Community discussions

Search found 60 matches

by MangleRule
Wed Nov 28, 2018 6:27 pm
Forum: Beginner Basics
Topic: Winbox and RoMON
Replies: 2
Views: 667

Re: Winbox and RoMON

If you are trying to login using an IP address, there is a firewall rule or something blocking your access if it doesn't respond. RoMON is independent of layer 2 and layer 3 configuration which is why you can login with RoMON.
by MangleRule
Thu May 31, 2018 3:03 am
Forum: Beginner Basics
Topic: How to configure Load balancing in rb2011 il-rm
Replies: 4
Views: 1015

Re: How to configure Load balancing in rb2011 il-rm

I have tried to follow the official documentation and configure my rb2011 il-rm but it doesn't work. Would someone help me and assist me to make load balancing into this appliance to have this result .. WAN1 (200Mbps) + WAN2 (200Mbps) = OUT (400Mbps) Nb: The configuration of rb2011 series that i fo...
by MangleRule
Sun May 13, 2018 5:03 am
Forum: Beginner Basics
Topic: PPTP - Cannot access device in LAN
Replies: 9
Views: 3579

Re: PPTP - Cannot access device in LAN

That is odd that your camera is phoning out like that. You should just adjust the rule so instead of dst-address=!192.168.88.0/24 just use out-interface=<wan.interface> (Change <wan.interface> to whatever the port going to the internet is).
by MangleRule
Sun May 13, 2018 4:53 am
Forum: Wireless Networking
Topic: hAP ac² AP+bridge mode
Replies: 7
Views: 1594

Re: hAP ac² AP+bridge mode

Does anyone know if the hAP ac² can do WiFi Access Point and WiFi bridge mode at the same time? Well the hAP ac² has two wireless cards, 2.4GHz and 5GHz. Are you talking about using one of the cards (2.4GHz for example) to connect to another SSID as an uplink as well as broadcast its own network o...
by MangleRule
Sun May 13, 2018 4:09 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

Great news SOB, I implemented a variation of your rules with some others and despite having my IP Routes reachable on both internet and email, I don't have internet or email connectivity LOL. I am trying to figure out why but don't see anything obvious. If I get desperate I will ask for help............
by MangleRule
Sat May 12, 2018 12:37 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

And I do know how snat and dnat work, thanks for the explanation though. I was just stating that your suggestions about Masquerade was coming from left field here and was the opposite of the requirement. Mikrotik firewall is very basic when used to working with iptables. I mean.... iptables are very...
by MangleRule
Sat May 12, 2018 12:21 am
Forum: Beginner Basics
Topic: PPTP - Cannot access device in LAN
Replies: 9
Views: 3579

Re: PPTP - Cannot access device in LAN

That doesn't really help much, that is just a plain torch. You just need to set the Dst. Address to the openHAB server, if you know the port that it uses for the app to communicate to the server add that under the Protocol and Port as well so you can see if the traffic is even reaching the openHAB s...
by MangleRule
Sat May 12, 2018 12:16 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

if each vlan has its own gateway which is the router why not use the router as your DNS server and allow incoming traffic on each vlan to destination port 53/udp (the router) otherwise just allow incoming on each vlan with destination any udp/53 and in nat create from source desired vlan for all tr...
by MangleRule
Sat May 12, 2018 12:13 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

So in conclusion thanks to Sob:

/ip firewall nat 
  add chain=dstnat protocol=udp dst-port=53 action=redirect
  add chain=dstnat protocol=tcp dst-port=53 action=redirect
by MangleRule
Sat May 12, 2018 12:08 am
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

Okay last time I will list the list on this thread........... One question though remains, when looking at the TO address for the NAT DSTNAT rule for DNS, How would I best handle the fact that I would have multiple router LANIP gateway addresses. Consider each LAN or VLAN will have its own gateway?...
by MangleRule
Fri May 11, 2018 11:58 pm
Forum: Beginner Basics
Topic: Vlan
Replies: 3
Views: 670

Re: Vlan

Are the devices across the fiber the ones that can not communicate by chance?
by MangleRule
Fri May 11, 2018 11:50 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

So are you saying don't bother with such rules?? Regardless I am interested in how one would identify such traffic using the mikrotik, what combination of time and connections in the extra page would do the trick........... If you don't have multiple Gbps of bandwidth available, you can not ...
by MangleRule
Fri May 11, 2018 11:41 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

Interesting mangle. What do you recommend for dos type scenario. Option 1: tarpit input chain traffic - something about changing data package size being sent - not sure how it does this and to what traffic incoming or returning? Net effect I am told is slowing down the incoming? Option 2: Drop inpu...
by MangleRule
Fri May 11, 2018 11:23 pm
Forum: Beginner Basics
Topic: PPTP - Cannot access device in LAN
Replies: 9
Views: 3579

Re: PPTP - Cannot access device in LAN

The first thing I would try is connecting to the router with Winbox and running the torch tool and see what happens if you try to use the app on your phone while it connects to the PPTP tunnel.
by MangleRule
Fri May 11, 2018 11:08 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

Finally: Brain fart is there a reason why there is no DROP invalid rule on the INPUT Chain?? You should have a drop invalid for the input chain. Basically any packets coming in that do not have a connection tracking entry for its source and destination and are not new connections, they are invalid...
by MangleRule
Fri May 11, 2018 11:02 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

They will have to use the DNS options I have setup in the router? With both rules, any traffic on TCP/UDP 53 will get the destination address in the packet replaced with the router's IP address so it doesn't matter what they set their machine to. If it's the default for lan clients to go out their r...
by MangleRule
Fri May 11, 2018 10:53 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

First part is optional, you can skip to-ports and port will stay the same. But second part is the main point of action=redirect, it always changes destination to router's own address without a need to give a specific one. Oh cool! That is very useful, I probably should have checked the documentatio...
by MangleRule
Fri May 11, 2018 10:44 pm
Forum: Beginner Basics
Topic: PPTP - Cannot access device in LAN
Replies: 9
Views: 3579

Re: PPTP - Cannot access device in LAN

Run the following command so we can see what you have setup.

/export hide-sensitive
by MangleRule
Fri May 11, 2018 10:38 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

I just did a quick test. I ran a DNS query to google.com with the NAT rules in place and there were no hits on the rules. So the rules I listed above will have no effect on the router's self resolution for DNS.
by MangleRule
Fri May 11, 2018 10:34 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

when you state to addresses <routers address>did you mean the LANIP of the subnet? Exactly, so <routers.address> is just what I put in the code example to be replaced for whatever address is reachable on your router. By default, dhcp clients will use the gateway for any routes the host doesn't know...
by MangleRule
Fri May 11, 2018 10:31 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

Special note to anav, this thing is entirely optional and I'd say only needed for special circumstances. Feel free to ignore it. And this note is not meant as anything against MangleRule. :)

Even though redirect makes more semantic sense, unfortunately redirect can only redirect port numbers :(
by MangleRule
Fri May 11, 2018 10:16 pm
Forum: Beginner Basics
Topic: Port forwarding behind CGNAT
Replies: 6
Views: 4030

Re: Port forwarding behind CGNAT

You can setup a MikroTik Cloud Hosted Router on Amazon AWS and use that as a VPN concentrator. Then you can connect your device (laptop, phone, etc) to the VPN and also connect your MikroTik at home to the VPN to get remote access without a public IP.
by MangleRule
Fri May 11, 2018 9:58 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

DNS queries work over 53/udp, tcp is only used for zone transfers, first rule is correct second is wrong if you only accept established connections all new will be dropped, you can do output same as input just make sure to create an outgoing accept rule in output chain for connections related, esta...
by MangleRule
Fri May 11, 2018 9:55 pm
Forum: Beginner Basics
Topic: How to disable DHCP server?
Replies: 3
Views: 2640

Re: How to disable DHCP server?

I dare not to cheer too loud, but this seems to do the trick... Feel free to cheer safely, there is not really room for error with that setup. what do you feel/think when you all read this kind of questions? I just see an opportunity to help someone enjoy MikroTik and prevent some discouragement. E...
by MangleRule
Fri May 11, 2018 9:43 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

@anav : 1. What is the difference (which is better) between these two INPUT chain rules..? a. add action=accept chain=input in-interface=LAN protocol=tcp dst-port=53 b. add action=accept chain=input connection-state=established port=53 protocol=tcp Option A is correct. Option B: connection-state=es...
by MangleRule
Fri May 11, 2018 9:00 pm
Forum: Beginner Basics
Topic: Access Control between VLANs
Replies: 53
Views: 10804

Re: Access Control between VLANs

So to confirm you are saying we don't really need to state untracked (a very rare case only under our control - would require additional rules) The untracked state is usually set in RAW or in...... MangleRules :lol: Once a connection has been marked as untracked, all packets related and established...
by MangleRule
Fri May 11, 2018 8:45 pm
Forum: Beginner Basics
Topic: repeating / bridging hotels captive portal
Replies: 6
Views: 1926

Re: repeating / bridging hotels captive portal

What hardware do you have to use? I usually use a hAP AC Lite. Using the hAP AC Lite, I usually will setup my 2.4GHz interface as a wireless station. Then you just have to setup a dhcp-client on that interface to get an address from the hotel. In the MikroTik NAT firewall rules you can Masquerade t...
by MangleRule
Fri May 11, 2018 8:33 pm
Forum: Beginner Basics
Topic: How to disable DHCP server?
Replies: 3
Views: 2640

Re: How to disable DHCP server?

It sounds like you need to setup a bridge on your wAP AC. From the product page it looks like the wAP AC has a single ethernet interface and two wireless interfaces.

# Setup a bridge for your interfaces
/interface bridge add name=local-bridge
# Add the interfaces to the bridge
/interface bridge port...
by MangleRule
Fri May 11, 2018 7:36 pm
Forum: General
Topic: how to block vpn
Replies: 7
Views: 8213

Re: how to block vpn

dear r4z0r84 plz make video this setting and share plz i really need it What is the purpose of blocking the VPNs? What is suggested above is a terrible idea! Even if you force every client to use your VPN to get primary access, someone can just run a VPN tunnel inside of that tunnel and you are bac...
by MangleRule
Fri May 11, 2018 7:21 pm
Forum: Beginner Basics
Topic: MASTER PORT setting missing
Replies: 6
Views: 31553

Re: MASTER PORT setting missing

Please about this problem can you confirm the substitute command for this?

# Setup a bridge for your LAN ports
/interface bridge add name=local-bridge
# Add your LAN ports to the bridge, by using hw=yes, it will leverage hardware offloading to the switch chip giving the same performance as master >...
by MangleRule
Fri May 11, 2018 7:00 pm
Forum: Beginner Basics
Topic: Missing options for settings interface wireless
Replies: 2
Views: 727

Re: Missing options for settings interface wireless

You can use the TAB keyboard key to show all of the options when you are in the terminal under "/interface wireless". MikroTik also has excellent documentation on their wiki which can be accessed here: Manual: Interface/Wireless. If you have any specific questions that are not available from the two op...
by MangleRule
Fri May 11, 2018 6:55 pm
Forum: Beginner Basics
Topic: Need help - cannot enter admin page on CAP AC
Replies: 6
Views: 4423

Re: Need help - cannot enter admin page on CAP AC

I tried "arp -a" in terminal, it found the only IP in local network: "(224.0.0.251) at 1:0:5e:0:0:fb on en0 ifscope permanent [ethernet]". Well, i cannot reach 224.0.0.251 from browser also. 224.0.0.251 is a multicast address so that will not have anything to do with the setup, from a quick google ...
by MangleRule
Fri May 11, 2018 6:51 pm
Forum: Beginner Basics
Topic: Need help - cannot enter admin page on CAP AC
Replies: 6
Views: 4423

Re: Need help - cannot enter admin page on CAP AC

If you insert the power to the device while holding the factory reset button, you should get a blink on one of the LED indicators. This will factory reset the device. Plug into the device locally and open Winbox. Using Winbox, you should be able to connect to the device using the MAC address that sh...
by MangleRule
Fri May 11, 2018 6:35 pm
Forum: Beginner Basics
Topic: Can't access ipcam from my modem router behind mikrotik
Replies: 11
Views: 1616

Re: Can't access ipcam from my modem router behind mikrotik

/ip firewall nat add chain=dstnat action=dst-nat in-interface=ether-WAN protocol=tcp dst-address=192.168.0.1 to-addresses=192.168.1.15 dst-port=8080 to-ports=8080

With the above rule, it is stating that if any traffic comes in from the interface ether-WAN destined to the host 192.168.0.1 on port 80...
by MangleRule
Wed May 09, 2018 5:12 pm
Forum: Beginner Basics
Topic: I cannot get internet to work [SOLVED]
Replies: 3
Views: 732

Re: I cannot get internet to work [SOLVED]

I'm glad to hear everything is working for you!
by MangleRule
Wed May 09, 2018 4:06 am
Forum: General
Topic: port speed
Replies: 16
Views: 1678

Re: port speed

It would help to know your configuration as well as the current hardware you have. What speeds can you get through the router currently and what does your CPU look like while you push traffic.
by MangleRule
Wed May 09, 2018 1:04 am
Forum: General
Topic: Usable rules for firewall
Replies: 5
Views: 1861

Re: Usable rules for firewall

Nice.
But you can't switch on/off or count particular protocols hitting your router.

Well you can just disable and enable the items on the address-list to turn them off and on. I guess counters would be the only downside.
by MangleRule
Wed May 09, 2018 12:52 am
Forum: General
Topic: Usable rules for firewall
Replies: 5
Views: 1861

Re: Usable rules for firewall

I'm sure this will be useful to a lot of people! To keep the firewall tables from getting unruly it might be nice to get these into address-lists like "multicast.addresses" and have a single rule. It would make importing, extending, managing, and deleting these rules very simple. /ip firewall filter...
by MangleRule
Tue May 08, 2018 11:27 pm
Forum: Beginner Basics
Topic: Can't access ipcam from my modem router behind mikrotik
Replies: 11
Views: 1616

Re: Can't access ipcam from my modem router behind mikrotik

So let's say for the example the following are true:

Public IP: 122.x.x.x
Camera IP: 192.168.1.15
Modem/Router LAN: 192.168.1.0/24
Your RB750Gr3 LAN: 192.168.0.0/24
The Modem/Router and your RB750Gr3 both have their own DHCP servers handling their LAN subnets
Your RB750Gr3 is getting a DHCP address f...
by MangleRule
Tue May 08, 2018 10:28 pm
Forum: Beginner Basics
Topic: Wirelessly extending network into another building
Replies: 9
Views: 1216

Re: Wirelessly extending network into another building

Based on the above information you used the wireless mode "station". In station mode, you do not have layer 2 bridging so you need to setup a dhcp client on the virtual client for the router to get an IP address and access to the internet. Then you would need to setup a DHCP server for the clients i...
by MangleRule
Tue May 08, 2018 9:39 pm
Forum: Beginner Basics
Topic: Wirelessly extending network into another building
Replies: 9
Views: 1216

Re: Wirelessly extending network into another building

To make sure I understand what you are trying to do, is the following accurate?

You have two buildings
Both buildings have MikroTik routers with wireless cards
You want the second building to be able to act as an access point as well as a client connecting to the other building using the virtual cli...
by MangleRule
Tue May 08, 2018 9:31 pm
Forum: Beginner Basics
Topic: I cannot get internet to work [SOLVED]
Replies: 3
Views: 732

Re: I cannot get internet to work [SOLVED]

Can you diagram what your goal is with the configuration? It is much easier to help if you have a diagram with your subnets, vlan ids, and maybe a basic traffic flow example. Without a diagram to reference, we have to sift through your configuration to try to guess what you are doing.
by MangleRule
Tue May 08, 2018 9:14 pm
Forum: Beginner Basics
Topic: Its possible to make this in a same RB750gr3 ? [SOLVED]
Replies: 12
Views: 1948

Re: Its possible to make this in a same RB750gr3 ? [SOLVED]

You should not have two devices with the same IP address in the same network domain. You should just get a second RB750gr3 (let's call them R1 and R2).

Setup LAN1 on R1 and connect that router to WAN1
Setup LAN2 on R2 and connect that router to WAN2

If you ever wanted redundancy, you can connect R1 ...
by MangleRule
Tue May 08, 2018 8:56 pm
Forum: Beginner Basics
Topic: Traffic issues
Replies: 4
Views: 918

Re: Traffic issues

Can you run the following command and post it to the thread? It will make it easier for someone to get an idea of what you have setup.

/export hide-sensitive
by MangleRule
Tue May 08, 2018 8:52 pm
Forum: Beginner Basics
Topic: MikroTik RB951Ui-2nD Mac Server visible always
Replies: 2
Views: 730

Re: MikroTik RB951Ui-2nD Mac Server visible always

All MAC layer processes are Layer 2 so your firewall is not going to help you with anything. If you want to "secure" the router you can use the following:

# Disable MAC Telnet server on all interfaces
/tool mac-server set allowed-interface-list=none
# Disable MAC Winbox on all interfaces
/tool mac-s...
by MangleRule
Tue May 08, 2018 8:13 pm
Forum: Beginner Basics
Topic: Wirelessly extending network into another building
Replies: 9
Views: 1216

Re: Wirelessly extending network into another building

When you say you want to extend the network and not lay a cable that sounds like a perfect use case for a Wireless Wire

They are already paired out of the box as a bridge. They beam-form so you just need to mount them on the side of the buildings.
by MangleRule
Tue May 08, 2018 7:58 pm
Forum: Beginner Basics
Topic: Need Router Suggestion
Replies: 4
Views: 685

Re: Need Router Suggestion

Routers will not have much of an issue handling large amounts of leases. If you are handling 2,046 users though, you are going to run into problems over wireless (I'm assuming since you are doing an outdoor event this is about wireless). You have to remember that the access points, depending on the ...
by MangleRule
Tue May 08, 2018 7:49 pm
Forum: Beginner Basics
Topic: Loadbalance 3 WAN
Replies: 1
Views: 465

Re: Loadbalance 3 WAN

Check out this presentation from one of The Brothers Wisp members Tomas Kirnak: Bandwidth-based load-balancing with failover. The easy way.

Tomas shows a few different approaches to doing this. Hopefully this will give you some ideas for your implementation :)
by MangleRule
Tue May 08, 2018 7:12 pm
Forum: Beginner Basics
Topic: port forwarding issue
Replies: 3
Views: 690

Re: port forwarding issue

You definitely need to give more information here: What are your LAN subnets? Is the 192.168.1.100 address your WAN address? You need to be careful with Masquerade. Masquerade is basically a fancy source NAT used in topologies where your gateway IP address might change. So if you have a dynamic DHCP...
by MangleRule
Tue May 08, 2018 6:45 pm
Forum: Beginner Basics
Topic: telnet to internal device
Replies: 3
Views: 605

Re: telnet to internal device

# Permit any forward traffic that has a destination NAT state.
/ip firewall filter add chain=forward connection-nat-state=dstnat action=accept
# Destination NAT any traffic on port tcp 23 to the host 192.168.1.30
/ip firewall nat add chain=dstnat protocol=tcp port=23 action=dst-nat to-addresses=192...
by MangleRule
Tue May 08, 2018 6:21 pm
Forum: Beginner Basics
Topic: cAP ac bridge ethernet interfaces [SOLVED]
Replies: 7
Views: 2094

Re: cAP ac bridge ethernet interfaces [SOLVED]

Assuming DHCP leases are coming from your LAN ether2, just bridge all of the ports as shown below.

/interface bridge
add name="local-bridge"
/interface bridge port
add bridge="local-bridge" interface=ether1
add bridge="local-bridge" interface=ether2
add bridge="local-bridge" interface=wlan1
add brid...
by MangleRule
Tue May 08, 2018 5:01 pm
Forum: Beginner Basics
Topic: Need Router Suggestion
Replies: 4
Views: 685

Re: Need Router Suggestion

You didn't really mention in the post but is your goal to provide wireless? If that is the case, the issue isn't going to be the DHCP leases, it's going to be shared airtime with that many clients. You would have to split those users up across multiple access points.
by MangleRule
Tue May 08, 2018 4:33 pm
Forum: General
Topic: Store all browsing data in a remote database
Replies: 3
Views: 653

Re: Store all browsing data in a remote database

Realistically the only thing you can really do is setup the MikroTik as a cache DNS server and see what sites are getting queried. Anything further than that, most sites today are HTTPS enabled so the session is encrypted.
by MangleRule
Mon May 07, 2018 7:54 pm
Forum: Beginner Basics
Topic: telnet to internal device
Replies: 3
Views: 605

Re: telnet to internal device

I would highly recommend not using Telnet over the internet without using some sort of encrypted tunnel like IPsec. Anyone could read your credentials in plain text and compromise the system you expose to the internet. I would suggest either setting up a VPN server on the MikroTik you are trying to ...
by MangleRule
Mon May 07, 2018 7:41 pm
Forum: Beginner Basics
Topic: SSTP, remote desktop
Replies: 2
Views: 592

Re: SSTP, remote desktop

That is definitely possible. Once you have the SSTP tunnel up and running, you just need to setup some static routes. The SSTP server needs to know that 192.168.50.0/24 is available over the tunnel and the SSTP client needs to know that 192.168.1.0/24 is available on the other side of the tunnel. On...
by MangleRule
Mon May 07, 2018 7:35 pm
Forum: Beginner Basics
Topic: Hotspot - Userman - Help with setting
Replies: 3
Views: 649

Re: Hotspot - Userman - Help with setting

RouterOS (MikroTik) isn't a RADIUS server, you have a local user database under the users tab to use locally on the MikroTik. The RADIUS server settings are for if you have something like FreeRadius setup to centrally manage users with a RADIUS server.
by MangleRule
Mon May 07, 2018 6:35 am
Forum: General
Topic: How to modify web content using mikrotik proxy?
Replies: 2
Views: 676

Re: How to modify web content using mikrotik proxy?

With an HTTP request, the client makes a request to the server, the server then sends a response that is plain text. There are systems that can catch that server response and inject javascript or HTML before it gets back to the client. With HTTPS this is extremely difficult because the client and se...
by MangleRule
Mon May 07, 2018 6:13 am
Forum: General
Topic: How to insert a javascript on every website user visits
Replies: 3
Views: 598

Re: How to insert a javascript on every website user visits

You wouldn't be able to do this with MikroTik. This type of injection only works on http enabled websites. More and more sites are now using https so it wouldn't work anyways.
by MangleRule
Mon May 07, 2018 1:31 am
Forum: Beginner Basics
Topic: MikroTik RB951Ui-2nD Mac Server visible always
Replies: 2
Views: 730

Re: MikroTik RB951Ui-2nD Mac Server visible always

MAC addresses are layer 2 so your firewall will not help you there. If you want to hide visibility, you can use the following commands:

/tool mac-server set [find] disabled=yes
/tool mac-server mac-winbox set [find] disabled=yes
/tool mac-server ping set enabled=no

You can also go into IP > Neighbor...