MikroTik

tdw

MMIPS for 750G, Long term version. MMIPS is only for the 750Gr3 (second version of the hEX). The original 750G, which the OP has, and the 750Gr2 (first version of the hEX) are MIPSBE. The /system routerboard settings set cpu-frequency=150MHz will be reducing the performance, it should be several ti...

tdw

You might be able to use/abuse /routing filter to modify dynamically added routes.

tdw

There is stretched up optical cable already(label on cable is: SC simplex 2.0 mm OFNR That does not tell you the type of fibre - SC is the type of plug, simplex is single fibre, 2.0mm OFNR is the diameter and and fire rating of the cable. You need to know if the fibre is single mode or multimode, a...

tdw

I want the vpn clients to have an ip from the main dhcp server. That isn't going to happen unless you use a layer 2 VPN (so OpenVPN TAP or Mikrotik-to-Mikrotik EoIP). Whilst layer 3 VPNs (OpenVPN TUN, SSTP, L2TP/IPsec, etc.) can be used with proxy-arp so the VPN clients can appear to be part of a l...

tdw

For clients to resolve hosts in your AD you have to use your DC as their DNS server. The DC itself should act as a recursive resolver for any other DNS requests.

tdw

If the VPN is for remote access rather than shifting large amounts of data you should be OK, there are plenty of articles covering the issue on the internet if you search for 'tcp meltdown' or 'tcp over tcp problem'. We have a number of Mikrotiks running L2TP/IPsec (permanent site-to-site with stati...

tdw

What can we do if we want to use OpenVPN on MikroTik when it lacks UDP?

The Mikrotik implementation only supports TCP for the VPN client to server connection itself (I believe UDP has been added in RouterOS 7), the VPN tunnel handles any layer 3 payload in IP / TUN mode.

tdw

I was thinking the server address should be in the same subnet as the pool, but it doesn't seem to care. It doesn't have to be. VPNs are point-to-point tunnels with a /32 address at either end, they can be pretty much anything. I'm about to add an OpenVPN server, as well, mainly to overcome the lac...

tdw

Do you have anything plugged in to ether9? If a DHCP server is bound to an interface in the non-running state it appears in red in Winbox / with an invalid flag in /ip dhcp-server print even though it isn't. Physical and some logical interfaces (e.g. VPN tunnels) follow the state of the underlying c...

tdw

If a bridge has vlan-filtering=yes only untagged traffic will pass through the bridge ports. However, if vlan-filtering=no the bridge behaves similarly to an unmanaged switch so any VLAN tagged traffic will pass through all bridge ports.

tdw

You need to specify which tagged VLANs are made available to the various bridge ports, including the bridge itself as a bridge has two roles - a switch-like role for transporting packets between ports, and a port-like role for transporting packets between the bridge and other functions provided by t...

tdw

You have set the bridge to be VLAN-aware but not configured any bridge VLANs, so no tagged traffic will pass through the bridge. See https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

tdw

You must change the EOIP interface MTU to 1500

tdw

All of those I mentioned have both client and server support: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec - there are some examples in section 17 https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN - there are some limitations (no UDP mode or LZO compression) https://wiki.mikrotik.com/wiki/Manua...

tdw

There are plenty of other VPNs available - plain IPsec, L2TP/IPsec, Open VPN, SSTP

tdw

You may have used the same IP pool for VPN clients, but they do not use DHCP for address allocation. Proxy-arp should be enabled on the same local interface which has the IP address, so the parent bridge rather than the child ethernet and wireless interfaces. Enabling on an interface which has no IP...

tdw

There are different approaches - you could route between subnets on mikrotik2-4 and have static routing rules on mikrotik1 so traffic is directed to the correct mikrotik, or you could use mikrotik2-4 as switches with VLANs and perform all of the routing/firewalling on mikrotik1 which is probably the...

tdw

If you have a working setup with ether1 as WAN and ether2-5 in a bridge as LAN all you should have to do is remove ether5 from the bridge and add an IP address to that port. The mikrotik will route traffic between the two subnets, subject to firewall rules, but you will have to make changes to devic...

tdw

You haven't said which model Mikrotik you have, there is a wide range of CPU capabilities. The best to worst performing VPN protocols supported are IPsec, OpenVPN, SSTP (I'm Ignoring PPTP and L2TP/MPPE which are insecure). Only some flavours of IPsec are supported with hardware acceleration on some ...

tdw

I was looking for "easier" way than bridging ) As from manual, proxy-arp should exactly be it in my case. Not really, the examples do not have the same subnet on different interfaces. My scenario is that I host VMs for clients using both real and private IP space. Making /30 subnets for real IP spa...

tdw

Using gateway=someinterface is only valid for point-to-point interfaces, and using the same subnet on different interfaces requires special handling.

Port isolation or bridge horizon would be a more usual approach for isolating clients within the same L2 network.

tdw

I can't comment on how it appears in Webfig - in Winbox the equivalent control is either blank or "!", not a check mark. It doesn't select whether or not to use an interface, it means 'not' so out-interface="!JRC vpn" means traffic leaving by any interface other than JRC vpn - the reverse of what wa...

tdw

The text on the front of the Mikrotik is just text. The default configuration has port1 = WAN, ports 2-5 & SFP = LAN, but all can be reconfigured for any use. I vaguely recall that the UniFi SFP+ ports have to be configured as 1000FDX to work with gigabit optics - you will have to temporarily connec...

tdw

also copy and paste does not work in the terminal screen (firefox) Not sure why that would be, I use Winbox or SSH rather than the web interface. You can export the configuration to a file with /export hide-sensitive file=somefilename and then download the resulting .rsc file from Files - it is dra...

tdw

Just remove the mac-address=xx:xx:xx:xx:xx:xx from your master config, a suitable MAC will be generated on the target when the configuration is applied

tdw

Yes, they both come with RouterOS L5 licenses preinstalled

tdw

It is difficult to tell the name of the VPN interface from screen shots, apparently not "JRC vpn" from the error message you got. Entering a rule via the web interface is fine, and traffic appears to be hitting it as the packet/byte counters are non-zero, so something else isn't quite right. The bes...

tdw

I have another two routers which connected with RB450G. Those are RB951Ui-2HnD and RB2011UiAS routers which use MIPSBE architecture. Will there be nay issues if I replaced my RB450G router with RB450Gx4 since its is using ARM architecture? No. The connections between devices use standard ethernet a...

tdw

Information on exporting and importing configurations here https://wiki.mikrotik.com/wiki/Manual:C ... Management

tdw

With point-to-point interfaces you can specify the interface as a the gateway rather than an IP address. It correctly becomes disabled when the interface is down and active when the interface is up. That has not been my experience in the past, but admittedly, I haven't tried it in the last year or ...

tdw

Thats progress! thanks TDW. Added route. see attached. The route added is one UNDER "ADDED MANUALLY" The other route is created when the VPN connects and is not removable as it is dynamic. I tried. Good News: I can now ping from TERMINAL addresses other than and including the remote gateway. You li...

tdw

You probably want the static route to be 192.168.5.0/24 via 192.168.5.10. The JRC vpn interface is dynamic and will disappear when it is down, causing your route to change to a next hop value of unknown, and it will not recover. Setting the next hop to an IP will simply disable the route when the t...

tdw

01. Is it possible to use RB450G router backup file with all other architectures like MMIPS,TILE,SMIPS and ARM? No. Even restoring a .backup file to the same model is not officially supported, although if running the same version of RouterOS it usually works. An exported .rsc file can be imported o...

tdw

For your information the majority of forum support is by the community, not Mikrotik employees. The default route via the VPN is inactive (DS not DAS), other than for ECMP you cannot have more than one active route to the same destination. Given you only wish to route some traffic via the VPN, remov...

tdw

So a device connects to an SSID with WPA2-PSK, the traffic to/from it will be placed in a VLAN based upon the AP configuration. When the user successfully authenticates supplying a VLAN ID to the Mikrotik isn't going to move that traffic to another VLAN - it is fixed by the AP.

tdw

But how do devices get assigned to all of these VLANs if you use the same SSID everywhere. Managing MAC-based VLAN assignment will be time consuming if every single device needs adding.

tdw

CCRs don't have any hardware switching so bridge functions which disable hardware don't apply to them. Port isolation / private VLANs can be achieved with hardware switching, but I'm pretty sure there are strange interactions when also using switch chip VLAN filtering - the CRS3xx may be OK, but I h...

tdw

I don't know if 7.x handles things differently to 6.x, but certainly with that all traffic within the bridge is tagged - untagging only occurs on egress for access and hybrid ports. When a port is added to a bridge the default is an access port with PVID 1, as with many other settings on Mikrotiks d...

tdw

I've found https://www.ripe.net/publications/docs/ripe-690 covers the pros and cons of various WAN link addressing methods and prefix size suggestions, pity not all ISPs follow it. You can use the Mikrotik packet sniffer to capture traffic and stream it to Wireshark running on a computer which is of...

tdw

The dynamic VLAN memberships are generated from the pvid= setting under /interface bridge port for access and hybrid ports, so if you have all the PVIDs set to something other than 1 there should be no dynamic entries with the value 1. Internally everything is tagged inside a VLAN-aware bridge, tags...

tdw

So what can i do to stop that ? it's doing it even on static IPs, also when i restart router It's odd that you are seeing it from devices with static addresses. Using the packet sniffer rather than torch may reveal more. BIND on linux uses raw rather than IP sockets so traffic cannot be blocked by ...

tdw

MAC addresses are easy to spoof, you should really be looking at 802.1x for wired and WPA2-Enterprise for wireless authentication against a RADIUS server Not always possible. Depends on the devices. If these devices have no "supplicant" embedded in their software, MAC-authentication is the best thi...

tdw

To the OP - the forum is not always like this, don't be put off by it if you have other issues you need help with.

tdw

SwitchOS is quite limited and doesn't have any encrypted management access, for example. I would be tempted to use RouterOS with a hardware-assisted VLAN-aware bridge from the outset to minimise any disruptions if you needed to change in future. See https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_s...

tdw

Erm, no. There is nothing preventing SSIDs or switch ports being assigned to the untagged network in UniFi, in fact you have to explicitly assign them to be tagged.
Then its not a switch its an abomination following no standards.

Exactly which standards prohibit that behaviour?

tdw

For testing purposes, I connected a NAS to a port designated for the Corporate vlan (id =10). It properly received an IP from the appropriate pool (10.0.10.11) and I can ping it from my pc in the home vlan but am unable to access it. Am I missing a firewall rule that allows intervlan communication ...

tdw

That is the old way of configuring VLANs, and doesn't work well with STP/RSTP see https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_in_bridge_with_a_physical_interface ConfigTX.rsc appears to have no IP configuration, so no way to way to ping it. ConfigRX.rsc has the IP addresses di...

tdw

UDP port 67 & 68 are used for bootp and DHCP, devices will periodically renew their leases after half of the lease period.

tdw

Mikrotik have https://mikrotik.com/product/RBGPOE - it has a DC socket so you can use a gender converter if you need a plug.

There are quite a few other suppliers of gigabit passive converters such as https://www.poetexas.com/ plus many clones of their products.

tdw

Okay if the goal is to pass VLAN 100 as untagged to the Ubiquiti so it gets an IP address on the VLAN100, you must realize that this prevents vlan 100 from being used at any other ports on the ubiquiti. The way to ensure vlan100 is available to be passed on to the other ports on the switch is to se...

tdw

What? Why would ubiquiti need a hybrid port? That's they way they work. Out of the box APs and switches will acquire an IP address with DHCP (untagged, obviously) and attempt to connect to a controller using a number of layer 2 and layer 3 discovery mechanisms. If you have a setup with additional S...

tdw

You haven't changed the VLAN interfaces to the parent which can cause odd behaviour: /interface vlan add interface= TRUNK LAN name=IOT vlan-id=20 /interface vlan add interface= TRUNK LAN name=MGMT vlan-id=10 /interface vlan add interface= TRUNK LAN name=UPC vlan-id=100 I would remove the switch chip...

tdw

Still the device which I attached to ether1 is not reachable with pvid10 and is stated as "disabled port" via winbox. Did I miss something? Presumably that is in the Role column on Bridge > Ports. What is the status (the column to the left of the Interface one)? The output of /interface ethernet pr...

tdw

Most of that is incorrect. You don't say which model Mikrotik, so I'm assuming a 2011/3011/4011 as there are ten ethernet ports and an SFP mentioned - the full reference for VLAN-aware bridges for non-CRS devices is here https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering Fi...

tdw

For Ubiquiti devices you need a hybrid rather than trunk port with your Home VLAN set as the PVID, it is worth turning on ingress filtering on all of the interfaces to prevent devices injecting any other tagged packets they like: /interface bridge port add bridge=bridgeNET ingress-filtering=yes inte...

tdw

VLANs creations under Bridge Management (VLAN1 is hidden, right?) Sort of. A bridge has two roles, one switch-like connecting interfaces together, the other an interface-like one to access services within the Mikrotik (routing, DHCP, etc.). Whilst VLAN ID 1 is used within the switch-like part it is...

tdw

It is some client device (A8:BF:3C is registered to HDV Phoelectron Technology Limited) connected to your layer2 / ethernet network attempting to make a PPPoE connection. If you have a PPPoE server for several ports bridged together you will have to check the bridge hosts table, or use torch / packe...

tdw

MAC addresses are easy to spoof, you should really be looking at 802.1x for wired and WPA2-Enterprise for wireless authentication against a RADIUS server

tdw

The DNS lookups via the Mikrotik and your bind server appear to be working as expected. The N hazartilirot-pc unknown 0.0.0.0 cached record shows that the upstream DNS server (your BIND server) replied with NXDOMAIN so the type and data fields have no value, hence the suggestion to check the BIND se...

tdw

That looks OK, the WAN DHCP client does not use any DNS servers offered and 192.168.10.252 is specified as an upstream DNS server, although without seeing the configuration it is difficult to say if there is anything else which could interfere. The DHCP setup for the 192.168.20.0/24 network should o...

tdw

The Mikrotik hotspot redirects any DNS requests from hotspot clients to the Mikrotik itself. This happens quite early in the firewall chains so the walled garden or walled garden IP functions may occur too late. Is there any reason you can't set the Mikrotik itself to use your DNS server?

tdw

A bridge has two distinct roles - both a switch connecting ports together, and an interface connecting bridge traffic to services (routing, DHCP, etc) on the Mikrotik itself. You haven't included the interface role in your bridge VLAN statements, so: /interface bridge vlan add bridge=bridge-LAN tagg...

tdw

Once an entry exists in the connection tracking table, along with any associated NAT flags, that's it until the connection is closed. UDP connection tracking is tricky - as there is no equivalent of the TCP FIN flag to peek at, the "connection" is deemed to exist until no matching packets are seen f...

tdw

The OP was specifically asking about inter-VLAN routing performance. The CRS devices are ill-suited to that role as they are primarily designed as layer2 switches with limited layer3 support. Although there is tentative support for layer3 hardware offloading in RouterOS 7 for a handful for CRS3xx de...

tdw

By default firewall rules will only act on routed, not bridged, traffic. You could use the use-ip-firewall=yes and use-ip-firewall-for-vlan=yes under /interface bridge settings to force the bridged traffic within a VLAN to be processed too, alternatively a bridge filter or bridge split horizon. Note...

tdw

I've not had any problems mixing Mikrotik and UniFi. One site is similar to yours with an RB750Gr3 connected to a US-8-60W, both with the default ethernet port settings and a regular network cable, the switch obtains an address with DHCP and appeared in a remotely located controller using the DNS la...

tdw

Adding use-service-tag=yes to a vlan interface statement changes the ethertype from 0x8100 to 0x88a8.

tdw

Switching to RSTP would depend on your core network - it isn't suitable for network topologies which pass groups of VLANs along differing redundant paths, you would have to use MSTP which the CRS3xx also support without loosing hardware offloading. As you don't particularly need spanning tree in thi...

tdw

As you must be able to support 1500 byte MTU for BCP to work properly there is bound to be fragmentation somewhere. The L2TP MRU/MTU needs to be smaller than 1450 so there isn't nested fragmentation for both L2TP/IPsec traffic and the BCP payload - I've not found a definitive calculation, others on ...

tdw

You could try asking Mikrotik support directly if they ever intend adding this functionality.

tdw

For info Cisco trunks with a native VLAN, e.g. interface SOMEPORT switchport trunk encapsulation dot1q switchport trunk native vlan R switchport trunk allowed vlan R , S , T switchport mode trunk translates to /interface bridge port add bridge=bridge ingress-filtering=yes interface= PORTNAME pvid= R...

tdw

Firstly the Mikrotik bridge is currently operating as an unmanaged switch, the pvid= settings in the /interface bridge port section and all of the /interface bridge vlan section are ignored until the bridge has the vlan-filtering=yes setting. It appears you have also deleted some interfaces which ha...

tdw

According to https://wiki.mikrotik.com/wiki/Manual:I ... Offloading although CRS1xx/CRS2xx series support bridge IGMP snooping there is a note which states "Feature will not work properly in VLAN switching setups"

tdw

A bridge has two distinct roles - both a switch connecting ports together, and an interface connecting bridge traffic to services (routing, DHCP, etc) on the Mikrotik itself. You haven't included the interface role in your bridge VLAN statements. Also you have a mismatch between tagged and untagged ...

tdw

Post the output of /export hide-sensitive, preferably in a code block (the square brackets icon) to make it more readable.

tdw

I would not expect binding multiple servers to the same interface to work as only one can listen to the PPPoE ethertypes, multiple servers each on a different interface is fine. Why are your attempting to run multiple services on the same interface as any parameters can be set in the client PPP secr...

tdw

The IP addresses should be applied to the bridge, not any of the member ports as this breaks things in odd ways.

tdw

You have /interface bridge port add bridge=bridge1 interface=ether1 hw=yes comment=WiFi add bridge=bridge1 interface=ether2 hw=yes comment=WiFi add bridge=bridge1 interface=ether3 hw=yes comment=WiFi add bridge=bridge1 interface=ether4 hw=yes pvid=10 comment=NAS add bridge=bridge1 interface=ether5 h...

tdw

Without seeing the actual configurations rather than what you believe you have configured it is impossible to say.

tdw

You have created a second /interface vlan port section rather than updating the original one with the correct settings. This will fail when the statements in the second section attempt to add ports which have already been added by statements in the first section - merge the two together.

tdw

There should be no comma before the comment= How would the switch know what the PVID is, if I don't actually define said VLANs on the switch? The VLANs and untagged membership are dynamically generated from the pvid= entries under /interface bridge port if they have not been made explicitly. Your Mi...

tdw

Almost. The syntax of your /interface bridge vlan section is not correct - you can only specify a vlan-ids= value once and the tagged= / untagged= entries expect a list rather than being repeated, also if you wish to comment entries the syntax is comment="some text" , so: /interface bridge vlan add ...

tdw

I have set MTU, MRU and MRRU and now everything works! It's still bugging me... I have exactly the same setup (same ISP, PPPoE, same modem type, L2TP, Mikrotik, but another firmware there) on a different location and everything works there without any required changes to MTU.... Likely something di...

tdw

Only thing not working 1. Can not ping from any VLAN <>vlan1 connected to cisco. (This routing is working to all other switches in VLAN1) so I assume routing is correctly assigned on L3 Therefore I checked on STP: On Cisco Spanning tree was enabled by default – L3 using STP – with Rapid STP. Uplink...

tdw

No there isn't a changelog, only a CLI command history. I thought you may be trying to use the switch chip, which isn't straightforward, but a VLAN-aware bridge doesn't use it. There isn't anything obviously wrong. I prefer to leave out the untagged= entries under /interface bridge vlan as they will...

tdw

As you are using BCP to provide a L2 connection you could use MRRU on the L2TP server and client so full ethernet frames are handled correctly, rather than resorting to mangling the MSS.

tdw

There are limitations with some of older switch chips which do not apply to newer ones, and RouterOS 6.4 was released 7 years ago - there have been many changes since then.

Post your configuration from /export hide-sensitive

tdw

You don't appear to have followed the examples... Switch B: Yes, you do need to create a bridge with all of the ports as members. The CRS1xx/2xx link aggregation trunk applies to ports which are already members of the bridge, unlike CRS3xx and non-CRS devices where the ports added to a bond interfac...

tdw

Just remove the Framed-IP-Netmask attribute from your FreeRADIUS configuration. Defining a pool in FreeRADIUS and the Mikrotik PPP profile is redundant - the 'Remote Address' in the Mikrotik profile (vpn_pptp in your original screenshot) is overridden by the Framed-Pool attribute from FreeRADIUS, th...

tdw

The CRS1xx should be configured to use the switch https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_VLANs_with_Trunks (the inter-VLAN routing and DHCP server sections are not applicable to your setup), and the CRS3xx should be configured with a single VLAN-aware bridge https://wiki.mikrotik.com/wiki/...

tdw

Are you sure the UniFi AP is configured to use tagged VLANs only? We use UniFi APs and switches with Mikrotik routers frequently, and usually leave the UniFi management interface untagged so APs can acquire IP addresses, discover and be adopted by a controller. In the newer versions of UniFi I belie...

tdw

According to https://wiki.mikrotik.com/wiki/Manual:I ... Offloading bridge IGMP snooping does not work properly (whatever that means) on CRS1xx/2xx with VLAN switching setups.

tdw

If the radios are in bridge mode they pass traffic transparently. The IP address is only required for management access to the radio, plus a default gateway if they need to communicate with something outside of their subnet e.g. a PC on another subnet or the internet to download updates - the gatewa...

tdw

The routes for the l2tp connections are wrong - as they are all the same /24 only one can be active, each should have a unique /32. This is not normal, there must be something else in your configuration creating them, post the output of /export hide-sensitive after redacting any other information (e...

tdw

The ISP is providing a /32 network sorry I should have mentioned Alright so I'm starting to grasp what your saying now. So are you saying there are two ways to go about this? One way is a second PPPoE session over the same link attached to my 103.x.x.91 so that the second router (we'll call it that...

tdw

Hi! I have a router CCR1016-12S-1S+ and i setup VPN server on router (PPTP, L2TP, openvpn) Firstly stop using PPTP or L2TP with MPPE encryption as they are not secure. L2TP/IPsec, SSTP and OpenVPN are fine if properly configured. Office network 10.10.10.0/24 VPN network 10.10.100.0/24 My VPN client...

tdw

Thinking of it now, I think the only way to really do it is to bridge eth1 and eth3 together and have the router in eth3 do its own PPPoE session that is tied to this second IP rather than combine the two IPs together into the same PPPoE session Would this sound more like it? Your ISP is only expec...

tdw

Switch, -where are the definitions for all the vlans I only see vlan99?? -you are missing all the untagged interfaces in your bridge vlan rules that should reflect your pvid settings in the bridge ports?? ++++++++++++++++++\ AP -where are the definitions for all the vlans I only see vlan99?? -you a...

tdw

The OpenVPN server netmask has absolutely nothing to do with the WAN subnet mask - for example one router we have is configured with a /32 WAN IP and /30 routed public IP, the VPN local client addresses are a /26 and Open VPN server netmask is /20, encompassing the local client addresses, to allow ...

tdw

I find it very confusing that for this vlan-aware bridge configuration you both need to specify which port(s) you want to be untagged on each VLAN, and ALSO which VLAN you want to be on those PORTS: /interface bridge port add bridge=bridge1 interface=ether1 pvid=99 /interface bridge vlan add bridge...

tdw

Thanks. That's really helpful. Currently Quick Set shows the WAN IP address as 0.0.0.0. How/where do I get rid of that or change it in webfig? I'd like to to be an automatic IP address. Is the source of our problem? Should it be changed to match that of Comcast gateway? 0.0.0.0 is not a valid addre...

tdw

That is an old video, the wireless-rep package doesn't exist in recent versions of RouterOS.

Have a look at viewtopic.php?t=153970

tdw

UPDATE: There's something on the Quick Set page that kept breaking my RB. Whether or not I'm connected to Comcast, once I apply the settings in Quick Set, the box becomes unusable. The config that I restored has WAN IP 192.168.10.2 (static) and LAN IP 192.168.88.1 or 192.168.1.1 on the Quick Set pa...

tdw

The OpenVPN server netmask has absolutely nothing to do with the WAN subnet mask - for example one router we have is configured with a /32 WAN IP and /30 routed public IP, the VPN local client addresses are a /26 and Open VPN server netmask is /20, encompassing the local client addresses, to allow a...

tdw

Read something that said I needed to slave all of the interfaces to the uplink: [admin@MikroTik] /interface ethernet> set [ find default-name=ether48 ] master-port=sfp-sfpplus1 expected end of command (line 1 column 35) Everything I've read just gives me errors. Not even trying to config it to my n...

tdw

The Mikrotik Open VPN client does not support UDP mode specified by that configuration.

tdw

There are signals connected to the USB socket data pins, but not standard USB. Mikrotik use them for passing data to their powerline adapter, see https://i.mt.lv/cdn/product_files/PWR-l ... 200241.pdf

tdw

The router VLAN99 config is fine for attached devices with static IPs. The switch is missing most of the management setup - the VLAN99 interface is disabled, there is no IP or routing information: /interface vlan add disabled=yes interface=ether1 name=VLAN4 vlan-id=4 add disabled=yes interface=bridg...

tdw

See
https://wiki.mikrotik.com/wiki/MikroTik ... ansceivers
and
https://wiki.mikrotik.com/wiki/MikroTik ... iber_links

tdw

CRS products are intended to be L2 switches with limited L3 performance, they are not wire-speed L3 routers.

The performance figures are published on the website for each product, see https://mikrotik.com/product/CRS112-8G- ... estresults for your device.

tdw

Not quite. /interface bridge add admin-mac=XXXXXXXXXXXXXXX auto-mac=no igmp-snooping=yes name=bridge1 /interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1 add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether2 add bridge=bridge1 frame-types=ad...

tdw

The latest beta (6.48beta27) has these in the changelog: *) dot1x - fixed duplicate EAP request packets for server; *) dot1x - fixed EAP packet version numbering; which might fix it. I'm sure new current and long-term updates including these will appear at some point if you do not want to run a beta...

tdw

Adding VLANs segregates the networks at the ethernet / layer2 level, but by default the Mikrotik will route IP / layer3 traffic between all attached subnets. Either block specific VLAN-to-VLAN traffic in the forward chain, or accept the traffic you wish to allow followed by a forward drop rule to bl...

tdw

I gave a example that i use 5 different PC's and that I initiate 5 separate uploads. According to my understanding that are 5 separate streams. Why all the outbound traffic goes out through only one WAN, instead of making a balance and using both WAN ports for outbound traffic? I am trying to solve...

tdw

If you are using hardware offload the bridge filters will not see packets forwarded between ports as they are handled within the switch chips, look at switch ACLs.

tdw

in my scenario, should i be focusing on the switch settings or the bridge as both has vlan options in them. It depends on your requirements: If wire-speed switching within the same VLAN is not of particular importance then a VLAN-aware bridge ( /interface bridge add name=... vlan-filtering=yes ) is...

tdw

All our switches are STP disabled, may this can be the problem?

If there are no loops in the network, no.

tdw

thanks for the response, tdw. I think i am starting to get confused with when to use bridge and switch in the config. Initially i bought this device because it has the switch chip as the switch chip provides the hardware offloading to get close to wire speed across vlans. I will be using this mainl...

tdw

From what i have understood from you statements, can i say that switch1-cpu is the connection from switch chip and cpu Yes. flipping the settings to vlan-mode=secure causes all traffic between the switch and the cpu to be "vlan-aware". By default the switch ports pass all traffic, including tagged ...

tdw

Is there no way that I can get hardware performance on traffic within one switch, and only use the bridge for inter-switch traffic? That would already be a great solution. More specifically, what goes wrong in the example on https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#Configuratio...

tdw

Thanks for the reply! Should the bridge itself also have pvid 99 or do I leave that on the default of pvid 1?

Leave it as 1, the tagged management traffic is unencapsulated by your mgmt_vlan VLAN interface for access by the CPU.

tdw

Could be many things not knowing what your network topology and device configurations are. If you have many switches and interconnections then spanning tree can block some traffic if incorrectly configured - with VLANs you should use either RSTP with all VLANs configured on all trunk links, or more ...

tdw

The PVID for untagged traffic is set to the default of 1, for your setup it should be 99 /interface bridge port add bridge=vlan_trunk interface=ether2 pvid=99 add bridge=vlan_trunk interface=ether3 pvid=99 add bridge=vlan_trunk interface=ether4 pvid=99 add bridge=vlan_trunk interface=ether5 pvid=99 ...

tdw

You only require VLANs to share multiple networks over a single interface, if you only require one interface to be on a separate network that interface can be removed from the bridge and have an IP address, DHCP server, etc. added to it.

tdw

The configuration is completely different to any other vendor, it is a pity Mikrotik have not integrated hardware acceleration (i.e. switching) into the VLAN-aware bridge handling as they have with the CRS3xx devices. https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#VLAN_Example_2_.28Trunk...

tdw

Bumping a post usually has little effect. Your existing rules only mark traffic to the Mikrotik itself and return them via the same interface. As the default route specifies both gateways this is an equal cost multi-path (ECMP) route so outbound traffic will exit via both gateways - if they are with...

tdw

I also read that devices with two switches (like RB2011) cannot do switch-level VLAN filtering: https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_filtering_with_multiple_switch_chips Finally I used the 'new' recommended bridge-based method to configure my VLANs (I think), based on ...

tdw

You only have to add it to VLANs which require access to the CPU, in your config you have IP addresses assigned to VLAN10 and VLAN88 so those should be sufficient. If you have management via the VLANs on the all-vlan-bridge bridge I strongly recommend removing the bridge_bkup bridge as only one brid...

tdw

So, what happens is, the connections simply continue to use pppoe-out1 without ever using pppoe-out2 unless pppoe-out1 failover to pppoe-out2. Basically, load balancing isn't working at all. I think I figured out the problem, inside IP>Route, the route to pppoe-out2 is not active when pppoe-out1 is...

tdw

You do not have the CPU switch port (switch1-cpu) in any of the /interface ethernet switch vlan statements so you will loose access.

tdw

The "# DHCP server can not run on slave interface!" is a hint that the configuration is incorrect - you shouldn't assign IP addresses / connect services to members of a bridge, some things work and some things do not in random ways. There is also a dhcp client attached the interface you have a dhcp ...

tdw

As I've mentioned previously there are several discovery protocols - LLDP information should only be seen on physically connected interfaces, MNDP is broadcast across the layer-2 network. LLDP contains the system-caps and system-caps enabled information not present in MNDP, and similarly MNDP contai...

tdw

First of all you should make interfaces as arp=proxy-arp, next one you should exclude those IP from NAT What will proxy-arp do to remedy that? Not sure I follow you there. They are not in the nat. That is what makes no sense. The only subnet I nat is 10.0.0.0/8 If your ISP is routing the /23 and /2...

tdw

Could you please explain what is the effect of adding VLAN20 and Bridge to tagged vlan-IDs=20 from my config below: /interface bridge vlan add bridge=Bridge_T1_vlan10 tagged=\ ether8-TRUNK,ether9-TRUNK,ether10-TRUNK,ether11-TRUNK vlan-ids=10 add bridge=Bridge_T1_vlan10 tagged="ether8-TRUNK,ether9-T...

tdw

Under /interface bridge the pvid= parameter sets the PVID on the interface-part to the CPU, in the same way that under /interface bridge port the pvid= parameter sets the PVID on the attached interface (typically a physical ethernet port). But, is this mean that setting PVID=10 for a bridge equals ...

tdw

Or someone has plugged in another router on your LAN without you knowing it. Most likely they were looking for switching only, but left the DHCP server enabled. This is possible. But to check that I have to be there physically. (I am currently working from home due to the current situation) If DHCP...

tdw

Wow, So tagging the bridge with specific vlan id is equal to setting PVID at the same value? When you create a bridge it has two roles - a switch-part for connecting interfaces together, and an interface-part for traffic between the CPU and switch-part. The name is the same for both these roles, Ro...

tdw

Either the Mikrotik has been configured to hand out the 192.168.3.x addresses, or more likely someone has plugged another router into your network and that is answering DHCP requests more quickly than the Mikrotik. You can enable rogue DHCP server detection under /ip dhcp-server alert , or IP > DHCP...

tdw

v6.27 has several remotely exploitable authentication bypass vulnerabilites. I would suggest updating to at least the current long-term stable version (currently 6.45.9), and if remotely accessible checking for any configuration you do not recognise, ideally completely wipe with netinstall and recon...

tdw

Thanks fot your feedback, tdw. Main UNIT: Proxy-ARP allow acces via pptp (VPN) to bridge. OK, that is the most common use for proxy-arp. I wouldn't use PPTP for remote access, it is probably the easiest VPN type to setup but is very insecure. CRS125-24G-1S-2Hnd /ip neighbor discovery-settings> prin...

tdw

That is the "old way" of configuring VLANs and can cause potential issues, see https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration There is a good tutorial on the "new way" https://forum.mikrotik.com/viewtopic.php?t=143620 , and descriptions in the Wiki https://wiki.mikrotik.com/wiki/Manua...

tdw

A few minor things could do with tidying up, but nothing immediately jumps out. Main unit: Is there a reason for arp=proxy-arp on the bridge? There are some specific use cases, but not usually required. The DHCP servers have authoritative=after-2sec-delay , this is historic and better set to authori...

tdw

If you have changed the bridge PVID to 10 you almost certainly don't need an interface for VLAN 10 too. Post the output of /export hide-sensitive and redact any other identifying data (e.g. public IPs).

tdw

CRS devices are intended to be L2 switches with some L3 functionality NOT wire-speed L3 routing as they performance-limited by the CPU. They are listed in 'Switches' category on the Mikrotik website rather than 'Ethernet routers' - each model has test results showing the switching and routing perfor...

tdw

ether7: bridge port received packet with own address as source address (74:4d:28:01:2f:3a), probably loop As others have said it is likely to be ports connected together via an unmanged switch, or an unintentional wireless to ethernet connection. As ether7 is receiving its own packets back the prob...

tdw

Do not add the VLAN interface in /interface bridge port. Your have set the bridge VLAN type to 0x88a8 a.k.a. service VLAN, the default 0x8100 would be more usual.

tdw

It doesn't appear to be capable, the rules can match packets but there are no suitable actions.

tdw

Okay, so basically I would be better off putting in the Netgear GSS108e, then. Its the most minimalistic managed switch I have dealt with, doesnt even have an https login method LOL Just don't use the password anywhere else - Netgear use 'XOR password with a fixed string' for security obsfucation. ...

tdw

According to the Wiki https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Rule_Table only the now ancient Atheros 8316 switch chip can alter VLAN IDs. A common technique is to use 802.1x and macauth. Mikrotik implemented 802.1x in v6.45 onwards, and there are limitations - as it requires a VL...

tdw

The VLAN interfaces giving the CPU to access VLANs in /interface vlan must be attached to the parent interface not members, so bridge not ether17.

That setup will work, but will not use hardware switching.

tdw

You can only have one server binding per username - if the same username is used more than once you end up with the server binding plus additional dynamic interfaces <ovpn-someuser-1>, <ovpn-someuser-2>, etc. If a connection is interrupted you can end up with the user connected via a dynamic interfa...

tdw

That rule is for the outer tunnel, not the inner tunnelled traffic. As discussed in post #4 with having firewall rules referring to the lists 'BASE', 'VLAN', 'BASE+VLAN' the open VPN server interface has to be added to these if you wish the VPN traffic to use the rules. Having interface-list=VLAN in...

tdw

By default it will capture everything - including broadcast/multicast traffic from the rest of your network and the Winbox traffic to and from the Mikrotik itself. You can apply filters to reduce the scope of the capture and hopefully volume of packets, there should be something transmitted and rece...

tdw

Local is server, remote is client. For point-to-point interfaces you can have the same local address on multiple interfaces. VLANs are not the issue, they only have significance for layer 2 ethernet. IP routes are automatically added to the routing table ( /ip route print or Winbox, IP > Routes), on...

tdw

There is nowhere to enter an interface in /ip pool - just a pool name, addresses and an optional next pool. So, based on your config, something along the lines of: /ip pool add name=pool_ovpn ranges=10.0.98.10-10.0.98.254 ... /ppp profile add dns-server=10.0.0.3 interface-list=VLAN local-address=10....

tdw

Rules 2, 5 & 12 still have log=yes so the messages will be from one of those

tdw

The configuration has an incorrect VLAN configuration. You diagram shows the master ether1 carrying VLAN 1000 and 1051 tagged, but you have configured the port has VLAN 1000 untagged. It should be: /interface bridge port add bridge=bridge comment=defconf ingress-filtering=yes interface=ether1 pvid=...

tdw

The master and slave configurations appear identical. Cut and paste issue? The configuration has an incorrect VLAN configuration. You diagram shows the master ether1 carrying VLAN 1000 and 1051 tagged, but you have configured the port has VLAN 1000 untagged. It should be: /interface bridge port add ...

tdw

I don't know what is causing the problem. Tried different setups. It is odd that you got to a point where you had some connectivity and then lost it. I might not understand your question, but if this is the question: The remote client has an IP address from a completely different subnet (172.XX...)...

tdw

What other equipment do you have in your network, and the running configuration /export hide-sensitive would help.

tdw

Yes, you do get the impression that Mikrotik just created a UI exposing a load of switch chip registers and left people to figure it out. Originally switch configuration was completely separate from bridges, but they have gradually been merging so the bridge becomes a placeholder for configuring and...

tdw

If you do not need wire-speed switching between ports the RB2011 is fine with a VLAN-aware bridge and no hardware offload. The CRS1xx/2xx switching is very different to the RB devices, the wiki examples are a good starting point. Normally I would say that the CRS devices are intended to be L2 switch...

tdw

Nothing immediately jumps out. Is the Open VPN client connecting from an address within the IP range you are trying to tunnel? I've never tried it myself to see if handles this situation. Also, IIRC there have been comments about /internet detect-internet causing odd behaviour so it may be worth rem...

tdw

Per my previous email either add routing statements to the OpenVPN client configuration file route 10.0.0.0 255.255.0.0 vpn_gateway OR change the Mikrotik VPN server /interface ovpn-server server set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes netmask=16 requir...

tdw

It does sound like a bug, you could report it to Mikrotik support.

tdw

Ok thanks for clearing this up for me. Now I can access the 10.0.99.0/24 subnet from which the address is given to the interface, but not other subnets, though I have created an address list with 10.0.0.0/16 and added it under the /ppp profile address-list option. Should I need to do anything else ...

tdw

It depends if the addresses are in the same /26 subnet or not - if they are then layer2 port isolation, or similar, could well be an issue. What do you get if you try ping and traceroute from one router to the other, and again in the other direction?

tdw

The Mikrotik OpenVPN implementation is shoehorned into their PPP model, and it does not quite fit, so some of the PPP profile settings have no meaning when used with the OpenVPN server - in particular setting bridge= under /ppp profile has no effect, this is used by PPP Bridge Control Protocol (BCP)...

tdw

Not being able to access the router itself is likely to be firewall rules. Having the same VLAN ID on different bridges will not pass that traffic between bridges, are you looking to bridge or route traffic? Printing the bridge and PPP profile entries provides no useful information, post the output ...

tdw

We set the RADIUS source address to a loopback /32 on each Mikrotik and tunnel traffic to FreeRADIUS based servers over L2TP/IPsec tunnels (rather than GRE) without issue. As your user manager and tunnel endpoints are on the same device it isn't possible to determine the exact source of the problem ...

tdw

You also have a mix of bridge and switch VLAN configuration. Either use a VLAN-aware bridge OR hardware switching mixing them can have unintentional side-effects, currently the /interface bridge port PVID settings are ignored and /interface bridge vlan does nothing. Unless you need wirespeed switchi...

tdw

There will be no communication between ports without /interface bridge and /interface bridge port configuration. Confusingly, depending on which type of Mikrotik you have, hardware switching with VLANs is implemented differently. For the CRS1xx/2xx devices you need a non-VLAN-aware bridge plus ether...

tdw

No. EAP-MSCHAPv2 is plain old MSCHAPv2, so man-in-the middle attacks gathering the handshake are possible - these allow the NTLM password hash to be recovered. Protected EAP may be used as an "outer" method wrapping an "inner" insecure EAP method inside a TLS tunnel to prevent eavesdropping. The ful...

tdw

That is a fragment of the configuration on one device, so impossible to tell what is happening elsewhere. Nothing should be generating VLAN ID 4095 as it is a reserved value. As @mkx said ingress-filtering=yes is only set on a couple of ports, without it frame-types= has no effect. Also /interface b...

tdw

I would suggest protocol-mode=rstp rather than protocol-mode=stp as it converges much more quickly. RouterOS does not change port path cost based on the link speed so you may wish to review the values. Also, on the secondary switch your choice of priority is odd. From the wiki "In RouterOS it is pos...

tdw

From what I recall of the HPE STP/RSTP implementation it is standards compliant - the BPDUs are always untagged. If you stick with RSTP you must have the same selection of VLANs present on all legs of the loop (as the RSTP blocking could interrupt any leg), and RSTP only transmitted untagged for the...

tdw

Without any configuration details it is difficult to say. By default the RADIUS client will use the address of the egress interface as the source address unless you explicitly set one, and the RADIUS server / user manager will reply to that address.

tdw

It depends on how you access traffic on VLAN5 by the CPU, you can either do /interface bridge add name=bridge protocol-mode=none vlan-filtering=yes /interface vlan add interface=bridge name=vlan-5 vlan-id=5 interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=5 /ip address add address=192...

tdw

It depends on how you access traffic on VLAN5 by the CPU, you can either do /interface bridge add name=bridge protocol-mode=none vlan-filtering=yes /interface vlan add interface=bridge name=vlan-5 vlan-id=5 /ip address add address=192.168.1.1/24 interface=vlan-5 network=192.168.1.0 or /interface bri...

tdw

My understanding is that for 1G (and faster) copper links it is not only connection speed that needs to be negotiated, but also the line needs to be tested and some other TX/RX parameters then needs to be negotiated and/or tuned. That's done during the standard link negotiation procedure. You can s...

tdw

You have not included the CPU port in the switch VLAN configuration, see https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Management_access_configuration /interface ethernet switch vlan add independent-learning=yes ports=ether1,ether2 ,switch1-cpu switch=switch1 vlan-id=100 ... Be aware th...

tdw

The incoming/outgoing filter options have been present in RouterOS for some time, and do have limitations. The newer interface list or address list options may be more suitable - when set in a PPP profile these add the interface name or address respectively to a list which can be used as desired in ...

tdw

It is unusual to want to firewall at wire speed within a layer 2 network. At this level isolation is often for devices, rather than specific services on a device, and implemented with split-horizon or port isolation. ACLs will provide some of the functionality you are looking for but they operate pe...

tdw

Now, I can tell you that most of the traffic is accepted in the output chain and to a fraction in the input chain, but there is nothing in the forward chain. Hello! What about the forward chain? Cf. the documentation above: that's exactly the discrepancy between documentation and reality I mean!......

tdw

The Mikrotik client certificates are optional, the VPN can still be secure without them, and Windows doesn't support them: Client checks it is talking to an authentic server by matching the CA which signed the server certificate, and optionally verifying the server hostname matches the certificate. ...

tdw

Create an account on mikrotik.com (this is different from your forum account).
Select 'Request RouterBOARD license key', enter your device serial number and software ID to retrieve the license key data.

tdw

Hopefully you are not using the SSTP without certificates for any important data as it is extremely insecure. From the Wiki "Between two Mikrotik routers it is also possible to set up an insecure tunnel by not using certificates at all. In this case data going through SSTP tunnel is using anonymous ...

tdw

If you do not use RADIUS built in to RouterOS v7 the usual choice is FreeRADIUS or Window NPS (integrated with newer Windows Server products). MAC auth - there are no changes to the device, but you need to record the MAC address of authorised devices. Certificate 802.1X - you need to create, distrib...

tdw

It depends on how hard you want to try preventing unauthorised devices and how determined someone is to bypass your blocks. A very simple method is to disable DHCP and only assign IP addresses with static leases or statically, this would require someone to either manually set an IP address and gatew...

tdw

On your first post you had: add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway \ Which obviously is wrong, your out interface is not eth1 but the PPPoE client... This wrong rule does not keep the router from having access to the Internet, but...

tdw

Or this one https://wiki.mikrotik.com/wiki/Manual:IP/Settings

tdw

There are still significant vulnerabilities in versions prior to v6.44.x. Having upgraded from such an old version I would strongly suggest resetting to the default configuration, disable the default WAN DHCP client, add a PPPoE client, add the PPPoE client interface to the WAN interface list - the ...

tdw

750's are fine with recent RouterOS - I have one running v6.44.6 doing minor stuff, but due to the limited RAM disable packages you are not using (e.g. hotspot, ipv6, mpls, routing, wireless).

Not sure if you can upgrade directly from 4.5 to 6.x, going via 5.26 may work or use netinstall.

tdw

From the wiki "Warning: Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic." so try disabling the fasttrack rule.

tdw

As I said in an earlier post the FreeRADIUS output seems incomplete, sending an Access-Accept outside of an EAP conversation will never work. The choice of MAC address as username is most unusual - typical setups are either EAP-PEAP-MSCHAPv2 with someuser@realm + somepassword as credentials allowing...

tdw

I removed switch1-cpu from switch vlan and everything is working as expected. I am not sure why this was the problem, switch1-cpu just gives access to CPU, needed or not i don't see why it caused a problem... Yeah, I couldn't begin to guess I don't really know this architecture. But I tested adding...

tdw

Please do not hijack old threads if they are not related - the original question was about support of extended ASCII characters. "@" is the network access identifier separator symbol and may be handled differently in FreeRADIUS 3.x, see https://networkradius.com/doc/current/raddb/mods-available/real...

tdw

Nothing obvious to stop communications, if you configure a VLAN directly on DEV-PC and connect it directly to FW1 without the CRS does it work? There are a few minor points but nothing affecting your immediate issue... As you are just using the CRS as a switch the default configuration 'WAN' and 'LA...

tdw

That changed the default configuration static DNS entry 'router.lan' address to match one of the new gateway addresses so the Mikrotik can be referenced by name, which is fine.

tdw

The wiki examples tend to be command-line, but making the equivalent changes through Winbox is fine. Note that many of the examples expect there to be no configuration present - if you try running the commands on a device with a default configuration you will likely get errors about ports already be...

Search found 515 matches