Community discussions

Search found 7826 matches

by anav
Sun Aug 01, 2021 3:14 am
Forum: General
Topic: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]
Replies: 10
Views: 295

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

The invisible parameter strikes again...........
by anav
Sun Aug 01, 2021 3:11 am
Forum: General
Topic: Term/technique for local network lookup of CNAME/A record pointing to local network?
Replies: 5
Views: 93

Re: Term/technique for local network lookup of CNAME/A record pointing to local network?

So this is the fourth method of approaching Hairpin NAT then,,,,,,,,,,,as I read a long time ago......but had forgotten? So what does this do? Why is the router going to use the static DNS, what happens if you have other servers on the list of DNS servers, What if peer DNS is allowed? dnsworkaround....
by anav
Sun Aug 01, 2021 3:05 am
Forum: RouterOS v7 BETA
Topic: Route lookup rules: Broken?
Replies: 6
Views: 161

Re: Route lookup rules: Broken?

Is it possible your config is broken and not route lookup rules?
In other words have you setup something similar on non beta firmware and it works fine?
by anav
Sun Aug 01, 2021 12:43 am
Forum: General
Topic: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]
Replies: 10
Views: 295

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Hi andyrys, this is a good point you are making and not intuitively clear. Having it stated in the documentation would be of benefit to many. My guess is that many people would assume that the parameter is applied in the default config sourcenat rule with action=accept when reading the MT file. I don't...
by anav
Sun Aug 01, 2021 12:39 am
Forum: General
Topic: Term/technique for local network lookup of CNAME/A record pointing to local network?
Replies: 5
Views: 93

Re: Term/technique for local network lookup of CNAME/A record pointing to local network?

Yes, hairpin nat, one fix is to move the server to a different subnet, problem solved.
as noted lots of examples if you 'search' hairpin nat.
by anav
Sat Jul 31, 2021 10:53 pm
Forum: Wireless Networking
Topic: Block gateway access from connected wifi clients,
Replies: 11
Views: 311

Re: Block gateway access from connected wifi clients,

You got me with that phrasing, feel like a pretzel LOL.
Just sayin that using raw rules can have unintended consequences if one is not 100% sure of the effects.
Input chain is a little harder to screw up.

Still I haven't had my question answered, would the input chain option actually work?
by anav
Sat Jul 31, 2021 10:46 pm
Forum: Beginner Basics
Topic: Nat SMTP to second publik IP
Replies: 5
Views: 125

Re: Nat SMTP to second publik IP

Im a little isp... Have 500 clients... All my clients use one public ip...
How do you distribute internet from a single public IP to 500 folks.

500 vlans or 500 PPPoE client connections?
by anav
Sat Jul 31, 2021 7:09 pm
Forum: General
Topic: LTE interfaces cannot be bridged?
Replies: 4
Views: 125

Re: LTE interfaces cannot be bridged?

But can the usb port be assigned as a bridge port ???
Reason I ask is because when I use a USB to ethernet adaptor on my laptop it seems to create another ethernet interface!
by anav
Sat Jul 31, 2021 7:03 pm
Forum: Wireless Networking
Topic: How many concurrent wireless users can support?
Replies: 22
Views: 28775

Re: How many concurrent wireless users can support?

What TP link do you have?? The MT Audience will be supported for a long time by MT as one of their newer products and thus is probably one of the only MT indoor products worth discussing. The number of concurrent users the Audience can handle would be a very good stat that MT should provide!!! In th...
by anav
Sat Jul 31, 2021 6:59 pm
Forum: Wireless Networking
Topic: Is/Would be there support for client roaming (802.11k,802.11r,802.11v,802.11w) ...
Replies: 7
Views: 2810

Re: Is/Would be there support for client roaming (802.11k,802.11r,802.11v,802.11w) ...

Not surprised you didn't know the correct acronym Normis ;-PPP
It's 802.11 w - 2009.
Glad to hear however, that MT is right on top of 802.11b jajajajaja
by anav
Sat Jul 31, 2021 6:51 pm
Forum: Wireless Networking
Topic: Buy AC3 or can I fix old RB951G-2HnD?
Replies: 4
Views: 230

Re: Buy AC3 or can I fix old RB951G-2HnD?

Try 5GHz settings of Band: 5ghz-n/ac Channel Width: 20/40mhz-Ce OP is currently using RB951G- 2 HnD ... when I last checked my own devices of same model, they didn't have 5GHz radio? Thanks MKX, I don't live in the dark ages LOL. Didn't realize some people still practice blood letting for example. In...
by anav
Sat Jul 31, 2021 6:48 pm
Forum: Wireless Networking
Topic: Wireless Performance - RB4011iGS+5HacQ2HnD-IN
Replies: 12
Views: 539

Re: Wireless Performance - RB4011iGS+5HacQ2HnD-IN

I would expect somewhere in the range of 100-200 Mbps higher throughput (and more stable) on the fritzbox if using wifi - 5. MTs wifi-5 implementation is less stable and has less distance IMHO (my limited experience)
by anav
Sat Jul 31, 2021 6:45 pm
Forum: Wireless Networking
Topic: Low wifi coverage in bedroom
Replies: 9
Views: 459

Re: Low wifi coverage in bedroom

You're not going to have too much success on 2.4ghz due to the number of wlans using that spectrum. However here are my settings for a capac...... WLAN (2.4) Band: 2ghz - g/n Width: 20MHz Channel.......... you may be better if you only need one channel to choose 4, and if need two 4 and 9 WLAN (5) Ban...
by anav
Sat Jul 31, 2021 6:17 pm
Forum: General
Topic: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]
Replies: 10
Views: 295

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Good to know!
I am going to start using drop all else rules at the end of the NAT chain, just so I am not as lazy as rextended as I like positive affirmation of what the action is...... ;-)
by anav
Sat Jul 31, 2021 6:09 pm
Forum: General
Topic: LTE interfaces cannot be bridged?
Replies: 4
Views: 125

Re: LTE interfaces cannot be bridged?

Without seeing your config hard to tell. One adds etherport, wlans as bridge ports. One adds vlans to a bridge when creating/identifying the vlans The LTE interface is probably considered an etherport then........ and needs to be identified as a bridge port.... So what is the problem? If you need t...
by anav
Sat Jul 31, 2021 6:05 pm
Forum: General
Topic: Flood Protect UDP/TCP and SYN
Replies: 7
Views: 4344

Re: Flood Protect UDP/TCP and SYN

Quick questions:
a. do you run servers on your network
b. are you providing internet for other (like PPPOE server)?
by anav
Sat Jul 31, 2021 6:04 pm
Forum: Beginner Basics
Topic: Nat SMTP to second publik IP
Replies: 5
Views: 125

Re: Nat SMTP to second publik IP

So you use public IPs for servers? Is the issue caused by users of the servers or people behind your router using the single IP for your home or own use?? As for servers are they: a. protected by encrypted login (https, FTPs etc) or plain text login or no login? b. limited by a source address or sou...
by anav
Sat Jul 31, 2021 6:01 pm
Forum: RouterOS v7 BETA
Topic: Bridge to Wireguard interface
Replies: 13
Views: 447

Re: Bridge to Wireguard interface

Sorry, not sure what you are doing using a separate UK VPN?
One only needs wireguard and not some other VPN on top (too complicated for me, plus dont touch layer 7 with a ten foot pole))
by anav
Sat Jul 31, 2021 2:57 pm
Forum: RouterOS v7 BETA
Topic: Bridge to Wireguard interface
Replies: 13
Views: 447

Re: Bridge to Wireguard interface

Wireguard doesn't connect to a port. It connects to the router (server) on its wireguard interface which you create and define. Destination Route for the subnet or IP address at the client with gateway being the wireguard interface. If you want the users on the WG interface to be able to access LAN r...
by anav
Fri Jul 30, 2021 11:11 pm
Forum: RouterOS v7 BETA
Topic: WireGuard - 7.1beta6 - Can't get it to work - Howto setup?
Replies: 21
Views: 1857

Re: WireGuard - 7.1beta6 - Can't get it to work - Howto setup?

Interesting,
I have my ccr1009 as my main router (stock firmware) and behind that using the RB450Gx4 as the wireguard server (beta firmware), at the other end, I am using an RB4011 behind an ISPs modem/router hub as the client (also on beta firmware)
I also use my iphone as a client device.
by anav
Fri Jul 30, 2021 10:51 pm
Forum: Beginner Basics
Topic: what is the shortest masquerade rule possible?
Replies: 7
Views: 256

Re: what is the shortest masquerade rule possible?

Seems incomplete (no action) unless without direction the router provides a default action??
by anav
Fri Jul 30, 2021 10:19 pm
Forum: Wireless Networking
Topic: Buy AC3 or can I fix old RB951G-2HnD?
Replies: 4
Views: 230

Re: Buy AC3 or can I fix old RB951G-2HnD?

Try 5GHz settings of Band: 5ghz-n/ac Channel Width: 20/40mhz-Ce Very good question on replacement + router. You could simply add an AUDIENCE wifi (access point) to the existing router, as the router you have does not need upgrading correct? Which may be the best answer. In terms of all in one, my q...
by anav
Fri Jul 30, 2021 10:16 pm
Forum: Wireless Networking
Topic: Block gateway access from connected wifi clients,
Replies: 11
Views: 311

Re: Block gateway access from connected wifi clients,

Understood, I seem to remember it being done via input chain vice raw chain and am simply asking the question will it also work in the input chain as stated.
I stay away from raw when I can because it's more dangerous for novice users to muck about in the raw chain.
by anav
Fri Jul 30, 2021 9:49 pm
Forum: General
Topic: MikroTik download servers IPs
Replies: 5
Views: 180

Re: MikroTik download servers IPs

I represent the masses and ill-informed. :-)
by anav
Fri Jul 30, 2021 9:26 pm
Forum: Wireless Networking
Topic: How to make CAPs with 2 SSID in different IP domains
Replies: 5
Views: 1153

Re: How to make CAPs with 2 SSID in different IP domains

If it works fine for you, super dont change a thing.
It has never worked satisfactorily for my family so I changed them out for others.
by anav
Fri Jul 30, 2021 9:24 pm
Forum: Wireless Networking
Topic: Block gateway access from connected wifi clients,
Replies: 11
Views: 311

Re: Block gateway access from connected wifi clients,

Wait rextended was that the raw chain or INPUT chain that one blocked one subnet set of users from accessing the gateways of other subnet ( clearly device to device is blocked via the forward chain). I thought this was the solution but perhaps I remembered wrong??? Even if one block lan subnets from...
by anav
Fri Jul 30, 2021 9:16 pm
Forum: Wireless Networking
Topic: Wireless Performance - RB4011iGS+5HacQ2HnD-IN
Replies: 12
Views: 539

Re: Wireless Performance - RB4011iGS+5HacQ2HnD-IN

Who recommended that model vice the wired only RB4011? Placement of wifi is not usually nor should be dictated by router location and is thus better set separately. The RB4011 router will last far longer than any wifi device one purchases as wifi technology is a moving target (except for MT house wi...
by anav
Fri Jul 30, 2021 9:11 pm
Forum: General
Topic: DNS request coming from gateway IP
Replies: 8
Views: 249

Re: DNS request coming from gateway IP

I don't have source addresses on both my masquerade rules. How on earth have I survived this long?? /ip firewall nat add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN - FibreOP" \ ipsec-policy=out,none out-interface=vlanbell add action=masquerade chain=srcnat comment="SCR_NAT...
by anav
Fri Jul 30, 2021 9:00 pm
Forum: General
Topic: MikroTik download servers IPs
Replies: 5
Views: 180

Re: MikroTik download servers IPs

GEO, is by IP number?? , I thought OP was asking for location of servers LOL
by anav
Fri Jul 30, 2021 8:58 pm
Forum: General
Topic: Bridge vlan solution without adding interface vlan
Replies: 2
Views: 100

Re: Bridge vlan solution without adding interface vlan

Don't think so. You have to add each vlan interface to the bridge as in a basic definition requirement If the router is not involved with DHCP for the vlan subnets then there are some savings there because normally each vlan would also need an IP pool, DHCP server, DHCP server network and IP address....
by anav
Fri Jul 30, 2021 6:41 pm
Forum: General
Topic: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]
Replies: 10
Views: 295

Re: BUG or not BUG? /ip firewall nat add chain=[dstnat|srcnat]

Because they expect you to know better if you are using CLI ?? ;-PPP
They know I will need help (being a winbox user). :-)

Winbox user:
trainingwheels.jpg

CLI user:
by anav
Fri Jul 30, 2021 6:32 pm
Forum: General
Topic: Access to Miktorik's WAN
Replies: 3
Views: 146

Re: Access to Miktorik's WAN

Very confusing, a network diagram would help.

It seems like the remote sites are Servers and you are the vpn client??
by anav
Fri Jul 30, 2021 6:25 pm
Forum: RouterOS v7 BETA
Topic: WireGuard - 7.1beta6 - Can't get it to work - Howto setup?
Replies: 21
Views: 1857

Re: WireGuard - 7.1beta6 - Can't get it to work - Howto setup?

Hey ghost, a. draw a network diagram of what you intend. b. post your config /export hide-sensitive file=anynameyouwish c. post pics of wireguard settings on server router and on a client device (lets say iphone) (and just use fake numbers for the pics but in the right spots to give us an idea of wh...
by anav
Fri Jul 30, 2021 1:30 pm
Forum: General
Topic: DNS request coming from gateway IP
Replies: 8
Views: 249

Re: DNS request coming from gateway IP

If you only have one WAN connection add action=masquerade chain=src-nat in-interface=wanconnectionport DHCP server-network DNS setting for the user network should be the IP address of the pi-hole device. Ensure the user subnet has access to the pi-hole device in forward chain. Ensure the pi-hole...
by anav
Thu Jul 29, 2021 10:26 pm
Forum: General
Topic: Block Ping request
Replies: 31
Views: 15466

Re: Block Ping request

Edit, NM read the whole thread it ended up in the sewer LOL.

Okay, but I am a minimalist.
If my home network should have it then I will add it.
If its strictly hobby fun and not necessary then I dont want to add it.

I did once monkey with ICMP settings and jump rules and it was a disaster.
by anav
Thu Jul 29, 2021 9:27 pm
Forum: General
Topic: Block Ping request
Replies: 31
Views: 15466

Re: Block Ping request

Point taken rextended, but it could be a man wearing a dress.............

This however is clearly "over the top"
rextended.JPG
by anav
Thu Jul 29, 2021 8:41 pm
Forum: Beginner Basics
Topic: Block or Limit Torrents
Replies: 10
Views: 273

Re: Block or Limit Torrents

Simple, buy the disney channel for your kids and then they wont need to torrent the shows!
What is worth torrenting these days anyway??
by anav
Thu Jul 29, 2021 6:32 pm
Forum: General
Topic: Does quouting quotes of quotes in consecutive post make any sense?
Replies: 73
Views: 5940

Re: Does quouting quotes of quotes in consecutive post make any sense?

Nice, but wasted a good joke I had to edit my text (remove Five and put Four) because part of the quote disappeared, like an argentinian govt protestor dropped from a C130 over the Atlantic.
by anav
Thu Jul 29, 2021 6:29 pm
Forum: Useful user articles
Topic: Hairpin NAT - the easy way
Replies: 8
Views: 3828

Re: Hairpin NAT - the easy way

Ahh you twigged a memory, there was a way of directing requesting internally via DNS to the server and not using NAT. Sorry to be so foggy. So there is a fourth method so let's focus on reality situation 2. Public IP, private IP server using DNS method............ The only thing I could find on my se...
by anav
Thu Jul 29, 2021 6:18 pm
Forum: General
Topic: Block Ping request
Replies: 31
Views: 15466

Re: Block Ping request

meanwhile I accept ICMP which allows me to do the troubleshooting I need for such things as wireguard connections and to no detrimental impact on my router performance..........
by anav
Thu Jul 29, 2021 6:13 pm
Forum: General
Topic: Does quouting quotes of quotes in consecutive post make any sense?
Replies: 73
Views: 5940

Re: Does quouting quotes of quotes in consecutive post make any sense?

4
3
2
1
Is this a trick? Line 4 is actually the same length as line 1 right??
by anav
Thu Jul 29, 2021 6:12 pm
Forum: General
Topic: Does quouting quotes of quotes in consecutive post make any sense?
Replies: 73
Views: 5940

Re: Does quouting quotes of quotes in consecutive post make any sense?

My view on this matter is that I just don't know, I can't judge!
Yes, I concur with your analysis ! ;-PP
by anav
Thu Jul 29, 2021 5:39 pm
Forum: Beginner Basics
Topic: No incoming traffic (Game Ports)
Replies: 8
Views: 388

Re: No incoming traffic (Game Ports)

(1) WRONG: /ip address add address=192.168.0.1/24 comment=defconf interface=ether2 network=\ 192.168.0.0 should be /ip address add address=192.168.0.1/24 comment=defconf interface=bridge network=\ 192.168.0.0 (2) Where is dns-server=192.168.0.1 ?? ( /ip dhcp-server network add address=192.168.0.0/...
by anav
Thu Jul 29, 2021 5:38 pm
Forum: Beginner Basics
Topic: No incoming traffic (Game Ports)
Replies: 8
Views: 388

Re: No incoming traffic (Game Ports)

My first comment not based on the config but reading earlier posts. 1. Are you running a game server or are you just playing? Any modern game worth its salt for strictly playing does not require you to forward ports, you reach out to and connect to either a gaming portal site (steam) or a game site ...
by anav
Thu Jul 29, 2021 5:33 pm
Forum: Useful user articles
Topic: Hairpin NAT - the easy way
Replies: 8
Views: 3828

Re: Hairpin NAT - the easy way

Not so simple darknate. It's true that one needs to add a single sourcenat rule as your link describes at the top of the source nat chain, but not necessarily so for the associated DSTNAT rule. The dstnat rule depends upon if the ISP connection is a static WANIP or a dynamic WANIP. Quite correct i...
by anav
Thu Jul 29, 2021 5:27 pm
Forum: RouterOS v7 BETA
Topic: Bridge to Wireguard interface
Replies: 13
Views: 447

Re: Bridge to Wireguard interface

I have no idea what the OP is asking, and no I am not going to go to other websites to read....... So best a. provide a network diagram b. a clear set of requirements (what he/she wants users to be able to do) without discussing the config c. provide current effort /export hide-sensitive file=anynam...
by anav
Wed Jul 28, 2021 8:18 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp [SOLVED]
Replies: 11
Views: 406

Re: Hap ac2 can't use peer dns from isp [SOLVED]

VMTs for your patience. Many new users have that static setting left over........... what do you use besides winbox LOL, Yes allow remote requests........... okay good I have it on for a reason ;-) peer dns is dns service from ISP, so if that was enabled, then the router would have a source for dns ...
by anav
Wed Jul 28, 2021 7:37 pm
Forum: General
Topic: Auto Failover is not working Properly
Replies: 5
Views: 203

Re: Auto Failover is not working Properly

What part do you have to do manually it is not clear?? if my wan1 is not available the switch to wan2 happens automatically. My issue is that wan1 when it comes back online, if the gateway has changed would not pick up the new gateway and thus not adjust the routing and thus would stay on ISP2. With...
by anav
Wed Jul 28, 2021 6:39 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 313

Re: Is blocking websites by URL really impossible?

Yes, DPG would be more accurate Deep Pocket Gouging...............
PS. Mkx I havent finished with the dns questions... hint!
by anav
Wed Jul 28, 2021 6:35 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 313

Re: Is blocking websites by URL really impossible?

That would take too much work, cutting and pasting is easy for an old fart like me........... If you buy me the largest IPAD, I can do that but from my iphone12 mini, ......................... The fact is, I got tired of selling mumbo jumbo to my customers and not even sure if they worked and I coul...
by anav
Wed Jul 28, 2021 6:31 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 313

Re: Is blocking websites by URL really impossible?

Yes when I had Zyxel routers one could pay through the nose for multiple types of services to block traffic. Anti-malware protection with firewall, anti-virus, antispam, content filtering, IDP, next-generation application intelligence and SSL inspection 1- Anti-Virus Powered by Kaspersky SafeStream ...
by anav
Wed Jul 28, 2021 6:26 pm
Forum: General
Topic: Two providers. Unstable behavior. [SOLVED]
Replies: 9
Views: 278

Re: Two providers. Unstable behavior. [SOLVED]

1. need network diagram. 2. clearer set of requirements. what do you need users or groups of users to be able to do or not do............ What is the relationship between the ISP connections (assuming from diff providers) (failover, primary, secondary, equally used etc........) What is the relations...
by anav
Wed Jul 28, 2021 6:24 pm
Forum: General
Topic: Is blocking websites by URL really impossible?
Replies: 12
Views: 313

Re: Is blocking websites by URL really impossible?

Yes, need to pay $$$ for IDP and other services.........
Maybe ipv6 solve all issues ... like RoS7 LOL......... ??
by anav
Wed Jul 28, 2021 6:02 pm
Forum: General
Topic: NAT HAIRPIN
Replies: 8
Views: 269

Re: NAT HAIRPIN

hi rextended I hope using your Cray computer you hacked the password and have added in better security for the chap ;-)
by anav
Wed Jul 28, 2021 5:59 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp [SOLVED]
Replies: 11
Views: 406

Re: Hap ac2 can't use peer dns from isp [SOLVED]

So in summary. 1. The router will basically automatically provide DNS servers with DHCP leases unless, the admin puts in public DNS servers or something locally like raspberry pi also behind the router on the DHCP Server Network settings for DNS. 2. Setting Allow remote Servers is not any clearer ot...
by anav
Wed Jul 28, 2021 5:13 pm
Forum: Beginner Basics
Topic: No incoming traffic (Game Ports)
Replies: 8
Views: 388

Re: No incoming traffic (Game Ports)

Well it drives me bonkers when people post rules in that format butt ugly and useless, and the proof is JV-Belg you missed that he already has such a rule........ chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN [luck@MikroTik] > To the OP please plea...
by anav
Wed Jul 28, 2021 4:52 pm
Forum: Wireless Networking
Topic: How to make CAPs with 2 SSID in different IP domains
Replies: 5
Views: 1153

Re: How to make CAPs with 2 SSID in different IP domains

I would never use a capac as a router, nor do I use capsman and have replaced all but one capac in my house with EAP 245 and now one EAP 660.
Not going back to MT wifi until after RoS7 comes out and will then see what wifi 6 MT offers.
by anav
Wed Jul 28, 2021 4:40 pm
Forum: General
Topic: NAT HAIRPIN
Replies: 8
Views: 269

Re: NAT HAIRPIN

Since you refuse to post the config, others can help sufficiently. One comes looking for help not knowing what their problem is but arrogantly think they know what they should provide to help. Don't feel bad, seems to be a common problem. I also detest others that attempt to help without the complete...
by anav
Wed Jul 28, 2021 4:38 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp [SOLVED]
Replies: 11
Views: 406

Re: Hap ac2 can't use peer dns from isp [SOLVED]

Okay so that's a lot of info and not a clear flow chart picture in the mind. But you haven't delineated, WHAT ACTUALLY TELLS the router that we want to use the router for DNS ??? Please correct all my wrong headed thinking! 1. To bypass router DNS usage then put in public DNS servers under DHCP-SERVER...
by anav
Wed Jul 28, 2021 2:04 pm
Forum: General
Topic: NAT HAIRPIN
Replies: 8
Views: 269

Re: NAT HAIRPIN

post your config
/export hide-sensitive file=anynameyouwish
by anav
Wed Jul 28, 2021 2:03 pm
Forum: Beginner Basics
Topic: Dual wan
Replies: 10
Views: 369

Re: Dual wan

haplite is underpowered for vpn work and there is no way to recover packets when you change WANs if one goes down.
by anav
Wed Jul 28, 2021 1:57 pm
Forum: Beginner Basics
Topic: cAP ac setup issues
Replies: 5
Views: 319

Re: cAP ac setup issues

Nope,, On my capac, no firewall rules.
Just ensure its LANIP is on the management or home lan.

ether1 and wlans are on the bridge,
eth2 has its own address not associated with the bridge for emerg access
put in a route manually 0.0.0.0/0 gateway=management or homelan gateway
by anav
Wed Jul 28, 2021 4:04 am
Forum: Wireless Networking
Topic: Wifi net work for home with Iot (50 devices)
Replies: 43
Views: 1092

Re: Wifi net work for home with Iot (50 devices)

Keep the mikrotik for routing excellent device.
The audience mesh setup is apparently very good but ensure you get proof from users here, the rest of MT wifi I would not recommend at this time.
by anav
Wed Jul 28, 2021 4:02 am
Forum: General
Topic: Locked out due to vlan filtering
Replies: 6
Views: 331

Re: Locked out due to vlan filtering

This is also a good link........
https://www.youtube.com/watch?v=Rj9aPoyZOPo
by anav
Wed Jul 28, 2021 1:40 am
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1582

Re: VLANS & Management VLAN

Yes before my time or probably when I got my first hex and was trying to figure out if was a magic box that put an evil spell on me. I wasnt worrying about vlans and chips.........
by anav
Wed Jul 28, 2021 1:38 am
Forum: Beginner Basics
Topic: IPv6 for home
Replies: 12
Views: 520

Re: IPv6 for home

Thank god I don't need ipv6. Hopefully you guys will have it sorted out before I do LOL. Lots of turkey squabbling ;-P

Seriously what is planned in RoS 7?
by anav
Tue Jul 27, 2021 9:26 pm
Forum: General
Topic: Multi-ISP WAN Failover
Replies: 3
Views: 388

Re: Multi-ISP WAN Failover

How are the sites connected if you can connect them without internet (same building and by what medium, fiber, ethernet, telephone line)?
by anav
Tue Jul 27, 2021 9:21 pm
Forum: General
Topic: From Mikrotik to Ubiquiti UniFi and back to Mikrotik
Replies: 46
Views: 3975

Re: From Mikrotik to Ubiquiti UniFi and back to Mikrotik

Diagram observations. The RB4011 has no connection back to the same 24 port switch?? I would have expected eth2 from the RB4011 to go to one of the ports on the 24 port switch as a trunk port carrying the necessary vlans for untagged dumb devices and tagged smart devices like the TPLINK eap 245 an...
by anav
Tue Jul 27, 2021 6:37 pm
Forum: General
Topic: NAT Issue with src-nat <> srcnat? [SOLVED]
Replies: 18
Views: 548

Re: NAT Issue with src-nat <> srcnat? [SOLVED]

Hairpin NAT is for the unique case of servers and users and is only needed when one hosts a server on the same subnet as the users who want/need to access the server AND.....
the admin is forcing them to use public IP address to reach the server, vice the cleaner LANIP !!
by anav
Tue Jul 27, 2021 6:32 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 21
Views: 1259

Re: hAP ac3 - VLAN & inter-VLAN

No not at all. Are you located by the router (aka office) or are you by a switch ? What I would do is the following create vlan99 for management with you on it and nobody else. Ensure vlan99 has access to all other vlans. Put all smart devices on VLAN99 as their IP address for management purposes. D...
by anav
Tue Jul 27, 2021 4:20 pm
Forum: General
Topic: Local Server Can't be Accessed Because of Port
Replies: 3
Views: 210

Re: Local Server Can't be Accessed Because of Port

1. network diagram please labelled
2. /export hide-sensitive file=anynameyouwish
by anav
Tue Jul 27, 2021 4:18 pm
Forum: Beginner Basics
Topic: cAP ac setup issues
Replies: 5
Views: 319

Re: cAP ac setup issues

Well yes one should configure the capac via laptop first to set it up for the correct bridge and management setup and lanip address so that it is accessible via winbox on the network. I also like to setup lan2 as a separate LANIP address only so that I can access it separately via laptop in case m...
by anav
Tue Jul 27, 2021 4:15 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1582

Re: VLANS & Management VLAN

Hi Mkx, thanks for the clear but sickening example. I like things simple and finally felt comfortable with vlan filtering and you just broke an MTUNA certified rule, bridge ports are not vlans. now I know nothing is sacred and my belief system is utterly destroyed LOL. forgive me if I never read thi...
by anav
Tue Jul 27, 2021 4:10 pm
Forum: Beginner Basics
Topic: Blocked IP in firewall filter still shows in log and connections [SOLVED]
Replies: 13
Views: 425

Re: Blocked IP in firewall filter still shows in log and connections [SOLVED]

No worries rextended when you know too much you can trip over your own complicated piles of expertise, I know so little so sometimes the path, cluttered with so little, is clearer ;-)
by anav
Tue Jul 27, 2021 4:08 pm
Forum: Beginner Basics
Topic: Blocked IP in firewall filter still shows in log and connections [SOLVED]
Replies: 13
Views: 425

Re: Blocked IP in firewall filter still shows in log and connections [SOLVED]

Yes I do it all the time,
Heck I put IP CLOUD names in firewall lists too.

Take a look at the firewall address list when you do.
You will note that two rules appear, the one you made and then one the router resolved it to.
So yes it's kept up to date.
by anav
Tue Jul 27, 2021 4:06 pm
Forum: Beginner Basics
Topic: Hap ac2 can't use peer dns from isp [SOLVED]
Replies: 11
Views: 406

Re: Hap ac2 can't use peer dns from isp [SOLVED]

Try setting this to NONE, it has been known to cause issues in the past. /interface detect-internet set detect-interface-list=all Then check results! If no improvement then try below. We have these three rules....... /ip dhcp-server network add address=10.10.10.0/24 comment=defconf gateway=10.10.10....
by anav
Tue Jul 27, 2021 3:51 pm
Forum: Beginner Basics
Topic: Blocked IP in firewall filter still shows in log and connections [SOLVED]
Replies: 13
Views: 425

Re: Blocked IP in firewall filter still shows in log and connections [SOLVED]

Hi adrian, should be no need for your router to run a script, just get your users to get dyndns names..........
by anav
Tue Jul 27, 2021 3:50 pm
Forum: Beginner Basics
Topic: Blocked IP in firewall filter still shows in log and connections [SOLVED]
Replies: 13
Views: 425

Re: Blocked IP in firewall filter still shows in log and connections [SOLVED]

Hi rextended. Dst nat rules for port forwarding purposes take on 3 flavours but will ignore hairpin nat. For dynamic public IPs, add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=xxx protocol=yy to-addresses=ip of server to-ports=bb For static public IPs add action=dst-nat chain=dstnat ...
by anav
Tue Jul 27, 2021 3:42 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 21
Views: 1259

Re: hAP ac3 - VLAN & inter-VLAN

All cases will work. You will still need to setup the dhcp services for all the vlans. However you need to figure out management vlan. Where is the admin going to access the router for config. What is the purpose of 192.168.2.0? (if not on the bridge good to have a non-bridge emerg backup access to t...
by anav
Tue Jul 27, 2021 3:29 pm
Forum: Beginner Basics
Topic: Blocked IP in firewall filter still shows in log and connections [SOLVED]
Replies: 13
Views: 425

Re: Blocked IP in firewall filter still shows in log and connections [SOLVED]

Okay you have port forwarding setup to a server on your network behind your router. Therefore any public traffic arriving at the router on the port will get past the forward chain firewall rule. This has nothing to do with traffic to the router which is the input chain, so you need to remove that ...
by anav
Mon Jul 26, 2021 10:54 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1582

Re: VLANS & Management VLAN

Zach you are blowing my mind LOL.
Please write a user article explaining software vlans!!
by anav
Mon Jul 26, 2021 10:50 pm
Forum: Beginner Basics
Topic: cAP ac setup issues
Replies: 5
Views: 319

Re: cAP ac setup issues

Although the capac can act like a router its really best suited as an AP. If you wanted a combo unit you should have purchased a hapac2 for $69 or a hapac3 for $99 compared to the capac at $69. I too am not convinced that using other vendors POE on the capac will always work. I am using a TPLINKswit...
by anav
Mon Jul 26, 2021 10:33 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 21
Views: 1259

Re: hAP ac3 - VLAN & inter-VLAN

I would do something like bridge=dualhome add vlans with interface being dualhome each vlan gets 4 properties, address, pool, dhcp server, dhcp-server network where DNS address is pi-hole IP address** (except vlan222 which DNS= is either the IP address of the PI server or the external servers that p...
by anav
Mon Jul 26, 2021 9:48 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 21
Views: 1259

Re: hAP ac3 - VLAN & inter-VLAN

Hi Steve, No worries, some small victories would be nice! (1) So you basically get private IP from the ISPs router/modem combo. Assuming if any ports need forwarding you have access to the router side of the ISP device to forward them to 192.168.4.2 (2) Ether2 is dedicated to VLAN10 which is then di...
by anav
Mon Jul 26, 2021 8:10 pm
Forum: General
Topic: Dual wan with Load Balance| Fail over | Merge
Replies: 10
Views: 383

Re: Dual wan with Load Balance| Fail over | Merge

Okay so the part you didnt clearly communicate is that (besides the obvious a. yes you have two PPOE client connections to different ISPs b. as noted by rextended you cannot bond this together but all the bandwidth can be shared by your subnets behind the router. c. you have no firewall rules and sh...
by anav
Mon Jul 26, 2021 8:04 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 677

Re: Drop Invalid vs. Drop "all"

signature if stumped.......
by anav
Mon Jul 26, 2021 7:31 pm
Forum: Wireless Networking
Topic: CAPsMAN Help
Replies: 14
Views: 1124

Re: CAPsMAN Help

https://www.youtube.com/watch?v=taQ70m0DVYA

If its not covered here, then we need more videos!!!
by anav
Mon Jul 26, 2021 7:29 pm
Forum: Wireless Networking
Topic: Can't add the second ap to capsman
Replies: 8
Views: 446

Re: Can't add the second ap to capsman

If you suspect its a bug, no one will notice unless you send a supout report and email to MT....
https://wiki.mikrotik.com/wiki/Manual:S ... utput_File
by anav
Mon Jul 26, 2021 7:24 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 677

Re: Drop Invalid vs. Drop "all"

@rextended, Drop me an email if you get a chance and are inclined to do so.
by anav
Mon Jul 26, 2021 7:12 pm
Forum: General
Topic: Dual wan with Load Balance| Fail over | Merge
Replies: 10
Views: 383

Re: Dual wan with Load Balance| Fail over | Merge

Hi there, These are my observations/questions. 1. Okay standard two different WANs each uses a dynamic IP addresses assigned by PPPOE 2. No need for bridge for wan 3. No need for pool for pppoe, it should all be handled in PPPOE client settings interface (all that is basically required for client su...
by anav
Mon Jul 26, 2021 7:01 pm
Forum: General
Topic: NAT Issue with src-nat <> srcnat? [SOLVED]
Replies: 18
Views: 548

Re: NAT Issue with src-nat <> srcnat? [SOLVED]

Of course WHM NAT, if only that was in the title or first post. ;-)
Zing above my head. Curious though what scenario requires this amount of natting. Is this a WISP or something larger??
by anav
Mon Jul 26, 2021 6:29 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 677

Re: Drop Invalid vs. Drop "all"

Allrighty then we have a debate! Bring it ON. I learn when the masters bring their points forward!!
Okay so I dont have much of a life and this is my excitement of the day, I may learn something.
by anav
Mon Jul 26, 2021 6:24 pm
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 696

Re: Hex vs Hex S [SOLVED]

True or not, this does not mean that if you ever need help,
I would not try to give it to you ...
Oh he has problems (and so do I) that could benefit from a Holiday in Tuscany, but they may not be IT related .;-)
by anav
Mon Jul 26, 2021 6:21 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 677

Re: Drop Invalid vs. Drop "all"

Okay Can you provide services that are open on the ROUTER (not the LAN) ??? Other than VPN I cannot think of any I would open? I do have NTP server but points to internet time clock. I do have DNS services but points to internet DNS servers. What does invalid protect if the DROP all rule is in place...
by anav
Mon Jul 26, 2021 6:02 pm
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 696

Re: Hex vs Hex S [SOLVED]

Confirms what I have stated paternot. The hex is not 1gig capable otherwise the speeds showing should be around 940 Mbps. :-)))))
by anav
Mon Jul 26, 2021 5:57 pm
Forum: General
Topic: Dual wan with Load Balance| Fail over | Merge
Replies: 10
Views: 383

Re: Dual wan with Load Balance| Fail over | Merge

To be clear you have
Two Different ISPs, each provides you with a dhcp pppoe client login?

Please post your config
/export hide-sensitive file=anynameyouwish
(and also if any information you dont want divulged is still showing please xxxxx it out).
by anav
Mon Jul 26, 2021 5:49 pm
Forum: General
Topic: NAT Issue with src-nat <> srcnat? [SOLVED]
Replies: 18
Views: 548

Re: NAT Issue with src-nat <> srcnat? [SOLVED]

Without seeing the full config hard to say. Also what do you mean by strict ordering. In general all rules are matched in the order they are put on the router and thus order is important. If you mean RP filter, it should be set to loose. Why such a complicated sourcenat rule. Typically one doesnt nee...
by anav
Mon Jul 26, 2021 5:47 pm
Forum: Beginner Basics
Topic: ProtonVPN w/ MacOS Setup on Hex S
Replies: 2
Views: 187

Re: ProtonVPN w/ MacOS Setup on Hex S

This is an automated reply from Google. It has come to our attention that you are using apple products. Please cease and desist otherwise the Google police will visit your home. Google will buy your ISP and then only support Google products including Google modem , Google Router, Google AP, Google t...
by anav
Mon Jul 26, 2021 5:37 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 677

Re: Drop Invalid vs. Drop "all"

Rextended that was a very confusing and thus not useful post. I couldnt really understand the points being made to learn what I need to know which is a tad frustrating because you are trying patiently to educate us non-TCP /IT literate folks and really do appreciate the effort. Suggesting that you w...
by anav
Mon Jul 26, 2021 5:29 pm
Forum: Beginner Basics
Topic: Looking up cloud.mikrotik.com every second
Replies: 23
Views: 8302

Re: Looking up cloud.mikrotik.com every second

On winbox,
Select on the lefthand Main menu - INTERFACES.

On the Interface Menu, ensure the first tab is selected called. INTERFACE.
Below this find the Row that has the plus symbol "+"
To the right of this you will find a box labelled 'Detect Internet'
Click on that!!
by anav
Mon Jul 26, 2021 5:18 pm
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 696

Re: Hex vs Hex S [SOLVED]

Confirmed, any speed test through Italy really slows down my connection!! ;-PP

PS. with 120-200Mbps hex S is a great purchase!!
by anav
Mon Jul 26, 2021 4:55 pm
Forum: Beginner Basics
Topic: simple client setup
Replies: 15
Views: 742

Re: simple client setup

It goes with the name, Pollo, run away when the paella pan gets hot. ;-)

I would like to see a labelled network diagram with sufficient detail to explain the scenario.
Perhaps there is something we are missing because we cannot 'see' it.
by anav
Mon Jul 26, 2021 4:37 pm
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 696

Re: Hex vs Hex S [SOLVED]

Dual WAN and, 1+gig network, etc....... RB4011 much better suited. If the network is less than <1 gig, Hex S should be fine, however if future growth to 1 gig or beyond, the RB4011 is a better long term investment. Not that I dont like the hex, I have two, but relegated to switches with need for mor...
by anav
Mon Jul 26, 2021 2:10 pm
Forum: Beginner Basics
Topic: Drop Invalid vs. Drop "all"
Replies: 16
Views: 677

Re: Drop Invalid vs. Drop "all"

Good question and well explained by mkx! I would add that I keep it in both chains because I dont want invalid packets being compared to any other firewall rules along the line, just want them out of the system at the earliest opportunity. Also probably because I dont know much about packets and net...
by anav
Mon Jul 26, 2021 2:04 pm
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 696

Re: Hex vs Hex S [SOLVED]

1Gig or up RB4011 (up to 4gig) Below 1 gig hex S. Hapac2 and hapac3 are both also capable of handling up to 1.5 gig but dont have SFP ports). The Hex series in practice is more like in the 750-850 range and thus not suitable for a 1gig fiber connection. The RB4011 would be a far better option in thi...
by anav
Sun Jul 25, 2021 11:43 pm
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 959

Re: Input firewall filter prioritization [SOLVED]

I will try and find another resource for you that is not google.
https://www.bing.com/videos/search?q=sn ... &FORM=VIRE
by anav
Sun Jul 25, 2021 9:30 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 21
Views: 1259

Re: hAP ac3 - VLAN & inter-VLAN

Please send the full config please,
/export hide-sensitive file=anynameyouwish
by anav
Sun Jul 25, 2021 8:04 pm
Forum: General
Topic: Internet connection Keep getting down
Replies: 1
Views: 176

Re: Internet connection Keep getting down

1. Draw a labelled network diagram
2. Post your config
/export hide-sensitive file=anynameyouwish

Tell us more detail on the WAN connections you have.......
by anav
Sun Jul 25, 2021 7:53 pm
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 959

Re: Input firewall filter prioritization [SOLVED]

Can I ask you where you live? The Southeast US, but I've only seen these firewalls a couple times. I know Walmarts block L2TP/IPSec and they mess with TLS certificates leading to HSTS errors. However, a port 443 WG VPN works just fine, so it's this one place that blocks almost everything. Cablenut,...
by anav
Sun Jul 25, 2021 7:47 pm
Forum: Beginner Basics
Topic: layer 7 port forwarding
Replies: 17
Views: 602

Re: layer 7 port forwarding

Cablenut you have the worst ISP in history or you are working from the prison library. ;-)
@andriys, you have to understand as in extreme sports, Cablenut is an extreme MT configurator due to necessity!!
If he says it works its because it works! (I think he rewrote the book on port knocking LOL).
by anav
Sun Jul 25, 2021 7:41 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 21
Views: 1259

Re: hAP ac3 - VLAN & inter-VLAN

(1) A detailed network diagram will help. What vlans are going out what ports, not important to us which house simply the vlans and what each network device that is a connecting one is. a. smart switch capable of reading vlans b. smart AP capable of reading vlans c. dumb devices (unmanaged switches,...
by anav
Sun Jul 25, 2021 3:29 pm
Forum: General
Topic: Input firewall filter prioritization [SOLVED]
Replies: 29
Views: 959

Re: Input firewall filter prioritization [SOLVED]

what are you writing? [...] I try to explain better: is for the "troll part", I want to notice to you I already have write possibly helping solution, not one "troll post". also @msatter say "It is really strange and your ISP is keeping an eye on that port because of DDos at...
by anav
Sat Jul 24, 2021 10:22 pm
Forum: Useful user articles
Topic: How to: Edge router and BNG optimization for ISPs
Replies: 10
Views: 1653

Re: How to: Edge router and BNG optimization for ISPs

I love how the article labels the RoS version 6 kernel as ANCIENT :-))
by anav
Sat Jul 24, 2021 10:19 pm
Forum: Beginner Basics
Topic: Allow WAN IP to LAN Client within LAN
Replies: 8
Views: 337

Re: Allow WAN IP to LAN Client within LAN

Like I said, I dont understand the need for proxies............. or more fundamentally the requirements that you have for your users or devices.
For example why cannot they go out from their PC directly to the internet??
by anav
Sat Jul 24, 2021 10:15 pm
Forum: Beginner Basics
Topic: Which FW rule permits 'services'
Replies: 9
Views: 455

Re: Which FW rule permits 'services'

A rule without context is not much help. Questions - "Which FW rule permits 'services'" and "Could someone explain to me where is the corresponding INPUT rule for the 'services' to be accepted by the firewall?" Answer - "/ip firewall filter add action=drop chain=input comme...
by anav
Sat Jul 24, 2021 10:01 pm
Forum: Beginner Basics
Topic: Allow WAN IP to LAN Client within LAN
Replies: 8
Views: 337

Re: Allow WAN IP to LAN Client within LAN

I would love to help but have no idea what a proxy is, what it looks like, its purpose, how it attaches to a router or switch or a pc etc..........
by anav
Sat Jul 24, 2021 5:57 pm
Forum: General
Topic: Master's thesis problem?
Replies: 4
Views: 354

Re: Master's thesis problem?

Concur, you probably want to hit IDP and other security technologies or how Barricuda systems prevent spam email.................
by anav
Sat Jul 24, 2021 5:55 pm
Forum: General
Topic: Hosting a Server on Dynamic home IP
Replies: 2
Views: 231

Re: Hosting a Server on Dynamic home IP

Hi there,
I also use the IP CLOUD its very useful in this regard.
Since it is a long ass winded name to remember and not nice to give others I also use a free dyndns provider that links to my IP Cloud name.
That way others using whatever server have a friendly url to remember or type in.
by anav
Sat Jul 24, 2021 5:52 pm
Forum: General
Topic: iPhone not resolving static dns entries [SOLVED]
Replies: 10
Views: 705

Re: iPhone not resolving static dns entries [SOLVED]

I just love a good mystery!
by anav
Sat Jul 24, 2021 5:49 pm
Forum: Beginner Basics
Topic: Port Forwarding from VPN to Client on Ethernet [SOLVED]
Replies: 4
Views: 330

Re: Port Forwarding from VPN to Client on Ethernet [SOLVED]

Hi Thomas. So you have an MT device acting as a router and behind that router you have client PC. Somewhere else on the internet you have an openvpn server which is where attached to what?? Why would you port forward to a client PC is the question seemingly being posed. One port forwards to a server...
by anav
Sat Jul 24, 2021 5:46 pm
Forum: Beginner Basics
Topic: Which FW rule permits 'services'
Replies: 9
Views: 455

Re: Which FW rule permits 'services'

/ip firewall filter add action=drop chain=input comment="Input drop all not coming from LAN" in-interface-list=!LAN A rule without context is not much help. For the OP this is the rule that would have been matched. It basically states drop any traffic that is NOT coming from the LAN. In ef...
by anav
Sat Jul 24, 2021 5:37 pm
Forum: Beginner Basics
Topic: firewall rules questions
Replies: 1
Views: 213

Re: firewall rules questions

Hi Gary, The default rules are simplified to ensure a new user can just login in and start working right away. If you want to start configuring the router and the firewall rules, then the link is not bad but needs a bit of work. In general the default rules allow all traffic to pass except stuff it ...
by anav
Sat Jul 24, 2021 5:10 pm
Forum: Beginner Basics
Topic: Which FW rule permits 'services'
Replies: 9
Views: 455

Re: Which FW rule permits 'services'

in Winbox, you have IP SERVICES. Here you can turn ON or OFF services the router provides and some additional settings. However you still have to use the input chain to allow LAN users access to those services. Under firewall rules you can find Service Ports which you can disable or enable and assig...
by anav
Sat Jul 24, 2021 5:05 pm
Forum: Beginner Basics
Topic: Which FW rule permits 'services'
Replies: 9
Views: 455

Re: Which FW rule permits 'services'

Hi eryx. Input chain is for traffic TO/FRO the router. This includes all services the router can perform DNS, NTP, etc. Winbox is a router service but does not need to be stated specifically in the input chain rule. Most put something that allows the admin full access to the router on the input chai...
by anav
Fri Jul 23, 2021 10:00 pm
Forum: Beginner Basics
Topic: Accessing router in different ethernet port
Replies: 10
Views: 425

Re: Accessing router in different ethernet port

Hi there thanks for being patient! No you dont have to change any rules I would just disable that particular subnet from the list. I will take a look at the config. (1) I dont know why you have these rules as my arp knowledge and uses is next to nil........ so they clearly serve a purpose but beyond...
by anav
Fri Jul 23, 2021 9:58 pm
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 13
Views: 752

Re: Mikrotik - Early Access beta hardware?

No worries, I was half jesting as its not really a serious topic. You are right he was talking about beta hardware and rextended I think was noting that all hardware can use beta firmware, apples and oranges as you pointed!
by anav
Fri Jul 23, 2021 8:27 pm
Forum: Wireless Networking
Topic: Mikrotik - Early Access beta hardware?
Replies: 13
Views: 752

Re: Mikrotik - Early Access beta hardware?

I dont think rawextended was making any comments about MT hardware (other than wifi) in the same way you guys were. In the sense that the latest MT wifi products are ONLY useable with beta firmware at the moment and/or mt home wifi products are behind any competitors models in wifi5 and do not have ...
by anav
Fri Jul 23, 2021 8:22 pm
Forum: General
Topic: CRS 2XX Management VLAN Question
Replies: 8
Views: 414

Re: CRS 2XX Management VLAN Question

If this is a switch unit the best starting guide for vlans is here........
https://www.youtube.com/watch?v=Rj9aPoyZOPo
by anav
Fri Jul 23, 2021 8:17 pm
Forum: Beginner Basics
Topic: Accessing router in different ethernet port
Replies: 10
Views: 425

Re: Accessing router in different ethernet port

Found something LOL. the dangers of adding extra rules bloatware in firewall rules. check this out. ip address add address=192.168.88.1/24 interface=2local network=192.168.88.0 add address=192.168.8.1/24 interface=3wired network=192.168.8.0 add address=192.168.0.1/24 interface=4wireless network=19...
by anav
Fri Jul 23, 2021 8:14 pm
Forum: Beginner Basics
Topic: Accessing router in different ethernet port
Replies: 10
Views: 425

Re: Accessing router in different ethernet port

Thanks for posting the config. (1) Input chain: Only one line to change! /ip firewall filter add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related add action=drop chain=input comment="\"Drop invalid\"" ...
by anav
Fri Jul 23, 2021 8:02 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1582

Re: VLANS & Management VLAN

Stop making excuses, you simply needed to state that you had missed what the OP wrote period.
Instead of making a million excuses that dont fly.
You invented shit that doesnt exist, so I am simply informing you to stop making problems that are not there.
by anav
Fri Jul 23, 2021 5:53 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1582

Re: VLANS & Management VLAN

Thanks charming mud guy! As for the drive by poster this is not a fear problem its a literacy problem on your part.............. Why you read my post without the OPs post is mind boggling. Switch and Router models ? Also many information around in the Mikrotik wiki... Router - CCR1009-7G-1C-PC Switc...
by anav
Fri Jul 23, 2021 5:48 pm
Forum: Beginner Basics
Topic: Accessing router in different ethernet port
Replies: 10
Views: 425

Re: Accessing router in different ethernet port

In general this should be very easy to do. I would create a firewall address list for the three Access Points. Then I would have a firewall rule allowing your PC (source address) in the forward chain be allowed to reach destination address list ( the list of the 3 access points. That is the general ...
by anav
Fri Jul 23, 2021 3:22 am
Forum: General
Topic: VPN for Mikrotik for game Mobile legend
Replies: 9
Views: 1297

Re: VPN for Mikrotik for game Mobile legend

i already use AWS CHR EC2 but mobile legend is still lagging, does anyone know how to fix this?
Move to another location in your country with high speed wired internet.
by anav
Fri Jul 23, 2021 3:19 am
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1582

Re: VLANS & Management VLAN

Why do you waste our time with that post,
a. the 8G must be an old model as its not on the website
b. if you read the posts and specifically post #4 clearly states a 7G model.
by anav
Thu Jul 22, 2021 10:48 pm
Forum: General
Topic: RouterOS Rule tester?
Replies: 18
Views: 828

Re: RouterOS Rule tester?

have had rp filter set to loose since day one,
but ip spoof, do you mean lan to wan traffic with dst address of private IPs?
by anav
Thu Jul 22, 2021 10:29 pm
Forum: General
Topic: RouterOS Rule tester?
Replies: 18
Views: 828

Re: RouterOS Rule tester?

Well I use bridges and vlans and keep firewall rules to the firewall settings. More specifically, each vlan has its own subnet. Understood, I am just not comfortable enough with my knowledge of raw and connection tracking to know when or not to use RAW. For my basic home setup of two wans, about 15 ...
by anav
Thu Jul 22, 2021 10:22 pm
Forum: General
Topic: RouterOS Rule tester?
Replies: 18
Views: 828

Re: RouterOS Rule tester?

One example over all for raw: all incoming IPs presents on blacklist or from DDoS attack. Why bother with those? In case of attack it also consumes less CPU ... No argument, identify in input chain, block in raw makes sense to me....... Just not convinced a. a homeowner is going to get singled out ...
by anav
Thu Jul 22, 2021 10:15 pm
Forum: General
Topic: One wan for Internet and another for vpn [SOLVED]
Replies: 11
Views: 3627

Re: One wan for Internet and another for vpn [SOLVED]

I was hoping to avoid mangling by using Route Rules instead. However this seems to be one case where mangling is required. The Op wants to use WAN1 for all users internet access, those behind the router AND all clients coming in on WAN2 via VPN. Therefore if one uses route rules to direct vpn client ...
by anav
Thu Jul 22, 2021 10:02 pm
Forum: General
Topic: RouterOS Rule tester?
Replies: 18
Views: 828

Re: RouterOS Rule tester?

Rextended (or should I say rawtended) is this you?? https://www.youtube.com/watch?v=snqs566G_Zg Concur with pe1chl, raw is not to be trifled with...... mind you I dont yet see the need to use jump either on my small config. (would jump chain be a good candidate for knock rules on the input chain?) A...
by anav
Thu Jul 22, 2021 9:54 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1582

Re: VLANS & Management VLAN

For the switch this is a decent guide......
https://www.youtube.com/watch?v=Rj9aPoyZOPo
by anav
Thu Jul 22, 2021 7:50 pm
Forum: General
Topic: help.mikrotik.com's advanced firewall
Replies: 3
Views: 675

Re: help.mikrotik.com's advanced firewall

Some thoughts from left field, (not much experience but read a lot) I would go back to the standard default firewall rules as baseline and change a few minor things, basically an accept all and reject what I think is bad, to a concept of block all and allow only the things I need approach. Then add ...
by anav
Thu Jul 22, 2021 7:38 pm
Forum: Beginner Basics
Topic: Routing different networks unstable
Replies: 4
Views: 414

Re: Routing different networks unstable

Hi there, Your setup is very confusing. Which port on the mikrotik is assigned to the WAN connection to your ISP router. In other words you state your ISP router gives you a private IP of 192.168.2.x as a private WANIP and not a public IP. Hence your ISP probably has a modem/router combo putting you...
by anav
Thu Jul 22, 2021 5:35 pm
Forum: General
Topic: Need to hire consultant, online/remote, to create a configuration asap.
Replies: 7
Views: 427

Re: Need to hire consultant, online/remote, to create a configuration asap.

You could try this guy
Perfect, Daryll has experience with routing inter-VLAN for 1000+ users behind 100 PPPoE servers on 100 VLANs so one small group of public IPs should be easy peasy!
by anav
Thu Jul 22, 2021 4:58 pm
Forum: General
Topic: Need to hire consultant, online/remote, to create a configuration asap.
Replies: 7
Views: 427

Re: Need to hire consultant, online/remote, to create a configuration asap.

No worries, but most people (providing advice) dont come here to look for business, tis more of an educational, point you in the right direction approach to help those learn the ROS and how to configure it vice make a polished finished product for payment. If its time sensitive suggest the list, if ...
by anav
Thu Jul 22, 2021 4:54 pm
Forum: General
Topic: CAP AC Reset - How to?
Replies: 22
Views: 1528

Re: CAP AC Reset - How to?

Case in point to add another excellent video in your capsman series to include Bridge/vlans/firewall rules with multiple WLANS ( home, guest, media, iot etc....)
viewtopic.php?f=7&t=176989

Dont make this stuff up it just falls in our laps as a common issue!!!
by anav
Thu Jul 22, 2021 4:48 pm
Forum: Wireless Networking
Topic: WiFi apple problems
Replies: 2
Views: 351

Re: WiFi apple problems

The world refuses to conform to Apple standards LOL........ ( we are owned by Apple or Google LOL, well until amazon decides to take over the internet) Try setting your 5GHz provisioning to the following BAND: 5GHz-n/AC Channel Width: 20/40MHz Ce The other thing to consider would be the dhcp leases ...
by anav
Thu Jul 22, 2021 4:44 pm
Forum: Wireless Networking
Topic: The best simple way for multiSSID (guest) in Capsman
Replies: 3
Views: 336

Re: The best simple way for multiSSID (guest) in Capsman

MKX is bang on (as usual). I use capacs without capsman as setting up bridge/vlans and multiple WLANS, (home, guest, media, iot) was challenging enough. Each wlan has its own SSID, security profile, and vlan (except for home WLAN because its the same vlan for home wired etc.) This is a video on how t...
by anav
Thu Jul 22, 2021 4:39 pm
Forum: Wireless Networking
Topic: wireless redirection
Replies: 4
Views: 377

Re: wireless redirection

Strange question but okay. If I am in a store and on my iphone want to join a network I go to settings and join. The only time I can be forced anywhere is when I open the browser. So just choosing the wifi network doesnt guarantee anything will be viewed. If you mean when someone opens the browser c...
by anav
Thu Jul 22, 2021 4:28 pm
Forum: Wireless Networking
Topic: CAP AC, HAP AC2, CAPSMAN and channels
Replies: 14
Views: 850

Re: CAP AC, HAP AC2, CAPSMAN and channels

Nice, but I cannot help notice that to achieve success one has to spend time on individual caps. So it would appear that using capsman is less of an efficiency tool than meets the eye. Caveat, I have been too shy/lazy/intimidated to try capsman (and soon no need as replacing capacs with other vendor...
by anav
Thu Jul 22, 2021 3:46 pm
Forum: General
Topic: Can't reach Winbox if Dual WAN in failover mode
Replies: 26
Views: 901

Re: Can't reach Winbox if Dual WAN in failover mode

Hi Dark Nate, The good thing, is I really dont care about your personal opinions or feelings, the goal here is to help the OP. After reading and talking to some folks it seems that IP filter setting on the mT routers is really not a feature/function designed for the home or soho setting. From what I...
by anav
Thu Jul 22, 2021 3:38 am
Forum: General
Topic: Can't reach Winbox if Dual WAN in failover mode
Replies: 26
Views: 901

Re: Can't reach Winbox if Dual WAN in failover mode

Jajajaja

There is a sweet spot and then there is being around too long which may indicate a higher propensity for having Alzheimer's. ;-P
by anav
Thu Jul 22, 2021 12:32 am
Forum: General
Topic: Feature Request: Add Port Knocking on MikroTik App and WinBox
Replies: 5
Views: 387

Re: Feature Request: Add Port Knocking on MikroTik App and WinBox

Correct in that regard, much rather use an MT app for port knock then some 3rd party stuff.
However, as for the analogy I offer water because the person is an alcoholic. ;-)
by anav
Thu Jul 22, 2021 12:24 am
Forum: General
Topic: Can't reach Winbox if Dual WAN in failover mode
Replies: 26
Views: 901

Re: Can't reach Winbox if Dual WAN in failover mode

My point is I do not condone connecting to winbox from the outside unless its via VPN or decent quality port knocking setup. Anything else is a. stupid, and b. a security risk and c. will not help someone do it. I open up Winbox to WAN with filter rules accepting only specific src address list, wor...
by anav
Wed Jul 21, 2021 10:08 pm
Forum: General
Topic: Can't reach Winbox if Dual WAN in failover mode
Replies: 26
Views: 901

Re: Can't reach Winbox if Dual WAN in failover mode

Hi himanshu, using winbox works very well using VPN. For example I have used IKEv2 VPN from my IPhone to establish a secure tunnel to the Router. I then used my MT app on the phone to configure the router which is akin to using winbox, same type of settings etc........ Works well. For example using ...
by anav
Wed Jul 21, 2021 9:00 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 1079

Re: Cannot access router over trunk+switch

Just checked my swos switch and all modes are RTSP (first line checked for RSTP and second line mode) From ROUTER (so main trunk port) RSTP: CHECKED Mode: RTSP Role: Designated Root path cost: Type: edge State: forwarding Rest are a mix of point to point and one edge for Type and forwarding or disca...
by anav
Wed Jul 21, 2021 8:34 pm
Forum: General
Topic: Can't reach Winbox if Dual WAN in failover mode
Replies: 26
Views: 901

Re: Can't reach Winbox if Dual WAN in failover mode

My point is I do not condone connecting to winbox from the outside unless its via VPN or decent quality port knocking setup. Anything else is a. stupid, and b. a security risk and c. will not help someone do it. I open up Winbox to WAN with filter rules accepting only specific src address list, wor...
by anav
Wed Jul 21, 2021 5:29 pm
Forum: General
Topic: Can't reach Winbox if Dual WAN in failover mode
Replies: 26
Views: 901

Re: Can't reach Winbox if Dual WAN in failover mode

My point is I do not condone connecting to winbox from the outside unless its via VPN or decent quality port knocking setup.
Anything else is a. stupid, and b. a security risk and c. will not help someone do it.
by anav
Wed Jul 21, 2021 2:12 pm
Forum: General
Topic: Port Forwarding done right?
Replies: 20
Views: 11757

Re: Port Forwarding done right?

The confusion is attempting to use forward chain rules for NAT details. All that is required in the forward chain is a single rule that says, I will allow port forwarding packets through the firewall. The work is done in the NAT rules where one delineates the port details, protocol, any translation a...
by anav
Wed Jul 21, 2021 2:09 pm
Forum: General
Topic: Can't reach Winbox if Dual WAN in failover mode
Replies: 26
Views: 901

Re: Can't reach Winbox if Dual WAN in failover mode

I am confused are you trying to use winbox from within the LAN or externally via the WAN?
by anav
Wed Jul 21, 2021 2:28 am
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 1079

Re: Cannot access router over trunk+switch

Not sure what else can be done...... i dont use preferred source on my route setting but that shouldnt matter.
It should just work!!
by anav
Wed Jul 21, 2021 12:03 am
Forum: General
Topic: CAP AC Reset - How to?
Replies: 22
Views: 1528

Re: CAP AC Reset - How to?

Who is that good looking guy anyway, bears a striking resemblance to a younger looking avatar I see often (needs updating LOL). Should have named it capswoman, lets face it who controls..................... Very nice, I can see this helping many folks starting out!! Save to favourites..... I still w...
by anav
Tue Jul 20, 2021 11:51 pm
Forum: General
Topic: CAP AC Reset - How to?
Replies: 22
Views: 1528

Re: CAP AC Reset - How to?

I will take a look Normis but the evidence on the forums states otherwise...................
by anav
Tue Jul 20, 2021 11:50 pm
Forum: General
Topic: different gateways for voip and http/other
Replies: 1
Views: 260

Re: different gateways for voip and http/other

Yeah that would appear to be a nightmare. Truth be told I would handle this manually. Each desk has a 5 port managed switch and have people change their ethernet cable based on usage. Video switch to ether 5, Non-video ETHER2 (assuming ether1 is used to main router and carries all the vlans). Thus h...
by anav
Tue Jul 20, 2021 11:06 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 1079

Re: Cannot access router over trunk+switch

Okay so If I get this straight, ether1 from the first router is a TRUNK port carrying 10,20.30 and 99 to the first switch. Just for giggles to mirror my Swos settings change SWITCH ONE to the following. VLAN for trunk port (from router and to Swos2) VLAN MODE - ENABLED VLAN RCVE - ANY DEFAULT VLANID...
by anav
Tue Jul 20, 2021 10:33 pm
Forum: General
Topic: Different gateway for two PPPoE server instance
Replies: 12
Views: 761

Re: Different gateway for two PPPoE server instance

/export hide-sensitive file=anynameyouwish
by anav
Tue Jul 20, 2021 10:28 pm
Forum: Beginner Basics
Topic: stopping login attempt to user admin [SOLVED]
Replies: 30
Views: 1225

Re: stopping login attempt to user admin [SOLVED]

OP, i dont know if you are actually a thinking being or just copying down stuff and hoping for the best, Its time you start understanding the config not just copy & paste incorrectly LOL Here is your input chain .................what is wrong?? /ip firewall filter add action=accept chain=input c...
by anav
Tue Jul 20, 2021 10:18 pm
Forum: Beginner Basics
Topic: stopping login attempt to user admin [SOLVED]
Replies: 30
Views: 1225

Re: stopping login attempt to user admin [SOLVED]

rextended, the OP uses the MT App sometimes to access the router and thus detect internet is useful I believe......... (they are linked somehow).
by anav
Tue Jul 20, 2021 10:16 pm
Forum: RouterOS v7 BETA
Topic: Wireguard on wAP AC
Replies: 6
Views: 593

Re: Wireguard on wAP AC

Can you confirm what you are actually trying to do?
Draw a network diagram to illustrate.
by anav
Tue Jul 20, 2021 6:40 pm
Forum: General
Topic: Looking for Tunnel Suggestions
Replies: 2
Views: 288

Re: Looking for Tunnel Suggestions

600Mbps encrypted is really good from my 'homeowners' perspective running a wireguard between two 1 Gig connections 15km apart on the same network getting around 300Mbps up and 300Mbps down and you're getting double that. Assuming you use internet from ISP1 at the main office and connect to all sites ...
by anav
Tue Jul 20, 2021 6:31 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 1079

Re: Cannot access router over trunk+switch

Okay I will look at this sometime today but your network diagram is basically useless as it doesnt indicate the vlans running through the ports........ I gather that each connecting port between devices is a trunk port carrying a number of vlans?? No indication of access ports anywhere but I see pvi...
by anav
Tue Jul 20, 2021 6:26 pm
Forum: Beginner Basics
Topic: stopping login attempt to user admin [SOLVED]
Replies: 30
Views: 1225

Re: stopping login attempt to user admin [SOLVED]

not going to comment until you fix the order of rules.
you have added more lines that are not correct or at least Ive never seen, such as forward chain dst nat rule which I dont understand..........
by anav
Tue Jul 20, 2021 2:18 am
Forum: Wireless Networking
Topic: Netmetal maximum throughput?
Replies: 7
Views: 568

Re: Netmetal maximum throughput?

Im not speculating on physical limitations.
Unless someone has used the netmetal themselves and can provide antenna used and ranges then you can continue to be in the dark.
Gluck!
by anav
Tue Jul 20, 2021 2:11 am
Forum: General
Topic: WireGuard server behind NAT (MikroTik router)
Replies: 2
Views: 365

Re: WireGuard server behind NAT (MikroTik router)

I have always RP-loose not strict but not sure if that makes a difference here. My Wireguard MT Router behind my Main MT Router is similar to your scenario I guess. The other end is an ISP modem router combo in front of an RB4011 acting as a router and the wireguard client part of the connection ( f...
by anav
Tue Jul 20, 2021 1:43 am
Forum: Beginner Basics
Topic: Remote Access via Winbox
Replies: 9
Views: 607

Re: Remote Access via Winbox

I would not consider SSH to be on the same level as VPN, so I would port knock and then SSH in from there as per the fourth link provided. Not sure if this is accurate enough regarding SSH. but 2. Because SSH operates on an application level, only traffic from your applications gets encrypted. This ...
by anav
Mon Jul 19, 2021 9:52 pm
Forum: General
Topic: How to route game to lte
Replies: 5
Views: 345

Re: How to route game to lte

Is there a question? Dont see the route rule either?
by anav
Mon Jul 19, 2021 9:49 pm
Forum: General
Topic: RouterOS Rule tester?
Replies: 18
Views: 828

Re: RouterOS Rule tester?

There are enough tools already to do this work, least of which is putting logging rules before rules to see what packets are hitting the rule in question. As for security holes, plug them for the most part by putting a drop all rule at the end of the forward chain and input chain and thus traffic ge...
by anav
Mon Jul 19, 2021 9:46 pm
Forum: General
Topic: How to connect 2 networks
Replies: 7
Views: 436

Re: How to connect 2 networks

Thanks anav, I need them to communicate two way, so basically all I need to do is add this FW rule? add action=accept chain=forward in-interface=network1 src-address=IPofPC1 out-interface=network2 dst-address=IPofPC2 add action=accept chain=forward in-inteface=network2 src-address=IPofPC2 out-intef...
by anav
Mon Jul 19, 2021 8:46 pm
Forum: Beginner Basics
Topic: stopping login attempt to user admin [SOLVED]
Replies: 30
Views: 1225

Re: stopping login attempt to user admin [SOLVED]

Okay I missed this before....... add action=dst-nat chain=dstnat comment="to see cctv from wireless network" \ dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=\ 192.168.10.254 to-ports=8000 If you want the wifi network to be able to access the CCTV that is a forward firewall...
by anav
Mon Jul 19, 2021 8:35 pm
Forum: Beginner Basics
Topic: stopping login attempt to user admin [SOLVED]
Replies: 30
Views: 1225

Re: stopping login attempt to user admin [SOLVED]

If the youtube rules work for you by all means, I am surprised they do LOL. The problem regarding admin access is that you will need to change the Tools mac winmac server entry for allowed interface from ServicePortOnly to ALL. I recommend you reserve access from ServicePortOnly though.................
by anav
Mon Jul 19, 2021 7:36 pm
Forum: Beginner Basics
Topic: [v6.48 on hap ac^2] Understanding routing-mark
Replies: 5
Views: 559

Re: [v6.48 on hap ac^2] Understanding routing-mark

You added something extra in route rule (get rid of destination bit)
Also get rid of D1 just the source address.
by anav
Mon Jul 19, 2021 7:30 pm
Forum: General
Topic: How to route game to lte
Replies: 5
Views: 345

Re: How to route game to lte

Okay, Lets say your LTE Route currently in place is either created by default or by you and is called LTE Route List ISP1 - PPPOE ISP2 - LTE Then add a third route which copies the existing route and adds a routing mark like below. LTE routing-mark=gameserver Then go to routing rules and add one. De...
by anav
Mon Jul 19, 2021 7:22 pm
Forum: General
Topic: PowerboxPro VLAN switching
Replies: 4
Views: 500

Re: PowerboxPro VLAN switching

Just for my curiosity did you use this kind of setup...............
https://www.youtube.com/watch?v=Rj9aPoyZOPo
by anav
Mon Jul 19, 2021 7:20 pm
Forum: General
Topic: CAP AC Reset - How to?
Replies: 22
Views: 1528

Re: CAP AC Reset - How to?

What I learned about the TP LINK EAP245 makes me hesitating, as they seem to require a cloud or app-based setup or it requires a central control instance. One of the reasons why I after some test setups also refrained from going with Ubiquiti Unifi, who are known for their good APs in the SOHO and ...
by anav
Mon Jul 19, 2021 7:13 pm
Forum: General
Topic: Many dhcp via one port on
Replies: 4
Views: 445

Re: Many dhcp via one port on

Just follow the link provided above it will get you 98% of the way. Once you are done configuring and something isnt working or want to get it checked just post the config /export hide-sensitive file=anynameyouwish PS. Sweet router, if you have an extra one you dont know what to do with send it my w...
by anav
Mon Jul 19, 2021 7:08 pm
Forum: General
Topic: Abuse and Malicious IP List ?
Replies: 1
Views: 287

Re: Abuse and Malicious IP List ?

You can find one here...............
https://itexpertoncall.com/promotional/moab.html#prime
by anav
Mon Jul 19, 2021 7:06 pm
Forum: Beginner Basics
Topic: Dual WAN Failover Script Ping Command [SOLVED]
Replies: 22
Views: 1096

Re: Dual WAN Failover Script Ping Command [SOLVED]

Okay I will bite, perhaps there is a better way to do what I wish. Here is my dhcp script......... :if ($bound=1) do={ :local iface $interface :local gw [ /ip dhcp-client get [ find interface=$"iface" ] gateway ] /ip route set [ find comment="PrimaryRecursive" gateway!=$gw ] gate...
by anav
Mon Jul 19, 2021 6:57 pm
Forum: General
Topic: How to route game to lte
Replies: 5
Views: 345

Re: How to route game to lte

Do you mean you host a server on that port and wish to have all incoming traffic end up on your game server through the LTE connection. What is the speed of that LTE connection ?? How do you propose stopping getting your game server flooded with bots? Or Do you mean that you want all traffic from a ...
by anav
Mon Jul 19, 2021 6:53 pm
Forum: General
Topic: How to connect 2 networks
Replies: 7
Views: 436

Re: How to connect 2 networks

This is easy peasy via firewall rules. Typically we have a last rule in our firewall forward chain that is a block all else rule. Just before this rule we would make one that basically states. Allow PC1 on network 1 to access PC2 on network 2. What isnt clear to me though is if you want it as a one ...
by anav
Mon Jul 19, 2021 6:45 pm
Forum: Beginner Basics
Topic: stopping login attempt to user admin [SOLVED]
Replies: 30
Views: 1225

Re: stopping login attempt to user admin [SOLVED]

Yes, that is the correct link, but I have to go wash my hands now, as I am an IPHONE user LOL. The bridge removal is fine. When to use bridge, but dont use vlans - when two or more ports are using the same DHCP settings then using the bridge is effective in grouping ports for L2 separation from port...
by anav
Mon Jul 19, 2021 6:41 pm
Forum: Beginner Basics
Topic: Dual WAN Failover Script Ping Command [SOLVED]
Replies: 22
Views: 1096

Re: Dual WAN Failover Script Ping Command [SOLVED]

No worries, the OP is happy with your solution, albeit the wrong choice, just kidding.
by anav
Mon Jul 19, 2021 6:01 pm
Forum: Beginner Basics
Topic: stopping login attempt to user admin [SOLVED]
Replies: 30
Views: 1225

Re: stopping login attempt to user admin [SOLVED]

Unless you intend on using the MT app with your router, then this setting can be set to NONE. /interface detect-internet set detect-interface-list=all The one thing I would do is remove the bridge as it really serves no purpose here. You have four independent subnets each assigned to a port and thus...
by anav
Mon Jul 19, 2021 5:22 pm
Forum: Beginner Basics
Topic: Dual WAN Failover Script Ping Command [SOLVED]
Replies: 22
Views: 1096

Re: Dual WAN Failover Script Ping Command [SOLVED]

duplicate post
by anav
Mon Jul 19, 2021 5:21 pm
Forum: Beginner Basics
Topic: Dual WAN Failover Script Ping Command [SOLVED]
Replies: 22
Views: 1096

Re: Dual WAN Failover Script Ping Command [SOLVED]

Did I miss something? Yes... you run beta 7, the script and route are for 6.46+ version, on beta7 the routing is totally different.... You wrote in beginner basics section ,the question for 7 beta must be go on adequate section... Hi rextended, my ccr1009 is on version 6 LOL. The RB450Gx4 behind my...
by anav
Mon Jul 19, 2021 5:18 pm
Forum: Beginner Basics
Topic: Dual WAN Failover Script Ping Command [SOLVED]
Replies: 22
Views: 1096

Re: Dual WAN Failover Script Ping Command [SOLVED]

I thought it was self-explanatory LOL. The point was read the link and then be relieved that the example provided is so simple in comparison to the Russian complex methods LOL. Note1: Checkgateway ping has the effect of telling the router to keep checking the connection every 10 seconds or so. If th...
by anav
Mon Jul 19, 2021 5:03 pm
Forum: Beginner Basics
Topic: Dual WAN Failover Script Ping Command [SOLVED]
Replies: 22
Views: 1096

Re: Dual WAN Failover Script Ping Command [SOLVED]

Sorry the other fella will have to help you there, I only use scripts in DHCP client when necessary. Which is mainly to fetch a new gateway IP to stick in routes rules, when my ISP changes my IP address and or power outage or reboot etc................. Its much easier for me to do routing in the ro...
by anav
Mon Jul 19, 2021 4:50 pm
Forum: Beginner Basics
Topic: Dual WAN Failover Script Ping Command [SOLVED]
Replies: 22
Views: 1096

Re: Dual WAN Failover Script Ping Command [SOLVED]

As rextended stated, look up recursive routing in search!! https://forum.mikrotik.com/viewtopic.php?f=23&t=157048 is a long winded thread on the topic. Basically one wants to use existing DNS servers to verify not only if the connection to the ISP server is good but that the connection from the ...
by anav
Mon Jul 19, 2021 4:44 pm
Forum: Beginner Basics
Topic: Remote Access via Winbox
Replies: 9
Views: 607

Re: Remote Access via Winbox

Yes, I have done it a. with IKEV2 VPN b. wireguard vpn The only other way one would want to do it, not as secure as proper VPN, is port knocking. https://mum.mikrotik.com/presentations/US10/discher.pdf https://mum.mikrotik.com/presentations/ ... tknock.pdf https://systemzone.net/securing-mikroti ......
by anav
Mon Jul 19, 2021 2:27 am
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1582

Re: VLANS & Management VLAN

But the CCR1009 does so you should use the link provided for that device.
by anav
Mon Jul 19, 2021 2:26 am
Forum: Beginner Basics
Topic: Dual WAN Failover Script Ping Command [SOLVED]
Replies: 22
Views: 1096

Re: Dual WAN Failover Script Ping Command [SOLVED]

Your problem is you have no clue of the requirement and are stuck in another router's method.

Define in terms of functionality without discussing config.
It simply sounds like you want the router to check if the WANS are up or not for example.
by anav
Mon Jul 19, 2021 2:21 am
Forum: Beginner Basics
Topic: stopping login attempt to user admin [SOLVED]
Replies: 30
Views: 1225

Re: stopping login attempt to user admin [SOLVED]

You have no firewall rules so if there isnt any other device inbetween this hex should not be connected to the internet. Also not sure why you have a bridge as its only used for one etherport?? What is the purpose of your bridge?? Interface list is made from the winbox interface List settings, You h...
by anav
Sun Jul 18, 2021 3:53 pm
Forum: General
Topic: Cannot access router over trunk+switch
Replies: 35
Views: 1079

Re: Cannot access router over trunk+switch

Clear Network diagram might help and no clue why you have two routers and where is the internet. Also get rid of capsman until you have a working config. Also read this article.... https://forum.mikrotik.com/viewtopic.php?f=23&t=143620 Note, you should realize what the settings that you are usin...
by anav
Sun Jul 18, 2021 3:51 pm
Forum: Useful user articles
Topic: Using RouterOS to VLAN your network
Replies: 184
Views: 136511

Re: Using RouterOS to VLAN your network

Interface VLAN simply replaces Interface LAN, he could have kept it at LAN which is usually used to describe all subnets behind the router. I have used VLAN and LAN separately to separate subnets out on a config, similarly I have used VLANW1 and VLANW0 to distinguish subnets with internet access and...
by anav
Sun Jul 18, 2021 3:39 pm
Forum: General
Topic: Port trunking problems [SOLVED]
Replies: 3
Views: 404

Re: Port trunking problems [SOLVED]

The moment you said openwrt, I realized you were not talking about MT switch to MT AP but MT switch to 3rdparty Equipment. It sounds like you have correctly passed both vlans 100 and 300 to the openwrt device as trunk port and the problem is your AP is a. not able to deal with it OR b. expects a hyb...
by anav
Sun Jul 18, 2021 3:36 pm
Forum: Beginner Basics
Topic: RouterOS do not drop unknown vlans?
Replies: 5
Views: 553

Re: RouterOS do not drop unknown vlans?

Setting ingress filtering on individual bridge ports basically is = to stating if the vlan is not defined on this port then discard it from this port
Setting ingress filtering on the bridge itself = to stating if the vlan is not defined anywhere on the bridge then discard it from any port
by anav
Sat Jul 17, 2021 10:03 pm
Forum: Beginner Basics
Topic: stopping login attempt to user admin [SOLVED]
Replies: 30
Views: 1225

Re: stopping login attempt to user admin [SOLVED]

Post your config
/export hide-sensitive file=anynameyouwish if you want the config reviewed for security practices................
by anav
Sat Jul 17, 2021 5:59 pm
Forum: Beginner Basics
Topic: How to make Port knocking working on vpn/pptp connection ?
Replies: 21
Views: 2712

Re: How to make Port knocking working on vpn/pptp connection ?

Add a hex to your network as a second router but only to use with Beta firmware and wireguard.
Done, in two shakes of a lamb's tail, secure method to access the HEX and the main router via your smartphone MT app.
by anav
Sat Jul 17, 2021 3:29 am
Forum: Beginner Basics
Topic: manage config with subversion
Replies: 8
Views: 531

Re: manage config with subversion

Yeah, thats Beginner Basics for sure! ;-PP
by anav
Fri Jul 16, 2021 7:07 pm
Forum: RouterOS v7 BETA
Topic: New User Manager in RouterOS v7
Replies: 85
Views: 65836

Re: New User Manager in RouterOS v7

Luv it!
by anav
Fri Jul 16, 2021 5:54 pm
Forum: Wireless Networking
Topic: Purpose of using Bridge for CAP
Replies: 3
Views: 425

Re: Purpose of using Bridge for CAP

I use capac without capsman, far easier to configure and works well. I use ether1 as the incoming trunk port for my vlans ( guest wifi, home wifi, iot, wifi and media wifi). Works great (note the capac gets an IP address on the home/trusted LAN since I dont use a management vlan) I also setup eth2 a...
by anav
Fri Jul 16, 2021 5:51 pm
Forum: Wireless Networking
Topic: Netmetal maximum throughput?
Replies: 7
Views: 568

Re: Netmetal maximum throughput?

There is one netmetal the triple model (5HSP) which should yield in the 430-450 range and extra would be bonus. However that unit does not appear to have antennas and one would have to add them?? So the answer may be dependent upon the antennas purchased?? Not having any experience with these units ...
by anav
Fri Jul 16, 2021 5:36 pm
Forum: General
Topic: CAPS Man & different WIFI channel config
Replies: 22
Views: 1104

Re: CAPS Man & different WIFI channel config

With my 5Ghz capacs, I use the following settings. 5GHz-N/AC 20/40MHz Ce Explanation of Channels in 5Ghz. The full 5 GHz range spans frequencies from 5.15 GHz to 5.85 GHz. 5GHz wireless communication takes place over a large spectrum with a number of non-overlapping channels of sizable bandwidth. Th...
by anav
Fri Jul 16, 2021 5:29 pm
Forum: Beginner Basics
Topic: multipe network
Replies: 1
Views: 368

Re: multipe network

Network diagram would help as the description you gave doesn't state what kind of WAN, how many wans, type or make of router etc..............
by anav
Fri Jul 16, 2021 5:24 pm
Forum: Beginner Basics
Topic: manage config with subversion
Replies: 8
Views: 531

Re: manage config with subversion

It is not clear what your problem is??
by anav
Fri Jul 16, 2021 5:23 pm
Forum: RouterOS v7 BETA
Topic: New User Manager in RouterOS v7
Replies: 85
Views: 65836

Re: New User Manager in RouterOS v7

Wow hard to believe BPWL that MT is too cheap to send you samples of new MT equipment to test for WIFI. You are truly an outstanding contributor to these forums!
by anav
Fri Jul 16, 2021 5:17 pm
Forum: Beginner Basics
Topic: Remote Access via Winbox
Replies: 9
Views: 607

Re: Remote Access via Winbox

Not a safe or advised practice. It would be like giving all your bank information to hackers and letting them play with password crackers to eventually get into your system. The way to access your router remotely via winbox is to a. preferably use IPSEC VPN or IKEv2 VPN b. from a PC or your smart ph...
by anav
Fri Jul 16, 2021 5:03 pm
Forum: General
Topic: Many dhcp via one port on
Replies: 4
Views: 445

Re: Many dhcp via one port on

Just to be clear the switch will be responsible for all DHCP or a router............
If you get a switch to do routing functions then only a few switches are capable of doing both.
by anav
Thu Jul 15, 2021 11:11 pm
Forum: Beginner Basics
Topic: Help checking Firewall
Replies: 5
Views: 718

Re: Help checking Firewall

I am a minimalist. I consider most of what you have bloated crap and not necessary except for rare cases. KISS principle This is all you need. from your list with some modifications. /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" c...
by anav
Thu Jul 15, 2021 8:34 pm
Forum: Beginner Basics
Topic: RB1100AH - Blocked ports [SOLVED]
Replies: 5
Views: 641

Re: RB1100AH - Blocked ports [SOLVED]

Better security can be afforded by a better understanding. (1) Therefore, via winbox, go to IP Menu Item and select IP SERVICES. Here you can disable all the services the router provides users or access to the router for api, api-ssl, ftp, ssh, telnet, www, www-ssl. THE ONLY ONE YOU SHOULD KEEP ACTIVE ...
by anav
Wed Jul 14, 2021 9:57 pm
Forum: Announcements
Topic: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!
Replies: 58
Views: 95152

Re: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!

I guess Latvian women are state of art hardware running complex code and Latvian men like to deal with them ;-) They have women in Latvia?, I thought they did it all through test tubes............................... ( brings up a curious question of how many women actually work in MT, is it a pater...
by anav
Wed Jul 14, 2021 6:53 pm
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 833

Re: Firewall drop all !LAN is not the same as drop all WAN

Pelchi I see your point but once you understand how FW rules work, the interface list usage is quite versatile and I encourage its use not discourage it.
by anav
Wed Jul 14, 2021 6:51 pm
Forum: Beginner Basics
Topic: Problem to see source address - port forward
Replies: 3
Views: 326

Re: Problem to see source address - port forward

Sourcenat is a funny being. The typical source nat rule is add action=masquerade chain=srcnat comment="SCR_NAT FOR LAN USERS" \ ipsec-policy=out,none out-interface-list=WAN Which basically applies WANIP to all outgoing traffic from the LAN I have two WAN interfaces and chose to handle each...
by anav
Wed Jul 14, 2021 6:38 pm
Forum: Announcements
Topic: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!
Replies: 58
Views: 95152

Re: MUM EUROPE AND OTHER UPCOMING EVENTS - POSTPONED!

Latvians prefer only dealing with code and hardware, they are not social animals..........
I am still wondering how they procreate virtually.........
by anav
Wed Jul 14, 2021 2:38 pm
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 833

Re: Firewall drop all !LAN is not the same as drop all WAN

The key is to go from an allow all concept for both chains (and thus have to know what to block and thus do it with weird commands) to a concept of block all and thus ensure you allow needed traffic. Much clearer and simpler.
by anav
Wed Jul 14, 2021 2:36 pm
Forum: Beginner Basics
Topic: VLANS & Management VLAN
Replies: 27
Views: 1582

Re: VLANS & Management VLAN

Suggest you read through this link and revise your setup. Not much is done correctly

viewtopic.php?f=23&t=143620
by anav
Tue Jul 13, 2021 6:00 pm
Forum: General
Topic: Firewall drop all !LAN is not the same as drop all WAN
Replies: 15
Views: 833

Re: Firewall drop all !LAN is not the same as drop all WAN

The default setup is ONLY for the basic home user that doesnt yet have a clue about MT configs. Its set up that the basic user simply needs to plug ether1 into the ISP modem and connect on ether2 for example. The firewall rules are setup such that only lan users can access the router for security re...
by anav
Tue Jul 13, 2021 5:52 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 1030

Re: Block internet from all but one user

Configuring firewall rules without seeing the complete config is a waste of my time........later.
by anav
Mon Jul 12, 2021 11:44 pm
Forum: Beginner Basics
Topic: IP cam reverse NAT
Replies: 8
Views: 422

Re: IP cam reverse NAT

Yes draw a diagram I got lost after the second sentence.
by anav
Mon Jul 12, 2021 11:41 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 1030

Re: Block internet from all but one user

Before you monkey with (leopard with) just fw rules, it's best to see the entire config as many items have relationships.
/export hide-sensitive file=anynameyouwish.
by anav
Mon Jul 12, 2021 4:46 pm
Forum: General
Topic: Find hostname between vlan
Replies: 12
Views: 738

Re: Find hostname between vlan

<------ what he said, more succinctly than I did :-)
by anav
Mon Jul 12, 2021 4:42 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 1030

Re: Block internet from all but one user

Opinions are free and the OP can discard or utilize whatever information/advice is provided. I respect your willingness to go to the ends of the earth regarding technical advice and to remain neutral and avoid the non-technical - ( aka you have better self-control than myself :-) )
by anav
Mon Jul 12, 2021 4:38 pm
Forum: General
Topic: PCQ on VLANS
Replies: 2
Views: 339

Re: PCQ on VLANS

by anav
Mon Jul 12, 2021 2:32 pm
Forum: Beginner Basics
Topic: Block internet from all but one user
Replies: 22
Views: 1030

Re: Block internet from all but one user

rextended is right in that MT is not a parent and should not be a substitute for parenting. Kid control =lazy parenting. The op for a self-admitted adult addiction needs counselling and the kids need discipline. :-) As noted, these are personal items brought up by the OP and the responses are out of...
by anav
Sun Jul 11, 2021 4:05 pm
Forum: General
Topic: ASK[CAPsMAN]
Replies: 13
Views: 779

Re: ASK[CAPsMAN]

You mean how you can automate the creation of the interface names? Exactly, I wouldnt bother assisting such an obtuse fellow probably doing something illegal because he refuses to provide the clear requirements (use cases what users should or should not be able to do and without any mention of conf...
by anav
Sun Jul 11, 2021 3:59 pm
Forum: Beginner Basics
Topic: [v6.48 on hap ac^2] Understanding routing-mark
Replies: 5
Views: 559

Re: [v6.48 on hap ac^2] Understanding routing-mark

Not sure if it will work in your case but in general sometimes routing can be done without mangling!! a. create all required routes on the main table. standard route for internet route for tv1 route for tv2 route for tv3 Now if you need special control of which subnets use the routes (and quite fran...
by anav
Sun Jul 11, 2021 3:51 pm
Forum: Beginner Basics
Topic: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN
Replies: 11
Views: 651

Re: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN

Not many SOHO routers can be configured the way you are describing ... MT is a rare exception because even entry-level routers run full-featured ROS (which means that it comes with associated configuration complexity which puzzles most newbies). Which means that most probably D-link doesn't allow t...
by anav
Sat Jul 10, 2021 11:33 pm
Forum: General
Topic: Ask help for iOS app "Mikrotik" about *import devices*
Replies: 6
Views: 447

Re: Ask help for iOS app "Mikrotik" about *import devices*

That is the correct path, MT has to enable efficient management of multiple devices on the APP.
by anav
Sat Jul 10, 2021 7:43 pm
Forum: Beginner Basics
Topic: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN
Replies: 11
Views: 651

Re: Route lan and wlan traffic on Router/Modem to Routerboard and back to WAN

Yes, sure, dont have a clue about the USB question. As to the reply, let me quote you "I was wondering if I could create static routes for all the ethernet and wlan traffic on the DSL-2888 " Cannot help you there as I stated this is not a D-link forum, in terms of the MT device you can app...
by anav
Sat Jul 10, 2021 7:37 pm
Forum: General
Topic: Help MT constantly sending request to Google
Replies: 22
Views: 890

Re: Help MT constantly sending request to Google

In terms of the firewall the changes to the default recommended, after you have it working of course. Is to change both input and forward chains from allow all and magically know which things one should block, TO allow nothing except what the admin specifically allows. Better security approach. With...
by anav
Sat Jul 10, 2021 7:21 pm
Forum: General
Topic: Help MT constantly sending request to Google
Replies: 22
Views: 890

Re: Help MT constantly sending request to Google

(1) So all the ethernet ports on the router go to PCs? (2) why is your IP pool so small?? (3) ether1 doesn't show on your /interface ethernet list?? (4) Assuming you have two wan connections? on etherports 12 & 13? (5) You are missing two important items. a. /interface list b. /interface list memb...
by anav
Sat Jul 10, 2021 5:50 pm
Forum: General
Topic: Find hostname between vlan
Replies: 12
Views: 738

Re: Find hostname between vlan

Concur but I like to see the whole config as it shows where the OPs lack of knowledge is located and any obvious errors etc. Also drop the idea of using capsman as that is an added layer of complexity for an advanced user and not just doing your first major config. Once you have mastered the basic c...
by anav
Sat Jul 10, 2021 5:47 pm
Forum: General
Topic: Help MT constantly sending request to Google
Replies: 22
Views: 890

Re: Help MT constantly sending request to Google

/export hide-sensitive file=anynameyouwish

plus provide a network diagram.