MikroTik

tdw

Looking at the assigned WAN IP address it appears your ISP is using CGNAT

1 D 100.64.68.8/32 94.229.236.4 mts-pppoe

Without a public IP no amount of tinkering with your router will allow your web server to be accessed from the internet.

tdw

It could be in any number of places - the VPN client, the Mikrotik or the RADIUS server. Most likely a character set mapping issue, enabling debugging/logging on the Mikrotik and/or RADIUS server should display the usernames and hopefully show where it is being misinterpreted. When you say you have ...

tdw

Forwarding a packet out of the interface on which it is received is considered invalid. You have to explicitly allow traffic which does this, typically for asymmetric routing as in your case, also for some multinetted and VRRP configurations as well.

tdw

Yes, but if you attach a server directly to a router and that router fails you have no access to that server. As your servers have multiple NICs you could connect each server to both routers, but you would have to either run a routing protocol on the servers to announce their presence to the two rou...

tdw

SLAAC requires /64 as that is the size of an automatically generated address. It is possible to use smaller subnet sizes when using static addresses or DHCP, but AFAIK it is no longer recommended

tdw

In a word, no. Some encryption algorithms (notably CHAP) require the plaintext password so PPP secrets (for servers), passwords for VPN/PPPoE clients, wireless PSKs, etc. are all stored as plain text in the configuration file. Only trusted administrators should have full access to the Mikrotik. When...

tdw

You don't have to send the traffic through a loopback address on a Mikrotik. Create a loopback interface using a bridge, add the public IP address to the loopback interface, use a srcnat rule specifying the public IP as the to-address: /interface bridge add name=loopback protocol-mode=none /interfac...

tdw

You have assigned the address 192.168.1.3 to ether1 and no address to wlan1. If you want to bridge ether1 and wlan1 so they are the same layer2 network then both interfaces should be added to a bridge, the IP address and DHCP server should specify the bridge as the interface, not any of the members....

tdw

All ports are in the default bridge1 bridge and there is no special configuration on those ports. That is incorrect, as you have: /interface bridge port add bridge=bridge1 interface=ether6 add bridge=bridge1 interface=ether23 add bridge=bridge1 interface=ether24 /interface bridge vlan add bridge=br...

tdw

Each would need their own IP address/subnet, IP pool, DHCP network & DHCP server, plus firewall rules to prevent them communicating with each other - by default the router routes traffic between all LAN networks. Depending on the physical location of the router with respect to the offices, plus the ...

tdw

That rule will allow any IP address to connect to your VPN server, if you expose services on well known ports they will get scanned at some point. You could create an address list, e.g. 'VPNusers' and add src-address-list=VPNusers to the rule. This will prevent access to your VPN server if the addre...

tdw

but their OpenVPN implementation is known to be rudimentary.

And insecure, the MT OpenVPN client does not check the server certificate, see https://nvd.nist.gov/vuln/detail/CVE-2018-10066 and https://janis-streib.de/post/mikrotik-ovpn-security/, which AFAIK has not been addressed

tdw

If you are running RouterOS <6.43 then upgrade to the latest (6.43.8) *BUT* check the release notes for things which may need configuration changes (e.g. bridge / master-port changes if upgrading from <6.41) If the RADIUS traffic is on an internal LAN you are probably OK, it isn't the sort of thing ...

tdw

If there is no IP configuration on the 2011 bridge no firewall rules required, you could exclude the interfaces for mac-telnet & mac-winbox access though. However for management access you probably do want some IP configuration - you have a few options: IP on the bridge, blocking IP on RB2011 ether1...

tdw

It appears you have the wrong netmask on the VRRP interface - unlike all the other VRRP implementations I've seen Mikrotik need the VRRP address to be specfied with /32 NOT /24 (or whatever is appropriate for your LAN/VLAN), see https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP#IPv4 . You then ge...

tdw

AD usually contains NT hash of the users password which will not work with CHAP - you need the plaintext at the server. Presumably you are running RouterOS version < 6.43 as this changed the login service authentication from CHAP to MSCHAPv2 (which should work authenticating against AD). Ensure the ...

tdw

Having VLAN configuration spread across multiple menus is confusing, especially as there are two completely different sets of configuration which depends on an interface being hardware accelerated or not. I suspect the stopping working after 5 minutes is when ARP or FDB table entries age out. This, ...

tdw

You don't have to worry about the VLAN101 tagging - that is handled by the Openreach modem (I've used Draytek 130 modems extensively and they also handle this by default). Unlike the usual retail/business FTTC/FTTP services which use PPPoE it looks like you have a point-to-point ethernet WAN connect...

tdw

Instead of using 'Add default route' in the PPPoE client interface settings you could add a static default route for IPv4 only

/ip route
add distance=1 gateway=YOUR_PPPOE_INTERFACE_NAME

tdw

What information do they provide, and as it is wires-only and FTTC based what VDSL modem are you using?

tdw

Do clients connected to the LAN port using addresses 197.xx.xx.226 - 197.xx.xx.254 have internet access? Assuming they do, the issue is that traffic from the Mikrotik itself will originate from 192.xx.xx.254, as that is assigned to the WAN port, not one of the public IP addresses. You should be able...

tdw

The bridge itself should be included in the bridge vlan declarations /interface bridge vlan add bridge=MAIN_BRIDGE tagged=MAIN_BRIDGE untagged=ether1 vlan-ids=40 add bridge=MAIN_BRIDGE tagged=MAIN_BRIDGE untagged=ether3 vlan-ids=30 add bridge=MAIN_BRIDGE tagged=MAIN_BRIDGE untagged="ether4,ether5,et...

tdw

No IP address assigned to bridge-guest /ip address add address=192.168.10.1/24 interface=bridge-guest That should fix DHCP leases, guest devices might be able to perform DNS lookups as you have specified dns=192.168.0.1 rather than 192.168.10.1 for /ip dhcp-server network and the bridge filter forwa...

tdw

RFC2516 says "When a PADT is received, no further PPP traffic is allowed to be sent using that session. Even normal PPP termination packets MUST NOT be sent after sending or receiving a PADT. A PPP peer SHOULD use the PPP protocol itself to bring down a PPPoE session, but the PADT MAY be used when P...

tdw

Servers can request client certificates in the TLS handshake, it doesn't depend on EAP support. See https://en.wikipedia.org/wiki/Transport ... _handshake

tdw

Use a larger subnet than the default /24 - if you change to 10.5.50.1/23 you could use 10.5.50.2-10.5.51.254 which gives you 509, or 10.5.50.1/22 you could use 10.5.50.2-10.5.53.254 which gives you 1021. I can't recall if you can set a larger subnet in the hotspot wizard, or if you need to change th...

tdw

The dynamic entries are populated from ARP protocol replies - when a device wants to communicate with something on the same subnet as itself it will broadcast an ARP request, e.g. 'Who has 192.168.1.2' and if the target exists it should reply with '00:01:02:03:04:05 has 192.168.1.2', for example. Ha...

tdw

See the second note here https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip I've not had chance to experiment with adding all the VLANs to both switch1cpu and switch2cpu (under Switch>VLAN) to see if the traffic would then, for example, take the path e...

tdw

I don't feel competent to compare security of IPsec and SSTP, but haven't found anything regarding SSTP's vulnerabilities than this . From other than security perspective, SSTP, like every other VPN which uses TCP transport, is not the best choice in environments where packet loss is an issue, but ...

tdw

Any port can only be a member of one bridge, with firmware >= 6.41 use a single VLAN-aware bridge and define all of the required VLANs on the one bridge. Your example would become /interface bridge add name=bridge vlan-filtering=no /interface vlan add interface=bridge name=MGMT vlan-id=3524 /interfa...

tdw

Presumably based on https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching#Other_devices_with_built-in_switch_chip And no, ether2 and ether3 are part of the same layer2 network and can communicate with each other, similarly ether4 and ether5 are another layer2 network and communicate with each o...

tdw

RR is only a sensible choice when the two links are identical, basically copper or fibre connections, or you will suffer from out-of-order packet delivery. Traffic distribution for other algorithms very much depends on the hash algorithm and the traffic - if you have routed IP traffic but are using ...

tdw

PPPoE uses IPCP for address assignment, not DHCP. You mention you have 5 fixed IP addresses - presumably a /29 subnet? You would connect to the ISP with some thing like: /interface pppoe-client add add-default-route=yes disabled=no interface=sfp1 name=pppoe-out password=*PASS* use-peer-dns=yes user=...

tdw

I don't know if Mikrotik have removed the previous default config in favor of people using Quickset https://wiki.mikrotik.com/wiki/Manual:Quickset instead, but if they have done it should really be mentioned in the release notes

tdw

There is at least one commercial product, Unimus, which handles mass config management, auditing, etc. - I've not used it, but they were one of the vendors at MUM Birmingham a few weeks ago

tdw

You only need VLANs if you wish to have multiple segregated layer2 (ethernet) networks connected to a single port. In your case your have four distinct networks on four distinct ethernet ports so your scenario is possible without VLANs. ether2 - set ip address, create ip pool for dhcp, dhcp server &...

tdw

STP/RSTP/MSTP were designed to reorganise networks when links failed, not provide bandwidth sharing.If you wish to use both links at the same time see https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding

tdw

'interface bridge vlan' entries specifies egress handling, in the full config listing you seem to be missing: /interface bridge vlan add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=100 some of the 'interface bridge port' parameters handle ingress - in addition to 'pvid' for th...

tdw

Not having vlan-mode=secure (see https://wiki.mikrotik.com/wiki/Manual:S ... d_Ports.29 ) on all switch ports often has unintended side-effects, take care when enabling as a misconfiguration of port VLANs can lock you out if conning via a switch port.

tdw

DHCP network is for IGMP - IP TV PPPoE network is for Internet access Both default routes have the same distance (1), so which one is used depends on the order in which they are seen. The distance used to be zero on DHCP/PPPoE client interfaces which technically was incorrect as distance of 0 shoul...

tdw

The warning about master-port configurations being updated to the new bridge configuration should really be repeated in the release notes now this version has changed track from current/stable to bugfix/long-term - people who have been using the bugfix branch may be unaware of the change introduced ...

tdw

As you say, ideally the switch menu VLAN configuration should be replaced by the VLAN-aware bridge so if a port has hardware offload enabled this is automatically translated into the necessary switch VLAN configuration. Meantime, it should be possible to use the switch chip with a non-VLAN aware bri...

tdw

Hello Folks! I have problem backing up configuration on practically all devices using ros 6.42 or bigger, just discovered it today. The message I got is: "backup,critical error creating backup file: could not read all configuration files" There is no full filesystems and other visible errors. I saw...

tdw

I'm also seeing "backup,critical error creating backup file: could not read all configuration files" messages after upgrading on several devices. 2x RB750 v6.39.3 -> v6.42.1 2011UAS-2HnD v6.41.4 -> v6.42 (may also have produced the same message) -> v6.42.1 All appear to be operating fine, backup wor...

Search found 44 matches