MikroTik

xvo

In ROS you can choose whether you want switched or independent ports on every device for every port.
And as you don't need high speeds, shared bus to the CPU will not be a problem too.
So any device with needed number of ports and needed wifi capability will do.

xvo

If you really don't need more ethernet ports, then it should be ok: it is capable of pretty much everything you can need in home environment.
The only thing is a lack of usb port.

xvo

If you want to set which of them should work you can remove add default route to NO in IP>DHCP Client and add them manually with different distance! You don't really need to set "add default route" to no: DHCP-client (as well as PPPoE-client, L2TP-client, etc.) have "Default route distance" setting...

xvo

It's been quite a while since we've heard anything about the CRS354 and CRS332, any updates on those?

"CRS332" was released long ago as CRS326-24S+2Q+RM: https://mikrotik.com/product/crs326_24s_2q_rm

xvo

CRS328-24P-4S+RM is not listed among devices that support 100Base-FX: https://wiki.mikrotik.com/wiki/MikroTik ... iber_links

xvo

All Mikrotik hardware products come with appropriate license preinstalled, so you don't need to purchase license separately.

xvo

RB750 R2 is supposed to have 16MB flash.
Can you please post what you get in System -> Resources on both routers (the one affected, and the one that is not).

xvo

Seems strange.
Especially because it manifests itself only for apple devices.
Probably a bug.

Anyway, glad you found it.

xvo

Yeah, you are right, that's your feature - jumping to conclusions based on your imagination only. You call imagination the fact that i can see with my eyes 3 different subnets on the provided photo ? Really ? :lol: I ve seen many times as well enginneers not seeing the obvious... no offense too.......

xvo

Yes, but can I set a ban on the firewall only for selected logins (users)?

Only on src-address basis.
Or you can let the user connect, but not allow to reach anything.

Otherwise - couple of scripts in the scheduler, that will disable/enable needed ppp secrets/interfaces.

xvo

Thanks xvo its just a big learning curve for me as I have always dealt with simple networks this one is a big challenge for me and a lot for me to learn. I am an engineer not a software person wires, wifi and fiber I can understand the programming side of things I struggle with. Bottom line: the an...

xvo

xvo this is a new project out of what I have done before. So looking for some help and constructive comments! As I wrote from the start - two devices on you picture don't have to be routers. You can do such link with two managed switches. And it won't be hard to configure them. But, that is all tha...

xvo

I wonder how @xvo and @mkx would isolate those subnets on L2 and L3 with the use of only managed switches... Am just happy that am a step ahead... :lol: Each of the networks can have it's own router, for example. Ahead of what? Common sense? :lol: Yeah, you are right, that's your feature - jumping ...

xvo

...or you can just use "Time" firewall matcher to restrict establishing the l2tp connection outside the needed time interval...

xvo

Nothing was said, unless you see the photo again...

OP said

Is it possible to put 3 networks down a fiber connection then break them out at the other end?
To me this sounds a job for a pair of VLAN switches without any routing capability whatsoever.

Same for me.

xvo

@xvo its an interVLAN network... you need a router to block the L3 communication between VLANs. EEEhhh, what? :shock: Please, tell me, what will change if you swap the two routers on the scheme above with two managed switches. In OP nothing is said about interVLAN routing, only about squeezing 3 se...

xvo

Yes, of course it is possible.
It is called VLANs.
And you even don't need routers for it - managed switches will suffice.

xvo

I don't see anything wrong apart from two moments, that are not related to the problem: 1) Address should be moved to the bridge from ether3 /ip address add address=192.168.1.1/24 comment=defconf interface=ether3 network=192.168.1.0 2) Your firewall is highly inefficient, when it comes to the load o...

xvo

Post your config: /export hide-sensitive There is a lot of sensitive information. Maybe something specific? Well, all specific ideas were already spoken :) What is left are the ones, that you won't normally think of. Replace things like public IP's and port numbers open to outside world with some a...

xvo

Post your config:

/export hide-sensitive

xvo

I don't get it, what has ping to do with dns settings at all?!
What address are you trying to ping?
And using what tool.

The only thing that comes to mind is that you DNS does not serve PTR-entries correctly.
But once again, it has nothing to do with ping.

xvo

In the situation you want to troubleshoot (nothing specified in DHCP networks), what DNS servers do apple devices get?
Does it change anything if you add router's address in DHCP networks as a DNS server too, not only as Gateway?

xvo

The opposite situation, with second WAN, is less common, IMO, and it needs more qualified user to set up by itself, so it's not the problem as big. It depends what we consider a problem. If the problem is that something doesn't work (due to forgotten LAN permissive rule), the home user notices it a...

xvo

No, if you don’t have “use peer dns” checked, and have your server specified in DNS, it won’t.

xvo

Why there is not an ending "drop-all" rule in the forward chain like the one in input chain ? I'm not the author of this idea used in the default firewall configuratuion, but I read it as a way to concentrate all the decision making into a single rule in the nat table, which can choose from the sam...

xvo

Why you need mikrotik in this scheme at all: just add the address of your DNS server in DHCP -> Networks for your network, and let all your devices use it directly.

xvo

CRS328 is ARM architecture , not MIPSBE.

xvo

You can set your backup WAN interface as a destination in your queues.

xvo

I then can add these interfaces into any bridge like any other interface and have both real ports and vlans in same bridge. That is not the proper way to do it. Not only all vlan handling is done by CPU when configured this way, but it also can lead to erroneous behaviour: https://wiki.mikrotik.com...

xvo

Well i dont know about you but i can confirm bandwidth test works just fine outside the local network. There were even some public bandwidth test servers available for those who wanted to make some tests and they worked great! Agreed, that is not the problem. The issue appears when you have multipl...

xvo

Looking at the specs for the block diagram, the 8367 chip supports RGMII, which is 1 Gbps, whereas the 8366 and 8369 support RSGMII which is 2.5Gbps. Could this be an issue? Looking at the Realtek website, I see that there are different RTL8367 models, and some of them have 2,5Gbps interface. So I ...

xvo

Hello, I hope I'm not drudging up or hijacking an old thread, but it seems as though a few months old isn't too far back. However, I'm curious, how can 2.5Gbps be achieved on a 1Gbps chip? I currently have a 4011 with Ether1 and 2 bonded and am seeing a clear bottleneck. My graphs show a plateau at...

xvo

I have tried same Bandwidth test from LAN Bond in that i have seen 2Gig reaching both ports are using full fledge.

That is not surprising: on LAN bond you are using balance-rr mode that can utilise both links even for single connection, so it can be properly tested by single bandwidth test.

xvo

CSS326-24G-2S+RM is a Layer 2 switch, so it can't do routing.
And it doesn't have any advanced features that can need more storage than it is onboard.

xvo

You can try balance-xor if cisco supports it, yes, but that's not the point: there is nothing wrong with 802.3ad, you just don't test it right.

xvo

There is a "bug" in ROS: the wildcard size is not equal the pool size, but the prefixes it hand out.
There was a topic about that not long ago:
viewtopic.php?f=1&t=153437&p=757885

xvo

So you say that LACP does not work when L2+L3 hash is used right? No. I say, that when L2+L3 is used the hash result between two hosts will always be the same, resulting all connections between these two host will always end up to use one particular link. So to fully utilise the bond you need multi...

xvo

L2+L3 No, it means L2+L3 hash is "maximum level" hash for LACP bonding. LACP does not support L3+L4 hash. I do not understand what is your point... My point is you can't test throughput of a bond that is using L2+L3 hash with bandwidth test between only two devices at a time, even if you establish ...

xvo

You mean LACP does not work on L2+L3 hash ?
Because even in the wiki the example uses L2+L3

No, it means L2+L3 hash is "maximum level" hash for LACP bonding.
LACP does not support L3+L4 hash.

Balance-xor does, and also switch chip on CRS always uses L2+L3+L4 hash policy.

xvo

802.3ad can't spread a single connection to multiple links.

And even more: L2+L3 hash means that even multiple connections between two particular hosts will use only one of the links.

xvo

We have as much information as there is in the presentation

xvo

Latest announcement from MUM in Athens couple of days ago:

https://mum.mikrotik.com//presentations ... 732455.pdf

xvo

* Make a slave off the same radio that is a station to be an Access point - make sure this slave interface is on the same bridge as the Station and Eths. * Voila your printer will now connect wirelessly to whichever is the strongest signal or via cable if you prefer. Only this part is not needed, b...

xvo

So let's say I'll take the MikroTik RB4011iGS+RM. How do I power my 3 APs via PoE? The router seems to have only one PoE. Or which wireless APs with Ethernet ports would you use together with the RB4011? For an AP you can choose between cAP ac and wAP ac: https://mikrotik.com/product/cap_ac https:/...

xvo

Well the problem is that it doesn't make sense for me to get a router with wifi. My internet connection on the first floor is in a seperate tech room (as pictured but hard to see in my "network plan") and I only want to (have to) run wired connections inside it. There is a version of 4011 without w...

xvo

so opening the 4500 port is enough, no need to open both 4500 and 500. Прошу прощения, но leaving aside my understanding of your "otherwise there's no real point to use L2TP at all", the above statement is simply wrong. You are perfectly right that an IKE v2 responder MUST always listen on 4500, an...

xvo

For sure I can imagine use cases for l2tp between two devices with public addresses too, but these are scenarios where building a symmetrical tunnel is impossible for some reason. OK, but what you write is relevant for L2TP without IPsec, because it is the only one of "only tunneling" (i.e. without...

xvo

in case clients are behind the NAT, which most likely is the case, because otherwise there's no real point to use L2TP at all. Can you be more verbose regarding this thought, please? Clients, that can benefit from dial-in behaviour: PCs, phones, other personal devices are always behind at least one...

xvo

Evening, Im to accomplish exactly this, is there any example of what the firewall rules should look like? Karel For l2TP+IPSec these ports have to be open: 1) UDP 1701 - for L2TP 2) UDP 500 - for IPSec and UDP 4500 - for IPSec with NAT-traversal, in case clients are behind the NAT, which most likel...

xvo

You can use something like this mount (no matter which one of the devices you choose): https://www.amazon.com/Universal-Antenn ... B002T0E91A

xvo

For 30-80m it seems like a total overkill. https://mikrotik.com/product/wireless_wire For 30-80m it seems like a total overkill. https://mikrotik.com/product/wireless_wire It will work like a charm...! XVO you can have a look at this post https://forum.mikrotik.com/viewtopic.php?t=128251 ... This p...

xvo

For 30-80m it seems like a total overkill.

https://mikrotik.com/product/wireless_wire

xvo

You are welcome!

xvo

Shall I disable the "drop" rule, add the rule you suggested and then enable the "drop" rule again?

Just drag it higher in the GUI

xvo

I missed the "add".
Sorry about that

/ip firewall filter add action=accept chain=input src-address-type=local

And don't forget to place it higher than the last "drop" rule.

xvo

Out of curiosity why would that rule NOT BLOCK an initial negotiation with ones ISP to get an IP for example?
Is it because the routers outgoing communication (looking for an ISP) is what triggers the sequence???

DHCP session starts from the client.

xvo

/ip firewall filter action=accept chain=input src-address-type=local

xvo

The it will be something like this: /ip firewall nat add chain=dstnat action=dst-nat dst-address=!8.8.8.8 to-addresses=8.8.8.8 protocol=tcp dst-port=53 in-interface=***YOUR_LAN_BRIDGE*** add chain=dstnat action=dst-nat dst-address=!8.8.8.8 to-addresses=8.8.8.8 protocol=udp dst-port=53 in-interface=*...

xvo

It's not really "someone": something in your provider's network searching for multicast subscribers.
No idea what exactly for. If you also don't know - just drop it

xvo

It is not clear from the description, do you want to:
1) Redirect all dns queries to the router and use 8.8.8.8 as an upstream dns for it.
2) Redirect all dns queries to 8.8.8.8 and also use 8.8.8.8 for the router itself too?

xvo

It won't.
And you can just drop the log=yes part.

xvo

/ip firewall address-list add address=216.218.206.90 list=blacklist

/ip firewall filter add action=drop chain=input comment="drop blacklisted" in-interface=***YOUR_WAN_INTERFACE*** src-address-list=blacklist

And move this rule just after "drop invalid" rule in the input chain.

xvo

Perhaps you have "Add Default Route" setting checked.

xvo

Yes, sindy, you are right, that’s what I had in mind.

My second idea, to change dst-nat dst-address (or use in-interface matcher instead) will prove the same point: if everything starts working “magically”, that will mean ISP is using 1:1 NAT instead of static routing.

xvo

What is your rule in input chain that is being hit by these packets? Can you add the explicit condition dst-address=59.43.27.9 to it? My guess is that your ISP is NATing packets with your public IP as a dst-address to you grey IP, instead of routing them to you as is. That is possibly why they never...

xvo

IMHO there's a big difference between blocking winbox access using (a very specific if you will) firewall filter rule and setting alowed addresses on service itself: in the later case initial conection is established and only service then decides to drop connection. In case of some nasty vulnerabil...

xvo

Why you think of it as a dirty solution? Solely because it relies on the assumption that the VPN server will always run on the same single IP, whereas the VPN providers often give out an FQDN, like any other internet service, and use short-lived DNS records to distribute the load among their server...

xvo

So, as this is a test routeboard i didn't let it run for hours, so probably the routing cache expires eventually. I solely trying to find a solution to forward all traffic through the VPN (even if it's pptp or l2tp. in my case it is l2tp with ipsec). The first solution (quick and dirty one), there ...

xvo

have dynamic rules created for each client from DHCP server leases Requires the lease to be static... Are you sure about that: all the needed settings are in dhcp-server config? There is no rate limit setting under dhcp server... The only rate limit can be applied for a static lease... So yes unles...

xvo

have dynamic rules created for each client from DHCP server leases
Requires the lease to be static...

Are you sure about that: all the needed settings are in dhcp-server config?

xvo

So a quick and dirty solution is to create a static route with dst-address matching the IP of the VPN server, and let the L2TP install a dynamic default route. Why you think of it as a dirty solution? What can possibly be wrong if the default route distance for dhcp-client on wlan is changed to som...

xvo

Question 1 - What is the difference between these two approaches and their advantage or disadvantages? Is there ever a time you would use both? The firewall rules allow any type of connection to the router from your address list. While "available from" is tied to a specific service. However, if you...

xvo

thank you so much xvo !
The problem solved. your suggestion helpt me.

Best Regards

You are welcome!

xvo

See the "dynamic" with ip 192.168.6.32/27 i put "download limit at" 1M. I set all smartphone for youtubers will be in that IP range. Does it means every user in that IP range will get minimum 1M? No, that's for the whole range. If you want each of them to have 1M you can either use PCQ queue type w...

xvo

What are the modules that you use?

xvo

I know GreasyGeek and am trying to help him with this. Unfortunately, the two CRS309-1G-8S+IN switches I have in production have a different VLAN for traffic and management. What he wants to do (and I can't remrmber how to do) is use the 10Gne ports for their speed and also have the 1Gbe port be pa...

xvo

I’m almost sure you don’t need to configure anything at all in SwOS - the default config should work.
Maybe just change its own IP.

xvo

Why do you want vlans at all if you need everything in one subnet?!

Just bridge all the interfaces and add dhcp-client to that bridge for the CRS to get the address itself (or even add that address statically).

xvo

Or, to outsmart the ones, who will just change their MAC address, as @Jotne suggested, you can reverse the logic: - set default-authenticate=no (or add a "drop" rule at the bottom of ACL). - add rules that will allow authentication to some MACs without any time condition. - and for some MACs with th...

xvo

There is the "time" option in the access list itself.
You can have default-authenticate=yes and add some rules, that won't allow authentication in the needed time window.

xvo

Use different PPP Profiles for different users. And add to each profile the address list (or interface list, whatever suits you better) where the user using this profile will be added. Or you can even use separate firewall chains for each profile defined in incoming-filter and outgoin-filter in prof...

xvo

Thank you for this - are you saying add the user to an interface list? It looks like you can specify an interface list in the profile. I would need to create different VPN profiles as opposed to default. Do i have that right? You can create "L2TP Server Binding" interfaces for every user, that need...

xvo

Should I consider a port knock on prior to allowing a VPN connection?

That's not needed. L2TP+IPSec will be secure enough.

Then allow that IP address via a firewall filter input rule access to Winbox port 8291.

Or you can allow access from the l2tp-in interface created for that user instead.

xvo

Target of the parent must be changed to 192.168.1.0/24 and the algorithm used should be PCQ upload/download default. After that it will work just perfect.! Agree about the parent's target, but I don't about choosing PCQ as a type for it: - if NAT is performed on .2 and .3 (or if you set PCQ Mask to...

xvo

You are welcome. The thing I was talking about in my second proposition is this: You have 20/4 limits from your ISP, and let's say you want to split them equally between two routers. Imagine two scenarios: 1) the load is high on both routers. 2) the load is high on one of them, and zero on the other...

xvo

... you can always workaround assigning the address somewhere by dst-nat to any other router's address. Not to another router address but to address of an internal device ... just like usually done with lone router's address ... Sure. But you can extend this approach for the router itself too.

xvo

Check what DNS server your PC gets from your router.

xvo

That is what is missing:

/interface list member add interface=vlan101 list=WAN

xvo

Edge router does not know where 2.0 and 3.0 are... So since it communicated with them someone has manually configured it.. Thats why there is a one direction communication... Ofcorse there might be other reasons too... Sure. But to get a response back without manually configured routes on mikrotik,...

xvo

Add a route in each mikrotik for the 192.168.1.0/24 and gateway the WAN IP of the Edge rourer... I guess that won't be enough: if it works now (without any additional routes on Mikrotiks) in one direction, then it means NAT is being performed either on UBNT, or on Mikrotiks, or everywhere. An that ...

xvo

Just brainstorming from my part: is it really necessary to play with the "fake" bridge just to assign the /32 address to some interface? From ISP side packets with dst-address=/32 will just get routed to your RB. From LAN side it doesn't get used at all. So it's all internal to RB and thus you don'...

xvo

@xvo: you managed to miss the point with the second paragraph ... OP wrote that the isolated devices need internet access, so firewall filter dropping packets from those devices toward WAN interface is exactly the opposite of what OP wants. There was a second part of the question in the initial pos...

xvo

The problem is in the firewall: you need to add a rule to the input chain that will allow src-address-type=local

xvo

Those of your switches, that "doesn't support 802.1q", won't know anything about your router's firewall rules, and they will gladly pass traffic between different LAN clients. As for the clients that need access to outside blocked, the solution is pretty straightforward: you need to create a rule in...

xvo

Do you have fasttrack disablled in firewall? And by the way, unrelated to this particular problem, I think it will make sense to: 1) add your wan-interface as a Dst. to this queue group - I guess you want to limit only connections to outside world by these 3 queues? 2) set your max limits the same f...

xvo

As I see now your default rule 17 does the same, so you don't need the one I suggested at all.

Are you sure your ISP is not blocking port 443?
Change dst-port in your initial NAT rule to anything else (but leave to-ports=443), and try connecting to this different port from outside.

xvo

In order for this to work you also need a firewall rule, that will allow such connection in forward chain. The simpliest one is: add action=accept chain=forward connection-nat-state=dstnat in-interface=ether1-gateway Placed lower than accept established/related and drop invalid rules of the forward ...

xvo

You need to add bridge itself as a tagged member of the vlan, for which you created a vlan-interface.
In other words, this:

add bridge=bridge1 untagged=ether9 vlan-ids=9

should be this:

add bridge=bridge1 tagged=bridge1 untagged=ether9 vlan-ids=9

xvo

It may sound confusing, but that’s not “max instant” speed, it’s “max average”

“Max 5min average” and “max 30min average” respectively.

xvo

You can see on your own screenshot: first chart is 5min average, while the second is 30m average.

xvo

Backup is not meant to be used on any other device, except for the one it was made on.
Use config /export for that.

xvo

a razor and shaving cream.
What are these?!
A plot to make you uglier ...

xvo

a razor and shaving cream.

What are these?!

xvo

Yup, it's that! Thanks again. For all

Nice! Glad we squared this out.
You are welcome

xvo

I found something interesting, i'm sure it's all about this. On router where i can use filtering device 1 and device 2 was on port 2 and port 10, so it's used by different switch chips. When i put device 1 from port 2 to port 9, there is no packets (of course after changing filter). It will be alwa...

xvo

Fast Path option, only on bridge settings tab?

Yes.

And where can i find hw-offload option?

Port settings in Bridge -> Ports tab

xvo

You are welcome!

xvo

Another thought: perhaps Fast Path on the bridge or (and) hw-offload on the ports that are involved need to be disabled manually in order for bridge filter to work.

xvo

Can't see anything wrong, apart from an address assigned to ether2 instead of bridge, and not ideal masquerade rule.
Have no idea why the rule in question is not being hit.

xvo

Ok. Do

/export hide-sensitive

on a device, that doesn't work and paste the result under here inside "code" marks.

xvo

Both devices are directly connected to Mikrotik, and you can actually see that there is traffic between them? And another idea. That is the device with you ovpn server and the one, on which you enabled proxy-arp on the bridge, right? Try to revert arp mode to enabled and see if it makes the differen...

xvo

Keep in mind that direction makes a difference.
And if your network layout allows you use interface matchers, you probably don't need any others (protocol, ip addresses, etc), if you want to drop all the traffic between devices.

xvo

You are welcome!

xvo

Write permissions will work just fine...

Ok, then

xvo

It's a switch with some L3 capability, not a router.
It won't be able to route 500mbps in real world use.

xvo

Thanks, for the answer. But i can't set any IP filtering, everything greyed. I can only use MAC filtering...

You can use IP section only if you select MAC Protocol - IP, obviously

xvo

If reset doesn't work go for netinstall...
What is your ROS version ?

In case protected-routerboot is on netinstall won't work.

xvo

Look in System -> Routerboard -> Settings for Reformat Hold Button value.
Then reset your router.

xvo

Do you use different subnets for LAN and OVPN clients?
No, all in one subnet.

Make them different then, unless you really need them to be in one /24 subnet.
In that case you can make it work by setting arp-mode to proxy-arp on your bridge.

xvo

And about second question, just checked it on my second mikrotik router. For testing i created rule to block printer adress access from my local computer. And here too, zero packets. Here i have normal masquerade rule, src address local network, out interface WAN. (Because there is no VPN here) Wha...

xvo

except VPN connection - when masquerade is used on out wan interface then i can't connect to local network from my openvpn connection. When out-interface is blank, then i can access everything.

Do you use different subnets for LAN and OVPN clients?

xvo

How can anyone find out if you are doing something wrong if you don't describe what exactly you are doing?!

xvo

The best practice is to use masquerade with out-interface (or out-interface-list) matcher, and only for your WAN interface(s).

xvo

I don't see anything wrong neither in your config nor here.
Are you sure the problem is not on the UniFi side?
Maybe it needs some special settings for hybrid port to work properly?

xvo

Config (export) shows only static entries, while "print" command shows the dynamic ones as well.

xvo

As unfortunate as it is, for now there is no other way to do this, other than performing dst-nat. And you can't perform dst-nat for the packet originated from the router itself. Instead of doing it on all 500 end devices you can place additional router between dude server and the network, to do it i...

xvo

That is basically what a SOHO firewall is with fasttrack rule removed (you don't need it using a CCR in home environment): /ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comme...

xvo

You don't need those two rules, they are not a solution but a workaround for you problem (if you have a problem at all).
Try to disable firewall on your windows machines, as mkx suggests.

xvo

You can change "Dst limit" "Limit by" to src-address.

xvo

What does

/interface bridge vlan print

show?

xvo

Can you please provide an example? I am using custom chains ;) This is what i have in this moment: /ip firewall filter add action=jump chain=forward comment="=> Block Specific UDP" dst-address-list=OwnIPs in-interface=ETH1 jump-target=UDPConnections \ limit=5k,20k:packet protocol=udp src-address-li...

xvo

You will probably need to unsolder or reposition some resistors to disconnect internal antennas and connect your own.
Better contact support directly on this.

xvo

You can use Dst-limit matcher.
But as it performs desired action when under the limit, then applies passthrough, and that behaviour is not reversible (like with Limit matcher), you will need a custom chain for it.

xvo

Thanks @anav fir answer but assigning address to ether2 works fine and I have no problems with it. On my eth2 I have connected switch (Cisco SRW2048) where all devices (including APs) are connected and all of them works fine - gets an IP, etc. Problem I have is that no devices connected to ether2 w...

xvo

Why on earth are you masquerading everything in all directions?!

xvo

If that is the whole config, nothing is preventing clients in one subnet from access to the other. But I believe it's only a part of it, so maybe there's something in the part, that you didn't post. For example in firewall rules. As for seeing computers by the names in different subnet - you need a ...

xvo

Interfaces -> Interface List

xvo

Keep in mind that the more correct way to resolve the issue is not disabling this last firewall rule, but rather to make it work as intended by adding your bridge to interface-list LAN. Not so critical in your current config, because all your interfaces are actually LAN. But can be crucial in other ...

xvo

Add this device to a separate vlan and allow access between this vlan and all other vlans in your router, that is used as a firewall.

xvo

Add a set of static routes on all three routers:
1) On A: to .20 and .30 via B's tunnel address.
2) On B: to .10 via A's tunnel address and to .30 via C's tunnel address.
3) On C: to .10 and .20 via B's tunnel address.

xvo

Adding one mikrotik router between this device and mikrotik switch should be an workarround? Kind of. But not in a way you think of it. And not the sole existence of a router, rather the way it, and the rest of your network will be configured. You don't need to "clone" frames - that won't work for ...

xvo

There's no problem to strip all tags and send untagged frames out.
But how it is supposed to know which tag to add to which frame in the opposite direction?!
Some criteria is needed.

xvo

How it is supposed to chose which vlan tag to add on ingress on ether2 in your scheme?

xvo

It clearly stated the opposite to me. I must must have read the manual on those two in the last two years a dozen times. You don't expect to have to reverse it to make it working as expected. I guess it was designed to be used mainly with a "drop" rule: "passthrough all connections until they reach...

xvo

CRS125-24G-1S-2HnD-IN is not a router.
It's a switch with a little L3 capability.

xvo

Since nobody knows, what exactly you did, it’s hard to judge whether it’s right or wrong. Post /export hide-sensitive from terminal here, and somebody will take a look. But the thing you definitely wrong about is the assumption, that by default router will block traffic between different interfaces/...

xvo

These are supout files, not config exports.

Go to terminal, do:

/export hide-sensitive

and post the result.

xvo

Please, reset it once again.
Configure the same way you've done before.
And before you disconnect from it (losing the ability to connect again) make an /export of the config and post it here.

xvo

Matches connections per address or address block after given value is reached.

If you have an accept rule, that means it starts accepting after you reach the limit.
Before that it work like a passthrough rule.

You should reverse the condition with "!".

xvo

Search for Hairpin NAT

And by the way, with your rules no wonder you are getting to the router itself: they are configured only for ether1.

xvo

You can’t.
The only way is to perform nat from 8291 to your custom port.
And how can I do that?

Add this on your device:

/ip firewall nat add action=dst-nat chain=dstnat dst-address=YOUR_DEVICE_IP dst-port=8291 protocol=tcp src-address=YOUR_DUDE_SERVER_IP to-p
orts=YOUR_CUSTOM_PORT

xvo

You can’t.
The only way is to perform nat from 8291 to your custom port.

xvo

Is there anything valuable in the device’s logs when dude is trying to connect?
Does winbox run on the default port?
Can you confirm with torch, that dude packets are reaching the device?

xvo

Check that your device’s firewall accept connections on default winbox port 8291 from the address of your dude server.

xvo

Do

/user print

and

/user group print

on the router you are trying to connect to.
And see, if the user you are using to login from dude server have the necessary rights.

xvo

Maybe something wrong with Multicast-Settings on the Switch.

Could be.
Try testing without a switch to understand whether Mikrotik or Cisco is causing the problem.

xvo

Not exactly, if your pool’s prefix length is larger than /64, you can use larger wildcard. Tried with /48 pool and /56 prefix length. Wildcard size is tied to to the wrong setting. Could be, I don't have freedom to choose different prefix size (/56 is what I get from ISP so /64 subnets on interface...

xvo

right now it simply dismisses request if wildcard size is anything larger than /64.

Not exactly, if your pool’s prefix length is larger than /64, you can use larger wildcard.
Tried with /48 pool and /56 prefix length.
Wildcard size is tied to to the wrong setting.

xvo

Does the user you are using to login have "dude" permission?

xvo

Follow the link to sonos forum from this early post: viewtopic.php?f=2&t=101244#p549825
There is a comment, that tcp/4444 also need to be opened for software updates to work.

xvo

LTE version is better.

4G version covers only 3,7,20 international bands, while LTE version additionally covers 1,8,38,40, that are also frequently used in Europe.

xvo

We have this wildcard feature, it is not something new, and it is working somehow.
But the expected behaviour should be that the maximum wildcard size can match the size of the pool, not the size of the prefixes it hand out.
So I still think of it to be a bug.

xvo

But think about upsides. Well, just the one upside, it doesn't even need more. It's one-time config, you won't need to touch it ever again, because it's completely transparent and compatible with everything. It's still a hack, no doubt, but it's hard to not like it. I am perfectly aware of the upsi...

xvo

Not for the same ports.

xvo

What did you try to limit the connection number? There is a dedicated "connection limit" matcher in firewall filter. But, honestly I don't thing the problem is in the number of connections, unless it's multiple thousands of them. Are you sure you are using queues right and your IPTV traffic is exclu...

xvo

1) Masking the real src-address.
2) Unnecessary traffic through router.

xvo

What you are looking for is called Hairpin NAT. But i remember from other posts you don't like Hair Pin NAT... :lol: If you want to access just your router from inside the LAN you can just add a static DNS entry... In case you want to access more then as xvo suggested you should use Hair Pin NAT......

xvo

What you are looking for is called Hairpin NAT.

xvo

Let’s say router leased .30 to some device, then .31, then .32
When .30 lease expired, it can be leased again, but router won’t try to fill that gap. It will continue to lease .33 etc. if .32 is still active.
That is what you are talking about?
So once again, why does it bother you?

xvo

Src-nat is performed after forward, so it's ok, actually.
If you add logging for your masquerade rule, you can see the same packets being masqueraded afterwards.

xvo

Because this rule does exactly that - it redirects all tcp/80 traffic to 192.168.2.5: add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=192.168.2.5 to-ports=80 Add dst-address=YOUR-EXTERNAL-IP condition to it. And, by the way, that is not hairpin nat. Hairpin nat is an additional...

xvo

c. Filter rule 'INPUT" from vlan interface (or console) to router for what I dont get??????????????? /ip firewall filter add chain=input action=accept ??????????????????????????????????????????????????? For UPnP service on UDP 1900 :) You console needs a communication channel with the router for as...

xvo

As you've been already told - it is not a bug. Quickset is just a number of preconfigured templates, that can be used for initial configuration. Using quickset on the router that was already configured means overwriting part of its configuration leaving the other part intact and as a result - most l...

xvo

Why is that a problem?

xvo

1) Delete all leftovers. No way somebody here will want to try to understand wether they are interacting with something or not, if they are not needed at all. I definitely don't want to. 2) What is the network interconnecting the two routers: please add to you scheme what address are on that link on...

xvo

It seems you need to decide something first, or at least state it clearly: what device will be responsible for filtering between .2.X and .4.X: Alpha or Beta?

xvo

1) Why you have this on Alpha?

/ip address add address=192.168.4.2/24 interface=e2_switch network=192.168.4.0

2) Why you need so complex firewall on Beta?
3) You definitely don't need NAT on Beta.
4) I can't see where DHCP-server for 192.168.4.0/24 is at all?

xvo

Please, be more clear about your network layout: where is subnet B: 192.168.3.1/24 connected? Alpha or Beta?
And post config exports for both devices.

xvo

I know, I know. Just treat it like a trigger for yourself to reread couple of previous comments :wink: Returning to the subject. Scope/target scope are used for nexthop selection . You can think of it like a process of "route creation" for recursive routes. Scope and target scope are related to each...

xvo

Haven't you met anav before?

Sure I have!
I'm the one who welcomed him in the world of VLANs!
...The deed I will probably regret for the rest of my life...

xvo

You are joking, right?

xvo

Exactly!

There is no relation between distance and scope/target-scope: one is used for route selection, another for nexthop selection.

xvo

Once again, step by step: 1) A route 1 in your config needs a nexthop. 2) It has target-scope=10 3) It then searches the nexthop among the routes that has their scope<=10 4) It finds route 2 that has needed dst-address and scope=10 5) scope=10 (of route 2) <= target-scope=10 (of route 1) ---> route ...

xvo

I just explained you the purpose of both scope and target scope few comments above, then you wrote a config that should work, and now you state, that you haven't understood a word, that I said?
How are you doing it?

xvo

Something like that.

xvo

Not in the verbatim sense of meaning. Phase array doesn't change geometry of antenna, it changes Tx timing of individual (tiny) dipoles and ditto for Rx (where constructive resonance of all Rx elements contributes to higher overall Rx signal from one direction) ... but yes, the net effect is simila...

xvo

That counts for

unless an antenna can change it's geometry on the go

xvo

I think you have that mixed up.

Not me, man. Not me.

xvo

Scope/target scope pairs define which routes can be used for recursive nexthop: the route will search for nexthop only among other routes, whose scope is not higher than it's own target scope.

xvo

Indeed In console it shows all zeroes for current Tx power ... One of beauties of wireless on ARM ...

It's not just ARM, that is true for all 5Ghz radios in 802.11ac devices.

xvo

So setting the antenna gain does not focus the radiation beam?

How can it possibly do that?

Antenna gain (and thus a radiation pattern) is a physical characteristic dependant on antenna's geometry, and can't be changed unless an antenna can change it's geometry on the go

xvo

So I guess all the questions are of the table now

The main thing we figured out: Mikrotik in regulatory-domain mode won't let us break the law after all...
...For that we have manual-tx-power and superchannel!

xvo

What if you don't use it but you check on it, just to know what your programming is "doing"? You find some red fields stating that you must write something. You find some working modes that you don't even know or care about.... In my case you could also find that you lost your 5GHz wifi.... And sin...

xvo

No it wont change the Txpower, however it affects it in other ways... For, example the Txpower will get lower and lower as we increase the Gain in order to stay legal... And also if lets say i use an Antenna with a Gain of 6 dbi instead of one with 3 dbi, its like"doubling" the power because of the...

xvo

Actually, never use quick set :D It's tempting to always advice that, but the truth is, ROS is quite a complicated thing for those who see it for the first time, especially for "home" users. So it is either quickset or "i'll better go and buy something else" for them. Don't think it is wise to enco...

xvo

Again, the EiRP shows the power radiated, and that is the power that should be inside the legal limits, and TX + Gain give us the final dbm value... i dont understand why you say that Gain has nothing to do when thetr is a formula for that thing... Yes! Tx-power + gain will give you the maximum the...

xvo

Have you tried it? :) If you have tx-power-mode=default, antenna-gain=3dbi and tx-power/total-tx-power=14/17dbm and then change to antenna-gain=6dbi you will end up with 11/14dbm! Because the device lowered the Tx-power to stay inside the regulations. Seriously, just try it. You can use tx-power-mod...

xvo

So the total radiated power has two factors, the Tx power of our transmitter and the Antenna's Gain... That is totally wrong. TX-power is a characteristic of the radio emitter, totally independent from the used antenna. Antenna gain shows the distribution of this power in space (compared with an is...

xvo

Nope.
TX-power and Total TX-power indicate values for one chain and for all enabled chains.
The difference between them has nothing to do with antenna gain.

https://wiki.mikrotik.com/wiki/Manual:I ... d_802.11ac

xvo

Don’t ever use quickset after you made some changes from initial configuration.

Search found 631 matches