MikroTik

tdw

It is an internal process so accessible on any local IP address via any IP interface, e.g. the gateway address you have set on each bridge, unless restricted by firewall rules. We usually set the NTP server & DHCP server fields to be the same as the gateway for each DHCP server network for any DHCP ...

tdw

I've set up PPTP VPN on several MK routers. They all work except for one problem. I need to access the local network hosted by the MK router. Only one of the routers works right. It has to be a firewall issue, as the only major difference is the firewall settings. On the problem routers I was able ...

tdw

It's enough that I've lost switching possibility for ether1 after some prior upgrade (from 6.3x.x to 6.4x).

What does /interface ethernet switch print detail show?

tdw

Sadly modern SOHO-class RB devices seem to contain crippled switch chips (RB4011 has RTL8367, RB750Gr3 has MT7621) which don't have any VLAN support what so ever. Seems like MT is trying to create some gap between RB and CRS (even low-end) devices. Which in SOHO segment is a pity (RB951G makes a wo...

tdw

Look at speed=100Mbps Not sure why I can not see the correct speed when running this command, but its 1GB link Same here: /interface export /interface ethernet set [ find default-name=ether1 ] name=ether1-Wan speed=100Mbps set [ find default-name=ether2 ] name=ether2 speed=100Mbps set [ find defaul...

tdw

I connect to manage routers with ssh using an rsa ssh key. SSH stong-crypto is set to yes. I upgraded a remote test router from 6.43.16 long-term to 6.44.5 long-term. It allows me to make a connection using Putty as usual, the connection terminal window displays correctly. But when I try to manage ...

tdw

The behaviour you see is correct. IP is layer 3 and ARP handles the layer 3 to layer 2 mappings, whereas the bridge is purely layer 2 and 'which MAC is on which port' is stored in the bridge hosts table.

tdw

The issue is the Sync Rate and whether the module is passive or active So insofar as the RB4011 and its SFP+ port is concerned -- it only accepts Active modules that Sync at 1.25G or 10G and will not accept 2.5G for sync rate. I am assuming that Bell move to 10G will have the ability to Sync at 10G...

tdw

In what way does it crash, or rather does it not work as you expect?

There are functional differences between some switch chips which Mikrotik use, in particular only a couple (QCA8337, Atheros8327) support hybrid ports.

tdw

we use CRM, ISPadmin, which communicates with MKT by API, but when updating to 6.45.1 API doesnt work, because new API authentification is not implement in our CRM. It says "killing PID 25009, API number exceeds the limit", but when downgrade to 6.44.3, which worked with CRM prior and should have c...

tdw

Example what I am trying that is not working: winbox to IPv6 Mikrotik ---> [2605:4e40:0:1fe::]:8295 (this does not work)

All zeros for the host address is somewhat unusual, so may be a bug.

tdw

Not with the Mikrotik supplied 24V PSU as there are several differing incompatible PoE standards. However, it should work if you replace this with a 48V PSU as the RB4011 specification states "DC jack input Voltage 12-57 V ", and the Cloud Key specification states "48V 802.3af or Passive PoE ( Pairs...

tdw

You can't add the SFP to the switch as is connected directly to the CPU, see https://i.mt.lv/cdn/rb_files/RB960PGS-161220141841.png You appear to have the SFP in the bridge and the switch VLANs configured on the CPU port ( /export hide-sensitive is generally more useful than printing settings), so i...

tdw

As you are seeing misdirected unicast from a port on your CRS the issue likely lies with the switch forwarding database therein. I had the same issue with some old Mikrotiks based on AR7240 switch chips where some client MAC addresses on different ports appeared to be hashed to the same value so onl...

tdw

Yes. Removing the masquerade rule leaves the source address of the PPPoE client unchanged, enabling proxy ARP allows the router to reply to ARP requests from the firewall for 192.168.10.x PPPoE client addresses so traffic may be returned.

tdw

OK, you appear to be statically assigning client PPPoE addresses in your RADIUS server rather than using a dynamic IP pool, the method doesn't change - enable proxy ARP on ether1 /interface ethernet set [ find default-name=ether1 ] arp=proxy-arp and disable/remove the masquerade rule. What is the 19...

tdw

It is difficult to say exactly as it isn't clear exactly how devices are connected (hint post the output of /export hide-sensitive and redact any public IPs, etc.). That said stop masquerading your PPPoE clients (as this replaces the PPPoE client address with 192.168.10.3 ), and as you appear to be ...

tdw

If the unmanaged switch connected to ether4 is only for multimedia devices on VLAN30, then change ether4 to be untagged for VLAN30 /interface bridge port ... add bridge=bridge interface=ether4 pvid=30 ... /interface bridge vlan add bridge=bridge untagged=bridge,ether2,ether3,ether5,ether6,ether7 vla...

tdw

I looked at first example (the one involving switches SW1, SW2, SW3 and SW4 and hosts A and B) in RSTP Wiki page (see [1]). 1. I can read that SW1 settings rely on priority while SW4 rely on path-cost. Can you explain why ? Per the Wiki: In RouterOS the root bridge will be elected based on the smal...

tdw

Create an IPsec peer entry for the remote address with a different secret.

tdw

From the Remote Office LAN, I can already ping the Main Office router and the devices inside its LAN, From the Main Office LAN, I can only ping the Remote Office router but not the devices inside its LAN I was thinking, if I am missing a Routing config that will let my ping from the Main Office to ...

tdw

The configurations are missing some important configuration details, so you may have misunderstood what local-address and remote-address do - they are the address the EoIP packets originate from and are sent to, typically the WAN IP of the two Mikrotiks. In the diagram you also have clients 192.168....

tdw

That is because at some point you have turned off bridge VLAN filtering, the emboldened item is missing: /interface bridge add admin-mac=B8:69:F4:B6:7D:6F auto-mac=no comment=defconf name=bridge vlan-filtering=yes Currently, turning on VLAN filtering will break things as your VLAN1 bridge configurat...

tdw

OK. Naming your bridge "Static IPs" is somewhat confusing - it appears to actually be your WAN, and it is included in your LAN interface list which will allow more external access to your Mikrotik than you may wish for. The /ip dhcp client entry for sfp1 is the cause of your DHCP requests, and as it...

tdw

It appears that as Let's Encrypt is fairly new in the certificate world their certificates were cross-signed by an established CA so they would be recognised by browsers which already had the established CA certificate. Now that the Let's Encrypt CA has made its way into trusted CA bundles (in OS an...

tdw

A couple of errors - incorrect address and insufficent scope for NAT:

/ip address
add address=192.168.88.1/24 interface=bridgewifi network=192.168.88.0

/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1 src-address=192.168.88.0/24

tdw

Just changed add bridge=bridge tagged=bridge,ether5,ether6 vlan-ids=2 There was vlan-ids=2, changed it to 20. So if I will want to isolate for example all TV's and other devices from my network, steps are similar right? So another DHCP for multimedia devices, another address list, bridge vlan etc. ...

tdw

As you have moved ether5 & ether6 to a separate bridge the APs will only have access to VLAN20. Using multiple bridges to handle VLANs is not recommended, see https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration for the various pitfalls. The recommended method is to use a single VLAN-aware ...

tdw

The server certificate on the client is unnecessary.

You can use openssl s_client -connect my.host.com:port on a linux system, or something like https://www.sslshopper.com/ssl-checker.html to check the server is providing the correct information.

tdw

/interface bridge port adds interfaces to the bridge, the pvid paramater only specifies which VLAN untagged ingress traffic is assigned to. /interface bridge vlan configures per-VLAN port mapping with an egress VLAN tag action - tagged ports send out frames with a learned VLAN ID tag, untagged port...

tdw

Your approach sounds OK, probably something small overlooked. Post the output of /export hide-sensitive here between code tags (the [] icon above the reply box).

tdw

In v6.43 and later the standards-compliant behaviour (i.e. that packets destined to 01:80:C2:XX:XX:XX should NOT be forwarded) can be disabled by setting the bridge protocol-mode=none, see https://wiki.mikrotik.com/wiki/Manual:L ... _addresses

tdw

AFAIK Verify Server Address from Certificate does nothing if Verify Server Certificate is disabled. The error message self-signed certificate in certificate chain most likely indicates you have not installed the certificate chain - on the server you should have: Let's Encrypt root CA cert, any inter...

tdw

/export hide-sensitive

tdw

No, the whole config - to see all of the interface and IP configuration

tdw

I'd post the output of /export hide-sensitive with any public IPs, etc, obsfucated.

Rather than multiple screenshots, either save as a file and copy to your computer, or use <right-click> Copy All in the terminal window. Paste here in a code tag (the [] icon above the reply box).

tdw

What does the following pasted into a terminal window on the mikrotik show: :foreach i in=[/interface ethernet find] do={ :put "$[/interface ethernet get $i default-name] $[/interface ethernet get $i mac-address]"; } Your config, or certainly the DHCP part of it (using /ip dhcp-server export hide-se...

tdw

Those MAC addresses are assigned to Mikrotik. What are the log messages?

tdw

A DHCP server will not offer an address unless asked for one. With a conventional DHCP server setup, configured with an IP pool, a dynamic lease will appear in the DHCP server leases tab and remain there until the lease time specified expires. An partial ARP entry will appear if anything attempts to...

tdw

IP > Firewall uses IP addresses, not MAC addresses.

If you want to block a MAC address the interface will have to be in a bridge, then use Bridge > Filter

The ! means NOT - for example !192.168.1.42 means 'any address except 192.168.1.42'

tdw

If ping tests from the TP-Link via the HP switch and Mikrotik are OK that would suggest there is no problem with the Mikrotik configuration. Multiple NAT isn't ideal, but wouldn't cause this sort of issue. As you are seeing duplicate packets when testing from the TP-Link LAN, that, and spikes of lag...

tdw

Multinetting (assignment of more than one IP address to an interface) is fine, and the appropriate routing table entries will be created automatically. If you can ping both 10.0.0.2 and 192.168.152.x from the mikrotik, but can't ping or access 10.0.0.2 from 192.168.152.x, what is most likely happeni...

tdw

There are a couple of sections of that configuration where you have used the wrong interfaces, firstly /interface bridge port should refer to physical interfaces, not the VLANs /interface bridge port add bridge=switch_bridge frame-types=admit-only-untagged-and-priority-tagged \ ingress-filtering=yes...

tdw

Historically the RouterBoot firmware and the main RouterOS had unrelated version numbers, and a changelog here https://wiki.mikrotik.com/wiki/RouterBOOT_changelog Mikrotik changed the RouterBoot firmware version numbering so it now matches the RouterOS version number, and AFAIK there isn't any way t...

tdw

You are attempting to mix a VLAN-aware bridge /interface bridge add ... vlan-filtering=yes and switch chips VLANs /interface ethernet switch port . This is inadvisable - either use a non-VLAN-aware bridge (these are transparent to VLANs) and configure switch chip VLANs, OR a VLAN-aware bridge with V...

tdw

Want are you expecting the /ip firewall nat rule #1 at siteA to do?

tdw

So you are running an EoIP tunnel inside a PPTP VPN? This would require smaller MTUs to accommodate the tunnel-in-a-tunnel. In addition, PPTP is an insecure VPN protocol, and uses software encryption which will be loading the CPU in your routers - what is the CPU load whilst you are testing the thro...

tdw

That version is rather old, and has multiple remotely exploitable vulnerabilities - I'd suggest upgrading to at least the current long-term version first. Note that master/slave ports don't exist in version 6.41 onwards, the functionality has been moved to bridges so keep backups. If there are any s...

tdw

The best method very much depends on the nature of the traffic between the two sites e.g. the number of distinct MAC addresses at each end, and the variety of TCP/UDP ports the traffic uses. If your case has the bulk of the traffic between one device at each end over a single TCP or UDP connection t...

tdw

You don't say what model Mikrotik, but switch2 is connected to ether6-10 and switch1 to ether1-5 on 2011/3011 (additionally switch 1 to sfp1 on a 2011)

Search found 135 matches