MikroTik

xvo

Wire speed can be achieved only on first bridge, all others bridges are software this is why you have low perfomance. RB4011 have two switch chips, so hw-offloading can work on two bridges if each one of them utilises different switch chips. However bonding and vlans are hw-offloaded only on crs3xx...

xvo

Still can't find anything in your config that could interfere with queues.

xvo

Try setting max-limit much lower than your actual speed (5M/10M for example) and see if the queues still don't work.
To rule out the possibility, that your ISP shaper takes effect before your mikrotik.

xvo

Create separate provisions for each frequency and use them on the cAPs you want (based on radio MAC address).

xvo

I have no other ideas.
Almost identical config works for me.

xvo

Did you also try to change targets from interface names to address ranges?

xvo

Try setting your max-limit values at least 5-10% lower than your typical ISP speed: you might hit the ISP limits before you hit your own.

xvo

What I wanted to achieve is to bring the internet into combo1 port therefore all remaining 7 ethernet ports will be free for my local network. You can do that. But you need to move all existing "wan" config from eth1 to combo1. For reference do an /export in terminal and look for all the places whe...

xvo

You are free to use any port or multiple ones for your WAN connection. That depends only on how you configure the router. As it is clearly stated in the wiki, only combo port accepts 100mb sfp modules, so even if it worked you wouldn't get any additional free ethernet ports: https://wiki.mikrotik.co...

xvo

The second should not be a problem: +1 local port to add to the bridge; -1 wan port and everything related to connecting to the outside world; -all dhcp servers; +1 dhcp client on one of the vlan-interfaces (on this device it is actually ok if the bridge is a tagged member for only one vlan - to hav...

xvo

Told ya!

xvo

In order to stop guessing post your:

/export hide-sensitive

xvo

Stupid question: is interface on Site B configured to advertise 1000M at all (have needed options ticked)?

xvo

In most of the the cases when DHCP server doesn't work on vlans after initial configuration, the reason is somebody forgets to add bridge itself as a tagged member of all needed vlans, and as a result - all vlan-interfaces configured on that bridge are actually not connected anywhere.

xvo

The fact, that the problem appears after a few days, makes me think, that something goes wrong when router tries to renew dhcp lease.
Anyway, if that’s on ISP side OP should try to contact them in the first place.

xvo

My mistake.. XVO any suggestions for the actual problem instead of correcting me for somerhing obviously i didnt see?

Most likely problem is on ISP side.

xvo

No its not ok... you ping your ISPs lan IP which is 192.168.0.1 and you get network unreachable...

That is a response from 192.168.0.1 about the 1.1.1.1

xvo

No dhcp server is needed on the cAPs.

xvo

That should work: /queue simple add dst=ether1 max-limit=22M/50M name=queue3 queue=default/default target=ether2,ether4 add dst=ether1 limit-at=11M/25M max-limit=22M/50M name=queue1 parent=queue3 queue=default/default target=ether2 add dst=ether1 limit-at=11M/25M max-limit=22M/50M name=queue2 parent...

xvo

So what? You asked "Why would a home/office Access point/router have an SFP port ?" like it's some kind of nonsense never seen before. While it's really a nice feature to have for some users. Home users as well. If you want an sfp port then buy a mikrotik model with an SFP port! So many!!! If i wan...

xvo

Ok, I get it.
Some people in this thread are from ip:port + hairpin nat camp.
Others from dns + reverse proxy camp.
You are somewhere in the middle

xvo

Personally i use Hair pin nat in the following cases (just an example) I have a dns name which with the help of a script i update it with my public IP address and at the same time there is a static dns entry in my router with the same Dns name which points to my rourers IP... This way i can access ...

xvo

Any reason why you would advice against powering them wih PoE? By the way, they max at 19W, not 24W.
No..! According to the manual the max power consumption is 24W...

You are confusing CSS326 and CRS326.

xvo

Does firewall on ppp client device allow ping at all?

xvo

I guess that in my case it is: physical interfaces -> bonding -> bridge -> vlan(-s) on top of bridge

Yes, that's correct.

You are welcome

xvo

I guess both blue and orange arrows need to run on one logic link between the two routers? In that case on Mikrotik 2 you will need to: - bridge upper and lower interfaces. - create 3 vlan interfaces on that bridge (for wan, lan and management) + for each one an ip configuration. - configure (in bri...

xvo

BestVPN is one you make yourself, host CHR somewhere and use native Mikrotik protocols (EoIP, IPIP, etc.)

True.

xvo

The reason it is used in the most example configs is the simple fact that in most typical scenarios you need some of the ports switched or bridged together to have L2 connectivity between the ports. That is not the case when you use only one interface for uplink, one for downlink, and device is used...

xvo

Bridge is essentially a software switch, and you don't need a switch between you UPLINK and DOWNLINK. So remove UPLINK from the bridge, so that it contains only one interface - DOWNLINK. Then all the vlans have to be created on the bridge as a parent. And after that you can use UPLINK and VLAN-XXX i...

xvo

And why not? Original hAP AC has it :) So, it should have an SFP because another model does? Also hap ac with hap ac 2 are completelly different, the only common they got is their name... hap ac has different CPU, different architecture, different wireless chips and different prices.. you can't com...

xvo

Why would a home/office Access point/router have an SFP port ?
There are many other models with SFP ports...

And why not? Original hAP AC has it

xvo

Can't confirm the crashes to be a serious issue. I guess I only experienced winbox to crash only several times for the last couple of years. But I'm on high sierra. And the inability to drag-n-drop from winbox, well, could be a major issue for a file server client, but not for a router configuring s...

xvo

Connecting to the router itself won't make that traffic "routed", just "switched to the router's CPU".
Obviously such traffic can't avoid CPU in any scenario - because CPU is its destination

And it won't affect the other traffic in any way.

xvo

No, they don't.
But wine winbox/dude from http://joshaven.com work flawlessly for most people on this forum.

xvo

There were some gentle hints some time ago that something is on the way, but no specifics, no timeline.

xvo

Sure!
If you can connect all the APs by wire it will be the best and the easiest solution.
Only thing to keep in mind - use different non-overlapping channels on the adjacent APs.

xvo

There is no universal solution.
Too many factors: inside/outside, distances, obstacles, number of clients, uplink speed, neighbouring network, etc.
And the best option can be found only after at least basic radio analysis at the location.

xvo

Both options are bad, but the second one is still muuuuch better.
Ideally you need separate radios for PtP backbone and for serving clients.

xvo

That's exactly how I did it.
And from what I've read, yes, any VPS running on VMware/KVM should be fine.

xvo

I think I didn't completely get this one. If the question is about connecting to the routers themselves, then you just need to assign an address (or DHCP client) to the bridges on each router. Not to the ports belonging to the bridge, but the bridge itself. And once again: Separate bridges = Routing...

xvo

1) Yes, only one hw-offloaded bridge per switch chip: that means that on devices with one switch chip you can have hw-offload only on one bridge, on devices like RB4011/RB3011 - total of two hw-offloaded bridges, one for each port group, and on devices without the switch chip - no hw-offload obvious...

xvo

No, wlan <-> eth traffic will cause CPU load only on the device where this wlan is, not on any others.

xvo

Passing data between bridged ethernet ports will be automatically done on wirespeed using switch chip (of course if you leave hw-offload option on). Passing data from wlan to ethernet will be done by CPU as it's just the way it works, nothing can be done about it. So you actually don't need to do an...

xvo

I started with debian machine and then just overwrote system disk with ROS image.

They issue coupons worth 10€ so you can try yourself before purchasing.

xvo

As It's just for private use (holding several VPN tunnels with low traffic + dude) the smallest one for 2.79€/month is more than enough.

xvo

I have a CHR running on ArubaCloud.

xvo

Maybe your cable is bigger than 80-90m?
If yes you could use this https://mikrotik.com/product/gper#fndtn-downloads

GPER needs PoE to work, so it won’t help.

xvo

Nobody here knows if the 2nd 5GHz is locked down

It's not: viewtopic.php?f=3&t=148488&sid=e509cbae ... ad#p751638

xvo

Wait. If r1-r2 and r1–r3 are bridged together, then just bridge r2-r3 link with them and run stp on the briges. That would be the easiest way.

xvo

You don’t need to change any existing addresses, routes. Just add additional routes (IP -> Routes).

xvo

You need additional set of routes on each of the routers with a higher distance than the direct ones. For example on r2 you have a route to r1 via interface1 and to r3 via interface2 with distance 0. Now you need to add routes: to r1 via r3 address, and to r3 via r1 address with distance >0. And thi...

xvo

Almost:

/ip route add dst-address=200.1.20.16/29 gateway=192.168.XX.2
/ip route add dst-address=200.1.20.24/29 gateway=192.168.XX.6

xvo

Well, you just add routes to these subnets with their addresses as a gateway

xvo

I suppose if one also has untrustworthy family members giving away wifi passwords to other then guest networks (ie to home lan), then yes it would also be plausible. Well, I look at it from another perspective: I don't want any awkward moments trying to explain to my guests why I don't trust them w...

xvo

It is not clear to me how the router or AP magically knows which VLAN to send traffic down. No magic here. You just list all the known mac-addresses and vlan ids you want them to belong. And after that add the final rule for "all others" that you don't know :) Simple as that. By the way, you can do...

xvo

I think that's because you run neighbour discovery on "all" interface list.
Create a list containing only the bridge (or only physical interfaces).
Then open "discovery settings" and choose that list.

xvo

How the heck will the router or AP know which three vlans to assign incoming untagged traffic too..... Its a mystery to me so please enlighten me.

Based on access list entries.
You can now see two working config examples in this thread: mine and TS's.

xvo

Hi,

This is what I have create and it work well, I think.
It needs to be fine-tuned a little bit more, but so far so good.

Yep, that looks nice

xvo

I'd like to know if it's wireless (2.4 or 5Ghz would be nice) or wired. I'd like the mac, the IP, how long it's been connected, whether it's reserved, static, or dhcp set, how long the lease is left. So you need the list of devices that... what exactly? Interact with your router in every possible w...

xvo

The issue or limitation is that the radio set cannot assign two different PVIDs to incoming wifi traffic and thus can handle one VLAN only.

That is totally untrue.
It can and it does.

xvo

BTW: how do computers get ipv6 adresses anyways since DHCPv6 server is blank in winbox? if no DHCP -> no ipadress?

Using SLAAC

xvo

Miracle, I tried Bridge > host - looks good - how do I get the IP's as well? Device names that are known would be good as well. Thanks! XVO IP>ARP - pretty good - I can work with this. Still missing connection type, device name if know Is there any way to add more information to the tables? I guess...

xvo

but I already have some dynamic DNS servers in ip->DNS
2a00:ee0:d::13
2a00:ee0:d::23

so DNS should work

Try to add ones that definitely work, from google (already posted by @romihg) or cloudflare:
2606:4700:4700::1111
2606:4700:4700::1001

xvo

IP -> DNS is used both for ipv4 and ipv6: just add ipv6 dns address there and remove all ipv4 ones.

xvo

@xvo Thank you very much for posting the example. I have tried it, but it does not work for me. The example is for a separate AP, right? I use the RB4011 which have 2 embedded AP's. Thanks. That's just an example of how to use access list. So for sure it has to be adopted to your interface names, v...

xvo

Hi XVO, Thanks - Yes, they are all there. That's not exactly what I was looking for. I went to the page. Above the list of connections, it said I had 400+ connections. If I scroll down they are all there. It's not a consolidated look. Keep the good ideas coming. I appreciate it. Cheers! Then what e...

xvo

IP -> Firewall -> Connections

xvo

Yes; currently the routerboard is configured as an AP. I suppose the 2.4Ghz radio could be configured as a station, as a client to the internet WiFi. But then I lose the 2.4 band and have only the 5Ghz for an AP? Yes. You either configure your 2.4 Ghz/5Ghz band as AP mode or station mode. It cant b...

xvo

Please. Can you provide me an example, please? Or push me into the right direction? That is the relevant part of my config with access list examples: /interface bridge port add bridge=bridge-LAN ingress-filtering=yes interface=ether1 pvid=99 add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ...

xvo

@mkx I think I understand what you are saying, but in practice… Vacuum cleaner(s), refrigerator(s) and so on are usually connect via WiFi to the network. That’s why I create and connect them to one (1) virtual 2.4GHz AP. This virtual AP use vlan20. But how do I give the cleaner a other vlan number ...

xvo

Thanks for your help man. All sorted now.

Switch1 → hAP wan → hAP Lan1 → switch2 → rest of network

I also managed to organize Google/Bing/Duckduckgo safesearch (to block inappropriate image searches) and used OpenDNS for further restrictions.

xvo

Hey man, I played around with Winbox setup last night and understand the config a little better now. However, should the LAN cable from the DLink to the hAP be plugged in to the WAN port, or to LAN2? The hAP mini has 3 ports: Internet, 2 and 3 I would think it should be plugged in to LAN2 and make ...

xvo

Thanks. At the hAP login screen there's the quick setup drop down box. Do I have to select anything there and enter any ip's anywhere? Also should the default gateway of the primary router (192.168.0.1) be inserted anywhere? Meantime I'm searching for the link cable... Sent from my MI 9 using Tapat...

xvo

The LAN cable between switch1 and switch2 is connected between 20 other lan cables on switch2. Therefore difficult to locate the link cable. Can I hook the HAP up behind the switch? That does however not sound right to me... Sent from my MI 9 using Tapatalk No, that won't work. By the way, you migh...

xvo

You will get internet access and access from secondary network to primary if you simply connect 1st hAP port to switch1 and the 2nd to switch2. Even with default config. And no additional config on dlink. The only real downside will be one unnecessary NAT performed on hAP. To remove it, and to get c...

xvo

But it does not ... So far the whole day IPIP works fine. I do not use IPv6 so don't really care about GRE if that's the only one difference vs IPIP, there are no drops in browsing pages like with GRE active tunnel. Maybe it's not MTU related after all. If you want to debug it further - you can pos...

xvo

Thanks, so far I've changed GRE to IPIP and looks like problem has gone. Don't know what happened but one site was changing MTU to 1380 second to 1420 and lots of problems were happening there. Changing MTU statically to 1500 on GRE killed performance and transfers and raised up tons of packet loss...

xvo

lower MTU to what value you suggest? Try what ping sizes pass without fragmentation from the router and use it as an MTU value. Can MTU be lowered on WAN interface, but still be 1500 on the rest of the ports? Yes, sure. After excessive tests it looks like my GRE tunnel is causing troubles. Have GRE...

xvo

Try pinging with different packet sizes and "don't fragment flag".
Can be problems with PMTUD somewhere at your ISP.
If that's the case - set lower MTU on your WAN interface.

xvo

Please stop posting about what can happen when you interpret 802.11d country codes sent by others and focus on the request to send the 802.11d country code in a MikroTik AP so that others (broken, old, whatever) can pick it up and do whatever they were programmed to do with it! I am totally with yo...

xvo

Smartphones and other mobile devices have GPS, they don't need 802.11d at all. That's right, but all the rest of the equipment is needed. The rest of the equipment should use something like "no-country-set" or ask the user, if it can't locate it's position with 100% accuracy. Out of curiosity looke...

xvo

We would appreciate further compartmentalizing of Router OS features to increase device efficiency and reduce attack surface. Put SMB, Torrent, and other things that have no place in ISP infrastructure into another package. Put BGP, MPLS, and other things that have no place in consumer devices into...

xvo

If there is no other information. You have to broadcast the region for Mikrotik with another device. 😂 Smartphones and other mobile devices have GPS, they don't need 802.11d at all. Out of curiosity looked what regions do APs around broadcast at the moment, only half of them are set to the correct ...

xvo

I talked about this from the very beginning - re-read it. Only you have a special case in 2010. The new 802.11ac - restriction on visible channels. That is the problem. It's not a special case, It's a long known issue with a known workaround. Although it's not exactly the same problem, it is connec...

xvo

Bottom line: devices CAN use 802.11d to help them set the region, but they CAN NOT use ONLY 802.11d, they need something else - gps, whatever. Thus support of 802.11d is nearly useless - all modern devices will set the region without it. no and no again. I have a mikrotik network. Regoin Apple can ...

xvo

Bottom line: devices CAN use 802.11d to help them set the region, but they CAN NOT use ONLY 802.11d, they need something else - gps, whatever. Thus support of 802.11d is nearly useless - all modern devices will set the region without it. no and no again. I have a mikrotik network. Regoin Apple can ...

xvo

Bottom line: devices CAN use 802.11d to help them set the region, but they CAN NOT use ONLY 802.11d, they need something else - gps, whatever. Thus support of 802.11d is nearly useless - all modern devices will set the region without it. no and no again. I have a mikrotik network. Regoin Apple can ...

xvo

not a true statement, on all models since 2012, everything is fine with 802.11d. The AP must broadcast 802.11d. a piece of shit - tp-link even does it. That is a known problem for pre-2012 devices. Your "everything is fine with 802.11d" most likely means that apple no longer uses 802.11d at all, or...

xvo

not a true statement, on all models since 2012, everything is fine with 802.11d. The AP must broadcast 802.11d. a piece of shit - tp-link even does it. That is a known problem for pre-2012 devices. Your "everything is fine with 802.11d" most likely means that apple no longer uses 802.11d at all, or...

xvo

Apple's implementation of 802.11d is a real pain in the ass, indeed. And setting the correct country code on the AP in use won't solve the problem in some cases. For example (at least for some older macbooks's), if there are changes in country regulations, they are not updated in the drivers. So if ...

xvo

There won't be one. Audience hasn't got USB port (at least I didn't see it mentioned), so you'll have to use generic PowerLine2ethernet devices.

But it has two ethernet ports, so PWR-LINE-PRO can be used.

xvo

The only thought to consider: hEX S have a very weak switch chip implementation - it can't do vlan's in hardware, only in software. It is not a real problem for small loads, but depending of the intra-vlan/inter-vlan ratio it can be a good idea to put a more decent switch between hEX and the rest o...

xvo

Here is my config backup! I have not internet still, and router cant still not ping internet from it self. Could it be the routerbord firmware? Mine says 6.45.3 but on download page it says tilegx_3.41.fwf or is that someting else. Just thinking of what it can be as i think Routerbord follows Route...

xvo

The only thought to consider: hEX S have a very weak switch chip implementation - it can't do vlan's in hardware, only in software. It is not a real problem for small loads, but depending of the intra-vlan/inter-vlan ratio it can be a good idea to put a more decent switch between hEX and the rest of...

xvo

Uh, wait. You said you wanted to use it as an AP only. Then you should have no WAN interface at all, it should be just bridging (wifi is LAN, ethernet is LAN)... right? Or am I missing something? At this point all real WAN/LAN distinctions are already removed from configuration. That's just names o...

xvo

Thanks! I got my device today and had it configured in minutes, thanks to you guys. Quick question though, I'm using the WinBox GUI to connect and configure, which works fine from any device actually connected to the hAP wirelessly. However I have a hard-wired machine on the same LAN as the hAP (it...

xvo

The lamest way to do it is to use the quick-set menu, select the "Home AP Dual" template, and then in the template: - configure a static LAN IP address of your router, that is free in your network. - and remove the check from the DHCP server option. This way eth1 will still be your WAN interface me...

xvo

Hi, I know that it can be configured as router, but if you look at the links my configuration is only as l2 switch no routing no fw no vlans and still if i copy file from computers in same subnet so routing is not required I got this performance drop. It looks like for some reason it is hitting cpu...

xvo

It's not "just L2 switch", but also a router at the same time.
Not a powerful one, so when it routes instead of switching, you see a huge performance drop.
Keep that in mind configuring your network.

xvo

If it bothers you, just set it 1Gbps for all gigabit ethernet ports and it will disappear from export. It does not bother me, but can easy be misunderstand. On Cisco speed 100 settes the interface 100MB/s fixed. ...and on mikrotik auto-negotiation on/off and speed when auto-negotiation is set to of...

xvo

Running 6.43.4 I do see this as well. /interface ethernet set [ find default-name=ether1 ] name=ether1-Wan speed=100Mbps set [ find default-name=ether2 ] name=ether2 speed=100Mbps set [ find default-name=ether3 ] speed=100Mbps set [ find default-name=ether4 ] name=ether4 speed=100Mbps set [ find de...

xvo

1-5: You need to advertise dns for your deviced: IPv6 --> ND 6: Yes, that is normal. DHCPv6 is ROS is currently incapable of handing addresses - only prefixes. All the addresses on another RB have to be configured manually, got by SLAAC, or picked from prefix pool. So you can: 1) assign the address...

xvo

Would be nice if CRS112 was half rack width with option to join 2 together to make 16 port full width.

And it doesn't look like having 16G and 1-2SFP+ in CRS112 size is something impossible either.

xvo

Hello. Well i've the same problem here. No ADSL or Fiber...that's why i'm using LTE connection. So...3Unlimited and Vodafone Red+ must have linked to a landline contract? Thanks in advance. Maurizio True for 3Unlimited, but haven't seen such limitation for Red+, only that it is obligatory to stay o...

xvo

I guess no need to further explain the difference between static DNS servers settings and static DNS entries?

xvo

Well, if you have four entries there, how is it blank?!
Remove these four entries, and that would be blank

xvo

I am talking about the IP DNS settings that show up at the top of the frigging page IN WHITE BOXES............ These are set by the ADMIN. What do you call those then???? FIXED DNS settings ;;--))))) In any case, I was stating that using PEER DNS setting overides the manual FIXED entries on the IP ...

xvo

I think my Use Peer DNS, 'trumps" your IP DNS reference. In any case, I imagine you like warm beers, which is like stale cigarettes to a smoker OR moldy cheese to John Cleese in the cheese shop, ie gross but it will do pig. Use-peer-DNS adds dynamic entries, so the static ones will be preferred (if...

xvo

Thanks for the info, but Unlimited Red+ seems to be smartphone only, and I have no luck to find any info on 3Unlimited. For Italian law, you can use the GB of any mobile plan as you want. You can use sim for smartphone for tethering and modem without problems. https://www.ilsole24ore.com/art/tecnol...

xvo

https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack

"firewall filter and mangle rules will not be applied for FastTracked traffic"

xvo

There's no real difference. You'll just get a public ip instead of some private one on your WAN interface. When you purchase public ip from you provider, I'm sure they will explain the method, how they deliver it - do you need to assign it manually, or you will just get it by DHCP client of from PPP...

xvo

thank you very much for your information God bless you You are welcome. Just keep in mind that having a public IP means you need to pay more attention to security, i.e.: - properly configured firewall - access to services on the router not exposed to the outside - and the ones that you don't use - ...

xvo

It does not matter if I set it to passthrough :/
Also in Wiki there are not passthrough enabled..
https://wiki.mikrotik.com/wiki/Manual:PCC
As I said it works on hAP-lite just not hAP-AC2.
Have you tried it on hAP-AC2.. has anyone?

Passthrough=yes is the default setting.

xvo

The best way is public IP + any kind of VPN server running on your RB. thank you for your speedy replay lets say you get puplic ip for example = 37.230.130.95 what are the next steps , what are the settings in mikrotik system to using this puplic ip address for remotely accessing my routerboard? an...

xvo

But that goes to my point about nothing specific in the redirect rule. How would I exclude the VLAN from that rule in NAT when no source or destination is identified? Just add source to the rule ( in-interface or src-address ) :) Also I am not quite sure if you answered the question, where does the...

xvo

Hello. Well you'll not find any unlimited from our major carriers (vodafone..tim..TRE/ Wind). But there are some company which are selling internet service using our carriers nets. It's not true! Only TIM don't have unlimited data plan. Vodafone have Unlimited Red + WindTre have 3Unlimited Both the...

xvo

You can either remove all current connections to the cam manually (IP --> Firewall --> Connections). Or you can move you rule higher then established/related one, but that can result an additional CPU load (because all traffic will be checked by this rule, even the connections that were already esta...

xvo

The best way is public IP + any kind of VPN server running on your RB.

xvo

Just kidding, inside joke with xvo, he has helped through the same process held my hand, heck practically changed my diapers LOL. You are in good hands, but plug your nose, dont like his aftershave (who am I kidding I'm convinced he doesn't know what a razor looks like must be his perfume errr colo...

xvo

Okay so a user manual setting on a computer will override the DHCP network setting and thus the redirect rule is required (for the office setting) Yes. For office internal network it makes more sense. Especially if you need everybody to use some special dns service - with security and content filte...

xvo

I also find such measures unnecessary in home environment. Someone can always set it manually on the device's network settings. But who cares?! It's a guest network anyway. If someone among your guest have set his laptop/phone to always use google dns, so let it use it - less load and unneeded cache...

xvo

1. Redirect is like dst-nat to the router itself. So if you redirect all DNS requests it means that the will be served by you router, without the client knowing it. Even if it will try to use some external DNS. 2. use-peer-dns only means that you will get the addresses of DNS servers from remote pee...

xvo

Not separate, the "dns" topic in logging section.

I meant that you can use action=redirect in /ip firewall nat for DNS requests - that will force the use of your DNS even if a client attempts to connect to any other DNS server.

xvo

Good to know, now I can add the other vlans I have been planning;

Much thanks!
Forget the Ghost Busters, call XVO!!

You are welcome!
I'll try not to forget about the beer you mentioned

xvo

Okay, it worked but I am confused. I added the guest vlan to the interface list for LAN and voila magic it worked. BUT........... I already had. a. homebridge on the lan interface list b. ether2 on the lan interface list c. ether3 on the lan interface list d. ether4 on the lan interface list Since ...

xvo

Thanks - hadn't spotted that. Now got that enabled, and getting some DNS info in the syslog file. It's not very useful info though: <14>1 2018-11-03T17:27:46+00:00 MikroTik forward - - - forward: in:bridge1_LAN out:EE Broadband, src-mac 24:5e:be:1d:09:9f, proto UDP, 192.168.1.98:54957->8.8.8.8:53, ...

xvo

/interface 6to4
add disabled=no !keepalive local-address=1.2.3.4 name=6to4-tunnel1 remote-address=192.88.99.1
Code: Select all
local-address = wan IP
remote-address = address of the tunnel end

That's right and 192.88.99.1 is the right remote-address for 6to4

xvo

xvo

To make firewall logging work you need not only to set log=yes in the rule but also add logging for the firewall topic (or a part of it):

/system logging
add action=remote topics=firewall

(Of course you need to get a syslog server running on your NAS beforehand).

xvo

Well &^%^ me! Awesome pickup. When you come to Canada, I will have a cold beer waiting for you, heck a whole case for all the trouble I have put your through for one little typo. I will fix and try right away! Okay, partial success!!! I now get an IP and connect to the router through the capAC. How...

xvo

1-5: You need to advertise dns for your deviced: IPv6 --> ND 6: Yes, that is normal. DHCPv6 is ROS is currently incapable of handing addresses - only prefixes. All the addresses on another RB have to be configured manually, got by SLAAC, or picked from prefix pool. So you can: 1) assign the address ...

xvo

Found this: /ip address add address=192.168.0.1/24 interface=HomeBridge network=192.168.0.0 add address=192.168.2.1/24 interface=ether4 network=192.168.2.0 add address=192.168.100.0/24 interface=GuestWifi_T&B_V100 network=\ 192.168.100.0 Unless it's a typo in the post, looks like a reason to me :)

xvo

they should not yes, but i have this issue and also they will be upper of dynamic rules in raw tab

Are you sure they aren't just sorted?

xvo

Hello. Well you'll not find any unlimited from our major carriers (vodafone..tim..TRE/ Wind). But there are some company which are selling internet service using our carriers nets. For unlimited service : OGilink - Works with Vodafone..but is quite expensive. 69 for unlimited - or..39 Euros to have...

xvo

Thanks a lot..!!! Ang greetings from Italy Maurizio Hi again. It turns out, I might need a little advice from you too, if you don't mind: Can you suggest me any mobile carrier in Italy, with unlimited LTE traffic plan, that won't cost me a fortune? :) I might end up having to install a setup very s...

xvo

It shouldn't change on its own.

xvo

I think the answer in your use is to simply get a CRS328 which is a little more expensive but has some "growing room". https://mikrotik.com/product/crs328_24p_4s_rm I hope that dedicated PoE and non-PoE ports will not be a thing in the future and they adopt the standard they are currently setting a...

xvo

Thanks a lot..!!!

Ang greetings from Italy

Maurizio

You are welcome!

xvo

When using L2TP + ipsec you can't be sure, that the packet is not fragmented, even if you specifically restrict fragmentation of the original packet. The original packet first packed into l2tp (that can, by the way, also perform fragmentation and defragmentation, but only if asked to), then it is pr...

xvo

Hello. I don't have any free ports in the router, so i have no choice but to connect them to the switch runnings SwOS. Also i want maximum performance so i don't want to do any filtering/routing/bridging in the CPU, i want to use something that my devices have hardware support for. Thank you for yo...

xvo

I guess it has to do something with that data lanes XOR logic - either SFP or one more lane to the switch chip. You are right - looks like most possible cause. Despite you say the problem is solved, I think this behaviour should be described somewhere (on a wiki? in quick start guide?) in a form of...

xvo

You can either make bridge use IP firewall:
https://wiki.mikrotik.com/wiki/Manual:I ... e_Settings
Or configure filters on the bridge itself:
https://wiki.mikrotik.com/wiki/Manual:I ... e_Firewall

xvo

If you can have the PCs that need to be isolated connected directly to hEX, not the switch, then you can do it without vlans and in several different ways: - you can create separate subnet(s) for such PC(s) - you can run IP firewall on the bridge - you can configure bridge own filtering - you can us...

xvo

Is there a possibility, that you have a default config address assigned to sfp interface instead of the default bridge?

xvo

Hello. Yes..i was looking to it or any RB 951. But what about wireless coverage? Using a CAP AC for example, will help me to have a better wireless coverage inside the house? I know is more complicated but maybe those AP have a better and bigger antenna inside. What do you think.? Does it make sens...

xvo

+1
Need that too

Any of this with internal PSU will be fine:
CRS318-8G-8P-2S+
CRS318-10G-6P-2S+
CRS318-12G-4P-2S+

xvo

hello. I can't use the RBM33 like this just because the routerboard is installed on the pole to make the antennas cables as short as possible. I need to have one router..or switch with dediated AP to be used inside my home. I see... But you can still combine switch + AP in one device, or perhaps ev...

xvo

Hi!

It would be great to be able to configure the refresh rate to lower that bandwidth consumption...

You can give it a try here: viewtopic.php?t=45934

xvo

Hi! Thats strange... I am connecting to the IP of the CRS. I just checked my Firewall-connection-list.... If I just connect to the CRS, it consumes only a few kbps (14,4) If I only open the interface-list, it goes up to 260 kbps --> The problem seems to be the Interface List. Can you confirm this? ...

xvo

any switch working like that to suggest to me for home applications?

Thanks a lot.

I think any switch will do ok, but my point was to eliminate the need of additional switch at all, combing it's functionality with AP.

xvo

do you know if any MiniPCie dual and modem exist to be used with routerboard? i've one SXT LTE without modem...eventually i could buy a modem to use it like AP.. Unfortunately I don't have much knowledge about MiniPCie modems/wireless cards. I thought you were going to use RBm11G with the modem? If...

xvo

Yes both checked in safe mode and nothing bad happened so safe mode is off. Operations direct connect commences today. Actually I have a spare (second ethernet cable, diverted from an unused location box, before the basement was recently finished, so I have a direct line to the patch panel going to...

xvo

You can even eliminate the need to buy a 56$ 260GSP and buy a device that will serve as switch, AP and will provide power to RBm11G.

xvo

Hello.. Oops..this is new to me. is it possibile to buy the level 4 licence and upgrade it..? You can purchase it ( https://wiki.mikrotik.com/wiki/Manual:License#License_Levels ). But there's really no point to do so in your case. There are plenty of newer devices, more powerful than RB 411l, that ...

xvo

Done, and still not working. Something is preventing the devices using the virtual AP from a. getting dhcp assigned and b. no internet. I wonder if because I am connected to homelan on my smart phone, when I try to connect to the vlan, the smartphone isnt able to switch IP structures (unlikely). So...

xvo

Okay I will try the VLAN filtering. Not sure what function this does but the last time we tried it at least on the hex, in safe mode, it didnt like it LOL. On the Bridge Vlan checkbox after selecting VLAN filtering, there is only one option to enter a VLAN, Right now it defaults to PVID1 Should I e...

xvo

as i've a Rb411l with a wireless card to be used as AP...this can be connected to the switch as well right? Can the RB 411l upgraded to the last routeros version? You can connect it to the switch and you can upgrade it to the latest version, but you can't use it as AP (unless you have bought a sepa...

xvo

When set to "auto" the switch will perform a check whether device supports PoE or not, and It will apply current only to ports where the devices need that. And if you want, you can always set PoE-mode to off for ports that don't need it. https://wiki.mikrotik.com/wiki/Manual:PoE-Out#SwOS Router or s...

xvo

Hi! Absolutely. I checked it twice It should not be that way. That is winbox connections to 4 different routers: Lower 3 have no open windows, only cpu/time/date/etc in the dashboard. Upper one has an open IP --> Firewall --> Connections from where I took a screenshot. So it never rises over 5kbps/...

xvo

I'm afraid that while each MST instance does build its individual topology (it's the essence of MST functionality), you cannot set different priority/cost to a single port in each instance. So if your idea was to say that port A has lower cost than port B for MSTI 0 and port B has lower cost than p...

xvo

Hi!

I see constantly 200 kbps with NO open windows.

...tested with CRS 326.

Stril

Are you sure that it's winbox traffic?

xvo

Try to remove tkip from /interface wireless security-profiles

xvo

You need to add bridge itself as a tagged port for your vlans, to make a connection to ip configuration of vlan-interfaces: /interface bridge vlan add bridge=bridge1 tagged= bridge1 ,sfp-sfpplus1 untagged=ether6 vlan-ids=100 add bridge=bridge1 tagged= bridge1 ,sfp-sfpplus1 untagged=ether5 vlan-ids=4...

xvo

Yes, but with only one window, I already see 200 kbps... Torch? :) Not necessarily :) For example firewall with around 40 rules - adds around 100kbps in spikes. Interfaces window with 10 interfaces - 80kbps, almost constantly. IPsec Installed SAs with 10 items - 20kbps. So opening a bunch of window...

xvo

Seems that inject-summary-lsa=no works only for stub areas, non for NSSA.

xvo

type=stub ?

xvo

Winbox traffic depends on the number of simultaneously opened windows (number of data, that need to be refreshed in real-time).

xvo

I see no structural flaws: so the last thing left to do is to enable vlan filtering for bridges on both devices. Answers to your questions: 1) I suggested to connect cAP to hEX directly only temporarily - to debug their config and get them running 100% as they should, and only then to deal with any ...

xvo

Thank you for the reply. Since this is only a single trunk port, I just set it up the "old way" with 2 bridges. The EAP245 does properly accept tagged vlans and is giving out proper DHCP on each SSID. I am sorry I posted the question so poorly. I am just having a hard time understanding the post 6....

xvo

There are numerous similar topics on the forum. Briefly: if you need a more complex config then a single trunk port, then in latest ROS versions the best way to configure vlans is one single bridge containing physical ports, with vlan-interfaces created on top of that bridge , and vlan filtering eit...

xvo

Just another suggestion: test with cAP attached directly to hEX (with no switches in between) - there's still a tiny chance, that they can mess with the process.

xvo

Got it working properly now. Thanks for your help!

Great! You are welcome

xvo

Hi xvo, In my current forward rules I probably go overboard as I have source address (192.168.0.0/24) In-Inteface: HomeBridge Out-Interface List: WAN But I do that to distinguish which address source on the home bridge I am delineating. Thus my intention for the VLAN to WAN allow forward chain is t...

xvo

Please post an export from both routers.

xvo

After a couple of days with just another similar topic I started to mix things up :))) The correct setting for cAP will be: /interface bridge vlan add bridge=bridge tagged=ether1,Basement_Guests vlan-ids=100 You are right about firewall rules - need one rule to allow from Guest to WAN. From Guest to...

xvo

I've figured out how to set the limits for the VPN user. Now if I log in as that user and exceed the limit the VPN connection drops. Is there anyway that I can keep the VPN connection established, but drop packets instead? Use the second option I mentioned - dynamically created queues, configured o...

xvo

What in-interface for traffic which go from bridgeLAN interface to bridgeLAN interface ? Why if i do exactly same operation on CCR then ping works ? I doubt interfaces are used at all when you are pinging local addresses. At least in-interface. And you log entries clearly show that. If you want to ...

xvo

Some things are still not clear: do you have your tunnel bridged with LAN only on one side or on both sides?

xvo

...and finally I got what are you trying to prove

No difference in behaviour between CCR and all others I mentioned above.
The answer is in your log: obviously, in such case there is no in-interface, so it doesn't match your first rule.

xvo

On hEX you forgot to allow traffic from Guest.... to WAN

On cAP, that:
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN,bridge vlan-ids=100
has to be this:
/interface bridge vlan
add bridge=bridge tagged=Guests_T&B_VLAN,Basement_Guests vlan-ids=100

xvo

Tried on hEX, hAP ac2, hAP mini - nothing like this.

xvo

Well, the next day. I'm still trying to build up a simple AP and it still doesn't work... :( It's even impossible to set the CAP with the Quick Set again :-/ If I choose that option and activate it it's impossible to connect to the AP again :( :( :( Isn't there a step by step tutorial to build a AP...

xvo

It totally makes sense.
When increasing the timeout you are still sure that the action for all previously met rules are still fulfilled.
If you allow to decrease the timeout, that will mean than one rule can cancel the one that was met previously.

xvo

What exactly do you have configured on that bridge?
What is connected to it?
Do you have (R/M)STP running on it?

xvo

All changes implemented and ready to test it shortly. In terms of the cap AC setup. Let me recap. a. its in ap bridge mode and not router mode so not sure why the default config has ether1 in WAN mode. b. ether1 is active and is physically attached to the network, strangely the cap AC seems to be h...

xvo

After implementing vlan-aware bridges with hw-offload you no longer need 1 bridge per vlan. But with VLAN-aware bridges you have no hw-offload at all! The config mentioned above - with multiple bridges - was always purely software, and it was the only way for devices without switch chip. No point t...

xvo

I want to see HW Off-load enabled in all bridge interfaces, not just one. Specially knowing that you need 1 Bridge per VLAN having this limitation is a killer as I will limit the traffic throughput without unable to get wired speed only in just 1 VLAN. Really?? Seriously?? After implementing vlan-a...

xvo

I don't see anything wrong. And I could not reproduce the issue: I have an AP running with vlan-mode=use-tag and vlan-inerface attached to the bridge with the only difference being vlan-filtering enabled on the bridge. I disabled vlan-filtering and it made no difference, I was still able to connect ...

xvo

What is the purpose of you nat rules?
I'm almost sure that one default masquerade rule is sufficient:

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

or

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1

xvo

I've figured out how to set the limits for the VPN user. Now if I log in as that user and exceed the limit the VPN connection drops. Is there anyway that I can keep the VPN connection established, but drop packets instead? Use the second option I mentioned - dynamically created queues, configured o...

xvo

Please, attach the whole config with hide-sensitive option.

xvo

The WISP AP in a bridge mode doens't work at all. No Internet via LAN nor WLAN and I can't connect to the accesspoint again, so I have to do a OS reset. In wisp ap bridge mode you need to connect cap to existing network with running dhcp server for it to work, it won't work standalone. I just have ...

xvo

There is rate-limit setting in ppp profile.
Or the ability to create a queue autimatically.

xvo

Here's the link to the similar thread:
viewtopic.php?f=13&t=138366&p=682048#p681679

xvo

The closest quickset preset for you is WISP AP in a bridge mode . But it is preconfigured with only one radio, and the second one disabled. So you will need to configure the second radio manually. Or you can go the "pro way" and configure everything from blank config without using quickset. If you w...

xvo

That should work just the same as with ethernet port.

Check what do you have in /tool mac-server mac-winbox export
You probably have not the whole vlan but only some interfaces added to that list.

xvo

Ok, that worked so far. I set the intern IP adress of my Accesspoint to the IP I got from the FritzBox and deactivated DHCP on my accesspoint. I changed my PC IP manually and I can connect to the accesspoint now. The problem is now, that I don't have a internet connection with my pc. What can I do ...

xvo

1) On HEX this line: /interface bridge vlan add bridge=HomeBridge tagged=ether2 vlan-ids=100 must include the bridge itself: /interface bridge vlan add bridge=HomeBridge tagged=HomeBridge,ether2 vlan-ids=100 On cAP AC it is really a little messy :) 2) This: /interface vlan add interface=Basement_Gue...

xvo

The default firewall is configured to allow access from interfaces in a default interface-list "LAN", so just add your new bridge as a member of this list.

xvo

Just to give some information about this setup. It is the old way by using many VLAN. From 6.41 you can use Bridge aware VLAN. Se some example here: https://forum.mikrotik.com/viewtopic.php?t=138232 ...and the config above is exactly a vlan-aware bridge. Aka "the new way". "The old way" would be а ...

Search found 420 matches