MikroTik

tdw

Unlike switch chips, which typically apply the PVID tag to untagged packets on ingress and remove it on egress, bridges can handle both tagged and untagged packets. The bridge settings "use IP firewall" and "use IP firewall for VLAN" are only required if you want packets travelling directly between ...

tdw

Sounds like an MTU issue, the default PPPoE server setup has an MTU of 1480.

tdw

Mikrotiks don't support /31 directly, the typical workaround is to configure the interface as a point-to-point link with a /32 address at each end /ip address add address=63.24.113.29 interface=WANVLANNAME network=63.24.113.28 Unless you have disabled or removed the DHCP client in the default config...

tdw

In that case the statement about not being able to route where the source and destination subnets are the same still applies, set up an EoIP tunnel between the Mikrotiks and bridge the VLAN

tdw

In the Mikrotik MPLS/VPLS example the routers are interconnected with IP running over direct ethernet connections, in your case they would be interconnected with IP running over your LTE modem connections. As each of your sites has a single WAN connection, i.e. you don't have redundant paths as in t...

tdw

VLANs are generally unnecessary where there is only a single subnet present on an ethernet network. In your diagram labelling the left and right hand boxes 'LAN 18' rather than 'VLAN 18' would be more appropriate unless the diagram does not show all the detail. It is impossible to route traffic wher...

tdw

Spanning tree will not do what you want - it is designed to block redundant paths. As Mikrotik do not implement SPB (shortest path bridging) you might be able to do something with bridge split horizon, or failing that static bridge filters. Ideally being able to use IP (i.e. layer 3) instead of Ethe...

tdw

A few things: Uncheck 'Use service VLAN' in the configuration for vlan10 - it should be a regular 802.1Q VLAN rather than an 802.1ad (service) VLAN. Remove the entries under /interface ethernet switch vlan - it is possible to mix a non-VLAN aware bridge with hardware switching and VLAN filtering, bu...

tdw

The current untagged vlan10 entry is incorrect, it may be cleared by a reboot.

Note that vlan10 should not be included under Bridge>Ports, the output of /export hide-sensitive would be more useful than a selection of screenshots.

tdw

As you are using a VLAN-aware bridge: The VLAN interface created in #2 should be attached to bridge-lan NOT ether2 When setting up the DHCP server in #4 you need to create an entry under the Network tab too The bridge VLAN settings in #5 are not correct, the entry for VLAN 10 should have tagged=brid...

tdw

Nothing obvious jumps out, although what is /interface bridge filter add action=drop chain=input dst-port=68 in-interface=ether1 ip-protocol=udp mac-protocol=ip for? The only thing which comes to mind is that the wireless link isn't operating transparently so a device connected at the remote end has...

tdw

post the output of /export hide-sensitive for both devices

tdw

I assign an address from the pool on the router wlan1 interface. The router has two global address: 2000:1111:2000:9:aaaa:bbbb:cccc:dddd on sfp1 and 2000:1111:3333::1 on wlan1 There is no mention of wlan1 in anything you have posted so far, all of the IPv6 configuration you have provided references...

tdw

Most likely the additional networks are not having NAT performed before heading for the 'WAN' interface, post the output of /export hide-sensitive after sanitising any public IPs, etc.

tdw

Replace your two existing bridges (bridge & bridge_verejny) with a single VLAN-aware bridge, see https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering and there are many posts on the forms too.

tdw

It is difficult to tell from a printing the state of a few items, /export hide-sensitive (in this case /ipv6 export hide-sensitive is probably sufficient) and sanitise any public IPs. That said, as your ISP is not using link-local addresses for the WAN connection you should configure the DHCP client...

tdw

Without the full configurations it is difficult to see exactly what the problem is. You can't connect bridges together (this isn't strictly true, there are ways of connecting VLANs between bridges but often breaks things in mysterious ways, see https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfigu...

tdw

1. Managed to update all the interface with the correct MAC address. However, the Admin MAC Address on the Bridge is still incorrect. Will it effect the network in any way if I were to disable it and allow RouterOS to pick it from the attached interfaces ? When you disable the bridge Admin MAC addr...

tdw

The HP1810G switch used by the OP didn't implement any spanning tree, but apparently violates network standards by passing BPDUs - see https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02597134 . I've used HP1810G v2 models which do support spanning tree correctly. The mishandling, toget...

tdw

The IP address and DHCP server configuration is incorrect: /ip address add address=192.168.2.1/24 interface= bridge1 network=192.168.2.0 add address=10.10.10.1/24 interface=IOT network=10.10.10.0 /ip dhcp-server add add-arp=yes address-pool=dhcp disabled=no interface=bridge1 lease-time=1w name=dhcp ...

tdw

Thank you for the feedback. I believe all are very appropriate. Router 1 1. Correct, I loaded a backup from another configuration. Have 5 similar sites, same router model, same ISP and configuration, only difference is the public IP and VLAN ID. Any suggestion to remove the MAC addresses? There is ...

tdw

Your VLANs have isolated the various apartments ethernet / layer 2 networks, however without firewall rules to prevent forwarding the CRS will be routing traffic between the subnets on those VLANs. The CRS devices are designed for switching plus the odd service function and a some routing, the CPU i...

tdw

The CCR packet sniffer shows: Untagged packets arriving on ether3-Server from 10.0.15.10 destined for 10.0.10.5 Tagged packets with VID 10 leaving on ether2-HAPac from 10.0.15.10 destined for 10.0.10.5 so the CCR is forwarding the packets as expected. The hAP packet sniffer shows: Tagged packets wit...

tdw

Router 1 A backup from a different device has been loaded in the past - this is why there are mac-address=CC:2D:E0:39:D0:xx settings present. If the original router with these addresses is connected to the same network it will cause problems. Why the socks proxy setup? The WAN interface list is inco...

tdw

Ah, just had a thought - I missed On Router 2 there is no NAT . It is much easier to read configuration files than written descriptions! If there is no NAT or firewalling on Router 2 then you do not need any changes to it, only some dstnat rules on Router 1: /ip firewall nat add action=dst-nat chain...

tdw

TDW When I first read and understood your suggestion, I was pretty sure that it would work. Sadly it did not. Question:In your suggestion for Router 1, was it intentional that you did not have a setting for To Ports? If to-ports is not present a rule uses the same port(s) as given in dst-ports , yo...

tdw

Regarding DNS: Our primary server (a Synology RackStation) is running the DNS Server package and I'm planning to make it the authoritative master DNS record for our domain. What rules would I need to implement to have all devices on the network look to that unit as the DNS server, and then to force...

tdw

You haven't mentioned what WiFi system you are using, but as long as you can create multiple SSIDs and associate them with tagged VLANs they are just a counduit for the traffic from the client device to the Mikrotik. Thanks for the very helpful answer. I'm planning to spend some time working on the...

tdw

Where I'd like to get to: Data subnet, /24, for trusted devices...some wired, some Wi-fi...which should be able to access everything on the internal network plus access to Internet. Guest subnet, /25, for guest WI-fi access through a Unifi portal. Should only have access to the Internet...filtered ...

tdw

The Mikrotik LAN IP is bound to a member of the bridge rather than the bridge itself, this often breaks things in strange ways. It should be

/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0

tdw

@sindy has covered points I was going to raise, a couple more: On your HP1810-8G you don't have to configure the ingress PVID, as shown under VLANs > VLAN Ports, separately - it is automatically generated from the ports set to Untagged under VLANs > Participation / Tagging. Also the HP only permits ...

tdw

Dang I know that we have a good number of unmanaged swiches in our park. So if I understand, if we have this kind of device I will have to remain with that problem unless we replce them? Yes, if you have a flat unmanaged layer 2 network you are the the mercy of whatever clients plug in. What I do n...

tdw

The LAN IP address should be attached to the bridge interface=bridge not a member port (currently set to interface=ether2)

tdw

As the device is so far away I'd also recommend having an identical device with a configuration as similar as possible to the remote device to test locally before deployment.

AFAIK it isn't possible to downgrade to a version earlier than the factory default.

tdw

You need to configure it on all of the switches which have the final connection to the client routers, not the central Mikrotik. Some info on the wiki https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#DHCP_Snooping_and_DHCP_Option_82 more via the search engine of your choice. If you are using s...

tdw

Create NAT rules on both routers, for example on router 1 a single rule can NAT a block of ports /ip firewall nat add action=dst-nat chain=dstnat dst-port=50021-50030 in-interface-list=WAN protocol=tcp to-addresses=192.168.255.2 And on router 2, on rule per target device /ip firewall nat add action=...

tdw

It is unlikely that DHCP on the Mikrotik stops working - it is often the case that a client router miscabled in this way will answer DHCP requests from other nearby client routers more quickly than your main router as they are closer (less network hops). On your distribution switches you can either ...

tdw

Could be any number of things. Post the output of /export hide-sensitive after also disgusing any public IPs present.

tdw

There is nothing wrong with assigning .0 and .255 addresses IF they are valid for the subnet in question, i.e. not for a /24 ethernet network as they have special meaning, but fine part way through a /23 or larger. If for some reason you object to having .0 present specify multiple non-overlapping r...

tdw

You can load-balance / load-share outgoing traffic. You have no control over incoming traffic unless you have true load-balancing hardware at the ISP providing the ADSL circuits, or your remote client also has a Mikrotik and creates five VPN connections, one to each of your public IP addresses, and ...

tdw

Yes, it has come up a couple of times, see https://forum.mikrotik.com/viewtopic.php?f=21&t=150045&p=739992&hilit=forwarding%3Dremote#p739565 and https://forum.mikrotik.com/viewtopic.php?f=2&t=150447&p=741186&hilit=forwarding%3Dremote#p741186 Previous versions of RouterOS had SSH port forwarding enab...

tdw

According to the datasheet https://i.mt.lv/cdn/rb_files/SFP2-131002143606.pdf attenuators are not required as the maximum RX power accepted is at least 0dBm and the TX power will be between -3 and -9dBm.

If support say attenuators are required is the datasheet incorrect?

tdw

Routing broadcast, and unicast to broadcast, has been considered to be a bad thing for many years - most network devices don't do it, some have options to allow it, or specific 'helper' functions for some protocols. I've abused the DHCP relay helper in HP routers in the past to broadcast WoL packets...

tdw

Looks fine for access from the x.y.z.0/24 network, anything else will fail as there are no other routes. The bridge has spanning tree enabled, but as you can access the Mikrotik via Winbox with MAC address that doesn't appear to be an issue. Can you ping other devices on that subnet from the Mikroti...

tdw

Your concept is correct, but impossible to diagnose with no information. Post the output of /export hide-sensitive, ideally in code tags (the black [] icon above the text box) to make it more readable.

tdw

It looks like a bug - there seems little point the interface list builtins being exported to the config file if they cannot be imported or edited. For now, before uploading to the Mikrotik edit the .rsc file and remove the offending lines set [ find name=all ] comment="contains all interfaces" exclu...

tdw

The firewall and NAT rules use interface lists to specify roles, and you haven't updated the WAN interface list to reflect the actual WAN interface. Add /interface list member add interface=pppoe-bt list=WAN and upgrade RouterOS to the latest long-term (currently v6.44.5) as that version has known v...

tdw

Now I want to add a new VPN (site to site) by using OVPN. 1) Is it possible to have several VPN ? Yes 2) I already defined 3 certificates (ca,server,client): shall I use ca and server certificates for the second VPN or shall I define others ? The OpenVPN (and SSTP) server only allow a single server...

tdw

The NAT rule appears to be incorrect, either

/ip firewall nat
add action=src-nat chain=srcnat comment="nat to modem" dst-address=172.16.2.248 out-interface=ether1 to-addresses=172.16.2.250

or
add action=masquerade chain=srcnat comment="nat to modem" dst-address=172.16.2.248 out-interface=ether1

tdw

Care must be taken not to compare dissimilar things. There are a range of SFF specifications, and whilst the electrical interfaces of the 18 contacts and the mechanical dimensions of cage & modules are well defined across SFPs the rate, encoding and interpretation of the data streams very much depen...

tdw

A quick google revealed this https://social.technet.microsoft.com/Forums/en-US/e6408325-013c-4d0a-8130-5ce991355c08/windows-vpn-clients-ignoring-dhcp-option-121-from-rras-server?forum=winserverNIS so it looks like it used to work and then broke - you may have to dig into some Windows forums to find ...

tdw

Your remote PC is likely set to not use the VPN as the default gateway, in which case you require static routes so traffic to your other internal networks are sent via the VPN tunnel, not out of the LAN gateway. Apparently the Windows VPN client will pick up additional routes from DHCP option 121 if...

tdw

If you specify an outgoing interface for the ping check that should work, however it will not fix incoming traffic via the failover interface - that requires connection & route marking to return incoming traffic back out of the same interface. In many cases you can perform failover without scripting...

tdw

6.43 and 6.44 supported both old and new style API logins as RouterOS had reversibly encrypted (old as used prior to 6.43) and hashed (new as using since 6.43) passwords stored. Yes, there was an issue with allowing both style logins which was fixed before the 6.43 stable release, but as of 6.45 the...

tdw

You do not add VLAN interfaces in /interface bridge vlan , so /interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10 is correct for creating a VLAN interface, but this /interface bridge vlan add bridge=BR1 untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,BLUE_VLAN vlan-ids=10 to...

tdw

It is an internal process so accessible on any local IP address via any IP interface, e.g. the gateway address you have set on each bridge, unless restricted by firewall rules. We usually set the NTP server & DHCP server fields to be the same as the gateway for each DHCP server network for any DHCP ...

tdw

I've set up PPTP VPN on several MK routers. They all work except for one problem. I need to access the local network hosted by the MK router. Only one of the routers works right. It has to be a firewall issue, as the only major difference is the firewall settings. On the problem routers I was able ...

tdw

It's enough that I've lost switching possibility for ether1 after some prior upgrade (from 6.3x.x to 6.4x).

What does /interface ethernet switch print detail show?

tdw

Sadly modern SOHO-class RB devices seem to contain crippled switch chips (RB4011 has RTL8367, RB750Gr3 has MT7621) which don't have any VLAN support what so ever. Seems like MT is trying to create some gap between RB and CRS (even low-end) devices. Which in SOHO segment is a pity (RB951G makes a wo...

tdw

Look at speed=100Mbps Not sure why I can not see the correct speed when running this command, but its 1GB link Same here: /interface export /interface ethernet set [ find default-name=ether1 ] name=ether1-Wan speed=100Mbps set [ find default-name=ether2 ] name=ether2 speed=100Mbps set [ find defaul...

tdw

I connect to manage routers with ssh using an rsa ssh key. SSH stong-crypto is set to yes. I upgraded a remote test router from 6.43.16 long-term to 6.44.5 long-term. It allows me to make a connection using Putty as usual, the connection terminal window displays correctly. But when I try to manage ...

tdw

The behaviour you see is correct. IP is layer 3 and ARP handles the layer 3 to layer 2 mappings, whereas the bridge is purely layer 2 and 'which MAC is on which port' is stored in the bridge hosts table.

tdw

The issue is the Sync Rate and whether the module is passive or active So insofar as the RB4011 and its SFP+ port is concerned -- it only accepts Active modules that Sync at 1.25G or 10G and will not accept 2.5G for sync rate. I am assuming that Bell move to 10G will have the ability to Sync at 10G...

tdw

In what way does it crash, or rather does it not work as you expect?

There are functional differences between some switch chips which Mikrotik use, in particular only a couple (QCA8337, Atheros8327) support hybrid ports.

tdw

we use CRM, ISPadmin, which communicates with MKT by API, but when updating to 6.45.1 API doesnt work, because new API authentification is not implement in our CRM. It says "killing PID 25009, API number exceeds the limit", but when downgrade to 6.44.3, which worked with CRM prior and should have c...

tdw

Example what I am trying that is not working: winbox to IPv6 Mikrotik ---> [2605:4e40:0:1fe::]:8295 (this does not work)

All zeros for the host address is somewhat unusual, so may be a bug.

tdw

Not with the Mikrotik supplied 24V PSU as there are several differing incompatible PoE standards. However, it should work if you replace this with a 48V PSU as the RB4011 specification states "DC jack input Voltage 12-57 V ", and the Cloud Key specification states "48V 802.3af or Passive PoE ( Pairs...

tdw

You can't add the SFP to the switch as is connected directly to the CPU, see https://i.mt.lv/cdn/rb_files/RB960PGS-161220141841.png You appear to have the SFP in the bridge and the switch VLANs configured on the CPU port ( /export hide-sensitive is generally more useful than printing settings), so i...

tdw

As you are seeing misdirected unicast from a port on your CRS the issue likely lies with the switch forwarding database therein. I had the same issue with some old Mikrotiks based on AR7240 switch chips where some client MAC addresses on different ports appeared to be hashed to the same value so onl...

tdw

Yes. Removing the masquerade rule leaves the source address of the PPPoE client unchanged, enabling proxy ARP allows the router to reply to ARP requests from the firewall for 192.168.10.x PPPoE client addresses so traffic may be returned.

tdw

OK, you appear to be statically assigning client PPPoE addresses in your RADIUS server rather than using a dynamic IP pool, the method doesn't change - enable proxy ARP on ether1 /interface ethernet set [ find default-name=ether1 ] arp=proxy-arp and disable/remove the masquerade rule. What is the 19...

tdw

It is difficult to say exactly as it isn't clear exactly how devices are connected (hint post the output of /export hide-sensitive and redact any public IPs, etc.). That said stop masquerading your PPPoE clients (as this replaces the PPPoE client address with 192.168.10.3 ), and as you appear to be ...

tdw

If the unmanaged switch connected to ether4 is only for multimedia devices on VLAN30, then change ether4 to be untagged for VLAN30 /interface bridge port ... add bridge=bridge interface=ether4 pvid=30 ... /interface bridge vlan add bridge=bridge untagged=bridge,ether2,ether3,ether5,ether6,ether7 vla...

tdw

I looked at first example (the one involving switches SW1, SW2, SW3 and SW4 and hosts A and B) in RSTP Wiki page (see [1]). 1. I can read that SW1 settings rely on priority while SW4 rely on path-cost. Can you explain why ? Per the Wiki: In RouterOS the root bridge will be elected based on the smal...

tdw

Create an IPsec peer entry for the remote address with a different secret.

tdw

From the Remote Office LAN, I can already ping the Main Office router and the devices inside its LAN, From the Main Office LAN, I can only ping the Remote Office router but not the devices inside its LAN I was thinking, if I am missing a Routing config that will let my ping from the Main Office to ...

tdw

The configurations are missing some important configuration details, so you may have misunderstood what local-address and remote-address do - they are the address the EoIP packets originate from and are sent to, typically the WAN IP of the two Mikrotiks. In the diagram you also have clients 192.168....

tdw

That is because at some point you have turned off bridge VLAN filtering, the emboldened item is missing: /interface bridge add admin-mac=B8:69:F4:B6:7D:6F auto-mac=no comment=defconf name=bridge vlan-filtering=yes Currently, turning on VLAN filtering will break things as your VLAN1 bridge configurat...

tdw

OK. Naming your bridge "Static IPs" is somewhat confusing - it appears to actually be your WAN, and it is included in your LAN interface list which will allow more external access to your Mikrotik than you may wish for. The /ip dhcp client entry for sfp1 is the cause of your DHCP requests, and as it...

tdw

It appears that as Let's Encrypt is fairly new in the certificate world their certificates were cross-signed by an established CA so they would be recognised by browsers which already had the established CA certificate. Now that the Let's Encrypt CA has made its way into trusted CA bundles (in OS an...

tdw

A couple of errors - incorrect address and insufficent scope for NAT:

/ip address
add address=192.168.88.1/24 interface=bridgewifi network=192.168.88.0

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1 src-address=192.168.88.0/24

tdw

Just changed add bridge=bridge tagged=bridge,ether5,ether6 vlan-ids=2 There was vlan-ids=2, changed it to 20. So if I will want to isolate for example all TV's and other devices from my network, steps are similar right? So another DHCP for multimedia devices, another address list, bridge vlan etc. ...

tdw

As you have moved ether5 & ether6 to a separate bridge the APs will only have access to VLAN20. Using multiple bridges to handle VLANs is not recommended, see https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration for the various pitfalls. The recommended method is to use a single VLAN-aware ...

tdw

The server certificate on the client is unnecessary.

You can use openssl s_client -connect my.host.com:port on a linux system, or something like https://www.sslshopper.com/ssl-checker.html to check the server is providing the correct information.

tdw

/interface bridge port adds interfaces to the bridge, the pvid paramater only specifies which VLAN untagged ingress traffic is assigned to. /interface bridge vlan configures per-VLAN port mapping with an egress VLAN tag action - tagged ports send out frames with a learned VLAN ID tag, untagged port...

tdw

Your approach sounds OK, probably something small overlooked. Post the output of /export hide-sensitive here between code tags (the [] icon above the reply box).

tdw

In v6.43 and later the standards-compliant behaviour (i.e. that packets destined to 01:80:C2:XX:XX:XX should NOT be forwarded) can be disabled by setting the bridge protocol-mode=none, see https://wiki.mikrotik.com/wiki/Manual:L ... _addresses

tdw

AFAIK Verify Server Address from Certificate does nothing if Verify Server Certificate is disabled. The error message self-signed certificate in certificate chain most likely indicates you have not installed the certificate chain - on the server you should have: Let's Encrypt root CA cert, any inter...

tdw

/export hide-sensitive

tdw

No, the whole config - to see all of the interface and IP configuration

tdw

I'd post the output of /export hide-sensitive with any public IPs, etc, obsfucated.

Rather than multiple screenshots, either save as a file and copy to your computer, or use <right-click> Copy All in the terminal window. Paste here in a code tag (the [] icon above the reply box).

tdw

What does the following pasted into a terminal window on the mikrotik show: :foreach i in=[/interface ethernet find] do={ :put "$[/interface ethernet get $i default-name] $[/interface ethernet get $i mac-address]"; } Your config, or certainly the DHCP part of it (using /ip dhcp-server export hide-se...

tdw

Those MAC addresses are assigned to Mikrotik. What are the log messages?

tdw

A DHCP server will not offer an address unless asked for one. With a conventional DHCP server setup, configured with an IP pool, a dynamic lease will appear in the DHCP server leases tab and remain there until the lease time specified expires. An partial ARP entry will appear if anything attempts to...

tdw

IP > Firewall uses IP addresses, not MAC addresses.

If you want to block a MAC address the interface will have to be in a bridge, then use Bridge > Filter

The ! means NOT - for example !192.168.1.42 means 'any address except 192.168.1.42'

tdw

If ping tests from the TP-Link via the HP switch and Mikrotik are OK that would suggest there is no problem with the Mikrotik configuration. Multiple NAT isn't ideal, but wouldn't cause this sort of issue. As you are seeing duplicate packets when testing from the TP-Link LAN, that, and spikes of lag...

tdw

Multinetting (assignment of more than one IP address to an interface) is fine, and the appropriate routing table entries will be created automatically. If you can ping both 10.0.0.2 and 192.168.152.x from the mikrotik, but can't ping or access 10.0.0.2 from 192.168.152.x, what is most likely happeni...

tdw

There are a couple of sections of that configuration where you have used the wrong interfaces, firstly /interface bridge port should refer to physical interfaces, not the VLANs /interface bridge port add bridge=switch_bridge frame-types=admit-only-untagged-and-priority-tagged \ ingress-filtering=yes...

tdw

Historically the RouterBoot firmware and the main RouterOS had unrelated version numbers, and a changelog here https://wiki.mikrotik.com/wiki/RouterBOOT_changelog Mikrotik changed the RouterBoot firmware version numbering so it now matches the RouterOS version number, and AFAIK there isn't any way t...

tdw

You are attempting to mix a VLAN-aware bridge /interface bridge add ... vlan-filtering=yes and switch chips VLANs /interface ethernet switch port . This is inadvisable - either use a non-VLAN-aware bridge (these are transparent to VLANs) and configure switch chip VLANs, OR a VLAN-aware bridge with V...

tdw

Want are you expecting the /ip firewall nat rule #1 at siteA to do?

tdw

So you are running an EoIP tunnel inside a PPTP VPN? This would require smaller MTUs to accommodate the tunnel-in-a-tunnel. In addition, PPTP is an insecure VPN protocol, and uses software encryption which will be loading the CPU in your routers - what is the CPU load whilst you are testing the thro...

tdw

That version is rather old, and has multiple remotely exploitable vulnerabilities - I'd suggest upgrading to at least the current long-term version first. Note that master/slave ports don't exist in version 6.41 onwards, the functionality has been moved to bridges so keep backups. If there are any s...

tdw

The best method very much depends on the nature of the traffic between the two sites e.g. the number of distinct MAC addresses at each end, and the variety of TCP/UDP ports the traffic uses. If your case has the bulk of the traffic between one device at each end over a single TCP or UDP connection t...

tdw

You don't say what model Mikrotik, but switch2 is connected to ether6-10 and switch1 to ether1-5 on 2011/3011 (additionally switch 1 to sfp1 on a 2011)

tdw

Bonding is not load balancing, see https://wiki.mikrotik.com/wiki/Manual:I ... ding_modes for a description of how the traffic is distributed.

Depending on your use requirements using per-connection classifier with mangle & routing marks may be a better option.

tdw

Some good examples here, one of them with a hybrid port......... https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table But on my switches RB941-2nD & RB951G-2HnD that disables hardware offloading so that's why I would like to setup using /interface ethernet switc h method. Example using switch ch...

tdw

See the comment in the speedtest result as shown in your screenshots.

CRS devices are intended to be used as hardware switches - they can do some routing and provide some services but the as CPU is not powerful you cannot use them to do wirespeed routing, for example.

tdw

You need a bridge with the VLANs on it. It doesn't have to be VLAN-aware, so it is possible to combine CAP with hardware switched ethernet ports. As the CAP is likely to have a single managment IP on one VLAN you don't need any firewall rules on the CAP as all the VLAN encapsulated traffic is passe...

tdw

Does disabling the PPTP helper service make any difference? (As helpers are tied up with conntrack, which gets the packets before mangle, packet flow may be interfered with)

tdw

Use netmap https://wiki.mikrotik.com/wiki/Manual:I ... :1_mapping - the rules can be made more specific to only map traffic via the VPN interfaces. Translating the addresses at each client will be far easier than attempting it on the headquarters router.

tdw

Are the following true, if local forwarding for caps is enabled? 1. In a wifi network with multiple vlans (internal vlan and guest hotspot vlan), each cap would need to have a vlan enabled bridge and inter-vlan drop rules set on the firewall. You need a bridge with the VLANs on it. It doesn't have ...

tdw

Using connection and route marks it is possible to direct traffic via multiple WAN connections, you can create marks based on source or destination ports or addresses - e.g. all traffic from a specific device on your LAN, all traffic to a specific host on the internet, all HTTP traffic, etc. One exa...

tdw

I don't see why OpenVPN should be any faster than SSTP if using the same ciphers. They will be similar, whilst both OpenVPN and SSTP have a simple packet structure wrapped in TLS, the SSTP data is further wrapped in a PPP layer which has a small additional computational overhead. As you say, the on...

tdw

200 see https://wiki.mikrotik.com/wiki/Manual:License AFAIK the CHR license limits interface speed, not number of services.

tdw

SSTP is secure but slow (I suspect this may be why you are looking at moving away from it), otherwise IPsec

tdw

OpenVPN doesn't really fit into the standard PPP model so the local and remote interface address show as blank in Winbox on the interface status tab, however if you look under IP > Addresses you see the dynamically assigned address, and a dynamic route is created via the VPN interface. The local add...

tdw

Have you configured static routes so site A forwards traffic for 192.168.100.0/24 via the VPN, and similarly site B forwards traffic for 192.168.16.0/24?

Be aware the Mikrotik OpenVPN client implementation is insecure as it does not check server certificate validity, IPsec is recommended.

tdw

The only weird thing done by Ar8327 is that it ignores vlan-header= setting and does whatever it sees fit.

Only for vlan-mode=secure where the VLAN table and port PVID determine what is tagged or untagged instead.

tdw

Your diagram doesn't show which ports are connected to which devices so the topology isn't easy to figure out. Have you changed anything since it was working, e.g. upgraded firmware on anything.

tdw

You could use the bridge admin MAC to bodge the CCR to become the root, the proper way is to adjust the bridge priority - lower bridge priorities have precedence, the MAC addresses are used as a tie-break if the bridge priorities are the same.

tdw

If the default bridge priority is used for STP/RSTP then the switch (or bridge) with the lowest MAC address is elected root. If there is another STP/RSTP device with a MAC address between the one which was on your 2011 and the CCR you would get exactly what you are seeing - the other device would be...

tdw

Do you have a switch with STP/RSTP connected to ether2?

tdw

You haven't posted all of your VPN server configuration. What is netmask set to in /interface ovpn-server server?

tdw

Questions: 1. Do I need to create a bridge and add all ether ports to the bridge? Yes, see https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip 2. How do I set the HAPAC2's mgmt vlan to VL3? The example in the Wiki usese VLAN99 for management, adjust as...

tdw

Assuming your WAN connection is delivered via the SFP port on VLAN 7, remove add bridge=bridge interface=sfp1 from /interface bridge port - the WAN connection doesn't need to go anywhere near the bridge if it is only feeding the Mikrotik. The most glaring problem is the misconfigured bridge, it shou...

tdw

Try entering each sign command one at a time instead of pasting the whole block from the Wiki

tdw

Use proxy-arp instead of NAT.

The VPN connection is still not really on the same network even though it is part of the same subnet, you might have to use L2 VPN such as OpenVPN TAP or EoIP.

tdw

Depends on the intended setup, vlan10 + vlan20 on ether2 only and ether3/4/5 in a bridge with no IP config - fine if ether2 is feeding a switch or similar and ether3/4/5 not in use.

tdw

These look wrong

/ip route
add distance=1 gateway="ether1 WAN"
add distance=1 dst-address=192.168.0.0/22 gateway=192.168.1.1

I would remove them as the DHCP client on ether1 will create a default route.

There doesn't appear to be any configuration for vlan30.

tdw

I had a similar problem recently. After restoring the backup did you delete the certificates before importing them again?

tdw

See https://forum.mikrotik.com/viewtopic.php?t=123036 You can also do away with /ip route add distance=10 gateway=ether10_WAN_02_BACKUP by changing your backup WAN DHCP client to ip dhcp-client add comment=WAN_02_BACKUP default-route-distance=10 dhcp-options=hostname,clientid disabled=no interface=e...

tdw

Fasttrack doesn't work with mangle rules - disable it.

Put an extra blank line between code blocks to make them display properly.

tdw

I'd suggest posting your current configuration - use '/export hide-sensitive file=MYCONFIGNAME' then replace any public IPs, etc. still visible and post between code tags (the [] option above)

tdw

Presumably you have set this up with a gateway check on the fibre WAN default gateway, and the ADSL WAN default gateway has a greater distance so becomes active when the fibre WAN goes away. Create an additional default gateway for the ADSL WAN, but for marked routes. You will need to mark new conne...

tdw

The certificates can be also used for other types of VPN or for HTTPS. The server and client certificates should not have the "A" flag - did you enter each /certificate sign command individually, or paste them from the wiki? Be aware the Mikrotik OpenVPN client does not check certificates and is sus...

tdw

Yes, although you should use private IP addresses internally, I'd suggest something like 192.168.99.x For the first Mikrotik, wlan1 operating as a station with a DHCP client to pick up an IP and gateway from the host, ether1 with IP 192.168.99.1 and DHCP server, DNS proxy and NAT for your devices /i...

tdw

Yes, but with restrictions - the throughput will be less (it can't receive and transmit at the same time), and will require manual configuration to connect to the host WiFi (SSID and passphrase). Most importantly, the WLAN interface must be the station so it can scan for the host WiFi and set the ch...

tdw

Ok so please advise if I got it right: I set up a client DHCP on ethernet 1 (Where I connect physically the DSL modem) . I create then a bridge for ports 2,3,4,5 and VPN wifi. Then in addresses I hand out 190.168.0.1/24 for ethernet 1 and 190.168.1.1/24 to bridge. I arrange on the LAN side DHCP ser...

tdw

I've setup a PPTP site to site

Just don't - PPTP is insecure.

I'd suggest one of the IPsec-based VPNs available - the Mikrotik OpenVPN implementation doesn't support UDP transport, plus the client has a vulnerability to man-in-the-middle attacks, SSTP is slow.

tdw

If the "WAN" on your Mikrotik is configured with a DHCP client it will obtain an ISP address from the ISP DSL router, devices on your "LAN" will be able to access the internet. I would pick something other than 192.168.1.x for your LAN IP range as both 192.168.0.x and 192.168.1.x are commonly used b...

tdw

Yes, externally initiated IPv6 traffic to random addresses is disallowed. I added this when NDP exhaustion attacks were discussed. Due to the address list, only systems that have initiated outbound traffic (within the last 8 hours) plus a number of addresses of servers put in the address list as st...

tdw

The default fixed interface speeds when not using autonegotiation changed between v6.42 and v6.43 so this now appears in the compact configuration export after upgrading, it has no effect whilst autonegotiation is enabled.

tdw

Only directly connected interfaces should have a distance (administrative weight) of 0. Older versions of RouterOS permitted a default route with a distance of 0 to be created on dynamic interfaces. It was changed sometime around v6.39 - v6.40 - any edits to the interface after upgrading require the...

tdw

I would suspect that RouterOS only tracks IP addresses assigned from the pool. Whilst it might be possible to check if an address is actively in use, scanning PPP secrets for any overlapping addresses which are not would be complex, and if the addresses are assigned externally there would be no way ...

tdw

Mikrotiks do not support VRRP owner, the virtual IP cannot be the same as the real IP, and are unlike other manufacturers implementations in that the mask on IPv4 VRRP interface should be /32. The /32 mask caught me out when I first set up VRRP, with /24 (matching the real IP mask) it worked most of...

tdw

Looking at the assigned WAN IP address it appears your ISP is using CGNAT

1 D 100.64.68.8/32 94.229.236.4 mts-pppoe

Without a public IP no amount of tinkering with your router will allow your web server to be accessed from the internet.

tdw

It could be in any number of places - the VPN client, the Mikrotik or the RADIUS server. Most likely a character set mapping issue, enabling debugging/logging on the Mikrotik and/or RADIUS server should display the usernames and hopefully show where it is being misinterpreted. When you say you have ...

tdw

Forwarding a packet out of the interface on which it is received is considered invalid. You have to explicitly allow traffic which does this, typically for asymmetric routing as in your case, also for some multinetted and VRRP configurations as well.

tdw

Yes, but if you attach a server directly to a router and that router fails you have no access to that server. As your servers have multiple NICs you could connect each server to both routers, but you would have to either run a routing protocol on the servers to announce their presence to the two rou...

tdw

SLAAC requires /64 as that is the size of an automatically generated address. It is possible to use smaller subnet sizes when using static addresses or DHCP, but AFAIK it is no longer recommended

tdw

In a word, no. Some encryption algorithms (notably CHAP) require the plaintext password so PPP secrets (for servers), passwords for VPN/PPPoE clients, wireless PSKs, etc. are all stored as plain text in the configuration file. Only trusted administrators should have full access to the Mikrotik. When...

tdw

You don't have to send the traffic through a loopback address on a Mikrotik. Create a loopback interface using a bridge, add the public IP address to the loopback interface, use a srcnat rule specifying the public IP as the to-address: /interface bridge add name=loopback protocol-mode=none /interfac...

tdw

You have assigned the address 192.168.1.3 to ether1 and no address to wlan1. If you want to bridge ether1 and wlan1 so they are the same layer2 network then both interfaces should be added to a bridge, the IP address and DHCP server should specify the bridge as the interface, not any of the members....

tdw

All ports are in the default bridge1 bridge and there is no special configuration on those ports. That is incorrect, as you have: /interface bridge port add bridge=bridge1 interface=ether6 add bridge=bridge1 interface=ether23 add bridge=bridge1 interface=ether24 /interface bridge vlan add bridge=br...

tdw

Each would need their own IP address/subnet, IP pool, DHCP network & DHCP server, plus firewall rules to prevent them communicating with each other - by default the router routes traffic between all LAN networks. Depending on the physical location of the router with respect to the offices, plus the ...

tdw

That rule will allow any IP address to connect to your VPN server, if you expose services on well known ports they will get scanned at some point. You could create an address list, e.g. 'VPNusers' and add src-address-list=VPNusers to the rule. This will prevent access to your VPN server if the addre...

tdw

but their OpenVPN implementation is known to be rudimentary.

And insecure, the MT OpenVPN client does not check the server certificate, see https://nvd.nist.gov/vuln/detail/CVE-2018-10066 and https://janis-streib.de/post/mikrotik-ovpn-security/, which AFAIK has not been addressed

tdw

If you are running RouterOS <6.43 then upgrade to the latest (6.43.8) *BUT* check the release notes for things which may need configuration changes (e.g. bridge / master-port changes if upgrading from <6.41) If the RADIUS traffic is on an internal LAN you are probably OK, it isn't the sort of thing ...

tdw

If there is no IP configuration on the 2011 bridge no firewall rules required, you could exclude the interfaces for mac-telnet & mac-winbox access though. However for management access you probably do want some IP configuration - you have a few options: IP on the bridge, blocking IP on RB2011 ether1...

tdw

It appears you have the wrong netmask on the VRRP interface - unlike all the other VRRP implementations I've seen Mikrotik need the VRRP address to be specfied with /32 NOT /24 (or whatever is appropriate for your LAN/VLAN), see https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP#IPv4 . You then ge...

tdw

AD usually contains NT hash of the users password which will not work with CHAP - you need the plaintext at the server. Presumably you are running RouterOS version < 6.43 as this changed the login service authentication from CHAP to MSCHAPv2 (which should work authenticating against AD). Ensure the ...

tdw

Having VLAN configuration spread across multiple menus is confusing, especially as there are two completely different sets of configuration which depends on an interface being hardware accelerated or not. I suspect the stopping working after 5 minutes is when ARP or FDB table entries age out. This, ...

tdw

You don't have to worry about the VLAN101 tagging - that is handled by the Openreach modem (I've used Draytek 130 modems extensively and they also handle this by default). Unlike the usual retail/business FTTC/FTTP services which use PPPoE it looks like you have a point-to-point ethernet WAN connect...

tdw

Instead of using 'Add default route' in the PPPoE client interface settings you could add a static default route for IPv4 only

/ip route
add distance=1 gateway=YOUR_PPPOE_INTERFACE_NAME

tdw

What information do they provide, and as it is wires-only and FTTC based what VDSL modem are you using?

tdw

Do clients connected to the LAN port using addresses 197.xx.xx.226 - 197.xx.xx.254 have internet access? Assuming they do, the issue is that traffic from the Mikrotik itself will originate from 192.xx.xx.254, as that is assigned to the WAN port, not one of the public IP addresses. You should be able...

tdw

The bridge itself should be included in the bridge vlan declarations /interface bridge vlan add bridge=MAIN_BRIDGE tagged=MAIN_BRIDGE untagged=ether1 vlan-ids=40 add bridge=MAIN_BRIDGE tagged=MAIN_BRIDGE untagged=ether3 vlan-ids=30 add bridge=MAIN_BRIDGE tagged=MAIN_BRIDGE untagged="ether4,ether5,et...

tdw

No IP address assigned to bridge-guest /ip address add address=192.168.10.1/24 interface=bridge-guest That should fix DHCP leases, guest devices might be able to perform DNS lookups as you have specified dns=192.168.0.1 rather than 192.168.10.1 for /ip dhcp-server network and the bridge filter forwa...

tdw

RFC2516 says "When a PADT is received, no further PPP traffic is allowed to be sent using that session. Even normal PPP termination packets MUST NOT be sent after sending or receiving a PADT. A PPP peer SHOULD use the PPP protocol itself to bring down a PPPoE session, but the PADT MAY be used when P...

tdw

Servers can request client certificates in the TLS handshake, it doesn't depend on EAP support. See https://en.wikipedia.org/wiki/Transport ... _handshake

tdw

Use a larger subnet than the default /24 - if you change to 10.5.50.1/23 you could use 10.5.50.2-10.5.51.254 which gives you 509, or 10.5.50.1/22 you could use 10.5.50.2-10.5.53.254 which gives you 1021. I can't recall if you can set a larger subnet in the hotspot wizard, or if you need to change th...

tdw

The dynamic entries are populated from ARP protocol replies - when a device wants to communicate with something on the same subnet as itself it will broadcast an ARP request, e.g. 'Who has 192.168.1.2' and if the target exists it should reply with '00:01:02:03:04:05 has 192.168.1.2', for example. Ha...

tdw

See the second note here https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip I've not had chance to experiment with adding all the VLANs to both switch1cpu and switch2cpu (under Switch>VLAN) to see if the traffic would then, for example, take the path e...

tdw

I don't feel competent to compare security of IPsec and SSTP, but haven't found anything regarding SSTP's vulnerabilities than this . From other than security perspective, SSTP, like every other VPN which uses TCP transport, is not the best choice in environments where packet loss is an issue, but ...

tdw

Any port can only be a member of one bridge, with firmware >= 6.41 use a single VLAN-aware bridge and define all of the required VLANs on the one bridge. Your example would become /interface bridge add name=bridge vlan-filtering=no /interface vlan add interface=bridge name=MGMT vlan-id=3524 /interfa...

tdw

Presumably based on https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip And no, ether2 and ether3 are part of the same layer2 network and can communicate with each other, similarly ether4 and ether5 are another layer2 network and communicate with each o...

tdw

RR is only a sensible choice when the two links are identical, basically copper or fibre connections, or you will suffer from out-of-order packet delivery. Traffic distribution for other algorithms very much depends on the hash algorithm and the traffic - if you have routed IP traffic but are using ...

tdw

PPPoE uses IPCP for address assignment, not DHCP. You mention you have 5 fixed IP addresses - presumably a /29 subnet? You would connect to the ISP with some thing like: /interface pppoe-client add add-default-route=yes disabled=no interface=sfp1 name=pppoe-out password=*PASS* use-peer-dns=yes user=...

tdw

I don't know if Mikrotik have removed the previous default config in favor of people using Quickset https://wiki.mikrotik.com/wiki/Manual:Quickset instead, but if they have done it should really be mentioned in the release notes

tdw

There is at least one commercial product, Unimus, which handles mass config management, auditing, etc. - I've not used it, but they were one of the vendors at MUM Birmingham a few weeks ago

tdw

You only need VLANs if you wish to have multiple segregated layer2 (ethernet) networks connected to a single port. In your case your have four distinct networks on four distinct ethernet ports so your scenario is possible without VLANs. ether2 - set ip address, create ip pool for dhcp, dhcp server &...

tdw

STP/RSTP/MSTP were designed to reorganise networks when links failed, not provide bandwidth sharing.If you wish to use both links at the same time see https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding

tdw

'interface bridge vlan' entries specifies egress handling, in the full config listing you seem to be missing: /interface bridge vlan add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=100 some of the 'interface bridge port' parameters handle ingress - in addition to 'pvid' for th...

tdw

Not having vlan-mode=secure (see https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29 ) on all switch ports often has unintended side-effects, take care when enabling as a misconfiguration of port VLANs can lock you out if conning via a switch port.

tdw

DHCP network is for IGMP - IP TV PPPoE network is for Internet access Both default routes have the same distance (1), so which one is used depends on the order in which they are seen. The distance used to be zero on DHCP/PPPoE client interfaces which technically was incorrect as distance of 0 shoul...

tdw

The warning about master-port configurations being updated to the new bridge configuration should really be repeated in the release notes now this version has changed track from current/stable to bugfix/long-term - people who have been using the bugfix branch may be unaware of the change introduced ...

tdw

As you say, ideally the switch menu VLAN configuration should be replaced by the VLAN-aware bridge so if a port has hardware offload enabled this is automatically translated into the necessary switch VLAN configuration. Meantime, it should be possible to use the switch chip with a non-VLAN aware bri...

tdw

Hello Folks! I have problem backing up configuration on practically all devices using ros 6.42 or bigger, just discovered it today. The message I got is: "backup,critical error creating backup file: could not read all configuration files" There is no full filesystems and other visible errors. I saw...

tdw

I'm also seeing "backup,critical error creating backup file: could not read all configuration files" messages after upgrading on several devices. 2x RB750 v6.39.3 -> v6.42.1 2011UAS-2HnD v6.41.4 -> v6.42 (may also have produced the same message) -> v6.42.1 All appear to be operating fine, backup wor...

Search found 190 matches