MikroTik

anav

Not that I am aware of sorry.

But perhaps this explains the situation best:
..................

usetherighttool.jpg

anav

Fixed, thanks!

anav

No I said, a. if you only have one vlan per port then you dont really need vlans. b. also since this is a lab environment then you dont need any security. c. if you are trying to practice for real world setups then it would be nutso to have to manage 10 or more devices (config them) using all the di...

anav

Why do you want vlans? There is no need, there is never a duplication of any subnet over a single port? In reality, every device would be on a managed vlan, so every device would have at least two vlans coming in a trunk port. Suggest you look at basic videos and read this article. https://forum.mik...

anav

The problem is that your requirement is not clearly stated. Do you mean, I wish to access my Router while at a remote location? OR Do you mean I wish to access my router while on the LAN of ISP1 modem/router or on the LAN of the ISP2 modem/router. (hint they are not strictly modems if they get a sta...

anav

I dont understand the first post.
Why cannot you simply make the devices available via port forwarding.
How can you expose devices to the internet if you only have one WANIP address, dont you need a block of public IP addresses??

anav

It should work so there may be something else in your config interfering.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

It has two chains, and thus thought the default would include wifi1 andw ifi2 so at least the op could provide coverage for two freqs.....oh well. Nope. Only 2.4Ghz radio so only wifi1. 2 chains does not mean 2 radios. Reminds me to ask you, why do they even state the number of chains, its like use...

anav

Mikrotik provides its own domain URL in IP CLOUD use that.........
https://help.mikrotik.com/docs/spaces/R ... Cloud-DDNS

anav

How can you eat an apple but keep it intact ?

You can not.

I disagree, a whale can swallow it whole....... and then regurgitate it back whole.

anav

VERSION7 instituted some changes mostly to the way of using scope and target scope.......... Nested using a faux address for two canary selections. /ip route add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 add distance=2 check-gateway=ping dst-address=10.10.10.10/32 gateway=9....

anav

If WAN1 is your primary WAN ( and WAN2 is rarely used ), then it stands to reason that all your wireguard users have WAN1 as their endpoint address. To test if the router will switch to WAN2 automatically, due to distance in route difference, please do not SWAP distances. To test simply unplug inter...

anav

Your testing method may be flawed.
If you swap distances on the WANs, do you also change the endoint address to WAN2 for the device??
You need to NOT change the WAN distance, simply unplug the cable from wan1 into the router.

anav

What kind of switch, like an unmanaged switch with one flat network OR switch with multiple vlans?

anav

Without a router with (DPI) and like services that looks at encrypted packets there is no foolproof way...........

anav

In a dual wan scenario where WAN2 is secondary lets say by distance and your current setup is for users to connect to WAN1 address, when WAN1 fails ( is no longer available ), the router will move wireguard traffic to WAN2 after a short delay. I havent tested that lately but it used to be the case. ...

anav

How do the users get their access,,,,,,,,, if by WIFI, then turn off access point or WLANs at a certain time.

anav

I would add mkx, an admin using MT equipment would probably be trained to some degree to use the equipment in an enterprise networking position. I wonder if any of the certs cover detect internet. OR,
to have at least read viewtopic.php?t=215004

Item 5

anav

Perhaps they never coded to detect and warn about duplicates.....??

anav

I have heard ubiquiti is so designed but never have read TPLink Aps were particularly useful in dense environments.......

anav

Concur unless you set DHCP static lease to phones with randomizer turned off and do not let any other leases occur

anav

Good question, the answer is there is no certainty in the ways of MT programmers regarding wireguard. There is lots wrong with the implementation or GUI or display of information to the admin in RoS regarding wireguard. Typically we dont change our local DNS based on wireguard settings, we simply us...

anav

I hear wifi coming and CRS326 and assuming this router will replace the ASUS. Thus I am assuming you will have more than just one flat network and are planning on vlans? [ if not, send me your CRS326 and I will send you my un-managed switch ;-) ] Also there is nothing secret about your private IP ad...

anav

So you want to get into an argument. Nope … stop using MikroTik wireless and all your limiting factors go away. Yes multiple AP’s provide the required balance and improved performance … Ubiquiti, TP-Link dedicated Access points provide exceptional value for installations thatn require special purpo...

anav

So you want to get into an argument. Then tell me how many WLANs can a single ax3 PRACTICALLY provide.................. ( and remember your the one jumping up and down about network performance !!! ) NOT as many vlans as I have in my house thats for sure............ So one has to use multiple APs to...

anav

Yes, one needs the handshake negotiation to take place via the input chain and then manage traffic exiting and entering the tunnel from the LAN (forward chain)

anav

First, No one is going to hold your hand and tell you what is the optimal number of vlans. Second: The creation of vlans is to segment your network into logical manageable entities/functions and thats a personal choice. Some may prefer lumping all IOT devices into one vlan, and some might separate t...

anav

Its the only perspective! Trying to reduce the number of vlans, is not a valid requirement, its convenience at best. You create the vlans based on the functions your network will be performing. This is both logical and practical and easy to manage. One of the valid overall requirements for a network...

anav

One should view it as, if a device was compromised, what can it then attack........................... simple question. There is no RIGHT answer, its personal , and what level of comfort you have exposing devices to other devices be they IOT, media, voip, laptops, smartphones etc....... . PS Erlinde...

anav

Hex S refresh router with two Access points, very few access points handle 70 clients very well.
If stuck on one AP, look at High density access point brands look at wifi6 as a minimum ubiquiti, RUKUS etc........

anav

use firewall rule to allow it

anav

It has two chains, and thus thought the default would include wifi1 andw ifi2 so at least the op could provide coverage for two freqs.....oh well.

anav

Assuming one flat network........... First create a safe place to config the router, an off bridge port ( remove from /interface bridge ports) and then you will be able to change the main IP structure of the haplite without issue to that of the upstream router without locking yourself out. After ens...

anav

why did you mess with default firewall rules, and then mix up chains etc...... Seems like you are hosting RDP.........its not the best security practice anymore hint........ Also you seem to think its okay to have your winbox port (still in default) to be accessible over the WWW and not via VPN. I h...

anav

For me the question is, to default ON or disabled. Seeing as the majority of users end up turning this OFF and it does create traffic probably unbeknownst to most, it should really be defaulted to disabled. The associated MT doc page is perhaps vague on its purpose and seems to indicate it is OFF by...

anav

bug or feature

anav

No idea where the parts for MT devices are made or where assembled for that matter.
Concur, eap245 was great, and yes omada sucks, all good when manually configured.
Most people stream video these days!!

anav

Yes, using winbox 3, typically it happens 1, 2 or 3 times in a row but never more.
I resolve by closing all the open windows, and that seems to help.
No such issues with winbox4

anav

Smells like MT testosterone in here! ;-PP

anav

Please state MT model.. A switch is not a router?? Although RoS lets one do so, it most cases its a bad idea.

anav

Another nail in the coffin for Capsman if you ask me, if the directions are so vague or out there that this happens, its not worth its weight in chicken feathers or whatever......... argg disgusted...... https://help.mikrotik.com/docs/spaces/ROS/pages/7962638/CAPsMAN Nary a peep I could find about c...

anav

What I suggest is you configure the router from a safe spot to make subnet changes and later if you use vlans. Take etherX like ether5 OFF the bridge in /interface bridge ports So it looks like /interface ethernet set [ find default-name=ether5 ] name=OffBridge5 /ip address add address=192.168.77.1/...

anav

1. FROM /interface list add name=WAN TO /interface list add name=WAN add name=LAN 2. FROM /interface list member add disabled=yes interface=pppoe-out1 list=WAN add disabled=yes interface=ether1 list=WAN TO /interface list member add disabled= NO interface=pppoe-out1 list=WAN add disabled= NO interfa...

anav

rplant ur killen me, whats your address will send you the game whackamole.
Please ask for config LOL
/export file=anynameyouwish ( minus router serial number, any public WANIP information, vpn keys etc.)(

anav

Conceptually speaking you only need two tunnels or two interfaces. The one for you to use your own internet while at a remote location (0.0.0.0/0) has to be on its own Wireguard interface. Also, consider the traffic coming out of the tunnel and hitting your router, being subject to firewall rules as...

anav

Danger Danger: Its amazing your ISP has not blocked you yet. WELL you attract flies with honey and you lay a big fricken goose egg here add action=log chain=input connection-state=new dst-port=53 log-prefix="TCP 53" protocol=tcp Inviting the whole world to use your router for DNS. I would...

anav

By the way, I hope you do know about controversy around TP-Link... I see you have been recommending them here and there. Yes, tp link routers, not access points and in reality, CISCO had issue in the past in the same vein, as guess what most devices are made in China so, do you think parts can get ...

anav

I wouldnt take forum responses personally, they are of no consequence. People here are free to speak their mind, sometimes its refreshing and eye opening and humbling. I make posts based on what I know, and if someone better comes along, who actually knows their stuff, I am all the better for it. (E...

anav

Bad actors/bots are constantly hammering ALL routers, nature of the beast. There is no point logging it and nothing you can do.
However it would not hurt to have your setup/config reviewed to ensure its not getting special attention for some reason.

anav

The what, I cannot find any such model.
I see the Chateau 5G AX??

There will be no appreciable difference.
Suggest considering TPlink and Zyxel wifi 7 products.
OR
add another MT product in the home for better coverage capax for example.

anav

Are you stating that there is no port with more than one vlan going through it???
At a minimum there should be two vlans per port if all are trunk ports going to smart devices, one being the management vlan which all smart devices should get their IP address from.

anav

Suggest for fish --> https://guide.michelin.com/ca/en/new-yo ... k-new-york

anav

Doing the exercise was very helpful to determine form follows function approach and to realize that really what is going on is three different requirements based on how wireguard keys are handled. a. Both ends of a connection manually make and trade public keys (standard wireguard construction) b. A...

anav

Correct interrelated moving parts, and its unfair to ask for definitive specific answers to vaguish questions without the context and information required.

anav

You know I am always truly grateful for the enormous amount of help you have provided to me, but my limited capabilities are focused here, in this thread, on understanding the config items that distinguish router versus switch use in a CRS. Sorry, you dont control the narrative in a public space LO...

anav

Routers --> both bridge/switch and route have multiple IP addresses
Switches --> only bridge/switch have single IP address (for management of switch)
RoS Unique (confuses some) --> determines function by Software not by hardware.

anav

The CRS should be written as Cloud Router Switch . That is indeed the problem, and by the way, you should note that ONLY one switch in the entire lineup uses the terms Cloud Router Switch and that is the CRS317 ( MT informed to remove). There are couple more that use the term Cloud Switch but most ...

anav

Hi Mozerd, I attempted to rejig the Wireguard GUI in winbox 4 and supplied the advice to MT as you can see here. https://forum.mikrotik.com/viewtopic.php?t=215684: The response I got was not enthusiastic as the peer page was too busy etc. So I resubmitted a simplified approach. SEE post #7 for simpl...

anav

A good network diagram will help planning as well....

anav

The example provided is a bit confusing. - why include ports 5 through spf-sfpplus2 if not relevant (not being used) - then I see sfp-sfpplus1 is being used but no indication its a trunk port ( frame types or comment missing ) which is inconsistent from the other entries........ - why are you missin...

anav

https://www.spiceworks.com/tech/networking/articles/network-switch-vs-router/ Clues to you are routing. -DHCP -WAN and LAN -NAT -all subnets have an address -need firewall rules (layer3) Switch..... Single Ip address provided to switch setup is primarily about vlan traffic only management or trusted...

anav

I would go a step further, why are people making excuses for a chap thats willing to spend $600 without research and where the nomenclature NEVER stated cloud router. Go to the switch section of mikrotik, pull up the applicable switch page and I bet you wont find mention of cloud router!!!. Would as...

anav

Since you didnt bother to post config, Im outta here good luck. Others have more patience than I.

anav

Yeah much too busy for me to look at in any detail and wont bother until cleaned up. I did note that this is wrong. add allowed-address= 0.0.0.0/0 client-address=10.194.91.2/32 client-endpoint=xx.xx.xx.xx client-keepalive=10s \ client-listen-port=13834 interface= wireguard_1 name= public-key="&...

anav

I have a 650 myself but plugged into a socket using the adapter ( luckily my wall mount is close to an electrical outlet on the other side of the wall.) I have used injectors with no issue on other tplink and MT access points. https://www.canadacomputers.com/en/power-injector/188906/tp-link-tl-poe16...

anav

While waiting for the diagram, if you have users in the same subnet as the servers and they are attempting to reach the server via domainname/url then the easy fix is a. change server or users to a different subnet otherwise b. need a hairpin nat rule /ip firewall nat add chain=srnat action=masquera...

anav

Would need to see MT config
/export file=anynameyouwish (minus router serial number, any public WANIP information, vpn keys )

The wireguard info you were given to connect to the remote wireguard site.
( minus endpoint address, keys )

Diagram of how all the pieces are connected would be useful.

anav

If your considering WIFI as a factor then get a hex refresh (or better router) and tplink or zyxel wifi7 APs. No point IMHO of going anything less than wifi7 at this point. By the time MT figures out the dogs breakfast of wifi packages and capsman, wifi8 will be out. In other words, dont tie your ro...

anav

seppuku may be less painful

anav

Hi Ammo, Im assuming the distinction was soley at the LAB Rb 5009 regarding changing the Bridge settings ( and not the CRS326 which I am assuming are set at vlan-tagged only on bridge itself ) .... romon.jpg The admins work around was to ignore the ethernet connection and connect to an AP behind the...

anav

Truth be told you are brave and I am a coward......... when it comes to capsman implementation.
Also, you didnt learn anything from me as I dont know anything, but I have successfully passed on information other 'real' experts provide.

anav

Well based on the avatar, I guess that post could be considered a dud! ;-)) So what is the summary on why RoMON does not work here? I lost track of the conversation. The OP was trying to use romon from on a PC behind a second rb5009 (that was giving the lab 5009) a WANIP on its flan LAN, to reach t...

anav

There is nothing about setting up a router for security that is different at home or if travelling.
So ensure on your PC you use vpn for internet and if not at least VPN on the browser or AV software.

anav

Well the problem could still be the config, which you have refused to provide. There may be some collision with the box protocols and the MT config for example.

anav

When you get tired of capsman, I can help get it working....... Its more pain that its worth IMHO. In fact it takes over the config like effing egg plant in a garden.

anav

Well based on the avatar, I guess that post could be considered a dud!

)

anav

Maybe the separate box, does not follow protocols properly?? Bad cables??

anav

Hi Sindy, I dont think the OP has a problem using ROMON when behind the LAB 5009 to reach the connected CRS326 also part of the lab network. The OP, although didnt provide the pertinent information or the pertinent config, only disclosed the fact that he was actually behind another 5009, that provid...

anav

Sure/
--> https://help.mikrotik.com/docs/spaces/R ... 211299/NAT
---> https://www.youtube.com/results?search_ ... airpin+nat
---> search.php?keywords=hairpin+nat

anav

There are many factors involved here. a. how often does the main internet go down? b. what throughput or level of Cellular performance is good enough c. what level of wifi connectivity is good enough..... What is shocking to me is that as the IT person of this network, states that that there was a f...

anav

I would have a home MT router, and use the travel router to use the MT router internet via a wireguard tunnel. There is no special sauce be it on the road or at home to keep the traffic as secure as possible. A layered approach works, so if you dont vpn into home use a vpn on the connected devices, ...

anav

Hard to day without seeing your 5009 config
/export file=anynameyouwish ( minus router serial number, and any public IP information)

The router should be transparent to the device and its connectivity through the internet to office site using the office vpn.

anav

We are going to connect the PC on the master router to the lab router directly on vlan32. So ensure vlan32 is associated with ether1 as well, on the lab router. To facilitate the idea, lets say on the master 5009, its etherport YY that you have connected to the lab5009. Further, you have our pc on t...

anav

Only stating there was a second 5009 at play at such a late stage, and that the Romon issue stemmed from the first one to the Switch was a criminal omission. Consider yourself flogged

Your punishment is having to eat the entire plate of smoked meat served at Katz's.

anav

According to CGX, there were no shortcomings to using bridge itself vlan tagged, so I hesitate to completely swallow the information provided by AMMO and maybe in-between is a more accurate answer???? It would appear to me that any data from a PC trying to talk ROMON that is assumed to be on the man...

anav

Who told you this............... ??????
I need Romon to access the CRS

its clear that even though ROMON should not be affected by vlan tag settings on the bridge itself, they are, so avoid its use is my advice.

anav

So what is now on ether7?? What is the conflict? I am having difficulty identifying the conflict. ether7 is the CRS. The config paints a conflicted story? set [ find default-name= sfp-sfpplus1 ] comment= CSS326 Hard to find ether7 tagged for any vlans going to CRS326 ??? /interface bridge vlan add ...

anav

I access all my downstream devices, ax3 ap, hex switch, etc via neighbours discovery not ROMON (via winbox)

anav

Perhaps "smart"dns was just a marketing ploy?

anav

What are you using ROMON for,,,,,,,,,that is not available through neighbours discovery?

anav

ROUTER You have a disconnect and duplication when I noted on your trusted listed you had three ports ( vice just one trusted offbridge port ) identified. The fallout of that is 1. a. in ethernet interface settings you identify ether5 as the hapax upstairs, and on /interface bridge ports ( athough m...

anav

SWITCH Why are you treating the switch like a router? The only address on the switch is the one given to the switch over the management vlan32 ??? Bridge is not involved............ reminder to look at switch example: https://forum.mikrotik.com/viewtopic.php?t=143620 There is only need of ONE inter...

anav

For a secure connection suggest wireguard, assuming you have at least on public IP available at one of the routers, or the ISP router in front is capable of forwarding ports.
Alternatively use Zerotier.

anav

CGX nailed it........
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 should be pppoe-out1
WINBOX
IP menu firewall -->NAT

Sorry dont know the CLI commands to change.

anav

RoS is very for giving, many of the default settings are ALLOW by default, so unless you define what is allowed, everything is allowed.

anav

Here is one problem........ The termination of the ISP connection is done through pppoe, so the ip address entry for ether1 is incorrect, should be removed. /ip address add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0 add address=cc.220.222.dd/24 interface=ether1 network=91.220.222...

anav

What does a duck do on the router? quackNat quacknat quacknat quacknat.

fixed it for ya

anav

1. Typically the recommendation here is loose , not strict! /ip settings set rp-filter= strict 2. Lack of decent set of firewall rules, plus should be organized together in chains and in a coherent order. PLUS security infraction, one does not access winbox from external as you are attempting. Only ...

anav

/export file=anynameyouwish ( minus router serial number, any public WANIP information ) It should be quick to find the issue! also. a. confirm you are using LANIP of server to reach from LAN? b. confirm you have a public IP address (static or dynamic) OR you have an ISP router that has a public IP ...

anav

Can you post your latest config on both routers.
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys. )

anav

I do not believe DHCP in general works over wireguard but there may be ways..........
Check out VXLANs and EOIP as two possibilities ( running over wireguard or L2TP to keep the traffic secure ).

anav

Would need to see the complete config, but it sounds like you want the users on your subnets to use wireguard for specific WANIPs that exist, and where they are not static but dynamic WANIPs. First, please do not use the same name for different RoS funcitonalites, aka the name of the list being the ...

anav

How you sussed that out from the information presented boggles my mind. Glad you are here LOL However, the weak point being, how does the router know that 10.72.22.200 should be assigned to the device ( assuming its now in a VLAN of that subnet structure )?? THe router knows that that address might ...

anav

I probably missed the intent entirely but why not something as simple as: If I have a device with LANIP 192.168.0.X and I want it to go out over wireguard but as 10.10.100.Y address add chain=srcnat action=src-nat src-address=192.168.0.97 to-address=10.72.22.200 AND for return traffic..................

anav

What are your qualifiers in the PCC mangle rules??

anav

Normis, massina seems to have experience with migrations, and that at least should be made aware to the admins in their deliberations. Thanks for your feedback in this thread, its really good to see!

anav

To clarify the source nat address part is STILL required. I think he is saying
add action=dst-nat chain=dstnat connection-mark=wg-wan2 to-addresses=10.20.30.40
add action=src-nat chain=input connection-mark=wg-wan2 to-addresses=10.20.30.40

anav

Interesting, as long as there is no downside, narrowing down the frame type at the bridge, is then viable would be my conclusion. Assuming you mean this is valid for both routers and switches CR3 types when using vlan filtering??? Just to be clear this does not interfere with any situations where a....

anav

The first error. 1. is quoting from your config in post #18 EDIT : and is USER OPTIONAL ( without frame limitations vlan-id1 is shown as a dynamic entry but not a concern, as well limit frame types on all bridge ports/wlans - I guess either way is acceptable! 2. is quoting from your confing in post ...

anav

Yup sounds familiar and as CGX pointed out we only need to use one LO address/interface to accomplish same.......... no need for bridge!!
/ip address
add address=10.20.30.40 interface=lo network=10.20.30.40

anav

re: ... Anyway, whatever they end up doing... I do hope they host it on their RDS ROSE server(s) as proof-point they work in the real-world. ... If I hosted this server , I would go with Proxmox hypervisors Xeon , 40-Gig or 100-Gig network cards , NFS mounts from a TrueNAS ( 512-Gig Ram or 1-TB-Ram...

anav

Looking at the diagram it would appear you have three separate networks/locations. The laptop is a remote device could be anywhere a true remote peer. The MT device is a fixed remote device. The Server is the local wireguard in this discussion. All three are not connected but all three have access t...

anav

https://www.discourse.org/about
Nice!!

Example of a forum running discourse as the engine
https://meta.discourse.org/c/data-reporting/148

anav

Speed is not all its cracked up to be, taking ones time mostly results in greater satisfaction,.......... Besides there is an error before that..... and many many after LOL 1. /interface bridge add admin-mac=F4:1E:57:2C:BE:98 auto-mac=no comment=defconf frame-types=\ admit-only-vlan-tagged name=brid...

anav

How does it relate to the input chain rule then?? add chain=input action=accept dst-address=127.0.0.1 and you are saying Then 10.20.30.40 can be used instead of both your 172.16.10.1 and 172.16.10.2. Does this mean the following. /ip firewall nat add action=dst-nat chain=dstnat connection-mark=wg-wa...

anav

Please draw a diagram, I have no clue how everything is hooked up together and to the internet

anav

Hi CGX...
What the heck is lo LOL, an existing interface on the router that is there all the time??

anav

I see no reason to use PCC, if ECMP is ensuring fair usage of all WANs ( they have to be equalish in throughput ). Maybe ECMP circa 7.18, the brewmasters finally got right....................... Better than PCC is actually load balancing which add a layer of additional mangling but you can do it bas...

anav

Well HA does not use DHCP Option codes, must have coders from the dark ages. In any case you could try something like this simple DNS pointing. IOT Subnet on R2 - 192.168.55.0/24 IP of server on R1 - 10.10.10.15 ON R2 /ip dhcp-server network add address=192.168.55.0/24 dns-server=192.168.55.1 domain...

anav

Never said it was, but to think up such trickery, you are on the spectrum somewhere ;-P You have answered my question, there is no rhyme or reason, it is not controllable and thus the faux bridge approach is STILL required even in ECMP. Thus, the answer is dont have multiple WANS, ;-) Good, so you h...

anav

What?? Well the physical port ether1 is a trunk port carrying multiple vlans to the local device. Why would you not think that vlan32 should be allowed to ingress in ether1?? A. its on the trunk port leaving the upstream device. B. its noted as a tagged vlan id on ether1 in /interface bridge vlan s...

anav

You miss the point entirely, The two options presented DHCP and DNS are to inform the iot device, what is the IP address of the HA server, not to change the local subnet IP the iot device is using. And how would DHCP or DNS be used to inform the IoT device the address of the HA server? I stated it ...

anav

I am saying I have 3 ISPs all different all relatively 1gig connections. I load balance via ECMP /ip route ( main table ) add dst-address=0.0.0.0/0 gateway=gatewayIP-wan1 routing table=main add dst-address=0.0.0.0/0 gateway=gatewayIP-wan2 routing table=main add dst-address=0.0.0.0/0 gateway=gatewayI...

anav

Hahaha, I thought it was simply my browser, I keep forgetting they use a haplite to run their website, the free schnapps in the web lounge is not helping work output either.

anav

You miss the point entirely,
The two options presented DHCP and DNS are to inform the iot device, what is the IP address of the HA server, not to change the local subnet IP the iot device is using.

anav

Sorry I meant EMP of course. Does it work during a nuclear blast in the atmosphere??? Of course I meant ECMP, you know this feature --> Equal Cost Multi-Path...... My question is germane, not dry (german), because we are not sure of how the router decides which interface/route it decides to use on t...

anav

Maybe, home assistant appears to be a dogs breakfast with differing information wherever you look. One place says the server scans the network for devices...................

anav

So lurker did you test like 3 WANS with ECMP load balancing
Basic mangle rule in wan3 out wan3 generic all traffic to WAN back out same WAN.
What does the wireguard process choose for source address in this case, alway the correct WAN?? ( regardless if you put wireguard on wan1, wan2, or wan3 )

anav

By the way, Home Assistant devices typically obtain IP addresses from the Home Assistant server through the network's DHCP server, which is usually the router, rather than directly from the Home Assistant server itself. This sounds much like the UNIFI approach where one can use a. create dhcp option...

anav

@lurker888, does EOIP really have the same handshake issue as WG, like I described above?

Since when does EOIP have a handshake, I use EOIP within a wireguard tunnel LOL, not outside of it.

anav

Not your concern mkx, its hard to keep straight incomplete questions without context................

anav

Rereading your first post, BOLLOCKS..... Prerequisites A Mikrotik router running RouterOS v7.x A Linux system (e.g., Debian) to retrieve necessary keys An active NordVPN subscription Why?? NordVPN will give you the private key to use on the Mikrotik Router Interface creation. That creates a public k...

anav

I have a better idea, why not just live in my office I have a spare chair and desk and I can setup a tent outside, winter is almost over.
Payment in good food and beer LOL

anav

Sure, the default setup is quite good, in that it is safe to connect ether1 to you internet connection and use ports 2-5 for internet. If you need more than one network on your home you will need bridge vlan filtering.. This is the best article to read --> https://forum.mikrotik.com/viewtopic.php?t=...

anav

https://www.zyxel.com/us/en-us/products ... 915-series

anav

I have seeing lots of timezones in shared configs, that also may expose your location.
And of course wifi country settings.

Good point, the somali gang members probably dont want people to know they are in Sweden.,.........shhhhh its a secret.

anav

Kid control is not really intuitive.

Have you notifed MT by a suggestion on their support website.
If not, get on with it.

anav

Why would a frame tagged with VID=32 ingressing to ether1 be accepted? What?? Well the physical port ether1 is a trunk port carrying multiple vlans to the local device. Why would you not think that vlan32 should be allowed to ingress in ether1?? A. its on the trunk port leaving the upstream device....

anav

The point being, silly goose is that Jaclaz is talking about a. the items in the config that are not already removed by RoS ( RoS removes passwords and ipsec stuff for example ) b. the items you added or router added, NEEDED not whimsically added, to make the config work, be it public IP address, ga...

anav

No worries there Larsa, no I have not tested the hard down theory, but I trust Larsa has, as he seems to be a testing machine, highly motivated. I am starting to think he is an AI brain attached to an MT network. I sent a suggestion to MT to fix the issue based on the fact that 'fwmark' already exis...

anav

BartoszP aka devil colours would be more appropriate

But please answer my questions here --> viewtopic.php?t=215918#p1137048

anav

If Joseph you are asking a different question, can one see all the routers at one time via winbox, via wireguard, in order to select for configuring, the answer is no. Those protocols dont go over wireguard.

anav

duplicate.

anav

Yes /export file=anynameyouwish ( minus serial number, any public WANIP information, wireguard keys ). WHich mean a. serial number one entry at beginning of config b. WANIP information, so removed any PUBLIC wan ip information --> could be in IP DHCP Client text, IP route text ( public IP address or...

anav

Bartosz you make me laugh................. this is a non-paid gig, dont complain about playing consultant for free. ;-P
Your stamina is commendable.

anav

I assumed as always, that you are short of time and thus want to getter done. If you have time to read novels, that is a different story '=)
Wait till you hit the chapters on VRRP VXLAN and BGP.

anav

Mimiko read this post please --> viewtopic.php?p=1136686#p1136996

anav

It may or may not be applicable for what you are trying to do.
My question is why do you need split DNS for the IOT subnet?
Do you have different IOT devices on the same subnet?
Are there are other ways to target those specific IOT devices......

anav

RIGHT, you proved me right again thank Bartosz........ A config is based on a set of established requirements, not vapour future wishes. If the op wants efficiency, the shortest path to get his 10 routers up and running as they are now, DNS is stewpid. If the op wants to tinker with DNS, which is mo...

anav

The problem with Sindys excellent approach is that it relies on the dstnat rule to un-dst the WAN1 IP to the WAN2IP so that the source of the response traffic leaving the router is correct. The mangle is fine and working as the route chosen is still good. The crux of the problem is how the router de...

anav

Somewhere along the line MT must have changed the default to YES, hard on us ole-timers LOL

anav

THis is the most interesting part about your post. The packet is annotated with the connection mark in the conntrack phase. Until then, there is no associated connection mark. (On normal linux, wg interfaces have a property fwmark, which allows all packets emitted by wg to be marked on creation - th...

anav

(I see what you are doing with wireguard just dont agree with it. There is no case where both sides of a connection need 50.0/24 that I can see.) Regarding the contrack and wireguard and dual WAN etc......... I approached it from a different angle so it makes sense to me. The initial problem before ...

anav

My bad that is valid, but this is assuming the remote router is an MT router. ( client peer for handshake) ........ makes sense, so other peers connecting to the local router can easily re-enter the tunnel and reach the remote router via the local router, so to speak. The local router needs allowed ...

anav

All a waste of time. Simply input chain last rule drop all else Simply forward chain last rule drop all else WInbox services, include all subnets that are TRUSTED, management vlan, offbridge port, and any other subnet where you may be coming from to access winbox and the router (like wireugard subne...

anav

viewtopic.php?t=143620

anav

They like blinking lights?

anav

My problem is not properly understanding connection tracking, Nothing more you can do LOL.
At least I kind of grasp your use of faux bridge and how traffic gets there, its after, the response traffic and mangle and routing that eludes me completely.

anav

It goes to root reason. As I stated, WAN1 being primary WAN2 secondary wanting to use WAN2 for wireguard. We only need to mangle for WAN2 and the problem was the router was sending return traffic via WAN1........ Thus we dsnatted to fool router to send traffic back out WAN2....... You pointed out th...

anav

Well the drop all rule will certainly cut out non trusted vlan access to winbox, since the interface list allows only trusted vlans, but without the drop all rule, nothing is really blocked, mac-server winbox-mac-server is used in conjunction with neighbours discovery to make all smart MT devices sh...

anav

So in your example you have to manipulate both wans, not just wan2??

anav

To config vlan filtering always a good idea to take an unused port or temporarily use a lesser important port and take it off the bridge, Give it an Ip address and config from there safely. Okay how to create an offbridge port. REMOVE ether5 from /interface bridge ports /interface ethernet set [ fin...

anav

Suggest you send supouts to MT as possible bug reports.

anav

The top of the tree may tend to sway significantly so not sure if thats ideal, in my experience its always windy.

A pole on a fixed object like house may be better unless there is an earthquake every time you want to use the connection.

anav

Best thing is to repost your latest for review!

anav

Perfect so netmask 28 works for you !! As for the rest looking at post #3 your worK! /interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface= ether2 \ internal-path-cost=10 path-cost=10 /ip address add address= 192.168.88.1/24 comment=defconf interface=bridge network=...

anav

As surmized: Behaviour is normal: MAC server MAC server section allows you to configure MAC Telnet Server, MAC WinBox Server and MAC Ping Server on RouterOS device. MAC Telnet is used to provide access to a router that has no IP address set. It works just like IP telnet. MAC telnet is possible betwe...

anav

Yes, that should not happen, You should only be able to access the router via Winbox from the management VLAN with those settings.......... I would need to see your whole config to comment accurately though.... /export file=anynameyouwish ( minus router serial number, any public WANIP information, k...

anav

Just started reading the post and yes, MANY ERRORS in the config which are not all yet sorted. Clearly your wireguard IP address is hosed. It should be assuming you only need/want one peer as such add address=192.168.89. 1/30 interface=wireguard1 network=192.168.89.0 { allows only two useable IPs .1...

anav

Why security of course! If you dont want any security
then simply

have two firewall rules
add chain=input action=accept comment="eviscerate me"
add chain=forward action=accept comment="bugger me"

anav

setting up pppoe should be easy peasy, go to ppp settings and hit the plus sign and select pppoe client I think near the bottom of the list. This shows a more complex scenario where they use a vlan to send the traffic, whereas in your case you dont need to replace ether1 as the interface. https://ww...

anav

In a switch scenario. One should normally only identify the management vlan! This vlan in /interface bridge vlans is the ONLY vlan-id that requires the bridge to be tagged, the rest are tagged on etherX and go out etherY or WLAN1/WLAN2 etc.. This vlans address is the address of the switch for manage...

anav

Basic firewall for Router BUT FIRST YOU NEED to add missing pieces!! /interface list add name=WAN add name=LAN add name=TRUSTED /interface list member add interface=ether1 list=WAN add interface=general_vlan list=WAN add interface=media_vlan list=WAN add interface=management_vlan list=WAN add interf...

anav

Okay matt that clears up that perspective. Firewall rules will speed things up actually, especially with use of fastrack etc.. I mean on the router, switch requires no firewall rules. Save turn OFF ipv6 if not using it. Going back to the configs... then switch 326 1. modify the first line for consis...

anav

Router . Summary ( incomplete, not ready for deployment ) 1. Not necessary, as the router dynamically untag the port, but it shows you understand the vlan filtering. /interface bridge vlan add bridge=bridge1 comment="General VLAN" tagged=bridge1,bonding1 untagged=ether3 vlan-ids=10 2. Fir...

anav

Its easy for computers behind the MT to reach other computers because all traffic out the MT is natted to the WANP of the MT .156, which is on the LAN of box devices. Their return traffic goes back to the MT, and the MT un-sourcenats that back to the originators. However consider the reverse, when t...

anav

Create your own EVE-NG or GNS3 type lab environment..........

anav

Lurker, gone down many a rabbit hole, I cannot seem to work my way through the noise of your solution.......... Context: Two WANS, WAN1 primary, and WAN2 secondary and wishing to use WAN2 as the wireguard connection. If given a faux bridge 192.168.66.0/32 address and given a listening port of 55555,...

anav

By rereading the article, where are frame types list on bridge ports, also basic networking, you got the pools but dont you realize each subnet needs
a. pool
b. dhcp server
c. dhpc server network
d. address

anav

Correct, manually entered. Typically, once you have vlans, one has to indicate which is a Trusted or the Management vlan, if nothing else for proper security. This is done through creating a TRUSTED interface list........ This ripples through the config a. the input chain, users ONLY need access to ...

anav

Hi Larsa, I think we need to go to Lurkers solution as the correct answer as Sindys, does not deal with the issue of the primary WAN being not available, and how that screws up the single dsntnat rule.

anav

Sorry couldnt get past the router........

anav

First do not ask any questions and only show snippets on the config of what you think we should see, if you dont know the problem how can you know where to look. You now have almost duplicate SrcNAT Rules and that is redundant, get rid of the second one. For the export to see what is causing your is...

anav

Not possible across brands.
Your best bet is
a. to drill (best)
b. to use moca adapters if there is rgb6 coax in the house (okay) Trendnet makes some
c. use powerline adapters over electrical wiring (mileage will vary) best are https://www.techradar.com/news/the-best ... e-adaptors

anav

Yup the correct vlan reference article was provided! If you will notice, there is one bridge all vlans, so the bridge does no dhcp or subnet work............. simply create a vlan for that subnet as well. To make changes worry free!!! Actually the best thing to do is take ether5 off the bridge and d...

anav

Problem would be in the config settings, which are all gone now so cannot really help.......

anav

If you will notice, there is one bridge all vlans, so the bridge does no dhcp or subnet work............. simply create a vlan for that subnet as well. Actually the best thing to do is take ether5 off the bridge and do all the config from a safe location. Okay how to create an offbridge port. REMOVE...

anav

Sorry no context provided, why are you mangling for example.......
Do you have a network diagram

anav

If you want help with your setup post a new thread and will need your traffic requirements and current config.

anav

WRONG you do not get to set a false narrative. BE HONEST. First, let's leave out the variable of going to each IoT device. This is something that I will need to do regardless of which solution is implemented. Bullpucky, there is nothing you have to do at each device if they are all currently pointin...

anav

That is the point I am making, the work required for firewall rules and routing and allowed IPs needs to be done reqardless of which method is used to get information from the iot device to the home assistant server. What I am saying is that you need to really do a comparison SETUP from where you ar...

anav

Probably more granularity than standard firewall filter rules can provide, although since I dont use bridge filters nothing comes to mind.

anav

Thanks much lurker, that is most helpful for me and will take the time to digest traffic flows as you have manipulated them!!

Any thoughts on what the responder checkbox is trying to do??

anav

The question is about DNS configuration, not how to configure and pass the traffic from branches to main place using VPNs.

You miss the point, the OP does not intend on reaching the home assistant server over the WWW, he wants all traffic to go over wireguard tunnels between the routers.

anav

yup, I understand that you have 100 devices, that you dont need to touch, they are already set for 192.168.0.x There is no need to touch DNS or add DNS servers or make any DNS rules to ANY of the nine routers to get their traffic to the host router for the home assistant server. The home assistant s...

anav

Hi Bartosz, Trying to understand your advice and with Larsa endorsement, of course! I too like Joseph, being not IT professional need some conceptual guidance. What I think your saying, in techno speak, is in static DNS we attach or identify an IP address with an URL or domain name that we have give...

anav

How many ISPs or how may WANIPs will you have and what are the throughputs. Right now I would look at the hex refresh and two or three wifi7 TP link or zyxel APs. If the WAN throughput is greater than what the hex refresh can provide I would look at the RB5009. If you want to look at using MT wifi, ...

anav

HI Larsa and Lurker, have been attempting to follow these entangled threads but not making much headway other than Lurker seems to have come up with a way regardless of scenario to basically ensure that in a multi-wan scenario, RoS can be manipulated to ensure wireguard connections work properly. No...

anav

I bet if you got a TPLINK access point and plugged it into one of the ports it would work just fine. My bet is on the wifi settings........... they are designed for the new user to fail, almost as if, if we want to discourage people from using our wifi.

anav

@anav: I see no savings at all :) Concur, in fact its actually more work to create DNS servers at each location and then modify each IOT device to look for a specific URL. Once done, any change to IP address of the home assistant server would require changes to every local DNS server to match, vice...

Search found 23672 matches