MikroTik

anav

I'm going to restrict access to a specific destinations based on source Mac address. I have two solution. 1. using mangle for marking connections and Policy Base Routing 2. Restrict access with some firewall rule and without mangle and Policy Base Routing Which one is better? Which one is more reso...

anav

Hi @anav The diagram is great! I only had one question, where is the guest wifi coming from?? (AP device?) Glad you like the diagram! It should make setup easier to work through and make maintenance / expansion easier to understand / plan! Yes, guest Wi-Fi should be available on each wAP-AC device ...

anav

If you are connecting to the internet just fine and users are not complaining, then why open up your router to garbage. Drop all is fine.
Near identical is not identical and one rule can make a huge difference.

anav

The best guide is reading this thread! It seems you have half an implementation there of using recursive. The Thread will help sort you out.
viewtopic.php?f=23&t=157048

anav

Router: (WLAN2) remove wireless entry vlan-mode=use tag and vlan identification. It should be NO tag and default of vlan1 left there Router: VLANs should be associated with the Bridge when making the vlans, and not with the WLANs. Router: One dhcp pool per subnet, you have overlapping pools and Its ...

anav

The description you gave however muddled, is a bit helpful as is a diagram but really need your config to see what is going on.
/export hide-sensitive file=anynameyouwish

anav

Pretty basic vlan setup required. The longest times will be spent on creating the DHCP setup for each VLAN (ip address, ip pool, dhcp-server, dhcp-server-network) Getting your bridge port and bridge vlan configuration correct. Getting the switch netgear setup to match the vlan setup coming from the ...

anav

The diagram is great! I only had one question, where is the guest wifi coming from?? (AP device?)

anav

Why are you posting here, thats a beta firmware issue!!
Search the threads to see if there is already a similar thread or start your own.
viewforum.php?f=1

anav

I use the eap245 as standalone units just like I do capacs and its not a problem.
No need for added complexity.

anav

Curious as to where you got the idea that mikrotik were consumer dumbed down devices??
The config seems okay on a quick view.

anav

THis config is so messy and bloated I dont think there is a quick fix. I would use only one bridge and put all subnets as vlans with interface bridge and each vlan has their own dhcp service. AND start with default firewall rules. Then come back here and explain clearly what is to be allowed for tra...

anav

unless you post your config answers will be hard to come by
/export hide-sensitive file=anynameyouwish

anav

If your intent on using WIFI5 devices, suggest the TPLINK eap245.
Stable decent performance. I dont recommend MT wifi current choices.

anav

Makes sense!
From specs: Tested Ambient Temp ---> -20°C to 60°C

anav

Does it have fans?
If not purchase some to blow air in and suck air out........

anav

As you had warned CRS112 became unstable when i connected multiple devices with frequent connections drops. As some of you had recommended I am planning to use CRS112 as a PoE switch and buy another router. Need your advice on the router , will a hEX router suffice for me? This is for a home setup ...

anav

Good to hear, I suspected it has nothing to do with the MT but more so configuring the ISP modem router.

anav

So all you are saying is that 465 is to be no longer user for SMPT and one should use 587. However I fail to see how this makes email traffic any more or less secure because that is what I care about more than some organization telling me what I can and cannot use ports for LOL. If 587 was magically...

anav

All I know is it works fine with my ISP provider??
My ISP provider requires 465 by the way.
Also my settings are start TLS=tls only

anav

hi Erk, yup and I already ordered his book on switching https://www.amazon.ca/gp/product/B08ZW38C46/ref=ppx_yo_dt_b_asin_title_o00_s00?ie=UTF8&psc=1 Hi anav, I took MTCNA, MTCRE, MTCINE, MTCTCE, MTCSE and MTCWE from him in udemy, unfortunately he doesn't have MTCSWE courses yet. Mind to share t...

anav

Buyer beware, I would have recommended the wired version of the RB4011 if you had asked.

anav

I had no luck with my sfp+ port using an SJR10+ ethernet cage attached to my CCR1009 connecting to FIbre OP modem.
The modem has fibre in and ethernet out.

I think the CCR1009 SFP+ is broken. :-(

anav

Regardless of the wifi 5 devices, advertised speeds are two way without consideration of tx loss. So whether its tplink or MT etc........... an 866 advertised should yield around 290, if you do better great but one needs to temper expectations. similarly advertised of 1300 should yield around 433, e...

anav

Anyway, a working mac-telnet from linux terminal would be very handy.
Mikrotik, please share information about authentication mechanism. You do not need to provide any code, just share that information!
+1

Avatar for mkx!!

mkx.jpg

If you poke him hard enough he falls over. ;-)

anav

No wasnt aware that the large switch setups with sWOS dont have a config to export.....

Any switch setups with swOS only have one type of human-readable configuration export: the graphical one.

Ahh the snipping tool! :-)

anav

Your set of extra rules and splunk has little worth to this thread???? I was merely pointing out that the OP already has a firewall rule in place to permit Wan to LAN dst nat traffic and that your suggesting was not only confusing but it assumed he had a drop all end rule which he does not. Call it ...

anav

DONT DISABLE FIREWALL RULES IF CONNECTED TO THE INTERNET>......................... As for fastrack yes, mangling and fastrack dont work well together. However there is a better easier way to accomplish what you want WITHOUT MANGLING which is always better as you can leave fastrack rule up and runnin...

anav

Thanks. I was just ready to post the router config, and did some more troubleshooting. Seems I had 2 bad cables. The third one worked. BTW, the CSS switches run SWOS, not RouterOS. I don't believe there is any option to dump the config to a file. There is a backup, but that is not really human read...

anav

(1) Looking okay for the most part. Remove the source address, not required. See if it works after this removal. add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN \ src-address=10.10.0.0/24 (2) Only have winbox-mac setup, the stan...

anav

A single cable can carry lots of vlans and how they are handled are determined by the equipment at either end. So other than going and renting a large Drill (anything is possible if you really want to do it), using vlans is a viable option. Need to see your configs (both).... to make any design reco...

anav

866/3 = 288 should be doable in LOS scenario.

anav

Ever heard of flogging a dead horse. If you have been searching for a decade you should simply have visited Latvia and talked to MT staff directly.
Besides your in the wrong forum suggest this one..........
https://www.reddit.com/r/Ubiquiti/

anav

Yes i am using CRS112 as a router. FIOS is also a router for now as i look out for options to change that. Is your suggestion to use FIOS as router and keep CRS112 as switch for better performance? I tried with one device connected to CRS112 and i dont see any degrade but its possible that CRS112 m...

anav

/export hide-sensitive file=anynameyouwish

anav

Why start another thread as I dealt with your firewall rules here....... https://forum.mikrotik.com/viewtopic.php?f=13&t=174254 In my opinion you dont need to delineate ports or protocols of that access as I dont think the printer can do much harm. Basically with a drop all rule at the end of th...

anav

Thank you.. I found this (https://wiki.mikrotik.com/wiki/Hairpin_NAT). I'm going to try to follow along with this.. And see if I can't make it work. If not I'll come back and bug you some more. Thanks again for all the help Dont waste your time, I covered completely the best ways to handle hairpin ...

anav

Well stated pelch1, its a service provided by the router so handled in input chain and the Gateway links in the vlans point to the router as noted.

anav

I just wanted to add this: As you enabled the setting to allow remote DNS query, Make sure to drop any incoming traffic from WAN on port 53 TCP/UDP as anyone can use your DNS service and may be used it to attack others or your own router. /ip firewall nat add action=redirect chain=dstnat src-addres...

anav

Seems like this should work for you at the moment. One thing I would change is the following no access via unprotected mac address access, keep only mac winbox active. FROM /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN TO /tool mac-server ...

anav

Feedback. Get rid of VLAN1 it serves no purpose. (1) I dont have Snooping DHCP or IGMP on my bridge, and just wondering what is the value of those settings?? (2) We do not identify vlans in the wirless settings themselves. We associate the vlans to the Bridge ports (ether ports or WLAN ports). inter...

anav

Without seeing the configs on the router and switch not much can be done. Ok, please tell me what you would like to see. Screen shots? something else? The configs LOL /export hide-sensitive file=anynameyouwish Download from files, in winbox and open in notepadd++ paste here and use the code icons (...

anav

hi Erk, yup and I already ordered his book on switching

https://www.amazon.ca/gp/product/B08ZW3 ... UTF8&psc=1

anav

Once the above is setup then we can tackle hairpin nat!! By the way if you put your server on a third subnet by itself. Lets say the server is on ether4 port, Then remove ether 4 from the bridge and simply associate the server with ether4 Or create a bridge for the server. In this way all home users...

anav

Hi there, Yes all etherports (and wlans are considered wireless etherports) should be on the bridge. IN GENERAL! but we have to take a look at your specific case see (2) below. One only needs one FIREWALL RULE, which basically states to the router allow all NAT traffic heading towards your router. I...

anav

First advice - read this best link on vlans https://forum.mikrotik.com/viewtopic.php?f=23&t=143620 Second once you have a config to look at based on the above, please post it here, the pics are not always that helpful and frankly I dont bother hurting my eyes. /export hide-sensitive file=anyname...

anav

Once you have cleaned up the config then you may be ready to try this.......... but recommend you post your config first for a review. Here is the short explanation. You have come across the need for loopback called in the MT world, HairpinNAT. This occurs when users on the same LAN as a server are ...

anav

Hi enos, then you are probably also dealing with hairpin nat and will need to modify your setup.
However prefer to see you working from a fixed up config as all the other noise may get in the way.

anav

Get rid of this. Its rarely used and can cause issues. Just use the normal and default firewall rules for traffic control at layer 3. /Interface bridge filter # no interface add action=drop chain=forward in-interface=*A # no interface add action=drop chain=forward out-interface=*A add action=drop ch...

anav

Without seeing the configs on the router and switch not much can be done.

anav

/export hide-sensitive file=anynameyouwish

should be resolved quickly once viewed.

anav

https://www.amazon.ca/gp/product/B08ZW3 ... UTF8&psc=1
I just ordered my copy LOL

anav

viewtopic.php?f=23&t=143620

https://www.amazon.ca/gp/product/B08ZW3 ... UTF8&psc=1

anav

ETH-7: Here the access point should be connected (via PWR-LINE PRO) WLAN-1 2.4GHz: SSID "HomeBase", frequency 2437, ACL WLAN-2 5GHz: SSID "HomeBase", frequency 5180, ACL Virtual AP 2.4GHz: SSID "Homeautomation-24". Virtual AP 5GHz: SSID "Homeautomation-50" Vi...

anav

Then how were you expecting to move all those WLAN networks to another device?? Trust me its not that complicated and it makes life actually easier during the config. You define the vlans in the router (interface is bridge-router) You create the dhcp networks for the vlans (same as you would for a t...

anav

OK, thx :-) IP Range in Router is 192.168.0.0/24 ... router IP is 192.168.0.1 ... so IP Range in AP is the same ? br, Richard PS: does the WISP "quick set" set device address DHCP from wired ? ... so the the main router is DHCP for the clients connected to the AP ? Basically yes, assuming...

anav

Nope dont need capsman. Use ether2 to setup the capac and use ether1 to power the capac while configuring. Ether2 is the default connection on 192.168.88.1 network. Keep all that as you will be able to troubleshoot the capac independently of the bridge setup. I typically put the capac into WISP mode...

anav

An independent review my ass.................

anav

Good reference on switches....... well apparently,
https://www.youtube.com/watch?v=v9GBZMmMBYA&t=209s

anav

Decent book!
https://stevedischer.com/learn-routeros/

anav

viewtopic.php?f=23&t=143620

Obviously CISCO is obsolete then! ;-)

Also, hot off the press.....
https://www.youtube.com/watch?v=v9GBZMmMBYA.

anav

Question above me, in that I have always thought bridges were software driven entities not hardware.
I like to keep it simple, one bridge is enough, just like one woman is enough!!

anav

Normally one configures the switch for VLANS.

anav

What is important to understand is that the default firewall rules let you work out of the box safely. The input chain rules are for traffic to and from the router from LAN or Internet (think changing router configuration or accessing router services (DNS, NTP, IPSEC, etc.....). The forward chain is...

anav

DOH doesnt work yet from what I understand.
DoH works, but have a memory leakage in all current version of RouterOS

Well yes to be accurate, but are you recommending using it, NO, :-)

anav

client1.jpg

client2.jpg

anav

All doable Gluck! will be here when you need help!!

anav

Not quite everything.
Apparently upnp is a service that the router provides and thus needs INPUT CHAIN rule allowing upnp from LAN.

add chain=input action=accept ( in-interface-list=LAN OR in-interface=subnet ) and source-address=server

anav

Not the place to ask. Please visit the consultants in your area and contact them. https://mikrotik.com/consultants I know mikrotik has a hotspot mechanism already so not sure how much more work is entailed in setting up accounts, but you may be able to do all without a third party??? https://help.mi...

anav

DOH doesnt work yet from what I understand.

anav

(1) What you should conclude is that you either didnt read the reference URL or didnt understand it......... (2) Also very few people use firewall on the bridge its very tricky and causes issues. Why do you need to use this setting vice the normal firewall rules?? /interface bridge settings set use-...

anav

Okay so its working for the most part. (1) Did you fix the sourcenat rules as suggested? (2) HERE could be the issue! From From /ip dhcp-server network add address=10.10.0.0/24 gateway=10.10.0.1 add address=10.10.1.0/24 gateway=10.10.1.1 TO /ip dhcp-server network add address=10.10.0.0/24 gateway=10...

anav

Please dont use vlanid1 for anything other than the default pvid setting on the bridge.
The best source for vlan documentation is viewtopic.php?f=23&t=143620

anav

For me the easiest would be for linux admin to assign vlan tags to your traffic,

Then all you have to do is assign the vlan to the ethernet interface and the connection is made.......

anav

Just out of curiosity is the 10.10.1.0 traffic going out ISP2?? Routes and Route rules are for going out the router, not internal routing so I have no clue of what you are trying to accomplish with winbox?? Going back to first post...... IdeallyI would like these two networks to be separated from ea...

anav

https://techhub.hpe.com/eginfolib/netwo ... 01s03.html
https://techhub.hpe.com/eginfolib/netwo ... 01s04.html
http://www.skullbox.net/hp_procurve_vlan.php

anav

Update the firmware and to get your network going, dont use capsman (at least for now), and it only adds complexity to a config and more work for the router and IMHO not worth it unless one has many access points. Talk less update more! ;-)

anav

Mikrotik support for ONT SFPs is non existent so some might work and most don't. Even compatibility with "normal" SFPs is incomplete (mildly put). Which means that trying to get ONT SFP to work with any MT device is similar to trying to win a jackpot, even if particular ONT SFP works with...

anav

So you mean this is correct....... https://networkdirection.net/articles/network-theory/taggeduntaggedandnativevlans/ https://networkengineering.stackexchange.com/questions/6483/why-and-how-are-ethernet-vlans-tagged http://www.firewall.cx/networking-topics/vlan-networks/219-vlan-tagging.html and of ...

anav

Suggest an overall approach then.............
https://www.youtube.com/watch?v=Wlg5iNU3UvM

anav

The best guide for vlans, is
viewtopic.php?f=23&t=143620
If you are having issues please post your config
/export hide-sensitive file=anynameyouwish

and stop using multiple posts for basically the same questions.

anav

The best guide for vlans, is
viewtopic.php?f=23&t=143620
If you are having issues please post your config
/export hide-sensitive file=anynameyouwish

anav

I suspect your issues are self-caused in having a way too complicated for me to understand dhcp server setup coupled with add firewall rules to the bridge.

What I would do is ensure that a plain jane vanilla setup works and then add in dhcp stuff after...........

anav

Would you consider making all VLANs going over the ports........... would make it clearer and cleaner. aka make home subnet vlan10

anav

With a quick look, cannot see anything grossly in error?? The IP routes do look a bit out of sorts though.. /ip route add check-gateway=ping distance=5 gateway=WAN-pppoe-ISP1 routing-mark=USE_ISP1 add distance=10 gateway=x.x.x.1 routing-mark=USE_ISP2 add check-gateway=ping distance=5 gateway=WAN-ppp...

anav

(1) IF it works for you great, if not, then I would recommend not deviating from vlan1 as the default pvid for the bridge (not vlan10). Remember from the guide...... one does not change the default and introduce a different pvid!! # create one bridge, set VLAN mode off while we configure /interface ...

anav

Again, describe the situation in sufficient detail.
What devices?
How do they attach to the network to begin with
What is their purpose.
Stop being so obtuse..........

anav

/export hide-sensitive file=anynameyouwish

anav

/ip firewall filter add action=accept chain=input comment="##INPUT:Allow Winbox from Radu" connection-state="" in-interface-list=WAN src-address-list=Winbox_Allow add action=accept chain=input comment="##INPUT:Allow Established and Related " connection-state=established...

anav

Your requirement is not clear.
Please state what you want users to be able or not able to do.
Please state what you want devices to be able or not able to do....

anav

Your explanation is again not sufficient. I dont see vlans in your diagram and what does winbox have to do with it? Just stated your managment vlan or subnet is X, could be the same as your home vlan/subnet. Please post entire config /export hide-sensitive file=anynameyouwish Winbox has no need to e...

anav

All of the config, many items have interdependencies and only showing bits and pieces is not usually fruitful.

anav

(1) Am I to assume that all three ports are going to 'Smart Devices' that can read vlan tags?? /interface bridge port add bridge=bridge-home interface=ether2 add bridge=bridge-home interface=ether3 add bridge=bridge-home interface=ether4 /interface bridge settings set use-ip-firewall-for-vlan=yes /i...

anav

Still, would like to see the results of the config I recommended.
That would be more convincing.

anav

I think your DNS rules are the problem. This works just fine........... THe key here is to only allow the admin to the router itself and only allow USERS on the LAN to access the DNS servers. To accomplish this make sure you construct an allow rule first for the admin to access the router in the inp...

anav

Yes, quite correct, the router is alive and has a mind of its own.
You are just a pawn in the evil plans of the router.

Post the complete config
/export hide-sensitive file=anynameyouwish

anav

Post the config again when you get stuck or have made progress either way.
/export hide-sensitive file=anynameyouwish

anav

I would use vlans......, IP POOL OF 1 or 2, Each bridge port will get a specific PVID. Each bridge port has ingress filtering applied, Where is the issue?? Would have to provide some sort of bw management queuing etc so every vlan had equal access to internet etc....... This is not solution for me....

anav

Diagrams please, when you say "THAT NETWORK" it means nothing!!
Spell out the requirements more clearly as well.

anav

I would use vlans......,
IP POOL OF 1 or 2,
Each bridge port will get a specific PVID.
Each bridge port has ingress filtering applied,
Where is the issue??

Would have to provide some sort of bw management queuing etc so every vlan had equal access to internet etc.......

anav

If you are using vlan1 stop there and redo your config and follow this guide. https://forum.mikrotik.com/viewtopic.php?f=23&t=143620 vlan1 is a default ID that should not be changed or used in most circumstances. It is the default bridge vlan pvid and should remain so in most configs' Use vlan10...

anav

I would have not recommended the capac at that price point, but concur with erlinden. What I would do is power the unit via ethernet poe on eth1 and access the cap via eth2. Create a bridge on eth1 and assign everything to the bridge. Keep a separate address, dhcp and everything for ether2 so that y...

anav

Interesting project, my reccomendations: (1) Just for completeness add ether1 interface to the WAN list. /interface list member add interface=ether1-isp1 (2) I am confused why do you only have one CLIENT noted below???? Are you saying the pppoe connection on ether1 is a static WANIP and ether2 ISP i...

anav

Both may be possible, switch chip method depends on the hardware.

bridgevlan filtering
viewtopic.php?f=23&t=143620

Switch chip method
https://www.youtube.com/watch?v=Rj9aPoyZOPo

anav

Provide network diagrams to explain

anav

Kk as I though netwatch is incompatible with ip cloud thanks!

anav

Good question not having done it before, but I do suggest going to the System Menu and selecting Configuration and select the checkbox next to NO DEFAULT CONFIGURATION if you fancy starting from zero/scratch otherwise go to new terminal windows and type /system reset-configuration This should reset ...

anav

It seemed like a good idea at the time. Using IP Cloud to resolve to currently used Dynamic WANIP. However, IP Cloud address, is no longer accessed once the resolving occurs and thus when the IP address changes, the netwatch rule is invalid. Has anyone else noted this issue or did I configure incorr...

anav

That is not a router issue that is simply unplugging the ethernet cable from the TV or the wifi connection. However your reasoning does not take into account that most folks have a netflix account via wifi on their TV. So removing internet is not a possibility. Thats why I suggest at least putting T...

anav

So let me get this straight. Your ROUTER/MODEM has assigned a static LANIP (192.168.3.5) to your MT device also acting as a router and the WANIP is of course also 192.168.3.5 Your MT ROUTER has ONE lan subnet subnets for various purposes 192.168.1.0/24 I will ignore your ether1 as its confusing and ...

anav

No I do not believe there is any cause for concern.
I would try the long version software though as I do not experience this phenomena.

anav

I would rest to defaults and start clean...........

anav

Here is the short explanation. You have come across the need for loopback called in the MT world, Hairpin NAT. This occurs when users on the same LAN as a server are mandated to use the public IP of the network the server is on, vice the much easier and direct LANIP of the server. If creating a new ...

anav

Here is the short explanation. You have come across the need for loopback called in the MT world, Hairpin NAT. This occurs when users on the same LAN as a server are mandated to use the public IP of the network the server is on, vice the much easier and direct LANIP of the server. If creating a new ...

anav

Thanks all I missed a key part of pvid on ports not working until you enable vlan filter on the bridge Been there done that! The enabling of bridge vlan filtering should be the last step after configuring all. Annoyingly this causes the router to burp and one has to relogin and confirm that bridge ...

anav

(1) My advice besides posting the complete config as noted above is to remove this rule /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes as its very tricky to use properly and is only needed in special cases whereas the normal firewall rules work for 99% of needs. (2) ...

anav

If you are already at 6.48 you can leave it at that..... I simply prefer the more stable long term versions.
You should post the entire config as its all inter related.
/export hide-sensitive file=anynameyouwish

anav

Thanks this is a really nice article but the access ports
don’t work in this scenario on my hardware

Then you need to adjust your thinking as the guide works, and your config does not......... imagine that!

anav

Does the fios require a vlan to pass its internet? Highly unlikely but grasping at straws here. Tools: Packet sniffer https://help.mikrotik.com/docs/display/ROS/Packet+Sniffer Tools: Torch https://help.mikrotik.com/docs/display/ROS/Torch https://wiki.mikrotik.com/wiki/Manual:Troubleshooting_tools wi...

anav

No limitations I am aware of, note that one cannot aggregate throughput for a single connection event but you will have more bandwidth overall to share with users.
The other advantage of redundancy does not apply here assuming the wan links are from the SAME isp.

anav

Post your config
/export hide-sensitive file=anynameyouwish

anav

Not sure of fios settings is there something else on that thing that needs to be enabled?
Did you try a different connecting cable?
Next step is trying different ports maybe.....

anav

Is this a recent bug and if so which firmwares does it affect??

anav

Sounds like you should have a stern talking to with your TV ;-)
Is it searching for something in particular, as in do you have apps that people use on the TV???
Do you have the TV on its own VLAN segregated from your other stuff?

anav

Thanks for the clarification!!

anav

The fios didnt give out dhcp and thus it would not be visible, you statically assigned it from the MT side.
Suggest you enter the fios and also statically assign the iP to the router.

anav

viewtopic.php?f=23&t=143620

anav

You should not have a dynamic IP assigned. I thought you were applying a static WANIP.
Follow this tutorial!!

https://www.bing.com/videos/search?q=ho ... &FORM=VIRE

anav

First you need to upgrade your firmware its dated,,,,,,,, use the latest LONG version of firmware for best results. Then read this link which shows vlan1 does not need to be identified as it already exists by default. No one creates and uses vlan1 as a traditional vlan. Read this excellent link........

anav

Sorry dont use powerbox, but RoS is RoS and the same so vlan1 is the default pvid and normally is never removed or changed for vlan filtering or bridge ports. The only time one defines a PVID on a bridge port (access port) is when that port is going to a dumb device. Typically no one uses vlan1 or v...

anav

The drop invalid rules in both the forward and input chain do not cause issues unless you have configured something else in error. Also you need to post your entire config not just the firewall rules to determine what is going on.................... As for firewall rules you would be best to get rid...

anav

Have fun with that Sindy, so many errors dont know where to begin......
I will point out that the wan port is on the bridge and he has ethernet2 on the bridge but both the bridge and ethernet2 have IP addresses.
Why all the partial nets of 192.168.0. - just use vlans so much cleaner.

anav

Okay I am confused by your network. Is the switch acting as a router or a switch? A network diagram would be helpful. What is the purpose of using firewall rules on a switch?? assuming its not acting as a router? Also for vlan filtering you should follow this guide....... https://forum.mikrotik.com/...

anav

You could put both vlans on one port of sw1 to one port of sw2 and then breakout the two untagged vlans on two ports on sw2. Is that what you want to do You could also do what your diagram shows as well but typically switch to managed switch one uses one port to one port to carry the vlans. LInking ...

anav

I could only find one item but dont think it would block traffic? (1) You should only have one sourcenat rule so get rid of the first one as the second one captures the fixed wanip address. /ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN add action=src-nat chain=srcnat out...

anav

I agree with erlinden, playing guessng games is a waste of time, post your config so we can see all pertinent settings.

anav

My problem is I dont understand serve external customers........ what the heck do you mean. You can provide public IPs to folks behind the router, and you can provide internal networks private behind the router. However I have no idea how you serve external customers. do you simply mean you have ser...

anav

Sorry not much of a troubleshooter, check cables, try a different switch etc......

anav

Like I said, let me be more blunt, the FW rules are a farce and make it too difficult to even read.
If you are interested in vlans that work and not cutesy fw rules let me know otherwise someone else can chime in.

anav

Nope, does the MT recognize the SFP port as being active?
Is the DELL switch on the same LAN subnet?

anav

Hi Mkx, Understood thanks for the clarification.
During the MTUNA course we call this.......... yes you can stuff a raccoon up the anus, but it hurts!
On a happier note: The Suez canal, unlike the tube in the previous sentence is now unblocked!!

anav

Since you think defining a vlan is done in Bridge vlan settings and that only providing a partial network diagram is good enough, suggest someone else help.
I can suggest reading this excellent link
viewtopic.php?f=23&t=143620

anav

In that case the response would be thus.......

(1) Missing (and thus ADD)
/interface list member
add interface=Bridge list=LAN
add interface=Internet list=WAN
add interface="Orange Optic" list=WAN

anav

Hi Xavi what you are asking is not possible, at least from limited knowledge base. What you need to do is use vlans and a managed switch. Each office should be on its own vlan and then through firewall rules you can allow shared sources in a precise way. For example VLANA to shared printer on VLANB ...

anav

Dont think multicasting or openvpn work very well on MT routers..
Besides that your firewall config is full of un-needed fluff

If you want to focus on vlans this is your best guide.
viewtopic.php?f=23&t=143620

anav

First you are in the wrong forum. Wireguard is only available in the beta version of the software so you should be posting here. https://forum.mikrotik.com/viewforum.php?f=1 Hairpin Nat only applies to the MT router. Hairpin Nat applies when one tries to access a LOCAL Server by a public IP address ...

anav

post your config
/export hide-sensitive file=anynameyouwish

anav

Your post is confusing and all over the map. a. confirm routing is via an MT router and there are no issues with wired speeds. b. confirm using MT wifi (within a router, or a separate access point/router) and this is the device that is not giving you speeds? c. if b is correct then what speeds are y...

anav

Why not just add the third WAN to your failover such that it only is used when WAN1 and WAN are down......... seems like a huge over complication??

anav

(1) Should be removed. add action=drop chain=forward comment="Block IPs to WAN" log=yes log-prefix=\ "IP blocked from WAN" src-address-list="Block IP" (2) This may not be necessary or more likely wrong, not sure why you are routing on the LAN???? ip route rule add actio...

anav

First question is why have a vlan and then attach it to the bridge? In other words if all the ports attached to the bridge have the same subnet you dont really need the vlan. If however you intend to add vlans then this is a first step but I would recommend removing the bridge from any vlan or dhcp ...

anav

post config
/export hide-sensitive file=anynameyouwish

anav

Provide the config not screenshots
/export hide-sensitive file=anynameyouwish

anav

Dont use quickset, use winbox to configure MT device

anav

Thanks but why /24, its a single IP only?

anav

As stated dont use quickset to enter in parameters. (1) Okay I see you have ether1 on bridge ports disabled as its not on the bridge being the dhcp client, thats fine. (2) You need at least two IP addresses recognized, the one you have for the Bridge (lan) but also (and missing) the eth1 address. Al...

anav

Hi Anav I'll take your advise. As you know I have 3 Wans IPs, 2 Static and 1 Dynamic. It quite strange that I can not ping by second or third interface in Mikrotik terminal ping 8.8.8.8 interface=ether3 It also not working with firewall mangle to bind and redirect user to second Wan. For DNS failur...

anav

Quickset=quicksand, avoid
Will write up something tomorrow.

anav

In my particular case, it's what I wrote at the beginning of the OP - I was getting ready to use Mikrotik as a client in a network not managed by myself which requires that clients authenticate themselves using certificates, and I wanted to make sure everything would run smoothly on site. Thanks fo...

anav

Yes of course!
But first,
/export hide-sensitive file=anynameyouwish

anav

Sounds like a case of knowing too much. I would have simply put the square peg into the square hole instead of contemplating the depth of the hole and what instrument was used to cut the holes. In other words Zing over my head but glad you worked it out. So what I dont get is wifi is just a medium, ...

anav

Its a tad to busy for me to see anything wrong. What I suggest is a. copy your current config. b. reset to default settings for everything. c. Add the LAN network you need d. Bring in the ppoe wan TEST to SEE if you have proper DNS YES e. Add second and third static wANIPs TEST to see if you have pr...

anav

Geez I only have 3 UPS and two cyber power strips and no rack either in the garage. One UPS = 1 modem One UPS = 1 router One UPS = 1 other modem backup iSP & 24 port switch . downstairs basement - cyberpower UPS for tplink poe switch (powers tplink AP and capac), zyxel switch and couple more thi...

anav

The APC one also caused the router to reboot but I take your point on the cyber power...... too funny.
They should call the package APC UPS and not UPS LOL.

anav

I loaded the package and connected the UPS (once via APC, once via Cyberpower), to the USB connection on the MY CCR1009. Both times when I pulled the plug on the APC, to test, the router rebooted and the second time it caused the switch connected to the router to lose some of its configuration. Ther...

anav

3. Yes, there is a learning curve, but not in your case. It should have worked even without any config applied Thus is true. Been working with network for 30 years and RouterOS was/is a steep hill to climb. But when you first get hang of it, you will love it. You can do nearly anything with this sm...

anav

Okay so your new to Mikrotik, I have to ask, why not ask first which device you should buy based on your requirements?? For example, that device seems to be a honking switch but maxes out at less than 500Mbps on the routing side meaning your 1gig internet connection is wasted. Its possible you coul...

anav

Yes, but are they static public WANIPs?

anav

Okay first I will show you the default ones that come from the router and then I will put my variation on them which is similar just a tad more secure. DEFAULT /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ est...

anav

I eventually pulled the plug and tossed the unit in the trash. I should have know better the very instant I found that MikroTik did not supply tech support. I will try the Ubiquiti Edge Router to see if that administers any better. Oh that is simply the MT weeding out process designed for folks wit...

anav

If you are configuring for a hybrid port, lets say vlans,10,11 trunked and 66 untagged. Ether1 is from router, ether2 is the hybrid port, ether 3 is a trunk port (10,11,12) , ether4 is an access port (66) /bridge port add bridge=bridge-new interface=ether1 ingress filtering=yes, allow only vlan tagg...

anav

Do you have access to the cable router (from an ISP provider, or is this like someone giving you an IP on their personal router)?? If its a FIOS router presuming ISP, then, if not shared with others.......... a. do you have access to it? b. can you forward all the ports to you c. can you put it in p...

anav

I dont see anywhere, any relationship of Static LAG to any of the Bonding options on MiKrotik OS?

anav

CONFUSED as there is no network diagram. Is this supposed to be acting as a switch or a router. The reason I ask is you seem to want to state there is a higher order device (router or something) that is of a different subnet?? But then your firewall rules are very incomplete and not really safe for ...

anav

Post your config.
/export hide-sensitive file=anynameyouwish

anav

Post your config.
In the meantime suggest street to modem wire check by ISP and then modem check (old model) needs to be reprogrammed or something, or you didnt pay your bills LOL.

anav

The file is one created in FILES by the fetch tool. The keep-file=no just eliminates the file from being placed in the FILE menu. Okay good to go......... Will give the script a try. OKAY 1. I have no idea if the buffer part of the script works (the first long self-contained part) 2. The parser scri...

anav

If its working for you, great!
If not would need an updated diagram to match.

anav

This is a decent guide.
https://www.youtube.com/watch?v=Rj9aPoyZOPo

anav

(1) You need to define vlans 10 and 20 and their interface is the bridge, thus far only vlan99 is configured. (2) You dont have vlan20 noted in the bridge vlan configuration. (3) SFP+3 and SFP+4 are not configured on the bridge port settings?? (4) SFP+1 and FP+2 are not configured in bridge vlans?? ...

anav

Provide a screen shot of the NTP Client page.

anav

I guess I missed the purpose of the PUT command or sequence? Are you saying I dont need it in my particular script? ? Also should this work for ensuring no files are added # Check for Power failure :if ([:find [:tostr $logMessage] "USB UPS AC power off"] != "") do={ :beep frequen...

anav

Not that I am aware of, the TO-ADDRESSES is IP only as far as I can see. (lists not permitted) The only thing I can think of is use two rules....... DSTNAT RULE1 DSTNAT RULE2 RUN a SYSTEM Script that says check if server1 is down then disable rule 1 If server 1 is up enable rule 1 That way the dst t...

anav

Im talking about the bridge personality on the hapac. Why is it that the wlan ports which are tagged for ether1 and untagged for wlan port DO NOT NEED the bridge to be also tagged. In comparison the managment VLAN needs to be tagged with ether1 AND the bridge!! In other words explain what is needed ...

anav

Please post the config
/export hide-sensitive file=anynameyouwish

anav

You dont have a public IP. The ADSL unit is giving you a private IP and thus NAT is not possible. If you have access to the ADSL router then can you forward ALL the ports to the LANIP on the ADSL router that corresponds to the connection to your router, which is also the fixed WANIP on your MT RB401...

anav

This script works well for me for internal interfaces at the moment and for system/cpu temperature and if you go to my other thread, trying to do so for UPS log entry! https://forum.mikrotik.com/viewtopic.php?f=9&t=173565&p=849993#p849993 The one thing I would like to add from the first exam...

anav

Hi there, I would very much like to use your idea for the UPS monitoring that goes on and available in the LOG. I want to detect a log entry and then send it to my telegram bot. I need help with what to do on the put section Would this be the right approach? (1) Step one would entail adding via CLI ...

anav

Another example /tool fetch "https://api.telegram.org/bot<yourtokencode>/sendMessage\?chat_id=<botcode>&text=Router" Note: Any spaces in the text portion of the URL, the message you wish to send should contain no gaps. Use the '+' symbol for spaces!! You can add time for example. :loca...

anav

You missed the question entirely LOL.
I was asking to confirm why or why not the Bridge needs to be tagged or just the incoming port on the hapac (ether1) for the vlans that are not management and not trunked elsewhere on the hapac (basic vlan into and untagged out on some port).

anav

Easy peasy.
Just make a firewall address list entry and then in the firewall rule point to the list (in-interface-list) or (out-interface-list)

anav

(1) Didnt make this change LOL should be bridge. /ip address add address=192.168.88.1/24 comment=defconf interface= ether2 network=\ 192.168.88.0 (2) not a pppoe guy but shouldnt the dhcp client be the pppoe interface?? /ip dhcp-client add comment=defconf dhcp-options=hostname,clientid interface=eth...

anav

Sounds $$
I should post in the MT Charity Forum. ;-)
Anybody would like to donate a few lines of script on their Virtual MT machine for the purposes of running a Script to let me know when my Internet is hard down LOL.

anav

Draw a diagram as its not clear.
By the way, since you are using vlans, that is your L2 separation between users.
On top of that you may need firewall rules to keep vlans from seeing each other.

Hence, I do not understand about untrusted ports as the security is already provided via vlans.

anav

So basically, I am out of luck, unless magically I have another mickrotik router somewhere, checking my free dyndns name or mikrot cloud name, it sending me an email or telegram with no reponse.. Call me crazy but this ounds like an addition to the MT cloud service?? Why cannot I add a script to my ...

anav

Okay I have no practical way to check if my WAN connection goes down as then I wont have internet but I do have two ISPs. SO what I would like to do is Run a CHeck on my WANs in two parts............... UNLESS There is a better way. NETWATCH (1) USE DNS 9.9.9.9 to check ISP 1 (2) USE DNS 1.1.1.1 to ...

anav

QUESTION. CAN I put the same fetch script in a DHCP CLIENT SCRIPT??
Confirmed Yes, this works too.

anav

Yup that was it!! , okay so replace all my underlines with the + symbol to effect spaces in a URL - works! batting 1000 this morning :-).!!

anav

Suggesting talking to major distributors in the states.......... ISP Supplies for example!! They are more likely to have technicians that know. https://mikrotik.com/buy/northamerica/usa Alternatively check out the list of USA consultants, it sounds like paying for advice may be well worth it!! https...

anav

Thanks, Will give that a try later!! Any ideas on something better for time date on the System scripts than :local sub1 ([/system clock get time]) /tool fetch..............="At $sub1 HP_Printer_is_Offline" :log info "CHECK HP printer stat!!" Seems to work fine for simple netwatch...

Search found 6587 matches