Community discussions

Search found 1983 matches

by tdw
Thu Oct 03, 2024 10:05 pm
Forum: General
Topic: Hotspot with automatic SSO Active Directory authentication [SOLVED]
Replies: 4
Views: 156

Re: Hotspot with automatic SSO Active Directory authentication [SOLVED]

You would still get a web browser window opening when the captive portal is detected, it may be possible to configure the browser to provide SSO credentials at this point. For deployments with many users it is more common to use WPA2-Enterprise for WiFi and 802.1X for wired connections - there is no...
by tdw
Mon Sep 23, 2024 8:03 pm
Forum: General
Topic: IPv6 DHCP Server not creating bindings for new clients
Replies: 2
Views: 702

Re: IPv6 DHCP Server not creating bindings for new clients

The Mikrotik DHCPv6 server only provides prefix delegation not client addresses, see https://help.mikrotik.com/docs/display/ ... -Summary.3.

If your clients do not support or you do not wish to use SLAAC you will have to set up a third-party DHCPv6 server
by tdw
Mon Sep 23, 2024 5:48 pm
Forum: Beginner Basics
Topic: mikrotik as DHCP server with external DHCP Relay [SOLVED]
Replies: 3
Views: 461

Re: mikrotik as DHCP server with external DHCP Relay [SOLVED]

The OP is using a layer 3 switch to provide the routing for their VLANs, not the Mikrotik. I have not tried it, but from the documentation all of the DHCP servers should use the same interface= setting (the OPs bridge in this case) and also specify the Relay Agent IP with relay= for the correspondin...
by tdw
Mon Sep 23, 2024 1:44 pm
Forum: Beginner Basics
Topic: hEX / ROS 7.13.5: IPv6 Routing issue - inter-network and LAN/WAN routing not working [SOLVED]
Replies: 17
Views: 2389

Re: hEX / ROS 7.13.5: IPv6 Routing issue - inter-network and LAN/WAN routing not working [SOLVED]

I was just about to post suggesting setting add-default-route=no to the DHCPv6 client so the PPPoE default route is used. What are the /routing rule entries for? I've made posts previously regarding DS-Lite setup. These used AFTR provided by DNS, they would need some modification to use the DHCPv6 o...
by tdw
Sun Sep 22, 2024 7:42 pm
Forum: Beginner Basics
Topic: hEX / ROS 7.13.5: IPv6 Routing issue - inter-network and LAN/WAN routing not working [SOLVED]
Replies: 17
Views: 2389

Re: hEX / ROS 7.13.5: IPv6 Routing issue - inter-network and LAN/WAN routing not working [SOLVED]

Providing the print output from a random set of sections isn't particularly helpful, post the output of /export in a code block (the [] icon above the message box when composing a message) after redacting serial number and any other identifying information. The usual errors with setting up IPv6 is n...
by tdw
Thu Sep 19, 2024 2:27 pm
Forum: Beginner Basics
Topic: Allow full-bridge PPPoE modem access to internet?
Replies: 5
Views: 596

Re: Allow full-bridge PPPoE modem access to internet?

Given the addresses posted previously you have set the NTP client on the modem to use 192.168.0.1?
by tdw
Sun Sep 15, 2024 3:53 pm
Forum: Beginner Basics
Topic: Allow full-bridge PPPoE modem access to internet?
Replies: 5
Views: 596

Re: Allow full-bridge PPPoE modem access to internet?

Certainly in the current firmware (v5.2.5) you cannot set a default route - under Configuration > Routing when adding a new route only subnet masks of /8 to /32 are supported, so unless you know the specific address range an external NTP server, and that it will not change, using the Mikrotik is a b...
by tdw
Sat Sep 14, 2024 8:40 pm
Forum: Beginner Basics
Topic: Allow full-bridge PPPoE modem access to internet?
Replies: 5
Views: 596

Re: Allow full-bridge PPPoE modem access to internet?

The Vigor has no routes other than 192.168.0.0/24 so cannot communicate with anything other than the directly connected Mikrotik. I normally enable the NTP server on the Mikrotik, specify its address (192.168.0.1 in this case) on the modem, and add a firewall rule to allow UDP port 123 input from th...
by tdw
Mon Sep 09, 2024 2:08 pm
Forum: General
Topic: RSTP on SWOS [SOLVED]
Replies: 2
Views: 396

Re: RSTP on SWOS [SOLVED]

Yes, the election process will be the same as described for RouterOS https://help.mikrotik.com/docs/display/ROS/Spanning+Tree+Protocol#SpanningTreeProtocol-Electionprocess as this is defined by the protocol. There doesn't appear to be a mechanism to manually adjust the port path cost in SwOS, it is ...
by tdw
Sat Sep 07, 2024 7:02 pm
Forum: General
Topic: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface
Replies: 6
Views: 503

Re: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface

An interface cannot be both tagged and untagged for egress with the same VLAN ID
by tdw
Fri Aug 30, 2024 9:43 pm
Forum: General
Topic: PPTP 2FA with Google Auth [SOLVED]
Replies: 3
Views: 794

Re: PPTP 2FA with Google Auth [SOLVED]

No. The RADIUS servers enabled for a particular service are tried in order specified. The later ones are only used if there is no response, an accept or reject response terminates the request. If the first two servers are only for the login service you could remove the ppp service from those, the th...
by tdw
Fri Aug 30, 2024 9:29 pm
Forum: Beginner Basics
Topic: Help creating a basic static route
Replies: 1
Views: 298

Re: Help creating a basic static route

A route gateway is usually an IP address through which the target addresses are reachable, an interface name is normally only used on point-to-point links with /32 addresses. So in your case it would be 192.168.0.x where this is the address of the router which is also connected to the 192.168.122.0/...
by tdw
Mon Aug 26, 2024 9:02 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1746

Re: IPv6 routing using VLANs [SOLVED]

According to the description in the OP, folks at the ISP use the method mentioned in par. 4.1.4 of the RIPE document, i.e. they sacrifice a single /64 from the /48 they gave you as a link subnet. I still suspect on their side of the link they are doing the equivalent of /ipv6 address add address=20...
by tdw
Sun Aug 25, 2024 1:09 pm
Forum: General
Topic: IPv6 routing using VLANs [SOLVED]
Replies: 27
Views: 1746

Re: IPv6 routing using VLANs [SOLVED]

Out of interest how is the provider supplying the /48? If they are just presenting a /48 directly rather than routing it via a transit subnet they are one of the providers who really don't know what they are doing with IPv6 - see https://www.ripe.net/publications/docs/ripe-690/ section 4.1 for discu...
by tdw
Fri Aug 23, 2024 1:16 pm
Forum: General
Topic: How to define untagged (or default/native VLAN) of an Ethernet interface?
Replies: 4
Views: 489

Re: How to define untagged (or default/native VLAN) of an Ethernet interface?

Ethernet-like interfaces are transparent to VLANs, it is just another ethertype. Adding an IP address to an interface handles IP and ARP ethertypes for IPoE, these are untagged on the wire. The /interface vlan entries are wrappers which add a VLAN ID for packets being sent to the parent interface, a...
by tdw
Fri Aug 23, 2024 12:19 am
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 2618

Re: 3rd party system installed, can't connect to any devices on the router.

Also, you didn’t mention the role of the 10.0.0.1 gateway in all this. It could be a crucial piece of information especially if it’s a router connecting the two networks. I'm not sure what that address would be, I went up and looked over all the equipment. There's no additional routers, switches, w...
by tdw
Sun Aug 18, 2024 7:02 pm
Forum: Beginner Basics
Topic: Problems connecting to ISPs PPPoE
Replies: 10
Views: 1306

Re: Problems connecting to ISPs PPPoE

If you add a logging topic of ppp, debug and post the redacted (e.g. username) results that may show something up.
by tdw
Sun Aug 18, 2024 2:41 pm
Forum: Beginner Basics
Topic: Problems connecting to ISPs PPPoE
Replies: 10
Views: 1306

Re: Problems connecting to ISPs PPPoE

Have you tried connecting both with and without encryption? If one end requires encryption and the other does not support it the connection setup will fail, I would expect the connection not to require encryption as MPPE has not been secure for years and would be unnecessary overhead for the ISP con...
by tdw
Sun Aug 18, 2024 1:40 pm
Forum: SwOS
Topic: SNMPv3 Support
Replies: 3
Views: 1179

Re: SNMPv3 Support

From the documentation: SwOS supports SNMP v1 and v2c (the Response for GetRequest, GetNextRequest and GetBulkRequest) and uses IF-MIB, SNMPv2-MIB, BRIDGE-MIB and MIKROTIK-MIB (only for health, PoE-out and SFP diagnostics). SNMP traps and writing SwOS configuration are not supported. Available SNMP ...
by tdw
Sat Aug 17, 2024 1:02 pm
Forum: General
Topic: IPv6 WAN to LAN block rule stops traffic. [SOLVED]
Replies: 3
Views: 1048

Re: IPv6 WAN to LAN block rule stops traffic. [SOLVED]

Rules are evaluated in strict order, if you drop any packets arriving from an interface in the WAN list destined for an interface in the LAN list before other rules then bidirectional communication will always fail. With the not working example replies to connections initiated from LAN devices will ...
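The ordering problem described in the reply above, written out as an added RouterOS configuration example (not code from the post or from MikroTik). The interface lists WAN and LAN are assumed to already exist with the WAN port and the LAN bridge as their members.

```routeros
# Added example, not from the original post. Assumes interface lists named
# WAN and LAN already exist, e.g. WAN contains ether1 and LAN contains bridge.
/ipv6 firewall filter
add chain=forward action=accept connection-state=established,related,untracked \
    comment="1: replies to connections that LAN hosts opened"
add chain=forward action=drop connection-state=invalid comment="2: invalid"
add chain=forward action=accept protocol=icmpv6 \
    comment="3: PMTUD and neighbour discovery need ICMPv6"
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    out-interface-list=LAN comment="4: unsolicited inbound from WAN"

# The failing configuration in the thread is a rule of this shape placed
# in front of rule 1:
#   add chain=forward action=drop in-interface-list=WAN out-interface-list=LAN
# It has no connection-state match, and rules are evaluated in order with
# the first match winning, so every reply packet returning from the
# Internet to a LAN host is dropped before rule 1 can accept it.
# Which rule is eating the traffic shows up in the counters: a drop rule
# placed too early keeps counting while a LAN host is simply browsing.
/ipv6 firewall filter print stats
```

Apply the rules from a session that stays reachable (or in Safe Mode) and watch the counters with `print stats` while a LAN host opens a connection: only rule 1 should be incrementing for that traffic.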
by tdw
Fri Aug 16, 2024 11:54 pm
Forum: Beginner Basics
Topic: VLAN on Wifi - Have Unifi AP w no Cloud Key - will it work ? [SOLVED]
Replies: 6
Views: 942

Re: VLAN on Wifi - Have Unifi AP w no Cloud Key - will it work ?

As @erlinden stated you need a UniFi controller to configure their APs as the standalone app only provides limited functionality. The controller is available as an appliance, baked into a number of their gateway products but also still as a software installation for Linux, Mac and Windows.
by tdw
Thu Aug 15, 2024 8:16 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 2618

Re: 3rd party system installed, can't connect to any devices on the router.

It may not be connected directly but there is an external connection "we can access their Siemens HMI's through their 3rd party website". I certainly wouldn't suggest jumping straight to v7, however v6 long-term and cleaning up whatever cruft has accumulated in the config would be a good s...
by tdw
Thu Aug 15, 2024 7:44 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 2618

Re: 3rd party system installed, can't connect to any devices on the router.

From the first post the Mikrotik is running v6.38.1 which was released seven years ago and has numerous vulnerabilities including remote authentication bypass. Hopefully it is not directly exposed to the internet otherwise it will have been compromised, even so it would make a great jumping off point...
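As an added example (not from the post above or from MikroTik's documentation), the sequence a practitioner would run on a router that old to get it onto the v6 long-term channel and stop exposing management services, using commands that exist in RouterOS v6. The management subnet 192.168.88.0/24 and ether1 as the Internet-facing port are assumptions.

```routeros
# Added example, not from the original post. 192.168.88.0/24 as the
# management subnet and ether1 as the WAN port are assumptions.

# 1. Confirm what is actually running before touching anything.
/system resource print
/system package print

# 2. Switch to the long-term channel and fetch the current release.
#    Old releases call this channel "bugfix" instead of "long-term";
#    if the set command is rejected, use channel=bugfix first.
/system package update set channel=long-term
/system package update check-for-updates
/system package update download
/system reboot

# 3. After the reboot, bring the RouterBOOT firmware up to the same
#    version; it does not update itself.
/system routerboard upgrade
/system reboot

# 4. Stop management services from being reachable from the Internet:
#    disable what is not used, bind the rest to the LAN subnet, and drop
#    new connections to the router itself arriving on the WAN port.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip firewall filter add chain=input action=drop in-interface=ether1 \
    connection-state=new place-before=0 \
    comment="no new connections to the router from WAN"
```

If the router was reachable from the Internet while running 6.38.1, an in-place upgrade does not undo whatever was done to it: rebuild it with Netinstall, restore only a reviewed `/export`, and change every credential that lived on it.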
by tdw
Wed Aug 14, 2024 6:36 pm
Forum: General
Topic: Ethernet based DHCP static lease on RouterOS
Replies: 3
Views: 463

Re: Ethernet based DHCP static lease on RouterOS

As mentioned the Mikrotik DHCP server does not support matching agent circuit ID information in DHCP requests so you would need to run a DHCP server elsewhere and configure that to return fixed addresses for the specific ethernet ports, or from a pool otherwise. If there are multiple routes for the ...
by tdw
Wed Aug 14, 2024 4:50 pm
Forum: General
Topic: Ethernet based DHCP static lease on RouterOS
Replies: 3
Views: 463

Re: Ethernet based DHCP static lease on RouterOS

There is not an easy way to allocate an address based on physical port rather than MAC or Client ID - whilst Mikrotik can include Option 82 for ports in a bridge the DHCP server has no mechanism to use the Agent Circuit ID. For your setup with additional small subnets then adding static routes on th...
by tdw
Tue Aug 13, 2024 11:13 pm
Forum: Scripting
Topic: How to represent exponentiation in Mikrotik script?
Replies: 4
Views: 493

Re: How to represent exponentiation in Mikrotik script?

The specific case of 2^x can be implemented as a bitwise shift: 1 << x
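The shift above covers powers of two only. As an added example (not from the post), the general integer power as a RouterOS script function, alongside a guarded version of the shift; RouterOS script has no exponentiation operator and its integers are signed 64-bit, so `1 << 63` wraps negative.

```routeros
# Added example, not from the original post: integer powers in RouterOS
# script, which has no exponentiation operator.

# 2^x as a left shift. Integers are signed 64-bit, so exponents above 62
# wrap into a negative number; refuse them instead of returning garbage.
:global pow2 do={
    :if ($1 < 0 || $1 > 62) do={ :error "exponent out of range" }
    :return (1 << $1)
}

# General base^exp for exp >= 0 by repeated multiplication. Overflow is
# not detected here either, so keep the result below 2^63.
:global intPow do={
    :local base $1
    :local exp $2
    :local result 1
    :while ($exp > 0) do={
        :set result ($result * $base)
        :set exp ($exp - 1)
    }
    :return $result
}

:put [$pow2 10]
:put [$intPow 3 5]
```

`[$pow2 10]` is the same value as `(1 << 10)`, 1024, and `[$intPow 3 5]` gives 243; `[$intPow 2 10]` gives the same answer as the shift, which is a quick way to confirm the loop is right.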
by tdw
Tue Aug 13, 2024 12:45 pm
Forum: General
Topic: How can I access remotely MT behind a modem?
Replies: 13
Views: 778

Re: How can I access remotely MT behind a modem?

The source port is picked by the remote client initiating the connection, typically anything greater than 1023 but not fixed.
by tdw
Tue Aug 13, 2024 3:28 am
Forum: Beginner Basics
Topic: 2VLANs + L2/L3 setup
Replies: 8
Views: 1529

Re: 2VLANs + L2/L3 setup

The bridge-to-CPU port settings are incorrect - you are trying to use it simultaneously untagged (by /interface bridge having pvid=200) and tagged (by having an /interface vlan attached to the bridge with vlan-id=200). It is also missing from the /interface bridge vlan entries. Furthermore none of...
by tdw
Sun Aug 11, 2024 3:41 pm
Forum: Beginner Basics
Topic: CAPsMAN through Switch under VLAN [SOLVED]
Replies: 15
Views: 2404

Re: CAPsMAN through Switch under VLAN [SOLVED]

If the cAP ax is working as expected when connected directly to the router (as per OP's first image), but not when connected via the switch (per second image) the most likely cause is a misconfiguration of the switch, although it isn't clear which VLAN the cAP management connection is using - 10, 99...
by tdw
Fri Aug 09, 2024 1:20 am
Forum: General
Topic: vlan and bridge and trunk question [SOLVED]
Replies: 11
Views: 2939

Re: vlan and bridge and trunk question [SOLVED]

An /interface vlan object merely inserts the specified VLAN tag for packets on ingress and removes them on egress. When configuring a Mikrotik device as a switch you may have various untagged and tagged VLANs configured on several ports, but only a single VLAN configured to transit the bridge-to-CPU ...
by tdw
Thu Aug 08, 2024 6:00 pm
Forum: General
Topic: PPPoE Interface Not Running [SOLVED]
Replies: 2
Views: 1727

Re: PPPoE Interface Not Running [SOLVED]

What messages are there for the PPPoE client interface in the log?
by tdw
Thu Aug 08, 2024 5:56 pm
Forum: General
Topic: vlan and bridge and trunk question [SOLVED]
Replies: 11
Views: 2939

Re: vlan and bridge and trunk question [SOLVED]

No, 11:7 is VLAN ID 11 with priority 7.

You are missing the bridge-to-CPU interface in the bridge VLAN membership:
/interface bridge vlan
add bridge=newBridge tagged=newBridge,bonding1 vlan-ids=10
add bridge=newBridge tagged=newBridge,bonding1 vlan-ids=11
by tdw
Wed Aug 07, 2024 8:22 pm
Forum: General
Topic: Ping IPV4 address with IPv6 WAN
Replies: 1
Views: 361

Re: Ping IPV4 address with IPv6 WAN

Providers initially offered IPv6+IPv4 dual stack, it is becoming more common for them to only implement IPv6 and use one of the many tunneling mechanisms for IPv4 - see https://www.rfc-editor.org/rfc/rfc9313.html for information on the most prominent ones. It is possible to configure DS-Lite on Mikr...
by tdw
Tue Aug 06, 2024 4:52 pm
Forum: Beginner Basics
Topic: tagged and untagged in one vlan table
Replies: 10
Views: 841

Re: tagged and untagged in one vlan table

There are many pitfalls using multiple bridges, so best avoided. Do you need a bridge? If your network is only connected to a single port you can simply add a vlan interface to that port: /interface vlan add interface=ether1 name=vlan10 vlan-id=10 then add different subnets to the two networks ( eth...
by tdw
Sun Aug 04, 2024 3:43 pm
Forum: Beginner Basics
Topic: [SOLVED] Issue with Setting Up Tagged VLAN on bridge
Replies: 20
Views: 1291

Re: [SOLVED] Issue with Setting Up Tagged VLAN on bridge

You are attempting to use the bridge-to-CPU interface both untagged (by setting pvid=1500 under /interface bridge ) and tagged (by having an /interface vlan with vlan-ids=1500 ) which leads to all sorts of unexpected behaviour. Also setting the PVID under /interface bridge port makes no sense with f...
by tdw
Fri Aug 02, 2024 6:25 pm
Forum: RouterBOARD hardware
Topic: How to intentionally make cable that will negotiate at 10 mbps?
Replies: 16
Views: 1815

Re: How to intentionally make cable that will negotiate at 10 mbps?

Degrading the cabling will never guarantee that the link will operate at 10Mbps. The endpoints transmit their capabilities in the regular fast link pulses and pick the best available speed and duplex option both are capable of, see https://en.wikipedia.org/wiki/Autonegotiation . Depending on the eth...
by tdw
Wed Jul 31, 2024 8:58 pm
Forum: General
Topic: Change from NAT to PPPoE?
Replies: 4
Views: 1346

Re: Change from NAT to PPPoE?

The BT Digital Voice offering is a closed system, you have to use the SH2. There was a thread on the thinkbroadband forum https://forums.thinkbroadband.com/fibre/t/4670157-re-bt-fttp-with-digital-voice-alternative-to-smart-hub-2.html where someone managed to detect and spoof enough information for t...
by tdw
Mon Jul 29, 2024 10:32 pm
Forum: General
Topic: CCR2216 and CCR2116 vlans and bridges..
Replies: 3
Views: 531

Re: CCR2216 and CCR2116 vlans and bridges..

where did pvid=1 come from.. and which is what I think would be the 'native vlan' setting.. and should be changed to 666..

VLAN 1 is the default PVID as you have not specified anything different.
/interface bridge port add bridge=vlan-bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1...
by tdw
Mon Jul 29, 2024 2:10 pm
Forum: Scripting
Topic: /tool fetch problem
Replies: 2
Views: 444

Re: /tool fetch problem

A Mikrotik array is not JSON. Either use the :serialize function in newer versions of RouterOS v7, or construct a data variable containing valid JSON. For example:
:local jsondata "{\"mac\":\"aa:bb:cc:dd:ee:ff\",\"ip\":\"192.168.100.80\"}"
by tdw
Mon Jul 22, 2024 10:48 pm
Forum: General
Topic: IPv6 only working within LAN
Replies: 2
Views: 365

Re: IPv6 only working within LAN

The requested pool should only hand out /64s, not the entire /62. The assigned address should not use the all-zeros host address as this is reserved for 'all routers in subnet' - either use an explicit non-zero address, or alternatively eui-64=yes to generate the host address from the interface MAC ...
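An added configuration example (not from this post, nor from the earlier reply about add-default-route=no on a PPPoE link) showing the two points together: the DHCPv6 client puts the delegation into a pool that hands out /64s, and each LAN interface takes one /64 with either an explicit ::1 host part or an EUI-64 one. Interface names pppoe-out1, bridge and vlan20, and the pool name isp6, are assumptions.

```routeros
# Added example, not from the original posts. Interface and pool names are
# assumptions; the ISP is assumed to delegate a /62 (or larger) over PPPoE.

# Request the delegated prefix into a pool that hands out /64 chunks.
# add-default-route=no because on a PPPoE link the default route already
# arrives with the PPP session.
/ipv6 dhcp-client add interface=pppoe-out1 request=prefix pool-name=isp6 \
    pool-prefix-length=64 add-default-route=no

# Each LAN interface gets one /64 from the pool, never the whole delegation.
# Main LAN: explicit non-zero host part (::1); the all-zeros host address
# is reserved and must not be used for the router's own address.
/ipv6 address add address=::1/64 from-pool=isp6 interface=bridge advertise=yes
# Second VLAN: host part derived from the interface MAC instead.
/ipv6 address add address=::/64 from-pool=isp6 interface=vlan20 eui-64=yes \
    advertise=yes

# advertise=yes makes the router send Router Advertisements, so clients
# configure themselves with SLAAC (RouterOS's DHCPv6 server only does PD).
/ipv6 nd set [find default=yes] advertise-dns=yes

# Checks: the pool should show /64 chunks in use and the addresses should
# be global prefixes, not the ::1/64 and ::/64 placeholders.
/ipv6 pool used print
/ipv6 address print where from-pool=isp6
```

If the second print still shows the placeholder form, the delegation has not arrived; `/ipv6 dhcp-client print` shows the client's status and the prefix it received.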
by tdw
Fri Jul 19, 2024 10:10 pm
Forum: General
Topic: [Assistance] - VLAN configuration on CRS1xx
Replies: 10
Views: 637

Re: [Assistance] - VLAN configuration on CRS1xx

I don't know if the default items in /export have changed in v7, but certainly in RouterOS v6 /interface ethernet switch ingress-vlan-translation entries have explicit customer-vid=0 . Also, are the bridge ports actually hardware-offloaded - they should have an H flag showing in /interface bridge po...
by tdw
Fri Jul 19, 2024 9:33 pm
Forum: General
Topic: Tunneling CDP messages
Replies: 4
Views: 376

Re: Tunneling CDP messages

It looks like gibberish from ChatGPT or similar. With CDP being a proprietary Cisco protocol Mikrotik do not treat the multicast address it uses as special, so it should propagate throughout the broadcast domain of the layer 2 network. I've not checked EoIP interfaces specifically but certainly all ...
by tdw
Tue Jul 16, 2024 2:37 pm
Forum: General
Topic: Weird behavior of L2TP / IPSEC in ROS7 hAP AX3 / Arm64
Replies: 4
Views: 2588

Re: Weird behavior of L2TP / IPSEC in ROS7 hAP AX3 / Arm64

How did you configure your new ax3, from an /export of the old device, or from a .backup?
by tdw
Fri Jul 12, 2024 4:33 pm
Forum: General
Topic: Switch Rules working without HW on interface?
Replies: 5
Views: 480

Re: Switch Rules working without HW on interface?

I would imagine rules are processed before switching, but wouldn't imagine port isolation would apply unless the ports are being switched in the chip - with hw=no the packet flow would be etherA > CPU interface > software bridge > switch chip interface > etherB, it isn't passing directly between eth...
by tdw
Fri Jul 12, 2024 4:19 pm
Forum: Scripting
Topic: Feature Request: native JSON parsing function [SOLVED]
Replies: 4
Views: 2992

Re: Feature Request: native JSON parsing function [SOLVED]

Mikrotik added :serialize and :deserialize commands in v7 which support JSON. I've not tested to see if it handles nested arrays.
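An added example (not from the two posts it follows, the /tool fetch reply and this one) of building the request body from a RouterOS array with :serialize rather than by hand-escaping a JSON string, round-tripping it through :deserialize to show that a nested array survives, and posting it with /tool fetch. Requires a RouterOS v7 release that has :serialize/:deserialize; the URL is a placeholder.

```routeros
# Added example, not from the original posts. Needs RouterOS v7 with
# :serialize/:deserialize. The URL is a placeholder.
:local device {"mac"="aa:bb:cc:dd:ee:ff"; "ip"="192.168.100.80"; "tags"={"lab"; "wifi"}}

# Array -> JSON text. Passing $device itself as http-data would send the
# RouterOS array notation (mac=aa:bb...;ip=...), which is not JSON.
:local body [:serialize to=json value=$device]
:put $body

# Round trip: parse the JSON back and read the nested "tags" array.
:local back [:deserialize from=json value=$body]
:local tags ($back->"tags")
:put ($tags->0)

# Send it. The Content-Type header is what most APIs key on to parse JSON.
/tool fetch url="https://example.invalid/api/devices" http-method=post \
    http-header-field="Content-Type: application/json" \
    http-data=$body output=none
```

Strings that happen to look like numbers or IPs are converted by :serialize according to their RouterOS type, so if a value must stay a string in the JSON, keep it quoted in the array as above; the :put of the body shows exactly what will go on the wire.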
by tdw
Fri Jul 12, 2024 4:06 pm
Forum: General
Topic: Switch Rules working without HW on interface?
Replies: 5
Views: 480

Re: Switch Rules working without HW on interface?

The physical ports on the device are wired to the switch chip so packets will always pass through and be processed by the switch. The underlying architecture has a single interface between the switch chip and CPU - the ether1..etherX interfaces shown in winbox/CLI are logical interfaces, the driver m...
by tdw
Fri Jul 12, 2024 3:52 pm
Forum: General
Topic: VLAN 1 IP and dedicated MGMT Port IP in same subnet
Replies: 6
Views: 565

Re: VLAN 1 IP and dedicated MGMT Port IP in same subnet

You cannot use the same IP subnet on multiple layer2 / ethernet interfaces, the device would have no idea of which interface to send ARP requests to.
by tdw
Wed Jul 10, 2024 3:44 pm
Forum: General
Topic: What is the right FW rule to miss out the CPU when x ?
Replies: 4
Views: 383

Re: What is the right FW rule to miss out the CPU when x ?

No, traffic between VLANs passes through forward, not input. Unless your Mikrotik has a switch chip with L3 hardware offload the routed traffic is still handled by the CPU, fasttrack merely skips some of the processing and typically improves performance by a factor around 2-3 times. You could qualif...
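An added example (not from the post) of the forward-chain fasttrack rule the reply is talking about, together with the check that it is actually taking effect. Because fasttracked packets bypass mangle, which a later reply in this listing points out makes fasttrack and mangle incompatible, the rule here only fasttracks connections that carry no connection mark, so marked (policy-routed or queued) traffic keeps taking the full path.

```routeros
# Added example, not from the original post. Inter-VLAN traffic is routed
# by the CPU and passes through chain=forward; fasttrack only shortens the
# per-packet processing. Fasttracked packets skip mangle and queues, so
# only connections without a mark are fasttracked here.
/ip firewall filter
add chain=forward action=fasttrack-connection \
    connection-state=established,related connection-mark=no-mark \
    comment="fasttrack unmarked established traffic"
add chain=forward action=accept connection-state=established,related \
    comment="needed: fasttrack rule only handles packets once tracked"
add chain=forward action=drop connection-state=invalid

# Verify: the fasttrack rule's counters increase, and fasttracked
# connections carry the F flag in the connection table.
/ip firewall filter print stats where action=fasttrack-connection
/ip firewall connection print
```

The accept rule directly after the fasttrack rule is not optional: the first packets of a connection are not yet fasttracked and must still be accepted by a normal rule.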
by tdw
Wed Jul 10, 2024 1:46 pm
Forum: General
Topic: Help needed with IPv6 on DHCPv6 PD / KPN fiber
Replies: 12
Views: 1722

Re: Help needed with IPv6 on DHCPv6 PD / KPN fiber

This should not be necessary:
/ppp profile set *0 remote-ipv6-prefix-pool=kpn-pool
it is used for PPPoE servers, not clients. This is likely the issue:
/ipv6 dhcp-client add add-default-route=yes interface=pppoe-kpn pool-name=kpn-pool pool-prefix-length=48 request=prefix use-peer-dns=no
as DHCPv6 ha...
by tdw
Tue Jul 09, 2024 4:17 am
Forum: General
Topic: DHCP server grants new IP to device after "make static"
Replies: 10
Views: 790

Re: DHCP server grants new IP to device after "make static"

The lease client-id values for some of the entries look odd - have they been edited as they would usually be 1:xx:xx:xx:xx:xx:xx, where xx:xx:xx:xx:xx:xx is the client MAC address.

If a client includes a client ID in the DHCP request the Mikrotik will use this in preference to the MAC address.
by tdw
Tue Jul 09, 2024 3:43 am
Forum: Beginner Basics
Topic: Disable Routing Between Ports
Replies: 22
Views: 1597

Re: Disable Routing Between Ports

By default packets will be forwarded between subnets. As there isn't an option to change the firewall policy you could either add a firewall filter rule to drop any forwarded packets with /ip firewall filter add action=drop chain=forward or even disable all forwarding with /ip settings set ip-forwar...
by tdw
Thu Jul 04, 2024 2:41 am
Forum: General
Topic: Bind public IP per L2TP VPN User.
Replies: 2
Views: 319

Re: Bind public IP per L2TP VPN User.

You can specify an optional single IP address for L2TP users in /ppp secret, see https://help.mikrotik.com/docs/display/ ... erDatabase
by tdw
Thu Jul 04, 2024 2:33 am
Forum: General
Topic: Bridge vlan untagged to other bridge [SOLVED]
Replies: 5
Views: 1753

Re: Bridge vlan untagged to other bridge [SOLVED]

On ether1 is my main vlan trunk to my base switch forwarding all vlans (including vlan 30 tagged). Those vlans were configured in the switch configuration to allow hardware offloaded vlans (vlan filtering with offload is not supported on rb3011). This interface is thus the only member of brLAN. Thi...
by tdw
Mon Jul 01, 2024 11:54 am
Forum: General
Topic: PPPoE interface address
Replies: 2
Views: 272

Re: PPPoE interface address

When running a PPPoE server having an IP address on the interface is unnecessary as the client IP traffic is encapsulated within the PPPoE packets. You can add an IP address to the interface for specific use cases, two common ones are for management of radios in fixed-wireless access networks, and f...
by tdw
Sun Jun 30, 2024 9:51 pm
Forum: The User Manager
Topic: 802.1x
Replies: 6
Views: 1842

Re: 802.1x

That isn't the CA, download it from Let's Encrypt. The RADIUS server certificate is only required by usermanager on the Mikrotik, no need to export it.
by tdw
Sun Jun 30, 2024 3:31 am
Forum: The User Manager
Topic: 802.1x
Replies: 6
Views: 1842

Re: 802.1x

A file with a .crt extension can, and often does, contain PEM encoded content. Unless you are using self-signed certificates you will not have the private key for the CA certificate. The purpose of the CA certificate on the client is to validate the authenticity of the signer of the server certi...
by tdw
Sat Jun 29, 2024 3:04 pm
Forum: RouterBOARD hardware
Topic: Help with passive POE and Netgear GS728TPv2
Replies: 3
Views: 702

Re: Help with passive POE and Netgear GS728TPv2

It may be that the PSE controller provides voltage, current and power information and they choose to display it. Certainly some other vendors 802.3af/at-only switches do so. There are other converters, e.g. PoE Texas / PoE World have a huge range for a variety of uses https://shopify.poe-world.com/co...
by tdw
Sat Jun 29, 2024 2:09 am
Forum: RouterBOARD hardware
Topic: Help with passive POE and Netgear GS728TPv2
Replies: 3
Views: 702

Re: Help with passive POE and Netgear GS728TPv2

AFAIK the Netgear only provides nominal 48v, the options change the initial negotiation. You can use an 802.3af/at to 24V passive converter - either the Mikrotik RBGPOE-CON-HP, or Ubiquiti INS-3AF-I-G (can only provide a maximum of 12W so OK as long as you don't have power consuming devices plugged ...
by tdw
Sat Jun 29, 2024 1:44 am
Forum: General
Topic: DUAL WAN - 2nd ISP traffic is slow unless I Torch the interface! [SOLVED]
Replies: 5
Views: 2578

Re: DUAL WAN - 2nd ISP traffic is slow unless I Torch the interface! [SOLVED]

fasttrack is not compatible with mangle, disable it
by tdw
Fri Jun 28, 2024 7:07 pm
Forum: Beginner Basics
Topic: Replace RB2011UIAS with CRS310-8G+2S+IN
Replies: 4
Views: 800

Re: Replace RB2011UIAS with CRS310-8G+2S+IN

CRS devices are primarily switches, the CPU is not particularly powerful and not intended to provide anything approaching wirespeed routing - you might get around 400Mbps on a CRS310. Whilst the switch chips in CRS3xx and CRS5xx devices support L3 hardware offloading the device in the CRS310 does no...
by tdw
Fri Jun 28, 2024 6:56 pm
Forum: Beginner Basics
Topic: Configure IPv6 over IPv4 from ISP
Replies: 9
Views: 1496

Re: Configure IPv6 over IPv4 from ISP

You will need to find out which tunneling mechanism the ISP supports. It is possible to do DS-Lite which is basically an IPv4 in IPv6 tunnel (search my posts for examples), but newer methods such as Lw4o6 and MAP-E require support in the client router which Mikrotik have not implemented.
by tdw
Fri Jun 28, 2024 1:47 pm
Forum: The User Manager
Topic: 802.1x
Replies: 6
Views: 1842

Re: 802.1x

Those device certificate settings look to be incorrect. The CA Certificate should, given the name, be the Let's Encrypt root authority certificate - Windows and other OS will already have this installed as a trusted CA. The Device Certificate should not be the server certificate and likely be not in...
by tdw
Fri Jun 28, 2024 1:02 am
Forum: General
Topic: Show full SFP information
Replies: 2
Views: 488

Re: Show full SFP information

It does. SFPs which support Digital Diagnostic Monitoring (DDM) as specified by SFF-8472 store a variety of threshold and calibration data in non-volatile memory at address A2h.

AFAIK RouterOS doesn't read and decode this, only the standard data as specified by INF-8074 at address A0h.
by tdw
Thu Jun 27, 2024 2:53 am
Forum: General
Topic: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]
Replies: 13
Views: 14594

Re: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]

It's difficult to tell exactly as there are many redundant entries referring to objects which have been deleted ( something=*id ), but it appears the home LAN (192.168.20.1), some device management for radio links (10.20.0.1) and a local address for PPPoE client connections (172.20.0.1) share the sa...
by tdw
Thu Jun 27, 2024 12:57 am
Forum: General
Topic: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]
Replies: 13
Views: 14594

Re: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]

IP packets from PPPoE clients do not arrive on the bridge, each one has its own interface named <pppoe-USERNAME> so using in-interface=bridge1 in mangle rules will not match anything from clients.
by tdw
Wed Jun 26, 2024 3:45 pm
Forum: General
Topic: Setting the Phase 1 mode with EOIP IPSec tunnels
Replies: 2
Views: 246

Re: Setting the Phase 1 mode with EOIP IPSec tunnels

Instead of specifying an IPsec secret in the EoIP interface create IPsec proposals, policies, peers & identities as required, when the EoIP encapsulated traffic matches the policy it will have IPsec applied as specified.
by tdw
Wed Jun 26, 2024 3:42 pm
Forum: General
Topic: Specify IPsec proposal and profile for IPIP/IPsec
Replies: 4
Views: 492

Re: Specify IPsec proposal and profile for IPIP/IPsec

Instead of specifying an IPsec secret in the IPIP interface create IPsec proposals, policies, peers & identities as required, when the IPIP encapsulated traffic matches the policy it will have IPsec applied as specified.
by tdw
Sat Jun 22, 2024 4:22 am
Forum: General
Topic: Is there a way to connect Groove 52 to LiteBeam 5AC-gen2?
Replies: 1
Views: 212

Re: Is there a way to connect Groove 52 to LiteBeam 5AC-gen2?

No. Both Mikrotik and Ubiquiti have proprietary protocols to provide better performance than regular WiFi, especially for PtMP setups. Whilst these extensions are optional on Mikrotik devices they cannot be disabled on the newer Ubiquiti devices, including airMAX AC ones. Even if you could a LiteBea...
by tdw
Wed Jun 19, 2024 4:15 pm
Forum: General
Topic: VLAN tag on port vs Switch Chip
Replies: 5
Views: 613

Re: VLAN tag on port vs Switch Chip

So option a is effectively the default config but with an additional /interface vlan to handle the WAN traffic being tagged. Unless you are likely to have multiple WAN ports, want to be able to easily swap which ports are WAN and which are LAN, passthrough additional provider/operator VLANs for IPTV ...
by tdw
Wed Jun 19, 2024 4:52 am
Forum: Beginner Basics
Topic: Hex as Switch; VLANs Can't Access Winbox
Replies: 5
Views: 814

Re: Hex as Switch; VLANs Can't Access Winbox

You are missing the bridge-to-cpu port, the /interface bridge vlan entries tagged=ether1 should be tagged=bridge,ether1 . You also need /interface vlan entries to remove tags on egress from the bridge-to-cpu port / add them on ingress to the port, plus IP addresses. See https://forum.mikrotik.com/v...
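The same mistake comes up in several of the VLAN replies in this listing (the bridge itself missing from the tagged members, or the bridge used both untagged via pvid and tagged via an /interface vlan for one VLAN ID). As an added example, not from any of the posts, here is a minimal RouterOS device acting as a VLAN-aware switch with management on VLAN 99 that avoids both. Port roles, VLAN IDs and the 192.168.99.2 management address are assumptions.

```routeros
# Added example, not from the original posts. Port roles, VLAN IDs and
# addresses are assumptions. Run from Safe Mode: a mistake here can cut
# off the session you are working from.
/interface bridge add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether1 frame-types=admit-only-vlan-tagged \
    comment="trunk to router: VLANs 10, 20, 99 tagged"
add bridge=bridge interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged

# The bridge itself is the CPU-facing port. It must be a tagged member of
# every VLAN the router terminates, otherwise WinBox/SSH on that VLAN
# never reaches the CPU. Do not also set pvid=99 on the bridge: that
# would make the CPU port untagged and tagged for the same VLAN.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge,ether1 untagged=ether2
add bridge=bridge vlan-ids=20 tagged=bridge,ether1 untagged=ether3
add bridge=bridge vlan-ids=99 tagged=bridge,ether1

# /interface vlan strips the tag on the way into the CPU and adds it on
# the way out; the IP address belongs on it, not on the bridge.
/interface vlan add name=vlan99-mgmt interface=bridge vlan-id=99
/ip address add address=192.168.99.2/24 interface=vlan99-mgmt

# Turn filtering on last, once the membership table is complete.
/interface bridge set bridge vlan-filtering=yes
# Check: every VLAN should list "bridge" in its tagged column.
/interface bridge vlan print
```

Before enabling vlan-filtering, compare `/interface bridge vlan print` against `/interface bridge port print`: any port with a pvid must appear untagged in that VLAN, and anything you need to reach the router on must show `bridge` as tagged.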
by tdw
Thu Jun 13, 2024 6:34 pm
Forum: General
Topic: Native vlan
Replies: 4
Views: 498

Re: Native vlan

When I turn off vlan-filtering, only vlan 1 works.

What do you mean by 'works'? ether1-6 will be able to communicate with each other, if VLAN 1 untagged also has to transit the ether24 and sfp-sfpplus4 trunks then change frame-types=admit-only-vlan-tagged to admit-all

Unrelated, there is no need to...
by tdw
Wed Jun 12, 2024 6:37 pm
Forum: Wireless Networking
Topic: Radius Server setup
Replies: 12
Views: 1626

Re: Radius Server setup

Set up your own RADIUS server & frontend on-prem or hosted elsewhere / subscribe to a cloud-based service (e.g. CloudRADIUS, JumpCloud, Foxpass) and use WPA2-Enterprise for wireless / 802.1X for wired authentication with username/password and/or certificates. All locations should use this data/s...
by tdw
Wed Jun 12, 2024 5:15 pm
Forum: Beginner Basics
Topic: What does PVID do on bridge VLAN
Replies: 1
Views: 650

Re: What does PVID do on bridge VLAN

In Winbox the VLAN tab of a bridge interface contains the settings of the bridge-to-CPU port, in exactly the same way as the VLAN tab of a bridge port does for other ports added to the bridge. These are layer 2 settings - they will not stop your Guest & IoT networks from accessing some IP servic...
by tdw
Thu Jun 06, 2024 10:11 pm
Forum: SwOS
Topic: Password length limit on SwOS? Seriously?
Replies: 20
Views: 2324

Re: Password length limit on SwOS? Seriously?

The processor in the switch chips on SwOS-only devices is very limited so it is highly unlikely that any encryption can be added. From the Marvell datasheet Target Applications section "Smart and Lightly Managed switches: Integrated microprocessor enables lightly managed switches with the addit...
by tdw
Thu Jun 06, 2024 9:55 pm
Forum: RouterBOARD hardware
Topic: AOC SFP module - S+AO0005. Connector type info.
Replies: 2
Views: 1345

Re: AOC SFP module - S+AO0005. Connector type info.

I suppose the Media Connector type (EEPROM address A0h, byte 2) could be set to either 0Bh 'Optical Pigtail' or 23h 'No separable connector' instead of 21h 'Copper pigtail' (from SFF-8024 Table 4-3 Connector Types). For SFPs, per SFF-8074, bytes 14-18 specify the maximum length for 9/125, 50/125 &...
by tdw
Thu Jun 06, 2024 7:29 pm
Forum: Forwarding Protocols
Topic: OSPF misconfig causing packet loss
Replies: 3
Views: 571

Re: OSPF misconfig causing packet loss

When you say Neighbours do you mean OSPF Neighbours or IP Neighbours? Use PTMP rather than broadcast, v7 'ptmp-broadcast' is compatible with v6 'ptmp'.
by tdw
Thu Jun 06, 2024 7:17 pm
Forum: Beginner Basics
Topic: DNS QUAD9 not working?
Replies: 1
Views: 593

Re: DNS QUAD9 not working?

Your ISP could be intercepting any DNS requests not destined for their servers and redirecting them.
by tdw
Tue Jun 04, 2024 8:34 pm
Forum: Announcements
Topic: v7.15.3 [stable] is released!
Replies: 655
Views: 256204

Re: v7.15 [stable] is released!

I'd rather see bridge "the CPU facing port" become a distinct item ... just like switchX-cpu port in switch chip configs. IMO this would prevent quite some confusion which arises from the fact that there are 3 different items (switch-like entity, CPU-facing port and interface) all named t...
by tdw
Tue Jun 04, 2024 8:25 pm
Forum: Announcements
Topic: v7.15.3 [stable] is released!
Replies: 655
Views: 256204

Re: v7.15 [stable] is released!

In fact, I think /interface/vlan should have some option/attribute that automatically adds tagged=bridge (as a dynamic .../bridge/vlan) – so Layer3/IP work without messing with bridge vlan table at all. So whole /interface/bridge/vlans complexity be only needed for hybrid ports or Layer2-only switc...
by tdw
Tue Jun 04, 2024 7:34 pm
Forum: Virtualization
Topic: How CHR choose ARP src-ip when there is more 2 ipv4 adressed on same nic
Replies: 1
Views: 543

Re: How CHR choose ARP src-ip when there is more 2 ipv4 adressed on same nic

If the public address is routed via the private address it should not be attached to the interface, but rather exist on a loopback interface and the preferred source address set for traffic originated from the Mikrotik itself. /interface bridge add name=local protocol-mode=none /ip address add addre...
by tdw
Mon Jun 03, 2024 10:09 pm
Forum: General
Topic: fiirewall error PPTP VPN
Replies: 2
Views: 427

Re: fiirewall error PPTP VPN

If the 192.168.1.x addresses use a subnet mask of /24 then 192.168.1.0 is not a valid address, so I would expect it to never work.

Also use a better VPN protocol than PPTP, fundamental vulnerabilities have been known for over 10 years making it insecure.
by tdw
Mon Jun 03, 2024 9:59 pm
Forum: General
Topic: RSTP - What the hell? [SOLVED]
Replies: 14
Views: 1939

Re: RSTP - What the hell? [SOLVED]

Also if you set edge=yes on the Mikrotik bridge ports connecting to the Cisco(s) they will ignore any received and not send any BPDUs (equivalent to PortFast) which may allow you to change to a single bridge. This means that it will ignore the BPDUs that the Ciscos send, turning the Cisco into a ...
by tdw
Mon Jun 03, 2024 7:37 pm
Forum: General
Topic: RSTP - What the hell? [SOLVED]
Replies: 14
Views: 1939

Re: RSTP - What the hell? [SOLVED]

There are various potential pitfalls https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration but impossible to say if you have hit any of these without seeing the configurations. Also if you set edge=yes on the Mikrotik bridge ports connecting to the Cisco(s) they will ignore any received an...
by tdw
Mon Jun 03, 2024 7:18 pm
Forum: General
Topic: VLAN Configuration
Replies: 12
Views: 1527

Re: VLAN Configuration

Nothing obvious assuming that change is only applied to /interface bridge port (two entries), /interface bridge vlan (three entries on two lines) and /interface vlan (one entry) as you can't have two bridges with the same name. Do the Current Tagged and Current Untagged columns under Bridge > VLANs ...
by tdw
Sat Jun 01, 2024 2:04 am
Forum: General
Topic: VLAN Configuration
Replies: 12
Views: 1527

Re: VLAN Configuration

I hadn't spotted that was missing, having bridge-TPP in the tagged list for VLAN 40 is unnecessary. Under /interface bridge port the pvid= setting specifies which VLAN untagged ingress traffic is assigned to. Under /interface bridge vlan ports in the untagged= interface list have the VLAN tag remove...
by tdw
Fri May 31, 2024 1:47 am
Forum: General
Topic: VLAN Configuration
Replies: 12
Views: 1527

Re: VLAN Configuration

The bridge name bridge-TPP refers to both the bridge and the implicit bridge-to-CPU bridge port so you are connecting VLAN 40 on ether4 untagged to the CPU tagged. To connect ether4 untagged to ether5 tagged requires the following change to /interface bridge vlan : add bridge=bridge-TPP tagged= brid...
by tdw
Wed May 29, 2024 11:31 am
Forum: General
Topic: Lock device
Replies: 4
Views: 555

Re: Lock device

Set reformat-hold-button and reformat-hold-button-max. The device cannot be reset, only completely reformatted by holding the reset button for a time between the two values and will then require a netinstall as described in the link provided.
by tdw
Wed May 29, 2024 3:29 am
Forum: General
Topic: Lock device
Replies: 4
Views: 555

Re: Lock device

See https://help.mikrotik.com/docs/display/ ... bootloader. You can disable the Winbox service but that will prevent anyone using it, a usual recommendation is to make Winbox accessible only via a VPN connection to or from the device.
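As an added example for the two replies in this Lock device thread (it is not part of the posts and not MikroTik's own documentation), the following RouterOS configuration combines the protected bootloader with management access that is only reachable over a VPN. The WireGuard interface wg0, the 10.99.0.0/24 tunnel subnet, the listen port, the interface list name and the hold-button times are assumed values chosen for illustration.

```routeros
# Added example, not from the forum posts. Assumed: a WireGuard management
# VPN on interface wg0 using 10.99.0.0/24, Winbox on its default port 8291,
# SSH on 22. Apply from Safe Mode.

# 1. Protected bootloader. The reset button can no longer restore the default
#    configuration; holding it for between reformat-hold-button and
#    reformat-hold-button-max only reformats the device, which then needs a
#    netinstall. Confirm VPN access works BEFORE enabling this, otherwise a
#    mistake in step 3 locks you out with no local recovery short of netinstall.
/system routerboard settings
set protected-routerboot=enabled reformat-hold-button=20s reformat-hold-button-max=10m

# 2. The management VPN (peer entries omitted; add them under
#    /interface wireguard peers with each admin's public key).
/interface wireguard
add name=wg0 listen-port=13231
/ip address
add address=10.99.0.1/24 interface=wg0
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=wg0

# 3. Two independent gates for Winbox/SSH: the per-service address ACL and
#    the input chain. A later misordered firewall rule still leaves the
#    service ACL in place, and vice versa.
/ip service
set winbox address=10.99.0.0/24
set ssh address=10.99.0.0/24
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input protocol=udp dst-port=13231 action=accept comment="WireGuard handshakes"
add chain=input in-interface-list=MGMT src-address=10.99.0.0/24 protocol=tcp dst-port=8291,22 action=accept comment="Winbox/SSH only over the VPN"
add chain=input protocol=tcp dst-port=8291,22 action=drop comment="Winbox/SSH from anywhere else"

# 4. Winbox-by-MAC-address bypasses the IP rules on any LAN port, and cannot
#    work over a layer 3 tunnel anyway, so switch it off.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
```

The filter rules are appended, so on a device that already has the default firewall they must be moved above the existing catch-all input drop (for example with /ip firewall filter move) or they never match. Steps 2 and 3 should be verified from a remote VPN client before step 1 is applied, since protected-routerboot removes the reset-button fallback.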
by tdw
Tue May 28, 2024 9:06 pm
Forum: Forwarding Protocols
Topic: OSPF Bug: incorrect network advertisement for point-to-point addresses
Replies: 9
Views: 1133

Re: OSPF Bug: incorrect network advertisement for point-to-point addresses

This caught me out a few weeks ago when converting from 6.x to 7.x. Although it isn't mentioned anywhere in the documentation I could find /routing ospf interface-template has some hidden functionality where specifying type=ptp swaps the local and remote addresses, try add area=A disabled=no network...
by tdw
Mon May 27, 2024 7:51 pm
Forum: General
Topic: Switch CRS112-8P-4S high CPU load [SOLVED]
Replies: 4
Views: 1250

Re: Switch CRS112-8P-4S high CPU load [SOLVED]

Nothing immediately obvious. Possibly if there is much broadcast or multicast traffic on your management VLAN that will be processed by the CPU, even if then discarded.

Using VLAN 1 tagged is uncommon but shouldn't be the cause.
by tdw
Mon May 27, 2024 7:44 pm
Forum: Scripting
Topic: how to provide different ip on pppoe for each connect
Replies: 1
Views: 694

Re: how to provide different ip on pppoe for each connect

I don't believe you can do this as pool allocations are 'sticky' - for any particular MAC address and username combination the previously used IP is issued when reconnecting. Only a reboot, no free pool addresses (which forces a cleanup), or not being used for some time resets this behaviour.
by tdw
Mon May 27, 2024 6:03 pm
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 4751

Re: Default VLAN for non-authenticated users ?

I'm not sure why the Mikrotik supplicant works without a certificate on the server. The certificate provides the keying material for the TLS tunnel used by PEAP in addition to providing identity information. Per the previously linked page for Windows supplicants they will not work unless the certifc...
by tdw
Mon May 27, 2024 1:53 pm
Forum: Beginner Basics
Topic: Beginner's question: Bridging and VLANs
Replies: 2
Views: 799

Re: Beginner's question: Bridging and VLANs

One bridge. See https://forum.mikrotik.com/viewtopic.php?t=143620 , https://forum.mikrotik.com/viewtopic.php?t=173692 , https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-SetupExamples for RouterOS, https://help.mikrotik.com/docs/pages/viewpage.action?pageId=76415036#...
by tdw
Sun May 26, 2024 11:34 pm
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 4751

Re: Default VLAN for non-authenticated users ?

Pretty much all EAP methods will not work unless the server presents a certificate - are you sure FreeRADIUS isn't using some default certificate, whereas usermanager will need one creating?
by tdw
Sun May 26, 2024 8:41 pm
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 4751

Re: Default VLAN for non-authenticated users ?

What certificates are you using for the EAP part? Windows requires the CA to be in the machine certificate store, there are other caveats too https://wiki.geant.org/display/H2eduroa ... iderations
by tdw
Wed May 22, 2024 2:26 pm
Forum: General
Topic: Use specific IP in internal network using L2TP
Replies: 6
Views: 1390

Re: Use specific IP in internal network using L2TP

If the client connected using an IP / layer3 VPN has an address which falls within the subnet used on a local ethernet / layer2 network it requires the use of proxy-ARP. Note the naming of L2TP can be misleading - it refers to layer2 tunneling of PPP packets, not the client IP data itself.
by tdw
Wed May 22, 2024 2:09 pm
Forum: General
Topic: USE IP FIREWALL FEATURE IN BRIDGE SETTINGS [SOLVED]
Replies: 1
Views: 1059

Re: USE IP FIREWALL FEATURE IN BRIDGE SETTINGS [SOLVED]

It forces any bridged traffic to also pass through IP firewall chains https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-BridgeForward , this is only required if you wish to apply firewall rules, where bridge ACLs are insufficient (e.g. as they are stateless), or...
by tdw
Wed May 22, 2024 3:52 am
Forum: Beginner Basics
Topic: [delete]
Replies: 23
Views: 1600

Re: CRS310-8G+S2 reality check on CPU use when using internet traffic

CRS devices are primarily ethernet / layer2 switches with some IP / layer3 functionality, i.e. limited performance as the CPU is not particularly capable. RouterOS v7 introduced L3 hardware offloading, however the DX2000 in the CRS310-8G+2S+ only supports routing offload, not fasttrack and NAT conne...
by tdw
Sun May 19, 2024 12:31 pm
Forum: Beginner Basics
Topic: Two public addresses from one provider
Replies: 3
Views: 711

Re: Two public addresses from one provider

Using a bridge as a local/loopback interface will not work if the addresses are presented directly - just add the addresses to the WAN interface, for example: /ip address add address=155.13.35.202/29 interface=ether1 add address=155.13.35.203/29 interface=ether1 Only if the additional addresses are ...
by tdw
Sun May 19, 2024 5:26 am
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 4751

Re: Default VLAN for non-authenticated users ?

See https://help.mikrotik.com/docs/display/ROS/Dot1X#Dot1X-Server . The guest-vlan-id functionality is odd, other vendors allow access to a guest VLAN immediately until dot1x authentication completes. Other than making a feature request to Mikrotik there isn't much you can do to reduce the time. Not...
by tdw
Fri May 17, 2024 5:29 pm
Forum: General
Topic: CCR2116 RouterOS upgrade vs Routerboard Upgrade [SOLVED]
Replies: 4
Views: 5153

Re: CCR2116 RouterOS upgrade vs Routerboard Upgrade [SOLVED]

The RouterBoard firmware is equivalent to the BIOS on a PC - it handles the initial chipset configuration and RouterOS loading. It is persistent unless upgraded or the device is completely reflashed with netinstall. Historically the firmware and OS used different version numbering. At some point the...
by tdw
Sun May 12, 2024 2:03 pm
Forum: Scripting
Topic: SSTP-server interface scripting [SOLVED]
Replies: 4
Views: 8282

Re: SSTP-server interface scripting [SOLVED]

Did you drop the existing connection? The server binding will be used when the client reconnects.
by tdw
Sun May 12, 2024 1:59 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1368

Re: daloRADIUS & mikrotik PPTP server

That isn't something I have used, if it doesn't have options for specific RADIUS reply attributes it depends if it has any mechanism for adding generic/custom ones.
by tdw
Sat May 11, 2024 6:48 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1368

Re: daloRADIUS & mikrotik PPTP server

Two routes is correct - one from the point-to-point tunnel, the second the subnet route.

However you can't have the same subnet on both your CHR and the remote client, routing relies on subnets not overlapping with each other as it has no way of knowing which interface to use if they do.
by tdw
Sat May 11, 2024 12:57 pm
Forum: General
Topic: Dropping forward chain new - ppppoe connections
Replies: 2
Views: 481

Re: Dropping forward chain new - ppppoe connections

You do not have pppoe-out1 added to the WAN interface list.
by tdw
Fri May 10, 2024 11:25 pm
Forum: Scripting
Topic: SSTP-server interface scripting [SOLVED]
Replies: 4
Views: 8282

Re: SSTP-server interface scripting [SOLVED]

It doesn't need any scripting, use a server binding: /interface sstp-server add name=sstp-in-lsstp user=lsstp When a connection is made with the username specified the named interface, sstp-in-lsstp in this case, is created instead of the usual <sstp-lsstp> dynamic one. Obviously only works for a si...
by tdw
Thu May 09, 2024 9:21 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1368

Re: daloRADIUS & mikrotik PPTP server

Is 192.168.0.1 the client remote address? It is safer to use 0.0.0.0 which indicates to use the tunnel regardless of address. An alternate method is to use Framed-IP-Address and Framed-IP-Netmask if the address is part of the routed subnet, in place of using Framed-IP-Address and Framed-Route .
by tdw
Thu May 09, 2024 4:26 am
Forum: RouterBOARD hardware
Topic: Ensuring Compatibility Between SFP+ and SFP28
Replies: 1
Views: 894

Re: Ensuring Compatibility Between SFP+ and SFP28

Info is in the help pages https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility#MikroTikwiredinterfacecompatibility-10GSFP+/25GSFP28 and https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility#MikroTikwiredinterfacecompatibility-SFP+interfacecomp...
by tdw
Wed May 08, 2024 11:08 pm
Forum: Beginner Basics
Topic: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]
Replies: 4
Views: 4918

Re: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]

In this case leaving all the interfaces set to autonegotiate should be fine. The highest speed of those advertised by both devices is chosen so the 2.5Gb advertisement from the CRS will be ignored. The example is using a bond in isolation, hence adding the IP address to it. When adding any ethernet-l...
by tdw
Wed May 08, 2024 7:48 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1368

Re: daloRADIUS & mikrotik PPTP server

I can't immediately recall if the Mikrotik rejects routes where the subnet bits are not zero, so for 192.168.0.1/24 it should really be 192.168.0.0/24
by tdw
Wed May 08, 2024 3:36 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1368

Re: daloRADIUS & mikrotik PPTP server

Per the wiki page for the Framed-Route attribute, 'Format is specified in RFC 2865 (Ch. 5.22)', so you should be sending 192.168.0.1/24 0.0.0.0 1
by tdw
Wed May 08, 2024 3:28 pm
Forum: Beginner Basics
Topic: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]
Replies: 4
Views: 4918

Re: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]

Copper ethernet connections operating at a rate of 1Gb or above will not work without autonegotiation, fixed settings only work for 10Mb or 100Mb with half or full duplex.

If you require a specific rate you can use autonegotiation but only advertise that one rate.
by tdw
Tue May 07, 2024 9:44 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1368

Re: daloRADIUS & mikrotik PPTP server

They will appear as dynamic entries under /ip route with the name of the PPTP/L2TP connection as the gateway.
by tdw
Sun May 05, 2024 4:38 pm
Forum: Beginner Basics
Topic: ipipv6 DS-Lite setup help
Replies: 1
Views: 781

Re: ipipv6 DS-Lite setup help

by tdw
Sat May 04, 2024 9:38 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1368

Re: daloRADIUS & mikrotik PPTP server

I'm not sure that the supported RADIUS attributes https://wiki.mikrotik.com/wiki/Manual:R ... Attributes have made it to the new help pages.

And stop using PPTP, it has been known to be insecure for at least a decade.
by tdw
Sat May 04, 2024 8:56 pm
Forum: General
Topic: Multiple public IPs, different internal zones
Replies: 10
Views: 2130

Re: Multiple public IPs, different internal zones

No. The OP states the provider supplies five IPs with a /24 netmask, these should just be added to the WAN ethernet interface with a single default route to the provided gateway. All you need to know is same as routing on a NAT a /32 is higher precedence than a /24 No. You are conflating two things ...
by tdw
Tue Apr 30, 2024 9:05 pm
Forum: General
Topic: Load Balancing PPC (2WAN) not balancing well
Replies: 2
Views: 463

Re: Load Balancing PPC (2WAN) not balancing well

If you are not using the hotspot functionality the hotspot=auth should be removed from the PCC rules
by tdw
Tue Apr 30, 2024 7:54 pm
Forum: RouterBOARD hardware
Topic: Powering AX routers
Replies: 12
Views: 2128

Re: Powering AX routers

It is annoying that on new devices Mikrotik have picked voltage ranges which are not directly compatible with float-charged lead-acid batteries. Historically devices supported 8-30V so were quite happy running off nominal 12V (13.8V on charge down to ~10V cutoff) or 24V (27.6V on charge down to ~20V...
by tdw
Tue Apr 30, 2024 4:44 pm
Forum: Beginner Basics
Topic: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x
Replies: 6
Views: 1112

Re: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x

You cannot, it requires a NAT64 translator.
by tdw
Sun Apr 28, 2024 1:48 am
Forum: General
Topic: No DHCP on Bridge VLAN interface.
Replies: 21
Views: 1647

Re: No DHCP on Bridge VLAN interface.

Also as mentioned in an earlier post if you have multiple VLAN IDs specified in a single entry: /interface bridge vlan add bridge=br0 tagged=ether1,br0 vlan-ids=X,Y,Z you should not use these VLANs untagged, i.e. by setting pvid=X or Y or Z under /interface bridge port or dynamically by CAPsMAN. In ...
by tdw
Tue Apr 23, 2024 10:34 pm
Forum: Wireless Networking
Topic: RB2011 + TP-LINK mesh
Replies: 4
Views: 1349

Re: RB2011 + TP-LINK mesh

I do not get the chance to use our existing network cabling for this to work properly, right? I mean, I need to send a wire from each deco to the other directly and not connecting each one to the switch. If this latter option is possible, it would make the move easier. It depends if the switches y...
by tdw
Tue Apr 23, 2024 8:29 pm
Forum: General
Topic: dhcpv6-pd assign subnet to interface
Replies: 5
Views: 506

Re: dhcpv6-pd assign subnet to interface

No, having a subnet hint does not work. There are a number of grumbles about this in other forum posts.
by tdw
Tue Apr 23, 2024 8:25 pm
Forum: General
Topic: No DHCP on Bridge VLAN interface.
Replies: 21
Views: 1647

Re: No DHCP on Bridge VLAN interface.

You did enable ether1 in /interface bridge port ? Yes, set the PVID for those ports under /interface bridge port and add any tagged membership under /interface bridge vlan , explicitly adding untagged membership is optional as it will be dynamically added from the PVID setting. Some people prefer to...
by tdw
Tue Apr 23, 2024 8:11 pm
Forum: Beginner Basics
Topic: Management VLAN issue [SOLVED]
Replies: 10
Views: 3388

Re: Management VLAN issue [SOLVED]

Do you get an address via DHCP on ether7? You have no DNS server specified in /ip dhcp-server network for that subnet which may cause issues. Can you ping the gateway addresses when connected via those ports having obtained or set an address? Most likely is the firewall filter rules don't allow acce...
by tdw
Tue Apr 23, 2024 3:57 am
Forum: Wireless Networking
Topic: RB2011 + TP-LINK mesh
Replies: 4
Views: 1349

Re: RB2011 + TP-LINK mesh

Configure the TP-Link in Access Point mode, not the default WiFi Router mode, e.g. https://www.tp-link.com/uk/support/faq/1842/ . Where possible connect the Deco units with ethernet cables as meshing reduces capacity - each device has to receive each packet and then transmit onwards. I seem to recal...
by tdw
Tue Apr 23, 2024 3:15 am
Forum: Beginner Basics
Topic: Management VLAN issue [SOLVED]
Replies: 10
Views: 3388

Re: Management VLAN issue [SOLVED]

Unfortunately now I'm using vlan id=1 in my network and on some devices I have this hardcoded. That will not be fast and easy to configure and switch the router :/ Using VLAN ID 1 is not incorrect, however you can easily get things wrong as a result unless you are familiar with exactly how manufactur...
by tdw
Tue Apr 23, 2024 2:49 am
Forum: General
Topic: No DHCP on Bridge VLAN interface.
Replies: 21
Views: 1647

Re: No DHCP on Bridge VLAN interface.

You haven't copied the /interface bridge vlan settings for VLAN ID 10 correctly - missing tagged=br0
by tdw
Mon Apr 22, 2024 3:14 am
Forum: Beginner Basics
Topic: Internet connection on CRS326 behind external router
Replies: 4
Views: 1017

Re: Internet connection on CRS326 behind external router

To simplify broadcasts etc. every VLAN shall reside in a separate partition of the same /24 subnet. That will not work, and it is not specific to using a Mikrotik. Each VLAN is its own layer 2 broadcast domain so broadcasts will not pass between them. Having overlapping subnets would require specia...
by tdw
Wed Apr 17, 2024 2:55 am
Forum: SwOS
Topic: POE in problem Mikrotik CSS610 netPower Lite 7R Switch
Replies: 4
Views: 1216

Re: POE in problem Mikrotik CSS610 netPower Lite 7R Switch

I discovered that the switch is only receiving PoE from one Ethernet port, despite the requirement for a minimum power input from three ports. Power is only taken from the input with the greatest voltage, each input should be capable of providing all the power necessary to operate the switch itself...
by tdw
Wed Apr 17, 2024 2:40 am
Forum: SwOS
Topic: POE in problem Mikrotik CSS610 netPower Lite 7R Switch
Replies: 4
Views: 1216

Re: POE in problem Mikrotik CSS610 netPower Lite 7R Switch

You're referring to 2 different products:
CSS610
and
netPower Lite 7R
Just for info, the netPower Lite 7R is one of the CSS610 range - its full model name is CSS610-1Gi-7R-2S+OUT
by tdw
Fri Apr 05, 2024 12:22 am
Forum: Beginner Basics
Topic: Virtualized VLANs (for Proxmox) [SOLVED]
Replies: 7
Views: 3940

Re: Virtualized VLANs (for Proxmox) [SOLVED]

The configuration doesn't make sense - you have name=aBridge in /interface bridge but references to bridge=3TSBridge in /interface bridge vlan.
Also, do not set the bridge-to-CPU PVID in /interface bridge to have the same ID as an /interface vlan attached to the bridge.
by tdw
Mon Apr 01, 2024 2:54 pm
Forum: SwOS
Topic: No SwOS for CRS310-8G+2S+ ?
Replies: 12
Views: 6051

Re: No SwOS for CRS310-8G+2S+ ?

According to https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-ConfiguringSwOSusingRouterOS using /system swos upgrade should upgrade the primary backup version of SwOS, and you then install the seco...
by tdw
Tue Mar 26, 2024 1:18 pm
Forum: Beginner Basics
Topic: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]
Replies: 32
Views: 4640

Re: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]

That doesn't agree with your diagram, it shows ether5 and ether6 connected between the CRS and RB3011
by tdw
Tue Mar 26, 2024 4:39 am
Forum: Beginner Basics
Topic: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]
Replies: 32
Views: 4640

Re: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]

It seems like once port is enabled in the bridge, only 802.2 (what the hell is it?) are seen on the interface. Why? Spanning tree, and the port will be ending up in the blocking state to prevent a network loop. STP & RSTP are not VLAN-aware, they allow or block all traffic be it untagged or tag...
by tdw
Sun Mar 17, 2024 12:03 am
Forum: General
Topic: Wires Only Leased Line Hardware Recommendation
Replies: 11
Views: 1406

Re: Wires Only Leased Line Hardware Recommendation

I am a novice with this but the ISP have provided me with the following. It doesn't really make sense, the LAN information is OK LAN First IP Address: 51.x.x.33 LAN Subnet Mask: 255.255.255.240 Customer IP Assignement: 51.x.x.32/28 so when presented as IP over ethernet connections .32 is the networ...
by tdw
Sat Mar 16, 2024 11:12 pm
Forum: General
Topic: Wires Only Leased Line Hardware Recommendation
Replies: 11
Views: 1406

Re: Wires Only Leased Line Hardware Recommendation

A 4011 or 5009 would be fine, ICUK use them or Ubiquiti EdgeRouters on their managed 1Gb EAD circuits. The ISP information seems incomplete - typically they would specify a /30 or /31 WAN connection, together with a routed subnet which you can present on the LAN side of your router as a conventional...
by tdw
Thu Mar 14, 2024 10:47 pm
Forum: General
Topic: VLAN setup device with AR8327 and WI-FI [SOLVED]
Replies: 2
Views: 1480

Re: VLAN setup device with AR8327 and WI-FI [SOLVED]

You have to apply the tagging in the wireless interface with vlan-id=XXX and vlan-mode=use-tag - this is only possible in the old (6.x or 7.x up to and including 7.12) /interface wireless settings, it is a lost feature with the new /interface/wifi/ drivers.
by tdw
Tue Feb 27, 2024 8:36 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 2758

Re: IPv6 between bridges

I think the problem is with Neighbour Solicitation, not sure if can forward it between bridges. When pinging ISP router from br_lan it sends NS but does not get a reply as multicast packet is not forwarded between br_wan and br_lan to host. No it can't, see post #6. The ISP should be routing the /48...
by tdw
Sun Feb 25, 2024 8:34 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 2758

Re: IPv6 between bridges

They just forwarded to us /48 prefix.
Forwarded to what address? This is different to the interface on their gateway being given a /48 subnet mask.

A few ISPs seem clueless about this. I suggest reading https://www.ripe.net/publications/docs/ripe-690/, in particular section 4.1
by tdw
Sun Feb 25, 2024 8:29 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 2758

Re: IPv6 between bridges

For example br_wan - 2a02:a3XX:8::2/64 br_lan - 2a02:a3XX:8::3/64 Mikrotik in my opinion should be able to route between those GUA addresses as those are internally assigned and GUA must be routed, but it does not. No. This doesn't just apply to Mikrotik, addresses in the same subnet are only reach...
by tdw
Sun Feb 25, 2024 4:24 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 2758

Re: IPv6 between bridges

The br_wan address should be /64, and the ISP router should be configured to route the /48 to this address. The br_lan address should again be /64 and also a different subnet. It does not matter what I configure on br_wan and br_lan as IPv6 routing between br_lan and br_wan does not work Example as...
by tdw
Sun Feb 25, 2024 2:02 pm
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 2758

Re: IPv6 between bridges

The br_wan address should be /64, and the ISP router should be configured to route the /48 to this address.
The br_lan address should again be /64 and also a different subnet.
by tdw
Sun Feb 25, 2024 2:57 am
Forum: General
Topic: IPv6 between bridges
Replies: 25
Views: 2758

Re: IPv6 between bridges

link local addresses, as the name suggests, are only valid within a layer2 broadcast domain. You say "From br_lan I can not reach br_wan via GUA if both bridges are configured with the GUA address" - you should assign different GUA addresses to each otherwise routing will not work. Typical...
by tdw
Sat Feb 17, 2024 3:57 pm
Forum: General
Topic: Transport layer 2 over Internet?
Replies: 4
Views: 791

Re: Transport layer 2 over Internet?

There is a layer 2 bridging option for any PPP-based protocols (e.g. L2TP, SSTP) using BCP, although it doesn't work fully with vlan-aware bridges, or OpenVPN using TAP.

With RouterOS v7 there is also VXLAN and L2TPv3 but the documentation and examples are rather sparse.
by tdw
Tue Feb 13, 2024 12:06 am
Forum: Beginner Basics
Topic: Subnet Public IP's issue
Replies: 3
Views: 591

Re: Subnet Public IP's issue

Mikrotik do not support RFC3021 /31 addressing, use /32 for the local and gateway addresses: /ip address add address=88.xx.xx.15 interface=vlan835 network=88.xx.xx.14. If the subnet public IP is routed to you then adding those addresses to the WAN interface is incorrect. The conventional use case wo...
by tdw
Mon Feb 12, 2024 8:23 pm
Forum: General
Topic: UPnP is not working?
Replies: 14
Views: 1438

Re: UPnP is not working?

The SIM provider unfortunately does not give me public IP, so I'm under cgnat. Cgnat renders UPnP useless ? I know that port forwarding and DDNS are not working Yes. UPnP merely automates port forwarding on your router, it doesn't cascade the forwarding rules/requirements to the providers CGNAT inf...
by tdw
Mon Feb 12, 2024 6:46 pm
Forum: General
Topic: UPnP is not working?
Replies: 14
Views: 1438

Re: UPnP is not working?

Not directly related, but does your SIM provide an unfiltered public IP as most either block inbound traffic or use CGNAT which renders UPnP useless. Setting up port forwarding either manually or with UPnP is only required on older Hikvision devices, more recent ones can be configured to establish a...
by tdw
Tue Feb 06, 2024 11:20 pm
Forum: General
Topic: best RouterOS version for old CCR
Replies: 3
Views: 794

Re: best RouterOS version for old CCR

IIRC v7 will always be slower due to kernel changes between v6 and v7, e.g. no more route cache.
by tdw
Fri Feb 02, 2024 2:08 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 1731

Re: How do you specify the location in ROS 7? [SOLVED]

It appears that way, although it is a limiting factor if you want to use an indoor device in a weatherproof enclosure outdoors, or the L11UG-5HaxD which could be used in either situation.
by tdw
Fri Feb 02, 2024 1:21 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 1731

Re: How do you specify the location in ROS 7? [SOLVED]

It appears not to be included in the new wifi package, see viewtopic.php?p=1052150
by tdw
Fri Feb 02, 2024 1:15 pm
Forum: Wireless Networking
Topic: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]
Replies: 19
Views: 2234

Re: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]

Likely skip DFS channels with 10min CAC is incompatible with the channel selection as 5580/Ceee uses 5570-5650.

If the same settings work on a hAP that could be a bug where it is not excluding the extension channels which overlap with 5600-5650.
by tdw
Mon Jan 29, 2024 5:12 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 1390

Re: currently-untagged contradicts untagged [SOLVED]

Actually, I have frame-types=admit-only-vlan-tagged set too, on the bridge.
That is only applicable to the implicit bridge-to-CPU port. Each port added under /interface bridge port has its own frame-types= setting.
by tdw
Wed Jan 24, 2024 5:44 pm
Forum: General
Topic: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2
Replies: 4
Views: 1058

Re: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2

Mikrotik have likely added the warning as it is a common misconfiguration. RouterOS does not restrict many configuration settings which could be questionable or not sensible, making it much more flexible than offerings from other vendors.
by tdw
Wed Jan 24, 2024 5:10 pm
Forum: Beginner Basics
Topic: ISP subnet distribution [SOLVED]
Replies: 5
Views: 1975

Re: ISP subnet distribution [SOLVED]

You can either use switch ACL rules, remembering to also permit broadcast IP addresses in addition to each client's unicast IP address, or disable hardware offload and use /ip firewall filter rules after applying /interface bridge settings use-ip-firewall=yes. The CPU performance is likely to limit thr...
by tdw
Wed Jan 24, 2024 3:15 pm
Forum: General
Topic: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2
Replies: 4
Views: 1058

Re: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2

Any tagged= or untagged= entries under /interface bridge vlan should only be ports listed under /interface bridge port or bridge names (for the bridge-to-CPU port). You are also mixing tagged and untagged traffic for VLAN 20 on the bridge by having both an /interface vlan with vlan-id=20 attached to ...
by tdw
Wed Jan 24, 2024 2:47 pm
Forum: General
Topic: OpenLDAP login with RADIUS [SOLVED]
Replies: 2
Views: 1478

Re: OpenLDAP login with RADIUS [SOLVED]

MSCHAP will definitely work against plaintext credentials, if your setup does not it is most likely a FreeRADIUS configuration error - run it with debugging enabled and look at the logs. Depending on how your password changing is implemented you should be able to incorporate something which will sto...
by tdw
Sat Jan 20, 2024 7:31 pm
Forum: RouterBOARD hardware
Topic: hAP ax Lite USB power
Replies: 12
Views: 4271

Re: hAP ax Lite USB power

It is a design fault, and easy enough to make when you are not familiar with all of the complexities of USB-C. The original Raspberry Pi 4 had a similar problem, although that was caused by the two CC pins being wired together to a single resistor, as described in this in-depth article https://ha...
by tdw
Tue Jan 16, 2024 9:12 pm
Forum: General
Topic: how to block bridged packet routed through firewall
Replies: 8
Views: 2512

Re: how to block bridged packet routed through firewall

I probably haven't used bridge filters with mac-protocol qualifiers since before VLAN-aware bridges were introduced. It appears that with vlan-filtering=yes on a bridge many of the bridge filtering options become unusable, all I can suggest is opening a support case with Mikrotik regarding not being...
by tdw
Sun Jan 14, 2024 6:11 pm
Forum: Beginner Basics
Topic: Unable to access the router via L2TP
Replies: 5
Views: 1824

Re: Unable to access the router via L2TP

An easy mistake to make is thinking the RJ45 on a PC/laptop is an IP connection. It isn't: layer 3 IP packets are encapsulated in layer 2 ethernet frames sent with layer 1 signalling/coding, e.g. 10BASE-T/100BASE-TX/1000BASE-T. The IP addressing is straightforward - if the destination IP address is w...
by tdw
Sat Jan 13, 2024 9:44 pm
Forum: General
Topic: IP and route configuration for /28
Replies: 12
Views: 1699

Re: IP and route configuration for /28

The standard way to set this up would be to assign 180.2.220.50/28 to your WAN bridge with a default route to 180.2.220.49. The servers would be assigned addresses of 180.2.220.51/28 (likewise .52, .53, etc. for additional servers) again with a default route to 180.2.220.49. If you wish to firewall ...
by tdw
Sat Jan 13, 2024 9:20 pm
Forum: Beginner Basics
Topic: Unable to access the router via L2TP
Replies: 5
Views: 1824

Re: Unable to access the router via L2TP

I don't really understand why? default gateway IP 192.168.1.1, remote IP when connected via VPN 192.168.1.2. It's /24 network so I am on the same subset.
Using the same subnet for L2TP connections as the LAN does not make the connection part of the same network. You could either: use an L2TP serve...
by tdw
Sat Jan 13, 2024 9:07 pm
Forum: Beginner Basics
Topic: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]
Replies: 10
Views: 3896

Re: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]

No. You only need to add the bridge as a tagged member for traffic which interacts with services provided by the CPU, e.g. a router-on-a-stick setup with multiple VLANs. See viewtopic.php?t=173692 for more information.
by tdw
Sat Jan 13, 2024 7:27 pm
Forum: RouterBOARD hardware
Topic: REQUEST: Support i2c SFP/SFP+ Secuential SingleByte Reads to obtain transceiver details from EEPROM
Replies: 37
Views: 23327

Re: REQUEST: Support i2c SFP/SFP+ Secuential SingleByte Reads to obtain transceiver details from EEPROM

This fixes being able to read any data from SFPs which do not correctly handle multi-byte I2C read requests. The actual data, and location thereof, is specified by https://members.snia.org/document/dl/25916 - some is mandatory, some is optional and some is vendor-specific. Mikrotik decode ...
by tdw
Fri Jan 12, 2024 11:06 pm
Forum: General
Topic: IPv6 configuration /64
Replies: 26
Views: 4853

Re: IPv6 configuration /64

Any devices using SLAAC to acquire an IPv6 address require the subnet to be /64, you can't arbitrarily use a different size just because you don't have a suitable block of addresses. It is possible to use smaller subnets if the hosts are assigned static addresses, or acquire addresses from a suitabl...
by tdw
Thu Jan 11, 2024 6:20 pm
Forum: Beginner Basics
Topic: Forward traffic from 1 DHCP client interface to another IP [SOLVED]
Replies: 12
Views: 2442

Re: Forward traffic from 1 DHCP client interface to another IP [SOLVED]

You appear to be using the hEX to connect two networks each of which has existing gateways. Whilst the dst-nat rule will forward any TCP port 80 packets arriving on ether5 to 10.100.10.210, those packets will still have a 192.168.178.x source address, and as 10.100.10.210 knows nothing of...
by tdw
Tue Jan 09, 2024 2:07 am
Forum: General
Topic: how to block bridged packet routed through firewall
Replies: 8
Views: 2512

Re: how to block bridged packet routed through firewall

IIRC you will have to both identify and drop packets in the bridge. Using the IP firewall to identify them would be too late in the packet flow as the packet will have left the bridge by that point. The minimal case to drop any DHCP requests via a bridge port would be /interface bridge filter add ac...
by tdw
Sun Jan 07, 2024 11:20 pm
Forum: General
Topic: video station - change poster, and IMDB information
Replies: 1
Views: 1066

Re: video station - change poster, and IMDB information

Why are you posting this in Mikrotik forums? As Video Station is a QNAP application their forums would be a good starting point.
by tdw
Sun Jan 07, 2024 3:24 am
Forum: General
Topic: how to block bridged packet routed through firewall
Replies: 8
Views: 2512

Re: how to block bridged packet routed through firewall

DHCP servers use raw sockets, not regular UDP sockets as you may expect. So whilst the DHCP packets traverse /ip firewall they are actually processed before the packets can be dropped, and from previous threads I don't believe it is possible in /ip firewall raw either, you would have to use /bridge ...
by tdw
Sun Jan 07, 2024 3:09 am
Forum: General
Topic: No traffic between VLANs regardless of firewall
Replies: 7
Views: 1823

Re: No traffic between VLANs regardless of firewall

Which OS are the PCs running? Windows, for example, by default blocks ICMP from outside the directly connected LAN subnet.

Using the bridge-to-CPU interface as hybrid instead of all tagged is not an error, some people just do not like the cosmetics.
by tdw
Sat Dec 23, 2023 6:40 pm
Forum: General
Topic: Installing linux packet on MikroTik Router
Replies: 6
Views: 1539

Re: Installing linux packet on MikroTik Router

No. Only packages signed by Mikrotik can be installed directly on the device. Only Mikrotik know what their plans for future functionality are. If you have a model capable of supporting containers you can add functionality that way.
by tdw
Thu Dec 21, 2023 2:50 am
Forum: Beginner Basics
Topic: Routing does not work
Replies: 1
Views: 704

Re: Routing does not work

A list of commands applied to a device plus prints of a random selection of settings is not representative of the actual configuration on the device. The usual recommendation is to post the output of an /export after redacting any sensitive information (serial number, public IPs, credentials in scri...
by tdw
Thu Dec 14, 2023 5:47 am
Forum: General
Topic: 3 different UPS devices
Replies: 3
Views: 1511

Re: 3 different UPS devices

Having built an interface which allows the Mikrotik UPS package to monitor the likes of Meanwell and PULS PSUs with battery charging I've looked into the communications in depth. For the USB HID power device class there are both standard and vendor-specific reports, for the serial APC smart protocol ...
by tdw
Tue Dec 12, 2023 3:14 am
Forum: General
Topic: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]
Replies: 5
Views: 2819

Re: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]

Having the www-ssl service running, or not, on the Mikrotik itself has nothing to do with running an HTTPS webserver elsewhere.
by tdw
Tue Dec 12, 2023 1:36 am
Forum: General
Topic: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]
Replies: 5
Views: 2819

Re: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]

As the error message suggested port 443 is in use:
/ip service
set www-ssl disabled=no
by tdw
Mon Dec 11, 2023 4:48 pm
Forum: Beginner Basics
Topic: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]
Replies: 8
Views: 4542

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]

My WAN was PPPoE, but configured to use baby jumbo frames giving an MTU of 1500, so I used the defaults of mtu=auto and clamp-tcp-mss=yes on the 6to4 interface. The minimum MTU for IPv6 is 1280, normally you should set your MTU correctly and let path MTU discovery do its thing. IPv6 fragmentation is...
by tdw
Sun Dec 10, 2023 5:01 pm
Forum: Beginner Basics
Topic: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]
Replies: 8
Views: 4542

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]

blackhole would be acceptable - any traffic to unallocated subnets would just be dropped. Otherwise adapting the IPv4 workaround as discussed in a related thread viewtopic.php?p=853939#p853939 would be needed to return unreachable.
by tdw
Sat Dec 09, 2023 3:19 pm
Forum: Beginner Basics
Topic: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]
Replies: 8
Views: 4542

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]

And remember to add unreachable or blackhole routes to any routed subnets so packets to any unused portions don't bounce back and forth between you and HE until the TTL expires. From a previous setup before getting native IPv6: /ipv6 route add distance=1 dst-address=2000::/3 gateway=2001:470:xxxC:xx...
by tdw
Wed Dec 06, 2023 11:49 pm
Forum: General
Topic: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.
Replies: 11
Views: 2012

Re: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.

A Mikrotik bridge has two roles, see viewtopic.php?t=173692

For translating between Cisco and Mikrotik switch port terminology this may be useful viewtopic.php?p=920720#p920720
by tdw
Wed Dec 06, 2023 10:05 pm
Forum: General
Topic: Dot1x PEAP rejected: no key for certificate found
Replies: 6
Views: 2984

Re: Dot1x PEAP rejected: no key for certificate found

Might as well continue here for now. If not set the outer identity should use the inner identity, but it may be worth trying setting it explicitly. It isn't clear from the documentation if the dot1x client will refuse to authenticate if no CA has been imported. You should be able to add additional l...
by tdw
Wed Dec 06, 2023 9:53 pm
Forum: General
Topic: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.
Replies: 11
Views: 2012

Re: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.

Also you have configured the bridge-to-CPU interface to be both tagged and untagged, and there is a mismatch between the bridge ports' pvid= and bridge vlan untagged= settings - if you remove all of the untagged= entries these will be created dynamically from the pvid= settings. Depending on how othe...
by tdw
Wed Dec 06, 2023 9:24 pm
Forum: Beginner Basics
Topic: IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]
Replies: 8
Views: 4200

Re: IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]

There is no possibility for communicating classless routes to IPv6 clients. (Apart from the usual default route, of course)
That may be the case for DHCPv6, but that does not acquire the default route in any case. The default route is acquired from RA messages with non-zero RA lifetimes, other rou...
by tdw
Wed Dec 06, 2023 9:21 pm
Forum: Beginner Basics
Topic: IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]
Replies: 8
Views: 4200

Re: IPv6 issues: Want to advertise three v6 pfx w/ SLAAC [SOLVED]

I am still not sure how to convince the routing tables on laptops etc. to only route to those three ipv6 address blocks and prefer-v4 otherwise. Perhaps I need to just live with the default route and use firewall to achieve what I want? Maybe I send back an ICMP unreachable for all but the blocks I...
by tdw
Wed Dec 06, 2023 3:35 pm
Forum: General
Topic: Having issues with DHCP client over trunk [SOLVED]
Replies: 6
Views: 3141

Re: Having issues with DHCP client over trunk [SOLVED]

Yes. VLAN5 & VLAN10 are transporting the two internet connections to the router. Attaching VLAN interfaces with those IDs to the router P5 provides your 'WAN' interfaces.
by tdw
Tue Dec 05, 2023 11:30 pm
Forum: General
Topic: RouterOS7 - Most correct VLAN setup
Replies: 5
Views: 3875

Re: RouterOS7 - Most correct VLAN setup

As the hEX PoE uses the QCA8337 switch chip, which does not support hardware-offloaded VLAN-aware bridges, use a single bridge and configure the switch chip to handle the VLAN filtering, see the examples https://help.mikrotik.com/docs/display/ ... upExamples
by tdw
Mon Dec 04, 2023 3:05 am
Forum: General
Topic: Force ipv4 to use for some sites if it have ipv4 and ipv6 address (ipv6 sit tunnelbroker)
Replies: 4
Views: 1722

Re: Force ipv4 to use for some sites if it have ipv4 and ipv6 address (ipv6 sit tunnelbroker)

If client devices resolve both IPv4 and IPv6 addresses for a target site they will use IPv6 in preference to IPv4 to connect. AFAIK Android and iOS implement 'Happy Eyeballs' for fast fallback to IPv4, and some PC programs do but I don't believe Windows itself does. Static IPv6 NXDOMAIN DNS entries ...
by tdw
Fri Dec 01, 2023 8:32 pm
Forum: General
Topic: Dot1x PEAP rejected: no key for certificate found
Replies: 6
Views: 2984

Re: Dot1x PEAP rejected: no key for certificate found

As it is only peripherally related you should really start a new topic rather than resurrecting a years-old one. Your site may require a realm in the outer / anonymous identity to direct the request to the appropriate servers (e.g. local or a national proxy). A CA certificate is not required but wit...
by tdw
Thu Nov 30, 2023 4:49 pm
Forum: Beginner Basics
Topic: CRS106-1C-5S: Vlan is forwarded, but no VLAN is configured
Replies: 9
Views: 1759

Re: CRS106-1C-5S: Vlan is forwarded, but no VLAN is configured

The CRS1xx/2xx VLAN handling is very different to all the other models as the UI exposes much of the inner switch workings. The bridge should be set to vlan-filtering=no, any ingress-filtering=, frame-types= and pvid= settings on the bridge and bridge ports should be left at their default values. T...
by tdw
Mon Nov 27, 2023 7:03 pm
Forum: Beginner Basics
Topic: Broadcast packets process [SOLVED]
Replies: 6
Views: 3517

Re: Broadcast packets process [SOLVED]

How can you connect three devices to a single ethernet cable? I would expect each device to be connected to a switch port, in which case you can use port isolation or bridge horizon to prevent packets from one of these devices being sent on the links to the others. Some vendors have 'ip helpers' whi...
by tdw
Sun Nov 26, 2023 6:22 pm
Forum: General
Topic: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]
Replies: 6
Views: 2113

Re: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]

As the PADI/PADO/PADR/PADS handshake completes successfully the PPPoE session should work, but there is no response to the LCP negotiation. I would suggest connecting the modem directly to a PC/Mac and configuring a PPPoE client on that to verify a connection can be established, if that also fails t...
by tdw
Sun Nov 26, 2023 1:56 pm
Forum: Beginner Basics
Topic: Help on RM3011UiAS's DHCP Servers
Replies: 2
Views: 1100

Re: Help on RM3011UiAS's DHCP Servers

Given the volume of outdated or incorrect configuration settings which may be found searching the internet GPT4 isn't going to be very good. Your VLAN interfaces have not been assigned IP addresses. Remove the relay= settings for the DHCP servers, this is to forward requests to a server elsewhere. Y...
by tdw
Sun Nov 26, 2023 1:36 pm
Forum: General
Topic: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]
Replies: 6
Views: 2113

Re: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]

Yes, only any specific settings for management. Here the factory defaults are bridge mode so the modem will establish a DSL connection and allow PPPoE or DHCP connections from the Mikrotik (or other router) to be established (most of our ISPs use PPPoE but some use DHCP). The firmware for other count...
by tdw
Sat Nov 25, 2023 9:36 pm
Forum: General
Topic: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]
Replies: 6
Views: 2113

Re: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]

For the UK (modem 4 or modem 8) there was an issue going from 3.7.x to 3.8.x with the introduction of QinQ support which had the symptoms you describe. Resetting to factory defaults and reconfiguring any settings required, e.g. LAN IP address for management access, resolved the problem. There are v...
by tdw
Fri Nov 24, 2023 9:24 pm
Forum: General
Topic: Issues with Ethernet MTU Size in EoIPv6
Replies: 3
Views: 1199

Re: Issues with Ethernet MTU Size in EoIPv6

Screenshots don't particularly help, an /export of the configuration with any sensitive data redacted (serial number, public IP addresses, etc.) shows exactly what you have. There is bound to be fragmentation over a conventional WAN, so it is a case of finding potentially a combination of tunneling t...
by tdw
Fri Nov 24, 2023 6:15 pm
Forum: General
Topic: Issues with Ethernet MTU Size in EoIPv6
Replies: 3
Views: 1199

Re: Issues with Ethernet MTU Size in EoIPv6

The tunnel MTU should be set to 1500 to allow the transport of full-sized Ethernet frames over the tunnel. As the tunnel overheads [40 (IPv6) + 8 (GRE) + 14 (ethernet) + some amount for IPsec (depends on settings)] will result in a total packet size greater than your WAN MTU it will be fragmented. IPv6...
by tdw
Fri Nov 24, 2023 5:29 pm
Forum: Beginner Basics
Topic: 2 Vlans, a firewall, and a PITA DNS.
Replies: 3
Views: 1307

Re: 2 Vlans, a firewall, and a PITA DNS.

What you have attempted is the pre-VLAN-aware bridge method which has a number of caveats, see https://help.mikrotik.com/docs/display/ ... figuration
by tdw
Wed Nov 22, 2023 10:24 pm
Forum: SwOS
Topic: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes
Replies: 7
Views: 4255

Re: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes

Switches do not work in that manner. When a packet is destined for a unicast MAC address which does not exist in the forwarding database, the packet is transmitted out of all the other switch ports; if the destination MAC address does exist in the database the packet is only transmitted out of the port ...
by tdw
Wed Nov 22, 2023 6:19 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 4858

Re: Bridge PVID [SOLVED]

Purists argue that on trunks all VLANs should be tagged, so you would set frame-types=admit-only-vlan-tagged ingress-filtering=yes - the pvid= setting can be anything as it is ignored. Others prefer hybrid trunks where one VLAN is untagged, often for management and with limited access to other devic...
by tdw
Wed Nov 22, 2023 5:00 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 4858

Re: Bridge PVID [SOLVED]

Having the same VLAN tagged and untagged on ports (either a physical ethernet or the intrinsic bridge-to-CPU ones) often breaks communications as packets end up being tagged in one direction but not the other, so you are using a side-effect of this misconfiguration to limit access. The correct way ...
by tdw
Wed Nov 22, 2023 3:37 pm
Forum: Beginner Basics
Topic: mikrotik to mikrotik vpn l2tp ipsec problem [SOLVED]
Replies: 2
Views: 2815

Re: mikrotik to mikrotik vpn l2tp ipsec problem [SOLVED]

A common cause of web pages failing to load in this type of setup is inappropriate tunnel MTU settings. If the tunnel MTU + encapsulation & encryption overheads > WAN MTU the resulting packet is split up and sent as fragmented IP packets, these can be dropped or misordered in transit. The default...
by tdw
Wed Nov 22, 2023 1:48 am
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 4858

Re: Bridge PVID [SOLVED]

Some of the /interface bridge settings relate to the intrinsic bridge-to-CPU port rather than the bridge itself, see viewtopic.php?t=173692
by tdw
Mon Nov 20, 2023 6:53 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 5684

Re: IPv6 DS Lite

Pages not loading or taking a long time to load does suggest MTU / fragment handling / PMTU discovery issues. The default clamp-tcp-mss=yes on the tunnel interface should fix this, which does suggest an issue with their gateway. You could try setting dont-fragment=yes which would drop packets where ...
by tdw
Mon Nov 20, 2023 6:21 pm
Forum: Beginner Basics
Topic: ipv6 setup
Replies: 4
Views: 1419

Re: ipv6 setup

You cannot guess what it should be, the ISP should provide it as they will be routing the block of subnets to it. Their terminology is rather vague too - 'IPv6 address' does hint at being the WAN address but would typically be /64, not /56, and 'routing prefix' hints at the routed subnet but would...
by tdw
Mon Nov 20, 2023 4:01 pm
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 9
Views: 1907

Re: Hetzner Subnet on Mikrotik CHR

Proxy-ARP is not required, you can set it back to the default.
by tdw
Mon Nov 20, 2023 3:56 pm
Forum: General
Topic: Using different external DNS-Server for different LANs
Replies: 2
Views: 1185

Re: Using different external DNS-Server for different LANs

Mikrotik only implement a single DNS server so you are limited to the clients using that or external ones. In your case if the WAN1 peer DNS addresses are static and the VoIP hosts to be resolved can be matched with regexp or match-subdomain you could use the WAN2 DNS servers by default with forward...
by tdw
Mon Nov 20, 2023 5:42 am
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 9
Views: 1907

Re: Hetzner Subnet on Mikrotik CHR

If you configure a router VM as they suggest the CHR should have two ethernet interfaces, then it is a case of translating https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#subnets iface eth0 inet dhcp would be /ip dhcp-client add add-default-route=yes disabled=no interface=...
by tdw
Mon Nov 20, 2023 2:27 am
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 9
Views: 1907

Re: Hetzner Subnet on Mikrotik CHR

Have you read https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#subnets The additional subnet is routed to you. The traditional method would be to assign one of the addresses to a 'LAN' subnet on the CHR to which the VMs are attached, and assign them other addresses from the...
by tdw
Sun Nov 19, 2023 11:59 pm
Forum: SwOS
Topic: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes
Replies: 7
Views: 4255

Re: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes

Five minutes suggests an issue with switch FDB entries ageing out. Do you have any duplicate MAC addresses on different VLANs? SwOS lite does not support IVL which would be required if that is the case.
by tdw
Sun Nov 19, 2023 11:49 pm
Forum: Beginner Basics
Topic: ipv6 setup
Replies: 4
Views: 1419

Re: ipv6 setup

If the addresses are static they should provide a WAN /64 with both their end (the gateway) and your end addresses - the latter should be the target of the routed /56 addresses. If they are mistakenly just presenting a /56 on the WAN that will not work as it requires ND proxy as a hack which Mikroti...
by tdw
Sun Nov 19, 2023 8:46 pm
Forum: General
Topic: Killing my head with L2TP server configuration !
Replies: 2
Views: 2259

Re: Killing my head with L1TP server configuration !

Use the correct terms in the title & description - there is no such thing as L1TP. As you are using a different IP range for VPN clients vs. LAN devices proxy ARP is not required. It is best practice to create a new PPP profile as any changes to the default ones may have unintended side-effects ...
by tdw
Sat Nov 18, 2023 5:18 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1571

Re: Problem with VLAN Setup

Three DHCP servers/networks/pools looks fine - the switch management address is static, if there will be other devices on the management VLAN and they are set up in a similar fashion a DHCP server is not required.
by tdw
Sat Nov 18, 2023 1:26 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1571

Re: Problem with VLAN Setup

CRS326 -> Port 24 is connected to RB5009 (Port 2)
This port is missing from the bridge VLAN settings:
/interface bridge vlan
add bridge=bridge tagged= ether24, sfp-sfpplus1,sfp-sfpplus2 vlan-ids=10
add bridge=bridge tagged= ether24, sfp-sfpplus1,sfp-sfpplus2 vlan-ids=20
add bridge=bridge tagged= et...
by tdw
Fri Nov 17, 2023 11:37 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1571

Re: Problem with VLAN Setup

For the OP - provide the /export of the devices, not the commands you applied to the devices, as there may have been errors whilst importing them.
by tdw
Fri Nov 17, 2023 2:03 am
Forum: Beginner Basics
Topic: RSTP not working with Switch-VLANs
Replies: 8
Views: 2474

Re: RSTP not working with Switch-VLANs

I'd suggest a new thread with an appropriate title to attract people with CAPsMAN experience. There is also https://help.mikrotik.com/docs/display/ ... with+VLANs if you haven't found it already.
by tdw
Wed Nov 15, 2023 9:39 pm
Forum: Beginner Basics
Topic: RSTP not working with Switch-VLANs
Replies: 8
Views: 2474

Re: RSTP not working with Switch-VLANs

Nothing obvious, other than the Qualcomm/Atheros gigabit switch chips ignore the vlan-header property and use the default-vlan-id property to determine which ports are access ports. From the documentation the vlan-header should always be set to leave-as-is for these chips. The other possibility is t...
by tdw
Wed Nov 15, 2023 3:51 pm
Forum: Beginner Basics
Topic: PPoE Dynamic and Static IPs
Replies: 3
Views: 1110

Re: PPoE Dynamic and Static IPs

You do have to configure the additional addresses on a loopback interface if you wish the Mikrotik to respond to ICMP requests, as you say source and destination NAT will work fine without this.
by tdw
Wed Nov 15, 2023 2:30 am
Forum: Beginner Basics
Topic: RSTP not working with Switch-VLANs
Replies: 8
Views: 2474

Re: RSTP not working with Switch-VLANs

Can the firewall somehow block RSTP with an Input-rule?
No.
I see RSTP disabled under service ports by default, but I think this is only used when going through NAT.
That is RTSP not RSTP.
I created both private and guest VLANs on the bridge interface. All Ports (except WAN-Port), WLAN interfaces and d...
by tdw
Sun Nov 12, 2023 6:59 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 5684

Re: IPv6 DS Lite

Difficult to say - you can check CPU utilisation on your device, but it is often not possible to check what the ISP is doing. Most likely is fragmented packets - the default MTU for Mikrotik ipipv6 tunnels appears to be 1460 (i.e. 1500 - size of an IPv6 header), if your IPv6 WAN is less than 1500 th...
by tdw
Fri Nov 10, 2023 10:24 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 5684

Re: IPv6 DS Lite

Glad you have got it working. As the AFTR server name appears to be unchanging for the ISP you also do not have to bother with parsing the DHCPv6 option 64 reply and updating the ipipv6 remote address. For info - whilst the tunnel IPv4 address is arbitrary IANA reserved the 192.0.0.0/29 range to pre...
by tdw
Fri Nov 10, 2023 7:26 pm
Forum: General
Topic: /31 subnet
Replies: 8
Views: 2726

Re: /31 subnet

Can you ping the ISP gateway from the Mikrotik itself, and if so traceroute any further?

Lack of internet access from your LAN could be missing/incorrect NAT rules.
by tdw
Fri Nov 10, 2023 5:27 pm
Forum: General
Topic: /31 subnet
Replies: 8
Views: 2726

Re: /31 subnet

You need a default route too:

/ip route add gateway=193.56.1.222
by tdw
Fri Nov 10, 2023 4:48 pm
Forum: General
Topic: /31 subnet
Replies: 8
Views: 2726

Re: /31 subnet

Mikrotiks don't use the obvious syntax for supporting /31 addresses, instead you configure a /32 address but specify the other end as the network parameter:

/ip address add address=193.56.1.223 network=193.56.1.222 interface=<your WAN interface>
by tdw
Fri Nov 10, 2023 4:27 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 5684

Re: IPv6 DS Lite

You could try !keepalive on the tunnel interface as the remote end may not respond to probes, or it could be firewall rules blocking the traffic.
by tdw
Fri Nov 10, 2023 2:41 am
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 5684

Re: IPv6 DS Lite

The :put command outputs data to the console, you could use :log instead. Are you requesting the option? According to the specifications servers should not send the OPTION_AFTR_NAME unless specifically requested, so /ipv6 dhcp-client option add code=6 name=OPTION_ORO value=0x0040 The rather sparse d...
by tdw
Thu Nov 09, 2023 5:09 am
Forum: Beginner Basics
Topic: Understanding ARP
Replies: 2
Views: 1051

Re: Understanding ARP

The layer 3 IP has no concept of MAC addresses, IP firewall and routing are irrelevant to ARP. ARP works within a layer 2 broadcast domain to provide the MAC address associated with an IP address - it doesn't get forwarded outside the broadcast domain.
by tdw
Mon Nov 06, 2023 9:39 pm
Forum: General
Topic: How to downgrade CCR2116-12G-4S+?
Replies: 2
Views: 955

Re: How to downgrade CCR2116-12G-4S+?

Also, recently introduced Mikrotik models were designed to run v7 only - they are not going to expend effort adding support for new SoC and/or peripherals to v6.
by tdw
Mon Nov 06, 2023 9:28 pm
Forum: Beginner Basics
Topic: LTE Dish Router - inbound traffic - newbie to Mikrotik - help!!
Replies: 3
Views: 1298

Re: LTE Dish Router - inbound traffic - newbie to Mikrotik - help!!

The default firewall rules permit ICMP. Are you getting a public IP address - in the UK the only mainstream SIMs which provide public addresses are Three, and then only if you use the correct APN. Depending on what the EE SIM with fixed IP will cost, as they are often for small amounts of data for I...
by tdw
Mon Nov 06, 2023 5:32 pm
Forum: General
Topic: GPON ONU module alternatives
Replies: 11
Views: 3799

Re: GPON ONU module alternatives

There are several threads in the forum, e.g. viewtopic.php?p=1027689
by tdw
Mon Nov 06, 2023 5:28 pm
Forum: Beginner Basics
Topic: DHCP Offer not received on other side of trunk [solved]
Replies: 12
Views: 3131

Re: DHCP Offer not received on other side of trunk

Under /interface vlan the entries should have interface=bridgeINT not interface=ether1. The first post in the thread you quote is similarly incorrect, as pointed out by the second post. Which VLAN isn't receiving DHCP? The wAP appears to have multiple DHCP clients plus some DHCP servers, which is unu...
by tdw
Sun Nov 05, 2023 6:01 pm
Forum: Beginner Basics
Topic: DHCP Offer not received on other side of trunk [solved]
Replies: 12
Views: 3131

Re: DHCP Offer not received on other side of trunk

The wAP bridge config is a mess: You have VLANs attached directly to a bridge port, they should always be attached to the bridge itself. Don't add a VLAN with ID 1, this is the default PVID on bridge ports. You have a mix of VLAN-aware bridge and switch VLAN configuration - these interact in undocum...
by tdw
Sun Nov 05, 2023 5:45 pm
Forum: Beginner Basics
Topic: RouterOS - Connecting 2 Subnets on 1 Router
Replies: 1
Views: 1072

Re: RouterOS - Connecting 2 Subnets on 1 Router

Static routes are unnecessary. The intrinsic policy is to permit forwarding between any subnets on the mikrotik, likely there are firewall rules blocking communication.
by tdw
Tue Oct 31, 2023 2:34 am
Forum: General
Topic: Routing distance not modifiable [SOLVED]
Replies: 4
Views: 2020

Re: Routing distance not modifiable [SOLVED]

Smaller subnets always have priority over larger; distance is only used when there are multiple subnets of the same size. The static route (#5 of /ip route print) looks incorrect - the gateway should be the next hop address, not the interface:

/ip route add dst-address=192.168.253.0/24 gateway=192.168....
by tdw
Tue Oct 31, 2023 2:21 am
Forum: Scripting
Topic: problems with update 7.10+ script does not work
Replies: 2
Views: 2165

Re: problems with update 7.10+ script does not work

See viewtopic.php?t=196072 and modify the script accordingly
by tdw
Mon Oct 30, 2023 10:52 pm
Forum: General
Topic: Vlan L3 Interface & Switching VLAN [SOLVED]
Replies: 1
Views: 1170

Re: Vlan L3 Interface & Switching VLAN [SOLVED]

You are missing any /interface bridge vlan configuration. Whilst the bridge port pvid= settings will dynamically add those ports as untagged members, you need to specify the bridge-to-cpu port tagged membership.

/interface bridge vlan
add bridge=br0 tagged=br0 vlan-ids=10
add bridge=br0 tagged=br0 vl...
by tdw
Mon Oct 30, 2023 9:56 pm
Forum: General
Topic: RB3011, VLAN switching/routing and DHCP server
Replies: 11
Views: 1898

Re: RB3011, VLAN switching/routing and DHCP server

Attempting to mix a VLAN-aware bridge and switch-chip VLAN filtering is just asking for trouble.

Either: Use a VLAN-aware bridge, the only downside of which is you do not get wirespeed L2 performance between ports in the same VLAN.

Or: Use a non-VLAN-aware bridge which acts like an unmanaged switch a...
by tdw
Sat Oct 21, 2023 5:16 pm
Forum: Wireless Networking
Topic: No DHCP via WiFi
Replies: 5
Views: 2259

Re: No DHCP via WiFi

Did you make all of the suggested changes? Also, the wlan interfaces will be added automatically by CAPsMAN so should not be added manually:

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
/interface wireless cap
set bri...
by tdw
Tue Oct 10, 2023 9:20 pm
Forum: General
Topic: Can't access DNS domain names from the router
Replies: 7
Views: 1308

Re: Can't access DNS domain names from the router

That does not solve the OP's problem.
by tdw
Tue Oct 10, 2023 2:27 am
Forum: General
Topic: Can't access DNS domain names from the router
Replies: 7
Views: 1308

Re: Can't access DNS domain names from the router

Allowing DNS requests from outside is a bad idea, it turns your router into an open DNS resolver.

All the issues stem from you having deleted the first line of the default configuration which accepts established, related and untracked traffic in the input chain.
by tdw
Sun Oct 08, 2023 11:04 pm
Forum: Beginner Basics
Topic: IPv6 with Vodafone Station (Czechia) borked
Replies: 3
Views: 1141

Re: IPv6 with Vodafone Station (Czechia) borked

It should pass IPv6 OK - however if you have DHCP or IGMP snooping enabled it may break IPv6 multicast, IIRC there have been some forum posts about this.

For the CRS to obtain an IPv6 address disabling IPv6 forwarding will enable it to process RAs.
by tdw
Sun Oct 08, 2023 8:57 pm
Forum: Beginner Basics
Topic: IPv6 with Vodafone Station (Czechia) borked
Replies: 3
Views: 1141

Re: IPv6 with Vodafone Station (Czechia) borked

Are you using the CRS as a bridge or a router? AFAIK mobile operators only provide a single /64 and no prefix delegation. As you need one /64 per network using the CRS as a router will not work unless you resort to NAT (which IPv6 was supposed to do away with).
by tdw
Sun Oct 01, 2023 11:41 pm
Forum: Beginner Basics
Topic: Cannot connect to the internet with PPOE with vlan
Replies: 3
Views: 937

Re: Cannot connect to the internet with PPOE with vlan

The new WAN interface needs adding to the WAN interface list, otherwise there will be no internet access from the LAN:
/interface list member
add interface=EboxPPOE list=WAN

You can also remove ether1 from the list, and disable or remove the DHCP client.
by tdw
Sun Oct 01, 2023 12:48 am
Forum: SwOS
Topic: Help with VLans.
Replies: 10
Views: 3479

Re: Help with VLans.

You have no /ip address in the 10.10.1.0/24 subnet.

The /interface vlan should refer to the bridge, not any member ports.

There are also unnecessary duplicates in /ip pool.
by tdw
Fri Sep 29, 2023 10:37 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 3206

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

Without accepting RAs you will likely lose the gateway information. IIRC when changing accept RAs some things don't actually change until after reboot.

I would suggest sending a feature request to Mikrotik; not accepting the RA DNS options is likely to be a common requirement as more people use IPv6.
by tdw
Fri Sep 29, 2023 8:46 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 3206

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

The DHCPv6 client use-peer-dns option will only affect handling of OPTION_DNS_SERVERS received in the DHCPv6 reply; there is similarly an option in the PPPoE client to use or ignore any DNS provided by IPv6CP when using PPPoE. It needs a separate option to use or ignore the RA-provided data.