Community discussions

Search found 20030 matches

by anav
Wed May 29, 2024 1:45 am
Forum: General
Topic: HAP ax lite as AP
Replies: 2
Views: 119

Re: HAP ax lite as AP

Mainly changes recommended: /interface ethernet set [ find default-name=ether2 ] disabled=yes set [ find default-name=ether3 ] disabled=yes set [ find default-name=ether4 ] disabled=no name=Off-Bridge /interface vlan add interface=bridgeLocal name=baseVLAN vlan-id=99 /interface list add name=MANAGE ...
by anav
Tue May 28, 2024 11:16 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 18
Views: 1080

Re: RB5009 and 2Gb/s internet speed

Hi Golem, if that is the reality of PPOE connectivity regardless of router, then it's the ISP's problem of false advertising.
by anav
Tue May 28, 2024 10:38 pm
Forum: Beginner Basics
Topic: Port forward for Minecraft server 25565
Replies: 3
Views: 163

Re: Port forward for Minecraft server 25565

Does your router get a public IP or a private IP from the ISP device? If it's a private IP, can you at least forward a port from the ISP router/modem to your router?
by anav
Tue May 28, 2024 9:33 pm
Forum: Beginner Basics
Topic: The simplest NAT problem
Replies: 10
Views: 461

Re: The simplest NAT problem

So the chap wants to connect two devices with two different IPs with no typical LAN structure so to speak??
It's a bogus concept to me, but me not trained LOL.
by anav
Tue May 28, 2024 7:49 pm
Forum: Beginner Basics
Topic: The simplest NAT problem
Replies: 10
Views: 461

Re: The simplest NAT problem

A confusing post with no complete config provided nor really any context of where the devices sit WITHIN a network.
Where are other switches, upstream user router, upstream ISP modem ( or modem/router ). Type of ISP, public private, static dynamic............ etc...
by anav
Tue May 28, 2024 7:42 pm
Forum: General
Topic: Advice on how to grow an ISP network
Replies: 9
Views: 660

Re: Advice on how to grow an ISP network

Really great overview and summary! You're clearly passionate about designing network architectures. Totally agree with you on OSPF and the challenges of iBGP full mesh.
+1
by anav
Tue May 28, 2024 7:39 pm
Forum: General
Topic: Unable to access devices externally on MikroTik router
Replies: 4
Views: 383

Re: Unable to access devices externally on MikroTik router

Understood, will try to help you set it up. What I need to know is what is it connected to routerwise. An ISP router, your own router? Does the upstream router have a static or dynamic IP? Does the upstream router have a public IP address? Can you access the upstream router and if not, can yo...
by anav
Tue May 28, 2024 5:34 pm
Forum: General
Topic: VPN & Port forward through 1 Interface
Replies: 5
Views: 445

Re: VPN & Port forward through 1 Interface

(1) Okay so if your port forwarding was old news and not required, then why do you still have dstnat port forwarding rule........ add action=dst-nat chain=dstnat comment="serv " dst-port=24000 \ in-interface-list=WAN protocol=tcp src-address-list=Access to-addresses=\ 192.168.88.10 to-port...
by anav
Tue May 28, 2024 12:10 am
Forum: Forwarding Protocols
Topic: Need a helping hand with port forwarding [SOLVED]
Replies: 7
Views: 325

Re: Need a helping hand with port forwarding [SOLVED]

I will be mostly in Brandenburg an der Havel for some 'recreational' rowing.
by anav
Mon May 27, 2024 8:52 pm
Forum: Forwarding Protocols
Topic: Need a helping hand with port forwarding [SOLVED]
Replies: 7
Views: 325

Re: Need a helping hand with port forwarding [SOLVED]

The easiest solution IMHO is to put the server in a different subnet than the users but if not...... By the way will be in Berlin, for one afternoon, evening and part of next morning ( a Monday ), staying near Friedrichstraße station. Any recommendations for things to do? and what to avoid!!! After...
by anav
Mon May 27, 2024 7:30 pm
Forum: Forwarding Protocols
Topic: Need a helping hand with port forwarding [SOLVED]
Replies: 7
Views: 325

Re: Need a helping hand with port forwarding [SOLVED]

Post the complete config for starters as the entire config is related more than you think. Also due to the fact that your fw are crap IMHO, and the config is not set up at all for port forwarding in your scenario: a. external users b. internal users via lanip c. internal users via WANIP or dyndns n...
by anav
Mon May 27, 2024 7:19 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

HAPAX3 NOTE this is a non capsman config as I have no clue how to do capsman, too complicated for me. Any vlans / data path removed from wifi settings. You should appreciate how uncluttered and quick this is to configure once the 5009 is done. (1) Will assume etherports 3,4,5 are for home wired net...
by anav
Mon May 27, 2024 6:58 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

RB 5009 (1) Added home vlan, so bridge does nothing but bridging and you were missing vlan10 items like dhcp-server and pool !! (2) Ether2, will be a management port (3) Ether6, will be an oFF bridge port ( ability for you as admin to access or config router Off the bridge ( safest way to config )....
by anav
Mon May 27, 2024 6:17 pm
Forum: General
Topic: NAT local DNS request to different address for specific interface
Replies: 8
Views: 446

Re: NAT local DNS request to different address for specific interface

Yes, 8080 etc works for webconfig, I use winbox, but thats up to you.
by anav
Mon May 27, 2024 6:15 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Okay once you go vlans there is no default network, it simply becomes another network like any other vlan subnet, just dont use vlan1.
by anav
Mon May 27, 2024 4:19 pm
Forum: Beginner Basics
Topic: Looking for advice
Replies: 1
Views: 232

Re: Looking for advice

I am not aware of any CRS160 model ???? Two approaches: Option1: hapax3 AND. The one I do recommend for your network is anything with CRS3, as it very similar in approach to how routers handle vlans and thus learning curve is reduced!!......... In this case the CRS310-8G+2S+IN, 8x 2.5gb ports and 2 ...
by anav
Mon May 27, 2024 3:59 pm
Forum: Beginner Basics
Topic: Beginner's question: Bridging and VLANs
Replies: 2
Views: 250

Re: Beginner's question: Bridging and VLANs

If you are sticking with UNIFI smart APs, keep in mind you will need to connect to them via a HYBRID PORT.
The management or Trusted VLAN ( the one where it gets its IP address from) is expected to arrive at the UNIFI untagged and the rest of the vlans tagged.
by anav
Mon May 27, 2024 1:19 am
Forum: General
Topic: NAT local DNS request to different address for specific interface
Replies: 8
Views: 446

Re: NAT local DNS request to different address for specific interface

Hi anav, yes indeed it does. It always resolves the DNS using my local RaspberryPi (192.168.88.112). If I change the DNS manually on my Client Machine, then it will use the 10.64.0.1 DNS. But I want that to happen automatically via NAT (I dont want to change the DHCP Server). Thanks! (1) How, a req...
by anav
Sun May 26, 2024 9:40 pm
Forum: General
Topic: NAT local DNS request to different address for specific interface
Replies: 8
Views: 446

Re: NAT local DNS request to different address for specific interface

Can you be more specific.

If your user is going out the internet via wireguard, the DNS on the local router doesnt come into play.
So not sure of your intentions??
by anav
Sun May 26, 2024 9:37 pm
Forum: General
Topic: 2 networks on one router
Replies: 8
Views: 735

Re: 2 networks on one router

Hi Jaclaz, I just took it as he really wants to know if his ISP has connectivity to the internet vice having the ISP seemingly functional but no internet. Nothing wrong with it but yes a tad strange as no alternative. As a note I am really getting peeved at dynamic print!. There is no reason why not...
by anav
Sun May 26, 2024 4:13 pm
Forum: General
Topic: 2 networks on one router
Replies: 8
Views: 735

Re: 2 networks on one router

(1) One thing I would change is put actual dns servers remote available. /ip dns set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9 (2) Remove this old default setting /ip dns static add address=192.168.88.1 comment=defconf name=router.lan (3) This is a very dangerous rule because it will allow ...
by anav
Sun May 26, 2024 3:53 pm
Forum: Beginner Basics
Topic: how to change vlan tag for tagged? [SOLVED]
Replies: 7
Views: 468

Re: how to change vlan tag for tagged? [SOLVED]

Vlans are used to keep traffic within a closed subnet at layer2.
They also permit one to push many subnets through a single interface port.
It's not about switching the vlan tags on a whim, which by the way is not a feasible idea.
by anav
Sun May 26, 2024 12:36 pm
Forum: Beginner Basics
Topic: how to change vlan tag for tagged? [SOLVED]
Replies: 7
Views: 468

Re: how to change vlan tag for tagged? [SOLVED]

Is the hex acting as a router or a switch?
Why would you want to change the tagging of a vlan? ( dont think its possible in your context )
by anav
Sat May 25, 2024 11:54 pm
Forum: General
Topic: Pptp client load balance on os 6 possible?
Replies: 2
Views: 280

Re: Pptp client load balance on os 6 possible?

Not sure what you mean?
If you mean run a server on your router for other users maybe you want queues??
by anav
Sat May 25, 2024 11:52 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 311
Views: 258869

Re: NEW FEATURE: Back to Home VPN

Agree much better documentation will take out some mystery. BUT I SAY AGAIN, BTH needs to be more explicitly shown on the export.
/ip cloud full full settings etc........
by anav
Sat May 25, 2024 11:48 pm
Forum: General
Topic: Failover and Selective Load-Balancing Issue
Replies: 5
Views: 587

Re: Failover and Selective Load-Balancing Issue

Finally, I also believe your scripts are wrong or should I say the application of the combination of scripts and IP DHCP settings.

In other words you should select
a. default route=YES
b. distance=255

For both WANs.
by anav
Sat May 25, 2024 11:40 pm
Forum: General
Topic: Failover and Selective Load-Balancing Issue
Replies: 5
Views: 587

Re: Failover and Selective Load-Balancing Issue

Now all users will use WAN0, and WAN1 is the de facto secondary failover option. Now to differentiate a single user by port Mangling is certainly the option that comes to mind. What you have is a holy mess of mangling that makes zero sense to the requirements you stated. /ip mangle add chain=forward ...
by anav
Sat May 25, 2024 11:30 pm
Forum: General
Topic: Failover and Selective Load-Balancing Issue
Replies: 5
Views: 587

Re: Failover and Selective Load-Balancing Issue

If you wanted nested Recursive..... it would be like so and just using two DNS checks. First we use a bogus or faux address, add distance=1 dst-address=0.0.0.0/0 gateway=10.100.100.10 routing-table=main scope=10 target-scope=14 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...
by anav
Sat May 25, 2024 11:16 pm
Forum: General
Topic: Failover and Selective Load-Balancing Issue
Replies: 5
Views: 587

Re: Failover and Selective Load-Balancing Issue

I would want to see the complete config to make any assessments because the rules are often integrated to some extent ( affect each other ). You stated that WAN0 is primary and WAN1 is secondary and thus......... However, I don't like your setup for recursive. In fact it almost looks like mixing up ...
by anav
Sat May 25, 2024 8:14 pm
Forum: Beginner Basics
Topic: WAN failover with VLANS on RouterOS 7
Replies: 3
Views: 355

Re: WAN failover with VLANS on RouterOS 7

All you have asked for seems doable, with not much work. However, the wireguard listening on T-mobile is problematic. It does not have a public IP and thus cannot be used with a normal wireguard setup. What we can do is setup normal wireguard and once its working disable WAN1 and see if in the wireg...
by anav
Sat May 25, 2024 8:10 pm
Forum: Beginner Basics
Topic: UNLIMITED LAN BUT INTERNET NEEDS AUTHENTICATION
Replies: 1
Views: 248

Re: UNLIMITED LAN BUT INTERNET NEEDS AUTHENTICATION

Sounds like you should read up on
a. userman
b. radius server
c. hotspot.

https://help.mikrotik.com/docs/display/ROS/RouterOS
by anav
Sat May 25, 2024 7:54 pm
Forum: Beginner Basics
Topic: Both Openvpn and Wiregurard fail
Replies: 2
Views: 282

Re: Both Openvpn and Wiregurard fail

Don't care about openvpn etc etc. but will help with wireguard. Does your MT router have a public IP address or connected to an ISP router with a public IP at which you can forward a port to the MT router? Okay I will assume the answer is no and you seem to be connecting to a wireguard server elsewher...
by anav
Sat May 25, 2024 7:50 pm
Forum: General
Topic: VPN & Port forward through 1 Interface
Replies: 5
Views: 445

Re: VPN & Port forward through 1 Interface

Yes the latest config,
In terms of restricting access TO the router input chain..
The only connection, TO the ROUTER, should be VPN connections and thus no restrictions required.
Connection to the LAN, aka to servers, can be limited by source address list on the dstnat rules.
by anav
Sat May 25, 2024 7:49 pm
Forum: General
Topic: [Help] Connect two networks
Replies: 1
Views: 252

Re: [Help] Connect two networks

One bridge.
4 vlans

Simplify firewall rules including getting rid of raw rules.
You spend too much of config in fear instead of simply allowing needed traffic and dropping rest.

Why are you mangling????

Why so many routes??

Explain more your WAN situation.
by anav
Sat May 25, 2024 3:57 am
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1564

Re: wireGuard does not work for me on my mikrotik RB750r2

The only thing I see that is really weird that I have never seen before are the following rules.... add action=dst-nat chain=dstnat disabled=yes dst-address=8.8.8.8 to-addresses=0.0.0.0/24 ???????????????????? add action=src-nat chain=srcnat disabled=yes out-interface=ether1wan src-address=0.0.0.0/2...
by anav
Fri May 24, 2024 11:52 pm
Forum: Beginner Basics
Topic: Protocols and ports needed by BTH VPN Wireguard
Replies: 6
Views: 368

Re: Protocols and ports needed by BTH VPN Wireguard

I would say so, but in BTH it should be shown in the IP cloud menu I think?
Endpoint for both router and client device is the BTH cloud server...........
Allowed IPs at least on the router for the client peer are probably only set to the wireguard subnet.
by anav
Fri May 24, 2024 11:48 pm
Forum: General
Topic: Sanity Check - chains and "Passthrough" Firewall Rules. [SOLVED]
Replies: 3
Views: 435

Re: Sanity Check - chains and "Passthrough" Firewall Rules. [SOLVED]

Mangle ACTIONS are clearly spelled out here: https://help.mikrotik.com/docs/display/ROS/Mangle Passthrough is clearly spelled out here in MATCHERS. https://help.mikrotik.com/docs/display/ROS/Common+Firewall+Matchers+and+Actions Quote: "passthrough - if a packet is matched by the rule, increas...
by anav
Fri May 24, 2024 11:14 pm
Forum: Beginner Basics
Topic: Protocols and ports needed by BTH VPN Wireguard
Replies: 6
Views: 368

Re: Protocols and ports needed by BTH VPN Wireguard

Well one would hope it randomly uses Ports and not the default port for wireguard which would be an easy target to filter.
Other than that its UDP based. Any country can block vpns if they put the infrastructure in place to do so.............
by anav
Fri May 24, 2024 11:12 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 311
Views: 258869

Re: NEW FEATURE: Back to Home VPN

Okay understand I may be looking at a BTH setup incorrectly done on an Ops MT router and thus the missing export info?
by anav
Fri May 24, 2024 11:09 pm
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 311
Views: 258869

Re: NEW FEATURE: Back to Home VPN

@Normis. Okay so what I have learned recently. 1. BTH is not applicable to router to router connections. 2. It would appear that BTH configs certain things automatically please confirm. a. sourcenat rule b. wireguard ip address c. input chain handshake rule d. allowed ips. e. wg blocked to LAN but a...
by anav
Fri May 24, 2024 11:01 pm
Forum: General
Topic: Back to home works without Internet
Replies: 5
Views: 456

Re: Back to home works without Internet

Interesting so BTH creates a. an input chain rule automatically b. creates a sourcenat rule automatically c. what about a wireguard address?? d. anything else??? what about allowed-IPs?? why are they showing on the config?? Why did any of this NOT show on the ops config??? or perhaps more to the poi...
by anav
Fri May 24, 2024 10:57 pm
Forum: General
Topic: VPN & Port forward through 1 Interface
Replies: 5
Views: 445

Re: VPN & Port forward through 1 Interface

Hi there, yes there is a bug in Wireguard firmware, which prevents success using Wireguard on WAN2, when WAN1 is primary. We can fix that with some trickery. A quick perusal of your config also shows that you have other issues that need to be addressed first. a. you are port forwarding on ether1, HO...
by anav
Fri May 24, 2024 6:50 pm
Forum: General
Topic: Back to home works without Internet
Replies: 5
Views: 456

Re: Back to home works without Internet

1. Modify your interface list members to include wireguard which affects relevant firewall rules and also can be shortened.... /interface list member add interface=bridge list=LAN add interface=back-to-home-vpn list=LAN add interface=pppoe-client list=WAN 2. Modified cleaned up firewall rules. Also...
by anav
Fri May 24, 2024 3:05 pm
Forum: Forwarding Protocols
Topic: forwarding of all subnet traffic to secondary gateway
Replies: 4
Views: 323

Re: forwarding of all subnet traffic to secondary gateway

Since the second device is acting as a router getting a private LANIP from the chateau. What I would do is only use one bridge and two vlans, easy peasy, and firewall rules easily applied. The question needing answering is what happens when WAN2 is not available do you want the users dedicated to th...
by anav
Fri May 24, 2024 2:43 pm
Forum: General
Topic: Wireguard peer Rx/Tx/Last Handshake stats not updating
Replies: 12
Views: 5097

Re: Wireguard peer Rx/Tx/Last Handshake stats not updating

You are not alone LOL. Based on my experience on these forums, the RoS, after many changes gets stuck in some fashion and recreating the functionality from scratch or simply rebooting the router fixes things magically. :-)
by anav
Fri May 24, 2024 12:34 pm
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1564

Re: wireGuard does not work for me on my mikrotik RB750r2

Mainly changes shown. Removed persistent keep alive to a peer (client for handshake, it's the client that uses that setting) Removed wrong WAN address Modified dns settings slightly. not sure what 192.168.1.1 was doing there as it's not a local subnet. Biggest issue is with your firewall rules. Too muc...
by anav
Fri May 24, 2024 12:10 pm
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1564

Re: wireGuard does not work for me on my mikrotik RB750r2

More concerning is the port forwarding of the default port for winbox.
Are you actually accessing the router externally using the default winbox port???

It would appear yes, you have the port forwarding setup appropriately
by anav
Fri May 24, 2024 2:07 am
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1564

Re: wireGuard does not work for me on my mikrotik RB750r2

Show me the port forwarding rule on the upstream router and you have confirmed the upstream router gets a public IP??
by anav
Fri May 24, 2024 2:05 am
Forum: General
Topic: CRS328 mangle rules [SOLVED]
Replies: 3
Views: 435

Re: CRS328 mangle rules [SOLVED]

Is your CRS328 setup as a router or a switch??
by anav
Thu May 23, 2024 5:07 pm
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1564

Re: wireGuard does not work for me on my mikrotik RB750r2

Well your config is confused........... You have two ether1-wans, and one is disabled. The one that is disabled seems to be a public IP The one that is enabled seems to be a private IP This makes sense if what you are saying about double NAT. It would seem you have an upstream modem/router and thus ...
by anav
Thu May 23, 2024 5:03 pm
Forum: Beginner Basics
Topic: Port forwarding to multiple pppoe connection
Replies: 1
Views: 290

Re: Port forwarding to multiple pppoe connection

Can you be clearer please.
Are you saying ALL LAN traffic should use ppoe-out2
UNLESS
it is traffic on port 10,000.

Or only traffic from ONE user and only on port 10,000 and the rest of the users and the rest of the ports for .19 go out ppoe-out2 ???
by anav
Thu May 23, 2024 4:51 pm
Forum: Beginner Basics
Topic: AT&T FTTH, VLANs, CapsMAN Full Config (RouterOS 7 Updated)
Replies: 33
Views: 6289

Re: AT&T FTTH, VLANs, CapsMAN Full Config (RouterOS 7 Updated)

Because the evidence speaks for itself. Perhaps you should read up on statistics and analytics, vice a sample of one. I have read thousands of posts (at least 10K), and quite clearly capsman is not trivial to learn, and even harder to apply. The fact that MT introduced differing capsman products did...
by anav
Thu May 23, 2024 4:33 pm
Forum: General
Topic: Access Lan Devices through windows Wireguard Client
Replies: 13
Views: 700

Re: Access Lan Devices through windows Wireguard Client

@rplant, It also better to win a big lottery, but not always possible. :-) So if you are able to modify the wireguard client as I noted in a post above...........then you will still need to modify the MT config. You need to allow wg traffic to the server and return traffic back to the client. You al...
by anav
Thu May 23, 2024 4:07 pm
Forum: General
Topic: Lost my guest wifi config on upgrade - now I'm confused
Replies: 3
Views: 346

Re: Lost my guest wifi config on upgrade - now I'm confused

Post both configs when you get a chance, after integrating the information from the link provided.
by anav
Thu May 23, 2024 4:04 pm
Forum: General
Topic: 2 networks on one router
Replies: 8
Views: 735

Re: 2 networks on one router

Please post your latest config with the changes.
by anav
Thu May 23, 2024 3:47 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 22
Views: 1909

Re: BTH BUG Bleeding Into Regular Wireguard.

Chaos or anyone, have they replicated this error on firmware 7.11.X or earlier?
Trying to establish if 7.12 and onwards ( nat hole punching ) is the culprit of this BUG.
by anav
Thu May 23, 2024 3:44 pm
Forum: General
Topic: What is your experience with Mikrotik support
Replies: 12
Views: 746

Re: What is your experience with Mikrotik support

Seems what Ammo is saying is that once you put a condition on, to remove it, you need specific commands to reverse the condition. Your expectation of how to undo the command is not realistic and when it doesnt work you found a work around to get it to where you want to be. In other words use the wor...
by anav
Thu May 23, 2024 1:35 am
Forum: General
Topic: 2 networks on one router
Replies: 8
Views: 735

Re: 2 networks on one router

Should work... but only use one bridge or no bridges. Dont use same DNS site for DNS and for routes recursive Where is ISP2 routing etc...??? What is the purpose of the DNS server at .111 when you push everyone by to 8.8.8.8 If no vpns to the router and no port forwarding to LAN devices then manglin...
by anav
Thu May 23, 2024 1:15 am
Forum: General
Topic: What is your experience with Mikrotik support
Replies: 12
Views: 746

Re: What is your experience with Mikrotik support

Okay I understand, sounds more like incomplete programming than a bug, but very low on the priority list of things they need to do........
by anav
Thu May 23, 2024 12:22 am
Forum: General
Topic: Access Lan Devices through windows Wireguard Client
Replies: 13
Views: 700

Re: Access Lan Devices through windows Wireguard Client

Fire my way your Router config.
/export file=anynameyouwish (minus router serial number and any public WANIP info, keys etc.. )
by anav
Thu May 23, 2024 12:18 am
Forum: General
Topic: Access Lan Devices through windows Wireguard Client
Replies: 13
Views: 700

Re: Access Lan Devices through windows Wireguard Client

Thus your question is more along the lines of how do I control traffic on a windows PC while using wireguard!! If the windows client is not trying to get out the internet of the MT router, it may be easier as you are targetting specific subnets only. My local network is broken and refuses access whe...
by anav
Thu May 23, 2024 12:15 am
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 8
Views: 503

Re: Connection issues with hAP AC2, any problems with my config?

I have no idea what you mean by home network................. However if I was to set this up for you this is how I would do, 1. Keep the single wireguard interface, but we will give it additional IP addresses "=) /interface wireguard peers { no change required to peers !!! } add allowed-addres...
by anav
Wed May 22, 2024 10:54 pm
Forum: Beginner Basics
Topic: [delete]
Replies: 23
Views: 1024

Re: CRS310-8G+S2 reality check on CPU use when using internet traffic

Ur killin me gazpacho ;-)
by anav
Wed May 22, 2024 10:52 pm
Forum: General
Topic: What is your experience with Mikrotik support
Replies: 12
Views: 746

Re: What is your experience with Mikrotik support

When you have an actual use case for traffic flow and the functionality does not work, I would be interested. In other words, where in a bonafide user requirement config, is dst-address-type=local or dst-address-type=!local NOT WORKING. Without context, its meaningless. However just messing around i...
by anav
Wed May 22, 2024 10:49 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 8
Views: 503

Re: Connection issues with hAP AC2, any problems with my config?

Sorry, it does not compute. Where are these machines located? What router are they connected to? What kind of ISP connection do they have. Are they ON all the time? Where did you come up with IP addresses for their wireguard? How did you configure them for wireguard etc. Too many missing pieces for ...
by anav
Wed May 22, 2024 10:36 pm
Forum: General
Topic: Access Lan Devices through windows Wireguard Client
Replies: 13
Views: 700

Re: Access Lan Devices through windows Wireguard Client

Not a problem then to establish a wireguard tunnel. Setup the wireguard interface on the MT device ( acting as Server peer for handshake ) and any single device like windows PC behind TP link router, or any laptop or phone anywhere, as a Client peer for handshake. However lets get the requirement st...
by anav
Wed May 22, 2024 10:34 pm
Forum: General
Topic: What is your experience with Mikrotik support
Replies: 12
Views: 746

Re: What is your experience with Mikrotik support

I asked if you could state what the traffic flow requirements were for this bug, what user traffic was affected. You failed to answer. So I suspect that this falls into the category of not knowing how to config the router and not a bug and that is why MT didnt respond. They should probably change th...
by anav
Wed May 22, 2024 10:31 pm
Forum: General
Topic: Inter sites Wireguard tunels and public access to services through WG
Replies: 5
Views: 505

Re: Inter sites Wireguard tunels and public access to services through WG

Open in notepad++ and manually remove or modify then post with code tags.
by anav
Wed May 22, 2024 9:29 pm
Forum: Beginner Basics
Topic: [delete]
Replies: 23
Views: 1024

Re: CRS310-8G+S2 reality check on CPU use when using internet traffic

Suggest return the CRS and buy a netgear unmanaged switch, save yourself much time now and in the future. MT is not for you.
by anav
Wed May 22, 2024 9:26 pm
Forum: General
Topic: Implementing MikroTik Solutions for a New Business
Replies: 8
Views: 910

Re: Implementing MikroTik Solutions for a New Business

I would do the same but put it inside an empty CriscO box and charge 10X.
by anav
Wed May 22, 2024 8:24 pm
Forum: General
Topic: Implementing MikroTik Solutions for a New Business
Replies: 8
Views: 910

Re: Implementing MikroTik Solutions for a New Business

I would not recommend an old router RB4011, at a minimum for the same price, the RB5009 is a better option. However, a full understanding of the requirements is required before making any hardware decisions. This is not a User or Admin with an issue, this is a student working on a school project, or...
by anav
Wed May 22, 2024 8:21 pm
Forum: Beginner Basics
Topic: [delete]
Replies: 23
Views: 1024

Re: CRS310-8G+S2 reality check on CPU use when using internet traffic

Hold your horses, time for you to put forth some effort! The video link I provided shows you how starting at minute 8:00 for the CRS device.
Its the simplest variation. At the /interface bridge port settings, ensure you check ingress filtering and frame types as appropriate.
by anav
Wed May 22, 2024 7:57 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 8
Views: 503

Re: Connection issues with hAP AC2, any problems with my config?

Sure but you need more info about tessin and camper. Do you simply mean they represent subnets on your Router?? 1. Any reason ether4 on bridge ports is not setup as the others? 2. Need to add wireguard to Interface list members add interface=wireguard list=LAN 3. TESSIN and CAMPER interfaces make n...
by anav
Wed May 22, 2024 2:19 pm
Forum: Beginner Basics
Topic: Run VPN for specific application
Replies: 2
Views: 301

Re: Run VPN for specific application

Is this gaming done through wired ports or wifi?
Larsa has the right idea.
If done through ports, then connect to a switch and control the switch for nordvpn only, if done by wifi assign a vlan SSID to the wLAN for nordvpn only
by anav
Wed May 22, 2024 3:49 am
Forum: Beginner Basics
Topic: [delete]
Replies: 23
Views: 1024

Re: CRS310-8G+S2 reality check on CPU use when using internet traffic

Let me try to understand your logic. 1. You bought a switch. 2. You configured as a router 3. You are confused because the throughput is as it states for routing. Try actually using it as a switch instead. No DHCP Trunk on ether1 carrying all data vlans and management vlan, access port out to dumb d...
by anav
Wed May 22, 2024 12:22 am
Forum: General
Topic: Access Lan Devices through windows Wireguard Client
Replies: 13
Views: 700

Re: Access Lan Devices through windows Wireguard Client

Does the wireguard mt have a public IP?
Does the TP LINK have a public IP.

Trying to determine which device is capable of server for handshake.
by anav
Wed May 22, 2024 12:20 am
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 8
Views: 503

Re: Connection issues with hAP AC2, any problems with my config?

Yeah lots wrong LOL First mistake two bridges. Why three wireguard interfaces, only need one. Your whole wireguard setup is messed up as well including routes. REMOVE Vlans and vlan mode from wifi setting!! Wireguard does not use vpn pool! Normally a VLAN is not a bridge port, ( removed )! You creat...
by anav
Tue May 21, 2024 10:15 pm
Forum: General
Topic: Unable to access devices externally on MikroTik router
Replies: 4
Views: 383

Re: Unable to access devices externally on MikroTik router

1. It would appear to me you dont have a sweet clue of what is going on! a. First, the product is a switch, not a router, although it can be used as a router if required... b. Second, it actually is configured as a router, NOT as a switch, seeing as you have IP DHCP client enabled. 2. Using a term, ...
by anav
Tue May 21, 2024 10:02 pm
Forum: General
Topic: Config conversion tool
Replies: 4
Views: 407

Re: Config conversion tool

Not a good idea, better to understand the commands in V6, and the relevant/associated or different commands functionality in version 7.
by anav
Tue May 21, 2024 8:28 pm
Forum: General
Topic: Internet sharing between 8 different apartments
Replies: 4
Views: 434

Re: Internet sharing between 8 different apartments

rb5009, no brainer. more ram storage as well, longer support life overall.
by anav
Tue May 21, 2024 8:26 pm
Forum: General
Topic: Inter sites Wireguard tunels and public access to services through WG
Replies: 5
Views: 505

Re: Inter sites Wireguard tunels and public access to services through WG

Eventually will need to see all three configs.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Tue May 21, 2024 8:24 pm
Forum: General
Topic: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks
Replies: 8
Views: 728

Re: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks

Hmm try rebooting the routers, I dont see any reason why the road warrior should not be able to access the LANs on R2 ?????
by anav
Tue May 21, 2024 12:34 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 16
Views: 1439

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

Why would you have the MT router (server for peer), be monitoring the client peer behind CGNAT???
by anav
Tue May 21, 2024 12:31 pm
Forum: General
Topic: CAPSMAN: Howto CAP AC XL -> CAP AX migration?
Replies: 21
Views: 3382

Re: CAPSMAN: Howto CAP AC XL -> CAP AX migration?

No worries, I like a straight road, without curves, cliffs, mudslides, falling boulders etc........ Without CAPsMAN will there be correct Roaming? How many access points do you have? I dont run around in my house with my phone ;-P, but yes, roaming is not optimized, does it bother me, not in the le...
by anav
Tue May 21, 2024 1:44 am
Forum: Beginner Basics
Topic: GrooveA as Wireguard client
Replies: 6
Views: 807

Re: GrooveA as Wireguard client

(1) Allowed IPs for GROOVE: The wireguard subnet and the LAN of the UDM. /interface wireguard peers add allowed-address=192.168.4.0/24,192.168.1.0/24 endpoint-address=my.wan.ip.address endpoint-port=51820 interface=wireguard1 public-key="publicKeyObfuscated=" (2) Missing Wireguard I...
by anav
Tue May 21, 2024 1:28 am
Forum: General
Topic: Inter sites Wireguard tunels and public access to services through WG
Replies: 5
Views: 505

Re: Inter sites Wireguard tunels and public access to services through WG

So MT CHR in the cloud as the way to reach both routers a. for admin for config purposes b. to forward ports to servers behind each router c. for subnets on R1 to reach R2 and vice versa ?? In terms of port forwarding, does the server need to see the public IP of the external user hitting the CHR, o...
by anav
Tue May 21, 2024 12:33 am
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

But first, ............... as stated above...... Okay you need to let me know the purpose of each port on the hapax3. To what it leads to, and to what vlan the connected device belongs to. Remember access between vlans and to their devices is controlled by the firewall rules on the 5009 ether1 conn...
by anav
Tue May 21, 2024 12:31 am
Forum: Beginner Basics
Topic: hAP AX3 as a simple Layer2 switch [SOLVED]
Replies: 4
Views: 470

Re: hAP AX3 as a simple Layer2 switch [SOLVED]

1. I only renamed the bridge from WLAN to bridgeWLAN is all ( not a second bridge). The word WLAN has other connotations so I would never use a confusing term. 2. Because as admin you should be able to access all your mikrotiks for config purposes from the management subnet or the trusted subnet ( tr...
by anav
Mon May 20, 2024 10:18 pm
Forum: Beginner Basics
Topic: hAP AX3 as a simple Layer2 switch [SOLVED]
Replies: 4
Views: 470

Re: hAP AX3 as a simple Layer2 switch [SOLVED]

So you have two vlans for WIFI? Do you have a trusted vlan, or management vlan? The HAP needs an IP address from the trusted vlan. I will assume ether5 is an off bridge access such that you can configure the device safely away from bridge vlan filtering I will assume vlan10 is the trusted VLAN comin...
by anav
Mon May 20, 2024 9:51 pm
Forum: Beginner Basics
Topic: Vlan setup problem
Replies: 2
Views: 373

Re: Vlan setup problem

by anav
Mon May 20, 2024 9:49 pm
Forum: General
Topic: CAPSMAN: Howto CAP AC XL -> CAP AX migration?
Replies: 21
Views: 3382

Re: CAPSMAN: Howto CAP AC XL -> CAP AX migration?

No worries, I like a straight road, without curves, cliffs, mudslides, falling boulders etc........
by anav
Mon May 20, 2024 9:39 pm
Forum: General
Topic: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks
Replies: 8
Views: 728

Re: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks

R2 # model = RB1100x4 /interface wireguard add comment="WireGuard VPN" listen-port=13231 mtu=1420 name=wireguard 2 add comment="Wireguard Secondary" listen-port=14321 mtu=1420 name=wg-bup /interface list add name=WAN add name=LAN /ip neighbor discovery-settings set discover-inte...
by anav
Mon May 20, 2024 9:05 pm
Forum: General
Topic: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks
Replies: 8
Views: 728

Re: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks

My advice is to only use one Router as server, for the Router to Router Traffic. The second wireguard interface I would just use for external road warrior traffic to R2, directly. The reason being, practically speaking if R1 is not working R1-R2 connectivity is zilch and you cannot use R1 to reach R...
by anav
Mon May 20, 2024 8:15 pm
Forum: General
Topic: Why is this traffic being processed by the firewall?
Replies: 2
Views: 333

Re: Why is this traffic being processed by the firewall?

Why use such a convoluted method to control traffic.
Simply put a drop rule at the end of the forward chain, and whatever is not expressly accepted before the rule is not permitted.
by anav
Mon May 20, 2024 8:13 pm
Forum: General
Topic: NTP server
Replies: 3
Views: 418

Re: NTP server

Of course, the router has to get its time from an upstream router and hence a client ....
The server part is to the LAN side.
Depending upon input chain rules, one may have to add port 123 .........
by anav
Mon May 20, 2024 8:12 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 16
Views: 1439

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

Gotsprings, is that on a Router (client peer for handshake)??
by anav
Mon May 20, 2024 8:09 pm
Forum: General
Topic: CAPSMAN: Howto CAP AC XL -> CAP AX migration?
Replies: 21
Views: 3382

Re: CAPSMAN: Howto CAP AC XL -> CAP AX migration?

Even easier, no capsman!!
by anav
Sun May 19, 2024 11:30 pm
Forum: Beginner Basics
Topic: ProtonVPN configuration but only for a handful of IP's
Replies: 5
Views: 555

Re: ProtonVPN configuration but only for a handful of IP's

(1) Okay the issue is in allowed IPs at least for starters. The allowed IPs is to identify REMOTE traffic that is coming in, aka external users visiting your device, or local users visiting REMOTE device (for config, subnets or internet ). It is NOT to identify any local users!!! Since you are going...
by anav
Sun May 19, 2024 11:08 pm
Forum: Beginner Basics
Topic: An issue with web-server access from internet
Replies: 11
Views: 899

Re: An issue with web-server access from internet

Ahh thanks, now your first post makes more sense, jaclaz has a keener sense to suss out configs, I need network diagrams LOL.

What brand is the second router?
by anav
Sun May 19, 2024 11:06 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 18
Views: 1080

Re: RB5009 and 2Gb/s internet speed

Thanks Jaclaz The only managed 5 Port 2.5gb is a chinese special. No thanks. There are no 8 Ports managed.... Thus this link supports research done on my own, there are no viable managed 2.5gb 5 port or 8 port, switches yet worth buying. I like netgear especially with lifetime warranties for exampl...
by anav
Sun May 19, 2024 11:06 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 18
Views: 1080

Re: RB5009 and 2Gb/s internet speed

Thanks Jack, The only managed 5 Port 2.5gb is a chinese special. No thanks. There are no 8 Ports managed.... Thus this link supports research done on my own, there are no viable managed 2.5gb 5 port or 8 port, switches yet worth buying. I like netgear especially with lifetime warranties for example....
by anav
Sun May 19, 2024 11:01 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

The version of MikroTik does not matter if you are NOT using it to communicate for wireguard. The Windows Server behind the MT suffices just fine. Its all transparent to the MT. As long as the server has access to the WAN side, it should be good to go. More than likely its windows firewall or thing...
by anav
Sun May 19, 2024 4:39 pm
Forum: Beginner Basics
Topic: An issue with web-server access from internet
Replies: 11
Views: 899

Re: An issue with web-server access from internet

Let me ask in another way, as I dont think you are getting a public IP at all. a. Compare the WANIP you get on the router ( either you have to set this in IP address as provided by ISP, or via IP DHCP client, or PPPOE client, ( what is wan IP) Compare this to b. IP Cloud on the router, enable and se...
by anav
Sun May 19, 2024 4:30 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 18
Views: 1080

Re: RB5009 and 2Gb/s internet speed

The help you need costs too much $$$. ;-) The point being is that the OP wants to be able to utilize the full amount of 2.5gb at any of those ports. Sure if there are other users on the same port or different ports, the throughput will be less but the potential exists. Site is horrible for any kind ...
by anav
Sun May 19, 2024 2:16 pm
Forum: Beginner Basics
Topic: ProtonVPN configuration but only for a handful of IP's
Replies: 5
Views: 555

Re: ProtonVPN configuration but only for a handful of IP's

Wont look at it unless you post complete config

/export file=anynameyouwish ( minus router serial number, any public WANIP information or keys etc. )

Use Notepad++ to open and edit and then paste here.
by anav
Sun May 19, 2024 2:13 pm
Forum: Beginner Basics
Topic: GrooveA as Wireguard client
Replies: 6
Views: 807

Re: GrooveA as Wireguard client

1. Where is your IP address for Wireguard?? 2. Allowed IPs are WRONG, you need to better explain the uses for wireguard a. are you just using it to config groove b. are you using it to connect to LAN of groove c. are you using it to connect to LAN of UDM router d. are you using it to go out interne...
by anav
Sun May 19, 2024 2:08 pm
Forum: Beginner Basics
Topic: GrooveA as Wireguard client
Replies: 6
Views: 807

Re: GrooveA as Wireguard client

/ip pool add name=dhcp ranges=192.168.0.10-192.168.0.254 GrooveGA network is 192.168.1.0/24 UDM network is 192.168.1.1/24 If there's anything missing I'd much appreciate some guidance. Ummm, ?????? First the two networks you have stated are identical,, the UDM network you have listed is actually...
by anav
Sun May 19, 2024 2:02 pm
Forum: Beginner Basics
Topic: An issue with web-server access from internet
Replies: 11
Views: 899

Re: An issue with web-server access from internet

I have two routers/networks: 192.168.0.0 which is taking network from ISP and 192.168.3.0 which is connected to 192.168.0.0 and the web-server that is running on 192.168.3.2. I can reach the web-server from 192.168.0.0 but can't from internet. Tho if I try to connect to my public ip it directs me ...
by anav
Sun May 19, 2024 2:50 am
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1360

Re: VPN - device routing

Hello, THANK YOU SO MUCH. Its working. Last question: is it possible to change the table in the rule thru an ssh command? (from main to thr_WG) Then I can decide when I want to use the internet thru main or wireguard. You will have to explain the request in more detail Which users, Where are they c...
by anav
Sun May 19, 2024 2:46 am
Forum: General
Topic: Why does PCC break "google.com/maps" - or does it for you? [SOLVED]
Replies: 6
Views: 1893

Re: Why does PCC break "google.com/maps" - or does it for you? [SOLVED]

Too complicated for me to analyze then. Someone with greater knowledge will have to provide assistance. I also was unaware that PCC used Nth and not aware that one could split sessions on the MT device. To ensure banking goes smoothly the recommendation for pCC is to use only source addresses vice b...
by anav
Sun May 19, 2024 12:42 am
Forum: General
Topic: Why does PCC break "google.com/maps" - or does it for you? [SOLVED]
Replies: 6
Views: 1893

Re: Why does PCC break "google.com/maps" - or does it for you? [SOLVED]

Suggest you post the entire config, as you probably have multiple errors.
Your mangle rules are all over the map.

Can you also state why you have mangling rules besides the 4 rules for LB?
by anav
Sun May 19, 2024 12:04 am
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1360

Re: VPN - device routing

It depends, what throughput is your ISP, if its 1gig, the HEX is underpowered for that and better to stick with USG. As long as you can forward ports and set manual routes on the USG, it should work !!! I can provide a hex setup AS a router that will work, not as a basic switch though. Your IP addre...
by anav
Sat May 18, 2024 10:46 pm
Forum: Beginner Basics
Topic: Problems With 2 Wan - Wan 2 not ping Wan 1
Replies: 7
Views: 450

Re: Problems With 2 Wan - Wan 2 not ping Wan 1

I asked many specific questions to elicit facts and you replied with very little and nothing new. Try again if you want assistance. I dont care what the problem is, I am trying to understand the requirements...... a first step to understanding the config and how to modify it. ---> what happens when ...
by anav
Sat May 18, 2024 10:35 pm
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1360

Re: VPN - device routing

Okay that was helpful. So basically the HEX is acting as a Switch Type device (not a router) and is assigned an IP of 192.168.2.5 on the FLAN LAN of the USG device. You want the apple TV device to ignore the USG WAN and only go out the HEX wireguard connected to Fritz..... Well thats a problem, its ...
by anav
Sat May 18, 2024 9:09 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 3106

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

You're mixing apples and oranges. THIS IS NOT A WIREGUARD ISSUE!!! Once you set 0.0.0.0/0 on the R2 router, wireguard could care less about destinations, they are all included. Its up to you the admin on how to send folks to wireguard for that domain. I suppose the easiest way is to have vlan and/or W...
by anav
Sat May 18, 2024 7:43 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 3106

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

As I surmised, its a request born of not knowing how WG works. If your intention was to go out the internet of R1 ( server for handshake peer ) from R2 ( client peer ), then 0.0.0.0/0 for allowed-IP entry is CORRECT and PROPER at R2 !!! Ensuring which devices are your end, R2, enter the tunnel is up...
by anav
Sat May 18, 2024 7:21 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 18
Views: 1996

Re: Port forward from WAN to a host behind Wireguard

Knowingly making connection to the router available to the WWW. Using the default winbox port is icing on the malpractice cake. :-)
/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=8291 in-interface-list=\
WAN protocol=tcp src-address-list=Winbox
by anav
Sat May 18, 2024 7:09 pm
Forum: Beginner Basics
Topic: nat via vpn
Replies: 2
Views: 377

Re: nat via vpn

This is a common methodology
Provide the configs for the CHR and the home device so we can see where you went wrong.
by anav
Sat May 18, 2024 7:07 pm
Forum: Beginner Basics
Topic: CRS310-8G+2S+IN - Low speed ISP [SOLVED]
Replies: 18
Views: 1185

Re: CRS310-8G+2S+IN - Low speed ISP [SOLVED]

Concur with tangent, Why would you try and make the CRS3 Model, which is an excellent switch and exactly what you need, into a router??? The RB5009 can accept 2.5 gig from the ISP as it is, and can transfer to the switch using its SFP+ port. When the day comes and your ISP offers 10Gig connection, I...
by anav
Sat May 18, 2024 7:01 pm
Forum: Beginner Basics
Topic: Problems With 2 Wan - Wan 2 not ping Wan 1
Replies: 7
Views: 450

Re: Problems With 2 Wan - Wan 2 not ping Wan 1

Unfortunately you have to be more precise. The router setup is either Primary and Secondary or Load Balancing. MT OS works on the premise of assuming a non-random routing selection. However this does not preclude setting up the WANs and LANs to work as you wish. What is also missing is the fact that...
by anav
Sat May 18, 2024 6:48 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 3106

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

Well thats the rub. If the discussion is about adding client devices, the request makes no sense. If this is about client peers ( and server peer ) being able to add applicable SUBNETS to allowed IPs, and their concomitant IP Routes, then we can have a better discussion. Q , Can MT implement these t...
by anav
Sat May 18, 2024 5:22 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

But first, ............... as stated above......
Okay you need to let me know the purpose of each port on the hapax3. To what it leads to, and to what vlan the connected device belongs to.
Remember access between vlans and to their devices is controlled by the firewall rules on the 5009
by anav
Sat May 18, 2024 5:21 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 3106

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

I disagree with your request if I think I understand what you are getting at. Appears to be nonsensical! Each entry for Allowed IPs is specific ( at least on the Server Client ( server for handshake ), to ONE client peer. One does not list all the clients on one line??? Remember each peer also has a...
by anav
Sat May 18, 2024 4:57 pm
Forum: Beginner Basics
Topic: No internet acces after capsman setup CAP AX behind rb5009
Replies: 5
Views: 455

Re: No internet acces after capsman setup CAP AX behind rb5009

So what LOL, the only advantage of capsman is slightly better roaming. I have to ask holve, do you run around your house with the cell phone in your hand, or only when you comment on your spouses cooking ;-PP
by anav
Sat May 18, 2024 4:56 pm
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1360

Re: VPN - device routing

You failed to answer my questions about the subnet structure etc.. ???
You should provide a network diagram!!
by anav
Sat May 18, 2024 4:51 pm
Forum: Beginner Basics
Topic: Problems With 2 Wan - Wan 2 not ping Wan 1
Replies: 7
Views: 450

Re: Problems With 2 Wan - Wan 2 not ping Wan 1

Your bizarre testing or results do not make the requirement (actual traffic flow required ) clear at all. To help I would need to know a. identify all user(s)/device(s), groups of users devices, external and internal, including the admin b. identify what traffic they need to accomplish. In terms of ...
by anav
Sat May 18, 2024 4:45 pm
Forum: General
Topic: Feature Request: Allow Address Lists on Wireguard [SOLVED]
Replies: 11
Views: 3106

Re: Feature Request: Allow Address Lists on Wireguard [SOLVED]

Your request is unclear.............
Where would you use this address list?
by anav
Sat May 18, 2024 4:43 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 18
Views: 1080

Re: RB5009 and 2Gb/s internet speed

@Kaldek, DO YOU NOT READ. First: There is no core switch, he has an RB5009 which acts as both Router and Switch for his purposes. Second: The stated need is for FIVE PORTS to have greater than 1gig capacity. Why do you propose a switch costing $999 US, providing 20x2.5 ports and 4x combo (SFP+/2.5 p...
by anav
Sat May 18, 2024 4:27 pm
Forum: General
Topic: Correct way to add a vlan on egress
Replies: 5
Views: 396

Re: Correct way to add a vlan on egress

If indeed your PC sends out and expects data on vlan4, the setup I gave you works. Also question not answered, which port is WAN port on your device?
by anav
Sat May 18, 2024 4:25 pm
Forum: General
Topic: Route failover testing NOT a gateway
Replies: 4
Views: 366

Re: Route failover testing NOT a gateway

What are you smoking...............
You provide no details and claim the example provided ( which confirms if the www is reachable) doesnt work without any facts.
good luck, not going to waste my time.
by anav
Sat May 18, 2024 3:58 pm
Forum: General
Topic: Correct way to add a vlan on egress
Replies: 5
Views: 396

Re: Correct way to add a vlan on egress

The solution is to add vlan4 to the config add interface=bridge name=vlan4 vlan-id=4 Then give the vlan an IP address add address=192.168.1.1/24 interface=vlan4 network=192.168.1.0 BRIDGE does no dhcp, does not get an IP address etc... etc..... Which port is your WAN port ???? All ports will be unta...
by anav
Sat May 18, 2024 3:13 am
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Okay you need to let me know the purpose of each port on the hapax3. To what it leads to, and to what vlan the connected device belongs to.
Remember access between vlans and to their devices is controlled by the firewall rules on the 5009
by anav
Sat May 18, 2024 1:48 am
Forum: Useful user articles
Topic: Advanced Routing Failover without Scripting
Replies: 272
Views: 139434

Re: Advanced Routing Failover without Scripting

I agree that it should work on Vers7, but why bother? Lets think through the logic! What are the chances that one IP address is working and the other NOT working with a single ISP provider (and gateway). Probably checking one WANIP through the same gateway is all that is needed. Now its remotely pos...
by anav
Sat May 18, 2024 1:37 am
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 18
Views: 1080

Re: RB5009 and 2Gb/s internet speed

His speed he stated was 2Gig, and thus I assumed he would use his 2.5 gig port to the ISP modem.
However it should be possible to connect his sfp+ port to the ISP modem if thats the only viable option and his 2.5gig port to the switch (any of its 2.5gig ports).
by anav
Sat May 18, 2024 1:24 am
Forum: Beginner Basics
Topic: No internet acces after capsman setup CAP AX behind rb5009
Replies: 5
Views: 455

Re: No internet acces after capsman setup CAP AX behind rb5009

I can help if you dont want the extra Years added on your life and loss of hair by using Capsman.
Setting up the AX without capsman on the AX and the RB5009 is SOoooooooooooooooooooo Simple.
by anav
Sat May 18, 2024 1:21 am
Forum: General
Topic: IKEv2 MIKROTIK <---> SOPHOS
Replies: 1
Views: 247

Re: IKEv2 MIKROTIK <---> SOPHOS

The two resources I found are:

viewtopic.php?p=893536&hilit=sophos+ikev2#p893536
and
https://www.youtube.com/watch?v=ISRrnWPQ9zU

Good luck, I use wireguard and it works well!!
by anav
Sat May 18, 2024 1:16 am
Forum: General
Topic: RB5009 and 2Gb/s internet speed
Replies: 18
Views: 1080

Re: RB5009 and 2Gb/s internet speed

In your setup I would get one of these switches.
https://mikrotik.com/product/crs310_8g_ ... ifications

SFP+ port from RB5009 to SFP+ port on switch and then use the 2.5gb ports to your five devices.
by anav
Fri May 17, 2024 11:17 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

What? A hex router is like 60$, a windows computer is much more expensive.
Personally, if it was a business and I could deduct expenses or charge the customer, I would go with a $7 a month CHR cloud server and connect all my devices through that.
by anav
Fri May 17, 2024 11:09 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 18
Views: 1996

Re: Port forward from WAN to a host behind Wireguard

To manage 200 routers I would certainly look at something like this to simplify life. https://admiralplatform.com/ Second point is that if you were my IT manager/consultant, I would sue if breached, for malpractice..... :-) Yes when trying to port forward from R1 public IP, through wireguard to Serv...
by anav
Fri May 17, 2024 6:50 pm
Forum: Beginner Basics
Topic: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or change) [SOLVED]
Replies: 8
Views: 5107

Re: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or chang [SOLVED]

Factories are designed to copy brand names and pump out cheapo copies...........
Would never support such companies myself.
by anav
Fri May 17, 2024 6:48 pm
Forum: General
Topic: Weird Wireguard Issue
Replies: 6
Views: 468

Re: Weird Wireguard Issue

What the weird config tells me is that you probably used BTH or quickset or something to setup the wireguard on the MT. If setup manually there is no client nonsense like that on the Allowed IP settings on Server Peer for any other client peer. ITS allowed IPs, Interface NAME, Public key DONE!!
by anav
Fri May 17, 2024 6:44 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

My word, ................. The firmware version on that router is OUTDATED. Suggest you upgrade the firmware to the latest version 7. For example, wireguard is not available on ver6 firmware. Also I see you are not using winbox which is better for most non CLI inclined folks. Just load winbox onto t...
by anav
Fri May 17, 2024 6:38 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 16
Views: 1439

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

I have had my router to router wireguard connection stop working.

Simple fix was to send pings across the link every so often. Hasn't dropped in months.
????????????? That is called persistent keep alive ????????
by anav
Fri May 17, 2024 6:37 pm
Forum: General
Topic: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks
Replies: 8
Views: 728

Re: WireGuard VPN Access from RoadWarrior PC (outside) to 2 WireGuarded Site-to-Site Networks

Yes, lets say R1 is the Server client for handshake ( for both client peer router and client road warriors). On R1, ensure you add a relay forward chain rule. add chain=forward action=accept in-interface=wireguard-name out-interface=wireguard name. R1 should have allowed IPs as follows add comment=&...
by anav
Fri May 17, 2024 1:25 pm
Forum: Beginner Basics
Topic: wireGuard does not work for me on my mikrotik RB750r2
Replies: 15
Views: 1564

Re: wireGuard does not work for me on my mikrotik RB750r2

The WANIP as shown is private not public.
by anav
Fri May 17, 2024 1:22 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

In winbox use the NEW TERMINAL selection on the left hand side. Type in /export file=anynameyouwish Then go to FILES on the left hand side, and open the files, find the file you just created and download it to the PC. Then either copy and paste the file so you have access or open the file and copy t...
by anav
Fri May 17, 2024 12:28 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

If you can pass me the config of that router, then I can adjust it for wireguard........
by anav
Fri May 17, 2024 12:26 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 7017

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

No need to explain to us, we make mistakes all the time, however an apology to MT support is in order.
by anav
Fri May 17, 2024 3:53 am
Forum: General
Topic: Weird Wireguard Issue
Replies: 6
Views: 468

Re: Weird Wireguard Issue

Your wireguard setup is incorrect. It would appear the MIKROTIK is acting as Server Peer for handshake and the roadwarriors/others are acting as Client peer for handshake. To be clear each client must be defined on the MT device. Using 0.0.0.0/0 as a matching criteria for traffic would mean that onl...
by anav
Fri May 17, 2024 2:15 am
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

I meant for settings on the router. I have relatives in Cuenca and Valencia. :-)
by anav
Fri May 17, 2024 2:14 am
Forum: General
Topic: Weird Wireguard Issue
Replies: 6
Views: 468

Re: Weird Wireguard Issue

Without looking at the config, of both router and client peer hard to say.
This was a known issue but got resolved around 7.12 I thought.
Assuming your client peers have keep alive settings ?
by anav
Fri May 17, 2024 2:12 am
Forum: General
Topic: Route failover testing NOT a gateway
Replies: 4
Views: 366

Re: Route failover testing NOT a gateway

Yes recursive routing where you check connectivity to a DNS, aka the www, not just to the ISP. /ip route add distance=1 check-gateway=ping dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=10 target-scope=12 add distance=2 dst-address=0.0.0.0/0 gateway=9.9.9.9 scope=10 target-scope=12 ++++++++++++++++++++...
by anav
Thu May 16, 2024 11:24 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

Oh as long as you have winbox access we are good to go then!!
If push comes to shove we could do a live session, via teamviewer etc......
by anav
Thu May 16, 2024 11:12 pm
Forum: Beginner Basics
Topic: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or change) [SOLVED]
Replies: 8
Views: 5107

Re: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or chang [SOLVED]

Well, you did scrape the bottom of the switch market to find that copy of somebody elses technology LOL. Okay so change back the management vlan on RB5009 back to vlan99. Going on trunk port to Smart Managed switch from router (Sfp +1) will be vlan99,10,20,60 Will assume on trunk port on smart swi...
by anav
Thu May 16, 2024 10:54 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 7017

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

Well, and all that nasty drivel aimed at MT support. What a clown. Although it smelled off from the get go LOL
by anav
Thu May 16, 2024 10:50 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

To be clear you simply need one PC to talk to the other PC?? Without access to the MT config, not much more we can do at this point for any VPN. Suggest you pick up a cheap MT device like HeX router and attach it to the ISP MT router and then we you can forward the MT port to the hex router and we ...
by anav
Thu May 16, 2024 9:47 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 7017

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

Turns out was an MTU config issue, Not an MT support problem, not a bug etc......
by anav
Thu May 16, 2024 9:46 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1511

Re: Winbox IKEv2 strange issue

Glad you got it resolved.
by anav
Thu May 16, 2024 9:31 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

It should be clear that it's best to configure the WG on the Router first and copy the public key it provides so you can easily paste it into the windows install and vice versa copy the windows public key to install in the Mikrotik setup.
by anav
Thu May 16, 2024 9:24 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

Really, where did you get the install from? If you can configure a Mikrotik Device, getting a wireguard tunnel setup on windows is a piece of cake. Step1: Download window installer from wireguard website. Step2: At the popup window Select the arrow next to add Add Tunnel at the bottom. SELECT: Add E...
by anav
Thu May 16, 2024 7:31 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

Fear not, provide the config on the MT router or device ( assuming it has a public IP or can be forwarded a port from an upstream router and will have you up and running in no time.)
by anav
Thu May 16, 2024 7:30 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1511

Re: Winbox IKEv2 strange issue

Too funny!!
by anav
Thu May 16, 2024 6:55 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

No problem his videos are decent no doubt, but he misses the point and that is a separate connection to the router config, not associated with the bridge vlan filtering as that tends to be where ppl screw up most and lock themselves out of the router. Thus accessing the bridge from a port on the dev...
by anav
Thu May 16, 2024 6:53 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1511

Re: Winbox IKEv2 strange issue

Yes I am allergic to many things but mostly IPV6, capsman and IKEv2, although I did get it working from my iphone to MT router once.
by anav
Thu May 16, 2024 6:51 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

Hi there, OPENVPN or OVPN etc has never been fully supported on MT devices. Wireguard is pretty easy but there is a catch, you need at least one of your MT devices to have a public IP address or have an upstream router (yours or ISP) that can forward a port to the MT device. If neither is possible, ...
by anav
Thu May 16, 2024 6:34 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1511

Re: Winbox IKEv2 strange issue

I can help you get a working Wireguard tunnel between your two MT devices, but this requires at least one of the devices has a public IP, or is connected to an upstream router (yours or ISP) that can forward a wireguard port to your device. Please advise.
by anav
Thu May 16, 2024 4:23 pm
Forum: Beginner Basics
Topic: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or change) [SOLVED]
Replies: 8
Views: 5107

Re: Vlan tuning: Mikrotik router RB4011iGS+ and not Mikrotik switch, which have default VLAN1( not deleteable or chang [SOLVED]

When you decide to go back to the sane approach of configuring the router, assistance is possible.
In other words, what needs to be done is setup your managed switch properly.
It should be easy to set it up as required, what is the make and model please.
by anav
Thu May 16, 2024 3:53 pm
Forum: General
Topic: Port forwarding for VPN?
Replies: 28
Views: 1137

Re: Port forwarding for VPN?

Sounds like a waste of time, try using wireguard.
by anav
Thu May 16, 2024 3:52 pm
Forum: General
Topic: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks
Replies: 16
Views: 1439

Re: Wireguard stops handshaking out of sudden - Change of port (only) solves it for weeks

Not enough information.
no config,
no network diagram
no understanding of what is at the two ends of the wireguard connection
etc
etc
by anav
Thu May 16, 2024 3:50 pm
Forum: General
Topic: 2 wan load balancing to make a speed double please 🙏
Replies: 2
Views: 293

Re: 2 wan load balancing to make a speed double please 🙏

No, do your own work or at least make an effort based on available mt documents, forum threads, you tube videos........... and you cannot double speed, you can provide more bandwidth for users, but a single session will only get the max throughput of ONE ISP. Two WANs is for making more bandwidth avai...
by anav
Thu May 16, 2024 3:40 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 7017

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

So you're not complaining about a bug, or issue with the router?
You need assistance to configure the router.?.............--> Perhaps take some courses maybe.
https://www.youtube.com/@MAICT
by anav
Wed May 15, 2024 9:39 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Which vlan(s) are the other devices connected to on the hapax3?? There is no such thing as local devices as the hapax3 is not acting as a router. Also why do you need a management access port, physical port, on vlan10 on the device itself? For the reason its on the management vlan you can reach it fr...
by anav
Wed May 15, 2024 9:29 pm
Forum: General
Topic: Confusing routing behavior CCR1009-7G-1C-1S+ [SOLVED]
Replies: 5
Views: 6016

Re: Confusing routing behavior CCR1009-7G-1C-1S+ [SOLVED]

No actually your configuration is hosed...... So for some reason the subnet 192.168.0.0/23 is blocked from reaching the printer at 172.16.10.93. The first thing I would do is get rid of vlan1 for any data traffic. VLAN1 is used in the background by the router already and should NOT be used to someh...
by anav
Wed May 15, 2024 8:20 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Okay a bit confused, why do you have a LAN on this ax3? There should be no address associated with the bridge. Other than vlans ( for management of router and potentially also associated with a trusted WIFI LAN) vlans for data ( trusted or non-trusted - each associated with its own SSID and WIFI LAN...
by anav
Wed May 15, 2024 7:43 pm
Forum: General
Topic: Confusing routing behavior CCR1009-7G-1C-1S+ [SOLVED]
Replies: 5
Views: 6016

Re: Confusing routing behavior CCR1009-7G-1C-1S+ [SOLVED]

I wouldn't even begin to assess the config without a much clearer set of requirements and a detailed network diagram

a. identify all the user(s)/device(s), groups of users/devices ( including admin )
b. identify all the traffic they need to execute.
by anav
Wed May 15, 2024 6:59 pm
Forum: Beginner Basics
Topic: WireGuard Site-to-Site over WiFi
Replies: 1
Views: 295

Re: WireGuard Site-to-Site over WiFi

Yes, assuming one of the Routers has a publicly reachable IP, or one has an upstream ISP router that can forward the chosen wireguard port you are in business!! Assuming R1 is the Server for handshake (has public IP). Then basically you have to consider a. select a wireguard port ( I never choose de...
by anav
Wed May 15, 2024 6:45 pm
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6172

Re: Port forwarding over site-to-site wireguard [SOLVED]

The learning is the important part, copying blindly, never leads to success down the line, although it feels good to see traffic flowing. :-)
by anav
Wed May 15, 2024 5:54 pm
Forum: General
Topic: Feature request : Multipath TCP (MPTCP) support
Replies: 10
Views: 8905

Re: Feature request : Multipath TCP (MPTCP) support

On the subject of the periodic table element, "UNOBTANIUM",
I would like to make the request to add...... drumroll please...............

" DPI of encrypted packets "
by anav
Wed May 15, 2024 4:24 pm
Forum: Wireless Networking
Topic: One SSID and multiple VLANs with hardware acceleration
Replies: 13
Views: 4796

Re: One SSID and multiple VLANs with hardware acceleration

I would tackle this with radius server, userman, or hotspot etc. and have different SSIDs per vlan. Keep it simple. No manual work involved.
by anav
Wed May 15, 2024 3:48 pm
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6172

Re: Port forwarding over site-to-site wireguard [SOLVED]

You may think that but Mikrotik is often forgiving and will allow traffic to flow until it does not and you trip over some errors in the config. By the way your naming convention for Wireguard was very confusing. You called the wireguard interface on the public IP router wg-lte and you called the wi...
by anav
Wed May 15, 2024 3:10 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 22
Views: 1909

Re: BTH BUG Bleeding Into Regular Wireguard.


I am currently using the DNAT rule that Anav came up with and it works, but this is 100% a bug.
If you get the time write it up and send to MT.
by anav
Wed May 15, 2024 3:08 pm
Forum: Beginner Basics
Topic: Forward Odoo Website to WAN2 interface
Replies: 3
Views: 294

Re: Forward Odoo Website to WAN2 interface

Concept of the solution!! Two WAN load balancing scenario. No vlans, no servers on LAN. Single LAN. Only caveat is that users going to a website described by address-list=WebAddress, have to use WAN2. So my solution is simple, ensure WAN2 is primary in main routes. That means all traffic normally wi...
by anav
Wed May 15, 2024 2:05 pm
Forum: General
Topic: Output route selection - Wireguard
Replies: 21
Views: 3960

Re: Output route selection - Wireguard

There definitely is an issue with Wireguard and two WANS, where one WANTS wireguard to use the secondary WAN. Mangling does NOT work. There are two temp solutions a. Use funky destination nat rule b. Use routing rules if both wans are static WANIPs c. Use routing rules with scripts if WANs are dynam...
by anav
Wed May 15, 2024 3:41 am
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6172

Re: Port forwarding over site-to-site wireguard [SOLVED]

Your allowed IP settings are wrong, but ran out of time to look at this today.
by anav
Wed May 15, 2024 2:46 am
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

The problem is putting dumb switches between the router and the ax3. You should only put managed switches, even cheap ones from netgear or tplink work fine for this.
by anav
Tue May 14, 2024 8:03 pm
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6172

Re: Port forwarding over site-to-site wireguard [SOLVED]

Need to see config for BOTH routers.
by anav
Tue May 14, 2024 8:00 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1283

Re: simple port forward not working!!!

Without the current config, unable to comment. :-)
by anav
Tue May 14, 2024 7:42 pm
Forum: Beginner Basics
Topic: Port forwarding over site-to-site wireguard [SOLVED]
Replies: 10
Views: 6172

Re: Port forwarding over site-to-site wireguard [SOLVED]

One question needs to be answered. Is it important to you that the originating external WANIP is seen at the server at the second router? There are two options a. receive the incoming external requests from WANIPs, sourcenat them to the wireguard IP of the first router, send them to the server at R2...
by anav
Tue May 14, 2024 5:44 pm
Forum: Beginner Basics
Topic: Hairpin NAT [can't figure it out]
Replies: 5
Views: 437

Re: Hairpin NAT [can't figure it out]

(1) The config report by the Router points you to a problem. That problem is you either assign an address to the WAN or you use IP DHCP CLIENT but not both.... Also your configuration for the network setting for IP address is wrong if IP address is the method you choose to stick with! /ip address ....
by anav
Tue May 14, 2024 5:23 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1283

Re: simple port forward not working!!!

Post your final config for review............
by anav
Tue May 14, 2024 4:18 pm
Forum: Beginner Basics
Topic: 2-VPN Server on one Mirkotik with 2 PUblic IP
Replies: 7
Views: 693

Re: 2-VPN Server on one Mirkotik with 2 PUblic IP

Post the config you have so far, minus router serial number, any public WANIP info, keys etc....
by anav
Tue May 14, 2024 4:16 pm
Forum: Beginner Basics
Topic: Why my thread was deleted without any notification?
Replies: 4
Views: 463

Re: Why my thread was deleted without any notification?

Strange indeed I was helping this chap out, and there were several posts made, and I saw no reason to report or remove thread?????
by anav
Tue May 14, 2024 4:14 pm
Forum: Beginner Basics
Topic: Hairpin NAT [can't figure it out]
Replies: 5
Views: 437

Re: Hairpin NAT [can't figure it out]

Post config for review
/export file=anynameyouwish ( minus router serial number, and any public WANIP info )
by anav
Tue May 14, 2024 4:12 pm
Forum: Beginner Basics
Topic: Forward Odoo Website to WAN2 interface
Replies: 3
Views: 294

Re: Forward Odoo Website to WAN2 interface

Post your config and will try again, I have no idea why your previous thread was deleted. I think someone made an error and instead of deleting perhaps one post they deleted the entire thread?
by anav
Tue May 14, 2024 2:02 pm
Forum: General
Topic: New RouterOS Vulnerability?
Replies: 20
Views: 1188

Re: New RouterOS Vulnerability?

If the router has been compromised, assuming NORMIS or others would know?? I mean besides netinstall and using VPN to access config externally, and a. changing admin user to something not default b. changing winbox port to something not default What actions may have to be done on all devices behind ...
by anav
Tue May 14, 2024 1:58 pm
Forum: General
Topic: New RouterOS Vulnerability?
Replies: 20
Views: 1188

Re: New RouterOS Vulnerability?

Besides the described restore plan, you might as well want to consider closing the Winbox port. Using vpn would add an additional layer of security. And disable the admin account, after creating the correct accounts. CONSIDER?, are you mad? Let me rephrase that LOL CONSIDER? You are bongo nutso! Th...
by anav
Tue May 14, 2024 1:54 pm
Forum: General
Topic: New RouterOS Vulnerability?
Replies: 20
Views: 1188

Re: New RouterOS Vulnerability?

Your post is somewhat confusing you are asking for assistance on routers that dont appear to be under your monitoring or config responsibilities...... Why is this your problem??? In any case, without knowing how the configs were setup with some detail, it is not really possible to say much. Yes, net...
by anav
Tue May 14, 2024 1:06 pm
Forum: Beginner Basics
Topic: Hairpin nat & 2 Vlans [SOLVED]
Replies: 8
Views: 6296

Re: Hairpin nat & 2 Vlans [SOLVED]

Block all else means simply - keep default rules mostly, then only add needed traffic and all else is stopped cold. Its clean, clear and efficient. FORWARD CHAIN { default rules to keep } add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-mark=no-mark c...
by anav
Mon May 13, 2024 11:01 pm
Forum: General
Topic: RB4011 gradually stops accepting traffic on LAN Gateway bridge
Replies: 3
Views: 351

Re: RB4011 gradually stops accepting traffic on LAN Gateway bridge

Do you jiggle up and down or back and forth?
by anav
Mon May 13, 2024 10:08 pm
Forum: Beginner Basics
Topic: Can't find a way to connect to my server using wireguard
Replies: 8
Views: 625

Re: Can't find a way to connect to my server using wireguard

@Blancatel ... Dont agree.... More like: SERVER /interface wireguard add listen-port=13231 mtu=1420 name= wireguard-server /interface wireguard peers add allowed-address=100.100.100.2/32,192.168.88.0/24 comment=ROUTER2-CLIENT \ interface=wireguard-server public-key=\ { no keep alive required on ser...
by anav
Mon May 13, 2024 9:59 pm
Forum: General
Topic: CRS309 - Management VLAN access
Replies: 5
Views: 422

Re: CRS309 - Management VLAN access

Okay the APs are hybrid ports, but you cannot have TWO untagged vlans at a hybrid port, ONLY ONE can come in untagged.
by anav
Mon May 13, 2024 8:34 pm
Forum: General
Topic: CRS309 - Management VLAN access
Replies: 5
Views: 422

Re: CRS309 - Management VLAN access

Which port are all the vlans, from the main router, coming in on? If not the router, then some other switch but which PORT?? Are you saying the bonded LINK, is where all the vlans are coming from then? The BRIDGE DOES NOT GET AN IP address, we are using VLANS. If you want to be able to reach the con...
by anav
Mon May 13, 2024 5:46 pm
Forum: Beginner Basics
Topic: Forwarding ports
Replies: 20
Views: 1888

Re: Forwarding ports

admin is not an account, just a special user LOL, will look at this later when have time
by anav
Mon May 13, 2024 5:43 pm
Forum: General
Topic: CRS309 - Management VLAN access
Replies: 5
Views: 422

Re: CRS309 - Management VLAN access

A few comments. This should be doable but may take a couple of stabs to get working. (1) Bridge ports are for ports and wlans, ( not vlans ) and what is the role of ether1, you forgot about it in bridge vlans???? /interface bridge port add bridge=bridge comment=defconf interface =ether1 add bridge=b...
by anav
Mon May 13, 2024 5:19 pm
Forum: General
Topic: How to use ping with multiple routing marks in ROS version 7?
Replies: 10
Views: 803

Re: How to use ping with multiple routing marks in ROS version 7?

So the MTs are simply switches ??
by anav
Mon May 13, 2024 5:06 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1283

Re: simple port forward not working!!!

You are missing firewall rules and thus should not be connected to the internet at all. Also when you do introduce rules the config will have to be modified as right now your interface list approach is not quite there. It is not clear also if there is any traffic between vlan1 and vlan2 ( is there a...
by anav
Mon May 13, 2024 4:07 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1283

Re: simple port forward not working!!!

You are far from done my friend LOL. The mangles was just but one concern LOL
by anav
Mon May 13, 2024 3:13 pm
Forum: General
Topic: Wireguard setup
Replies: 2
Views: 292

Re: Wireguard setup

Yes. First fix the Allowed IPs on the MT client (for handshake) device: [Peer] AllowedIPs = 10.0.1.0/24 PublicKey = Endpoint = remote_server_ip:13231 PersistentKeepalive = 25 Now for the ability for the laptop to reach the MT will depend on what is going on at the server? You will need another clie...
by anav
Mon May 13, 2024 1:54 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

To recap you have one main router RB5009 doing the firewall rules DHCP and setting up the required vlans. vlan for home traffic vlan for wifi iot traffic vlan for other vlan for other etc..... The two other device both hapac? set up as AP switches. Post the config of these two if you want them revie...
by anav
Mon May 13, 2024 1:49 pm
Forum: General
Topic: Please bring back 'Make Static' in DHCP Lease menu
Replies: 2
Views: 379

Re: Please bring back 'Make Static' in DHCP Lease menu

If you have a recommendation send it to MT support, they dont monitor all threads.......
by anav
Mon May 13, 2024 1:39 am
Forum: General
Topic: How to configure trunk port on CCR1009?
Replies: 14
Views: 683

Re: How to configure trunk port on CCR1009?

There is no need for WAN ACCESS in your case as the standard LAN interface list comprised of all vlans, adequately covered your needs for firewall rules.
by anav
Sun May 12, 2024 7:10 pm
Forum: Beginner Basics
Topic: RB5009 - how to add the 2.5gbps port to LAN [SOLVED]
Replies: 2
Views: 5993

Re: RB5009 - how to add the 2.5gbps port to LAN [SOLVED]

Ensure its added to the default bridge.
by anav
Sun May 12, 2024 7:09 pm
Forum: General
Topic: Firewall site
Replies: 3
Views: 386

Re: Firewall site

Easily bypassed, cannot be done with guaranteed on MT router.
by anav
Sun May 12, 2024 7:08 pm
Forum: General
Topic: Multiple default routes in main route table
Replies: 9
Views: 2391

Re: Multiple default routes in main route table

If you ever run into MTU issues with Nord wireguard, then on the MT device, Try this first add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=Wireguard-Name passthrough=yes protocol=tcp tcp-flags=syn IF no joy an alterna...
by anav
Sun May 12, 2024 7:01 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 22
Views: 1909

Re: BTH BUG Bleeding Into Regular Wireguard.

I am currently using the DNAT rule that Anav came up with and it works, but this is 100% a bug.
Actually was Sindy that came up with that rule LOL, I can't nat myself out of a paper bag. But concur and I think BTH has something to do with it........ but maybe it's existed all this time??
by anav
Sun May 12, 2024 6:57 pm
Forum: General
Topic: Routing between VLANs stopped working after PCC load balancing. [SOLVED]
Replies: 14
Views: 10525

Re: Routing between VLANs stopped working after PCC load balancing. [SOLVED]

Good to know, thanks for the feedback. However you are not quite right YOU DO NEED THAT RULE TO ensure any local traffic CAN reach other subnets prior to mangling for load balancing etc. AKA The POSSIBILITY is created. What is ALLOWED to happen is determined by your firewall rules. So, Then you use ...
by anav
Sun May 12, 2024 6:13 pm
Forum: General
Topic: How to configure trunk port on CCR1009?
Replies: 14
Views: 683

Re: How to configure trunk port on CCR1009?

I have a ccr1009 tile, device as my main router with a gazillion vlan. Will have a quick look at the config. (1) First comment never use a name for any interface which already has connotations on the MT device, let alone the exact nomenclature, bad bad........ thus MODIFY /interface vlan add interfa...
by anav
Sun May 12, 2024 6:07 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 22
Views: 1909

Re: BTH BUG Bleeding Into Regular Wireguard.

I have the same problem with the exact same scenario with two WANs and WG on the non-primary WAN. Well, you're better off using routing rules, not mangle. While mangle should work here to be consistent with RouterOS... but WG seems to overly follow what Linux kernel does, not Mikrotik's packet ...
by anav
Sun May 12, 2024 6:05 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1283

Re: simple port forward not working!!!

Please do not explain requirements in terms of a VPN or a vlan, always express requirements in terms of needed traffic flow by users. So. a. you want users on VLANX to only use WAN1 b. you want users on VLANY to only use WAN2 Q. Are there any other vlans and what should they use?? c. What happens to ...
by anav
Sat May 11, 2024 10:17 pm
Forum: General
Topic: Wireguard Site to Site VPN
Replies: 5
Views: 723

Re: Wireguard Site to Site VPN

Very doable. TO FIX ON CLIENT: No preshared key!! /interface wireguard peers add allowed-address=192.168.0.0/24,10.10.0.0/24 endpoint-address=\ 62.XX endpoint-port=13231 interface=wireguard1 \ persistent-keepalive=10s " public-key=\ "3=" Address all wrong for wireguard. /ip address ad...
by anav
Sat May 11, 2024 10:14 pm
Forum: General
Topic: Routing between VLANs stopped working after PCC load balancing. [SOLVED]
Replies: 14
Views: 10525

Re: Routing between VLANs stopped working after PCC load balancing. [SOLVED]

Similarly could you have not used that firewall address list as a first rule in the mangle chain /ip firewall mangle add action=accept chain=prerouting in-interface-list=LAN dst-address-list=connected-subnets Which says let any traffic between vlans be executed before any mangling! THEN the mangle ...
by anav
Sat May 11, 2024 10:09 pm
Forum: General
Topic: How to configure trunk port on CCR1009?
Replies: 14
Views: 683

Re: How to configure trunk port on CCR1009?

No single bridge is correct and as mkx stated, without facts we cannot help.
by anav
Sat May 11, 2024 7:51 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 6091

Re: Failover/Load Balancing + PBR [SOLVED]

Well that makes no sense, so weird, sorry dont understand your ip route setup at all.
But if its working, then its better than I can provide.
by anav
Sat May 11, 2024 7:46 pm
Forum: Beginner Basics
Topic: Isolate a public server host from LAN
Replies: 4
Views: 615

Re: Isolate a public server host from LAN

No need for second bridge. Keep ether5 separate from bridge is fine. Firewall rules determine the rest. /interface list add name=WAN add name=LAN /interface list members add interface=ether1 list=WAN add interface=bridge list=LAN add interface=ether5 list=LAN /ip firewall filter add action=accept ch...
by anav
Sat May 11, 2024 6:10 pm
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Why do you need the hap to act as router?? All you need is for it to provide wifi locally and perhaps some of its port as local ethernet connections to another switch in the area or to other devices. The way to do this is to send to the haps, all the vlans required that it will handle ( vlanX for wl...
by anav
Sat May 11, 2024 6:06 pm
Forum: Beginner Basics
Topic: Forwarding ports
Replies: 20
Views: 1888

Re: Forwarding ports

I look at a lot of configs so at this point before I relook at the config above, let me know the requirements a. identify all the user(s)/device(s) / groups of users and devices including admin, including internal and external users b. identify what traffic they need. Number and type of WAN connecti...
by anav
Sat May 11, 2024 5:50 pm
Forum: Beginner Basics
Topic: Failover/Load Balancing + PBR [SOLVED]
Replies: 22
Views: 6091

Re: Failover/Load Balancing + PBR [SOLVED]

Okay after reading that you didnt have routes, and needed to add two, I figured out what was wrong You need to go back to IP DHCP client. on DHCP tab select default route=YES on Advanced tab put in default route of 255 The script remains the same in the advanced tab. With that it will work and you c...
by anav
Sat May 11, 2024 5:45 pm
Forum: Beginner Basics
Topic: 2-VPN Server on one Mirkotik with 2 PUblic IP
Replies: 7
Views: 693

Re: 2-VPN Server on one Mirkotik with 2 PUblic IP

Post what you have configured so far.
You will need two wireguard interfaces
Which WAN is primary etc............
by anav
Sat May 11, 2024 5:40 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 18
Views: 1996

Re: Port forward from WAN to a host behind Wireguard

M1 FIRST OBSERVATIONS. 1. Unsafe Rule in INput chain. Understand you have it narrowed down but WANIPs can be spoofed. The basic rule of thumb is ONLY configure the router from behind the router. So either from a LAN device or from within the router once connected via VPN, like wireguard. /ip firewa...
by anav
Sat May 11, 2024 4:34 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 22
Views: 1909

Re: BTH BUG Bleeding Into Regular Wireguard.

So the two solutions appear to be dst-nat rule noted above........
or using routing rules as per Rplant.

Until such time MT sorts out this mess. :-(
by anav
Sat May 11, 2024 4:21 pm
Forum: General
Topic: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client
Replies: 33
Views: 1539

Re: Configuration Issue Between FRITZ!Box WireGuard Server and MikroTik Client

Well not sure I can help further, the fact that the network was not as you were indicating tells me there is probably more at play here and thus its probably too difficult.
by anav
Sat May 11, 2024 4:19 pm
Forum: General
Topic: double connections with mangle rules and drop filter rules
Replies: 3
Views: 330

Re: double connections with mangle rules and drop filter rules

I mainly use and recommend wireguard for monitoring, and I used to use SSTP as backup ( no need for certificate between two MT devices ) but recently moved to a more secure IP-IP with ipsec secret as a backup method. By the way the nice thing about a wireguard connection on WAN1. If WAN1 fails, the ...
by anav
Sat May 11, 2024 4:14 pm
Forum: General
Topic: Is there official way to ask for Feature? (ND-proxy RFC 4389)
Replies: 2
Views: 302

Re: Is there official way to ask for Feature? (ND-proxy RFC 4389)

YES, if you sign a contract with Mikrotik for probably $500,000 Euros worth of product, to ensure the functionality is in the next release, it may very well happen.
The higher you go the more likely the chances. :-)
by anav
Sat May 11, 2024 4:12 pm
Forum: General
Topic: Wireguard Site to Site VPN
Replies: 5
Views: 723

Re: Wireguard Site to Site VPN

Your requirements are not clearly stated enough to proceed. Assuming you are the admin a. local admin on Main router b. want to be able to remote config Main router ( laptop somewhere else) c. want to be able to config second router from main router d. want to be able to config second router remotel...
by anav
Sat May 11, 2024 4:05 pm
Forum: General
Topic: Dropping forward chain new - ppppoe connections
Replies: 2
Views: 330

Re: Dropping forward chain new - ppppoe connections

Besides that your firewall rules are a bit silly. A. There is no need for the rule in PURPLE B. It is made even sillier by the rule in Orange. C. Blocking ping from the WAN side is actually not useful and can get in the way of troubleshooting. /ip firewall filter add action=accept chain=input connec...
by anav
Fri May 10, 2024 6:56 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 18
Views: 1996

Re: Port forward from WAN to a host behind Wireguard

Yes, both routers please.
by anav
Fri May 10, 2024 6:45 pm
Forum: Beginner Basics
Topic: Can't find a way to connect to my server using wireguard
Replies: 8
Views: 625

Re: Can't find a way to connect to my server using wireguard

Do you have a public IPV4 address, or do you have an upstream ISP router with public IP address that can forward ports to your device?
by anav
Fri May 10, 2024 6:44 pm
Forum: Beginner Basics
Topic: Newbie on VPN and wireguard
Replies: 3
Views: 335

Re: Newbie on VPN and wireguard

What router/OS are you using.
Do you have a public IPV4 WANIP address, or if you have an upstream ISP router, does it get a public IP and can it forward ports to your device?
by anav
Fri May 10, 2024 6:27 pm
Forum: General
Topic: simple port forward not working!!!
Replies: 20
Views: 1283

Re: simple port forward not working!!!

Try to add a network diagram as your explanation was confusing.
Also you do not connect wireguard between vlans on a router, you use firewall rules in the forward chain to manage connectivity between local subnets.
by anav
Fri May 10, 2024 6:26 pm
Forum: General
Topic: How to use ping with multiple routing marks in ROS version 7?
Replies: 10
Views: 803

Re: How to use ping with multiple routing marks in ROS version 7?

Austria, wins the olympics for guessing........

Without knowing what you are trying to accomplish with your traffic, it's not feasible to answer.
What traffic are you trying to support?
mangles, routing routes, vpns in the mix ????

How many WANs, what does IP routes look like etc...
by anav
Fri May 10, 2024 4:06 am
Forum: Beginner Basics
Topic: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:
Replies: 30
Views: 2412

Re: I need so advice on VLANs for devices connecting only via 2.4GHz wifi:

Just one of them. One would be the main router, the other would solely be an AP switch.
by anav
Thu May 09, 2024 10:45 pm
Forum: Forwarding Protocols
Topic: routing all trafic passthrough wireguard via wifi station
Replies: 5
Views: 557

Re: routing all trafic passthrough wireguard via wifi station

Still not enough detail. Please detail the relationship between every device in your diagram. Right now it looks like the laptop is directly connected to GWY1, which is directly connected to GWY2, which is directly connected to the MANTBOX, which is directly connected to a wifi AP router which is dire...
by anav
Thu May 09, 2024 10:39 pm
Forum: General
Topic: Port forward from WAN to a host behind Wireguard
Replies: 18
Views: 1996

Re: Port forward from WAN to a host behind Wireguard

I would need to see complete config, MT os does not work in isolation.

/export file=anynameyouwish ( minus router serial number, any public IP information, keys etc.)