Community discussions

Search found 2072 matches

by tdw
Sat Jan 18, 2025 5:09 pm
Forum: Beginner Basics
Topic: Low internet speed when we did PCC load balancing and connecting 2 ISPs on Mikrotik
Replies: 10
Views: 1519

Re: Low internet speed when we did PCC load balancing and connecting 2 ISPs on Mikrotik

Fasttrack is not compatible with mangle, disable or remove the fasttrack-connection firewall rule.
by tdw
Fri Jan 17, 2025 4:23 am
Forum: General
Topic: PoE hEX RB960PGS as a switch? [SOLVED]
Replies: 9
Views: 442

Re: PoE hEX RB960PGS as a switch? [SOLVED]

I don't think that covers using the Qualcomm/Atheros switch chip in the hEX PoE, only VLAN-aware bridges which would be handled by the CPU in this case and not achieve anything near wire-speed throughput. I've not had any slowdowns when configuring VLAN support directly on the switch chip, the existi...
by tdw
Fri Jan 17, 2025 4:09 am
Forum: Beginner Basics
Topic: Bridge operation mode as a layer 2 switch with packet filtering
Replies: 3
Views: 205

Re: Bridge operation mode as a layer 2 switch with packet filtering

For the OP's use case port isolation would likely not be sufficient. In this case creating a bridge, adding all of the ports to it and setting use-ip-firewall=yes under /interface bridge settings would provide the most flexibility, but as pointed out is handled by the CPU so not going to achieve wi...
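The approach described in that reply, written out as an added example (not configuration from the thread). Port names, the "guest" and "uplink" roles and the policy itself are assumptions chosen to illustrate the in-bridge-port / out-bridge-port matchers:

```routeros
# Added example: bridge all ports as a switch, then filter bridged traffic
# with the IP firewall. This path is handled by the CPU, so hardware
# offload and wire-speed throughput are lost. Port names are assumptions.
/interface bridge
add name=bridge1 comment="all LAN ports, acts as a switch"
/interface bridge port
add bridge=bridge1 interface=ether2 comment="uplink"
add bridge=bridge1 interface=ether3 comment="trusted LAN"
add bridge=bridge1 interface=ether4 comment="guest"

# Send layer 2 forwarded packets through /ip firewall as well; without this
# the forward chain only ever sees routed traffic.
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

# Bridged packets now match on in-bridge-port / out-bridge-port.
# Policy: the guest port may talk to the uplink port and nothing else.
/ip firewall filter
add chain=forward in-bridge-port=ether4 out-bridge-port=ether2 action=accept \
    comment="guest -> uplink"
add chain=forward in-bridge-port=ether4 action=drop \
    comment="guest -> any other bridged port"
add chain=forward out-bridge-port=ether4 in-bridge-port=!ether2 action=drop \
    comment="any port except uplink -> guest"
# Replies from the uplink to the guest port match nothing above and are
# accepted by the default policy. Verify with:
#   /ip firewall filter print stats
```

The rules are stateless on purpose so the L2 policy is obvious; on a router that also routes, connection-state matching can be combined with the bridge-port matchers in the same chain.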
by tdw
Fri Jan 17, 2025 3:54 am
Forum: Beginner Basics
Topic: Does masquerade automatically change packet IP's back to private?
Replies: 1
Views: 152

Re: Does masquerade automatically change packet IP's back to private?

It's more a case of undoing src-nat, but yes one of the main uses of connection tracking is to handle this. It is possible to apply both src-nat and dst-nat to a connection if a particular use case requires it. You would not be able to do away with connection tracking and have separate reverse rules...
by tdw
Fri Jan 17, 2025 2:50 am
Forum: General
Topic: asymmetric routing
Replies: 12
Views: 575

Re: asymmetric routing

Are all of your internal addresses within 10.42.0.0/16? Otherwise they are different. For packets from the router itself you need a mark-routing rule in the output chain as this never hits prerouting. I've found mixing marking in mangle and routing rules can be confusing in complex setups. Certainl...
by tdw
Fri Jan 17, 2025 1:37 am
Forum: Beginner Basics
Topic: Struggling to receive IPv6 prefix delegation from ISP
Replies: 56
Views: 3080

Re: Struggling to receive IPv6 prefix delegation from ISP

A quick search suggests that people have used other routers successfully, but Lit use an oddly small delegated prefix size of /62. It may also be worth experimenting with setting the DHCPv6 client rapid-commit=no (I believe the default is yes), you could also try specifying prefix-hint=62 and po...
by tdw
Fri Jan 17, 2025 12:52 am
Forum: General
Topic: Mikrotik and APs VLAN
Replies: 20
Views: 1472

Re: Mikrotik and APs VLAN

- but binding dhcp server to vlan 400 interface is not possible because it runs as slave device from ether 4. It is possible, the vlan400 /interface vlan attached to ether4 is not a slave, this term applies to members of a bridge. It is also not possible to bind two dhcp servers on the same interfac...
by tdw
Thu Jan 16, 2025 8:45 pm
Forum: Beginner Basics
Topic: Struggling to receive IPv6 prefix delegation from ISP
Replies: 56
Views: 3080

Re: Struggling to receive IPv6 prefix delegation from ISP

It can be difficult getting past first-line support who typically know nothing and are working off scripts. You may have to resort to using the packet sniffer to capture the IPv6 RA and DHCP packets to see what is going on. I don't know if Lit use the router WAN MAC address to link prefix assignment...
by tdw
Thu Jan 16, 2025 8:35 pm
Forum: General
Topic: Mikrotik and APs VLAN
Replies: 20
Views: 1472

Re: Mikrotik and APs VLAN

If you will never require the VLANs to be present on more than one physical port then you can attach an /interface vlan directly to a port. They do not work as drawn, they merely add a VLAN tag for packets passing in one direction and remove it for packets passing in the other. Consider /interface vl...
by tdw
Thu Jan 16, 2025 3:11 pm
Forum: General
Topic: Mikrotik and APs VLAN
Replies: 20
Views: 1472

Re: Mikrotik and APs VLAN

Since the introduction of VLAN-aware bridges some years ago a single bridge is the recommended method. There are various potential issues when using multiple bridges https://help.mikrotik.com/docs/spaces/R ... figuration
by tdw
Thu Jan 16, 2025 3:00 pm
Forum: General
Topic: bridge port pvid vs bridge vlan untagged [SOLVED]
Replies: 3
Views: 218

Re: bridge port pvid vs bridge vlan untagged [SOLVED]

Why is it that you have to specify `untagged=ether6` after you've already assigned the pvid (`pvid=200`) while adding `ether6` as a bridge port? You do not have to. What happens if I don't add `ether6` to VLAN 200's `untagged` list? It is added dynamically based on the PVID setting. There may have ...
by tdw
Thu Jan 16, 2025 2:45 pm
Forum: Beginner Basics
Topic: Struggling to receive IPv6 prefix delegation from ISP
Replies: 56
Views: 3080

Re: Struggling to receive IPv6 prefix delegation from ISP

You may have to add options to your logging rule to see detailed information - typically debug, and if there is too much output !packet can be useful too. The address looks fine - IPv6 uses link-local addresses in many places, rather than global unique addresses. Unfortunately the IPv6 standards al...
by tdw
Wed Jan 15, 2025 5:39 pm
Forum: General
Topic: asymmetric routing
Replies: 12
Views: 575

Re: asymmetric routing

I'm frequently amazed about how few providers implement network ingress filtering per BCP38, if more did, it would help cut down spoofed address DDoS traffic. The route marking should be applied to everything except the ingress interface, otherwise packets will immediately be forwarded back out as...
by tdw
Wed Jan 15, 2025 5:19 pm
Forum: Forwarding Protocols
Topic: SSTP BCP problem
Replies: 4
Views: 452

Re: SSTP BCP problem

Any advice?
There should be no need for routes or tunnel IP addresses as BCP is layer 2 not layer 3. There is an example in the old Wiki https://wiki.mikrotik.com/Manual:BCP_br ... _bridging) which has not been migrated to the new help pages.
by tdw
Wed Jan 15, 2025 5:12 pm
Forum: Forwarding Protocols
Topic: SSTP BCP problem
Replies: 4
Views: 452

Re: SSTP BCP problem

L2 tunnels: https://help.mikrotik.com/docs/spaces/ROS/pages/100007937/VXLAN https://help.mikrotik.com/docs/spaces/ROS/pages/24805521/EoIP The OP appears to be attempting to use Bridge Control Protocol (BCP) which is part of the PPP standards. It might be considered old-fashioned compared with newer...
by tdw
Wed Jan 15, 2025 5:08 pm
Forum: General
Topic: Mikrotik and APs VLAN
Replies: 20
Views: 1472

Re: Mikrotik and APs VLAN

Why is it not suggested to run a management vlan on vlan 1? I saw a lot of configurations, where people use vlan 1, too. There is nothing technically wrong with using VLAN 1 or running management on it, you just have to be very aware of how different vendors use VLAN 1. With Ubiquiti the UniFi de...
by tdw
Wed Jan 15, 2025 4:50 pm
Forum: General
Topic: Cannot sniff packets on VLAN interface on CRS310-8G+2S+
Replies: 1
Views: 160

Re: Cannot sniff packets on VLAN interface on CRS310-8G+2S+

When layer 2 hardware offloading is active packets passing through the switch are not seen by the CPU at all https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-FlowofHardwareOffloadedPacket so the packet sniffer will see nothing. You could add switch r...
by tdw
Wed Jan 15, 2025 4:38 pm
Forum: General
Topic: asymmetric routing
Replies: 12
Views: 575

Re: asymmetric routing

Did you add the additional routing table? Unlike RouterOS v6 you have to explicitly create them in v7:
/routing table
add disabled=no fib name=WAN-A1
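The pieces mentioned across this thread (explicit routing table in v7, mark-routing applied to everything except the ingress interface, a matching rule in the output chain for router-originated packets, and fasttrack being incompatible with mangle, from the PCC thread above) put together as one added example. This is not the poster's configuration; interface names, the table name, the connection mark and the gateway address are assumptions:

```routeros
# Added example, not the thread's configuration: policy routing for a
# second ISP in RouterOS v7. ether1 is assumed to be the main WAN and
# ether2-ispA1 the second one; 203.0.113.1 is a placeholder gateway.

# 1. v7 does not create routing tables implicitly (v6 did).
/routing table
add disabled=no fib name=WAN-A1

# 2. A default route that only table WAN-A1 uses.
/ip route
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=WAN-A1 \
    check-gateway=ping comment="default via ISP A1"

# 3. Remember which WAN a connection arrived on, then route its replies
#    back through that WAN. The mark-routing rule excludes the ingress
#    interface: marking packets that arrived on ether2-ispA1 would send
#    them straight back out of it.
/ip firewall mangle
add chain=prerouting in-interface=ether2-ispA1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=via-A1 passthrough=yes \
    comment="new inbound connection on ISP A1"
add chain=prerouting in-interface=!ether2-ispA1 connection-mark=via-A1 \
    action=mark-routing new-routing-mark=WAN-A1 passthrough=no \
    comment="LAN replies for those connections use table WAN-A1"

# 4. The router's own replies (management services, VPN endpoints) never
#    pass through prerouting, so the same mark is needed in output.
add chain=output connection-mark=via-A1 action=mark-routing \
    new-routing-mark=WAN-A1 passthrough=no \
    comment="router-originated replies on ISP A1 connections"

# 5. Fasttracked connections bypass mangle, so the default fasttrack
#    rule must be disabled (or restricted to connections that carry no mark).
/ip firewall filter
set [ find action=fasttrack-connection ] disabled=yes

# Checks:
#   /routing table print
#   /ip route print where routing-table=WAN-A1
#   /ip firewall mangle print stats
```

The connection mark is set only once (connection-mark=no-mark) so an existing connection is never re-classified mid-stream; the routing mark is derived from it on every packet, which is what makes the output-chain rule necessary for traffic the router itself originates.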
by tdw
Tue Jan 14, 2025 1:35 am
Forum: General
Topic: IPv6 DHCP server for one VLAN only
Replies: 2
Views: 326

Re: IPv6 DHCP server for one VLAN only

Historically the Mikrotik DHCPv6 server has only supported prefix delegation, not handing out individual addresses. The latest testing branch release (7.17) adds address delegation, details in the help pages https://help.mikrotik.com/docs/spaces/ROS/pages/24805500/DHCP#DHCP-EnablingIPv6Addressdelega...
by tdw
Sun Jan 12, 2025 1:25 am
Forum: The User Manager
Topic: User Authentication
Replies: 3
Views: 1290

Re: User Authentication

MAC-based mechanisms don't provide authentication as it is trivial for anyone to spoof a MAC address and gain access. Any authentication and authorisation setup will require ongoing management, if you already have a database of user credentials such as Windows / Azure AD it is possible to use those f...
by tdw
Sat Jan 11, 2025 10:51 pm
Forum: Beginner Basics
Topic: WiFi Station to Ethernet Port
Replies: 6
Views: 620

Re: WiFi Station to Ethernet Port

There is a LTE interface: /interface lte apn set [ find default=yes ] ip-type=ipv4 use-network-apn=no which cannot exist on a mAP lite. And ovpn/hotspot/ipsec/bfd settings that seem to have no reason to exist. Likely a result of upgrading from RouterOS v6 to v7 as the config conversion isn't great,...
by tdw
Sat Jan 11, 2025 10:27 pm
Forum: RouterBOARD hardware
Topic: CCR1009-7G-1C-1S+ 2.5G Compatible?
Replies: 7
Views: 844

Re: About CCR1009-7G-1C-1S+ (tile)

1.25Gbps max for connection speed BUT with a maximum data speed of 1Gbps and when you look at the block diagram, you'll see why. The optical data rate is 1.25Gbps as the PHY uses 8b/10b encoding - 1Gbps * 10 / 8 = 1.25Gbps . Each block of eight bits is encoded into ten bit symbols with no more than...
by tdw
Sat Jan 11, 2025 10:16 pm
Forum: RouterBOARD hardware
Topic: New/better router with old config
Replies: 2
Views: 481

Re: New/better router with old config

The .backup files are only intended to backup and restore the configuration on the same router. Mikrotik advise against restoring them even on the same model, let alone a completely different one. Create a .rsc with /export (or /export show-sensitive on RouterOS v7) on the existing device, this is a...
by tdw
Sat Jan 11, 2025 10:01 pm
Forum: Beginner Basics
Topic: Separate LANS using Wireless Wire Cube, Non VLAN Router
Replies: 7
Views: 491

Re: Separate LANS using Wireless Wire Cube, Non VLAN Router

Multiple NAT tends not to be problematic these days, certainly Skype and other video calling / VoIP services are fine. Various gaming protocols are problematic with any sort of NAT, not much you can do about it. The CPU in the Cube is reasonably powerful so using one of the pair to provide router fu...
by tdw
Wed Jan 08, 2025 6:48 pm
Forum: General
Topic: Get information about physical connection between RouterOS devices
Replies: 1
Views: 386

Re: Get information about physical connection between RouterOS devices

IP>Neighbours will show the CDP, LLDP & MNDP information received by device ports, adding the Interface Name column provides the port name on the other devices. If the device in question is not configured to send discovery information then Bridge>Hosts shows the source MAC addresses received by ...
by tdw
Mon Jan 06, 2025 5:59 pm
Forum: Beginner Basics
Topic: Issues using VLAN SSIDs on Access Point on a MikroTik device acting as a managed switch
Replies: 15
Views: 2571

Re: Issues using VLAN SSIDs on Access Point on a MikroTik device acting as a managed switch

So a device plugged into ether3 or ether5 receives an address from the range your base untagged network uses, and plugged into ether4 from the range VLAN 20 uses. Does configuring a port with a PVID of 10 similarly provide an address from the range VLAN 10 uses? Have you tried temporarily plugging t...
by tdw
Sun Jan 05, 2025 11:59 pm
Forum: General
Topic: Can't disable IPv6 SLAAC
Replies: 3
Views: 713

Re: Can't disable IPv6 SLAAC

Did you previously have an IPv6 address assigned to the VLAN in question? It may be that if you add an address and then remove it the Mikrotik requires a reboot to stop the advertisement. There are a few things where a reboot is required to get the state consistent after changes, in this case it could ...
by tdw
Sun Jan 05, 2025 5:06 pm
Forum: General
Topic: VLAN Trunk port config
Replies: 11
Views: 1635

Re: VLAN Trunk port config

The switch VLAN setup looks OK - sfpplus1-4 are untagged with VLAN 10 and VLAN 20 tagged, ether1-24 are untagged only. There are some unnecessary entries in the switch configuration which I would suggest removing: /interface vlan add interface=sfp-sfpplus3-wall name=appletalk vlan-id=20 add interfac...
by tdw
Sat Jan 04, 2025 10:27 pm
Forum: Beginner Basics
Topic: Issues using VLAN SSIDs on Access Point on a MikroTik device acting as a managed switch
Replies: 15
Views: 2571

Re: Issues using VLAN SSIDs on Access Point on a MikroTik device acting as a managed switch

Managing the MikroTik on the untagged on the bridge and have the access point connected to ether2, which is untagged. It needs the VLANs for the SSIDs on the AP added as tagged. I'm unsure of your last question but I am forwarding DHCP from OPNsense but the VLAN have a static range they are assigne...
by tdw
Sat Jan 04, 2025 7:44 pm
Forum: Beginner Basics
Topic: Issues using VLAN SSIDs on Access Point on a MikroTik device acting as a managed switch
Replies: 15
Views: 2571

Re: Issues using VLAN SSIDs on Access Point on a MikroTik device acting as a managed switch

Which VLAN are you using for management of the Mikrotik (untagged on the bridge, VLAN 10 or VLAN 20), static or DHCP-assigned address, and which port is the AP plugged into?
by tdw
Sat Jan 04, 2025 2:12 pm
Forum: General
Topic: VLAN Trunk port config
Replies: 11
Views: 1635

Re: VLAN Trunk port config

How can I stop tagged vlan traffic from the switch leaking to the untagged vlan on the router? What do you mean by leaking? Is it possible to use a "hybrid port" with both untagged traffic and tagged traffic to trunk the VLANs between switches? Yes, although some people dislike this arrang...
by tdw
Sat Jan 04, 2025 1:58 pm
Forum: Forwarding Protocols
Topic: OSPF on VLAN interface [SOLVED]
Replies: 3
Views: 1232

Re: OSPF on VLAN interface [SOLVED]

The same with pinging, I can ping the neighbor if everything is configured on the interface, but cannot if it's configured via vlan. If you can't ping the other end of the /30 then it has nothing to do with OSPF, it is something more fundamental than that. Maybe firewall, impossible to tell without...
by tdw
Sat Jan 04, 2025 1:52 pm
Forum: Beginner Basics
Topic: Issues using VLAN SSIDs on Access Point on a MikroTik device acting as a managed switch
Replies: 15
Views: 2571

Re: Issues using VLAN SSIDs on Access Point on a MikroTik device acting as a managed switch

If your OPNsense router is providing VLANs and DHCP services the only configuration on the Mikrotik should be bridge ports & VLANs plus management address.

Is the AP you are setting up another device, or on this Mikrotik, in which case there appears to be no configuration for it?
by tdw
Tue Dec 31, 2024 3:22 am
Forum: General
Topic: Managed Dell switch to CRS326
Replies: 7
Views: 1008

Re: Managed Dell switch to CRS326

port 1 - trunk, tagged (vlan1) to port 2 on main router port 3-39,41-42 (untagged) (41-42 to OOB of fiber switches) Vlan100 The default for Mikrotik bridge ports, including the internal bridge-to-CPU port, is VLAN 1 untagged. Many of the default settings do not appear in /export so this is not imme...
by tdw
Sat Dec 28, 2024 12:58 am
Forum: General
Topic: IPv6 SLAAC wrong prefix
Replies: 1
Views: 730

Re: IPv6 SLAAC wrong prefix

address=::90 from-pool=fiber6 specifies a local host address of 0000:0000:0000:0090 with a prefix from the pool. There is a longstanding gripe that you can't provide a prefix hint, e.g. ::90:0:0:0:1
by tdw
Tue Dec 24, 2024 6:53 pm
Forum: General
Topic: ISP connection via IPIPv6 tunnel on FTTH/GPON - replace Iliad router with RB4011
Replies: 2
Views: 865

Re: ISP connection via IPIPv6 tunnel on FTTH/GPON - replace Iliad router with RB4011

AFAIK the required helpers for the MAP-E, MAP-T, 464XLAT and Lw4o6 methods are missing from RouterOS, the only successful implementations I've seen use DS-Lite. If enough people ask Mikrotik to add some/all of them it might eventually happen.
by tdw
Fri Dec 13, 2024 7:04 pm
Forum: Beginner Basics
Topic: RouterOS without CAPsMAN?
Replies: 5
Views: 1100

Re: RouterOS without CAPsMAN?

In the release notes for 7.13.x: Notice - Starting from RouterOS version 7.13, significant changes have been made to the RouterOS wireless packages. This is done due to a new product development which will require more disk space for hardware drivers so we had to split it in order to maintain old pr...
by tdw
Fri Dec 13, 2024 3:20 pm
Forum: Wireless Networking
Topic: Windows 10 cannot connect to EAP-TLS Wifi [SOLVED]
Replies: 5
Views: 1460

Re: Windows 10 cannot connect to EAP-TLS Wifi [SOLVED]

You have not fully configured user manager, see https://help.mikrotik.com/docs/spaces/ROS/pages/92635137/Enterprise+wireless+security+with+User+Manager+v5 There are differences between the original wireless and newer wifi drivers. From the help pages for the wifi driver "Properties related to E...
by tdw
Fri Dec 13, 2024 2:55 pm
Forum: General
Topic: OpenVPN Server + DHCP
Replies: 4
Views: 1164

Re: OpenVPN Server + DHCP

So i need to assign a remote-address in the ppp profile for the openvpn server, correct? But if i do this, the dhcp-server is still invalid. Yes. Creating a DHCP server is not necessary. I changed the interface from dhcp-server from "ovpn-in1" to "bridge" and now the dhcp-serv...
by tdw
Thu Dec 12, 2024 4:49 pm
Forum: General
Topic: OpenVPN Server + DHCP
Replies: 4
Views: 1164

Re: OpenVPN Server + DHCP

Most VPNs are IP / layer 3, not ethernet / layer 2 and have their own mechanisms for client IP address assignment, they do not use DHCP. If the IoT devices are using their own inbuilt OpenVPN client the address will be provided from the pool or explicit addresses in the server PPP profile or secrets...
by tdw
Wed Dec 11, 2024 7:25 pm
Forum: Beginner Basics
Topic: PVID
Replies: 10
Views: 1388

Re: PVID

"vlan 100 between all switches as its OSPF routing vlan 100 and in turn PVID 100 between ports" is confusing - is VLAN 100 tagged or untagged from Site A - CRS / CRS - CRS / CRS - Site B. The posted configuration currently expects VLAN 100 tagged so changing ports to have a PVID of 100 wou...
by tdw
Wed Dec 11, 2024 6:29 pm
Forum: Beginner Basics
Topic: PVID
Replies: 10
Views: 1388

Re: PVID

Currently the bridge is not set to be VLAN aware so all tagged or untagged packets will pass between any ports, management will use VLAN 100 tagged. What are you trying to achieve?
by tdw
Wed Dec 11, 2024 3:31 pm
Forum: General
Topic: Compatibility with Fast SFP Ports
Replies: 1
Views: 679

Re: Compatibility with Fast SFP Ports

No, it doesn't appear that model supports fast ethernet SFPs. See https://help.mikrotik.com/docs/spaces/R ... ansceivers
by tdw
Tue Dec 10, 2024 3:34 pm
Forum: Beginner Basics
Topic: PVID
Replies: 10
Views: 1388

Re: PVID

Likely you are mixing tagged and untagged on the bridge-to-CPU port, if you set pvid= on the bridge itself there should not be an /interface vlan attached to the bridge with the same VLAN ID. Post your configuration, otherwise it is just guesswork.
by tdw
Tue Dec 03, 2024 12:58 am
Forum: General
Topic: RADIUS ON PPP AND HOTSPOT
Replies: 1
Views: 588

Re: RADIUS ON PPP AND HOTSPOT

When creating the two RADIUS clients set service to direct requests to the desired server - hotspot for HotSpot authentication, or ppp for Point-to-Point client authentication (includes PPPoE)
by tdw
Tue Dec 03, 2024 12:51 am
Forum: General
Topic: RouterOS mac/user auth via RADIUS (ClearPass)
Replies: 5
Views: 2340

Re: RouterOS mac/user auth via RADIUS (ClearPass)

AFAIK Mikrotik have only implemented RFC 3580 (single untagged VLAN) dynamic VLAN assignment, to support 'untagged plus one or more tagged' would require RFC 4675 (multiple tagged/untagged VLAN) too.
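The per-service RADIUS client split from the HotSpot/PPP reply, the RFC 3580 attribute set from this reply, and the point made earlier in the thread list that MAC addresses are not authentication, as one added configuration example. It is not configuration from any of the threads; server addresses, secrets, the access port and the VLAN ID are placeholders:

```routeros
# Added example, not the threads' configuration: one RADIUS client entry
# per service so HotSpot, PPP and 802.1X requests reach the right server.
# Addresses, secrets and the interface name are placeholders.
/radius
add address=192.0.2.10 secret="replace-with-a-long-random-secret" \
    service=hotspot comment="HotSpot logins"
add address=192.0.2.11 secret="replace-with-a-long-random-secret" \
    service=ppp comment="PPPoE / L2TP / SSTP / OpenVPN (ppp) logins"
add address=192.0.2.12 secret="replace-with-a-long-random-secret" \
    service=dot1x comment="802.1X port authentication"

# Each local service must also be told to consult RADIUS.
/ppp aaa
set use-radius=yes
/ip hotspot profile
set [ find default=yes ] use-radius=yes

# 802.1X authenticator on an access port. mac-auth is only a fallback for
# devices with no supplicant: a MAC address is trivially spoofed and is
# not authentication, so whatever VLAN a mac-auth'd device lands in should
# be treated as untrusted.
/interface dot1x server
add interface=ether5 auth-types=dot1x,mac-auth reauth-timeout=1h \
    comment="access port: supplicant first, MAC fallback"

# Dynamic VLAN assignment: the RADIUS Access-Accept must carry the
# RFC 3580 attributes for a single untagged VLAN (per the reply above,
# RouterOS does not use the RFC 4675 multi-VLAN attributes):
#   Tunnel-Type             = VLAN (13)
#   Tunnel-Medium-Type      = IEEE-802 (6)
#   Tunnel-Private-Group-Id = "20"        (the VLAN ID, as a string)
# ether5 has to be a port of a VLAN-aware bridge, and VLAN 20 present in
# /interface bridge vlan, for the assignment to take effect.
# Check: /interface dot1x server active print
```

Using distinct servers (or at least distinct secrets) per service keeps a leaked HotSpot secret from being replayed against the 802.1X authenticator; the secret string itself should be long and random, not a word.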
by tdw
Thu Nov 28, 2024 10:50 pm
Forum: Scripting
Topic: PPP Secrets Disabled date comments
Replies: 6
Views: 897

Re: PPP Secrets Disabled date comments

Disabling the secret will only prevent new connections from authenticating, existing connections will remain connected.
by tdw
Mon Nov 25, 2024 3:51 pm
Forum: Beginner Basics
Topic: ARP table
Replies: 3
Views: 1216

Re: ARP table

I do have the mikrotik router acting as a dns server, basically a caching server. Why? If the Mikrotik is configured in bridge mode it is acting as a switch, I would expect all of the usual gateway functions (DHCP, DNS, firewall) to be handled by your WatchGuard device. If the Mikrotik is providing...
by tdw
Sun Nov 24, 2024 7:51 pm
Forum: Beginner Basics
Topic: ARP table
Replies: 3
Views: 1216

Re: ARP table

I'm not sure how the entries have appeared in the Mikrotik ARP table unless those devices have been attempting IP communications with it. The Mikrotik ARP modes are detailed in the manual https://help.mikrotik.com/docs/spaces/ROS/pages/100892687/ARP#ARP-ARPModes . There is no equivalent to the ARP-R...
by tdw
Sun Nov 24, 2024 5:37 pm
Forum: General
Topic: Setup Dual Stack L2TP Server
Replies: 1
Views: 446

Re: Setup Dual Stack L2TP Server

IPv6 gateways are usually a link local address, the client specifies both the link-local address and interface in its routing table - they should appear as link-local-address%interface
by tdw
Sun Nov 24, 2024 5:24 pm
Forum: Beginner Basics
Topic: ARP table
Replies: 3
Views: 1216

Re: ARP table

If the Mikrotik is operating as a layer 2 bridge the only ARP traffic destined to or from the Mikrotik will be for its management and the gateway addresses, typically you would have a single ARP table entry on the Mikrotik for the gateway. The gateway ARP table will contain entries for all of the cl...
by tdw
Sun Nov 24, 2024 5:17 pm
Forum: General
Topic: Access from OpenVPN to VLAN [SOLVED]
Replies: 3
Views: 750

Re: Access from OpenVPN to VLAN [SOLVED]

When using remote addresses for a VPN connection from a subnet which is attached to an ethernet-like interface (ethernet port, vlan, etc.) you have to enable proxy ARP otherwise local devices on that subnet cannot reach the VPN client. Firewall rules may then prevent traffic as although the addresse...
by tdw
Thu Nov 21, 2024 9:52 pm
Forum: General
Topic: Transition from PPPoE to DHCP
Replies: 1
Views: 460

Re: Transition from PPPoE to DHCP

Large L2 broadcast domains can be problematic, especially if you exceed the maximum forwarding table entries in switches across the network. Each VLAN should have a separate IP address range and gateway, otherwise it would need some likely bodgy combination of proxy ARP, VRFs and NAT. There should b...
by tdw
Wed Nov 20, 2024 2:16 pm
Forum: Beginner Basics
Topic: Trying to trunk between two switches [SOLVED]
Replies: 5
Views: 1462

Re: Trying to trunk between two switches [SOLVED]

Also, you only need to create /interface vlan entries for VLANs accessing IP services on the Mikrotik itself, for VLANs which are just passing between switch ports they are unnecessary.
by tdw
Wed Nov 20, 2024 1:44 pm
Forum: General
Topic: IPv6 Configuration RB4011
Replies: 30
Views: 2979

Re: IPv6 Configuration RB4011

With no firewall rules the Mikrotik will forward packets unless explicitly disabled. What does /ipv6 route print show? And is the ISP routing the additional prefix to the Mikrotik WAN address, or just presenting it on the WAN link? The latter requires the somewhat hacky ND proxy, which Mikrotik does...
by tdw
Tue Nov 19, 2024 9:32 pm
Forum: General
Topic: Allocating static IPs directly to PPPoE clients
Replies: 1
Views: 428

Re: Allocating static IPs directly to PPPoE clients

If you have been allocated P.P.P.160/28 why is the router .162/30? It should be /28, and enable proxy-arp for the public PPPoE clients to work. There is no /ppp profile named RCL-Admin referenced by the entries in /ppp secret , there is one named Admin . Not sure why you have local-address...
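Both proxy-ARP cases raised above (OpenVPN clients given addresses from a LAN subnet that lives on a VLAN, and PPPoE clients given addresses from a public block routed onto the router's upstream link) as one added example. None of this is the posters' configuration; the documentation-range addresses, interface, pool and profile names are assumptions:

```routeros
# Added example, not the posters' configuration. In both cases addresses
# handed to PPP clients belong to a subnet that sits on an ethernet-like
# interface, so the router has to answer ARP for them on that interface.

# Case 1: the ISP routes a public /28 onto the upstream link and PPPoE
# clients are given addresses from it. The router holds the first usable
# address with the full /28 mask (a /30 would leave .164-.174 unreachable)
# and proxy-ARPs for the clients on the upstream interface.
/ip address
add address=198.51.100.161/28 interface=ether1-upstream
/interface ethernet
set [ find name=ether1-upstream ] arp=proxy-arp
/ip pool
add name=pppoe-public ranges=198.51.100.162-198.51.100.174
/ppp profile
add name=pppoe-public local-address=198.51.100.161 remote-address=pppoe-public
/interface pppoe-server server
add service-name=isp default-profile=pppoe-public interface=ether2-access \
    disabled=no

# Case 2: OpenVPN clients get addresses from the LAN subnet on vlan10 so
# LAN hosts can reach them by address. Proxy ARP on vlan10 makes the router
# answer for the client addresses. The OpenVPN server is assumed to use the
# "ovpn" profile.
/ip pool
add name=ovpn-lan ranges=192.168.10.200-192.168.10.220
/ppp profile
add name=ovpn local-address=192.168.10.1 remote-address=ovpn-lan
/interface vlan
set [ find name=vlan10 ] arp=proxy-arp

# Proxy ARP only solves reachability at layer 2; the forward chain still
# sees vlan10 <-> ppp traffic as two interfaces even though the addresses
# share one subnet, so an explicit accept is needed ahead of any drop rule.
/ip firewall filter
add chain=forward in-interface=all-ppp out-interface=vlan10 action=accept \
    comment="VPN clients to LAN (move above the forward drop rules)"
add chain=forward in-interface=vlan10 out-interface=all-ppp action=accept \
    comment="LAN to VPN clients (move above the forward drop rules)"
# Check: /ip arp print where interface=vlan10 (published entries appear
# once a client connects)
```

Proxy ARP is enabled per interface, so a subnet that also appears on other interfaces (a second VLAN with the same range, for instance) will not be proxied there; keep the pool inside one interface's subnet.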
by tdw
Tue Nov 19, 2024 9:06 pm
Forum: General
Topic: IPv6 Configuration RB4011
Replies: 30
Views: 2979

Re: IPv6 Configuration RB4011

@tdw, as I mentioned in my initial post, my primary intention is to configure it statically. I’m simply assigning addresses to the ether4 and ether6 interfaces. Once I manage to achieve external access through the global address I defined for them, I’ll move on to configuring the devices behind tho...
by tdw
Sat Nov 16, 2024 1:39 pm
Forum: General
Topic: IPv6 Configuration RB4011
Replies: 30
Views: 2979

Re: IPv6 Configuration RB4011

There don't appear to be any active entries under /ipv6 nd so devices attached to ether4 or ether6 will not be sent router advertisements telling them what the network prefix or gateway address is.
by tdw
Thu Nov 14, 2024 7:29 pm
Forum: General
Topic: Can't include PPPoE link in bridge
Replies: 4
Views: 653

Re: Can't include PPPoE link in bridge

Terminate the ISP IPv6 connection on the Mikrotik, use the DHCPv6 client to receive a delegated prefix and the DHCPv6 server to serve some of this to the other router.
by tdw
Wed Nov 13, 2024 2:44 pm
Forum: General
Topic: Discovering rogue DHCP source WAN IP
Replies: 10
Views: 840

Re: Discovering rogue DHCP source WAN IP

Search for the errant MAC address in the bridge hosts table on the switches and radios in your network. You should really have DHCP snooping or bridge filters / switch ACLs to prevent rogue DHCP servers, otherwise genuine clients who are closer (in terms of round-trip time) to the problem client sit...
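The two preventive measures named in that reply, DHCP snooping and a bridge filter, plus the bridge host lookup for tracing the offender, as an added example. It is not configuration from the thread; the bridge name, the uplink port and the MAC address are assumptions (the MAC is a constructed placeholder):

```routeros
# Added example, not from the thread: stop rogue DHCP servers on a
# RouterOS switch. bridge1 and ether1 (the uplink towards the legitimate
# DHCP server) are assumptions.

# Option 1: DHCP snooping on the bridge. Server-side DHCP messages
# (OFFER/ACK/NAK) are only accepted from ports marked trusted; on every
# other port they are dropped before being flooded to clients.
/interface bridge
set [ find name=bridge1 ] dhcp-snooping=yes add-dhcp-option82=no
/interface bridge port
set [ find interface=ether1 ] trusted=yes

# Option 2 (for devices without snooping, or as a second layer): a bridge
# filter dropping DHCP server->client traffic entering on any port except
# the uplink. Bridge filters run on the CPU, not the switch chip, so they
# cost hardware offload on the affected traffic.
/interface bridge filter
add chain=forward in-interface=!ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=drop \
    comment="drop DHCP offers from non-uplink ports"
add chain=input in-interface=!ether1 mac-protocol=ip ip-protocol=udp \
    src-port=67 dst-port=68 action=drop \
    comment="protect the switch's own DHCP client as well"

# Tracing an errant server that is already on the network: the bridge host
# table shows which port learned its source MAC (placeholder MAC below).
/interface bridge host
print where mac-address=02:00:00:AA:BB:CC
# Repeat on the next switch along the path until the port is an edge port.
```

Snooping is the better primary control because it understands the DHCP exchange rather than just port numbers; the bridge filter is a blunt instrument that also silences a legitimate second server on a non-uplink port, which is the intended effect here.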
by tdw
Sun Nov 10, 2024 4:53 pm
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 66
Views: 9034

Re: Datasheet for new improved hEX?

The EN7562CT seems to be some internal code of Mikrotik as Google can only find it on Mikrotik pages I did find a teardown of a TP-Link router for the Chinese market which uses it https://www-acwifi-net.translate.goog/25800.html?_x_tr_sl=zh-CN&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=sc and in...
by tdw
Sat Nov 09, 2024 2:55 pm
Forum: SwOS
Topic: SNMPv3 Support
Replies: 5
Views: 3160

Re: SNMPv3 Support

SNMP v1 & v2c are not particularly secure, however as SwOS doesn't support writes the worst case is information disclosure. There are other issues with SwOS - the UI uses basic digest authentication, content is not encrypted, the password is stored as hex ASCII in the configuration file. Some mi...
by tdw
Sat Nov 09, 2024 2:37 pm
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 66
Views: 9034

Re: Datasheet for new improved hEX?

Just reran some tests. While traffic testing and pushing about 1Gbps (laptop to wAP AX , UDP, over Wifi) , cpu on Hex Refresh was 0 to 1%. All ports have H indicator except for ether1 (which is to be expected with the new HW config). I swapped the Refresh for the old Hex I have at my desk. I used e...
by tdw
Sat Nov 02, 2024 6:29 pm
Forum: General
Topic: IPv6 propagate address to clients behind router
Replies: 10
Views: 1288

Re: IPv6 propagate address to clients behind router

As IPv6 requires multicast any badly behaved or configured switches in between can prevent IPv6 from working, faulty implementations of DHCP or IGMP snooping are often the cause. So if you have switches between your router and end device(s) check if connecting a device directly to the router works as...
by tdw
Sat Nov 02, 2024 2:11 am
Forum: Beginner Basics
Topic: Stuck on device to vlan assignment principles
Replies: 10
Views: 1204

Re: Stuck on device to vlan assignment principles

TDW's route will lead to graying or loss of hair. This is the sort of scenario 802.1X was designed for. There may be wrinkles in the Mikrotik implementation, which would be addressed with more use and feedback, but with FreeRADIUS and HP switches 16 years ago it was fine. (Odd silvering appeared be...
by tdw
Sat Nov 02, 2024 1:58 am
Forum: Beginner Basics
Topic: Virtualized VLANs (for Proxmox) [SOLVED]
Replies: 12
Views: 6127

Re: Virtualized VLANs (for Proxmox) [SOLVED]

Setting pvid= is irrelevant with frame-types=admit-only-vlan-tagged as untagged packets are discarded.
by tdw
Fri Nov 01, 2024 11:53 pm
Forum: Beginner Basics
Topic: Stuck on device to vlan assignment principles
Replies: 10
Views: 1204

Re: Stuck on device to vlan assignment principles

It depends on the capabilities of the switch chip. Certainly the CRS1xx/2xx devices support MAC-based VLANs, the CRS3xx/CRS5xx devices do too but probably not in a suitable way for your use case. Dot1x would probably work, the port connected to the device at the couch would be set up to use your hom...
by tdw
Fri Nov 01, 2024 5:53 pm
Forum: General
Topic: Only providing default gateway if installed.
Replies: 3
Views: 416

Re: Only providing default gateway if installed.

I can't recall if not having a gateway= setting under /ip dhcp-server network omits a gateway being sent, certainly the Mikrotik will make up DNS servers if there is no entry unless the No DNS option is set. If it does there seems little point in changing it with a script based on external gateway r...
by tdw
Mon Oct 28, 2024 4:21 pm
Forum: Beginner Basics
Topic: Unable to route via VLANs
Replies: 16
Views: 1757

Re: Unable to route via VLANs

I've read through the link, and from the best of my understanding, I have VLAN 1 set as tagged on the CPU-facing bridge port? Or am I completely missing something? Yes, however /interface bridge add name=LAN-bridge includes default settings of pvid=1 and frame-types=admit-all which presents VLAN 1 ...
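A single VLAN-aware bridge that avoids the VLAN 1 pitfalls discussed in this thread and the PVID, "Managed Dell switch" and "bridge port pvid vs untagged" threads above (default pvid=1 and frame-types=admit-all on the bridge's CPU port, untagged lists derived from PVID, no /interface vlan for VLANs that only transit the switch, no pvid on the bridge for a VLAN that also has an /interface vlan), written out as an added example. It is not configuration from any of the threads; port names, VLAN IDs and addresses are assumptions:

```routeros
# Added example, not a poster's configuration: one VLAN-aware bridge with
# tagged management and no reliance on VLAN 1. Names, IDs and addresses
# are assumptions. Apply in Safe Mode: turning on vlan-filtering with the
# management VLAN wrong locks you out.
/interface bridge
add name=bridge1 vlan-filtering=no \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    comment="CPU port tagged-only, so VLAN 1 untagged is never exposed"

/interface bridge port
# trunk: tagged only; pvid is irrelevant because untagged frames are dropped
add bridge=bridge1 interface=ether1 \
    frame-types=admit-only-vlan-tagged ingress-filtering=yes
# access ports: untagged frames take the PVID, tagged frames are rejected
add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# VLAN table. The untagged= entries for ether2/ether3 are added dynamically
# from their pvid. bridge1 in tagged= is the CPU port and is only needed for
# VLANs that terminate on this device (here only management).
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=99 comment="management"
add bridge=bridge1 tagged=ether1 vlan-ids=10 comment="transit only"
add bridge=bridge1 tagged=ether1 vlan-ids=20 comment="transit only"

# Only the VLAN that needs IP services on this switch gets an /interface
# vlan. Do not also set pvid=99 on bridge1: that would present VLAN 99
# both untagged and tagged on the CPU port.
/interface vlan
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/ip address
add address=10.99.0.2/24 interface=vlan99-mgmt
/ip route
add dst-address=0.0.0.0/0 gateway=10.99.0.1

# Last step, after /interface bridge vlan print shows ether1 and bridge1
# as tagged members of 99 (dynamic entries are marked D):
/interface bridge
set bridge1 vlan-filtering=yes
```

With frame-types=admit-only-vlan-tagged on the bridge itself, the hidden VLAN 1 untagged membership of the CPU port disappears, which is the misconfiguration the linked help page warns about; management is reachable only via tagged VLAN 99 on the trunk.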
by tdw
Sun Oct 27, 2024 11:49 pm
Forum: Beginner Basics
Topic: Client isolation with hardware offloading
Replies: 4
Views: 848

Re: Client isolation with hardware offloading

As @mkx states it is unlikely to work nicely. As the ethernet ports presented in the UI are logically multiplexed over a single connection between the switch chip and CPU, using proprietary vendor headers added to the packets, there can be undocumented interactions between software features and prog...
by tdw
Sun Oct 27, 2024 9:46 pm
Forum: General
Topic: "radar detected" But No Recovery - Am I Doing Something Stupid?
Replies: 7
Views: 696

Re: "radar detected" But No Recovery - Am I Doing Something Stupid?

shouldn't it then "retry" them after 1 minute like it says it will? Bug notwithstanding there are various DFS timers: Channel availability check (CAC) where the radio listens before selecting a channel for use, this is 1 minute except where any of the channel overlaps with 5600-5650MHz in...
by tdw
Sun Oct 27, 2024 9:36 pm
Forum: General
Topic: "radar detected" But No Recovery - Am I Doing Something Stupid?
Replies: 7
Views: 696

Re: "radar detected" But No Recovery - Am I Doing Something Stupid?

Because the channels you restricted it to use are only DFS ?
All UK & Europe outdoor fixed wireless channels require DFS
by tdw
Sun Oct 27, 2024 7:58 pm
Forum: Beginner Basics
Topic: Fronius inverter can't access cloud services [SOLVED]
Replies: 14
Views: 2114

Re: Fronius inverter can't access cloud services [SOLVED]

The upnp and nat-pmp settings are unnecessary if the local device is originating the connections. In any case for setups where you do not have a public IP on the client router only PCP works and requires support in the providers AFTR (DS-Lite) or CGNAT (IPv4 only) gateway. With DS-Lite there should ...
by tdw
Sun Oct 27, 2024 1:52 pm
Forum: General
Topic: IPv6 DHCPv6 Issues on MikroTik L009
Replies: 6
Views: 1858

Re: IPv6 DHCPv6 Issues on MikroTik L009

There is no sign of any /ipv6 address or /ipv6 dhcp-client in the export yet you have DHCPv6 logging data
by tdw
Sat Oct 26, 2024 4:36 pm
Forum: Beginner Basics
Topic: Fronius inverter can't access cloud services [SOLVED]
Replies: 14
Views: 2114

Re: Fronius inverter can't access cloud services [SOLVED]

With the default configuration anything initiated from a LAN device has access to the internet - you don't have to add anything, so what are you trying to achieve with these additional rules?
by tdw
Sat Oct 26, 2024 4:29 pm
Forum: General
Topic: IPv6 DHCPv6 Issues on MikroTik L009
Replies: 6
Views: 1858

Re: IPv6 DHCPv6 Issues on MikroTik L009

Having a link local address for the default gateway is normal. Provide all of your IPv6 configuration, not just part of it - commonly the DHCP client settings should not add a default route and only request a prefix, not an address, also there should be no /ipv6 nd entry for the interface providing ...
by tdw
Sat Oct 26, 2024 2:24 pm
Forum: RouterBOARD hardware
Topic: Single Pair Ethernet (SPE) on Mikrotik??
Replies: 5
Views: 2805

Re: Single Pair Ethernet (SPE) on Mikrotik??

Think about re-using legacy 2-wire cabling in your house. It is unlikely to be of good enough quality. 100BASE-T1 requires a pair with specifications similar to Cat5e and 1000BASE-T1 similar to Cat6A, both have a reach of 15m being primarily targeted for automotive use. 10BASE-T1L has a reach of 1k...
by tdw
Fri Oct 25, 2024 8:31 pm
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 66
Views: 9034

Re: Datasheet for new improved hEX?

The SoC appears to be from Airoha, and being a subsidiary of MediaTek I doubt there will be any useful information on the open web. From the block diagram the switch chip is only connected to four of the five ports so it can't be used as a wire-speed 5-port switch, unlike all of the previous 5-port ...
by tdw
Fri Oct 25, 2024 7:16 pm
Forum: General
Topic: CCR2116+ROS7.16b4 - Crazy arp on tagged interfaces [SOLVED]
Replies: 7
Views: 1447

Re: CCR2116+ROS7.16b4 - Crazy arp on tagged interfaces [SOLVED]

CCR2116: Port 13 has 2 VLAN interfaces, each VLAN interface assigned to separate bridge, an IP address assigned to each bridge. Two bridges, two subnets. There are many pitfalls with this approach https://help.mikrotik.com/docs/spaces/ROS/pages/19136718/Layer2+misconfiguration , use a single VLAN-a...
by tdw
Tue Oct 22, 2024 3:04 am
Forum: General
Topic: UPS monitor voltage script
Replies: 10
Views: 744

Re: UPS monitor voltage script

It isn't a property. As an aside I'm not sure why load appears in both properties and monitor values, logically it would only be in the latter with the other measured data. To display from the command line :put ([/system/ups/monitor 0 once as-value]->"line-voltage") If you wish to access m...
by tdw
Mon Oct 21, 2024 2:11 pm
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 66
Views: 9034

Re: Datasheet for new improved hEX?

Another very sad thing about the new device: it has passive PoE-in with input voltage range of 12V-28V. MT really should move to 802.3 PoE-in ... Reducing the range (the current hEX and many older products support 8-30V) makes it useless for sites with 12V float-charged lead-acid batteries which va...
by tdw
Thu Oct 17, 2024 4:48 pm
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 16
Views: 2426

Re: IPv6 distribution within the LAN [SOLVED]

At the end of the day it's down to personal preference, as switches and APs are not doing any routing I prefer disabling that functionality with /ip settings set ip-forward=no and /ipv6 settings set forward=no . With the IPv6 change the device becomes a host rather than a router - these roles have ...
by tdw
Wed Oct 16, 2024 9:31 pm
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 16
Views: 2426

Re: IPv6 distribution within the LAN [SOLVED]

/ipv6 nd set [ find default=yes ] disabled=yes Can I take from that advice that you believe the ND implementation in RouterOS is useful only for the device that owns the IPv6 prefix, as opposed to clients? That is, that RouterOS doesn't know how to acquire IPv6 addresses via NDP itself? Rather it h...
by tdw
Wed Oct 16, 2024 6:44 pm
Forum: General
Topic: IPv6 distribution within the LAN [SOLVED]
Replies: 16
Views: 2426

Re: IPv6 distribution within the LAN [SOLVED]

Some bridge settings broke multicast until very recent versions of 7.x which prevented IPv6 from working properly The /ipv6 nd settings cover parameters for both hosts and routers, you should not be advertising anything on the switch as it is a host device not a router. My settings for a device runn...
by tdw
Wed Oct 16, 2024 4:23 pm
Forum: General
Topic: Is it possible to assign an individual port to a vlan that is bridged
Replies: 4
Views: 506

Re: Is it possible to assign an individual port to a vlan that is bridged

A port can only be a member of a single bridge. The default behaviour of a bridge is to act in the same manner as an unmanaged switch - it learns MAC addresses and forwards packets with any ethertype including untagged IP or tagged VLAN. To change the behaviour so differing VLANs can be passed throu...
by tdw
Tue Oct 15, 2024 3:56 pm
Forum: General
Topic: OSPF gateway when you have a local gateway
Replies: 5
Views: 563

Re: OSPF gateway when you have a local gateway

By default OSPF instances will use the main routing table, you can specify a VRF to be used instead.

Otherwise you may be able to use protocol property in your existing filter to determine the source, there are also rtab and vrf properties for routing table and VRF names.
by tdw
Fri Oct 11, 2024 2:10 am
Forum: General
Topic: MAC telnet issues with PVID (vlan-filtering)
Replies: 2
Views: 343

Re: MAC telnet issues with PVID (vlan-filtering)

Local services have no access to VLAN 10 with that configuration - add the bridge as a tagged member of the VLAN under /interface bridge vlan and create an interface vlan attached to the bridge.
by tdw
Wed Oct 09, 2024 5:13 pm
Forum: Beginner Basics
Topic: IPv6 ULA DHCP Issue
Replies: 4
Views: 719

Re: IPv6 ULA DHCP Issue

The DHCPv6 server cannot be used to assign individual client addresses https://help.mikrotik.com/docs/display/ ... CPv6Server
by tdw
Sun Oct 06, 2024 2:51 pm
Forum: Beginner Basics
Topic: VLAN on Wifi - Have Unifi AP w no Cloud Key - will it work ? [SOLVED]
Replies: 7
Views: 2091

Re: VLAN on Wifi - Have Unifi AP w no Cloud Key - will it work ? [SOLVED]

None of the UniFi controllers do, Ubiquiti reserve VLAN ID 1 within their switches and access points for untagged traffic. You can untag any VLAN you wish on the Mikrotik hybrid port (e.g. VLAN 10 in Anav's example), being untagged on the wire any use of a VLAN ID within a particular device is irrel...
by tdw
Thu Oct 03, 2024 10:05 pm
Forum: General
Topic: Hotspot with automatic SSO Active DIrectory authentication [SOLVED]
Replies: 3
Views: 655

Re: Hotspot with automatic SSO Active DIrectory authentication [SOLVED]

You would still get a web browser window opening when the captive portal is detected, it may be possible to configure the browser to provide SSO credentials at this point. For deployments with many users it is more common to use WPA2-Enterprise for WiFi and 802.1X for wired connections - there is no...
by tdw
Mon Sep 23, 2024 8:03 pm
Forum: General
Topic: IPv6 DHCP Server not creating bindings for new clients [SOLVED]
Replies: 2
Views: 1262

Re: IPv6 DHCP Server not creating bindings for new clients [SOLVED]

The Mikrotik DHCPv6 server only provides prefix delegation not client addresses, see https://help.mikrotik.com/docs/display/ ... -Summary.3.

If your clients do not support or you do not wish to use SLAAC you will have to set up a third-party DHCPv6 server
by tdw
Mon Sep 23, 2024 5:48 pm
Forum: Beginner Basics
Topic: mikrotik as DHCP server with external DHCP Relay [SOLVED]
Replies: 3
Views: 1055

Re: mikrotik as DHCP server with external DHCP Relay [SOLVED]

The OP is using a layer 3 switch to provide the routing for their VLANs, not the Mikrotik. I have not tried it, but from the documentation all of the DHCP servers should use the same interface= setting (the OPs bridge in this case) and also specify the Relay Agent IP with relay= for the correspondin...
by tdw
Mon Sep 23, 2024 1:44 pm
Forum: Beginner Basics
Topic: hEX / ROS 7.13.5: IPv6 Routing issue - inter-network and LAN/WAN routing not working [SOLVED]
Replies: 17
Views: 3401

Re: hEX / ROS 7.13.5: IPv6 Routing issue - inter-network and LAN/WAN routing not working [SOLVED]

I was just about to post suggesting setting add-default-route=no to the DHCPv6 client so the PPPoE default route is used. What are the /routing rule entries for? I've made posts previously regarding DS-Lite setup. These used AFTR provided by DNS, they would need some modification to use the DHCPv6 o...
by tdw
Sun Sep 22, 2024 7:42 pm
Forum: Beginner Basics
Topic: hEX / ROS 7.13.5: IPv6 Routing issue - inter-network and LAN/WAN routing not working [SOLVED]
Replies: 17
Views: 3401

Re: hEX / ROS 7.13.5: IPv6 Routing issue - inter-network and LAN/WAN routing not working [SOLVED]

Providing the print output from a random set of sections isn't particularly helpful, post the output of /export in a code block (the [] icon above the message box when composing a message) after redacting serial number and any other identifying information. The usual errors with setting up IPv6 is n...
by tdw
Thu Sep 19, 2024 2:27 pm
Forum: Beginner Basics
Topic: Allow full-bridge PPPoE modem access to internet?
Replies: 5
Views: 1139

Re: Allow full-bridge PPPoE modem access to internet?

Given the addresses posted previously you have set the NTP client on the modem to use 192.168.0.1?
by tdw
Sun Sep 15, 2024 3:53 pm
Forum: Beginner Basics
Topic: Allow full-bridge PPPoE modem access to internet?
Replies: 5
Views: 1139

Re: Allow full-bridge PPPoE modem access to internet?

Certainly in the current firmware (v5.2.5) you cannot set a default route - under Configuration > Routing when adding a new route only subnet masks of /8 to /32 are supported, so unless you know the specific address range of an external NTP server, and that it will not change, using the Mikrotik is a b...
by tdw
Sat Sep 14, 2024 8:40 pm
Forum: Beginner Basics
Topic: Allow full-bridge PPPoE modem access to internet?
Replies: 5
Views: 1139

Re: Allow full-bridge PPPoE modem access to internet?

The Vigor has no routes other than 192.168.0.0/24 so cannot communicate with anything other than the directly connected Mikrotik. I normally enable the NTP server on the Mikrotik, specify its address (192.168.0.1 in this case) on the modem, and add a firewall rule to allow UDP port 123 input from th...
by tdw
Mon Sep 09, 2024 2:08 pm
Forum: General
Topic: RSTP on SWOS [SOLVED]
Replies: 2
Views: 1286

Re: RSTP on SWOS [SOLVED]

Yes, the election process will be the same as described for RouterOS https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol#SpanningTreeProtocol-Electionprocess as this is defined by the protocol. There doesn't appear to be a mechanism to manually adjust the port path cost in SwOS, it is ...
by tdw
Sat Sep 07, 2024 7:02 pm
Forum: General
Topic: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface
Replies: 6
Views: 772

Re: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface

An interface cannot be both tagged and untagged for egress with the same VLAN ID
by tdw
Fri Aug 30, 2024 9:43 pm
Forum: General
Topic: PPTP 2FA with Google Auth [SOLVED]
Replies: 3
Views: 1991

Re: PPTP 2FA with Google Auth [SOLVED]

No. The RADIUS servers enabled for a particular service are tried in order specified. The later ones are only used if there is no response, an accept or reject response terminates the request. If the first two servers are only for the login service you could remove the ppp service from those, the th...
by tdw
Fri Aug 30, 2024 9:29 pm
Forum: Beginner Basics
Topic: Help creating a basic static route
Replies: 0
Views: 895

Re: Help creating a basic static route

A route gateway is usually an IP address through which the target addresses are reachable, an interface name is normally only used on point-to-point links with /32 addresses. So in your case it would be 192.168.0.x where this is the address of the router which is also connected to the 192.168.122.0/...
by tdw
Mon Aug 26, 2024 9:02 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 3465

Re: IPv6 routing using VLANs [SOLVED]

According to the description in the OP, folks at the ISP use the method mentioned in par. 4.1.4 of the RIPE document, i.e. they sacrifice a single /64 from the /48 they gave you as a link subnet. I still suspect on their side of the link they are doing the equivalent of /ipv6 address add address=20...
by tdw
Sun Aug 25, 2024 1:09 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 3465

Re: IPv6 routing using VLANs [SOLVED]

Out of interest how is the provider supplying the /48? If they are just presenting a /48 directly rather than routing it via a transit subnet they are one of the providers who really don't know what they are doing with IPv6 - see https://www.ripe.net/publications/docs/ripe-690/ section 4.1 for discu...
by tdw
Fri Aug 23, 2024 1:16 pm
Forum: General
Topic: How to define untagged (or default/native VLAN) of an Ethernet interface?
Replies: 4
Views: 664

Re: How to define untagged (or default/native VLAN) of an Ethernet interface?

Ethernet-like interfaces are transparent to VLANs, it is just another ethertype. Adding an IP address to an interface handles IP and ARP ethertypes for IPoE, these are untagged on the wire. The /interface vlan entries are wrappers which add a VLAN ID for packets being sent to the parent interface, a...
by tdw
Fri Aug 23, 2024 12:19 am
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3541

Re: 3rd party system installed, can't connect to any devices on the router.

Also, you didn’t mention the role of the 10.0.0.1 gateway in all this. It could be a crucial piece of information especially if it’s a router connecting the two networks. I'm not sure what that address would be, I went up and looked over all the equipment. There's no additional routers, switches, w...
by tdw
Sun Aug 18, 2024 7:02 pm
Forum: Beginner Basics
Topic: Problems connecting to ISPs PPPoE
Replies: 10
Views: 1961

Re: Problems connecting to ISPs PPPoE

If you add a logging topic of ppp, debug and post the redacted (e.g. username) results that may show something up.
by tdw
Sun Aug 18, 2024 2:41 pm
Forum: Beginner Basics
Topic: Problems connecting to ISPs PPPoE
Replies: 10
Views: 1961

Re: Problems connecting to ISPs PPPoE

Have you tried connecting both with and without encryption? If one end requires encryption and the other does not support it the connection setup will fail, I would expect the connection not to require encryption as MPPE has not been secure for years and would be unnecessary overhead for the ISP con...
by tdw
Sun Aug 18, 2024 1:40 pm
Forum: SwOS
Topic: SNMPv3 Support
Replies: 5
Views: 3160

Re: SNMPv3 Support

From the documentation: SwOS supports SNMP v1 and v2c (the Response for GetRequest, GetNextRequest and GetBulkRequest) and uses IF-MIB, SNMPv2-MIB, BRIDGE-MIB and MIKROTIK-MIB (only for health, PoE-out and SFP diagnostics). SNMP traps and writing SwOS configuration are not supported. Available SNMP ...
by tdw
Sat Aug 17, 2024 1:02 pm
Forum: General
Topic: IPv6 WAN to LAN block rule stops traffic. [SOLVED]
Replies: 3
Views: 2573

Re: IPv6 WAN to LAN block rule stops traffic. [SOLVED]

Rules are evaluated in strict order, if you drop any packets arriving from an interface in the WAN list destined for an interface in the LAN list before other rules then bidirectional communication will always fail. With the not working example replies to connections initiated from LAN devices will ...
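The ordering problem described in the post above, modelled as an added example (my code, not part of tdw's post or of RouterOS): a tiny forward chain where rules are tried strictly in order and connection tracking is a set of already accepted flows. The interface names (ether1 as WAN, bridge as LAN) and the IPv6 addresses are constructed for the example. The "broken" rule list drops WAN-to-LAN before the established/related accept and so kills the reply to a LAN-initiated connection; the corrected list accepts established/related first and drops only new connections arriving from WAN.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Interface lists as matched by in-interface-list / out-interface-list.
# Assumed names for this example: ether1 is the WAN port, "bridge" is the LAN.
IF_LIST = {"WAN": {"ether1"}, "LAN": {"bridge"}}


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                  # "accept" or "drop"
    in_list: Optional[str] = None                # in-interface-list=
    out_list: Optional[str] = None               # out-interface-list=
    conn_state: Optional[FrozenSet[str]] = None  # connection-state=


class ForwardChain:
    """Model of the forward chain: rules are tried in order and the first match decides.
    Connection tracking is simplified to the set of flows already accepted, either direction."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        self.flows = set()

    def _conn_state(self, p: Packet) -> str:
        fwd = (p.src, p.dst, p.sport, p.dport)
        rev = (p.dst, p.src, p.dport, p.sport)
        return "established" if fwd in self.flows or rev in self.flows else "new"

    def forward(self, p: Packet) -> str:
        state = self._conn_state(p)
        verdict = "accept"  # the chain's default when nothing matches
        for r in self.rules:
            if r.in_list is not None and p.in_if not in IF_LIST[r.in_list]:
                continue
            if r.out_list is not None and p.out_if not in IF_LIST[r.out_list]:
                continue
            if r.conn_state is not None and state not in r.conn_state:
                continue
            verdict = r.action
            break
        if verdict == "accept":
            self.flows.add((p.src, p.dst, p.sport, p.dport))
        return verdict


ESTABLISHED = frozenset({"established", "related"})

# The "not working" order: the WAN->LAN drop sits in front of the established/related accept.
BROKEN_ORDER = [
    Rule("drop", in_list="WAN", out_list="LAN"),
    Rule("accept", conn_state=ESTABLISHED),
]

# The working order: accept replies first, then drop only new connections coming from WAN.
CORRECT_ORDER = [
    Rule("accept", conn_state=ESTABLISHED),
    Rule("drop", in_list="WAN", out_list="LAN", conn_state=frozenset({"new"})),
]

# Constructed sample traffic: a LAN host opens a TCP connection outwards, the reply comes
# back in through the WAN port, and an unrelated host on the WAN side tries to reach SSH.
OUTBOUND = Packet("bridge", "ether1", "2001:db8:1::10", "2001:db8:ffff::1", 51234, 443)
REPLY = Packet("ether1", "bridge", "2001:db8:ffff::1", "2001:db8:1::10", 443, 51234)
UNSOLICITED = Packet("ether1", "bridge", "2001:db8:ffff::2", "2001:db8:1::10", 40000, 22)


def run_scenario(rules: List[Rule]) -> Tuple[str, str, str]:
    """Verdicts for (outbound SYN, its reply, an unsolicited inbound SYN)."""
    fw = ForwardChain(rules)
    return fw.forward(OUTBOUND), fw.forward(REPLY), fw.forward(UNSOLICITED)


if __name__ == "__main__":
    print("broken order :", run_scenario(BROKEN_ORDER))
    print("correct order:", run_scenario(CORRECT_ORDER))
```

Both orders drop the unsolicited inbound connection; only the corrected order lets the reply to the LAN-initiated connection through.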
by tdw
Fri Aug 16, 2024 11:54 pm
Forum: Beginner Basics
Topic: VLAN on Wifi - Have Unifi AP w no Cloud Key - will it work ? [SOLVED]
Replies: 7
Views: 2091

Re: VLAN on Wifi - Have Unifi AP w no Cloud Key - will it work ?

As @erlinden stated you need a UniFi controller to configure their APs as the standalone app only provides limited functionality. The controller is available as an appliance, baked into a number of their gateway products but also still as a software installation for Linux, Mac and Windows.
by tdw
Thu Aug 15, 2024 8:16 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3541

Re: 3rd party system installed, can't connect to any devices on the router.

It may not be connected directly but there is an external connection "we can access their Siemens HMI's through their 3rd party website". I certainly wouldn't suggest jumping straight to v7, however v6 long-term and cleaning up whatever cruft has accumulated in the config would be a good s...
by tdw
Thu Aug 15, 2024 7:44 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3541

Re: 3rd party system installed, can't connect to any devices on the router.

From the first post the Mikrotik is running v6.38.1 which was released seven years ago and has numerous vulnerabilities including remote authentication bypass. Hopefully it is not directly exposed to the internet otherwise it will have been compromised, even so it would make a great jumping off point...
by tdw
Wed Aug 14, 2024 6:36 pm
Forum: General
Topic: Ethernet based DHCP static lease on RouterOS
Replies: 3
Views: 1035

Re: Ethernet based DHCP static lease on RouterOS

As mentioned the Mikrotik DHCP server does not support matching agent circuit ID information in DHCP requests so you would need to run a DHCP server elsewhere and configure that to return fixed addresses for the specific ethernet ports, or from a pool otherwise. If there are multiple routes for the ...
by tdw
Wed Aug 14, 2024 4:50 pm
Forum: General
Topic: Ethernet based DHCP static lease on RouterOS
Replies: 3
Views: 1035

Re: Ethernet based DHCP static lease on RouterOS

There is not an easy way to allocate an address based on physical port rather than MAC or Client ID - whilst Mikrotik can include Option 82 for ports in a bridge the DHCP server has no mechanism to use the Agent Circuit ID. For your setup with additional small subnets then adding static routes on th...
by tdw
Tue Aug 13, 2024 11:13 pm
Forum: Scripting
Topic: How to represent exponentiation in Mikrotik script?
Replies: 4
Views: 1108

Re: How to represent exponentiation in Mikrotik script?

The specific case of 2^x can be implemented as a bitwise shift: 1 << x
by tdw
Tue Aug 13, 2024 12:45 pm
Forum: General
Topic: How can I access remotely MT behind a modem?
Replies: 13
Views: 1046

Re: How can I access remotely MT behind a modem?

The source port is picked by the remote client initiating the connection, typically anything greater than 1023 but not fixed.
by tdw
Tue Aug 13, 2024 3:28 am
Forum: Beginner Basics
Topic: 2VLANs + L2/L3 setup
Replies: 8
Views: 1888

Re: 2VLANs + L2/L3 setup

The bridge-to-CPU port settings are incorrect - you are trying to use it simultaneously untagged, by /interface bridge having pvid=200 , and tagged, by having an /interface vlan attached to the bridge with vlan-id=200 . It is also missing from the /interface bridge vlan entries. Furthermore none of...
by tdw
Sun Aug 11, 2024 3:41 pm
Forum: Beginner Basics
Topic: CAPsMAN through Switch under VLAN [SOLVED]
Replies: 15
Views: 4729

Re: CAPsMAN through Switch under VLAN [SOLVED]

If the cAP ax is working as expected when connected directly to the router (as per OP's first image), but not when connected via the switch (per second image) the most likely cause is a misconfiguration of the switch, although it isn't clear which VLAN the cAP management connection is using - 10, 99...
by tdw
Fri Aug 09, 2024 1:20 am
Forum: General
Topic: vlan and bridge and trunk question [SOLVED]
Replies: 11
Views: 5764

Re: vlan and bridge and trunk question [SOLVED]

An /interface vlan object merely inserts the specified VLAN tag for packets on ingress and removes them on egress. When configuring a Mikrotik device as a switch you may have various untagged and tagged VLANs configured on several ports, but only a single VLAN configured to transit the bridge-to-CPU ...
by tdw
Thu Aug 08, 2024 6:00 pm
Forum: General
Topic: PPPoE Interface Not Running [SOLVED]
Replies: 2
Views: 4397

Re: PPPoE Interface Not Running [SOLVED]

What messages are there for the PPPoE client interface in the log?
by tdw
Thu Aug 08, 2024 5:56 pm
Forum: General
Topic: vlan and bridge and trunk question [SOLVED]
Replies: 11
Views: 5764

Re: vlan and bridge and trunk question [SOLVED]

No, 11:7 is VLAN ID 11 with priority 7.

You are missing the bridge-to-CPU interface in the bridge VLAN membership:
/interface bridge vlan
add bridge=newBridge tagged=newBridge,bonding1 vlan-ids=10
add bridge=newBridge tagged=newBridge,bonding1 vlan-ids=11
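Two of tdw's posts above make the same underlying point: a VLAN is just another ethertype (0x8100) wrapped around the original frame, and RouterOS's "11:7" spelling is VLAN ID 11 with priority 7. The following is an added example of my own, not code from either post or from RouterOS: it builds an untagged frame, inserts and strips an 802.1Q tag the way an /interface vlan wrapper does on egress and ingress, and decodes the TCI into its PCP, DEI and VID fields. The MAC addresses and payload are constructed for the example.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag (C-TAG)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) ethertype(2) payload. This is what an
    IP address configured directly on an ethernet interface sends and receives."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag after the source MAC, as an /interface vlan wrapper does on
    egress. TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits); the original ethertype and
    payload are pushed 4 bytes further into the frame, untouched."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("invalid 802.1Q tag fields")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", ETHERTYPE_VLAN, tci) + frame[12:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the 802.1Q tag if present (what the wrapper does on ingress)."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_VLAN:
        return frame
    return frame[:12] + frame[16:]


def parse_frame(frame: bytes) -> dict:
    """Return MACs, tag fields (None when untagged), the inner ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "vid": None, "pcp": None, "dei": None}
    ethertype, = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        tci, = struct.unpack("!H", frame[14:16])
        info["pcp"], info["dei"], info["vid"] = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
        ethertype, = struct.unpack("!H", frame[16:18])
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def routeros_vlan_spec(spec: str) -> tuple:
    """RouterOS writes 'vid:priority' in places, so '11:7' is VLAN ID 11 with priority 7."""
    vid, _, prio = spec.partition(":")
    return int(vid), (int(prio) if prio else 0)


if __name__ == "__main__":
    arp = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_ARP, b"\x00\x01\x08\x00")
    vid, prio = routeros_vlan_spec("11:7")
    tagged = tag_frame(arp, vid, prio)
    print(parse_frame(tagged))
    print(untag_frame(tagged) == arp)
```

Note that nothing in the tagged frame is authenticated: any host on a trunk can emit a frame with whatever VID and priority it likes, which is why the bridge VLAN table and frame-types=admit-only-vlan-tagged on access ports matter.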
by tdw
Wed Aug 07, 2024 8:22 pm
Forum: General
Topic: Ping IPV4 address with IPv6 WAN
Replies: 1
Views: 548

Re: Ping IPV4 address with IPv6 WAN

Providers initially offered IPv6+IPv4 dual stack, it is becoming more common for them to only implement IPv6 and use one of the many tunneling mechanisms for IPv4 - see https://www.rfc-editor.org/rfc/rfc9313.html for information on the most prominent ones. It is possible to configure DS-Lite on Mikr...
by tdw
Tue Aug 06, 2024 4:52 pm
Forum: Beginner Basics
Topic: tagged and untagged in one vlan table
Replies: 10
Views: 1175

Re: tagged and untagged in one vlan table

There are many pitfalls using multiple bridges, so best avoided. Do you need a bridge? If your network is only connected to a single port you can simply add a vlan interface to that port: /interface vlan add interface=ether1 name=vlan10 vlan-id=10 then add different subnets to the two networks ( eth...
by tdw
Sun Aug 04, 2024 3:43 pm
Forum: Beginner Basics
Topic: [SOLVED] Issue with Setting Up Tagged VLAN on bridge
Replies: 20
Views: 1977

Re: [SOLVED] Issue with Setting Up Tagged VLAN on bridge

You are attempting to use the bridge-to-CPU interface both untagged (by setting pvid=1500 under /interface bridge ) and tagged (by having an /interface vlan with vlan-ids=1500 ) which leads to all sorts of unexpected behaviour. Also setting the PVID under /interface bridge port makes no sense with f...
by tdw
Fri Aug 02, 2024 6:25 pm
Forum: RouterBOARD hardware
Topic: How to intentionally make cable that will negotiate at 10 mbps?
Replies: 16
Views: 3175

Re: How to intentionally make cable that will negotiate at 10 mbps?

Degrading the cabling will never guarantee that the link will operate at 10Mbps. The endpoints transmit their capabilities in the regular fast link pulses and pick the best available speed and duplex option both are capable of, see https://en.wikipedia.org/wiki/Autonegotiation . Depending on the eth...
by tdw
Wed Jul 31, 2024 8:58 pm
Forum: General
Topic: Change from NAT to PPPoE?
Replies: 4
Views: 1560

Re: Change from NAT to PPPoE?

The BT Digital Voice offering is a closed system, you have to use the SH2. There was a thread on the thinkbroadband forum https://forums.thinkbroadband.com/fibre/t/4670157-re-bt-fttp-with-digital-voice-alternative-to-smart-hub-2.html where someone managed to detect and spoof enough information for t...
by tdw
Mon Jul 29, 2024 10:32 pm
Forum: General
Topic: CCR2216 and CCR2116 vlans and bridges..
Replies: 3
Views: 856

Re: CCR2216 and CCR2116 vlans and bridges..

where did pvid=1 come from.. and which is what I think would be the 'native vlan' setting.. and should be changed to 666.. VLAN 1 is the default PVID as you have not specified anything different. /interface bridge port add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1...
by tdw
Mon Jul 29, 2024 2:10 pm
Forum: Scripting
Topic: /tool fetch problem
Replies: 2
Views: 1089

Re: /tool fetch problem

A Mikrotik array is not JSON. Either use the :serialize function in newer versions of RouterOS v7, or construct a data variable containing valid JSON. For example:
:local jsondata "{\"mac\":\"aa:bb:cc:dd:ee:ff\",\"ip\":\"192.168.100.80\"}"
by tdw
Mon Jul 22, 2024 10:48 pm
Forum: General
Topic: IPv6 only working within LAN
Replies: 2
Views: 713

Re: IPv6 only working within LAN

The requested pool should only hand out /64s, not the entire /62. The assigned address should not use the all-zeros host address as this is reserved for 'all routers in subnet' - either use an explicit non-zero address, or alternatively eui-64=yes to generate the host address from the interface MAC ...
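The two rules in the post above, carving /64s out of the delegated prefix and never using the all-zeros interface identifier, as an added example in Python (mine, not from the post or from RouterOS). It derives a modified EUI-64 identifier from a MAC the way eui-64=yes does, refuses the subnet-router anycast address, and splits a /62 into the /64s a pool should hand out. The delegated prefix (from the 2001:db8::/32 documentation range) and the MAC are constructed values.

```python
import ipaddress
from typing import List


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291 appendix A): split the 48-bit MAC,
    insert ff:fe in the middle and invert the universal/local bit (0x02 of the first octet).
    This is what eui-64=yes on an /ipv6 address derives from the interface MAC."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("a 48-bit MAC address is required")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(iid, "big")


def is_subnet_router_anycast(addr: str, prefixlen: int = 64) -> bool:
    """True when the interface identifier is all zeros, i.e. the subnet-router anycast
    address (RFC 4291 section 2.6.1), which must not be configured as a host address."""
    host_bits = 128 - prefixlen
    return (int(ipaddress.IPv6Address(addr)) & ((1 << host_bits) - 1)) == 0


def address_from_prefix(prefix: str, interface_id: int) -> str:
    """Combine a /64 with an interface identifier, refusing the all-zeros identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64, got /%d" % net.prefixlen)
    if interface_id == 0:
        raise ValueError("all-zeros interface ID is the subnet-router anycast address")
    return str(net[interface_id])


def carve_64s(delegated: str) -> List[str]:
    """The /64s an /ipv6 pool with prefix-length=64 should hand out from a delegated
    prefix, rather than the whole delegation at once."""
    return [str(n) for n in ipaddress.IPv6Network(delegated, strict=True).subnets(new_prefix=64)]


if __name__ == "__main__":
    # Constructed values: documentation prefix and an arbitrary MAC.
    delegated = "2001:db8:0:4::/62"
    lan = carve_64s(delegated)[0]
    iid = eui64_interface_id("00:11:22:33:44:55")
    print(lan, address_from_prefix(lan, iid))
    print(is_subnet_router_anycast("2001:db8:0:4::"))
```

EUI-64 addresses expose the interface MAC to every peer; where that matters, use an explicit non-zero identifier instead, which the same checks accept.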
by tdw
Fri Jul 19, 2024 10:10 pm
Forum: General
Topic: [Assistance] - VLAN configuration on CRS1xx
Replies: 10
Views: 939

Re: [Assistance] - VLAN configuration on CRS1xx

I don't know if the default items in /export have changed in v7, but certainly in RouterOS v6 /interface ethernet switch ingress-vlan-translation entries have explicit customer-vid=0 . Also, are the bridge ports actually hardware-offloaded - they should have an H flag showing in /interface bridge po...
by tdw
Fri Jul 19, 2024 9:33 pm
Forum: General
Topic: Tunneling CDP messages
Replies: 4
Views: 521

Re: Tunneling CDP messages

It looks like gibberish from ChatGPT or similar. With CDP being a proprietary Cisco protocol Mikrotik do not treat the multicast address it uses as special, so it should propagate throughout the broadcast domain of the layer 2 network. I've not checked EoIP interfaces specifically but certainly all ...
by tdw
Tue Jul 16, 2024 2:37 pm
Forum: General
Topic: Weird behavior of L2TP / IPSEC in ROS7 hAP AX3 / Arm64
Replies: 4
Views: 5319

Re: Weird behavior of L2TP / IPSEC in ROS7 hAP AX3 / Arm64

How did you configure your new ax3, from an /export of the old device, or from a .backup?
by tdw
Fri Jul 12, 2024 4:33 pm
Forum: General
Topic: Switch Rules working without HW on interface?
Replies: 5
Views: 676

Re: Switch Rules working without HW on interface?

I would imagine rules are processed before switching, but wouldn't imagine port isolation would apply unless the ports are being switched in the chip - with hw=no the packet flow would be etherA > CPU interface > software bridge > switch chip interface > etherB, it isn't passing directly between eth...
by tdw
Fri Jul 12, 2024 4:19 pm
Forum: Scripting
Topic: Feature Request: native JSON parsing function [SOLVED]
Replies: 4
Views: 6360

Re: Feature Request: native JSON parsing function [SOLVED]

Mikrotik added :serialize and :deserialize commands in v7 which support JSON. I've not tested to see if it handles nested arrays.
by tdw
Fri Jul 12, 2024 4:06 pm
Forum: General
Topic: Switch Rules working without HW on interface?
Replies: 5
Views: 676

Re: Switch Rules working without HW on interface?

The physical ports on the device are wired to the switch chip so packets will always pass through and be processed by the switch. The underlying architecture has a single interface between the switch chip and CPU - the ether1..etherX interfaces shown in winbox/CLI are logical interfaces, the driver m...
by tdw
Fri Jul 12, 2024 3:52 pm
Forum: General
Topic: VLAN 1 IP and dedicated MGMT Port IP in same subnet
Replies: 8
Views: 1495

Re: VLAN 1 IP and dedicated MGMT Port IP in same subnet

You cannot use the same IP subnet on multiple layer2 / ethernet interfaces, the device would have no idea of which interface to send ARP requests to.
by tdw
Wed Jul 10, 2024 3:44 pm
Forum: General
Topic: What is the right FW rule to miss out the CPU when x ?
Replies: 4
Views: 530

Re: What is the right FW rule to miss out the CPU when x ?

No, traffic between VLANs passes through forward, not input. Unless your Mikrotik has a switch chip with L3 hardware offload the routed traffic is still handled by the CPU, fasttrack merely skips some of the processing and typically improves performance by a factor around 2-3 times. You could qualif...
by tdw
Wed Jul 10, 2024 1:46 pm
Forum: General
Topic: Help needed with IPv6 on DHCPv6 PD / KPN fiber
Replies: 12
Views: 2505

Re: Help needed with IPv6 on DHCPv6 PD / KPN fiber

This should not be necessary /ppp profile set *0 remote-ipv6-prefix-pool=kpn-pool it is used for PPPoE servers, not clients. This is likely the issue /ipv6 dhcp-client add add-default-route=yes interface=pppoe-kpn pool-name=kpn-pool \ pool-prefix-length=48 request=prefix use-peer-dns=no as DHCPv6 ha...
by tdw
Tue Jul 09, 2024 4:17 am
Forum: General
Topic: DHCP server grants new IP to device after "make static"
Replies: 10
Views: 974

Re: DHCP server grants new IP to device after "make static"

The lease client-id values for some of the entries look odd - have they been edited as they would usually be 1:xx:xx:xx:xx:xx:xx, where xx:xx:xx:xx:xx:xx is the client MAC address.

If a client includes a client ID in the DHCP request the Mikrotik will use this in preference to the MAC address.
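How the client-id takes precedence over the MAC when a lease is matched, as an added example (my code, not from the post or RouterOS). It parses the DHCP option field, renders option 61 in the 1:xx:xx:xx:xx:xx:xx form mentioned above, and shows that a request with a client-id not derived from the MAC is keyed on that client-id, so a static lease made from the MAC alone will not match it. The option bytes are constructed, not captured traffic.

```python
DHCP_OPT_PAD = 0
DHCP_OPT_MESSAGE_TYPE = 53
DHCP_OPT_CLIENT_ID = 61
DHCP_OPT_END = 255


def parse_dhcp_options(data: bytes) -> dict:
    """Parse the TLV option field of a DHCP message (the bytes after the magic cookie)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == DHCP_OPT_PAD:
            i += 1
            continue
        if code == DHCP_OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def format_client_id(opt61: bytes) -> str:
    """Render option 61 the way the RouterOS lease list shows client-id: the type byte in
    decimal, then the identifier bytes in hex. Type 1 with a MAC gives 1:xx:xx:xx:xx:xx:xx."""
    if len(opt61) < 2:
        raise ValueError("client identifier needs a type byte and at least one byte of ID")
    return "%d:%s" % (opt61[0], opt61[1:].hex(":"))


def lease_key(chaddr: bytes, options: dict) -> str:
    """The identity a lease is matched on: the client ID when the client sends one,
    otherwise the hardware address from the chaddr field."""
    cid = options.get(DHCP_OPT_CLIENT_ID)
    if cid:
        return "client-id=" + format_client_id(cid)
    return "mac-address=" + chaddr.hex(":")


# Constructed DHCPREQUEST option fields (not captured traffic).
MAC = bytes.fromhex("aabbccddeeff")
OPTS_WITH_CLIENT_ID = bytes([53, 1, 3, 61, 7, 1]) + MAC + bytes([255])
OPTS_WITHOUT_CLIENT_ID = bytes([53, 1, 3, 255])
# Same MAC, but a client-id not derived from the MAC (type 0, hostname-style):
# the request is keyed on this string, not on the MAC.
OPTS_FOREIGN_CLIENT_ID = bytes([53, 1, 3, 61, 5, 0]) + b"host" + bytes([255])


if __name__ == "__main__":
    for opts in (OPTS_WITH_CLIENT_ID, OPTS_WITHOUT_CLIENT_ID, OPTS_FOREIGN_CLIENT_ID):
        print(lease_key(MAC, parse_dhcp_options(opts)))
```

The lease key is chosen entirely by the client, so a static lease is a convenience for the client that sent it, not an access control; anything that must be enforced belongs in the firewall or on the switch port.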
by tdw
Tue Jul 09, 2024 3:43 am
Forum: Beginner Basics
Topic: Disable Routing Between Ports
Replies: 22
Views: 2361

Re: Disable Routing Between Ports

By default packets will be forwarded between subnets. As there isn't an option to change the firewall policy you could either add a firewall filter rule to drop any forwarded packets with /ip firewall filter add action=drop chain=forward or even disable all forwarding with /ip settings set ip-forwar...
by tdw
Thu Jul 04, 2024 2:41 am
Forum: General
Topic: Bind public IP per L2TP VPN User.
Replies: 2
Views: 475

Re: Bind public IP per L2TP VPN User.

You can specify an optional single IP address for L2TP users in /ppp secret, see https://help.mikrotik.com/docs/display/ ... erDatabase
by tdw
Thu Jul 04, 2024 2:33 am
Forum: General
Topic: Bridge vlan untagged to other bridge [SOLVED]
Replies: 5
Views: 2461

Re: Bridge vlan untagged to other bridge [SOLVED]

On ether1 is my main vlan trunk to my base switch forwarding all vlans (including vlan 30 tagged). Those vlans were configured in the switch configuration to allow hardware offloaded vlans (vlan filtering with offload is not supported on rb3011). This interface is thus the only member of brLAN. Thi...
by tdw
Mon Jul 01, 2024 11:54 am
Forum: General
Topic: PPPoE interface address
Replies: 2
Views: 385

Re: PPPoE interface address

When running a PPPoE server having an IP address on the interface is unnecessary as the client IP traffic is encapsulated within the PPPoE packets. You can add an IP address to the interface for specific use cases, two common ones are for management of radios in fixed-wireless access networks, and f...
by tdw
Sun Jun 30, 2024 9:51 pm
Forum: The User Manager
Topic: 802.1x
Replies: 6
Views: 4070

Re: 802.1x

That isn't the CA, download it from Let's Encrypt. The RADIUS server certificate is only required by usermanager on the Mikrotik, no need to export it.
by tdw
Sun Jun 30, 2024 3:31 am
Forum: The User Manager
Topic: 802.1x
Replies: 6
Views: 4070

Re: 802.1x

A file with a .crt extension can, and often does, contain PEM encoded content. Unless you are using self-signed certificates you will not have the private key for the CA certificate. The purpose of the CA certificate on the client is to validate the authenticity of the signer of the server certi...
by tdw
Sat Jun 29, 2024 3:04 pm
Forum: RouterBOARD hardware
Topic: Help with passive POE and Netgear GS728TPv2
Replies: 3
Views: 1799

Re: Help with passive POE and Netgear GS728TPv2

It maybe that the PSE controller provides voltage, current and power information and they choose to display it. Certainly some other vendors 802.3af/at-only switches do so. There are other converters, e.g. PoE Texas / PoE World have a huge range for a variety of uses https://shopify.poe-world.com/co...
by tdw
Sat Jun 29, 2024 2:09 am
Forum: RouterBOARD hardware
Topic: Help with passive POE and Netgear GS728TPv2
Replies: 3
Views: 1799

Re: Help with passive POE and Netgear GS728TPv2

AFAIK the Netgear only provides nominal 48v, the options change the initial negotiation. You can use an 802.3af/at to 24V passive converter - either the Mikrotik RBGPOE-CON-HP, or Ubiquiti INS-3AF-I-G (can only provide a maximum of 12W so OK as long as you don't have power consuming devices plugged ...
by tdw
Sat Jun 29, 2024 1:44 am
Forum: General
Topic: DUAL WAN - 2nd ISP traffic is slow unless I Torch the interface! [SOLVED]
Replies: 5
Views: 3802

Re: DUAL WAN - 2nd ISP traffic is slow unless I Torch the interface! [SOLVED]

fasttrack is not compatible with mangle, disable it
by tdw
Fri Jun 28, 2024 7:07 pm
Forum: Beginner Basics
Topic: Replace RB2011UIAS with CRS310-8G+2S+IN
Replies: 4
Views: 965

Re: Replace RB2011UIAS with CRS310-8G+2S+IN

CRS devices are primarily switches, the CPU is not particularly powerful and not intended to provide anything approaching wirespeed routing - you might get around 400Mbps on a CRS310. Whilst the switch chips in CRS3xx and CRS5xx devices support L3 hardware offloading the device in the CRS310 does no...
by tdw
Fri Jun 28, 2024 6:56 pm
Forum: Beginner Basics
Topic: Configure IPv6 over IPv4 from ISP
Replies: 9
Views: 1855

Re: Configure IPv6 over IPv4 from ISP

You will need to find out which tunneling mechanism the ISP supports. It is possible to do DS-Lite which is basically an IPv4 in IPv6 tunnel (search my posts for examples), but newer methods such as Lw4o6 and MAP-E require support in the client router which Mikrotik have not implemented.
by tdw
Fri Jun 28, 2024 1:47 pm
Forum: The User Manager
Topic: 802.1x
Replies: 6
Views: 4070

Re: 802.1x

Those device certificate settings look to be incorrect. The CA Certificate should, given the name, be the Let's Encrypt root authority certificate - Windows and other OS will already have this installed as a trusted CA. The Device Certificate should not be the server certificate and likely be not in...
by tdw
Fri Jun 28, 2024 1:02 am
Forum: General
Topic: Show full SFP information
Replies: 2
Views: 856

Re: Show full SFP information

It does. SFPs which support Digital Diagnostic Monitoring (DDM) as specified by SFF-8472 store a variety of threshold and calibration data in non-volatile memory at address A2h.

AFAIK RouterOS doesn't read and decode this, only the standard data as specified by INF-8074 at address A0h.
by tdw
Thu Jun 27, 2024 2:53 am
Forum: General
Topic: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]
Replies: 13
Views: 17856

Re: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]

It's difficult to tell exactly as there are many redundant entries referring to objects which have been deleted ( something=*id ), but it appears the home LAN (192.168.20.1), some device management for radio links (10.20.0.1) and a local address for PPPoE client connections (172.20.0.1) share the sa...
by tdw
Thu Jun 27, 2024 12:57 am
Forum: General
Topic: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]
Replies: 13
Views: 17856

Re: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]

IP packets from PPPoE clients do not arrive on the bridge, each one has its own interface named <pppoe-USERNAME> so using in-interface=bridge1 in mangle rules will not match anything from clients.
by tdw
Wed Jun 26, 2024 3:45 pm
Forum: General
Topic: Setting the Phase 1 mode with EOIP IPSec tunnels
Replies: 2
Views: 330

Re: Setting the Phase 1 mode with EOIP IPSec tunnels

Instead of specifying an IPsec secret in the EoIP interface create IPsec proposals, policies, peers & identities as required; when the EoIP encapsulated traffic matches the policy it will have IPsec applied as specified.
by tdw
Wed Jun 26, 2024 3:42 pm
Forum: General
Topic: Specify IPsec proposal and profile for IPIP/IPsec
Replies: 4
Views: 623

Re: Specify IPsec proposal and profile for IPIP/IPsec

Instead of specifying an IPsec secret in the IPIP interface create IPsec proposals, policies, peers & identities as required; when the IPIP encapsulated traffic matches the policy it will have IPsec applied as specified.
by tdw
Sat Jun 22, 2024 4:22 am
Forum: General
Topic: Is there a way to connect Groove 52 to LiteBeam 5AC-gen2?
Replies: 1
Views: 288

Re: Is there a way to connect Groove 52 to LiteBeam 5AC-gen2?

No. Both Mikrotik and Ubiquiti have proprietary protocols to provide better performance than regular WiFi, especially for PtMP setups. Whilst these extensions are optional on Mikrotik devices they cannot be disabled on the newer Ubiquiti devices, including airMAX AC ones. Even if you could a LiteBea...
by tdw
Wed Jun 19, 2024 4:15 pm
Forum: General
Topic: VLAN tag on port vs Switch Chip
Replies: 5
Views: 770

Re: VLAN tag on port vs Switch Chip

So option a is effectively the default config but with an additional /interface vlan to handle the WAN traffic being tagged. Unless you are likely to have multiple WAN ports, want to be able to easily swap which ports are WAN and which are LAN, passthrough additional provider/operator VLANs for IPTV ...
by tdw
Wed Jun 19, 2024 4:52 am
Forum: Beginner Basics
Topic: Hex as Switch; VLANs Can't Access Winbox
Replies: 8
Views: 1949

Re: Hex as Switch; VLANs Can't Access Winbox

You are missing the bridge-to-cpu port, the /interface bridge vlan entries tagged=ether1 should be tagged=bridge,ether1 . You also need /interface vlan entries to remove tags on egress from the bridge-to-cpu port / add them on ingress to the port, plus IP addresses. See https://forum.mikrotik.com/v...
by tdw
Thu Jun 13, 2024 6:34 pm
Forum: General
Topic: Native vlan
Replies: 4
Views: 609

Re: Native vlan

When I turn off vlan-filtering, only vlan 1 works. What do you mean by 'works'? ether1-6 will be able to communicate with each other, if VLAN 1 untagged also has to transit the ether24 and sfp-sfpplus4 trunks then change frame-types=admit-only-vlan-tagged to admit-all Unrelated, there is no need to...
by tdw
Wed Jun 12, 2024 6:37 pm
Forum: Wireless Networking
Topic: Radius Server setup
Replies: 12
Views: 3437

Re: Radius Server setup

Set up your own RADIUS server & frontend on-prem or hosted elsewhere / subscribe to a cloud-based service (e.g. CloudRADIUS, JumpCloud, Foxpass) and use WPA2-Enterprise for wireless / 802.1X for wired authentication with username/password and/or certificates. All locations should use this data/s...
by tdw
Wed Jun 12, 2024 5:15 pm
Forum: Beginner Basics
Topic: What does PVID do on bridge VLAN
Replies: 1
Views: 1139

Re: What does PVID do on bridge VLAN

In Winbox the VLAN tab of a bridge interface contains the settings of the bridge-to-CPU port, in exactly the same way as the VLAN tab of a bridge port does for other ports added to the bridge. These are layer 2 settings - they will not stop your Guest & IoT networks from accessing some IP servic...
by tdw
Thu Jun 06, 2024 10:11 pm
Forum: SwOS
Topic: Password length limit on SwOS? Seriously?
Replies: 20
Views: 3610

Re: Password length limit on SwOS? Seriously?

The processor in the switch chips on SwOS-only devices is very limited so it is highly unlikely that any encryption can be added. From the Marvell datasheet Target Applications section "Smart and Lightly Managed switches: Integrated microprocessor enables lightly managed switches with the addit...
by tdw
Thu Jun 06, 2024 9:55 pm
Forum: RouterBOARD hardware
Topic: AOC SFP module - S+AO0005. Connector type info.
Replies: 2
Views: 2224

Re: AOC SFP module - S+AO0005. Connector type info.

I suppose the Media Connector type (EEPROM address A0h, byte 2) could be set to either 0Bh 'Optical Pigtail' or 23h 'No separable connector' instead of 21h 'Copper pigtail' (from SFF-8024 Table 4-3 Connector Types). For SFPs, per SFF-8074, bytes 14-18 specify the maximum length for 9/125, 50/125 &am...
by tdw
Thu Jun 06, 2024 7:29 pm
Forum: Forwarding Protocols
Topic: OSPF misconfig causing packet loss
Replies: 3
Views: 1090

Re: OSPF misconfig causing packet loss

When you say Neighbours do you mean OSPF Neighbours or IP Neighbours? Use PTMP rather than broadcast, v7 'ptmp-broadcast' is compatible with v6 'ptmp'.
by tdw
Thu Jun 06, 2024 7:17 pm
Forum: Beginner Basics
Topic: DNS QUAD9 not working?
Replies: 1
Views: 787

Re: DNS QUAD9 not working?

Your ISP could be intercepting any DNS requests not destined for their servers and redirecting them.
by tdw
Tue Jun 04, 2024 8:34 pm
Forum: Announcements
Topic: v7.15.3 [stable] is released!
Replies: 649
Views: 269589

Re: v7.15 [stable] is released!

I'd rather see bridge "the CPU facing port" become a distinct item ... just like switchX-cpu port in switch chip configs. IMO this would prevent quite some confusion which arises from the fact that there are 3 different items (switch-like entity, CPU-facing port and interface) all named t...
by tdw
Tue Jun 04, 2024 8:25 pm
Forum: Announcements
Topic: v7.15.3 [stable] is released!
Replies: 649
Views: 269589

Re: v7.15 [stable] is released!

In fact, I think /interface/vlan should have some option/attribute that automatically adds tagged=bridge (as a dynamic .../bridge/vlan) – so Layer3/IP work without messing with bridge vlan table at all. So whole /interface/bridge/vlans complexity be only needed for hybrid ports or Layer2-only switc...
by tdw
Tue Jun 04, 2024 7:34 pm
Forum: Virtualization
Topic: How CHR choose ARP src-ip when there is more 2 ipv4 adressed on same nic
Replies: 1
Views: 1121

Re: How CHR choose ARP src-ip when there is more 2 ipv4 adressed on same nic

If the public address is routed via the private address it should not be attached to the interface, but rather exist on a loopback interface and the preferred source address set for traffic originated from the Mikrotik itself. /interface bridge add name=local protocol-mode=none /ip address add addre...
by tdw
Mon Jun 03, 2024 10:09 pm
Forum: General
Topic: fiirewall error PPTP VPN
Replies: 2
Views: 531

Re: fiirewall error PPTP VPN

If the 192.168.1.x addresses use a subnet mask of /24 then 192.168.1.0 is not a valid address, so I would expect it to never work.

Also use a better VPN protocol than PPTP, fundamental vulnerabilities have been known for over 10 years making it insecure.
by tdw
Mon Jun 03, 2024 9:59 pm
Forum: General
Topic: RSTP - What the hell? [SOLVED]
Replies: 14
Views: 2927

Re: RSTP - What the hell? [SOLVED]

Also if you set edge=yes on the Mikrotik bridge ports connecting to the Cisco(s) they will ignore any received and not send any BPDUs (equivalent to PortFast) which may allow you to change to a single bridge. This means that it will ignore the BPDUs that the Ciscos send, turning the Cisco into a ...
by tdw
Mon Jun 03, 2024 7:37 pm
Forum: General
Topic: RSTP - What the hell? [SOLVED]
Replies: 14
Views: 2927

Re: RSTP - What the hell? [SOLVED]

There are various potential pitfalls https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration but impossible to say if you have hit any of these without seeing the configurations. Also if you set edge=yes on the Mikrotik bridge ports connecting to the Cisco(s) they will ignore any received an...
by tdw
Mon Jun 03, 2024 7:18 pm
Forum: General
Topic: VLAN Configuration
Replies: 12
Views: 1825

Re: VLAN Configuration

Nothing obvious assuming that change is only applied to /interface bridge port (two entries), /interface bridge vlan (three entries on two lines) and /interface vlan (one entry) as you can't have two bridges with the same name. Do the Current Tagged and Current Untagged columns under Bridge > VLANs ...
by tdw
Sat Jun 01, 2024 2:04 am
Forum: General
Topic: VLAN Configuration
Replies: 12
Views: 1825

Re: VLAN Configuration

I hadn't spotted that was missing, having bridge-TPP in the tagged list for VLAN 40 is unnecessary. Under /interface bridge port the pvid= setting specifies which VLAN untagged ingress traffic is assigned to. Under /interface bridge vlan ports in the untagged= interface list have the VLAN tag remove...
by tdw
Fri May 31, 2024 1:47 am
Forum: General
Topic: VLAN Configuration
Replies: 12
Views: 1825

Re: VLAN Configuration

The bridge name bridge-TPP refers to both the bridge and the implicit bridge-to-CPU bridge port so you are connecting VLAN 40 on ether4 untagged to the CPU tagged. To connect ether4 untagged to ether5 tagged requires the following change to /interface bridge vlan : add bridge=bridge-TPP tagged= brid...
by tdw
Wed May 29, 2024 11:31 am
Forum: General
Topic: Lock device
Replies: 4
Views: 785

Re: Lock device

Set reformat-hold-button and reformat-hold-button-max. The device cannot be reset, only completely reformatted by holding the reset button for a time between the two values and will then require a netinstall as described in the link provided.
by tdw
Wed May 29, 2024 3:29 am
Forum: General
Topic: Lock device
Replies: 4
Views: 785

Re: Lock device

See https://help.mikrotik.com/docs/display/ ... bootloader. You can disable the Winbox service but that will prevent anyone using it, a usual recommendation is to make Winbox accessible only via a VPN connection to or from the device.
by tdw
Tue May 28, 2024 9:06 pm
Forum: Forwarding Protocols
Topic: OSPF Bug: incorrect network advertisement for point-to-point addresses
Replies: 9
Views: 1887

Re: OSPF Bug: incorrect network advertisement for point-to-point addresses

This caught me out a few weeks ago when converting from 6.x to 7.x. Although it isn't mentioned anywhere in the documentation I could find /routing ospf interface-template has some hidden functionality where specifying type=ptp swaps the local and remote addresses, try add area=A disabled=no network...
by tdw
Mon May 27, 2024 7:51 pm
Forum: General
Topic: Switch CRS112-8P-4S high CPU load [SOLVED]
Replies: 4
Views: 1581

Re: Switch CRS112-8P-4S high CPU load [SOLVED]

Nothing immediately obvious. Possibly if there is much broadcast or multicast traffic on your management VLAN that will be processed by the CPU, even if then discarded.

Using VLAN 1 tagged is uncommon but shouldn't be the cause.
by tdw
Mon May 27, 2024 7:44 pm
Forum: Scripting
Topic: how to provide different ip on pppoe for each connect
Replies: 1
Views: 1205

Re: how to provide different ip on pppoe for each connect

I don't believe you can do this as pool allocations are 'sticky' - for any particular MAC address and username combination the previously used IP is issued when reconnecting. Only a reboot, no free pool addresses (which forces a cleanup), or not being used for some time resets this behaviour.
by tdw
Mon May 27, 2024 6:03 pm
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 10555

Re: Default VLAN for non-authenticated users ?

I'm not sure why the Mikrotik supplicant works without a certificate on the server. The certificate provides the keying material for the TLS tunnel used by PEAP in addition to providing identity information. Per the previously linked page for Windows supplicants they will not work unless the certifc...
by tdw
Mon May 27, 2024 1:53 pm
Forum: Beginner Basics
Topic: Beginner's question: Bridging and VLANs
Replies: 2
Views: 908

Re: Beginner's question: Bridging and VLANs

One bridge. See https://forum.mikrotik.com/viewtopic.php?t=143620 , https://forum.mikrotik.com/viewtopic.php?t=173692 , https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-SetupExamples for RouterOS, https://help.mikrotik.com/docs/pages/viewpage.action?pageId=76415036#...
by tdw
Sun May 26, 2024 11:34 pm
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 10555

Re: Default VLAN for non-authenticated users ?

Pretty much all EAP methods will not work unless the server presents a certificate - are you sure FreeRADIUS isn't using some default certificate, whereas usermanager will need one creating
by tdw
Sun May 26, 2024 8:41 pm
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 10555

Re: Default VLAN for non-authenticated users ?

What certificates are you using for the EAP part? Windows requires the CA to be in the machine certificate store, there are other caveats too https://wiki.geant.org/display/H2eduroa ... iderations
by tdw
Wed May 22, 2024 2:26 pm
Forum: General
Topic: Use specific IP in internal network using L2TP
Replies: 6
Views: 1501

Re: Use specific IP in internal network using L2TP

If the client connected using an IP / layer3 VPN has an address which falls within the subnet used on a local ethernet / layer2 network it requires the use of proxy-ARP. Note the naming of L2TP can be misleading - it refers to layer2 tunneling of PPP packets, not the client IP data itself.
by tdw
Wed May 22, 2024 2:09 pm
Forum: General
Topic: USE IP FIREWALL FEATURE IN BRIDGE SETTINGS [SOLVED]
Replies: 1
Views: 1436

Re: USE IP FIREWALL FEATURE IN BRIDGE SETTINGS [SOLVED]

It forces any bridged traffic to also pass through IP firewall chains https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-BridgeForward , this is only required if you wish to apply firewall rules, where bridge ACLs are insufficient (e.g. as they are stateless), or...
by tdw
Wed May 22, 2024 3:52 am
Forum: Beginner Basics
Topic: [delete]
Replies: 23
Views: 1835

Re: CRS310-8G+S2 reality check on CPU use when using internet traffic

CRS devices are primarily ethernet / layer2 switches with some IP / layer3 functionality, i.e. limited performance as the CPU is not particularly capable. RouterOS v7 introduced L3 hardware offloading, however the DX2000 in the CRS310-8G+2S+ only supports routing offload, not fasttrack and NAT conne...
by tdw
Sun May 19, 2024 12:31 pm
Forum: Beginner Basics
Topic: Two public addresses from one provider
Replies: 3
Views: 860

Re: Two public addresses from one provider

Using a bridge as a local/loopback interface will not work if the addresses are presented directly - just add the addresses to the WAN interface, for example: /ip address add address=155.13.35.202/29 interface=ether1 add address=155.13.35.203/29 interface=ether1 Only if the additional addresses are ...
by tdw
Sun May 19, 2024 5:26 am
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 10555

Re: Default VLAN for non-authenticated users ?

See https://help.mikrotik.com/docs/display/ROS/Dot1X#Dot1X-Server . The guest-vlan-id functionality is odd, other vendors allow access to a guest VLAN immediately until dot1x authentication completes. Other than making a feature request to Mikrotik there isn't much you can do to reduce the time. Not...
by tdw
Fri May 17, 2024 5:29 pm
Forum: General
Topic: CCR2116 RouterOS upgrade vs Routerboard Upgrade [SOLVED]
Replies: 4
Views: 5553

Re: CCR2116 RouterOS upgrade vs Routerboard Upgrade [SOLVED]

The RouterBoard firmware is equivalent to the BIOS on a PC - it handles the initial chipset configuration and RouterOS loading. It is persistent unless upgraded or the device is completely reflashed with netinstall. Historically the firmware and OS used different version numbering. At some point the...
by tdw
Sun May 12, 2024 2:03 pm
Forum: Scripting
Topic: SSTP-server interface scripting [SOLVED]
Replies: 4
Views: 10893

Re: SSTP-server interface scripting [SOLVED]

Did you drop the existing connection? The server binding will be used when the client reconnects.
by tdw
Sun May 12, 2024 1:59 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1800

Re: daloRADIUS & mikrotik PPTP server

That isn't something I have used, if it doesn't have options for specific RADIUS reply attributes it depends if it has any mechanism for adding generic/custom ones.
by tdw
Sat May 11, 2024 6:48 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1800

Re: daloRADIUS & mikrotik PPTP server

Two routes is correct - one from the point-to-point tunnel, the second the subnet route.

However you can't have the same subnet on both your CHR and the remote client, routing relies on subnets not overlapping with each other as it has no way of knowing which interface to use if they do.
by tdw
Sat May 11, 2024 12:57 pm
Forum: General
Topic: Dropping forward chain new - ppppoe connections
Replies: 2
Views: 598

Re: Dropping forward chain new - ppppoe connections

You do not have pppoe-out1 added to the WAN interface list.
by tdw
Fri May 10, 2024 11:25 pm
Forum: Scripting
Topic: SSTP-server interface scripting [SOLVED]
Replies: 4
Views: 10893

Re: SSTP-server interface scripting [SOLVED]

It doesn't need any scripting, use a server binding : /interface sstp-server add name=sstp-in-lsstp user=lsstp When a connection is made with the username specified the named interface, sstp-in-lsstp in this case, is created instead of the usual <sstp-lsstp> dynamic one. Obviously only works for a si...
by tdw
Thu May 09, 2024 9:21 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1800

Re: daloRADIUS & mikrotik PPTP server

Is 192.168.0.1 the client remote address? It is safer to use 0.0.0.0 which indicates to use the tunnel regardless of address. An alternate method is to use Framed-IP-Address and Framed-IP-Netmask if the address is part of the routed subnet, in place of using Framed-IP-Address and Framed-Route .
by tdw
Thu May 09, 2024 4:26 am
Forum: RouterBOARD hardware
Topic: Ensuring Compatibility Between SFP+ and SFP28
Replies: 1
Views: 1734

Re: Ensuring Compatibility Between SFP+ and SFP28

Info is in the help pages https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility#MikroTikwiredinterfacecompatibility-10GSFP+/25GSFP28 and https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility#MikroTikwiredinterfacecompatibility-SFP+interfacecomp...
by tdw
Wed May 08, 2024 11:08 pm
Forum: Beginner Basics
Topic: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]
Replies: 4
Views: 5351

Re: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]

In this case leaving all the interfaces set to autonegotiate should be fine. The highest speed of those advertised by both devices is chosen so the 2.5Gb advertisement from the CRS will be ignored. The example is using a bond in isolation, hence adding the IP address to it. When adding any ethernet-l...
by tdw
Wed May 08, 2024 7:48 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1800

Re: daloRADIUS & mikrotik PPTP server

I can't immediately recall if the Mikrotik rejects routes where the subnet bits are not zero, so for 192.168.0.1/24 it should really be 192.168.0.0/24
by tdw
Wed May 08, 2024 3:36 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1800

Re: daloRADIUS & mikrotik PPTP server

Per the wiki page for the Framed-Route attribute Format is specified in RFC 2865 (Ch. 5.22) so you should be sending 192.168.0.1/24 0.0.0.0 1
by tdw
Wed May 08, 2024 3:28 pm
Forum: Beginner Basics
Topic: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]
Replies: 4
Views: 5351

Re: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]

Copper ethernet connections operating at a rate of 1Gb or above will not work without autonegotiation, fixed settings only work for 10Mb or 100Mb with half or full duplex.

If you require a specific rate you can use autonegotiation but only advertise that one rate.
by tdw
Tue May 07, 2024 9:44 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1800

Re: daloRADIUS & mikrotik PPTP server

They will appear as dynamic entries under /ip route with the name of the PPTP/L2TP connection as the gateway.
by tdw
Sun May 05, 2024 4:38 pm
Forum: Beginner Basics
Topic: ipipv6 DS-Lite setup help
Replies: 1
Views: 1053

Re: ipipv6 DS-Lite setup help

by tdw
Sat May 04, 2024 9:38 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1800

Re: daloRADIUS & mikrotik PPTP server

I'm not sure that the supported RADIUS attributes https://wiki.mikrotik.com/wiki/Manual:R ... Attributes have made it to the new help pages.

And stop using PPTP, it has been known to be insecure for at least a decade.
by tdw
Sat May 04, 2024 8:56 pm
Forum: General
Topic: Multiple public IPs, different internal zones
Replies: 10
Views: 2323

Re: Multiple public IPs, different internal zones

No. The OP states the provider supplies five IPs with a /24 netmask, these should just be added to the WAN ethernet interface with a single default route to the provided gateway. All you need to know is same as routing on a NAT a /32 is higher precedence than a /24 No. You are conflating two things ...
by tdw
Tue Apr 30, 2024 9:05 pm
Forum: General
Topic: Load Balancing PPC (2WAN) not balancing well
Replies: 2
Views: 558

Re: Load Balancing PPC (2WAN) not balancing well

If you are not using the hotspot functionality the hotspot=auth should be removed from the PCC rules
by tdw
Tue Apr 30, 2024 7:54 pm
Forum: RouterBOARD hardware
Topic: Powering AX routers
Replies: 12
Views: 2962

Re: Powering AX routers

It is annoying that on new devices Mikrotik have picked voltage ranges which are not directly compatible with float-charged lead-acid batteries. Historically devices supported 8-30V so were quite happy running off nominal 12V (13.8V on charge down to ~10V cutoff) or 24V (27.6V on charge down to ~20V...
by tdw
Tue Apr 30, 2024 4:44 pm
Forum: Beginner Basics
Topic: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x
Replies: 6
Views: 1969

Re: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x

You cannot, it requires a NAT64 translator.
by tdw
Sun Apr 28, 2024 1:48 am
Forum: General
Topic: No DHCP on Bridge VLAN interface.
Replies: 21
Views: 1976

Re: No DHCP on Bridge VLAN interface.

Also as mentioned in an earlier post if you have multiple VLAN IDs specified in a single entry: /interface bridge vlan add bridge=br0 tagged=ether1,br0 vlan-ids=X,Y,Z you should not use these VLANs untagged, i.e. by setting pvid=X or Y or Z under /interface bridge port or dynamically by CAPsMAN. In ...
by tdw
Tue Apr 23, 2024 10:34 pm
Forum: Wireless Networking
Topic: RB2011 + TP-LINK mesh
Replies: 4
Views: 2130

Re: RB2011 + TP-LINK mesh

I do not get the chance to use our existing network cabling for this to work properly, right ? I mean, I need to send a wire from each deco to the other directly and not connecting each one to the switch. If this latter option is possible, it would make the move easier. It depends if the switches y...
by tdw
Tue Apr 23, 2024 8:29 pm
Forum: General
Topic: dhcpv6-pd assign subnet to interface
Replies: 5
Views: 593

Re: dhcpv6-pd assign subnet to interface

No, having a subnet hint does not work. There are a number of grumbles about this in other forum posts.
by tdw
Tue Apr 23, 2024 8:25 pm
Forum: General
Topic: No DHCP on Bridge VLAN interface.
Replies: 21
Views: 1976

Re: No DHCP on Bridge VLAN interface.

You did enable ether1 in /interface bridge port ? Yes, set the PVID for those ports under /interface bridge port and add any tagged membership under /interface bridge vlan , explicitly adding untagged membership is optional as it will be dynamically added from the PVID setting. Some people prefer to...
by tdw
Tue Apr 23, 2024 8:11 pm
Forum: Beginner Basics
Topic: Management VLAN issue [SOLVED]
Replies: 10
Views: 3713

Re: Management VLAN issue [SOLVED]

Do you get an address via DHCP on ether7? You have no DNS server specified in /ip dhcp-server network for that subnet which may cause issues. Can you ping the gateway addresses when connected via those ports having obtained or set an address? Most likely is the firewall filter rules don't allow acce...
by tdw
Tue Apr 23, 2024 3:57 am
Forum: Wireless Networking
Topic: RB2011 + TP-LINK mesh
Replies: 4
Views: 2130

Re: RB2011 + TP-LINK mesh

Configure the TP-Link in Access Point mode, not the default WiFi Router mode, e.g. https://www.tp-link.com/uk/support/faq/1842/ . Where possible connect the Deco units with ethernet cables as meshing reduces capacity - each device has to receive each packet and then transmit onwards. I seem to recal...
by tdw
Tue Apr 23, 2024 3:15 am
Forum: Beginner Basics
Topic: Management VLAN issue [SOLVED]
Replies: 10
Views: 3713

Re: Management VLAN issue [SOLVED]

Unfortunately now I'm using vlan id=1 in my network and on some devices I have this hardcoded. That will not be fast and easy configure and switch the router :/ Using VLAN ID 1 is not incorrect, however you can easily get things wrong as a result unless you are familiar with exactly how manufactur...
by tdw
Tue Apr 23, 2024 2:49 am
Forum: General
Topic: No DHCP on Bridge VLAN interface.
Replies: 21
Views: 1976

Re: No DHCP on Bridge VLAN interface.

You haven't copied the /interface bridge vlan settings for VLAN ID 10 correctly - missing tagged=br0
by tdw
Mon Apr 22, 2024 3:14 am
Forum: Beginner Basics
Topic: Internet connection on CRS326 behind external router
Replies: 4
Views: 1373

Re: Internet connection on CRS326 behind external router

To simplify broadcasts etc. every VLAN shall reside in a separate partition of the same /24 subnet. That will not work, and it is not specific to using a Mikrotik. Each VLAN is its own layer 2 broadcast domain so broadcasts will not pass between them. Having overlapping subnets would require specia...
by tdw
Wed Apr 17, 2024 2:55 am
Forum: SwOS
Topic: POE in problem Mikrotik CSS610 netPower Lite 7R Switch
Replies: 4
Views: 1947

Re: POE in problem Mikrotik CSS610 netPower Lite 7R Switch

I discovered that the switch is only receiving PoE from one Ethernet port, despite the requirement for a minimum power input from three ports. Power is only taken from the input with the greatest voltage, each input should be capable of providing all the power necessary to operate the switch itself...
by tdw
Wed Apr 17, 2024 2:40 am
Forum: SwOS
Topic: POE in problem Mikrotik CSS610 netPower Lite 7R Switch
Replies: 4
Views: 1947

Re: POE in problem Mikrotik CSS610 netPower Lite 7R Switch

You're referring to 2 different products:
CSS610
and
netPower Lite 7R
Just for info, the netPower Lite 7R is one of the CSS610 range - its full model name is CSS610-1Gi-7R-2S+OUT
by tdw
Fri Apr 05, 2024 12:22 am
Forum: Beginner Basics
Topic: Virtualized VLANs (for Proxmox) [SOLVED]
Replies: 12
Views: 6127

Re: Virtualized VLANs (for Proxmox) [SOLVED]

The configuration doesn't make sense - you have name=aBridge in /interface bridge but references to bridge=3TSBridge in /interface bridge vlan.
Also, do not set the bridge-to-CPU PVID in /interface bridge to have the same ID as an /interface vlan attached to the bridge.
by tdw
Mon Apr 01, 2024 2:54 pm
Forum: SwOS
Topic: No SwOS for CRS310-8G+2S+ ?
Replies: 12
Views: 7887

Re: No SwOS for CRS310-8G+2S+ ?

According to https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-ConfiguringSwOSusingRouterOS using /system swos upgrade should upgrade the primary backup version of SwOS, and you then install the seco...
by tdw
Tue Mar 26, 2024 1:18 pm
Forum: Beginner Basics
Topic: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]
Replies: 32
Views: 5159

Re: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]

That doesn't agree with your diagram, it shows ether5 and ether6 connected between the CRS and RB3011
by tdw
Tue Mar 26, 2024 4:39 am
Forum: Beginner Basics
Topic: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]
Replies: 32
Views: 5159

Re: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]

It seems like once port is enabled in the bridge, only 802.2 (what the hell is it?) are seen on the interface. Why? Spanning tree, and the port will be ending up in the blocking state to prevent a network loop. STP & RSTP are not VLAN-aware, they allow or block all traffic be it untagged or tag...
by tdw
Sun Mar 17, 2024 12:03 am
Forum: General
Topic: Wires Only Leased Line Hardware Recommendation
Replies: 11
Views: 1588

Re: Wires Only Leased Line Hardware Recommendation

I am a novice with this but the ISP have provided me with the following. It doesn't really make sense, the LAN information is OK LAN First IP Address: 51.x.x.33 LAN Subnet Mask: 255.255.255.240 Customer IP Assignment: 51.x.x.32/28 so when presented as IP over ethernet connections .32 is the networ...
by tdw
Sat Mar 16, 2024 11:12 pm
Forum: General
Topic: Wires Only Leased Line Hardware Recommendation
Replies: 11
Views: 1588

Re: Wires Only Leased Line Hardware Recommendation

A 4011 or 5009 would be fine, ICUK use them or Ubiquiti EdgeRouters on their managed 1Gb EAD circuits. The ISP information seems incomplete - typically they would specify a /30 or /31 WAN connection, together with a routed subnet which you can present on the LAN side of your router as a conventional...
by tdw
Thu Mar 14, 2024 10:47 pm
Forum: General
Topic: VLAN setup device with AR8327 and WI-FI [SOLVED]
Replies: 2
Views: 1678

Re: VLAN setup device with AR8327 and WI-FI [SOLVED]

You have to apply the tagging in the wireless interface with vlan-id=XXX and vlan-mode=use-tag - this is only possible in the old (6.x or 7.x up to and including 7.12) /interface wireless settings, it is a lost feature with the new /interface/wifi/ drivers
by tdw
Tue Feb 27, 2024 8:36 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 3368

Re: IPv6 between bridges

I think the problem is with Neighbour Solicitation, not sure if it can forward it between bridges. When pinging ISP router from br_lan it sends NS but does not get a reply as multicast packet is not forwarded between br_wan and br_lan to host No it can't, see post #6. The ISP should be routing the /48...
by tdw
Sun Feb 25, 2024 8:34 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 3368

Re: IPv6 between bridges

They just forwarded to us /48 prefix.
Forwarded to what address? This is different to the interface on their gateway being given a /48 subnet mask.

A few ISPs seem clueless about this. I suggest reading https://www.ripe.net/publications/docs/ripe-690/, in particular section 4.1
by tdw
Sun Feb 25, 2024 8:29 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 3368

Re: IPv6 between bridges

For example br_wan - 2a02:a3XX:8::2/64 br_lan - 2a02:a3XX:8::3/64 Mikrotik in my opinion should be able to route between those GUA addresses as those are internally assigned and GUA must be routed, but it does not. No. This doesn't just apply to Mikrotik, addresses in the same subnet are only reach...
by tdw
Sun Feb 25, 2024 4:24 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 3368

Re: IPv6 between bridges

The br_wan address should be /64, and the ISP router should be configured to route the /48 to this address. The br_lan address should again be /64 and also a different subnet. It does not matter what I configure on br_wan and br_lan as IPv6 routing between br_lan and br_wan does not work Example as...
by tdw
Sun Feb 25, 2024 2:02 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 3368

Re: IPv6 between bridges

The br_wan address should be /64, and the ISP router should be configured to route the /48 to this address.
The br_lan address should again be /64 and also a different subnet.
by tdw
Sun Feb 25, 2024 2:57 am
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 3368

Re: IPv6 between bridges

Link-local addresses, as the name suggests, are only valid within a layer 2 broadcast domain. You say "From br_lan I can not reach br_wan via GUA if both bridges are configured with the GUA address" - you should assign different GUA addresses to each otherwise routing will not work. Typical...
by tdw
Sat Feb 17, 2024 3:57 pm
Forum: General
Topic: Transport layer 2 over Internet?
Replies: 4
Views: 1107

Re: Transport layer 2 over Internet?

There is a layer 2 bridging option for any PPP-based protocols (e.g. L2TP, SSTP) using BCP, although it doesn't work fully with vlan-aware bridges, or OpenVPN using TAP.

With RouterOS v7 there is also VXLAN and L2TPv3 but the documentation and examples are rather sparse.
by tdw
Tue Feb 13, 2024 12:06 am
Forum: Beginner Basics
Topic: Subnet Public IP's issue
Replies: 3
Views: 668

Re: Subnet Public IP's issue

Mikrotik do not support RFC3021 /31 addressing, use /32 for the local and gateway addresses: /ip address add address=88.xx.xx.15 interface=vlan835 network=88.xx.xx.14 If the subnet public IP is routed to you then adding those addresses to the WAN interface is incorrect. The conventional use case wo...
by tdw
Mon Feb 12, 2024 8:23 pm
Forum: General
Topic: UPnP is not working?
Replies: 14
Views: 1807

Re: UPnP is not working?

The SIM provider unfortunately does not give me public IP, so I'm under CGNAT. CGNAT renders UPnP useless? I know that port forwarding and DDNS are not working Yes. UPnP merely automates port forwarding on your router, it doesn't cascade the forwarding rules/requirements to the provider's CGNAT inf...
by tdw
Mon Feb 12, 2024 6:46 pm
Forum: General
Topic: UPnP is not working?
Replies: 14
Views: 1807

Re: UPnP is not working?

Not directly related, but does your SIM provide an unfiltered public IP as most either block inbound traffic or use CGNAT which renders UPnP useless. Setting up port forwarding either manually or with UPnP is only required on older Hikvision devices, more recent ones can be configured to establish a...
by tdw
Tue Feb 06, 2024 11:20 pm
Forum: General
Topic: best RouterOS version for old CCR
Replies: 3
Views: 1049

Re: best RouterOS version for old CCR

IIRC v7 will always be slower due to kernel changes between v6 and v7, e.g. no more route cache.
by tdw
Fri Feb 02, 2024 2:08 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 2027

Re: How do you specify the location in ROS 7? [SOLVED]

It appears that way, although it is a limiting factor if you want to use an indoor device in a weatherproof enclosure outdoors, or the L11UG-5HaxD which could be used in either situation.
by tdw
Fri Feb 02, 2024 1:21 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 2027

Re: How do you specify the location in ROS 7? [SOLVED]

It appears not to be included in the new wifi package, see viewtopic.php?p=1052150
by tdw
Fri Feb 02, 2024 1:15 pm
Forum: Wireless Networking
Topic: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]
Replies: 19
Views: 2629

Re: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]

Likely skip DFS channels with 10min CAC is incompatible with the channel selection as 5580/Ceee uses 5570-5650.

If the same settings work on a hAP that could be a bug where it is not excluding the extension channels which overlap with 5600-5650.
by tdw
Mon Jan 29, 2024 5:12 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 1690

Re: currently-untagged contradicts untagged [SOLVED]

Actually, I have frame-types=admit-only-vlan-tagged set too, on the bridge.
That is only applicable to the implicit bridge-to-CPU port. Each port added under /interface bridge port has its own frame-types= setting.
by tdw
Wed Jan 24, 2024 5:44 pm
Forum: General
Topic: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2
Replies: 4
Views: 1403

Re: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2

Mikrotik have likely added the warning as it is a common misconfiguration. RouterOS does not restrict many configuration settings which could be questionable or not sensible making it much more flexible than offerings from other vendors.
by tdw
Wed Jan 24, 2024 5:10 pm
Forum: Beginner Basics
Topic: ISP subnet distribution [SOLVED]
Replies: 5
Views: 2287

Re: ISP subnet distribution [SOLVED]

You can either use switch ACL rules, remembering to also permit broadcast IP addresses in addition to each client's unicast IP address, or disable hardware offload and use /ip firewall filter rules after applying /interface bridge settings use-ip-firewall=yes . The CPU performance is likely to limit thr...
by tdw
Wed Jan 24, 2024 3:15 pm
Forum: General
Topic: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2
Replies: 4
Views: 1403

Re: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2

Any tagged= or untagged= entries under /interface bridge vlan should only be ports listed under /interface bridge port or bridge names (for the bridge-to-CPU port). You are also mixing tagged and untagged traffic for VLAN 20 on the bridge by having both an /interface vlan with vlan-id=20 attached to ...
by tdw
Wed Jan 24, 2024 2:47 pm
Forum: General
Topic: OpenLDAP login with RADIUS [SOLVED]
Replies: 2
Views: 1811

Re: OpenLDAP login with RADIUS [SOLVED]

MSCHAP will definitely work against plaintext credentials, if your setup does not it is most likely a FreeRADIUS configuration error - run it with debugging enabled and look at the logs. Depending on how your password changing is implemented you should be able to incorporate something which will sto...