Community discussions

Search found 19931 matches

by anav
Sun May 19, 2024 11:30 pm
Forum: Beginner Basics
Topic: ProtonVPN configuration but only for a handful of IP's
Replies: 4
Views: 261

Re: ProtonVPN configuration but only for a handful of IP's

(1) Okay the issue is in allowed IPs at least for starters. The allowed IPs is to identify REMOTE traffic that is coming in, aka external users visiting your device, or local users visiting REMOTE device (for config, subnets or internet ). It is NOT to identify any local users!!! Since you are going...
by anav
Sun May 19, 2024 11:08 pm
Forum: Beginner Basics
Topic: An issue with web-server access from internet
Replies: 8
Views: 381

Re: An issue with web-server access from internet

Ahh thanks, now your first post makes more sense, jaclaz has a keener sense to suss out configs, I need network diagrams LOL.

What brand is the second router?
by anav
Sun May 19, 2024 11:06 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 15
Views: 752

Re: RB5009 and 2Gb/s internet speed

Thanks Jaclaz The only managed 5 Port 2.5gb is a chinese special. No thanks. There are no 8 Ports managed.... Thus this link supports research done on my own, there are no viable managed 2.5gb 5 port or 8 port, switches yet worth buying. I like netgear especially with lifetime warranties for exampl...
by anav
Sun May 19, 2024 11:06 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 15
Views: 752

Re: RB5009 and 2Gb/s internet speed

Thanks Jack, The only managed 5 Port 2.5gb is a chinese special. No thanks. There are no 8 Ports managed.... Thus this link supports research done on my own, there are no viable managed 2.5gb 5 port or 8 port, switches yet worth buying. I like netgear especially with lifetime warranties for example....
by anav
Sun May 19, 2024 11:01 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

The version of MikroTik does not matter if you are NOT using it to communicate for wireguard. The Windows Server behind the MT suffices just fine. It's all transparent to the MT. As long as the server has access to the WAN side, it should be good to go. More than likely it's windows firewall or thing...
by anav
Sun May 19, 2024 4:39 pm
Forum: Beginner Basics
Topic: An issue with web-server access from internet
Replies: 8
Views: 381

Re: An issue with web-server access from internet

Let me ask in another way, as I don't think you are getting a public IP at all. a. Compare the WANIP you get on the router ( either you have to set this in IP address as provided by ISP, or via IP DHCP client, or PPPOE client, ( what is wan IP) Compare this to b. IP Cloud on the router, enable and se...
by anav
Sun May 19, 2024 4:30 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 15
Views: 752

Re: RB5009 and 2Gb/s internet speed

The help you need costs too much $$$. ;-) The point being is that the OP wants to be able to utilize the full amount of 2.5gb at any of those ports. Sure if there are other users on the same port or different ports, the throughput will be less but the potential exists. Site is horrible for any kind ...
by anav
Sun May 19, 2024 2:16 pm
Forum: Beginner Basics
Topic: ProtonVPN configuration but only for a handful of IP's
Replies: 4
Views: 261

Re: ProtonVPN configuration but only for a handful of IP's

Won't look at it unless you post complete config

/export file=anynameyouwish ( minus router serial number, any public WANIP information or keys etc. )

Use Notepad++ to open and edit and then paste here.
by anav
Sun May 19, 2024 2:13 pm
Forum: Beginner Basics
Topic: GrooveA as Wireguard client
Replies: 5
Views: 460

Re: GrooveA as Wireguard client

1. Where is your IP address for WIreguard?? 2. Allowed IPs are WRONG, you need to better explain the uses for wireguard a.. are you just using it to config groove b. are you using it to connect to LAN of groove c. are you using it to connect to LAN of UDM router d. are you using it to go out interne...
by anav
Sun May 19, 2024 2:08 pm
Forum: Beginner Basics
Topic: GrooveA as Wireguard client
Replies: 5
Views: 460

Re: GrooveA as Wireguard client

/ip pool add name=dhcp ranges=192.168.0.10-192.168.0.254 GrooveGA network is 192.168.1.0/24 UDM network is 192.168.1.1/24 If there's anything missing I'd much appreciate some guidance. Ummm, ?????? First the two networks you have stated are identical,, the UDM network you have listed is actually...
by anav
Sun May 19, 2024 2:02 pm
Forum: Beginner Basics
Topic: An issue with web-server access from internet
Replies: 8
Views: 381

Re: An issue with web-server access from internet

I have two routers/networks: 192.168.0.0 which is taking network from ISP and 192.168.3.0 which is connected to 192.168.0.0 and the web-server that is running on 192.168.3.2. I can reach the web-server from 192.168.0.0 but can't from internet. Tho if I try to connect to my public ip it directs me ...
by anav
Sun May 19, 2024 2:50 am
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1150

Re: VPN - device routing

Hello, THANK YOU SO MUCH. Its working. Last question: is it possible to change the table in the rule thru an ssh command? (from main to thr_WG) Then I can decide when I want to use the internet thru main or wireguard. You will have to explain the request in more detail Which users, Where are they c...
by anav
Sun May 19, 2024 2:46 am
Forum: General
Topic: Why does PCC break "google.com/maps" - or does it for you? [SOLVED]
Replies: 6
Views: 1738

Re: Why does PCC break "google.com/maps" - or does it for you? [SOLVED]

Too complicated for me to analyze then. Someone with greater knowledge will have to provide assistance. I also was unaware that PCC used Nth and not aware that one could split sessions on the MT device. To ensure banking goes smoothly the recommendation for pCC is to use only source addresses vice b...
by anav
Sun May 19, 2024 12:42 am
Forum: General
Topic: Why does PCC break "google.com/maps" - or does it for you? [SOLVED]
Replies: 6
Views: 1738

Re: Why does PCC break "google.com/maps" - or does it for you? [SOLVED]

Suggest you post the entire config, as you probably have multiple errors.
Your mangle rules are all over the map.

Can you also state why you have mangling rules besides the 4 rules for LB?
by anav
Sun May 19, 2024 12:04 am
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1150

Re: VPN - device routing

It depends, what throughput is your ISP, if its 1gig, the HEX is underpowered for that and better to stick with USG. As long as you can forward ports and set manual routes on the USG, it should work !!! I can provide a hex setup AS a router that will work, not as a basic switch though. Your IP addre...
by anav
Sat May 18, 2024 10:46 pm
Forum: Beginner Basics
Topic: Problems With 2 Wan - Wan 2 not ping Wan 1
Replies: 7
Views: 324

Re: Problems With 2 Wan - Wan 2 not ping Wan 1

I asked many specific questions to elicit facts and you replied with very little and nothing new. Try again if you want assistance. I dont care what the problem is, I am trying to understand the requirements...... a first step to understanding the config and how to modify it. ---> what happens when ...
by anav
Sat May 18, 2024 10:35 pm
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1150

Re: VPN - device routing

Okay that was helpful. So basically the HEX is acting as a Switch Type device (not a router) and is assigned an IP of 192.168.2.5 on the FLAN LAN of the USG device. You want the apple TV device to ignore the USG WAN and only go out the HEX wireguard connected to Fritz..... Well thats a problem, its ...
by anav
Sat May 18, 2024 9:09 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 2948

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

You're mixing apples and oranges. THIS IS NOT A WIREGUARD ISSUE!!! Once you set 0.0.0.0/0 on the R2 router, wireguard could care less about destinations, they are all included. It's up to you the admin on how to send folks to wireguard for that domain. I suppose the easiest way is to have vlan and/or W...
by anav
Sat May 18, 2024 7:43 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 2948

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

As I surmised, it's a request born of not knowing how WG works. If your intention was to go out the internet of R1 ( server for handshake peer ) from R2 ( client peer ), then 0.0.0.0/0 for allowed-IP entry is CORRECT and PROPER at R2 !!! Ensuring which devices are your end, R2, enter the tunnel is up...
by anav
Sat May 18, 2024 7:21 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 17
Views: 1551

Re: Port forward from WAN to a host behind Wireguard

Knowingly making connection to the router available to the WWW. Using the default winbox port is icing on the malpractice cake. :-)
/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=\
WAN protocol=tcp src-address-list=Winbox
by anav
Sat May 18, 2024 7:09 pm
Forum: Beginner Basics
Topic: nat via vpn
Replies: 2
Views: 280

Re: nat via vpn

This is a common methodology
Provide the configs for the CHR and the home device so we can see where you went wrong.
by anav
Sat May 18, 2024 7:07 pm
Forum: Beginner Basics
Topic: CRS310-8G+2S+IN - Low speed ISP
Replies: 17
Views: 748

Re: CRS310-8G+2S+IN - Low speed ISP

Concur with tangent, Why would you try and make the CRS3 Model, which is an excellent switch and exactly what you need, into a router??? The RB5009 can accept 2.5 gig from the ISP as it is, and can transfer to the switch using its SFP+ port. When the day comes and your ISP offers 10Gig connection, I...
by anav
Sat May 18, 2024 7:01 pm
Forum: Beginner Basics
Topic: Problems With 2 Wan - Wan 2 not ping Wan 1
Replies: 7
Views: 324

Re: Problems With 2 Wan - Wan 2 not ping Wan 1

Unfortunately you have to be more precise. The router setup is either Primary and Secondary or Load Balancing. MT OS works on the premise of assuming a non-random routing selection. However this does not preclude setting up the WANs and LANs to work as you wish. What is also missing is the fact that...
by anav
Sat May 18, 2024 6:48 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 2948

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

Well thats the rub. If the discussion is about adding client devices, the request makes no sense. If this is about client peers ( and server peer ) being able to add applicable SUBNETS to allowed IPs, and their concomitant IP Routes, then we can have a better discussion. Q , Can MT implement these t...
by anav
Sat May 18, 2024 5:22 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 24
Views: 1683

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

But first, ............... as stated above......
Okay you need to let me know the purpose of each port on the hapax3. To what it leads to, and to what vlan the connected device belongs to.
Remember access between vlans and to their devices is controlled by the firewall rules on the 5009
by anav
Sat May 18, 2024 5:21 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 2948

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

I disagree with your request if I think I understand what you are getting at. Appears to be nonsensical! Each entry for Allowed IPs is specific ( at least on the Server Client ( server for handshake ), to ONE client peer. One does not list all the clients on one line??? Remember each peer also has a...
by anav
Sat May 18, 2024 4:57 pm
Forum: Beginner Basics
Topic: No internet acces after capsman setup CAP AX behind rb5009
Replies: 5
Views: 334

Re: No internet acces after capsman setup CAP AX behind rb5009

So what LOL, the only advantage of capsman is slightly better roaming. I have to ask holve, do you run around your house with the cell phone in your hand, or only when you comment on your spouse's cooking ;-PP
by anav
Sat May 18, 2024 4:56 pm
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1150

Re: VPN - device routing

You failed to answer my questions about the subnet structure etc.. ???
You should provide a network diagram!!
by anav
Sat May 18, 2024 4:51 pm
Forum: Beginner Basics
Topic: Problems With 2 Wan - Wan 2 not ping Wan 1
Replies: 7
Views: 324

Re: Problems With 2 Wan - Wan 2 not ping Wan 1

Your bizarre testing or results do not make the requirement (actual traffic flow required ) clear at all. To help I would need to know a. identify all user(s)/device(s), groups of users devices, external and internal, including the admin b. identify what traffic they need to accomplish. In terms of ...
by anav
Sat May 18, 2024 4:45 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 2948

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

Your request is unclear.............
Where would you use this address list?
by anav
Sat May 18, 2024 4:43 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 15
Views: 752

Re: RB5009 and 2Gb/s internet speed

@Kaldek, DO YOU NOT READ. First: There is no core switch, he has an RB5009 which acts as both Router and Switch for his purposes. Second: The stated need is for FIVE PORTS to have greater than 1gig capacity. Why do you propose a switch costing $999 US, providing 20x2.5 ports and 4 xcomb0 (Spf+/2.5 p...
by anav
Sat May 18, 2024 4:27 pm
Forum: General
Topic: Correct way to add a vlan on egress
Replies: 5
Views: 311

Re: Correct way to add a vlan on egress

If indeed your PC sends out and expects data on vlan4, the setup I gave you works. Also question not answered, which port is WAN port on your device?
by anav
Sat May 18, 2024 4:25 pm
Forum: General
Topic: Route failover testing NOT a gateway
Replies: 4
Views: 317

Re: Route failover testing NOT a gateway

What are you smoking...............
You provide no details and claim the example provided ( which confirms if the www is reachable) doesnt work without any facts.
good luck, not going to waste my time.
by anav
Sat May 18, 2024 3:58 pm
Forum: General
Topic: Correct way to add a vlan on egress
Replies: 5
Views: 311

Re: Correct way to add a vlan on egress

The solution is to add vlan4 to the config add interface=bridge name=vlan4 vlan-id=4 Then give the vlan an IP address add address=192.168.1.1/24 interface=vlan4 network=192.168.1.0 BRIDGE does no dhcp, does not get an IP address etc... etc..... Which port is your WAN port ???? All ports will be unta...
by anav
Sat May 18, 2024 3:13 am
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 24
Views: 1683

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Okay you need to let me know the purpose of each port on the hapax3. To what it leads to, and to what vlan the connected device belongs to.
Remember access between vlans and to their devices is controlled by the firewall rules on the 5009
by anav
Sat May 18, 2024 1:48 am
Forum: Useful user articles
Topic: Advanced Routing Failover without Scripting
Replies: 272
Views: 138920

Re: Advanced Routing Failover without Scripting

I agree that it should work on Vers7, but why bother? Lets think through the logic! What are the chances that one IP address is working and the other NOT working with a single ISP provider (and gateway). Probably checking one WANIP through the same gateway is all that is needed. Now its remotely pos...
by anav
Sat May 18, 2024 1:37 am
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 15
Views: 752

Re: RB5009 and 2Gb/s internet speed

His speed he stated was 2Gig, and thus I assumed he would use his 2.5 gig port to the ISP modem.
However it should be possible to connect his sfp+ port to the ISP modem if thats the only viable option and his 2.5gig port to the switch (any of its 2.5gig ports).
by anav
Sat May 18, 2024 1:24 am
Forum: Beginner Basics
Topic: No internet acces after capsman setup CAP AX behind rb5009
Replies: 5
Views: 334

Re: No internet acces after capsman setup CAP AX behind rb5009

I can help if you dont want the extra Years added on your life and loss of hair by using Capsman.
Setting up the AX without capsman on the AX and the RB5009 is SOoooooooooooooooooooo Simple.
by anav
Sat May 18, 2024 1:21 am
Forum: General
Topic: IKEv2 MIKROTIK <---> SOPHOS
Replies: 1
Views: 188

Re: IKEv2 MIKROTIK <---> SOPHOS

The two resources I found are:

viewtopic.php?p=893536&hilit=sophos+ikev2#p893536
and
https://www.youtube.com/watch?v=ISRrnWPQ9zU

Good luck, I use wireguard and it works well!!
by anav
Sat May 18, 2024 1:16 am
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 15
Views: 752

Re: RB5009 and 2Gb/s internet speed

In your setup I would get one of these switches.
https://mikrotik.com/product/crs310_8g_ ... ifications

SFP+ port from RB5009 to SFP+ port on switch and then use the 2.5gb ports to your five devices.
by anav
Fri May 17, 2024 11:17 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

What? A hex router is like 60$, a windows computer is much more expensive.
Personally, if it was a business and I could deduct expenses or charge the customer, I would go with a $7 a month CHR cloud server and connect all my devices through that.
by anav
Fri May 17, 2024 11:09 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 17
Views: 1551

Re: Port forward from WAN to a host behind Wireguard

To manage 200 routers I would certainly look at something like this to simplify life. https://admiralplatform.com/ Second point is that if you were my IT manager/consultant, I would sue if breached, for malpractice..... :-) Yes when trying to port forward from R1 public IP, through wireguard to Serv...
by anav
Fri May 17, 2024 6:50 pm
Forum: Beginner Basics
Topic: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or change) [SOLVED]
Replies: 8
Views: 4955

Re: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or chang [SOLVED]

Factories are designed to copy brand names and pump out cheapo copies...........
Would never support such companies myself.
by anav
Fri May 17, 2024 6:48 pm
Forum: General
Topic: Weird Wireguard Issue
Replies: 6
Views: 353

Re: Weird Wireguard Issue

What the weird config tells me is that you probably used BTH or quickset or something to setup the wireguard on the MT. If setup manually there is no client nonsense like that on the Allowed IP settings on Server Peer for any other client peer. ITS allowed IPs, Interface NAME, Public key DONE!!
by anav
Fri May 17, 2024 6:44 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

My word, ................. The firmware version on that router is OUTDATED. Suggest you upgrade the firmware to the latest version 7. For example, wireguard is not available on ver6 firmware. Also I see you are not using winbox which is better for most non CLI inclined folks. Just load winbox onto t...
by anav
Fri May 17, 2024 6:38 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 10
Views: 773

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

I have had my router to router wireguard connection stop working.

Simple fix was to send pings across the link every so often. Hasn't dropped in months.
????????????? That is called persistent keep alive ????????
by anav
Fri May 17, 2024 6:37 pm
Forum: General
Topic: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks
Replies: 3
Views: 218

Re: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks

Yes, lets say R1 is the Server client for handshake ( for both client peer router and client road warriors). On R1, ensure you add a relay forward chain rule. add chain=forward action=accept in-interface=wireguard-name out-interface=wireguard name. R1 should have allowed IPs as follows add comment=&...
by anav
Fri May 17, 2024 1:25 pm
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 4
Views: 612

Re: wireGuard does not work for me on my mikrotik RB750r2

The WANIP as shown is private not public.
by anav
Fri May 17, 2024 1:22 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

In winbox use the NEW TERMINAL selection on the left hand side. Type in /export file=anynameyouwish Then go to FILES on the left hand side, and open the files, find the file you just created and download it to the PC. Then either copy and paste the file so you have access or open the file and copy t...
by anav
Fri May 17, 2024 12:28 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

If you can pass me the config of that router, then I can adjust it for wireguard........
by anav
Fri May 17, 2024 12:26 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 6907

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

No need to explain to us, we make mistakes all the time, however an apology to MT support is in order.
by anav
Fri May 17, 2024 3:53 am
Forum: General
Topic: Weird Wireguard Issue
Replies: 6
Views: 353

Re: Weird Wireguard Issue

Your wireguard setup is incorrect. It would appear the MIKROTIK is acting as Server Peer for handshake and the roadwarriors/others are acting as Client peer for handshake. To be clear each client must be defined on the MT device. Using 0.0.0.0/0 as a matching criteria for traffic would mean that onl...
by anav
Fri May 17, 2024 2:15 am
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

I meant for settings on the router. I have relatives in Cuenca and Valencia. :-)
by anav
Fri May 17, 2024 2:14 am
Forum: General
Topic: Weird Wireguard Issue
Replies: 6
Views: 353

Re: Weird Wireguard Issue

Without looking at the config, of both router and client peer hard to say.
This was a known issue but got resolved around 7.12 I thought.
Assuming your client peers have keep alive settings ?
by anav
Fri May 17, 2024 2:12 am
Forum: General
Topic: Route failover testing NOT a gateway
Replies: 4
Views: 317

Re: Route failover testing NOT a gateway

Yes recursive routing where you check connectivity to a DNS, aka the www, not just to the ISP. /ip route add distance=1 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12 add distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 ++++++++++++++++++++...
by anav
Thu May 16, 2024 11:24 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

Oh as long as you have winbox access we are good to go then!!
If push comes to shove we could do a live session, via teamviewer etc......
by anav
Thu May 16, 2024 11:12 pm
Forum: Beginner Basics
Topic: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or change) [SOLVED]
Replies: 8
Views: 4955

Re: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or chang [SOLVED]

Well, you did scrape the bottom of the switch market to find that copy of somebody else's technology LOL. Okay so change back the management vlan on RB5009 back to vlan99. Going on trunk port to Smart Managed switch from router (Sfp +1) will be vlan99,10,20,60 Will assume on trunk port on smart swi...
by anav
Thu May 16, 2024 10:54 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 6907

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

Well, and all that nasty drivel aimed at MT support. What a clown. Although it smelled off from the get go LOL
by anav
Thu May 16, 2024 10:50 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

To be clear you simply need one PC to talk to the other PC?? Without access to the MT config, not much more we can do at this point for any VPN. Suggest you pick up a cheap MT device like HeX router and attach it to the ISP MT router and then we you can forward the MT port to the hex router and we ...
by anav
Thu May 16, 2024 9:47 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 6907

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

Turns out was an MTU config issue, Not an MT support problem, not a bug etc......
by anav
Thu May 16, 2024 9:46 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1398

Re: Winbox IKEv2 strange issue

Glad you got it resolved.
by anav
Thu May 16, 2024 9:31 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

It should be clear that its best to configure the WG on the Router first and copy the public key it provides so you can easily paste it into the windows install and vice versa copy the windows public key to install in the Mikrotik setup.
by anav
Thu May 16, 2024 9:24 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

Really, where did you get the install from? If you can configure a Mikrotik Device, getting a wireguard tunnel setup on windows is a piece of cake. Step1: Download window installer from wireguard website. Step2: At the popup window Select the arrow next to add Add Tunnel at the bottom. SELECT: Add E...
by anav
Thu May 16, 2024 7:31 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

Fear not, provide the config on the MT router or device ( assuming it has a public IP or can be forwarded a port from an upstream router and will have you up and running in no time.)
by anav
Thu May 16, 2024 7:30 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1398

Re: Winbox IKEv2 strange issue

Too funny!!
by anav
Thu May 16, 2024 6:55 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 24
Views: 1683

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

No problem his videos are decent no doubt, but he misses the point and that is a separate connection to the router config, not associated with the bridge vlan filtering as that tends to be where ppl screw up most and lock themselves out of the router. Thus accessing the bridge from a port on the dev...
by anav
Thu May 16, 2024 6:53 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1398

Re: Winbox IKEv2 strange issue

Yes I am allergic to many things but mostly IPV6, capsman and IKEv2, although I did get it working from my iphone to MT router once.
by anav
Thu May 16, 2024 6:51 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

Hi there, OPENVPN or OVPN etc has never been fully supported on MT devices. Wireguard is pretty easy but there is a catch, you need at least one of your MT devices to have a public IP address or have an upstream router (yours or ISP) that can forward a port to the MT device. If neither is possible, ...
by anav
Thu May 16, 2024 6:34 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1398

Re: Winbox IKEv2 strange issue

I can help you get a working Wireguard tunnel between your two MT devices, but this requires at least one of the devices has a public IP, or is connected to an upstream router (yours or ISP) that can forward a wireguard port to your device. Please advise.
by anav
Thu May 16, 2024 4:23 pm
Forum: Beginner Basics
Topic: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or change) [SOLVED]
Replies: 8
Views: 4955

Re: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or chang [SOLVED]

When you decide to go back to the sane approach of configuring the router, assistance is possible.
In other words, what needs to be done is setup your managed switch properly.
It should be easy to set it up as required, what is the make and model please.
by anav
Thu May 16, 2024 3:53 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 893

Re: Port forwarding for VPN?

Sounds like a waste of time, try using wireguard.
by anav
Thu May 16, 2024 3:52 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 10
Views: 773

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

Not enough information.
no config,
no network diagram
no understanding of what is at the two ends of the wireguard connection
etc
etc
by anav
Thu May 16, 2024 3:50 pm
Forum: General
Topic: 2 wan load balancing to make a speed double please 🙏
Replies: 2
Views: 246

Re: 2 wan load balancing to make a speed double please 🙏

No, do your own work or at least make an effort based on available mt documents, forum threads, you tube videos........... and you cannot double speed, you can provide more bandwidth for users, but a single session will only get the max throughput of ONE ISP. Two WANs is for making more bandwidth avai...
by anav
Thu May 16, 2024 3:40 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 6907

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

So you're not complaining about a bug, or issue with the router?
You need assistance to configure the router.?.............--> Perhaps take some courses maybe.
https://www.youtube.com/@MAICT
by anav
Wed May 15, 2024 9:39 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 24
Views: 1683

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Which vlan(s) are the other devices connected to on the hapax3?? There is no such thing as local devices as the hapax3 is not acting as a router. Also why do you need a management access port, physical port, on vlan10 on the device itself? For the reason its on the management vlan you can reach it fr...
by anav
Wed May 15, 2024 9:29 pm
Forum: General
Topic: Confusing routing behavior CCR1009-7G-1C-1S+ [SOLVED]
Replies: 5
Views: 5922

Re: Confusing routing behavior CCR1009-7G-1C-1S+ [SOLVED]

No actually your configuration is hosed...... So for some reason the subnet 192.168.0.0/23 is blocked from reaching the printer at 172.16.10.93. The first thing I would do is get rid of vlan1 for any data traffic. VLAN1 is used in the background by the router already and should NOT be used to someh...
by anav
Wed May 15, 2024 8:20 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 24
Views: 1683

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Okay a bit confused, why do you have a LAN on this ax3? There should be no address associated with the bridge. Other than vlans ( for management of router and potentially also associated with a trusted WIFI LAN) vlans for data ( trusted or non-trusted - each associated with its own SSID and WIFI LAN...
by anav
Wed May 15, 2024 7:43 pm
Forum: General
Topic: Confusing routing behavior CCR1009-7G-1C-1S+ [SOLVED]
Replies: 5
Views: 5922

Re: Confusing routing behavior CCR1009-7G-1C-1S+ [SOLVED]

I wouldnt even begin to assess the config without a much clearer set of requirements and a detailed network diagram

a. identify all the user(s)/device(s), groups of users/devices ( including admin )
b. identify all the traffic they need to execute.
by anav
Wed May 15, 2024 6:59 pm
Forum: Beginner Basics
Topic: WireGuard Site-to-Site over WiFi
Replies: 1
Views: 240

Re: WireGuard Site-to-Site over WiFi

Yes, assuming one of the Routers has a publicly reachable IP, or one has an upstream ISP router that can forward the chosen wireguard port you are in business!! Assuming R1 is the Server for handshake (has public IP). Then basically you have to consider a. select a wireguard port ( I never choose de...
by anav
Wed May 15, 2024 6:45 pm
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6072

Re: Port forwarding over site-to-site wireguard [SOLVED]

The learning is the important part, copying blindly, never leads to success down the line, although it feels good to see traffic flowing. :-)
by anav
Wed May 15, 2024 5:54 pm
Forum: General
Topic: Feature request : Multipath TCP (MPTCP) support
Replies: 10
Views: 8859

Re: Feature request : Multipath TCP (MPTCP) support

On the subject of the periodic table element, "UNOBTANIUM",
I would like to make the request to add...... drumroll please...............

" DPI of encrypted packets "
by anav
Wed May 15, 2024 4:24 pm
Forum: Wireless Networking
Topic: One SSID and multiple VLANs with hardware acceleration
Replies: 13
Views: 4714

Re: One SSID and multiple VLANs with hardware acceleration

I would tackle this with radius server, userman, or hotspot etc. and have different SSIDs per vlan. Keep it simple. No manual work involved.
by anav
Wed May 15, 2024 3:48 pm
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6072

Re: Port forwarding over site-to-site wireguard [SOLVED]

You may think that but Mikrotik is often forgiving and will allow traffic to flow until it does not and you trip over some errors in the config. By the way your naming convention for Wireguard was very confusing. You called the wireguard interface on the public IP router wg-lte and you called the wi...
by anav
Wed May 15, 2024 3:10 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 21
Views: 1569

Re: BTH BUG Bleeding Into Regular Wireguard.


I am currently using the DNAT rule that Anav came up with and it works, but this is 100% a bug.
If you get the time write it up and send to MT.
by anav
Wed May 15, 2024 3:08 pm
Forum: Beginner Basics
Topic: Forward Odoo Website to WAN2 interface
Replies: 3
Views: 254

Re: Forward Odoo Website to WAN2 interface

Concept of the solution!! Two WAN load balancing scenario. No vlans, no servers on LAN. Single LAN. Only caveat is that users going to a website described by address-list=WebAddress, have to use WAN2. So my solution is simple, ensure WAN2 is primary in main routes. That means all traffic normally wi...
by anav
Wed May 15, 2024 2:05 pm
Forum: General
Topic: Output route selection - Wireguard
Replies: 21
Views: 3889

Re: Output route selection - Wireguard

There definitely is an issue with Wireguard and two WANS, where one WANTS wireguard to use the secondary WAN. Mangling does NOT work. There are two temp solutions a. Use funky destination nat rule b. Use routing rules if both wans are static WANIPs c. Use routing rules with scripts if WANs are dynam...
by anav
Wed May 15, 2024 3:41 am
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6072

Re: Port forwarding over site-to-site wireguard [SOLVED]

Your allowed IP settings are wrong, but ran out of time to look at this today.
by anav
Wed May 15, 2024 2:46 am
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 24
Views: 1683

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

The problem is putting dumb switches between the router and the ax3. You should only put managed switches, even cheap ones from netgear or tplink work fine for this.
by anav
Tue May 14, 2024 8:03 pm
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6072

Re: Port forwarding over site-to-site wireguard [SOLVED]

Need to see config for BOTH routers.
by anav
Tue May 14, 2024 8:00 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1138

Re: simple port forward not working!!!

Without the current config, unable to comment. :-)
by anav
Tue May 14, 2024 7:42 pm
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6072

Re: Port forwarding over site-to-site wireguard [SOLVED]

One question needs to be answered. Is it important to you that the originating external WANIP is seen at the server at the second router? There are two options a. receive the incoming external requests from WANIPs, sourcenat them to the wireguard IP of the first router, send them to the server at R2...
by anav
Tue May 14, 2024 5:44 pm
Forum: Beginner Basics
Topic: Hairpin NAT [can't figure it out]
Replies: 5
Views: 392

Re: Hairpin NAT [can't figure it out]

(1) The config report by the Router points you to a problem. That problem is you either assign an address to the WAN or your use IP DHCP CLIENT but not both.... Also your configuration for the network setting for IP address is wrong if IP address is the method you choose to stick with! /ip address ....
by anav
Tue May 14, 2024 5:23 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1138

Re: simple port forward not working!!!

Post your final config for review............
by anav
Tue May 14, 2024 4:18 pm
Forum: Beginner Basics
Topic: 2-VPN Server on one Mirkotik with 2 PUblic IP
Replies: 7
Views: 664

Re: 2-VPN Server on one Mirkotik with 2 PUblic IP

Post the config you have so far, minus router serial number, any public WANIP info, keys etc....
by anav
Tue May 14, 2024 4:16 pm
Forum: Beginner Basics
Topic: Why my thread was deleted without any notification?
Replies: 4
Views: 378

Re: Why my thread was deleted without any notification?

Strange indeed I was helping this chap out, and there were several posts made, and I saw no reason to report or remove thread?????
by anav
Tue May 14, 2024 4:14 pm
Forum: Beginner Basics
Topic: Hairpin NAT [can't figure it out]
Replies: 5
Views: 392

Re: Hairpin NAT [can't figure it out]

Post config for review
/export file=anynameyouwish ( minus router serial number, and any public WANIP info )
by anav
Tue May 14, 2024 4:12 pm
Forum: Beginner Basics
Topic: Forward Odoo Website to WAN2 interface
Replies: 3
Views: 254

Re: Forward Odoo Website to WAN2 interface

Post your config and will try again, I have no idea why your previous thread was deleted. I think someone made an error and instead of deleting perhaps one post they deleted the entire thread?
by anav
Tue May 14, 2024 2:02 pm
Forum: General
Topic: New RouterOS Vulnerability?
Replies: 20
Views: 1099

Re: New RouterOS Vulnerability?

If the router has been compromised, assuming NORMIS or others would know?? I mean besides netinstall and using VPN to access config externally, and a. changing admin user to something not default b. changing winbox port to something not default What actions may have to be done on all devices behind ...
by anav
Tue May 14, 2024 1:58 pm
Forum: General
Topic: New RouterOS Vulnerability?
Replies: 20
Views: 1099

Re: New RouterOS Vulnerability?

Besides the described restore plan, you might as well want to consider closing the Winbox port. Using vpn would add an additional layer of security. And disable the admin account, after creating the correct accounts. CONSIDER?, are you mad? Let me rephrase that LOL CONSIDER? You are bongo nutso! Th...
by anav
Tue May 14, 2024 1:54 pm
Forum: General
Topic: New RouterOS Vulnerability?
Replies: 20
Views: 1099

Re: New RouterOS Vulnerability?

Your post is somewhat confusing you are asking for assistance on routers that dont appear to be under your monitoring or config responsibilities...... Why is this your problem??? In any case, without knowing how the configs were setup with some detail, it is not really possible to say much. Yes, net...
by anav
Tue May 14, 2024 1:06 pm
Forum: Beginner Basics
Topic: Hairpin nat & 2 Vlans [SOLVED]
Replies: 8
Views: 6196

Re: Hairpin nat & 2 Vlans [SOLVED]

Block all else means simply - keep default rules mostly, then only add needed traffic and all else is stopped cold. Its clean, clear and efficient. FORWARD CHAIN { default rules to keep } add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-mark=no-mark c...
by anav
Mon May 13, 2024 11:01 pm
Forum: General
Topic: RB4011 gradually stops accepting traffic on LAN Gateway bridge
Replies: 3
Views: 328

Re: RB4011 gradually stops accepting traffic on LAN Gateway bridge

Do you jiggle up and down or back and forth?
by anav
Mon May 13, 2024 10:08 pm
Forum: Beginner Basics
Topic: Can't find a way to connect to my server using wireguard
Replies: 8
Views: 593

Re: Can't find a way to connect to my server using wireguard

@Blancatel ... Dont agree.... More like: SERVER /interface wireguard add listen-port=13231 mtu=1420 name= wireguard-server /interface wireguard peers add allowed-address=100.100.100.2/32,192.168.88.0/24 comment=ROUTER2-CLIENT \ interface=wireguard-server public-key=\ { no keep alive required on ser...
by anav
Mon May 13, 2024 9:59 pm
Forum: General
Topic: CRS309 - Management VLAN access
Replies: 5
Views: 383

Re: CRS309 - Management VLAN access

Okay the APs are hybrid ports, but you cannot have TWO untagged vlans at a hybrid port, ONLY ONE can come in untagged.
by anav
Mon May 13, 2024 8:34 pm
Forum: General
Topic: CRS309 - Management VLAN access
Replies: 5
Views: 383

Re: CRS309 - Management VLAN access

Which port are all the vlans, from the main router, coming in on? If not the router, then some other switch but which PORT?? Are you saying the bonded LINK, is where all the vlans are coming from then? The BRIDGE DOES NOT GET AN IP address, we are using VLANS. If you want to be able to reach the con...
by anav
Mon May 13, 2024 5:46 pm
Forum: Beginner Basics
Topic: Forwarding ports
Replies: 20
Views: 1843

Re: Forwarding ports

admin is not an account, just a special user LOL, will look at this later when have time
by anav
Mon May 13, 2024 5:43 pm
Forum: General
Topic: CRS309 - Management VLAN access
Replies: 5
Views: 383

Re: CRS309 - Management VLAN access

A few comments. This should be doable but may take a couple of stabs to get working. (1) Bridge ports are for ports and wlans, ( not vlans ) and what is the role of ether1, you forgot about it in bridge vlans???? /interface bridge port add bridge=bridge comment=defconf interface=ether1 add bridge=b...
by anav
Mon May 13, 2024 5:19 pm
Forum: General
Topic: How to use ping with multiple routing marks in ROS version 7?
Replies: 9
Views: 656

Re: How to use ping with multiple routing marks in ROS version 7?

So the MTs are simply switches ??
by anav
Mon May 13, 2024 5:06 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1138

Re: simple port forward not working!!!

You are missing firewall rules and thus should not be connected to the internet at all. Also when you do introduce rules the config will have to be modified as right now your interface list approach is not quite there. It is not clear also if there is any traffic between vlan1 and vlan2 ( is there a...
by anav
Mon May 13, 2024 4:07 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1138

Re: simple port forward not working!!!

You are far from done my friend LOL. The mangles was just but one concern LOL
by anav
Mon May 13, 2024 3:13 pm
Forum: General
Topic: Wireguard setup
Replies: 2
Views: 264

Re: Wireguard setup

Yes. First fix the Allowed IPs on the MT client (for handshake) device: [Peer] AllowedIPs = 10.0.1.0/24 PublicKey = Endpoint = remote_server_ip:13231 PersistentKeepalive = 25 Now for the ability for the laptop to reach the MT will depend on what is going on at the server? You will need another clie...
by anav
Mon May 13, 2024 1:54 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 24
Views: 1683

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

To recap you have one main router RB5009 doing the firewall rules DHCP and setting up the required vlans. vlan for home traffic vlan for wifi iot traffic vlan for other vlan for other etc..... The two other devices both hapac? set up as AP switches. Post the config of these two if you want them revie...
by anav
Mon May 13, 2024 1:49 pm
Forum: General
Topic: Please bring back 'Make Static' in DHCP Lease menu
Replies: 2
Views: 354

Re: Please bring back 'Make Static' in DHCP Lease menu

If you have a recommendation send it to MT support, they dont monitor all threads.......
by anav
Mon May 13, 2024 1:39 am
Forum: General
Topic: How to configure trunk port on CCR1009?
Replies: 14
Views: 639

Re: How to configure trunk port on CCR1009?

There is no need for WAN ACCESS in your case as the standard LAN interface list comprised of all vlans, adequately covered your needs for firewall rules.
by anav
Sun May 12, 2024 7:10 pm
Forum: Beginner Basics
Topic: RB5009 - how to add the 2.5gbps port to LAN [SOLVED]
Replies: 2
Views: 5939

Re: RB5009 - how to add the 2.5gbps port to LAN [SOLVED]

Ensure its added to the default bridge.
by anav
Sun May 12, 2024 7:09 pm
Forum: General
Topic: Firewall site
Replies: 3
Views: 365

Re: Firewall site

Easily bypassed, cannot be done with a guarantee on an MT router.
by anav
Sun May 12, 2024 7:08 pm
Forum: General
Topic: Multiple default routes in main route table
Replies: 9
Views: 2298

Re: Multiple default routes in main route table

If you ever run into MTU issues with Nord wireguard, then on the MT device, Try this first add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=Wireguard-Name passthrough=yes protocol=tcp tcp-flags=syn IF no joy an alterna...
by anav
Sun May 12, 2024 7:01 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 21
Views: 1569

Re: BTH BUG Bleeding Into Regular Wireguard.

I am currently using the DNAT rule that Anav came up with and it works, but this is 100% a bug.
Actually was Sindy that came up with that rule LOL, I cant nat myself out of a paper bag. But concur and I think BTH has something to do with it........ but maybe its existed all this time??
by anav
Sun May 12, 2024 6:57 pm
Forum: General
Topic: Routing between VLANs stopped working after PCC load balancing. [SOLVED]
Replies: 14
Views: 10467

Re: Routing between VLANs stopped working after PCC load balancing. [SOLVED]

Good to know, thanks for the feedback. However you are not quite right YOU DO NEED THAT RULE TO ensure any local traffic CAN reach other subnets prior to mangling for load balancing etc. AKA The POSSIBILITY is created. What is ALLOWED to happen is determined by your firewall rules. So, Then you use ...
by anav
Sun May 12, 2024 6:13 pm
Forum: General
Topic: How to configure trunk port on CCR1009?
Replies: 14
Views: 639

Re: How to configure trunk port on CCR1009?

I have a ccr1009 tile, device as my main router with a gazillion vlan. Will have a quick look at the config. (1) First comment never use a name for any interface which already has connotations on the MT device, let alone the exact nomenclature, bad bad........ thus MODIFY /interface vlan add interfa...
by anav
Sun May 12, 2024 6:07 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 21
Views: 1569

Re: BTH BUG Bleeding Into Regular Wireguard.

I have the same problem with the exact same scenario with two WANs and WG on the non-primary WAN. Well, you're better off using use routing rules, not mangle. While mangle should work here to be consistent with RouterOS... but WG seems to overly follow what Linux kernel does, not Mikrotik's packet ...
by anav
Sun May 12, 2024 6:05 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1138

Re: simple port forward not working!!!

Please do not explain requirements in terms of a VPN or a vlan, always express requirements in terms of needed traffic flow by users. So. a. you want users on VLANX to only use WAN1 b. you want users on VLANY to only use WAN2 Q. Are there any other vlans and what should they use?? c. What happens to ...
by anav
Sat May 11, 2024 10:17 pm
Forum: General
Topic: Wireguard Site to Site VPN
Replies: 4
Views: 368

Re: Wireguard Site to Site VPN

Very doable. TO FIX ON CLIENT: No preshared key!! /interface wireguard peers add allowed-address=192.168.0.0/24,10.10.0.0/24 endpoint-address=\ 62.XX endpoint-port=13231 interface=wireguard1 \ persistent-keepalive=10s " public-key=\ "3=" Address all wrong for wireguard. /ip address ad...
by anav
Sat May 11, 2024 10:14 pm
Forum: General
Topic: Routing between VLANs stopped working after PCC load balancing. [SOLVED]
Replies: 14
Views: 10467

Re: Routing between VLANs stopped working after PCC load balancing. [SOLVED]

Similarly could you have not used that firewall address list as a first rule in the mangle chain /ip firewall mangle add action=accept chain=prerouting in-interface-list=LAN dst-address-list=connected-subnets Which says let any traffic between vlans be executed before any mangling! THEN the mangle ...
by anav
Sat May 11, 2024 10:09 pm
Forum: General
Topic: How to configure trunk port on CCR1009?
Replies: 14
Views: 639

Re: How to configure trunk port on CCR1009?

No single bridge is correct and as mkx stated, without facts we cannot help.
by anav
Sat May 11, 2024 7:51 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

Well that makes no sense, so weird, sorry dont understand your ip route setup at all.
But if its working, then its better than I can provide.
by anav
Sat May 11, 2024 7:46 pm
Forum: Beginner Basics
Topic: Isolate a public server host from LAN
Replies: 4
Views: 585

Re: Isolate a public server host from LAN

No need for second bridge. Keep ether5 separate from bridge is fine. Firewall rules determine the rest. /interface list add name=WAN add name=LAN /interface list members add interface=ether1 list=WAN add interface=bridge list=LAN add interface=ether5 list=LAN /ip firewall filter add action=accept ch...
by anav
Sat May 11, 2024 6:10 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 24
Views: 1683

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Why do you need the hap to act as router?? All you need is for it to provide wifi locally and perhaps some of its port as local ethernet connections to another switch in the area or to other devices. The way to do this is to send to the haps, all the vlans required that it will handle ( vlanX for wl...
by anav
Sat May 11, 2024 6:06 pm
Forum: Beginner Basics
Topic: Forwarding ports
Replies: 20
Views: 1843

Re: Forwarding ports

I look at a lot of configs so at this point before I relook at the config above, let me know the requirements a. identify all the user(s)/device(s) / groups of users and devices including admin, including internal and external users b. identify what traffic they need. Number and type of WAN connecti...
by anav
Sat May 11, 2024 5:50 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

Okay after reading that you didnt have routes, and needed to add two, I figured out what was wrong You need to go back to IP DHCP client. on DHCP tab select default route=YES on Advanced tab put in default route of 255 The script remains the same in the advanced tab. With that it will work and you c...
by anav
Sat May 11, 2024 5:45 pm
Forum: Beginner Basics
Topic: 2-VPN Server on one Mirkotik with 2 PUblic IP
Replies: 7
Views: 664

Re: 2-VPN Server on one Mirkotik with 2 PUblic IP

Post what you have configured so far.
You will need two wireguard interfaces
Which WAN is primary etc............
by anav
Sat May 11, 2024 5:40 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 17
Views: 1551

Re: Port forward from WAN to a host behind Wireguard

M1 FIRST OBSERVATIONS. 1. Unsafe Rule in INput chain. Understand you have it narrowed down but WANIPs can be spoofed. The basic rule of thumb is ONLY configure the router from behind the router. So either from a LAN device or from within the router once connected via VPN, like wireguard. /ip firewa...
by anav
Sat May 11, 2024 4:34 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 21
Views: 1569

Re: BTH BUG Bleeding Into Regular Wireguard.

So the two solutions appear to be dst-nat rule noted above........
or using routing rules as per Rplant.

Until such time MT sorts out this mess. :-(
by anav
Sat May 11, 2024 4:21 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

Well not sure I can help further, the fact that the network was not as you were indicating tells me there is probably more at play here and thus its probably too difficult.
by anav
Sat May 11, 2024 4:19 pm
Forum: General
Topic: double connections with mangle rules and drop filter rules
Replies: 3
Views: 300

Re: double connections with mangle rules and drop filter rules

I mainly use and recommend wireguard for monitoring, and I used to use SSTP as backup ( no need for certificate between two MT devices ) but recently moved to a more secure IP-IP with ipsec secret as a backup method. By the way the nice thing about a wireguard connection on WAN1. If WAN1 fails, the ...
by anav
Sat May 11, 2024 4:14 pm
Forum: General
Topic: Is there official way to ask for Feature? (ND-proxy RFC 4389)
Replies: 2
Views: 280

Re: Is there official way to ask for Feature? (ND-proxy RFC 4389)

YES, if you sign a contract with Mikrotik for probably $500,000 Euros worth of product, to ensure the functionality is in the next release, it may very well happen.
The higher you go the more likely the chances. :-)
by anav
Sat May 11, 2024 4:12 pm
Forum: General
Topic: Wireguard Site to Site VPN
Replies: 4
Views: 368

Re: Wireguard Site to Site VPN

Your requirements are not clearly stated enough to proceed. Assuming you are the admin a. local admin on Main router b. want to be able to remote config Main router ( laptop somewhere else) c. want to be able to config second router from main router d. want to be able to config second router remotel...
by anav
Sat May 11, 2024 4:05 pm
Forum: General
Topic: Dropping forward chain new - ppppoe connections
Replies: 2
Views: 304

Re: Dropping forward chain new - ppppoe connections

Besides that your firewall rules are a bit silly. A. There is no need for the rule in PURPLE B. It is made even sillier by the rule in Orange. C. Blocking ping from the WAN side is actually not useful and can get in the way of troubleshooting. /ip firewall filter add action=accept chain=input connec...
by anav
Fri May 10, 2024 6:56 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 17
Views: 1551

Re: Port forward from WAN to a host behind Wireguard

Yes, both routers please.
by anav
Fri May 10, 2024 6:45 pm
Forum: Beginner Basics
Topic: Can't find a way to connect to my server using wireguard
Replies: 8
Views: 593

Re: Can't find a way to connect to my server using wireguard

Do you have a public IPV4 address, or do you have an upstream ISP router with public IP address that can forward ports to your device?
by anav
Fri May 10, 2024 6:44 pm
Forum: Beginner Basics
Topic: Newbie on VPN and wireguard
Replies: 3
Views: 320

Re: Newbie on VPN and wireguard

What router/OS are you using.
Do you have a public IPV4 WANIP address, or if you have an upstream ISP router, does it get a public IP and can it forward ports to your device?
by anav
Fri May 10, 2024 6:27 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1138

Re: simple port forward not working!!!

Try to add a network diagram as your explanation was confusing.
Also you do not connect wireguard between vlans on a router, you use firewall rules in the forward chain to manage connectivity between local subnets.
by anav
Fri May 10, 2024 6:26 pm
Forum: General
Topic: How to use ping with multiple routing marks in ROS version 7?
Replies: 9
Views: 656

Re: How to use ping with multiple routing marks in ROS version 7?

Austria, wins the olympics for guessing........

Without knowing what you are trying to accomplish with your traffic, its not feasible to answer.
What traffic are you trying to support.
mangles, routing routes, vpns in the mix ????

How many WANs, what does IP routes look like etc...
by anav
Fri May 10, 2024 4:06 am
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 24
Views: 1683

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Just one of them. One would be the main router, the other would solely be an AP switch.
by anav
Thu May 09, 2024 10:45 pm
Forum: Forwarding Protocols
Topic: routing all trafic passthrough wireguard via wifi station
Replies: 5
Views: 519

Re: routing all trafic passthrough wireguard via wifi station

Still not enough detail, Please detail the relationship between every device in your diagram. Right now it looks like the laptop is directly connected to GWY1, which is directly connected to GWY2 Which is directly connected to the MANTBOX, which is directly connected to a wifi AP router which is dire...
by anav
Thu May 09, 2024 10:39 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 17
Views: 1551

Re: Port forward from WAN to a host behind Wireguard

I would need to see complete config, MT os does not work in isolation.

/export file=anynameyouwish ( minus router serial number, any public IP information, keys etc.)
by anav
Thu May 09, 2024 8:41 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

Remove this rule.....
add action=reject chain=input in-interface-list=LAN log=yes log-prefix=\
rej_LAN reject-with=icmp-admin-prohibited


When you fixed the above items in the two posts and still cannot connect, then I will have someone else review the mangles as they look correct to me.
by anav
Thu May 09, 2024 8:39 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

Of course they cannot, The Entries dont match....... In fact having a symbol before a quote mark is probably really bad........... add add-default-route=no comment=WAN1-ISP interface=ether1-WAN1 script="if (\$\ bound=1) do={\r\ \n:local gw \$\"gateway-address\"\r\ \n/ip route set [ fin...
by anav
Thu May 09, 2024 8:20 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 17
Views: 1551

Re: Port forward from WAN to a host behind Wireguard

Well there are two approaches and the one you wish will predicate the config option to go with. Question: do you want to know who the external IPs are at the M2 server ( identify them ) NO --> then source-nat all the traffic going into the wireguard tunnel at M1 --> advantage mangling not required you s...
by anav
Thu May 09, 2024 8:10 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

Probably firewall rules on your MT router dont allow it.
by anav
Thu May 09, 2024 3:21 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

What is expected, and what is actually being observed??
by anav
Thu May 09, 2024 3:17 pm
Forum: General
Topic: Router unreachable after adding a routing mark "main"
Replies: 5
Views: 677

Re: Router unreachable after adding a routing mark "main"

@pe1chl Do you mean something like this at the start of mangle rules. /ip firewall mangle add action=accept chain=prerouting in-interface-list=LAN dst-address-list=MyWANS add action=accept chain=prerouting in-interface-list=LAN dst-address-type=local Where the first rule accepts traffic from any LAN...
by anav
Thu May 09, 2024 1:32 am
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

Ahh didnt realize that they were set to yes. That is better. Good catch.
by anav
Wed May 08, 2024 9:22 pm
Forum: General
Topic: WAN connection from second mikrotik router? [SOLVED]
Replies: 10
Views: 4150

Re: WAN connection from second mikrotik router? [SOLVED]

Regardless, whether the cgnat lands on the ax3 or the RB5009 you cannot use it for port forwarding, its not a public IP that is reachable.
The only thing you can do is port forward on the WAN1 which is public on the Ax3, from there you can point to the RB5009 and an available server.........
by anav
Wed May 08, 2024 8:24 pm
Forum: Beginner Basics
Topic: Setup wireguard
Replies: 8
Views: 528

Re: Setup wireguard

Profile addition removed...
by anav
Wed May 08, 2024 8:24 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

I understand sorry, time delay to get questions answered. I will try to be patient :-)
by anav
Wed May 08, 2024 8:18 pm
Forum: Beginner Basics
Topic: Wireguard setup Roadwarrior [SOLVED]
Replies: 14
Views: 4528

Re: Wireguard setup Roadwarrior [SOLVED]

No thanks, dont want to see that ugly looking set of firewall rules again. ;-)
Glad you got it sorted!
by anav
Wed May 08, 2024 8:10 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

Correct, The only difference without LBing would be the mangling for LBing. Remember the routes we created were also to ensure some users went out wan1 and some out wan2 along with establishing orderly main table routes. Without loadbalancing we would still need all six routes. I would have routing ...
by anav
Wed May 08, 2024 8:03 pm
Forum: General
Topic: Wireguard peer being unable to ping/connect to an address inside bridge1.
Replies: 1
Views: 230

Re: Wireguard peer being unable to ping/connect to an address inside bridge1.

Purpose of Wireguard, remote connection when away from home/business to access Router LAN, to access Router CONFIG, to go out Router internet?????
by anav
Wed May 08, 2024 8:01 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

Well you need to confirm something.
What is the wireguard IP address of the fritz --> ??
What is the subnet on the fritz trying to reach from MT -->??
by anav
Wed May 08, 2024 8:00 pm
Forum: General
Topic: WAN connection from second mikrotik router? [SOLVED]
Replies: 10
Views: 4150

Re: WAN connection from second mikrotik router? [SOLVED]

One could always terminate both on the Ax3 and then send a single LAN only to the 5009 and that becomes WAN for the 5009 with a fixed private IP.
The desired WAN is only used by that LAN.
Advantages Disadvantages?
by anav
Wed May 08, 2024 5:52 pm
Forum: Forwarding Protocols
Topic: routing all trafic passthrough wireguard via wifi station
Replies: 5
Views: 519

Re: routing all trafic passthrough wireguard via wifi station

Okay lets break this down so it makes sense. You want to establish a wireguard connection from your LAPTOP to the MT MANTBOX. Does the mantbox have a public IP address associated with it, or is it connected to an ISP Router with a public IP and you can forward ports to the MANTBOX?? Then you want to...
by anav
Wed May 08, 2024 5:47 pm
Forum: Wireless Networking
Topic: Wifi 6 mesh
Replies: 7
Views: 599

Re: Wifi 6 mesh

@erlindend! Mesh is not a marketing gimmick LOL, it's a system where only one WIFI device is wired to the router or ISP modem/router and the rest of them connect to each other over wifi.
by anav
Wed May 08, 2024 5:46 pm
Forum: Wireless Networking
Topic: Very bad wifi performance in new HAP ax3
Replies: 22
Views: 1743

Re: Very bad wifi performance in new HAP ax3

normis, you have a special Iphone LOL. I have the ax3 and dont get 800 but will go recheck now that you have made me curious.
by anav
Wed May 08, 2024 5:42 pm
Forum: Beginner Basics
Topic: Setup wireguard
Replies: 8
Views: 528

Re: Setup wireguard

See my profile
by anav
Wed May 08, 2024 5:32 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

I could have gotten cute and used the fact that we made WAN1 primary ( as then vlan30 users would automatically go there ). However I chose simply to create the two WANS as is and use mangling to ensure connectivity as required. Dont be caught up on the fact that one wan is primary and another secon...
by anav
Wed May 08, 2024 5:18 pm
Forum: Beginner Basics
Topic: Setup wireguard
Replies: 8
Views: 528

Re: Setup wireguard

Meanwhile while you provide the answers, here is a guide for four routers with two of them being publicly reachable.
viewtopic.php?p=1062502&hilit=Four+rout ... d#p1062502
by anav
Wed May 08, 2024 5:12 pm
Forum: Beginner Basics
Topic: Setup wireguard
Replies: 8
Views: 528

Re: Setup wireguard

The question was simple WHICH ROUTER, has a reachable public IP. So far, you are batting zero. The reason I ask is the routers with public IP can be used as the Server for handshake in the wireguard network to be created. Since you have four routers at play, I would advise Primary (with public IP) and th...
by anav
Wed May 08, 2024 5:08 pm
Forum: Beginner Basics
Topic: How to block IP range when NATed?
Replies: 11
Views: 603

Re: How to block IP range when NATed?

The approach is problematic ( more interested in blocking traffic vice focusing on needed traffic and simply dropping all else ). Your attempt to run RDP for clients is going to cause issues. First and foremost RDP is an old protocol not considered secure. It's been replaced by citrix type functionalit...
by anav
Wed May 08, 2024 5:01 pm
Forum: General
Topic: [Help] VLAN Routing to VPN, with Local connections - Unusable performance when routing out Wireguard Interface
Replies: 7
Views: 778

Re: [Help] VLAN Routing to VPN, with Local connections - Unusable performance when routing out Wireguard Interface

Better to understand all the requirements BEFORE working on the config. As an overall approach is needed as many parts of the config are related.
Post your latest config for review.
by anav
Wed May 08, 2024 4:59 pm
Forum: General
Topic: WAN connection from second mikrotik router? [SOLVED]
Replies: 10
Views: 4150

Re: WAN connection from second mikrotik router? [SOLVED]

Very weird, so from one ISP, and one cable from ISP modem ( in bridge mode ), you get two public IP addresses. One static and one PPPOE dial dynamic. They both come in on vlan1501. Do they have the same gateway? etc.. So if you were to run both on the AX3, how would you do it. FOR STATIC>> /IP dhcp ...
by anav
Wed May 08, 2024 3:21 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

Well you need to confirm something.
What is the wireguard IP address of the fritz --> ??
What is the subnet on the fritz trying to reach from MT -->??
by anav
Wed May 08, 2024 2:50 pm
Forum: Beginner Basics
Topic: 2-VPN Server on one Mirkotik with 2 PUblic IP
Replies: 7
Views: 664

Re: 2-VPN Server on one Mirkotik with 2 PUblic IP

Are both ends using MT routers? What does your client use?
Remember If WAN1 goes down, your wireguard will automatically switch to WAN2 with a slight delay.
The router will inform the client end that the endpoint address has changed.
by anav
Wed May 08, 2024 2:40 pm
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 4
Views: 612

Re: wireGuard does not work for me on my mikrotik RB750r2

Is this router connected to the internet. If so unplug immediately as you have no firewall protection. You dont know how to setup wireguard but you removed the perfectly good default firewall rules protecting your network ????? You are missing the allowing of handshake rule in the input chain and ma...
by anav
Wed May 08, 2024 2:38 pm
Forum: Beginner Basics
Topic: Wireguard interface on 2 different WAN
Replies: 3
Views: 308

Re: Wireguard interface on 2 different WAN

The question I have is WHY? As a backup? If you have wireguard setup on WAN1, and WAN1 fails and your router moves to using WAN2, your wireguard will also shift to WAN2 after some period of delay. If your purpose is to provide different access for different users, that starts to make a little sense ...
by anav
Wed May 08, 2024 2:34 pm
Forum: Beginner Basics
Topic: Setup wireguard
Replies: 8
Views: 528

Re: Setup wireguard

Which Router(s) have a reachable public IP address, or can forward ports from upstream router.
Don't really care about NORDVPN, has nothing to do with what you're asking.
by anav
Wed May 08, 2024 2:30 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

/ip route
add dst-address=10.3.1.0/24 gateway=wireguard1 routing-table=main
by anav
Wed May 08, 2024 2:28 pm
Forum: General
Topic: Find best way to block many website
Replies: 7
Views: 439

Re: Find best way to block many website

Stated differently, MT devices cannot provide the answers you seek to comply with Govt Regulations.
by anav
Wed May 08, 2024 2:27 pm
Forum: General
Topic: Dynamic interface list woes
Replies: 3
Views: 347

Re: Dynamic interface list woes

Without seeing your config, one is guessing..........rather work on facts......

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Wed May 08, 2024 2:25 pm
Forum: General
Topic: Router unreachable after adding a routing mark "main"
Replies: 5
Views: 677

Re: Router unreachable after adding a routing mark "main"

The difference between V6 and V7 (1) In V7 you need to separately create tables. /routing table add fib name=to-ISP1 add fib name=to-ISP2 (2) Mangle rules do not change, you still need new-routing-mark=to-ISPX (3) Ip Routes change - you do NOT use route-marking in IP route, instead you use routing-t...
by anav
Wed May 08, 2024 2:19 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

What are the subnets on the fritz that the users on your local MT devices need to visit?? They need to be accounted for on both allowed IPs and IP routes. Since you have 0.0.0.0/0 set as allowed IPs, which covers both the case of internet and subnets, you dont really need to adjust allowed IPs. Sinc...
by anav
Wed May 08, 2024 2:12 pm
Forum: General
Topic: WAN connection from second mikrotik router? [SOLVED]
Replies: 10
Views: 4150

Re: WAN connection from second mikrotik router? [SOLVED]

You cannot terminate A single ISP connection in two routers.
That being said, are you saying you get two separate WAN connections from ISP1 ??
by anav
Wed May 08, 2024 1:11 am
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

The IP address is incorrect From: add address=192.168.1.5 interface=wireguard1 network=192.168.1.0 TO: add address=192.168.1.5 /24 interface=wireguard1 network=192.168.1.0 Remove this static DNS setting /ip dns static add address=192.168.88.1 comment=defconf name=router.lan The most important questi...
by anav
Tue May 07, 2024 11:49 pm
Forum: Beginner Basics
Topic: Cannot get WireGuard to route traffic
Replies: 6
Views: 671

Re: Cannot get WireGuard to route traffic

/ip firewall address-list add address=192.168.88.XX list= Authorized comment="admin desktop" add address=192.168.100.2 list=Authorized comment="admin remote phone" add address=192.168.100.2 list=Authorized comment="admin remote laptop" The question I have is the other ...
by anav
Tue May 07, 2024 10:59 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

Post your latest config with changes included please.
by anav
Tue May 07, 2024 10:06 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

Yes, this is necessary. add address=192.168.1.5 interface=wireguard1 network=192.168.1.0 The issue is the question I posed which you didnt answer. What is going out wireguard to the fritz, one user, all users etc...... Also can you confirm you have remote users hitting the fritz and needing then acc...
by anav
Tue May 07, 2024 10:01 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

That is one approach get rid of the offending diagram LOL. (1) Since you are queueing and mangling, we need to remove the fastrack rule from the forward chain. (2) Primary WAN for vlan30 is WAN1 (3) Primary WAN for one user on vlan10 is WAN2 --> 172.16.10.100 (4) All other users should share the ava...
by anav
Tue May 07, 2024 8:01 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

(1) Pre-shared key is not required, and is not normally used, so for troubleshooting purposes remove for now. /interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=x2061.myfritz.net \ endpoint-port=59162 interface=wireguard1 persistent-keepalive=25s \ preshared-key="=" ...
by anav
Tue May 07, 2024 7:00 pm
Forum: Beginner Basics
Topic: Mikrotik wAP AC - Router, no bridge, Beginner questions
Replies: 13
Views: 495

Re: Mikrotik wAP AC - Router, no bridge, Beginner questions

Glad its all working for you now. :-)
by anav
Tue May 07, 2024 6:50 pm
Forum: Beginner Basics
Topic: Question: SSIDs on different VLANs on LAN
Replies: 10
Views: 775

Re: Question: SSIDs on different VLANs on LAN

Not being clear, The MT you stated should be used as an AP. The PA you stated handles creation of vlans/subnets and handles DHCP. 1. On the MT AP 192.168.98.91 (assigned to ether2) should be just used for managing the MT AP. Understood that the IP address is assigned to the MT device and thus its on...
by anav
Tue May 07, 2024 6:41 pm
Forum: Forwarding Protocols
Topic: routing all trafic passthrough wireguard via wifi station
Replies: 5
Views: 519

Re: routing all trafic passthrough wireguard via wifi station

Sorry very confusing..... Can you draw a network diagram please....... Not sure which ones still valid...... Step1 - NETWORK DIAGRAM Provide a network diagram of your setup with enough detail so that the subnets (vlans), devices and their relationships are clearly established. If able, on the same, ...
by anav
Tue May 07, 2024 6:33 pm
Forum: Beginner Basics
Topic: Port forwarding on RBwAPGR-5HacD2HnD&R11e-LTE6
Replies: 8
Views: 672

Re: Port forwarding on RBwAPGR-5HacD2HnD&R11e-LTE6

Okay So compare the 62.x.x.x.x public IP you get via IP cloud, to your WANIP address you get in IP DHCP client. Are they the same?? It might show on your LTE settings ??? Or may show up as your gateway IP??? No need to show the numbers but if public they should all sorta lineup. Note even your IP cl...
by anav
Tue May 07, 2024 6:29 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

Not my problem your diagram does not match the first few lines of the config. Stopped me cold. Not going to waste my time on such blatant inconsistencies. If you had said ignore the etherport designations on the diagram, because they were wrong, then I would have been prepared Your response did not ...
by anav
Tue May 07, 2024 6:23 pm
Forum: Beginner Basics
Topic: Mikrotik wAP AC - Router, no bridge, Beginner questions
Replies: 13
Views: 495

Re: Mikrotik wAP AC - Router, no bridge, Beginner questions

Fantastic!. Yes you can enable the IP DHCP client, and also select default-route= yes, and then remove the IP address and the manual route, comes to the same thing! However, you appear to be not listening, and keep running into a stone wall. Do you like the pain?? Please remove your bridge filter it...
by anav
Tue May 07, 2024 5:52 pm
Forum: Beginner Basics
Topic: Question: SSIDs on different VLANs on LAN
Replies: 10
Views: 775

Re: Question: SSIDs on different VLANs on LAN

Sorry, but you're not making sense. You want different vlans (at least two ) to enter the MT AP, so it can distribute them over WIFI. If one of those two vlans is not a trusted subnet ( limited to trusted users aka home vice guest ) then one should have a separate management subnet but will leave ...
by anav
Tue May 07, 2024 5:46 pm
Forum: General
Topic: Find best way to block many website
Replies: 7
Views: 439

Re: Find best way to block many website

Yes but that means you need equipment that can do DPI of encrypted traffic so that rules out most equipment unless you go high end Juniper etc with subscription services.
by anav
Tue May 07, 2024 4:29 pm
Forum: Beginner Basics
Topic: Port forwarding on RBwAPGR-5HacD2HnD&R11e-LTE6
Replies: 8
Views: 672

Re: Port forwarding on RBwAPGR-5HacD2HnD&R11e-LTE6

Are you sure you get a public IP address from the ISP provider??
by anav
Tue May 07, 2024 4:27 pm
Forum: Beginner Basics
Topic: Route a Static IP through Wireguard Tunnel
Replies: 4
Views: 397

Re: Route a Static IP through Wireguard Tunnel

Best to provide config after giving it a go.
by anav
Tue May 07, 2024 4:26 pm
Forum: Beginner Basics
Topic: Cannot get WireGuard to route traffic
Replies: 6
Views: 671

Re: Cannot get WireGuard to route traffic

(1) Yes local interface created. Extra routing only required if visiting subnets at other end of tunnel and you need to tell router to get there you need to go through tunnel. (2) It means an error on your config. Remove ether1 from dhcp client, it has nothing to do with WAN (3) FW rules are not the...
by anav
Tue May 07, 2024 4:00 pm
Forum: Beginner Basics
Topic: Mikrotik wAP AC - Router, no bridge, Beginner questions
Replies: 13
Views: 495

Re: Mikrotik wAP AC - Router, no bridge, Beginner questions

So the zyxel is a modem router or just a modem?? Will assume very little if any protection afforded by zyxel. Bridge Filter removed. No need to add a bridge. /ip dhcp-client add disabled= YES interface=ether2-UPLINK /ip firewall filter { order is important ! } add action=accept chain=input connectio...
by anav
Tue May 07, 2024 3:59 pm
Forum: Beginner Basics
Topic: Port forwarding trouble with PCC load balancing
Replies: 30
Views: 2190

Re: Port forwarding trouble with PCC load balancing

Nope, the fw rules and mangle rules are not as I put them so cannot really help much more.
by anav
Tue May 07, 2024 3:55 pm
Forum: Beginner Basics
Topic: Mikrotik wAP AC - Router, no bridge, Beginner questions
Replies: 13
Views: 495

Re: Mikrotik wAP AC - Router, no bridge, Beginner questions

If you want to use it as an AP, configure it as an AP. The steps would be: Reset to default: https://wiki.mikrotik.com/wiki/Manual:Reset Select Home AP in QuickSet Config the wireless part He wants two different subnet for wifi, NOT subnets from the main router. Using the MT device as a router is t...
by anav
Tue May 07, 2024 3:51 pm
Forum: Beginner Basics
Topic: Mikrotik wAP AC - Router, no bridge, Beginner questions
Replies: 13
Views: 495

Re: Mikrotik wAP AC - Router, no bridge, Beginner questions

I dont use ip forward, not familiar..... Also you state you would prefer not to use bridge, so what makes you think you can throw in a bridge filter ( advanced setting ) without any bridge ??? Lets stick to simple and what works please. (1) Get rid of bridge filter! (2) What is your intent for firew...
by anav
Tue May 07, 2024 3:40 pm
Forum: Beginner Basics
Topic: Question: SSIDs on different VLANs on LAN
Replies: 10
Views: 775

Re: Question: SSIDs on different VLANs on LAN

This is straightforward you are simply using the hapAX3 as a AP.switch Thus I would expect the input port is a trunk port carrying all the vlans required for data and the management VLAN ( which may be considered an already existing trusted user vlan) So which vlans are coming into the hapax3? Which...
by anav
Tue May 07, 2024 3:36 pm
Forum: Beginner Basics
Topic: Mikrotik wAP AC - Router, no bridge, Beginner questions
Replies: 13
Views: 495

Re: Mikrotik wAP AC - Router, no bridge, Beginner questions

Is the MT AP acting as a router?
Giving out dhcp, routing etc and the upstream router is solely being used as a WAN source, providing a private IP on its LAN to the MT device??
by anav
Tue May 07, 2024 3:33 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 5997

Re: Failover/Load Balancing + PBR [SOLVED]

Just looking at your etherports on the config, I get confused because your diagram and your wording are in conflict. Without consistency, there is no point in assessing config. The ports on your router ether1 and ether2 Go to WAN -- config text -- Check ether3 goes to Switch1 -- config text--- WRONG...
by anav
Tue May 07, 2024 3:26 pm
Forum: General
Topic: CapsMan VLAN trouble
Replies: 8
Views: 514

Re: CapsMan VLAN trouble

Besides the main router how many APs are you controlling?
by anav
Tue May 07, 2024 3:25 pm
Forum: General
Topic: Find best way to block many website
Replies: 7
Views: 439

Re: Find best way to block many website

Not sure what you mean.
The govt blocks websites and you want to be able to access such websites?
The govt expects you to block websites as a private homeowner?
by anav
Tue May 07, 2024 1:11 am
Forum: Beginner Basics
Topic: Loadbalancing two internet connections - do I need a seperate
Replies: 1
Views: 285

Re: Loadbalancing two internet connections - do I need a seperate

Load balancing is fairly straightforward on RoS.
I would get your money back, the device does not do DPI inspections ( of encrypted traffic ) and thus is a ripoff.
by anav
Tue May 07, 2024 1:10 am
Forum: Wireless Networking
Topic: Full wifi device isolation
Replies: 6
Views: 616

Re: Full wifi device isolation

VLANS are extremely useful in preventing groups of users from accessing each other and are recommended. For users within a VLAN, then firewall rules are useless. In the old way of WIFI one could use access lists ............... however all I can find on my hapax3 is client-isolation. Here is a quote ...
by anav
Tue May 07, 2024 1:01 am
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

Without seeing the complete config, hard to say
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )
by anav
Mon May 06, 2024 11:40 pm
Forum: Beginner Basics
Topic: Port forwarding on RBwAPGR-5HacD2HnD&R11e-LTE6
Replies: 8
Views: 672

Re: Port forwarding on RBwAPGR-5HacD2HnD&R11e-LTE6

best to post your config thus far.


/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc )
by anav
Mon May 06, 2024 10:42 pm
Forum: General
Topic: Prevent Port Scanners using PSD rule
Replies: 1
Views: 295

Re: Prevent Port Scanners using PSD rule

Dont waste your time.
Allow needed traffic
Drop all else.
If you are using VPN, you are fine.
by anav
Mon May 06, 2024 9:57 pm
Forum: General
Topic: Routing table mixed
Replies: 2
Views: 278

Re: Routing table mixed

Will need to do some mangling and routes and tables.
by anav
Mon May 06, 2024 8:53 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

The problem is not MT centric its more like you dont understand how to setup WG period. ROUTER WIREGUARD SERVER FRIZBOX [Interface] PrivateKey = yLLoDlrjI8fLdv8KxoSvP9tbla8KY2Sqglua+bshJUE= ListenPort = 59162 Address = 10.3.1.1 /24 [Peer] PublicKey = 1/po8VJryRbMhluUbH8IU725lKsToVohwrma4uFDYio= Pres...
by anav
Mon May 06, 2024 7:58 pm
Forum: Beginner Basics
Topic: Forwarding ports
Replies: 20
Views: 1843

Re: Forwarding ports

I still see iPV6 lists and firewall rules LOL (2) what is the purpose of this rule.......... Lets get rid of it for now (DISABLE) /ip dns static add address=192.168.30.5 name=srv.lan ???? Also add this /ip dns set allow-remote-requests=yes servers =1.1.1.1 { unless using ISP dns, if so ignore the ad...
by anav
Mon May 06, 2024 7:11 pm
Forum: Beginner Basics
Topic: Wireguard setup Roadwarrior [SOLVED]
Replies: 14
Views: 4528

Re: Wireguard setup Roadwarrior [SOLVED]

Overall dont see anything glaring. You have not made the changes I recommended in the first go around and I am not about to go through that again, suffice to say, they were not provided lightly and may help gain success. Once you fix those, then we can look at anything else that may be more obvious....
by anav
Mon May 06, 2024 7:06 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1475

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

We need to see the MT config and also understand how the users on the MT if any are being directed out the tunnel and why?
Requirements!! + Config, then we can assist on the proper config.
by anav
Mon May 06, 2024 5:58 pm
Forum: Beginner Basics
Topic: ISP CONFIGURATION [SOLVED]
Replies: 8
Views: 4434

Re: ISP CONFIGURATION [SOLVED]

It seems to me, through my presence in this forum, that some, but not all, are aggressive in a very annoying way when asking any question, either because the Mikrotik OS is new to them, or they are new members and have forgotten that they are in a forum and the main goal is to help each other and e...
by anav
Mon May 06, 2024 5:56 pm
Forum: General
Topic: Need help to prepare for MTCNA exam
Replies: 2
Views: 344

Re: Need help to prepare for MTCNA exam

Wise advice!
If you need extra help..........
https://www.youtube.com/@MAICT
by anav
Mon May 06, 2024 4:15 pm
Forum: Beginner Basics
Topic: Forwarding ports
Replies: 20
Views: 1843

Re: Forwarding ports

(1) Why do you keep adding bridge to the interface lists....... its not required! /interface list member add interface=pppoe-wan list=WAN add interface=vlan1 list=LAN add interface=vlan2 list=LAN add interface=vlan3 list=LAN add interface=vlan99-work list=LAN add interface=vlan100-mgmt list=LAN add ...
by anav
Mon May 06, 2024 2:52 pm
Forum: Beginner Basics
Topic: Wireguard setup Roadwarrior [SOLVED]
Replies: 14
Views: 4528

Re: Wireguard setup Roadwarrior [SOLVED]

Yes, the issue is you have a CGNAT connection. If your device was an arm,arm64,tile architecture one could also use the BTH VPN wireguard functionality (which would allow you to deal with the CGNAT shortcoming). The only other option I know of, but have not implemented is using IPV6 to do so. Snippe...
by anav
Mon May 06, 2024 3:32 am
Forum: Beginner Basics
Topic: Pinging the Wireguard client from the server host machine
Replies: 1
Views: 280

Re: Pinging the Wireguard client from the server host machine

Without a network diagram for starters, your explanation makes little sense.
Would also need configs to understand where there are issues.
by anav
Sun May 05, 2024 11:16 pm
Forum: Beginner Basics
Topic: ISP CONFIGURATION [SOLVED]
Replies: 8
Views: 4434

Re: ISP CONFIGURATION [SOLVED]

Sure, I will direct you to the perfect spot to get support you need.
https://mikrotik.com/consultants
by anav
Sun May 05, 2024 5:44 pm
Forum: Beginner Basics
Topic: Help me improve
Replies: 2
Views: 348

Re: Help me improve

Which interface is this that is giving you errors on the bridge??? add bridge=bridge interface=*9 This rule makes no sense as configured, why is it set to DROP?? add action=drop chain=forward comment="port forwarding" connection-nat-state=\ dstnat Three options make sense. a. one if you wa...
by anav
Sun May 05, 2024 5:41 pm
Forum: Beginner Basics
Topic: Forwarding ports
Replies: 20
Views: 1843

Re: Forwarding ports

Post complete config for review as previous.
by anav
Sun May 05, 2024 5:33 pm
Forum: Beginner Basics
Topic: Wireguard setup Roadwarrior [SOLVED]
Replies: 14
Views: 4528

Re: Wireguard setup Roadwarrior [SOLVED]

The allowed IPs in the router setting ( for the peer windows client) is correct as is : /interface wireguard peers add allowed-address= 172.16.0.2/32 interface=wireguard1 public-key=\ "123123123123123123=" Concur on the client side device (windows10) allowed address should be: 192.168.1 .0...
by anav
Sat May 04, 2024 8:23 pm
Forum: Beginner Basics
Topic: Allow All Port Forwarding On Microtik Hap AC2 [SOLVED]
Replies: 17
Views: 2589

Re: Allow All Port Forwarding On Microtik Hap AC2 [SOLVED]

Ahh okay, so basically default forward just means NO BSS blocking. All wired clients within a WLAN ( same SSID ) can reach/see each other..
by anav
Sat May 04, 2024 7:16 pm
Forum: Beginner Basics
Topic: Allow All Port Forwarding On Microtik Hap AC2 [SOLVED]
Replies: 17
Views: 2589

Re: Allow All Port Forwarding On Microtik Hap AC2 [SOLVED]

So how is the user selecting the printer and printing???
by anav
Sat May 04, 2024 6:53 pm
Forum: Beginner Basics
Topic: Allow All Port Forwarding On Microtik Hap AC2 [SOLVED]
Replies: 17
Views: 2589

Re: Allow All Port Forwarding On Microtik Hap AC2 [SOLVED]

All port forwarding is ridiculous. All you need is the IP address of the printer and the main port(s) the printer uses....... Need one port forwarding rule in forward chain.... add chain=forward action=accept connection-nat-state=dstnat Then need dstnat rules something like add chain=dstnat action=d...
by anav
Sat May 04, 2024 6:52 pm
Forum: Beginner Basics
Topic: How to allow traffic from outside WAN port on default RB750GR3
Replies: 7
Views: 513

Re: How to allow traffic from outside WAN port on default RB750GR3

Notepad ++ has the ability to compare two configs, very nice!!!
by anav
Sat May 04, 2024 4:07 pm
Forum: Beginner Basics
Topic: Wireless Wire not usable as AiMesh ethernet backhaul?
Replies: 1
Views: 261

Re: Wireless Wire not usable as AiMesh ethernet backhaul?

It should its basically a wifi ethernet cable concept.
by anav
Sat May 04, 2024 4:03 pm
Forum: General
Topic: [Help] VLAN Routing to VPN, with Local connections - Unusable performance when routing out Wireguard Interface
Replies: 7
Views: 778

Re: [Help] VLAN Routing to VPN, with Local connections - Unusable performance when routing out Wireguard Interface

Before I look at the config, what is the purpose of your management VLAN? If you want vlan10 and 99 to fully talk to each other drop vlan99 and keep vlan10. As for the other vlans, only the management vlan should really see all other vlans. All vlans should be able to access a shared printer. Do any...
by anav
Sat May 04, 2024 3:58 pm
Forum: General
Topic: Wireguard road warrior setup does not work under WiFi
Replies: 21
Views: 1302

Re: Wireguard road warrior setup does not work under WiFi

A whitelist to allow external WANIPs to connect to your wireguard port is not required. That is the purpose of the VPN connection. Only those with proper encrypted credentials will be able to connect and thus there is no need for a whitelist.
by anav
Sat May 04, 2024 2:48 am
Forum: General
Topic: Wireguard road warrior setup does not work under WiFi
Replies: 21
Views: 1302

Re: Wireguard road warrior setup does not work under WiFi

Wrong. There is no whitelist created by the wireguard interface??????\ By creating a wireguard interface and a wireguard IP address, one setups the possibility of a working wireguard structure. You still need the input chain rule to allow the handshake of clients to reach the router. You still need ...
by anav
Sat May 04, 2024 2:43 am
Forum: General
Topic: Strange issue with srd/dst address type 'local'
Replies: 4
Views: 948

Re: Strange issue with srd/dst address type 'local'

Id rather not play what if I do this or that on a config.............useless. Instead state reality and requirements a. identify user(s)/device(s) and groups of users/devices including yourself as admin b. identify what traffic they need to accomplish. The config will fall out naturally from well th...
by anav
Fri May 03, 2024 11:47 pm
Forum: Wireless Networking
Topic: Product Recommendation for Outdoor Mesh WiFi w/ Hotspot 2.0
Replies: 1
Views: 264

Re: Product Recommendation for Outdoor Mesh WiFi w/ Hotspot 2.0

For PTP I would look at --> https://mikrotik.com/product/wireless_w ... ifications --> gig link on 60Hz so no interference with other wifi.
MT does not make mesh systems for local distribution of wifi.
by anav
Fri May 03, 2024 11:43 pm
Forum: Beginner Basics
Topic: How to limit mac addresses to connect to Mikrotik 7.8
Replies: 10
Views: 789

Re: How to limit mac addresses to connect to Mikrotik 7.8

You can do that by only manually assigning DHCP leases I thought. Make use of ARP list etc.
by anav
Fri May 03, 2024 11:42 pm
Forum: Beginner Basics
Topic: Port forwarding trouble with PCC load balancing
Replies: 30
Views: 2190

Re: Port forwarding trouble with PCC load balancing

Ammo are you saying that for PPPOE one cannot decline the default route and use manual routes ???
Also if that is true then how do you manage check-gateway=ping on the main route ( is that available on the PPOE DHCP client settings somewhere)???
by anav
Fri May 03, 2024 7:14 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 139
Views: 9711

Re: [Discussion] MikroTik configuration abstraction complexity

Can be improved by AI.............. Will have to be as soon the DDOS attack will be AI run.
by anav
Fri May 03, 2024 5:37 pm
Forum: Beginner Basics
Topic: Port forwarding trouble with PCC load balancing
Replies: 30
Views: 2190

Re: Port forwarding trouble with PCC load balancing

Sounds more like a PPPOE ISP problem, perhaps they are blocking ICMP.
Otherwise out of ideas, perhaps someone else can do better.
by anav
Fri May 03, 2024 5:35 pm
Forum: General
Topic: Wireguard road warrior setup does not work under WiFi
Replies: 21
Views: 1302

Re: Wireguard road warrior setup does not work under WiFi

Then cannot help you.
I thought we were discussing using the wireguard on the MT router.
by anav
Fri May 03, 2024 4:37 pm
Forum: Beginner Basics
Topic: 1 wan for browsing, 1 wan for external services
Replies: 12
Views: 837

Re: 1 wan for browsing, 1 wan for external services

There are many ways to skin the cat as mkx and rextended say. :-) So yes, If you just have this, /ip firewall mangle add chain=prerouting src-address=192.168.X.X action=mark-routing new-routing-mark=WAN2 Any traffic from that LANIP should go out WAN2. That means ANY TRAFFIC!! Think about it. Also, Y...
by anav
Fri May 03, 2024 4:27 pm
Forum: Beginner Basics
Topic: How to limit mac addresses to connect to Mikrotik 7.8
Replies: 10
Views: 789

Re: How to limit mac addresses to connect to Mikrotik 7.8

Only give the SSID password to those that need it for any particular Subnet WLAN