Without a diagram I have no clue what you are trying to do. Any explanation of requirements to date IS NOT user traffic based only, and is confused with config speak, a no no for communicating requirements. Short story, no diagram no user traffic requirements, no diagram, cannot help. Furthermore, w...
The mangle was recommended, not a random suggestion LOL. It does NO HARM to your setup and one never knows what particular website, through the third-party VPN, will give the router shits and giggles. So its a good safety net to keep. To improve your setup you can setup both failover on the main WAN...
Man do I have to state it in writing, your SCOPES are wrong!! LOL The config I gave works, its your config that is broken if it doesnt. I cannot read a winbox jpeg unless its very clearly delineated An RSC script I can read in seconds................... its just a story about requirements I cannot m...
The switch comes in handy for any traffic within the same vlan from user to another.
The router comes into play between user and internet and traffic between different vlans.
Well obviously I thought we were dealing with a router not an access point, which all radio setups have mac-filtering setup for layer2 traffic control ( NOT fw rules )
Again, i should have read more closely, glad you got it sorted.
1. Sorry my bad on the TYPO, WG1 is the correct entry on the routing rule to match the routing-table defined. 2. put IP address on your router for wireguard1 as add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0 3. As long as both WAN interfaces are interface list members of the ...
Your routing setup follows nothing of what I suggested. so cannot help you there.
You seem to forget that the handshake starts on your router.........
Best of luck..............
Hello, help me. I can't use the forum to ask questions. What do I have to do to be able to do them? As for example in this post it says "It is only visible until the moderator decides. Its a neanderthal approach to ensure your post is not spam, inflammatory etc.................. After a few day...
As I stated, thus far no reason to use VRF has been provided and as a matter of fact it would seem NOT appropriate in this case. Further, your recursive is incorrect. Simple solution works: /ip address add address=192.168.1.241 interface=ether1 network=192.168.1.1 add address=192.168.1.242 interface...
Proper config of the router. It would appear the hacker is not getting into your router but manipulating the traffic reaching his router. The fact that other traffic can reach his device, is indicative of a leaky setup. Post your config /export file=anynameyouwish ( minus public IP address info, any...
NM................ There are bigger issues to solve first. 1. WHAT THE HECK is your WAN. You state: am setting up a config for a MT router which is behind NAT a. you have a static WANIP set up for ether1 which bears no resemblance to any of the VLANS. The static IP makes sense but not the subnet?? b...
Simple question what if one was to use this in routes..... /ip route add distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1%ether1 routing-table=main comment="RouteStarlink" add distance=3 dst-address=0.0.0.0/0 gateway=192.168.1.1%ether2 routing-table=main comment="RouteOrange&quo...
Well if you consider mikrotik is walking on your network, I suppose tread fits!! ( 'trademark' ). Concur, it seems that we are seeing an incomplete software process or maybe not. First, I blame the beta users, working for free and doing a lousy job of detecting all the new beta firmware problems ;-P...
As the question asks.......
What is the point at which losing fastrack and throughput is worth it, vis-a-vis tackling bufferbloat??? ( queueing actually not required )
The question I have is why are you mangling or queueing at all...... You have nothing different in either direction.......... all incoming traffic goes to entire LAN, all outgoing traffic comes from entire LAN. Okay! Its about bufferbloat. For me I would have to weigh any advantage of bufferbloat o...
Allowed IPs on the router is wrong....................... You need a separate peer line for each peer, on the router you dont need client endpoint............ /interface wireguard peers add allowed-address=192.168.40.5/32 comment=ChromeBook interface=wireguard1 public-key=**ELIDED** add allowed-addr...
Or time for a trip, sooner or later having remote devices means a trip. With wireguard and ver7 software probably soon.
It should be a built in plan to any IT equipment anyway.
For all your switches, only the management vlan need be identified..... (assuming its 192.168.251.0/24) I would take one port off bridge and use it as an emerg access like give it an IP address of 192.168.55.1/24 and then any pc with IPV4 settings set to 192.168.55.5 for example and you're in! /interf...
Not possible with the MT device, there are too many ways around the programming.
You need to get a router that does DPI $$$, and then pay their subscription service more $$$$.
Assuming for example vlan3 gateway is 192.168.33.1 (1) Why do you assign a PVID on the trunk port?? Remove it. add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=3 (2) You can add to each bridge port ingress-filtering=yes (3) There is no need to set dhcp client, this is a privat...
Here is one link to such an approach - https://forum.mikrotik.com/viewtopic.php?t=194842 and another. Discovery Between Two Locations SOLUTION METHOD ADD A CONNECTING SUBNET/INTERMEDIARY - EOIP OVER WIREGUARD a. create wireguard connectivity as per normal and then b. create the EOIP tunnel within th...
Good question. Trying to think conceptually. Assuming you have one common cable over which to do this work, I would probably use two different VLANS. At each Router, one of the vlans would be an incoming WAN connection from the other Router. Via a private subnet. on ETHERPORT XY. At each Router the ...
You are not alone, the documentation makes one believe its all there but............. its hiding well!!!! +++++++++++++++++++++++++++++++++++++++++ Planned QoS implementation phases: QoS Marking. QoS profile matching by ingress packet headers, then egress header alternation according to the assigned...
/export file=anynameyouwish ( minus PUBLIC IP information, KEYS, long dhcp lease lists, etc..) There should be relatively little else to scrub ( possibly some names you give to things, comments etc..... ) Use code block to limit visible length and improved readability ( on same line as Bold and Unde...
Okay so you want it to be an access point switch, not sure why that is so hard to say. In that case, the default config is rather simple Nothing much other than bridge, WIFI settings bridge ports ( assuming ether1 is connected to the UDM ) /interface bridge port add bridge=bridge comment=defconf int...
There is no such feature .............its actually called something else! To gain access to this function you have to really mean to do it, aka hard to do by accident. Its not clear how you managed to do this but not understand the ramifications are surprising. What there is are two relatively newis...
Yes it will be a problem to have two dhcp servers on the same network. Remove the UDM router it serves no purpose and only use the HAPAX3. The reason being that for all layer3 needs, the devices will go to the UDM and not to the hapax3. So you need to decide. Will the hapax simply act as a switch/AP...
The diagram labelling needs work. How do vlans 1920,1930 just popup out of the blue ( actually red and orange) for example. They should be traceable back to the 750. Its also not clear what is the management VLAN ( the vlan where every smart device should get its IP address from ). It would appear t...
The point being, the OP should have provided his complete config on the first post........................
Another waste of a chasing thread because there is no first post process....... thank you MT.
WAIT ONE - do you mean your hapax is only acting as a switch?? The below advice presumed that your hapax3 was connected to the internet via a modem and received a public IP. Do you actually mean you're connected to an upstream router which provides a private LAN in the range 10.10.10.X ??? ++++++++++...
Who said you cannot use the hapax3 in bridge mode? I have the hapax3 and am using vlan-filtering with hardware offload.
This is a very capable router!!
Concur, the setup process and menu selections are not intuitive and its easy to get lost, ( especially how there are hidden defaults etc. ) I am not a fan of how they have chosen to give flexibility, or more accurately how clear it is to the admin, what is actually configured. Dont feel bad, you are...
Not sure about latest renditions of WIFI, but most devices probably have a useful limit of around 20-30 active devices. Some devices are specifically made for larger numbers but that is a niche market.(ruckus comes to mind). With newer technologies mu-mimo and latest 6e and 7 technology, dont know. ...
Any RoS device should be able to function as a capsman controller was my understanding. Requirements Any RouterOS device can be a controlled wireless access point (CAP) as long as it has at least a Level 4 RouterOS license CAPsMAN server can be installed on any RouterOS device, even if the device it...
Isnt the first non code block config and wont be the last........... you can thank Normis for ensuring the resulting first posting experience of new users and those supporting them
Not clear enough, do you mean each customer, each public IP should see approx 1gig up and down, or do they share a 1 gig pipe??
If just an edge type router the RB5009 should do fine 4x1 gig, throughput is well north of 4gigs in this scenario.
Unplug router from internet. Netinstall latest stable firmware Put back config WITHOUT any port forwarding. a. think about having ONLY a server with a secure login process b. think about limiting in source address list which public IPs can access server. c. even better use wireguard and have people ...
Okay now you have me thinking perhaps replace my AX3s with these bad boys. https://www.amazon.ca/Portable-Antenna-Dual-Band-Omnidirectional-Router/dp/B08LZHV83P/ref=sr_1_7?crid=2LK4POLSJPVAY&dib=eyJ2IjoiMSJ9.d7o75FpnshnrVKGe5-c-B68HFFzp0iKhzPKsakuKGUIZn-erRPTYVZjKSuecgvF_aAxk649CL4RzmR20jM6Qn8jXN...
It should be similar on MT router. I am no multi-WAN guru, but basically from what I have seen, A block of IPs is given to the admin, One IP address is used for the router itself, ( nat or no nat, depends on what the op wants to provide on this router ), the rest of the WANIPs can be netmapped to do...
One bridge............., chalk this up to another poster child for Normis' inaction on first posting process.... And they will keep coming day after day after day..................
Yes, but one cannot hang onto betamax forever..............
Heck even my mother in law, is sticking to CABLE TV vice streaming lets say over my appletv.......
Guess what, she upgraded her TV service and they are using android TV boxes LOL.
jargon for waste, Sorry Loop, disagree! The 1009 2.5 port is a mystery to me as its real world WAN throughput is 300-400Mbps whereas the old hex will get you 400-500 Mbps. Both have two cores.......... The AX3 will get you over 1Gbps and has 4 cores and double the RAM of the L1009, its no contest, ...
Nicely worded statement to induce confusion :-). Wired and then point to point. Do you mean you need a router to terminate a land line connection and then equipment to take that signal over the airwaves in a point to point wifi type setup back to another wired device ????????? Request is too vague, ...
What is preventing the CGNAT LTE (second link) from being used recursively on your home router??
All devices can connect to your home router through the public IP, no need for CHR again.
Diagram and included detail is helpful. However this statement needs to be broken down AS requested - it makes zero sense as stated...... Now, I want to create a simple load balancer on e.g. 192.168.35.1/16 for these machines so LAN for LAN, WAN is no matter in this scheme Identify users/devices Ide...
What you're missing is that each smart device should get an IP from a management vlan. Data vlans 17 and 89 are carried forward to each smart device as well. Assuming that the ROUTER has its own internal LAN, whereas, the receiver/txitter are acting solely as AP/switches and do not need an internal LAN...
(1) I am not a queue user but there must be an easier way to do queues than what your config shows................. It would seem like you manually attributed queues on a per IP basis?? (2) Set this to none, as this setting has been known to cause weird issues and is not really needed. /interface de...
As holvoe noted, lets say take ether5 off the bridge. give it an Ip address add address=192.168.55.1/24 interface=ether5 network=192.168.55.0 Ensure ether5 is part of LAN LIST on interface members. Then to complete the config do it by connecting your PC to ether5 and give the pc an IPV4 address stat...
(1) slight mod to dns.. /ip dns set allow-remote-requests=yes servers=1.1.1.1 REMOVE the following default.......... /ip dns static add address=192.168.88.1 comment=defconf name=router.lan (2) Take this default rule and create three new rules......... Clearer and better security. add action=drop cha...
The config was not really what I was asking for but since you did post it your routes are hosed/incorrect. More on that later. So the script finds the new IP for WAN1 and WAN2 locally on the router, and sends it to the dyndns website and updates it............. ?? To confirm, though it would appear ...
To be honest I agree with holvoe, whatever market you're trying to satisfy it must be rather niche. It makes little sense to me to pair LTE with CCR2XXX products. Instead for CPE boxes look more at the chateau lineup. If you need outdoor antennas look at the ATL LTE 18 kit....... You would have to as...
You need to clarify....
a. who or what has a script?
b. where is this script aimed at.
c. what is the current configuration of your router ( vis-a-vis WAN setup ).
Know very little about LTE and routers, but if its like wifi, then LTE is probably best handled separately a. you can place LTE device where best suited, b. separate device can have a wide variety of antennae and type configurations c. can more easily change and or upgrade device without affecting r...
No idea what you are doing now LOL......... I was strictly looking at the IPs to Routers work. You want each RX to send traffic from its assigned IP, You want each RX to only respond to arp requests for itself. ( maybe blocking arp requests to any other address than the allotted one is a better appr...
Without understanding how your rules are currently setup, it would be presumptive to come up with any solution as it would be guessing . One should realize that rules are integrated and can affect other rules and thus the flow of traffic. Others waste all our time by such frivolous attempts and quit...
Quick set should be avoided for sure........... The idea of the bridge filter rules was to ensure the assignment sticks ( wan1 to R1 etc.........). My guess is that intended traffic between WANIPs, should not be affected as the traffic would go to the ISP provider and then return, vice attempt to conne...
Typically a dyndns link to a public IP, is to ONE public IP not two and more specifically to the primary ACTIVE wanip.
If you have two active WANIPs, then you need two dyndns URLs to access them.
Not sure if that answers your question.
Amazing work................. both AMMO and rextended seem more comfortable with syntax than most are with adding a vlan to a pppoe interface...........
Understood but it was material, one should not have floating unused ports on any configuration unless one knows that they will be used in the future. Thus if the OP had stated 4 now and possibly more WANS later, all the power to you, otherwise, its junk and security wise poor design. Caveat I have n...
To your first post --> https://help.mikrotik.com/docs/display/ROS/MAC+server Since there is no problem or issue you need rectified but are seeking knowledge. Suggest start by reading the appropriate documentation applicable to your area of interest. - https://help.mikrotik.com/docs/display/ROS/Route...
No worries, If not useful so be it. @tangent, did you read the first line of the OPs first post?? have a CRS310-8G+2S that needs to go between my fiber modem and 4 routers to split the WAN connection between the routers (technical requirement). Our current He goes on to state in another line ether4-...
I see this similarly (except using basic math if you have four routers you need four ports 4,5,6,7 [ including port 8 would make 5 there tangent ;-) ] I will take a stab at this for grins and giggles......... Not an expert so it could be useless. a. the switch is connected to the network via the man...
A clear set of requirements will lead to an optimal design a. identify all users/devices that will interact on the network ( internal, external including admin) b. identify all traffic flows they require draw a diagram of what you wish to accomplish, identifying devices, WAN, vlans etc. post your co...
Sertik, most of the angst caused is a cumulative thing. When like rextended, one has answered, day in day out, post after post that has zero quality control its very hard to remain patient and one just gets to the point directly!! ( you have heard of RSI (injury)). Over the years, having been invol...
I think I understand how it works now and am asking pe1chl to confirm, if I have it right, partially right or wrong.
It certainly wasn't a question posed to you, but if you are happy to answer....... ( or trying to pad posting stats LOL )
Sure was, I hope I dont get interviewed by Hur,,,,, guess I'm too old to run for president.
( note probably at that instance I didnt understand what the fix entailed regarding traffic flow and just assumed it would work )
Bananas are yellow, spewing forth a fact doesnt explain the supposed traffic flow. What you seem to have suggested is.. ROUTER sends out a WAN signal to an existing NTP server with dst-port 123 BUT ALSO source port 123??? The router sourcenats that outbound to port 12300, so that at the NTP site, th...
Must be your config at the office MT.
What MT router do you have at home as well ( if attempting to connect on a PC at home ) and its config may also be a problem.
Hahah, Yes I will eat humble pie, I only looked at the example on the first page of the article........ Where it says to create the bridge and its very simple and notes add vlan-filtering=yes at the end. /interface bridge add name=bridge1 It later shows this setup as follows: /interface bridge set b...
The EERO lineup am familiar with as a family member just got some and they are rated at 6E. https://eero.com/shop/eero-pro-6e Yes they talk to each other over wifi if required or you can wire them directly but to take full advantage of their 6E speed, 2.5 gig ports are best. After reviewing these pr...
Glad you understand MKX can you explain what is going on. It would appear that a. the Router has a public IP and is the DHCP server etc.. b. Op has a dyndns URL that he uses for identifying the router ( not using Ip cloud ) c. He wants to reach a server on the LAN d. The server requires port 8.8.8.8...
I prefer the routing table method as it provides more flexibility and functionality. I dont presume that all users must use tunnel 100% of the time. More often than not, the admin will want to retain the ability for one IP (one of his) to be able to access the local WAN Then there is the scenario...
Read the 7.14 thread............... https://forum.mikrotik.com/viewtopic.php?t=205097 or do forum search for like issue......... https://forum.mikrotik.com/viewtopic.php?t=203123#p1061713 Lots of problems with wg and logging etc..... /system/logging/set 0 topics=info,!wireguard action=memory
Sorry but your explanations are more confusing than clarifying. I have no clue at all what you are doing or have attempted and I am getting tired of waiting for decent information. Let see if we can make sense of it. What make is router 2? ( assuming its in a separate location in the house and gets ...
AP/Switch approach: In terms of the switch, the main difference is a. only need to create and identify the management vlan on the switch b. only the management vlan is tagged to the bridge in /interface bridge vlans c. only need single MGMT interface list and the only member is the management vlan (...
Hi pe1chl
How will the source nat fix the problem....
If the router goes out to a website and the website sees port 12300 wont it just drop the traffic as its not the usual NTP port???
Not responding, may be in jail :-) In terms of the switch, the main difference is a. only need to create and identify the management vlan on the switch b. only the management vlan is tagged to the bridge in /interface bridge vlans c. only need single MGMT interface list and the only member is the ma...
MT Docs, first line: The RouterOS backup feature allows cloning a router configuration in binary format, which can then be re-applied on the same device. https://help.mikrotik.com/docs/display/ROS/Backup
Thats a downgrade..... going from a multi-core TILE with amazing throughput of 12gigs, which also easily handles your cumulative 7gigs of throughput. So you have to be clear on the reason for upgrade?? Must be due to the lack of 2.5,5,10 or more gig ports available........................ One move y...
Please draw a diagram of what you speak as what you wrote makes little sense to me.
Also try not to speak of any solution config ideas for the following:
a. identify all the users/devices requiring traffic flow
b. identify all the traffic flows each device/user needs.
(1) Its perfectly valid to put the NTP server on each DHCP interface but its really not required if you have input chain rules in the format of add chain=input action=accept in-interface-list=LAN dst-port=53,123 protocol=udp comment="allow users to DNS/NTP services" add chain=input action=...
MT is very forgiving in that it allows you to setup stuff in many ways, and not necessarily the optimal or right way. As for your reading you missed the fact that your entry is not in the reference. /interface bridge add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes Dont need et...
Hairpin via dns.................. Not a clue what it does though, assuming 192.168.88.68 is the IP of the server..... 3. DNS METHOD - AVOID NAT – REDIRECT LAN REQUEST VIA DNS Create the following rule! /ip dns static add address=192.168.88.68 regexp="(^|www\\.)myserver\\.net\$" ttl=5m
The ineptitude of support thus far is too much to let go........... From: /interface wireguard peers add allowed-address=192.168.69.10/24 disabled=yes endpoint-address=xx.xx.xx.xx \ endpoint-port=51001 interface=wire-aws persistent-keepalive=25s \ public-key="osi1xxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
The only thing i would consider adding is the following................... but should not make any difference. /ip dns
set allow-remote-requests=yes servers=1.1.1.1
Can you confirm you are accessing the SPFPLUS WAN, and have you tried from your cellphone??
Please use this as a basis for setting up vlans on your router. https://forum.mikrotik.com/viewtopic.php?t=143620 The switch is similar but only need to identify the management vlan and its the only vlan tagged with the bridge on /interface bridge vlan settings! on both do not invoke any other rules...
Accessing the server from your other WAN connection is of course going to be problematic....... Think of the logic......... You come in WAN2 ( not the primary WAN ) lets say you reach the server, the response will go out WAN1 the primary WAN. The return will be coming from a different source address...
Other than adding in-interface-list=LAN on the dstnat rule for completeness, there seems to be no reason at all for not reaching the server from the outside.
- Are you sure you have a publicly reachable IP address??
- Are you sure the server doesnt have its own firewall settings ( like if on a PC ).
Lot of rectal plucks here fellas, get facts before making stories. a. What device is the main router? ( is it MT or something else ) b. Where is the config for review of the cAPAX. c. network diagrams help d. detailing requirements for optimal design (i) identify all users/devices that require traff...
and how many times will you do this in your lifetime jacklaz, LOL............ Tis where a first post process simply works! @OP - a network diagram helps show which devices, which subnets, internet source and overall intentions. The config as noted shows us where you are at currently trying to implem...
Do you mean, knowing the actual traffic flow requirements and perhaps a network diagram would help.............. gee....... where have I heard that before? Certainly not in the non-existent First Post Process LOL.
Okay so basically it would appear that the MT is behind another device and getting a. private IP and associated subnet incoming on ethernet cable as untagged traffic ( assumption is this is the LANIP of the MT on the upstream router LAN and thus also the WANIP of the MT ) b. tagged vlan66 which is W...
Keep chains together and order is important overall. One should have a source originating traffic and an endpoint destination for that traffic. Traffic that is port forwarded should not normally be placed in forward chain but in dstnat chain. The fw forward chain only needs a general rule allowing p...
Never noticed that, anything L3 interfacish doesnt show up on interface list ( wg, ipip,gre etc...). Which limits your options...... perhaps two routers is the only way.
Is the VPN terminated on the MT router or on a server on the LAN? a. If the former then you need to ensure traffic coming in ISP2 goes out WAN2 when the router responds.......... b. If the latter you need to ensure traffic coming in ISP2 goes out WAN2 when the LAN device responds....... In either ca...
Well if you followed their guide, then there should be no issues, just make sure you copied it correctly. I personally would not implement any rules I didnt understand and thats another reason to start small, learn and then add if required. https://help.mikrotik.com/docs/display/ROS/First+Time+Confi...
See Holvoe, a perfect example of a motivated first poster, that with a single training session, could produce a valid first post. There would be many one and dones........... My idea is both practical and feasible, for anybody who is not brain dead that is. :-) Some would take longer, but overall, y...
It will work just fine. You have A primary wg network where all are connected. In case R1 falls off line, you have a backup connection via R3 ( keeping r2,r3,r4 connected ) and any roadwarriors needing access. What I suggest you do is setup a firewall list called Authorized . add address=10.3.2.11 ...
First setup is some fixes to primary setup and the second is for a backup. Primary Wireguard Interface R1 (Main Server Peer ) /interface wireguard peers add allowed-address=10.3.2.2/32,10.21.30.0/24 interface=WG_mikrotik_R1 comment="peer Router 2" public-key="*******************&quo...
As long as the port using the vlan is not on the bridge its a viable path. If you have the vlan on the bridge then you should use all vlans and the bridge does no DHCP etc... Do not use VLAN1 for anything carrying data.......... If your router gets a public IP, then your firewall rules are your bigg...
How is the signal from the middle X, to the O to the right of it/ (If you turn middle O off) I would start with one CAPAX in the current middle position and see if the service is adequate at all locations. If not, then consider moving the central one to the far right hand position and get a second c...
Well I see it as an elegant way of simply stating: Ensure local traffic is not captured out the tunnel by subsequent routing rules. When one starts having multiple subnets, this simplifies the config. While looking for linux stuff, found this WG QUICK script LOL - https://ro-che.info/articles/202...
ROUTER A (1) set detect internet to NONE. (2) private key NOT supposed to be on peer setting! (3) One should not access winbox (aka the router) directly from the WAN side, unless its connected to an upstream router and you need to access MT router from the upstream routers LAN. I see you have a red...
flatbat is correct,
The name and function are rather bizarre and MUST have more explanation. The fact that you are almost incoherent trying to explain it speaks volumes.
The integer ref is also confusing............how does this relate to for example IPV6 which is 128 bits long .................
Okay to confirm, you have no real knowledge of MT OS and how firewall rules work, and you are going by the assumption if a button exists I should use it.
Good to know. Hopefully others will chime in, as I will be assisting others https://help.mikrotik.com/docs/display/ ... t+Firewall
My rules of thumb for traffic flow rules. a. For traffic to or from a single subnet USE: SRC or DST address x.x.x.0/24 b. For traffic to or from two or more whole subnets USE: interface lists c. For traffic to or from remote subnets (not known to the router) USE: firewall address lists d. For traffi...
Well if all those subnets are local, why are you creating firewall list? A. to identify single subnets in a config use src or dst address .0/24 B. to identify two or more subnets having similar traffic flow expectations use INTERFACE LISTS C. to identify two or more external subnets (not known to th...
Your firewall rules are where the most work is needed, its clear you got mixed up or at least didnt think through the logic. For example you have the office vlan accessing the training vlan and then you have the training vlan accessing the office vlan. But you dont use vlan subnets you actually use ...
No point in reading too far. Tells me all i need to know, if this is an internet facing device (gets public IP) then your setup is flawed for security reasons.
If you want to config the router, use VPN to access the router then use winbox.
No point in looking at configs without first understanding the intent of your diagram. It would appear that the router on the left call it R1 is the Server Peer for handshake purposes ( with address 10.3.2.1) and the three routers on the right R2,R3,R4 are the PEER clients for handshake. Can you con...
There are two approaches used...... (1) Identify the traffic prior to fastrack. add action=accept chain=forward connection-state=established,related,untracked in-interface=vlan101 out-interface=vlan102 add action=accept chain=forward connection-state=established,related,untracked in-interface=vlan10...
You dont get mesh.... You get a mess. Its peer to peer, and you best know what you are doing in firewall rules and routes. Depends on any given scenario: For example, if you have three Routers then you should have B,C connect to A, and the backup best be on either C and B and a connection between th...
(1) Remove bridge filters is probably the most important change. (2) Add wireguard to list members. /interface list member add comment=defconf interface=ether1-WAN list=WAN add comment=defconf interface=bridge-LAN list=LAN add interface =wireguard1 list=LAN (3) Modify firewall rules.... Put input ch...
1. Yes admit all includes both vlan tagged and untagged which, by the way, is a setting I would only use and is required for hybrid ports. If its a trunk port only vlan tagged is appropriate If its an access port, priority and untagged is appropriate. Up to you 2. Whether the changes or not affect p...
Incorrect! Only the peer that is acting as server for handshake has to have a reachable public IP in the standard wireguard setup. (Note: with new wg BTH functionality available on most MT routers, one need not have any reachable IPs). So the Remote Device should have allowed IPs like so. /interface...
a. detailed requirements which point to the design of the config
b. network diagram to show how and which devices are communicating
c. complete config, as MT functionality is integrated across functionalities.
With the current setup ( assuming the MT is setup as a router ) and ensuring the masquerade rule on the Mikrotik router, any traffic heading out of the mikrotik is going to go to two locations. a. out the internet - one of your users wants to browse, email etc. b. or to a local subnet behind the anc...
Suggest you use Wireguard instead. Does your home router get a reachable public IP, or the upstream router if there is one ( and can you port forward on said upstream router)
Guessing is for cats, sane animals work with facts! ;-PP Both PCs are behind the CRS354 Switch?? If so, yes there is something wrong with the config and likely on the switch. So let's start there....... (1) I don't like your name DISCOVERY ( meaningless) , should be more akin to BASE or better MGMT ( ...
Now you have me confused??? I was talking about this you posted........ My uglier approach is: /routing rule { add action=lookup disabled=$norules dst-address=10.0.0.0/8 table=main add action=lookup disabled=$norules dst-address=172.16.0.0/12 table=main add action=lookup disabled=$norules dst-addres...
First I would state a. check to ensure keys are setup correctly b. there is no firewall on the remote device blocking traffic 1. This indicates some sort of error... Which indeed is probably true as you never defined vlan100 so not sure what you are doing here??? You are not using bridge vlan filtering...
Up to you.......
You can use different interfaces OR diff IP address nomenclature assigned to the same wireguard interface.........
In this way on both firewall rules and Allowed IPs, all users would be separated.
Depends on your security posture.
Okay so that is clear to understand. I have run across this already and solved it by ensuring the subnets were designed with this in mind before config. If you have all your subnets in 192.168.0.0 to 192.168.15.0 range, you could simply do /routing rule add dst-address=192.168.0.0/20 action=lookup-o...
Yup should be standard chip in every new wifi product. BULK purchase should get MT best price :-) I'm holding off waiting for the 5009 - WIFI 7 combo product.......... but Normis, why not add another 2.5 gig, as the Marvell chip allows up to 3 SerDes interfaces ( you only have a 10gig and 2.5g port)....
Start your own thread, your scenario bears little to no resemblance to the original thread's situation. State the traffic flow requirements and the design will fall out naturally, for example, there is probably no need to have a different wireguard per vlan approach. Post a diagram of your intentio...
I'm blushing!! In the meantime, you should help the dude in this thread, he has issues with fasttrack and queues. https://forum.mikrotik.com/viewtopic.php?t=205474 Why don't you come up with a way to solve that issue. .. I mean it should just work without any need for additional steps............... N...
Single NAT: Router 1 incoming on WAN port ---> dstnat to LAN server
Double NAT: Router1 incoming on WAN port ----> dstnat to LANIP of next router; Router2 incoming on fixed IP WAN port ----> dstnat to LANIP of server
TRIPLE NAT: Router1 incoming on WAN port ----> dstnat to LANIP of next router Router2 ...
What are the requirements for traffic flow that describe all users and devices? Cherry picking a port is almost useless to give advice on; configs are integrated animals.
A network diagram will help as well.
I disagree, he is inventing a problem that's not a problem. There are working solutions. Add to the list the millions of suggestions to make life easier for users................. While you all mull it over obsessively, I will continue to help others and stop by once in a while, to refute anything stated...
Could improvements be made, sure! Can we implement working configs now, yes! +++++++++++++++++++++++++++++++++++++++++++++ Yep, that sounds about right! The whole exercise has currently resulted in two different issues: No they have not. There is nothing new in this discussion and the first item is ...
Well it's not a fix, it's simply using the tools available properly (already posted in detail ). By the way in a three WAN scenario where 1 fails to 2, fails to 3. If the wireguard is set to look for WAN1 to establish an initial handshake connection, and does so, then WG will gracefully handle any comb...
@ AMMO , I did not know you were a fiction writer. ;-P I think the issue is other side also knows about the 3 WANs – it's not a smartphone/desktop wanting VPN access. It's the far-end wants to steer some traffic down a particular WAN(s), that may not be the "primary"*. I don't think DDNS/...
The WG crypto routing engine is not detailed in the flow diagrams. There is no issue with dynamic IPs for WANs, as a person's dyndns URL will keep the WANIP relevant if it changes and I believe the crypto routing process will keep the client peer in step with the new WANIP........... Also take a scena...
Sorry WB, not a clue why you are showing logs of I dunno what. As for Larsa, If I connect to a WAN interface with distance 3, without any other rules setup, there will be no tunnel established. The only thing that using an improperly configured setup accomplishes is that the peer client will reach t...
Just need two rules for sourcenat. Sourcenat is not a firewall function or a routing function!!! add action=masquerade chain=srcnat out-interface=ether2 add action=masquerade chain=srcnat out-interface=ether1 alternatively you could add action=masquerade chain=srcnat out-interface-list=WAN Where bot...
Concur, sounds like an OSPF+BFD exercise to detect drops and to direct traffic to the remaining connection.
Not having used zerotier, that may be much easier... albeit through a third party technically.
Yup, of course if its dynamic, extra work is required, but remember pppoe dynamic, a script is not normally required, pppoe-out1 suffices !!! The router is working as designed. Mangling ( marking connections and marking routes ) works just fine for Wireguard handshakes. Please join the borg! It woul...
Concur with points above, as erlinden indicated once finished setting up all the vlan related settings go back to bridge and set vlan-filtering to YES. As far as /interface bridge vlan settings its much better to put in the untaggings and thus one can more easily distinguish if the OP understands th...
The only thing I can think of is accept that you have to manually divvy up the subnets in your head. Treat the local WAN as one WAN with 2/3s of the available BW and the wireguard interface as a second WAN and give it 1/3 of the BW. This really sucks because the beauty of queues parent/child etc.........
Wireguard handshake is a completely different animal, in this case the return traffic is NOT coming from LAN servers but from the router itself. However the same logic applies, if the WG initiates a handshake on WAN3, with WAN1 being primary.................then the handshake will fail. Again easily...
Let me just start by stating, that in general, DSTNAT ( normal port forwarding), in your simple case works quite the opposite. Incoming traffic to a LAN server on WAN3, via DYNDNS URL (or IP itself) where WAN1 is the primary WAN will fail. The return traffic will go out WAN1, the original sender wil...
Well not sure what you are trying to do. Typically queues are used so that not one user or not one subnet etc, uses all the available WAN bandwidth for its connections..................... So if you have subnets A,B going out WAN interface, and subnet C going out Wireguard interface ( but clearly th...
So this is MT's excuse not to listen to opinions on this forum? I said quite the opposite. I said we listen to all users, not just the forum In what language? What you said was very clear, and you made no mention of listening to all users. In fact, it seemed to be, if anything, stating that home us...
The private key that proton gives you to insert will create a different public key if you already have one generated by the router. This is normal. Much better is to hit the + symbol to generate your wireguard interface on the mikrotik and DON'T hit apply. First enter in the private key that Proton g...
Perhaps you should use more standard terminology vice the magical language you learn at Santa HQ. Your question has been answered, it's only you that remains in the dark. I have no problems mangling to ensure Wireguard connections respond appropriately. As a matter of fact even in a failover situatio...
1. /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=lte1 list=WAN add interface=ether1 list=WAN Should be /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=pppoe-out1 list=WAN 2. Why do you have two a...
No mkx, I demand that new posters continue to baffle us with minimalist approaches and lack of information. Why do you want to take the pain out of reading posts? Remember, this is Normis' personal torture chamber for supporters !!! /export file=anynameyouwish ( minus router serial number, any publi...
The question erlinden, is AFTER READING THE EXCELLENT article --> https://forum.mikrotik.com/viewtopic.php?t=143620 WHY DID THE OP THEN USE THIS CONFIG LINE?? /interface bridge add name=bridge-all pvid=100 vlan-filtering=no I would like the OP to go through his/her thinking as to the construction of...
Oh my bad I thought you were showing off your excellent logging. ( also there was no request, comment, question, I don't answer pictures ) If you download new software the first things you should do is read the thread on the new software as users will report issues there. Have a read, https://forum.m...
It is not clear what scenario you are talking about, no diagram?? no config ?? Seriously, what do you mean when a passive peer receives its initial handshake. What do you mean by passive? What do you mean by peer? The wireguard peer ( client for handshake) aggressively sends out a wireguard handsha...