MikroTik

tdw

The VLAN interfaces giving the CPU to access VLANs in /interface vlan must be attached to the parent interface not members, so bridge not ether17.

That setup will work, but will not use hardware switching.

tdw

You can only have one server binding per username - if the same username is used more than once you end up with the server binding plus additional dynamic interfaces <ovpn-someuser-1>, <ovpn-someuser-2>, etc. If a connection is interrupted you can end up with the user connected via a dynamic interfa...

tdw

That rule is for the outer tunnel, not the inner tunnelled traffic. As discussed in post #4 with having firewall rules referring to the lists 'BASE', 'VLAN', 'BASE+VLAN' the open VPN server interface has to be added to these if you wish the VPN traffic to use the rules. Having interface-list=VLAN in...

tdw

By default it will capture everything - including broadcast/multicast traffic from the rest of your network and the Winbox traffic to and from the Mikrotik itself. You can apply filters to reduce the scope of the capture and hopefully volume of packets, there should be something transmitted and rece...

tdw

Local is server, remote is client. For point-to-point interfaces you can have the same local address on multiple interfaces. VLANs are not the issue, they only have significance for layer 2 ethernet. IP routes are automatically added to the routing table ( /ip route print or Winbox, IP > Routes), on...

tdw

There is nowhere to enter an interface in /ip pool - just a pool name, addresses and an optional next pool. So, based on your config, something along the lines of: /ip pool add name=pool_ovpn ranges=10.0.98.10-10.0.98.254 ... /ppp profile add dns-server=10.0.0.3 interface-list=VLAN local-address=10....

tdw

Rules 2, 5 & 12 still have log=yes so the messages will be from one of those

tdw

The configuration has an incorrect VLAN configuration. You diagram shows the master ether1 carrying VLAN 1000 and 1051 tagged, but you have configured the port has VLAN 1000 untagged. It should be: /interface bridge port add bridge=bridge comment=defconf ingress-filtering=yes interface=ether1 pvid=...

tdw

The master and slave configurations appear identical. Cut and paste issue? The configuration has an incorrect VLAN configuration. You diagram shows the master ether1 carrying VLAN 1000 and 1051 tagged, but you have configured the port has VLAN 1000 untagged. It should be: /interface bridge port add ...

tdw

I don't know what is causing the problem. Tried different setups. It is odd that you got to a point where you had some connectivity and then lost it. I might not understand your question, but if this is the question: The remote client has an IP address from a completely different subnet (172.XX...)...

tdw

What other equipment do you have in your network, and the running configuration /export hide-sensitive would help.

tdw

Yes, you do get the impression that Mikrotik just created a UI exposing a load of switch chip registers and left people to figure it out. Originally switch configuration was completely separate from bridges, but they have gradually been merging so the bridge becomes a placeholder for configuring and...

tdw

If you do not need wire-speed switching between ports the RB2011 is fine with a VLAN-aware bridge and no hardware offload. The CRS1xx/2xx switching is very different to the RB devices, the wiki examples are a good starting point. Normally I would say that the CRS devices are intended to be L2 switch...

tdw

Nothing immediately jumps out. Is the Open VPN client connecting from an address within the IP range you are trying to tunnel? I've never tried it myself to see if handles this situation. Also, IIRC there have been comments about /internet detect-internet causing odd behaviour so it may be worth rem...

tdw

Per my previous email either add routing statements to the OpenVPN client configuration file route 10.0.0.0 255.255.0.0 vpn_gateway OR change the Mikrotik VPN server /interface ovpn-server server set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes netmask=16 requir...

tdw

It does sound like a bug, you could report it to Mikrotik support.

tdw

Ok thanks for clearing this up for me. Now I can access the 10.0.99.0/24 subnet from which the address is given to the interface, but not other subnets, though I have created an address list with 10.0.0.0/16 and added it under the /ppp profile address-list option. Should I need to do anything else ...

tdw

It depends if the addresses are in the same /26 subnet or not - if they are then layer2 port isolation, or similar, could well be an issue. What do you get if you try ping and traceroute from one router to the other, and again in the other direction?

tdw

The Mikrotik OpenVPN implementation is shoehorned into their PPP model, and it does not quite fit, so some of the PPP profile settings have no meaning when used with the OpenVPN server - in particular setting bridge= under /ppp profile has no effect, this is used by PPP Bridge Control Protocol (BCP)...

tdw

Not being able to access the router itself is likely to be firewall rules. Having the same VLAN ID on different bridges will not pass that traffic between bridges, are you looking to bridge or route traffic? Printing the bridge and PPP profile entries provides no useful information, post the output ...

tdw

We set the RADIUS source address to a loopback /32 on each Mikrotik and tunnel traffic to FreeRADIUS based servers over L2TP/IPsec tunnels (rather than GRE) without issue. As your user manager and tunnel endpoints are on the same device it isn't possible to determine the exact source of the problem ...

tdw

You also have a mix of bridge and switch VLAN configuration. Either use a VLAN-aware bridge OR hardware switching mixing them can have unintentional side-effects, currently the /interface bridge port PVID settings are ignored and /interface bridge vlan does nothing. Unless you need wirespeed switchi...

tdw

There will be no communication between ports without /interface bridge and /interface bridge port configuration. Confusingly, depending on which type of Mikrotik you have, hardware switching with VLANs is implemented differently. For the CRS1xx/2xx devices you need a non-VLAN-aware bridge plus ether...

tdw

No. EAP-MSCHAPv2 is plain old MSCHAPv2, so man-in-the middle attacks gathering the handshake are possible - these allow the NTLM password hash to be recovered. Protected EAP may be used as an "outer" method wrapping an "inner" insecure EAP method inside a TLS tunnel to prevent eavesdropping. The ful...

tdw

That is a fragment of the configuration on one device, so impossible to tell what is happening elsewhere. Nothing should be generating VLAN ID 4095 as it is a reserved value. As @mkx said ingress-filtering=yes is only set on a couple of ports, without it frame-types= has no effect. Also /interface b...

tdw

I would suggest protocol-mode=rstp rather than protocol-mode=stp as it converges much more quickly. RouterOS does not change port path cost based on the link speed so you may wish to review the values. Also, on the secondary switch your choice of priority is odd. From the wiki "In RouterOS it is pos...

tdw

From what I recall of the HPE STP/RSTP implementation it is standards compliant - the BPDUs are always untagged. If you stick with RSTP you must have the same selection of VLANs present on all legs of the loop (as the RSTP blocking could interrupt any leg), and RSTP only transmitted untagged for the...

tdw

Without any configuration details it is difficult to say. By default the RADIUS client will use the address of the egress interface as the source address unless you explicitly set one, and the RADIUS server / user manager will reply to that address.

tdw

It depends on how you access traffic on VLAN5 by the CPU, you can either do /interface bridge add name=bridge protocol-mode=none vlan-filtering=yes /interface vlan add interface=bridge name=vlan-5 vlan-id=5 interface bridge vlan add bridge=bridge tagged=bridge vlan-ids=5 /ip address add address=192...

tdw

It depends on how you access traffic on VLAN5 by the CPU, you can either do /interface bridge add name=bridge protocol-mode=none vlan-filtering=yes /interface vlan add interface=bridge name=vlan-5 vlan-id=5 /ip address add address=192.168.1.1/24 interface=vlan-5 network=192.168.1.0 or /interface bri...

tdw

My understanding is that for 1G (and faster) copper links it is not only connection speed that needs to be negotiated, but also the line needs to be tested and some other TX/RX parameters then needs to be negotiated and/or tuned. That's done during the standard link negotiation procedure. You can s...

tdw

You have not included the CPU port in the switch VLAN configuration, see https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Management_access_configuration /interface ethernet switch vlan add independent-learning=yes ports=ether1,ether2 ,switch1-cpu switch=switch1 vlan-id=100 ... Be aware th...

tdw

The incoming/outgoing filter options have been present in RouterOS for some time, and do have limitations. The newer interface list or address list options may be more suitable - when set in a PPP profile these add the interface name or address respectively to a list which can be used as desired in ...

tdw

It is unusual to want to firewall at wire speed within a layer 2 network. At this level isolation is often for devices, rather than specific services on a device, and implemented with split-horizon or port isolation. ACLs will provide some of the functionality you are looking for but they operate pe...

tdw

Now, I can tell you that most of the traffic is accepted in the output chain and to a fraction in the input chain, but there is nothing in the forward chain. Hello! What about the forward chain? Cf. the documentation above: that's exactly the discrepancy between documentation and reality I mean!......

tdw

The Mikrotik client certificates are optional, the VPN can still be secure without them, and Windows doesn't support them: Client checks it is talking to an authentic server by matching the CA which signed the server certificate, and optionally verifying the server hostname matches the certificate. ...

tdw

Create an account on mikrotik.com (this is different from your forum account).
Select 'Request RouterBOARD license key', enter your device serial number and software ID to retrieve the license key data.

tdw

Hopefully you are not using the SSTP without certificates for any important data as it is extremely insecure. From the Wiki "Between two Mikrotik routers it is also possible to set up an insecure tunnel by not using certificates at all. In this case data going through SSTP tunnel is using anonymous ...

tdw

If you do not use RADIUS built in to RouterOS v7 the usual choice is FreeRADIUS or Window NPS (integrated with newer Windows Server products). MAC auth - there are no changes to the device, but you need to record the MAC address of authorised devices. Certificate 802.1X - you need to create, distrib...

tdw

It depends on how hard you want to try preventing unauthorised devices and how determined someone is to bypass your blocks. A very simple method is to disable DHCP and only assign IP addresses with static leases or statically, this would require someone to either manually set an IP address and gatew...

tdw

On your first post you had: add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway \ Which obviously is wrong, your out interface is not eth1 but the PPPoE client... This wrong rule does not keep the router from having access to the Internet, but...

tdw

Or this one https://wiki.mikrotik.com/wiki/Manual:IP/Settings

tdw

There are still significant vulnerabilities in versions prior to v6.44.x. Having upgraded from such an old version I would strongly suggest resetting to the default configuration, disable the default WAN DHCP client, add a PPPoE client, add the PPPoE client interface to the WAN interface list - the ...

tdw

750's are fine with recent RouterOS - I have one running v6.44.6 doing minor stuff, but due to the limited RAM disable packages you are not using (e.g. hotspot, ipv6, mpls, routing, wireless).

Not sure if you can upgrade directly from 4.5 to 6.x, going via 5.26 may work or use netinstall.

tdw

From the wiki "Warning: Queues (except Queue Trees parented to interfaces), firewall filter and mangle rules will not be applied for FastTracked traffic." so try disabling the fasttrack rule.

tdw

As I said in an earlier post the FreeRADIUS output seems incomplete, sending an Access-Accept outside of an EAP conversation will never work. The choice of MAC address as username is most unusual - typical setups are either EAP-PEAP-MSCHAPv2 with someuser@realm + somepassword as credentials allowing...

tdw

I removed switch1-cpu from switch vlan and everything is working as expected. I am not sure why this was the problem, switch1-cpu just gives access to CPU, needed or not i don't see why it caused a problem... Yeah, I couldn't begin to guess I don't really know this architecture. But I tested adding...

tdw

Please do not hijack old threads if they are not related - the original question was about support of extended ASCII characters. "@" is the network access identifier separator symbol and may be handled differently in FreeRADIUS 3.x, see https://networkradius.com/doc/current/raddb/mods-available/real...

tdw

Nothing obvious to stop communications, if you configure a VLAN directly on DEV-PC and connect it directly to FW1 without the CRS does it work? There are a few minor points but nothing affecting your immediate issue... As you are just using the CRS as a switch the default configuration 'WAN' and 'LA...

tdw

That changed the default configuration static DNS entry 'router.lan' address to match one of the new gateway addresses so the Mikrotik can be referenced by name, which is fine.

tdw

The wiki examples tend to be command-line, but making the equivalent changes through Winbox is fine. Note that many of the examples expect there to be no configuration present - if you try running the commands on a device with a default configuration you will likely get errors about ports already be...

tdw

Nothing obvious. You appear to have configured the RADIUS connector to handle PPP, login, hotspot & wireless - these will send requests in differing formats so your RADIUS server will have to handle them appropriately, the PPP and hotspot options appear to be redundant as there are no PPP or hostpot...

tdw

Assuming that your other firewalls are handling routing, etc. and the CRS is just being a switch then https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#Example_1_.28Trunk_and_Access_ports.29 for the access ports, and the incremental changes https://wiki.mikrotik.com/wiki/Manu...

tdw

Screenshots do not show enough detail, posting the output of /export hide-sensitive is a good starting point.

The FreeRADIUS output seems incomplete, there is no indication of EAP messages - sending an Access-Accept outside of the EAP handshake will fail as there is no keying information provided.

tdw

you can also omit /interface bridge vlan untagged entries ( untagged= ), these will be generated automatically from the /interface bridge port PVID entries ( pvid= ) If I need to change some ports PVID later, will the untagged entries follow automatically? Yes, changing the pvid= settings in /inter...

tdw

A bridge has two roles - one like a switch between member ports, the other an interface for traffic to the CPU. You haven't included the interface-like role in the bridge VLAN configuration. If you are creating VLAN interfaces for all CPU traffic leave the PVID on the bridge itself unchanged (i.e. 1...

tdw

Mikrotik have not implemented hardware VLAN support for the switch chip used in the RB4011. You should be using a single VLAN-aware bridge, in which case you just have to set the PVID for the bridge port interface. Posting the output of /export hide-sensitive usually helps.

tdw

That is a different case to the scenario the OP describes - you are disconnecting the cables, not interrupting traffic flow. From the wiki "MII monitoring monitors only the state of the local interface .... Main disadvantage is that MII monitoring can't tell if the link can actually pass packets or ...

tdw

Your ISP may offer public IP addresses. Some do not, some do but often charge an extra fee.

tdw

Your netmask is incorrect, it should likely be 255.255.255.0 or /24 so any destination outside 192.168.1.x is reached via the gateway.

tdw

The 100.64.x.x address indicates your ISP is using CGNAT to share public IP addresses between customers. It is not possible to port forward or use UPnP with this additional layer of NAT between a public IP and your router.

tdw

When the hotspot is activated on an interface all traffic through that interface is processed by the hotspot firewall chains. Once you are authenticated to the hotspot you should be able to connect to the Mikrotik, or you can use a hotspot IP binding to bypass hotspot authentication https://wiki.mik...

tdw

Why do you have domain=208.67.222.220 and dns-server=8.8.8.8,208.67.222.222,8.8.4.4,0.0.0.0 in the /ip dhcp-server network configuration?

tdw

Those screenshots provide insufficient information, post the output of /export hide-sensitive from a terminal window.

tdw

You have removed the /interface list member entry for the PPPoE client completely, not changed it as suggested.

No idea why the DNS resolves as you describe, it could be your ISP blocking access to that site. Do other sites resolve correctly?

tdw

@ITDave According to the block diagram you can use the SFP and ether1 at the same time.

@hallz the output of /export hide-sensitive having executed your script would provide a better picture of what you have done

tdw

Are you attempting to add an IPv6 address to an IP(v4) address list? The IPv6 configuration is completely independent from IPv4 so setting up an access control list to a service, for example, requires two address lists (IP > Firewall > Address Lists & IPv6 > Firewall > Address Lists) and correspondi...

tdw

You appear to have two PPPoE client interfaces name=pppoe-out1 and name=pppoe-outl , remove the unused one and correct the /interface list membership entry - it appears to be the wrong PPPoE client, so NAT will not work As mentioned before the /ip address is incorrectly specified on interface=ether2...

tdw

Yes, the 8337 supports them as detailed in the link

tdw

https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29

Be aware it is not possible to have hybrid ports on the fast ethernet switch chips Mikrotik have used, including the integrated 8227 used for ether6-10 on the 2011

tdw

So the TP-Link should be handling the VLAN encapsulation: [ DSL WAN -- VLAN1885 -- TP-Link bridge ] ==== [ Mikrotik ether1 -- PPPoE client ] To implement the VLAN on the Mikrotik: [ DSL WAN -- TP-Link bridge ] ==== [ Mikrotik ether1 -- VLAN1885 -- PPPoE client ] /interface vlan add interface=ether1 ...

tdw

The LAN IP address should be set on the bridge, not one of the member interfaces (if you have not changed this it may be a bug in Quickset) /ip address add address=192.168.1.2/24 comment=defconf interface= bridge network=192.168.1.0 The DHCP client on ether1 appears to be disabled, if you wish to ac...

tdw

Cloning the TP-Link WAN ethernet address should only necessary if the PPPoE client fails to establish a connection, it sounds as though that is not the case here although it is odd that you are seeing a different IP address. Post the output of /export hide-sensitive after obfuscating public IPs, etc...

tdw

Atheros switch chips support an additional header in traffic between the CPU and switch chip, together with Linux driver support this allows logical etherX interfaces to be multiplexed over the single communication channel to physical ethernet interfaces using port-based VLANs - this is completely h...

tdw

I should have said smart card slot - a SIM is just a particular type of smart card.

tdw

There is both a microSD slot and a SIM slot, none of the CCR devices have miniPCIe slots. AFAIK the SIM slot was intended for secure crypto storage, although this was never finished.

tdw

Almost... /interface bridge port add bridge=bridge comment=defconf hw=no interface=ether2 pvid=100 The /interface bridge vlan settings may be incorrect, it depends on what parameters you have specified for the bridge itself under /interface bridge . Note untagged membership does not have to be expli...

tdw

What version of RouterOS are you running, are any services accessible from the internet?

It is odd for the Mikrotik to be the connection destination IP address if the traffic is outbound.

tdw

I'm sure load balancing with dynamic gateways will have cropped up before in the forums - a script triggered by the DHCP client, or possibly using routing filters. It depends on what you need - if all traffic will be to/from ISP1, other than replies to that coming from ISP2, instead of full load bal...

tdw

There do not appear to be any mangle rules or additional routing tables to properly support dual WAN operation. Replies to traffic arriving from either ISP1 or ISP2 will return via the best default route to ISP1 - this may have accidentally worked until the nightly engineering works correctly blocke...

tdw

VRRP transmits the shared MAC address from whichever device is currently master. I've not used CARP, but I would have expected it do the same - maybe with a configuration option if not the default.

tdw

I believe the SSH crypto comment is due to /ip ssh set allow-none-crypto=yes as a previous RouterOS upgrade erroneously added this. The switch itself will only be making ARP requests associated with its management interface. The traffic egress port will be selected by the contents of the FDB, this i...

tdw

That is unlikely to be the MAC address the modem sees - the bridge is 'LAN' side of the Mikrotik. Assuming the modem is connected to ether1, the command for changing the interface MAC address is /interface ethernet set [ find default-name=ether1 ] mac-address=XX:XX:XX:XX:XX:XX I suspect that after t...

tdw

I do not have a CRS3xx to test on, but whilst hardware offloading is active I would expect /interface bridge filter only to process packets between the switch and CPU, and that to process packets between switch ports you would have to use switch ACLs /interface ethernet switch rule - see https://wik...

tdw

Be aware that the CRS products are intended to be L2 switches with limited L3 performance. You might achieve a few hundred Mb throughput, performance figures are here https://mikrotik.com/product/crs312_4c_ ... estresults

tdw

If the DHCP client were not present the PC would not have an address from the Mikrotik in either case. This is incorrect, the Mikrotik 'WAN' connection DHCP client not obtaining an address will not interfere with the 'LAN' connection DHCP server providing addresses to the attached PC. My problem is...

tdw

Presumably you want to use split tunnelling so not all the client traffic is via the VPN. AFAIK you can use the Windows CMAK to build a VPN connector with associated static routes.

tdw

That would not break anything, the non-RSTP device would ignore the BPDU packets, but a non-optimal setup. RSTP is good in larger setups for redundant paths and/or preventing storms if two edge ports are connected together, but probably unnecessary for a home setup. It does introduce a ~15 seconds f...

tdw

Might be worth looking at the /ip dhcp-server option add-arp=yes, and local proxy-arp https://wiki.mikrotik.com/wiki/Manual:I ... _Proxy_Arp mode.

tdw

It was on fiber, come to think of it, not copper.

That makes sense, there isn't an equivalent of the NWay copper link negotiation for fibre.

tdw

If true, the standard is not uniformly obeyed. In my region, CenturyLink gateway feeds are routinely supplied that run 1G and refuse negotiation, and you can't connect with them unless you configure your interface as 1G non-negotiated. Something to watch out for. If that is on a copper interface ce...

tdw

With both devices, I have never gotten a successful connection to any of my various periphal devices when the routers Ethernet port is configured as a 1G link without Auto Negotiation: You will not, auto-negotiation is mandatory for 1000BASE-T. The definitive reference is IEEE standard 802.3, Secti...

tdw

Historically UniFi only supported untagged management. I believe that tagged management support has been added, BUT this will only be for adopted and provisioned devices - the initial controller discovery and connection to the controller has to be over an untagged network.

tdw

It isn't possible, RouterOS only supports IPsec (native and L2TP/GRE/IPIP/EoIP tunnels), SSTP, OpenVPN (not all features), PPTP (avoid as insecure).

tdw

And here is the Dynamic Bridge config that I think can't be seen in the export above. This is the remains of the default configuration. Maybe this is the reason? I don't know if and possibly how to get rid of it.: The VLAN-aware bridge documentation indicates you have to configure the PVID in /inte...

tdw

No default route on the switch so it won't be able to reply to anything outside 192.168.0.0/24
/ip route
add gateway=192.168.0.1

tdw

When you send traffic to any address outside 192.168.1.0/24 from your laptop it is sent to the gateway address on your ISP router. Unless that router knows specifically where to send traffic destined for 192.168.0.0/24 to, it will be sent to the WAN. You need to configure a static route on the ISP r...

tdw

Mikrotik VLAN configuration has historically been a mess, older versions of RouterOS it did look as though many of the switch chip registers were just presented to the user to figure out. It is getting better with the CRS3xx implementation handling all the behind-the-scenes switch chip configuration...

tdw

It can be configured to report a variety of status information or be controlled by a script https://wiki.mikrotik.com/wiki/Manual:System/LEDS

tdw

The VLAN-aware bridge documentation indicates you have to configure the untagged membership to be the same in both /interface bridge port and /interface bridge vlan , you are missing it in the bridge port entry. In practice if you only configure it in /interface bridge port the corresponding members...

tdw

There will be no change in performance on a CCR1036 as it does not have a hardware switch chip.

tdw

I did say if they are intended to be trunk rather than hybrid ports (didn't look at the link, UniFi requires management untagged) So, from your original config Remove the PVID from the bridge itself, as you access tagged VLAN69 via the vlan-69 interface. Enable ingress filtering in /interface bridge...

tdw

You have configured the bridge, ether7, ether22, ether23 to be both tagged (in /interface bridge vlan ) and untagged (by setting pvid=69 in /interface bridge and /interface bridge port ) which will not work. Remove the pvid= for the bridge and those three interfaces if they are intended to be trunk ...

tdw

The dst-nat rules only apply to traffic from WAN to your servers.

For traffic originating from your servers to WAN add specific src-nat rules BEFORE the generic one.

tdw

As mentioned unless your ISP provides you with an IPv6 WAN address there is no way they will be able connect directly using IPv6, so that is the starting point. If the Mikrotik L2TP server does not support IPv6 that will be a non-starter too. If they only have IPv6 their provider will be providing s...

tdw

If you want to add an IPv6 client you need to implement IPv6 on your device after enabling the package - WAN, LANs, firewall, etc. I can't remember offhand if the L2TP implementation supports IPv6 at the moment.

tdw

If you use a conventional IP / layer 3 VPN, you have no access to the MAC / layer 2 information at the other end. Proxy-arp allows a router to provide its own MAC address to allow communication between devices using the same subnet IP addresses but attached to differing physical networks, e.g. a loc...

tdw

If you only wish one computer to access your company network it would be far simpler to set up VPN connections from that one computer.

tdw

No that's all fine. It is odd that hw=yes but no H flag - possibly the way inactive bonding interfaces work.

The VLAN configuration all looks fine, finding out why the bonding interface is inactive is the next thing to do, what does /interface print show?

tdw

What is the MGMT interface, it doesn't appear in the previous config export? That aside, the bridge port print line " 3 I bond_3-4 bridge yes 1 0x80 10 10 none " shows bond3_4 is inactive, and also does not have hardware offloading which is odd as 802.3ad bonding interfaces can be hardware offloaded...

tdw

Hmm, the bonding interfaces do not appear to be running (no R after the index number), and only the bridge itself appearing in the bridge current tagged vlans.

What does /interface bridge vlan print detail (provides addition detail) and /interface bridge port print give?

tdw

Nothing obvious. What does the output of /interface bridge vlan print and /interface bonding print give?

tdw

You have disabled TCP MSS adjustment in the PPP profile, this often breaks TCP sessions, change to /ppp profile set *0 change-tcp-mss= yes The LAN IP addresses should be applied to the bridge not a member port (in this case ether2), change to /ip address add address=10.10.10.1/24 interface= bridge n...

tdw

That sounds a bit confusing to me........ VLAN traffic inherently is already filtered at layer 2 from other vlans or subnets, (even if on the same bridge). However the router will still route between them at layer 3 and thus firewall rules are needed to stop unwanted traffic between the vlans (at l...

tdw

Assuming the AP is plugged into the CRS as shown in the picture, there is no /interface bridge vlan configuration for VLAN 20 on the CRS

tdw

No. An interface can only be a member of one bridge, bridges can not be members of other bridges. An old way of bridging VLANs was to create VLAN interfaces on ethernet ports, create a bridge per VLAN ID and attach the respective VLANs to bridges. This has various pitfalls, see https://wiki.mikrotik...

tdw

A couple of obvious errors... The IP address should be attached to the bridge, not member interfaces (in this case ether1 ) You have only configured VLAN IDs on the bridge itself, not any of the member interfaces. The wiki documentation is slightly out of date, untagged membership is configured dyna...

tdw

The output of /export hide-sensitive would let us see what you have currently got configured, none of the PVID or bridge VLAN settings have any effect unless vlan-filtering=yes

tdw

Windows does not support OpenVPN natively, install a client e.g. https://openvpn.net/community-downloads/

Alternatively set up the SSTP server on your Mikrotik.

tdw

Elsewhere the wiki states "For CRS1xx and CRS2xx series switches it is possible to use DHCP Snooping along with VLAN switching, but then you must make sure that DHCP packets are sent out with the correct VLAN tag using egress ACL rules" - my emphasis added. The rule they provided is for ingress traf...

tdw

AFAIK RIPE ran out of IPv4 addresses 3-4 months ago. New members no longer get a /22 allocation, just put on the waiting list for a /24 so you may have to purchase some from elsewhere, you do get an AS number. If you changed to a different provider you would most likely loose your existing public ad...

tdw

I was thinking of spanning tree topology changes, but that looks to be fine. What are you expecting the /interface ethernet switch acl rule to do ? My reading of those options is that any packets destined for the standard DHCP server port will be redirected to ether1 - likely including any received ...

tdw

What device does the flapping MAC address belong to?

You have RSTP enabled on the CRS, do you have any spanning tree configured on the Cisco devices? IIRC the default is PVST+ which doesn't necessarily play nicely with RSTP.

tdw

It depends on how your circuits are provided... If you have point-to-point circuits back to a core router in a datacentre you control then you could use ECMP, layer 2 bonding or as another has suggested MPLS and OSPF. If you have managed internet access (MIA) circuits from a provider it would be wor...

tdw

https://wiki.mikrotik.com/wiki/Manual:C ... with_Bonds

tdw

Hi, I own a CRS112-8P-4S-IN and configured my VLANs directly on the switch like the WIKI states. My question is: what function does the bridge (still) serve then? - Do the ports of a VLAN on the switch also need to be bridged together? Yes. A bridge has two personalities - an ethernet switch and in...

tdw

You can't. The Mikrotik OpenVPN implementation does not support a number of features: UDP mode, LZO compression, authentication without username/password, TLS authentication / static keys Some examples of what is supported here https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN#Application_Examples

tdw

XXXX:XXXX:XXXX:XXXX::/64 is the Subnet-Router anycast address (RFC4291 2.6.1) so should not be configured directly on an interface. It could be that older versions of RouterOS had bugs which permitted you to use this successfully.

tdw

You have multiple bridges, a mix of VLAN-aware and non-VLAN-aware configuration, a DHCP server and client on one of the LANs, various firewall rules which will have no effect. Start with https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples#InterVLAN_Routing as a basis for your s...

tdw

Do your RADIUS servers support pools in addition to static assignments - then they could handle the dynamic allocation and tracking If you have limited addresses then it really needs to be handled by the RADIUS servers, it doesn't really matter if they are directly assigned to a PPPoE session or by ...

tdw

If your RADIUS servers sends Framed-IP-Address attributes that address is assigned to the client, no need for IP pools on the PPPoE servers.

tdw

Mikrotik-Group attribute, see https://wiki.mikrotik.com/wiki/Manual:R ... ess-Accept

tdw

A bridge has two personalities, it is both like a switch and also an interface to the CPU. The VLAN interface should not be added as a member of the bridge - remove add bridge=bridge interface=OAM from under /interface bridge port

tdw

If the PPPoE connection is interrupted for any reason and the client reconnects before the Mikrotik PPPoE server has removed the previous connection a suffix is added to the interface name. For example, if you have <pppoe-123456> The connection is interrupted and the client establishes a new connect...

tdw

Proxy-arp does not work like that. When routing IP there is no external visibility of device MAC addresses in another subnet. Using a CRS device as a router is a bad idea - they are designed to be layer2 switches with some performance-limited layer3 functionality. You could use the CRS as an aggrega...

tdw

Expected behaviour as you are using the same subnet for different networks - each PPPoE client is on their own network, completely separate from the CCR LAN network.

Either use a different set of addresses for the PPPoE clients, or enable proxy-arp on the CCR LAN network.

tdw

Create an OVPN server binding interface - this provides an unchanging name to which routes for firewall rules may be attached, you do not need to check the gateway status. Alternatively you may be able to add routes to the PPP secret which are created and bound to the dynamic interface - I haven't t...

tdw

The newer versions of RouterOS split the IPsec configuration into various sections. Previously authentication method, including PSK secret, was part of /ip ipsec peer now there is a separate /ip ipsec peer section for this information.

tdw

can t find this(

It is the Netmask field, default value is 24 - equivalent to 255.255.255.0

tdw

There are various options: Use an adjacent subnet for the remote clients and adjust the netmask to cover local and remote clients. e.g. the existing 192.168. 83 .x/24 network for local clients, 192.168. 82 .x/24 for remote VPN clients with OpenVPN server netmask=23 that's interesting. but where ope...

tdw

Already tried that with 192.168.10.0/24 50

.... dynamic route distance is still 1

That syntax is incorrect. As mentioned above, and in the description of routes here https://wiki.mikrotik.com/wiki/Manual:P ... operties_2, it should be 192.168.10.0/24 0.0.0.0 50

tdw

There are various options: Per your suggestion overlap the local and remote client addresses, the OpenVPN server netmask=24 provides a suitable route, but you need to enable proxy-arp on the local network interface so the Mikrotik replies to any local client ARP requests on behalf of the remote VPN ...

tdw

What value did you use for eee.fff.ggg.hhh? It should be a specific gateway address, or 0.0.0.0 for the Mikrotik to select an appropriate one.

tdw

Windows 10 supports SHA256 for phase1 but only supports SHA1 for phase2 according to the table here https://wiki.mikrotik.com/wiki/Manual:I ... figuration

tdw

You can safely mix changes in Winbox and the CLI.

If you use Quickset, and subsequently make changes with either Winbox or the CLI, then you should not make further changes with Quickset.

tdw

If I understand the whole concept correctly, ether3 and sfp-sfpplus1 should be untagged? Those are the ports which connect directly to my PC and TV. While I can set a VLAN-ID on my network card on the PC, I can not do so on the TV. Yes, the most common setup is to present a single untagged VLAN for...

tdw

Opening a terminal window from Winbox ('New Terminal' in the menu) is recorded as log in via telnet.

tdw

The CRS1xx/2xx switch chip configuration is not at all intuitive - /interface ethernet switch vlan specifies which VLANs are present on which ports, /interface ethernet switch ingress-vlan-translation specifies which tag to apply on untagged ingress packets, /interface ethernet switch egress-vlan-ta...

tdw

Bridges in older versions of RouterOS, and newer ones with vlan-filtering=no , behave similarly to an unmanaged switch - any tagged VLANs will pass freely across all ports as the VLAN ethertype is treared no differently from any other. As soon as you attach a VLAN interface to an ethernet interface,...

tdw

You are running an old version of RouterOS with known remote unauthenticated access vulnerabiliites, so I'd suggest upgrading to at least the latest long-term release. With newer versions of RouterOS you can also use a single VLAN-aware bridge instead of having multiple bridges to connecting the VLA...

tdw

Setting use-service-tag=yes for the VLAN is likely to be wrong. Unless you have a complex setup VLANs normally use the customer rather than service tag type. Without vlan-filtering=yes on the bridge (under /interface bridge ) it will act like an unmanaged switch - any tagged VLANs will pass freely a...

tdw

Additionally, as your AD credentials will be encrypted you cannot use CHAP authentication. Simple authentication mechanisms have the following requirements for RADIUS credentials: PAP - plaintext or encrypted CHAP - plaintext MSCHAPv2 - plaintext or MSCHAPv2 Also, don't use PPTP for VPNs as it is ve...

tdw

I've used Vigor 130 modems with their non-VDSL routers too, so it sounds more like a modem issue if it is not working with either a Mikrotik or Draytek Router.

I've never had to change any modem settings to get PPPoE passthrough to work. Also, which ISP as not all use PPPoE?

tdw

AFAIK the newer versions of RouterOS have a Quickset which supports PPPoE as a WAN address acquisition mode. It is generally a bad idea to go back to Quickset and make changes if Webfig/Winbox have been used to make any subsequent changes - it is best to reset to factory defaults, perform Quickset w...

tdw

The Cisco expects to be able to make an ARP request for any address from .194 to .222. As you are routing the upper half of a physical /27 subnet elsewhere ARP requests will fail, you need to enable proxy ARP on the router 1 interface connected to the Cisco. Proxy ARP is also required if you hand ou...

tdw

If you use the same subnet for the local LAN and remote VPN client the Mikrotik should have proxy ARP enabled - as the remote VPN client is not directly attached to the LAN the Mikrotik has to respond on behalf of the remote client for ARP requests from any device on the local LAN. See https://wiki....

tdw

So I guess I'd have to add "add ports=ether1,switch1-cpu switch=switch1 independent-learning=yes vlan-id=798" ? As you already have add ports=ether1,ether2,ether3 switch=switch1 independent-learning=yes vlan-id=798 change it to add ports=ether1,ether2,ether3 ,switch1-cpu switch=switch1 independent-...

tdw

The PSU supplied with the RB960PGS is 24V, as historically Mikrotik have used 24V passive PoE. The device itself will work with supplies between 12 and 57V but it does not convert voltages. From the website "Ethernet ports 2-5 can power other PoE capable devices with the same voltage as applied to t...

tdw

CHAP, which is used for RADIUS Winbox authentication prior to v6.43, requires plaintext passwords stored on the server.

tdw

You should really start a new topic rather than bumping a not particularly related seven year old thread. A bridge has two aspects - a 'switch part' which handles connections to interfaces, and an 'interface part' which passes traffic from the switch part to other CPU processes. So, to use the vlan1...

tdw

The first one. The interface ethernet switch ports default-vlan-id= setting is equivalent to the Cisco switchport access vlan . Mikrotiks don't have any specific voice related capabilities such as LLDP-MED and voice VLAN. You are providing the VLAN tagged on ether2-5 as hybrid ports rather than the ...

tdw

Under /interface ethernet switch port you should change vlan-header=always-strip to vlan-header=leave-as-is for ether2-5. From the note in https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Port_Settings QCA8337 and Atheros8327 switch chips ignore the vlan-header property and uses the defaul...

tdw

There are two completely independent operations taking place - firstly the dot1x auth to permit layer 2 network access, and subsequently DHCP to obtain a layer 3 network address - this is very different from the traditional RADIUS use case where an IP address can be provided during authentication an...

tdw

There are some cases where perfectly legitimate traffic is flagged as invalid - often where differing interfaces are used for ingress and egress, or following triangular routes as in your case. If you follow the path of packets during a conversation from PC to radio the routing is: PC -> downstream ...

tdw

Do the Mikrotiks have drop forward invalid firewall rules (included in the default configuration), and if so does the packet counter increase when you try to access from downstream of site two?

tdw

If port is already a member of the bridge, e.g. by using the default configuration after reset, you can't add it again and the Wiki examples are usually fragments to apply where there is no existing configuration. You can change the settings of existing through the command line or using Winbox to ac...

tdw

VLAN handling is confusing compared with, for example, HP where you just specify if a VLAN is tagged or untagged and it sorts everything out for you. With Mikrotiks in the /interface bridge port section the pvid= parameter only specifies which VLAN ID any untagged ingress traffic is assigned to. The...

tdw

Bonding interfaces are software-based so can consume much CPU resource, AFAIK the only hardware-based support is CRS devices which have static (no 802.3ad / 802.1ax) link aggregation groups (certainly on 1xx/2xx, not tried on a 3xx). There doesn't appear to be much info on the Netgear, https://kb.ne...

tdw

The VLAN interfaces should not be added under bridge ports. See https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge section 11 for configuration of VLAN-aware bridges, for your setup sections 11.1, 11.2 and 11.4 are likely to be most relevant. In general post the output of /export hide-sensitive ...

tdw

Any address in the pool may be handed out to a client - do not specify any fixed address contained in the pool as the local address in the profile. If you wish to keep the local and remote addresses in the same range you could specify the local address as xxx.xxx.xxx.1 and the pool as xxx.xxx.xxx.2-...

tdw

First thing I noticed was that switch port settings interfered with bridge port settings... It will, traffic always passes through the switch chip - to quote from a previous post: "Looking at Winbox and seeing ether1-5 interfaces you are fooled into thinking that the CPU has five ethernet interface...

tdw

It is likely you have incomplete switch configuration settings - unless vlan-mode=secure there will be leakage between VLANs. Post the output of /export hide-sensitive When using the switch chip untagged ingress traffic is tagged with the default-vlan-id , there are some exceptions between switch po...

tdw

I am not sure what is the use case of enabling use-ip-firewall-for-vlan Do you use more vlans on one bridge? I made one bridge for each vlan. This is probably why I used IP firewall for VLAN. This is my configuration: [Config cut] There is no point in having multiple VLAN-aware bridges with a singl...

tdw

I use vlans in my bridge (use-ip-firewall-for-vlan is disabled) and these are the rules to prevent vlans from talking to each other. Allows first then a drop all at the bottom. I am not sure if rule 29,32,35 are necessary. I don't think traffic within the same subnet and vlan goes through the ip fi...

tdw

Ask the provider if have they given you the correct addresses for your /31 and configured a route.

A trace from the Mikrotik will show how far packets go into their network,

tdw

IP routing knows nothing about VLANs, they are an ethernet (layer 2) construct. Your rules may have a wider scope then you expect, post the output of /export hide-sensitive after redacting any other identifying material (e.g. public addresses)

tdw

Unlike switch chips, which typically apply the PVID tag to untagged packets on ingress and remove it on egress, bridges can handle both tagged and untagged packets. The bridge settings "use IP firewall" and "use IP firewall for VLAN" are only required if you want packets travelling directly between ...

tdw

Sounds like an MTU issue, the default PPPoE server setup has an MTU of 1480.

tdw

Mikrotiks don't support /31 directly, the typical workaround is to configure the interface as a point-to-point link with a /32 address at each end /ip address add address=63.24.113.29 interface=WANVLANNAME network=63.24.113.28 Unless you have disabled or removed the DHCP client in the default config...

tdw

In that case the statement about not being able to route where the source and destination subnets are the same still applies, set up an EoIP tunnel between the Mikrotiks and bridge the VLAN

tdw

In the Mikrotik MPLS/VPLS example the routers are interconnected with IP running over direct ethernet connections, in your case they would be interconnected with IP running over your LTE modem connections. As each of your sites has a single WAN connection, i.e. you don't have redundant paths as in t...

tdw

VLANs are generally unnecessary where there is only a single subnet present on an ethernet network. In your diagram labelling the left and right hand boxes 'LAN 18' rather than 'VLAN 18' would be more appropriate unless the diagram does not show all the detail. It is impossible to route traffic wher...

tdw

Spanning tree will not do what you want - it is designed to block redundant paths. As Mikrotik do not implement SPB (shortest path bridging) you might be able to do something with bridge split horizon, or failing that static bridge filters. Ideally being able to use IP (i.e. layer 3) instead of Ethe...

tdw

A few things: Uncheck 'Use service VLAN' in the configuration for vlan10 - it should be a regular 802.1Q VLAN rather than an 802.1ad (service) VLAN. Remove the entries under /interface ethernet switch vlan - it is possible to mix a non-VLAN aware bridge with hardware switching and VLAN filtering, bu...

tdw

The current untagged vlan10 entry is incorrect, it may be cleared by a reboot.

Note that vlan10 should not be included under Bridge>Ports, the output of /export hide-sensitive would be more useful than a selection of screenshots.

tdw

As you are using a VLAN-aware bridge: The VLAN interface created in #2 should be attached to bridge-lan NOT ether2 When setting up the DHCP server in #4 you need to create an entry under the Network tab too The bridge VLAN settings in #5 are not correct, the entry for VLAN 10 should have tagged=brid...

tdw

Nothing obvious jumps out, although what is /interface bridge filter add action=drop chain=input dst-port=68 in-interface=ether1 ip-protocol=udp mac-protocol=ip for? The only thing which comes to mind is that the wireless link isn't operating transparently so a device connected at the remote end has...

tdw

post the output of /export hide-sensitive for both devices

tdw

I assign an address from the pool on the router wlan1 interface. The router has two global address: 2000:1111:2000:9:aaaa:bbbb:cccc:dddd on sfp1 and 2000:1111:3333::1 on wlan1 There is no mention of wlan1 in anything you have posted so far, all of the IPv6 configuration you have provided references...

tdw

Most likely the additional networks are not having NAT performed before heading for the 'WAN' interface, post the output of /export hide-sensitive after sanitising any public IPs, etc.

tdw

Replace your two existing bridges (bridge & bridge_verejny) with a single VLAN-aware bridge, see https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering and there are many posts on the forms too.

tdw

It is difficult to tell from a printing the state of a few items, /export hide-sensitive (in this case /ipv6 export hide-sensitive is probably sufficient) and sanitise any public IPs. That said, as your ISP is not using link-local addresses for the WAN connection you should configure the DHCP client...

tdw

Without the full configurations it is difficult to see exactly what the problem is. You can't connect bridges together (this isn't strictly true, there are ways of connecting VLANs between bridges but often breaks things in mysterious ways, see https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfigu...

tdw

1. Managed to update all the interface with the correct MAC address. However, the Admin MAC Address on the Bridge is still incorrect. Will it effect the network in any way if I were to disable it and allow RouterOS to pick it from the attached interfaces ? When you disable the bridge Admin MAC addr...

tdw

The HP1810G switch used by the OP didn't implement any spanning tree, but apparently violates network standards by passing BPDUs - see https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c02597134 . I've used HP1810G v2 models which do support spanning tree correctly. The mishandling, toget...

tdw

The IP address and DHCP server configuration is incorrect: /ip address add address=192.168.2.1/24 interface= bridge1 network=192.168.2.0 add address=10.10.10.1/24 interface=IOT network=10.10.10.0 /ip dhcp-server add add-arp=yes address-pool=dhcp disabled=no interface=bridge1 lease-time=1w name=dhcp ...

tdw

Thank you for the feedback. I believe all are very appropriate. Router 1 1. Correct, I loaded a backup from another configuration. Have 5 similar sites, same router model, same ISP and configuration, only difference is the public IP and VLAN ID. Any suggestion to remove the MAC addresses? There is ...

tdw

Your VLANs have isolated the various apartments ethernet / layer 2 networks, however without firewall rules to prevent forwarding the CRS will be routing traffic between the subnets on those VLANs. The CRS devices are designed for switching plus the odd service function and a some routing, the CPU i...

tdw

The CCR packet sniffer shows: Untagged packets arriving on ether3-Server from 10.0.15.10 destined for 10.0.10.5 Tagged packets with VID 10 leaving on ether2-HAPac from 10.0.15.10 destined for 10.0.10.5 so the CCR is forwarding the packets as expected. The hAP packet sniffer shows: Tagged packets wit...

tdw

Router 1 A backup from a different device has been loaded in the past - this is why there are mac-address=CC:2D:E0:39:D0:xx settings present. If the original router with these addresses is connected to the same network it will cause problems. Why the socks proxy setup? The WAN interface list is inco...

Search found 366 matches