MikroTik

anav

Yes, this is a dogs breakfaST of a config, surprized much works, before tackling wireguard must read this and apply: https://forum.mikrotik.com/viewtopic.php?t=143620 One bridge, all subnets expressed as vlans!! ( and where in the heck did you conjure up this non-existent interface interface=wlan_11...

anav

Not sure what command you used LOL but it wasnt what I gave you which doesnt bode well for future advice not being followed ;-PP

I suspect you used something like
/export verbose file=expoanythingyouwish

Please post without the verbose........

anav

Avoid those that talk in riddles LOL.........
Case in point, you DONT want to end up like this................ dog pukes on config --> viewtopic.php?p=1142057#p1142017

anav

FIGURING OUT WHAT kind of connection your ISP device is getting certainly is key!! Check IP DHCP Client for your WANIP? a. confirm you are getting private WANIP on the MT device ( should be a private IP from the ISP router LAN side ) CHECK IP Cloud b. check the IP address you get from IP CLOUD enabl...

anav

Clearly indicating as noted that any hands off adaptation will require scripting.

anav

Management should be handled by a management vlan and associated with a TRUSTED interface list, and that TRUSTED interface list should be used for neighbors discovery and mac server winbox-server tool setting. You can attache your PC to any sfp port or to a switch connected to an sfp port and call i...

anav

RoS is very flexible and allows one to do all kinds of setups, many are not wrong, they are simply not efficient. This is the case with two bridges, it seems like an obvious go to, but its if needing multiple subnets to a.. use a combination of single bridge and assign other ports their own subnet b...

anav

To be clear you want primary DNS to be your NAS. If the NAS crashes you still want folks to be able to access the internet by a public DNS service. This will not be possible without some intervention after the NAS crashes. For example you could do this... address=192.168.0.0/24 dns-server=adguard-se...

anav

/// I will stick with simple ///

anav

Please provide the configs from both Starlink MT router and the VPS CHR......... 1. There is nothing we can do to control the setup on your roadwarriors. That is up to you to config. On my iphone for example my allowed IPs are 0.0.0.0/0 and any traffic I attempt is routed through the vpn tunnel. The...

anav

Sorry copy and paste the config to here directly via text editor aka notepadd++ Then post here and use the code quotes around the text ( above black square with white square brackets on the same line as Bold and Italics etc.) We appreciate the effort to provide the config, but its against good secur...

anav

Correct Jaclaz, the use of ether5 as a temporary off bridge port is still valid, and thus at the very end, that switch can be done from a PC working on any of the other ports with admin privileges. a. remove IP address for ether5 and change name back to plain jane ether5. b. remove ether5 from LAN a...

anav

OP: Any post entry without context is only opinion, we work from facts.
please post both configs
/export file=anynameyouwish ( minus device serial number, any public WANIP information, keys)

anav

That is the point, there should not be three people guessing, it should be one person answering correctly for a decently constructed post. Rinse repeat posts per day, day after day, year after year........
Definition of insanity or refusal to look at context.........

anav

Not sure what you mean, you configure wireguard at each end as applicable. For example: the main bridge, haves 20 hosts connected. I want that the Wireguard tunnel is only applied to the device 192.168.88.20, not the 19 others. For starters you need a plan, and clear requirements For example I have...

anav

Not sure what you mean, you configure wireguard at each end as applicable.

anav

Great then we can expect to see two configs

anav

Sort of, the bridge can be used for any number of connections of ports but typically its used to encompass all the LAN ports and not the wan Port. Correct one assigns ports to a bridge if they are meant to be glued together at layer2 by that bridge. So if one wanted to apply firewall wall rules (lay...

anav

Can you draw a network diagram so I can see the relationship between devices, location and how attached to the internet............

anav

https://www.youtube.com/watch?v=EX6QqHmbBpY&list=PLJ7SGFemsLl0ld4OrcnVBHg4kPk0Y2_Z9 (and many others) From mikrotik................ https://www.youtube.com/watch?v=13NvZY7sRlY https://www.youtube.com/watch?v=ZpAY_6RDuRA https://www.youtube.com/watch?v=kF4b_t6W5fM https://www.youtube.com/watch?v=...

anav

Which end has a public IP or an ISP router that one can forward a public IP too...... I would setup a wireguard connection at both ends, one of them being the server for handshake and the other being the client for initial handshake. https://help.mikrotik.com/docs/spaces/ROS/pages/69664792/WireGuard...

anav

..........

latestinterface1.jpg

..........

latestinterface2.jpg

anav

1. Due to a better understanding the Responder Function, it is now clear to me that MT had it correctly positioned to be associated with each peer and not the entire interface as I thought. However, I have decided to leave the RESPONDER checkbox on the interface page due to the fact that its likely ...

anav

That would be the first approach by someone using logic but doesnt know the efficient approach . 1. assign each port a subnet 2. assign a bridge as a subnet for all ports 3. assign a bridge with a subnet for some ports and for others assign separate subnets 4. Assign one bridge (with no dhcp respons...

anav

When a device is acting as a router, the WAN interface ( typically an ethernet port) normally has nothing to do with the LAN bridge. ( only the router itself is getting an IP address via this port ) ( the subnets either get their ip address from the bridge, or via vlans, or possibly partly bridge fo...

anav

Once fixed, then recheck. I suspect any further issue for road warriors to reach either internet or subnets have more to do with the VPS setup than the MT.

anav

yup I see that the bridge subnet added for troubleshooting purposes vice single admin devices, no worries. black bold, recommend removing orange bold not required at all red bold, remove blue bold, forgot to add !! /ip firewall filter add action=accept chain=input comment=\ "defconf: accept est...

anav

4. Export and post your full configuration. Redact as necessary, but not too much.

For the mother of god this !!!!
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

Also a network diagram to show the relationship between devices..........

anav

1. I wouldnt name my wg interface mark phone, dont like spaces and its simply the name of the peer,,,,,,, wireguard1 is an example. 2. the address in firewall rule is incorrect should be 192.168.100.0 /24 add chain=input action=accept comment="wg access" in-interface=wireguard1 src-address...

anav

No worries, meant TLC sorry! ( tender loving care ) Local users in your config do use the local WAN for internet, there is no way for them to use wireguard based on the config, so not a concern. a. since the wireguard interface is part of the LAN interface list and b. you have a rule allowing LAN in...

anav

I forget, what does Amnezia do ?? bada bing!!

anav

Anyway it would be much better/easier if you could post more details on your layout and your current configuration, following these instructions: https://forum.mikrotik.com/viewtopic.php?t=203686#p1051720 If I got paid a nickel every time you typed that.......................... One day you too wil...

anav

On the VPS server you need a relay rule of sorts as wireguard is a peer to peer network so in MT terms it would be add action=accept chain=forward comment="relay rule" in-interface=wg0 out-interface=wg0 Therefore a destination address for 10.0.0.25 would come from a road warrior exit the t...

anav

First mistake is using ubuntu for VPS in stead of mikrotik CHR ;-P What you are attempting to do I only explain in MT terms. The MT Router behind the starlink needs some TLC! 1. Delete this line, known to cause funky issues on MT devices. or set to none! / interface detect-internet set detect-interf...

anav

Concur with Sindy, admins job is not about random results LOL, I think most people would simply like certainty and KISS, which setting the initial wireguard listening port ( we are talking the client peer for handshake, so can be anything ) to a fixed number is not going to upset anyone. What is coo...

anav

Yes, I prefer to turn off the default route in IP DHCP Settings so its clear to the reader what the routes are doing, clearly in this case the default route, if still in place for WAN2, with the same distance as the PRIMARY, would act like ECMP and thus get some of the sessions. Turning it off and u...

anav

That was my fault cgx, I provided the incomplete routes setup ( forgot to ensure the check-gateway=ping were included ) Should have been. /ip route add check-gateway=pin g comment="Primary WAN" dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 target-scope=12 add check-gate...

anav

For a config review, as jaclaz stated, the complete config less router serial number any public wanip information or keys is required.

anav

2. That was from default configuration from MTK. I dont have set something like that! Nope, this is not part of any default setting, its on the config you provided, and the only way it is enabled is if you made it so, but in any case no biggie, just disable it. ( mostly used for queuing I believe )...

anav

Not trolling, just call it like I see it. Pushback rebuttal is directly proportional to the ego of the other. :-) Haven't tested lately but ports being forwarded on a router used to show existing on port scans but closed ( not open ) If you add a source address or address list to a dstnat rule, the ...

anav

I would prefer not to have random port selection as there is always the chance of duplicating a port being used somewhere on the router......................... or something fairly common....22, 80, 443 etc........ but glad to hear this works!!

anav

Nothing I can see thus far that would cause any issues. Couple of things seem off. 1. The second NAT rule seems to be doing nothing, you identify a source address but what is being source natted too??? So perhaps you should explain why you have the second rule ( intent-purpose ??) /ip firewall nat a...

anav

No idea what you mean, if you have an emergency call 911! The only emergency is the bloated crap load of rules you have............. And why are you port forwarding NTP to a subnet?????? Finally, too many parts of the config are missing, I will move on to help someone else more cooperative, as i did...

anav

If the mikrotik is a client peer for handshake then change the listening port on the interface as this should clear up the issue. Dont laugh but here is a script that will do just that......... It should be paired with a route that checks if there is an address available on the remote server peer ro...

anav

If you now have a static Public IP available to the mikrotik router OR to the ISP router, then remove BTH and simply use full normal wireguard on your MT router.
If its the ISP router that gets a public IP then simply forward the listening port to the MT.......

anav

1. What is connected to each port on the RB4011, ether2,ether3,ether4,ether5, ether6, ether7 ????? 2. It seems you have every vlan going to every port?? if so then this can be shortened TO: /interface bridge vlan add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids= 10,20,30,...

anav

Evidence.
Post config
/export file=anynameyouwish ( minus router serial number, any public WANIP, keys )

Also, why do you need www and ftp internally?

anav

Dont mind helping but one has to make efforts as well......

anav

None of those were new rules, it was an excerpt from your existing rules ( thought you would recognize them LOL ). When I give you hints, the idea is for you to then go ahead and do some research. Go to mikrotik documents and in the search put in sniffer. https://help.mikrotik.com/docs/spaces/ROS/pa...

anav

Sorry need to see script not pics. /export file=anynameyouwish (minus router serial number, any WANIP public information, keys, passwords ) The pic does show that the first recursive is active, and the second recursive not being used and the backup not being used. Thus nothing strange from that at l...

anav

No .......all I did was modifying one existing rule, the bit I added is bolded.

Try sniffing traffic on port 53

anav

I dont care about puke windows puke. :-) Also why would your windows PC know that the traffic or DNS is even going in an encrypted tunnel??? The question is are the www lookups from the LAN subnet going through wireguard or not. I am not sure how to test that, but we dont allow your LAN to go anywhe...

anav

1`. Here is problem1 add bridge =*F interface= pppoe-out1 Do not add the pppoe interface to the bridge!!! 2. Here is problem2 /ip dhcp-client add comment=defconf interface=ether1 This should be disabled or removed, the client settings for wan are dealt with in the pppoe settings!! 3. Problem number ...

anav

I would say your missing the part of who is being redirected here......... /ip firewall nat add chain=dstnat dst-port=53 protocol=udp to-addresses=10.10.10.2 action=dst-nat comment="redirect DNS" ( src-address=subnet???? src-address-list=???? ) ahh I see you have addressed that in your lat...

anav

Ahh okay,,,,,,,,,,,,,,,,
So normally the router trunk from the CRS that contains the subnet would not be used but sort of sitting there waiting?? ) and I note that if pFS is not working there are no subnets coming in on the switch side trunk.

anav

I didnt see any messages on discord.........

anav

I think its illogical to do both at the same time, but given that its wholly possible, due to flexibility of RoS, then why on earth would you want to create additional subnets (on the router acting part) that have the same address on subnets traversing through the switch part ?????

anav

SE:CR:ET:MA:CA:DD

anav

Everthing should go through the tunnel setup as far as I know.

anav

Okay so you are using this switch as a Router, and thus assuming your ISP throughout is no bigger than 200Mbps. Lots of things to fix in /interface bridge ports and bridge vlan Read this bible has switch examples -->https://forum.mikrotik.com/viewtopic.php?t=143620 Then watch this video --> https://...

anav

It would appear so, I read scripts better than diagrams LOL

anav

Okay so most of that went zing over my head as usual.
What should we ask Mikrotik to do........................

anav

The config looks just fine to me, all good!!

anav

Sorry dont read that format.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

anav

Probably related........ Should be good to go.

anav

No that is for the firewall rule that is duplicated which you did not highlight,,,,,,,,,,,,,,,,,,,,,, the reason is there is no incoming handshake to the router for establishing the vpn connection, its your router that is sending out the intitial handshake and thus its the remote end (if mikrotik) t...

anav

Where are you located? I can help but dont take payments..........
contact me at discord (removed no messages sent)

anav

Its RoS, not linux, sorry. VRF will work for your requirements.

anav

Just the one dealing with wireguard and do you know why it is not required??

anav

Hmm probably a few errors, lets see what we can ascertain. 1. This rule is not required. If you note that the last rule states DROP ALL ELSE, this means anything above this rule NOT allowed will automatically be dropped so this rule is not wrong but simply not needed. add action=drop chain=forward c...

anav

Just remove, delete them LOL. do you use winbox?

anav

Suspect simply hiding the mac address...............??

anav

Your config rsc is fine, regarding security, As for observations, just two........ a. WHy do you have this rule??? add action=accept chain=input comment="Allow WireGuard" dst-port=51820 \ protocol=udp b. why do you have this rule out of the order for forward chain rules and especially when...

anav

Yes it can, use VRF to create the additional virtual routing table on the mikrotik device!!

anav

I see you have a fixed WANIP......... Thus (KISS) /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24 add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN add action=dst-nat chain...

anav

/ip firewall address-list add mynetname.net list= MyWAN { using your my ip cloud name } /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24 add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-inte...

anav

Does the RB5009 provide time to the netgear switch (NTP). Stretch but thinking of things that may cause differences.
Wonder if you can borrow a different switch to see if the behaviour remains.

anav

Any information that identifies the IP address of the ISP internet address you were given, or the ISP gateway IP address etc..........
or any passwords or usernmames provided by the ISP.

anav

Its better than most but still has some meandering not well explained items and some errors but overall not a bad video.
The fact that you state firewall rules should have no bearing on the wireguard config also detracts from the post ( aka your assessment).

anav

Sure,
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

anav

There may be some tricks you can do with NAT ( source or destination ) but this assumed two mikrotiks at either end. Also its not clear whether or not the duplication is the subnet at your router, with wireguard, OR with the remote subnet at the other end, with wireguard? Lets assume the duplication...

anav

Anav, I think some people will still use the web interface as opposed to using Winbox, so I included those remove commands in order to clear out those config items in that scenario where they may have made initial ip configurations. Ahhh okay, my bad. Ensure though you reference that so its clear t...

anav

Nathan your hurting my brain, is there any reason to separate connection tracking clearing of change IP and down and change of ISP? and if not, then MT simply needs to ensure the functionality exists that covers both, even if its just a checkbox.

anav

heated agreement, MT needs to make src address only as ECMP hash option.

anav

There is also the similar mangle rule, probably wont help either but worth a shot..... disable the other and try this one: add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wg-nordvpn passthrough=yes protocol=tcp tcp-fl...

anav

What routers or devices are handling wireguard at each end?

anav

I would make some changes....... as follows ( we gave used a wireguard interface name ( can use whatever you prefer) of wireguard-VPN ) THIRD PARTY VPN - one flat subnet only /interface wireguard add name=wireguard-VPN mtu=1420 listen-port= AnyPort# \ private-key="INSERT THE PROVIDED PRIVATE KE...

anav

Did you make your suggestion directly to Mikrotik via their support page sub section Suggestion ( vice Bug )??
Seems like an L3-lite is a very worthwhile suggestion.

anav

yes you could try adding this rule in ip firewall mangle.
add action=change-mss chain=forward new-mss=1380 out-interface=wg-nordvpn protocol=tcp tcp-flags=syn tcp-mss=1381-65535

anav

Instead of presupposing the solution stating the issue solely and asking for potential approaches is better. To be clear a. who decided the IP address schema of the wireguard subnet and can you change it? b. who decided the IP address schema of the local subnet that clashes and can you change it. Th...

anav

/export file=anynamwyouwish (minus router serial number, any public WANIP information, keys) for both sites.

anav

For this one, i got this error while trying to add [admin@MikroTik] /ip/firewall/filter> add action=accept chain=forward comment="Subnet to wireguard" out-interface=wg-nordvpn src-address=50.50.50/0/24 value of range must have netmask after '/' either as number or as ip value Of course it...

anav

Okay, nice explanation!! From my reading its probably best to have the NVR and the cameras on the same subnet but this is still possible and keep all your requirements. Just a bit of finessing on the firewall rules. Not sure why you have an ageing time set on the bridge, first time Ive seen that so ...

anav

For router security also recommend the following rules. /ip firewall filter { input chain default rules to keep } add action=accept chain=input connection-state=established,related,untracked add action=drop chain=input connection-state=invalid add action=accept chain=input protocol=icmp add action=a...

anav

Yes, the rules provide good security and prevent leakage as you desire.
They only allow lan traffic out the wireguard tunnel.

As to the other question, just to confirm that you have a default route enabled in LTE settings.
I am assuming you do otherwise the tunnel could not be established.

anav

Sorry lurker didnt really understand but you seem to be saying that with the new kernel ( really still an old kernel ) that MT is now using, the unexpected behaviour is normal/expected, much to our shagrin. Furthermore, you are hoping that MT comes up with a built-in easier way to clear the connecti...

anav

Yup watching this thread as most expect masquerade to clear connections..........otherwise rextended scripts will get extended use LOL.
I would not consider this solved until MT replies with certainty about new behaviour or they forget to do something during programming etc............

anav

Okay, 1. Modify allowed IPs from: /interface wireguard peers add allowed-address=0.0.0.0/0 ,::/0 endpoint-address= \ endpoint-port= interface=wg-nordvpn name=peer1 public-key="" TO: /interface wireguard peers add allowed-address= 0.0.0.0/0 endpoint-address="as provided" \ endpoin...

anav

Looks like you pushed a release candidate (beta) to production. Probably not the smartest move.

Larsa, dont they teach that at IT school. Use the latest beta firmware for production!
Maybe they took that advice when running the Spanish electrical grid ;-)

anav

viewtopic.php?t=143620

anav

If you think the two rules are complex, I imagine you don't do the cooking at home ;-PP
I dont disagree with the simple approach, but nothing wrong with knowing how one gets there and thus able to adjust if required.

anav

You have hidden to much information to be of real assistance. The only thing that should not be entered is a. NORD VPN settings - private key - public key - endpoint address The rest should have been available for viewing. b. Router settings - serial number ( check ) - endpoint-address ( check ) - p...

anav

Danke!!

anav

Lets set the rules straight here!!! TWO RULES OF THUMB (scope & target scope): First Rule . The resolving route (DIRECT - connected route) with dst-address TO the "real WWW IP (dns site)" and with local ISP gateway IP, has Target-Scope=X and the recursive route (INDIRECT - external rou...

anav

The bible on setting up vlans: viewtopic.php?t=143620

anav

Provide a diagram and a clearer description of the requirements Does the NVR need to be on the same subnet as the cameras? One can access the NVR by IP address and not have to be in the same LAN (advised for security reasons). So neither cameras nor NVR need access to the internet?? Wifi will have h...

anav

Go to the support page: https://mikrotik.com/support
Select the CONTACT SUPPORT BAR in the middle of the page: https://help.mikrotik.com/servicedesk/s ... r/portal/1

anav

Yes and no. Even with the odd ether-1 setup, it's faster then old Hex when used as a normal router. As a switch however, that's another story. I'm sure they made it in accordance to what's needed for majority of their customers. We only see a fraction of that population here (and only the most savv...

anav

Obscure, not, simple transaction issue: No one paid my tariff of 365 belgian chocolates ( one for every day ).

anav

Hi Jaclaz, I assumed the OP, when he stated he was behind NAT, meant that the hex was behind an upstream router ( aka ISP or own )??

anav

Now, there are many parts of the config missing, so no guarantees if the router will work properly in all circumstances or if the setup is secure..

anav

Two errors: You changed the PVID on the bridge itself, this should kept to the default of 1. Secondly forgot to tag the bridge! Modifications: /interface bridge add ingress-filtering=no name=bridge1 protocol-mode=none pvid=1 vlan-filtering=yes (once the rest is setup and working add frame-types=admi...

anav

Its an excellent cheap wireguard device as a host and its easy to setup.
You just have to be clear on the requirements and a network diagram also helps in planning.

anav

There would be no problem with a wired only version, just plug in a wifi AP at the other end............

anav

1. A port carrying only a single vlan tagged subnet is still a trunk port LOL. 2. What are the tagged vlans on ports 3,4 and 6-8 going to?? Any smart device on the network should be on the managment vlan ( get its LANIP from the management subnet ) and thus each trunk port should carry as a minimum ...

anav

Provide
a. the config settings provided........... ( minus endoint address use x.x.x.x.x and any keys )
b. router config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

It is not clear what you are doing on the hex as you dont provide an actual config.......... nor is it clear what you are connecting to, a third party provider, your own server somewhere?? Nor are the requirements stated, what is the purpose of the wg connection for the hex............ to reach inte...

anav

Indeed advanced!!
MT AI BOT Transcript.

Hey Bot, is Normis Sexy?

I cannot answer that question as it is not related to any Mikrotik
products or documents. However, yes, but without the beard.

anav

It would seem that the ether1 renders this device useless compared to older versions of hex ( except arm core of course and thus BTH etc. )

anav

This would be appear to be some hardware or firmware issue, cannot see it being related to RoS. Should be reported as bug to MT.
And perhaps a product wide recall and refund to all purchasers of this product and rename the product to Hex Recycle

anav

No, you have configured the mikrotik to ensure that the communication you seek is not available. In other words self-inflicted due to lack of knowledge. The firewall rules are not the problem. The basis of error is a missing routing rule..... Complete review follows. You have not provided any of the...

anav

One must first ask, is this the optimal location to ask such a question? For example, when did the Ford Mustang first come out with a v-8 engine? OR How do they put the cadbury milk chocolate in the cadbury milk chocolate bar? Both are technology questions! :-) Neither of which the MT AI bot could a...

anav

My bad I looked at the date of the responder and not the original post date LOL.
I blane yahelb for bringing it back to life

anav

I didnt get past the first para where your world has apparently ended, but you have never posted here for help. Why come here to complain, this is not the complaint department its the get assistance with your config department. Counselling and mental health well being are down the hall. The way it w...

anav

It works, something wrong with your device settings or the manual information you provided to connect.s Possibly a permissions on the router as well.

anav

Same questions I had. I believe the NVR talks to the reolink cloud server. User, via their reolink app, reach the cloud server and then down to their NVR. The NVR should have no ports forwarded to it, that would be bad, if the OP was thinking of port forwarding to view direclty by IP or something. A...

anav

KISS ( i personally would never go to the complex lengths above)! - never open up DNS to the WAN side. - have drop all else rules at end of forward and input chains - do not host servers if at all possible, if you must....... do you really have to???? a. use VPN for users to access subnet locations ...

anav

viewtopic.php?t=143620

anav

Sorry cannot help further. The advice from the beginning has been one bridge..........lead a horse to water......

anav

One would have to provide the fact. /export file=anynameyouwish (minus router serial number, any public WANIP informaiton, keys) In both cases, device as a switch or router: The fact of the matter is the bridge does NOT get an address. The vlan gets an address. The only route required on a switch, a...

anav

Without some diagrams nothing makes sense.

anav

Will stick to recursive, works and is much easier or via netwatch if one doesnt want to wait 10 seconds etc....

anav

Well, its pretty straightforward...... Only one vlan is identified on the switch, the management vlan and in IP address is where switch gets its IP address from. Only the managment vlan is tagged with the bridge, the rest are tagged on the incoming trunk port and as required on outgoing ports ( unta...

anav

Is this the same device that mkx was trying to help you with??

anav

You didnt get rid of raw rules................

anav

draw a network diagram.
Do you mean you have two WAN connections?
Do you mean you have two Subnets?

Etc..............

anav

I use my capacs with my hex without capsman its quick and easy to config. Your hair will not turn gray or fall out!!

anav

Sweet!!

anav

You have hidden way to much information, just the WAN public information and the only thing that would relevent is the username and password on pppoe. 1. Improve Interface list entries, but I dont see a trusted or management vlan?? Ahh you are mixing apples and oranges. Once you go vlans so will cha...

anav

Netwatch leaks out any wan to find a connection and thus you need to blackhole any netwatch routing with a second following route same table distance add one.

anav

Then setup vlan filtering now and once its smooth, do the wireguard, should take me 10minutes to fix once you have an initial config its like butta. First however, its best to work the config from an OFF the bridge position. What i recommend is create an offbridge port for local emergency access. So...

anav

Yearly rate of $20,000, that an over 50% markdown sale!! Get it while its hot!

anav

As you may have guessed the responders have some WHAT IFs, and other suggestions ( and also some errors). In other words, you should not be asking for a part solution if the requirements are not fully identified. A better response can be had when we know what else is going on the router for both inc...

anav

You can use mine, only 5c per ping.

anav

This is a clue that the router is not happy with your config....... /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN add interface= *9 list=WAN add interface=ether2 list=WAN /ipv6 dhcp-client add add-default-route=yes interface =*9 po...

anav

The point is wireguard is not the real issue at the moment. Once the config is fixed, then we will be able to see whats going with wireguard, if its still a problem.

anav

Put cement in the serial port ;-P

anav

also add
/ip neighbours discovery
set interface-list=TRUSTED

The option to change the pvid of the bridge exists because in some niche situations it may be required.
I would say its rare but I dont know enought to state what weird setups this would make sense for.

anav

1. Any port not being used should be a. disabled preferably OR b. at least removed from bridge c. the bridge itself retain default pvid but set frame-types=admit-only-vlan-tagged. d. on ports being used, ensure ingress-filtering is enabled and frame types set as required ( either vlan tagged, OR pri...

anav

a diagram and revised cleaned up config may help us provide better assistance.

anav

One flat network or vlans? diagram will help understand

anav

Okay, so depending upon the ability of the unmanaged switch then we have two options and one, both, or none may work. a. make it a trunk port to the un-managed switch both vlans tagged b. make it a hybrid port to the un-managed switch, tagged for one, and untagged for the other. May the best option ...

anav

Yes please, clean up the config, garbage is noise and noise makes it difficult to read a config OR to spot errors..........

anav

Any hex device makes a great little managed switch that works great in a home setting or even an office setting. If one is in a corporate setting where, for example, the same vlan spans two or more ports on the switch, to users that will be sending huge amounts of data back and forth across the swit...

anav

Best to provide your config for review /export file=anynameyouwish (minus router serial number, any public WANIP information, keys),.\ Steps 1. Take the private key given to you and when you make an interface on the MT router, use that private key to generate a public key ( that way windscribe alrea...

anav

There are several options. a. connect PC requiring vlan 10 directly to the audience OR ax3 b. replace the un-managed switch with a managed switch (could even be a hex) and then send the two vlans to the new device 10,20 c. buy a second cheap unmanaged switch untagged to vlan 10 and then plug in the ...

anav

Please draw a network diagram because the explanation muddles devices relationship and clarity is required.
In general, the management vlan needs to go to all smart devices ( such as the audience) as smart devices should get their IP address from the managment vlan.

anav

The information you have provided is sparse. In general on your mikrotik you generate a private key and public key ("######" ) when creating the wireguard interface and lets say create an address like 10.20.30.1/24 with listening port of 51280. The public key is for use on the peer or remo...

anav

Not sure how pppoe works but for security purposes, would remove any username passwords and any public IP address associated from your config. 1. As to the config I didnt get past your IP addressess which are wrong. You have ONE bridge, and one subnet and pool and address associated so not sure what...

anav

Liina, this is NOT your thread, it was started by Hiutale, suggest you start your own thread, to narrow down your specific issues and get assistance.
In other words, we are not focussed on your problems in this thread, so getting upset here, is not going to get you anywhere.

anav

Im saying a bridge gets one address, if you want different subnets you can cover ports A-F with the same subnet and single bridge and use different addresses for ports G,H,I NOT on the bridge, as that will cover three different subnets. OR use one bridge and assign as many vlans as you need (subnets...

anav

Just dont use the internet, there are too many ways around non DPI solutions........

anav

Any sailor worth their salt, knows that a vessel is used for drinking!! Drinkware, beverageware (in other words, cups, jugs and ewers) is a general term for a vessel intended to contain beverages or liquid foods for drinking or consumption. The word cup comes from Middle English cuppe, from Old Engl...

anav

How do you get 940Mb upload??? Thats amazing........ No firewall rules??? hEX refresh can route 1430 Mbps based on the official test results when using large packet size. Interesting using large packet size has never given me accurate results but the smaller 512 byte size does match my real world r...

anav

For MKX, just to be clear, a submarine is NOT a ship!

anav

Also the MT config
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

anav

Also I recommend taking one of the unused ports on the switch and make it an OFF BRIDGE access port, but will wait to see the config.

anav

Each vlan is created with interface being bridge. Each vlan gets its own dhcp server, ip pool, dhcp-server network AND!!! own IP address ( not a sniff of bridge on these subnet config lines ). The only other place vlans and bridges are mixed is /interface bridge port and /interface bridge lans.

anav

Same with the PHY? Functionality onboard is a subset of available options?

anav

How do you get 940Mb upload??? Thats amazing........ No firewall rules???

anav

Repost the config, when done if still having problems.

anav

According to AI..........In diagrams, the CPU is typically represented by a rectangular box, often colored dark grey or black. The switch chip, which facilitates communication between different parts of a network, is often shown as a similar rectangular or square box, but colored light blue, orange,...

anav

Concur, well stated.
Yes, if one has heavy VLAN traffic ( same vlan ) between different ports on the switch, the ax3 whether its a switch or a router will see some slow down in traffic, whereas a proper switch will not.

anav

I use my ax3 with vlan filtering and I see no ill effects on my LAN subnets...............

anav

My issue with the config is two bridges. Keep it simple, one bridge. Ditch the wrongly named one about vlan10 as you have multiple vlans on that bridge, not just 10. Move the default vlan subnet 88 to a vlan, call it vlan-default. As was pointed out you have two related discrepancies to deal with. a...

anav

The config is far to complex for my level of understanding, however I will say that you give away addresses like candy to kids, and as far as I understand the single bridge should not have multiple IP addresses, nor probably any single etherport............ /ip address add address=192.168.100.254/24...

anav

Why waste a vlan capable device when a flat unmanaged switch will do?

anav

ON VPS FIX the wireguard peers TO: /interface wireguard peers add allowed-address= 192.168.254.2 , 192.168.100.0/24 interface=WG_VPS \ name=peer_WG_VPS public-key= "----" Remove the funky nat rule. /ip firewall nat add action=dst-nat chain=dstnat comment=\ "RDP-Forwarding to local Ro...

anav

So you are using a third party APP to access your feed. Have you thought about the fact that you have to forward a port on your router to everyone in the world............ I have three different types of video cameras in the house and I dont forward a single port and I also use an APP to view them. ...

anav

concur, as stated, your best bet is to have all the others use WAN2 and your family only use wan1.

anav

It would seem your double posting, which is verbotten.
Will follow your thread here............... viewtopic.php?t=216313

anav

Without the config, all i here is opinion of some things that may or may not be relevant, its akin to hearing blah blah blah....
Please post the config for assistance.
/export file=anynameyouwish ( minus router serial number and any public WANIP information (probably none as this is a switch)

anav

You have remnants of the default config 1. From: /ip dhcp-server network add address=192.168.119.0/24 comment=defconf dns-server= 192.168.88.1 gateway=192.168.119.1 netmask=24 TO: /ip dhcp-server network add address=192.168.119.0/24 comment=defconf dns-server= 192.168.119.1 gateway=192.168.119.1 net...

anav

Review the video and when you have something close post here for review/comments
/export file=anynameyouwish ( minus router serial number, any PUBLIC WANIP information )

anav

The article provided and video only show one bridge. To configure the switch the best thing for you do to is take one port OFF the bridge and do all your configuring from this safe spot. Configuring OffBridge So remove ether24 from /interface bridge port Modify the following entry /ethernet set [ fi...

anav

viewtopic.php?t=143620
https://www.youtube.com/watch?v=YLtGQAQ ... 9yayB0cmlw

anav

I would revise the following: From: add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN add action=passthrough chain=forward comment=CAM dst-address=192.168.88.30 \ dst-port=80 protocol=...

anav

Not that I am aware of sorry.

But perhaps this explains the situation best:
..................

usetherighttool.jpg

anav

Fixed, thanks!

anav

No I said, a. if you only have one vlan per port then you dont really need vlans. b. also since this is a lab environment then you dont need any security. c. if you are trying to practice for real world setups then it would be nutso to have to manage 10 or more devices (config them) using all the di...

anav

Why do you want vlans? There is no need, there is never a duplication of any subnet over a single port? In reality, every device would be on a managed vlan, so every device would have at least two vlans coming in a trunk port. Suggest you look at basic videos and read this article. https://forum.mik...

anav

The problem is that your requirement is not clearly stated. Do you mean, I wish to access my Router while at a remote location? OR Do you mean I wish to access my router while on the LAN of ISP1 modem/router or on the LAN of the ISP2 modem/router. (hint they are not strictly modems if they get a sta...

anav

I dont understand the first post.
Why cannot you simply make the devices available via port forwarding.
How can you expose devices to the internet if you only have one WANIP address, dont you need a block of public IP addresses??

anav

It should work so there may be something else in your config interfering.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

It has two chains, and thus thought the default would include wifi1 andw ifi2 so at least the op could provide coverage for two freqs.....oh well. Nope. Only 2.4Ghz radio so only wifi1. 2 chains does not mean 2 radios. Reminds me to ask you, why do they even state the number of chains, its like use...

anav

Mikrotik provides its own domain URL in IP CLOUD use that.........
https://help.mikrotik.com/docs/spaces/R ... Cloud-DDNS

anav

How can you eat an apple but keep it intact ?

You can not.

I disagree, a whale can swallow it whole....... and then regurgitate it back whole.

anav

VERSION7 instituted some changes mostly to the way of using scope and target scope.......... Nested using a faux address for two canary selections. /ip route add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 add distance=2 check-gateway=ping dst-address=10.10.10.10/32 gateway=9....

anav

If WAN1 is your primary WAN ( and WAN2 is rarely used ), then it stands to reason that all your wireguard users have WAN1 as their endpoint address. To test if the router will switch to WAN2 automatically, due to distance in route difference, please do not SWAP distances. To test simply unplug inter...

anav

Your testing method may be flawed.
If you swap distances on the WANs, do you also change the endoint address to WAN2 for the device??
You need to NOT change the WAN distance, simply unplug the cable from wan1 into the router.

Search found 23859 matches