Community discussions

Search found 8752 matches

by anav
Sun Oct 17, 2021 9:34 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 23
Views: 1383

Re: Traffic to management of MikroTik switches not going through

For the rest of the config, 7 vlans identified but only 5 IP Pools etc., so you are missing data, so it seems.
Otherwise, it's a fairly complex setup so if you have your settings right it should work.
by anav
Sun Oct 17, 2021 9:32 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 23
Views: 1383

Re: Traffic to management of MikroTik switches not going through

Okay, so you need all smart devices to get an IP address on what you use as the management VLAN. If your switches are not Mikrotik then you need to do the following (scenario, home vlan10, guest wifi vlan 20, management vlan 99) Let's say a 5 port switch eth1 - trunk port from router eth2- trunk port ...
by anav
Sun Oct 17, 2021 9:09 pm
Forum: Beginner Basics
Topic: Where in firewall rules the Fasttrack should be
Replies: 5
Views: 220

Re: Where in firewall rules the Fasttrack should be

Looks good the only things I would change
are
/tool mac-server mac-winbox
set allowed-interface-list=non

list=LAN (so as to enable access via winbox to the router on the LAN).

and this one as well..........
/ip neighbor discovery-settings
set discover-interface-list=none

list=LAN
by anav
Sun Oct 17, 2021 4:49 pm
Forum: General
Topic: Block p2p from IP cameras - RB4011iGS+RM
Replies: 4
Views: 200

Re: Block p2p from IP cameras - RB4011iGS+RM

I would put all devices that should not have internet access on their own vlan(s).
Then simply block vlans from internet.........
by anav
Sun Oct 17, 2021 4:48 pm
Forum: General
Topic: Eth1 as WAN port with DHCP regardless IP
Replies: 2
Views: 89

Re: Eth1 as WAN port with DHCP regardless IP

The modem should provide a public IP to your router and in this case there is no issue with whatever subnet you choose for your LAN.
However if the modem is NOT giving you a public IP but a private IP address, then you have to make sure that your LAN is on a different private SUBNET.
by anav
Sun Oct 17, 2021 4:42 pm
Forum: General
Topic: VLAN correct config
Replies: 4
Views: 120

Re: VLAN correct config

Without knowing the full config I would hedge my bets but in general you can combine vlan-ids IF and only IF the ports are identical for all vlans. Since these are trunk ports, this is a very real possibility. both config are wrong anyway Version 1: /interface bridge vlan add bridge=bridge1 tagged= ...
by anav
Sun Oct 17, 2021 4:24 pm
Forum: Beginner Basics
Topic: Where in firewall rules the Fasttrack should be
Replies: 5
Views: 220

Re: Where in firewall rules the Fasttrack should be

/export hide-sensitive file=anynameyouwish
by anav
Sun Oct 17, 2021 3:04 am
Forum: Beginner Basics
Topic: CRS326-24G-2S+IN like a switch with vlan mgmt [SOLVED]
Replies: 8
Views: 569

Re: CRS326-24G-2S+IN like a switch with vlan mgmt [SOLVED]

Almost right I didn't state in red I stated it in blue ;-PP
vlan filtering=yes (add the yes bit as the last step in configuration)
by anav
Sat Oct 16, 2021 11:08 pm
Forum: Beginner Basics
Topic: Request config sanity check
Replies: 4
Views: 191

Re: Request config sanity check

Yup there are lots of changes required but don't have time to go in depth at the moment.
Didn't see anything dangerous.....
Be forewarned I am a minimalist and strive for cleaner configs.
by anav
Sat Oct 16, 2021 1:19 am
Forum: RouterOS v7 BETA
Topic: Is MT the worse monitoring router?
Replies: 17
Views: 898

Re: Is MT the worse monitoring router?

What? It's an excellent logging router from my experience.
Did you try packet sniffer for example??
by anav
Sat Oct 16, 2021 1:17 am
Forum: RouterOS v7 BETA
Topic: Wireguard use Hostname in endpoint
Replies: 5
Views: 1063

Re: Wireguard use Hostname in endpoint

I use two MT routers behind main routers as wireguard server and peer responsibilities and a smart phone peer as well.
I use IP cloud for endpoint settings for both routers and for the endpoint peer setting in the smartphone.
All works great.
by anav
Fri Oct 15, 2021 11:56 pm
Forum: Beginner Basics
Topic: Stuck on first ROS baby steps: PPPOE-client not connecting
Replies: 6
Views: 349

Re: Stuck on first ROS baby steps: PPPOE-client not connecting

Does the ISP need to reset at their end, not sure having never used pppoe, but perhaps there is a mac address stored somewhere that needs to be reset? Many folks are using PPOE with all kinds of MT devices without issue. Yeah you would not like to hook up that router anyway as you basically have no ...
by anav
Fri Oct 15, 2021 10:50 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 7
Views: 236

Re: SmartThings and SharkClean Notifications Stopped Working

So the euromesh gets its IP address from the MT??
by anav
Fri Oct 15, 2021 9:00 pm
Forum: Beginner Basics
Topic: Seamless failover
Replies: 16
Views: 658

Re: Seamless failover

So are you saying the cloud location houses the two ISP connections, and the office router only has one connection to the cloud location subnet?
If so what would be the difference between colo and physically putting another router in front of the current router with the same setup??
by anav
Fri Oct 15, 2021 5:04 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 7
Views: 236

Re: SmartThings and SharkClean Notifications Stopped Working

So the aero mesh worked with the previous router with no issues??
Connected to the Router via wired connection (I guess at least one of them)?
by anav
Fri Oct 15, 2021 4:48 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 7
Views: 236

Re: SmartThings and SharkClean Notifications Stopped Working

yeah that is weird, if everything is on the same subnet.
What is aeromesh??
by anav
Fri Oct 15, 2021 4:44 pm
Forum: Beginner Basics
Topic: Another Port Forwarding issue [SOLVED]
Replies: 2
Views: 128

Re: Another Port Forwarding issue [SOLVED]

(1) Not sure why you use .113 as a gateway. Probably not wrong but not something I see often. /ip dhcp-server network add address=192.168.1.0/24 comment=defconf gateway=192.168.1.113 netmask=24 (2) REMOVE UPNP settings, not required. (3) What you are missing is a Port Forward Rule, and we use the d...
by anav
Fri Oct 15, 2021 4:24 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 7
Views: 236

Re: SmartThings and SharkClean Notifications Stopped Working

Not enough info.
Network diagram (should show devices and subnets)
config
/export hide-sensitive file=anynameyouwish

What notices were you getting before? Do you mean on PC? on Smartphone?
by anav
Fri Oct 15, 2021 4:21 pm
Forum: Beginner Basics
Topic: Lost management access to AP, how to regain access?
Replies: 2
Views: 134

Re: Lost management access to AP, how to regain access?

Yup! (1) Read and use this as a setup model, examples for your scenario are there. https://forum.mikrotik.com/viewtopic.php?t=143620 The article however doesn't use capsman, neither do I, it's not worth it IMHO unless you have over 3 cap type devices. (2) One bridge for sure. (3) What I do is take an u...
by anav
Fri Oct 15, 2021 4:15 pm
Forum: Beginner Basics
Topic: WAP-R
Replies: 8
Views: 361

Re: WAP-R

(1) Why do you have two IP addresses for WLAN1 (suggesting removing the one in red) /ip address add address=192.168.88.1/24 comment=defconf interface=wlan1 network=\ 192.168.88.0 add address=10.10.10.1/24 interface=wlan1 network=10.10.10.0 (2) Why do you have LAN setup that is also your WAN setup. ...
by anav
Fri Oct 15, 2021 4:10 pm
Forum: Beginner Basics
Topic: is my NAT config is ok?
Replies: 20
Views: 1330

Re: is my NAT config is ok?

Routing scenario: I had a very simple connection like ISP has given me one static IP address with a subnet mask and gateway. But when i ask them to give me more public IP addresses "then they made this complex setup in Mikrotik". They told me that now they have given me a routed IP and I ...
by anav
Thu Oct 14, 2021 10:06 pm
Forum: Beginner Basics
Topic: WAP-R
Replies: 8
Views: 361

Re: WAP-R

I now have orders
/ export hide-sensitive file = test

tried out. Where can I find the exported file?
Hi there, there should be no spaces between file equal sign or test, thus: file=test

It will be found under FILES ;-)
by anav
Thu Oct 14, 2021 10:03 pm
Forum: General
Topic: Will NATted wireguard work?
Replies: 7
Views: 369

Re: Will NATted wireguard work?

As stated, this is a personal problem that you have, and is clearly no longer related to the wireguard or router settings.
Your stubborn head is the issue preventing success.
Good luck!
by anav
Thu Oct 14, 2021 7:35 pm
Forum: Beginner Basics
Topic: WAP-R
Replies: 8
Views: 361

Re: WAP-R

You have to associate this with your DHCP client and WAN interface settings. I don't use LTE so not sure. The rest of the device works from default settings................. Minor tweaking on wifi settings (SSID, security password etc..) NEXT TIME CONTINUE WITH SAME ORIGINAL THREAD, I just noticed you...
by anav
Thu Oct 14, 2021 7:14 pm
Forum: General
Topic: Per-port DHCP with port isolation on a hardware accelerated bridge
Replies: 5
Views: 181

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Network diagram helps sort that out visually!! Alright, I'll post a diagram tomorrow! If in writing: basically, I need: Hardware acceleration = 1 bridge interface Most connected devices get (by DHCP) fixed addresses (one switch port has the same address to be DHCP'd to the connected device) These p...
by anav
Thu Oct 14, 2021 5:57 pm
Forum: General
Topic: Per-port DHCP with port isolation on a hardware accelerated bridge
Replies: 5
Views: 181

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

The config doesn't matter, what are the requirements? This should be stated in terms of defining users/devices, groups of users/devices and then defining what they should be able to do, and what they should not be able to do, WITHOUT any discussion of the config etc.... Network diagram helps sort that...
by anav
Thu Oct 14, 2021 4:51 pm
Forum: Beginner Basics
Topic: is my NAT config is ok?
Replies: 20
Views: 1330

Re: is my NAT config is ok?

Observations/Comments: 1. There is no need to detail a specific user for a specific source NAT, and by that I mean, source-nat does not tell the packet where to go!! That is the job of the IP ROUTE part of the configuration. In other words, source-nat just states replace the source address of this ...
by anav
Thu Oct 14, 2021 3:52 pm
Forum: General
Topic: two network
Replies: 3
Views: 195

Re: two network

To what degree do they need to exchange data?
Then make the appropriate firewall rules.

IF they are supposed to be fully accessible to each other then just have one LAN or share both WANS to both LANs.

As always
a. draw network diagram
b. post your config
/export hide-sensitive file=anynameyouwish
by anav
Thu Oct 14, 2021 12:42 am
Forum: General
Topic: Will NATted wireguard work?
Replies: 7
Views: 369

Re: Will NATted wireguard work?

Please draw a network diagram as your config on the MT device is very confusing and ALL WRONG, and a diagram will help clear up some unknowns!! Why is the output chain used and especially for the UDP port. Why is the MT device which is your wireguard server port forwarding the UDP port. It should on...
by anav
Thu Oct 14, 2021 12:36 am
Forum: General
Topic: Will NATted wireguard work?
Replies: 7
Views: 369

Re: Will NATted wireguard work?

Yes, in my case the main router is a CCR1009. Correct I use port forwarding to send the listening udp port to the LANIP of the second router (on the main router LAN applicable subnet). This main router LANIP is thus the same as the WANIP of the secondary router. Thus the listening port traffic hits ...
by anav
Thu Oct 14, 2021 12:26 am
Forum: Beginner Basics
Topic: Seamless failover
Replies: 16
Views: 658

Re: Seamless failover

You will lose your session regardless of how seamless or quick it may seem.
What you are asking is impossible from what I understand.
by anav
Wed Oct 13, 2021 9:30 pm
Forum: General
Topic: Will NATted wireguard work?
Replies: 7
Views: 369

Re: Will NATted wireguard work?

It works just fine, it's your setup that is not working either on the phone or on the MT itself. Here is an example of my settings for my iphone......... I can only state what I have setup on my wireguard connections................ On the Server Router. a. listening port on input chain to allow init...
by anav
Wed Oct 13, 2021 3:41 am
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 27
Views: 1226

Re: VPN to connect home network to cottage

hahaha I hope rextended didnt also take your virginity at the same time..................
by anav
Wed Oct 13, 2021 2:29 am
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 610

Re: Problem with failover and second wan connection

It will be nice when wireguard is out of beta as its far easier to setup than any other VPN.
I can access my router easily with my smartphone as well.
by anav
Wed Oct 13, 2021 2:26 am
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 27
Views: 1226

Re: VPN to connect home network to cottage

Wireguard is the right solution, WHEN its out of beta, so you really mean in the interim ?? ;-)
by anav
Wed Oct 13, 2021 1:28 am
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 610

Re: Problem with failover and second wan connection

Just had a quick look and looks way better. Are the customers responsible for configuring the router. Or is that the purpose of the VPN tunnels, aka for you as admin to be able to access the routers for admin purposes?? Just be sure that the ip route gateway numbers you have entered are fake number...
by anav
Wed Oct 13, 2021 1:24 am
Forum: Beginner Basics
Topic: Why is my CAPsMAN network not as good as I hope for?
Replies: 19
Views: 1484

Re: Why is my CAPsMAN network not as good as I hope for?

Yes, go out and buy one TP Link EAP245, and just compare performance.
Then come back and report.
by anav
Wed Oct 13, 2021 12:21 am
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 12
Views: 614

Re: RB3011 VLAN with HP Managed Switch

Not quite. I said, keep the bridge and add all the vlans to the bridge. Then use /interface bridge ports and /interface bridge vlan settings as required. To distribute the vlans to the appropriate ports. As per this article. https://forum.mikrotik.com/viewtopic.php?t=143620 quick sample................
by anav
Tue Oct 12, 2021 11:01 pm
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 610

Re: Problem with failover and second wan connection

Sorry my rule of thumb is not to provide any assistance to an insecure router setup.
Nothing matters unless that is fixed.
Perhaps others less scrupulous will assist.
Will keep an eye on the thread though.................
by anav
Tue Oct 12, 2021 10:55 pm
Forum: Beginner Basics
Topic: PPOE VLAN
Replies: 2
Views: 184

Re: PPOE VLAN

Attach the vlan to the PPoE-Out interface not the sfp1 physical interface as you have done looking at your snippet (GOOD) For interface list vlan20 interface list=WAN PPoE-Out list=WAN sfp1 list=WAN (all three just to be on the safe side). If that doesn't fix it, need to see the rest of the code ./ex...
by anav
Tue Oct 12, 2021 7:51 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

Good to hear..... Of course think of the logic. The Server Router Wireguard Setting has to include the LISTENING PORT for incoming connections. The Server Router Wireguard Peer setting endpoint port is NOT used at all (unless the initial connection was required to be able to happen both ways)!! Clea...
by anav
Tue Oct 12, 2021 7:46 pm
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 12
Views: 614

Re: RB3011 VLAN with HP Managed Switch

Hi tdw, understood all but when managing other smart devices I prefer a consistent approach and that is to have management vlans, could use an existing trusted vlan too, with the bridge doing nothing but bridging. So in the OP's case I would create vlan50 to replace the bridge subnet, add the vlan t...
by anav
Tue Oct 12, 2021 6:30 pm
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 12
Views: 614

Re: RB3011 VLAN with HP Managed Switch

Which VLAN is your management VLAN? 20? 30? something else? The HP should get an IP address on the management vlan subnet for starters! Why is ether5 part of the bridge??? Why are ether2,3,4 members of the LAN when you already have the bridge identified as LAN. Why isn't vlan30 also associated with L...
by anav
Tue Oct 12, 2021 5:58 pm
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 12
Views: 614

Re: RB3011 VLAN with HP Managed Switch

First, Network diagram to see the relationship physical between devices (ports to ports)
and the network structure Subnets/vlans.

Also post your latest config.........
by anav
Tue Oct 12, 2021 5:57 pm
Forum: General
Topic: Log when a specific MAC connect ?
Replies: 8
Views: 332

Re: Log when a specific MAC connect ?

If the connections are to your WAN from the Internet MAC addresses will not be available.
Damn, didn't know that.
Oh not to worry, there will be far too many opportunities to re-live that reality. :-)
by anav
Tue Oct 12, 2021 5:53 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

Hi mudcharme, yes I never really looked at my IP Routes in that regard and just had a peek, so thanks for the tip and reminder!! Every subnet gateway has main routing table entry. @ H I can only state what I have setup on my wireguard connections................ On the Server Router. a. listening po...
by anav
Tue Oct 12, 2021 4:57 pm
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 610

Re: Problem with failover and second wan connection

Because that provides you with very little security actually. Any public IP can be spoofed on the internet and what you have done: a. The first rule basically says my bank vault is open to anyone with the right key. The key is not some encrypted algorithm, it's not even a strong password, it's only an...
by anav
Tue Oct 12, 2021 3:29 pm
Forum: Beginner Basics
Topic: Connection issue between LtAP mini LTE kit and hAP lite
Replies: 3
Views: 533

Re: Connection issue between LtAP mini LTE kit and hAP lite

Need more info.
Draw a network diagram so we can see how the devices are related and setup.
by anav
Tue Oct 12, 2021 3:08 pm
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 610

Re: Problem with failover and second wan connection

What do you mean connect to winbox from the internet. That is a big security NO NO. Is this the rule you are using.................uh oh!! add action=accept chain=input comment="allow whitelist" in-interface-list=WAN \ src-address-list=whitelist EVEN WORSE, couldn't imagine it being worse ...
by anav
Tue Oct 12, 2021 3:06 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

Hi H. In the case of the smartphone, the endpoint can be any public IP provided by a. the wifi of the location one is in, or b. random generated by the cellular company. In the case of a fixed peer behind a Public IP (static or dynamic - I can use the endpoint of IP cloud if the main router or peer ...
by anav
Tue Oct 12, 2021 2:58 pm
Forum: General
Topic: RouterBOARD 1100x4 VLAN
Replies: 1
Views: 130

Re: RouterBOARD 1100x4 VLAN

Lets see your config please as the explanation was not all that clear.

/export hide-sensitive file=anynameyouwish.

Also a network diagram will help understand the config and relationships between devices!
by anav
Tue Oct 12, 2021 1:49 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

The issue I have is that users will not realize that adding the IP creates the static route for you.
I think it's still useful to be able to create the route manually and then learn about the IP address trick after LOL
by anav
Tue Oct 12, 2021 1:47 am
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 610

Re: Problem with failover and second wan connection

What do you mean reach wan2 from the outside.
It sounds as if you configured the router with incomplete requirements.

Who needs outside access in WAN2 and for what reasons??
by anav
Tue Oct 12, 2021 1:37 am
Forum: Useful user articles
Topic: Hairpin NAT The Right way?
Replies: 0
Views: 349

Hairpin NAT The Right way?

There is no right way! It depends.............. Every person will have to decide what is the optimal way to configure their device(s) for hairpin NAT (sometimes called Loopback). Hairpin NAT is a funny situation of what is normally considered a dst-nat problem/variation and mostly for the case of po...
by anav
Tue Oct 12, 2021 12:16 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

Ah okay I was not aware of that functionality of adding IP address, thanks for the clarification. In any case the extra route created would not prevent connectivity either way. In any case the OP can try it both ways, as we both have run out of ideas LOL. I would like to know for sure if the phone i...
by anav
Tue Oct 12, 2021 12:15 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

Removed port as suggested - no change. You also don't need the static ip route for the wireguard subnet as it will already be present as a connected route. After deleting this static route, reboot your device. Whaaaaaaaaat? Tell me how any internet traffic going out the server router but originate...
by anav
Tue Oct 12, 2021 12:04 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

/ip route add disabled=no distance=1 dst-address=10.20.50.0/24 gateway=wgmt pref-src="" \ routing-table=main scope=30 suppress-hw-offload=no target-scope=10 YES you absolutely need this route (edit: I do because I don't give my WG interface IP addresses) (1) TRY using 10.20.50.2 for dst add...
by anav
Mon Oct 11, 2021 11:43 pm
Forum: Beginner Basics
Topic: local test setup - DNS & DHCP fail
Replies: 2
Views: 349

Re: local test setup - DNS & DHCP fail

The router basically works out of the box, hook up your pc to ether2, your ether1 to the ISP modem and you're off and running.
by anav
Mon Oct 11, 2021 4:36 pm
Forum: Beginner Basics
Topic: Network Routing [SOLVED]
Replies: 13
Views: 845

Re: Network Routing [SOLVED]

You are quite right, I was looking at the netgear as the router attached to the internet.
Silly me. Glad I was wrong, ignore my misplaced concerns.....
by anav
Mon Oct 11, 2021 3:30 pm
Forum: General
Topic: Source NAT Multiple ISP
Replies: 8
Views: 504

Re: Source NAT Multiple ISP

Based on the advice from Sindy..... ISP1 provides enough addresses for all tenants ISP1 will be used thus for any external incoming connections (servers, vpn tunnels). ISP1 traffic will be connection marked to ensure return traffic from tenants will go out ISP1 ***** All tenant originated traffic wi...
by anav
Mon Oct 11, 2021 2:54 pm
Forum: General
Topic: Source NAT Multiple ISP
Replies: 8
Views: 504

Re: Source NAT Multiple ISP

Someone smarter than me will have to answer that as my answer is NOT possible but keep in mind I have:
a. limited knowledge in networking
b. rudimentary knowledge of MT
by anav
Mon Oct 11, 2021 2:49 pm
Forum: Beginner Basics
Topic: Network Routing [SOLVED]
Replies: 13
Views: 845

Re: Network Routing [SOLVED]

@RhoAius
edit: I am out in left field LOL
by anav
Mon Oct 11, 2021 1:25 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

I dont see a mismatch the listen port for wireguard and the input chain to listen for it are the same 13231? However why is this rule in your input chain, (what purpose)? add action=accept chain=input comment=Wireguard dst-port=13231 in-interface-list=LAN protocol=udp In the forward chain what is th...
by anav
Mon Oct 11, 2021 1:22 am
Forum: General
Topic: Source NAT Multiple ISP
Replies: 8
Views: 504

Re: Source NAT Multiple ISP

You have the wrong approach, instead of trying to design a config around some vague requirements, forget the config. In a few sentences write down what the user requirements are. A. what do users or groups of users or devices or groups of devices need to be able to do on the network (what work do th...
by anav
Sun Oct 10, 2021 9:21 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 879

Re: Router route all AP traffic to Wan only

Yes, but let's not put the cart before the horse Zach!! Yes me not advocating vlans right away.........miracles. It's good that the OP knows how to manipulate the ports and bridge with rules prior to introducing vlans. Vlans, in general, are only really required if one does not have enough ports and n...
by anav
Sun Oct 10, 2021 9:18 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 705

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Exactly, I was in your boat not too long ago and thanks to the patience of the folks here I have managed to learn just enough to be dangerous. :-) Don't be shy to ask questions, it is fun once you get over some basic understanding hurdles. As anything else the more you learn, the more you realize ther...
by anav
Sun Oct 10, 2021 8:41 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 879

Re: Router route all AP traffic to Wan only

Whatever port is going to the AP, remove from the bridge. Give the etherportX its own subnet, IP address IP pool dhcp server and dhcp server network. Make sure its part of the Interface LAN list along with the bridge. In the firewall forward chain rule. Before the last rule put in something to the e...
by anav
Sun Oct 10, 2021 4:08 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 23
Views: 1383

Re: Traffic to management of MikroTik switches not going through

Well the only thing that would be sensitive sometimes the WANIP creeps in, otherwise, pretty decent. Not sure I will have time today to look but will try. In general, being able to access all devices successfully at least via winbox is to ensure that a management type vlan exists ( for a business a ...
by anav
Sun Oct 10, 2021 3:59 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 705

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Final comment,
It's more important you understand how the rules work and what they do and then the config will make sense.
IF you're just copying and pasting, then you will not be able to progress.
by anav
Sun Oct 10, 2021 3:53 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 705

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Rule number 1, don't put in the last rule on the input chain, drop everything etc. until you are happy with the rest of the input chain rules otherwise you will lock yourself out of the router!! Will attempt to address the questions!! (1) Your /interface bridge vlan rules are fine as you have put the...
by anav
Sun Oct 10, 2021 12:56 am
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 879

Re: Router route all AP traffic to Wan only

Its up to the OP to provide a full config via
/export hide-sensitive file=anynameyouwish

I was giving general advice, which is all one can give based on the meager information provided.
by anav
Sat Oct 09, 2021 10:45 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 879

Re: Router route all AP traffic to Wan only

In general, this is only possible if the AP and its clients are on a different subnet. If they are on the same subnet (layer2 connectivity) then layer3 firewall rules cannot prevent them from talking to each other. Thus recommend using a different subnet for the AP etc..... Lets say you use 192.168....
by anav
Sat Oct 09, 2021 6:50 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 705

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Okay have had a look, and will discuss some of the findings as one goes from top to bottom of the config. Overall not bad at all. (1) Minor point but I put in the untagged ports in my /interface bridge vlan rules, just so I can map them one to one to the /interface bridge port settings. The router c...
by anav
Sat Oct 09, 2021 6:02 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 705

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Please keep in mind. Youtube can also get you into trouble LOL. The input chain is for traffic to and from the router itself. WAN to Router, LAN to router, Router to WAN, Router to LAN The Forward chain rules are for traffic through the Router LAN to WAN, WAN to LAN, LAN to LAN What will help you he...
by anav
Sat Oct 09, 2021 4:52 pm
Forum: General
Topic: router behind firewall, use vpn only to manage it
Replies: 7
Views: 502

Re: router behind firewall, use vpn only to manage it

That is amazing information Sindy, good pickup on the users 3G limitations. In terms of SSTP, this site provides a free service, with the hopes you will pay for more, but it's easy and good enough for most non-critical situations. https://www.remotewinbox.com/auth/blog/Home#:~:text=RemoteWinBox%20is...
by anav
Sat Oct 09, 2021 4:50 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 710

Re: CRS112 and problem with vlans

Your network is a bit confusing, What is the switch in between the PC and the Mikrotik switch the CRS112.
What is a BCS???

please post any configurations for MT devices using this
/export hide-sensitive file=anynameyouwish
by anav
Sat Oct 09, 2021 4:46 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

(1) The important learning point being is that if the MT is the public facing router or even if its behind another router, (but is the server to start the connection) one has to ALLOW the listening port traffic to hit the router itself (hence INPUT CHAIN RULE) to initially establish the tunnel. If y...
by anav
Sat Oct 09, 2021 4:33 pm
Forum: Beginner Basics
Topic: Access from 2nd WAN to specific Pool ?
Replies: 3
Views: 380

Re: Access from 2nd WAN to specific Pool ?

Sure lets say, WAN1 gateway is 64.24.33.22 WAN2 gateway is 24.165.24.122 IP of NVR is 192.168.1.30 Assuming: Wan1 is primary and and Wan2 is only used if WAN1 is unavailable. /ip route add check-gateway=ping distance=5 gateway=64.24.133.22 add distance=10 gateway=24.165.24.122 distance=10 add distan...
by anav
Sat Oct 09, 2021 4:23 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 879

Re: Router route all AP traffic to Wan only

Depends,
Would have to see your current firewall rules to make any assessments.
/export hide-sensitive file=anynameyouwish

my assumption is that the access point is also connected behind the router, also on the network as are the PCs........
by anav
Sat Oct 09, 2021 1:34 am
Forum: Beginner Basics
Topic: usermanager
Replies: 6
Views: 621

Re: usermanager

@anav, there was a link on post #2 ...
Silly me......... Thanks!
by anav
Sat Oct 09, 2021 1:32 am
Forum: General
Topic: router behind firewall, use vpn only to manage it
Replies: 7
Views: 502

Re: router behind firewall, use vpn only to manage it

Just to give you an example. My wireguard Server is an RG450Gx4, sitting on a network as a router but behind the main MT router, a CCR1009. My wireguard Peer consists of an RB4011 behind an ISP Fiber Modem/Router _ the only thing we can do on this ISP device is forward ports. Now there really isnt a...
by anav
Fri Oct 08, 2021 10:40 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

Okay, maybe still possible. You can see the left device but it's routing not just modeming.......... What one needs to do is access the ISP router and port forward the WIREGUARD LISTENING PORT TO YOUR private WANIP. ( A lanip from the ISP routers perspective ) If you don't have access directly you sho...
by anav
Fri Oct 08, 2021 10:37 pm
Forum: General
Topic: Problem with Public IP in migration from RB4011 to CCR1009
Replies: 8
Views: 524

Re: Problem with Public IP in migration from RB4011 to CCR1009

Sorry, you refuse to answer the question clearly.
No help can be derived until this basic question is answered.

How did you save the configuration.
a. BACKUP
b. export config file

How did you apply the saved file into the new router
a. RESTORE
b. copy and paste from terminal.
by anav
Fri Oct 08, 2021 10:34 pm
Forum: General
Topic: router behind firewall, use vpn only to manage it
Replies: 7
Views: 502

Re: router behind firewall, use vpn only to manage it

Hi GG, If you can setup a wireguard tunnel between your location and the remote location this will be the easiest approach I believe. As long as you have an MT device at either end (not necessarily as a router) it can work. The only issue is it's only available on beta firmware but they are up to V7....
by anav
Fri Oct 08, 2021 10:32 pm
Forum: General
Topic: Firewall Drop Invalid
Replies: 4
Views: 383

Re: Firewall Drop Invalid

I am not aware that output chain firewall rules were required??
Is this something unique to IPv6??
by anav
Fri Oct 08, 2021 10:31 pm
Forum: Beginner Basics
Topic: Port Forwarding for a Noob
Replies: 9
Views: 628

Re: Port Forwarding for a Noob

There are a number of common things that will prevent port forwarding
Private WANIP
Hairpin NAT
Wrong sourcenat config
Wrong dst nat config.

Glad you got it going!!
by anav
Fri Oct 08, 2021 10:21 pm
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 71
Views: 12459

Re: v6.48.5 [long-term] is released!

so far so good on a hex as a switch, and capac. will do tile device later today.
tile updated without incident ccr1009
by anav
Fri Oct 08, 2021 10:20 pm
Forum: RouterOS v7 BETA
Topic: Optimal config for Wireguard
Replies: 5
Views: 1222

Re: Optimal config for Wireguard

Nice synopsis.
"You can only go as fast as the slowest link and there is also some processing loss because of the protocol."
by anav
Fri Oct 08, 2021 8:03 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1650

Re: Wireguard proper server config

Try using IP Cloud on the MT devices to ascertain your public IP at each end.
by anav
Fri Oct 08, 2021 6:45 pm
Forum: General
Topic: Problem with Public IP in migration from RB4011 to CCR1009
Replies: 8
Views: 524

Re: Problem with Public IP in migration from RB4011 to CCR1009

You said it loaded fine LOL

In other words why are you using a backup from one machine into a different hardware machine??
by anav
Fri Oct 08, 2021 4:53 pm
Forum: RouterOS v7 BETA
Topic: Optimal config for Wireguard
Replies: 5
Views: 1222

Re: Optimal config for Wireguard

Sorry Mr Whiner, I really dont care about your expectations or lack of literacy etc.. but if you were expecting spoon feeding, correct you came to the wrong place. If after reading the articles, the OP has further more precise questions, they can be answered. Using beta software is not for beginners...
by anav
Fri Oct 08, 2021 4:29 pm
Forum: Beginner Basics
Topic: i need an solution
Replies: 9
Views: 843

Re: i need an solution

So Mickey T, you mean, either a whats my IP search or return from IP Cloud will return a private IP??
by anav
Fri Oct 08, 2021 2:11 pm
Forum: Beginner Basics
Topic: Access from 2nd WAN to specific Pool ?
Replies: 3
Views: 380

Re: Access from 2nd WAN to specific Pool ?

Yes
using IP route and route rules.
by anav
Fri Oct 08, 2021 2:10 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 879

Re: Router route all AP traffic to Wan only

Through firewall rules.
by anav
Thu Oct 07, 2021 9:34 pm
Forum: Beginner Basics
Topic: How do I configure a HAP ac as a wireless access point
Replies: 8
Views: 692

Re: How do I configure a HAP ac as a wireless access point

Can you post a non verbose option please LOL
/export hide-sensitive file=anynameyouwish

Why are there two IP addresses??
ip address
add address=192.168.5.6/24 comment=defconf disabled=no interface=bridge \
network=192.168.5.0
add address=192.168.3.4/8 disabled=no interface=ether1 network=192.0.0.0
by anav
Thu Oct 07, 2021 6:15 pm
Forum: General
Topic: vlans not working
Replies: 11
Views: 664

Re: vlans not working

"The internet crap" is mikrotik's official documentation ;-) but I'll check out your link...
Haha too funny, yes that is their old crap, they have better info now............

https://help.mikrotik.com/docs/display/ROS/VLAN
https://help.mikrotik.com/docs/display/ROS/Bridge
by anav
Thu Oct 07, 2021 4:10 am
Forum: General
Topic: vlans not working
Replies: 11
Views: 664

Re: vlans not working

Setup your lab according to this guide, not the internet crap..

viewtopic.php?t=143620
by anav
Thu Oct 07, 2021 3:17 am
Forum: General
Topic: VLAN Issue
Replies: 8
Views: 667

Re: VLAN Issue

Well i do use LACP along with VLANs on a couple of CRS3xxx switches with no problems...
Then I probably have something else wrong. Wouldn't be the first time, won't be the last.
That officially makes you an MT configurer LOL
by anav
Thu Oct 07, 2021 3:14 am
Forum: General
Topic: vlans not working
Replies: 11
Views: 664

Re: vlans not working

You dont define the vlans?? They should have number and name and interface being the bridge. You still havent fixed your /interface bridge vlan as provided. Where are your firewall rules or does this not face the internet (aka an ISP) What is ether3 doing with an IP address. Not much makes sense to ...
by anav
Thu Oct 07, 2021 3:09 am
Forum: Beginner Basics
Topic: Slow internet bandwidth on one PC
Replies: 2
Views: 277

Re: Slow internet bandwidth on one PC

Can you provide a network diagram, so its clear the structure.
by anav
Thu Oct 07, 2021 3:05 am
Forum: Beginner Basics
Topic: usermanager
Replies: 6
Views: 621

Re: usermanager

And where do you find the magic license information??

Found it.
https://help.mikrotik.com/docs/display/ ... cense+keys
by anav
Thu Oct 07, 2021 3:03 am
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1815

Re: Yet another hairpin nat question

Okay it sounds like we are in a double nat scenario. If the IP address your router gives you is not what your IP cloud is showing or WHATS MY IP shows, then you do not have an ISP modem you have an ISP modem/router combo of some sort. In other words you are getting a private IP. So you need to be ab...
by anav
Wed Oct 06, 2021 11:29 pm
Forum: General
Topic: vlans not working
Replies: 11
Views: 664

Re: vlans not working

Then post the complete config.
/export hide-sensitive file=anynameyouwish
by anav
Wed Oct 06, 2021 11:27 pm
Forum: Beginner Basics
Topic: VLAN Check
Replies: 8
Views: 559

Re: VLAN Check

Generalized Approach (understand this excellent article - https://forum.mikrotik.com/viewtopic.php?t=143620 ) ROUTERS, SWITCHES, ACCESS POINTS (all connected smart devices) COMMON ENTRIES 1. Define vlans (interface is bridge) 2. /ip neighbor discovery-settings set discover-interface-list=MANAGE 3. T...
by anav
Wed Oct 06, 2021 9:57 pm
Forum: General
Topic: vlans not working
Replies: 11
Views: 664

Re: vlans not working

Missing. Optional /interface bridge add name=uplink-bridge vlan-filtering=yes /interface bridge port add bridge=uplink-bridge interface=sfp1 ingress-filtering=yes frame-types=admit-only-vlan-tagged add bridge=uplink-bridge interface=ether3 pvid=200 ingress-filtering=yes frame-type=admit-only-untagg...
by anav
Wed Oct 06, 2021 9:52 pm
Forum: Beginner Basics
Topic: Port Forwarding for a Noob
Replies: 9
Views: 628

Re: Port Forwarding for a Noob

I am saying two things. a. the port will not appear open on a normal scan, visible but closed and thats normal with MT. b. test the access to the server or whatever it is in the following ways. i. log in from another user on the LAN using the lanip of the server thingy ii. log in from an external we...
by anav
Wed Oct 06, 2021 8:45 pm
Forum: Beginner Basics
Topic: VLAN Check
Replies: 8
Views: 559

Re: VLAN Check

As for the other two rules, its narrowed down to who has access to the router...... only need one rule! add action=accept chain=input in-interface-list=-manage src-address-list=mgmt_access Yep, i will change it. Personally, I would not post my ssh port or my winbox port on a config either :-) (very...
by anav
Wed Oct 06, 2021 8:44 pm
Forum: Beginner Basics
Topic: Port Forwarding for a Noob
Replies: 9
Views: 628

Re: Port Forwarding for a Noob

Not sure what you mean. But yes your config should be as complete as possible and accurate. If ether1 is your wan port then /interface list members add interface=ether-1 list=WAN if ether1 is a wan port for pppoe with name pppoe-1out /interface list members add interface=ether-1 list=WAN add interfa...
by anav
Wed Oct 06, 2021 8:33 pm
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1815

Re: Yet another hairpin nat question

/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
192.168.0.0

/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0

nothing else seems off.......
Dont see an IP route do you use the auto ip route in the dhcp client setup?
by anav
Wed Oct 06, 2021 8:28 pm
Forum: Beginner Basics
Topic: No connection in win box
Replies: 4
Views: 380

Re: No connection in win box

Good thing you have no fw rules,,,,,,,,,,,, connecting to the net could be bad news.......
by anav
Wed Oct 06, 2021 3:09 pm
Forum: Beginner Basics
Topic: VLAN Check
Replies: 8
Views: 559

Re: VLAN Check

These three rules dont make sense to me........... add action=accept chain=input comment=ICMP in-interface-list=!WAN protocol=icmp add action=accept chain=input comment=SSH dst-port=22 in-interface-list=!WAN protocol=tcp src-address-list=mgmt_access add action=accept chain=input comment=WINBOX dst-p...
by anav
Wed Oct 06, 2021 2:09 pm
Forum: Useful user articles
Topic: MikroTik Wireguard server with Road Warrior clients
Replies: 48
Views: 14714

Re: MikroTik Wireguard server with Road Warrior clients

Not here, start a new thread and I will have a look, this thread is for a reference document not individual issues.
by anav
Wed Oct 06, 2021 2:08 pm
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 12
Views: 614

Re: RB3011 VLAN with HP Managed Switch

The best way is
a. ONE bridge
b. ONE trunk port to the HP switch.

viewtopic.php?t=143620
Read, apply, come back with a config and will be happy to look at it.
by anav
Wed Oct 06, 2021 2:07 pm
Forum: Beginner Basics
Topic: VLAN Check
Replies: 8
Views: 559

Re: VLAN Check

I fail to see any firewall rules on your router and then you put some on the switch?? The config is flawed thus in many ways. In terms of the router I am not sure of what you are trying to do overall but a management interface is a good idea and keep spf+8 as part of LAN interface for all the rules it c...
by anav
Wed Oct 06, 2021 1:52 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

No they are not.
your config is hosed, did you not see the example provided??
At least read this article.
viewtopic.php?t=143620

You assigned the vlans to ether1 and not the bridge...........
Furthermore vlans are NOT bridge ports........
by anav
Wed Oct 06, 2021 1:49 pm
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1815

Re: Yet another hairpin nat question

It could be something else on your config...
/export hide-sensitive file=anynameyouwish
by anav
Wed Oct 06, 2021 1:44 pm
Forum: Beginner Basics
Topic: Port Forwarding for a Noob
Replies: 9
Views: 628

Re: Port Forwarding for a Noob

Get rid of the forward chain rule, not needed. add action=accept chain=forward comment="Helium Routing" dst-address=192.168.8.106 dst-port=44158 protocol=tcp Modify this rule add action=dst-nat chain=dstnat comment="Helium Routing" dst-port=44158 protocol=tcp \ in-interface-list=...
by anav
Wed Oct 06, 2021 3:53 am
Forum: Beginner Basics
Topic: i need an solution
Replies: 9
Views: 843

Re: i need an solution

The service provider prevents ddns??
What do you mean.
Have you tried turning IP cloud on and reading your WANIP from it???
by anav
Wed Oct 06, 2021 3:49 am
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1815

Re: Yet another hairpin nat question

Emil's explanation is spot on. You can remove the protocol tcp, in the hairpin source nat rule, not required! Since the WANIP is a fixed wanip you don't need anything fancy in terms of other rules or methods! It should just work!! The problem is your OTHER required basic but non-standard sourcenat rul...
by anav
Tue Oct 05, 2021 7:47 pm
Forum: Beginner Basics
Topic: Trying to allow only one port using In and Out interfaces [SOLVED]
Replies: 9
Views: 655

Re: Trying to allow only one port using In and Out interfaces [SOLVED]

Your input chain rule was flawed from the beginning, it was missing the default last rule in BLUE and you added two other rules that were needed due to missing the default rules but they fail to cover any other WAN to Router traffic that would have been blocked by the proper default rule. {Input Cha...
by anav
Tue Oct 05, 2021 7:40 pm
Forum: Beginner Basics
Topic: Trying to allow only one port using In and Out interfaces [SOLVED]
Replies: 9
Views: 655

Re: Trying to allow only one port using In and Out interfaces [SOLVED]

Will address input chain next.......... /ip firewall filter {FORWARD CHAIN} add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add actio...
by anav
Tue Oct 05, 2021 7:32 pm
Forum: Beginner Basics
Topic: Trying to allow only one port using In and Out interfaces [SOLVED]
Replies: 9
Views: 655

Re: Trying to allow only one port using In and Out interfaces [SOLVED]

Lets have a look!! See if anything is out of place - RED Improvements possible... GREEN Missed the boat a bit..... . Blue unknown purpose so probably okay but explanation of requirements would ensure such assumptions - Also since you haven't posted the complete config I can only guess at some things....
by anav
Tue Oct 05, 2021 6:48 pm
Forum: Beginner Basics
Topic: 802.1X Video
Replies: 0
Views: 331

802.1X Video

Stumbled across this today and very well done, at least for me to understand.
https://www.youtube.com/watch?v=XvNWa5k20TU
by anav
Tue Oct 05, 2021 6:29 pm
Forum: Beginner Basics
Topic: VLANS
Replies: 4
Views: 378

Re: VLANS

With MT, there are rarely shortcuts as one has to know what they are doing.......... The linked article has the answers, one just has to read it.
by anav
Tue Oct 05, 2021 6:22 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

Well the concept I am struggling with is having the wifi link carry more than one vlan. I am only use to wlan to users....... If the wlan to wlan link can be viewed as a wifi trunk port then that is clearer!! Assumptions made vlan 50 is management vlan vlan 10 is data vlan # model = SXT 5HPnD # seri...
by anav
Tue Oct 05, 2021 5:54 pm
Forum: Beginner Basics
Topic: Trying to allow only one port using In and Out interfaces [SOLVED]
Replies: 9
Views: 655

Re: Trying to allow only one port using In and Out interfaces [SOLVED]

Try a different approach with the forward chain and that is change the concept to what you want to allow!! keep the 5 first Default rules add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec {disable if not using vpn} add action=accept chain=forwa...
by anav
Tue Oct 05, 2021 2:37 pm
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1815

Re: Yet another hairpin nat question

I'm feeling lazy so I will make it short................ Hairpin Nat is a funny situation of dst-nat and mostly for the case of port forwarding, where the requirement needs to address local users as follows: a. The server and the lan users of the server are on the same subnet b. The server admin req...
by anav
Tue Oct 05, 2021 2:27 pm
Forum: Beginner Basics
Topic: VLANS
Replies: 4
Views: 378

Re: VLANS

But there is no port number on the MT device where the cable from the switch is coming from.
You cannot just lay the cable over the MT device and expect it to work! You have to plug it in.........

The very good article has examples of what you need, its excellent
by anav
Mon Oct 04, 2021 7:51 pm
Forum: General
Topic: Block between hosts/VLAN
Replies: 2
Views: 256

Re: Block between hosts/VLAN

My opinion, not an expert.......... Depends upon vlan awareness of whats on the other side of the NIC? For example a switch port can accept multiple vlans because the switch can read the traffic.... If whatever can read the traffic coming in on the nic, then it can see different vlans and decide wha...
by anav
Mon Oct 04, 2021 4:21 pm
Forum: Beginner Basics
Topic: bridge filtering behaviour [SOLVED]
Replies: 7
Views: 670

Re: bridge filtering behaviour [SOLVED]

Hey Welcome to the forums! My apologies for the error. :-)
Glad your issue has been resolved!
We get many similar requests that are troll requests. (typical of just joined...........)
by anav
Mon Oct 04, 2021 4:15 pm
Forum: Wireless Networking
Topic: Mini WISP-like Deployment
Replies: 8
Views: 948

Re: Mini WISP-like Deployment

I would go for all 60HZ stuff to connect the buildings, so zero interference with local wifi, including channel separation considerations.
What's wrong with building 8 (seems like a candidate for a pole antenna somewhere)?

1. Is coverage inside all the buildings required?
by anav
Mon Oct 04, 2021 3:48 pm
Forum: General
Topic: winbox can't work correctly if "users" folder moved from disk C:
Replies: 13
Views: 823

Re: winbox can't work correctly if "users" folder moved from disk C:

No wait, doesnt windows conform to winbox standards?? ;-PP
by anav
Mon Oct 04, 2021 3:46 pm
Forum: Beginner Basics
Topic: bridge filtering behaviour [SOLVED]
Replies: 7
Views: 670

Re: bridge filtering behaviour [SOLVED]

tdw, my usual response to a troll post. :-)
by anav
Mon Oct 04, 2021 3:20 pm
Forum: Beginner Basics
Topic: How to use bridge vlan filtering for my setup?
Replies: 3
Views: 498

Re: How to use bridge vlan filtering for my setup?

Read this article it has examples for wifi.
viewtopic.php?f=23&t=143620
by anav
Mon Oct 04, 2021 3:13 pm
Forum: Beginner Basics
Topic: bridge filtering behaviour [SOLVED]
Replies: 7
Views: 670

Re: bridge filtering behaviour [SOLVED]

Read the user guide.
by anav
Mon Oct 04, 2021 4:49 am
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

Re: vlan translation help

configuration mumbo jumbo and guessing.
What is/are the requirements................
a. the ISP requires x and y
b. equipment on the network is a special server that needs a and b.

In other words, without talking about the config, what is/are the use cases???
by anav
Mon Oct 04, 2021 4:41 am
Forum: Beginner Basics
Topic: CRS326-24G-2S+IN like a switch with vlan mgmt [SOLVED]
Replies: 8
Views: 569

Re: CRS326-24G-2S+IN like a switch with vlan mgmt [SOLVED]

Using vlan 1 for a management vlan is confusing and inconsistent with advice..... Its not required and if used, then any other switch especially if not MT will be a biatch to work with. Yes, every device has to define the vlans that are running through, so the device knows they exist. I didnt say cr...
by anav
Mon Oct 04, 2021 4:38 am
Forum: Beginner Basics
Topic: Allow all traffic to specific device
Replies: 1
Views: 276

Re: Allow all traffic to specific device

Just follow the user guide.
by anav
Mon Oct 04, 2021 12:15 am
Forum: Beginner Basics
Topic: CRS326-24G-2S+IN like a switch with vlan mgmt [SOLVED]
Replies: 8
Views: 569

Re: CRS326-24G-2S+IN like a switch with vlan mgmt [SOLVED]

Good plan from TDW, however what is missing from the config is the definition of all the VLANS. PLUS the only thing that should get an address is the switch itself, and it should have an address from the Management Vlan. Where I disagree is I prefer to manually insert the untagged ports to ensure my ...
by anav
Sun Oct 03, 2021 7:35 pm
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

I was being cheeky, I know how to say Q in Q, but for all I know its the name of a new burger at chucky cheese.... ;-) (okay so I know its vlan within a vlan, just never had an excuse to learn about it).
by anav
Sun Oct 03, 2021 6:19 pm
Forum: Beginner Basics
Topic: Slow CRS326 connection to internet
Replies: 9
Views: 613

Re: Slow CRS326 connection to internet

Concur with Conny, if the thinking is the connection is 300Mbps or less, have the CR326 do everything (routing and switching), otherwise if higher like 1gig,
then the approach would be different.
by anav
Sun Oct 03, 2021 6:16 pm
Forum: General
Topic: 1036 and VLANs - dumb question
Replies: 2
Views: 270

Re: 1036 and VLANs - dumb question

Hard to say the best method, so the answer is it depends........

/export hide-sensitive file=anynameyouwish.

So we can see the current design and how to best optimize the addition of a vlan.
Of course my answer will be to make everything vlans LOL.
by anav
Sun Oct 03, 2021 6:13 pm
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

Re: vlan translation help

So this is not Q in Q ??
by anav
Sun Oct 03, 2021 4:45 pm
Forum: Beginner Basics
Topic: i need an solution
Replies: 9
Views: 843

Re: i need an solution

Are you the admin of both devices? If yes, then the answer is yes. When you say you cannot use DDNS, what do you mean. Do you mean the IP cloud of the mikrotik?? It sounds like what you are really saying is that the MT device is not the router on the main network (one with camera). If you do not ha...
by anav
Sun Oct 03, 2021 4:05 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

my comments were for the link provided, not on the advice provided. Just wanted to add a bit of helpful details
by anav
Sun Oct 03, 2021 3:22 pm
Forum: Beginner Basics
Topic: Need Help
Replies: 1
Views: 297

Re: Need Help

Read the user guide its all in there.
by anav
Sun Oct 03, 2021 3:18 pm
Forum: General
Topic: vlan translation help
Replies: 20
Views: 961

Re: vlan translation help

Your explanation makes little sense as you are mixing up requirements with configuration solution speak.
by anav
Sun Oct 03, 2021 3:15 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1038

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

Nice link....... This line...... All devices (R1, R2, AP and ST) needs a VLAN interface created in order to be able to access the device through the specific VLAN ID. For AP and ST create the VLAN interface on top of the bridge interface and assign an IP address to it: Basically makes the case that ...
by anav
Sun Oct 03, 2021 2:34 am
Forum: General
Topic: Guest wifi security configuration
Replies: 6
Views: 510

Re: Guest wifi security configuration

What I would do in the INPUT CHAIN is remove this rule....... which basically says drop all traffic not coming from the LAN (and by logic thus allow ALL USERS ACCESS TO THE ROUTER!!!) add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN Why? Be...
by anav
Sun Oct 03, 2021 2:25 am
Forum: General
Topic: Guest wifi security configuration
Replies: 6
Views: 510

Re: Guest wifi security configuration

A few errors. (1) Missing Interface members /interface list member add comment=defconf interface=Bridge_CORP list=LAN add comment=defconf interface="ether1 - gateway" list=WAN add Bridge_Public list=LAN (2) Duplicate address, one needs to be removed. /ip address add address=192.168.88.1/24...
by anav
Sun Oct 03, 2021 2:15 am
Forum: RouterOS v7 BETA
Topic: Periodic crashes in 7.1rc4
Replies: 23
Views: 1942

Re: Periodic crashes in 7.1rc4

send a supout to Mikrotik. they should be interested........
by anav
Sat Oct 02, 2021 8:58 pm
Forum: General
Topic: routing between VLANs
Replies: 22
Views: 1697

Re: routing between VLANs

Yes, ensure fasttrack is not active!!
There is some finesse about how one can apply it to some packets and not others but for now just DISABLE it, no need to remove it.
by anav
Sat Oct 02, 2021 8:56 pm
Forum: Beginner Basics
Topic: Firewall question.
Replies: 5
Views: 464

Re: Firewall question.

I dont really care, to tell the truth, if there is some form of packet that reaches the router and its not accepted by the router due to some abnormality, I am super glad I have a rule that will excise that packet!!! Burn it, throw it away, get rid of it., good riddance. As to the types of invalid p...
by anav
Sat Oct 02, 2021 4:05 pm
Forum: General
Topic: Guest wifi security configuration
Replies: 6
Views: 510

Re: Guest wifi security configuration

if you forget to permit something, your legal users will quickly notify you; if you forget to deny something, your illegal users will never let you know.



Effing brilliant. Luv it. Every IT person should have this over the entryway to their office.
by anav
Sat Oct 02, 2021 4:03 pm
Forum: General
Topic: Guest wifi security configuration
Replies: 6
Views: 510

Re: Guest wifi security configuration

Everything correct except the firewall rules - the two rules you've posted are fine as such, but if they are the only rules in the filter, it makes a security hole at least in terms of the guests not being prevented from accessing the management services of the router itself. So post the complete a...
by anav
Sat Oct 02, 2021 3:52 pm
Forum: General
Topic: routing between VLANs
Replies: 22
Views: 1697

Re: routing between VLANs

Yes.............. this rule LOL. To be fair, MK poorly documents the restriction of not using fast track for mangling. Even the two presentations from experts failed to note this as does the WIKI on mangling. add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ conn...
by anav
Sat Oct 02, 2021 3:50 pm
Forum: General
Topic: Blocking Routers
Replies: 11
Views: 654

Re: Blocking Routers

Basically it boils down to how many nodes I have is none of your business. If I go to a hotel and I have 3 laptops and 10 cellphones, I get a wifi password for the room that is good for all devices. If you're talking about stalls, or displays, same thing, charge should be per stall, unless your stinki...
by anav
Sat Oct 02, 2021 3:37 pm
Forum: General
Topic: vlans leaked
Replies: 4
Views: 415

Re: vlans leaked

/export hide-sensitive file=anynameyouwish

PLUS
network diagram
by anav
Sat Oct 02, 2021 3:30 pm
Forum: Beginner Basics
Topic: Firewall question.
Replies: 5
Views: 464

Re: Firewall question.

If ether1 is the wan, and it's not pppoe and not a vlan, then no harm no foul. More importantly this is a default rule designed to allow the basic user to: a. have access to the internet b. block wan to lan traffic (except for any port forwarding - which would be added in NAT rules). Much better is ...
by anav
Fri Oct 01, 2021 10:51 pm
Forum: General
Topic: routing between VLANs
Replies: 22
Views: 1697

Re: routing between VLANs

Did you compare your rules to those of the presentations from the previous post?
by anav
Fri Oct 01, 2021 6:48 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 191
Views: 154000

Re: Using RouterOS to VLAN your network

Hi @pcunite ! Thanks for this comprehensive guide. Really helped me a lot in order to understand vlans and also to correctly config my MT :). I have a question regarding VLAN security : There is also an ingress filtering/frame-type setting on the bridge itself, however it seems you did not configur...
by anav
Fri Oct 01, 2021 6:40 pm
Forum: Beginner Basics
Topic: NAT rule, parameter: "to-address" in Winbox ... where ?
Replies: 26
Views: 1179

Re: NAT rule, parameter: "to-address" in Winbox ... where ?

whatever works for you and you understand. the advantage of rextendeds method is that you can follow the logic of what you are telling the router to do. under the redirect rule, all we know is that the redirect is pointed at a local router interface, BUT WHICH ONE.......we have no clue, so its not a...
by anav
Fri Oct 01, 2021 6:06 pm
Forum: General
Topic: WAN Failover questions
Replies: 3
Views: 448

Re: WAN Failover questions

speak of the de......pussycat

viewtopic.php?f=13&t=176956#p870952
by anav
Fri Oct 01, 2021 6:02 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1357

Re: Combining two routers

Thanks much Sindy,
I am now wondering of the differences between using dstnat or routes to move packets around within the router (besides off the router which is usually routing and port forwarding which is usually dstnat).
by anav
Fri Oct 01, 2021 5:53 pm
Forum: Beginner Basics
Topic: How to use bridge vlan filtering for my setup?
Replies: 3
Views: 498

Re: How to use bridge vlan filtering for my setup?

What I recommend. A. One bridge. B. All vlans, much easier to understand and configure. C. For management of all devices, quite correct. After the router, all smart devices need an IP on the management VLAN. On your interface list members, create one called manage then put all the interfaces you will...
by anav
Fri Oct 01, 2021 5:46 pm
Forum: Beginner Basics
Topic: NAT rule, parameter: "to-address" in Winbox ... where ?
Replies: 26
Views: 1179

Re: NAT rule, parameter: "to-address" in Winbox ... where ?

OK, i now use as follow: /ip firewall nat add action=redirect chain=dstnat comment="redirect all udp DNS traffic to mikrotik DNS" dst-address=!192.168.55.1 dst-port=53 in-interface-list=LAN protocol=udp to-ports=53 /ip firewall nat add action=redirect chain=dstnat comment="redirect a...
by anav
Fri Oct 01, 2021 5:45 pm
Forum: Beginner Basics
Topic: NAT rule, parameter: "to-address" in Winbox ... where ?
Replies: 26
Views: 1179

Re: NAT rule, parameter: "to-address" in Winbox ... where ?

Ahhh.. well... then it is also my merit when I make you puzzled to understand when I write and do not explain... :lol: (because not everytime I have time... :P ) OMFG too true. I had to laugh, and its one of those quirks in life, I expect, accept and enjoy! Its like what riddle will rextended come ...
by anav
Fri Oct 01, 2021 2:59 pm
Forum: Wireless Networking
Topic: VLAN based guest Wifi at home with Router + 2 APs
Replies: 3
Views: 395

Re: VLAN based guest Wifi at home with Router + 2 APs

When you think you have a config that is about ready, feel free to share here for feedback.
/export hide-sensitive file=anynameyouwant.

Also a network diagram helps show the linkages desired.
by anav
Fri Oct 01, 2021 2:57 pm
Forum: Beginner Basics
Topic: NAT rule, parameter: "to-address" in Winbox ... where ?
Replies: 26
Views: 1179

Re: NAT rule, parameter: "to-address" in Winbox ... where ?

It's better to be lucky than good I guess!! The problem is I have no foundation in this stuff so I find myself swimming in uncharted waters. Imagine trying to do multiplication without knowing how to add!! I can tell you that a normal person would have shot me several times in frustration but peopl...
by anav
Fri Oct 01, 2021 2:53 pm
Forum: Wireless Networking
Topic: VLAN based guest Wifi at home with Router + 2 APs
Replies: 3
Views: 395

Re: VLAN based guest Wifi at home with Router + 2 APs

Read this article it contains all the answers and examples of setups.......... https://forum.mikrotik.com/viewtopic.php?f=23&t=143620 I have very similar layout ccr1009, to 24 port managed switch on one ether port, 8 port managed switch on other port, hex router acting as a switch, and 3 smart A...
by anav
Fri Oct 01, 2021 2:51 pm
Forum: Useful user articles
Topic: MikroTik Wireguard server with Road Warrior clients
Replies: 48
Views: 14714

Re: MikroTik Wireguard server with Road Warrior clients

This should be a thread in either Ros7 beta or beginner or general.
Not troubleshooting your config. Specific questions about the wireguard implementation that may need explaining are fine but otherwise just clogs up a good reference document into a mess.
by anav
Fri Oct 01, 2021 2:47 pm
Forum: General
Topic: WAN Failover questions
Replies: 3
Views: 448

Re: WAN Failover questions

Typically for a failover scenario isp1 - check ping - distance=5 isp2 distance=10 So all users will go out ISP1 having a shorter distance. If ping fails the router will use ISP2 as the route of choice, and when ISP1 is available again, users will be redirected to isp1. The best thread to read up is ...
by anav
Fri Oct 01, 2021 2:40 pm
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1357

Re: Combining two routers

The short version....... So remove the wrong rule :-) A unique situation can describe something similar but you will never need it. :-)) (Q. I have never used both source address and interface at the same time in a route rule, is that legal??) ( src-address =the.ip.on.E10-fibre action=lookup-only-in...
by anav
Fri Oct 01, 2021 2:32 pm
Forum: Beginner Basics
Topic: NAT rule, parameter: "to-address" in Winbox ... where ?
Replies: 26
Views: 1179

Re: NAT rule, parameter: "to-address" in Winbox ... where ?

Okay 3 errors ;-))
But you still know more almost infinity than I do, ref Networking and MT configurations, so not to worry!!
Best if we drink some good Italian wine and joke about my incompetence!!
by anav
Fri Oct 01, 2021 2:29 pm
Forum: Beginner Basics
Topic: NAT rule, parameter: "to-address" in Winbox ... where ?
Replies: 26
Views: 1179

Re: NAT rule, parameter: "to-address" in Winbox ... where ?

Where is the danger. I don't see it probably because I am innocent of MT hidden dangers!! (aka blissfully ignorant). (error #1 - we still disagree on dhcp being affected by input chain rules ) (error#2 - we disagree on use of redirect) Note: whenever you disagree with me it's an error! ;-) My English ...
by anav
Fri Oct 01, 2021 2:22 pm
Forum: Beginner Basics
Topic: NAT rule, parameter: "to-address" in Winbox ... where ?
Replies: 26
Views: 1179

Re: NAT rule, parameter: "to-address" in Winbox ... where ?

Specificity is up to the OP as per any firewall or NAT rule. add chain=dstnat in-interface=SUBNETOFYOURCHOICE action=redirect................... add chain=dstnat src-address=IPOFYOURCHOICE action=redirect................... add chain=dstnat src-address-list=IPsOFYOURCHOICE action=redirect..............
by anav
Fri Oct 01, 2021 2:14 pm
Forum: Beginner Basics
Topic: NAT rule, parameter: "to-address" in Winbox ... where ?
Replies: 26
Views: 1179

Re: NAT rule, parameter: "to-address" in Winbox ... where ?

Correct, the latter part is the germane part, config is good, (to - ports are not part of a redirect rule).
As for the first part, If its that dangerous I dont think MT would have it as a function.
Unless perhaps there is another better use of that rule for some specific instance??
by anav
Fri Oct 01, 2021 2:11 pm
Forum: Beginner Basics
Topic: NAT rule, parameter: "to-address" in Winbox ... where ?
Replies: 26
Views: 1179

Re: NAT rule, parameter: "to-address" in Winbox ... where ?

As mkx (house slytherin) noted, its magic! The important part is what he stated "to one of the router's local addresses" Since you want to direct DNS to the router, your Rules are correct, the DNS will be redirected to the local router interface and will thus not use whatever is on the PC....
by anav
Fri Oct 01, 2021 4:23 am
Forum: General
Topic: Combining two routers
Replies: 16
Views: 1357

Re: Combining two routers

This looks funny to me. /ip route rule add action=lookup-only-in-table interface=E10-Fiber table=via-FO why would you put the wan interface as the interface you want to route out a wan interface?? probably completely legit, but seems weird. as for the rest way to complex for me to comment responsibly.
by anav
Fri Oct 01, 2021 2:13 am
Forum: General
Topic: Guest network as VLAN tagged for one port
Replies: 9
Views: 1723

Re: Guest network as VLAN tagged for one port

Yes it is non-standard. There is no reason to carry untagged traffic to a managed switch. It should be like so. Router interface bridge port add bridge=bridge interface=ether1 ingress-filtering=yes frame-types=admit-only-vlan-tagged add bridge=bridge interface=ether2 pvid=20 ingress-filtering=yes fr...
by anav
Fri Oct 01, 2021 1:15 am
Forum: General
Topic: Guest network as VLAN tagged for one port
Replies: 9
Views: 1723

Re: Guest network as VLAN tagged for one port

correct............ The other way to do it is create a vlan for all the other traffic call it vlan 20 /interface bridge add name=bridge protocol-mode=none vlan-filtering=yes /interface bridge port add bridge=bridge interface=ether1 pvid=20 ingress-filtering=yes add bridge=bridge interface=ether2 pvi...
by anav
Fri Oct 01, 2021 1:11 am
Forum: Beginner Basics
Topic: How to Completely Wipe Compromized Router?
Replies: 5
Views: 1653

Re: How to Completely Wipe Compromized Router?

Dont reuse any of the user names or passwords either...........
by anav
Fri Oct 01, 2021 1:10 am
Forum: Announcements
Topic: Newsletter 102
Replies: 30
Views: 11738

Re: Newsletter 102

Three steps: create textual export of current configuration. Execute command /export file=myexport and fetch file off device. Note that this is not backup , which creates binary (and encrypted) file of which contents can not be easily examined. Make a note about users and their passwords, export do...
by anav
Thu Sep 30, 2021 8:16 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 826

Re: An easy routing question [SOLVED]

I believe one has to have a main table entry that is plain jane, but cannot remember why, like most things MT. I could be wrong. However that doesnt answer the questions regarding your scenario and actual situation. Do you have an entire subnet that should go out gateway Y, some users, etc........ W...
by anav
Thu Sep 30, 2021 6:07 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 826

Re: An easy routing question [SOLVED]

However playing a theoretical game is fun but may be a waste of your time.
Much better to describe your scenario and what you want users on your network to be able to do etc..
You may not need any mangling for example.
by anav
Thu Sep 30, 2021 6:06 pm
Forum: General
Topic: An easy routing question [SOLVED]
Replies: 11
Views: 826

Re: An easy routing question [SOLVED]

Hmm interesting question. (1) I believe that no traffic will pass to the Y gateway unless you have standard routes for all traffic stated. /ip route add distance=1 gateway=x add distance=1 gateway=y add distance=1 gateway=y routing-mark=some_mark (2) However, then some traffic not mangled with packe...
by anav
Thu Sep 30, 2021 6:01 pm
Forum: Beginner Basics
Topic: CCR2004-1G-12S+2XS slow NAT performance [Fixed]
Replies: 33
Views: 2533

Re: CCR2004-1G-12S+2XS slow NAT performance [Fixed]

MY ISP uses a vlan to pass internet traffic and a different vlan to pass TV traffic.
by anav
Thu Sep 30, 2021 6:00 pm
Forum: Beginner Basics
Topic: physical DMZ in routing mode [SOLVED]
Replies: 7
Views: 732

Re: physical DMZ in routing mode [SOLVED]

Ahh okay so this is transparently transporting the available WANIPs through to the other routers.
More interesting indeed.
by anav
Thu Sep 30, 2021 3:12 pm
Forum: Beginner Basics
Topic: physical DMZ in routing mode [SOLVED]
Replies: 7
Views: 732

Re: physical DMZ in routing mode [SOLVED]

Hi Mkx, What is the other way........ To me this is a block of Ips provided by the ISP where one uses one IP for the router itself and then distributes other IPs 1:1 (public to private IP). One to one NAT or perhaps netmap? First IP as dhcp client. Rest netmapped ? per IP /ip firewall nat add chain=...
by anav
Thu Sep 30, 2021 5:27 am
Forum: Beginner Basics
Topic: Block SSH and WINBOX from WAN Only
Replies: 10
Views: 869

Re: Block SSH and WINBOX from WAN Only

As stated, the default firewall rules ensure you are safe out of the blocks, however one can later fine tune and be more precise on who has access to especially the router itself.
by anav
Thu Sep 30, 2021 12:08 am
Forum: Beginner Basics
Topic: Block SSH and WINBOX from WAN Only
Replies: 10
Views: 869

Re: Block SSH and WINBOX from WAN Only

That is very interesting,............... I will have to explore some more. I have two DHCP clients and have not had any issues connecting that are unusual. My bell client upon any kind of disconnect needs the route to be manually updated with the new gateway but that was an issue for my zyxel router...
by anav
Thu Sep 30, 2021 12:05 am
Forum: Beginner Basics
Topic: Create Interface list via WinBox?
Replies: 3
Views: 487

Re: Create Interface list via WinBox?

Ta da !!!
IL1 - Copy.jpg
IL2 - Copy.jpg
IL3 - Copy.jpg
by anav
Wed Sep 29, 2021 11:07 pm
Forum: General
Topic: TCP port forwarding not working
Replies: 9
Views: 705

Re: TCP port forwarding not working

Concur netinstall that sucker pronto!!
by anav
Wed Sep 29, 2021 10:55 pm
Forum: Beginner Basics
Topic: Block SSH and WINBOX from WAN Only
Replies: 10
Views: 869

Re: Block SSH and WINBOX from WAN Only

Not sure what you mean by DHCP, not required on input chain rule?? Otherwise none of my configs would work LOL. I hope to explain better: With the changes you have proposed, the DHCP Server stops working as well, except for the administrative addresses. The DHCP Server is a service inside RouterBOA...
by anav
Wed Sep 29, 2021 10:52 pm
Forum: Beginner Basics
Topic: Accessing a server from outside network
Replies: 19
Views: 1241

Re: Accessing a server from outside network

Yeah, unfortunately I know even less :)

Anyway, I will try and use it and see how it behaves, I hope everything will be fine from now on :)

I assume this strange behaviour is no cause for alarm?
Nope your rules look good from here.
by anav
Wed Sep 29, 2021 7:55 pm
Forum: Beginner Basics
Topic: Block SSH and WINBOX from WAN Only
Replies: 10
Views: 869

Re: Block SSH and WINBOX from WAN Only

You add services required, So if upnp is required you add it before drop all rule So if NTP is added you add it before drop rule. Not sure what you mean by DHCP, not required on input chain rule?? Otherwise none of my configs would work LOL. PS> capsman is for people that like beating themselves wit...
by anav
Wed Sep 29, 2021 7:01 pm
Forum: Beginner Basics
Topic: Block local IP's fails [SOLVED]
Replies: 11
Views: 967

Re: Block local IP's fails [SOLVED]

Awesome glad it works........
Great work MKX ;-P
by anav
Wed Sep 29, 2021 6:56 pm
Forum: Beginner Basics
Topic: Accessing a server from outside network
Replies: 19
Views: 1241

Re: Accessing a server from outside network

Very strange. Im sure there is a viable explanation but it escapes me at the moment. Probably something to do with the fact that the public IP is not on the MT router but on the ISP router........... In other words, the external WANIP of the router is not the same WANIP the lan user is trying to rea...
by anav
Wed Sep 29, 2021 6:53 pm
Forum: Beginner Basics
Topic: Block SSH and WINBOX from WAN Only
Replies: 10
Views: 869

Re: Block SSH and WINBOX from WAN Only

This is easily accomplished as stated by the default firewall rules. Let me direct you to the rule in question. INPUT CHAIN (traffic to and fro the router) add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN As the last rule in th...
by anav
Wed Sep 29, 2021 6:24 pm
Forum: Beginner Basics
Topic: Block local IP's fails [SOLVED]
Replies: 11
Views: 967

Re: Block local IP's fails [SOLVED]

With understanding comes knowledge and information from which advice and configs can then be responsibly offered. ;-P
by anav
Wed Sep 29, 2021 6:14 pm
Forum: Beginner Basics
Topic: Accessing a server from outside network
Replies: 19
Views: 1241

Re: Accessing a server from outside network

Just to be clear you use the WANIP to access the server and the server responds appropriately or is just visible??
Yes I am surprised why it would work if you can.......
by anav
Wed Sep 29, 2021 6:10 pm
Forum: Beginner Basics
Topic: Block local IP's fails [SOLVED]
Replies: 11
Views: 967

Re: Block local IP's fails [SOLVED]

Having a good network map/diagram will help you plan and state clear requirements If you have enough ports and Wireless ports if a wifi router, to separate groups of users by ports, then you're golden. If you have to send traffic to a switch which then connects to different users then most likely you ...
by anav
Wed Sep 29, 2021 4:43 pm
Forum: Beginner Basics
Topic: Accessing a server from outside network
Replies: 19
Views: 1241

Re: Accessing a server from outside network

Okay so you need to do this:
go to the port forward part of the ISP router
forward the port required and use the WANIP of your router as the IP that the ISP router is going to forward that traffic to
Then the settings on your router will work
by anav
Wed Sep 29, 2021 4:05 pm
Forum: Beginner Basics
Topic: Accessing a server from outside network
Replies: 19
Views: 1241

Re: Accessing a server from outside network

Yes, bridge mode usually means its transparent and only acting as a modem. Just to be sure check your WANIP in the IP DHCP Client settings and compare to your IP CLOUD address ( or whats my IP in the browser). If they are the same, then its a good bridge setup. If not perhaps you are getting a priva...
by anav
Wed Sep 29, 2021 3:54 pm
Forum: General
Topic: Bridging VLANs only (and not untagged traffic)
Replies: 3
Views: 422

Re: Bridging VLANs only (and not untagged traffic)

Hi subway have a read through this article....... https://forum.mikrotik.com/viewtopic.php?f=23&t=143620 Fear not, the pvid default is 1 which does not get in the way of any config setup you wish to do in terms of a mix of vlans and non vlans. Its actually easier IMHO to use all VLANs and not to...
by anav
Wed Sep 29, 2021 3:29 pm
Forum: General
Topic: TCP port forwarding not working
Replies: 9
Views: 705

Re: TCP port forwarding not working

/export hide-sensitive file=anynameyouwish
by anav
Wed Sep 29, 2021 2:37 pm
Forum: Beginner Basics
Topic: Accessing a server from outside network
Replies: 19
Views: 1241

Re: Accessing a server from outside network

(1) Why are these two rules disabled?? Especially the second rule which prevent anyone from the internet accessing your LAN. TURN IT ON!!!! ! DANGER!!!! add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes add action=drop chain=forward comment...
by anav
Wed Sep 29, 2021 2:24 pm
Forum: Beginner Basics
Topic: Multi IP PPPOE Wan routing
Replies: 3
Views: 691

Re: Multi IP PPPOE Wan routing

(1) I am not familiar with multiple PPPoE clients but will take your word for it that they can come in on same ether 1 connection. (2) One error I see is /ip address add address=10.0.0.1/24 comment=defconf interface= ether2 network=10.0.0.0 add address=10.0.10.1/24 interface=UNSAFE network=10.0.10.0e...
by anav
Wed Sep 29, 2021 2:15 pm
Forum: Beginner Basics
Topic: Using Mikrotik with ISP's router in bridge mode [SOLVED]
Replies: 5
Views: 698

Re: Using Mikrotik with ISP's router in bridge mode [SOLVED]

None needed I just created a new nick, to ask the question to make me look smart. I was tired of mKx always getting it right. ;-)
I wanted to see what it felt like, but I concur never hurts to look at the config if not for errors but for efficiencies.
by anav
Wed Sep 29, 2021 2:13 pm
Forum: Beginner Basics
Topic: Accessing a server from outside network
Replies: 19
Views: 1241

Re: Accessing a server from outside network

/export hide-sensitive file=anynameyouwish
by anav
Tue Sep 28, 2021 11:06 pm
Forum: RouterOS v7 BETA
Topic: Microtik wireguard to Raspberry pi
Replies: 6
Views: 889

Re: Microtik wireguard to Raspberry pi

Does the mikrotik connect to the ISP modem (aka direct to the ISP and not a router behind the ISP router )??
by anav
Tue Sep 28, 2021 6:35 pm
Forum: General
Topic: Failover Single PPPoE
Replies: 3
Views: 394

Re: Failover Single PPPoE

Is the second connection from a different ISP?
How is the connection made.......... WIFI, cellular, ethernet cable from a modem??
(do you get a public IP from the second connection?)
by anav
Tue Sep 28, 2021 6:30 pm
Forum: Beginner Basics
Topic: Using Mikrotik with ISP's router in bridge mode [SOLVED]
Replies: 5
Views: 698

Re: Using Mikrotik with ISP's router in bridge mode [SOLVED]

Remove ether1 from bridge.
Put ISP information into IP DHCP CLIENT
etc......

Best bet is to give it a try and then post your config
/export hide-sensitive file=anynameyouwish
by anav
Tue Sep 28, 2021 6:24 pm
Forum: Beginner Basics
Topic: Setup help
Replies: 3
Views: 441

Re: Setup help

Please read this article on how to setup the MT. https://forum.mikrotik.com/viewtopic.php?f=23&t=143620 Basically you create as many vlans as you need, create them with interface being the bridge. Assign ip pool, ip address, dhcp server, dhcp server for each vlan Then assign bridge ports (ether1...
by anav
Tue Sep 28, 2021 6:19 pm
Forum: Beginner Basics
Topic: Upgrade problems with CCR 1009 [SOLVED]
Replies: 11
Views: 724

Re: Upgrade problems with CCR 1009 [SOLVED]

Concur with erlinden, netinstall that sucker!!
by anav
Tue Sep 28, 2021 3:52 pm
Forum: Announcements
Topic: Newsletter 102
Replies: 30
Views: 11738

Re: Newsletter 102

PDF works for me............
by anav
Mon Sep 27, 2021 9:35 pm
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 962

Re: Wireguard Server behind different router / gateway

In a nutshell. You can choose any port for wireguard as long as its UDP. -Port forward on fritz (to audience lanip = audience wanip) -input chain rule on audience accepting same traffic from WAN interface -ip route for wg interface traffic with destination of IP of device or subnet (local to network...
by anav
Mon Sep 27, 2021 9:05 pm
Forum: Beginner Basics
Topic: Hex s redirect traffic or port forwarding
Replies: 23
Views: 1256

Re: Hex s redirect traffic or port forwarding

Got it thanks!!
by anav
Mon Sep 27, 2021 9:02 pm
Forum: Beginner Basics
Topic: Why is my CAPsMAN network not as good as I hope for?
Replies: 19
Views: 1484

Re: Why is my CAPsMAN network not as good as I hope for?

I get average results with occasional stability issues but way better than what you are getting.
Big difference is I dont use capsman its not for the beginner IMHO and should be left alone if possible.
by anav
Mon Sep 27, 2021 6:41 pm
Forum: Wireless Networking
Topic: Wifi between concrete walls
Replies: 20
Views: 2512

Re: Wifi between concrete walls

I would use an external LOS connection between the two buildings using 60hz tech. then wire from there to the desired internal locations. All depends on what can be done from external to internal on the buildings. Enter from roof side, or run conduit down a wall to an entry point etc........ https://...
by anav
Mon Sep 27, 2021 6:28 pm
Forum: Beginner Basics
Topic: Hex s redirect traffic or port forwarding
Replies: 23
Views: 1256

Re: Hex s redirect traffic or port forwarding

Okay, can I ask you when the stock market will crash

Whenever you'll have most of your money invested ...
And my legs are long enough to reach the ground............... thanks yoda! (see above post for additional question)
by anav
Mon Sep 27, 2021 6:20 pm
Forum: Beginner Basics
Topic: Hex s redirect traffic or port forwarding
Replies: 23
Views: 1256

Re: Hex s redirect traffic or port forwarding

Okay, can I ask you when the stock market will crash and also what date approximately I will expire so I can plan accordingly.................... fricken clairvoyant networker........................ In terms of order, does the DST NAT rule have to be located before the new srcnat rule. SO its like ...
by anav
Mon Sep 27, 2021 6:18 pm
Forum: Beginner Basics
Topic: How to dst-nat to a host without gateway?
Replies: 2
Views: 502

Re: How to dst-nat to a host without gateway

Well, funny you should ask.

check out this post from this thread......
viewtopic.php?f=13&t=178857#p882479
by anav
Mon Sep 27, 2021 5:28 pm
Forum: General
Topic: Port forwarding dual wan, replies get sent over wrong wan
Replies: 5
Views: 452

Re: Port forwarding dual wan, replies get sent over wrong wan

ISP 1 route check ping distance=5 ISP 2 route distance=10 With two basic routes in place in the main table ISP1 will always be your primary and thus no confusion on port forwarding activities. Dont see the need to mangle in this scenario. However you stated, to boost internet access, so not sure wha...
by anav
Mon Sep 27, 2021 5:06 pm
Forum: Beginner Basics
Topic: Hex s redirect traffic or port forwarding
Replies: 23
Views: 1256

Re: Hex s redirect traffic or port forwarding

That is GREAT news!!!, but don't thank me, well okay maybe for confusing you, it's all MKX........ depressingly so LOL. What is missing for me is the explanation of this statement which magically mkx divined was the culprit. It is very likely that CNC gadget doesn't have any routing enabled, so it can ...
by anav
Mon Sep 27, 2021 5:02 pm
Forum: Beginner Basics
Topic: How to use RB750GL
Replies: 2
Views: 373

Re: How to use RB750GL

As a paperweight?
Who sold this to you as a new unit??


Discontinued

The RB750GL is a small SOHO router in a white plastic case.
by anav
Mon Sep 27, 2021 4:16 pm
Forum: Beginner Basics
Topic: Hex s redirect traffic or port forwarding
Replies: 23
Views: 1256

Re: Hex s redirect traffic or port forwarding

Hi Mkx, thought you had given up on this thread or were using it as cheap entertainment watching me flounder around LOL. Lets take the starting point discussion /ip firewall nat add action=src-nat chain=srcnat out-interface=ether1 to-addresses=192.168.51.138 add action=dst-nat chain=dstnat dst-addre...
by anav
Mon Sep 27, 2021 2:14 pm
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 962

Re: Wireguard Server behind different router / gateway

Im assuming gateway A and gateway B are standard consumer routers?
Do you have any dyndns domain names for either of the two gateways (and especially for network B router)?
Are both public IPs pingable (from a pc on the other network - in other words, ISP does not block ICMP pings?)
by anav
Mon Sep 27, 2021 2:09 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 2627

Re: Audit my input firewall

Hi there, 1. Yes, port scanning is not required for your setup. Its more designed at the ISP level for those people running MTs providing IPs and services for users. Akin to edge router services.... The router setup you have is secure and taking CPU resources for fruitless exercise would be a waste....
by anav
Mon Sep 27, 2021 1:59 pm
Forum: General
Topic: RB4011 Slow Inter-VLAN Routing
Replies: 24
Views: 1305

Re: RB4011 Slow Inter-VLAN Routing

My switch is a CSS326-24G-2S+-RM, no routing in it. It has a single 10G trunk to the RB4011 with all the VLANs on it. If not then its going through the CPU of that switch and will be slow as balls Slow as balls? Cannot recall hearing that expression. Sperm in balls travel rather quickly though. :-)...
by anav
Mon Sep 27, 2021 2:09 am
Forum: Wireless Networking
Topic: [Discussion] Is MT treating non-PtP wireless seriously?
Replies: 8
Views: 857

Re: [Discussion] Is MT treating non-PtP wireless seriously?

Rip Van Kiler ??
Sorry bud you're as late to the discussion as MT is to providing a fully capable wifi 5 device.
I have been using the tplink eap245 instead of my capacs for some time now.
by anav
Mon Sep 27, 2021 2:07 am
Forum: General
Topic: RB4011 Slow Inter-VLAN Routing
Replies: 24
Views: 1305

Re: RB4011 Slow Inter-VLAN Routing

Yes, no reason why it shouldnt, if it works now with your modules and connections it will work fine on the bridge.
by anav
Mon Sep 27, 2021 2:05 am
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 2627

Re: Audit my input firewall

Sorry the firewall rules are not the entire config,,,,,,,,,,,, which makes one have to guess at things :-( :-( In any case lets look at what is visible. add action=accept chain=input comment=Allow-VPN src-address-list=Admin-IP add action=accept chain=input comment=\ "Allow access to router from...
by anav
Mon Sep 27, 2021 12:15 am
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 2627

Re: Audit my input firewall

Sorry I dont get this comment - No, it is not an external IP but an internal network address . If you mean your coming from an external public WANIP into the router via a tunnel okay, but you dont exit the tunnel on the router with the same IP you are put on a subnet, an interface or what I call a f...
by anav
Mon Sep 27, 2021 12:11 am
Forum: General
Topic: RB4011 Slow Inter-VLAN Routing
Replies: 24
Views: 1305

Re: RB4011 Slow Inter-VLAN Routing

Personally if you setup your router using this fine article you wouldnt be having any of your issues
Hint take the subnet and put it on a vlan like the other vlans
Put your ports on a bridge
and use the reference.

viewtopic.php?f=23&t=143620
by anav
Mon Sep 27, 2021 12:08 am
Forum: Beginner Basics
Topic: cAP AC connects & disconnects continually with CAP
Replies: 12
Views: 905

Re: cAP AC connects & disconnects continually with CAP

Meh, one should have to write an exam to use capsman.
It would ensure folks learn how to configure the router without capsman.
and then decide if they really wanted to use capsman.........

It causes nothing but trouble when a non savvy person buys MT wifi and dives right in..........
by anav
Sun Sep 26, 2021 6:57 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 44
Views: 2019

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

https://forum.mikrotik.com/viewtopic.php?f=23&t=175656 You're welcome :) That link misses the most key points where is the direction for input chain rules If needed where is the direction for forward chain rules. But what I find hardest is..........Where is the exit/entry point of the tunnel (b...
by anav
Sun Sep 26, 2021 6:53 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 2627

Re: Audit my input firewall

To clarify a couple of points... (1) add action = accept chain = input comment = 'allow remote config' src-address = IP of TUNNEL '' '' Thank you very much! :D That source address is on the ROUTER somewhere and is the LANIP of the tunnel exit/entry behind into the LAN side of the router (just make s...
by anav
Sun Sep 26, 2021 6:49 pm
Forum: General
Topic: Licensing question and hardware recommendations for a small home user.
Replies: 3
Views: 440

Re: Licensing question and hardware recommendations for a small home user.

I will 2nd @Anav’s suggestions … except keep the Unifi Switch and Unifi AP’s :)
My bad you already have a switch and one AP...........So mozerd is right in keeping those assets.
by anav
Sun Sep 26, 2021 6:47 pm
Forum: General
Topic: DDOS suspect ? [SOLVED]
Replies: 13
Views: 961

Re: DDOS suspect ? [SOLVED]

Sorry I can be blunt, especially after seeing the same issue with 100s of people!! In short, you need to netinstall the latest long term firmware onto the router. I wouldn't bother trying to discern where the problem is and simply be safe and cautious and assume there has been a compromise and then y...
by anav
Sun Sep 26, 2021 6:45 pm
Forum: General
Topic: Mikrotik Marketing Policy
Replies: 1
Views: 305

Re: Mikrotik Marketing Policy

zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz finished yet.
by anav
Sun Sep 26, 2021 4:02 pm
Forum: General
Topic: Licensing question and hardware recommendations for a small home user.
Replies: 3
Views: 440

Re: Licensing question and hardware recommendations for a small home user.

RB5009 for the router. ports 1,2 (reserved for current and future WAN connections) ports, 3,4,5 to access points ports 6,7 reserve port spf+ to switch for wired units. SFP port - spare One switch for all wired devices - CSS610-8G-2S+IN one SPF+ port to router ports 1-7 for wired devices port 8 spar...
by anav
Sun Sep 26, 2021 3:49 pm
Forum: RouterOS v7 BETA
Topic: Multiple WG clients(peers) per WG service
Replies: 12
Views: 2845

Re: Multiple WG clients(peers) per WG service

Nice, maybe hardware specific then...........
by anav
Sun Sep 26, 2021 3:48 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc4 [development] is released!
Replies: 240
Views: 33001

Re: v7.1rc4 [development] is released!

Supported v7.1rc4 Wave2 for MIPSBE?
See: https://www.qualcomm.com/products/qca9982
OMG, I spit out my coffee reading that line.
We'll get a fifth wave of covid before mipse gets wave2. ;-PP
by anav
Sun Sep 26, 2021 3:21 pm
Forum: General
Topic: RB4011 Slow Inter-VLAN Routing
Replies: 24
Views: 1305

Re: RB4011 Slow Inter-VLAN Routing

I didn't look in depth but at a shallow look everything seems to be in order, for at least what I can understand... Did you try changing this to the sfp+ interface.......... /ip neighbor discovery-settings set discover-interface-list=none First time I've ever seen this rule suggest you remove it add acti...
by anav
Sun Sep 26, 2021 3:17 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 2627

Re: Audit my input firewall

IN summary this is the direction I would go,,,,,,,, /ip firewall filter add action=accept chain=input comment="Allow Established,Related" \ connection-state=established,related,untracked add action=drop chain=input comment="drop invalid packets" connection-state=\ invalid add act...
by anav
Sun Sep 26, 2021 2:52 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 2627

Re: Audit my input firewall

Yes, I have used ipsec vpn in the past and currently using wireguard. I will have a look! (1) I dont quite understand this rule................. add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp in-interface-list=LAN protocol=tcp src-address-list=Admin-IP Why does anyone...
by anav
Sun Sep 26, 2021 2:51 pm
Forum: General
Topic: Wireguard Server behind different router / gateway
Replies: 16
Views: 962

Re: Wireguard Server behind different router / gateway

Yeah the explanation is more confusing than helpful.
Suggest you provide a network diagram to show what you mean
Between devices within the same network on both sides of the tunnel.
by anav
Sun Sep 26, 2021 2:48 pm
Forum: General
Topic: PPPoE does not reconnect automatically. Have to restart router everytime.
Replies: 4
Views: 499

Re: PPPoE does not reconnect automatically. Have to restart router everytime.

Sorry nescafe, if someone said to me anonymized, my eyes would glaze over. I like direct clear speech.
Many times it takes two or three or more times to ask for the export before the OP actually produces it. A little reinforcement never hurt.
Not going to change my ways anytime soon. :-)