MikroTik

anav

No I meant that an interface with a *1 indicates an issue........The router is telling you that there is a problem.
Which interface is it referring to???

anav

You know the drill all three configs posted for review.
Mind you I expect to see offbridge ports on all three

anav

Send the helper some cat food!!

anav

Try posting your config to see what you have done.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

Meanwhile, the RB5009 is a great upgrade regardless.

anav

1. You have a problem on an interface on the bridge??? add bridge=bridge comment=defconf interface= *1 2. One obvious problem is DUPLICATE IP ADDRESSES (your phone is .2 and your router is .2) MODIFY TO: /ip address add address=192.168.8.1/24 comment=defconf interface=bridge network=\ 192.168.8.0 ad...

anav

1. You didnt remove the rule I requested and instead removed the rule you should keep. ENSURE THIS IS THE RULE you have in the forward chain. ( there is no wg traffic originating from local users going to clients ) add action=accept chain=forward comment="wg clients to LAN" \ in-interface=...

anav

Post latest complete config for review please.

anav

You do know AMMO, that romon is an anagram................

anav

When using vlans work from an offbridge port, as noted many times.

anav

Firewalls are all about matching.............. The default rule states, DROP all traffic coming from the WAN , unless that traffic is identified (by port number/protocol) in the NAT rules. The rule after has nothing to do with WAN traffic, it addresses WIreguard and LAN traffic, a different animal. ...

anav

Correct instead of stating what the router should do according to your wishes in terms of functionality. Better to describe the traffic flow requirement for all identified users and devices. From that a config will take shape. So yes exactly knowing how wireguard works, would tell you that two way i...

anav

Don't see any blood coming from your knees yet, proceed down the learning road, rough as it is

Read the references and vids etc, take a stab at a config.

anav

Okay enjoy,
When you provide a network diagram and finished type of endstate plan more than willing to help.
Not interested in hypotheticals................

anav

Wrong ......... The drop rule 'sort of included in the default rule, very confusing which I loathe, need not be last, in the default rules. That rule only drops any wan traffic not identified for port forwarding, nothing more, nothing less. It has no bearing on any other traffic. Basically the defau...

anav

Okay as I see it you want something very complex There is no point in looking at the config at the moment. What is needed, excuse my overexhuberant colleagues is a concrete plan and understanding of the requirements. IS what you are asking possible. Likely, so how do we get there. What are the limit...

anav

I dont get your point Johnson,
The chap is using default rules which does not incorporate DROP ALL ELSE rules.
The rule above simply drops anything from the WAN side that is not destinated and has no effect on wireguard traffic.

anav

R1- Why is there a second bridge ( aka one for wan )?? R2 Do not name bridge LAN, its very confusing as LAN is already used on the router to denote all local subnets ( bridge subnet, vlans, and/or any subnets tied to etherports, or even wireguard ). Its very confusing to try and read a config where ...

anav

I would only run one wireguard interface and over the primary WAN1 ( digi ). If the primary WAN1 fails then Wireguard should work on the failover WAN2 (orange) ( note one should not PCC any of the wireguard traffic. The key point for us is whether or not both ISP1 and ISP2 provide public IPs to the ...

anav

Please provide a diagram of your network as you explanation was not clear. Does each device have its own internet connection for example. Do any have a public IP address on an upstream device that gets a public IP address that can forward ports to the MT. Not sure why you use two bridges. Your R1 Se...

anav

I am hoping that someone with far more RoS acumen can assist you!

anav

CAVEAT, not IT or network trained, take comments as you wish. 1. RB4011 is not a DPI capable router and this attempt, presumably to block tiktok, is probably not useful and (not sure) may take up valuable cpu bandwidth. /ip firewall layer7-protocol add name=Tiktok regexp="^.+(tiktok.com|musical...

anav

The options are clear. One Cable from modem to MT Device in basement. One Cable from MT Device in basement to MT device upstairs. Which one acts as switch and which one acts as a router should is all very optional. I personally would put the router with two considerations a. UPS backup (as well as m...

anav

Okay, So if you reboot R2 while at R2, the wireguard connection fails to re-establish. That is not normal. Can you confirm if your WANIP at R2 changes upon reboot? Can you please post both configs R1 and R2 /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

Ahh I see, so the issue is more precisely a. I am located at R2 and reboot router 2 and lose my connection via wireguard to Router 1 OR b. I am located at R1 and reboot router 1 and lose my connection via wireguard to Router2 OR c. I am located at R1 and via wireguard reboot router2 and lose my conn...

anav

So it would appear your M2 router gets a public IP from the bridged modem
(ip cloud IP = whatsmyIP(in browser) = ip dhcp client (or pppoe) IP.

If so, then whey do you need a CHR in the cloud? Purposes??

anav

Okay so my guess is that step 9 skips to 15 is correct and that the numbering is not necessarily a traffic flow just a marker number............

anav

Anything outdoor over any distance why not https://mikrotik.com/product/wireless_wire
or the superior https://mikrotik.com/product/wireless_wire_cube_pro
I'd only use the wapax for local coverage (not ptp stuff)

anav

First of all how are you connecting to the two Mikrotik routers on the ground.
Its very unclear, what you have done so far and that is because no requirements have been stated etc..

anav

Okay, I will bite. Lets take the scenario where we mangle traffic coming to the router so it goes back out the same WAN. Lets say WAN1 is primary and traffic is to the router via WAN2 and needs to go back out WAN2. /ip firewall mangle { mangle for traffic to router } add action=mangle chain= input c...

anav

Why would you encourage someone to come in clear text to the router for management purposes, me thinks your dehydrated.

( or lost a bounce in your step )

anav

Thanks for the offer, but I dont belong. You guys know what you are talking about from an educated networking and engineering perspective. DYI doesn't cut the mustard but I am always willing to look at stuff to see if it makes sense for the 'masses'.

anav

<placeholder post for the final version - once ready> I am in the habit of taking pictures to document the progression of works, so here it is (9 June 2025 8:00 Zulu): photo1.jpg :lol: The first thing to do when encountering issues is to stop digging! ;-P Awaiting for the 'real final product' to re...

anav

To the first question: Depends, on the surface yes. If one has multiple ports, all the same and tagged and all going to the same VLAN-ID, they can be combined on the router or Switch. Discussion: If there are any differences between any of the VLAN-IDS, like one has an implicit ( set on bridge port ...

anav

First of all, assuming you are using vlans please read this reference: https://forum.mikrotik.com/viewtopic.php?t=143620 One bridge for each device. Second device gets its IP from the management vlan Only the management vlan need be identified Only the management vlan is tagged on the bridge for /in...

anav

WHY?
Layer7 was the way to block facebook and that is now gone considering the ways that traffic is directed by such Apps.
Unless the router has DPI that can reach into encrypted packets you are wasting your time.

anav

So maybe 10-12 rules.......okay, Be curious when you have 25 rules ??

anav

Because they want to force the user to buy two (OR EVEN BETTER FOUR), to span the width of the rack jajajajajaja
You think I jest??
...............

four.jpg

anav

Surprized you get 900?? How many firewall rules do you have???

anav

1. Change the WIFI password and remind staff that they will lose their jobs if they give out the wifi password. 2. Shut down WIFI by script after hours ( thus ensuring you only keep wireguard or VPN access, wired after hours) These are the easy steps. In terms of shutting down wifi, will let the exp...

anav

If you are getting 940 Mbps, you are good to go. The connection is 1gig and with normal losses around 940/950 is very reasonable. I have a highpowered router and I dont get more than 940 on my 1gig connection. UP your ISP connection if you want more speed. If you wanted a router with up to 1 gig thr...

anav

To work with vlans, you will pull your hair out moving things around best bet is to take one port off the bridge and do all the configuration safely there!!! Notes: 1. FIRST STEP add Offbridge settings, and do all vlan configuration from this safe spot. ( using port 9). Recommend this for all device...

anav

One bridge, no dchp by bridge, if you have a house subnet, simply use a vlan for that as well. Do not use vlan-id=1 Now for best of luck and trouble free its best to take one port off the bridge and do all the configuration from there ( the last step being turning bridge vlan filtering on ). How to:...

anav

ALSO ensure you remove the device serial number and any public WANIP information

anav

/export file=anynameyouwish (minus router serial number, public WANIP information, keys).
Be happy to comment then.

anav

Eider, why do you post a config that is nothing but a security phuckup..................
Ahh okay, that makes more sense........

anav

Provide a network diagrams of what you think the final setup will loook like.

anav

1. I am not familiar with IPV6 so cannot comment on two PPPOE settings. 2. This shows an error in an interface selection add interface =*C list=LAN 3. This address should be removed..................... add address=192.168.100.2/24 interface=ether1 network=192.168.100.0 Your WAN connection coming on...

anav

You are asking questions without attempting basic network knowledge learning. Phrasing questions can I do this or that are clear clues. Requirements in the future should be based on what traffic your users and devices required and questions should be posed in that regard. I have two groups of users,...

anav

/export file=anynameyouwish (minus router serial device, any public WANIP information, keys).

After you post the complete config, happy to comment.

anav

Even in Ireland, redirects work only with compliant users LOL. Even browsers can avoid such configs but concur overall still useful.

anav

And, as I think about it, it should also allow any traffic from the LAN to the router itself, right? Yes but the fact that you have to double check yourself speaks to the lack of clarity of rules. Much better to state cleanly add chain=input action=accept comment="Lan users to router" in-...

anav

Not a lurkerite......... its a false option ;-PP General rule of thumb for firewall rules is that --> Interface lists are better designed to handle whole subnets. --> Address lists are great when anything less than a whole subnet is involved with or without whole subnets ( could be users in one subn...

anav

established related and fastrack are ways the router handles following packets after dealing with the original packets, for efficiency purposes.
Again details best left to experts.

anav

Not ipsec trained, but if you elect to use wireguard, have all the time in the day.

anav

Correct if just starting out IPSEC is advanced and capsman only if using MT wifi, which is a recipe for hair graying or hair loss and wasted time.

anav

Why two bridges? Remove WAN from silly second bridge. Why do you think you can have two subnets on the same bridge, 10.10 and 172.20 add address=10.10.10.1/24 interface=bridge_LAN network=10.10.10.0 add address=192.168.216.1/24 interface=wireguard-vpn network=192.168.216.0 add address=172.20.20.1/24...

anav

I will leave that to experts, but dont be concerned having that in the rules.

anav

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)

anav

I am sure his significant other would welcome an intervention!!

anav

No traffic doesnt go from input to forward, Traffic to the router ( using router services) only goes thru input and is either matched or not matched Traffic through the router ( LAN to LAN, LAN to WAN, WAN to LAN) never sees the input chain. Get familiar with: https://help.mikrotik.com/docs/spaces/R...

anav

Ahh I get the appeal. One could host BTH relay server on ONE mikrotik (with publicly reachable IP) and then use BTH on other MTs, using the the existing relay server on the MT, as the middle go to site. Thus saving the cost of a CHR and VPS and basically providing the same thing, at least for wiregu...

anav

YES, sign up for a VPS and get a CHR and install on the VPS and you have your own relay server! :-PP

anav

Would need to see your config.....
/export file=anynameyouwish (minus router serial number, any public WANIP information)

https://www.youtube.com/watch?v=kdzrRN-iey0

anav

I have a separate management vlan, but it is not required if your home vlan is trusted enough.

anav

Do you mean besides try ANYDESK instead?

Since you have no firewall rules and all is allowed,,,,,,,,, yikes, would never connect this to the internet.......
No nothing should block it. ( did you try disabling upnp ).

Suspect something on the PC, firewall, new OS, something ??????

anav

Makes no sense to me, If one stream has no vlan you can assign it a vlan ( as an untagged port ). It would be wrong to call the MT port type: trunk. Its a hybrid port! /interface vlan add interface=bridge name=vlan-isp vlan-id=10 add interface=bridge name=vlan-voip vlan-id=30 add interface=bridge na...

anav

Router B 1. Same issue no pool required for wireguard. /ip pool add name=dhcp ranges=192.168.30.2-192.168.30.254 add name=vpn ranges=192.168.60.2-192.168.60.255 2. Same same with this, set to none. /interface detect-internet set detect-interface-list=all internet-interface-list=WAN lan-interface-li...

anav

Rule to be refined: add action=accept chain=forward comment="Povol presmerovane porty" \ connection-nat-state=dstnat to: add action=accept chain=forward comment="Povol presmerovane porty connection-nat-state=dstnat in-interface-list=WAN Sorry Disagree, the optimal format of the rule ...

anav

ROUTER A 1. What I saw on first glance is IP pools assigned to wireguard is WRONGO /ip pool add name=dhcp ranges=192.168.10.20-192.168.10.254 add name=vpn ranges=192.168.15.2-192.168.15.254 add name=vpn_zavratec ranges=192.168.60.1-192.168.60.254 Whats funny is you gave in the address for zavratec ...

anav

It is not clear what is coming from ISP.
One cable with two streams of data one untaggged and one tagged
One cable with two streams of data tagged
Two cables one an untagged internet traffic for termination, and one tagged VOIP traffic for termination

anav

The choice of using two WANS vice one as primary and one as failover is at times personal. The logic is that a. if the second WAN is very tiny in throughput then it makes sense to only use if WAN1 is not available and users should be aware that performance may be slower than normal b. If the second ...

anav

As noted, form follows function. Vlans are cheap use as many as you think you need. In terms of security, I will keep it short and no wishy washy talk. Should cameras from company A, be in the same vlan as alarm system from company B, EFF NO :-) Should cameras from company A be in the same vlan as h...

anav

Stab at hapaxlite (using port 4 as offbridge port and trunk port from router using ether1) THE WIFI settings are not here but are left up to you. Setup offbridge4 port first and then do the work from that location. model = hap ax lite # serial number = /interface bridge add name=bridge1 vlan-filteri...

anav

Notes: 1. FIRST STEP add Offbridge settings, and do all vlan configuration from this safe spot. ( using port 9). Recommend this for all devices..... 2. added Management Interface List entity 3 Removed duplicate IP Pool 4. Assume 3 vlans, one is management vlan (all devices get IP address on this vla...

anav

Also please provide one of the hap ax lite configs as well so that I can provide the example.

anav

how do I try it in sandbox/lab?

USE GNS3 or EVE-NG

anav

From remote location I imagine.
a. to visit subnets on router
b. to manage router
c. anything else?

anav

Okay so basically, I should assume the routers are identical, and that Router1 is the master and provides connectivity for all subnets (and uses ISP1 and ISP2 for internet). Router2 is live but dormant and when it becomes primary it uses (ISP1 and ISP2 ) for internet. Thus all vlans are replicated o...

anav

THe title should be; Admin Has a Leaky Config: Dont blame the router LOL Sounds more like an error in your configuration, The client coming in if its allowed addresses=0.0.0.0/0 that usually means that its setup to allow a remote user to see all Router subnets and to go out local internet. So you ne...

anav

Not all that useful answers, and especially the last question.
VLAN10 is on which router or more explicitly, what device is at the other end of the cable hooked into port1 on the switch.

anav

Who will use this tunnel and for what purposes/needs...........

anav

Look more closely k6cc, clearly stated in product brochure!! ......... dualboot.jpg ............... In addition on the associated MT Documents Product Page there are two references to SWOS. https://help.mikrotik.com/docs/spaces/UM/pages/271974525/CRS304-4XG-IN Booting process The device supports boo...

anav

Can you provide more detail.... a network diagram would remove many questions.

anav

yup, try in LAB/sandbox first - all good
next apply to one in situ and observe for one week.

anav

or change ONLY one and see how it performs for a week

anav

Need more information before even looking a the config. 1. Is this device acting as a switch ( aka NOT a router ) please confirm. 2. Assuming one of the internet incoming lines is heading for RouterA for termination and the other internet line coming in is going to Router B for termination? 3. Which...

anav

Overthinking, use this guide as a reference.....
viewtopic.php?t=143620

anav

Have to make some assumptions based on lack of detailed requirements Ether1 needs to be a hybrid port to a UNIFI device, thus management VLAN99 untagged and all data vlans tagged. There is no need for BASE, you already have a managment vlan and management interface!! A trunk port to the hapac makes ...

anav

So, let me get this straight, you probably have a hacked router, and then want us to click on an URL////// Not bloody likely. Disconnect from internet, and then netinstall a fresh firmware and for gods sake dont make any changes to the config before checking here first. And dont use the same usernam...

anav

Did you try a clean netinstall as part of your process............... (and ensure different username and passwords etc........)
Also post config in case there are obvious issues
/export file=anynameyouwish ( minus device serial number, any public WANIP information, keys )

anav

Ditto, no effort to learn and incorporate the Ref on Vlans, moving on!

anav

Yes, my typical advice to combat frustrating bridge vlan setups is....... Also to work on vlans as it can get sticky when applying vlans or trying to change from default to your stetup, its best to do so from a safe spot. Saves much grief! So use an off bridge port for the configuration and also as ...

anav

HAHAHA..... touche, and within the realm of possibility!!

anav

As per the reference once you go vlans, then the bridge does no DHCP, ip pool etc... One simply identifies the access ports and trunk ports (in your case probably none) on the interface bridge ( ports/vlans) settings. For OffBridge work,,,,,,, take ether5 for example........ Also to work on vlans as...

anav

What you can do is get another hex or managed tplink type switch at where equipment can be placed with ethernet cable.
On the single cable from this switch to the router YES, you can run vlans including a vlan to carry the internet signal from any ISP device to the router for termination.

anav

Both useless links, moving on.

anav

You are 100% correct. VRRP is simply only for router failure and could care less about recursive or netwatch. To combine the two however is still possible! one needs to run a script that when the connection to the internet is not available, then lower the priority on the Master priority for vrrp whe...

anav

Hi wise......thanks for the head up...........
This is not the OPs first rodeo so he should know what I mean but you are right!

Public IP means
IP cloud = whats my IP on browser = my IP DHCP client or PPPOE IP.

anav

Yes, tripped across VRRP and two routers in another thread, where I went wrong probably in this thread and the other was thinking that VRRP and recursive router played well together. WrongO VRRP is strictly for router failure and nothing else, and so if no VRRP crosstalk from master, the slave takes...

anav

You are very confused. You want a single bridge and no vlans and yet you have a second subnet for the asus rogue on ether2, but but ether2 is on your bridge, so there is conflict. It would seem you are using your asus rogue as a router and in that case its wanIP will be on the 192.168.88.0/24 networ...

anav

If you have multiple wans, wireguard or BTH will work fine if using the Primary WAN. I f you have a public IP address or can forward the port from the upstream router to the MT router then use normal wireguard. If you do not have a public IP address and want to be able to reach the router use BTH. I...

anav

Without capsman would have been up and running on may21st ;-PPPPPPP ( to all the capsman lovers bronx cheer )

anav

Once you go vlans on any MT device its often better to go all vlans with bridge as interface. The switch gets an IP address from the management or trusted vlan Only the trusted vlan gets tagged to the bridge in /interface bridge vlan settings . The defacto ref for vlans in general is https://forum.m...

anav

Send a supout report to MT on their support page..............

anav

1. Why are you giving an IP pool to WIreguard, no such entity required, remove!! 2. Why did you make the wireguard interface a member of the WAN interface list?? 3. The allowed addresses in peers, is to identify REMOTE device requireing access to the local router, or REMOTE subnets that local users ...

anav

For me its a bloated overcooked firewall but if the aim is security, probably nothing wrong with it. Good, depends what you mean by good, efficient, hardly.

anav

As always, cannot comment without latest config.

anav

Yeah the block diagrams are not helpful....... If this doesnt work then perhaps the other suggestion by mkx may bare fruit. # model = RB760iGS /interface bridge add name=bridge1 /interface vlan add interface=bridge1 name=MGMT vlan-id=3049 vlan-filtering=yes /interface wireless security-profiles set ...

anav

Hi Jaclaz, yup I could be wrong BUT!! My thinking was that the actual WAN connection of each router to the ISP was INDEPENDENT of the virtual wan created between the two routers. The VRRP is not tied in anyway to the ISP itself, for example. How does the Master Router know if its ISP connection is a...

anav

Try Admiral platform, or WInbox, the choice is yours.

anav

Also post your complete config
/export file=anynameyouwish ( minus device serial numbers, any public WANIP information, keys )

anav

I would be happier if they changed the default firewall rules......... add action=accept chain=input comment="Users & Admin to Services" in-interface-list=LAN add action=drop chain=input comment="drop all else" add action=accept chain=forward comment="internet traffic&qu...

anav

So basically your connection to the ISP remains, (but the ISP connection to the internet fails) and thus no failover occurs. Typical solution is recursive routing. This is where the router checks an external public IP address to confirm connectivity. Router VRRPA ( master ) add check-gateway=ping ds...

anav

I also think that basically looking at the device as a 4-port device with an additional low bandwidth port works fine. (For most of the practical applications either not all ports are strictly necessary, or there is a printer, smart TV, etc. that can be used fully with a somewhat reduced bandwidth....

anav

When you have a coherent plan, post the full config.

anav

Yes patrikg, but talking here does not necessarily precipitate action by MT, its not the process used to do so.

anav

How bout a reboot? Would that do it??

anav

Easy answer is VRRP. Basically it creates a virtual WAN/Route to the internet, One router is declared the master and the other the slave but all the users only see one WAN. When the master fails, the traffic is shunted through the backup WAN connection. A slicker alternative, which may not appy for ...

anav

https://mikrotik.com/support

anav

Will give this a whirl..........

anav

. And I can do all of that from my phone, whereas with MikroTik, I have to set up the routers from a laptop.

I have done work on my setups from my phone and tik app? ( via wireguard of course )

anav

Send your suggestion to SUPPORT as a suggested feature. It will get traction there.

anav

Please provide the two latest configs for the CHR config and Router config and will look at that with the new diagram.

anav

I would start by using vlans for all subnets.
Not clear why you have two bridges either.
Why do you have pptp server enabled, is that required for hotspot??
You seem to have changed firewall rules from default..........for what purposes??

I dont see any IP HOTSPOT settings ???

anav

One could conclude that MT does not conduct UPLOAD tests at all when producing throughput tests on their charts. I say this because one might assume they use ether1 for testing and this issue would have been discovered long ago, prior to distribution. Or it could be that they only look at cumulativ...

anav

The port designation is temporary for testing purposes.

Hence a diagram is needed so one can config with context to as close to final implementation as possible.
I wouldnt touch mangles or routes until I know the requirements.

anav

One could conclude that MT does not conduct UPLOAD tests at all when producing throughput tests on their charts.
I say this because one might assume they use ether1 for testing and this issue would have been discovered long ago, prior to distribution.

anav

Some vendors really build for density and they perform very well.

anav

So the order counts.......... SO in this case...... 2.5 to 1 to .25 We would be roughly happy with 67ish% 27ish% 6ish% percentages So roughly speaking we do something like 15/3 for WAN2 (approx 6.75) 15/6 for WAN2 (approx 6.75) 15/9 for WAN2 (approx 6.75) 15/14 for WAN2 (approx 6.75) for a total of ...

anav

Please send supout to MT, to get this fixed asap.

anav

So you are saying, in effect, that the router STILL HAS TO COUNT CONNECTION ASSIGNMENTS.................. in this case 14 ........ SO it auto counts and assigns the missing ones to the non PCC available WAN in the same table. Now this approach sucks since the OP has WANS 4 (future wisp) and 5,6 LTE ...

anav

Why I started buying TPLINK APs.

and will likely buy a zyxel wifi 7 device at some point.

anav

Hi Ammo, I think I concluded the same so my answer would be appear to be correct. Understood, however the amount (contents) of any connection is not predictable in the PCC method so one goes at it the best one can. The double sticky approach of actual bandwidth increases the number of rules but allo...

anav

As Normis stated, if you are experiencing issues, then send a supout to MT, and the more data received, will lead to faster identification of the issue and the possible resolutions.

anav

Would appear thus far you need. 1. VLANS 773/783 to PCC load balance wan1,2,3 ( where WAN1 is 2.5x greater than WAN2 and 10x greater than WAN1 in terms of throughput ) 2. VLANS 137/173 (main/red) use WAN2 as primary and WAN1 as Secondary and 3-6 tertiary 3. VLANS 187/199 (orange/mgmt) use WAN1 as pr...

anav

Didnt help understand your shortcut technique :-( Let me ask it another way, how would you setup PCC for three WANS WAN1 - 2.5 Gpbs ( 2.5x greater than WAN2, 10X greater than WAN1 ) WAN2 - 1 Gbps (4X greater than WAN3 ) WAN3 - 250Mbps Basically, right or wrong I would start by thinking in this way. ...

anav

ADDITIONS/CHANGES ONLY Added working off ether1 as a safe place to make all bridge and vlan changes ..................saves much frustration during initial configuration, also recommended for all 3XX switches. # model = CCR2004-1G-12S+2XS /interface ethernet set [ find default-name=ether1 ] name= Of...

anav

Not sure Normis, I know in another thread that is exactly what I recommended to the OP. ( The op had manipulated the mac address on ether1 which clouded the issue ). https://forum.mikrotik.com/viewtopic.php?p=1140580&hilit=E50UG#p1140650 https://forum.mikrotik.com/viewtopic.php?p=1140580&hil...

anav

Confirm please if you get a private IP on WAN1 ( you seem to indicate its actually terminated at another site). ( I do see vlan35 in the config, so should we assume that the other site simply forwarding the ISP to you over vlan35 and thus you do get a public IP?) TO BE CLEAR....... is vlan35 from th...

anav

Have any MT staff responded to OR discussed the issues of ether1 on this model of hex?

anav

Thanks telepro. I will say however your approach is ill advised......
Only Winbox is accessible from the outside, and only from 2 secured IP public addresses (both of which are fully locked down).

Winbox should never be accessible direct from the outside as Public IP addresses can be spoofed.

anav

As ordained in the bible lɪˈvɪtɪkəs Πωπε/30 -- there can only be one.

anav

Does one end ( one of the routers) have a Public WANIP? If so perhaps try wireguard as a much easier but secure VPN option.

anav

Yes your diagram is great and captures what I was thinking. Yes I would assume that you would physically assign a management vlan IP address to the AP, and then assign other vlans to SSIDs for the traffic required.

anav

Looking at First switch, I would take one port off bridge and make it an emerg access port after using it as a primary change the config port. Why are you adding a PVID to a trunk port on /bridge ports ???????? add bridge=BRIDGE-R1-CRS interface=ETHER1-TO-HEXS-P04 pvid=100 WHY are you sending vlan t...

anav

Sure, I dont see why you have separate vlans for 10,20,30. If they can all access each other its really one vlan. If its only certain IPs that should access the other vlans make applicable firewall address lists and use them in rules. In other words, why have a manag3ment vlan that states has full a...

anav

You have raised a very good point. If you forward the BTH port on the pfsense to the MT router, MT should figure out that the relay server is not required. You should note that when creating the BTH enable, the router auto generates an input chain rule for that port on the router and that is the por...

anav

Like I said pokolo provide your config on the 4011 and one ax lite and I will provide you with a working config of both for vlans and wifi, without capsman............... if not, then bashing your head against a brick wall must be your idea of fun!

anav

A very messy config. I wouldnt bother with regex layer7 attemtps to block social media, waste of time. Also more rules disabled then enabled and the config should be removed of all noise that is not used. Makes it very hard to spot errors. 1. Dont forget to add persistent-keep-alive to proton wiregu...

anav

With version 7 firmware there is no need to PCC similar wan throughputs, ECMP works just as well and is much easier to implement.

anav

When you post the config I will be happy to assist
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

anav

Config comments: 1. Multiple tables the same reduce to ONE table. /routing table add fib name=via-wg add fib name=via-wg add fib name=via-wg add fib name=via-wg 2. Looking at your peer settings its clear your connecting to a third party VPN, or another Router/device hosting wireguard. Rereading you ...

anav

YOu could rent a VPS in the cloud and stick MT CHR on it and thus never use BTH and just use regular wireguard through the VPS to your router and to any remote devices.

anav

Thats how I setup all of my devices. A port is taken off the bridge It is given its own IP address Its added to the management interface list and LAN interface list (normally so it can access internet if need be) DONE! /ip address add address=192.168.210.1/30 interface=etherX network=192.168.210.0 {...

anav

My own take on the perfectly fine ( but confusing ) default firewall for most of the non high end routers is that it should look like the following. Clear rules without any ! associated rules needed and most new user will be using wireguard not ipsec. THis should be the standard ruleset for one brid...

anav

In addition, within PCC there are times when you create more PCC mangles and routes than normal, but that is to ensure a failover distribution as required. Basically break up a mangling into smaller pieces so that when one route fails, the traffic is split amongst the remaining routes, vice all traf...

anav

Msatter before Version 7.1X I forget which, PCC was clearly the way to go as I do not think ECMP was setup on straight policy routing. One had to invoke extra rules and not sure it worked all that well. Once it became available, as part and parcel of normal policy routing, it was a no brainer for re...

anav

But its blocked by default.............. Only certain subnets decided by you are part of the management interface. Only the management interface list has access to the router config. Only the management vlan and offbridge port are part of this list. You can even narrow down the interface list furthe...

anav

I agree with Ammo. ECMP is easier to go with for a relatively same throughput. The issues sound in my mind to be possibly MTU issues. Suggest at least posting the config of the Rb5009 to see what is going on /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

I would try adding a route with gateway set to the wireguard interface.
Code: Select all
/ip route
add dst-address=0.0.0.0/0 gateway=wg0 routing-table=main

See anserk's post for a proper response. ;-P ( besides 10.20.20.1=wg0 , well sort of )

anav

Yes, config please and indicate also if you do use IP DHCP client if you have selected yes to default route!

anav

Why would you want to block hte management off bridge access port?
Just disable the port in ethernet interfaces .......poof gone.

anav

If you want someone to design your network for you then please use this link. https://mikrotik.com/consultants If you want assistance after developing your own network that is a different story. a. product a network diagram with proposed equipments, wan connections, trunk ports, vlans etc.. b. produ...

anav

Since you know where the problem is, why come here? In other words, providing the full config will give us the facts required to solve. Pretending you know the problem by limiting the config exposed is not helpful actually. My guess is the problem is in a a. routing and/or b. firewall rules. Please ...

anav

Hello, over a 100 Cap's are down due to this 7.19 update! Either changes on all of them or downgrade would be a huge effort. LOG-Error: "CAP connect to Router R2D2 (4F:1B:3B:2B:EB:A2/6/0) failed: ssl: no trusted CA certificate found (6) Fast help is required. We have so many unhappy clients! D...

anav

don't match the interface use the src-address to match instead e.g /ip/firewall/nat/add chain=srcnat action=masquerade src-address=192.168.50.0/24 out-interface=ether1 /ip/firewall/nat/add chain=srcnat action=masquerade src-address=192.168.60.0/24 out-interface=ether2 I hope it make sense @loloski ...

anav

Remove connection from internet immediately router is setup UNSAFE. add action=drop chain=input disabled=yes in-interface-list=!LAN add action=accept chain=input dst-port=8291 protocol=tcp Then netinstall router to ensure a clean restart. There was nothing inherently wrong with the forward rules as...

anav

Nice story, but we are not MT, if you have a good idea, send a suggestion through the support portal.

anav

The question probably doesnt make sense to me as it an impossible ask?

anav

Yup, and anyone else on the router ................( at least its internal )

anav

Difference on the router or the growing brain tumour on the admin???

anav

Well its tricking the router so to speak LOL. We call it a hack! A huge workaround because the normal behaviour of the router is not following our standard rules for mangling and routing. The example linked to is a very complex dual WAN with dual WANIPs at each wan interface.......... I get confused...

anav

The point is the lethargic morons that run the forum dont understand the value in a very easy fix, and building momentum to make some changes is made more difficult by a lazy apathetic bunch of forum users, who sadly accept the insanity of the situation as almost a given. ;-P

anav

Great news, glad its up and running! Also not for winbox the first one is not needed and for better security should be set to none. From: /tool mac-server set allowed-interface-list= MGMT /tool mac-server mac-winbox set allowed-interface-list=MGMT TO: /tool mac-server set allowed-interface-list= non...

anav

I dont see any additional security risk setting up the switch to take the 'raw' wan to a router via a vlan for termination on the router. Ensure all bridge ports are set with ingress filtering and appropriate frame types. Ensure bridge has frame types set to tagged only. @ LURKER: I do not see where...

anav

The responder checkbox as stated in previous post is ONLY to be used by the router if it is the SERVER for handshake. It tells the router that if connection is interrupted and lost with the client dont keep attempting to reach the client............ a. ensure responder checkbox is not used b. ensure...

anav

There is no reason why the hapac acting as a switch from a main router cannot vlan a second wan to the router. There is one trunk port to the router from the switch. One of the vlans already in play to the switch is a management vlan where the hapac gets its IP address from. So lets say we have vlan...

anav

The NAT question, is covered in the sense that all users coming from the local router will have, as source IP, the local wireguard IP address due to the wireguard interface being added to the WAN interface list and thus an extra sourcenat rule just for the wireguard is not required. Now its kind of ...

anav

Concur Sebastia, an incomplete or confusing set of requirements will lead to unneeded series of posts. As for trick, yes, it was incorrectly worded, its simply a normal process within mt ROS to ensure certain traffic types avoid fastrack, ( known limitation). One can use traffic with NO connection m...

anav

Okay will focus on your local router ( client router for handshake ). 1. In general use only one bridge. If you need extra subnets use vlans. /interface bridge add name=BridgemDNS protocol-mode=none vlan-filtering=yes add admin-mac=REMOVED auto-mac=no comment=defconf name=bridge \ port-cost-mode=sho...

anav

Trick??
Fastrack will not work in traffic in certain circumstances, such as queuing and mangling so its not trick LOL, you have no choice but to disable fastrack for certain traffic.

anav

Two errors /ip neighbor discovery-settings set discover-interface-list= LAN /tool mac-server set allowed-interface-list= LAN /tool mac-server mac-winbox set allowed-interface-list= LAN Should be /ip neighbor discovery-settings set discover-interface-list= MGMT /tool mac-server set allowed-interface-...

anav

You are on the right track but beware that any browser can bypass this setup,,,,,,,,,,,,,, nothing is foolproof in terms of dns with a smart user.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

anav

would need to see both configs /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys ) What are the actual requirements. a. users on remote router to access lan subnets ( right now you have one vlan it seems that need that) b. users on remote router to access i...

anav

Have you considered putting all mail traffic on wan2............

anav

Yes, of course. If using solely BTH the process is very similar. Create BTH (enable) in IP CLOUD in router 1 FIRST CLIENT called master client is your smart phone ( information for this connection is provided on the router ) From MASTER CLIENT, the smartphone, create file for subsequent secondary cl...

anav

Your config is wrong........ not the routers problem, but the admins.......
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

anav

Please stop your ramblings and post the COMPLETE configuration of your router. I've seen plenty of x86/CHR (both bare metal and VMs) with much weaker CPU than yours having no problem saturating 1Gbps or 2.5Gbps WAN with a normal srcnat masquerade config, including PPPoE overhead. Look at the histor...

anav

That is correct, I do not even look at snippets LOL, good pickup by cat.

anav

Missing camera pool and base pool settings Missing camera and base dhcp-server settings Missing camera and base dhcp-server network settings Two addresses for camera vlan?? What is the purpose of this route?? /ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=ma...

anav

Not sure what you mean......... a. If a user has a destination address, that by the configuration of the router, means the traffic will enter the wireguard tunnel and at the other end the source address of the incoming traffic will be seen as the user IP. b. Is the router has setup sourcenat such th...

anav

Normally not an issue post your config.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)

anav

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)

anav

example: add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=LAN add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat add chain=forward action=accept comment="access to common printer" in-i...

anav

Well, if you should loud enough from your location it might hear you! ;-P
What I clearly meant is that the OP has to program the PBX so that its aware of the public IP.

anav

Please post full config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

If doing VRRP and you have two boxes and two internet connections suggest two sets of MASTER - SECONDARY setups. In this manner router A is the master and serves its local users and Router B can be a master and serve its local users, and then if one of the WANs goes down, the losing users will start...

anav

The BTH will have more latency than the regular WIREGUARD yes, however once the BTH determines that you have a reachable public IP address the traffic will proceed directly and the latency should be the same as regular wireguard.

anav

Do you have a public IP. Game servers attract hackers and is the reason why SANE people do not try to host them but use Steam etc.......... However if you have public IP or an upstream ISP router where you can forward ports, suggest using wireguard for your friends to get to your router to game secu...

Search found 24111 matches