MikroTik

anav

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

anav

Sorry muy importante to see the entire config
/export file=anynameyouwish ( minus router serial number or switch serial number, any public WANIP information, keys )

anav

Design. Both ISP connections must reach router ( can be through an existing switch ) Router connected to each switch Switch configured as required to each device. Done. What more do you need! State Requirements ( identify all users/devices, include external,internal, admin / then identify all the tr...

anav

Why use PCC if ECMP is working fine???? Also, I have to laugh, if you know where the problem is, since you have not provided the full config, then why ask for help here?? I usually never even bother looking at snippets, 90% of the time, doesnt provide all the information required for rectification. ...

anav

I drink coke zero.
Also, enjoy how mikrotic continues to waste our time by not having a new poster process... Thanks, for the efficiency of Latvia, what would we do with our free time!!

anav

https://www.youtube.com/watch?v=EX6QqHm ... 4kPk0Y2_Z9
https://www.youtube.com/watch?v=XpH_cbF ... u-PxO8k3db
https://mikrotik.com/consultants

anav

I suggest that you forget capsman and simply setup the wifi in each ax lite as you are doing now.
How many vlans do you need on your network? ( often= # of SSIDs, home users, guest users, IOT devices etc. + managment vlan or one can use home vlan as trusted ! )

anav

Interesting question but the answer is no, as you would need completely different wireguard interface which the router creates. Its kind of automagic............ You start the BTH process, enable it on the router. Then you setup the master Smartphone account on your smartphone. Then from your smartp...

anav

Post both configs. CHR and first starlink /export file=anynameyouwish ( minus device serial number, any public WANIP information, keys ). To be clear on requirements. There are two sets of road warriors. a. those that need access to LANS on each starlink. b. ADMIN that needs access to LANS too but m...

anav

Yes that was my bad, I meant Remove the NETMASK, what is missing is any DNS-server setting.

anav

Hahah, luv the explanation jaclaz, but I agree with rextended that the default rules for a single bridge and flat network are just fine ( a very narrow set of initial circumstances )!!
As soon as one starts changing the config, the default rules can usually be better optimized to fit the changes.

anav

Your config aka firewall rules are complete waste of time, its like you decided I am going to focus on blocking everything I can think of or read about or saw a youtube video about and never asked the question do I really need to do this. or WHY doesnt the basic firewall set of rules that MT provide...

anav

As noted, above @sindy's "Bridge Mysteries" post goes in way more depth.

Soon to be a Netflix Series..... The Mystery of Sindy's Bridge

anav

No problem, once you post both config, I will be able to ensure it meets the needs.

anav

Thanks for letting us know, hence why network diagrams are important to inform and provide context on connected devices!!
Advice for all the whackamole advisors here, basically everyone except myself.... ;-PPPP

anav

There is no lan 192.168.90......it really just a wireguard subnet with no dhcp or anything but sits at the LAN level and thus is subject to L3 firewall rules. Okay so who is using the full internet ??? Is it the roadwarriors using home internet Is it the roadwarriors using office internet Is it the ...

anav

Okay I understand better now, what is going on. For the HAPAC at the office.......... then... Lets give it a wireguard address /ip address 192.168.90.2/24 interface=wireguard network=192.168.90.0 Its settings would be add allowed address=192.168.90.0/24,192.168.88.0./24 endpoint-address=HomerouterIP...

anav

1. What is the purpose of this entry.......... /ip dhcp-server network add address =0.0.0.0/24 gateway =0.0.0.0 netmask=24 2. Format seems off add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24 TRY: add address=192.168.1.0/24 gateway=192.168.1.1 network=192.168.1.0 3. Get rid of the garbage f...

anav

Are both devices mikrotik routers?
If so post both or at least the main router.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

anav

So just to get this straight. Your ISP gets a private IP?? In other words you can either forward a port (by port) or all ports by DMZ, to the LANIP of the hapac, and the traffic heading for a specific PORT to your ISPs public IP will reach your hapac? If that is the case it should work just fine. 1....

anav

Would need to see the complete config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

Post your updated latest config for review when ready
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys)

anav

One is unable to easily create and send a client peer user, a completed wireguard setup file or qr code, so dont waste your time. I have provided MT with some thoughts on how to achieve this, lets see what they come up with down the line. For now send your peer users the information in a text file s...

anav

Correct, opening up dns on the input chain, to anything but the LAN, is a bad security practice. WRONG: /interface wireguard peers add allowed-address=10.3.53 .0/24 interface=wireguard1 name=peer5 private-key=\ "12345678+x5heP9Jtyk18+VADKp4tV2Z8S3E=" public-key=\ "987654321+IcGxbs30vd...

anav

You are stating how you achieve some goal but not articulating the requirements clearly. Identify the external users that need access to your device. Identify what they need access to. State how they should connect to you device ( wireguard? port forwarding? ) Also the mechanism. By WANIP, by LANIP,...

anav

First, no need to run around in circles. Step1: Ensure you have a public IP from your ISP or perhaps an ISP provider router that gets a PUBLIC IP, and you can forward ports from the ISP router. Step2: If the answer to 1 is YES, gold, if the answer is NO, then problems, and the question asked above b...

anav

Sounds like for every hapax3, they should release a hapNV3, likewise -- ax4, NV4

anav

Clearly the evidence and your statements are in contradiction. You didnt remove wireguard as the peer settings were still there. You didnt remove ether10 DMZ as you named it from the bridge it was still there etc. Without a clear set of requirements, which you keep changing or informing in dribs and...

anav

Awesome good plan........ the concept of identifying users and traffic needed is that it helps formulate a decent plan and with a decent diagram and config with known context can be provided more readily. 1. Since ether10 is disabled, the one that holds the DMZ, I would suggest not including it on t...

anav

1. What third party wirguard vpn are you connecting to?? 2. If the router is acting as server peer for handshake, ( no third party, then your peer is wrong it needs to be the exact wireguard IP /32 of the client peer ) 3. What is the purpose of stating a private key in wireguard peers? Its not asked...

anav

I dont understand......so you have one RB5009, connected to the internet and it handles most of your regular home traffic?
THen you have a second RB5009 for VPN traffic?
WHY? you only need one device to do both...

anav

What have you done so far? Where is your config??

anav

1. Set all of this to none, its known to cause all sorts of weird issues. /interface detect-internet set detect-interface-list= static internet-interface-list= WAN \ lan-interface-list= LAN wan-interface-list= WAN 2. If ether2 is on the bridge there is no need for this entry...... add interface=ethe...

anav

Why do you even own a router? It looks like your more concerned with blocking traffic vice creating rules to allow only needed traffic. Might as well not bother using the internet. Looks like bloatware............. Focus on needed traffic and at the end of each chain simply put drop rule for everyth...

anav

or not and simply accept its far easier to know what traffic is needed vice all the ways traffic can possibly circumvent firewall rules.
Allow what you want, drop the rest is as clear and as simple as it gets, anything else is just noise...........

anav

Much easier to spot errors when your firewall rules are within the same chain as well!! Also for interfaces you could make one for all subnets that need internet, or need access to a printer or whatever you fancy. Its a matter of creating interfaces or firewall address lists for efficiency and clari...

anav

Interface lists are handy things. They are used in different parts of the config. Think of using them as a way to describe one or more interface ( normally vlans once gone down the path of using vlans). The default interface lists are well understood, WAN and LAN. One can make any sort of LIST one n...

anav

The complete config is required as requested for me to reply, unlike anserk I dont like playing whackamole ;-P
Its already clear that you are trying some non-standard setups to deal with a yet to be fully determined wan setup and unknown set of user requirements.

anav

Forgot to add,
BOTH devices need an IP ADDRESS, that is on the management vlan.
THUS for both need
/ip address
add address=x.x.x.x/24 interface=vlan42mgt network=x.x.x.0

anav

Minor things so far.. 1. Remove the extra entries............... to see if it makes a differerence from: /ip neighbor discovery-settings set discover-interface-list=MGMT lldp-med-net-policy-vlan=1000 TO /ip neighbor discovery-settings set discover-interface-list=MGMT 2. Slight mod /interface bridge ...

anav

Where is the first switch getting its vlans from aka where is the router providing DHCP for all the subnets?? In other words, is the first device, is NOT acting solely as a switch, and its supposed to be acting as a RoUTER, Important to point out as I was looking for a trunk port from an upstream ro...

anav

As pointed out the config should be: /interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=1000 add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10 add bridge=bridge frame-types=admit-only-untagged...

anav

without seeing config...............hard to say
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

Yes, this is a dogs breakfaST of a config, surprized much works, before tackling wireguard must read this and apply: https://forum.mikrotik.com/viewtopic.php?t=143620 One bridge, all subnets expressed as vlans!! ( and where in the heck did you conjure up this non-existent interface interface=wlan_11...

anav

Not sure what command you used LOL but it wasnt what I gave you which doesnt bode well for future advice not being followed ;-PP

I suspect you used something like
/export verbose file=expoanythingyouwish

Please post without the verbose........

anav

Avoid those that talk in riddles LOL.........
Case in point, you DONT want to end up like this................ dog pukes on config --> viewtopic.php?p=1142057#p1142017

anav

FIGURING OUT WHAT kind of connection your ISP device is getting certainly is key!! Check IP DHCP Client for your WANIP? a. confirm you are getting private WANIP on the MT device ( should be a private IP from the ISP router LAN side ) CHECK IP Cloud b. check the IP address you get from IP CLOUD enabl...

anav

Clearly indicating as noted that any hands off adaptation will require scripting.

anav

Management should be handled by a management vlan and associated with a TRUSTED interface list, and that TRUSTED interface list should be used for neighbors discovery and mac server winbox-server tool setting. You can attache your PC to any sfp port or to a switch connected to an sfp port and call i...

anav

RoS is very flexible and allows one to do all kinds of setups, many are not wrong, they are simply not efficient. This is the case with two bridges, it seems like an obvious go to, but its if needing multiple subnets to a.. use a combination of single bridge and assign other ports their own subnet b...

anav

To be clear you want primary DNS to be your NAS. If the NAS crashes you still want folks to be able to access the internet by a public DNS service. This will not be possible without some intervention after the NAS crashes. For example you could do this... address=192.168.0.0/24 dns-server=adguard-se...

anav

/// I will stick with simple ///

anav

Please provide the configs from both Starlink MT router and the VPS CHR......... 1. There is nothing we can do to control the setup on your roadwarriors. That is up to you to config. On my iphone for example my allowed IPs are 0.0.0.0/0 and any traffic I attempt is routed through the vpn tunnel. The...

anav

Sorry copy and paste the config to here directly via text editor aka notepadd++ Then post here and use the code quotes around the text ( above black square with white square brackets on the same line as Bold and Italics etc.) We appreciate the effort to provide the config, but its against good secur...

anav

Correct Jaclaz, the use of ether5 as a temporary off bridge port is still valid, and thus at the very end, that switch can be done from a PC working on any of the other ports with admin privileges. a. remove IP address for ether5 and change name back to plain jane ether5. b. remove ether5 from LAN a...

anav

OP: Any post entry without context is only opinion, we work from facts.
please post both configs
/export file=anynameyouwish ( minus device serial number, any public WANIP information, keys)

anav

That is the point, there should not be three people guessing, it should be one person answering correctly for a decently constructed post. Rinse repeat posts per day, day after day, year after year........
Definition of insanity or refusal to look at context.........

anav

Not sure what you mean, you configure wireguard at each end as applicable. For example: the main bridge, haves 20 hosts connected. I want that the Wireguard tunnel is only applied to the device 192.168.88.20, not the 19 others. For starters you need a plan, and clear requirements For example I have...

anav

Not sure what you mean, you configure wireguard at each end as applicable.

anav

Great then we can expect to see two configs

anav

Sort of, the bridge can be used for any number of connections of ports but typically its used to encompass all the LAN ports and not the wan Port. Correct one assigns ports to a bridge if they are meant to be glued together at layer2 by that bridge. So if one wanted to apply firewall wall rules (lay...

anav

Can you draw a network diagram so I can see the relationship between devices, location and how attached to the internet............

anav

https://www.youtube.com/watch?v=EX6QqHmbBpY&list=PLJ7SGFemsLl0ld4OrcnVBHg4kPk0Y2_Z9 (and many others) From mikrotik................ https://www.youtube.com/watch?v=13NvZY7sRlY https://www.youtube.com/watch?v=ZpAY_6RDuRA https://www.youtube.com/watch?v=kF4b_t6W5fM https://www.youtube.com/watch?v=...

anav

Which end has a public IP or an ISP router that one can forward a public IP too...... I would setup a wireguard connection at both ends, one of them being the server for handshake and the other being the client for initial handshake. https://help.mikrotik.com/docs/spaces/ROS/pages/69664792/WireGuard...

anav

..........

latestinterface1.jpg

..........

latestinterface2.jpg

anav

1. Due to a better understanding the Responder Function, it is now clear to me that MT had it correctly positioned to be associated with each peer and not the entire interface as I thought. However, I have decided to leave the RESPONDER checkbox on the interface page due to the fact that its likely ...

anav

That would be the first approach by someone using logic but doesnt know the efficient approach . 1. assign each port a subnet 2. assign a bridge as a subnet for all ports 3. assign a bridge with a subnet for some ports and for others assign separate subnets 4. Assign one bridge (with no dhcp respons...

anav

When a device is acting as a router, the WAN interface ( typically an ethernet port) normally has nothing to do with the LAN bridge. ( only the router itself is getting an IP address via this port ) ( the subnets either get their ip address from the bridge, or via vlans, or possibly partly bridge fo...

anav

Once fixed, then recheck. I suspect any further issue for road warriors to reach either internet or subnets have more to do with the VPS setup than the MT.

anav

yup I see that the bridge subnet added for troubleshooting purposes vice single admin devices, no worries. black bold, recommend removing orange bold not required at all red bold, remove blue bold, forgot to add !! /ip firewall filter add action=accept chain=input comment=\ "defconf: accept est...

anav

4. Export and post your full configuration. Redact as necessary, but not too much.

For the mother of god this !!!!
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

Also a network diagram to show the relationship between devices..........

anav

1. I wouldnt name my wg interface mark phone, dont like spaces and its simply the name of the peer,,,,,,, wireguard1 is an example. 2. the address in firewall rule is incorrect should be 192.168.100.0 /24 add chain=input action=accept comment="wg access" in-interface=wireguard1 src-address...

anav

No worries, meant TLC sorry! ( tender loving care ) Local users in your config do use the local WAN for internet, there is no way for them to use wireguard based on the config, so not a concern. a. since the wireguard interface is part of the LAN interface list and b. you have a rule allowing LAN in...

anav

I forget, what does Amnezia do ?? bada bing!!

anav

Anyway it would be much better/easier if you could post more details on your layout and your current configuration, following these instructions: https://forum.mikrotik.com/viewtopic.php?t=203686#p1051720 If I got paid a nickel every time you typed that.......................... One day you too wil...

anav

On the VPS server you need a relay rule of sorts as wireguard is a peer to peer network so in MT terms it would be add action=accept chain=forward comment="relay rule" in-interface=wg0 out-interface=wg0 Therefore a destination address for 10.0.0.25 would come from a road warrior exit the t...

anav

First mistake is using ubuntu for VPS in stead of mikrotik CHR ;-P What you are attempting to do I only explain in MT terms. The MT Router behind the starlink needs some TLC! 1. Delete this line, known to cause funky issues on MT devices. or set to none! / interface detect-internet set detect-interf...

anav

Concur with Sindy, admins job is not about random results LOL, I think most people would simply like certainty and KISS, which setting the initial wireguard listening port ( we are talking the client peer for handshake, so can be anything ) to a fixed number is not going to upset anyone. What is coo...

anav

Yes, I prefer to turn off the default route in IP DHCP Settings so its clear to the reader what the routes are doing, clearly in this case the default route, if still in place for WAN2, with the same distance as the PRIMARY, would act like ECMP and thus get some of the sessions. Turning it off and u...

anav

That was my fault cgx, I provided the incomplete routes setup ( forgot to ensure the check-gateway=ping were included ) Should have been. /ip route add check-gateway=pin g comment="Primary WAN" dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 target-scope=12 add check-gate...

anav

For a config review, as jaclaz stated, the complete config less router serial number any public wanip information or keys is required.

anav

2. That was from default configuration from MTK. I dont have set something like that! Nope, this is not part of any default setting, its on the config you provided, and the only way it is enabled is if you made it so, but in any case no biggie, just disable it. ( mostly used for queuing I believe )...

anav

Not trolling, just call it like I see it. Pushback rebuttal is directly proportional to the ego of the other. :-) Haven't tested lately but ports being forwarded on a router used to show existing on port scans but closed ( not open ) If you add a source address or address list to a dstnat rule, the ...

anav

I would prefer not to have random port selection as there is always the chance of duplicating a port being used somewhere on the router......................... or something fairly common....22, 80, 443 etc........ but glad to hear this works!!

anav

Nothing I can see thus far that would cause any issues. Couple of things seem off. 1. The second NAT rule seems to be doing nothing, you identify a source address but what is being source natted too??? So perhaps you should explain why you have the second rule ( intent-purpose ??) /ip firewall nat a...

anav

No idea what you mean, if you have an emergency call 911! The only emergency is the bloated crap load of rules you have............. And why are you port forwarding NTP to a subnet?????? Finally, too many parts of the config are missing, I will move on to help someone else more cooperative, as i did...

anav

If the mikrotik is a client peer for handshake then change the listening port on the interface as this should clear up the issue. Dont laugh but here is a script that will do just that......... It should be paired with a route that checks if there is an address available on the remote server peer ro...

anav

If you now have a static Public IP available to the mikrotik router OR to the ISP router, then remove BTH and simply use full normal wireguard on your MT router.
If its the ISP router that gets a public IP then simply forward the listening port to the MT.......

anav

1. What is connected to each port on the RB4011, ether2,ether3,ether4,ether5, ether6, ether7 ????? 2. It seems you have every vlan going to every port?? if so then this can be shortened TO: /interface bridge vlan add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids= 10,20,30,...

anav

Evidence.
Post config
/export file=anynameyouwish ( minus router serial number, any public WANIP, keys )

Also, why do you need www and ftp internally?

anav

Dont mind helping but one has to make efforts as well......

anav

None of those were new rules, it was an excerpt from your existing rules ( thought you would recognize them LOL ). When I give you hints, the idea is for you to then go ahead and do some research. Go to mikrotik documents and in the search put in sniffer. https://help.mikrotik.com/docs/spaces/ROS/pa...

anav

Sorry need to see script not pics. /export file=anynameyouwish (minus router serial number, any WANIP public information, keys, passwords ) The pic does show that the first recursive is active, and the second recursive not being used and the backup not being used. Thus nothing strange from that at l...

anav

No .......all I did was modifying one existing rule, the bit I added is bolded.

Try sniffing traffic on port 53

anav

I dont care about puke windows puke. :-) Also why would your windows PC know that the traffic or DNS is even going in an encrypted tunnel??? The question is are the www lookups from the LAN subnet going through wireguard or not. I am not sure how to test that, but we dont allow your LAN to go anywhe...

anav

1`. Here is problem1 add bridge =*F interface= pppoe-out1 Do not add the pppoe interface to the bridge!!! 2. Here is problem2 /ip dhcp-client add comment=defconf interface=ether1 This should be disabled or removed, the client settings for wan are dealt with in the pppoe settings!! 3. Problem number ...

anav

I would say your missing the part of who is being redirected here......... /ip firewall nat add chain=dstnat dst-port=53 protocol=udp to-addresses=10.10.10.2 action=dst-nat comment="redirect DNS" ( src-address=subnet???? src-address-list=???? ) ahh I see you have addressed that in your lat...

anav

Ahh okay,,,,,,,,,,,,,,,,
So normally the router trunk from the CRS that contains the subnet would not be used but sort of sitting there waiting?? ) and I note that if pFS is not working there are no subnets coming in on the switch side trunk.

anav

I didnt see any messages on discord.........

anav

I think its illogical to do both at the same time, but given that its wholly possible, due to flexibility of RoS, then why on earth would you want to create additional subnets (on the router acting part) that have the same address on subnets traversing through the switch part ?????

anav

SE:CR:ET:MA:CA:DD

anav

Everthing should go through the tunnel setup as far as I know.

anav

Okay so you are using this switch as a Router, and thus assuming your ISP throughout is no bigger than 200Mbps. Lots of things to fix in /interface bridge ports and bridge vlan Read this bible has switch examples -->https://forum.mikrotik.com/viewtopic.php?t=143620 Then watch this video --> https://...

anav

It would appear so, I read scripts better than diagrams LOL

anav

Okay so most of that went zing over my head as usual.
What should we ask Mikrotik to do........................

anav

The config looks just fine to me, all good!!

anav

Sorry dont read that format.
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

anav

Probably related........ Should be good to go.

anav

No that is for the firewall rule that is duplicated which you did not highlight,,,,,,,,,,,,,,,,,,,,,, the reason is there is no incoming handshake to the router for establishing the vpn connection, its your router that is sending out the intitial handshake and thus its the remote end (if mikrotik) t...

anav

Where are you located? I can help but dont take payments..........
contact me at discord (removed no messages sent)

anav

Its RoS, not linux, sorry. VRF will work for your requirements.

anav

Just the one dealing with wireguard and do you know why it is not required??

anav

Hmm probably a few errors, lets see what we can ascertain. 1. This rule is not required. If you note that the last rule states DROP ALL ELSE, this means anything above this rule NOT allowed will automatically be dropped so this rule is not wrong but simply not needed. add action=drop chain=forward c...

anav

Just remove, delete them LOL. do you use winbox?

anav

Suspect simply hiding the mac address...............??

anav

Your config rsc is fine, regarding security, As for observations, just two........ a. WHy do you have this rule??? add action=accept chain=input comment="Allow WireGuard" dst-port=51820 \ protocol=udp b. why do you have this rule out of the order for forward chain rules and especially when...

anav

Yes it can, use VRF to create the additional virtual routing table on the mikrotik device!!

anav

I see you have a fixed WANIP......... Thus (KISS) /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24 add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN add action=dst-nat chain...

anav

/ip firewall address-list add mynetname.net list= MyWAN { using your my ip cloud name } /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.1.0/24 add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-inte...

anav

Does the RB5009 provide time to the netgear switch (NTP). Stretch but thinking of things that may cause differences.
Wonder if you can borrow a different switch to see if the behaviour remains.

anav

Any information that identifies the IP address of the ISP internet address you were given, or the ISP gateway IP address etc..........
or any passwords or usernmames provided by the ISP.

anav

Its better than most but still has some meandering not well explained items and some errors but overall not a bad video.
The fact that you state firewall rules should have no bearing on the wireguard config also detracts from the post ( aka your assessment).

anav

Sure,
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys)

anav

There may be some tricks you can do with NAT ( source or destination ) but this assumed two mikrotiks at either end. Also its not clear whether or not the duplication is the subnet at your router, with wireguard, OR with the remote subnet at the other end, with wireguard? Lets assume the duplication...

anav

Anav, I think some people will still use the web interface as opposed to using Winbox, so I included those remove commands in order to clear out those config items in that scenario where they may have made initial ip configurations. Ahhh okay, my bad. Ensure though you reference that so its clear t...

anav

Nathan your hurting my brain, is there any reason to separate connection tracking clearing of change IP and down and change of ISP? and if not, then MT simply needs to ensure the functionality exists that covers both, even if its just a checkbox.

anav

heated agreement, MT needs to make src address only as ECMP hash option.

anav

There is also the similar mangle rule, probably wont help either but worth a shot..... disable the other and try this one: add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wg-nordvpn passthrough=yes protocol=tcp tcp-fl...

anav

What routers or devices are handling wireguard at each end?

anav

I would make some changes....... as follows ( we gave used a wireguard interface name ( can use whatever you prefer) of wireguard-VPN ) THIRD PARTY VPN - one flat subnet only /interface wireguard add name=wireguard-VPN mtu=1420 listen-port= AnyPort# \ private-key="INSERT THE PROVIDED PRIVATE KE...

anav

Did you make your suggestion directly to Mikrotik via their support page sub section Suggestion ( vice Bug )??
Seems like an L3-lite is a very worthwhile suggestion.

anav

yes you could try adding this rule in ip firewall mangle.
add action=change-mss chain=forward new-mss=1380 out-interface=wg-nordvpn protocol=tcp tcp-flags=syn tcp-mss=1381-65535

anav

Instead of presupposing the solution stating the issue solely and asking for potential approaches is better. To be clear a. who decided the IP address schema of the wireguard subnet and can you change it? b. who decided the IP address schema of the local subnet that clashes and can you change it. Th...

anav

/export file=anynamwyouwish (minus router serial number, any public WANIP information, keys) for both sites.

anav

For this one, i got this error while trying to add [admin@MikroTik] /ip/firewall/filter> add action=accept chain=forward comment="Subnet to wireguard" out-interface=wg-nordvpn src-address=50.50.50/0/24 value of range must have netmask after '/' either as number or as ip value Of course it...

anav

Okay, nice explanation!! From my reading its probably best to have the NVR and the cameras on the same subnet but this is still possible and keep all your requirements. Just a bit of finessing on the firewall rules. Not sure why you have an ageing time set on the bridge, first time Ive seen that so ...

anav

For router security also recommend the following rules. /ip firewall filter { input chain default rules to keep } add action=accept chain=input connection-state=established,related,untracked add action=drop chain=input connection-state=invalid add action=accept chain=input protocol=icmp add action=a...

anav

Yes, the rules provide good security and prevent leakage as you desire.
They only allow lan traffic out the wireguard tunnel.

As to the other question, just to confirm that you have a default route enabled in LTE settings.
I am assuming you do otherwise the tunnel could not be established.

anav

Sorry lurker didnt really understand but you seem to be saying that with the new kernel ( really still an old kernel ) that MT is now using, the unexpected behaviour is normal/expected, much to our shagrin. Furthermore, you are hoping that MT comes up with a built-in easier way to clear the connecti...

anav

Yup watching this thread as most expect masquerade to clear connections..........otherwise rextended scripts will get extended use LOL.
I would not consider this solved until MT replies with certainty about new behaviour or they forget to do something during programming etc............

anav

Okay, 1. Modify allowed IPs from: /interface wireguard peers add allowed-address=0.0.0.0/0 ,::/0 endpoint-address= \ endpoint-port= interface=wg-nordvpn name=peer1 public-key="" TO: /interface wireguard peers add allowed-address= 0.0.0.0/0 endpoint-address="as provided" \ endpoin...

anav

Looks like you pushed a release candidate (beta) to production. Probably not the smartest move.

Larsa, dont they teach that at IT school. Use the latest beta firmware for production!
Maybe they took that advice when running the Spanish electrical grid ;-)

anav

viewtopic.php?t=143620

anav

If you think the two rules are complex, I imagine you don't do the cooking at home ;-PP
I dont disagree with the simple approach, but nothing wrong with knowing how one gets there and thus able to adjust if required.

anav

You have hidden to much information to be of real assistance. The only thing that should not be entered is a. NORD VPN settings - private key - public key - endpoint address The rest should have been available for viewing. b. Router settings - serial number ( check ) - endpoint-address ( check ) - p...

anav

Danke!!

anav

Lets set the rules straight here!!! TWO RULES OF THUMB (scope & target scope): First Rule . The resolving route (DIRECT - connected route) with dst-address TO the "real WWW IP (dns site)" and with local ISP gateway IP, has Target-Scope=X and the recursive route (INDIRECT - external rou...

anav

The bible on setting up vlans: viewtopic.php?t=143620

anav

Provide a diagram and a clearer description of the requirements Does the NVR need to be on the same subnet as the cameras? One can access the NVR by IP address and not have to be in the same LAN (advised for security reasons). So neither cameras nor NVR need access to the internet?? Wifi will have h...

anav

Go to the support page: https://mikrotik.com/support
Select the CONTACT SUPPORT BAR in the middle of the page: https://help.mikrotik.com/servicedesk/s ... r/portal/1

anav

Yes and no. Even with the odd ether-1 setup, it's faster then old Hex when used as a normal router. As a switch however, that's another story. I'm sure they made it in accordance to what's needed for majority of their customers. We only see a fraction of that population here (and only the most savv...

anav

Obscure, not, simple transaction issue: No one paid my tariff of 365 belgian chocolates ( one for every day ).

anav

Hi Jaclaz, I assumed the OP, when he stated he was behind NAT, meant that the hex was behind an upstream router ( aka ISP or own )??

anav

Now, there are many parts of the config missing, so no guarantees if the router will work properly in all circumstances or if the setup is secure..

anav

Two errors: You changed the PVID on the bridge itself, this should kept to the default of 1. Secondly forgot to tag the bridge! Modifications: /interface bridge add ingress-filtering=no name=bridge1 protocol-mode=none pvid=1 vlan-filtering=yes (once the rest is setup and working add frame-types=admi...

anav

Its an excellent cheap wireguard device as a host and its easy to setup.
You just have to be clear on the requirements and a network diagram also helps in planning.

anav

There would be no problem with a wired only version, just plug in a wifi AP at the other end............

anav

1. A port carrying only a single vlan tagged subnet is still a trunk port LOL. 2. What are the tagged vlans on ports 3,4 and 6-8 going to?? Any smart device on the network should be on the managment vlan ( get its LANIP from the management subnet ) and thus each trunk port should carry as a minimum ...

anav

Provide
a. the config settings provided........... ( minus endoint address use x.x.x.x.x and any keys )
b. router config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys )

anav

It is not clear what you are doing on the hex as you dont provide an actual config.......... nor is it clear what you are connecting to, a third party provider, your own server somewhere?? Nor are the requirements stated, what is the purpose of the wg connection for the hex............ to reach inte...

anav

Indeed advanced!!
MT AI BOT Transcript.

Hey Bot, is Normis Sexy?

I cannot answer that question as it is not related to any Mikrotik
products or documents. However, yes, but without the beard.

anav

It would seem that the ether1 renders this device useless compared to older versions of hex ( except arm core of course and thus BTH etc. )

anav

This would be appear to be some hardware or firmware issue, cannot see it being related to RoS. Should be reported as bug to MT.
And perhaps a product wide recall and refund to all purchasers of this product and rename the product to Hex Recycle

anav

No, you have configured the mikrotik to ensure that the communication you seek is not available. In other words self-inflicted due to lack of knowledge. The firewall rules are not the problem. The basis of error is a missing routing rule..... Complete review follows. You have not provided any of the...

anav

One must first ask, is this the optimal location to ask such a question? For example, when did the Ford Mustang first come out with a v-8 engine? OR How do they put the cadbury milk chocolate in the cadbury milk chocolate bar? Both are technology questions! :-) Neither of which the MT AI bot could a...

anav

My bad I looked at the date of the responder and not the original post date LOL.
I blane yahelb for bringing it back to life

anav

I didnt get past the first para where your world has apparently ended, but you have never posted here for help. Why come here to complain, this is not the complaint department its the get assistance with your config department. Counselling and mental health well being are down the hall. The way it w...

anav

It works, something wrong with your device settings or the manual information you provided to connect.s Possibly a permissions on the router as well.

anav

Same questions I had. I believe the NVR talks to the reolink cloud server. User, via their reolink app, reach the cloud server and then down to their NVR. The NVR should have no ports forwarded to it, that would be bad, if the OP was thinking of port forwarding to view direclty by IP or something. A...

anav

KISS ( i personally would never go to the complex lengths above)! - never open up DNS to the WAN side. - have drop all else rules at end of forward and input chains - do not host servers if at all possible, if you must....... do you really have to???? a. use VPN for users to access subnet locations ...

anav

viewtopic.php?t=143620

anav

Sorry cannot help further. The advice from the beginning has been one bridge..........lead a horse to water......

anav

One would have to provide the fact. /export file=anynameyouwish (minus router serial number, any public WANIP informaiton, keys) In both cases, device as a switch or router: The fact of the matter is the bridge does NOT get an address. The vlan gets an address. The only route required on a switch, a...

anav

Without some diagrams nothing makes sense.

anav

Will stick to recursive, works and is much easier or via netwatch if one doesnt want to wait 10 seconds etc....

anav

Well, its pretty straightforward...... Only one vlan is identified on the switch, the management vlan and in IP address is where switch gets its IP address from. Only the managment vlan is tagged with the bridge, the rest are tagged on the incoming trunk port and as required on outgoing ports ( unta...

anav

Is this the same device that mkx was trying to help you with??

anav

You didnt get rid of raw rules................

anav

draw a network diagram.
Do you mean you have two WAN connections?
Do you mean you have two Subnets?

Etc..............

anav

I use my capacs with my hex without capsman its quick and easy to config. Your hair will not turn gray or fall out!!

anav

Sweet!!

anav

You have hidden way to much information, just the WAN public information and the only thing that would relevent is the username and password on pppoe. 1. Improve Interface list entries, but I dont see a trusted or management vlan?? Ahh you are mixing apples and oranges. Once you go vlans so will cha...

anav

Netwatch leaks out any wan to find a connection and thus you need to blackhole any netwatch routing with a second following route same table distance add one.

anav

Then setup vlan filtering now and once its smooth, do the wireguard, should take me 10minutes to fix once you have an initial config its like butta. First however, its best to work the config from an OFF the bridge position. What i recommend is create an offbridge port for local emergency access. So...

anav

Yearly rate of $20,000, that an over 50% markdown sale!! Get it while its hot!

anav

As you may have guessed the responders have some WHAT IFs, and other suggestions ( and also some errors). In other words, you should not be asking for a part solution if the requirements are not fully identified. A better response can be had when we know what else is going on the router for both inc...

anav

You can use mine, only 5c per ping.

anav

This is a clue that the router is not happy with your config....... /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN add interface= *9 list=WAN add interface=ether2 list=WAN /ipv6 dhcp-client add add-default-route=yes interface =*9 po...

anav

The point is wireguard is not the real issue at the moment. Once the config is fixed, then we will be able to see whats going with wireguard, if its still a problem.

anav

Put cement in the serial port ;-P

anav

also add
/ip neighbours discovery
set interface-list=TRUSTED

The option to change the pvid of the bridge exists because in some niche situations it may be required.
I would say its rare but I dont know enought to state what weird setups this would make sense for.

anav

1. Any port not being used should be a. disabled preferably OR b. at least removed from bridge c. the bridge itself retain default pvid but set frame-types=admit-only-vlan-tagged. d. on ports being used, ensure ingress-filtering is enabled and frame types set as required ( either vlan tagged, OR pri...

anav

a diagram and revised cleaned up config may help us provide better assistance.

anav

One flat network or vlans? diagram will help understand

anav

Okay, so depending upon the ability of the unmanaged switch then we have two options and one, both, or none may work. a. make it a trunk port to the un-managed switch both vlans tagged b. make it a hybrid port to the un-managed switch, tagged for one, and untagged for the other. May the best option ...

anav

Yes please, clean up the config, garbage is noise and noise makes it difficult to read a config OR to spot errors..........

anav

Any hex device makes a great little managed switch that works great in a home setting or even an office setting. If one is in a corporate setting where, for example, the same vlan spans two or more ports on the switch, to users that will be sending huge amounts of data back and forth across the swit...

anav

Best to provide your config for review /export file=anynameyouwish (minus router serial number, any public WANIP information, keys),.\ Steps 1. Take the private key given to you and when you make an interface on the MT router, use that private key to generate a public key ( that way windscribe alrea...

anav

There are several options. a. connect PC requiring vlan 10 directly to the audience OR ax3 b. replace the un-managed switch with a managed switch (could even be a hex) and then send the two vlans to the new device 10,20 c. buy a second cheap unmanaged switch untagged to vlan 10 and then plug in the ...

anav

Please draw a network diagram because the explanation muddles devices relationship and clarity is required.
In general, the management vlan needs to go to all smart devices ( such as the audience) as smart devices should get their IP address from the managment vlan.

Search found 23902 matches