MikroTik

anav

Without some diagrams nothing makes sense.

anav

Will stick to recursive, works and is much easier or via netwatch if one doesnt want to wait 10 seconds etc....

anav

Well, its pretty straightforward...... Only one vlan is identified on the switch, the management vlan and in IP address is where switch gets its IP address from. Only the managment vlan is tagged with the bridge, the rest are tagged on the incoming trunk port and as required on outgoing ports ( unta...

anav

Is this the same device that mkx was trying to help you with??

anav

You didnt get rid of raw rules................

anav

draw a network diagram.
Do you mean you have two WAN connections?
Do you mean you have two Subnets?

Etc..............

anav

I use my capacs with my hex without capsman its quick and easy to config. Your hair will not turn gray or fall out!!

anav

Sweet!!

anav

You have hidden way to much information, just the WAN public information and the only thing that would relevent is the username and password on pppoe. 1. Improve Interface list entries, but I dont see a trusted or management vlan?? Ahh you are mixing apples and oranges. Once you go vlans so will cha...

anav

Netwatch leaks out any wan to find a connection and thus you need to blackhole any netwatch routing with a second following route same table distance add one.

anav

Then setup vlan filtering now and once its smooth, do the wireguard, should take me 10minutes to fix once you have an initial config its like butta. First however, its best to work the config from an OFF the bridge position. What i recommend is create an offbridge port for local emergency access. So...

anav

Yearly rate of $20,000, that an over 50% markdown sale!! Get it while its hot!

anav

As you may have guessed the responders have some WHAT IFs, and other suggestions ( and also some errors). In other words, you should not be asking for a part solution if the requirements are not fully identified. A better response can be had when we know what else is going on the router for both inc...

anav

You can use mine, only 5c per ping.

anav

This is a clue that the router is not happy with your config....... /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN add interface= *9 list=WAN add interface=ether2 list=WAN /ipv6 dhcp-client add add-default-route=yes interface =*9 po...

anav

The point is wireguard is not the real issue at the moment. Once the config is fixed, then we will be able to see whats going with wireguard, if its still a problem.

anav

Put cement in the serial port ;-P

anav

also add
/ip neighbours discovery
set interface-list=TRUSTED

The option to change the pvid of the bridge exists because in some niche situations it may be required.
I would say its rare but I dont know enought to state what weird setups this would make sense for.

anav

1. Any port not being used should be a. disabled preferably OR b. at least removed from bridge c. the bridge itself retain default pvid but set frame-types=admit-only-vlan-tagged. d. on ports being used, ensure ingress-filtering is enabled and frame types set as required ( either vlan tagged, OR pri...

anav

a diagram and revised cleaned up config may help us provide better assistance.

anav

One flat network or vlans? diagram will help understand

anav

Okay, so depending upon the ability of the unmanaged switch then we have two options and one, both, or none may work. a. make it a trunk port to the un-managed switch both vlans tagged b. make it a hybrid port to the un-managed switch, tagged for one, and untagged for the other. May the best option ...

anav

Yes please, clean up the config, garbage is noise and noise makes it difficult to read a config OR to spot errors..........

anav

Any hex device makes a great little managed switch that works great in a home setting or even an office setting. If one is in a corporate setting where, for example, the same vlan spans two or more ports on the switch, to users that will be sending huge amounts of data back and forth across the swit...

anav

Best to provide your config for review /export file=anynameyouwish (minus router serial number, any public WANIP information, keys),.\ Steps 1. Take the private key given to you and when you make an interface on the MT router, use that private key to generate a public key ( that way windscribe alrea...

anav

There are several options. a. connect PC requiring vlan 10 directly to the audience OR ax3 b. replace the un-managed switch with a managed switch (could even be a hex) and then send the two vlans to the new device 10,20 c. buy a second cheap unmanaged switch untagged to vlan 10 and then plug in the ...

anav

Please draw a network diagram because the explanation muddles devices relationship and clarity is required.
In general, the management vlan needs to go to all smart devices ( such as the audience) as smart devices should get their IP address from the managment vlan.

anav

The information you have provided is sparse. In general on your mikrotik you generate a private key and public key ("######" ) when creating the wireguard interface and lets say create an address like 10.20.30.1/24 with listening port of 51280. The public key is for use on the peer or remo...

anav

Not sure how pppoe works but for security purposes, would remove any username passwords and any public IP address associated from your config. 1. As to the config I didnt get past your IP addressess which are wrong. You have ONE bridge, and one subnet and pool and address associated so not sure what...

anav

Liina, this is NOT your thread, it was started by Hiutale, suggest you start your own thread, to narrow down your specific issues and get assistance.
In other words, we are not focussed on your problems in this thread, so getting upset here, is not going to get you anywhere.

anav

Im saying a bridge gets one address, if you want different subnets you can cover ports A-F with the same subnet and single bridge and use different addresses for ports G,H,I NOT on the bridge, as that will cover three different subnets. OR use one bridge and assign as many vlans as you need (subnets...

anav

Just dont use the internet, there are too many ways around non DPI solutions........

anav

Any sailor worth their salt, knows that a vessel is used for drinking!! Drinkware, beverageware (in other words, cups, jugs and ewers) is a general term for a vessel intended to contain beverages or liquid foods for drinking or consumption. The word cup comes from Middle English cuppe, from Old Engl...

anav

How do you get 940Mb upload??? Thats amazing........ No firewall rules??? hEX refresh can route 1430 Mbps based on the official test results when using large packet size. Interesting using large packet size has never given me accurate results but the smaller 512 byte size does match my real world r...

anav

For MKX, just to be clear, a submarine is NOT a ship!

anav

Also the MT config
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

anav

Also I recommend taking one of the unused ports on the switch and make it an OFF BRIDGE access port, but will wait to see the config.

anav

Each vlan is created with interface being bridge. Each vlan gets its own dhcp server, ip pool, dhcp-server network AND!!! own IP address ( not a sniff of bridge on these subnet config lines ). The only other place vlans and bridges are mixed is /interface bridge port and /interface bridge lans.

anav

Same with the PHY? Functionality onboard is a subset of available options?

anav

How do you get 940Mb upload??? Thats amazing........ No firewall rules???

anav

Repost the config, when done if still having problems.

anav

According to AI..........In diagrams, the CPU is typically represented by a rectangular box, often colored dark grey or black. The switch chip, which facilitates communication between different parts of a network, is often shown as a similar rectangular or square box, but colored light blue, orange,...

anav

Concur, well stated.
Yes, if one has heavy VLAN traffic ( same vlan ) between different ports on the switch, the ax3 whether its a switch or a router will see some slow down in traffic, whereas a proper switch will not.

anav

I use my ax3 with vlan filtering and I see no ill effects on my LAN subnets...............

anav

My issue with the config is two bridges. Keep it simple, one bridge. Ditch the wrongly named one about vlan10 as you have multiple vlans on that bridge, not just 10. Move the default vlan subnet 88 to a vlan, call it vlan-default. As was pointed out you have two related discrepancies to deal with. a...

anav

The config is far to complex for my level of understanding, however I will say that you give away addresses like candy to kids, and as far as I understand the single bridge should not have multiple IP addresses, nor probably any single etherport............ /ip address add address=192.168.100.254/24...

anav

Why waste a vlan capable device when a flat unmanaged switch will do?

anav

ON VPS FIX the wireguard peers TO: /interface wireguard peers add allowed-address= 192.168.254.2 , 192.168.100.0/24 interface=WG_VPS \ name=peer_WG_VPS public-key= "----" Remove the funky nat rule. /ip firewall nat add action=dst-nat chain=dstnat comment=\ "RDP-Forwarding to local Ro...

anav

So you are using a third party APP to access your feed. Have you thought about the fact that you have to forward a port on your router to everyone in the world............ I have three different types of video cameras in the house and I dont forward a single port and I also use an APP to view them. ...

anav

concur, as stated, your best bet is to have all the others use WAN2 and your family only use wan1.

anav

It would seem your double posting, which is verbotten.
Will follow your thread here............... viewtopic.php?t=216313

anav

Without the config, all i here is opinion of some things that may or may not be relevant, its akin to hearing blah blah blah....
Please post the config for assistance.
/export file=anynameyouwish ( minus router serial number and any public WANIP information (probably none as this is a switch)

anav

You have remnants of the default config 1. From: /ip dhcp-server network add address=192.168.119.0/24 comment=defconf dns-server= 192.168.88.1 gateway=192.168.119.1 netmask=24 TO: /ip dhcp-server network add address=192.168.119.0/24 comment=defconf dns-server= 192.168.119.1 gateway=192.168.119.1 net...

anav

Review the video and when you have something close post here for review/comments
/export file=anynameyouwish ( minus router serial number, any PUBLIC WANIP information )

anav

The article provided and video only show one bridge. To configure the switch the best thing for you do to is take one port OFF the bridge and do all your configuring from this safe spot. Configuring OffBridge So remove ether24 from /interface bridge port Modify the following entry /ethernet set [ fi...

anav

viewtopic.php?t=143620
https://www.youtube.com/watch?v=YLtGQAQ ... 9yayB0cmlw

anav

I would revise the following: From: add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN add action=passthrough chain=forward comment=CAM dst-address=192.168.88.30 \ dst-port=80 protocol=...

anav

Not that I am aware of sorry.

But perhaps this explains the situation best:
..................

usetherighttool.jpg

anav

Fixed, thanks!

anav

No I said, a. if you only have one vlan per port then you dont really need vlans. b. also since this is a lab environment then you dont need any security. c. if you are trying to practice for real world setups then it would be nutso to have to manage 10 or more devices (config them) using all the di...

anav

Why do you want vlans? There is no need, there is never a duplication of any subnet over a single port? In reality, every device would be on a managed vlan, so every device would have at least two vlans coming in a trunk port. Suggest you look at basic videos and read this article. https://forum.mik...

anav

The problem is that your requirement is not clearly stated. Do you mean, I wish to access my Router while at a remote location? OR Do you mean I wish to access my router while on the LAN of ISP1 modem/router or on the LAN of the ISP2 modem/router. (hint they are not strictly modems if they get a sta...

anav

I dont understand the first post.
Why cannot you simply make the devices available via port forwarding.
How can you expose devices to the internet if you only have one WANIP address, dont you need a block of public IP addresses??

anav

It should work so there may be something else in your config interfering.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

It has two chains, and thus thought the default would include wifi1 andw ifi2 so at least the op could provide coverage for two freqs.....oh well. Nope. Only 2.4Ghz radio so only wifi1. 2 chains does not mean 2 radios. Reminds me to ask you, why do they even state the number of chains, its like use...

anav

Mikrotik provides its own domain URL in IP CLOUD use that.........
https://help.mikrotik.com/docs/spaces/R ... Cloud-DDNS

anav

How can you eat an apple but keep it intact ?

You can not.

I disagree, a whale can swallow it whole....... and then regurgitate it back whole.

anav

VERSION7 instituted some changes mostly to the way of using scope and target scope.......... Nested using a faux address for two canary selections. /ip route add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 add distance=2 check-gateway=ping dst-address=10.10.10.10/32 gateway=9....

anav

If WAN1 is your primary WAN ( and WAN2 is rarely used ), then it stands to reason that all your wireguard users have WAN1 as their endpoint address. To test if the router will switch to WAN2 automatically, due to distance in route difference, please do not SWAP distances. To test simply unplug inter...

anav

Your testing method may be flawed.
If you swap distances on the WANs, do you also change the endoint address to WAN2 for the device??
You need to NOT change the WAN distance, simply unplug the cable from wan1 into the router.

anav

What kind of switch, like an unmanaged switch with one flat network OR switch with multiple vlans?

anav

Without a router with (DPI) and like services that looks at encrypted packets there is no foolproof way...........

anav

In a dual wan scenario where WAN2 is secondary lets say by distance and your current setup is for users to connect to WAN1 address, when WAN1 fails ( is no longer available ), the router will move wireguard traffic to WAN2 after a short delay. I havent tested that lately but it used to be the case. ...

anav

How do the users get their access,,,,,,,,, if by WIFI, then turn off access point or WLANs at a certain time.

anav

I would add mkx, an admin using MT equipment would probably be trained to some degree to use the equipment in an enterprise networking position. I wonder if any of the certs cover detect internet. OR,
to have at least read viewtopic.php?t=215004

Item 5

anav

Perhaps they never coded to detect and warn about duplicates.....??

anav

I have heard ubiquiti is so designed but never have read TPLink Aps were particularly useful in dense environments.......

anav

Concur unless you set DHCP static lease to phones with randomizer turned off and do not let any other leases occur

anav

Good question, the answer is there is no certainty in the ways of MT programmers regarding wireguard. There is lots wrong with the implementation or GUI or display of information to the admin in RoS regarding wireguard. Typically we dont change our local DNS based on wireguard settings, we simply us...

anav

I hear wifi coming and CRS326 and assuming this router will replace the ASUS. Thus I am assuming you will have more than just one flat network and are planning on vlans? [ if not, send me your CRS326 and I will send you my un-managed switch ;-) ] Also there is nothing secret about your private IP ad...

anav

So you want to get into an argument. Nope … stop using MikroTik wireless and all your limiting factors go away. Yes multiple AP’s provide the required balance and improved performance … Ubiquiti, TP-Link dedicated Access points provide exceptional value for installations thatn require special purpo...

anav

So you want to get into an argument. Then tell me how many WLANs can a single ax3 PRACTICALLY provide.................. ( and remember your the one jumping up and down about network performance !!! ) NOT as many vlans as I have in my house thats for sure............ So one has to use multiple APs to...

anav

Yes, one needs the handshake negotiation to take place via the input chain and then manage traffic exiting and entering the tunnel from the LAN (forward chain)

anav

First, No one is going to hold your hand and tell you what is the optimal number of vlans. Second: The creation of vlans is to segment your network into logical manageable entities/functions and thats a personal choice. Some may prefer lumping all IOT devices into one vlan, and some might separate t...

anav

Its the only perspective! Trying to reduce the number of vlans, is not a valid requirement, its convenience at best. You create the vlans based on the functions your network will be performing. This is both logical and practical and easy to manage. One of the valid overall requirements for a network...

anav

One should view it as, if a device was compromised, what can it then attack........................... simple question. There is no RIGHT answer, its personal , and what level of comfort you have exposing devices to other devices be they IOT, media, voip, laptops, smartphones etc....... . PS Erlinde...

anav

Hex S refresh router with two Access points, very few access points handle 70 clients very well.
If stuck on one AP, look at High density access point brands look at wifi6 as a minimum ubiquiti, RUKUS etc........

anav

use firewall rule to allow it

anav

It has two chains, and thus thought the default would include wifi1 andw ifi2 so at least the op could provide coverage for two freqs.....oh well.

anav

Assuming one flat network........... First create a safe place to config the router, an off bridge port ( remove from /interface bridge ports) and then you will be able to change the main IP structure of the haplite without issue to that of the upstream router without locking yourself out. After ens...

anav

why did you mess with default firewall rules, and then mix up chains etc...... Seems like you are hosting RDP.........its not the best security practice anymore hint........ Also you seem to think its okay to have your winbox port (still in default) to be accessible over the WWW and not via VPN. I h...

anav

For me the question is, to default ON or disabled. Seeing as the majority of users end up turning this OFF and it does create traffic probably unbeknownst to most, it should really be defaulted to disabled. The associated MT doc page is perhaps vague on its purpose and seems to indicate it is OFF by...

anav

bug or feature

anav

No idea where the parts for MT devices are made or where assembled for that matter.
Concur, eap245 was great, and yes omada sucks, all good when manually configured.
Most people stream video these days!!

anav

Yes, using winbox 3, typically it happens 1, 2 or 3 times in a row but never more.
I resolve by closing all the open windows, and that seems to help.
No such issues with winbox4

anav

Smells like MT testosterone in here! ;-PP

anav

Please state MT model.. A switch is not a router?? Although RoS lets one do so, it most cases its a bad idea.

anav

Another nail in the coffin for Capsman if you ask me, if the directions are so vague or out there that this happens, its not worth its weight in chicken feathers or whatever......... argg disgusted...... https://help.mikrotik.com/docs/spaces/ROS/pages/7962638/CAPsMAN Nary a peep I could find about c...

anav

What I suggest is you configure the router from a safe spot to make subnet changes and later if you use vlans. Take etherX like ether5 OFF the bridge in /interface bridge ports So it looks like /interface ethernet set [ find default-name=ether5 ] name=OffBridge5 /ip address add address=192.168.77.1/...

anav

1. FROM /interface list add name=WAN TO /interface list add name=WAN add name=LAN 2. FROM /interface list member add disabled=yes interface=pppoe-out1 list=WAN add disabled=yes interface=ether1 list=WAN TO /interface list member add disabled= NO interface=pppoe-out1 list=WAN add disabled= NO interfa...

anav

rplant ur killen me, whats your address will send you the game whackamole.
Please ask for config LOL
/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys etc.)(

anav

Conceptually speaking you only need two tunnels or two interfaces. The one for you to use your own internet while at a remote location (0.0.0.0/0) has to be on its own Wireguard interface. Also, consider the traffic coming out of the tunnel and hitting your router, being subject to firewall rules as...

anav

Danger Danger: Its amazing your ISP has not blocked you yet. WELL you attract flies with honey and you lay a big fricken goose egg here add action=log chain=input connection-state=new dst-port=53 log-prefix="TCP 53" protocol=tcp Inviting the whole world to use your router for DNS. I would...

anav

By the way, I hope you do know about controversy around TP-Link... I see you have been recommending them here and there. Yes, tp link routers, not access points and in reality, CISCO had issue in the past in the same vein, as guess what most devices are made in China so, do you think parts can get ...

anav

I wouldnt take forum responses personally, they are of no consequence. People here are free to speak their mind, sometimes its refreshing and eye opening and humbling. I make posts based on what I know, and if someone better comes along, who actually knows their stuff, I am all the better for it. (E...

anav

Bad actors/bots are constantly hammering ALL routers, nature of the beast. There is no point logging it and nothing you can do.
However it would not hurt to have your setup/config reviewed to ensure its not getting special attention for some reason.

anav

The what, I cannot find any such model.
I see the Chateau 5G AX??

There will be no appreciable difference.
Suggest considering TPlink and Zyxel wifi 7 products.
OR
add another MT product in the home for better coverage capax for example.

anav

Are you stating that there is no port with more than one vlan going through it???
At a minimum there should be two vlans per port if all are trunk ports going to smart devices, one being the management vlan which all smart devices should get their IP address from.

anav

Suggest for fish --> https://guide.michelin.com/ca/en/new-yo ... k-new-york

anav

Doing the exercise was very helpful to determine form follows function approach and to realize that really what is going on is three different requirements based on how wireguard keys are handled. a. Both ends of a connection manually make and trade public keys (standard wireguard construction) b. A...

anav

Correct interrelated moving parts, and its unfair to ask for definitive specific answers to vaguish questions without the context and information required.

anav

You know I am always truly grateful for the enormous amount of help you have provided to me, but my limited capabilities are focused here, in this thread, on understanding the config items that distinguish router versus switch use in a CRS. Sorry, you dont control the narrative in a public space LO...

anav

Routers --> both bridge/switch and route have multiple IP addresses
Switches --> only bridge/switch have single IP address (for management of switch)
RoS Unique (confuses some) --> determines function by Software not by hardware.

anav

The CRS should be written as Cloud Router Switch . That is indeed the problem, and by the way, you should note that ONLY one switch in the entire lineup uses the terms Cloud Router Switch and that is the CRS317 ( MT informed to remove). There are couple more that use the term Cloud Switch but most ...

anav

Hi Mozerd, I attempted to rejig the Wireguard GUI in winbox 4 and supplied the advice to MT as you can see here. https://forum.mikrotik.com/viewtopic.php?t=215684: The response I got was not enthusiastic as the peer page was too busy etc. So I resubmitted a simplified approach. SEE post #7 for simpl...

anav

A good network diagram will help planning as well....

anav

The example provided is a bit confusing. - why include ports 5 through spf-sfpplus2 if not relevant (not being used) - then I see sfp-sfpplus1 is being used but no indication its a trunk port ( frame types or comment missing ) which is inconsistent from the other entries........ - why are you missin...

anav

https://www.spiceworks.com/tech/networking/articles/network-switch-vs-router/ Clues to you are routing. -DHCP -WAN and LAN -NAT -all subnets have an address -need firewall rules (layer3) Switch..... Single Ip address provided to switch setup is primarily about vlan traffic only management or trusted...

anav

I would go a step further, why are people making excuses for a chap thats willing to spend $600 without research and where the nomenclature NEVER stated cloud router. Go to the switch section of mikrotik, pull up the applicable switch page and I bet you wont find mention of cloud router!!!. Would as...

anav

Since you didnt bother to post config, Im outta here good luck. Others have more patience than I.

anav

Yeah much too busy for me to look at in any detail and wont bother until cleaned up. I did note that this is wrong. add allowed-address= 0.0.0.0/0 client-address=10.194.91.2/32 client-endpoint=xx.xx.xx.xx client-keepalive=10s \ client-listen-port=13834 interface= wireguard_1 name= public-key="&...

anav

I have a 650 myself but plugged into a socket using the adapter ( luckily my wall mount is close to an electrical outlet on the other side of the wall.) I have used injectors with no issue on other tplink and MT access points. https://www.canadacomputers.com/en/power-injector/188906/tp-link-tl-poe16...

anav

While waiting for the diagram, if you have users in the same subnet as the servers and they are attempting to reach the server via domainname/url then the easy fix is a. change server or users to a different subnet otherwise b. need a hairpin nat rule /ip firewall nat add chain=srnat action=masquera...

anav

Would need to see MT config
/export file=anynameyouwish (minus router serial number, any public WANIP information, vpn keys )

The wireguard info you were given to connect to the remote wireguard site.
( minus endpoint address, keys )

Diagram of how all the pieces are connected would be useful.

anav

If your considering WIFI as a factor then get a hex refresh (or better router) and tplink or zyxel wifi7 APs. No point IMHO of going anything less than wifi7 at this point. By the time MT figures out the dogs breakfast of wifi packages and capsman, wifi8 will be out. In other words, dont tie your ro...

anav

seppuku may be less painful

anav

Hi Ammo, Im assuming the distinction was soley at the LAB Rb 5009 regarding changing the Bridge settings ( and not the CRS326 which I am assuming are set at vlan-tagged only on bridge itself ) .... romon.jpg The admins work around was to ignore the ethernet connection and connect to an AP behind the...

anav

Truth be told you are brave and I am a coward......... when it comes to capsman implementation.
Also, you didnt learn anything from me as I dont know anything, but I have successfully passed on information other 'real' experts provide.

anav

Well based on the avatar, I guess that post could be considered a dud! ;-)) So what is the summary on why RoMON does not work here? I lost track of the conversation. The OP was trying to use romon from on a PC behind a second rb5009 (that was giving the lab 5009) a WANIP on its flan LAN, to reach t...

anav

There is nothing about setting up a router for security that is different at home or if travelling.
So ensure on your PC you use vpn for internet and if not at least VPN on the browser or AV software.

anav

Well the problem could still be the config, which you have refused to provide. There may be some collision with the box protocols and the MT config for example.

anav

When you get tired of capsman, I can help get it working....... Its more pain that its worth IMHO. In fact it takes over the config like effing egg plant in a garden.

anav

Well based on the avatar, I guess that post could be considered a dud!

)

anav

Maybe the separate box, does not follow protocols properly?? Bad cables??

anav

Hi Sindy, I dont think the OP has a problem using ROMON when behind the LAB 5009 to reach the connected CRS326 also part of the lab network. The OP, although didnt provide the pertinent information or the pertinent config, only disclosed the fact that he was actually behind another 5009, that provid...

anav

Sure/
--> https://help.mikrotik.com/docs/spaces/R ... 211299/NAT
---> https://www.youtube.com/results?search_ ... airpin+nat
---> search.php?keywords=hairpin+nat

anav

There are many factors involved here. a. how often does the main internet go down? b. what throughput or level of Cellular performance is good enough c. what level of wifi connectivity is good enough..... What is shocking to me is that as the IT person of this network, states that that there was a f...

anav

I would have a home MT router, and use the travel router to use the MT router internet via a wireguard tunnel. There is no special sauce be it on the road or at home to keep the traffic as secure as possible. A layered approach works, so if you dont vpn into home use a vpn on the connected devices, ...

anav

Hard to day without seeing your 5009 config
/export file=anynameyouwish ( minus router serial number, and any public IP information)

The router should be transparent to the device and its connectivity through the internet to office site using the office vpn.

anav

We are going to connect the PC on the master router to the lab router directly on vlan32. So ensure vlan32 is associated with ether1 as well, on the lab router. To facilitate the idea, lets say on the master 5009, its etherport YY that you have connected to the lab5009. Further, you have our pc on t...

anav

Only stating there was a second 5009 at play at such a late stage, and that the Romon issue stemmed from the first one to the Switch was a criminal omission. Consider yourself flogged

Your punishment is having to eat the entire plate of smoked meat served at Katz's.

anav

According to CGX, there were no shortcomings to using bridge itself vlan tagged, so I hesitate to completely swallow the information provided by AMMO and maybe in-between is a more accurate answer???? It would appear to me that any data from a PC trying to talk ROMON that is assumed to be on the man...

anav

Who told you this............... ??????
I need Romon to access the CRS

its clear that even though ROMON should not be affected by vlan tag settings on the bridge itself, they are, so avoid its use is my advice.

anav

So what is now on ether7?? What is the conflict? I am having difficulty identifying the conflict. ether7 is the CRS. The config paints a conflicted story? set [ find default-name= sfp-sfpplus1 ] comment= CSS326 Hard to find ether7 tagged for any vlans going to CRS326 ??? /interface bridge vlan add ...

anav

I access all my downstream devices, ax3 ap, hex switch, etc via neighbours discovery not ROMON (via winbox)

anav

Perhaps "smart"dns was just a marketing ploy?

anav

What are you using ROMON for,,,,,,,,,that is not available through neighbours discovery?

anav

ROUTER You have a disconnect and duplication when I noted on your trusted listed you had three ports ( vice just one trusted offbridge port ) identified. The fallout of that is 1. a. in ethernet interface settings you identify ether5 as the hapax upstairs, and on /interface bridge ports ( athough m...

anav

SWITCH Why are you treating the switch like a router? The only address on the switch is the one given to the switch over the management vlan32 ??? Bridge is not involved............ reminder to look at switch example: https://forum.mikrotik.com/viewtopic.php?t=143620 There is only need of ONE inter...

anav

For a secure connection suggest wireguard, assuming you have at least on public IP available at one of the routers, or the ISP router in front is capable of forwarding ports.
Alternatively use Zerotier.

anav

CGX nailed it........
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 should be pppoe-out1
WINBOX
IP menu firewall -->NAT

Sorry dont know the CLI commands to change.

anav

RoS is very for giving, many of the default settings are ALLOW by default, so unless you define what is allowed, everything is allowed.

anav

Here is one problem........ The termination of the ISP connection is done through pppoe, so the ip address entry for ether1 is incorrect, should be removed. /ip address add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0 add address=cc.220.222.dd/24 interface=ether1 network=91.220.222...

anav

What does a duck do on the router? quackNat quacknat quacknat quacknat.

fixed it for ya

anav

1. Typically the recommendation here is loose , not strict! /ip settings set rp-filter= strict 2. Lack of decent set of firewall rules, plus should be organized together in chains and in a coherent order. PLUS security infraction, one does not access winbox from external as you are attempting. Only ...

anav

/export file=anynameyouwish ( minus router serial number, any public WANIP information ) It should be quick to find the issue! also. a. confirm you are using LANIP of server to reach from LAN? b. confirm you have a public IP address (static or dynamic) OR you have an ISP router that has a public IP ...

anav

Can you post your latest config on both routers.
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys. )

anav

I do not believe DHCP in general works over wireguard but there may be ways..........
Check out VXLANs and EOIP as two possibilities ( running over wireguard or L2TP to keep the traffic secure ).

anav

Would need to see the complete config, but it sounds like you want the users on your subnets to use wireguard for specific WANIPs that exist, and where they are not static but dynamic WANIPs. First, please do not use the same name for different RoS funcitonalites, aka the name of the list being the ...

anav

How you sussed that out from the information presented boggles my mind. Glad you are here LOL However, the weak point being, how does the router know that 10.72.22.200 should be assigned to the device ( assuming its now in a VLAN of that subnet structure )?? THe router knows that that address might ...

anav

I probably missed the intent entirely but why not something as simple as: If I have a device with LANIP 192.168.0.X and I want it to go out over wireguard but as 10.10.100.Y address add chain=srcnat action=src-nat src-address=192.168.0.97 to-address=10.72.22.200 AND for return traffic..................

anav

What are your qualifiers in the PCC mangle rules??

anav

Normis, massina seems to have experience with migrations, and that at least should be made aware to the admins in their deliberations. Thanks for your feedback in this thread, its really good to see!

anav

To clarify the source nat address part is STILL required. I think he is saying
add action=dst-nat chain=dstnat connection-mark=wg-wan2 to-addresses=10.20.30.40
add action=src-nat chain=input connection-mark=wg-wan2 to-addresses=10.20.30.40

anav

Interesting, as long as there is no downside, narrowing down the frame type at the bridge, is then viable would be my conclusion. Assuming you mean this is valid for both routers and switches CR3 types when using vlan filtering??? Just to be clear this does not interfere with any situations where a....

anav

The first error. 1. is quoting from your config in post #18 EDIT : and is USER OPTIONAL ( without frame limitations vlan-id1 is shown as a dynamic entry but not a concern, as well limit frame types on all bridge ports/wlans - I guess either way is acceptable! 2. is quoting from your confing in post ...

anav

Yup sounds familiar and as CGX pointed out we only need to use one LO address/interface to accomplish same.......... no need for bridge!!
/ip address
add address=10.20.30.40 interface=lo network=10.20.30.40

anav

re: ... Anyway, whatever they end up doing... I do hope they host it on their RDS ROSE server(s) as proof-point they work in the real-world. ... If I hosted this server , I would go with Proxmox hypervisors Xeon , 40-Gig or 100-Gig network cards , NFS mounts from a TrueNAS ( 512-Gig Ram or 1-TB-Ram...

anav

Looking at the diagram it would appear you have three separate networks/locations. The laptop is a remote device could be anywhere a true remote peer. The MT device is a fixed remote device. The Server is the local wireguard in this discussion. All three are not connected but all three have access t...

anav

https://www.discourse.org/about
Nice!!

Example of a forum running discourse as the engine
https://meta.discourse.org/c/data-reporting/148

anav

Speed is not all its cracked up to be, taking ones time mostly results in greater satisfaction,.......... Besides there is an error before that..... and many many after LOL 1. /interface bridge add admin-mac=F4:1E:57:2C:BE:98 auto-mac=no comment=defconf frame-types=\ admit-only-vlan-tagged name=brid...

anav

How does it relate to the input chain rule then?? add chain=input action=accept dst-address=127.0.0.1 and you are saying Then 10.20.30.40 can be used instead of both your 172.16.10.1 and 172.16.10.2. Does this mean the following. /ip firewall nat add action=dst-nat chain=dstnat connection-mark=wg-wa...

anav

Please draw a diagram, I have no clue how everything is hooked up together and to the internet

anav

Hi CGX...
What the heck is lo LOL, an existing interface on the router that is there all the time??

anav

I see no reason to use PCC, if ECMP is ensuring fair usage of all WANs ( they have to be equalish in throughput ). Maybe ECMP circa 7.18, the brewmasters finally got right....................... Better than PCC is actually load balancing which add a layer of additional mangling but you can do it bas...

anav

Well HA does not use DHCP Option codes, must have coders from the dark ages. In any case you could try something like this simple DNS pointing. IOT Subnet on R2 - 192.168.55.0/24 IP of server on R1 - 10.10.10.15 ON R2 /ip dhcp-server network add address=192.168.55.0/24 dns-server=192.168.55.1 domain...

anav

Never said it was, but to think up such trickery, you are on the spectrum somewhere ;-P You have answered my question, there is no rhyme or reason, it is not controllable and thus the faux bridge approach is STILL required even in ECMP. Thus, the answer is dont have multiple WANS, ;-) Good, so you h...

anav

What?? Well the physical port ether1 is a trunk port carrying multiple vlans to the local device. Why would you not think that vlan32 should be allowed to ingress in ether1?? A. its on the trunk port leaving the upstream device. B. its noted as a tagged vlan id on ether1 in /interface bridge vlan s...

anav

You miss the point entirely, The two options presented DHCP and DNS are to inform the iot device, what is the IP address of the HA server, not to change the local subnet IP the iot device is using. And how would DHCP or DNS be used to inform the IoT device the address of the HA server? I stated it ...

anav

I am saying I have 3 ISPs all different all relatively 1gig connections. I load balance via ECMP /ip route ( main table ) add dst-address=0.0.0.0/0 gateway=gatewayIP-wan1 routing table=main add dst-address=0.0.0.0/0 gateway=gatewayIP-wan2 routing table=main add dst-address=0.0.0.0/0 gateway=gatewayI...

anav

Hahaha, I thought it was simply my browser, I keep forgetting they use a haplite to run their website, the free schnapps in the web lounge is not helping work output either.

anav

You miss the point entirely,
The two options presented DHCP and DNS are to inform the iot device, what is the IP address of the HA server, not to change the local subnet IP the iot device is using.

anav

Sorry I meant EMP of course. Does it work during a nuclear blast in the atmosphere??? Of course I meant ECMP, you know this feature --> Equal Cost Multi-Path...... My question is germane, not dry (german), because we are not sure of how the router decides which interface/route it decides to use on t...

anav

Maybe, home assistant appears to be a dogs breakfast with differing information wherever you look. One place says the server scans the network for devices...................

anav

So lurker did you test like 3 WANS with ECMP load balancing
Basic mangle rule in wan3 out wan3 generic all traffic to WAN back out same WAN.
What does the wireguard process choose for source address in this case, alway the correct WAN?? ( regardless if you put wireguard on wan1, wan2, or wan3 )

anav

By the way, Home Assistant devices typically obtain IP addresses from the Home Assistant server through the network's DHCP server, which is usually the router, rather than directly from the Home Assistant server itself. This sounds much like the UNIFI approach where one can use a. create dhcp option...

anav

@lurker888, does EOIP really have the same handshake issue as WG, like I described above?

Since when does EOIP have a handshake, I use EOIP within a wireguard tunnel LOL, not outside of it.

anav

Not your concern mkx, its hard to keep straight incomplete questions without context................

anav

Rereading your first post, BOLLOCKS..... Prerequisites A Mikrotik router running RouterOS v7.x A Linux system (e.g., Debian) to retrieve necessary keys An active NordVPN subscription Why?? NordVPN will give you the private key to use on the Mikrotik Router Interface creation. That creates a public k...

anav

I have a better idea, why not just live in my office I have a spare chair and desk and I can setup a tent outside, winter is almost over.
Payment in good food and beer LOL

anav

Sure, the default setup is quite good, in that it is safe to connect ether1 to you internet connection and use ports 2-5 for internet. If you need more than one network on your home you will need bridge vlan filtering.. This is the best article to read --> https://forum.mikrotik.com/viewtopic.php?t=...

anav

https://www.zyxel.com/us/en-us/products ... 915-series

anav

I have seeing lots of timezones in shared configs, that also may expose your location.
And of course wifi country settings.

Good point, the somali gang members probably dont want people to know they are in Sweden.,.........shhhhh its a secret.

anav

Kid control is not really intuitive.

Have you notifed MT by a suggestion on their support website.
If not, get on with it.

anav

Why would a frame tagged with VID=32 ingressing to ether1 be accepted? What?? Well the physical port ether1 is a trunk port carrying multiple vlans to the local device. Why would you not think that vlan32 should be allowed to ingress in ether1?? A. its on the trunk port leaving the upstream device....

anav

The point being, silly goose is that Jaclaz is talking about a. the items in the config that are not already removed by RoS ( RoS removes passwords and ipsec stuff for example ) b. the items you added or router added, NEEDED not whimsically added, to make the config work, be it public IP address, ga...

anav

No worries there Larsa, no I have not tested the hard down theory, but I trust Larsa has, as he seems to be a testing machine, highly motivated. I am starting to think he is an AI brain attached to an MT network. I sent a suggestion to MT to fix the issue based on the fact that 'fwmark' already exis...

anav

BartoszP aka devil colours would be more appropriate

But please answer my questions here --> viewtopic.php?t=215918#p1137048

anav

If Joseph you are asking a different question, can one see all the routers at one time via winbox, via wireguard, in order to select for configuring, the answer is no. Those protocols dont go over wireguard.

anav

duplicate.

Search found 23729 matches