Community discussions

Search found 9336 matches

by anav
Thu Dec 09, 2021 12:04 am
Forum: Beginner Basics
Topic: No internet on "home AP" default setup
Replies: 4
Views: 183

Re: No internet on "home AP" default setup

Nope, the MT is not a modem but there may be work arounds??.
Read this thread perhaps for some ideas.
viewtopic.php?t=154954

Although if you have the ISP modem router in bridge mode, it may be as good as it gets......
by anav
Wed Dec 08, 2021 11:38 pm
Forum: Beginner Basics
Topic: HomeAssistant, Hairpin NAT and port forwarding
Replies: 11
Views: 297

Re: HomeAssistant, Hairpin NAT and port forwarding

You want all external users as per normal AND ONLY YOU on the LAN to be able to access the server??? That wouldn't make any sense. If the whole world can connect, then not allowing some local users to connect would be pointless, because they could simply use some free external proxy server and conn...
by anav
Wed Dec 08, 2021 11:15 pm
Forum: Beginner Basics
Topic: HomeAssistant, Hairpin NAT and port forwarding
Replies: 11
Views: 297

Re: HomeAssistant, Hairpin NAT and port forwarding

No but thats different, YOU SAID external users and now you change the facts to include LAN users.. If access to the server using an external URL is from users on the same subnet as the server yes you need hairpin nat rule. Just to clarify,,,,,,, maybe......... You want all external users as per no...
by anav
Wed Dec 08, 2021 11:13 pm
Forum: General
Topic: prevent asymmetric routing when accessing the management IP address
Replies: 2
Views: 71

Re: prevent asymmetric routing when accessing the management IP address

Not sure what you are asking? a. all smart devices attached to the MT router should have an IP address on the management subnet. b. all trunk ports to smart devices should carry the management subnet (VLAN), regardless if there is a data port or not that will use the management vlan. Are you saying y...
by anav
Wed Dec 08, 2021 11:08 pm
Forum: General
Topic: Port forwarding problem on VLAN
Replies: 2
Views: 102

Re: Port forwarding problem on VLAN

As Sob noted, your use of youtube and other sources for firewall rules have misguided you and are actually preventing traffic flow you need. Best to reset to defaults and then add rules you really need........ (1) Missing dhcp server for MAIN (another bleeping op who uses Bridge for DHCP and subnet...
by anav
Wed Dec 08, 2021 10:32 pm
Forum: Beginner Basics
Topic: Mikrotik RB4011 Wireless router no ping on terminal but working from outside
Replies: 11
Views: 317

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

To eliminate NTH and mangling disable all the mangling rules and see what happens.
(dont forget to add the routes I noted)
by anav
Wed Dec 08, 2021 10:31 pm
Forum: Beginner Basics
Topic: I can't ping between 2 vlan
Replies: 6
Views: 140

Re: I can't ping between 2 vlan

@NorthBZH: Does the printer have 192.168.1.254 as its default gateway? What I dont understand is why assign vlans for all subnets but then use the bridge for one subnet. I prefer to have the bridge just being the bridge and not cloud up my config with mixing apples and oranges.. Just because you pr...
by anav
Wed Dec 08, 2021 9:43 pm
Forum: General
Topic: Router OS 7.1, Wireguard, Check gateway with ping - Not working
Replies: 1
Views: 96

Re: Router OS 7.1, Wireguard, Check gateway with ping - Not working

Network diagram and export both configs........... not here to play guessing games......
by anav
Wed Dec 08, 2021 9:42 pm
Forum: General
Topic: host sees public IP address of ISP
Replies: 16
Views: 666

Re: host sees public IP address of ISP

Yup, the pony is real good! I just hang onto the mane and enjoy the ride!!
by anav
Wed Dec 08, 2021 9:40 pm
Forum: Beginner Basics
Topic: Mikrotik RB4011 Wireless router no ping on terminal but working from outside
Replies: 11
Views: 317

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

suggest time to upgrade to 6.49 latest stable firmware...................
by anav
Wed Dec 08, 2021 9:33 pm
Forum: Beginner Basics
Topic: I can't ping between 2 vlan
Replies: 6
Views: 140

Re: I can't ping between 2 vlan

Now for your printer issue. Easy since you have no firewall rules in place, everybody should be able to access the printer LOL. So lets apply the proper firewall rule into the set I gave you..... This will be a rule in the forward chain ( across the router so WAN to LAN, LAN to WAN and LAN to LAN). ...
by anav
Wed Dec 08, 2021 9:29 pm
Forum: Beginner Basics
Topic: I can't ping between 2 vlan
Replies: 6
Views: 140

Re: I can't ping between 2 vlan

What I dont understand is why assign vlans for all subnets but then use the bridge for one subnet. I prefer to have the bridge just being the bridge and not cloud up my config with mixing apples and oranges.. Thus create vlan11 assign it to the bridge. Change currently bridge associated " dhcp ...
by anav
Wed Dec 08, 2021 9:15 pm
Forum: Beginner Basics
Topic: I can't ping between 2 vlan
Replies: 6
Views: 140

Re: I can't ping between 2 vlan

The biggest problem is the lack of a proper firewall, the rest can wait. Suggest....... ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf:...
by anav
Wed Dec 08, 2021 9:11 pm
Forum: Beginner Basics
Topic: Send specific packets to another network over IPSEC VPN tunnel
Replies: 4
Views: 141

Re: Send specific packets to another network over IPSEC VPN tunnel

Check out zero tier, this kind of work maybe just got a lot easier......... We dont want to overtax the pretty pony's brain!
by anav
Wed Dec 08, 2021 9:02 pm
Forum: Beginner Basics
Topic: Mikrotik RB4011 Wireless router no ping on terminal but working from outside
Replies: 11
Views: 317

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Thus its your NTH and mangling. Why NTH, no one uses that to share internet If your intention is to use both connections at the same time use PCC!! Also I told you these were WRONGly formatted (and if formatted a duplicate of the first rule)> Why are they still there????? add action =accept chain=sr...
by anav
Wed Dec 08, 2021 8:48 pm
Forum: Beginner Basics
Topic: HomeAssistant, Hairpin NAT and port forwarding
Replies: 11
Views: 297

Re: HomeAssistant, Hairpin NAT and port forwarding

Concur, In this case you do NOT need the hairpin nat rule (so remove it). ANY DEVICE on the internet that hits your WANIP with destination for that port will be able to reach your server. How you setup server security is another matter. What I will say is that if you know all the users and they have...
by anav
Wed Dec 08, 2021 8:37 pm
Forum: Beginner Basics
Topic: Help with home setup RB4011iGS+RM vlans
Replies: 3
Views: 114

Re: Help with home setup RB4011iGS+RM vlans

In general, vlans are a good idea when you want to carry multiple subnet on a single port. This often happens because we run out of ports quickly. If you had 4 subnets only and a five port router (one for WAN) and you only needed four ports and each port was different, clearly no need for vlans. How...
by anav
Wed Dec 08, 2021 8:31 pm
Forum: Beginner Basics
Topic: VLAN configuration RB4011IGS+RM once again
Replies: 17
Views: 1417

Re: VLAN configuration RB4011IGS+RM once again

Id get rid of the UNIFI (and get any other managed switch) or set it up as a NORMAL managed switch where all VLANS go to it are TRUNKED on port 1. In any case, if you insist ......... The RB4011 setup for port 8 would look like /interface bridge ports bridge=bridge interface=ether8 ingress-filtering...
by anav
Wed Dec 08, 2021 8:20 pm
Forum: Beginner Basics
Topic: Mikrotik RB4011 Wireless router no ping on terminal but working from outside
Replies: 11
Views: 317

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

1. More fixes needed SOURCENAT In general you either can use the default rule ( the first one you have) OR split it up into each separate WAN, which your other two lines 'attempted' to do but the format is wrong!! Suggest the below is all you need add chain=srcnat action=masquerade out-interface=ethe...
by anav
Wed Dec 08, 2021 8:12 pm
Forum: Beginner Basics
Topic: Mikrotik RB4011 Wireless router no ping on terminal but working from outside
Replies: 11
Views: 317

Re: Mikrotik RB4011 Wireless router no ping on terminal but working from outside

Hi there, have not yet got into the mangles but I see area for improvement. Took me awhile as I am a one bridge guy and use vlans for all my subnets, much cleaner/easier at least for me to understand. In your case you seem caught in-between, You attempt to use both a vlan and a bridge to feed the du...
by anav
Wed Dec 08, 2021 7:59 pm
Forum: RouterOS v7 BETA
Topic: ZeroTier added to RouterOS v7.1rc2
Replies: 225
Views: 64901

Re: ZeroTier added to RouterOS v7.1rc2

Anyone else done speedtests wireguard vs zerotier.
(for the case of client using servers internet connection for internet).

Nice video.....
https://www.youtube.com/watch?v=eFI59jJ2MM8
by anav
Wed Dec 08, 2021 5:20 pm
Forum: General
Topic: Vlan's do not ping
Replies: 1
Views: 62

Re: Vlan's do not ping

from winbox terminal selection. copy and paste
/export hide-sensitive file=anynameyouwish
by anav
Wed Dec 08, 2021 3:59 pm
Forum: Useful user articles
Topic: Bypassing AT&T Residential Gateways with MikroTik
Replies: 215
Views: 61448

Re: Bypassing AT&T Residential Gateways with MikroTik

I wonder if the 2.5Gig Port on the RB5009 will play nicer with such setups (bypasses)?
by anav
Wed Dec 08, 2021 3:55 pm
Forum: Beginner Basics
Topic: HomeAssistant, Hairpin NAT and port forwarding
Replies: 11
Views: 297

Re: HomeAssistant, Hairpin NAT and port forwarding

Port forwarding is typically for EXTERNAL users to reach a server you are running. Is this or is this not the case?? Accessing existing LAN devices can be done directly from LAN device to LAN device using LANIP Is this or is this not the case?? Finally there is also a case where you want people on a...
by anav
Wed Dec 08, 2021 2:54 pm
Forum: Wireless Networking
Topic: Wifi 7 - MikroTik when???
Replies: 10
Views: 617

Re: Wifi 7 - MikroTik when???

Yes, but its not affordable.............. Product choices of wifi6e needs to proliferate to drive the price down....... anav , are you a WISP engineer ? I've found that my best paying , fastest customers are all slowly moving to the Netgear Orbi Wi-Fi 6E mesh system. One of my issues is that Mikrot...
by anav
Wed Dec 08, 2021 2:49 pm
Forum: General
Topic: isolating a bridge from pinging IPs assigned to other bridges or interfaces on the same router [SOLVED]
Replies: 8
Views: 307

Re: isolating a bridge from pinging IPs assigned to other bridges or interfaces on the same router [SOLVED]

How does bridge, vlans and interface lists help with this? Unless you have them just for L2, i.e. router functioning only as switch, you have the same "problem".
Nothing that was already established, just saying no need for multiple bridges.......
by anav
Wed Dec 08, 2021 2:45 pm
Forum: Beginner Basics
Topic: HomeAssistant, Hairpin NAT and port forwarding
Replies: 11
Views: 297

Re: HomeAssistant, Hairpin NAT and port forwarding

The rules seem correct.
Although the source address on the second NAT rule is not required.
chain=srcnat action=masquerade out-interface=pppoe-out1

Why is the expected behaviour not agreeable?

If that is not what you want, then please state more clearly your expectations
by anav
Wed Dec 08, 2021 2:43 pm
Forum: Beginner Basics
Topic: Help with home setup RB4011iGS+RM vlans
Replies: 3
Views: 114

Re: Help with home setup RB4011iGS+RM vlans

First thing is to read this article.....
viewtopic.php?t=143620
by anav
Wed Dec 08, 2021 3:09 am
Forum: Wireless Networking
Topic: Wifi 7 - MikroTik when???
Replies: 10
Views: 617

Re: Wifi 7 - MikroTik when???

wifi-6e = not home budget wifi-6e = serious wisp equipment wifi-6e ---> NetGear Orbi WiFi 6E ( This is the fastest of the fastest Mesh system available for any home --- nothing is faster ! )) If you want speed , read-up on Wi-Fi 6E and the 2.4 & 5 & 6-7 GHz band Yes, but its not affordable....
by anav
Wed Dec 08, 2021 2:31 am
Forum: Wireless Networking
Topic: Wifi 7 - MikroTik when???
Replies: 10
Views: 617

Re: Wifi 7 - MikroTik when???

I'm waiting Mikrotik to eventually come out with anything that supports Wi-Fi 6E
wifi-6e = not home budget
wifi-6e = serious wisp equipment
by anav
Wed Dec 08, 2021 2:29 am
Forum: General
Topic: Can somebody explain scope and target scope?
Replies: 38
Views: 13209

Re: Can somebody explain scope and target scope?

As some handsome fella said........
Well, easier way of thinking about it is: "target-scope must be lower on each level of recursion"

As bpwl intimated, one goes to a finer map (zooms in) to find the airport and then the runway..............
by anav
Wed Dec 08, 2021 2:26 am
Forum: General
Topic: isolating a bridge from pinging IPs assigned to other bridges or interfaces on the same router [SOLVED]
Replies: 8
Views: 307

Re: isolating a bridge from pinging IPs assigned to other bridges or interfaces on the same router [SOLVED]

In other words no actual data will flow but if you want to feel better enact extra rules.....
I prefer to use One bridge and do all my talking and blocking with vlans and interface lists......
by anav
Wed Dec 08, 2021 2:22 am
Forum: Announcements
Topic: v7.1 is released!
Replies: 484
Views: 43502

Re: v7.1 is released!

capac doesnt want to upgrade from 6.48.6 so I upgraded it to 6.49.9 thinking maybe it was a step too far same result. It loads the ARM file 12.3 Size and goes through what looks like a normal cycle process, disconnects and a minute later or so come back up?? Also, once I get it uploaded, where is the...
by anav
Tue Dec 07, 2021 8:06 pm
Forum: Announcements
Topic: v7.1 is released!
Replies: 484
Views: 43502

Re: v7.1 is released!

I was kind of waiting for it... after the requests for VTI there would be DMVPN. But of course IPsec technology and MikroTik routers already support quite easy to deploy mesh networks (especially with 7.1) but not with the Cisco proprietary standards. When you have only MikroTik or when you have ac...
by anav
Tue Dec 07, 2021 8:01 pm
Forum: General
Topic: Port Forwarding to an Inner Subnet [SOLVED]
Replies: 8
Views: 316

Re: Port Forwarding to an Inner Subnet [SOLVED]

There's nothing wrong with extra routers, you just need proper routes. So on RB you add: /ip route add dst-address=192.168.1.0/24 gateway=10.70.70.251 and it's for RB to know where to find 192.168.1.x. And then you can remove NAT from Edge Router, tell it to allow access between interfaces as requi...
by anav
Tue Dec 07, 2021 6:48 pm
Forum: General
Topic: Do you use RouterOS 7.1 in production?
Replies: 6
Views: 492

Re: Do you use RouterOS 7.1 in production?

You have a special wireguard firewall ruleset?? Pray tell what could they be. Open ended teases must be answered. a. normal rule for inbound port initial connection + b. rule to allow access from wg interface to router for winbox perhaps ?? c. rule to allow access from wg interface to a LAN user/dev...
by anav
Tue Dec 07, 2021 6:45 pm
Forum: General
Topic: Port Forwarding to an Inner Subnet [SOLVED]
Replies: 8
Views: 316

Re: Port Forwarding to an Inner Subnet [SOLVED]

Sob and Anav .. thank you so much... you are my heroes ! @Anav..it is indeed double NAT. Your instructions were very helpful. Won't leave you before asking.. the MT device is my Main CCR router giving connection to other Routers located at remote locations. I did not anticipate this challenge till ...
by anav
Tue Dec 07, 2021 5:10 pm
Forum: Announcements
Topic: v7.1 is released!
Replies: 484
Views: 43502

Re: v7.1 is released!

PDF information: https://mt.lv/RouterOSv7 Video in Spanish: https://youtu.be/fzLxTl6VXRI Video in English: https://youtu.be/Zp-U7Anv5-0 Video in Russian: https://youtu.be/xRGBbXJc1xA The video missed the most important point...................... Where do I get that Unicorn MuG!! Normis email me to...
by anav
Tue Dec 07, 2021 4:52 pm
Forum: General
Topic: Public Hotspot Configuration
Replies: 4
Views: 207

Re: Public Hotspot Configuration

maybe they dont want to charge or authenticate and merely show a walled garden (advertisement) before providing access????
by anav
Tue Dec 07, 2021 4:50 pm
Forum: General
Topic: Do you use RouterOS 7.1 in production?
Replies: 6
Views: 492

Re: Do you use RouterOS 7.1 in production?

IPNAT, my family (med student, sign other - works from home much, poker players) are far more demanding than any business boss...... Will switch over when 7.2 hits stable stream ;-)
by anav
Tue Dec 07, 2021 4:47 pm
Forum: General
Topic: Port Forwarding to an Inner Subnet [SOLVED]
Replies: 8
Views: 316

Re: Port Forwarding to an Inner Subnet [SOLVED]

This is clearly a double NAT scenario. MT DEVICE 1. Ensure this rule is in the forward chain to allow port forwarding. add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \ connection-state=new in-interface-list=WAN 2. Ensure you have a proper dst-na...
by anav
Tue Dec 07, 2021 4:38 pm
Forum: General
Topic: IP Cloud pulling wrong Public Address [SOLVED]
Replies: 6
Views: 254

Re: IP Cloud pulling wrong Public Address [SOLVED]

The title of the thread should read.
I DONT KNOW WHAT KIND OF ISP CONNECTION I HAVE.
by anav
Tue Dec 07, 2021 4:33 pm
Forum: Beginner Basics
Topic: No internet on "home AP" default setup
Replies: 4
Views: 183

Re: No internet on "home AP" default setup

well hopefully all you did in quickset was choose the mode as you suggested....... Observations: 1. /ip neighbor discovery-settings set discover-interface-list=none change to LAN 2. /tool mac-server mac-winbox set allowed-interface-list=none change to LAN 3. I see two things missing, IP ROUTE for ...
by anav
Tue Dec 07, 2021 4:02 pm
Forum: Announcements
Topic: v7.1 is released!
Replies: 484
Views: 43502

Re: v7.1 is released!

OpenVPN client doesn't work in 7.1. It was working just fine with 6.49.2 and all previous versions. Here's the log: 16:35:38 ovpn,info ovpn-out1: initializing... 16:35:38 ovpn,info ovpn-out1: connecting... 16:35:39 ovpn,info ovpn-out1: using encoding - AES-256-CBC/SHA1 16:35:39 ovpn,info ovpn-out1:...
by anav
Tue Dec 07, 2021 1:08 am
Forum: General
Topic: Force Users to Use Specific DNS Server
Replies: 24
Views: 8657

Re: Force Users to Use Specific DNS Server

That is awesome....... Nice link!
by anav
Tue Dec 07, 2021 1:06 am
Forum: General
Topic: host sees public IP address of ISP
Replies: 16
Views: 666

Re: host sees public IP address of ISP

It can be done accidentally. (see the link I posted) All you need is a inexperienced person who holds the reset button for additional 5 seconds after the LED starts blinking (which isn't much). Since this behavior is unique to Mikrotik, not everyone will release the reset button on time. Sounds lik...
by anav
Mon Dec 06, 2021 11:07 pm
Forum: General
Topic: Force Users to Use Specific DNS Server
Replies: 24
Views: 8657

Re: Force Users to Use Specific DNS Server

If they send query to 8.8.8.8, they will get response from 8.8.8.8 (not really, but it will seem to them to be from there). One possible problem I'm aware of is that RouterOS v6 doesn't keep the case of letters, so if you ask for "MikroTik.com", the answer will contain "mikrotik.com&...
by anav
Mon Dec 06, 2021 11:05 pm
Forum: General
Topic: host sees public IP address of ISP
Replies: 16
Views: 666

Re: host sees public IP address of ISP

Wouldn't the perp, I mean OP, have to have made that selection, its not default from what I understand!
by anav
Mon Dec 06, 2021 11:01 pm
Forum: Announcements
Topic: v7.1 is released!
Replies: 484
Views: 43502

Re: v7.1 is released!

hi all, with this version recursive routes work? with 7.1rc4 not working but with 6.x yes They do work. v7 introduced a new limitation: target-scope of your route must be greater than target-scope of the route through which it should be resolved . Heh, I am not sure if I need to take a philosophy c...
by anav
Mon Dec 06, 2021 9:24 pm
Forum: General
Topic: Force Users to Use Specific DNS Server
Replies: 24
Views: 8657

Re: Force Users to Use Specific DNS Server

Crystal clear!! Then the solutions become. A. Force Redirect to OPENDNS (without PI hole) /ip dns set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220 /ip nat add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp add action=redirect chain=dstnat dst-port=53 i...
by anav
Mon Dec 06, 2021 6:38 pm
Forum: General
Topic: Force Users to Use Specific DNS Server
Replies: 24
Views: 8657

Re: Force Users to Use Specific DNS Server

Okay some progress,
Why not put the open dns servers as static entries.
Does that not mean they take precedence over any other DNS server noted??
Stated otherwise, why put them under Servers?
and if you put them under Servers do you need then to check off the box, allow remote requests??
by anav
Mon Dec 06, 2021 6:34 pm
Forum: General
Topic: VLAN & Trunk Configuration
Replies: 3
Views: 196

Re: VLAN & Trunk Configuration

Confusing, is the MT device the router in this picture?
If so, where are the vlans then created (ip pool, ip address, dhcp server, dhcp server network)
by anav
Mon Dec 06, 2021 5:02 pm
Forum: Announcements
Topic: v7.1 is released!
Replies: 484
Views: 43502

Re: v7.1 is released!

Static route does not works in PPPOE Client , It just works for 10 second and gone ! . current solution just it works with default route Checked in PPPOE-Client Connection , Need fix ASAP !
@parscon: Was static route in PPPOE client working before in previous versions of ver7 RC X ???
by anav
Mon Dec 06, 2021 5:00 pm
Forum: General
Topic: Force Users to Use Specific DNS Server
Replies: 24
Views: 8657

Re: Force Users to Use Specific DNS Server

For starters dont mix and match ideas........ My point and I wish Sob would clarify was to NOT use pi-hole at all if not needed. If you can direct users via MT config to use open dns as a service then pi-hole is not needed. Q1 OP: So is pi-hole the requirement or is open dns the requirement???? (in...
by anav
Mon Dec 06, 2021 4:53 pm
Forum: Beginner Basics
Topic: Static IP for Internet (WAN) not working
Replies: 16
Views: 675

Re: Static IP for Internet (WAN) not working

Ok guys, you won't believe what was the issue. They say they had to re-register me because of replacement of ZTE router to ZTE converter and there was problem with optical connectivity (PON LED blinking), something like syncing issue with gateway. After applying their magic I was able to easily conf...
by anav
Mon Dec 06, 2021 4:44 pm
Forum: Beginner Basics
Topic: Dynamic and Static IP MikroTik RouterBOARD 2011UiAS
Replies: 17
Views: 771

Re: Dynamic and Static IP MikroTik RouterBOARD 2011UiAS

Is that why, on the preceding diagram, the network address is showing up as 192.168.88.1 vice the usual 192.168.88.0 ??
by anav
Mon Dec 06, 2021 4:41 pm
Forum: RouterOS v7 BETA
Topic: WireGuard on 7.1 - issue with the number of WG interfaces
Replies: 6
Views: 524

Re: WireGuard on 7.1 - issue with the number of WG interfaces

Sure thing, is your MT the primary router behind the ISP modem or is it behind another router?? Client actions: WIREGUARD INTERFACE 1. give name to interface: lets say wg-client 2. add the listen port that will be open on the server side lets say 6767 3. Public Key (auto generated and what needs to ...
by anav
Mon Dec 06, 2021 3:49 pm
Forum: Announcements
Topic: v7.1 is released!
Replies: 484
Views: 43502

Re: v7.1 is released!

Its simple and clear if version 6 latest stable does everything you need, then dont switch to version 7 until 7.2 is released in a stable channel. Do your research if you want to try version 7, but dont complain if something that works for you in version 6 is either not available or doesnt work in V...
by anav
Mon Dec 06, 2021 2:36 pm
Forum: Useful user articles
Topic: To DDOS or Not To DDOS - Eh Tu Normis
Replies: 9
Views: 701

Re: To DDOS or Not To DDOS - Eh Tu Normis

Isn't "CONSENSUS reached" a bit premature? I don't think there's need to wait for world-wide vote, but maybe just few more people than you and me... :)
You count as 5 people ;-) But okay!
by anav
Mon Dec 06, 2021 2:34 pm
Forum: General
Topic: Only half bandwidth download with simple NAT setup?
Replies: 9
Views: 331

Re: Only half bandwidth download with simple NAT setup?

If you're new and still learning why did you change/deviate from the default firewall rules?? Also you dont state which model of device you have?? There were no rules on the router. It was completely blank with no configuration. The router is a Mikrotik hEX A reset of the router would have brought th...
by anav
Mon Dec 06, 2021 2:33 pm
Forum: General
Topic: NAT overload
Replies: 1
Views: 130

Re: NAT overload

For port forwarding normally you need three things. a. one firewall rule (forward chain) that allows dst-nat coming in from the WAN side. b. source nat rule outbound (default rule usually good) c. the dstnat rule. C. is where you need to concentrate your efforts. Here is where you put in the details...
by anav
Mon Dec 06, 2021 2:27 pm
Forum: Beginner Basics
Topic: VLANs cannot see eachothers
Replies: 6
Views: 331

Re: VLANs cannot see eachothers

No worries, in that case the RB4011 will be the router needing full vlan settings and firewall rules etc.
The hapac 2 being an access point/switch will need the minimum.

All well captured here with examples.......
viewtopic.php?t=143620
by anav
Mon Dec 06, 2021 3:55 am
Forum: General
Topic: Only half bandwidth download with simple NAT setup?
Replies: 9
Views: 331

Re: Only half bandwidth download with simple NAT setup?

If you're new and still learning why did you change/deviate from the default firewall rules??
Also you dont state which model of device you have??
by anav
Mon Dec 06, 2021 2:09 am
Forum: Useful user articles
Topic: To DDOS or Not To DDOS - Eh Tu Normis
Replies: 9
Views: 701

Re: To DDOS or Not To DDOS - Eh Tu Normis

Ive added the problem of bots looking for open ports ( catching trapping and dropping) .......... /........ and dismissed the idea of fiddling with ICMP.
You will note that that v7 handling of ip routers vis-a-vis unreachable and blackhole still needs to be verified.
by anav
Mon Dec 06, 2021 1:57 am
Forum: General
Topic: Force Users to Use Specific DNS Server
Replies: 24
Views: 8657

Re: Force Users to Use Specific DNS Server

If you are using OPEN DNS, why bother with pi-hole??? Just set up open dns as the static DNS setting Then use redirect function on the dstnat rules and the dns queries will be forced to one of the router interfaces and since the router has been told to use open dns it should work. /ip dns static add...
by anav
Mon Dec 06, 2021 1:54 am
Forum: Beginner Basics
Topic: VLAN configuration RB4011IGS+RM once again
Replies: 17
Views: 1417

Re: VLAN configuration RB4011IGS+RM once again

Thanks for your support :) The emergency port is working fine now! Regarding the second problem (just for better understanding): Next step would be configuring a switch with VLAN support (e.g. I have a Unifi Flex Mini) like this: 1. Port (uplink to Mikrotik) 2. Port Access Port Video VLAN for camer...
by anav
Sun Dec 05, 2021 8:43 pm
Forum: Beginner Basics
Topic: VLANs cannot see eachothers
Replies: 6
Views: 331

Re: VLANs cannot see eachothers

If its to act as a switch then its still wrong, a. where is the trunk port carrying all the vlans from source (aka usually ether1). b. if its a switch you do not set ip address, ip pool, dhcp server, dhcp server network Its pretty basic. create bridge identify vlans to belong on that bridge set brid...
by anav
Sun Dec 05, 2021 8:37 pm
Forum: Beginner Basics
Topic: VLAN Port Settings
Replies: 3
Views: 191

Re: VLAN Port Settings

Trying to figure out what you want to do with a very small piece of your config is not possible without further information. Forget the config as it does not convey intent. In your own words what are you trying to provide to users/devices? How many groups of users /devices do you have? Clearly you h...
by anav
Sun Dec 05, 2021 8:32 pm
Forum: RouterOS v7 BETA
Topic: WireGuard on 7.1 - issue with the number of WG interfaces
Replies: 6
Views: 524

Re: WireGuard on 7.1 - issue with the number of WG interfaces

Hi pawlisko. See my post here, https://forum.mikrotik.com/viewtopic.php?t=174417#p859788 Why you ask, because in my iteration on an earlier version for of ROS7Beta , even though I could, I did NOT use IP addresses for my WG interfaces. Therefore it can be done. The biggest difference is that dynamic...
by anav
Sun Dec 05, 2021 4:39 pm
Forum: Useful user articles
Topic: To DDOS or Not To DDOS - Eh Tu Normis
Replies: 9
Views: 701

Re: To DDOS or Not To DDOS - Eh Tu Normis

Well I am a sucker for pretty ponies......... so unreachable it is, to ensure easier knowledge/troubleshooting of potential issues created by the rule.
by anav
Sun Dec 05, 2021 4:28 pm
Forum: Beginner Basics
Topic: VLANs cannot see eachothers
Replies: 6
Views: 331

Re: VLANs cannot see eachothers

Yup, concur, that this should be removed as 98% time not needed. /interface bridge settings set use-ip-firewall-for-vlan=yes However the more basic question I have is...... what are you using the device for?? A. ROUTER - nope, you have no ISP or WAN interface B. ACCESS/POINT SWITCH - nope you have n...
by anav
Sun Dec 05, 2021 5:07 am
Forum: General
Topic: Mikrotik equipment to the new home
Replies: 20
Views: 1254

Re: Mikrotik equipment to the new home

EMplus, a tad more expensive than TPLINK and same size as Ubiquiti U6 Pro 8.1 inches by 8.1 inches square shape (11 inches corner to corner) vice round shape 9.6 inch radius for TPLINK.
by anav
Sun Dec 05, 2021 4:59 am
Forum: Beginner Basics
Topic: Static IP for Internet (WAN) not working
Replies: 16
Views: 675

Re: Static IP for Internet (WAN) not working

Yeah something smells fishy........
by anav
Sun Dec 05, 2021 4:58 am
Forum: Beginner Basics
Topic: How to create most basic VLAN [SOLVED]
Replies: 13
Views: 687

Re: How to create most basic VLAN [SOLVED]

Man we are holding his hands already I guess Sob you thought his toes needed holding too. ;-) As for separate port let say want to use port 4 for 'other' access a. name port to ether4_access b. ensure not on bridge c. give ip address of lets say 192.168.3.2 network 192.168.3.0 d. ensure you add ethe...
by anav
Sun Dec 05, 2021 4:47 am
Forum: Beginner Basics
Topic: VLAN configuration RB4011IGS+RM once again
Replies: 17
Views: 1417

Re: VLAN configuration RB4011IGS+RM once again

smyers is bang on, and I never said to use .1 for address!! /ip address add address=192.168.3.2/24 interface=ether5_emergency network=192.168.3.0 Due to this........ which is fine and good. /tool mac-server mac-winbox set allowed-interface-list=MGMT Ensure;;;;; /interface list member add interface...
by anav
Sat Dec 04, 2021 11:40 pm
Forum: General
Topic: Multiple IPSEC question
Replies: 6
Views: 325

Re: Multiple IPSEC question

The feedback I am getting so far is that it is stable enough for home use and for most things non BGP or non OSPF.
So I would say good to go.
by anav
Sat Dec 04, 2021 11:38 pm
Forum: General
Topic: Mikrotik equipment to the new home
Replies: 20
Views: 1254

Re: Mikrotik equipment to the new home

Haha, maybe MT wifi works for you because you have researched every scrotum hair on the testes of MT wifi in order to get it to work.
Most of us dont have the time, knowledge or patience!
I admire your skill but dont agree with your conclusion.
by anav
Sat Dec 04, 2021 11:29 pm
Forum: Beginner Basics
Topic: How to create most basic VLAN [SOLVED]
Replies: 13
Views: 687

Re: How to create most basic VLAN [SOLVED]

As stated, its easy.
If you can do it with one vlan you can do it with 100 vlans.
The concept and approach is the same.
Do not use the bridge for any subnets and you are golden.
by anav
Sat Dec 04, 2021 10:32 pm
Forum: Beginner Basics
Topic: Static IP for Internet (WAN) not working
Replies: 16
Views: 675

Re: Static IP for Internet (WAN) not working

Yes SOB, just added to my certification course. That funny looking thing we have to use in format xx.xx.xx.xx /xx Is called octal blocks I think and a mask. The concept I was not grasping is that the mask describes the bucket the octal block identifier is contained within. So my two ISPs with /20 /2...
by anav
Sat Dec 04, 2021 10:17 pm
Forum: General
Topic: Mikrotik equipment to the new home
Replies: 20
Views: 1254

Re: Mikrotik equipment to the new home

No key required for TPLINK :-)
by anav
Sat Dec 04, 2021 10:15 pm
Forum: General
Topic: Multiple IPSEC question
Replies: 6
Views: 325

Re: Multiple IPSEC question

Search is your friend, but no guarantees of success. Depending upon your business you want to invest in a router with more horsepower (5009) for example. Wireguard works well and is relatively simple to implement and is now available on 7.1. Also with 7.1,,,,,,,,,,,,,, VPN ---------------------- !) ...
by anav
Sat Dec 04, 2021 10:07 pm
Forum: Beginner Basics
Topic: How to create most basic VLAN [SOLVED]
Replies: 13
Views: 687

Re: How to create most basic VLAN [SOLVED]

Simply use the first link provided, https://forum.mikrotik.com/viewtopic.php?t=143620 To help you when reading through this................ First Define the VLANS with interface bridge Each VLAN gets ip pool, ip address, dhcp-server, dhcp-server network. Ensure all vlans are interface list members fo...
by anav
Sat Dec 04, 2021 9:56 pm
Forum: Beginner Basics
Topic: Static IP for Internet (WAN) not working
Replies: 16
Views: 675

Re: Static IP for Internet (WAN) not working

# jan/02/1970 00:12:52 by RouterOS 7.0.5 Date seems off and isn't the first release 7.1 test ??? I don't see specifics for the RB5009 on the web page (not listed but assume it's ARM but is there a distinction between ARM 32 and ARM 64. Also does one install/select the individual packages from the li...
by anav
Sat Dec 04, 2021 9:51 pm
Forum: Beginner Basics
Topic: Static IP for Internet (WAN) not working
Replies: 16
Views: 675

Re: Static IP for Internet (WAN) not working

Well, you may have a point ( 1/2 a point deduction) as I was not thinking of the omicron (moronic) way of providing WANIPs aka via private IP addresses. Yes on my routers, all the 'private' LANIP addresses are done via 192.168.x.1/24 with network of 192.168.1.0 etc My experience with public IPs is v...
by anav
Sat Dec 04, 2021 8:11 pm
Forum: General
Topic: Download Router configuration
Replies: 11
Views: 511

Re: Download Router configuration

Can you not be more direct my son........... I wish one could type with a scottish accent LOL The answer is NO, you are screwed if inheriting this device without proper access. You need to netinstall the latest version of software and restart a fresh config. The best thing to do is capture the curre...
by anav
Sat Dec 04, 2021 8:08 pm
Forum: General
Topic: Smart home devices are still getting disconnected
Replies: 32
Views: 1341

Re: Smart home devices are still getting disconnected

Capsmanager is not for the newbie. Its another layer of config on top of the standard ROS config and has its own complexities. In other words, best you get WIFI working without capsman first. TWO THINGS (because i cant count) 1. you can make all the SSIDs the same WITHOUT capsman. 2. the decision to...
by anav
Sat Dec 04, 2021 8:04 pm
Forum: Beginner Basics
Topic: Static IP for Internet (WAN) not working
Replies: 16
Views: 675

Re: Static IP for Internet (WAN) not working

Cant be ???????
And your IP address is wrong!! Its not an IP address but a subnet.......
/ip address
add address=XX.XXX.XXX.142/24

If you think you know what the problem is then why ask here, otherwise please show full config.........
by anav
Sat Dec 04, 2021 5:54 pm
Forum: Beginner Basics
Topic: Static IP for Internet (WAN) not working
Replies: 16
Views: 675

Re: Static IP for Internet (WAN) not working

/export hide-sensitive file=anynameyouwish

If the gateway or wanip are public, just put in fake numbers for the ones that come up on the export.
by anav
Sat Dec 04, 2021 5:50 pm
Forum: General
Topic: Mikrotik equipment to the new home
Replies: 20
Views: 1254

Re: Mikrotik equipment to the new home

I have a capac, a TPlink EAP245v3, and a TPlink 660HD in my house. If on a budget, get the TPLINK eap245v3, one for each floor, works with vlans, decent wifi5 performance etc. If have some flexibility get the TPLink 660HD, you will only need two of these as they penetrate through walls quite nicely....
by anav
Sat Dec 04, 2021 3:48 pm
Forum: Wireless Networking
Topic: 802.11ac severe speed degradation with ROS above 6.45.9 (LTS)
Replies: 26
Views: 2940

Re: 802.11ac severe speed degradation with ROS above 6.45.9 (LTS)

Meanwhile, my tp link eap 245 v3 hums along with no issues and expected performance.................. Very happy with MT routing, home wifi not so much. I quickly learned the wrath of university students, poker players, and significant other, is not worth the fun of playing bpwls "explore the m...
by anav
Sat Dec 04, 2021 3:41 pm
Forum: General
Topic: Mikrotik equipment to the new home
Replies: 20
Views: 1254

Re: Mikrotik equipment to the new home

Depends on budget...... 1. No limit - Netgear Orbit WIFI 6 E ( not yet in a wall/ceiling mount option though ) https://www.netgear.com/home/wifi/mesh/rbke963/ 2. $250 - TP link 660HD 3. $180 (maybe) the new Ubiquiti WIFI U6 pro is like the TP 660HD but only $180 but requires stewpid proprietary cont...
by anav
Sat Dec 04, 2021 3:34 pm
Forum: General
Topic: Smart home devices are still getting disconnected
Replies: 32
Views: 1341

Re: Smart home devices are still getting disconnected

As I have been saying, the home wifi bozos at MT should have hired BPWL to ensure a viable WIFI setup and performance from the firmware and better documentation.
by anav
Sat Dec 04, 2021 3:31 pm
Forum: Beginner Basics
Topic: Firewall drop rule not working
Replies: 9
Views: 571

Re: Firewall drop rule not working

What was the error?? I couldnt find it.
by anav
Sat Dec 04, 2021 5:18 am
Forum: General
Topic: why mikrotik donot support nat 444
Replies: 16
Views: 3567

Re: why mikrotik donot support nat 444

Im still luvin Love Hz as a name, friggen awesome!!
https://www.youtube.com/watch?v=soDZBW-1P04
by anav
Sat Dec 04, 2021 5:14 am
Forum: Beginner Basics
Topic: Can't get »Using RouterOS to VLAN your network« up and running
Replies: 6
Views: 367

Re: Can't get »Using RouterOS to VLAN your network« up and running

Take your time, been there exactly. I too experienced this phenomenon but I just trusted that when the router restarted the new settings would stick. Not sure why it's being ornery in your case. That's why I suggest the alternate location for accessing the router, it won't matter what state the bridg...
by anav
Sat Dec 04, 2021 5:12 am
Forum: Beginner Basics
Topic: SFP Ethernet module as WAN port
Replies: 11
Views: 913

Re: SFP Ethernet module as WAN port

They are more or less okay!
Won't hurt, may be better ways to set up once the config is published and running.
by anav
Fri Dec 03, 2021 9:31 pm
Forum: General
Topic: drop ports from WAN side
Replies: 11
Views: 560

Re: drop ports from WAN side

Yes some of those ports have to be open for the initial VPN connection of the tunnel as per the config.
There is nothing wrong with this behaviour.
by anav
Fri Dec 03, 2021 9:29 pm
Forum: General
Topic: Traffic are bloced for one devices (WIznet)
Replies: 3
Views: 230

Re: Traffic are bloced for one devices (WIznet)

Could be this scenario? It may depend on DNS, if the boiler DNS is not in the proper format non-standard (wrong letter case) , the MT router will correct the format which then may be rejected with return traffic as unrecognized by the client (boiler). Most brands simply copy the DNS name and regurgi...
by anav
Fri Dec 03, 2021 9:26 pm
Forum: General
Topic: Smart home devices are still getting disconnected
Replies: 32
Views: 1341

Re: Smart home devices are still getting disconnected

Some smart devices are ornery and no matter what you do its a pita......
I have both and concur less problems overall with TP link than Capac.
by anav
Fri Dec 03, 2021 9:14 pm
Forum: Beginner Basics
Topic: Firewall drop rule not working
Replies: 9
Views: 571

Re: Firewall drop rule not working

/interface vlan add interface=bridge name=vlan10 vlan-id=10 add interface=bridge name=vlan20 vlan-id=20 /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface list member add comment=defconf interface=vlan20 list=LAN add comment=defconf interface=ether1 list=WAN add int...
by anav
Fri Dec 03, 2021 3:54 am
Forum: Useful user articles
Topic: To DDOS or Not To DDOS - Eh Tu Normis
Replies: 9
Views: 701

Re: To DDOS or Not To DDOS - Eh Tu Normis

Hi Sob, Thanks much for the conversation, there are many other security steps that people seem to take, such as special DDOS setups or jumping like a frog for icmp types...... As for DDOS, is there some small measures that can be taken to mitigate to some degree..........I would think in raw perhaps...
by anav
Fri Dec 03, 2021 3:42 am
Forum: Beginner Basics
Topic: SFP Ethernet module as WAN port
Replies: 11
Views: 913

Re: SFP Ethernet module as WAN port

Your command works, anav but when I check back the NAT rule at webfig (sorry, this is my first time with RouterOS) it says that both in-interface-list and out-interface-list are set to LAN. Shouldn't out list be WAN? If I try adding in and out list to your command like this: /ip firewall nat add ac...
by anav
Fri Dec 03, 2021 12:31 am
Forum: Wireless Networking
Topic: cAP vs cAP XL
Replies: 27
Views: 1781

Re: cAP vs cAP XL

If anyone has extra money to give CZFAN some Netgear WIFI6E products maybe he will understand!! ;-)
if you really thinking about using netgear and tplink anywhere, NOBODY wanna understand you....
Hmm, I thought Czech folks were practical and used what works!!
by anav
Fri Dec 03, 2021 12:29 am
Forum: Beginner Basics
Topic: Can't get »Using RouterOS to VLAN your network« up and running
Replies: 6
Views: 367

Re: Can't get »Using RouterOS to VLAN your network« up and running

Yes, the router kicks one out but it should have saved the good configuration if not, I have resorted to taking any unused or make a port available. Off the bridge give it an IP address of 192.168.5.2 with network 192.168.5.0 Ensure it's added to the same interface list member as that identified by m...
by anav
Thu Dec 02, 2021 10:54 pm
Forum: Wireless Networking
Topic: cAP vs cAP XL
Replies: 27
Views: 1781

Re: cAP vs cAP XL

If anyone has extra money to give CZFAN some Netgear WIFI6E products maybe he will understand!! ;-)
by anav
Thu Dec 02, 2021 10:51 pm
Forum: Wireless Networking
Topic: How tro put two Wi-Fi radios on separate subnets
Replies: 16
Views: 1042

Re: How tro put two Wi-Fi radios on separate subnets

how to setup the router is easily accomplished with VLANS as per this article which has an example for your case.
viewtopic.php?t=143620

one bridge,
ethernet ports and wlans on bridge
proper bridge vlan config.
Pretty much done!
by anav
Thu Dec 02, 2021 10:47 pm
Forum: Useful user articles
Topic: Hairpin NAT - the easy way
Replies: 33
Views: 14711

Re: Hairpin NAT - the easy way

Nice approach... As @anav said, there are many ways to implement Hairpin NAT... @Easen take a look here https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT I attempted to capture all the discussion here as well....... https://forum.mikrotik.com/viewtopic.php?t=179343 If there is anything ...
by anav
Thu Dec 02, 2021 10:45 pm
Forum: Beginner Basics
Topic: WAN IP and LAN IP HELP
Replies: 5
Views: 230

Re: WAN IP and LAN IP HELP

I meant it as quick way to get to it, to be able to change address. But if you start with safer VPN way from the beginning, even better. A quick way to get your inheritance is to kill your parents,,,,,, but there is risk ;-) (that aside Sob, if you have free time, and since your input was critical ...
by anav
Thu Dec 02, 2021 10:36 pm
Forum: General
Topic: drop ports from WAN side
Replies: 11
Views: 560

Re: drop ports from WAN side

You would be far better off going back to the default firewall rules and then adding what is only necessary from there............ Such as any legitimate VPN rules on the input chain to allow initial connection of the tunnel add action=accept chain=input "allow vpn connection" dst-ports=X,...
by anav
Thu Dec 02, 2021 10:34 pm
Forum: General
Topic: drop ports from WAN side
Replies: 11
Views: 560

Re: drop ports from WAN side

Reading as I go along You have bridge and one vlan = 2 dhcp type interfaces But you have 3 pools?? Your interface list only contains WAN ??? Now I see you have 2 WANS, ether1 ether5 - which is what VLAN1 runs on. Okay so you have another subnet not identified for the hotspot 10.5.50.0/24, No dhcp no...
by anav
Thu Dec 02, 2021 10:17 pm
Forum: Beginner Basics
Topic: SFP Ethernet module as WAN port
Replies: 11
Views: 913

Re: SFP Ethernet module as WAN port

The only thing on a quick glance missing is the default source nat rule??

/ip firewall nat
add action=masquerade chain=srcnat comment="SCR_NAT for LAN" \
ipsec-policy=out,none out-interface=sfp1
by anav
Thu Dec 02, 2021 10:12 pm
Forum: Beginner Basics
Topic: WAN IP and LAN IP HELP
Replies: 5
Views: 230

Re: WAN IP and LAN IP HELP

I dont recommend a NAT rule to a camera that has no protection. Unless you want the camera video to be seen by every tom dick and chinese military hacker....... ;-)
Do concur that VPN into the router and then view camera is a safer method.
by anav
Thu Dec 02, 2021 10:08 pm
Forum: Beginner Basics
Topic: Help forwarding ports
Replies: 5
Views: 275

Re: Help forwarding ports

Whats your point? or in other terms....
How is that helpful?
by anav
Thu Dec 02, 2021 10:04 pm
Forum: General
Topic: Can't ping mikrotik LAN gateway from internal end users devices
Replies: 6
Views: 631

Re: Can't ping mikrotik LAN gateway from internal end users devices

If you want to see how to mangle for load balance properly, look at this thread, yours looks nothing of the sort!!
https://mum.mikrotik.com/presentations/US12/steve.pdf
by anav
Thu Dec 02, 2021 8:23 pm
Forum: Beginner Basics
Topic: WAN IP and LAN IP HELP
Replies: 5
Views: 230

Re: WAN IP and LAN IP HELP

Well the details provided are not all that clear (who's on first etc etc.). Step one: But if it was me, I would use wireguard to connect the two routers Then on my parents router I would provide the wireguard or vpn interface access to the router on the INPUT CHAIN. I would ensure that the wiregua...
by anav
Thu Dec 02, 2021 8:20 pm
Forum: Beginner Basics
Topic: SFP+ as WAN instead of Ether1
Replies: 5
Views: 252

Re: SFP+ as WAN instead of Ether1

Why SFP+ as WAN?
Is the incoming connection from the ISP coming directly into your router as a fiber end rated at 10Gigs?
Is the incoming connection coming from the ISP modem (ISP modem has a fiber transceiver) and if so is this rated at 10Gig?

What are your expectations??
by anav
Thu Dec 02, 2021 8:18 pm
Forum: Beginner Basics
Topic: DEFAULT CONFIG CANT GET INTERNET hEX rb750gr3?
Replies: 1
Views: 127

Re: DEFAULT CONFIG CANT GET INTERNET hEX rb750gr3?

Reset to defaults and dont touch quickset........
Use winbox menus to make changes necessary.
by anav
Thu Dec 02, 2021 8:13 pm
Forum: Beginner Basics
Topic: Help forwarding ports
Replies: 5
Views: 275

Re: Help forwarding ports

In terms of your firewall rules,,,,,,,, how did you get there from the basic defaults..... I suspect too much youtube. :-) Clearly you do not understand firewall rules and should have stayed with the defaults and asked questions first. Ex. Basic, input chain is for traffic to and fro the router itse...
by anav
Thu Dec 02, 2021 7:48 pm
Forum: Beginner Basics
Topic: Help forwarding ports
Replies: 5
Views: 275

Re: Help forwarding ports

Why is your IP Route affiliated to one of your LAN subnets??? /ip route add distance=1 gateway= 192.168.88. /ip pool add name=dhcp_pool0 ranges= 192.168.88.102-192.168.88.254 add name=dhcp_pool2 ranges=192.168.77.2-192.168.77.254 I suspect the IP route is automatically provided by your selections in...
by anav
Thu Dec 02, 2021 7:39 pm
Forum: Beginner Basics
Topic: Help forwarding ports
Replies: 5
Views: 275

Re: Help forwarding ports

If attempting to reach your server from a PC on the same LAN(subnet) but using the WANIP or domain name of the router you are in a loopback situation often called hairpin NAT which is easily solved by putting in a simple masquerade source nat rule prior to the default one provided. Two other things....
by anav
Thu Dec 02, 2021 7:36 pm
Forum: Beginner Basics
Topic: how to setup a correct firewall rules when the Mikrotik is behind the ISP modem [SOLVED]
Replies: 14
Views: 718

Re: how to setup a correct firewall rules when the Mikrotik is behind the ISP modem [SOLVED]

Yup if it doesnt work on the address list, then your creation of another input rule is the other option (both are okay). I am just not sure if you simply need to name the interface or put in the subnet, or put in the IP address etc......... (again havent seen the rest of the config). I would be temp...
by anav
Thu Dec 02, 2021 7:22 pm
Forum: Beginner Basics
Topic: SFP Ethernet module as WAN port
Replies: 11
Views: 913

Re: SFP Ethernet module as WAN port

Please post your config
/export hide-sensitive file=anynameyouwish

YES, any port should be able to be a LAN port or a WAN port at your choosing.
Compatibility between ISP modem and Router on an SFP or SFP+ port is a crapshoot however.
by anav
Thu Dec 02, 2021 7:20 pm
Forum: Announcements
Topic: Newsletter 103
Replies: 25
Views: 6047

Re: Newsletter 103

I like the netFiber 9, will there be a desktop version of it as well? There is currently no comparable desktop or rack mount switch available. CRS212-1G-10S-1S+IN have just one SFP+ and CRS328-4C-20S-4S+RM is far more expensive. If indoor version of netFiber 9 without all the outdoor mounting ended...
by anav
Thu Dec 02, 2021 6:37 pm
Forum: Useful user articles
Topic: To DDOS or Not To DDOS - Eh Tu Normis
Replies: 9
Views: 701

To DDOS or Not To DDOS - Eh Tu Normis

NOVICE USER RECOMMENDED CONFIG. (Intended for the new user who has gained enough knowledge and whose requirements now require changes to the default config). <placeholder> 1. IP ROUTE & BOGONS - INITIAL VIEW reached on the functionality required to ensure private IP addresses not on one of your...
by anav
Thu Dec 02, 2021 6:04 pm
Forum: Announcements
Topic: Newsletter 103
Replies: 25
Views: 6047

Re: Newsletter 103

Opened link in a new window, tried multiple times and got the pdf eventually. CCR2116 seems nice (I think Eva had a slip as she mentioned a "younger brother" - she probably meant "older brother"). might even order it.. but... 2k21 is coming to an end and no reasonably priced 2.5...
by anav
Thu Dec 02, 2021 5:18 pm
Forum: Announcements
Topic: Newsletter 103
Replies: 25
Views: 6047

Re: Newsletter 103

My attempt states, cannot download securely...........

I would say this is RC01 of Newsletter 103
Cant wait to see if RC02 fares any better.
by anav
Thu Dec 02, 2021 4:03 pm
Forum: Beginner Basics
Topic: How would you go about this - 2 separate nets 1 router
Replies: 3
Views: 251

Re: How would you go about this - 2 separate nets 1 router

Okay so if you want to filter between them then that makes sense.
So why not close them as default and then only open the traffic you want to permit.

Basically if you have a well defined set of requirements we can proceed.
If you dont know them yet the discussion is theoretical.
by anav
Thu Dec 02, 2021 4:01 pm
Forum: Beginner Basics
Topic: Firewall drop rule not working
Replies: 9
Views: 571

Re: Firewall drop rule not working

I see what you have done, okay in that case leave ether4 on the bridge.................. I would never do it that way because I dont like mixing bridge dhcp and vlan DHCP on the same port and implicitly using vlan1 like that. I always prefer to have vlan1 NEVER carrying data and assign other vlans t...
by anav
Thu Dec 02, 2021 3:58 pm
Forum: Beginner Basics
Topic: how to setup a correct firewall rules when the Mikrotik is behind the ISP modem [SOLVED]
Replies: 14
Views: 718

Re: how to setup a correct firewall rules when the Mikrotik is behind the ISP modem [SOLVED]

Hi there........ taking a look at the changes....... some mods for accuracy. add action=accept chain=input dst-port=4500 log=yes protocol=udp in-interface-list=WAN add action=accept chain=input dst-port=1701 protocol=udp in-interface-list=WAN add action=accept chain=input dst-port=500 protocol=udp i...
by anav
Thu Dec 02, 2021 3:49 pm
Forum: RouterOS v7 BETA
Topic: Queuing WAN total using multiple WANs
Replies: 7
Views: 427

Re: Queuing WAN total using multiple WANs

The OP needs to know that the person selling such a script is ripping people off. You can set up load balancing on the router 1:1, 2:1, 3:1 etc, I think the question that needs answering ......... is there a method to gauge the load and respond accordingly? In other words the router realizes that WA...
by anav
Thu Dec 02, 2021 5:51 am
Forum: Beginner Basics
Topic: Why not a definitive solution to block Youtube?
Replies: 9
Views: 5532

Re: Why not a definitive solution to block Youtube?

By removing internet privileges if they break the rules..........
by anav
Wed Dec 01, 2021 11:30 pm
Forum: Wireless Networking
Topic: WIFI 6 Roadmap
Replies: 117
Views: 75292

Re: WIFI 6 Roadmap

Man I missed the boat, this is netgear 6E
Includes 6ghz network. Insane!! (like the price)
Nothing else on the market like this that I know about.
But dont see a wall/ceiling version??
by anav
Wed Dec 01, 2021 10:55 pm
Forum: Wireless Networking
Topic: WIFI 6 Roadmap
Replies: 117
Views: 75292

Re: WIFI 6 Roadmap

Hi Tom, If you have room in your cough cough "small budget" can you get a TP link 660HD and the new Ubiquiti WIFI U6 Pro (both wifi 6 models) and compare to the Netgear of which you speak. Just single Access Point performance. The Ubiquiti at $180 Cdn seems to be very very competitively priced ...
by anav
Wed Dec 01, 2021 10:46 pm
Forum: General
Topic: Using Let's Encrypt for SSTP
Replies: 15
Views: 1000

Re: Using Let's Encrypt for SSTP

Hi Sob, You just verified a simple fact for me. Wireguard rocks every other VPN needing client certificate management up the ying yang sucks and ISPAPP.co which does not rely upon open ports or certificates (https connections only) is very appealing as an alternate remote access to config the MT dev...
by anav
Wed Dec 01, 2021 10:34 pm
Forum: General
Topic: Confused about DHCP server
Replies: 15
Views: 706

Re: Confused about DHCP server

I dont think its possible or wise to attach your VPN connections to bridges. Simply make the firewall rules you need to allow connectivity from VPN access to LAN subnets and vice versa etc...... I think of VPNs a faux LANs, they are not real LANs but are parallel to them. A VPN is a tunnel that with...
by anav
Wed Dec 01, 2021 10:29 pm
Forum: General
Topic: [HELP] Need help with bandwidth
Replies: 2
Views: 197

Re: [HELP] Need help with bandwidth

Check out queues, that is how MT does this.
https://help.mikrotik.com/docs/display/ROS/Queues
by anav
Wed Dec 01, 2021 10:29 pm
Forum: General
Topic: [HELP] Need help with bandwidth
Replies: 2
Views: 197

Re: [HELP] Need help with bandwidth

Check out queues, that is how MT does this.
by anav
Wed Dec 01, 2021 10:27 pm
Forum: General
Topic: drop ports from WAN side
Replies: 11
Views: 560

Re: drop ports from WAN side

Please post config if you want assistance.......
/export hide-sensitive file=anynameyouwish
by anav
Wed Dec 01, 2021 10:23 pm
Forum: General
Topic: Has a RB4011 some hardware/sofware bugs now?
Replies: 5
Views: 400

Re: Has a RB4011 some hardware/sofware bugs now?

The last person complaining about RB4011 freezing is running ROS 6.47.10 ... which is rather old. While it's generally fine, very stable release, it's old for RB4011, which is by itself not that old and AFAIK some work had been done regarding stability in more recent ROS versions. 6.47.10 is a prev...
by anav
Wed Dec 01, 2021 10:21 pm
Forum: General
Topic: dhcp client get`s wrong dns
Replies: 21
Views: 763

Re: dhcp client get`s wrong dns

This is all very confusing. There are two possibilities. Either your ISP is dynamic and they set everything automatically and all you need to do is set IP DHCP Client and tick both boxes for use ISP DNS and Create Route Automatically OR They have provided you with the settings to use. Which is true?...
by anav
Wed Dec 01, 2021 10:13 pm
Forum: Beginner Basics
Topic: Cannot connect to guest wifi (VLAN) on cAP ac [SOLVED]
Replies: 2
Views: 189

Re: Cannot connect to guest wifi (VLAN) on cAP ac [SOLVED]

Sure, how many vlans are involved? I see home wifi and guest wifi is the trusted vlan or management vlan the same as the home wifi. Clue the Access point should have an IP address on the subnet of the trusted vlan. I will assume vlan 2 is the trusted vlan. (1) Missing vlans. You need to identify all...
by anav
Wed Dec 01, 2021 9:48 pm
Forum: Beginner Basics
Topic: Firewall drop rule not working
Replies: 9
Views: 571

Re: Firewall drop rule not working

Why is ether4 on the Bridge? Should be removed. /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment=defconf interface=ether4 To help decide the above......what is attached to ether4? If you dont need t...
by anav
Wed Dec 01, 2021 9:40 pm
Forum: Beginner Basics
Topic: How would you go about this - 2 separate nets 1 router
Replies: 3
Views: 251

Re: How would you go about this - 2 separate nets 1 router

Very feasible, the only question I have is why are the two VLANS 'open' to each other.
Why not just have one LAN then?
by anav
Wed Dec 01, 2021 9:36 pm
Forum: Beginner Basics
Topic: how to setup a correct firewall rules when the Mikrotik is behind the ISP modem [SOLVED]
Replies: 14
Views: 718

Re: how to setup a correct firewall rules when the Mikrotik is behind the ISP modem [SOLVED]

Well for starters, it's cleaner and less prone to errors if you group the chains together .......... That way you can see the order within a chain more readily etc.. rules out of order, rules need modifying, rules to remove, rules missing /ip firewall filter {input chain} add action=accept chain=input ...
by anav
Wed Dec 01, 2021 2:00 pm
Forum: General
Topic: Has a RB4011 some hardware/sofware bugs now?
Replies: 5
Views: 400

Re: Has a RB4011 some hardware/sofware bugs now?

Recommendation to buy any appliance should be based on your requirements. There is nothing wrong with the RB4011 but I would invest in the RB5009 a newer product and around the same price point........ better value for money.
by anav
Wed Dec 01, 2021 1:49 pm
Forum: Beginner Basics
Topic: Firewall drop rule not working
Replies: 9
Views: 571

Re: Firewall drop rule not working

If you dont know what the problem is, why do you think only showing us part of the config will help? Please post your config /export hide-sensitive file=anynameyouwish Seeing as you only wanted one port the rule could be refined to add action=drop chain=forward dst-address=192.168.0.0/24 src-address...
by anav
Tue Nov 30, 2021 10:40 pm
Forum: Beginner Basics
Topic: SM Fiber Modules
Replies: 4
Views: 296

Re: SM Fiber Modules

Hi there, then explain to me how the product I noted at the top [ XS+2733LC15D ] can DO ALL THREE!! 1.25/10/25.
In fact how come it calls them SFP+ transceivers and yet it can do 25gigs, which is SFP28 standard??

Call me confused!!
by anav
Tue Nov 30, 2021 7:38 pm
Forum: General
Topic: Using two routers
Replies: 9
Views: 591

Re: Using two routers

Ahh okay, that makes sense!!
by anav
Tue Nov 30, 2021 7:21 pm
Forum: Beginner Basics
Topic: SM Fiber Modules
Replies: 4
Views: 296

Re: SM Fiber Modules

Well seeing the plethora of 25Gig managed switches, I don't think I will be buying the more expensive SFP28 modules and will stick to those that can handle both SFP and SFP+
Looking for a Bidi Module for 1.25 and 10gig (that will do SFP and SFP+)
Guess what they dont seem to exist? :-(
by anav
Tue Nov 30, 2021 5:52 pm
Forum: Wireless Networking
Topic: cAP vs cAP XL
Replies: 27
Views: 1781

Re: cAP vs cAP XL

The Ubiquiti WIFI U6 Pro is cheaper than the TPLINK eap660HD by about $80 and thus may be excellent value IF, IF it can be configured in a stand alone mode.
by anav
Tue Nov 30, 2021 5:41 pm
Forum: Beginner Basics
Topic: SM Fiber Modules
Replies: 4
Views: 296

SM Fiber Modules

Specifically this one, seems to be super human! XS+2733LC15D https://mikrotik.com/product/xs_2733lc15d Do I have this right, its a BIdi SM module that can negotiate speeds including 1.25 / 10 / 25 up to 15K.......... Funny distance as most vendors will state, 10, 20, 40K as standard distances. I won...
by anav
Tue Nov 30, 2021 5:17 pm
Forum: General
Topic: Confused about DHCP server
Replies: 15
Views: 706

Re: Confused about DHCP server

To be honest (and afterwards always easy to say): I was already wondering about that one as well. WAN and LAN but what about <nothing> ? But I do not think this is related to the DHCP problem. Is it ? With MT one never knows what is or isnt connected,.........well Sindy and Sob know, but I dont. :-)
by anav
Tue Nov 30, 2021 4:26 pm
Forum: General
Topic: Using Let's Encrypt for SSTP
Replies: 15
Views: 1000

Re: Using Let's Encrypt for SSTP

I ask the question mainly because in the SSTP examples I find, verify (server/client) certificates is never checked off, so was wondering is that because the certificates were produced on the MT (self signed). and thus verification is not required? What is the difference between a self-signed MT cer...
by anav
Tue Nov 30, 2021 4:24 pm
Forum: General
Topic: Using two routers
Replies: 9
Views: 591

Re: Using two routers

Can you please post the config of the Mikrotik device
(/export hide-sensitive file=anynameyouwish)
Unable??---> I don't know the login for either of them!!!
by anav
Tue Nov 30, 2021 4:23 pm
Forum: General
Topic: Confused about DHCP server
Replies: 15
Views: 706

Re: Confused about DHCP server

(1) Your are missing one thing....... Maybe? /interface list member add interface=ether1 list=WAN add interface=bridgeNet1 list=LAN add interface=bridgeNet2 list=LAN ???? (2) Confused about another part of the setup....... add address=172.16.200.254/24 interface=bridgeNet1 network=172.16.200.0 add a...
by anav
Tue Nov 30, 2021 4:09 pm
Forum: Beginner Basics
Topic: Travel VPN router - Wireless both WAN and LAN
Replies: 10
Views: 542

Re: Travel VPN router - Wireless both WAN and LAN

mAPLite is a very good Travel-Router! I have 3 of them and one is always in my Laptop-Bag It's Compact and you can power it with your laptop or Power-Bank, everyone should have one =) I do a lot of Job-Hopping... And realised most company's have a PoE-Network So my Main Travel-Router at the moment ...
by anav
Tue Nov 30, 2021 4:07 pm
Forum: Beginner Basics
Topic: Winboxing towards a Mikrotik behind NAT [SOLVED]
Replies: 14
Views: 665

Re: Winboxing towards a Mikrotik behind NAT [SOLVED]

Well if you do get hacked and held ransom for lets say $50,000 just send the bill to Sob and if he gives you any trouble I know some really good lawyers. ;-P
by anav
Tue Nov 30, 2021 12:50 am
Forum: General
Topic: Using Let's Encrypt for SSTP
Replies: 15
Views: 1000

Re: Using Let's Encrypt for SSTP

Can one use Let's Encrypt, assuming this is simply a certificate maker, for use between two MikroTik routers ??
by anav
Mon Nov 29, 2021 10:04 pm
Forum: Beginner Basics
Topic: Winboxing towards a Mikrotik behind NAT [SOLVED]
Replies: 14
Views: 665

Re: Winboxing towards a Mikrotik behind NAT [SOLVED]

Don't open up winbox to the internet is clear and simple advice in order to configure the router. Can't say it any more plainly. The answer was already provided so not sure why SOB stated it again, other than to note that the default port for winbox is 8291................. seems like he wanted to pil...
by anav
Mon Nov 29, 2021 9:57 pm
Forum: General
Topic: RDP connencton on a specific WAN
Replies: 3
Views: 226

Re: RDP connencton on a specific WAN

I assumed outgoing from the LAN as he wants the router to ensure a specific WANIP is used.
If it was incoming he wouldn't need to do so as the incoming would be from external users in which case he would tell those external users to use a specific WANIP or domain name!
But agree it's not clear!!!
by anav
Mon Nov 29, 2021 9:50 pm
Forum: General
Topic: How to access Mikrotik in Bridge mode with Netbox?
Replies: 13
Views: 752

Re: How to access Mikrotik in Bridge mode with Netbox?

Okay this is dirt simple............. Going back to your config and requirements. ACCESS POINT ONLY. Reset the Access point to default and select wisp mode for example TOP LEFT of quickset menu......... the only setting to touch in quickset (vice See use of ether2 ( removed from bridge and what I us...
by anav
Mon Nov 29, 2021 3:54 pm
Forum: General
Topic: RDP connencton on a specific WAN
Replies: 3
Views: 226

Re: RDP connencton on a specific WAN

How many users on the LAN are using RDP?
by anav
Mon Nov 29, 2021 3:35 pm
Forum: Beginner Basics
Topic: Winboxing towards a Mikrotik behind NAT [SOLVED]
Replies: 14
Views: 665

Re: Winboxing towards a Mikrotik behind NAT [SOLVED]

This sounds like you want to be able to configure or reach the winbox remotely. The way to do this is not by opening ports to the router, that is a huge security problem. What you should be asking is "How do I securely manage the MT device remotely that is not the primary router but is acting as a...
by anav
Mon Nov 29, 2021 3:25 pm
Forum: Beginner Basics
Topic: Super Beginnery
Replies: 2
Views: 253

Re: Super Beginnery

What is the purpose of the connectivity (use cases in detail will help resolve equipment and configuration). In other words description of what users should be able to do from both ends........without mentioning the configuration.
by anav
Mon Nov 29, 2021 3:16 pm
Forum: Beginner Basics
Topic: subnets
Replies: 19
Views: 1097

Re: subnets

Sorry if you are connected to the internet without any rules I will not help further.
The default firewall rules are safe and do not stop any connectivity (do not cause issues) and by removing them you have no security.
by anav
Sun Nov 28, 2021 6:07 pm
Forum: Beginner Basics
Topic: subnets
Replies: 19
Views: 1097

Re: subnets

Okay so the switch is also a router and you are using bridges to dish subnets to sets of ports vice using VLANs. Four bridges Four pools Four dhcp servers. so far so good. (1) Why is bridge test NOT part of the LAN interface group?? (2) if this is acting as a router why don't you have any firewall ru...
by anav
Sun Nov 28, 2021 3:34 am
Forum: General
Topic: [Leaked Video] CCR2116-12G-4S+ with RouterOS v7 for processing BGP tables in 30s
Replies: 29
Views: 2729

Re: [LEAKED] CCR2116-12G-4S+ with RouterOS v7 for processing BGP tables in 30s

Do you have a better alternative at that price point? Seems to me this is exactly what many people are looking for when managing multiple devices (especially WISPs) Seems like people here want open ports on their device......... really???? Quick to cast dispersion I see very little debate about the ...
by anav
Sat Nov 27, 2021 11:22 pm
Forum: Beginner Basics
Topic: Load balancing - slow loading of websites and more [SOLVED]
Replies: 2
Views: 454

Re: Load balancing - slow loading of websites and more [SOLVED]

Your mangle rules seem a tad off..... note one set of the rules needs to move (from spot 2 to spot 5) (1 should be 1) /ip firewall mangle add action=accept chain=prerouting dst-address=10.0.0.0/24 in-interface=\ bridge1 add action=accept chain=prerouting dst-address=100.64.0.0/10 in-interface=\ b...
by anav
Sat Nov 27, 2021 3:48 pm
Forum: Beginner Basics
Topic: Correct VLAN Setting between Switches
Replies: 6
Views: 546

Re: Correct VLAN Setting between Switches

As for the 260S, recommendations based on my settings: 1. Under VLAN S a. (FIRST ROW) VLANID1 is the default setting should be set to (left as) LEAVE AS IS - for all trunk ports NOT A MEMBER - for all access ports b. (OTHER ROWS) all other vlans Set to LEAVE AS IS - for all trunk ports (if carrying ...
by anav
Sat Nov 27, 2021 2:24 pm
Forum: Beginner Basics
Topic: Correct VLAN Setting between Switches
Replies: 6
Views: 546

Re: Correct VLAN Setting between Switches

Since all the vlans are created on the router, including firewall rules affecting them, best to include its config as well.
/export hide-sensitive file=anynameyouwish
by anav
Fri Nov 26, 2021 10:35 pm
Forum: General
Topic: Protection agains Frag attacks
Replies: 8
Views: 702

Re: Protection agains Frag attacks

How come I never see any of this so called attack traffic ??
It must be my block all else rule at the end of input and forward chains......... that's right I am not a believer.....
Vaccines yes, anything else not so much. If you don't have open ports, then sleep easy.
by anav
Fri Nov 26, 2021 10:33 pm
Forum: General
Topic: Botnet and bad actor filters
Replies: 22
Views: 2288

Re: Botnet and bad actor filters

Znevna uses mind control on his users and they magically don't send traffic to bad sites and that's why he doesn't need blackholes, honeypots, probe blockers or wait for it.................. updated BLACKLISTS......... I just wish he would get on with patenting his mind control............
by anav
Fri Nov 26, 2021 10:30 pm
Forum: General
Topic: Brute passwords of microtik devices from the local network, how to identify malware?
Replies: 9
Views: 1095

Re: Brute passwords of microtik devices from the local network, how to identify malware?

Seems like a no brainer, more secure method if one has many routers to manage.
I post this only to annoy Znevna. :-))
by anav
Fri Nov 26, 2021 5:06 pm
Forum: General
Topic: Can't ping mikrotik LAN gateway from internal end users devices
Replies: 6
Views: 631

Re: Can't ping mikrotik LAN gateway from internal end users devices

A. You have an issue. B. You are looking for help. C. Yes you seem to know for sure what we need to see to solve your problem. Something doesn't fit. Please post entire config for review. /export hide-sensitive file=anynameyouwish (if pppoe also remove any identifying details and any public WANIPs).
by anav
Fri Nov 26, 2021 5:04 pm
Forum: General
Topic: [Leaked Video] CCR2116-12G-4S+ with RouterOS v7 for processing BGP tables in 30s
Replies: 29
Views: 2729

Re: [LEAKED] CCR2116-12G-4S+ with RouterOS v7 for processing BGP tables in 30s

Very nice!,
My CCR1009 cannot keep up with my home demands, that is what I will say to the significant other...............
by anav
Fri Nov 26, 2021 5:02 pm
Forum: Beginner Basics
Topic: Best site to site sertup
Replies: 5
Views: 561

Re: Best site to site sertup

Only on the beta firmware but they are up to RC7 I think. It's getting refined..........
by anav
Fri Nov 26, 2021 3:14 pm
Forum: Beginner Basics
Topic: Best site to site sertup
Replies: 5
Views: 561

Re: Best site to site sertup

Wireguard for the untrained,
Ipsec VPN works great for those that are trained.
by anav
Fri Nov 26, 2021 3:13 pm
Forum: Beginner Basics
Topic: Route marking in OS7.04
Replies: 4
Views: 572

Re: Route marking in OS7.04

So you don't want load balancing???
by anav
Fri Nov 26, 2021 3:12 pm
Forum: Beginner Basics
Topic: macOS Winbox
Replies: 7
Views: 626

Re: macOS Winbox

Better to realize that winbox is for network engineers that are very poor and cannot afford mac desktops or laptops or are not provided such luxurious appliances by their bosses....... (only bosses get macbook pros, not the mere working minions). If lucky an MT engineer or self made private Certifie...
by anav
Fri Nov 26, 2021 3:09 pm
Forum: Beginner Basics
Topic: subnets
Replies: 19
Views: 1097

Re: subnets

In short,
Please post your config,
by anav
Fri Nov 26, 2021 2:44 pm
Forum: Beginner Basics
Topic: macOS Winbox
Replies: 7
Views: 626

Re: macOS Winbox

Does MAC still make computers?? I thought it was just fake props on movies ;-)
I wonder what percentage of Apple Revenue is due to Computers.........
by anav
Thu Nov 25, 2021 11:19 pm
Forum: General
Topic: separate circuit
Replies: 7
Views: 605

Re: separate circuit

In most cases you only need one bridge!
by anav
Thu Nov 25, 2021 6:01 pm
Forum: Wireless Networking
Topic: cAP vs cAP XL
Replies: 27
Views: 1781

Re: cAP vs cAP XL

Expectations. The TP LINK EAP 245 is the same cost as a CAPAC and works far better.
If you wanted an improvement to that, look at the EAP660HD
There are no cheaper good solutions to individual APs. I am not familiar with mesh products.
by anav
Thu Nov 25, 2021 5:43 pm
Forum: Useful user articles
Topic: Hairpin NAT - Port Forwarding Not Working & More!!
Replies: 26
Views: 3514

Re: SEXY Hairpin NAT - Some of the Ways To Achieve O......

Most comments now included!
by anav
Wed Nov 24, 2021 4:29 pm
Forum: Useful user articles
Topic: Hairpin NAT - Port Forwarding Not Working & More!!
Replies: 26
Views: 3514

Re: SEXY Hairpin NAT - Some of the Ways To Achieve O......

Done and done for recommended amends
by anav
Wed Nov 24, 2021 3:55 pm
Forum: Wireless Networking
Topic: How tro put two Wi-Fi radios on separate subnets
Replies: 16
Views: 1042

Re: How tro put two Wi-Fi radios on separate subnets

I attempted to help by asking pertinent questions, instead, no answer but a NEW question?? use the red X.
Hopefully someone else will have more patience. Good luck.
by anav
Wed Nov 24, 2021 2:18 pm
Forum: Beginner Basics
Topic: Set up as Access Point
Replies: 1
Views: 431

Re: Set up as Access Point

Yup, One bridge ether1 on bridge ether2 not on bridge ether 2 gets IP address of 192.168.5.2 network 192.168.5.0 (ether 2 is your emergency access to the router and the better place to configure the router from defaults to the setup you want to make) (just hookup; the laptop; to ether2 and set a l...
by anav
Wed Nov 24, 2021 2:00 pm
Forum: Beginner Basics
Topic: Mange Rule - Chain Prerouting vs Forward
Replies: 10
Views: 6830

Re: Mange Rule - Chain Prerouting vs Forward

Regardless if you need to mangle your gaming ports, then it's your gaming skills that is the problem. ;-)
by anav
Wed Nov 24, 2021 1:38 am
Forum: Beginner Basics
Topic: Firewall Filter & DNS
Replies: 4
Views: 556

Re: Firewall Filter & DNS

Clearly stated, insight required. Sight being the operative word and thus I noted glasses.
You might say, ocular lubricant may be a part answer! :-)
by anav
Tue Nov 23, 2021 11:10 pm
Forum: General
Topic: Unable to access any MT device behind Mikrotik Router
Replies: 17
Views: 904

Re: Unable to access any MT device behind Mikrotik Router

Sorry if you want to connect MT devices over the internet for configuration purposes, it should be done via VPN. If you want to take short cuts, and let someone else handle connectivity for you try Remote WINBOX service SSTP good enough for home, or even better ISPapp.co service for business (no ope...
by anav
Tue Nov 23, 2021 11:05 pm
Forum: Beginner Basics
Topic: No incoming traffic (Game Ports)
Replies: 10
Views: 1158

Re: No incoming traffic (Game Ports)

What I recommend is that your friend either. a.. has a static fixed WANIP he can give you b. if dynamic he gets a domain name or more accurately a free dyndns name available at many sites............. and then you will ensure that the dst-nat rules for the game has a component of src-address-list=au...
by anav
Tue Nov 23, 2021 7:48 pm
Forum: General
Topic: Unable to access any MT device behind Mikrotik Router
Replies: 17
Views: 904

Re: Unable to access any MT device behind Mikrotik Router

Can you draw a network diagram?
It appears you have setup the LTE devices as routers but I thought the 2011 was your router?
Chicken or egg, what's going on here??

What is connected to the internet and what is the purpose of the LTE devices..............
by anav
Tue Nov 23, 2021 7:41 pm
Forum: Beginner Basics
Topic: Firewall Filter & DNS
Replies: 4
Views: 556

Re: Firewall Filter & DNS

You don't need glasses, there is no user manual.
by anav
Tue Nov 23, 2021 3:50 pm
Forum: Wireless Networking
Topic: How tro put two Wi-Fi radios on separate subnets
Replies: 16
Views: 1042

Re: How tro put two Wi-Fi radios on separate subnets

What is your network design?
Is the device acting as a router and access point, or simply as an access point and if so what router is feeding it?

Please post your config
/export hide-sensitive file=anynameyouwish
by anav
Tue Nov 23, 2021 3:47 pm
Forum: General
Topic: Internet access via Campground Wifi using Metal 52 ac and a Netgear R6400
Replies: 3
Views: 414

Re: Internet access via Campground Wifi using Metal 52 ac and a Netgear R6400

Please post config on metal.....
/export hide-sensitive file=anynameyouwish
by anav
Tue Nov 23, 2021 3:45 pm
Forum: General
Topic: RB750Gr3 Vlan scenario advice
Replies: 10
Views: 1120

Re: RB750Gr3 Vlan scenario advice

Please post your config
/export hide-sensitive file=anynameyouwish
by anav
Tue Nov 23, 2021 1:30 pm
Forum: General
Topic: Unable to access any MT device behind Mikrotik Router
Replies: 17
Views: 904

Re: Unable to access any MT device behind Mikrotik Router

The core config is hosed. Start there. Lots of errors......... lack of bridge definition being one of them.
by anav
Tue Nov 23, 2021 1:27 am
Forum: General
Topic: Unable to access any MT device behind Mikrotik Router
Replies: 17
Views: 904

Re: Unable to access any MT device behind Mikrotik Router

How are your devices connected?
Is there a management vlan or a trusted subnet?
All devices behind the router should have an IP on the trusted subnet or management vlan.
by anav
Mon Nov 22, 2021 10:47 pm
Forum: General
Topic: Load Balancing / Routing
Replies: 16
Views: 948

Re: Load Balancing / Routing

Concur, many MT users have asked for more fidelity such as being able to use firewall-address-lists for many more entries and rules than is currently allowed.
Then the addition of only one Route Rule would be required. I agree it's a shame this has not been implemented.
by anav
Mon Nov 22, 2021 10:45 pm
Forum: General
Topic: IP addresses in the same subnet across multiple interfaces? [SOLVED]
Replies: 8
Views: 867

Re: IP addresses in the same subnet across multiple interfaces? [SOLVED]

That's up to the individual running the laptop. Connectivity is required and provided.
Two separate mac addresses two connections, only one will be used at a time.
by anav
Mon Nov 22, 2021 10:42 pm
Forum: Beginner Basics
Topic: Avoiding double NAT Fritzbox + CCR2004
Replies: 18
Views: 833

Re: Avoiding double NAT Fritzbox + CCR2004

Sob and Fritz are good friends, I'm sure they will work it out! ;-)
by anav
Mon Nov 22, 2021 8:40 pm
Forum: General
Topic: Router for test environment
Replies: 10
Views: 673

Re: Router for test environment

yup the hex is a good candidate.
I attach my MT router to various switches, dlink, mt, netgear, tplink .........
all following this guide...... and whatever the vendor requires.........

viewtopic.php?t=143620
by anav
Mon Nov 22, 2021 8:35 pm
Forum: General
Topic: Load Balancing / Routing
Replies: 16
Views: 948

Re: Load Balancing / Routing

If it's a nightmare to manage then suggest your hardware design needs improvement. My method works, why is it so hard to manage? Statically set DHCP leases and IPs are static!! If you have a bunch of users with a specific use case, put them on a vlan! If you don't have the equipment to do that, then t...
by anav
Mon Nov 22, 2021 8:33 pm
Forum: General
Topic: cAP WiFi6 etc....
Replies: 6
Views: 744

Re: cAP WiFi6 etc....

Unfair? Wifi 5 Wave 2 is more than 5 years old, and there is no support in stable releases, I think mikrotik Wifi is dead….. And I think, Mikrotik wi-fi is serving to many happy campers, not being obsessed by the latest and greatest. Perhaps but the TPlink eap245 was the same cost as a Capac and is...
by anav
Mon Nov 22, 2021 6:18 pm
Forum: General
Topic: Load Balancing / Routing
Replies: 16
Views: 948

Re: Load Balancing / Routing

Up to you, with mangling you lose fasttrack advantages in connection tracking but probably no biggie. For me I would change how those strange and weird users are segregated. I would put them on one subnet/vlan if at all possible. As I said, even if 50 users, I would make up 50 route rules. I hate ma...
by anav
Mon Nov 22, 2021 5:40 pm
Forum: General
Topic: Bypass the VPN for SMB access from outside [SOLVED]
Replies: 42
Views: 2160

Re: Bypass the VPN for SMB access from outside [SOLVED]

Normally on an ISP controlled modem/router, where they provide you a private IP address, then the subscriber you, still has a very basic access to the ISP modem router. Typically it's so that you can forward a port (DMZ typically is not activated). Thus suggest you try to access the ISP modem/router ...
by anav
Mon Nov 22, 2021 5:24 pm
Forum: General
Topic: Load Balancing / Routing
Replies: 16
Views: 948

Re: Load Balancing / Routing

Super. Start with standard ISP route structure. ISP1 route distance=5 check-gateway=ping ISP2 route distance=10 From the above all users will be directed to ISP1 and if down go to ISP2. When ISP 1 comes back online, then all users will head back to ISP1. (Note; This presumes the WAN connections are fro...
by anav
Mon Nov 22, 2021 5:11 pm
Forum: Useful user articles
Topic: Hairpin NAT - Port Forwarding Not Working & More!!
Replies: 26
Views: 3514

Re: SEXY Hairpin NAT - Some of the Ways To Achieve O......

Thanks Sob, Will attempt to satisfy your pernicious penchant for particularly pimply and prickly, pickyness ;-P I do have a JUMP question for you....... can that be used for different scenarios................ let say its this scenario, dynamic wanip, add chain=dstnat action=dst-nat dst-address-type...
by anav
Mon Nov 22, 2021 4:57 pm
Forum: Beginner Basics
Topic: Can not dst-nat to vlan device [SOLVED]
Replies: 7
Views: 682

Re: Can not dst-nat to vlan device [SOLVED]

To clarify, users on the bridge 192.168.1.X will be accessing the cameras on the VLAN via dyndns name as well as folks having external access to the cameras. There is no case of users on the vlan accessing the camera on the vlan (as there are no users on the vlan)? In this case there is no hairpin n...
by anav
Mon Nov 22, 2021 4:37 pm
Forum: Beginner Basics
Topic: Best practice for management isolation/security
Replies: 4
Views: 441

Re: Best practice for management isolation/security

I have never used VRFs, so do not know how complex they are but if it is more secure than using a management VLAN, then it sounds like a good idea!!
Wish I could be of more help!
by anav
Mon Nov 22, 2021 4:30 pm
Forum: Beginner Basics
Topic: Avoiding double NAT Fritzbox + CCR2004
Replies: 18
Views: 833

Re: Avoiding double NAT Fritzbox + CCR2004

For firewall rules on CCR.......... one should only allow port forwarding, the specifics are located on the associated DST NAT rule. From: /ip firewall filter add action=accept chain=forward comment="Server 1" dst-address=192.168.2.2 \ dst-port=21 protocol=tcp add action=accept chain=forwa...
by anav
Mon Nov 22, 2021 4:17 pm
Forum: Beginner Basics
Topic: Best practice for management isolation/security
Replies: 4
Views: 441

Re: Best practice for management isolation/security

Just curious what is the advantage of this VRF approach compared to a. ipsec connection to router (then using winbox). b. running dude (internal network normally not sure how this is handled remotely as a server). c. cloud SSTP connection using Remote Winbox service (don't like it for business as I d...
by anav
Mon Nov 22, 2021 4:06 pm
Forum: General
Topic: Load Balancing / Routing
Replies: 16
Views: 948

Re: Load Balancing / Routing

Quick question, what is the purpose of setting up the router this way? It sounds like you want to use both WANs at the same time, why not just simply load balance the routers ???? I have two WANIPs and all traffic goes to one except email traffic which is based on a previous only connection to W...
by anav
Mon Nov 22, 2021 2:50 pm
Forum: Beginner Basics
Topic: Wireguard VPN routing
Replies: 1
Views: 381

Re: Wireguard VPN routing

Sounds like a case where you need to do two things... a. ensure 192.168.189.128 is routed through the WIREGUARD Tunnel b. at the 192.168.188.1 router, internet traffic is routed back through the tunnel to 192.168.189.128 On the 189 Router I would probably accomplish a. with a destination route and r...
by anav
Mon Nov 22, 2021 2:41 pm
Forum: Beginner Basics
Topic: DNS "Allow Remote Requests" Firewall Configuration
Replies: 2
Views: 447

Re: DNS "Allow Remote Requests" Firewall Configuration

The default firewall rules allow LAN to ROUTER access for such things as Router Services (DNS, NTP). Hence the default rule add action=drop chain=input comment="Defconf: drop all not coming from LAN" \ in-interface-list=!LAN This blocks all WAN to router traffic allowing all LAN to router ...
by anav
Mon Nov 22, 2021 2:13 pm
Forum: Beginner Basics
Topic: Can not dst-nat to vlan device [SOLVED]
Replies: 7
Views: 682

Re: Can not dst-nat to vlan device [SOLVED]

I have no clue what you are attempting to do with telefeno and a private IP address block 10.0.X.X beyond my scope of knowledge? Also, it looks like you are using mangle type rules, but in a way I am not familiar with but again beyond my scope of knowledge but I will say typically, mangle rules bein...
by anav
Mon Nov 22, 2021 2:12 pm
Forum: Beginner Basics
Topic: Can not dst-nat to vlan device [SOLVED]
Replies: 7
Views: 682

Re: Can not dst-nat to vlan device [SOLVED]

Remove this (not required) use standard IP Firewall Rules!! /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \ use-ip-firewall-for-vlan=yes IF not required, set this to none, can often cause issues. interface detect-internet set detect-interface-list=all Since you on...
by anav
Mon Nov 22, 2021 1:56 pm
Forum: Beginner Basics
Topic: Configure as Access Point
Replies: 2
Views: 438

Re: Configure as Access Point

What vlans are feeding the capac from the router?
homelan/guestlan/management (often the trusted home LAN/WIFI is also the management vlan).
by anav
Mon Nov 22, 2021 2:42 am
Forum: General
Topic: Block p2p from IP cameras - RB4011iGS+RM
Replies: 22
Views: 1881

Re: Block p2p from IP cameras - RB4011iGS+RM

IF your task is simply to block a list of cameras from accessing the internet as you have done seems good to go! The only thing I don't understand is why you have some sort of connection limits, why have them.??? add action=drop chain=forward comment="Drop: IP cameras (LAN -> Internet)" con...
by anav
Mon Nov 22, 2021 2:41 am
Forum: General
Topic: Block p2p from IP cameras - RB4011iGS+RM
Replies: 22
Views: 1881

Re: Block p2p from IP cameras - RB4011iGS+RM

To answer your question I believe all the switches and Access points you are using are smart devices which can read vlans. In this case it gives you much flexibility in that you can create and put the vlans to any ports or wlans you want and thus segregate traffic effectively. Its a layer of magnitu...
by anav
Mon Nov 22, 2021 2:33 am
Forum: General
Topic: Block p2p from IP cameras - RB4011iGS+RM
Replies: 22
Views: 1881

Re: Block p2p from IP cameras - RB4011iGS+RM

This is wrong on your config.......... /ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0 SHOULD BE /ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0 Don't see DNS noted on the config although it may be selected ...
by anav
Mon Nov 22, 2021 1:19 am
Forum: Useful user articles
Topic: Hairpin NAT - Port Forwarding Not Working & More!!
Replies: 26
Views: 3514

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

One loosely related bonus tip: Even if you have static address (but not as static to be guaranteed forever, because you may e.g. change ISP), you may be tempted to use shortcuts like in-interface=WAN (let's forget for a while that you can't use it anyway if you want hairpin NAT), simply because it ...
by anav
Sat Nov 20, 2021 11:40 pm
Forum: Useful user articles
Topic: Hairpin NAT - Port Forwarding Not Working & More!!
Replies: 26
Views: 3514

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

Okay article revamped, please be gentle but comments welcome!!!
by anav
Sat Nov 20, 2021 10:34 pm
Forum: Useful user articles
Topic: Hairpin NAT - Port Forwarding Not Working & More!!
Replies: 26
Views: 3514

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

Thanks Znevna, and all made some modifications so that the writeup is closer to the mark.
I will have to do some more amends as Sob has brought up other iterations or use cases to consider vice the mainstream ones.
by anav
Sat Nov 20, 2021 9:37 pm
Forum: Useful user articles
Topic: Hairpin NAT - Port Forwarding Not Working & More!!
Replies: 26
Views: 3514

Re: SEXY Hairpin NAT - The Right Way To Achieve O......

Well clearly I have botched this all up and need to do a rewrite, can you email me Sob, as its too difficult to attempt on this thread due to my lack of understanding of Italian and the extra noise created by Trollnevna!.
by anav
Sat Nov 20, 2021 9:27 pm
Forum: General
Topic: cAP WiFi6 etc....
Replies: 6
Views: 744

Re: cAP WiFi6 etc....

Feature requests should be posted in the beta forum.
by anav
Sat Nov 20, 2021 9:21 pm
Forum: General
Topic: Help on designing Mikrotik network
Replies: 20
Views: 1163

Re: Help on designing Mikrotik network

Ahh okay yeah if it's not MT it's not relevant LOL.
by anav
Sat Nov 20, 2021 8:59 pm
Forum: General
Topic: Help on designing Mikrotik network
Replies: 20
Views: 1163

Re: Help on designing Mikrotik network

Yes, anav, you are right. I like this feature somehow, but it is only feasible between switches anyway.
Not sure what you mean........
Vlans work for me for all managed switches (independent of vendor) and all smart access points independent of vendor.
by anav
Sat Nov 20, 2021 8:56 pm
Forum: Beginner Basics
Topic: VLAN between Non-wireless router w/ WAP
Replies: 13
Views: 5919

Re: VLAN between Non-wireless router w/ WAP

Basically. IF you want help, do the preliminary leg work of providing a nice network diagram showing the ports and what they are connected to. If you can differentiate the different groups of devices/users that you require to be on each port even better (you can have multiple users going over a sin...
by anav
Sat Nov 20, 2021 8:54 pm
Forum: Beginner Basics
Topic: VLAN between Non-wireless router w/ WAP
Replies: 13
Views: 5919

Re: VLAN between Non-wireless router w/ WAP

Okay, When you reset, the defaults should be there, access on ether2, wan defaults to ether1..... all ports on the bridge except ether1 Not sure for your device but that's typical. Before embarking on the bridge and vlans. take the last port, ether8 for example. Rename it. ether8-emerg under interfac...
by anav
Sat Nov 20, 2021 4:31 pm
Forum: General
Topic: Help on designing Mikrotik network
Replies: 20
Views: 1163

Re: Help on designing Mikrotik network

I think you are way overcomplicating things....... This is a simple case of various vlans supplying the various needs on the network. Router MT should have enough ports to a. connect to one or more WANs as per the network. b. Rest of ports should be on a single bridge c. Reserve one bridge port for ...
by anav
Sat Nov 20, 2021 4:15 pm
Forum: General
Topic: Imposible getting ping when using vlans
Replies: 20
Views: 1264

Re: Imposible getting ping when using vlans

I don't understand the network as described and the config depends on that structure.

What is/are acting as switch(es) and what is acting as router(s) here??
What is/are connected to ISP modem(s)?
by anav
Sat Nov 20, 2021 4:09 pm
Forum: Beginner Basics
Topic: PCC load balance, but pc got 2 default gateway !help [SOLVED]
Replies: 5
Views: 694

Re: PCC load balance, but pc got 2 default gateway !help [SOLVED]

Observations. 1. MISSING firewall rules to protect your router and LAN network. Suggest put in default rules. (2) remove this setting (select NO) and use the normal /ip firewall rules for input chain and forward chain. /interface bridge settings set use-ip-firewall=yes (3) Your mangle rules...........
by anav
Sat Nov 20, 2021 4:47 am
Forum: General
Topic: Accessing a subnet in which the Mikrotik isn't the gateway
Replies: 2
Views: 637

Re: Accessing a subnet in which the Mikrotik isn't the gateway

Not sure if this is similar to your case, but this thread may give you some ideas......
viewtopic.php?p=891129#p891129
by anav
Sat Nov 20, 2021 4:42 am
Forum: Beginner Basics
Topic: VLAN between Non-wireless router w/ WAP
Replies: 13
Views: 5919

Re: VLAN between Non-wireless router w/ WAP

Sob has been away for awhile so he is rusty and not usually prone to long complicated stories ;-) The long and short of it is that a configuration will fall out naturally from a well thought out design. Meaning, you need to articulate your use cases without any discussion of the config. What singula...
by anav
Sat Nov 20, 2021 12:29 am
Forum: Beginner Basics
Topic: Working around NAT hairpin [SOLVED]
Replies: 27
Views: 2032

Re: Working around NAT hairpin [SOLVED]

I needed to take a break, I found out that I was spending way too much time here. So it was a detox of a kind, OK. With this Covid and alike, I was scared you shifted to Juniper :) And all this time I thought he had retired seeing as I was answering all the threads satisfactorily.......... Missed y...
by anav
Fri Nov 19, 2021 10:27 pm
Forum: Beginner Basics
Topic: Working around NAT hairpin [SOLVED]
Replies: 27
Views: 2032

Re: Working around NAT hairpin [SOLVED]

Sob where have you been ole chum, I almost fainted when I saw you had posted!!
Is this the real Sob? or some sick imposter??
You have made my day!
by anav
Fri Nov 19, 2021 5:32 pm
Forum: Beginner Basics
Topic: Working around NAT hairpin [SOLVED]
Replies: 27
Views: 2032

Re: Working around NAT hairpin [SOLVED]

My apologies dabardabar, the guide on simply moving the server to a different subnet was not complete. Instead of this the basic default rules. /ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN add action=dst-nat chain=dstnat dst-port=80 protocol=tcp \ in-interface-list=WAN ...
by anav
Fri Nov 19, 2021 4:52 pm
Forum: General
Topic: Firewall filter rule ignored?
Replies: 13
Views: 859

Re: Firewall filter rule ignored?

As stated separate lists, order is important WITHIN a list.
Input chain, to and from the router (wan to router, lan to router)
Forward chain, through the router (wan to lan, lan to wan, lan to lan)
by anav
Fri Nov 19, 2021 2:15 pm
Forum: General
Topic: RB-5009 Initial Setup and VLAN configuration
Replies: 6
Views: 809

Re: RB-5009 Initial Setup and VLAN configuration

kk I would also use the unused ether8 as ether8-emergaccess. Give it an IP of 192.168.66.2 network 192.168.66.0 take ether8 off the bridge. Ensure you add it to the management interface as a member. Step 1: You have to define ALL the vlans on the RB5009, you only have defined vlan50 ???? In other wo...
by anav
Fri Nov 19, 2021 3:31 am
Forum: Beginner Basics
Topic: Working around NAT hairpin [SOLVED]
Replies: 27
Views: 2032

Re: Working around NAT hairpin [SOLVED]

Buuuut, I still cannot use testdomain.com from any computer on my internal network, for example a PC with IP 192.168.88.101, it still takes me to MT login page from any of those computers. If I type 192.168.90.200 instead, it will correctly open the website. As I wrote another dozen times already, ...
by anav
Fri Nov 19, 2021 12:45 am
Forum: Beginner Basics
Topic: Working around NAT hairpin [SOLVED]
Replies: 27
Views: 2032

Re: Working around NAT hairpin [SOLVED]

So MKX, Having the server on a different subnet from the Users DOES NOT avoid hairpin nat? ? Further the issue is the makeup of the normal dstnat rule and thus the real culprit is "in-interface-list=WAN" or in-interface=WAN for a dynamic WANIP?? If so I have been working from a wrong assum...
by anav
Thu Nov 18, 2021 11:49 pm
Forum: General
Topic: Botnet and bad actor filters
Replies: 22
Views: 2288

Re: Botnet and bad actor filters

Seeing @anav promoting a useless blacklist and then trying to justify it, is hilarious. Please, continue. I have no steak or stake in any blacklists. I am trying to ascertain the impractical from the practical and apply necessary rules in a minimalistic approach. Thus far I am hearing. Probes are ...
by anav
Thu Nov 18, 2021 11:38 pm
Forum: Beginner Basics
Topic: Working around NAT hairpin [SOLVED]
Replies: 27
Views: 2032

Re: Working around NAT hairpin [SOLVED]

Haha unfortunately I feel so dumb, I still haven't worked it out :) Okay, just to cover the basics, about this: If it's no issue to move the server to a different subnet then you are done! Move subnet to different LAN (or users) So, my primary network is 192.168.88.x, and all the client computers ar...
by anav
Thu Nov 18, 2021 11:15 pm
Forum: General
Topic: Botnet and bad actor filters
Replies: 22
Views: 2288

Re: Botnet and bad actor filters

I am making no progress here. So, even if I don't have any ports open, my router is still using cycles to answer port probes?? Is it better to drop all such probes in raw, or ignore the probes? chain=raw action=drop dst-ports=1-65000 in-interface-list=WAN honeypot seem complicated..... I am just gett...
by anav
Thu Nov 18, 2021 11:03 pm
Forum: General
Topic: Firewall filter rule ignored?
Replies: 13
Views: 859

Re: Firewall filter rule ignored?

Basically, I would not put any rules above the default rules myself. But why is your permit SSH rule WIDE FRIGGEN OPEN. Did you mean SSH to be open to the internet and the LAN? If it's for the internet, I suggest using a VPN for access instead. If it's for LAN users or the admin then add chain=input actio...