Community discussions

Search found 87 matches

by RoadkillX
Sat May 04, 2019 1:22 pm
Forum: General
Topic: Share internet BTW head office and Branch
Replies: 3
Views: 318

Re: Share internet BTW head office and Branch

Set up a proxy in HQ so that other offices in the mpls vrf can reach the internet through it. I believe that was the intention of who chose that topology. Asking the ISP to leak your vrf to the internet will surely have additional costs.
by RoadkillX
Sun Jun 10, 2018 3:58 pm
Forum: Beginner Basics
Topic: Again... VLAN on the Rb750Gr3 [SOLVED]
Replies: 3
Views: 883

Re: Again... VLAN on the Rb750Gr3 [SOLVED]

Hi, reset the configs and try this.
1. Create bridge.
2. Add ether5 to bridge
3. /Interface bridge port ether5->vlan set frame-types to vlan tagged only and enable ingress-filtering (don't change the port pvid)
4. Create vlan 10 in /interface bridge vlan, tagged ports are the bridge and ether5, no u...
by RoadkillX
Sun May 20, 2018 8:21 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Check for DSCP markings on the BT router.
by RoadkillX
Sun May 20, 2018 8:03 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

I have 42ms latency to google when link is idle, while at full speed, either download or upload, it increased to 45-47ms. You guys should check those fiber connections :lol: :lol:
by RoadkillX
Sun May 20, 2018 2:00 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Then somewhere it says your fasttrack have attribute in interface set to PPPoE? Remove that.
Just saying there was a reason, not disagreeing with your suggestion.
by RoadkillX
Sun May 20, 2018 1:46 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

If fasttrack is left without in-interface, all traffic that meets the condition will be fasttracked, so firewall filter won't apply to vlans. There was a reason behind it...
by RoadkillX
Sat May 19, 2018 11:50 pm
Forum: General
Topic: Hi Problem with my RB3011
Replies: 9
Views: 955

Re: Hi Problem with my RB3011

I dare to disagree with the contents of what you wrote. The OP is not using the machine as a bridge, the L2 functionality is provided by an external device, but the routing is so complex and the address plan so fragmented that it may require a rearrangement of the address plan to permit use of fast...
by RoadkillX
Sat May 19, 2018 11:21 pm
Forum: General
Topic: Hi Problem with my RB3011
Replies: 9
Views: 955

Re: Hi Problem with my RB3011

Because that is a router and you are using it as a switch, those are not vlans; the device is maxed out because you are using it wrong. And to think that michel and elio always say "no, buddy, ever since you left the network runs flat out and doesn't fail"... I've seen this network, I was once part of it, it's just a huge bro...
by RoadkillX
Sat May 19, 2018 10:19 pm
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

As an example: If you have a switch chip, created bridge with ports 2 - 5 in this bridge, HW enabled. Then create 2 vlans with ports 2&3 on VLAN100 and ports 4&5 on VLAN200, then theoretically, you will get HW offload functionality between ports 2&3 and also between ports 4&5, but should you have t...
by RoadkillX
Sat May 19, 2018 9:44 pm
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

Awesome, who needs the ghostbusters, call RoadkillX
break some, fix some, learn in the process. :lol: :lol:
by RoadkillX
Sat May 19, 2018 9:10 pm
Forum: General
Topic: How to configure multiple vlan with hw-offload
Replies: 30
Views: 3361

Re: How to configure multiple vlan with hw-offload

@sindy you beat me to it. If you enable service tag (s-tag) you'd just be tagging with 802.1ad, which is a tag isp uses to switch traffic and to indicate that there is another vlan tag inside it, the actual (c-tag) customer tag that comes out to the customer. So that wouldn't work unless someone is ...
by RoadkillX
Sat May 19, 2018 9:03 pm
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

From what I understand, if you have one switch-chip then add all interfaces to a bridge then do vlans in /interface ethernet switch you'll get hw-offload on all interfaces in the bridge, if you have 2 switch-chips then each bridge will have the ether interfaces for it according to docs, but you'll tr...
by RoadkillX
Sat May 19, 2018 3:32 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Can you try doing the speedtest connected to ether2? You can check if hw-offload is enabled using Winbox: in bridge- port you'll see the H next to the port number if hw-offload is enabled. igmp snooping must be disabled on Bridge for hw-offload to work.
by RoadkillX
Sat May 19, 2018 1:56 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Yeah I agree is something in the RB, have you tried connecting the ISP cable in another RB port? You probably have, but just checking, is hw-offload active on your bridge ports? RB2011 has 2 switch chips so bridge1 must have ports (ether1-ether5+sfp1) and bridge 2 (ether 6-10), is your Lan connected...
by RoadkillX
Sat May 19, 2018 1:36 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Wait...made no difference even in cpu? same speeds and cpu usage with fasttrack and without? if so then the rule is not working correctly. *I just ran a test on an RB750Gr3 fiber 300/300mbps connection with fasttrack full speed download 37MBps cpu is at 7-8% without fasttrack 22-25% i have no rules ...
by RoadkillX
Sat May 19, 2018 1:13 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Have you checked if the fasttrack rule is enabled and in-interface set to your pppoe connection on the rule?
by RoadkillX
Fri May 18, 2018 10:57 pm
Forum: General
Topic: Mikrotik RB962UiGS - slow gigabit speed
Replies: 11
Views: 1709

Re: Mikrotik RB962UiGS - slow gigabit speed

If your cpu is at 94% then you need fasttrack enabled to get more bandwidth but you won't be able to use rules in filter, mangle or queue for fasttracked packets. /ip firewall filter add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related,untracked in-int...
by RoadkillX
Fri May 18, 2018 5:33 pm
Forum: General
Topic: How to configure multiple vlan with hw-offload
Replies: 30
Views: 3361

Re: How to configure multiple vlan with hw-offload

This works for me, but am sure there are better ways to do it though and it's still a work in process. RB750Gr3 /interface bridge add admin-mac= auto-mac=no name=bridge protocol-mode=none /interface ethernet set [ find default-name=ether1 ] name=ether1.HUG set [ find default-name=ether2 ] name=ether...
by RoadkillX
Thu May 17, 2018 11:50 pm
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

I don't know the inner workings of CRS3xx but...
q.e.d.
You want a cookie or a tap on the back? ...
by RoadkillX
Thu May 17, 2018 6:50 pm
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

yes, nothing to lose, but all vlans packets transmitted over all ports. I tested this option in practice. If you remove the vlan-filtering=yes option, the switch turns into a hub ). Think you read the https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#VLAN. I don't know the inner workings...
by RoadkillX
Thu May 17, 2018 6:12 am
Forum: General
Topic: Mikrotik act as SLAVE DNS
Replies: 13
Views: 1973

Re: Mikrotik act as SLAVE DNS

@RoadkillX: Trouble is, it's all wrong (it's nothing against you). If you make DNS server in Location A (which can resolve both private and public names) your main resolver, then Location B becomes dependent on Location A. And it's not about those local names, that's just a small, less-important pa...
by RoadkillX
Thu May 17, 2018 12:48 am
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

I have two bridges? Are you saying if I remove one bridge suddenly HW off loading will magically appear. Where is this magic information hiding LOL. Can't remember where I read it but yes you can only have 1 bridge with hw-offload on RB devices and 7 on CRS devices, you can select which bridge to en...
by RoadkillX
Thu May 17, 2018 12:44 am
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

Not really, you can have dynamic list that may not always contain something.
Then it makes sense, didn't know that could be done, i've been using RouterOS for less than 2 months so still have to discover a lot of bells and whistles.
by RoadkillX
Thu May 17, 2018 12:23 am
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

I will take a wild guess at your HW offload issue, bridges, many, many bridges.....
I always forget that, on RB only 1 bridge hw-offload on CRS only 7 something like that.
by RoadkillX
Wed May 16, 2018 11:55 pm
Forum: General
Topic: Mikrotik act as SLAVE DNS
Replies: 13
Views: 1973

Re: Mikrotik act as SLAVE DNS

So conditional forwarders, send everything for X domain to X ip and all else to public dns, can't be done on mikrotik but you can use your primary dns as a dns-server in the mikrotik and in bind allow the mikrotik to query internal zones, recursion and access the cache so if bind already knows the A...
by RoadkillX
Wed May 16, 2018 11:31 pm
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

Well, if you had src-address-list=192.168.0.0/24, then it was looking for list named "192.168.0.0/24". And you thought RouterOS was broken, shame on you! :D
I guess in some way it is broken it shouldn't allow the name of a list that doesn't exist. :? :?
by RoadkillX
Wed May 16, 2018 11:28 pm
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

roadkil in ref to hw offload, my iGMP snooping is off?? roadkil in ref to rules order, yes I allow all LAN to WAN, you are saying why not limit traffic ONLY to port 80 and 443?? probably a good idea, but only if Sob says so! ;-) it sounds and is weird, on my RB750Gr3 in winbox it showed igmp snoopi...
by RoadkillX
Wed May 16, 2018 6:36 pm
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

( PS what i cannot figure out is why my HW offloading which is checked off is showing as NOT on :-( ) My RB750Gr3 went crazy once with the igmp snooping on the bridge in winbox it would be unticked and in the terminal it would show igmp-snooping=yes i disabled it in terminal and hw-offload started ...
by RoadkillX
Wed May 16, 2018 2:49 pm
Forum: General
Topic: Port forwarding not working
Replies: 16
Views: 939

Re: Port forwarding not working

if you can, post the netmap rules and remove public ips from them, not sure if hide-sensitive will do that. Maybe you missed something or misunderstood how something works and someone else can spot it, can't troubleshoot with limited information. *netmap - creates a static 1:1 mapping of one set of ...
by RoadkillX
Wed May 16, 2018 1:21 pm
Forum: Beginner Basics
Topic: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]
Replies: 43
Views: 2806

Re: HOW SIMPLE THINGS SHUT DOWN CONNECTIVITY [SOLVED]

(PS does it make any difference if invalid drop rule is after or before accept established, connected rule - i.e. any logic to apply here?) i'd say more along the lines of performance and not security, if you drop invalid before checking if it's connected or established you'll be saving cpu time in...
by RoadkillX
Wed May 16, 2018 12:56 pm
Forum: General
Topic: Is it so hard to use dynamic IP VPNs with mikrotik
Replies: 23
Views: 1410

Re: Is it so hard to use dynamic IP VPNs with mikrotik

- SSTP, OpenVPN(TCP) Works, is fine, but TCP over TCP should not be the way to go for Site-to-Site-VPNs. Running on several sites, primary at 2mbps and sites at 512kbps they only share internal routes, Domain controller replication runs without a problem and hits 460kbps for each site instant messa...
by RoadkillX
Wed May 16, 2018 12:34 pm
Forum: General
Topic: Port forwarding not working
Replies: 16
Views: 939

Re: Port forwarding not working

Again all rules are needed to determine which one is causing the problem. Something is forwarding your publicip:445 to an internal host before it gets to the samba dst-nat rule. Try in nat move the samba dst-nat to the beginning of the list, am sure it'll work or your samba is blocking connections. *net...
by RoadkillX
Wed May 16, 2018 11:23 am
Forum: General
Topic: Port forwarding not working
Replies: 16
Views: 939

Re: Port forwarding not working

Export your filter, mangle and Nat rules.
by RoadkillX
Tue May 15, 2018 5:48 pm
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

Ok so this switch is the middle switch then. It doesn't have to add a c-tag, only switch based on service vlan instead of user vlan. /interface bridge add name=bridge0 igmp-snooping=no protocol-mode=none /interface bridge port add bridge=bridge0 interface=t01 hw=yes add bridge=bridge0 interface=t02 hw...
by RoadkillX
Tue May 15, 2018 5:34 pm
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

Honestly don't understand how something so simple on CRS1xx/CRS2xx is so complicated or even as you say not possible on CRS3xx.
by RoadkillX
Tue May 15, 2018 5:15 pm
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

That is what i was referring to, according to the documentation for QinQ to work you will have 1 vlan(17/27 c-tag) inside another vlan(11 s-tag) and it to ethernet trunk which will be the ethernet port from ISP with vlan11. That is why i was saying for that to work it'd require layer3 which won't be...
by RoadkillX
Tue May 15, 2018 5:00 pm
Forum: Beginner Basics
Topic: DHCP over bridge VLAN [SOLVED]
Replies: 14
Views: 5848

Re: DHCP over bridge VLAN [SOLVED]

You're right just add a dhcp-server on vlan20. else even if vlans are correct you won't get dhcp lease.
by RoadkillX
Tue May 15, 2018 4:30 pm
Forum: General
Topic: Port forwarding inside the same lan
Replies: 3
Views: 443

Re: Port forwarding inside the same lan

Why do you have to do it in NAT? Devices on network 192.168.1.0/24 can reach 192.168.1.1 directly and 192.168.1.10, same subnet, so on your input chain incoming interface dst-address 192.168.1.1 Lan dst port 8080 redirect to 192.168.1.10 to port 80. Only set dst address if router has multiple lan ip...
by RoadkillX
Tue May 15, 2018 4:15 pm
Forum: Beginner Basics
Topic: DHCP over bridge VLAN [SOLVED]
Replies: 14
Views: 5848

Re: DHCP over bridge VLAN [SOLVED]

That's the one i can't seem to understand its way easier in CRS1xx/2xx
by RoadkillX
Tue May 15, 2018 4:01 pm
Forum: General
Topic: CRS Inter vlan routing
Replies: 5
Views: 620

Re: CRS Inter vlan routing

You're right....my apologies as I have been adding and removing configurations. I now have it enabled like so: /interface ethernet switch egress-vlan-translation add customer-vid=20 customer-vlan-format=untagged-or-tagged new-customer-vid=0 ports=ether2,ether4,ether6 service-vlan-format=untagged-or-t...
by RoadkillX
Tue May 15, 2018 1:07 pm
Forum: General
Topic: Port forwarding not working
Replies: 16
Views: 939

Re: Port forwarding not working

try action dst-nat instead of netmap and specify in-interface. No, didn't help. I have several perfectly working forwards like rdp, vnc and ssh, but problem with samba. Samba also uses 445 for file sharing it is after all microsoft-ds so same port you'd open on windows, 139 you don't need across th...
by RoadkillX
Tue May 15, 2018 12:15 pm
Forum: Beginner Basics
Topic: DHCP over bridge VLAN [SOLVED]
Replies: 14
Views: 5848

Re: DHCP over bridge VLAN [SOLVED]

You'd have to do is, on the ubqt device tag the vlans, i really can't help there, i don't have a clue on ubqt. Once that's done you'll receive tagged frames for both vlans on your mikrotik, all to do is in bridge vlan add pseudo: /interface bridge vlan vlan10 tagged=eth10-ubqt,brigde-trunk untagged=eth...
by RoadkillX
Tue May 15, 2018 11:44 am
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

@RoadkillX you do not test your setup on the mentioned HW therefore it's invalid and not what anybody was asking for. @TestCRS thx for the ethertype reminder from RoadkillX I found the relatively simple case to do: set the vlan added to the bridge with "use service tag" and you should be fine. -> s...
by RoadkillX
Tue May 15, 2018 11:32 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

I don't see a problem. Uploading at the max bandwidth of 10Mbps will result in high latency. There are ways to adjust for it with custom queuing to reduce the high latency for desired traffic, such as ping for example. It will result in a slight, not very noticeable reduced upload speed for the big...
by RoadkillX
Tue May 15, 2018 11:24 am
Forum: General
Topic: CRS Inter vlan routing
Replies: 5
Views: 620

Re: CRS Inter vlan routing

You have some vlan10 configurations disabled as explained by @sindy above, i'll assume you've done that intentionally since it isn't working and continue to what i think is the issue. i'd look into this: add customer-vid=0 new-customer-vid=20 ports=ether2,ether4,ether6,ether8 add customer-vid=0 disa...
by RoadkillX
Mon May 14, 2018 12:37 pm
Forum: General
Topic: Can not redirect to https using web proxy rule
Replies: 8
Views: 4011

Re: Can not redirect to https using web proxy rule

I really don't think that would work. Redirections to https are done by webservers because they tell the browser to start talking ssl over XXX port; if you do a redirect on the router you are just changing the packet data, the browser doesn't know and will continue like if it were an http connection, ...
by RoadkillX
Mon May 14, 2018 12:22 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

When you apply fasttrack to certain traffic it won't go through filter, mangle or queues, so it doesn't hit the cpu which increases throughput, downside you won't be able to apply queues or firewall rules to that traffic. The default rule still gives quite a lot of control in firewall since it's only ...
by RoadkillX
Mon May 14, 2018 11:35 am
Forum: General
Topic: Mangle rules layer 3 vs layer 4
Replies: 2
Views: 396

Re: Mangle rules layer 3 vs layer 4

Reorder the rules to be mark-connection then mark-routing then mark-packet, enable passthrough on mark-routing, disable on all rules that mark-packets so that once marked it leaves the prerouting chain and the mark-connection will not get overwritten by http-https rule. 1) Mark Google Drive connection...
by RoadkillX
Mon May 14, 2018 11:23 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Quite sure upgrade will fix it, there are problems on that version with the pppoe-client MRU and fasttrack was not yet implemented that's why the rules added had no effect :lol:, Give us an update when done!
by RoadkillX
Mon May 14, 2018 11:02 am
Forum: Beginner Basics
Topic: No access to LAN over OPENVPN (can only ping router) [SOLVED]
Replies: 4
Views: 1648

Re: No access to LAN over OPENVPN (can only ping router) [SOLVED]

Can you ping the router on 192.168.3.1? In your client openvpn configuration do you have the line redirect-gateway?
by RoadkillX
Mon May 14, 2018 10:42 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Well if you can't reset the device because you need the configs then upgrade to latest firmware, i went through the changelog and there are quite a few relevant updates for pppoe-client since 6.34.2
by RoadkillX
Mon May 14, 2018 10:00 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Did you add all those config or were they there when you bought the router? And it's on version 6.34.2 latest is 6.42.1

* This was clearly a corporate router before; I suggest a config reset, upgrade and add your BT config.
by RoadkillX
Mon May 14, 2018 9:49 am
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

@TestCRS /interface ethernet switch set bridge-type=service-vid-used-as-lookup-vid /interface ethernet switch egress-vlan-tag add tagged-ports=ISP vlan-id=11 # This is assuming that traffic incoming on internal interface is already tagged. if it's not then add #2 instead of #1 #1 /interface etherne...
by RoadkillX
Mon May 14, 2018 3:40 am
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

@TestCRS /interface ethernet switch set bridge-type=service-vid-used-as-lookup-vid /interface ethernet switch egress-vlan-tag add tagged-ports=ISP vlan-id=11 # This is assuming that traffic incoming on internal interface is already tagged. if it's not then add #2 instead of #1 #1 /interface ethernet...
by RoadkillX
Mon May 14, 2018 12:10 am
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

My bad, on the router terminal type export hide-sensitive without the / should give a dump of all the config for pasting here.
by RoadkillX
Sun May 13, 2018 11:49 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

weird, last resource /export hide-sensitive if you can.
by RoadkillX
Sun May 13, 2018 11:38 pm
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

you might brush up your knowledge
sure thing :lol:
by RoadkillX
Sun May 13, 2018 11:35 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

How is your cpu usage on the router while running the speedtest? Check your firewall if these rules exist and are enabled: add action=fasttrack-connection chain=forward connection-state=established,related,untracked in-interface=MyPPPOE add action=accept chain=forward connection-state=established,rel...
by RoadkillX
Sun May 13, 2018 11:20 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Set on the mikrotik pppoe MTU=1492 and MRU=1492 and see if it improves.
by RoadkillX
Sun May 13, 2018 11:10 pm
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

it should do 10Gb within the same vlan but not intervlan the original poster was never talking about inter-vlan-anything maybe you should revisit the original problem-report. QinQ requires intervlan. it's a vlan interface inside another vlan interface so revisit the docs ;-), to be more clear QinQ ...
by RoadkillX
Sun May 13, 2018 11:02 pm
Forum: RouterBOARD hardware
Topic: New : RB760IGS - HEX-S
Replies: 38
Views: 14919

Re: New : RB760IGS - HEX-S

Is this a future device? I can't find anywhere to buy it and it's not on the mikrotik page. I NEED that sfp port, I have a HEX right now and that is my only complaint.
by RoadkillX
Sun May 13, 2018 10:43 pm
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

This is not a bug, it's clearly misconfiguration respectfully disagree - the CRS and the new bridge-hardware-acceleration config to use it as a switch and get hardware-forwarding is what the original poster tried to achieve imho (and I see no flaw in the config); you are referencing the implementat...
by RoadkillX
Sun May 13, 2018 9:58 pm
Forum: General
Topic: Bug: CRS317 cuts off C-tag in qinq packets
Replies: 27
Views: 2569

Re: Bug: CRS317 cuts off C-tag in qinq packets

This is not a bug, it's clearly misconfiguration starting with ingress-filtering on ports, you can't filter ingress frames when you haven't stated if that interface will be tagged or untagged for the vlan in interface bridge vlan. You are actually dropping all frames not for vlan17 or 27 so no vla...
by RoadkillX
Sun May 13, 2018 8:56 pm
Forum: Beginner Basics
Topic: DropBox can not be accessed
Replies: 3
Views: 476

Re: DropBox can not be accessed

You need to discard network and configurations issues on your workstations then move on to the router if it is a router misconfiguration then please be more verbose so we can help you.
by RoadkillX
Sun May 13, 2018 8:51 pm
Forum: Beginner Basics
Topic: DHCP over bridge VLAN [SOLVED]
Replies: 14
Views: 5848

Re: DHCP over bridge VLAN [SOLVED]

May I ask with which program did you make the diagram? I used https://www.draw.io/ This explanation gives a much better perspective, one doubt, which is your vlan10 tagged interface? This will be where your l3 vlan interface needs to be in order to have intervlan routing. I am assuming eth10 is conn...
by RoadkillX
Sun May 13, 2018 8:34 pm
Forum: General
Topic: I cant quite wrap my head around this one...
Replies: 62
Views: 5680

Re: I cant quite wrap my head around this one...

Can you check that you have the same MTU on the BT Home router and on the mikrotik pppoe connection?
by RoadkillX
Sun May 13, 2018 8:22 pm
Forum: General
Topic: filter rule notation
Replies: 5
Views: 464

Re: filter rule notation

Well, I wouldnt go that far, he may be onto something................ ;-)
:lol: :lol:
by RoadkillX
Sun May 13, 2018 8:19 pm
Forum: General
Topic: Correction to Interface Monitoring Script... Unable to resolve [SOLVED]
Replies: 4
Views: 408

Re: Correction to Interface Monitoring Script... Unable to resolve [SOLVED]

I think the error is related as it says to the value-name which happens to be your input so edit the script and change the name of the l2tp-client to the actual name of your l2tp-client or rename the interface to match the #script1. Same for script 2 check that your interface is named WAN if not ren...
by RoadkillX
Sun May 13, 2018 7:52 pm
Forum: Beginner Basics
Topic: Firewall Rules: Block ICMP from WAN (PPPOE connection) [SOLVED]
Replies: 22
Views: 2819

Re: Firewall Rules: Block ICMP from WAN (PPPOE connection) [SOLVED]

Default config allows incoming icmp from any interface, edit all the firewall rules and change the incoming interface to your pppoe which is the connection that needs protection and remove the default icmp allow rule since mikrotik firewall has a default accept policy the icmp packets will go throug...
by RoadkillX
Sun May 13, 2018 7:40 pm
Forum: General
Topic: filter rule notation
Replies: 5
Views: 464

Re: filter rule notation

Export the firewall rules which are full length-intuitive text, don't reinvent the wheel.
by RoadkillX
Sun May 13, 2018 7:26 pm
Forum: General
Topic: ccr1009-8g-1s-1s+
Replies: 5
Views: 663

Re: ccr1009-8g-1s-1s+

What @revelation said: What is lacking about your current service for WiFi for your clients? You need to know this in order to know what to prioritize or limit depending on the situation, evaluate your networks (per service) bandwidth allocation and configure preferably queue trees (queue trees use...
by RoadkillX
Sun May 13, 2018 7:10 pm
Forum: Beginner Basics
Topic: DHCP over bridge VLAN [SOLVED]
Replies: 14
Views: 5848

Re: DHCP over bridge VLAN [SOLVED]

check.png

is the above what you're trying to do? i don't understand your diagram and config is a weird mix of bridge vlans&switch chip vlans&vlans interfaces inside bridges...
by RoadkillX
Sat May 12, 2018 7:10 pm
Forum: Beginner Basics
Topic: How to block IP-range
Replies: 8
Views: 6872

Re: How to block IP-range

Firewall Address list with summarized routes, and block forwarding from LAN to WAN for that address list /ip firewall address-list add address=146.66.156.0/23 list=Valve add address=185.25.180.0/23 list=Valve /ip firewall filter add action=drop chain=forward dst-address-list=Valve in-interface=bridg...
by RoadkillX
Sat May 12, 2018 1:13 pm
Forum: Beginner Basics
Topic: CRS328-24P-4S+ VLAN Setup Problem
Replies: 21
Views: 3002

Re: CRS328-24P-4S+ VLAN Setup Problem

Can you check that the switch connected to port24 is not tagging vlan20 across the port since the crs328 expects untagged traffic incoming on ether24. Or on the CRS328 switch ether24 in the vlan bridge from untagged to tagged for vlan20 and see if it works. i really can't see any other problems. *Ha...
by RoadkillX
Sat May 12, 2018 2:43 am
Forum: RouterBOARD hardware
Topic: What can be improved in hEX (RB750Gr3)?
Replies: 22
Views: 3838

Re: What can be improved in hEX (RB750Gr3)?

!!sfp port!!
by RoadkillX
Sat May 12, 2018 2:36 am
Forum: RouterBOARD hardware
Topic: CRS317-1G-16s+ enterprise grade ready?
Replies: 3
Views: 723

Re: CRS317-1G-16s+ enterprise grade ready?

CRS112-8G-4S with 5 vlans on the switch chip can easily switch 2Gbps between different vlans and cpu usage is laughable, this without using sfp ports. So I imagine a CRS3xx could do a whole lot better. If you do vlans on a bridge the cpu gets involved and Routing-NAT without fasttrack will give most 3...
by RoadkillX
Sat May 12, 2018 1:31 am
Forum: General
Topic: Rules not working
Replies: 3
Views: 482

Re: Rules not working

You can't forward traffic heading to the internet unless you are forwarding a public ip address, create these rules in prerouting on each vlan interface or lan interface list, on the interface with your public address configure masquerade or src-nat (if static ip) for everything since you're doing fi...
by RoadkillX
Sat May 12, 2018 1:15 am
Forum: Beginner Basics
Topic: Vlan
Replies: 3
Views: 448

Re: Vlan

Can you export the relevant part of your config (switch vlan or bridge vlan) so it'll be easier to see? What I understand is that you have vlan600 which is for management with range 192.168.100.0/24 and another 5 vlans and you can ping 3 of the branches, can you ping from the mgmt vlan, from office v...
by RoadkillX
Sat May 12, 2018 12:22 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 7018

Re: Access Control between VLANs

If each vlan has its own gateway which is the router why not use the router as your DNS server and allow incoming traffic on each vlan to destination port 53/udp (the router) otherwise just allow incoming on each vlan with destination any udp/53 and in nat create from source desired vlan for all tr...
by RoadkillX
Sat May 12, 2018 12:13 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 7018

Re: Access Control between VLANs

Okay last time I will list the list on this thread........... One question though remains, when looking at the TO address for the NAT DSTNAT rule for DNS, How would I best handle the fact that I would have multiple router LANIP gateway addresses. Consider each LAN or VLAN will have its own gateway?...
by RoadkillX
Fri May 11, 2018 11:58 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 7018

Re: Access Control between VLANs

So are you saying don't bother with such rules?? Regardless I am interested in how one would identify such traffic using the mikrotik,,,,,,,, what combination of time and connections in the extra page would do the trick........... Mirror the wan port to an ethernet interface and check all traffic w...
by RoadkillX
Fri May 11, 2018 11:43 pm
Forum: Beginner Basics
Topic: Port forwarding behind CGNAT
Replies: 6
Views: 2231

Re: Port forwarding behind CGNAT

If you just want to be able to connect via ssh and manage your devices you can use a tor hidden service, if you want to host something on the internet then you have to ask your isp for upnp on your interface or static port nat mapping or 1:1.
by RoadkillX
Fri May 11, 2018 10:17 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 7018

Re: Access Control between VLANs

DNS queries work over 53/udp, tcp is only used for zone transfers, first rule is correct second is wrong if you only accept established connections all new will be dropped, you can do output same as input just make sure to create an outgoing accept rule in output chain for connections related, esta...
by RoadkillX
Fri May 11, 2018 9:42 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 7018

Re: Access Control between VLANs

Okay new and improved Version............. /ip firewall filter {INPUT} add action=accept chain=input comment="Accept established and related connections" \ connection-state=established,related protocol=tcp add action=accept chain=input comment=\ ALLOW list admin access to Router (all ports) \ src-a...
by RoadkillX
Fri May 11, 2018 2:53 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 7018

Re: Access Control between VLANs

Is use-ip-firewall=yes for both bridges? I don't know which device is being used but if it's not a CRS you'll only get hw-offloading on 1 of the bridges and you'll see high cpu usage, this is better done using vlans (Correct way to divide layer2 networks) since right now it's like 2 separate network...
by RoadkillX
Thu May 10, 2018 1:49 am
Forum: Beginner Basics
Topic: CRS328-24P-4S+ VLAN Setup Problem
Replies: 21
Views: 3002

Re: CRS328-24P-4S+ VLAN Setup Problem

Try this: - Create bridge1 add ether1 and ether24. - add vlan 10 tagged ether1 - add vlan 20 tagged ether1 untagged 24 - add interface vlan10 vlan-id 10 interface ether1 (set ip address) - enable bridge vlan filtering /interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 inter...
by RoadkillX
Thu May 10, 2018 12:24 am
Forum: General
Topic: RB750 OpenVPN thoroughput problem
Replies: 15
Views: 9186

Re: RB750 OpenVPN thoroughput problem

Having kind of the same problem with RB750Gr3 6.42.1, I can get a max speed of 12mbps using BF-CBC and MD5 if I change to aes-256-cbc and SHA1 it'll go down to 6-7mbps even when copying from hosts in my own LAN connected either from inside or outside the network, internet is stable and idle during t...