Community discussions

Search found 20224 matches

by anav
Sun Jun 16, 2024 11:43 pm
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 14
Views: 2069

Re: Problems with mangle-rules on RouterOS 7.12

Shon post complete config and will look.

/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.)
by anav
Sun Jun 16, 2024 10:10 pm
Forum: Beginner Basics
Topic: No traffic via Mikrotik Wireguard
Replies: 4
Views: 331

Re: No traffic via Mikrotik Wireguard

1. Why do you have this rule, it's an advanced usage functionality that should be avoided if not required. /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes 2. Modify bridge ports as such. /interface bridge port add bridge=BR1 ingress-filtering=yes frame-type=admit-only-v...
by anav
Sun Jun 16, 2024 9:46 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 1
Views: 190

Re: WireGuard routing

All doable but not quite clear yet. 1. What is the role of R2 with respect to wireguard ( server for handshake for both R1 and R3 ). 2. R2 is the only one of the three with a public IP address or the ability of an upstream ISP router to forward a port? 3. Why are there two wireguard interfaces ident...
by anav
Sun Jun 16, 2024 9:35 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 8
Views: 487

Re: Dual Wan

So access list will work for known devices and I can certainly assign static IPs. What about unknown devices/ visitors on Wi-Fi? Is there another way? Can I allow access to wan1 and wan2 for eth3,4. But eth5,6,7,8 only to wan1 and never wan2. There are actually two requests here............ a. unkn...
by anav
Sun Jun 16, 2024 8:42 pm
Forum: General
Topic: Route Netflix traffic via VPN
Replies: 6
Views: 369

Re: Route Netflix traffic via VPN

True dat, I never looked at the text and just saw that foreign looking hieroglyphics and looking at it more closely does appear to be a script of some sort LOL As to the question easy peasy. Dedicate one VLAN to netflix use ( AKA, be it the apple tv box, or android box etc........ the device in quest...
by anav
Sun Jun 16, 2024 8:37 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 6
Views: 843

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

Not familiar with IPV6, and I was always given the impression that IPV6 was perfectly safe, obviously not only do you not have the additional protection of NAT, one still needs full set of firewall rules............. dont see why its any better.
by anav
Sun Jun 16, 2024 12:43 am
Forum: General
Topic: Route Netflix traffic via VPN
Replies: 6
Views: 369

Re: Route Netflix traffic via VPN

That doesn't look like Mikrotik OS, me thinks you're in the wrong forum.
by anav
Sat Jun 15, 2024 6:15 pm
Forum: Beginner Basics
Topic: Config Thoughts?
Replies: 5
Views: 455

Re: Config Thoughts?

(1) If the name of your vlan is name=v88-Primary
Dont use the same name for everything else, WAY WAY too confusing.

Right now your IP pool, dhc-server etc have the same name................
by anav
Sat Jun 15, 2024 6:05 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1489

Re: Both Openvpn and Wiregurard fail

Where is the main internet on your diagram WAN1, I only see LTE?? What is the role of that asus router?? Why do you have two wireguards defined on the L1009? I can see the requirement for a NORMAL wireguard connection to the VPS as you state all subnets to get internet through VPS. But what happens ...
by anav
Sat Jun 15, 2024 6:02 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 8
Views: 487

Re: Dual Wan

I am not interested in chasing your wish list. Either your requirement are as stated - all devices use WAN1 as primary - only 5 devices use WAN2 as secondary. Or its something else......... if you dont know what you want, suggest you need to plan first and then rewrite your requirements to be accura...
by anav
Sat Jun 15, 2024 5:58 pm
Forum: Beginner Basics
Topic: No traffic via Mikrotik Wireguard
Replies: 4
Views: 331

Re: No traffic via Mikrotik Wireguard

First, would need to see config of router /export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.) Second, would need to know if FOR SURE your wanip Is public! ( also good to know if static or dynamic ). Observations thus far: 1. Assuming WG address on MT routers...
by anav
Sat Jun 15, 2024 5:52 pm
Forum: Beginner Basics
Topic: Vlan Switch to a single router
Replies: 4
Views: 899

Re: Vlan Switch to a single router

/interface bridge add ingress-filtering=no name=bridgegym vlan-filtering=yes /interface ethernet set [ find default-name=ether2 ] name=emergaccess /interface vlan add interface=bridgegym name=homeVlan vlan-id=12 { mandatory, management or trusted vlan must be identified in /interface vlan - do not ...
by anav
Sat Jun 15, 2024 5:46 pm
Forum: General
Topic: problem with routers
Replies: 4
Views: 321

Re: problem with routers

Need to know the requirements.
a. PCC load balance or
b. wan1 priority, failover to wan2, failover to wan3
c. any users hard coded to go out WANX
d. any vpn like wireguard
e. any port forwarding to lan servers.

Knowing the requirements will ensure a proper config is built.
by anav
Sat Jun 15, 2024 5:43 pm
Forum: General
Topic: AmneziaWG in RouterOS?
Replies: 10
Views: 1292

Re: AmneziaWG in RouterOS?

Interesting concept. If some routers can be set to recognize vlan traffic and this rendition of WG, avoids that detection, would seem to have some value.
by anav
Fri Jun 14, 2024 11:28 pm
Forum: General
Topic: connect a switch to two routers
Replies: 5
Views: 398

Re: connect a switch to two routers

The function of a managed switch is generally to accept a trunk port coming with a bunch of vlans including a management or trusted vlan upon which the switch gets its own IP address. The switch then funnels all the vlans out its ports to either dumb devices ( access ports ), smart devices ( trunk p...
by anav
Fri Jun 14, 2024 11:26 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 13
Views: 819

Re: Long Term release or new functions?

Your energy is better spent sending me liquid hops from your local brewery.
by anav
Fri Jun 14, 2024 11:25 pm
Forum: General
Topic: Recommend Mikrotik for running Container
Replies: 13
Views: 710

Re: Recommend Mikrotik for running Container

Touche!!
by anav
Fri Jun 14, 2024 11:24 pm
Forum: General
Topic: QA of software releases
Replies: 25
Views: 1312

Re: QA of software releases

Most companies dont have that much transparency/accountability...... but feel free to whine.
by anav
Fri Jun 14, 2024 7:32 pm
Forum: General
Topic: Recommend Mikrotik for running Container
Replies: 13
Views: 710

Re: Recommend Mikrotik for running Container

Is a 'running container' different from a stationary container?
by anav
Fri Jun 14, 2024 7:31 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 13
Views: 819

Re: Long Term release or new functions?

I thought it was a joke poll LOL, Like, I have nothing better to do today and thought this would be funny.
Concur, with the neighbour of the Pope ;-)
by anav
Fri Jun 14, 2024 5:40 pm
Forum: Beginner Basics
Topic: Can't Port Forward 1433
Replies: 8
Views: 422

Re: Can't Port Forward 1433

Ensure you have telnet Router Services DISABLED, in case it might interfere??
by anav
Fri Jun 14, 2024 5:12 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 8
Views: 487

Re: Dual Wan

So it sounds like you want: a. WAN1 as primary for all devices. b. WAN2 only available for failover and for a limited number of devices. The main approach is to give wan1 a lower distance than wan2 /ip route add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gateway-IP routing-tabl...
by anav
Fri Jun 14, 2024 5:01 pm
Forum: Beginner Basics
Topic: ICMP scan from my own public IP address
Replies: 1
Views: 211

Re: ICMP scan from my own public IP address

Better would be to assess what you have now...
/export file=anynameyouwish ( minus router serial number, any publicWANIP information, keys etc. )
by anav
Fri Jun 14, 2024 4:22 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 13
Views: 819

Re: Long Term release or new functions?

Wrong syllable, request is for more MT dev and testing staff.
by anav
Fri Jun 14, 2024 4:54 am
Forum: Beginner Basics
Topic: Can't Port Forward 1433
Replies: 8
Views: 422

Re: Can't Port Forward 1433

1. Not sure what you are doing with fancy networking stuff but let's stick to what works. The problem is you have two conflicting networks and non standard nomenclature SO NOT /ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254 /ip address add address=192.168.1.150/23 comment=defconf interf...
by anav
Thu Jun 13, 2024 11:15 pm
Forum: Beginner Basics
Topic: Can't Port Forward 1433
Replies: 8
Views: 422

Re: Can't Port Forward 1433

IF this device is connected to the internet ( not an upstream router ) then it's not very secure /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=accept chain=input comment=wi...
by anav
Thu Jun 13, 2024 11:12 pm
Forum: Beginner Basics
Topic: Basic firewall hardening
Replies: 11
Views: 575

Re: Basic firewall hardening

If one is living in a warzone iPV6 looks harmless in comparison ;-) IPV6 is like taking away my comfort zone.
by anav
Thu Jun 13, 2024 11:09 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 6
Views: 843

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

I would want to see the complete config, it's all connected.
/export file=anynameyouwish (minus router serial number, public WANIP information, keys etc. )
by anav
Thu Jun 13, 2024 11:08 pm
Forum: General
Topic: Is there a way to set local ip-address of wireguard tunnel?
Replies: 4
Views: 373

Re: Is there a way to set local ip-address of wireguard tunnel?

You are spouting gibberish. If you want to have a serious discussion
a. provide a diagram
b. explain the wans at both ends ( static, dynamic, public or private)
c. provide configs of MT devices and remote wireguard device settings
(minus serial number, any public wanip information, keys etc.)
by anav
Thu Jun 13, 2024 11:02 pm
Forum: General
Topic: QA of software releases
Replies: 25
Views: 1312

Re: QA of software releases

Yup, it's about time they started to learn!! I would prefer that they are taught to ensure their first post contains coherent information so that we don't have to hunt and peck for information EVERY time. However you are straying from the gist of the thread which is testing etc......... Kudos to MT to...
by anav
Thu Jun 13, 2024 11:00 pm
Forum: General
Topic: Two Mikrotik wifi-lan sites in one subject
Replies: 2
Views: 210

Re: Two Mikrotik wifi-lan sites in one subject

Zerotier
by anav
Thu Jun 13, 2024 12:03 am
Forum: General
Topic: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router
Replies: 4
Views: 515

Re: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router

(1) My apologies I see an error I made. The allowed IPs on main router should be /interface wireguard peers add allowed-address=10.0.0.1/32,192.168.88.0/24 interface=wireguard2 name=\ peer1 public-key="******************************" The logic is that the server can have multiple peers on...
by anav
Wed Jun 12, 2024 9:48 pm
Forum: General
Topic: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs
Replies: 6
Views: 546

Re: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs

To avoid the lockout scenario,
I now advocate and use a port set OFF the bridge and I ensure its part of a management list interface.
I give it an IP of like 192.168.55.1/30 and then set my laptop to IPV4 settings of 192.168.55.2 plug it in and configure safely.
by anav
Wed Jun 12, 2024 9:46 pm
Forum: General
Topic: Why DNS servers are knocking port 5678 of pppoe-out1 interface?
Replies: 3
Views: 339

Re: Why DNS servers are knocking port 5678 of pppoe-out1 interface?

We advise setting internet detect to NONE.
by anav
Wed Jun 12, 2024 5:50 pm
Forum: Beginner Basics
Topic: Firewalls
Replies: 2
Views: 225

Re: Firewalls

I dont quite understand.
Why do you have a networking client, when you dont know how to config ????
by anav
Wed Jun 12, 2024 5:43 pm
Forum: General
Topic: Only one Wireguard peer working at a time [SOLVED]
Replies: 6
Views: 2570

Re: Only one Wireguard peer working at a time [SOLVED]

There is logic behind what has been suggested. Its just not a case of memorizing, its a case of understanding. The Server client ( for handshake ) may have 2 or more peers connecting to it. That is multiple peer to peer tunnels. The way any local traffic heading outbound gets sent is by several fact...
by anav
Wed Jun 12, 2024 5:37 pm
Forum: General
Topic: Home LAN ideas
Replies: 4
Views: 317

Re: Home LAN ideas

Legit concerns. I would say four SSIDs is reasonable 2x 2.4 and 2x5. A stretch to go to SIX but still possible. Of course vlans and firewall rules make for very flexible approaches. Typically the last rule in the forward chain is DROP ALL. That means only rules with allowed traffic above this rule a...
by anav
Wed Jun 12, 2024 5:29 pm
Forum: General
Topic: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router
Replies: 4
Views: 515

Re: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router

Okay getting a handle on requirements and realistic requirements is important. This is not possible with normal connection let alone through a wireguard tunnel. I want to upload files from that local device using the combined speed of the dual PPPoE connections . So removing that from the table, the...
by anav
Wed Jun 12, 2024 1:41 am
Forum: General
Topic: Problem with selective routing
Replies: 3
Views: 238

Re: Problem with selective routing

Basic safe firewall ruleset. /ip firewall filter { default rules to keep } add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connecti...
by anav
Wed Jun 12, 2024 1:33 am
Forum: General
Topic: Problem with selective routing
Replies: 3
Views: 238

Re: Problem with selective routing

I would hope you are not actually connected to the internet with such UNSAFE settings. You have opened port 80 and your winbox port to the world which is a security NO NO. Pull the plug and change your config before proceeding. Assuming you mean to a third party provider of VPN services. Would have ...
by anav
Wed Jun 12, 2024 12:28 am
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 437

Re: Problems in subnet lan bridge access to wireguard peers

(1) If you entered this manually remove it should not show on config ....... /ip dhcp-server network add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=\ 192.168.0.5 netmask=24 (2) Modify this for the moment ..... FROM: /ip dns set allow-remote-requests=yes /ip dns static add ...
by anav
Wed Jun 12, 2024 12:19 am
Forum: Beginner Basics
Topic: Web server not accessible with Wireguard
Replies: 2
Views: 334

Re: Web server not accessible with Wireguard

So its working as it should. Lets review the requirements for what looks like an RDP server. Good idea to ensure external access is done through Wireguard. Local LAN users access Server via LANIP direct, -- Good Local LAN users access Server via DYNDNS URL - Good but not sure how seeing as you dont ...
by anav
Wed Jun 12, 2024 12:00 am
Forum: Beginner Basics
Topic: New CCR2004 Config - Did I miss anything?
Replies: 3
Views: 511

Re: New CCR2004 Config - Did I miss anything?

No there is no issue and its included in the MT default rules.
In fact, its quite handy for testing for various things and in some cases is used by the router.
by anav
Tue Jun 11, 2024 11:59 pm
Forum: General
Topic: Home LAN ideas
Replies: 4
Views: 317

Re: Home LAN ideas

Approach seems off.
VLANS is to separate users into homogenous groupings where they can all see each other at Layer2.
Sounds like you need more vlans or more WLANs or both
by anav
Tue Jun 11, 2024 11:54 pm
Forum: General
Topic: Is there a way to set local ip-address of wireguard tunnel?
Replies: 4
Views: 373

Re: Is there a way to set local ip-address of wireguard tunnel?

The ISP route is ONLY used for the initial handshake. After that traffic is sent through the tunnel which is dependent upon the wireguard address structure additional routes if necessary and applicable firewall rules. So access to your LAN from external wireguard users or another wireguard routers s...
by anav
Tue Jun 11, 2024 2:20 pm
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 437

Re: Problems in subnet lan bridge access to wireguard peers

Post your latest config for review.
by anav
Tue Jun 11, 2024 2:15 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 798

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

That is my understanding. If you have traffic that has to go from one vlan to the other, then it will be a layer3 transaction, hence router is involved. So you will be limited to 1gig traffic vice much faster speeds within the same vlan anywhere on the switch ( assuming ports greater than 1gig throug...
by anav
Tue Jun 11, 2024 4:02 am
Forum: Beginner Basics
Topic: New CCR2004 Config - Did I miss anything?
Replies: 3
Views: 511

Re: New CCR2004 Config - Did I miss anything?

Wilmer is decent, we usually quote: https://forum.mikrotik.com/viewtopic.php?t=143620 Missing Frame Types add bridge=RouterBridge interface=sfp-sfpplus2 Missing ingress-filtering=yes ALL the bridge ports. Missing interface bridge vlan entry for ether6 on vlan-id=99 ?? Not required: ( covered by vlan...
by anav
Tue Jun 11, 2024 4:00 am
Forum: Beginner Basics
Topic: HELP: Setting up a new Mikrotik router - hAP ax lite LTE6
Replies: 1
Views: 193

Re: HELP: Setting up a new Mikrotik router - hAP ax lite LTE6

This could be a torturous exercise to try and setup through exchanges here............. Which country are you in...........
Thinking teamviewer type exercise over discord to help setup the device to get it where it should be. ( safe and working )
by anav
Tue Jun 11, 2024 3:58 am
Forum: Beginner Basics
Topic: 2xWireless + VLANs + MGMT = problem
Replies: 3
Views: 271

Re: 2xWireless + VLANs + MGMT = problem

Would need to see config on both
/export file=anynameyouwish (minus device serial number, any public WANIP information, keys etc. )
by anav
Tue Jun 11, 2024 3:55 am
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4768

Re: No WAN access via Wireguard

As I suspected DNS was an issue.
Also on my wireguard iphone settings, the wireguard IP address is put as /32 NOT /24.
by anav
Mon Jun 10, 2024 10:36 pm
Forum: General
Topic: Wireguard doesn't work and no logs
Replies: 24
Views: 3565

Re: Wireguard doesn't work and no logs

Diagram, requirements, config. With all three the problem will become clear.
Suspect the server device for handshake is not setup properly
by anav
Mon Jun 10, 2024 10:33 pm
Forum: General
Topic: Winbox on iPhone
Replies: 4
Views: 283

Re: Winbox on iPhone

How does one get to Align.. I dont see it in my wireless settings?
by anav
Mon Jun 10, 2024 10:02 pm
Forum: Beginner Basics
Topic: Dynamic port forwarding
Replies: 6
Views: 654

Re: Dynamic port forwarding

Seems interesting but why not do the following. Server one. incoming ports 200, 300, 400, 500 Server two with port translation incoming ports 201 to 200, 301 to 300, 401 to 400 and 501 to 500. Thus both are available all the time, just the port designation for the originator changes by one. Server T...
by anav
Mon Jun 10, 2024 9:58 pm
Forum: Beginner Basics
Topic: Map Lite AP Setup
Replies: 2
Views: 185

Re: Map Lite AP Setup

Just to be clear this device is both your router and access point, or simply an access point downstream from the ISP router?
by anav
Mon Jun 10, 2024 7:41 pm
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 437

Re: Problems in subnet lan bridge access to wireguard peers

Debian... Allowed IPs for both VPn1 and Client 2 seem fine. Client2 Allowed IPs seem fine, assuming 192.168.10.0/24 subnet is on the debian side somewhere. Now, the Debian will need some sort of firewall rules to allow the wireguard traffic which is peer to peer from the computer, to then enter the...
by anav
Mon Jun 10, 2024 6:55 pm
Forum: Beginner Basics
Topic: Config Thoughts?
Replies: 5
Views: 455

Re: Verify my Firewall Config

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Mon Jun 10, 2024 6:54 pm
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 437

Re: Problems in subnet lan bridge access to wireguard peers

If the MT is the client router, where is the Server Router? What is its config?
by anav
Mon Jun 10, 2024 6:53 pm
Forum: General
Topic: Winbox on iPhone
Replies: 4
Views: 283

Re: Winbox on iPhone

Not all functions are available on the IOS app.
by anav
Mon Jun 10, 2024 6:16 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 826

Re: Dual WAN srcnat and dst-nat setup issue

You didnt follow my firewall forward chain rules. Missing KEY RULE!! /ip firewall filter ....... ....... add action=accept chain=forward comment="internet traffic" in-interface-list=\ LANlist out-interface-list=WANlist add action=accept chain=forward comment="port forwarding" con...
by anav
Mon Jun 10, 2024 6:06 pm
Forum: Beginner Basics
Topic: Routing problem? new config
Replies: 2
Views: 265

Re: Routing problem? new config

Why do you have an expensive managed switch but no vlans ???? Please send to me I will pay postage and send you a TPLINK managed switch :-) HEX (1) Would remove this default DNS setting.. (2) If not using IPV6 disable it and can rid of all ipv6 firewall rules and address lists. (3) I see nothing wro...
by anav
Mon Jun 10, 2024 5:42 pm
Forum: Beginner Basics
Topic: Same VLAN on diferent ports trunk and access
Replies: 2
Views: 248

Re: Same VLAN on diferent ports trunk and access

Well I would recommend a separate management Network. All the switches would get an IP on the management network etc.. Without seeing your config hard to help further. What type of switches are these ( assuming basic managed switches ). /export file=anynameyouwish (minus router serial number, public...
by anav
Mon Jun 10, 2024 5:39 pm
Forum: Beginner Basics
Topic: PCC load balancing on OS7
Replies: 2
Views: 225

Re: PCC load balancing on OS7

IF the second video does not get you all the way, then post your config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) Confirm users are coming inbound on the VPN to your router ( mikrotik is hosting VPN using its services ) not to servers on the l...
by anav
Mon Jun 10, 2024 12:07 pm
Forum: Beginner Basics
Topic: 2xWireless + VLANs + MGMT = problem
Replies: 3
Views: 271

Re: 2xWireless + VLANs + MGMT = problem

Where is the router??
by anav
Mon Jun 10, 2024 12:04 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 826

Re: Dual WAN srcnat and dst-nat setup issue

without looking at the config, suspect ISPs are blocking port 25.
Will look at it later today.
by anav
Mon Jun 10, 2024 1:37 am
Forum: General
Topic: two public IP on mikortik
Replies: 3
Views: 304

Re: two public IP on mikortik

Your config is probably wrong.
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)
by anav
Sun Jun 09, 2024 9:36 pm
Forum: Beginner Basics
Topic: How to approach network planning and then implement it?
Replies: 4
Views: 464

Re: How to approach network planning and then implement it?

Good luck. one day kicking and screaming will try ipv6
by anav
Sun Jun 09, 2024 9:35 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4768

Re: No WAN access via Wireguard

@leik., will have a look. 1. Suggest set this to none. /interface detect-internet set detect-interface-list=all 2. Why is this setting included in your peer 2 ?? Remove it. endpoint-port=33333 3. Forward chain rules ......modify too. add action=accept chain=forward comment="internet traffic&quo...
by anav
Sun Jun 09, 2024 9:16 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4768

Re: No WAN access via Wireguard

All it needed is a working srcnat masquerade rule with the Wireguard subnet nobody mentions this option, but for me it was the one that was missing was going crazy trying to solve the same problem thank you for sharing the solution! If the Mikrotik device is the Server Peer (one with public IP) sou...
by anav
Sat Jun 08, 2024 5:14 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 826

Re: Dual WAN srcnat and dst-nat setup issue

Okay so you are saying the Mail Server originates traffic outbound and it has to go out WAN2. You didn't notice but there is no need for interface on the dstnat rule for comcast, it should be removed. In that case let's adjust the mangle rules. {Can be first rule, ensuring Server originated traffic g...
by anav
Sat Jun 08, 2024 5:05 pm
Forum: General
Topic: Upgrading Switches using CAPSMAN
Replies: 3
Views: 495

Re: Upgrading Switches using CAPSMAN

I was hoping for less capsman and more cowbell, but I will Dude over capsman anyday!. ;-)
https://vimeo.com/406011330
by anav
Sat Jun 08, 2024 3:50 am
Forum: General
Topic: Separate routing tables in RouterOS v7
Replies: 2
Views: 4131

Re: Separate routing tables in RouterOS v7

Be advised routing rules are useful for FORCING some source addresses or subnet OUT a specific WAN. a. one has to ensure that they identify if local traffic is also required, as FORCING means all traffic. ( there are ways to deal with this ) b. mangling rules SUPERSEDE routing rules if there is over...
by anav
Sat Jun 08, 2024 3:46 am
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 826

Re: Dual WAN srcnat and dst-nat setup issue

- yes the address sort of creates a route but to be complete one must make a manual route as it pertains to non-local traffic. - so you have dyndns Urls to both IPs. To simplify, Will make WAn1 Xfinity the primary route so all traffic will go out that WAN without special rules. Will ensure that any ...
by anav
Sat Jun 08, 2024 12:30 am
Forum: General
Topic: Roadmap for ROS?
Replies: 4
Views: 411

Re: Roadmap for ROS?

Its random to us because they dont make their roadmap public.
by anav
Fri Jun 07, 2024 6:20 pm
Forum: General
Topic: RouterOS Management Ports and Protocols
Replies: 2
Views: 283

Re: RouterOS Management Ports and Protocols

Overall access to make changes via Winbox is user name-password protected. Access TO the Router ( or more accurately to router services ) is controlled by the firewall filter INPUT CHAIN. In addition, access to winbox functionality can be further delineated in two locations: a. Tools / MAC Server / ...
by anav
Fri Jun 07, 2024 5:57 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 824

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

Well to be honest I have always ONLY stuck in 0.0.0.0/0 for allowed IPs on my iphone wg setup, as being the admin I have many subnets I may wish to access, and perhaps even the internet. So you are saying that If only put a LAN that exists on the router in my allowed IPs and then I try to reach an i...
by anav
Fri Jun 07, 2024 5:39 pm
Forum: General
Topic: Can't get WireGuard to work (the way I want) [SOLVED]
Replies: 11
Views: 788

Re: Can't get WireGuard to work (the way I want) [SOLVED]

The main focus is finally being recognized, articulation of clear requirements. a. You wish to send the entire LAN out VPS for internet. ? b. You wish to send the entire LAN to VPS to reach subnet at VPS but with no internet through VPS? What happens if the VPN tunnel for whatever reason is NOT work...
by anav
Fri Jun 07, 2024 5:34 pm
Forum: General
Topic: Questions about IPSEC
Replies: 7
Views: 417

Re: Questions about IPSEC

Unless we are talking enterprise, wireguard is relatively easy. It is designed for: A. road warriors reaching : a. internet via connection point b. LAN devices c. and reaching router config for admin. B. Connecting Two or More Routers/road warriors to : a. use internet at another site b. reach lans...
by anav
Fri Jun 07, 2024 5:27 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 826

Re: Dual WAN srcnat and dst-nat setup issue

(1) Address should be assigned to the bridge NOT ether5. (2) What's with 192.168.4.11/12 running some sort of pi server for DNS and ntp. Some people do this but not sure there is any added value? Certainly NTP is better done through the router anyway, while DNS has some better effect also forcing usi...
by anav
Fri Jun 07, 2024 5:05 pm
Forum: Beginner Basics
Topic: Change Default route, no ping
Replies: 5
Views: 1506

Re: Change Default route, no ping

Too funny Holvoe, I read, that as SORRY I'm Belgian. ;-P To be clear there is no discovery it's all just logic. You attempt to ping the router on WAN2. The router responds from WAN1 because WAN1 is primary. The solution as you figured out is to ensure the router responds from the same WAN. Mangl...
by anav
Fri Jun 07, 2024 4:54 pm
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 83
Views: 21481

Re: v7.16beta [testing] is released!

This was good too: *) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge; It even put comments on in /interface/bridge/vlan on what triggered the "D" dynamic vlan entry there, i.e. "added by pvid", "added by vlan on bridge", ......
by anav
Thu Jun 06, 2024 10:28 pm
Forum: General
Topic: Wireguard not start
Replies: 9
Views: 499

Re: Wireguard not start

Hi nichky, Sorry does not compute LOL.
I don't recall ever writing about "responder" ?
What is the context and what is the requirement?
by anav
Thu Jun 06, 2024 1:29 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1417

Re: HAP ax lite as AP

Not required. Once you go vlans the bridge just does bridging and thus is not an interface list member.
by anav
Thu Jun 06, 2024 1:27 pm
Forum: General
Topic: Wireguard not start
Replies: 9
Views: 499

Re: Wireguard not start

Not enough,
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

Plus.
What are the requirements for wireguard traffic, one user, a whole subnet etc......
by anav
Thu Jun 06, 2024 12:11 am
Forum: General
Topic: Can't get WireGuard to work (the way I want) [SOLVED]
Replies: 11
Views: 788

Re: Can't get WireGuard to work (the way I want) [SOLVED]

KK,

So the VPS server is doing its thing correctly.
Each client pEER gets its own IP.

Since its assigned 6 to the MT,
then on the MT
/ip address
add address=10.66.66.6/24 interface=wireguard network=10.66.66.0


The wg address of the VPS cannot be the same and it should probably be 10.66.66.1
by anav
Wed Jun 05, 2024 11:53 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 824

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

You are mixing apples and Oranges, what is controllable is whether or not your traffic can be split. The answer is NO. On my iphone, if I connect to wireguard, ALL my traffic goes through wireguard. You can leave wireguard UP all the time, (ON DEMAND selection at very bottom) and it basically comes ...
by anav
Wed Jun 05, 2024 11:41 pm
Forum: General
Topic: Can't get WireGuard to work (the way I want) [SOLVED]
Replies: 11
Views: 788

Re: Can't get WireGuard to work (the way I want) [SOLVED]

So to be clear the VPS is a cloud server running wireguard. The biggest problem is assigning the same IP nomenclature to both devices.......... 10.66.66.6 VPS settings: Change IP to 10.66.66.1 PEER -Do not use preshared key. -For peer ensure you put the public key issued by the mikrotik router. -F...
by anav
Wed Jun 05, 2024 11:21 pm
Forum: General
Topic: Unable to access devices externally on MikroTik router
Replies: 6
Views: 909

Re: Unable to access devices externally on MikroTik router

Get a mikrotik router vice the custom jobbie.
by anav
Wed Jun 05, 2024 2:43 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 824

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

Do not follow. Okay so the Wireguard connects fine. The IOS app is to connect to Winbox, as I stated you can do that using most interfaces be it the wireguard interface, the homelan interface etc.. The app is not to connect to home lan devices. /export file=anynameyouwish (minus router serial number...
by anav
Wed Jun 05, 2024 2:40 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 806

Re: cycle outgoing IP addresses

Assigning the next IP?? That doesnt sound random LOL.
by anav
Wed Jun 05, 2024 2:34 am
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 806

Re: cycle outgoing IP addresses

Seriously?
What is the reason?
Its starting to smell like your client is doing something illegal and suggest you dissolve your relationship.
Either that or the client is going to make your life difficult with a continuous stream of over the top requirements based on what ??????????
by anav
Tue Jun 04, 2024 10:29 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1489

Re: Both Openvpn and Wiregurard fail

(1) There is a problem with some rules you have or interfaces or both hence this....... # no interface add action=drop chain=forward in-interface= *B # no interface add action=drop chain=forward out-interface= *B # no interface add action=drop chain=forward in-interface= *C # no interface add action...
by anav
Tue Jun 04, 2024 10:18 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 824

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

The login works fine from the app when I use it.
Are you attempting winbox or something else.
On the Router you need to allow the wireguard IP to the input chain.
For address just use MT wireguard IP:winboxport
by anav
Tue Jun 04, 2024 6:36 pm
Forum: General
Topic: Mikrotik WireGuard setup for Protone VPN
Replies: 18
Views: 5621

Re: Mikrotik WireGuard setup for Protone VPN

(1) Would remove this default setting.... /ip dns static add address=192.168.88.1 comment=defconf name=router.lan (2) dont really need source address on this rule but no harm. add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=\ 192.168.88.0/24 ROUTES ARE COMPLETELY BIZARRE....
by anav
Tue Jun 04, 2024 5:13 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 311
Views: 60590

Re: v7.15 [stable] is released!

Not sure, we are talking about the same thing, but whether or not the untagged vlan shows up on an export is determined by the /interface bridge vlan settings. If you do not manually put them there as untagged, they do not show as they are dynamically created. This is not new!
by anav
Tue Jun 04, 2024 4:51 pm
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 591

Re: Adding an additonal network

Hehe, I wish.
Training for worlds masters in Germany, goal, not to come last!
by anav
Tue Jun 04, 2024 4:15 pm
Forum: General
Topic: DNS and Third Party Wireguard
Replies: 0
Views: 177

DNS and Third Party Wireguard

When sending a single user or entire subnet out wireguard to fictitious "ProNord" wireguard vpn, a DNS IP address is usually provided along with the usual settings. ? Q ? --> How do we ensure that when browsing the internet, that those forced out the wireguard tunnel (typically using table...
by anav
Tue Jun 04, 2024 4:04 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 806

Re: cycle outgoing IP addresses

I have no clue on how ISPs dole out blocks of IPs......
My first thought was, use all 5 as separate WANS and load balance between them :-)
by anav
Tue Jun 04, 2024 1:43 pm
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 552

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

If its doing everything you need it to do.........
by anav
Tue Jun 04, 2024 1:40 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 798

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Got it, thanks again. So to be clear, inter-VLAN routing on the switch can be fast-tracked? It's only when going to WAN which requires NAT'ing that we have to go through CPU no matter what? CRS328-24P-4S+ doesn't support FastTrack offloading, but I suppose you've meant Inter-VLAN Hardware Routing -...
by anav
Tue Jun 04, 2024 1:34 pm
Forum: General
Topic: Mikrotik WireGuard setup for Protone VPN
Replies: 18
Views: 5621

Re: Mikrotik WireGuard setup for Protone VPN

post your config
/export file=anynameyouwish (minus router serial number, any public WANIP info, keys )

please provide setup instructions provided ( without the keys ) as in post above #14.
also did they provide a DNS IP to use?
by anav
Tue Jun 04, 2024 3:22 am
Forum: General
Topic: Mikrotik hex S can't handle with 500Mbps - CPU 95%
Replies: 6
Views: 451

Re: Mikrotik hex S can't handle with 500Mbps - CPU 95%

Traffic between devices on the switch part of the router.
by anav
Tue Jun 04, 2024 3:09 am
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 9
Views: 658

Re: Wireguard DNS Not Working as Expected

Im confused doesnt PPPOE ISP give you a dynamic PUBLIC IP address ?? The reason I ask is you have back to home in your comment for the wireguard interface and thats for the case when you dont have a public IP. Maybe just used the wording not realizing its confusing, if not true???? Also note your us...
by anav
Tue Jun 04, 2024 3:06 am
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 552

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

What I am not convinced of is that DNS is being done through the tunnel. In other words, although traffic may go through the tunnel, DNS queries may still be done through local WAN. I have a thought on how to ensure what we want. /ip firewall nat add chain=dstnat action=dst-nat src-address=192.168.8...
by anav
Tue Jun 04, 2024 2:46 am
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 552

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

Then you must be coming from an IP address on the bridge. Try this routing rule in addition to the existing routing rule and it has to go FIRST in order. /routing rule add min-prefix=0 action=lookup-only-in-table table=main add src-address=192.168.88.0/24 action=lookup table=use-WG. You should be ab...
by anav
Tue Jun 04, 2024 12:05 am
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 552

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

-The easiest way to accomplish what you wish is to separate etheport5 from the rest of the subnets. -There are two ways to accomplish this. one bridge and ethport 5 off the bridge with its own address. one bridge and two vlans We will do the first one........ -Remove default IP DNS STATIC entry -Rem...
by anav
Mon Jun 03, 2024 11:38 pm
Forum: General
Topic: Mikrotik hex S can't handle with 500Mbps - CPU 95%
Replies: 6
Views: 451

Re: Mikrotik hex S can't handle with 500Mbps - CPU 95%

Not surprising looking at the product test results....
.....
hexs.jpg
.......
by anav
Mon Jun 03, 2024 8:09 pm
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 552

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

First
- Are you connecting to a third party VPN provider??
- does ISP provide a public WANIP on WAN2 ( static or dynamic )

Second require config:
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc..)
by anav
Mon Jun 03, 2024 8:07 pm
Forum: General
Topic: Memory Leak v7.15
Replies: 5
Views: 1109

Re: Memory Leak v7.15

Nice to state here but better to send supouts and report to MT directly.
by anav
Mon Jun 03, 2024 7:32 pm
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 9
Views: 658

Re: Wireguard DNS Not Working as Expected

Description is incomplete.
What wireguard is this
a. going to third party Wireguard Server ??
b. Hosting wireguard on your router so having admin or others come in on wireguard?
c. other?

If, a, is the whole subnet supposed to use WG for internet for example??
by anav
Mon Jun 03, 2024 7:28 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1417

Re: HAP ax lite as AP

Review and config are advised with known facts and provided requirements, adding new ones at the end is too late. Since I am not working on the firewall rules any longer, not sure how to solve that. Typically that is what the Trusted or Management network is for, here the admin can access to update....
by anav
Mon Jun 03, 2024 7:21 pm
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 591

Re: Adding an additonal network

Yes, especially when I get up at 5am, 3 mornings a week to go rowing for about 10K.
by anav
Mon Jun 03, 2024 7:15 pm
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 9
Views: 658

Re: Wireguard DNS Not Working as Expected

I dont think its possible when using a third party wireguard VPN server to avoid using the third party provided DNS server.
However with the sparse details provided who knows.
Should really provide config.
by anav
Mon Jun 03, 2024 7:12 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 798

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Not quite. The Router will do all the routing bits, including setting up all the VLANs, giving out DHCP etc. The switch will only need to get an IP address from the management vlan, and then receive all the vlans from the router on one trunk port, and then distribute the vlans out the rest of the po...
by anav
Mon Jun 03, 2024 7:09 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1417

Re: HAP ax lite as AP

Well since you use capsman, that may change the equation and I am unable to assist with that.
So stick to the rules that work for you, especially if the reason for posting has been solved. :-)
by anav
Mon Jun 03, 2024 4:30 pm
Forum: Beginner Basics
Topic: Issues with MikroTik RB951Ui-2HnD Router after being configured as WiFi Repeater [SOLVED]
Replies: 5
Views: 349

Re: Issues with MikroTik RB951Ui-2HnD Router after being configured as WiFi Repeater [SOLVED]

Just to be clear, you mean accept a wifi signal as source and then send that signal onwards to many devices ( wifi source---<router/ap>------> to smartphones/iot etc. )
OR
between two wifi devices ( wifi source ---<router>----- access point---- to smartphones/iot etc. )
by anav
Mon Jun 03, 2024 3:45 pm
Forum: General
Topic: Can't access VLAN with IP address 192.168.88.1
Replies: 1
Views: 289

Re: Can't access VLAN with IP address 192.168.88.1

(1) WTH(alibut) is this?? ( vlanID is not part of your vlan list AND where is the identified port ??? ) add bridge=BR0_LAN tagged=BR0_LAN vlan-ids=1 ????? (2) Your /interface bridge vlan rules are wrong they do not match /interface bridge ports. In addition your sfp plus TRUNK port has a pvid assign...
by anav
Mon Jun 03, 2024 3:43 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1417

Re: HAP ax lite as AP

Please take the time to implement firewall rules and all recommended changes then repost and ask for review.
by anav
Mon Jun 03, 2024 3:41 pm
Forum: Beginner Basics
Topic: Unable to connect to SMTP service port on WAN IP. [SOLVED]
Replies: 3
Views: 268

Re: Unable to connect to SMTP service port on WAN IP. [SOLVED]

Using an unencrypted mail system/server is asking to get hacked.
by anav
Mon Jun 03, 2024 3:39 pm
Forum: Beginner Basics
Topic: Set DHCP server for clients that connect to another AP
Replies: 5
Views: 702

Re: Set DHCP server for clients that connect to another AP

(1) It would appear as if you are using wireguard to a third party VPN or probably based on URL in allowed IPs, a friends MT router. In any case remove the private key entry in the settings you have in allowed IPs, not required. No need to hide wireguard port in interface wireguard, this port (when ...
by anav
Mon Jun 03, 2024 3:31 pm
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 591

Re: Adding an additonal network

hahah mkx, I fell asleep reading your post, this is what I got out of it... ( thank god I am not trained).

blahblahblahblahblahblah*()#@+!@)!&Y$)@_@+ blahblahblahblah USE VLANS blahblahblahU&((@&#(@&+(@!! blahblahblah
by anav
Mon Jun 03, 2024 3:16 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 798

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

(1) /ip settings set max-neighbor-entries=8192 rp-filter=strict would set this to loose...... (2) Why do you have a LAN attached to the bridge? I dont see any ports using LAN?? (3) HORRIBLE idea to name your bridge= LAN, its already nomenclature used by the router for various things and its very con...
by anav
Mon Jun 03, 2024 3:12 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 798

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Did it ever occur to you that you bought a switch not a router . Sure it can be used as a router, RoS is fantastically flexible, but still, there are limits on throughput for WAN connectivity. I am actually shocked that you managed to over 500 Mbps. You must not have many rules............... ( dont...
by anav
Mon Jun 03, 2024 2:23 am
Forum: Wireless Networking
Topic: Hap AX2, need help understanding/troubleshooting issue with 2.4GHz connection.
Replies: 8
Views: 991

Re: Hap AX2, need help understanding/troubleshooting issue with 2.4GHz connection.

Config of both devices is required.
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
by anav
Mon Jun 03, 2024 2:21 am
Forum: Beginner Basics
Topic: Set DHCP server for clients that connect to another AP
Replies: 5
Views: 702

Re: Set DHCP server for clients that connect to another AP

What is the config on the MT.......
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
by anav
Mon Jun 03, 2024 2:19 am
Forum: General
Topic: MVRP usage [SOLVED]
Replies: 10
Views: 701

Re: MVRP usage [SOLVED]

The point being its a trunk port to trunk port activity.
It does nothing to change the fact that one would have to manually untag the vlan for any specific port on a switch
by anav
Mon Jun 03, 2024 1:12 am
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 591

Re: Adding an additonal network

I dont understand your topology. One should normally only have ONE connection between openWRT router and CRS acting as a router. Similarly, there should only be ONE connection between CRS acting as a router and the unRAID, or more clearly stated only one route (via CRS305) from Router to UNRAID It w...
by anav
Mon Jun 03, 2024 1:00 am
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1168

Re: Routing VLAN to specific WAN using Policy Routing

Too simplistic. If you want to deviate from a logical config and measured troubleshooting steps, you are on your own. Before I go, just to let you know from the TPLink Manual from the latest version firmware. 3.3 Configure VLAN Wireless VLAN is used to set VLANs for the wireless networks. With this ...
by anav
Sun Jun 02, 2024 9:30 pm
Forum: Beginner Basics
Topic: Raspberry pihole (ad blocker) different ip than router OS network
Replies: 15
Views: 1164

Re: Raspberry pihole (ad blocker) different ip than router OS network

Bollocks, I think it will become quite familiar in your repertoire!

Not knowing what it means, the sentence seems to imply "timid" which is not what I would have used to describe your qualities. :-)
by anav
Sun Jun 02, 2024 9:27 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1489

Re: Both Openvpn and Wiregurard fail

(1) Duplicate table, remove one of them. /routing table add fib name=to-WG add fib name=to-WG (2) No where did I recommend bridge filters ?? REMOVE or disable until wireguard is working!! /interface bridge filter add action=drop chain=forward in-interface=wifi3 add action=drop chain=forward out-inte...
by anav
Sun Jun 02, 2024 9:15 pm
Forum: Beginner Basics
Topic: Port forwarding for Hikvision DVR
Replies: 2
Views: 310

Re: Port forwarding for Hikvision DVR

/ip firewall address-list { use dhcp static set leases for example } add address=10.0.0.X list=Authorized comment="admin PC1" add address=10.0.0.Y list=Authorized comment="admin PC2" add address=VPNaddress list=Authorized comment="remote admin" add address=mynetname.net li...
by anav
Sun Jun 02, 2024 8:55 pm
Forum: Beginner Basics
Topic: Port forwarding for Hikvision DVR
Replies: 2
Views: 310

Re: Port forwarding for Hikvision DVR

(1) It is not clear how you are trying to connect to the DVR. a. Directly from LAN device to DVR using LANIP. Y/N ? b. From Internet using dyndns URL(could be mycloud.net from ip cloud for example) Y/N ? c. From LAN using dyndns URL Y/N ? If c, are you attempting to reach DVR from the same subnet? (...
by anav
Sun Jun 02, 2024 8:50 pm
Forum: Forwarding Protocols
Topic: Mangle Issue (Failover With Two WAN)
Replies: 1
Views: 281

Re: Mangle Issue (Failover With Two WAN)

Some rules mean nothing to me................... The complete config is required for viewing /export file=anynameyouwish ( less router serial number, any public WANIP information, keys etc.) You had a good start on requirements and then fizzled a bit so lets go back to that for a bit more complete v...
by anav
Sun Jun 02, 2024 8:41 pm
Forum: Wireless Networking
Topic: cAP ax Wifi not working
Replies: 17
Views: 910

Re: cAP ax Wifi not working

(1) Stick with default mode for bridge, think its RTSP?? (2) No WAN or LAN on an AP. (3) I config my caps on the bench through ether2, off bridge, and when installed if its reachable directly or else I wire ether2 where I can at least access with laptop. Just change laptop ipv4 settings to 192.168.5...
by anav
Sun Jun 02, 2024 7:23 pm
Forum: Beginner Basics
Topic: Raspberry pihole (ad blocker) different ip than router OS network
Replies: 15
Views: 1164

Re: Raspberry pihole (ad blocker) different ip than router OS network

Anyone? If not administrator please delete this post - I'll look elsewhere. thank you. Did I say I was not interested. I asked for more information to better understand what you attempted to describe. Now that jaclaz is on the case, I am sure he will attempt to resolve your query. I tried, and was ...
by anav
Sun Jun 02, 2024 7:16 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1489

Re: Both Openvpn and Wiregurard fail

(1) Remove the peer name......... pre-shared key ( do not use this attribute ) /interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=**.**.2**.** endpoint-port=\ 41194 interface=wireguard1 name=peer1 persistent-keepalive=25s \ preshared-key="*****=" public-key=\ (2) By ...
by anav
Sun Jun 02, 2024 6:39 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1168

Re: Routing VLAN to specific WAN using Policy Routing

Concur on the TPLINK not too much to screw up there, but what about the switch?? Okay I went back and what troubled me was LTE was on bridge1 and not directly on an etherport on the router. I then checked the diagram and for some strange reason its coming from the AP ???????? ...... ap-router.jpg .....
by anav
Sun Jun 02, 2024 5:29 pm
Forum: Beginner Basics
Topic: Mikrotik as secondary router - one LAN port bridged to WAN
Replies: 4
Views: 612

Re: Mikrotik as secondary router - one LAN port bridged to WAN

/interface vlan add interface=bridge name=ISP-LAN vlan-id=10 add interface=bridge name=HAP-LAN vlan-id=88 /interface bridge port add bridge=bridge interface=ether1 pvid=10 ingress-filtering=yes frame-types=admit-priority-and untagged add bridge=bridge interface=ether2 pvid=88 ingress-filtering=yes ...
by anav
Sun Jun 02, 2024 5:14 pm
Forum: Beginner Basics
Topic: Need help with few questions.
Replies: 5
Views: 408

Re: Need help with few questions.

Lets get this straight, the CRS series are SWITCHES not routers. They can be used as routers but throughput is very much less then pure routers. Provide a diagram as your requirements are not fully understood and seem to be changing with each post. Besides diagram a. identify users/device including ...
by anav
Sun Jun 02, 2024 5:10 pm
Forum: General
Topic: Back To Home VPN - spamming logs when disconnected
Replies: 2
Views: 282

Re: Back To Home VPN - spamming logs when disconnected

Disappointing that MT did not fix this well known issue for the release of 7.15.
by anav
Sun Jun 02, 2024 3:56 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1489

Re: Both Openvpn and Wiregurard fail

Post your latest config and I will relook.
by anav
Sun Jun 02, 2024 3:53 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1168

Re: Routing VLAN to specific WAN using Policy Routing

Are they connected wired or wifi,
Check the switch and AP devices, dont think its the router??
by anav
Sun Jun 02, 2024 2:38 am
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1168

Re: Routing VLAN to specific WAN using Policy Routing

As usual I work from your latest config, so would need to see it to comment on any new issues. Unless you changed something vlan20 should work same as vlan30 as they are identical in terms of the RB5009 router, which leads me to suspect the problem is down the road like at a switch. (4) I would disa...
by anav
Sun Jun 02, 2024 2:32 am
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1878

Re: Connection issues with hAP AC2, any problems with my config?

Subnets = IP = L3, or did i miss something?
Yes rip van Larsa you missed the last 60 years where Zerotier was released putting all assigned subnets into the same L2 space.
by anav
Sat Jun 01, 2024 8:32 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1878

Re: Connection issues with hAP AC2, any problems with my config?

You know more than I, but AMMO was fairly explicit on setting up the subnets to be part of zerotier.
by anav
Sat Jun 01, 2024 5:51 pm
Forum: Beginner Basics
Topic: Basic Zerotier Question.
Replies: 3
Views: 318

Re: Basic Zerotier Question.

Okay so it sounds very doable. Its a bit better than trying it over wireguard as wireguard then trips over the routing issue, where zerotier does not.
by anav
Sat Jun 01, 2024 4:23 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1168

Re: Routing VLAN to specific WAN using Policy Routing

(1) REMOVE frame types from bridge. keep it simple, we add frame types and ingress filtering at /interface bridge ports. (2) I like order, thus resorted vlans LOL. A cluttered config is a cluttered mind. ;-P (3) For security added Trusted Interface, assuming the one subnet that is trusted is your in...
by anav
Sat Jun 01, 2024 2:51 pm
Forum: Beginner Basics
Topic: Basic Zerotier Question.
Replies: 3
Views: 318

Basic Zerotier Question.

I have a single device on a local subnet lets say 192.168.88.0/24 on an MT router and it needs to reach a device ( and vice versa ) on a separate router (non-mt, with SIM card) and both have natively zerotier, intuitively one should say, yes they can be connected. The subnet on the non-mt Router is ...
by anav
Sat Jun 01, 2024 2:37 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1878

Re: Connection issues with hAP AC2, any problems with my config?

That router does zerotier natively which may be another avenue of possibility. It joins networks at level 2, so no firewall rules apply. The question though remains, what happens when you are local with wifi............. it may integrate really well and be the right path, just dont have any experie...
by anav
Sat Jun 01, 2024 3:43 am
Forum: Beginner Basics
Topic: Device Isolation
Replies: 4
Views: 457

Re: Device Isolation

I typically tend to use vlans to separate subnets at layer2 and firewall rules at layer3.
For firewall rules my last rule is DROP, and thus anything not accepted above in previous rules in that chain, is not permitted. Clean and efficient.
by anav
Fri May 31, 2024 11:43 pm
Forum: Beginner Basics
Topic: Can the firewall drop packets silently?
Replies: 8
Views: 621

Re: Can the firewall drop packets silently?

If i were to latinize it ......................

/export file=vici-de-bici
by anav
Fri May 31, 2024 11:32 pm
Forum: General
Topic: How long does it take for MT tech support to respond?
Replies: 22
Views: 3151

Re: How long does it take for MT tech support to respond?

They have responded to all my inquiries including ideas and supouts in a reasonable time frame, not to say your experience may differ. Perhaps a small investment in a queue system letting folk know they are number 98/2000 might help temper expectations etc... MTs strongpoint has never been communica...
by anav
Fri May 31, 2024 11:24 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1878

Re: Connection issues with hAP AC2, any problems with my config?

Yes, I can see the dilemma!! What router brand and model do you have in the camper? Is it dual wan capable, can you link to a user guide? Im starting to think that SourceNATing the camper van wireguard outward bound traffic may be a key to an approach. So when wireguard is up....... the MT router ge...
by anav
Fri May 31, 2024 11:16 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 854

Re: Can I only use mikrotik as a firewall?

Absolutely know that companies join conglomerates of like minded companies and ISPs to ward off attacks. They try to isolate the source vectors and close off traffic to the closest point of source. Very enterprisish stuff............ not for the faint of wallet and thus I dont pay for it. Some compa...
by anav
Fri May 31, 2024 11:12 pm
Forum: General
Topic: How long does it take for MT tech support to respond?
Replies: 22
Views: 3151

Re: How long does it take for MT tech support to respond?

yarim just joined to help this thread, how kind.
Yup they are dealing with lots of sups, just keep checking they will get around to it.
by anav
Fri May 31, 2024 11:09 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1168

Re: Routing VLAN to specific WAN using Policy Routing

Heheh, okay will look at it tomorrow, today is booked up or whats left of it.
by anav
Fri May 31, 2024 5:04 pm
Forum: Beginner Basics
Topic: Can the firewall drop packets silently?
Replies: 8
Views: 621

Re: Can the firewall drop packets silently?

Shields up is a very nice but not required,, I believed you the first time,
what is needed is to see why your config is letting that happen :-)

/export file=anynameyouwish (minus switch impersonating a router serial number, any public wanip information, keys etc.)
by anav
Fri May 31, 2024 3:40 pm
Forum: Beginner Basics
Topic: Can the firewall drop packets silently?
Replies: 8
Views: 621

Re: Can the firewall drop packets silently?

Using a switch as a router? Must have a tiny throughput ISP. No port should be normally seen except ICMP....
by anav
Fri May 31, 2024 3:17 pm
Forum: Beginner Basics
Topic: Mikrotik as secondary router - one LAN port bridged to WAN
Replies: 4
Views: 612

Re: Mikrotik as secondary router - one LAN port bridged to WAN

Just to be clear you want the HAPAC to be a router as well and not simply pass on the subnet of the main router ( so it would be an AP/switch, vice router).
Do you need the 192.168.88 network for some reason??
by anav
Fri May 31, 2024 2:25 pm
Forum: General
Topic: Issues with Ping between Wireguard Sites
Replies: 5
Views: 520

Re: Issues with Ping between Wireguard Sites

Not fond of the messy firewall either chains not grouped etc.... Cleaned up version: Did you really mean to give the wireguard user access to the input chain? If so, then it must be you as the admin for access. In this case, lets make the security, access to the router better as well. /ip firewall a...
by anav
Fri May 31, 2024 2:02 pm
Forum: General
Topic: Issues with Ping between Wireguard Sites
Replies: 5
Views: 520

Re: Issues with Ping between Wireguard Sites

Before I look at the config, did you check the windows or linux PC host for its own firewall settings or the application perhaps has some blocking mechanisms??? This is nonsense and should be removed, there is no DHCP with wireguard. Also if you put in netmask manually remove it, not required. /ip d...
by anav
Fri May 31, 2024 2:00 pm
Forum: General
Topic: v. 7.14.3 - 7.15RC3 - 7.15RC4 router was rebooted without proper shutdown, probably kernel failure
Replies: 27
Views: 1838

Re: v. 7.14.3 - 7.15RC3 - 7.15RC4 router was rebooted without proper shutdown, probably kernel failure

Did you create supouts and report possible bug to MT
( aka supout on working RoS ( no reboots ) and then on non-working RoS version (experiencing reboots))

They will be able to answer your questions more accurately.
by anav
Fri May 31, 2024 1:58 pm
Forum: General
Topic: application wise bandwidth controll
Replies: 1
Views: 254

Re: application wise bandwidth controll

Wrong equipment, look elsewhere.
You need expensive equipment with expensive licensed services.
The client should be advised, it will not be cheap.
by anav
Fri May 31, 2024 1:52 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1878

Re: Connection issues with hAP AC2, any problems with my config?

If that works, that means maybe at the other router you are source natting the outputs so they dont actually come from .44 they are coming from 34.2 ??? IN that case adding it to remote-machines should allow that traffic to reach LAN devices on the MT LAN. Allowed IPs on that router should be allowe...
by anav
Fri May 31, 2024 1:49 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1168

Re: Routing VLAN to specific WAN using Policy Routing

Well let us know for sure, as not going to look at it if solved LOL
by anav
Fri May 31, 2024 1:44 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 854

Re: Can I only use mikrotik as a firewall?

As an edge router with the ability to filter https and other encrypted traffic, clearly not. For everything else, fantastic. As noted by your second post, this thread is nothing more than trolling. @Larsa: Advanced ddos??, that is the responsibility of ISPs ( and like minded groups of ISPs) and thos...
by anav
Fri May 31, 2024 3:30 am
Forum: Beginner Basics
Topic: What is the purpose of client-dns setting in wireguard
Replies: 3
Views: 399

Re: What is the purpose of client-dns setting in wireguard

Sorry I dont see a client dns setting in my wireguard????

Okay checking the docs, it would appear when using BTH wireguard, its a setting thats there.
Never used it so not sure, how one is supposed to treat that entry.
by anav
Thu May 30, 2024 8:21 pm
Forum: General
Topic: Port forwarding not working anymore after switching to fibre connection
Replies: 7
Views: 1010

Re: Port forwarding not working anymore after switching to fibre connection

Of course not, there is logic: - single subnet, use src or dst-address - two or more whole subnets use interface lists *** - two or more subnets from remote routers use src or dst-address-list - any combination of separate users ( from same or across subnet ) without, OR with other subnets use src o...
by anav
Thu May 30, 2024 7:18 pm
Forum: General
Topic: Issues with Ping between Wireguard Sites
Replies: 5
Views: 520

Re: Issues with Ping between Wireguard Sites

Generally speaking I would need to see both configs. I do note that probably your allowed IPs are the problem and possibly routing.
What is at the other end of the wireguard tunnel?
by anav
Thu May 30, 2024 7:16 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 854

Re: Can I only use mikrotik as a firewall?

That is generally one of the purposes of an MT device.
Where will all the PCs get their IP addresses from??
by anav
Thu May 30, 2024 4:35 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 311
Views: 60590

Re: v7.15 [stable] is released!

Exciting release packed with updates and bug fixes. My whole fleet of routers (30+, various architectures) updated successfully, and good to see over 700kb of free space on my hAP ac2 (from around 300kb on 7.14.3) Good job dev team :D Updating an entire fleet of routers within 2 hours after release...
by anav
Thu May 30, 2024 3:53 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1878

Re: Connection issues with hAP AC2, any problems with my config?

yeah that route looks better........ and if not try 192.168.34.1 as an alternative. (1) Remove sourcenat rule not required. from /ip firewall nat add action=masquerade chain=srcnat comment="defcon: masquerade" ipsec-policy=\ out,none out-interface-list=WAN add action=masquerade chain=srcna...
by anav
Thu May 30, 2024 1:23 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 311
Views: 60590

Re: v7.15 [stable] is released!

Disappointed not to see a router fix for wireguard coming in on WAN2 when WAN2 is secondary WAN and mangling this traffic does not work.
by anav
Thu May 30, 2024 1:12 pm
Forum: Wireless Networking
Topic: Finally success - 802.11r/k/v fast roaming works reliably with WifiWave2
Replies: 63
Views: 20196

Re: Finally success - 802.11r/k/v fast roaming works reliably with WifiWave2

let me rephrase that: The result _should_ be the same.
If it isn't, you may want to report a bug to Mikrotik support.
The design and implementation is a bug.
When I look at capsman configuration, it looks like a nuclear explosion and completely consumes any config, like japanese knotweed.
by anav
Thu May 30, 2024 1:10 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 926

Re: Wireguard setup to VPN LTE RBSXTR

Compare that to IP DHCP client or the like assigned IP and to ones IP CLOUD. If they are all the same, its a public IP.
by anav
Thu May 30, 2024 1:08 pm
Forum: General
Topic: Port forwarding not working anymore after switching to fibre connection
Replies: 7
Views: 1010

Re: Port forwarding not working anymore after switching to fibre connection

Yes and no, MT docs are actually quite bad when it comes to firewall, they add so much garbage, not quite as bad as YT, but still too much noise.
by anav
Thu May 30, 2024 1:06 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1878

Re: Connection issues with hAP AC2, any problems with my config?

Also you didnt make any of the changes I made on my last post # 11,
by anav
Thu May 30, 2024 12:58 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1878

Re: Connection issues with hAP AC2, any problems with my config?

Before looking at any more configs, there is no problem from the other wireguard, you can reach 192.168.88 no problem from your machine and vice versa? If so then there is nothing wrong with the setup on the MT, its whatever router thingy or windows server at the end of the 192.168.44 subnet. Is tha...
by anav
Thu May 30, 2024 4:03 am
Forum: Beginner Basics
Topic: Lan - Lan 4 ip route
Replies: 1
Views: 294

Re: Lan - Lan 4 ip route

Not sure what you mean by make?? First if they are different subnets, one needs to consider firewall rules to ensure those IPs can reach other at level3. In terms of routing, if they are local subnets on the router, the router knows about them and creates routes already. Therefore, there should be n...
by anav
Thu May 30, 2024 4:00 am
Forum: Beginner Basics
Topic: Raspberry pihole (ad blocker) different ip than router OS network
Replies: 15
Views: 1164

Re: Raspberry pihole (ad blocker) different ip than router OS network

a picture is helpful got a network diagram.
also current config.
by anav
Thu May 30, 2024 3:59 am
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 926

Re: Wireguard setup to VPN LTE RBSXTR

Cant help with ipv6, I am old skool ipv4 only.
Static or dynamic doesnt matter as long as its public or if there is an upstream ISP router he can at least forward a port to a downstream router and yes an MT device there would be real handy.
by anav
Thu May 30, 2024 3:56 am
Forum: General
Topic: Port forwarding not working anymore after switching to fibre connection
Replies: 7
Views: 1010

Re: Port forwarding not working anymore after switching to fibre connection

Number of errors. If you use vlans on the bridge, then you should use all vlans as it stands now the vlan probably doesn't work, as you have no corresponding /interface bridge port or /interface bridge vlan settings etc.. Also, ether1 is the wan port, no business being on the bridge, hence the router...
by anav
Thu May 30, 2024 3:45 am
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1878

Re: Connection issues with hAP AC2, any problems with my config?

Everything looked good until I reached FW rules, mostly out of order........... (i) moved fasttrack rule down to be with other forward chain rules. (ii) moved wireguard handshake rule to first of admin rules. (iii) removed wg remote from access to Router for config purposes, I am assuming that those a...
by anav
Wed May 29, 2024 10:27 pm
Forum: General
Topic: multi vlan with multi wan setup
Replies: 21
Views: 3289

Re: multi vlan with multi wan setup

Bingo................. and the more we have up front = less config time, less re-work and less swearing. :-) Now try to convince MT that we need a basic USER education piece prior to first post that contains the important elements. Once a post meets the intent below it goes from draft forum to viewa...
by anav
Wed May 29, 2024 10:21 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 926

Re: Wireguard setup to VPN LTE RBSXTR

Thanks for that encouraging tidbit LOL. Okay so that removes wireguard as a possibility unless you are willing a. to ask ISP for a public IP address --> dont think its possible but maybe it is?? b. rent a server in the cloud (create your own reachable IP and then use regular wireguard ) Cost approx $...
by anav
Wed May 29, 2024 9:45 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1417

Re: HAP ax lite as AP

Now to your newer hap config LOL
Looks fine to me!!

Its a basic AP/switch, as long as your wifi settings are okay, they are looking a bit sparse even for a simple wifi network.
Traffic comes in on ether1 and goes out wifi1 and you use vlan99 to manage the device.
by anav
Wed May 29, 2024 9:41 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1417

Re: HAP ax lite as AP

By all means modify as you desire. Being truthful and accurate with requirements leads to quicker resolution and satisfaction. :-) Otherwise I fill gaps as I have to ASS U ME what the facts may be. What I provided works, given the context provided. There was no need for bridge dhcp Base vlan is what...
by anav
Wed May 29, 2024 9:33 pm
Forum: General
Topic: multi vlan with multi wan setup
Replies: 21
Views: 3289

Re: multi vlan with multi wan setup

again liviuu, providing a specific solution to a perceived problem may or may not be the right approach. Perhaps in your case mangling is NOT required only routing rules! Maybe the mangling and requirements can be met in more efficient ways etc... Certainly all feasible and best done WITHIN context ...
by anav
Wed May 29, 2024 9:23 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 926

Re: Wireguard setup to VPN LTE RBSXTR

Well I am no BTH expert, and thats the functionality you will need seeing as you dont get a public IP via LTE, apn. You get a private IP I believe?????? So you will need to read up on BTH and make use of settings available in IP CLOUD. I would stick to doing things as manually as possible but basica...
by anav
Wed May 29, 2024 6:59 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1417

Re: HAP ax lite as AP

(1) So I see all four vlans going to the switch, no problem there. It could be shortened to one rule. /interface bridge vlan add bridge=bridge1 tagged=bridge1,eth2_ext_switch vlan-ids=10,20,30,99 (2) What does not make sense to me at all is your interface list membership. Does this makes sense to yo...
by anav
Wed May 29, 2024 6:03 pm
Forum: General
Topic: Best way to forward web traffic to portal page?
Replies: 4
Views: 589

Re: Best way to forward web traffic to portal page?

lookup hotspot, userman, radius server in MT Docs.
https://help.mikrotik.com/docs/display/ROS/RouterOS
by anav
Wed May 29, 2024 1:45 am
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1417

Re: HAP ax lite as AP

Mainly changes recommended: /interface ethernet set [ find default-name=ether2 ] disabled=yes set [ find default-name=ether3 ] disabled=yes set [ find default-name=ether4 ] disabled=no name=Off-Bridge /interface vlan add interface=bridgeLocal name=baseVLAN vlan-id=99 /interface list add name=MANAGE ...
by anav
Tue May 28, 2024 11:16 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed [SOLVED]
Replies: 19
Views: 1657

Re: RB5009 and 2Gb/s internet speed [SOLVED]

Hi Golem, if that is the reality of PPOE connectivity regardless of router, then its the ISPs problem of false advertising.
by anav
Tue May 28, 2024 10:38 pm
Forum: Beginner Basics
Topic: Port forward for Minecraft server 25565
Replies: 3
Views: 443

Re: Port forward for Minecraft server 25565

Does your router get a public IP or a private IP from the ISP device? If its a private IP, can you at least forward a port from the ISP router/modem to your router.
by anav
Tue May 28, 2024 9:33 pm
Forum: Beginner Basics
Topic: The simplest NAT problem
Replies: 11
Views: 701

Re: The simplest NAT problem

So the chap wants to connect two devices on with two different IPs with no typical LAN structure so to speak??
Its a bogus concept to me. but me not trained LOL.
by anav
Tue May 28, 2024 7:49 pm
Forum: Beginner Basics
Topic: The simplest NAT problem
Replies: 11
Views: 701

Re: The simplest NAT problem

A confusing post with no complete config provided nor really any context of where the devices sits WITHIN a network.
Where are other switches, upstream user router, upstream ISP modem ( or modem/router ). Type of ISP, public private, static dynamic............ etc...
by anav
Tue May 28, 2024 7:42 pm
Forum: General
Topic: Advice on how to grow an ISP network
Replies: 9
Views: 980

Re: Advice on how to grow an ISP network

Really great overview and summary! You're clearly passionate about designing network architectures. Totally agree with you on OSPF and the challenges of iBGP full mesh.
+1
by anav
Tue May 28, 2024 7:39 pm
Forum: General
Topic: Unable to access devices externally on MikroTik router
Replies: 6
Views: 909

Re: Unable to access devices externally on MikroTik router

Understood, will try to help you set it up. What I need to know is what is it connected to routerwise. An ISP router, your own router? Does the upstream router have a static or dynamic IP Does the upstream router have a public IP address, Can you access the upstream router and if not, can yo...
by anav
Tue May 28, 2024 5:34 pm
Forum: General
Topic: VPN & Port forward through 1 Interface
Replies: 5
Views: 735

Re: VPN & Port forward through 1 Interface

(1) Okay so if your port forwarding was old news and not required, then why do you still have dstnat port forwarding rule........ add action=dst-nat chain=dstnat comment="serv " dst-port=24000 \ in-interface-list=WAN protocol=tcp src-address-list=Access to-addresses=\ 192.168.88.10 to-port...
by anav
Tue May 28, 2024 12:10 am
Forum: Forwarding Protocols
Topic: Need a helping hand with port forwarding [SOLVED]
Replies: 7
Views: 663

Re: Need a helping hand with port forwarding [SOLVED]

I will be mostly in brandenburg an der havel for some 'recreational' rowing.
by anav
Mon May 27, 2024 8:52 pm
Forum: Forwarding Protocols
Topic: Need a helping hand with port forwarding [SOLVED]
Replies: 7
Views: 663

Re: Need a helping hand with port forwarding [SOLVED]

The easiest solution IMHO is to put the server in a different subnet than the users but if not...... By the way will be in Berlin, for one afternoon, evening and part of next morning ( a monday ), staying near friederichstrabe station. Any recommendations for things to do? and what to avoid!!! After...
by anav
Mon May 27, 2024 7:30 pm
Forum: Forwarding Protocols
Topic: Need a helping hand with port forwarding [SOLVED]
Replies: 7
Views: 663

Re: Need a helping hand with port forwarding [SOLVED]

Post the complete config for starters as the entire config is related more than you think. Also due to the fact that your fw are crap IMHO, and the config is not set up at all for port forwarding in your scenario: a. external users b. internal users via lanip c. internal users via WANIP or dyndns n...
by anav
Mon May 27, 2024 7:19 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2657

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

HAPAX3 NOTE this is a non capsman config as I have no clue how to do capsman, too complicated for me. Any vlans / data path removed from wifi settings. You should appreciate how uncluttered and quick this is to configure once the 5009 is done. (1) Will assume etherports 3,4,5 are for home wired net...
by anav
Mon May 27, 2024 6:58 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2657

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

RB 5009 (1) Added home vlan, so bridge does nothing but bridging and you were missing vlan10 items like dhcp-server and pool !! (2) Ether2, will be a management port (3) Ether6, will be an oFF bridge port ( ability for you as admin to access or config router Off the bridge ( safest way to config )....
by anav
Mon May 27, 2024 6:17 pm
Forum: General
Topic: NAT local DNS request to different address for specific interface [SOLVED]
Replies: 10
Views: 884

Re: NAT local DNS request to different address for specific interface [SOLVED]

Yes, 8080 etc works for webconfig, I use winbox, but thats up to you.
by anav
Mon May 27, 2024 6:15 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2657

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Okay once you go vlans there is no default network, it simply becomes another network like any other vlan subnet, just dont use vlan1.
by anav
Mon May 27, 2024 4:19 pm
Forum: Beginner Basics
Topic: Looking for advice
Replies: 1
Views: 398

Re: Looking for advice

I am not aware of any CRS160 model ???? Two approaches: Option1: hapax3 AND. The one I do recommend for your network is anything with CRS3, as it is very similar in approach to how routers handle vlans and thus learning curve is reduced!!......... In this case the CRS310-8G+2S+IN, 8x 2.5gb ports and 2 ...
by anav
Mon May 27, 2024 3:59 pm
Forum: Beginner Basics
Topic: Beginner's question: Bridging and VLANs
Replies: 2
Views: 484

Re: Beginner's question: Bridging and VLANs

If you are sticking with UNIFI smart APs, keep in mind you will need to connect to them via a HYBRID PORT.
The management or Trusted VLAN ( the one where it gets its IP address from) is expected to arrive at the UNIFI untagged and the rest of the vlans tagged.
by anav
Mon May 27, 2024 1:19 am
Forum: General
Topic: NAT local DNS request to different address for specific interface [SOLVED]
Replies: 10
Views: 884

Re: NAT local DNS request to different address for specific interface [SOLVED]

Hi anav, yes indeed it does. It always resolves the DNS using my local RaspberryPi (192.168.88.112). If I change the DNS manually on my Client Machine, then it will use the 10.64.0.1 DNS. But I want that to happen automatically via NAT (I dont want to change the DHCP Server). Thanks! (1) How, a req...
by anav
Sun May 26, 2024 9:40 pm
Forum: General
Topic: NAT local DNS request to different address for specific interface [SOLVED]
Replies: 10
Views: 884

Re: NAT local DNS request to different address for specific interface [SOLVED]

Can you be more specific.

If your user is going out the internet via wireguard, the DNS on the local router doesnt come into play.
So not sure of your intentions??
by anav
Sun May 26, 2024 9:37 pm
Forum: General
Topic: 2 networks on one router
Replies: 9
Views: 1155

Re: 2 networks on one router

Hi Jaclaz, I just took it as he really wants to know if his ISP has connectivity to the internet vice having the ISP seemingly functional but no internet. Nothing wrong with it but yes a tad strange as no alternative. As a note I am really getting peeved at dynamic print!. There is no reason why not...
by anav
Sun May 26, 2024 4:13 pm
Forum: General
Topic: 2 networks on one router
Replies: 9
Views: 1155

Re: 2 networks on one router

(1) One thing I would change is put actual dns servers remote available. /ip dns set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9 (2) Remove this old default setting /ip dns static add address=192.168.88.1 comment=defconf name=router.lan (3) This is a very dangerous rule because it will allow ...
by anav
Sun May 26, 2024 3:53 pm
Forum: Beginner Basics
Topic: how to change vlan tag for tagged? [SOLVED]
Replies: 7
Views: 673

Re: how to change vlan tag for tagged? [SOLVED]

Vlans are used to keep traffic within a closed subnet at layer2.
They also permit one to push many subnets through a single interface port.
Its not about switching the vlan tags on a whim, which by the way is not a feasible idea.
by anav
Sun May 26, 2024 12:36 pm
Forum: Beginner Basics
Topic: how to change vlan tag for tagged? [SOLVED]
Replies: 7
Views: 673

Re: how to change vlan tag for tagged? [SOLVED]

Is the hex acting as a router or a switch?
Why would you want to change the tagging of a vlan? ( dont think its possible in your context )
by anav
Sat May 25, 2024 11:54 pm
Forum: General
Topic: Pptp client load balance on os 6 possible?
Replies: 2
Views: 371

Re: Pptp client load balance on os 6 possible?

Not sure what you mean?
If you mean run a server on your router for other users maybe you want queues??
by anav
Sat May 25, 2024 11:52 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 311
Views: 262227

Re: NEW FEATURE: Back to Home VPN

Agree much better documentation will take out some mystery. BUT I SAY AGAIN, BTH needs to be more explicitly shown on the export.
/ip cloud full full settings etc........
by anav
Sat May 25, 2024 11:48 pm
Forum: General
Topic: Failover and Selective Load-Balancing Issue
Replies: 5
Views: 669

Re: Failover and Selective Load-Balancing Issue

Finally, I also believe your scripts are wrong or should I say the application of the combination of scripts and IP DHCP settings.

In other words you should select
a. default route=YES
b. distance=255

For both WANs.
by anav
Sat May 25, 2024 11:40 pm
Forum: General
Topic: Failover and Selective Load-Balancing Issue
Replies: 5
Views: 669

Re: Failover and Selective Load-Balancing Issue

Now all users will use WAN0, and WAN1 is the defacto secondary failover option. Now to differentiate a single user by port Mangling is certainly the option that comes to mind. What you have is a holy mess of mangling that makes zero sense to the requirements you stated. /ip mangle add chain=forward ...
by anav
Sat May 25, 2024 11:30 pm
Forum: General
Topic: Failover and Selective Load-Balancing Issue
Replies: 5
Views: 669

Re: Failover and Selective Load-Balancing Issue

If you wanted nested Recursive..... it would be like so and just using two DNS checks. First we use a bogus or faux address, add distance=1 dst-address=0.0.0.0/0 gateway=10.100.100.10 routing-table=main scope=10 target-scope=14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...
by anav
Sat May 25, 2024 11:16 pm
Forum: General
Topic: Failover and Selective Load-Balancing Issue
Replies: 5
Views: 669

Re: Failover and Selective Load-Balancing Issue

I would want to see the complete config to make any assessments because the rules are often integrated to some extent ( affect each other ). You stated that WAN0 is primary and WAN1 is secondary and thus......... However, I dont like your setup for recursive. In fact it almost looks like mixing up ...
by anav
Sat May 25, 2024 8:14 pm
Forum: Beginner Basics
Topic: WAN failover with VLANS on RouterOS 7
Replies: 3
Views: 527

Re: WAN failover with VLANS on RouterOS 7

All you have asked for seems doable, with not much work. However, the wireguard listening on T-mobile is problematic. It does not have a public IP and thus cannot be used with a normal wireguard setup. What we can do is setup normal wireguard and once its working disable WAN1 and see if in the wireg...
by anav
Sat May 25, 2024 8:10 pm
Forum: Beginner Basics
Topic: UNLIMITED LAN BUT INTERNET NEEDS AUTHENTICATION
Replies: 1
Views: 352

Re: UNLIMITED LAN BUT INTERNET NEEDS AUTHENTICATION

Sounds like you should read up on
a. userman
b. radius server
c. hotspot.

https://help.mikrotik.com/docs/display/ROS/RouterOS
by anav
Sat May 25, 2024 7:54 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1489

Re: Both Openvpn and Wiregurard fail

Dont care about openvpn etc etc. but will help with wireguard. Does your MT router have a public IP address or connected to an ISP router with a public IP at which you can forward a port to the MT router? Okay I will assume the answer is no and you seem to be connecting to a wireguard server elsewher...
by anav
Sat May 25, 2024 7:50 pm
Forum: General
Topic: VPN & Port forward through 1 Interface
Replies: 5
Views: 735

Re: VPN & Port forward through 1 Interface

Yes the latest config,
In terms of restricting access TO the router input chain..
The only connection, TO the ROUTER, should be VPN connections and thus no restrictions required.
Connection to the LAN, aka to servers, can be limited by source address list on the dstnat rules.
by anav
Sat May 25, 2024 7:49 pm
Forum: General
Topic: [Help] Connect two networks
Replies: 2
Views: 504

Re: [Help] Connect two networks

One bridge.
4 vlans

Simplify firewall rules including getting rid of raw rules.
You spend too much of config in fear instead of simply allowing needing traffic and dropping rest.

Why are you mangling????

Why so many routes??

Explain more your WAN situation.
by anav
Sat May 25, 2024 3:57 am
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1698

Re: wireGuard does not work for me on my mikrotik RB750r2

The only thing I see that is really weird that I have never seen before are the following rules.... add action=dst-nat chain=dstnat disabled=yes dst-address=8.8.8.8 to-addresses=0.0.0.0/24 ???????????????????? add action=src-nat chain=srcnat disabled=yes out-interface=ether1wan src-address=0.0.0.0/2...
by anav
Fri May 24, 2024 11:52 pm
Forum: Beginner Basics
Topic: Protocols and ports needed by BTH VPN Wireguard
Replies: 6
Views: 501

Re: Protocols and ports needed by BTH VPN Wireguard

I would say so, but in BTH is should be shown in the IP cloud menu I think?
Endpoint for both router and client device is the BTH cloud server...........
Allowed IPs at least on the router for the client peer are probably only set to the wireguard subnet.
by anav
Fri May 24, 2024 11:48 pm
Forum: General
Topic: Sanity Check - chains and "Passthrough" Firewall Rules. [SOLVED]
Replies: 3
Views: 602

Re: Sanity Check - chains and "Passthrough" Firewall Rules. [SOLVED]

Mangle ACTIONS are clearly spelled out here: https://help.mikrotik.com/docs/display/ROS/Mangle Passthrough is clearly spelled out here in MATCHERS. https://help.mikrotik.com/docs/display/ROS/Common+Firewall+Matchers+and+Actions Quote: "passthrough - if a packet is matched by the rule, increas...
by anav
Fri May 24, 2024 11:14 pm
Forum: Beginner Basics
Topic: Protocols and ports needed by BTH VPN Wireguard
Replies: 6
Views: 501

Re: Protocols and ports needed by BTH VPN Wireguard

Well one would hope it randomly uses Ports and not the default port for wireguard which would be an easy target to filter.
Other than that its UDP based. Any country can block vpns if they put the infrastructure in place to do so.............
by anav
Fri May 24, 2024 11:12 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 311
Views: 262227

Re: NEW FEATURE: Back to Home VPN

Okay understand I may be looking at a BTH setup incorrectly done on an Ops MT router and thus the missing export info?
by anav
Fri May 24, 2024 11:09 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 311
Views: 262227

Re: NEW FEATURE: Back to Home VPN

@Normis. Okay so what I have learned recently. 1. BTH is not applicable to router to router connections. 2. It would appear that BTH configs certain things automatically please confirm. a. sourcenat rule b. wireguard ip address c. input chain handshake rule d. allowed ips. e. wg blocked to LAN but a...
by anav
Fri May 24, 2024 11:01 pm
Forum: General
Topic: Back to home works without Internet
Replies: 5
Views: 652

Re: Back to home works without Internet

Interesting so BTH creates a. an input chain rule automatically b. creates a sourcenat rule automatically c. what about a wireguard address?? d. anything else??? what about allowed-IPs?? why are they showing on the config?? Why did any of this NOT show on the ops config??? or perhaps more to the poi...
by anav
Fri May 24, 2024 10:57 pm
Forum: General
Topic: VPN & Port forward through 1 Interface
Replies: 5
Views: 735

Re: VPN & Port forward through 1 Interface

Hi there, yes there is a bug in Wireguard firmware, which prevents success using Wireguard on WAN2, when WAN1 is primary. We can fix that with some trickery. A quick perusal of your config also shows that you have other issues that need to be addressed first. a. you are port forwarding on ether1, HO...
by anav
Fri May 24, 2024 6:50 pm
Forum: General
Topic: Back to home works without Internet
Replies: 5
Views: 652

Re: Back to home works without Internet

1. Modify your interface list members to include wireguard which affects relevant firewall rules and also can be shortened.... /interface list member add interface=bridge list=LAN add interface=back-to-home-vpn list=LAN add interface=pppoe-client list=WAN 2. Modified cleaned up firewall rules. Also...
by anav
Fri May 24, 2024 3:05 pm
Forum: Forwarding Protocols
Topic: forwarding of all subnet traffic to secondary gateway
Replies: 4
Views: 385

Re: forwarding of all subnet traffic to secondary gateway

Since the second device is acting as a router getting a private LANIP from the chateau. What I would do is only use one bridge and two vlans, easy peasy, and firewall rules easily applied. The question needing answering is what happens when WAN2 is not available do you want the users dedicated to th...
by anav
Fri May 24, 2024 2:43 pm
Forum: General
Topic: Wireguard peer Rx/Tx/Last Handshake stats not updating
Replies: 12
Views: 5220

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

You are not alone LOL. Based on my experience on these forums, the RoS, after many changes gets stuck in some fashion and recreating the functionality from scratch or simply rebooting the router fixes things magically. :-)
by anav
Fri May 24, 2024 12:34 pm
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1698

Re: wireGuard does not work for me on my mikrotik RB750r2

Mainly changes shown. Removed persistent keep alive to a peer (client for handshake, its the client that uses that setting) Removed wrong WAN address Modified dns settings slightly. not sure what 192.168.1.1 was doing there as its not a local subnet. Biggest issue is with your firewall rules. Too muc...
by anav
Fri May 24, 2024 12:10 pm
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1698

Re: wireGuard does not work for me on my mikrotik RB750r2

More concerning is the port forwarding of the default port for winbox.
Are you actually accessing the router externally using the default winbox port???

It would appear yes, you have the port forwarding setup appropriately
by anav
Fri May 24, 2024 2:07 am
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1698

Re: wireGuard does not work for me on my mikrotik RB750r2

Show me the port forwarding rule on the upstream router and you have confirmed the upstream router gets a public IP??
by anav
Fri May 24, 2024 2:05 am
Forum: General
Topic: CRS328 mangle rules [SOLVED]
Replies: 3
Views: 549

Re: CRS328 mangle rules [SOLVED]

Is your CRS328 setup as a router or a switch??
by anav
Thu May 23, 2024 5:07 pm
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1698

Re: wireGuard does not work for me on my mikrotik RB750r2

Well your config is confused........... You have two ether1-wans, and one is disabled. The one that is disabled seems to be a public IP The one that is enabled seems to be a private IP This makes sense if what you are saying about double NAT. It would seem you have an upstream modem/router and thus ...
by anav
Thu May 23, 2024 5:03 pm
Forum: Beginner Basics
Topic: Port forwarding to multiple pppoe connection
Replies: 1
Views: 357

Re: Port forwarding to multiple pppoe connection

Can you be clearer please.
Are you saying ALL LAN traffic should use ppoe-out2
UNLESS
it is traffic on port 10,000.

Or only traffic from ONE user and only on port 10,000 and the rest of the users and the rest of the ports for .19 go out ppoe-out2 ???
by anav
Thu May 23, 2024 4:51 pm
Forum: Beginner Basics
Topic: AT&T FTTH, VLANs, CapsMAN Full Config (RouterOS 7 Updated)
Replies: 33
Views: 6500

Re: AT&T FTTH, VLANs, CapsMAN Full Config (RouterOS 7 Updated)

Because the evidence speaks for itself. Perhaps you should read up on statistics and analytics, vice a sample of one. I have read thousands of posts (at least 10K), and quite clearly capsman is not trivial to learn, and even harder to apply. The fact that MT introduced differing capsman products did...