Search found 887 matches

by tdw
Mon Jul 26, 2021 3:46 pm
Forum: General
Topic: vlan by mac address on LAN with multiple mikrotik switches
Replies: 11
Views: 228

Re: vlan by mac address on LAN with multiple mikrotik switches

So 802.1X MAC-based authorisation then; per the second paragraph in my previous post it is completely transparent to the devices being plugged in.
by tdw
Mon Jul 26, 2021 2:33 pm
Forum: General
Topic: vlan by mac address on LAN with multiple mikrotik switches
Replies: 11
Views: 228

Re: vlan by mac address on LAN with multiple mikrotik switches

Windows requires the inbuilt supplicant to be running in order to handle EAPOL for EAP username/password or certificate-based connection. I don't know if it is enabled by default, it wasn't on older versions of Windows. For 802.1X MAC-based authorisation (there is no authentication as MACs can easil...
by tdw
Thu Jul 15, 2021 4:11 pm
Forum: Beginner Basics
Topic: One VLAN not working in a sub-switch
Replies: 10
Views: 767

Re: One VLAN not working in a sub-switch

Having sorted out the issues which can arise from multiple bridges there shouldn't be any need to disable RSTP. Even without adjusting the priorities to ensure that the 4011 is the root bridge and setting edge ports to remove the delay before traffic is forwarded there is no obvious reason why it sh...
by tdw
Fri Jul 09, 2021 3:57 pm
Forum: General
Topic: Ethernet Broadcast packets on CRS125
Replies: 9
Views: 509

Re: Ethernet Broadcast packets on CRS125

UDP broadcast traffic is L3, so the L3 firewall still applies if your traffic takes the bridge input path rather than the bridge forward path. I'm not certain, but I think your packets take both paths: forward from ether2, where it gets broadcast flooded, then input to ether1. No it is a UDP IP pa...
by tdw
Fri Jul 09, 2021 2:32 pm
Forum: Beginner Basics
Topic: DHCP Client and tagged or untagged access port [SOLVED]
Replies: 6
Views: 574

Re: DHCP Client and tagged or untagged access port [SOLVED]

CRS3xx only support hardware offload on a single bridge. You can use the bridge for both your 'WAN' and 'VLAN' traffic. Under /interface bridge port add new entries add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=etherX for ether1-8 include frame...
by tdw
Fri Jul 09, 2021 1:55 pm
Forum: General
Topic: dot1x interface not available on certain routerOS?
Replies: 1
Views: 293

Re: dot1x interface not available on certain routerOS?

AFAIK dot1x was removed from the SMIPS architecture builds used by RB931 & RB941 from v6.45.3 onwards as they have insufficient storage.
by tdw
Fri Jul 09, 2021 1:41 pm
Forum: Beginner Basics
Topic: Cant get port forwarding to work [SOLVED]
Replies: 3
Views: 439

Re: Cant get port forwarding to work [SOLVED]

Likely your ISP is using CGNAT to reduce the number of public IPv4 addresses they require, where multiple clients with 'WAN' addresses in the range 100.64.0.0 - 100.127.255.255 share a single public IP. Port forwarding is not possible with this, you will have to ask your ISP if they can provide publ...
by tdw
Thu Jul 08, 2021 8:27 pm
Forum: General
Topic: Ethernet Broadcast packets on CRS125
Replies: 9
Views: 509

Re: Ethernet Broadcast packets on CRS125

The bridge setup is a mess - you have no connectivity between bridge containing ether2-24 plus sfp1, and bridge1 containing ether1. Remove the extra bridges, move the other interfaces from them to bridge, configure wlan1 VLAN membership.
by tdw
Thu Jul 08, 2021 4:06 pm
Forum: Beginner Basics
Topic: One VLAN not working in a sub-switch
Replies: 10
Views: 767

Re: One VLAN not working in a sub-switch

Likely suffering from https://help.mikrotik.com/docs/display/ ... figuration - replace the multiple bridges on the 4011 with a single VLAN-aware bridge, disabling RSTP everywhere might be a quick bodge.
by tdw
Wed Jul 07, 2021 5:12 pm
Forum: Beginner Basics
Topic: RB750 Switch plus VLAN functionality [SOLVED]
Replies: 15
Views: 871

Re: RB750 Switch plus VLAN functionality [SOLVED]

It is odd it took so long to start working as there just didn't appear to be anything wrong, maybe some cached connection/routing/arp data which had to expire.
by tdw
Tue Jul 06, 2021 2:53 pm
Forum: Beginner Basics
Topic: RB750 Switch plus VLAN functionality [SOLVED]
Replies: 15
Views: 871

Re: RB750 Switch plus VLAN functionality [SOLVED]

Something odd going on there, what does /ip address print and /ip route print show?
by tdw
Mon Jul 05, 2021 9:09 pm
Forum: Beginner Basics
Topic: RB750 Switch plus VLAN functionality [SOLVED]
Replies: 15
Views: 871

Re: RB750 Switch plus VLAN functionality [SOLVED]

Selecting a VLAN interface won't work - ping will attempt to send the request from that interface. Instead of selecting an Interface on the General tab you can enter an address of one of the VLANs, e.g. 192.168.30.1, as the Src. Address on the Advanced tab. If that is successful try from one of your...
by tdw
Mon Jul 05, 2021 8:03 pm
Forum: Beginner Basics
Topic: RB750 Switch plus VLAN functionality [SOLVED]
Replies: 15
Views: 871

Re: RB750 Switch plus VLAN functionality [SOLVED]

With either of those in place can you successfully ping or traceroute from the Mikrotik itself to the internet (e.g. 8.8.8.8 or 1.1.1.1), and what does a traceroute from any VLAN client show?
by tdw
Mon Jul 05, 2021 3:51 pm
Forum: Beginner Basics
Topic: RB750 Switch plus VLAN functionality [SOLVED]
Replies: 15
Views: 871

Re: RB750 Switch plus VLAN functionality [SOLVED]

Clients with no VLAN-ID gets internet access on ether 2 - 5 Clients with VLAN-ID gets DHCP IP on ether 2 - 5 but no internet access Added a masquerade rule on the Bridge as ether1 is included within the Bridge to no avail. Any input would be much appreciated to get this resolve to why the VLAN Clie...
by tdw
Mon Jul 05, 2021 1:30 pm
Forum: Beginner Basics
Topic: Separating an AP from the LAN
Replies: 2
Views: 328

Re: Separating an AP from the LAN

I'm fully lost as honestly this whole bridge concept is something I don't really understand. Could someone please explain how should I make the LAN isolation happen and let the AP clients reaching only the internet? Thanks :) A bridge is effectively a network switch, and in its basic form traffic ca...
by tdw
Mon Jul 05, 2021 1:15 pm
Forum: Beginner Basics
Topic: AP config with guest network to existing VLAN
Replies: 5
Views: 394

Re: AP config with guest network to existing VLAN

Multiple bridges is the 'old way' of doing things and can cause numerous issues https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration There is nothing wrong with using VLAN 1, especially untagged, however it can catch out even the experienced as it is the default VLAN ID for bridges and...
by tdw
Sat Jul 03, 2021 3:55 pm
Forum: Beginner Basics
Topic: Mikrotik + freeradius auth with /etc/shadow
Replies: 2
Views: 368

Re: Mikrotik + freeradius auth with /etc/shadow

As of v6.43 the login service RADIUS authentication uses MS-CHAPv2 so your radius server needs either plaintext or NTLM password hashes, it is impossible to use any salted hashes.
by tdw
Fri Jul 02, 2021 9:39 pm
Forum: Beginner Basics
Topic: Tunneling VLAN traffic over Wireguard
Replies: 18
Views: 1156

Re: Tunneling VLAN traffic over Wireguard

AFAIK Wireguard is a layer 3 VPN so there is no concept of VLANs - it will route packets between different subnets at each end and firewall rules can be used to restrict which subnets can communicate with each other. If you really need to extend the layer 2 domain then VxLAN, GRETAP or in the Mikrot...
by tdw
Fri Jul 02, 2021 4:53 pm
Forum: Beginner Basics
Topic: CRS326-24S+2Q+: IGMP-Snooping, Bridges, VLAN
Replies: 6
Views: 637

Re: CRS326-24S+2Q+: IGMP-Snooping, Bridges, VLAN

Is it possible to use more than one Bridge on a single interface? No. As with anything linux-based a physical interface port can only be a member of one bridge. AFAIK Mikrotik do not support per-VLAN IGMP snooping, it is an all-or-nothing setting on the bridge. Would a multicast querier on your Cre...
by tdw
Fri Jul 02, 2021 3:46 pm
Forum: General
Topic: SSTP vs PPTP poor RDP responsiveness
Replies: 7
Views: 529

Re: SSTP vs PPTP poor RDP responsiveness

SSTP and PPTP both use PPP underneath. There is a slightly greater overhead in the TLS encapsulation used by SSTP compared with GRE used by PPTP, but it could be network congestion triggering TCP-in-TCP meltdown - this is a fundamental issue with TCP-based VPNs. As SSTP and the Mikrotik OpenVPN impl...
by tdw
Fri Jul 02, 2021 2:41 pm
Forum: General
Topic: Logitech Flow between different subnets
Replies: 2
Views: 352

Re: Logitech Flow between different subnets

Broadcast packets are never routed, discovery protocols such as this only work within a particular LAN or VLAN. Your quote suggests that Logitech have a backup method for devices in different broadcast domains 'computers that are behind routers or firewalls', but they do not say if that works if the...
by tdw
Fri Jul 02, 2021 2:26 pm
Forum: Scripting
Topic: CRS - VLAN - Add untagged interfaces via script
Replies: 9
Views: 902

Re: CRS - VLAN - Add untagged interfaces via script

There isn't actually any need to set untagged= membership under /interface bridge vlan, they will be added dynamically from the pvid= settings under /interface bridge port
by tdw
Wed Jun 30, 2021 6:47 pm
Forum: General
Topic: Weird warning with bridge config regarding VLANs [SOLVED]
Replies: 9
Views: 814

Re: Weird warning with bridge config regarding VLANs [SOLVED]

If /interface bridge vlan print does not show any ports in the CURRENT-UNTAGGED column when that error is displayed it could be a bug. wlan interfaces themselves have options for VLAN tagging so it may be a historic artefact.
by tdw
Wed Jun 30, 2021 1:30 pm
Forum: General
Topic: Weird warning with bridge config regarding VLANs [SOLVED]
Replies: 9
Views: 814

Re: Weird warning with bridge config regarding VLANs [SOLVED]

It isn't the CAP configuration, it relates to having untagged= entries under /interface bridge vlan on rows which specify more than a single value for vlan-ids=. See the warning regarding this here https://help.mikrotik.com/docs/display/ROS/Bridge#Bridge-BridgeVLANtable Separating the bridge VLANs ...
by tdw
Sun Jun 27, 2021 5:53 pm
Forum: SwOS
Topic: SwOS LAG work? on VLANS
Replies: 4
Views: 910

Re: SwOS LAG work? on VLANS

The issue is described here https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#Bonding_between_Wireless_links Using a variant of this with differing VLAN IDs for the bonded traffic would allow them to be passed to Router B for bonding, the CRS doesn't need any special LAG/bonding setup. R...
by tdw
Thu Jun 24, 2021 3:09 pm
Forum: Beginner Basics
Topic: Hap ac2 Vlan DHCP problem
Replies: 9
Views: 740

Re: Hap ac2 Vlan DHCP problem

No - the bridge-to-CPU interface is a trunk port too, so
/interface bridge vlan
add bridge=BR1 tagged=BR1 vlan-ids=10
add bridge=BR1 tagged=BR1 vlan-ids=20
add bridge=BR1 tagged=BR1 vlan-ids=99
by tdw
Thu Jun 24, 2021 4:13 am
Forum: Beginner Basics
Topic: Hap ac2 Vlan DHCP problem
Replies: 9
Views: 740

Re: Hap ac2 Vlan DHCP problem

There doesn't appear to be any /interface bridge vlan configuration present - the untagged VLAN membership will be generated automatically from the port PVID settings, but the tagged membership on the bridge-to-cpu interface will be missing hence no connectivity, DHCP, etc.
by tdw
Tue Jun 22, 2021 1:38 am
Forum: General
Topic: Lte passthrough not working...
Replies: 5
Views: 367

Re: Lte passthrough not working...

Why the odd MTU setting on the LTE interface?

You could try disabling VLAN filtering on the bridge, I had an issue where passthrough wouldn't connect with it enabled but didn't have chance to investigate in detail as to why.
by tdw
Sat Jun 19, 2021 3:46 pm
Forum: General
Topic: RouterOS questions
Replies: 3
Views: 665

Re: RouterOS questions

Or RADIUS
by tdw
Thu Jun 17, 2021 10:17 pm
Forum: Beginner Basics
Topic: Management interface and general logic behind interfaces
Replies: 3
Views: 461

Re: Management interface and general logic behind interfaces

Well, what I meant by “Out-Of-Band” is an independent Network port which is hard-wired for management only and cannot be used for something else (e.g. routing or traffic processing). OK, so dedicated ethernet rather than some other interface technology (USB, serial, etc.) I admit, a dedicated manage...
by tdw
Tue Jun 15, 2021 5:02 pm
Forum: General
Topic: Single WAN PPPoE, multiple WAN IPs distribution
Replies: 2
Views: 323

Re: Single WAN PPPoE, multiple WAN IPs distribution

There are several methods, e.g. a 'WAN' subnet linking A to B and A to C, NAT, PPPoE server & clients - it depends on your network architecture strategy and where you are going to implement firewall and NAT. That sketch shows Mikrotik A LAN IP 10.0.1.1/16 which overlaps with Mikrotik B & C ...
by tdw
Tue Jun 15, 2021 3:47 pm
Forum: Beginner Basics
Topic: Management interface and general logic behind interfaces
Replies: 3
Views: 461

Re: Management interface and general logic behind interfaces

It depends on what you mean by out-of-band as there is a serial console socket on the rear next to the power connector, USB-to-serial interfaces can also be used to provide additional serial ports. The physical ports are connected via switch chips to the CPU and use port-based VLANs (not 802.1Q) to ...
by tdw
Tue Jun 15, 2021 1:14 pm
Forum: General
Topic: DHCP Client and RoMON on CRS326 using post 6.41 VLAN switch configuration [SOLVED]
Replies: 2
Views: 435

Re: DHCP Client and RoMON on CRS326 using post 6.41 VLAN switch configuration [SOLVED]

You have omitted to include the bridge-to-CPU interface under /interface bridge vlan so packets are unable to pass from the switch-like role of the bridge to any services provided by the CPU, https://forum.mikrotik.com/viewtopic.php?f=2&t=173692 is a good description of bridges on Mikrotiks. For...
by tdw
Mon Jun 14, 2021 2:17 pm
Forum: General
Topic: RSTP question about backup port? [SOLVED]
Replies: 6
Views: 732

Re: RSTP question about backup port? [SOLVED]

AFAIK no, devices with ports facing towards root bridge elect which of those is passing traffic and which is blocking.
by tdw
Sun Jun 13, 2021 3:57 pm
Forum: General
Topic: VLAN across bridges
Replies: 10
Views: 526

Re: VLAN across bridges

This sounds really weird, and I would think there should be another way to do this... That's why I said directly share. There are numerous bodges - bringing out the VLAN on physical ports and connecting them per your post; abusing a VLAN interface by attaching it to one bridge and including it as a...
by tdw
Sun Jun 13, 2021 12:50 pm
Forum: General
Topic: VLAN across bridges
Replies: 10
Views: 526

Re: VLAN across bridges

You cannot directly share VLANs between bridges - VLAN 10 on bridge 1 and VLAN 10 on bridge 2 are completely independent ethernet / layer 2 networks.
by tdw
Fri Jun 11, 2021 8:58 pm
Forum: General
Topic: RSTP question about backup port? [SOLVED]
Replies: 6
Views: 732

Re: RSTP question about backup port? [SOLVED]

I don't immediately have access to a complex enough setup to check, but I expect backup would apply to blocked links between leaf nodes.
by tdw
Fri Jun 11, 2021 6:27 pm
Forum: General
Topic: RSTP question about backup port? [SOLVED]
Replies: 6
Views: 732

Re: RTSP question about backup port? [SOLVED]

Presumably you meant RSTP (Rapid Spanning Tree Protocol) and not RTSP (Real-Time Streaming Protocol) in the topic title. Port designation is per the protocol design: root-port - port that is facing towards the root bridge and will be used to forward traffic from/to the root bridge. alternate-port - p...
by tdw
Fri Jun 11, 2021 11:14 am
Forum: General
Topic: Routing for clients assigned public IP via pppoe
Replies: 9
Views: 607

Re: Routing for clients assigned public IP via pppoe

What do /ip route print and /ip arp print show?

setting a computer to 1.2.3.201 and connecting it to the switch allows me to ping the client's public IP
Can the PPPoE client also ping 1.2.3.201 successfully?
by tdw
Fri Jun 11, 2021 12:10 am
Forum: General
Topic: OVPN site-to-site return route ?
Replies: 6
Views: 512

Re: OVPN site-to-site return route ?

No, Mikrotiks do not use .ovpn so either the server netmask, or add static routes on the client Mikrotik via the ovpn interface
by tdw
Thu Jun 10, 2021 5:53 pm
Forum: Beginner Basics
Topic: 2 Existing Wireless Backhauls - need bonded
Replies: 4
Views: 600

Re: 2 Existing Wireless Backhauls - need bonded

The radio links may not be transparent to LACP, the so-called 'slow protocols' need 802.1ad provider bridge support (not to be confused with 802.3ad LACP) to propagate across devices. Additionally when you set up a bond you may lose management access to some of the radios, a common cheat is to hav...
by tdw
Thu Jun 10, 2021 12:13 pm
Forum: General
Topic: Routing for clients assigned public IP via pppoe
Replies: 9
Views: 607

Re: Routing for clients assigned public IP via pppoe

There is nothing wrong with using 1.2.3.2 for both ether1 and as the local address for the PPPoE client connections. Presumably 1.2.3.x/24 is just a fake range you are using to describe the situation rather than your real public IP addresses. I tried enabling it just on one interface and I was not a...
by tdw
Thu Jun 10, 2021 1:21 am
Forum: General
Topic: Multiple RADIUS servers
Replies: 8
Views: 650

Re: Multiple RADIUS servers

It probably needs some testing - it isn't clear if that setting adds a realm / user domain if none is present in the username, and/or will direct requests for a realm / user domain to a particular server.
by tdw
Wed Jun 09, 2021 7:57 pm
Forum: Beginner Basics
Topic: Winbox won't connect from VLAN [SOLVED]
Replies: 4
Views: 636

Re: Winbox won't connect from VLAN [SOLVED]

All of the /interface bridge vlan settings, plus the pvid= settings under /interface bridge and /interface bridge port have no effect unless vlan-filtering=yes You have also still omitted the bridge-to-CPU interface from /interface bridge vlan so packets are unable to pass from the switch-like role ...
by tdw
Wed Jun 09, 2021 7:36 pm
Forum: General
Topic: Routing for clients assigned public IP via pppoe
Replies: 9
Views: 607

Re: Routing for clients assigned public IP via pppoe

Nothing obvious, the default route is sufficient for all traffic which arrives at the Mikrotik. Are there any firewall rules which you have omitted to show? Whilst you need proxy-arp on ether1 for the WAN IP range, it would not be necessary on ether2 if the LAN IP range did not overlap with the priv...
by tdw
Wed Jun 09, 2021 7:13 pm
Forum: Beginner Basics
Topic: 5G not active after CAP enabled
Replies: 3
Views: 455

Re: 5G not active after CAP enabled

On the CAPsMAN Mikrotik under CAPsMAN > CAP Interface you should see a list of the remote radio interfaces, you can open these and check the Current State entry on the Status tab - it should say running-ap when operating. Not all of the CAP settings are controlled from CAPsMAN so there may be differ...
by tdw
Wed Jun 09, 2021 4:05 pm
Forum: Beginner Basics
Topic: Winbox won't connect from VLAN [SOLVED]
Replies: 4
Views: 636

Re: Winbox won't connect from VLAN [SOLVED]

Because you have only configured the VLAN on the external bridge ports and missed the implicit bridge-to-CPU port setup for management access per https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Management_access_configuration , see https://forum.mikrotik.com/viewtopic.php?f=2&t=173692 for...
by tdw
Wed Jun 09, 2021 1:36 pm
Forum: General
Topic: OVPN site-to-site return route ?
Replies: 6
Views: 512

Re: OVPN site-to-site return route ?

You can include them in the .ovpn configuration, e.g. route 192.168.99.0 255.255.255.0 vpn_gateway

If it is a contiguous block of addresses, of which the VPN tunnel is part, you can use the netmask= parameter in the Mikrotik OpenVPN server settings.
by tdw
Wed Jun 09, 2021 1:20 pm
Forum: General
Topic: Ovpn - verify server certificate issue [SOLVED]
Replies: 11
Views: 828

Re: Ovpn - verify server certificate issue [SOLVED]

If you provide a CRL host it should actually serve a CRL, otherwise there is no point specifying it. Also, from a number of forum posts a number of people have found that using the 'server' Mikrotik address or loopback IP for a CRL is fine until you replace that Mikrotik, when despite importing back...
by tdw
Tue Jun 08, 2021 11:07 pm
Forum: Beginner Basics
Topic: HAP Ac2 - cannot ping internet from local eth ports
Replies: 3
Views: 520

Re: HAP Ac2 - cannot ping internet from local eth ports

Yes. Just assign an IP address to the bridge for local management access. To access addresses outside of the subnet, e.g. to download new firmware, you also need to set a default route pointing to the router (the Bullet in this case). I haven't got a link to hand but if you search the forums there a...
by tdw
Tue Jun 08, 2021 11:02 pm
Forum: General
Topic: Ovpn - verify server certificate issue [SOLVED]
Replies: 11
Views: 828

Re: Ovpn - verify server certificate issue [SOLVED]

3. Create server certificate.
with which key usage flags?

In Client:
1. Import CA certificate (LAT)
When importing the CA created without a CRL host I would expect the flags to be AT
by tdw
Tue Jun 08, 2021 1:59 pm
Forum: General
Topic: VLAN1 is not working with Cisco Switch
Replies: 10
Views: 688

Re: VLAN1 is not working with Cisco Switch

For MT devices, the vlan1 is the bridge default vlan which is left as is (the default). NO DATA SHOULD RUN through vlan1. That is just your opinion. It is perfectly possible to use VLAN 1 untagged or tagged on Mikrotiks - you just have to be aware that Mikrotik vlan-aware bridge and bridge ports de...
by tdw
Tue Jun 08, 2021 11:53 am
Forum: General
Topic: Multiple RADIUS servers
Replies: 8
Views: 650

Re: Multiple RADIUS servers

Install FreeRADIUS on a local machine, configure as a proxy server to direct requests to the appropriate NPS instance based on the request realm
by tdw
Mon Jun 07, 2021 10:40 pm
Forum: Beginner Basics
Topic: HAP Ac2 - cannot ping internet from local eth ports
Replies: 3
Views: 520

Re: HAP Ac2 - cannot ping internet from local eth ports

You can't have the same subnet assigned to more than one interface, in this case the 'WAN' / ether1 and 'LAN' / bridge - the router has no idea which interface a device using an address in that subnet is attached to. If you are happy with the Bullet providing DHCP and DNS just configure the hAP as a...
by tdw
Mon Jun 07, 2021 6:07 pm
Forum: General
Topic: Ovpn - verify server certificate issue [SOLVED]
Replies: 11
Views: 828

Re: Ovpn - verify server certificate issue [SOLVED]

AFAIK Mikrotik abuse the A flag somewhat - it only appears on CAs generated on a Mikrotik, not on those generated elsewhere and imported. If you generate a CA certificate on one Mikrotik, export it without key, then import onto another Mikrotik the flags are AT (without a CRL) or LAT (with a CRL). I...
by tdw
Sun Jun 06, 2021 10:06 pm
Forum: Beginner Basics
Topic: L2TP/Ipsec into Single VLAN
Replies: 5
Views: 516

Re: L2TP/Ipsec into Single VLAN

I'm not sure how you managed to successfully connect to the VPN server at all if you did not permit UDP 500 & 4500 (for IKE & NAT-T), IPsec-ESP protocol for the IPsec traffic and UDP 1701 (ideally with IPsec policy in:ipsec so only accessible over IPsec) beforehand. That aside, the point I w...
by tdw
Sun Jun 06, 2021 9:24 pm
Forum: General
Topic: someone hack my routrs - can someone help?
Replies: 15
Views: 1855

Re: someone hack my routrs - can someone help?

using old mikrotik routers RB411 I have tried to upgrade 3 of them to version 6.48 - the cpu is 100% and mikrotik said it can't be done. RB4xx are still listed under MIPSBE on the downloads page, if you upgraded a compromised router there may be some malware which doesn't work well in newer version...
by tdw
Sun Jun 06, 2021 7:38 pm
Forum: General
Topic: Ovpn - verify server certificate issue [SOLVED]
Replies: 11
Views: 828

Re: Ovpn - verify server certificate issue [SOLVED]

Can the client Mikrotik check the CRL as you have L flags on the certificates? With certificates and keys generated using OpenSSL with no CRL, then importing CA certificate to server & clients Mikrotiks (has T flag) and importing server certificate to server Mikrotik (has KT flags) works, not us...
by tdw
Sun Jun 06, 2021 3:44 pm
Forum: General
Topic: [Solved] Unexpectedly tricky VLAN setup
Replies: 4
Views: 453

Re: Unexpectedly tricky VLAN setup

As you have
/interface ethernet switch vlan
...
add ports=ether2,ether5,sfp10 vlan-id=30

then you likely want
/interface ethernet switch egress-vlan-tag
...
add tagged-ports=ether2,ether5,sfp10 vlan-id=30

otherwise the VLAN ID 30 tag is stripped on egress from ether2 and ether5 on the CRS
by tdw
Sat Jun 05, 2021 11:15 pm
Forum: General
Topic: Help with L2TP connection - Can't see other LAN devices
Replies: 18
Views: 948

Re: Help with L2TP connection - Can't see other LAN devices

Random videos and blogs found on the internet are often outdated, inaccurate, not optimal, or just wrong. There are no native layer 2 / ethernet VPNs available in Windows, PPP-like VPNs (L2TP, SSTP, PPTP) use point-to-point connections with a /32 IP at each end of the link, they are never part of a ...
by tdw
Sat Jun 05, 2021 9:00 pm
Forum: Beginner Basics
Topic: L2TP/Ipsec into Single VLAN
Replies: 5
Views: 516

Re: L2TP/Ipsec into Single VLAN

You only require proxy-arp when remote VPN client addresses overlap with a subnet on an ethernet interface, so required for Office_VLAN to communicate with VPN clients using addresses from L2TP-Pool . Adding bridge settings to entries under /ppp profile is not necessary - this enables BCP for remote...
by tdw
Fri Jun 04, 2021 12:29 pm
Forum: Beginner Basics
Topic: trying to isolate ether5 from bridge on ether2-4
Replies: 15
Views: 1337

Re: trying to isolate ether5 from bridge on ether2-4

You are missing an IP address for the new network on ether5
/ip address
add address=192.168.89.1/24 interface=ether5

then the DHCP server network has been incorrectly/incompletely defined
add gateway=0.0.0.1
should be
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1
by tdw
Wed Jun 02, 2021 10:31 pm
Forum: General
Topic: WLAN SSIDs attached to VLANs
Replies: 17
Views: 1053

Re: WLAN SSIDs attached to VLANs

As you have found extra care should be taken when using VLAN 1 tagged - any ports added to a vlan-aware bridge, plus the implicit bridge-to-CPU port, are by default made untagged members of VLAN 1 unless additional configuration options are specified. It is frequently suggested that VLAN 1 be avoide...
by tdw
Wed Jun 02, 2021 2:14 pm
Forum: Beginner Basics
Topic: VPN Blocking "random" access to remote IPs [SOLVED]
Replies: 3
Views: 487

Re: VPN Blocking "random" access to remote IPs [SOLVED]

Yes, source (192.186.100.0/24) and destination (192.168.0.0/24) addresses on the General tab, but also on the Action tab change Action to masquerade. The equivalent command in a terminal window is /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.100....
by tdw
Wed Jun 02, 2021 2:50 am
Forum: Beginner Basics
Topic: VPN Blocking "random" access to remote IPs [SOLVED]
Replies: 3
Views: 487

Re: VPN Blocking "random" access to remote IPs [SOLVED]

Yes, if the cameras and controller/recorder are in the same subnet they do not require a gateway setting - it is only used for communication outside of the subnet, e.g. with your VPN. If this is the case you should be able to ping the cameras from the Mikrotik to which they are attached. You could a...
by tdw
Wed Jun 02, 2021 1:23 am
Forum: General
Topic: WLAN SSIDs attached to VLANs
Replies: 17
Views: 1053

Re: WLAN SSIDs attached to VLANs

A slight hurdle is that you need to "admit all" VLANs on the ether1 port, I guess since incoming packets are a mixture of untagged and tagged ones. Yes. I do not understand yet where/why the vlan tags are removed for the interfaces wlan15 and wlan25. Is this the result of the configurati...
by tdw
Tue Jun 01, 2021 8:09 pm
Forum: General
Topic: any working dhcp - client ipv6 working example?
Replies: 8
Views: 665

Re: any working dhcp - client ipv6 working example?

If there is not support for ipv6 dhcp server ... why is it available on ipv6 menu ? And. How can I automatically pass default gateway without dhcp server ? how should I pass default gateway to client using SLAAC ? Devices pick up the gateway from the periodic Router Advertisement (RA) multicast ICMP...
by tdw
Tue Jun 01, 2021 7:26 pm
Forum: Wireless Networking
Topic: add Hybrid-Port (wired VLAN) to CAP [SOLVED]
Replies: 6
Views: 1067

Re: add Hybrid-Port (wired VLAN) to CAP [SOLVED]

wifi clients can connect to the AP, but will not receive an IP from the DHCP-Server in their respective VLAN (SSID with default VLAN 1 works, though). That configuration has VLAN 1 untagged plus VLAN 11 tagged on ether1, VLAN 11 untagged on ether2, and only VLAN 1 on the implicit CPU bridge port. I...
by tdw
Tue Jun 01, 2021 1:46 pm
Forum: Beginner Basics
Topic: Hardware-Offload [SOLVED]
Replies: 8
Views: 676

Re: Hardware-Offload [SOLVED]

Hardware offload only applies to traffic between ethernet ports passing through the switch chip. Traffic between an ethernet port and the radio has to be handled by the CPU as the wireless drivers run on it. Likewise on the CRS3xx devices hardware offload does not apply to traffic being routed, fire...
by tdw
Mon May 31, 2021 11:46 pm
Forum: Beginner Basics
Topic: MikroTik PPPoE to BT Fibre 900 FTTP
Replies: 2
Views: 302

Re: MikroTik PPPoE to BT Fibre 900 FTTP

Random videos and blogs are often outdated, less than optimal, insecure and sometimes just wrong. IPv6 is an optional nice-to-have, it is not required for basic connectivity. Starting from factory defaults all you should need to do is add a PPPoE client interface and then add that interface to the W...
by tdw
Mon May 31, 2021 7:20 pm
Forum: Beginner Basics
Topic: Trying to setup a guest WiFi with 2 RBs
Replies: 8
Views: 572

Re: Trying to setup a guest WiFi with 2 RBs

With multiple bridges likely one of the issues discussed here https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration , recommended practice is a single VLAN-aware bridge, there is a good primer here https://forum.mikrotik.com/viewtopic.php?t=143620 . As ever without seeing your existing ...
by tdw
Mon May 31, 2021 1:21 pm
Forum: General
Topic: Option 132 for voice vlan doen't work [SOLVED]
Replies: 8
Views: 588

Re: Option 132 for voice vlan doen't work [SOLVED]

The DHCP option should be part of the /ip dhcp-server network settings for the untagged network to which the phone is connected. The phone will initially make a DHCP request on the untagged network, see the option in the reply, switch to using the specified VLAN and make a second DHCP request. Depen...
by tdw
Fri May 28, 2021 10:14 pm
Forum: Scripting
Topic: Export in script bombing after update to 6.48.2 [SOLVED]
Replies: 5
Views: 1021

Re: Export in script bombing after update to 6.48.2 [SOLVED]

From the changelog:
*) console - require "write+ftp" permissions for exporting configuration to file;
by tdw
Fri May 28, 2021 7:04 pm
Forum: General
Topic: VLAN Untagging
Replies: 5
Views: 467

Re: VLAN Untagging

It is the old-style method of bridging ports and VLANs which can result in layer 2 misconfiguration problems https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_in_bridge_with_a_physical_interface - a quick fix is to disable spanning tree on the bridge, using a single VLAN-aware bridg...
by tdw
Fri May 28, 2021 6:48 pm
Forum: Beginner Basics
Topic: VLAN configuration on CRS354
Replies: 2
Views: 294

Re: VLAN configuration on CRS354

@dabuv A configuration fragment you have then added to the switch does not reveal the actual configuration, posting the exported config does. In that fragment port 48 is also an untagged member of VLAN 1 due to pvid=1 automatically being added as the default, use ingress-filtering=yes frame-types=ad...
by tdw
Fri May 28, 2021 1:26 pm
Forum: General
Topic: Lost camera connection via VPN after reboot/lost pptp connection [SOLVED]
Replies: 2
Views: 417

Re: Lost camera connection via VPN after reboot/lost pptp connection [SOLVED]

Interfaces of the form <someinterfacename> are dynamic and references to them will not persist as the interface index changes each time a dynamic interface is created. You can use server bindings which create a static interface associated with a (user)name already defined in PPP Secrets , the PPP Pr...
by tdw
Thu May 27, 2021 4:51 pm
Forum: General
Topic: PPTP VPN Netbios/DNS Issue
Replies: 5
Views: 381

Re: PPTP VPN Netbios/DNS Issue

As the Mikrotik is using Google DNS servers and you are also passing the Google DNS servers to DHCP clients there are no local DNS entries to be looked up by VPN clients. Also, as the PPP profile does not contain any DNS server definitions the Mikrotik will pass its own address to VPN clients which ...
by tdw
Thu May 27, 2021 12:29 pm
Forum: General
Topic: PPTP VPN Netbios/DNS Issue
Replies: 5
Views: 381

Re: PPTP VPN Netbios/DNS Issue

As you have found changing the type of VPN will not fix a configuration error in issuing DHCP server information to the client. Overlapping the office LAN subnet range with the VPN clients introduces additional complexity, requiring proxy-arp otherwise devices on the subnet are unable to communicate...
by tdw
Thu May 27, 2021 1:35 am
Forum: Beginner Basics
Topic: L2TP server to use same pool as LAN
Replies: 5
Views: 451

Re: L2TP server to use same pool as LAN

When you share addresses between a local subnet and remote devices connected by an IP VPN (so L2TP, OVPN tun, SSTP or PPTP) the local devices will use ARP and this is unsuccessful for the remote devices. Use proxy-arp on the interface, or parent bridge if used, for the local subnet.
by tdw
Thu May 27, 2021 1:21 am
Forum: General
Topic: PPTP VPN Netbios/DNS Issue
Replies: 5
Views: 381

Re: PPTP VPN Netbios/DNS Issue

Network browsing will only show devices in the same broadcast domain so you will not see devices in different subnets. Not being able to resolve hostnames, if they are internal to your office network, is likely to be incorrect DNS server(s) being passed from the office Mikrotik when the VPN connecti...
by tdw
Sat May 22, 2021 5:21 pm
Forum: General
Topic: Why AHCI Mode is not accepted in Mikroik !!! Need to Update it [SOLVED]
Replies: 4
Views: 503

Re: Why AHCI Mode is not accepted in Mikroik !!! Need to Update it [SOLVED]

Direct hardware support in the x86 is limited; it is much better to install a hypervisor on your hardware and use CHR.
by tdw
Sat May 22, 2021 12:54 am
Forum: Beginner Basics
Topic: What is L2TP Secret Tab?
Replies: 6
Views: 506

Re: What is L2TP Secret Tab?

LAC = L2TP access concentrator, LNS = L2TP network server
by tdw
Fri May 21, 2021 9:29 pm
Forum: Beginner Basics
Topic: What is L2TP Secret Tab?
Replies: 6
Views: 506

Re: What is L2TP Secret Tab?

For using the Mikrotik as an LNS, annoyingly they never implemented the LAC functionality.
by tdw
Mon May 17, 2021 7:10 pm
Forum: General
Topic: Redundancy failover ISP [SOLVED]
Replies: 13
Views: 978

Re: Redundancy failover ISP [SOLVED]

As there should be no traffic between the two external ports of the bridge, setting the same horizon value at both of them will prevent any loops and so protocol-mode can be set to none on the bridge itself. Surely that is not correct if the ISP is using VRRP, or similar, for failover as this relie...
by tdw
Mon May 17, 2021 6:54 pm
Forum: Wireless Networking
Topic: 60g new frequencies since 6.82
Replies: 46
Views: 3736

Re: 60g new frequencies since 6.82

That's my understanding, and using a licence https://www.ofcom.org.uk/manage-your-licence/radiocommunication-licences/spectrum-access-ehf which currently has not been updated to include the 57.1 to 70.875 GHz range! I have no idea how they intend communicating this requirement to people who have exi...
by tdw
Mon May 17, 2021 4:47 pm
Forum: General
Topic: Problems to reach routerboard with PPTP tunnel [SOLVED]
Replies: 8
Views: 834

Re: Problems to reach routerboard with PPTP tunnel [SOLVED]

That NAT rule will send any packets for TCP port 11500 to 192.168.3.43 (hint, you may wish to qualify the rule for packets arriving from the WAN interface or interface list, otherwise none of your LAN devices will be able to access anything on the internet using that port), however the source addres...
by tdw
Mon May 17, 2021 1:49 pm
Forum: Forwarding Protocols
Topic: 3 public IP's how to create the rules
Replies: 2
Views: 950

Re: 3 public IP's how to create the rules

The output of /export hide-sensitive would be more informative than just the current routing table. It is likely your dst-nat rule is not being hit as an earlier more generic rule is matching the packets. Assuming the ISP routes the additional subnet to you there are several methods of using the add...
by tdw
Mon May 17, 2021 5:37 am
Forum: Wireless Networking
Topic: 60g new frequencies since 6.82
Replies: 46
Views: 3736

Re: 60g new frequencies since 6.82

"I have just updated an Nray and I now have the extra channels, can the UK use these extra channels though?"

Ofcom keep on changing things... IR2078 originally covered licence exempt operation for 57.1 to 63.9 GHz, with light licensing for 64 - 66 GHz and operation above 66 GHz prohibited. As of 6 Nove...
by tdw
Sun May 16, 2021 12:41 am
Forum: General
Topic: Problems to reach routerboard with PPTP tunnel [SOLVED]
Replies: 8
Views: 834

Re: Problems to reach routerboard with PPTP tunnel [SOLVED]

I would expect 192.168.3.107 is the address of your PC; did you set arp=proxy-arp on bridge1?

The routes parameter was a separate issue I noticed.
by tdw
Sat May 15, 2021 9:33 pm
Forum: General
Topic: Problems to reach routerboard with PPTP tunnel [SOLVED]
Replies: 8
Views: 834

Re: Problems to reach routerboard with PPTP tunnel [SOLVED]

ARP only applies to IP-over-ethernet. If you overlap subnet addresses on ethernet and non-ethernet interfaces then use proxy-arp on the ethernet interface, or parent bridge if the interface is a member of a bridge, so the Mikrotik replies to ARP requests from ethernet-connected devices on behalf of th...
by tdw
Sat May 15, 2021 9:09 pm
Forum: General
Topic: why mikrotik showing the mac of different van users even that vlan does not exist in switch.??
Replies: 4
Views: 492

Re: why mikrotik showing the mac of different van users even that vlan does not exist in switch.??

The bridge will learn MAC addresses from packets arriving for any VLAN unless you specify ingress-filtering=yes , with that configuration you only filter the sfp-sfpplus1 interface. There are also a number of errors: /interface vlan entries are only required if you wish to access a VLAN by services ...
by tdw
Sat May 15, 2021 2:29 pm
Forum: General
Topic: Redundancy failover ISP [SOLVED]
Replies: 13
Views: 978

Re: Redundancy failover ISP [SOLVED]

It isn't clear where VLANs come into this as none of the description mentions them other than your last sentence; a diagram may be helpful. If the ISP is suggesting the two internet connections can simply be connected together by a switch you could configure two ports on the CCR1009 ...
by tdw
Tue May 11, 2021 1:32 pm
Forum: General
Topic: external Radius server and mikrotik ???
Replies: 7
Views: 545

Re: external Radius server and mikrotik ???

It works fine against FreeRADIUS. It could be the RADIUS server does not support the required authentication methods - the JumpCloud documentation says "JumpCloud RaaS servers offer both EAP-TTLS/PAP and PEAP (MSCHAPv2) for authentication", it doesn't indicate if it responds to requests wi...
by tdw
Mon May 10, 2021 11:10 pm
Forum: Beginner Basics
Topic: IPv6 For Internal LAN - Google Nest Protect
Replies: 2
Views: 433

Re: IPv6 For Internal LAN - Google Nest Protect

That seems to be a somewhat random requirement, any devices can use IPv6 link-local addresses for communication within a layer 2 network regardless of router settings. If the devices initially connect and work but later drop off the network a support article suggests "Set your Wi-Fi router's DH...
by tdw
Mon May 10, 2021 10:42 pm
Forum: Beginner Basics
Topic: Differences between RB with multiple switch chips [SOLVED]
Replies: 3
Views: 560

Re: Differences between CRS with multiple switch chips [SOLVED]

I'm not aware of any CRS products which have multiple switch chips. There are other devices (RB1100/RB2011/RB3011/RB4011) which do - none of these support hardware offload with VLAN-aware bridges, and there are other limitations https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#VLAN_filt...
by tdw
Mon May 10, 2021 10:28 pm
Forum: Wireless Networking
Topic: After some time, the hotspot configuration is adding "flash" to path on its own
Replies: 1
Views: 408

Re: After some time, the hotspot configuration is adding "flash" to path on its own

AFAIK the default on devices which have a separate flash/ storage path is html-directory=flash/hotspot , otherwise just html-directory=hotspot . I'm not sure why the configuration entry would first be created and subsequently changed. If you do not use the hotspot function you can disable the packag...
by tdw
Mon May 10, 2021 7:47 pm
Forum: General
Topic: MAC based vlan and guests
Replies: 4
Views: 358

Re: MAC based vlan and guests

MAC-based access control is inherently insecure - anyone can easily spoof a MAC and gain access. There are limitations using switch ACLs, only packets with the specified source MAC addresses are placed on the VLANs - packets with any other source MAC addresses, e.g. multicast, will not. Using 802.1x...
by tdw
Sun May 09, 2021 11:04 pm
Forum: Virtualization
Topic: CHR DHCP FIrewall bug?
Replies: 3
Views: 1121

Re: CHR DHCP FIrewall bug?

It is not Mikrotik specific, it likely affects most linux-based systems. With BOOTP, and subsequently DHCP, a client sends requests to UDP port 67 on a server, and the server sends responses to the client using UDP port 68 - AFAIK this methodology was to prevent messages being inappropriately rebroa...
by tdw
Sun May 09, 2021 4:32 pm
Forum: Virtualization
Topic: CHR DHCP FIrewall bug?
Replies: 3
Views: 1121

Re: CHR DHCP FIrewall bug?

It is expected behaviour - the DHCP server uses raw sockets which receive this traffic before it reaches the IP firewall.
by tdw
Sat May 08, 2021 2:28 am
Forum: General
Topic: Mikrotik Audience vlan filtering and dhcp issues [SOLVED]
Replies: 6
Views: 612

Re: Mikrotik Audience vlan filtering and dhcp issues [SOLVED]

As you are setting the pvid= for the wlan interfaces under /interface bridge port you should not also set vlan-mode=use-tag under /interface wireless - either create untagged wireless interfaces and set a PVID for the bridge port, or create a tagged wireless interface and make them a tagged bridge V...
by tdw
Fri May 07, 2021 9:11 pm
Forum: Beginner Basics
Topic: ISP switched to Mikrotik 1009
Replies: 5
Views: 757

Re: ISP switched to Mikrotik 1009

In the 'Custom RADIUS attributes' box. You still have to specify the primary address by selecting 'IP address mode CPE: Static IP' and entering an address. There are two methods, you can either use 'Framed-IP-Netmask' to specify a netmask which will be applied to the primary address e.g. for a /30 i...
by tdw
Thu May 06, 2021 5:34 pm
Forum: General
Topic: [SOLVED] IPv6 TunnelBroker route issue
Replies: 3
Views: 314

Re: IPv6 TunnelBroker route issue

There should not be a need to specify the prefix under /ipv6 nd prefix , normally these are dynamically added based on the interface address. Nothing obvious, as you can ping the HE gateway [2001:470:aaaa:26::1] from your LAN clients routing is working - have you tried an online traceroute to 2001:4...
by tdw
Thu May 06, 2021 2:18 pm
Forum: General
Topic: Erroneous DNS packets down PPPoE interfaces [SOLVED]
Replies: 2
Views: 381

Re: Erroneous DNS packets down PPPoE interfaces [SOLVED]

Do you have the /interface detect-internet feature configured? If so, set all of the entries to none.
by tdw
Thu May 06, 2021 2:11 pm
Forum: Beginner Basics
Topic: ISP switched to Mikrotik 1009
Replies: 5
Views: 757

Re: ISP switched to Mikrotik 1009

Presumably the second /24 is routed to you, and you drop or reject any unused addresses to prevent routing loops.

With PPPoE there is no need for VLANs to provide multiple addresses - if using RADIUS include a Framed-Route attribute to forward whatever sized subnet to the client.
by tdw
Wed May 05, 2021 5:24 pm
Forum: General
Topic: Guest VLAN issues
Replies: 8
Views: 522

Re: Guest VLAN issues

That would only filter packets using the 0x88a8 ethertype for tagging; UniFi uses regular 802.1Q 0x8100.
by tdw
Wed May 05, 2021 4:59 pm
Forum: General
Topic: One IP per VLAN
Replies: 15
Views: 942

Re: One IP per VLAN

It appears the Mikrotik DHCP server implementation is not up to using the option 82 information, despite elsewhere being able to add the option to bridged (using DHCP snooping) and routed (using DHCP relay) traffic - you could use a more capable DHCP server to handle the requests directly, or a RADI...
by tdw
Wed May 05, 2021 4:38 pm
Forum: General
Topic: Guest VLAN issues
Replies: 8
Views: 522

Re: Guest VLAN issues

Removing vlan-filtering=yes makes the bridge act as an unmanaged switch so any VLAN-tagged traffic can egress from all ports, usually undesirable.
by tdw
Wed May 05, 2021 4:21 pm
Forum: General
Topic: Guest VLAN issues
Replies: 8
Views: 522

Re: Guest VLAN issues

Nothing immediately obvious, changing the MTU under /interface vlan is unnecessary and may cause other issues. Have you tried connecting the UniFi AP directly to the Mikrotik via a PoE injector to rule out configuration of the Netgear switch? The add action=drop chain=input comment="defconf: d...
by tdw
Thu Apr 29, 2021 8:24 pm
Forum: General
Topic: One IP per VLAN
Replies: 15
Views: 942

Re: One IP per VLAN

"We want to control what IP gets handed out by what vlan the switch port is in."

That is not what VLANs are intended for. If you have multiple clients sharing the same subnet and want to assign an IP address based on switch port, rather than MAC address (so you do not have to know what the client equ...
by tdw
Thu Apr 29, 2021 7:19 pm
Forum: General
Topic: One IP per VLAN
Replies: 15
Views: 942

Re: One IP per VLAN

Why separate VLANs? If you are using one subnet you can only have one DHCP server serving it, there are other ways of isolating clients within layer 2 networks e.g. bridge filtering, port isolation.
by tdw
Wed Apr 28, 2021 2:33 pm
Forum: Beginner Basics
Topic: Advanced VLANs on Switch chip and Brige
Replies: 7
Views: 840

Re: Advanced VLANs on Switch chip and Brige

If the performance of the vlan-aware bridges is sufficient then leave things as they are, otherwise you could look at converting some to use hardware switching. As mentioned previously hardware switching with hybrid ports is supported only by some gigabit switch chips (QCA8337, Atheros8327), it is no...
by tdw
Mon Apr 26, 2021 4:41 pm
Forum: Beginner Basics
Topic: mikrotik client radius server2019
Replies: 8
Views: 909

Re: mikrotik client radius server2019

If the firewall is active and blocking RADIUS requests it does point to something missing from the NPS configuration - there may be something extra required on Server2019 compared with earlier versions. As it isn't Mikrotik-specific it would be better to find a Windows forum covering third-party de...
by tdw
Mon Apr 26, 2021 4:38 pm
Forum: General
Topic: Routes to multiple addresses
Replies: 5
Views: 557

Re: Routes to multiple addresses

No. As you have a layer 2 network using OpenVPN TAP then it is a single broadcast domain and the usual IP-over-ethernet mechanisms apply, e.g. ARP to discover the MAC address associated with a particular IP address. You could do something hacky with bridge filters to block broadcast/multicast as req...
by tdw
Mon Apr 26, 2021 4:15 pm
Forum: Beginner Basics
Topic: mikrotik client radius server2019
Replies: 8
Views: 909

Re: mikrotik client radius server2019

There is nothing in the RADIUS specification which insists on the source port being fixed; as with many other protocols the client OS can pick an available port.

If you are seeing drop messages from the Windows firewall you have not disabled it as you claimed to have done in the previous post.
by tdw
Sun Apr 25, 2021 5:48 pm
Forum: Beginner Basics
Topic: MAC VLAN on CRS354-48G
Replies: 18
Views: 1430

Re: MAC VLAN on CRS354-48G

Whilst switch rules would map unicast traffic to specific VLANs any broadcast/multicast traffic would not be, likely breaking things. As you are using OPNsense which appears to support RADIUS https://docs.opnsense.org/manual/how-tos/freeradius.html you have everything needed to implement 802.1x http...
by tdw
Sun Apr 25, 2021 5:05 pm
Forum: Beginner Basics
Topic: Port forwarding dst-nat on 2nd WAN
Replies: 17
Views: 1267

Re: Port forwarding dst-nat on 2nd WAN

The IPv6 rules appear to be the default, and as there is no other IPv6 configuration likely that the IPv6 package is enabled but not used. Not having any IPv4 firewall rules is really bad, especially as the DNS server allows remote requests so can be used in UDP amplification attacks. Going back to ...
by tdw
Sun Apr 25, 2021 4:49 pm
Forum: Beginner Basics
Topic: Filter by MAC addrss on ethernet ports [SOLVED]
Replies: 1
Views: 388

Re: Filter by MAC addrss on ethernet ports [SOLVED]

You could use bridge filters to block unknown unicast MAC addresses, but it soon gets unwieldy for many addresses and will use CPU resources checking every packet against multiple rules. Alternatively you could only assign DHCP addresses for known MAC addresses instead of having a general pool. Both...
by tdw
Sun Apr 25, 2021 4:30 pm
Forum: General
Topic: Routes to multiple addresses
Replies: 5
Views: 557

Re: Routes to multiple addresses

Routes are selected by netmask so the granularity is by increasing powers of 2, however it is possible to use routing marks and lookups in alternate routing tables in specific scenarios. Unless you are using EoIP or BCP to create layer2 (ethernet) VPN connections broadcasts are irrelevant, they will...
by tdw
Fri Apr 23, 2021 7:55 pm
Forum: Beginner Basics
Topic: Advanced VLANs on Switch chip and Brige
Replies: 7
Views: 840

Re: Advanced VLANs on Switch chip and Brige

Rsw1-1 has no default route, so can only communicate with addresses in the 10.129.33.16/29 subnet. You could add
/ip route
add distance=1 gateway=10.129.33.17
by tdw
Thu Apr 22, 2021 9:50 pm
Forum: Beginner Basics
Topic: Advanced VLANs on Switch chip and Brige
Replies: 7
Views: 840

Re: Advanced VLANs on Switch chip and Brige

Other than CRS3xx devices you can either use a VLAN-aware bridge without hardware switching, or a regular bridge with hardware switching. The VLAN-aware bridge method is more straightforward and common across devices, however bridged traffic uses the CPU and may be a limiting factor on lower-powered...
by tdw
Wed Apr 21, 2021 10:18 pm
Forum: General
Topic: Config VLan and trunk between RB4011 router and CRS328 Switch (Running RouteOS)
Replies: 26
Views: 1850

Re: Config VLan and trunk between RB4011 router and CRS328 Switch (Running RouteOS)

"Is this the configuration that needs to rely on the switch CPU, not the switch chip? I looked at many articles which said it is preferable to use bridge VLAN filtering to set up VLANs. BTW, to me, the Mikrotik is very, very complicated. To set up VLANs and a trunk, it looks to me like there are 3 options. 1. Setup in switch tab ...
by tdw
Wed Apr 21, 2021 5:10 pm
Forum: Beginner Basics
Topic: Can't get VLAN network work as I need (Confusion)
Replies: 3
Views: 557

Re: Can't get VLAN network work as I need (Confusion)

You have not indicated which Mikrotik models you are using. The capabilities and how you configure them differ significantly so your partial configurations may be inappropriate - in particular fast ethernet (10/100Mbit) switch chips do not support hybrid ports, and not all have SFP ports connected t...
by tdw
Tue Apr 20, 2021 8:13 pm
Forum: Beginner Basics
Topic: Routing configuration
Replies: 7
Views: 718

Re: Routing configuration

Using VLAN 1 is fine as long as you are aware of the limitations. Some manufacturers require their device management to be untagged so needing "hybrid" ports, others artificially restrict VLAN 1 to be untagged only. The IP addresses and DHCP pool address ranges are perfectly OK for /22 sub...
by tdw
Mon Apr 19, 2021 2:42 am
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2229

Re: CRS317-1G-16S+ High CPU lead to drop packet

Your posted configuration does not agree with that statement.
by tdw
Sun Apr 18, 2021 10:16 pm
Forum: General
Topic: Load Balance Multiple ISP connection
Replies: 3
Views: 381

Re: Load Balance Multiple ISP connection

"Also to eliminate the PON devices, will use a single switch with SFP ports."

That will only work with active PON SFPs which handle all of the PON framing, authentication, encoding, etc. presenting a 1000BASE-X interface to the Mikrotik. Dumb PON SFPs which only contain the optical-electrical convers...
by tdw
Sun Apr 18, 2021 2:44 pm
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2229

Re: CRS317-1G-16S+ High CPU lead to drop packet

Anything using the WiFi_Data or WiFi_Guest CAPsMAN datapath does not use local forwarding, so the traffic to/from clients using them will be handled by the CPU in the CRS.
by tdw
Sun Apr 18, 2021 2:40 am
Forum: General
Topic: Config VLan and trunk between RB4011 router and CRS328 Switch (Running RouteOS)
Replies: 26
Views: 1850

Re: Config VLan and trunk between RB4011 router and CRS328 Switch (Running RouteOS)

I've not been through the configs in detail, but on the router
/interface bridge vlan
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=10
add bridge=Bridge tagged=sfp-sfpplus1 vlan-ids=50
should be
/interface bridge vlan
add bridge=Bridge tagged=Bridge,sfp-sfpplus1 vlan-ids=10
add bridge=Bridge tagged...
by tdw
Tue Apr 13, 2021 7:11 pm
Forum: Beginner Basics
Topic: What's is VLAN Filtering bridge option [SOLVED]
Replies: 3
Views: 537

Re: What's is VLAN Filtering bridge option [SOLVED]

When VLAN filtering is not enabled on the bridge it behaves like an unmanaged switch - packets with any ethertype, including 802.1Q VLANs, are forwarded to all* ports.

(* - based on the usual learnt MAC address forwarding table)
by tdw
Tue Apr 13, 2021 2:05 am
Forum: Beginner Basics
Topic: Accessing clients / servers across different VLANs (printer, USB server, NAS, ...)
Replies: 5
Views: 892

Re: Accessing clients / servers across different VLANs (printer, USB server, NAS, ...)

"In my opinion you don't need to delineate ports or protocols of that access as I don't think the printer can do much harm."

Printers make a great jumping-off point for network infiltration - printers and their network interface cards are often long-lived and are either no longer supported by the manuf...
by tdw
Sun Apr 11, 2021 4:49 pm
Forum: Beginner Basics
Topic: Mikrotik Switch - it is not a switch?
Replies: 30
Views: 2383

Re: Mikrotik Switch - it is not a switch?

Any port can be untagged for at most one VLAN, unfortunately the Mikrotik user interface does not enforce this so you can create nonsensical configurations. If you are trying to isolate your two customers who are sharing the same public subnet from the ISP then you should be looking at port isolatio...
by tdw
Thu Apr 08, 2021 9:20 pm
Forum: General
Topic: VLAN setup for CCR1016 and CRS226
Replies: 14
Views: 1114

Re: VLAN setup for CCR1016 and CRS226

You could but it isn't worth it: The various client devices would require static routes to the VLAN IP addresses on the CRS as they will send all traffic not destined for their subnet to their gateway address on the CCR. You can easily end up with firewall issues stemming from triangular routes. As ...
by tdw
Wed Apr 07, 2021 4:37 pm
Forum: General
Topic: VPN client get reserved IP address for another client
Replies: 1
Views: 192

Re: VPN client get reserved IP address for another client

DHCP server is not used for VPN address assignments - PPP-like protocols (L2TP, PPTP, SSTP) use network control protocols (NCP) to establish the protocol parameters, in this case Internet Protocol Control Protocol (IPCP) for IP address and gateway. Mikrotik IP pools can be used by various different ...
by tdw
Mon Apr 05, 2021 11:21 pm
Forum: Wireless Networking
Topic: set PVID of WDS dynamic interface? and wireless clients with a vlan-aware bridge
Replies: 6
Views: 1650

Re: set PVID of WDS dynamic interface? and wireless clients with a vlan-aware bridge

I raised a ticket last month as this also affects PPP-like interfaces (L2TP/PPTP/SSTP) when using BCP. The reply was "Unfortunately, such an option is not supported. We will see if this could be added in future RouterOS releases, but I cannot promise that it will be implemented." Do you ne...
by tdw
Mon Apr 05, 2021 7:31 pm
Forum: Beginner Basics
Topic: VLAN Filter - how do ingress and egress rules work?
Replies: 16
Views: 1377

Re: VLAN Filter - how do ingress and egress rules work?

I tend to avoid Cisco stuff, my understanding (which may be incorrect) for their interfaces is: Access ports are untagged. Trunk ports with no native VLAN are tagged only. Trunk ports with a native VLAN are hybrid, you can have differing native VLANs on different interfaces. Both Cisco and Mikroti...
by tdw
Fri Apr 02, 2021 3:50 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 42
Views: 2920

Re: port 53 open despite firewall rules

Most likely the interface you are scanning through is not a member of the WAN interface list, just conjecture without seeing the configuration.
by tdw
Fri Apr 02, 2021 2:44 am
Forum: Beginner Basics
Topic: A little help with VLANs - CRS328
Replies: 10
Views: 1088

Re: A little help with VLANs - CRS328

Difficult to say what the problem is without the 4011 configuration.
by tdw
Fri Apr 02, 2021 2:42 am
Forum: Beginner Basics
Topic: Dual WAN and bridges [SOLVED]
Replies: 7
Views: 815

Re: Dual WAN and bridges [SOLVED]

In that case pfSense will be doing bridge filtering, not routing filtering. The FreeBSD PF code used by pfSense is different to Linux netfilter as used in the Mikrotik - the bridge filtering is non-stateful, although bridged IP traffic can be forced to pass through the IP firewall chains if necessar...
by tdw
Thu Apr 01, 2021 6:29 pm
Forum: Beginner Basics
Topic: A little help with VLANs - CRS328
Replies: 10
Views: 1088

Re: A little help with VLANs - CRS328

If the trunk port on the 4011 is a member of a bridge then /interface vlan items should refer to the bridge, not the individual port, with a similar VLAN-aware bridge setup as on the CRS. A bridge has two roles - it is both like a switch connecting various ethernet ports together, and also like an ...
by tdw
Thu Apr 01, 2021 5:34 pm
Forum: Beginner Basics
Topic: A little help with VLANs - CRS328
Replies: 10
Views: 1088

Re: A little help with VLANs - CRS328

CRS devices are intended to be L2 switches with some L3 functionality, but NOT wire-speed L3 routing/firewalling as they are performance-limited by the CPU (RouterOS v7, currently in beta, will provide L3 hardware offloading on some CRS3xx devices). So it is best to use the CRS just for switching VL...
by tdw
Thu Apr 01, 2021 3:42 pm
Forum: Beginner Basics
Topic: Dual WAN and bridges [SOLVED]
Replies: 7
Views: 815

Re: Dual WAN and bridges [SOLVED]

"'you can't have the same IP network on both sides of a router' - isn't this exactly what a bridge makes work? So I can have the same IP network on both sides."

No. Bridges handle layer2, routers handle layer3. Transparent IP filtering is possible, but rather a niche use case, and not possible ...
by tdw
Thu Apr 01, 2021 12:52 pm
Forum: General
Topic: Join interface to VPN pool
Replies: 7
Views: 561

Re: Join interface to VPN pool

Yes, although it doesn't have to be the same pool, just the same subnet.
by tdw
Thu Apr 01, 2021 12:42 pm
Forum: Beginner Basics
Topic: Dual WAN and bridges [SOLVED]
Replies: 7
Views: 815

Re: Dual WAN and bridges [SOLVED]

You have a number of conflicting statements regarding bridging and routing - you can't have the same IP network on both sides of a router, for example. Also CRS devices are intended to be L2 switches with some L3 functionality, but NOT wire-speed L3 routing/firewalling as they are performance-limited by...
by tdw
Mon Mar 29, 2021 3:00 pm
Forum: General
Topic: Join interface to VPN pool
Replies: 7
Views: 561

Re: Join interface to VPN pool

For Windows you can add persistent routes to a VPN connection with a PowerShell command, you could probably come up with a setup script which creates a VPN connection and adds the routes. Also for Windows you can configure VPN connections to add a class-based route instead of a default route if you ...
by tdw
Mon Mar 29, 2021 1:48 pm
Forum: General
Topic: Join interface to VPN pool
Replies: 7
Views: 561

Re: Join interface to VPN pool

You can't add layer 3 / IP interfaces to a layer 2 / ethernet bridge, proxy-arp is the workaround when the VPN addresses overlap with the subnet on the layer 2 interface or bridge. The more common way is to use different subnets for the local network and remote VPN connections, then let normal IP ro...
by tdw
Mon Mar 29, 2021 5:23 am
Forum: General
Topic: Join interface to VPN pool
Replies: 7
Views: 561

Re: Join interface to VPN pool

It may be your use of terminology but normally you would have a local subnet with one or more interfaces attached, then have an IP pool containing a range of the addresses from that subnet which can be assigned to VPN connections. As anything directly attached to the local subnet assumes that everyt...
by tdw
Wed Mar 24, 2021 10:11 pm
Forum: RouterOS v7 BETA
Topic: OSPF Cost
Replies: 4
Views: 1106

Re: OSPF Cost

Per interface under /routing ospf interface (or Routing > OSPF on the Interface tab in Winbox)
by tdw
Mon Mar 22, 2021 8:40 pm
Forum: Beginner Basics
Topic: mikrotik client radius server2019
Replies: 8
Views: 909

Re: mikrotik client radius server2019

The "radius timeout" message in the log implies either a problem with the RADIUS traffic between Mikrotik and Windows server caused by firewalling and/or routing, or NPS is incorrectly configured. Obviously you can't authenticate CHAP against AD either, only PAP or MSCHAPv2.
by tdw
Mon Mar 22, 2021 4:40 pm
Forum: Beginner Basics
Topic: Vlaning [SOLVED]
Replies: 12
Views: 1536

Re: Vlaning [SOLVED]

You haven't provided a diagram of your setup and how you would like it to work. With multiple network interfaces on devices you often end up with triangular routes, traffic in one direction goes via a third device, e.g. A -> B but B -> C -> A, firewall connection tracking can see these incomplete co...
by tdw
Sun Mar 21, 2021 1:35 pm
Forum: Beginner Basics
Topic: Vlaning [SOLVED]
Replies: 12
Views: 1536

Re: Vlaning [SOLVED]

Yes. Many old guides refer to ether2 which was applicable when using the old master-port switch configuration in RouterOS 6.40.x and earlier. With current versions you should use the bridge, the interface aspect of the bridge is the CPU end of the connection to the switch1-cpu port of the switch chip.
by tdw
Sun Mar 21, 2021 4:21 am
Forum: General
Topic: CRS328 Bonding With Vlan Filtering
Replies: 4
Views: 569

Re: CRS328 Bonding With Vlan Filtering

It all depends on the destination MAC and IP addresses of your traffic in each direction. There should not be a problem with layer-2-and-3 , did you change the setting at both ends? If the traffic is not suited to distribution over the lanes with either layer-2 or layer-2-and-3 you could try using m...
by tdw
Sun Mar 21, 2021 4:10 am
Forum: Beginner Basics
Topic: Vlaning [SOLVED]
Replies: 12
Views: 1536

Re: Vlaning [SOLVED]

The /interface vlan entries are still incorrectly attached to ether2.
by tdw
Sun Mar 21, 2021 2:15 am
Forum: General
Topic: CRS328 Bonding With Vlan Filtering
Replies: 4
Views: 569

Re: CRS328 Bonding With Vlan Filtering

This is a limitation of bonded interfaces in general, not Mikrotik specifically. The lane of the bond used is determined by transmit-hash-policy, the default is layer-2 so all traffic will use the same lane for one destination MAC address. Changing to layer-2-and-3 only uses the same lane for one d...
by tdw
Sat Mar 20, 2021 8:12 pm
Forum: Beginner Basics
Topic: Vlaning [SOLVED]
Replies: 12
Views: 1536

Re: Vlaning [SOLVED]

OK, if you are using hardware VLAN switching see https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-SetupExamples and https://wiki.mikrotik.com/wiki/Manual:Switch_Router . I can't comment on the video (I'm not going to waste time watching it), but many third-party vid...
by tdw
Sat Mar 20, 2021 5:36 pm
Forum: Beginner Basics
Topic: Set up RB fiber router with L2TP
Replies: 7
Views: 659

Re: Set up RB fiber router with L2TP

If the VPN clients are assigned IP addresses from the same subnet as the local LAN proxy ARP is required - the Mikrotik then responds with its own MAC address in response to ARP requests from the local LAN. If the VPN clients are assigned IP addresses from a completely different subnet the problem i...
by tdw
Sat Mar 20, 2021 12:35 am
Forum: Beginner Basics
Topic: Vlaning [SOLVED]
Replies: 12
Views: 1536

Re: Vlaning [SOLVED]

There is a good primer on Mikrotik VLANs viewtopic.php?t=143620 and there are skeleton examples in the help pages https://help.mikrotik.com/docs/display/ ... NFiltering
by tdw
Fri Mar 19, 2021 6:44 pm
Forum: General
Topic: EAP-TTLS and EAP Identity
Replies: 7
Views: 659

Re: EAP-TTLS and EAP Identity

Sending a username in an Access Accept to the NAS may be supported by some NAS but it is not mandated in the RFCs, see https://tools.ietf.org/html/rfc2865#page-63, and not supported by Mikrotik https://wiki.mikrotik.com/wiki/Manual:R ... ess-Accept
by tdw
Thu Mar 18, 2021 10:51 pm
Forum: General
Topic: No access to MT after WinBox reset
Replies: 16
Views: 799

Re: No access to MT after WinBox reset

It depends if you configure the wireless connection on the pi to have a default gateway, or indeed IP address if you are going to use MAC access. You could probably run something along the lines of sleep 120; reboot & on the pi so any volatile configuration changes, i.e. just issuing direct comm...
by tdw
Thu Mar 18, 2021 5:04 pm
Forum: General
Topic: No access to MT after WinBox reset
Replies: 16
Views: 799

Re: No access to MT after WinBox reset

Is it a wAP? It is a while since I used one but I recall that they can only be configured via the WiFi connection (this may be different in newer firmware). It depends if you select 'No default configuration' or not in the device reset process. As the device is acquiring an address via DHCP it would...
by tdw
Thu Mar 18, 2021 4:10 pm
Forum: General
Topic: No access to MT after WinBox reset
Replies: 16
Views: 799

Re: No access to MT after WinBox reset

The firewall in the default configuration blocks all access via the WAN port to the Mikrotik itself.
by tdw
Wed Mar 17, 2021 3:47 am
Forum: General
Topic: PPPoE and Filter-Id
Replies: 3
Views: 378

Re: PPPoE and Filter-Id

Although all of the rules are listed in one table each chain is distinct, and is traversed as shown here https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6#Diagram . The action being called jump is slightly misleading, it is more akin to call or jump to subroutine. It is best practice to position th...
by tdw
Mon Mar 15, 2021 4:25 pm
Forum: Beginner Basics
Topic: Two mikrotik routers conflict in same network, why???
Replies: 19
Views: 1570

Re: Two mikrotik routers conflict in same network, why???

Even with fresh versions of ROS, reset configuration sets internal IP to bridge, BUT QuickSet sets internal IP to ether2. I have never figured out the real reason.
Supposedly fixed in 6.48, from the changelog
*) quickset - fixed local IP address setting on master interface;
by tdw
Mon Mar 15, 2021 4:09 pm
Forum: General
Topic: PPPoE and Filter-Id
Replies: 3
Views: 378

Re: PPPoE and Filter-Id

You need /ip firewall filter add chain=forward action=jump jump-target=ppp and possibly /ip firewall filter add chain=input action=jump jump-target=ppp depending on what firewalling you wish to do. Without this the dynamic rules added to the ppp chain are never processed. This mechanism is rather ol...
by tdw
Mon Mar 08, 2021 6:58 pm
Forum: General
Topic: Bridge itself = always untagged
Replies: 3
Views: 457

Re: Bridge itself = always untagged

I am unable to add the Bridge itself under /interface bridge port A typo in my post, I should have said "adding the bridge to the tagged= port list in the statements under /interface bridge vlan " not ... /interface bridge port If I set the Bridge as tagged VID100 under /interface bridge ...
by tdw
Mon Mar 08, 2021 2:27 pm
Forum: General
Topic: Bridge itself = always untagged
Replies: 3
Views: 457

Re: Bridge itself = always untagged

A bridge has two roles - it is both like a switch connecting various ethernet ports together, and also like an ethernet port to pass traffic to services on the Mikrotik itself. Somewhat confusingly the settings for both of these roles are made under /interface bridge - the frame-types, ingress-fil...
by tdw
Mon Mar 08, 2021 2:16 pm
Forum: General
Topic: Open ftp only for WAN-IP-range [SOLVED]
Replies: 12
Views: 863

Re: Open ftp only for WAN-IP-range [SOLVED]

Given how buggy various NAS appliances seem to be, and that regular FTP sends your credentials in plaintext which anyone can snoop, allowing access from even some of the internet is a bad idea - using a VPN would help.
by tdw
Sat Mar 06, 2021 8:16 pm
Forum: Beginner Basics
Topic: Weird LTE and ADSL setup, is it possible?
Replies: 9
Views: 805

Re: Weird LTE and ADSL setup, is it possible?

Source address. You can further qualify by protocol and port, for example you could mark the destination ports for mail submission / POP3 / IMAP to use one WAN, and remaining services to use the other.
by tdw
Sat Mar 06, 2021 5:26 pm
Forum: Beginner Basics
Topic: Weird LTE and ADSL setup, is it possible?
Replies: 9
Views: 805

Re: Weird LTE and ADSL setup, is it possible?

It depends on the device provided - often they are crippled by the ISP and cannot operate as just a modem so you have to use them in router mode. However this does mean double NAT (although often not a problem these days) and makes loss of connectivity detection for failover more difficult. For ADSL...
by tdw
Fri Mar 05, 2021 8:01 pm
Forum: RouterBOARD hardware
Topic: How change outgoing-voltage on rs232 on a Routerboard
Replies: 3
Views: 954

Re: How change outgoing-voltage on rs232 on a Routerboard

The RS232 standards specify a voltage between +3 and +15v for the space (low) state, -3 and -15v for the mark (high) state. Additionally inputs have to withstand +/- 25v, and outputs being shorted to ground. So the Routerboard output is within specifications, it is likely that your Modbus interface ...
by tdw
Fri Mar 05, 2021 7:30 pm
Forum: General
Topic: VLAN setup for CCR1016 and CRS226
Replies: 14
Views: 1114

Re: VLAN setup for CCR1016 and CRS226

AFAIK that refers to private VLANs which are different to 802.1Q virtual LANs, the latter are what most people are referring to as VLANs.

The switch chip in CRS1xx/2xx devices can be programmed to do either, and also protocol or MAC-based VLANs neither of which are particularly common these days.
by tdw
Fri Mar 05, 2021 6:28 pm
Forum: General
Topic: router for fiber internet + wifi AC speeds question
Replies: 8
Views: 863

Re: router for fiber internet + wifi AC speeds question

That SFP appears to be a generic 1000BASE-BX10 device with TX 1490nm / RX 1310nm so should work in Mikrotik's SFP ports. Until that particular combination is tested there is always a small possibility of an incompatibility due to differing interpretations of the standards. The original hAP AC does no...
by tdw
Fri Mar 05, 2021 5:46 pm
Forum: General
Topic: VLAN setup for CCR1016 and CRS226
Replies: 14
Views: 1114

Re: VLAN setup for CCR1016 and CRS226

Or other methods as mentioned here https://wiki.mikrotik.com/wiki/Manual:C ... s_examples
Yes, for the CRS226 to retain wire-speed switching. As the CCR1016 doesn't have a hardware switch just use the usual VLAN-aware bridge setup for that.
by tdw
Fri Mar 05, 2021 5:10 pm
Forum: General
Topic: Mikrotik Dynamic VLAN
Replies: 2
Views: 374

Re: Mikrotik Dynamic VLAN

There are a number of serious errors with the bridge setup: You should not include any /interface vlan objects in the /interface bridge vlan settings. You are attempting to use the bridge-to-CPU interface as untagged (with /interface bridge add name=EAP-BRIDGE pvid=99 vlan-filtering=yes ) and tagged ...
by tdw
Fri Mar 05, 2021 4:51 pm
Forum: General
Topic: What is IP SOCKS ? I got hacked and they open this
Replies: 14
Views: 4766

Re: What is IP SOCKS ? I got hacked and they open this

Yes, there were some well publicised vulnerabilities allowing remote unauthenticated access on devices which did not have firewall rules to restrict remote administrative access. It is good practice to only allow remote administrative access from a few known IP addresses, or better still via a VPN c...
by tdw
Fri Mar 05, 2021 4:40 pm
Forum: General
Topic: Can't get IPv6 SLAAC on router under another router
Replies: 4
Views: 532

Re: Can't get DHCPv6 on router under another router

Your other devices are likely using SLAAC to set their addresses. The Mikrotik DHCPv6 server implementation will not hand out addresses, only prefix and/or other configuration. Without the DHCP server or ND configuration it is difficult to say what is wrong.
by tdw
Wed Mar 03, 2021 2:40 pm
Forum: Beginner Basics
Topic: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Replies: 14
Views: 1083

Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions

Not good. /ip address and /interface vlan objects should not be attached to interfaces which are a member of a bridge, but the bridge itself. What interface is MGMT - there is nothing which creates an interface with this name, or renames an existing interface to this. You have two default routes wit...
by tdw
Tue Mar 02, 2021 8:18 pm
Forum: General
Topic: Firmware 6.48.1 with Gigaset VoIP
Replies: 3
Views: 448

Re: Firmware 6.48.1 with Gigaset VoIP

by tdw
Tue Mar 02, 2021 7:24 pm
Forum: Beginner Basics
Topic: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions
Replies: 14
Views: 1083

Re: CCR2004 Beginner inter-VLAN Routing and upstream LAN questions

You cannot route VLANs - they are ethernet / layer2, IP routing is layer 3.

Attaching an /ip address to an /interface vlan on an interface (or bridge containing one or more interfaces) will automatically create static routes for those address subnets.
by tdw
Mon Mar 01, 2021 8:22 pm
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2229

Re: CRS317-1G-16S+ High CPU lead to drop packet

Also the OP only provided CPU utilisation for one core. AFAIK not all processes utilise multiple CPU cores well.
by tdw
Mon Mar 01, 2021 2:11 pm
Forum: General
Topic: Winbox to remote router over L2TP/IPsec [SOLVED]
Replies: 12
Views: 629

Re: Winbox to remote router over L2TP/IPsec [SOLVED]

Just as an aside, the rule add action=accept chain=input comment="accept L2TP" dst-port=1701 protocol=udp also permits access to the L2TP server for traffic which is not encapsulated with IPsec. Whilst the L2TP server should reject these if use-ipsec=require is specified, you can definitiv...
by tdw
Mon Mar 01, 2021 1:49 pm
Forum: General
Topic: CRS317-1G-16S+ High CPU lead to drop packet
Replies: 28
Views: 2229

Re: CRS317-1G-16S+ High CPU lead to drop packet

CRS devices are intended to be L2 switches with some L3 functionality, such as providing DHCP, but NOT wire-speed L3 routing/firewalling as they are performance-limited by the CPU. If you use CAPsMAN manager forwarding it imposes a significant CPU load on the CAPsMAN controller, so with a CRS as the con...
by tdw
Sun Feb 28, 2021 2:49 am
Forum: Beginner Basics
Topic: Bridge VLANs on RB4011iGS+RM
Replies: 6
Views: 598

Re: Bridge VLANs on RB4011iGS+RM

I got confused by the fact that you can add multiple VLAN IDs under one entry. It makes much more sense now. You can, and it is fine if you have a large collection of the same VLANs on several tagged interfaces. However, if you wish to have differing sets of VLANs on the interfaces you should creat...
by tdw
Sat Feb 27, 2021 3:02 am
Forum: Beginner Basics
Topic: Bridge VLANs on RB4011iGS+RM
Replies: 6
Views: 598

Re: Bridge VLANs on RB4011iGS+RM

- Once I enable Bridge VLAN filtering, the IP address set on the bridge is ignored? So far it seems like it is, but it's not marked as invalid in /ip address The implicit bridge-to-CPU port can be configured as an access, trunk or hybrid port, just as with any other bridge ports. An IP address on t...
by tdw
Fri Feb 26, 2021 6:50 pm
Forum: Beginner Basics
Topic: Simple setup as AP - ping from LAN fails
Replies: 2
Views: 264

Re: Simple setup as AP - ping from LAN fails

Change the hAP IP address to be in the subnet provided by the router (so 192.168.1.x, not the Mikrotik default of 192.168.88.x)
by tdw
Fri Feb 26, 2021 3:53 pm
Forum: Beginner Basics
Topic: PC can not reach internet, router can.
Replies: 9
Views: 787

Re: PC can not reach internet, router can.

So the linux VM can successfully ping 192.168.1.1?

What has the address 192.168.1.5 - if it is the linux VM have you configured a default route?
by tdw
Thu Feb 25, 2021 11:52 pm
Forum: Beginner Basics
Topic: VLAN & Trunk on CRS354 & other questions
Replies: 4
Views: 501

Re: VLAN & Trunk on CRS354 & other questions

Well, when I do a 'remove' command in /int bri port mode and delete 0,1,2 which are respectively interfaces mgt,eth1,eth2. Now eth3,4,5... start and 0,1,2 it's very frustrating. I'd rather always look for the same numbers eg. MGT = 49 not 0... Basically the physical definitions don't change, but the...
by tdw
Thu Feb 25, 2021 9:50 pm
Forum: Beginner Basics
Topic: VLAN & Trunk on CRS354 & other questions
Replies: 4
Views: 501

Re: VLAN & Trunk on CRS354 & other questions

-Under "/interface bridge vlan" do I really have to list all 40 ports as untagged? [vice-versa, do I really need to list every tagged port for every untagged port?] No. The untagged membership will be dynamically generated from the pvid= settings under /interface bridge port -Why do the int...
by tdw
Thu Feb 25, 2021 4:15 pm
Forum: General
Topic: Simple HE 6to4 tunnel can Tx but not Rx [SOLVED]
Replies: 6
Views: 642

Re: Simple HE 6to4 tunnel can Tx but not Rx [SOLVED]

I use HE based on the example configuration without any issues, currently on 6.47.9 (long-term). I don't have any specific input firewall rules for the IPv4 encapsulated tunnel packets - the input chain established,related rule permits inbound tunnel traffic once outbound traffic has established a c...
by tdw
Thu Feb 25, 2021 2:28 pm
Forum: Beginner Basics
Topic: Simple VLAN fails....
Replies: 8
Views: 630

Re: Simple VLAN fails....

I thought Vlan 1 is the VLAN for all untagged packages? Untagged traffic by its very nature has no VLAN ID. Many vendors use a default of adding VLAN ID 1 tags to untagged traffic on ingress and removing them on egress if their device does not support untagged packets internally. The switch chip in...
by tdw
Wed Feb 24, 2021 7:10 pm
Forum: Beginner Basics
Topic: Bridge VLANs on RB4011iGS+RM
Replies: 6
Views: 598

Re: Bridge VLANs on RB4011iGS+RM

The guide mentioned by @anav and the wiki/help pages are a good start, in general random blogs/videos found on the web tend to use obsolete methods, less than optimal, or wrong. - A physical interface (ether10 in my case) cannot be added to multiple bridges. Is the best practice to create one big br...
by tdw
Wed Feb 24, 2021 5:56 pm
Forum: Beginner Basics
Topic: Simple VLAN fails....
Replies: 8
Views: 630

Re: Simple VLAN fails....

Setting the PVID under /interface bridge port is only applicable to bridges with vlan-filtering=yes. Mikrotik have only fully combined bridge VLAN filtering with hardware offload configuration on CRS3xx devices. On all others to achieve wire-speed switching you must use a bridge with vlan-filtering...
by tdw
Wed Feb 24, 2021 5:17 pm
Forum: Beginner Basics
Topic: Simple VLAN fails....
Replies: 8
Views: 630

Re: Simple VLAN fails....

Do not create another bridge, if all ports are already in the bridge created by the default configuration all you have to do is add the /ethernet interface switch settings. For VLAN 1337 tagged on SFP1 and untagged on SFP2 this would be /interface ethernet switch ingress-vlan-translation add ports=s...
by tdw
Wed Feb 24, 2021 2:30 pm
Forum: General
Topic: Dot1x PEAP rejected: no key for certificate found
Replies: 2
Views: 219

Re: Dot1x PEAP rejected: no key for certificate found

The dot1x certificate= setting is to specify a client certificate for the eap-tls method, it should not be set to the CA certificate.

"certificate not yet valid" points to the time and date on the Mikrotik being set to before the CA certificate start date.
by tdw
Mon Feb 22, 2021 4:43 pm
Forum: Beginner Basics
Topic: Simple VLAN fails....
Replies: 8
Views: 630

Re: Simple VLAN fails....

Use a single bridge, then on CRS1xx/2xx devices configure the switch chip so you have wire-speed connections between ports. The switch menu doesn't hide any of the huge number of switch registers which may be configured for different scenarios, however there are some basic examples here https://wiki...
by tdw
Mon Feb 22, 2021 4:36 pm
Forum: General
Topic: IP > Service > winbox/www - Not Able to Use DNS?
Replies: 3
Views: 320

Re: IP > Service > winbox/www - Not Able to Use DNS?

It is not trivial to use DNS entries for this (or src-address / dst-address in firewall rules) as you can't wait until DNS resolution has completed before continuing to process packets. However, it is possible to use address lists with firewall rules (src-address-list / dst-address-list) which wil...
by tdw
Mon Feb 22, 2021 3:17 pm
Forum: General
Topic: Problem with L2/L3 Tunnel VLAN
Replies: 14
Views: 851

Re: Problem with L2/L3 Tunnel VLAN

There is some redundant configuration from bridges and interfaces being deleted which should be cleaned up: /interface bridge port .... add disabled=yes interface=ether3 add disabled=yes interface=ether12 add bridge="bridge L2 PtoP_" disabled=yes interface=*21 /ip firewall filter add actio...
by tdw
Sun Feb 21, 2021 5:25 pm
Forum: General
Topic: No DNS for PPP-clients
Replies: 1
Views: 208

Re: No DNS for PPP-clients

AFAIK there isn't. At some point a 'No DNS' option was added to the DHCP server to prevent DNS being offered to DHCP clients, it would be nice if Mikrotik added similar for PPP profiles.
by tdw
Sun Feb 21, 2021 4:56 pm
Forum: General
Topic: /interface ethernet set [ find default-name=ether1 ] speed=100Mbps [SOLVED]
Replies: 4
Views: 352

Re: /interface ethernet set [ find default-name=ether1 ] speed=100Mbps [SOLVED]

There is /system default-configuration print which displays the commands applied to create the default setup from a factory reset state, however AFAIK there is nothing to show the initial configuration other than not to apply the default setup and then use /export verbose
by tdw
Sun Feb 21, 2021 3:11 pm
Forum: General
Topic: /interface ethernet set [ find default-name=ether1 ] speed=100Mbps [SOLVED]
Replies: 4
Views: 352

Re: /interface ethernet set [ find default-name=ether1 ] speed=100Mbps [SOLVED]

At some point the default values which are suppressed during /export were changed, so any existing configurations after a firmware update exhibit this. If you reset the configuration back to factory with the newer firmware the newer defaults are used. I'm not sure why it was changed as only 10-Half, ...
by tdw
Sun Feb 21, 2021 2:53 pm
Forum: Beginner Basics
Topic: hAP ac2 setup with VLAN
Replies: 4
Views: 563

Re: hAP ac2 setup with VLAN

2. In terms of throughput, should there be big difference if I resign from switch-chip for sake of vlan-filtering (bridge)? Or for a home user (video streaming, web surfing, email, NO gaming capabilities needed) the difference should not be noticeable at all? Another thing is that I am trying to se...
by tdw
Sat Feb 20, 2021 3:01 pm
Forum: General
Topic: Static DNS Route with Dynamic Address
Replies: 19
Views: 1241

Re: Static DNS Route with Dynamic Address

If a static CNAME entry in 6.47.x does not work I would suspect the UniFi discovery implementation, in which case the scheduled script option suggested by @Sob would be a solution. @Sob & @sindy the OP putting 'route' in the topic title is completely misleading. The UniFi devices have a number o...
by tdw
Fri Feb 19, 2021 3:56 pm
Forum: Scripting
Topic: Append Bridge vlan values
Replies: 2
Views: 617

Re: Append Bridge vlan values

set untagged=([get value-name=untagged [find vlan-ids=10] ],"ether4") [find vlan-ids=10] Is there a reason you explicitly set the untagged= parameter as this will be dynamically populated from the pvid= parameter under /interface bridge port for bridge members and /interface bridge for th...
by tdw
Fri Feb 19, 2021 3:05 pm
Forum: General
Topic: Moving SSTP (vpn) CA certificate to another MT
Replies: 1
Views: 195

Re: Moving SSTP (vpn) CA certificate to another MT

The certificate store can be backed up and restored on the same Mikrotik, but not to a different one. It is possible to make a backup which can be restored to something else by exporting a certificate in PKCS12 format so the private key is exported too, see export-certificate in https://wiki.mikroti...
by tdw
Fri Feb 19, 2021 2:43 pm
Forum: General
Topic: Problem with L2/L3 Tunnel VLAN
Replies: 14
Views: 851

Re: Problem with L2/L3 Tunnel VLAN

It isn't clear exactly what your configuration is, posting the output of /export hide-sensitive is much more informative than some vague description. If you have multiple bridges, VLANs attached to interfaces which are members of a bridge, or VLAN interfaces as members of a bridge it could be one of...
by tdw
Thu Feb 18, 2021 6:10 pm
Forum: General
Topic: Why does 6.38 to 6.48.1 upgrade destroy my router and how can I avoid it?
Replies: 4
Views: 486

Re: Why does 6.38 to 6.48.1 upgrade destroy my router and how can I avoid it?

I don't think you have much option other than reorganising the bridge/VLAN setup. You could just convert from master-port to bridge and leave the VLAN interfaces attached to other bridges setup, except there are many pitfalls see https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration especial...
by tdw
Thu Feb 18, 2021 1:51 pm
Forum: General
Topic: Why does 6.38 to 6.48.1 upgrade destroy my router and how can I avoid it?
Replies: 4
Views: 486

Re: Why does 6.38 to 6.48.1 upgrade destroy my router and how can I avoid it?

For complex setups the replacement of master-port configuration with a hardware-offloaded bridge is not handled well by the upgrade process, as in your case. It isn't clear what your original setup was as there is a br-lan and a br-wan, but all five switch ports are configured for hardware VLAN swit...
by tdw
Thu Feb 18, 2021 1:08 pm
Forum: General
Topic: RB750GL - Port Redirect
Replies: 6
Views: 487

Re: RB750GL - Port Redirect

As the source and destination addresses are within the same subnet you need to disable any bridge hardware offload and set use-ip-firewall=yes under /interface bridge settings as normally the IP firewall filter/NAT/mangle rules only apply to routed layer 3, not bridged layer 2 traffic. This does inc...
by tdw
Wed Feb 17, 2021 7:55 pm
Forum: RouterBOARD hardware
Topic: DBM33G Hardware documentation
Replies: 1
Views: 606

Re: DBM33G Hardware documentation

The forums do have a search facility, and what published information there is available can be found in the help pages. One of the headers could be JTAG for manufacturing test, others may be for features which may be implemented - no point saying what they are if there is not a guaranteed developmen...
by tdw
Wed Feb 17, 2021 6:08 pm
Forum: Beginner Basics
Topic: VLAN-Problems [SOLVED]
Replies: 18
Views: 1348

Re: VLAN-Problems [SOLVED]

The bridge itself is still set to be both untagged /interface bridge add ingress-filtering=yes name=Bridge pvid=10 vlan-filtering=yes and tagged tagged=Bridge,... under /interface bridge vlan together with /interface vlan add interface=Bridge name=PrivateVLAN vlan-id=10 Change the bridge-to-CPU inte...
by tdw
Mon Feb 15, 2021 7:10 pm
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 861

Re: How to connect vrrp'ed routers to wan (ISP)

Hmm what about a managed switch in between?
That would become a single point of failure - takes out both WAN connections. Engineering redundancy solutions which do not make your setup less reliable is not straightforward.
by tdw
Mon Feb 15, 2021 6:19 pm
Forum: Beginner Basics
Topic: VLAN-Problems [SOLVED]
Replies: 18
Views: 1348

Re: VLAN-Problems [SOLVED]

In the article it says "Access ports are configured in a way that means ingress (incoming) packets must not have tags and thus will get a tag applied." so, shouldn't Ingress-Filtering only be activated at ports where there are only packages without tags? Tagged only (a.k.a. trunk): frame-...
by tdw
Mon Feb 15, 2021 5:47 pm
Forum: Beginner Basics
Topic: L2TP with Radius Authentication
Replies: 15
Views: 849

Re: L2TP with Radius Authentication

You can only do PAP or MSCHAPv2 against AD, there is no way CHAP can work.

The 'Ignore user dial-in account properties' box is not ticked in your screenshots. I'm not a Windows expert, but without this I expect you have to apply a policy to the user accounts as the default is not to permit dial-in.
by tdw
Mon Feb 15, 2021 5:41 pm
Forum: Beginner Basics
Topic: VLAN-Problems [SOLVED]
Replies: 18
Views: 1348

Re: VLAN-Problems [SOLVED]

As the bridge and all of the ports have a PVID=1 things are getting confused by also having a VLAN with VID=1 attached to the bridge. There are several options * Use VLAN IDs excluding 1 OR * Set the bridge & port PVIDs to some other value OR * Disable the PVID on ports where you wish to use VLA...
by tdw
Mon Feb 15, 2021 5:23 pm
Forum: Beginner Basics
Topic: Port Forwarding after ISP Switch
Replies: 3
Views: 278

Re: Port Forwarding after ISP Switch

Screenshots of winbox/webfig pages are generally not very useful, the output of /export hide-sensitive from a terminal window posted as code (the [] icon above the text entry box on the forum page) shows the precise configuration.
by tdw
Mon Feb 15, 2021 5:17 pm
Forum: Beginner Basics
Topic: Internet / VPN Problem
Replies: 12
Views: 1150

Re: Internet / VPN Problem

But today I've seen something strange, I've connected my office mikrotik router to mine to access some devices from my home and in the moment I lost internet connection "ping 8.8.8.8" doesn't response but ping to my office devices response correctly, so I have an internet connection. Goog...
by tdw
Mon Feb 15, 2021 4:55 pm
Forum: Beginner Basics
Topic: VLAN-Problems [SOLVED]
Replies: 18
Views: 1348

Re: VLAN-Problems [SOLVED]

Screenshots of winbox pages are generally not very useful, the output of /export hide-sensitive from a terminal window posted as code (the [] icon above the text entry box on the forum page) shows the precise configuration Mikrotik documentation on VLAN-aware bridges is here https://wiki.mikrotik.co...
by tdw
Sat Feb 13, 2021 8:00 pm
Forum: Beginner Basics
Topic: Splitting Ports into Seperate Isolated Networks
Replies: 25
Views: 1695

Re: Splitting Ports into Seperate Isolated Networks

If you have the default 'allow forward established/related/untracked connection' rule before your rule, yes. The first request from PC on LAN network to media server on IOT network has the connection state new , the reply from media server to PC has the state established and hits this rule. If you a...
by tdw
Fri Feb 12, 2021 7:06 pm
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 861

Re: How to connect vrrp'ed routers to wan (ISP)

You need not switch the LAN VRRP over due to an external WAN failure, you can have backup default routes, i.e. with a greater distance via the other. If they are static routes the packets will bounce back and forth between the two Mikrotiks when both WANs are down, but you probably don't care in tha...
by tdw
Fri Feb 12, 2021 5:04 pm
Forum: General
Topic: no Access for local web management of DSL !
Replies: 2
Views: 238

Re: no Access for local web management of DSL !

Screenshots of Winbox are generally not particularly useful, the output of /export hide-sensitive from a terminal window posted as code (the [] icon above the text entry box on the forum page) shows the precise configuration. I suspect that the ADSL and VDSL modems have no route to return traffic to ...
by tdw
Fri Feb 12, 2021 4:47 pm
Forum: General
Topic: How to connect vrrp'ed routers to wan (ISP)
Replies: 12
Views: 861

Re: How to connect vrrp'ed routers to wan (ISP)

If you have two public IPs provided by two different providers there isn't much you can do if the public addresses are terminated on the Mikrotiks, other than have an active-active setup with each Mikrotik handling one WAN connection and you lose access to that WAN if there is an issue with the att...
by tdw
Thu Feb 11, 2021 5:11 pm
Forum: Beginner Basics
Topic: L2TP routed/bridged/vlans
Replies: 13
Views: 832

Re: L2TP routed/bridged/vlans

What are: 192.168.11.0/24 + 192.168.12.0/24 and Remote: 192.168.21.0/24 + 192.168.22.0/24 ?
They were examples of subnets attached to the VLAN interfaces at each end. Your original example has two VLANs but only one subnet at each end which is insufficient.
by tdw
Thu Feb 11, 2021 5:07 pm
Forum: Beginner Basics
Topic: Confused how to do VLAN Firewall filters? [SOLVED]
Replies: 8
Views: 620

Re: Confused how to do VLAN Firewall filters? [SOLVED]

For input you should allow established/related/untracked connections, drop invalid connections, allow ICMP as blocking it breaks things such as PMTU detection, then have your drop from outside rule: /ip firewall filter add action=accept chain=input comment="Allow input 'established', 'related' ...
by tdw
Thu Feb 11, 2021 4:10 pm
Forum: Beginner Basics
Topic: L2TP routed/bridged/vlans
Replies: 13
Views: 832

Re: L2TP routed/bridged/vlans

If you had Head: 192.168.11.0/24 + 192.168.12.0/24 and Remote: 192.168.21.0/24 + 192.168.22.0/24 By this you mean V10 and V20 (example) IP addresses on Head and Remote? Yes, although the IP could be encapsulated in VID 11 + 12 at one end, and VID 21 + 22 at the other. So this is something along L3 ...
by tdw
Thu Feb 11, 2021 3:27 pm
Forum: Beginner Basics
Topic: L2TP routed/bridged/vlans
Replies: 13
Views: 832

Re: L2TP routed/bridged/vlans

If I go back to my original goal and want to connect head office with remote office and want to bridge L2 between sites then I need to use some kind of EoIP or BCP protocol. This way I can extend VLANs over to remote office. Yes, excepting the limitations of the current BCP implementation. What if ...
by tdw
Thu Feb 11, 2021 1:58 pm
Forum: Beginner Basics
Topic: L2TP routed/bridged/vlans
Replies: 13
Views: 832

Re: L2TP routed/bridged/vlans

I am trying to wrap my head around all this. I think I am still missing some pieces to understand correctly. - Ethernet is L2 - VLAN is ethernet construct and therefore also L2. - bridge is also operating on L2 as it is kind of a "virtual" switch between interfaces Yes to all. - as long a...
by tdw
Thu Feb 11, 2021 1:37 pm
Forum: Beginner Basics
Topic: Confused how to do VLAN Firewall filters? [SOLVED]
Replies: 8
Views: 620

Re: Confused how to do VLAN Firewall filters? [SOLVED]

To have a conversation between LAN and DMZ, after the initial packet from LAN to DMZ there will be a reply packet from DMZ to LAN, and your drop DMZ to LAN rule will drop these too; typically you have an allow established/related/untracked rule as the first item in the forward chain to permit the ongo...
by tdw
Wed Feb 10, 2021 11:47 pm
Forum: Beginner Basics
Topic: L2TP routed/bridged/vlans
Replies: 13
Views: 832

Re: L2TP routed/bridged/vlans

Similar yes, in fact you can have both L2 & L3 if desired. One thing to watch out for is that BCP doesn't play nicely with VLAN-aware bridges, hopefully Mikrotik will fix it one day. I do have vlans configured under bridge vlan filtering as this appears to be a "promoted" way (I guess...
by tdw
Wed Feb 10, 2021 9:40 pm
Forum: Beginner Basics
Topic: L2TP routed/bridged/vlans
Replies: 13
Views: 832

Re: L2TP routed/bridged/vlans

Because I must not forget about vpn dial-in users I am sympathizing with L2TP now. Hopefully L2TP/IPsec, plain L2TP is either not or weakly encrypted and the MSCHAPv2 password can have the NT hash and an equivalent password recovered. With L2TP I also have routed or bridged (BCP) way. With BCP I gu...
by tdw
Wed Feb 10, 2021 9:13 pm
Forum: Beginner Basics
Topic: unifi cloud key
Replies: 7
Views: 1548

Re: unifi cloud key

I'm not sure the Cloud Key would like 57V passive - the MT48-480095-11DG (45W) would be a better choice, or if you are powering several additional devices from the hEX PoE too the 48POW (70W) may be required depending on their power requirements. Any third-party PSU with a centre-positive 2.1mm barr...
by tdw
Wed Feb 10, 2021 4:17 am
Forum: Beginner Basics
Topic: Splitting Ports into Seperate Isolated Networks
Replies: 25
Views: 1695

Re: Splitting Ports into Seperate Isolated Networks

With regards to the firewall rules that prevent the networks from talking to each other, I used the rules below. After applying these rules things work as I wanted with the exception that computers on each network can still ping the gateway on the opposite networks. This is not what I expected, but...
by tdw
Wed Feb 10, 2021 3:42 am
Forum: Beginner Basics
Topic: EoIP Tunnel Clamp TPC MSS
Replies: 7
Views: 790

Re: EoIP Tunnel Clamp TPC MSS

I have set 1300 MTU on the EoIP tunnel. Additional rule set MSS to 1250.
Be aware that if you add an EoIP interface with an MTU<1500 to a bridge it will impact any traffic between local bridge ports too, usually breaking things.
by tdw
Mon Feb 08, 2021 6:21 pm
Forum: Beginner Basics
Topic: Cisco AP Autonomout Mode VLAN issue on one VLAN [SOLVED]
Replies: 17
Views: 1198

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN [SOLVED]

My experiences with Cisco APs, albeit some years ago on the 1230 series, were that they didn't particularly like a fully tagged setup so I used management to the BVI interface untagged. Their newer APs may be better.
by tdw
Mon Feb 08, 2021 2:08 pm
Forum: General
Topic: LT2P VPN
Replies: 8
Views: 688

Re: LT2P VPN

You should have add-default-route=no under /interface l2tp-client - this is likely what is causing all your local devices to use the VPN connection. It would be better to use a single mangle rule with an address list rather than having three mangle rules with individual addresses as it reduces the CPU...
by tdw
Sat Feb 06, 2021 9:46 pm
Forum: General
Topic: LT2P VPN
Replies: 8
Views: 688

Re: LT2P VPN

It depends on how the decision to route traffic via the VPN is going to be made. If there are a small number of destination addresses, e.g. a few company subnets, you can use static routes to direct traffic to those addresses via the VPN. However if there are a small number of local source addresses...
by tdw
Sat Feb 06, 2021 2:57 am
Forum: Beginner Basics
Topic: Enable DHCP passthrough to upper router (DHCP server)
Replies: 1
Views: 354

Re: Enable DHCP passthrough to upper router (DHCP server)

That won't work, the wiki example is using DHCP relay to pass requests for 192.168.1.0/24 and 192.168.2.0/24 subnets to a DHCP server running in the 192.168.0.0/24 subnet. If you wish to extend the network from the other router the hAP should have all ports in one bridge, no DHCP server or DHC...
by tdw
Wed Feb 03, 2021 7:02 pm
Forum: Beginner Basics
Topic: Cisco AP Autonomout Mode VLAN issue on one VLAN [SOLVED]
Replies: 17
Views: 1198

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN [SOLVED]

@anav The Cisco AP on ether2 is configured with VLAN10 untagged & VLAN20 tagged so frame-types=admit-only-vlan-tagged isn't appropriate either
by tdw
Wed Feb 03, 2021 2:35 pm
Forum: Beginner Basics
Topic: Cisco AP Autonomout Mode VLAN issue on one VLAN [SOLVED]
Replies: 17
Views: 1198

Re: Cisco AP Autonomout Mode VLAN issue on one VLAN [SOLVED]

Having frame-types=admit-only-untagged-and-priority-tagged for ether2 isn't appropriate for a hybrid port
by tdw
Mon Feb 01, 2021 10:07 pm
Forum: General
Topic: After Hack are we clean ?
Replies: 6
Views: 791

Re: After Hack are we clean ?

I can't comment on Dude access as we do not use it. If you are restricting external access by means of an address list there is not really a need to change the port(s). It depends on how determined/clever the hackers were as not everything in the underlying OS is exposed through Winbox or CLI. The ...
by tdw
Mon Feb 01, 2021 5:15 pm
Forum: General
Topic: [Question]: Anyone running a MA5671A GPON ONU at 2.5 GBit/s
Replies: 7
Views: 1014

Re: [Question]: Anyone running a MA5671A GPON ONU at 2.5 GBit/s

The raw GPON interface always operates at 2.5Gbps down / 1.25Gbps up, regardless of the SFP interface rate. GPON supports up to 1:128 split ratios which would be 20Mbps down / 10Mbps up if everyone were using the service at the same instant. The ONU converts ethernet packet payloads to/from GEM (GPON...
by tdw
Mon Feb 01, 2021 4:49 pm
Forum: General
Topic: hardware offload (HW) hap ac Lile?
Replies: 5
Views: 532

Re: hardware offload (HW) hap ac Lile?

Set hw=no for the ethernet interfaces attached to the other bridges under /interface bridge port , in Winbox this is the 'Hardware Offload' checkbox on the General tab for the ports under Bridge > Ports. Hardware offload is only for ethernet to ethernet traffic for ports attached to one bridge, it w...
by tdw
Sun Jan 31, 2021 9:55 pm
Forum: Beginner Basics
Topic: Switch chip
Replies: 9
Views: 1039

Re: Switch chip

As I said in my previous post your configuration does not allow traffic from the access ports to the CPU.
by tdw
Sun Jan 31, 2021 9:00 pm
Forum: General
Topic: hardware offload (HW) hap ac Lile?
Replies: 5
Views: 532

Re: hardware offload (HW) hap ac Lile?

Whichever has the greatest port to port traffic, e.g. if you have a PC and a NAS connected to a couple of ethernet ports then the bridge including those. Also note that wlan interfaces cannot be hardware accelerated as the traffic is handled by device driver code running on the CPU.
by tdw
Sat Jan 30, 2021 3:53 pm
Forum: Beginner Basics
Topic: Switch chip
Replies: 9
Views: 1039

Re: Switch chip

The trunk and access ports have no access (IP or MAC based) to the CPU with that configuration: There is a VLAN5 interface configured for IP management of the device, however it is not connected to any ethernet ports. VLAN6 is untagged on ether2, tagged on ether1 and switch1-CPU, however there is no...
by tdw
Fri Jan 29, 2021 12:46 am
Forum: General
Topic: Help on wiring solution
Replies: 18
Views: 1490

Re: Help on wiring solution

No, one VLAN aware bridge. Then make the port connected to the guest network on the router (blue line) an access port for the guest VLAN. As the unmanaged switch may not pass tagged traffic make all the other Mikrotik ports access ports too, and use CAPsMAN forwarding to encapsulate the guest traffic.
by tdw
Thu Jan 28, 2021 8:50 pm
Forum: Beginner Basics
Topic: Switch chip
Replies: 9
Views: 1039

Re: Switch chip

You mention VLAN 6 for management, however this configuration uses VLAN 5 which is not configured on any of the ether ports: add ports=switch1-cpu switch=switch1 vlan-id=5
by tdw
Thu Jan 28, 2021 8:37 pm
Forum: General
Topic: Reconfigure VLAN on CRS-326-24P-2S+ [SOLVED]
Replies: 7
Views: 752

Re: Reconfigure VLAN on CRS-326-24P-2S+ [SOLVED]

Generally I find it best not to include any untagged= membership entries under /interface bridge vlan as they will be dynamically added when interfaces are running/up based on the pvid= entries under /interface bridge port . If the untagged membership entries are present you have to remember to upda...
by tdw
Thu Jan 28, 2021 8:04 pm
Forum: General
Topic: Help on wiring solution
Replies: 18
Views: 1490

Re: Help on wiring solution

Having two subnets on one link without VLANs is possible but is unusual - it doesn't provide isolation, and DHCP can only be used to assign dynamic addresses to one subnet. Other than this weird internet connection the normal way of implementing this would be to use a single VLAN-aware bridge on the...
by tdw
Thu Jan 28, 2021 7:50 pm
Forum: General
Topic: APC SMT750U & CRS326-24G-2S+RM
Replies: 9
Views: 755

Re: APC SMT750U & CRS326-24G-2S+RM

Would it work if I use a USB to RJ45 Cisco Console Cable with FTDI chip? From UPS USB-B port to the serial RJ45 of the MikroTik? Or somehow connecting the USB port of the UPS to the serial RJ45 port of the MikroTik? No. USB only supports host-to-peripheral communications, not host-to-host or periph...
by tdw
Mon Jan 25, 2021 8:08 pm
Forum: General
Topic: APC SMT750U & CRS326-24G-2S+RM
Replies: 9
Views: 755

Re: APC SMT750U & CRS326-24G-2S+RM

I thought a rollover cable would work as that's how you can connect the APC UPS from its serial port to another device with an RJ45 serial port. I don't think I've ever seen an APC connection which didn't require a custom cable to swap pin connections as they are not a 1-to-1 mapping. So basically t...
by tdw
Mon Jan 25, 2021 7:54 pm
Forum: General
Topic: Help on wiring solution
Replies: 18
Views: 1490

Re: Help on wiring solution

The recommended setup for Mikrotiks with VLANs is to use a single VLAN-aware bridge, there is a good primer in the forum https://forum.mikrotik.com/viewtopic.php?t=143620 If the wired client connections (what you have called terminals) are on one network you can use CAPsMAN forwarding to segregate t...
by tdw
Mon Jan 25, 2021 2:28 pm
Forum: General
Topic: Making PPPOE-Client ip's static
Replies: 1
Views: 303

Re: Making PPPOE-Client ip's static

The PPPoE server uses the remote-address setting from the PPP profile, for authentication against a RADIUS server this may be overridden by including a Framed-IP-Address , Framed-Pool or Mikrotik-Group attribute in the Access-Accept message. You can specify local users under /ppp secret with specifi...