Yeah but without a certificate how safe is it................. As for IPIP, it sounded better, more secure than SSTP without a certificate BUT, a big BUTT, is that it appears BOTH sides need to have publicly reachable WANIPs ( and maybe even static ones ). All the clowns at MT and youtube always show the ea...
What I would like to see is a shopping list of functionality that you check off before the MT site wraps up your request in a package for you.....
AI driven downloads.
Why does your title imply our "identification of essential" features, when you are really asking which features can we remove from the core RoS???
Ahhh, south of the equator, even toilets flush backwards ;-P ...........
So the dyndns address checks out to the current WANIP of the remote device and you can ping the device but WG does not come up??
Did you make any changes to the config prior to losing connectivity, as there is no clear reason I can think of that would cause loss of connectivity?
I take donations from Utes ) ( yes I noted the recent gymnastics victory and the departure of the women from the Sweet 16).
Even better is if you have some extra land in Sedona........... That locale blew me away.......
Tru Dat but ISP supplies ( forget former name) in Ottawa ( Gloucester ) is selling the same RB5009 router for $287 Cdn + taxes + shipping. Let's compare llama (isp supplies) 287.87+18.77+15% = $352.64 llama (amazon) 323.69+15% = $372.24 Mozerd ( isp supplies, pick up at store ) 287.87 + 13% = $325.30...
Well for an advanced user fill yer boots with ! rules. For the beginner it would be far clearer if MT used the three rules as default instead. It demonstrates a LAN to WAN firewall rule. It demonstrates an ability to conduct port forwarding ( disabled by default would be my preference ). It demonstrate...
The reason is that the order of the RSC file is NOT the order required to add rules to make the config coherent.
In other words, you don't understand the config to the level necessary, otherwise you wouldn't have tried, but instead would have copied and pasted bits in the right order.
Sorry to confuse, the route I mentioned I thought was for the one going to your ISP.
It was not clear to me if you were using DEFAULT-ROUTE=YES in the IP DHCP client settings
Word up, don't irritate a sick person, I resemble that ! comment. It's a useful tool WHEN NEEDED. Otherwise, why try to be overly cute. The default rule allows one to connect to the internet right away and do most functions. Once one adds rules, it's cleaner and clearer to remove the rule and replace...
Highly recommend the first thing you do on both devices is take ether5 off the bridge and assign it an IP address of 192.168.55.1/24 ( as per the configs ). Then plug a laptop or pc into the device on ether5 and change your ethernet card IPv4 settings to let's say 192.168.55.5 and you should have access. # ...
Whoever is providing the MikroTik CHR for wireguard ( server for handshake ) is doing it wrong. It's the client (for handshake) router that needs to set up the mangle rule. Good thing at least both sides are at 1420 for default. I haven't paid attention to your firewall rules.....or the rest of the con...
(1) Change this rule in the forward chain FROM add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN TO: add action=accept chain=forward comment="internet traffic" in-interface-list=...
Okay so add the new config, See if the ADSL new gateway IP gets populated in the IP routes we create...... Unplug the modem for each test.......... and plug it back in........ You will see in IP DHCP client settings, (STATUS), the new IP and new gatewayIP, then check to see if the gatewayIP migrated...
Yup too funny, good pickup...... add address=172.16.0.1/24 interface=wireguard1 network=172.16.0.0 Vlans don't need routes? They get routes when creating the vlan (ip address). Do you mean a route out the router..... /ip route add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
To ensure the wireguard handshake coming in on WAN2 gets answered by WAN2 ( the slower ADSL connection with public IP ) /routing table add fib name=useWAN2 /ip firewall mangle add chain=input action=mark-connection connection-mark=no-mark in-interface=ether2 \ new-connection-mark=incomingWAN2 passthrough=ye...
To be clear, you want WAN1 to be primary as it has higher bandwidth. In addition you also want WAN2 to be available all the time as wireguard goes through here. If WAN1 goes down traffic should go to WAN2 as backup. If WAN2 goes down, you will lose your ability to keep wireguard going.......... (1) ...
Well its hard to say since the draytek is not an MT device.
I am also not aware of the firewall rules on the draytek etc..
So winbox doesn't see the capac at all?
Did you try it by IP address in Winbox?
192.168.0.200:winboxPort#
I was of the understanding that BTH can very much handle two non-publicly accessible ISPs and upstream routers are not accessible to port forward to the MT device. ( static or dynamic is a bogus concern ). Zerotier is also a viable solution but one is going through a third party provider, whereas BT...
Ahhh I see the issue.......... one of the config lines on /interface bridge ports is incorrect. From: /interface bridge port add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=17 add bridge=bridge1 ingress-filtering=yes frame-types=admit...
(1) Since you changed emergaccess to 192.168.88.1, you can get rid of this entry at the bottom. /ip address add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0 (2) Everything else looks fine and thus I suspect we will have to see what is on the other side of ether1 ( where the p...
Normal MT wifi experience.........Why I use another vendor's product for wifi. I mean it will work well once you figure it out, but for me personally not worth the stress to get there.
I am also lazy and don't like dealing with capsman.
So the device at the data center is mikrotik CHR or something else? The local MT router config should be as a client for handshake then. Which local users or subnets are to use this wireguard connection for internet? What happens if the wireguard tunnel goes down for these users? I gather you have n...
I started with CAPACs, and then I migrated, to tplink business access points but kept MT for excellent routers.. AX3 is an excellent router ( and you should get decent local wifi near the unit ) and an even better router is the RB5009
There are two things. Each end should have the same MTU setting, start with 1420. Only the client for handshake should use the clamping rule aka the mikrotik. Also starting to get confused as to what you are doing. A. sending wireguard through a third party provider from MT to . proton, or windscribe e...
Not bad!! Good work. (1) Correct, the only thing to change on the bridge is the name if you don't like bridge and turning on vlan-filtering=yes. As I stated I always assign ETHER2 an off bridge address to actually do the initial config and emergency access to the CAP, in case the bridge blows up. (2) Yes, ...
Problem is I stopped looking at this thread a while ago due to the moving datum.
Once you get all the final equipment in place, then I will be able to devote time and energy to a static target.
Comparing my config to your config I can see two errors right away. Hovle, should I report you to the UN for attempting to exterminate the newbie race by piling on crap when the solid foundation does not yet exist and furthermore a config that has errors which should be addressed first. If I was in ...
The problem is using vlan1. Your management vlan is the subnet BASE. All your smart devices should get their IP address from the BASE subnet. No one wants to look at an article format, next time post your config as it appears for real /export file=anynameyouwish ( minus router serial number and any p...
If you have a home subnet .88, then call it vlan88 and make it a vlan and then the config will make sense. and where is VLAN50 ???? /ip address add address=192.168.88.1/24 interface= bridge network=192.168.88.0 { wrong } add address=192.168.99.1/24 interface=vlan99 network=192.168.99.0 add address=1...
Can you provide a diagram, so far it looks like most of your bridge ports are connected to smart devices (like smart APs and switches) as they are mostly trunk ports...... You can remove this completely useless line.......... bridge ports/vlans deals with data traffic or management vlan. add bridge=...
Post both configs........ ( minus public WANIP info, keys etc. )
The default mtu setting is 1420 so I don't understand why you lowered it to the default??
Important is that both sides of the connection have the same mtu setting
Ensure the subnet being used for the cameras fits what they are hardcoded to.
Then via the mac addresses of each camera fix the IP static to the mac address in DHCP leases for that subnet
You have bad info and are not completing the config as provided on the second bridge device. neighbour discovery, bridge itself still has frame types, IP DNS server wrong etc etc. The first one acting as a router is a complete abomination mixing non CRS3 and CRS3 switch setup types and MKX politely...
Sorry, you're missing the complete config so I am unable to comment with certainty.
/export file=anynameyouwish ( minus router serial number, any public WANIP info, )
The 750 was the wrong purchase if looking to maximize a 1gig connection. The hapax3 was the device you should have picked up. I don't expect you will see much above 600 on the hex, if that.
The ASUS is a wifi router not an access point and it's not a business model, it's a consumer pro model. 1. Nowhere in the specs does it mention vlans or vlan tagging 2. nowhere in the manual does it detail assigning vlans and firewalling between vlans. You have a hunk of junk. suggest look at alterna...
Yup, I saw unsafe pptp and then winbox open on the internet............. The right way to handle that is for you to at least be able to wireguard into the First Router. From there you can reach the 305 switch and the second hex through the neighbour discovery etc.
Since the business is closed at Night, capture all the mac addresses, being used over a couple of nights and weekend, then block them all starting monday. Then do the same thing the following weekend and probably one more weekend. Use access lists in wifi settings I think. Thinking three weekends to...
Config of hex, config of second hex please, the 305 I will assume has trunk port from HEX with internet and a trunk port going to hex switch. Assuming there is management vlans where the 305 and hex switch get their IP address from. /export file=anynameyouwish ( minus router serial number, public W...
I have no idea what you are trying to do................... but the setup I gave you should enable HW offloading on the bridge, it's done. Intervlan routing is something that is foreign to me. Either the unit is a switch or a router in terms of setup............. it can or cannot have hw offloading. ...
As for your setups. If 317 is a router, where are the router settings? Make up your mind! If the RB5009 is just for internet then you need to have double nat and make up all the subnets on the switch. The switch will get a private IP as its WAN ( private IP from 5009 default subnet I guess ) If the ...
I disagree with MKX, cannot recommend, in general, a switch for routing.
The CRS317 can route up to about 400Mbps but that's it, so depending upon your internet connectivity????????
The RB5009 is designed to route and would be my first choice, and then feed one of the switches with the SFP+ port.
Actually the learning point is don't change anything from defaults if you don't understand all possible ramifications.
So glad the MT documentation makes it crystal clear NOT, with gobbledygook speak...........
You have to have clear requirements and an understanding of the role of the device you are using. For example it would appear the hex is to be used as a switch and is not connected to an ISP? Identify all users/devices. Identify all traffic flows they need (external/internal). Then a config can be des...
It's an excellent link if NOT using the capsman controller concept. Setting up the Capacs for the link above is easy and fast. Setting up the off bridge access and doing the configuring from there is recommended. Just put something like 192.168.36.3 into the ipv4 settings of your laptop and you are in......
Okay, no worries. Unfortunately that makes no sense to me as it shouldn't happen. As you can see by the firewall rules, they are blocked at layer 3 by firewall rules and the vlan structure blocks any layer 2 traffic. So there is no logic.
Before doing any configuring let's make sense of what you are doing. A. All connections to the smart devices ( capac, and assuming smart switches ), means that you should have a management subnet where all smart devices get their IP address from and are connected and accessible only by admin. One can ...
Complete config required for analysis ( minus router serial number, public WANIP information, keys etc.. )
From the displayed information separate the two DNS by distance, so the cloudflare ones should both be distance=2
What is vrf doing on wan interfaces ???
Why the RB1100, it's old news. The RB5009 is cheaper and very capable. However the real question is what are the throughputs of your three ISP connections? ISP1 up/down ISP2 up/down ISP3 up/down NOW and planned. If all three are 1gig, then even the 5009 is getting pushed. If you plan on any 2.5 gig c...
That's what I thought, as the go to rule that I provided earlier at post #3 does that, but the OP reported issues with it ???? /ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrou...
Okay to recap before I look at the monster and by the way, how one would expect to grasp that in bits and pieces of posts etc is amusing.......... You have three WANS and two ROUTERs in the mix. - The Stormshield router gets WAN2 and provides DHCP for the following vlans: 102,106,108,109,111 - The R...
Not a sweet Fing clue. I just saw it written somewhere but my guess is this allows the router to match what it's detecting on a given connection ( very flexible) for optimal results.
try laptops on both sides of RB5009 and both sides of HAPAX3.... just give both routers a fixed private WANIP address of 192.168.55.5 ( gateway 192.168.55.1) and the laptop on the router side 192.168.55.2 and run IPERF, then you will get a good sense of the throughput on each router wan to lan and l...
I would caveat that with enough detail that shows where all the WANs are coming from and which vlans are going to which device over which ports!! ( to which devices )
According to the current rule setup. This is the only traffic we are allowing. a. anyone on the source address list Authorized should be able to ping and access any vlan user/device. b. wg user1 has access to vlan300 c. wg user2 has access to vlan 600 d. wg user3 has access to vlan 700 From my under...
Please verify that a user from one vlan can access a device on another vlan ( OTHER THAN those allowed ), in other words if a user can ping a user, do the next step, access the user device. One should normally be able to ping the gateway of any vlan but I don't think you should be able to ping from use...
None of your vlans are identified, so how can 354 be the router ??? etc.....
So my request for network diagram, but ignored, does not let me progress any further.
You have wan and lan lists but I don't see any IP DHCP client or route etc................
Detailed network diagram and current config, and i will have it fixed in a jiffy pop.
What always puts the icing on the cake is if you understand your own planning, which is also:
a. identifying all the users/devices
b. identifying all the traffic they need to accomplish.
Now to answer your question directly
Do this:
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wireguardInterfaceX list=LAN
add interface=wireguardInterfaceY list=LAN
etc...
add comment=defconf interface=ether1 list=WAN
If anyone complains about your long list of code, they should look inwards for not supporting my recommendation for a first post process !!! Now for the OP...... (1) WIREGUARD is not a local SUBNET, so you only assign an IP address, nothing else!! (2) Get rid of this default setting, it's on the stat...
CRS326 1. Same thing, get rid of pvid 999 on the bridge itself. 2. Still cannot add :-), you show 4 APs 6-8. Well not quite, you show two AP6s LOL so should be 6-9. How many ports do you use/state for this answer=ports 8-12 ( which is 8,9,10,11,12) 5 ports ???? ( will assume you have five APs for config...
1. No need to set pvid on the bridge, it's not the usual way. 2. No mention of port 23 so I made it another untagged access port for mngt, like ether24. 3. Speaking of ether24, unless it's to a smart switch which you didn't indicate, it should not be tagged on /interface bridge vlans 4. Ether22 is off bridg...
Okay, strange but if you can reach by mac you have access.
As far as packets, as long as your browsing experience is okay I wouldn't worry too much.
The extra rule is designed to ensure browsing performance is the best it can be.
In general one should set the Router ( assuming server for handshake ) the wireguard interface as part of the LAN interface list, that then usually, through fw rules, allows RWs to access internet via FW rules and DNS services via input chain rules. However your request is to config the router, and in t...
1. You have three sourcenat rules, get rid of the first one, it's incomplete and is just noise. /ip firewall nat add action=masquerade chain=srcnat add action=masquerade chain=srcnat out-interface-list=WAN add action=masquerade chain=srcnat out-interface=wireguard1 2. well it kinda makes sense, since...
For me you're missing some glue.
All smart devices should get an IP address on a management vlan, or at least a trusted vlan like the home vlan.
Also I would separate out media devices, from home camera device, from guest wifi, from iot devices, from home trusted vlan
I would like to know what you are doing here --> *) route - rework of route attributes; Can you post sample text or something, sounds ominous!!! Also, what is meant by: *) wireguard - added option to mark peer as responder only (CLI only); Is this followup work to this improvement that maybe wa...
Drats, I thought this one had gotten buried in the sands of time LOL. The first item I think responds to EFFECTS created via BTH and having both client and server devices being able to try and poke holes through non-public IPs using the BTH code and MT provided cloud hole poking server. ( think this ...
Before I can make sense of bridge ports and vlans you have to get your story straight on diagrams, not sure if you intentionally aim to confuse :-) You claim APs 1-5 by your diagram and in orange text seem to indicate they are on ports 10-18 (9 etherports) carrying vlan100,200 So which is it FIVE APs on ...
1. If you think about it, the subnet gateways are considered ROUTER interfaces and thus are normally reachable. However no actual users or devices should be pingable/reachable. 2. Also be aware the 354 is a switch and thus routing throughput will be limited. 3. Don't know why you are assigning any PVI...
Why doesnt MT have a return policy for such a device, customer pays for shipping back of defective unit and gets a free replacement or something reasonable etc...
Sorry I have no experience with the CRS1xx series. The only thing I can tell you is the concepts are the same. There will be a trunk port carrying all the data vlans and management vlan from CRS326 to CRS1XX. What will change is how to setup vlans but the rest of the noise should be similar. The bes...
you will find out when you need them LOL.
Describe the requirements you have and the design will fall out gracefully
a. identify users/devices
b. identify the traffic they require
c. provide a network diagram detailing devices being used, internet connections and intended subnet usage.
The CRS112 has to be programmed differently...................... There are probably videos on it to be found..... Also the MT docs should discuss - https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841836 CRS1xx VLAN Example ...
He is using recursive sort of, but also netwatch (vice check-gateway=ping). His problem may be linked to the fact that he used distance=1 for the WAN2-dns vice distance=2 ( main route traffic for the same WAN should be the same distance) ( don't believe it's shown in the pic though, I happen to be clairvoyant ...
The proof is in the config for sure. Strange though, all things being equal the config should work as the only change is dhcp client. Perhaps there is an overlap in that the private LAN of the upstream device is the same subnet as the LAN subnet behind the MT ??
Yes, some requirements I can chew on. All good info, and I would add that my approach would be an interesting deviation. PRIMARY IS WAN1 if WAN1 fails, BACKUP goes to BOTH WAN2 and WAN3 doing PCC load balancing for standard traffic that was using WAN1. However you have provided good info in that WAN...
Those are locked features. For $$$ they can be unlocked. ;-) You seem convinced that code is already in the OS, I am not so easily convinced. We have no idea what MT ported across............ Maybe it's true and one can only port the entire BLOCK and not partial bits and thus one could say that hooks...
Glad it's working for you now! (1) Incomplete # add pppoe and lte to WAN /interface list member add interface=pppoe-alpha list=WAN add interface=lte1 list=WAN (2) If what I suspect src-address-list=office is public WANIPs, then you should consider a different approach to reach the router for config p...
If you do acquire more staff, I vote for coders and testers. I think you already have a great marketing team and from all outward appearances a strong supportive group of colleagues.
On topic: I can observe growing memory usage as well. Under Linux on Wine but it started off by about 80MB and now after a few hours it is 112M. So slightly growing. But as said: I suspect they are going to fix or hunt down such issues anymore. MT apparently has a "new" WinBox in developm...
Okay, the easy explanation is that your ping hits the LTE connection and reaches the router but the router responds via the other WAN as the fiber WAN is primary in terms of routes. To ensure your traffic for WAN2 is responded to via WAN2, you need to mangle. There is no need to do this for WAN1 as ...
Hmm you didn't change allowed IPs on router2............ and there is no need for persistent keepalive on the unit that is server for handshake. Should be (R2) : /interface wireguard peers add allowed-address=10.0.0.1/32,10.2.1.0/24 interface=wireguard1 \ public-key="R1 PUBLIC KEY " I no...
Well you have no firewall rules so all should be permitted......... On R2 try adding add chain=input action=accept comment="wg handshake" dst-port=13231 protocol=udp FACEPALM, - we forgot routes ON R1 Add add dst-address=10.1.1.0/24 gateway=wireguard1 routing-table=main comment="route...
You didn't provide your IP DHCP setup for WAN3 ???? Is isp2 a public IP??? Also it's not clear why you are mangling. Reasons to mangle: Ensure VPN going to a specific WAN leaves the same WAN ( aka proper router services handling ). Ensure external users going to a server on a specific WAN have their traf...
1. 'Each RW should have a setup such that you have...' means what? All the devices that are peers ( clients for handshake require basically the same setup ) need endpoint address, endpoint port, public key of MAIN Router, persistent-keepalive. As for allowed IPs, it depends what the needs are ......
kevinds ( quite the opposite actually too ) I'm reminded of some sayings.... "The price of inaction is far greater than the cost of making a mistake" "In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing yo...
Nope, no firewall rules are required. The idea of accepting the bridge default protocol mode of RSTP and setting ports to EDGE should ensure no possible cross talk between WAN ports ( and of course the vlan isolation as well ).
You will not be able to maximize your throughputs as the hex will be one bottleneck and the cable between the two devices the other bottleneck. Suggest you configure ether5 off the bridge first to setup the hex as per the below. Then connect to the hex when behind the RB4011 via ether4, and then mod...
Weird setup?
I see two WANs but are there any users or devices behind the router??
More weirdly, trying to create a third WAN via VRF......... as noted I have no clue of the requirements for traffic flow here.
Very logical and well presented holvoe. Concur 100%.
Also I would recommend getting a CHR, one can get a cheap virtual router in the sky to connect all devices, via wireguard and thus all accessible right away.
SSTP as backup, since MT to MT can be done easily without certificates.
UTP cable of what standard ?
What are the throughputs of each ISP??
What is your plan?
Use 1, the other 2 are backup. OR PCC all three used all the time. ??
Very confusing setup.
You need to select which one is the server for handshake...........
Also why are your LAN subnets the same behind each router? Make them different.
Okay thanks for the clarification, by the way if you don't want to mention private subnets, then don't put them in the config or diagram, otherwise it's terribly confusing. I prefer seeing it all and understanding what you have in mind ref; a. identify all users/devices b. identifying all traffic flows the...
Yeah I thought that might be the reason. On the hAP ax3 though, the PoE port is also the only 2.5 gigabit port. Would this port normally be used as the WAN port or to connect an AP? I wouldn't use the fastest port on router to connect towards ISP ... But that's me, my ISP only offers 1000/100Mbps s...
The use of the VRFs is there for a different reason: both ISP1 and ISP2 routers have the same IP i.e. 192.168.1.1. Use of VRFs is warranted if each router is serving different subnets. VRF is NOT warranted for distribution to the same LAN ( regardless of number of subnets ). The simple method pre...
Unless you post your config, I am unable to comment.
/export file=anynameyouwish ( minus router serial number, public WANIP info, keys, long dhcp lease lists etc.)
Yeah full config. Things are not clear. /export file=anynameyouwish ( minus router serial number, any public WANIP info, keys, long dhcp lease lists etc.) Assuming dst-address-list=MyWANIP is a firewall address list entry of either your dyndns URL service, or the IP Cloud service on the router. Th...
In terms of firewall rules I subscribe to only allowing traffic and then dropping all else. I also don't think it's prudent that all users have access to config the router when they only need access for DNS services. Looking at rules, I have no clue why in heck you are port forwarding wireguard ????? I...
Each RW should have a setup such that you have a client device generated public key, ==>>>> this gets inserted onto the router in the router's peer settings for the specific RW device IP address ---> as we assigned in the peers settings on the router allowed addresses....... a. if the user also require...
In general, one allows traffic to go from client devices to the router server ( once a connection is established it's peer to peer, really good for two routers, not so significant to a single device........). Therefore it's at the router where you want to use firewall rules in the forward chain to state wh...
Does the LTE provide you with a public IP? Does the ISP block ICMP pinging? 1. you can remove this default static setting /ip dns static add address=192.168.88.1 comment=defconf name=router.lan 2. Is bufferbloat that bad.......... it's not something to use right away as you can no longer use fasttrack...
The AXE3 by far is the best router ( with or without using wireless ) for its price point and features. The RB5009 is by far the best router in its price range of any vendor. However, your approach is all wrong, who gives a flying..........how it looks, does it do the job at a price you can afford? ...
Too passive for me, state it clearly, and ask for better info up front. Don't be shy............ After all, he is asking before spending and thus deserves clarity............
NEGATIVE, that is not required in the least!!! Most times sourcenat is required if going out a third party VPN where they only accept one IP at their end!!! (1) set this to none, known to cause issues /interface detect-internet set detect-interface-list=none (2) You have RED entries which is not a...
Well I am surprised because you went down the rabbit hole of a very complex VRF config on one hand, but then seemingly want to avoid like the plague a KISS solution ???
In any case, if there is no issue requiring solving I will move on.
AXE3, with or without wifi enabled ( aka as a router ), it's the best bang for the buck.
Depending upon usage, pair it with capax.
In other words, you could have an AX3 as a central node and run many CAPAXs connected to it. However your stated requirements are sub-optimal to get a decent response.
Just to be clear the RB4001 r2 is acting as a router and has its own subnets with DHCP. Your router settings for the ISPs make no sense to me. Why are you using vlans? Why is there only one IP DHCP client when you said all three get assigned that way? Why does your single IP DHCP client have v100 mgmt...
Well if it's working for you, great.
It's not apparent to me how you send two vlans through an access port to dumb devices...........
The diagram does not show smart switches accepting the vlans, so either the diagram is correct and the config wrong, or the diagram is incorrect and the config is okay.
Without a diagram I have no clue what you are trying to do. Any explanation of requirements to date IS NOT user traffic based only, and is confused with config speak, a no no for communicating requirements. Short story, no diagram no user traffic requirements, no diagram, cannot help. Furthermore, w...
The mangle was recommended, not a random suggestion LOL. It does NO HARM to your setup and one never knows what particular website, through the third party VPN, will give the router shits and giggles. So it's a good safety net to keep. To improve your setup you can set up both failover on the main WAN...
Man do I have to state it in writing, your SCOPES are wrong!! LOL The config I gave works, it's your config that is broken if it doesn't. I cannot read a winbox jpeg unless it's very clearly delineated. An RSC script I can read in seconds................... it's just a story about requirements I cannot m...
The switch comes in handy for any traffic within the same vlan from user to another.
The router comes into play between user and internet and traffic between different vlans.
Well obviously I thought we were dealing with a router, not an access point, which all radio setups have mac-filtering set up for layer 2 traffic control ( NOT fw rules ).
Again, I should have read more closely, glad you got it sorted.
1. Sorry my bad on the TYPO, WG1 is the correct entry on the routing rule to match the routing-table defined. 2. put IP address on your router for wireguard1 as add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0 3. As long as both WAN interfaces are interface list members of the ...
Your routing setup follows nothing of what I suggested, so I cannot help you there.
You seem to forget that the handshake starts on your router.........
Best of luck..............
Hello, help me. I can't use the forum to ask questions. What do I have to do to be able to do them? As for example in this post it says "It is only visible until the moderator decides." It's a neanderthal approach to ensure your post is not spam, inflammatory etc.................. After a few day...
As I stated, thus far no reason to use VRF has been provided and as a matter of fact it would seem NOT appropriate in this case. Further, your recursive is incorrect. Simple solution works: /ip address add address=192.168.1.241 interface=ether1 network=192.168.1.1 add address=192.168.1.242 interface...
Proper config of the router. It would appear the hacker is not getting into your router but manipulating the traffic reaching his router. The fact that other traffic can reach his device is indicative of a leaky setup. Post your config /export file=anynameyouwish ( minus public IP address info, any...
NM................ There are bigger issues to solve first. 1. WHAT THE HECK is your WAN. You state: am setting up a config for a MT router which is behind NAT a. you have a static WANIP set up for ether1 which bears no resemblance to any of the VLANS. The static IP makes sense but not the subnet?? b...
Simple question what if one was to use this in routes..... /ip route add distance=2 dst-address=0.0.0.0/0 gateway= 192.168.1.1%ether1 routing-table=main comment="RouteStarlink" add distance=3 dst-address=0.0.0.0/0 gateway= 192.168.1.1%ether2 routing-table=main comment="RouteOrange&quo...
Well if you consider mikrotik is walking on your network, I suppose tread fits!! ( 'trademark' ). Concur, it seems that we are seeing an incomplete software process or maybe not. First, I blame the beta users, working for free and doing a lousy job of detecting all the new beta firmware problems ;-P...
As the question asks.......
What is the point at which losing fastrack and throughput is worth it, vis-a-vis tackling bufferbloat??? ( queueing actually not required )
The question I have is why are you mangling or queueing at all...... You have nothing different in either direction.......... all incoming traffic goes to entire LAN, all outgoing traffic comes from entire LAN. Okay! It's about bufferbloat. For me I would have to weigh any advantage of bufferbloat o...
Allowed IPs on the router is wrong....................... You need a separate peer line for each peer, on the router you don't need client endpoint............ /interface wireguard peers add allowed-address=192.168.40.5/32 comment=ChromeBook interface=wireguard1 public-key=**ELIDED** add allowed-addr...
Or time for a trip, sooner or later having remote devices means a trip. With wireguard and ver7 software probably soon.
It should be a built in plan to any IT equipment anyway.
For all your switches, only the management vlan need be identified..... (assuming it's 192.168.251.0/24) I would take one port off bridge and use it as an emerg access like give it an IP address of 192.168.55.1/24 and then any pc with IPV4 settings set to 192.168.55.5 for example and you're in! /interf...
Not possible with the MT device, there are too many ways around the programming.
You need to get a router that does DPI $$$, and then pay their subscription service more $$$$.
Assuming for example vlan3 gateway is 192.168.33.1 (1) Why do you assign a PVID on the trunk port?? Remove it. add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=3 (2) You can add to each bridge port ingress-filtering=yes (3) There is no need to set dhcp client, this is a privat...
Here is one link to such an approach - https://forum.mikrotik.com/viewtopic.php?t=194842 and another. Discovery Between Two Locations SOLUTION METHOD ADD A CONNECTING SUBNET/INTERMEDIARY - EOIP OVER WIREGUARD a. create wireguard connectivity as per normal and then b. create the EOIP tunnel within th...
Good question. Trying to think conceptually. Assuming you have one common cable over which to do this work, I would probably use two different VLANS. At each Router, one of the vlans would be an incoming WAN connection from the other Router. Via a private subnet. on ETHERPORT XY. At each Router the ...
You are not alone, the documentation makes one believe it's all there but............. it's hiding well!!!! +++++++++++++++++++++++++++++++++++++++++ Planned QoS implementation phases: QoS Marking. QoS profile matching by ingress packet headers, then egress header alternation according to the assigned...
/export file=anynameyouwish ( minus PUBLIC IP information, KEYS, long dhcp lease lists, etc..) There should be relatively little else to scrub ( possibly some names you give to things, comments etc..... ) Use code block to limit visible length and improved readability ( on same line as Bold and Unde...
Okay so you want it to be an access point switch, not sure why that is so hard to say. In that case, the default config is rather simple Nothing much other than bridge, WIFI settings bridge ports ( assuming ether1 is connected to the UDM ) /interface bridge port add bridge=bridge comment=defconf int...
There is no such feature .............it's actually called something else! To gain access to this function you have to really mean to do it, aka hard to do by accident. It's not clear how you managed to do this, but not understanding the ramifications is surprising. What there is are two relatively newis...
Yes it will be a problem to have two dhcp servers on the same network. Remove the UDM router it serves no purpose and only use the HAPAX3. The reason being that for all layer3 needs, the devices will go to the UDM and not to the hapax3. So you need to decide. Will the hapax simply act as a switch/AP...
The diagram labelling needs work. How do vlans 1920,1930 just popup out of the blue ( actually red and orange) for example. They should be traceable back to the 750. Its also not clear what is the management VLAN ( the vlan where every smart device should get its IP address from ). It would appear t...
The point being, the OP should have provided his complete config on the first post........................
Another waste of a chasing thread because there is no first post process....... thank you MT.
WAIT ONE - do you mean your hapax is only acting as a switch?? The below advice presumed that your hapax3 was connected to the internet via a modem and received a public IP. Do you actually mean you're connected to an upstream router which provides a private LAN in the range 10.10.10.X ??? ++++++++++...
Who said you cannot use the hapax3 in bridge mode? I have the hapax3 and am using vlan-filtering with hardware offload.
This is a very capable router!!
Concur, the setup process and menu selections are not intuitive and it's easy to get lost, ( especially how there are hidden defaults etc. ) I am not a fan of how they have chosen to give flexibility, or more accurately how clear it is to the admin, what is actually configured. Don't feel bad, you are...
Not sure about latest renditions of WIFI, but most devices probably have a useful limit of around 20-30 active devices. Some devices are specifically made for larger numbers but that is a niche market (Ruckus comes to mind). With newer technologies mu-mimo and latest 6e and 7 technology, don't know. ...
Any RoS device should be able to function as a capsman controller was my understanding. Requirements Any RouterOS device can be a controlled wireless access point (CAP) as long as it has at least a Level 4 RouterOS license CAPsMAN server can be installed on any RouterOS device, even if the device it...
Isn't the first non-code-block config and won't be the last........... you can thank Normis for ensuring the resulting first posting experience of new users and those supporting them
Not clear enough, do you mean each customer, each public IP should see approx 1gig up and down, or do they share a 1 gig pipe??
If just an edge type router the RB5009 should do fine 4x1 gig, throughput is well north of 4gigs in this scenario.
Unplug router from internet. Netinstall latest stable firmware Put back config WITHOUT any port forwarding. a. think about having ONLY a server with a secure login process b. think about limiting in source address list which public IPs can access server. c. even better use wireguard and have people ...
Okay now you have me thinking perhaps replace my AX3s with these bad boys. https://www.amazon.ca/Portable-Antenna-Dual-Band-Omnidirectional-Router/dp/B08LZHV83P/ref=sr_1_7?crid=2LK4POLSJPVAY&dib=eyJ2IjoiMSJ9.d7o75FpnshnrVKGe5-c-B68HFFzp0iKhzPKsakuKGUIZn-erRPTYVZjKSuecgvF_aAxk649CL4RzmR20jM6Qn8jXN...
It should be similar on MT router. I am no multi-WAN guru, but basically from what I have seen, A block of IPs is given to the admin, One IP address is used for the router itself, ( nat or no nat, depends on what the op wants to provide on this router ), the rest of the WANIPs can be netmapped to do...
One bridge............., chalk this up to another poster child for Normis' inaction on first posting process.... And they will keep coming day after day after day..................
Yes, but one cannot hang onto betamax forever..............
Heck even my mother in law, is sticking to CABLE TV vice streaming lets say over my appletv.......
Guess what, she upgraded her TV service and they are using android TV boxes LOL.
Jargon for garbage, Sorry Loop, disagree! The 1009 2.5 port is a mystery to me as its real world WAN throughput is 300-400Mbps whereas the old hex will get you 400-500 Mbps. Both have two cores.......... The AX3 will get you over 1Gbps and has 4 cores and double the RAM of the L1009, it's no contest, ...
Nicely worded statement to induce confusion :-). Wired and then point to point. Do you mean you need a router to terminate a land line connection and then equipment to take that signal over the airwaves in a point to point wifi type setup back to another wired device ????????? Request is too vague, ...
What is preventing the CGNAT LTE (second link) from being used recursively on your home router??
All devices can connect to your home router through the public IP, no need for CHR again.
Diagram and included detail are helpful. However this statement needs to be broken down AS requested - it makes zero sense as stated...... Now, I want to create a simple load balancer on e.g. 192.168.35.1/16 for these machines so LAN for LAN, WAN is no matter in this scheme Identify users/devices Ide...
What you're missing is that each smart device should get an IP from a management vlan. Data vlans 17 and 89 are carried forward to each smart device as well. Assuming that the ROUTER has its own internal LAN, whereas the receiver/transmitter are acting solely as AP/switches and do not need an internal LAN...
(1) I am not a queue user but there must be an easier way to do queues than what your config shows................. It would seem like you manually attributed queues on a per IP basis?? (2) Set this to none, as this setting has been known to cause weird issues and is not really needed. /interface de...
As holvoe noted, let's say take ether5 off the bridge. Give it an IP address add address=192.168.55.1/24 interface=ether5 network=192.168.55.0 Ensure ether5 is part of LAN LIST on interface members. Then to complete the config do it by connecting your PC to ether5 and give the pc an IPV4 address stat...
(1) slight mod to dns.. /ip dns set allow-remote-requests=yes servers=1.1.1.1 REMOVE the following default.......... /ip dns static add address=192.168.88.1 comment=defconf name=router.lan (2) Take this default rule and create three new rules......... Clearer and better security. add action=drop cha...
The config was not really what I was asking for but since you did post it your routes are hosed/incorrect. More on that later. So the script finds the new IP for WAN1 and WAN2 locally on the router, and sends it to the dyndns website and updates it............. ?? To confirm, though it would appear ...