Search found 4245 matches

by anav
Mon Jun 01, 2020 12:37 am
Forum: Scripting
Topic: Help with firewall
Replies: 8
Views: 508

Re: Help with firewall

No I think the OP wants to be hacked, he should find older firmware and just use winbox open to the internet. Seriously, concur with Jotne, PPTP is no easier than more secure protocols to implement. Also, the extra load and config mess caused by all these blocking trapping type rules is simply not w...
by anav
Mon Jun 01, 2020 12:33 am
Forum: Wireless Networking
Topic: Netmetal AC2 Disappointments [SOLVED]
Replies: 30
Views: 3427

Re: Netmetal AC2 Disappointments [SOLVED]

Well stated, if the antenna is primarily looking for returns from a certain area (more focused) the returns from other angles will be better ignored.
by anav
Mon Jun 01, 2020 12:27 am
Forum: Beginner Basics
Topic: Is an example available for VoIP with PC?
Replies: 15
Views: 1176

Re: Is an example available for VoIP with PC?

I believe that is the correct path.....
by anav
Mon Jun 01, 2020 12:20 am
Forum: Beginner Basics
Topic: Router doesn't appear in Winbox interface despite reset procedure
Replies: 8
Views: 404

Re: Router doesn't appear in Winbox interface despite reset procedure

My intention was not to use a master password for managed list but I must have put one in when playing and now seemingly locked out forever LOL.
by anav
Sun May 31, 2020 11:25 pm
Forum: Beginner Basics
Topic: Is an example available for VoIP with PC?
Replies: 15
Views: 1176

Re: Is an example available for VoIP with PC?

The grandstream I was reading about allowed for LLDP OR MANUAL methods to setup vlan. However I have no idea what the OP is using.
Equally stupid of VOIP hardware/software providers to RELY on lldp for anything so it's not just an MT issue in my mind.
by anav
Sun May 31, 2020 11:09 pm
Forum: Beginner Basics
Topic: does winbox use ssh for connection ?
Replies: 1
Views: 107

Re: does winbox use ssh for connection ?

That is correct it is one of many options.
I simply use the winbox port but I change the port to a non-standard number like 12,789
by anav
Sun May 31, 2020 11:04 pm
Forum: Beginner Basics
Topic: Is an example available for VoIP with PC?
Replies: 15
Views: 1176

Re: Is an example available for VoIP with PC?

Reading some more in general.............. The native or untagged data should be destined for the PC and the tagged data on vlan 20 is for the voip phone. The voip phone will strip these tagged packets off the wire so the PC will never see them. Thus in our construct, the untagged packets belong to ...
by anav
Sun May 31, 2020 10:47 pm
Forum: Beginner Basics
Topic: Is an example available for VoIP with PC?
Replies: 15
Views: 1176

Re: Is an example available for VoIP with PC?

Well the most important thing for me is to understand how this phone connection thingy works. The physical connection - these phones basically have built-in two port switches. One port (PoE) connects to the LAN and provides power and ethernet to the phone. The second port provides connectivity to an...
by anav
Sun May 31, 2020 10:37 pm
Forum: Beginner Basics
Topic: Router doesn't appear in Winbox interface despite reset procedure
Replies: 8
Views: 404

Re: Router doesn't appear in Winbox interface despite reset procedure

Neighbours works well enough for me, the key is to ensure the vlan that holds all the devices is in each ip discovery list. As for managed list, I tried it and got nowhere - bad password. I fear I played with ROMON in the past and I have an old password so locked out? So what should one do if one ca...
by anav
Sun May 31, 2020 10:01 pm
Forum: Beginner Basics
Topic: Router doesn't appear in Winbox interface despite reset procedure
Replies: 8
Views: 404

Re: Router doesn't appear in Winbox interface despite reset procedure

Fezzfeet right you are, I completely missed that ref Winbox version, my apologies to the OP! Please post your config /export hide-sensitive file=anynameyouwish Without the config the only other thing I can think of ensuring the subnet the router is on, is defined as an interface member be it the defa...
by anav
Sun May 31, 2020 8:53 pm
Forum: Wireless Networking
Topic: Netmetal AC2 Disappointments [SOLVED]
Replies: 30
Views: 3427

Re: Netmetal AC2 Disappointments [SOLVED]

As bpwl stated, my recommendation was to focus the wifi ONLY for the intended coverage area and of course one would have to turn down the power as appropriate to the scenario.
If the power is turned down leakage (side and back lobes) should be way smaller than an omni radiating into the house.
by anav
Sun May 31, 2020 8:43 pm
Forum: Beginner Basics
Topic: Router doesn't appear in Winbox interface despite reset procedure
Replies: 8
Views: 404

Re: Router doesn't appear in Winbox interface despite reset procedure

The firmware is so old it's almost comical, if not for the fact that you obviously didn't buy it new but from someone second hand.
Download the latest stable software and then USE NETINSTALL to make sure you are starting from a good clean (not hacked) firmware.
Come back when you need assistance after
by anav
Sun May 31, 2020 8:41 pm
Forum: Beginner Basics
Topic: Using hex as switch?
Replies: 9
Views: 944

Re: Using hex as switch?

The hEX is a super router, but has a weaker switch chip than some other MKT devices. MT7621 is actually decent switch chip, just not when used in Mikrotik device. Even in MT it should do just fine (wirespeed switching) if VLAN is out of scope. When one needs to use VLANs, then indeed hEX is not a g...
by anav
Sun May 31, 2020 8:37 pm
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

The reason Jotne, is that the poster is just plugging stuff into WINBOX without knowing what each config line actually does, or how it interacts with other settings.
The emphasis should be on education during each recommended change.
So walk through it at a bit slower pace...........
or not LOL.
by anav
Sun May 31, 2020 7:22 pm
Forum: Beginner Basics
Topic: hAP AC2 management problem
Replies: 3
Views: 273

Re: hAP AC2 management problem

If the issue is that you cannot connect to the RoS device by LANIP that is normal. I cannot do so directly on any of my devices. I have to use winbox to connect to my devices, it works best for me by mac address but if you use the IP in winbox, don't forget to include the winboxport at the end of the...
by anav
Sun May 31, 2020 5:11 pm
Forum: Beginner Basics
Topic: RTSP Settings
Replies: 1
Views: 136

RTSP Settings

I have basically ignored these (Assuming default is okay) on my 260GS switches. However looking today I noticed some differences in the ports specifically some say EDGE and some say Point to Point for the "TYPE" setting. As for state some are at a snapshot viewing saying discarding others forwarding...
by anav
Sun May 31, 2020 5:03 pm
Forum: Beginner Basics
Topic: Using hex as switch?
Replies: 9
Views: 944

Re: Using hex as switch?

A switch without vlans is like MKX without lubrication (u can take that anyway you want LOL, but I meant the imbibing kind!).
by anav
Sun May 31, 2020 5:01 pm
Forum: Beginner Basics
Topic: Is an example available for VoIP with PC?
Replies: 15
Views: 1176

Re: Is an example available for VoIP with PC?

https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table The fourth diagram down shows a hybrid vlan approach. If this is what you are looking for? What is not clear to me is how the ethernet coming from the router is going to reach both the PC and VOIP device ???? In a nutshell (using this as a ref ...
by anav
Sun May 31, 2020 4:48 pm
Forum: Beginner Basics
Topic: Is an example available for VoIP with PC?
Replies: 15
Views: 1176

Re: Is an example available for VoIP with PC?

EDIT: duplicate post
by anav
Sun May 31, 2020 4:26 pm
Forum: Wireless Networking
Topic: Setting Time in Capac from main router. [SOLVED]
Replies: 7
Views: 773

Re: Setting Time in Capac from main router. [SOLVED]

hehe, don't forget he has that elusive MT designation MTUNA certificate!! It's special and rare!
by anav
Sun May 31, 2020 4:24 pm
Forum: Wireless Networking
Topic: Additional Security for Wifi Devices.
Replies: 5
Views: 646

Re: Additional Security for Wifi Devices.

Sorry, from being accessed directly since they are on the wired LAN. Direct IP access seems to be non-existent - GOOD Only access by winbox - GOOD winbox limited by username and password - GOOD Anything else I can do?? (don't think so being layer 2) but on router for example I can limit access to th...
by anav
Sun May 31, 2020 4:18 pm
Forum: Beginner Basics
Topic: VLAN w/ trunk on RB2011
Replies: 4
Views: 378

Re: VLAN w/ trunk on RB2011

Ahh Okay, I see what you are saying now. Yes, create a vlanxxx for the ISP connection. The switch will have to accept traffic from the ISP (modem?) without any tags, let's say on port1, tag the packets with vlanxxx and then send them out port 2 to the RB2011. The RB will see the packets coming in and ...
by anav
Sun May 31, 2020 3:06 pm
Forum: Wireless Networking
Topic: Netmetal AC2 Disappointments [SOLVED]
Replies: 30
Views: 3427

Re: Netmetal AC2 Disappointments [SOLVED]

Long range on Mikrotik marketing is usually referring to multiple km with high gain antennas and not covering a back yard. The wAP AC has 3 chains on 5ghz compared to 2 chains of the netmetal. And the wAP is the same enclosure as the wireless wire (wAPG-60adkit), so it will be just fine outdoors. H...
by anav
Sun May 31, 2020 2:50 pm
Forum: Wireless Networking
Topic: Additional Security for Wifi Devices.
Replies: 5
Views: 646

Re: Additional Security for Wifi Devices.

My question was aimed at protecting capacs themselves not the WIFI.
by anav
Sun May 31, 2020 12:04 am
Forum: Beginner Basics
Topic: Unable to get expected speed with router
Replies: 2
Views: 420

Re: Unable to get expected speed with router

Looking at test results, 700-800 is very reasonable for your device and I would have guessed more like maxing out at 500 based on filter rules https://mikrotik.com/product/RB962UiGS-5HacT2HnT#fndtn-testresults if you want 1Gig out of your connection you should purchase the rb4011 or rb4011 with wifi...
by anav
Sun May 31, 2020 12:03 am
Forum: Beginner Basics
Topic: Using hex as switch?
Replies: 9
Views: 944

Re: Using hex as switch?

I have two 260GS, they are a bit ornery to work with but once set they are solid.
Thanks jotne, I have an extra Hex, I might turn that into a switch.....
by anav
Sat May 30, 2020 11:54 pm
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

No worries, okay so you have no clue on what each line on the config does or how the router works (packets moved around). That's fine, most of us were in that spot at one time or another but pull up your pants and make an effort to learn, cause no one likes to spoon feed forever. (Yes, you are ultima...
by anav
Sat May 30, 2020 8:31 pm
Forum: General
Topic: Winbox Issue
Replies: 3
Views: 581

Re: Winbox Issue

What was the issue??
by anav
Sat May 30, 2020 8:20 pm
Forum: Wireless Networking
Topic: Additional Security for Wifi Devices.
Replies: 5
Views: 646

Additional Security for Wifi Devices.

Currently the Capacs I have reside on the home vlan (trusted). Access to the Capacs is permitted via ip services - winbox non standard port and system username configuration So I can limit winbox access to specific subnet or lanips etc.......... What other security options are open to me to either p...
by anav
Sat May 30, 2020 8:00 pm
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

What is the purpose of that line what does it do? Compare it to other ip address lines. Look at dhcp server settings and compare Look at the bridge port assignments and look for conflicts What is the purpose of the bridge What responsibility are you giving to the bridge What have you attached to the...
by anav
Sat May 30, 2020 7:56 pm
Forum: Beginner Basics
Topic: My first Hex, help to config
Replies: 2
Views: 300

Re: My first Hex, help to config

The first thing you should do is upgrade the firmware, that is extremely old. Did it come to you already configured? if so, it might be best to do a netinstall process in case the router was ever hacked in the past. Wipes the slate clean so you start fresh. Also some advice I gave to another new MT ...
by anav
Sat May 30, 2020 7:52 pm
Forum: RouterOS v7 BETA
Topic: Feature Request: Port Forwarding Wizard/Menu in GUI
Replies: 5
Views: 905

Re: Feature Request: Port Forwarding Wizard/Menu in GUI

The only thing that they should have is the "both" (TCP&UDP) instead of using 2 rules I see nothing wrong with an option for both TCP and UDP on the pull-down which would auto generate two rules. The savings is not in the number of rules it's simply a savings in one less copy and paste or two rules...
by anav
Sat May 30, 2020 4:35 pm
Forum: General
Topic: DDos protection
Replies: 4
Views: 502

Re: DDos protection

Hi Jay22 I am not familiar with DDOS, but the reading I have done states that it is an attack on one's networks by groups of computers (botnets) that have been compromised. Can you clarify if a. you are suffering DDOS attacks (in which case your ISP will be the primary vehicle of protection - single ...
by anav
Sat May 30, 2020 4:27 pm
Forum: General
Topic: Winbox login issue
Replies: 2
Views: 246

Re: Winbox login issue

Hi camyryn, Sounds like the config needs some minor tweaking. Why not post the config of one of the routers exhibiting the issue and will see what's going on. /export hide-sensitive file=anynameyouwish (did you have it working before with no issue - and if so was there anything you changed on the com...
by anav
Sat May 30, 2020 4:23 pm
Forum: RouterOS v7 BETA
Topic: V7 questions?
Replies: 34
Views: 6362

Re: V7 questions?

It seems you are asking for MT to change a significant part of complex code for your single use case . Seems rather selfish to me, but if it benefits a wide range of users then perhaps MT will implement it. So I reserve judgment on that particular aspect of your spam posts. However, if you recall, y...
by anav
Sat May 30, 2020 4:01 pm
Forum: RouterOS v7 BETA
Topic: Feature Request: Port Forwarding Wizard/Menu in GUI
Replies: 5
Views: 905

Re: Feature Request: Port Forwarding Wizard/Menu in GUI

The default rules already provide the basis for port forwarding (in the forward filter rules). If port forwarding is desired then one simply makes the correct destination nat rule. This is not a consumer router for the best buy crowd (plugNplay lead by the nose). The main difficulty is that people w...
by anav
Sat May 30, 2020 2:53 pm
Forum: General
Topic: Very long ping times
Replies: 4
Views: 772

Re: Very long ping times

/export hide-sensitive file=anynameyouwish
by anav
Sat May 30, 2020 2:51 pm
Forum: Beginner Basics
Topic: VLAN w/ trunk on RB2011
Replies: 4
Views: 378

Re: VLAN w/ trunk on RB2011

So your WAN is not a real WAN? If it is it would not be on port 4 or port 2 as well just incoming and stop at the router.
In any case all your answers are here......

viewtopic.php?f=13&t=143620
by anav
Sat May 30, 2020 4:36 am
Forum: RouterOS v7 BETA
Topic: V7 questions?
Replies: 34
Views: 6362

Re: V7 questions?

Then you just need to mirror ports to the CPU to monitor the actual traffic. Otherwise it sounds like you want to build a software based switch/bridge. This will be slow, power-consuming and costly. It's not for monitoring, it's for firewall. It's also not about building any switch/bridge. Do you k...
by anav
Fri May 29, 2020 10:21 pm
Forum: Wireless Networking
Topic: Multiple VLANs with LHG60/VLAN filtering
Replies: 2
Views: 440

Re: Multiple VLANs with LHG60/VLAN filtering

suggest you have a read of this..... to get you righted.........
viewtopic.php?t=143620
by anav
Fri May 29, 2020 10:20 pm
Forum: Wireless Networking
Topic: Multiple VLANs with LHG60/VLAN filtering
Replies: 2
Views: 440

Re: Multiple VLANs with LHG60/VLAN filtering

Your whole config looks hosed to me, Use one bridge assign all vlans to bridge and change this add admin-mac=6C:C7:EC:9A:1F:6F auto-mac=no frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes name=bridge1 vlan-filtering=yes to this: add admin-mac=6C:C7:EC:9A:1F:6F auto-mac=no nam...
by anav
Fri May 29, 2020 10:13 pm
Forum: Wireless Networking
Topic: CAPsMAN with VLAN not working properly
Replies: 2
Views: 667

Re: CAPsMAN with VLAN not working properly

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes

Did you try it without setting ip firewall =yes? It's not usual to apply this on vlans (by that I mean on the bridge, most just use the firewall filter rules.....)
by anav
Fri May 29, 2020 10:10 pm
Forum: Wireless Networking
Topic: Netmetal AC2 Disappointments [SOLVED]
Replies: 30
Views: 3427

Re: Netmetal AC2 Disappointments [SOLVED]

The netmetal AC2 is a great unit, do not be embarrassed. It's max flex and allows you to serve a small area with omni antennas OR longer range with diff antennas. It comes with dual chains. (AC1200) It probably has a better capacity to be outdoor than other products. It can handle IPSEC has lots of gu...
by anav
Fri May 29, 2020 9:52 pm
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

Yeah I'm pissed Jotne obscured the process ...........
Uff, that was not my intention :mrgreen:
Je sais, just having a rough day.
by anav
Fri May 29, 2020 7:50 pm
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

I gave explicit instructions on getting help, and hints. It is not an unreasonable request.......... Figure it out and then I can help with the rest. You have to be able to think and understand firewall rules and config to work in MT, otherwise might as well buy a Netgear ;-) Yeah I'm pissed Jotne o...
by anav
Fri May 29, 2020 6:42 pm
Forum: Beginner Basics
Topic: Firewall Problem
Replies: 4
Views: 658

Re: Firewall Problem

post complete config and I can have a look
/export hide-sensitive file=anynameyouwish
by anav
Fri May 29, 2020 4:15 pm
Forum: General
Topic: SNTP vs NTP Clients [SOLVED]
Replies: 3
Views: 618

Re: SNTP vs NTP Clients [SOLVED]

I recently noticed that my CAPACs had wandering date and times and thus decided to sync them to my router. I downloaded the package and in a fairly easy manner got it setup. I suppose I could have kept the sntp client used on the router and used the same external sntp client on the capacs as well. ...
by anav
Fri May 29, 2020 4:11 pm
Forum: General
Topic: Think i'm being attacked
Replies: 15
Views: 1814

Re: Think i'm being attacked

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

What is this for........... ???
/ip service
set www address=192.168.88.0/24
by anav
Fri May 29, 2020 4:06 pm
Forum: General
Topic: Block inter-vlan traffic in one direction
Replies: 2
Views: 475

Re: Block inter-vlan traffic in one direction

/export hide-sensitive file=anynameyouwish

Then we will be able to comment on the config in a more complete sense as often rules and config are interactive.
by anav
Fri May 29, 2020 2:33 pm
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

Jotne, you know better - use code parenthesis!!
by anav
Fri May 29, 2020 6:01 am
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

(1) No harm in turning this on if its desired. /ip neighbor discovery-settings set discover-interface-list=none (change list to LAN). (2) Typical rookie mistake. See if you can see it. /ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=\ 192.168.88.0 Hint1 - look at you...
by anav
Fri May 29, 2020 5:56 am
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

export file attached I am still re-reading the links you supplied. So am I understanding correctly, the INPUT chain is for data that is directed to the router, which would only be router control info? So Internet traffic would be handled by the FORWARD chain, which I am not messing with. Correct!!
by anav
Fri May 29, 2020 5:54 am
Forum: Beginner Basics
Topic: [solved] dhcp-client at WAN is stuck with status searching [SOLVED]
Replies: 9
Views: 1154

Re: dhcp-client at WAN is stuck with status searching [SOLVED]

Looks okay for the most part, the only thing I don't understand is the following add action=dst-nat chain=dstnat comment="DNS Redirect" dst-port=53 protocol=\ udp src-address=!10.0.0.3 to-addresses=10.0.0.3 to-ports=53 add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\ !10.0.0.3 t...
by anav
Fri May 29, 2020 2:05 am
Forum: General
Topic: Think i'm being attacked
Replies: 15
Views: 1814

Re: Think i'm being attacked

I think MT should remove PPTP and add wireguard LOL
by anav
Fri May 29, 2020 2:02 am
Forum: Beginner Basics
Topic: [solved] dhcp-client at WAN is stuck with status searching [SOLVED]
Replies: 9
Views: 1154

Re: dhcp-client at WAN is stuck with status searching [SOLVED]

/export hide-sensitive file=anynameyouwish
by anav
Fri May 29, 2020 2:01 am
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

I won't speculate on a lack of information.
Post your config and I will gladly advise.

/export hide-sensitive file=anynameyouwish
by anav
Thu May 28, 2020 7:50 pm
Forum: General
Topic: Script environment suspicious !
Replies: 7
Views: 1079

Re: Script environment suspicious !

Too bad, for a second there I thought you might have a sense of humour! jajajajaja
by anav
Thu May 28, 2020 7:49 pm
Forum: General
Topic: New Buyer
Replies: 3
Views: 570

Re: New Buyer

I would normally recommend the same based on specs for normal ethernet activity, however if you wish to access your router for configuration while not at home, or have need for other VPN setups then, this is not the right unit to make maximum advantage of your 1gig wan connection. For 1gig across mo...
by anav
Thu May 28, 2020 6:09 pm
Forum: General
Topic: Script environment suspicious !
Replies: 7
Views: 1079

Re: Script environment suspicious !

I'm trapped inside a script! Help! VFunny Jotne LOL.
by anav
Thu May 28, 2020 2:58 pm
Forum: Beginner Basics
Topic: three newbie questions
Replies: 27
Views: 3094

Re: three newbie questions

More clearly stick with the default rules until a. you understand what the default rules actually do and mean b. you understand what any rules you are going to add really do and mean and how they interact with the other rules. Good reading https://help.mikrotik.com/docs/display/ROS/Winbox https://he...
by anav
Thu May 28, 2020 5:47 am
Forum: General
Topic: Followed guide can't get VLANs to work . ( Mikrotik + OpnSense)
Replies: 3
Views: 529

Re: Followed guide can't get VLANs to work . ( Mikrotik + OpnSense)

The only difference between my config and yours is basically I use vlans for all networks.
So the home network is also on a vlan.
by anav
Thu May 28, 2020 5:45 am
Forum: General
Topic: Bloqueo de conexiones persistentes
Replies: 3
Views: 521

Re: Bloqueo de conexiones persistentes

You are the epitome of lazy Mr Mutluit!! {translated} "Hello everyone, I would like if you can guide me on this topic that I bring, I have seen in my firewall log multiple attempts to connect from the WAN to an aIP that was allowed from the firewall, the behavior is as follows: from a public IP the...
by anav
Thu May 28, 2020 5:41 am
Forum: General
Topic: Security warning (hacking): "Greenbug" Espionage Group
Replies: 1
Views: 344

Re: Security warning (hacking): "Greenbug" Espionage Group

What does this have to do with MT products?
If I have security concerns I go to a proper forum, not spam this one.
https://www.dslreports.com/forum/security
by anav
Thu May 28, 2020 5:38 am
Forum: General
Topic: Having trouble with possible DNAT
Replies: 8
Views: 949

Re: Having trouble with possible DNAT

(1) Get rid of this rule. /interface detect-internet set detect-interface-list=all (2) You are missing the ip pool, ip dhcp-server and ip dhcp-server network for your other subnet????? (3) Won't hurt to set this to LAN vice none. /ip neighbor discovery-settings set discover-interface-list=none (4) Mi...
by anav
Thu May 28, 2020 12:01 am
Forum: General
Topic: Followed guide can't get VLANs to work . ( Mikrotik + OpnSense)
Replies: 3
Views: 529

Re: Followed guide can't get VLANs to work . ( Mikrotik + OpnSense)

Why would I care if openPFS works for vlan30......... As for the MT product....... /interface bridge add ether-type=0x88a8 fast-forward=no name= ONEBRIDGE vlan-filtering=yes /interface vlan add interface=ONEBRIDGE name=Intrerface-vlan30 vlan-id=30 add interface=ONEBRIDGE name=Intrerface-vlan20 vlan-...
by anav
Wed May 27, 2020 10:04 pm
Forum: Beginner Basics
Topic: Redundant Internet Connection Problems
Replies: 2
Views: 302

Re: Redundant Internet Connection Problems

Reset to defaults. Then start again from winbox. A config manipulated in quickset is bound to be problematic.
by anav
Wed May 27, 2020 9:54 pm
Forum: Beginner Basics
Topic: Failover using only one wan interface
Replies: 5
Views: 720

Re: Failover using only one wan interface

hmm good question. I never had email so just added it with critical.

Try....
(1) Route, Info (I'm assuming when you have two topics it will require both to trigger)

(2) Route, Interface

(3) Info, Interface

(4) Route, Info, Interface

Let me know which works the best ............
by anav
Wed May 27, 2020 8:34 pm
Forum: Beginner Basics
Topic: Failover using only one wan interface
Replies: 5
Views: 720

Re: Failover using only one wan interface

Yes, but I don't know how. :-(

The good news is that it is explained very well here
step1- https://www.youtube.com/watch?v=CMPEVBd4dYw
step2 - https://www.youtube.com/watch?v=fRQfnzo_p9Y
by anav
Wed May 27, 2020 6:21 pm
Forum: General
Topic: Upgrade to HexS (RB760iGS) cannot get ultra fibre speed.
Replies: 18
Views: 1944

Re: Upgrade to HexS (RB760iGS) cannot get ultra fibre speed.

Why would you buy a router and then ask this question........ "Is the HexS RB760iGS able to get 900MBPS, using PPPoE together with a VLAN?" Well based on the AVAILABLE information before purchase (let alone asking on the forum), the short answer is hell no! Using the 512 byte size words and 25 filte...
by anav
Wed May 27, 2020 6:10 pm
Forum: Beginner Basics
Topic: Best practice Firewall Inter-VLAN Routing
Replies: 1
Views: 321

Re: Best practice Firewall Inter-VLAN Routing

One has TWO major tools in firewall rules (besides subnet addresses or singular addresses) to address users or groups of users. Interface Lists and Firewall Address Lists . I tend to use vlans so then not so much so I use subnets themselves. IF YOU HAVE MORE THAN ONE GROUP OF USERS - Interface lists...
by anav
Wed May 27, 2020 4:20 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3020

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

Ahh okay, I see a log, to know if........... that makes sense.
Then the following is also valid,
Detect, then block lanip.
Then find out who is pissed off that their internet doesn't work anymore.
I like it!!!
by anav
Wed May 27, 2020 4:16 pm
Forum: General
Topic: Malwarebytes flags Winbox as malware
Replies: 8
Views: 1008

Re: Malwarebytes flags Winbox as malware

Ok "malware" is maybe a bit of an overstatement, but marking as "unusableware" would be appropriate...
Oh I get it, you are mad that us idiots who cannot manage CLI have a tool that lets us bypass all that silly CLI nonsense ;-P
(well except for a few commands that are quite useful)
by anav
Wed May 27, 2020 4:15 pm
Forum: General
Topic: Malwarebytes flags Winbox as malware
Replies: 8
Views: 1008

Re: Malwarebytes flags Winbox as malware

That's par for the course with MB. It flagged a bill payment feature on my bank website, after logging in,,,,, as malware LOL.
by anav
Wed May 27, 2020 4:01 pm
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 55
Views: 10855

Re: v6.47rc [testing] is released!

It would be better if MT, actually published their requirements documents and associated use cases. It seems as if they are often incomplete based on these sorts of discussions (seems being the operative word). In the above discussion, people are saying great we now functionality X so we should be a...
by anav
Wed May 27, 2020 2:32 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3020

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

I saw this in best practices wiki, don't use it but do you see value in adding to the default setup..........? This rule just prevents your uplink bandwidth from being wasted by ill-configured software or malware running on devices in your LAN. Let me rephrase my question so it fits the answer... " ...
by anav
Wed May 27, 2020 2:30 pm
Forum: General
Topic: Having trouble with possible DNAT
Replies: 8
Views: 949

Re: Having trouble with possible DNAT

There should be no issue for you to reach any external server via Putty.
However if you have a firewall error it can happen.
Suggest post entire config
/export hide-sensitive file=anynameyouwish
by anav
Wed May 27, 2020 2:26 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3020

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

I saw this in best practices wiki, don't use it but do you see value in adding to the default setup..........? add action=drop chain=forward comment="Drop tries to reach non-public addresses from LAN" dst-address-list=not_in_internet in-interface=bridge1 (where the list is the usual bogon list - of c...
by anav
Wed May 27, 2020 3:29 am
Forum: General
Topic: IKEv2 IOS - Cannot Connect [SOLVED]
Replies: 16
Views: 2131

Re: IKEv2 IOS - Cannot Connect [SOLVED]

My RESOLVED INFORMATION is accurate.
Apple will not permit anything more than the number of days I stated, regardless.
So yes you have to renew the Cert as 10 years will fail every time.
by anav
Wed May 27, 2020 12:41 am
Forum: Beginner Basics
Topic: What's wrong with this NAT command ?
Replies: 5
Views: 693

Re: What's wrong with this NAT command ?

Without knowing the use case and seeing the rest of the config, hard to say.
by anav
Tue May 26, 2020 10:47 pm
Forum: Beginner Basics
Topic: Blocking input and forward traffic from IP
Replies: 4
Views: 786

Re: Blocking input and forward traffic from IP

Glad to have a look, but not at snippets.
Please post config
/export hide-sensitive file=anynameyouwish
by anav
Tue May 26, 2020 10:46 pm
Forum: Beginner Basics
Topic: Failover using only one wan interface
Replies: 5
Views: 720

Re: Failover using only one wan interface

Hmm not possible unless maybe both firewalls run through an intermediary device to the Router (maybe a managed switch such that you setup your ethernet to run on two VLANS. VLAN 100 goes to ISP1, vlan 200 goes to ISP2, both VLANS run on ether1 to the switch (trunk port). The switch ingress port is a...
by anav
Tue May 26, 2020 6:59 pm
Forum: General
Topic: newbee questions vlans ons bridgew
Replies: 1
Views: 248

Re: newbee questions vlans ons bridgew

Use this reference.
viewtopic.php?t=143620

Once you have a config made up.
Come here and post it for review.

/export hide-sensitive file=anynameyouwish
by anav
Tue May 26, 2020 6:58 pm
Forum: General
Topic: VLAN bridges
Replies: 1
Views: 349

Re: VLAN bridges

Yes, draw a diagram of your current network. ISP modem, to router where ports on router go, any other devices attached. Describe the use cases. How many group of users and what they are allowed or not allowed to do. (is wifi involved, are there common devices etc.). (are there any non-standard cases...
by anav
Tue May 26, 2020 6:53 pm
Forum: Beginner Basics
Topic: Default Firewall Order
Replies: 5
Views: 985

Re: Default Firewall Order

Not really, I just have such a poor understanding of how this router works (of well packet flow in general) that I have to dumb it down so I understand.
by anav
Tue May 26, 2020 5:02 pm
Forum: General
Topic: RB4011iGS No Internet available to hosts [SOLVED]
Replies: 7
Views: 847

Re: RB4011iGS No Internet available to hosts [SOLVED]

The answer is yes! {Input Chain} This rule in your input chain drops all requests coming from the internet to your router and allows all requests to your router from the LAN. add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN This is a decent generic d...
by anav
Tue May 26, 2020 3:31 pm
Forum: Beginner Basics
Topic: Default Firewall Order
Replies: 5
Views: 985

Re: Default Firewall Order

Change Order in Green Remove in Red Add in Blue add action=accept chain=input comment="Default Firewall - Accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="Default Firewall - Drop Invalid Connections" connection-state=invalid ad...
by anav
Mon May 25, 2020 10:11 pm
Forum: Beginner Basics
Topic: Connecting Mikrotik Router and Mikrotik AP
Replies: 7
Views: 950

Re: Connecting Mikrotik Router and Mikrotik AP

Access Point. Assumptions (1) trunk port from router is ether1 (2) ether 2 is going to a PC on home vlan. (3) Wlan1 is to devices (4) Wlan2 is to home users. added changes or modifications /interface ethernet set [ find default-name=ether1 ] name=LAN_router /interface bridge add admin-mac=48:8F:5A:0...
by anav
Mon May 25, 2020 9:47 pm
Forum: Beginner Basics
Topic: Connecting Mikrotik Router and Mikrotik AP
Replies: 7
Views: 950

Re: Connecting Mikrotik Router and Mikrotik AP

Assumptions: (1) You want two subnets. I will use vlans but you get the idea for a clean config. (2) I will assume the AP serves both smart devices and homeusers (on different SSIDs etc, with smartdevices using 2.4ghz and homeusers using 5ghz) (3) eth4 goes to AP (4) eth1 goes to WAN (5) Ether 2,3 ...
by anav
Mon May 25, 2020 8:35 pm
Forum: Beginner Basics
Topic: Connecting Mikrotik Router and Mikrotik AP
Replies: 7
Views: 950

Re: Connecting Mikrotik Router and Mikrotik AP

Please repost configs and I will take a look gladly!!
by anav
Mon May 25, 2020 6:29 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2700

Re: Client IP over wan LINK host not REACHABLE

Ahh okay, I missed that totally. The end unit is not a PC, its another router. Assuming the Hapac on the client side is acting as an access point switch and not a router (dont want conflict on dhcp for example) SO haplite WIRED to routeboard (2.4ghzAP) then over WIFI to disclite (client side) WIRED ...
by anav
Mon May 25, 2020 3:58 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3537

Re: I Can't Port Forward

I have no idea what this accomplishes. /ip address add address=192.168.0.1/24 interface=ether2 network=192.168.0.0 add address=192.168.0.1/8 interface=ether2 network=192.0.0.0 I feel like a pretzel trying to wrap my brain around it. But in any case you are half and half in two camps. what is in cha...
by anav
Mon May 25, 2020 2:56 pm
Forum: Wireless Networking
Topic: Setting Time in Capac from main router. [SOLVED]
Replies: 7
Views: 773

Re: Setting Time in Capac from main router. [SOLVED]

Why thank you. Brilliant you are!!
by anav
Mon May 25, 2020 2:52 pm
Forum: Wireless Networking
Topic: Setting Time in Capac from main router. [SOLVED]
Replies: 7
Views: 773

Re: Setting Time in Capac from main router. [SOLVED]

I suggest you a. setup NTP client on router - done, time synched on router b. setup NTP server on router - enabled, broadcast and manycast selected. c. Final step - add input chain rule for service ex. in-interface-list=lan protocol=udp dst-port=123 comment="Access NTP Server" d. On any other device...
by anav
Mon May 25, 2020 1:56 pm
Forum: Wireless Networking
Topic: Setting Time in Capac from main router. [SOLVED]
Replies: 7
Views: 773

Re: Setting Time in Capac from main router. [SOLVED]

That part is done (ntp package). So is this is correct? ntp client set to pool and gains IP and Router time shows correct. enable ntp server only option is to set type of broadcast - kept default of manycast. Thats it? no other selections seem possible? Check capac - sntp client set to gateway of ro...
by anav
Mon May 25, 2020 1:32 pm
Forum: Beginner Basics
Topic: Outdoor AP? [SOLVED]
Replies: 8
Views: 1066

Re: Outdoor AP? [SOLVED]

by anav
Mon May 25, 2020 5:28 am
Forum: General
Topic: WAN on bridge with LAN
Replies: 8
Views: 1005

Re: WAN on bridge with LAN

I am not aware of a such a rule. What I am pretty sure of is that you cannot have two bridges on the same port........... So my original thought of bridge for wan and bridge for lan would probably not work, although cleaner. So I went back to one bridge with many vlans. What I am not clear on is who...
by anav
Mon May 25, 2020 5:06 am
Forum: Wireless Networking
Topic: Setting Time in Capac from main router. [SOLVED]
Replies: 7
Views: 773

Setting Time in Capac from main router. [SOLVED]

I noticed the time and date were wrong on my capac. I do have a System SNTP client option available. it was not enabled and had multicast as the default type. I changed it as follows enabled primary NTP - gateway of subnet the CAPAC is (ex. capac IP is 192.168.1.100 gateway entered 192.168.1.1) I no...
by anav
Mon May 25, 2020 3:43 am
Forum: General
Topic: WAN on bridge with LAN
Replies: 8
Views: 1005

Re: WAN on bridge with LAN

(A diagram would have been a logical thing to post.) This seems fairly straightforward - what am I missing?? As long as you are working with a managed switch, in between, isn't this as simple as creating one bridge and multiple vlans? The switch accepts untagged packets from the modem on the port coming ...
by anav
Mon May 25, 2020 3:16 am
Forum: Beginner Basics
Topic: need help with the NAT
Replies: 1
Views: 247

Re: need help with the NAT

Post the config of your router...... /export hide-sensitive file=anynameyouwish. Also read the following https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT https://help.mikrotik.com/docs/pages/viewpage.action?pageId=3211299 Best bet is to make a small investment. https://www.amazon.ca/Theory-labo...
by anav
Mon May 25, 2020 3:06 am
Forum: Beginner Basics
Topic: Connecting Mikrotik Router and Mikrotik AP
Replies: 7
Views: 950

Re: Connecting Mikrotik Router and Mikrotik AP

Get rid of capsman and I will be more than happy to help.
Also, do you plan on providing guest and home user wifi
in other words wifi for home user on .88 network and guests on .10 network ??

Are there separate groups of users?
by anav
Sun May 24, 2020 8:38 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

Hmm, losing patience, why are you screwing around. The instruction was as simple as this...... /interface bridge add admin-mac= auto-mac=no comment=defconf name=1-default-bridge \ vlan-filtering=yes and yet somehow you took it upon yourself to do this...... /interface bridge add admin-mac=00:00:00:8...
by anav
Sun May 24, 2020 8:20 pm
Forum: General
Topic: DHCP Client Script when provider renews lease
Replies: 8
Views: 1201

Re: DHCP Client Script when provider renews lease

My client script is
":if (\$bound=1) do={ /ip route set [find commen\
t=\"WANNAME\"] gateway=(\$\"gateway-address\") disabled=no; :log warning\
\_(\"New ISP1 gateway: \".(\$\"gateway-address\")) }"

With add default distance route of 255.

I use recursive IP route settings...
by anav
Sun May 24, 2020 8:15 pm
Forum: Beginner Basics
Topic: Router Blocks some internet Trafic
Replies: 15
Views: 1852

Re: Router Blocks some internet Trafic

Hmmm, I cannot see why else that would occur??
by anav
Sun May 24, 2020 5:01 pm
Forum: General
Topic: 35(!) FATAL ERRORS inside the "MikroTik News" web page https://wiki.mikrotik.com/wiki/MikroTik_News
Replies: 2
Views: 639

Re: More than 40(!) FATAL ERRORS inside the "MikroTik News" web page ( https://wiki.mikrotik.com/wiki/MikroTik_News )

Au contraire. MK has a superior QC department. They created the "obsessive compulsive TRAP".
Looks like it found a victim already.
by anav
Sun May 24, 2020 4:58 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3020

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

First thing you need to do is remove the MT from the internet connection. The next thing you need to do is NET REINSTALL with the latest firmware. So download the latest firmware from Mikrotik and then conduct the NETINSTALL process. Once done, then start from scratch to redo your network setup. If ...
by anav
Sun May 24, 2020 4:54 pm
Forum: Beginner Basics
Topic: Router Blocks some internet Trafic
Replies: 15
Views: 1852

Re: Router Blocks some internet Trafic

Check your cables and terminations.........
by anav
Sun May 24, 2020 2:44 pm
Forum: Beginner Basics
Topic: Router Blocks some internet Trafic
Replies: 15
Views: 1852

Re: Router Blocks some internet Trafic

I am more concerned that you learn from the help vice get the config right LOL. In other words, if we are putting all the interfaces on the bridge, and the bridge is providing DHCP, I hope you can see that mixing the config between bridge and eth2 is wrong. Eth2 is not in play its simply like any ot...
by anav
Sun May 24, 2020 2:36 pm
Forum: Beginner Basics
Topic: Router Blocks some internet Trafic
Replies: 15
Views: 1852

Re: Router Blocks some internet Trafic

You have to be careful, All I asked you to do was move that block internet forward chain rule down from where it was to below the forward chain invalid rule. It looks like you did something different........... ?? (why do you have the invalid input chain rule there, it belongs in the input chain??) ...
by anav
Sun May 24, 2020 2:19 pm
Forum: General
Topic: Router Interface Ethernet error problem.
Replies: 1
Views: 274

Re: Router Interface Ethernet error problem.

/export hide-sensitive file=anynameyouwish
by anav
Sun May 24, 2020 2:18 pm
Forum: General
Topic: Documentation errors
Replies: 6
Views: 1114

Re: Documentation errors

I actually asked them to introduce errors in the documents you are reading so as to keep you away from asking configuration questions. So far its working. ;-)
by anav
Sun May 24, 2020 2:15 pm
Forum: Beginner Basics
Topic: Firewall rule -- Block input not coming from LAN
Replies: 2
Views: 392

Re: Firewall rule -- Block input not coming from LAN

Probably because there are a gazillion bots probing the internet everyday...........

/export hide-sensitive file=anynameyouwish
by anav
Sun May 24, 2020 2:13 pm
Forum: Beginner Basics
Topic: A desperate cry for help.
Replies: 5
Views: 1050

Re: A desperate cry for help.

/export hide-sensitive file=anynameyouwish
by anav
Sun May 24, 2020 2:04 pm
Forum: Beginner Basics
Topic: Router Blocks some internet Trafic
Replies: 15
Views: 1852

Re: Router Blocks some internet Trafic

Yes the presentation as Jotne noted is possible with the code links........... I will look to see if I see anything. (1) Here is the main error I see. /ip address add address=192.168.8.1/24 comment=defconf interface= ether2 network=\ 192.168.8.0 should be add address=192.168.8.1/24 comment=defconf i...
by anav
Sun May 24, 2020 12:48 am
Forum: General
Topic: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]
Replies: 13
Views: 2165

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]

Yes, one for sindy. I am completely bamboozled by what you call LAN, and by the lack of a LAN interface list and the plethora of interfaces that are seemingly tied to nothing, no port or vlan............ If I had to guess - your config is totally hosed. You need to assign all those interfaces to...
by anav
Sun May 24, 2020 12:30 am
Forum: Beginner Basics
Topic: DHCP Server Problem with VLANs and Bridge [SOLVED]
Replies: 3
Views: 460

Re: DHCP Server Problem with VLANs and Bridge [SOLVED]

In summary, (1) should fix your issues. Items 2, is good practice item 3, is probably not necessary and should only be done if (1) above does not fix the issue. If Item 3 does not fix it either then go back to the original setting (without tagged bridge). (1) When finished the vlan configuration you...
by anav
Sun May 24, 2020 12:21 am
Forum: Beginner Basics
Topic: Hap mini setup
Replies: 3
Views: 263

Re: Hap mini setup

Okay I would reset to defaults and then try again.
Do not use quickset but use winbox instead.
The safemode button at the top left of winbox is your friend.

You should get connectivity on eth2 (LAN) and eth1 connected to the internet.
by anav
Sun May 24, 2020 12:01 am
Forum: Beginner Basics
Topic: Router Blocks some internet Trafic
Replies: 15
Views: 1852

Re: Router Blocks some internet Trafic

/export hide-sensitive file=anynameyouwish open in notepad++ and copy here. (ensure for client WANIP that its removed). Just a note, much of the stuff on youtube is outdated or full of extra unnecessary garbage. The default rules are good to go out of the box. Will have you up and running in no time....
by anav
Sat May 23, 2020 7:22 pm
Forum: General
Topic: DNS over HTTPS
Replies: 23
Views: 3477

Re: DNS over HTTPS

Okay after some reading my questions boil down to Q. Advantage of MT router implementation over simply using firefox? - it covers any browser being used? Why not make Doh, part of the default setup for routers coming from the factory?? Right now for dynamic servers I have listed in order 1.1.1.1, 1....
by anav
Sat May 23, 2020 7:19 pm
Forum: Announcements
Topic: Winbox v3.24 released!
Replies: 29
Views: 8970

Re: Winbox v3.24 released!

Hi, just wanted to say THANKS Emils for you and your teams hardwork. Thats all!
by anav
Sat May 23, 2020 7:18 pm
Forum: Beginner Basics
Topic: The extra packages in RouterOS [SOLVED]
Replies: 21
Views: 2055

Re: The extra packages in RouterOS [SOLVED]

Perhaps operator error--------- bug incurred during conception??
by anav
Sat May 23, 2020 6:23 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2700

Re: Client IP over wan LINK host not REACHABLE

Okay so to confirm, The first access point does not talk to any local devices smartphones etc. Its ONLY purpose is to establish a wifi link to a second AP. (not a wired connection to the second AP) Now at the second AP, I will assume its acting as an AP/switch - in other words its considered part of...
by anav
Sat May 23, 2020 4:58 pm
Forum: Beginner Basics
Topic: The extra packages in RouterOS [SOLVED]
Replies: 21
Views: 2055

Re: The extra packages in RouterOS [SOLVED]

Discerning (astute) device, it does not like you! Has Mikrotik developed networking equipment similar to brooms in Harry Potter? ;-P
by anav
Sat May 23, 2020 4:46 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2700

Re: Client IP over wan LINK host not REACHABLE

What kind of connection do you have from ap to ap, wireless? wired?
Why do you call it a WAN link?
Plus the three million other questions asked in my post above.
by anav
Sat May 23, 2020 3:16 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2700

Re: Client IP over wan LINK host not REACHABLE

To that end, I would like to ask the OP the purpose of the first AP - is it just used in a pt to pt type link to the second AP (and serves no local clients)? If true and the first AP is a ptp link (not local service), what is the best way to configure that AP so that it doesnt respond to local clien...
by anav
Sat May 23, 2020 2:35 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2700

Re: Client IP over wan LINK host not REACHABLE

I understand your logic, and it is clear that you are the master of networking, of which I often think, if I could only have one small slice of your brain!! ;-) - but my efforts are more on the software and requirements angle. I see bugs that are not coding but are that of poorly articulated and und...
by anav
Sat May 23, 2020 5:49 am
Forum: Beginner Basics
Topic: hap ac2 wifi issues
Replies: 15
Views: 2134

Re: hap ac2 wifi issues

Arggg, I am saying dont touch or use quickset settings............
Just reset the router to defaults select home dual AP in quickset and then leave quickset and then use winbox from then on...........
by anav
Sat May 23, 2020 3:06 am
Forum: General
Topic: Vlan not reaching Wan net [SOLVED]
Replies: 3
Views: 551

Re: Vlan not reaching Wan net [SOLVED]

If you didnt have bonding I could help, sorry no experience with that.
The config looks incomplete
where are the bridge port settings??
where are the bridge vlan settings??

This may cause you all sorts of problems.............
/interface bridge settings
set use-ip-firewall-for-vlan=yes
by anav
Sat May 23, 2020 2:57 am
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2700

Re: Client IP over wan LINK host not REACHABLE

Sindy and OP, the point being, is this an optimal approach given the OPs scenario.
Is there other missing information that we need to do this task?
I see many more issues but they may not be, if the design suits the purpose.
by anav
Fri May 22, 2020 10:46 pm
Forum: General
Topic: Hairpin nat issue [SOLVED]
Replies: 8
Views: 1577

Re: Hairpin nat issue [SOLVED]

Very complex for me to look at and understand but from what I can see nothing wrong with your dstnat nat rules. Your source nat configuration is beyond me, but lets assume its okay. My two concerns are : (1) the fw rules - a. in general I dont like them and would reset those to defaults and then loo...
by anav
Fri May 22, 2020 10:05 pm
Forum: General
Topic: Flooding UDP port 1194
Replies: 14
Views: 2151

Re: Flooding UDP port 1194

Why not change the port (port translation in router) to your customers. like use 54332 dydns name/url:54332 add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=54332 protocol =tcp? to-addresses=IPserver to-ports=1194 Why would udp scans be stopped by a TCP rule (title of thread- "FLOODING...
by anav
Fri May 22, 2020 9:39 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2700

Re: Client IP over wan LINK host not REACHABLE

I am a bit confused by the setup and terminology used. For example why do you express the wifi connection at the top of schematic as a WAN Link ? Can you confirm that (from bottom left): Router is an MT device setup as a router Switch is an MT device setup as a router but only using it as a switch F...
by anav
Fri May 22, 2020 8:49 pm
Forum: Beginner Basics
Topic: Deny ip PUBLIC traffic
Replies: 10
Views: 1556

Re: Deny ip PUBLIC traffic

cant tell squat from pictures.
please post config
/export hide-sensitive file=anynameyouwish
by anav
Fri May 22, 2020 3:25 pm
Forum: General
Topic: Deny config access from public IP
Replies: 3
Views: 595

Re: Deny config access from public IP

Koutsik, what you say could be very concerning. Please post your config so we can ensure your setup is secure /export hide-sensitive file=anynameyouwish (while you're at it make sure you have a separate user name, not admin identified to control the router) (change the default winbox port to something else)
by anav
Fri May 22, 2020 1:28 pm
Forum: Beginner Basics
Topic: hap ac2 wifi issues
Replies: 15
Views: 2134

Re: hap ac2 wifi issues

No worries, nothing wrong with WISP or Home Dual as that is only the default setting of the router. As long as we then modify the config from the ios app or winbox it should be fine. what is that other attachment, a separate wifi device?? or you just wanted to show me the wifi settings? What is the ...
by anav
Fri May 22, 2020 4:00 am
Forum: General
Topic: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]
Replies: 13
Views: 2165

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]

First update your router to latest stable version......... Second yes, config is important. Third you have to decide what you want to do a. load balance (probably not as wan1 is miniscule) b. use wan2 as primary and wan1 as backup (more likely) The more information we know about the users on the net...
by anav
Fri May 22, 2020 3:57 am
Forum: Beginner Basics
Topic: "Congestion"
Replies: 13
Views: 1548

Re: "Congestion"

Well my advice is to PHUCK capsman as all I see are frustrated beginner users. My capacs are rock solid without it and I use vlans. I would say get it working first. Then read many threads on capsman before tackling it. Its like biting off more than one can chew at once!! I have zero desire to use c...
by anav
Fri May 22, 2020 3:45 am
Forum: Beginner Basics
Topic: hap ac2 wifi issues
Replies: 15
Views: 2134

Re: hap ac2 wifi issues

I prefer WISP AP but home dual should work also. (1) Remove this it only causes issues, not needed. /interface detect-internet set detect-interface-list=all (2) The following rule is incongruent with the rest of the config ........... /ip address add address=192.168.88.1/24 comment=defconf interface...
by anav
Thu May 21, 2020 4:53 pm
Forum: General
Topic: Firewalling Game Server?
Replies: 9
Views: 1275

Re: Firewalling Game Server?

Hi Mozerd,
Out of curiosity what is the load on the router in that gaming situation.
More precisely does it burn up throughput so like instead of 50Mbps down, one gets 45Mbps down??
by anav
Thu May 21, 2020 2:01 pm
Forum: General
Topic: Firewalling Game Server?
Replies: 9
Views: 1275

Re: Firewalling Game Server?

Is it a standard gaming port, or a common port for something else?? What you can do is a. change your incoming port dyndns.name.url:56432 for example action=dst-nat chain=dstnat in-interface-list=WAN protocol=tcp dst-port=56432 to-addresses=IPgameserver to-ports=11451 (or whatever the port needs to ...
by anav
Thu May 21, 2020 1:53 pm
Forum: General
Topic: Feature Request: zerotier vpn
Replies: 25
Views: 10077

Re: Feature Request: zerotier vpn

@anav: cannot answer your Private Message in this forum (message stays in the outbox).
Latvian cruel joke on North Americans. The message leaves the senders outbox only when the intended reader opens it at his/her inbox.
We dont use polish notation calculators either (backwards) ;-)
by anav
Thu May 21, 2020 1:51 pm
Forum: General
Topic: Best way to prevent attack from external
Replies: 9
Views: 1255

Re: Best way to prevent attack from external

If you want config advice wrt security
post config
/export hide-sensitive file=anynameyouwish
by anav
Thu May 21, 2020 1:33 pm
Forum: Beginner Basics
Topic: "Congestion"
Replies: 13
Views: 1548

Re: "Congestion"

Like any device aka smart phone playing spotify, the request goes outward from your LAN to spotify and the returns are allowed back in as per any other traffic. Thus it should work without any extra rules. Your spotify rule was misplaced. To allow unsolicited traffic to a server one needs destinatio...
by anav
Thu May 21, 2020 1:30 pm
Forum: Beginner Basics
Topic: hap ac2 wifi issues
Replies: 15
Views: 2134

Re: hap ac2 wifi issues

/export hide-sensitive file=anynameyouwish
by anav
Thu May 21, 2020 3:06 am
Forum: General
Topic: Port Priority
Replies: 13
Views: 1783

Re: Port Priority

Fascinating topic and clear amazing education. I would like to see your config to see if it can be further optimized in any case. /export hide-sensitive file=anynameyouwish @sindy Confirm once you start using mangle rules the router slows down (fasttrack has to be disabled in foreward fw rules) and ...
by anav
Thu May 21, 2020 2:41 am
Forum: General
Topic: Feature Request: zerotier vpn
Replies: 25
Views: 10077

Re: Feature Request: zerotier vpn

+1 in RoS 8.0 ;-)
by anav
Thu May 21, 2020 2:36 am
Forum: Beginner Basics
Topic: Changing Manufacturer and Model Name [SOLVED]
Replies: 8
Views: 1078

Re: Changing Manufacturer and Model Name [SOLVED]

Im going to send you a t-shirt
Wear it Loud
Wear it Proud
MIKROTIK
HA! The back should say - "Mikrotik - Legally Connected"!
My back would say

Promiscuous
.....Client.....
by anav
Thu May 21, 2020 2:34 am
Forum: Beginner Basics
Topic: "Congestion"
Replies: 13
Views: 1548

Re: "Congestion"

Again, I know nothing about capsman. Also you never answered my questions regarding spotify? What were you trying to accomplish?? Spotify is a music service? What does it have to do with Rpi whatever that is, or xbox?? Unless you host a spotify server on your LAN (other people are going to come in on ...
by anav
Thu May 21, 2020 1:46 am
Forum: Beginner Basics
Topic: Assign unique DHCP server to an AP?
Replies: 3
Views: 408

Re: Assign unique DHCP server to an AP?

First as pcunite stated. READ THE REFERENCE FIRST SO THAT YOU UNDERSTAND WHAT YOU ARE DOING AND WILL MAKE THE REST UNDERSTANDABLE. https://forum.mikrotik.com/viewtopic.php?t=143620 Typically one doesn't use a dumb switch to pass vlans mainly because all vlans are broadcast to all ports which kinda d...
by anav
Thu May 21, 2020 12:05 am
Forum: Beginner Basics
Topic: hap ac2 wifi issues
Replies: 15
Views: 2134

Re: hap ac2 wifi issues

Your best bet is to hook up the router to your PC directly. No internet no wifi nothing, and reset the router to defaults. Trying to recover a botched config is worse than starting from scratch. Then come back and ask for the steps you need next, based on your requirements How many Lans, How many wl...
by anav
Thu May 21, 2020 12:00 am
Forum: Beginner Basics
Topic: Changing Manufacturer and Model Name [SOLVED]
Replies: 8
Views: 1078

Re: Changing Manufacturer and Model Name [SOLVED]

Im going to send you a t-shirt
Wear it Loud
Wear it Proud
MIKROTIK
by anav
Wed May 20, 2020 11:03 pm
Forum: General
Topic: Switch chip VLAN and DHCP
Replies: 1
Views: 367

Re: Switch chip VLAN and DHCP

First its not a router but an AP but RoS is Ros.
Also suggest you follow this guide as what you have setup is strange to me.

viewtopic.php?t=143620
by anav
Wed May 20, 2020 9:08 pm
Forum: Wireless Networking
Topic: Tip for new setup
Replies: 14
Views: 2014

Re: Tip for new setup

by anav
Wed May 20, 2020 8:09 pm
Forum: Beginner Basics
Topic: Bridging vs Switching on CRS3xx series? [SOLVED]
Replies: 10
Views: 1322

Re: Bridging vs Switching on CRS3xx series? [SOLVED]

The problem here is Mikrotik's parlance. We have "bridge" as "ports connected through a switch" and "bridging", as "moving one ethernet datagram from one interface to another, through the CPU". Actually Mikrotik wants you to forget about switches inside their devices ... they do bridges and some po...
by anav
Wed May 20, 2020 7:21 pm
Forum: General
Topic: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK
Replies: 8
Views: 1202

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

Very strange, I would have thought no changes were needed to even default firewall rules on a hex, in terms of PC clients going out what is internet traffic to a server.
Suggest maybe you have a firewall rule blocking it??
by anav
Wed May 20, 2020 7:15 pm
Forum: General
Topic: vlan configuration
Replies: 2
Views: 404

Re: vlan configuration

post your configs for the main router and capac....
/export hide-sensitive file=anynameyouwish

Why do you wish to have the vlan for wifi guests go to the CCR28 or whatever, its not wifi capable?
(or is the capac connected via the CCR28)?
by anav
Wed May 20, 2020 2:37 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

Okay with the assumptions from your diagram (vlan4 is your homeLAN) and there is nothing on eth3,4,5 Removed unnecessary stuff........... So at this point, if vlans are talking to each other its because your managed switch is not configured properly. The firewall rules prevent the router from allowi...
by anav
Wed May 20, 2020 2:23 pm
Forum: Beginner Basics
Topic: Joining 2 networks
Replies: 19
Views: 2049

Re: Joining 2 networks

As what Solar77 said......... if they were in the same building, yes a direct wired connection via L3 switch would be the way to go. Would an RB2011 do it? probably yes, not sure about the performance though. If you want to use the RB2011, keep both connection on the gigabit ports, not the 100Mbps ...
by anav
Wed May 20, 2020 2:20 pm
Forum: Beginner Basics
Topic: port change rule help
Replies: 3
Views: 469

Re: port change rule help

Yes as described above, you send the packet as per normal
my.ftpserver.com:21

At the mikrotik you put in the dst nat rule that translates 21 to 1234, done..........
by anav
Wed May 20, 2020 2:17 am
Forum: Beginner Basics
Topic: "Congestion"
Replies: 13
Views: 1548

Re: "Congestion"

" Two additional comments.. 1. What is the purpose of this rule?? add action=accept chain=input comment=Spotify connection-state=established,related dst-port=4070 protocol=tcp (spotify is not a service the MT provides and thus confused) " Yes you really didnt answer the question LOL. Is there a spot...
by anav
Wed May 20, 2020 12:15 am
Forum: General
Topic: VLAN confusion
Replies: 6
Views: 1055

Re: VLAN confusion

I wont bother to look unless there are both configs as per the request.
by anav
Wed May 20, 2020 12:14 am
Forum: Beginner Basics
Topic: port change rule help
Replies: 3
Views: 469

Re: port change rule help

Okay so you are trying to reach a server behind a mikrotik router that is using port 1234. You have a device - where is this device? a. behind the same Mikrotik router? b. on the same subnet? c. on a different subnet? Its very easy to accept an incoming request to the router from an external WANIP l...
by anav
Wed May 20, 2020 12:07 am
Forum: Beginner Basics
Topic: Joining 2 networks
Replies: 19
Views: 2049

Re: Joining 2 networks

Is the RB2011 able to be wired to both routers (ie in same building etc).
by anav
Tue May 19, 2020 8:42 pm
Forum: General
Topic: VLAN confusion
Replies: 6
Views: 1055

Re: VLAN confusion

Please post the configs of both the Rb2011 and the hex for us to look at.

/export hide-sensitive file=anynameyouwish
by anav
Tue May 19, 2020 6:25 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 1181

Re: Accessing external IP from LAN without hairpin NAT

No worries, dont want to complicate matters, if there is not an easy route rule at play here, I will drop the subject...............
by anav
Tue May 19, 2020 5:44 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 1181

Re: Accessing external IP from LAN without hairpin NAT

Hmmm, I see you evaded my ip route question. Do not think I didnt notice. ;-P Yes, now that the OP has provided clarity it is much simplified and as you stated the standard dstnat rule to handle outside queries will also work for inside queries (when using dyndns name/url) as was pointed out for the...
by anav
Tue May 19, 2020 5:08 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 1181

Re: Accessing external IP from LAN without hairpin NAT

Hi Patric, Thanks for the extra information. This is all doable with one WANIP. Just put the server on its own subnet (not on a bridge with the rest of the LAN) or in a VLAN (can be on same bridge then). Then by firewall rules, the LAN and server are separate (assuming use of drop all rule as last r...
by anav
Tue May 19, 2020 4:28 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 1181

Re: Accessing external IP from LAN without hairpin NAT

@sindy Some questions. Assumption: OP does not want OPEN PORTS on the router - ie ports accessible to the outside world. - A very reasonable consideration. Solutions: 1. Standard Solution: Simply use the LANIP of the server from subnets behind the router server on subnet A users in subnet A simply ...
by anav
Tue May 19, 2020 3:54 pm
Forum: Beginner Basics
Topic: Mikrotik hAP ac² LAN & WIFI data exchange
Replies: 4
Views: 450

Re: Mikrotik hAP ac² LAN & WIFI data exchange

Why would your company purchase IT equipment with no knowledge of how to configure it. Does said company actually have an IT or networking department or representative. Who recommended the purchase? It may be better for the company (if there really is one) and their lack of expertise to get a more c...
by anav
Tue May 19, 2020 5:08 am
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

Please provide a diagram to show what is hooked up to which port.
For example its not clear where the unifi is located? connected to smart switch on eth2?
Where is vlan10 connected to??
by anav
Tue May 19, 2020 2:59 am
Forum: Beginner Basics
Topic: Splitting up ports
Replies: 14
Views: 1500

Re: Splitting up ports

Multiple personality disorder, or just like talking to yourself??
by anav
Tue May 19, 2020 12:20 am
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3458

Re: namecheap.com dynamic dns

Ahh so dynu has some ranging from 8.99/yr org.uk to 29.99/yr .guru I think I would take .link for 9.99/yr stink.my.link fix.my.link suck.my.link are all early contenders.... hmmmm ros7.wireguard.link my.home.link .rocks is 11.99 normis.rocks ( if he sent me a wireless wire pair, I would do it :-) ) ...
by anav
Tue May 19, 2020 12:08 am
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3458

Re: namecheap.com dynamic dns

Masses can have own domain names too, if they want, it's simple and cheap. I need to give up six beers each year to afford one, and it's that many only because beer is really cheap here, otherwise it would be even less (not that I'm complaining :)). And it includes use of nameservers run by registr...
by anav
Mon May 18, 2020 10:32 pm
Forum: Wireless Networking
Topic: Mikrotik AC Access Point cap ac
Replies: 36
Views: 4180

Re: Mikrotik AC Access Point cap ac

I have spent a lot of time on the UBNT forum, mostly helping others. I think that forums in common are the best resource for solving problems. Especially because you get support from a community. And not only the community, there are some MikroTik employees giving good information as well. I believ...
by anav
Mon May 18, 2020 10:25 pm
Forum: General
Topic: Dumb question about Bridge mode in RouterOS
Replies: 3
Views: 590

Re: Dumb question about Bridge mode in RouterOS

The only reason to touch quickset is if you're setting a wifi router or ap to a different mode.
First mistake touching quickset!!
Without a config, nothing can be known.
/export hide-sensitive file=anynameyouwish
by anav
Mon May 18, 2020 10:22 pm
Forum: Beginner Basics
Topic: 3 VLANs with 2 RouterBoards - find problem in configuration ?
Replies: 5
Views: 657

Re: 3 VLANs with 2 RouterBoards - find problem in configuration ?

Points. - yes you have to specifically note untagged ports where appropriate (as per my input). (you are telling the router to remove the vlan tags before they hit devices on that port) - not sure your 185. rule is going to accomplish what you want to achieve, lets discuss that in detail and see if...
by anav
Mon May 18, 2020 10:10 pm
Forum: Beginner Basics
Topic: Outdoor AP? [SOLVED]
Replies: 8
Views: 1066

Re: Outdoor AP? [SOLVED]

The wireless wire are fantastic products, waiting for Normis to send me a complimentary pair of course. If he has a spare wireless wire dish set for me, even better!! Would be great from tx signal from the house down to the water. No electricity or shed down there so perhaps a battery for when I ne...
by anav
Mon May 18, 2020 7:11 pm
Forum: Beginner Basics
Topic: Splitting up ports
Replies: 14
Views: 1500

Re: Splitting up ports

Please please, can we start a poll for the most useless questions ever asked......??

Or do we just provide equally adept answers instead??

I have never tried to split a port, wondering if I need an axe, a sharp screwdriver, do I need to melt it first with a blowtorch.
by anav
Mon May 18, 2020 4:22 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

In summary, agree that the management vlan20 and port designation of mngmt for port 5 are probably not needed. I would guess that the OP is really on the HOME user vlan10. My two rules still work however to ensure that only the OP access the router for config purposes and only the OP can access the o...
by anav
Mon May 18, 2020 4:18 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

Concur Sindy, one had to make a few assumptions based on incomplete information and my assumption was the following a. the OP or admin has his pc located on etherport 5 and is on vlan 20 . IF true then he simply needs two rules to add to his firewall rules to make it all work input chain rule to all...
by anav
Mon May 18, 2020 4:09 pm
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3458

Re: namecheap.com dynamic dns

ooooh fancy, own domain name................ I am just a peon using free dynu and free mt cloud.
Please send chocolate to keep us masses happy!!
by anav
Mon May 18, 2020 4:06 pm
Forum: Beginner Basics
Topic: 3 VLANs with 2 RouterBoards - find problem in configuration ?
Replies: 5
Views: 657

Re: 3 VLANs with 2 RouterBoards - find problem in configuration ?

Access Point.......
Hmmm what did you start with as the quickset setting - to prepare the box with defaults before configuring?
It looks like to me this is setup as a router and not an access point so unable to really comment until its cleaned up as per
the reference document provided........
by anav
Mon May 18, 2020 2:54 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

Now you are talking. Your question is a USE CASE, but your description of it is poor. In detail explain what your role is, in relation to the network, (what group of users do you belong to) and what is it that you need to accomplish. Then we will look at how to do that most efficiently in the config...
by anav
Mon May 18, 2020 2:49 pm
Forum: General
Topic: namecheap.com dynamic dns
Replies: 10
Views: 3458

Re: namecheap.com dynamic dns

I use dynu and it works great, and it has the ability to assign a C-name, so I point my FREE service at the MT CLOUD.

Perhaps in Belgium you like to torture friends or businesses with a long ass winded name to use to reach servers :-PPP, but I prefer being human!! :-)
by anav
Mon May 18, 2020 2:45 pm
Forum: Beginner Basics
Topic: 3 VLANs with 2 RouterBoards - find problem in configuration ?
Replies: 5
Views: 657

Re: 3 VLANs with 2 RouterBoards - find problem in configuration ?

The best guide ref vlans is: https://forum.mikrotik.com/viewtopic.php?t=143620 Make sure you read this over to cement your understanding!!! Will look at the configs soon. Router Config: (1) I am a bit lazier than you on the bridge ports (which define ingress behaviour),,,, for the router I normally ...
by anav
Mon May 18, 2020 2:42 pm
Forum: Beginner Basics
Topic: Failed to connect to internet
Replies: 16
Views: 2038

Re: Failed to connect to internet

For a fixed wanip, src-nat is correct.
You were given advice on DNS and IP route already.................. lead a horse to water..............
by anav
Mon May 18, 2020 1:49 am
Forum: Beginner Basics
Topic: Joining 2 networks
Replies: 19
Views: 2049

Re: Joining 2 networks

this is what you need: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IPsec_tunnel have a go and let us know if you run into problems One of your Mikrotik router needs static Public IP, or at least have DDNS setup so it can be reached from the Internet. @solar77 - I am very curious to ...
by anav
Mon May 18, 2020 1:44 am
Forum: Beginner Basics
Topic: Ping from different subnets
Replies: 3
Views: 524

Re: Ping from different subnets

Send me the units you have ( a good investment for future questions ) and I will be able to duplicate and help. Otherwise, how the EFFF is somebody supposed to guess how you screwed up the configuration!!! No wait let me consult the stupid OP configuration database....... OH there it is number 2,345...
by anav
Mon May 18, 2020 1:40 am
Forum: Beginner Basics
Topic: Failed to connect to internet
Replies: 16
Views: 2038

Re: Failed to connect to internet

What is 192.168.1.1 doing here (wanip is not correct)............ replace it with 1.1.1.1, 9.9.9.9 two of the ones that I use for dns. /ip dns set allow-remote-requests=yes servers=192.168.1.1 ???? This ip address is wrong and confusing. The interface for 192.168.2.1 is the BRIDGE remember..... (/i...
by anav
Sun May 17, 2020 7:37 pm
Forum: Beginner Basics
Topic: Help me setup private network with a wireless hotspot
Replies: 19
Views: 2455

Re: Help me setup private network with a wireless hotspot

yes your config is probably not optimal
I will try to find some time reading up on hotspot so that we can get you to a useful efficient config!!
by anav
Sun May 17, 2020 6:55 pm
Forum: Beginner Basics
Topic: Help needed on VLAN for hAP ac2
Replies: 9
Views: 1164

Re: Help needed on VLAN for hAP ac2

Super, and yes working with RoS can be daunting. Its setup so very little is automated for the user, in other words you have to tell the router what to do in terms of moving packets around. In most consumer routers they have automated most of the activity and the choices are limited in terms of additio...
by anav
Sun May 17, 2020 6:01 pm
Forum: Beginner Basics
Topic: Help needed on VLAN for hAP ac2
Replies: 9
Views: 1164

Re: Help needed on VLAN for hAP ac2

Concur, I am self certified MTUNA, so I am not obligated to charge for configs LOL.
But you need to post your config
/export hide-sensitive file=anynameyouwish

And we can point to the area where your mistakes are located..........
by anav
Sun May 17, 2020 4:31 pm
Forum: General
Topic: Double NAT? Bridge? Playstation 4 R-Play App [SOLVED]
Replies: 5
Views: 973

Re: Double NAT? Bridge? Playstation 4 R-Play App [SOLVED]

Firewall rules put a load on the CPU, so why have unnecessary rules. To me keeping it simple and clean and efficient is good management and security. Unless you have real reasons for tons of specialized rules I would avoid it. Many of the so called youtube experts is junk advice. There are good ones...
by anav
Sun May 17, 2020 4:26 pm
Forum: General
Topic: Hello again MT World
Replies: 2
Views: 491

Re: Hello again MT World

You should make an investment.......
https://mikrotik.com/product/CCR1036-8G-2SplusEM

I think it has enough power, can accommodate 10Gig and had a USB port. :-) :-)
by anav
Sun May 17, 2020 4:22 pm
Forum: General
Topic: Manual to use this forum page
Replies: 1
Views: 318

Re: Manual to use this forum page

Unfortunately there is not. The references I can provide..... https://wiki.mikrotik.com/wiki/Main_Page https://help.mikrotik.com/docs/display/ROS/RouterOS https://www.amazon.ca/Stephen-Rw-Discher/dp/0692777903/ref=sr_1_11?keywords=router+mikrotik+books&qid=1589721662&sr=8-11 https://www.amazon.ca/Th...
by anav
Sun May 17, 2020 4:15 pm
Forum: Beginner Basics
Topic: Double NAT port forwarding
Replies: 5
Views: 6279

Re: Double NAT port forwarding

You are supposing solution without explaining the use cases. The use cases will logically determine the setup of the system. For example the modem and the two routers dont come into play yet. What is that you need the network for. a. groups of users (home, guest, smart devices, servers etc.....) b. ...
by anav
Sun May 17, 2020 4:11 pm
Forum: Beginner Basics
Topic: Joining 2 networks
Replies: 19
Views: 2049

Re: Joining 2 networks

Your diagram is confusing,
You need two MT units one behind each modem acting as the router for its connection.
Then you can setup various tunnels and connections.......
by anav
Sun May 17, 2020 4:06 pm
Forum: Beginner Basics
Topic: "Congestion"
Replies: 13
Views: 1548

Re: "Congestion"

Quick perusal, and the following bears looking at..... Your WLAN1 and WLAN2 are confusing a bit......... not sure what they are assigned to Will assume that wlan1 is for home "vlanMain" and wlan2 is for guest (vlanGuest). You have a etherport5 but you dont say what its for?? ether2 is a trunk port g...
by anav
Sun May 17, 2020 3:16 pm
Forum: Beginner Basics
Topic: Port Forwarding problem with 2 WANs
Replies: 3
Views: 396

Re: Port Forwarding problem with 2 WANs

Yeah, I am no mangle expert, hopefully someone else will chime in.
by anav
Sun May 17, 2020 5:37 am
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

SOMETHING LIKE>>>>>>>>>>>> Should get you started, much simplified. But only attempt this after reading the above linked article. /interface bridge add admin-mac=XXXXXXXXXX auto-mac=no comment=defconf name=\ 1-default-bridge /interface ethernet set [ find default-name=ether1 ] name=ether1-WAN set [ ...
by anav
Sun May 17, 2020 5:04 am
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

The reason is your setup is way more complicated than necessary and you have bridged within bridges and misconfigured vlans etc. In other words, nothing is going to work correctly.
USE ONE BRIDGE ONLY
Follow this reference, and you will be fine!
viewtopic.php?f=13&t=143620
by anav
Sun May 17, 2020 12:18 am
Forum: General
Topic: Double NAT? Bridge? Playstation 4 R-Play App [SOLVED]
Replies: 5
Views: 973

Re: Double NAT? Bridge? Playstation 4 R-Play App [SOLVED]

Ahh okay so you can play the PS4 from your app currently via the LANIP of the PS4 on your network. Do you want to be able to a. use the app while away from home (wifi at coffee shop or friends house) OR b. while at home using the WANIP of your router but from the same subnet as the PS4 ?? I had a look...
by anav
Sat May 16, 2020 9:08 pm
Forum: General
Topic: Need help with understanding the Vlan Configuration on Switch
Replies: 4
Views: 1023

Re: Need help with understanding the Vlan Configuration on Switch

That does not explain the switch chip methods unfortunately. From other threads If you do require hardware switching https://wiki.mikrotik.com/wiki/Manual:S ... p_Examples - note that the 8327 switch chip for ether1-5 and 8227 for ether6-10 are different, the 8227 ports require vlan-header setting a...
by anav
Sat May 16, 2020 9:07 pm
Forum: General
Topic: Network
Replies: 4
Views: 772

Re: Network

Draw a diagram as your communication skills are very poor.
by anav
Sat May 16, 2020 9:04 pm
Forum: General
Topic: Double NAT? Bridge? Playstation 4 R-Play App [SOLVED]
Replies: 5
Views: 973

Re: Double NAT? Bridge? Playstation 4 R-Play App [SOLVED]

Post config /export hide-sensitive file=anynameyouwish So the use case is app on iphone, via wireless to ??, wifi connected to router (how?), router connected to modem (is it in bridge mode?) (or is it acting like a modem/router?) What is your ISP dual wan setup? Two physical lines from two differen...
by anav
Sat May 16, 2020 8:55 pm
Forum: Beginner Basics
Topic: Dst & Src NAT - WEAK?
Replies: 0
Views: 305

Dst & Src NAT - WEAK?

Is it just me or does anyone else find this new write up not much better than the wiki on the topic or in fact worse?

https://help.mikrotik.com/docs/pages/vi ... Id=3211299
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT
by anav
Sat May 16, 2020 8:46 pm
Forum: General
Topic: No internet via non-main routing tables if missing default route on main [SOLVED]
Replies: 21
Views: 2232

Re: No internet via non-main routing tables if missing default route on main [SOLVED]

Interesting DM, that the comments about the video do call into question some of the ideas proposed. The moral of the story is trust the folks here that have much practical experience with many different setups. Trusting a single Youtube video as the defacto source of true information is a fools game...
by anav
Sat May 16, 2020 7:54 pm
Forum: Beginner Basics
Topic: Port Forwarding not sending response
Replies: 11
Views: 1556

Re: Port Forwarding not sending response

Perhaps there is something funky happening at the DVR (server)?? Try adding the vlan to the interface list=WAN as well....... /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN add interface=pppoe-out1 list=WAN add interface=vlan1 list=...
by anav
Sat May 16, 2020 6:38 pm
Forum: General
Topic: PPTP Can't access LAN devices, only MT through WinBox
Replies: 3
Views: 560

Re: PPTP Can't access LAN devices, only MT through WinBox

Why??
https://www.comparitech.com/blog/vpn-pr ... s-instead/

Use IKEv2,
OR the default Ipsec L2TP available on quickset. Recommended by Doctors and Normis! :-)
by anav
Sat May 16, 2020 6:37 pm
Forum: General
Topic: Need help with understanding the Vlan Configuration on Switch
Replies: 4
Views: 1023

Re: Need help with understanding the Vlan Configuration on Switch

Very good question Sir, I am in the same boat. Comfortable enough with bridge vlan filtering but leery of switch chip based filtering.

I wish there was a reference of this quality for that
viewtopic.php?t=143620
by anav
Sat May 16, 2020 6:24 pm
Forum: Beginner Basics
Topic: Access a device Mikrotik
Replies: 4
Views: 934

Re: Access a device Mikrotik

IF you mean access your MT router over the internet by mac address, not sure if possible and even if it was, no one here would recommend it from a security standpoint. However, vpn is an excellent way to access your router remotely. I do it using the MT IOS app. Setup: Step1 is create certificates a...
by anav
Sat May 16, 2020 6:19 pm
Forum: Beginner Basics
Topic: Port Forwarding not sending response
Replies: 11
Views: 1556

Re: Port Forwarding not sending response

Hi Tommy, No worries, as I stated depends on isp connection, since you have a dynamic the following applies. There are two methods one can use........... the alternate uses the IP cloud and your dydns name that MT gives thru the cloud. Regardless of which option you choose (or if isp is static or dy...
by anav
Sat May 16, 2020 2:54 pm
Forum: Beginner Basics
Topic: Connectivity issues between Router and AP
Replies: 5
Views: 762

Re: Connectivity issues between Router and AP

Okay my points, in summary your config is all over the map and needs to be simplified and cleaned up greatly. 1. Recommend you follow this reference to setup your vlans and wifi router. https://forum.mikrotik.com/viewtopic.php?f=13&t=143620 2. Use a separate vlan for the main network 192.168.1.1 jus...
by anav
Sat May 16, 2020 2:44 pm
Forum: Beginner Basics
Topic: RB2011UiAS-IN VLANs on second switch bank
Replies: 10
Views: 1429

Re: RB2011UiAS-IN VLANs on second switch bank

The best reference for vlan bridge filtering is
viewtopic.php?f=13&t=143620
by anav
Sat May 16, 2020 4:33 am
Forum: Wireless Networking
Topic: Mikrotik AC Access Point cap ac
Replies: 36
Views: 4180

Re: Mikrotik AC Access Point cap ac

Concur, most people get it wrong, this is not plugNplay you have to set it up properly.
by anav
Sat May 16, 2020 3:10 am
Forum: General
Topic: Network
Replies: 4
Views: 772

Re: Network

Please use google translate and add more information so we can understand.
Also provide your config

/export hide-sensitive file=anynameyouwish
by anav
Sat May 16, 2020 3:07 am
Forum: Beginner Basics
Topic: RB2011UiAS-IN VLANs on second switch bank
Replies: 10
Views: 1429

Re: RB2011UiAS-IN VLANs on second switch bank

All you need to do is on the RB2011 is create a bridge, Add the vlan interfaces to the bridge Setup the bridge ports and the vlan bridge interfaces (to reflect access ports) enable vlan filtering Note: No need for DHCP on the RB2011 All you need is one trunk port assigned coming from the hex (also p...
by anav
Sat May 16, 2020 3:02 am
Forum: Beginner Basics
Topic: Port Forwarding not sending response
Replies: 11
Views: 1556

Re: Port Forwarding not sending response

As for the config. 1. Your internet setup is confusing. Does it come on from the ISP on vlan385 via PPPOE? You seem to be missing the definition for this on /interface internet where is ether1? /interface internet ??????????? Instead you have these two settings visible. /interface vlan add interface=...
by anav
Sat May 16, 2020 2:43 am
Forum: Beginner Basics
Topic: Port Forwarding not sending response
Replies: 11
Views: 1556

Re: Port Forwarding not sending response

Yes, if you are attempting to reach your server from an external connection such as LTE on your iphone it should work. If you attempt to reach your server via its LANIP from the same subnet it should work If you attempt to reach your server from the same subnet but using the public IP of your c...
by anav
Fri May 15, 2020 10:18 pm
Forum: Beginner Basics
Topic: Port Forwarding not sending response
Replies: 11
Views: 1556

Re: Port Forwarding not sending response

/export hide-sensitive file=anynameyouwish

Is your ISP connection static or dynamic?
dynamic: need to add in-interface=WAN
static: need to add dst-address=IP of your wan
by anav
Fri May 15, 2020 10:16 pm
Forum: General
Topic: Feature request: rules groups or rules colors in WinBox
Replies: 4
Views: 807

Re: Feature request: rules groups or rules colors in WinBox

The issue is resources. nice to have, highly desirable, essential and assign resources appropriately.
I am sure that if the OP pays for a programmers wages for 6 months, Normis may make an exception LOL
by anav
Fri May 15, 2020 10:01 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

Lots to fix before that Sindy, lets focus on the basics LOL but I am clueless on ipv6 rules LOL so will need help there!
by anav
Fri May 15, 2020 9:56 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

Your configuration needs work........... Ether5 is completely hosed and you're mixing up use of bridges and vlans it looks like. Would it be fair to say is that you are using the default LAN on ethernet 2-4 on the same bridge Then you are using 3 vlans not on any bridge and all going out ether5? I sup...
by anav
Fri May 15, 2020 9:53 pm
Forum: Beginner Basics
Topic: [Swich + router] configuration
Replies: 7
Views: 1027

Re: [Swich + router] configuration

viewtopic.php?f=13&t=143620
Is the best reference to read on the topic and its not that difficult.
There are some gotchas that most trip over but we are here to help.
by anav
Fri May 15, 2020 7:17 pm
Forum: General
Topic: 2 WAN load balancing with recursive routes problem
Replies: 3
Views: 489

Re: 2 WAN load balancing with recursive routes problem

Not qualified to talk mangle or routing but I would simplify those dst nat rules some. /ip firewall nat add action=dst-nat chain=dstnat dst-port=80,443,881 in-interface=eth1_ISP1 \ protocol=tcp to-addresses=192.168.0.254 add action=dst-nat chain=dstnat dst-port=554,8000,8083 in-interface=eth1_ISP1 \...
by anav
Fri May 15, 2020 6:24 pm
Forum: General
Topic: Mikrotik User Log Server Need
Replies: 2
Views: 511

Re: Mikrotik User Log Server Need

Dont know, but also one has to ensure you are writing logs to a disk (and not the memory which could easily get erased).
by anav
Fri May 15, 2020 6:23 pm
Forum: General
Topic: Routing with Guest network
Replies: 2
Views: 401

Re: Routing with Guest network

The first thing I would do is NOT use LAN as a name for a bridge. Its too confusing as there is already an interface called LAN. Change it to lan-bridge and guest-bridge for example. Some of the comments may be due to my ignorance of how the unifi controller or hotspots work, so take it with a grain...
by anav
Fri May 15, 2020 6:09 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

I usually dont comment on snippets as the whole config tells the story /export hide-sensitive file=anynameyouwish So far so good (but without the rest a meaningless statement). The order within a chain is critical and thus to make it read far easier most admins put all the input rules first and then...
by anav
Fri May 15, 2020 5:31 pm
Forum: Beginner Basics
Topic: Admin access via the internet
Replies: 14
Views: 1740

Re: Admin access via the internet

It should work. Mine does.
No way to tell what the issue(s) may be without a full look.
/export hide-sensitive file=anynameyouwish
by anav
Fri May 15, 2020 3:58 pm
Forum: General
Topic: Static DNS best practice with dedicated server
Replies: 7
Views: 979

Re: Static DNS best practice with dedicated server

Great discussion, I tried pihole once but the system slowed down, and complaints from users, since I didnt know what I was doing, caused me to pull the plug on the idea. In other words your discussion as simple as it is, is still not basic enough for me. :-( Flavour based on questions below. What is ...
by anav
Fri May 15, 2020 2:59 pm
Forum: Beginner Basics
Topic: how to start the configuration (newbie)
Replies: 2
Views: 311

Re: how to start the configuration (newbie)

I would start with connecting the primary ISP first by itself. Create the vlans, dhcp etc. Adjust the firewall rules appropriately (minor changes from default). Then post your config here to see how you are doing. /export hide-sensitive file=anynameyouwish Then tackle adding the two other ISPs. Then...
by anav
Fri May 15, 2020 5:17 am
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2625

Re: Need help with firewall rules to prevent VLAN access to LAN

In forward chain, ensure your subnet has access to internet if required ensure your vlans have access to internet if required Then create last rule chain=forward chain action=drop comment="drop all else" Any traffic you didnt setup before this rule will be dropped including chatter between vlans etc...
by anav
Fri May 15, 2020 2:02 am
Forum: Beginner Basics
Topic: Mikrotik router
Replies: 2
Views: 443

Re: Mikrotik router

Well then if its a wifi router then the RB4011 with wifi would be such a beast.
by anav
Thu May 14, 2020 9:51 pm
Forum: Beginner Basics
Topic: [Swich + router] configuration
Replies: 7
Views: 1027

Re: [Swich + router] configuration

All possible with the hapac, although I am pretty sure you could have done all with ONE IP, but there is nothing wrong with a dedicated IP either for a server and probably a better way to go, just more costly. How to set it up correctly is a good question. Did the ISP give you a block of IPs...........
by anav
Thu May 14, 2020 5:02 pm
Forum: General
Topic: dst-nat routing issues
Replies: 3
Views: 432

Re: dst-nat routing issues

hello. I've been wanting to set this up for years now but was never able to. what I want: be able to access a local service using a public domain (eg: myproject.net instead of 192.168.10.xx). the problem: when I do this, I cannot access ANY external services on the same port. (eg: my app runs on po...
by anav
Thu May 14, 2020 2:23 pm
Forum: General
Topic: Dual Wans - Problem with Upload
Replies: 3
Views: 466

Re: Dual Wans - Problem with Upload

/export hide-sensitive file=anynameyouwish
by anav
Thu May 14, 2020 2:22 pm
Forum: Beginner Basics
Topic: Port Forwarding problem with 2 WANs
Replies: 3
Views: 396

Re: Port Forwarding problem with 2 WANs

Not sure off the bat.
Curious as to why you have three masquerade rules but only two WANs?
Also perhaps the mangling is getting in the way?

How do folks access your servers ? dyndns name? Does it switch to the other ISP automatically?
by anav
Thu May 14, 2020 3:23 am
Forum: Beginner Basics
Topic: VLAN for WAN?
Replies: 11
Views: 1364

Re: VLAN for WAN?

@OP:
First question, what speed internet do you have now, and what are your expectations in the near future?
Fixed the requirement question for you! :-)
by anav
Wed May 13, 2020 11:46 pm
Forum: Beginner Basics
Topic: VLAN for WAN?
Replies: 11
Views: 1364

Re: VLAN for WAN?

Hi lema, Not a CRS kinda guy and you may be right that setting up two bridges on the two units may be the best way. Managed switches have two main types of VLANs, by tag-ID (very flexible as a port can carry multiple vlans) or the older portvlan where one port can carry one vlan. So one identifies ...
by anav
Wed May 13, 2020 6:04 pm
Forum: Beginner Basics
Topic: VLAN for WAN?
Replies: 11
Views: 1364

Re: VLAN for WAN?

So in effect what you are doing is reserving SFP port of Switch and ETH1 of switch as a route to pass modem signal to the HAPAC ROUTER on its ether 1. Is the ISP traffic coming in on a VLAN? If so that makes it really easy to keep it on the same vlan to the hapac. If not I would just use basic port ...
by anav
Wed May 13, 2020 5:02 am
Forum: General
Topic: IKEv2 IOS - Cannot Connect [SOLVED]
Replies: 16
Views: 2131

Re: IKEv2 IOS - Cannot Connect [SOLVED]

Keys to success (pun intended). - Need two certs on Iphone: the client cert and the base cert (.ca) but now done separately. - Require subj alter name format for server and client certs - DNS:actual name (and not common name) - also max days allowed is 800 days Path to Success. MIKROTIK (1) Create B...
by anav
Wed May 13, 2020 3:22 am
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 13730

Re: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

For future Iphone users, 3 items have changed. (1) a. Both certs are required (.ca & .client) but they have to be done/installed separately. b. As well as installing the .ca certificate one has to, on the iphone, also enable the cert under Trusted Certificates. (2) Have to use Subj Alternate name an...
by anav
Tue May 12, 2020 10:07 pm
Forum: General
Topic: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]
Replies: 32
Views: 13730

Re: Solved: iOS 13 & macOS Catalina IKEv2 VPN not working anymore [SOLVED]

MT: So its impossible for me to get an entry in issuer no matter what I try. Apple: With IOS 13 one needs to go to Settings General About - trusted certificates to physically enable the certificate there, which is separate from the General - Settings - Profiles, where one installs the certificate. *...
by anav
Tue May 12, 2020 8:30 pm
Forum: Beginner Basics
Topic: Home network setup adive
Replies: 3
Views: 621

Re: Home network setup adive

I would put the second unit hapac2 very close to the tv wifi and the third unit another hapac2 where you have a switch. No need for the first unit connected to the ISP to have wifi from your picture (serves no one). Unless there are devices in between that need dedicated line of sight 5ghz, the abov...
by anav
Tue May 12, 2020 7:20 pm
Forum: General
Topic: How to connect to remote VPN periodically?
Replies: 10
Views: 1517

Re: How to connect to remote VPN periodically?

the hapac2 is newer better specs and faster and one can turn the wifi off if not needed. Overall better value although a pubic hair more expensive....... (for those that are of older ilk and dont shave LOL)
by anav
Tue May 12, 2020 7:15 pm
Forum: Beginner Basics
Topic: Router for getting into RouterOS
Replies: 11
Views: 1759

Re: Router for getting into RouterOS

If You don't need the SFP port, I would get an hAP ac2 instead. Much faster, about the same price and comes with dual band WiFi - that You can disable, if needed. Concur! Also you may wish to consider the TPLink eap245 v3, model as very similar to the Ubiquiti but significantly cheaper. https://www....
by anav
Tue May 12, 2020 6:25 pm
Forum: Beginner Basics
Topic: Linking 2 switches (2 LANs) directly with each other
Replies: 8
Views: 1341

Re: Linking 2 switches (2 LANs) directly with each other

I was thinking the same thing, switches inline vice serial. In that regard traffic within the same vlan doesnt need to hit the router. Traffic from one vlan to a different vlan would have to hit the router via firewall rules I believe. What I am not sure of is if connected in serial that is any diff...
by anav
Tue May 12, 2020 6:22 pm
Forum: Beginner Basics
Topic: Router for getting into RouterOS
Replies: 11
Views: 1759

Re: Router for getting into RouterOS

My issue is the concrete walls, 5ghz may not penetrate two or three walls for example to the furthest location so without a schematic of the layout its impossible to tell. The only reason I bring this up is that if the router location is central and open then it would perhaps be better to get a hapa...