MikroTik

networknoob88

My question is why it's working without any kind of (input?) rules that allow the two routers themselves to establish and negotiate the tunnel? Since the default firewall rules form up a stateful firewall, where the first rule in chain input of table filter says "accept (packets belonging to) ...

networknoob88

I set up a S2S IPsec tunnel between my CCR and a Fortigate after consulting some online documentation. It worked fine, but I realized that these are the only two IP firewall filter rules I needed to make it work: chain=forward action=accept src-address=<remote-subnet> in-interface=<my-WAN> ipsec-pol...

networknoob88

If you're thinking about encryption acceleration, then CCR doesn't offer it. Even if a device does offer encryption in hardware, it doesn't interfere with framing functions (such as MSS clamping). On this page: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration It lists "Clou...

networknoob88

I read some posts about this but they were old and seemed to refer to some older versions of RouterOS with issues. I just want to know: 1. What is the approximate max throughput of IPSec tunnel on the CCR-1009-7G with HW acceleration? 2. Does HW acceleration work properly with current versions of Ro...

networknoob88

The problem is that a VPN tunnel has a slightly smaller MTU (maximum packet size) than a plain ethernet network connection, so the router behaves like a funnel that will not let packets that are too large through to the other side. It should inform the sending system whenever a packet is too large,...

networknoob88

Maybe something MTU and PMTU related? Try to add this to see if that fixes it: /ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes \ protocol=tcp tcp-flags=syn WOW that instantly fixed it! Can you give me a super brief explanation (I'm a networking noob) on...

networknoob88

I have an ikev2 site-to-site vpn set up between an Azure vpn gateway and my CCR 1009 using standard Azure VPN parameters (SHA1 AES-256). The connection went live easily. I made sure to disable FastTrack which I understand is a common issue that affects IPSec. I also explicitly set Forward rules to a...

networknoob88

Go to the SYSTEM page. The first ENTRY is for ADDRESS AQUISITION. The second ENTRY is for the STATIC ENTRY if the first entry does not acquire an IP. Set the first entry to static to turn off the DHCP method. Under my System page, there is no "address aquisition". The first field is the m...

networknoob88

I think the RB260GS has DHCP client mode automatically and reverts to fixed address if not acquired. One has to manually disable the auto DHCP feature. Perhaps the RB260GS got assigned a dhcp?? Did you confirm it could actually get an upgrade?? Yeah the web upgrade works. I cant seem to find a way ...

networknoob88

I bought a RB260GS running SwOS. I connected it to my ISP's fiber ONT, then my Mikrotik router to the switch. The switch is used for bypass purpose to isolate certain traffic based on L2 mac protocol between my ONT and my router. After logging into SwOS's web GUI, I noticed that it detected latest S...

networknoob88

... And where do you configure that ACL?

Under SWOS's ACL tab. See pic.

Screenshot (2).png

networknoob88

What exactly do you mean by "ACL rule"?

Just ACL. By "rule" I meant the action I set to redirect ports with a match.

Under Forward, I disabled port1 to port3 forward.

Under ACL, I created an entry that redirect port1 packets to port3, and it works.

networknoob88

I noticed that even if I disable forwarding from port A to port B under the "Forward" tab, an ACL rule that redirects traffic from port A to port B still works.

Is this intended behavior? Basically ACL rules take precedence over Forward rules?

networknoob88

I'm considering buying a Mikrotik switch to do this.
Quick question: can SWOS's web GUI achieve this feature? Or does it have to be a full blown RouterOS based switch?

networknoob88

try using a bridge and bridge rules, maybe that can help I tried. I created a bridge filter, and filtered by mac-protocol 0x888e. I can see the EAP packets coming from the ISP RG, but the problem is I can't do anything with it. The filter only allows me to accept drop etc. I need to redirect those ...

networknoob88

I'm trying to bypass an ISP-issued gateway router with my CCR1009 7G (no switch chip), which involves redirecting EAP packets to the ISP hardware (for authentication). On a Mikrotik router with a switch chip, the following switch rules would achieve this: /interface ethernet switch rule add switch=s...

networknoob88

How can I completely strip all VLAN's on a RB2011 I have been running RouterOS for some time now. Great equipment. Have 50+ 1100AHx2 and CCR1009. Ran into something I didn't think would be a problem. A friend of mine got fiber from the local telco and wanted to bypass the telco's Pace router. He wa...

networknoob88

I don't know much about router hardware but I came from a computer hardware enthusiast background. In that circle, Realtek ethernet = crap (we want Intel). So I'm interested in RB4011 as a low-cost SOHO router. Should I be worried about the fact that it uses a Realtek made switch chip? Also, I can f...

networknoob88

You're to use the range of ip's assigned to you. Since that range is fixed, use src-nat instead of masq. and one of the ip's at hand. And that for both forwarded and local traffic. Yes!! That did it, thank you so much! Just a couple of questions, sorry I'm pretty new to this(as my username suggests...

networknoob88

What about src-nat-ing the outgoing traffic from the router only? The forwarded traffic is / will be ok. Can you clarify this? All the clients that are connected to my CCR use private IPs and NAT. They won't be using any of the static public IPs. The static public IPs are just assigned to the route...

networknoob88

The "pref source" can be defined on the default route too, but I'm not sure if that will do the trick.

This is the first thing I tried. Set pref source on the default route to 22.22.100.156. No errors, but outgoing IP still shows 11.11.100.101.

networknoob88

My CCR is connected to an AT&T ONT box (bypassing AT&T modem/gateway) on a fiber connection. I have a /29 static public IP block from AT&T, but the way AT&T does static IP is as follows: 1. The ONT *must* assign a public IP via DHCP. 2. The static public IP block is then routed throu...

networknoob88

To answer your question: YES! I have a similar setup (except my backup WAN is also my email provider and thus the additional line for the email server IP ). /ip route add check-gateway=ping distance=2 gateway=8.8.4.4 add check-gateway=ping distance=3 gateway=208.67.220.220 add distance=2 dst-addres...

networknoob88

This morning my main fiber Internet went down, so I ordered and activated a secondary cable Internet backup. Set up dual WAN failover using the "simple" method referenced here https://wiki.mikrotik.com/wiki/Two_gateways_failover Secondary WAN is up and running in MT, but it's not failing o...

networknoob88

I'm about to have AT&T Fiber 1000 installed for use with my new CCR1009-7G. The AT&T modem/gateway is a terrible piece of equipment with no bridge-mode and has low NAT table limit. Yet, the AT&T fiber uses some authentication protocol that requires a certificate installed in their own ga...

networknoob88

I did reset and reinstall. I fully understand that I should have changed password immediately after logging in for the first time while being disconnected from WAN. But being the first MT unit I ever played with, my attention during that first hour was on the ocean of options presented to me after l...

networknoob88

I have a new CCR1009 that I've only played with for a few days. Today while working through Winbox, trying to get IPv6 working with my Comcast modem, suddenly I lost connectivity to the router. Trying to log back in fails with "wrong username or password". The router seems to function norm...

networknoob88

I need to do multiple sets of port forwarding like this: TCP Port 10000 Forward to 192.168.88.100 Port 10000 TCP Port 10001 Forward to 192.168.88.101 Port 10000 TCP Port 10002 Forward to 192.168.88.102 Port 10000 TCP Port 10003 Forward to 192.168.88.103 Port 10000 ... Do I have to create a rule for ...

networknoob88

Thank you for the explanation!

networknoob88

Let me add my 2 cents. I believe everything breaks when you change bridge2-vlan500 from untagged to tagged because you run DHCP on bridge itself. For DHCP to work when bridge2-vlan500 is a tagged member of a vlan you need to create a vlan interface with corresponding vlan id on the bridge and run D...

networknoob88

By MAC addresses I can see that "requests" go from Mikrotik to the external devices, and "responses" go from the devices to Mikrotik. It means that Mikrotik systematicall sends everything tagged which in my understanding collides with the fact that you've made ether5 a bridge po...

networknoob88

OK I believe I got what I'm supposed to be looking for in the sniffer file I sniffed the packets by pinging the smart client (192.168.1.102) and dumb client (192.168.1.199) from another client (192.168.89.101) on a separate interface connected to MT. Smart client: request: Ethernet II, Src: Routerbo...

networknoob88

If "smart client" is one which sends and expects tagged frames, then yes, it should ignore the tagless frames where it expects tagged ones. But it may be that it looks into tagless frames as well and if they contain its IP address, it accepts them too. It is "smart" after all, w...

networknoob88

The fact that tagged and not tagged clients cannot communicate with each other over a dumb switch is no surprise as the frames between them are forwarded solely up to MAC addresses and no tagging and untagging takes place, and the frames between two clients' MAC addresses are forwarded directly by ...

networknoob88

So normally you would need to configure a trunk port on which only VLAN 500 is permitted and also set as a default VLAN. That way, tagless frames coming from the wire would be tagged with VID 500, and already tagged frames would be accepted while frames tagged with other VIDs would be ignored. On e...

networknoob88

Indeed VLANs are not useful in that case, but you can still separate the network in different physical networks by connecting each dumb switch to a separate port on the CCR and have a certain class of devices on that switch. You would not put those ports in a bridge, but have separate IP subnets on...

networknoob88

I have a CCR1009-7G running RouterOS 6.42.

I want a simple vlan500 on ether5, that accepts both tagged and untagged packets. For untagged packets they should default to vlan ID 500. No trunks to other routers/switches needed.

Is this possible? If so how should it be done?

Thanks.

networknoob88

Thanks for all your replies. I understand now the difference is basically VLAN on router vs VLAN on switch. Question: is it true to say that if my CCR1009 will be the only "smart" device on the network, with everything else being dumb clients and dumb switches, then there is no point in cr...

networknoob88

Every other tutorial I read about VLANs emphasize on how computers in different VLANs are not supposed to be able to communicate with each other by design and that's what makes them more secure. But it seems in MT (I'm new, starting out fresh on 6.42 with a CCR1009-7G), everything, including VLANs, ...

networknoob88

If you create a VLAN against an interface then the tag applies to that interface on either ingress or egress. If you apply the VLAN to a bridge then the VLAN tag is there for any interfaces that are ports of that bridge. If you have 1 "main" bridge and the VLANs are attached to it then ef...

networknoob88

In this document: https://wiki.mikrotik.com/wiki/Vlans_on_Mikrotik_environment which I assume applies to the current RouterOS version, the example is to first create vlan under Interface, but add a trunk port as the VLAN's interface. Then create a bridge that connects an access port to the VLAN. Wha...

networknoob88

I'm new to the real networking world and just got a CCR1009-7G with the latest version of RouterOS/Winbox to learn. One thing that's causing me massive confusion is VLAN. Tried to look up guides and documentations and they all seemed to mostly refer to either some older version of CCR1009 or some ol...

networknoob88

When you connect by MAC address you are connecting via layer 2. Your firewall works on layer 3. Thanks. Just found that there is a separate Tools -> Mac Server setup where the Mac Winbox server can be controlled. Out of curiosity: Is the RouterOS "router" operation system itself sitting a...

networknoob88

I sincerely believe my post was approved at a timing where it was instantly pushed to the bottom of the list and thus getting no page views.
Your advice on this would be greatly appreciated!

networknoob88

Networking newbie and first time Mikrotik user here (CCR1009 7G). During the initial firewall setup I created the following rule so only specific hosts are allowed to access the router: chain=input action=accept src-address-list=allowed_to_router in-interface=ether2 log=no log-prefix="" La...

Search found 45 matches