Search found 22632 matches

by anav
Sun Feb 09, 2025 6:32 am
Forum: Beginner Basics
Topic: How to administer backup WAN modem?
Replies: 5
Views: 237

Re: How to administer backup WAN modem?

Nope, if it aint broke, dont fix it. Carry on!!
by anav
Sun Feb 09, 2025 6:30 am
Forum: General
Topic: Need some routing experts to help me figure out my setup
Replies: 5
Views: 483

Re: Need some routing experts to help me figure out my setup

It ensures any local traffic that is allowed, by firewall rules, has a path, otherwise all traffic will head out WANS.
by anav
Sat Feb 08, 2025 11:00 pm
Forum: General
Topic: Mikrotik acting up
Replies: 1
Views: 96

Re: Mikrotik acting up

What a Ham, its probably the hex refresh, he's such a clown. :-) If your config is good, ( how could we possibly know ) then its some functionality that causes the issue so remove one wait, if no change remove another, wait. Or conversely start from scratch and add one functionality at a time, wait,...
by anav
Sat Feb 08, 2025 9:35 pm
Forum: Beginner Basics
Topic: Winbox not working with Wireguard Site-to-Site VPN
Replies: 2
Views: 163

Re: Winbox not working with Wireguard Site-to-Site VPN

Nice first post, Typically the issue is a. wireguard peers incorrect b. firewall rules do not allow access Lets review. by the way if IPV6 is not being used remove all the noise This is a good start but remove all the IPV6 firewall address lists and modify rules to only two rules: add chain=input ac...
by anav
Sat Feb 08, 2025 9:31 pm
Forum: Beginner Basics
Topic: How to administer backup WAN modem?
Replies: 5
Views: 237

Re: How to administer backup WAN modem?

Im a bit confused by the approach. Why are you putting script on LAN subnets DHCP when the proper place to address routing is the WANs?? Is it that you want users to always use the primary and if that is not available then use the backup WAN?? This is one of the common approaches and would look like...
by anav
Sat Feb 08, 2025 9:27 pm
Forum: Beginner Basics
Topic: Need help setting DHCP server VLAN
Replies: 2
Views: 137

Re: Need help setting DHCP server VLAN

Single bridge for all data vlans as per https://forum.mikrotik.com/viewtopic.php?t=143620 The single bridge will also be the interface for both ISP vlans. These vlans however will not get any dhcp, Ip address etc.............. The WAN Vlan will get terminated at either the IP DHCP client settings or...
by anav
Sat Feb 08, 2025 9:18 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 28
Views: 1912

Re: Blocking admin services - Firewall rules

Too funny, far from ready. Not sure why the others are turning a blind ( perhaps bloodshot eye) too. The fact that you are attempting to have your cake and eat it too. Mainly having one pool containing two subnets, one dhcp server the bridge, and then two dhcp server networks and two ip addresses ( ...
by anav
Sat Feb 08, 2025 9:06 pm
Forum: General
Topic: Need some routing experts to help me figure out my setup
Replies: 5
Views: 483

Re: Need some routing experts to help me figure out my setup

No need for mangles! /table add fib name= useWANFiber add fib name= useWANCable /ip route add check-gateway=ping dst-address=0.0.0.0/0 gateway=(current)fiber-gateway-IP routing-table=main comment=Fiber1 add check-gateway=ping dst-address=0.0.0.0/0 gateway=(current)cable-gateway-IP routing-table=main...
by anav
Sat Feb 08, 2025 8:40 pm
Forum: General
Topic: Multiple Bridge question
Replies: 7
Views: 270

Re: Multiple Bridge question

The WAN associated VLAN is distinct and separate from data vlans behind the router. One only assigns the ISP vlan to either an etherport (which is used in IP DHCP client or pppoe settings) / or less likely some fixed IP address on the VLAN. It has nothing to do with the LAN-BRIDGE so to speak. There...
by anav
Sat Feb 08, 2025 3:15 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 28
Views: 1912

Re: Blocking admin services - Firewall rules

Please post your latest config so that we can apply fresh thinking to the issue.
by anav
Sat Feb 08, 2025 3:11 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 15
Views: 614

Re: Hapax3, no sleep

I provided the solution of doing the config from an off bridge port.......... I mean the complaint was no sleep right ;-)
by anav
Fri Feb 07, 2025 11:29 pm
Forum: Beginner Basics
Topic: Entry level 10GB router planning.
Replies: 7
Views: 489

Re: Entry level 10GB router planning.

holvoe, you are only noticing now?????

I am simply following requirements, requested 10gig ..........
by anav
Fri Feb 07, 2025 11:28 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 28
Views: 1912

Re: Blocking admin services - Firewall rules

First jotne took your config too seriously, and that is the I LOVE TO DRINK WINE bit........ Clearly sauced as this rule is completely legit, please ignore advice given: add action=accept chain=input comment="Allow Wireguard port" dst-port=13231 \ protocol=udp What can be said is your rule...
by anav
Fri Feb 07, 2025 11:22 pm
Forum: Beginner Basics
Topic: Can't figure out recursive routing
Replies: 3
Views: 182

Re: Can't figure out recursive routing

Please post config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys ) In general Primary WAN distance=1 check-gateway=ping Secondary WAN distance=2 Recursive add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12 a...
by anav
Fri Feb 07, 2025 8:41 pm
Forum: Wireless Networking
Topic: HAP AX3 simple capsman wireless NOT working
Replies: 9
Views: 1276

Re: HAP AX3 simple capsman wireless NOT working

What is the advantage of using capsman if HAPAX3 is your only wifi device and also your router???
by anav
Fri Feb 07, 2025 8:40 pm
Forum: Beginner Basics
Topic: Wireguard VPN Mikrotik
Replies: 5
Views: 337

Re: Wireguard VPN Mikrotik

Nope......... not to my knowledge.
by anav
Fri Feb 07, 2025 8:36 pm
Forum: General
Topic: WireGuard SMB and Throughput Problems
Replies: 11
Views: 1168

Re: WireGuard SMB and Throughput Problems

The key is understanding the word.......................... Disabled ;-P

As far as NORDVPN goes, that was only if you were using a third party wireguard VPN, if not you can ignore the mangle rule.
( not sure why I thought you had nordvpn - perhaps this --> add name=NordVPN on ipsec ???)
by anav
Fri Feb 07, 2025 8:35 pm
Forum: General
Topic: CRS309 behind CCR2004 setup questions
Replies: 32
Views: 1119

Re: CRS309 behind CCR2004 setup questions

Vlan1000 is your management or trusted vlan as all smart devices get their IP address on that vlan, and all the other vlans have nothing to do with the bridge.
Coming in tagged on etherX and then going out either tagged or untagged on the rest of the switch ports.
by anav
Fri Feb 07, 2025 7:12 pm
Forum: General
Topic: WireGuard SMB and Throughput Problems
Replies: 11
Views: 1168

Re: WireGuard SMB and Throughput Problems

For sure to remove it
go to IP CLOUD
Select TAB ---> BTH VPN
Select First Line Back to home VPN: and select circle REVOKED and DISABLED

Would also go to the phone where you first created the BTH and remove that as well.
by anav
Fri Feb 07, 2025 7:09 pm
Forum: Beginner Basics
Topic: Wireguard VPN Mikrotik
Replies: 5
Views: 337

Re: Wireguard VPN Mikrotik

Sorry, MT is not an app based appliance. The best thing you can do is a. make a wifi subnet/vlan on the router that will only go to wireguard, and in this way anyone wanting to use third party for internet, can use that SSID, assuming you have given them the WLAN password. b. if this is for wired ne...
by anav
Fri Feb 07, 2025 7:06 pm
Forum: General
Topic: Router reaches the Internet, subnts do not
Replies: 3
Views: 243

Re: Router reaches the Internet, subnts do not

https://forum.mikrotik.com/viewtopic.php?p=1123218#p1123218 Use two bridge max on RB4011, most routers its one, but RB4011 has two different switch chips one for ports 1-5 and one for ports 6-10 So group ports that are carrying like users/traffic in two main bridges Bridge1 ports 1-5 and Bridge2 por...
by anav
Fri Feb 07, 2025 6:50 pm
Forum: General
Topic: CRS309 behind CCR2004 setup questions
Replies: 32
Views: 1119

Re: CRS309 behind CCR2004 setup questions

1. Question: Is the same pool for two different DHCP vlan servers intentional?? /ip dhcp-server add add-arp=yes address-pool=vlan10 interface=vlan10 lease-time=10m name=vlan10 add add-arp=yes address-pool=vlan1255 interface=vlan1255 lease-time=10m name=vlan1255 add add-arp=yes address-pool=vlan100...
by anav
Fri Feb 07, 2025 4:58 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 4954

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

AHH, DAMN, sorry didnt see that either!
add address=192.169.50.0/24 comment=guest-vlan50 dns-server=192.168.40.10 domain=vlan50.lan gateway=192.168.50.1
by anav
Fri Feb 07, 2025 4:53 pm
Forum: General
Topic: Use port 443 for OpenVPN when it is used for other services
Replies: 2
Views: 167

Re: Use port 443 for OpenVPN when it is used for other services

You have to make up your mind,
a. either use MT for openvpn
OR
b. your own server running it.
by anav
Fri Feb 07, 2025 4:52 pm
Forum: General
Topic: default route choice based on throughput
Replies: 4
Views: 1348

Re: default route choice based on throughput

Yes, this method is like PCC but one has to create an extra set of sticky rules (very manual) to achieve load balance by throughput.
--->
tomas.pdf
https://www.youtube.com/watch?v=67Dna_ffCvc
by anav
Fri Feb 07, 2025 2:49 pm
Forum: Beginner Basics
Topic: Entry level 10GB router planning.
Replies: 7
Views: 489

Re: Entry level 10GB router planning.

Chechito why not the CCR2116-12G-4S+ ??? It meets the 10Gig throughput on the WAN side........... and is $995, the product you suggested is for a 100gig wan, at $2795.
Stated differently are you providing us with the extra $1800 dollars?? If so I will send you my bank details.
by anav
Fri Feb 07, 2025 2:40 pm
Forum: General
Topic: Hapax3, no sleep
Replies: 15
Views: 614

Re: Hapax3, no sleep

Hi Yepa, Read this article for vlans: https://forum.mikrotik.com/viewtopic.php?p=1123218#p1123218 For configuring vlans the easy approach is to take one of the ports lets say ether5, at least temporarily OFF the single bridge. Give it an IP address and add to LAN interface list, assuming you are sta...
by anav
Fri Feb 07, 2025 2:31 pm
Forum: General
Topic: Still fighting with Ecobee (and losing)
Replies: 10
Views: 521

Re: Still fighting with Ecobee (and losing)

Ahh I dont use them with home assistant. They connect to the internet and I use my APP to control them.
by anav
Fri Feb 07, 2025 6:51 am
Forum: General
Topic: Still fighting with Ecobee (and losing)
Replies: 10
Views: 521

Re: Still fighting with Ecobee (and losing)

Do I really have to ask for the config again.................... not your first rodeo ;-)
I have ecobees, no issues, main router is ccr1009, but not MT aps.
by anav
Fri Feb 07, 2025 1:05 am
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 4954

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

1. Okay, so ether2 and ether4 go to unifi APs...... 2. Switch goes to.................... i imagine eventually MT APs........ 3. nas is only on management network. Looks good so far. 4. I would change the AP setup somewhat........... to accurately reflect proper setup. FROM: /interface bridge vlan add...
by anav
Thu Feb 06, 2025 9:27 pm
Forum: Beginner Basics
Topic: How to offer DHCP only on WIFI but not on ether
Replies: 9
Views: 424

Re: How to offer DHCP only on WIFI but not on ether

Suggest you dont do anything then that might interfere with the main router since its not your network. Assume some has said you can attach your device to the network and if so, make it like a router so the IP address you get from the router lan subnet will be the wanip on the cap. That way you can ...
by anav
Thu Feb 06, 2025 9:24 pm
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 36
Views: 11800

Re: How to run IPv6 from starlink on a mikrotik?

Much thanks, very well laid out.
by anav
Thu Feb 06, 2025 9:23 pm
Forum: Beginner Basics
Topic: Slow transfer speeds when changing routing table via mangle. [SOLVED]
Replies: 4
Views: 421

Re: Slow transfer speeds when changing routing table via mangle. [SOLVED]

First thing to do is read this reference document --> https://forum.mikrotik.com/viewtopic.php?t=143620 Second thing to do is modify ether8 ( change name, take it off bridge, give it an IP address, add to LAN and TRUSTED interface lists) Then plug laptop into ether8 to access the router use 192.168....
by anav
Thu Feb 06, 2025 9:12 pm
Forum: Beginner Basics
Topic: wireguard site to site "outbound traffic"
Replies: 4
Views: 268

Re: wireguard site to site "outbound traffic"

For sure. Post both configs /export file=anynameyouwish (minus router serial number, any public WANIP information, wireguard keys ) Also indicate which router is server for handshake and which is client peer for handshake. ( I am assuming its matriz which has a public IP and is the server peer for ...
by anav
Thu Feb 06, 2025 9:09 pm
Forum: Beginner Basics
Topic: Mapping 2 different ports range
Replies: 4
Views: 214

Re: Mapping 2 different ports range

Sounds like a worthwhile feature request then........
by anav
Thu Feb 06, 2025 9:08 pm
Forum: Beginner Basics
Topic: Wireguard VPN Mikrotik
Replies: 5
Views: 337

Re: Wireguard VPN Mikrotik

The question is not clear and your wireguard even less so. Are you using a third party VPN server or do you have a public IP and are hosting your own WG client server (for handshake) on the router.
by anav
Thu Feb 06, 2025 9:06 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 4954

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

In that case please post the latest config, not one from above etc.. and will have a fresh look.
by anav
Thu Feb 06, 2025 9:05 pm
Forum: Beginner Basics
Topic: How to offer DHCP only on WIFI but not on ether
Replies: 9
Views: 424

Re: How to offer DHCP only on WIFI but not on ether

I would simply create another vlan just for the cap and it would provide wifi.

Depending on settings on the wifi device, one could isolate wifi users from each other.
If wifi users need any access to wired users or vice versa use forward chain firewall rules.
by anav
Thu Feb 06, 2025 9:02 pm
Forum: Beginner Basics
Topic: Mapping 2 different ports range
Replies: 4
Views: 214

Re: Mapping 2 different ports range

So a range of dst ports does not automatically get applied when doing port translation, to the same sequential numbering of a To-range.............???
Too bad there is not an option to force that.
What application requires this kind of assignment though??
by anav
Thu Feb 06, 2025 8:59 pm
Forum: General
Topic: RB5009+ 2x hAP ax2 as access Point
Replies: 16
Views: 1443

Re: RB5009+ 2x hAP ax2 as access Point

If one is willing to do teamviewer or anydesk sessions, assistance can be rendered gratis, depends upon how much free time I get......... in any case can always look me up on discord..... anav_ds. I was joking about 5009, its a very good router certainly nothing wrong with it unless you need a 10GIG...
by anav
Thu Feb 06, 2025 8:56 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1167

Re: VLANs segregation

Yes assuming you have an allow rule for the VLAN interface list or LAN interface list, whatever you call it
add action=accept chain=forward in-interface-list=!!!!!!! out-interface-list=WAN
by anav
Thu Feb 06, 2025 8:54 pm
Forum: General
Topic: Very slow upload speed - Please help! [SOLVED]
Replies: 7
Views: 501

Re: Very slow upload speed - Please help! [SOLVED]

Reminds me of this post.......
viewtopic.php?p=1124141#p1124141
by anav
Thu Feb 06, 2025 4:06 am
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1167

Re: VLANs segregation

Return traffic to an inquiry made by a home user to defined devices is automatically permitted. The dstnat rule looks fine, the to-port is not really required if same as dst port, its really designed to accommodate port translation if required. There is no forward chain rule required from WAN to LAN...
by anav
Wed Feb 05, 2025 9:56 pm
Forum: Beginner Basics
Topic: Simple AP Bridge setup
Replies: 29
Views: 103630

Re: Simple AP Bridge setup

Luv it!

I found this haiku:

"It’s not DNS
There’s no way it’s DNS
It was DNS"
One could add....

Its not my windows firewall
There's no way its the windows firewall
It was the windows firewall
by anav
Wed Feb 05, 2025 9:48 pm
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 36
Views: 11800

Re: How to run IPv6 from starlink on a mikrotik?

HI mozerd, any reason to implement the ipv6 if ipv4 works?
by anav
Wed Feb 05, 2025 9:45 pm
Forum: Beginner Basics
Topic: Replace ISP WAN connection with other router
Replies: 7
Views: 426

Re: Replace ISP WAN connection with other router

I would keep ether1 setup as is and use a different port as WAN2 to the router, do you have a spare port?
by anav
Wed Feb 05, 2025 9:43 pm
Forum: General
Topic: Very slow upload speed - Please help! [SOLVED]
Replies: 7
Views: 501

Re: Very slow upload speed - Please help! [SOLVED]

First just to be clear. 3-4 MBps = 25-33 Mbps.

Second: try disabling your mangle rules to see if that makes a difference.
Other than that can only suspect a cable issue somewhere.
by anav
Wed Feb 05, 2025 9:38 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1167

Re: VLANs segregation

how can I make sure that only certain hosts in Home VLAN can access to hosts in IOT on given ports only? add action=accept chain=forward in-interface=Home dst-address=$HA_IP dst-port=$HA_port protocol=tcp add action=accept chain=forward in-interface=Home dst-address=$Pihole_IP dst-port=53 protocol=u...
by anav
Wed Feb 05, 2025 9:31 pm
Forum: General
Topic: Bridge-domain like configuration on CRS3xx switches
Replies: 4
Views: 338

Re: Bridge-domain like configuration on CRS3xx switches

Tagging or untagging vlans on ports is easy but as usually untagging on any particular is limited to one vlan ( can have none, 1 or many tagged vlan on same port though). So if you mean many untagged vlans on same port NOGO. The other one is aggregating vlans to one vlan, not sure what you mean by t...
by anav
Wed Feb 05, 2025 12:54 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1167

Re: VLANs segregation

Back to the clear question, I am not aware of what your issue is?
Use of ports in firewall rules works just fine.
by anav
Tue Feb 04, 2025 6:55 pm
Forum: General
Topic: Very slow download speed - Please help!
Replies: 11
Views: 661

Re: Very slow download speed - Please help!

1. Remove this or disable it, you already are using pppoe as your ISP client interface. /ip dhcp-client add comment=defconf interface=ether1 2. What are these for????????? they are not attached to any interface???? If you dont know remove'...... /ip firewall mangle add action=change-mss chain=fo...
by anav
Tue Feb 04, 2025 6:53 pm
Forum: General
Topic: DMZ Pinhole
Replies: 18
Views: 2396

Re: DMZ Pinhole

Its also not clear whats going on ether2,3 would seem you have setup hybrid ports to what?? unifi access points?
remove bridge from lan interface as a member.
remove the static dns setting to 192.168.88.1
by anav
Tue Feb 04, 2025 12:32 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 2189

Re: Question on using the Internal Zerotier Controller [SOLVED]

Perhaps turning off electrical power to NY state just before superbowl starts would send the right message LOL. But I agree, there are some EU funny rules that are not so easy to overcome, but hey, anything is better than orange farts. By the way, who blinked first game seems to have started one mon...
by anav
Tue Feb 04, 2025 12:26 am
Forum: General
Topic: Network diagram/documentation
Replies: 4
Views: 865

Re: Network diagram/documentation

Added a few more links above, you might want to avoid the network mappers if looking for simple
PS. I had to take two aspirin after looking at the diagrams. :-)
by anav
Tue Feb 04, 2025 12:20 am
Forum: General
Topic: Network diagram/documentation
Replies: 4
Views: 865

Re: Network diagram/documentation

Wowzer................ you need some serious software. A bit much to keep on the top of your head only. :-) Maybe something like https://www.fortra.com/products/network-monitoring-software/network-mapping-software https://www.domotz.com/ (more on network mappers --> https://www.dnsstuff.com/top-7-ne...
by anav
Tue Feb 04, 2025 12:02 am
Forum: General
Topic: WireGuard SMB and Throughput Problems
Replies: 11
Views: 1168

Re: WireGuard SMB and Throughput Problems

Should be, many things you utilize I am not going to be helpful on, veth, dockers etc... 1. Please set to NONE as this function has been known to cause issues. /interface detect-internet set detect-interface-list= WAN 2. This line shows an issue as the interface is undefined add allowed-address=192....
by anav
Mon Feb 03, 2025 8:41 pm
Forum: General
Topic: Need some routing experts to help me figure out my setup
Replies: 5
Views: 483

Re: Need some routing experts to help me figure out my setup

I too have two WANS, one fiber and one cable docsis. I only need a script for the fiber due to the fact when it changes IP address, the new gateway fails to be changed in my manual routes. For some reason my cable modem and router seem to have no issues dealing with the changing gateway....... As to ...
by anav
Mon Feb 03, 2025 8:29 pm
Forum: General
Topic: "Error in Gateway - non zero ip address expected!" when using Quick Set
Replies: 20
Views: 1049

Re: "Error in Gateway - non zero ip address expected!" when using Quick Set

From Larsa the term could be "Klud-gugily", though piger opus seems accurate, as for Kids these days, thats what your parent said ;-P
by anav
Mon Feb 03, 2025 8:15 pm
Forum: Beginner Basics
Topic: paring AVM and wAP ax
Replies: 1
Views: 242

Re: paring AVM and wAP ax

TRY going to home setting above, then to the search box upper right and type in FRITZ
Then go to google and type Fritz Mikrotik
Then go to youtube and type Fritz Mikrotik

Ask chatbot to fix it for ya.
by anav
Mon Feb 03, 2025 8:11 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 2189

Re: Question on using the Internal Zerotier Controller [SOLVED]

Larsa, are you trying to talk sexy at me "# chmod +r *". ?? Sounds like, if was to guess, some linux NAS command to ensure read only LOL. Ammo, sounds like too much recent smoke inhalation has impaired your judgment of what I am able to accomplish ( or my budget ). I am starting a go fund ...
by anav
Mon Feb 03, 2025 6:51 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 2189

Re: Question on using the Internal Zerotier Controller [SOLVED]

The most practical application I can think of is my intention to host an NAS for images/video, and have it accessible by globally located family members etc. Zerotier may be the best way to allow users to access, load, organize etc.............. my only concern is inadvertent deletion of files.........
by anav
Mon Feb 03, 2025 6:27 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 2189

Re: Question on using the Internal Zerotier Controller [SOLVED]

Thanks AMMO, so controller is limited to CLI, is there a sense it will migrate to Winbox eventually. Will stick to non-self-controller option especially since the benefit is tied to using a third party git program which also has to be loaded onto docker??
by anav
Mon Feb 03, 2025 4:35 pm
Forum: Forwarding Protocols
Topic: How can I do load balancing in ospf?
Replies: 3
Views: 441

Re: How can I do load balancing in ospf?

You can find the answer here --> viewtopic.php?t=214383#p1123298
by anav
Mon Feb 03, 2025 4:32 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 2189

Re: Question on using the Internal Zerotier Controller [SOLVED]

Okay I had to read the docs to understand the use of the word controller. It would seem one can 'bypass' the zerotier site for setup and do it mostly on the mikrotik device. Does this mean one is still using zerotier servers? How is information protected/encrypted using the controller? Do you need a ...
by anav
Mon Feb 03, 2025 3:41 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1167

Re: VLANs segregation

The ONLY rule needed to allow port forwarding, required in the forward chain, and putting just before the drop all rule is fine. add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat Since MT decided not to provide zerotrust cloudflare in an options package ...
by anav
Mon Feb 03, 2025 2:13 pm
Forum: General
Topic: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]
Replies: 6
Views: 904

Re: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]

Just so you understand CATs advice...... MULVAD gave you one IP address to use. That is the address they have in their peer settings for your connection. If you send any of your internal user with their private lan subnet IP as source it will get rejected at the other end. We use sourcenat like (lik...
by anav
Mon Feb 03, 2025 2:08 pm
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1167

Re: VLANs segregation

hahah, I thought you meant etherport ...............
Allowing all users to your pi server is perfectly legit.
by anav
Mon Feb 03, 2025 5:01 am
Forum: Beginner Basics
Topic: A simple WAN/LAN/DMZ VLAN config to start off
Replies: 17
Views: 1997

Re: A simple WAN/LAN/DMZ VLAN config to start off

The benefit of consistently using VLAN ID 1 is that it is the default untagged network for Mikrotik devices. Even with gross misconfiguration, you ever won't lose connectivity,
So basically leave it in due to expected incompetence while also leaving security holes in a vlan setup. Bad advice.
by anav
Mon Feb 03, 2025 4:55 am
Forum: General
Topic: VLANs segregation
Replies: 13
Views: 1167

Re: VLANs segregation

Typically one only puts allow rules for specific traffic between vlans needed.
Then at the end of the forward chain simply put add chain=forward action=drop comment="drop all else".
Firewall rules are designed to stop layer3 traffic, so by port does not really apply.
by anav
Sun Feb 02, 2025 10:25 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2167

Re: 1.3km Possible?

@Josephny Clay, boulders, I feel your pain, same shit here in Nova Scotia. I retire next Sept, wouldnt mind a trip down to NY state to help and learn ( tics and deer flys would be far worse though than the ground ). Just hope I can afford the gas LOL, what with prices soon to be increasing in the US ...
by anav
Sun Feb 02, 2025 10:17 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2167

Re: 1.3km Possible?

That leaves... Starlink ?

Or you don't want to sponsor Elon ? :lol:
In the not too distant future, if you are not using Starlink
a. you will not be allowed to vote
or
b. you will be deported!
by anav
Sun Feb 02, 2025 10:16 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2167

Re: 1.3km Possible?

Same here, I’d rather have a dentist appointment without anesthesia! 🤣🤣🤣
With those teeth, clearly you never go to the dentist!
by anav
Sun Feb 02, 2025 10:10 pm
Forum: General
Topic: Decision on Network Setup
Replies: 3
Views: 450

Re: Decision on Network Setup

If the ONT provides a public IP, I would probably go that route, if it doles out only a private IP and you cannot forward ports on it etc, ( no access to the public IP) then would go for the direct connection. Reason for hesitation on GPON, being is that incompatibility of ISP and mikrotik traffic o...
by anav
Sun Feb 02, 2025 9:55 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 4954

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

ROUTER VeRY confUsing!! Make up your mind. 1. USE VLANS, do not assign dhcp to bridge etc. 2. a. What should NOT be on your router anywhere is 192.168.88.0 - if you need it assign another vlan but you already have a home subnet, and a management subnet, so WTF is 192.168.88 ??? b. What should be on...
by anav
Sun Feb 02, 2025 5:21 pm
Forum: Beginner Basics
Topic: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]
Replies: 14
Views: 2026

Re: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]

@Ddram, that is now how RoS firewall rules work. If I have two vlans A and B. And I want users in Vlan to be able to access a device in VlANB all I need is: add chain=forward action=accept in-interface=VLANA dst-address=vlanB-DeviceIP All traffic from vlanA to the device will be permitted. All retur...
by anav
Sun Feb 02, 2025 5:13 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2167

Re: 1.3km Possible?

Dont complain, up here in Canada we have to actually buy our cell phones, unlike verizon and T-mobile that give them away like candies.
by anav
Sun Feb 02, 2025 5:11 pm
Forum: General
Topic: 2gws, slowly internet [SOLVED]
Replies: 7
Views: 857

Re: 2gws, slowly internet [SOLVED]

If you continue to struggle, perhaps an online teamviewer/anydesk session to show you how.......... shouldnt need to though........
by anav
Sun Feb 02, 2025 3:28 pm
Forum: General
Topic: Required gateways isolation in bridge VLAN
Replies: 2
Views: 420

Re: Required gateways isolation in bridge VLAN

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) The MT config is interrelated just showing one part is not going to cut it. The requirements for user traffic requested by Sindy is also critical. I would add any external users?? either going to serve...
by anav
Sun Feb 02, 2025 3:23 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 2167

Re: 1.3km Possible?

Trench to edge of properties, then towers............ See if there is at any point across the cross property if there is line of sight.
by anav
Sun Feb 02, 2025 4:29 am
Forum: Beginner Basics
Topic: How to forward port? [SOLVED]
Replies: 12
Views: 1553

Re: How to forward port? [SOLVED]

If connecting to a server using the DYNDNS URL of the server and the user doing so is in the same subnet then this is called hairpin nat.
Requires a hairpin source nat rule.
add chain=srcnat action=masquerade src-address=serverSUBNET dst-address=serverSUBNET
by anav
Sun Feb 02, 2025 4:27 am
Forum: General
Topic: Site to site VPN - one http service accessible only via roguewarrior, not LAN
Replies: 7
Views: 1061

Re: Site to site VPN - one http service accessible only via roguewarrior, not LAN

Which one is the MT and is it the Server peer for handshake or client peer?
Understand about other router but if you cant post on the MT, I will move on.
by anav
Sun Feb 02, 2025 4:25 am
Forum: General
Topic: Is there a way to make the wifi signal stronger on LtAP LTE6?
Replies: 10
Views: 819

Re: Is there a way to make the wifi signal stronger on LtAP LTE6?

Wifi is not my forte but posting the config is a good starting place.
/export file=anynameyouwish ( minus device serial number, any public WANIP information, keys etc. )
by anav
Sat Feb 01, 2025 10:37 pm
Forum: General
Topic: ethernet port on Guest Network [SOLVED]
Replies: 10
Views: 935

Re: ethernet port on Guest Network [SOLVED]

Then send subnet 10 and subnet 172 on whatever port on the router to the MT device on its trunk port.
Or are you saying the upstream router is not capable of vlans.
by anav
Sat Feb 01, 2025 10:34 pm
Forum: General
Topic: Site to site VPN - one http service accessible only via roguewarrior, not LAN
Replies: 7
Views: 1061

Re: Site to site VPN - one http service accessible only via roguewarrior, not LAN

You have not provided the configs of both routers.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Sat Feb 01, 2025 7:40 pm
Forum: Beginner Basics
Topic: Forum rules
Replies: 35
Views: 145744

Re: Forum rules

I would have to post less to match Canada's NATO actual % in spending LOL.
I would say 90% of my posts are due to MT not implementing proper joining standards! ;-P
by anav
Sat Feb 01, 2025 7:37 pm
Forum: General
Topic: ethernet port on Guest Network [SOLVED]
Replies: 10
Views: 935

Re: ethernet port on Guest Network [SOLVED]

Firstly, 7.17.2 does not exist, only 7.17.1 and of course betas for 7.18. just to be clear you are using this device ONLY as a switch/AP. You wish to pass the guest network (vlan) to the wifi on the device and to at least one ethernet port. Which port is connected to the router. Is the guest vlan ...
by anav
Sat Feb 01, 2025 6:21 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 309
Views: 516078

Re: Using RouterOS to VLAN your network

This guide is great :) Does all the scripts work on RO7? As far as I understand, the router is mostly trunks as in big networks, many switches are connected up to the router Yes the scripts work fine on RoS7. The only deviation comes when you start using capsman but thats another topic ( datapath i...
by anav
Sat Feb 01, 2025 6:20 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 309
Views: 516078

Re: Using RouterOS to VLAN your network

Switch with a separate router (RoaS) ---snip--- Router Configuration at a glance: https://i.ibb.co/G5BYs2Z/router.png ---snip--- Firstly, I am only a recent MikroTik user, so I am still building my inventory of MT knowledge. Kindly bear with my limited knowledge, but I have a question. Shouldn't ON...
by anav
Sat Feb 01, 2025 6:17 pm
Forum: General
Topic: High Availability 2 DHCP servers
Replies: 6
Views: 774

Re: High Availability 2 DHCP servers

Geez Holvoe every time I just think you're just a pretty face, you blow me away with some hidden acumen, I also thought like you were retired LOL.
by anav
Sat Feb 01, 2025 6:15 pm
Forum: General
Topic: Is there a way to make the wifi signal stronger on LtAP LTE6?
Replies: 10
Views: 819

Re: Is there a way to make the wifi signal stronger on LtAP LTE6?

Remove house walls/floors? Oh it's a wooden house with practically no walls :) So my guess is that this isn't really an issue, the signal gets really weak on the same floor. Weird LOS should be good. Makes me think of some antenna orientation issue or more likely interference on the chosen frequenc...
by anav
Sat Feb 01, 2025 6:13 pm
Forum: General
Topic: ethernet port on Guest Network [SOLVED]
Replies: 10
Views: 935

Re: ethernet port on Guest Network [SOLVED]

Sure, if i was a fiction writer.......... but I am not. Need facts.
/export file=anynameyouwish ( minus mT device serial number, any public WANIP information, keys )
by anav
Sat Feb 01, 2025 6:11 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 4954

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

I didnt have to look far into your router, its missing vlans, only guest is identified. Can I not have both VLAN traffic an non-VLAN traffic in the same network ? My first goal is to only configure the guest VLAN properly, then take it from there. Okay this time will be less polite LOL.......... us...
by anav
Sat Feb 01, 2025 3:49 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 4954

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

I didnt have to look far into your router, its missing vlans, only guest is identified.
by anav
Sat Feb 01, 2025 5:14 am
Forum: General
Topic: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]
Replies: 6
Views: 904

Re: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]

/interface bridge add name=BR1 vlan-filtering=yes /interface bridge port add bridge=BR1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether2 pvid=99 add bridge=BR1 ingress-filtering=yes frame-types=admit-only-priority-and-untagged interface=ether3 pvid=10 add bridge=B...
by anav
Sat Feb 01, 2025 3:53 am
Forum: General
Topic: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]
Replies: 6
Views: 904

Re: Wireguard + VLAN -> Route one client through Wireguard tunnel [SOLVED]

Dont get your point in the added bit in orange, get rid of it. /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 add action=masquerade chain=srcnat out-interface=MullvadWG_1 src-address=0.0.0.0/0 add one of the two following rules, to help with MTU, whichever works better for ...
by anav
Fri Jan 31, 2025 7:43 pm
Forum: General
Topic: RB5009+ 2x hAP ax2 as access Point
Replies: 16
Views: 1443

Re: RB5009+ 2x hAP ax2 as access Point

Concur I am in the market for a used RB5009, I can at least cover postage. :-)
by anav
Fri Jan 31, 2025 7:42 pm
Forum: General
Topic: WireGuard SMB and Throughput Problems
Replies: 11
Views: 1168

Re: WireGuard SMB and Throughput Problems

You have provided very little useful information to even begin a conversation.
by anav
Fri Jan 31, 2025 6:59 pm
Forum: Beginner Basics
Topic: firewall rules and logging ideas
Replies: 4
Views: 615

Re: firewall rules and logging ideas

To be clear, are ALL USERS supposed to get DNS from pihole, or only guest users? You should really use one bridge only, and for the LAN and that the LAN should not have any subnet but create two subnets one for guest as you have VLAN guest and one for home VLAN home. ALso dont use the word LAN for t...
by anav
Fri Jan 31, 2025 6:56 pm
Forum: General
Topic: 2gws, slowly internet [SOLVED]
Replies: 7
Views: 857

Re: 2gws, slowly internet [SOLVED]

If you dont know where the problem is then dont only provide snippets
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

One common issue is not to disable fasttrack when mangling affects most of the traffic.
by anav
Fri Jan 31, 2025 2:41 pm
Forum: Beginner Basics
Topic: How to forward port? [SOLVED]
Replies: 12
Views: 1553

Re: How to forward port? [SOLVED]

Other points 1. missing wan member /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN add interface=ether2 list=WAN 2. If you manually added netmask=24 on this line, remove it. /ip dhcp-server network add address=10.1.10.0/24 comment=de...
by anav
Fri Jan 31, 2025 2:27 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

By adding another wireguard vpn and possibly changing which go to which vpn add complications and changes requirements and should have been identified at the beginning. You will have to start mangling unless you can contain users within subnets. SubnetA goes to sweden, SubnetB, goes to London, Subne...
by anav
Fri Jan 31, 2025 2:23 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

It will work properly when you are clearer on requirements. What you are doing is work arounds to ensure traffic flows, the to your expectations. The problem is your actual expectations dont match your up to this point to the discussion previous aka the directions... Step back. Firewall rules are si...
by anav
Fri Jan 31, 2025 12:47 am
Forum: Beginner Basics
Topic: How to forward port? [SOLVED]
Replies: 12
Views: 1553

Re: How to forward port? [SOLVED]

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
by anav
Fri Jan 31, 2025 12:45 am
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

No worries, doing well! Will look at this again later. Understand about the wireguard....... Here is an example of your situation I saw elsewhere and the only difference was the endpoint address, but one needed a second interface. /interface wireguard add listen-port=51020 mtu=1420 name=Surfshark1 a...
by anav
Fri Jan 31, 2025 12:35 am
Forum: General
Topic: Vlan Setup
Replies: 3
Views: 532

Re: Vlan Setup

I dont look at part configs so all three are needed and what is the relationship and type of devices R1,R2,R3 /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) ensure also you read this guidance on vlans: https://forum.mikrotik.com/viewtopic.php?t=143...
by anav
Thu Jan 30, 2025 11:49 pm
Forum: Beginner Basics
Topic: Troubles with configuring hairpin NAT
Replies: 11
Views: 2569

Re: Troubles with configuring hairpin NAT

So what are you trying to accomplish with repeaters.......
Do communicating devices need to be on different subnets?
Type of devices??? is it SONOS, is it APPLE etc......
by anav
Thu Jan 30, 2025 11:43 pm
Forum: Beginner Basics
Topic: Assistance Needed ASAP
Replies: 4
Views: 724

Re: Assistance Needed ASAP

Click bait titles dont titillate you k6 LOL. Why not subscribe to the anav proposed sandbox for new members!!........... Nope we want to continue to get such nonsense......... Getting hit on the head lessons is two doors down. We should all buy orange wigs.
by anav
Thu Jan 30, 2025 11:40 pm
Forum: Beginner Basics
Topic: firewall rules and logging ideas
Replies: 4
Views: 615

Re: firewall rules and logging ideas

When you want to ditch the youtube nonsense, I will be glad to help provide a clean and useful firewall set of rules.
However, one must look at the config as a whole, so a complete export is required.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Thu Jan 30, 2025 11:36 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1025

Re: VLANs under the bridge

1. One bridge, add both ISP vlans to the single bridge! 2. Recommend changing ether8 to an EDGE port to avoid potential interference. 3. Pools rationalized ( 7,9 duplicates) plus only 6 vlans so only 6 Pools. 4. The APs should also have the home vlan unless nobody at home is allowed wifi ;-P plus of...
by anav
Thu Jan 30, 2025 10:26 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1025

Re: VLANs under the bridge

hide sensitive was valid for ver6 not ver7.
by anav
Thu Jan 30, 2025 10:24 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

butt ugly format for export................. Also, pay more attention to security this opens up winbox to the entire internet. add action=accept chain=input comment="allow Winbox" port=8291 protocol=tcp Simply only allow admin "authorized IPs" to access the router via the input c...
by anav
Thu Jan 30, 2025 8:40 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 48
Views: 3426

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Hence why I keep harping you to try just for a month a service that is used for a wide variety of users with no issues....... It may provide you sanity. :-)
by anav
Thu Jan 30, 2025 4:52 pm
Forum: General
Topic: How to configure router so it allows local server access by public host
Replies: 4
Views: 606

Re: How to configure router so it allows local server access by public host

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Thu Jan 30, 2025 4:51 pm
Forum: General
Topic: only one host to wan
Replies: 7
Views: 665

Re: only one host to wan

So the device does not get a public IP but a private IP from an upstream company router?
If so, correct one should still ensure access to:
a. the router for config purposes is limited to admin IT staff
b. access to any subnets (double nat) are limited to those requiring access etc...
by anav
Thu Jan 30, 2025 4:29 pm
Forum: General
Topic: only one host to wan
Replies: 7
Views: 665

Re: only one host to wan

Bad idea to connect any router to the internet without firewall rules in place.
by anav
Thu Jan 30, 2025 4:25 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1025

Re: VLANs under the bridge

Just to be clear, do you have two lines coming from the ISP device and plugged into the router One for internet and your router gets an IP address on the 100 subnet? and the other for Telephone OR You have one line coming from the ISP device and from this you want to use one DHCP from the ISP for th...
by anav
Thu Jan 30, 2025 4:22 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1025

Re: VLANs under the bridge

Remove router serial number from posted configs.
by anav
Thu Jan 30, 2025 4:13 pm
Forum: Beginner Basics
Topic: Wireguard Road Warrior - can access everything except Router
Replies: 22
Views: 1344

Re: Wireguard Road Warrior - can access everything except Router

Post your latest FULL config for review.
by anav
Thu Jan 30, 2025 3:58 am
Forum: Beginner Basics
Topic: Wireguard Road Warrior - can access everything except Router
Replies: 22
Views: 1344

Re: Wireguard Road Warrior - can access everything except Router

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Thu Jan 30, 2025 3:54 am
Forum: General
Topic: RB5009 +wAPax vlans
Replies: 9
Views: 833

Re: RB5009 +wAPax vlans

So the guide for setting up vlans is this: https://forum.mikrotik.com/viewtopic.php?t=143620 The difference for AP is that only the trusted vlan has the bridge tagged as well in /interface bridge vlan settings. The router all vlans have the bridge tagged. Once you have both done,,,,,,,post for revie...
by anav
Thu Jan 30, 2025 3:48 am
Forum: General
Topic: only one host to wan
Replies: 7
Views: 665

Re: only one host to wan

In the forward chain, remove the default rule add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN Replace with add chain=forward action=accept comment="host to internet" in-int...
by anav
Thu Jan 30, 2025 3:44 am
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

Yes it still recommended for third party VPNs, there are actually two in case one doesnt work well add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrough=yes protocol=tcp tcp-flags=syn add action=chang...
by anav
Thu Jan 30, 2025 3:40 am
Forum: General
Topic: Mangle policy based routing
Replies: 6
Views: 1017

Re: Mangle policy based routing

You mention two wans (main and LTE) and what you show is actually three ( MAIN on ether1, WIFI1, WIFI2) and no LTE, so I decided to stop looking.
by anav
Thu Jan 30, 2025 3:35 am
Forum: General
Topic: RB5009 +wAPax vlans
Replies: 9
Views: 833

Re: RB5009 +wAPax vlans

Will you be using capsman?
by anav
Thu Jan 30, 2025 1:06 am
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 48
Views: 3426

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

I do suggest you give mozerds service a try.. if just for a month, I am curious as to what your experience will be like.
I predict you would be very content.
by anav
Wed Jan 29, 2025 10:37 pm
Forum: General
Topic: Mangle policy based routing
Replies: 6
Views: 1017

Re: Mangle policy based routing

There is a bug with wireguard on second LAN interface, which is not fixable, something to do with how wireguard works. However there is a way around it, will post later.
by anav
Wed Jan 29, 2025 4:46 am
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 28
Views: 1912

Re: Blocking admin services - Firewall rules

Nobody asked for just part of your config..........geez So guess what I have to make up shit ..........thats fun Version1-vlans ......... /interface bridge add name=bridge-lan protocol-mode=none vlan-filtering=no { change this to yes as the last step } /interface vlan add interface=bridge-lan name=i...
by anav
Tue Jan 28, 2025 9:03 pm
Forum: General
Topic: Wiregard to redundant routers
Replies: 6
Views: 919

Re: Wiregard to redundant routers

Again, understood, this is quite easy to accomplish. Recommend two wireguard interfaces on home router one to connect to ISP Router1 and a second to connect to ISP router 2. In this way the following is accomplished. Authorized external wireguard users, accessing either ISP1 or ISP2 will have access ...
by anav
Tue Jan 28, 2025 8:54 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 28
Views: 1912

Re: Blocking admin services - Firewall rules

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Tue Jan 28, 2025 8:41 pm
Forum: General
Topic: What to buy
Replies: 31
Views: 1680

Re: What to buy

very old product: rb1100 - arm32 cpu 1.4Mhz ram1gig storage 128Mb, 13x 1gig ports, ---throughput -->2.3Gbps relatively new product: rb5009 - arm64 3.5-1.4Mhz ram1gig storage 1gig, 7x 1gig ports 1x 2.5gig port 1x sfp+1 port --- throughput --> 3.1Gbps ++++++++++++++++++++++++++++++++++++++++++++++++++...
by anav
Tue Jan 28, 2025 8:33 pm
Forum: Beginner Basics
Topic: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain
Replies: 9
Views: 1293

Re: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain

...when trying to access the HTTP server using the domain from the local network (same subnet of the HTTP server) I reach my MikroTik router web ui instead.
by anav
Tue Jan 28, 2025 7:38 pm
Forum: Beginner Basics
Topic: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain
Replies: 9
Views: 1293

Re: Alternatives to Hairpin NAT/split DNS - reaching HTTP server from the same subnet using domain

add chain=dstnat action=dstnat src-address=serverSUBNET dst-address=serverSUBNET
by anav
Tue Jan 28, 2025 5:24 pm
Forum: Beginner Basics
Topic: Buyer recommendations for noob in a hurry
Replies: 24
Views: 1639

Re: Buyer recommendations for noob in a hurry

Simple, I have not wasted anytime learning it. I am waiting for the continual changes in MTs approach to wifi slow down and become consistent and stable, and then I may elect to play. MT wifi has no effect on my simply working from day one TP Link APs. My frustration is that capsman interferes with ...
by anav
Tue Jan 28, 2025 4:37 pm
Forum: General
Topic: DMZ Pinhole
Replies: 18
Views: 2396

Re: DMZ Pinhole

Please post config in normal export format, its very difficult trying to read your work otherwise.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)


Note: I read recently that auto-mac for bridge is best set to manual NOT AUTO.
by anav
Tue Jan 28, 2025 4:26 pm
Forum: General
Topic: Winbox 4 does not display system note correctly
Replies: 5
Views: 612

Re: Winbox 4 does not display system note correctly

I am still using winbox3, winbox4 is not good enough for my needs yet. ;-)
by anav
Tue Jan 28, 2025 4:23 pm
Forum: Beginner Basics
Topic: Buyer recommendations for noob in a hurry
Replies: 24
Views: 1639

Re: Buyer recommendations for noob in a hurry

No, devil's way would be start messing with CAPsMAN :lol:
+1 ;-)
by anav
Tue Jan 28, 2025 5:22 am
Forum: Beginner Basics
Topic: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]
Replies: 14
Views: 2026

Re: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]

When you decide to get rid of quote marks around interface names and port names etc, I will look at the config again.
Also why no pool for two of the vlans?
by anav
Tue Jan 28, 2025 4:51 am
Forum: General
Topic: What to buy
Replies: 31
Views: 1680

Re: What to buy

Also, dont think just about today. Plan ahead, what will likely occur in the next five years.
An investment in a router should cover at least that time span. In other words, is your ISP throughput likely to be the same or increase?
by anav
Mon Jan 27, 2025 11:02 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 48
Views: 3426

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Nice AMMO. A touch of skepticism is always healthy. So just plain 9.9.9.9 no DOH etc.?
by anav
Mon Jan 27, 2025 10:55 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 48
Views: 3426

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

So does MT also provide a whitelist feature to help with false positives generated by the adlist feature LOL
by anav
Mon Jan 27, 2025 10:47 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 48
Views: 3426

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Yes and tomorrow, Stephen cashes in his profits from the Trump bitcoin and stops working on the list...................... how useful will it be tomorrow?? I mean lists are outacontrol... https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts https://raw.githubusercontent.com/PolishFilters...
by anav
Mon Jan 27, 2025 10:45 pm
Forum: General
Topic: VLANs under the bridge
Replies: 8
Views: 1025

Re: VLANs under the bridge

You made the error of having a bridge subnet, get rid of it and assign another VLAN. Due to this you failed to clearly identify this other subnet which seems to be at least intended for ports 4,5,6 and sfp-sfpplus1 ???? You also seem to be adding WAN ports to the Bridge which is not usually required...
by anav
Mon Jan 27, 2025 9:52 pm
Forum: 3rd party tools
Topic: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management
Replies: 79
Views: 21468

Re: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management

Not a linux guy, can barely understand RoS, can I run this program using dockers image on any windows PC??
Larsa might have to take me under the Wing so to speak........ to show me how.
by anav
Mon Jan 27, 2025 9:41 pm
Forum: 3rd party tools
Topic: 🚀 RemoteWinBox Admiral centralized MikroTik Management
Replies: 10
Views: 3744

Re: 🚀 RemoteWinBox Admiral centralized MikroTik Management

Glad to see Admiral is humming along! The MFA is key for me. Previous experience with the software prior, was that connecting was SSTP without credentials and it seems things are getting better in that regard as well ! Sadly I am only a small time user and couldnt keep pace with the changes and need...
by anav
Mon Jan 27, 2025 9:28 pm
Forum: General
Topic: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?
Replies: 48
Views: 3426

Re: Quick take: Cloudfare, Quad9, Google, NextDNS, Adguard or Pihole?

Whats with github and stephen black? Is Mikrotik supporting this list, using this as a default?
Stated otherwise, what lists are people using, and are they trustworthy, uptodate or effective and how do you know?
by anav
Mon Jan 27, 2025 9:26 pm
Forum: Wireless Networking
Topic: Handover between access point of Unifi
Replies: 1
Views: 1100

Re: Handover between access point of Unifi

Why not if the information is coming in wirelessly why would it not work>>
Does your cell phone only work at home?
If your ISP is providing you with any sort of device/modem etc, then that will be the problem not the MT.
by anav
Mon Jan 27, 2025 9:23 pm
Forum: Wireless Networking
Topic: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)
Replies: 13
Views: 2625

Re: Best Way to Wireless Bridge 1st and 3rd Floor in an old apartment building (Thick Floors/Walls)

If its an old building does it have old RG6 coax cabling joining rooms! ( works reasonably with adapters)
You could use that as well. I imagine running outdoor RG6 may be an easy sell to as its quite common to see.
by anav
Mon Jan 27, 2025 9:16 pm
Forum: Forwarding Protocols
Topic: Issue with portforwarding
Replies: 1
Views: 519

Re: Issue with portforwarding

This rule allows port 3000 to the router, which is what you dont want, you want it strictly to the LAN server, so it should be removed. add action=accept chain=input comment="allow 3000" in-interface=pppoe-client port=3000 protocol=tcp This rule is hindering port forward... add action=drop...
by anav
Mon Jan 27, 2025 6:21 pm
Forum: Beginner Basics
Topic: specific WAN for specific Bridge
Replies: 5
Views: 622

Re: specific WAN for specific Bridge

First thing to do is remove serial number from posted config. Second is to read this reference: https://forum.mikrotik.com/viewtopic.php?t=143620 Third, is when you want to go to one bridge and use vlans, I will be able to assist. (simply take the bridge subnet as a fourth vlan) (which subnet does t...
by anav
Mon Jan 27, 2025 5:49 pm
Forum: Beginner Basics
Topic: specific WAN for specific Bridge
Replies: 5
Views: 622

Re: specific WAN for specific Bridge

So you have three subnets and each subnet should ONLY use a specific WAN ??
What happens when one of the WANS is not available?
Is there any port forwarding to servers on any of the lans? If so, external users or internal or both ........
Is there any traffic to the router aka VPNs?
by anav
Mon Jan 27, 2025 5:45 pm
Forum: General
Topic: Tenda Access Point and Mikrotik as Router
Replies: 5
Views: 4275

Re: Tenda Access Point and Mikrotik as Router

Post a link to the manual for your device, we use MT not tenda devices!!!
by anav
Mon Jan 27, 2025 1:50 am
Forum: General
Topic: ISP ideas to manage clients ?
Replies: 7
Views: 850

Re: ISP ideas?

Will there be more offers? Are there any small or internet service providers in this forum? I've been asking this question for the entire time I've been on the forum and I'm not getting a correct answer 😁 Also a comedian, the name associated with your accounts says "new user" and thus one...
by anav
Sun Jan 26, 2025 11:25 pm
Forum: Beginner Basics
Topic: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]
Replies: 14
Views: 2026

Re: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]

Okay understood all. Lets get consistent about nomenclature --> TRUSTED = Admin and IT control and every smart device gets an IP in this subnet. Management should be considered VIPs, head of company or departments that may or may not need special access to something or just simply on their own subne...
by anav
Sun Jan 26, 2025 9:01 pm
Forum: General
Topic: Major Issue with Bridges in RouterOS 7.17 [SOLVED]
Replies: 10
Views: 1555

Re: Major Issue with Bridges in RouterOS 7.17 [SOLVED]

sure sounds like a bug, would take a supout of your router and report the issue to mikrotik ( go to support and register for an account and submit bug report)
by anav
Sun Jan 26, 2025 6:39 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

Send the RIF to support, thank you, there might be some cases where some default config is conflicting.
I did but checked today and the new supout didnt show, I must not have completed the add process properly.
Added it just now and its visible in the conversation trail.
by anav
Sun Jan 26, 2025 6:16 pm
Forum: Beginner Basics
Topic: Wireguard connection only works once: Keepalive problem? [SOLVED]
Replies: 5
Views: 1155

Re: Wireguard connection only works once: Keepalive problem? [SOLVED]

Okay I see one potential issue...... from: /interface wireguard peers add allowed-address=10.255.255.3/24 client-keepalive=20s \ endpoint-port=13231 interface=wireguard1 name=peer1 public-key=\ "xxx" add allowed-address=10.255.255.5/24 client-keepalive=20s \ endpoint-port=13231 interfac...
by anav
Sun Jan 26, 2025 5:59 pm
Forum: Beginner Basics
Topic: Wireguard connection only works once: Keepalive problem? [SOLVED]
Replies: 5
Views: 1155

Re: Wireguard connection only works once: Keepalive problem? [SOLVED]

Try changing wireguard MTU to 1420 ( that is the normal default), I also dont see anything else at the moment
by anav
Sun Jan 26, 2025 5:31 pm
Forum: Beginner Basics
Topic: Wireguard connection only works once: Keepalive problem? [SOLVED]
Replies: 5
Views: 1155

Re: Wireguard connection only works once: Keepalive problem? [SOLVED]

Only the client peers ON THEIR Devices, require keep alive settings. You have some weird selections..... 1. Remove this dstnat rule, it is not required for standard wireguard usage. /ip firewall nat add action=dst-nat chain=dstnat dst-port=13231 in-interface=vlan-internet \ protocol=udp to-ports=132...
by anav
Sun Jan 26, 2025 4:40 am
Forum: Beginner Basics
Topic: Setting crs304-4xg-in as layer 2 switch [SOLVED]
Replies: 19
Views: 1920

Re: Setting crs304-4xg-in as layer 2 switch [SOLVED]

Good to know!!
by anav
Sun Jan 26, 2025 4:32 am
Forum: Beginner Basics
Topic: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]
Replies: 14
Views: 2026

Re: Question about Firewall Rules for Inter-VLAN Communication [SOLVED]

Why do you have seven vlans and only 5 pools? You are missing an IOT vlan and the work vlan. If you have a trusted network, why is an infrastructure IP identified as Management IP why are you using a management single 1gig port for infrastructure vlan ??? Changing this to 10gig port and keeping the ...
by anav
Sun Jan 26, 2025 3:10 am
Forum: Beginner Basics
Topic: Setting crs304-4xg-in as layer 2 switch [SOLVED]
Replies: 19
Views: 1920

Re: Setting crs304-4xg-in as layer 2 switch [SOLVED]

Seems like 6,6a,7 are perfectly fine for 10gbps connections.
.......
by anav
Sat Jan 25, 2025 7:57 pm
Forum: General
Topic: speed problem with Mikrotik Hex model RB750Gr3
Replies: 26
Views: 1722

Re: speed problem with Mikrotik Hex model RB750Gr3

What do you suggest now? What should I do? I don't want to replace the hex, I want to fix the problem. I consider this problem a cat and mouse game on the part of Mikrotik to buy a new device. Well the problem is not understanding the specifications available on the product pages or coming here to ...
by anav
Sat Jan 25, 2025 7:16 pm
Forum: General
Topic: speed problem with Mikrotik Hex model RB750Gr3
Replies: 26
Views: 1722

Re: speed problem with Mikrotik Hex model RB750Gr3

@MKX for the version 7 ECMP it uses L3 hash policy as depicted below. Can you explain these further?? Is there a practical reason to consider L4 or L3 inner( what the heck is L3 inner) ( maybe one works better for consistent interactions with banks etc. ) ..... Screenshot 2025-01-25 131307.jpg
by anav
Sat Jan 25, 2025 7:07 pm
Forum: General
Topic: speed problem with Mikrotik Hex model RB750Gr3
Replies: 26
Views: 1722

Re: speed problem with Mikrotik Hex model RB750Gr3

with Fasttrack you can get Full Speed with the 750GR3 and with 7.18beta this is also working with IPv6 really? 7.18beta pcc work with fasttrack? No I am saying since Vers7, ECMP is now automatically applied and is actually a more favourable load balancing approach IMHO. It automatically provides lo...
by anav
Sat Jan 25, 2025 6:37 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

Interesting as I wouldnt have thought of that but since the router is in some sense a client here as well it kinda works. Just wondering if monkeying with the MTU for one device connection will effect all the other clients connecting............. most will probably be smartphone but could easily hav...
by anav
Sat Jan 25, 2025 6:32 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

If we find out that airvpn does not sourcenat external user source IP, then we may look at some additional work to ensure traffic flows properly in all situations. So far there are no issues for the traffic to reach the router and the LAN server. Let's say this time the request is not sourcenatted to ...
by anav
Sat Jan 25, 2025 6:20 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

This is my first take on the subject. This should resolve most issues. What is not clear is what the airvpn does with the original source addresses of the incoming traffic to its site. In other words, we do not know if airvpn sourcenats the incoming traffic to its own wireguard IP or not. If it does n...
by anav
Sat Jan 25, 2025 5:00 pm
Forum: General
Topic: [feature suggesstion] Allow copying selected lines from Winbox log view
Replies: 7
Views: 874

Re: [feature suggesstion] Allow copying selected lines from Winbox log view

Thats why I said target of opportunity AMMO. If its low hanging fruit in the software vernacular, by all means go for it. I was assuming that its difficult and time consuming to program, your sense is otherwise based on better knowledge of the gubbins of available functionality. If its as easy as co...
by anav
Sat Jan 25, 2025 4:56 pm
Forum: General
Topic: Wiregard to redundant routers
Replies: 6
Views: 919

Re: Wiregard to redundant routers

Sounds like you are complicating things unnecessarily LOL. Assuming your router at home is MT, like a hapax3 etc....... It still requires a NORMAL wan connection to a local ISP. Then you can wireguard to the other ISP routers you are managing at a different location as much as you want through that ...
by anav
Sat Jan 25, 2025 4:35 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

okay understood. Flexible list that need to go out wireguard sweden Flexible list that needs to be blocked from any Internet access. So you need to keep two firewall address lists up to date. those allowed LOCAL WAN those not allowed any WAN access Rest go through Sweden. You didnt confirm whether o...
by anav
Sat Jan 25, 2025 4:20 pm
Forum: General
Topic: Wiregard to redundant routers
Replies: 6
Views: 919

Re: Wiregard to redundant routers

Not quite sure but you should be able to have two wireguard tunnels up at all times.
Home router to ISP1 on one wireguard interface and Home router to ISP2 on a second wireguard interface.
Just not sure how your ISP routers are setup and whether or not the backup has a live connection at all.......
by anav
Sat Jan 25, 2025 4:17 pm
Forum: General
Topic: speed problem with Mikrotik Hex model RB750Gr3
Replies: 26
Views: 1722

Re: speed problem with Mikrotik Hex model RB750Gr3

Hard to assess if PCC vice ECMP is more useful without knowing the ISP particulars. ( speaking about need for mangling etc.)
by anav
Sat Jan 25, 2025 3:56 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

Did AirVPN provide any DNS servers for you to use? You have two PCs you dont want going out wireguard sweden? Assuming these need to go out regular local WAN? Any other local traffic that should occur ( between LANIPs ) ?? You noted PI server, if all are going out internet via sweden what is the pur...
by anav
Sat Jan 25, 2025 3:09 pm
Forum: Useful user articles
Topic: Hairpin NAT - the easy way
Replies: 49
Views: 104417

Re: Hairpin NAT - the easy way

off the top of my head, the issue is no longer a Layer2 problem, as a different subnet provides no connectivity at layer 2.
by anav
Sat Jan 25, 2025 3:05 pm
Forum: Beginner Basics
Topic: Setting crs304-4xg-in as layer 2 switch [SOLVED]
Replies: 19
Views: 1920

Re: Setting crs304-4xg-in as layer 2 switch [SOLVED]

/interface bridge add ingress-filtering=no name=bridge /interface ethernet set [ find default-name=ether5 ] name=OffBridge5 /interface list add name=MAIN /interface bridge port add bridge=bridge interface=ether1 add bridge=bridge interface=ether2 add bridge=bridge interface=ether3 add bridge=bridge...
by anav
Sat Jan 25, 2025 2:54 pm
Forum: General
Topic: [feature suggesstion] Allow copying selected lines from Winbox log view
Replies: 7
Views: 874

Re: [feature suggesstion] Allow copying selected lines from Winbox log view

pedja, I thought you stopped being spoon fed long ago?? Terminal is a selection in winbox, at the prompt your telling us you are unable to type 10 characters /log/print ?? Further you expect the developers to waste time on this and not all the far more important actual bug fixes etc........... This ...
by anav
Fri Jan 24, 2025 10:51 pm
Forum: General
Topic: Route List / Table question
Replies: 1
Views: 440

Re: Route List / Table question

Wrong, the order of WAN, primary, secondary, tertiary etc or all equal ( same distance - ECMP load balancing) is admin decision.
Very flexible setup.
by anav
Fri Jan 24, 2025 10:47 pm
Forum: Beginner Basics
Topic: Cannot Port Forward using PCC and VLan [SOLVED]
Replies: 5
Views: 1414

Re: Cannot Port Forward using PCC and VLan [SOLVED]

Do not use VLAN1 if at all possible. Make changes for ether2 and do all config from there. RB4011 has two switch chips so put all your important data vlans on the same switch chip....... ports 6-10. With version 7 firmware you are way better given four ISPs with the same throughput to use ECMP. Keep...
by anav
Fri Jan 24, 2025 6:04 pm
Forum: Forwarding Protocols
Topic: Issue Port Forwarding UDP
Replies: 1
Views: 489

Re: Issue Port Forwarding UDP

/export file=anynameyouwish (minus router serial number, any public WANIP information vpn keys etc.)

using notepad++ to open and edit and post here, and use the code tags above, on the same line as Bold and Underline the black square with white square brackets.
by anav
Fri Jan 24, 2025 6:00 pm
Forum: Useful user articles
Topic: Hairpin NAT - the easy way
Replies: 49
Views: 104417

Re: Hairpin NAT - the easy way

Is it because in the same LAN scenario, the packet back would be destined directly to the client MAC address as the server has it in its ARP table, and the router would simply switch it back to the client without any processing, Something like that......... the router knows where the originator is ...
by anav
Fri Jan 24, 2025 1:56 pm
Forum: General
Topic: VLAN config RB760iGS??
Replies: 4
Views: 596

Re: VLAN config RB760iGS??

Is that your complete config....... you have not defined vlans etc. nor have any firewall rules.
Are you trying to use this device as a switch>?
by anav
Thu Jan 23, 2025 10:33 pm
Forum: Beginner Basics
Topic: hEX - E50UG - default password does not work
Replies: 4
Views: 654

Re: hEX - E50UG - default password does not work

It's the basic user test, if you cannot get past the password, you don't qualify to use MT products! ;-)
by anav
Thu Jan 23, 2025 9:10 pm
Forum: Beginner Basics
Topic: VLAN and WIREGUARD basic
Replies: 6
Views: 1844

Re: VLAN and WIREGUARD basic

1.Upgrade firmware to 7.12 and then to 7.17 ( also routerboard ) 2. Then using ether2 to config....... RB4011 has two switch chips, thus to keep all ports used on the same bridge moving them to 6-10 So first step is to move ether8 to ether2 !! 3. Added management vlan 4. Single Wireguard interface b...
by anav
Thu Jan 23, 2025 5:59 pm
Forum: Beginner Basics
Topic: Low internet speed when we did PCC load balancing and connecting 2 ISPs on Mikrotik
Replies: 12
Views: 3126

Re: Low internet speed when we did PCC load balancing and connecting 2 ISPs on Mikrotik

I cannot help, I recommended a different solution for IP routes as noted above. You have provided a routing that is already load balanced based on ECMP and thus is nonsensical. Since you didn't accept that change, my providing of recursive won't work either as it won't relate to your current settings.
by anav
Thu Jan 23, 2025 5:25 pm
Forum: General
Topic: BTH VPN WIREGUARD in chr
Replies: 1
Views: 412

Re: BTH VPN WIREGUARD in chr

CHR, well if you are using CHR at home and not in a VPS, cannot help you. The idea of CHR is to acquire a public IP address or at least a public WANIP in a specific geographic location. The key being you no longer need BTH because regular wireguard will work just fine. Good point that it should be i...
by anav
Thu Jan 23, 2025 2:26 pm
Forum: General
Topic: REQ: AirVPN / Wireguard fine tune assistance
Replies: 19
Views: 2899

Re: REQ: AirVPN / Wireguard fine tune assistance

Sure but how bout first you get rid of all the noise.
Delete all the unused config as it makes it harder to read and diagnose issues.
Once done repost and will have a look.
by anav
Thu Jan 23, 2025 2:23 pm
Forum: Beginner Basics
Topic: Cannot Port Forward using PCC and VLan [SOLVED]
Replies: 5
Views: 1414

Re: Cannot Port Forward using PCC and VLan [SOLVED]

First question I have is, how do you propose to setup PCC when you have already setup the pppoe to make routes automatically? If they all have the same distance, you already have ECMP load balancing in effect ??? Not sure what game you are playing, but your config seems focussed on viruses not neede...
by anav
Thu Jan 23, 2025 2:00 pm
Forum: General
Topic: Wireguard Stopped After Upgrade
Replies: 10
Views: 2935

Re: Wireguard Stopped After Upgrade

Upgrade to 7.17 and see if the behaviour repeats itself. Im pretty sure they are interested in working on bugs based on the latest firmware, as any previous bugs may have been taken care of already.
by anav
Thu Jan 23, 2025 1:56 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

No the address range provided is fixed, the admins smartphone will get 192.168.216.3, the router 192.168.216.1 address and 192.168.213.2 is reserved for the relay peer. You are correct the default rule allows access to the LAN, so it depends how you have defined your LAN interface list. Further rule...
by anav
Thu Jan 23, 2025 2:05 am
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

Decided to try BTH on main router CCR1009 and using 7.17 firmware. All good in terms of using the iphone app on trusted WLAN to create the tunnel. All settings checked on router via winbox 1. Only difference from hapax3 ( acting as a switch ) is that I finally see on the CCR1009 version, the forward...
by anav
Wed Jan 22, 2025 6:32 pm
Forum: Beginner Basics
Topic: Optimizing Server Placement: MikroTik Router vs. Switch
Replies: 12
Views: 999

Re: Optimizing Server Placement: MikroTik Router vs. Switch

Is there an echo in here?? ;-)
by anav
Wed Jan 22, 2025 5:08 pm
Forum: Beginner Basics
Topic: Optimizing Server Placement: MikroTik Router vs. Switch
Replies: 12
Views: 999

Re: Optimizing Server Placement: MikroTik Router vs. Switch

Generally speaking if the traffic to the server is mostly across the switch ( users on ports on the switch need access to the server,) then put it behind the switch.
by anav
Wed Jan 22, 2025 4:19 pm
Forum: General
Topic: ROS-7: /ip/route/check
Replies: 6
Views: 1502

Re: ROS-7: /ip/route/check

IOS-7?
Perhaps its no longer Riga Operating System and Mikrotik is being bought out by Wipro and the new name is Indian Operating System ???
by anav
Wed Jan 22, 2025 2:15 pm
Forum: Beginner Basics
Topic: Guest WiFi setup with one main router and a couple of APs in bridge mode
Replies: 11
Views: 1105

Re: Guest WiFi setup with one main router and a couple of APs in bridge mode

Disagree, both APs should have both the management or trusted vlan being sent to them ( as that is where AP gets its IP address from).
Additionally all other data vlans ( trusted wifi, guest wifi, iot wifi) etc should be passed to the APs as well.
by anav
Wed Jan 22, 2025 2:12 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

Same here attempting to do it all from App.
by anav
Wed Jan 22, 2025 4:43 am
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

Did some more testing but still no luck. However I have to admit the hapax3 is not setup as a router but simply an AP switch behind a CCR1009 main router, with one primary WAN. So the management vlan is where the hapax3 gets its IP address. When I use my iphone to start the process, I use a WLAN on ...
by anav
Tue Jan 21, 2025 11:11 pm
Forum: General
Topic: RB5009UG+S+ ip problem
Replies: 16
Views: 1738

Re: RB5009UG+S+ ip problem

I am not a zerotier expert, but assuming stating the zerotier interface on the input chain rule was not enough or accurate, perhaps you need to add actual IP address???
by anav
Tue Jan 21, 2025 11:08 pm
Forum: General
Topic: How to create hairpin rune?
Replies: 2
Views: 584

Re: How to create hairpin rune?

A wider rule, that is often prescribed, is dst-address=192.168.12.0/24 src-address=192.168.12.0/24
( intent here is if you have more than one server active in the subnet )
by anav
Tue Jan 21, 2025 11:06 pm
Forum: Scripting
Topic: New command in RouterOs 7
Replies: 37
Views: 13748

Re: New command in RouterOs 7

You guys are amazing, for me it's like reading Chinese......incomprehensible.
Some day I need to go to California or Italy for a 2 week scripting camp. ( which would barely scratch the surface ).
by anav
Tue Jan 21, 2025 2:51 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 4954

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

What is the management vlan or trusted vlan, and do the capacs and switch get an IP address from this VLAN?
In other words do not see vlan99 above, and it should be going from rb4011 to both capacs as well.
by anav
Tue Jan 21, 2025 2:35 pm
Forum: General
Topic: Back to home (iOS): Connection refused
Replies: 4
Views: 535

Re: Back to home (iOS): Connection refused

Is the Mikrotik device acting as a router or a switch??
How did you create the BTH VPN in the first place.

Ensure you have access to the input chain for the IP address of your phone when connecting from the trusted WLAN.
by anav
Tue Jan 21, 2025 12:01 am
Forum: Beginner Basics
Topic: VLAN on a single port
Replies: 9
Views: 1184

Re: VLAN on a single port

Unfortunately you will have to make an effort fail and try again and learn, there are no shortcuts. Before any advice though one needs a complete set of requirements understood, not just one server. Without the below, you cannot have a realistic plan, and a plan before config is essential. a. identi...
by anav
Mon Jan 20, 2025 8:55 pm
Forum: General
Topic: DMZ Pinhole
Replies: 18
Views: 2396

Re: DMZ Pinhole

Everything was looking normal until you decided to add an undocumented immigrant in your config. Where did vlan16 come from?? Also you stated you want nut client to reach pi...... dmz to lan. however in the diagram it states nut client LISTENing on port 3498, which IMPLIES that the pi is going to co...
by anav
Mon Jan 20, 2025 5:22 pm
Forum: Beginner Basics
Topic: VLAN and WIREGUARD basic
Replies: 6
Views: 1844

Re: VLAN and WIREGUARD basic

If we can be clear on requirements, assistance can be rendered.

a. identify all users/devices, external and internal, and admin
b. identify the traffic the groups above required.
(explain purpose of vlans etc.)
by anav
Mon Jan 20, 2025 4:23 pm
Forum: Beginner Basics
Topic: external dhcp delay on cap ac
Replies: 18
Views: 1512

Re: external dhcp delay on cap ac

So you agree, that if an IT person for a university is going to use MT product, he should
a. actually take some MT courses., or
b. get consulting assistance.
( havent even touched upon security as a component of using MT devices)
by anav
Mon Jan 20, 2025 4:19 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

BTH is supposed to make a dynamic input chain rule for wireguard, completely normal! The forward chain rule you see, I have never seen when making BTH setups, so not sure why you are seeing it. I can only guess is that you didnt select LAN availability for your peers? In any case you can apply firew...
by anav
Mon Jan 20, 2025 5:30 am
Forum: General
Topic: Routing issue VPN>VLAN>CRS328>CRS109>PC
Replies: 3
Views: 950

Re: Routing issue VPN>VLAN>CRS328>CRS109>PC

Not at ALL, conceptually not difficult. Assuming you did the opensense properly, you have one trunk port to the 328 and at least one trunk port to the 109. The management vlan must reach the 109 as all switches get an IP address on that subnet. However not interested in your opinion only on facts and...
by anav
Mon Jan 20, 2025 5:27 am
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

Nichky, the QR code available at the router is ONLY for the first assignment to the admin's smartphone........... When you use Manage Shares from that smartphone, you can create more qrcodes, links BTH app can use, or standard wireguard export files........

The screenshot from my iphone you mean??
by anav
Mon Jan 20, 2025 12:42 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 5811

Re: L3 HW Offloading

GLuck, then, as you seem to have all well in hand. Not even sure why you posted.
by anav
Mon Jan 20, 2025 12:24 am
Forum: General
Topic: Adding bridge interface to WAN - is there anything special?
Replies: 2
Views: 590

Re: Adding bridge interface to WAN - is there anything special?

Normally, the WAN need not be part of any bridge.
Depends on the circumstances, and typically in vlan filtering there is only one bridge.
by anav
Mon Jan 20, 2025 12:24 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 5811

Re: L3 HW Offloading

To help us, and to help yourself, the clarity starts with you... a. identify all the users/devices (external, internal and including admin) b. identify all the traffic the above groups must accomplish c. detail the WAN ( how many, public, private static, dynamic etc, if more than one, load balance o...
by anav
Mon Jan 20, 2025 12:17 am
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

Well you need to ensure LAN is allowed on bth users ( its the default setting so should be )
You may need to add a forward chain allow rule from BTH to LAN
You may need to add a forward chain rule allow from BTH to WAN
by anav
Sun Jan 19, 2025 10:54 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 5811

Re: L3 HW Offloading

Table refers to Routing Table(s). There is the main table which holds the majority of routes ( associated with IP addresses and subnets ) WAN etc. Special Tables...... not in main, created by admin for the purposes of sending traffic out a different table than the normal routing tables normally used...
by anav
Sun Jan 19, 2025 8:56 pm
Forum: General
Topic: Hot take on Botnets - How do you secure your Mikrotik while setting it up?
Replies: 40
Views: 2921

Re: Hot take on Botnets - How do you secure your Mikrotik while setting it up?

As Sindy said, you're assuming too much, I have used CHR and have no clue on how to do any such thing on my computer, it was daunting enough to deal with a VPS, which I had no clues on.
As suggested, the recommendation sent --> SUP-176831
by anav
Sun Jan 19, 2025 7:57 pm
Forum: General
Topic: Hot take on Botnets - How do you secure your Mikrotik while setting it up?
Replies: 40
Views: 2921

Re: Hot take on Botnets - How do you secure your Mikrotik while setting it up?

When you purchase a CHR, you provide a password which MT then bakes into the image prior to sending you the file.
OR
All CHRs come with a random password, part of the purchase is a separate file containing password.
by anav
Sun Jan 19, 2025 6:30 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 5811

Re: L3 HW Offloading

If you actually want to get some answers, and fix the issue, the best place to start is providing your config.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

(ps dont see any cheap RB5009s yet on amazon.com)
by anav
Sun Jan 19, 2025 6:25 pm
Forum: Beginner Basics
Topic: external dhcp delay on cap ac
Replies: 18
Views: 1512

Re: external dhcp delay on cap ac

If you are in charge of University IT, this is not the place to get your paid work done.
a. take the proper MT courses
b. if an emergency --> https://mikrotik.com/consultants
by anav
Sun Jan 19, 2025 6:22 pm
Forum: Announcements
Topic: v7.17.2 [stable] is released!
Replies: 534
Views: 103988

Re: v7.17 [stable] is released!

Well, we should make some test before upgrading en-masse our devices. I have upgraded only one my personal router that is not critical. The other one in my network are all on the 7.16.2 As a homeowner, I had no issues updating my hapax3, non-critical AP to 7.17. My main router CCR1009 will not get ...
by anav
Sun Jan 19, 2025 5:08 pm
Forum: Beginner Basics
Topic: Setting up DHCP for beginners
Replies: 5
Views: 1130

Re: Setting up DHCP for beginners

Beginners dont normally need more than 50 addresses, is this a real question or a hypothetical?
If its real then you need to provide a far more detailed explanation of your network, the users and services being provided.
by anav
Sun Jan 19, 2025 5:06 pm
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 4954

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

Cannot be that unhappy, you posted on JAN 08, and only getting to it now??? Must have been in the hospital or on vacation.
by anav
Sun Jan 19, 2025 5:02 pm
Forum: Beginner Basics
Topic: Stuck in config: winbox and disconnections [SOLVED]
Replies: 5
Views: 1485

Re: Stuck in config: winbox and disconnections [SOLVED]

Last Version ROUTER ( Assuming Office is trusted subnet ) 1. /interface bridge port add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged \ interface=ether2 pvid=100 add bridge=bridge ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged \ i...
by anav
Sun Jan 19, 2025 4:31 am
Forum: General
Topic: Hot take on Botnets - How do you secure your Mikrotik while setting it up?
Replies: 40
Views: 2921

Re: Hot take on Botnets - How do you secure your Mikrotik while setting it up?

??? You dont deploy it ( connect to ISP ) until its setup.
by anav
Sat Jan 18, 2025 10:41 pm
Forum: General
Topic: RB5009UG+S+ ip problem
Replies: 16
Views: 1738

Re: RB5009UG+S+ ip problem

/ip firewall address-list (using static dhcp leases) add address=192.168.1.X list=Authorized comment="admin desktop" add address=192.168.1.Y list=Authorized comment="admin laptop" add address=192.168.1.Z list=Authorized comment="admin smartphone" /ip firewall filter ad...
by anav
Sat Jan 18, 2025 5:13 pm
Forum: Beginner Basics
Topic: Low internet speed when we did PCC load balancing and connecting 2 ISPs on Mikrotik
Replies: 12
Views: 3126

Re: Low internet speed when we did PCC load balancing and connecting 2 ISPs on Mikrotik

Accurate but avoidable, I missed this when looking at firewall rules. There is a purpose to using no-track in mangling, which is an aid in discriminating which traffic to identify, but also to KEEP fasttrack and not cause any slowdown. From: add action=fasttrack-connection chain=forward comment=&quo...
by anav
Sat Jan 18, 2025 5:06 pm
Forum: Beginner Basics
Topic: Low internet speed when we did PCC load balancing and connecting 2 ISPs on Mikrotik
Replies: 12
Views: 3126

Re: Low internet speed when we did PCC load balancing and connecting 2 ISPs on Mikrotik

Support tickets are for bugs in the software mostly, and for suggestions........ It is not designed to help with peoples configs. If we cannot find a source for your issues, after resolving any config issues, then a supout and bug are probably appropriate. This is very simple load balancing so it sh...
by anav
Sat Jan 18, 2025 3:49 am
Forum: General
Topic: Wireguard: Can' access VLANs
Replies: 5
Views: 2016

Re: Wireguard: Can' access VLANs

1. slight mod /interface bridge port add bridge=bridge ingress-filtering=yes frame-type=admit-only-vlan-tagged interface=trunk-switch1-ether1 add bridge=bridge interface=nuc-ether3 pvid=100 comment="hybrid port" add bridge=bridge ingress-filtering=yes frame-type=admit-only-priority-and-unt...
by anav
Fri Jan 17, 2025 11:12 pm
Forum: General
Topic: Merging 2 lines with PCC loadbalancing fails to pick the right gateway [SOLVED]
Replies: 6
Views: 1210

Re: Merging 2 lines with PCC loadbalancing fails to pick the right gateway [SOLVED]

I wondered how its been used for many years with such a misconfiguration............
Which leads one to conclude we dont have a complete picture as well.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Fri Jan 17, 2025 10:42 pm
Forum: Forwarding Protocols
Topic: How to connect WAN directly to some port, bypassing NAT
Replies: 13
Views: 3046

Re: How to connect WAN directly to some port, bypassing NAT

Not a sweet clue of what you are attempting sorry.
by anav
Fri Jan 17, 2025 10:04 pm
Forum: General
Topic: RB5009UG+S+ ip problem
Replies: 16
Views: 1738

Re: RB5009UG+S+ ip problem

I would never rely on NAT and an ISPs modem to provide security. So yes, I think you should add the standard set of firewall rules.
by anav
Fri Jan 17, 2025 6:56 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

@Normis. note: ensured that mac-server win-mac server included Trusted interface note: ensured Trusted interface list included back to home interface. note: ensured input chain rule for BTH subnet allowed ( although have few rules on my hapax3 and no drop all rules) SUPOUT SENT --> SUP-176739 .... I...
by anav
Fri Jan 17, 2025 5:08 pm
Forum: General
Topic: RB5009UG+S+ ip problem
Replies: 16
Views: 1738

Re: RB5009UG+S+ ip problem

One problem is duplication of WAN, either use IP address OR ip dhcp client, NOT both!!! /ip address add address=192.168.1.1/24 interface=lan network=192.168.1.0 add address=192.168.0.200/24 interface=WAN network=192.168.0.0 /ip dhcp-client add interface=WAN Is this device your router? No firewall ru...
by anav
Fri Jan 17, 2025 5:06 pm
Forum: General
Topic: Help needed. Separate internet access per port in the bridge
Replies: 4
Views: 659

Re: Help needed. Separate internet access per port in the bridge

Disagree..... ether1 should NOT be part of the bridge ports or related settings, its WAN and nothing to do with bridge. On the other subject. when you create /interface bridge port for access ports and enter the PVID, the router dynamically includes the required untagging on corresponding /interface...
by anav
Fri Jan 17, 2025 4:48 pm
Forum: Beginner Basics
Topic: Help Wanted: Best practices to protect router and switch management access with bridge-tagged vlans [SOLVED]
Replies: 10
Views: 2086

Re: Help Wanted: Best practices to protect router and switch management access with bridge-tagged vlans [SOLVED]

https://forum.mikrotik.com/viewtopic.php?t=143620 On the router side yes, vlans ( interface bridge vlan ) need to be tagged for bridge and for any trunk ports ( and hybrid ports) When using bridge vlan filtering on switches aka 300 series, only the management vlan needs to be tagged on bridge. NO, r...
by anav
Thu Jan 16, 2025 8:25 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

edit NM. answered a post from page one LOL
by anav
Thu Jan 16, 2025 8:23 pm
Forum: Beginner Basics
Topic: Help Wanted: Best practices to protect router and switch management access with bridge-tagged vlans [SOLVED]
Replies: 10
Views: 2086

Re: Help Wanted: Best practices to protect router and switch management access with bridge-tagged vlans [SOLVED]

Are you familiar with RoS and the use of bridge vlan filtering, as it would be strange to make any assumptions based on limited knowledge?
by anav
Thu Jan 16, 2025 5:26 pm
Forum: General
Topic: PoE hEX RB960PGS as a switch? [SOLVED]
Replies: 9
Views: 1275

Re: PoE hEX RB960PGS as a switch? [SOLVED]

There are many examples of such in the forums, and also a ref with examples.
viewtopic.php?t=143620
by anav
Thu Jan 16, 2025 5:24 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 468
Views: 430994

Re: NEW FEATURE: Back to Home VPN

Sorry for many questions, but just getting deeper into BTH. Why and what traffic is coming in from the dynamic BTH interface that is added? I created BTH on the phone, all works. Then I switch the phone off and would assume no more traffic is coming in/accepted on the input chain. But not the case ...
by anav
Thu Jan 16, 2025 5:21 pm
Forum: Announcements
Topic: v7.17.2 [stable] is released!
Replies: 534
Views: 103988

Re: v7.17 [stable] is released!

@ Edpa 1. *) bridge - added interface-list support for VLANs; Does this mean we can now list the bridge as an interface list member and this will include all vlans attached to the bridge? 2. *) bridge - enable faster HW offloading when detect-internet is disabled; Will faster HW offloading also occu...
by anav
Wed Jan 15, 2025 8:04 pm
Forum: General
Topic: DMZ Pinhole
Replies: 18
Views: 2396

Re: DMZ Pinhole

Understood, no worries. Most are not picky like me. :-)
by anav
Wed Jan 15, 2025 7:23 pm
Forum: General
Topic: DMZ Pinhole
Replies: 18
Views: 2396

Re: DMZ Pinhole

When you are willing to change your config to the optimal one bridge approach - all vlans associated with bridge, will be happy to assist.
viewtopic.php?t=143620
by anav
Wed Jan 15, 2025 6:21 pm
Forum: Useful user articles
Topic: Advanced Routing Failover without Scripting
Replies: 277
Views: 159203

Re: Advanced Routing Failover without Scripting

Do you use netwatch?
by anav
Wed Jan 15, 2025 6:17 pm
Forum: General
Topic: DMZ Pinhole
Replies: 18
Views: 2396

Re: DMZ Pinhole

So you have servers on one subnet. a. are users coming to the servers from external? b. are users coming from same subnet as servers? c. are users coming from the other subnet (where pi is located) So no traffic ORIGINATED at severs, only responses to incoming requests?? ( except for NUT client orig...
by anav
Wed Jan 15, 2025 6:01 pm
Forum: General
Topic: asymmetric routing
Replies: 13
Views: 1680

Re: asymmetric routing

@OP: Still waiting for requirements because I have no clue as to what you mean. As for no-mark, not sure what you mean TDW but that is a separate discussion..........
by anav
Wed Jan 15, 2025 5:58 pm
Forum: Beginner Basics
Topic: Did the Mikrotik firewall block the open ports?
Replies: 38
Views: 4325

Re: Did the Mikrotik firewall block the open ports?

I dont bother looking at snippets....