Community discussions

Search found 19524 matches

by anav
Thu Apr 18, 2024 1:15 pm
Forum: Beginner Basics
Topic: Wireguard client allow for all bridge subnets
Replies: 7
Views: 438

Re: Wireguard client allow for all bridge subnets

Post your latest config with the changes please.
by anav
Tue Apr 16, 2024 10:45 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 990

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

Last email I got said they use ubuntu as the underlying operating system........ A trial report would be amazing. I am most interested in using it in the BRIDGE MODE, which means after the main router and between the main router and network. Using it as a main router to replace the MT is not what mo...
by anav
Tue Apr 16, 2024 2:01 pm
Forum: Beginner Basics
Topic: WireGuard - no lan connection
Replies: 6
Views: 344

Re: WireGuard - no lan connection

Which Router (wireguard) acts as a server for handshake?
Do any of the routers have a public IP address, or an upstream router that can port forward?

Also why does router A have three wireguard, two disabled, but a hodgepodge of peers.
Clean up before asking us to review........
by anav
Tue Apr 16, 2024 1:25 pm
Forum: Beginner Basics
Topic: Wireguard client allow for all bridge subnets
Replies: 7
Views: 438

Re: Wireguard client allow for all bridge subnets

Post your latest config and perhaps a network diagram.
by anav
Tue Apr 16, 2024 1:18 pm
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 1018

Re: WAN failover - routes flapping [SOLVED]

Remove the bogus entries in Orange. Don't use input chain for rules pertaining to the forward chain, they are not needed anyway in the forward chain as we drop all other traffic. There is no fasttrack in input chain. Add missing rule (in blue). /ip firewall filter add action=drop chain=input comment=\...
by anav
Mon Apr 15, 2024 8:28 pm
Forum: Beginner Basics
Topic: router to mail.hamilton.com
Replies: 9
Views: 414

Re: router to mail.hamilton.com

Good to know kccc, I will email you to find out the exact time of a big earthquake or the impact of a nuclear weapon. :-)
Wait, you may have shortwave, will give you a call over a repeater LOL
by anav
Mon Apr 15, 2024 8:24 pm
Forum: General
Topic: Configuration not working
Replies: 5
Views: 319

Re: Configuration not working

BIG PROBLEM or BAD JOKE < why do you have WANIP addresses that are identical to local LAN VLAN addresses ????? If your wanips are Public IPs and static, just put in X.X.X.X and Y.Y.Y.Y, if they are private you enter them as they are not a security issue. If your wanips are dynamic then you should b...
by anav
Mon Apr 15, 2024 8:07 pm
Forum: General
Topic: Hairpin NAT over 2 WireGuard connected routers [SOLVED]
Replies: 8
Views: 406

Re: Hairpin NAT over 2 WireGuard connected routers [SOLVED]

Post your complete config minus the usual, please, the snippets you show are not useful without context of the rest of the config.
I also have my doubts as to complete success...........
by anav
Mon Apr 15, 2024 7:36 pm
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 1018

Re: WAN failover - routes flapping [SOLVED]

UPDATE JUST REALIZED THAT THIS IS VERSION SIX, So need to adjust ROUTES etc...... So pay close attention to 4.5.6. etc...... (1) Okay to be clear, you can winbox in no problem, it's just using winbox via IP that is not working? ( or webconfig I suppose ). (2) WAN does not go on bridge! add comment=Fut...
by anav
Mon Apr 15, 2024 5:23 pm
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 1018

Re: WAN failover - routes flapping [SOLVED]

I provided a clean clear config, which you ignored. Thus unable to help further. If you had done all that was asked not just part of the mangles, then we could make progress. Not saying it would be 100%, but we could narrow further the problem areas with some certainty. The config has too many spots...
by anav
Mon Apr 15, 2024 4:49 pm
Forum: Beginner Basics
Topic: Wireguard client allow for all bridge subnets
Replies: 7
Views: 438

Re: Wireguard client allow for all bridge subnets

(1) Why do you have your WAN address down twice ??? Oh I see the first one is disabled! Get rid of it, it's garbage that creates confusion. /ip address add address=removed comment=defconf disabled=yes interface=wan-sfpplus1 \ network=removed add address=192.168.88.1/22 interface=bridge1 network=192.1...
by anav
Mon Apr 15, 2024 4:28 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 1588

Re: Cannot create a guests Wi-Fi network.

Sorry, didn't realize ether5 was internet, let me rephrase...... Take any one ethernet port ( not WAN ) that you can temporarily modify ( ether1,2,3,4 ??? ) off the bridge.

So why was ether5 on your bridge ports then if it was the WAN ?????
by anav
Mon Apr 15, 2024 4:25 pm
Forum: General
Topic: WAN failover - IPSec does not work on second link
Replies: 3
Views: 257

Re: WAN failover - IPSec does not work on second link

First thing to fix. Use only one bridge!! https://forum.mikrotik.com/viewtopic.php?t=143620 Simplify your life by defining at least two vlans vlan10 is trusted or home vlan vlan20 is guest wifi vlan you can add if you wish to separate out servers, or multimedia, or video cameras or other equipment t...
by anav
Mon Apr 15, 2024 3:22 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 1588

Re: Cannot create a guests Wi-Fi network.

To configure without headache do the following. (temporary) Take ether5 off the bridge ( so not identified on /interface bridge ports or /interface bridge vlans ) Give ether5 its own IP address like 192.168.55.1/24 Change IPV4 settings on desktop or laptop and give it an IP address of 192.168.55.5 fo...
by anav
Mon Apr 15, 2024 2:16 pm
Forum: General
Topic: Specific DST-List over VPN
Replies: 2
Views: 208

Re: Specific DST-List over VPN

What VPN are you connecting to??
If it's a third-party VPN did they also provide a DNS server address??
by anav
Mon Apr 15, 2024 2:15 pm
Forum: General
Topic: Configuration not working
Replies: 5
Views: 319

Re: Configuration not working

Don't use vlan1, use vlan10 for example.......

viewtopic.php?t=143620
by anav
Mon Apr 15, 2024 2:13 pm
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 1018

Re: WAN failover - routes flapping [SOLVED]

Sorry cannot comment without seeing latest config.
by anav
Mon Apr 15, 2024 3:17 am
Forum: General
Topic: WAN failover - IPSec does not work on second link
Replies: 3
Views: 257

Re: WAN failover - IPSec does not work on second link

What makes you think you know the relevant lines, if you don't know what the problem is?? Suggest full config is more useful and perhaps a network diagram. I never look at snippets, not worth my time, based on answering 1000s of posts. /export file=anynameyouwish (minus router serial number and any pu...
by anav
Mon Apr 15, 2024 12:06 am
Forum: General
Topic: Can't Access aAP ac after setting it up.
Replies: 6
Views: 340

Re: Can't Access aAP ac after setting it up.

Yes. 1. Major omission! Without this you will not be able to reach the AP for config purposes through normal networking ( winbox on base vlan etc.......) /interface list member add interface=BASE_VLAN add interface=emergaccess list=ADMIN 2. Minor omission /ip dns set allow-remote-requests=yes server...
by anav
Sun Apr 14, 2024 11:56 pm
Forum: General
Topic: Hairpin NAT over 2 WireGuard connected routers [SOLVED]
Replies: 8
Views: 406

Re: Hairpin NAT over 2 WireGuard connected routers [SOLVED]

Only changes noted: 1. Added wireguard to LAN interface list. 2. Note to remove static DNS default setting. 3. Remove limitation on ICMP, not required and can get in the way of testing etc. 4. Removed blocking dst nat rules on input chain ( also were not in the right sequence anyway ) useless since ...
by anav
Sun Apr 14, 2024 11:04 pm
Forum: General
Topic: Hairpin NAT over 2 WireGuard connected routers [SOLVED]
Replies: 8
Views: 406

Re: Hairpin NAT over 2 WireGuard connected routers [SOLVED]

Before doing anything fancy with wireguard. Let's get port forward working properly. 1. The easiest method which should work is the direct LANIP address that the user uses to reach the server as in their browser or particular application. This occurs at layer2 and is oblivious to firewall rules etc.....
by anav
Sun Apr 14, 2024 7:31 pm
Forum: General
Topic: V 7.14.2 - firewall rules layout unusable
Replies: 9
Views: 633

Re: V 7.14.2 - firewall rules layout unusable

One reason to use webconfig is to see memory leakage?
by anav
Sun Apr 14, 2024 6:08 pm
Forum: Useful user articles
Topic: How to: Edge router and BNG optimization for ISPs Topic is solved
Replies: 68
Views: 90083

Re: How to: Edge router and BNG optimization for ISPs Topic is solved

The only positive thing I can think of for having to go ipv6, is that I will have to go to Italy and get rextended to explain how to config then, whilst enjoying sunshine, coffee wine, pasta and of course cycling around the countryside.
by anav
Sun Apr 14, 2024 5:18 pm
Forum: General
Topic: Blocking the port scanner on the VPN client side
Replies: 15
Views: 640

Re: Blocking the port scanner on the VPN client side

Since you are unable to articulate with more information I will move on.
by anav
Sun Apr 14, 2024 5:16 pm
Forum: General
Topic: Hairpin NAT over 2 WireGuard connected routers [SOLVED]
Replies: 8
Views: 406

Re: Hairpin NAT over 2 WireGuard connected routers [SOLVED]

Getting there.............. So far I don't see any remote users requiring access, all the users are connected to the local router?? If that is the case then.. Assuming you have some servers on the LOCAL router? a. why not access them by direct LANIP. b. if needing to access them by DYDNS URL (represe...
by anav
Sun Apr 14, 2024 5:06 pm
Forum: Beginner Basics
Topic: router to mail.hamilton.com
Replies: 9
Views: 414

Re: router to mail.hamilton.com

Typically one has the following rules. add chain=input action=accept comment="Admin config access" src-address-list=Authorized ****** add chain=input action=accept comment="users to services: dst-port=53,123 protocol=udp in-interface-list=LAN add chain=input action=accept comment="...
by anav
Sun Apr 14, 2024 4:56 pm
Forum: Beginner Basics
Topic: AT&T FTTH, VLANs, CapsMAN Full Config (RouterOS 7 Updated)
Replies: 27
Views: 5295

Re: AT&T FTTH, VLANs, CapsMAN Full Config (RouterOS 7 Updated)

You are forgetting the point, the capacs I set manually, are RARELY CHANGED, so central management overhead and config is wasted. Plus it's far easier to setup. I can guarantee you, that the time he took to setup capsman on the controller and on each capac, was far longer than anytime I will ever spen...
by anav
Sun Apr 14, 2024 4:46 pm
Forum: Beginner Basics
Topic: Simpler Failover for two Gateways I found working
Replies: 7
Views: 2370

Re: Simpler Failover for two Gateways I found working

The advantage of netwatch, primarily, is that you can vary some variables here to ascertain connectivity with more fidelity!! For example, gateway-ping checks every 10 seconds, after two repetitive nil responses, the connection is deemed not active. For many that is too long and thus netwatch if set...
by anav
Sun Apr 14, 2024 4:29 pm
Forum: Beginner Basics
Topic: AT&T FTTH, VLANs, CapsMAN Full Config (RouterOS 7 Updated)
Replies: 27
Views: 5295

Re: AT&T FTTH, VLANs, CapsMAN Full Config (RouterOS 7 Updated)

If you don't have AX wifi, then adding capsman IMHO is a waste of time and config space. Capacs take minutes to setup and don't change very often, so capsman is overhead and complexity for in reality very little if any gain.
by anav
Sun Apr 14, 2024 4:23 pm
Forum: Beginner Basics
Topic: Locked out of HEX POE
Replies: 3
Views: 267

Re: Locked out of HEX POE

Netinstall is a sure method. Suggest you take ether5 off bridge, upon entry. Add an IP address to ether5, 192.168.55.1/24 for example. Then change IPV4 settings on desktop or laptop and give it like 192.168.55.5 and you should have access to the router. Do your config from there safely. ( ensure you a...
by anav
Sun Apr 14, 2024 4:14 pm
Forum: Beginner Basics
Topic: router to mail.hamilton.com
Replies: 9
Views: 414

Re: router to mail.hamilton.com

Sorry, its all opinion until evidence is provided .........facts are needed,
by anav
Sun Apr 14, 2024 4:14 pm
Forum: Beginner Basics
Topic: Firewall NAT for DNS traffic not working [SOLVED]
Replies: 3
Views: 282

Re: Firewall NAT for DNS traffic not working [SOLVED]

First, be accurate! You do NOT have an ISP modem. It is an ISP modem/router if it is giving you a private IP address on the WAN side. If you want to as much as possible direct traffic to your own DNS server, great, but keep in mind any browser using VPN proxy or whatever it is they use, can bypass ...
by anav
Sun Apr 14, 2024 3:19 pm
Forum: Beginner Basics
Topic: Low performance on RB5009 with machine behind NAT
Replies: 14
Views: 881

Re: Low performance on RB5009 with machine behind NAT

First mistake, not using IPV4 :-) ( Dark Nate is going to crucify me )
by anav
Sun Apr 14, 2024 3:18 pm
Forum: Beginner Basics
Topic: router to mail.hamilton.com
Replies: 9
Views: 414

Re: router to mail.hamilton.com

Impossible to state what is going on without seeing the config.......... /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.) As holvoe pointed out, there is traffic occurring that may not be wanted, but that is controlled by the config of which you are ...
by anav
Sun Apr 14, 2024 3:15 pm
Forum: General
Topic: Can't Access aAP ac after setting it up.
Replies: 6
Views: 340

Re: Can't Access aAP ac after setting it up.

Also use safemode when implementing config changes. After about 15-20 seconds, without any issues undo safe mode, to keep the changes and then turn it back on.
by anav
Sun Apr 14, 2024 3:14 pm
Forum: General
Topic: configure two wireguard tunnels
Replies: 4
Views: 302

Re: configure two wireguard tunnels

Glad you got it working!! Last point, if you decide to add more servers, then change the rules accordingly. /ip firewall address-list add address=192.168.88.2/32 list=SERVERS comment="server A" add address=192.168.88.XX/32 list=SERVERS comment="server B" add action=accept chain=...
by anav
Sun Apr 14, 2024 3:07 pm
Forum: General
Topic: Blocking the port scanner on the VPN client side
Replies: 15
Views: 640

Re: Blocking the port scanner on the VPN client side

So to be clear, the user is scanning the 10... something network and by local you mean not on your router, but the SAME network that the ISP provides your WANIP on. In other words scanning the ISP's network?? If that's the case then simply make a firewall rule. add chain=forward action=drop in-interfa...
by anav
Sun Apr 14, 2024 1:47 pm
Forum: General
Topic: Hairpin NAT over 2 WireGuard connected routers [SOLVED]
Replies: 8
Views: 406

Re: Hairpin NAT over 2 WireGuard connected routers [SOLVED]

First will need both the CHR config and your home config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.). Second are you getting your external users (that need access to the server on your home LAN) to use the public IP of the CHR. dyndnsURL:port# w...
by anav
Sun Apr 14, 2024 3:10 am
Forum: General
Topic: Blocking the port scanner on the VPN client side
Replies: 15
Views: 640

Re: Blocking the port scanner on the VPN client side

You mean scans the LOCAL LANS on the router or something else??? Why would your service provider care what goes on in the local LANs behind your router??? Do you know which user? How many users do you have......... What if you created some firewall rules limiting ports to 80 and 443 ?? add action=ac...
by anav
Sat Apr 13, 2024 10:36 pm
Forum: General
Topic: Can't Access aAP ac after setting it up.
Replies: 6
Views: 340

Re: Can't Access aAP ac after setting it up.

Recommend using ether2 to configure the device OFF Bridge. Below is an example. Change the ipv4 settings on your desktop or laptop to something like 192.168.36.5 gateway 192.168.36.1 /interface bridge add ingress-filtering=no name=bridgegym vlan-filtering=yes /interface ethernet set [ find default-...
by anav
Sat Apr 13, 2024 9:43 pm
Forum: General
Topic: Blocking the port scanner on the VPN client side
Replies: 15
Views: 640

Re: Blocking the port scanner on the VPN client side

Not sure what you mean.
Are you saying that one of the remote users coming into your router is using your internet to conduct port scanning of the internet???
by anav
Sat Apr 13, 2024 8:23 pm
Forum: Beginner Basics
Topic: Mikrotik RB4011 and a 1 Gbps Up/Down connection
Replies: 7
Views: 735

Re: Mikrotik RB4011 and a 1 Gbps Up/Down connection

I will send you my bill @Moba. ;-P
by anav
Sat Apr 13, 2024 7:54 pm
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 1018

Re: WAN failover - routes flapping [SOLVED]

The fundamentals are the same for most setups, the extra sauce stems from well communicated traffic requirements. You have two WANS, in the future 3 possibly four wans. You haven't specified a clear plan. Which is primary and which is secondary so assuming WAN1 is primary and WAN2 is backup. If WAN1...
by anav
Sat Apr 13, 2024 6:22 pm
Forum: Beginner Basics
Topic: Using RB5009 in bridge mode
Replies: 6
Views: 467

Re: Using RB5009 in bridge mode

What you need to figure out or tell us, is what is the internet signal coming from? Does the ISP provide a modem or ONT, from which an ethernet cable is used to connect to the RB5009? If so, then the RB5009 can do everything you need and you should throw the second router into the garbage, (or us...
by anav
Sat Apr 13, 2024 1:59 pm
Forum: General
Topic: Mikrotik router's ability to aggregate internet speed is real?
Replies: 3
Views: 294

Re: Mikrotik router's ability to aggregate internet speed is real?

Routers do not aggregate speed. They can provide increased throughput available to all users and provide redundancy in case one ISP is not available. Any single session cannot be more than the highest 'speed' of any one ISP connection. You are thinking of bonding etc...... Suggest your sources that ...
by anav
Sat Apr 13, 2024 5:16 am
Forum: General
Topic: problems with load balancing
Replies: 1
Views: 189

Re: problems with load balancing

By subnet or IP address, yes, by game type or something else no.
by anav
Sat Apr 13, 2024 5:15 am
Forum: General
Topic: configure two wireguard tunnels
Replies: 4
Views: 302

Re: configure two wireguard tunnels

What I didn't understand is your IP routes...... ??? What is the purpose of this config??? Specifically the routes in orange?? Don't think they are needed. Okay I see that they are disabled. Should remove clutter to a config, far less confusing. /ip route add disabled=no distance=1 dst-address=0.0.0.0...
by anav
Sat Apr 13, 2024 5:06 am
Forum: General
Topic: configure two wireguard tunnels
Replies: 4
Views: 302

Re: configure two wireguard tunnels

Good news, you only need one wireguard interface to accomplish all your tasks. The key is in the firewall rules for what you allow or not allow. You can put all admin users in one firewall address list and all the general users in another firewall address list. Another option is to use two diffe...
by anav
Sat Apr 13, 2024 3:22 am
Forum: General
Topic: Hairpin NAT with 2 WAN static IP's and 2 LAN's
Replies: 7
Views: 540

Re: Hairpin NAT with 2 WAN static IP's and 2 LAN's

Nice to see you Sob!!
by anav
Fri Apr 12, 2024 10:57 pm
Forum: Beginner Basics
Topic: Guest wifi on 2 Routers with the same ssid
Replies: 8
Views: 489

Re: Guest wifi on 2 Routers with the same ssid

Okay to do this as smoothly as possible I config OFF BRIDGE. By that I mean on the HAP AC2 for example, take one port off the bridge, give it an IP address and then attach desktop/laptop to that port by ethernet and modify ethernet card IPV4 settings. Since you use ether5 to connect to the mini, we ...
by anav
Fri Apr 12, 2024 8:32 pm
Forum: Beginner Basics
Topic: Src NAT from Router LAN IP address to WAN IP adress
Replies: 8
Views: 465

Re: Src NAT from Router LAN IP address to WAN IP adress

Yeah scratching my head to understand WHY. Why would anyone have such a setup? Also the communication is not clear, it's ONE LAN, some users have dhcp assigned, the rest are fixed. He wants the dhcp users, sent to WAN1, and fixed LANIPs sent to WAN2 Also assuming users being on the same LAN should st...
by anav
Fri Apr 12, 2024 8:27 pm
Forum: Beginner Basics
Topic: Slow connections across vlans with hex [SOLVED]
Replies: 12
Views: 1008

Re: Slow connections across vlans with hex [SOLVED]

The only block rules you need in firewall are
invalid traffic ( both input and forward chain)
and
last rule in each chain (everything else)

All other firewall rules should be about allowing traffic ( default rules + admin traffic desired )
by anav
Fri Apr 12, 2024 8:24 pm
Forum: Beginner Basics
Topic: No LAN access when connected to BTH
Replies: 7
Views: 445

Re: No LAN access when connected to BTH

You do not need BTH.
Just configure Wireguard manually/properly.

For example, you have no ALLOWED IPs setup that I can see.

Also do you have the particulars of the setup of remote peer clients??
by anav
Fri Apr 12, 2024 8:21 pm
Forum: Beginner Basics
Topic: port forwarding problem [SOLVED]
Replies: 21
Views: 1525

Re: port forwarding problem [SOLVED]

Well if you try to access the camera via the LANIP address of the camera it should work fine. If you are trying to use the same DYNDNS URL there could be problems. If users are in the same LAN as the Server then it will not work without modifications. Easiest is to move users or server to different ...
by anav
Fri Apr 12, 2024 8:12 pm
Forum: Beginner Basics
Topic: No LAN access when connected to BTH
Replies: 7
Views: 445

Re: No LAN access when connected to BTH

Just to be sure I understand. Your router has a non-public IP address. The wan is either like CGNAT or a private IP from an upstream ISP router (which you cannot forward a port on). What you want to do is while away from home remote into the router, via wireguard, and access the LAN, and most likel...
by anav
Fri Apr 12, 2024 8:06 pm
Forum: General
Topic: VLAN filtering blocks DHCP Client on trunk port [SOLVED]
Replies: 8
Views: 600

Re: VLAN configuration with active changes [SOLVED]

Clearly 'hiding' the true mac address............ Perhaps you prefer

"FU:FU:FU:FU:FU:FU" =)
by anav
Fri Apr 12, 2024 3:34 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 1588

Re: Cannot create a guests Wi-Fi network.

You didn't answer any of llamajama's questions, so if you want help.............
by anav
Fri Apr 12, 2024 3:33 pm
Forum: Beginner Basics
Topic: Src NAT from Router LAN IP address to WAN IP adress
Replies: 8
Views: 465

Re: Src NAT from Router LAN IP address to WAN IP adress

The function of sourcenat is not ROUTING, so cat is bang on. This is a simple case of subnet A should use WAN1 and subnet B should use WAN2. questions. 1. the majority of traffic will be through WAN X ?? 2. What happens when WANA is not available do you want all traffic to go to WANB 3. What happens...
by anav
Fri Apr 12, 2024 2:33 pm
Forum: Beginner Basics
Topic: Routing Query
Replies: 4
Views: 360

Re: Routing Query

Network diagram please, I have no idea what you're doing.
by anav
Fri Apr 12, 2024 4:08 am
Forum: Beginner Basics
Topic: Slow connections across vlans with hex [SOLVED]
Replies: 12
Views: 1008

Re: Slow connections across vlans with hex [SOLVED]

1. vlan-filtering on bridge not turned on. add admin-mac=xx.xx.xx.xx name=bridge vlan-filtering=yes Then it goes downhill............ 2. How can you have 7 VLANS but 10 Pools, 8 DHCP servers, 8 IP addresses, 8 dhcp server networks, some pools seem to overlap (192.168.41.......) 3. Firewall wall are...
by anav
Fri Apr 12, 2024 12:03 am
Forum: Beginner Basics
Topic: Slow connections across vlans with hex [SOLVED]
Replies: 12
Views: 1008

Re: Slow connections across vlans with hex [SOLVED]

post your latest.
by anav
Fri Apr 12, 2024 12:00 am
Forum: General
Topic: Hairpin NAT with 2 WAN static IP's and 2 LAN's
Replies: 7
Views: 540

Re: Hairpin NAT with 2 WAN static IP's and 2 LAN's

Well when you have to have a consistent config, and plan.
You are stuck between assigning subnets to ports, and having vlans.
Suggest if you are considering doing vlans, drop subnets to ports.
If not, then drop vlans.

Let me know which way you go as I don't want to waste time.
by anav
Thu Apr 11, 2024 9:51 pm
Forum: General
Topic: simple 3 isp dhcp clients with aggregation
Replies: 16
Views: 2646

Re: simple 3 isp dhcp clients with aggregation

What I hear is that you have 3 wan connections that you could use to serve all LAN users. Separately you have some layers of further requirements - use WAN2 for external users to reach LAN servers It's one router so there is no separate router concept. One uses the functionality and tools available ...
by anav
Thu Apr 11, 2024 9:06 pm
Forum: General
Topic: simple 3 isp dhcp clients with aggregation
Replies: 16
Views: 2646

Re: simple 3 isp dhcp clients with aggregation

Do not tie ISPs to ports, so inflexible an approach and is not based on requirements but not understanding how networking actually works.
ONLY need to
a. identify user/device or groups of users/devices
b. what traffic flow they required
by anav
Thu Apr 11, 2024 7:48 pm
Forum: General
Topic: DHCP Request & PCC Balance
Replies: 14
Views: 599

Re: DHCP Request & PCC Balance

Thanks for the answer, my question was poor.
Assume my question has nothing to do with the APP, personally never have.
My question is regarding the router! I have never turned it on and it does not prevent my access via iphone.
by anav
Thu Apr 11, 2024 7:44 pm
Forum: General
Topic: How to configure a wifi bridge to passthrou many VLANs as trunk and use one VLAN for management?
Replies: 6
Views: 544

Re: How to configure a wifi bridge to passthrou many VLANs as trunk and use one VLAN for management?

WAP1 /interface bridge add name=Bridge1 protocol-mode=none vlan-filtering=yes /interface w60g set [ find ] disabled=no mode=bridge name=wlan60-1 password=PASSWORD put-stations-in-bridge=Bridge1 ssid=SSID /interface list add name=TRUSTED /interface list members add interface=VLAN100 list=TRUSTED /int...
by anav
Thu Apr 11, 2024 7:16 pm
Forum: General
Topic: DHCP Request & PCC Balance
Replies: 14
Views: 599

Re: DHCP Request & PCC Balance

Hey Ammo, I use an Iphone and have not used this functionality. How would it make the experience better???
by anav
Thu Apr 11, 2024 1:48 am
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 906

Re: Redirect Router B to Router A through wireguard [SOLVED]

You will need to change the Routing Rule on Router B, the action option......... to just lookup /routing rule src-address=LANIP action=lookup table=useWG The current rule will prevent the router from using any other routing. In other words, you DO NOT NEED any script to enable local use of the WAN ...
by anav
Thu Apr 11, 2024 12:15 am
Forum: Announcements
Topic: NEW FEATURE: Back to Home VPN
Replies: 298
Views: 238420

Re: NEW FEATURE: Back to Home VPN

Is BTH programming, interfering with normal wireguard use? BUG? Unable to successfully mangle traffic coming in on WAN2, back out WAN2 for wireguard handshake, when WAN1 is a primary WAN. Return traffic appears to be sent out WAN1 instead, iaw connection-tracking and inability to access config from...
by anav
Wed Apr 10, 2024 10:45 pm
Forum: General
Topic: BTH basic question
Replies: 19
Views: 797

Re: BTH basic question

Well mozerd there are two different things at play here. The connection coming in to the Peer ( server for handshake), on WAN2, getting marked connections, should then result in return traffic from the wireguard module, also with marked connection and go out WAN2. IF there are NECESSARY BTH connecti...
by anav
Wed Apr 10, 2024 3:00 am
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 906

Re: Redirect Router B to Router A through wireguard [SOLVED]

The big change on Router B seeing as you want internet access but out Router A is changing Allowed IPs........... Many other small changes............... read line by line Simplified firewall rules!!!! For single subnets avoid interface lists............ in general. interface bridge add name="L...
by anav
Wed Apr 10, 2024 2:37 am
Forum: General
Topic: BTH basic question
Replies: 19
Views: 797

Re: BTH basic question

Basically a cloud server operated by Mikrotik, connects the two ends, so that they can punch out of a connection they have which is not public and reach each other.
by anav
Wed Apr 10, 2024 2:22 am
Forum: General
Topic: BTH basic question
Replies: 19
Views: 797

Re: BTH basic question

BTH is for the scenario where both ends of the MT tunnel do not have a publicly accessible WANIP ( either on the MT device, or can port forward from the upstream ISP router )
by anav
Wed Apr 10, 2024 2:20 am
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 906

Re: Redirect Router B to Router A through wireguard [SOLVED]

Ye of little faith LOL.

Now the next step is ensuring LAN from Router B, goes out the WAN of Router A for internet ( via the wireguard tunnel)??
by anav
Wed Apr 10, 2024 1:20 am
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 1588

Re: Cannot create a guests Wi-Fi network.

You have got to be kidding!!

DO NOT Use VLAN1 for management, it's already in use in the background by RoS.
Use any other vlan for management and data.
example..
viewtopic.php?t=143620
by anav
Wed Apr 10, 2024 1:19 am
Forum: Beginner Basics
Topic: Mikrotik RB4011 and a 1 Gbps Up/Down connection
Replies: 7
Views: 735

Re: Mikrotik RB4011 and a 1 Gbps Up/Down connection

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Wed Apr 10, 2024 1:17 am
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 906

Re: Redirect Router B to Router A through wireguard [SOLVED]

Understood, but for me adding extra rules like mangling can interfere with testing other things, especially if you have errors in the mangle. (compounding), not that there is, just sayin. Your first attempt at correction isn't right on both accounts......... attention to detail please!!! Router A. ...
by anav
Tue Apr 09, 2024 11:18 pm
Forum: General
Topic: Address list for dst nat
Replies: 10
Views: 430

Re: Address list for dst nat

Not very useful, those "I don't understand why you would want that, so you should not want that!" replies.= read again, and then one more time............ its not dont want, its cant because dont understand, so need different wording. very few people here actually word requirements in cle...
by anav
Mon Apr 08, 2024 3:37 pm
Forum: General
Topic: Wireguard routing.
Replies: 10
Views: 593

Re: Wireguard routing.

Suggest provide a network diagram to help visualize the equipment/devices and ISPs involved etc... EDIT: I see link above now........... thanks You have three Devices, only shown partial config of one need to see all three /export file=anynameyouwish (minus router serial number, any public WANIP inf...
by anav
Mon Apr 08, 2024 3:35 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 1588

Re: Cannot create a guests Wi-Fi network.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by anav
Mon Apr 08, 2024 3:34 pm
Forum: Beginner Basics
Topic: RB4011iGS Problem
Replies: 1
Views: 175

Re: RB4011iGS Problem

Login using the mac only? Without the config, not much one can advise.
by anav
Mon Apr 08, 2024 3:33 pm
Forum: Beginner Basics
Topic: Using NAT on Mikrotik
Replies: 5
Views: 401

Re: Using NAT on Mikrotik

Network diagram often helps understand what you are doing,
need full config
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
by anav
Mon Apr 08, 2024 3:31 pm
Forum: Beginner Basics
Topic: Help understand some firewall blocks and wireguard 2 clients issues [SOLVED]
Replies: 7
Views: 799

Re: Help understand some firewall blocks and wireguard 2 clients issues [SOLVED]

-Disable ipv6 and remove all associated fw rules if not using ipv6. -Firewall rules are a bloated mess concerned with blocking things more than allowing only needed traffic, but not the issue here. Your wireguard is configured incorrectly. Allowed IPs is used to describe the remote side ( either subn...
by anav
Mon Apr 08, 2024 3:19 pm
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 906

Re: Redirect Router B to Router A through wireguard [SOLVED]

Which WAN, A or B has a public IP, static or dynamic that is reachable. If neither does, does one of them have an upstream ISP router that you can forward a port on? If both have a publicly reachable IP, which one do you want to act as initiation peer ( client for handshake) and which one do you wan...
by anav
Mon Apr 08, 2024 1:32 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 13
Views: 672

Re: BTH BUG Bleeding Into Regular Wireguard.

Rplant. I am not using packet marking. I am using mark connections.
by anav
Mon Apr 08, 2024 1:28 pm
Forum: General
Topic: Port Forward based on Destination Interface
Replies: 15
Views: 926

Re: Port Forward based on Destination Interface

Where is the rest of the config, firewall rules, NAT, etc.....
by anav
Mon Apr 08, 2024 1:27 pm
Forum: General
Topic: Wireguard routing.
Replies: 10
Views: 593

Re: Wireguard routing.

Your config is wrong, more advice if you provide network diagram and configs of both routers.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )
by anav
Mon Apr 08, 2024 2:55 am
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 906

Re: Redirect Router B to Router A through wireguard [SOLVED]

Your explanation makes little sense especially these lines and because you dont provide complete config, hard to figure it out. -- FW address-list for WAN is "RB5009" on both routers. -- FW address-list for LAN is "RB5009-LAN" on both routers. -- FW address-list for WAN is "...
by anav
Mon Apr 08, 2024 1:31 am
Forum: General
Topic: Allow port forwarding to work while using VPN as main gateway
Replies: 8
Views: 397

Re: Allow port forwarding to work while using VPN as main gateway

Not interested you use multiple bridges and vlan id of 1.

viewtopic.php?t=143620
by anav
Mon Apr 08, 2024 1:24 am
Forum: Beginner Basics
Topic: How to block subnet to subnet access
Replies: 10
Views: 846

Re: How to block subnet to subnet access

Is your device a router or a switch ( model and firmware ) and normally the setup is one bridge.......... https://forum.mikrotik.com/viewtopic.php?t=143620 would also need to see config to comment further /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys et...
by anav
Sun Apr 07, 2024 8:50 pm
Forum: General
Topic: Allow port forwarding to work while using VPN as main gateway
Replies: 8
Views: 397

Re: Allow port forwarding to work while using VPN as main gateway

terminal in winbox

/export file=anynameyouwish

Find it in files and download to your PC.
open in notepad++

Remove the router serial number and any public WANIP information with X.x.x.x
Remove any keys aka wireguard, and no need to include long dhcp lease lists either.
by anav
Sun Apr 07, 2024 7:48 pm
Forum: Beginner Basics
Topic: How to block subnet to subnet access
Replies: 10
Views: 846

Re: How to block subnet to subnet access

Playing the one million block subnets game is a waste of time and energy. Simply change the default rule that comes with the router. All subnets are blocked immediately at L3, and all one needs to do ( and should do ) is focus on the traffic that is allowed!! From: add action=drop chain=forward comm...
by anav
Sun Apr 07, 2024 7:43 pm
Forum: Beginner Basics
Topic: Access mikrotik management on other port then eth1
Replies: 5
Views: 429

Re: Access mikrotik management on other port then eth1

So the CRS310 is acting as a router getting its WANIP from pensense and then creating other vlans???
Cant do this on fritz box or opensense??
by anav
Sun Apr 07, 2024 7:33 pm
Forum: General
Topic: Allow port forwarding to work while using VPN as main gateway
Replies: 8
Views: 397

Re: Allow port forwarding to work while using VPN as main gateway

Network diagram, config etc............. dont know the scope of what we are dealing with here.
by anav
Sun Apr 07, 2024 7:28 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 13
Views: 672

Re: BTH BUG Bleeding Into Regular Wireguard.

That is correct, the mangles, dont work as the traffic coming from wireguard is not connection marked and thus must be originated by the wireguard module.
by anav
Sun Apr 07, 2024 3:08 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 13
Views: 672

Re: BTH BUG Bleeding Into Regular Wireguard.

No idea what you are talking about rplant. There is no such thing as wireguard port. What I would like explained is the first routing rule you have, what is its purpose and what does it do?? +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ By the way, since we believe its wireguard ...
by anav
Sun Apr 07, 2024 3:14 am
Forum: General
Topic: vpn servers over wan1 and wifi clients over wan2
Replies: 8
Views: 441

Re: vpn servers over wan1 and wifi clients over wan2

post current config
/export file=anynameyouwish ( minus router serial number, any public WANIP, keys etc. )
by anav
Sun Apr 07, 2024 3:08 am
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 13
Views: 672

Re: BTH BUG Bleeding Into Regular Wireguard.

The router is not doing anything wrong, but it seems that wireguard is doing something unexpected!
Interesting comment about routing rules........... not sure one could help in this scenario but you do have me thinking, but in the end, there is no port
to make use of in routing rules so a dead end.
by anav
Sun Apr 07, 2024 3:03 am
Forum: Beginner Basics
Topic: Separate Wi-Fi for secondary ISP
Replies: 2
Views: 259

Re: Separate Wi-Fi for secondary ISP

One bridge, connect the wifi and ssid to a subnet, aka a vlan.
Then using routing rules push that traffic out WAN2.

Search on the forum or youtube many examples of dual wan.
by anav
Sat Apr 06, 2024 10:32 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 13
Views: 672

Re: BTH BUG Bleeding Into Regular Wireguard.

Both cases will use main. Mangle has no effect in either case is what I'm saying as WG in kernel already processed it. e.g. it not just keepalives that use only main. Did this setup work in some older versions (e.g. before BTH)? Not 100% sure. I have never stumbled across it before, or at least rec...
by anav
Sat Apr 06, 2024 9:48 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 13
Views: 672

Re: BTH BUG Bleeding Into Regular Wireguard.

It happens with persistent keep alive OFF on both ends....... ( whats left BTH shenanigans )
by anav
Sat Apr 06, 2024 9:47 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5043

Re: WireGuard Multi-WAN Policy Routing

Sadly I may have run into what you are talking recently. --> viewtopic.php?t=206511
I'm convinced (without proof really) that it's due to BTH coding as I could have sworn it worked before on version 7 early days!!
by anav
Sat Apr 06, 2024 9:39 pm
Forum: General
Topic: Allow port forwarding to work while using VPN as main gateway
Replies: 8
Views: 397

Re: Allow port forwarding to work while using VPN as main gateway

I would agree, use the main primary WAN for the majority of traffic in this case your WAN2 would be primary, WAN1 secondary and used for VPN.
Do you have specific subnets going out the VPN,,,,,,, what are the use cases for it...........
by anav
Sat Apr 06, 2024 9:20 pm
Forum: General
Topic: BTH BUG Bleeding Into Regular Wireguard.
Replies: 13
Views: 672

BTH BUG Bleeding Into Regular Wireguard.

I have a regular scenario where WIREGUARD should come in WAN2, despite WAN1 being the primary Route. Case in point, an AX3 as peer (client for handshake) to a CCR2004 peer ( server for handshake ) Easily handled by basic mangling and table and route. /ip mangle add chain=input action=mark-connection...
by anav
Sat Apr 06, 2024 4:24 am
Forum: Beginner Basics
Topic: Not getting wireline speeds
Replies: 28
Views: 1166

Re: Not getting wireline speeds

Too much for me. I like the on and off button. :-)
by anav
Sat Apr 06, 2024 4:18 am
Forum: General
Topic: Wireguard and, I think, DNS
Replies: 13
Views: 643

Re: Wireguard and, I think, DNS

Nix on that,,,,,, if the clamp rule doesnt work next try
add action=change-mss chain=forward new-mss=1380 out-interface=Wireguard protocol=tcp tcp-flags=syn tcp-mss=1381-65535
by anav
Fri Apr 05, 2024 10:08 pm
Forum: General
Topic: Wireguard and, I think, DNS
Replies: 13
Views: 643

Re: Wireguard and, I think, DNS

I wouldnt lower the mtu right away, instead I would keep both ends at the default 1420 and add a mangle rule to the french side. / ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=Wireguard passthrou...
by anav
Fri Apr 05, 2024 10:06 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 755

Re: Firewall/Routing Question

Because if you have lots of users, its easier to give them and have them remember a name than a number.

blowbluckeye.orgasm:69 for example, unforgettable.
by anav
Fri Apr 05, 2024 6:59 pm
Forum: General
Topic: Wireguard and, I think, DNS
Replies: 13
Views: 643

Re: Wireguard and, I think, DNS

okay machine by machine basis means you have to mangle in most cases.....
Thus use of firewall address list makes sense. If it was just a few, routing rules would work.......
by anav
Fri Apr 05, 2024 6:58 pm
Forum: General
Topic: 2 gws, default route issue.
Replies: 1
Views: 208

Re: 2 gws, default route issue.

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)
by anav
Fri Apr 05, 2024 6:56 pm
Forum: General
Topic: TLS 1.3 support in RouterOS
Replies: 1
Views: 248

Re: TLS 1.3 support in RouterOS

send Normis booze. Perhaps if he is drunk enough he will approve it. :-)

After all it was released in 2018 !!!!

https://www.a10networks.com/glossary/ke ... d-tls-1-3/
by anav
Fri Apr 05, 2024 6:54 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 755

Re: Firewall/Routing Question

So mkx, The user on the browser sends hit request. The router B DST-NAT rule intercepts the request and changes the destination IP from a.dyndns.com resolved IP, TO the local server on device A. Transparent to the user. The router knows that the traffic for that subnet needs to go out wireguard inte...
by anav
Fri Apr 05, 2024 1:33 pm
Forum: General
Topic: Wireguard and, I think, DNS
Replies: 13
Views: 643

Re: Wireguard and, I think, DNS

Besides the usual bloat of filtering to block traffic instead of simply allowing needed traffic and drop everything else.... I am curious, as to how you separate those needing access to the tunnel. Firstly which router is server for handshake Which end needs to access the internet of the other. Are ...
by anav
Fri Apr 05, 2024 3:59 am
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 755

Re: Firewall/Routing Question

Hi Chechito not sure hairpin or what applies here, I get muddled trying to work my way through it.
by anav
Fri Apr 05, 2024 3:51 am
Forum: General
Topic: Wireguard Keeps trying to reconnect
Replies: 7
Views: 489

Re: Wireguard Keeps trying to reconnect

Persistent keep alive is required on the client ( for handshake ) peer and not on the Server (for handshake) peer.
by anav
Thu Apr 04, 2024 11:53 pm
Forum: Beginner Basics
Topic: Not getting wireline speeds
Replies: 28
Views: 1166

Re: Not getting wireline speeds

Are your devices internet facing, with such sparse rules??
by anav
Thu Apr 04, 2024 11:49 pm
Forum: Beginner Basics
Topic: 7.14.2 Port Forwarding [SOLVED]
Replies: 9
Views: 545

Re: 7.14.2 Port Forwarding [SOLVED]

Sorry both are kind of either wrong or confused LOL...... You have a static Private IP set on IP address for ether1 and you have IP DHCP client turned off. I think what you mean is that you actually have a private WAN IP address provided by the upstream ISP modem/router (via its LAN subnet) and the ...
by anav
Thu Apr 04, 2024 11:43 pm
Forum: Beginner Basics
Topic: Slow connections across vlans with hex [SOLVED]
Replies: 12
Views: 1008

Re: Slow connections across vlans with hex [SOLVED]

Two options.
budget: hap AX3, just disable wifi if dont need, it. Will handle a 1 gig WAN connection
Better: RB5009, good for up to a 2.5 gig WAN connection
PRO: 2116, mouthwatering performance
by anav
Thu Apr 04, 2024 11:41 pm
Forum: Beginner Basics
Topic: Not getting wireline speeds
Replies: 28
Views: 1166

Re: Not getting wireline speeds

Well either their ethernet results failed to include performance via L3HW offload and this is a brilliant router replacement, or their ethernet results are good and no one should fool themselves into thinking these are viable 1gig ethernet router capable, is all I am saying. Perhaps someone with a 3...
by anav
Thu Apr 04, 2024 11:39 pm
Forum: General
Topic: HW Offloading
Replies: 11
Views: 1022

Re: HW Offloading

I will see if there is more uptodate L3HW offload video available................... I just want to make sure advice is accurate and not a guess or wrong.......
by anav
Thu Apr 04, 2024 11:37 pm
Forum: General
Topic: HW Offloading
Replies: 11
Views: 1022

Re: HW Offloading

Yes I know HW offloading is available on some routers and now edumecated that L3HW offloading is also available on at least one router. But it just proves my point, you were unable to answer the thrust of this and many other threads where people are using switches to do routing and wondering why L3H...
by anav
Thu Apr 04, 2024 11:34 pm
Forum: General
Topic: How to do Inter-VLAN Bridging with MikroTik? [SOLVED]
Replies: 15
Views: 820

Re: How to do Inter-VLAN Bridging with MikroTik? [SOLVED]

So, it seems that my devious plan is foiled mainly by the fact that I want to bridge native VLAN with other VLANs . I can create a VLAN interface with id=1, that's for sure. But it appears that it's either not capturing traffic, or outputting traffic with tag present with vlan id set to 1, or both....
by anav
Thu Apr 04, 2024 11:31 pm
Forum: General
Topic: HW Offloading
Replies: 11
Views: 1022

Re: HW Offloading

Very nice MKX, you missed the boat and the barn, as we are talking about switches, and you bring up a ROUTER, not a switch.
None of the CRS3XX series of switches then has L3HW offloading if I had to base it on ethernet test results ( very slow ).
So once again I am searching for some truth and facts.
by anav
Thu Apr 04, 2024 11:17 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 755

Re: Firewall/Routing Question

Ahh I think I get it.... Your dstnat dst-address-list=a.dyndns.org dst-port=81 to-address=addressofserver on Device A. Then the router sees the to-address on a known remote subnet with the following existing route add dst-address=subnetofRouterA gateway=wireguard routing-table=main. Nice!! Just want...
by anav
Thu Apr 04, 2024 11:07 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 755

Re: Firewall/Routing Question

nm duplicate
by anav
Thu Apr 04, 2024 1:08 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1440

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

No wireguard is not a regular subnet and has no etherPorts associated to it.
by anav
Thu Apr 04, 2024 1:07 pm
Forum: General
Topic: Can't get DHCP with WLAN when using bridge VLAN filtering
Replies: 7
Views: 378

Re: Can't get DHCP with WLAN when using bridge VLAN filtering

one ssid per vlan, thus depending upon which SSID they sign into determines which vlan they get connected to.
by anav
Thu Apr 04, 2024 4:40 am
Forum: Beginner Basics
Topic: InterVLAN routing not working as expected
Replies: 5
Views: 368

Re: InterVLAN routing not working as expected

Nice setup. Clearly the problem is the pfsense. Its butt ugly and capricious ;-) Assuming you have a. a management vlan where all smart devices get their IP address from. b. trunk port carrying all vlans (tagged) to first 310 switch, this is a piece of torte. c. the below example applies to all thre...
by anav
Thu Apr 04, 2024 4:09 am
Forum: Beginner Basics
Topic: Not getting wireline speeds
Replies: 28
Views: 1166

Re: Not getting wireline speeds

Sirbyran, lets make it real, ..................... OP Quote: " ...... i have internet working right now for my AT&T Business Fiber internet, but i'm not getting the full gigabit up and down i'm supposed to be getting MT SPECS reality.jpg ...... WITH NO Rules, the OP will only achieve at bes...
by anav
Thu Apr 04, 2024 4:00 am
Forum: General
Topic: 8.8.8.8 suddenly blocked by my firewall???
Replies: 4
Views: 389

Re: 8.8.8.8 suddenly blocked by my firewall???

Yes, you dont need DDOS on your router, it is the responsibility of upstream providers to do such work. More than likely a misconfigured config is causing issues. Get rid of the bloat and life will be easier. /export file=anynameyouwish ( minus router serial number, public WANIP information, keys et...
by anav
Wed Apr 03, 2024 11:23 pm
Forum: General
Topic: Can't get DHCP with WLAN when using bridge VLAN filtering
Replies: 7
Views: 378

Re: Can't get DHCP with WLAN when using bridge VLAN filtering

4. Why so many management ports on hapaC?? take ether5 off bridge and also make this an emergency access port. 5. /interface bridge port add bridge=BRIDGE ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 comment="trunk from Router" add bridge=BRIDGE ingress-filteri...
by anav
Wed Apr 03, 2024 2:29 pm
Forum: Wireless Networking
Topic: 60GHz security
Replies: 2
Views: 288

Re: 60GHz security

You can always push VPN tunnels ( EOIP/gre or IPIP/ip-encap with ipsec word, or wireguard etc..) through the 60ghz link
by anav
Wed Apr 03, 2024 2:18 pm
Forum: Beginner Basics
Topic: Does "Detect Internet" actually do anything?
Replies: 15
Views: 8339

Re: Does "Detect Internet" actually do anything?

RoS feature I would quietly retire.
by anav
Wed Apr 03, 2024 4:04 am
Forum: General
Topic: Problem with Mangle Rule
Replies: 3
Views: 270

Re: Problem with Mangle Rule

The quality of the response is directly proportional to the quality of information provided to elicit a response. Its not your fault, that the MT barons, do not have a quality standard of posting, avoiding first posts bereft of facts. To better understand your situation, it would be best to provide ...
by anav
Wed Apr 03, 2024 1:09 am
Forum: Beginner Basics
Topic: Newb Question on my topology
Replies: 4
Views: 273

Re: Newb Question on my topology

Why would you use a switch for routing? Quick answer, No!
by anav
Wed Apr 03, 2024 1:05 am
Forum: General
Topic: How to properly block youtube for certain client?
Replies: 5
Views: 351

Re: How to properly block youtube for certain client?

Dont make promises to clients you cannot keep. Unless the client wants to spend a shit ton of money on a very expensive router and expensive subscriptions...........
by anav
Tue Apr 02, 2024 11:46 pm
Forum: General
Topic: Wireguard DNS re-resolution script
Replies: 4
Views: 315

Re: Wireguard DNS re-resolution script

Correct, since maybe 7.12??? not sure when but there is no longer a need to do this on the client (for handshake) peer to re-establish connectivity with the Server ( for handshake ) peer.
by anav
Tue Apr 02, 2024 11:05 pm
Forum: Beginner Basics
Topic: S2S problem
Replies: 4
Views: 672

Re: S2S problem

emunt please stop, this is not a guessing game. we provide advice based on facts/evidence.
Cat is bang on, we need to see the config to ascertain potential problem area(s).
A config is integrated and thus needs to be seen from the 'whole' perspective.
by anav
Tue Apr 02, 2024 10:59 pm
Forum: Beginner Basics
Topic: DHCP Server - DNS blank or router IP [SOLVED]
Replies: 8
Views: 465

Re: DHCP Server - DNS blank or router IP [SOLVED]

/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns
set allow-remote-requests=yes servers=1.1.1.1
by anav
Tue Apr 02, 2024 10:53 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1440

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

SPINE: /interface wireguard add listen-port=13299 mtu=1420 name=wireguard-S /ip address add address=172.16.0.100/24 interface=wireguard-S network=172.16.0.0 /interface wireguard peers add allowed-address=172.16.0.200/32,10.20.100.0/24 interface=wireguard-S public-key=\ "sxxxxxdfsd" comment...
by anav
Tue Apr 02, 2024 10:33 pm
Forum: General
Topic: Setup a single Mikrotik Router who does only VPN
Replies: 2
Views: 205

Re: Setup a single Mikrotik Router who does only VPN

Easy to do, why not do it on the main router. Do you have a network diagram to share?
Also is the WANIP on the upstream router publicly accessible??
by anav
Tue Apr 02, 2024 2:42 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1440

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

??????????? There is no DHCP in wireguard, its not a regular type of subnet, its really an IP address and an interface. (1) Allowed IPs on spine are incorrect, a. you need to put the actual IP assigned to the leaf peer ( and any remote subnets local users are visiting, or any remote subnets visiting...
by anav
Tue Apr 02, 2024 4:43 am
Forum: General
Topic: Wireguard to multiple networks
Replies: 2
Views: 237

Re: Wireguard to multiple networks

How are they all connected, at least provide a diagram.
Are all devices (acting as clients at handshake) connected to a MAIN router ( server for handshake), if so then we need to see its config.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys,, etc.)
by anav
Tue Apr 02, 2024 2:05 am
Forum: General
Topic: CCR2116 disappointing can't do >2gbps PPPOE, single CPU >95%
Replies: 8
Views: 2576

Re: CCR2116 disappointing can't do >2gbps PPPOE, single CPU >95%

Lets see the config please, without facts its just an opinion.
by anav
Tue Apr 02, 2024 2:04 am
Forum: General
Topic: 2 WAN Failover - Cloud DNS
Replies: 14
Views: 1157

Re: 2 WAN Failover - Cloud DNS

Will need to think if there is anything required for incoming wireguard traffic, but not at the moment. I dont believe you have outgoing wireguard traffic, just traffic to the router for config purposes or do you also reach LAN devices. If so many, need access to all ???
by anav
Tue Apr 02, 2024 2:00 am
Forum: General
Topic: 2 WAN Failover - Cloud DNS
Replies: 14
Views: 1157

Re: 2 WAN Failover - Cloud DNS

I gauge discipline and attention to detail to get a sense of the OP's capabilities and focus. So far not doing so well. Not surprised no improvements yet. (1) This is still not fixed. (should be NONE ) /interface detect-internet set internet-interface-list= WAN lan-interface-list= LAN wan-interface-...
by anav
Mon Apr 01, 2024 10:33 pm
Forum: General
Topic: Experiments with EoIP+IPSec and DDNS/CGNATs for RoMON...
Replies: 12
Views: 592

Re: Experiments with EoIP+IPSec and DDNS/CGNATs for RoMON...

Yes, I unchecked it for both. Not sure what that does but seeing as I am using it as backup config access to wireguard, maybe not so critical?? I mean its only for the connection not other traffic.
More straightforward than SSTP actually. I like it.
by anav
Mon Apr 01, 2024 9:28 pm
Forum: General
Topic: Experiments with EoIP+IPSec and DDNS/CGNATs for RoMON...
Replies: 12
Views: 592

Re: Experiments with EoIP+IPSec & Restricted NATs for RoMON/etc

Hi Ammo, I was able to establish an IPIP with ipsec secret with one fixed WANIP and one dynamic Wanip ( and gain access to config via winbox ).
Dont have any cgnat to test however.
by anav
Mon Apr 01, 2024 9:27 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

Successful connection between one static and one dynamic IP using IPIP and ipsec secret.
I established a winbox connection over the link!
by anav
Mon Apr 01, 2024 4:59 pm
Forum: General
Topic: I'm trying to setup VLANs but I get no gateway
Replies: 4
Views: 297

Re: I'm trying to setup VLANs but I get no gateway

Suggest a diagram which details equipment being used, subnets in play, internet source, port usage etc..........
Suggest a set of requirements to:
a. identify all the users and devices, including the admin
b. identify all the traffic the users/devices need.
by anav
Mon Apr 01, 2024 4:57 pm
Forum: General
Topic: Backup to LTE without guest internet access
Replies: 10
Views: 423

Re: Backup to LTE without guest internet access

Not sure what you mean............. The bad situation is where the connection to the ISP is up but the ISP is not connected to the WWW. In this case the router has no idea. If the connection to the ISP is down, the router will see that and make the route inactive and your backup will be utilized. It...
by anav
Mon Apr 01, 2024 4:54 pm
Forum: General
Topic: Appropriate router for 2G internet routing
Replies: 11
Views: 746

Re: Appropriate router for 2G internet routing

Serious, even the CR2004 cannot do 2gigs with fastrack disabled.
Okay, I just sent a suggestion to MT, to add 25 filter rules fastrack-off LINE to results so people can match up expectations and purchase an appropriate router.
by anav
Mon Apr 01, 2024 3:29 pm
Forum: General
Topic: Multiple WAN - The Third WAN on sfp3
Replies: 22
Views: 864

Re: Multiple WAN - The Third WAN on sfp3

Please ignore quickset so we can focus on a working config. Unless your a squirrel :-) (1) Added back NAS on port 443 to the config. (2) This had no meaning.......... /interface bridge port add bridge=BridgeLAN ingress-filtering=no interface=BondingNAS \ internal-path-cost=10 path-cost=10 add bridge...
by anav
Mon Apr 01, 2024 6:32 am
Forum: General
Topic: Multiple WAN - The Third WAN on sfp3
Replies: 22
Views: 864

Re: Multiple WAN - The Third WAN on sfp3

Lan interface is not a bridge port by the way........... Also cannot make heads or tails of this dstnat rule. add action=dst-nat chain=dstnat comment="NAS Channel" dst-address=\ 61.219.84.108 in-interface=sfp2 log=yes protocol=tcp to-addresses=\ 192.168.88.220 to-ports=0-65535 You want you...
by anav
Mon Apr 01, 2024 4:58 am
Forum: General
Topic: I'm trying to setup VLANs but I get no gateway
Replies: 4
Views: 297

Re: I'm trying to setup VLANs but I get no gateway

Your config makes no sense, its a patchwork of nothing that fits together.
You need to make a coherent plan way before starting a config.
by anav
Mon Apr 01, 2024 4:54 am
Forum: General
Topic: Appropriate router for 2G internet routing
Replies: 11
Views: 746

Re: Appropriate router for 2G internet routing

Correct, the Rb5009 is capable of handling up to roughly 3gigs. Surprising it loses so much steam by turning fast track off.
Its fair to say that MT should include another line entry in their results pages
25 filters (fasttrack off)
by anav
Mon Apr 01, 2024 1:41 am
Forum: General
Topic: ROMON via vpn
Replies: 41
Views: 4376

Re: ROMON via vpn

What if you wanted to do EoIP on top of wireguard and add RoMON?
by anav
Mon Apr 01, 2024 1:39 am
Forum: General
Topic: Multiple WAN - The Third WAN on sfp3
Replies: 22
Views: 864

Re: Multiple WAN - The Third WAN on sfp3

quickset=quicksand :-)
by anav
Sun Mar 31, 2024 10:28 pm
Forum: General
Topic: Multiple WAN - The Third WAN on sfp3
Replies: 22
Views: 864

Re: Multiple WAN - The Third WAN on sfp3

Question not answered, why do you have three WANs??
If you dont have a priority WAN and the other two being backup what is the thinking?
If you want Lan users to be able to use all three WANs then that is a load sharing setup for the wans.
by anav
Sun Mar 31, 2024 6:19 pm
Forum: General
Topic: Multiple WAN - The Third WAN on sfp3
Replies: 22
Views: 864

Re: Multiple WAN - The Third WAN on sfp3

Okay, same gateway three different WANIPs, from same provider. 1. what should be the priority of WANS? ( all used equally or one only etc and the rest are backups in terms of normal outgoing LAN traffic....) 2. you have servers, and they are to be accessible by different wans correct........ 3. any ...
by anav
Sun Mar 31, 2024 6:11 pm
Forum: General
Topic: Can't access Mikrotik website from china
Replies: 12
Views: 726

Re: Can't access Mikrotik website from china

Dont feed the trolls.
by anav
Sun Mar 31, 2024 4:36 pm
Forum: General
Topic: Multiple WAN - The Third WAN on sfp3
Replies: 22
Views: 864

Re: Multiple WAN - The Third WAN on sfp3

There is nothing weird going on, the router is simply working in accordance with the rules you have made.
To comment further
/export file=anynameyouwish ( minus router serial number, any real public WANIP info, keys etc.)
by anav
Sun Mar 31, 2024 3:46 pm
Forum: Beginner Basics
Topic: WAN and LAN passthrough to second MT - VLAN Question [SOLVED]
Replies: 12
Views: 645

Re: WAN and LAN passthrough to second MT - VLAN Question [SOLVED]

Would need to see both MT FULL configs............ the first and second MTs. Do you have a management vlan organized on the First Router ( or trusted subnet) where all ( both MTs should get their Ip address from ). /export file=anynameyouwish ( minus router serial#, any public WANIP information, key...
by anav
Sun Mar 31, 2024 3:41 pm
Forum: General
Topic: Forcing source ip and/or route
Replies: 3
Views: 301

Re: Forcing source ip and/or route

Post both configs
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, long dhcp lease lists etc..)
by anav
Sun Mar 31, 2024 3:39 pm
Forum: General
Topic: NAT with several public IPs
Replies: 2
Views: 243

Re: NAT with several public IPs

What use case for traffic flow are you trying to describe. In other words what user needs their traffic flow so contorted??
by anav
Sun Mar 31, 2024 7:24 am
Forum: Beginner Basics
Topic: WAN and LAN passthrough to second MT - VLAN Question [SOLVED]
Replies: 12
Views: 645

Re: WAN and LAN passthrough to second MT - VLAN Question [SOLVED]

Again, not clear. Do you mean the ISP has a modem router and has a lan subnet, and thus gives the first MT router a private IP on that subnet and you wish to also have that subnet reach a second MT device.? Meaning the First MT device is acting as a router with some of its own DHCP subnet but also o...
by anav
Sun Mar 31, 2024 6:52 am
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

So you can program only through controller software, is there a user guide for that??
by anav
Sun Mar 31, 2024 1:24 am
Forum: General
Topic: Problem with slow DHCP after migrating to Mikrotik switches
Replies: 2
Views: 312

Re: Problem with slow DHCP after migrating to Mikrotik switches

Of course not! The problem seems to be not having a concrete plan and understanding of the requirements before implementing No idea of your topology, network diagram not provided. ( gives us a visual feel for the plan ) No clue as to where internet comes from, which device is routing etc etc..... Fi...
by anav
Sun Mar 31, 2024 1:20 am
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1440

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

Of course the WG tunnels would always be active. Your work or home router would serve as the Server for handshake and all the client devices would have persistent keep alive set. You dont even need a separate wireguard interface for all your devices either. You can separate them by IP address..........
by anav
Sun Mar 31, 2024 1:13 am
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

I would get rid of the unifi switch and get a real one. A plain jane cheapo TPlink managed switch works better or more sanely than the unifi. Or get a CRS3XX switch from mikrotik or send me a copy of the switch User Guide ( I cannot find one ) and then I can figure out how to setup it so it works pr...
by anav
Sun Mar 31, 2024 1:11 am
Forum: Beginner Basics
Topic: WAN and LAN passthrough to second MT - VLAN Question [SOLVED]
Replies: 12
Views: 645

Re: WAN and LAN passthrough to second MT - VLAN Question [SOLVED]

To be clear you have a block of IPs from your provider and you want to use one for the first router and another for the second router??
by anav
Sun Mar 31, 2024 12:21 am
Forum: General
Topic: Experiments with EoIP+IPSec and DDNS/CGNATs for RoMON...
Replies: 12
Views: 592

Re: Experiments with EoIP+IPSec & Restricted NATs for RoMON/etc

yes, but in your example the input chain rule (traffic from the other public IP), limits by protocol GRE..........
In the case of IPIP, are you saying simply let a public IP address access the input chain, without port or protocol limitation ?????
by anav
Sun Mar 31, 2024 12:04 am
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

Regardless, a trusted homesubnet works just fine!! No need to create extra work for nothing really. Just ensure all smart devices get their IP from trusted subnet. Why you cannot reach the capac from behind the draytek is most bizarre but the issue is probably still the switch Negative on the dumb d...
by anav
Sun Mar 31, 2024 12:01 am
Forum: General
Topic: Experiments with EoIP+IPSec and DDNS/CGNATs for RoMON...
Replies: 12
Views: 592

Re: Experiments with EoIP+IPSec & Restricted NATs for RoMON/etc

Ahh so fast path may be fine for IPIP then. All I want to do is a poor mans version of wireguard to access the router for config purposes as the other end, with least amount of fuss. assuming I can do that by lets say 172.16.0.1/30 is IPIP of main device with public IP and 172.16.0.2/30 is ip addres...
by anav
Sat Mar 30, 2024 11:47 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

On an MT router it would be easy to make a firewall rule. add action=accept chain=forward src-address=lanip of your pc (static lease set) dst-address=192.168.0.0/24 On draytek probably a similar filter rule is possible. DIRECTION: LAN to LAN SOURCE: SourceIP --> your PC LANIP DESTINATION: VLAN2 Subn...
by anav
Sat Mar 30, 2024 11:32 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

You might see a slightly better (marginal at best) roaming experience but its not fully fledged as its the older drivers which are missing some of that capability so not worth it IMHO.
Feel free to pull your hair out though! :-)
by anav
Sat Mar 30, 2024 11:30 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

Nice!!! questions already asked there..
by anav
Sat Mar 30, 2024 11:30 pm
Forum: General
Topic: Experiments with EoIP+IPSec and DDNS/CGNATs for RoMON...
Replies: 12
Views: 592

Re: Experiments with EoIP+IPSec & Restricted NATs for RoMON/etc

Okay got it thanks.......... I specifically want to avoid the extra overhead of GRE, if possible, but will acquiesce if not possible. Also one can go into the default ipsec config and improve the security settings, for example would change the DEFAULT PROFILE SETTINGS TO a. HASH proposal (from SHA1) ...
by anav
Sat Mar 30, 2024 11:10 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

AMMO, can you test with IPIP instead or at least tell me how to do so beyond the standard settings. aka. for client site with no static public IP --> what do I put for local address?>> aka. for server site with public IP --> what do I put for remote address?? What additional firewall rules are requi...
by anav
Sat Mar 30, 2024 11:07 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

Since its older wifi from MT, simply recommend setting up just like the first one. It will take only minutes and it will be up and working right away. I avoid capsman because its a quagmire of frustration and complexity. If I had multiple AX wifi devices all using the same new drivers, I might consid...
by anav
Sat Mar 30, 2024 10:33 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

The management vlan is 2, so thats a problem right there........ You need to properly configure the switch, for example it should have its own address as 192.168.0.XX in the vlan2 subnet!!!

I cannot find an easy link that shows the management/setup of the software on the switch.......
by anav
Sat Mar 30, 2024 10:02 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

Hahahah, so you have a unifi switch in between.
What is the setup for the UNIFI then,
What is the management vlan on the UNIFI etc.......
by anav
Sat Mar 30, 2024 7:27 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

Figured as much. Just to let you know. If all the vlans are coming as trunk to Mikrotik device, all your vlans should be working on the capac now. Just confirming the only problem is reaching the capac wired behind the draytek using winbox????. Lets do a test! Modify one of the wifis lets say CHANGE...
by anav
Sat Mar 30, 2024 7:17 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

You have to be more clear than that sir, I have no idea what you mean by this ..... But still need use the CGNAT'ed remote address on the "static IP" side Take as many sentences as you need so the layperson (me) understands what you mean. Also any reason why I should not be able to do sam...
by anav
Sat Mar 30, 2024 6:05 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

Id be interested in your only one side needs public IP teaser. Please elaborate!!!
by anav
Sat Mar 30, 2024 5:19 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

That is correct the CAPACs address is on the BASE or management vlan. The capac is set correctly. Winbox on a the same LAN behind the draytek should see that IP and you should be able to ping that IP. If not, the issue is with the draytek setup. why does your LAN 1 have Vs hard coded instead of chec...
by anav
Sat Mar 30, 2024 5:09 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

Dont forget to tick the ipsec security otherwise you are creating an open hole at both ends.....
by anav
Sat Mar 30, 2024 3:35 pm
Forum: General
Topic: Watchdog, or alternative?
Replies: 8
Views: 453

Re: Watchdog, or alternative?

How long does power go out? A UPS may be better.
by anav
Sat Mar 30, 2024 3:32 pm
Forum: Beginner Basics
Topic: Using a CRS326 as router (FTTH)
Replies: 4
Views: 345

Re: Using a CRS326 as router (FTTH)

post config not snapshots
/export file=anynameyowish (minus router serial #, any public WANIP information )
by anav
Sat Mar 30, 2024 3:20 pm
Forum: Beginner Basics
Topic: VLAN'ising an existing configuration without disrupting service
Replies: 23
Views: 1184

Re: VLAN'ising an existing configuration without disrupting service

Yes buy a plugnPlay Asus router LOL
by anav
Sat Mar 30, 2024 3:10 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

I would use EOIP or IPIP before SSTP, but both of those require two publicly reachable IP addresses at both ends, which removes about 95 of use cases, I run up against.
by anav
Sat Mar 30, 2024 3:07 pm
Forum: General
Topic: Internet speed cut in half after Hex, direct to modem gets full
Replies: 27
Views: 1872

Re: Internet speed cut in half after Hex, direct to modem gets full

Not the same situation at all, you are using the hex mainly as a switch it appears so would need to know whats coming into the trunk port on the hex ( which vlans etc ) and see the config of the hex as well.
by anav
Fri Mar 29, 2024 10:04 pm
Forum: Beginner Basics
Topic: how to assign static IP of choice on LAN host
Replies: 2
Views: 198

Re: how to assign static IP of choice on LAN host

Add manually by mac address
by anav
Fri Mar 29, 2024 10:03 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

Yeah but without certificate how safe is it................. As for IPIP sounded better, more secure than SSTP without certificate BUT, a big BUTT, is that it appears BOTH sides need to have publicly reachable WANIPs ( and maybe even static ones ). All the clowns at MT and youtube always show the ea...
by anav
Fri Mar 29, 2024 8:32 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

Interesting proposal I always used SSTP ( mt to mt approach ) without certificates as my preferred Mt to Mt backup to wireguard.
by anav
Fri Mar 29, 2024 7:48 pm
Forum: General
Topic: Which features are NOT essential to RouterOS?
Replies: 8
Views: 512

Re: Which features are NOT essential to RouterOS?

What I would like to see is a shopping list of functionality that you check off before the MT site wraps up your request in a package for you.....
AI driven downloads.
by anav
Fri Mar 29, 2024 7:07 pm
Forum: Beginner Basics
Topic: hAP ac² - can't import just exported configuration
Replies: 12
Views: 729

Re: hAP ac² - can't import just exported configuration

Comparing is good, why I like Notepad++ as it has a comparative plugin,,,,,,, comes in handy
by anav
Fri Mar 29, 2024 7:02 pm
Forum: General
Topic: Which features are NOT essential to RouterOS?
Replies: 8
Views: 512

Re: Which features are essential to RouterOS?

Why does your title imply our 'identification of essential" features, when you are really asking which features can we remove from the core RoS???
Ahhh, south of the equator, even toilets flush backwards ;-P ...........
by anav
Fri Mar 29, 2024 6:58 pm
Forum: General
Topic: How insecure of 8791?
Replies: 39
Views: 1728

Re: How insecure of 8791?

So the dyndns address check out to the current WANIP of the remote device and you can ping the device but WG does not come up??
Did you make any changes to the config prior to losing connectivity as there is no clear reason I can think of that would cause loss of connectivity.
by anav
Fri Mar 29, 2024 6:56 pm
Forum: General
Topic: Purchasing on Amazon
Replies: 11
Views: 651

Re: Purchasing on Amazon

Quite right MKX, problem is Ontarions think the sun revolves around them ;-). Sales tax is indeed 15% in NS.
by anav
Fri Mar 29, 2024 4:58 pm
Forum: Beginner Basics
Topic: NAT and reach dhcp clients in router mode from main network
Replies: 5
Views: 291

Re: NAT and reach dhcp clients in router mode from main network

C'mon mkx, dont tell me you are not a Ubiquiti expert? Just because the moniker up top says Mikrotik is no excuse! ;-)

Luckily I just happen to know the enlightened path --> https://community.ui.com/
by anav
Fri Mar 29, 2024 4:46 pm
Forum: General
Topic: Purchasing on Amazon
Replies: 11
Views: 651

Re: Purchasing on Amazon

I take donations from Utes :-)) ( yes I noted the recent gymnastics victory and the departure of the women from the Sweet 16).
Even better is if you have some extra land in Sedona........... That locale, blew me away.......
by anav
Fri Mar 29, 2024 4:42 pm
Forum: General
Topic: Drop all from WAN not DSTNATed
Replies: 13
Views: 4936

Re: Drop all from WAN not DSTNATed

Interesting, but who uses UPNP,,,,,,, I mean do games actually still require that?? I do everything off steam, nothing fancy required, just works.
by anav
Fri Mar 29, 2024 4:12 pm
Forum: General
Topic: Purchasing on Amazon
Replies: 11
Views: 651

Re: Purchasing on Amazon

Tru Dat but ISP supplies ( forget former name) in Ottawa ( Gloucester ) is selling the same RB5009 router for $287 Cdn + taxes + shipping. Lets compare llama (isp supplies) 287.87+18.77+15% = $352.64 llama (amazon) 323.69+15% = $372.24 Mozerd ( isp supplies, pick up at store ) 287.87 + 13% = $325.30...
by anav
Fri Mar 29, 2024 3:58 pm
Forum: General
Topic: Drop all from WAN not DSTNATed
Replies: 13
Views: 4936

Re: Drop all from WAN not DSTNATed

Well for an advanced user fill yer boots with ! rules. For the beginner it would be far clearer if MT used the three rules as default instead. It demonstrates a LAN to WAN firewall rule It demonstrates an ability to conduct port forwarding ( disabled by default would be my preference ) It demonstrate...
by anav
Fri Mar 29, 2024 3:26 pm
Forum: Beginner Basics
Topic: hAP ac² - can't import just exported configuration
Replies: 12
Views: 729

Re: hAP ac² - can't import just exported configuration

The reason is that the order of the RSC file, is NOT the order required to add rules to make the config coherent.
In other words, you dont understand the config to the level necessary otherwise you wouldnt have tried, but instead would have
copied and pasted bits in the right order.
by anav
Fri Mar 29, 2024 3:21 pm
Forum: General
Topic: Wireguard from MT to client (win10) with several users to several VLAN's [SOLVED]
Replies: 42
Views: 4361

Re: Wireguard from MT to client (win10) with several users to several VLAN's [SOLVED]

Sorry to confuse, the route I mentioned I thought was for the one going to your ISP.
It was not clear to me if you were using DEFAULT-ROUTE=YES in the IP DHCP client settings
by anav
Fri Mar 29, 2024 3:18 pm
Forum: General
Topic: Drop all from WAN not DSTNATed
Replies: 13
Views: 4936

Re: Drop all from WAN not DSTNATed

Word up, don't irritate a sick person, I resemble that ! comment. Its a useful tool WHEN NEEDED. Otherwise, why try to be overly cute. The default rule allows one to connect to the internet right away and do most functions. Once one adds rules, its cleaner and clearer to remove the rule and replace...
by anav
Fri Mar 29, 2024 1:13 pm
Forum: General
Topic: HowTo configure WireGuard in same subnet?
Replies: 3
Views: 472

Re: HowTo configure WireGuard in same subnet?

Makes sense to me CGNX. Good advice!!
The other possibility is to use zerotier I suppose.
by anav
Fri Mar 29, 2024 2:20 am
Forum: General
Topic: Basic VLAN configuration is not working - new driver wave 2
Replies: 6
Views: 305

Re: Basic VLAN configuration is not working - new driver wave 2

Highly recommend the first thing you do on both devices is take ether5 off the bridge assign it an IP address of 192.168.55.1/24 ( as per the configs ). Then plug in laptop or pc into device on ether5 and change your ethernet card IPV4 settings to lets say 192.168.55.5 and you should have access. # ...
by anav
Thu Mar 28, 2024 11:23 pm
Forum: Beginner Basics
Topic: 2WAN as Failover and Setup Wireguard KEY as Client [SOLVED]
Replies: 35
Views: 4430

Re: 2WAN as Failover and Setup Wireguard KEY as Client [SOLVED]

Whoever is providing the MikROTIK CHR for wireguard ( server for handshake ) is doing it wrong. Its the client (for handshake) router that needs to setup the mangle rule. Good thing at least both sides are at 1420 for default. I havent paid attention to your firewall rules.....or the rest of the con...
by anav
Thu Mar 28, 2024 10:25 pm
Forum: Beginner Basics
Topic: VLAN'ising an existing configuration without disrupting service
Replies: 23
Views: 1184

Re: VLAN'ising an existing configuration without disrupting service

Post both configs please
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

Not much more can be provided without evidence (fact).
by anav
Thu Mar 28, 2024 9:43 pm
Forum: General
Topic: Basic VLAN configuration is not working - new driver wave 2
Replies: 6
Views: 305

Re: Basic VLAN configuration is not working - new driver wave 2

What is the point of VLAN10 ( aka home )?
Or more accurately, what is the point of the BRIDGE subnet you still have??

Seeing as you have the haplite, ( two separate 2.4ghz wifi setups), do you plan on a home wifi network and a guest or IOT wifi network)
by anav
Thu Mar 28, 2024 7:17 pm
Forum: Beginner Basics
Topic: 7.14.2 HAIRPIN working anywhere ?
Replies: 2
Views: 341

Re: 7.14.2 HAIRPIN working anywhere ?

(1) Change this rule in the forward chain FROM add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN TO: add action=accept chain=forward comment="internet traffic" in-interface-list=...
by anav
Thu Mar 28, 2024 7:09 pm
Forum: Beginner Basics
Topic: Basic Wireguard Setup
Replies: 13
Views: 9982

Re: Basic Wireguard Setup

To fix a dual wan situation where one wants to use WAN2 (backup etc.) for wireguard then one needs to mangle a bit..
by anav
Thu Mar 28, 2024 5:40 pm
Forum: General
Topic: 2 WAN Failover - Cloud DNS
Replies: 14
Views: 1157

Re: 2 WAN Failover - Cloud DNS

Okay so add the new config, See if the ADSL new gateway IP gets populated in the IP routes we create...... Unplug the modem for each test.......... and plug it back in........ You will see in IP DHCP client settings, (STATUS), the new IP and new gatewayIP, then check to see if the gatewayIP migrated...
by anav
Thu Mar 28, 2024 4:03 pm
Forum: General
Topic: Wireguard from MT to client (win10) with several users to several VLAN's [SOLVED]
Replies: 42
Views: 4361

Re: Wireguard from MT to client (win10) with several users to several VLAN's [SOLVED]

Yup too funny, good pickup...... add address=172.16.0.1/24 interface=wireguard1 network=172.16.0.0 Vlan dont need routes? They get routes when creating the vlan (ip address). Do you mean a route out the router..... /ip route add disabled=yes dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main
by anav
Thu Mar 28, 2024 2:14 am
Forum: General
Topic: 2 WAN Failover - Cloud DNS
Replies: 14
Views: 1157

Re: 2 WAN Failover - Cloud DNS

Super well do you get a public IP or a private IP from the ADSL modem??
If you reboot the modem do you sometimes get a different WANIP etc....
by anav
Thu Mar 28, 2024 12:14 am
Forum: General
Topic: 2 WAN Failover - Cloud DNS
Replies: 14
Views: 1157

Re: 2 WAN Failover - Cloud DNS

/ip firewall address-list
add address=cloud.mikrotik.com list=MyCloud
add address=cloud2.mikrotik.com list=MyCloud

/ip firewall mangle
add chain=output protocol=udp dst-port=15252 dst-address-list=MyCloud action=mark-routing new-routing-mark=useWAN2
by anav
Thu Mar 28, 2024 12:04 am
Forum: General
Topic: 2 WAN Failover - Cloud DNS
Replies: 14
Views: 1157

Re: 2 WAN Failover - Cloud DNS

To ensure the wireguard handshake coming in on WAN2 gets answered by WAN2 ( the slower ADSL connection with public IP ) /routing table add fib name=useWAN2 /ip mangle add chain=input action=mark-connections connection-mark=no-mark in-interface=ether2 \ new-connection-mark=incomingWAN2 passthough=ye...
by anav
Wed Mar 27, 2024 11:52 pm
Forum: Beginner Basics
Topic: hAP ax3 behind Internet Router with DHCP, not working as desired
Replies: 3
Views: 292

Re: hAP ax3 behind Internet Router with DHCP, not working as desired

For a network without vlans......... /interface bridge add ingress-filtering=no name=bridge /interface list add name=management /interface wireless set [ find default-name=wlan2 ] band=5ghz-onlyac channel-width=20/40mhz-Ce country=canada disabled=no frequency=5500 \ mode=ap-bridge name=home5GIG secu...
by anav
Wed Mar 27, 2024 11:43 pm
Forum: Beginner Basics
Topic: hAP ax3 behind Internet Router with DHCP, not working as desired
Replies: 3
Views: 292

Re: hAP ax3 behind Internet Router with DHCP, not working as desired

Flat network or do you have vlans for different SSIDS, ( home, guest, iot, media, etc....)
by anav
Wed Mar 27, 2024 7:13 pm
Forum: Announcements
Topic: v7.14.2 [stable] is released!
Replies: 573
Views: 137550

Re: v7.14.2 [stable] is released!

Thats 6.2 miles for you DN, and for me..... 5.4 nm. :-)
by anav
Wed Mar 27, 2024 5:20 pm
Forum: General
Topic: 2 WAN Failover - Cloud DNS
Replies: 14
Views: 1157

Re: 2 WAN Failover - Cloud DNS

To be clear, you want WAN1 to be primary as it has higher bandwidth. In addition you also want WAN2 to be available all the time as wireguard goes through here. If WAN1 goes down traffic should go to WAN2 as backup. If WAN2 goes down, you will lose your ability to keep wireguard going.......... (1) ...
by anav
Wed Mar 27, 2024 2:35 pm
Forum: Beginner Basics
Topic: Vlan Client, MGMT - main router, transmitter, receiver with internet connection [SOLVED]
Replies: 3
Views: 614

Re: Vlan Client, MGMT - main router, transmitter, receiver with internet connection [SOLVED]

Post the three MT configs
/export file=anynameyouwish ( minus router serial number and any public WANIP info )
by anav
Wed Mar 27, 2024 2:02 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

Well its hard to say since the draytek is not an MT device.
I am also not aware of the firewall rules on the draytek etc..
So winbox doesnt see the capac at all?

Did you try it by IP address in Winbox?
192.168.0.200:winboxPort#
by anav
Wed Mar 27, 2024 1:57 pm
Forum: General
Topic: Connect two Mikrotik with gray IP using WireGuard
Replies: 9
Views: 649

Re: Connect two Mikrotik with gray IP using WireGuard

I was of the understanding that BTH can very much handle two non-publicly accessible ISPs and upstream routers are not accessible to port forward to the MT device. ( static or dynamic is a bogus concern ). Zerotier is also a viable solution but one is going through a third party provider, whereas BT...
by anav
Wed Mar 27, 2024 1:02 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

Latest config of both router and capac.
by anav
Wed Mar 27, 2024 1:01 pm
Forum: General
Topic: 2 WAN Failover - Cloud DNS
Replies: 14
Views: 1157

Re: 2 WAN Failover - Cloud DNS

/export file=anynameyouwish ( minus router serial number and any public WANIP information )
by anav
Wed Mar 27, 2024 12:59 pm
Forum: General
Topic: Connect two Mikrotik with gray IP using WireGuard
Replies: 9
Views: 649

Re: Connect two Mikrotik with gray IP using WireGuard

Gray=Dynamic?

In that case do either of the two connections provide a PUBLIC IP, to your MT router, OR to an upstream IP router, that you can forward a port on??
Question asked and not answered ????
by anav
Wed Mar 27, 2024 12:58 pm
Forum: General
Topic: AX3 Wifi confusion
Replies: 9
Views: 695

Re: AX3 Wifi confusion

Illegally setting up WIFI in your country is probably not the best solution.
by anav
Wed Mar 27, 2024 4:43 am
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

Ahhh I see the issue.......... one of the config lines on /interface bridge ports is incorrect. From: /interface bridge port add bridge=bridge1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=17 add bridge=bridge1 ingress-filtering=yes frame-types=admit...
by anav
Wed Mar 27, 2024 4:39 am
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

(1) Since you changed emergaccess to 192.168.88.1 ,, you can get rid of this entry at the bottom. /ip address add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0 (2) Everything else looks fine and thus I suspect we will have to see what is on the other side of ether1 ( where the p...
by anav
Wed Mar 27, 2024 4:32 am
Forum: General
Topic: Connect two Mikrotik with gray IP using WireGuard
Replies: 9
Views: 649

Re: Connect two Mikrotik with gray IP using WireGuard

Gray=Dynamic?

In that case do either of the two connections provide a PUBLIC IP, to your MT router, OR to an upstream IP router, that you can forward a port on??
by anav
Wed Mar 27, 2024 4:30 am
Forum: General
Topic: AX3 Wifi confusion
Replies: 9
Views: 695

Re: AX3 Wifi confusion

Normal MT wifi experience.........Why I use another vendors product for wifi. I mean it will work well once you figure it out, but for me personally not worth the stress to get there.
I am also lazy and dont like dealing with capsman.
by anav
Wed Mar 27, 2024 12:14 am
Forum: Beginner Basics
Topic: 2WAN as Failover and Setup Wireguard KEY as Client [SOLVED]
Replies: 35
Views: 4430

Re: 2WAN as Failover and Setup Wireguard KEY as Client [SOLVED]

So the device at the data center is mikrotik CHR or something else. The local MT router config should be as a client for handshake then. Which local users or subnets are to use this wireguard connection for internet? What happens if the wireguard tunnel goes down for these users? I gather you have n...
by anav
Wed Mar 27, 2024 12:12 am
Forum: Beginner Basics
Topic: Basic Wireguard Setup
Replies: 13
Views: 9982

Re: Basic Wireguard Setup

What is your point? Your post has no context as you were not in the prior discussion, if you have issues please start a new thread.
by anav
Wed Mar 27, 2024 12:05 am
Forum: Beginner Basics
Topic: Unable to find new replacement for existing router...
Replies: 7
Views: 625

Re: Unable to find new replacement for existing router...

I started with CAPACs, and then I migrated, to tplink business access points but kept MT for excellent routers.. AX3 is an excellent router ( and you should get decent local wifi near the unit ) and an even better router is the RB5009
by anav
Wed Mar 27, 2024 12:00 am
Forum: Beginner Basics
Topic: 2WAN as Failover and Setup Wireguard KEY as Client [SOLVED]
Replies: 35
Views: 4430

Re: 2WAN as Failover and Setup Wireguard KEY as Client [SOLVED]

There are two things Each end should have the same MTU setting, start with 1420 Only the client for handshake should use the clamping rule aka the mikrotik. Also starting to get confused as to what you are doing. A. sending wireguard through a third party provider from MT to . proton, or windscribe e...
by anav
Tue Mar 26, 2024 11:57 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 2186

Re: cAP ac Multiple SSID

Not bad!! Good work. (1) Correct only thing to change on the bridge is the name if you dont like bridge and turning on vlan-filtering=yes As I stated I always assign ETHER2 an off bridge address to actually do the initial config and emergency access to the CAP, in case the bridge blows up. (2) Yes, ...
by anav
Tue Mar 26, 2024 11:41 pm
Forum: General
Topic: Connect two Mikrotik with gray IP using WireGuard
Replies: 9
Views: 649

Re: Connect two Mikrotik with gray IP using WireGuard

What do you mean by gray addresses? I am only familiar with mauve addresses.

https://help.mikrotik.com/docs/display/ROS/Back+To+Home
by anav
Tue Mar 26, 2024 9:01 pm
Forum: Beginner Basics
Topic: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]
Replies: 32
Views: 1769

Re: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]

Problem is I stopped looking at this thread awhile ago due to the moving datum.
Once you get all the final equipment in place, then will be able to devote time and energy to a static target.