Search found 1844 matches

by tdw
Sun Mar 17, 2024 12:03 am
Forum: General
Topic: Wires Only Leased Line Hardware Recommendation
Replies: 10
Views: 767

Re: Wires Only Leased Line Hardware Recommendation

I am a novice with this but the ISP have provided me with the following. It doesn't really make sense, the LAN information is OK LAN First IP Address: 51.x.x.33 LAN Subnet Mask: 255.255.255.240 Customer IP Assignment: 51.x.x.32/28 so when presented as IP over ethernet connections .32 is the networ...
by tdw
Sat Mar 16, 2024 11:12 pm
Forum: General
Topic: Wires Only Leased Line Hardware Recommendation
Replies: 10
Views: 767

Re: Wires Only Leased Line Hardware Recommendation

A 4011 or 5009 would be fine, ICUK use them or Ubiquiti EdgeRouters on their managed 1Gb EAD circuits. The ISP information seems incomplete - typically they would specify a /30 or /31 WAN connection, together with a routed subnet which you can present on the LAN side of your router as a conventional...
by tdw
Thu Mar 14, 2024 10:47 pm
Forum: General
Topic: VLAN setup device with AR8327 and WI-FI [SOLVED]
Replies: 2
Views: 460

Re: VLAN setup device with AR8327 and WI-FI [SOLVED]

You have to apply the tagging in the wireless interface with vlan-id=XXX and vlan-mode=use-tag - this is only possible in the old (6.x or 7.x up to and including 7.12) /interface wireless settings, it is a lost feature with the new /interface/wifi/ drivers
by tdw
Tue Feb 27, 2024 8:36 pm
Forum: General
Topic: IPv6 between bridges
Replies: 22
Views: 1089

Re: IPv6 between bridges

I think the problem is with Neighbour Solicitation, not sure if can forward it between bridges. When pinging ISP router from br_lan it sends NS but does not get a reply as multicast packet is not forwarded between br_wan and br_lan to host
No it can't, see post #6. The ISP should be routing the /48...
by tdw
Sun Feb 25, 2024 8:34 pm
Forum: General
Topic: IPv6 between bridges
Replies: 22
Views: 1089

Re: IPv6 between bridges

They just forwarded to us /48 prefix.
Forwarded to what address? This is different to the interface on their gateway being given a /48 subnet mask.

A few ISPs seem clueless about this. I suggest reading https://www.ripe.net/publications/docs/ripe-690/, in particular section 4.1
by tdw
Sun Feb 25, 2024 8:29 pm
Forum: General
Topic: IPv6 between bridges
Replies: 22
Views: 1089

Re: IPv6 between bridges

For example br_wan - 2a02:a3XX:8::2/64 br_lan - 2a02:a3XX:8::3/64 Mikrotik in my opinion should be able to route between those GUA addresses as those are internally assigned and GUA must be routed, but it does not.
No. This doesn't just apply to Mikrotik, addresses in the same subnet are only reach...
by tdw
Sun Feb 25, 2024 4:24 pm
Forum: General
Topic: IPv6 between bridges
Replies: 22
Views: 1089

Re: IPv6 between bridges

The br_wan address should be /64, and the ISP router should be configured to route the /48 to this address. The br_lan address should again be /64 and also a different subnet.
It does not matter what I configure on br_wan and br_lan as IPv6 routing between br_lan and br_wan does not work
Example as...
by tdw
Sun Feb 25, 2024 2:02 pm
Forum: General
Topic: IPv6 between bridges
Replies: 22
Views: 1089

Re: IPv6 between bridges

The br_wan address should be /64, and the ISP router should be configured to route the /48 to this address.
The br_lan address should again be /64 and also a different subnet.
by tdw
Sun Feb 25, 2024 2:57 am
Forum: General
Topic: IPv6 between bridges
Replies: 22
Views: 1089

Re: IPv6 between bridges

Link-local addresses, as the name suggests, are only valid within a layer 2 broadcast domain. You say "From br_lan I can not reach br_wan via GUA if both bridges are configured with the GUA address" - you should assign different GUA addresses to each otherwise routing will not work. Typical...
by tdw
Sat Feb 17, 2024 3:57 pm
Forum: General
Topic: Transport layer 2 over Internet?
Replies: 4
Views: 374

Re: Transport layer 2 over Internet?

There is a layer 2 bridging option for any PPP-based protocols (e.g. L2TP, SSTP) using BCP, although it doesn't work fully with vlan-aware bridges, or OpenVPN using TAP.

With RouterOS v7 there is also VXLAN and L2TPv3 but the documentation and examples are rather sparse.
by tdw
Tue Feb 13, 2024 12:06 am
Forum: Beginner Basics
Topic: Subnet Public IP's issue
Replies: 3
Views: 418

Re: Subnet Public IP's issue

Mikrotik do not support RFC3021 /31 addressing, use /32 for the local and gateway addresses: /ip address add address=88.xx.xx.15 interface=vlan835 network=88.xx.xx.14 If the subnet public IP is routed to you then adding those addresses to the WAN interface is incorrect. The conventional use case wo...
by tdw
Mon Feb 12, 2024 8:23 pm
Forum: General
Topic: UPnP is not working?
Replies: 14
Views: 771

Re: UPnP is not working?

The SIM provider unfortunately does not give me public IP, so I'm under cgnat. Cgnat renders UPnP useless ? I know that port forwarding and DDNS are not working
Yes. UPnP merely automates port forwarding on your router, it doesn't cascade the forwarding rules/requirements to the provider's CGNAT inf...
by tdw
Mon Feb 12, 2024 6:46 pm
Forum: General
Topic: UPnP is not working?
Replies: 14
Views: 771

Re: UPnP is not working?

Not directly related, but does your SIM provide an unfiltered public IP as most either block inbound traffic or use CGNAT which renders UPnP useless. Setting up port forwarding either manually or with UPnP is only required on older Hikvision devices, more recent ones can be configured to establish a...
by tdw
Tue Feb 06, 2024 11:20 pm
Forum: General
Topic: best RouterOS version for old CCR
Replies: 3
Views: 607

Re: best RouterOS version for old CCR

IIRC v7 will always be slower due to kernel changes between v6 and v7, e.g. no more route cache.
by tdw
Fri Feb 02, 2024 2:08 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 760

Re: How do you specify the location in ROS 7? [SOLVED]

It appears that way, although it is a limiting factor if you want to use an indoor device in a weatherproof enclosure outdoors, or the L11UG-5HaxD which could be used in either situation.
by tdw
Fri Feb 02, 2024 1:21 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 760

Re: How do you specify the location in ROS 7? [SOLVED]

It appears not to be included in the new wifi package, see viewtopic.php?p=1052150
by tdw
Fri Feb 02, 2024 1:15 pm
Forum: Wireless Networking
Topic: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]
Replies: 19
Views: 977

Re: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]

Likely skip DFS channels with 10min CAC is incompatible with the channel selection as 5580/Ceee uses 5570-5650.

If the same settings work on a hAP that could be a bug where it is not excluding the extension channels which overlap with 5600-5650.
by tdw
Mon Jan 29, 2024 5:12 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 635

Re: currently-untagged contradicts untagged [SOLVED]

Actually, I have frame-types=admit-only-vlan-tagged set too, on the bridge.
That is only applicable to the implicit bridge-to-CPU port. Each port added under /interface bridge port has its own frame-types= setting.
by tdw
Wed Jan 24, 2024 5:44 pm
Forum: General
Topic: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2
Replies: 4
Views: 459

Re: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2

Mikrotik have likely added the warning as it is a common misconfiguration. RouterOS does not restrict many configuration settings which could be questionable or not sensible making it much more flexible than offerings from other vendors.
by tdw
Wed Jan 24, 2024 5:10 pm
Forum: Beginner Basics
Topic: ISP subnet distribution [SOLVED]
Replies: 5
Views: 701

Re: ISP subnet distribution [SOLVED]

You can either use switch ACL rules, remembering to also permit broadcast IP addresses in addition to each client's unicast IP address, or disable hardware offload and use /ip firewall filter rules after applying /interface bridge settings use-ip-firewall=yes. The CPU performance is likely to limit thr...
by tdw
Wed Jan 24, 2024 3:15 pm
Forum: General
Topic: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2
Replies: 4
Views: 459

Re: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2

Any tagged= or untagged= entries under /interface bridge vlan should only be ports listed under /interface bridge port or bridge names (for the bridge-to-CPU port) You are also mixing tagged and untagged traffic for VLAN 20 on the bridge by having both an /interface vlan with vlan-id=20 attached to ...
by tdw
Wed Jan 24, 2024 2:47 pm
Forum: General
Topic: OpenLDAP login with RADIUS [SOLVED]
Replies: 2
Views: 624

Re: OpenLDAP login with RADIUS [SOLVED]

MSCHAP will definitely work against plaintext credentials, if your setup does not it is most likely a FreeRADIUS configuration error - run it with debugging enabled and look at the logs. Depending on how your password changing is implemented you should be able to incorporate something which will sto...
by tdw
Sat Jan 20, 2024 7:31 pm
Forum: RouterBOARD hardware
Topic: hAP ax Lite USB power
Replies: 6
Views: 1958

Re: hAP ax Lite USB power

It is a design fault, and easy enough to make when you are not familiar with all of the complexities of USB-C. The original Raspberry Pi 4 had a similar problem, although that was caused due to the two CC pins being wired together to a single resistor as described in this in-depth article https://ha...
by tdw
Tue Jan 16, 2024 9:12 pm
Forum: General
Topic: how to block bridged packet routed through firewall
Replies: 8
Views: 1792

Re: how to block bridged packet routed through firewall

I probably haven't used bridge filters with mac-protocol qualifiers since before VLAN-aware bridges were introduced. It appears that with vlan-filtering=yes on a bridge much of the bridge filtering options become unusable, all I can suggest is opening a support case with Mikrotik regarding not being...
by tdw
Sun Jan 14, 2024 6:11 pm
Forum: Beginner Basics
Topic: Unable to access the router via L2TP
Replies: 5
Views: 829

Re: Unable to access the router via L2TP

An easy mistake to make is thinking the RJ45 on a PC/laptop is an IP connection. It isn't, layer 3 IP packets are encapsulated in layer 2 ethernet frames sent with layer 1 signalling/coding, e.g. 10BASE-T/100BASE-TX/1000BASE-T. The IP addressing is straightforward - if the destination IP address is w...
by tdw
Sat Jan 13, 2024 9:44 pm
Forum: General
Topic: IP and route configuration for /28
Replies: 12
Views: 1358

Re: IP and route configuration for /28

The standard way to set this up would be to assign 180.2.220.50/28 to your WAN bridge with a default route to 180.2.220.49. The servers would be assigned addresses of 180.2.220.51/28 (likewise .52, .53, etc. for additional servers) again with a default route to 180.2.220.49. If you wish to firewall ...
by tdw
Sat Jan 13, 2024 9:20 pm
Forum: Beginner Basics
Topic: Unable to access the router via L2TP
Replies: 5
Views: 829

Re: Unable to access the router via L2TP

I don't really understand why? default gateway IP 192.168.1.1, remote IP when connected via VPN 192.168.1.2. It's /24 network so I am on the same subnet.
Using the same subnet for L2TP connections as the LAN does not make the connection part of the same network. You could either: use an L2TP serve...
by tdw
Sat Jan 13, 2024 9:07 pm
Forum: Beginner Basics
Topic: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]
Replies: 8
Views: 1225

Re: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]

No. You only need to add the bridge as a tagged member for traffic which interacts with services provided by the CPU, e.g. a router-on-a-stick setup with multiple VLANs. See viewtopic.php?t=173692 for more information.
by tdw
Sat Jan 13, 2024 7:27 pm
Forum: RouterBOARD hardware
Topic: REQUEST: Support i2c SFP/SFP+ Secuential SingleByte Reads to obtain transceiver details from EEPROM
Replies: 34
Views: 20219

Re: REQUEST: Support i2c SFP/SFP+ Secuential SingleByte Reads to obtain transceiver details from EEPROM

This fixes being able to read any data from SFPs which do not correctly handle multi-byte I2C read requests. The actual data, and location thereof, is specified by https://members.snia.org/document/dl/25916 - some is mandatory, some is optional and some is vendor-specific. Mikrotik decode ...
by tdw
Fri Jan 12, 2024 11:06 pm
Forum: General
Topic: IPv6 configuration /64
Replies: 26
Views: 2957

Re: IPv6 configuration /64

Any devices using SLAAC to acquire an IPv6 address require the subnet to be /64, you can't arbitrarily use a different size just because you don't have a suitable block of addresses. It is possible to use smaller subnets if the hosts are assigned static addresses, or acquire addresses from a suitabl...
by tdw
Thu Jan 11, 2024 6:20 pm
Forum: Beginner Basics
Topic: Forward traffic from 1 DHCP client interface to another IP [SOLVED]
Replies: 12
Views: 1167

Re: Forward traffic from 1 DHCP client interface to another IP [SOLVED]

You appear to be using the hEX to connect two networks each of which has existing gateways. Whilst the dst-nat rule will forward packets for any TCP port 80 packets arriving on ether5 to 10.100.10.210 those packets will still have a 192.168.178.x source address, and as 10.100.10.210 knows nothing of...
by tdw
Tue Jan 09, 2024 2:07 am
Forum: General
Topic: how to block bridged packet routed through firewall
Replies: 8
Views: 1792

Re: how to block bridged packet routed through firewall

IIRC you will have to both identify and drop packets in the bridge. Using the IP firewall to identify them would be too late in the packet flow as the packet will have left the bridge by that point. The minimal case to drop any DHCP requests via a bridge port would be /interface bridge filter add ac...
by tdw
Sun Jan 07, 2024 11:20 pm
Forum: General
Topic: video station - change poster, and IMDB information
Replies: 1
Views: 841

Re: video station - change poster, and IMDB information

Why are you posting this in Mikrotik forums? As Video Station is a QNAP application their forums would be a good starting point.
by tdw
Sun Jan 07, 2024 3:24 am
Forum: General
Topic: how to block bridged packet routed through firewall
Replies: 8
Views: 1792

Re: how to block bridged packet routed through firewall

DHCP servers use raw sockets, not regular UDP sockets as you may expect. So whilst the DHCP packets traverse /ip firewall they are actually processed before the packets can be dropped, and from previous threads I don't believe it is possible in /ip firewall raw either, you would have to use /bridge ...
by tdw
Sun Jan 07, 2024 3:09 am
Forum: General
Topic: No traffic between VLANs regardless of firewall
Replies: 7
Views: 1223

Re: No traffic between VLANs regardless of firewall

Which OS are the PCs running? Windows, for example, by default blocks ICMP from outside the directly connected LAN subnet.

Using bridge-to-CPU interface as hybrid instead of all tagged is not an error, some people just do not like the cosmetics.
by tdw
Sat Dec 23, 2023 6:40 pm
Forum: General
Topic: Installing linux packet on MikroTik Router
Replies: 6
Views: 866

Re: Installing linux packet on MikroTik Router

No. Only packages signed by Mikrotik can be installed directly on the device. Only Mikrotik know what their plans for future functionality are. If you have a model capable of supporting containers you can add functionality that way.
by tdw
Thu Dec 21, 2023 2:50 am
Forum: Beginner Basics
Topic: Routing does not work
Replies: 1
Views: 589

Re: Routing does not work

A list of commands applied to a device plus prints of a random selection of settings is not representative of the actual configuration on the device. The usual recommendation is to post the output of an /export after redacting any sensitive information (serial number, public IPs, credentials in scri...
by tdw
Thu Dec 14, 2023 5:47 am
Forum: General
Topic: 3 different UPS devices
Replies: 3
Views: 1211

Re: 3 different UPS devices

Having built an interface which allows the Mikrotik UPS package to monitor the likes of Meanwell and PULS PSU with battery charging I've looked into the communications in depth. For the USB HID power device class there are both standard and vendor-specific reports, for the serial APC smart protocol ...
by tdw
Tue Dec 12, 2023 3:14 am
Forum: General
Topic: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]
Replies: 5
Views: 1752

Re: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]

Having the www-ssl service running, or not, on the Mikrotik itself has nothing to do with running an HTTPS webserver elsewhere.
by tdw
Tue Dec 12, 2023 1:36 am
Forum: General
Topic: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]
Replies: 5
Views: 1752

Re: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]

As the error message suggested port 443 is in use:
/ip service
set www-ssl disabled=no
by tdw
Mon Dec 11, 2023 4:48 pm
Forum: Beginner Basics
Topic: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]
Replies: 8
Views: 2823

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]

My WAN was PPPoE, but configured to use baby jumbo frames giving an MTU of 1500, so I used the defaults of mtu=auto and clamp-tcp-mss=yes on the 6to4 interface. The minimum MTU for IPv6 is 1280, normally you should set your MTU correctly and let path MTU discovery do its thing. IPv6 fragmentation is...
by tdw
Sun Dec 10, 2023 5:01 pm
Forum: Beginner Basics
Topic: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]
Replies: 8
Views: 2823

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]

blackhole would be acceptable - any traffic to unallocated subnets would just be dropped. Otherwise adapting the IPv4 workaround as discussed in a related thread viewtopic.php?p=853939#p853939 would be needed to return unreachable.
by tdw
Sat Dec 09, 2023 3:19 pm
Forum: Beginner Basics
Topic: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]
Replies: 8
Views: 2823

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]

And remember to add unreachable or blackhole routes to any routed subnets so packets to any unused portions don't bounce back and forth between you and HE until the TTL expires. From a previous setup before getting native IPv6: /ipv6 route add distance=1 dst-address=2000::/3 gateway=2001:470:xxxC:xx...
by tdw
Wed Dec 06, 2023 11:49 pm
Forum: General
Topic: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.
Replies: 11
Views: 1743

Re: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.

A Mikrotik bridge has two roles, see viewtopic.php?t=173692

For translating between Cisco and Mikrotik switch port terminology this may be useful viewtopic.php?p=920720#p920720
by tdw
Wed Dec 06, 2023 10:05 pm
Forum: General
Topic: Dot1x PEAP rejected: no key for certificate found
Replies: 6
Views: 2521

Re: Dot1x PEAP rejected: no key for certificate found

Might as well continue here for now. If not set the outer identity should use the inner identity, but it may be worth trying setting it explicitly. It isn't clear from the documentation if the dot1x client will refuse to authenticate if no CA has been imported. You should be able to add additional l...
by tdw
Wed Dec 06, 2023 9:53 pm
Forum: General
Topic: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.
Replies: 11
Views: 1743

Re: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.

Also you have configured the bridge-to-CPU interface to be both tagged and untagged, and there is a mismatch between the bridge ports pvid= and bridge vlan untagged= settings - if you remove all of the untagged= entries these will be created dynamically from the pvid= settings. Depending on how othe...
by tdw
Wed Dec 06, 2023 9:24 pm
Forum: Beginner Basics
Topic: IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]
Replies: 8
Views: 2997

Re: IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]

There is no possibility for communicating classless routes to IPv6 clients. (Apart from the usual default route, of course)
That may be the case for DHCPv6, but that does not acquire the default route in any case. The default route is acquired from RA messages with non-zero RA lifetimes, other rou...
by tdw
Wed Dec 06, 2023 9:21 pm
Forum: Beginner Basics
Topic: IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]
Replies: 8
Views: 2997

Re: IPv6 issues: Want to advertise three v6 pfx w/ SLAAC [SOLVED]

I am still not sure how to convince the routing tables on laptops etc. to only route to those three ipv6 address blocks and prefer-v4 otherwise. Perhaps I need to just live with the default route and use firewall to achieve what I want? Maybe I send back an ICMP unreachable for all but the blocks I...
by tdw
Wed Dec 06, 2023 3:35 pm
Forum: General
Topic: Having issues with DHCP client over trunk [SOLVED]
Replies: 6
Views: 2132

Re: Having issues with DHCP client over trunk [SOLVED]

Yes. VLAN5 & VLAN10 are transporting the two internet connections to the router. Attaching VLAN interfaces with those IDs to the router P5 provides your 'WAN' interfaces.
by tdw
Tue Dec 05, 2023 11:30 pm
Forum: General
Topic: RouterOS7 - Most correct VLAN setup
Replies: 5
Views: 1710

Re: RouterOS7 - Most correct VLAN setup

As hEX PoE uses the QCA8337 switch chip which does not support hardware-offloaded vlan-aware bridges, use a single bridge and configure the switch chip to handle the VLAN filtering, see the examples https://help.mikrotik.com/docs/display/ ... upExamples
by tdw
Mon Dec 04, 2023 3:05 am
Forum: General
Topic: Force ipv4 to use for some sites if it have ipv4 and ipv6 address (ipv6 sit tunnelbroker)
Replies: 4
Views: 1182

Re: Force ipv4 to use for some sites if it have ipv4 and ipv6 address (ipv6 sit tunnelbroker)

If client devices resolve both IPv4 and IPv6 addresses for a target site they will use IPv6 in preference to IPv4 to connect. AFAIK Android and iOS implement 'Happy Eyeballs' for fast fallback to IPv4, and some PC programs do but I don't believe Windows itself does. Static IPv6 NXDOMAIN DNS entries ...
by tdw
Fri Dec 01, 2023 8:32 pm
Forum: General
Topic: Dot1x PEAP rejected: no key for certificate found
Replies: 6
Views: 2521

Re: Dot1x PEAP rejected: no key for certificate found

As it is only peripherally related you should really start a new topic rather than resurrecting a years old one. Your site may require a realm in the outer / anonymous identity to direct the request to the appropriate servers (e.g. local or a national proxy). A CA certificate is not required but wit...
by tdw
Thu Nov 30, 2023 4:49 pm
Forum: Beginner Basics
Topic: CRS106-1C-5S: Vlan is forwarded, but no VLAN is configured
Replies: 9
Views: 1463

Re: CRS106-1C-5S: Vlan is forwarded, but no VLAN is configured

The CRS1xx/2xx VLAN handling is very different to all the other models as the UI exposes much of the inner switch workings. The bridge should be set to vlan-filtering=no, any ingress-filtering=, frame-types= and pvid= settings on the bridge and bridge ports should be left at their default values. T...
by tdw
Mon Nov 27, 2023 7:03 pm
Forum: Beginner Basics
Topic: Broadcast packets process [SOLVED]
Replies: 6
Views: 2144

Re: Broadcast packets process [SOLVED]

How can you connect three devices to a single ethernet cable? I would expect each device to be connected to a switch port, in which case you can use port isolation or bridge horizon to prevent packets from one of these devices being sent on the links to the others. Some vendors have 'ip helpers' whi...
by tdw
Sun Nov 26, 2023 6:22 pm
Forum: General
Topic: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]
Replies: 6
Views: 1308

Re: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]

As the PADI/PADO/PADR/PADS handshake completes successfully the PPPoE session should work, but there is no response to the LCP negotiation. I would suggest connecting the modem directly to a PC/Mac and configuring a PPPoE client on that to verify a connection can be established, if that also fails t...
by tdw
Sun Nov 26, 2023 1:56 pm
Forum: Beginner Basics
Topic: Help on RM3011UiAS's DHCP Servers
Replies: 2
Views: 883

Re: Help on RM3011UiAS's DHCP Servers

Given the volume of outdated or incorrect configuration settings which may be found searching the internet GPT4 isn't going to be very good. Your VLAN interfaces have not been assigned IP addresses. Remove the relay= settings for the DHCP servers, this is to forward requests to a server elsewhere. Y...
by tdw
Sun Nov 26, 2023 1:36 pm
Forum: General
Topic: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]
Replies: 6
Views: 1308

Re: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]

Yes, only any specific settings for management. Here the factory defaults are bridge mode so the modem will establish a DSL connection and allow PPPoE or DHCP connections from the Mikrotik (or other router) to be established (most of our ISPs use PPPoE but some use DHCP). The firmware for other count...
by tdw
Sat Nov 25, 2023 9:36 pm
Forum: General
Topic: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]
Replies: 6
Views: 1308

Re: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]

For the UK (modem 4 or modem 8) there was an issue going from 3.7.x to 3.8.x with the introduction of QinQ support which had the symptoms you describe. Resetting to factory defaults and reconfiguring any settings required, e.g. LAN IP address for management access, resolved the problem. There are v...
by tdw
Fri Nov 24, 2023 9:24 pm
Forum: General
Topic: Issues with Ethernet MTU Size in EoIPv6
Replies: 3
Views: 867

Re: Issues with Ethernet MTU Size in EoIPv6

Screenshots don't particularly help, an /export of the configuration with any sensitive data redacted (serial number, public IP addresses, etc.) shows exactly what you have. There is bound to be fragmentation over a conventional WAN, so it is a case of finding potentially a combination of tunneling t...
by tdw
Fri Nov 24, 2023 6:15 pm
Forum: General
Topic: Issues with Ethernet MTU Size in EoIPv6
Replies: 3
Views: 867

Re: Issues with Ethernet MTU Size in EoIPv6

The tunnel MTU should be set to 1500 to allow the transport of full-sized Ethernet frames over the tunnel. As the tunnel overheads [40 (IPv6) + 8 (GRE) + 14 (ethernet) + some amount for IPsec (depends on settings)] will result in a total packet size greater than your WAN MTU it will be fragmented. IPv6...
by tdw
Fri Nov 24, 2023 5:29 pm
Forum: Beginner Basics
Topic: 2 Vlans, a firewall, and a PITA DNS.
Replies: 3
Views: 1077

Re: 2 Vlans, a firewall, and a PITA DNS.

What you have attempted is the pre-VLAN-aware bridge method which has a number of caveats, see https://help.mikrotik.com/docs/display/ ... figuration
by tdw
Wed Nov 22, 2023 10:24 pm
Forum: SwOS
Topic: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes
Replies: 6
Views: 2574

Re: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes

Switches do not work in that manner. When a packet is destined for a unicast MAC address which does not exist in the forwarding database, the packet is transmitted out of all the other switch ports; if the destination MAC address does exist in the database the packet is only transmitted out of the port ...
by tdw
Wed Nov 22, 2023 6:19 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 2633

Re: Bridge PVID [SOLVED]

Purists argue that on trunks all VLANs should be tagged, so you would set frame-types=admit-only-vlan-tagged ingress-filtering=yes - the pvid= setting can be anything as it is ignored. Others prefer hybrid trunks where one VLAN is untagged, often for management and with limited access to other devic...
by tdw
Wed Nov 22, 2023 5:00 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 2633

Re: Bridge PVID [SOLVED]

Having the same VLAN tagged and untagged on ports (either a physical ethernet or the intrinsic bridge-to-CPU ones) often breaks communications as packets end up being tagged in one direction but not the other, so you are using a side-effect of this misconfiguration to limit access. The correct way ...
by tdw
Wed Nov 22, 2023 3:37 pm
Forum: Beginner Basics
Topic: mikrotik to mikrotik vpn l2tp ipsec problem [SOLVED]
Replies: 2
Views: 1255

Re: mikrotik to mikrotik vpn l2tp ipsec problem [SOLVED]

A common cause of web pages failing to load in this type of setup is inappropriate tunnel MTU settings. If the tunnel MTU + encapsulation & encryption overheads > WAN MTU the resulting packet is split up and sent as fragmented IP packets, these can be dropped or misordered in transit. The default...
by tdw
Wed Nov 22, 2023 1:48 am
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 2633

Re: Bridge PVID [SOLVED]

Some of the /interface bridge settings relate to the intrinsic bridge-to-CPU port rather than the bridge itself, see viewtopic.php?t=173692
by tdw
Mon Nov 20, 2023 6:53 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4299

Re: IPv6 DS Lite

Pages not loading or taking a long time to load does suggest MTU / fragment handling / PMTU discovery issues. The default clamp-tcp-mss=yes on the tunnel interface should fix this, which does suggest an issue with their gateway. You could try setting dont-fragment=yes which would drop packets where ...
by tdw
Mon Nov 20, 2023 6:21 pm
Forum: Beginner Basics
Topic: ipv6 setup
Replies: 4
Views: 1118

Re: ipv6 setup

You can not guess what it should be, the ISP should provide it as they will be routing the block of subnets to it. Their terminology is rather vague too - 'IPv6 address' does hint at being the WAN address but would typically be /64, not /56, and 'routing prefix' hints at the routed subnet but would...
by tdw
Mon Nov 20, 2023 4:01 pm
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 9
Views: 1402

Re: Hetzner Subnet on Mikrotik CHR

Proxy-ARP is not required, you can set it back to the default.
by tdw
Mon Nov 20, 2023 3:56 pm
Forum: General
Topic: Using different external DNS-Server for different LANs
Replies: 2
Views: 853

Re: Using different external DNS-Server for different LANs

Mikrotik only implement a single DNS server so you are limited to the clients using that or external ones. In your case if the WAN1 peer DNS addresses are static and the VoIP hosts to be resolved can be matched with regexp or match-subdomain you could use the WAN2 DNS servers by default with forward...
by tdw
Mon Nov 20, 2023 5:42 am
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 9
Views: 1402

Re: Hetzner Subnet on Mikrotik CHR

If you configure a router VM as they suggest the CHR should have two ethernet interfaces, then it is a case of translating https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#subnets iface eth0 inet dhcp would be /ip dhcp-client add add-default-route=yes disabled=no interface=...
by tdw
Mon Nov 20, 2023 2:27 am
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 9
Views: 1402

Re: Hetzner Subnet on Mikrotik CHR

Have you read https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#subnets The additional subnet is routed to you. The traditional method would be to assign one of the addresses to a 'LAN' subnet on the CHR to which the VMs are attached, and assign them other addresses from the...
by tdw
Sun Nov 19, 2023 11:59 pm
Forum: SwOS
Topic: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes
Replies: 6
Views: 2574

Re: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes

Five minutes suggests an issue with switch FDB entries ageing out. Do you have any duplicate MAC addresses on different VLANs? SwOS lite does not support IVL which would be required if that is the case.
by tdw
Sun Nov 19, 2023 11:49 pm
Forum: Beginner Basics
Topic: ipv6 setup
Replies: 4
Views: 1118

Re: ipv6 setup

If the addresses are static they should provide a WAN /64 with both their end (the gateway) and your end addresses - the latter should be the target of the routed /56 addresses. If they are mistakenly just presenting a /56 on the WAN that will not work as it requires ND proxy as a hack which Mikroti...
by tdw
Sun Nov 19, 2023 8:46 pm
Forum: General
Topic: Killing my head with L2TP server configuration !
Replies: 2
Views: 1579

Re: Killing my head with L1TP server configuration !

Use the correct terms in the title & description - there is no such thing as L1TP. As you are using a different IP range for VPN clients vs. LAN devices proxy ARP is not required. It is best practice to create a new PPP profile as any changes to the default ones may have unintended side-effects ...
by tdw
Sat Nov 18, 2023 5:18 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1331

Re: Problem with VLAN Setup

Three DHCP servers/networks/pools looks fine - the switch management address is static, if there will be other devices on the management VLAN and they are set up in a similar fashion a DHCP server is not required.
by tdw
Sat Nov 18, 2023 1:26 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1331

Re: Problem with VLAN Setup

CRS326 -> Port 24 is connected to RB5009 (Port 2) This port is missing from the bridge VLAN settings: /interface bridge vlan add bridge=bridge tagged= ether24, sfp-sfpplus1,sfp-sfpplus2 vlan-ids=10 add bridge=bridge tagged= ether24, sfp-sfpplus1,sfp-sfpplus2 vlan-ids=20 add bridge=bridge tagged= et...
by tdw
Fri Nov 17, 2023 11:37 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1331

Re: Problem with VLAN Setup

For the OP - provide the /export of the devices, not the commands you applied to the devices as there may have been errors whilst importing them
by tdw
Fri Nov 17, 2023 2:03 am
Forum: Beginner Basics
Topic: RSTP not working with Switch-VLANs
Replies: 8
Views: 1741

Re: RSTP not working with Switch-VLANs

I'd suggest a new thread with an appropriate title to attract people with CAPsMAN experience. There is also https://help.mikrotik.com/docs/display/ ... with+VLANs if you haven't found it already.
by tdw
Wed Nov 15, 2023 9:39 pm
Forum: Beginner Basics
Topic: RSTP not working with Switch-VLANs
Replies: 8
Views: 1741

Re: RSTP not working with Switch-VLANs

Nothing obvious, other than the Qualcomm/Atheros gigabit switch chips ignore the vlan-header property and use the default-vlan-id property to determine which ports are access ports. From the documentation the vlan-header should always be set to leave-as-is for these chips. The other possibility is t...
by tdw
Wed Nov 15, 2023 3:51 pm
Forum: Beginner Basics
Topic: PPoE Dynamic and Static IPs
Replies: 3
Views: 902

Re: PPoE Dynamic and Static IPs

You do have to configure the additional addresses on a loopback interface if you wish the Mikrotik to respond to ICMP requests, as you say source and destination NAT will work fine without this.
by tdw
Wed Nov 15, 2023 2:30 am
Forum: Beginner Basics
Topic: RSTP not working with Switch-VLANs
Replies: 8
Views: 1741

Re: RSTP not working with Switch-VLANs

Can the firewall somehow block RSTP with an Input-rule? No. I see RSTP disabled under service ports by default, but I think this is only used when going thru NAT. That is RTSP not RSTP. I created both private and guest VLANs on the bridge interface. All Ports (except WAN-Port), WLAN interfaces and d...
by tdw
Sun Nov 12, 2023 6:59 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4299

Re: IPv6 DS Lite

Difficult to say - you can check CPU utilisation on your device, but it is often not possible to check what the ISP is doing. Most likely is fragmented packets - the default MTU for Mikrotik ipipv6 tunnels appears to be 1460 (i.e. 1500 - size of an IPv6 header), if your IPv6 WAN is less than 1500 th...
by tdw
Fri Nov 10, 2023 10:24 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4299

Re: IPv6 DS Lite

Glad you have got it working. As the AFTR server name appears to be unchanging for the ISP you also do not have to bother with parsing the DHCPv6 option 64 reply and updating the ipipv6 remote address. For info - whilst the tunnel IPv4 address is arbitrary IANA reserved the 192.0.0.0/29 range to pre...
by tdw
Fri Nov 10, 2023 7:26 pm
Forum: General
Topic: /31 subnet
Replies: 8
Views: 1185

Re: /31 subnet

Can you ping the ISP gateway from the Mikrotik itself, and if so traceroute any further?

Lack of internet access from your LAN could be missing/incorrect NAT rules.
by tdw
Fri Nov 10, 2023 5:27 pm
Forum: General
Topic: /31 subnet
Replies: 8
Views: 1185

Re: /31 subnet

You need a default route too:

/ip route add gateway=193.56.1.222
by tdw
Fri Nov 10, 2023 4:48 pm
Forum: General
Topic: /31 subnet
Replies: 8
Views: 1185

Re: /31 subnet

Mikrotiks don't use the obvious syntax for supporting /31 addresses, instead you configure a /32 address but specify the other end as the network parameter:

/ip address add address=193.56.1.223 network=193.56.1.222 interface=<your WAN interface>
by tdw
Fri Nov 10, 2023 4:27 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4299

Re: IPv6 DS Lite

You could try !keepalive on the tunnel interface as the remote end may not respond to probes, or it could be firewall rules blocking the traffic.
by tdw
Fri Nov 10, 2023 2:41 am
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4299

Re: IPv6 DS Lite

The :put command outputs data to the console, you could use :log instead. Are you requesting the option? According to the specifications servers should not send the OPTION_AFTR_NAME unless specifically requested, so /ipv6 dhcp-client option add code=6 name=OPTION_ORO value=0x0040 The rather sparse d...
by tdw
Thu Nov 09, 2023 5:09 am
Forum: Beginner Basics
Topic: Understanding ARP
Replies: 2
Views: 895

Re: Understanding ARP

The layer 3 IP has no concept of MAC addresses, IP firewall and routing are irrelevant to ARP. ARP works within a layer 2 broadcast domain to provide the MAC address associated with an IP address - it doesn't get forwarded outside the broadcast domain.
by tdw
Mon Nov 06, 2023 9:39 pm
Forum: General
Topic: How to downgrade CCR2116-12G-4S+?
Replies: 2
Views: 643

Re: How to downgrade CCR2116-12G-4S+?

Also, recently introduced Mikrotik models were designed to run v7 only - they are not going to expend effort adding support for new SoC and/or peripherals to v6.
by tdw
Mon Nov 06, 2023 9:28 pm
Forum: Beginner Basics
Topic: LTE Dish Router - inbound trafffic - newbie to Mikrotik - help!!
Replies: 3
Views: 1020

Re: LTE Dish Router - inbound trafffic - newbie to Mikrotik - help!!

The default firewall rules permit ICMP. Are you getting a public IP address - in the UK the only mainstream SIMs which provide public addresses are Three, and then only if you use the correct APN. Depending on what the EE SIM with fixed IP will cost, as they are often for small amounts of data for I...
by tdw
Mon Nov 06, 2023 5:32 pm
Forum: General
Topic: GPON ONU module alternatives
Replies: 11
Views: 2588

Re: GPON ONU module alternatives

There are several threads in the forum, e.g. viewtopic.php?p=1027689
by tdw
Mon Nov 06, 2023 5:28 pm
Forum: Beginner Basics
Topic: DHCP Offer not received on other side of trunk [solved]
Replies: 12
Views: 2219

Re: DHCP Offer not received on other side of trunk

Under /interface vlan the entries should have interface=bridgeINT not interface=ether1 . The first post in the thread you quote is similarly incorrect as pointed out by the second post. Which VLAN isn't receiving DHCP, the wAP appears to have multiple DHCP clients plus some DHCP servers which is unu...
by tdw
Sun Nov 05, 2023 6:01 pm
Forum: Beginner Basics
Topic: DHCP Offer not received on other side of trunk [solved]
Replies: 12
Views: 2219

Re: DHCP Offer not received on other side of trunk

The wAP bridge config is a mess: You have VLANs attached directly to a bridge port, they should always be attached to the bridge itself. Don't add a VLAN with ID 1, this is the default PVID on bridge ports. You have a mix of VLAN-aware bridge and switch VLAN configuration - these interact in undocum...
by tdw
Sun Nov 05, 2023 5:45 pm
Forum: Beginner Basics
Topic: RouterOS - Connecting 2 Subnets on 1 Router
Replies: 1
Views: 953

Re: RouterOS - Connecting 2 Subnets on 1 Router

Static routes are unnecessary. The intrinsic policy is to permit forwarding between any subnets on the mikrotik, likely there are firewall rules blocking communication.
by tdw
Tue Oct 31, 2023 2:34 am
Forum: General
Topic: Routing distance not modifiable [SOLVED]
Replies: 4
Views: 887

Re: Routing distance not modifiable [SOLVED]

Smaller subnets always have priority over larger, distance is only used when there are multiple subnets of the same size. The static route (#5 of /ip route print ) looks incorrect - the gateway should be next hop address, not the interface: /ip route add dst-address=192.168.253.0/24 gateway=192.168....
by tdw
Tue Oct 31, 2023 2:21 am
Forum: Scripting
Topic: problems with update 7.10+ script does not work
Replies: 2
Views: 1326

Re: problems with update 7.10+ script does not work

See viewtopic.php?t=196072 and modify the script accordingly
by tdw
Mon Oct 30, 2023 10:52 pm
Forum: General
Topic: Vlan L3 Interface & Switching VLAN [SOLVED]
Replies: 1
Views: 556

Re: Vlan L3 Interface & Switching VLAN [SOLVED]

You are missing any /interface bridge vlan configuration. Whilst the bridge port pvid= settings will dynamically add those ports as untagged members you need to specify the bridge-to-cpu port tagged membership. /interface bridge vlan add bridge=br0 tagged=br0 vlan-ids=10 add bridge=br0 tagged=br0 vl...
by tdw
Mon Oct 30, 2023 9:56 pm
Forum: General
Topic: RB3011, VLAN switching/routing and DHCP server
Replies: 11
Views: 1205

Re: RB3011, VLAN switching/routing and DHCP server

Attempting to mix a VLAN-aware bridge and switch-chip VLAN filtering is just asking for trouble. Either: Use a VLAN-aware bridge, the only downside of which is you do not get wirespeed L2 performance between ports in the same VLAN Or: Use a non-VLAN-aware bridge which acts like an unmanaged switch a...
by tdw
Sat Oct 21, 2023 5:16 pm
Forum: Wireless Networking
Topic: No DHCP via WiFi
Replies: 5
Views: 1641

Re: No DHCP via WiFi

Did you make all of the suggested changes, also the wlan interfaces will be added automatically by CAPsMAN so should not be added manually: /interface bridge port add bridge=bridge1 interface=ether1 add bridge=bridge1 interface=wlan1 add bridge=bridge1 interface=wlan2 /interface wireless cap set bri...
by tdw
Tue Oct 10, 2023 9:20 pm
Forum: General
Topic: Can't access DNS domain names from the router
Replies: 7
Views: 955

Re: Can't access DNS domain names from the router

That does not solve the OPs problem.
by tdw
Tue Oct 10, 2023 2:27 am
Forum: General
Topic: Can't access DNS domain names from the router
Replies: 7
Views: 955

Re: Can't access DNS domain names from the router

Allowing DNS requests from outside is a bad idea, it turns your router into an open DNS resolver.

All the issues stem from you having deleted the first line of the default configuration which accepts established, related and untracked traffic in the input chain.
by tdw
Sun Oct 08, 2023 11:04 pm
Forum: Beginner Basics
Topic: IPv6 with Vodafone Station (Czechia) borked
Replies: 3
Views: 897

Re: IPv6 with Vodafone Station (Czechia) borked

It should pass IPv6 OK - however if you have DHCP or IGMP snooping enabled it may break IPv6 multicast, IIRC there have been some forum posts about this.

For the CRS to obtain an IPv6 address disabling IPv6 forwarding will enable it to process RAs.
by tdw
Sun Oct 08, 2023 8:57 pm
Forum: Beginner Basics
Topic: IPv6 with Vodafone Station (Czechia) borked
Replies: 3
Views: 897

Re: IPv6 with Vodafone Station (Czechia) borked

Are you using the CRS as a bridge or a router? AFAIK mobile operators only provide a single /64 and no prefix delegation. As you need one /64 per network using the CRS as a router will not work unless you resort to NAT (which IPv6 was supposed to do away with).
by tdw
Sun Oct 01, 2023 11:41 pm
Forum: Beginner Basics
Topic: Cannot connect to the internet with PPOE with vlan
Replies: 3
Views: 732

Re: Cannot connect to the internet with PPOE with vlan

The new WAN interface needs adding to the WAN interface list, otherwise there will be no internet access from the LAN:
/interface list member
add interface=EboxPPOE list=WAN

You can also remove ether1 from the list, and disable or remove the DHCP client.
by tdw
Sun Oct 01, 2023 12:48 am
Forum: SwOS
Topic: Help with VLans.
Replies: 10
Views: 2737

Re: Help with VLans.

You have no /ip address in the 10.10.1.0/24 subnet.

The /interface vlan should refer to the bridge, not any member ports.

There are also unnecessary duplicates in /ip pool.
by tdw
Fri Sep 29, 2023 10:37 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 1554

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

Without accepting RAs you will likely lose the gateway information. IIRC when changing accept RAs some things don't actually change until after reboot.

I would suggest sending a feature request to Mikrotik, not accepting the RA DNS options is likely to be a common requirement as more people use IPv6.
by tdw
Fri Sep 29, 2023 8:46 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 1554

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

The DHCPv6 client use-peer-dns option will only affect handling of OPTION_DNS_SERVERS received in the DHCPv6 reply, there is similarly an option in the PPPoE client to use or ignore any DNS provided by IPv6CP when using PPPoE. It needs a separate option to use or ignore the RA-provided data.
by tdw
Fri Sep 29, 2023 6:44 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 1554

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

It will be part of the IPv6 RA data from the ISP. AFAIK there isn't an option to ignore the DNS server option if it is present.
by tdw
Fri Sep 29, 2023 2:12 am
Forum: SwOS
Topic: Need Help On Connecting Two CSS610s over VLAN
Replies: 13
Views: 2981

Re: Need Help On Connecting Two CSS610s over VLAN

Hope Mikrotik will fix this bug in the future SWOS Lite release. It isn't a bug as such. Switches may support either shared VLAN learning (SVL) or independent VLAN learning (IVL) modes of operation: In SVL mode there is a single MAC address table so any learnt address applies to all VLANs. In IVL m...
by tdw
Thu Sep 28, 2023 9:18 pm
Forum: Wireless Networking
Topic: Using UniFi AP-AC Lite with MikroTik router on standalone mode
Replies: 1
Views: 1251

Re: Using UniFi AP-AC Lite with MikroTik router on standalone mode

If you plug a laptop directly into the Mikrotik does the Mikrotik hotspot work? With a UniFi AP configured in standalone mode it should provide a transparent connection between WiFi and ethernet. If you use a UniFi portal instead the controller has to be online all of the time, and you can only use ...
by tdw
Sat Sep 23, 2023 8:59 pm
Forum: Beginner Basics
Topic: vlans and wifi with two separate internet routers [SOLVED]
Replies: 9
Views: 1533

Re: vlans and wifi with two separate internet routers [SOLVED]

There may be two methods which work, the example on the new help pages now being suggested over the example in the old wiki. The difference appears to be VLANs port memberships set to 'leave as is' and the VLAN 'VLAN Receive' set to 'only tagged'/'only untagged', I suspect the issue with your origin...
by tdw
Fri Sep 22, 2023 7:49 pm
Forum: Beginner Basics
Topic: vlans and wifi with two separate internet routers [SOLVED]
Replies: 9
Views: 1533

Re: vlans and wifi with two separate internet routers [SOLVED]

The RB260 configuration is almost entirely incorrect. From factory reset: VLAN tab Set Default VLAN ID Port1-> 10, Port2 -> 10, Port3 -> 20 VLANs tab Add VLAN ID 10, set Port1 -> always strip, Port2 -> always strip, Port4 -> add if missing, Port5 -> add if missing Add VLAN ID 20, set Port3 -> always...
by tdw
Fri Sep 22, 2023 7:21 pm
Forum: General
Topic: CRS Switch Question
Replies: 3
Views: 467

Re: CRS Switch Question

Various options: If you are providing their WAN address using DHCP use DHCP option 82 insertion and limit each port to a single lease (you can't use the Mikrotik DHCP server for this). Use 802.1x MAC auth, requires a RADIUS server and restricts them to only connecting devices which are known, e.g. i...
by tdw
Fri Sep 22, 2023 2:00 pm
Forum: General
Topic: FreeRadius and Mikrotik get IP from mySQL IPPOOL
Replies: 1
Views: 385

Re: FreeRadius and Mikrotik get IP from mySQL IPPOOL

Yes, see https://wiki.mikrotik.com/wiki/Manual:R ... ess-Accept

There are several well-known vulnerabilities in 6.40.9, it would be wise to upgrade to the latest LTS (currently 6.49.10).
by tdw
Fri Sep 22, 2023 1:14 am
Forum: General
Topic: How to merge 2 differents trunk + VLANs to one trunk?
Replies: 18
Views: 1319

Re: How to merge 2 differents trunk + VLANs to one trunk?

Use one bridge on the CCR2116, not two separate ones, and configure the /interface bridge vlan membership accordingly on the two trunks. You do not need /interface vlan and /ip address entries for every single VLAN on switches, these are only required for access to the switch itself so for a single ...
by tdw
Thu Sep 21, 2023 11:01 pm
Forum: General
Topic: Static Public IP
Replies: 2
Views: 456

Re: Static Public IP

Your provider's gateway will use ARP to resolve the MAC for all IPs in the /25 block other than itself. As you have created a /30 subnet which overlaps with the /25 on a physically separate ethernet network this will fail. Either proxy-arp, or bridge your WAN and customer connection giving them one a...
by tdw
Thu Sep 21, 2023 8:09 pm
Forum: General
Topic: clarification about lldp and voip phones [SOLVED]
Replies: 4
Views: 721

Re: clarification about lldp and voip phones [SOLVED]

If the box between the label 'LLDP MED Network Policy VLAN:' and the downward-pointing triangle is greyed out it should be disabled. When enabled the box is not greyed out and contains the VLAN ID. If you open a terminal window the command /ip neighbor export verbose should display: /ip neighbor dis...
by tdw
Thu Sep 21, 2023 4:19 pm
Forum: General
Topic: clarification about lldp and voip phones [SOLVED]
Replies: 4
Views: 721

Re: clarification about lldp and voip phones [SOLVED]

Historically when VoIP phones were added to offices there were often insufficient network sockets available, a common workaround was to present the normal data network untagged and the VoIP network tagged. Rather than having to configure each phone when deployed a number of autoconfiguration mechani...
by tdw
Thu Sep 21, 2023 4:08 pm
Forum: General
Topic: How to merge 2 differents trunk + VLANs to one trunk?
Replies: 18
Views: 1319

Re: How to merge 2 differents trunk + VLANs to one trunk?

OSPF operates over IP / layer 3, VLANs operate over ethernet /layer 2 - they are completely unrelated to each other. The block on the diagram "OSPF link with 8 subnet with1 Trunk inside of ccr2116 - 8 vlans id:100-107" makes absolutely no sense.
by tdw
Mon Sep 18, 2023 2:24 am
Forum: Beginner Basics
Topic: export/import ROS configuration
Replies: 7
Views: 2588

Re: export/import ROS configuration

Importing a full configuration onto a device which has its default configuration will fail due to duplicate items as you have found. No, reset-configuration will restore the default, using no-defaults=yes will result in a completely unconfigured device ready for a full configuration to be applied. Y...
by tdw
Sun Sep 17, 2023 10:43 pm
Forum: General
Topic: Second PPPoE connection / ICMP
Replies: 2
Views: 556

Re: Second PPPoE connection / ICMP

With multiple WAN connections you need mangle rules to mark inbound traffic and return the replies via the appropriate WAN interface
by tdw
Sat Sep 16, 2023 6:00 pm
Forum: Forwarding Protocols
Topic: Routing between bridges on Mikrotik
Replies: 6
Views: 2181

Re: Routing between bridges on Mikrotik

Your original network diagram doesn't show the whole picture (no mention of the 172.16.x.x subnets, or the router at 10.5.17.253). What is the default gateway of the devices on the 10.5.23.0/24 network? Does the target device accept ICMP requests from outside its subnet (hint Windows doesn't)?
by tdw
Sat Sep 16, 2023 5:48 pm
Forum: Beginner Basics
Topic: VLAN for second IP from ISP
Replies: 3
Views: 1697

Re: VLAN for second IP from ISP

However, I've recently decided to connect a SIP-trunk and ISP gave me a vlanid, a public ip/gateway for my sip station and sip server address, on same port as my internet. So your ISP is providing the SIP service? In which case the public IP, netmask and gateway are for the SIP device - you should ...
by tdw
Sat Sep 16, 2023 5:30 pm
Forum: Beginner Basics
Topic: VLAN for second IP from ISP
Replies: 3
Views: 1697

Re: VLAN for second IP from ISP

There are multiple methods to this "bridge + vlan filtering" or "interface-vlan + bridge"
You need the 2nd method to correctly work with your ISP.
Unlikely, there are very few use cases where a single VLAN-aware bridge cannot implement the configuration required.
by tdw
Tue Sep 12, 2023 12:54 pm
Forum: General
Topic: Mixed mikrotik with tagged/untagged Vlans
Replies: 7
Views: 998

Re: Mixed mikrotik with tagged/untagged Vlans

Many third-party guides still use the old bridge-per-VLAN approach which predates VLAN-aware bridges. Whilst not wrong there are many pitfalls for the unwary, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration (particularly 'VLAN on a bridge in a bridge', 'VLAN in a bridge with a...
by tdw
Tue Sep 12, 2023 4:09 am
Forum: General
Topic: communication between the TP-Link controller and the Wi-Fi access points
Replies: 2
Views: 975

Re: communication between the TP-Link controller and the Wi-Fi access points

Any device on the hotspot network will have outgoing traffic blocked or redirected until it has logged in to the hotspot. There are several simple options - add firewall rules to the hotspot chains, add server to walled garden IP list, or add IP bindings. The better solution is to have the access po...
by tdw
Fri Sep 08, 2023 2:28 pm
Forum: RouterBOARD hardware
Topic: CRS3xx: switching vs bridging ?
Replies: 12
Views: 3311

Re: CRS3xx: switching vs bridging ?

You can - however the CRS devices were originally designed to support wire-speed L2 switching and also be able to support L3 functionality, but much limited by their CPU performance. As RouterOS v7 has developed some L3 hardware offload has been added by utilising previously unused capabilities of t...
by tdw
Thu Sep 07, 2023 7:01 pm
Forum: RouterBOARD hardware
Topic: CRS3xx: switching vs bridging ?
Replies: 12
Views: 3311

Re: CRS3xx: switching vs bridging ?

1 - yes, assuming hardware offload has not been disabled on the interfaces. 2 - yes, when using the VLAN-aware bridge setup merely adding/removing tags between access and trunk ports is still performed at wire speed. 3 - yes. 4 - bridge filtering, if you cannot achieve what is necessary with switch ...
by tdw
Tue Sep 05, 2023 9:54 pm
Forum: General
Topic: Identify physical interface from DHCP client script
Replies: 4
Views: 1297

Re: Identify physical interface from DHCP client script

ARP and DHCP are usually completely independent, you can disable ARP learning and have the DHCP server create an ARP entry for specific use cases. Enabling DHCP snooping on the bridge will populate the agent-circuit-id and agent-remote-id fields which may provide the information you are looking for....
by tdw
Mon Aug 28, 2023 6:17 pm
Forum: Beginner Basics
Topic: VLAN DHDP-Relay
Replies: 12
Views: 2672

Re: VLAN DHDP-Relay

One DHCP server can issue static addresses for the multiple subnets attached to an interface, however it can only issue dynamic addresses from one pool as it has no idea how to differentiate which clients should be associated with which subnet. (Actually there are mechanisms which allow matching on ...
by tdw
Sat Aug 26, 2023 9:02 pm
Forum: Beginner Basics
Topic: LEOX LXT-010S-H SFP GPON
Replies: 10
Views: 3820

Re: LEOX LXT-010S-H SFP GPON

Currently vlan20 and vlan30 are only associated with the sfp-WAN interface, there is no connection between them and any of the LAN ports. Exactly what is required depends on the network architecture your ISP has implemented for IPTV and telephony traffic - routed or bridged. If the IPTV is bridged, ...
by tdw
Sat Aug 26, 2023 7:29 pm
Forum: Forwarding Protocols
Topic: Is it possible with Mikrotik: Your support required please.
Replies: 15
Views: 3305

Re: Is it possible with Mikrotik

Your picture is incorrect, PPP-based connections are assigned /32 addresses so the L2TP client and server will be 192.168.88.2/32 and 192.168.88.1/32. Add a static route for 192.168.10.0/24 to the PPP secret for site B on site A, the L2TP server - this allows site A to forward traffic for that su...
by tdw
Fri Aug 25, 2023 11:43 pm
Forum: Beginner Basics
Topic: VLAN DHDP-Relay
Replies: 12
Views: 2672

Re: VLAN DHDP-Relay

Using VLAN ID 1 is unwise unless you really know what you are doing, many vendors reserve VLAN ID 1 for untagged traffic.

So you are configuring the network drivers on the PCs to use VLAN IDs 1 and 2?
by tdw
Sun Aug 20, 2023 8:35 pm
Forum: General
Topic: problem with vlan101 on port 4 - hap lite [SOLVED]
Replies: 10
Views: 1570

Re: problem with vlan101 on port 4 - hap lite [SOLVED]

/interface bridge vlan
add bridge=BR1 tagged=ether1,ether2,ether3,ether4 vlan-ids=101
...

You can include untagged=ether4 although this will be added dynamically from the port PVID setting.
by tdw
Sun Aug 20, 2023 8:30 pm
Forum: General
Topic: Unable to use router IP as Gateway
Replies: 2
Views: 885

Re: Unable to use router IP as Gateway

You cannot have multiple physical networks using the same subnet, the 'Gigabit Bridge' and VLAN_GEN_10 interfaces have the same address and subnet.

You may be suffering from https://xyproblem.info/, a diagram of what you are trying to achieve would be helpful.
by tdw
Sun Aug 20, 2023 8:17 pm
Forum: General
Topic: problem with vlan101 on port 4 - hap lite [SOLVED]
Replies: 10
Views: 1570

Re: problem with vlan101 on port 4 - hap lite [SOLVED]

If Windows works but Linux doesn't most likely packets are tagged in one direction and untagged in the other. Note that the fast ethernet switch chips do not support hybrid operation due to hardware design limitations. There should not be an issue using a VLAN-aware bridge, post your config with tha...
by tdw
Wed Aug 09, 2023 8:33 pm
Forum: General
Topic: Filtering traffic with a LAN
Replies: 8
Views: 1751

Re: Filtering traffic with a LAN

Yes
by tdw
Wed Aug 09, 2023 5:37 pm
Forum: General
Topic: Filtering traffic with a LAN
Replies: 8
Views: 1751

Re: Filtering traffic with a LAN

Configure the Mikrotik as a switch rather than a router. If whichever Mikrotik you use has bridge hardware-offload enabled it would have to be implemented with switch ACLs, the various switch chips have different switch rule capabilities so check https://help.mikrotik.com/docs/display/ROS/Switch+Chip+...
by tdw
Mon Aug 07, 2023 3:44 am
Forum: Beginner Basics
Topic: LAN as tagged VLAN out WAN port for backbone (WAN and LAN on same port) [SOLVED]
Replies: 4
Views: 1363

Re: LAN as tagged VLAN out WAN port for backbone (WAN and LAN on same port) [SOLVED]

There are issues with your 'simpler way', see https://help.mikrotik.com/docs/display/ ... linterface

Several settings, including frame-types= and ingress-filtering=, have no effect unless the bridge has vlan-filtering=yes
by tdw
Sun Aug 06, 2023 2:51 am
Forum: Beginner Basics
Topic: Simple VLAN setup, only VLAN1 is working [SOLVED]
Replies: 3
Views: 1229

Re: Simple VLAN setup, only VLAN1 is working [SOLVED]

You have no /interface bridge vlan entries. Untagged entries will be automatically generated from the pvid= settings for the bridge itself (the implicit bridge-to-cpu port) and any /interface bridge port entries but you have to define all the tagged entries, e.g. for the bridge-to-cpu traffic.
by tdw
Tue Aug 01, 2023 1:52 am
Forum: General
Topic: IPv6 subnet delegation
Replies: 6
Views: 804

Re: IPv6 subnet delegation

ovh also assigned me an ipv6 subnet /56 2001:41d0:700:55xx::/56 gateway 2001:41d0:700:55ff:ff:ff:ff:ff. That is an awful configuration, it requires ND proxy to work and Mikrotik don't implement this. Most common a provider will use a /64, either from the allocated subnet or a completely separate ra...
by tdw
Mon Jul 31, 2023 1:46 pm
Forum: General
Topic: Domain controller query without VPN.
Replies: 4
Views: 551

Re: Domain controller query without VPN.

Yes. Historically something like:
/ip dns static add regexp="your\\.domain\$" forward-to=192.168.2.10
but in newer versions the following is more efficient:
/ip dns static add type=FWD name=your.domain match-subdomain=yes forward-to=192.168.2.10
by tdw
Mon Jul 31, 2023 12:58 pm
Forum: General
Topic: Domain controller query without VPN.
Replies: 4
Views: 551

Re: Domain controller query without VPN.

If I enter 192.168.10.1 as DNS at the branch office, you can surf and call up the static DNS entries. But the domain controller query doesn't work properly. It wouldn't as AD DNS contains various special subdomains. At the remote site use the Mikrotik as the DNS server and add a static DNS FWD entry ...
by tdw
Fri Jul 28, 2023 1:51 am
Forum: RouterBOARD hardware
Topic: Dimensions of hEX PoE/RB960PGS
Replies: 5
Views: 2779

Re: Dimensions of hEX PoE/RB960PGS

Although missing on the product page it is in the brochure https://i.mt.lv/cdn/product_files/hEX__poe_190723.pdf - 114 x 137 x 29 mm
by tdw
Fri Jul 28, 2023 1:24 am
Forum: Beginner Basics
Topic: Vlans getting internet but not reaching dhcp server
Replies: 8
Views: 1420

Re: Vlans getting internet but not reaching dhcp server

Obvious errors are various /interface vlan and /ip address items being attached to interfaces which are members of a bridge, also ether1 which appears to be the WAN connection being a member of the bridge.
by tdw
Thu Jul 27, 2023 12:57 pm
Forum: General
Topic: PPPoE Server + Bridge Horizon v7.10.2
Replies: 2
Views: 520

Re: PPPoE Server + Bridge Horizon v7.10.2

The bridge* parameters in the PPP profile are used for BCP, they have nothing to do with IP connectivity between the server and client(s). Setting a horizon will not restrict IP traffic between the client addresses assigned from your IP pool. From https://wiki.mikrotik.com/wiki/Manual:BCP_bridging_(...
by tdw
Thu Jul 27, 2023 12:42 am
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 67613

Re: v6.49.8 [long-term] is released!

... it isn't clear if that CVE-2023-30799 was only addressed in 6.49.7 onwards, or also in 6.48.7 LTS which was released at a later date - there is nothing in the release notes. No, post #22 above probably sums up the status completely (not mentioning 6.48.7 does mean something). But since 6.49.8...
by tdw
Wed Jul 26, 2023 3:05 pm
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 67613

Re: v6.49.8 [long-term] is released!

I visited a lonely page that feels completely neglected by Mikrotik: https://blog.mikrotik.com/security/ also supplies RSS feed for Mikrotik. +1 and it isn't clear if that CVE-2023-30799 was only addressed in 6.49.7 onwards, or also in 6.48.7 LTS which was released at a later date - there is nothin...
by tdw
Mon Jul 24, 2023 4:51 pm
Forum: General
Topic: DHCP issue with WDS on particular home router brands
Replies: 1
Views: 356

Re: DHCP issue with WDS on particular home router brands

It is an interoperability issue affecting all manufacturers, not just Mikrotik. See https://help.mikrotik.com/docs/display/ ... tion+Modes
by tdw
Sun Jul 23, 2023 3:41 pm
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 67613

Re: v6.49.8 [long-term] is released!

So is this just a recompilation/rerelease of 6.49.8 (stable) with no code changes? The original release has a different timestamp - "What's new in 6.49.8 (2023-May-22 16:07)"
by tdw
Fri Jul 21, 2023 2:25 am
Forum: General
Topic: traffic stops almost completely after a few bridge hops
Replies: 9
Views: 993

Re: traffic stops almost completely after a few bridge hops

The airMAX radios in bridge mode will by default pass all tagged VLANs and provide management access to the radios untagged. If you are seeing unexpected VLANs that will be down to your switch configurations. There is a long-standing bug in airMAX radios operating in point-to-multipoint (even if the...
by tdw
Thu Jul 20, 2023 9:25 pm
Forum: General
Topic: traffic stops almost completely after a few bridge hops
Replies: 9
Views: 993

Re: traffic stops almost completely after a few bridge hops

Having the same MAC address on two of the devices would mess up the forwarding database on switches/bridges. What wireless devices are you using?
by tdw
Wed Jul 19, 2023 10:31 pm
Forum: Beginner Basics
Topic: Question regarding IP pools [SOLVED]
Replies: 24
Views: 2026

Re: Question regarding IP pools [SOLVED]

One last question, does L2TP have such a thing as well? Do I need to set netmask for L2TP as well to be able to use /23 on it? PPP-based point-to-point links (e.g. PPPoE, L2TP, PPTP, SSTP) have no concept of subnets, each end of the link is assigned a /32. OpenVPN in IP / TUN mode works differentl...
by tdw
Wed Jul 19, 2023 3:12 pm
Forum: Beginner Basics
Topic: Question regarding IP pools [SOLVED]
Replies: 24
Views: 2026

Re: Question regarding IP pools [SOLVED]

Simply set a fairly short lease time in the DHCP server setting. DHCP has absolutely nothing to do with L2TP and other PPP-based point-to-point connection address assignment, it is handled by IPCP. RouterOS address assignments are somewhat sticky - each new connection is assigned an address from th...
by tdw
Sun Jul 16, 2023 3:58 pm
Forum: Beginner Basics
Topic: Forward secondary IP to web server
Replies: 4
Views: 1011

Re: Forward secondary IP to web server

If the WAN connections have different gateways you have to use mangle rules and additional routing tables or VRFs to ensure return traffic uses the same WAN as the inbound traffic arrived on.
by tdw
Sat Jul 08, 2023 6:22 pm
Forum: Beginner Basics
Topic: Bridge issues
Replies: 14
Views: 1709

Re: Bridge issues

Took off the interfaces from what? You should be able to use MAC access from Winbox to access the devices even with no or a broken configuration.
by tdw
Fri Jul 07, 2023 7:21 pm
Forum: Beginner Basics
Topic: Bridge issues
Replies: 14
Views: 1709

Re: Bridge issues

For the first device I have updated the settings. Please see the following, I don't understand those questions about route and DNS, tried to add the route and DNS as well. As the device is acting as bridge, not a router, you only need a single IP address which should be applied to the bridge, not brid...
by tdw
Wed Jun 28, 2023 1:18 pm
Forum: General
Topic: SSH into LAN over external IP from a L2TP tunnel
Replies: 6
Views: 745

Re: SSH into LAN over external IP from a L2TP tunnel

Not quite. #1 & #2 only handle traffic to the Mikrotik itself. The traffic to your SSH server requires connection marks in the forward chain plus routing marks in the prerouting chain. You have to make sure that the prerouting mark only applies to outbound traffic (hint: consider what happens if...
by tdw
Fri Jun 23, 2023 11:28 pm
Forum: Scripting
Topic: prevent the script from running if it is already running
Replies: 6
Views: 2448

Re: prevent the script from running if it is already running

It depends from where it is invoked, for scheduled scripts which may not have completed I use the following for on-event :local name "unms_update_ip" :if ([/system script job print count-only where script=$name] = 0) do={ /system script run $name } else={ :log info "$name already runn...
by tdw
Wed Jun 21, 2023 2:56 am
Forum: General
Topic: Public IP routing to LAN [SOLVED]
Replies: 3
Views: 551

Re: Public IP routing to LAN [SOLVED]

You could either create a second LAN, or add the public subnet to the existing LAN - in either case you add 1.2.3.25/29 to the LAN. You will also need to modify the default forward rules which only allow destination NAT traffic from WAN to LAN. Note that if sharing multiple subnets on one LAN you ca...
by tdw
Sun Jun 18, 2023 12:21 pm
Forum: General
Topic: Consolidate 3 switches into 1
Replies: 3
Views: 528

Re: Consolidate 3 switches into 1

CRS3xx running RouterOS only provide wire-speed switching by using hardware offload on one bridge. Use a single bridge with VLANs configuring the groups of access ports, e.g. port 3-8 VLAN100, port 9-16 VLAN101, port 17-24 VLAN102. CSS devices have a fixed single bridge. You can either use VLANs as...
by tdw
Fri Jun 16, 2023 12:19 pm
Forum: Beginner Basics
Topic: Fiber SC connector: SFP or adapt to LC?
Replies: 3
Views: 1184

Re: Fiber SC connector: SFP or adapt to LC?

You need to know what type of optical network the ISP provides and where the demarcation point between their network and the customer is - often it is an ethernet socket on Network Terminating Equipment (NTE) or Optical Network Terminal (ONT). Their equipment may be necessary so they can carry out r...
by tdw
Thu Jun 15, 2023 3:37 pm
Forum: Beginner Basics
Topic: Basic VLAN and 802.1q trunks
Replies: 7
Views: 1499

Re: Basic VLAN and 802.1q trunks

The first bridge created will use hardware offload. If you disable hardware offload (with hw=no) on all the bridge ports of the first bridge the next bridge will use hardware offload.

The management interface doesn't have to be a member of a bridge, you can assign an IP address to it directly.
by tdw
Thu Jun 15, 2023 3:27 pm
Forum: Beginner Basics
Topic: re-enable ethernet port managment
Replies: 10
Views: 1088

Re: re-enable ethernet port managment

No, the console port is serial RS232 with the commonly used Cisco pinout. You need a USB to RS232 interface and a DB-9 to RJ45 cable, see https://help.mikrotik.com/docs/display/ROS/Serial+Console#SerialConsole-RJ45TypeSerialPort If any SFP interface(s) are bridged to the internal CPU interface you s...
by tdw
Mon Jun 12, 2023 9:08 pm
Forum: Beginner Basics
Topic: Basic VLAN and 802.1q trunks
Replies: 7
Views: 1499

Re: Basic VLAN and 802.1q trunks

Mikrotik have a default native VLAN ID of 1 on bridges (for the switch-to-CPU interface) and bridge ports, as with many other defaults it doesn't appear in /export . Attempting to add an /interface vlan with the same ID usually results in odd behaviour and/or loss of connectivity due to the mix of t...
by tdw
Sat Jun 10, 2023 9:53 pm
Forum: Beginner Basics
Topic: tagged or untagged bridge? and a little more about vlans.
Replies: 2
Views: 500

Re: tagged or untagged bridge? and a little more about vlans.

For a deeper dive into the CPU-to-bridge interface see also viewtopic.php?p=1006033
by tdw
Thu Jun 08, 2023 5:24 pm
Forum: General
Topic: Disconnect DHCP user from RADIUS?
Replies: 2
Views: 319

Re: Disconnect DHCP user from RADIUS?

No, and it is not Mikrotik-specific. There is no mechanism in DHCP to revoke a lease and communicate that to the client. Once a device has been granted an address it is free to use that address until the lease time expires, even if you remove the current lease from the DHCP server. Large ISPs often ...
by tdw
Mon Jun 05, 2023 8:36 pm
Forum: SwOS
Topic: feature request - https for webui
Replies: 31
Views: 13407

Re: feature request - https for webui

SwOS does not have much functionality. To support HTTPS it would need crypto, time, a filesystem, a mechanism to upload certificates, etc. I expect that a 'RouterOS lite' which has enough functionality would be easier than trying to retrofit SwOS. And make sure you keep any downloaded configuration ...
by tdw
Mon Jun 05, 2023 3:33 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 26137

Re: RouterOS bridge mysteries explained

I'm not sure I've understood you well - I've tested on 7.9 and the rule only counts if I remove the mac-protocol=ip src-address=192.168.229.1/32 conditions: Initially I thought it might be something which got broken going from v6 to v7, but I've tried 7.9.2 on a SMIPS device (not recommend, it's sl...
by tdw
Fri Jun 02, 2023 10:01 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 26137

Re: RouterOS bridge mysteries explained

You can match IP traffic with mac-protocol=ip on a VLAN-aware bridge but you can't select a specific VLAN as well. When VLAN-aware bridges were introduced Mikrotik should have separated the filter functionality so you can apply both a VLAN and another filter, rather than the limited either/or situat...
by tdw
Fri Jun 02, 2023 2:52 pm
Forum: General
Topic: Voice Vlan
Replies: 7
Views: 861

Re: Voice Vlan

Newer versions of RouterOS 6 & 7 support LLDP-MED, see https://help.mikrotik.com/docs/display/ ... figuration
by tdw
Fri Jun 02, 2023 2:46 pm
Forum: General
Topic: Getting into a loop when using multiple "trunk" ports
Replies: 3
Views: 543

Re: Getting into a loop when using multiple "trunk" ports

You can't just connect multiple links between a pair of devices, as you have found this leads to loops and broadcast storms swamping the network.

You can aggregate multiple physical links into a single virtual link and use this as the trunk. See https://help.mikrotik.com/docs/display/ROS/Bonding
by tdw
Mon May 29, 2023 2:10 pm
Forum: RouterBOARD hardware
Topic: 2 Routers with same MAC addresses?
Replies: 4
Views: 2694

Re: 2 Routers with same MAC addresses?

From the documentation "RouterOS backup feature allows you to save the current device's configuration, which then can be re-applied on the same or a different identical model. This is very useful since it allows you to effortlessly restore the device's configurations or to re-apply the same co...
by tdw
Sat May 27, 2023 7:24 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 26137

Re: RouterOS bridge mysteries explained

The first of those two cases - when you have untagged traffic to/from the CPU-port.
by tdw
Fri May 26, 2023 5:42 pm
Forum: General
Topic: HELP! - Latency on 1 switch only
Replies: 8
Views: 725

Re: HELP! - Latency on 1 switch only

I missed that. Nothing immediately obvious, is the cable OK (expected link speed, no errors, etc.)?
by tdw
Fri May 26, 2023 5:13 pm
Forum: General
Topic: HELP! - Latency on 1 switch only
Replies: 8
Views: 725

Re: HELP! - Latency on 1 switch only

As all traffic between the router and tower switch will currently have to pass through the rack switch CPU it will introduce latency and packet drops if the CPU is overloaded.
by tdw
Fri May 26, 2023 1:57 pm
Forum: General
Topic: HELP! - Latency on 1 switch only
Replies: 8
Views: 725

Re: HELP! - Latency on 1 switch only

Your rack switch is wrongly configured. CRS1xx/2xx do not support hardware-offloaded VLAN-aware bridges, you have to use a regular bridge and configure the switch chip - see https://help.mikrotik.com/docs/pages/vi ... =103841836
by tdw
Thu May 25, 2023 12:30 am
Forum: RouterBOARD hardware
Topic: CAP Lite POE Input (Mode A?)
Replies: 2
Views: 2153

Re: CAP Lite POE Input (Mode A?)

802.3af/at powered devices should accept both Mode A and Mode B with either polarity according to the standards, however Mikrotik PoE-in support is frequently not fully compliant. From https://wiki.mikrotik.com/wiki/Manual:TOC/MikroTik_POE_in_compatibility_table it appears a cAP lite will work if yo...
by tdw
Wed May 24, 2023 11:26 pm
Forum: General
Topic: IPV6 DHCP client does not add correct default route after reboot
Replies: 25
Views: 2186

Re: IPV6 DHCP client does not add correct default route after reboot

You should be able to adapt that for your setup. Some of the problems you had previously may be due to assigning addresses from two pools to the same interface - IIRC there have been issues with this in RouterOS so using a pool for the ISP prefix and a static ULA per that article may help.
by tdw
Wed May 24, 2023 7:50 pm
Forum: General
Topic: IPV6 DHCP client does not add correct default route after reboot
Replies: 25
Views: 2186

Re: IPV6 DHCP client does not add correct default route after reboot

It is the same mechanism as for getting a prefix from your ISP. For example if your ISP provides a prefix of /56 your first router could offer prefixes of /60 to your other routers. It does however require the DHCPv6 server on your first router to support prefix delegation, I suspect that many commo...
by tdw
Wed May 24, 2023 7:09 pm
Forum: General
Topic: IPV6 DHCP client does not add correct default route after reboot
Replies: 25
Views: 2186

Re: IPV6 DHCP client does not add correct default route after reboot

There should be no need for a ULA address (fdxx::) to be assigned to the interface. Why are you using NAT? ISPs should provide a block of addresses with prefix delegation from which you assign addresses to your internal networks. Usually the only case where this isn't possible is LTE/5G WAN connecti...
by tdw
Wed May 24, 2023 5:30 pm
Forum: Beginner Basics
Topic: set ip address after deleting default config?
Replies: 2
Views: 379

Re: set ip address after deleting default config?

Use netinstall to completely reformat the memory and reinstall RouterOS before anything else, see https://help.mikrotik.com/docs/display/ROS/Netinstall
by tdw
Wed May 24, 2023 5:24 pm
Forum: General
Topic: IPV6 DHCP client does not add correct default route after reboot
Replies: 25
Views: 2186

Re: IPV6 DHCP client does not add correct default route after reboot

Change Accept Router Advertisements to yes
by tdw
Wed May 24, 2023 5:17 pm
Forum: General
Topic: IPV6 DHCP client does not add correct default route after reboot
Replies: 25
Views: 2186

Re: IPV6 DHCP client does not add correct default route after reboot

In that case it would only apply when IPv6 forward is disabled
by tdw
Wed May 24, 2023 4:30 pm
Forum: General
Topic: IPV6 DHCP client does not add correct default route after reboot
Replies: 25
Views: 2186

Re: IPV6 DHCP client does not add correct default route after reboot

I have never configured any of my firewalls for IPv6, and yet in winbox, both settings are set to "yes if forwarding disabled". My read on this is that the default config disabled ipv6, however, the settings in winbox mean that if I enabled ipv6, I would have to set both of those options ...
by tdw
Wed May 24, 2023 12:52 am
Forum: General
Topic: Bonding interface as member of another Bonding ?
Replies: 2
Views: 378

Re: Bonding interface as member of another Bonding ?

Initially I was thinking about adding the SFP+ to the same bridge where the current bond is and share the tagged VLANs across both the SFP+ and the Bond interface, however this doesn't work well, with all interfaces UP I have communication but once the SFP+ goes down it takes almost 1 minute to fallb...
by tdw
Wed May 24, 2023 12:17 am
Forum: Beginner Basics
Topic: Router is getting an ISP DNS server?
Replies: 3
Views: 441

Re: Router is getting an ISP DNS server?

Likely from an RDNSS option in the IPv6 router advertisements. I don't know if there is an option to ignore them.
by tdw
Wed May 24, 2023 12:03 am
Forum: General
Topic: IPV6 DHCP client does not add correct default route after reboot
Replies: 25
Views: 2186

Re: IPV6 DHCP client does not add correct default route after reboot

Ideally the accept RA setting should be per-interface rather than global.
by tdw
Tue May 23, 2023 11:05 pm
Forum: General
Topic: IPV6 DHCP client does not add correct default route after reboot
Replies: 25
Views: 2186

Re: IPV6 DHCP client does not add correct default route after reboot

I don't know why Mikrotik have an add-default-route option in the DHCPv6 client, it is a hacky bodge which adds the DHCPv6 server as the default gateway. This works in some situations, but not all. As @mkx stated DHCPv6 has no mechanism to distribute a default gateway, the gateway and subnet prefix ...
by tdw
Mon May 22, 2023 10:07 pm
Forum: General
Topic: Routing issue
Replies: 8
Views: 632

Re: Routing issue

So I didn't have that issue with the other network because it also happens to be the WAN and there is a firewall rule for that already? Yes, as part of the default configuration. I found the "static DNS" entry - how does that differ from the DNS I input in the main DNS screen? The address...
by tdw
Mon May 22, 2023 9:19 pm
Forum: General
Topic: Routing issue
Replies: 8
Views: 632

Re: Routing issue

For static DNS entries select IP>DNS from the menu, then Static button. The Mikrotik will route packets from 192.168.100.x to 10.12.245.x, but those devices have no idea where to reply to unless they, or their default gateway device, have a static route of 192.168.100.0/24 via 10.12.245.110. The sim...
by tdw
Mon May 22, 2023 8:48 pm
Forum: General
Topic: Site to Site EOIP with Local Internet Access Problem
Replies: 29
Views: 3843

Re: Site to Site EOIP with Local Internet Access Problem

As far as I'm aware devices in the same L2 network are unlikely to do PMTUD for link-local packets, they expect the network to support whatever the interface MTU is set to so you should set the EoIP MTU to 1500. Obviously this will lead to fragmentation as 1500 + EoIP encapsulation + IPsec encapsula...
by tdw
Thu May 18, 2023 1:51 pm
Forum: Beginner Basics
Topic: VLAN Trunks communication [SOLVED]
Replies: 2
Views: 507

Re: VLAN Trunks communication [SOLVED]

For a CRS3xx you should configure a single VLAN-aware bridge which utilises L2 hardware offloading, see https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering and https://forum.mikrotik.com/viewtopic.php?t=143620 You need to add or change settings ...
by tdw
Wed May 17, 2023 6:50 pm
Forum: General
Topic: Muptiple subnets for L2TP/IPSec VPN
Replies: 3
Views: 427

Re: Muptiple subnets for L2TP/IPSec VPN

From the documentation "PPP profiles are used to define default values for user access records stored under /ppp secret submenu. Settings in /ppp secret User Database override corresponding /ppp profile settings except that single IP addresses always take precedence over IP pools when specified...
by tdw
Wed May 17, 2023 2:20 am
Forum: Beginner Basics
Topic: CPE and issue with resceving an IP
Replies: 10
Views: 2204

Re: CPE and issue with resceving an IP

There are limitations due to the 802.11 protocol which station-pseudobridge only partially addresses, see https://help.mikrotik.com/docs/display/ROS/Wireless+Station+Modes . With the AP and station both being Mikrotik the preferred option would be station-bridge which implements vendor-specific tra...
by tdw
Sat May 13, 2023 7:46 pm
Forum: General
Topic: CRS354-Switch – VLAN – CPU100 %
Replies: 5
Views: 537

Re: CRS354-Switch – VLAN – CPU100 %

If the routing is done elsewhere the interface and bridge VLAN settings would be /interface vlan add comment=MGT interface=BRIDGE name=VLAN_99 vlan-id=99 add comment=COMPANY interface=BRIDGE name=VLAN_100 vlan-id=100 add comment=GUEST interface=BRIDGE name=VLAN_200 vlan-id=200 add comment=DMZ interf...
by tdw
Sat May 13, 2023 5:21 pm
Forum: General
Topic: CRS354-Switch – VLAN – CPU100 %
Replies: 5
Views: 537

Re: CRS354-Switch – VLAN – CPU100 %

If you are using it purely as a switch with the inter-VLAN routing done elsewhere you don't need L3 hardware offload. You also only likely need management access from a single VLAN, in which case remove all of the other /interface vlan items and the bridge as a tagged member of those /interface brid...
by tdw
Sat May 13, 2023 2:42 pm
Forum: General
Topic: Simple? 2 WAN IPs on single interface issue... [SOLVED]
Replies: 5
Views: 511

Re: Simple? 2 WAN IPs on single interface issue... [SOLVED]

Nothing obvious. Given the information from the ISP it should really be address=xx.xx.159.183/24 and address=xx.xx.159.145/24 but if you are seeing the same behaviour when configured like that it does rather point to something at the ISP end. Does the drop in performance occur immediately after enab...
by tdw
Sat May 13, 2023 2:27 pm
Forum: General
Topic: CRS354-Switch – VLAN – CPU100 %
Replies: 5
Views: 537

Re: CRS354-Switch – VLAN – CPU100 %

Difficult to say without knowing how you are using it - if it is for inter-VLAN routing then it would be expected as the CPU in CRS devices is not very capable. That Mikrotik does support L3 hardware offload, but you have to explicitly configure it https://help.mikrotik.com/docs/display/ROS/L3+Hardw...
by tdw
Fri May 12, 2023 2:11 am
Forum: General
Topic: Simple? 2 WAN IPs on single interface issue... [SOLVED]
Replies: 5
Views: 511

Re: Simple? 2 WAN IPs on single interface issue... [SOLVED]

Are your addresses really /32s, and what is your default route?
by tdw
Wed May 03, 2023 10:30 pm
Forum: General
Topic: SFP Module Speeds 1.2Gb / 2.4Gb
Replies: 5
Views: 562

Re: SFP Module Speeds 1.2Gb / 2.4Gb

It doesn't work like that. The SFP Transceiver specification https://members.snia.org/document/dl/26184 details the mechanical dimensions, electrical connections and read-only serial information which describes the module capabilities. Whilst you can plug any ethernet, fibre channel, SONET or GPON SF...
by tdw
Tue May 02, 2023 10:07 pm
Forum: Beginner Basics
Topic: Connect fiber optic to Mikrotik router
Replies: 3
Views: 1263

Re: Connect fiber optic to Mikrotik router

You can not use a standard ethernet or GPON SFP - these are normally just media converters which change an electrical bitstream into an optical one and vice-versa. There are some third-party SFPs which include the functionality of a GPON ONT implementing all of the protocol conversion and processing...
by tdw
Tue May 02, 2023 9:40 pm
Forum: General
Topic: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors
Replies: 6
Views: 736

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Aggressive mode should be avoided - it has vulnerabilities which have been known about for decades and will not pass PCI compliance tests, for example. Presumably you are using IKE and PSK. You cannot have multiple IPsec profiles for ::/0 as the only supported identity type is the IP address. Using ...
by tdw
Mon May 01, 2023 1:36 pm
Forum: Beginner Basics
Topic: Reaching 2 VLAN's on a single port for a client device
Replies: 1
Views: 299

Re: Reaching 2 VLAN's on a single port for a client device

Stop using multiple bridges. Since the introduction of VLAN-aware bridges you should use a single bridge to avoid many pitfalls https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration . There is an excellent guide https://forum.mikrotik.com/viewtopic.php?t=143620 , the basic information o...
by tdw
Fri Apr 28, 2023 3:42 pm
Forum: Beginner Basics
Topic: separate traffic in differrnet bridges ... [SOLVED]
Replies: 1
Views: 331

Re: separate traffic in differrnet bridges ... [SOLVED]

You should use a single VLAN-aware bridge. Before bridge VLAN filtering was introduced the only method was to use multiple bridges but there are many pitfalls, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration . What you are seeing is standard linux behaviour - all traffic to lo...
by tdw
Thu Apr 13, 2023 10:14 pm
Forum: General
Topic: PVID Uses [SOLVED]
Replies: 23
Views: 1795

Re: PVID Uses [SOLVED]

I've seen it many times, for example on Toshiba laptops with Intel ethernet chipsets, Intel and Asus motherboards. A quick search comes up with articles such as https://superuser.com/questions/1755413/windows-11-connects-to-separate-untagged-and-vlan-tagged-network-at-the-same-tim and https://learn....
by tdw
Thu Apr 13, 2023 4:13 pm
Forum: Beginner Basics
Topic: Cannot pass over 1370 MTU via L2TP/IPSec tunnel
Replies: 9
Views: 998

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Yes. The performance of fragmented packets across the internet is often worse than non-fragmented. For TCP adjusting the tunnel MTUs and using MSS clamping so each packet contains the maximum possible payload plus protocol and tunnel overheads to fit in the final MTU whilst avoiding fragmentation is...
by tdw
Thu Apr 13, 2023 2:15 pm
Forum: General
Topic: PVID Uses [SOLVED]
Replies: 23
Views: 1795

Re: PVID Uses [SOLVED]

A non-vlan-aware bridge acts like an unmanaged switch, any tagged packets are treated no differently to untagged packets which is unlikely to be desired in many setups. Some devices (e.g. anything running Windows) will strip any received VLAN tags which can also cause unexpected side effects....
by tdw
Thu Apr 13, 2023 2:00 pm
Forum: Beginner Basics
Topic: Cannot pass over 1370 MTU via L2TP/IPSec tunnel
Replies: 9
Views: 998

Re: Cannot pass over 1370 MTU via L2TP/IPSec tunnel

Likely the provider is blocking fragmented packets. If the maximum MTU on the WAN link is 1490 (rather an odd figure), I would expect the maximum for a L2TP/IPsec tunnel with AES and SHA256 to be 1388 before fragmentation occurs.
by tdw
Mon Apr 10, 2023 11:05 pm
Forum: General
Topic: NAT464 configuration
Replies: 1
Views: 577

Re: NAT464 configuration

464XLAT requires the client to implement a SIIT, and Mikrotik don't. You can do DS-Lite.
by tdw
Sat Apr 08, 2023 11:21 pm
Forum: General
Topic: Dual WAN and masquerade vs src-nat
Replies: 7
Views: 743

Re: Dual WAN and masquerade vs src-nat

Yes. More info in the documentation https://help.mikrotik.com/docs/display/ ... Masquerade. You can use an on-up (PPPoE, static IP) or lease script (DHCP) to perform actions when an interface reconnects.
by tdw
Sat Apr 08, 2023 2:01 pm
Forum: General
Topic: Dual WAN and masquerade vs src-nat
Replies: 7
Views: 743

Re: Dual WAN and masquerade vs src-nat

The Mikrotik will clear all masqueraded connection tracking entries using an interface for egress when that interface disconnects and/or its IP address changes. This can cause excessive CPU utilisation if you have a significant number of connections. A more common issue is when the primary WAN in a f...
by tdw
Sat Apr 08, 2023 1:46 pm
Forum: General
Topic: hap ac2 lite, POE port - WAN Interface [SOLVED]
Replies: 1
Views: 331

Re: hap ac2 lite, POE port - WAN Interface [SOLVED]

On Mikrotik devices the text on the port labels is just that - the function is not fixed, unlike many Ubiquiti devices. You have to swap the references of ether1 and ether5 throughout the configuration, for the standard configuration this includes Bridge port membership (ether5 becomes ether1) WAN int...
by tdw
Thu Apr 06, 2023 5:59 pm
Forum: Wireless Networking
Topic: Radar detect problem
Replies: 33
Views: 16388

Re: Radar detect problem

Yes, there are a number of bands where fixed PtP and PtMP links are not permitted without a licence. There are licences available permitting fixed links up to 4W / 36dBm EIRP in the 5725 – 5850 MHz band, and 316W / 55dBm EIRP in the 57 – 71 GHz band (although above 40dBm EIRP we then have to follow t...
by tdw
Thu Apr 06, 2023 5:25 pm
Forum: Wireless Networking
Topic: Radar detect problem
Replies: 33
Views: 16388

Re: Radar detect problem

SRD is a generic term, countries may apply different permissions or restrictions depending on what the device is being used for. For example, in the UK we have the requirements for licence exempt short-range devices https://www.ofcom.org.uk/__data/assets/pdf_file/0028/84970/ir-2030.pdf which runs to...
by tdw
Thu Apr 06, 2023 2:48 pm
Forum: Wireless Networking
Topic: Radar detect problem
Replies: 33
Views: 16388

Re: Radar detect problem

They can be used outdoor as well. Not legally. The reason they are restricted to both indoors and lower power is so that the signal, having had to pass through the building structure, is at a low enough level so as not to interfere with the licensed users of those frequencies. The DFS detection har...
by tdw
Thu Apr 06, 2023 3:05 am
Forum: RouterOS beta
Topic: mikrotik sfp
Replies: 3
Views: 2253

Re: IPLOAD ISSUE IN BOODING BALANCE RR

There is no single solution which will work, it depends on your network architecture and exactly what layer2/3/4 traffic is involved.
by tdw
Thu Apr 06, 2023 2:58 am
Forum: Beginner Basics
Topic: Set up AP with VLAN's on an RB2011
Replies: 11
Views: 902

Re: Set up AP with VLAN's on an RB2011

Multiple bridges are a bad idea, see https://help.mikrotik.com/docs/display/ ... figuration as to why, and viewtopic.php?t=143620 for a primer on VLANs on a Mikrotik
by tdw
Thu Apr 06, 2023 12:29 am
Forum: RouterOS beta
Topic: It is hoped that 2.5Gbps support can be added to the SFP + of rb5009
Replies: 13
Views: 6736

Re: It is hoped that 2.5Gbps support can be added to the SFP + of rb5009

Why would you expect a 1Gbps SFP to work if you attempt to send 2.5Gbps through it?
by tdw
Wed Apr 05, 2023 9:32 pm
Forum: General
Topic: L3HW on a switch [SOLVED]
Replies: 13
Views: 1352

Re: L3HW on a switch [SOLVED]

I try to purely get interVLAN routing working. Since I have NAT covered.
So you have static routes on your clients sending the inter-VLAN traffic to the switch, separate from the default route to your OPNsense router?
by tdw
Wed Apr 05, 2023 9:27 pm
Forum: Wireless Networking
Topic: Point-to-Multipoint with 60G/5G failover
Replies: 13
Views: 3201

Re: Point-to-Multipoint with 60G/5G failover

No, bonding is only appropriate for PtP links. Either RSTP for L2 bridged or OSPF for L3 routed connections, examples of PtMP failover in the documentation would be most helpful.
by tdw
Wed Apr 05, 2023 9:16 pm
Forum: Beginner Basics
Topic: Set up AP with VLAN's on an RB2011
Replies: 11
Views: 902

Re: Set up AP with VLAN's on an RB2011

As ether5 is a member of a bridge the VLAN setup is incorrect. If the VLANs are only going to be accessed via ether5 then remove the bridge port. However, if the VLANs are also going to be accessed via other interfaces the setup needs correcting: /interface vlan add interface= ether5 bridge name=VLA...
by tdw
Mon Apr 03, 2023 2:54 am
Forum: Beginner Basics
Topic: export/import ROS configuration
Replies: 7
Views: 2588

Re: export/import ROS configuration

Using verbose does include absolutely everything, which may generate conflicts - to see what a 'blank' configuration actually looks like try it on a Mikrotik after performing a /system reset-configuration no-defaults=yes ... If you use /export show-sensitive instead this only includes anything diffe...
by tdw
Sun Apr 02, 2023 7:28 pm
Forum: General
Topic: what am i missing. cannot get firewall working on ccr1036
Replies: 9
Views: 537

Re: what am i missing. cannot get firewall working on ccr1036

the use-ip-firewall needed to be set.. Yes. The IP firewall only operates on packets forwarded through, or input/output to/from, the Mikrotik itself. Enabling that setting forces packets bridged to be also processed unless handled by hardware offload (not applicable to the CCR1036). See packet flow...
by tdw
Sun Apr 02, 2023 3:44 pm
Forum: Beginner Basics
Topic: FIOS IPv6 issues [SOLVED]
Replies: 6
Views: 773

Re: FIOS IPv6 issues [SOLVED]

Remove
/ipv6 pool
add name=WAN6 prefix=::/56 prefix-length=64


this is likely creating a static pool with an address of zero giving rise to the invalid address being assigned to the bridge interface, the IPv6 DHCP client will dynamically create the pool when a prefix is acquired.
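The intended arrangement, as an added example rather than the poster's configuration: no hand-made entry under /ipv6 pool, the DHCPv6 client creates the pool when the delegation arrives, and the LAN address is taken from that pool. The WAN interface (ether1), the bridge name, and the assumption that the ISP delegates a prefix at all are assumptions; a minimal IPv6 forward firewall is included because a routed prefix exposes LAN hosts directly, which is the part people forget after years behind NAT.

```routeros
# Added example: DHCPv6 prefix delegation with a dynamically created pool.
# Do NOT add anything under /ipv6 pool by hand; "WAN6" below is created by the client.

/ipv6 dhcp-client
add interface=ether1 request=prefix pool-name=WAN6 pool-prefix-length=64 \
    add-default-route=yes use-peer-dns=yes

# A /64 is carved out of the delegated prefix; ::1 becomes the router's LAN address
# and the prefix is announced via router advertisements for SLAAC.
/ipv6 address
add interface=bridge from-pool=WAN6 address=::1/64 advertise=yes

# Minimal forward-chain policy: answer only what the LAN initiated.
/ipv6 firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward protocol=icmpv6 action=accept comment="PMTUD and ND need this"
add chain=forward in-interface=ether1 connection-state=new action=drop

# Verify: the pool must show the real delegated prefix, never ::/56
/ipv6 pool print
/ipv6 dhcp-client print detail
/ipv6 address print
```

If `/ipv6 pool print` still shows a static `::/56` entry after a reboot, it was saved in the configuration and must be removed; the dynamic pool carries a D flag.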
by tdw
Sun Apr 02, 2023 12:33 am
Forum: Beginner Basics
Topic: FIOS IPv6 issues [SOLVED]
Replies: 6
Views: 773

Re: FIOS IPv6 issues [SOLVED]

Is the WAN connectivity working, i.e. can you ping or traceroute from the Mikrotik to external IPv6 hosts? Something isn't correct as the LAN address isn't being assigned: 2 IG ::1/64 WAN6 bridge yes If you are only using DHCPv6 to hand out DNS, and potentially other DHCP options, there is no need t...
by tdw
Sat Apr 01, 2023 12:38 am
Forum: Beginner Basics
Topic: FIOS IPv6 issues [SOLVED]
Replies: 6
Views: 773

Re: FIOS IPv6 issues [SOLVED]

Unless you need a DHCPv6 server to hand out prefixes and other information to your devices it is not necessary to create one under /ipv6 dhcp-server - specifically it does not provide individual addresses, clients must use SLAAC, static addresses or another DHCPv6 server on your network. Do not set ...
by tdw
Fri Mar 31, 2023 9:39 pm
Forum: SwOS
Topic: LAG not all interfaces work [SOLVED]
Replies: 3
Views: 2711

Re: LAG not all interfaces work [SOLVED]

Replacing the CSS device with one which supports other hashing methods may help - it depends on the source and destination MAC, IP, TCP/UDP ports of the traffic in question, and how they vary for the traffic streams.
by tdw
Fri Mar 31, 2023 9:34 pm
Forum: General
Topic: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)
Replies: 14
Views: 1193

Re: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)

I would say the reverse - most switches will treat unknown multicast in the same way as broadcast and forward it to all ports, if they did not do this IPv6 would break. On managed switches there may be options to drop unknown multicast or filter certain multicast addresses. The Mikrotik CRS1xx/2xx d...
by tdw
Fri Mar 31, 2023 7:01 pm
Forum: General
Topic: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)
Replies: 14
Views: 1193

Re: Prevent multiple discovered neighbors per physical interface? (CDP/MNDP)

The only thing I have noticed is that when you configure discovery on VLAN interfaces, it shows that as the interface rather than a physical one.
See viewtopic.php?p=992390#p992390
by tdw
Wed Mar 29, 2023 11:06 pm
Forum: RouterOS beta
Topic: mikrotik sfp
Replies: 3
Views: 2253

Re: IPLOAD ISSUE IN BOODING BALANCE RR

Bonding is not load balancing. I would not use balance-rr on links with variable latency; even on fixed copper and fibre links you can get out-of-order packet delivery.
by tdw
Wed Mar 29, 2023 7:30 pm
Forum: General
Topic: Can't ping between subnets on the same bridge
Replies: 26
Views: 1113

Re: Can't ping between subnets on the same bridge

Multiple subnets on an interface (a.k.a. multinetting) is perfectly valid, but not common. Packets may be blocked by the firewall forward drop invalid rule as the packet is leaving the same interface it entered, or the devices you are pinging may not be responding - in particular Windows does not re...
by tdw
Wed Mar 29, 2023 7:16 pm
Forum: SwOS
Topic: LAG not all interfaces work [SOLVED]
Replies: 3
Views: 2711

Re: LAG not all interfaces work [SOLVED]

Likely working as designed, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-Problem.2 . You cannot change the transmit hash policy in SwOS, from the manual CSS610 "load balancing based only on Layer2 hashing" and CRS318 "load balancing bas...
by tdw
Wed Mar 29, 2023 6:31 pm
Forum: General
Topic: How can I create IKEv2 Client Interface in Mikrotik?
Replies: 1
Views: 262

Re: How can I create IKEv2 Client Interface in Mikrotik?

Mikrotik only implemented raw IPsec; there is no equivalent to Cisco VTI or the equivalents from other vendors. The typical workaround is to create an IPsec encapsulated IPIP or GRE tunnel; it is something of a bodge and can lead to greater protocol overheads.
by tdw
Mon Mar 27, 2023 4:21 am
Forum: Beginner Basics
Topic: Neighbour Discovery
Replies: 7
Views: 1458

Re: Neighbour Discovery

There are many factors involved... MNDP is encapsulated in a UDP packet with an IP destination of 255.255.255.255 (this network), sent with an ethernet broadcast destination address so is propagated to everything within a layer 2 network. CDP is encapsulated as LLC/SNAP with an OUI of 0x00000C and p...
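Since MNDP is broadcast to every host in the L2 domain, the practical consequence is to announce it, and the MAC-level management services that travel the same way, only on interfaces you trust. The following is an added example and not from the post; the interface list name "LAN" and the bridge membership are assumptions.

```routeros
# Added example: scope neighbour discovery and MAC-level services to trusted ports.
/interface list
add name=LAN
/interface list member
add list=LAN interface=bridge

# MNDP/CDP/LLDP are only sent on, and neighbours only learned from, LAN interfaces.
/ip neighbor discovery-settings
set discover-interface-list=LAN

# MAC-telnet and MAC-Winbox answer on the same broadcast domain; restrict them identically.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# Confirm what is still learned and on which interface it arrived:
/ip neighbor print detail
```

The uplink towards the ISP is deliberately left out of the list; a router that advertises its model, RouterOS version and management address to the upstream segment is handing out reconnaissance for free.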
by tdw
Sun Mar 26, 2023 7:59 pm
Forum: General
Topic: CRS112 and RSTP
Replies: 4
Views: 816

Re: CRS112 and RSTP

The firmware should handle untagged ethernet management frames (including spanning tree and the so-called slow protocols) regardless of the port settings. I currently don't have a CRS112 to check but in the past have not had an issue using configurations per the examples https://wiki.mikrotik.com/wi...
by tdw
Sun Mar 26, 2023 4:09 pm
Forum: General
Topic: CRS112 and RSTP
Replies: 4
Views: 816

Re: CRS112 and RSTP

STP/RSTP/MSTP traffic is untagged. If you have multiple paths in your topology they must all be configured with the same set of VLANs as STP/RSTP is unaware of them.
by tdw
Wed Mar 22, 2023 6:03 pm
Forum: Beginner Basics
Topic: Outside Network with Port 5060
Replies: 3
Views: 315

Re: Outside Network with Port 5060

Any public IP address will be scanned for services, be it SIP, SSH, Winbox, HTTP(S) or anything else.

Just restricting SIP to your provider's addresses is good practice to prevent direct access, unless you are running a SIP server which has to accept connections from anywhere.
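The restriction described above, as an added example that is not from the original post: inbound 5060 is only forwarded when it comes from the provider, everything else hitting the public address on that port is dropped and logged. The phone/PBX address 192.168.88.10, the provider range 203.0.113.0/24 and ether1 as the WAN port are assumptions; use the signalling addresses your provider publishes.

```routeros
# Added example: expose UDP 5060 only to the SIP provider.
/ip firewall address-list
add list=sip-provider address=203.0.113.0/24 comment="SIP provider signalling hosts (assumed)"

# Forward inbound SIP to the phone only when it originates from the provider.
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=5060 \
    src-address-list=sip-provider action=dst-nat to-addresses=192.168.88.10

# Everything else aimed at 5060 on the public address: drop, and log to see the scanners.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=5060 \
    src-address-list=!sip-provider action=drop log=yes log-prefix="sip-scan"

# The SIP helper rewrites SDP addresses and is a frequent source of one-way audio;
# most providers work better without it.
/ip firewall service-port
set sip disabled=yes

# Watch the log for a few minutes on any public address; the scanners show up quickly.
/log print where message~"sip-scan"
```

If the forward chain drops WAN-originated traffic by default, the usual `connection-nat-state=dstnat action=accept` rule is what lets the translated provider packets through; the RTP media ports are a separate matter and depend on whether the phone or the provider opens them.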
by tdw
Wed Mar 22, 2023 4:21 am
Forum: General
Topic: Plugging laptop into VLAN port, blocks bridge interface of other router.
Replies: 6
Views: 466

Re: Plugging laptop into VLAN port, blocks bridge interface of other router.

The addresses would initially be different so they must have been transferred across at some point. Use /interface ethernet [find] reset-mac-address to restore the inbuilt MAC addresses on the ethernet interfaces, other references (bridge admin, secondary wifi, L2 tunnel interfaces) have to be adjus...
by tdw
Wed Mar 22, 2023 3:04 am
Forum: General
Topic: Plugging laptop into VLAN port, blocks bridge interface of other router.
Replies: 6
Views: 466

Re: Plugging laptop into VLAN port, blocks bridge interface of other router.

Have you at some point imported a .backup from one of the Mikrotiks to the other? The mac-address=E4:8D:8C:7D:AF:xx settings under /interface ethernet suggest this, in which case you may have duplicate MACs which confuse the bridge/switch forwarding tables. There are also potential issues on devices...
by tdw
Mon Mar 20, 2023 4:28 pm
Forum: Beginner Basics
Topic: Help setting L2TP/IPSec 1700 MTU [SOLVED]
Replies: 9
Views: 1071

Re: Help setting L2TP/IPSec 1700 MTU [SOLVED]

Changing the MSS to match the L2TP tunnel MTU prevents fragmentation, note this is a different fragmentation to that which occurs if the encapsulated and encrypted L2TP data is larger than supported by the WAN connection. You need policy based routing to specify where traffic should be sent - either...
by tdw
Mon Mar 20, 2023 2:08 pm
Forum: General
Topic: Combined VLAN switch and router+switch on RB951
Replies: 3
Views: 705

Re: Combined VLAN switch and router+switch on RB951

It is difficult to say from seeing only a small part of the configuration. I wouldn't expect the LAN port settings to have to be changed.
by tdw
Mon Mar 20, 2023 1:50 pm
Forum: Beginner Basics
Topic: CRS326-24G-2S+ with two dhcp servers [SOLVED]
Replies: 13
Views: 1304

Re: CRS326-24G-2S+ with two dhcp servers [SOLVED]

The /ip dhcp-server network settings are incorrect, the gateway has to be within the subnet assigned unless you have manually configured static routes on each client.
by tdw
Mon Mar 20, 2023 1:43 pm
Forum: Beginner Basics
Topic: Help setting L2TP/IPSec 1700 MTU [SOLVED]
Replies: 9
Views: 1071

Re: Help setting L2TP/IPSec 1700 MTU [SOLVED]

Possibly fragmented packets are being dropped in transit. Setting the L2TP MTU so payload+L2TP+IPsec fit in a packet and using the PPP profile change-tcp-mss=yes setting without any additional mangle rules is sufficient, the MTU will be somewhere in the range 1380-1410. The IPsec data length varies ...
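A worked version of the MTU arithmetic in this and the earlier reply in the thread, as an added example that is not the poster's configuration. The overhead figures assume a 1500-byte WAN MTU, IPsec transport mode with AES-128-CBC and SHA1-96, NAT-T in use and PPP header compression negotiated; the pool, profile name and shared secret placeholder are assumptions.

```routeros
# Added example: L2TP/IPsec server sized so that payload + L2TP + IPsec fit in 1500 bytes.
# Per-packet overhead with the assumed ciphers:
#   outer IPv4 20 + NAT-T UDP 8 + ESP header 8 + IV 16 + ICV 12 + pad/trailer 2..17
#   + L2TP UDP 8 + L2TPv2 header 6..8 + PPP protocol 2        = 82..99 bytes
# 1500 - 99 = 1401, so 1400 leaves room for worst-case ESP padding (in the 1380-1410 band).
# With the PPP MTU at 1400, change-tcp-mss=yes clamps the MSS to fit it (1400 - 40 = 1360);
# no mangle rule is needed.

/ip pool
add name=l2tp-pool ranges=10.99.0.10-10.99.0.100

/ppp profile
add name=l2tp-profile change-tcp-mss=yes local-address=10.99.0.1 remote-address=l2tp-pool

/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret="<shared-secret>" \
    max-mtu=1400 max-mru=1400 default-profile=l2tp-profile

# Verify on a connected client: a DF ping at the MTU passes, one byte more must fail.
/interface l2tp-server print detail
/ping 10.99.0.10 size=1400 do-not-fragment
/ping 10.99.0.10 size=1401 do-not-fragment
```

Stronger integrity (SHA-256 ICV of 16 bytes) or a larger block cipher changes the figures by a few bytes, which is why the post gives a range rather than a single number; the two DF pings are the quick way to confirm the value chosen for the path actually in use.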