Search found 20293 matches

by anav
Mon Jun 24, 2024 1:58 am
Forum: Beginner Basics
Topic: Slow internet with load balancing PCC
Replies: 5
Views: 199

Re: Slow internet with load balancing PCC

Cannot help your config is missing 192.168.0.0-192.168.3.0 lan subnets........... I see them in mangling but no clue what they are. Are you saying that all your WANs are private IPs? Or are they all dynamic and public but you are simply showing them as private??? Until the WAN situation is sorted ou...
by anav
Mon Jun 24, 2024 1:52 am
Forum: Beginner Basics
Topic: Internet Connectivity Issue with MikroTik Router [SOLVED]
Replies: 6
Views: 233

Re: Internet Connectivity Issue with MikroTik Router [SOLVED]

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
by anav
Mon Jun 24, 2024 1:51 am
Forum: General
Topic: Securing Wireguard setup
Replies: 2
Views: 127

Re: Securing Wireguard setup

Good questions.. (1) The input chain rule can be simplified to just: /ip firewall filter add chain=input action=accept dst-port=49152 protocol=udp comment="accept Wireguard traffic" (2) What most do when the router is the server for handshake is make the wireguard part of the LAN interface...
by anav
Sun Jun 23, 2024 6:02 pm
Forum: General
Topic: script to replace IP address in routes [SOLVED]
Replies: 4
Views: 195

Re: script to replace IP address in routes [SOLVED]

Yup that's pretty common, one identifies the IP route via a unique comment on the IP route line. I have one but do it in the IP DHCP client section (fiber). In my case I have two DNS addresses I check for the IP so I have to change two routes and thus have two find rules. For efficiency's sake I could ...
by anav
Sun Jun 23, 2024 4:10 pm
Forum: Beginner Basics
Topic: VLANs - firewall rules
Replies: 3
Views: 347

Re: VLANs - firewall rules

Read through this for better understanding.......
viewtopic.php?t=143620
by anav
Sun Jun 23, 2024 4:02 pm
Forum: General
Topic: Recursive routing working in 7.6?
Replies: 16
Views: 2721

Re: Recursive routing working in 7.6?

Whatever gotsprings did there, it's complete BS IMHO. What are your requirements 2 WANs, 3 WANs... ? Both public or private IPs, dynamic/static? There are two approaches to recursive........ FLAT NESTED Flat is basically one DNS server IP to one WAN ISP You can add more DNS per WAN ISP Nested is ...
by anav
Sun Jun 23, 2024 3:57 pm
Forum: General
Topic: script to replace IP address in routes [SOLVED]
Replies: 4
Views: 195

Re: script to replace IP address in routes [SOLVED]

You have to create a script that reads the new gateway from the ISP and then manually inserts it into the applicable IP route(s).
Search on the forum, it's been covered a lot.
by anav
Sun Jun 23, 2024 3:47 am
Forum: Beginner Basics
Topic: Port forwarding [SOLVED]
Replies: 7
Views: 323

Re: Port forwarding [SOLVED]

To think most people here questioned my need for a sandbox training forum for new posters............... most people are morons. Glad to help once you post your config. In general for a complex setup and question, a network diagram is a good idea - but not usually for simple port forward. Also often...
by anav
Sun Jun 23, 2024 12:29 am
Forum: Beginner Basics
Topic: How to open ports?
Replies: 7
Views: 384

Re: How to open ports?

https://www.youtube.com/watch?v=rwjtRLQjMjA&t=2143s https://www.youtube.com/watch?v=Q9qwgKrw-0g https://www.youtube.com/watch?v=GTDgeZLc190&t=486s https://www.youtube.com/watch?v=NXvHdZbAuTI&t=13s https://www.youtube.com/watch?v=nBUh5Nk2F1k https://www.youtube.com/watch?v=a_8AV6vIDYQ htt...
by anav
Sun Jun 23, 2024 12:21 am
Forum: General
Topic: Wireguard ProtonVPN config for a single IP [SOLVED]
Replies: 6
Views: 304

Re: Wireguard ProtonVPN config for a single IP [SOLVED]

Yes that would do it, I assumed that was short form for 0.0.0.0/0 and didn't mention it. I will know better next time thanks for the feedback.
Glad it's working for ya.
by anav
Sat Jun 22, 2024 7:13 pm
Forum: Beginner Basics
Topic: Wireless VLANs on ROS 7.15.0
Replies: 4
Views: 216

Re: Wireless VLANs on ROS 7.15.0

No doubt your config is not correct. Post both configs, MT and CCS326. Assuming you get a public IP from the draytek modem and the AX3 is acting as a full AP router. /export file=anynamewyouwish ( minus router serial number, any public WANIP information, keys etc.) unless you use capsman and then I ca...
by anav
Sat Jun 22, 2024 7:08 pm
Forum: General
Topic: Wireguard ProtonVPN config for a single IP [SOLVED]
Replies: 6
Views: 304

Re: Wireguard ProtonVPN config for a single IP [SOLVED]

First, details matter (1) the request was to do this in firewall forward chain. add chain=forward action=accept src-address=192.168.20.9/32 out-interface=wg-protonvpn log=yes log-prefix="outbound proton" (2) why did you try pinging anything until the rest of the rules were completed? Also ...
by anav
Sat Jun 22, 2024 7:00 pm
Forum: General
Topic: r/MikroTik, unofficial subreddit, my own personalized approach to discuss this topic given my experiences
Replies: 8
Views: 470

Re: r/MikroTik, unofficial subreddit, my own personalized approach to discuss this topic given my experiences

You suffer a common affliction: verbal diarrhea. Please seek counselling as your problems have nothing to do with Mikrotik RoS and furthermore no one here has the time or capacity to deal with it.
by anav
Sat Jun 22, 2024 2:30 pm
Forum: General
Topic: Wireguard ProtonVPN config for a single IP [SOLVED]
Replies: 6
Views: 304

Re: Wireguard ProtonVPN config for a single IP [SOLVED]

Don't see anything on a quick review.................. Yes one can either add proton interface to WAN interface list or separate srcnat rule, both work. (1) Do you have a firewall rule allowing single device to enter proton tunnel? (2) simplify the rule....... /routing rule add action=lookup-only-in-...
by anav
Sat Jun 22, 2024 1:30 pm
Forum: Beginner Basics
Topic: Port forwarding [SOLVED]
Replies: 7
Views: 323

Re: Port forwarding [SOLVED]

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
by anav
Sat Jun 22, 2024 2:54 am
Forum: General
Topic: Default firewall rule for loopback, now that lo interface exists
Replies: 16
Views: 692

Re: Default firewall rule for loopback, now that lo interface exists

Nice use of wireguard connection. Makes sense!
by anav
Fri Jun 21, 2024 8:55 pm
Forum: General
Topic: Default firewall rule for loopback, now that lo interface exists
Replies: 16
Views: 692

Re: Default firewall rule for loopback, now that lo interface exists

How can you ping wireguard road warriors when you don't know their public WANIP?
What is the value in this knowledge?
by anav
Fri Jun 21, 2024 8:53 pm
Forum: General
Topic: Routing gateway by interface name not working consistently
Replies: 3
Views: 153

Re: Routing gateway by interface name not working consistently

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
by anav
Fri Jun 21, 2024 2:33 pm
Forum: Beginner Basics
Topic: Hex as Switch; VLANs Can't Access Winbox
Replies: 5
Views: 318

Re: Hex as Switch; VLANs Can't Access Winbox

Your setup is not quite there........... this would be correct.... (1) only entry required on bridge setting is turning vlan filtering on. (2) I prefer manually entering the untagged and that way it shows up on config exports and can match visually with bridge port settings. (3) Address for the devi...
by anav
Fri Jun 21, 2024 2:15 pm
Forum: General
Topic: Default firewall rule for loopback, now that lo interface exists
Replies: 16
Views: 692

Re: Default firewall rule for loopback, now that lo interface exists

You speak in riddles. What is the requirement in traffic flow for: a. user b. device Allow the router back to itself means nothing to me. Are you saying the admin needs to do something, a user needs to do something, explain in terms of required traffic flow. Unless of course, you have an AI mikrotik...
by anav
Fri Jun 21, 2024 2:12 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 604

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

Connection new is in examples, but it's not required in mangles nor in firewall rules. One has to take MT documentation with a grain of salt. It could be used in mangles in very specific circumstances to finesse the identifying of traffic but not in your case. The new-connection-mark appears when you...
by anav
Thu Jun 20, 2024 10:35 pm
Forum: Beginner Basics
Topic: How to open ports?
Replies: 7
Views: 384

Re: How to open ports?

Sorry not my job, I am here to help people with their issues. Take some courses, read some books, watch decent videos, and if you have questions, based on some EFFORT, on the subject at hand, then I will gladly respond. https://www.amazon.ca/s?k=mikrotik+book&crid=28D1WR29OK20B&sprefix=mikrot...
by anav
Thu Jun 20, 2024 10:33 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1081

Re: Dual Wan

Well you must be precise and I could care less about WAN2, I care about user/device traffic needs. Primary -WAN1 Secondary -WAN2 (failover) a. access to WAN1 for all (all the time). b. access to WAN2 all the time for a few devices, when failover occurs c. access to WAN2 part time (8-5 M-F) for a few...
by anav
Thu Jun 20, 2024 8:13 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1081

Re: Dual Wan

So the last entry was interesting, as you are attempting to communicate requirements. First that you are trying to limit access to WAN2 for some users/devices ?????... Assuming T Mobile is your failover WAN. It would seem you have a few user/devices that can have access to WAN1 ALL the time, but sho...
by anav
Thu Jun 20, 2024 7:47 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 604

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

Only real change is adding distance to WAN2. /ip route add check-gateway=ping distance=1 dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-table=main add check-gateway=ping distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-table=main add dst-address=0.0.0.0/0 gateway=192.168.8.1 routing-t...
by anav
Thu Jun 20, 2024 7:43 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 604

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

(1) don't need connection-state=new (2) REMOVE 8291 from port forwarding, this is a router service, so port forwarding does not apply, FURTHER, it's not safe to access from external....... REMOVED. Clue port forwarding to gateway is usually not a good idea! The first set of rules below are ONLY REQUIR...
by anav
Thu Jun 20, 2024 5:54 pm
Forum: General
Topic: Default firewall rule for loopback, now that lo interface exists
Replies: 16
Views: 692

Re: Default firewall rule for loopback, now that lo interface exists

It's genetic......... like Łukasiewicz notation ;-)
by anav
Thu Jun 20, 2024 5:37 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 604

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

Without looking at config, if you can ping clients but not reach them...........hmmm Normally On fritz a. need static route stating if you want to reach 192.168.3.0/24 use gateway of 192.168.254 b. need at least firewall rule for 3.0 user to visit 2.0 users. However, since MT is a router you could a...
by anav
Thu Jun 20, 2024 5:28 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 604

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

All understood. PTP is primary WAN, with throughput of 20Mbps 4G router is secondary WAN with throughput roughly double of 50Mbps If this is the case then I would at least do PCC on a 2:1 type basis............ 3:0 wan1 - 4g 3:1 wan2 adsl 3:2 wan1 - 4g The queuing is confusing why are you: - targeti...
by anav
Thu Jun 20, 2024 5:13 pm
Forum: Beginner Basics
Topic: How to open ports?
Replies: 7
Views: 384

Re: How to open ports?

Why don't you stop providing advice until you learn more about RoS please. Your advice is incomplete in multiple ways.
by anav
Thu Jun 20, 2024 5:09 pm
Forum: Beginner Basics
Topic: block cross traffic
Replies: 2
Views: 209

Re: block cross traffic

mkx is suffering from timidness today. Much better to for example at the end of the forward chain put add action=drop chain=forward comment="drop all else" above this as follows: /ip firewall { default rules to keep } add action=fasttrack-connection chain=forward connection-state=establish...
by anav
Thu Jun 20, 2024 4:06 pm
Forum: Beginner Basics
Topic: VLANs - firewall rules
Replies: 3
Views: 347

Re: VLANs - firewall rules

1. You should not be able to access subnets behind the router via your public IP address ( or domain name etc.). If you need to reach servers you would use dstnat rules (port forwarding to do so). So it's not clear what you want to achieve exactly. Do you mean access from external locations, do you m...
by anav
Wed Jun 19, 2024 10:00 pm
Forum: Beginner Basics
Topic: No response from NordVPN over OVPN Client config - Router OS 7.15.1 [SOLVED]
Replies: 3
Views: 283

Re: No response from NordVPN over OVPN Client config - Router OS 7.15.1 [SOLVED]

Yes NordLynx crappola. I wonder if you open their app one can find all the necessary info and thus translate it to the router............ Specifically need: a. Wireguard endpoint Port b. Wireguard endpoint address c. DNS server or address preferred/requested/installed by nordlynx app d. Wireguard ad...
by anav
Wed Jun 19, 2024 9:48 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 604

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

(1) You have wireguard Okay I see this is not for remote access to the MT but to go out a third party for wireguard?? Please confirm who/what/where is providing server instance for handshake. (and purpose of wireguard in your setup) (2) What is the purpose of queuing? You have PCC setup on wan1 and ...
by anav
Wed Jun 19, 2024 9:43 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 604

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

duplicate
by anav
Wed Jun 19, 2024 9:30 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 604

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

hahahaha, I love the long lines of MT config, it's like poetry. What I want is for each new poster to first be eligible for a sandbox forum. There they have to read some dos and don'ts and then present their post after reading. IF the post meets the standards the post gets elevated to the beginner for...
by anav
Wed Jun 19, 2024 6:48 pm
Forum: Beginner Basics
Topic: Mikrotik "WAN" from Fortigate, cannot access devices after Fortigate
Replies: 2
Views: 209

Re: Mikrotik "WAN" from Fortigate, cannot access devices after Fortigate

If you want to create a subnet on the mikrotik then it will have to act as a router not a switch. In this case the 10.10.10.X address assigned to the MT by the Fortigate will be: a. the LANIP of the MT on the fortinet lan subnet b. the WANIP of the MT. What you need to decide behind the MT is if a. ...
by anav
Wed Jun 19, 2024 6:42 pm
Forum: Beginner Basics
Topic: Problems with wireguard and Mobile Data
Replies: 3
Views: 243

Re: Problems with wireguard and Mobile Data

The issue is you are getting a private IP from the ISP device and not a public IP.
PPPOE would seem not to be required in this case but not sure.

Can you at least forward ports on the ISP device to the MT????
by anav
Wed Jun 19, 2024 6:40 pm
Forum: Beginner Basics
Topic: How to open ports?
Replies: 7
Views: 384

Re: How to open ports?

Do you have a public IP or does your upstream router allow you to open ports?
What is your level of knowledge configuring MT routers as the RB5009 is not for the faint of heart.
by anav
Wed Jun 19, 2024 6:31 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 14
Views: 604

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

without seeing the config...........................

/export file=anynameyouwish (minus router serial number, any public WANIP info, keys etc. )
by anav
Wed Jun 19, 2024 6:13 pm
Forum: General
Topic: Too tight firewall rules? I'm lost!
Replies: 2
Views: 192

Re: Too tight firewall rules? I'm lost!

Better yet is to realize the config is all connected
/export file=anynameyouwish ( minus router serial#, any public WANIP information, keys, etc. )
by anav
Wed Jun 19, 2024 4:43 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1082

Re: WireGuard routing

R2 CONFIG Main focus is simplifying Wireguard Setup, only one interface required for own vpn /interface wireguard add comment="WG-own-VPN RB5009" listen-port=51819 mtu=1420 name=WG-Server /interface list add name=LANs /interface list add name=WANs /interface list member add interface=Bri...
by anav
Wed Jun 19, 2024 3:58 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1082

Re: WireGuard routing

R3 CONFIG /interface wireguard peers add allowed-address=10.7.0.0/24,10.10.10.0/24,10.10.11.0/24,10.10.12.0/24 comment="to WG-Own-VPN" endpoint-address=xxxx.xx endpoint-port=51819 interface=WG2-AX3 persistent-keepalive=1m public-key="xxxx" /interface list add name=LANs /interfa...
by anav
Wed Jun 19, 2024 3:20 pm
Forum: Beginner Basics
Topic: Hex as Switch; VLANs Can't Access Winbox
Replies: 5
Views: 318

Re: Hex as Switch; VLANs Can't Access Winbox

Well you do not state the purpose of ether5 clearly, as it's another trunk port. One has to assume it's thus going to another smart device and will have to carry the trusted LAN to the next smart device as each smart device should get an IP address on the trusted subnet. Why would you bother putting t...
by anav
Wed Jun 19, 2024 3:01 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1751

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

/ip neighbor discovery-settings set discover-interface-list=LAN /ip settings set rp-filter=loose tcp-syncookies=no /interface detect-internet set detect-interface-list=none REMOVE - /ip dns static add address=192.168.0.1 comment=defconf name=router.lan REMOVE net mask if you entered it manually. Rem...
by anav
Wed Jun 19, 2024 2:50 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1082

Re: WireGuard routing

Okay will ignore VPS for now............. sorry for the sidetrack but I like to make the whole thing work :-)
The First post focussing on the router is all valid for the purpose of inter LAN traffic and admin able to access each router when local and remote.
by anav
Wed Jun 19, 2024 2:47 pm
Forum: General
Topic: VLAN tag on port vs Switch Chip
Replies: 5
Views: 366

Re: VLAN tag on port vs Switch Chip

Since both work for you and you can measure the performance via speed tests and you can monitor the CPU usage, this is a non-problem. Being a trainer, not sure why the facts are not good enough??? What the heck is operator vlan, like making up new terms to confuse people............... If your fishi...
by anav
Tue Jun 18, 2024 11:14 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1082

Re: WireGuard routing

Enjoy, There are two methods one can choose. There is no automated method to enable and disable at will. You will have to manually decide when and if there is VPS or Local WAN access. 1. Use of Table, IP route, and Routing rules. 2. Use of table, IP route and Mangling (via address list) /ip table an...
by anav
Tue Jun 18, 2024 9:12 pm
Forum: Beginner Basics
Topic: Tunneling internet traffic through IPsec tunnel
Replies: 2
Views: 203

Re: Tunneling internet traffic through IPsec tunnel

Concur like 200-400 Mbps max for ethernet and a portion of that for any VPN. What is your ISP throughput at home? Do you have a public IP at home (static or dynamic)? EGADs, Your rules are a mess and need to be simplified and put in their correct locations. Looks like dynamic PPPOE Besides getting a...
by anav
Tue Jun 18, 2024 6:45 pm
Forum: Beginner Basics
Topic: hap ax3 wifi interfaces
Replies: 13
Views: 2100

Re: hap ax3 wifi interfaces

Perhaps we should call the hapax3 ( with no interFACES), the hap"Arya Stark".
by anav
Tue Jun 18, 2024 6:04 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1081

Re: Dual Wan

Difference between simple but don't understand RoS and complex and don't understand RoS.
So concur one has to get comfortable with RoS to some degree to see the difference.
I recommend Slovenian beer LOL.
by anav
Tue Jun 18, 2024 5:58 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1081

Re: Dual Wan

There was nothing complex about the firewall rules on the initial post as a solution, nor actually is anything else complex mentioned above.
by anav
Tue Jun 18, 2024 5:57 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1082

Re: WireGuard routing

Once we remove the unknowns and get R1 to where it should be we can move to R3 and then finally R2.
by anav
Tue Jun 18, 2024 5:56 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1082

Re: WireGuard routing

Ahh okay. So main wireguard is to connect routers and subnets and admin access VPS wireguard is to allow certain user access to independent internet. Might work fine but context allows one to make sense of the config. R2-->AX3 -Server Peer for Wireguard network R1 -->RB5009 -Client Peer for Wiregua...
by anav
Mon Jun 17, 2024 11:52 pm
Forum: Beginner Basics
Topic: Firewall - 80 & 443 to Server
Replies: 3
Views: 300

Re: Firewall - 80 & 443 to Server

I recommend. Larsa's Visa Card Number.
by anav
Mon Jun 17, 2024 11:05 pm
Forum: Beginner Basics
Topic: Firewall - 80 & 443 to Server
Replies: 3
Views: 300

Re: Firewall - 80 & 443 to Server

Why not change title too, so it's not an attractive stopping place.
by anav
Mon Jun 17, 2024 10:26 pm
Forum: General
Topic: Route Netflix traffic via VPN
Replies: 21
Views: 1396

Re: Route Netflix traffic via VPN

Nice!!!
by anav
Mon Jun 17, 2024 5:08 pm
Forum: Beginner Basics
Topic: IPIP vpn - basic question
Replies: 2
Views: 341

Re: IPIP vpn - basic question

IP --> IP between MT devices is very easy and my choice for back up to wireguard.
All that is required is an ipsec secret shared between the two devices.

For single users not that easy, but wireguard for sure is, but not sure how it scales for large number of users
by anav
Mon Jun 17, 2024 4:51 pm
Forum: Beginner Basics
Topic: VLAN instable ping and connection
Replies: 6
Views: 486

Re: VLAN instable ping and connection

As you can see on the provided link, use of vlan1 is a NO GO.
Make it vlan10 and you are good. Vlan1 is used by the router in the background, do not use!!

If you need an example, think of the base vlan as vlan1
by anav
Mon Jun 17, 2024 4:50 pm
Forum: General
Topic: ccr2004-1G-12S+2XS - performance
Replies: 5
Views: 436

Re: ccr2004-1G-12S+2XS - performance

Concur, you bought a router that for all intents and purposes will be able to route from WAN to LAN maxing out around 5gbps real world. I do note that just bridging and just routing with no other rules in play is around 25gbps. What is not clear to me is what happens on the switching side. a. etherpor...
by anav
Mon Jun 17, 2024 4:45 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1751

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

1. Best --> have all users wireguard to the inside of the router and then access server.
2. Better --> Ensure you use a source address or source address list for external originators when possible (on dstnat rules). Then ports do not appear on scans, open or closed.
by anav
Mon Jun 17, 2024 2:46 pm
Forum: General
Topic: Access to Mikrotik from wireguard peer
Replies: 6
Views: 319

Re: Access to Mikrotik from wireguard peer

Concur, there are many instances where wireguard is to a third party server and in that case it makes more sense for WG to be part of the WAN interface list, and thus the default masquerade rule covers local subnet to wireguard traffic.
by anav
Mon Jun 17, 2024 2:44 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1360

Re: Long Term release or new functions?

Economics, reality vs wishes of naive software trained folks. If the lack of LTS is hurting the bottom line, finite resources will be shifted or a case could be made for more resources. As stated these polls are a waste of time and are not used to direct or influence any level of management at MT. I...
by anav
Mon Jun 17, 2024 2:33 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1082

Re: WireGuard routing

Your use of subnets for wireguard is problematic, when I get time will modify it.......... Now I see some new information previously not noted, you have a second wireguard network to VPS?? So to be clear R2 is the VPS, RB5009 is R1 and AX3 is R3 ?? Configs of each device are required not just one......
by anav
Mon Jun 17, 2024 2:30 pm
Forum: Beginner Basics
Topic: VLAN instable ping and connection
Replies: 6
Views: 486

Re: VLAN instable ping and connection

Many things wrong 1. first it's not a complete export /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) 2. You're mixing apples and oranges, once you go vlans, don't have the bridge do any dhcp, simply give that subnet a vlan like the rest.... https://for...
by anav
Mon Jun 17, 2024 2:25 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1360

Re: Long Term release or new functions?

Ur not listening. There is not enough staff to do all. If they apply resources doing LTS effort, then those resources are not available on other work. The answer is more staff, and that ain't going to happen unless the lack of staff is hindering profit margins. Remember people are the most expensive ...
by anav
Mon Jun 17, 2024 2:21 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1751

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

Perhaps, do you or do you not have an IPV6 internet connection?? If not why do you have ipv6 rules, and lists........
by anav
Mon Jun 17, 2024 2:19 pm
Forum: General
Topic: Access to Mikrotik from wireguard peer
Replies: 6
Views: 319

Re: Access to Mikrotik from wireguard peer

Your config is wrong, a reasonable request to post it has been ignored.
by anav
Sun Jun 16, 2024 11:43 pm
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 15
Views: 2346

Re: Problems with mangle-rules on RouterOS 7.12

Shon post complete config and will look.

/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.)
by anav
Sun Jun 16, 2024 10:10 pm
Forum: Beginner Basics
Topic: No traffic via Mikrotik Wireguard
Replies: 5
Views: 467

Re: No traffic via Mikrotik Wireguard

1. Why do you have this rule, it's an advanced usage functionality that should be avoided if not required. /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes 2. Modify bridge ports as such. /interface bridge port add bridge=BR1 ingress-filtering=yes frame-type=admit-only-v...
by anav
Sun Jun 16, 2024 9:46 pm
Forum: Beginner Basics
Topic: WireGuard routing
Replies: 13
Views: 1082

Re: WireGuard routing

All doable but not quite clear yet. 1. What is the role of R2 with respect to wireguard ( server for handshake for both R1 and R3 ). 2. R2 is the only one of the three with a public IP address or the ability of an upstream ISP router to forward a port? 3. Why are there two wireguard interfaces ident...
by anav
Sun Jun 16, 2024 9:35 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1081

Re: Dual Wan

So access list will work for known devices and I can certainly assign static IPs. What about unknown devices/ visitors on Wi-Fi? Is there another way? Can I allow access to wan1 and wan2 for eth3,4. But eth5,6,7,8 only to wan1 and never wan2. There are actually two requests here............ a. unkn...
by anav
Sun Jun 16, 2024 8:42 pm
Forum: General
Topic: Route Netflix traffic via VPN
Replies: 21
Views: 1396

Re: Route Netflix traffic via VPN

True dat, I never looked at the text and just saw that foreign looking hieroglyphics and looking at it more closely does appear to be a script of some sort LOL As to the question easy peasy. Dedicate one VLAN to netflix use ( AKA, be it the apple tv box, or android box etc........ the device in quest...
by anav
Sun Jun 16, 2024 8:37 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1751

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

Not familiar with IPV6, and I was always given the impression that IPV6 was perfectly safe, obviously not only do you not have the additional protection of NAT, one still needs full set of firewall rules............. don't see why it's any better.
by anav
Sun Jun 16, 2024 12:43 am
Forum: General
Topic: Route Netflix traffic via VPN
Replies: 21
Views: 1396

Re: Route Netflix traffic via VPN

That doesn't look like Mikrotik OS, me thinks you're in the wrong forum.
by anav
Sat Jun 15, 2024 6:15 pm
Forum: Beginner Basics
Topic: Config Thoughts?
Replies: 5
Views: 593

Re: Config Thoughts?

(1) If the name of your vlan is name=v88-Primary
Don't use the same name for everything else, WAY WAY too confusing.

Right now your IP pool, dhcp-server etc have the same name................
by anav
Sat Jun 15, 2024 6:05 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wireguard fail
Replies: 15
Views: 1651

Re: Both Openvpn and Wireguard fail

Where is the main internet on your diagram WAN1, I only see LTE?? What is the role of that asus router?? Why do you have two wireguards defined on the L1009? I can see the requirement for a NORMAL wireguard connection to the VPS as you state all subnets to get internet through VPS. But what happens ...
by anav
Sat Jun 15, 2024 6:02 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1081

Re: Dual Wan

I am not interested in chasing your wish list. Either your requirements are as stated - all devices use WAN1 as primary - only 5 devices use WAN2 as secondary. Or it's something else......... if you don't know what you want, suggest you need to plan first and then rewrite your requirements to be accura...
by anav
Sat Jun 15, 2024 5:58 pm
Forum: Beginner Basics
Topic: No traffic via Mikrotik Wireguard
Replies: 5
Views: 467

Re: No traffic via Mikrotik Wireguard

First, would need to see config of router /export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.) Second, would need to know if FOR SURE your wanip is public! ( also good to know if static or dynamic ). Observations thus far: 1. Assuming WG address on MT routers...
by anav
Sat Jun 15, 2024 5:52 pm
Forum: Beginner Basics
Topic: Vlan Switch to a single router
Replies: 4
Views: 1026

Re: Vlan Switch to a single router

/interface bridge add ingress-filtering=no name=bridgegym vlan-filtering=yes /interface ethernet set [ find default-name=ether2 ] name=emergaccess /interface vlan add interface=bridgegym name=homeVlan vlan-id=12 { mandatory, management or trusted vlan must be identified in /interface vlan - do not ...
by anav
Sat Jun 15, 2024 5:46 pm
Forum: General
Topic: problem with routers
Replies: 4
Views: 359

Re: problem with routers

Need to know the requirements.
a. PCC load balance or
b. wan1 priority, failover to wan2, failover to wan3
c. any users hard coded to go out WANX
d. any vpn like wireguard
e. any port forwarding to lan servers.

Knowing the requirements will ensure a proper config is built.
by anav
Sat Jun 15, 2024 5:43 pm
Forum: General
Topic: AmneziaWG in RouterOS?
Replies: 10
Views: 1458

Re: AmneziaWG in RouterOS?

Interesting concept. If some routers can be set to recognize vlan traffic and this rendition of WG, avoids that detection, would seem to have some value.
by anav
Fri Jun 14, 2024 11:28 pm
Forum: General
Topic: connect a switch to two routers
Replies: 9
Views: 837

Re: connect a switch to two routers

The function of a managed switch is generally to accept a trunk port coming with a bunch of vlans including a management or trusted vlan upon which the switch gets its own IP address. The switch then funnels all the vlans out its ports to either dumb devices ( access ports ), smart devices ( trunk p...
by anav
Fri Jun 14, 2024 11:26 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1360

Re: Long Term release or new functions?

Your energy is better spent sending me liquid hops from your local brewery.
by anav
Fri Jun 14, 2024 11:25 pm
Forum: General
Topic: Recommend Mikrotik for running Container
Replies: 13
Views: 791

Re: Recommend Mikrotik for running Container

Touche!!
by anav
Fri Jun 14, 2024 11:24 pm
Forum: General
Topic: QA of software releases
Replies: 25
Views: 1454

Re: QA of software releases

Most companies dont have that much transparency/accountability...... but feel free to whine.
by anav
Fri Jun 14, 2024 7:32 pm
Forum: General
Topic: Recommend Mikrotik for running Container
Replies: 13
Views: 791

Re: Recommend Mikrotik for running Container

Is a 'running container' different from a stationary container?
by anav
Fri Jun 14, 2024 7:31 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1360

Re: Long Term release or new functions?

I thought it was a joke poll LOL, Like, I have nothing better to do today and thought this would be funny.
Concur, with the neighbour of the Pope ;-)
by anav
Fri Jun 14, 2024 5:40 pm
Forum: Beginner Basics
Topic: Can't Port Forward 1433
Replies: 10
Views: 659

Re: Can't Port Forward 1433

Ensure you have telnet Router Services DISABLED, in case it might interfere??
by anav
Fri Jun 14, 2024 5:12 pm
Forum: Beginner Basics
Topic: Dual Wan
Replies: 16
Views: 1081

Re: Dual Wan

So it sounds like you want: a. WAN1 as primary for all devices. b. WAN2 only available for failover and for a limited number of devices. The main approach is to give wan1 a lower distance than wan2 /ip route add distance=2 check-gateway=ping dst-address=0.0.0.0/0 gateway=ISP1-gateway-IP routing-tabl...
by anav
Fri Jun 14, 2024 5:01 pm
Forum: Beginner Basics
Topic: ICMP scan from my own public IP address
Replies: 1
Views: 259

Re: ICMP scan from my own public IP address

Better would be to assess what you have now...
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Fri Jun 14, 2024 4:22 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 22
Views: 1360

Re: Long Term release or new functions?

Wrong syllable, request is for more MT dev and testing staff.
by anav
Fri Jun 14, 2024 4:54 am
Forum: Beginner Basics
Topic: Can't Port Forward 1433
Replies: 10
Views: 659

Re: Can't Port Forward 1433

1. Not sure what you are doing with fancy networking stuff but lets stick to what works. The problem is you have two conflicting networks and non standard nomenclature SO NOT /ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254 /ip address add address=192.168.1.150/23 comment=defconf interf...
by anav
Thu Jun 13, 2024 11:15 pm
Forum: Beginner Basics
Topic: Can't Port Forward 1433
Replies: 10
Views: 659

Re: Can't Port Forward 1433

IF this device is connected to the internet ( not an upstream router ) then its not very secure /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=accept chain=input comment=wi...
by anav
Thu Jun 13, 2024 11:12 pm
Forum: Beginner Basics
Topic: Basic firewall hardening
Replies: 11
Views: 628

Re: Basic firewall hardening

If one is living in a warzone iPV6 looks harmless in comparison ;-) IPV6 is like taking away my comfort zone.
by anav
Thu Jun 13, 2024 11:09 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1751

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

I would want to see the complete config, its all connected.
/export file=anynameyouwish (minus router serial number, public WANIP information, keys etc. )
by anav
Thu Jun 13, 2024 11:08 pm
Forum: General
Topic: Is there a way to set local ip-address of wireguard tunnel?
Replies: 4
Views: 412

Re: Is there a way to set local ip-address of wireguard tunnel?

You are spouting gibberish. If you want to have a serious discussion
a. provide a diagram
b. explain the wans at both ends ( static, dynamic, public or private)
c. provide configs of MT devices and remote wireguard device settings
(minus serial number, any public wanip information, keys etc.)
by anav
Thu Jun 13, 2024 11:02 pm
Forum: General
Topic: QA of software releases
Replies: 25
Views: 1454

Re: QA of software releases

Yup, its about time they started to learn!! I would prefer that they are taught to ensure their first post contains coherent information so that we dont have to hunt and peck for information EVERY time. However you are straying from the gist of the thread which is testing etc......... Kudos to MT to...
by anav
Thu Jun 13, 2024 11:00 pm
Forum: General
Topic: Two Mikrotik wifi-lan sites in one subject
Replies: 2
Views: 223

Re: Two Mikrotik wifi-lan sites in one subject

Zerotier
by anav
Thu Jun 13, 2024 12:03 am
Forum: General
Topic: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router
Replies: 4
Views: 692

Re: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router

(1) My apologies I see an error I made. The allowed IPs on main router should be /interface wireguard peers add allowed-address=10.0.0.1/32,192.168.88.0/24 interface=wireguard2 name=\ peer1 public-key="******************************" The logic is that the server can have multiple peers on...
by anav
Wed Jun 12, 2024 9:48 pm
Forum: General
Topic: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs
Replies: 6
Views: 610

Re: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs

To avoid the lockout scenario,
I now advocate and use a port set OFF the bridge and I ensure its part of a management list interface.
I give it an IP of like 192.168.55.1/30 and then set my laptop to IPV4 settings of 192.168.55.2 plug it in and configure safely.
by anav
Wed Jun 12, 2024 9:46 pm
Forum: General
Topic: Why DNS servers are knocking port 5678 of pppoe-out1 interface?
Replies: 3
Views: 381

Re: Why DNS servers are knocking port 5678 of pppoe-out1 interface?

We advise setting internet detect to NONE.
by anav
Wed Jun 12, 2024 5:50 pm
Forum: Beginner Basics
Topic: Firewalls
Replies: 2
Views: 258

Re: Firewalls

I dont quite understand.
Why do you have a networking client, when you dont know how to config ????
by anav
Wed Jun 12, 2024 5:43 pm
Forum: General
Topic: Only one Wireguard peer working at a time [SOLVED]
Replies: 6
Views: 2679

Re: Only one Wireguard peer working at a time [SOLVED]

There is logic behind what has been suggested. Its just not a case of memorizing, its a case of understanding. The Server client ( for handshake ) may have 2 or more peers connecting to it. That is multiple peer to peer tunnels. The way any local traffic heading outbound gets sent is by several fact...
by anav
Wed Jun 12, 2024 5:37 pm
Forum: General
Topic: Home LAN ideas
Replies: 4
Views: 352

Re: Home LAN ideas

Legit concerns. I would say four SSIDs is reasonable 2x 2.4 and 2x5. A stretch to go to SIX but still possible. Of course vlans and firewall rules make for very flexible approaches. Typically the last rule in the forward chain is DROP ALL. That means only rules with allowed traffic above this rule a...
by anav
Wed Jun 12, 2024 5:29 pm
Forum: General
Topic: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router
Replies: 4
Views: 692

Re: Help Needed: WireGuard VPN Issues with Dual PPPoE (PCC) on MikroTik Router

Okay getting a handle on requirements and realistic requirements is important. This is not possible with normal connection let alone through a wireguard tunnel. I want to upload files from that local device using the combined speed of the dual PPPoE connections . So removing that from the table, the...
by anav
Wed Jun 12, 2024 1:41 am
Forum: General
Topic: Problem with selective routing
Replies: 3
Views: 266

Re: Problem with selective routing

Basic safe firewall ruleset. /ip firewall filter { default rules to keep } add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connecti...
by anav
Wed Jun 12, 2024 1:33 am
Forum: General
Topic: Problem with selective routing
Replies: 3
Views: 266

Re: Problem with selective routing

I would hope you are not actually connected to the internet with such UNSAFE settings. You have opened port 80 and your winbox port to the world which is a security NO NO. Pull the plug and change your config before proceeding. Assuming you mean to a third party provider of VPN services. Would have ...
by anav
Wed Jun 12, 2024 12:28 am
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 518

Re: Problems in subnet lan bridge access to wireguard peers

(1) If you entered this manually remove it should not show on config ....... /ip dhcp-server network add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.5 gateway=\ 192.168.0.5 netmask=24 (2) Modify this for the moment ..... FROM: /ip dns set allow-remote-requests=yes /ip dns static add ...
by anav
Wed Jun 12, 2024 12:19 am
Forum: Beginner Basics
Topic: Web server not accessible with Wireguard
Replies: 2
Views: 469

Re: Web server not accessible with Wireguard

So its working as it should. Lets review the requirements for what looks like an RDP server. Good idea to ensure external access is done through Wireguard. Local LAN users access Server via LANIP direct, -- Good Local LAN users access Server via DYNDNS URL - Good but not sure how seeing as you dont ...
by anav
Wed Jun 12, 2024 12:00 am
Forum: Beginner Basics
Topic: New CCR2004 Config - Did I miss anything?
Replies: 3
Views: 605

Re: New CCR2004 Config - Did I miss anything?

No there is no issue and its included in the MT default rules.
In fact, its quite handy for testing for various things and in some cases is used by the router.
by anav
Tue Jun 11, 2024 11:59 pm
Forum: General
Topic: Home LAN ideas
Replies: 4
Views: 352

Re: Home LAN ideas

Approach seems off.
VLANS is to separate users into homogenous groupings where they can all see each other at Layer2.
Sounds like you need more vlans or more WLANs or both
by anav
Tue Jun 11, 2024 11:54 pm
Forum: General
Topic: Is there a way to set local ip-address of wireguard tunnel?
Replies: 4
Views: 412

Re: Is there a way to set local ip-address of wireguard tunnel?

The ISP route is ONLY used for the initial handshake. After that traffic is sent through the tunnel which is dependent upon the wireguard address structure additional routes if necessary and applicable firewall rules. So access to your LAN from external wireguard users or another wireguard routers s...
by anav
Tue Jun 11, 2024 2:20 pm
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 518

Re: Problems in subnet lan bridge access to wireguard peers

Post your latest config for review.
by anav
Tue Jun 11, 2024 2:15 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 906

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

That is my understanding. If you have traffic that has to go from one vlan to the other, then it will be a layer3 transaction, hence router is involved. So you will be limited to 1gig traffic vice much faster speeds within the same vlan anywhere on the switch ( assuming ports greater than 1gig throug...
by anav
Tue Jun 11, 2024 4:02 am
Forum: Beginner Basics
Topic: New CCR2004 Config - Did I miss anything?
Replies: 3
Views: 605

Re: New CCR2004 Config - Did I miss anything?

Wilmer is decent, we usually quote: https://forum.mikrotik.com/viewtopic.php?t=143620 Missing Frame Types add bridge=RouterBridge interface=sfp-sfpplus2 Missing ingress-filtering=yes ALL the bridge ports. Missing interface bridge vlan entry for ether6 on vlan-id=99 ?? Not required: ( covered by vlan...
by anav
Tue Jun 11, 2024 4:00 am
Forum: Beginner Basics
Topic: HELP: Setting up a new Mikrotik router - hAP ax lite LTE6
Replies: 1
Views: 217

Re: HELP: Setting up a new Mikrotik router - hAP ax lite LTE6

This could be a torturous exercise to try and setup through exchanges here............. Which country are you in...........
Thinking teamviewer type exercise over discord to help setup the device to get it where it should be. ( safe and working )
by anav
Tue Jun 11, 2024 3:58 am
Forum: Beginner Basics
Topic: 2xWireless + VLANs + MGMT = problem
Replies: 3
Views: 291

Re: 2xWireless + VLANs + MGMT = problem

Would need to see config on both
/export file=anynameyouwish (minus device serial number, any public WANIP information, keys etc. )
by anav
Tue Jun 11, 2024 3:55 am
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 5036

Re: No WAN access via Wireguard

As I suspected DNS was an issue.
Also on my wireguard iphone settings, the wireguard IP address is put as /32 NOT /24.
by anav
Mon Jun 10, 2024 10:36 pm
Forum: General
Topic: Wireguard doesn't work and no logs
Replies: 24
Views: 3711

Re: Wireguard doesn't work and no logs

Diagram, requirements, config. with all three the problem will become clear.
Suspect the server device for handshake is not setup properly
by anav
Mon Jun 10, 2024 10:33 pm
Forum: General
Topic: Winbox on iPhone
Replies: 4
Views: 301

Re: Winbox on iPhone

How does one get to Align.. I dont see it in my wireless settings?
by anav
Mon Jun 10, 2024 10:02 pm
Forum: Beginner Basics
Topic: Dynamic port forwarding
Replies: 6
Views: 664

Re: Dynamic port forwarding

Seems interesting but why not do the following. Server one. incoming ports 200, 300, 400, 500 Server two with port translation incoming ports 201 to 200, 301 to 300, 401 to 400 and 501 to 500. Thus both are available all the time, just the port designation for the originator changes by one. Server T...
by anav
Mon Jun 10, 2024 9:58 pm
Forum: Beginner Basics
Topic: Map Lite AP Setup
Replies: 2
Views: 207

Re: Map Lite AP Setup

Just to be clear this device is both your router and access point, or simply an access point downstream from the ISP router?
by anav
Mon Jun 10, 2024 7:41 pm
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 518

Re: Problems in subnet lan bridge access to wireguard peers

Debian... Allowed IPs for both VPn1 and Client 2 seem fine. Client2 Allowed IPs seem fine, assuming 192.168.10.0/24 subnet is on the debian side somewhere. Now, the Debian will need some sort of firewall rules to allow the wireguard traffic which is peer to peer from the computer, to then enter the...
by anav
Mon Jun 10, 2024 6:55 pm
Forum: Beginner Basics
Topic: Config Thoughts?
Replies: 5
Views: 593

Re: Verify my Firewall Config

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Mon Jun 10, 2024 6:54 pm
Forum: Beginner Basics
Topic: Problems in subnet lan bridge access to wireguard peers
Replies: 7
Views: 518

Re: Problems in subnet lan bridge access to wireguard peers

If the MT is the client router, where is the Server Router? What is its config?
by anav
Mon Jun 10, 2024 6:53 pm
Forum: General
Topic: Winbox on iPhone
Replies: 4
Views: 301

Re: Winbox on iPhone

Not all functions are available on the IOS app.
by anav
Mon Jun 10, 2024 6:16 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 953

Re: Dual WAN srcnat and dst-nat setup issue

You didnt follow my firewall forward chain rules. Missing KEY RULE!! /ip firewall filter ....... ....... add action=accept chain=forward comment="internet traffic" in-interface-list=\ LANlist out-interface-list=WANlist add action=accept chain=forward comment="port forwarding" con...
by anav
Mon Jun 10, 2024 6:06 pm
Forum: Beginner Basics
Topic: Routing problem? new config
Replies: 2
Views: 340

Re: Routing problem? new config

Why do you have an expensive managed switch but no vlans ???? Please send to me I will pay postage and send you a TPLINK managed switch :-) HEX (1) Would remove this default DNS setting.. (2) If not using IPV6 disable it and can get rid of all ipv6 firewall rules and address lists. (3) I see nothing wro...
by anav
Mon Jun 10, 2024 5:42 pm
Forum: Beginner Basics
Topic: Same VLAN on diferent ports trunk and access
Replies: 2
Views: 282

Re: Same VLAN on diferent ports trunk and access

Well I would recommend a separate management Network. All the switches would get an IP on the management network etc.. Without seeing your config hard to help further. What type of switches are these ( assuming basic managed switches ). /export file=anynameyouwish (minus router serial number, public...
by anav
Mon Jun 10, 2024 5:39 pm
Forum: Beginner Basics
Topic: PCC load balancing on OS7
Replies: 2
Views: 279

Re: PCC load balancing on OS7

IF the second video does not get you all the way, then post your config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) Confirm users are coming inbound on the VPN to your router ( mikrotik is hosting VPN using its services ) not to servers on the l...
by anav
Mon Jun 10, 2024 12:07 pm
Forum: Beginner Basics
Topic: 2xWireless + VLANs + MGMT = problem
Replies: 3
Views: 291

Re: 2xWireless + VLANs + MGMT = problem

Where is the router??
by anav
Mon Jun 10, 2024 12:04 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 953

Re: Dual WAN srcnat and dst-nat setup issue

without looking at the config, suspect ISPs are blocking port 25.
Will look at it later today.
by anav
Mon Jun 10, 2024 1:37 am
Forum: General
Topic: two public IP on mikortik
Replies: 3
Views: 319

Re: two public IP on mikortik

Your config is probably wrong.
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)
by anav
Sun Jun 09, 2024 9:36 pm
Forum: Beginner Basics
Topic: How to approach network planning and then implement it?
Replies: 4
Views: 484

Re: How to approach network planning and then implement it?

Good luck. one day kicking and screaming will try ipv6
by anav
Sun Jun 09, 2024 9:35 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 5036

Re: No WAN access via Wireguard

@leik., will have a look. 1. Suggest set this to none. /interface detect-internet set detect-interface-list=all 2. Why is this setting included in your peer 2 ?? Remove it. endpoint-port=33333 3. Forward chain rules ......modify too. add action=accept chain=forward comment="internet traffic&quo...
by anav
Sun Jun 09, 2024 9:16 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 5036

Re: No WAN access via Wireguard

All it needed is a working srcnat masquerade rule with the Wireguard subnet nobody mentions this option, but for me it was the one that was missing was going crazy trying to solve the same problem thank you for sharing the solution! If the Mikrotik device is the Server Peer (one with public IP) sou...
by anav
Sat Jun 08, 2024 5:14 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 953

Re: Dual WAN srcnat and dst-nat setup issue

Okay so you are saying the Mail Server originates traffic outbound and it has to go out WAN2. You didnt notice but there is no need for interface on the dstnat rule for comcast, it should be removed. In that case lets adjust the mangle rules. {Can be first rule, ensuring Server originated traffic g...
by anav
Sat Jun 08, 2024 5:05 pm
Forum: General
Topic: Upgrading Switches using CAPSMAN
Replies: 3
Views: 523

Re: Upgrading Switches using CAPSMAN

I was hoping for less capsman and more cowbell, but I will Dude over capsman anyday!. ;-)
https://vimeo.com/406011330
by anav
Sat Jun 08, 2024 3:50 am
Forum: General
Topic: Separate routing tables in RouterOS v7
Replies: 2
Views: 4152

Re: Separate routing tables in RouterOS v7

Be advised routing rules are useful for FORCING some source addresses or subnet OUT a specific WAN. a. one has to ensure that they identify if local traffic is also required, as FORCING means all traffic. ( there are ways to deal with this ) b. mangling rules SUPERSEDE routing rules if there is over...
by anav
Sat Jun 08, 2024 3:46 am
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 953

Re: Dual WAN srcnat and dst-nat setup issue

- yes the address sort of creates a route but to be complete one must make a manual route as it pertains to non-local traffic. - so you have dyndns Urls to both IPs. To simplify, Will make WAN1 Xfinity the primary route so all traffic will go out that WAN without special rules. Will ensure that any ...
by anav
Sat Jun 08, 2024 12:30 am
Forum: General
Topic: Roadmap for ROS?
Replies: 4
Views: 433

Re: Roadmap for ROS?

Its random to us because they dont make their roadmap public.
by anav
Fri Jun 07, 2024 6:20 pm
Forum: General
Topic: RouterOS Management Ports and Protocols
Replies: 2
Views: 308

Re: RouterOS Management Ports and Protocols

Overall access to make changes via Winbox is user name-password protected. Access TO the Router ( or more accurately to router services ) is controlled by the firewall filter INPUT CHAIN. In addition, access to winbox functionality can be further delineated in two locations: a. Tools / MAC Server / ...
by anav
Fri Jun 07, 2024 5:57 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 857

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

Well to be honest I have always ONLY stuck in 0.0.0.0/0 for allowed IPs on my iphone wg setup, as being the admin I have many subnets I may wish to access, and perhaps even the internet. So you are saying that If only put a LAN that exists on the router in my allowed IPs and then I try to reach an i...
by anav
Fri Jun 07, 2024 5:39 pm
Forum: General
Topic: Can't get WireGuard to work (the way I want) [SOLVED]
Replies: 11
Views: 871

Re: Can't get WireGuard to work (the way I want) [SOLVED]

The main focus is finally being recognized, articulation of clear requirements. a. You wish to send the entire LAN out VPS for internet. ? b. You wish to send the entire LAN to VPS to reach subnet at VPS but with no internet through VPS? What happens if the VPN tunnel for whatever reason is NOT work...
by anav
Fri Jun 07, 2024 5:34 pm
Forum: General
Topic: Questions about IPSEC
Replies: 7
Views: 449

Re: Questions about IPSEC

Unless we are talking enterprise, wireguard is relatively easy. It is designed for: A. road warriors reaching: a. internet via connection point b. LAN devices c. and reaching router config for admin. B. Connecting Two or More Routers/road warriors to: a. use internet at another site b. reach lans...
by anav
Fri Jun 07, 2024 5:27 pm
Forum: General
Topic: Dual WAN srcnat and dst-nat setup issue
Replies: 12
Views: 953

Re: Dual WAN srcnat and dst-nat setup issue

(1) Address should be assigned to the bridge NOT ether5. (2) Whats with 192.168.4.11/12 running some sort of pi server for DNS and ntp. Some people do this but not sure there is any added value? Certainly NTP is better done through the router anyway, while DNS has some better effect also forcing usi...
by anav
Fri Jun 07, 2024 5:05 pm
Forum: Beginner Basics
Topic: Change Default route, no ping
Replies: 5
Views: 1520

Re: Change Default route, no ping

Too funny Holvoe, I read, that as SORRY I'm Belgian. ;-P To be clear there is no discovery its all just logic. You attempt to ping the router on WAN2. The router responds from WAN1 because WAN1 is primary. The solution as you figured out is to ensure the router responds from the same WAN. Mangl...
by anav
Fri Jun 07, 2024 4:54 pm
Forum: Announcements
Topic: v7.16beta [testing] is released!
Replies: 97
Views: 34584

Re: v7.16beta [testing] is released!

This was good too: *) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge; It even put comments on in /interface/bridge/vlan on what triggered the "D" dynamic vlan entry there, i.e. "added by pvid", "added by vlan on bridge", ......
by anav
Thu Jun 06, 2024 10:28 pm
Forum: General
Topic: Wireguard not start
Replies: 9
Views: 543

Re: Wireguard not start

Hi nichky, Sorry does not compute LOL.
I dont recall ever writing about "responder" ?
What is the context and what is the requirement?
by anav
Thu Jun 06, 2024 1:29 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1585

Re: HAP ax lite as AP

Not required. Once you go vlans the bridge just does bridging and thus is not an interface list member.
by anav
Thu Jun 06, 2024 1:27 pm
Forum: General
Topic: Wireguard not start
Replies: 9
Views: 543

Re: Wireguard not start

Not enough,
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

Plus.
What are the requirements for wireguard traffic, one user, a whole subnet etc......
by anav
Thu Jun 06, 2024 12:11 am
Forum: General
Topic: Can't get WireGuard to work (the way I want) [SOLVED]
Replies: 11
Views: 871

Re: Can't get WireGuard to work (the way I want) [SOLVED]

KK,

So the VPS server is doing its thing correctly.
Each client peer gets its own IP.

Since its assigned 6 to the MT,
then on the MT
/ip address
add address=10.66.66.6/24 interface=wireguard network=10.66.66.0


The wg address of the VPS cannot be the same and it should probably be 10.66.66.1
by anav
Wed Jun 05, 2024 11:53 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 857

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

You are mixing apples and Oranges, what is controllable is whether or not your traffic can be split. The answer is NO. On my iphone, if I connect to wireguard, ALL my traffic goes through wireguard. You can leave wireguard UP all the time, (ON DEMAND selection at very bottom) and it basically comes ...
by anav
Wed Jun 05, 2024 11:41 pm
Forum: General
Topic: Can't get WireGuard to work (the way I want) [SOLVED]
Replies: 11
Views: 871

Re: Can't get WireGuard to work (the way I want) [SOLVED]

So to be clear the VPS is a cloud server running wireguard. The biggest problem is assigning the same IP nomenclature to both devices.......... 10.66.66.6 VPS settings: Change IP to 10.66.66.1 PEER -Do not use preshared key. -For peer ensure you put the public key issued by the mikrotik router. -F...
by anav
Wed Jun 05, 2024 11:21 pm
Forum: General
Topic: Unable to access devices externally on MikroTik router
Replies: 6
Views: 943

Re: Unable to access devices externally on MikroTik router

Get a mikrotik router vice the custom jobbie.
by anav
Wed Jun 05, 2024 2:43 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 857

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

Do not follow. Okay so the Wireguard connects fine. The IOS app is to connect to Winbox, as I stated you can do that using most interfaces be it the wireguard interface, the homelan interface etc.. The app is not to connect to home lan devices. /export file=anynameyouwish (minus router serial number...
by anav
Wed Jun 05, 2024 2:40 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 843

Re: cycle outgoing IP addresses

Assigning the next IP?? That doesnt sound random LOL.
by anav
Wed Jun 05, 2024 2:34 am
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 843

Re: cycle outgoing IP addresses

Seriously?
What is the reason?
Its starting to smell like your client is doing something illegal and suggest you dissolve your relationship.
Either that or the client is going to make your life difficult with a continuous stream of over the top requirements based on what ??????????
by anav
Tue Jun 04, 2024 10:29 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1651

Re: Both Openvpn and Wiregurard fail

(1) There is a problem with some rules you have or interfaces or both hence this....... # no interface add action=drop chain=forward in-interface=*B # no interface add action=drop chain=forward out-interface=*B # no interface add action=drop chain=forward in-interface=*C # no interface add action...
by anav
Tue Jun 04, 2024 10:18 pm
Forum: General
Topic: Mikrotik IOS app login. networks to be added to allowed address in wireguard app
Replies: 9
Views: 857

Re: Mikrotik IOS app login. networks to be added to allowed address in wireguard app

The login works fine from the app when I use it.
Are you attempting winbox or something else.
On the Router you need to allow the wireguard IP to the input chain.
For address just use MT wireguard IP:winboxport
by anav
Tue Jun 04, 2024 6:36 pm
Forum: General
Topic: Mikrotik WireGuard setup for Protone VPN
Replies: 18
Views: 5689

Re: Mikrotik WireGuard setup for Protone VPN

(1) Would remove this default setting.... /ip dns static add address=192.168.88.1 comment=defconf name=router.lan (2) dont really need source address on this rule but no harm. add action=masquerade chain=srcnat out-interface=wireguard-inet src-address=\ 192.168.88.0/24 ROUTES ARE COMPLETELY BIZARRE....
by anav
Tue Jun 04, 2024 5:13 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 335
Views: 76116

Re: v7.15 [stable] is released!

Not sure, we are talking about the same thing, but whether or not the untagged vlan shows up on an export is determined by the /interface bridge vlan settings. If you do not manually put them there as untagged, they do not show as they are dynamically created. This is not new!
by anav
Tue Jun 04, 2024 4:51 pm
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 634

Re: Adding an additonal network

Hehe, I wish.
Training for worlds masters in Germany, goal, not to come last!
by anav
Tue Jun 04, 2024 4:15 pm
Forum: General
Topic: DNS and Third Party Wireguard
Replies: 0
Views: 196

DNS and Third Party Wireguard

When sending a single user or entire subnet out wireguard to fictitious "ProNord" wireguard vpn, a DNS IP address is usually provided along with the usual settings. ? Q ? --> How do we ensure that when browsing the internet, that those forced out the wireguard tunnel (typically using table...
by anav
Tue Jun 04, 2024 4:04 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 843

Re: cycle outgoing IP addresses

I have no clue on how ISPs dole out blocks of IPs......
My first thought was, use all 5 as separate WANS and load balance between them :-)
by anav
Tue Jun 04, 2024 1:43 pm
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 626

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

If its doing everything you need it to do.........
by anav
Tue Jun 04, 2024 1:40 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 906

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Got it, thanks again. So to be clear, inter-VLAN routing on the switch can be fast-tracked? It's only when going to WAN which requires NAT'ing that we have to go through CPU no matter what? CRS328-24P-4S+ doesn't support FastTrack offloading, but I suppose you've meant Inter-VLAN Hardware Routing -...
by anav
Tue Jun 04, 2024 1:34 pm
Forum: General
Topic: Mikrotik WireGuard setup for Protone VPN
Replies: 18
Views: 5689

Re: Mikrotik WireGuard setup for Protone VPN

post your config
/export file=anynameyouwish (minus router serial number, any public WANIP info, keys )

please provide setup instructions provided ( without the keys ) as in post above #14.
also did they provide a DNS IP to use?
by anav
Tue Jun 04, 2024 3:22 am
Forum: General
Topic: Mikrotik hex S can't handle with 500Mbps - CPU 95%
Replies: 6
Views: 466

Re: Mikrotik hex S can't handle with 500Mbps - CPU 95%

Traffic between devices on the switch part of the router.
by anav
Tue Jun 04, 2024 3:09 am
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 9
Views: 787

Re: Wireguard DNS Not Working as Expected

Im confused doesnt PPPOE ISP give you a dynamic PUBLIC IP address ?? The reason I ask is you have back to home in your comment for the wireguard interface and thats for the case when you dont have a public IP. Maybe just used the wording not realizing its confusing, if not true???? Also note your us...
by anav
Tue Jun 04, 2024 3:06 am
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 626

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

What I am not convinced of is that DNS is being done through the tunnel. In other words, although traffic may go through the tunnel, DNS queries may still be done through local WAN. I have a thought on how to ensure what we want. /ip firewall nat add chain=dstnat action=dst-nat src-address=192.168.8...
by anav
Tue Jun 04, 2024 2:46 am
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 626

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

Then you must be coming from an IP address on the bridge. Try this routing rule in addition to the existing routing rule and it has to go FIRST in order. /routing rule add min-prefix=0 action=lookup-only-in-table table=main add src-address=192.168.88.0/24 action=lookup table=use-WG. You should be ab...
by anav
Tue Jun 04, 2024 12:05 am
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 626

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

-The easiest way to accomplish what you wish is to separate etheport5 from the rest of the subnets. -There are two ways to accomplish this. one bridge and ethport 5 off the bridge with its own address. one bridge and two vlans We will do the first one........ -Remove default IP DNS STATIC entry -Rem...
by anav
Mon Jun 03, 2024 11:38 pm
Forum: General
Topic: Mikrotik hex S can't handle with 500Mbps - CPU 95%
Replies: 6
Views: 466

Re: Mikrotik hex S can't handle with 500Mbps - CPU 95%

Not surprising looking at the product test results....
.....
hexs.jpg
.......
by anav
Mon Jun 03, 2024 8:09 pm
Forum: Beginner Basics
Topic: Isolating one ethernet port from Wireguard VPN [SOLVED]
Replies: 10
Views: 626

Re: Isolating one ethernet port from Wireguard VPN [SOLVED]

First
- Are you connecting to a third party VPN provider??
- does ISP provide a public WANIP on WAN2 ( static or dynamic )

Second require config:
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc..)
by anav
Mon Jun 03, 2024 8:07 pm
Forum: General
Topic: Memory Leak v7.15
Replies: 5
Views: 1156

Re: Memory Leak v7.15

Nice to state here but better to send supouts and report to MT directly.
by anav
Mon Jun 03, 2024 7:32 pm
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 9
Views: 787

Re: Wireguard DNS Not Working as Expected

Description is incomplete.
What wireguard is this
a. going to third party Wireguard Server ??
b. Hosting wireguard on your router so having admin or others come in on wireguard?
c. other?

If, a, is the whole subnet supposed to use WG for internet for example??
by anav
Mon Jun 03, 2024 7:28 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1585

Re: HAP ax lite as AP

Review and config are advised with known facts and provided requirements, adding new ones at the end is too late. Since I am not working on the firewall rules any longer, not sure how to solve that. Typically that is what the Trusted or Management network is for, here the admin can access to update....
by anav
Mon Jun 03, 2024 7:21 pm
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 634

Re: Adding an additonal network

Yes, especially when I get up at 5am, 3 mornings a week to go rowing for about 10K.
by anav
Mon Jun 03, 2024 7:15 pm
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 9
Views: 787

Re: Wireguard DNS Not Working as Expected

I don't think it's possible when using a third party wireguard VPN server to avoid using the third party provided DNS server.
However with the sparse details provided who knows.
Should really provide config.
by anav
Mon Jun 03, 2024 7:12 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 906

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Not quite. The Router will do all the routing bits, including setting up all the VLANs, giving out DHCP etc. The switch will only need to get an IP address from the management vlan, and then receive all the vlans from the router on one trunk port, and then distribute the vlans out the rest of the po...
by anav
Mon Jun 03, 2024 7:09 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1585

Re: HAP ax lite as AP

Well since you use capsman, that may change the equation and I am unable to assist with that.
So stick to the rules that work for you, especially if the reason for posting has been solved. :-)
by anav
Mon Jun 03, 2024 4:30 pm
Forum: Beginner Basics
Topic: Issues with MikroTik RB951Ui-2HnD Router after being configured as WiFi Repeater [SOLVED]
Replies: 5
Views: 439

Re: Issues with MikroTik RB951Ui-2HnD Router after being configured as WiFi Repeater [SOLVED]

Just to be clear, you mean accept a wifi signal as source and then send that signal onwards to many devices ( wifi source---<router/ap>------> to smartphones/iot etc. )
OR
between two wifi devices ( wifi source ---<router>----- access point---- to smartphones/iot etc. )
by anav
Mon Jun 03, 2024 3:45 pm
Forum: General
Topic: Can't access VLAN with IP address 192.168.88.1
Replies: 1
Views: 360

Re: Can't access VLAN with IP address 192.168.88.1

(1) WTH(alibut) is this?? ( vlanID is not part of your vlan list AND where is the identified port ??? ) add bridge=BR0_LAN tagged=BR0_LAN vlan-ids=1 ????? (2) Your /interface bridge vlan rules are wrong they do not match /interface bridge ports. In addition your sfp plus TRUNK port has a pvid assign...
by anav
Mon Jun 03, 2024 3:43 pm
Forum: General
Topic: HAP ax lite as AP
Replies: 16
Views: 1585

Re: HAP ax lite as AP

Please take the time to implement firewall rules and all recommended changes then repost and ask for review.
by anav
Mon Jun 03, 2024 3:41 pm
Forum: Beginner Basics
Topic: Unable to connect to SMTP service port on WAN IP. [SOLVED]
Replies: 3
Views: 292

Re: Unable to connect to SMTP service port on WAN IP. [SOLVED]

Using an unencrypted mail system/server is asking to get hacked.
by anav
Mon Jun 03, 2024 3:39 pm
Forum: Beginner Basics
Topic: Set DHCP server for clients that connect to another AP
Replies: 5
Views: 720

Re: Set DHCP server for clients that connect to another AP

(1) It would appear as if you are using wireguard to a third party VPN or probably based on URL in allowed IPs, a friends MT router. In any case remove the private key entry in the settings you have in allowed IPs, not required. No need to hide wireguard port in interface wireguard, this port (when ...
by anav
Mon Jun 03, 2024 3:31 pm
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 634

Re: Adding an additonal network

hahah mkx, I fell asleep reading your post, this is what I got out of it... ( thank god I am not trained).

blahblahblahblahblahblah*()#@+!@)!&Y$)@_@+ blahblahblahblah USE VLANS blahblahblahU&((@&#(@&+(@!! blahblahblah
by anav
Mon Jun 03, 2024 3:16 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 906

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

(1) /ip settings set max-neighbor-entries=8192 rp-filter=strict would set this to loose...... (2) Why do you have a LAN attached to the bridge? I dont see any ports using LAN?? (3) HORRIBLE idea to name your bridge= LAN, its already nomenclature used by the router for various things and its very con...
by anav
Mon Jun 03, 2024 3:12 pm
Forum: General
Topic: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge
Replies: 11
Views: 906

Re: Unable to get wire speed between WLAN and LAN on CRS328-24P-4S+ with VLAN bridge

Did it ever occur to you that you bought a switch not a router. Sure it can be used as a router, RoS is fantastically flexible, but still, there are limits on throughput for WAN connectivity. I am actually shocked that you managed to get over 500 Mbps. You must not have many rules............... ( don't...
by anav
Mon Jun 03, 2024 2:23 am
Forum: Wireless Networking
Topic: Hap AX2, need help understanding/troubleshooting issue with 2.4GHz connection.
Replies: 8
Views: 1032

Re: Hap AX2, need help understanding/troubleshooting issue with 2.4GHz connection.

Config of both devices is required.
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
by anav
Mon Jun 03, 2024 2:21 am
Forum: Beginner Basics
Topic: Set DHCP server for clients that connect to another AP
Replies: 5
Views: 720

Re: Set DHCP server for clients that connect to another AP

What is the config on the MT.......
/export file=anynameyouwish ( minus router serial number and any public WANIP information )
by anav
Mon Jun 03, 2024 2:19 am
Forum: General
Topic: MVRP usage [SOLVED]
Replies: 10
Views: 759

Re: MVRP usage [SOLVED]

The point being it's a trunk port to trunk port activity.
It does nothing to change the fact that one would have to manually untag the vlan for any specific port on a switch.
by anav
Mon Jun 03, 2024 1:12 am
Forum: Beginner Basics
Topic: Adding an additonal network
Replies: 9
Views: 634

Re: Adding an additonal network

I dont understand your topology. One should normally only have ONE connection between openWRT router and CRS acting as a router. Similarly, there should only be ONE connection between CRS acting as a router and the unRAID, or more clearly stated only one route (via CRS305) from Router to UNRAID It w...
by anav
Mon Jun 03, 2024 1:00 am
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1268

Re: Routing VLAN to specific WAN using Policy Routing

Too simplistic. If you want to deviate from a logical config and measured troubleshooting steps, you are on your own. Before I go, just to let you know from the TPLink Manual from the latest version firmware. 3.3 Configure VLAN Wireless VLAN is used to set VLANs for the wireless networks. With this ...
by anav
Sun Jun 02, 2024 9:30 pm
Forum: Beginner Basics
Topic: Raspberry pihole (ad blocker) different ip than router OS network
Replies: 15
Views: 1244

Re: Raspberry pihole (ad blocker) different ip than router OS network

Bollocks, I think it will become quite familiar in your repertoire!

Not knowing what it means, the sentence seems to imply "timid" which is not what I would have used to describe your qualities. :-)
by anav
Sun Jun 02, 2024 9:27 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1651

Re: Both Openvpn and Wiregurard fail

(1) Duplicate table, remove one of them.
/routing table
add fib name=to-WG
add fib name=to-WG
(2) Nowhere did I recommend bridge filters ?? REMOVE or disable until wireguard is working!!
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-inte...
by anav
Sun Jun 02, 2024 9:15 pm
Forum: Beginner Basics
Topic: Port forwarding for Hikvision DVR
Replies: 2
Views: 359

Re: Port forwarding for Hikvision DVR

/ip firewall address-list { use dhcp static set leases for example }
add address=10.0.0.X list=Authorized comment="admin PC1"
add address=10.0.0.Y list=Authorized comment="admin PC2"
add address=VPNaddress list=Authorized comment="remote admin"
add address=mynetname.net li...
by anav
Sun Jun 02, 2024 8:55 pm
Forum: Beginner Basics
Topic: Port forwarding for Hikvision DVR
Replies: 2
Views: 359

Re: Port forwarding for Hikvision DVR

(1) It is not clear how you are trying to connect to the DVR. a. Directly from LAN device to DVR using LANIP. Y/N ? b. From Internet using dyndns URL(could be mycloud.net from ip cloud for example) Y/N ? c. From LAN using dyndns URL Y/N ? If c, are you attempting to reach DVR from the same subnet? (...
by anav
Sun Jun 02, 2024 8:50 pm
Forum: Forwarding Protocols
Topic: Mangle Issue (Failover With Two WAN)
Replies: 1
Views: 317

Re: Mangle Issue (Failover With Two WAN)

Some rules mean nothing to me................... The complete config is required for viewing /export file=anynameyouwish ( less router serial number, any public WANIP information, keys etc.) You had a good start on requirements and then fizzled a bit so lets go back to that for a bit more complete v...
by anav
Sun Jun 02, 2024 8:41 pm
Forum: Wireless Networking
Topic: cAP ax Wifi not working
Replies: 17
Views: 984

Re: cAP ax Wifi not working

(1) Stick with default mode for bridge, think its RTSP?? (2) No WAN or LAN on an AP. (3) I config my caps on the bench through ether2, off bridge, and when installed if its reachable directly or else I wire ether2 where I can at least access with laptop. Just change laptop ipv4 settings to 192.168.5...
by anav
Sun Jun 02, 2024 7:23 pm
Forum: Beginner Basics
Topic: Raspberry pihole (ad blocker) different ip than router OS network
Replies: 15
Views: 1244

Re: Raspberry pihole (ad blocker) different ip than router OS network

Anyone? If not administrator please delete this post - I'll look elsewhere. thank you. Did I say I was not interested. I asked for more information to better understand what you attempted to describe. Now that jaclaz is on the case, I am sure he will attempt to resolve your query. I tried, and was ...
by anav
Sun Jun 02, 2024 7:16 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1651

Re: Both Openvpn and Wiregurard fail

(1) Remove the peer name......... pre-shared key ( do not use this attribute ) /interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=**.**.2**.** endpoint-port=\ 41194 interface=wireguard1 name=peer1 persistent-keepalive=25s \ preshared-key="*****=" public-key=\ (2) By ...
by anav
Sun Jun 02, 2024 6:39 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1268

Re: Routing VLAN to specific WAN using Policy Routing

Concur on the TPLINK not too much to screw up there, but what about the switch?? Okay I went back and what troubled me was LTE was on bridge1 and not directly on an etherport on the router. I then checked the diagram and for some strange reason its coming from the AP ???????? ...... ap-router.jpg .....
by anav
Sun Jun 02, 2024 5:29 pm
Forum: Beginner Basics
Topic: Mikrotik as secondary router - one LAN port bridged to WAN
Replies: 4
Views: 668

Re: Mikrotik as secondary router - one LAN port bridged to WAN

/interface vlan
add interface=bridge name=ISP-LAN vlan-id=10
add interface=bridge name=HAP-LAN vlan-id=88
/interface bridge port
add bridge=bridge interface=ether1 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether2 pvid=88 ingress-filtering=yes ...
by anav
Sun Jun 02, 2024 5:14 pm
Forum: Beginner Basics
Topic: Need help with few questions.
Replies: 5
Views: 449

Re: Need help with few questions.

Lets get this straight, the CRS series are SWITCHES not routers. They can be used as routers but throughput is very much less then pure routers. Provide a diagram as your requirements are not fully understood and seem to be changing with each post. Besides diagram a. identify users/device including ...
by anav
Sun Jun 02, 2024 5:10 pm
Forum: General
Topic: Back To Home VPN - spamming logs when disconnected
Replies: 2
Views: 303

Re: Back To Home VPN - spamming logs when disconnected

Disappointing that MT did not fix this well known issue for the release of 7.15.
by anav
Sun Jun 02, 2024 3:56 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 15
Views: 1651

Re: Both Openvpn and Wiregurard fail

Post your latest config and I will relook.
by anav
Sun Jun 02, 2024 3:53 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1268

Re: Routing VLAN to specific WAN using Policy Routing

Are they connected wired or wifi?
Check the switch and AP devices, don't think it's the router??
by anav
Sun Jun 02, 2024 2:38 am
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1268

Re: Routing VLAN to specific WAN using Policy Routing

As usual I work from your latest config, so would need to see it to comment on any new issues. Unless you changed something vlan20 should work same as vlan30 as they are identical in terms of the RB5009 router, which leads me to suspect the problem is down the road like at a switch. (4) I would disa...
by anav
Sun Jun 02, 2024 2:32 am
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1970

Re: Connection issues with hAP AC2, any problems with my config?

Subnets = IP = L3, or did I miss something?
Yes rip van Larsa you missed the last 60 years where Zerotier was released putting all assigned subnets into the same L2 space.
by anav
Sat Jun 01, 2024 8:32 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1970

Re: Connection issues with hAP AC2, any problems with my config?

You know more than I, but AMMO was fairly explicit on setting up the subnets to be part of zerotier.
by anav
Sat Jun 01, 2024 5:51 pm
Forum: Beginner Basics
Topic: Basic Zerotier Question.
Replies: 3
Views: 338

Re: Basic Zerotier Question.

Okay so it sounds very doable. It's a bit better than trying it over wireguard as wireguard then trips over the routing issue, where zerotier does not.
by anav
Sat Jun 01, 2024 4:23 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1268

Re: Routing VLAN to specific WAN using Policy Routing

(1) REMOVE frame types from bridge. keep it simple, we add frame types and ingress filtering at /interface bridge ports. (2) I like order, thus resorted vlans LOL. A cluttered config is a cluttered mind. ;-P (3) For security added Trusted Interface, assuming the one subnet that is trusted is your in...
by anav
Sat Jun 01, 2024 2:51 pm
Forum: Beginner Basics
Topic: Basic Zerotier Question.
Replies: 3
Views: 338

Basic Zerotier Question.

I have a single device on a local subnet lets say 192.168.88.0/24 on an MT router and it needs to reach a device ( and vice versa ) on a separate router (non-mt, with SIM card) and both have natively zerotier, intuitively one should say, yes they can be connected. The subnet on the non-mt Router is ...
by anav
Sat Jun 01, 2024 2:37 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1970

Re: Connection issues with hAP AC2, any problems with my config?

That router does zerotier natively which may be another avenue of possibility. It joins networks at level 2, so no firewall rules apply. The question though remains, what happens when you are local with wifi............. it may integrate really well and be the right path, just don't have any experie...
by anav
Sat Jun 01, 2024 3:43 am
Forum: Beginner Basics
Topic: Device Isolation
Replies: 4
Views: 493

Re: Device Isolation

I typically tend to use vlans to separate subnets at layer2 and firewall rules at layer3.
For firewall rules my last rule is DROP, and thus anything not accepted above in previous rules in that chain, is not permitted. Clean and efficient.
by anav
Fri May 31, 2024 11:43 pm
Forum: Beginner Basics
Topic: Can the firewall drop packets silently?
Replies: 8
Views: 663

Re: Can the firewall drop packets silently?

If i were to latinize it ......................

/export file=vici-de-bici
by anav
Fri May 31, 2024 11:32 pm
Forum: General
Topic: How long does it take for MT tech support to respond?
Replies: 22
Views: 3184

Re: How long does it take for MT tech support to respond?

They have responded to all my inquiries including ideas and supouts in a reasonable time frame, not to say your experience may differ. Perhaps a small investment in a queue system letting folk know they are number 98/2000 might help temper expectations etc... MTs strongpoint has never been communica...
by anav
Fri May 31, 2024 11:24 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1970

Re: Connection issues with hAP AC2, any problems with my config?

Yes, I can see the dilemma!! What router brand and model do you have in the camper? Is it dual wan capable, can you link to a user guide? Im starting to think that SourceNATing the camper van wireguard outward bound traffic may be a key to an approach. So when wireguard is up....... the MT router ge...
by anav
Fri May 31, 2024 11:16 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 905

Re: Can I only use mikrotik as a firewall?

Absolutely know that companies join conglomerates of like minded companies and ISPs to ward off attacks. They try to isolate the source vectors and close off traffic to the closest point of source. Very enterprisish stuff............ not for the faint of wallet and thus I dont pay for it. Some compa...
by anav
Fri May 31, 2024 11:12 pm
Forum: General
Topic: How long does it take for MT tech support to respond?
Replies: 22
Views: 3184

Re: How long does it take for MT tech support to respond?

yarim just joined to help this thread, how kind.
Yup they are dealing with lots of sups, just keep checking they will get around to it.
by anav
Fri May 31, 2024 11:09 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1268

Re: Routing VLAN to specific WAN using Policy Routing

Heheh, okay will look at it tomorrow, today is booked up or whats left of it.
by anav
Fri May 31, 2024 5:04 pm
Forum: Beginner Basics
Topic: Can the firewall drop packets silently?
Replies: 8
Views: 663

Re: Can the firewall drop packets silently?

Shields up is very nice but not required, I believed you the first time,
what is needed is to see why your config is letting that happen :-)

/export file=anynameyouwish (minus switch impersonating a router serial number, any public wanip information, keys etc.)
by anav
Fri May 31, 2024 3:40 pm
Forum: Beginner Basics
Topic: Can the firewall drop packets silently?
Replies: 8
Views: 663

Re: Can the firewall drop packets silently?

Using a switch as a router? Must have a tiny throughput ISP. No port should be normally seen except ICMP....
by anav
Fri May 31, 2024 3:17 pm
Forum: Beginner Basics
Topic: Mikrotik as secondary router - one LAN port bridged to WAN
Replies: 4
Views: 668

Re: Mikrotik as secondary router - one LAN port bridged to WAN

Just to be clear you want the HAPAC to be a router as well and not simply pass on the subnet of the main router ( so it would be an AP/switch, vice router).
Do you need the 192.168.88 network for some reason??
by anav
Fri May 31, 2024 2:25 pm
Forum: General
Topic: Issues with Ping between Wireguard Sites
Replies: 5
Views: 568

Re: Issues with Ping between Wireguard Sites

Not fond of the messy firewall either chains not grouped etc.... Cleaned up version: Did you really mean to give the wireguard user access to the input chain? If so, then it must be you as the admin for access. In this case, lets make the security, access to the router better as well. /ip firewall a...
by anav
Fri May 31, 2024 2:02 pm
Forum: General
Topic: Issues with Ping between Wireguard Sites
Replies: 5
Views: 568

Re: Issues with Ping between Wireguard Sites

Before I look at the config, did you check the windows or linux PC host for its own firewall settings or the application perhaps has some blocking mechanisms??? This is nonsense and should be removed, there is no DHCP with wireguard. Also if you put in netmask manually remove it, not required. /ip d...
by anav
Fri May 31, 2024 2:00 pm
Forum: General
Topic: v. 7.14.3 - 7.15RC3 - 7.15RC4 router was rebooted without proper shutdown, probably kernel failure
Replies: 28
Views: 2138

Re: v. 7.14.3 - 7.15RC3 - 7.15RC4 router was rebooted without proper shutdown, probably kernel failure

Did you create supouts and report possible bug to MT?
( aka supout on working RoS ( no reboots ) and then on non-working RoS version (experiencing reboots))

They will be able to answer your questions more accurately.
by anav
Fri May 31, 2024 1:58 pm
Forum: General
Topic: application wise bandwidth controll
Replies: 1
Views: 259

Re: application wise bandwidth controll

Wrong equipment, look elsewhere.
You need expensive equipment with expensive licensed services.
The client should be advised, it will not be cheap.
by anav
Fri May 31, 2024 1:52 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1970

Re: Connection issues with hAP AC2, any problems with my config?

If that works, that means maybe at the other router you are source natting the outputs so they dont actually come from .44 they are coming from 34.2 ??? IN that case adding it to remote-machines should allow that traffic to reach LAN devices on the MT LAN. Allowed IPs on that router should be allowe...
by anav
Fri May 31, 2024 1:49 pm
Forum: General
Topic: Routing VLAN to specific WAN using Policy Routing
Replies: 19
Views: 1268

Re: Routing VLAN to specific WAN using Policy Routing

Well let us know for sure, as not going to look at it if solved LOL
by anav
Fri May 31, 2024 1:44 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 905

Re: Can I only use mikrotik as a firewall?

As an edge router with the ability to filter https and other encrypted traffic, clearly not. For everything else, fantastic. As noted by your second post, this thread is nothing more than trolling. @Larsa: Advanced ddos??, that is the responsibility of ISPs ( and like minded groups of ISPs) and thos...
by anav
Fri May 31, 2024 3:30 am
Forum: Beginner Basics
Topic: What is the purpose of client-dns setting in wireguard
Replies: 3
Views: 437

Re: What is the purpose of client-dns setting in wireguard

Sorry I don't see a client dns setting in my wireguard????

Okay checking the docs, it would appear when using BTH wireguard, it's a setting that's there.
Never used it so not sure how one is supposed to treat that entry.
by anav
Thu May 30, 2024 8:21 pm
Forum: General
Topic: Port forwarding not working anymore after switching to fibre connection
Replies: 7
Views: 1315

Re: Port forwarding not working anymore after switching to fibre connection

Of course not, there is logic: - single subnet, use src or dst-address - two or more whole subnets use interface lists *** - two or more subnets from remote routers use src or dst-address-list - any combination of separate users ( from same or across subnet ) without, OR with other subnets use src o...
by anav
Thu May 30, 2024 7:18 pm
Forum: General
Topic: Issues with Ping between Wireguard Sites
Replies: 5
Views: 568

Re: Issues with Ping between Wireguard Sites

Generally speaking I would need to see both configs. I do note that probably your allowed IPs are the problem and possibly routing.
What is at the other end of the wireguard tunnel?
by anav
Thu May 30, 2024 7:16 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 905

Re: Can I only use mikrotik as a firewall?

That is generally one of the purposes of an MT device.
Where will all the PCs get their IP addresses from??
by anav
Thu May 30, 2024 4:35 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 335
Views: 76116

Re: v7.15 [stable] is released!

Exciting release packed with updates and bug fixes. My whole fleet of routers (30+, various architectures) updated successfully, and good to see over 700kb of free space on my hAP ac2 (from around 300kb on 7.14.3) Good job dev team :D Updating an entire fleet of routers within 2 hours after release...
by anav
Thu May 30, 2024 3:53 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1970

Re: Connection issues with hAP AC2, any problems with my config?

yeah that route looks better........ and if not try 192.168.34.1 as an alternative. (1) Remove sourcenat rule not required. from /ip firewall nat add action=masquerade chain=srcnat comment="defcon: masquerade" ipsec-policy=\ out,none out-interface-list=WAN add action=masquerade chain=srcna...
by anav
Thu May 30, 2024 1:23 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 335
Views: 76116

Re: v7.15 [stable] is released!

Disappointed not to see a router fix for wireguard coming in on WAN2 when WAN2 is secondary WAN and mangling this traffic does not work.
by anav
Thu May 30, 2024 1:12 pm
Forum: Wireless Networking
Topic: Finally success - 802.11r/k/v fast roaming works reliably with WifiWave2
Replies: 63
Views: 20782

Re: Finally success - 802.11r/k/v fast roaming works reliably with WifiWave2

Let me rephrase that: The result _should_ be the same.
If it isn't, you may want to report a bug to Mikrotik support.
The design and implementation is a bug.
When I look at capsman configuration, it looks like a nuclear explosion and completely consumes any config, like japanese knotweed.
by anav
Thu May 30, 2024 1:10 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 990

Re: Wireguard setup to VPN LTE RBSXTR

Compare that to IP DHCP client or the like assigned IP and to one's IP CLOUD. If they are all the same, it's a public IP.