(1) This rule is no longer required in the input chain.......... add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN (2) You made the same error in the forward chain, you DIDN'T get rid of the old rule that we replaced. Get rid of it!! add ac...
Why don't you pull the crystal ball out of your ass then and provide the config on the MT router please.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
Why would you want to bridge all ports............... That is not a requirement, it's an attempt, maybe legit, or maybe wrong, to design a config for some reason. We care about the reason because the WHOLE CONFIG is often integrated and thus having the complete picture helps point towards development ...
1. If it's a fixed IP you can use either routing rules or mangling. 2. What version of RoS are you using? For vers6 as you have done...... /ip firewall mangle add chain=prerouting dst-address=example.com action=mark-routing new-routing-mark=example_route /ip route add dst-address=0.0.0.0/0 gateway=IS...
Dear Sir Holvoe, I have written many times of MT's unwritten agenda to move all users to newer ARM products, it's called the 'obsolescence - death by 1000 cuts product strategy'. Just so I can get this straight, the difference then between BTH and normal wireguard, and the power/allure of BTH, is that M...
Yes, set up a VPN network on the fortigate and seek advice on a fortigate forum. Once you have all the information and setup complete on the other router, modify the configs on the MT routers with the correct parameters. https://help.mikrotik.com/docs/display/ROS/IPsec Search on Youtube, seem to be m...
(1) It makes zero sense to send a hybrid port to a managed switch. Get off the drugs! All vlans should be tagged to the managed switch on the trunk port. /interface bridge port add bridge=vlan-bridge comment=defconf interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged add bridge...
I really think asking about adding stuff to a bridge is the WRONG WAY to think. Instead a. identify all user(s)/device(s) / groups of users/devices including the admin b. identify all the traffic the above users/devices require to accomplish. Draw a network diagram of the plan, detailing where the m...
Okay got it. The MAIN ROUTER acts as the server for handshakes on TWO separate wireguard networks. It connects to two other routers acting as clients which initiate the handshake. Once connected the wireguard network is established between routers, users from all devices behind the routers, should b...
Clearly there is a problem on the config, but I cannot quite put my finger on it. Try anything. Try nothing, maybe like magic it will fix itself. House owner to plumber: I turned on the knob and no water is coming out. Please tell me how to fix it. Plumber: Did you pay your water bill? :-) Plumber: ...
Hope this rewrite makes more sense for you!! J2. ENSURING Same WAN for Return Traffic { no mangling } A common problem can occur in multi-wan setups. External traffic to the router ( such as wireguard handshake ) may enter via one ISP and depending upon the configuration on the router, exit a differe...
Very confusing why do you have this flow:
internet --->MT ROUTER---> draytek modem ---> network
It should be
internet--->draytek modem ---> L009 ----> network
This statement is problematic........... The WIREGUARD_IT01 = VPN from the customer to us, via site to site. There should be server and client on both sides. Should I assume you mean, that the customers are clients connecting to your Wireguard Server? The other site cannot be a client and server for ...
Yup, it makes me cringe when I see people deviate from the defaults and don't know what they are doing. (1) Why in God's earth would you allow port 80 to the router from the internet side. I would guess that using ether1 probably won't work as traffic is actually via the interface name in pppoe. (2) Th...
Mangles for 4 WAN PCC - 12 additional tables, 12 pcc mangles, 24 routes. The concept being that each table is getting 1/12 of the traffic and each WAN has 3 tables associated with it. So each WAN is getting 1/4 of the traffic which makes sense as we have four WANs in PCC. Thus when let's say WAN2 fai...
8. Your sourcenat rule does not define an out interface and it's not clear to me why you are delineating any source addresses??? /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" \ src-address-list="All IP" Why not: add action=masquerade chain=srcna...
1. add the surfshark interface to the WAN list, not the LAN list. There is no incoming traffic to your LAN and thus not appropriate. However, all the users going surfshark from your LAN need to be sourcenatted to the single surfshark IP address you have been given ( per connection, aka separate priv...
If afraid of getting kicked by vlan-filtering=yes........ you have a valid concern, what I do is take an unused port and stick an IP address on it and do all my initial configuring from there safely. https://forum.mikrotik.com/viewtopic.php?t=181718 As to the other points.... 4. Incorrect, the swit...
Interrupt away LOL. To the OP, it's not a matter of deciding how to config it, it's you getting clarity on the requirements. a. Identify all the user(s)/device(s) and groups of users/devices including the admin b. Identify all the traffic the above users and devices need to execute. With that clarity a...
Zach, you are indeed correct for 2/3 models of 2004, unfortunately I grabbed the one to compare which has a CPU frequency of 1.2 GHz ( Amazon Annapurna Labs Alpine v2 CPU with 4x 64-bit ARMv8-A Cortex-A57 cores. While this CPU is running at 1.2 GHz, the router can be 3x as fast as the previous gen...
(1) Turn on vlan-filtering=yes (2) WHY DO YOU HAVE A mgm-vlan bridge??? GET RID OF THIS, it's not needed. (3) WHAT THE HECK is the comment here add name=dhcp_pool2 ranges=" ISP provided wan IP" What does internal LAN or VLAN pool have anything to do with the WAN side ????????????? Why are t...
Okay so basically WAN1 not included in PCC. WANS 2-5 PCC. Does each WAN (in 2 thru 5 ) have basically the same throughput? Are the WANS 2-5 from the same provider? The reason I ask is that if there is an issue with a provider it is likely that all internet from that provider will not be available. O...
I don't care about the config first, I care about the requirements. What is your intent with the WANS.................. Do you want users to be able to share all the available WANS? Do you want some subnets to use only WANS? If you don't know what your plan is, I am not going to waste time helping a mo...
There is something wrong with your MT peer settings. /interface wireguard peers add allowed-address=192.168.100.0/24,192.168.146.0/24 client-address=\ 192.168.100.2/32 client-dns=1.1.1.1 interface=wireguard1 public-key=\ "-------------------------------------------=" As far as I know there...
Why do you ask this question in a forum that is designed to point out useful information for folks. " USEFUL USER ARTICLE" Try beginner or general. Did you search hotspot in the search window? Did you search hotspot in youtube "Mikrotik hotspot" Did you check out MT documents? ht...
Note that if you want to allow any traffic from vlanX to vlanY it would go here on the above config ************************************** For example: /ip firewall address-list ( using static DHCP leases!! ) add address=user1-IP-address =PERMITTED comment="user1 to vlan301" add address=us...
Do not understand?? You have two vlans, WTF is this.......... add address=10.201.1.1/24 interface=ProductionNetwork network=10.201.1.0 add address=10.201.2.1/24 interface=vlan2-TheMiddle network=10.201.2.0 add address=10.201.131.0/24 interface=vlan301-AJPT_QLAN network=10.201.131.0 You have no DHCP ...
Thus it should look like this and can be shortened too. /interface bridge vlan add bridge=bridge1 tagged=bridge1,ProductionNetwork vlan-ids=2,301 You have an empty list member entry and should remove it... /interface list member add interface=ProductionNetwork list=WAN add list=LAN add interface=vla...
Two things. 1. Forget config speak if you want to talk requirements. a. identify all user(s)/device(s) and groups of users and devices, including the admin. b. identify all traffic they are supposed to have... Provide your config so far /export file=anynameyouwish (minus router serial number, public...
Why do you have a LANPOOL?? Why are you using bridge filters?? This bridge port makes no sense, you set it up as an access port with pvid ( or even a hybrid port ) and yet limit traffic to vlans.................. illogical!! /interface bridge port add bridge=bridge frame-types= admit-only-vlan-tagge...
There are many threads for failover, did you do a search on the forums? Since both your ISPs provide dynamic WANIP addresses you will need to add distance in your client settings....... The IP DHCP client one defaults to a distance of 1, so if that is your primary then leave it ( looked under the Adv...
Confusing post. Do you have two mikrotik routers you are trying to connect, one with a public IP and one without? OR Do you have two WAN connections and neither one seems to work to setup wireguard? Please also confirm you are using your MT as a wireguard server for the initial handshake and all the ...
Your post is confusing. Are you trying to RDP from a remote location into your desktop? If so stop right there, RDP is not a secure protocol, use Wireguard instead. If I am wrong and it's RDP within the LAN network of the MT, as noted by others, nothing is blocking that. Your mangle rules are suspect...
1. You have two sets of recursive going on, aka check google and if google is possibly not available, then check cloudflare. You should differentiate the two by distance like so.... add comment="TAG: eth1_wan1 ROUTE GOOGLE" distance=1 dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-s...
Sent you necessary changes. As noted all IP routes should have actual Gateway IPs.
Prerouting marking rules for WAN1,2,3 only required if hosting servers, the output chain rules are for ensuring traffic to router comes out the right WAN.
All mark routing rules should have passthrough=no
You need a script that takes the newly assigned gateway in IP DHCP client and puts it physically in your routing rules. An easy way is to put a comment in each applicable route, could be comment=FIXME. Easy to use find command. ;-) Not sure if this is a good script but one that I just saw......... htt...
Concur, the Wireguard specs for Routers would be great, I was just comparing the 5009 to 2004 to 2116 vs TPLINK ER8411, and they do parse out wireguard on their specs.
I don't like how they tout 1518 bytes, standard vice the more real 512 bytes....... but WG is stated as 1400Mbps,
Nope, you want the throughput, ......... any other router of same ilk will cost far more. Trying to find an alternative, the best TPLINK ER8411 is on par with the 5009 (matches 1518 byte throughput approx 9k Mbps throughput) but it does have a much higher VPN throughput but at easily double the price...
No idea what it looks like on fortigate but on the MT it would be simple. /ip route add dst-address=wireguardsubnet gateway=LANIPof Mikrotik. So let's say wg 10.10.10.0/24 and lanip of MT is 192.168.5.5 /ip route add dst-address=10.10.10.0/24 gateway=192.168.5.5 Be advised that on the fortigate you n...
IF the fortigate blows up, then your wireguard connection ( via wan1 or wan2 ) is gone, so I guess your plan is not good. If you want to wireguard regardless, then you have two options. a. put in a static route on the fortigate pointing to the LANIP of the MT (on fortigate subnet - also the wanip of ...
I would buy a cheap managed switch from TPLINK for the TV, the CSS610 10gig switch for the office.
For Wifi if the AX3 is not adequate then get a couple of Capaxs
1xAX3
2xCapax ( if needed )
x cheap switch tplink for tv room and
1 css610 for office
I suggest a proper router, the L1009 won't even handle a full 1gig fiber network, aka no future growth. Please confirm you can run cat6 or fiber between all rooms? Not sure what you meant by one UTP cable.............. Also if there is coax between all rooms you can get 2.5gig through them with adapt...
Perhaps it's something I don't understand about multiple WANIPs via the same gateway, or perhaps the OP really means a netmap is needed from the IP to the subnet............ in any case, source nat does not grab or do anything in terms of routing. It states, when the traffic is routed ( by some other ...
The source address you noted has no bearing on routing, it has bearing for what is sourcenatted out that WAN, it does not move traffic :-) Let me rephrase........ based on OP's comments: (Goal is to have all external-bound traffic from vlan23 (10.10.23.0/24) to be sourced with public IP 76.xxx.xxx.10...
Post your config to show what you have setup so far......
/export file=anynameyouwish (minus router serial number, public WANIP information, keys etc.)
Firewall raw rules have nothing to do with policy routing.
You cannot direct traffic for applications using the mikrotik router
You can direct users, subnets, vlans etc
You can elect to share all wans or some with some users etc......
If you looked at the config provided it's a very simple addition....... focus on the user rules......... {forward chain} (default rules to keep) add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defc...
Hi Kev, The sourcenat rule makes sense The ip route makes sense, BUT how do you ensure the specific vlan traffic goes out that route OR CONVERSELY how do you ensure all other vlan traffic does NOT go out that route. Suggesting a routing rule............ /routing table add fib name=useISPX /routing r...
Yeah use vlan filtering for the subnets, one bridge............
The bizarro approach to address, dhcp server pool, if not for a specific needed reason, is cutesy crap for nothing.
RICH, please don't waste valuable mikrotik resources on an interim, dead before it goes out the door, 6E standard. TP Link and others are rolling out Wi-Fi 7 already and even zyxel is heavily discounting (dumping its new 6E stock). Normis, do not pass go, do not collect $200, go straight to jail if yo...
Also the requirement should be expressed in terms of user traffic required.
Mangling and routing rules are simply tools to use, for a purpose, and that purpose has not been communicated........
PM me the exact config, sure..........
For all ip routes its best to use the correct gateway vice etherX........... ( exception that comes to mind is wireguard )
If nothing else to demonstrate that the routes are meant for Static IPs/gateways, whereas one would need scripts for dynamic ones.
Also it would appear you have some duplicates.......... /ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=100.80.90.70 pref-src="" routing-table=main scope=30 \ suppress-hw-offload=no target-scope=10 add check-gateway=ping disabled=no distance=2 dst-addr...
This is your basic default firewall ruleset with a focus on only identifying needed traffic and dropping everything else. /ip firewall address-list { using static dhcp leases mostly } add address=admin-IP1 list=Authorized comment="admin local desktop" add address=admin-IP2 list=Authorized ...
Well what I recommend between two routers is setting up WIREGUARD between the two, and if the server goes down, due to WAN1 failing, the client will regenerate the connection on WAN2 as I described. As the backup simply connect an easy MT to MT SSTP backup direct to WAN2. Thus you always have a seco...
Hi Broderick, this already happens!! If you have a wireguard server on your Router and WAN1 is the primary, and it goes down the router switches to WAN2, the clients connecting to your WG server will lose connectivity and will try to reconnect and when the WANIP for the router becomes the second ISP...
What you can do is actually research a product before buying it. Too late now, but on the product page have a look at TEST RESULTS. The throughput one should expect to get with some basic filter rules is somewhere between 300-600Mbps. For 1 gig throughput your best bets are: a. hapax3 --> just over ...
Well if they are static IPs, then that would be easier to deal with, you should confirm with your ISP that they are static!
Confirm you are paying for two separate 1 gig connections? and on each one you can get 1 gig at the same time......
If your server does not have secure login (encrypted) then you shouldn't be using those servers. Assuming they are secure logins, consider a. src-address-list on your dst-nat rules ( everyone is coming from a public IP address, static or dynamic either directly or from their upstream ISP modem/route...
What are you talking about? The original OP stated he was getting the same IP gateway from two ISPs starlink and something else, aka gateway=192.168.1.1 What does that have to do with you having two 1gig connections? Are you saying you are using two ISP supplied modem routers in front of you and eac...
Word of advice, assign to an empty port an IP address and work safely from that port to do all your config initially, and later it acts as an emergency access, besides lots of use of SAFE MODE!! viewtopic.php?t=181718
You really need to explain your wireguard setup. IT'S STILL WRONG!!! Where is the server for VPN01 for handshake? If not this router then this router is the client for handshake? Where is the server for MGNT for handshake? If not this router then this router is the client for handshake? Server Devi...
If it's disabled on the config, I delete it when looking at it....... KISS I delete all capsman config entries for easier viewing, now the config is looking smaller LOL No problem for queues, I worked around that so you can use fasttrack for everything else......... You forgot to add additional vlans...
Which subnets or list of individual devices should be getting NTP services from the router??? Where are the remote subnets coming from in this rule................?? add action=accept chain=forward comment=Accept_Remote_to_Company \ dst-address-list=COMPANY src-address-list=REMOTE Reminder........ a...
This rule makes no sense to me...... add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \ in-interface-list=!WAN protocol=udp src-address-list=FIREWAL Where the only entry for firewall address list is the following add address=127.0.0.1 list=FIREWALL Another rule...
Have you considered NOT using the starlink router and connect CGNAT direct to your router?
Your gateway in this case will be 100.64.0.1 ............ or something like that.
I see the issue. The paragraph stood on its own and if you tried to correlate with the previous para, it would seem non-congruent. I have adjusted it so that confusion is removed. Much thanks!
I will have a look. I am actually hoping that you are understanding the config better and learning as you go and gaining confidence in your own skills! Observations: 1. You have many vlans identified but not fully configured, assumed this was future plans and removed them from the config for the mom...
Actually the RB4011 has two chips on it, so it kinda makes sense to split it into two bridges, but if my memory recalls only one of them will have Offload so in the end one bridge is best.
In plain English, the setup for wifi on the device hosting capsman is different or separate from the wifi settings within capsman for the external devices???
Generally anything is possible but it's best to detail all the requirements PRIOR to setting up a config. I would stick to source for PCC because of the banking requirements etc....... I would also contemplate using the # of WANS you need to distribute traffic and then perhaps a couple of dedicated W...
Again, I don't understand the purpose. Showing someone combined WAN output is a useless exercise. Firstly unless you have a bonded setup with the SAME ISP you cannot ADD the throughput of ISP connections and do a speed test that shows the addition of all of them. What you do have is a larger total ban...
Concur, ideally the Landlord isn't using the same LAN for all his devices, but it seems to be the case. Probably one flat LAN.
Is the landlord's router actually the ISP's modem/router or is it his own separate router? If so does it get a public IP?
According to other experts here just stick to the defaults as much as possible....... and that it's easy.
I beg to differ but check out some newer videos by MT for wifi, they will be helpful.
First of all, the router is NOT yours it belongs to the ISP so respect their wishes. However since their device is acting as an ISP/ROUTER and you get a private IP, it is very normal to ask: a. if they can forward ports on the router for you OR b. they can describe the steps you can take to forward ...
RSC is not meant for exporting importing.
The only function that does that is BACKUP and RESTORE and that is for the same device.
You can use an export to guide you manually configuring the new device,
and if you know what you are doing you can import chunks of config via the TERMINAL CLI window.
Your explanation is off. If you mean to say that your MT router is the server and the remote clients can connect and reach local router services that would make more sense. Further if the computers that the remote users have cannot reach their local resources that is an issue with the devices they a...
Personally I don't ping other users for a living, it is of zero value to me. Can users access the devices they need to access on the LAN and conduct work? Or are they blocked? It doesn't matter what port they are connected to if all ports are part of the same bridge. All to say is so far I do not see ...
@normis--> suggest video how to use vlans with capsman.......... Basically the presenter should take this article viewtopic.php?t=143620
and 'bend it' as required for capsman.
The article is meant for vlans primarily and is not intended for vlans under capsman.
I agree it's sorely needed but that is best left to an article describing capsman setup and suggest you go bug holvoetn to make such an article
Firewall rule guidelines 1. Single Subnets --> use dst-address or src-address 2. More than one subnet (whole subnets) --> use interface lists 3. If you have any list that includes a bunch of users (less than a subnet) or from different subnets (with or without whole subnets) then use firewall addres...
This is an unusual rule, did you invent it yourself, or watch youtube from hell channel?? At least it's disabled. At the moment I see no reason why users cannot see each other being all on the same subnet and visible at L2. If there are no issues between wired users but issues between wired and wired ...
1) If some users speed test will they receive the combined speed test result. If not can we make it so that they are able to achieve that result (this is just a requirement and I understand that LB is not for this) Do not understand the question? Conducting a speed test is not a valid user requirem...
(1) By the way, using ether1, ether2, ether3 WORKS in your config as all your WANIPs are static. My example should reflect the IPs only, so as to not lead others astray. No need to change your config in that regard but I will change my example provided above. :-) (2) Also I may confuse people by usi...
Would concur, wireguard does not scale (pun intended) like an enterprise VPN.
However, tailscale which depends however on a third party, may have some tools/functionality to support such a requirement.
Yes absolutely recommend wireguard for both connecting to proton and to host your own wireguard so you can remote into the router to config it or for LAN services or to use its internet or to be forwarded out proton's internet.
Because they are not necessary and are bloatware............ Instead stick to the defaults........... The defaults are safe for a single user and a single WAN and LAN subnet with no complexities. Once you go beyond that, it's 99.999 percent of the time needed to start mucking about in the rules. The ...
VLANS approach is best described here ---> https://forum.mikrotik.com/viewtopic.php?t=143620 We do one bridge approach here. Open VPN has varied success on MT gear. Recommend you replace your proton connection to Wireguard. If your MT gets a public IP, or if you are behind an ISP modem/router and ca...
Now for the ROUTES. CAUTION: In your actual implementation use GATEWAY IPS, the use of ether1,2 etc.. is for expediency only. We have the ones we created for the non-pcc mangles as shown above...... /ip route add dst-address=0.0.0.0/0 gateway=100.100.100.90 table=useWAN1 add dst-address=0.0.0.0/0 gat...
Third Step let's do the PCC MANGLES. ( 6 mark connections and 6 route markings aka tables ) (using src-address ONLY not both) /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local \ in-interface=LAN-bridge new-connection-mark=WANA-B passthroug...
Non-PCC MANGLE RULES, ensuring traffic entering a WAN exits the same WAN deals with any traffic to the router itself or to any servers on the LAN. These will not interfere with any normal traffic either. /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark \ in-int...
Quick Look Config 1. Listening port settings for the interface, on the client device, can be anything and do not have to match the ENDPOINT listening port and are basically random. In your case highly recommend to make them different. /interface wireguard add listen-port=51820 mtu=1420 name=wiregua...
Well in terms of requirements, routing ports is nonsensical. What is the user traffic that you are trying to execute? ex. users from LANA on router A need to access LANB on Router B ( via wireguard ) users from LANC on router A need to use internet available at Router B etc... If worded in terms of d...
To make recommendations for the two WG, need to see config
/export file=anynameyouwish ( minus router serial #, any publicWANIP information, keys, long dhcp lease lists etc..)
First you need to backup and make a coherent plan and before that read this --> https://forum.mikrotik.com/viewtopic.php?t=182340 You will quickly surmise that putting 0.0.0.0/0 at both ends is not the right approach. Once reading, you may make some changes to the config. Give it a try. If still not...
(1) You're doing PCC, drop any queueing of WANS for the moment. (2) interface list members...... should be modified to the below /interface list member add interface=ether2-TW list=WAN add interface=ether1-PIE1 list=WAN add interface=ether3-PIE3 list=WAN add interface=ether4-LTE4 list=WAN add interfac...
Why would you comment on such an old thread? Do you know the context, did you read the link?
MT at the time was having problems at their end............
(1) YES, THAT IS THE WAY. (2) WHAT ARE YOU TALKING ABOUT SUBNET 16? Point #2 was pointing that your allowed IP 10.10.9.X/32 was wrong..... The correct version is blue. (3) If you look at the config line it's clearly an /ip address entry. It's disabled which is good, I am saying just get rid of it. (4)...
Hmm good question. Post your config.
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys, long dhcp lease lists etc.)
Philosophy. The default rules come set for a simple user on the bridge via ether2 and wan setup to work on ether1. The traffic is safely protected but it allows all traffic and drops some key things for general safety. When we want to do more, add vlans and other things it's much easier, as the confi...
Sounds very doable. Basically server router - input chain rule for port both routers. define interface add ip address add peers, wireguard IP and remote subnets ( see article for difference between client peer settings and server peer settings ) add forward chain rules needed for traffic flow add ip...
Before thinking about configuring, it's best to understand the requirements and PLAN!!! identify users/devices, groups of users/devices, including admin identify what traffic they need. Do the devices have single WAN or dual WAN? Is there any port forwarding involved on the two devices? What two de...
Since the need for VPN is not clear. Which users are coming to the OFFICE and for what purposes?? Why do you hide a private IP address, assuming the upstream router handles the WAN connection and your WAN input is basically a LAN address on the subnet of the ISP router? The other thing funky about t...
Wireguard has generally better performance and is easier to set up. Do you control both ends of the tunnel? ( what is at both ends?) Does at least one end have a publicly reachable IP address ( not cgnat or natted behind another router )?? If natted behind let's say an ISP modem router, can you forward ...
Client Router (1) It would appear you are trying to use srcnat masquerade to route traffic. This is the wrong approach. /ip firewall nat add action=masquerade chain=srcnat dst-address=172.16.24.0/24 out-interface=\ wireguard-oam src-address=192.168.13.0/24 All you need is....... add action=masquera...
Well, good to know, defining the requirements clearly is best done before applying a config. a. you have two WANs. b. there is no failover c. the LAN should use WAN1 only if wan1 goes down, no LAN traffic goes to WAN2 if wan2 goes down, no LAN traffic goes to WAN1 Wan 2 is a static fixed WANIP You h...
have been fighting a starlink DNS issue. I know this sounds strange and I am hoping someone will point out why it is behaving this way. Sounds like you're asking for help to me......but okay, maybe you're not. What a switch has to do with router issues is a bit strange to interject and you have no clari...
Hmm not really, you can setup PCC balancing to favour one over the other but that's hard wired into the config. The only thing I can say off the top is to make a vlan for WIFI in the house and basically route all the traffic from that wifi through the desired WAN. That way folks have a quick and dirt...
The improvements to many functions and the ability to do wireguard are huge reasons to move ahead.
If this is a home no worries, 7.12.1 is decent enough.
The friend is not exactly wrong, just a tad misleading. EVERY SWITCH PORT when it comes Default has vlan1 assigned to the port. WE LEAVE THAT vlan1 alone. It works in the background and can basically be ignored. We don't change any vlan1 settings anywhere. EXCEPT.......... when we make a port an...
SERVER Comments 1. This indicates an issue....... /interface list member add comment=defconf interface= *C list=LAN I suspect it's because you have not identified any LAN list interface members and yet you have a list?? 2. This is wrong. .......... IF you have IP DHCP Client you should not have a se...
Hi KAT,
There is no vlan1 in your config, in fact it looks like all the MT devices properly got an IP on the trusted 192.168.0.0/24 subnet. ( AKA VLAN100 )
Thus confused by the evidence in the configs contradicted by the diagram and your words??
(1) Which Router is the one you are referring to in the diagram?????? I am assuming the 5009!! (2) What is with vlan1 between all the MT devices, I don't see that in the router config you have??? Assuming you meant on the diagram to put vlan100 which contains the 192.168.0.0/24 (3) So you have four V...
ROUTER COMMENTS ( WOW, nice setup ) (1) Not sure what you mean by this line.............. add address=10.0.20.0/24 comment="the different DNS server is used to make th\ e router use the WireGuard VPN connection for DNS queries" dns-server=\ 208.67.222.222,208.67.220.220 gateway=10.0.20.1 F...
Good day, The requirements are pretty good. Who needs access to the windows server, vlan10 and vlan20 Who needs access to vlan10, vlan20 does Who gets internet from wireguard, vlan20 does. +++++++++++++++++++++++++++++++++++++++++++++++++ It's the additional requirements that get a bit murky. a. vlan...
1. Allowed IPs on the mikrotik side have nothing to do with routing. 2. Allowed IPs are a matching filtering function for leaving traffic and a filtering function for arriving traffic. 3. An automatic route is created for wireguard IPs by the wireguard router due to creating the interface IP addres...
Concur, one bridge and three vlans is all that is required here. Unless the fortigate cannot handle vlans? What is the purpose of the fortigate in this setup? Edge Router with some subscription services?? interface list=building one vlans 11,12,13,14 Interface list=building two vlans 21,22,23,24 int...
You came here looking for reasons to 'convince' the wife to spend money. Just wanted to help the cause by better understanding the scenario because what you initially presented was a very weak case. :-) Anything is possible between two MT routers. Use the concept provided in post #2. Trunk port betw...
What is PPC................ In terms of requirements. a. identify all the user(s)/devices, groups of users and devices ( including admin and external users) b. identify all the traffic they require to accomplish. What is the purpose of the two WANS. Use a primary and have a secondary as backup? USE ...
(1) You don't understand firewall rules. Why make allow port 53 rules, but then later drop everything not coming from the LAN. In other words the port 53 rules are allowed by the rule above and thus not necessary in your setup. However, it's not at all what I suggested. (2) These ones also are unnecce...
firewall rules fixed Main issue is these rules which have been axed...... add action=drop chain=input comment="defconf: drop all coming from ha_ct" \ in-interface=pppoe_ha-ct add action=drop chain=input comment="defconf: drop all coming from ha_cu" \ in-interface=pppoe_ha-cu add ...
Change the approach of at least the forward chain, to DROP ALL. In this regard all connections between different subnets are blocked unless explicitly stated in the firewall rules. {forward chain} add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=e...
Same here. By using classic mangle rules such as: /ip firewall mangle add action=mark-connection chain=input connection-state=new in-interface=ether2-pppoe new-connection-mark="From WAN Telecom2" passthrough=yes add action=mark-routing chain=output connection-mark="From WAN Telecom2&...
(1) Order of firewall rules fixed. (2) It's dumb to allow an entire subnet to configure the router and besides, 8291 is not a tcp protocol it's udp! Created a firewall address list called authorized........ to solve.... (3) Got rid of unnecessary firewall address lists. (4) Removed logging on drop all...
(1) Wrong order. ..... think through the logic. Will traffic from VPN subnet ever reach another local subnet with the order you have???? /routing rule add action=lookup-only-in-table disabled=no src-address=10.10.20.0/24 table=\ Proton_UK_WG add action=lookup-only-in-table disabled=no src-address=10...
You didn't read that article very closely, where the EFF does it show the bridge doing any DHCP....... ALL VLANS So take your bridge subnet and assign it to a vlan. Then you need to actually turn on bridge vlan filtering=yes......... None of your bridge ports are assigned properly for access ports or...
So assuming the SERVER is not third party, then the problem is also at the other end at the server end!! SERVER CONSIDERATIONS : a. do you have 192.168.88.0/24 as allowed IPs at the server wg peer settings for router b?? b. do you have 192.168.100.2/32 as allowed IPs at the server wg peer settings f...
What is the remote wireguard server - mikrotik or something else?? Concur lets fix that sourcenat mess..... (drop the crap rule) /ip firewall nat add action=src-nat chain=srcnat dst-address=192.168.100.0/24 dst-limit=\ 1,5,dst-address/1m40s limit=1,5:packet psd=21,3s,3,1 src-address=\ 192.168.88.0/2...
(1) This default rule is now replaced and should be removed. add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new disabled=yes in-interface-list=WAN add action=accept chain=forward comment=Internet in-interfac...
Need table /routing-table add name=useWAN2 Need route /ip route normal route ISP1 distance=2 check-gateway=ping table=main normal route ISP2 distance=4 table=main add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=useWAN2 Need routing rules................. But be careful as a routing rule fo...
The wireguard config is predicated upon the peer for a client to be the specific IP address as noted, which differentiates from the multiple peers possible.
The peer on the client or often remote device, should be the subnet and if a router then most definitely the subnet.
How many machines?? You can use Routing rules for entire subnets - very easy, no mangles. You can use Routing rules for a few users - very easy, no mangles. Basically it comes down to you will need a routing rule per user so it depends how many rules you would like to make. add src-address=userX-IP ...
Too busy today to look at it, but I would scrap any mangle rules you have for wireguard.
What is required is mangle rules ensuring traffic coming in wanx, goes out wanx.
I have a great idea, why don't you ask the people making videos for help........... The onus is ON YOU, to read the mikrotik docs and read as many threads as possible to learn. There are some decent videos out there by a few people the rest will lead you astray. Network Berg is good Network Trip is g...
?? Do you have a multitude of servers feeding many users........ Not sure what the need is for 10gigs? As for poe...... injectors are cheap....... https://www.amazon.ca/PoE-Injector/s?k=PoE+Injector You're not making a real case to keep the 5009 thus far......... , maybe you want to show the wife this...
Sell the RB5009, there is no need to keep it when you get the chateau 5G AX. To me it's pointless to keep both. Give the RB to family or donate to some organization, it would be wasted otherwise. There is nothing to be gained by keeping it. The same rules can be used on the Chateau as its the same RO...
Sorry it's you that doesn't understand, didn't ask for your configuration BS. . All I asked for is how to set the gateway for a vlan if there is more than just one wan-interface. I asked to explain what users and devices you had and what traffic requirements they had. The network diagram shows what equ...
Don't understand what you are trying to accomplish. 1. The RB5009 is a better router in terms of routing it can actually handle a 2.5 gig ISP connection with firewall rules implemented. The latest chateau 5G AX cannot ( good for 1gig fiber ). 2. There is no need for the chateau to do routing if you h...
The point being, a. you have associated the address pool with the bridge-lan via the dhcp-server. b. you associated the IP address with two different etherports, that are also members of the bridge but NOT the bridge. and yet don't see the problem, means you either don't understand networking, or mikr...
No word of a lie, but I was out running on friggin mountain in Spain recently when my bowels told me I was in a dire very dire short fused situation. I went off the beaten path to ensure isolation, just in case, and was just in time. What a relief,,,,,, However, I could have really used a BIG LEAF, ...
Here is the scoop, makes two of us who don't get it, the diagram was a good start,
however you need to
a. identify all the user(s)/device(s) and groups of users/devices
b. what traffic they should be able to accomplish.
Do not use any config speak, just actual users, devices and traffic required.
(1) Why would I bother commenting, the config linked is missing the wireguard information, I don't work on snippets. Besides lacking in firewall rules AND ROUTES. (2) Where is the sourcenat rule for outgoing information going out ether3.................. (3) Why is ether2 sourcenat have the associated ...
Okay....... (1) Point 4, big risk learn Wireguard!! (2) Point 5, good for port forwarding to work properly from the LAN side, the new rules will work the default you had would not. (2) I don't understand your point about DNS in terms of deciding server routing can you elaborate/explain as I see noth...