Search found 22726 matches

by anav
Sun Feb 16, 2025 2:24 am
Forum: Announcements
Topic: v7.17.2 [stable] is released!
Replies: 597
Views: 130434

Re: v7.17.2 [stable] is released!

@mikrotik, is there any plans for a 7.17.3 release, or no? I've got hundreds of MikroTiks to update and I'd hate to upgrade everything to 7.17.2 only to find out that 7.17.3 is released a week later... not looking for any specific timeframes or anything, just wondering if another point release is a...
by anav
Sun Feb 16, 2025 2:17 am
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Good day rextended, probably fell asleep in a hammock looking at the stars above the vineyard........ To be so lucky. I prefer light pasta, yours has too much sauce on it. Lets look at facts. Default rule: add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" co...
by anav
Sun Feb 16, 2025 1:25 am
Forum: Beginner Basics
Topic: proton WireGuard - handshake for peer did not complete...
Replies: 12
Views: 620

Re: proton WireGuard - handshake for peer did not complete...

1. You have to pay closer attention to detail where did I put this for interface list?? /interface list member add interface=ether1 list=WAN add interface=ether2 list=LAN add interface=ether3 list=LAN add interface=ether4 list=LAN add interface=ether5 list=LAN add interface=P-CH-159 list=WAN add int...
by anav
Sun Feb 16, 2025 1:13 am
Forum: Beginner Basics
Topic: Creating 3 VLANs on one port and making DHCP on one VLAN
Replies: 5
Views: 226

Re: Creating 3 VLANs on one port and making DHCP on one VLAN

Also where did these recommendations come from. If a recommendation was jump off a bridge ( from an unknown source ) would you do it? ;-) It sounds/looks like an assignment for a class actually. I dont think the responder asked for a partial snippet. /export file=anynameyouwish ( minus router serial...
by anav
Sat Feb 15, 2025 10:41 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Drop all else is only a problem in your mind, and because you dont follow a methodical use case and requirements based process in your thinking. Well, at least I am able to express my ideas without attacking or offending other people. :) You don't have enough new users to shout at today? :?: My my ...
by anav
Sat Feb 15, 2025 7:57 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Drop all else is only a problem in your mind, and because you dont follow a methodical use case and requirements based process in your thinking. Of course one shouldnt fiddle with rules unless they know what they are doing, thats a separate issue. What we are speaking about is a lean, efficient set ...
by anav
Sat Feb 15, 2025 7:55 pm
Forum: General
Topic: VXLAN inside WireGuard tunnel
Replies: 4
Views: 222

Re: VXLAN inside WireGuard tunnel

Since I know squat about vxlan, I would have solved it with wireguard to securely connect the two subnets (using fw rules).
I would never vxlan over the internet directly. I suppose if there was some specific function requiring layer2, then one could vxlan over wireguard.
by anav
Sat Feb 15, 2025 7:52 pm
Forum: Beginner Basics
Topic: possible SYN flooding on tcp port 53 [SOLVED]
Replies: 13
Views: 5194

Re: possible SYN flooding on tcp port 53 [SOLVED]

Sorry you got caught in the cross-hairs, suggest if you have an issue start a new thread and provide some actual information.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)
by anav
Sat Feb 15, 2025 7:45 pm
Forum: Beginner Basics
Topic: proton WireGuard - handshake for peer did not complete...
Replies: 12
Views: 620

Re: proton WireGuard - handshake for peer did not complete...

We are making progress. I understand that you have some users that are able to use the ISP VDSL device for wifi which is great. However the MT router also needs to be able to access the ISP VDSL connection to establish the proton tunnel. This is fine. I just need to know how you are connected to the...
by anav
Sat Feb 15, 2025 5:18 pm
Forum: General
Topic: DNS issue on bridge + vlan +trunk
Replies: 3
Views: 140

Re: DNS issue on bridge + vlan +trunk

Where do you see on any post, anyone asking for a part config LOL.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)
by anav
Sat Feb 15, 2025 5:16 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

What is key is to understand the logic and impact of rules, and they are a tool like anything else to achieve desired functionality. You are fixated on chains, which misses the point. Chains are just indicative of flow of traffic pathways, drop all is simply a statement that affects any traffic in that pa...
by anav
Sat Feb 15, 2025 4:05 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

This allows traffic coming in on the wireguard interface destined for other networks reachable via the same wireguard interface:
add action=accept chain=forward comment="Allows cross peer subnet traffic" \
    in-interface=212-Wireguard out-interface=212-Wireguard
Concur that...
by anav
Sat Feb 15, 2025 3:57 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

And, that there are, generally, 2 approaches or strategies to one's complete set of rules: Wrong, there can only be one ( someone is going to suffer the sword )....................... drop all else. The other is a creation of MT to ensure the blind deaf and dumb user can plug ether1 into the ISP mo...
by anav
Sat Feb 15, 2025 3:47 pm
Forum: Beginner Basics
Topic: Request for help WAN and setup hap ax2 (7.17.2) for a beginnerPCC load balancing configuration
Replies: 8
Views: 848

Re: Request for help WAN and setup hap ax2 (7.17.2) for a beginnerPCC load balancing configuration

ECMP load balancing is automatically applied with routes of equal distance and is what you want, no need for complex PCC load balancing! All you need is to define the two routes as follows. add check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gateway-IP routing-table=main add check-gateway=ping...
by anav
Sat Feb 15, 2025 3:38 pm
Forum: Beginner Basics
Topic: proton WireGuard - handshake for peer did not complete...
Replies: 12
Views: 620

Re: proton WireGuard - handshake for peer did not complete...

1. What is the purpose of putting the WAN as both a member of the LAN and WAN lists??? Typically for third party VPN we make it part of the WAN List and thus the default source nat rule also ensures any local users going out the wireguard interface will be natted to your assigned proton wireguard I...
by anav
Sat Feb 15, 2025 3:22 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

the issues may come the moment you start fiddling with firewall rules without really knowing what you are doing. Precisely, better to leave the defaults, or at least something that resembles them, not something that for you is only subjectively safer and for someone else can give unexpected problem...
by anav
Sat Feb 15, 2025 3:21 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Well the main difference is that the default settings which work 'out of the box' assume a simple user with one bridge and one subnet etc. This lasts how long in the real world?? The problem is the default rules work on the premise of block all the known bad stuff and allow everything else. Again sa...
by anav
Sat Feb 15, 2025 3:07 pm
Forum: General
Topic: VXLAN inside WireGuard tunnel
Replies: 4
Views: 222

Re: VXLAN inside WireGuard tunnel

To put two PCs in the same L2 space did you consider trying zerotier?
by anav
Sat Feb 15, 2025 12:04 am
Forum: Beginner Basics
Topic: possible SYN flooding on tcp port 53 [SOLVED]
Replies: 13
Views: 5194

Re: possible SYN flooding on tcp port 53 [SOLVED]

Great so you are adding lying to your repertoire of skill sets. In the other thread I asked you to provide your config ( fact/evidence ) so that we may collectively attempt to sort out the issue. Instead you come here spewing BS. We are a patient bunch, still waiting for that config....... still wai...
by anav
Fri Feb 14, 2025 11:20 pm
Forum: Beginner Basics
Topic: Forum rules
Replies: 39
Views: 152930

Re: Forum rules

@rextended, I made the mistake of watching some sappy Tuscan Romance movie last night, to help me forget about my icy driveway. They used a fictitious town name of Montezara and most of the shooting was done actually in San Quirico D'orcia ( disgustingly beautiful ). Near you?? In terms of the qu...
by anav
Fri Feb 14, 2025 10:36 pm
Forum: Beginner Basics
Topic: Wireguard client cannot ping servername
Replies: 6
Views: 309

Re: Wireguard client cannot ping servername

That cleans up the router now lets get to the pinging nonsense......... can you reach the server and carry out traffic is the goal, not pinging. To reach your router after connecting via wireguard using dyndns name seems bizarre to me, simply use the IP address of the server. That is why we have the ...
by anav
Fri Feb 14, 2025 10:26 pm
Forum: General
Topic: NAT Rule issue – out-interface-list fails for WireGuard traffic
Replies: 7
Views: 497

Re: NAT Rule issue – out-interface-list fails for WireGuard traffic

Well if they dont bother you, then no need to elaborate LOL
All is clear by the way! Understood your feedback.
by anav
Fri Feb 14, 2025 9:47 pm
Forum: General
Topic: Winbox Integration with Vault or Password Manager tools
Replies: 2
Views: 290

Re: Winbox Integration with Vault or Password Manager tools

A company in Europe presented its solution recently and basically entails connecting to one of its servers and it provides a number of additional security options for users to complete. a. 2FA b. original equipment check etc.. So yes there are paid solutions but in terms of built-in, Wireguard is in...
by anav
Fri Feb 14, 2025 9:37 pm
Forum: Beginner Basics
Topic: Route scope and status confusion
Replies: 4
Views: 495

Re: Route scope and status confusion

Well to be honest, use either recursive routing or netwatch, no need to mix them up. Please post config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys ) In general Primary WAN distance=1 check-gateway=ping Secondary WAN distance=2 Recursive add check-gat...
by anav
Fri Feb 14, 2025 9:36 pm
Forum: Beginner Basics
Topic: Routing between Interfaces
Replies: 2
Views: 287

Re: Routing between Interfaces

Very rude to force us to guess and what your config may or may not entail. Minimum requirements is for the config posted and if complex network a network diagram. What do you want to happen is more relevant post config /export file=anynameyouwish (minus router serial number, any public WANIP informa...
by anav
Fri Feb 14, 2025 9:34 pm
Forum: Beginner Basics
Topic: proton WireGuard - handshake for peer did not complete...
Replies: 12
Views: 620

Re: proton WireGuard - handshake for peer did not complete...

/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys )
by anav
Fri Feb 14, 2025 9:26 pm
Forum: Beginner Basics
Topic: Wireguard config Export and Import
Replies: 4
Views: 3944

Re: Wireguard config Export and Import

If those are your real keys, you might as well start over as publishing actual keys and actual WANIP information is a big NONO. Assuming you have one device ( server peer for handshake and you would like to transfer the setup to a second router as a client peer ). Well its quite simple. What the MAI...
by anav
Fri Feb 14, 2025 9:14 pm
Forum: Beginner Basics
Topic: Request for help WAN and setup hap ax2 (7.17.2) for a beginnerPCC load balancing configuration
Replies: 8
Views: 848

Re: Request for help WAN and setup hap ax2 (7.17.2) for a beginnerPCC load balancing configuration

Just to be clear ISP1 --> throughput up/down ?? ISP2 --> throughput up/down ?? a. you want both ISPs being used at the same time? b. you want each ISP share roughly equally in the distribution of the WAN load ( session requests from LAN users ) c. you want one ISP to be used by all users if the othe...
by anav
Fri Feb 14, 2025 9:08 pm
Forum: Beginner Basics
Topic: How to route specific interface through WireGuard?
Replies: 1
Views: 156

Re: How to route specific interface through WireGuard?

/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys )

Typically the easiest method is to create a table and a routing rule but without knowing the current setup and context its best to provide that information.
by anav
Fri Feb 14, 2025 9:08 pm
Forum: Beginner Basics
Topic: possible SYN flooding on tcp port 53 [SOLVED]
Replies: 13
Views: 5194

Re: possible SYN flooding on tcp port 53 [SOLVED]

NO, the onus is ON you to provide information.
by anav
Fri Feb 14, 2025 9:07 pm
Forum: General
Topic: possible syn flooding on tcp port 53
Replies: 2
Views: 168

Re: possible syn flooding on tcp port 53

Note please stop spamming the forum with duplicate posts.
Readers should go here for further comments --> viewtopic.php?t=211979
by anav
Fri Feb 14, 2025 9:05 pm
Forum: Beginner Basics
Topic: mobile app on the api port or winbox
Replies: 1
Views: 109

Re: mobile app on the api port or winbox

Well your explanation is weak. First, I dont connect to the router via the MT app. That is an unsafe method. FIRST connect via VPN app, then connect with MT APP. I use wireguard. Then you log in as per normal aka like winbox using the mt app. aka either mac address user name password OR IP address:w...
by anav
Fri Feb 14, 2025 9:01 pm
Forum: General
Topic: possible syn flooding on tcp port 53
Replies: 2
Views: 168

Re: possible syn flooding on tcp port 53

Yes, dont connect that PC.

Seeing your config ( ya know evidence and fact ) may show us something.

/export file=anynameyouwish ( minus router serial number, any public wanip information, keys )
by anav
Fri Feb 14, 2025 8:59 pm
Forum: General
Topic: NAT Rule issue – out-interface-list fails for WireGuard traffic
Replies: 7
Views: 497

Re: NAT Rule issue – out-interface-list fails for WireGuard traffic

Is there only one router involved? the one config is provided and confirm this is the wg server peer for handshake and all incoming are external users?? What is the difference between wireguard1 and wireguard remote, why two interfaces............ I understand that if there is a router (client peer) ...
by anav
Fri Feb 14, 2025 8:50 pm
Forum: General
Topic: WAN Interface configured on VLAN on ethernet port connected to LAN
Replies: 8
Views: 426

Re: WAN Interface configured on VLAN on ethernet port connected to LAN

To be frank, its way beyond my imagination or skill set.
I would attempt to split and simplify.
Its not even clear to me how the two routers are connected ( is there a fiber cable under the road etc ).
Why would you want them connected anyway if its two different companies and two different needs.
by anav
Fri Feb 14, 2025 8:43 pm
Forum: General
Topic: Why a MikroTik?
Replies: 10
Views: 718

Re: Why a MikroTik?

Well it was going to be a trophy but. a. the gold mined and sold to a us company got 25% more expensive, b. the maple wood sold to a us company got 25% more expensive c. the us company's trophy products were charged another 25 percent hitting the border on the way back to Canada d. for some reason c...
by anav
Fri Feb 14, 2025 8:36 pm
Forum: General
Topic: Hairpin NAT with VLANS not working
Replies: 5
Views: 320

Re: Hairpin NAT with VLANS not working

1. Hairpin nat ONLY applies to users, attempting to use the server via its domain name, that are in the same SUBNET as the server. This does NOT apply to users on different vlans. 2. Keep the hairpin nat rule simple add chain=srcnat action=masquerade src-address=serverSubnet dst-address=serverSubnet...
by anav
Fri Feb 14, 2025 8:31 pm
Forum: General
Topic: Why a MikroTik?
Replies: 10
Views: 718

Re: Why a MikroTik?

I'm just a business-junkie, so I wanted to share. Hey Josephny, we all know your super power is asking many annoying questions on the FORUM. ;-PPP luv ya!! I keep recommending mozerd/s service to folks struggling with and pretending they can successfully set up their own lists and they dont really ...
by anav
Fri Feb 14, 2025 8:29 pm
Forum: General
Topic: How to Load Balance a 2x1gbps from a single router
Replies: 17
Views: 599

Re: How to Load Balance a 2x1gbps from a single router

Sir @anav, you must be joking. You do know that the rb5009 does indeed have an sfp+ port, right? In fact I think that this is probably the best device to receive a "multi-gig" internet connection. It's usually delivered on a copper 2.5GbE, and you can fan out either using the 1G ports on ...
by anav
Fri Feb 14, 2025 6:07 pm
Forum: Beginner Basics
Topic: Wireguard client cannot ping servername
Replies: 6
Views: 309

Re: Wireguard client cannot ping servername

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys ) edit: I see you have, one moment while I take a look. 1. REMOVE THIS LINE or disable, it may be interfering as ISP termination work is already done at the pppoe tabs. /ip dhcp-client add comment=defconf in...
by anav
Fri Feb 14, 2025 6:05 pm
Forum: General
Topic: WAN Interface configured on VLAN on ethernet port connected to LAN
Replies: 8
Views: 426

Re: WAN Interface configured on VLAN on ethernet port connected to LAN

The diagram and context are actually needed to start making an assessment of a configuration that makes sense.
by anav
Fri Feb 14, 2025 6:01 pm
Forum: General
Topic: Just messed up my settings, cannot connect to router at all
Replies: 8
Views: 351

Re: Just messed up my settings, cannot connect to router at all

I just checked the VPN box in the Quick Setup page and now I can't access the router and have no internet connectivity. Does the quick settings page essentially override all other settings I've made manually elsewhere? Is there any way I could gain access to the router or do I have to reset it to f...
by anav
Fri Feb 14, 2025 5:58 pm
Forum: General
Topic: Error in local login
Replies: 11
Views: 443

Re: Error in local login

What kind of a clown takes default safe firewall rules and then opens the router to the WWW???? The only thing to do at this point is unplug the router, netinstall the latest firmware and start fresh! Do not connect to the internet until the firewall rules are set! Also recommend changing defaults f...
by anav
Fri Feb 14, 2025 5:56 pm
Forum: General
Topic: How to Load Balance a 2x1gbps from a single router
Replies: 17
Views: 599

Re: How to Load Balance a 2x1gbps from a single router

To be accurate the RB5009 has one 2.5 gig port, so a. it could be used to receive the 2GB throughput, if the ISP actually provided a useful modem/router, but the rest of the ports on the 5009 are 1gig so any user would only be able to achieve 1gig of speed for any session. b. Even if you could g...
by anav
Fri Feb 14, 2025 5:48 pm
Forum: General
Topic: query about wan and lan
Replies: 4
Views: 213

Re: query about wan and lan

Remove the server it makes no sense where its located or you are not telling us what its purpose really is...........
by anav
Thu Feb 13, 2025 10:20 pm
Forum: General
Topic: WAN Interface configured on VLAN on ethernet port connected to LAN
Replies: 8
Views: 426

Re: WAN Interface configured on VLAN on ethernet port connected to LAN

So are you saying you have two routers in one location??
What is the purpose of the second router at all??
Which router gets which ISP?
by anav
Thu Feb 13, 2025 8:19 pm
Forum: Beginner Basics
Topic: Assistance requested - Wireguard accessing LAN resources and admin via browser.
Replies: 2
Views: 475

Re: Assistance requested - Wireguard accessing LAN resources and admin via browser.

I too use winbox and generally just click on the MAC address to gain access. If you want to use IP address then you will need IP address and port number 192.168.1.1:13456 No one I know uses the browser to access the config securely. So don't worry about it. Changes shown: /interface list member add ...
by anav
Thu Feb 13, 2025 7:52 pm
Forum: General
Topic: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]
Replies: 8
Views: 2207

Re: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]

You are mixing apples and oranges.
Source nat rules are made so that the traffic leaving an interface is given the IP of that interface............

Forward chain rules are granting permission for the identified traffic to flow from indicated source to indicated destination.
by anav
Thu Feb 13, 2025 7:46 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Hahaha okay, I will catch a ride the next time the orange drag president flys by in his sleigh...... Fun image, thanks! IMO "orange president" has clear meaning. How does "orange drag president" alter such? Irony , the Orange melon head, and his republicans have been trashing dr...
by anav
Thu Feb 13, 2025 7:43 pm
Forum: General
Topic: NAT Rule issue – out-interface-list fails for WireGuard traffic
Replies: 7
Views: 497

Re: NAT Rule issue – out-interface-list fails for WireGuard traffic

/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc. )
by anav
Thu Feb 13, 2025 7:40 pm
Forum: General
Topic: Is there a good way to add multiple vlans to an interface instead interface to the vlan?
Replies: 9
Views: 1146

Re: Is there a good way to add multiple vlans to an interface instead interface to the vlan?

I believe in the latest software MT provides the ability to create interface lists of vlans so they are automatically handled in the config..... *bridge - added interface-list support for VLANs; Starting from RouterOS version 7.17, you can use interface lists for the tagged and untagged properties i...
by anav
Thu Feb 13, 2025 7:33 pm
Forum: General
Topic: WAN Interface configured on VLAN on ethernet port connected to LAN
Replies: 8
Views: 426

Re: WAN Interface configured on VLAN on ethernet port connected to LAN

Draw a diagram to envisage the network you are speaking of. Which devices and how connected and which vlans travelling through ports.
by anav
Wed Feb 12, 2025 2:27 am
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Besides three vlans, three pools, three dhcp-server, three dhcp server networks and 3 associated IP addresses......... Please explain this wireguard client..... I assume it is another router with two subnets? Which router is server peer for handshake??? If indeed its a router but a client peer then th...
by anav
Tue Feb 11, 2025 11:40 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Guests would be your guest subnets and home would be your trusted home subnet, iot a subnet for devices, etc...
by anav
Tue Feb 11, 2025 11:39 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Hahaha okay, I will catch a ride the next time the orange drag president flys by in his sleigh......
by anav
Tue Feb 11, 2025 6:44 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Too many errors or weird things to go through it yet line by line. What is the purpose of the two guest wifi networks? Why would you not have two vlans, one for home subnet and one for guest subnet? Which device is providing wifi and how connected to router? Why are both guest and home subnets consi...
by anav
Tue Feb 11, 2025 6:03 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Well post dental was not the only issue today its also a stomach bug of some sort, luckily at only one end. ;-)
by anav
Tue Feb 11, 2025 6:00 pm
Forum: General
Topic: WireGuard and placing a client on the LAN segment of my network
Replies: 36
Views: 6816

Re: WireGuard and placing a client on the LAN segment of my network

Nice, being MT oriented, no clue on what unifi provides!!
by anav
Tue Feb 11, 2025 5:50 pm
Forum: General
Topic: Required gateways isolation in bridge VLAN
Replies: 4
Views: 1350

Re: Required gateways isolation in bridge VLAN

You really need to read this -->https://forum.mikrotik.com/viewtopic.php?t=143620 You cannot have more than one untagged pvid assigned to any port and thus this fails /interface bridge vlan add bridge=Bridge-LAN tagged=Bridge-LAN,ether8-test_bablu untagged=ether7-out_test_bablu vlan-ids= 1833 ,3375,...
by anav
Tue Feb 11, 2025 5:41 pm
Forum: Beginner Basics
Topic: Winbox not working with Wireguard Site-to-Site VPN
Replies: 4
Views: 835

Re: Winbox not working with Wireguard Site-to-Site VPN

Just to clarify the intentions of a wireguard tunnel - All the devices on Site B should send the traffic through the tunnel when communicating to the internet and be masqueraded with site A Public IP address, hence the srcnat rule - Sorry I should have mentioned that in my first post. That's why I ...
by anav
Tue Feb 11, 2025 5:31 pm
Forum: General
Topic: Stuck with my Wireguard config [SOLVED]
Replies: 7
Views: 562

Re: Stuck with my Wireguard config [SOLVED]

Awesome glad its working for you.
by anav
Tue Feb 11, 2025 5:30 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 1506

Re: Hapax3, no sleep

Yeah I know, some good syrup from northern NY, its basically like quebec up there, perhaps NY should just become another province of Canada.
by anav
Tue Feb 11, 2025 5:28 pm
Forum: General
Topic: Stuck with my Wireguard config [SOLVED]
Replies: 7
Views: 562

Re: Stuck with my Wireguard config [SOLVED]

As already stated: You do not have an accept rule for the incoming wireguard handshake. add chain=input action=accept comment="wg handshake" dst-port=13231 protocol=udp I would also be clearer on forward chain. Change default rule add action=drop chain=forward comment=\ "defconf: drop...
by anav
Tue Feb 11, 2025 5:15 pm
Forum: Beginner Basics
Topic: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain
Replies: 11
Views: 2287

Re: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain

And what if I have multiple vlans? Do I need to use address lists?
Hairpin nat is only required if the users are in the same subnet as the server.
So I would make a hairpin nat rule specific to each subnet.
The format provided allows for any number of servers within a subnet.
by anav
Tue Feb 11, 2025 5:10 pm
Forum: General
Topic: Router reaches the Internet, subnets do not
Replies: 13
Views: 1263

Re: Router reaches the Internet, subnets do not

LdB is bang on, I was heading towards a complicated route of masquerade and table/routing rules but the direct sourcenat rules are better.
by anav
Tue Feb 11, 2025 5:07 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 1506

Re: Hapax3, no sleep

Your problem stems from using NY state maple syrup on your pancakes. Use that Canadian syrup and it will all become clear.
Make it fast though, prices will go up.
by anav
Mon Feb 10, 2025 10:38 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Not feeling well today so maybe not....dental stuff nothing serious.
by anav
Mon Feb 10, 2025 9:23 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Should the wireguard interface be included in the interface-list TRUSTED?
Cannot get much clearer than this..
Of course since your bridge is part of TRUSTED
and wireguard is part of TRUSTED
then you are good to go.
by anav
Mon Feb 10, 2025 9:13 pm
Forum: Beginner Basics
Topic: Help swapping to Bridge VLAN filtering [SOLVED]
Replies: 7
Views: 956

Re: Help swapping to Bridge VLAN filtering [SOLVED]

Okay Understood, Interfacex3 covers three third party VPNs to different locations ( or one company with three diff addresses ) InterfacexN interfaces covers connections to other routers. However your router is only a client peer for handshake one other router is the actual server peer for handshake ...
by anav
Mon Feb 10, 2025 9:08 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Yes, but only mac-winbox server use trusted, plain mac-server is not encrypted and should be set to NONE. Of course since your bridge is part of TRUSTED and wireguard is part of TRUSTED then you are good to go. I believe the bridge is your main subnet, and if so why are you detailing wifi1 and wifi2 s...
by anav
Mon Feb 10, 2025 7:34 pm
Forum: Beginner Basics
Topic: Help swapping to Bridge VLAN filtering [SOLVED]
Replies: 7
Views: 956

Re: Help swapping to Bridge VLAN filtering [SOLVED]

Read this article. https://forum.mikrotik.com/viewtopic.php?t=143620 ONE BRIDGE all vlans associated to bridge management or trusted vlan is where all smart devices ( can read vlan tags ) get their IP address from. Highly recommend you configure from a safe spot. take one port lets say ether8 off AN...
by anav
Mon Feb 10, 2025 7:28 pm
Forum: Beginner Basics
Topic: Public IP Routing
Replies: 3
Views: 1190

Re: Public IP Routing

concur with MKX, typically one gives them maybe a private IP address schema a. by allocating VPN/subnet to each client b. by pppoe ( I think, this is what most people use ). Perhaps ask why the client needs a public IP, it may be a matter of forwarding a port to his IP address........ Remember any a...
by anav
Mon Feb 10, 2025 7:22 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

Why did you use verbose? Cant read a damn thing LOL.............
By the way what is the purpose of sending a config with red lines,
rule 1 complete config
rule2 no red lines LOL
by anav
Mon Feb 10, 2025 7:17 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 21
Views: 4366

Re: REQ: AirVPN / Wireguard fine tune assistance

2. Authorized should contain all the actual IP addresses the admin may use at the local router at a remote router and via wireguard. Only the admin should have access to the router on the input chain. All other users at most should have access to router services DNS and possibly NTP. We identify a b...
by anav
Mon Feb 10, 2025 4:52 pm
Forum: General
Topic: MUM page not working - Service Unavailable
Replies: 3
Views: 439

Re: MUM page not working - Service Unavailable

Sad, it seems MT took them off line maybe??
by anav
Mon Feb 10, 2025 4:51 pm
Forum: General
Topic: Can someone help me set up 2 wan ports on my Mikrotik?
Replies: 6
Views: 703

Re: Can someone help me set up 2 wan ports on my Mikrotik?

There is no point in providing you a stock setup if you dont understand some basics before doing so. As well we need to know the requirements. A start was the primary. failover wan setup. How many subnets do you need. What type of device do you have Do you plan on doing any VPN like wireguard Do you...
by anav
Mon Feb 10, 2025 4:43 pm
Forum: General
Topic: Firewall rules analysis
Replies: 73
Views: 3250

Re: Firewall rules analysis

GAZA ---. trillion cubic tons of natural gas offshore, or something like that is the driving factor, not the riviera golf course ;-P

As the OP knows full well I dont look at snippets, its much more fun to trash an entire config!!
by anav
Mon Feb 10, 2025 4:41 pm
Forum: General
Topic: WAN-port in bridge vs routed [SOLVED]
Replies: 6
Views: 662

Re: WAN-port in bridge vs routed [SOLVED]

What is not clear to me is the fixation with vlan20. Is this a vlan the ISP provides internet traffic tagged with vlan20 OR is this just the vlan you setup on the switch to move ISP traffic from the modem to the router. Regardless, its not the switch that decides anything, the entire DHCP setup and ...
by anav
Mon Feb 10, 2025 4:37 pm
Forum: General
Topic: Mikrotik Client and User security options (Web protection, DPI...)
Replies: 1
Views: 331

Re: Mikrotik Client and User security options (Web protection, DPI...)

MT is not DPI and thus good security is the basics. Only allow needed traffic block all else. Dont open up ports to the internet ( port forwarding ) if at all possible. a. use wireguard to allow clients to connect to servers instead b. use CHR in cloud if need be c. use zerotier to connect users to ...
by anav
Mon Feb 10, 2025 12:56 am
Forum: General
Topic: DMZ Pinhole
Replies: 27
Views: 3868

Re: DMZ Pinhole

by anav
Mon Feb 10, 2025 12:54 am
Forum: Beginner Basics
Topic: Help swapping to Bridge VLAN filtering [SOLVED]
Replies: 7
Views: 956

Re: Help swapping to Bridge VLAN filtering [SOLVED]

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )
Dont look at snippets.
by anav
Sun Feb 09, 2025 11:17 pm
Forum: General
Topic: Router reaches the Internet, subnets do not
Replies: 13
Views: 1263

Re: Router reaches the Internet, subnets do not

Good, the requirement discussion has started. It would seem you want LAN consisting of 6 subnets on your router. You wish to ensure each SUBNET uses only 1 WAN. 1. Are they all from the same Gateway IP on ether1 ?? 2. Assuming there is no need for failover (as all from same ISP and same modem so if ...
by anav
Sun Feb 09, 2025 11:10 pm
Forum: General
Topic: DMZ Pinhole
Replies: 27
Views: 3868

Re: DMZ Pinhole

No worries, at some point it turns into fun and rewarding!
By the way, the more you learn and know, the more you realize you don't know. :-)
by anav
Sun Feb 09, 2025 11:08 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 60
Views: 4433

Re: New exciting features for storage

Zerotrust cloudflare on a storage device??? ;-PP
by anav
Sun Feb 09, 2025 8:40 pm
Forum: Beginner Basics
Topic: Strange /ip/dhcp-server/network entries [SOLVED]
Replies: 8
Views: 942

Re: Strange /ip/dhcp-server/network entries [SOLVED]

Concur plus on my configs netmask=24 does not show up so it may mean you added it manually and if so should be removed.
by anav
Sun Feb 09, 2025 8:31 pm
Forum: General
Topic: DMZ Pinhole
Replies: 27
Views: 3868

Re: DMZ Pinhole

So its fair to say you have two types of VPN users. A. admin ( lets say two-five devices ) B. others who need remote access to main and DMZ only. RESULT. All the changes Ive made above stand, except for some finessing of forward chain filter rules and a slight modification to Wireguard. We will give...
by anav
Sun Feb 09, 2025 6:10 pm
Forum: General
Topic: Dynamic routes and High Availability
Replies: 2
Views: 383

Re: Dynamic routes and High Availability

One way is to use recursive routing, basic format: add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12 add distance=1 dst-address=1.1.1.1/32 gateway=CurrentISP1-gatewayIP routing-table=main scope=10 target-scope=11 comment= WAN1-Recursi...
by anav
Sun Feb 09, 2025 6:02 pm
Forum: General
Topic: Mikrotik acting up
Replies: 12
Views: 814

Re: Mikrotik acting up

Twas humour, snagged another one LOL
by anav
Sun Feb 09, 2025 5:55 pm
Forum: General
Topic: DMZ Pinhole
Replies: 27
Views: 3868

Re: DMZ Pinhole

Several issues and the biggie is firewall rules. You have to be waY CLEarer on your forward chain rules. There is no effing reason why vlans can originate traffic to your trusted vlan, aint trusted anymore LOL So I have assumed the following, EVERYONE should have access to dmz MAIN should have acces...
by anav
Sun Feb 09, 2025 2:30 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 469
Views: 441970

Re: NEW FEATURE: Back to Home VPN

I did but checked today and the new supout didnt show, I must not have completed the add process properly. Added it just now and its visible in the conversation trail. @anav, did they get back to you? Been following your saga here for a while on what should be a simple for someone as well-versed in...
by anav
Sun Feb 09, 2025 2:24 pm
Forum: General
Topic: LAN device can not access in CAP's LAN, but can accessed from router LAN
Replies: 9
Views: 981

Re: LAN device can not access in CAP's LAN, but can accessed from router LAN

you need to provide both configs....... not just one
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)
by anav
Sun Feb 09, 2025 2:23 pm
Forum: General
Topic: Multiple PPPoE over VLAN
Replies: 16
Views: 873

Re: Multiple PPPoE over VLAN

It would seem to be that you're saying your ISP gives you two PPPOE connections and you want to use one for the Mikrotik router and pass the other to the fritz box ???
If incorrect then yes a detailed diagram is very much required.
by anav
Sun Feb 09, 2025 6:32 am
Forum: Beginner Basics
Topic: How to administer backup WAN modem?
Replies: 5
Views: 519

Re: How to administer backup WAN modem?

Nope, if it aint broke, dont fix it. Carry on!!
by anav
Sun Feb 09, 2025 6:30 am
Forum: General
Topic: Need some routing experts to help me figure out my setup
Replies: 6
Views: 1237

Re: Need some routing experts to help me figure out my setup

It ensures any local traffic that is allowed, by firewall rules, has a path, otherwise all traffic will head out WANS.
by anav
Sat Feb 08, 2025 11:00 pm
Forum: General
Topic: Mikrotik acting up
Replies: 12
Views: 814

Re: Mikrotik acting up

What a Ham, its probably the hex refresh, he's such a clown. :-) If your config is good, ( how could we possibly know ) then its some functionality that causes the issue so remove one wait, if no change remove another, wait. Or conversely start from scratch and add one functionality at a time, wait,...
by anav
Sat Feb 08, 2025 9:35 pm
Forum: Beginner Basics
Topic: Winbox not working with Wireguard Site-to-Site VPN
Replies: 4
Views: 835

Re: Winbox not working with Wireguard Site-to-Site VPN

Nice first post, Typically the issue is a. wireguard peers incorrect b. firewall rules do not allow access Lets review. by the way if IPV6 is not being used remove all the noise This is a good start but remove all the IPV6 firewall address lists and modify rules to only two rules: add chain=input ac...
by anav
Sat Feb 08, 2025 9:31 pm
Forum: Beginner Basics
Topic: How to administer backup WAN modem?
Replies: 5
Views: 519

Re: How to administer backup WAN modem?

Im a bit confused by the approach. Why are you putting script on LAN subnets DHCP when the proper place to address routing is the WANs?? Is it that you want users to always use the primary and if that is not available then use the backup WAN?? This is one of the common approaches and would look like...
by anav
Sat Feb 08, 2025 9:27 pm
Forum: Beginner Basics
Topic: Need help setting DHCP server VLAN
Replies: 2
Views: 459

Re: Need help setting DHCP server VLAN

Single bridge for all data vlans as per https://forum.mikrotik.com/viewtopic.php?t=143620 The single bridge will also be the interface for both ISP vlans. These vlans however will not get any dhcp, Ip address etc.............. The WAN Vlan will get terminated at either the IP DHCP client settings or...
by anav
Sat Feb 08, 2025 9:18 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3428

Re: Blocking admin services - Firewall rules

Too funny, far from ready. Not sure why the others are turning a blind ( perhaps bloodshot eye) too. The fact that you are attempting to have your cake and eat it too. Mainly having one pool containing two subnets, one dhcp server the bridge, and then two dhcp server networks and two ip addresses ( ...
by anav
Sat Feb 08, 2025 9:06 pm
Forum: General
Topic: Need some routing experts to help me figure out my setup
Replies: 6
Views: 1237

Re: Need some routing experts to help me figure out my setup

No need for mangles! /table add fib name= useWANFiber add fib name= useWANCable /ip route add check-gateway=ping dst-address=0.0.0.0/0 gateway=(current)fiber-gateway-IP routing-table=main comment=Fiber1 add check-gateway=ping dst-address=0.0.0.0/0 gateway=(current)cable-gateway-IP routing-table=main...
by anav
Sat Feb 08, 2025 8:40 pm
Forum: General
Topic: Multiple Bridge question
Replies: 8
Views: 589

Re: Multiple Bridge question

The WAN associated VLAN is distinct and separate from data vlans behind the router. One only assigns the ISP vlan to either an etherport (which is used in IP DHCP client or pppoe settings) / or less likely some fixed IP address on the VLAN. It has nothing to do with the LAN-BRIDGE so to speak. There...
by anav
Sat Feb 08, 2025 3:15 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3428

Re: Blocking admin services - Firewall rules

Please post your latest config so that we can apply fresh thinking to the issue.
by anav
Sat Feb 08, 2025 3:11 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 1506

Re: Hapax3, no sleep

I provided the solution of doing the config from an off bridge port.......... I mean the complaint was no sleep right ;-)
by anav
Fri Feb 07, 2025 11:29 pm
Forum: Beginner Basics
Topic: Entry level 10GB router planning.
Replies: 7
Views: 765

Re: Entry level 10GB router planning.

holvoe, you are only noticing now?????

I am simply following requirements, requested 10gig ..........
by anav
Fri Feb 07, 2025 11:28 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3428

Re: Blocking admin services - Firewall rules

First jotne took your config too seriously, and that is the I LOVE TO DRINK WINE bit........ Clearly sauced as this rule is completely legit, please ignore advice given: add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 \ protocol=udp What can be said is your rule...
by anav
Fri Feb 07, 2025 11:22 pm
Forum: Beginner Basics
Topic: Can't figure out recursive routing
Replies: 5
Views: 721

Re: Can't figure out recursive routing

Please post config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys ) In general Primary WAN distance=1 check-gateway=ping Secondary WAN distance=2 Recursive add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12 a...
by anav
Fri Feb 07, 2025 8:41 pm
Forum: Wireless Networking
Topic: HAP AX3 simple capsman wireless NOT working
Replies: 11
Views: 2247

Re: HAP AX3 simple capsman wireless NOT working

What is the advantage of using capsman if HAPAX3 is your only wifi device and also your router???
by anav
Fri Feb 07, 2025 8:40 pm
Forum: Beginner Basics
Topic: Wireguard VPN Mikrotik
Replies: 5
Views: 673

Re: Wireguard VPN Mikrotik

Nope......... not to my knowledge.
by anav
Fri Feb 07, 2025 8:36 pm
Forum: General
Topic: WireGuard SMB and Throughput Problems
Replies: 12
Views: 2493

Re: WireGuard SMB and Throughput Problems

The key is understanding the word.......................... Disabled ;-P

As far as NORDVPN goes, that was only if you were using a third party wireguard VPN, if not you can ignore the mangle rule.
( not sure why I thought you had nordvpn - perhaps this --> add name=NordVPN on ipsec ???)
by anav
Fri Feb 07, 2025 8:35 pm
Forum: General
Topic: CRS309 behind CCR2004 setup questions
Replies: 38
Views: 2535

Re: CRS309 behind CCR2004 setup questions

Vlan1000 is your management or trusted vlan as all smart devices get their IP address on that vlan, and all the other vlans have nothing to do with the bridge.
Coming in tagged on etherX and then going out either tagged or untagged on the rest of the switch ports.
by anav
Fri Feb 07, 2025 7:12 pm
Forum: General
Topic: WireGuard SMB and Throughput Problems
Replies: 12
Views: 2493

Re: WireGuard SMB and Throughput Problems

For sure to remove it
go to IP CLOUD
Select TAB ---> BTH VPN
Select First Line Back to home VPN: and select circle REVOKED and DISABLED

Would also go to the phone where you first created the BTH and remove that as well.
by anav
Fri Feb 07, 2025 7:09 pm
Forum: Beginner Basics
Topic: Wireguard VPN Mikrotik
Replies: 5
Views: 673

Re: Wireguard VPN Mikrotik

Sorry, MT is not an app based appliance. The best thing you can do is a. make a wifi subnet/vlan on the router that will only go to wireguard, and in this way anyone wanting to use third party for internet, can use that SSID, assuming you have given them the WLAN password. b. if this is for wired ne...
by anav
Fri Feb 07, 2025 7:06 pm
Forum: General
Topic: Router reaches the Internet, subnets do not
Replies: 13
Views: 1263

Re: Router reaches the Internet, subnets do not

https://forum.mikrotik.com/viewtopic.php?p=1123218#p1123218 Use two bridge max on RB4011, most routers its one, but RB4011 has two different switch chips one for ports 1-5 and one for ports 6-10 So group ports that are carrying like users/traffic in two main bridges Bridge1 ports 1-5 and Bridge2 por...
by anav
Fri Feb 07, 2025 6:50 pm
Forum: General
Topic: CRS309 behind CCR2004 setup questions
Replies: 38
Views: 2535

Re: CRS309 behind CCR2004 setup questions

1. Question: Is the same pool for two different DHCP vlan servers intentional?? /ip dhcp-server add add-arp=yes address-pool=vlan10 interface=vlan10 lease-time=10m name=vlan10 add add-arp=yes address-pool=vlan1255 interface=vlan1255 lease-time=10m name=vlan1255 add add-arp=yes address-pool=vlan100...
by anav
Fri Feb 07, 2025 4:58 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 6236

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

AHH, DAMN, sorry didnt see that either!
add address=192.169.50.0/24 comment=guest-vlan50 dns-server=192.168.40.10 domain=vlan50.lan gateway=192.168.50.1
by anav
Fri Feb 07, 2025 4:53 pm
Forum: General
Topic: Use port 443 for OpenVPN when it is used for other services
Replies: 2
Views: 431

Re: Use port 443 for OpenVPN when it is used for other services

You have to make up your mind,
a. either use MT for openvpn
OR
b. your own server running it.
by anav
Fri Feb 07, 2025 4:52 pm
Forum: General
Topic: default route choice based on throughput
Replies: 4
Views: 1698

Re: default route choice based on throughput

Yes, this method is like PCC but one has to create an extra set of sticky rules (very manual) to achieve load balance by throughput.
--->
tomas.pdf
https://www.youtube.com/watch?v=67Dna_ffCvc
by anav
Fri Feb 07, 2025 2:49 pm
Forum: Beginner Basics
Topic: Entry level 10GB router planning.
Replies: 7
Views: 765

Re: Entry level 10GB router planning.

Chechito why not the CCR2116-12G-4S+ ??? It meets the 10Gig throughput on the WAN side........... and is $995, the product you suggested is for a 100gig wan, at $2795.
Stated differently are you providing us with the extra $1800 dollars?? If so I will send you my bank details.
by anav
Fri Feb 07, 2025 2:40 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 21
Views: 1506

Re: Hapax3, no sleep

Hi Yepa, Read this article for vlans: https://forum.mikrotik.com/viewtopic.php?p=1123218#p1123218 For configuring vlans the easy approach is to take one of the ports lets say ether5, at least temporarily OFF the single bridge. Give it an IP address and add to LAN interface list, assuming you are sta...
by anav
Fri Feb 07, 2025 2:31 pm
Forum: General
Topic: Still fighting with Ecobee (and losing)
Replies: 12
Views: 1243

Re: Still fighting with Ecobee (and losing)

Ahh I dont use them with home assistant. They connect to the internet and I use my APP to control them.
by anav
Fri Feb 07, 2025 6:51 am
Forum: General
Topic: Still fighting with Ecobee (and losing)
Replies: 12
Views: 1243

Re: Still fighting with Ecobee (and losing)

Do I really have to ask for the config again.................... not your first rodeo ;-)
I have ecobees, no issues, main router is ccr1009, but not MT aps.
by anav
Fri Feb 07, 2025 1:05 am
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 6236

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

1. Okay, so ether2 and ether4 go to unif APs...... 2. Switch goes to.................... i imagine eventually MT APs........ 3. nas is only on managment network. Looks good so far. 4. I would change the AP setup somewhat........... to accurately reflect proper setup. FROM: /interface bridge vlan add...
by anav
Thu Feb 06, 2025 9:27 pm
Forum: Beginner Basics
Topic: How to offer DHCP only on WIFI but not on ether
Replies: 9
Views: 736

Re: How to offer DHCP only on WIFI but not on ether

Suggest you dont do anything then that might interfere with the main router since its not your network. Assume some has said you can attach your device to the network and if so, make it like a router so the IP address you get from the router lan subnet will be the wanip on the cap. That way you can ...
by anav
Thu Feb 06, 2025 9:24 pm
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 36
Views: 12888

Re: How to run IPv6 from starlink on a mikrotik?

Much thanks, very well laid out.
by anav
Thu Feb 06, 2025 9:23 pm
Forum: Beginner Basics
Topic: Slow transfer speeds when changing routing table via mangle. [SOLVED]
Replies: 4
Views: 874

Re: Slow transfer speeds when changing routing table via mangle. [SOLVED]

First thing to do is read this reference document --> https://forum.mikrotik.com/viewtopic.php?t=143620 Second thing to do is modify ether8 ( change name, take it off bridge, give it an IP address, add to LAN and TRUSTED interface lists) Then plug laptop into ether8 to access the router use 192.168....
by anav
Thu Feb 06, 2025 9:12 pm
Forum: Beginner Basics
Topic: wireguard site to site "outbound traffic"
Replies: 4
Views: 520

Re: wireguard site to site "outbound traffic"

For sure. Post both configs /export file=anynameyouwish (minus router serial number, any public WANIP information, wireguard keys ) Also indicate which router is server for handshake and which is client peer for handshake. ( I am assuming its matriz which has a public IP and is the server peer for ...
by anav
Thu Feb 06, 2025 9:09 pm
Forum: Beginner Basics
Topic: Mapping 2 different ports range
Replies: 4
Views: 464

Re: Mapping 2 different ports range

Sounds like a worthwhile feature request then........
by anav
Thu Feb 06, 2025 9:08 pm
Forum: Beginner Basics
Topic: Wireguard VPN Mikrotik
Replies: 5
Views: 673

Re: Wireguard VPN Mikrotik

The question is not clear and your wireguard even less so. Are you using a third party VPN server or do you have a public IP and are hosting your own WG client server (for handshake) on the router.
by anav
Thu Feb 06, 2025 9:06 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 6236

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

In that case please post the latest config, not one from above etc.. and will have a fresh look.
by anav
Thu Feb 06, 2025 9:05 pm
Forum: Beginner Basics
Topic: How to offer DHCP only on WIFI but not on ether
Replies: 9
Views: 736

Re: How to offer DHCP only on WIFI but not on ether

I would simply create another vlan just for the cap and it would provide wifi.

Depending on settings on the wifi device, one could isolate wifi users from each other.
If wifi users need any access to wired users or vice versa use forward chain firewall rules.
by anav
Thu Feb 06, 2025 9:02 pm
Forum: Beginner Basics
Topic: Mapping 2 different ports range
Replies: 4
Views: 464

Re: Mapping 2 different ports range

So a range of dst ports does not automatically get applied when doing port translation, to the same sequential numbering of a To-range.............???
Too bad there is not an option to force that.
What application requires this kind of assignment though??
by anav
Thu Feb 06, 2025 8:59 pm
Forum: General
Topic: RB5009+ 2x hAP ax2 as access Point
Replies: 16
Views: 2250

Re: RB5009+ 2x hAP ax2 as access Point

If one is willing to do teamviewer or anydesk sessions, assistance can be rendered gratis, depends upon how much free time I get......... in any case can always look me up on discord..... anav_ds. I was joking about 5009, its a very good router certainly nothing wrong with it unless you need a 10GIG...
by anav
Thu Feb 06, 2025 8:56 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1810

Re: VLANs segregation

Yes assuming you have an allow rule for the VLAN interface list or LAN interface list, whatever you call it
add action=accept chain=forward in-interface-list=!!!!!!! out-interface-list=WAN
by anav
Thu Feb 06, 2025 8:54 pm
Forum: General
Topic: Very slow upload speed - Please help! [SOLVED]
Replies: 7
Views: 1031

Re: Very slow upload speed - Please help! [SOLVED]

Reminds me of this post.......
viewtopic.php?p=1124141#p1124141
by anav
Thu Feb 06, 2025 4:06 am
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1810

Re: VLANs segregation

Return traffic to an inquiry made by a home user to defined devices is automatically permitted. The dstnat rule looks fine, the to-port is not really required if same as dst port, its really designed to accommodate port translation if required. There is no forward chain rule required from WAN to LAN...
by anav
Wed Feb 05, 2025 9:56 pm
Forum: Beginner Basics
Topic: Simple AP Bridge setup
Replies: 29
Views: 104554

Re: Simple AP Bridge setup

Luv it!

I found this haiku:

"It’s not DNS
There’s no way it’s DNS
It was DNS"
One could add....

Its not my windows firewall
There's no way its the windows firewall
It was the windows firewall
by anav
Wed Feb 05, 2025 9:48 pm
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 36
Views: 12888

Re: How to run IPv6 from starlink on a mikrotik?

HI mozerd, any reason to implement the ipv6 if ipv4 works?
by anav
Wed Feb 05, 2025 9:45 pm
Forum: Beginner Basics
Topic: Replace ISP WAN connection with other router
Replies: 7
Views: 694

Re: Replace ISP WAN connection with other router

I would keep ether1 setup as is and use a different port as WAN2 to the router, do you have a spare port?
by anav
Wed Feb 05, 2025 9:43 pm
Forum: General
Topic: Very slow upload speed - Please help! [SOLVED]
Replies: 7
Views: 1031

Re: Very slow upload speed - Please help! [SOLVED]

First just to be clear. 3-4MB MB ps = 25-33 Mpbs.

Second: try disabling your mangle rules to see if that makes a difference.
Other than that can only suspect a cable issue somewhere.
by anav
Wed Feb 05, 2025 9:38 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1810

Re: VLANs segregation

how can I make sure that only certain hosts in Home VLAN can access to hosts in IOT on given ports only? add action=accept chain=forward in-interface=Home dst-address=$HA_IP dst-port=$HA_port protocol=tcp add action=accept chain=forward in-interface=Home dst-address=$Pihole_IP dst-port=53 protocol=u...
by anav
Wed Feb 05, 2025 9:31 pm
Forum: General
Topic: Bridge-domain like configuration on CRS3xx switches
Replies: 4
Views: 711

Re: Bridge-domain like configuration on CRS3xx switches

Tagging or untagging vlans on ports is easy but as usually untagging on any particular is limited to one vlan ( can have none, 1 or many tagged vlan on same port though). So if you mean many untagged vlans on same port NOGO. The other one is aggregating vlans to one vlan, not sure what you mean by t...
by anav
Wed Feb 05, 2025 12:54 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1810

Re: VLANs segregation

Back to the clear question, I am not aware of what your issue is?
Use of ports in firewall rules works just fine.
by anav
Tue Feb 04, 2025 6:55 pm
Forum: General
Topic: Very slow download speed - Please help!
Replies: 11
Views: 1107

Re: Very slow download speed - Please help!

1. Remove this or disable it, you already are using pppoe as your ISP client interface. /ip dhcp-client add comment=defconf interface=ether1 2. What are these for????????? they are not attached to any interface???? If you dont know remove'...... /ip firewall mangle add action=change-mss chain=fo...
by anav
Tue Feb 04, 2025 6:53 pm
Forum: General
Topic: DMZ Pinhole
Replies: 27
Views: 3868

Re: DMZ Pinhole

Its also not clear whats going on ether2,3 would seem you have setup hybrid ports to what?? unifi access points?
remove bridge from lan interface as a member.
remove the static dns setting to 192.168.88.1
by anav
Tue Feb 04, 2025 12:32 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 3280

Re: Question on using the Internal Zerotier Controller [SOLVED]

Perhaps turning off electrical power to NY state just before superbowl starts would send the right message LOL. But I agree, there are some EU funny rules that are not so easy to overcome, but hey, anything is better than orange farts. By the way, who blinked first game seems to have started one mon...
by anav
Tue Feb 04, 2025 12:26 am
Forum: General
Topic: Network diagram/documentation
Replies: 4
Views: 1243

Re: Network diagram/documentation

Added a few more links above, you might want to avoid the network mappers if looking for simple
PS. I had to take two aspirin after looking at the diagrams. :-)
by anav
Tue Feb 04, 2025 12:20 am
Forum: General
Topic: Network diagram/documentation
Replies: 4
Views: 1243

Re: Network diagram/documentation

Wowzer................ you need some serious software. A bit much to keep on the top of your head only. :-) Maybe something like https://www.fortra.com/products/network-monitoring-software/network-mapping-software https://www.domotz.com/ (more on network mappers --> https://www.dnsstuff.com/top-7-ne...
by anav
Tue Feb 04, 2025 12:02 am
Forum: General
Topic: WireGuard SMB and Throughput Problems
Replies: 12
Views: 2493

Re: WireGuard SMB and Throughput Problems

Should be, many things you utilize I am not going to be helpful on, veth, dockers etc... 1. Please set to NONE as this function has been known to cause issues. /interface detect-internet set detect-interface-list= WAN 2. This line shows an issue as the interface is undefined add allowed-address=192....
by anav
Mon Feb 03, 2025 8:41 pm
Forum: General
Topic: Need some routing experts to help me figure out my setup
Replies: 6
Views: 1237

Re: Need some routing experts to help me figure out my setup

I too have two WANS, one fiber and one cable docsis. I only need a script for the fiber due to the fact when it changes IP address, the new gateway fails to be changed in my manual routes. For some reason my cable modem and router seem to have no issues dealing with the changing gateway....... As to ...
by anav
Mon Feb 03, 2025 8:29 pm
Forum: General
Topic: "Error in Gateway - non zero ip address expected!" when using Quick Set
Replies: 20
Views: 1732

Re: "Error in Gateway - non zero ip address expected!" when using Quick Set

From Larsa the term could be "Klud-gugily", though piger opus seems accurate, as for Kids these days, thats what your parent said ;-P
by anav
Mon Feb 03, 2025 8:15 pm
Forum: Beginner Basics
Topic: paring AVM and wAP ax
Replies: 1
Views: 600

Re: paring AVM and wAP ax

TRY going to home setting above, then to the search box upper right and type in FRITZ
Then go to google and type Fritz Mikrotik
Then go to youtube and type Fritz Mikrotik

Ask chatbot to fix it for ya.
by anav
Mon Feb 03, 2025 8:11 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 3280

Re: Question on using the Internal Zerotier Controller [SOLVED]

Larsa, are you trying to talk sexy at me "# chmod +r *". ?? Sounds like, if was to guess, some linux NAS command to ensure read only LOL. Ammo, sounds like too much recent smoke inhalation has impaired your judgment of what I am able to accomplish ( or my budget ). I am starting a go fund ...
by anav
Mon Feb 03, 2025 6:51 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 3280

Re: Question on using the Internal Zerotier Controller [SOLVED]

The most practical application I can think of is my intention to host an NAS for images/video, and have it accessible by globally located family members etc. Zerotier may be the best way to allow users to access, load, organize etc.............. my only concern is inadvertent deletion of files.........
by anav
Mon Feb 03, 2025 6:27 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 3280

Re: Question on using the Internal Zerotier Controller [SOLVED]

Thanks AMMO, so controller is limited to CLI, is there a sense it will migrate to Winbox eventually. Will stick to non-self-controller option especially since the benefit is tied to using a third party git program which also has to be loaded onto docker??
by anav
Mon Feb 03, 2025 4:35 pm
Forum: Forwarding Protocols
Topic: How can I do load balancing in ospf?
Replies: 4
Views: 1122

Re: How can I do load balancing in ospf?

You can find the answer here --> viewtopic.php?t=214383#p1123298
by anav
Mon Feb 03, 2025 4:32 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 3280

Re: Question on using the Internal Zerotier Controller [SOLVED]

Okay I had to read the docs to understand the use of the word controller. It would seem one can 'bypass' the zerotier site for setup and do it mostly on the mikrotik device. Does this mean one is still using zerotier servers? How is information protected/encrypted using the controller? Do you need a ...
by anav
Mon Feb 03, 2025 3:41 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1810

Re: VLANs segregation

The ONLY rule needed to allow port forwarding, required in the forward chain, and putting just before the drop all rule is fine. add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat Since MT decided not to provide zerotrust cloudflare in an options package ...
by anav
Mon Feb 03, 2025 2:13 pm
Forum: General
Topic: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]
Replies: 8
Views: 2207

Re: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]

Just so you understand CATs advice...... MULVAD gave you one IP address to use. That is the address they have in their peer settings for your connection. If you send any of your internal user with their private lan subnet IP as source it will get rejected at the other end. We use sourcenat like (lik...
by anav
Mon Feb 03, 2025 2:08 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1810

Re: VLANs segregation

hahah, I thought you meant etherport ...............
Allowing all users to your pi server is perfectly legit.
by anav
Mon Feb 03, 2025 5:01 am
Forum: Beginner Basics
Topic: A simple WAN/LAN/DMZ VLAN config to start off
Replies: 17
Views: 2729

Re: A simple WAN/LAN/DMZ VLAN config to start off

The benefit of consistently using VLAN ID 1 is that it is the default untagged network for Mikrotik devices. Even with gross misconfiguration, you ever won't lose connectivity,
So basically leave it in due to expected incompetence while also leaving security holes in a vlan setup. Bad advice.
by anav
Mon Feb 03, 2025 4:55 am
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1810

Re: VLANs segregation

Typically one only puts allow rules for specific traffic between vlans needed.
Then at the end of the forward chain simply put add chain=forward action=drop comment="drop all else".
Firewall rules are designed to stop layer3 traffic, so by port does not really apply.
by anav
Sun Feb 02, 2025 10:25 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2872

Re: 1.3km Possible?

@Josephny Clay, boulders, I feel your pain, same shit here in Nova Scotia. I retire next Sept, wouldnt mind a trip down to NY state to help and learn ( ticks and deer flies would be far worse though than the ground ). Just hope I can afford the gas LOL, what with prices soon to be increasing in the US ...
by anav
Sun Feb 02, 2025 10:17 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2872

Re: 1.3km Possible?

That leaves... Starlink ?

Or you don't want to sponsor Elon ? :lol:
In the not too distant future, if you are not using Starlink
a. you will not be allowed to vote
or
b. you will be deported!
by anav
Sun Feb 02, 2025 10:16 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2872

Re: 1.3km Possible?

Same here, I’d rather have a dentist appointment without anesthesia! 🤣🤣🤣
With those teeth, clearly you never go to the dentist!
by anav
Sun Feb 02, 2025 10:10 pm
Forum: General
Topic: Decision on Network Setup
Replies: 3
Views: 953

Re: Decision on Network Setup

If the ONT provides a public IP, I would probably go that route, if it doles out only a private IP and you cannot forward ports on it etc, ( no access to the public IP) then would go for the direct connection. Reason for hesitation on GPON, being is that incompatibility of ISP and mikrotik traffic o...
by anav
Sun Feb 02, 2025 9:55 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 6236

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

ROUTER VeRY confUsing!! Make up your mind. 1. USE VLANS, do not assign dhcp to bridge etc. 2. a. What should NOT be on your router anywhere is 192.168.88.0 - if you need it assign another vlan but you already have a home subnet, and a management subnet, so WTF is 192.168.88 ??? b. What should be on...
by anav
Sun Feb 02, 2025 5:21 pm
Forum: Beginner Basics
Topic: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]
Replies: 14
Views: 3046

Re: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]

@Ddram, that is now how RoS firewall rules work. If I have two vlans A and B. And I want users in Vlan to be able to access a device in VlANB all I need is: add chain=forward action=accept in-interface=VLANA dst-address=vlanB-DeviceIP All traffic from vlanA to the device will be permitted. All retur...
by anav
Sun Feb 02, 2025 5:13 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2872

Re: 1.3km Possible?

Dont complain, up here in Canada we have to actually buy our cell phones, unlike verizon and T-mobile that give them away like candies.
by anav
Sun Feb 02, 2025 5:11 pm
Forum: General
Topic: 2gws, slowly internet [SOLVED]
Replies: 7
Views: 1834

Re: 2gws, slowly internet [SOLVED]

If you continue to struggle, perhaps an online teamviewer/anydesk session to show you how.......... shouldnt need to though........
by anav
Sun Feb 02, 2025 3:28 pm
Forum: General
Topic: Required gateways isolation in bridge VLAN
Replies: 4
Views: 1350

Re: Required gateways isolation in bridge VLAN

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) The MT config is interrelated just showing one part is not going to cut it. The requirements for user traffic requested by Sindy is also critical. I would add any external users?? either going to serve...
by anav
Sun Feb 02, 2025 3:23 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2872

Re: 1.3km Possible?

Trench to edge of properties, then towers............ See if there is at any point across the cross property if there is line of sight.
by anav
Sun Feb 02, 2025 4:29 am
Forum: Beginner Basics
Topic: How to forward port? [SOLVED]
Replies: 12
Views: 2354

Re: How to forward port? [SOLVED]

If connecting to a server using the DYNDNS URL of the server and the user doing so is in the same subnet then this is called hairpin nat.
Requires a hairpin source nat rule.
add chain=srcnat action=masquerade src-address=serverSUBNET dst-address=serverSUBNET
by anav
Sun Feb 02, 2025 4:27 am
Forum: General
Topic: Site to site VPN - one http service accessible only via roguewarrior, not LAN
Replies: 7
Views: 2024

Re: Site to site VPN - one http service accessible only via roguewarrior, not LAN

Which one is the MT and is it the Server peer for handshake or client peer?
Understand about other router but if you cant post on the MT, I will move on.
by anav
Sun Feb 02, 2025 4:25 am
Forum: General
Topic: Is there a way to make the wifi signal stronger on LtAP LTE6?
Replies: 10
Views: 1388

Re: Is there a way to make the wifi signal stronger on LtAP LTE6?

Wifi is not my forte but posting the config is a good starting place.
/export file=anynameyouwish ( minus device serial number, any public WANIP information, keys etc. )
by anav
Sat Feb 01, 2025 10:37 pm
Forum: General
Topic: ethernet port on Guest Network [SOLVED]
Replies: 10
Views: 1999

Re: ethernet port on Guest Network [SOLVED]

Then send subnet 10 and subnet 172 on whatever port on the router to the MT device on its trunk port.
Or are you saying the upstream router is not capable of vlans.
by anav
Sat Feb 01, 2025 10:34 pm
Forum: General
Topic: Site to site VPN - one http service accessible only via roguewarrior, not LAN
Replies: 7
Views: 2024

Re: Site to site VPN - one http service accessible only via roguewarrior, not LAN

You have not provided the configs of both routers.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Sat Feb 01, 2025 7:40 pm
Forum: Beginner Basics
Topic: Forum rules
Replies: 39
Views: 152930

Re: Forum rules

I would have to post less to match Canada's NATO actual % in spending LOL.
I would say 90% of my posts are due to MT not implementing proper joining standards! ;-P
by anav
Sat Feb 01, 2025 7:37 pm
Forum: General
Topic: ethernet port on Guest Network [SOLVED]
Replies: 10
Views: 1999

Re: ethernet port on Guest Network [SOLVED]

Firstly, 7.17.2 does not exist, only 7.17.1 and of course betas for 7.18. Just to be clear you are using this device ONLY as a switch/AP. You wish to pass the guest network (vlan) to the wifi on the device and to at least one ethernet port. Which port is connected to the router. Is the guest vlan ...
by anav
Sat Feb 01, 2025 6:21 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 309
Views: 519601

Re: Using RouterOS to VLAN your network

This guide is great :) Does all the scripts work on RO7? As far as I understand, the router is mostly trunks as in big networks, many switches are connected up to the router Yes the scripts work fine on RoS7. The only deviation comes when you start using capsman but thats another topic ( datapath i...
by anav
Sat Feb 01, 2025 6:20 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 309
Views: 519601

Re: Using RouterOS to VLAN your network

Switch with a separate router (RoaS) ---snip--- Router Configuration at a glance: https://i.ibb.co/G5BYs2Z/router.png ---snip--- Firstly, I am only a recent MikroTik user, so I am still building my inventory of MT knowledge. Kindly bear with my limited knowledge, but I have a question. Shouldn't ON...
by anav
Sat Feb 01, 2025 6:17 pm
Forum: General
Topic: High Availability 2 DHCP servers
Replies: 30
Views: 2393

Re: High Availability 2 DHCP servers

Geez Holvoe every time I just think you're just a pretty face, you blow me away with some hidden acumen, I also thought like you were retired LOL.
by anav
Sat Feb 01, 2025 6:15 pm
Forum: General
Topic: Is there a way to make the wifi signal stronger on LtAP LTE6?
Replies: 10
Views: 1388

Re: Is there a way to make the wifi signal stronger on LtAP LTE6?

Remove house walls/floors? Oh it's a wooden house with practically no walls :) So my guess is that this isn't really an issue, the signal gets really weak on the same floor. Weird LOS should be good. Makes me think of some antenna orientation issue or more likely interference on the chosen frequenc...
by anav
Sat Feb 01, 2025 6:13 pm
Forum: General
Topic: ethernet port on Guest Network [SOLVED]
Replies: 10
Views: 1999

Re: ethernet port on Guest Network [SOLVED]

Sure, if i was a fiction writer.......... but I am not. Need facts.
/export file=anynameyouwish ( minus MT device serial number, any public WANIP information, keys )
by anav
Sat Feb 01, 2025 6:11 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 6236

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

I didnt have to look far into your router, its missing vlans, only guest is identified. Can I not have both VLAN traffic an non-VLAN traffic in the same network ? My first goal is to only configure the guest VLAN properly, then take it from there. Okay this time will be less polite LOL.......... us...
by anav
Sat Feb 01, 2025 3:49 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 6236

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

I didnt have to look far into your router, its missing vlans, only guest is identified.
by anav
Sat Feb 01, 2025 5:14 am
Forum: General
Topic: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]
Replies: 8
Views: 2207

Re: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]

/interface bridge add name=BR1 vlan-filtering=yes /interface bridge port add bridge=BR1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=99 add bridge=BR1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether3 pvid=10 add bridge=B...
by anav
Sat Feb 01, 2025 3:53 am
Forum: General
Topic: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]
Replies: 8
Views: 2207

Re: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]

Dont get your point in the added bit in orange, get rid of it. /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 add action=masquerade chain=srcnat out-interface=MullvadWG_1 src-address=0.0.0.0/0 add one of the two following rules, to help with MTU, whichever works better for ...
by anav
Fri Jan 31, 2025 7:43 pm
Forum: General
Topic: RB5009+ 2x hAP ax2 as access Point
Replies: 16
Views: 2250

Re: RB5009+ 2x hAP ax2 as access Point

Concur I am in the market for a used RB5009, I can at least cover postage. :-)
by anav
Fri Jan 31, 2025 7:42 pm
Forum: General
Topic: WireGuard SMB and Throughput Problems
Replies: 12
Views: 2493

Re: WireGuard SMB and Throughput Problems

You have provided very little useful information to even begin a conversation.
by anav
Fri Jan 31, 2025 6:59 pm
Forum: Beginner Basics
Topic: firewall rules and logging ideas
Replies: 4
Views: 1187

Re: firewall rules and logging ideas

To be clear, are ALL USERS supposed to get DNS from pihole, or only guest users? You should really use one bridge only, and for the LAN and that the LAN should not have any subnet but create two subnets one for guest as you have VLAN guest and one for home VLAN home. ALso dont use the word LAN for t...
by anav
Fri Jan 31, 2025 6:56 pm
Forum: General
Topic: 2gws, slowly internet [SOLVED]
Replies: 7
Views: 1834

Re: 2gws, slowly internet [SOLVED]

If you dont know where the problem is then dont only provide snippets
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

One common issue is not to disable fasttrack when mangling affects most of the traffic.
by anav
Fri Jan 31, 2025 2:41 pm
Forum: Beginner Basics
Topic: How to forward port? [SOLVED]
Replies: 12
Views: 2354

Re: How to forward port? [SOLVED]

Other points 1. missing wan member /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN add interface=ether2 list=WAN 2. If you manually added netmask=24 on this line, remove it. /ip dhcp-server network add address=10.1.10.0/24 comment=de...
by anav
Fri Jan 31, 2025 2:27 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 21
Views: 4366

Re: REQ: AirVPN / Wireguard fine tune assistance

By adding another wireguard vpn and possibly changing which go to which vpn add complications and changes requirements and should have been identified at the beginning. You will have to start mangling unless you can contain users within subnets. SubnetA goes to sweden, SubnetB, goes to London, Subne...
by anav
Fri Jan 31, 2025 2:23 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 21
Views: 4366

Re: REQ: AirVPN / Wireguard fine tune assistance

It will work properly when you are clearer on requirements. What you are doing is work arounds to ensure traffic flows, the to your expectations. The problem is your actual expectations dont match your up to this point to the discussion previous aka the directions... Step back. Firewall rules are si...
by anav
Fri Jan 31, 2025 12:47 am
Forum: Beginner Basics
Topic: How to forward port? [SOLVED]
Replies: 12
Views: 2354

Re: How to forward port? [SOLVED]

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
by anav
Fri Jan 31, 2025 12:45 am
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 21
Views: 4366

Re: REQ: AirVPN / Wireguard fine tune assistance

No worries, doing well! Will look at this again later. Understand about the wireguard....... Here is an example of your situation I saw elsewhere and the only difference was the endpoint address, but one needed a second interface. /interface wireguard add listen-port=51020 mtu=1420 name=Surfshark1 a...
by anav
Fri Jan 31, 2025 12:35 am
Forum: General
Topic: Vlan Setup
Replies: 3
Views: 1160

Re: Vlan Setup

I dont look at part configs so all three are needed and what is the relationship and type of devices R1,R2,R3 /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) ensure also you read this guidance on vlans: https://forum.mikrotik.com/viewtopic.php?t=143...
by anav
Thu Jan 30, 2025 11:49 pm
Forum: Beginner Basics
Topic: Troubles with configuring hairpin NAT
Replies: 11
Views: 3199

Re: Troubles with configuring hairpin NAT

So what are you trying to accomplish with repeaters.......
Do communicating devices need to be on different subnets?
Type of devices??? is it SONOS, is it APPLE etc......
by anav
Thu Jan 30, 2025 11:43 pm
Forum: Beginner Basics
Topic: Assistance Needed ASAP
Replies: 4
Views: 1286

Re: Assistance Needed ASAP

Click bait titles dont titillate you k6 LOL. Why not subscribe to the anav proposed sandbox for new members!!........... Nope we want to continue to get such nonsense......... Getting hit on the head lessons is two doors down. We should all buy orange wigs.
by anav
Thu Jan 30, 2025 11:40 pm
Forum: Beginner Basics
Topic: firewall rules and logging ideas
Replies: 4
Views: 1187

Re: firewall rules and logging ideas

When you want to ditch the youtube nonsense, I will be glad to help provide a clean and useful firewall set of rules.
However, one must look at the config as a whole, so a complete export is required.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Thu Jan 30, 2025 11:36 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1773

Re: VLANs under the bridge

1. One bridge, add both ISP vlans to the single bridge! 2. Recommend changing ether8 to an EDGE port to avoid potential interference. 3. Pools rationalized ( 7,9 duplicates) plus only 6 vlans so only 6 Pools. 4. The APs should also have the home vlan unless nobody at home is allowed wifi ;-P plus of...
by anav
Thu Jan 30, 2025 10:26 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1773

Re: VLANs under the bridge

hide sensitive was valid for ver6 not ver7.
by anav
Thu Jan 30, 2025 10:24 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 21
Views: 4366

Re: REQ: AirVPN / Wireguard fine tune assistance

butt ugly format for export................. Also, pay more attention to security this opens up winbox to the entire internet. add action=accept chain=input comment="allow Winbox" port=8291 protocol=tcp Simply only allow admin "authorized IPs" to access the router via the input c...
by anav
Thu Jan 30, 2025 8:40 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 51
Views: 5149

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Hence why I keep harping you to try just for a month a service that is used for a wide variety of users with no issues....... It may provide you sanity. :-)
by anav
Thu Jan 30, 2025 4:52 pm
Forum: General
Topic: How to configure router so it allows local server access by public host
Replies: 4
Views: 1257

Re: How to configure router so it allows local server access by public host

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Thu Jan 30, 2025 4:51 pm
Forum: General
Topic: only one host to wan
Replies: 7
Views: 1293

Re: only one host to wan

So the device does not get a public IP but a private IP from an upstream company router?
If so, correct one should still ensure access to:
a. the router for config purposes is limited to admin IT staff
b. access to any subnets (double nat) are limited to those requiring access etc...
by anav
Thu Jan 30, 2025 4:29 pm
Forum: General
Topic: only one host to wan
Replies: 7
Views: 1293

Re: only one host to wan

Bad idea to connect any router to the internet without firewall rules in place.
by anav
Thu Jan 30, 2025 4:25 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1773

Re: VLANs under the bridge

Just to be clear, do you have two lines coming from the ISP device and plugged into the router One for internet and your router gets an IP address on the 100 subnet? and the other for Telephone OR You have one line coming from the ISP device and from this you want to use one DHCP from the ISP for th...
by anav
Thu Jan 30, 2025 4:22 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1773

Re: VLANs under the bridge

Remove router serial number from posted configs.
by anav
Thu Jan 30, 2025 4:13 pm
Forum: Beginner Basics
Topic: Wireguard Road Warrior - can access everything except Router
Replies: 22
Views: 2001

Re: Wireguard Road Warrior - can access everything except Router

Post your latest FULL config for review.
by anav
Thu Jan 30, 2025 3:58 am
Forum: Beginner Basics
Topic: Wireguard Road Warrior - can access everything except Router
Replies: 22
Views: 2001

Re: Wireguard Road Warrior - can access everything except Router

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Thu Jan 30, 2025 3:54 am
Forum: General
Topic: RB5009 +wAPax vlans
Replies: 9
Views: 1465

Re: RB5009 +wAPax vlans

So the guide for setting up vlans is this: https://forum.mikrotik.com/viewtopic.php?t=143620 The difference for AP is that only the trusted vlan has the bridge tagged as well in /interface bridge vlan settings. The router all vlans have the bridge tagged. Once you have both done,,,,,,,post for revie...
by anav
Thu Jan 30, 2025 3:48 am
Forum: General
Topic: only one host to wan
Replies: 7
Views: 1293

Re: only one host to wan

In the forward chain, remove the default rule add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN Replace with add chain=forward action=accept comment="host to internet" in-int...
by anav
Thu Jan 30, 2025 3:44 am
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 21
Views: 4366

Re: REQ: AirVPN / Wireguard fine tune assistance

Yes it still recommended for third party VPNs, there are actually two in case one doesnt work well add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn add action=chang...
by anav
Thu Jan 30, 2025 3:40 am
Forum: General
Topic: Mangle policy based routing
Replies: 6
Views: 1748

Re: Mangle policy based routing

You mention two wans (main and LTE) and what you show is actually three ( MAIN on ether1, WIFI1, WIFI2) and no LTE, so I decided to stop looking.
by anav
Thu Jan 30, 2025 3:35 am
Forum: General
Topic: RB5009 +wAPax vlans
Replies: 9
Views: 1465

Re: RB5009 +wAPax vlans

Will you be using capsman?
by anav
Thu Jan 30, 2025 1:06 am
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 51
Views: 5149

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

I do suggest you give mozerds service a try.. if just for a month, I am curious as to what your experience will be like.
I predict you would be very content.
by anav
Wed Jan 29, 2025 10:37 pm
Forum: General
Topic: Mangle policy based routing
Replies: 6
Views: 1748

Re: Mangle policy based routing

There is a bug with wireguard on second LAN interface, which is not fixable, something to do with how wireguard works. However there is a way around it, will post later.
by anav
Wed Jan 29, 2025 4:46 am
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3428

Re: Blocking admin services - Firewall rules

Nobody asked for just part of your config..........geez So guess what I have to make up shit ..........thats fun Version1-vlans ......... /interface bridge add name=bridge-lan protocol-mode=none vlan-filtering=no { change this to yes as the last step } /interface vlan add interface=bridge-lan name=i...
by anav
Tue Jan 28, 2025 9:03 pm
Forum: General
Topic: Wiregard to redundant routers
Replies: 6
Views: 1535

Re: Wiregard to redundant routers

Again, understood, this is quite easy to accomplish. Recommend two wireguard interfaces on home router one to connect to ISP Router1 and a second to connect to ISP router 2. In this way the following is accomplished. Authorized external wireguard users, accessing either ISP1 or ISP2 will have access ...
by anav
Tue Jan 28, 2025 8:54 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3428

Re: Blocking admin services - Firewall rules

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Tue Jan 28, 2025 8:41 pm
Forum: General
Topic: What to buy
Replies: 31
Views: 2477

Re: What to buy

very old product: rb1100 - arm32 cpu 1.4Mhz ram1gig storage 128Mb, 13x 1gig ports, ---throughput -->2.3Gbps relatively new product: rb5009 - arm64 3.5-1.4Mhz ram1gig storage 1gig, 7x 1gig ports 1x 2.5gig port 1x sfp+1 port --- throughput --> 3.1Gbps ++++++++++++++++++++++++++++++++++++++++++++++++++...
by anav
Tue Jan 28, 2025 8:33 pm
Forum: Beginner Basics
Topic: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain
Replies: 11
Views: 2287

Re: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain

...when trying to access the HTTP server using the domain from the local network (same subnet of the HTTP server) I reach my MikroTik router web ui instead.
by anav
Tue Jan 28, 2025 7:38 pm
Forum: Beginner Basics
Topic: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain
Replies: 11
Views: 2287

Re: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain

add chain=dstnat action=dstnat src-address=serverSUBNET dst-address=serverSUBNET
by anav
Tue Jan 28, 2025 5:24 pm
Forum: Beginner Basics
Topic: Buyer recommendations for noob in a hurry
Replies: 27
Views: 2973

Re: Buyer recommendations for noob in a hurry

Simple, I have not wasted anytime learning it. I am waiting for the continual changes in MTs approach to wifi slow down and become consistent and stable, and then I may elect to play. MT wifi has no effect on my simply working from day one TP Link APs. My frustration is that capsman interferes with ...
by anav
Tue Jan 28, 2025 4:37 pm
Forum: General
Topic: DMZ Pinhole
Replies: 27
Views: 3868

Re: DMZ Pinhole

Please post config in normal export format, its very difficult trying to read your work otherwise.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)


Note: I read recently that auto-mac for bridge is best set to manual NOT AUTO.
by anav
Tue Jan 28, 2025 4:26 pm
Forum: General
Topic: Winbox 4 does not display system note correctly
Replies: 5
Views: 1113

Re: Winbox 4 does not display system note correctly

I am still using winbox3, winbox4 is not good enough for my needs yet. ;-)
by anav
Tue Jan 28, 2025 4:23 pm
Forum: Beginner Basics
Topic: Buyer recommendations for noob in a hurry
Replies: 27
Views: 2973

Re: Buyer recommendations for noob in a hurry

No, devil's way would be start messing with CAPsMAN :lol:
+1 ;-)
by anav
Tue Jan 28, 2025 5:22 am
Forum: Beginner Basics
Topic: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]
Replies: 14
Views: 3046

Re: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]

When you decide to get rid of quote marks around interface names and port names etc, I will look at the config again.
Also why no pool for two of the vlans?
by anav
Tue Jan 28, 2025 4:51 am
Forum: General
Topic: What to buy
Replies: 31
Views: 2477

Re: What to buy

Also, dont think just about today. Plan ahead, what will likely occur in the next five years.
An investment in a router should cover at least that time span. In other words, is your ISP throughput likely to be the same or increase?
by anav
Mon Jan 27, 2025 11:02 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 51
Views: 5149

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Nice AMMO. A touch of skepticism is always healthy. So just plain 9.9.9.9 no DOH etc.?
by anav
Mon Jan 27, 2025 10:55 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 51
Views: 5149

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

So does MT also provide a whitelist feature to help with false positives generated by the adlist feature LOL
by anav
Mon Jan 27, 2025 10:47 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 51
Views: 5149

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Yes and tomorrow, Stephen cashes in his profits from the Trump bitcoin and stops working on the list...................... how useful will it be tomorrow?? I mean lists are outacontrol... https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts https://raw.githubusercontent.com/PolishFilters...
by anav
Mon Jan 27, 2025 10:45 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1773

Re: VLANs under the bridge

You made the error of having a bridge subnet, get rid of it and assign another VLAN. Due to this you failed to clearly identify this other subnet which seems to be at least intended for ports 4,5,6 and sfp-sfpplus1 ???? You also seem to be adding WAN ports to the Bridge which is not usually required...
by anav
Mon Jan 27, 2025 9:52 pm
Forum: 3rd party tools
Topic: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management
Replies: 80
Views: 22757

Re: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management

Not a linux guy, can barely understand RoS, can I run this program using dockers image on any windows PC??
Larsa might have to take me under the Wing so to speak........ to show me how.
by anav
Mon Jan 27, 2025 9:41 pm
Forum: 3rd party tools
Topic: 🚀 RemoteWinBox Admiral centralized MikroTik Management
Replies: 10
Views: 4905

Re: 🚀 RemoteWinBox Admiral centralized MikroTik Management

Glad to see Admiral is humming along! The MFA is key for me. Previous experience with the software prior, was that connecting was SSTP without credentials and it seems things are getting better in that regard as well ! Sadly I am only a small time user and couldnt keep pace with the changes and need...
by anav
Mon Jan 27, 2025 9:28 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 51
Views: 5149

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Whats with github and stephen black? Is Mikrotik supporting this list, using this as a default?
Stated otherwise, what lists are people using, and are they trustworthy, uptodate or effective and how do you know?
by anav
Mon Jan 27, 2025 9:26 pm
Forum: Wireless Networking
Topic: Handover between access point of Unifi
Replies: 1
Views: 1598

Re: Handover between access point of Unifi

Why not if the information is coming in wirelessly why would it not work??
Does your cell phone only work at home?
If your ISP is providing you with any sort of device/modem etc, then that will be the problem not the MT.
by anav
Mon Jan 27, 2025 9:23 pm
Forum: Wireless Networking
Topic: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)
Replies: 13
Views: 3202

Re: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)

If its an old building does it have old RG6 coax cabling joining rooms! ( works reasonably with adapters)
You could use that as well. I imagine running outdoor RG6 may be an easy sell too as its quite common to see.
by anav
Mon Jan 27, 2025 9:16 pm
Forum: Forwarding Protocols
Topic: Issue with portforwarding
Replies: 1
Views: 962

Re: Issue with portforwarding

This rule allows port 3000 to the router, which is what you dont want, you want it strictly to the LAN server, so it should be removed. add action=accept chain=input comment="allow 3000" in-interface=pppoe-client port=3000 protocol=tcp This rule is hindering port forward... add action=drop...
by anav
Mon Jan 27, 2025 6:21 pm
Forum: Beginner Basics
Topic: specific WAN for specific Bridge
Replies: 5
Views: 1119

Re: specific WAN for specific Bridge

First thing to do is remove serial number from posted config. Second is to read this reference: https://forum.mikrotik.com/viewtopic.php?t=143620 Third, is when you want to go to one bridge and use vlans, I will be able to assist. (simply take the bridge subnet as a fourth vlan) (which subnet does t...
by anav
Mon Jan 27, 2025 5:49 pm
Forum: Beginner Basics
Topic: specific WAN for specific Bridge
Replies: 5
Views: 1119

Re: specific WAN for specific Bridge

So you have three subnets and each subnet should ONLY use a specific WAN ??
What happens when one of the WANS is not available?
Is there any port forwarding to servers on any of the lans? If so, external users or internal or both ........
Is there any traffic to the router aka VPNs?
by anav
Mon Jan 27, 2025 5:45 pm
Forum: General
Topic: Tenda Access Point and Mikrotik as Router
Replies: 5
Views: 5363

Re: Tenda Access Point and Mikrotik as Router

Post a link to the manual for your device, we use MT not tenda devices!!!
by anav
Mon Jan 27, 2025 1:50 am
Forum: General
Topic: ISP ideas to manage clients ?
Replies: 7
Views: 1327

Re: ISP ideas?

Will there be more offers? Are there any small or internet service providers in this forum? I've been asking this question for the entire time I've been on the forum and I'm not getting a correct answer 😁 Also a comedian, the name associated with your accounts says "new user" and thus one...
by anav
Sun Jan 26, 2025 11:25 pm
Forum: Beginner Basics
Topic: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]
Replies: 14
Views: 3046

Re: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]

Okay understood all. Lets get consistent about nomenclature --> TRUSTED = Admin and IT control and every smart device gets an IP in this subnet. Management should be considered VIPs, head of company or departments that may or may not need special access to something or just simply on their own subne...