethernet-default queue. (Assumes ether1 is internet) (Maybe you could try multi-queue-ethernet-default on the other interfaces as well) If this doesn't help: You could perhaps experim...
There have been other questions about the 10GTek device, perhaps this might help. https://forum.mikrotik.com/viewtopic.php?p=1067590#p1067590 I have not used this sfp module, (or the css switch), but I find on their routers, using 1G base X is a good choice for connectivity. Also there have been a l...
Hi The following has the list of devices with assorted compatibilities, including 2.5G https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility It doesn't (currently) list the CCR2004-16G-2S+ as being compatible with 2.5G, but does have a different CCR2004 device listed. The...
Hi, For not double NAT. If you can change the ISP router, you may be able to add a static route to it. 192.168.88.0/24 via 192.168.1.2 Then from anav's config, change all the WAN interfaces to LAN and let the ISP router pretty much do all the Natting and external firewalling. /interface list members...
Another thought, perhaps there is some queues configured. I trialled a basic gre tunnel from a 4011 to a hap ax3, Edit: was incorrectly fast path (all fast track and about 2 meters of cable), and tested a bidirectional btest over the gre link at 300M in both directions from my PC through the 4011 (g...
Your mtu of 1476 on the at&t service seems highly dubious. I believe the default MTU for at&t it is 1500. (But I could easily be wrong) 1476 matches the normal mtu of a gre tunnel. (Inside a normal 1500 mtu ethernet connection). Then also 1420 seems odd, (looks maybe like an mtu for ipsec en...
One possible option: Configure the router with a separate /32 subnet and interface with device A plugged into it. (Assuming router described is Mikrotik, Probably just remove ETH1 from the bridge) This subnet/interface is added as a member of the LAN interface list. (And removed from WAN interface l...
Hi, I thought about this for a while. It would be easy enough to run 2 VLans through from the hap ax2 to a managed switch or other Mikrotik at the gpon end, and then another cable from there to the TP-Link (or if that cable is also not possible, yet another managed switch at the TP-Link location. Ho...
Example basic setup, my thoughts NOTE: ** I have no experience with CRS so consider with care ** vlan2 + 192.168.2.1 -- Other Devices on vlan2 | TPLink 192.168.1.1 - vlanbase - CRS 192.168.1.2 -- Other Devices on vlanbase | vlan3 + 192.168.3.1 -- Other Devices on vlan3 TPLink (or other suitably powe...
USB Sticks: for container store, general storage, Dude storage
Ethernet Adapters (some): Additional ethernet port
Serial port adapters (some): Terminal access, Remote Serial port facility
Discontinued Woobm (wireless USB serial port) was kind of good, could get you out of trouble when you locked yours...
Assuming something near a default configuration I would create a new bridge, perhaps call it bridgewan2, turn off rstp on this new bridge. It is only to hold ip addresses. /interface bridge add name=bridgewan2 protocol-mode=none Create a new IP address on this bridge 155.133.35.203 network 155.133.3...
Hi, https://mikrotik.com/products/group/ethernet-routers I think an RB5009 would likely do what you need. Or scroll down for faster, better performance, more features. Probably skip the RB1100A's, as they are an older generation, similar to the RB4011 but with more storage. Presumably you are going ...
Some thoughts: It looks like you are not using ipsec, is this correct? From windows, you need to subtract 28 from your length of ping, (Windows makes the data in the packet that big, then has 28 bytes of IP header on top). So for a 1500 byte mtu, ping -f -l 1472 51.x.x.232 If the MTU the router thin...
I would assume that this is displaying the information from ip firewall connections. (but could easily be wrong) Another option is the kid control which will apparently give statistics. Unfortunately I have not used it. Also you can create (with a script), a bunch of simple queues, one per LAN IP ad...
Cool, On review, I have some reservations about the following though /interface bridge vlan add bridge=bridge1 tagged=bridge1,ether3,ether4 untagged=\ ether2,ether5,ether6,ether7,sfp-sfpplus1 vlan-ids=10,20,30,40,50 I think you should remove the untagged= section. I am fairly sure the pvid=10 on the...
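Added example, not part of the post above: a bridge VLAN layout of the kind the post discusses, with access ports defined by pvid only and no static untagged= list, so that each access port appears as a dynamic untagged member of exactly its own VLAN. Assumed (not from the post): ether3 and ether4 are trunks, ether2 is an access port in VLAN 10 and ether5 in VLAN 20, and the router is managed on VLAN 10.

```routeros
# Added example, not the poster's configuration. Assumptions: bridge1,
# trunks ether3/ether4 carrying VLANs 10-50 tagged, access ports ether2
# (VLAN 10) and ether5 (VLAN 20), management address on VLAN 10.
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port
# Trunks: only accept frames that already carry a VLAN tag.
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged
add bridge=bridge1 interface=ether4 frame-types=admit-only-vlan-tagged
# Access ports: pvid tags untagged ingress frames, and RouterOS adds the
# port as a dynamic untagged member of that VLAN. A static untagged= list
# is therefore redundant, and wrong when one list is applied to several
# vlan-ids at once, because it would make every listed port untagged in
# every one of those VLANs.
add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether5 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged
/interface bridge vlan
# Only the tagged members are listed; untagged membership comes from pvid.
add bridge=bridge1 tagged=bridge1,ether3,ether4 vlan-ids=10,20,30,40,50
# The router's own L3 presence, on the management VLAN only.
/interface vlan add name=vlan10 vlan-id=10 interface=bridge1
/ip address add address=192.168.10.1/24 interface=vlan10
# Inspect before enabling filtering: rows flagged D are the dynamic
# untagged memberships created from the pvid settings.
/interface bridge vlan print
# Enable filtering last, while connected through a VLAN 10 port, so a
# mistake above cannot lock you out of the router.
/interface bridge set bridge1 vlan-filtering=yes
```

With vlan-filtering enabled, a host on ether5 (VLAN 20) can no longer reach the management address on VLAN 10 unless the router explicitly routes and permits it, which is the isolation the layout is for.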
It feels like an MTU/ mss issue. Can you ping the remote end with 1400 byte packets over the link. /ping something-at-other-end-of-tunnel do-not-fragment size=1400 You could add some mangle rules to change the mss of tcp syn packets that leave or enter router using the IKEv2 policies. (1360 seems co...
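Added example, not part of the post above: the path check and the MSS-clamping mangle rules the post describes, using RouterOS's ipsec-policy matcher so only traffic that is actually encrypted or decrypted by the IKEv2 policies is touched. Assumed (not from the post): a host 10.20.0.10 behind the remote end to ping, and the 1360-byte MSS the post mentions.

```routeros
# Added example, not the poster's configuration. Assumed: IKEv2 traffic is
# selected by IPsec policies on this router; 10.20.0.10 is a host at the
# far end; 1360 is the MSS the post suggests.
# 1. Check the path with DF set and a 1400-byte payload. If this fails but
#    a smaller size works, the problem is MTU/MSS, not the firewall.
/ping 10.20.0.10 do-not-fragment size=1400 count=5
# 2. Clamp the MSS on TCP SYNs in both directions. out,ipsec matches
#    packets that are about to be encrypted, in,ipsec packets that have
#    just been decrypted. Both are needed because each side of a TCP
#    connection advertises its own MSS.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn ipsec-policy=out,ipsec \
    action=change-mss new-mss=1360 passthrough=yes \
    comment="MSS clamp towards IKEv2 peers"
add chain=forward protocol=tcp tcp-flags=syn ipsec-policy=in,ipsec \
    action=change-mss new-mss=1360 passthrough=yes \
    comment="MSS clamp from IKEv2 peers"
# Alternative to a fixed value, derived from the interface MTU:
#   action=change-mss new-mss=clamp-to-pmtu
# 3. Verify: each rule's counter increases once per new TCP connection.
/ip firewall mangle print stats where comment~"MSS clamp"
```

The default configuration accepts ipsec-policy traffic in the forward chain before the fasttrack rule, so these mangle rules still see the SYNs; if that ordering has been changed, fasttracked connections bypass mangle and the clamp silently stops working.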
You can put your outbound queue on ether1, and your inbound queue on bridge.
Then you should be able to fasttrack it.
You probably need to set the bucket size in the queue to 0.01 (or maybe less)
Also need to add no-mark and all other packet marks you use to these two queues.
Hi, I assume you are using 1G baseX at both ends. Auto negotiation turned off. It should work, all parts have been tested from here: https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility You may need to upgrade your routeros and routerboot if you haven't already, (probabl...
If using ipsec, possibly worth looking at the installed SA's and check it is using hardware encryption. /ip ipsec installed-sa print Flags in the second column, H for HW-AEAD Also your dst-nat rule, perhaps restrict it to in-interface=gre-2 The mangle rule, forces all packets from the specified addr...
Yes, I like your diagram, what did you use to make that? One relatively simple option is to put the lte device onto the vlan 10 IP range, (no dhcp server enabled on lte device). Eg. 192.168.1.10/24 Then put a src-nat firewall rule onto the Router for all traffic going to 192.168.1.10 And a default r...
The brass fold down tab is likely to lock the rj10 device into the sfp slot.
If you can pull the rj10 out of the slot without unlocking the tab you need to move it
to the locked position.
Seems unlikely to be the issue with the ethernet cable coming out.
Perhaps try another ethernet cable.
Note:
If your client is a Mikrotik or other router, you will likely need to add some static routes into it.
Ordinary clients will automatically set up routes from the allowed ip settings.
If your server is on the 192.168.88.0/24 range Try to ping 192.168.88.1 from your wireguard client. If this doesn't work, 192.168.88.0/24 likely needs to be added to your wireguard client configuration. When this is working, try to ping your server from your wireguard client. If this doesn't work: T...
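Added example, not part of the posts above: a MikroTik-to-MikroTik WireGuard setup that puts together the points from the Wireguard firewall-counter post and the note about router clients needing static routes, followed by the checks in the order the posts suggest. Assumed (not from the posts): server LAN 192.168.88.0/24, tunnel 10.10.10.0/24, client LAN 192.168.20.0/24, server reachable at vpn.example.net on UDP 54321; the keys are placeholders.

```routeros
# Added example, not the posters' configuration. Assumed values:
#   server LAN 192.168.88.0/24, tunnel 10.10.10.0/24 (server .1, client .2)
#   client is another MikroTik with LAN 192.168.20.0/24
#   server reachable at vpn.example.net UDP 54321; keys are placeholders

# ---- server ----
/interface wireguard
add name=wg0 listen-port=54321 mtu=1420 \
    private-key="SERVER_PRIVATE_KEY_PLACEHOLDER"
/interface wireguard peers
# allowed-address is also the source filter for incoming decrypted
# packets: the client's LAN must be listed or its traffic is dropped.
add interface=wg0 public-key="CLIENT_PUBLIC_KEY_PLACEHOLDER" \
    allowed-address=10.10.10.2/32,192.168.20.0/24
/ip address add address=10.10.10.1/24 interface=wg0
# Return route to the client's LAN; a phone client would not need this.
/ip route add dst-address=192.168.20.0/24 gateway=wg0
# Treat the tunnel as LAN so the defconf input/forward rules apply to it.
/interface list member add interface=wg0 list=LAN
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=54321 comment=Wireguard \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# ---- client (MikroTik) ----
/interface wireguard
add name=wg0 listen-port=13231 mtu=1420 \
    private-key="CLIENT_PRIVATE_KEY_PLACEHOLDER"
/interface wireguard peers
add interface=wg0 public-key="SERVER_PUBLIC_KEY_PLACEHOLDER" \
    endpoint-address=vpn.example.net endpoint-port=54321 \
    allowed-address=10.10.10.0/24,192.168.88.0/24 persistent-keepalive=25s
/ip address add address=10.10.10.2/24 interface=wg0
# Unlike the WireGuard apps, RouterOS does not turn allowed-address into
# routes, so the route to the server's LAN is added by hand.
/ip route add dst-address=192.168.88.0/24 gateway=wg0

# ---- checks, on the server unless noted ----
# 1. Does the accept rule count the handshake packets at all?
/ip firewall filter print stats where comment=Wireguard
# 2. Did a handshake complete? last-handshake should be a few seconds old.
/interface wireguard peers print detail
# 3. From the client: the server's LAN address first, then a host behind it.
/ping 192.168.88.1 count=3
```

If step 1 never increments, the packets are not arriving (wrong port, upstream NAT, or a mobile carrier blocking the port); if it increments but step 2 shows no handshake, the keys or allowed-address settings are the usual cause.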
Hi, If you have set it up as DMZ of your existing router, you should probably rethink your firewall rules completely, and quickly. Go back to factory default rules and add your changes. You seem to have no block rules, so devices on the internet can presumably access the Mikrotik with no restraint. ...
/interface list member
add interface=WG-Cloud-BLR list=WAN
Possibly also
Change the wireguard MTU on the 5009 to 1412 (because its inside pppoe)
Add a persistent keep alive on the 5009 (somewhere 25-60 seconds is likely good)
1. Add the pppoe Interface to the WAN interface list.
2. Disable/remove dhcp client on ether1 if it is still present.
3. Reboot the router (maybe something is remembering something from prior to disabling detect internet)
Filtering dst-natted packets seems to work ok here. One guess: If you copied and modified the default defconf "drop all from WAN not DSTNATed" rule and edited it, you need to remove the connection state (! dst-nat) setting from your new rule. Also: You should be using a newer version of RouterOS, (an...
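Added example, not part of the posts above, serving both the "go back to factory default rules" advice and the point about filtering dst-natted packets: the RouterOS v7 default (defconf) filter rules as a fresh device generates them, followed by one extra rule that restricts a forwarded service to a single source range. Assumed (not from the posts): interface lists WAN and LAN exist, a port forward for TCP 443 is already present in /ip firewall nat, and 198.51.100.0/24 is the range allowed to use it.

```routeros
# Added example, not the posters' configuration. The first block is the
# RouterOS v7 defconf filter set; the last rule is an addition. Assumed:
# WAN/LAN interface lists exist and /ip firewall nat already forwards
# TCP 443 to an internal host.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid \
    comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 \
    comment="defconf: accept to local loopback (for CAPsMAN)"
# This is the rule whose absence leaves the router open to the internet.
add chain=input action=drop in-interface-list=!LAN \
    comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec \
    comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec \
    comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related \
    hw-offload=yes comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked \
    comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid \
    comment="defconf: drop invalid"
# Forwarded (dst-natted) connections fall through this rule and are
# allowed; everything else new from WAN is dropped.
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
# Addition: restrict the forwarded service to one source range. It must
# sit before the defconf drop above, and it matches
# connection-nat-state=dstnat: a copy of the defconf rule that keeps
# !dstnat can never match forwarded traffic. dst-port here is the port
# after translation (the to-ports value of the dst-nat rule).
add chain=forward action=drop connection-state=new connection-nat-state=dstnat \
    in-interface-list=WAN protocol=tcp dst-port=443 \
    src-address=!198.51.100.0/24 \
    comment="forwarded 443 only from partner range" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
```

The filter chain runs after dst-nat, so matching on the translated destination port and on connection-nat-state=dstnat is the reliable way to single out forwarded traffic; matching on the original public port only works while it happens to equal the internal one.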
One solution Set up a route table to go via wireguard, and route entry to go via the wireguard interface. /route table add disabled=no fib name=ViaWG-Cloud /ip route add disabled=no dst-address=0.0.0.0/0 gateway=WG-Cloud routing-table=ViaWG-Cloud Then for setting up the routing of specified IP Addre...
I trialled this at home, and it looks like theCat12's solution is likely the correct one. I connected to a device behind the Mikrotik, and the first couple of packets went via the main gateway, then the main gateway set an icmp redirect for host, giving the ip address of the Mikrotik, and after that...
You could try the following: 1. Backup your current mikrotik config, because this may not work... Change the Mikrotik's wan1 interface to be a Lan interface. (Default config would involve removing from WAN interface list, and adding to LAN interface list) Change the IP address on the Lan interface t...
You could use OSPF, and set a higher metric on the LtAP. (both on local route table via pppoe client config, and OSPF) OSPF metric setup is non obvious (v7) Part example is: https://forum.mikrotik.com/viewtopic.php?t=181118 Mine wound up as: /routing filter rule add chain=ospf-metric rule="if (...
If you have the default firewall fasttrack rule in place, you need to have an accept rule prior to this rule
for the packets using the via-vrrp1 routing.
Hi, You need to be a little bit careful how you mark your routes. If they are marked with via-vrrp1, they WILL use routes using table=use-vrrp1 I would tend to force it to go via routing rules. ip/firewall/mangle/ chain=prerouting action=mark-routing new-routing-mark=rule-vrrp1 passthrough=yes in-in...
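Added example, not part of the posts above, covering both the WG-Cloud route-table post and the note on routing marks, fasttrack and routing rules: a routing table that sends traffic out through a WireGuard interface, selected either by a routing rule on the source address or by a mangle mark plus a rule on that mark, with the accept rules that keep the traffic out of fasttrack. Assumed (not from the posts): WireGuard interface WG-Cloud is up, LAN host 192.168.88.50 and a guest VLAN interface vlan-guest should use it, and the defconf "defconf: fasttrack" rule is present.

```routeros
# Added example, not the posters' configuration. Assumed: WireGuard
# interface WG-Cloud is up; host 192.168.88.50 and interface vlan-guest
# must use it; the defconf firewall with "defconf: fasttrack" is in place.
/routing table add name=ViaWG-Cloud fib
/ip route add dst-address=0.0.0.0/0 gateway=WG-Cloud routing-table=ViaWG-Cloud
# Way 1: a routing rule per source address, no mangle needed.
# lookup-only-in-table means that when WG-Cloud is down and the table has
# no usable route the packet is dropped, rather than leaking out via the
# main table.
/routing rule add src-address=192.168.88.50/32 \
    action=lookup-only-in-table table=ViaWG-Cloud comment="pin host to tunnel"
# Way 2: mangle mark (here chosen by ingress interface), then a routing
# rule keyed on the mark. Marking alone selects the table; the rule is
# what forbids the fallback to main.
/ip firewall mangle add chain=prerouting in-interface=vlan-guest \
    action=mark-routing new-routing-mark=ViaWG-Cloud passthrough=yes \
    comment="guest VLAN via tunnel"
/routing rule add routing-mark=ViaWG-Cloud \
    action=lookup-only-in-table table=ViaWG-Cloud comment="no fallback for marked"
# Fasttracked connections skip mangle entirely, so after the first packets
# the mark would no longer be applied. Accepting tunnel traffic before the
# fasttrack rule keeps it in the normal path. Established/related only, so
# no new connection is allowed that the defconf rules would have dropped.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    out-interface=WG-Cloud comment="tunnel traffic stays out of fasttrack" \
    place-before=[find comment="defconf: fasttrack"]
add chain=forward action=accept connection-state=established,related \
    in-interface=WG-Cloud comment="tunnel return traffic stays out of fasttrack" \
    place-before=[find comment="defconf: fasttrack"]
# Source NAT to the tunnel address, unless the far end routes
# 192.168.88.0/24 and the guest range back through the tunnel.
/ip firewall nat add chain=srcnat out-interface=WG-Cloud action=masquerade
# Checks: the table has its default route, and the rules are active.
/ip route print where routing-table=ViaWG-Cloud
/routing rule print
```

Way 1 is preferable when the set of hosts is small and static; way 2 is needed when the selection depends on something a routing rule cannot see, such as the ingress interface or a port. In both cases it is the lookup-only-in-table action, not the mark or the table itself, that stops traffic from escaping via the main table when the tunnel is down.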
Hi, Some options. Option 1 Push a route to the client (or set it up on OVPN client) of 192.168.10.0/24 via the existing OVPN connection. Then let the (presumably existing) configuration on the Mikrotik route and NAT this to the 192.168.10.0/24 Mikrotik WAN network. The next couple Both basically inv...
It looks like the lan sfp2 is not running. In winbox, double click on the sfp2 and check its link status. What is it connected to? If a 1G DAC or optical device, you possibly need to force it to 1GBaseX, or at least include 1GBaseX in the Auto negotiation settings in the ethernet tab. If 10G probabl...