MikroTik

anav

There is also ATL LTE18 KIT ?

anav

An accurate description of context is always appreciated from the get go!!

anav

Dont understand your diagram, and dont even know which devices you have....... If you are going to provide config /export file=anynameyouwish ( minus router serial number, any publicWANIP information, keys ) You have a trunk port to an AP in the garage which model of AP You dont show a trunk to a sw...

anav

If you keep changing the requirements and questions of course the answers will change. The original question was about load balancing the use of the WANs NOT external users access to the LANs or to the routers for config. Vague request beget general answers. Well detailed articulated requirements be...

anav

... just to change de cpu speed, i need to visit all the country for do that.

Consider yourself lucky. France is not so big. Imagine @anav visiting e.g. Whitehorse suburbs to change cpu speed

Nothing a trained cat cannot salvage.
Just hire mkx

......

mkxyes.jpg

anav

Objective still not fulfilled LARSA, the response from the secondary WAN will still have a source IP of the secondary WAN.

anav

If there is a computer in House 1 it would be easiest to use something like TeamViewer to get remote access to the computer, from where you can configure the RB5009 using Winbox.

See post #21 --> Or use anydesk behind a PC that can reach the config.

anav

Take a screenshot?

anav

If your complaining about you run your support business, wont get much sympathy from here.
There are tools within RoS to accomplish much and if not so technically astute sign up for something like this......... https://admiralplatform.com/

anav

So you dont want to use the throughput of the secondary WAN at all?
Just the primary router......... is that becasue the secondary WAN is of little throughput?

If the primary goes down, then you will have to use the second WAN, and it will not be possible to hide this fact.

anav

Are you saying you get 9 WANIP addresses from a single provider?
Are you saying the gateway for all 9 is the same?

Why do some have ip address starting with 92.x and some have 88.y ??

PS. wireguard is not an interface that gets a pool, no dhcp etc..

anav

Your funeral to go off on tangents, and no bridge filters are for advanced users only, I dont touch them being an intermediate user.
Quickset should have been name quicksand

anav

What model of access points? The config is basically default so there should be no difference between wired or wifi clients based on the config.
So the issue is a the AP side............

anav

Can your ISP router even do vlans?

anav

Or string two soup cans together and shoot one over to the remote location and get a person at that end to put it near the MT device.
Or use anydesk behind a PC that can reach the config.

anav

Mimiko, I call BS, you didnt originate the thread, popped in to complain, and have not provided the configs of your devices......
/export file=anynameyouwish ( minus router serial number, any public WANIP information,keys)

anav

ECMP is perfectly fine to use for dual or more wans. Its the least complicated approach. With version 7 firmware it should be the first go to approach.
Mangling and PCC come into play for more complex user needs or if the admin has wan throughputs that are wildly dissimilar

anav

Guidance provided based on your answer above!!
You have lots to learn prior to trying to remotely configuring a 5009.
If you are truly DYI then get GNS3 or EVE-NG and setup a lab type setting where you can practice learning about RoS.

anav

Have you ever used Mikrotik and configured it before?
No

https://mikrotik.com/consultants

anav

something wrong with the ignition coil no doubt. ;-) I will have a look at the config. This if for L1009 with wifi, since its the only config provided. 1. REMOVE bridge from interface list! It is no longer required as it is the vlans that need to be identified as members. add interface=bridge_router...

anav

If you can port forward then you can host wireguard which you will need to do. AirVPN and other types of VPN are NOT for connecting to Air VPN and then to your home router. They are of the type of VPN service that simply provides internet out a different location/country, by either users on the rout...

anav

More importantly can some one wifi expertise please help the OP. Geez!!

anav

I believe AX covers all, in other words it defaults and covers off whatever signal comes in and is thus equivalent to ALL Not really sure, but I also believe that whatever signal is processed then that is the lowest commen denominator. AKA if our processing B, then all other connections after will c...

anav

I use winbox all the time from PC behind my router to reach distant devices. If you need to connect to devices behind the router, then type in their applicable IP address, in this case its management IP address. Once connected to the 5009 over wireguard try this ( critical first step ) For example t...

anav

ECMP on MT not to be confused with EMP LOL

anav

Typical AP setup will assume 99 is management vlan, 10 is home 20 is guest wifi and 30 is IOT wifi, and ether2 is a wired port for home user. /interface bridge add ingress-filtering=no name=bridgegym port-cost-mode=short vlan-filtering=yes /interface ethernet set [ find default-name=ether5 ] name=Of...

anav

When working with vlans and bridge the best approach is take one port Off the Bridge and do all the configuring from this safe spot. The best thing you can do is take one port off the bridge and do your config from there, a safe spot. 1. Take ether5off the bridge at /interface bridge port 2. Make th...

anav

I do not know with any certainty but I would think that having all devices on the same version of firmware will be helpful. I am not a capsman guy but to get your RB2011 and 6 APs working, I can provide assistance without capsman to at least get you to a working config. While you have that, suggest ...

anav

My first instinct was correct still have my lama sense workin. /file=anynameyouwish ( minus router serial number, any public WANIP information, keys ). Answer is the same, it will work if you configure it properly. The problem is you have not provided the FACTS, or EVIDENCE with which folks here can...

anav

Yup, hair turned grey, or loss of hair, skin aged, and suddenly it works. to bad the OP has no clue why, nothing learned. caps SUCKETH the big bone.

anav

The best thing you can do is take one port off the bridge and do your config from there, a safe spot. 1. Take ether5 off the bridge at /interface bridge port 2. Make the following additions/mods /interface ethernet set [ find default-name=ether5] comment=OffBridge5 /interface list member add interfa...

anav

Thats nice, and how do you suppose we are supposed to assist without seeing what you have done on the config to cause this?? Im assuming you at least created a wifi profile for wifi1 or wifi2 such that a master would exist. /export file=anynameyouwish (minus router serial number, any public WANIP in...

anav

Good to hear, others prefer insanity, greying of hair and hair loss, to get capsman going. Is it worth it, not to me!

anav

As for your switch which port on the 5009 goes to the switch........ SAME ISSUE for discover,... WRONG /tool mac-server set allowed-interface-list= MGMT /tool mac-server mac-winbox set allowed-interface-list= none /tool mac-server set allowed-interface-list= none /tool mac-server mac -winbox set all...

anav

Not sure what you mean.......... You have this on the config, which is a good start. /ip neighbor discovery-settings set discover-interface-list=MGMT BUT THE ERROR comes later. You reversed the settings /tool mac-server set allowed-interface-list= MGMT /tool mac-server mac-winbox set allowed-interfa...

anav

No PCC is for load balancing multiple WAN connections for: a. the purpose of redundancy so that if one ISP goes down you have a backup ( clearly not useful if all the WANs come from the same provider ) b. to provide a greater overall bandwidth to share with users, so there are less bottlenecks in tr...

anav

Without seeing your config, hard to see what you have done??
Assuming you have a public WANIP or you can forward ports from an ISP router that has a public IP??

anav

Another reason to avoid anything cap like the plague.

anav

Draw a diagram because you seem to want opposed uses. Wireguard to a third party server Wireguard to home. Which is it or both? ++++++++++++++ It sounds like you need two wireguard interfaces one for third party and one for home. Do you have a public IP address or can you forward ports from an ISP r...

anav

Easy Peasy now that I have facts to work with! :-) /interface list member add interface=ether7 list=WAN add interface=PRIVATE_VLAN list=VLAN add interface=GUEST_VLAN list=VLAN add interface=IOT_VLAN list=VLAN add interface=SECURITY_VLAN list=VLAN add interface=MGMT_VLAN list=VLAN add interface=MGMT_...

anav

Then add access to the management vlan.
add action=accept chain=forward comment="remote admin to trusted vlan" in-interface=BTHWireguard out-interface=vlan-mgmt

anav

Well the way it works is you enable BTH on the router. Take the first created user and install that on your smart phone, any other users have to be created on the smartphone as well. You will need to go to the router at your parents place allows the subnet of wireguard access on the input chain add ...

anav

There is a responder checkbox in winbox I think, try checking that, and see if the issue persists.
.........

Screenshot 2025-03-29 212138.png

anav

Look at zerotier to share gaming server............

anav

The arubas will need to be setup with vlans. They should get their IP address on the VLAN99

anav

So theree switches means three trunk ports BUT................. The unifi expects the trusted or managament vlan untagged and the data vlans tagged. If they are consistent in setup. I'm assuming the arubas are more standard switches. What are the AP types?? /interface bridge port add bridge=bridge1 ...

anav

I dont use capsman because its too difficult and a headache for me. I use what works. Capsman is better if you do it successfully as it allows for better handoff between APs, I could care less in my own house. This will get you setup and working, and then you can implement capsman and whatever else ...

anav

Well the VPS aka a CHR in a cloud is about $6 a month to rent plus the CHR license and use Wireguard VPN, and is a great way to do what you want to do without third party servers. Preferred option 4 You could do it right now with VPN WIREGUARD BTH depending upon what router you bought your parents a...

anav

I have an ax3
Total memory 1024 MiB
Avail Free memory: 651.2 MiB

Meaning used memory is 373.

I do not use any logging or at least minimize it if all possible.
Do not expect the ax3 to be any zippier, unless your holvoe, the rest of us mere mortals get around what you are getting.

anav

Even more pertinent in Basic but based on your lack of experience on the forum ( clearly IT trained and more knowledgeable than I will ever be ) I disagree.

anav

CAPAC, same concept using offbridge on etherport 2. ALso I always wire the capac on ether2 to a spot where I can at least plug in a laptop, could be a closet etc...... emerg config when the capac is very hard to reach etc. Where you set the cap address statically to 192.168.1.xx .......................

anav

Why are you using the capax as a router. All the router stuff should be done on the chateau and the capax as an ap/switch ?? If this is the chateaux then.............. concur the simple approach works and should be the starting point...... Will stick to one trusted vlan and one untrusted vlan. Note ...

anav

1. Adjusted as required. add name=bridge1 port-cost-mode=short vlan-filtering=yes { add the YES as last rule change) /interface ethernet set [ find default-name=ether8 ] name=OffBridge8 /interface vlan add interface=bridge1 name=BASE_VLAN vlan-id=99 add comment="Guest VLAN" interface=bridg...

anav

Before you apply anything one must understand the purpose of the chains. Input chain is traffic TO the router, so to router services. None of your servers behind the router and on the LAN have anything to do with router services and thus seeing their rules in the input chain is ridonkulous. So from ...

anav

That is weird behaviour, perhaps the power cord or supply is wonky? Cables wonky? or maybe the router is toasted??
Suggest try netsinstall as well.

anav

I think mkx said it best in poetry, just make your config look like mine and all will be happy.

What we need, no joke, is for new users to be educated prior to making their first posting, and a sandbox where posts can be reviewed prior to posting live.

anav

Haha,
My answer to your question is simple, Welcome to Canada, South BC ( formerly North Idaho ).

I see what your getting at, try to merge SwoS simplicity within RoS for vlans.
I like the concept.

PS. Working on my Teeter Accent, in case things go awry.

anav

I wouldnt know eltikpad, I have never had to resort to putting an address on the bridge while using vlans. I prefer clean separation of bridge from DHCP etc, once I start using vlans.

anav

Two recommendations
a. take one port off the bridge and safely do all configuration from this port
b. go all vlans, remove bridge from dhcp etc, and simple move this subnet to another vlan.

Willing to go this route let me know.

anav

Tom, these engineers are not all that resourceful, they never came here for help! ;-) I do know that Mikrotik has been making advancements in the automation of setting up vlans on multiple connected devices and automations on interface lists etc...... But nothing towards what you are looking at ... ...

anav

If you dont post the complete config I dont bother looking.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys, long dchp lease lists )

anav

Sorry sippan, what is BS is false hope and promises.
If you are unable to inspect encrypted traffic, then do pray tell what effing magic do you use........

anav

Why do you think that the firewall is where the problem is...............

anav

viewtopic.php?t=143620

anav

Probably neither you need an expensive router add then pay for subscription services to handle DPI etc.........

anav

Your request is not clear.
Do you host a wireguard server on your router or are you connecting to a 3rd party server for example.
What are the use cases for wireguard, who uses it and for what purposes.

anav

For me its clear enough, /interface bridge ports and /interface bridge vlans tells a story, the combination informs the router ( and the reader ) how to distribute subnets on the device. Nothing hidden all up front. The two groups of settings cross-check each other for a consistent story. Really the...

anav

Doesnt show up in winbox, and cannot open it in winbox................ Finicky as shit when playing with access permissions.........

anav

Not hyping it down, but its actual use as a data vlan is very niche (rare).

anav

Hi Nathan, great summary. However I am helping mostly new persons and they dont understand the basic entry method (manual) which uses both /interface bridge port and vlan to tell a coherent story. In fact by cross-checking the two sets of entries, a consistent approach and understanding is solidifie...

anav

On the switch, are all ports used, if not dont include them in config.
Why is ether2 part of an LACP and yet you have an address assigned to it.....

More to the point are all these other ports using 10.10.1.X addresses

anav

Okay how to create an offbridge port. REMOVE ether4 from /interface bridge ports /interface ethernet set [ find default-name=ether4 ] comment=OffBridge4 /interface list add list=TRUSTED /interface list member add interface=OffBridge4 list=TRUSTED add interface=mgmt_vlan list=TRUSTED add interface=mg...

anav

Looking at it more closely I dont see any vlans assigned in your cap so maybe tis okay....... Just didnt want to put my foot in it, so to speak., Happy to take a look and pretend its not there LOL. The first problem is that there is only one VLAN, the management vlan. Where is the vlan for the WIFI>...

anav

Cant help you since using capsman. Dont know how that interacts with bridges and vlans sorry.

anav

It should work with the settings I provided via CLI at the end of the post. Additional note for CHR Traffic. To ensure stable connectivity with all types of internet sites (banking etc.) Suggest try the default L3 hash on ECMP as that should provide optimal results. If that doesnt work you can try L...

anav

Duplicate Thread, please follow here............ viewtopic.php?p=1135310#p1135262

anav

allright so to be clear its not the entire subnet but only two Ip addresses, this should work for you /routing table add fib name=useWG / ip route add dst-address=0.0.0.0/0 gateway=WG_Interface routing-table=useWG /routing rules add min-prefix=0 action=lookup-only-in-bridge table=main { permits any ...

anav

No worries, many parts of a config are interrelated and thus a snippet really never tells the whole story.

anav

Ironic, that you were comfortable applying advances pages but dont understand what they are doing, but less so, for experienced users that are willing to provide some practical advice. There is nothing in an anonimized configuration that renders your network to any danger. /export file=anynameyouwis...

anav

On feedback from MT, some changes could be made to re-arrange the menus and thus the next attempt will be to do so, while preserving the overall concept of form follows function. The approach to the wireguard interface is simply superior and should be adopted, including the option to add IP address ...

anav

Bingo! Many thanks @CGGXANNX I was working from the assumption (stupid me) that setting the untagged VLAN was sufficient, but effectively it also needed to be manually assigned the PVID and I hadn't even looked into that submenu as the VID title didn't make me think of everything. If only the title...

anav

Instead of describing hypotheticals, and rules completely out of context, please provide the use-cases, aka actual traffic requirements. a. identify user(s)/groups of users including admin, external, internal b. identify all the traffic they require to execute. c. detail particulars about wan connec...

anav

Good point tdw,
The Unifi Gateway (its wanip) can be on the same mikrotik vlan as the Unifi AP for example which should simplify matters.

anav

Strictly wifi, correct, no capsman right!

anav

For example this OP seems to be doing just that................
viewtopic.php?t=215720

anav

https://forum.mikrotik.com/viewtopic.php?t=143620 Bridge should not normally do DHCP in a vlan setup......... simply create another vlan, amend any associated config lines. It is not clear yet what subnet or user(s) are supposed to go out wireguard. I do see an attempt so sourcneat wireguard traffic...

anav

What you probably realized somewhere through the long winded explanations of my colleagues ;-P, is that the rule actually provides three functions. a. allows traffic from the wan that is for port forwarding ( obtainable understanding ) b. drops any other traffic from the wan ( kinda obscure ) c. all...

anav

Not sure what you are connecting to, that is the missing link
3rd party VPN, a friends server, a Cloud based wireguard ????

anav

Sorry cannot help you. I have provided enough information to give you a load balance of ALL users going to CHR and a load balance of any users not going through CHR.
Not my problem you are fixated on PCC, when its not required and far more complex.

anav

You can read specifications as well as anyone else, depends on your requirements etc.
For me since I love, setting up vlans on mikrotik products via RoS, its the one I would go with.
If you want a plugNplay setup, then I would go with the zyxel ( but only because of that killer sale price )

anav

I would throw away the ubiquiti gateway ultra. Pretty dumb if you cannot buy an AP and get it to work, but instead you have to buy a second ubiquiti product to talk to the AP. To unlock the full potential of UniFi APs, including advanced features and centralized management, you'll need to use a UniF...

anav

Try a more useful set of firewall rules. /ip firewall filter {default rules to keep} add action=accept chain=input connection-state=established,related,untracked add action=drop chain=input connection-state=invalid add action=accept chain=input protocol=icmp (admin rules) add action=accept chain=inp...

anav

Looking at competitors, the only one that comes close to the 328 is this one in terms of price and features..
Personally, If you prefer RoS, then MT is the way to go. If not using RoS, then at the price prefer the latter.
https://www.zyxelguard.com/XGS1930-28HP.asp

anav

Repost both configs for review and use code tags for both.

anav

Thanks Nathan, that is the practical answer and enough technical description I was looking for to continue a general approach to all configs. Very often there is a mix of different vendor switches involved downstream from an MT router. Luckily, thus far I have not needed a config that required vlan1...

anav

Counter opinion, or at least different, TWO VRRF instances. RouterA - VRRF1 - Primary Router and used by VLANs from Router A RouterB - VRRF2 - Primary Router and used by VLANS from Router B. In this way the throughput of both providers is utilized ( why not paying for both!!) and the router vlans do...

anav

I have no reason to doubt that the AX3 is best followed by hapac2 followed by hapax2 based on those tests.
Your in Riga, pop over to MT to confirm!!

anav

Well endpoint has to be a specific WAN for the client to reach the right ROUTER.
The VRRP is for the inside facing users from what I understand.
But its a good point for discussion. Looking forward to what comes out of this thread.

anav

Nice!!

anav

Use wireguard.

anav

Sure that makes sense, if you have misconfigured your wireguard.
If the router is server peer for handshake and it has a number of peers, and one of the peer client settings on the ROUTER, has the error of 0.0.0.0/0 set in Allowed addresses, then this type of problem occurs.

anav

Your trying to stuff a pre-conceived solution for an unknown problem into the MT, the worst way to proceed.
Suggest you detail the USER TRAFFIC requirements, the use-cases that are driving your request.

It may very well be that other tools and methods make sense.

anav

For all IPs that either should not or admin wants not to get forced out of server. /ip firewall address-list add address=IPofDNS list= Exempt comment=" the dns server itself" add address=someOtherUser list=Exempt comment="user to router DNS not my server" /ip firewall nat add cha...

anav

Its not wireguard, that is the problem.
Reset your config to defaults then add wireguard and see if it works.

anav

Thats the European polite answer or part of anyway. This is the German answer!!! This is why if the OP came to me, offering their business I would run for the hills ( okay drive to the Swiss Alps in my Audi ) Tying the router to wifi is STEWPID, wifi technology changes much more quickly and ideal pl...

anav

In this case the wireguard traffic is going to some third party site, presumably to go out internet there. Probably not even a wireguard device at the other end. Since we dont control both ends, how is the remote end supposed to know what subnets we are going to have coming through on wireguard. THe...

anav

Is this a homework question?
If not, then please detail the business requirements and traffic flow requirements.

anav

I’m planning to setup a LAN with few CRS354 and CRS328 all PoE capable ( that’s why of 328 choice for 24ports switches) all linked by 10G sfp+ The only concern is about different switching capability between these two machines, 328 are rather old design…. Any thought ? ? YEAH what a crappy way to m...

anav

BLANK FOR FUTURE IDEAS

anav

Blue squigglies on the diagrams are my attempt to show mandatory entries. One should note that much is based upon having made the wireguard interface first, as this is a reasonable assumption. Where possible, admins may or may not select fields depending upon logic. Ignore the poor quality and non-s...

anav

Manual Peer creation ( key-pair creation at both ends ) This process addresses setting up the router as a client peer for handshake and setting up incoming client peers. The entry process for ‘manual’ will consist of first entering the Interface Name from a pull-down menu. The next common entry arg...

anav

Discussion for the Peer Creation Options: (2) New Peer Creation Process Discussion: The current peer creation process is an attempt to squeeze a number of processes into one page and from a UI perspective fails to be an intuitive and clear approach. After some review, even though there is overlap in...

anav

DISCUSSION: (1) New Wireguard Interface Creation Process Discussion: Overall. the current Wireguard Interface creation menu (New) is acceptable except for the ambiguous nature of the private key. A plus symbol is used to indicate a manual private key entry, typically only used in a third-party VPN s...

anav

When I started using Winbox4, and wireguard, I realized it needs much work! The GUI IMHO is not particularly useful, efficient, or intuitive. Everything is mushed onto one page and one has to sift up and down to find the right information to enter and of course we know there are errors in the curren...

anav

Blue squigglies on the diagrams are my attempt to show mandatory entries. One should note that much is based upon having made the wireguard interface first, this is a reasonable assumption. Where possible, admins may or may not select fields depending upon logic. Please feel free to critique and imp...

anav

Discussion for the Peer Creation Options: (2) New Peer Creation Process Discussion: The peer creation current process is an attempt to squeeze a number of processes into one page and from a UI perspective fails to be an intuitive and clear approach. After some review, even though there is overlap in...

anav

DISCUSSION: (1) New Interface Creation Process Discussion: Overall. the current Wireguard Interface creation menu (New) is acceptable except for the ambiguous nature of the private key. A plus symbol is used to indicate a manual private key entry, typically only used in a third-party VPN scenario, w...

anav

I was trying to keep it as close to the current setup, using clipNsave and paint LOL, no fancy tools. Its simply representative, and while doing it I realized what the three USE CASEs really are. a. local and remote key pair generation required ( manual ) b. local key pair generation not required ( ...

anav

Well either you did monkey with the MTUs, and have forgotten OR someone else configured the router.

anav

New Proposed winbox4 ideas: Much is predicated on first completing the Wireguard Interface setup! Note in the Tab Under WIreguard additional grey entries. ................. wg-peers.jpg ............... when selecting NEW, the options to select type are presented ------------- Peers2.jpg __________ N...

anav

1. Most people set this to none, its been known to cause issues. /interface detect-internet set detect-interface-list= INTERNE T 2. Why do you think its okay to assign two Subnets to the bridge. If you want more subnets make vlans and remove bridge from dchp. /ip address add address=192.168.10.1/25 ...

anav

Suggest you open a new thread in the wireless forum State what device you have and how you can set up the WIFI to accept WIFI on 2ghz wifi as a WLAN from the hotel for example and then use WIFI on 5ghz ( and ether ports ) to distribute to LAN devices. mode (station | station-wds | ap-bridge | bridge...

anav

1. YES, this can be simplified. /interface bridge vlan add bridge=bridge_LAN comment=home_vlan tagged=bridge_LAN,bond_2-4 vlan-ids=10 add bridge=bridge_LAN comment=guest_vlan tagged=bridge_LAN,bond_2-4 vlan-ids=60 add bridge=bridge_LAN comment=eyes_vlan tagged=bridge_LAN,bond_2-4 vlan-ids=50 add bri...

anav

Both configs are good, except on home router this rule is not required as access is covered in the src-address list rule in the input chain. add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.100.0/24 Its time to ensure the public IPs from generated by oppo...

anav

I predict success with the above changes.

anav

Can you please forget about whatever you are doing with OPVN, it makes no sense to me and is getting in the way. There is no port forwarding ON any of your configs. Also the diagram showing input chain rule on travel router is wrong. I will have a look at the configs. Home router looks okay! One sub...

anav

In other words, unless you get a true DPI router, any type of control over access of google, youtube, etc, is not really effective or worth it.
DNS is a different kettle of fish, so not sure if DPI would even help in that regard.

anav

Getting there LOL. On the HOME router you failed to put in the forward chain rules I had recommended earlier. { default rules to keep } add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes add action=accept chain=for...

anav

There are some tools and ways to do so, and thus experts should chime in, who do this stuff.
In the meantime there are external third party applications designed for the deployment of large numbers of MT devices. Admiral Platform comes to mind.

anav

Good the zyxel has a stand alone configuration which I prefer.
Will be very curious as to your wifi results, throughputs with iphone or android phones etc....

anav

Mkx was faster, but faster is not always better, ask any woman.................

Gigabytes answer gets my vote. Management control is saaweet over RoS.
Your setup looks good!!! Which wifi AP did you get, TPLINK, Zyxel ??

anav

Well I have driven to NYC many a time, and the rules of thumb are carry a gazillion one dollar bills for tolls, get a toll pass when it makes sense, park the car and take the ferry, get a multi-day transport pass ( subway and bus) if there for any length of time. I guess what has changed is this new...

anav

Well I have a suggestion for MT, make their AI bot better, so that I dont have to see people beg rextended for scripts, especially when they pull out AI outputs that are pure crap.

anav

No need to be specific of protocol etc. The fact is that any traffic to the router over 4G itself should respond back via 4G. Finally only two rules are required. /ip firewall mangle add action=mark-connection chain=input comment="Mark connection ICMP for 4G" in-interface=l2tp-4G new-conne...

anav

WAN aggregation does not improve speed. Any singular sessions speed is limited by the WAN being used for that session. What you get is MORE bandwidth overall to share with users, so that there is less bottleneck. Additionally you get redundancy in that being separate Providers, if one is not availab...

anav

How do you propose to identify sites that users traffic is supposed to use the local WAN? Are we talking about programs (like youtube or google), that the router cannot do as its DPI dependent. Then the answer is NO. Are we talking about static public WANIPs ( or dynamic ones that can be identified ...

anav

I only have to know it has come from darkextended to understand it............. it was very much close to my reaction to reading the Ops post,,,,, in english we use the word gibberish.

Reminds me: https://www.youtube.com/shorts/g8ZF3zE7hh4

anav

I am not interested in proving or disproving some testing or lab creation. If you need assistance it will be important that there is clarity in all the use cases of needed traffic flow by users internal, external and admin. Including any vpns, port forwarding etc. and sufficient details if more than...

anav

Dunno, I thought it was so Larsa can fly around and sniff sweet smelling MT equipment. ;-P ROSE (RouterOS Enterprise) package adds data center functionality to RouterOS - for supporting disk monitoring, improved formatting, RAIDs, rsync, iSCSI ,NVMe over TCP, NFS . This functionality currently is su...

anav

You need to buy a car, that scooter just doesnt cut it and you cannot carry much. ;-P

anav

We are all going to end up as batteries for machines anyway

..........................................

the_matrix_human_batteries.jpg

anav

Well when you have a router config to export, and somethings not working let us know.

anav

Of course things didnt work, you made very little of the recommended changes and based on that, I dont think I can help much further.
The main error was pointed out again. Good luck!

anav

You failed to hoist in this point properly.............. Travel Router First problem USING THE SAME SUBNET BEHIND THE ROUTER> Now that you have access on ether5, you should have changed the subnet on the Travel Router, I had suggested to 192.168.38.0/24. THis would be reflected in the allowed addres...

anav

Are they wired or is by wifi?

anav

So they have confirmed connectivity from the street to their modem is solid? If thats the case sounds like the connection fro the modem to the router is the problem. Try a different cable.

anav

Plan for device replacement strategy based on flash usage?

anav

vlan-filtering one bridge can be daunting for the new user as one is adding vlans and eventually drop DCHP and address from the bridge as one should ( bridge subnet simply becomes another data vlan etc.) reference to read: https://forum.mikrotik.com/viewtopic.php?t=143620 To facilitate a painless ex...

anav

Netmap maybe?
Take an etherport off the bridge that is attached to the device..............
Etherport not part of LAN interface
Separate firewall rules if required for etherport

anav

Config of hex
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)

anav

Travel Router First problem USING THE SAME SUBNET BEHIND THE ROUTER> Remember first post I stated: " I would use ether5 as a config port or emergency access port OFF the bridge. " Doing so allows one to easily change subnets. I know its difficult otherwise!! 1- So REMOVE ether5 from the b...

anav

A dynamic IP is not a problem with the home router, and I am assuming its a public IP. The router provides domainurl mynetname under IP cloud to use as a Wireguard endpoint on the travel router I will take a look at the config later. home router config looks pretty normal. If you are not using IPV6 ...

anav

Well, congrats on guru status! Now, the real test: What’s the meaning of life?
Easy: "Always look at the bright side!"

ex. If I have to leave USA (NY) before it turns into Russia, I have a new friend in Canada with room!

( well at least a tent LOL)

anav

IS EVE-NG any better then??

anav

CGG is bang on, it looks like that the BRIDGE itself, should not really have any selections for ingress filtering for frame types or PVID for that matter for vlan-filtering=yes and leaving PVID=1. As I stated I use frame-types admit only vlan tagged specifically to stop any traffic entering the rout...

anav

luv it!

anav

Fascinating but does not answer the question I have in the other thread and request about wireguard.................. our ongoing conversation!!

anav

The bond XR option should only be used with some smart (but dumb) managed switches that only have LAG option. Concur with patrick, 802.ad is the way to go.

anav

All good to know......... ! Hope its working now.

anav

Huawei products should not be used for a multitude of reasons, and one you probably dont know about is how poorly they treat their workers

anav

Thanks for this topic guys, helped me to understand MikroTik better. But I have a little question. For me Ethernet2 is a trunk port (admit only vlan tagged) carrying about 4 vlans(one is the mangement ). I tagged the bridge on each vlan table and the ethernet2 also. At this moment normally my L3 wo...

anav

Based on your config I have no clue what your are doing. Vlan filtering typically has one bridge you have two?? Is this device supposed to be acting as a router or a switch? I suspect a switch because its a switch LOL, and also by ethernet1, I assume that is a trunk port to the upstream router. IF s...

anav

No worries, by the way if you wanted to block wifi clients to wired clients on the same vlan, use bridge horizon same value on /interface bridge ports

anav

I will but, one should not think that more slaps are better!!
https://www.youtube.com/watch?v=IhJQp-q ... xhcA%3D%3D

anav

@Holvoe SEE my friend, simple capsmanless datapthless config IS SUPERIOR. said somewhat in jest of course, The challenge is to provide this chap with a working config with all the datapath entries he was using at the beginning and for the config to work. We can deal with capsman at another time as i...

anav

Yup, good execution, to start with a working config then add pieces back slowly to ensure you understand what breaks and what works. For data path isolation, no worries, assign a datapth1 JUST with isolation invoked and add that to the WLAN where you want to isolate wifi users from each other. That ...

anav

Personally, I see no reason to change your hardware at the moment. Both cameras are on the same vlan so untagg the camera vlan to the dumb switch and you are covered there. The two APs are what unifi, nothing wrong with those, they handle vlans and you just need to feed them hybrid ports from the MT...

anav

No offense taken, in fact MKX is bang on the money and I would unashamedly say that his sentiment lasted far longer than that. I can say that I probably crossed the line when it penetrated my thick skull to find my pea brain, that a wireguard address on the MT router was actually a good thing. And L...

anav

The more detailed the requirements the more accurate the answer!!

anav

Since you don't know the problem, why do you think you know the relevent parts of the config. :-) Seems illogical. In any case /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, long dhcp leases etc.) and for the love of god, dont use VERBOSE export!!! Plea...

anav

Much better and fruitful ways to spend your time LOL

anav

well where will your users get their internet phone book information from then??

anav

Not really but you can ask here but be sure to state your requirements and use cases for traffic and also ISP information. etc.

anav

I may still have one floating around, and if you know anyone with a 3D printer, they could probably make one.

anav

Based on Sindys advice, this may do the trick......... TO ADDRESS ADDITIONAL REQUIREMENT OF SOME USERS USING LOCAL WANS. The key to ensure ECMP works, is for the routes in question to all have the same table with same distance. /ip firewall filter add action=fasttrack-connection connection-state=est...

anav

Thats changing the requirements which nobody wants to deal with --> its called scope creep. The onus is on you to be honest and state the full requirements PRIOR to designing a config. Do better next time!! So before answering, will request much better detail on any other requirements percolating......

anav

I'm curious as to the purpose of the tunnel to this swiss device.
Is the requirement to reach a subnet behind that ISP router?
Is the requirement to simply use internet at that router?
Is the requirement for some entity behind the swiss router to reach the single LANIP on your MT?

anav

Not sure what you mean? The LAN user will only go over the wireguard to the CHR, so there is no other alternative. Yes expect a reduction of speed through wireguard to the CHR. 1. First consider the throughput of each WAN will limit the speed of any session using that WAN 2. Consider the limit on th...

anav

Thanks ! I will fix the PVID 93, my Switch gets ip from the main vlan dhcp and I wanted it to get some ip from the management so I tried to put pvid93 so the device will prioritise that but it is still on MainVlan 15 subnet the switch. I guess I have to put pvid 1 ( default ) instead of pvid93 on t...

anav

Im no wifi datapath expert but I am guessing that since you have detailed both the bridge and vlan in datapath. You need NO entries in either /interface bridge port or /interface bridge vlan FOR ANY of the VLAN traffic, But before you try that first fix the gross error to see if that helps 1. Trunk ...

anav

Hi AMMO, can you go through the page above, and think of making what I have better, and I am missing anything?
A better way to reorg, or to enter data etc.. Or anyone for that matter.

PS. send me a hello on discord anav_ds, I have a word doc for your to critique/peruse!

anav

Well as always it depends, and it depends because the full config has not been provided. A config is very much interrelated so snippets dont provide full context.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)

anav

I would consider setting up VRRP Instances. VRRPA - Router 1 is the primary and Router 2 is backup VRRPB - Router 2 is the primary and Router1 is backup. Why you ask, so that Router1 LAN subnets can use R1 ( via VRRPA) and Router2 LAN subnets can use R2 ( via VRRPB). A more efficient use of both ROU...

anav

My bad, I thought your standard use was connecting to wifi WAN, and then sending the traffic through wifi to other devices in the room. IF that is not your go to, then by all means IP DHCP client on ether1 is ENABLED and the 2.4ghz WAN link in wifi is disable. In both cases wifi to local devices is ...

anav

Very reasonable request, and without going to much into the config it shouldnt be too much of a problem. If the ask was for a USER on the LAN originate traffic to router A that would be more difficult. Basically since we NAT all the traffic leaving router B, going to the TPLINK router, the wireguard...

anav

Looks good from what I can see. The travel router should also be setup with IP DHCP disabled on ether1, just in case you have a wired connection. Otherwise you will need to figure out how to a. grab wifi WAN from 2.4ghz connection to hotel etc ( the part you may need to ask for WIFI assistance to co...

anav

I think it would be worthwhile to point out WHEN vlan-id=1 HAS to be used, (no other way/recourse), and I can probably count on my four finger amputated hand, how many situations that is........
When the time comes though, I will be asking graelex for advice so dont piss him off

anav

Well all the ports are 1gig, the Hex can route about 250-300 Mbps, so that may be your limiting factor, but more likely its the AP throughput. Six vlans but 8? pools? You are still confused a. please remove any IP address assigned to the bridge, it does no dhcp on vlan bridge filtering, to keep it s...

anav

Must be an IPV6 issue then.

anav

I think water broke through the dykes and got into your ears. The chap doesnt need such fancy stuff. A. Basic need, two separate VLAN to separate guest users and trusted users each one tied to the approriate WLAN and different security settings. B. More advanced need, invoke isolation between wifi u...

anav

The concept proposed is a non-PCC, ECMP approach with minimal mangling required. We will use the listening port of the interfaces we create at the CHR (the endpoint ports in the router wireguard peer settings) as an entry argument for our mangle output chain rules. In this way, the handshake ORIGINA...

anav

You cannot. You are hamstrung by whatever device is coming in the WIFI. Stupidly dumb wifi devices internally create a faux guest network. This network uses the same LANIPs but is isolated from the other wifi users and also are isolated from any LAN users on the same subnet but wired. They can only ...

anav

But I can wireguard to my router (establish tunnel) and then use ip addresses on the router to configure the router via the MT app. Do you mean wireguard to a device directly that is downstream of the router, so lets say an AX3 or other MT device behind the router? If so do you want me to test if it...

anav

or just reboot the router? often a good idea after many changes.

anav

My apologies, but I dont understand your network and I dont use IPV6. If you can provide a similar scenario that I could test on my equipment to confirm your findings I am glad to attempt such tests. Do you mean you wireguard into a downstream router or device and wish to be able to reach and config...

anav

Okay so I need to test this by attempting to access a subnet on my Router from my ios app. The allowed IPs on my WG app thus should be restricted to a subnet and the wireguardIP of the router......okay will try. Added wireguard subnet access to a printer on a printer vlan. router firewall rule Chang...

anav

If the upstream or downstream device is a unifi, then you simply need to create a hyrid port vice a trunk port Assume the unifi subnet/management comes into the MT device as untagged and the data vlans tagged. If your running the CRS3XX as a switch then its simple Only define the management VLAN let...

anav

Well this is true, port forwarding requires either a. you get a public IP from the ISP modem b. you get a private IP frome the ISP modem Router BUT, you can access the ISP modem/router to forward ports, or ask the ISP provider and they forward ports upon your request. If not , then you cannot port f...

anav

Sorry not a capsman expert so if its the problem, cannot help. On the hairpin nat rule DUMP the extra stuff and be granular. add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.0.0/16 src-address=192.168.0.0/16 to-addresses=192.168.2.100 should just be add action=m...

anav

Okay, it got me to thinking that the MT approach is a mess. Their import function is located on the main page so how do you know which interface the peer applies to. Wireguard files do NOT include interface name! When you select a wireguard interface, the IMPORT function is GONE. Similarly to the EX...

Search found 23470 matches