Community discussions

Search found 3284 matches

by sindy
Wed Jun 19, 2019 5:23 pm
Forum: General
Topic: Hardware VLAN
Replies: 6
Views: 322

Re: Hardware VLAN

I think it will help if I post my cAP ac configuration It does. You do the same thing twice which doesn't help. You've configured the guest wireless interfaces to tag frames as they forward them from the air to the bridge, and to untag them as they forward them from the bridge to the air. But at t...
by sindy
Wed Jun 19, 2019 4:22 pm
Forum: General
Topic: QoS
Replies: 14
Views: 585

Re: QoS

by sindy
Tue Jun 18, 2019 11:20 pm
Forum: General
Topic: VLAN for guest wifi
Replies: 8
Views: 362

Re: VLAN for guest wifi

I cannot see anything wrong in the Mikrotik configuration, but I don't get what you expect to happen. You say you use an unmanaged switch to connect the external gear (IPTV, Apple TV), but the only ethernet interface you've made a member port of VLAN30 on the Mikrotik is tagged. So unless the unmana...
by sindy
Tue Jun 18, 2019 7:04 pm
Forum: General
Topic: Routing question
Replies: 1
Views: 116

Re: Routing question

What you want sounds like normal routing to me (and a waste of IPv4 public addresses as you flush two per each "sub-subnet" to the toilet, which is why many people revert to use of PPPoE where all addresses can be used). One VLAN per subnet is not an issue for a CCR as presumably there will be no ac...
by sindy
Mon Jun 17, 2019 8:10 am
Forum: General
Topic: Hardware VLAN
Replies: 6
Views: 322

Re: Hardware VLAN

So then, it will not be possible to run a dhcp server from a switch vlan nor a bridge vlan? The switch chip knows nothing about L3 (IP). The CPU is connected to one of the ports of the switch, so the bridge VLAN and the switch VLAN are interconnected. So you attach the DHCP server to the same place ...
by sindy
Sun Jun 16, 2019 11:03 pm
Forum: General
Topic: DHCP PROBLEM 169.255.X.X
Replies: 2
Views: 175

Re: DHCP PROBLEM 169.255.X.X

more precisely, the /ip pool to which your pppoe server refers.
by sindy
Sun Jun 16, 2019 10:56 pm
Forum: General
Topic: Strange hiccups in SSH connection [SOLVED]
Replies: 2
Views: 165

Re: Strange hiccups in SSH connection [SOLVED]

Assigning of routing-mark using mangle rules is incompatible with fasttracking but doesn't disable it. Use of sniffer is incompatible with fasttracking but does disable it. Most packets belonging to fasttracked connections bypass the mangle rules, hence get no routing-mark, hence take the "wrong" ro...
by sindy
Sat Jun 15, 2019 10:56 pm
Forum: General
Topic: QoS
Replies: 14
Views: 585

Re: QoS

what else do you need syndi At the moment just time. Your L7 rules rely on a couple of domain names to be present in the initial packets of a connection, but something may have changed in how Google names the sites from which the videos are downloaded, and also if your browser supports QUIC, the do...
by sindy
Sat Jun 15, 2019 10:12 pm
Forum: General
Topic: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range
Replies: 8
Views: 272

Re: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range

Any example when it's possible would be appreciated static-only more or less substitutes "none" here, so when I wrote that you can combine static leases and pools on a single server, it means that you configure at least one pool, the static leases are used automatically even if they don't fit into ...
by sindy
Sat Jun 15, 2019 10:04 pm
Forum: General
Topic: One device in my network will not work
Replies: 4
Views: 137

Re: One device in my network will not work

I can't understand at all.
That's pretty common here, I've reverted to guessing. Here in particular, I've guessed that "it's my Mikrotik" actually means "it's caused by some issue on my Mikrotik". Let's see whether the guess was correct.
by sindy
Sat Jun 15, 2019 9:50 pm
Forum: General
Topic: One device in my network will not work
Replies: 4
Views: 137

Re: One device in my network will not work

Steps would be to determine its MAC address, check that it is registered as WiFi client, check that it has successfully accepted an IP address by DHCP (/ip dhcp-server lease print where mac-address~"xx:xx:xx:xx:xx:xx"), then use /tool sniffer quick ip-address=xxx.xxx.xxx.xxx to see whether it attemp...
by sindy
Sat Jun 15, 2019 9:29 pm
Forum: General
Topic: QoS
Replies: 14
Views: 585

Re: QoS

Who guides me in my concern?
Do you expect us to magically know your layer7 rules? Instead of the full configuration minus sensitive information, you've posted just the mangle rules.
by sindy
Sat Jun 15, 2019 9:23 pm
Forum: General
Topic: need help choosing hardware
Replies: 4
Views: 191

Re: need help choosing hardware

What are the settings you've used on the current hardware (sxtsq 5 ac)?
by sindy
Sat Jun 15, 2019 1:03 pm
Forum: General
Topic: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range
Replies: 8
Views: 272

Re: Block dynamic dhcp request or assign dynamic dhcp requests an ip from other ip range

Hi I tried to add a static pool to my ether1 and a second dynamic pool to ether1 but it doesn't work it gives a message there is already a dhcp server Error: Couldn't add new dhcp server - server or relay with such interface already exists You can only have a single DHCP server per interface, but yo...
by sindy
Sat Jun 15, 2019 11:00 am
Forum: General
Topic: A most bizarre PoE problem w/hEX S
Replies: 3
Views: 170

Re: A most bizarre PoE problem w/hEX S

Would you mind clarifying the recommended test steps please? I don't know whether you use clicking or typing to set up your Mikrotik 🙂 So "hw" is the name of a parameter of a row of a configuration table which defines the membership of interfaces in bridges (/interface bridge port); the name on the...
by sindy
Sat Jun 15, 2019 10:02 am
Forum: General
Topic: A most bizarre PoE problem w/hEX S
Replies: 3
Views: 170

Re: A most bizarre PoE problem w/hEX S

It sounds really strange. Assuming that ether4 and ether5 are on the same bridge, what is the protocol-mode of that bridge? If set to none , it forwards frames which should not be forwarded, so it lets LLDP through. Same happens if you have hardware-assisted forwarding enabled. LLDP has no role in t...
by sindy
Sat Jun 15, 2019 12:36 am
Forum: General
Topic: VPN down on failover
Replies: 2
Views: 177

Re: VPN down on failover

Or, simpler, just use /ip firewall connection remove [find dst-address~":(5|17|45)00\$" protocol=udp] in the script (if we really talk about L2TP over IPsec here, otherwise different protocols and ports have to be specified), so that you wouldn't need to connection-mark the VPN transport connection s...
by sindy
Fri Jun 14, 2019 10:40 pm
Forum: General
Topic: QoS
Replies: 14
Views: 585

Re: QoS

No, I just gave my recommendations to classify by connection data volume rather than the particular service. And I've pointed out that QUIC is a specific issue to address which may not have been there when you've set up your configuration. What else did you expect to get when you haven't posted your...
by sindy
Fri Jun 14, 2019 6:57 pm
Forum: General
Topic: QoS
Replies: 14
Views: 585

Re: QoS

Google's use of same IP addresses (often of local caches) for all their services doesn't make it exactly easy to distinguish web browsing on their less bandwidth-intensive services from downloading of youtube videos. So if you want to slow down the download of Youtube videos in favor of faster downl...
by sindy
Fri Jun 14, 2019 2:44 pm
Forum: General
Topic: SSTP over 1 Gbps link bad performance
Replies: 4
Views: 261

Re: SSTP over 1 Gbps link bad performance

Unless something has changed recently, only IPsec can make use of hardware encryption on Mikrotik.
by sindy
Fri Jun 14, 2019 1:04 pm
Forum: General
Topic: vlan bridge to port [SOLVED]
Replies: 10
Views: 414

Re: vlan bridge to port [SOLVED]

First, as on the 4011, activation of vlan-filtering on bridge disables "hardware accelerated bridging", I'd stick with the approach you've started from if you need your other LAN devices to talk to each other, VLAN 70 is the single one for which tagging/untagging is necessary, and you don't need STP...
by sindy
Fri Jun 14, 2019 12:06 pm
Forum: General
Topic: WDS ""wds ignore ssid"
Replies: 9
Views: 328

Re: WDS ""wds ignore ssid"

even with /interface wireless connect-list doesn't have any effect I confirm your observation, so I'd say it's time for an e-mail to support@mikrotik.com (with supout.rif from both your machines), asking them to either clarify the documentation or fix a bug. Log is the same at both devices (differe...
by sindy
Fri Jun 14, 2019 10:20 am
Forum: General
Topic: vlan bridge to port [SOLVED]
Replies: 10
Views: 414

Re: vlan bridge to port [SOLVED]

So the chain is ( == trunk/tagged connection, -- access/tagless connection): variant 1, works: pppoe server == some network == etherX == bridge1 == interface vlan 70 -- bridge2 -- interface pppoe-client (internal) variant 2, doesn't work: pppoe server == some network == etherX == bridge1 == interfac...
by sindy
Thu Jun 13, 2019 4:02 pm
Forum: General
Topic: Wierd Problem with Mikrotik
Replies: 4
Views: 279

Re: Wierd Problem with Mikrotik

How bursty is the traffic through the IPIP tunnels? I mean, can it be that there is silence in both directions for minutes? Your firewall rules on either end may prevent IPIP tunnel's transport packets from being accepted if a matching packet hasn't been sent in the opposite direction a few (tens of...
by sindy
Thu Jun 13, 2019 3:48 pm
Forum: General
Topic: EoIP tunnels randomly fail
Replies: 8
Views: 364

Re: EoIP tunnels randomly fail

On each end, the input rule in firewall must accept protocol=gre packets from the address from which the opposite end sends the EoIP transport packets. But thinking of it, read also this post as your setup is very similar. So still not 100% sure on the rule. Head Office External - 1.1.1.1 Head Offi...
by sindy
Thu Jun 13, 2019 1:51 pm
Forum: General
Topic: EoIP tunnels randomly fail
Replies: 8
Views: 364

Re: EoIP tunnels randomly fail

On each end, the input rule in firewall must accept protocol=gre packets from the address from which the opposite end sends the EoIP transport packets. But thinking of it, read also this post as your setup is very similar.
by sindy
Thu Jun 13, 2019 1:45 pm
Forum: General
Topic: L2TP/IPSec more than one shared secret? [SOLVED]
Replies: 8
Views: 359

Re: L2TP/IPSec more than one shared secret? [SOLVED]

For a road warrior scenario - is there an approach that will work? Alternative VPN or otherwise? If you can use only one public IP address at the L2TP server for both groups of clients (colleagues and contractor), the "alternative VPN" would have to be either IKEv2 IPsec or have nothing to do with ...
by sindy
Thu Jun 13, 2019 12:50 pm
Forum: General
Topic: WDS ""wds ignore ssid"
Replies: 9
Views: 328

Re: WDS ""wds ignore ssid"

I'll only be able to test it practically in hours from now, but the manual says the following: Security profile for WDS link is specified in connect-list. Access point always checks connect list before establishing WDS link with another access point, and used security settings from matching connect ...
by sindy
Thu Jun 13, 2019 8:11 am
Forum: General
Topic: L2TP/IPSec more than one shared secret? [SOLVED]
Replies: 8
Views: 359

Re: L2TP/IPSec more than one shared secret? [SOLVED]

Can the address be the address assigned to the them in the /ppp /secrets local-address? So when those credentials are used they always get the same IP that I can use in FW filter rules? I am assuming that "Incoming connection requests from the IP address" refers to the contractors WAN IP address th...
by sindy
Thu Jun 13, 2019 2:12 am
Forum: General
Topic: L2TP/IPSec more than one shared secret? [SOLVED]
Replies: 8
Views: 359

Re: L2TP/IPSec more than one shared secret? [SOLVED]

If you want to do anything but a single common IPsec peer for all L2TP clients, you have to make do without the automagical generation of the IPsec configuration which RouterOS does for you when you specify the pre-shared key as a parameter of /interface l2tp-server server and set use-ipsec to yes ....
by sindy
Thu Jun 13, 2019 1:44 am
Forum: General
Topic: WDS ""wds ignore ssid"
Replies: 9
Views: 328

Re: WDS ""wds ignore ssid"

Sorry Sindy I couldn't get nothing useful from your message. Couldn't it be related to the fact that there was little useful information in your OP? My question was very simply, i will repeat again. So when i'm using "wds ignore ssid" (wiki: If this property is set to yes, then SSID of the remote A...
by sindy
Wed Jun 12, 2019 6:12 pm
Forum: General
Topic: How to connect branch LAN behind ISP NAT to HQ LAN?
Replies: 2
Views: 132

Re: How to connect branch LAN behind ISP NAT to HQ LAN?

This is your starting point for pure IPsec, this one is for IPsec-encrypted L2TP where most of the IPsec configuration is automagically created by Mikrotik itself and routing behaves the "normal" way, so it is simpler and thus faster to set up at Mikrotik side than pure IPsec. The price to pay is m...
by sindy
Wed Jun 12, 2019 5:43 pm
Forum: General
Topic: EoIP tunnels randomly fail
Replies: 8
Views: 364

Re: EoIP tunnels randomly fail

I cannot suggest what is wrong with the EoIP tunnels, but if you have Mikrotiks at both ends of each tunnel, and unless you need VLANs to run through the tunnels and at the same time be tagged/untagged on the endpoint Mikrotiks, you can use the L2 tunneling capability of L2TP itself. To do that, add...
by sindy
Wed Jun 12, 2019 5:14 pm
Forum: General
Topic: WDS ""wds ignore ssid"
Replies: 9
Views: 328

Re: WDS ""wds ignore ssid"

For the same reason why you can attach IP configuration to a slave port of a bridge which is also a wrong configuration but you can set it up like that and even the auto-generated warning comments in the configuration do not appear to notify you about that. It needs a specific talent to be able to g...
by sindy
Wed Jun 12, 2019 3:21 pm
Forum: General
Topic: Not all RDP traffic seems to be marked in firewall mangle
Replies: 3
Views: 176

Re: Not all RDP traffic seems to be marked in firewall mangle

Is there a way to still mark / count this traffic or is the only way for proper bandwidth management to have fasttracking disabled? It depends what you need to do in particular. If the only traffic categories are "RDP" and "the rest", you can selectively exclude from fasttracking the RDP traffic, h...
by sindy
Wed Jun 12, 2019 8:23 am
Forum: General
Topic: Issues with my setup
Replies: 11
Views: 418

Re: Issues with my setup

If you cannot access the server even from outside, pfsense has nothing to do with it. The first thing I'd do in such case would be to make a command line window as wide as your screen allows, run /tool sniffer quick ip-address=the.public.ip.78 in it and try to access the server from outside. You sho...
by sindy
Wed Jun 12, 2019 12:27 am
Forum: General
Topic: Issues with my setup
Replies: 11
Views: 418

Re: Issues with my setup

Your firewall rules are a nightmare to read but it seems to me that Mikrotik doesn't block access from clients behind the pfsense to the server. Routing seems fine too. So I can only speculate that the pfsense is doing src-nat on connections initiated by hosts in pfsense's LAN (192.168.0.0/24). If i...
by sindy
Tue Jun 11, 2019 7:25 pm
Forum: General
Topic: Issues with my setup
Replies: 11
Views: 418

Re: Issues with my setup

There definitely is something you can do, we just have to find what it is :) So the fixed ISP1 is a pppoe client via vlan621-2 via ether6, so it is a tunnel interface which gets added as a default route, and the ISP routes to you packets for the ...78 via that interface. The picture says ...76 is a ...
by sindy
Tue Jun 11, 2019 12:55 pm
Forum: General
Topic: Interface packets discard.
Replies: 7
Views: 384

Re: Interface packets discard.

Looks to me like traffic is going from pppoe-dait (internet?) to ether1 (lan?). Download probably. No drops. As the OP says pppoe-dait uses wlan1 as transport interface, it doesn't seem plausible unless there was some mysteriously efficient compression. Is compression set to yes in the ppp profile?
by sindy
Tue Jun 11, 2019 11:26 am
Forum: General
Topic: Issues with my setup
Replies: 11
Views: 418

Re: Issues with my setup

Post your configuration, following the anonymisation hint in my automatic signature below, and a description or drawing of the setup - to which port of the Mikrotik the uplink, the server, and the client PC from which you try to access the server are connected. To me, "direct to internet" means that...
by sindy
Tue Jun 11, 2019 8:48 am
Forum: General
Topic: LT2P/IPSec VPN working no internet access [SOLVED]
Replies: 6
Views: 298

Re: LT2P/IPSec VPN working no internet access [SOLVED]

Should I add the interface-list=LAN to both the default and default-encryption profile? It depends on which profile your /interface l2tp-server server , or your /ppp secret refer (the latter, if set, supersedes the former) "remove the last-but-one and last-but-two action=drop rules because they are...
by sindy
Mon Jun 10, 2019 7:54 pm
Forum: General
Topic: Cannot unset default-vlan-id
Replies: 1
Views: 74

Re: Cannot unset default-vlan-id

VLAN ID 0 means to treat the packet as untagged, plus to take the default-vlan-id into account at all, other settings need to be activated on the switch chip. So if you don't need VLANs or switching/bridging, just remove the interfaces from any bridges and attach the IP configurations directly to th...
by sindy
Mon Jun 10, 2019 7:43 pm
Forum: General
Topic: Issues with my setup
Replies: 11
Views: 418

Re: Issues with my setup

I'm not sure what you mean by having the public IP outside NAT, but google this site for "hairpin NAT", client access to public IP handling dst-nat to the server in the same internal subnet from which the client connects is a frequently encountered scenario.
by sindy
Mon Jun 10, 2019 2:11 pm
Forum: General
Topic: 5651 Log For Turkey
Replies: 3
Views: 390

Re: 5651 Log For Turkey

I believe you don't need any script (in the sense of describing an algorithm); it is enough to create a new log action: /system logging action add target=remote name=remote-syslog remote=your.log.server.ip and then add the following: /system logging add topics=firewall,info action=remote-syslog add ...
by sindy
Mon Jun 10, 2019 1:01 pm
Forum: General
Topic: Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses [SOLVED]
Replies: 7
Views: 317

Re: Looking for a simple Firewall filter rules for giving the internet access to the known MAC addresses [SOLVED]

You can use static DHCP (convert all lease to static) and block by IP. great idea, thnx.. but actually it's a bit easy to find out the IPs ... i'm not sure but i saw somewhere people use simple firewall rules to allow internet for specific MAC... unrecognized MAC automatically get deny from filter....
by sindy
Mon Jun 10, 2019 12:07 pm
Forum: General
Topic: Need Solution: How to get the maximum speed of my Connection from my MikrotikBoard 2011UiAS-2HnD [SOLVED]
Replies: 7
Views: 362

Re: Need Solution: How to get the maximum speed of my Connection from my MikrotikBoard 2011UiAS-2HnD [SOLVED]

It all depends on how exactly your firewall rules look like. If connections which depend on routing-mark to be assigned by mangle rules are fasttracked, they do work but appear to be slow because most packets take the wrong route as they escape the mangle rules, so they are dropped and retransmitted...
by sindy
Mon Jun 10, 2019 11:56 am
Forum: General
Topic: PPPOE Server and VLAN Issue
Replies: 9
Views: 313

Re: PPPOE Server and VLAN Issue

So you're arguing with the fiber provider and they keep telling you it's your fault, and you wanted a second opinion :) ? The only way out is to connect another switch with an SFP instead of their switch and connect a PPPoE client to it (or run a PPPoE client on it if it is not just a switch). If it...
by sindy
Mon Jun 10, 2019 11:52 am
Forum: General
Topic: How to Block PPTP Traffic
Replies: 6
Views: 2856

Re: How to Block PPTP Traffic

didn't work on my router. it should be like this: That's a misunderstanding. The OP wanted to block PPTP to be transited by his Mikrotik, and that rule works for that task. Your rule blocks incoming GRE connections to your Mikrotik itself , which is a different task (and to block PPTP connections t...
by sindy
Mon Jun 10, 2019 11:37 am
Forum: General
Topic: PPPOE Server and VLAN Issue
Replies: 9
Views: 313

Re: PPPOE Server and VLAN Issue

Strictly speaking that's no capture file, it is a screenshot of the sniffer output, which however shows that you do respond to the incoming PPPoE discovery frames but the client most likely doesn't react to these responses and starts sending the requests again. So sniff into a file, download the fil...
by sindy
Mon Jun 10, 2019 11:22 am
Forum: General
Topic: LT2P/IPSec VPN working no internet access [SOLVED]
Replies: 6
Views: 298

Re: LT2P/IPSec VPN working no internet access [SOLVED]

The only rule in the firewall chain of your "drop-all-but-exceptions" firewall which permits outbound connections through WAN is action=accept chain=forward comment="Alllow LAN interface-list out wan interface-list" in-interface-list=LAN out-interface-list=WAN , but as the VPN interfaces are not mem...