Search found 18892 matches

by anav
Mon Feb 26, 2024 1:15 pm
Forum: General
Topic: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"
Replies: 18
Views: 744

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Can anyone tell me, what has happened to @anav and "The DEFACTO DEFAULT FIREWALL Setup"? A couple of new posters didn't like tough love. :-) In any case they were not that wrong as my tone at times was not exemplary. However, any exasperation was due to the continual day in day out, month ...
by anav
Fri Feb 09, 2024 10:33 pm
Forum: Beginner Basics
Topic: VLANS creation and testing-AX2
Replies: 173
Views: 6569

Re: VLANS creation and testing-AX2

Which one is Mr. Hyde?
by anav
Tue Feb 06, 2024 7:53 pm
Forum: Beginner Basics
Topic: VPN Client on MikroTik hEX-S
Replies: 11
Views: 1005

Re: VPN Client on MikroTik hEX-S

https://help.mikrotik.com/docs/display/ROS/WireGuard The tricky part as noted is to generate the interface at both routers and then use the public KEY provided by each in the settings of the other Router's Peer Settings. Your mother's wireguard IP should be something like 172.16.1.1/24, yours 172.16.1...
by anav
Tue Feb 06, 2024 6:50 pm
Forum: Forwarding Protocols
Topic: BGP -OSPF config help
Replies: 7
Views: 2555

Re: BGP -OSPF config help

I never understand why people want free professional consultancy work or even vendor consultancy work on forums. In that vein, how do I get a hold of you for a basic 7.13.3 OSPF-BDF setup. It would seem another poster is looking for something similar recently. CHR connected to MT router via two ISP con...
by anav
Tue Feb 06, 2024 5:45 pm
Forum: Forwarding Protocols
Topic: Dual WAN but second WAN only working inbound
Replies: 9
Views: 923

Re: Dual WAN but second WAN only working inbound

My confusion is the statement.......... "but if the webservers try to go out themselves". That is not the function of web servers?? What you are really getting at is that what is happening is users are reaching the web servers externally ( probably by dydns url unless you have a static IP ...
by anav
Tue Feb 06, 2024 5:40 pm
Forum: General
Topic: How good is PCC with a 1:2 ratio
Replies: 16
Views: 1115

Re: How good is PCC with a 1:2 ratio

There is no reason for PCC not to be working. The full 3Mbits/sec less overhead and some losses should be available for connections. Suspect a config setup issue???
by anav
Tue Feb 06, 2024 5:38 pm
Forum: General
Topic: Possible problem with VLAN [SOLVED]
Replies: 11
Views: 803

Re: Possible problem with VLAN [SOLVED]

MKX loved your explanation para, but it was like being stuck in mud. Can you state it in plainer English. Take the hexS as an example. ether1 is from ISP and ports 2-4 are bridge ports, a mix of one trunk port and 3 access ports and a trunk port on the last SFP port. Using pcunite's vlan methodology ...
by anav
Tue Feb 06, 2024 5:31 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 71
Views: 3673

Re: [Discussion] MikroTik configuration abstraction complexity

For the longest time I thought the same as you, but over time, it was clear that it was my lack of networking knowledge and ROS principles that was keeping me from unlocking the flexibility. There are many ways to skin a cat [ as mkx & rextended would say ;-) ] with ROS, and that leads to many w...
by anav
Tue Feb 06, 2024 3:26 pm
Forum: General
Topic: best RouterOS version for old CCR
Replies: 3
Views: 542

Re: best RouterOS version for old CCR

6.49.10, for version 6 is the most stable............
If using 7.13.3, then suggest try and find optimizations in your config.......... Remove any potential bloat.
by anav
Tue Feb 06, 2024 3:21 pm
Forum: Beginner Basics
Topic: Port forwarding to an ASUS router
Replies: 4
Views: 340

Re: Port forwarding to an ASUS router

Well, nothing in your evidence shows that the IP of the asus is 192.168.8.253 but I assume it is.
Secondly your two ports should be the same as your dst-port or blank ( as the router will assume it's the same with no entry).
What is in there now 0-6535 is incorrect.
by anav
Tue Feb 06, 2024 2:59 pm
Forum: Beginner Basics
Topic: Please review my Gateway+AP+Multiple VLANS configs
Replies: 2
Views: 280

Re: Please review my Gateway+AP+Multiple VLANS configs

The first config, you have all the vlans assigned to vlan2, and thus your bridge ports should NOT include ether2 ??? Typically following this excellent article: https://forum.mikrotik.com/viewtopic.php?t=143620 The idea is one bridge, and all vlans associated to the bridge, and thus either remove br...
by anav
Tue Feb 06, 2024 2:51 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 71
Views: 3673

Re: [Discussion] MikroTik configuration abstraction complexity

I will agree that since there is no real effort to improve the 'question quality', it's no surprise the 'answer quality' is not optimal. Overuse of the word powerful in the explanation, flexible would be more apropos. Recommend to a friend: Not unless they were tinkerers, otherwise the ISP provided r...
by anav
Tue Jan 23, 2024 5:49 am
Forum: General
Topic: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8 [SOLVED]
Replies: 37
Views: 5618

Re: Kill switch set-up - Wireguard (Surfshark) - ROS 7.8 [SOLVED]

Start your own thread, provide network diagram, list the user requirements ( what user and devices you have and what traffic they need) and provide your current config
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)
by anav
Tue Jan 23, 2024 4:20 am
Forum: Virtualization
Topic: Trunking VLAN with Meraki cannot reach other vlan
Replies: 3
Views: 528

Re: Trunking VLAN with Meraki cannot reach other vlan

Well if the MT is solely acting as a switch it should have nothing to do with L3 access.
by anav
Tue Jan 23, 2024 4:18 am
Forum: Beginner Basics
Topic: Dual Wan, Dual LAN, No LB or Fail Over on 7.13.2
Replies: 5
Views: 610

Re: Dual Wan, Dual LAN, No LB or Fail Over on 7.13.2

Don't understand why you have two bridges. It's best in most cases to use a one bridge approach, unless it's got two separate switch chips in the router. If you have dynamic WANIPs, the hardest part is ensuring the routes are handled appropriately. In most cases this means running scripts to ensure the...
by anav
Tue Jan 23, 2024 4:13 am
Forum: Beginner Basics
Topic: VLAN can't ping gateway
Replies: 8
Views: 649

Re: VLAN can't ping gateway

This way means nothing to me, do you want it to act as a router and handle its own subnet or act like an AP, and passthrough router subnets to the wlans .............
by anav
Tue Jan 23, 2024 3:29 am
Forum: Wireless Networking
Topic: Point-to-Multipoint with 60G/5G failover
Replies: 13
Views: 3075

Re: Point-to-Multipoint with 60G/5G failover

Of course it works, the air is so pure in UTAH ;-)
by anav
Tue Jan 23, 2024 2:42 am
Forum: Announcements
Topic: WinBox v3.40 released!
Replies: 109
Views: 101759

Re: WinBox v3.40 released!

Rhyme Disease '=)
by anav
Tue Jan 23, 2024 12:22 am
Forum: Beginner Basics
Topic: Cant get into my Mikrotik
Replies: 5
Views: 661

Re: Cant get into my Mikrotik

NETINSTALL MT VIDEO --> https://www.youtube.com/watch?v=gzlLbIf3Db MT DOCS --> https://help.mikrotik.com/docs/display/ROS/Netinstall Sage tips/advice on NetInstall if having difficulties ( USE ETHER1 OR the port named BOOT ) ...... a. Regarding Etherboot for all devices, the most error-free method i...
by anav
Tue Jan 23, 2024 12:19 am
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2369

Re: CCR2004-16G-2S multiple bridges or not?

Don't worry, Darknate has a thick skin, not concerned with wall flowers......... ;-)
But how insensitive of you mkx to imply the OP may have purchased the wrong product jajaja
by anav
Mon Jan 22, 2024 8:52 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2369

Re: CCR2004-16G-2S multiple bridges or not?

Nice!!
by anav
Mon Jan 22, 2024 7:48 pm
Forum: Beginner Basics
Topic: Sharing one physical trunk port with two bridges
Replies: 10
Views: 901

Re: Sharing one physical trunk port with two bridges

No worries, just send $$$ kidding!!
by anav
Mon Jan 22, 2024 7:47 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2369

Re: CCR2004-16G-2S multiple bridges or not?

Yes, you can have single bridge spanning both port groups. With potential performance hit mentioned by @anav. There was a bug in how ROS configures VLAN offload to switch chips ... on devices with two switch chips it was necessary to add bridge port as tagged member of all VLANs which span both swi...
by anav
Mon Jan 22, 2024 7:41 pm
Forum: Beginner Basics
Topic: CCR2004-16G-2S multiple bridges or not?
Replies: 36
Views: 2369

Re: CCR2004-16G-2S multiple bridges or not?

Not a chip expert but wouldn't creating the same vlan to cross the two chips be self defeating as this then involves the CPU. In concept, the idea is to maximize wire traffic between ports on the same chip and thus as you surmise, bridge the ports on one chip and the other ports on the other chip for...
by anav
Mon Jan 22, 2024 7:17 pm
Forum: Forwarding Protocols
Topic: BGP Filters translate from ros6 to ros7 not working
Replies: 9
Views: 1241

Re: BGP Filters translate from ros6 to ros7 not working

QUOTE: vingjfg ( from other thread on same topic )
Hi Macosoft,

Can you provide the output of the following commands?

I may need a larger subset of the configuration later but I want to start with the minimum.
/routing/export
/ip/firewall/address-list/export
/ip/route/print
by anav
Mon Jan 22, 2024 7:15 pm
Forum: Forwarding Protocols
Topic: BGP connecting but not forwarding after ros6 to ros7 update
Replies: 5
Views: 1004

Re: BGP connecting but not forwarding after ros6 to ros7 update

Please do not create multiple threads for the same issue.
by anav
Mon Jan 22, 2024 6:38 pm
Forum: Beginner Basics
Topic: VLAN can't ping gateway
Replies: 8
Views: 649

Re: VLAN can't ping gateway

My question is, are you sure you want it to be a Router? By assigning the guest network on the AP, you are really introducing added router functionality and complexity that may not be required. For example why cannot the main router provide the network DHCP etc, and then send at least two vlans in a...
by anav
Mon Jan 22, 2024 6:34 pm
Forum: Beginner Basics
Topic: Sharing one physical trunk port with two bridges
Replies: 10
Views: 901

Re: Sharing one physical trunk port with two bridges

No worries, --> no not a selection for trusted, trusted meaning in concept, different thing! As far as trusted, subnet or vlan yes, and NOT a trusted port (that gets into physical security which is a whole other entity). A trusted subnet (home) or management subnet (business), is the subnet where al...
by anav
Mon Jan 22, 2024 6:16 pm
Forum: General
Topic: OpenVPN server and Wireguard server on same router [SOLVED]
Replies: 2
Views: 528

Re: OpenVPN server and Wireguard server on same router [SOLVED]

1. Don't use vlan1 for data, if you have a home subnet, make it vlan11 for example. Vlan1 works in the background on a bridge, no need to make it a vlan. 2. I am not so sure OpenVPN can be a LAN interface, like wireguard and thus would definitely ensure forward chain rules permit traffic. 3. Why are ...
by anav
Mon Jan 22, 2024 5:35 pm
Forum: Beginner Basics
Topic: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth
Replies: 16
Views: 1008

Re: Need Help : with DDOS with UDP to My Routers - it takes all my bandwidth

1. How do you know it's an attack from the outside?
a. do you have open servers?
b. is traffic to the router itself not protected?
c. did you check with your ISP as DDOS external is something they should be dealing with
by anav
Mon Jan 22, 2024 5:09 pm
Forum: Beginner Basics
Topic: Sharing one physical trunk port with two bridges
Replies: 10
Views: 901

Re: Sharing one physical trunk port with two bridges

Sure I can look, and will respect your wishes to have separate bridges etc............. 1. I'm kinda org freak so moved rules around per bridge basis for easy understanding. :-) 2. The biggest error I see is not tagging the bridge..... as per --> https://forum.mikrotik.com/viewtopic.php?t=143620 3. ...
by anav
Mon Jan 22, 2024 4:23 pm
Forum: General
Topic: Second router as ppoee client for security
Replies: 5
Views: 555

Re: Second router as ppoee client for security

https://www.vultr.com/pricing/#cloud-compute/

$6 gets you a newer server and I believe another $1.20 or so gets you a backup Service.
by anav
Mon Jan 22, 2024 2:22 pm
Forum: Beginner Basics
Topic: bandwidth problem with many router
Replies: 4
Views: 487

Re: bandwidth problem with many router

The HEX is not capable of accommodating a 1gig ISP connection.
Suggest you look at the hapax3 ( wifi router ) or RB5009 router.
Check the specs --> TEST Results for 512 bytes packet size and 25 filter rules for real world results Mbps.
by anav
Mon Jan 22, 2024 2:20 pm
Forum: Beginner Basics
Topic: Failed to route traffic over the wireguard interface [SOLVED]
Replies: 4
Views: 530

Re: Failed to route traffic over the wireguard interface [SOLVED]

Still not getting it.
So the MT device is connected to an ISP modem? and gets a private IP? and is acting fully as a router.
What ISP provider?
by anav
Mon Jan 22, 2024 1:51 pm
Forum: Announcements
Topic: WinBox v3.40 released!
Replies: 109
Views: 101759

Re: WinBox v3.40 released!

rextended you see more with one eye, than most with two eyes............
by anav
Mon Jan 22, 2024 1:48 pm
Forum: Beginner Basics
Topic: connect to winbox from a vlan
Replies: 4
Views: 542

Re: connect to winbox from a vlan

Then the guide provided is excellent and all you need is one port from the MT to one port on the Edge (both trunk ports carrying all the VLANs).
by anav
Mon Jan 22, 2024 1:37 pm
Forum: Beginner Basics
Topic: Failed to route traffic over the wireguard interface [SOLVED]
Replies: 4
Views: 530

Re: Failed to route traffic over the wireguard interface [SOLVED]

Lacking context, is this device connected to an upstream router and is simply acting as an AP getting a private address on the LAN of the upstream router. The confusion stems from the fact that you state it's an AP but then you create a subnet and pool etc, for users and thus you are really wanting a...
by anav
Mon Jan 22, 2024 12:57 pm
Forum: General
Topic: eth5 as dhcp client
Replies: 4
Views: 466

Re: eth5 as dhcp client

If by that you mean you wish to have a separate subnet but attached to ether5.
1. take ether5 off the bridge.
2. give it what a subnet needs, IP pool, IP address, dhcp-server, dhcp-server network
etc..
by anav
Mon Jan 22, 2024 3:06 am
Forum: Beginner Basics
Topic: connect to winbox from a vlan
Replies: 4
Views: 542

Re: connect to winbox from a vlan

It is not clear ( no diagram) what your network looks like, how the Mikrotik or where the Mikrotik fits, where is the ISP............... etc etc.
For vlans
This is the best guide --> viewtopic.php?t=143620
by anav
Mon Jan 22, 2024 3:04 am
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 2009

Re: Speed and CPU issue with HEX s

Regarding official test results One more detail... the official specs also use V6, not V7. If you're not using any V7 features, there might be some merit with latest V6 on a HEX S. Or at least testing it. I beg to differ, I originally bought the hex because the specs for 25 filter rules was easily ...
by anav
Mon Jan 22, 2024 3:01 am
Forum: General
Topic: Route all requests from Interface A to IP address of Interface C on the same router through Interface B
Replies: 13
Views: 1107

Re: Route all requests from Interface A to IP address of Interface C on the same router through Interface B

You should publish all the rules after you implement the suggestion, would not surprise me that something else you're doing is getting in the way or is incorrect.
/export file=anynameyouwish ( minus router serial number, public WANIP info, keys, long assed dhcp lease lists )
by anav
Mon Jan 22, 2024 1:19 am
Forum: General
Topic: Port forward does not work on L009
Replies: 3
Views: 483

Re: Port forward does not work on L009

Ahh, fixed to old mac address or something.
No worries we actually prefer to be blinded by information, its all good info and since many parts are interrelated its important to figuring out the issues.
by anav
Mon Jan 22, 2024 1:10 am
Forum: General
Topic: Route all requests from Interface A to IP address of Interface C on the same router through Interface B
Replies: 13
Views: 1107

Re: Route all requests from Interface A to IP address of Interface C on the same router through Interface B

I would imagine it's all very doable but before I wrap my head around it, WHY? You can access your synology locally, so I don't see the logic in creating a more complex config to achieve what you wish.??? Besides the direct obvious route, you want to connect to the LTE from your phone while behind the C...
by anav
Sun Jan 21, 2024 9:22 pm
Forum: General
Topic: Second router as ppoee client for security
Replies: 5
Views: 555

Re: Second router as ppoee client for security

CHR is a onetime lifetime cost. Try VULTR hosters they are very cheap for a 1 gig connection shared CPU Cloud computing 1 vCPU - $5 a month using older generation devices. More like 6 or 7$ for newer amd and intel devices. https://www.vultr.com/features/datacenter-locations/ https://help.mikrotik.co...
by anav
Sun Jan 21, 2024 9:04 pm
Forum: General
Topic: Port forward does not work on L009
Replies: 3
Views: 483

Re: Port forward does not work on L009

Quote: " What have I missed " Answer: Don't know as you only provided a minuscule part of your config..................... You have been inflicted by the new posters disease!! ;-) I don't know what the problem is but I think I know enough not to provide my configuration :-) Please provide full ...
by anav
Sun Jan 21, 2024 8:58 pm
Forum: General
Topic: Second router as ppoee client for security
Replies: 5
Views: 555

Re: Second router as ppoee client for security

Not sure if there is any real gain by doing that. If you don't trust the VPN, there is nothing to be gained by putting the tunnel behind another router. You have firewall rules on the local MT router for most other things. Better security would be not to use nordvpn LOL. Set up a CHR in a VPS and have y...
by anav
Sun Jan 21, 2024 8:44 pm
Forum: General
Topic: Route all requests from Interface A to IP address of Interface C on the same router through Interface B
Replies: 13
Views: 1107

Re: Route all requests from Interface A to IP address of Interface C on the same router through Interface B

Well adding new elements is confusing for sure. Before we get to vlan 50 1. Did you add a router for LTE in the main table either through IP DHCP client or manually with distance=5. This will ensure that the router always chooses the CGNAT connection for local traffic first. 2. I am assuming that the...
by anav
Sun Jan 21, 2024 8:10 pm
Forum: General
Topic: 7.13 wireless package split question
Replies: 74
Views: 15916

Re: 7.13 wireless package split question

+1 For a long term stable Vers 7.12.1 variant!
by anav
Sun Jan 21, 2024 7:16 pm
Forum: General
Topic: Route all requests from Interface A to IP address of Interface C on the same router through Interface B
Replies: 13
Views: 1107

Re: Route all requests from Interface A to IP address of Interface C on the same router through Interface B

I understand your confusion. You only have one external main route for WAN traffic and thus all your local traffic should use that route. I think the problem is that you don't have a regular route for the LTE WAN setting. Either Accept default route in IP DHCP client but set a distance of 5 or someth...
by anav
Sun Jan 21, 2024 7:11 pm
Forum: Announcements
Topic: v7.14beta [testing] is released!
Replies: 510
Views: 144222

Re: v7.14beta [testing] is released!

Less significant, means it doesn't fit into the business planning ( aka profit models and future product planning ). Any change requires resources and those are tightly controlled. @normis I agree with Pe1chl, 7.12.2? whatever was the last one, may be an excellent candidate for long term stable.
by anav
Sun Jan 21, 2024 7:06 pm
Forum: General
Topic: Problem with bridge vlan
Replies: 5
Views: 627

Re: Problem with bridge vlan

Notes: 1. One bridge get rid of wan bridge (sometimes needed but rare" EDIT UNDERSTOOD FRANCE ORANGE REQUIREMENT ] 2. Remove admit only vlan tagged from bridge setting. If you need to apply frame types do so on the /interface bridge ports for standard results. 3. Understood ether8 off the bridg...
by anav
Sun Jan 21, 2024 6:09 pm
Forum: Beginner Basics
Topic: Recommendations on integrating my employer-issued MikroTik into my existing network.
Replies: 5
Views: 895

Re: Recommendations on integrating my employer-issued MikroTik into my existing network.

Interesting setup. The requirement is not quite clear as you have not said a more directed statement such as: I would like to be able to, from my home WORK VLAN, access the OVPN tunnel, without having to move my laptop ethernet cable around. It does seem as though you want to also reconfigure thei...
by anav
Sun Jan 21, 2024 5:47 pm
Forum: Wireless Networking
Topic: Wifi Wave2 on RB4011iGS+5HacQ2HnD
Replies: 43
Views: 11604

Re: Wifi Wave2 on RB4011iGS+5HacQ2HnD

To flesh out the wifi options:
discussion:
viewtopic.php?t=202578

MT docs page:
https://help.mikrotik.com/docs/display/ ... s+packages
by anav
Sun Jan 21, 2024 5:43 pm
Forum: Beginner Basics
Topic: Use public IPs from remote router [SOLVED]
Replies: 7
Views: 1083

Re: Use public IPs from remote router [SOLVED]

Senje can you provide a bit more detail on how you solved the issue.
Did you create a vpn tunnel and then use static routes?
by anav
Sun Jan 21, 2024 4:51 pm
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding

My bad, I thought you were wanting how to setup zerotier.............. If you mean you need to learn how to setup containers ?? https://help.mikrotik.com/docs/display/ROS/Container?searchId=5FV4ZUOBG https://help.mikrotik.com/docs/display/ROS/Container+-+mosquitto+MQTT+server 3 Part MT videos on con...
by anav
Sun Jan 21, 2024 4:47 pm
Forum: Beginner Basics
Topic: How do I setup NAT for multiple VLANs on different Subtnets? [SOLVED]
Replies: 15
Views: 2717

Re: How do I setup NAT for multiple VLANs on different Subtnets? [SOLVED]

If by the video you mean setting up hybrid ports on MT routers, piece of cake! The ether port is simply pvid for the port you wish to pass untagged in /interface bridge ports, and in /interface bridge vlan settings, simply tag the same etherport port for all vlan-ids needing to be sent tagged and fo...
by anav
Sun Jan 21, 2024 4:41 pm
Forum: Beginner Basics
Topic: Got my HEX working and wanting a sanity check
Replies: 10
Views: 1081

Re: Got my HEX working and wanting a sanity check

Good idea MKX, I have SSH setup as a backup on some devices and mainly use WG to access and between two MT devices I use simple SSTP.
by anav
Sun Jan 21, 2024 4:37 pm
Forum: Beginner Basics
Topic: Need some config help
Replies: 5
Views: 637

Re: Need some config help

Forward chain... simplified /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,re...
by anav
Sun Jan 21, 2024 2:03 am
Forum: Beginner Basics
Topic: Lost management
Replies: 9
Views: 2356

Re: Lost management

No worries, thought so, it seemed out of character for you so good to know!
by anav
Sun Jan 21, 2024 1:48 am
Forum: General
Topic: Bridge filter rules
Replies: 12
Views: 997

Re: Bridge filter rules

Hi there, thanks for the feedback. I am actually more interested not in the mechanics but WHY? Is it a useful thing, or an extra that most don't need? The 2116 is a POWERFUL router so it's not like you have to save CPU cycles. I usually focus on what traffic is needed for my users and devices, I don't ...
by anav
Sun Jan 21, 2024 1:40 am
Forum: Beginner Basics
Topic: Speed and CPU issue with HEX s
Replies: 28
Views: 2009

Re: Speed and CPU issue with HEX s

If you look at the specs [ TEST RESULTS ] for the router, 512 byte sized packets at Mbps speed, with about 25 filter rules provides the most realistic view into what one should get for real world speeds it looks like No rules - 1820 Mbps 25 queue rules - 735 Mbps 25 filter rules - 385.4 Mbps Conclus...
by anav
Sun Jan 21, 2024 1:33 am
Forum: Beginner Basics
Topic: Upgrade v6 to v7 Fail after previous downgrade
Replies: 1
Views: 468

Re: Upgrade v6 to v7 Fail after previous downgrade

If all else fails, use Netinstall to get where you want to be..... /export your config first, so you know what you will need to put back in afterwards via winbox or CLI interface commands.


viewtopic.php?p=1050175&hilit=netinstall#p1050175
by anav
Sun Jan 21, 2024 1:31 am
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding

by anav
Sat Jan 20, 2024 10:17 pm
Forum: Beginner Basics
Topic: Bridge VLAN Filtering
Replies: 24
Views: 2238

Re: Bridge VLAN Filtering

Get rid of the ideas of using vlan1 for a vlan, turn it into vlan11 for example, and carry on.
by anav
Sat Jan 20, 2024 9:05 pm
Forum: General
Topic: /ip/firewall/filter/export - discrepancy with the where clause
Replies: 3
Views: 523

Re: /ip/firewall/filter/export - discrepancy with the where clause

Good catch, seems like a new search filter/feature not tested, weird.
by anav
Sat Jan 20, 2024 9:03 pm
Forum: Beginner Basics
Topic: Bridge VLAN Filtering
Replies: 24
Views: 2238

Re: Bridge VLAN Filtering

Now let's say on ether5 for example you have a legitimate requirement to pass a hybrid vlan ( be it voip device or a unifi vlan with controller and APs etc..) Then it's simple. FROM smart device to hybrid device, create a hybrid port at both ends. ON MT /interface bridge port ---> PVID the SINGLE vlan...
by anav
Sat Jan 20, 2024 8:48 pm
Forum: Beginner Basics
Topic: Bridge VLAN Filtering
Replies: 24
Views: 2238

Re: Bridge VLAN Filtering

Hi there, No you do not need to make any configuration for vlan1, the router handles that transparently and dynamically in the background. The admin focus should be on the data vlans! :-) Thus I have no clue why you would wish to use or pass VLAN1 carrying data to any device??? For example I connect...
by anav
Sat Jan 20, 2024 8:42 pm
Forum: Beginner Basics
Topic: Bridge VLAN Filtering
Replies: 24
Views: 2238

Re: Bridge VLAN Filtering

Hi there,
No you do not need to make any configuration for vlan1, the router handles that transparently and dynamically in the background.
The admin focus should be on the data vlans! :-)
by anav
Sat Jan 20, 2024 7:14 pm
Forum: General
Topic: Bridge filter rules
Replies: 12
Views: 997

Re: Bridge filter rules

/ip firewall address-list add address=IP1 list=Admin (desktop) add address=IP2 list=Admin (laptop) add address=IP3 list=Admin (smartphone) add address=IP4 list=Admin (wireguard IP - assuming MT is a wg server for handshake) /interface list name=WAN name=LAN name=Manage /Interface list members add i...
by anav
Sat Jan 20, 2024 7:00 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 285
Views: 204544

Re: NEW FEATURE: Back to Home VPN

so what's the point of not supporting other architectures like mmips, taking into account the huge number of devices out there? Business Decisions: LIST OF POTENTIAL ACTION ITEMS BUDGET AVAILABLE THIS YEAR PRIORITIZED LISTS weighting factors - which devices can gain functionality without hardware c...
by anav
Sat Jan 20, 2024 6:46 pm
Forum: Beginner Basics
Topic: Got my HEX working and wanting a sanity check
Replies: 10
Views: 1081

Re: Got my HEX working and wanting a sanity check

1. Looks great, I would also consider changing the default port on wireguard to something else, 15496 etc..... 2. you can get rid of this default setting which is often hard to find ( DNS static settings ). /ip dns static add address=192.168.88.1 comment=defconf name=router.lan 3. I tend to put all ...
by anav
Sat Jan 20, 2024 6:24 pm
Forum: Beginner Basics
Topic: Dual WAN, same Gateway, no need for load balancing or failover, just specify which vlans use which wan port
Replies: 23
Views: 4356

Re: Dual WAN, same Gateway, no need for load balancing or failover, just specify which vlans use which wan port

Your forward chain firewalls have become messy with needless duplications and you are missing THREE DEFAULT RULES. The rule in red, is open ended ( not a good security practice in general ) and should be removed to clarify requirements..... add action=accept chain=forward comment="Allow IPSec ...
by anav
Sat Jan 20, 2024 5:51 pm
Forum: Beginner Basics
Topic: Dual WAN, same Gateway, no need for load balancing or failover, just specify which vlans use which wan port
Replies: 23
Views: 4356

Re: Dual WAN, same Gateway, no need for load balancing or failover, just specify which vlans use which wan port

Suffice to say, I was unable to get to the DNS questions, as other issues need to be resolved first, but in that vein, can you explain what you are doing in DNS?
It seems you have two local IPs for DNS, please explain.
10.10.0.5
10.10.0.7
by anav
Sat Jan 20, 2024 5:50 pm
Forum: Beginner Basics
Topic: Dual WAN, same Gateway, no need for load balancing or failover, just specify which vlans use which wan port
Replies: 23
Views: 4356

Re: Dual WAN, same Gateway, no need for load balancing or failover, just specify which vlans use which wan port

Going back to first principles........... Don't mix apples and oranges, when you vlans, do all vlans, no bridge dhcp etc. As per the article --> https://forum.mikrotik.com/viewtopic.php?t=143620 ADD: /interface vlan add comment=HoM interface=BR1 name=VL10-HoM vlan-id=10 /interface list members add in...
by anav
Sat Jan 20, 2024 3:24 pm
Forum: Beginner Basics
Topic: Bridge VLAN Filtering
Replies: 24
Views: 2238

Re: Bridge VLAN Filtering

In simple terms, if passing vlans from one smart device to another, this is done normally via a TRUNK PORT at both ends. There should be no PVID assigned which basically tells the router untag the traffic leaving the port and tag the traffic entering the port with this vlan. Not relevant between two...
by anav
Sat Jan 20, 2024 3:19 pm
Forum: Beginner Basics
Topic: two hotspot for two wan
Replies: 3
Views: 498

Re: two hotspot for two wan

Sorry, I know very little about hotspots, other than people also setup Usermanager (radius server functionality) along with the hotspot. https://help.mikrotik.com/docs/pages/viewpage.action?pageId=56459266 https://help.mikrotik.com/docs/display/ROS/Hotspot+customisation https://help.mikrotik.com/do...
by anav
Sat Jan 20, 2024 2:58 pm
Forum: General
Topic: Bridge filter rules
Replies: 12
Views: 997

Re: Bridge filter rules

What kind of traffic do you want to delete/block? Specifically 67-68 port? It can also be locked in the RAW section. It is not necessary to use Bridge-filter. Are you using default firewall settings? Is there a need to block such traffic? I haven't seen in many configs, with this type of ruleset so...
by anav
Sat Jan 20, 2024 5:39 am
Forum: General
Topic: Cant Access my Mikrotik Routerboard
Replies: 2
Views: 526

Re: Cant Access my Mikrotik Routerboard

Good day. 1. According to this page there is not a Routerboard 750? https://mikrotik.com/products/group/routerboard Perhaps you were thinking about A ROUTER of the 750 series.... known as the HEX lineup. All start with RB750xxx(x) and the xxx tells us which model it is. I provided links to two of th...
by anav
Sat Jan 20, 2024 3:19 am
Forum: Beginner Basics
Topic: Lost management
Replies: 9
Views: 2356

Re: Lost management

What's your point McGremlin? I am reading mixed messaging here. First, you clearly found rextended's post amusing...... (even a smiley face). EDIT: Just find out that it's an old thread so it was a waste of time for me writing this post... But your reply was really nice, rextended :D Then here you ...
by anav
Sat Jan 20, 2024 12:27 am
Forum: General
Topic: RB5009 directly connected to CRS310 pings timeout
Replies: 6
Views: 1019

Re: RB5009 directly connected to CRS310 pings timeout

I would suggest posting your config as it might simply be an error you're not seeing. ( less router serial number, public WANIP info, keys etc.)
You can use the code quotes above so the post is short (black square with white square brackets (on the same line as B and U for example))
by anav
Fri Jan 19, 2024 11:43 pm
Forum: Beginner Basics
Topic: Sharing one physical trunk port with two bridges
Replies: 10
Views: 901

Re: Sharing one physical trunk port with two bridges

Really a straightforward setup for the most part, the question I have is why do you have TWO ethernet ports going to the hypervisor on the left?? You only need one port going to a smart switch for example if it was there instead of the hyper visor. Thus I would need to understand what the hypervisor...
by anav
Fri Jan 19, 2024 11:37 pm
Forum: Beginner Basics
Topic: two hotspot for two wan
Replies: 3
Views: 498

Re: two hotspot for two wan

A network diagram would be helpful to explain your network, not quite getting it..........
by anav
Fri Jan 19, 2024 11:35 pm
Forum: General
Topic: RB5009 directly connected to CRS310 pings timeout
Replies: 6
Views: 1019

Re: RB5009 directly connected to CRS310 pings timeout

As per the link, time to have a reread, you will see that the bridge should do no DHCP, and it's all vlans! Therefore you create vlans for all your subnets and they have interface bridge. The vlans get ip pool, address, dhcp-server, dhcp-server network The vlans are part of the lan interface list the...
by anav
Fri Jan 19, 2024 11:31 pm
Forum: General
Topic: hAP ac² multiple networks isolation problem [SOLVED]
Replies: 7
Views: 1280

Re: hAP ac² multiple networks isolation problem [SOLVED]

Awesome! The effort now will be worth it in the long run.
by anav
Fri Jan 19, 2024 11:30 pm
Forum: General
Topic: NAT Hairpin Configuration Troubles
Replies: 13
Views: 994

Re: NAT Hairpin Configuration Troubles

Glad it's working for you!!
by anav
Fri Jan 19, 2024 6:42 pm
Forum: General
Topic: hAP ac² multiple networks isolation problem [SOLVED]
Replies: 7
Views: 1280

Re: hAP ac² multiple networks isolation problem [SOLVED]

Regardless, keep the firewall rules as is, if you are happy with performance. However, the multiple bridge approach is really not used anymore, if it ever was. Please use the linked article to reduce your bridges to one. It reduces complexity of the config so that any errors are easier to spot. ( sa...
by anav
Fri Jan 19, 2024 6:07 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

I'm hungry already!
by anav
Fri Jan 19, 2024 4:34 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

Even better, a free trip to a resort with at least one overnight stay included, the Mrs Bpwl, can enjoy a trip too I'm sure!!
by anav
Fri Jan 19, 2024 4:00 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

Another thing in my Ros devices which are fairly hard locked (students on holiday press reset and do power off/on sequences as they learned this somewhere as universal problem solving) is using a mode and reset button sequence to activate some script that will open the door for management access (in...
by anav
Fri Jan 19, 2024 3:57 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

Well holvoe, since now you say it's true, bpwl and I can put away our dart and Ouija boards, these anal plucks we come up with, just for fun, can be nerve rattling, of course until proven true. ;-)
by anav
Fri Jan 19, 2024 3:53 pm
Forum: General
Topic: hAP ac² multiple networks isolation problem [SOLVED]
Replies: 7
Views: 1280

Re: hAP ac² multiple networks isolation problem [SOLVED]

IMHO the config is a bloated mess, more concerned with stopping traffic than simply only allowing needed traffic.
The first place to start though is a one bridge concept and all vlans, bridge does no dhcp.

viewtopic.php?t=143620
by anav
Fri Jan 19, 2024 2:50 pm
Forum: General
Topic: NAT Hairpin Configuration Troubles
Replies: 13
Views: 994

Re: NAT Hairpin Configuration Troubles

Courtesy of Sob , (the problem): "- user client 192.168.88.5 wants to connect to www.myserver.net, resolves hostname, gets 47.123.12.89 and sends initial packet to it - client doesn't have any idea where 47.123.12.89 is, as far as it knows, it can be on the other side of planet - dstnat rule c...
by anav
Fri Jan 19, 2024 1:08 am
Forum: General
Topic: Help me - make script change ip adress every rto
Replies: 11
Views: 920

Re: Help me - make script change ip adress every rto

Interesting, with my limited knowledge would never have seen that coming.
I certainly would have not posted after you noted the possibility.
I have reported the post as well. :-)
Hopefully, there is a clean explanation as the script is interesting nonetheless.
by anav
Fri Jan 19, 2024 1:04 am
Forum: General
Topic: Help me - make script change ip adress every rto
Replies: 11
Views: 920

Re: Help me - make script change ip adress every rto

So basically, the OP asked for a way to deceive the service provider's mechanism to prevent abuse of his internet connection? I thought it was a simple case like my own fibre dynamic IP provider, when the IP changes so does the gateway but the gateway used in my Routing Rules does not get updated, an...
by anav
Fri Jan 19, 2024 12:58 am
Forum: General
Topic: Port forwarding over ISP with enabled full network over wireguard forwarding
Replies: 3
Views: 789

Re: Port forwarding over ISP with enabled full network over wireguard forwarding

In a nutshell, a. you use a third party VPN provider for one or more subnets going out wireguard. b. you also have servers on the LAN that (i) internal users use Q1. How do you prefer internal users access server ( by direct LANIP ?) (ii) external users use Q2 . How do external users access the serv...
by anav
Fri Jan 19, 2024 12:32 am
Forum: Beginner Basics
Topic: Worth it to change private IP address early in setup process?
Replies: 13
Views: 2816

Re: Worth it to change private IP address early in setup process?

One should note that neighbour discovery is the helpful key to making this work really well across multiple MT devices on the trusted Subnet ( aka ensure that trusted subnet is in interface list and that interface list is in neighbours discovery). I believe the default is LAN, but as soon as multiple...
by anav
Fri Jan 19, 2024 12:01 am
Forum: Useful user articles
Topic: Solving the problem mikrotik router freeze in Calculating download size in update to os v7
Replies: 3
Views: 768

Re: Solving the problem mikrotik router freeze in Calculating download size in update to os v7

Curious, is it monetized if you don't hit subscribe??
Agree, if you have the fix just state it and one can refer to more detail in the video.
by anav
Thu Jan 18, 2024 11:43 pm
Forum: Beginner Basics
Topic: How do I setup NAT for multiple VLANs on different Subtnets? [SOLVED]
Replies: 15
Views: 2717

Re: How do I setup NAT for multiple VLANs on different Subtnets? [SOLVED]

Yes of course! Just set it up more like a switch aka no need for dhcp, firewall rules etc.... This should help with VLAN work............ https://forum.mikrotik.com/viewtopic.php?t=143620 and also the pointers given at this post highlight the main points to consider for this Switch device. https://f...
by anav
Thu Jan 18, 2024 11:38 pm
Forum: Beginner Basics
Topic: Lost management
Replies: 9
Views: 2356

Re: Lost management

Clearly one has to let at least two years go by before stating thanks for the reply.
I thought it was funny, but I have a sense of humour.
by anav
Thu Jan 18, 2024 11:08 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 285
Views: 204544

Re: NEW FEATURE: Back to Home VPN

Not a bad improvisation! I am still curious as there has not really been a handshake at all, just two clients somehow connected and maintaining a connection. I wonder what the underlying virtual structure laid down looks like. Also what happens when one end loses communications? In a typical lost co...
by anav
Thu Jan 18, 2024 10:16 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

Geez another handsome and wise poster, but I still give a slight edge to BPWL ( on which attribute I won't say )
by anav
Thu Jan 18, 2024 8:31 pm
Forum: Wireless Networking
Topic: Wifi 7 - MikroTik when???
Replies: 33
Views: 11567

Re: Wifi 7 - MikroTik when???

Follow the smartphone if you want to follow the market.. As of Dec 21 2023 --> https://gsm.cool/blog/article-wifi7 / https://www.epey.co.uk/phone/wi-fi-bands/wi-fi-7-802-11-a-b-g-n-ac-ax-be/ What I am tracking though: Rumours of Apple 16Pro with wifi chip 2024, Apple17PRO with first time APPLE WIFI ...
by anav
Thu Jan 18, 2024 7:53 pm
Forum: Beginner Basics
Topic: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)
Replies: 14
Views: 1547

Re: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)

Already did, see above for firewall rules applicable to the OPs post. Oops I actually assumed you read the thread. ;-PP
by anav
Thu Jan 18, 2024 7:52 pm
Forum: General
Topic: Struggling with additional WiFI Subnets
Replies: 6
Views: 855

Re: Struggling with additional WiFI Subnets

My usual line is once you go vlan, go all vlans and not have the bridge do anything but bridging (no dhcp). The issue is the bridge is handing out traffic and a LAN and yet you have a vlan doing the same thing on ports you connected to the bridge. Also you are missing the required /interface bridge ...
by anav
Thu Jan 18, 2024 7:22 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

You Sir, are wise and handsome! :-)
by anav
Thu Jan 18, 2024 7:14 pm
Forum: General
Topic: Recursive Mikrotik Documentation ERROR??
Replies: 0
Views: 662

Recursive Mikrotik Documentation ERROR??

https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608 Failover (WAN Backup) This is a basic failover guidance document, where no other traffic is involved or discussed ( no LAN servers, no VPN etc....) just two wans and a LAN. I see two major problems on this doc: 1. Why does MT bring...
by anav
Thu Jan 18, 2024 7:03 pm
Forum: General
Topic: Audience LTE Failover Recursive Routing DHCP
Replies: 3
Views: 522

Re: Audience LTE Failover Recursive Routing DHCP

If I had my choice, any person caught using chapgpt should be banned for life LOL, but in the case when chapGPT rules our lives I won't say boo, for fear of being persecuted by ones and zeros. Did you ask GPT about the official mikrotik documentation as well? Just curious LOL. In any case, you other a...
by anav
Thu Jan 18, 2024 6:54 pm
Forum: Beginner Basics
Topic: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)
Replies: 14
Views: 1547

Re: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)

1.Organization of FW rules by chain is personal preference, much easier to read and spot errors. 2. Order of rules within a chain is CRITICAL 3. No issues, safe to use DNS service of router, that is what it is there for. I often include, in the input chain an interface LAN rule for NTP but also add ...
by anav
Thu Jan 18, 2024 6:27 pm
Forum: General
Topic: Audience LTE Failover Recursive Routing DHCP
Replies: 3
Views: 522

Re: Audience LTE Failover Recursive Routing DHCP

Learning curve: Many things will work somewhat in MT even when configured non-optimally. Doesn't mean you won't run into issue at sometime. 1. You have two options for WAN2. A. the neighbour, on his router, has a way to ensure you always get the same IP address ( set it statically on the lease, like ...
by anav
Thu Jan 18, 2024 6:24 pm
Forum: Beginner Basics
Topic: Multi Device Config file
Replies: 1
Views: 491

Re: Multi Device Config file

Not off the top of my head, not a big network sysadmin guy but I would certainly check out winboxremote, now called Admiral for a paid solution.
by anav
Thu Jan 18, 2024 6:22 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

My experience was otherwise, often I would have to go through bridge vlan filtering=yes four or five times (using winbox, mac, safemode etc...)
I didn't come up with a safer method, just for the fun of it LOL.
Provided through experience!! Your mileage may vary.
by anav
Thu Jan 18, 2024 6:05 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

Adding: if such a user has Safe Mode active and then the bridge burps kicking each connection out ... he's back at where he started. Sounds like have discovered the infinite loop ;-) Yes safe mode is good practice when mucking about in the config, for the bridge configuration the best approach IMHO...
by anav
Thu Jan 18, 2024 6:01 pm
Forum: General
Topic: Struggling with additional WiFI Subnets
Replies: 6
Views: 855

Re: Struggling with additional WiFI Subnets

Some advice, quickset --> avoid! I'm assuming that you have need of multiple SSID/WLANS due to different types of users. - secure home users - untrustworthy IOT devices - vid Cameras - guest users. All which may or may not require different subnets. If they are on their own subnet then they probably...
by anav
Thu Jan 18, 2024 5:57 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

Hi AMMO, there is a reason it's OFF at the start and ON at the end, and also a reason why I often suggest doing any bridge config OFF bridge from an etherport direct. The bridge burps the router kicks out and the OP is left confused and frustrated. It's not quite the reason given in documentation,,,,,...
by anav
Thu Jan 18, 2024 5:49 pm
Forum: General
Topic: FailOver does not work when carrier router loses configuration
Replies: 2
Views: 502

Re: FailOver does not work when carrier router loses configuration

Knowing what the ISp1 defaults to, would consider moving to a different subnet architecture for the main LAN subnet. One of the reasons, recursive failover is helpful, is that if one cannot reach the external IP DNS IP address, the router moves to the other WAN. It is really useful for when the ISP ...
by anav
Thu Jan 18, 2024 5:34 pm
Forum: General
Topic: NAT Hairpin Configuration Troubles
Replies: 13
Views: 994

Re: NAT Hairpin Configuration Troubles

Yes, nothing like a short video showing how the electrons are moving about, with some appropriate IPs, and text, would make it crystal clear, but I don't have those skill sets. I relied on explanations from others like MKX, to help understand. It's not something that sticks and have to relearn every t...
by anav
Thu Jan 18, 2024 4:59 pm
Forum: General
Topic: NAT Hairpin Configuration Troubles
Replies: 13
Views: 994

Re: NAT Hairpin Configuration Troubles

There we disagree,
add chain=srcnat action=src-nat dst-address=SubnetofServer src-address=SubnetofServer

Is tres simple!! In zyxel speak, there was a checkbox called loopback to enable. Never knew what it was for until I started using MT devices.
by anav
Thu Jan 18, 2024 4:24 pm
Forum: Beginner Basics
Topic: VLAN configuration for home network [SOLVED]
Replies: 9
Views: 1165

Re: VLAN configuration for home network [SOLVED]

When you do and run into issues, the best thing to do is export the full config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc...)

LLU
by anav
Thu Jan 18, 2024 4:21 pm
Forum: General
Topic: NAT Hairpin Configuration Troubles
Replies: 13
Views: 994

Re: NAT Hairpin Configuration Troubles

So you are using an application to do this???? Me is confused. My impression then was incorrect. I thought you were using a. mynetname or some other dyndns URL when external to the router to access your server AND b. you were able to construct an internal URL of sorts ( a way of pointing to the inte...
by anav
Thu Jan 18, 2024 4:15 pm
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 34307

Re: Forum moderation volunteers

Larsa, I could kiss you but for fear of catching something dreadful, I will not. :-) Yes, frustration and the like is but a symptom of not having enough process and structure at the beginning of a posters experience here. I am trying to address root causes and not focus on symptoms. I listed all the...
by anav
Thu Jan 18, 2024 4:10 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 290
Views: 412693

Re: Using RouterOS to VLAN your network

PCUNITE:::::::::: Looking at a forum post, it was clear to me that we need to add something in the main body text, making it clear that bridge vlan filtering YES NO, needs to be explained. I only found the functionality shown in the scripts. An OP looking at the scripts may see the top initial setti...
by anav
Thu Jan 18, 2024 3:58 pm
Forum: Beginner Basics
Topic: VLAN for unmanaged switch
Replies: 4
Views: 629

Re: VLAN for unmanaged switch

Good advice holvoe............ ;-) Something like an off bridge access to config the router and emergency access anytime the bridge burps eh!! Looking at the article I can now understand the question on bridge vlan-filtering setting. Nowhere in the article does it clearly state this requirement, at...
by anav
Thu Jan 18, 2024 3:54 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 285
Views: 204544

Re: NEW FEATURE: Back to Home VPN

Basically I cannot picture how hole punching would work with WG (and not in the docs)
This especially. How would the cloud instance create a hole to two entities that have no public IP aka CGNAT, then facilitate a direct connection without relay???
Perhaps MT has discovered true magic. :-)
by anav
Thu Jan 18, 2024 3:49 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 285
Views: 204544

Re: NEW FEATURE: Back to Home VPN

3) using hole punching. this means relay only helps to find both ends, but traffic will go direct. I guess now I have questions... Under what conditions does it use hole punching? Does that require the BTH app, or can a normal WG use "hole punched" BTH too? Basically I cannot picture how ...
by anav
Thu Jan 18, 2024 3:39 pm
Forum: General
Topic: NAT Hairpin Configuration Troubles
Replies: 13
Views: 994

Re: NAT Hairpin Configuration Troubles

Tangent, I am interested in your internal host name solution as it may be an approach worthy of more discussion. Typically my response has always been WHY are you sending internet users to your server by DYDDNS URL or mynetname (aka thru WANIP), instead of just using the direct LANIP. Seems foolish ...
by anav
Thu Jan 18, 2024 2:34 am
Forum: General
Topic: Wirefuard and two ISP
Replies: 1
Views: 524

Re: Wirefuard and two ISP

Your configuration is incorrect and there may be multiple compounding errors.
by anav
Thu Jan 18, 2024 2:04 am
Forum: Beginner Basics
Topic: Bridge VLAN Filtering
Replies: 24
Views: 2238

Re: Bridge VLAN Filtering

Without seeing the config, it's hard to know where you went wrong. In general, MT device gets IP from the trusted VLAN, This is the only vlan that will have the bridge tagged in /interface bridge vlans The rest of the vlans are tagged on the incoming trunk port and either tagged out another trunk por...
by anav
Thu Jan 18, 2024 12:42 am
Forum: Beginner Basics
Topic: Bridge VLAN Filtering
Replies: 24
Views: 2238

Re: Bridge VLAN Filtering

To put it simply, MT devices accept trunk ports, access ports and hybrid ports without issues, regardless of vendor.
Internally, this is the best guide for at least routers... viewtopic.php?t=143620
by anav
Thu Jan 18, 2024 12:39 am
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2154

Re: Brute Force Attacks

Perhaps you should make use of Mozerds most excellent service, light years ahead of the game in the DIY category......
by anav
Wed Jan 17, 2024 4:32 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2154

Re: Brute Force Attacks

But then you would need french beurre and Canadian Maple Syrup. :-)
by anav
Tue Jan 16, 2024 10:09 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2154

Re: Brute Force Attacks

Strange, it's not like you have some secret recipe for vodka ;-)
by anav
Tue Jan 16, 2024 9:50 pm
Forum: Beginner Basics
Topic: RB5009 switch ACL ports=switch1-cpu not filtering
Replies: 13
Views: 3082

Re: RB5009 switch ACL ports=switch1-cpu not filtering

Thanks for the feedback! Good catch.
For knowledge, what would be a good use for switch1-cpu switch filtering USE CASE ??
by anav
Tue Jan 16, 2024 4:38 pm
Forum: General
Topic: Wireguard - access from LAN [SOLVED]
Replies: 4
Views: 815

Re: Wireguard - access from LAN [SOLVED]

Nothing better than finding the issue oneself.......... Often by trying to explain a config one sees the problem!!
by anav
Tue Jan 16, 2024 4:05 pm
Forum: General
Topic: RouterOS download torrent
Replies: 33
Views: 17369

Re: RouterOS download torrent

It's cold in St Louis, perhaps time has also frozen. :-)
by anav
Tue Jan 16, 2024 4:01 pm
Forum: Beginner Basics
Topic: Help i couldn't Login page
Replies: 4
Views: 836

Re: Help i couldn't Login page

Clearly the OP needs some education!
https://www.youtube.com/watch?v=T2ncJ6ciGyM
by anav
Tue Jan 16, 2024 2:47 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2154

Re: Brute Force Attacks

When will they start doing it with IPv6.............
When easy IPV4 targets are not available for starters and if you have something considered of value and exploitable the level of interest climbs......regardless of IPV....
by anav
Mon Jan 15, 2024 10:56 pm
Forum: General
Topic: What is the current version of RouterOS? [SOLVED]
Replies: 4
Views: 821

Re: What is the current version of RouterOS? [SOLVED]

What's up with that. Glad you asked!!
https://www.youtube.com/watch?v=sqpnRyfz_aY

Correct 7.13.2 is the latest stable firmware but due to changes in how wifi packages are disseminated one has to upgrade to 7.12 first I believe and then to 7.13.
https://mikrotik.com/download/archive
by anav
Mon Jan 15, 2024 10:29 pm
Forum: General
Topic: Forward WAN port to another subnet/router LAN [SOLVED]
Replies: 8
Views: 1665

Re: Forward WAN port to another subnet/router LAN [SOLVED]

If you read the above notes, it's pretty much covered. I only mentioned dyndns because most server admins give an URL for people to use, a lot handier than a long assed IP address. Something like Johns.homeserver.net As stated yes. 1. Forward chain rule as per my forward chain above ( get rid of DEFA...
by anav
Mon Jan 15, 2024 8:11 pm
Forum: General
Topic: Forward WAN port to another subnet/router LAN [SOLVED]
Replies: 8
Views: 1665

Re: Forward WAN port to another subnet/router LAN [SOLVED]

Okay so remote router is not MT its something else. You wish for your external users to use your DYNDNS URL/IP address of the mikrotik router to reach the server at 192.168.10.200 In other words, enter the MT router then be port forwarded through the tunnel to the other router.............. I will l...
by anav
Mon Jan 15, 2024 5:49 pm
Forum: General
Topic: Wireguard - access from LAN [SOLVED]
Replies: 4
Views: 815

Re: Wireguard - access from LAN [SOLVED]

I am sorry but I do not understand your setup from the written explanation: Before I look at the config would need to know: It would help if you could state the following a. what are you connecting to using wireguard --> another MT router, a third party vpn provider b. which device is acting as the ...
by anav
Mon Jan 15, 2024 5:45 pm
Forum: Beginner Basics
Topic: How to limit speed for Wireguard Users [SOLVED]
Replies: 6
Views: 2537

Re: How to limit speed for Wireguard Users [SOLVED]

hopefully @rafay will post back with his findings.
Also it would be nice to have a sample of his queue config to help others!!
by anav
Mon Jan 15, 2024 3:50 pm
Forum: General
Topic: Feature requests
Replies: 1711
Views: 617696

Re: Feature requests

Busy cat this morning, check emails ;-P
When you do perhaps give me a hint on how to use sessions windows or why it would be good for me.
by anav
Mon Jan 15, 2024 3:49 pm
Forum: Beginner Basics
Topic: Can you check my router configuration ?
Replies: 2
Views: 525

Re: Can you check my router configuration ?

Awesome first post, great diagram full config and a sense of the requirements. I would recommend reading this article --> https://forum.mikrotik.com/viewtopic.php?t=143620 Create one bridge and assign all vlans to the bridge interface. (exception is the single vlan for WAN attached to etherport inte...
by anav
Mon Jan 15, 2024 3:07 pm
Forum: Beginner Basics
Topic: Route all IP's through Wireguard VPN
Replies: 1
Views: 521

Re: Route all IP's through Wireguard VPN

Hi Shaner, read through the latter part of (7b). THE TRICKY PART - How to get your local traffic into wireguard.
--> viewtopic.php?t=182340
by anav
Mon Jan 15, 2024 3:01 pm
Forum: Beginner Basics
Topic: LACP with SFP+ interfaces
Replies: 2
Views: 570

Re: LACP with SFP+ interfaces

From our South African colleague, recently emigrated to the UK, and soon will be a wanker!!

https://www.youtube.com/watch?v=cJ7NKZj1nu8
by anav
Mon Jan 15, 2024 2:59 pm
Forum: Beginner Basics
Topic: Communication between VLANs [SOLVED]
Replies: 20
Views: 1394

Re: Communication between VLANs [SOLVED]

Glad it's working for you dobnat. When you wish to improve the config, to one bridge and better firewall rules let us know. There is no need for two bridges in most scenarios including your own. Not the most efficient use of the CPU. Also the default firewall rules are very good but agreed they ne...
by anav
Mon Jan 15, 2024 2:47 pm
Forum: General
Topic: User poll about using Winbox
Replies: 91
Views: 38416

Re: User poll about using Winbox

Not a clue, never used it. Seeing as rextended uses it, and he is not the type to phuck around with things that waste his time, it must have value ! If this feature/function can make the user experience with winbox or configurations better, aka easier, more intuitive, faster, less error prone etc.. ...
by anav
Mon Jan 15, 2024 4:51 am
Forum: Beginner Basics
Topic: make user connect to specific ISP
Replies: 1
Views: 468

Re: make user connect to specific ISP

Many questions in the post.
Can you direct a user, group of users, subnet out a specific WAN for internet YES.
Using hotspot, don't know never used it, but I imagine it is possible.
by anav
Mon Jan 15, 2024 1:30 am
Forum: General
Topic: Having trouble setting up WireGuard
Replies: 25
Views: 3487

Re: Having trouble setting up WireGuard

As for the PROTON LINKED ARTICLE LETS REVIEW. ( its been updated since the last time I looked at so good they are trying to keep it current/correct ) PARA1: Correct for any third party VPN you have to download a specific file with your particular parameters. PARA2: Nothing wrong here but on the sour...
by anav
Mon Jan 15, 2024 12:20 am
Forum: General
Topic: Having trouble setting up WireGuard
Replies: 25
Views: 3487

Re: Having trouble setting up WireGuard

Since the instructions provided are dated and not quite spot on, will put a revamped version in the wireguard user article. In the meantime will post it here as well. No leading questions there mate........ I am trying to extract facts and requirements so that a coherent config can be compiled. If y...
by anav
Mon Jan 15, 2024 12:14 am
Forum: General
Topic: Netinstall sending offer, but not installing [SOLVED]
Replies: 30
Views: 24369

Re: Netinstall sending offer, but not installing [SOLVED]

Yup Item f. LOL ( https://forum.mikrotik.com/viewtopic.php?t=182373 ) H. NETINSTALL & PROTECTED ROUTER BOOT MODE (PBRM) NETINSTALL should be used if any security concerns arise OR if your firmware version seems to be acting strangely or the firmware version is really old!! PBRM is mainly activa...
by anav
Sun Jan 14, 2024 8:29 pm
Forum: Beginner Basics
Topic: EoIP
Replies: 19
Views: 1192

Re: EoIP

CONCUR, is there enough electricity in Croatia for that many routers?? Beautiful country I am told, a relative visited recently and loved it. The slight pain in the ass of having to half log into one router to see be able to hit the connect to romon button is well worth it when you see 68 routers sh...
by anav
Sun Jan 14, 2024 8:03 pm
Forum: Beginner Basics
Topic: cAP ac bricked even with netinstall
Replies: 8
Views: 1164

Re: cAP ac bricked even with netinstall

My personal opinion ( being a scaredy cat regarding using capsman ) is that the time to use it is with MULTIPLE Access points that can make use of ROAMING standards only available on AXE3 products. In your case 2 or even 4 is easily managed as they are basically config and forget, they just keep wor...
by anav
Sun Jan 14, 2024 7:56 pm
Forum: General
Topic: Incoming SSH being dropped/delayed on 7.13.1, can you reproduce (easy to try)
Replies: 4
Views: 544

Re: Incoming SSH being dropped/delayed on 7.13.1, can you reproduce (easy to try)

Suggest while waiting, send a supout to tech support.
by anav
Sun Jan 14, 2024 6:20 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2363

Re: DDoS help

jwa if possible some suggestions. a. have a source address list on dst-nat rule so only allowed users can access the ports b. if you have an ARM device, use cloudflare in a docker which allows one to not expose their server ports ( I wish this was in an options package not a container, too much over...
by anav
Sun Jan 14, 2024 6:17 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2363

Re: DDoS help

To avoid any confusion ( between terms with the word loose) M81 is correct.

/ip settings: Should mention RP-filter is best set LOOSE and do NOT recommend checkbox for tcp syn cookies,
/ip firewall: Connection Tab settings (Tracking Button): Do NOT check box for Loose Tracking
by anav
Sun Jan 14, 2024 6:12 pm
Forum: General
Topic: RB5009 directly connected to CRS310 pings timeout
Replies: 6
Views: 1019

Re: RB5009 directly connected to CRS310 pings timeout

Observations: 5009 1. One bridge as per --> https://forum.mikrotik.com/viewtopic.php?t=143620 If you do not want to use the single bridge for vlans and just have the vlan on the port, then simply assign the vlan to the port as you have done and remove bridge and also the bridge port you created for ...
by anav
Sun Jan 14, 2024 4:23 pm
Forum: Beginner Basics
Topic: EoIP
Replies: 19
Views: 1192

Re: EoIP

Basically yes is my impression. I did it just for fun and was tired of looking on a cheat sheet the IP address and Port assigned to natted router, and a remote MT router and through EOIP & Romon I don't need to........... A bit of a lazy approach but if one has many routers/devices not on the di...
by anav
Sun Jan 14, 2024 4:17 pm
Forum: Beginner Basics
Topic: Communication between VLANs [SOLVED]
Replies: 20
Views: 1394

Re: Communication between VLANs [SOLVED]

Mkx, your guesses are pretty damn accurate and annoyingly so ;-), but you make really good points. Appreciate vingifg's enthusiasm but we have had the benefit of years answering questions and attempting to determine the root cause of issues be they: a. poorly worded or total lack of well thought out...
by anav
Sun Jan 14, 2024 2:12 pm
Forum: Beginner Basics
Topic: Communication between VLANs [SOLVED]
Replies: 20
Views: 1394

Re: Communication between VLANs [SOLVED]

If you learn nothing, at least learn, speculating is a waste of time and one needs evidence to make assessments. Guessing may be fun at first but tis tiresome after a few thousand replies.
by anav
Sun Jan 14, 2024 2:48 am
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding

Thats the beauty of zerotier, its free and available for all platforms, so EVERYONE can access your server from anywhere on anything ( as long as they have your permission ). If I recall you need to drag and DROP the package into the left hand main menu selection of Files ( in the file menu popup )....
by anav
Sun Jan 14, 2024 2:44 am
Forum: Beginner Basics
Topic: Which dstIP to use in f/w rule for dstNAT packet? [SOLVED]
Replies: 6
Views: 965

Re: Which dstIP to use in f/w rule for dstNAT packet? [SOLVED]

This is like any consumer router, firewall rules take place after DST-NAT However for the sake of debate, it matters little in the mikrotik setup. We make a blanket rule that simply permits port forwarding and all the details are in the destination nat rule. THERE IS NO NEED FOR ANYTHING ELSE IN FIR...
by anav
Sat Jan 13, 2024 9:13 pm
Forum: Beginner Basics
Topic: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]
Replies: 8
Views: 1137

Re: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]

I believe that he is asking in the case an MT device is being used as a ROUTER, I already noted its only required for management network (network device gets an IP from) for an MT router being used solely as a switch or switch/AP
by anav
Sat Jan 13, 2024 9:12 pm
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding

Running your own game server with a port exposed is a dangerous game, you will be hacked or ddossed for sure. Best bet is cloudflare as that doesnt expose your public IP. Even the zerotier option is good because you control who has access to your server and again public iP not exposed. The cloud opt...
by anav
Sat Jan 13, 2024 8:42 pm
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding

Anyone with a zerotier account on their PC (windows, linux, mac) or smartphone/ipad android or iphone can connect to the server.......... Whats your problem, an inability to do basic research? first hit on google--> https://www.zerotier.com/blog/zerotier-review/ https://blog.fosketts.net/2022/01/14/h...
by anav
Sat Jan 13, 2024 8:19 pm
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding

If you want the device to be accessible 24/7 I would imagine so.
Probably easy to add a script where its only available from time X to time Y
Others are more conversant in zerotier setup..

viewtopic.php?t=195492
viewtopic.php?t=183424
by anav
Sat Jan 13, 2024 8:14 pm
Forum: Beginner Basics
Topic: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]
Replies: 8
Views: 1137

Re: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]

Because this is the official tutorial, those docs are an imposter ;-) --> viewtopic.php?t=143620

Do agree though, the first article only notes tagging bridge for management vlan, which is certainly true for using an MT device not as a router but as switch or switch/AP
by anav
Sat Jan 13, 2024 8:00 pm
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding

If you dont have a public IP, there are some options...... 1. Since you have an ARM device you can create a Wireguard connection. a. if you can forward a port from the upstream ISP router to your router OR b. if not, then can use the new BTH feature (since you have an ARM processor). 2. The above mi...
by anav
Sat Jan 13, 2024 7:22 pm
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding


To do port forwarding, you need a "public IP". See this thread about it: viewtopic.php?t=164825#p810838
Gigabyte asked this MOST PERTINENT question in post #3 and was ignored. Nuff said.
by anav
Sat Jan 13, 2024 6:19 pm
Forum: General
Topic: Firewall-dynamic firewall rules
Replies: 9
Views: 669

Re: Firewall-dynamic firewall rules

Learn away, will move on!
by anav
Sat Jan 13, 2024 5:28 pm
Forum: General
Topic: Firewall-dynamic firewall rules
Replies: 9
Views: 669

Re: Firewall-dynamic firewall rules

The idea of a firewall is to focus on allowed traffic and simply drop all else. The only person(s) that need access to the router ( aka the input chain ) is the admin and a source address list works well. The only viable access method to config the router ( and access all the LANS) is from within th...
by anav
Sat Jan 13, 2024 5:27 pm
Forum: Beginner Basics
Topic: EOIP over Wireguard (For RoMon purposes only) [SOLVED]
Replies: 33
Views: 3688

Re: EOIP over Wireguard (For RoMon purposes only) [SOLVED]

holvoe, you doth create more work than necessary LOL.
Got it, will try creating EOIP on switch and capac to see if they show up as well..........
by anav
Sat Jan 13, 2024 5:25 pm
Forum: Beginner Basics
Topic: Remote acces to webinterface
Replies: 10
Views: 1134

Re: Remote acces to webinterface

Access to a server via port forwarding ( and wanip ) is the normal way.
Access to winbox or the router directly from the WANIP is just plain dumb.
Should only be accessed after entering the router securely via VPN, wireguard, L2TP ipsec, Ovpn etc......
by anav
Sat Jan 13, 2024 3:01 pm
Forum: Beginner Basics
Topic: EOIP over Wireguard (For RoMon purposes only) [SOLVED]
Replies: 33
Views: 3688

Re: EOIP over Wireguard (For RoMon purposes only) [SOLVED]

Okay I think I have EOIP setup not sure if its working but I see traffic pings on the direction natted RB450G to the CCR but not the reverse. Doesnt make sense for both to have a keep alive?? Enabled romon, no ID, no password. On new winbox hit the romon box and NOTHING.............. Okay it was me ...
by anav
Sat Jan 13, 2024 2:19 pm
Forum: Beginner Basics
Topic: Vlan Switch to a single router
Replies: 2
Views: 614

Re: Vlan Switch to a single router

Setting an MT router device as a switch.
viewtopic.php?t=182276
by anav
Sat Jan 13, 2024 2:18 pm
Forum: General
Topic: Mikrotik Hex-S + TP-Link Deco m4 Access Point not working.
Replies: 7
Views: 650

Re: Mikrotik Hex-S + TP-Link Deco m4 Access Point not working.

As well as answering the above questions, please post full config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
by anav
Sat Jan 13, 2024 5:12 am
Forum: General
Topic: Unable to Connect over Port 9001
Replies: 3
Views: 493

Re: Unable to Connect over Port 9001

Good day. Observations: 1. The address of your subnet is incorrectly assigned. From: /ip address add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 TO: /ip address add address=192.168.1.1/24 interface=bridge-LAN network=192.168.1.0 2. Simplify firewall! First make this address list /i...
by anav
Sat Jan 13, 2024 4:53 am
Forum: General
Topic: New Router
Replies: 8
Views: 865

Re: New Router

Just to be clear and to amplify Normis, comment, my suggestion of ax3 was not for its wifi but for its throughput RAM, CPU etc....
Its pretty decent for a home router, but since we dont know the 'load' on the system the suggestion of the 5009 may be more appropriate
by anav
Sat Jan 13, 2024 4:49 am
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding

Thanks AMMO, zing above my head but sounds like good info. PS> I thought 7.13.1 was the current latest stable version?
by anav
Sat Jan 13, 2024 4:47 am
Forum: Beginner Basics
Topic: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)
Replies: 14
Views: 1547

Re: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)

What you should note is that everyone has access to the input chain that is on the LAN. For you that is fine but later you should only allow Admins full access to the router and everyone else actually only needs access for router services, typically only DNS So what we do is make a firewall address ...
by anav
Sat Jan 13, 2024 4:39 am
Forum: Beginner Basics
Topic: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)
Replies: 14
Views: 1547

Re: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)

/ip firewall filter { Input Chain } {default rules to keep} add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid a...
by anav
Sat Jan 13, 2024 1:55 am
Forum: Beginner Basics
Topic: Two different isp
Replies: 3
Views: 633

Re: Two different isp

You have two choices, small list of users, easier to use routing rules or in the case of a whole subnet.
If its a large list ( but not a subnet ) best to use mangling.

So regardless which choice you make you will also need to
add a table
add an IP route
by anav
Sat Jan 13, 2024 1:50 am
Forum: Beginner Basics
Topic: port forwarding
Replies: 61
Views: 3939

Re: port forwarding

I think the issue is you kept all your old rules instead of replacing them so you have both which is worse LOL.
It demonstrates you dont understand how the firewall works or what each rule does.
by anav
Fri Jan 12, 2024 5:39 pm
Forum: Beginner Basics
Topic: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)
Replies: 14
Views: 1547

Re: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)

Observations: RB5009 Where is the WAN information?? 1. DHCP SERVER-NETWORK PROBLEM: From: /ip dhcp-server network add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24 TO: /ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 2. Your Firew...
by anav
Fri Jan 12, 2024 4:39 pm
Forum: General
Topic: Unable to Connect over Port 9001
Replies: 3
Views: 493

Re: Unable to Connect over Port 9001

Since you know the problem area, why ask?? Why else would you ONLY provide the firewall rules??? If you do not then post complete config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) Q1. Do you get a public IP Q2. Is it static or dynamic Q3. Is th...
by anav
Fri Jan 12, 2024 4:35 pm
Forum: General
Topic: Trying to use VLANs & L3 HW offload
Replies: 12
Views: 1702

Re: Trying to use VLANs & L3 HW offload

Why did you buy a switch for the purpose of using it as a router? The throughput will not be very high on the routing side......... https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading...
by anav
Fri Jan 12, 2024 4:30 pm
Forum: Beginner Basics
Topic: EOIP over Wireguard (For RoMon purposes only) [SOLVED]
Replies: 33
Views: 3688

Re: EOIP over Wireguard (For RoMon purposes only) [SOLVED]

I am hoping to get time this weekend. Nothing as extravagant, just Main Router to natted router and if successful will do wireguard to remote router next.
by anav
Fri Jan 12, 2024 3:23 pm
Forum: Beginner Basics
Topic: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)
Replies: 14
Views: 1547

Re: Wireguard - roadwarrior configuration following guide (no internet or LAN connection)

This forum is for useful articles NOT ISSUES, please repost this in either the BEGINNER or GENERAL forum. I will answer your questions there.
by anav
Fri Jan 12, 2024 2:11 pm
Forum: General
Topic: Connection through WireGuard for a list of users [SOLVED]
Replies: 2
Views: 567

Re: Connection through WireGuard for a list of users [SOLVED]

Would need to see full config on MT
/export file=anynameyouwish ( minus router serial number, public wanip information, keys etc )
by anav
Fri Jan 12, 2024 2:10 pm
Forum: General
Topic: AWS instance running WireGuard from hEX S router fails
Replies: 0
Views: 531

Re: AWS instance running WireGuard from hEX S router fails

Which device is acting as server for handshake?

Would need to see the wireguard settings for AWS
Also full config of MT router
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc. )
by anav
Fri Jan 12, 2024 2:07 pm
Forum: General
Topic: New Router
Replies: 8
Views: 865

Re: New Router

The L1009 radio only provides 2.4ghz wifi and its throughput is very limited.
Its a very sexy looking router, so if you want arm candy its good, for many practical reasons avoid!!

The correct replacement is the RB5009.
If your budget does not permit this then look at the hapax3
by anav
Fri Jan 12, 2024 12:55 am
Forum: General
Topic: RouterOS v7 where are the features going?
Replies: 1
Views: 401

Re: RouterOS v7 where are the features going?

They have not removed any functionality that I am aware of.

https://help.mikrotik.com/docs/display/ROS/User+Manager

To figure out which wifi package you should be using: viewtopic.php?p=1047250#p1043068
https://help.mikrotik.com/docs/display/ROS/Wireless
by anav
Thu Jan 11, 2024 10:17 pm
Forum: General
Topic: dst-nat port forwarding not working
Replies: 8
Views: 1134

Re: dst-nat port forwarding not working

Without a detailed diagram including the switch I am lost........
by anav
Thu Jan 11, 2024 7:12 pm
Forum: Beginner Basics
Topic: hEx not routing between hosts in same lan [SOLVED]
Replies: 18
Views: 1666

Re: hEx not routing between hosts in same lan [SOLVED]

Why needed if you use vlans to separate networks?
In what case would you need to separate 2.4ghz users from 5 ghz users on the same VLAN???
by anav
Thu Jan 11, 2024 7:10 pm
Forum: General
Topic: VLAN Setup Please Help [SOLVED]
Replies: 5
Views: 644

Re: VLAN Setup Please Help [SOLVED]

Once you have your bridge and vlans, the firewall rules are easy..... For example.......... ONE ONLY HAS TO ADD ALLOW RULES HERE ***************************** Everything else will be dropped automatically by the last rule. Order is important within a chain!! Organized sets of chains, make reading an...
by anav
Thu Jan 11, 2024 6:17 pm
Forum: Beginner Basics
Topic: Forward traffic from 1 DHCP client interface to another IP [SOLVED]
Replies: 12
Views: 1045

Re: Forward traffic from 1 DHCP client interface to another IP [SOLVED]

That part was clear, try answering the other questions because right now your config makes zero sense and there is no context
by anav
Thu Jan 11, 2024 6:15 pm
Forum: General
Topic: VLAN Setup Please Help [SOLVED]
Replies: 5
Views: 644

Re: VLAN Setup Please Help [SOLVED]

One bridge and the link provided get you 90% there.
by anav
Thu Jan 11, 2024 6:09 pm
Forum: Beginner Basics
Topic: Forward traffic from 1 DHCP client interface to another IP [SOLVED]
Replies: 12
Views: 1045

Re: Forward traffic from 1 DHCP client interface to another IP [SOLVED]

Correct, It is not clear at all.
Is the hex a router or a switch
Are the two networks connected to the internet and if so HOW?
by anav
Thu Jan 11, 2024 5:38 pm
Forum: Beginner Basics
Topic: Forward traffic from 1 DHCP client interface to another IP [SOLVED]
Replies: 12
Views: 1045

Re: Forward traffic from 1 DHCP client interface to another IP [SOLVED]

Your setup makes no sense to me. Are you sure that you are getting WAN from the two networks??
Makes me think, the hex is simply a switch and not a router, or the config is completely nonsensical............... ?>??

Where is the WAN input??
by anav
Thu Jan 11, 2024 5:32 pm
Forum: General
Topic: v7 to 6 any chance to downgrade?
Replies: 27
Views: 4539

Re: v7 to 6 any chance to downgrade?

rextended is correct and Normands/MT are lazy and incompetent. Even TP LINK has different firmware for different hardware versions.
by anav
Thu Jan 11, 2024 4:07 pm
Forum: Beginner Basics
Topic: hEx not routing between hosts in same lan [SOLVED]
Replies: 18
Views: 1666

Re: hEx not routing between hosts in same lan [SOLVED]

So what does horizon value do or not do.... whilst waiting for OP response :-)
by anav
Thu Jan 11, 2024 3:42 pm
Forum: General
Topic: MUM plans for 2023?
Replies: 52
Views: 8589

Re: MUM plans for 2023?

I will start buying lottery tickets.......
by anav
Thu Jan 11, 2024 3:39 pm
Forum: General
Topic: MikroTik forum - http error 500
Replies: 7
Views: 835

Re: MikroTik forum - http error 500

Yesterday indeed it was a pita............ They must have hooked up an hapac lite as their main weblink to the internet ;-P
by anav
Thu Jan 11, 2024 3:38 pm
Forum: Beginner Basics
Topic: Downgrade hAP AX3 from 7.13 to 7.12.1 fail
Replies: 7
Views: 1121

Re: Downgrade hAP AX3 from 7.13 to 7.12.1 fail

There is no going back. You cannot change the past, look forward!
More to the point, what is the reason for going back from 7.13 to 7.12.1
You should consider going to 7.13.1 instead.
by anav
Thu Jan 11, 2024 3:36 pm
Forum: Beginner Basics
Topic: hEx not routing between hosts in same lan [SOLVED]
Replies: 18
Views: 1666

Re: hEx not routing between hosts in same lan [SOLVED]

That would be an EDGE case jajajajaja, I don't think the OP has gone out of his way with fancy configuration modifications not exactly mainstream knowledge, to sabotage his own connectivity.
by anav
Thu Jan 11, 2024 3:34 pm
Forum: Beginner Basics
Topic: Need guidance to configure router hAp ax2
Replies: 1
Views: 519

Re: Need guidance to configure router hAp ax2

1. Use safe mode when configuring 2. Use a port (take it off the bridge ) to do the initial configuring much easier. 3. Use one bridge and vlans 4. Dont use Capsman just because its available, if you introduce other MT wifi access points later consider it then. 2 -->https://forum.mikrotik.com/viewto...
by anav
Thu Jan 11, 2024 3:31 pm
Forum: Beginner Basics
Topic: Microtik RB750gr3 and VPN without public IP address
Replies: 2
Views: 604

Re: Microtik RB750gr3 and VPN without public IP address

The new BTH is a perfect fit. Another option is zerotier.
by anav
Thu Jan 11, 2024 3:28 pm
Forum: Beginner Basics
Topic: Forward traffic from 1 DHCP client interface to another IP [SOLVED]
Replies: 12
Views: 1045

Re: Forward traffic from 1 DHCP client interface to another IP [SOLVED]

I would need to see the complete config to ensure accuracy but the only thing required is a firewall forward chain rule. add action=accept chain=forward dst-address=SERVERip dst-port=XXXXX protocol=yyy src-address-list=ServerUsers /ip firewall address-list add address=IP1 list=ServerUsers add add...
by anav
Thu Jan 11, 2024 3:24 pm
Forum: Beginner Basics
Topic: hEx not routing between hosts in same lan [SOLVED]
Replies: 18
Views: 1666

Re: hEx not routing between hosts in same lan [SOLVED]

You are correct, all on the same subnet on the same bridge. The only reason they cannot find each other would be due to firewalls on each PC.
To confirm, post your complete config
/export file=anynamewyouwant ( minus router serial number and any public WANIP information )
by anav
Thu Jan 11, 2024 1:58 pm
Forum: General
Topic: Wireguard Peers can't access IPs on VLANs
Replies: 32
Views: 3108

Re: Wireguard Peers can't access IPs on VLANs

If you have a pi server on .8 and .9, the pi server still requires access to DNS services so just add those addresses then to the input chain vice in-interface-list=LAN. TO: add action=accept chain=input comment="NTP queries-UDP" dst-port=123 in-interface-list=LAN protocol=udp add action=a...
by anav
Thu Jan 11, 2024 1:46 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2363

Re: DDoS help

Sounds like shooting oneself in the foot.......
by anav
Thu Jan 11, 2024 1:44 pm
Forum: Beginner Basics
Topic: Firewall Rules maybe affecting Whatsapp
Replies: 3
Views: 987

Re: Firewall Rules maybe affecting Whatsapp

Not true. I use whats app on my home wifi without any special settings for it. The mikrotik router is not app centric ( cannot block solely apps ) Your firewall rules are a bloated mess and probably have something to do with the issues. However, one needs to see the full config to assess what the fi...
by anav
Thu Jan 11, 2024 1:25 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2363

Re: DDoS help

If truly DDOS then its the responsibility of your ISP and their upstream providers to counter an attack.
Your router is not equipped to do so.
by anav
Thu Jan 11, 2024 2:34 am
Forum: Beginner Basics
Topic: Difficulty Configuring Port Forwarding on RouterOS for Website Hosting
Replies: 2
Views: 574

Re: Difficulty Configuring Port Forwarding on RouterOS for Website Hosting

A couple of pointers on the last post. 1. The dst-nat rule does not require dst-address-type=local . 2 The general hairpin nat rule that will cover all servers in a subnet, or if just one............ one rule. add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address= Local.Serv...
by anav
Thu Jan 11, 2024 2:29 am
Forum: Beginner Basics
Topic: Wireguard vpn
Replies: 2
Views: 573

Re: Wireguard vpn

Two ways, use of routing rules or use of mangles,
Either way you will need to add a table and an IP route.
by anav
Thu Jan 11, 2024 2:28 am
Forum: Beginner Basics
Topic: EOIP over Wireguard (For RoMon purposes only) [SOLVED]
Replies: 33
Views: 3688

Re: EOIP over Wireguard (For RoMon purposes only) [SOLVED]

Yes, gre is set as protocol. On remote router i left src address. I was lazy...
Showing the config or pertinent parts thereof would be nice!
by anav
Wed Jan 10, 2024 6:54 pm
Forum: Beginner Basics
Topic: EOIP over Wireguard (For RoMon purposes only) [SOLVED]
Replies: 33
Views: 3688

Re: EOIP over Wireguard (For RoMon purposes only) [SOLVED]

Do you set GRE protocol or not?
by anav
Wed Jan 10, 2024 6:48 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 285
Views: 204544

Re: NEW FEATURE: Back to Home VPN

Being of the drop all ilk at end of chains, I would prefer forward accept source-address=list=xxx out-interface-list=WAN disabled forward accept source-address-list=xxx out-interface-list=LAN disabled and let the admin decide if the users need one or the other or both. one could argue EQUALLY that p...
by anav
Wed Jan 10, 2024 6:36 pm
Forum: General
Topic: Wireguard Peers can't access IPs on VLANs
Replies: 32
Views: 3108

Re: Wireguard Peers can't access IPs on VLANs

To RECAP. Hex is a router behind an upstream Router. The WAN IP for the hex is also its LANIP on the main subnet on the upstream router. The upstream router also has a guest subnet. The main subnet comes in on ether5 and we tag it with vlan200 The guest subnet comes in on ether2 and we tag it with v...
by anav
Wed Jan 10, 2024 4:15 pm
Forum: General
Topic: Wireguard Peers can't access IPs on VLANs
Replies: 32
Views: 3108

Re: Wireguard Peers can't access IPs on VLANs

Okay, great feedback, not sure whats going on between hex and CHR......... but lets stick with hex reality.

Quick question. What IP addresses do the switches get ( from 900 vlan [( aka hex ) , or 200 vlan ( aka upstream router lan )] ??
by anav
Wed Jan 10, 2024 3:41 pm
Forum: General
Topic: Wireguard Peers can't access IPs on VLANs
Replies: 32
Views: 3108

Re: Wireguard Peers can't access IPs on VLANs

The CHR has no LAN subnets may be the case?? The first rule allows all users coming in on wireguard to access all interfaces (subnets) listed in LAN. You may wish to provide limitations as to which subnets they have access to, or which wireguard users can access all subnets or even further which sub...
by anav
Wed Jan 10, 2024 1:58 pm
Forum: Beginner Basics
Topic: cAP ac bricked even with netinstall
Replies: 8
Views: 1164

Re: cAP ac bricked even with netinstall

Have a read of para H. for ideas. --> viewtopic.php?p=906567#p906567
by anav
Wed Jan 10, 2024 12:57 pm
Forum: General
Topic: Looking for a router for 10 Gigabit
Replies: 1
Views: 474

Re: Looking for a router for 10 Gigabit

2116 seems to have the specs you need.
by anav
Tue Jan 09, 2024 9:18 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 285
Views: 204544

Re: NEW FEATURE: Back to Home VPN

a. Why does the BTH config on the MT create a firewall rule blocking remote client to local LAN interface? Mine is empty. Not sure how the "back-to-home-lan-restricted-peers" address-list in firewall gets populated actually. So rule does nothing in my case. b. Why does the BTH config on t...
by anav
Tue Jan 09, 2024 8:42 pm
Forum: General
Topic: Forward WAN port to another subnet/router LAN [SOLVED]
Replies: 8
Views: 1665

Re: Forward WAN port to another subnet/router LAN [SOLVED]

Connecting via WG to remote?
Too much missing info.
Post full configs on both routers
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)
by anav
Tue Jan 09, 2024 8:40 pm
Forum: General
Topic: dst-nat port forwarding not working
Replies: 8
Views: 1134

Re: dst-nat port forwarding not working

Okay, so this is all good information to know prior to looking at the config. The config is a story and the story is starting to make sense. Will have a relook at the config with a more informed context. :-) To be clear, a. do you get two public IPs from your ISP provider and sending one to Other lo...
by anav
Tue Jan 09, 2024 8:38 pm
Forum: General
Topic: Wi‑Fi 7 / 802.11be
Replies: 25
Views: 8431

Re: Wi‑Fi 7 / 802.11be

Only when I get my wifi7 smartphone which is what vendors should be aiming for in the home market.
by anav
Tue Jan 09, 2024 8:35 pm
Forum: Beginner Basics
Topic: RB5009 switch ACL ports=switch1-cpu not filtering
Replies: 13
Views: 3082

Re: RB5009 switch ACL ports=switch1-cpu not filtering

Fair enough, good thing my internet traffic is clean and doesn't need extra filtering ;-)
Hopefully someone else will pop-in.
by anav
Tue Jan 09, 2024 8:33 pm
Forum: Beginner Basics
Topic: EOIP over Wireguard (For RoMon purposes only) [SOLVED]
Replies: 33
Views: 3688

Re: EOIP over Wireguard (For RoMon purposes only) [SOLVED]

You need two reachable ip addresses on both devices. They need to see each other, as a matter of speaking. But you got it all backwards. You may want to start with describing user requirements, drawing of your network setup and export of all related devices :lol: Glad to see the brainwashing is wor...
by anav
Tue Jan 09, 2024 7:33 pm
Forum: Beginner Basics
Topic: EOIP over Wireguard (For RoMon purposes only) [SOLVED]
Replies: 33
Views: 3688

Re: EOIP over Wireguard (For RoMon purposes only) [SOLVED]

Sweet, I will be adding a remote RB4011 via WG to a ROMON list next week. For now, I want to try it locally. I have an RB450G attached to my main router but natted and it doesnt show up on my winbox list and I would like it to!!! No wg just Main ROUTER LAN to RB450G with local LAN address also the W...
by anav
Tue Jan 09, 2024 7:28 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 285
Views: 204544

Re: NEW FEATURE: Back to Home VPN

Now someone is finally providing useful information with which to discuss further. a. Why does the BTH config on the MT create a firewall rule blocking remote client to local LAN interface? b. Why does the BTH config on the MT create an input chain rule - because the router is still responsible for ...
by anav
Tue Jan 09, 2024 6:59 pm
Forum: General
Topic: dst-nat port forwarding not working
Replies: 8
Views: 1134

Re: dst-nat port forwarding not working

How are you having users connect to the device on vlan10? Direct LANIP address or some sort of DYNDNS name/url? Are users coming in Primary WAN1 or Secondary WAN2 ?? MANY MAJOR ISSUES: 1. Only two of the vlans have full networks, not sure what your expectations are for vlans 88 and 100 (where are th...
by anav
Tue Jan 09, 2024 6:21 pm
Forum: General
Topic: Wi‑Fi 7 / 802.11be
Replies: 25
Views: 8431

Re: Wi‑Fi 7 / 802.11be

Just put it down as a business loss, sending you postage to send to my location. :-) Its not something I would consider funny. https://forum.mikrotik.com/viewtopic.php?t=160561&start=300 I read the thread, couldnt find one single mention of supout report let alone the 100s I expected to see. Al...
by anav
Tue Jan 09, 2024 6:20 pm
Forum: General
Topic: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8
Replies: 425
Views: 118444

Re: CRS354-48P-4S+2Q+ traffic problem on ports 1 to 8

Hard to have sympathy reading this thread as Rextended alluded to ........ where are the 1000s supout reports..........???
by anav
Tue Jan 09, 2024 6:11 pm
Forum: Beginner Basics
Topic: Test VLAN isolation using InterVLAN Routing by Bridge
Replies: 2
Views: 853

Re: Test VLAN isolation using InterVLAN Routing by Bridge

Firstly a better and original source for that documentation is found here..... https://forum.mikrotik.com/viewtopic.php?t=143620 Where you will find its best not to use vlan1 for data vlans. Also that when you change to using vlans on the bridge its wiser to go all vlans and have the bridge just do ...
by anav
Tue Jan 09, 2024 5:54 pm
Forum: Beginner Basics
Topic: RB5009 switch ACL ports=switch1-cpu not filtering
Replies: 13
Views: 3082

Re: RB5009 switch ACL ports=switch1-cpu not filtering

I dont follow.
So your configuration is based on fear and not facts??

What leakage are you talking about??
If I have a WAN or two, and a LAN with one flat subnet or multiple vlans in subnets.


YOU DECIDE in firewall rules (L3) where traffic is allowed to go.

?????????
by anav
Tue Jan 09, 2024 5:52 pm
Forum: General
Topic: Wi‑Fi 7 / 802.11be
Replies: 25
Views: 8431

Re: Wi‑Fi 7 / 802.11be

Just put it down as a business loss, sending you postage to send to my location. :-)
by anav
Tue Jan 09, 2024 5:47 pm
Forum: General
Topic: Wireguard Peers can't access IPs on VLANs
Replies: 32
Views: 3108

Re: Wireguard Peers can't access IPs on VLANs

Good point, my bad, that rule got left out for some reason and I didnt notice. Its a standard default rule that should always be there, good pickup!
Added to the above to ensure accuracy.
by anav
Tue Jan 09, 2024 5:42 pm
Forum: General
Topic: Wireguard and WAN Interfaces
Replies: 3
Views: 903

Re: Wireguard and WAN Interfaces

Sounds like an infestation of bloated firewall rules, which always cause unforeseen issues, especially by the copy whatever they see on youtube videos disease.
by anav
Tue Jan 09, 2024 3:12 pm
Forum: Beginner Basics
Topic: RB5009 switch ACL ports=switch1-cpu not filtering
Replies: 13
Views: 3082

Re: RB5009 switch ACL ports=switch1-cpu not filtering

Ahh okay, you are talking switches, I thought this was a Router discussion.
Thus far you are talking gibberish, please give a practical example of what traffic you wish to flow through the ports or not flow through the ports.