Community discussions

Search found 20312 matches

by anav
Tue Jun 25, 2024 2:36 am
Forum: Beginner Basics
Topic: Slow internet with load balancing PCC
Replies: 11
Views: 364

Re: Slow internet with load balancing PCC

(1) Correct, there is no need to have two settings, one for each subnet. Use of interface lists simplifies. (2) I always write the config as though I am talking through the config. It will be shown by the config without the dst-address=0.0.0.0/0 I believe, and that's fine. (3) Good, this is very impo...
by anav
Tue Jun 25, 2024 12:47 am
Forum: General
Topic: recursive routing not wokring [SOLVED]
Replies: 4
Views: 1804

Re: recursive routing not wokring [SOLVED]

If you are mangling for port forwarding reason, then you can ignore the mangling above and focus on the below: /ip firewall address-list add address=server1/32 list=MyServers add address=server2/32 list=MyServers etc...... /ip/firewall/mangle add chain=forward action=mark-connection connection-mar...
by anav
Tue Jun 25, 2024 12:46 am
Forum: Forwarding Protocols
Topic: Its this config possible?? 2ISP, port forwarding and VPN
Replies: 1
Views: 99

Re: Its this config possible?? 2ISP, port forwarding and VPN

Yeah I took a look and commented on your other post---> your mangles made no sense, totally wrong, besides the fact you failed to provide any useful context for mangling. As well your routes were completely hosed. Not surprised nothing works for you. Post your config, explain the requirements fully
by anav
Tue Jun 25, 2024 12:45 am
Forum: General
Topic: recursive routing not wokring [SOLVED]
Replies: 4
Views: 1804

Re: recursive routing not wokring [SOLVED]

(1) Tables seem OKAY. ;-) /routing/table add fib name=to_PPPOE add fib name=to_Router (2) MangleS WHY, you do not say and thus the limited snippets you present have no context and it's rather lame.......... But the most common reason is for traffic to the router itself, perhaps vpn etc...... /ip/firew...
by anav
Tue Jun 25, 2024 12:24 am
Forum: Beginner Basics
Topic: WireGuard connection site-to-site configuration
Replies: 1
Views: 73

Re: WireGuard connection site-to-site configuration

Both configs
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
by anav
Tue Jun 25, 2024 12:22 am
Forum: Beginner Basics
Topic: Bandwidth Limitation on hAP ac (1Gbps Subscription, Only Getting 150Mbps)
Replies: 8
Views: 275

Re: Bandwidth Limitation on hAP ac (1Gbps Subscription, Only Getting 150Mbps)

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
by anav
Tue Jun 25, 2024 12:18 am
Forum: General
Topic: interconnect between Wireguard and SSTP
Replies: 1
Views: 75

Re: interconnect between Wireguard and SSTP

Why complicate your life with two disparate VPN networks. I would use ONE wireguard network to join the two routers and which would allow me to access both routers as a road warrior for subnet access or both routers config for admin access etc... The reason to use SSTP between two MT devices is that...
by anav
Tue Jun 25, 2024 12:09 am
Forum: General
Topic: Securing Wireguard setup
Replies: 9
Views: 371

Re: Securing Wireguard setup

(1) Yes, where I say to simplify, indeed it's a false sense of security. (2) By virtue of being on different vlans subnets are ALREADY separated at layer 2. The firewall rules ensure separation at layer 3. (3) (4) Good, then my rules apply. (5) As you require, flexibility of a clean simplified approa...
by anav
Mon Jun 24, 2024 10:07 pm
Forum: Forwarding Protocols
Topic: I need help, why can't I take my vlan further, what should I modify to make it work correctly?
Replies: 1
Views: 173

Re: I need help, why can't I take my vlan further, what should I modify to make it work correctly?

Keep one vlan for management. VLAN99 let's say, all devices are assigned a static IP address on this subnet. On the trunk port is also all the data vlans needed. Use one vlan per subnet. What do you mean by wlan0 and LAN0?? Basically every device, besides the router, should look like... /interface brid...
by anav
Mon Jun 24, 2024 8:56 pm
Forum: Beginner Basics
Topic: Using RB5009 in bridge mode [SOLVED]
Replies: 16
Views: 4095

Re: Using RB5009 in bridge mode [SOLVED]

Concur, don't understand what is being done here?
There is only one termination point for a public IP, is it the RB5009 or the UG etc......
by anav
Mon Jun 24, 2024 6:15 pm
Forum: Beginner Basics
Topic: Port Forwarding not working
Replies: 6
Views: 253

Re: Port Forwarding not working

Last comment. It's not clear why you are mangling as your config is incomplete.
Be careful as you may be mangling server traffic unintentionally.
If the fixes provided don't work, then I suspect the issues may be with
a. ridonkulous firewall rules
b. mangling interference
by anav
Mon Jun 24, 2024 6:13 pm
Forum: Beginner Basics
Topic: Port Forwarding not working
Replies: 6
Views: 253

Re: Port Forwarding not working

(1) You can easily check if your MYNETNAME is working or not. If IP cloud it should show you the resolved address " public address= W.X.Y.Z " You can double check this on your firewall address list entry. /ip firewall address-list add address=MYNETNAME list=myWAN When you check, in winbox,...
by anav
Mon Jun 24, 2024 5:52 pm
Forum: General
Topic: Securing Wireguard setup
Replies: 9
Views: 371

Re: Securing Wireguard setup

I see red and white my friend, colours of our flag by the way :-) the Canadians with Red Maple leafs, drove the Germans from Breskens Pocket. Meanwhile, 2nd Canadian Division, working closely with Belgian resistance fighters, known as the White Brigade, cleared Antwerp's port, and subsequently advan...
by anav
Mon Jun 24, 2024 5:42 pm
Forum: Beginner Basics
Topic: Isolate a single ethernet interface from the rest of the LAN [SOLVED]
Replies: 11
Views: 421

Re: Isolate a single ethernet interface from the rest of the LAN [SOLVED]

Keep it simple!! no need for static routes or the like. This is a basic providing private IP to second router using a dedicated LAN subnet. You can do it many ways, bridge-subnet and ether5 subnet (or what I usually prefer is VLAN5 for home VLAN10 for guest house). /ip address add address=192.168.88...
by anav
Mon Jun 24, 2024 5:19 pm
Forum: Beginner Basics
Topic: Slow internet with load balancing PCC
Replies: 11
Views: 364

Re: Slow internet with load balancing PCC

IP Settings:

RP filter set to LOOSE
TCP syn cookies NOT CHECKED
ALLOW FAST PATH NOT CHECKED
by anav
Mon Jun 24, 2024 5:17 pm
Forum: Beginner Basics
Topic: Slow internet with load balancing PCC
Replies: 11
Views: 364

Re: Slow internet with load balancing PCC

(1) /interface detect-internet set detect-interface-list=none (2) MISSING required table main routes for all WANs. /ip route add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 table=main comment=VDLS1 add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=192.168.0...
by anav
Mon Jun 24, 2024 3:29 pm
Forum: Beginner Basics
Topic: Isolate a single ethernet interface from the rest of the LAN [SOLVED]
Replies: 11
Views: 421

Re: Isolate a single ethernet interface from the rest of the LAN [SOLVED]

First: Don't understand why you play with WANs turning off and on manually. What is the requirement that drives that........ Why not primary secondary tertiary OR load balance between all three, or some combination???? It would seem that the requirement in terms of neighbour connectivity is PRIMARILY ...
by anav
Mon Jun 24, 2024 3:19 pm
Forum: General
Topic: Securing Wireguard setup
Replies: 9
Views: 371

Re: Securing Wireguard setup

In a business environment one would use different wg interface altogether to separate business and non-business needs. One could use the same interface and separate subnet addressing as well, which may be appropriate enough to separate some groups of users. Your input is way overkill here and I disa...
by anav
Mon Jun 24, 2024 3:15 pm
Forum: General
Topic: Mikrotik Routing Table
Replies: 1
Views: 120

Re: Mikrotik Routing Table

Unable to comment until see the config......... /export file=anynameyouwish (minus router serial number, any public WANIP info, keys etc..) Both ISPs private IPs? What traffic flow do you need to accomplish creating a static route is NOT a requirement, its config speak. Discuss in terms of users or ...
by anav
Mon Jun 24, 2024 1:58 am
Forum: Beginner Basics
Topic: Slow internet with load balancing PCC
Replies: 11
Views: 364

Re: Slow internet with load balancing PCC

Cannot help your config is missing 192.168.0.0-192.168.3.0 lan subnets........... I see them in mangling but no clue what they are. Are you saying that all your WANs are private IPs? Or are they all dynamic and public but you are simply showing them as private??? Until the WAN situation is sorted ou...
by anav
Mon Jun 24, 2024 1:52 am
Forum: Beginner Basics
Topic: Internet Connectivity Issue with MikroTik Router [SOLVED]
Replies: 6
Views: 272

Re: Internet Connectivity Issue with MikroTik Router [SOLVED]

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
by anav
Mon Jun 24, 2024 1:51 am
Forum: General
Topic: Securing Wireguard setup
Replies: 9
Views: 371

Re: Securing Wireguard setup

Good questions.. (1) The input chain rule can be simplified to just: /ip firewall filter add chain=input action=accept dst-port=49152 protocol=udp comment="accept Wireguard traffic" (2) What most do when the router is the server for handshake is make the wireguard part of the LAN interface...
by anav
Sun Jun 23, 2024 6:02 pm
Forum: General
Topic: script to replace IP address in routes [SOLVED]
Replies: 4
Views: 200

Re: script to replace IP address in routes [SOLVED]

Yup that's pretty common, one identifies the IP route via a unique comment on the IP route line. I have one but do it in the IP DHCP client section (fiber). In my case I have two DNS addresses I check for the IP so I have to change two routes and thus have two find rules. For efficiency sake I could ...
by anav
Sun Jun 23, 2024 4:10 pm
Forum: Beginner Basics
Topic: VLANs - firewall rules
Replies: 3
Views: 387

Re: VLANs - firewall rules

Read through this for better understanding.......
viewtopic.php?t=143620
by anav
Sun Jun 23, 2024 4:02 pm
Forum: General
Topic: Recursive routing working in 7.6?
Replies: 17
Views: 2802

Re: Recursive routing working in 7.6?

Whatever gotsprings did there, it's complete BS IMHO. What are your requirements 2 WANs, 3 WANs... ? Both public or private IPs, dynamic/static? There are two approaches to recursive........ FLAT NESTED Flat is basically one DNS server IP to one WAN ISP You can add more DNS per WAN ISP Nested is ...
by anav
Sun Jun 23, 2024 3:57 pm
Forum: General
Topic: script to replace IP address in routes [SOLVED]
Replies: 4
Views: 200

Re: script to replace IP address in routes [SOLVED]

You have to create a script that reads the new gateway from the ISP and then manually inserts it into the applicable IP route(s).
Search on the forum been covered a lot.
by anav
Sun Jun 23, 2024 3:47 am
Forum: Beginner Basics
Topic: Port forwarding [SOLVED]
Replies: 7
Views: 353

Re: Port forwarding [SOLVED]

To think most people here questioned my need for a sandbox training forum for new posters............... most people are morons. Glad to help once you post your config. In general for a complex setup and question, a network diagram is a good idea - but not usually for simple port forward. Also often...
by anav
Sun Jun 23, 2024 12:29 am
Forum: Beginner Basics
Topic: How to open ports?
Replies: 7
Views: 441

Re: How to open ports?

https://www.youtube.com/watch?v=rwjtRLQjMjA&t=2143s https://www.youtube.com/watch?v=Q9qwgKrw-0g https://www.youtube.com/watch?v=GTDgeZLc190&t=486s https://www.youtube.com/watch?v=NXvHdZbAuTI&t=13s https://www.youtube.com/watch?v=nBUh5Nk2F1k https://www.youtube.com/watch?v=a_8AV6vIDYQ htt...
by anav
Sun Jun 23, 2024 12:21 am
Forum: General
Topic: Wireguard ProtonVPN config for a single IP [SOLVED]
Replies: 6
Views: 316

Re: Wireguard ProtonVPN config for a single IP [SOLVED]

Yes that would do it, I assumed that was short form for 0.0.0.0/0 and didn't mention it. I will know better next time thanks for the feedback.
Glad it's working for ya.
by anav
Sat Jun 22, 2024 7:13 pm
Forum: Beginner Basics
Topic: Wireless VLANs on ROS 7.15.0
Replies: 4
Views: 230

Re: Wireless VLANs on ROS 7.15.0

No doubt your config is not correct Post both configs MT and CCS326 Assuming you get a public IP from the draytek modem and the AX3 is acting as a full AP router. /export file=anynamewyouwish ( minus router serial number, any public WANIP information, keys etc._) unless you use capsman and then I ca...
by anav
Sat Jun 22, 2024 7:08 pm
Forum: General
Topic: Wireguard ProtonVPN config for a single IP [SOLVED]
Replies: 6
Views: 316

Re: Wireguard ProtonVPN config for a single IP [SOLVED]

First, details matter (1) the request was to do this in firewall forward chain. add chain=forward action=accept src-address=192.168.20.9/32 out-interface=wg-protonvpn log=yes log-prefix="outbound proton" (2) why did you try pinging anything until the rest of the rules were completed? Also ...
by anav
Sat Jun 22, 2024 7:00 pm
Forum: General
Topic: r/MikroTik, unofficial subreddit, my own personalized approach to discuss this topic given my experiences
Replies: 8
Views: 503

Re: r/MikroTik, unofficial subreddit, my own personalized approach to discuss this topic given my experiences

You suffer a common affliction: verbal diarrhea. Please seek counselling as your problems have nothing to do with Mikrotik RoS and furthermore no one here has the time or capacity to deal with it.
by anav
Sat Jun 22, 2024 2:30 pm
Forum: General
Topic: Wireguard ProtonVPN config for a single IP [SOLVED]
Replies: 6
Views: 316

Re: Wireguard ProtonVPN config for a single IP [SOLVED]

Don't see anything on a quick review.................. Yes one can either add proton interface to WAN interface list or separate srcnat rule, both work. (1) Do you have a firewall rule allowing single device to enter proton tunnel? (2) simplify the rule....... /routing rule add action=lookup-only-in-...
by anav
Sat Jun 22, 2024 1:30 pm
Forum: Beginner Basics
Topic: Port forwarding [SOLVED]
Replies: 7
Views: 353

Re: Port forwarding [SOLVED]

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
by anav
Sat Jun 22, 2024 2:54 am
Forum: General
Topic: Default firewall rule for loopback, now that lo interface exists
Replies: 16
Views: 713

Re: Default firewall rule for loopback, now that lo interface exists

Nice use of wireguard connection. Makes sense!
by anav
Fri Jun 21, 2024 8:55 pm
Forum: General
Topic: Default firewall rule for loopback, now that lo interface exists
Replies: 16
Views: 713

Re: Default firewall rule for loopback, now that lo interface exists

How can you ping wireguard road warriors when you don't know their public WANIP?
What is the value in this knowledge?
by anav
Fri Jun 21, 2024 8:53 pm
Forum: General
Topic: Routing gateway by interface name not working consistently
Replies: 3
Views: 164

Re: Routing gateway by interface name not working consistently

/export file=anynameyouwish ( minus router serial number, any public WANIp information, keys etc.)
by anav
Fri Jun 21, 2024 2:33 pm
Forum: Beginner Basics
Topic: Hex as Switch; VLANs Can't Access Winbox
Replies: 5
Views: 339

Re: Hex as Switch; VLANs Can't Access Winbox

Your setup is not quite there........... this would be correct.... (1) only entry required on bridge setting is turning vlan filtering on. (2) I prefer manually entering the untagged and that way it shows up on config exports and can match visually with bridge port settings. (3) Address for the devi...
by anav
Fri Jun 21, 2024 2:15 pm
Forum: General
Topic: Default firewall rule for loopback, now that lo interface exists
Replies: 16
Views: 713

Re: Default firewall rule for loopback, now that lo interface exists

You speak in riddles. What is the requirement in traffic flow for. a. user b. device Allow the router back to itself means nothing to me. Are you saying the admin needs to do something, a user needs to do something, explain in terms of required traffic flow. Unless of course, you have an AI mikrotik...
by anav
Fri Jun 21, 2024 2:12 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 630

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

Connection new is in examples, but it's not required in mangles nor in firewall rules. One has to take MT documentation with a grain of salt. It could be used in mangles in very specific circumstances to finesse the identifying of traffic but not in your case. The new-connection-mark appears when you...
by anav
Thu Jun 20, 2024 10:35 pm
Forum: Beginner Basics
Topic: How to open ports?
Replies: 7
Views: 441

Re: How to open ports?

Sorry not my job, I am here to help people with their issues. Take some courses read some books, watch decent videos, and if you have questions, based on some EFFORT, on the subject at hand, then I will gladly respond. https://www.amazon.ca/s?k=mikrotik+book&crid=28D1WR29OK20B&sprefix=mikrot...
by anav
Thu Jun 20, 2024 10:33 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1094

Re: Dual Wan

Well you must be precise and i could care less about WAN2, I care about user/device traffic needs. Primary -WAN1 Secondary -WAN2 (failover) a. access to WAN1 for all (all the time). b. access to WAN2 all the time for a few devices, when failover occurs c. access to WAN2 part time (8-5 M-F) for a few...
by anav
Thu Jun 20, 2024 8:13 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1094

Re: Dual Wan

So the last entry was interesting, as you are attempting to communicate requirements. First that you are trying to limit access to WAN2 for some users/devices ?????... Assuming T Mobile is your failover WAN. It would seem you have a few user/devices that can have access to WAN1 ALL the time, but sho...
by anav
Thu Jun 20, 2024 7:47 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 630

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

Only real change is adding distance to WAN2. /ip route add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-table=main add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-t...
by anav
Thu Jun 20, 2024 7:43 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 630

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

(1) don't need connection-state=new (2) REMOVE 8291 from port forwarding, this is a router service, so port forwarding does not apply, FURTHER, it's not safe to access from external....... REMOVED. Clue port forwarding to gateway is usually not a good idea! The first set of rules below are ONLY REQUIR...
by anav
Thu Jun 20, 2024 5:54 pm
Forum: General
Topic: Default firewall rule for loopback, now that lo interface exists
Replies: 16
Views: 713

Re: Default firewall rule for loopback, now that lo interface exists

Its genetic......... like Łukasiewicz notation ;-)
by anav
Thu Jun 20, 2024 5:37 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 630

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

Without looking at config, if you can ping clients but not reach them...........hmmm Normally On fritz a. need static route stating if you want to reach 192.168.3.0/24 use gateway of 192.168.254 b. need at least firewall rule for 3.0 user to visit 2.0 users. However, since MT is a router you could a...
by anav
Thu Jun 20, 2024 5:28 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 630

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

All understood. PTP is primary WAN, with throughput of 20Mbps 4G router is secondary WAN with throughput roughly double of 50Mbps If this is the case then I would at least do PCC on a 2:1 type basis............ 3:0 wan1 - 4g 3:1 wan2 adsl 3:2 wan1 - 4g The queuing is confusing why are you: - targeti...
by anav
Thu Jun 20, 2024 5:13 pm
Forum: Beginner Basics
Topic: How to open ports?
Replies: 7
Views: 441

Re: How to open ports?

Why don't you stop providing advice until you learn more about RoS please. Your advice is incomplete in multiple ways.
by anav
Thu Jun 20, 2024 5:09 pm
Forum: Beginner Basics
Topic: block cross traffic
Replies: 2
Views: 219

Re: block cross traffic

mkx is suffering from timidness today. Much better to for example at the end of the forward chain put add action=drop chain=forward comment="drop all else" above this as follows: /ip firewall { default rules to keep } add action=fasttrack-connection chain=forward connection-state=establish...
by anav
Thu Jun 20, 2024 4:06 pm
Forum: Beginner Basics
Topic: VLANs - firewall rules
Replies: 3
Views: 387

Re: VLANs - firewall rules

1. You should not be able to access subnets behind the router via your public IP address ( or domain name etc.). If you need to reach servers you would use dstnat rules (port forwarding to do so). So its not clear what you want to achieve exactly. Do you mean access from external locations, do you m...
by anav
Wed Jun 19, 2024 10:00 pm
Forum: Beginner Basics
Topic: No response from NordVPN over OVPN Client config - Router OS 7.15.1 [SOLVED]
Replies: 3
Views: 303

Re: No response from NordVPN over OVPN Client config - Router OS 7.15.1 [SOLVED]

Yes NordLynx crappola. I wonder if you open their app one can find all the necessary info and thus translate it to the router............ Specifically need: a. Wireguard endpoint Port b. Wireguard endpoint address c. DNS server or address preferred/requested/installed by nordlynx app d. Wireguard ad...
by anav
Wed Jun 19, 2024 9:48 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 630

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

(1) You have wireguard Okay I see this is not for remote access to the MT but to go out a third party for wireguard?? Please confirm who/what/where is providing server instance for handshake. (and purpose of wireguard in your setup) (2) WHat is the purpose of queuing? You have PCC setup on wan1 and ...
by anav
Wed Jun 19, 2024 9:43 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 630

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

duplicate
by anav
Wed Jun 19, 2024 9:30 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 630

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

hahahaha, I love the long lines of MT config, its like poetry. What I want is for each new poster to first be eligible for a sandbox forum. There they have to read some dos and donts and then present their post after reading. IF the post meets the standards the post gets elevated to the beginner for...
by anav
Wed Jun 19, 2024 6:48 pm
Forum: Beginner Basics
Topic: Mikrotik "WAN" from Fortigate, cannot accessd evices after Fortigate
Replies: 2
Views: 216

Re: Mikrotik "WAN" from Fortigate, cannot accessd evices after Fortigate

If you want to create a subnet on the mikrotik then it will have to act as a router not a switch. In this case the 10.10.10.X address assigned to the MT by the Fortigate will be: a. the LANIP of the MT on the fortinet lan subnet b. the WANIP of the MT. What you need to decide behind the MT is if a. ...
by anav
Wed Jun 19, 2024 6:42 pm
Forum: Beginner Basics
Topic: Problems with wireguard and Mobile Data
Replies: 3
Views: 294

Re: Problems with wireguard and Mobile Data

The issue is you are getting a private IP from the ISP device and not a public IP.
PPPOE would seem not to be required in this case but not sure.

Can you at least forward ports on the ISP device to the MT????
by anav
Wed Jun 19, 2024 6:40 pm
Forum: Beginner Basics
Topic: How to open ports?
Replies: 7
Views: 441

Re: How to open ports?

Do you have a public IP or does your upstream router allow you to open ports?
What is your level of knowledge configuring MT routers as the RB5009 is not for the faint of heart.
by anav
Wed Jun 19, 2024 6:31 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 630

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

without seeing the config...........................

/export file=anynameyouwish (minus router serial number, any public WANIP info, keys etc. )
by anav
Wed Jun 19, 2024 6:13 pm
Forum: General
Topic: Too tight firewall rules? I'm lost!
Replies: 2
Views: 198

Re: Too tight firewall rules? I'm lost!

Better yet is to realize the config is all connected
/export file=anynameyouwish ( minus router serial#, any public WANIP information, keys, etc. )
by anav
Wed Jun 19, 2024 4:43 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1153

Re: WireGuard routing

R2 CONFIG Main focus is simplifying Wireguard Setup, only one interface required for own vpn /interface wireguard add comment="WG-own-VPN RB5009" listen-port=51819 mtu=1420 name=WG-Server /interface list add name=LANs /interface list add name=WANs /interface list member add interface=Bri...
by anav
Wed Jun 19, 2024 3:58 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1153

Re: WireGuard routing

R3 CONFIG /interface wireguard peers add allowed-address=10.7.0.0/24,10.10.10.0/24,10.10.11.0/24,10.10.12.0/24 comment="to WG-Own-VPN" endpoint-address=xxxx.xx endpoint-port=51819 interface=WG2-AX3 persistent-keepalive=1m public-key="xxxx" /interface list add name=LANs /interfa...
by anav
Wed Jun 19, 2024 3:20 pm
Forum: Beginner Basics
Topic: Hex as Switch; VLANs Can't Access Winbox
Replies: 5
Views: 339

Re: Hex as Switch; VLANs Can't Access Winbox

Well you do not state the purpose of ether5 clearly, as its another trunk port. One has to assume its thus going to another smart device and will have to carry the trusted LAN to the next smart device as each smart device should get an IP address on the trusted subnet. Why would you bother putting t...
by anav
Wed Jun 19, 2024 3:01 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1788

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

/ip neighbor discovery-settings set discover-interface-list=LAN /ip settings set rp-filter=loose tcp-syncookies=no /interface detect-internet set detect-interface-list=none REMOVE - /ip dns static add address=192.168.0.1 comment=defconf name=router.lan REMOVE net mask if you entered it manually. Rem...
by anav
Wed Jun 19, 2024 2:50 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1153

Re: WireGuard routing

Okay will ignore VPS for now............. sorry for the sidetrack but I like to make the whole thing work :-)
The First post focussing on the router is all valid for the purpose of inter LAN traffic and admin able to access each router when local and remote.
by anav
Wed Jun 19, 2024 2:47 pm
Forum: General
Topic: VLAN tag on port vs Switch Chip
Replies: 5
Views: 376

Re: VLAN tag on port vs Switch Chip

Since both work for you and you can measure the performance via speed tests and you can monitor the CPU usage, this is a non-problem. Being a trainer, not sure why the facts are not good enough??? What the heck is operator vlan, like making up new terms to confuse people............... If your fishi...
by anav
Tue Jun 18, 2024 11:14 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1153

Re: WireGuard routing

Enjoy, There are two methods one can choose. There is no automated method to enable and disable at will. You will have to manually decide when and if there is VPS or Local WAN access. 1. Use of Table, IP route, and Routing rules. 2. Use of table, IP route and Mangling (via address list) /ip table an...
by anav
Tue Jun 18, 2024 9:12 pm
Forum: Beginner Basics
Topic: Tunneling internet traffic through IPsec tunnel
Replies: 2
Views: 214

Re: Tunneling internet traffic through IPsec tunnel

Concur like 200-400 Mbps max for ethernet and a portion of that for any VPN. What is your ISP throughput at home? Do you have a public IP at home (static or dynamic)? EGADs, Your rules are a mess and need to be simplified and put in their correct locations. Looks like dynamic PPPOE Besides getting a...
by anav
Tue Jun 18, 2024 6:45 pm
Forum: Beginner Basics
Topic: hap ax3 wifi interfaces
Replies: 13
Views: 2103

Re: hap ax3 wifi interfaces

Perhaps we should call the hapax3 ( with no interFACES), the hap"Arya Stark".
by anav
Tue Jun 18, 2024 6:04 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1094

Re: Dual Wan

Difference between simple but don't understand RoS and complex and don't understand RoS.
So concur one has to get comfortable with RoS to some degree to see the difference.
I recommend Slovenian beer LOL.
by anav
Tue Jun 18, 2024 5:58 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1094

Re: Dual Wan

There was nothing complex about the firewall rules on the initial post as a solution, nor actually is anything else complex mentioned above.
by anav
Tue Jun 18, 2024 5:57 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1153

Re: WireGuard routing

Once we remove the unknowns and get R1 to where it should be we can move to R3 and then finally R2.
by anav
Tue Jun 18, 2024 5:56 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1153

Re: WireGuard routing

Ahh okay. SO main wireguard is to connect routers and subnets and admin access VPS wireguard is to allow certain user access to independent internet. Might work fine but context allows one to make sense of the config . R2-->AX3 -Server Peer for Wireguard network R1 -->RB5009 -Client Peer for Wiregua...
by anav
Mon Jun 17, 2024 11:52 pm
Forum: Beginner Basics
Topic: Firewall - 80 & 443 to Server
Replies: 3
Views: 303

Re: Firewall - 80 & 443 to Server

I recommend. Larsa's Visa Card Number.
by anav
Mon Jun 17, 2024 11:05 pm
Forum: Beginner Basics
Topic: Firewall - 80 & 443 to Server
Replies: 3
Views: 303

Re: Firewall - 80 & 443 to Server

Why not change title too, so it's not an attractive stopping place.
by anav
Mon Jun 17, 2024 10:26 pm
Forum: General
Topic: Route Netflix traffic via VPN
Replies: 21
Views: 1460

Re: Route Netflix traffic via VPN

Nice!!!
by anav
Mon Jun 17, 2024 5:08 pm
Forum: Beginner Basics
Topic: IPIP vpn - basic question
Replies: 2
Views: 344

Re: IPIP vpn - basic question

IP --> IP between MT devices is very easy and my choice for back up to wireguard.
All that is required is an ipsec secret shared between the two devices.

For single users not that easy, but wireguard for sure is, but not sure how it scales for large number of users
by anav
Mon Jun 17, 2024 4:51 pm
Forum: Beginner Basics
Topic: VLAN instable ping and connection
Replies: 6
Views: 505

Re: VLAN instable ping and connection

As you can see on the provided link, use of vlan1 is a NO GO.
Make it vlan10 and you are good. Vlan1 is used by the router in the background, do not use!!

If you need an example, think of the base vlan as vlan1
by anav
Mon Jun 17, 2024 4:50 pm
Forum: General
Topic: ccr2004-1G-12S+2XS - performance
Replies: 5
Views: 444

Re: ccr2004-1G-12S+2XS - performance

Concur, you bought a router that for all intensive purposes will be able to route from WAN to LAN maxing out around 5gbps real world. I do note that just bridging and just routing with no other rules in play is around 25gbps. What is not clear to me is what happens on the switching side. a. etherpor...
by anav
Mon Jun 17, 2024 4:45 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1788

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

1. Best --> have all users wireguard to the inside of the router and then access server.
2. Better --> Ensure you use a source address or source address list for external originators when possible (on dstnat rules). Then ports do not appear on scans, open or closed.
by anav
Mon Jun 17, 2024 2:46 pm
Forum: General
Topic: Access to Mikrotik from wireguard peer
Replies: 6
Views: 322

Re: Access to Mikrotik from wireguard peer

Concur, there are many instances where wireguard is to a third party server and in that case it makes more sense for WG to be part of the WAN interface list, and thus the default masquerade rule covers local subnet to wireguard traffic.
by anav
Mon Jun 17, 2024 2:44 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1365

Re: Long Term release or new functions?

Economics, reality vs wishes of naive software trained folks. If the lack of LTS is hurting the bottom line, finite resources will be shifted or a case could be made for more resources. As stated these polls are a waste of time and are not used to direct or influence any level of management at MT. I...
by anav
Mon Jun 17, 2024 2:33 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1153

Re: WireGuard routing

Your use of subnets for wireguard is problematic, when I get time will modify it.......... Now I see some new information previously not noted, you have a second wireguard network to VPS?? So to be clear R2 is the VPS, RB5009 is R1 and AX3 is R3 ?? Configs of each device are required not just one......
by anav
Mon Jun 17, 2024 2:30 pm
Forum: Beginner Basics
Topic: VLAN instable ping and connection
Replies: 6
Views: 505

Re: VLAN instable ping and connection

Many things wrong 1. first its not a complete export /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) 2. Your mixing apples and oranges, once you go vlans, dont have the bridge do any dhcp, simply give that subnet a vlan like the rest.... https://for...
by anav
Mon Jun 17, 2024 2:25 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1365

Re: Long Term release or new functions?

Ur not listening. There is not enough staff to do all. If they apply resources doing LTS effort, then those resources are not available on other work. The answer is more staff, and that aint going to happen unless the lack of staff is hindering profit margins. Remember people are the most expensive ...
by anav
Mon Jun 17, 2024 2:21 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1788

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

Perhaps, do you or do you not have an IPV6 internet connection?? If not why do you have ipv6 rules, and lists........
by anav
Mon Jun 17, 2024 2:19 pm
Forum: General
Topic: Access to Mikrotik from wireguard peer
Replies: 6
Views: 322

Re: Access to Mikrotik from wireguard peer

Your config is wrong, a reasonable request to post it has been ignored.
by anav
Sun Jun 16, 2024 11:43 pm
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 2358

Re: Problems with mangle-rules on RouterOS 7.12

Shon post complete config and will look.

/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.)
by anav
Sun Jun 16, 2024 10:10 pm
Forum: Beginner Basics
Topic: No traffic via Mikrotik Wireguard
Replies: 5
Views: 473

Re: No traffic via Mikrotik Wireguard

1. Why do you have this rule, its an advance usage functionality that should be avoided if not required. /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes 2. Modify bridge ports as such. /interface bridge port add bridge=BR1 ingress-filtering=yes frame-type=admit-only-v...
by anav
Sun Jun 16, 2024 9:46 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1153

Re: WireGuard routing

All doable but not quite clear yet. 1. What is the role of R2 with respect to wireguard ( server for handshake for both R1 and R3 ). 2. R2 is the only one of the three with a public IP address or the ability of an upstream ISP router to forward a port? 3. Why are there two wireguard interfaces ident...
by anav
Sun Jun 16, 2024 9:35 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1094

Re: Dual Wan

So access list will work for known devices and I can certainly assign static IPs. What about unknown devices/ visitors on Wi-Fi? Is there another way? Can I allow access to wan1 and wan2 for eth3,4. But eth5,6,7,8 only to wan1 and never wan2. There are actually two requests here............ a. unkn...
by anav
Sun Jun 16, 2024 8:42 pm
Forum: General
Topic: Route Netflix traffic via VPN
Replies: 21
Views: 1460

Re: Route Netflix traffic via VPN

True dat, I never looked at the text and just saw that foreign looking hieroglyphics and looking at it more closely does appear to be a script of some sort LOL As to the question easy peasy. Dedicate one VLAN to netflix use ( AKA, be it the apple tv box, or android box etc........ the device in quest...
by anav
Sun Jun 16, 2024 8:37 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1788

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

Not familiar with IPV6, and I was always given the impression that IPV6 was perfectly safe, obviously not only do you not have the additional protection of NAT, one still needs full set of firewall rules............. dont see why its any better.
by anav
Sun Jun 16, 2024 12:43 am
Forum: General
Topic: Route Netflix traffic via VPN
Replies: 21
Views: 1460

Re: Route Netflix traffic via VPN

That doesnt look like Mikrotik OS, me thinks your in the wrong forum.
by anav
Sat Jun 15, 2024 6:15 pm
Forum: Beginner Basics
Topic: Config Thoughts?
Replies: 5
Views: 605

Re: Config Thoughts?

(1) If the name of your vlan is name=v88-Primary
Dont use the same name for everything else, WAY WAY too confusing.

Right now your IP pool, dhc-server etc have the same name................
by anav
Sat Jun 15, 2024 6:05 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1667

Re: Both Openvpn and Wiregurard fail

Where is the main internet on your diagram WAN1, I only see LTE?? What is the role of that asus router?? Why do you have two wireguards defined on the L1009? I can see the requirement for a NORMAL wireguard connection to the VPS as you state all subnets to get internet through VPS. But what happens ...
by anav
Sat Jun 15, 2024 6:02 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1094

Re: Dual Wan

I am not interested in chasing your wish list. Either your requirement are as stated - all devices use WAN1 as primary - only 5 devices use WAN2 as secondary. Or its something else......... if you dont know what you want, suggest you need to plan first and then rewrite your requirements to be accura...
by anav
Sat Jun 15, 2024 5:58 pm
Forum: Beginner Basics
Topic: No traffic via Mikrotik Wireguard
Replies: 5
Views: 473

Re: No traffic via Mikrotik Wireguard

First, would need to see config of router /export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.) Second, would need to know if FOR SURE your wanip Is public! ( also good to know if static or dynamic ). Observations thus far: 1. Assuming WG address on MT routers...
by anav
Sat Jun 15, 2024 5:52 pm
Forum: Beginner Basics
Topic: Vlan Switch to a single router
Replies: 3
Views: 1033

Re: Vlan Switch to a single router

/interface bridge add ingress-filtering=no name=bridgegym vlan-filtering=yes /interface ethernet set [ find default-name=ether2 ] name=emergaccess /interface vlan add interface=bridgegym name=homeVlan vlan-id=12 { mandatory, management or trusted vlan must be identified in /interface vlan - do not ...
by anav
Sat Jun 15, 2024 5:46 pm
Forum: General
Topic: problem with routers
Replies: 4
Views: 360

Re: problem with routers

Need to know the requirements.
a. PCC load balance or
b. wan1 priority, failover to wan2, failover to wan3
c. any users hard coded to go out WANX
d. any vpn like wireguard
e. any port forwarding to lan servers.

Knowing the requirements will ensure a proper config is built.
by anav
Sat Jun 15, 2024 5:43 pm
Forum: General
Topic: AmneziaWG in RouterOS?
Replies: 10
Views: 1468

Re: AmneziaWG in RouterOS?

Interesting concept. If some routers can be set to recognize vlan traffic and this rendition of WG, avoids that detection, would seem to have some value.
by anav
Fri Jun 14, 2024 11:28 pm
Forum: General
Topic: connect a switch to two routers
Replies: 9
Views: 864

Re: connect a switch to two routers

The function of a managed switch is generally to accept a trunk port coming with a bunch of vlans including a management or trusted vlan upon which the switch gets its own IP address. The switch then funnels all the vlans out its ports to either dumb devices ( access ports ), smart devices ( trunk p...
by anav
Fri Jun 14, 2024 11:26 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1365

Re: Long Term release or new functions?

Your energy is better spent sending me liquid hops from your local brewery.
by anav
Fri Jun 14, 2024 11:25 pm
Forum: General
Topic: Recommend Mikrotik for running Container
Replies: 13
Views: 794

Re: Recommend Mikrotik for running Container

Touche!!
by anav
Fri Jun 14, 2024 11:24 pm
Forum: General
Topic: QA of software releases
Replies: 25
Views: 1465

Re: QA of software releases

Most companies dont have that much transparency/accountability...... but feel free to whine.
by anav
Fri Jun 14, 2024 7:32 pm
Forum: General
Topic: Recommend Mikrotik for running Container
Replies: 13
Views: 794

Re: Recommend Mikrotik for running Container

Is a 'running container' different from a stationary container?
by anav
Fri Jun 14, 2024 7:31 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1365

Re: Long Term release or new functions?

I thought it was a joke poll LOL, Like, I have nothing better to do today and thought this would be funny.
Concur, with the neighbour of the Pope ;-)
by anav
Fri Jun 14, 2024 5:40 pm
Forum: Beginner Basics
Topic: Can't Port Forward 1433
Replies: 10
Views: 671

Re: Can't Port Forward 1433

Ensure you have telnet Router Services DISABLED, in case it might interfere??
by anav
Fri Jun 14, 2024 5:12 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1094

Re: Dual Wan

So it sounds like you want: a. WAN1 as primary for all devices. b. WAN2 only available for failover and for a limited number of devices. The main approach is to give wan1 a lower distance than wan2 /ip route add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gateway-IP routing-tabl...
by anav
Fri Jun 14, 2024 5:01 pm
Forum: Beginner Basics
Topic: ICMP scan from my own public IP address
Replies: 1
Views: 261

Re: ICMP scan from my own public IP address

Better would be to assess what you have now...
/export file=anynameyouwish ( minus router serial number, any publicWANIP information, keys etc. )
by anav
Fri Jun 14, 2024 4:22 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1365

Re: Long Term release or new functions?

Wrong syllable, request is for more MT dev and testing staff.
by anav
Fri Jun 14, 2024 4:54 am
Forum: Beginner Basics
Topic: Can't Port Forward 1433
Replies: 10
Views: 671

Re: Can't Port Forward 1433

1. Not sure what you are doing with fancy networking stuff but lets stick to what works. The problem is you have two conflicting networks and non standard nomenclature SO NOT /ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254 /ip address add address=192.168.1.150/23 comment=defconf interf...
by anav
Thu Jun 13, 2024 11:15 pm
Forum: Beginner Basics
Topic: Can't Port Forward 1433
Replies: 10
Views: 671

Re: Can't Port Forward 1433

IF this device is connected to the internet ( not an upstream router ) then its not very secure /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=accept chain=input comment=wi...
by anav
Thu Jun 13, 2024 11:12 pm
Forum: Beginner Basics
Topic: Basic firewall hardening
Replies: 11
Views: 636

Re: Basic firewall hardening

If one is living in a warzone iPV6 looks harmless in comparison ;-) IPV6 is like taking away my comfort zone.
by anav
Thu Jun 13, 2024 11:09 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1788

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

I would want to see the complete config, its all connected.
/export file=anynameyouwish (minus router serial number, public WANIP information, keys etc. )
by anav
Thu Jun 13, 2024 11:08 pm
Forum: General
Topic: Is there a way to set local ip-address of wireguard tunnel?
Replies: 4
Views: 416

Re: Is there a way to set local ip-address of wireguard tunnel?

You are spouting gibberish. If you want to have a serious discussion
a. provide a diagram
b. explain the wans at both ends ( static, dynamic, public or private)
c. provide configs of MT devices and remote wireguard device settings
(minus serial number, any public wanip information, keys etc.)
by anav
Thu Jun 13, 2024 11:02 pm
Forum: General
Topic: QA of software releases
Replies: 25
Views: 1465

Re: QA of software releases

Yup, its about time they started to learn!! I would prefer that they are taught to ensure their first post contains coherent information so that we dont have to hunt and peck for information EVERY time. However you are straying from the gist of the thread which is testing etc......... Kudos to MT to...
by anav
Thu Jun 13, 2024 11:00 pm
Forum: General
Topic: Two Mikrotik wifi-lan sites in one subject
Replies: 2
Views: 225

Re: Two Mikrotik wifi-lan sites in one subject

Zerotier
by anav
Thu Jun 13, 2024 12:03 am
Forum: General
Topic: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router
Replies: 4
Views: 710

Re: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router

(1) My apologies I see an error I made. The allowed IPs on main router should be /interface wireguard peers add allowed-address=10.0.0.1/32,192.168.88.0/24 interface=wireguard2 name=peer1 public-key="******************************" The logic is that the server can have multiple peers on...
by anav
Wed Jun 12, 2024 9:48 pm
Forum: General
Topic: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs
Replies: 6
Views: 624

Re: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs

To avoid the lockout scenario,
I now advocate and use a port set OFF the bridge and I ensure its part of a management list interface.
I give it an IP of like 192.168.55.1/30 and then set my laptop to IPV4 settings of 192.168.55.2 plug it in and configure safely.
by anav
Wed Jun 12, 2024 9:46 pm
Forum: General
Topic: Why DNS servers are knocking port 5678 of pppoe-out1 interface?
Replies: 3
Views: 385

Re: Why DNS servers are knocking port 5678 of pppoe-out1 interface?

We advise setting internet detect to NONE.
by anav
Wed Jun 12, 2024 5:50 pm
Forum: Beginner Basics
Topic: Firewalls
Replies: 2
Views: 260

Re: Firewalls

I dont quite understand.
Why do you have a networking client, when you dont know how to config ????
by anav
Wed Jun 12, 2024 5:43 pm
Forum: General
Topic: Only one Wireguard peer working at a time [SOLVED]
Replies: 6
Views: 2699

Re: Only one Wireguard peer working at a time [SOLVED]

There is logic behind what has been suggested. Its just not a case of memorizing, its a case of understanding. The Server client ( for handshake ) may have 2 or more peers connecting to it. That is multiple peer to peer tunnels. The way any local traffic heading outbound gets sent is by several fact...
by anav
Wed Jun 12, 2024 5:37 pm
Forum: General
Topic: Home LAN ideas
Replies: 4
Views: 361

Re: Home LAN ideas

Legit concerns. I would say four SSIDs is reasonable 2x 2.4 and 2x5. A stretch to go to SIX but still possible. Of course vlans and firewall rules make for very flexible approaches. Typically the last rule in the forward chain is DROP ALL. That means only rules with allowed traffic above this rule a...
by anav
Wed Jun 12, 2024 5:29 pm
Forum: General
Topic: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router
Replies: 4
Views: 710

Re: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router

Okay getting a handle on requirements and realistic requirements is important. This is not possible with normal connection let alone through a wireguard tunnel. I want to upload files from that local device using the combined speed of the dual PPPoE connections . So removing that from the table, the...
by anav
Wed Jun 12, 2024 1:41 am
Forum: General
Topic: Problem with selective routing
Replies: 3
Views: 269

Re: Problem with selective routing

Basic safe firewall ruleset. /ip firewall filter { default rules to keep } add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connecti...
by anav
Wed Jun 12, 2024 1:33 am
Forum: General
Topic: Problem with selective routing
Replies: 3
Views: 269

Re: Problem with selective routing

I would hope you are not actually connected to the internet with such UNSAFE settings. You have opened port 80 and your winbox port to the world which is a security NO NO. Pull the plug and change your config before proceeding. Assuming you mean to a third party provider of VPN services. Would have ...
by anav
Wed Jun 12, 2024 12:28 am
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 534

Re: Problems in subnet lan bridge access to wireguard peers

(1) If you entered this manually remove it should not show on config ....... /ip dhcp-server network add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=\ 192.168.0.5 netmask=24 (2) Modify this for the moment ..... FROM: /ip dns set allow-remote-requests=yes /ip dns static add ...
by anav
Wed Jun 12, 2024 12:19 am
Forum: Beginner Basics
Topic: Web server not accessible with Wireguard
Replies: 2
Views: 489

Re: Web server not accessible with Wireguard

So its working as it should. Lets review the requirements for what looks like an RDP server. Good idea to ensure external access is done through Wireguard. Local LAN users access Server via LANIP direct, -- Good Local LAN users access Server via DYNDNS URL - Good but not sure how seeing as you dont ...
by anav
Wed Jun 12, 2024 12:00 am
Forum: Beginner Basics
Topic: New CCR2004 Config - Did I miss anything?
Replies: 3
Views: 616

Re: New CCR2004 Config - Did I miss anything?

No there is no issue and its included in the MT default rules.
In fact, its quite handy for testing for various things and in some cases is used by the router.
by anav
Tue Jun 11, 2024 11:59 pm
Forum: General
Topic: Home LAN ideas
Replies: 4
Views: 361

Re: Home LAN ideas

Approach seems off.
VLANS is to separate users into homogenous groupings where they can all see each other at Layer2.
Sounds like you need more vlans or more WLANs or both
by anav
Tue Jun 11, 2024 11:54 pm
Forum: General
Topic: Is there a way to set local ip-address of wireguard tunnel?
Replies: 4
Views: 416

Re: Is there a way to set local ip-address of wireguard tunnel?

The ISP route is ONLY used for the initial handshake. After that traffic is sent through the tunnel which is dependent upon the wireguard address structure additional routes if necessary and applicable firewall rules. So access to your LAN from external wireguard users or another wireguard routers s...
by anav
Tue Jun 11, 2024 2:20 pm
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 534

Re: Problems in subnet lan bridge access to wireguard peers

Post your latest config for review.
by anav
Tue Jun 11, 2024 2:15 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 918

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

That is my understanding. If you have traffic that has to go from one vlan to the other, then it will be a layer3 transaction, hence router is involved. So you will be limited to 1gig traffic vice much faster speeds within the same vlan anywhere on the switch ( assuming ports greater than1gig throug...
by anav
Tue Jun 11, 2024 4:02 am
Forum: Beginner Basics
Topic: New CCR2004 Config - Did I miss anything?
Replies: 3
Views: 616

Re: New CCR2004 Config - Did I miss anything?

Wilmer is decent, we usually quote: https://forum.mikrotik.com/viewtopic.php?t=143620 Missing Frame Types add bridge=RouterBridge interface=sfp-sfpplus2 Missing ingress-filtering=yes ALL the bridge ports. Missing interface bridge vlan entry for ether6 on vlan-id=99 ?? Not required: ( covered by vlan...
by anav
Tue Jun 11, 2024 4:00 am
Forum: Beginner Basics
Topic: HELP: Setting up a new Mikrotik router - hAP ax lite LTE6
Replies: 1
Views: 218

Re: HELP: Setting up a new Mikrotik router - hAP ax lite LTE6

This could be a torturous exercise to try and setup through exchanges here............. Which country are you in...........
Thinking teamviewer type exercise over discord to help setup the device to get it where it should be. ( safe and working )
by anav
Tue Jun 11, 2024 3:58 am
Forum: Beginner Basics
Topic: 2xWireless + VLANs + MGMT = problem
Replies: 3
Views: 294

Re: 2xWireless + VLANs + MGMT = problem

Would need to see config on both
/export file=anynameyouwish (minus device serial number, any public WANIP information, keys etc. )
by anav
Tue Jun 11, 2024 3:55 am
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 5076

Re: No WAN access via Wireguard

As I suspected DNS was an issue.
Also on my wireguard iphone settings, the wireguard IP address is put as /32 NOT /24.
by anav
Mon Jun 10, 2024 10:36 pm
Forum: General
Topic: Wireguard doesn't work and no logs
Replies: 24
Views: 3729

Re: Wireguard doesn't work and no logs

Diagram, requirements, config. with all three the problem will become clear.
Suspect the server device for handshake is not setup properly
by anav
Mon Jun 10, 2024 10:33 pm
Forum: General
Topic: Winbox on iPhone
Replies: 4
Views: 303

Re: Winbox on iPhone

How does one get to Align.. I dont see it in my wireless settings?
by anav
Mon Jun 10, 2024 10:02 pm
Forum: Beginner Basics
Topic: Dynamic port forwarding
Replies: 6
Views: 668

Re: Dynamic port forwarding

Seems interesting but why not do the following. Server one. incoming ports 200, 300, 400, 500 Server two with port translation incoming ports 201 to 200, 301 to 300, 401 to 400 and 501 to 500. Thus both are available all the time, just the port designation for the originator changes by one. Server T...
by anav
Mon Jun 10, 2024 9:58 pm
Forum: Beginner Basics
Topic: Map Lite AP Setup
Replies: 2
Views: 211

Re: Map Lite AP Setup

Just to be clear this device is both your router and access point, or simply an access point downstream from the ISP router?
by anav
Mon Jun 10, 2024 7:41 pm
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 534

Re: Problems in subnet lan bridge access to wireguard peers

Debian... Allowed IPs for both VPn1 and Client 2 seem fine. Client2 Allowed IPs seem fine, assuming 192.168.10.0/24 subnet is on the debian side somewhere. Now, the Debian will need some sort of firewall rules to allow the wireguard traffic which is peer to peer from the computer, to then enter the...
by anav
Mon Jun 10, 2024 6:55 pm
Forum: Beginner Basics
Topic: Config Thoughts?
Replies: 5
Views: 605

Re: Verify my Firewall Config

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Mon Jun 10, 2024 6:54 pm
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 534

Re: Problems in subnet lan bridge access to wireguard peers

If the MT is the client router, where is the Server Router? What is its config?
by anav
Mon Jun 10, 2024 6:53 pm
Forum: General
Topic: Winbox on iPhone
Replies: 4
Views: 303

Re: Winbox on iPhone

Not all functions are available on the IOS app.
by anav
Mon Jun 10, 2024 6:16 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 973

Re: Dual WAN srcnat and dst-nat setup issue

You didnt follow my firewall forward chain rules. Missing KEY RULE!! /ip firewall filter ....... ....... add action=accept chain=forward comment="internet traffic" in-interface-list=\ LANlist out-interface-list=WANlist add action=accept chain=forward comment="port forwarding" con...
by anav
Mon Jun 10, 2024 6:06 pm
Forum: Beginner Basics
Topic: Routing problem? new config
Replies: 2
Views: 360

Re: Routing problem? new config

Why do you have an expensive managed switch but no vlans ???? Please send to me I will pay postage and send you a TPLINK managed switch :-) HEX (1) Would remove this default DNS setting.. (2) If not using IPV6 disable it and can rid of all ipv6 firewall rules and address lists. (3) I see nothing wro...
by anav
Mon Jun 10, 2024 5:42 pm
Forum: Beginner Basics
Topic: Same VLAN on diferent ports trunk and access
Replies: 2
Views: 290

Re: Same VLAN on diferent ports trunk and access

Well I would recommend a separate management Network. All the switches would get an IP on the management network etc.. Without seeing your config hard to help further. What type of switches are these ( assuming basic managed switches ). /export file=anynameyouwish (minus router serial number, public...
by anav
Mon Jun 10, 2024 5:39 pm
Forum: Beginner Basics
Topic: PCC load balancing on OS7
Replies: 2
Views: 285

Re: PCC load balancing on OS7

IF the second video does not get you all the way, then post your config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) Confirm users are coming inbound on the VPN to your router ( mikrotik is hosting VPN using its services ) not to servers on the l...
by anav
Mon Jun 10, 2024 12:07 pm
Forum: Beginner Basics
Topic: 2xWireless + VLANs + MGMT = problem
Replies: 3
Views: 294

Re: 2xWireless + VLANs + MGMT = problem

Where is the router??
by anav
Mon Jun 10, 2024 12:04 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 973

Re: Dual WAN srcnat and dst-nat setup issue

without looking at the config, suspect ISPs are blocking port 25.
Will look at it later today.
by anav
Mon Jun 10, 2024 1:37 am
Forum: General
Topic: two public IP on mikortik
Replies: 3
Views: 324

Re: two public IP on mikortik

Your config is probably wrong.
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)
by anav
Sun Jun 09, 2024 9:36 pm
Forum: Beginner Basics
Topic: How to approach network planning and then implement it?
Replies: 4
Views: 486

Re: How to approach network planning and then implement it?

Good luck. one day kicking and screaming will try ipv6
by anav
Sun Jun 09, 2024 9:35 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 5076

Re: No WAN access via Wireguard

@leik., will have a look. 1. Suggest set this to none. /interface detect-internet set detect-interface-list=all 2. Why is this setting included in your peer 2 ?? Remove it. endpoint-port=33333 3. Forward chain rules ......modify too. add action=accept chain=forward comment="internet traffic&quo...
by anav
Sun Jun 09, 2024 9:16 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 5076

Re: No WAN access via Wireguard

All it needed is a working srcnat masquerade rule with the Wireguard subnet nobody mentions this option, but for me it was the one that was missing was going crazy trying to solve the same problem thank you for sharing the solution! If the Mikrotik device is the Server Peer (one with public IP) sou...
by anav
Sat Jun 08, 2024 5:14 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 973

Re: Dual WAN srcnat and dst-nat setup issue

Okay so you are saying the Mail Server originates traffic outbound and it has to go out WAN2. You didnt notice but there is no need for interface on the dstnat rule for comcast, it should be removed. In that case lets adjust the mangle rules. {Can be first rule, ensuring Server originated traffic g...
by anav
Sat Jun 08, 2024 5:05 pm
Forum: General
Topic: Upgrading Switches using CAPSMAN
Replies: 3
Views: 527

Re: Upgrading Switches using CAPSMAN

I was hoping for less capsman and more cowbell, but I will Dude over capsman anyday!. ;-)
https://vimeo.com/406011330
by anav
Sat Jun 08, 2024 3:50 am
Forum: General
Topic: Separate routing tables in RouterOS v7
Replies: 2
Views: 4154

Re: Separate routing tables in RouterOS v7

Be advised routing rules are useful for FORCING some source addresses or subnet OUT a specific WAN. a. one has to ensure that they identify if local traffic is also required, as FORCING means all traffic. ( there are ways to deal with this ) b. mangling rules SUPERSEDE routing rules if there is over...
by anav
Sat Jun 08, 2024 3:46 am
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 973

Re: Dual WAN srcnat and dst-nat setup issue

- yes the address sort of creates a route but to be complete one must make a manual route as it pertains to non-local traffic. - so you have dyndns Urls to both IPs. To simplify, Will make WAn1 Xfinity the primary route so all traffic will go out that WAN without special rules. Will ensure that any ...
by anav
Sat Jun 08, 2024 12:30 am
Forum: General
Topic: Roadmap for ROS?
Replies: 4
Views: 437

Re: Roadmap for ROS?

Its random to us because they dont make their roadmap public.
by anav
Fri Jun 07, 2024 6:20 pm
Forum: General
Topic: RouterOS Management Ports and Protocols
Replies: 2
Views: 314

Re: RouterOS Management Ports and Protocols

Overall access to make changes via Winbox is user name-password protected. Access TO the Router ( or more accurately to router services ) is controlled by the firewall filter INPUT CHAIN. In addition, access to winbox functionality can be further delineated in two locations: a. Tools / MAC Server / ...
by anav
Fri Jun 07, 2024 5:57 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 866

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

Well to be honest I have always ONLY stuck in 0.0.0.0/0 for allowed IPs on my iphone wg setup, as being the admin I have many subnets I may wish to access, and perhaps even the internet. So you are saying that If only put a LAN that exists on the router in my allowed IPs and then I try to reach an i...
by anav
Fri Jun 07, 2024 5:39 pm
Forum: General
Topic: Can't get WireGuard to work (the way I want) [SOLVED]
Replies: 11
Views: 880

Re: Can't get WireGuard to work (the way I want) [SOLVED]

The main focus is finally being recognized, articulation of clear requirements. a. You wish to send the entire LAN out VPS for internet. ? b. You wish to send the entire LAN to VPS to reach subnet at VPS but with no internet through VPS? What happens if the VPN tunnel for whatever reason is NOT work...
by anav
Fri Jun 07, 2024 5:34 pm
Forum: General
Topic: Questions about IPSEC
Replies: 7
Views: 453

Re: Questions about IPSEC

Unless we are talking enterprise, wireguard is relatively easy. It is designed for: A. road warriors reaching : a. internet via connection point b. LAN devices c. and reaching router config for admin. B. Connecting Two or More Routers/road warriors to : a. use internet at another site b. reach lans...
by anav
Fri Jun 07, 2024 5:27 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 973

Re: Dual WAN srcnat and dst-nat setup issue

(1) Address should be assigned to the bridge NOT ether5. (2) What's with 192.168.4.11/12 running some sort of pi server for DNS and ntp. Some people do this but not sure there is any added value? Certainly NTP is better done through the router anyway, while DNS has some better effect also forcing usi...
by anav
Fri Jun 07, 2024 5:05 pm
Forum: Beginner Basics
Topic: Change Default route, no ping
Replies: 5
Views: 1528

Re: Change Default route, no ping

Too funny Holvoe, I read that as SORRY I'm Belgian. ;-P To be clear there is no discovery, it's all just logic. You attempt to ping the router on WAN2. The router responds from WAN1 because WAN1 is primary. The solution as you figured out is to ensure the router responds from the same WAN. Mangl...
by anav
Fri Jun 07, 2024 4:54 pm
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 98
Views: 36367

Re: v7.16beta [testing] is released!

This was good too: *) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge; It even put comments on in /interface/bridge/vlan on what triggered the "D" dynamic vlan entry there, i.e. "added by pvid", "added by vlan on bridge", ......
by anav
Thu Jun 06, 2024 10:28 pm
Forum: General
Topic: Wireguard not start
Replies: 9
Views: 544

Re: Wireguard not start

Hi nichky, Sorry does not compute LOL.
I don't recall ever writing about "responder"?
What is the context and what is the requirement?
by anav
Thu Jun 06, 2024 1:29 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1607

Re: HAP ax lite as AP

Not required. Once you go vlans the bridge just does bridging and thus is not an interface list member.
by anav
Thu Jun 06, 2024 1:27 pm
Forum: General
Topic: Wireguard not start
Replies: 9
Views: 544

Re: Wireguard not start

Not enough,
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

Plus.
What are the requirements for wireguard traffic, one user, a whole subnet etc......
by anav
Thu Jun 06, 2024 12:11 am
Forum: General
Topic: Can't get WireGuard to work (the way I want) [SOLVED]
Replies: 11
Views: 880

Re: Can't get WireGuard to work (the way I want) [SOLVED]

KK,

So the VPS server is doing its thing correctly.
Each client peer gets its own IP.

Since it's assigned 6 to the MT,
then on the MT
/ip address
add address=10.66.66.6/24 interface=wireguard network=10.66.66.0


The wg address of the VPS cannot be the same and it should probably be 10.66.66.1
by anav
Wed Jun 05, 2024 11:53 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 866

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

You are mixing apples and Oranges, what is controllable is whether or not your traffic can be split. The answer is NO. On my iphone, if I connect to wireguard, ALL my traffic goes through wireguard. You can leave wireguard UP all the time, (ON DEMAND selection at very bottom) and it basically comes ...
by anav
Wed Jun 05, 2024 11:41 pm
Forum: General
Topic: Can't get WireGuard to work (the way I want) [SOLVED]
Replies: 11
Views: 880

Re: Can't get WireGuard to work (the way I want) [SOLVED]

So to be clear the VPS is a cloud server running wireguard. The biggest problem is assigning the same IP nomenclature to both devices.......... 10.66.66.6 VPS settings: Change IP to 10.66.66.1 PEER -Do not use preshared key. -For peer ensure you put the public key issued by the mikrotik router. -F...
by anav
Wed Jun 05, 2024 11:21 pm
Forum: General
Topic: Unable to access devices externally on MikroTik router
Replies: 6
Views: 945

Re: Unable to access devices externally on MikroTik router

Get a mikrotik router vice the custom jobbie.
by anav
Wed Jun 05, 2024 2:43 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 866

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

Do not follow. Okay so the Wireguard connects fine. The IOS app is to connect to Winbox, as I stated you can do that using most interfaces be it the wireguard interface, the homelan interface etc.. The app is not to connect to home lan devices. /export file=anynameyouwish (minus router serial number...
by anav
Wed Jun 05, 2024 2:40 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 845

Re: cycle outgoing IP addresses

Assigning the next IP?? That doesn't sound random LOL.
by anav
Wed Jun 05, 2024 2:34 am
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 845

Re: cycle outgoing IP addresses

Seriously?
What is the reason?
It's starting to smell like your client is doing something illegal and suggest you dissolve your relationship.
Either that or the client is going to make your life difficult with a continuous stream of over the top requirements based on what ??????????
by anav
Tue Jun 04, 2024 10:29 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1667

Re: Both Openvpn and Wiregurard fail

(1) There is a problem with some rules you have or interfaces or both hence this....... # no interface add action=drop chain=forward in-interface= *B # no interface add action=drop chain=forward out-interface= *B # no interface add action=drop chain=forward in-interface= *C # no interface add action...
by anav
Tue Jun 04, 2024 10:18 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 866

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

The login works fine from the app when I use it.
Are you attempting winbox or something else.
On the Router you need to allow the wireguard IP to the input chain.
For address just use MT wireguard IP:winboxport
by anav
Tue Jun 04, 2024 6:36 pm
Forum: General
Topic: Mikrotik WireGuard setup for Protone VPN
Replies: 18
Views: 5698

Re: Mikrotik WireGuard setup for Protone VPN

(1) Would remove this default setting.... /ip dns static add address=192.168.88.1 comment=defconf name=router.lan (2) dont really need source address on this rule but no harm. add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=\ 192.168.88.0/24 ROUTES ARE COMPLETELY BIZARRE....
by anav
Tue Jun 04, 2024 5:13 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 344
Views: 78436

Re: v7.15 [stable] is released!

Not sure, we are talking about the same thing, but whether or not the untagged vlan shows up on an export is determined by the /interface bridge vlan settings. If you do not manually put them there as untagged, they do not show as they are dynamically created. This is not new!
by anav
Tue Jun 04, 2024 4:51 pm
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 637

Re: Adding an additonal network

Hehe, I wish.
Training for worlds masters in Germany, goal, not to come last!
by anav
Tue Jun 04, 2024 4:15 pm
Forum: General
Topic: DNS and Third Party Wireguard
Replies: 0
Views: 198

DNS and Third Party Wireguard

When sending a single user or entire subnet out wireguard to fictitious "ProNord" wireguard vpn, a DNS IP address is usually provided along with the usual settings. ? Q ? --> How do we ensure that when browsing the internet, that those forced out the wireguard tunnel (typically using table...
by anav
Tue Jun 04, 2024 4:04 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 845

Re: cycle outgoing IP addresses

I have no clue on how ISPs dole out blocks of IPs......
My first thought was, use all 5 as separate WANS and load balance between them :-)
by anav
Tue Jun 04, 2024 1:43 pm
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 638

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

If its doing everything you need it to do.........
by anav
Tue Jun 04, 2024 1:40 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 918

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Got it, thanks again. So to be clear, inter-VLAN routing on the switch can be fast-tracked? It's only when going to WAN which requires NAT'ing that we have to go through CPU no matter what? CRS328-24P-4S+ doesn't support FastTrack offloading, but I suppose you've meant Inter-VLAN Hardware Routing -...
by anav
Tue Jun 04, 2024 1:34 pm
Forum: General
Topic: Mikrotik WireGuard setup for Protone VPN
Replies: 18
Views: 5698

Re: Mikrotik WireGuard setup for Protone VPN

post your config
/export file=anynameyouwish (minus router serial number, any public WANIP info, keys )

please provide setup instructions provided ( without the keys ) as in post above #14.
also did they provide a DNS IP to use?
by anav
Tue Jun 04, 2024 3:22 am
Forum: General
Topic: Mikrotik hex S can't handle with 500Mbps - CPU 95%
Replies: 6
Views: 468

Re: Mikrotik hex S can't handle with 500Mbps - CPU 95%

Traffic between devices on the switch part of the router.
by anav
Tue Jun 04, 2024 3:09 am
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 9
Views: 800

Re: Wireguard DNS Not Working as Expected

Im confused doesnt PPPOE ISP give you a dynamic PUBLIC IP address ?? The reason I ask is you have back to home in your comment for the wireguard interface and thats for the case when you dont have a public IP. Maybe just used the wording not realizing its confusing, if not true???? Also note your us...
by anav
Tue Jun 04, 2024 3:06 am
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 638

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

What I am not convinced of is that DNS is being done through the tunnel. In other words, although traffic may go through the tunnel, DNS queries may still be done through local WAN. I have a thought on how to ensure what we want. /ip firewall nat add chain=dstnat action=dst-nat src-address=192.168.8...
by anav
Tue Jun 04, 2024 2:46 am
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 638

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

Then you must be coming from an IP address on the bridge. Try this routing rule in addition to the existing routing rule and it has to go FIRST in order. /routing rule add min-prefix=0 action=lookup-only-in-table table=main add src-address=192.168.88.0/24 action=lookup table=use-WG. You should be ab...
by anav
Tue Jun 04, 2024 12:05 am
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 638

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

-The easiest way to accomplish what you wish is to separate etheport5 from the rest of the subnets. -There are two ways to accomplish this. one bridge and ethport 5 off the bridge with its own address. one bridge and two vlans We will do the first one........ -Remove default IP DNS STATIC entry -Rem...
by anav
Mon Jun 03, 2024 11:38 pm
Forum: General
Topic: Mikrotik hex S can't handle with 500Mbps - CPU 95%
Replies: 6
Views: 468

Re: Mikrotik hex S can't handle with 500Mbps - CPU 95%

Not surprising looking at the product test results....
.....
hexs.jpg
.......
by anav
Mon Jun 03, 2024 8:09 pm
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 638

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

First
- Are you connecting to a third party VPN provider??
- does ISP provide a public WANIP on WAN2 ( static or dynamic )

Second require config:
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc..)
by anav
Mon Jun 03, 2024 8:07 pm
Forum: General
Topic: Memory Leak v7.15
Replies: 5
Views: 1159

Re: Memory Leak v7.15

Nice to state here but better to send supouts and report to MT directly.
by anav
Mon Jun 03, 2024 7:32 pm
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 9
Views: 800

Re: Wireguard DNS Not Working as Expected

Description is incomplete.
What wireguard is this
a. going to third party Wireguard Server ??
b. Hosting wireguard on your router so having admin or others come in on wireguard?
c. other?

If, a, is the whole subnet supposed to use WG for internet for example??
by anav
Mon Jun 03, 2024 7:28 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1607

Re: HAP ax lite as AP

Review and config are advised with known facts and provided requirements, adding new ones at the end is too late. Since I am not working on the firewall rules any longer, not sure how to solve that. Typically that is what the Trusted or Management network is for, here the admin can access to update....
by anav
Mon Jun 03, 2024 7:21 pm
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 637

Re: Adding an additonal network

Yes, especially when I get up at 5am, 3 mornings a week to go rowing for about 10K.
by anav
Mon Jun 03, 2024 7:15 pm
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 9
Views: 800

Re: Wireguard DNS Not Working as Expected

I dont think its possible when using a third party wireguard VPN server to avoid using the third party provided DNS server.
However with the sparse details provided who knows.
Should really provide config.
by anav
Mon Jun 03, 2024 7:12 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 918

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Not quite. The Router will do all the routing bits, including setting up all the VLANs, giving out DHCP etc. The switch will only need to get an IP address from the management vlan, and then receive all the vlans from the router on one trunk port, and then distribute the vlans out the rest of the po...
by anav
Mon Jun 03, 2024 7:09 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1607

Re: HAP ax lite as AP

Well since you use capsman, that may change the equation and I am unable to assist with that.
So stick to the rules that work for you, especially if the reason for posting has been solved. :-)
by anav
Mon Jun 03, 2024 4:30 pm
Forum: Beginner Basics
Topic: Issues with MikroTik RB951Ui-2HnD Router after being configured as WiFi Repeater [SOLVED]
Replies: 5
Views: 447

Re: Issues with MikroTik RB951Ui-2HnD Router after being configured as WiFi Repeater [SOLVED]

Just to be clear, you mean accept a wifi signal as source and then send that signal onwards to many devices ( wifi source---<router/ap>------> to smartphones/iot etc. )
OR
between two wifi devices ( wifi source ---<router>----- access point---- to smartphones/iot etc. )
by anav
Mon Jun 03, 2024 3:45 pm
Forum: General
Topic: Can't access VLAN with IP address 192.168.88.1
Replies: 1
Views: 368

Re: Can't access VLAN with IP address 192.168.88.1

(1) WTH(alibut) is this?? ( vlanID is not part of your vlan list AND where is the identified port ??? ) add bridge=BR0_LAN tagged=BR0_LAN vlan-ids=1 ????? (2) Your /interface bridge vlan rules are wrong they do not match /interface bridge ports. In addition your sfp plus TRUNK port has a pvid assign...
by anav
Mon Jun 03, 2024 3:43 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1607

Re: HAP ax lite as AP

Please take the time to implement firewall rules and all recommended changes then repost and ask for review.
by anav
Mon Jun 03, 2024 3:41 pm
Forum: Beginner Basics
Topic: Unable to connect to SMTP service port on WAN IP. [SOLVED]
Replies: 3
Views: 298

Re: Unable to connect to SMTP service port on WAN IP. [SOLVED]

Using an unencrypted mail system/server is asking to get hacked.
by anav
Mon Jun 03, 2024 3:39 pm
Forum: Beginner Basics
Topic: Set DHCP server for clients that connect to another AP
Replies: 5
Views: 722

Re: Set DHCP server for clients that connect to another AP

(1) It would appear as if you are using wireguard to a third party VPN or probably based on URL in allowed IPs, a friends MT router. In any case remove the private key entry in the settings you have in allowed IPs, not required. No need to hide wireguard port in interface wireguard, this port (when ...
by anav
Mon Jun 03, 2024 3:31 pm
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 637

Re: Adding an additonal network

hahah mkx, I fell asleep reading your post, this is what I got out of it... ( thank god I am not trained).

blahblahblahblahblahblah*()#@+!@)!&Y$)@_@+ blahblahblahblah USE VLANS blahblahblahU&((@&#(@&+(@!! blahblahblah
by anav
Mon Jun 03, 2024 3:16 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 918

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

(1) /ip settings set max-neighbor-entries=8192 rp-filter=strict would set this to loose...... (2) Why do you have a LAN attached to the bridge? I dont see any ports using LAN?? (3) HORRIBLE idea to name your bridge= LAN, its already nomenclature used by the router for various things and its very con...
by anav
Mon Jun 03, 2024 3:12 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 918

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Did it ever occur to you that you bought a switch not a router . Sure it can be used as a router, RoS is fantastically flexible, but still, there are limits on throughput for WAN connectivity. I am actually shocked that you managed to over 500 Mbps. You must not have many rules............... ( dont...
by anav
Mon Jun 03, 2024 2:23 am
Forum: Wireless Networking
Topic: Hap AX2, need help understanding/troubleshooting issue with 2.4GHz connection.
Replies: 8
Views: 1033

Re: Hap AX2, need help understanding/troubleshooting issue with 2.4GHz connection.

Config of both devices is required.
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
by anav
Mon Jun 03, 2024 2:21 am
Forum: Beginner Basics
Topic: Set DHCP server for clients that connect to another AP
Replies: 5
Views: 722

Re: Set DHCP server for clients that connect to another AP

What is the config on the MT.......
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
by anav
Mon Jun 03, 2024 2:19 am
Forum: General
Topic: MVRP usage [SOLVED]
Replies: 10
Views: 762

Re: MVRP usage [SOLVED]

The point being its a trunk port to trunk port activity.
It does nothing to change the fact that one would have to manually untag the vlan for any specific port on a switch
by anav
Mon Jun 03, 2024 1:12 am
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 637

Re: Adding an additonal network

I dont understand your topology. One should normally only have ONE connection between openWRT router and CRS acting as a router. Similarly, there should only be ONE connection between CRS acting as a router and the unRAID, or more clearly stated only one route (via CRS305) from Router to UNRAID It w...
by anav
Mon Jun 03, 2024 1:00 am
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1274

Re: Routing VLAN to specific WAN using Policy Routing

Too simplistic. If you want to deviate from a logical config and measured troubleshooting steps, you are on your own. Before I go, just to let you know from the TPLink Manual from the latest version firmware. 3.3 Configure VLAN Wireless VLAN is used to set VLANs for the wireless networks. With this ...
by anav
Sun Jun 02, 2024 9:30 pm
Forum: Beginner Basics
Topic: Raspberry pihole (ad blocker) different ip than router OS network
Replies: 15
Views: 1253

Re: Raspberry pihole (ad blocker) different ip than router OS network

Bollocks, I think it will become quite familiar in your repertoire!

Not knowing what it means, the sentence seems to imply "timid" which is not what I would have used to describe your qualities. :-)
by anav
Sun Jun 02, 2024 9:27 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1667

Re: Both Openvpn and Wiregurard fail

(1) Duplicate table, remove one of them. /routing table add fib name=to-WG add fib name=to-WG (2) No where did I recommend bridge filters ?? REMOVE or disable until wireguard is working!! /interface bridge filter add action=drop chain=forward in-interface=wifi3 add action=drop chain=forward out-inte...
by anav
Sun Jun 02, 2024 9:15 pm
Forum: Beginner Basics
Topic: Port forwarding for Hikvision DVR
Replies: 2
Views: 366

Re: Port forwarding for Hikvision DVR

/ip firewall address-list { use dhcp static set leases for example } add address=10.0.0.X list=Authorized comment="admin PC1" add address=10.0.0.Y list=Authorized comment="admin PC2" add address=VPNaddress list=Authorized comment="remote admin" add address=mynetname.net li...
by anav
Sun Jun 02, 2024 8:55 pm
Forum: Beginner Basics
Topic: Port forwarding for Hikvision DVR
Replies: 2
Views: 366

Re: Port forwarding for Hikvision DVR

(1) It is not clear how you are trying to connect to the DVR. a. Directly from LAN device to DVR using LANIP. Y/N ? b. From Internet using dyndns URL(could be mycloud.net from ip cloud for example) Y/N ? c. From LAN using dyndns URL Y/N ? If c, are you attempting to reach DVR from the same subnet? (...
by anav
Sun Jun 02, 2024 8:50 pm
Forum: Forwarding Protocols
Topic: Mangle Issue (Failover With Two WAN)
Replies: 1
Views: 319

Re: Mangle Issue (Failover With Two WAN)

Some rules mean nothing to me................... The complete config is required for viewing /export file=anynameyouwish ( less router serial number, any public WANIP information, keys etc.) You had a good start on requirements and then fizzled a bit so lets go back to that for a bit more complete v...
by anav
Sun Jun 02, 2024 8:41 pm
Forum: Wireless Networking
Topic: cAP ax Wifi not working
Replies: 17
Views: 988

Re: cAP ax Wifi not working

(1) Stick with default mode for bridge, think its RTSP?? (2) No WAN or LAN on an AP. (3) I config my caps on the bench through ether2, off bridge, and when installed if its reachable directly or else I wire ether2 where I can at least access with laptop. Just change laptop ipv4 settings to 192.168.5...
by anav
Sun Jun 02, 2024 7:23 pm
Forum: Beginner Basics
Topic: Raspberry pihole (ad blocker) different ip than router OS network
Replies: 15
Views: 1253

Re: Raspberry pihole (ad blocker) different ip than router OS network

Anyone? If not administrator please delete this post - I'll look elsewhere. thank you. Did I say I was not interested. I asked for more information to better understand what you attempted to describe. Now that jaclaz is on the case, I am sure he will attempt to resolve your query. I tried, and was ...
by anav
Sun Jun 02, 2024 7:16 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1667

Re: Both Openvpn and Wiregurard fail

(1) Remove the peer name......... pre-shared key ( do not use this attribute ) /interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=**.**.2**.** endpoint-port=\ 41194 interface=wireguard1 name=peer1 persistent-keepalive=25s \ preshared-key="*****=" public-key=\ (2) By ...
by anav
Sun Jun 02, 2024 6:39 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1274

Re: Routing VLAN to specific WAN using Policy Routing

Concur on the TPLINK not too much to screw up there, but what about the switch?? Okay I went back and what troubled me was LTE was on bridge1 and not directly on an etherport on the router. I then checked the diagram and for some strange reason its coming from the AP ???????? ...... ap-router.jpg .....
by anav
Sun Jun 02, 2024 5:29 pm
Forum: Beginner Basics
Topic: Mikrotik as secondary router - one LAN port bridged to WAN
Replies: 4
Views: 670

Re: Mikrotik as secondary router - one LAN port bridged to WAN

/interface vlan add interface=bridge name=ISP-LAN vlan-id=10 add interface=bridge name=HAP-LAN vlan-id=88 /interface bridge port add bridge=bridge interface=ether1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged add bridge=bridge interface=ether2 pvid=88 ingress-filtering=yes ...
by anav
Sun Jun 02, 2024 5:14 pm
Forum: Beginner Basics
Topic: Need help with few questions.
Replies: 5
Views: 451

Re: Need help with few questions.

Let's get this straight, the CRS series are SWITCHES not routers. They can be used as routers but throughput is very much less than pure routers. Provide a diagram as your requirements are not fully understood and seem to be changing with each post. Besides diagram a. identify users/device including ...
by anav
Sun Jun 02, 2024 5:10 pm
Forum: General
Topic: Back To Home VPN - spamming logs when disconnected
Replies: 2
Views: 313

Re: Back To Home VPN - spamming logs when disconnected

Disappointing that MT did not fix this well known issue for the release of 7.15.
by anav
Sun Jun 02, 2024 3:56 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1667

Re: Both Openvpn and Wiregurard fail

Post your latest config and I will relook.
by anav
Sun Jun 02, 2024 3:53 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1274

Re: Routing VLAN to specific WAN using Policy Routing

Are they connected wired or wifi,
Check the switch and AP devices, dont think its the router??
by anav
Sun Jun 02, 2024 2:38 am
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1274

Re: Routing VLAN to specific WAN using Policy Routing

As usual I work from your latest config, so would need to see it to comment on any new issues. Unless you changed something vlan20 should work same as vlan30 as they are identical in terms of the RB5009 router, which leads me to suspect the problem is down the road like at a switch. (4) I would disa...
by anav
Sun Jun 02, 2024 2:32 am
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 2006

Re: Connection issues with hAP AC2, any problems with my config?

Subnets = IP = L3, or did I miss something?
Yes rip van Larsa you missed the last 60 years where Zerotier was released putting all assigned subnets into the same L2 space.
by anav
Sat Jun 01, 2024 8:32 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 2006

Re: Connection issues with hAP AC2, any problems with my config?

You know more than I, but AMMO was fairly explicit on setting up the subnets to be part of zerotier.
by anav
Sat Jun 01, 2024 5:51 pm
Forum: Beginner Basics
Topic: Basic Zerotier Question.
Replies: 3
Views: 341

Re: Basic Zerotier Question.

Okay so it sounds very doable. Its a bit better than trying it over wireguard as wireguard then trips over the routing issue, where zerotier does not.
by anav
Sat Jun 01, 2024 4:23 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1274

Re: Routing VLAN to specific WAN using Policy Routing

(1) REMOVE frame types from bridge. keep it simple, we add frame types and ingress filtering at /interface bridge ports. (2) I like order, thus resorted vlans LOL. A cluttered config is a cluttered mind. ;-P (3) For security added Trusted Interface, assuming the one subnet that is trusted is your in...
by anav
Sat Jun 01, 2024 2:51 pm
Forum: Beginner Basics
Topic: Basic Zerotier Question.
Replies: 3
Views: 341

Basic Zerotier Question.

I have a single device on a local subnet lets say 192.168.88.0/24 on an MT router and it needs to reach a device ( and vice versa ) on a separate router (non-mt, with SIM card) and both have natively zerotier, intuitively one should say, yes they can be connected. The subnet on the non-mt Router is ...
by anav
Sat Jun 01, 2024 2:37 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 2006

Re: Connection issues with hAP AC2, any problems with my config?

That router does zerotier natively which may be another avenue of possibility. It joins networks at level 2, so no firewall rules apply. The question though remains, what happens when you are local with wifi............. it may integrate really well and be the right path, just dont have any experie...
by anav
Sat Jun 01, 2024 3:43 am
Forum: Beginner Basics
Topic: Device Isolation
Replies: 4
Views: 496

Re: Device Isolation

I typically tend to use vlans to separate subnets at layer2 and firewall rules at layer3.
For firewall rules my last rule is DROP, and thus anything not accepted above in previous rules in that chain, is not permitted. Clean and efficient.
by anav
Fri May 31, 2024 11:43 pm
Forum: Beginner Basics
Topic: Can the firewall drop packets silently?
Replies: 8
Views: 666

Re: Can the firewall drop packets silently?

If I were to latinize it ......................

/export file=vici-de-bici
by anav
Fri May 31, 2024 11:32 pm
Forum: General
Topic: How long does it take for MT tech support to respond?
Replies: 22
Views: 3187

Re: How long does it take for MT tech support to respond?

They have responded to all my inquiries including ideas and supouts in a reasonable time frame, not to say your experience may differ. Perhaps a small investment in a queue system letting folk know they are number 98/2000 might help temper expectations etc... MTs strongpoint has never been communica...
by anav
Fri May 31, 2024 11:24 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 2006

Re: Connection issues with hAP AC2, any problems with my config?

Yes, I can see the dilemma!! What router brand and model do you have in the camper? Is it dual wan capable, can you link to a user guide? Im starting to think that SourceNATing the camper van wireguard outward bound traffic may be a key to an approach. So when wireguard is up....... the MT router ge...
by anav
Fri May 31, 2024 11:16 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 908

Re: Can I only use mikrotik as a firewall?

Absolutely know that companies join conglomerates of like minded companies and ISPs to ward off attacks. They try to isolate the source vectors and close off traffic to the closest point of source. Very enterprisish stuff............ not for the faint of wallet and thus I dont pay for it. Some compa...
by anav
Fri May 31, 2024 11:12 pm
Forum: General
Topic: How long does it take for MT tech support to respond?
Replies: 22
Views: 3187

Re: How long does it take for MT tech support to respond?

yarim just joined to help this thread, how kind.
Yup they are dealing with lots of sups, just keep checking they will get around to it.
by anav
Fri May 31, 2024 11:09 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1274

Re: Routing VLAN to specific WAN using Policy Routing

Heheh, okay will look at it tomorrow, today is booked up or whats left of it.
by anav
Fri May 31, 2024 5:04 pm
Forum: Beginner Basics
Topic: Can the firewall drop packets silently?
Replies: 8
Views: 666

Re: Can the firewall drop packets silently?

Shields up is a very nice but not required, I believed you the first time,
what is needed is to see why your config is letting that happen :-)

/export file=anynameyouwish (minus switch impersonating a router serial number, any public wanip information, keys etc.)