Search found 1911 matches

by tdw
Thu Jun 13, 2024 6:34 pm
Forum: General
Topic: Native vlan
Replies: 4
Views: 348

Re: Native vlan

When I turn off vlan-filtering, only vlan 1 works. What do you mean by 'works'? ether1-6 will be able to communicate with each other, if VLAN 1 untagged also has to transit the ether24 and sfp-sfpplus4 trunks then change frame-types=admit-only-vlan-tagged to admit-all Unrelated, there is no need to...
by tdw
Wed Jun 12, 2024 6:37 pm
Forum: Wireless Networking
Topic: Radius Server setup
Replies: 12
Views: 858

Re: Radius Server setup

Set up your own RADIUS server & frontend on-prem or hosted elsewhere / subscribe to a cloud-based service (e.g. CloudRADIUS, JumpCloud, Foxpass) and use WPA2-Enterprise for wireless / 802.1X for wired authentication with username/password and/or certificates. All locations should use this data/s...
by tdw
Wed Jun 12, 2024 5:15 pm
Forum: Beginner Basics
Topic: What does PVID do on bridge VLAN
Replies: 1
Views: 216

Re: What does PVID do on bridge VLAN

In Winbox the VLAN tab of a bridge interface contains the settings of the bridge-to-CPU port, in exactly the same way as the VLAN tab of a bridge port does for other ports added to the bridge. These are layer 2 settings - they will not stop your Guest & IoT networks from accessing some IP servic...
by tdw
Thu Jun 06, 2024 10:11 pm
Forum: SwOS
Topic: Password length limit on SwOS? Seriously?
Replies: 20
Views: 1166

Re: Password length limit on SwOS? Seriously?

The processor in the switch chips on SwOS-only devices is very limited so it is highly unlikely that any encryption can be added. From the Marvell datasheet Target Applications section "Smart and Lightly Managed switches: Integrated microprocessor enables lightly managed switches with the addit...
by tdw
Thu Jun 06, 2024 9:55 pm
Forum: RouterBOARD hardware
Topic: AOC SFP module - S+AO0005. Connector type info.
Replies: 2
Views: 721

Re: AOC SFP module - S+AO0005. Connector type info.

I suppose the Media Connector type (EEPROM address A0h, byte 2) could be set to either 0Bh 'Optical Pigtail' or 23h 'No separable connector' instead of 21h 'Copper pigtail' (from SFF-8024 Table 4-3 Connector Types). For SFPs, per SFF-8074, bytes 14-18 specify the maximum length for 9/125, 50/125 &...
by tdw
Thu Jun 06, 2024 7:29 pm
Forum: Forwarding Protocols
Topic: OSPF misconfig causing packet loss
Replies: 3
Views: 240

Re: OSPF misconfig causing packet loss

When you say Neighbours do you mean OSPF Neighbours or IP Neighbours? Use PTMP rather than broadcast, v7 'ptmp-broadcast' is compatible with v6 'ptmp'.
by tdw
Thu Jun 06, 2024 7:17 pm
Forum: Beginner Basics
Topic: DNS QUAD9 not working?
Replies: 1
Views: 258

Re: DNS QUAD9 not working?

Your ISP could be intercepting any DNS requests not destined for their servers and redirecting them.
by tdw
Tue Jun 04, 2024 8:34 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 323
Views: 65704

Re: v7.15 [stable] is released!

I'd rather see bridge "the CPU facing port" become a distinct item ... just like switchX-cpu port in switch chip configs. IMO this would prevent quite some confusion which arises from the fact that there are 3 different items (switch-like entity, CPU-facing port and interface) all named t...
by tdw
Tue Jun 04, 2024 8:25 pm
Forum: Announcements
Topic: v7.15.1 [stable] is released!
Replies: 323
Views: 65704

Re: v7.15 [stable] is released!

In fact, I think /interface/vlan should have some option/attribute that automatically adds tagged=bridge (as a dynamic .../bridge/vlan) – so Layer3/IP work without messing with bridge vlan table at all. So whole /interface/bridge/vlans complexity be only needed for hybrid ports or Layer2-only switc...
by tdw
Tue Jun 04, 2024 7:34 pm
Forum: Virtualization
Topic: How CHR choose ARP src-ip when there is more 2 ipv4 adressed on same nic
Replies: 1
Views: 232

Re: How CHR choose ARP src-ip when there is more 2 ipv4 adressed on same nic

If the public address is routed via the private address it should not be attached to the interface, but rather exist on a loopback interface and the preferred source address set for traffic originated from the Mikrotik itself. /interface bridge add name=local protocol-mode=none /ip address add addre...
by tdw
Mon Jun 03, 2024 10:09 pm
Forum: General
Topic: firewall error PPTP VPN
Replies: 2
Views: 315

Re: firewall error PPTP VPN

If the 192.168.1.x addresses use a subnet mask of /24 then 192.168.1.0 is not a valid address, so I would expect it to never work.

Also use a better VPN protocol than PPTP, fundamental vulnerabilities have been known for over 10 years making it insecure.
by tdw
Mon Jun 03, 2024 9:59 pm
Forum: General
Topic: RSTP - What the hell? [SOLVED]
Replies: 14
Views: 779

Re: RSTP - What the hell? [SOLVED]

Also if you set edge=yes on the Mikrotik bridge ports connecting to the Cisco(s) they will ignore any received and not send any BPDUs (equivalent to PortFast) which may allow you to change to a single bridge. This means that it will ignore the BPDUs that the Cisco's send, turning the Cisco into a ...
by tdw
Mon Jun 03, 2024 7:37 pm
Forum: General
Topic: RSTP - What the hell? [SOLVED]
Replies: 14
Views: 779

Re: RSTP - What the hell? [SOLVED]

There are various potential pitfalls https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration but impossible to say if you have hit any of these without seeing the configurations. Also if you set edge=yes on the Mikrotik bridge ports connecting to the Cisco(s) they will ignore any received an...
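An added example (not from this thread, and not the original poster's configuration) showing the edge= setting described in the two posts above, together with the guard a practitioner would add on end-host ports. Port roles are assumed: ether1 faces a Cisco switch, ether3 to ether5 are end-host ports, and the bridge is named bridge.

```routeros
# Added example, not from the thread; port roles and the bridge name are assumed.
/interface bridge set bridge protocol-mode=rstp

# port toward the Cisco: with edge=yes RouterOS neither sends BPDUs on it nor acts on the
# Cisco's, so the two spanning-tree domains are decoupled as described in the posts above.
# Leave it at the default if the Cisco should stay part of the same spanning tree.
/interface bridge port set [find interface=ether1] edge=yes

# end-host ports: declare them edge (forward immediately, like PortFast) and disable the port
# if a BPDU ever arrives, which means a switch was plugged in or a loop was created
/interface bridge port set [find interface~"^ether[345]\$"] edge=yes bpdu-guard=yes

# a port disabled by BPDU guard stays down until re-enabled by hand, for example:
/interface bridge port enable [find interface=ether3]
```

Check the result with /interface bridge port print where the role and edge columns show what RSTP decided for each port.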
by tdw
Mon Jun 03, 2024 7:18 pm
Forum: General
Topic: VLAN Configuration
Replies: 12
Views: 1106

Re: VLAN Configuration

Nothing obvious assuming that change is only applied to /interface bridge port (two entries), /interface bridge vlan (three entries on two lines) and /interface vlan (one entry) as you can't have two bridges with the same name. Do the Current Tagged and Current Untagged columns under Bridge > VLANs ...
by tdw
Sat Jun 01, 2024 2:04 am
Forum: General
Topic: VLAN Configuration
Replies: 12
Views: 1106

Re: VLAN Configuration

I hadn't spotted that was missing, having bridge-TPP in the tagged list for VLAN 40 is unnecessary. Under /interface bridge port the pvid= setting specifies which VLAN untagged ingress traffic is assigned to. Under /interface bridge vlan ports in the untagged= interface list have the VLAN tag remove...
by tdw
Fri May 31, 2024 1:47 am
Forum: General
Topic: VLAN Configuration
Replies: 12
Views: 1106

Re: VLAN Configuration

The bridge name bridge-TPP refers to both the bridge and the implicit bridge-to-CPU bridge port so you are connecting VLAN 40 on ether4 untagged to the CPU tagged. To connect ether4 untagged to ether5 tagged requires the following change to /interface bridge vlan: add bridge=bridge-TPP tagged= brid...
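An added worked configuration (not from any post in this thread, and not the poster's own setup) that puts the points made above together: pvid= on a bridge port assigns untagged ingress to a VLAN, the untagged= list in /interface bridge vlan strips the tag on egress, the bridge name in tagged= refers to the implicit bridge-to-CPU port, and the settings of that CPU port live on the bridge itself. Interface names (ether4 as access port, ether5 and ether6 as trunks), the VLAN IDs and the 10.0.10.2 management address are assumptions.

```routeros
# Added example, not from the thread. ether4 = access port in VLAN 40,
# ether5/ether6 = trunks, VLAN 10 = management terminated on the CPU.
/interface bridge
add name=bridge-TPP vlan-filtering=no comment="enable vlan-filtering last"

/interface bridge port
# access port: untagged ingress is assigned to VLAN 40 by pvid; tagged frames are refused
add bridge=bridge-TPP interface=ether4 pvid=40 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# trunks: tagged only; ingress-filtering drops VIDs that are not in the VLAN table
add bridge=bridge-TPP interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge-TPP interface=ether6 frame-types=admit-only-vlan-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 40: tagged on the trunks, tag removed on egress to ether4; the CPU is not a member
add bridge=bridge-TPP vlan-ids=40 tagged=ether5,ether6 untagged=ether4
# VLAN 10: the CPU-facing port is named after the bridge, so "bridge-TPP" in tagged=
# is what lets the /interface vlan below receive VLAN 10
add bridge=bridge-TPP vlan-ids=10 tagged=bridge-TPP,ether5,ether6
# transit-only VLANs between the trunks; never reuse an ID from a multi-ID row as a pvid
add bridge=bridge-TPP vlan-ids=20,30 tagged=ether5,ether6

/interface vlan
add name=vlan10-mgmt interface=bridge-TPP vlan-id=10
/ip address
add address=10.0.10.2/24 interface=vlan10-mgmt

# the bridge-to-CPU port's own settings (the VLAN tab of the bridge in Winbox) are set on the
# bridge; its pvid stays at the default 1 rather than 10, which belongs to the /interface vlan
/interface bridge set bridge-TPP frame-types=admit-only-vlan-tagged ingress-filtering=yes
# only after management over vlan10-mgmt has been verified from a console session:
/interface bridge set bridge-TPP vlan-filtering=yes
```

After enabling, /interface bridge vlan print shows the current-tagged and current-untagged columns; ether4 should appear dynamically as untagged for VLAN 40 from its pvid even if it had not been listed explicitly.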
by tdw
Wed May 29, 2024 11:31 am
Forum: General
Topic: Lock device
Replies: 4
Views: 436

Re: Lock device

Set reformat-hold-button and reformat-hold-button-max. The device cannot be reset, only completely reformatted by holding the reset button for a time between the two values and will then require a netinstall as described in the link provided.
by tdw
Wed May 29, 2024 3:29 am
Forum: General
Topic: Lock device
Replies: 4
Views: 436

Re: Lock device

See https://help.mikrotik.com/docs/display/ ... bootloader. You can disable the Winbox service but that will prevent anyone using it, a usual recommendation is to make Winbox accessible only via a VPN connection to or from the device.
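An added example (not from this thread) of the two measures the posts above describe, with the caveat a practitioner would want stated in the comments. The hold times, the 10.99.0.0/24 VPN subnet, the 10.0.10.0/24 management VLAN and the existence of an interface list named WAN are assumptions.

```routeros
# Added example, not from the thread. Hold times, subnets and the WAN list name are assumed.
# Protected bootloader: the reset button can no longer restore defaults. Holding it for
# between reformat-hold-button and reformat-hold-button-max wipes the flash, after which
# netinstall is the only way back. Lost credentials therefore mean a full wipe, so keep a
# configuration backup off the device before enabling this.
/system routerboard settings set protected-routerboot=enabled \
    reformat-hold-button=20s reformat-hold-button-max=10m

# Winbox and SSH stay enabled but answer only from the VPN and the management VLAN
/ip service set winbox address=10.99.0.0/24,10.0.10.0/24
/ip service set ssh address=10.99.0.0/24,10.0.10.0/24
/ip service set [find name~"^(telnet|ftp|www|api)\$"] disabled=yes

# the same restriction in the input chain, so the service address list is not the only control
/ip firewall address-list add list=mgmt address=10.99.0.0/24
/ip firewall address-list add list=mgmt address=10.0.10.0/24
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input src-address-list=mgmt protocol=tcp dst-port=8291,22 \
    action=accept comment="winbox and ssh from management sources only"
/ip firewall filter add chain=input in-interface-list=WAN action=drop

# MAC-level Winbox/telnet bypass the IP rules above; restrict them to trusted ports or none
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
```

Apply the service and firewall changes from a session that will survive them (the VPN or the management VLAN), and test a second login before enabling protected-routerboot, since a lockout after that point can only be cleared by the wipe.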
by tdw
Tue May 28, 2024 9:06 pm
Forum: Forwarding Protocols
Topic: OSPF Bug: incorrect network advertisement for point-to-point addresses
Replies: 9
Views: 592

Re: OSPF Bug: incorrect network advertisement for point-to-point addresses

This caught me out a few weeks ago when converting from 6.x to 7.x. Although it isn't mentioned anywhere in the documentation I could find /routing ospf interface-template has some hidden functionality where specifying type=ptp swaps the local and remote addresses, try add area=A disabled=no network...
by tdw
Mon May 27, 2024 7:51 pm
Forum: General
Topic: Switch CRS112-8P-4S high CPU load [SOLVED]
Replies: 4
Views: 567

Re: Switch CRS112-8P-4S high CPU load [SOLVED]

Nothing immediately obvious. Possibly if there is much broadcast or multicast traffic on your management VLAN that will be processed by the CPU, even if then discarded.

Using VLAN 1 tagged is uncommon but shouldn't be the cause.
by tdw
Mon May 27, 2024 7:44 pm
Forum: Scripting
Topic: how to provide different ip on pppoe for each connect
Replies: 1
Views: 280

Re: how to provide different ip on pppoe for each connect

I don't believe you can do this as pool allocations are 'sticky' - for any particular MAC address and username combination the previously used IP is issued when reconnecting. Only a reboot, no free pool addresses (which forces a cleanup), or not being used for some time resets this behaviour.
by tdw
Mon May 27, 2024 6:03 pm
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 1467

Re: Default VLAN for non-authenticated users ?

I'm not sure why the Mikrotik supplicant works without a certificate on the server. The certificate provides the keying material for the TLS tunnel used by PEAP in addition to providing identity information. Per the previously linked page for Windows supplicants they will not work unless the certifc...
by tdw
Mon May 27, 2024 1:53 pm
Forum: Beginner Basics
Topic: Beginner's question: Bridging and VLANs
Replies: 2
Views: 495

Re: Beginner's question: Bridging and VLANs

One bridge. See https://forum.mikrotik.com/viewtopic.php?t=143620 , https://forum.mikrotik.com/viewtopic.php?t=173692 , https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-SetupExamples for RouterOS, https://help.mikrotik.com/docs/pages/viewpage.action?pageId=76415036#...
by tdw
Sun May 26, 2024 11:34 pm
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 1467

Re: Default VLAN for non-authenticated users ?

Pretty much all EAP methods will not work unless the server presents a certificate - are you sure FreeRADIUS isn't using some default certificate, whereas usermanager will need one creating
by tdw
Sun May 26, 2024 8:41 pm
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 1467

Re: Default VLAN for non-authenticated users ?

What certificates are you using for the EAP part? Windows requires the CA to be in the machine certificate store, there are other caveats too https://wiki.geant.org/display/H2eduroa ... iderations
by tdw
Wed May 22, 2024 2:26 pm
Forum: General
Topic: Use specific IP in internal network using L2TP
Replies: 5
Views: 1090

Re: Use specific IP in internal network using L2TP

If the client connected using an IP / layer3 VPN has an address which falls within the subnet used on a local ethernet / layer2 network it requires the use of proxy-ARP. Note the naming of L2TP can be misleading - it refers to layer2 tunneling of PPP packets, not the client IP data itself.
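An added example (not from this thread) of the proxy-ARP arrangement the post describes: L2TP clients receive addresses from the LAN subnet itself, so the router has to answer ARP for them on the LAN segment. The 192.168.88.0/24 LAN on bridge-lan, the pool range, the user names and the placeholder secrets are assumptions.

```routeros
# Added example, not from the thread. LAN is 192.168.88.0/24 on bridge-lan; L2TP clients
# are handed addresses from the same subnet, so proxy-ARP is required on the LAN side.
/ip pool add name=l2tp-pool ranges=192.168.88.200-192.168.88.219
/ppp profile add name=l2tp-lan local-address=192.168.88.1 remote-address=l2tp-pool \
    use-encryption=required
/interface l2tp-server server set enabled=yes default-profile=l2tp-lan \
    use-ipsec=required ipsec-secret=ChangeMe
/ppp secret add name=road-warrior password=ChangeMe service=l2tp profile=l2tp-lan
# a specific client can be pinned to a fixed LAN address instead of the pool
/ppp secret add name=branch-printer password=ChangeMe service=l2tp profile=l2tp-lan \
    remote-address=192.168.88.250

# without this a LAN host ARPing for 192.168.88.250 gets no answer: the client sits behind a
# /32 route over PPP, not on the ethernet segment. With proxy-arp the router replies with its
# own MAC and forwards the traffic into the tunnel.
/interface bridge set bridge-lan arp=proxy-arp
```

Note that proxy-ARP on the LAN bridge makes the router claim any address it has a route for, so keep the pool inside the LAN subnet and avoid overlapping routes, otherwise it will answer for addresses it should not.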
by tdw
Wed May 22, 2024 2:09 pm
Forum: General
Topic: USE IP FIREWALL FEATURE IN BRIDGE SETTINGS [SOLVED]
Replies: 1
Views: 449

Re: USE IP FIREWALL FEATURE IN BRIDGE SETTINGS [SOLVED]

It forces any bridged traffic to also pass through IP firewall chains https://help.mikrotik.com/docs/display/ROS/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-BridgeForward , this is only required if you wish to apply firewall rules, where bridge ACLs are insufficient (e.g. as they are stateless), or...
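An added example (not from this thread) of the case the post describes, where a stateless bridge ACL is insufficient: two hosts on the same VLAN where one may open connections to the other but not the reverse. Interface names and the host roles are assumptions.

```routeros
# Added example, not from the thread. ether3 (a workstation) may open connections to
# ether4 (a printer) on the same VLAN of bridge-lan; nothing on ether4 may initiate toward
# ether3. Interface names are assumed.

# bridge ACLs are stateless: the only rule they can express is "drop ether4->ether3", which
# also kills the replies to connections ether3 opened
/interface bridge filter add chain=forward in-interface=ether4 out-interface=ether3 \
    action=drop disabled=yes comment="stateless alternative, left disabled"

# route bridged frames through /ip firewall so connection tracking applies. Every bridged
# packet is now handled by the CPU, so expect a throughput cost on switch-class hardware.
/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-bridge-port=ether3 out-bridge-port=ether4 connection-state=new \
    action=accept comment="workstation -> printer"
add chain=forward in-bridge-port=ether4 out-bridge-port=ether3 connection-state=new \
    action=drop comment="printer cannot initiate toward the workstation"
```

The in-bridge-port and out-bridge-port matchers only see traffic once use-ip-firewall=yes is set; with it off the bridged frames never enter the IP forward chain and those rules silently match nothing.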
by tdw
Wed May 22, 2024 3:52 am
Forum: Beginner Basics
Topic: [delete]
Replies: 23
Views: 1169

Re: CRS310-8G+S2 reality check on CPU use when using internet traffic

CRS devices are primarily ethernet / layer2 switches with some IP / layer3 functionality, i.e. limited performance as the CPU is not particularly capable. RouterOS v7 introduced L3 hardware offloading, however the DX2000 in the CRS310-8G+2S+ only supports routing offload, not fasttrack and NAT conne...
by tdw
Sun May 19, 2024 12:31 pm
Forum: Beginner Basics
Topic: Two public addresses from one provider
Replies: 3
Views: 538

Re: Two public addresses from one provider

Using a bridge as a local/loopback interface will not work if the addresses are presented directly - just add the addresses to the WAN interface, for example: /ip address add address=155.13.35.202/29 interface=ether1 add address=155.13.35.203/29 interface=ether1 Only if the additional addresses are ...
by tdw
Sun May 19, 2024 5:26 am
Forum: The User Manager
Topic: Default VLAN for non-authenticated users ?
Replies: 11
Views: 1467

Re: Default VLAN for non-authenticated users ?

See https://help.mikrotik.com/docs/display/ROS/Dot1X#Dot1X-Server . The guest-vlan-id functionality is odd, other vendors allow access to a guest VLAN immediately until dot1x authentication completes. Other than making a feature request to Mikrotik there isn't much you can do to reduce the time. Not...
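An added example (not from this thread, nor the original poster's configuration) of the pieces the posts above say must be in place before guest-VLAN behaviour is even reached: a server certificate on the RADIUS side (here RouterOS User Manager, which needs one created and assigned), a PEAP user group, and a dot1x server on the access ports with guest, reject and server-fail VLANs set. Names, VLAN IDs, the 10.0.10.1 RADIUS address, the shared secret and the User Manager auth-method values (taken to be outer-auths=eap-peap inner-auths=peap-mschap2) are assumptions.

```routeros
# Added example, not from the thread. All names, IDs, addresses and secrets are assumed.
# 1. A CA and a server certificate: PEAP needs the certificate for its TLS tunnel, and
#    Windows supplicants refuse the server unless the CA is in the machine certificate store.
/certificate add name=lab-ca common-name=lab-ca key-usage=key-cert-sign,crl-sign days-valid=3650
/certificate sign lab-ca
/certificate add name=radius-srv common-name=radius.lab.example key-usage=tls-server days-valid=825
/certificate sign radius-srv ca=lab-ca
# the exported CA file is what gets imported into the Windows machine certificate store
/certificate export-certificate lab-ca type=pem

# 2. User Manager as the RADIUS server; without certificate= no EAP method starts
/user-manager set enabled=yes certificate=radius-srv
/user-manager router add name=access-switch address=10.0.10.1 shared-secret=ChangeMe
# auth-method value names are assumed from the v7 User Manager documentation
/user-manager user group add name=peap-users outer-auths=eap-peap inner-auths=peap-mschap2
/user-manager user add name=alice password=ChangeMeToo group=peap-users

# 3. The switch as authenticator: RADIUS client for dot1x, then the access ports
/radius add service=dot1x address=10.0.10.1 secret=ChangeMe
/interface dot1x server add interface=ether2 auth-types=dot1x \
    guest-vlan-id=99 reject-vlan-id=98 server-fail-vlan-id=98
# guest-vlan-id is applied only after the supplicant exchange has timed out, not on link-up,
# which is the delay discussed above. reject-vlan-id and server-fail-vlan-id cover a failed
# authentication and an unreachable RADIUS server so the port never silently falls open.
```

Verify with /interface dot1x server print and /user-manager session print; a supplicant that fails at the TLS stage (missing or untrusted CA) never produces an inner authentication attempt, which is the symptom to look for before touching the VLAN settings.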
by tdw
Fri May 17, 2024 5:29 pm
Forum: General
Topic: CCR2116 RouterOS upgrade vs Routerboard Upgrade [SOLVED]
Replies: 4
Views: 4375

Re: CCR2116 RouterOS upgrade vs Routerboard Upgrade [SOLVED]

The RouterBoard firmware is equivalent to the BIOS on a PC - it handles the initial chipset configuration and RouterOS loading. It is persistent unless upgraded or the device is completely reflashed with netinstall. Historically the firmware and OS used different version numbering. At some point the...
by tdw
Sun May 12, 2024 2:03 pm
Forum: Scripting
Topic: SSTP-server interface scripting [SOLVED]
Replies: 4
Views: 6013

Re: SSTP-server interface scripting [SOLVED]

Did you drop the existing connection? The server binding will be used when the client reconnects.
by tdw
Sun May 12, 2024 1:59 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1007

Re: daloRADIUS & mikrotik PPTP server

That isn't something I have used, if it doesn't have options for specific RADIUS reply attributes it depends if it has any mechanism for adding generic/custom ones.
by tdw
Sat May 11, 2024 6:48 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1007

Re: daloRADIUS & mikrotik PPTP server

Two routes is correct - one from the point-to-point tunnel, the second the subnet route.

However you can't have the same subnet on both your CHR and the remote client, routing relies on subnets not overlapping with each other as it has no way of knowing which interface to use if they do.
by tdw
Sat May 11, 2024 12:57 pm
Forum: General
Topic: Dropping forward chain new - pppoe connections
Replies: 2
Views: 381

Re: Dropping forward chain new - pppoe connections

You do not have pppoe-out1 added to the WAN interface list.
by tdw
Fri May 10, 2024 11:25 pm
Forum: Scripting
Topic: SSTP-server interface scripting [SOLVED]
Replies: 4
Views: 6013

Re: SSTP-server interface scripting [SOLVED]

It doesn't need any scripting, use a server binding: /interface sstp-server add name=sstp-in-lsstp user=lsstp When a connection is made with the username specified the named interface, sstp-in-lsstp in this case, is created instead of the usual <sstp-lsstp> dynamic one. Obviously only works for a si...
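An added example (not from this thread) of why the static binding is useful: a route and a firewall rule can reference sstp-in-lsstp, which is not possible with the dynamic <sstp-lsstp> interface. The SSTP server itself is assumed to be enabled with a certificate already; the 10.200.0.x tunnel addresses, the 192.168.50.0/24 remote LAN, the VPN interface list and the placeholder password are assumptions.

```routeros
# Added example, not from the thread; addresses and the placeholder password are assumed.
# /interface sstp-server server is assumed to be enabled with a certificate already.
/ppp secret add name=lsstp password=ChangeMe service=sstp profile=default-encryption \
    local-address=10.200.0.1 remote-address=10.200.0.2
# static binding: the session for user lsstp appears as sstp-in-lsstp, not <sstp-lsstp>
/interface sstp-server add name=sstp-in-lsstp user=lsstp

# the interface name is now stable and can be used wherever a name is required
/ip route add dst-address=192.168.50.0/24 gateway=sstp-in-lsstp comment="LAN behind lsstp"
/interface list add name=VPN
/interface list member add list=VPN interface=sstp-in-lsstp
/ip firewall filter add chain=forward in-interface-list=VPN dst-address=192.168.10.0/24 \
    protocol=tcp dst-port=443 action=accept comment="only the web service is reachable"

# the binding takes effect on the next connection; an already established dynamic session
# for this user must be dropped so the client reconnects onto the bound interface
/ppp active remove [find name=lsstp]
```

The binding is per user, so each site that needs a static name gets its own secret and its own /interface sstp-server entry; the route and list membership then survive reconnects without any scripting.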
by tdw
Thu May 09, 2024 9:21 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1007

Re: daloRADIUS & mikrotik PPTP server

Is 192.168.0.1 the client remote address? It is safer to use 0.0.0.0 which indicates to use the tunnel regardless of address. An alternate method is to use Framed-IP-Address and Framed-IP-Netmask if the address is part of the routed subnet, in place of using Framed-IP-Address and Framed-Route.
by tdw
Thu May 09, 2024 4:26 am
Forum: RouterBOARD hardware
Topic: Ensuring Compatibility Between SFP+ and SFP28
Replies: 1
Views: 337

Re: Ensuring Compatibility Between SFP+ and SFP28

Info is in the help pages https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility#MikroTikwiredinterfacecompatibility-10GSFP+/25GSFP28 and https://help.mikrotik.com/docs/display/ROS/MikroTik+wired+interface+compatibility#MikroTikwiredinterfacecompatibility-SFP+interfacecomp...
by tdw
Wed May 08, 2024 11:08 pm
Forum: Beginner Basics
Topic: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]
Replies: 4
Views: 3943

Re: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]

In this case leaving all the interfaces set to autonegotiate should be fine. The highest speed of those advertised by both devices is chosen so the 2.5Gb advertisement from the CRS will be ignored. The example is using a bond in isolation, hence adding the IP address to it. When adding any ethernet-l...
by tdw
Wed May 08, 2024 7:48 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1007

Re: daloRADIUS & mikrotik PPTP server

I can't immediately recall if the Mikrotik rejects routes where the subnet bits are not zero, so for 192.168.0.1/24 it should really be 192.168.0.0/24
by tdw
Wed May 08, 2024 3:36 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1007

Re: daloRADIUS & mikrotik PPTP server

Per the wiki page for the Framed-Route attribute Format is specified in RFC 2865 (Ch. 5.22) so you should be sending 192.168.0.1/24 0.0.0.0 1
by tdw
Wed May 08, 2024 3:28 pm
Forum: Beginner Basics
Topic: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]
Replies: 4
Views: 3943

Re: LACP btw hEXs & CRS310-8G+2S+ [SOLVED]

Copper ethernet connections operating at a rate of 1Gb or above will not work without autonegotiation, fixed settings only work for 10Mb or 100Mb with half or full duplex.

If you require a specific rate you can use autonegotiation but only advertise that one rate.
by tdw
Tue May 07, 2024 9:44 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1007

Re: daloRADIUS & mikrotik PPTP server

They will appear as dynamic entries under /ip route with the name of the PPTP/L2TP connection as the gateway.
by tdw
Sun May 05, 2024 4:38 pm
Forum: Beginner Basics
Topic: ipipv6 DS-Lite setup help
Replies: 1
Views: 431

Re: ipipv6 DS-Lite setup help

by tdw
Sat May 04, 2024 9:38 pm
Forum: General
Topic: daloRADIUS & mikrotik PPTP server
Replies: 13
Views: 1007

Re: daloRADIUS & mikrotik PPTP server

I'm not sure that the supported RADIUS attributes https://wiki.mikrotik.com/wiki/Manual:R ... Attributes have made it to the new help pages.

And stop using PPTP, it has been known to be insecure for at least a decade.
by tdw
Sat May 04, 2024 8:56 pm
Forum: General
Topic: Multiple public IPs, different internal zones
Replies: 10
Views: 1629

Re: Multiple public IPs, different internal zones

No. The OP states the provider supplies five IPs with a /24 netmask, these should just be added to the WAN ethernet interface with a single default route to the provided gateway. All you need to know is same as routing on a NAT a /32 is higher precedence than a /24 No. You are conflating two things ...
by tdw
Tue Apr 30, 2024 9:05 pm
Forum: General
Topic: Load Balancing PPC (2WAN) not balancing well
Replies: 2
Views: 407

Re: Load Balancing PPC (2WAN) not balancing well

If you are not using the hotspot functionality the hotspot=auth should be removed from the PCC rules
by tdw
Tue Apr 30, 2024 7:54 pm
Forum: RouterBOARD hardware
Topic: Powering AX routers
Replies: 12
Views: 1430

Re: Powering AX routers

It is annoying that on new devices Mikrotik have picked voltage ranges which are not directly compatible with float-charged lead-acid batteries. Historically devices supported 8-30V so were quite happy running off nominal 12V (13.8V on charge down to ~10V cutoff) or 24V (27.6V on charge down to ~20V...
by tdw
Tue Apr 30, 2024 4:44 pm
Forum: Beginner Basics
Topic: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x
Replies: 6
Views: 625

Re: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x

You cannot, it requires a NAT64 translator.
by tdw
Sun Apr 28, 2024 1:48 am
Forum: General
Topic: No DHCP on Bridge VLAN interface.
Replies: 21
Views: 1314

Re: No DHCP on Bridge VLAN interface.

Also as mentioned in an earlier post if you have multiple VLAN IDs specified in a single entry: /interface bridge vlan add bridge=br0 tagged=ether1,br0 vlan-ids=X,Y,Z you should not use these VLANs untagged, i.e. by setting pvid=X or Y or Z under /interface bridge port or dynamically by CAPsMAN. In ...
by tdw
Tue Apr 23, 2024 10:34 pm
Forum: Wireless Networking
Topic: RB2011 + TP-LINK mesh
Replies: 4
Views: 520

Re: RB2011 + TP-LINK mesh

I do not get the chance to use our existing network cabling for this to work properly, right? I mean, I need to send a wire from each deco to the other directly and not connecting each one to the switch. If this latter option is possible, it would make the move easier. It depends if the switches y...
by tdw
Tue Apr 23, 2024 8:29 pm
Forum: General
Topic: dhcpv6-pd assign subnet to interface
Replies: 5
Views: 454

Re: dhcpv6-pd assign subnet to interface

No, having a subnet hint does not work. There are a number of grumbles about this in other forum posts.
by tdw
Tue Apr 23, 2024 8:25 pm
Forum: General
Topic: No DHCP on Bridge VLAN interface.
Replies: 21
Views: 1314

Re: No DHCP on Bridge VLAN interface.

You did enable ether1 in /interface bridge port? Yes, set the PVID for those ports under /interface bridge port and add any tagged membership under /interface bridge vlan , explicitly adding untagged membership is optional as it will be dynamically added from the PVID setting. Some people prefer to...
by tdw
Tue Apr 23, 2024 8:11 pm
Forum: Beginner Basics
Topic: Management VLAN issue [SOLVED]
Replies: 10
Views: 2660

Re: Management VLAN issue [SOLVED]

Do you get an address via DHCP on ether7? You have no DNS server specified in /ip dhcp-server network for that subnet which may cause issues. Can you ping the gateway addresses when connected via those ports having obtained or set an address? Most likely is the firewall filter rules don't allow acce...
by tdw
Tue Apr 23, 2024 3:57 am
Forum: Wireless Networking
Topic: RB2011 + TP-LINK mesh
Replies: 4
Views: 520

Re: RB2011 + TP-LINK mesh

Configure the TP-Link in Access Point mode, not the default WiFi Router mode, e.g. https://www.tp-link.com/uk/support/faq/1842/ . Where possible connect the Deco units with ethernet cables as meshing reduces capacity - each device has to receive each packet and then transmit onwards. I seem to recal...
by tdw
Tue Apr 23, 2024 3:15 am
Forum: Beginner Basics
Topic: Management VLAN issue [SOLVED]
Replies: 10
Views: 2660

Re: Management VLAN issue [SOLVED]

Unfortunately now I'm using vlan id=1 in my network and on some devices I have this hardcoded. That will not be fast and easy configure and switch the router :/ Using VLAN ID 1 is not incorrect, however you can easily get things wrong as a result unless you are familiar with exactly how manufactur...
by tdw
Tue Apr 23, 2024 2:49 am
Forum: General
Topic: No DHCP on Bridge VLAN interface.
Replies: 21
Views: 1314

Re: No DHCP on Bridge VLAN interface.

You haven't copied the /interface bridge vlan settings for VLAN ID 10 correctly - missing tagged=br0
by tdw
Mon Apr 22, 2024 3:14 am
Forum: Beginner Basics
Topic: Internet connection on CRS326 behind external router
Replies: 2
Views: 319

Re: Internet connection on CRS326 behind external router

To simplify broadcasts etc. every VLAN shall reside in a separate partition of the same /24 subnet. That will not work, and it is not specific to using a Mikrotik. Each VLAN is its own layer 2 broadcast domain so broadcasts will not pass between them. Having overlapping subnets would require specia...
by tdw
Wed Apr 17, 2024 2:55 am
Forum: SwOS
Topic: POE in problem Mikrotik CSS610 netPower Lite 7R Switch
Replies: 4
Views: 522

Re: POE in problem Mikrotik CSS610 netPower Lite 7R Switch

I discovered that the switch is only receiving PoE from one Ethernet port, despite the requirement for a minimum power input from three ports. Power is only taken from the input with the greatest voltage, each input should be capable of providing all the power necessary to operate the switch itself...
by tdw
Wed Apr 17, 2024 2:40 am
Forum: SwOS
Topic: POE in problem Mikrotik CSS610 netPower Lite 7R Switch
Replies: 4
Views: 522

Re: POE in problem Mikrotik CSS610 netPower Lite 7R Switch

You're referring to 2 different products:
CSS610
and
netPower Lite 7R
Just for info, the netPower Lite 7R is one of the CSS610 range - its full model name is CSS610-1Gi-7R-2S+OUT
by tdw
Fri Apr 05, 2024 12:22 am
Forum: Beginner Basics
Topic: Virtualized VLANs (for Proxmox) [SOLVED]
Replies: 7
Views: 2868

Re: Virtualized VLANs (for Proxmox) [SOLVED]

The configuration doesn't make sense - you have name=aBridge in /interface bridge but references to bridge=3TSBridge in /interface bridge vlan.
Also, do not set the bridge-to-CPU PVID in /interface bridge to have the same ID as an /interface vlan attached to the bridge.
by tdw
Mon Apr 01, 2024 2:54 pm
Forum: SwOS
Topic: No SwOS for CRS310-8G+2S+ ?
Replies: 9
Views: 4080

Re: No SwOS for CRS310-8G+2S+ ?

According to https://help.mikrotik.com/docs/display/ROS/CRS3xx%2C+CRS5xx%2C+CCR2116%2C+CCR2216+switch+chip+features#CRS3xx,CRS5xx,CCR2116,CCR2216switchchipfeatures-ConfiguringSwOSusingRouterOS using /system swos upgrade should upgrade the primary backup version of SwOS, and you then install the seco...
by tdw
Tue Mar 26, 2024 1:18 pm
Forum: Beginner Basics
Topic: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]
Replies: 32
Views: 3891

Re: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]

That doesn't agree with your diagram, it shows ether5 and ether6 connected between the CRS and RB3011
by tdw
Tue Mar 26, 2024 4:39 am
Forum: Beginner Basics
Topic: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]
Replies: 32
Views: 3891

Re: CRS3xx and vlans: access port doesn't see traffic unless it is removed from bridge [SOLVED]

It seems like once port is enabled in the bridge, only 802.2 (what the hell is it?) are seen on the interface. Why? Spanning tree, and the port will be ending up in the blocking state to prevent a network loop. STP & RSTP are not VLAN-aware, they allow or block all traffic be it untagged or tag...
by tdw
Sun Mar 17, 2024 12:03 am
Forum: General
Topic: Wires Only Leased Line Hardware Recommendation
Replies: 11
Views: 1301

Re: Wires Only Leased Line Hardware Recommendation

I am a novice with this but the ISP have provided me with the following. It doesn't really make sense, the LAN information is OK LAN First IP Address: 51.x.x.33 LAN Subnet Mask: 255.255.255.240 Customer IP Assignment: 51.x.x.32/28 so when presented as IP over ethernet connections .32 is the networ...
by tdw
Sat Mar 16, 2024 11:12 pm
Forum: General
Topic: Wires Only Leased Line Hardware Recommendation
Replies: 11
Views: 1301

Re: Wires Only Leased Line Hardware Recommendation

A 4011 or 5009 would be fine, ICUK use them or Ubiquiti EdgeRouters on their managed 1Gb EAD circuits. The ISP information seems incomplete - typically they would specify a /30 or /31 WAN connection, together with a routed subnet which you can present on the LAN side of your router as a conventional...
by tdw
Thu Mar 14, 2024 10:47 pm
Forum: General
Topic: VLAN setup device with AR8327 and WI-FI [SOLVED]
Replies: 2
Views: 973

Re: VLAN setup device with AR8327 and WI-FI [SOLVED]

You have to apply the tagging in the wireless interface with vlan-id=XXX and vlan-mode=use-tag - this is only possible in the old (6.x or 7.x up to and including 7.12) /interface wireless settings, it is a lost feature with the new /interface/wifi/ drivers
by tdw
Tue Feb 27, 2024 8:36 pm
Forum: General
Topic: IPv6 between bridges
Replies: 24
Views: 2189

Re: IPv6 between bridges

I think the problem is with Neighbour Solicitation, not sure if can forward it between bridges. When pinging ISP router from br_lan it sends NS but does not get a reply as multicast packet is not forwarded between br_wan and br_lan to host No it can't, see post #6. The ISP should be routing the /48...
by tdw
Sun Feb 25, 2024 8:34 pm
Forum: General
Topic: IPv6 between bridges
Replies: 24
Views: 2189

Re: IPv6 between bridges

They just forwarded to us /48 prefix.
Forwarded to what address? This is different to the interface on their gateway being given a /48 subnet mask.

A few ISPs seem clueless about this. I suggest reading https://www.ripe.net/publications/docs/ripe-690/, in particular section 4.1
by tdw
Sun Feb 25, 2024 8:29 pm
Forum: General
Topic: IPv6 between bridges
Replies: 24
Views: 2189

Re: IPv6 between bridges

For example br_wan - 2a02:a3XX:8::2/64 br_lan - 2a02:a3XX:8::3/64 Mikrotik in my opinion should be able to route between those GUA addresses as those are internally assigned and GUA must be routed, but it does not. No. This doesn't just apply to Mikrotik, addresses in the same subnet are only reach...
by tdw
Sun Feb 25, 2024 4:24 pm
Forum: General
Topic: IPv6 between bridges
Replies: 24
Views: 2189

Re: IPv6 between bridges

The br_wan address should be /64, and the ISP router should be configured to route the /48 to this address. The br_lan address should again be /64 and also a different subnet. It does not matter what I configure on br_wan and br_lan as IPv6 routing between br_lan and br_wan does not work Example as...
by tdw
Sun Feb 25, 2024 2:02 pm
Forum: General
Topic: IPv6 between bridges
Replies: 24
Views: 2189

Re: IPv6 between bridges

The br_wan address should be /64, and the ISP router should be configured to route the /48 to this address.
The br_lan address should again be /64 and also a different subnet.
by tdw
Sun Feb 25, 2024 2:57 am
Forum: General
Topic: IPv6 between bridges
Replies: 24
Views: 2189

Re: IPv6 between bridges

link local addresses, as the name suggests, are only valid within a layer2 broadcast domain. You say "From br_lan I can not reach br_wan via GUA if both bridges are configured with the GUA address" - you should assign different GUA addresses to each otherwise routing will not work. Typical...
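An added example (not from this thread, nor the original poster's configuration) of the layout recommended in the posts above: a /64 on br_wan that the ISP routes the whole /48 to, a different /64 from the same /48 on br_lan, and a minimal stateful filter so a routed prefix does not expose every LAN host. 2001:db8:8::/48 (the documentation prefix) stands in for the delegated /48 and the ISP gateway address is assumed.

```routeros
# Added example, not from the thread. 2001:db8:8::/48 stands in for the delegated /48;
# bridge names are those used in the thread, the ISP gateway address is assumed.
# br_wan: one /64 of the /48 toward the ISP, which routes the whole /48 to 2001:db8:8::2
/ipv6 address add address=2001:db8:8::2/64 interface=br_wan advertise=no
/ipv6 route add dst-address=::/0 gateway=2001:db8:8::1

# br_lan: a different /64 from the same /48, advertised so hosts autoconfigure.
# Giving br_lan 2001:db8:8::3/64 instead can never work: Neighbour Solicitation is
# link-scoped multicast that is not forwarded between bridges, so each side would solicit
# the other on a segment it is not attached to and nothing would be routed.
/ipv6 address add address=2001:db8:8:1::1/64 interface=br_lan advertise=yes

# minimal stateful filter for the routed prefix
/ipv6 firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward protocol=icmpv6 action=accept comment="NDP and PMTUD need this"
add chain=forward in-interface=br_wan connection-state=new action=drop
add chain=input connection-state=established,related action=accept
add chain=input protocol=icmpv6 action=accept
add chain=input in-interface=br_wan action=drop
```

Test from a LAN host with a GUA from 2001:db8:8:1::/64: it should reach the ISP side via the router, and /ipv6 neighbor print on the router should show the ISP gateway on br_wan and the host on br_lan, each on its own interface.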
by tdw
Sat Feb 17, 2024 3:57 pm
Forum: General
Topic: Transport layer 2 over Internet?
Replies: 4
Views: 551

Re: Transport layer 2 over Internet?

There is a layer 2 bridging option for any PPP-based protocols (e.g. L2TP, SSTP) using BCP, although it doesn't work fully with vlan-aware bridges, or OpenVPN using TAP.

With RouterOS v7 there is also VXLAN and L2TPv3 but the documentation and examples are rather sparse.
by tdw
Tue Feb 13, 2024 12:06 am
Forum: Beginner Basics
Topic: Subnet Public IP's issue
Replies: 3
Views: 531

Re: Subnet Public IP's issue

Mikrotik do not support RFC3021 /31 addressing, use /32 for the local and gateway addresses: /ip address add address=88.xx.xx.15 interface=vlan835 network=88.xx.xx.14 If the subnet public IP is routed to you then adding those addresses to the WAN interface is incorrect. The conventional use case wo...
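An added example (not from these threads) contrasting the two cases distinguished above and in the earlier "Two public addresses from one provider" and CHR ARP source-address posts: a point-to-point WAN written as a /32 with network= set to the gateway, extra addresses the ISP presents on the WAN segment simply added to that interface, and a subnet routed to the WAN address held on a loopback bridge with pref-src so router-originated traffic uses it. RFC 5737 documentation addresses stand in for the real ones and the interface names are assumptions.

```routeros
# Added example, not from the threads; addresses are documentation ranges, interface names assumed.
# WAN link as a /32 pair: our side 203.0.113.15, gateway 203.0.113.14 (no /31 support)
/ip address add address=203.0.113.15 network=203.0.113.14 interface=ether1 comment="WAN p2p"
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.14

# Case 1: the ISP presents additional addresses on the same segment (a /29 on ether1).
# Add them to the WAN interface; a loopback would not answer ARP for them there.
/ip address add address=198.51.100.202/29 interface=ether1
/ip address add address=198.51.100.203/29 interface=ether1

# Case 2 (instead of case 1): the ISP routes 192.0.2.0/24 to 203.0.113.15. Do not attach it
# to ether1. Keep one address on a loopback bridge for the router itself and put the rest
# on the LAN for hosts; nothing ARPs for a routed prefix on the WAN side.
/interface bridge add name=local protocol-mode=none
/ip address add address=192.0.2.1/32 interface=local
/ip address add address=192.0.2.17/28 interface=bridge-lan
# pref-src makes traffic the router originates (DNS, NTP, VPN, ARP source selection on a
# CHR) leave from the loopback address rather than the WAN /32
/ip route set [find dst-address=0.0.0.0/0 static] pref-src=192.0.2.1
```

The two cases are alternatives: an address that the ISP routes to you must not also be configured on the WAN interface, and an address the ISP expects to reach by ARP on the WAN segment cannot live on a loopback.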
by tdw
Mon Feb 12, 2024 8:23 pm
Forum: General
Topic: UPnP is not working?
Replies: 14
Views: 1089

Re: UPnP is not working?

The SIM provider unfortunately does not give me public IP, so I'm under cgnat. Cgnat renders UPnP useless ? I know that port forwarding and DDNS are not working Yes. UPnP merely automates port forwarding on your router, it doesn't cascade the forwarding rules/requirements to the providers CGNAT inf...
by tdw
Mon Feb 12, 2024 6:46 pm
Forum: General
Topic: UPnP is not working?
Replies: 14
Views: 1089

Re: UPnP is not working?

Not directly related, but does your SIM provide an unfiltered public IP as most either block inbound traffic or use CGNAT which renders UPnP useless. Setting up port forwarding either manually or with UPnP is only required on older Hikvision devices, more recent ones can be configured to establish a...
by tdw
Tue Feb 06, 2024 11:20 pm
Forum: General
Topic: best RouterOS version for old CCR
Replies: 3
Views: 677

Re: best RouterOS version for old CCR

IIRC v7 will always be slower due to kernel changes between v6 and v7, e.g. no more route cache.
by tdw
Fri Feb 02, 2024 2:08 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 1173

Re: How do you specify the location in ROS 7? [SOLVED]

It appears that way, although it is a limiting factor if you want to use an indoor device in a weatherproof enclosure outdoors, or the L11UG-5HaxD which could be used in either situation.
by tdw
Fri Feb 02, 2024 1:21 pm
Forum: Wireless Networking
Topic: How do you specify the location in ROS 7? [SOLVED]
Replies: 11
Views: 1173

Re: How do you specify the location in ROS 7? [SOLVED]

It appears not to be included in the new wifi package, see viewtopic.php?p=1052150
by tdw
Fri Feb 02, 2024 1:15 pm
Forum: Wireless Networking
Topic: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]
Replies: 19
Views: 1562

Re: Unable to use 5580/Ceee on hAP ax2 but can on hAP ac lite [SOLVED]

Likely skip DFS channels with 10min CAC is incompatible with the channel selection as 5580/Ceee uses 5570-5650.

If the same settings work on a hAP that could be a bug where it is not excluding the extension channels which overlap with 5600-5650.
by tdw
Mon Jan 29, 2024 5:12 pm
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 808

Re: currently-untagged contradicts untagged [SOLVED]

Actually, I have frame-types=admit-only-vlan-tagged set too, on the bridge.
That is only applicable to the implicit bridge-to-CPU port. Each port added under /interface bridge port has its own frame-types= setting.
by tdw
Wed Jan 24, 2024 5:44 pm
Forum: General
Topic: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2
Replies: 4
Views: 739

Re: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2

Mikrotik have likely added the warning as it is a common misconfiguration. RouterOS does not restrict many configuration settings which could be questionable or not sensible, making it much more flexible than offerings from other vendors.
by tdw
Wed Jan 24, 2024 5:10 pm
Forum: Beginner Basics
Topic: ISP subnet distribution [SOLVED]
Replies: 5
Views: 1241

Re: ISP subnet distribution [SOLVED]

You can either use switch ACL rules, remembering to also permit broadcast IP addresses in addition to each client's unicast IP address, or disable hardware offload and use /ip firewall filter rules after applying /interface bridge settings use-ip-firewall=yes. The CPU performance is likely to limit thr...
by tdw
Wed Jan 24, 2024 3:15 pm
Forum: General
Topic: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2
Replies: 4
Views: 739

Re: Warning message "<network> not a bridge port" after upgrade to RouterOS 13.2

Any tagged= or untagged= entries under /interface bridge vlan should only be ports listed under /interface bridge port or bridge names (for the bridge-to-CPU port). You are also mixing tagged and untagged traffic for VLAN 20 on the bridge by having both an /interface vlan with vlan-id=20 attached to ...
by tdw
Wed Jan 24, 2024 2:47 pm
Forum: General
Topic: OpenLDAP login with RADIUS [SOLVED]
Replies: 2
Views: 835

Re: OpenLDAP login with RADIUS [SOLVED]

MSCHAP will definitely work against plaintext credentials; if your setup does not, it is most likely a FreeRADIUS configuration error - run it with debugging enabled and look at the logs. Depending on how your password changing is implemented you should be able to incorporate something which will sto...
by tdw
Sat Jan 20, 2024 7:31 pm
Forum: RouterBOARD hardware
Topic: hAP ax Lite USB power
Replies: 9
Views: 2933

Re: hAP ax Lite USB power

It is a design fault, and easy enough to make when you are not familiar with all of the complexities of USB-C. The original Raspberry Pi 4 had a similar problem, although that was caused by the two CC pins being wired together to a single resistor as described in this in-depth article https://ha...
by tdw
Tue Jan 16, 2024 9:12 pm
Forum: General
Topic: how to block bridged packet routed through firewall
Replies: 8
Views: 2180

Re: how to block bridged packet routed through firewall

I probably haven't used bridge filters with mac-protocol qualifiers since before VLAN-aware bridges were introduced. It appears that with vlan-filtering=yes on a bridge much of the bridge filtering options become unusable, all I can suggest is opening a support case with Mikrotik regarding not being...
by tdw
Sun Jan 14, 2024 6:11 pm
Forum: Beginner Basics
Topic: Unable to access the router via L2TP
Replies: 5
Views: 1115

Re: Unable to access the router via L2TP

An easy mistake to make is thinking the RJ45 on a PC/laptop is an IP connection. It isn't, layer 3 IP packets are encapsulated in layer 2 ethernet frames sent with layer 1 signalling/coding, e.g. 10BASE-T/100BASE-TX/1000BASE-T. The IP addressing is straightforward - if the destination IP address is w...
by tdw
Sat Jan 13, 2024 9:44 pm
Forum: General
Topic: IP and route configuration for /28
Replies: 12
Views: 1548

Re: IP and route configuration for /28

The standard way to set this up would be to assign 180.2.220.50/28 to your WAN bridge with a default route to 180.2.220.49. The servers would be assigned addresses of 180.2.220.51/28 (likewise .52, .53, etc. for additional servers) again with a default route to 180.2.220.49. If you wish to firewall ...
by tdw
Sat Jan 13, 2024 9:20 pm
Forum: Beginner Basics
Topic: Unable to access the router via L2TP
Replies: 5
Views: 1115

Re: Unable to access the router via L2TP

I don't really understand why? default gateway IP 192.168.1.1, remote IP when connected via VPN 192.168.1.2. It's /24 network so I am on the same subset. Using the same subnet for L2TP connections as the LAN does not make the connection part of the same network. You could either: use an L2TP serve...
by tdw
Sat Jan 13, 2024 9:07 pm
Forum: Beginner Basics
Topic: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]
Replies: 10
Views: 1928

Re: Why do the docs not mention adding "bridge" as its own tagged interface when doing a VLAN trunk? [SOLVED]

No. You only need to add the bridge as a tagged member for traffic which interacts with services provided by the CPU, e.g. a router-on-a-stick setup with multiple VLANs. See viewtopic.php?t=173692 for more information.
by tdw
Sat Jan 13, 2024 7:27 pm
Forum: RouterBOARD hardware
Topic: REQUEST: Support i2c SFP/SFP+ Secuential SingleByte Reads to obtain transceiver details from EEPROM
Replies: 36
Views: 21887

Re: REQUEST: Support i2c SFP/SFP+ Secuential SingleByte Reads to obtain transceiver details from EEPROM

This fixes being able to read any data from SFPs which do not correctly handle multi-byte I2C read requests. The actual data, and location thereof, is specified by https://members.snia.org/document/dl/25916 - some is mandatory, some is optional and some is vendor-specific. Mikrotik decode ...
by tdw
Fri Jan 12, 2024 11:06 pm
Forum: General
Topic: IPv6 configuration /64
Replies: 26
Views: 3895

Re: IPv6 configuration /64

Any devices using SLAAC to acquire an IPv6 address require the subnet to be /64, you can't arbitrarily use a different size just because you don't have a suitable block of addresses. It is possible to use smaller subnets if the hosts are assigned static addresses, or acquire addresses from a suitabl...
by tdw
Thu Jan 11, 2024 6:20 pm
Forum: Beginner Basics
Topic: Forward traffic from 1 DHCP client interface to another IP [SOLVED]
Replies: 12
Views: 1578

Re: Forward traffic from 1 DHCP client interface to another IP [SOLVED]

You appear to be using the hEX to connect two networks each of which has existing gateways. Whilst the dst-nat rule will forward any TCP port 80 packets arriving on ether5 to 10.100.10.210, those packets will still have a 192.168.178.x source address, and as 10.100.10.210 knows nothing of...
by tdw
Tue Jan 09, 2024 2:07 am
Forum: General
Topic: how to block bridged packet routed through firewall
Replies: 8
Views: 2180

Re: how to block bridged packet routed through firewall

IIRC you will have to both identify and drop packets in the bridge. Using the IP firewall to identify them would be too late in the packet flow as the packet will have left the bridge by that point. The minimal case to drop any DHCP requests via a bridge port would be /interface bridge filter add ac...
by tdw
Sun Jan 07, 2024 11:20 pm
Forum: General
Topic: video station - change poster, and IMDB information
Replies: 1
Views: 1014

Re: video station - change poster, and IMDB information

Why are you posting this in Mikrotik forums? As Video Station is a QNAP application their forums would be a good starting point.
by tdw
Sun Jan 07, 2024 3:24 am
Forum: General
Topic: how to block bridged packet routed through firewall
Replies: 8
Views: 2180

Re: how to block bridged packet routed through firewall

DHCP servers use raw sockets, not regular UDP sockets as you may expect. So whilst the DHCP packets traverse /ip firewall they are actually processed before the packets can be dropped, and from previous threads I don't believe it is possible in /ip firewall raw either, you would have to use /bridge ...
by tdw
Sun Jan 07, 2024 3:09 am
Forum: General
Topic: No traffic between VLANs regardless of firewall
Replies: 7
Views: 1541

Re: No traffic between VLANs regardless of firewall

Which OS are the PCs running? Windows, for example, by default blocks ICMP from outside the directly connected LAN subnet.

Using bridge-to-CPU interface as hybrid instead of all tagged is not an error, some people just do not like the cosmetics.
by tdw
Sat Dec 23, 2023 6:40 pm
Forum: General
Topic: Installing linux packet on MikroTik Router
Replies: 6
Views: 1172

Re: Installing linux packet on MikroTik Router

No. Only packages signed by Mikrotik can be installed directly on the device. Only Mikrotik know what their plans for future functionality are. If you have a model capable of supporting containers you can add functionality that way.
by tdw
Thu Dec 21, 2023 2:50 am
Forum: Beginner Basics
Topic: Routing does not work
Replies: 1
Views: 622

Re: Routing does not work

A list of commands applied to a device plus prints of a random selection of settings is not representative of the actual configuration on the device. The usual recommendation is to post the output of an /export after redacting any sensitive information (serial number, public IPs, credentials in scri...
by tdw
Thu Dec 14, 2023 5:47 am
Forum: General
Topic: 3 different UPS devices
Replies: 3
Views: 1425

Re: 3 different UPS devices

Having built an interface which allows the Mikrotik UPS package to monitor the likes of Meanwell and PULS PSU with battery charging I've looked into the communications in depth. For the USB HID power device class there are both standard and vendor-specific reports, for the serial APC smart protocol ...
by tdw
Tue Dec 12, 2023 3:14 am
Forum: General
Topic: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]
Replies: 5
Views: 2188

Re: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]

Having the www-ssl service running, or not, on the Mikrotik itself has nothing to do with running an HTTPS webserver elsewhere.
by tdw
Tue Dec 12, 2023 1:36 am
Forum: General
Topic: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]
Replies: 5
Views: 2188

Re: Couldn't change the SSTP server can't bind, check if the port is not used by other services! [SOLVED]

As the error message suggested, port 443 is in use:
/ip service
set www-ssl disabled=no
by tdw
Mon Dec 11, 2023 4:48 pm
Forum: Beginner Basics
Topic: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]
Replies: 8
Views: 3497

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]

My WAN was PPPoE, but configured to use baby jumbo frames giving an MTU of 1500, so I used the defaults of mtu=auto and clamp-tcp-mss=yes on the 6to4 interface. The minimum MTU for IPv6 is 1280, normally you should set your MTU correctly and let path MTU discovery do its thing. IPv6 fragmentation is...
by tdw
Sun Dec 10, 2023 5:01 pm
Forum: Beginner Basics
Topic: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]
Replies: 8
Views: 3497

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]

blackhole would be acceptable - any traffic to unallocated subnets would just be dropped. Otherwise adapting the IPv4 workaround as discussed in a related thread viewtopic.php?p=853939#p853939 would be needed to return unreachable.
by tdw
Sat Dec 09, 2023 3:19 pm
Forum: Beginner Basics
Topic: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]
Replies: 8
Views: 3497

Re: correct Hurricane/Tunnelbroker /48 IPv6 configuration for /64 delegation [SOLVED]

And remember to add unreachable or blackhole routes to any routed subnets so packets to any unused portions don't bounce back and forth between you and HE until the TTL expires. From a previous setup before getting native IPv6: /ipv6 route add distance=1 dst-address=2000::/3 gateway=2001:470:xxxC:xx...
by tdw
Wed Dec 06, 2023 11:49 pm
Forum: General
Topic: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.
Replies: 11
Views: 1938

Re: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.

A Mikrotik bridge has two roles, see viewtopic.php?t=173692

For translating between Cisco and Mikrotik switch port terminology this may be useful viewtopic.php?p=920720#p920720
by tdw
Wed Dec 06, 2023 10:05 pm
Forum: General
Topic: Dot1x PEAP rejected: no key for certificate found
Replies: 6
Views: 2801

Re: Dot1x PEAP rejected: no key for certificate found

Might as well continue here for now. If not set the outer identity should use the inner identity, but it may be worth trying setting it explicitly. It isn't clear from the documentation if the dot1x client will refuse to authenticate if no CA has been imported. You should be able to add additional l...
by tdw
Wed Dec 06, 2023 9:53 pm
Forum: General
Topic: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.
Replies: 11
Views: 1938

Re: Cannot reach switchs "managment IP" from other vlan, but can reach all clients.

Also you have configured the bridge-to-CPU interface to be both tagged and untagged, and there is a mismatch between the bridge ports' pvid= and bridge vlan untagged= settings - if you remove all of the untagged= entries these will be created dynamically from the pvid= settings. Depending on how othe...
by tdw
Wed Dec 06, 2023 9:24 pm
Forum: Beginner Basics
Topic: IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]
Replies: 8
Views: 3527

Re: IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]

There is no possibility for communicating classless routes to IPv6 clients. (Apart from the usual default route, of course) That may be the case for DHCPv6, but that does not acquire the default route in any case. The default route is acquired from RA messages with non-zero RA lifetimes, other rou...
by tdw
Wed Dec 06, 2023 9:21 pm
Forum: Beginner Basics
Topic: IPv6 issues: v6 only for a few address blocks, v4 otherwise [SOLVED]
Replies: 8
Views: 3527

Re: IPv6 issues: Want to advertise three v6 pfx w/ SLAAC [SOLVED]

I am still not sure how to convince the routing tables on laptops etc. to only route to those three ipv6 address blocks and prefer-v4 otherwise. Perhaps I need to just live with the default route and use firewall to achieve what I want? Maybe I send back an ICMP unreachable for all but the blocks I...
by tdw
Wed Dec 06, 2023 3:35 pm
Forum: General
Topic: Having issues with DHCP client over trunk [SOLVED]
Replies: 6
Views: 2571

Re: Having issues with DHCP client over trunk [SOLVED]

Yes. VLAN5 & VLAN10 are transporting the two internet connections to the router. Attaching VLAN interfaces with those IDs to the router P5 provides your 'WAN' interfaces.
by tdw
Tue Dec 05, 2023 11:30 pm
Forum: General
Topic: RouterOS7 - Most correct VLAN setup
Replies: 5
Views: 2606

Re: RouterOS7 - Most correct VLAN setup

As the hEX PoE uses the QCA8337 switch chip, which does not support hardware-offloaded vlan-aware bridges, use a single bridge and configure the switch chip to handle the VLAN filtering, see the examples https://help.mikrotik.com/docs/display/ ... upExamples
by tdw
Mon Dec 04, 2023 3:05 am
Forum: General
Topic: Force ipv4 to use for some sites if it have ipv4 and ipv6 address (ipv6 sit tunnelbroker)
Replies: 4
Views: 1461

Re: Force ipv4 to use for some sites if it have ipv4 and ipv6 address (ipv6 sit tunnelbroker)

If client devices resolve both IPv4 and IPv6 addresses for a target site they will use IPv6 in preference to IPv4 to connect. AFAIK Android and iOS implement 'Happy Eyeballs' for fast fallback to IPv4, and some PC programs do but I don't believe Windows itself does. Static IPv6 NXDOMAIN DNS entries ...
by tdw
Fri Dec 01, 2023 8:32 pm
Forum: General
Topic: Dot1x PEAP rejected: no key for certificate found
Replies: 6
Views: 2801

Re: Dot1x PEAP rejected: no key for certificate found

As it is only peripherally related you should really start a new topic rather than resurrecting a years-old one. Your site may require a realm in the outer / anonymous identity to direct the request to the appropriate servers (e.g. local or a national proxy). A CA certificate is not required but wit...
by tdw
Thu Nov 30, 2023 4:49 pm
Forum: Beginner Basics
Topic: CRS106-1C-5S: Vlan is forwarded, but no VLAN is configured
Replies: 9
Views: 1619

Re: CRS106-1C-5S: Vlan is forwarded, but no VLAN is configured

The CRS1xx/2xx VLAN handling is very different to all the other models as the UI exposes much of the inner switch workings. The bridge should be set to vlan-filtering=no, any ingress-filtering=, frame-types= and pvid= settings on the bridge and bridge ports should be left at their default values. T...
by tdw
Mon Nov 27, 2023 7:03 pm
Forum: Beginner Basics
Topic: Broadcast packets process [SOLVED]
Replies: 6
Views: 2668

Re: Broadcast packets process [SOLVED]

How can you connect three devices to a single ethernet cable? I would expect each device to be connected to a switch port, in which case you can use port isolation or bridge horizon to prevent packets from one of these devices being sent on the links to the others. Some vendors have 'ip helpers' whi...
by tdw
Sun Nov 26, 2023 6:22 pm
Forum: General
Topic: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]
Replies: 6
Views: 1557

Re: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]

As the PADI/PADO/PADR/PADS handshake completes successfully the PPPoE session should work, but there is no response to the LCP negotiation. I would suggest connecting the modem directly to a PC/Mac and configuring a PPPoE client on that to verify a connection can be established, if that also fails t...
by tdw
Sun Nov 26, 2023 1:56 pm
Forum: Beginner Basics
Topic: Help on RM3011UiAS's DHCP Servers
Replies: 2
Views: 1004

Re: Help on RM3011UiAS's DHCP Servers

Given the volume of outdated or incorrect configuration settings which may be found searching the internet GPT4 isn't going to be very good. Your VLAN interfaces have not been assigned IP addresses. Remove the relay= settings for the DHCP servers, this is to forward requests to a server elsewhere. Y...
by tdw
Sun Nov 26, 2023 1:36 pm
Forum: General
Topic: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]
Replies: 6
Views: 1557

Re: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]

Yes, only any specific settings for management. Here the factory defaults are bridge mode so the modem will establish a DSL connection and allow PPPoE or DHCP connections from the Mikrotik (or other router) to be established (most of our ISPs use PPPoE but some use DHCP). The firmware for other count...
by tdw
Sat Nov 25, 2023 9:36 pm
Forum: General
Topic: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]
Replies: 6
Views: 1557

Re: Vigor 130 with newer firmware and Mikrotik. Anyone got PPPoe Working? [SOLVED]

For the UK (modem 4 or modem 8) there was an issue going from 3.7.x to 3.8.x with the introduction of QinQ support which had the symptoms you describe. Resetting to factory defaults and reconfiguring any settings required, e.g. LAN IP address for management access, resolved the problem. There are v...
by tdw
Fri Nov 24, 2023 9:24 pm
Forum: General
Topic: Issues with Ethernet MTU Size in EoIPv6
Replies: 3
Views: 1064

Re: Issues with Ethernet MTU Size in EoIPv6

Screenshots don't particularly help, an /export of the configuration with any sensitive data redacted (serial number, public IP addresses, etc.) shows exactly what you have. There is bound to be fragmentation over a conventional WAN, so it is a case of finding potentially a combination of tunneling t...
by tdw
Fri Nov 24, 2023 6:15 pm
Forum: General
Topic: Issues with Ethernet MTU Size in EoIPv6
Replies: 3
Views: 1064

Re: Issues with Ethernet MTU Size in EoIPv6

The tunnel MTU should be set to 1500 to allow the transport of full-sized Ethernet frames over the tunnel. As the tunnel overheads [40 (IPv6) + 8 (GRE) + 14 (ethernet) + some amount for IPsec (depends on settings)] will result in a total packet size greater than your WAN MTU it will be fragmented. IPv6...
by tdw
Fri Nov 24, 2023 5:29 pm
Forum: Beginner Basics
Topic: 2 Vlans, a firewall, and a PITA DNS.
Replies: 3
Views: 1238

Re: 2 Vlans, a firewall, and a PITA DNS.

What you have attempted is the pre-VLAN-aware bridge method which has a number of caveats, see https://help.mikrotik.com/docs/display/ ... figuration
by tdw
Wed Nov 22, 2023 10:24 pm
Forum: SwOS
Topic: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes
Replies: 7
Views: 3165

Re: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes

Switches do not work in that manner. When a packet is destined for a unicast MAC address which does not exist in the forwarding database the packet is transmitted out of all the other switch ports, if the destination MAC address does exist in the database the packet is only transmitted out of the port ...
by tdw
Wed Nov 22, 2023 6:19 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 3364

Re: Bridge PVID [SOLVED]

Purists argue that on trunks all VLANs should be tagged, so you would set frame-types=admit-only-vlan-tagged ingress-filtering=yes - the pvid= setting can be anything as it is ignored. Others prefer hybrid trunks where one VLAN is untagged, often for management and with limited access to other devic...
by tdw
Wed Nov 22, 2023 5:00 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 3364

Re: Bridge PVID [SOLVED]

Having the same VLAN tagged and untagged on ports (either a physical ethernet or the intrinsic bridge-to-CPU ones) often breaks communications as packets end up being tagged in one direction but not the other, so you are using a side-effect of this misconfiguration to limit access. The correct way ...
by tdw
Wed Nov 22, 2023 3:37 pm
Forum: Beginner Basics
Topic: mikrotik to mikrotik vpn l2tp ipsec problem [SOLVED]
Replies: 2
Views: 1764

Re: mikrotik to mikrotik vpn l2tp ipsec problem [SOLVED]

A common cause of web pages failing to load in this type of setup is inappropriate tunnel MTU settings. If the tunnel MTU + encapsulation & encryption overheads > WAN MTU the resulting packet is split up and sent as fragmented IP packets, these can be dropped or misordered in transit. The default...
by tdw
Wed Nov 22, 2023 1:48 am
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 3364

Re: Bridge PVID [SOLVED]

Some of the /interface bridge settings relate to the intrinsic bridge-to-CPU port rather than the bridge itself, see viewtopic.php?t=173692
by tdw
Mon Nov 20, 2023 6:53 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4879

Re: IPv6 DS Lite

Pages not loading or taking a long time to load does suggest MTU / fragment handling / PMTU discovery issues. The default clamp-tcp-mss=yes on the tunnel interface should fix this, which does suggest an issue with their gateway. You could try setting dont-fragment=yes which would drop packets where ...
by tdw
Mon Nov 20, 2023 6:21 pm
Forum: Beginner Basics
Topic: ipv6 setup
Replies: 4
Views: 1274

Re: ipv6 setup

You can not guess what it should be, the ISP should provide it as they will be routing the block of subnets to it. Their terminology is rather vague too - 'IPv6 address' does hint at being the WAN address but would typically be /64, not /56, and 'routing prefix' hints at the routed subnet but would...
by tdw
Mon Nov 20, 2023 4:01 pm
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 9
Views: 1664

Re: Hetzner Subnet on Mikrotik CHR

Proxy-ARP is not required, you can set it back to the default.
by tdw
Mon Nov 20, 2023 3:56 pm
Forum: General
Topic: Using different external DNS-Server for different LANs
Replies: 2
Views: 1065

Re: Using different external DNS-Server for different LANs

Mikrotik only implement a single DNS server so you are limited to the clients using that or external ones. In your case if the WAN1 peer DNS addresses are static and the VoIP hosts to be resolved can be matched with regexp or match-subdomain you could use the WAN2 DNS servers by default with forward...
by tdw
Mon Nov 20, 2023 5:42 am
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 9
Views: 1664

Re: Hetzner Subnet on Mikrotik CHR

If you configure a router VM as they suggest the CHR should have two ethernet interfaces, then it is a case of translating https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#subnets iface eth0 inet dhcp would be /ip dhcp-client add add-default-route=yes disabled=no interface=...
by tdw
Mon Nov 20, 2023 2:27 am
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 9
Views: 1664

Re: Hetzner Subnet on Mikrotik CHR

Have you read https://docs.hetzner.com/robot/dedicated-server/ip/additional-ip-adresses/#subnets The additional subnet is routed to you. The traditional method would be to assign one of the addresses to a 'LAN' subnet on the CHR to which the VMs are attached, and assign them other addresses from the...
by tdw
Sun Nov 19, 2023 11:59 pm
Forum: SwOS
Topic: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes
Replies: 7
Views: 3165

Re: CSS610-8P-2S+ randomly stops forwarding for exactly five minutes

Five minutes suggests an issue with switch FDB entries ageing out. Do you have any duplicate MAC addresses on different VLANs? SwOS lite does not support IVL which would be required if that is the case.
by tdw
Sun Nov 19, 2023 11:49 pm
Forum: Beginner Basics
Topic: ipv6 setup
Replies: 4
Views: 1274

Re: ipv6 setup

If the addresses are static they should provide a WAN /64 with both their end (the gateway) and your end addresses - the latter should be the target of the routed /56 addresses. If they are mistakenly just presenting a /56 on the WAN that will not work as it requires ND proxy as a hack which Mikroti...
by tdw
Sun Nov 19, 2023 8:46 pm
Forum: General
Topic: Killing my head with L2TP server configuration !
Replies: 2
Views: 2223

Re: Killing my head with L1TP server configuration !

Use the correct terms in the title & description - there is no such thing as L1TP. As you are using a different IP range for VPN clients vs. LAN devices proxy ARP is not required. It is best practice to create a new PPP profile as any changes to the default ones may have unintended side-effects ...
by tdw
Sat Nov 18, 2023 5:18 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1475

Re: Problem with VLAN Setup

Three DHCP servers/networks/pools looks fine - the switch management address is static, if there will be other devices on the management VLAN and they are set up in a similar fashion a DHCP server is not required.
by tdw
Sat Nov 18, 2023 1:26 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1475

Re: Problem with VLAN Setup

CRS326 -> Port 24 is connected to RB5009 (Port 2) This port is missing from the bridge VLAN settings: /interface bridge vlan add bridge=bridge tagged= ether24, sfp-sfpplus1,sfp-sfpplus2 vlan-ids=10 add bridge=bridge tagged= ether24, sfp-sfpplus1,sfp-sfpplus2 vlan-ids=20 add bridge=bridge tagged= et...
by tdw
Fri Nov 17, 2023 11:37 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1475

Re: Problem with VLAN Setup

For the OP - provide the /export of the devices, not the commands you applied to the devices, as there may have been errors whilst importing them.
by tdw
Fri Nov 17, 2023 2:03 am
Forum: Beginner Basics
Topic: RSTP not working with Switch-VLANs
Replies: 8
Views: 2129

Re: RSTP not working with Switch-VLANs

I'd suggest a new thread with an appropriate title to attract people with CAPsMAN experience. There is also https://help.mikrotik.com/docs/display/ ... with+VLANs if you haven't found it already.
by tdw
Wed Nov 15, 2023 9:39 pm
Forum: Beginner Basics
Topic: RSTP not working with Switch-VLANs
Replies: 8
Views: 2129

Re: RSTP not working with Switch-VLANs

Nothing obvious, other than the Qualcomm/Atheros gigabit switch chips ignore the vlan-header property and use the default-vlan-id property to determine which ports are access ports. From the documentation the vlan-header should always be set to leave-as-is for these chips. The other possibility is t...
by tdw
Wed Nov 15, 2023 3:51 pm
Forum: Beginner Basics
Topic: PPoE Dynamic and Static IPs
Replies: 3
Views: 1011

Re: PPoE Dynamic and Static IPs

You do have to configure the additional addresses on a loopback interface if you wish the Mikrotik to respond to ICMP requests, as you say source and destination NAT will work fine without this.
by tdw
Wed Nov 15, 2023 2:30 am
Forum: Beginner Basics
Topic: RSTP not working with Switch-VLANs
Replies: 8
Views: 2129

Re: RSTP not working with Switch-VLANs

Can the firewall somehow block RSTP with an Input-rule? No. I see RSTP disabled under service ports by default, but I think this is only used when going thru NAT. That is RTSP not RSTP. I created both private and guest VLANs on the bridge interface. All Ports (except WAN-Port), WLAN interfaces and d...
by tdw
Sun Nov 12, 2023 6:59 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4879

Re: IPv6 DS Lite

Difficult to say - you can check CPU utilisation on your device, but it is often not possible to check what the ISP is doing. Most likely is fragmented packets - the default MTU for Mikrotik ipipv6 tunnels appears to be 1460 (i.e. 1500 - size of an IPv6 header), if your IPv6 WAN is less than 1500 th...
by tdw
Fri Nov 10, 2023 10:24 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4879

Re: IPv6 DS Lite

Glad you have got it working. As the AFTR server name appears to be unchanging for the ISP you also do not have to bother with parsing the DHCPv6 option 64 reply and updating the ipipv6 remote address. For info - whilst the tunnel IPv4 address is arbitrary IANA reserved the 192.0.0.0/29 range to pre...
by tdw
Fri Nov 10, 2023 7:26 pm
Forum: General
Topic: /31 subnet
Replies: 8
Views: 1783

Re: /31 subnet

Can you ping the ISP gateway from the Mikrotik itself, and if so traceroute any further?

Lack of internet access from your LAN could be missing/incorrect NAT rules.
by tdw
Fri Nov 10, 2023 5:27 pm
Forum: General
Topic: /31 subnet
Replies: 8
Views: 1783

Re: /31 subnet

You need a default route too:

/ip route add gateway=193.56.1.222
by tdw
Fri Nov 10, 2023 4:48 pm
Forum: General
Topic: /31 subnet
Replies: 8
Views: 1783

Re: /31 subnet

Mikrotiks don't use the obvious syntax for supporting /31 addresses, instead you configure a /32 address but specify the other end as the network parameter:

/ip address add address=193.56.1.223 network=193.56.1.222 interface=<your WAN interface>
by tdw
Fri Nov 10, 2023 4:27 pm
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4879

Re: IPv6 DS Lite

You could try !keepalive on the tunnel interface as the remote end may not respond to probes, or it could be firewall rules blocking the traffic.
by tdw
Fri Nov 10, 2023 2:41 am
Forum: General
Topic: IPv6 DS Lite
Replies: 20
Views: 4879

Re: IPv6 DS Lite

The :put command outputs data to the console, you could use :log instead. Are you requesting the option? According to the specifications servers should not send the OPTION_AFTR_NAME unless specifically requested, so /ipv6 dhcp-client option add code=6 name=OPTION_ORO value=0x0040 The rather sparse d...
by tdw
Thu Nov 09, 2023 5:09 am
Forum: Beginner Basics
Topic: Understanding ARP
Replies: 2
Views: 982

Re: Understanding ARP

The layer 3 IP has no concept of MAC addresses, IP firewall and routing are irrelevant to ARP. ARP works within a layer 2 broadcast domain to provide the MAC address associated with an IP address - it doesn't get forwarded outside the broadcast domain.
by tdw
Mon Nov 06, 2023 9:39 pm
Forum: General
Topic: How to downgrade CCR2116-12G-4S+?
Replies: 2
Views: 793

Re: How to downgrade CCR2116-12G-4S+?

Also, recently introduced Mikrotik models were designed to run v7 only - they are not going to expend effort adding support for new SoC and/or peripherals to v6.
by tdw
Mon Nov 06, 2023 9:28 pm
Forum: Beginner Basics
Topic: LTE Dish Router - inbound trafffic - newbie to Mikrotik - help!!
Replies: 3
Views: 1199

Re: LTE Dish Router - inbound trafffic - newbie to Mikrotik - help!!

The default firewall rules permit ICMP. Are you getting a public IP address - in the UK the only mainstream SIMs which provide public addresses are Three, and then only if you use the correct APN. Depending on what the EE SIM with fixed IP will cost, as they are often for small amounts of data for I...
by tdw
Mon Nov 06, 2023 5:32 pm
Forum: General
Topic: GPON ONU module alternatives
Replies: 11
Views: 3108

Re: GPON ONU module alternatives

There are several threads in the forum, e.g. viewtopic.php?p=1027689
by tdw
Mon Nov 06, 2023 5:28 pm
Forum: Beginner Basics
Topic: DHCP Offer not received on other side of trunk [solved]
Replies: 12
Views: 2669

Re: DHCP Offer not received on other side of trunk

Under /interface vlan the entries should have interface=bridgeINT not interface=ether1 . The first post in the thread you quote is similarly incorrect as pointed out by the second post. Which VLAN isn't receiving DHCP, the wAP appears to have multiple DHCP clients plus some DHCP servers which is unu...
by tdw
Sun Nov 05, 2023 6:01 pm
Forum: Beginner Basics
Topic: DHCP Offer not received on other side of trunk [solved]
Replies: 12
Views: 2669

Re: DHCP Offer not received on other side of trunk

The wAP bridge config is a mess: You have VLANs attached directly to a bridge port, they should always be attached to the bridge itself. Don't add a VLAN with ID 1, this is the default PVID on bridge ports. You have a mix of VLAN-aware bridge and switch VLAN configuration - these interact in undocum...
by tdw
Sun Nov 05, 2023 5:45 pm
Forum: Beginner Basics
Topic: RouterOS - Connecting 2 Subnets on 1 Router
Replies: 1
Views: 1045

Re: RouterOS - Connecting 2 Subnets on 1 Router

Static routes are unnecessary. The intrinsic policy is to permit forwarding between any subnets on the mikrotik, likely there are firewall rules blocking communication.
by tdw
Tue Oct 31, 2023 2:34 am
Forum: General
Topic: Routing distance not modifiable [SOLVED]
Replies: 4
Views: 1256

Re: Routing distance not modifiable [SOLVED]

Smaller subnets always have priority over larger, distance is only used when there are multiple subnets of the same size. The static route (#5 of /ip route print ) looks incorrect - the gateway should be the next hop address, not the interface: /ip route add dst-address=192.168.253.0/24 gateway=192.168....
by tdw
Tue Oct 31, 2023 2:21 am
Forum: Scripting
Topic: problems with update 7.10+ script does not work
Replies: 2
Views: 1648

Re: problems with update 7.10+ script does not work

See viewtopic.php?t=196072 and modify the script accordingly
by tdw
Mon Oct 30, 2023 10:52 pm
Forum: General
Topic: Vlan L3 Interface & Switching VLAN [SOLVED]
Replies: 1
Views: 678

Re: Vlan L3 Interface & Switching VLAN [SOLVED]

You are missing any /interface bridge vlan configuration. Whilst the bridge port pvid= settings will dynamically add those ports as untagged members you need to specify the bridge-to-cpu port tagged membership. /interface bridge vlan add bridge=br0 tagged=br0 vlan-ids=10 add bridge=br0 tagged=br0 vl...
by tdw
Mon Oct 30, 2023 9:56 pm
Forum: General
Topic: RB3011, VLAN switching/routing and DHCP server
Replies: 11
Views: 1506

Re: RB3011, VLAN switching/routing and DHCP server

Attempting to mix a VLAN-aware bridge and switch-chip VLAN filtering is just asking for trouble. Either: Use a VLAN-aware bridge, the only downside of which is you do not get wirespeed L2 performance between ports in the same VLAN Or: Use a non-VLAN-aware bridge which acts like an unmanaged switch a...
by tdw
Sat Oct 21, 2023 5:16 pm
Forum: Wireless Networking
Topic: No DHCP via WiFi
Replies: 5
Views: 1964

Re: No DHCP via WiFi

Did you make all of the suggested changes, also the wlan interfaces will be added automatically by CAPsMAN so should not be added manually: /interface bridge port add bridge=bridge1 interface=ether1 add bridge=bridge1 interface=wlan1 add bridge=bridge1 interface=wlan2 /interface wireless cap set bri...
by tdw
Tue Oct 10, 2023 9:20 pm
Forum: General
Topic: Can't access DNS domain names from the router
Replies: 7
Views: 1095

Re: Can't access DNS domain names from the router

That does not solve the OPs problem.
by tdw
Tue Oct 10, 2023 2:27 am
Forum: General
Topic: Can't access DNS domain names from the router
Replies: 7
Views: 1095

Re: Can't access DNS domain names from the router

Allowing DNS requests from outside is a bad idea, it turns your router into an open DNS resolver.

All the issues stem from you having deleted the first line of the default configuration which accepts established, related and untracked traffic in the input chain.
by tdw
Sun Oct 08, 2023 11:04 pm
Forum: Beginner Basics
Topic: IPv6 with Vodafone Station (Czechia) borked
Replies: 3
Views: 1014

Re: IPv6 with Vodafone Station (Czechia) borked

It should pass IPv6 OK - however if you have DHCP or IGMP snooping enabled it may break IPv6 multicast, IIRC there have been some forum posts about this.

For the CRS to obtain an IPv6 address disabling IPv6 forwarding will enable it to process RAs.
by tdw
Sun Oct 08, 2023 8:57 pm
Forum: Beginner Basics
Topic: IPv6 with Vodafone Station (Czechia) borked
Replies: 3
Views: 1014

Re: IPv6 with Vodafone Station (Czechia) borked

Are you using the CRS as a bridge or a router? AFAIK mobile operators only provide a single /64 and no prefix delegation. As you need one /64 per network using the CRS as a router will not work unless you resort to NAT (which IPv6 was supposed to do away with).
by tdw
Sun Oct 01, 2023 11:41 pm
Forum: Beginner Basics
Topic: Cannot connect to the internet with PPOE with vlan
Replies: 3
Views: 828

Re: Cannot connect to the internet with PPOE with vlan

The new WAN interface needs adding to the WAN interface list, otherwise there will be no internet access from the LAN:
/interface list member
add interface=EboxPPOE list=WAN


you can also remove ether1 from the list, and disable or remove the DHCP client.
by tdw
Sun Oct 01, 2023 12:48 am
Forum: SwOS
Topic: Help with VLans.
Replies: 10
Views: 3040

Re: Help with VLans.

You have no /ip address in the 10.10.1.0/24 subnet.

The /interface vlan should refer to the bridge, not any member ports.

There are also unnecessary duplicates in /ip pool.
by tdw
Fri Sep 29, 2023 10:37 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 2153

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

Without accepting RAs you will likely lose the gateway information. IIRC when changing accept RAs some things don't actually change until after reboot.

I would suggest sending a feature request to Mikrotik, not accepting the RA DNS options is likely to be a common requirement as more people use IPv6.
by tdw
Fri Sep 29, 2023 8:46 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 2153

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

The DHCPv6 client use-peer-dns option will only affect handling of OPTION_DNS_SERVERS received in the DHCPv6 reply, there is similarly an option in the PPPoE client to use or ignore any DNS provided by IPv6CP when using PPPoE. It needs a separate option to use or ignore the RA-provided data.
by tdw
Fri Sep 29, 2023 6:44 pm
Forum: General
Topic: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]
Replies: 5
Views: 2153

Re: Dynamic DNS server being used but Use Peer DNS are unchecked? [SOLVED]

It will be part of the IPv6 RA data from the ISP. AFAIK there isn't an option to ignore the DNS server option if it is present.
by tdw
Fri Sep 29, 2023 2:12 am
Forum: SwOS
Topic: Need Help On Connecting Two CSS610s over VLAN
Replies: 13
Views: 3336

Re: Need Help On Connecting Two CSS610s over VLAN

Hope Mikrotik will fix this bug in the future SWOS Lite release. It isn't a bug as such. Switches may support either shared VLAN learning (SVL) or independent VLAN learning (IVL) modes of operation: In SVL mode there is a single MAC address table so any learnt address applies to all VLANs. In IVL m...
by tdw
Thu Sep 28, 2023 9:18 pm
Forum: Wireless Networking
Topic: Using UniFi AP-AC Lite with MikroTik router on standalone mode
Replies: 1
Views: 1480

Re: Using UniFi AP-AC Lite with MikroTik router on standalone mode

If you plug a laptop directly into the Mikrotik does the Mikrotik hotspot work? With a UniFi AP configured in standalone mode it should provide a transparent connection between WiFi and ethernet. If you use a UniFi portal instead the controller has to be online all of the time, and you can only use ...
by tdw
Sat Sep 23, 2023 8:59 pm
Forum: Beginner Basics
Topic: vlans and wifi with two separate internet routers [SOLVED]
Replies: 9
Views: 1722

Re: vlans and wifi with two separate internet routers [SOLVED]

There may be two methods which work, the example on the new help pages now being suggested over the example in the old wiki. The difference appears to be VLANs port memberships set to 'leave as is' and the VLAN 'VLAN Receive' set to 'only tagged'/'only untagged', I suspect the issue with your origin...
by tdw
Fri Sep 22, 2023 7:49 pm
Forum: Beginner Basics
Topic: vlans and wifi with two separate internet routers [SOLVED]
Replies: 9
Views: 1722

Re: vlans and wifi with two separate internet routers [SOLVED]

The RB260 configuration is almost entirely incorrect. From factory reset: VLAN tab Set Default VLAN ID Port1-> 10, Port2 -> 10, Port3 -> 20 VLANs tab Add VLAN ID 10, set Port1 -> always strip, Port2 -> always strip, Port4 -> add if missing, Port5 -> add if missing Add VLAN ID 20, set Port3 -> always...
by tdw
Fri Sep 22, 2023 7:21 pm
Forum: General
Topic: CRS Switch Question
Replies: 3
Views: 496

Re: CRS Switch Question

Various options: If you are providing their WAN address using DHCP use DHCP option 82 insertion and limit each port to a single lease (you can't use the Mikrotik DHCP server for this). Use 802.1x MAC auth, requires a RADIUS server and restricts them to only connecting devices which are known, e.g. i...
by tdw
Fri Sep 22, 2023 2:00 pm
Forum: General
Topic: FreeRadius and Mikrotik get IP from mySQL IPPOOL
Replies: 1
Views: 440

Re: FreeRadius and Mikrotik get IP from mySQL IPPOOL

Yes, see https://wiki.mikrotik.com/wiki/Manual:R ... ess-Accept

There are several well-known vulnerabilities in 6.40.9, it would be wise to upgrade to the latest LTS (currently 6.49.10).
by tdw
Fri Sep 22, 2023 1:14 am
Forum: General
Topic: How to merge 2 differents trunk + VLANs to one trunk?
Replies: 18
Views: 1600

Re: How to merge 2 differents trunk + VLANs to one trunk?

Use one bridge on the CCR2116, not two separate ones, and configure the /interface bridge vlan membership accordingly on the two trunks. You do not need /interface vlan and /ip address entries for every single VLAN on switches, these are only required for access to the switch itself so for a single ...
by tdw
Thu Sep 21, 2023 11:01 pm
Forum: General
Topic: Static Public IP
Replies: 2
Views: 484

Re: Static Public IP

Your provider's gateway will use ARP to resolve the MAC for all IPs in the /25 block other than itself. As you have created a /30 subnet which overlaps with the /25 on a physically separate ethernet network this will fail. Either proxy-arp, or bridge your WAN and customer connection giving them one a...
by tdw
Thu Sep 21, 2023 8:09 pm
Forum: General
Topic: clarification about lldp and voip phones [SOLVED]
Replies: 4
Views: 895

Re: clarification about lldp and voip phones [SOLVED]

If the box between the label 'LLDP MED Network Policy VLAN:' and the downward-pointing triangle is greyed out it should be disabled. When enabled the box is not greyed out and contains the VLAN ID. If you open a terminal window the command /ip neighbor export verbose should display: /ip neighbor dis...
by tdw
Thu Sep 21, 2023 4:19 pm
Forum: General
Topic: clarification about lldp and voip phones [SOLVED]
Replies: 4
Views: 895

Re: clarification about lldp and voip phones [SOLVED]

Historically when VoIP phones were added to offices there were often insufficient network sockets available, a common workaround was to present the normal data network untagged and the VoIP network tagged. Rather than having to configure each phone when deployed a number of autoconfiguration mechani...
by tdw
Thu Sep 21, 2023 4:08 pm
Forum: General
Topic: How to merge 2 differents trunk + VLANs to one trunk?
Replies: 18
Views: 1600

Re: How to merge 2 differents trunk + VLANs to one trunk?

OSPF operates over IP / layer 3, VLANs operate over ethernet / layer 2 - they are completely unrelated to each other. The block on the diagram "OSPF link with 8 subnet with1 Trunk inside of ccr2116 - 8 vlans id:100-107" makes absolutely no sense.
by tdw
Mon Sep 18, 2023 2:24 am
Forum: Beginner Basics
Topic: export/import ROS configuration
Replies: 7
Views: 4739

Re: export/import ROS configuration

Importing a full configuration onto a device which has its default configuration will fail due to duplicate items as you have found. No, reset-configuration will restore the default, using no-defaults=yes will result in a completely unconfigured device ready for a full configuration to be applied. Y...
by tdw
Sun Sep 17, 2023 10:43 pm
Forum: General
Topic: Second PPPoE connection / ICMP
Replies: 2
Views: 593

Re: Second PPPoE connection / ICMP

With multiple WAN connections you need mangle rules to mark inbound traffic and return the replies via the appropriate WAN interface.
by tdw
Sat Sep 16, 2023 6:00 pm
Forum: Forwarding Protocols
Topic: Routing between bridges on Mikrotik
Replies: 6
Views: 2746

Re: Routing between bridges on Mikrotik

Your original network diagram doesn't show the whole picture (no mention of the 172.16.x.x subnets, or the router at 10.5.17.253). What is the default gateway of the devices on the 10.5.23.0/24 network? Does the target device accept ICMP requests from outside its subnet (hint Windows doesn't)?
by tdw
Sat Sep 16, 2023 5:48 pm
Forum: Beginner Basics
Topic: VLAN for second IP from ISP
Replies: 3
Views: 1771

Re: VLAN for second IP from ISP

However, i've recently decided to connect a SIP-trunk and ISP gave me a vlanid, a public ip/gateway for my sip station and sip server address, on same port as my internet. So your ISP is providing the SIP service? In which case the public IP, netmask and gateway are for the SIP device - you should ...
by tdw
Sat Sep 16, 2023 5:30 pm
Forum: Beginner Basics
Topic: VLAN for second IP from ISP
Replies: 3
Views: 1771

Re: VLAN for second IP from ISP

There are multiple methods to this "bridge + vlan filtering" or "interface-vlan + bridge"
You need the 2nd method to correctly work with your ISP.
Unlikely, there are very few use cases where a single VLAN-aware bridge cannot implement the configuration required.
by tdw
Tue Sep 12, 2023 12:54 pm
Forum: General
Topic: Mixed mikrotik with tagged/untagged Vlans
Replies: 7
Views: 1052

Re: Mixed mikrotik with tagged/untagged Vlans

Many third-party guides still use the old bridge-per-VLAN approach which predates VLAN-aware bridges. Whilst not wrong there are many pitfalls for the unwary, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration (particularly 'VLAN on a bridge in a bridge', 'VLAN in a bridge with a...
by tdw
Tue Sep 12, 2023 4:09 am
Forum: General
Topic: communication between the TP-Link controller and the Wi-Fi access points
Replies: 2
Views: 1049

Re: communication between the TP-Link controller and the Wi-Fi access points

Any device on the hotspot network will have outgoing traffic blocked or redirected until it has logged in to the hotspot. There are several simple options - add firewall rules to the hotspot chains, add server to walled garden IP list, or add IP bindings. The better solution is to have the access po...
by tdw
Fri Sep 08, 2023 2:28 pm
Forum: RouterBOARD hardware
Topic: CRS3xx: switching vs bridging ?
Replies: 12
Views: 3780

Re: CRS3xx: switching vs bridging ?

You can - however the CRS devices were originally designed to support wire-speed L2 switching and also be able to support L3 functionality, but much limited by their CPU performance. As RouterOS v7 has developed some L3 hardware offload has been added by utilising previously unused capabilities of t...
by tdw
Thu Sep 07, 2023 7:01 pm
Forum: RouterBOARD hardware
Topic: CRS3xx: switching vs bridging ?
Replies: 12
Views: 3780

Re: CRS3xx: switching vs bridging ?

1 - yes, assuming hardware offload has not been disabled on the interfaces. 2 - yes, when using the VLAN-aware bridge setup merely adding/removing tags between access and trunk ports is still performed at wire speed. 3 - yes. 4 - bridge filtering, if you cannot achieve what is necessary with switch ...
by tdw
Tue Sep 05, 2023 9:54 pm
Forum: General
Topic: Identify physical interface from DHCP client script
Replies: 4
Views: 1352

Re: Identify physical interface from DHCP client script

ARP and DHCP are usually completely independent, you can disable ARP learning and have the DHCP server create an ARP entry for specific use cases. Enabling DHCP snooping on the bridge will populate the agent-circuit-id and agent-remote-id fields which may provide the information you are looking for....
by tdw
Mon Aug 28, 2023 6:17 pm
Forum: Beginner Basics
Topic: VLAN DHDP-Relay
Replies: 12
Views: 2935

Re: VLAN DHDP-Relay

One DHCP server can issue static addresses for the multiple subnets attached to an interface, however it can only issue dynamic addresses from one pool as it has no idea how to differentiate which clients should be associated with which subnet. (Actually there are mechanisms which allow matching on ...
by tdw
Sat Aug 26, 2023 9:02 pm
Forum: Beginner Basics
Topic: LEOX LXT-010S-H SFP GPON
Replies: 10
Views: 4119

Re: LEOX LXT-010S-H SFP GPON

Currently vlan20 and vlan30 are only associated with the sfp-WAN interface, there is no connection between them and any of the LAN ports. Exactly what is required depends on the network architecture your ISP has implemented for IPTV and telephony traffic - routed or bridged. If the IPTV is bridged, ...
by tdw
Sat Aug 26, 2023 7:29 pm
Forum: Forwarding Protocols
Topic: Is it possible with Mikrotik: Your support required please.
Replies: 15
Views: 3624

Re: Is it possible with Mikrotik

Your picture is incorrect, PPP-based connections are assigned /32 addresses so the L2TP client and server will be 192.168.88.2/32 and 192.168.88.1/32. Add a static route for 192.168.10.0/24 to the PPP secret for site B on site A, the L2TP server - this allows site A to forward traffic for that su...
by tdw
Fri Aug 25, 2023 11:43 pm
Forum: Beginner Basics
Topic: VLAN DHDP-Relay
Replies: 12
Views: 2935

Re: VLAN DHDP-Relay

Using VLAN ID 1 is unwise unless you really know what you are doing, many vendors reserve VLAN ID 1 for untagged traffic.

So you are configuring the network drivers on the PCs to use VLAN IDs 1 and 2?
by tdw
Sun Aug 20, 2023 8:35 pm
Forum: General
Topic: problem with vlan101 on port 4 - hap lite [SOLVED]
Replies: 10
Views: 1728

Re: problem with vlan101 on port 4 - hap lite [SOLVED]

/interface bridge vlan
add bridge=BR1 tagged=ether1,ether2,ether3,ether4 vlan-ids=101
...


You can include untagged=ether4 although this will be added dynamically from the port PVID setting.
by tdw
Sun Aug 20, 2023 8:30 pm
Forum: General
Topic: Unable to use router IP as Gateway
Replies: 2
Views: 908

Re: Unable to use router IP as Gateway

You cannot have multiple physical networks using the same subnet, the 'Gigabit Bridge' and VLAN_GEN_10 interfaces have the same address and subnet.

You may be suffering from https://xyproblem.info/, a diagram of what you are trying to achieve would be helpful.
by tdw
Sun Aug 20, 2023 8:17 pm
Forum: General
Topic: problem with vlan101 on port 4 - hap lite [SOLVED]
Replies: 10
Views: 1728

Re: problem with vlan101 on port 4 - hap lite [SOLVED]

If Windows works but Linux doesn't most likely packets are tagged in one direction and untagged in the other. Note that the fast ethernet switch chips do not support hybrid operation due to hardware design limitations. There should not be an issue using a VLAN-aware bridge, post your config with tha...
by tdw
Wed Aug 09, 2023 8:33 pm
Forum: General
Topic: Filtering traffic with a LAN
Replies: 8
Views: 2058

Re: Filtering traffic with a LAN

Yes
by tdw
Wed Aug 09, 2023 5:37 pm
Forum: General
Topic: Filtering traffic with a LAN
Replies: 8
Views: 2058

Re: Filtering traffic with a LAN

Configure the Mikrotik as a switch rather than a router. If whichever Mikrotik you use has bridge hardware-offload enabled it would have to be implemented with switch ACLs, the various switch chips have different switch rule capabilities so check https://help.mikrotik.com/docs/display/ROS/Switch+Chip+...
by tdw
Mon Aug 07, 2023 3:44 am
Forum: Beginner Basics
Topic: LAN as tagged VLAN out WAN port for backbone (WAN and LAN on same port) [SOLVED]
Replies: 4
Views: 1635

Re: LAN as tagged VLAN out WAN port for backbone (WAN and LAN on same port) [SOLVED]

There are issues with your 'simpler way', see https://help.mikrotik.com/docs/display/ ... linterface

Several settings, including frame-types= and ingress-filtering=, have no effect unless the bridge has vlan-filtering=yes
by tdw
Sun Aug 06, 2023 2:51 am
Forum: Beginner Basics
Topic: Simple VLAN setup, only VLAN1 is working [SOLVED]
Replies: 3
Views: 1311

Re: Simple VLAN setup, only VLAN1 is working [SOLVED]

You have no /interface bridge vlan entries. Untagged entries will be automatically generated from the pvid= settings for the bridge itself (the implicit bridge-to-cpu port) and any /interface bridge port entries but you have to define all the tagged entries, e.g. for the bridge-to-cpu traffic.
by tdw
Tue Aug 01, 2023 1:52 am
Forum: General
Topic: IPv6 subnet delegation
Replies: 6
Views: 889

Re: IPv6 subnet delegation

ovh also assigned me an ipv6 subnet /56 2001:41d0:700:55xx::/56 gateway 2001:41d0:700:55ff:ff:ff:ff:ff. That is an awful configuration, it requires ND proxy to work and Mikrotik don't implement this. Most common a provider will use a /64, either from the allocated subnet or a completely separate ra...
by tdw
Mon Jul 31, 2023 1:46 pm
Forum: General
Topic: Domain controller query without VPN.
Replies: 4
Views: 652

Re: Domain controller query without VPN.

Yes. Historically something like:
/ip dns static add regexp="your\\.domain\$" forward-to=192.168.2.10
but in newer versions the following is more efficient:
/ip dns static add type=FWD name=your.domain match-subdomain=yes forward-to=192.168.2.10
by tdw
Mon Jul 31, 2023 12:58 pm
Forum: General
Topic: Domain controller query without VPN.
Replies: 4
Views: 652

Re: Domain controller query without VPN.

if I enter 192.168.10.1 as DNS at the branch office, you can surf and call up the static DNS entries. But the domain controller query doesn't work properly. It wouldn't as AD DNS contains various special subdomains. At the remote site use the Mikrotik as the DNS server and add a static DNS FWD entry ...
by tdw
Fri Jul 28, 2023 1:51 am
Forum: RouterBOARD hardware
Topic: Dimensions of hEX PoE/RB960PGS
Replies: 5
Views: 2979

Re: Dimensions of hEX PoE/RB960PGS

Although missing on the product page it is in the brochure https://i.mt.lv/cdn/product_files/hEX__poe_190723.pdf - 114 x 137 x 29 mm
by tdw
Fri Jul 28, 2023 1:24 am
Forum: Beginner Basics
Topic: Vlans getting internet but not reaching dhcp server
Replies: 8
Views: 1484

Re: Vlans getting internet but not reaching dhcp server

Obvious errors are various /interface vlan and /ip address items being attached to interfaces which are members of a bridge, also ether1 which appears to be the WAN connection being a member of the bridge.
by tdw
Thu Jul 27, 2023 12:57 pm
Forum: General
Topic: PPPoE Server + Bridge Horizon v7.10.2
Replies: 2
Views: 646

Re: PPPoE Server + Bridge Horizon v7.10.2

The bridge* parameters in the PPP profile are used for BCP, they have nothing to do with IP connectivity between the server and client(s). Setting a horizon will not restrict IP traffic between the client addresses assigned from your IP pool. From https://wiki.mikrotik.com/wiki/Manual:BCP_bridging_(...
by tdw
Thu Jul 27, 2023 12:42 am
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 70743

Re: v6.49.8 [long-term] is released!

... it isn't clear if that CVE-2023-30799 was only addressed in 6.49.7 onwards, or also in 6.48.7 LTS which was released at a later date - there is nothing in the release notes. No, post #22 above probably sums up the status completely (not mentioning 6.48.7 does mean something). But since 6.49.8...
by tdw
Wed Jul 26, 2023 3:05 pm
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 70743

Re: v6.49.8 [long-term] is released!

I visited a lonely page that feels completely neglected by Mikrotik: https://blog.mikrotik.com/security/ also supplies RSS feed for Mikrotik. +1 and it isn't clear if that CVE-2023-30799 was only addressed in 6.49.7 onwards, or also in 6.48.7 LTS which was released at a later date - there is nothin...
by tdw
Mon Jul 24, 2023 4:51 pm
Forum: General
Topic: DHCP issue with WDS on particular home router brands
Replies: 3
Views: 739

Re: DHCP issue with WDS on particular home router brands

It is an interoperability issue affecting all manufacturers, not just Mikrotik. See https://help.mikrotik.com/docs/display/ ... tion+Modes
by tdw
Sun Jul 23, 2023 3:41 pm
Forum: Announcements
Topic: v6.49.8 [long-term] is released!
Replies: 49
Views: 70743

Re: v6.49.8 [long-term] is released!

So is this just a recompilation/rerelease of 6.49.8 (stable) with no code changes? The original release has a different timestamp - "What's new in 6.49.8 (2023-May-22 16:07)"
by tdw
Fri Jul 21, 2023 2:25 am
Forum: General
Topic: traffic stops almost completely after a few bridge hops
Replies: 9
Views: 1153

Re: traffic stops almost completely after a few bridge hops

The airMAX radios in bridge mode will by default pass all tagged VLANs and provide management access to the radios untagged. If you are seeing unexpected VLANs that will be down to your switch configurations. There is a long-standing bug in airMAX radios operating in point-to-multipoint (even if the...
by tdw
Thu Jul 20, 2023 9:25 pm
Forum: General
Topic: traffic stops almost completely after a few bridge hops
Replies: 9
Views: 1153

Re: traffic stops almost completely after a few bridge hops

Having the same MAC address on two of the devices would mess up the forwarding database on switches/bridges. What wireless devices are you using?
by tdw
Wed Jul 19, 2023 10:31 pm
Forum: Beginner Basics
Topic: Question regarding IP pools [SOLVED]
Replies: 24
Views: 2250

Re: Question regarding IP pools [SOLVED]

one last question, does L2TP have such a thing as well? do I need to set a netmask for L2TP as well to be able to use /23 on it? PPP-based point-to-point links (e.g. PPPoE, L2TP, PPTP, SSTP) have no concept of subnets, each end of the link is assigned a /32. OpenVPN in IP / TUN mode works differentl...
by tdw
Wed Jul 19, 2023 3:12 pm
Forum: Beginner Basics
Topic: Question regarding IP pools [SOLVED]
Replies: 24
Views: 2250

Re: Question regarding IP pools [SOLVED]

Simply set a fairly short lease time in the DHCP server setting. DHCP has absolutely nothing to do with L2TP and other PPP-based point-to-point connection address assignment, it is handled by IPCP. RouterOS address assignments are somewhat sticky - each new connection is assigned an address from th...
by tdw
Sun Jul 16, 2023 3:58 pm
Forum: Beginner Basics
Topic: Forward secondary IP to web server
Replies: 4
Views: 1060

Re: Forward secondary IP to web server

If the WAN connections have different gateways you have to use mangle rules and additional routing tables or VRFs to ensure return traffic uses the same WAN as the inbound traffic arrived on.
by tdw
Sat Jul 08, 2023 6:22 pm
Forum: Beginner Basics
Topic: Bridge issues
Replies: 14
Views: 1959

Re: Bridge issues

Took off the interfaces from what? You should be able to use MAC access from Winbox to access the devices even with no or a broken configuration.
by tdw
Fri Jul 07, 2023 7:21 pm
Forum: Beginner Basics
Topic: Bridge issues
Replies: 14
Views: 1959

Re: Bridge issues

For the first device I have updated the settings. Please see the following, I don't understand those questions about route and DNS, tried to add the route and DNS as well. As the device is acting as bridge, not a router, you only need a single IP address which should be applied to the bridge, not brid...
by tdw
Wed Jun 28, 2023 1:18 pm
Forum: General
Topic: SSH into LAN over external IP from a L2TP tunnel
Replies: 6
Views: 1007

Re: SSH into LAN over external IP from a L2TP tunnel

Not quite. #1 & #2 only handle traffic to the Mikrotik itself. The traffic to your SSH server requires connection marks in the forward chain plus routing marks in the prerouting chain. You have to make sure that the prerouting mark only applies to outbound traffic (hint: consider what happens if...
by tdw
Fri Jun 23, 2023 11:28 pm
Forum: Scripting
Topic: prevent the script from running if it is already running
Replies: 6
Views: 2656

Re: prevent the script from running if it is already running

It depends from where it is invoked, for scheduled scripts which may not have completed I use the following for on-event :local name "unms_update_ip" :if ([/system script job print count-only where script=$name] = 0) do={ /system script run $name } else={ :log info "$name already runn...
by tdw
Wed Jun 21, 2023 2:56 am
Forum: General
Topic: Public IP routing to LAN [SOLVED]
Replies: 3
Views: 737

Re: Public IP routing to LAN [SOLVED]

You could either create a second LAN, or add the public subnet to the existing LAN - in either case you add 1.2.3.25/29 to the LAN. You will also need to modify the default forward rules which only allow destination NAT traffic from WAN to LAN. Note that if sharing multiple subnets on one LAN you ca...
by tdw
Sun Jun 18, 2023 12:21 pm
Forum: General
Topic: Consolidate 3 switches into 1
Replies: 3
Views: 560

Re: Consolidate 3 switches into 1

CRS3xx running RouterOS only provide wire-speed switching by using hardware offload on one bridge. Use a single bridge with VLANs configuring the groups of access ports, e.g. port 3-8 VLAN100, port 9-16 VLAN101, port 17-24 VLAN 102. CSS devices have a fixed single bridge. You can either use VLANs as...
by tdw
Fri Jun 16, 2023 12:19 pm
Forum: Beginner Basics
Topic: Fiber SC connector: SFP or adapt to LC?
Replies: 3
Views: 1602

Re: Fiber SC connector: SFP or adapt to LC?

You need to know what type of optical network the ISP provides and where the demarcation point between their network and the customer is - often it is an ethernet socket on Network Terminating Equipment (NTE) or Optical Network Terminal (ONT). Their equipment may be necessary so they can carry out r...
by tdw
Thu Jun 15, 2023 3:37 pm
Forum: Beginner Basics
Topic: Basic VLAN and 802.1q trunks
Replies: 7
Views: 1850

Re: Basic VLAN and 802.1q trunks

The first bridge created will use hardware offload. If you disable hardware offload (with hw=no) on all the bridge ports of the first bridge the next bridge will use hardware offload.

The management interface doesn't have to be a member of a bridge, you can assign an IP address to it directly.
by tdw
Thu Jun 15, 2023 3:27 pm
Forum: Beginner Basics
Topic: re-enable ethernet port management
Replies: 10
Views: 1296

Re: re-enable ethernet port management

No, the console port is serial RS232 with the commonly used Cisco pinout. You need a USB to RS232 interface and a DB-9 to RJ45 cable, see https://help.mikrotik.com/docs/display/ROS/Serial+Console#SerialConsole-RJ45TypeSerialPort If any SFP interface(s) are bridged to the internal CPU interface you s...
by tdw
Mon Jun 12, 2023 9:08 pm
Forum: Beginner Basics
Topic: Basic VLAN and 802.1q trunks
Replies: 7
Views: 1850

Re: Basic VLAN and 802.1q trunks

Mikrotik have a default native VLAN ID of 1 on bridges (for the switch-to-CPU interface) and bridge ports, as with many other defaults it doesn't appear in /export . Attempting to add an /interface vlan with the same ID usually results in odd behaviour and/or loss of connectivity due to the mix of t...
by tdw
Sat Jun 10, 2023 9:53 pm
Forum: Beginner Basics
Topic: tagged or untagged bridge? and a little more about vlans.
Replies: 2
Views: 544

Re: tagged or untagged bridge? and a little more about vlans.

For a deeper dive into the CPU-to-bridge interface see also viewtopic.php?p=1006033
by tdw
Thu Jun 08, 2023 5:24 pm
Forum: General
Topic: Disconnect DHCP user from RADIUS?
Replies: 2
Views: 380

Re: Disconnect DHCP user from RADIUS?

No, and it is not Mikrotik-specific. There is no mechanism in DHCP to revoke a lease and communicate that to the client. Once a device has been granted an address it is free to use that address until the lease time expires, even if you remove the current lease from the DHCP server. Large ISPs often ...
by tdw
Mon Jun 05, 2023 8:36 pm
Forum: SwOS
Topic: feature request - https for webui
Replies: 31
Views: 14600

Re: feature request - https for webui

SwOS does not have much functionality. To support HTTPS it would need crypto, time, a filesystem, a mechanism to upload certificates, etc. I expect that a 'RouterOS lite' which has enough functionality would be easier than trying to retrofit SwOS. And make sure you keep any downloaded configuration ...
by tdw
Mon Jun 05, 2023 3:33 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 29098

Re: RouterOS bridge mysteries explained

I'm not sure I've understood you well - I've tested on 7.9 and the rule only counts if I remove the mac-protocol=ip src-address=192.168.229.1/32 conditions: Initially I thought it might be something which got broken going from v6 to v7, but I've tried 7.9.2 on a SMIPS device (not recommended, it's sl...
by tdw
Fri Jun 02, 2023 10:01 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 29098

Re: RouterOS bridge mysteries explained

You can match IP traffic with mac-protocol=ip on a VLAN-aware bridge but you can't select a specific VLAN as well. When VLAN-aware bridges were introduced Mikrotik should have separated the filter functionality so you can apply both a VLAN and another filter, rather than the limited either/or situat...
by tdw
Fri Jun 02, 2023 2:52 pm
Forum: General
Topic: Voice Vlan
Replies: 7
Views: 1042

Re: Voice Vlan

Newer versions of RouterOS 6 & 7 support LLDP-MED, see https://help.mikrotik.com/docs/display/ ... figuration
by tdw
Fri Jun 02, 2023 2:46 pm
Forum: General
Topic: Getting into a loop when using multiple "trunk" ports
Replies: 3
Views: 694

Re: Getting into a loop when using multiple "trunk" ports

You can't just connect multiple links between a pair of devices, as you have found this leads to loops and broadcast storms swamping the network.

You can aggregate multiple physical links into a single virtual link and use this as the trunk. See https://help.mikrotik.com/docs/display/ROS/Bonding
by tdw
Mon May 29, 2023 2:10 pm
Forum: RouterBOARD hardware
Topic: 2 Routers with same MAC addresses?
Replies: 4
Views: 2994

Re: 2 Routers with same MAC addresses?

From the documentation "RouterOS backup feature allows you to save the current device's configuration, which then can be re-applied on the same or a different identical model . This is very useful since it allows you to effortlessly restore the device's configurations or to re-apply the same co...
by tdw
Sat May 27, 2023 7:24 pm
Forum: General
Topic: RouterOS bridge mysteries explained
Replies: 86
Views: 29098

Re: RouterOS bridge mysteries explained

The first of those two cases - when you have untagged traffic to/from the CPU-port.
by tdw
Fri May 26, 2023 5:42 pm
Forum: General
Topic: HELP! - Latency on 1 switch only
Replies: 8
Views: 868

Re: HELP! - Latency on 1 switch only

I missed that. Nothing immediately obvious; is the cable OK (expected link speed, no errors, etc.)?
by tdw
Fri May 26, 2023 5:13 pm
Forum: General
Topic: HELP! - Latency on 1 switch only
Replies: 8
Views: 868

Re: HELP! - Latency on 1 switch only

As all traffic between the router and tower switch will currently have to pass through the rack switch CPU it will introduce latency and packet drops if the CPU is overloaded.
by tdw
Fri May 26, 2023 1:57 pm
Forum: General
Topic: HELP! - Latency on 1 switch only
Replies: 8
Views: 868

Re: HELP! - Latency on 1 switch only

Your rack switch is wrongly configured. CRS1xx/2xx do not support hardware-offloaded VLAN-aware bridges, you have to use a regular bridge and configure the switch chip - see https://help.mikrotik.com/docs/pages/vi ... =103841836