Community discussions

Search found 1363 matches

by tdw
Thu May 26, 2022 5:14 pm
Forum: Beginner Basics
Topic: Help with SSTP configuration and local network ping.
Replies: 5
Views: 185

Re: Help with SSTP configuration and local network ping.

My boss would like to ping the ISP 1 devices while connected to VPN client and vice versa. I told him that with my knowledge it's not possible and the local subnet for one ISP should be different. He keeps insisting that a simple firewall rule will do the trick. The issue is that each mikrotik has a...
by tdw
Thu May 26, 2022 12:53 am
Forum: Beginner Basics
Topic: Dumb AP: Static IP and DHCP Client
Replies: 5
Views: 242

Re: Dumb AP: Static IP and DHCP Client

For the route, yes. I suspect updates worked because the DNS entry was cached, add 192.168.3.1 as a DNS server too.

RouterOS can be rather a steep learning curve, it is basically linux underneath with a custom user interface on top.
by tdw
Wed May 25, 2022 3:53 pm
Forum: General
Topic: How to setup VLAN on Mikrotik PWR-LINE? [SOLVED]
Replies: 2
Views: 115

Re: How to setup VLAN on Mikrotik PWR-LINE? [SOLVED]

The power line interface should behave as any other ethernet-like layer2 interface, so the example https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_#1_(Trunk_and_Access_Ports) should work with pwr-line1 as the trunk and an ethernet interface as an access port. Unless you really ne...
by tdw
Wed May 25, 2022 2:05 pm
Forum: Beginner Basics
Topic: Dumb AP: Static IP and DHCP Client
Replies: 5
Views: 242

Re: Dumb AP: Static IP and DHCP Client

You can add a default route under IP > Route and a DNS server under IP > DNS. Alternatively if the router you are connecting this Mikrotik to supports static DHCP leases you could assign an address that way.
by tdw
Mon May 23, 2022 11:02 pm
Forum: General
Topic: IPv6 Support? When actually?
Replies: 2
Views: 174

Re: IPv6 Support? When actually?

Why are you manually handing out/assigning FE80:: addresses? This seems wrong.. Is it a static /48? I strongly suggest you use that instead.. IPv6 prefixes.. IPv6-Pool and IPv6-DHCP-Server on your central router. It is nothing to do with the user configuration or global unicast (GUA) / unique local...
by tdw
Mon May 23, 2022 4:37 pm
Forum: General
Topic: SIP Issues
Replies: 37
Views: 1414

Re: SIP Issues

As the Mikrotik is responding with ICMP host unreachable that suggests the issue is with the Mikrotik - AnyNode connection. If the ARP table entry expires and is not refreshed for some reason the Mikrotik would send that response.
by tdw
Mon May 23, 2022 3:13 pm
Forum: General
Topic: SIP Issues
Replies: 37
Views: 1414

Re: SIP Issues

It is already open by way of the connection tracking shown in post #5.

Getting ICMP host unreachable responses points to something more complex, hence the requests to see a packet trace of the registration process.
by tdw
Mon May 23, 2022 12:50 pm
Forum: General
Topic: Have internet, but switch will not update.
Replies: 3
Views: 159

Re: Have internet, but switch will not update.

Does the Mikrotik DHCP client have use-peer-dns=yes? Is the DHCP server configured to send DNS server(s) (option 6) if requested by a client?
by tdw
Mon May 23, 2022 12:59 am
Forum: Beginner Basics
Topic: RB4011 IPv6 setup - only link-local address on PC
Replies: 15
Views: 579

Re: RB4011 IPv6 setup - only link-local address on PC

It varies. Not having NAT is good, the literal IP format takes some getting used to, but some of the under-the-hood stuff is quite different - Neighbour Discovery replacing ARP and IPv4 Router Discovery / Router Redirect, requiring multicast, DHCPv6 not having any concept of gateways....
by tdw
Sun May 22, 2022 11:42 pm
Forum: Beginner Basics
Topic: RB4011 IPv6 setup - only link-local address on PC
Replies: 15
Views: 579

Re: RB4011 IPv6 setup - only link-local address on PC

IPv6 isn't just IPv4 with larger addresses, some of the underlying mechanisms are different. The outbound packet from PC to Mikrotik is sent to the default gateway, which in this case is the Mikrotik link-local address via a specific interface. As the first traceroute packet will have a TTL of 1, a...
by tdw
Sun May 22, 2022 10:38 pm
Forum: Beginner Basics
Topic: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]
Replies: 19
Views: 608

Re: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]

There is additional overhead with routing compared to software bridging. I would still expect somewhat better routing performance from a hAP ac2.
by tdw
Sun May 22, 2022 9:49 pm
Forum: Beginner Basics
Topic: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]
Replies: 19
Views: 608

Re: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]

what a hunk of junk, even an hex or capac, handles that with ease...........
They would as the processors are several times more powerful:
RB951G-2HnD - single-core 600MHz MIPS
hEX - dual-core 880MHz MIPS
cAP ac - quad-core 716MHz ARM
by tdw
Sun May 22, 2022 8:34 pm
Forum: Beginner Basics
Topic: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]
Replies: 19
Views: 608

Re: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]

That would be fine if the Atheros/Qualcomm switch chips supported hardware offload with vlan-aware bridges. Given the RB951G-2HnD is an older device the CPU performance would likely limit software bridged throughput to a few hundred Mbps.
by tdw
Sun May 22, 2022 7:47 pm
Forum: General
Topic: IKEv2 between MikroTiks, sides switching, initiator <> responder
Replies: 15
Views: 3017

Re: IKEv2 between MikroTiks, sides switching, initiator <> responder

I have recently discovered this whilst looking at replacing IKE with IKE2 and thought I was doing something wrong. It doesn't affect the current use case, but what happens if you are using mode-config ? And what appears to be another error in the documentation - for peer exchange-mode it says "...
by tdw
Sun May 22, 2022 7:16 pm
Forum: Beginner Basics
Topic: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]
Replies: 19
Views: 608

Re: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]

Yes
/interface ethernet switch port
set 0 default-vlan-id=70; set 5 default-vlan-id=70

(obviously with safe mode, just in case)
by tdw
Sun May 22, 2022 6:41 pm
Forum: Beginner Basics
Topic: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]
Replies: 19
Views: 608

Re: trying to get rid of vlan 1 on 951G-2HnD [SOLVED]

The /ip dhcp-client add disabled=no interface=bridge-ALL configuration will acquire an address using untagged traffic through the switch1-cpu port. This currently has PVID 1, the export does not show the defaults, fully it would be set 5 default-vlan-id=1 vlan-mode=secure . Similarly the ether1-WAN ...
by tdw
Sun May 22, 2022 4:14 pm
Forum: Beginner Basics
Topic: RB4011 IPv6 setup - only link-local address on PC
Replies: 15
Views: 579

Re: RB4011 IPv6 setup - only link-local address on PC

****:****:*****:*****::/64 dev enp37s0 proto ra metric 100 pref medium
fe80::/64 dev enp37s0 proto kernel metric 100 pref medium
fe80::/64 dev enp37s0.99 proto kernel metric 256 pref medium
default via fe80::de2c:6eff:fe18:caa dev enp37s0 proto ra metric 20100 pref medium
So this PC is picking up R...
by tdw
Sun May 22, 2022 2:52 am
Forum: Beginner Basics
Topic: RB4011 IPv6 setup - only link-local address on PC
Replies: 15
Views: 579

Re: RB4011 IPv6 setup - only link-local address on PC

The default firewall rules drop forwarded traffic arriving through any interfaces not in the LAN interface list. Routing is hop-by-hop so routes via link-local addresses are fine, if you check the routes on your PC the default route (::0) will be to the link-local address of the Mikrotik interface. ...
by tdw
Sat May 21, 2022 9:04 pm
Forum: Beginner Basics
Topic: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik
Replies: 13
Views: 551

Re: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik

That suggests it is something else if pings are successfully bypassing the hotspot, maybe additional firewall rules. You can use the packet sniffer, filter on the IP address of the AP.
by tdw
Sat May 21, 2022 8:08 pm
Forum: Beginner Basics
Topic: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik
Replies: 13
Views: 551

Re: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik

Works on our hotspots. Can the AP resolve the inform URL address, the AP DNS server address would typically be set to the same as the gateway address, and does the Mikrotik apply srcnat to the outbound WAN traffic?
by tdw
Sat May 21, 2022 7:56 pm
Forum: Beginner Basics
Topic: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik
Replies: 13
Views: 551

Re: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik

Yes, AP MAC address.

Both IP addresses are the same fixed IP of the AP. The to-address is part of the internal hotspot translation system, it has nothing to do with the destination of traffic from the AP.
by tdw
Sat May 21, 2022 7:10 pm
Forum: Beginner Basics
Topic: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik
Replies: 13
Views: 551

Re: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik

We have always used /ip hotspot ip-binding add mac-address=XX:XX:XX:XX:XX:XX address=NNN.NNN.NNN.NNN to-address=NNN.NNN.NNN.NNN type=bypassed with the device address either set statically or getting it from a static DHCP lease. Never tried it without the addresses, the wiki isn't clear what would ha...
by tdw
Sat May 21, 2022 6:25 pm
Forum: Beginner Basics
Topic: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik
Replies: 13
Views: 551

Re: Problem with Ubiquiti cloud controller when APs are behind a Mikrotik

For outbound UniFi APs -> controller connections you only need to add hotspot IP bindings, MAC and IP addresses.
by tdw
Sat May 21, 2022 5:51 pm
Forum: Beginner Basics
Topic: RB4011 IPv6 setup - only link-local address on PC
Replies: 15
Views: 579

Re: RB4011 IPv6 setup - only link-local address on PC

Providing the configuration rather than a few screenshots would be better. Firstly you need a globally unique address on the WAN port and a default route so the router itself can access the internet. As the WAN connection appears to be IPoE the correct method to obtain the default route is to u...
by tdw
Sat May 21, 2022 2:58 pm
Forum: Beginner Basics
Topic: Can't route between 2 subnets
Replies: 7
Views: 424

Re: Can't route between 2 subnets

At minimum, you need something like "/ip/route add dst-address=192.168.88.0/24 gateway=192.168.100.2" to get packets from the 0 network to the 100 network, and its inverse to get the replies back. No, not in this case. Directly connected networks (e.g. adding an IP address to an ethernet ...
by tdw
Sat May 21, 2022 2:41 am
Forum: Beginner Basics
Topic: Basic Router + switch + ap with VLAN [SOLVED]
Replies: 2
Views: 188

Re: Basic Router + switch + ap with VLAN [SOLVED]

The switch is missing /interface bridge vlan entries for all VLANs except 99. You should not set the bridge PVID to have the same value as an /interface vlan , either /interface bridge add name=BR1 protocol-mode=none pvid= 99 1 vlan-filtering=yes /interface vlan add interface=BR1 name=MGMT_VLAN vlan...
by tdw
Thu May 19, 2022 5:39 pm
Forum: General
Topic: SIP Issues
Replies: 37
Views: 1414

Re: SIP Issues

Do you see the registration messages between the Mikrotik and SBC in the packet trace in both directions (SBC -> Mikrotik and Mikrotik -> SBC)?
by tdw
Thu May 19, 2022 5:05 pm
Forum: General
Topic: SIP Issues
Replies: 37
Views: 1414

Re: SIP Issues

Is the phone registered with the PBX? If there is no connection (under IP > Firewall > Connections) the incoming packets have nowhere to go and will be dropped. There is little point setting 1000M-half,1000M-full on ether1 as the device only supports fast, not gigabit, ethernet. The Drop External Ac...
by tdw
Wed May 18, 2022 2:38 pm
Forum: Beginner Basics
Topic: pppoe client/server using bto modem and internal dslam
Replies: 4
Views: 225

Re: pppoe client/server using bto modem and internal dslam

The old BT Huawei/ECI modems already handle the VLAN 101 tagging internally so you attach the PPPoE client directly to the ethernet interface connected to the modem.
by tdw
Tue May 17, 2022 1:27 am
Forum: Beginner Basics
Topic: Dual WAN failover messes with DNS
Replies: 3
Views: 253

Re: Dual WAN failover messes with DNS

As you have multiple DNS servers added by having the DHCP client setting use-peer-dns=yes there is no control over which of the listed servers will be used. If the ISPs only permit DNS lookups from their servers via their connection you may well get lookup failures. The simplest fix is to set one or...
by tdw
Mon May 16, 2022 9:57 pm
Forum: Beginner Basics
Topic: Share 192.168.88.00/24 subnet on VPN with OpenVPN
Replies: 4
Views: 305

Re: Share 192.168.88.00/24 subnet on VPN with OpenVPN

Routes specify the destination, 192.168.88.0/24 is from the locally attached LAN so adding the static route for the same subnet is incorrect. The Mikrotik OpenVPN client automatically adds a static route back to the server with the netmask specified by the server, so the static route to 10.8.0.0/24 ...
by tdw
Mon May 16, 2022 7:46 pm
Forum: Beginner Basics
Topic: Share 192.168.88.00/24 subnet on VPN with OpenVPN
Replies: 4
Views: 305

Re: Share 192.168.88.00/24 subnet on VPN with OpenVPN

As two unconnected networks (the VPN tunnel and the local LAN) share the same address range any devices attached to the LAN will expect those addresses to be directly reachable on the local ethernet network. If you set arp=proxy-arp on the bridge the Mikrotik will return its own MAC address to reque...
by tdw
Mon May 16, 2022 6:13 pm
Forum: General
Topic: ROS7 - VLAN Switch chip
Replies: 15
Views: 844

Re: ROS7 - VLAN Switch chip

switch1-cpu is the internal ethernet connection between the CPU and switch, without that there is no connection from the external ports through the switch to the CPU for management access. There have been odd interactions when only some ports are configured for 802.1Q VLANs as the other ports are s...
by tdw
Mon May 16, 2022 5:51 pm
Forum: General
Topic: PPPOE disconnects - UK FTTC
Replies: 6
Views: 384

Re: PPPOE disconnects - UK FTTC

PPP sessions should be able to reject unsupported control protocols during negotiation without aborting the entire session, certainly it works fine the other way around with an IPv6-enabled Mikrotik connecting to an IPv4-only ISP (Plusnet). Maybe the ISP or carrier has changed something which only m...
by tdw
Mon May 16, 2022 5:30 pm
Forum: Wireless Networking
Topic: vlans to multiple access points
Replies: 7
Views: 623

Re: vlans to multiple access points

Those APs do not have any management APIs, it would be a case of the logging in to each AP and manually changing the settings. You could use WPA2-Enterprise and an external RADIUS server to manage the authentication so it is centralised. This would only work if all of the client devices support it, ...
by tdw
Sun May 15, 2022 2:34 am
Forum: General
Topic: Inter-VLAN Routing Across IPSec VPN
Replies: 9
Views: 812

Re: Inter-VLAN Routing Across IPSec VPN

No. There are no 'IPsec interfaces' to apply routes to as Mikrotik do not implement an equivalent of Cisco VTI, or similar by other manufacturers. IPsec policies match traffic to be transported or tunneled based on some combination of addresses, protocols and ports. A packet matching a policy gets e...
by tdw
Sat May 14, 2022 11:37 pm
Forum: Beginner Basics
Topic: ipv6 only works when pinging from the router [SOLVED]
Replies: 6
Views: 603

Re: ipv6 only works when pinging from the router [SOLVED]

What are you expecting /ipv6 route add disabled=no dst-address=::/0 gateway=ether1 to do? Using gateway=someinterface is only valid for point-to-point media, so not ethernet. The gateway will be learnt from the upstream RAs due to accept-router-advertisements=yes , although this was broken in 7.1.x,...
by tdw
Sat May 14, 2022 2:30 pm
Forum: General
Topic: Inter Switch VLAN
Replies: 3
Views: 403

Re: Inter Switch VLAN

One of the paths forming the inetswitch - site1switch - interswitch - site2switch loop will be disabled by spanning tree, and as you do not have the same VLANs configured on each path connectivity will be lost. If you wish to have redundant paths with blocks on different links for some VLANs you wil...
by tdw
Fri May 13, 2022 2:17 pm
Forum: Forwarding Protocols
Topic: RTSP Over WiFI Not Blocking
Replies: 4
Views: 472

Re: RTSP Over WiFI Not Blocking

That won't work. Each branch of the layer 2 network tree exchanges packets with its immediate neighbour and each node builds a list of path costs back to the root to determine which ports should be enabled and which blocked.

Offhand I can't think of any methods which would work in this scenario.
by tdw
Fri May 13, 2022 1:56 pm
Forum: Beginner Basics
Topic: DNS forward server for router itself
Replies: 4
Views: 390

Re: DNS forward server for router itself

There is no way to distinguish requests as the Mikrotik is making requests on behalf of the clients, the client - Mikrotik and Mikrotik - external server requests are not directly related. Instead of setting the DHCP server to provide the IP address of the router as the DNS server to clients you cou...
by tdw
Fri May 13, 2022 1:43 pm
Forum: Forwarding Protocols
Topic: RTSP Over WiFI Not Blocking
Replies: 4
Views: 472

Re: RTSP Over WiFI Not Blocking

You mean RSTP (Rapid Spanning Tree Protocol) not RTSP (Real Time Streaming Protocol).

Does the rest of your network have RSTP enabled? All of the non-edge devices in your layer 2 network should have it configured.
by tdw
Thu May 12, 2022 8:36 pm
Forum: General
Topic: RSTP Problem with Bridge VLAN Filtering
Replies: 12
Views: 955

Re: RSTP Problem with Bridge VLAN Filtering

Had to also update DHCP relay to use the new VLAN interfaces. So far so good. You would, but the full configuration wasn't provided so any other use of interfaces was unknown. I use routing marks in the mangle table to mark outbound (public IPs) per VLAN so I can pick it up in the routing rules and...
by tdw
Wed May 11, 2022 9:27 pm
Forum: General
Topic: RSTP Problem with Bridge VLAN Filtering
Replies: 12
Views: 955

Re: RSTP Problem with Bridge VLAN Filtering

If a Mikrotik bridge is set to protocol-mode=none it is not 802.1D compliant as the so-called 'slow protocols' which include STP, LACP, etc. are forwarded between ports which is likely the cause of your problem. This is actually useful in some scenarios, but not here. As you are using the 'old style...
by tdw
Wed May 11, 2022 2:11 pm
Forum: Beginner Basics
Topic: poor bridge/vlan throughput
Replies: 8
Views: 742

Re: poor bridge/vlan throughput

Between devices on the same VLAN you are bridging layer 2 traffic, a Mikrotik which supports hardware-offloading on a vlan-aware bridge will pass this at wire speed. Between devices on different VLANs you are routing layer 3 traffic, this is limited by the CPU performance of the Mikrotik unless you ...
by tdw
Mon May 09, 2022 9:40 pm
Forum: Beginner Basics
Topic: Remote Access Local PPPOE client
Replies: 1
Views: 178

Re: Remote Access Local PPPOE client

Does the PPPoE router allow remote management and ping on its WAN port? What firewall rules are on your Mikrotik PPPoE server?
by tdw
Sun May 08, 2022 1:42 am
Forum: Beginner Basics
Topic: Routerboard hEX PoE lite (RB750UPr2) - PoE max speed
Replies: 6
Views: 476

Re: Routerboard hEX PoE lite (RB750UPr2) - PoE max speed

That device has fast ethernet (10/100Mbit) interfaces, not gigabit.
by tdw
Fri May 06, 2022 7:01 pm
Forum: Beginner Basics
Topic: DHCP working only in few VLANS
Replies: 8
Views: 595

Re: DHCP working only in few VLANS

I'm misremembering where things should go. On the controller under /caps-man configuration the datapath.bridge= setting should be left blank/unset. On the CAP under /interface wireless cap the bridge= setting should be the name of the bridge on the CAP.
by tdw
Thu May 05, 2022 5:51 pm
Forum: Beginner Basics
Topic: DHCP working only in few VLANS
Replies: 8
Views: 595

Re: DHCP working only in few VLANS

What is the configuration on the APs? With CAPsMAN local-forwarding=yes the datapath.bridge= specifies the name of the bridge on the AP NOT on the controller. The bridge names on the AP and controller can be the same or different, you just have to use the correct name if they are different. There ma...
by tdw
Wed May 04, 2022 7:27 pm
Forum: Wireless Networking
Topic: Capsman and advertise ipv6dns to clients [SOLVED]
Replies: 13
Views: 801

Re: Capsman and advertise ipv6dns to clients [SOLVED]

Yes, but with a rather different configuration - v6.48.6; ND has advertise-dns=no , as this version does not allow the offered DNS servers to be configured, and other-configuration=yes ; DNSv6 addresses provided by DHCP option 23. Additionally no capsman, as the radios are configured directly, but t...
by tdw
Wed May 04, 2022 5:42 pm
Forum: Beginner Basics
Topic: MikroTik hAP Lite as OVPN Client [SOLVED]
Replies: 2
Views: 256

Re: MikroTik hAP Lite as OVPN Client [SOLVED]

Likely you have selected the wrong certificate for the OVPN client - it should be the client certificate, not the CA or server certificate. The CA and any intermediate certs used by the server only have to be installed under System > Certificates so they can be found when Verify Server Certificate is...
by tdw
Tue May 03, 2022 11:23 pm
Forum: General
Topic: IPv6 help needed
Replies: 4
Views: 338

Re: IPv6 help needed

It depends on what your configuration was previously, it may be incorrect and just happened to work accidentally. In particular DHCPv6 has no mechanism to obtain or provide a default gateway. The Mikrotik DHCPv6 client add-default-route=yes is a hacky bodge, it uses the address of the DHCPv6 server ...
by tdw
Tue May 03, 2022 11:07 pm
Forum: General
Topic: Login with freeradius -> openldap
Replies: 1
Views: 262

Re: Login with freeradius -> openldap

I can't recall what was used previously, from the changelog... MAJOR CHANGES IN v6.43: !) radius - use MS-CHAPv2 for "login" service authentication; I suspect transporting plain-text credentials over plain RADIUS only protected by a simple secret was considered a bad idea. You are correct ...
by tdw
Tue May 03, 2022 12:35 pm
Forum: Beginner Basics
Topic: IPv6 Address Pool decision
Replies: 4
Views: 352

Re: IPv6 Address Pool decision

Last time I tried, probably on 6.48.6, with a /48 it didn't appear to work, may be different in v7.
by tdw
Mon May 02, 2022 11:07 pm
Forum: Beginner Basics
Topic: IPv6 Address Pool decision
Replies: 4
Views: 352

Re: IPv6 Address Pool decision

You can't, as discussed in several forum topics. It would be nice if you could do
/ipv6 address
add address=::50:0:0:0:1 from-pool=provider interface=vlan50
by tdw
Mon May 02, 2022 7:07 pm
Forum: Wireless Networking
Topic: Capsman and advertise ipv6dns to clients [SOLVED]
Replies: 13
Views: 801

Re: Capsman and advertise ipv6dns to clients [SOLVED]

Maybe viewtopic.php?t=157341 although odd that it affects DNS but not the gateway.
by tdw
Sat Apr 30, 2022 2:26 pm
Forum: General
Topic: IPv6 Default route invalid?
Replies: 3
Views: 310

Re: IPv6 Default route invalid?

To expand on the WAN-side configuration... DHCPv6 has no mechanism to obtain or provide a default gateway. The Mikrotik DHCPv6 client add-default-route=yes is a hacky bodge, it uses the address of the DHCPv6 server from which the address/prefix/other information was received - this works if the DHCP...
by tdw
Fri Apr 29, 2022 10:56 pm
Forum: Beginner Basics
Topic: False dynamic route
Replies: 9
Views: 465

Re: False dynamic route

You still incorrectly have gateways set to interfaces, not addresses. Post the output of /export hide-sensitive after redacting any public IP addresses, etc.
by tdw
Fri Apr 29, 2022 7:32 pm
Forum: Forwarding Protocols
Topic: Multi WAN Connection Tracking
Replies: 17
Views: 746

Re: Multi WAN Connection Tracking

Use /ip firewall mangle to also apply routing marks to marked connections, as you have only a screenshot of firewall connections what you have there is not displayed. For traffic from the Mikrotik itself it should be: /ip firewall mangle add chain=output connection-mark=WAN1_conn action=mark-routing...
by tdw
Fri Apr 29, 2022 6:41 pm
Forum: Beginner Basics
Topic: False dynamic route
Replies: 9
Views: 465

Re: False dynamic route

Using gateway=interfacename is only valid for point-to-point interfaces, not ethernet, you should specify an address. Directly-attached routes will be added automatically from the addresses and netmasks specified /ip address . You only have to use pref-src= if you have multiple IP addresses on the s...
by tdw
Fri Apr 29, 2022 6:26 pm
Forum: Forwarding Protocols
Topic: Multi WAN Connection Tracking
Replies: 17
Views: 746

Re: Multi WAN Connection Tracking

As with many blogs/videos it is incomplete - it only handles connections to the Mikrotik itself, not connections passing through the Mikrotik (both directly routed and destination NAT), and re-marks connections for every packet received, not just the first one which would have a connection state of ...
by tdw
Fri Apr 29, 2022 5:54 pm
Forum: General
Topic: Open vpn issue after config export
Replies: 1
Views: 171

Re: Open vpn issue after config export

Did you reinstall the certificate used by the OVPN server? Certificates will only be restored from a .backup file to the same Mikrotik. If you restore a .backup to a different Mikrotik (not officially recommended, usually OK to the same model), or from an .rsc export, you have to import the certific...
by tdw
Fri Apr 29, 2022 5:37 pm
Forum: Forwarding Protocols
Topic: Multi WAN Connection Tracking
Replies: 17
Views: 746

Re: Multi WAN Connection Tracking

Mark connections which are new or have no mark on ingress via the respective WAN interfaces, apply routing marks based on the connection marks to lookup outbound routes. It is mentioned in the Wiki PCC example https://wiki.mikrotik.com/wiki/Manual:PCC#Policy_routing and is still relevant even if you...
by tdw
Fri Apr 29, 2022 12:06 am
Forum: Beginner Basics
Topic: hapLite VLAN trunk fails with no default vlan defined. [SOLVED]
Replies: 34
Views: 1162

Re: hapLite VLAN trunk fails with no default vlan defined. [SOLVED]

Ahh, so I have the trunk set to add if missing (which I thought was the docs).

https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29 shows "add if missing"
Scroll to the note at the bottom of that section in the Wiki.
by tdw
Thu Apr 28, 2022 11:43 pm
Forum: General
Topic: VRRP Issues
Replies: 16
Views: 794

Re: VRRP Issues

Is the switch between the two Mikrotiks the same as you are using elsewhere? Maybe filtering multicast which would break VRRP.
by tdw
Thu Apr 28, 2022 11:39 pm
Forum: Beginner Basics
Topic: hapLite VLAN trunk fails with no default vlan defined. [SOLVED]
Replies: 34
Views: 1162

Re: hapLite VLAN trunk fails with no default vlan defined. [SOLVED]

With the gigabit atheros switch chips you should leave vlan-header=leave-as-is as described in the documentation. Enabling VLAN filtering on the bridge will disable hardware switching, so you will not get wire-speed switching between ports, and requires the bridge port PVID and bridge VLANs to be de...
by tdw
Thu Apr 28, 2022 4:42 pm
Forum: General
Topic: VRRP Issues
Replies: 16
Views: 794

Re: VRRP Issues

The model shouldn't make any difference unless there is something broken in the version of RouterOS you are using on those architectures. You could use the packet sniffer to see if each is receiving the VRRP packets from the other, and that the contents are correct (they are small enough to decode by...
by tdw
Thu Apr 28, 2022 3:33 am
Forum: Beginner Basics
Topic: hapLite VLAN trunk fails with no default vlan defined. [SOLVED]
Replies: 34
Views: 1162

Re: hapLite VLAN trunk fails with no default vlan defined. [SOLVED]

ether23 is missing from the definitions under /interface ethernet switch vlan on the CRS
by tdw
Thu Apr 28, 2022 2:52 am
Forum: Beginner Basics
Topic: Bridging Advice [SOLVED]
Replies: 8
Views: 618

Re: Bridging Advice [SOLVED]

Any port not in a bridge is in its own layer 2 broadcast domain, not connected to any other ports. The switch chip and linux network driver marshal data between physical ports and the logical interfaces in the UI / CLI behind the scenes. A group of ports added to a bridge operate in the same fashion...
by tdw
Thu Apr 28, 2022 2:25 am
Forum: General
Topic: Wireguard roadwarrior inside a bridge?
Replies: 4
Views: 263

Re: Wireguard roadwarrior inside a bridge?

Hello, is it possible that a roadwarrior type wireguard interface can be inside a bridge? I have tried and they are not available in Bridge/Ports.
No. Wireguard presents IP / layer 3 interfaces. You can only add ethernet / layer 2 interfaces to a bridge.
by tdw
Thu Apr 28, 2022 2:14 am
Forum: Beginner Basics
Topic: hapLite VLAN trunk fails with no default vlan defined. [SOLVED]
Replies: 34
Views: 1162

Re: hapLite VLAN trunk fails with no default vlan defined. [SOLVED]

The entire /interface bridge vlan section and the pvid= settings in the /interface bridge port are ignored when the bridge has vlan-filtering=no . The switching setup should work with /interface ethernet switch port .... set 3 vlan-header=add-if-missing vlan-mode=secure i.e. with default-vlan-id=0 ....
by tdw
Wed Apr 27, 2022 9:19 pm
Forum: General
Topic: VRRP Issues
Replies: 16
Views: 794

Re: VRRP Issues

How are they actually connected together, bridges or external switches? You can't just have MTik01 ether1 connected to MTik02 ether1, and similarly MTik01 ether2 connected to MTik02 ether2, as nothing else would be connected.
by tdw
Wed Apr 27, 2022 9:11 pm
Forum: General
Topic: IPv6 routes with no gateway
Replies: 4
Views: 270

Re: IPv6 routes with no gateway

So do you have a switch or multiple network cables connecting your main Mikrotik with the AT&T gateway? IIRC there are forum threads which discuss abusing VRRP interfaces to effectively provide multiple MAC addresses on an interface allowing a request to be made from each. I do wish providers wo...
by tdw
Wed Apr 27, 2022 8:14 pm
Forum: Forwarding Protocols
Topic: Neighboring Routers send out a lot of Broadcast Requests
Replies: 4
Views: 245

Re: Neighboring Routers send out a lot of Broadcast Requests

What IP address are they ARPing for?
by tdw
Wed Apr 27, 2022 8:13 pm
Forum: General
Topic: IPv6 routes with no gateway
Replies: 4
Views: 270

Re: IPv6 routes with no gateway

DHCPv6 has no mechanism to obtain or provide a default gateway. The Mikrotik DHCPv6 client add-default-route=yes is a hacky bodge, it uses the address of the DHCPv6 server from which the address/prefix/other information was received - this works if the DHCPv6 server and the default gateway are the s...
by tdw
Wed Apr 27, 2022 7:51 pm
Forum: Forwarding Protocols
Topic: Neighboring Routers send out a lot of Broadcast Requests
Replies: 4
Views: 245

Re: Neighboring Routers send out a lot of Broadcast Requests

00:00:5E:00:01:0A is the MAC address for a VRRP interface with a VRID of 10, an interface with that address is trying to find an IP address with ARP.
by tdw
Wed Apr 27, 2022 3:46 pm
Forum: Beginner Basics
Topic: Help with source of DNS entries (and search domain)
Replies: 5
Views: 286

Re: Help with source of DNS entries (and search domain)

How have you configured your IPv6 WAN and LAN settings? The PPPoE client 'Use peer DNS' setting only applies to IPv4, similarly the DHCP(v4) server network settings.
by tdw
Wed Apr 27, 2022 3:34 pm
Forum: General
Topic: Can I do this , bridging DC together
Replies: 2
Views: 212

Re: Can I do this , bridging DC together

No, you appear to have private layer 2 links so the complications which arise from encapsulating ethernet (layer 2) in IP (layer 3) can be avoided, it is also out of date inasmuch that EoIP can optionally use IPsec (previously it couldn't so sometimes nested tunnels were used to overcome this limita...
by tdw
Tue Apr 26, 2022 7:56 pm
Forum: Beginner Basics
Topic: Sky FTTP Configuration
Replies: 8
Views: 491

Re: Sky FTTP Configuration

The setup in my previous post was used on FTTP, ether1 plugged directly into the Openreach ONT. If you are switching between a Sky router and something else I believe you have to leave some time or the new device will fail to acquire an address.
by tdw
Mon Apr 25, 2022 10:30 pm
Forum: Beginner Basics
Topic: Sky FTTP Configuration
Replies: 8
Views: 491

Re: Sky FTTP Configuration

Per that Sky forum post - if you configure IPv6 and DHCPv6 that "authenticates" the DHCPv4, otherwise you have to fake up an option 61 in the DHCPv4 request. Last year I used the following on an IPv4 only setup after the WAN connection was slammed: /ip dhcp-client option add code=61 name=c...
by tdw
Mon Apr 25, 2022 2:54 pm
Forum: Forwarding Protocols
Topic: Separate wans for dowload and upload traffic
Replies: 4
Views: 265

Re: Separate wans for dowload and upload traffic

It is not possible. If you send a packet out via WAN1 the remote service sees packets from that IP address and will return replies to the same address, you cannot force the remote service to return packets to a completely different IP address for WAN2. You can use policy-based routing so that conver...
by tdw
Mon Apr 25, 2022 1:01 pm
Forum: Beginner Basics
Topic: Sky FTTP Configuration
Replies: 8
Views: 491

Re: Sky FTTP Configuration

No. They were the first provider in the UK to use IPoE instead of PPPoE on WAN connections, and used DHCP option 61 to identify the router so any other random devices plugged directly into WAN would not acquire an address. Many modem/router manufacturers, and sometimes Sky themselves, erroneously re...
by tdw
Sat Apr 23, 2022 6:17 pm
Forum: Beginner Basics
Topic: CRS326 as a switch, running basic ROS? [SOLVED]
Replies: 4
Views: 361

Re: CRS326 as a switch, running basic ROS? [SOLVED]

ip-forward is just for completeness, with only a single IP address there should be no forwarding. One of the defaults for /ip cloud is update-time=yes , and defaults are not shown in exports unless you use /export verbose . If there is no other time source RouterOS will use the Mikrotik cloud to pro...
by tdw
Sat Apr 23, 2022 5:26 pm
Forum: Beginner Basics
Topic: Vlan configuration issue
Replies: 88
Views: 3779

Re: Vlan configuration issue

Or if the OP only requires a single base/management/trusted network plus a guest network in a VLAN the configuration in post 61 https://forum.mikrotik.com/viewtopic.php?t=183962#p927539 was fine, it just needed ingress-filtering=yes on all bridge ports, frame-types=admit-all on ether2 & ether5 p...
by tdw
Sat Apr 23, 2022 5:07 pm
Forum: Beginner Basics
Topic: CRS326 as a switch, running basic ROS? [SOLVED]
Replies: 4
Views: 361

Re: CRS326 as a switch, running basic ROS? [SOLVED]

IIRC you need the security package for SSH. As you have an input firewall restricting access, specifying address= under /ip service is unnecessary. Using plain www is insecure, if winbox & SSH for management are not sufficient consider using www-ssl although you will have to create an import cer...
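As an added example (not part of the post above), the hardening the reply points at on a CRS3xx used as a switch: plaintext services off, HTTPS served from a certificate the device signs itself, and management reachability enforced once in the input chain rather than with address= on every service. The certificate names, the 192.168.88.0/24 management subnet and the address-list name are assumptions.

```routeros
# Added example, not from the forum post. Names and addresses are assumed.
# Apply from a console or inside /system safe-mode: the final input drop
# cuts off anything not matched above it.

# 1. Plaintext services off: www, telnet, ftp and api all carry the login
#    in the clear, and none is needed when winbox and ssh are available.
/ip service set [find name=www] disabled=yes
/ip service set [find name=telnet] disabled=yes
/ip service set [find name=ftp] disabled=yes
/ip service set [find name=api] disabled=yes
/ip ssh set strong-crypto=yes

# 2. HTTPS only if really wanted: a local CA plus a server certificate
#    signed by it. Import the CA into the admin browsers to stop the warnings.
/certificate add name=crs-ca common-name=crs-ca key-usage=key-cert-sign,crl-sign
/certificate sign crs-ca
/certificate add name=crs-www common-name=crs326.lan
/certificate sign crs-www ca=crs-ca
/ip service set www-ssl certificate=crs-www tls-version=only-1.2 disabled=no

# 3. One address-list and one input rule instead of address= per service.
/ip firewall address-list add list=mgmt address=192.168.88.0/24 comment="assumed management subnet"
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmp action=accept
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,443,8291 action=accept comment="ssh, https, winbox from mgmt only"
add chain=input action=drop comment="everything else to the switch itself"
```

With the input chain doing the filtering, a later change of management subnet is one address-list edit rather than a pass over every entry in /ip service, and the drop rule also covers services enabled later by accident.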
by tdw
Sat Apr 23, 2022 4:24 pm
Forum: Beginner Basics
Topic: Vlan configuration issue
Replies: 88
Views: 3779

Re: Vlan configuration issue

My reading of the IEEE 802.1Q spec is that the internal workings of the "bridge" (they never use the word switch) is that the spec treats the bridge device as a black box, i.e. the spec says nothing about the internal implementation, only the required external behavior for given inputs. S...
by tdw
Fri Apr 22, 2022 11:47 pm
Forum: Beginner Basics
Topic: Vlan configuration issue
Replies: 88
Views: 3779

Re: Vlan configuration issue

Per my previous post the TL-WA901ND likely only has untagged management access, and as the OP has a combined base/trusted/management VLAN it should be untagged on the Mikrotik port (so the AP management works), and the AP multi SSID settings use VLAN 1 (as on this particular TP-Link AP this means unt...
by tdw
Fri Apr 22, 2022 9:25 pm
Forum: Beginner Basics
Topic: Vlan configuration issue
Replies: 88
Views: 3779

Re: Vlan configuration issue

You are both going around in circles, in no particular order: The TL-WA901ND does not have an option to explicitly set a management VLAN ID which the EAPxxx models do, so it is likely that management access is always untagged. It is not clear if using an SSID with an associated VLAN ID 1 leads to tag...
by tdw
Fri Apr 22, 2022 7:49 pm
Forum: Virtualization
Topic: L2TP Bridging on CHR
Replies: 2
Views: 290

Re: L2TP Bridging on CHR

It could be a CHR bug or VM host issue, otherwise: From what I recall it is recommended to set the bridge MAC address to the address of any of the local bridge port members when using BCP. BCP is known not to work with VLAN-aware bridges, yours are OK unless you have redacted that setting from the c...
by tdw
Fri Apr 22, 2022 7:07 pm
Forum: Beginner Basics
Topic: Encrypted L2 Tunnel
Replies: 8
Views: 373

Re: Encrypted L2 Tunnel

I think you're confusing encrypted data transport with encrypted authentication. Once the CHAP or whatever stage is over, PPPoE is unencrypted.
Not necessarily - PPPoE supports MPPE for data encryption, not that 40-bit or 128-bit RC4 can be considered secure these days.
by tdw
Fri Apr 22, 2022 7:03 pm
Forum: Beginner Basics
Topic: Encrypted L2 Tunnel
Replies: 8
Views: 373

Re: Encrypted L2 Tunnel

For encryption at layer2 you need to be looking at MACsec. Note that if you bridge your subnet at either end and the untrusted link they will all be in the same broadcast domain with all the usual limitations, you should be able to avoid some of that using VLANs if the untrusted link supports them. ...
by tdw
Fri Apr 22, 2022 1:49 pm
Forum: RouterOS beta and rc versions
Topic: Unable to export configuration on hAP mini 7.1
Replies: 15
Views: 4488

Re: Unable to export configuration on hAP mini 7.1

Difficult to say, I have one running v7.2 which idles at around 5% when showing interfaces and resources in Winbox. Exporting a near factory-default configuration does now complete, but takes around 2 minutes at 100% CPU and wlan connections will sometimes disconnect. Upgrading to 7.2.1 eventually w...
by tdw
Tue Apr 19, 2022 7:38 pm
Forum: Beginner Basics
Topic: Vlan configuration issue
Replies: 88
Views: 3779

Re: Vlan configuration issue

The only problem that I still do not understand is that, I need to make Ether 2 and ether 5 (the trunk ports connected to smart switches or smart AP) in admit all mode, and not admit only tagged as per Anav's advice. If i use only tagged vlan option on these trunk ports I loose connectivity to the ...
by tdw
Thu Apr 14, 2022 2:11 pm
Forum: General
Topic: Can i add a package of a newer version of Mikrotik to older one? [SOLVED]
Replies: 2
Views: 346

Re: Can i add a package of a newer version of Mikrotik to older one? [SOLVED]

The version has to match.

Hopefully you are not using RouterOS 6.28 for anything important / have it exposed to the Internet as there are many critical security vulnerabilities which have been fixed in later versions.
by tdw
Mon Apr 11, 2022 6:21 pm
Forum: General
Topic: NAT64 and DNS64
Replies: 95
Views: 39785

Re: NAT64 and DNS64

DNS64 is incompatible with DNSSEC. As both Android & iOS have supported 464XLAT for a number of years I would expect this approach, a Stateless IP/ICMP Translator (SIIT) at the client and NAT64 at the provider, to become more widespread so Mikrotik support for this would be good.
by tdw
Mon Apr 11, 2022 3:28 pm
Forum: Forwarding Protocols
Topic: Can`t open connection to L2tp server via port forwarding
Replies: 3
Views: 327

Re: Can`t open connection to L2tp server via port forwarding

No, when NAT traversal is involved the IPsec ESP traffic is encapsulated in UDP. The initial IKE handshake uses UDP port 500, if NAT is detected in the path a switch to UDP port 4500 is made and this port is also used for encapsulated ESP. Once the IPsec connection is established the L2TP UDP port 1...
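Added example, not from the post: the NAT rules a RouterOS router in front of an L2TP/IPsec server needs, following the port usage described above. The WAN interface ether1 and the server address 192.168.88.10 are assumptions.

```routeros
# Added example, not from the forum post. ether1 (WAN) and 192.168.88.10
# (the internal L2TP/IPsec server) are assumed.
/ip firewall nat
# IKE: the initial handshake always arrives on UDP 500
add chain=dstnat in-interface=ether1 protocol=udp dst-port=500 action=dst-nat to-addresses=192.168.88.10 comment="IKE"
# NAT-T: once NAT is detected, IKE and UDP-encapsulated ESP both move to UDP 4500
add chain=dstnat in-interface=ether1 protocol=udp dst-port=4500 action=dst-nat to-addresses=192.168.88.10 comment="IKE and ESP in UDP (NAT-T)"
# Raw ESP (IP protocol 50) only matters for a peer that does not do NAT-T;
# there is no port to match, the whole protocol goes to the server
add chain=dstnat in-interface=ether1 protocol=ipsec-esp action=dst-nat to-addresses=192.168.88.10 comment="ESP without NAT-T"
# Deliberately no rule for UDP 1701: L2TP runs inside the IPsec tunnel and
# this router never sees it in the clear. Forwarding 1701 would only expose
# the L2TP server to unauthenticated traffic.
```

The default firewall's "drop all from WAN not DSTNATed" forward rule already lets dst-natted connections through, so nothing more is needed in the filter chain unless that default was changed. If the NAT router itself terminates IPsec on ether1 these rules hijack its own UDP 500/4500 traffic; in that case either terminate the VPN on the router or use a second public address.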
by tdw
Sat Apr 09, 2022 2:06 pm
Forum: Beginner Basics
Topic: Routerboard RB2011 UAS RM
Replies: 12
Views: 613

Re: Routerboard RB2011 UAS RM

OK, so the second WAN and LAN now use different subnets. The ISP route needs changing to use an address rather than interface per my earlier post. The mangle mark connection rules have the wrong logic, as written they apply PCC with a destination of 192.168.1.0/24 it should be not 192.168.1.0/24 . Y...
by tdw
Sat Apr 09, 2022 12:01 am
Forum: General
Topic: How to properly isolate (R/M)STP networks?
Replies: 6
Views: 463

Re: How to properly isolate (R/M)STP networks?

that sounds more like yes-discover which transitions immediately to edge, sends BPDUs and will become non-edge if BPDUs are received, similar to portfast on Cisco
by tdw
Fri Apr 08, 2022 5:25 pm
Forum: General
Topic: How to properly isolate (R/M)STP networks?
Replies: 6
Views: 463

Re: How to properly isolate (R/M)STP networks?

It certainly works with hardware offloading on the Qualcomm/Atheros chips in the smaller switches, and others have used it successfully on some CRS devices, so it may be a bug in the implementation for specific switch chips.
by tdw
Fri Apr 08, 2022 4:44 pm
Forum: Beginner Basics
Topic: Routerboard RB2011 UAS RM
Replies: 12
Views: 613

Re: Routerboard RB2011 UAS RM

Fasttrack and mangle rules do not work together, so there must be something else going on. You mention the DHCP client getting the same subnet as the router and 192.168.2.0, previously they were both 192.168.1.x so which has been changed? The latest configuration and acquired DHCP client address wou...
by tdw
Fri Apr 08, 2022 3:25 pm
Forum: Beginner Basics
Topic: Routerboard RB2011 UAS RM
Replies: 12
Views: 613

Re: Routerboard RB2011 UAS RM

You cannot have the same subnet for the LAN and either of the WANs. Unless you can change the 5G to use a different subnet, e.g. 192.168.2.0/24, you will have to change your LAN and all attached devices to something other than 192.168.1.0/24. If you can change the 5G device to be 192.168.2.254, for ...
by tdw
Fri Apr 08, 2022 3:10 pm
Forum: General
Topic: Bridge Setup with Failover
Replies: 1
Views: 135

Re: Bridge Setup with Failover

Use spanning tree (RSTP rather than the original STP), adjust the bridge priority on router 1 to make that the root device, set the path costs so the non-forwarding path is router2 - router 3. See https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol and https://help.mikrotik.com/docs/di...
by tdw
Fri Apr 08, 2022 12:54 am
Forum: Beginner Basics
Topic: Routerboard RB2011 UAS RM
Replies: 12
Views: 613

Re: Routerboard RB2011 UAS RM

With the original configuration clients could possibly have been using the ISP2 connection directly if they were assigned addresses directly from the 5G router. Presumably the two ISP devices use different subnets from each other, and not your LAN 192.168.1.0/24 either. Using gateway=SomeInterfaceNa...
by tdw
Thu Apr 07, 2022 11:10 pm
Forum: Beginner Basics
Topic: Routerboard RB2011 UAS RM
Replies: 12
Views: 613

Re: Routerboard RB2011 UAS RM

Without going through the configuration in detail a couple of obvious errors stand out: You have not removed ether2 being used for the second ISP connection from the LAN bridge /interface bridge port add bridge=bridge comment=defconf interface=ISP2 .... fasttrack has not been disabled, update the fi...
by tdw
Thu Apr 07, 2022 10:54 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 6
Views: 488

Re: IPv6 DS Lite

I'm not aware of a cut-and-paste example. There are also various reported issues with IPv6 Router Advertisements and DHCPv6 Prefix Discovery over PPPoE connections using RouterOS v7, hopefully fixed in the recently released v7.2. For IPv6 it should be a case of something based on the following which ...
by tdw
Thu Apr 07, 2022 7:56 pm
Forum: Beginner Basics
Topic: Routerboard RB2011 UAS RM
Replies: 12
Views: 613

Re: Routerboard RB2011 UAS RM

Random web sites, Youtube videos, etc. are often outdated, not optimal, or just wrong. There are code snippets in the wiki https://wiki.mikrotik.com/wiki/Manual:TOC and new help pages https://help.mikrotik.com/docs/ . With the recent release of RouterOS v7 some examples refer to v7 and older ones to ...
by tdw
Thu Apr 07, 2022 7:36 pm
Forum: General
Topic: How to properly isolate (R/M)STP networks?
Replies: 6
Views: 463

Re: How to properly isolate (R/M)STP networks?

At some point setting a bridge port edge=yes stops BPDUs from being sent and ignores any received. This is not mentioned in the old wiki but is in the new help pages, so not sure in which version it was introduced. It certainly works in v6.47.10 and v6.48.6, see https://help.mikrotik.com/docs/displa...
by tdw
Wed Apr 06, 2022 11:56 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 6
Views: 488

Re: IPv6 DS Lite

Once you have a working IPv6 connection it should be possible to use an IPIPv6 tunnel to connect with the AFTR, and as the ISP provides a DNS name something like: /interface ipipv6 add name=dslite1 remote-address=aftr.prod.m-online.net /ip address add address=192.0.0.2/29 interface=dslite1 /ip route...
by tdw
Wed Apr 06, 2022 10:44 pm
Forum: General
Topic: Switch Chip VLAN Switching in Software Bridge [SOLVED]
Replies: 23
Views: 1619

Re: Switch Chip VLAN Switching in Software Bridge [SOLVED]

Regarding post #9: Setting frame-types= and the definitions in /interface bridge vlan have no effect when the bridge has vlan-filtering=no . As noted in the documentation "On QCA8337 and Atheros8327 switch chips, a default vlan-header=leave-as-is property should be used. The switch chip will det...
by tdw
Wed Apr 06, 2022 10:17 pm
Forum: General
Topic: Copy speed via trunk simply too slow
Replies: 8
Views: 422

Re: Copy speed via trunk simply too slow

But I keep the Vlan99 config on both devices?
The VLAN is not necessary for trunk operation.
Do I add the two trunk ports to the bridge on the CRS123?
On the CRS125, yes. The /interface ethernet switch trunk settings combine the ports within the switch chip to form a trunk. On the hAP, no. The /int...
by tdw
Wed Apr 06, 2022 2:13 pm
Forum: General
Topic: send route to vpn l2tp
Replies: 2
Views: 218

Re: send route to vpn l2tp

You cannot push routes directly, Windows uses DHCP once the L2TP connection is established to retrieve additional routes. It may be possible to use L2TP-server bindings and create a DHCP server for each to do this on a Mikrotik, although I have not tried it. You can add static routes to VPN connecti...
by tdw
Wed Apr 06, 2022 1:41 pm
Forum: General
Topic: Copy speed via trunk simply too slow
Replies: 8
Views: 422

Re: Copy speed via trunk simply too slow

The problem is not the trunk itself, rather that you are routing 192.168.1.x -> 20.20.20.1 and 20.20.20.2 -> 192.168.2.x. The CRS models are designed to be wire-speed switches with limited IP services such as routing and firewalling. Use a single bridge on both Mikrotiks with the link between them a...
by tdw
Sun Apr 03, 2022 10:58 pm
Forum: General
Topic: Switch Chip VLAN Switching in Software Bridge [SOLVED]
Replies: 23
Views: 1619

Re: Switch Chip VLAN Switching in Software Bridge [SOLVED]

Use a bridge with vlan-filtering=no . You can configure specific VLANs on the hardware-offloaded ports ether1-ether5, however the software bridged ports will pass all tagged and untagged traffic. You can restrict VLANs between the switch chip and the software bridge by configuring the switch1 cpu sw...
by tdw
Sun Apr 03, 2022 7:29 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

Region should be set to comply with your country regulations, higher frequencies are generally better although from comments in the forum there have been issues with the uppermost available. Alignment on LHG and nRAY is critical (better than 1 degree), less so on Cube, and fairly relaxed on wAP 60G ...
by tdw
Sun Apr 03, 2022 7:16 pm
Forum: Beginner Basics
Topic: How to passthrough LTE with ipv4 and ipv6
Replies: 4
Views: 346

Re: How to passthrough LTE with ipv4 and ipv6

Does the carrier provide dual-stack IPv4 and IPv6 at the same time, or do they provide IPv6 with IPv4 tunneling support (e.g. DS-Lite, Lw4o6, 464XLAT, NAT64/DNS64 or MAP-T/E) which requires the client device to implement their end of the tunnel? Also you will likely get a /64 IPv6 address so you...
by tdw
Sat Apr 02, 2022 1:42 pm
Forum: Beginner Basics
Topic: PPPoE Client BT Broadband Bouncing and losing Internet
Replies: 6
Views: 417

Re: PPPoE Client BT Broadband Bouncing and losing Internet

Unlikely to be the FTTC connection itself. If it were just ether1 it could be the VDSL modem misbehaving, but as it is two ports at the same time it is most probably port flapping - there are a number of posts in the forums for some models which seem to suffer.
by tdw
Mon Mar 28, 2022 8:48 pm
Forum: Beginner Basics
Topic: factory reset, upgrade, and import rules
Replies: 6
Views: 438

Re: factory reset, upgrade, and import rules

From the link in their sig. yet another spammer
by tdw
Fri Mar 25, 2022 2:10 am
Forum: General
Topic: IPSec with preshared key and upgrade from v6 to v7
Replies: 1
Views: 194

Re: IPSec with preshared key and upgrade from v6 to v7

v6 /export is equivalent to v7 /export show-sensitive
v7 /export is equivalent to v6 /export hide-sensitive

There seem to be issues with IPsec in v7, e.g. viewtopic.php?t=180996
by tdw
Fri Mar 25, 2022 2:01 am
Forum: General
Topic: bridged vlan & leaking discovery question
Replies: 4
Views: 318

Re: bridged vlan & leaking discovery question

Likely it is Windows ignoring VLAN tags so any broadcast/multicast traffic tagged with VLAN ID 1234 will also be seen, you can check with Wireshark.
by tdw
Fri Mar 25, 2022 1:13 am
Forum: General
Topic: How to use a IPv6 only LTE connection on an established IPv4 LAN with non IPv6 capable devices
Replies: 4
Views: 288

Re: How to use a IPv6 only LTE connection on an established IPv4 LAN with non IPv6 capable devices

Router Advertisement, it is one of the functions provided by Neighbor Discovery Protocol (NDP) a.k.a. Neighbor Discovery (ND)
by tdw
Thu Mar 24, 2022 11:37 pm
Forum: General
Topic: How to use a IPv6 only LTE connection on an established IPv4 LAN with non IPv6 capable devices
Replies: 4
Views: 288

Re: How to use a IPv6 only LTE connection on an established IPv4 LAN with non IPv6 capable devices

I've found this https://www.ipv6.org.uk/wp-content/uplo ... 801207.pdf, in particular page 12, so unless EE have changed their planned architecture you will need something to provide the CLAT functionality of 464XLAT.
by tdw
Thu Mar 24, 2022 11:19 pm
Forum: General
Topic: How to use a IPv6 only LTE connection on an established IPv4 LAN with non IPv6 capable devices
Replies: 4
Views: 288

Re: How to use a IPv6 only LTE connection on an established IPv4 LAN with non IPv6 capable devices

Mobile/cellular carriers often only provide a single /64 and use the RFC7278 bodge. This is just about OK for a mobile with tethering, or a MiFi device with a single "LAN", but useless if it is in (or connected to) a router which requires a /64 per interface. Support for prefix delegation ...
by tdw
Thu Mar 24, 2022 2:16 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

Only the newer products have additional 5GHz radios - Cube 60G ac / Wireless Wire Cube, Cube 60Pro ac / Wireless Wire Cube Pro and CubeSA 60Pro ac
by tdw
Wed Mar 23, 2022 8:34 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

Check that the w60g interface region and channel are set for your regulatory requirements. You may wish to disable unused services and/or restrict access via your management VLAN, unless that is handled elsewhere. Newer firmware will have improvements, and various vulnerabilities are discovered in t...
by tdw
Wed Mar 23, 2022 6:07 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

If those are the exact configs you entered on the devices there is a line missing in the station: add bridge=bridge interface=wlan60-1 /interface vlan add interface=bridge name=MGMT vlan-id=30 without this the subsequent add will fail and there is no management interface to apply an IP address to. M...
by tdw
Wed Mar 23, 2022 3:36 am
Forum: General
Topic: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]
Replies: 21
Views: 900

Re: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]

Not all vendors' SFPs interoperate. Also an optical 1G SFP in a SFP+ cage requires the link speed to be forced to 1G full-duplex, e.g.
/interface ethernet set sfp-sfpplus4 auto-negotiation=no speed=1Gbps full-duplex=yes
by tdw
Wed Mar 23, 2022 3:06 am
Forum: General
Topic: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]
Replies: 21
Views: 900

Re: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]

Spanning tree may be ignored, but for the other ISP it obviously isn't if they have to apply filtering.

You didn't answer the question about how the AT&T modem is connected - it has RJ45 sockets for LAN connections, sfpplus4 where you were connecting it is an SFP cage.
by tdw
Wed Mar 23, 2022 2:51 am
Forum: General
Topic: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]
Replies: 21
Views: 900

Re: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]

It doesn't make sense to have a bridge port with frame-types=admit-only-untagged-and-priority-tagged and listed in bridge vlan tagged= , this will likely leak VLANs out. Other than that the configuration looks OK, as mentioned previously having a bridge port with edge=yes will stop BPDUs being sent ...
by tdw
Wed Mar 23, 2022 1:48 am
Forum: General
Topic: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]
Replies: 21
Views: 900

Re: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]

Post your configuration from /export hide-sensitive
by tdw
Tue Mar 22, 2022 11:17 pm
Forum: General
Topic: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]
Replies: 21
Views: 900

Re: Why does this work with Cisco and Not with Mikrotik-? [SOLVED]

interface SOMEPORT switchport mode access switchport access vlan P translates to /interface bridge port add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface= PORTNAME pvid= P this dynamically adds untagged membership to the VLAN in /interface bridge ...
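The mapping in the post above carried through to a complete bridge (added example, not from the post): a Cisco access port on VLAN 10 and a Cisco trunk carrying VLANs 10 and 20 with no native VLAN. The port names ether2 and ether3 and the VLAN IDs are assumptions.

```routeros
# Added example, not from the forum post. ether2, ether3 and VLANs 10/20 are assumed.
/interface bridge add name=bridge vlan-filtering=no

# "switchport mode access" / "switchport access vlan 10":
# untagged frames in get VLAN 10 from the pvid, tagged frames are refused,
# and ingress-filtering drops anything for a VLAN the port is not a member of
/interface bridge port add bridge=bridge interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# "switchport mode trunk" / "switchport trunk allowed vlan 10,20" with no native VLAN:
# admit-only-vlan-tagged refuses untagged frames, so nothing can slip in on pvid 1
/interface bridge port add bridge=bridge interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# VLAN table. The trunk is a tagged member of both VLANs; ether2's untagged
# membership of VLAN 10 is added dynamically from its pvid, so it is not listed
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=ether3
add bridge=bridge vlan-ids=20 tagged=ether3

# Switch filtering on last, once the memberships above exist
/interface bridge set bridge vlan-filtering=yes
```

Enable vlan-filtering from a console session or inside safe mode: once it is on, the bridge itself only receives frames for VLANs it is listed in, so a management address sitting on the bridge stops answering unless the bridge has been added as a tagged or untagged member of that VLAN first.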
by tdw
Tue Mar 22, 2022 8:53 pm
Forum: Beginner Basics
Topic: new ISP wants PPPoE connection with tagged VLAN - need some guidance
Replies: 15
Views: 980

Re: new ISP wants PPPoE connection with tagged VLAN - need some guidance

You will not be able to access the Mikrotik itself as the VPN connections are not part of the LAN interface list due to add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN You can either allow input from everything other than the WAN by replac...
by tdw
Tue Mar 22, 2022 8:24 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

You have not configured the AP settings as suggested previously. Until the wireless link is established and you can ping the station from the AP there is absolutely no point in trying to connect clients beyond the station. It may be worth setting a password for the wireless link, I don't know how w6...
by tdw
Mon Mar 21, 2022 10:01 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

By default management access will be untagged, as in your original configuration: /ip address add address=10.55.5.61/24 interface=bridge network=10.55.5.0 If you require management access to be tagged a VLAN interface is also required, for example to use VLAN 60: /interface vlan add interface=bridge...
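Added example, not from the post: the two alternatives the reply describes side by side, untagged management on the bridge versus management moved to a tagged VLAN 60, plus the input rule that makes the tagged variant worth doing. The 10.55.5.61/24 address comes from the post; ether1 as the uplink, the MGMT names and the VLAN ID are assumptions.

```routeros
# Added example, not from the forum post. ether1, VLAN 60 and the MGMT names are assumed.

# (a) Untagged management, as in the original configuration. On a VLAN-filtering
#     bridge the bridge itself is an untagged member of its pvid (1 by default),
#     so any host that can send untagged frames into any port reaches this address:
#     /ip address add address=10.55.5.61/24 interface=bridge

# (b) Tagged management on VLAN 60. The address moves to a VLAN interface on top
#     of the bridge, and the bridge is made a tagged member of 60 so the CPU
#     actually receives those frames from the uplink.
/interface vlan add interface=bridge name=MGMT vlan-id=60
/interface bridge vlan add bridge=bridge vlan-ids=60 tagged=bridge,ether1
/ip address remove [find interface=bridge]
/ip address add address=10.55.5.61/24 interface=MGMT

# Moving the address only helps if the input chain insists on that path:
# management sessions must arrive on MGMT, from the management subnet.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=MGMT src-address=10.55.5.0/24 protocol=tcp dst-port=22,8291 action=accept comment="ssh and winbox via VLAN 60 only"
add chain=input action=drop
```

Without the input rule a host on an untagged port could still reach the address through the bridge's own VLAN 1 membership if an address is ever re-added there; the rule ties management to the VLAN interface rather than to an address alone.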
by tdw
Mon Mar 21, 2022 7:57 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

If the bridge has vlan-filtering=no (doesn't appear in /export as it is the default) it will transparently pass any tags
by tdw
Mon Mar 21, 2022 5:02 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

An established wireless connection is only part of process, the bridges are required to complete the path ethernet === bridge === wireless ----- wireless === bridge === ethernet. You could have modified the existing configurations rather than resetting the devices. If they are individual devices the...
by tdw
Fri Mar 18, 2022 10:25 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

From some old configs, AP: /interface bridge add name=bridge1 protocol-mode=none /interface w60g set [ find ] disabled=no mode=bridge name=wlan60-1 ssid=HN-PtP-01 put-stations-in-bridge=bridge /interface w60g station add mac-address=48:8F:5A:DA:9F:33 name=wlan60-station-1 parent=wlan60-1 remote-addr...
by tdw
Fri Mar 18, 2022 9:27 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

Does Quickset handle W60G interfaces correctly? The configuration is much different to regular 2.4/5GHz WLAN interfaces.
by tdw
Fri Mar 18, 2022 5:02 pm
Forum: Wireless Networking
Topic: station mode WPA2 Enterprise
Replies: 1
Views: 179

Re: station mode WPA2 Enterprise

Mikrotik support for EAP methods as a client/station is limited to EAP-TLS, EAP-TTLS-MSCHAPv2 or PEAP (likely EAP-PEAP-MSCHAPv2). See https://help.mikrotik.com/docs/display/ROS/Wireless+Interface#WirelessInterface-WPAEAPproperties for a general description, although it seems inaccurate/incomplete in...
by tdw
Fri Mar 18, 2022 4:29 pm
Forum: Wireless Networking
Topic: Wireless bridge with Cisco switches [SOLVED]
Replies: 39
Views: 1799

Re: Wireless bridge with Cisco switches [SOLVED]

Those configs will not pass any traffic. Use the factory default configuration, just change the IP address, plus SSID & password if desired.
by tdw
Fri Mar 18, 2022 1:39 pm
Forum: Beginner Basics
Topic: Vlan configuration issue
Replies: 88
Views: 3779

Re: Vlan configuration issue

Unlikely. The OP states it is working with VLAN 10 which is tagged, but not with untagged traffic.
by tdw
Fri Mar 18, 2022 1:29 pm
Forum: Beginner Basics
Topic: CRS 3xx switch and management VLAN
Replies: 1
Views: 180

Re: CRS 3xx switch and management VLAN

Yes. If management access is configured to be from a specific VLAN you either need one of the ports set to be an access port on that VLAN, or with a trunk port something else on the network to apply the VLAN tag. The documentation covers all of the scenarios for management on a CRS3xx https://help.m...
by tdw
Fri Mar 18, 2022 12:20 am
Forum: General
Topic: SSH service not working
Replies: 8
Views: 479

Re: SSH service not working

OK, does your ISP filter any well-known ports such as SSH?
by tdw
Thu Mar 17, 2022 10:43 pm
Forum: Beginner Basics
Topic: Basic IPv6 Setup - prefix from ISP
Replies: 14
Views: 955

Re: Basic IPv6 Setup - prefix from ISP

That is down to Mikrotik CLI quirks, use ping [:resolve ipv6.google.com]
by tdw
Thu Mar 17, 2022 10:28 pm
Forum: General
Topic: Winbox login through radius
Replies: 25
Views: 13411

Re: Winbox login through radius

Unless it is directly related it is considered bad practice to resurrect ancient threads, start a new topic including all the relevant information - User Manager is completely different from using AD, NPS or FreeRADIUS, and the authentication method used by Winbox has changed. Having used FreeRADIU...
by tdw
Thu Mar 17, 2022 9:34 pm
Forum: General
Topic: Winbox login through radius
Replies: 25
Views: 13411

Re: Winbox login through radius

Why bump an almost 8 year old thread? If you had actually checked Mikrotik changed the login service authentication to MSCHAPv2 in v6.43 almost four years ago which will work with either plaintext or NTLM hashes / Active Directory.
by tdw
Thu Mar 17, 2022 6:10 pm
Forum: Beginner Basics
Topic: RB3011 can't connect to modem
Replies: 2
Views: 249

Re: RB3011 can't connect to modem

"ip dhcp-client print" returns: Flags: X - disabled, I - invalid, D - dynamic That means that the dhcp-client of the rb3011-router is disabled
No, that is a list of the possible flags. The original post has # INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS 0 I ;;; defconf ether1 y...
by tdw
Thu Mar 17, 2022 3:44 pm
Forum: General
Topic: SSH service not working
Replies: 8
Views: 479

Re: SSH service not working

Do you have a public IP on the Mikrotik itself? Many ISPs are resorting to CGNAT to conserve IPv4 addresses, if this is the case the WAN address on the Mikrotik will likely be in the range 100.64.0.0-100.127.255.255 (or less likely 10.x.x.x, 172.16.0.0-172.31.255.255, or 192.168.x.x) and inbound acc...
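Added example, not from the post: a RouterOS script that classifies the address the WAN DHCP client received, so the CGNAT case above is caught before time is spent on firewall rules. It assumes the DHCP client runs on ether1.

```routeros
# Added example, not from the forum post. Assumes a DHCP client on ether1.
:local id [/ip dhcp-client find interface=ether1]
:if ([:len $id] = 0) do={ :error "no DHCP client on ether1" }
:local wanCidr [/ip dhcp-client get $id address]
:if ([:len $wanCidr] = 0) do={ :error "DHCP client on ether1 has no lease yet" }

# the address property is "a.b.c.d/len"; keep the address part only
:local wan [:toip [:pick $wanCidr 0 [:find $wanCidr "/"]]]

# CGNAT shared space first (RFC 6598), then the RFC 1918 ranges
:local reason ""
:if ($wan in 100.64.0.0/10) do={ :set reason "CGNAT shared space 100.64.0.0/10" }
:if ($wan in 10.0.0.0/8) do={ :set reason "RFC 1918 10.0.0.0/8" }
:if ($wan in 172.16.0.0/12) do={ :set reason "RFC 1918 172.16.0.0/12" }
:if ($wan in 192.168.0.0/16) do={ :set reason "RFC 1918 192.168.0.0/16" }

:if ([:len $reason] = 0) do={
    :log info ("WAN address " . $wan . " is public; inbound SSH can work if the ISP does not filter the port")
} else={
    :log warning ("WAN address " . $wan . " is in " . $reason . "; inbound connections cannot reach this router without an outbound VPN or a mapping from the ISP")
}
```

Run it from /system script or paste it into a terminal; the verdict appears in /log. A public address only says the path is not blocked by NAT, the ISP filtering mentioned in the reply above still has to be ruled out separately.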
by tdw
Thu Mar 17, 2022 1:54 pm
Forum: Beginner Basics
Topic: Using /28 IP behind Mikrotik
Replies: 6
Views: 496

Re: Using /28 IP behind Mikrotik

No, that is the gateway address to set on the additional hosts. The Mikrotik should have a route from having add-default-route=yes in /interface pppoe-client
by tdw
Thu Mar 17, 2022 5:09 am
Forum: General
Topic: SSH service not working
Replies: 8
Views: 479

Re: SSH service not working

The permitted external address for SSH in /ip services does not match either of the addresses in the /ip firewall address-list named support.
by tdw
Thu Mar 17, 2022 3:16 am
Forum: General
Topic: CRS328-4c-20s-4s+ learning its own mac address [SOLVED]
Replies: 1
Views: 195

Re: CRS328-4c-20s-4s+ learning its own mac address [SOLVED]

Normal behaviour. The L flag indicates the address is local, whereas the E flag indicates the address is external. With independent VLAN learning (IVL) each VLAN is treated separately in the forwarding database (FDB).
by tdw
Thu Mar 17, 2022 1:51 am
Forum: Beginner Basics
Topic: Using /28 IP behind Mikrotik
Replies: 6
Views: 496

Re: Using /28 IP behind Mikrotik

1.1.1.82/28 (or 1.1.1.82 with netmask 255.255.255.240) and gateway 1.1.1.81
by tdw
Wed Mar 16, 2022 6:26 pm
Forum: Beginner Basics
Topic: Using /28 IP behind Mikrotik
Replies: 6
Views: 496

Re: Using /28 IP behind Mikrotik

Is the WAN connection (presumably PPPoE rather than actual PPP on a serial port) part of the /28, i.e. are you assigned 1.1.1.81/28? (I'm assuming 1.1.1.81 is not the real address) If this is the case just add 1.1.1.81/28 as the address of the bridge interface, hosts connected to ether2 or ether3 can use...
by tdw
Wed Mar 16, 2022 2:14 pm
Forum: Beginner Basics
Topic: Bridge VLANS hEX S v7.2rc4 /interface bridge vlan print [SOLVED]
Replies: 11
Views: 894

Re: Bridge VLANS hEX S v7.2rc4 /interface bridge vlan print [SOLVED]

Property frame-types is about ingress filtering and thus has nothing to do with untagging on egress. Property pvid does though ... when set, it is this setting that implicitly adds port as untagged to VLAN used and will untag frames on egress.
However frame-types does modify untagged membership, when ...
by tdw
Wed Mar 16, 2022 2:09 pm
Forum: Beginner Basics
Topic: Basic IPv6 Setup - prefix from ISP
Replies: 14
Views: 955

Re: Basic IPv6 Setup - prefix from ISP

No. As the Mikrotik DHCPv6 server can only provide prefixes and other information, but not addresses, you need managed-address-configuration=no
by tdw
Wed Mar 16, 2022 12:28 pm
Forum: Beginner Basics
Topic: Basic IPv6 Setup - prefix from ISP
Replies: 14
Views: 955

Re: Basic IPv6 Setup - prefix from ISP

Did you set accept-router-advertisements=yes too?
by tdw
Wed Mar 16, 2022 2:02 am
Forum: Beginner Basics
Topic: Basic IPv6 Setup - prefix from ISP
Replies: 14
Views: 955

Re: Basic IPv6 Setup - prefix from ISP

The DHCPv6 client add-default-route=yes is a hacky bodge. There is no default gateway information provided by DHCPv6, the client uses the address of the DHCPv6 server from which the address/prefix/other information was received - this works if the DHCPv6 server and the default gateway are the same h...
by tdw
Tue Mar 15, 2022 8:56 pm
Forum: Beginner Basics
Topic: new ISP wants PPPoE connection with tagged VLAN - need some guidance
Replies: 15
Views: 980

Re: new ISP wants PPPoE connection with tagged VLAN - need some guidance

@tdw - you're right that it is a UK FTTC connection, in fact, there are going to be two lines going into the CISCO C1117-MP4 $$$ box so there is a backup "fail-over" line. I did try and speak with the support people at the ISP last night but he didn't really understand if that was the rea...
by tdw
Tue Mar 15, 2022 2:00 pm
Forum: Beginner Basics
Topic: Bridge VLANS hEX S v7.2rc4 /interface bridge vlan print [SOLVED]
Replies: 11
Views: 894

Re: Bridge VLANS hEX S v7.2rc4 /interface bridge vlan print [SOLVED]

Is there a winbox setting to unhide the tagged and untagged? There aren't any columns I see even expanding the screen Right-click within any of the child windows, the context menu has Show Columns... I normally have all excepting Untagged selected as there are no untagged= entries in the /interface...
by tdw
Mon Mar 14, 2022 7:36 pm
Forum: General
Topic: Mangle Echo Replay From WAN Fail
Replies: 6
Views: 319

Re: Mangle Echo Replay From WAN Fail

I'm not wading through all of that, a couple of obvious issues: using gateway=INTERFACE is only valid for point-to-point links; the mangle rules only apply to outbound packets, typically you mark a connection then apply a routing mark based on the connection mark.
by tdw
Mon Mar 14, 2022 7:15 pm
Forum: Beginner Basics
Topic: new ISP wants PPPoE connection with tagged VLAN - need some guidance
Replies: 15
Views: 980

Re: new ISP wants PPPoE connection with tagged VLAN - need some guidance

Only use quickset once. If any other changes are made through winbox/webfig using it again will break your configuration in random ways. As there are master-port=ether2-master-local statements in your configuration you are running an old, insecure, remotely exploitable version of RouterOS. There may...
by tdw
Mon Mar 14, 2022 5:00 pm
Forum: General
Topic: 2 ways to associate bridge and VLAN
Replies: 22
Views: 1294

Re: 2 ways to associate bridge and VLAN

No. Looking at https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-OverallPacketflowDiagram and with /interface vlan interface=ether1 name=vlan2-ether1 vlan-id=2 as an example: When a packet tagged with VLAN ID 2 arrives via ether1 the flow is In-interface bridge ...
by tdw
Mon Mar 14, 2022 2:57 am
Forum: Forwarding Protocols
Topic: (re)distribute IPSec route via OSPF
Replies: 10
Views: 2939

Re: (re)distribute IPSec route via OSPF

IPsec typically is policy-based so anything matching policies is intercepted for processing, see the IPsec policies in https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-LogicalInterfaces , not route-based hence no routes to redistribute. Some vendors have virtua...
by tdw
Sat Mar 12, 2022 4:14 pm
Forum: General
Topic: RoMON not work over trunk
Replies: 4
Views: 667

Re: RoMON not work over trunk

Do the Cisco switches block the RoMON multicast address [01:80:c2:00:88:bf] or ethertype 0x88bf due to either a bug or IGMP filtering? Some other switches seem to have issues, e.g. https://community.cisco.com/t5/small-business-switches/how-to-report-a-bug-without-a-contract-sg200-switch/td-p/4307249
by tdw
Sat Mar 12, 2022 3:55 am
Forum: General
Topic: 2 ways to associate bridge and VLAN
Replies: 22
Views: 1294

Re: 2 ways to associate bridge and VLAN

The majority of /interface (you can omit inbound/outbound tunnels) and /ip hotspot . As you have connectivity without the hotspot enabled it is unlikely to be anything in /ip address or /ip dhcp-server , but it could still be something in /ip firewall filter especially if you have many rules. As sug...
by tdw
Fri Mar 11, 2022 5:52 pm
Forum: Scripting
Topic: Need DHCP Lease Script to limit agent-remote-id (CPE Mac) to 1 IP address
Replies: 4
Views: 255

Re: Need DHCP Lease Script to limit agent-remote-id (CPE Mac) to 1 IP address

The OP is likely using a bridged wireless CPE, and to avoid having to register the MAC addresses of the client router, wishes to use relay agent information to determine which client site is connecting. If the client connected a switch in place of the router and connected multiple devices they could...
by tdw
Fri Mar 11, 2022 5:26 pm
Forum: General
Topic: 2 ways to associate bridge and VLAN
Replies: 22
Views: 1294

Re: 2 ways to associate bridge and VLAN

Cisco default VLAN is set to 1. I *thought* that is different from 'untagged vlan'...which I thought meant no tag Untagged does indeed mean there is no VLAN tag and therefore no VLAN ID. but as I learn more I'm seeing some documentation that seems to treat vlan 1 as untagged. It depends on the hardw...
by tdw
Fri Mar 11, 2022 2:47 pm
Forum: Scripting
Topic: Need DHCP Lease Script to limit agent-remote-id (CPE Mac) to 1 IP address
Replies: 4
Views: 255

Re: Need DHCP Lease Script to limit agent-remote-id (CPE Mac) to 1 IP address

The script is executed after a lease is assigned or de-assigned, you cannot use them to process options before a lease is assigned. You could use a third-party DHCP server.
by tdw
Fri Mar 11, 2022 2:36 pm
Forum: Beginner Basics
Topic: Question about SFP optics
Replies: 3
Views: 332

Re: Question about SFP optics

That SFP appears to be 100Mbit, not gigabit, so you could try forcing the interface speed to 100M/Full. However, the hEX PoE is not listed in the compatibility table for that speed https://wiki.mikrotik.com/wiki/MikroTik_wired_interface_compatibility#SFP_interface_compatibility_with_100M_optical_tra...
by tdw
Thu Mar 10, 2022 7:19 pm
Forum: Beginner Basics
Topic: Vlan configuration issue
Replies: 88
Views: 3779

Re: Vlan configuration issue

No! The OP has untagged devices attached to the unmanaged switch, the main network should remain untagged on the connection from the Mikrotik to the switch. Whilst piggybacking a tagged network on top of this setup is not ideal, as all the regular attached devices will receive the VLAN-encapsulated ...
by tdw
Wed Mar 09, 2022 9:55 pm
Forum: Beginner Basics
Topic: Setting up RouterOS as a switch with RoaS
Replies: 28
Views: 1543

Re: Setting up RouterOS as a switch with RoaS

You only require /interface vlan definitions if the Mikrotik itself requires access to the VLANs through the CPU - bridge interface. For VLANs merely passing through the bridge between external bridge ports they are not required.
by tdw
Wed Mar 09, 2022 3:53 pm
Forum: Beginner Basics
Topic: Does it matter ...
Replies: 1
Views: 193

Re: Does it matter ...

You should only ever use Quickset once (for a basic single LAN to WAN setup), or never (and perform all of the configuration manually).

After you make changes through Winbox / Webfig, especially to networks, VLANs, firewall rules, etc., running Quickset again will cause undefined changes.
by tdw
Tue Mar 08, 2022 3:37 pm
Forum: General
Topic: CRS212 Tagged VLAN doesn't work
Replies: 2
Views: 191

Re: CRS212 Tagged VLAN doesn't work

Do not set vlan-filtering=yes on CRS1xx/2xx as this disables hardware switching and ignores any configuration under /interface ethernet switch ...
by tdw
Tue Mar 08, 2022 3:28 am
Forum: General
Topic: PPTP client choking on MPPE requirement
Replies: 1
Views: 183

Re: PPTP client choking on MPPE requirement

That error indicates the client requires MPPE so setting the server profile use-encryption=no will certainly cause the connection to fail. If you want an unencrypted connection configure the client not to ask for one. If you want an encrypted connection configure the PPTP server authentication=mscha...
by tdw
Mon Mar 07, 2022 2:58 pm
Forum: Scripting
Topic: Assign local-address on-script PPP profile [SOLVED]
Replies: 5
Views: 443

Re: Assign local-address on-script PPP profile [SOLVED]

I do not believe there are any RADIUS attributes to set the local address directly as Framed-IP-Address or Framed-Pool specify the remote client address. If there are only a few local addresses required the Mikrotik-Group attribute does allow selection of a PPP profile containing the desired address.
by tdw
Sun Mar 06, 2022 1:38 am
Forum: Beginner Basics
Topic: Firewall disrupting email and receiving plain DNS replies
Replies: 5
Views: 316

Re: Firewall disrupting email and receiving plain DNS replies

Help figuring out why I'm being bombarded with incoming DNS replies from port 53 on servers I don't use. If you have a public IP address you will be scanned from random addresses to well known ports. It is important to block new inbound DNS packets otherwise you will get used for DDoS amplification...
by tdw
Sun Mar 06, 2022 1:27 am
Forum: General
Topic: RouterOS 7 Bridge VLAN/DHCP client issue after upgrade
Replies: 22
Views: 1700

Re: RouterOS 7 Bridge VLAN issue after upgrade

But thinking a bit more about this, and the CPU/integrated switch ASIC RGMII link, if all tagging/untagging is being done by the CPU, then ROS must be creating a trunk link between the switch ASIC and the CPU "under the covers". I am trying to figure out how this is done. Certainly for th...
by tdw
Sun Mar 06, 2022 1:03 am
Forum: General
Topic: WOL + Bonding / force Frame to Interface?
Replies: 2
Views: 179

Re: WOL + Bonding / force Frame to Interface?

No. Bonding just presents an interface - you pass a packet to it, the egress interface is chosen based on the packet header and hash type selected. If the QNAP doesn't listen on all interfaces for WoL packets it should leave the ones on which it does not in the down state, the transmitting device wi...
by tdw
Sat Mar 05, 2022 6:41 pm
Forum: Beginner Basics
Topic: issue with dhcp-server and vlans and console access [SOLVED]
Replies: 13
Views: 994

Re: issue with dhcp-server and vlans and console access [SOLVED]

Three? There are four VLANs. Also /interface bridge .... add name=bridge1 should be /interface bridge .... add name=bridge1 vlan-filtering=yes Without that the bridge behaves like an unmanaged switch passing any untagged or tagged traffic between all ports which explains the fixed vlan ether ports d...
by tdw
Sat Mar 05, 2022 5:28 pm
Forum: Beginner Basics
Topic: issue with dhcp-server and vlans and console access [SOLVED]
Replies: 13
Views: 994

Re: issue with dhcp-server and vlans and console access [SOLVED]

I've not checked the entire configuration but the obvious omission is the bridge-to-CPU interface in the bridge VLAN settings: /interface bridge vlan add bridge=bridge1 tagged= bridge1, ether2,ether3,ether6,sfp-sfpplus1 untagged=ether5,ether4 vlan-ids=110 add bridge=bridge1 tagged= bridge1, ether2,e...
by tdw
Sat Mar 05, 2022 3:16 pm
Forum: Beginner Basics
Topic: DLNA Server not reachable across VLANs
Replies: 7
Views: 518

Re: DLNA Server not reachable across VLANs

Or set up a DLNA proxy or forwarder on something attached to all of the VLANs. People have used Raspberry Pi, or similar small low power computing devices; alternatively you could run something in a container or VM if you have a suitable host, e.g. some NAS have this facility.
by tdw
Sat Mar 05, 2022 3:06 pm
Forum: General
Topic: RouterOS 7 Bridge VLAN/DHCP client issue after upgrade
Replies: 22
Views: 1700

Re: RouterOS 7 Bridge VLAN issue after upgrade

The original configuration, setting a PVID on the bridge-to-CPU interface making it an access port, is absolutely fine, others may not have realised this is not your router and so does not require all of the VLANs trunked to the CPU. You can test the hardware-offloaded switching hypothesis by se...
by tdw
Fri Mar 04, 2022 7:55 pm
Forum: RouterOS beta and rc versions
Topic: CRS318 and L3HW routing
Replies: 26
Views: 3593

Re: CRS318 and L3HW routing

And for inter-VLAN routing you also need
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
by tdw
Fri Mar 04, 2022 4:41 pm
Forum: General
Topic: LLDP Issue - See all devices [SOLVED]
Replies: 3
Views: 345

Re: LLDP Issue - See all devices [SOLVED]

If a bridge has protocol-mode=none it will forward packets with a destination MAC address 01:80:C2:00:00:0x, this is not compliant with 802.1D but has its uses. If you set protocol-mode=rstp , and optionally edge=yes on all of the bridge ports if you do not want to send/receive spanning-tree BPDUs, ...
by tdw
Fri Mar 04, 2022 12:27 am
Forum: Beginner Basics
Topic: Setting up RouterOS as a switch with RoaS
Replies: 28
Views: 1543

Re: Setting up RouterOS as a switch with RoaS

Use a single VLAN-aware bridge, note that the bridging will be done in software so you are unlikely to achieve gigabit throughput on ether1-5/sfp1 on a 2011. There is no easy way to use the switch chips directly if you wish to use ports on both switches with hardware offloading, see https://help.mikrotik...
by tdw
Fri Mar 04, 2022 12:17 am
Forum: General
Topic: MAC-based radius auth
Replies: 6
Views: 298

Re: MAC-based radius auth

I also recall there is a Juniper white paper discussing PPPoE and IPoE in broadband networks, although it is mainly aimed at DSL / FTTx networks it has some applicability to fixed wireless too so might be worth a search for.
by tdw
Fri Mar 04, 2022 12:10 am
Forum: General
Topic: MAC-based radius auth
Replies: 6
Views: 298

Re: MAC-based radius auth

The DHCP server receives a DHCP request from the customer device, issues a RADIUS request based on the DHCP request and will offer a DHCP lease if a RADIUS Access-Accept is received - there is no caching. I'm not sure how the Mikrotik handles DHCP renews if you change the rate limits, and I recall t...
by tdw
Thu Mar 03, 2022 5:59 pm
Forum: General
Topic: MAC-based radius auth
Replies: 6
Views: 298

Re: MAC-based radius auth

You have nowhere where ethernet traffic is blocked until authorised. At most you can control IP address assignment to the customer router by configuring the DHCP server on the Mikrotik to use RADIUS, the Access-Accept can configure a simple queue in addition to the IP address handed to the customer.
by tdw
Thu Mar 03, 2022 1:59 am
Forum: General
Topic: MAC-based radius auth
Replies: 6
Views: 298

Re: MAC-based radius auth

It depends on how the LAN-connected computers are attached - if they are using PPPoE clients you would already have a PPPoE server configured on the Mikrotik, and these authenticate with username/password. With regular IP-over-ethernet a common method is to use 802.1X https://help.mikrotik.com/docs/...
by tdw
Wed Mar 02, 2022 1:58 pm
Forum: General
Topic: MikroTik CRS328-4C-20S-4S+ bonding to Cisco 2960S
Replies: 6
Views: 347

Re: MikroTik CRS328-4C-20S-4S+ bonding to Cisco 2960S

I was thinking more of source+destination MAC being a better choice than source MAC only, which is the Cisco default, for layer 2. The Cisco may only support MAC (src, dst, src+dst) OR IP (src, dst, src+dst) methods, not any combined MAC+IP / layer2+layer3 ones which are often better.
by tdw
Tue Mar 01, 2022 9:38 pm
Forum: General
Topic: MikroTik CRS328-4C-20S-4S+ bonding to Cisco 2960S
Replies: 6
Views: 347

Re: MikroTik CRS328-4C-20S-4S+ bonding to Cisco 2960S

The bond member through which data is sent is determined purely by the sending end - so Cisco for Cisco->Mikrotik packets and Mikrotik for Mikrotik->Cisco packets. Using Source MAC address for EtherChannel Load Balancing on the Cisco appears to be the worst choice for your use case, and layer 2 on t...
by tdw
Mon Feb 28, 2022 10:01 pm
Forum: General
Topic: IPv6 NAT T-Mobile Home Internet
Replies: 10
Views: 736

Re: IPv6 NAT T-Mobile Home Internet

Mobile/cellular carriers often only provide a single /64 and use the RFC7278 bodge. This is just about OK for a mobile with tethering, or a MiFi device with a single "LAN", but useless if it is in (or connected to) a router which requires a /64 per interface. Support for prefix delegation ...
by tdw
Sun Feb 27, 2022 8:17 pm
Forum: Beginner Basics
Topic: No internet on LAN port with VLAN20
Replies: 5
Views: 419

Re: No internet on LAN port with VLAN20

The 'old way' of using multiple bridges can lead to many misconfiguration issues https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration . Inter-VLAN, WAN and WiFi traffic are always handled by the CPU, using the switch chip only offloads port-to-port traffic so is rarely worth the additi...
by tdw
Sun Feb 27, 2022 3:48 pm
Forum: General
Topic: Change from NAT to PPPoE?
Replies: 3
Views: 295

Re: Change from NAT to PPPoE?

Yes. Start from the default configuration on the Mikrotik, connect ether1 to your existing router and the Mikrotik will use DHCP to acquire an IP address. Configure the LAN-side VLANs as desired, a single VLAN-aware bridge and hybrid ports are the most straightforward method when interworking with U...
by tdw
Sun Feb 27, 2022 2:41 pm
Forum: General
Topic: What mikrotik do i need for 12U colocation?
Replies: 6
Views: 504

Re: What mikrotik do i need for 12U colocation?

I am seriously considering this https://mikrotik.com/product/crs326_24s_2q_rm but only if the routing performance will be good enough for me Will use RouterOS v7 on it question now is will the routing performance be great enough for my 12U setup? Anyone know where I can get the performance results f...
by tdw
Sat Feb 26, 2022 7:09 pm
Forum: Beginner Basics
Topic: Lost access to RG750gr3 Vlan with my config [SOLVED]
Replies: 6
Views: 693

Re: Lost access to RG750gr3 Vlan with my config [SOLVED]

There is no path defined for data between the bridge and the CPU, hence no communication possible. Also, the 750 does not require multiple interface VLANs and IP addresses unless you really want to access it from all of the VLANs - typically you would have one 'management' VLAN. The mixed use of ser...
by tdw
Fri Feb 25, 2022 8:11 pm
Forum: General
Topic: IPv6 from LTE connection
Replies: 13
Views: 843

Re: IPv6 from LTE connection

Likely carrier-grade NAT (CGNAT) between the public IP address and that assigned to your WAN connection. As with regular NAT this allows the carrier to provide access to several clients sharing a single public IP address. Your local WAN address will likely be in the range 100.64.0.0-100.127.255.255 ...
by tdw
Fri Feb 25, 2022 5:52 pm
Forum: General
Topic: IPv6 from LTE connection
Replies: 13
Views: 843

Re: IPv6 from LTE connection

You need a /64 subnet for the WAN and each LAN, mobile/cellular carriers often only provide a single /64 and use the RFC7278 bodge. This is just about OK for a mobile with tethering, or a MiFi device with a single "LAN", but useless if it is in (or connected to) a router which requires a /...
by tdw
Thu Feb 24, 2022 7:28 pm
Forum: General
Topic: Slower than expected wired throughput between switch and router
Replies: 5
Views: 377

Re: Slower than expected wired throughput between switch and router

With hardware offload on ether1-5 & the SFP you will achieve gigabit wire-speed switching between ports, but as soon as the CPU is involved performance will be limited. With a 2011 a few hundred Mbps is achievable.
by tdw
Thu Feb 24, 2022 7:05 pm
Forum: General
Topic: Slower than expected wired throughput between switch and router
Replies: 5
Views: 377

Re: Slower than expected wired throughput between switch and router

You should use something else to send and receive bandwidth test data, not the devices you are testing the link between. This is especially true of devices with low performance CPUs such as the 2011.
by tdw
Wed Feb 23, 2022 2:25 pm
Forum: General
Topic: Disable BPDU sending on one port [SOLVED]
Replies: 4
Views: 508

Re: Disable BPDU sending on one port [SOLVED]

Set edge=yes for the interface bridge port. I do not recall when this feature was added, it is mentioned in the help pages but not the old wiki.
by tdw
Fri Feb 18, 2022 4:57 pm
Forum: General
Topic: Push same traffic to different devices
Replies: 13
Views: 647

Re: Push same traffic to different devices

It used to be documented that they used illegal MAC addresses to trigger this. Illegal MAC addresses cannot be stored in the address table of the switch, so the switch has to send it to all ports Not exactly - they used a multicast MAC address as unmanaged switches, or managed with IGMP snooping di...
by tdw
Wed Feb 16, 2022 6:22 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 29
Views: 6782

Re: RouterOS bridge mysteries explained

Where is it documented that the Bridge-[itself]-Interface works only with untagged frames? If this is somewhere written (I never found it), why is it not in big, red letters? It isn't because it does not. Just as with any physical interface the other CPU processes are expecting untagged IP packets, f...
by tdw
Tue Feb 15, 2022 1:23 am
Forum: General
Topic: PVID confusion
Replies: 6
Views: 497

Re: PVID confusion

(1) If a port on the switch has only tagged VLANs assigned to it, do I need to change the default PVID on that port ? (2) Should I set that port to "Tagged Only" in "Acceptable Frames Types" from default "Admin All" when all the VLANS are tagged going through that por...
by tdw
Sat Feb 12, 2022 11:23 pm
Forum: Beginner Basics
Topic: Multiple uplinks to the same switch on different VLANs [SOLVED]
Replies: 6
Views: 676

Re: Multiple uplinks to the same switch on different VLANs [SOLVED]

If you have multiple links containing differing VLANs between a pair of switches you either have to ensure spanning tree is disabled or use MSTP.
by tdw
Fri Feb 11, 2022 7:50 pm
Forum: General
Topic: VLAN Configuration: Unifi AP(3 ssids on 3 VLans) +Mikrotik Router(RBG450GX4) [SOLVED]
Replies: 10
Views: 1135

Re: VLAN Configuration: Unifi AP(3 ssids on 3 VLans) +Mikrotik Router(RBG450GX4) [SOLVED]

should Unifi AP have at least one of its SSIDs with 'LAN' setup for management traffic(adoption etc) to work correctly? The SSIDs do not have to be associated with the management traffic network - you can have the management untagged, using the default "LAN" network in the controller, and ...
by tdw
Fri Feb 11, 2022 5:51 am
Forum: RouterBOARD hardware
Topic: powering wall wart devices in a datacenter
Replies: 11
Views: 900

Re: powering wall wart devices in a datacenter

This is what I referred to as 2 phase, apparently it should be called split-phase (it seems to me like a 2-phase 180 degrees system, similar to 3-phase with 120 degrees: angle = 360 / n.phases. To distinguish it from 2-phase with a 90 degree phase angle which can be used to drive motors without a s...
by tdw
Thu Feb 10, 2022 1:07 am
Forum: Beginner Basics
Topic: Basic Trunk / VLAN config... another one! [SOLVED]
Replies: 20
Views: 2045

Re: Basic Trunk / VLAN config... another one! [SOLVED]

You are missing any /interface bridge vlan entries so there is no connection between the bridge-to-cpu interface and the /interface vlan entries
by tdw
Thu Feb 03, 2022 4:44 am
Forum: Beginner Basics
Topic: Mikrotik CCR 1009 two IP Pools /24 PPOE server
Replies: 7
Views: 947

Re: Mikrotik CCR 1009 two IP Pools /24 PPOE server

2. I wanted to run two servers with separate pool (two /24) on two different ports that go to different OLTs . Is this efficient ? It doesn't affect the Mikrotik, depends if it is a sensible division of your IP space. why is net not working on 2nd POOL. that was my 1st question Any number of t...
by tdw
Thu Feb 03, 2022 12:09 am
Forum: Beginner Basics
Topic: Mikrotik CCR 1009 two IP Pools /24 PPOE server
Replies: 7
Views: 947

Re: Mikrotik CCR 1009 two IP Pools /24 PPOE server

There is no need to assign an IP address to ether3, and you can share a pool across multiple PPPoE servers if required.

You have a public /23?
by tdw
Wed Feb 02, 2022 4:01 pm
Forum: General
Topic: Certificate based NAC Auth on hEX PoE possible?
Replies: 1
Views: 512

Re: Certificate based NAC Auth on hEX PoE possible?

https://help.mikrotik.com/docs/display/ROS/Dot1X There were several bugs/features with the original dot1x implementation, I believe these are now resolved. The logic of which certificates to authorise and which VLAN to grant access to is handled by your back-end RADIUS server. The Mikrotik merely pr...
by tdw
Wed Feb 02, 2022 3:47 pm
Forum: General
Topic: RB2011 How connect ports from differ HW switch ?
Replies: 5
Views: 788

Re: RB2011 How connect ports from differ HW switch ?

You mean the vlan-filtering=yes works on RB2011 ? If yes then this software way is proper for me. It does, but without any hardware offload. I'm actually running the following on a 2011 (ether1-4 & ether7-9 as access ports, ether5-6 as hybrid ports to an HP1810-8G and hAP ac lite respectively)...
by tdw
Wed Feb 02, 2022 3:55 am
Forum: General
Topic: RB2011 How connect ports from differ HW switch ?
Replies: 5
Views: 788

Re: RB2011 How connect ports from differ HW switch ?

There is no good way to do hardware offloading across multiple switch chips, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithmultipleswitchchips There are also issues with Atheros fast ethernet (10/100Mbps) switch chips, they do not supp...
by tdw
Mon Jan 31, 2022 1:35 pm
Forum: Wireless Networking
Topic: Support of radius mac auth with username and password
Replies: 6
Views: 1802

Re: Support of radius mac auth with username and password

We were using hostapd, where it was sending encrypted user-password for mac with delimiter in USER-PASSWORD radius attribute, which was not working with Mikrotik User Manager. But I think User Manager support only CHAP-password, so needed to know how Mikrotik create a hash to compare it with CHAP-P...
by tdw
Mon Jan 31, 2022 11:51 am
Forum: Beginner Basics
Topic: add/ remove interface from bridge vlan
Replies: 8
Views: 1106

Re: add/ remove interface from bridge vlan

It's very bad one has to list all vlans again that there's no simple command to add/remove an interface from an existing vlan. No different to changing a list of ports in a firewall rule - you have to specify all of the current plus new ones, not just the new ones. Should be very easy to implement as w...
by tdw
Mon Jan 31, 2022 11:37 am
Forum: General
Topic: Masquerading setup. potential issues
Replies: 5
Views: 674

Re: Masquerading setup. potential issues

Overlap is needed because some clients are android and apple devices, they should get access to other clients(another mikrotik routers) networks, but mikrotik's ovpn implementation doesn't include pushing routes to clients. You can't push additional routes, you can however control the netmask of th...
by tdw
Sun Jan 30, 2022 4:00 pm
Forum: Beginner Basics
Topic: Moving existing Lan into new Vlans, DHCP doesn't give out IPs
Replies: 3
Views: 567

Re: Moving existing Lan into new Vlans, DHCP doesn't give out IPs

I also do not know how i have to configure the trunked ports leading to access switches. is it good enough to just add them to the vlan_bridge? No, in addition to adding ports under /interface bridge port you have to configure the tagged VLAN membership /interface bridge vlan add bridge=vlan_bridge ...
by tdw
Sat Jan 29, 2022 1:10 pm
Forum: Wireless Networking
Topic: Support of radius mac auth with username and password
Replies: 6
Views: 1802

Re: Support of radius mac auth with username and password

This is a user forum, not direct support from Mikrotik. It is not clear exactly what you are trying to achieve - writing your own RADIUS client to authenticate against User Manager? How Mikrotik radius server decrypt chap password radius attribute coming in radius access-request without chap-challe...
by tdw
Fri Jan 28, 2022 2:43 pm
Forum: General
Topic: "disabled" does not always mean completely disabled!
Replies: 3
Views: 912

Re: "disabled" does not always mean completely disabled!

I would suspect that where the item in question has support for being disabled in the underlying Linux kernel or program then it would be instantiated from the UI/CLI settings so it may be referenced. For example, a disabled interface could be created, but set to down , and the interface reference c...
by tdw
Wed Jan 26, 2022 12:59 pm
Forum: General
Topic: VPN Remote Users
Replies: 3
Views: 890

Re: VPN Remote Users

You cannot push a static route to the client, it has to be configured at their end. On Windows using the inbuilt VPN client you unselect the 'Use default gateway on remote network' option to enable split tunneling, and if 'Disable class based route addition' is also unselected a /8, /16 or /24 route...
by tdw
Mon Jan 24, 2022 3:34 pm
Forum: General
Topic: I disconnected some equipment and when reconnecting it suddenly an unknown IP segment was present.
Replies: 7
Views: 843

Re: I disconnected some equipment and when reconnecting it suddenly an unknown IP segment was present.

You can have multiple subnets (layer 3) on an ethernet network (layer 2). You could have one group of devices using 192.168.1.x/24 and another group using 192.168.2.x/24, the only thing you can't do is have non-static DHCP for both subnets. When you say I see 192.168.137.* addresses called mshome.ne...
by tdw
Mon Jan 24, 2022 3:08 pm
Forum: General
Topic: I disconnected some equipment and when reconnecting it suddenly an unknown IP segment was present.
Replies: 7
Views: 843

Re: I disconnected some equipment and when reconnecting it suddenly an unknown IP segment was present.

Any other PCs connected? I'm not sure that the offending MAC address will show up in the Mikrotik ARP table as the Mikrotik is not using that subnet, you might have to use the packet sniffer (or Wireshark on a PC), to spot it in broadcasts.
by tdw
Mon Jan 24, 2022 2:16 pm
Forum: General
Topic: I disconnected some equipment and when reconnecting it suddenly an unknown IP segment was present.
Replies: 7
Views: 843

Re: I disconnected some equipment and when reconnecting it suddenly an unknown IP segment was present.

On each PC open Settings > Network & Internet, select Change adapter settings. Right-click the wired network connection (often just called Ethernet), select Properties. On the Sharing tab ensure that Allow other users to connect through this computer's Internet connection is not ticked, if it is...
by tdw
Mon Jan 24, 2022 2:06 pm
Forum: General
Topic: Autosensing passive PoE?
Replies: 11
Views: 1146

Re: Autosensing passive PoE?

It very much depends on the ethernet interface design in the device being plugged in - if each pair has its own individual terminating resistor and isolating capacitor nothing untoward happens, however to save money often the terminating resistors share a single isolating capacitor so any potential b...
by tdw
Mon Jan 24, 2022 1:39 pm
Forum: Beginner Basics
Topic: VLAN Setup hEX & CRS125
Replies: 2
Views: 1011

Re: VLAN Setup hEX & CRS125

A bridge with vlan-filtering=yes on a CRS1xx/2xx will disable hardware offload. Setting hw=yes on bridge ports only makes the port eligible for hardware offload as long as all the other requirements are met . In your original CRS configuration you have vlan-filtering=yes so all of the switch configu...
by tdw
Fri Jan 21, 2022 3:03 pm
Forum: General
Topic: How to get IPv6 for AP's bridge? [SOLVED]
Replies: 10
Views: 1323

Re: How to get IPv6 for AP's bridge? [SOLVED]

Setting forward=no, leaving accept-router-advertisements=yes-if-forwarding-disabled, does indeed work, with the same annoying invisible IP address and default route behaviour.
by tdw
Thu Jan 20, 2022 2:18 pm
Forum: General
Topic: Publish/share router identity to WAN [SOLVED]
Replies: 2
Views: 523

Re: Publish/share router identity to WAN [SOLVED]

The name-to-IP mapping is handled by the customer's router, nothing to do with the Mikrotik. Typically when a device is added to a LAN which will be accessed by various people you either set a static IP address, or create a static DHCP lease on the customer's router to always assign the same IP to the...
by tdw
Wed Jan 19, 2022 10:27 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 18
Views: 1833

Re: Switch ACL to restrict IP usage [SOLVED]

The square in front of a condition where a "!" appears when you click it is the "NOT" operator. This option is not available in switch ACL. You could use rules to permit packets from the correct source IP on each client port, followed by a drop rule for any IP from all client po...
by tdw
Wed Jan 19, 2022 10:20 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 18
Views: 1833

Re: Switch ACL to restrict IP usage [SOLVED]

Now I get it... Layer-2 security/filter using Layer-3 addresses.. Switch ACL can never check the L3-address used. You can on CRS3xx https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches#Switch_Rules_.28ACL.29, CRS1xx/2xx https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches#Access...
by tdw
Wed Jan 19, 2022 9:59 pm
Forum: Beginner Basics
Topic: Does Mikrotik devices except MMS?
Replies: 9
Views: 1332

Re: Does Mikrotik devices except MMS?

The Wikipedia description https://en.wikipedia.org/wiki/Multimedia_Messaging_Service#Technical_description covers the process pretty well. Automatically handling the SMS control message would be difficult to add to Mikrotiks - if using LTE passthrough there may be no access to the internet for the M...
by tdw
Mon Jan 17, 2022 7:23 pm
Forum: General
Topic: Adding Comment to DHCP Lease [SOLVED]
Replies: 8
Views: 1535

Re: Adding Comment to DHCP Lease [SOLVED]

There is nothing to figure out - the DHCP hostname is an optional parameter that can be passed to a DHCP server within a DHCP request to provide additional information about the client. If the Apple device chooses not to send its name in the DHCP request there is nothing you can do on the Mikrotik t...
by tdw
Mon Jan 17, 2022 7:18 pm
Forum: Forwarding Protocols
Topic: PPPoE & public subnet
Replies: 6
Views: 1545

Re: PPPoE & public subnet

I do not believe usermanager allows additional attributes to be added, in which case you will have to manually add and manage static routes for each client requiring a public subnet:
/ip route add dst-address=w.x.y.z/29 gateway=<clientIPaddress>
by tdw
Mon Jan 17, 2022 1:34 am
Forum: Wireless Networking
Topic: Bandwidth test can't connect to VLAN IP address's
Replies: 5
Views: 1305

Re: Bandwidth test can't connect to VLAN interfaces!

If you have IP connectivity then it is most likely a firewall rule blocking BTest.
by tdw
Sun Jan 16, 2022 11:01 pm
Forum: Forwarding Protocols
Topic: PPPoE & public subnet
Replies: 6
Views: 1545

Re: PPPoE & public subnet

Or if you are authenticating against RADIUS return a Framed-Route with the other Access-Accept attributes. As an aside using netmap seems unnecessary, you could just assign the public IP directly to the client's PPPoE connection instead of assigning a private address and using NAT. @sob you do have ...
by tdw
Sun Jan 16, 2022 10:43 pm
Forum: General
Topic: Cityfibre UK - ECI ONT B-FOCuS 0-1G + Mikrotik Dropouts at 2h 24m Intervals
Replies: 6
Views: 1058

Re: Cityfibre UK - ECI ONT B-FOCuS 0-1G + Mikrotik Dropouts at 2h 24m Intervals

Most odd. MNDP packets are not really anything special, just UDP packets broadcast to 255.255.255.255 on IPv4 and multicast to the 'all routers' address on IPv6.

It needs fixing by ECI, but I suspect trying to relay the information through the usual support channels will be almost impossible.
by tdw
Sun Jan 16, 2022 5:56 pm
Forum: General
Topic: CRS109 VLANS issue - untagged are tagged
Replies: 3
Views: 2395

Re: CRS109 VLANS issue - untagged are tagged

This switch doesn't have a "real" switch-chip (CRS109 switch-ASIC: Qualcomm QCA-XXX) like the other CRS switches (CRS3xx: switch-ASIC: marvell dx), so the "bridge-filter" will not work. Your configuration is not wrong, but your device physically cannot do what you are asking from i...
by tdw
Sun Jan 16, 2022 4:49 pm
Forum: Wireless Networking
Topic: Bandwidth test can't connect to VLAN IP address's
Replies: 5
Views: 1305

Re: Bandwidth test can't connect to VLAN interfaces!

Interfaces are irrelevant, Bandwidth Test connects to an IP address, BTest Server will listen for connections on all local IP addresses.
by tdw
Fri Jan 14, 2022 6:37 pm
Forum: General
Topic: Optimal settings for IPSec hardware offload
Replies: 5
Views: 880

Re: Optimal settings for IPSec hardware offload

AES-128 is sufficiently secure for most applications which would increase performance compared to AES-256 - the Mikrotik test results indicate 472.6Mbps compared to 359.5Mbps for 1400-byte payloads. The Diffie-Hellman calculations are always carried out in software but only occur during initial key e...
by tdw
Fri Jan 14, 2022 4:46 pm
Forum: General
Topic: L2TP/IPsec Issues with Windows 11 update - kb5009566
Replies: 29
Views: 11465

Re: L2TP/IPsec Issues with Windows 11 update - kb5009566

Interesting they say "Workaround: To mitigate the issue for some VPNs" - do they mean only some VPNs are broken, or all VPNs are broken and some may be fixed?

I am still able to connect successfully to Mikrotiks running 6.47.9 and 6.47.10 from Windows 10 with KB5009543 installed...
by tdw
Fri Jan 14, 2022 4:34 pm
Forum: General
Topic: Cityfibre UK - ECI ONT B-FOCuS 0-1G + Mikrotik Dropouts at 2h 24m Intervals
Replies: 6
Views: 1058

Re: Cityfibre UK - ECI ONT B-FOCuS 0-1G + Mikrotik Dropouts at 2h 24m Intervals

It may just not handle unexpected broadcast/multicast packets, which would be utterly abysmal coding in the ONT firmware. I believe Mikrotiks only listen for CDP, they listen for and send LLDP and MNDP. As adding the switch between the ONT and Mikrotik changed the interval before reboot it is likely...
by tdw
Thu Jan 13, 2022 9:30 pm
Forum: General
Topic: Cityfibre UK - ECI ONT B-FOCuS 0-1G + Mikrotik Dropouts at 2h 24m Intervals
Replies: 6
Views: 1058

Re: Cityfibre UK - ECI ONT B-FOCuS 0-1G + Mikrotik Dropouts at 2h 24m Intervals

That's an odd one. As the problem still occurs with the fibre disconnected it must be something sent from the Mikrotik triggering the reboot of the ONT - possibly some memory exhaustion caused by discovery packets if you have that enabled on the Mikrotik.
by tdw
Thu Jan 13, 2022 9:15 pm
Forum: General
Topic: Throughput performance issue RB750Gr3 (hEX)
Replies: 13
Views: 1842

Re: Throughput performance issue RB750Gr3 (hEX)

LE3: I see mtu/mru=1500 set on the pppoe interface but no mtu change for the vlan interface & ethernet interface that it sits on? That is fine as Mikrotik splits layer2 and layer3 MTUs (defaults 1596 & 1500 for an ethernet interface on a 750Gr3), and the ethernet & VLAN interfaces are m...
by tdw
Wed Jan 12, 2022 6:59 pm
Forum: Wireless Networking
Topic: Use Mikrotik hAP AC3 as combined AP/switch
Replies: 10
Views: 2233

Re: Use Mikrotik hAP AC3 as combined AP/switch

I don't have one to test, however there is no mention of configuring tagged wlan interfaces in https://help.mikrotik.com/docs/display/ROS/WifiWave2 . Until this is fixed you can work around it by creating an /interface vlan attached to the existing bridge for the desired VLAN ID, then add this vlan ...
by tdw
Wed Jan 12, 2022 5:39 pm
Forum: Wireless Networking
Topic: Use Mikrotik hAP AC3 as combined AP/switch
Replies: 10
Views: 2233

Re: Use Mikrotik hAP AC3 as combined AP/switch

Other hAP with 6.x can do this so it should be possible, just somewhat fiddly. As RouterOS doesn't support hardware offloading for vlan-aware bridges using the Atheros 8327 switch chip you must: 1. use a non-VLAN-aware bridge (so no setting pvid= or adding anything under /interface bridge vlan ) 2. ...
by tdw
Mon Jan 10, 2022 3:02 am
Forum: General
Topic: hEX POE - POE power management menu?
Replies: 2
Views: 594

Re: hEX POE - POE power management menu?

It is. In Winbox open the Interfaces page, double-click on an interface to bring up the page for that interface, select the PoE tab.
by tdw
Mon Jan 03, 2022 9:03 pm
Forum: General
Topic: Jan 3 2022 Forum is very slow
Replies: 22
Views: 2058

Re: Jan 3 2022 Forum is very slow

As with @sob IPv6 is OK at the moment, IPv4 is very sluggish e.g. ... 4 14 ms 14 ms 14 ms 195.99.125.140 5 14 ms 14 ms 15 ms peer7-et-3-1-1.telehouse.ukcore.bt.net [109.159.252.164] 6 15 ms 14 ms 14 ms 166-49-214-194.gia.bt.net [166.49.214.194] 7 * * * Request timed out. 8 14 ms 14 ms 14 ms ldn-bb4-...
by tdw
Mon Jan 03, 2022 6:53 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 29
Views: 6782

Re: RouterOS bridge mysteries explained

What I find annoying is that you cannot set pvid to none to get all VLANs tagged at the respective port, i.e. there must always be some "native vlan" associated to each port (including the "router-facing virtual port of the virtual switch"). If you set ingress-filtering=yes fram...
by tdw
Sun Jan 02, 2022 8:06 pm
Forum: Beginner Basics
Topic: Outbound routing broke after rebooting upstream router, appears to be issue when bridge sees gateway up again?
Replies: 3
Views: 797

Re: Outbound routing broke after rebooting upstream router, appears to be issue when bridge sees gateway up again?

Having the same MAC address for the bridge and one of the member ports is fine. You appear to be using the CRS as a router, in which case the uplink should not be a member of the bridge. If you do wish to pass the uplink subnet through to other interfaces it can be included as a member of the bridge...
by tdw
Sat Jan 01, 2022 5:10 pm
Forum: General
Topic: Nasty bug with Procurve switchs - STP - GVRP
Replies: 4
Views: 1424

Re: Nasty bug with Procurve switchs - STP - GVRP

After checking the frames in detail, RSTP and GVRP frames are very similar, they are 802.2 Ethernet frames with a LLC header that have the same 0x42 number for DSAP and SSAP. Weird. That is correct, they both use DSAP and SSAP 0x42 "IEEE 802.1 Bridge Spanning Tree Protocol". The name is ...