Community discussions

Search found 19 matches

by megatron
Fri Nov 30, 2018 9:14 am
Forum: Beginner Basics
Topic: Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?
Replies: 4
Views: 1097

Re: Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?

Oh! Sorry for such a mistake. I didn't realize it may be interpreted that way. They will definitely go through it. Mangle prerouting / raw prerouting / nat prerouting, filter forward / filter input etc etc... (every combination) these are all different blocks on the diagram. Every block is processed ...
by megatron
Thu Nov 29, 2018 9:56 am
Forum: Beginner Basics
Topic: Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?
Replies: 4
Views: 1097

Re: Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?

Are packets accepted in mangle prerouting still processed in mangle forward and filter forward? Yes, they are. It is a separate chain and actually in some cases, it is necessary (for example mangle-prerouting happens before dst-nat but you need to later check, if connection is dst-natted) the "accept...
by megatron
Thu Nov 29, 2018 8:16 am
Forum: Beginner Basics
Topic: Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?
Replies: 4
Views: 1097

Firewall: Are packets accepted in mangle prerouting still processed in mangle forward and filter forward?

Referring to the diagram below, https://www.mikrotik-trainings.com/trainings_files/docs/MikroTik_PacketFlow_Routing24.jpg I have many corner case rules in mangle prerouting that happen only very seldomly. Unfortunately, passing "normal" traffic has to be processed against all of them, burdening CPU ...
by megatron
Tue Nov 27, 2018 7:13 pm
Forum: General
Topic: Mark connection/packet then routing vs just Mark Routing?
Replies: 5
Views: 3358

Re: Mark connection/packet then routing vs just Mark Routing?

FWIW, I also encountered this same syndrome, not sure if we share the same circumstance, but here’s how I solved the problem in my case: It turns out that, in my routing table for a specific routing-mark (say we call it PBR), I simply forgot to specify routes back into my private network, such that...
by megatron
Tue Nov 27, 2018 6:48 pm
Forum: General
Topic: Mark connection/packet then routing vs just Mark Routing?
Replies: 5
Views: 3358

Re: Mark connection/packet then routing vs just Mark Routing?

FWIW, I also encountered this same syndrome, not sure if we share the same circumstance, but here’s how I solved the problem in my case: It turns out that, in my routing table for a specific routing-mark (say we call it PBR), I simply forgot to specify routes back into my private network, such that ...
by megatron
Tue Nov 20, 2018 9:13 am
Forum: Beginner Basics
Topic: Can't connect to hAP ac lite behind managed switch using Winbox (MAC address), but connection via IP address works [SOLVED]
Replies: 4
Views: 614

Re: Can't connect to hAP ac lite behind managed switch using Winbox (MAC address), but connection via IP address works [SOLVED]

"all" means all interfaces. Any interface (physical, virtual, dynamic, etc...) will accept MAC-based connections. MAC-based connection should be possible across whole L2 domain unless there are some L2 filters. That means it is NOT LIMITED to only directly connected devices. also, keep in mind that...
by megatron
Tue Nov 06, 2018 8:37 am
Forum: Beginner Basics
Topic: UDP bandwidth test broken when transferring from GE segment to FE segment?
Replies: 0
Views: 297

UDP bandwidth test broken when transferring from GE segment to FE segment?

I am trying to test the UDP bandwidth between a hEX (192.168.88.1) and a hAP ac lite (192.168.88.2) separated by a managed switch. The hEX is the bandwidth test server, while the hAP ac lite is the bandwidth test client. Since the hEX port speed is 1Gbps, while the hAP ac lite's is only 100...
by megatron
Tue Nov 06, 2018 6:31 am
Forum: Beginner Basics
Topic: Can't connect to hAP ac lite behind managed switch using Winbox (MAC address), but connection via IP address works [SOLVED]
Replies: 4
Views: 614

Re: Can't connect to hAP ac lite behind managed switch using Winbox (MAC address), but connection via IP address works [SOLVED]

MAC connections are allowed according to interface list. In CLI that's /tool mac-server mac-winbox , by default it's allowed from LAN interface list. Interface lists are under /interface list . Hello mkx, I did take special care with these settings like as follows: /ip neighbor discovery-settings s...
by megatron
Tue Nov 06, 2018 6:19 am
Forum: Beginner Basics
Topic: Configure each port to its own broadcast domain (RB750Gr3)
Replies: 2
Views: 770

Re: Configure each port to its own broadcast domain (RB750Gr3)

Don't need any bridges then, best way is to simply configure the gateway ip on each port Thank you CZFan, I wouldn't have thought of this option if it weren't for your post. Of course, if the default Mikrotik configuration had to explicitly bridge the ports together to realize the typical home r...
by megatron
Mon Nov 05, 2018 9:17 am
Forum: Beginner Basics
Topic: Can't connect to hAP ac lite behind managed switch using Winbox (MAC address), but connection via IP address works [SOLVED]
Replies: 4
Views: 614

Can't connect to hAP ac lite behind managed switch using Winbox (MAC address), but connection via IP address works [SOLVED]

I got a new managed switch recently and wanted to test its VLAN function against a hAP ac lite. So, I figured Winbox should be able to connect to it across the managed switch (via MAC address) as long as they're configured to be in the same VLAN/L2 domain. So I set up a management VLAN (VLAN 88) on ...
by megatron
Wed Oct 31, 2018 9:22 am
Forum: Beginner Basics
Topic: Need help understanding VLAN mode
Replies: 9
Views: 2370

Re: Need help understanding VLAN mode

Mikrotik has this (quite) unique feature that even when one configures VLANs on switch/bridge, untagged frames can still enter switch/bridge. The rest of universe seemingly demands that when you start to use VLANs, you have to stick to it so that inside network device, no untagged frames can live. ...
by megatron
Tue Oct 30, 2018 5:19 pm
Forum: Beginner Basics
Topic: Can't connect to hAP ac lite over wireless using Winbox (via MAC address) when wireless vlan-mode=use-tag
Replies: 5
Views: 784

Re: Can't connect to hAP ac lite over wireless using Winbox (via MAC address) when wireless vlan-mode=use-tag

Please, attach the whole config with hide-sensitive option. Here it is, do you see anything wrong with it: # jan/02/1970 01:40:17 by RouterOS 6.43.4 # # model = RouterBOARD 952Ui-5ac2nD /interface bridge add name=bridge1 protocol-mode=none /interface vlan add interface=bridge1 name=vlan-iot vlan-id...
by megatron
Tue Oct 30, 2018 4:54 pm
Forum: Beginner Basics
Topic: Can't connect to hAP ac lite over wireless using Winbox (via MAC address) when wireless vlan-mode=use-tag
Replies: 5
Views: 784

Re: Can't connect to hAP ac lite over wireless using Winbox (via MAC address) when wireless vlan-mode=use-tag

That should work just the same as with ethernet port. Check what do you have in /tool mac-server mac-winbox export You probably have not the whole vlan but only some interfaces added to that list. OK so I checked and found my configuration to be: /ip neighbor discovery-settings set discover-interfa...
by megatron
Tue Oct 30, 2018 11:28 am
Forum: Beginner Basics
Topic: Can't connect to hAP ac lite over wireless using Winbox (via MAC address) when wireless vlan-mode=use-tag
Replies: 5
Views: 784

Can't connect to hAP ac lite over wireless using Winbox (via MAC address) when wireless vlan-mode=use-tag

Is it possible to enable such access? The wireless interface is configured to be a member of a VLAN, so I have no choice but to set vlan-mode=use-tag. Because it's possible to connect using an ethernet port instead, configured as an access port member of said VLAN (vlan-mode=secure, vlan-header=alwa...
by megatron
Mon Oct 29, 2018 11:41 am
Forum: Beginner Basics
Topic: Need help understanding VLAN mode
Replies: 9
Views: 2370

Re: Need help understanding VLAN mode

Hello mkx, thank you for the explanations, if I may add: Switch adds VLAN tag on ingress and removes VLAN tag on egress. Which is exactly what you configured with setting vlan-header=always-strip and (I presume) default-vlan-id=2 . You are right, I set default-vlan-id to 2 for both Ports 2 and 3. Th...
by megatron
Sun Oct 28, 2018 5:01 pm
Forum: Beginner Basics
Topic: Need help understanding VLAN mode
Replies: 9
Views: 2370

Re: Need help understanding VLAN mode

So, I tried the following experiment on a hAP ac lite: Port 1 - trunk port for VLAN2 & VLAN3 Port 2 - access port for VLAN2 Port 3 - access port for VLAN2 Port 4 - access port for VLAN3 Port 5 - access port for VLAN3 Where vlan-mode=secure for all Ports 1 to 5, vlan-header=add-if-missing for Port 1,...
by megatron
Sun Oct 28, 2018 4:48 pm
Forum: Beginner Basics
Topic: Need help understanding VLAN mode
Replies: 9
Views: 2370

Re: Need help understanding VLAN mode

There are at least three different VLAN implementations. Old bridge way New bridge way Switch way and then you have the old way of master/switch port. Read this post and you get some understanding of how VLAN works: https://forum.mikrotik.com/viewtopic.php?t=138232 Hello Jotne, thank you for the r...
by megatron
Sun Oct 28, 2018 8:20 am
Forum: Beginner Basics
Topic: Need help understanding VLAN mode
Replies: 9
Views: 2370

Need help understanding VLAN mode

Hello, this is my first week into the Mikrotik and RouterOS world. I am having some trouble understanding VLAN Mode as described on https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features . I just have some questions about the following table describing VLAN Mode = secure : VLAN switching logic.p...
by megatron
Fri Oct 26, 2018 11:22 am
Forum: Beginner Basics
Topic: Configure each port to its own broadcast domain (RB750Gr3)
Replies: 2
Views: 770

Configure each port to its own broadcast domain (RB750Gr3)

I wish to use an RB750Gr3 as a router for 5 different subnets, such that each port is separately configured to have its own broadcast domain. Would it be better (performance-wise, security-wise, etc.) to bridge eth1-eth5, enable VLAN, and assign each port as an access port? Or create 5 separate brid...