MikroTik

tdw

Not good. /ip address and /interface vlan objects should not be attached to interfaces which are a member of a bridge, but the bridge itself. What interface is MGMT - there is nothing which creates an interface with this name, or renames an existing interface to this. You have two default routes wit...

tdw

It is a known issue viewtopic.php?f=21&t=172259&p=842156#p844958

tdw

You cannot route VLANs - they are ethernet / layer2, IP routing is layer 3.

Attaching an /ip address to an /interface vlan on an interface (or bridge containing one more more interfaces) will automatically create static routes for those address subnets.

tdw

Also the OP only provided CPU ustilisation for one core. AFAIK not all processes utilise multiple CPU cores well.

tdw

Just as an aside, the rule add action=accept chain=input comment="accept L2TP" dst-port=1701 protocol=udp also permits access to the L2TP server for traffic which is not encapsulated with IPsec. Whilst the L2TP server should reject these if use-ipsec=require is specified, you can definitiv...

tdw

CRS devices are intended to be L2 switches with some L3 functionality, such as providing DHCP, but NOT wire-speed L3 routing/firewalling as they performance-limited by the CPU. If you use CAPsMAN manager forwarding it imposes a significant CPU load on the CAPsMAN controller, so with a CRS as the con...

tdw

I got confused by the fact that you can add multiple VLAN IDs under one entry. It makes much more sense now. You can, and it is fine if you have a large collection of the same VLANs on several tagged interfaces. However, if you wish to have differing sets of VLANs on the interfaces you should creat...

tdw

- Once I enable Bridge VLAN filtering, the IP address set on the bridge is ignored? So far it seems like it is, but it's not marked as invalid in /ip address The implicit bridge-to-CPU port can be configured as an access, trunk or hybrid port, just as with any other bridge ports. An IP address on t...

tdw

Change the hAP IP address to be in the subnet provided by the router (so 192.168.1.x, not the Mikrotik default of 192.168.88.x)

tdw

So the linux VM can successfully ping 192.168.1.1?

What has the address 192.168.1.5 - if it is the linux VM have you configured a default route?

tdw

Well, when I do a 'remove' command in /int bri port mode and delete 0,1,2 which are respectively interfaces mgt,eth1,eth2. Now eth3,4,5... start and 0,1,2 its very frustrating. I'd rather always look for the same numbers eg. MGT = 49 not 0... Basically the physical definitions don't change, but the...

tdw

-Under "/interface bridge vlan" do I really have to list all 40 ports as untaged? [vice-versa, do I really need to list every tagged port for every untaged port?] No. The untagged membership will be dynamically generated from the pvid= settings under /interface bridge port -Why do the int...

tdw

I use HE based on the example configuration without any issues, currently on 6.47.9 (long-term). I don't have any specific input firewall rules for the IPv4 encapsulated tunnel packets - the input chain established,related rule permits inbound tunnel traffic once outbound traffic has established a c...

tdw

I thought Vlan 1 is the VLAn for all untagged packages? Untagged traffic by its very nature has no VLAN ID. Many vendors use a default of adding VLAN ID 1 tags to untagged traffic on ingress and removing them on egress if their device does not support untagged packets internally. The switch chip in...

tdw

The guide mentioned by @anav and the wiki/help pages are a good start, in general random blogs/videos found on the web tend to use obsolete methods, less than optimal, or wrong. - A physical interface (ether10 in my case) cannot be added to multiple bridges. Is the best practice to create one big br...

tdw

Setting the PVID under /interface bridge port is only applicable to bridges with vlan-filtering=yes . Mikrotik have only fully combined bridge VLAN filtering with hardware offload configuration on CRS3xx devices. On all others to achieve wire-speed switching you must use a bridge with vlan-filtering...

tdw

Do not create another bridge, if all ports are already in the bridge created by the default configuration all you have to do is add the /ethernet interface switch settings. For VLAN 1337 tagged on SFP1 and untagged on SFP2 this would be /interface ethernet switch ingress-vlan-translation add ports=s...

tdw

The dot1x certificate= setting is to specify a client certificate for the eap-tls method, it should not be set to the CA certificate.

"certificate not yet valid" points to the time and date on the Mikrotik being set to before the CA certificate start date.

tdw

Use a single bridge, then on CRS1xx/2xx devices configure the switch chip so you have wire-speed connections between ports. The switch menu doesn't hide any of the huge number of switch registers which may be configured for different scenarios, however there are some basic examples here https://wiki...

tdw

It is not trivial to use DNS entries for this (or src-address / dst-address in firewall rules) as you can't wait until DNS resolution has completed before continuing to process packets. However, it is possible to use address lists with firewall rules ( src-address-list / dst-address-list ) which wil...

tdw

There is some redundant configuration from bridges and interfaces being deleted which should be cleaned up: /interface bridge port .... add disabled=yes interface=ether3 add disabled=yes interface=ether12 add bridge="bridge L2 PtoP_" disabled=yes interface=*21 /ip firewall filter add actio...

tdw

AFAIK there isn't. At some point a 'No DNS' option was added to the DHCP server to prevent DNS being offered to DHCP clients, it would be nice if Mikrotik added similar for PPP profiles.

tdw

There is /system default-configuration print which displays the commands applied to create the default setup from a factory reset state, however AFAIK there is nothing to show the initial configuration other than not to apply the default setup and then use /export verbose

tdw

At some point the default values which are supressed during /export were changed, so any existing configurations after a firmware update exhibit this. If you reset the configuration back to factory with the newer firmware the newer defaults are used. I'm not sure why it was changed as only 10-Half, ...

tdw

2. In terms of throughput, should there be big difference if I resign from switch-chip for sake of vlan-filtering (bridge)? Or for a home user (video streaming, web surfing, email, NO gaming capabilities needed) the difference should not be noticeable at all? Another thing is that I am trying to se...

tdw

If a static CNAME entry in 6.47.x does not work I would suspect the UniFi discovery implementation, in which case the scheduled script option suggested by @Sob would be a solution. @Sob & @sindy the OP putting 'route' in the topic title is completely misleading. The UniFi devices have a number o...

tdw

set untagged=([get value-name=untagged [find vlan-ids=10] ],"ether4") [find vlan-ids=10] Is there a reason you explicitly set the untagged= parameter as this will be dynamically populated from the pvid= parameter under /interface bridge port for bridge members and /interface bridge for th...

tdw

The certificate store can be backed up and restored on the same Mikrotik, but not to a different one. It is possible to make a backup which can be restored to something else by exporting a certificate in PKCS12 format so the private key is exported too, see export-certificate in https://wiki.mikroti...

tdw

It isn't clear exactly what your configuration is, posting the output of /export hide-sensitive is much more informative than some vague description. If you have multiple bridges, VLANs attached to interfaces which are members of a bridge, or VLAN interfaces as members of a bridge it could be one of...

tdw

I don't think you have much option other than reorganising the bridge/VLAN setup. You could just convert from master-port to bridge and leave the VLAN interfaces attached to other bridges setup, except there are many pitfalls see https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration especial...

tdw

For complex setups the replacement of master-port configuration with a hardware-offloaded bridge is not handled well by the upgrade process, as in your case. It isn't clear what your original setup was as there is a br-lan and a br-wan, but all five switch ports are configured for hardware VLAN swit...

tdw

As the source and destination addresses are within the same subnet you need to disable any bridge hardware offload and set use-ip-firewall=yes under /interface bridge settings as normally the IP firewall filter/NAT/mangle rules only apply to routed layer 3, not bridged layer 2 traffic. This does inc...

tdw

The forums do have a search facility, and what published information there is available can be found in the help pages. One of the headers could be JTAG for manufacturing test, others may be for features which may be implemented - no point saying what they are if there is not a guaranteed developmen...

tdw

The bridge itself is still set to be both untagged /interface bridge add ingress-filtering=yes name=Bridge pvid=10 vlan-filtering=yes and tagged tagged=Bridge,... under /interface bridge vlan together with /interface vlan add interface=Bridge name=PrivateVLAN vlan-id=10 Change the bridge-to-CPU inte...

tdw

Hmm what about a managed switch in between?

That would become a single point of failure - takes out both WAN connections. Engineering redundancy solutions which does not make your setup less reliable is not straightforward.

tdw

In the article it says "Access ports are configured in a way that means ingress (incoming) packets must not have tags and thus will get a tag applied." so, shouldn't Ingress-Filtering only be activated at ports where there are only packages without tags? Tagged only (a.k.a. trunk): frame-...

tdw

You can only do PAP or MSCHAPv2 against AD, there is no way CHAP can work.

The 'Ignore user dial-in account properties' box is not ticked in your screenshots. I'm not a Windows expert, but without this I expect you have to apply a policy to the user accounts as the default is not to permit dial-in.

tdw

As the bridge and all of the ports have a PVID=1 things are getting confused by also having a VLAN with VID=1 attached to the bridge. There are several options * Use VLAN IDs excluding 1 OR * Set the bridge & port PVIDs to some other value OR * Disable the PVID on ports where you wish to use VLA...

tdw

Screenshots of winbox/webfig pages are generally not very useful, the output of /export hide-sensitive from a terminal window posted as code (the [] icon above the text entry box on the forum page) shows the precise configuration

tdw

But today I´ve seen something strange, i´ve connected my office mikrotik router to mine to access some devices from my home and in the moment I lost internet connection "ping 8.8.8.8" doesn´t response but ping to my office devices response correctly, so I have an internet connection. Goog...

tdw

Screenshots of winbox pages are generally not very useful, the output of /export hide-sensitive from a terminal window posted as code (the [] icon above the text entry box on the forum page) shows the precise configuration Mikrotik documentation on VLAN-aware bridges is here https://wiki.mikrotik.co...

tdw

If you have the default 'allow forward established/related/untracked connection' rule before your rule, yes. The first request from PC on LAN network to media server on IOT network has the connection state new , the reply from media server to PC has the state established and hits this rule. If you a...

tdw

You need not switch the LAN VRRP over due to an external WAN failure, you can have backup default routes, i.e. with a greater distance via the other. If they are static routes the packets will bounce back and forth between the two Mikrotiks when both WANs are down, but you probably don't care in tha...

tdw

Screenshots of Winbox are generally not particularly useful, the output of /export hide-sensitive from a terminal window posted as code (the [] icon above the text entry box on the form page) shows the precise configuration. I suspect that the ADSL and VDSL modems have no route to return traffic to ...

tdw

If you have two public IPs provided by two different providers there isn't much you can do if the public addresses are terminated on the Mikrotiks, other than have an active-active setup with each Mikrotik handling one WAN connection and you loose access to that WAN if there is an issue with the att...

tdw

What are: 192.168.11.0/24 + 192.168.12.0/24 and Remote: 192.168.21.0/24 + 192.168.22.0/24 ?

They were examples of subnets attached to the VLAN interfaces at each end. Your original example has two VLANs but only one subnet at each end which is insufficient.

tdw

For input you should allow established/related/untracked connections, drop invalid connections, allow ICMP as blocking it breaks things such as PMTU detection, then have your drop from outside rule: /ip firewall filter add action=accept chain=input comment="Allow input 'established', 'related' ...

tdw

If you had Head: 192.168.11.0/24 + 192.168.12.0/24 and Remote: 192.168.21.0/24 + 192.168.22.0/24 By this you mean V10 and V20 (example) IP addresses on Head and Remote? Yes, although the IP could be encapsulated in VID 11 + 12 at one end, and VID 21 + 22 at the other. So this is something along L3 ...

tdw

If I go back to my original goal and want to connect head office with remote office and want to bridge L2 between sites then I need to use some kind of EoIP or BCP protocol. This way I can extend VLANs over to remote office. Yes, excepting the limitations of the current BCP implementation. What if ...

tdw

I am trying to wrap my head around all this. I think I am still missing some peices to understand correctly. - Ethernet is L2 - VLAN is ethernet construct and therefore also L2. - bridge is also operating on L2 as it is kind of a "virtual" switch between interfaces Yes to all. - as long a...

tdw

To have a conversation between LAN and DMZ after the initial packet from LAN to DMZ there will be a reply packet from DMZ to LAN and your drop DMZ to LAN rule will drop these too, typically you have an allow established/related/untracked rule as the first item in the forward chain to permit the ongo...

tdw

Similar yes, in fact you can have both L2 & L3 if desired. One thing to watch out for is that BCP doesn't play nicely with VLAN-aware bridges, hopefully Mikrotik will fix it one day. I do have vlans configured under bridge vlan filtering as this appears to be a "promoted" way (I guess...

tdw

Because I must not forget about vpn dial-in users I am sympathizing with L2TP now. Hopefully L2TP/IPsec, plain L2TP is either not or weakly encrypted and the MSCHAPv2 password can have the NT hash and an equivalent password recovered. With L2TP I also have routed or bridged (BCP) way. With BCP I gu...

tdw

I'm not sure the Cloud Key would like 57V passive - the MT48-480095-11DG (45W) would be a better choice, or if you are powering several additional devices from the hEX PoE too the 48POW (70W) may be required depending on their power requirements. Any third-party PSU with a centre-positive 2.1mm barr...

tdw

With regards to the firewall rules that prevent the networks from talking to each other, I used the rules below. After applying these rules things work as I wanted with the exception that computers on each network can still ping the gateway on the opposite networks. This is not what I expected, but...

tdw

I have set 1300 MTU on the EoIP tunnel. Additional rule set MSS to 1250.

Be aware that if you add an EoIP interface with an MTU<1500 to a bridge it will impact any traffic between local bridge ports too, usually breaking things.

tdw

My experiences with Cisco APs, albeit some years ago on 1230 series, was that they didn't particularly like a fully tagged setup so I used managment to the BVI interface untagged. Their newer APs may be better.

tdw

You should have add-default-route=no under /interface l2tp-client - this is likely what is causing all your local devices to use the VPN connection. It would be better to use single mangle rule with an address list rather than having three mangle rules with individual addresses as it reduces the CPU...

tdw

It depends on how the decision to route traffic via the VPN is going to be made. If there are a small number of destination addresses, e.g. a few company subnets, you can use static routes to direct traffic to those addresses via the VPN. However if there are a small number of local source addresses...

tdw

That won't work, the wiki example is using DHCP relay to pass requests for 192.168. 1 .0/24 and 192.168. 2 .0/24 subnets to a DHCP server running in the 192.168. 0 .0/24 subnet. If you wish to extend the network from the other router the hAP should have all ports in one bridge, no DHCP server or DHC...

tdw

@anav The Cisco AP on ether2 is configured with VLAN10 untagged & VLAN20 tagged so frame-types=admit-only-vlan-tagged isn't appropriate either

tdw

Having frame-types=admit-only-untagged-and-priority-tagged for ether2 isn't appropriate for a hybrid port

tdw

I can't comment on Dude access as we do not use it. If you are restricting external access by means of an address lists there is not really a need to change the port(s). It depends on how determined/clever the hackers were as not everything in the underlying OS is exposed through Winbox or CLI. The ...

tdw

The raw GPON interface always operates at 2.5Gbps down / 1.25Gbps up, regardless of the SFP interface rate. GPON supports upto 1:128 split ratios which would be 20Mbps down / 10Mbps up if everyone were using the service at the same instant. The ONU converts ethernet packet payloads to/from GEM (GPON...

tdw

Set hw=no for the ethernet interfaces attached to the other bridges under /interface bridge port , in Winbox this is the 'Hardware Offload' checkbox on the General tab for the ports under Bridge > Ports. Hardware offload is only for ethernet to ethernet traffic for ports attached to one bridge, it w...

tdw

As I said in my previous post your configuration does not allow traffic from the access ports to the CPU.

tdw

Whichever has the greatest port to port traffic, e.g. if you have a PC and a NAS connected to a couple of ethernet ports then the bridge including those. Also note that wlan interfaces cannot be hardware accelerated as the traffic is handled by device driver code running on the CPU.

tdw

The trunk and access ports have no access (IP or MAC based) to the CPU with that configuration: There is a VLAN5 interface configured for IP management of the device, however it is not connected to any ethernet ports. VLAN6 is untagged on ether2, tagged on ether1 and switch1-CPU, however there is no...

tdw

No, one VLAN aware bridge. Then make the port connected to the guest network on the router (blue line) an access port for the guest VLAN. As the unmanaged switch may not pass tagged traffic make all the other Mikrotik ports access ports too, and use CAPsMAN forwarding to encapsulate the guest traffic.

tdw

You mention VLAN 6 for management, however this configuration uses VLAN 5 which is not configured on any of the ether ports: add ports=switch1-cpu switch=switch1 vlan-id=5

tdw

Generally I find it best not to include any untagged= membership entries under /interface bridge vlan as they will be dynamically added when interfaces are running/up based on the pvid= entries under /interface bridge port . If the untagged membership entries are present you have to remember to upda...

tdw

Having two subnets on one link without VLANs is possible but is unusual - it doesn't provide isolation, and DHCP can only be used to assign dynamic addresses to one subnet. Other than this weird internet connection the normal way of implementing this would be to use a single VLAN-aware bridge on the...

tdw

Would it work if I use a USB to RJ45 Cisco Console Cable with FTDI chip? From UPS USB-B port to the serial RJ45 of the MikroTik? Or somehow connecting the USB port of the UPS to the serial RJ45 port of the MikroTik? No. USB only supports host-to-peripheral communications, not host-to-host or periph...

tdw

I thought rollover cable would work as the that's how you can connect the APC UPS form its serial port to another device with RJ45 serial port. I don;t think I've ever seen an APC connection which didn't require a custom cable to swap pin connections as they are not a 1-to-1 mapping. So basically t...

tdw

The recommended setup for Mikrotiks with VLANs is to use a single VLAN-aware bridge, there is a good primer in the forum https://forum.mikrotik.com/viewtopic.php?t=143620 If the wired client connections (what you have called terminals) are on one network you can use CAPsMAN forwarding to segregate t...

tdw

The PPPoE server uses the remote-address setting from the PPP profile, for authentication against a RADIUS server this may be overridden by including a Framed-IP-Address , Framed-Pool or Mikrotik-Group attribute in the Access-Accept message. You can specify local users under /ppp secret with specifi...

tdw

I'm trying to connect an APC UPS SMT750I from its RJ45 console port to the CRS326-24G-2S+RM via its serial console RJ45 port. I used RJ45-to-RJ45 rollover cable to do so. However the RouterOS is not recognising it. What makes you think a rollover cable will work? The APC connector is actually 10-pi...

tdw

Using /export hide-sensitive is generally recommended, and as you also appear to have left login credentials for external services in scripts you may wish to change them. R2 has lots of unnecessary configuration for a simple bridged access point (ipsec, ppp, firewall rules, dhcp-server, static dns, ...

tdw

If I set the uplink interface on R2 to not be part of the bridge and then add the IP address in the interface, it works as it should be, but not if the uplink is part of the bridge. All of the ether and wlan interfaces should be members of one bridge and an IP address assigned to the bridge, can be...

tdw

Either method will work. Using a VLAN-aware bridge is the simplest, you really only need to use the switch chip if you expect a lot of traffic between ethernet ports in the same VLAN as any routed traffic (between VLANs or between VLAN and internet) has to pass through the CPU in any case. Example u...

tdw

VRRP is for failover, not load balancing/sharing, and works for L3 traffic, not L2.

Bonding the L2 interfaces together with an appropriate mode and transmit-hash-policy may work depending on the nature of the traffic, see https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding

tdw

IP pools have no concept of lease time, that is specific to DHCP. A PPP-like connection uses IPCP to inform the client of their IP address, and lasts for as long as the PPP session is connected. Address allocation from pools is generally 'sticky' between reboots of the Mikrotik so if a client discon...

tdw

Most discovery protocols use layer 2 broadcasts and generally can not be routed. You may be able to use multicast routing for some, although from various posts I've seen it does seem to be somewhat hit and miss. There are also some third-party utilities you can run on a separate computer. Also why a...

tdw

Using both switch chips on a 2011/3011 will use the CPU for traffic between the two switch chips, and has issues https://wiki.mikrotik.com/wiki/Manual:L ... itch_chips

tdw

Should I really stick with all my ports on both the switch and the default bridge? Or does this approach limit my performance or flexibility? Yes, the CRS3xx automatically offloads hardware switching to bridge ports. As I get around to setting up VLANs on my network, do I need to make changes in th...

tdw

The 8337 and 8327 work properly, it is just a case of terminology/wording. Basically forget about the vlan-header= setting, with vlan-mode=secure the chip will use the default-vlan-id= setting to tag packets with that VLAN ID on ingress and strip the tag on egress.

tdw

As the wireless interfaces are managed by CAPsMAN they should not be manually added under /interface bridge port

tdw

Did you clear the connection tracking entries or wait (~3 minutes for UDP connections)? The connection state includes flags to indicate if source and/or destination NAT is required, these are set on the first packet of a connection. As UDP doesn't have any concept of a connection, unlike TCP where y...

tdw

Yes, unless a particular selector / matcher is used it will apply to all traffic. That rule has no to-addresses or to-ports so nothing would be changed.

tdw

/interface bridge nat operates at layer 2 / ethernet and changes the MAC address based on the to-dst-mac-address parameter. The dst-port is just one of many selectors to identify a packets on which to perform actions. Is the traffic passing through the bridge to another port, in which case you do n...

tdw

I'm surprised it works as there do not appear to be any addresses associated with the VLANs (ether2.102, ether2.103, etc.), having an address on the base ether2 isn't propagated to the child VLAN interfaces. Our main use of routed IP blocks is public addresses for PPPoE clients, but we have used /32...

tdw

Starting with the standard config it should be: Remove ether1 from the WAN interface list Remove ether5 from the bridge Add a vlan to ether5 with ID 35, you can name it something more representative than vlan1 e.g. vlan35 Add the vlan to the WAN interface list Change the DHCP client interface to the...

tdw

You certainly have to export the certificates as a bundle in PKCS12 format so the private keys are exported too, see export-certificate in https://wiki.mikrotik.com/wiki/Manual:System/Certificates#General_Menu I recall there have been some reports that if a CRL has been specified (as in your example...

tdw

Your confusing layer 2 (ethernet) and layer 3 (IP) functionality. There is mention of an IP address per subnet with the form 10.1.0.1 & 10.2.0.1, but then addresses with the form 10.1.0.2 & 10.1.0.3 which is completely different - if a subnet is attached to an ethernet interface layer 2 swit...

tdw

OpenVPN does not use IPsec. Screenshots are not particularly helpful, they usually don't display everything. Execute /export hide-sensitive in a terminal window, post the output in a code block (the [] icon on the toolbar when posting in the forum) after redacting any public IP addresses.

tdw

Get your RADIUS server to return a Framed-IP-Address attribute when the client authenticates, if present this overrides the pool specified in the PPP profile on the Mikrotik.

tdw

A bridge has two roles - its is both like a switch connecting various ethernet ports together, and also like an ethernet port to pass traffic to services on the Mikrotik itself. Whilst you have br01-Core as a tagged member for VLAN IDs 99, 13 & 22 under /interface bridge vlan it is missing for V...

tdw

There are several mechanisms an ISP may use to provide IPv6 addresses so you need to know which they use. The main issue is that each network requires a /64 prefix, if the ISP provides only one this is fine for a mobile phone as it is the endpoint, however if you are going to route you need one /64 ...

tdw

It had to be something simple like that, nothing obviously incorrect in the configurations. I did notice that VLAN IDs 10 & 99 are tagged on ether1-4 on switch1, however VLAN IDs 50, 70, 80, 90, 100, 200 & 300 are only tagged on ether1 so will not propagate on the trunks connected to ether2-...

tdw

Post the actual configs from /export hide-sensitive

tdw

Finally someone who knows what talk talk is :) It is likely confusing for residents of one country who have never come across the businesses operating as ISPs in others. In the UK the top four ISPs with greater than one million clients each are BT Group (BT, Plusnet, EE), Sky Broadband, Virgin Medi...

tdw

That does seem to make sense with TalkTalk documentation not being up to date as I did find a forum post on the talk talk community that says you dont need to do the VLAN tagging any more for FTTP. The official TalkTalk documentation for using your own router doesnt specify if those settings are fo...

tdw

If you have set a manual address on the D-Link it will not appear in DHCP leases, only devices which make and accept DHCP requests will appear there. As you are connecting to the 'LAN' side of the D-Link router and using it is a wireless access point none of the routing/NAT/firewall functionality on...

tdw

The TalkTalk help pages do not appear to have caught up with their available broadband products, having only recently started selling FTTP services via Openreach connections - PTM encoding and VLAN 101 are only applicable to FTTC / VDSL2 connections. Whilst PPPoE is often used to provide the custome...

tdw

Then how do I get a list of all active services ? This is an almost-complete list https://wiki.mikrotik.com/wiki/Manual:IP/Services#Protocols_and_ports , OpenVPN is missing for example. If a particular service is not enabled the port will be inactive. Some services allow their ports to be changed f...

tdw

Now that you're asking I think I made a dumb question. The bridges, being logical interfaces, act like normal interfaces, so there should be no L2 talk between them, right? Correct. Once you add IP addresses to each bridge then IP traffic at layer 3 can route between them unless blocked with firewa...

tdw

a) Instead of creating a new Bridge, I could use the Bridge from the default config of the CRS326 where all Ports are configured with hw-offloading and pvid=1. I would then need to add VLAN-ID 1 to the trunk port. By doing this, I would simply transition the current flat network in a VLAN-based fla...

tdw

The EoIP settings in that presentation are not correct in as much that the MTU is not set - it should be forced to 1500 to be properly transparent to full-size ethernet frames. BCP over a PPP-like interface with MRRU set (to enable Multilink PPP) will also handle full-sized ethernet frames. There is...

tdw

For PPP-like VPNs you could use the on-up and on-down script actions under /ppp profile to send an email using /tool e-mail send

tdw

See 'Support request instructions' under https://mikrotik.com/support, as you have a reproducible bug you can skip 1 & 2.

tdw

Does idle-timeout under /ip hotspot active change when you send that attribute? If not you will likely have to report it as a bug, if it does it may be that background traffic from the device is more frequent than the timeout - you can check the idle-time value.

tdw

See https://wiki.mikrotik.com/wiki/Manual:R ... dictionary, and https://tools.ietf.org/html/rfc2865#page-49 for that particular attribute.

tdw

A bridge has two roles - its is both like a switch connecting various ethernet ports together, and also like an ethernet port to pass traffic to services on the Mikrotik itself. Somewhat confusingly the settings for both of these roles are made under /interface bridge - the frame-types , ingress-fil...

tdw

Currently for each VLAN's I create a interface VLAN10 for ether1 and interface VLAN10 for ether2 , then create a bridge and add both of those Vlans to that bridge, That isn't necessarily the wrong way of doing it, in fact prior to VLAN-aware bridges being introduced it was the standard method if no...

tdw

The 802.11 WiFi standards do not support transparent layer 2 / ethernet bridging which can break protocols such as DHCP. Various vendors use the 802.11 four address frame packet format / WDS to implement transparent bridging, but as there is no standard method interoperability between vendors is hit...

tdw

I would suspect that the firewall rules are being overly restrictive, certainly that is the case for OpenVPN - you permit the OpenVPN connection, but not traffic from the connected clients. Enabling logging on the input and forward drop rules will likely provide a clue. Not allowing ICMP input will ...

tdw

I am considering using a CRS3XX as the PPPoE server for the VLAN's and have the CCR1009 for firewall and monitoring. The hardware offloading only applies to traffic bridged between ethernet ports, everything else is handled by the CPU. You might get somewhere between 100-200Mbps out of a PPPoE serv...

tdw

When using VLAN's in the bridge ports, is there any work around for HW offloading or put another way what Mikrotik hardware can do VLAN HW offloading? Only the CRS3xx devices support VLAN-aware hardware-offloaded bridges, but these are designed to be layer 2 switches with limited layer 3 support. O...

tdw

Is there such thing as a 1009??

Yes, they have been around for over five years.

tdw

Am I correct that CCR1009-7G-1C-1S+ does not have hardware offload CCR1009-8G-1S-1S+ has hardware offload Yes, the discontinued CCR1009-8G-1S and CCR1009-8G-1S-1S+ (there are fan and passive cooled versions of both) have ether1-4 connected to the processor via an Atheros 8327 switch chip which can ...

tdw

The /interface bridge port and /interface bridge vlan settings are completely ignored unless you set vlan-filtering=yes on the bridge. You also need to add the bridge itself as a tagged member of VLAN ID 100 under /interface bridge vlan , you do not need to set untagged membership as these are dynam...

tdw

Even though the sample has it commented, what is the purpose of admin (vlan 99)? Wouldn't vlan-10 be sufficient? I believe it is to separate management from all user device traffic, there isn't an issue with having a combined 'trusted device and management' network and just separating untrusted / g...

tdw

Yes. The switch chip is always used, creating a bridge and adding ports with hardware offload reconfigures the switch chip at which point the 802.1Q VLAN setup can be made. Without a bridge being configured port-based VLANs are used to multiplex the physical ethernet ports to the logical interfaces ...

tdw

You have to create a bridge with vlan-filtering=no to use the switch chip, see https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_1_.28Trunk_and_Access_Ports.29 , https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Management_access_configuration and https://wiki.mikrotik...

tdw

As you only have a single ISP feed having multiple routers will not give you HA for external traffic, it could provide resilience between internal networks using VRRP but you have to take care with things such as DHCP and firewall rules as there is no synchronisation of IP pool use and connection tr...

tdw

I studied the page at https://forum.mikrotik.com/viewtopic.php?t=143620 and focused on Router-Switch-AP (all in one) section which applies to me. As I need only Guest access only on Wifi, I dropped the changes related to the physical ports. You will need a hybrid port with main network untagged and...

tdw

Firstly, as the IPv6 package is disabled by default it is wise to enable it, reboot, and then reset the configuration to include the IPv6 firewall rules. Configuration varies depending on how your ISP delivers IPv6 - some are static only (my ISP doesn't do native IPv6 so I have a 6to4 tunnel, static...

tdw

Mikrotik do not support bonding / LAG across multiple switches, if you connect the pair of interfaces on a server to different switches then only layer 2 option is spanning tree. As you have a single point of failure with a single router anyway adding switch failover may introduce additional potenti...

tdw

I would ideally like to use both the Mikrotik itself and the Cisco since I need to cover a considerably large area.

Using the WiFi on the Mikrotik itself doesn't require CAPsMAN, just configure the wlan interfaces directly

tdw

Thanks for the input. I was following online guides :-) I will reset it and try to find a document I can follow. Unfortunately many third-party blogs and videos are outdated (mostly by firmware changes such as the introduction of VLAN-aware bridges), less than optimal or insecure. The guide in my p...

tdw

The bridge and VLAN setup is horrible and has several of the errors described here https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration . The simplest method would be to use a single VLAN-aware bridge - there is a good primer on Mikrotik VLANs https://forum.mikrotik.com/viewtopic.php?t=1436...

tdw

It would, that forum post is to explain VLAN setup without adding additional baggage. Spanning tree configuration is a complete topic in its own right.

tdw

The proxy-arp setting is only required if the VPN clients and a local network share addresses from the same subnet, it should only be on the parent interface bridge1-lan , not the child interfaces ether3/4/5 . If you are using different subnets it is not required. The routes=192.168.88.0/24 under /p...

tdw

Your management VLAN (ID=5) is untagged on the interfaces to the cAP and hAP ac2 so can be accessed directly without requiring VLAN interfaces on those devices. If you look at the bridge VLANs in Winbox connected to the cAP you will see bridge plus ether1 and/or ether2 as Current Untagged members of...

tdw

AFAIK there are quite a few settings required to configure NPS, I've not tried it myself but others have used this https://mivilisnet.wordpress.com/2018/1 ... indows-ad/

tdw

You can actually leave out the untagged= settings under /interface bridge vlan , they will be dynamically added based on the pvid= settings under /interface bridge port , so it would simplify to /interface bridge vlan add bridge=bridge1 tagged=ether6,ether15,ether16,ether17,LACP1,bridge1 vlan-ids=10...

tdw

You have confused TUN (layer 3 / IP) with TAP (layer 2 / ethernet). None of the layer 3 VPNs (L2TP, PPTP, SSTP, IPsec or OpenVPN TUN) will route broadcasts, however as you have found you can use the same IP range on the local LAN and remote VPN client using proxy-arp. If you need real layer 2 connec...

tdw

That is not the actual configuration on the device, post the output of /export hide-sensitive

tdw

i was planning to ad the eth1 device to a bridge called wan. however i think that isn't the correct methode. What is the best option to make ETH1 also availible as wan interface (when connected to this interface the wireless interface should not connect to an upstream wifi. but make the "lan&q...

tdw

A /ppp profile sets various parameters used by PPP-like (PPP, PPPoE, PPTP, L2TP, SSTP, OVPN) clients and servers, but not passwords. Local servers use the passwords specified under /ppp secret , or RADIUS, to authenticate remote clients. See https://wiki.mikrotik.com/wiki/Manual:PPP_AAA Local client...

tdw

Using use-service-tag=yes under /interface vlan is incorrect for standard VLANs. A bridge has two roles - its is both like a switch connecting various ethernet ports together, and also like an ethernet port to pass traffic to services on the Mikrotik itself. So to provide access to DHCP and routing ...

tdw

As the same VLAN ID at both ends have a different subnet do you really need a layer 2 / ethernet connection, or just to be able to access the IP subnets which is down to IPsec policies and firewall rules.

tdw

If all traffic from the second computer is to go via the WR1043 either put a few ports in a separate bridge on the RB3011, or change the existing bridge to be vlan-aware and use VLANs. No need for any DHCP, NAT, etc. as those few ports are effectively operating as an unmanaged switch. If some of the...

tdw

Afternoon, I am installing a CRS tomorrow, can someone just verify my config.

There is no /interface bridge section to create the bridge.

Does the bridge need to be tagged on all vLans?

Only if you wish to access services on the Mikrotik itself from them, e.g. management access.

tdw

From the wiki "Note that not all packets in a connection can be FastTracked, so it is likely to see some packets going through slow path even though connection is marked for FastTrack. This is the reason why fasttrack-connection is usually followed by identical action=accept rule." So unle...

tdw

IPsec will not transport tagged VLANs as these are ethernet, not IP. You have to use EoIP or the BCP feature of PPP-like protocols e.g. L2TP/IPsec, SSTP to handle these. As you have different subnets using the same VLAN ID at each end you probably do not need to transport the VLANs, just make the su...

tdw

You need to set vlan-mode=secure under /interface ethernet switch port for ether2-5. Per the note in the wiki "For devices with QCA8337 and Atheros8327 switch chips a default vlan-header=leave-as-is should be used. When vlan-mode=secure is configured, it ignore switch port vlan-header options. ...

tdw

You are specifically excluding untagged traffic on the hybrid port connected to the AP. Under /interface bridge port make the following change:
add bridge=bridge-LAN frame-types=admit-only-vlan-taggedadmit-all ingress-filtering=yes interface=ether1 pvid=10

tdw

You could leave a ping running to confirm if the tunnel does then stay up on the problematic link.

If this does turn out to be the case then abusing Tools > Netwatch would do - e.g. interval 25m, no up-script or down-script.

tdw

Perhaps the other connection is transferring some real traffic and USG is ignoring protocol keepalive traffic when looking for idle conditions.

tdw

The server is telling the client to disconnect
13:09:07 l2tp,ppp,debug,packet Tadej: rcvd LCP TermReq id=0x4
which is is complying with
13:09:07 l2tp,ppp,debug,packet Tadej: sent LCP TermAck id=0x4
so some setting at the server end, maybe an idle timeout.

tdw

You can use raw firewall rules without connection tracking

tdw

Is it possible to treat the Ethernet port as completely separate? It seems like it's bridged into the rest at the moment. What I would like to do is have 1x 10G "uplink" to my router, then 3x 2.5G to machines. Is this possible? If so, how? Eventually I don't want to have the Ethernet conn...

tdw

The configuration seems incomplete, to use the switch chip you have to create a bridge and add the ethernet ports to it. Additionally you cannot add IP addresses or services to child interfaces. The basics are covered in https://wiki.mikrotik.com/wiki/Manual:Switch_Router and https://wiki.mikrotik.c...

tdw

Note that when I do enable the rule that I can no longer ping from the router to the laptop, however, a machine that is connected to a different subnet that is connected via link aggregation CAN still ping the laptop. I have two subnets in question. 192.168.0.0/24 is connected to a switch using lin...

tdw

Certainly devices such as the S+RJ10 require significantly more power then optical modules - Mikrotik quote an average power consumption of 2.7W driving a 30m 10GBASE-T link, compared to a maximum of 0.8W for a S+85DLC03D which supports 300m on multimode fibre. Conversely the S+DA0001 and S+DA0003 p...

tdw

Yes, bridge horizon wouldn't work with groups of ports. How about bridge filters /interface list add name=list1 add name=list2 /interface list member add interface=ether2 list=list1 add interface=ether3 list=list1 add interface=ether4 list=list2 add interface=ether5 list=list2 /interface bridge filt...

tdw

The detect-internet function also uses the Mikrotik cloud servers. From various posts it seemd to cause more trouble than it is worth, you could disable it as the ports are already manually assigned to the LAN & WAN interface lists.

tdw

Single malt is good

tdw

Are you sure the credentials are validated, or just accepted by the Windows client?

Does the packet count on the firewall filter add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp rule increase? Anything in the Mikrotik log?

tdw

With that configuration the address 192.168.10.1 in image #7 does not exist until a connection using the PPTP Server PPP profile is made, you can use the LAN gateway address if connecting locally to test. Also there is no need to add 192.168.10.0/24 under /ip dhcp-server network as PPP-like protocol...

tdw

The LAN IP address being applied to ether2 rather than the LAN bridge crops up way too often for everyone to be making the same mistake. I suspect there is something buried in a default script or quickset which was never updated when master-port configuration was replaced by a LAN bridge.

tdw

Do you require multiple VLANs on ports, or are you just trying to isolate groups of ports sharing a subnet within a layer 2 network? If so port isolation or bridge horizon may be a solution.

tdw

Screenshots generally do not convey enough information to be useful, post the output of /export hide-sensitive from a Winbox terminal session in a code block (the [] icon above the text box when posting on the forum). Many third-party guides on the internet are out of date / not optimal / insecure. ...

tdw

Incoming packets have to be handled somwehere. Packets not consumed by dst-nat will either be handled by input if the destination address matches an IP address assigned to the Mikrotik, or forward for any other addresses - this is normal linux routing behaviour. If you have a deny address list you c...

tdw

To access the Mikrotik itself you do indeed need input not forward and/or dst-nat rules. The /ip firewall nat ... add action=dst-nat chain=dstnat comment="Router Remote" dst-port=4770 protocol=tcp src-address=199.51.2.4 to-addresses=10.10.50.1 to-ports=80 ... is incorrect. EDIT: incorrect ...

tdw

You mention VLANs with IP addresses which is not strictly correct - ethernet VLANs may carry assorted IP subnets but a VLAN itself does not have an IP address. Winbox discovery will only display devices on directly attached networks as the information is broadcast, so never routed to other subnets. ...

tdw

If you start with the default configuration that has ether1 configured as the WAN interface acquiring an IP address with DHCP client, and ether2-5 in a bridge configured as the LAN interface providing addresses with a DHCP server, along with a reasonable set of firewall and NAT rules. If you only wi...

tdw

Just because you create two /interface vlan with the same VLAN ID on differing interfaces (ether1 and switch_core_L2), and assign addresses from the same subnet to each of them will not allow access from one to the other. A diagram of what you wish to achieve may be helpful.

tdw

The OVPN server should have its own server certificate, not the self-signed CA, selected. The private key for the server certificate must also be present. The CA certificate, and any intermediate certificates if used, must also exist on the server Mikrotik. They will be present if you generated the ...

tdw

Any bridge filter rules apply to layer 2 traffic between ports only when hardware acceleration is not being used. When hardware acceleration is used the traffic is internal to the switch chip and never reaches any filter rules handled by the CPU, you may be able to use switch rules https://wiki.mikr...

tdw

If the configuration was unchanged between the original hEX Gr3 and hEX lite the most likely cause is the different MAC addresses changing the spanning tree topology - try setting protocol-mode=none on all of the bridges. This is one of the issues discussed here https://wiki.mikrotik.com/wiki/Manual...

tdw

What feature? Some arrow to point you to the right menu?

As mentioned in an earlier post the SNTP client is fine, however upon installing the NTP package to provide a local NTP server the replacement NTP client still only accepts IP addresses, not names.

tdw

Opened it via Windows Certificate handler ... Key Usage: Certificate Signing (04) That is OK for the CA certificate itself, the child certificate used by the OVPN server should have encipherment usages present. The key files are needed to unlock the certificates, aren't they? I normally import them...

tdw

the output of `openssl x509 -in C:\\Users\\someone\\OpenVPN\\config\\cert_export_MY-CA.crt -text` would be helpful, to see what attributes are set in the certificate. Where/how do I run this query? openssl is included with most linux distributions, there will be windows ports available. Alternative...

tdw

If I understand it correctly, VLANs are working in bridge way only if I enable vlan filtering on bridge .... or switch way if I disable vlan filtering on bridge and have everything setup in switch vlan ... is that correct? Yes. When vlan-filtering=yes the VLAN configuration is made under /interface...

tdw

Remove everything in the /interface bridge vlan and /interface ethernet switch egress-vlan-translation sections as they are redundant. The relevant configuration examples are https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_1_.28Trunk_and_Access_ports.29 and https://...

tdw

A bridge as two roles - a switch-like role for transporting packets between ports, and a port-like role for transporting packets between the bridge and other functions provided by the Mikrotik. You need to add the bridge itself to the required VLANs under /interface bridge vlan , also it isn't neces...

tdw

Hardware offloading is disabled for VLAN-aware bridges, changing the switch chip settings from default can result in odd behaviour so I would changed those back to the defaults. There is little point having two VLAN-aware bridges, and bridgeIoT is incorrectly configured with a PVID having the same V...

tdw

A number of issues... You only require /interface vlan entries if you wish VLANs to interface with services on the Mikrotik, they are not required for VLANs merely passing through the Mikrotik bridge/switch. Under /interface bridge port setting frame-types= has no effect unless ingress-filtering=yes...

tdw

If WAN1 is not to be used for any other traffic remove its default route so all traffic egresses via WAN2. Use mangle rules to firstly mark the desired connections, then apply policy routing with a routing table entry for the routing marks. The wiki has pages on mangle rules https://wiki.mikrotik.co...

tdw

Screenshots are generally not that helpful.

In a terminal window run /export hide-sensitive and paste the configuration output in a code block (the [] icon above the reply box) which makes it more readable.

tdw

I just printed out all kinds of documentation so I can ready over tonight.. in the meantime what would I have to do to have port 3 on the switch pass down VLAN 10 from the fw? So if I were to hook up a device to that port then DHCP witch is in my FW will get passed down to it Assuming all of the po...

tdw

CR3xx should be configured with a single VLAN-aware bridge as the switch chip is automatically used, a.k.a. hardware offloading. See https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering and there is a good primer on Mikrotik VLANs in the forums https://forum.mikrotik.com/view...

tdw

So that means even if I have iSCSI traffic the packets will route all the way back up to the FW with 1G ports then back down to the SFP+ ports on the mikrotik? Is there a way to not do that? That depends on your network architecture. Traffic within a layer2 network will be switched, e.g. IP traffic...

tdw

So I have a pfsense device as my FW , and I just purchased a mikrotik device as it's the cheapest I can find with sfp+ and I'm having some trouble restricting a port to just one vlan tag... I've done it in Unifi controller where I had to create a network and then assign a port a vlan tag and it wor...

tdw

It's tricky, trying to implement hardware failover can lead to more points of failure. For example, if the LAN is configured to use VRRP for failover between the two routers how would you connect the two routers to your network - if you use a switch that then becomes a single point of failure. Simil...

tdw

The DHCP process only assigns a single IP address to an interface, as you have a static address this could be done with DHCP option 82 (this isn't seen by the end user) or MAC address binding. The framed route setup at the ISP just directs incoming packets for the additional IP address(es) to your p...

tdw

As you are not using a PPP-like connection for your WAN how is your existing main/primary WAN address set/acquired?

tdw

As the DHCP server entries are coloured red in Winbox there is an error with their configuration. Have you added the networks under DHCP Server > Networks? The best way to show configurations is to use the /export hide-sensitive command in a terminal window and paste the output in a code block (the ...

tdw

No, ethernet/IP equipment is likely to only support Ethernet SFP/SFP+. You will need something specifically designed for SDI, likely more expensive than ethernet/IP kit as it is a much smaller market.

tdw

Now I was told those sdi sfps only work with dedicated equipment and not with any switch or router in general as the device needs to encode or decode video to ip. Is that true? Yes. The SFP/SFP+ physical form factor, pinout and power supply may be common, but the serial data stream is specific to t...

tdw

It depends on the optical delivery and type of SFP. For GPON a dumb SFP will not work, but an active SFP which contains ONT functionality and presents a 1000Base-X electrical interface should. There are also some ISPs who use point-to-point 1000Base-LX or 1000Base-BX optics rather than GPON.

tdw

The default configuration forward rules are /ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=i...

tdw

- created two interface lists LAN (with the bridge), and WAN (with physical ge1 and fe9 ifaces, not the PPPoE interfaces act-ge1 and airtel-fe9) - /ip firewall \ nat add action=masquerade chain=srcnat comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN I'm suprise...

tdw

Reduce the pool size to leave some non-overlapping addresses available for static allocation.

Also, you can assign the IP address with the Framed-IP-Address RADIUS attribute, which overrides remote-address in the PPP profile, instead of creating local secrets.

tdw

It is unwise to attach VLAN interfaces to individual members of bridges unless you know what the effects will be. There is a good primer on Mikrotik VLANs https://forum.mikrotik.com/viewtopic.php?f=13&t=143620 and there are skeleton examples on the wiki https://wiki.mikrotik.com/wiki/Manual:Inte...

tdw

That should work, we have a site with something similar for six Mikrotiks although using L2TP/IPsec and /32 addresses for the interlinks, so it will be a configuration issue.

tdw

MMIPS for 750G, Long term version. MMIPS is only for the 750Gr3 (second version of the hEX). The original 750G, which the OP has, and the 750Gr2 (first version of the hEX) are MIPSBE. The /system routerboard settings set cpu-frequency=150MHz will be reducing the performance, it should be several ti...

tdw

You might be able to use/abuse /routing filter to modify dynamically added routes.

Search found 713 matches