Search found 8872 matches

by anav
Tue Oct 26, 2021 5:50 pm
Forum: General
Topic: Double-check my first hEX PoE configuration
Replies: 9
Views: 474

Re: Double-check my first hEX PoE configuration

I would probably set it up like ether1 WAN1 ether2 WAN2 Bridge no dhcp vlan11 vlan61 vlan64 vlan69 (the number of Subnets you want to have on your network dictates the number of vlans). IP pool for each vlan IP address for each vlan DHCP network for each vlan DHCP network server for each vlan Brid...
by anav
Tue Oct 26, 2021 5:38 pm
Forum: General
Topic: I need help converting pot forward to floating WAN [SOLVED]
Replies: 10
Views: 305

Re: I need help converting pot forward to floating WAN [SOLVED]

One has a dynamic IP which more often than naught these days rarely changes and there are static WANIPs. Neither has been discussed as floating........................ I think you are smoking too much of something and spend time in the clouds floating. Important thing is your network is up and runni...
by anav
Tue Oct 26, 2021 5:06 pm
Forum: RouterOS v7 BETA
Topic: v7.1rc5 [development] is released!
Replies: 33
Views: 2543

Re: v7.1rc5 [development] is released!

Wow, some nice features, bridge - added HW offload support for vlan-filtering on MT7621 switch chip (hEX, hEX S, RBM33G, RBM11G, LtAP); When will I get that for my CCR1009 (just kidding). dns - fixed memory leak caused by large DNS replies; I wonder how this bug showed up, random stuff that no one c...
by anav
Tue Oct 26, 2021 4:27 pm
Forum: Beginner Basics
Topic: Vlan Configuration - Knots in head
Replies: 20
Views: 830

Re: Vlan Configuration - Knots in head

(1) Add this..... /interface list member add comment=defconf interface=ether1_WAN list=WAN add interface=PPPoE_Out list=WAN add interface=vlan100_intern list=LAN add interface=vlan200_guests list=LAN add interface=bridge list=LAN (2) Change this from add action=accept chain=input comment="allow...
by anav
Tue Oct 26, 2021 4:24 pm
Forum: Beginner Basics
Topic: Recording changes to the config to a log
Replies: 4
Views: 158

Re: Recording changes to the config to a log

If it's a mess make a backup file and export the config. Then reset to defaults and slowly put the required settings back in minus any extra not essential. The exported config can be printed or up on a second monitor for reference purposes, but suggesting don't copy and paste, understand the purpose o...
by anav
Tue Oct 26, 2021 4:52 am
Forum: General
Topic: reset configuration doesnt deploy fw rules
Replies: 6
Views: 237

Re: reset configuration doesnt deploy fw rules

hey mks dont take it personally, I am actually quite impressed by a script solution, I would have only passed on the firewall rules myself so call me a bad name!! I get your point though that the OP should be able to make up the config from scratch if a business IT type. I have done it enough times ...
by anav
Tue Oct 26, 2021 4:46 am
Forum: General
Topic: I need help converting pot forward to floating WAN [SOLVED]
Replies: 10
Views: 305

Re: I need help converting pot forward to floating WAN [SOLVED]

There is no such thing as a floating wan ip address. There is no such thing as a floating port. Either users come in on wan1 or wan2. It is no accident as you the OP provides the wanip to users, there is no floating, its cut and dried. Ports dont have requirements people do, ports are part of a conf...
by anav
Tue Oct 26, 2021 4:27 am
Forum: General
Topic: Will NATted wireguard work?
Replies: 20
Views: 1157

Re: Will NATted wireguard work?

@anav Wireguard is quite fun to use. I tested it behind two nats (double natted) and I had a thing i did not understand. I opened ports on both main routers that directed to the main wireguard peer behind the network. Whatever peer that initiated the connection would use a random port (I am guessin...
by anav
Tue Oct 26, 2021 2:36 am
Forum: Wireless Networking
Topic: RB4011 Wirelesss
Replies: 1
Views: 114

Re: RB4011 Wirelesss

Advice freely given, get RB4011 wired only or the newer RB5009. Plan wifi separately, if you were looking for an alternative that works out of the box and handles vlans, TPLINK EAP245. Do some research on the Mikrotik Audience access point, it may be of interest. I also have the TPLINK 660HD and it ...
by anav
Tue Oct 26, 2021 2:33 am
Forum: Forwarding Protocols
Topic: Hairpin NAT behavior
Replies: 3
Views: 231

Re: Hairpin NAT behavior

Looking at your Config may prove useful to ensure optimized.
/export hide-sensitive file=anynameyouwish

Also read through:
viewtopic.php?t=179343
by anav
Tue Oct 26, 2021 2:26 am
Forum: General
Topic: How do I combine the speed of 4 ADSL lines into one?
Replies: 13
Views: 436

Re: How do I combine the speed of 4 ADSL lines into one?

Interesting solution bpwl, however I take issue with your last statement, bonding or any other method provide ZERO redundancy/failover if all the connections are from the same provider. Here is a google search and interesting they only guarantee 85% of combined speeds... https://www.skywaywest.com/b...
by anav
Tue Oct 26, 2021 2:24 am
Forum: General
Topic: I need help converting pot forward to floating WAN [SOLVED]
Replies: 10
Views: 305

Re: I need help converting pot forward to floating WAN [SOLVED]

Thank you for the in depth reply. Would it be possible for you to answer the question I asked, which was how to alter my cheat sheet?
No, absolutely not.
Make your requirement clear, and I will render assistance.
Other are more than happy to guess at what you mean, I dont play that game.
by anav
Mon Oct 25, 2021 11:52 pm
Forum: General
Topic: SSTP-client uses unsafe ciphers
Replies: 4
Views: 164

Re: SSTP-client uses unsafe ciphers

If you don't use certificates anyone can perform a man-in-the-middle attack. MSCHAPv2 is OK in a validated TLS tunnel - the tunneled traffic is not accessible to others to snoop on the handshake which is required to recover the NTLM hash. With SSTP the session keys generated during MSCHAPv2, or var...
by anav
Mon Oct 25, 2021 11:44 pm
Forum: Beginner Basics
Topic: bridges and VLANs - why?
Replies: 18
Views: 799

Re: bridges and VLANs - why?

As per the links if you need a management vlan use something like vlan99. Use all other vlans for data EXCEPT vlan1 which is the default vlan for the bridge which should be left as the default. At least at our level of MT knowledge. For example I would get rid of the base network and call it a vlan....
by anav
Mon Oct 25, 2021 9:48 pm
Forum: Beginner Basics
Topic: Vlan Configuration - Knots in head
Replies: 20
Views: 830

Re: Vlan Configuration - Knots in head

Also suggest that you adjust setup so. I cannot remember the reason offhand though, sigh getting old. /interface list member add comment=defconf interface=bridge list=LAN (optional in this case - only necessary when bridge is also handling dhcp etc......I think?) add interface=vlan100_intern list=LA...
by anav
Mon Oct 25, 2021 9:42 pm
Forum: Announcements
Topic: v6.49 [stable] is released!
Replies: 148
Views: 27520

Re: v6.49 [stable] is released!

I gather they were on UPSs that eventually stopped as well. One can get UPS warnings from MT router setups but haven't done that yet. It may help in the future to gracefully shut down boards in the future...............
by anav
Mon Oct 25, 2021 7:05 pm
Forum: General
Topic: Double-check my first hEX PoE configuration
Replies: 9
Views: 474

Re: Double-check my first hEX PoE configuration

Wow so the ISP router provides you two private WANIPs one DSL sourced and one LTE sourced but from the same gateway IP? So no public IPs involved here right? So for example your saying the following the DSL account WANIP is 192.168.50.25 and the gateway is 192.168.4.1 the LTE account WANIP is 192.16...
by anav
Mon Oct 25, 2021 6:56 pm
Forum: General
Topic: How do I combine the speed of 4 ADSL lines into one?
Replies: 13
Views: 436

Re: How do I combine the speed of 4 ADSL lines into one?

You cannot! Your ISP can do it depending upon the kind of business class services they provide and it will be very expensive. (note will also take some configuration changes on the router) You can combine 4 lines on Mikrotik routers but this is for a. the purpose of redundancy, but this is ONLY vali...
by anav
Mon Oct 25, 2021 6:50 pm
Forum: General
Topic: I need help converting pot forward to floating WAN [SOLVED]
Replies: 10
Views: 305

Re: I need help converting pot forward to floating WAN [SOLVED]

As noted, Port forwarding for dynamic IPs is in the format. add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp \ dst-port=12345 to-addresses=IPofServer to-ports=54321 (to ports only required for port translation). Port forwarding for Static WANIPs is in the format add chain=dstnat a...
by anav
Mon Oct 25, 2021 6:41 pm
Forum: General
Topic: SSTP-client uses unsafe ciphers
Replies: 4
Views: 164

Re: SSTP-client uses unsafe ciphers

Hmm I am using SSTP with winbox remote and select MSCHAP2, TLS only 1.2. No certificates though. Would be happier if there are better options than MSCHAP2 or TLS1.2 I am all for it. What buts me is that they (winbox remote) dont have PFS as an option I can use, even though its available on the MT SS...
by anav
Mon Oct 25, 2021 6:34 pm
Forum: Beginner Basics
Topic: when port is close in dst nat
Replies: 3
Views: 168

Re: when port is close in dst nat

Cannot comment accurately until one sees the config as a whole as parts are interrelated.

/export hide-sensitive file=anynameyouwish
by anav
Mon Oct 25, 2021 1:12 am
Forum: General
Topic: Block p2p from IP cameras - RB4011iGS+RM
Replies: 16
Views: 872

Re: Block p2p from IP cameras - RB4011iGS+RM

Are the switches smart switches? Can read vlan tags etc...
Are the access points smart access points?
by anav
Mon Oct 25, 2021 1:10 am
Forum: Beginner Basics
Topic: is my NAT config is ok?
Replies: 24
Views: 1830

Re: is my NAT config is ok?

Sorry I dont understand perhaps someone else does.
Good luck.
by anav
Sun Oct 24, 2021 4:48 am
Forum: General
Topic: Double-check my first hEX PoE configuration
Replies: 9
Views: 474

Re: Double-check my first hEX PoE configuration

interesting, why not simply connect the LTE device directly to the pfsense router??
by anav
Sun Oct 24, 2021 4:45 am
Forum: General
Topic: Route WAN network to VLAN
Replies: 3
Views: 192

Re: Route WAN network to VLAN

The ISP is giving you multiple WANIPs?? Oh I get it, the fritz box only has so many ports and thus the physical limitation. It really doesnt matter how many DHCP addresses it gives out probably 2-256 available etc.......... In that case disagree with MKX. Yes VLAN100 should be untagged on ether1 for...
by anav
Sat Oct 23, 2021 8:42 pm
Forum: Wireless Networking
Topic: Slave SSID/VLAN not working with CAPsMAN and local forwarding
Replies: 6
Views: 342

Re: Slave SSID/VLAN not working with CAPsMAN and local forwarding

Is your main router mikrotik if so, better to move capsman to that..........
by anav
Sat Oct 23, 2021 8:39 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 62
Views: 2709

Re: VPN to connect home network to cottage

In the meantime, try downloading winbox remote for your main router and also for the cottage router. You will need to use two different email addresses as you only get one free tunnel per location. The free version costs nothing............ You can have a tunnel up and running in 5- 10 minutes. Just...
by anav
Sat Oct 23, 2021 8:35 pm
Forum: Beginner Basics
Topic: Best way to connect Windows 10 OS computers to a Filesystem server
Replies: 3
Views: 316

Re: Best way to connect Windows 10 OS computers to a Filesystem server

If it was me and assuming that I controlled the location of the main server. a. ensure the internet connection at the main server location was robust 1 gig fibre b. ensure the router at the main server was robust RB5009 or better c. at each site location dependent upon internet connection 500gig or ...
by anav
Sat Oct 23, 2021 6:38 pm
Forum: Wireless Networking
Topic: CAP-XL-AC trouble bandwidth
Replies: 1
Views: 232

Re: CAP-XL-AC trouble bandwidth

Sorry not familiar with capsman. I would try the router with ONE CAPAC, without capsman first. Then if that works start adding in the capsman programming for the one device until you get it right. Then add the other 9 Personally I would have come to the forum first to ask about wifi devices to add t...
by anav
Sat Oct 23, 2021 6:35 pm
Forum: General
Topic: Double-check my first hEX PoE configuration
Replies: 9
Views: 474

Re: Double-check my first hEX PoE configuration

Let me get this straight, Ether1 provides internet how, from another router which provides you a private LANIP, for your HEX WANIP. One of the main routers lan port connects to the HEX WAN port. What is the main router make and model and what is travelling on this port (subnet(s)?) and how are they ...
by anav
Sat Oct 23, 2021 6:28 pm
Forum: General
Topic: LAN Client authentication over Hotspot [SOLVED]
Replies: 2
Views: 271

Re: LAN Client authentication over Hotspot [SOLVED]

How did you solve it??
by anav
Sat Oct 23, 2021 6:27 pm
Forum: General
Topic: Blocked IP?
Replies: 3
Views: 272

Re: Blocked IP?

Agreed, if you are getting a private IP then unless the ISP forwards the port to your private IP, it's unlikely that port forwarding would work. As stated by Rich, most modern programs work because they are based on you joining a server (traffic initiated by you) and thus all return traffic is permit...
by anav
Sat Oct 23, 2021 6:25 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 62
Views: 2709

Re: VPN to connect home network to cottage

Ahh, I cant wait for wireguard to go mainstream, watching this torture is no fun.... ;-)
by anav
Sat Oct 23, 2021 6:23 pm
Forum: Beginner Basics
Topic: Vrf vs Vlan
Replies: 2
Views: 177

Re: Vrf vs Vlan

Not sure you would need a vrf table. Just route Subnets, in any format you want to use, to appropriate wan interface. firewall rules used to allow deny traffic between subnets for example........ Sounds like you already have a decent plan to separate the etherports into two groups based on switch chi...
by anav
Sat Oct 23, 2021 4:08 pm
Forum: General
Topic: Will NATted wireguard work?
Replies: 20
Views: 1157

Re: Will NATted wireguard work?

Ive already pointed out what information needs to be put in both the router and the smartphone,
Ive also pointed out issues with your config.
Not much more one can do, until you decide you want to learn MT and not be so stubborn.
Wireguard works great.
by anav
Sat Oct 23, 2021 4:02 pm
Forum: Beginner Basics
Topic: bridges and VLANs - why?
Replies: 18
Views: 799

Re: bridges and VLANs - why?

My basic rule of thumb is that if you need different subnets and have enough ports on the router you dont need a bridge and can assign subnets to etherports. If you run out of ports then go vlans as typically running out of ports means you will need a switch or smart AP down the line and thus one po...
by anav
Sat Oct 23, 2021 3:55 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 62
Views: 2709

Re: VPN to connect home network to cottage

Found a mistake on your Home-Router The Firewall-Rules for IPSec -> add action=accept chain=input comment="Accept: IPSec UDP (Internet -> Router)" ...... -> add action=accept chain=input comment="Accept: IPSec-Traffic (Cottage -> Router)" ..... Need to be BEFORE -> add action=dr...
by anav
Fri Oct 22, 2021 11:39 pm
Forum: Beginner Basics
Topic: bridges and VLANs - why?
Replies: 18
Views: 799

Re: bridges and VLANs - why?

A better read....
viewtopic.php?t=173692
by anav
Fri Oct 22, 2021 11:35 pm
Forum: Beginner Basics
Topic: Vlan Configuration - Knots in head
Replies: 20
Views: 830

Re: Vlan Configuration - Knots in head

This is the bible on vlans,......
viewtopic.php?t=143620

You have fundamental errors in the config............
Ip addresses is a good place to start.....

another good info link
viewtopic.php?t=173692
by anav
Fri Oct 22, 2021 4:29 pm
Forum: General
Topic: WAN Link Dropping [SOLVED]
Replies: 19
Views: 883

Re: WAN Link Dropping [SOLVED]

Thanks for the laugh lol Didn't see it mentioned anywhere in the thread - has the ISP replaced their modem at any point? Also do you have a spare port on the hEX S which you can reconfigure as the WAN to see if it's a port issue? You mentioned rebooting the hardware, disconnecting/reconnecting the ...
by anav
Fri Oct 22, 2021 4:27 pm
Forum: General
Topic: WAN Link Dropping [SOLVED]
Replies: 19
Views: 883

Re: WAN Link Dropping [SOLVED]

It went up and down like a toilet seat at a Chinese buffet today and I can't figure this out! Thanks for the laugh lol Didn't see it mentioned anywhere in the thread - has the ISP replaced their modem at any point? Also do you have a spare port on the hEX S which you can reconfigure as the WAN to s...
by anav
Fri Oct 22, 2021 4:24 pm
Forum: General
Topic: Possible to request LAN IP, through DHCP client ?
Replies: 4
Views: 269

Re: Possible to request LAN IP, through DHCP client ?

In my experience, both cable and Fibre, a dynamic IP is just that, you dont know what IP or even IP gateway the Modem will give you next. Typically on both, when the lease expires one gets the same as they had before.........only after some longer period of time unknown or a power outage of some sor...
by anav
Fri Oct 22, 2021 4:00 pm
Forum: General
Topic: Will NATted wireguard work?
Replies: 20
Views: 1157

Re: Will NATted wireguard work?

Hi there, (1) The WG interface may or may not get an IP address (optional, works either way). It does not need nor should get an IP pool, dhcp server etc......... /ip pool add name=dhcp ranges=192.168.89.2-192.168.89.254 add name=pool1 ranges=192.168.90.128/25 /ip dhcp-server add address-pool=dhcp i...
by anav
Fri Oct 22, 2021 3:51 pm
Forum: Beginner Basics
Topic: Multiple ports in a VLAN
Replies: 3
Views: 262

Re: Multiple ports in a VLAN

Once you have hoisted in MKS, most excellent reference, and still have unresolved issues
Post entire config
/export hide-sensitive file=anynameyouwant
by anav
Fri Oct 22, 2021 3:50 pm
Forum: Beginner Basics
Topic: Configuring Subnet of WAN IPs for NAT
Replies: 4
Views: 251

Re: Configuring Subnet of WAN IPs for NAT

Yup, it's easy to fall into the assumption trap!! Best thing is for every op. a. to describe their WANIP ISP setup b. provide a network diagram c. provide config /export hide-sensitive file=anynameyouwish Then there is less guessing and quicker resolution of issues. Personally I prefer to understand ...
by anav
Thu Oct 21, 2021 11:03 pm
Forum: General
Topic: Please Help with Failover
Replies: 1
Views: 183

Re: Please Help with Failover

by anav
Thu Oct 21, 2021 11:01 pm
Forum: Beginner Basics
Topic: How would you configure this?
Replies: 2
Views: 243

Re: How would you configure this?

USE VLANS to separate traffic subnets.
Then at the router ensure vlan-guestwifi has access to the internet (WAN) but no connectivity to the LAN.
by anav
Thu Oct 21, 2021 9:59 pm
Forum: General
Topic: Double-check my first hEX PoE configuration
Replies: 9
Views: 474

Re: Double-check my first hEX PoE configuration

so you are using the hex as a switch or a router??
In any case here is good article to read.
viewtopic.php?t=143620
by anav
Thu Oct 21, 2021 6:56 pm
Forum: Beginner Basics
Topic: WLAN Password WAP-R [SOLVED]
Replies: 5
Views: 324

Re: WLAN Password WAP-R [SOLVED]

As per pictures.....
wifisec1.jpg
wifisec2.jpg
by anav
Thu Oct 21, 2021 6:38 pm
Forum: Beginner Basics
Topic: Can someone help me
Replies: 12
Views: 551

Re: Can someone help me

Yup looks like a router behind a router based on wan ip structure. My observation is the funny NAT rules....... SOURCENAT: /ip firewall nat add action=masquerade chain=srcnat ???????????? Should be removed. add action=masquerade chain=srcnat comment="masquerade hotspot network" \ src-addre...
by anav
Thu Oct 21, 2021 4:31 pm
Forum: Beginner Basics
Topic: [Help Needed] Connecting MikroTik to several Access Point
Replies: 1
Views: 152

Re: [Help Needed] Connecting MikroTik to several Access Point

Yes, that looks feasible, there are so many ways to configure this beast but a basic ether1 and ether2 cover off one subnet and ether3 and ether4 cover off a different subnet will work fine. Note that there is a hotspot manager in RoS that may be perfect for the wifi hotspot to customers allocation ...
by anav
Thu Oct 21, 2021 4:27 pm
Forum: Beginner Basics
Topic: Request config sanity check
Replies: 19
Views: 1012

Re: Request config sanity check

Well it wasnt the complete config I dont think, no interface lists etc....... but dont see anything untoward. Still some efficiency items in firewall rules. camera interface is same as source list so duplicated like the kids source address list, but this is minor. I cannot review mangle, allergic yo...
by anav
Thu Oct 21, 2021 4:16 pm
Forum: Beginner Basics
Topic: Request config sanity check
Replies: 19
Views: 1012

Re: Request config sanity check

Okay got it, UTAH is a two way VPN construct. MULLVAN is to a VPN provider and remote is for incoming admin config of the router. What is not clear to me is who is using the Mulvad VPN? The reason I question the second sourcenat rule is that I dont think its needed. Its not a wan interface link alth...
by anav
Thu Oct 21, 2021 4:14 pm
Forum: Beginner Basics
Topic: Hairpin not working with PPPoe (static WAN) [SOLVED]
Replies: 3
Views: 288

Re: Hairpin not working with PPPoe (static WAN) [SOLVED]

This link should provide some inspiration. Post back if still having issues.
viewtopic.php?t=179343

Also when you post back with issues unresolved ensure you post the entire config.
/export hide-sensitive file=anynameyouwish
by anav
Thu Oct 21, 2021 4:11 pm
Forum: Beginner Basics
Topic: Can someone help me
Replies: 12
Views: 551

Re: Can someone help me

Rant on...... Of course the OP did that, k6cccc, the arrogance of people coming here asking for help for their issues and then they assume they know what you need to see and ignore your logical request for context and information. Clearly they know shit otherwise they wouldnt be here asking for help...
by anav
Thu Oct 21, 2021 4:08 pm
Forum: Beginner Basics
Topic: is my NAT config is ok?
Replies: 24
Views: 1830

Re: is my NAT config is ok?

Then we need to speak to the ISP configurer and not you, if they have control over the mikrotik.
by anav
Thu Oct 21, 2021 4:05 pm
Forum: Beginner Basics
Topic: Block access to a printer
Replies: 2
Views: 201

Re: Block access to a printer

If the users are on the same LAN subnet as the printer, there is not much one can do. The best move is to put the printer on a separate subnet or vlan. Then make a firewall rule allowing access to the printer to those who are allowed access. It appears that a few users on the LAN are not allowed in ...
by anav
Wed Oct 20, 2021 11:34 pm
Forum: General
Topic: Ethernet Port Flapping on MikroTik Routers
Replies: 6
Views: 469

Re: Ethernet Port Flapping on MikroTik Routers

What is common is the non-MT equipment being used and one particular brand. I suspect they are not following ethernet protocols properly.................
by anav
Wed Oct 20, 2021 11:22 pm
Forum: Beginner Basics
Topic: Request config sanity check
Replies: 19
Views: 1012

Re: Request config sanity check

(1) As stated before MULLVAD is NOT a WAN interface. Its a LAN interface directly connected to a VPN provider, vice your own remote router. All the traffic from the LAN interface to the VPN provider will go out to the internet. To put it bluntly, no firewall rules from/to WAN affect this interface d...
by anav
Wed Oct 20, 2021 8:04 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

So what was the key, something previous before dhcp server was turned off, or the removal of detect internet
by anav
Wed Oct 20, 2021 6:02 pm
Forum: Beginner Basics
Topic: Chaining an Accespoint behind an Accespoint
Replies: 8
Views: 415

Re: Chaining an Accespoint behind an Accespoint

Ugggg quickstep? Would you in public pick your nose? It grosses people out and you could be sticking a virus up your nose! Well, quickstep is similar. Using it grosses out all MT folks here. :) Although not as bad as virus, it does usually cockup the config!!! It should have been named quicksand bec...
by anav
Wed Oct 20, 2021 3:36 pm
Forum: General
Topic: Asking for VLAN setup advices
Replies: 4
Views: 296

Re: Asking for VLAN setup advices

The point is that the hex was purchased in error then as it does not fulfil the requirements.........
by anav
Wed Oct 20, 2021 3:32 pm
Forum: General
Topic: RB260GS EOL? [SOLVED]
Replies: 15
Views: 772

Re: RB260GS EOL? [SOLVED]

Why,,,,,,,, they are the plain jane 5 port switch.....??

Are you saying that the CSS610-8G-2S+IN is now their low ball switch??
by anav
Wed Oct 20, 2021 2:34 am
Forum: General
Topic: WAN failover not working as expected
Replies: 4
Views: 327

Re: WAN failover not working as expected

Can you provide a network diagram having a devil of a time understanding it.
Seems like your ISP are providing WAN connections with vlans??

Why is vlan 99 part of the bridge itself??
What is the purpose of vlan 99

Once the network is clear it should be simple to fix up.
by anav
Wed Oct 20, 2021 2:29 am
Forum: Beginner Basics
Topic: Can't get second guest bridge to route to WAN
Replies: 9
Views: 400

Re: Can't get second guest bridge to route to WAN

Didnt you mean GRILL LOL
by anav
Wed Oct 20, 2021 2:28 am
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 62
Views: 2709

Re: VPN to connect home network to cottage

I would hope that only one IPSEC tunnel is needed.
by anav
Wed Oct 20, 2021 12:18 am
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 62
Views: 2709

Re: VPN to connect home network to cottage

Yes, dont you want to save yourself hours of frustration!! You can always load up ver7.1b RC4 on both routers and go for it LOL Read through this thread to see if there are any gotchas for a basic setup.......... https://forum.mikrotik.com/viewtopic.php?t=178704 Yeah I had a read through I would wai...
by anav
Wed Oct 20, 2021 12:17 am
Forum: Beginner Basics
Topic: Help! (wanted)
Replies: 13
Views: 520

Re: Help! (wanted)

If your asking me the routing is separate from the IPSEC VPN settings so has nothing to do with step 12.
Yes, no mangling required.
By the way I am gainfully employed so am not available to fulfil your advert for employment. :-)
by anav
Tue Oct 19, 2021 11:23 pm
Forum: Beginner Basics
Topic: VLAN dedictated port and tagged in bridge [SOLVED]
Replies: 5
Views: 384

Re: VLAN dedictated port and tagged in bridge [SOLVED]

Oh, haha, I am just a hack. Not certified or trained, well except for my self-ordained MTUNA certification.
Follow my advice at your own risk!!
by anav
Tue Oct 19, 2021 11:20 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

Or
..
dhcp1.jpg
....
by anav
Tue Oct 19, 2021 10:15 pm
Forum: Beginner Basics
Topic: Standardize Firewall Rules
Replies: 3
Views: 262

Re: Standardize Firewall Rules

viewtopic.php?t=152564

Check out DUDE

Zerotier?

Scripts?

I have seen this type of topic discussed many times....................
by anav
Tue Oct 19, 2021 10:05 pm
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 62
Views: 2709

Re: VPN to connect home network to cottage

Ahh brother, I am with you and would be at the same exact spot. What I can tell you is that wireguard is as easy as vanilla bean icecream melting off hot apple pie!!! Three choices. a. config routers to vers 7.1beta RC4 and take your chances............. should be fine in my view for most easy confi...
by anav
Tue Oct 19, 2021 10:02 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

Yes the R in the title means both Holvo and I are Retar...... for not figuring this out. :-(
by anav
Tue Oct 19, 2021 10:00 pm
Forum: Wireless Networking
Topic: hap ac3 - worse than hap lite?
Replies: 15
Views: 1375

Re: hap ac3 - worse than hap lite?

There is nothing wrong with the router, it is a very good router.
MT wifi works but is underpowered (the home variety) and thus most folks here do not recommend MT home wifi, its like WIFI5 but pre 2015.
I use TPLINK eap245 and 660 for my home wifi for example.
by anav
Tue Oct 19, 2021 9:58 pm
Forum: Wireless Networking
Topic: RB4011iGS+5HacQ2HnD-IN 5Ghz disappearing
Replies: 26
Views: 10602

Re: RB4011iGS+5HacQ2HnD-IN 5Ghz disappearing

No more likely the rubbish is the person configuring the router. Personally the RB4011 is a fantastic router. MT wifi for home use is rather weak but works. I would never buy an integrated router and wifi device regardless as the placement of the router (garage, basement) where the services are, is ...
by anav
Tue Oct 19, 2021 8:41 pm
Forum: Beginner Basics
Topic: Chaining an Accespoint behind an Accespoint
Replies: 8
Views: 415

Re: Chaining an Accespoint behind an Accespoint

Hello once again fellow MikroTikers,

to tune my home wife i bought a cAP-2nD and a Omnitik 5 PoE ac.

I have never heard of MT devices tuning a spouse out, most just use loud music. :-0


Quick question is the capac connected to the ISP modem or is there a router in between??
by anav
Tue Oct 19, 2021 8:37 pm
Forum: Beginner Basics
Topic: Help! (wanted)
Replies: 13
Views: 520

Re: Help! (wanted)

No need to mangle anything. Just add another route 0.0.0.0/0 gateway=192.168.55.1 route-mark=USEVPN (assuming 192.168.55.1 is the vlan gateway of that subnet). Then create a route rule Interface=VPN interface (or source address 192.168.55.0/24) action: look up only in table table: USEVPN Just to be ...
by anav
Tue Oct 19, 2021 8:30 pm
Forum: Beginner Basics
Topic: Can't get second guest bridge to route to WAN
Replies: 9
Views: 400

Re: Can't get second guest bridge to route to WAN

Repeated but with colour emphasis......LOL /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN missing /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN add interface=apart...
by anav
Tue Oct 19, 2021 7:08 pm
Forum: Beginner Basics
Topic: Can't get second guest bridge to route to WAN
Replies: 9
Views: 400

Re: Can't get second guest bridge to route to WAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

missing
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=apartment-bridge list=LAN
by anav
Tue Oct 19, 2021 5:00 pm
Forum: General
Topic: WAN Link Dropping [SOLVED]
Replies: 19
Views: 883

Re: WAN Link Dropping [SOLVED]

Please keep us informed, if nothing else to show that I saved you $179US ;-)
by anav
Tue Oct 19, 2021 4:58 pm
Forum: Beginner Basics
Topic: VLAN dedictated port and tagged in bridge [SOLVED]
Replies: 5
Views: 384

Re: VLAN dedictated port and tagged in bridge [SOLVED]

Close! What is not clear to me is ether10. In the majority of cases a Router to a Switch scenario port to carry vlans is a trunk port that carries all vlans. You seem to be indicating that the SWITCH is expecting a HYBRID scenario and CAN handle incoming untagged info (main network) as well as sever...
by anav
Tue Oct 19, 2021 2:21 pm
Forum: Beginner Basics
Topic: I need help with firewall
Replies: 1
Views: 190

Re: I need help with firewall

/export hide-sensitive file=anynameyouwish
by anav
Tue Oct 19, 2021 2:20 pm
Forum: Beginner Basics
Topic: Access to webfig not working
Replies: 8
Views: 13361

Re: Access to webfig not working

Update your firmware to the latest long version at least.
by anav
Tue Oct 19, 2021 2:13 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

Ensure DNS setting is entered on this line. /ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1 Should look like /ip dhcp-server network add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 Also this is an interface, so try to add either lte a...
by anav
Tue Oct 19, 2021 2:09 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

What confuses me is that the LTE seems to have a 10.xx address, the LAN is on 192.168.x.x
But the PC gets 169.254 ???

Regardless of the WAN situation the PC should simply get a proper LANIP from the router???
by anav
Tue Oct 19, 2021 2:05 pm
Forum: General
Topic: Allow WinBox broadcast on WAN interface
Replies: 6
Views: 306

Re: Allow WinBox broadcast on WAN interface

Nope, winbox is not meant to be used on the wan interface.
If you need to access winbox from a remote location use vpn, port knocking etc to access the router and then use winbox to config the router
by anav
Tue Oct 19, 2021 2:04 pm
Forum: General
Topic: WAN failover not working as expected
Replies: 4
Views: 327

Re: WAN failover not working as expected

/export hide-sensitive file=anynameyouwish
by anav
Tue Oct 19, 2021 1:57 pm
Forum: General
Topic: VPN inside Mikrotik and redirect only on LAN
Replies: 8
Views: 549

Re: VPN inside Mikrotik and redirect only on LAN

Sorry not familiar with P2TP?
by anav
Tue Oct 19, 2021 3:40 am
Forum: General
Topic: WAN Link Dropping [SOLVED]
Replies: 19
Views: 883

Re: WAN Link Dropping [SOLVED]

Wow, thanks for the experience lesson.
That seems to be a godsend for your work.

If everything else checks out and a modem replacement doesn't fix it, are you saying
that some modem/ISP combinations are just whacked ???
by anav
Mon Oct 18, 2021 10:56 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

Okay understand about eplus! You need to go to IP DNS settings. Check Green rectangle........... At the top you should see servers, and this is where I assume the 159 came in there, seems to be the fact that you stated use peer DNS, which is fine so that is why that is there, do not remove it. You c...
by anav
Mon Oct 18, 2021 9:57 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

Step 1. Clean up config remove the part in red and add blue /interface list member add comment=defconf interface=wlan1 list=LAN add list=LAN add interface=ether1 list=LAN add interface=lte1 list=WAN add interface=eplus list=WAN /ip address add address=192.168.88.1/24 comment=defconf interface=wlan1 ...
by anav
Mon Oct 18, 2021 9:13 pm
Forum: General
Topic: Help to Drop Download in mikrotik 6.X or 5.x
Replies: 7
Views: 480

Re: Help to Drop Download in mikrotik 6.X or 5.x

Yes rextended, in summary,
the op needs to articulate what the problem is and the requirements and then a solution/config will fall out naturally.
I am not sure what convoluted config was being attempted but it looks stunningly complex and useless at the same time.
by anav
Mon Oct 18, 2021 9:10 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

and do include my suggestion
add interface=eplus list=WAN wont hurt if wrong will help immensely if right!!!
by anav
Mon Oct 18, 2021 8:52 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

I didnt mean literally the file should be called anynameyouwish, I meant that you could use any name you desired for the file LOL
Why not ? It's a name like any other.
Or would you prefer "becauseanavsaidso" ? :lol:
I prefer........... holvoshoulddriveavolvo
by anav
Mon Oct 18, 2021 7:49 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

I am not sure you need to frig with DHCP client, if you already have LTE client settings as a separate entity.
if you do need dhcp client then the interface would be the LTE one NOT the wifi one.
by anav
Mon Oct 18, 2021 7:48 pm
Forum: Beginner Basics
Topic: Block access to winbox on eth 1
Replies: 1
Views: 249

Re: Block access to winbox on eth 1

What are the requirements. Only the admin should be able to configure the routers? Should the admin be able to configure all the routers remotely? What Management subnet or vlan is setup for all these devices? Are all the devices connected to the same TOP router and then to the ISP modem? A network ...
by anav
Mon Oct 18, 2021 7:44 pm
Forum: Beginner Basics
Topic: Request config sanity check
Replies: 19
Views: 1012

Re: Request config sanity check

If mullvad and Utah are groups of users on this router that are remotely using a remote internet connection,
WHY do you have listening ports for them defined on this router??

Please post your latest config .
/export hide-sensitive file=anynameyouwish
by anav
Mon Oct 18, 2021 7:26 pm
Forum: General
Topic: 3years no RouterOS updates - would you consider it compromised & replace the unit?
Replies: 5
Views: 408

Re: 3years no RouterOS updates - would you consider it compromised & replace the unit?

It's much easier for them to send you replacement device already configured.
Do you mean configured by the Red Army or the ISP, same thing if in China ;-)
by anav
Mon Oct 18, 2021 7:20 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

(1) Lets tidy this up.../interface list member add comment=defconf interface=wlan1 list=LAN add list=LAN add interface=ether1 list=LAN add interface=lte1 list=WAN.. TO /interface list member add comment=defconf interface=wlan1 list=LAN add interface=ether1 list=LAN add interface=lte1 list=WAN add in...
by anav
Mon Oct 18, 2021 7:15 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

I didnt mean literally the file should be called anynameyouwish, I meant that you could use any name you desired for the file LOL
by anav
Mon Oct 18, 2021 7:13 pm
Forum: Beginner Basics
Topic: Request config sanity check
Replies: 19
Views: 1012

Re: Request config sanity check

Anav - still working on revising my config. I wanted to ask you more about the Mangle question you asked. Based on your question, I assume you are not a fan of using Mangle? I used Mangle as I didn't see a way to do PBR as cleanly as with Mangle. I know I can create route rules but I seem to have t...
by anav
Mon Oct 18, 2021 7:09 pm
Forum: Beginner Basics
Topic: Request config sanity check
Replies: 19
Views: 1012

Re: Request config sanity check

Q1. I put two of wireguard interfaces in the WAN list because I basically use them as WAN connections. Mullvad is a commercial VPN provider and the Utah connection is one that I use in great part for streaming media. Does it not make sense for those interfaces to be in the WAN list? NO, they are not...
by anav
Mon Oct 18, 2021 6:57 pm
Forum: General
Topic: VPN inside Mikrotik and redirect only on LAN
Replies: 8
Views: 549

Re: VPN inside Mikrotik and redirect only on LAN

Not really too many depends........
You have to decide which VPN you will use.
by anav
Mon Oct 18, 2021 6:16 pm
Forum: General
Topic: Help to Drop Download in mikrotik 6.X or 5.x
Replies: 7
Views: 480

Re: Help to Drop Download in mikrotik 6.X or 5.x

Don't understand, Do you mean you wish to have some sort of bandwidth management control. a. maximum daily download limit per user? b. maximum daily download limit per subnet? c. Control throughput speeds so that users can only download at reduced speeds depending upon overall bandwidth. Schedul...
by anav
Mon Oct 18, 2021 6:11 pm
Forum: General
Topic: VPN inside Mikrotik and redirect only on LAN
Replies: 8
Views: 549

Re: VPN inside Mikrotik and redirect only on LAN

So basically you want to create a Mikrotik Router to Mikrotik Router VPN connection so that your home LAN users (some of them) can use the internet provided by the WORK IP. I am curious, how come the TV box doesnt work on the HOME ISP? What makes you think it will work on the WORK ISP? Do you manage...
by anav
Mon Oct 18, 2021 6:06 pm
Forum: General
Topic: 3years no RouterOS updates - would you consider it compromised & replace the unit?
Replies: 5
Views: 408

Re: 3years no RouterOS updates - would you consider it compromised & replace the unit?

Yes, it should be netinstalled with the latest long term firmware, unless the client is a risk taker and absolutely needs wireguard 7.1bRC4
by anav
Mon Oct 18, 2021 4:57 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

Post your latest config !!

/export hide-sensitive file=anynameyouwish
by anav
Mon Oct 18, 2021 4:56 pm
Forum: Wireless Networking
Topic: How many clients on CAP XL AC?
Replies: 6
Views: 685

Re: How many clients on CAP XL AC?

Rule of thumb, plan for 15 users per AP. Unless the AP is designed specifically for volume.
However, you may need to inject some management such as limiting throughput per users to discourage downloading hogs.
by anav
Mon Oct 18, 2021 4:46 pm
Forum: Wireless Networking
Topic: WIFI 6 Roadmap
Replies: 106
Views: 69119

Re: WIFI 6 Roadmap

meanwhile down in my basement smartphone on my iphone connected to an EAP245 I was getting 530 down and 330 up;
and upstairs on the EAP 660, 650 down, 310 up.
(capac 215 up, 180 down)
by anav
Mon Oct 18, 2021 4:41 pm
Forum: General
Topic: VPN inside Mikrotik and redirect only on LAN
Replies: 8
Views: 549

Re: VPN inside Mikrotik and redirect only on LAN

What you ask makes no sense because you are mixing up both user requirements and config solutions in the same sentences. Please state clearly what you would like your users or devices to accomplish without mentioning the router or the configuration. What it sounds like you're saying is that you would ...
by anav
Mon Oct 18, 2021 4:35 pm
Forum: General
Topic: WAN Link Dropping [SOLVED]
Replies: 19
Views: 883

Re: WAN Link Dropping [SOLVED]

BS gotsprings, LOL, do you work for that company ;-) Seriously, I have had plenty of cable modems in the family attached to all kinds of routers including MT and NOT a PEEP of any such lockups. I would get the modem replaced and check the wiring from the road to the modem BUT FIRST CHECK THE CABLE f...
by anav
Mon Oct 18, 2021 4:31 pm
Forum: General
Topic: Setting up VLANS on one Unifi AP
Replies: 7
Views: 499

Re: Setting up VLANS on one Unifi AP

/export hide-sensitive file=anynameyouwish Which subnet is your management vlan on? It could be the home LAN for example, meaning what is your trusted subnet? The Unifi should be getting a LANIP on this subnet. Therefore there are two ways to proceed. (1) Assuming UNIFI is like any other smart devic...
by anav
Mon Oct 18, 2021 4:18 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 11
Views: 632

Re: SmartThings and SharkClean Notifications Stopped Working

Try changing this /ip neighbor discovery-settings set discover-interface-list=!all TO /ip neighbor discovery-settings set discover-interface-list=LAN Also Try deleting the static DNS setting of 192.168.7.1 /ip dns static add address=192.168.7.1 comment=defconf name=router.lan and adding under server...
by anav
Mon Oct 18, 2021 4:15 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 11
Views: 632

Re: SmartThings and SharkClean Notifications Stopped Working

Do the notifications like all of my devices, go from device to device manufacturer cloud servers, and then to my smartphone ??
All your devices have internet access and thus you should get notices on your smartphone?
by anav
Mon Oct 18, 2021 3:04 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 25
Views: 1776

Re: Traffic to management of MikroTik switches not going through

Unfortunately its overly complex for me to try and unravel the snakes nest. Follow the guidance here for the router and the switches. https://forum.mikrotik.com/viewtopic.php?t=143620 at least to get ideas. On the router every vlan has to be identified and its parent interface is the bridge. On the ...
by anav
Mon Oct 18, 2021 12:08 am
Forum: General
Topic: WAN Link Dropping [SOLVED]
Replies: 19
Views: 883

Re: WAN Link Dropping [SOLVED]

Hard to say, what type of internet modem service do you have, cable? fibre?

I would certainly log every instance so you have evidence to show the ISP if it's determined to be at their end.
by anav
Mon Oct 18, 2021 12:07 am
Forum: General
Topic: VLAN correct config
Replies: 5
Views: 375

Re: VLAN correct config

..... and this article for the setup of vlans.......
viewtopic.php?t=143620
by anav
Mon Oct 18, 2021 12:04 am
Forum: Beginner Basics
Topic: Request config sanity check
Replies: 19
Views: 1012

Re: Request config sanity check

What seems weird to me is the use of/firewall rules for wireguard. Typically one has an input chain rule for the listening port and thats it. If one wants to allow the wireguard interface itself reach the router for admin purposes then there would be a rule for that. etc... In this case I am seeing ...
by anav
Sun Oct 17, 2021 9:34 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 25
Views: 1776

Re: Traffic to management of MikroTik switches not going through

For the rest of the config, 7 vlans identified but only 5 IP Pools etc., so you are missing data, so it seems.
Otherwise, its a fairly complex setup so if you have your settings right it should work.
by anav
Sun Oct 17, 2021 9:32 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 25
Views: 1776

Re: Traffic to management of MikroTik switches not going through

Okay, so you need all smart devices to get an IP address on what you use as the management VLAN. If your switches are not Mikrotik then you need to do the following (scenario, home vlan10, guest wifi vlan 20, managment vlan 99) Lets say a 5 port switch eth1 - trunk port from router eth2- trunk port ...
by anav
Sun Oct 17, 2021 9:09 pm
Forum: Beginner Basics
Topic: Where in firewall rules the Fasttrack should be [SOLVED]
Replies: 5
Views: 528

Re: Where in firewall rules the Fasttrack should be [SOLVED]

Looks good the only things I would change
are
/tool mac-server mac-winbox
set allowed-interface-list=none

list=LAN (so as to enable access via winbox to the router on the LAN).

and this one as well..........
/ip neighbor discovery-settings
set discover-interface-list=none

list=LAN
by anav
Sun Oct 17, 2021 4:49 pm
Forum: General
Topic: Block p2p from IP cameras - RB4011iGS+RM
Replies: 16
Views: 872

Re: Block p2p from IP cameras - RB4011iGS+RM

I would put all devices that should not have internet access on their own vlan(s)/
Then simply block vlans from internet.........
by anav
Sun Oct 17, 2021 4:48 pm
Forum: General
Topic: Eth1 as WAN port with DHCP regardless IP
Replies: 3
Views: 344

Re: Eth1 as WAN port with DHCP regardless IP

The modem should provide a public IP to your router and in this case there is no issue with whatever subnet you choose for your LAN.
However if the modem is NOT giving you a public IP but a private IP address, then you have to make sure that your LAN is on a different private SUBNET.
by anav
Sun Oct 17, 2021 4:42 pm
Forum: General
Topic: VLAN correct config
Replies: 5
Views: 375

Re: VLAN correct config

Without knowing the full config I would hedge my bets but in general you can combine vlan-ids IF and only IF the ports are identical for all vlans. Since these are trunk ports, this is a very real possibility. both config are wrong anyway Version 1: /interface bridge vlan add bridge=bridge1 tagged= ...
by anav
Sun Oct 17, 2021 4:24 pm
Forum: Beginner Basics
Topic: Where in firewall rules the Fasttrack should be [SOLVED]
Replies: 5
Views: 528

Re: Where in firewall rules the Fasttrack should be [SOLVED]

/export hide-sensitive file=anynameyouwish
by anav
Sun Oct 17, 2021 3:04 am
Forum: Beginner Basics
Topic: CRS326-24G-2S+IN like a switch with vlan mgmt [SOLVED]
Replies: 8
Views: 850

Re: CRS326-24G-2S+IN like a switch with vlan mgmt [SOLVED]

Almost right I didnt state in red I stated it in blue ;-PP
vlan filtering=yes (add the yes bit as the last step in configuration)
by anav
Sat Oct 16, 2021 11:08 pm
Forum: Beginner Basics
Topic: Request config sanity check
Replies: 19
Views: 1012

Re: Request config sanity check

Yup there are lots of changes required but dont have time to go indepth at the moment.
Didnt see anything dangerous.....
Be forewarned I am a minimalist and strive for cleaner configs.
by anav
Sat Oct 16, 2021 1:19 am
Forum: RouterOS v7 BETA
Topic: Is MT the worse monitoring router?
Replies: 18
Views: 1463

Re: Is MT the worse monitoring router?

What? Its an excellent logging router from my experience.
Did you try packet sniffer for example??
by anav
Sat Oct 16, 2021 1:17 am
Forum: RouterOS v7 BETA
Topic: Wireguard use Hostname in endpoint
Replies: 5
Views: 1342

Re: Wireguard use Hostname in endpoint

I use two MT routers behind main routers as wireguard server and peer responsibilities and a smart phone peer as well.
I use IP cloud for endpoint settings for both routers and for the endpoint peer setting in the smartphone.
All works great.
by anav
Fri Oct 15, 2021 11:56 pm
Forum: Beginner Basics
Topic: Stuck on first ROS baby steps: PPPOE-client not connecting
Replies: 7
Views: 722

Re: Stuck on first ROS baby steps: PPPOE-client not connecting

Does the ISP need to reset at their end, not sure having never used pppoe, but perhaps there is a mac address stored somewhere that needs to be reset? Many folks are using PPOE with all kinds of MT devices without issue. Yeah you would not like to hook up that router anyway as you basically have no ...
by anav
Fri Oct 15, 2021 10:50 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 11
Views: 632

Re: SmartThings and SharkClean Notifications Stopped Working

So the euromesh gets its IP address from the MT??
by anav
Fri Oct 15, 2021 9:00 pm
Forum: Beginner Basics
Topic: Seamless failover
Replies: 18
Views: 1203

Re: Seamless failover

So are you saying the cloud location houses the two ISP connections, and the office router only has one connection to the cloud location subnet?
If so what would be the difference between colo and physically putting another router in front of the current router with the same setup??
by anav
Fri Oct 15, 2021 5:04 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 11
Views: 632

Re: SmartThings and SharkClean Notifications Stopped Working

So the aero mesh worked with the previous router with no issues??
Connected to the Router via wired connection (I guess at least one of them)?
by anav
Fri Oct 15, 2021 4:48 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 11
Views: 632

Re: SmartThings and SharkClean Notifications Stopped Working

yeah that is weird, if everything is on the same subnet.
What is aeromesh??
by anav
Fri Oct 15, 2021 4:44 pm
Forum: Beginner Basics
Topic: Another Port Forwarding issue [SOLVED]
Replies: 2
Views: 411

Re: Another Port Forwarding issue [SOLVED]

(1) Not sure why you use .113 as a gateway. Probably not wrong but not something I see often. /ip dhcp-server network add address=192.168.1.0/24 comment=defconf gateway=192.168.1.113 netmask=24 (2) REMOVE UPNP settings, not required. (3) What you are missing is a Port Forward Rule, and we use the d...
by anav
Fri Oct 15, 2021 4:24 pm
Forum: Beginner Basics
Topic: SmartThings and SharkClean Notifications Stopped Working
Replies: 11
Views: 632

Re: SmartThings and SharkClean Notifications Stopped Working

Not enough info.
Network diagram (should show devices and subnets)
config
/export hide-sensitive file=anynameyouwish

What notices were you getting before? Do you mean on PC? on Smartphone?
by anav
Fri Oct 15, 2021 4:21 pm
Forum: Beginner Basics
Topic: Lost management access to AP, how to regain access?
Replies: 2
Views: 333

Re: Lost management access to AP, how to regain access?

Yup! (1) Read and use this as a setup model, examples for your scenario are there. https://forum.mikrotik.com/viewtopic.php?t=143620 The article however doesnt use capsman, either do I, its not worth it IMHO unless you have over 3 cap type devices. (2) One bridge for sure. (3) What I do is take an u...
by anav
Fri Oct 15, 2021 4:15 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

(1) Why do you have two IP addresses for WLAN1 (suggesting removing the one in red) /ip address add address=192.168.88.1/24 comment=defconf interface=wlan1 network=\ 192.168.88.0 add address=10.10.10.1/24 interface=wlan1 network=10.10.10.0 (2) Why do have have LAN setup that is also your WAN setup. ...
by anav
Fri Oct 15, 2021 4:10 pm
Forum: Beginner Basics
Topic: is my NAT config is ok?
Replies: 24
Views: 1830

Re: is my NAT config is ok?

Routing scenario: I had a very simple connection like ISP has given me one static IP address with a subnet mask and gateway. But when i ask them to give me more public IP addresses "then they made this complex setup in Mikrotik". They told me that now they have given me a routed IP and I ...
by anav
Thu Oct 14, 2021 10:06 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

I now have orders
/ export hide-sensitive file = test

tried out. Where can I find the exported file?
Hi there, there should be no spaces between file equal sign or test, thus: file=test

It will be found under FILES ;-)
by anav
Thu Oct 14, 2021 10:03 pm
Forum: General
Topic: Will NATted wireguard work?
Replies: 20
Views: 1157

Re: Will NATted wireguard work?

As stated, this is a personal problem that you have, and is clearly no longer related to the wireguard or router settings.
Your stubborn head is the issue preventing success.
Good luck!
by anav
Thu Oct 14, 2021 7:35 pm
Forum: Beginner Basics
Topic: WAP-R [SOLVED]
Replies: 82
Views: 2679

Re: WAP-R [SOLVED]

You have to associate this with your DHCP client and WAN interface settings. I dont use LTE so not sure. The rest of the device works from default settings................. Minor tweaking on wifi settings (SSID, security password etc..) NEXT TIME CONTINUE WITH SAME ORIGINAL THREAD, I just noticed you...
by anav
Thu Oct 14, 2021 7:14 pm
Forum: General
Topic: Per-port DHCP with port isolation on a hardware accelerated bridge
Replies: 8
Views: 546

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

Network diagram helps sort that out visually!! Alright, I'll post a diagram tomorrow! If in writing: basically, I need: Hardware acceleration = 1 bridge interface Most connected devices get (by DHCP) fixed addresses (one switch port has the same address to be DHCP'd to the connected device) These p...
by anav
Thu Oct 14, 2021 5:57 pm
Forum: General
Topic: Per-port DHCP with port isolation on a hardware accelerated bridge
Replies: 8
Views: 546

Re: Per-port DHCP with port isolation on a hardware accelerated bridge

The config doesn't matter what are the requirements? This should be stated in terms of defining users/devices, groups of users/devices and then defining what they should be able to do, and what they should not be able to do, WITHOUT any discussion of the config etc.... Network diagram helps sort that...
by anav
Thu Oct 14, 2021 4:51 pm
Forum: Beginner Basics
Topic: is my NAT config is ok?
Replies: 24
Views: 1830

Re: is my NAT config is ok?

Observations/Comments: 1. There is no need to detail a specific user for a specific source NAT, and by that I mean, source-nat does not tell the packet where to go!! That is the job of the IP ROUTE part of the configuration. In other words, source-nat just states replace the source address of this ...
by anav
Thu Oct 14, 2021 3:52 pm
Forum: General
Topic: two network
Replies: 3
Views: 392

Re: two network

To what degree do they need to exchange data?
Then make the appropriate firewall rules.

IF they are supposed to be fully accessible to each other then just have one LAN or share both WANS to both LANs.

As always
a. draw network diagram
b. post your config
/export hide-sensitive file=anynameyouwish
by anav
Thu Oct 14, 2021 12:42 am
Forum: General
Topic: Will NATted wireguard work?
Replies: 20
Views: 1157

Re: Will NATted wireguard work?

Please draw a network diagram as your config on the MT device is very confusing and ALL WRONG, and a diagram will help clear up some unknowns!! Why is the output chain used and especially for the UDP port. Why is the MT device which is your wireguard server port forwarding the UDP port. It should on...
by anav
Thu Oct 14, 2021 12:36 am
Forum: General
Topic: Will NATted wireguard work?
Replies: 20
Views: 1157

Re: Will NATted wireguard work?

Yes, in my case the main router is a CCR1009. Correct I use port forwarding to send the listening udp port to the LANIP of the second router (on the main router LAN applicable subnet). This main router LANIP is thus the same as the WANIP of the secondary router. Thus the listening port traffic hits ...
by anav
Thu Oct 14, 2021 12:26 am
Forum: Beginner Basics
Topic: Seamless failover
Replies: 18
Views: 1203

Re: Seamless failover

You will lose your session regardless of how seamless or quick it may seem.
What you are asking is impossible from what I understand.
by anav
Wed Oct 13, 2021 9:30 pm
Forum: General
Topic: Will NATted wireguard work?
Replies: 20
Views: 1157

Re: Will NATted wireguard work?

It works just fine, its your setup that is not working either on the phone or on the MT itself. Here is an example of my settings for my iphone......... I can only state what I have setup on my wireguard connections................ On the Server Router. a. listening port on input chain to allow init...
by anav
Wed Oct 13, 2021 3:41 am
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 62
Views: 2709

Re: VPN to connect home network to cottage

hahaha I hope rextended didnt also take your virginity at the same time..................
by anav
Wed Oct 13, 2021 2:29 am
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 813

Re: Problem with failover and second wan connection

It will be nice when wireguard is out of beta as its far easier to setup than any other VPN.
I can access my router easily with my smartphone as well.
by anav
Wed Oct 13, 2021 2:26 am
Forum: Beginner Basics
Topic: VPN to connect home network to cottage
Replies: 62
Views: 2709

Re: VPN to connect home network to cottage

Wireguard is the right solution, WHEN its out of beta, so you really mean in the interim ?? ;-)
by anav
Wed Oct 13, 2021 1:28 am
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 813

Re: Problem with failover and second wan connection

Just had a quick look and looks way better. Are the customers responsible for configuring the router. Or is that the purpose. of the VPN tunnels, aka for you as admin to be able to access the routers for admin purposes?? Just be sure that the ip route gateway numbers you have entered are fake number...
by anav
Wed Oct 13, 2021 1:24 am
Forum: Beginner Basics
Topic: Why is my CAPsMAN network not as good as I hope for?
Replies: 19
Views: 1713

Re: Why is my CAPsMAN network not as good as I hope for?

Yes, go out and buy one TP Link EAP245, and just compare performance.
Then come back and report.
by anav
Wed Oct 13, 2021 12:21 am
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 13
Views: 911

Re: RB3011 VLAN with HP Managed Switch

Not quite. I said, keep the bridge and add all the vlans to the bridge. Then use /interface bridge ports and /interface bridge vlan settings as required. To distribute the vlans to the appropriate ports. As per this article. https://forum.mikrotik.com/viewtopic.php?t=143620 quick sample................
by anav
Tue Oct 12, 2021 11:01 pm
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 813

Re: Problem with failover and second wan connection

Sorry my rule of thumb is not to provide any assistance to an insecure router setup.
Nothing matters unless that is fixed.
Perhaps others less scrupulous will assist.
Will keep an eye on the thread though.................
by anav
Tue Oct 12, 2021 10:55 pm
Forum: Beginner Basics
Topic: PPOE VLAN
Replies: 2
Views: 316

Re: PPOE VLAN

Attach the vlan to the PPoE-Out interface not the sfp1 physical interface as you have done looking at your snippet (GOOD) For interface list vlan20 interface list=WAN PPoE-Out list=WAN sfp1 list=WAN (all three just to be on the safe side). if that doesnt fix it, need to see the rest of the code ./ex...
by anav
Tue Oct 12, 2021 7:51 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

Good to hear..... Of course think of the logic. The Server Router Wireguard Setting has to include the LISTENING PORT for incoming connections. The Server Router Wireguard Peer setting endpoint port is NOT used at all (unless the initial connection was required to be able to happen both ways)!! Clea...
by anav
Tue Oct 12, 2021 7:46 pm
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 13
Views: 911

Re: RB3011 VLAN with HP Managed Switch

Hi tdw, understood all but when managing other smart devices I prefer a consistent approach and that is to have management vlans, could use an existing trusted vlan too, with the bridge doing nothing but bridging. ' So in the ops case I would create vlan50 to replace the bridge subnet, add the vlan ...
by anav
Tue Oct 12, 2021 6:30 pm
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 13
Views: 911

Re: RB3011 VLAN with HP Managed Switch

Which VLAN is your management VLAN? 20? 30? something else? The HP should get an IP address on the management vlan subnet for starters! Why is ether5 part of the bridge??? Why are ether2,3,4 members of the LAN when you already have the bridge identified as LAN. Why isnt vlan30 also associated with L...
by anav
Tue Oct 12, 2021 5:58 pm
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 13
Views: 911

Re: RB3011 VLAN with HP Managed Switch

First, Network diagram to see the relationship physical between devices (ports to ports)
and the network structure Subnets/vlans.

Also post your latest config.........
by anav
Tue Oct 12, 2021 5:57 pm
Forum: General
Topic: Log when a specific MAC connect ?
Replies: 8
Views: 455

Re: Log when a specific MAC connect ?

If the connections are to your WAN from the Internet MAC addresses will not be available.
Damn, didn't know that.
Oh not to worry, there will be far too many opportunities to re-live that reality. :-)
by anav
Tue Oct 12, 2021 5:53 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

Hi mudcharme, yes I never really looked at my IP Routes in that regard and just had a peek, so thanks for the tip and reminder!! Every subnet gateway has main routing table entry. @ H I can only state what I have setup on my wireguard connections................ On the Server Router. a. listening po...
by anav
Tue Oct 12, 2021 4:57 pm
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 813

Re: Problem with failover and second wan connection

Because that provides you with very little security actually. Any public IP can be spoofed on the internet and what you have done: a. The first rule basically says my bank vault is open to anyone with the right key. The key is not some encrypted algorithm, its not even a strong password, its only an...
by anav
Tue Oct 12, 2021 3:29 pm
Forum: Beginner Basics
Topic: Connection issue between LtAP mini LTE kit and hAP lite
Replies: 3
Views: 663

Re: Connection issue between LtAP mini LTE kit and hAP lite

Need more info.
Draw a network diagram so we can see how the devices are related and setup.
by anav
Tue Oct 12, 2021 3:08 pm
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 813

Re: Problem with failover and second wan connection

What do you mean connect to winbox from The internet . That is a big security NO NO. Is this the rule you are using.................uh oh!! add action=accept chain=input comment="allow whitelist" in-interface-list=WAN \ src-address-list=whitelist EVEN WORSE, couldnt imagine it being worse ...
by anav
Tue Oct 12, 2021 3:06 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

Hi H. In the case of the smartphone, the endpoint can be any public IP provided by a. the wifi of the location one is in, or b. random generated by the cellular company. In the case of a fixed peer behind a Public IP (static or dynamic - I can use the endpoint of IP cloud if the main router or peer ...
by anav
Tue Oct 12, 2021 2:58 pm
Forum: General
Topic: RouterBOARD 1100x4 VLAN
Replies: 1
Views: 223

Re: RouterBOARD 1100x4 VLAN

Lets see your config please as the explanation was not all that clear.

/export hide-sensitive file=anynameyouwish.

Also a network diagram will help understand the config and relationships between devices!
by anav
Tue Oct 12, 2021 1:49 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

The issue I have is that users will not realize that adding the IP creates the static route for you.
I think its still useful to be able to create the route manually and then learn about the IP address trick after LOL
by anav
Tue Oct 12, 2021 1:47 am
Forum: General
Topic: Problem with failover and second wan connection
Replies: 15
Views: 813

Re: Problem with failover and second wan connection

What do you mean reach wan2 from the outside.
It sounds as if you configured the router with incomplete requirements.

Who need outside access in WAN2 and for what reasons??
by anav
Tue Oct 12, 2021 1:37 am
Forum: Useful user articles
Topic: Hairpin NAT The Right way?
Replies: 0
Views: 666

Hairpin NAT The Right way?

There is no right way! It depends.............. Every person will have to decide what is the optimal way to configure their device(s) for hairpin NAT (sometimes called Loopback). Hairpin NAT is a funny situation of what is normally considered a dst-nat problem/variation and mostly for the case of po...
by anav
Tue Oct 12, 2021 12:16 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

Ah okay I was not aware of that functionality of adding IP address, thanks for the clarification. In any case the extra route created would not prevent connectivity either way. In any case the OP can try it both ways, as we both have run out of ideas LOL. I would like to know for sure if the phone i...
by anav
Tue Oct 12, 2021 12:15 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

Removed port as suggested - no change. You also don't need the static ip route for the wireguard subnet as it will already be present as a connected route. After deleting this static route, reboot your device. Whaaaaaaaaat? Tell me how any internet traffic going out the server router but originate...
by anav
Tue Oct 12, 2021 12:04 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

/ip route add disabled=no distance=1 dst-address=10.20.50.0/24 gateway=wgmt pref-src="" \ routing-table=main scope=30 suppress-hw-offload=no target-scope=10 YES you absolutely need this route (edit: I do because I dont give my WG interface IP addresses) (1) TRY using 10.20.50.2 for dst add...
by anav
Mon Oct 11, 2021 11:43 pm
Forum: Beginner Basics
Topic: local test setup - DNS & DHCP fail
Replies: 2
Views: 475

Re: local test setup - DNS & DHCP fail

The router basically works out of the box, hook up your pc to ether2, your ether1 to the ISP modem and you're off and running.
by anav
Mon Oct 11, 2021 4:36 pm
Forum: Beginner Basics
Topic: Network Routing [SOLVED]
Replies: 13
Views: 1061

Re: Network Routing [SOLVED]

You are quite right, I was looking at the netgear as the router attached to the internet.
Silly me. Glad I was wrong, ignore my misplaced concerns.....
by anav
Mon Oct 11, 2021 3:30 pm
Forum: General
Topic: Source NAT Multiple ISP
Replies: 8
Views: 625

Re: Source NAT Multiple ISP

Based on the advice from Sindy..... ISP1 provides enough addresses for all tenants ISP1 will be used thus for any external incoming connections (servers, vpn tunnels). ISP1 traffic will be connection marked to ensure return traffic from tenants will go out ISP1 ***** All tenant originated traffic wi...
by anav
Mon Oct 11, 2021 2:54 pm
Forum: General
Topic: Source NAT Multiple ISP
Replies: 8
Views: 625

Re: Source NAT Multiple ISP

Someone smarter than me will have to answer that as my answer is NOT possible but keep in mind I have:
a. limited knowledge in networking
b. rudimentary knowledge of MT
by anav
Mon Oct 11, 2021 2:49 pm
Forum: Beginner Basics
Topic: Network Routing [SOLVED]
Replies: 13
Views: 1061

Re: Network Routing [SOLVED]

@RhoAius
edit: I am out in left field LOL
by anav
Mon Oct 11, 2021 1:25 am
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

I dont see a mismatch the listen port for wireguard and the input chain to listen for it are the same 13231? However why is this rule in your input chain, (what purpose)? add action=accept chain=input comment=Wireguard dst-port=13231 in-interface-list=LAN protocol=udp In the forward chain what is th...
by anav
Mon Oct 11, 2021 1:22 am
Forum: General
Topic: Source NAT Multiple ISP
Replies: 8
Views: 625

Re: Source NAT Multiple ISP

You have the wrong approach, instead of trying to design a config around some vague requirements, forget the config. In a few sentences write down what the user requirements are. A. what do users or groups of users or devices or groups of devices need to be able to do on the network (what work do th...
by anav
Sun Oct 10, 2021 9:21 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 1049

Re: Router route all AP traffic to Wan only

Yes, but lets not put the cart before the horse Zach!! Yes me not advocating vlans right away.........miracles. Its good that the OP knows how to manipulate the ports and bridge with rules prior to introducing vlans. Vlans, in general, are only really required if one does not have enough ports and n...
by anav
Sun Oct 10, 2021 9:18 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 917

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Exactly, I was in your boat not too long ago and thanks to the patience of the folks here I have managed to learn just enough to be dangerous. :-) Dont be shy to ask questions, it is fun once you get over some basic understanding hurdles. As anything else the more you learn, the more you realize ther...
by anav
Sun Oct 10, 2021 8:41 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 1049

Re: Router route all AP traffic to Wan only

Whatever port is going to the AP, remove from the bridge. Give the etherportX its own subnet, IP address IP pool dhcp server and dhcp server network. Make sure its part of the Interface LAN list along with the bridge. In the firewall forward chain rule. Before the last rule put in something to the e...
by anav
Sun Oct 10, 2021 4:08 pm
Forum: Beginner Basics
Topic: Traffic to management of MikroTik switches not going through
Replies: 25
Views: 1776

Re: Traffic to management of MikroTik switches not going through

Well the only thing that would be sensitive sometimes the WANIP creeps in, otherwise, pretty decent. Not sure I will have time today to look but will try. In general, being able to access all devices successfully at least via winbox is to ensure that a management type vlan exists ( for a business a ...
by anav
Sun Oct 10, 2021 3:59 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 917

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Final comment,
Its more important you understand how the rules work and what they do and then the config will make sense.
If you're just copying and pasting, then you will not be able to progress.
by anav
Sun Oct 10, 2021 3:53 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 917

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Rule number 1, dont put in the last rule on the input chain, drop everything etc. until you are happy with the rest of the input chain rules otherwise you will lock yourself out of the router!! Will attempt to address the questions!! (1) Your /interface bridge vlan rules are fine as you have put the...
by anav
Sun Oct 10, 2021 12:56 am
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 1049

Re: Router route all AP traffic to Wan only

Its up to the OP to provide a full config via
/export hide-sensitive file=anynameyouwish

I was giving general advice, which is all one can give based on the meager information provided.
by anav
Sat Oct 09, 2021 10:45 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 1049

Re: Router route all AP traffic to Wan only

In general, this is only possible if the AP and its clients are on a different subnet. If they are on the same subnet (layer2 connectivity) then layer3 firewall rules cannot prevent them from talking to each other. Thus recommend using a different subnet for the AP etc..... Lets say you use 192.168....
by anav
Sat Oct 09, 2021 6:50 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 917

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Okay have had a look, and will discuss some of the findings as one goes from top to bottom of the config. Overall not bad at all. (1) Minor point but I put in the untagged ports in my /interface bridge vlan rules, just so I can map them one to one to the /interface bridge port settings. The router c...
by anav
Sat Oct 09, 2021 6:02 pm
Forum: Beginner Basics
Topic: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]
Replies: 9
Views: 917

Re: RB4011 VLAN / IP filter miskonfiguration? [SOLVED]

Please keep in mind. Youtube can also get you into trouble LOL. The input chain is for traffic to and from the router itself. WAN to Router, LAN to router, Router to WAN, Router to LAN The Forward chain rules are for traffic through the Router LAN to WAN, WAN to LAN, LAN to LAN What will help you he...
by anav
Sat Oct 09, 2021 4:52 pm
Forum: General
Topic: router behind firewall, use vpn only to manage it
Replies: 7
Views: 585

Re: router behind firewall, use vpn only to manage it

That is amazing information Sindy, good pickup on the users 3G limitations. In terms of SSTP, this site provides a free service, with the hopes you will pay for more, but its easy and good enough for most non-critical situations. https://www.remotewinbox.com/auth/blog/Home#:~:text=RemoteWinBox%20is...
by anav
Sat Oct 09, 2021 4:50 pm
Forum: General
Topic: CRS112 and problem with vlans
Replies: 12
Views: 817

Re: CRS112 and problem with vlans

Your network is a bit confusing, What is the switch in between the PC and the Mikrotik switch the CRS112.
What is a BCS???

please post any configurations for MT devices using this
/export hide-sensitive file=anynameyouwish
by anav
Sat Oct 09, 2021 4:46 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

(1) The important learning point being is that if the MT is the public facing router or even if its behind another router, (but is the server to start the connection) one has to ALLOW the listening port traffic to hit the router itself (hence INPUT CHAIN RULE) to initially establish the tunnel. If y...
by anav
Sat Oct 09, 2021 4:33 pm
Forum: Beginner Basics
Topic: Access from 2nd WAN to specific Pool ? [SOLVED]
Replies: 3
Views: 511

Re: Access from 2nd WAN to specific Pool ? [SOLVED]

Sure lets say, WAN1 gateway is 64.24.33.22 WAN2 gateway is 24.165.24.122 IP of NVR is 192.168.1.30 Assuming: Wan1 is primary and Wan2 is only used if WAN1 is unavailable. /ip route add check-gateway=ping distance=5 gateway=64.24.133.22 add distance=10 gateway=24.165.24.122 distance=10 add distan...
by anav
Sat Oct 09, 2021 4:23 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 1049

Re: Router route all AP traffic to Wan only

Depends,
Would have to see your current firewall rules to make any assessments.
/export hide-sensitive file=anynameyouwish

my assumption is that the access point is also connected behind the router, also on the network as are the PCs........
by anav
Sat Oct 09, 2021 1:34 am
Forum: Beginner Basics
Topic: usermanager
Replies: 6
Views: 763

Re: usermanager

@anav, there was a link on post #2 ...
Silly me......... Thanks!
by anav
Sat Oct 09, 2021 1:32 am
Forum: General
Topic: router behind firewall, use vpn only to manage it
Replies: 7
Views: 585

Re: router behind firewall, use vpn only to manage it

Just to give you an example. My wireguard Server is an RG450Gx4, sitting on a network as a router but behind the main MT router, a CCR1009. My wireguard Peer consists of an RB4011 behind an ISP Fiber Modem/Router _ the only thing we can do on this ISP device is forward ports. Now there really isnt a...
by anav
Fri Oct 08, 2021 10:40 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

Okay, maybe still possible. You can see the left device but its routing not just modeming.......... What one needs to do is access the ISP router and port forward the WIREGUARD LISTENING PORT TO YOUR private WANIP. ( A lanip from the ISP routers perspective ) If you dont have access directly you sho...
by anav
Fri Oct 08, 2021 10:37 pm
Forum: General
Topic: Problem with Public IP in migration from RB4011 to CCR1009
Replies: 8
Views: 582

Re: Problem with Public IP in migration from RB4011 to CCR1009

Sorry, you refuse to answer the question clearly.
No help can be derived until this basic question is answered.

How did you save the configuration.
a. BACKUP
b. export config file

How did you apply the saved file into the new router
a. RESTORE
b. copy and paste from terminal.
by anav
Fri Oct 08, 2021 10:34 pm
Forum: General
Topic: router behind firewall, use vpn only to manage it
Replies: 7
Views: 585

Re: router behind firewall, use vpn only to manage it

Hi GG, If you can setup a wireguard tunnel between your location and the remote location this will be the easiest approach I believe. As long as you have an MT device at either end (not necessarily as a router) it can work. The only issue is its only available on beta firmware but they are up to V7....
by anav
Fri Oct 08, 2021 10:32 pm
Forum: General
Topic: Firewall Drop Invalid
Replies: 4
Views: 452

Re: Firewall Drop Invalid

I am not aware that output chain firewall rules were required??
Is this something unique to iPV6??
by anav
Fri Oct 08, 2021 10:31 pm
Forum: Beginner Basics
Topic: Port Forwarding for a Noob
Replies: 9
Views: 774

Re: Port Forwarding for a Noob

There are a number of common things that will prevent port forwarding
Private WANIP
Hairpin NAT
Wrong sourcenat config
Wrong dst nat config.

Glad you got it going!!
by anav
Fri Oct 08, 2021 10:21 pm
Forum: Announcements
Topic: v6.48.5 [long-term] is released!
Replies: 104
Views: 21536

Re: v6.48.5 [long-term] is released!

so far so good on a hex as a switch, and capac. will to tile device later today.
tile updated without incidence ccr1009
by anav
Fri Oct 08, 2021 10:20 pm
Forum: RouterOS v7 BETA
Topic: Optimal config for Wireguard
Replies: 5
Views: 1369

Re: Optimal config for Wireguard

Nice synopsis.
"You can only go as fast as the slowest link and there is also some processing loss because of the protocol."
by anav
Fri Oct 08, 2021 8:03 pm
Forum: General
Topic: Wireguard proper server config
Replies: 35
Views: 1963

Re: Wireguard proper server config

Try using IP Cloud on the MT devices to ascertain your public IP at each end.
by anav
Fri Oct 08, 2021 6:45 pm
Forum: General
Topic: Problem with Public IP in migration from RB4011 to CCR1009
Replies: 8
Views: 582

Re: Problem with Public IP in migration from RB4011 to CCR1009

You said it loaded fine LOL

In other words why are you using a backup from one machine into a different hardware machine??
by anav
Fri Oct 08, 2021 4:53 pm
Forum: RouterOS v7 BETA
Topic: Optimal config for Wireguard
Replies: 5
Views: 1369

Re: Optimal config for Wireguard

Sorry Mr Whiner, I really dont care about your expectations or lack of literacy etc.. but if you were expecting spoon feeding, correct you came to the wrong place. If after reading the articles, the OP has further more precise questions, they can be answered. Using beta software is not for beginners...
by anav
Fri Oct 08, 2021 4:29 pm
Forum: Beginner Basics
Topic: i need an solution
Replies: 9
Views: 957

Re: i need an solution

So Mickey T, you mean, either a whats my IP search or return from IP Cloud will return a private IP??
by anav
Fri Oct 08, 2021 2:11 pm
Forum: Beginner Basics
Topic: Access from 2nd WAN to specific Pool ? [SOLVED]
Replies: 3
Views: 511

Re: Access from 2nd WAN to specific Pool ? [SOLVED]

Yes
using IP route and route rules.
by anav
Fri Oct 08, 2021 2:10 pm
Forum: Beginner Basics
Topic: Router route all AP traffic to Wan only
Replies: 13
Views: 1049

Re: Router route all AP traffic to Wan only

Through firewall rules.
by anav
Thu Oct 07, 2021 9:34 pm
Forum: Beginner Basics
Topic: How do I configure a HAP ac as a wireless access point
Replies: 8
Views: 849

Re: How do I configure a HAP ac as a wireless access point

Can you post a non verbose option please LOL
/export hide-sensitive file=anynameyouwish

Why are there two IP addresses??
ip address
add address=192.168.5.6/24 comment=defconf disabled=no interface=bridge \
network=192.168.5.0
add address=192.168.3.4/8 disabled=no interface=ether1 network=192.0.0.0
by anav
Thu Oct 07, 2021 6:15 pm
Forum: General
Topic: vlans not working
Replies: 11
Views: 719

Re: vlans not working

"The internet crap" is mikrotik's official documentation ;-) but I'll check out your link...
Haha too funny, yes that is their old crap, they have better info now............

https://help.mikrotik.com/docs/display/ROS/VLAN
https://help.mikrotik.com/docs/display/ROS/Bridge
by anav
Thu Oct 07, 2021 4:10 am
Forum: General
Topic: vlans not working
Replies: 11
Views: 719

Re: vlans not working

Setup your lab according to this guide, not the internet crap..

viewtopic.php?t=143620
by anav
Thu Oct 07, 2021 3:17 am
Forum: General
Topic: VLAN Issue
Replies: 8
Views: 706

Re: VLAN Issue

Well i do use LACP along with VLANs on a couple of CRS3xxx switches with no problems...
Then I probably have something else wrong. Wouldn't be the first time, won't be the last.
That officially makes you an MT configurer LOL
by anav
Thu Oct 07, 2021 3:14 am
Forum: General
Topic: vlans not working
Replies: 11
Views: 719

Re: vlans not working

You dont define the vlans?? They should have number and name and interface being the bridge. You still havent fixed your /interface bridge vlan as provided. Where are your firewall rules or does this not face the internet (aka an ISP) What is ether3 doing with an IP address. Not much makes sense to ...
by anav
Thu Oct 07, 2021 3:09 am
Forum: Beginner Basics
Topic: Slow internet bandwidth on one PC
Replies: 2
Views: 365

Re: Slow internet bandwidth on one PC

Can you provide a network diagram, so its clear the structure.
by anav
Thu Oct 07, 2021 3:05 am
Forum: Beginner Basics
Topic: usermanager
Replies: 6
Views: 763

Re: usermanager

And where do you find the magic license information??

Found it.
https://help.mikrotik.com/docs/display/ ... cense+keys
by anav
Thu Oct 07, 2021 3:03 am
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1970

Re: Yet another hairpin nat question

Okay it sounds like we are in a double nat scenario. If the IP address your router gives you is not what your IP cloud is showing or WHATS MY IP shows, then you do not have an ISP modem you have an ISP modem/router combo of some sort. In other words you are getting a private IP. So you need to be ab...
by anav
Wed Oct 06, 2021 11:29 pm
Forum: General
Topic: vlans not working
Replies: 11
Views: 719

Re: vlans not working

Then post the complete config.
/export hide-sensitive file=anynameyouwish
by anav
Wed Oct 06, 2021 11:27 pm
Forum: Beginner Basics
Topic: VLAN Check
Replies: 8
Views: 678

Re: VLAN Check

Generalized Approach (understand this excellent article - https://forum.mikrotik.com/viewtopic.php?t=143620 ) ROUTERS< SWITCHES< ACCESS POINTS (all connected smart devices) COMMON ENTRIES 1. Define vlans (interface is bridge) 2. /ip neighbor discovery-settings set discover-interface-list=MANAGE 3. T...
by anav
Wed Oct 06, 2021 9:57 pm
Forum: General
Topic: vlans not working
Replies: 11
Views: 719

Re: vlans not working

Missing. Optional /interface bridge add name=uplink-bridge vlan-filtering=yes /interface bridge port add bridge=uplink-bridge interface=sfp1 ingress-filtering=yes frame-types=admit-only-vlan-tagged add bridge=uplink-bridge interface=ether3 pvid=200 ingress-filtering=yes frame-type=admit-only-untagg...
by anav
Wed Oct 06, 2021 9:52 pm
Forum: Beginner Basics
Topic: Port Forwarding for a Noob
Replies: 9
Views: 774

Re: Port Forwarding for a Noob

I am saying two things. a. the port will not appear open on a normal scan, visible but closed and thats normal with MT. b. test the access to the server or whatever it is in the following ways. i. log in from another user on the LAN using the lanip of the server thingy ii. log in from an external we...
by anav
Wed Oct 06, 2021 8:45 pm
Forum: Beginner Basics
Topic: VLAN Check
Replies: 8
Views: 678

Re: VLAN Check

As for the other two rules, its narrowed down to who has access to the router...... only need one rule! add action=accept chain=input in-interface-list=-manage src-address-list=mgmt_access Yep, i will change it. Personally, I would not post my ssh port or my winbox port on a config either :-) (very...
by anav
Wed Oct 06, 2021 8:44 pm
Forum: Beginner Basics
Topic: Port Forwarding for a Noob
Replies: 9
Views: 774

Re: Port Forwarding for a Noob

Not sure what you mean. But yes your config should be as complete as possible and accurate. If ether1 is your wan port then /interface list members add interface=ether-1 list=WAN if ether1 is a wan port for pppoe with name pppoe-1out /interface list members add interface=ether-1 list=WAN add interfa...
by anav
Wed Oct 06, 2021 8:33 pm
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1970

Re: Yet another hairpin nat question

/ip address add address=192.168.0.1/24 comment=defconf interface=ether2 network=\ 192.168.0.0 /ip address add address=192.168.0.1/24 comment=defconf interface=bridge network=\ 192.168.0.0 nothing else seems off....... Dont see an IP route do you use the auto ip route in the dhcp client setup?
by anav
Wed Oct 06, 2021 8:28 pm
Forum: Beginner Basics
Topic: No connection in win box
Replies: 4
Views: 484

Re: No connection in win box

Good thing you have no fw rules,,,,,,,,,,,, connecting to the net could be bad news.......
by anav
Wed Oct 06, 2021 3:09 pm
Forum: Beginner Basics
Topic: VLAN Check
Replies: 8
Views: 678

Re: VLAN Check

These three rules dont make sense to me........... add action=accept chain=input comment=ICMP in-interface-list=!WAN protocol=icmp add action=accept chain=input comment=SSH dst-port=22 in-interface-list=!WAN protocol=tcp src-address-list=mgmt_access add action=accept chain=input comment=WINBOX dst-p...
by anav
Wed Oct 06, 2021 2:09 pm
Forum: Useful user articles
Topic: MikroTik Wireguard server with Road Warrior clients
Replies: 48
Views: 15424

Re: MikroTik Wireguard server with Road Warrior clients

Not here, start a new thread and I will have a look, this thread is for a reference document not individual issues.
by anav
Wed Oct 06, 2021 2:08 pm
Forum: Beginner Basics
Topic: RB3011 VLAN with HP Managed Switch
Replies: 13
Views: 911

Re: RB3011 VLAN with HP Managed Switch

The best way is
a. ONE bridge
b. ONE trunk port to the HP switch.

viewtopic.php?t=143620
Read, apply, come back with a config and will be happy to look at it.
by anav
Wed Oct 06, 2021 2:07 pm
Forum: Beginner Basics
Topic: VLAN Check
Replies: 8
Views: 678

Re: VLAN Check

I fail to see any firewall rules on your router and then you put some on the switch?? The config is flawed thus in many ways In terms of the router I am not sure of what you are trying to do overall but a management interface is a good idea and keep spf+8 as part of LAN interface for all the rules it c...
by anav
Wed Oct 06, 2021 1:52 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1143

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

No they are not.
your config is hosed, did you not see the example provided??
At least read this article.
viewtopic.php?t=143620

You assigned the vlans to ether1 and not the bridge...........
Furthermore vlans are NOT bridge ports........
by anav
Wed Oct 06, 2021 1:49 pm
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1970

Re: Yet another hairpin nat question

It could be something else on your config...
/export hide-sensitive file=anynameyouwish
by anav
Wed Oct 06, 2021 1:44 pm
Forum: Beginner Basics
Topic: Port Forwarding for a Noob
Replies: 9
Views: 774

Re: Port Forwarding for a Noob

Get rid of the forward chain rule, not needed. add action=accept chain=forward comment="Helium Routing" dst-address=192.168.8.106 dst-port=44158 protocol=tcp Modify this rule add action=dst-nat chain=dstnat comment="Helium Routing" dst-port=44158 protocol=tcp \ in-interface-list=...
by anav
Wed Oct 06, 2021 3:53 am
Forum: Beginner Basics
Topic: i need an solution
Replies: 9
Views: 957

Re: i need an solution

The service provider prevents ddns??
What do you mean.
Have you tried turning IP cloud on and reading your WANIP from it???
by anav
Wed Oct 06, 2021 3:49 am
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1970

Re: Yet another hairpin nat question

Emils explanation is spot on. You can remove the protocol tcp, in the hairpin source nat rule, not required! Since the WANIP is a fixed wanip you dont need anything fancy in terms of other rules or methods! It should just work!! The problem is your OTHER required basic but non-standard sourcenat rul...
by anav
Tue Oct 05, 2021 7:47 pm
Forum: Beginner Basics
Topic: Trying to allow only one port using In and Out interfaces [SOLVED]
Replies: 9
Views: 834

Re: Trying to allow only one port using In and Out interfaces [SOLVED]

Your input chain rule was flawed from the beginning, it was missing the default last rule in BLUE and you added two other rules that were needed due to missing the default rules but they fail to cover any other WAN to Router traffic that would have been blocked by the proper default rule. {Input Cha...
by anav
Tue Oct 05, 2021 7:40 pm
Forum: Beginner Basics
Topic: Trying to allow only one port using In and Out interfaces [SOLVED]
Replies: 9
Views: 834

Re: Trying to allow only one port using In and Out interfaces [SOLVED]

.Will address input chain next.......... /ip firewall filter {FORWARD CHAIN} add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add actio...
by anav
Tue Oct 05, 2021 7:32 pm
Forum: Beginner Basics
Topic: Trying to allow only one port using In and Out interfaces [SOLVED]
Replies: 9
Views: 834

Re: Trying to allow only one port using In and Out interfaces [SOLVED]

Lets have a look!! See if anything is out of place - RED Improvements possible... GREEN Missed the boat a bit..... . Blue unknown purpose so probably okay but explanation of requirements would ensure such assumptions - Also since you havent posted the complete config I can only guess at some things....
by anav
Tue Oct 05, 2021 6:48 pm
Forum: Beginner Basics
Topic: 802.1X Video
Replies: 0
Views: 513

802.1X Video

Stumbled across this today and very well done, at least for me to understand.
https://www.youtube.com/watch?v=XvNWa5k20TU
by anav
Tue Oct 05, 2021 6:29 pm
Forum: Beginner Basics
Topic: VLANS
Replies: 4
Views: 519

Re: VLANS

With MT, there are rarely shortcuts as one has to know what they are doing.......... The linked article has the answers, one just has to read it.
by anav
Tue Oct 05, 2021 6:22 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 19
Views: 1143

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

Well the concept I am struggling with is having the wifi link carry more than one vlan. I am only use to wlan to users....... If the wlan to wlan link can be viewed as a wifi trunk port then that is clearer!! Assumptions made vlan 50 is management vlan vlan 10 is data vlan # model = SXT 5HPnD # seri...
by anav
Tue Oct 05, 2021 5:54 pm
Forum: Beginner Basics
Topic: Trying to allow only one port using In and Out interfaces [SOLVED]
Replies: 9
Views: 834

Re: Trying to allow only one port using In and Out interfaces [SOLVED]

Try a different approach with the forward chain and that is change the concept to what you want to allow!! keep the 5 first Default rules add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec {disable if not using vpn} add action=accept chain=forwa...
by anav
Tue Oct 05, 2021 2:37 pm
Forum: Beginner Basics
Topic: [SOLVED] Yet another hairpin nat question
Replies: 18
Views: 1970

Re: Yet another hairpin nat question

Im feeling lazy so I will make it short................ Hairpin Nat is a funny situation of dst-nat and mostly for the case of port forwarding, where the requirement needs to address local users as follows: a. The server and the lan users of the server are on the same subnet b. The server admin req...
by anav
Tue Oct 05, 2021 2:27 pm
Forum: Beginner Basics
Topic: VLANS
Replies: 4
Views: 519

Re: VLANS

But there is no port number on the MT device where the cable from the switch is coming from.
You cannot just lay the cable over the MT device and expect it to work! You have to plug it in.........

The very good article has examples of what you need, its excellent
by anav
Mon Oct 04, 2021 7:51 pm
Forum: General
Topic: Block between hosts/VLAN
Replies: 2
Views: 277

Re: Block between hosts/VLAN

My opinion, not an expert.......... Depends upon vlan awareness of whats on the other side of the NIC? For example a switch port can accept multiple vlans because the switch can read the traffic.... If whatever can read the traffic coming in on the nic, then it can see different vlans and decide wha...