MikroTik

Spartacus

Hi, I wanted to route MC between two Subnets. VLAN10 and VLAN30. The MC Address is 239.255.255.250 and traffic should be routed for VLAN10 to VLAn30 and the other way around. There is only one Bridge with VLAN-Filtering on. I have also enabled IGMP Snooping on the Bridge. There is no FW - Rule betwe...

Spartacus

Hi, thanks for reply. But for me, that cannot be the case. I have no FW-rules between the Subnets and all the traffic is allowed. So for me it is annother issue, why this is not working. Before the last MT-Update everythink works fine but since 6.46.6 it doesn´t work anymore. Sonos Controller is als...

Spartacus

Hi all, I have the same issue with the PC Controller on Windows when the PC is in a different VLAN than SONOS Players. I am a little bit frustrated that the Controller App cannot find the System anymore. I do not have the isses from an Android Phone. Does anybody know the differences between Windows...

Spartacus

Hi ilovepancakes, thank you so much for this test! I thought I was going crazy! None undestood my issues, but now, I have the certainty that only "operation-mode" will work with the FW-rules above! BTW: I also noticed, that you are not able to make Sonos Updates from a controller in a diff...

Spartacus

Hi, we talk at cross purposes :-) My players are all connected to the LAN by Ethernet. The players are in vlan30, the controller in vlan10 FW between vlan10 and vlan30 is setup as above! Everything works, once controller is registered. BUT: If you start a fresh installed controller software on a cli...

Spartacus

Hi, only one last question! If you reset the controller on your MAC (disconnect from SONOS-Net), and if you then try to register the controller again to your existing SONOS-System. Does this work with the setup above, if your MAC is in a different Subnet than the Players? If you can test this,, it w...

Spartacus

Hi all, thank you for your reply, but it doesn´t change anything if I remove the RP. What I noticed is, that the SONOS players use different UDP-Ports for communication if they try to connect to a controller. I saw a lot of upd -FW-drops in a range between 30000-60000. If I open this range, connecti...

Spartacus

Hi, it´s me again. I see that two FW-rules are not working because package counter is 0. But I do not know why! add chain=forward comment="Forward Sonos multicast traffic" dst-address=239.255.255.250 place-before=$plcBefore add chain=forward comment="Forward Sonos UPnP device discover...

Spartacus

Hi all, sorry for responding so late. I´ve checked the it now without Cisco-Switch and it is not working very well! My Sonos Players are in Subnet vlan30 and the Controller are in vlan10. I have cofigured vlan10 and vlan30 directley on MT-Router Ports as an untagged vlan and i have connected a Windo...

Spartacus

Hi,
thanks but I know this Tutorial very well!

Christian

Spartacus

Hi all, thanks for support. I checked my rules and everything is like described in this thread...Maybe my issue is in annother details, which I did not mention! The RB3011 is the Router but all Sonos Devices are attached to an Cisco SG350x-Switch. I followed this thread: https://support.sonos.com/s/...

Spartacus

Hi, thanks for quick reply! Yes, VLAN30, VLAN10 and the other Controller VLAN is configured in PIM PIM.png I will check Rules tomorrow again, and will let you know! Maybe I do not see my issues! :-) But please check in parallel, if you can add a new controller in the Controller VLAN, or if you can u...

Spartacus

Hi anav,
thanks for reply,
Now it works with Freeradius and mysql-DB. WLAN-Client authenticates with its MAC-Address and receives the desired VLAN. I use a single SSID for all VLANs with multiple cAPs, managed via CAPSMAN.
Spartacus

Spartacus

Hi, I have Sonos players in VLAN99, PIM is active and FW rules are also implemented. It works, but not very well. A new controller can only be added to the system, if i put it temporarily in VLN99 . Same with SW-Updates. I cannot start SW-Updates from the "Controller-VLAN10, only if the control...

Spartacus

Hi,
nobody an idea, if this works, or how to configure?
Spartacus

Spartacus

Hi everybody, I have insatlled a RADIUS server and running MAC authentification with dynamic VLAN assignment on my Cisco Switch for the wired clients. This works pretty good. Username and password is the MAC addess of the cclient and the response ffrom RADIUS is the VLAN which is assigned to the cli...

Spartacus

Hi eberybody, I have an issue with some SIP Clients in my network setup: Network Setup: VLAN 20: internal SIP Server for internal and external Communication (Registrar: Fritzbox 7412) VLAN 20: 4 x Cisco 79xx Sip-Phones attached to Fritbox 7412 VLAN 10: Softphone (e.g. Phoner Lite) attached to FritzB...

Spartacus

Hi anav, funny how different people are. Some people do not want to see the ASCII and others do not want to see the sceenshots :-) Nevertheless, now i have it! The issue was in the interface-list WAN (-> screenshot) No idea how this happens. I removed "all" from the list and now it is work...

Spartacus

Hi anav,
n idea what is going on here. I´ve disabled nearly all Forward rules but it is still not working as it should.
I have no idea what rule is wrong! And I am wondering why no packages were dropped! This seems to be very stange!

Christian

FWRule1.png

Spartacus

Hi, it´s me again. I have learned that VLANs are separated on Layer2 but Layer 3 must be restricted by FW-rules. But I do not really understand, why it is not working. Why is inter-VLAN Traffic not dropped by the "Drop everything" -Rule at the end of the Forward Chain. If someone can have ...

Spartacus

Hi anav, I do not think that the issue is in the FW rules. It must be within the VLAn Config because: - when I initally setup the Router, I startet with VLAN config and I have had no implemented rules. FW was blank. The effect was, that VLANs could not see each other. This was the purpose. - I confi...

Spartacus

Hi anav, I am back on the Router. And I know what happend. I disabled this rule: add action=accept chain=input comment="allow AdminSubnet" in-interface-list=\ LAN src-address-list=AdminSubnet and this was why i cannot connet to the Router. Reset worked and now I recovered the Config. But:&...

Spartacus

Hi
@mkx:
What does this mean? I do not understand this.

@ all
I cannot access the router anymore with winbox. not sure what happend. And I also cannot reset the RB3011 via Reset Button. It is ignored. Does anyone has an Idea how to get access to the RB3011 again?

Spartacus

Hi anav, the changes I made did not have any effects. This means, that Access accross all Subnets is possible. And all changes I did during the last 5,6 months is an OS Update. Seems to be that something happend here. I need to separate the VLANs from each other but not sure, where I can start. I am...

Spartacus

Hi anav, let me summarize what I did until now: I hope I understood correctly: 1. changed the vlan settings under "Bridge" and I removed the VLANS itselves from "tagged" and "untagged" section. VLAN_02.png 2. I also changed SFP1 from "untagged" to "tagged...

Spartacus

Hi, ok. Seems to be not so easy to change Management VLAN. The Cisco devices and the CAPs are configured on VLAN1. If I change it on the Mikrotik from ID1 to ID11, I cannot access my Cisco switches anymore and I am not sure how to change the management vlan of the cisco from VLAN1 to Vlan11 From SFT...

Spartacus

Hi anaw, thanks for quick response. I do not understand all of your comments, but I have to be very careful with what I do, becauseit is in production and small changes can caouse an big issue. I will start with the admin vlan ID. Not sure how long this takes, because it is long time ago that i conf...

Spartacus

Hi anav, great! You are still there, and yes, I am fighting with my router again! I was wondering about this topic today and I am confused. I gues that changes in the OS may couse the issue. Please find below the config. I have shorten it because it shows more than 1000lines and i guess CAPSMAN conf...

Spartacus

Hi all, I have configured bridged VLANs with VLAN-Filtering some time ago. Everything worked fine for months and my subnets did not see each other. This was done under Router-OS 6.4. In order to allow some Subnets to communicate, I installed a FW rule: add action=accept chain=forward comment=\ "...

Spartacus

Hi czfan, thanks for the RTP audio tipp. But why do I need an additional rule for that. I add both subnets to my "VLAN-Friend"-List and everything is allowed between the both subnets. So I do not understand an additional rule for that, @RackKing: Yes, My Sonos Speakers are in VLAN30 and th...

Spartacus

Hi, maybe there is a missunderstanding for the NTP-Rule: NTP-Client (to sync RB with NTP-Servers in WAN) and NTP Server (for Clients in LAN) are running on RB3011 and all clients accross the different subnets can use the GW-Address of the current Subnet als NTP-Server to synchronize the time. Theref...

Spartacus

Hi, here is my feedback. - the NTP rule is necessary to accept NTP queries accross my subnets - I do not use Port 25 for Email - Port forwarding rule is disabled - The SONOS Rules are only for my Sonos devices in VLAN30 (192.168.30.0). It is necessary for the UPNP Discovery and forwards the requests...

Spartacus

Hi, ok here it is, but it is not simplel! Remark: Some rules are disabled! Christian # nov/27/2018 17:09:21 by RouterOS 6.43.4 # software id = UJ3A-L315 # /ip firewall address-list add address=192.168.1.0/24 list=PrivateSubnets add address=192.168.10.0/24 list=PrivateSubnets add address=192.168.20.0...

Spartacus

Hi everybody, thanks for support. But it seems to be not working. The PC Client Software, Phoner, is working on the Client Subnet (192.168.2.0/24) and the Server IP is 192.168.1.10. I configured full access betwee the subnets without success: /ip firewall filter add action=accept chain=forward dst-a...

Spartacus

Hi,
many thanks for your replies and sorry for late response, but I am on business trip and limited access to internet and my router. I will check tomorrow and post my config.
Thanks for help,
Christian

Spartacus

Hi, I have configured several Subnets on my RB3011. All Subnets cannot see each other, it is disabled by FW-Rule. Now I would like to configure some exceptions. I have a local SIP Server on Subnet1 with IP: 192.168.1.10. Client on Subnet1 can connect correctly to the Server, but Clients on Subnet2(1...

Spartacus

Hi,
this rule seems to be working

add action=accept chain=input comment="Allow LAN NTP queries-UDP" dst-port=123  in-interface-list=LAN protocol=udp

Christian

Spartacus

Hi, thanks for clarification. I´ve setup the NTP Client and I can see that NTP-Client on RB is synchronited. But client cannot sync. RB IP 172.16.1.1 My subnet with the NTP-Client is 172.16.30.0/24. IP requested via DHCP, GW is 172.16.30.1 NTP-Config on the client is 172.16.30.1. and I can see in th...

Spartacus

Hi,
thanks for your answer,
but I have configured I"P Cloud ->Update Time". This means that RB3011 has the correct time. This is not the reason for sync issues. Seems to be that the cliend do not find the NTP-Server on my network.
Maybe I have to enter some FW rules?

Christian

Spartacus

Hi, I would like to sync my local mashines (different networks) with the RB3011. I setup the NTP-Server service, but the clients do not sync. /system ntp server set broadcast=no enabled=yes manycast=yes multicast=no NTP-Server for the clients is the GW-Address of the Subnet. (e.g. Network:172.16.30....

Spartacus

Hi, thanks for the modification of the NAT-Rule, but it is not working! Let me try to explain the whole story. Maybe some has an idea: I have Sonos palyers on vlan30 and controller on vlan10 and vlan60 (interface-list "Sonos Control"). PIM is working and I implemented the following FW-rule...

Spartacus

Hi,
I use 6.42.6 and FW3.41 on RB3011
Christian

Spartacus

Hi,
yes, it is ether1 (WAN)
Christian

Spartacus

Hi, I have several internal subnets with WAN Access and the following NAT-Rule: add action=masquerade chain=srcnat comment="masquerade LAN->WAN" out-interface-list=WAN Internet works for all VLAN Subnets, but I have an issue with Multicast Routing within my subnets. If I disable the NAT Ru...

Spartacus

Hi,
who can help with Multicast Routing on a bridged vlan?

Christian

Spartacus

Hi, I need help with Multicast Routing and PIM. I installed the PIM Module on RB3011 OS6.42.6. and PIM is not working for my vlans. I am using a bridge with vlan filtering. All vlans are attached to this bridge. I am using Sonos Player in vlan30 and Controllers in vlan10. The configuration of the FW...

Spartacus

Hi everybody, I got it working for three weeks. But since Update to 9.0 I have a lot of troubles. Sometimes the controllers cannot find the players. I also had trouble with the update. It works only if controller and player are in the same subnet. It is also not possible to enter a new controller to...

Spartacus

Hi Chiverel, I would like to give you a feedback. I decided to disable Twonky on qnap. I installed Kodi on my amazon Fire TV Stick and the android devices, and everything works fine with an nfs share...and btw,, it is very fast! This is ok for me and I think I will not go back to Twonky. But if you ...

Spartacus

Hi, thans for sharing your results! I saw you are using the native DLNA-Server and not Twonky, so this issue seems to be qnap specific. I will also do a test with VLC next week in order to check my Router Config. https://www.administrator.de/content/detail.php?id=362413&token=462#comment-1259332...

Spartacus

Hi, the cAP is managed by capsman and my question was, if the cAPS will sync automatically via capsman, without any additional config on the cAP. Sync time in /ip cloud is enabled (by default), but from which source is it synchronized, from internet? If yes, is it better to add the local router (RB3...

Spartacus

Hi Chivere, I understand what you say, and it is the same to me. Two months ago, I never heard about Mikrotik Router and I learnd ffrom scratch everthing about bridging, vlans and how to implemenz cAPs. I found out how to move my sonos players into a separate subnet and how firewalling works. My con...

Spartacus

Hi, I noticed somthing interesting, maybe you have an idea who to solve this: I put the android in VLAN10 and it works. After that I connected the the tab to vlan60 without closing the Slik UPnP-App and I could receive Streams from DLNA. When you close the app on the tab, the DLNA-Server cannot be f...

Spartacus

Hi, thank you so much for your support, This is really great! Here are the results of the Sniffer Tool: Sniffer in VLAN10 you can see the Notify-Packages from DLNA-Server you can also see the Search-Packages from VLAN40 and VLAN60 SnifferVLAN10.png Sniffer in VLAN40 and VLAN50 you can see the Search...

Spartacus

Hi, ok, let´s go the "Sniffer"-way: Test-Environment: VLAN60: Android Tab with Kodi (better than TV because wall mounted :-)) VLAN60: Windows Notebook with Sniffer VLAN10: Windows PC with Sniffer: I can see on VLAN60 the M-Search packages from the Tab on 239.255.255.255:9000. But how can I...

Spartacus

Hi, I checked the Sniffer in VLAN10: Sniffer2.png Sniffer.png You can see the request from my android tab in vlan60 (172.16.60.199) and it seems to be that connection will close. I do not know if this is correct, but seems to be an issue I also disconnected the Router from WAN and disabled all FW Ru...

Spartacus

Hi, I will test the Sniffer in vlan10 today. BTW: The android tab is in VLAN60. PIM details: Flags: RP - (*,*,RP), WC - (*,G), SG - (S,G), SG_rpt - (S,G,rpt) GROUP SOURCE RP WC 224.0.0.0 172.16.30.1 172.16.30.1 SG 224.0.1.1 0.0.0.0 172.16.30.1 SG 224.0.1.60 0.0.0.0 172.16.30.1 SG 239.255.255.250 0.0...

Spartacus

Hi, no the Windows PC in VLAN40 cannot see the qnap DLNA-Server. I can only the the qnap and the Web-Interface of Twonky. But if I try to open a movie nothing happens. I also tried with Kodi on Android. The DLNA Server cannot be found! It is not an TV issue! As soon as I connect the Tab to VLAN10, I...

Spartacus

Hi, it`s me again. I am little bit frustrated; it doesn´t work :-( The TV and the Windows "Network Environment" cannot see the Twonky-Serveron the qnap I can access the Web interface of Twonky from Windows (172.16.10.10:9000) What I did: I entered a forward chain with additional udp- ports...

Spartacus

Hi Chiverel, thanks for your quick response! I use PIM also for my Sonos Network, and it works The Players are on vlan30, controller on vlan10 and vlan60 (but seems to be not necessary in PIM) Here is the log: /routing pim mfc print detail group=239.255.255.250 source=172.16.10.10 rp=172.16.30.1 ups...

Spartacus

Hi everybody, I found this thread, because I struggle a little bit with the same issue. Maybe someone can help me with this specific setup, because I'm a little overwhelmed with the stuff. I have a Twonky- DLNA-Server running on a qnap in VLAN10. The clients (e.g. Samsung TV) is in VLAN40.. Both VLA...

Spartacus

Hi,
i wanted to install an ntp-client on a cAP AC, but it seems to be that the device will sync the systemtime over CAPsMAN automatically. Is this correct, or do I need to configure a ntp client on the cAP?
I cannot find any configuration in cAP config file
Christian

Spartacus

Hi Niffchen ,
can you please post your config for the Router and the AP? I don´t know why my config doesn´t work!
Thanks,Christian

Spartacus

Hi,
I have nearly the same issue, posted here:
viewtopic.php?f=13&t=136335&p=671531#p671531

Can someone please check this, and help me to get rid of the issue?
Thanks,
Christian

Spartacus

Hi, I am a little bit lost with an issue on my capAC managed by CAPsMAN on RB3011 I wanted to put 2 VLANs "on Air": VLAN60 (Intranet) VLAN70 (Guest) VLAN1 is the admin LAN and should not be "radioed" CAPsMAN runs on the RB3011. All VLANS are "trunked" via SFP to a Cisco...

Spartacus

Hi everybody, I need support in setting up a Sonos System accross different VLANs and i don´t know why this doesn´t work: prerequisite before: all palyers are in vlan99, all controller are in vlan99 Test scenario moving one player to vlan30 Implementation of: /routing pim interface add interface=vla...

Spartacus

Hi, i found this thread and I would like to implement this for my Sonos - System. I have controller on different vlans (vlan10, vlan20 and vlan99) and all the players are on vlan30. But I do not understand the "netControll" in the following configuration: :global ifControl "ether1-mas...

Spartacus

Hi all I've made some progress! I assigned the cAP an IP from my Admin LAN (VLAN1). I also created a "Wireless"-configuration and a "Provisioning" -config in CAPsMAn I changed CAPsMAN Interface to VLAN1. Radio is connected and it seems to be working with the admin LAN. But now I ...

Spartacus

Hi, thank you very much. I have installed the current OS and it seems to be that the AP is connected to CAPsMan on the RB3011. I can see 2 new interfaces cap1 and cap2 and it seems to be that this belongs to the 2.4GHz and the 5GHz net provided by the cAP AC. But now I am lost and I struggling with ...

Spartacus

Hi, I am a little bit confused. I am trying to setup two brand new cAPs AC and I am not sure how to check the CAPsMan Version on my RB3011 and the two cAPs. I would like to use CAPsMAN V2 but how can I check this? Is it included in Router OS 6.42.4, or do I have to upgrade CAPsMAN manually? If yes, ...

Spartacus

Hi,
can noone help here?
Christian

Spartacus

Hi,
misunderstanding from my side

But what about the performance issues with cAP AP and wAP AC. Is it still present? Or is it negligible? I'd like to ask some people about their experiences with the APs.

Christian

Spartacus

Hi, I am still struggling with the config. I´ve added ana dditional subnet to the config, but it does not work. Does anybody knows what is going wrong here?. /ip ipsec mode-config add address-pool=pool_VPN address-prefix-length=32 name=vpn split-include=172.16.1.0/24,192.168.1.0/24 system-dns=no Chr...

Spartacus

Hi Petri, thanks for your reply. I am not sure if the performance of the "ligh"-version is high enough for my WLAN-Client setup. I have some AVM repeaters and a Fritzbox running in my house and the performance is very bad and some clients lose connection sporadically. Therefore I think it ...

Spartacus

Hi Steveocee,
thanks a lot, the reboot was the solution!
How do we say in German: "Reboot tut gut!"

Christian

Spartacus

Hi, I am using 6.42.3. I wanted to resolve internal clients, not external addresses. e.g. client static IP: 192.168.1.7 client name: officePC If I ping officePC I will get now answer. /ip dns static add address=192.168.1.7 name=officePC This does not work for me BTW: Clients with DHCP are resolved c...

Spartacus

Hi, I have clients in my local network with static IPs but I cannot ping them with its FQDN. How can I enter the static address of my client to the RB in order to resolve the DNS name? I tried to enter the name under DNS->static with its IP, but it doesnßt work. Has anyone an idea what I have to do ...

Spartacus

Hi, ok, I have it! :-) On split-include you must define the networks that the client can access. And this is 172.16.1.0/24 and not 172.16.2.0/24 /ip pool add name=pool_VPN ranges=172.16.2.20 - 172.16.2.30 /ip ipsec mode-config add address-pool=pool_VPN address-prefix-length=32 name=vpn split-include...

Spartacus

Hi, sorry for the late response. I checked the changes from CZFan but now I will get an error in the log file (no policy found) and connection is not established. Changes: /ip pool add name=pool_VPN ranges=172.16.2.20 - 172.16.2.30 /ip ipsec mode-config add address-pool=pool_VPN address-prefix-lengt...

Spartacus

Hi, I am looking for WLAn AP for my house but iam not sure how many APs I will need and which device(s ) I should buy because there are a lot of different devices on the market (e.g. hAP AC lite, cAP ac, wAP AC) 3 floors basement garden support of 2,4 GHz and 5 GHz handover support CAPsMan support C...

Spartacus

Hi all
I checked anavs proposal, but it does not work. Same situation as before!

Christian

Spartacus

Hi, I am struggling with VPN Access over IPsec to my internal network. I can connect to the router, but I cannot access anything in my local network (no website, ping does not work, etc.) Connection is established. I guess there is an issue with my FW rules, but I do not have a clue what is missing....

Spartacus

yes, firewall is necessary!

Have you seen my blacklist-proposal? Is this what you mean? Or is it oversized?
Christian

Spartacus

Hi anav, thanks for reply. I´ve implemented the rules in my RB and it seems to be working. I have had to change some syntax-errors, but now it is running. There is an interesting thing, which I noticed during my tests: br_vlan was the only interface in the interface-list and this did not work I have...

Spartacus

Hi, thank you anav for setting up the FW rules. Seems to be that the config above is a good approch and I will start implementing now! But what can be done to harden the Home-Network? Means, what is recommendable in addition? If I read through the forum threads and wiki pages I find a lot of example...

Spartacus

Hi CZFan, yes, my RB is insecure and I am unsure. :lol: ...and it seems to be that Google translate is sometimes a little bit "unsure" as well! Thanks for your answer! This means for bridged VLANs (please find config below): although the VLANS are on the same bridge, they cannot communicat...

Spartacus

anav, I am learning networking from scratch. "Understanding VLANs" was my first topic. After that, I have had to secure my network and I hope I can migrate the current 192er FritzBox-networt to Mikrotik RB, soon (Alll clients will be in VLAN 99, first). After that I will start to switch th...

Spartacus

Hi,
I am a little bit insecure! I have configured my VLANs on the same bridge (VLAN filtering). Does this mean that the clients in the different VLANs can talk to each other on Layer 2? Isn´t it better to use separte bridges, or is this the correct way?

Regards,
Christian

Spartacus

Hi anav,
Hm! You make me feel insecure. I followed this guide because this is the valid way since OS v6.41
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge

BTW:
How can I test the Layer 2 connection? Do you have a clue?

Christian.

Spartacus

Hi anav, thanks for your quick reply, I will work through it today. I used the interface-lists, because the cofing will be extended during the next few months and I guess I will add a WLAN interface, soon. Therefore I think, it is better to use the "lists" Please find below my Config (with...

Spartacus

Hi anav, sorry, but now, I am completey lost :-( in fact where you have in-interface-list there is no such thing, that should in-interface=LAN Same goes for your forward filter rules, replace the non-existant in-interface-list with in-interface=LAN Also destination-address-list=PrivateSubnets If I o...

Spartacus

Hi all, thank you very much for your support. But seems to be, that I am a little bit lost, because there are different ways for implementation, evidently. I am also not sure, if I understood the contex, but let me share my new ruleset with you. Please be patient, if this is not correct, I would be ...

Spartacus

Hi Anav, Sob, you are so fast with your answers, it´s hard for me to follow up! ...give me some more time to understand, what is going on here... :-) @ anav: A: is clear to me, I´ve also included this in my ruleset. Let me summarize what I understood: DNS - Section of RB: setup external DNS-Servers ...

Spartacus

Dears, it is difficult for me, to follow the discussion, because it requires very deep knowledge and I can't see what I have to do now! Your answers raise up 1,000 new questions for me (That's because of my limited knowledge about Firewall-rules!) :( There are some internal SMTP-Systems (e.g. NAS-Se...

Spartacus

Hi all, puuh! Many thanks for your replies. It is not easy for me to follow up, because I used a consumer router with a preconfigured Subnet and firewall (FritzBox) until now and my first steps with Mikrotik HW is only 6 weeks ago. I will rework my rules to my best knowledge and it would be great if...

Spartacus

Hi, thank you very much for the detailed answer. I will rework my rules again, but I am not really sure, if I understood all your comments correctly. I will come back to you tomorrow! Regarding the SPAM rule: I want to prevent my clients from sending SPAM mails to WAN. I'm also confused about the bo...

Spartacus

Hello, I am a very new Mikrotik user and I am working on my firewall rules for my home network on a RB3011. I red a lot of wikis but I am not sure, if I am on the right way. I have developed the rules in a text editor and not deployed to the productive system, yet. I am also not sure, if my rules ar...

Spartacus

Hi everybody, it is very mysterious, because it works now! I have configured 4 Networks on the RB3011 VLAN1: 172.16.1.0/24 (DEFAULT) VLAN10: 172.16.10/24 VLAN20: 172.16.20.0/24 VLAN99: 192.168.1.0/24 If you start Winbox, you can access the RB over the following addresses: 172.16.1.1 172.16.10.1 172....

Spartacus

Hi all, thank you so much for support. Let me summarize in oder to check, if I understood correctly: the order of input-, forward-, output- and "jump-in"-chain doesn't matter, because a package can only pass one of the chains. if there's matching rule within a chain, processing ends there ...

Spartacus

Hello, many thanks for the reply. But there is a question left. If I use the "jump" in a rule how is it processed. Is it like a subroutine and returns the process back to the point, where the "jump" was initiated e.g. 1. add chain=input dst-address=195.x.x.x protocol=tcp dst-port...

Spartacus

Hi, I would like to build up a firewall rule-set which is flexible enough for future implementations and changes on a RB3011 (e.g. VPN, Port Forwarding, etc.) I have learned that it is smart to use "address-lists" and "customized chains" for specific exceptions (e.g. protocol rel...

Spartacus

Hi, thank you!. I think, I wasn't clear enough regarding the main issue: Everything is fine with the VLANS and I can use all of them on the RB and on the Cisco Switches. The only thing which does not work, is the Winbox TooI in VLANnn (ne VLAN1) on the Switch. This is what I do not understand. Why i...

Spartacus

Hi CZFan, thanks for reply. If I understood correctly: I have to configure my DEFAULT VLAN1 in the same way as I did for VLAN10, VLAN20 and VLAN99 I will have access to any Switch behind RB via an untagged VLAN1-Port on RB or on one of the Cisco Switches. This means: I have only tagged VLANs in the ...

Spartacus

Hi, thanks for the reply. Before I change this as described above, I would like to understand what happens: VALN1 is my admin/default LAN. My concerns are that I'm losing access to the Swich itself, if I tagg sfp1 for VLAN 1 The switch IP is 172.16.1.13. I also learned from this tutorial ( https://w...

Spartacus

Hi, hm! I cannot believe this because it means that VLAN setup over a trunk would not work correctly. I think, it must be the same, wether I put the Client on the "local" Ether3 nor annother port on a connected switch in the same VLAN. I guess that my configuration is not correct. Can some...

Spartacus

Hi, I´ve got an issue with my VLAN configuration: The client is connected to 172.16.10.0/24 - If I connect the client to ether3, Winbox can connect to the RB Board via MAC - If I connect the client to a port on my external switch (Cisco SG250) through the configured trunk (SFP-Port) the WinBox Tool ...

Spartacus

Hi squeeze, sorry for this! This was a typo. Permit and probit are very similar! Oh je, I'm very embarrassed and sorry for confusion. But it is clear now and I am not longer confused. Thank you so much for your support. I will play a little bit with the configs. Don´t worry about the internet rules....

Spartacus

Hi all,
yes, you´re right! I didn't consider that! Sorry!
I will go through it again.

One more question:
Is it usefull to block the communication to the GW? The GW answers if you ping it.
Christian.

Spartacus

Hi, sorry, I cannot follow the rules you have added. I have installed the following: /ip firewall address-list add address=172.16.1.0/24 list=Admin add address=172.16.10.0/24 list=VlanFriends add address=172.16.20.0/24 list=VlanFriends add address=172.16.1.0/24 list=PrivateSubnets add address=172.16...

Spartacus

Hi, it´s me again :-) There is one topic left: Does it makes sense to use different domain suffixes in a local domain-environment? example: vlan1: admin.home.mydomain.local vlan10: smarthome.home.mydomain.local vlan20: iptv.home.mydomain.local or is it better, in terms of design rules for networks, ...

Spartacus

Hi, thank you very much for your very detailed reply. I am very happy about any support, especially if an expert takes care of newbie issues . First of all, I will try to answer your questions, although I find it very difficult to give meaningful answers :-). sorry, you´re right. There is no hint wh...

Spartacus

Hi, ok, does it mean I have to add a forward rule for related and established traffic for all interfaces? add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked Sorry, for the stupid questions, but I try to understand ...

Spartacus

Hi, The fritz.box, which you are using for VOIP has no option to set VLAN. DNS knows only IP no VLAN, so you use the IP. If your domain is only internal then I suggest that you use .local instead of .de because .de is kept in the DNS on the Internet. Yes, that´s true! The idea is, to assign an utagg...

Spartacus

Hi all, thank you so much for support. Seems to be that there is a workaround for the "issue". I will check it tomorrow. Let me summarize what I understood in own words (for "script edition"): setup local DNS server with Router IP and enable "allow-remote-requests" setu...

Spartacus

Hi,
is this really the case? There is no way to configure a local DNS on Router OS?
I have not expect this and I cannot believe it! There must be a way and i guess this is missing knowledge on my side. I count on the experts in the forum, to give me the right hint.

Christian

Spartacus

Hi all, hm! Let me try to explain it in annother way! The Fritzbox will not be there in future and will be replaced by the Mikrotik Router. Later, the Fritzbox should run as PBX in Ip-client mode and is only a "slave" on a separate Voip-vlan. I cannot believe, that there is no way, to conf...

Spartacus

Hi everybody, I wanted to redesign my internal network because I am little bit afraid about security. Banking Software together with Gaming-PC and Alexa in the same network is not a good choice in my opinion. Below you will find the current situation and my thoughts to make the local Netzwork a litt...

Spartacus

Hi, please forget the "Fritte". The fritzbox is actually disconnected. I only have a local LAN without connection to the www. But if I understood it correctly, i have to add all my local clients manually to the "phonebook" of my RB3011-DNS-Server. I thought that the dhcp server w...

Spartacus

Hi, it seems to be that Iam to stupid to understand the DNS stuff. Reset config without Default config. setup a network on Ether2 with 172.16.1.0/24 ether1 (WAN) not connected bridge all ether ports no firewall rules installed setup dhcp server on same network setup dhcp gw with 172.16.1.1 setup dhc...

Spartacus

Hi, thank for reply. I am not sure if I understood correctly: The FritzBox will run as the "main" Router only for testiing until RB is prepared for connecting to the WAN. After that i will get a DNS Server from ISP for the internet queries. Does it mean, that the RB will take over the inte...

Spartacus

Hi, I am struggling with DNS setup for my local domains. ether1 is my WAN interface and is currently connected via DHCP to my AVM Router; RB3011 gets a IP Adress from the Router DNS-Server is the IP Address from the AVM Router currently no firewall rules are defined in RB3011 There are 3 vlans runni...

Spartacus

Hi sid5632, I watched this line for several minutes and I diidn´t see what you meant! But then, after minutes....Of course, it must be add bridge=br_vlan tagged=sfp1,br_vlan,vlan20 untagged=ether4 vlan-ids=20 . Ok. But this solves not the access- issue from 172.16.1.0 to the other networks. :( Chris...

Spartacus

Hello, many thanks to all of you for your help. I am not sure, if have understood everything. This is very new stuff for me and i am currently in the "learning mode". I will go through the links and I hope it makes things much more clear. But I do not know what you mean with "mixing b...

Spartacus

Hi, ok, I understand, thanks for clarification. But there is already an issue with my config. I wanted to permit clients in vlan10 and 20 to see each other, and clinets in vlan 10 and vlan20 should not see clients in the admin LAN (vlan1). Therefore I defined a couple of firewall rules (last 4 lines...

Spartacus

Hi everybody, manny thanks for your reply. Seems to be that I am on the right way with the bridged vlan. Not sure in which usecase I will need several bridges if all vlans run over only one bridge! I followed this guide ( https://www.administrator.de/wissen/mikrotik-vlan-konfiguration-router-os-vers...

Spartacus

Hi,
can someone explain me the difference between port based vlan and the possiblilty to add vlans to a bridge. I tried both configs in OS6.42. but I am not sure which one I should use.

Thanks,
Spartacus

Spartacus

Moin, ok, I found a way but I am not sure if this is the best approach! add 5 VLANS on sfp1 vlan1 vlan10...vlan50 add 5 bridges br-admin br-vlan10...br-vlan50 add port to bridge ether2 to br-amin vlan1 to br-admin ether4 to br-vlan10 ether5 to br-vlan10 ether9 to br-vlan20 ether10 to br-vlan20 vlan1...

Spartacus

Hi,
noone an idea to go foeward with this?
Christian

Spartacus

Hi,
puuh, it looks like that RB3011 doesn´t support this feature for SFP1 anymore! The older RB2011 does! Is it correct?
Does anyone knows how I can manage this? I have to use SFP as the trunk-port for the connection to my Cisco switch.

Thanks,
Christian

Spartacus

Hi, I checked the guide below but this does not work for me because I cannot add sfp1 as trunk port. Seems to be that only ether1 to ether10 are available in the switch config! /interface ethernet switch vlan add ports=sfp1,ether3 switch=switch1 vlan-id=200 add ports=sfp1,ether4 switch=switch1 vlan-...

Spartacus

Hi,
thanks for your support! I will try the example after my business trip during next week!
Christian.

Spartacus

Hi, it´s me again: I think my problem is to find the right approch and I am asking for support: I red several howtos and wikis but I did not find the right way. I am runnung OS6.42 on my RB3011. I am not sure if it is correct to manage all the ports (physical and virtual) over a bridge. I tried to p...

Spartacus

Hi everybody, I am very new here and I have a RB3011 since one week. I am not very familar with this and I am trying to configure VLANS without success. Here the speps I tried: - setup a bridge (br01) - setup a VLAN (vlan 10) binded to br01 - ether4 binded to br01 - setup a dhcp Server on br01 ........

Search found 132 matches