Search found 21236 matches

by anav
Wed Oct 16, 2024 2:23 am
Forum: Beginner Basics
Topic: Forwarding traffic
Replies: 11
Views: 620

Re: Forwarding traffic

# software id = TFI5-YPER
#
# model = CCR2004-16G-2S+
# serial number = REDACTED
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] advertise=\
    10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full
/interface wireguard
add listen-port=...
by anav
Wed Oct 16, 2024 1:51 am
Forum: General
Topic: RB4011iGS+RM: Some clients don't get DHCP
Replies: 1
Views: 56

Re: RB4011iGS+RM: Some clients don't get DHCP

Yes, it's problems with your config.
by anav
Tue Oct 15, 2024 11:58 pm
Forum: General
Topic: Is it possible to assign an individual port to a vlan that is bridged
Replies: 1
Views: 61

Re: Is it possible to assign an individual port to a vlan that is bridged

You assign vlans to the bridge not the port. On the port you can put one or more vlans as desired via the bridge setup. Vlans by themselves are blocked from other vlans at layer2. Using firewall rules you block them at layer3 on the router, the fact that they are on the same bridge is not an issue. ...
by anav
Tue Oct 15, 2024 11:49 pm
Forum: Beginner Basics
Topic: Forwarding traffic
Replies: 11
Views: 620

Re: Forwarding traffic

ROUTER A Unable to progress as your VLANS are not quite there, maybe........ incongruence between bridge ports and bridge vlans. You have ports indicating both trunk and access port attributes. Can you provide the following information for all your ports................. port X --> to single dumb d...
by anav
Tue Oct 15, 2024 10:40 pm
Forum: Beginner Basics
Topic: Forwarding traffic
Replies: 11
Views: 620

Re: Forwarding traffic

ROUTER B
1. Added ipv6 drop all firewall rules for whatever reason it got activated by mistake.
2. Remove unnecessary interface list members, bridge covers all ports.
3. With only one LAN subnet, two LAN interface lists is not logical???
4. Adjusted,Updated firewall rules. Now only trusted can acce...
by anav
Tue Oct 15, 2024 9:49 pm
Forum: Beginner Basics
Topic: Forwarding traffic
Replies: 11
Views: 620

Re: Forwarding traffic

What is the difference between LAN and SLAN??
Is LAN like home users and SLAN like iot and media and guest wifi ??
by anav
Tue Oct 15, 2024 9:32 pm
Forum: Beginner Basics
Topic: Forwarding traffic
Replies: 11
Views: 620

Re: Forwarding traffic

Well it doesn't sound like you are sending users to safe servers. Most modern gaming servers like Steam do not require ports open etc........ in any case by dst address is actually very useful. First step is to simplify and reduce to one Wireguard network. In case the main Wireguard network is down, w...
by anav
Tue Oct 15, 2024 9:20 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 23
Views: 595

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

Your choice, will move on to help others..........

I was quite clear.......
Need full config of router.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

Also the wireguard configuration of the client ( minus any public WANIP information, keys etc. )
by anav
Tue Oct 15, 2024 8:56 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 23
Views: 595

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

If this is a public IP facing router it should be unplugged ASAP as you have no firewall rules.
by anav
Tue Oct 15, 2024 8:36 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 23
Views: 595

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

Unable at the moment.............
by anav
Tue Oct 15, 2024 8:30 pm
Forum: Beginner Basics
Topic: Forwarding traffic
Replies: 11
Views: 620

Re: Forwarding traffic

Attaching both configs. Ideally both routers could reach each others subnets. Not quite complete............... Which LANIPs need to access the internet on Router B? Are there specific and unique dst ports involved. Is the WANIP (destination address on the www, fixed/static for game server, or alwa...
by anav
Tue Oct 15, 2024 8:23 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1321
Views: 259104

Re: 📣 WinBox 4 is here 📣

Is there really no git repo/github...or modern known issues/feature request tracker for winbox4? A manually updated list at the top of a 1315 reply forum post seems like a bonkers implementation considering we're almost 1/4 of the way thru the 21st century. This is HOTEL Mikrotik, you can never lea...
by anav
Tue Oct 15, 2024 8:18 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 23
Views: 595

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

Need full config of router.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

Also the wireguard configuration of the client ( minus any public WANIP information, keys etc. )
by anav
Tue Oct 15, 2024 8:16 pm
Forum: General
Topic: RB4011 VLAN configuration
Replies: 1
Views: 65

Re: RB4011 VLAN configuration

by anav
Tue Oct 15, 2024 6:06 pm
Forum: RouterBOARD hardware
Topic: New to MikroTik - Choosing between a RB4011 (WiFi), RB5009 + AP and a hAP AX3
Replies: 12
Views: 1134

Re: New to MikroTik - Choosing between a RB4011 (WiFi), RB5009 + AP and a hAP AX3

No question the only two units worthy of consideration are the ax3 and 5009. However the ax3 is limited in wan throughput to 1gig connections, while the 5009 is future proofed to 2.5 gig connections ( maxes out around 3Gbps on routing ) With a price differential of only 10E, it's a no brainer to get...
by anav
Tue Oct 15, 2024 5:57 pm
Forum: Wireless Networking
Topic: Connect to Hotel Wifi
Replies: 16
Views: 982

Re: Connect to Hotel Wifi

...but ROS can be hard to master.
Where did you get that from ? :lol:
You crack me up!!

BPWL for president of MT, re-assign the well-intentioned but failing staff they have running the wifi show. Mean well and positive outcomes have proven to be mutually exclusive! :-(
by anav
Tue Oct 15, 2024 5:48 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 23
Views: 595

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

Sure, turn on IP cloud and get the dyndns address......... This is the endpoint address you will need on any client peers to connect to your wireguard VPN on the router. Identify the subnet you wish to be able to access over wireguard.
/interface wireguard
add listen-port=53477 mtu=1420 name=wgOLT
/...
by anav
Tue Oct 15, 2024 4:41 pm
Forum: Beginner Basics
Topic: Forwarding traffic
Replies: 11
Views: 620

Re: Forwarding traffic

I've already got WireGuard VPN connection between the devices. I use it to access the other device using WinBox. Further guidance is much appreciated. Show both configs /export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.) Also identify which IP address(e...
by anav
Tue Oct 15, 2024 4:35 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 23
Views: 595

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

It's getting clearer thanks!
Suggesting either a wireguard VPN connection or a zerotier connection (LARSA can help with), that will allow you to securely access your resources behind the mikrotik router while away.
I suppose which is readily available on the CHR would be a starting point.
by anav
Tue Oct 15, 2024 1:19 pm
Forum: General
Topic: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]
Replies: 10
Views: 308

Re: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]

No argument from me vis-a-vis using zerotier....
Basically all connect to cloudflare VPS in a way

would just like to add wireguard doesn't really use certificates, it does add pre-shared key if you want extra security.
by anav
Tue Oct 15, 2024 2:38 am
Forum: Beginner Basics
Topic: Automatically divide customers into 4 internet lines equally
Replies: 10
Views: 346

Re: Automatically divide customers into 4 internet lines equally

PCC is but one part of the equation, all of the required user traffic needs to be identified before starting the config.
by anav
Tue Oct 15, 2024 2:36 am
Forum: General
Topic: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]
Replies: 10
Views: 308

Re: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]

Yes, but until I actually use zerotier, I will be unfamiliar with its application and nuances.
No worries, ehbowen, Anav1 Larsa 0 ;-)
by anav
Mon Oct 14, 2024 11:25 pm
Forum: General
Topic: Opening ports makes me lose connection
Replies: 5
Views: 141

Re: Opening ports makes me lose connection

It sounds like you almost don't need a router if opening all ports up.
Typically I advise that it's a foolish thing to do......................... especially if your router is public IP facing.
by anav
Mon Oct 14, 2024 11:24 pm
Forum: General
Topic: Hardware suggestion please
Replies: 3
Views: 118

Re: Hardware suggestion please

https://forum.mikrotik.com/viewtopic.php?t=143620 A. 1.6Gbps link is best served by the RB5009 Router with room for growth....... ( up to 3gigs so sufficient for an ISP 2.5gig connection ) B. Budget choice is indeed the hapax3 with 1.1Gbps with 25 filter rules and higher with less rules so close eno...
by anav
Mon Oct 14, 2024 11:19 pm
Forum: General
Topic: vlan 100 on WAN port , NAT on Lan side , no internet on LAN side
Replies: 4
Views: 136

Re: vlan 100 on WAN port , NAT on Lan side , no internet on LAN side

1. Modify this
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
TO:
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan100 list=WAN
2. Modify this to so...
by anav
Mon Oct 14, 2024 10:21 pm
Forum: General
Topic: vlan 100 on WAN port , NAT on Lan side , no internet on LAN side
Replies: 4
Views: 136

Re: vlan 100 on WAN port , NAT on Lan side , no internet on LAN side

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)
by anav
Mon Oct 14, 2024 10:17 pm
Forum: General
Topic: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]
Replies: 10
Views: 308

Re: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]

No worries, you are good shape. I would probably use the most stable internet connection ( with a public IP ) as the main Wireguard Server. Assuming its your VPS, since normally there is built-in redundancy available 24/7 and usually decent enough throughput. So I am talking about putting a licensed...
by anav
Mon Oct 14, 2024 6:18 pm
Forum: General
Topic: Dividing users on Internet lines
Replies: 1
Views: 63

Re: Dividing users on Internet lines

Do NOT use multiple posts for same issue ---> viewtopic.php?t=211736
by anav
Mon Oct 14, 2024 4:11 pm
Forum: Wireless Networking
Topic: Connect to Hotel Wifi
Replies: 16
Views: 982

Re: Connect to Hotel Wifi

MT wifi is a mess. Station in layman speak means "client", an interface in station mode connects to an existing wireless network (hotel access point) just like your phone or laptop would. AP is much more intuitive as a name, It is the mode where the interface creates a new wireless networ...
by anav
Mon Oct 14, 2024 4:05 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 23
Views: 595

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

What do you mean Mikrotik CHR? Do you have a licensed CHR in the cloud? If so you can setup wireguard on the CHR, and then access all devices locally. One creates a peer to peer connection from the Main Router to CHR and from any remote devices to the CHR. With proper routing rules and firewall rules...
by anav
Mon Oct 14, 2024 2:42 pm
Forum: Scripting
Topic: Help with this script
Replies: 12
Views: 451

Re: Help with this script

He says that scripts will not solve your needs and that they will use the available router settings, including but not limited to lists and filters.
by anav
Mon Oct 14, 2024 2:36 pm
Forum: Beginner Basics
Topic: Automatically divide customers into 4 internet lines equally
Replies: 10
Views: 346

Re: Automatically divide customers into 4 internet lines equally

Your requirements are NOT clearly stated or accurate. Your writing states four internet WANS, but your diagram only shows 3?? What do you mean NOT distribute the load? How do you propose that the router share the load so to speak? Do you mean you have four different subnets, OR perhaps 4 groups of u...
by anav
Mon Oct 14, 2024 12:55 am
Forum: Beginner Basics
Topic: hAP ax^3 - access to NAS
Replies: 7
Views: 245

Re: hAP ax^3 - access to NAS

What model of router do you have attached to the internet?
by anav
Sun Oct 13, 2024 10:34 pm
Forum: Beginner Basics
Topic: Routing with VLan
Replies: 6
Views: 236

Re: Routing with VLan

You have to decide on who does DHCP on your network.
If the switch will just be a switch that is easily accomplished, no double nat etc....
However if you want the switch to be a second router, then your throughput may be limited to approx 300-400Mbps.......
by anav
Sun Oct 13, 2024 10:27 pm
Forum: General
Topic: Very slow download on mobile through Back to Home
Replies: 3
Views: 880

Re: Very slow download on mobile through Back to Home

Nothing obvious to me.

1. set detect internet to none, it's known to cause funny issues..

2. Remove this static DNS setting, it no longer applies.
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
by anav
Sun Oct 13, 2024 9:20 pm
Forum: Forwarding Protocols
Topic: BGP PBR instead of ECMP
Replies: 5
Views: 327

Re: BGP PBR instead of ECMP

What purty colours!! Version 6.
/ip firewall mangle
add chain=forward action=mark-connection connection-mark=no-mark dst-address-type=!local src-address=192.168.1.0/24 new-connection-mark=stream1 passthrough=yes
add chain=forward action=mark-connection connection-mark=no-mark dst-address-type=!loc...
by anav
Sun Oct 13, 2024 8:57 pm
Forum: Beginner Basics
Topic: No WAN connectivity on VLANs
Replies: 4
Views: 146

Re: No WAN connectivity on VLANs

I use separate vlans to visualize different data needs ( single bridge ).
by anav
Sun Oct 13, 2024 6:01 pm
Forum: Beginner Basics
Topic: Routing Policy Issue - Not Working as Expected
Replies: 15
Views: 713

Re: Routing Policy Issue - Not Working as Expected

1. Suggest remove these unless you can justify with purpose....
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
2. Why do you have fast forward=no for the normal bridge settings? ( Does it interfere with hotspot function?)
3. Missing route for modem2 table main................ ...
by anav
Sun Oct 13, 2024 5:35 pm
Forum: Wireless Networking
Topic: Best single AP for wireless range?
Replies: 4
Views: 370

Re: Best single AP for wireless range?

Funny, I migrated away from MT WIFI, for the most part.
by anav
Sun Oct 13, 2024 5:34 pm
Forum: Wireless Networking
Topic: cAP AX and Dynamic VLAN assignment
Replies: 8
Views: 505

Re: cAP AX and Dynamic VLAN assignment

Do post your config, interesting setup!!
/export file=anynameyouwish ( minus device serial number, any public WANIP information, keys etc. )
by anav
Sun Oct 13, 2024 5:29 pm
Forum: Wireless Networking
Topic: Configure AX3 as AP with WIFI per VLAN [SOLVED]
Replies: 4
Views: 313

Re: Configure AX3 as AP with WIFI per VLAN [SOLVED]

If the AX3 is simply an AP, from an upstream router then it should be a relatively easy setup. Assuming wifi settings are good ............. will focus on mechanics of the rest. First, you need to identify the management or Trusted vlan, from which the AX3 should get its IP address from. Only the tru...
by anav
Sun Oct 13, 2024 5:06 pm
Forum: Wireless Networking
Topic: I can't access my mikrotik through wireguard
Replies: 1
Views: 78

Re: I can't access my mikrotik through wireguard

Why posting in wifi forum?
In any case post both configs
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

Also confirm at least one of the routers has a publicly reachable WANIP.
by anav
Sun Oct 13, 2024 4:19 pm
Forum: Forwarding Protocols
Topic: Port Forward 2 WANs + Loadbalance + mikrotik
Replies: 1
Views: 86

Re: Port Forward 2 WANs + Loadbalance + mikrotik

The mikrotik can only work with what its been given. Your problem is to get the traffic from the WWW to the mikrotik or more specifically to the WANIP of the Mikrotik ( the wanip also being the LANIP of the mt device on the load balance network I guess Why do the modems publish the same private subn...
by anav
Sun Oct 13, 2024 3:42 pm
Forum: Beginner Basics
Topic: Routing Policy Issue - Not Working as Expected
Replies: 15
Views: 713

Re: Routing Policy Issue - Not Working as Expected

Your job is to provide the information requested so that assistance can be rendered.
- define requirements as previously explained
- provide complete config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
- network diagram also helps.
by anav
Sun Oct 13, 2024 3:28 pm
Forum: General
Topic: Wireguard connects - no connectivity [SOLVED]
Replies: 12
Views: 417

Re: Wireguard connects - no connectivity [SOLVED]

Okay, so basically asking how to reach the other remote site from the android device......... The other remote site being a router with subnet 10.1.1.0/24. Lets say someone from 192.168.1.0 local subnet wants to reach 10.1.1.X.................... The main router doesnt know about this remote subnet ...
by anav
Sun Oct 13, 2024 5:21 am
Forum: General
Topic: Wireguard connects - no connectivity [SOLVED]
Replies: 12
Views: 417

Re: Wireguard connects - no connectivity [SOLVED]

1. Allowed IPs identifies remote addresses and thus this is not correct and should be removed.
add allowed-address=172.16.0.3/32, 192.168.1.0/24 interface=wg0 name=wg1 \
public-key=""
2. Why did you create another wireguard address, the router only uses one address in this configuration......
by anav
Sat Oct 12, 2024 11:05 pm
Forum: Beginner Basics
Topic: Routing Policy Issue - Not Working as Expected
Replies: 15
Views: 713

Re: Routing Policy Issue - Not Working as Expected

Concur, OP is confused or trying to follow too many guides and not really understanding what is being done in them.
by anav
Sat Oct 12, 2024 11:02 pm
Forum: General
Topic: Wireguard connects - no connectivity [SOLVED]
Replies: 12
Views: 417

Re: Wireguard connects - no connectivity [SOLVED]

Yes and yes LOL. Be careful NOT to put in the drop all rule as the last rule in the input chain UNTIL your ALLOW trusted rule is in place and properly configured, otherwise you will lock yourself out. On that note, typically if I have a spare port, I take it off the bridge give it an IP of 192.168.5...
by anav
Sat Oct 12, 2024 10:58 pm
Forum: General
Topic: RouterOS 7.x Connection Tracking, Failover and NAT
Replies: 14
Views: 419

Re: RouterOS 7.x Connection Tracking, Failover and NAT

Well it sounds like you're asking different things. If a connection goes down, then that session effectively dies a slow death for sure........ The degree to which the new connections smoothly transition to the other WAN is always a work in progress. However, I don't agree with the assertion that the n...
by anav
Sat Oct 12, 2024 10:16 pm
Forum: Beginner Basics
Topic: Routing Policy Issue - Not Working as Expected
Replies: 15
Views: 713

Re: Routing Policy Issue - Not Working as Expected

dont care about partial config in the slightest or commenting on so little information and a config is all interrelated. Mangling depends upon well articulated requirements identify devices/users ( internal, external, admin etc...) identify traffic they need to execute - config, with mangles or rout...
by anav
Sat Oct 12, 2024 8:48 pm
Forum: General
Topic: RouterOS 7.x Connection Tracking, Failover and NAT
Replies: 14
Views: 419

Re: RouterOS 7.x Connection Tracking, Failover and NAT

Sounds like a misconfiguration on RoS6..............
No such issues if configured properly on 6 or 7 from my understanding (albeit limited).
by anav
Sat Oct 12, 2024 6:54 pm
Forum: General
Topic: Back to Home VPN (Wireguard) no internet.
Replies: 3
Views: 143

Re: Back to Home VPN (Wireguard) no internet.

Suggest post mt router config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

Also publish settings on windows wireguard as well............
by anav
Sat Oct 12, 2024 6:52 pm
Forum: General
Topic: Wireguard connects - no connectivity [SOLVED]
Replies: 12
Views: 417

Re: Wireguard connects - no connectivity [SOLVED]

1. You also have this config error but not sure what you have put here to cause this?
add interface=*E list=LAN
Related to the most likely incorrectly or not needed attempt to port forward using wireguard??
# no interface
add action=dst-nat chain=dstnat dst-port=51821 in-interface=*E protocol=udp ...
by anav
Sat Oct 12, 2024 5:27 pm
Forum: Beginner Basics
Topic: Prioritizing Port 1935 on microtik router board
Replies: 3
Views: 132

Re: Prioritizing Port 1935 on microtik router board

Your best bet is to ensure traffic for priority can be expressed as ports or IP addresses ( subnet, source-address-list ) as those are easier to manage ........
by anav
Sat Oct 12, 2024 4:46 pm
Forum: Beginner Basics
Topic: Prioritizing Port 1935 on microtik router board
Replies: 3
Views: 132

Re: Prioritizing Port 1935 on microtik router board

Probably queuing, read up on that.
by anav
Sat Oct 12, 2024 4:41 pm
Forum: General
Topic: Back to Home VPN (Wireguard) no internet.
Replies: 3
Views: 143

Re: Back to Home VPN (Wireguard) no internet.

Most likely a firewall blocking on the windows machine.
by anav
Sat Oct 12, 2024 4:37 pm
Forum: General
Topic: Wireguard connects - no connectivity [SOLVED]
Replies: 12
Views: 417

Re: Wireguard connects - no connectivity [SOLVED]

Your problem is simple get rid of the second wireguard it's causing you all sorts of problems and not needed. Your allowed peers identifies the wrong thing...
Adjusted:
/interface wireguard
add listen-port=51820 mtu=1420 name=wg0
/interface wireguard peers
add allowed-address=172.16.0.2/32,10.1.1.0/2...
by anav
Sat Oct 12, 2024 2:22 pm
Forum: Beginner Basics
Topic: NAT - Port forwarding, closing ports
Replies: 4
Views: 196

Re: NAT - Port forwarding, closing ports

The config will likely reveal all, and should be fixed up quickly. While waiting for the config, the OP should make it clear. a. Are servers used by only external users or also by internal users b. If by internal users, how are they accessing the server ( lan ip or ??? ) c. confirm you have publicly...
by anav
Sat Oct 12, 2024 2:19 pm
Forum: Beginner Basics
Topic: Forcing traffic through specific WAN
Replies: 7
Views: 309

Re: Forcing traffic through specific WAN

Ports, IPs easy to deal with, traffic types.......... you got the wrong router to do that. Its all a matter of mangling for the most part. Identify any vlans coming into specific WANs - mangle for that Identify any incoming port forwarding - mangle for that Identify the load balancing - mangle for t...
by anav
Sat Oct 12, 2024 1:16 am
Forum: Beginner Basics
Topic: Forcing traffic through specific WAN
Replies: 7
Views: 309

Re: Forcing traffic through specific WAN

State the requirements clearly, which ports for example..............

Post the config <----------
/export file=anynamyouwish ( minus router serial number, any public WANIP information, keys etc, dont need long lease lists either LOL )
by anav
Sat Oct 12, 2024 1:15 am
Forum: General
Topic: enabling/disabling routes takes a long time
Replies: 7
Views: 339

Re: enabling/disabling routes takes a long time

You still owe me a wireguard ( possibly using L2TP as well (not encrypted) dual WAN via CHR mt in the cloud setup help session for OSPF/BDF there LARSA.
by anav
Fri Oct 11, 2024 10:05 pm
Forum: Beginner Basics
Topic: VPN is unable to access the local network
Replies: 2
Views: 121

Re: VPN is unable to access the local network

Yes, your config blocks it.
by anav
Fri Oct 11, 2024 10:02 pm
Forum: General
Topic: Netwatch icmp problem
Replies: 3
Views: 179

Re: Netwatch icmp problem

Funny I have a friend who tried to use netwatch icmp and many parameters ex. host=9.9.9.9 interval=5s packet-count=10 \ packet-interval=500ms thr-avg=700ms thr-jitter=2s thr-loss-count=26 thr-max=2s thr-stdev=700ms timeout=3s ( real world many installs etc ) and after many false alarms has gone to t...
by anav
Fri Oct 11, 2024 5:26 pm
Forum: Beginner Basics
Topic: Another begginer's VLAN issue, network connection of the "switch" [SOLVED]
Replies: 10
Views: 3669

Re: Another begginer's VLAN issue, network connection of the "switch" [SOLVED]

Good day,
The defacto guide to understanding bridge vlans is here.
If you have any questions from that feel free to ask!!
viewtopic.php?t=143620

MT Documents are way better now on this topic.
by anav
Fri Oct 11, 2024 5:19 pm
Forum: Beginner Basics
Topic: QuickSet uses 0.0.0.0 for DHCP server network
Replies: 17
Views: 600

Re: QuickSet uses 0.0.0.0 for DHCP server network

Who is going to buy CCR class router and not have to schmucks about how to program it?
I think MT should require proof of MTCNA prior to purchase ;-)
( says the guy who bought a CCR1009 without any schmucks, truth be told I cut my teeth on two hex's, capac and RBG450G. )
by anav
Fri Oct 11, 2024 2:23 pm
Forum: Beginner Basics
Topic: QuickSet uses 0.0.0.0 for DHCP server network
Replies: 17
Views: 600

Re: QuickSet uses 0.0.0.0 for DHCP server network

Another case of MT staff don't use the equipment they sell, should have been discovered long ago.
OR
Their test process is flawed, take your pick.
by anav
Fri Oct 11, 2024 4:27 am
Forum: Beginner Basics
Topic: No Truking on VLAN with VLAN filtering
Replies: 3
Views: 216

Re: No Truking on VLAN with VLAN filtering

Missing IP pool for the two vlans. Why do you have the bridge doing dhcp?? You need dhcp server and dhcp server network for all three vlans!
/ip pool
add name=dhcp ranges=192.168.7.101-192.168.7.199
add name=pool-8 ranges=192.168.8.101-192.168.8.199
add name=pool-9 ranges=192.168.9.101-192.168.9.199...
by anav
Thu Oct 10, 2024 9:44 pm
Forum: General
Topic: Firewall Best Practice
Replies: 1
Views: 177

Re: Firewall Best Practice

No idea, don't use chains as I rarely have an actual need, the concept of chains is very nice agreed, but rare to see. Well mostly see it in garbage firewall rulesets.
/ip firewall filter
{ default rules to keep }
add chain=input action=accept connection-state=established,related,untracked
add chain=...
by anav
Thu Oct 10, 2024 9:34 pm
Forum: General
Topic: MikroTik RouterOS Enterprise
Replies: 11
Views: 584

Re: MikroTik RouterOS Enterprise

sounds like your issues are all wifi........................ simple solution
by anav
Thu Oct 10, 2024 1:51 pm
Forum: Beginner Basics
Topic: No Truking on VLAN with VLAN filtering
Replies: 3
Views: 216

Re: No Truking on VLAN with VLAN filtering

Standard config view please.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

This is the defacto bible on explaining the setup ...........
viewtopic.php?t=143620
by anav
Thu Oct 10, 2024 2:25 am
Forum: Beginner Basics
Topic: hAP AC - Setup repeater with partial wireguard traffic
Replies: 2
Views: 165

Re: hAP AC - Setup repeater with partial wireguard traffic

Not sure on your diagram, It would appear that you have the hapac wired directly to the ISP router ( the hapac is also setup as a router ). I am assuming that the ISP router gets a public IP and that you can forward the wireguard port from the ISP router to the MT router?? So need to confirm that an...
by anav
Thu Oct 10, 2024 2:21 am
Forum: Beginner Basics
Topic: Simpler Failover for two Gateways I found working
Replies: 32
Views: 6203

Re: Simpler Failover for two Gateways I found working

Separate from jaclaz question, why not consider VRRP as a way to create a seamless connection from the client (lan) perspective, or will not work in your zoom example. ????
by anav
Thu Oct 10, 2024 12:27 am
Forum: Beginner Basics
Topic: Simpler Failover for two Gateways I found working
Replies: 32
Views: 6203

Re: Simpler Failover for two Gateways I found working

Nice feedback AMMO. Conceptually, I like the idea. basic failover, - first step when learning how to use two wans Recursive failover - If concerned that the ISP is flaky and want to confirm connectivity to WWW ( seems many do ) Netwatch failover - If not happy with 20 seconds before any action is ta...
by anav
Thu Oct 10, 2024 12:06 am
Forum: Beginner Basics
Topic: Mikrotik 4011 2x ISP LAN routing
Replies: 9
Views: 436

Re: Mikrotik 4011 2x ISP LAN routing

Next let's look at other rules.....
1. CHANGE THIS TO
/ip settings
set max-neighbor-entries=8192 rp-filter=loose
2. DECIDE!!! Either use IP DHCP client for ether9 OR assign an IP address but not both !!! Since its a static IP, setting the IP address makes sense and I suspect you just entered a gene...
by anav
Wed Oct 09, 2024 11:54 pm
Forum: Beginner Basics
Topic: Mikrotik 4011 2x ISP LAN routing
Replies: 9
Views: 436

Re: Mikrotik 4011 2x ISP LAN routing

The first thing to do in mangling is to ensure traffic heading for WAN2 is sent back out via WAN2. This should direct all VPNs coming on WAN2 to go back out WAN2. Of course one must have standard sourcenat rule in place as well Your wireguard rule seems to be deleted not sure why............ in anyc...
by anav
Wed Oct 09, 2024 11:22 pm
Forum: Beginner Basics
Topic: Simpler Failover for two Gateways I found working
Replies: 32
Views: 6203

Re: Simpler Failover for two Gateways I found working

So is your thinking that when one connection goes down for whatever reason, the netwatch setup is very good in terms of detecting and switching the users to the backup, however the problem is users sessions interrupted mid-stream are left hanging? Isnt that partially taken care of by using masquerad...
by anav
Wed Oct 09, 2024 7:29 pm
Forum: Forwarding Protocols
Topic: Routing Vlan traffic over Vpn
Replies: 2
Views: 179

Re: Routing Vlan traffic over Vpn

Besides network diagram any advice has to be predicated upon a thorough understanding of the requirements, not parts thereof.
A, identify all the devices, users including the admin
B. identify the traffic they need to be able to execute
by anav
Wed Oct 09, 2024 5:27 pm
Forum: Beginner Basics
Topic: DoH Mullvad/Yandex
Replies: 3
Views: 1366

Re: DoH Mullvad/Yandex

no no no..................... ask about http3 support, by the time they implement 2, the draft for http4 will be out . ;-)
by anav
Wed Oct 09, 2024 5:25 pm
Forum: Beginner Basics
Topic: Cannot access my new rb5009, incorrect username or password, after update from 7.12.2 to 7.16 [SOLVED]
Replies: 5
Views: 898

Re: Cannot access my new rb5009, incorrect username or password, after update from 7.12.2 to 7.16 [SOLVED]

Clearly Holvoe, Mikrotik staff use apple products and zyxel networking equipment and not MT products, as that kind of oversight only happens when you don't actually use the equipment for real.
by anav
Wed Oct 09, 2024 5:15 pm
Forum: General
Topic: Tailscale now NAT-PMP problem
Replies: 20
Views: 625

Re: Tailscale UPNP problem

The explanation of your WAN is confusing. You state an ISP modem is feeding the MT router but then you state the MT is getting a DMZ IP..........?? If its a modem, the MT router would get a public IP, would it not?? If its a modem/router then getting a private IP for WAN would make more sense..... W...
by anav
Wed Oct 09, 2024 1:39 am
Forum: General
Topic: Load Sharing and Failover
Replies: 8
Views: 331

Re: Load Sharing and Failover

My question was for the OP, the originator, didn't realize it was you that had answered..........
by anav
Wed Oct 09, 2024 1:13 am
Forum: General
Topic: Load Sharing and Failover
Replies: 8
Views: 331

Re: Load Sharing and Failover

When you become more forthcoming with requirements an optimal config can be designed. What does wireguard on demand mean? ( you're using a third party provider? you have wireguard VPS in the cloud? your MT is acting as a wireguard server and you as the admin login from away ? ) Which WAN is used for por...
by anav
Wed Oct 09, 2024 1:11 am
Forum: General
Topic: Whats the point of this default FW rule?
Replies: 9
Views: 450

Re: Whats the point of this default FW rule?

As I tried to explain your concept of forward chain and traffic is flawed. There is such a beast as WAN to LAN traffic. All traffic is not destined necessarily for the input chain. The dstnat rule, the default rule EVEN Tells you there is............... It says block all WAN to LAN traffic EXCEPT FO...
by anav
Wed Oct 09, 2024 12:55 am
Forum: General
Topic: I cannot route from mikrotik to my internal network.
Replies: 5
Views: 276

Re: I cannot route from mikrotik to my internal network.

Draw a diagram as your network design is very confusing when you try to explain it.....................

a. is the mikrotik connected to an upstream ISP router or Modem?
b. does the mikrotik get a public IP or a private IP from the upstream device?
by anav
Wed Oct 09, 2024 12:53 am
Forum: Beginner Basics
Topic: Simpler Failover for two Gateways I found working
Replies: 32
Views: 6203

Re: Simpler Failover for two Gateways I found working

Well to help me understand I have created a recursive ruleset and a netwatch ruleset for the basic setup of TWO WANS. Most LAN users (single subnet /23) should use WAN1. Rest of users identified by firewall address list should use WAN2 Each WAN should be used as backup of the other. See result recur...
by anav
Wed Oct 09, 2024 12:43 am
Forum: Beginner Basics
Topic: Dual WAN Woes.
Replies: 10
Views: 468

Re: Dual WAN Woes.

Here is my attempt at using netwatch LOL. No promises and hopefully somebody can point out if there are errors. /ip route { WAN1 } add dst-address=0.0.0.0/0 gateway=ether1 routing-table=main add dst-address=1.1.1.1/32 gateway=ether1 routing-table=main add distance=2 dst-address=1.1.1.1 black-hole=ye...
by anav
Tue Oct 08, 2024 11:36 pm
Forum: Beginner Basics
Topic: Dual WAN Woes.
Replies: 10
Views: 468

Re: Dual WAN Woes.

Going to take the easy way out. All traffic will go out WAN1, by default and thus we only have to 'force' business traffic out WAN2. First fix the mistake already noted: /interface list member add comment=defconf interface=bridge list=LAN add comment=Three interface=ether1 list=WAN add interface=ICU...
by anav
Tue Oct 08, 2024 10:23 pm
Forum: Beginner Basics
Topic: Mikrotik 4011 2x ISP LAN routing
Replies: 9
Views: 436

Re: Mikrotik 4011 2x ISP LAN routing

With VPNs to the router involved mangling is required.
Since you didn't state otherwise, it would appear you have no port forwardings involved.

post your config on what you have so far....
/export file=anynameyouwish ( minus router serial number, any publicWANIP information, keys etc. )
by anav
Tue Oct 08, 2024 10:20 pm
Forum: Beginner Basics
Topic: Simpler Failover for two Gateways I found working
Replies: 32
Views: 6203

Re: Simpler Failover for two Gateways I found working

[quote=jaclaz] -Tab -> Down /ip route enable [find comment=LTE-Failover] [find dst-address=0.0.0.0/0 and gateway=192.168.1.250] -Tab -> Up /ip route disable [find comment=LTE-Failover] [find dst-address=0.0.0.0/0 and gateway=192.168.1.250] [/quote] Just ...
by anav
Tue Oct 08, 2024 10:14 pm
Forum: General
Topic: Load Sharing and Failover
Replies: 8
Views: 331

Re: Load Sharing and Failover

Do you have any VPNs ( such as wireguard ) in the mix via a specific WAN, and also any port forwarding to servers --> on either LAN??..........
by anav
Tue Oct 08, 2024 6:59 pm
Forum: General
Topic: wireguard site to multi site setup
Replies: 5
Views: 318

Re: wireguard site to multi site setup

Remember, that each link is still peer to peer. There is hub and spoke network! However we set up the routes and firewall rules such that desired connectivity can be reached. Because each device is on the same wireguard subnet and each client peer has either 0.0.0.0/0 in allowed IPs OR 172.17.17. 0/...
by anav
Tue Oct 08, 2024 6:28 pm
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 412
Views: 47957

Re: v7.17beta [testing] is released!

a roadmap would be nice (*wishful thinking*)
Easy Peasy just become a valued investor. ;-)
by anav
Tue Oct 08, 2024 5:43 pm
Forum: General
Topic: Load Sharing and Failover
Replies: 8
Views: 331

Re: Load Sharing and Failover

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.) To be clear what you want is NORMAL ( no sharing ) LAN1 to use WAN1 for all traffic LAN2 to use WAN2 for all traffic. Failover ( share available WAN ) If WAN1 is down, LAN1 should use WAN2 if WAN2 is do...
by anav
Tue Oct 08, 2024 5:38 pm
Forum: General
Topic: wireguard site to multi site setup
Replies: 5
Views: 318

Re: wireguard site to multi site setup

What is your comfort level programming MT routers? The configuration is not a copy and paste exercise, you should understand what you are doing and how the different sections are related. routing, firewall rules, wireguard protocol and processes etc..... That said, wireguard is by far the easiest VP...
by anav
Tue Oct 08, 2024 5:35 pm
Forum: General
Topic: Call of Duty PC Game
Replies: 5
Views: 2515

Re: Call of Duty PC Game

Absolutely no ports are needed for call of duty, when using steam or other game sites.
If you are trying to run your own gaming server, good luck with that.
by anav
Tue Oct 08, 2024 5:32 pm
Forum: General
Topic: I cannot route from mikrotik to my internal network.
Replies: 5
Views: 276

Re: I cannot route from mikrotik to my internal network.

You do not need a secondary router to segment your network. Simply create as many vlans as you need and attach them to the bridge. one for home/trusted one for servers one for iot one for guests etc............. You have four ports to distribute the vlans. If you have more ports required to ensure al...
by anav
Tue Oct 08, 2024 5:29 pm
Forum: General
Topic: Whats the point of this default FW rule?
Replies: 9
Views: 450

Re: Whats the point of this default FW rule?

As noted you are confused about the chains. WAN TO the ROUTER is input chain, think of a. vpn connection to the router b. Configuring the router WAN to LAN ( through the router) a. port forwarding normally from the www. b. upstream router subnets to NATTED mikrotik router ( aka subnets on upstream r...
by anav
Tue Oct 08, 2024 5:26 pm
Forum: General
Topic: Whats the point of this default FW rule?
Replies: 9
Views: 450

Re: Whats the point of this default FW rule?

The default firewall rules are for the sole purpose of an individual connecting to his ISP and using the internet. Once you start changing the network it is advised to revisit the firewall rules and modify accordingly. As you have found out, the default rules are not all that clear for the beginner....
by anav
Mon Oct 07, 2024 8:49 pm
Forum: General
Topic: Looking for instrction to isolate guest wifi networks
Replies: 12
Views: 562

Re: Looking for instrction to isolate guest wifi networks

Prior to using capsman, it was quite easy to setup up vlan per SSID or vlan per USER group (and assign both SSIDS to same VLAN) and have them fully separated at layer2 by vlans, at layer 3 by firewall rules and then through wifi settings decide whether or not wifi users should be able to see others ...
by anav
Mon Oct 07, 2024 8:45 pm
Forum: General
Topic: [Wireguard} - Connecting router as client - [SOLVED]
Replies: 6
Views: 400

Re: [Wireguard} - Connecting router as client - [SOLVED]

MTs are actually very cost effective, flexible and powerful devices, just needs a brain and some patience and they work just fine.
For anybody else, aka with a lobotomy and the attention span of a gnat, yes, Asus is better.

& Kisses!
by anav
Mon Oct 07, 2024 8:17 pm
Forum: Beginner Basics
Topic: Dual WAN Woes.
Replies: 10
Views: 468

Re: Dual WAN Woes.

Without a specific subnet to differentiate, then it's more complicated as you will need to mangle and use a firewall address list to identify the IPs that are considered business. If you have the business on a different subnet, then the routing rule method is more viable. What is keeping you from add...
by anav
Mon Oct 07, 2024 6:28 pm
Forum: Beginner Basics
Topic: Dual WAN Woes.
Replies: 10
Views: 468

Re: Dual WAN Woes.

Very reasonable request. Couple of questions........ Assuming the PPOE is a public IP?? if not is WAN1 a public IP Do you port forward to any servers on family LAN? Do you have any VPNs required ............ If not, you should consider at least wireguard vpn so that you can access your router config...
by anav
Sun Oct 06, 2024 11:45 pm
Forum: Beginner Basics
Topic: Mikrotik 4011 2x ISP LAN routing
Replies: 9
Views: 436

Re: Mikrotik 4011 2x ISP LAN routing

It will be a complicated setup but assuming you have port forwarding to servers on WAN2 and VPNS coming into WAN2, Simply make two routes, WAN1 PRIMARY WAN2 Secondary Mangle traffic to the router, ( vpns ) Mangle traffic through the router ( port forwarding ) Send all return traffic back out WAN2 th...
by anav
Sun Oct 06, 2024 11:39 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 1185

Re: Need a forward rule

Depends, If you are assigned a static WANIP, it's often easier just to set the IP yourself. If assigned a dynamic WANIP a dhcp client setting can make sense for route, but it depends on the ISP provider. Same with pppoe type connection... Typically if doing something funky with routes it's often bett...
by anav
Sun Oct 06, 2024 11:33 pm
Forum: General
Topic: Wireguard Performance (Validate config)
Replies: 2
Views: 268

Re: Wireguard Performance (Validate config)

You should get around 300Mbps on the 5009, I suspect your config, besides wireguard is not optimal either. Most of your setup is non-standard starting with adding a vlan to bridge setup, weird dhcp settings etc... Crappy firewall rule setup etc etc.. Crappy mangling setup etc etc.. Wireguard missing...
by anav
Sun Oct 06, 2024 11:32 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 1185

Re: Need a forward rule

Nothing is 'normal', there are default rules for the very basic setup and the rest are ADMIN decisions.
by anav
Sun Oct 06, 2024 9:15 pm
Forum: Beginner Basics
Topic: Mikrotik 4011 2x ISP LAN routing
Replies: 9
Views: 436

Re: Mikrotik 4011 2x ISP LAN routing

YES
by anav
Sun Oct 06, 2024 6:50 pm
Forum: General
Topic: [Wireguard} - Connecting router as client - [SOLVED]
Replies: 6
Views: 400

Re: [Wireguard} - Connecting router as client

Certainly, assumed you were doing wireguard that you already had basic MT setup and use under your belt.
Not a good plan if you have not had some practical experience
by anav
Sun Oct 06, 2024 5:35 pm
Forum: General
Topic: Wireguard s
Replies: 6
Views: 387

Re: Wireguard s

What is a white IP..............

Need config of the router
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Sun Oct 06, 2024 2:28 pm
Forum: Beginner Basics
Topic: Looking to replace CCR1009 with a newer CCR router...
Replies: 5
Views: 379

Re: Looking to replace CCR1009 with a newer CCR router...

Hi Steve, he wants to hit 10Gigs with his ISP provider. Why dont you check which routers are capable of routing 10gigs to the ISP for starters, not the CCR1009 ;-) I have an older CCR1009, I would like to replace with a newer CCR router that can handle the following: 1 uplink via Fiber 10G to my ISP...
by anav
Sun Oct 06, 2024 2:26 pm
Forum: Beginner Basics
Topic: i need help with this error
Replies: 6
Views: 350

Re: i need help with this error

Concur with erlinden, pull the router netinstall new clean firmware and redo your setup.
Start with the default settings and for god's sake don't open up the winbox port to the internet!!
by anav
Sun Oct 06, 2024 2:22 pm
Forum: General
Topic: wireguard problem with a v 7.14
Replies: 29
Views: 6554

Re: wireguard problem with a v 7.14

Without seeing your config, it's not possible to comment. Most of the time it's admin error.
by anav
Sun Oct 06, 2024 2:20 pm
Forum: General
Topic: Managing Connected Devices on TP-Link Access Point with MikroTik Router - Need Advice
Replies: 4
Views: 229

Re: Managing Connected Devices on TP-Link Access Point with MikroTik Router - Need Advice

They are not access points, those are old wifi routers that could be used as access points. However these are dumb devices, there is no vlan capability and no real management capability. You can provide one subnet per port ( and thus per AP ) on the router and that's probably the extent of the separa...
by anav
Sat Oct 05, 2024 11:34 pm
Forum: Beginner Basics
Topic: Looking to replace CCR1009 with a newer CCR router...
Replies: 5
Views: 379

Re: Looking to replace CCR1009 with a newer CCR router...

One cannot copy, suggest start fresh and clean and build config slowly. Starting with a network diagram to identify all the users/devices on the network as well as switches Aps etc.. Also, if you didn't know, Mikrotik has a website with all the details you seek. Have a look and pick which one has th...
by anav
Sat Oct 05, 2024 11:30 pm
Forum: General
Topic: Need a forward rule
Replies: 24
Views: 1185

Re: Need a forward rule

Instead of blindly posting bits of a config and asking is the config okay, Start from the beginning. a. network diagram b. identify all users ( devices, users (external, internal, admin) c. identify all the traffic they should be able to execute d. provide enough details on wan side for type of ISP,...
by anav
Sat Oct 05, 2024 11:28 pm
Forum: General
Topic: DHCP works, but NO Internet [SOLVED]
Replies: 17
Views: 592

Re: DHCP works, but NO Internet [SOLVED]

What is the purpose of connecting without a bridge????
Easy to assign ports to a single subnet no bridge, but what is the fun in that??
by anav
Sat Oct 05, 2024 11:22 pm
Forum: General
Topic: [Wireguard} - Connecting router as client - [SOLVED]
Replies: 6
Views: 400

Re: [Wireguard} - Connecting router as client

1. Although not blocked I would probably add an explicit allow rule in forward chain, prior to the last rule. add chain=forward action=accept src-address=192.168.88.0/24 out-interface=wireguard-inert 2. This rule is NOT required add action=masquerade chain=srcnat out-interface=wireguard-inet src-add...
by anav
Sat Oct 05, 2024 3:52 pm
Forum: General
Topic: bridge setting ip filter problem
Replies: 3
Views: 174

Re: bridge setting ip filter problem

From a basic perspective, a single subnet and bridge work well to allow use of ones wired and wifi ports on one network. There is no need to use IP Bridge filtering here. USE NORMAL FIREWALL RULES to separate traffic at layer 3. If you had two subnets one for the bridge and most wired and wifi ports...
by anav
Sat Oct 05, 2024 1:44 am
Forum: General
Topic: cloudflare fights off a record amount of DDoS traffic, mikrotik one of the main culprits
Replies: 5
Views: 732

Re: cloudflare fights off a record amount of DDoS traffic, mikrotik one of the main culprits

The only guarantee is that you are the one responsible for the admin of the router and thus do things properly.
If not the admin, there is no way of knowing. I hope that makes you feel better.
It's the same with any router.
by anav
Fri Oct 04, 2024 11:53 pm
Forum: General
Topic: RouterOS (7.16) - Simple WireGuard Client Setup
Replies: 6
Views: 510

Re: RouterOS (7.16) - Simple WireGuard Client Setup

Complete mikrotik config please.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Fri Oct 04, 2024 11:49 pm
Forum: Beginner Basics
Topic: Could you audit my firewall rules
Replies: 6
Views: 460

Re: Could you audit my firewall rules

Sorry I don't comment on partial configs as all parts are related, and yes your firewall rules need work.
by anav
Fri Oct 04, 2024 6:19 pm
Forum: General
Topic: cloudflare fights off a record amount of DDoS traffic, mikrotik one of the main culprits
Replies: 5
Views: 732

Re: cloudflare fights off a record amount of DDoS traffic, mikrotik one of the main culprits

Yeah clickbait title threads I normally don't answer other than to point out the garbage title.
by anav
Fri Oct 04, 2024 2:49 pm
Forum: Beginner Basics
Topic: 2 ISP CONFIGURTAION PROBLEM
Replies: 5
Views: 304

Re: 2 ISP CONFIGURTAION PROBLEM

I don't use official documentation or anyone's documentation if it doesn't make sense to me. If the official documentation says jump off a cliff I am afraid we may not see you any longer. ;-) For the OP, please describe the requirements more fully before deciding on any config. Do you have any VPNs com...
by anav
Fri Oct 04, 2024 2:47 pm
Forum: Beginner Basics
Topic: Wireguard Peer how to use local DNS
Replies: 4
Views: 326

Re: Wireguard Peer how to use local DNS

Your config has many errors in it, but more importantly your config also doesn't seem to match your intentions.
What are the requirements for pihole, should all vlans use it, only one vlan, what is the purpose of pihole on your network.
by anav
Fri Oct 04, 2024 2:42 pm
Forum: General
Topic: Device got hacked 1 min after connected to internet
Replies: 51
Views: 4550

Re: Device got hacked 1 min after connected to internet

Exactly, which I suggested above...
ROS without config should not have internet access because of exposed services.
On that we can agree LOL.
by anav
Fri Oct 04, 2024 3:18 am
Forum: General
Topic: WireGuard stopped cooperating after the 7.16 upgrade [SOLVED]
Replies: 4
Views: 465

Re: WireGuard stopped cooperating after the 7.16 upgrade [SOLVED]

Concur, not in this case but it's often true, the more described up front in understanding the requirements that lead you to two wireguard interfaces, means a solution will be holistic and ensure all use cases are thought of/included.
by anav
Thu Oct 03, 2024 9:30 pm
Forum: General
Topic: Device got hacked 1 min after connected to internet
Replies: 51
Views: 4550

Re: Device got hacked 1 min after connected to internet

or just apply script... It seem logic is here - more stupid people are ones which cannot for any reason remove SIM than ones that don't know that lte1 needs to be enabled to have internet access (if is mitigated like that) Go ahead and rely on scripts the rest of the "real" IT human race ...
by anav
Thu Oct 03, 2024 8:23 pm
Forum: General
Topic: Device got hacked 1 min after connected to internet
Replies: 51
Views: 4550

Re: Device got hacked 1 min after connected to internet

Genius, brilliant! Solution of the century. So basically remove the invisible cable wire.... who would of thunk it.........
by anav
Thu Oct 03, 2024 6:54 pm
Forum: Beginner Basics
Topic: Secondary WAN and failover setup hap ax2 (7.16) for a beginner [SOLVED]
Replies: 48
Views: 1918

Re: Secondary WAN and failover setup hap ax2 (7.16) for a beginner [SOLVED]

I'm sorry jaclaz, but you clearly missed the boat.
The OP has two subnets, one for the home lan and one for the guest wifi.
Two vlans makes much sense to me.

As for the OP, good luck, advice not followed, you're in good hands with jaclaz, out.
by anav
Thu Oct 03, 2024 6:50 pm
Forum: General
Topic: WireGuard stopped cooperating after the 7.16 upgrade [SOLVED]
Replies: 4
Views: 465

Re: WireGuard stopped cooperating after the 7.16 upgrade [SOLVED]

Perhaps if you were more honest about the config it would be helpful. You didn't mention why you have two wireguard interfaces for example????? There are many parts of the config, that I don't like but in terms of wireguard, you clearly do not understand how wireguard works. Your allowed IPs for being...
by anav
Thu Oct 03, 2024 6:05 pm
Forum: Beginner Basics
Topic: 2 ISP CONFIGURTAION PROBLEM
Replies: 5
Views: 304

Re: 2 ISP CONFIGURTAION PROBLEM

Would it not be for the second bit...... ???? /ip route add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.100.1%"ISP1_interface" distance=1 add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.100.1%"ISP2_interface" distance=2 add dst-address=0.0.0.0/0 gateway=...
by anav
Thu Oct 03, 2024 5:46 pm
Forum: Beginner Basics
Topic: Secondary WAN and failover setup hap ax2 (7.16) for a beginner [SOLVED]
Replies: 48
Views: 1918

Re: Secondary WAN and failover setup hap ax2 (7.16) for a beginner [SOLVED]

1. You are attempting to have two different subnets assigned from the single bridge. There are several approaches, two bridges but not advised or two vlans, very much advised. You already have two pools.......... just complete the config...... and first add the vlans to the bridge. /interface vlan a...
by anav
Thu Oct 03, 2024 5:09 pm
Forum: Beginner Basics
Topic: How to reach WG client from LAN
Replies: 6
Views: 257

Re: How to reach WG client from LAN

Why? SSH is not required if you have a wireguard connection??
Also is there a reason not to use the wireguard on the router itself?
by anav
Thu Oct 03, 2024 4:58 pm
Forum: Beginner Basics
Topic: Access Printer from another Mikrotik Router
Replies: 11
Views: 711

Re: Access Printer from another Mikrotik Router

For me, a detailed network diagram would help illustrate effectively what you are trying to accomplish. In general if you have a main router and then other sub-set routers connected ( creating double nat ) communication from the main router to the secondary router is easily handled by adding static ...
by anav
Thu Oct 03, 2024 4:18 pm
Forum: General
Topic: Device got hacked 1 min after connected to internet
Replies: 51
Views: 4550

Re: Device got hacked 1 min after connected to internet

The logic is NOT to connect to the internet until firewall rules are in place and admin information/access to router has been changed from default and secured. Relying on default anything in the router is the wrong approach. Just don't attach the cable or sim card etc, until the router is ready to be...
by anav
Wed Oct 02, 2024 11:08 pm
Forum: General
Topic: DNS over HTTPS
Replies: 263
Views: 129126

Re: DNS over HTTPS

by anav
Wed Oct 02, 2024 11:05 pm
Forum: General
Topic: Wireguard on standalone server with mikrotik router
Replies: 2
Views: 184

Re: Wireguard on standalone server with mikrotik router

So your thinking is that a client Wireguard HOST ( seeing as you are using a third party VPN provider and thus server is at the other end ) on your network vice using the router as the client itself is of course very possible. Not sure that performance will be any better, but it's a matter of appropr...
by anav
Wed Oct 02, 2024 11:03 pm
Forum: General
Topic: DDoS protection without DDoSing oneself?
Replies: 7
Views: 393

Re: DDoS protection without DDoSing oneself?

Yes, if the upstream ISP or farther up line providers cannot prevent it, there is no chance in heck that RoS is going to do anything fruitful.
by anav
Wed Oct 02, 2024 2:05 am
Forum: General
Topic: multiple devices whit one wireguard client
Replies: 6
Views: 282

Re: multiple devices whit one wireguard client

Instead of trying to shove a wet noodle up a straw, come clean and state your USER requirements in a clear manner without discussing any actual configuration on wireguard. User X must be able to User Y must be able to User X must not be able to User Y must not be able to etc.... hypotheticals on wha...
by anav
Tue Oct 01, 2024 11:48 pm
Forum: General
Topic: Wireguard low Throughput
Replies: 2
Views: 191

Re: Wireguard low Throughput

400Mbps is actually quite good!
by anav
Tue Oct 01, 2024 11:47 pm
Forum: General
Topic: MikroTik Configuration Issue
Replies: 2
Views: 163

Re: MikroTik Configuration Issue

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Mon Sep 30, 2024 10:08 pm
Forum: General
Topic: Mikrotik setup for private home -> Switch + AccessPoints
Replies: 7
Views: 391

Re: Mikrotik setup for private home -> Switch + AccessPoints

Ahh okay I didn't realize you had a small internet connection, the switch should be good for up to 300 down or so.
by anav
Mon Sep 30, 2024 10:07 pm
Forum: General
Topic: Our mikrotik hacked
Replies: 25
Views: 1313

Re: Our mikrotik hacked

No point in resetting anything as you have no idea why this happened and thus it will happen again.
Do you have a copy of the config prior to hacking to show...........

Netinstall is the only viable method of putting a clean load, if the device is accessible.
by anav
Mon Sep 30, 2024 4:50 pm
Forum: General
Topic: wireguard problem with a v 7.14
Replies: 29
Views: 6554

Re: wireguard problem with a v 7.14

Post your config for review.

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
by anav
Mon Sep 30, 2024 4:24 pm
Forum: General
Topic: Mikrotik setup for private home -> Switch + AccessPoints
Replies: 7
Views: 391

Re: Mikrotik setup for private home -> Switch + AccessPoints

What router will you be using?
by anav
Sun Sep 29, 2024 10:30 pm
Forum: Beginner Basics
Topic: hAP ax^2 as AP - add ethernet port to VLAN [SOLVED]
Replies: 8
Views: 555

Re: hAP ax^2 as AP - add ethernet port to VLAN [SOLVED]

Well generally speaking do not use vlan1, change that to vlan10 for your sanity. There should be no issue having the hapax3 running capsman but be aware the configuration when using it to run capsman is different than before when it wasn't. Too complex for me but search some threads in the wifi forum a...
by anav
Sun Sep 29, 2024 7:39 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 61
Views: 11687

Re: Router OS 7 on UEFI

Rhetorical question, the answer is YES, remove work-arounds where possible. In this case, the cost/effort to remain compatible with major cloud providers is important in the support of the their CHR product line. To be fair, they cannot be on top of every issue and I am confident they will jump on t...
by anav
Sun Sep 29, 2024 7:09 pm
Forum: General
Topic: Masquerade with VLANs [SOLVED]
Replies: 5
Views: 446

Re: Masquerade with VLANs [SOLVED]

(1) I will add dont mix apples and oranges. Once you go vlans, ensure all subnets are vlans, and thus the bridge does no DHCP etc, just bridging. Okay I see, that is what you have done, bridge ports was misleading..... Prefer......... clarity /interface bridge port add bridge=Bridge ingress-filterin...
by anav
Sun Sep 29, 2024 7:07 pm
Forum: General
Topic: How to Configure a WireGuard VPN Connection to NordVPN on a Mikrotik Router Running ROS v7.x
Replies: 2
Views: 1378

Re: How to Configure a WireGuard VPN Connection to NordVPN on a Mikrotik Router Running ROS v7.x

There are two options, the one that was stated as well as:
add action=change-mss chain=forward new-mss=1380 out-interface=wg-nordvpn protocol=tcp tcp-flags=syn tcp-mss=1381-65535
by anav
Sun Sep 29, 2024 12:13 am
Forum: General
Topic: Bandwidth-based load balancing with failover
Replies: 8
Views: 697

Re: Bandwidth-based load balancing with failover

Where is the rest of the router config, firewall rules etc............ Would seem you need to just follow the pdf real close. Connected networks etc... The only real change I see is the special table routes. The rest seems to be close to good as is. /ip route add gateway=192.168.10.1 distance=1 ...
by anav
Sat Sep 28, 2024 8:49 pm
Forum: Forwarding Protocols
Topic: Difference between this two routers configs ?
Replies: 1
Views: 674

Re: Difference between this two routers configs ?

Because............ they must be different in some way. Why not have a look at the configs and see what the difference is.........
by anav
Sat Sep 28, 2024 8:20 pm
Forum: Beginner Basics
Topic: Challenges, Deficiencies, and Constraints in Developing Computer Network Practical Modules Using Mikrotik
Replies: 3
Views: 616

Re: Challenges, Deficiencies, and Constraints in Developing Computer Network Practical Modules Using Mikrotik

Get your hands dirty using the equipment, that will take a year, and then perhaps you will be ready to write something.
Nothing we can tell you will make a lick of sense without practical experience. Sorry have to write your own paper.
by anav
Sat Sep 28, 2024 8:14 pm
Forum: General
Topic: Bandwidth-based load balancing with failover
Replies: 8
Views: 697

Re: Bandwidth-based load balancing with failover

The op was not asking for PCC, but more load balancing in the traditional way.
Yes you can somewhat load balance on PCC but it's not as good as the pdf method which is more geared towards LB but a tad more complicated.
by anav
Sat Sep 28, 2024 8:12 pm
Forum: General
Topic: Wireguard peer responder clarification
Replies: 7
Views: 592

Re: Wireguard peer responder clarification

No I don't need to tell myself on each config who is client for handshake and who is server for handshake. I am the admin I know what I have setup and can add comments if required.
These settings should only be required perhaps for BTH settings, certainly not normal wireguard setups......
by anav
Sat Sep 28, 2024 6:01 pm
Forum: Beginner Basics
Topic: Issue with Wireguard - Connected but no traffic
Replies: 3
Views: 469

Re: Issue with Wireguard - Connected but no traffic

REMOTE OFFICE CONFIG 2. Based on Allowed IPs, assume you want the remote office to be able to use the internet of the Primary Office ??? ( as well as access subnets on the Main Office ). No, it must use its own internet and Wireguard for access to subnets on the Main Office 3. Your WAN setup is inc...
by anav
Sat Sep 28, 2024 5:42 pm
Forum: Beginner Basics
Topic: I am a software engineer who is new to all these
Replies: 6
Views: 551

Re: I am a software engineer who is new to all these

For someone who is supposed to be adept at writing software requirements, concur it was a piss poor effort. I am thinking that the person is really someone who eats a lot and has developed processes that effectively allow him to get softer faster........... ( nothing to do with code at all ) Alterna...
by anav
Sat Sep 28, 2024 5:39 pm
Forum: Beginner Basics
Topic: One network hidden, one visible
Replies: 3
Views: 395

Re: One network hidden, one visible

hoelvo, I cannot wait for you to ask another 100 hunt and peck questions! ;-PPP

Please post config, so we have a sense of your config.....
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
by anav
Sat Sep 28, 2024 5:35 pm
Forum: General
Topic: Wireguard peer responder clarification
Replies: 7
Views: 592

Re: Wireguard peer responder clarification

I have not played with the new settings yet but I will attempt to keep it cleaner and thus less confusing. SERVER for initial handshake allowedIPs=10.20.30.2/32,subnetA,subnetB interface=wg1 comment="client peer1 Hex home Router" public-key="key1" allowedIPs=10.20.30.3/32 interfa...
by anav
Sat Sep 28, 2024 5:22 pm
Forum: General
Topic: SOLVED: Port forwarding from MikroTik router to internal network (behind DS-Lite) via WireGuard [SOLVED]
Replies: 3
Views: 782

Re: SOLVED: Port forwarding from MikroTik router to internal network (behind DS-Lite) via WireGuard [SOLVED]

Good to hear, and if you run into future issues, please post both configs /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) Allowed IPs describe three things 1. THE WIREGUARD NETWORK PORTION a. the wireguard subnet 0/24 ( at the client device peer at ...
by anav
Sat Sep 28, 2024 4:35 pm
Forum: General
Topic: CRS326-24S+ gets a little hot
Replies: 5
Views: 489

Re: CRS326-24S+ gets a little hot

More space between units and between units and walls of enclosure and air circulating through, it's not complicated.
Furthermore, look at a portable air conditioner unit for the ambient air if you have no control over the room.
Electronics like cool but also DRY air.
by anav
Fri Sep 27, 2024 8:36 pm
Forum: Beginner Basics
Topic: Issue with Wireguard - Connected but no traffic
Replies: 3
Views: 469

Re: Issue with Wireguard - Connected but no traffic

YOUR REMOTE OFFICE CONFIG 1. Fix error in config from: /ip address add address=172.16.46.1/24 comment=defconf interface =ether2 network=\ 172.16.46.0 TO: /ip address add address=172.16.46.1/24 comment=defconf interface =bridge network=\ 172.16.46.0 2. Based on Allowed IPs, assume you want the remote...
by anav
Fri Sep 27, 2024 8:10 pm
Forum: General
Topic: Bandwidth-based load balancing with failover
Replies: 8
Views: 697

Re: Bandwidth-based load balancing with failover

Of course the foundation of the pdf is solid, and one only need to tweak it for RoS changes. I don't see the current config of the router to understand the setup you have vis-a-vis any subnets, firewall rules and existing routes. /export file=anynameyouwish ( minus router serial number, any public WA...
by anav
Fri Sep 27, 2024 1:34 pm
Forum: General
Topic: Bandwidth-based load balancing with failover
Replies: 8
Views: 697

Re: Bandwidth-based load balancing with failover

Since you used chatgpt, does that mean you understand the config, or really don't have a clue??
by anav
Fri Sep 27, 2024 1:33 pm
Forum: General
Topic: Any plan for Mikrotk to upgrade its travel router ?
Replies: 11
Views: 1124

Re: Any plan for Mikrotk to upgrade its travel router ?

Don't agree, the 5ghz allows the flexibility required to deal with how the site provided wifi internet signal. If on 2ghz, then distribute to devices in the room with 5ghz and of course the reverse. If using LTE to capture signal, then having the option to deal with crowded wifi spectrum in the immed...
by anav
Thu Sep 26, 2024 5:22 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 353
Views: 336881

Re: NEW FEATURE: Back to Home VPN

Regarding the TOPIC
We have updated the manual with the Share function info (APP side) https://help.mikrotik.com/docs/display/ROS/Back+To+Home
Much thanks for these efforts!
by anav
Thu Sep 26, 2024 4:12 pm
Forum: General
Topic: SOLVED: Port forwarding from MikroTik router to internal network (behind DS-Lite) via WireGuard [SOLVED]
Replies: 3
Views: 782

Re: Port forwarding from MikroTik router to internal network (behind DS-Lite) via WireGuard [SOLVED]

Very confusing without a diagram.
Do you mean you setup CHR in the cloud on some service??
by anav
Thu Sep 26, 2024 3:26 pm
Forum: Forwarding Protocols
Topic: Rdp failure
Replies: 4
Views: 722

Re: Rdp failure

Concur, go back to basic config. Don't attempt to use RDP on your router, even enterprises have stopped using RDP with all their edge router firewalls and fancy protections etc........most if not all have moved to citrix like setups. As intimated, if you need to provide secure access, wireguard ( or ...
by anav
Thu Sep 26, 2024 2:33 pm
Forum: Beginner Basics
Topic: How to debug Wireguard?
Replies: 2
Views: 525

Re: How to debug Wireguard?

Without seeing the main router (server for handshake ) settings, hard to say.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
by anav
Wed Sep 25, 2024 9:53 pm
Forum: Wireless Networking
Topic: Mikrotik or others on AX wifi access point
Replies: 168
Views: 9934

Re: Mikrotik or others on AX wifi access point

I think I have one hap ax lite lte somewhere, I will test it. If it works that is great. Mikrotik wifi is now rock solid... So WPA3 and PM is the issue here... I have an ax3 setup as a router and AP in the basement, it's pretty decent with WPA2 only..... However the capac also in the basement is at...
by anav
Wed Sep 25, 2024 6:42 pm
Forum: General
Topic: Segregate an internal Wireguard server
Replies: 16
Views: 921

Re: Segregate an internal Wireguard server

Well if you go by the title of the thread it does intimate what erlinden is suggesting, ( a wireguard server on the NETWORK, not on the router ).
by anav
Wed Sep 25, 2024 6:02 pm
Forum: General
Topic: Wireguard slow between LAN hosts but fast when testing speed between routers.
Replies: 8
Views: 1298

Re: Wireguard slow between LAN hosts but fast when testing speed between routers.

Along with leaked usernames which sindy pointed out, your firewall rule has an unsafe rule! Note: You have queues on both routers, this may cause slowdown if fasttrack is turned on, but not 100% sure if your simple queue inputs affect fasttrack. I would test with queues on and then removed to see if ...
by anav
Wed Sep 25, 2024 4:49 pm
Forum: General
Topic: WireGuard VPN / Firewall Rules [SOLVED]
Replies: 11
Views: 1870

Re: WireGuard VPN / Firewall Rules [SOLVED]

Good to hear! Assuming that the persistent keep alive settings are only there to identify what is set on the peers themselves...... In terms of the router setup the only thing I would likely change is the access by admin. You have two separate accesses setup, and I would merge into one. There is no ...
by anav
Wed Sep 25, 2024 1:28 pm
Forum: General
Topic: Device got hacked 1 min after connected to internet
Replies: 51
Views: 4550

Re: Device got hacked 1 min after connected to internet

Connecting to the internet prior to having at least the requisite firewall rules in place is a fool's game, unless one is into gambling.
by anav
Wed Sep 25, 2024 1:25 pm
Forum: General
Topic: Wireguard slow between LAN hosts but fast when testing speed between routers.
Replies: 8
Views: 1298

Re: Wireguard slow between LAN hosts but fast when testing speed between routers.

/export file=anynameyouwish ( minus router serial number, any public wanip information, keys, etc. )
by anav
Wed Sep 25, 2024 1:23 pm
Forum: General
Topic: Wireguard not reconect after route change
Replies: 4
Views: 629

Re: Wireguard not reconect after route change

Two things I would change, (1) On the Client for handshake change the allowed IPs from 10.1.38.1/32 to: 10.1.38.0/24 (2) The allowed Ips cannot include 10.0.0.0/8 on both routers! It is ONLY to identify either a. remote subnet that local users need to reach OR b. remote subnet whose users need to ac...
by anav
Tue Sep 24, 2024 5:53 pm
Forum: Beginner Basics
Topic: ipv6 security
Replies: 14
Views: 1310

Re: ipv6 security

My rules of thumb
DISABLE IPV6
Ensure there are only two IPV6 firewall rules....
add chain=input action=drop
add chain=forward action=drop

That way if somehow you inadvertently enable IPV6, or an update enables it, your ass is covered.
by anav
Tue Sep 24, 2024 5:50 pm
Forum: General
Topic: Segregate an internal Wireguard server
Replies: 16
Views: 921

Re: Segregate an internal Wireguard server

Yes, it's amazing how clearly you can articulate the facts, with so few words. :-) Simply port forwarding the incoming wg port to the lanip of the wireguard server ON THE NETWORK . Confusion stems as the OP stated he is running the wireguard ON THE 5009 In any case you can port forward to any IP addr...
by anav
Tue Sep 24, 2024 5:19 pm
Forum: General
Topic: Segregate an internal Wireguard server
Replies: 16
Views: 921

Re: Segregate an internal Wireguard server

Hi Holvoe perhaps you understand the requirement a bit better. 1. Is the OP trying to have clients attempt to reach Server at Router B via the public IP of Router A, and then have that traffic enter a wireguard tunnel and travel to Router B where the server resides?? OR 2. Is the OP trying to force ...
by anav
Tue Sep 24, 2024 4:01 pm
Forum: Forwarding Protocols
Topic: Wireguard and more routing problem with 2 WAN
Replies: 5
Views: 1125

Re: Wireguard and more routing problem with 2 WAN

Sorry on vacation. Still a problem??
by anav
Tue Sep 24, 2024 3:53 pm
Forum: General
Topic: Segregate an internal Wireguard server
Replies: 16
Views: 921

Re: Segregate an internal Wireguard server

Provide a diagram as you are unable to articulate clear requirements in writing.
Also recommend stating requirements NOT in config speak but in terms of use cases and users traffic that needs to be executed.
by anav
Tue Sep 24, 2024 3:46 pm
Forum: General
Topic: Wireguard not reconect after route change
Replies: 4
Views: 629

Re: Wireguard not reconect after route change

Post both configs to see what is going on. /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.). Conceptually once a wireguard connection is established, both ends keep the other end up to date on the relevant WANIP. Hence if the main router changes its ...
by anav
Tue Sep 24, 2024 3:20 pm
Forum: General
Topic: Suggestion for 1500+ VPN endpoints
Replies: 1
Views: 377

Re: Suggestion for 1500+ VPN endpoints

1500 vpn endpoints,,,,,,,,,,,,, I would not use wireguard as you want something more enterprise.....
Look at cloudflare options or some sort of enterprise ipsec offering.
by anav
Mon Sep 23, 2024 7:40 pm
Forum: Beginner Basics
Topic: only 1 lan device via wireguard
Replies: 3
Views: 732

Re: only 1 lan device via wireguard

Conceptually I understand you have a third party VPN provider (proton) of which you want to send ONE IP address out the wireguard for external internet. This is easily accomplished without any Mangling. Instead use Routing Rules. 1. Table add fib name=useProton 2. Route add dst-address=0.0.0.0/0 inte...
by anav
Mon Sep 23, 2024 7:32 pm
Forum: Beginner Basics
Topic: Wireguard Port Forwarding and Firewall Rule
Replies: 1
Views: 682

Re: Wireguard Port Forwarding and Firewall Rule

Why not host wireguard on RB3011 directly??
by anav
Mon Sep 23, 2024 7:26 pm
Forum: General
Topic: Wireguard: only the last edited peer is working [SOLVED]
Replies: 10
Views: 2253

Re: Wireguard: only the last edited peer is working [SOLVED]

Thanks khaaleex, I'm ipv6 illiterate so any help in that regard is greatly appreciated. I suppose the OP thought his brainwaves were powerful enough that we knew he was using IPV6. :-)
by anav
Mon Sep 23, 2024 7:25 pm
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1060

Re: Struggling with VLAN configuration (egress works but not ingress)

My bad I missed that connection point, need glasses LOL.
In that case will only work if the APs are managed and can pass vlans.
by anav
Mon Sep 23, 2024 7:23 pm
Forum: General
Topic: Segregate an internal Wireguard server
Replies: 16
Views: 921

Re: Segregate an internal Wireguard server

Sure I understand how it works, and it's simple in terms of what is allowed or not allowed, and it appears you have made it way more complex than required. When a remote user comes in you simply allocate firewall rules accordingly on the incoming side, for good security.......... Examples: wg subnet ...
by anav
Mon Sep 23, 2024 7:12 pm
Forum: General
Topic: VLAN + wireguard connectivity
Replies: 3
Views: 589

Re: VLAN + wireguard connectivity

CHR 1. Missing local network..........in address /ip address add address=10.0.123.1/24 interface=wireguard_CHR network=10.0.123.0 add address=192.168.130.1/24 interface=bridge network=192.168.130.0 2. Adjust, simplify NAT, too messy.......... /ip firewall nat add action=masquerade chain=srcnat out-i...
by anav
Mon Sep 23, 2024 6:52 pm
Forum: General
Topic: VLAN + wireguard connectivity
Replies: 3
Views: 589

Re: VLAN + wireguard connectivity

Treat the capac as an AP not a router......... Assuming vlan20 is the trusted subnet. There is a clue in the error in your bridge port settings *A Assuming ether1 is trunk port to Router, will use ether2 as an off bridge backup or easy management access. Remove the IP dns static setting...... /ip dn...
by anav
Mon Sep 23, 2024 5:14 pm
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1060

Re: Struggling with VLAN configuration (egress works but not ingress)

Wrong again, many people have wired connections between APs. Very common if one is using a AP based router as an AP/switch. Even my capac has two ports so that I can wire in from the main router and yet feed another smart or dumb device from the other connection. Depends on the type of AP and the re...
by anav
Mon Sep 23, 2024 5:12 pm
Forum: General
Topic: WireGuard VPN / Firewall Rules [SOLVED]
Replies: 11
Views: 1870

Re: WireGuard VPN / Firewall Rules [SOLVED]

To be clear, users do not have direct access to this off site other company server. Your Routers fixed WANIP is whitelisted so as to be able to reach that server. First you need to establish local router access to this whitelisted server ( aka from your LAN ). If you can do this, then remote wiregua...
by anav
Mon Sep 23, 2024 5:03 pm
Forum: General
Topic: AmneziaWG in RouterOS?
Replies: 27
Views: 13943

Re: AmneziaWG in RouterOS?

Last I checked, there's plenty of vpn or equivalent sneaky ways to get a MT to bypass a state based vpn block, that doesnt require some 'magic' plugin for MT that "would work", but other existing mechanisms already onboard dont... Please enlighten us as most States have ways of detecting ...
by anav
Mon Sep 23, 2024 5:01 pm
Forum: General
Topic: Struggling with VLAN configuration (egress works but not ingress)
Replies: 16
Views: 1060

Re: Struggling with VLAN configuration (egress works but not ingress)

The connection from your 5009 to the switch via proper direct trunk port works fine. If you attempt to connect two smart devices in between some dumb devices, results are never guaranteed. Suggest your connection points include small managed switches if need be so it looks like 50009 -----> small m...
by anav
Mon Sep 23, 2024 4:56 pm
Forum: General
Topic: LTE Wireguard with DDNS [SOLVED]
Replies: 2
Views: 560

Re: LTE Wireguard with DDNS [SOLVED]

Very similar in some regards......... one needs an input chain rule to allow the wireguard port to hit the router itself. As long as the dyndns rule resolves to the public IP of your router, you are golden. If the public IP is given to the ISPs upstream device ( aka modem ) you will need to be able ...
by anav
Mon Sep 23, 2024 4:53 pm
Forum: General
Topic: Segregate an internal Wireguard server
Replies: 16
Views: 921

Re: Segregate an internal Wireguard server

As erlinden intimates, the requirement is not clear. Wireguard is its own separate entity and needs no VLAN. Through wireguard allowed IPs and firewall rules one can direct users coming in and going out as needed. There is no wireguard network on a vlan perse..... You can have users coming in throug...
by anav
Fri Sep 06, 2024 10:37 pm
Forum: Beginner Basics
Topic: Add alternate route
Replies: 6
Views: 763

Re: Add alternate route

All three routers have to have WAN connections to reach each other. If one router goes down, then it is no longer in play period. The other two can still reach each other. The exception to the above, which may be a possibility in your case ( vague diagrams ), is if two routers of the routers can be ...
by anav
Thu Sep 05, 2024 10:47 pm
Forum: Beginner Basics
Topic: LAN to LAN basics
Replies: 21
Views: 2385

Re: LAN to LAN basics

I'm going to slap an electron carbon tax fine on you for a waste of a post ( or awful humour ) take your pick ;-P
by anav
Thu Sep 05, 2024 10:44 pm
Forum: General
Topic: Routing out through multiple WAN IP addresses
Replies: 1
Views: 343

Re: Routing out through multiple WAN IP addresses

In zyxel vernacular this one was one to one NAT............
I think in MT lingo you want to research NETMAP
by anav
Thu Sep 05, 2024 1:37 pm
Forum: Beginner Basics
Topic: LAN to LAN basics
Replies: 21
Views: 2385

Re: LAN to LAN basics

Just to note, on the first page of the article you stated you had already read............... PCUNITES vlan bible. quote: Native, Base, & MGMT (management) VLAN: As you create your VLANs and pick VLAN IDs for each one, understand that the base network that you used to initiate your first connect...
by anav
Thu Sep 05, 2024 12:03 am
Forum: Beginner Basics
Topic: Help setting up cap AX [SOLVED]
Replies: 14
Views: 1408

Re: Help setting up cap AX [SOLVED]

The good news is that soon there will be a useable MAC and linux version of winbox. Right now it's a beta, not ready for beginners IMHO, heck I am not using it either. Infabo, put yourself in the shoes of newbie regarding usability and you will come to a different conclusion. By that I mean, don't ass...
by anav
Wed Sep 04, 2024 2:25 pm
Forum: Beginner Basics
Topic: Help setting up cap AX [SOLVED]
Replies: 14
Views: 1408

Re: Help setting up cap AX [SOLVED]

Remove your serial number from your post above! Is an AP so all router crap for the most part is removed. Ether 2 on the capax will be used as a SAFE off bridge port to configure or access the AP. ****** Remove client from AP, you have set correctly the AP to get a static set IP of 192.168.88.2 outs...
by anav
Wed Sep 04, 2024 2:10 pm
Forum: Beginner Basics
Topic: How communicate between router without involving WAN [SOLVED]
Replies: 7
Views: 1021

Re: How communicate between router without involving WAN [SOLVED]

What is the purpose of joining the two routers, clearly stated requirements drive the config.
In other words describe the user traffic that needs to be executed.
by anav
Wed Sep 04, 2024 2:07 pm
Forum: Beginner Basics
Topic: 2 PPOE CLIENTS
Replies: 2
Views: 495

Re: 2 PPOE CLIENTS

Not sure what you mean.
Do you have two PPPOE WAN connections ( aka the router is a client to the ISP)

Same ISP, two different PPPOE logins?
Two different ISPs????
by anav
Wed Sep 04, 2024 2:06 pm
Forum: Beginner Basics
Topic: Wireguard - adding another peer they make handshake but cant ping
Replies: 2
Views: 487

Re: Wireguard - adding another peer they make handshake but cant ping

No idea what mess you have without the configs of both routers. /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, etc. ) One has to ensure the correct allowed addresses in wireguard setting, matching with ip routes if required for remote subnets and finally...
by anav
Wed Sep 04, 2024 2:04 pm
Forum: General
Topic: new-mss VS. clamp-to-pmtu with v7
Replies: 10
Views: 1577

Re: new-mss VS. clamp-to-pmtu with v7

The rule of thumb when controlling both ends IS to match MTU, I think the default is 1420 not 1500 on the MT.
In any case, if one knows the MTU setting at the other end, the first thing to try is matching it on the MT.
Then the rules above.
by anav
Wed Sep 04, 2024 2:02 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

Sorry I couldn't get you there, the WAN situation was a bit over my head for sure.
by anav
Tue Sep 03, 2024 11:59 pm
Forum: General
Topic: new-mss VS. clamp-to-pmtu with v7
Replies: 10
Views: 1577

Re: new-mss VS. clamp-to-pmtu with v7

My understanding is, at least for wireguard, if your router is the client for handshake, typically to 3rd party providers, then one can use either of these two settings, and depending upon the provider one may work better than the other. I have not heard of adding this setting to the Server (for han...
by anav
Mon Sep 02, 2024 9:15 pm
Forum: Beginner Basics
Topic: Setting up 3 APs to a wifi router
Replies: 1
Views: 371

Re: Setting up 3 APs to a wifi router

Knowing which Netgear router would help....... Knowing which MT AP would also help. In general the idea is that the netgear gives each AP a different IP address. Each AP has a basic setup as follows..... ( yours may have less LAN ports for example ) ( assuming the Netgear subnet is 192.168.1.0/2 and...
by anav
Mon Sep 02, 2024 8:58 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

Correct! Wireguard on WAN2 will not work at the moment. Put in the following dstnat rule and it should work... /ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN add action=dst-nat chain=dstnat dst-address-type=local in-interface=l2tpBouyg-4G dst-port=13232 protocol=udp to-a...
by anav
Mon Sep 02, 2024 8:56 pm
Forum: General
Topic: Wireguard and internal connection to internet
Replies: 13
Views: 1581

Re: Wireguard and internal connection to internet

From the first link above............ Check it out. Simple Network Interface WireGuard works by adding a network interface (or multiple), like eth0 or wlan0, called wg0 (or wg1, wg2, wg3, etc). This network interface can then be configured normally using ifconfig(8) or ip-address(8), with routes for...
by anav
Mon Sep 02, 2024 8:51 pm
Forum: General
Topic: Wireguard and internal connection to internet
Replies: 13
Views: 1581

Re: Wireguard and internal connection to internet

In a nutshell, allowed IPs is the key to success, The server router (for handshake) denotes each peer individually by its /32 address. DO NOT DEVIATE. Each client typically for max flex denotes the server by the subnet address............ especially true and germane for client routers for handshake....
by anav
Mon Sep 02, 2024 5:08 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

Just to be clear everything except wireguard is working fine? Can you connect on wireguard ORG that is coming through on WAN1 fine? Only issue is not being able to connect directly on WAN2 ? If so that makes sense as the config seems fairly correct in terms of wireguard. The only problem should be f...
by anav
Mon Sep 02, 2024 3:54 pm
Forum: General
Topic: Wireguard and internal connection to internet
Replies: 13
Views: 1581

Re: Wireguard and internal connection to internet

You clearly do not understand how wireguard works, It's a peer to peer connection. That means you cannot on the server assign 0.0.0.0 .............................where is the peer to peer Furthermore, ALL traffic from the router (be it originating outbound over the tunnel or return traffic, will NEV...
by anav
Mon Sep 02, 2024 3:52 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

Did you make the changes I have provided in the last two posts yet??
When you do, then repost the config for viewing please.
by anav
Mon Sep 02, 2024 3:51 pm
Forum: General
Topic: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wrong
Replies: 20
Views: 2735

Re: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wr

Apparently ARP is a very viable method of what you are doing with it. Similar to ping and the only difference is ARP would not be used recursive routing which is where I am used to it being used. As was explained to me, Ping is checking to see if if something is UP or ON, while ARP is checking if so...
by anav
Mon Sep 02, 2024 3:46 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

In terms of firewall.......... You have given access to configure the router to the ENTIRE LAN so all users could potentially access the config of the router....... Normally we do not do so as they have no need. We only give permission to the admins You can do that by source address list hence the b...
by anav
Mon Sep 02, 2024 3:18 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

I see red lines on your mangle rule so will start there....... Did you put the red colors in or did the router?? Why do you have the word add?? its not part of the config???? Get rid of icmp protocol........... Should be: /ip firewall mangle action=mark-connection chain= input connection-mark=no-mar...
by anav
Mon Sep 02, 2024 5:41 am
Forum: Beginner Basics
Topic: Problem with accessibility of sites through WG
Replies: 7
Views: 927

Re: Problem with accessibility of sites through WG

Network diagram and configs of both routers
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
by anav
Mon Sep 02, 2024 5:39 am
Forum: General
Topic: Wireguard and internal connection to internet
Replies: 13
Views: 1581

Re: Wireguard and internal connection to internet

I did, your allowed IPs are wrong. I gave you an example of how to fix them. The remote laptop and android phone, should now be able to reach any LAN subnet or your router for config purposes if your firewall rules permit that. No special dstnat or sourcenat rules required at all for wireguard in th...
by anav
Mon Sep 02, 2024 5:36 am
Forum: General
Topic: wireguard is never ready for production bug router os 7.15.3 (stable)
Replies: 1
Views: 530

Re: wireguard is never ready for production bug router os 7.15.3 (stable)

What's your point.............. Send a supout if you've found a bug.
by anav
Sun Sep 01, 2024 11:00 pm
Forum: General
Topic: Wireguard and internal connection to internet
Replies: 13
Views: 1581

Re: Wireguard and internal connection to internet

Sweet shouldn't take too long to fix up then.. Sadly capsman screws up my knowledge of vlans and how they are supposed to be configured but will attempt anyway I find it strange that you do not have pool for vlan TH ?? I find it very strange that you do not have dhcp-server for TH ?? Why you are hidi...
by anav
Sun Sep 01, 2024 7:46 pm
Forum: General
Topic: Wireguard and internal connection to internet
Replies: 13
Views: 1581

Re: Wireguard and internal connection to internet

reviewing Just to be clear a. You are setting up this device as ROUTER not only a switch b. The ATT router gets a public IP address ****** c. You can forward ports on the ATT device to the LANIP of the Mikrotik device. ( on the lan subnet of the ATT ) ****** your IP cloud setting shows the public I...
by anav
Sun Sep 01, 2024 2:32 pm
Forum: Beginner Basics
Topic: Bridge VLAN Filtering & Firewall [SOLVED]
Replies: 11
Views: 1256

Re: Bridge VLAN Filtering & Firewall [SOLVED]

Sounds like your firewall rules are the problem...... use something like the default rule set with proper modifications /ip firewall address-list { dhcp leases set statically } add address=adminIP1 list=Authorized comment=adminPC add address=adminIP2 list=Authorized comment=adminlaptop add address=a...
by anav
Sun Sep 01, 2024 2:28 pm
Forum: General
Topic: Wireguard and internal connection to internet
Replies: 13
Views: 1581

Re: Wireguard and internal connection to internet

Draw a diagram, your explanation is more confusing than helpful.
and post complete config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Sun Sep 01, 2024 1:36 am
Forum: Beginner Basics
Topic: hEX on Switch should manage access to printer [SOLVED]
Replies: 20
Views: 1851

Re: hEX on Switch should manage access to printer [SOLVED]

If this is an internet facing router your firewall rules suck.
Side note: If you have a vlan fully open to another vlan ( two way comms), perhaps it should just be one vlan?
by anav
Sun Sep 01, 2024 1:34 am
Forum: Beginner Basics
Topic: Bridge VLAN Filtering & Firewall [SOLVED]
Replies: 11
Views: 1256

Re: Bridge VLAN Filtering & Firewall [SOLVED]

Traffic flow is directed by the /interface bridge ports and /interface bridge vlans. In other words they instruct where VLANX goes in and out of ports and whether or not it's flowing out of a port tagged or untagged and whether or not it's tagged coming into a port etc.. The firewall rules are there t...
by anav
Sat Aug 31, 2024 9:56 pm
Forum: Beginner Basics
Topic: Bridge VLAN Filtering & Firewall [SOLVED]
Replies: 11
Views: 1256

Re: Bridge VLAN Filtering & Firewall [SOLVED]

What most do is simply have a rule at the end of the forward chain for example add chain=forward action=drop comment=Drop all Else Thus unless you have rules above this allowing traffic, EVERYTHING else is blocked. So typically one has allow LAN interface list to WAN interface list for internet allo...
by anav
Sat Aug 31, 2024 9:51 pm
Forum: General
Topic: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wrong
Replies: 20
Views: 2735

Re: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wr

1. In your config I see this... Which indicated an error that needs to be resolved. /interface pppoe-server server add interface= *B service-name=service1 AND /ip address add address=100.0.41.1/20 disabled=yes interface= *B network=100.0.3 2.0 AND add address=10.14.0.2/16 disabled=yes interface= *15...
by anav
Sat Aug 31, 2024 9:01 pm
Forum: General
Topic: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wrong
Replies: 20
Views: 2735

Re: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wr

Yeah my bad, there is no script for DHCP server its just one long winded DHCP Client script LOL.

Looking at your routes........
What is check-gateway=arp not familiar with that usage............ how does it compare to ping........ or more accurately , why using arp?
by anav
Sat Aug 31, 2024 6:45 pm
Forum: Beginner Basics
Topic: Default firewall config
Replies: 30
Views: 63371

Re: Default firewall config

It is fine for the basic generic setup the OP was looking for in terms of: TAKING the default firewall set of rules and a. make them efficient b. change concept to block all and identify needed traffic above block all rule. If it's good for your scenario, if different from a single subnet one bridge ...
by anav
Sat Aug 31, 2024 6:42 pm
Forum: Beginner Basics
Topic: Firewall Address List enhancement
Replies: 5
Views: 569

Re: Firewall Address List enhancement

Lists within lists is not possible.
What is your requirement exactly that would require such a functionality for home or even small business..........
That cannot be solved via existing interface list and firewall address list. ???????????
by anav
Sat Aug 31, 2024 5:51 pm
Forum: Beginner Basics
Topic: Firewall Address List enhancement
Replies: 5
Views: 569

Re: Firewall Address List enhancement

..............................

yup.jpg
by anav
Sat Aug 31, 2024 4:33 pm
Forum: Beginner Basics
Topic: Wireguard Road Warrior Problems with muti WAN
Replies: 5
Views: 665

Re: Wireguard Road Warrior Problems with muti WAN

To assist, you need to detail all the requirements clearly since there is a lot going on a. identify each user/device, groups of users/devices including admin and external users b. identify what traffic they need to accomplish. Discuss what each WAN is expected to be used for. Part of PCC group of W...
by anav
Sat Aug 31, 2024 4:29 pm
Forum: Beginner Basics
Topic: VPN behind CG-NAT [SOLVED]
Replies: 2
Views: 703

Re: VPN behind CG-NAT [SOLVED]

Yes, that would be the best way.
Another method is to rent a Server and setup CHR MT instance in the cloud, they can be had for around $8 a month.
by anav
Sat Aug 31, 2024 4:49 am
Forum: Beginner Basics
Topic: Hybrid ports and VLAN for tagged and untagged connections.
Replies: 10
Views: 1384

Re: Hybrid ports and VLAN for tagged and untagged connections.

/export file=anynameyouwish ( minus router serial number, any public wanip information, keys, etc.)
by anav
Fri Aug 30, 2024 10:33 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

Complete rewrite! ip firewall filter {input chain} add action=accept chain=input connection-state=established,related,untracked add action=drop chain=input connection-state=invalid add action=accept chain=input protocol=icmp +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ add action=accep...
by anav
Fri Aug 30, 2024 10:12 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

Wow, glad you managed that, I would have been lost in that WAN setup. Changes/additions only. Not asking you to delete any config, just modify existing config or add config.
# model = CCR1036-12G-4S
/interface list
add name=WAN
add name=LAN
/interface list members
add interface=ether2-MGTM list=LAN ...
by anav
Fri Aug 30, 2024 6:13 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

What is the purpose of FOUR routes, I was only expecting two??
/ip route
add comment="To connect ORG srv" dst-address=10.42.0.0/24 gateway=10.42.17.121
add comment="To connect to Bouygue srv" dst-address=89.81.69.0/24 gateway=10.223.130.120
add comment="Default route via Ora...
by anav
Fri Aug 30, 2024 5:41 pm
Forum: General
Topic: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wrong
Replies: 20
Views: 2735

Re: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wr

Okay, all good info, yes it should load balance any connection coming from vlan7,ether10. I don't understand the purpose of your complex scripts.......... Why are they needed, especially the dhcp server???? You seem to have two sets, DHCP server and DHCP clients etc.... The dhcp client assuming ISP......
by anav
Fri Aug 30, 2024 5:38 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

Okay, much clearer thanks!!

So the purpose of the two separate wireguard interfaces is to have both up at all times, one for WAN1 and one for WAN2. Makes sense to me.
Which is primary WAN and which is secondary WAN?
by anav
Fri Aug 30, 2024 5:28 pm
Forum: Scripting
Topic: Find External IP ? [SOLVED]
Replies: 29
Views: 96201

Re: Find External IP ? [SOLVED]

Why use all this complicated code, when you can just go to IP Cloud and turn it on. Then router does everything for you. To get the IP address in code:
:put [/ip cloud get public-address]
Jotne, I want to put the dynamic wanip in a dstnat rule. Note the comment for identification/location purposes....
by anav
Fri Aug 30, 2024 4:52 pm
Forum: General
Topic: Mangle with two different WAN
Replies: 27
Views: 1928

Re: Mangle with two different WAN

Remove serial number above. To be clear.
a. are you using the MT as a server for handshake for two wireguard interfaces.
b. are you using the MT as client for handshake for two wireguard interfaces.
c. are any of your WANIP addresses public?
d. if No, can you forward the wireguard port to your MT ro...
by anav
Fri Aug 30, 2024 4:37 pm
Forum: Beginner Basics
Topic: Wireguard Road Warrior Problems with muti WAN
Replies: 5
Views: 665

Re: Wireguard Road Warrior Problems with muti WAN

So is the mikrotik AX3 not the server for your wireguard network??? If it is, which I conclude as you have the input chain rule to accept the handshake, then your allowed IPs are incorrect. Each road warrior needs their specific config line. It's peer to peer VPN, thus one rule for all makes no sense...