MikroTik

rkrisi

Dear All, We are using openVPN several years ago with a growing number of clients. Right now, around ~30-40 clients. We want to transfer to UDP protocol, we were only using TCP mode because of lack of support in previous RouterOS releases. I have configured a second openvpn server instance on differ...

rkrisi

MSCHAP will definitely work against plaintext credentials, if your setup does not it is most likely a FreeRADIUS configuration error - run it with debugging enabled and look at the logs. Depending on how your password changing is implemented you should be able to incorporate something which will st...

rkrisi

Dear All, I want to implement login for network admins through our OpenLDAP database. I have configured FreeRadius for this purpose and configured RADIUS on the router. However login is not working as MikroTik is using mschap protocol for login and obviously in openldap we don't have NT-Password or ...

rkrisi

I would also be interested in how 5 Ghz backup is configured in default pair config

Answer is here: viewtopic.php?t=170983#p841316

rkrisi

I would also be interested in how 5 Ghz backup is configured in default pair config

rkrisi

Most of us dont have a rocket ship to get there so keep dreaming. OVPN, is like a zit that wont go away....... Lance it cauterize it etc............ And yes HOLVOE, once we get rid of the useless OVPN code, there will be tons of room, for Zerotrust Cloudflare tunnel WITHIN ROS , let alone as an opt...

rkrisi

I have multiple problems with RB4011 since v7.8. After some time, the bridge ports stop sending any packets, router is inaccessible. This might be solved with this one (from 7.10rc1): *) bridge - fixed HW offloading for vlan-filtered bridge on devices with multiple switches (introduced in v7.8 ); Ho...

rkrisi

If I understand that you want to use a station to connect to multiple router with different ssids and passwords. You can use the connect tab under wireless tables to define the ssids and passwords. Just leave the wireless interface with generic info and no ssid.

Yes, thanks, I will try this!

rkrisi

Dear Community! I want to create a config, where I define more Virtual Wireless interfaces (all in station mode) with different SSID and Password, and the router should connect to any of them available. However I'm not able to do it this way. If the main interface is a station, it will not become ac...

rkrisi

Everything you've (rkrisi) asked has been completely clear. It may be because I have spent a lot of time working with management VRFs in the past, and understand their role in segregating overlapping private IP address space (customer IP vs management IP). My familiarity comes from working on such ...

rkrisi

I'm using 7.7
and where did you write it?

Nowhere. I'm not the original author of this post. I missed that the title says 7.3.1

rkrisi

Same problem for me. Just updated a hexS. On RouterOS 6 all details were visible. On RouterOS 7 everything is blank... Link is OK.
Why you still to use RouterOS 7.3.1????

I'm using 7.7

rkrisi

Same problem for me. Just updated a hexS. On RouterOS 6 all details were visible. On RouterOS 7 everything is blank... Link is OK.

rkrisi

I have experienced several messages like "private-dhcp offering lease 192.168.111.50 for 94:EA:32:35:52:98 without success" after upgrading to 7.7. The result was that the clients were unable to access the network nor Internet. Clients are mostly connected via CAP managed APs. This happen...

rkrisi

Same answer put CHR on that VPS and run wireguard through the CHR on VPS............... get rid of openvpn No VRF required........... I still can't understand your answers. This is a working system, not a hobby project where I can change anything I want. And also I still can't understand how this w...

rkrisi

Yes, exactly what I would like to achieve! Thanks for your diagram. However I did not find any working solution for this. I'm open to other options as well, but the "client" networks behind these routers usually include several subnets, sometimes even overlapping with my VPN subnet. That'...

rkrisi

Ahh and when you say VPS, is it a specific type of server? What can be hosted on it? do not overcomplicate the setup i guess the setup is something like this: 28-12-2022_MTforum_ovpnclientInVrf.png AFAIU the OP just wants to have the remote mgmt tunnel in its own "mgmt vrf" on the router ...

rkrisi

Once again what you state is more confusing then helpful. What do you mean mikrotik has to be the client side? The client side to what...... A. do you mean the MT router Wireguard has a publicly accessible WANIP and thus can be used as a server? B. do you mean that the MT router is a client and doe...

rkrisi

You are correct, I have no clue how your network is cobbled together or why. Seems pretty simple to me, use the VPN capability in MT and drop this ovpnserver. Done! I can change to any kind of VPN, but it has to be a client on the Mikrotik side, because these routers are usually behind a CGNAT or d...

rkrisi

The requirement is clear, something like winbox in remotely via the iphone over wireguard, where the incoming admin can connect to the router. What makes you think this has anything to do with VRF??? A normal wireguard connection and knowledge of firewall rules will meet the requirements! To spell ...

rkrisi

Yes, VRF seems like a clean solution but often it is just a little bit too limited... and the configuration is incoherent. You always need to check the manual because in some places you specify VRF separately, in other places you can use address@vrf notation. Still, all services operate in a single...

rkrisi

When your use of VRF is just a direction you took for this, and not some mandatory situation, you can achieve the same thing using a firewall forward rule. Drop any forward traffic towards that interface. Your management traffic towards the router will only appear in input and output chains, not in...

rkrisi

When your use of VRF is just a direction you took for this, and not some mandatory situation, you can achieve the same thing using a firewall forward rule. Drop any forward traffic towards that interface. Your management traffic towards the router will only appear in input and output chains, not in...

rkrisi

Hi all! I want to make a VPN connection from a router for management purposes. So I want to place this VPN in a seperate VRF, so that the VPN cannot be accessed from the router interfaces, the VPN is only there to connect to it remotely. I have created the ovpn-client as usual, and created a VRF tab...

rkrisi

Thanks for everyone!

My initial config and idea was right, but it did not work first because some old VRF with the same name was stuck in the router.

Recreating the VRF with different name solved all problems

rkrisi

Hi all! I have an RB4011 router and a hexS switch. RB4011 does routing, hexS only provides switch access ports to hosts. Uplink internet is connected to RB4011 directly. I want to add a second (LTE) backup connection to the network. Since RB4011 does not have any LTE and USB interface (and also loca...

rkrisi

It seems that the default configuration works. It was just a mistake by me (some used list interface groups were not created before). Also the logo is now shows the new one after a reset. The login page also works after a reset. So concluding my post, the 'Read this first' instructions says that the...

rkrisi

Hi everyone! I have tried to create a full branding package for our managed devices. This is what I have done: Created an ASCII logo - works, always visible in the terminal Created a "mikrotik_logo.png" file and uploaded to Webfig logo. This works, but the resulting logo was too large. I h...

rkrisi

So you have overlapping subnets? That makes it more difficult, but probably still doable using another routing table. Either using some semi-manual config for VPN client (I don't use RouterOS as OpenVPN client, so I'm not sure if that's possible) or using VRF (I'm not the best friend with that eith...

rkrisi

Unless you're after something special, there's mighty tool called firewall, it can allow access to tunnel from router and block any attempts from elsewhere. Well the mighty tool called firewall will not work here. I want the router to forward packets to the default gateway from clients even if it i...

rkrisi

Hi!

Is it possible to configure openVPN client on Mikrotik router so that only the router can access the routed VPN subnet?

Like deleting the route from the routing table, but only allow that particular router to access that subnet.

Thanks!

rkrisi

Dear Community! I have a fallback LTE device connected to one of my Mikrotik switch (it is connected to the switch because of signal strength and bandwidth and not directly to the router - also my router RB4011 does not have a USB). So the scheme looks like this: LTE Modem -> hex S switch -> RB4011 ...

rkrisi

Thanks solved! Use this: :log warning ("New ISP Gateway: " . $"gateway-address") :log warning ("New ISP IP: " . $"lease-address") To find such problems, put the script in /system scripts and do: /system script print where name="yourscript" Broken hig...

rkrisi

Hi everyone, I have a router with a specific DHCP client script: :log warning "Setting new IP addresses from DHCP-client"; :if ($"bound"=1) do={ :log warning "Setting new IP addresses from DHCP-client"; /ip firewall address-list remove [/ip firewall address-list find li...

rkrisi

I have used the dhcp client/bridge combo for quite some time on crs3xx switches. It worked flawlessly in the 6.x and 7.x versions until 7.2rc2/3. I reported the issue with support and in my report pointed out that switching to tagged/vlan interface config did indeed work. Both methods have their us...

rkrisi

In a VLAN setup the bridge interface should never get a direct IP. Thats a nogo ! IPs should only be distributed on the VLAN IP Interfaces directly ! See https://administrator.de/contentid/367186 for a detailed example. Unfortunately German but the describing screenshots are pretty self explaining....

rkrisi

Is the extract still accurate in this post ? I have an RB760iGS in a lab environment with v7.2rc4, and I could try loading from a clean state to see if I can reproduce what you see. I would use my ER-X as the "router" with dhcp server. # mar/06/2022 20:54:33 by RouterOS 7.2rc4 # model = R...

rkrisi

I had a little time to experiment with this. So I turned off hw offload for all bridge ports first. Then I tried to update to 7.1.3. Same as before, only minor change is that the device got an IP address through the DHCP client! But nothing else worked. Even after this, I was unable to ping the rout...

rkrisi

The original configuration using setting a PVID on the bridge-to-CPU interface making it an access port is absolutely fine, others may not have realised this is not your router and so does not require all of the VLANs trunked to the CPU. You can test the hardware-offloaded switching hypothesis by s...

rkrisi

@rkrisi starting from v7.1rc5 bridge vlan filtering is done using the switch chip in MT7621 devices, from the 7.1rc5 changelog: *) bridge - added HW offload support for vlan-filtering on MT7621 switch chip (hEX, hEX S, RBM33G, RBM11G, LtAP); Prior to that release (including RouterOS 6) bridge vlan ...

rkrisi

Is the "trunk link" connected to ether1 using a native vlan 10? i.e. a "hybrid" in MikroTik terminology. If so, make a backup (because I have not tried this myself) and copy it to a pc you can restore from. Also export and save. Go into safe mode, just in case you loose connecti...

rkrisi

Hard to say because you provided an incomplete config posting. All the rules work together so if you leave some out, I would only be guessing............ default PVID is 1, and it should be left so. If you do use vlans, then use vlans and the bridge should do nothing else but be the bridge. You hav...

rkrisi

I would never use pvid other than the default for the bridge, not sure why you do that?? In any case you need to tag the bridge in bridgevlan settings. /interface bridge vlan add bridge=bridge tagged=ether1, bridge untagged=ether4,ether5 vlan-ids=10 add bridge=bridge tagged=ether1, bridge untagged=...

rkrisi

I have a fairly simple config which works great on RouterOS 6. Upgrading to RouterOS 7, breaks this config, no IP address is obtained through the trunk VLAN port, no communication (also access-port connected devices cannot communicate). What might be wrong, needs to be changed? # feb/24/2022 00:00:0...

rkrisi

I have tried this cable outside the wall (though it is much shorter) with a different socket (not that in-wall socket I have everywhere), that one worked perfectly with 1Gbps speed. That's the answer. You have a cable/socket hardware problem. Make sure your cable and socket are 1Gbps compatible and...

rkrisi

Dear Community! I have wired my home and in some rooms the link is only 100Mbps full-duplex instead 1Gbps full-duplex. On the both end of the link, there are Mikrotik devices (and confirmed that both can do 1Gbps speed). One side: RB4011 Other side: hexS FTP Cat6 cable used in wall. In other rooms w...

rkrisi

Can you remove the antennas from the housing? I mean I know that the cable can't be removed, but can you fully remove the antennas, so that the housing would look like an RB4011 without wifi?

rkrisi

Dear Community! It is possible to somehow block IP addresses when they failed to login through openVPN after X times? I can see in the log that sometimes from random IP address they try to connect through openVPN. The only problem is that from the log I can only see that a 'TCP connection estabilish...

rkrisi

Install hyperv and a chr. Suits your case.

I thought about this, but I hoped that there are easier methods. Anyway I will try this, thanks!

rkrisi

Hi Everyone! We are using several Mikrotik devices in our network and more and more installed every day. Usually I have to write the config scripts without the access to an actual Mikrotik hardware. I thought about it would be great if I could somehow validate these hand written configs without real...

rkrisi

Solved. Needed to add an iptables MASQUERADE for the RPI:

iptables -t nat -A POSTROUTING -d (here your local network) -j MASQUERADE

rkrisi

Correct

Thanks for your help!

rkrisi

So why did you use routing marks in the original post in the first place? Because that config was for traffic balancing. Failover scenario can be greatly simplified, as you can see :) However this way, I need to update at least GW1_IP in case it changes... What is the best way to do this? DHCP clie...

rkrisi

Can I downgrade to this from 6.47 without losing the config?
Yes, make a backup to feel more comfortable anyways

The problem is not the backups (they are done automatically every day), but that these devices are in a remote location, so I can't access them physically.

rkrisi

Can I downgrade to this from 6.47 without losing the config?

rkrisi

Can I use multiple CheckingHosts here? If yes, how? Sure, just add a route to a new checking host and add default route via that host. One of those default routes will be active. Also is it possible to send Email when the failover link becomes active? You need some external script to check, for exa...

rkrisi

So why did you use routing marks in the original post in the first place? Because that config was for traffic balancing. Failover scenario can be greatly simplified, as you can see :) However this way, I need to update at least GW1_IP in case it changes... What is the best way to do this? DHCP clie...

rkrisi

"gateway=etherN" works not the same as with point-to-point interfaces, and definitely not as you expect. Don't use this. Gateways are static So use gateway IPs in gateway= parameter, that's exactly what you need. Yes, sorry I forgot that this would only work with point-to-point interfaces...

rkrisi

If your gateways are static (I didn't see any situations where they are not), just disable adding the default route. If they are not, you may use DHCP Client Script to update your routes with correct gateways. Gateways are static, I have 2 dedicated uplink gateway, but it's IP addresses are not sta...

rkrisi

I have tried setting the routes as described in the first post, but it did not work. Later from the thread I realized that I would need to setup mangle rules for this to work. You don't need routing marks at all: /ip route add dst-address=CheckingHost gateway=GW_MAIN_IP scope=10 add distance=1 gate...

rkrisi

I would need to have a failover link in my setup. Reading through this thread, I'm a little bit confused and I was unable to use this in my setup. Can someone help me? Is this a good way to go? What I would need: I have 2 uplinks (ether) and I would need if the first (main) goes down to route all tr...

rkrisi

Interface can be gateway only when it's point to point type, because there's only one device on the other end and it receives everything. Ethernet can have many different devices connected at the same time, so traffic must be sent to gateway's MAC address (which router gets automaticaly from IP add...

rkrisi

Dynamic default route doesn't check gateway. You can change that with routing filters: https://forum.mikrotik.com/viewtopic.php?p=605415#p605415 But even if gateway is reachable, it still doesn't guarantee that internet will work, because there can be something broken futher in ISP's network. Well ...

rkrisi

Actually, I wasn't reading carefully. If you'd be interested only in changing default route distance, DHCP client has default-route-distance parameter, so you can just set it there and you don't need anything else. If you want better detection whether connections works or not, you may try e.g. Adva...

rkrisi

You can use dhcp lease script to update routes: https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client#Lease_script_example If it looks complicated, it can be made much simpler: https://forum.mikrotik.com/viewtopic.php?p=748218#p748218 Thanks this looks great! However sometimes the dhcp client not lo...

rkrisi

Dear Community! I want to configure my router to use 2 WAN connection and the second should be used only when the first and main WAN is not reachable. However I'm stuck with the current config: [*] Both WAN uses dynamic IPs, so I can't set default routes manually as most guide says [*] I need dhcp c...

rkrisi

Is there a route back from client subnet to your subnet? if not, there must be. If not the device in client subnet tries to reply through default gateway. Yes there is! If I try to ping anything from this client to my subnet, it works correctly. However the routes looks a little suspicious, I don't...

rkrisi

Dear Community! I have an openVPN server configured on a RB4011 router. Everything works perfectly, except one thing: I want to access one of the clients subnet, but I can't get it to work. The VPN subnet is 10.0.98.0/24 The client subnet is 192.168.1.0/24 I have added a static route to 192.168.1.0/...

rkrisi

It is possible to run multiple virtual wireless interfaces on top of single physical interface with CAPsMAN just like it's possible with local configuration. In provisioning part, use comma-separated list in slave-configurations= property. The only gotcha with CAPsMAN is when one wants to configure...

rkrisi

CAPsMAN needs to control whole wireless interface (physical/primary and virtual APs). With setup wanted by @OP there's a typical chicken&egg problem: device needs primary wireless interface up&running to connect to CAPsMAN so CAPsMAN can not really configure that interface anymore. So no, w...

rkrisi

Well it seems you can't run CAPsMAN on virtual Wireless interfaces... and also you can't create station config in capsman...

rkrisi

This is my current caps-man config on the manager: /caps-man channel add band=2ghz-g/n control-channel-width=20mhz frequency=2422 name=channel_2ghz add band=5ghz-a/n/ac frequency=5500 name=channel_5ghz /caps-man datapath add local-forwarding=yes name=datapath1 /caps-man security add authentication-t...

rkrisi

I have tried setting up this way, but I lost access to the AP.
I don't know what I did wrong, it would be great if somehow I could use CAPsMAN as I would like...

rkrisi

It seems that I had other problems in my network setup, so not the PIM configuration was incorrect.
Anyway for my use-case an IGMP proxy was enough which is much easier to configure.

rkrisi

For me it is also more important to have a stable connection rather than a faster one but with some hiccups. However comparing range and overall wireless stability, my old router performed the same way (no real wireless disconnection problems or whatsoever) - it had other problems, that's why I chan...

rkrisi

Finally solved this! So from Mikrotik perspective, everything was set up properly. You might need IGMP proxy for some devices, but no need for PIM (some suggested that IGMP is not enough, even though every guide says it uses IGMP), just a simple IGMP-Proxy setup will do. I have switched from avahi t...

rkrisi

Ok I might have found the problem and maybe someone could help me with a correct avahi reflector config IGMP forwarding is really needed, though looking at Wireshark a simple IGMP Proxy setup is enough, no need to mess with PIM. The problem seems to be with avahi-reflector, but I don't know what is ...

rkrisi

Sorry I spaced post those filters rules.... I will try to get at it when I get home. That is strange the new device cannot work. What is the igmp all for? It seems that some device don't just use mDNS but also IGMP to discover devices. Even Chromecast for Chrome mentions that IGMP is also needed. M...

rkrisi

It seems that on a new device even on my private vlan the Chromecasts won't work. On my private vlan everything is accessible and for debugging purposes now everything is also allowed from the IoT network, but still I can't get this to work. I have downloaded a Bonjour Browser which lists the mDNS t...

rkrisi

All of the IGMP groups are excluded and I don't know why. It should be forward right? (So that these igmp groups will be present in all vlan v2E vlan_iot 224.0.0.2 0.0.0.0 4m12s v2E vlan_iot 224.0.0.13 0.0.0.0 4m12s v2E vlan_iot 224.0.0.22 0.0.0.0 4m6s v2E vlan_iot 224.0.1.187 0.0.0.0 4m5s v2E vlan_...

rkrisi

I'm still lost with this as I did not find any great example how you could use PIM between VLANs on the same router. Would be great if someone could help me so that from one VLAN the multicast will be forwarded to all other VLANs as well.

rkrisi

Well, you might be right, so I would try this. You mean to allow traffic only to that device? But: It was the input chain rule which caused Chromecast devices to appear. So I added a rule to the input chain, not forward which allows access to the whole network from guest network. The reflector has ...

rkrisi

So the progress is: Chromecast devices work fully on my main network. Guest network does not seem to work, even with mDNS reflection. On Guest network everything is blocked except WAN traffic. As soon as I enable the vlan_guest network to access everything, devices appear. I don't know what I need ...

rkrisi

So the progress is: Chromecast devices work fully on my main network. Guest network does not seem to work, even with mDNS reflection. On Guest network everything is blocked except WAN traffic. As soon as I enable the vlan_guest network to access everything, devices appear. I don't know what I need t...

rkrisi

Well this seems to work, but I'm not sure if it is right or not: 0 Rv2 vlan_iot pim igmp 1 Rv2 vlan_guest pim igmp 2 Rv2 vlan_private pim igmp 3 DR register pim RP: 0 10.0.1.2 static 192

rkrisi

I see lots of reference to theoretical speeds, 867, 1300, etc............. Remember its marketing hype as those are two way added speeds. The most ludicrous is the term ooh aahh 1750 which is adding both 2.4 and 5ghz two way streams 450+1300. Or 867+300 = ~1200 on the packaging. Consider 1300 for e...

rkrisi

This is a post about Wifi problem, is your question still Wifi related? If so you CAN NOT test Wifi connection with Ookla Speedtest. Well you can, but your results do not say anything about the Wifi, but about the complete system. So the only way to do this is test Wifi connection between the AP an...

rkrisi

Well, another observation through longer time... It seems that only speedtest is slow(er), using P2P connection (like torrent client) is much faster, even on my personal computer 15m away from the router. Speedtest (does not matter which - ookla, fast.com, etc... or even local iperf) usually gives 1...

rkrisi

Exactly. AP RX rates I get >1000Mbps with MacPro 3x3 but on AP TX I rarely go over the 800Mbps rates... So client UL is a but better than DL. On the 2x2 client I get 800mbps rates on both Rx and Tx. PS: I keep AMPDU priority as default (only "1" checked). I see bad performance when enabli...

rkrisi

I have found this presentation which seems to do the same (even RB751 is the same :D ) https://mum.mikrotik.com/presentations/MN17/presentation_4441_1497864498.pdf But I might want to get some infos from you, if this is really possible and it would work similar as now (but I would be able to manage ...

rkrisi

Dear Community, Right now I have a second router (RB751) configured as a Wireless repeater. Basically the range for handheld devices are great this 2.4GHz based repeater is only needed for IoT devices cause they have a really low range. I wonder if I can set this up (the second AP only has one wirel...

rkrisi

I implicitly assumed this, but to be sure, I use 80 MHz capable clients.
You can check in the Wireless "registration" tab that they do receive and sent with 80 Mhz
and 2 spatial stream.

Same clients here (I get around 800Mbps Rx rate 80Mhz/2SP/SGI)

rkrisi

Setup: - Near range (2meter) between client and AP - iperf3 on Android / MacOS - iperf3 on Rasp4 with Ethernet connected to RB4011 - RB4011 4x4 ROS 6.46.6, reset to default, 20/40/80MHz channel and Wifi security added (to avoid also anyone connecting to the unit) - Add also the country in Wifi inte...

rkrisi

I also did some tests on the RB4011 5 GHz performance this weekend (using ROS 6.47). It looks like it does not like to transmit data. Using iperf3 over the wifi-connection, the RB4011 was able to receive about 300 MBit/s from a 2x2 client (Intel AC7260), but it only managed to send 80 Mbit/s back t...

rkrisi

But basically this will work as a client from the perspective that it will connect to the router ask for it's DHCP address, etc...? you can setup static IP for second AP if this needed, if you talking about WiFi clients - it will work without any extra setup (DNS (but you can set it for receiving f...

rkrisi

I don't have experience in WDS myself, but just stumbled over this wiki page https://wiki.mikrotik.com/wiki/WDS_repeater_example There are also some YT videos: https://www.youtube.com/watch?v=s6PEDtf5qDQ Thanks I have found these (forgot to mention), but if you have a look at my previous reply, you...

rkrisi

simple case for repeater: main AP - create WDS: wds mode - dynamic, wlan1 mode - AP bridge secondary AP (repeater) - wlan1 mode - wds slave with same SSID, security profile settings, channel (auto also work) Yes this is what I thought, but I had no time to try it out (it is rather risky and I don't...

rkrisi

Also I really don't know which WDS type should be used here. I assume dynamic, but it will also allow for clients to connect to that AP? Or dynamic mesh what needs to be used here?
I could not find any documentation on this...

rkrisi

Kudos to you for sticking with the thread and posting updates! I am installing all Unifi equipment, but dont want to leave RouterOS behind. My project is to break up my network into LAN, IoT & NoT. Right now I am dumping all VLANs to the LAN network. I have implemented policies restricting traf...

rkrisi

Dear community! I have a secondary Mikrotik Router which works now just as a Wireless client and some wired-only clients connected to this AP (unfortunately I don't have wired access there and some devices only supports wired Ethernet connection - that's why this is needed). I want to enable WDS on ...

rkrisi

I'm unfortunately stuck with this. mDNS reflection seems to be working fine, printers, AirPlay devices shows up correctly on every VLAN immediately and works as it should. Though Chromecast devices and Spotify Connect devices don't seem to be working flawlessly. So these devices may need additional...

rkrisi

I'm unfortunately stuck with this. mDNS reflection seems to be working fine, printers, AirPlay devices shows up correctly on every VLAN immediately and works as it should. Though Chromecast devices and Spotify Connect devices don't seem to be working flawlessly. So these devices may need additional ...

rkrisi

Dear Community! I would need to setup PIM to work on my network (lots of devices use IGMP multicast packets to discover each other and other similar multicast methods...). I have one router (RB4011) configured with more VLANs, each VLAN has it's own subnet. I have tried setting up PIM and adding an ...

rkrisi

Finally I was able to get this working.
Basically I needed to add a firewall rule that explicitly says to forward packets originated from the BASE interface (this is where I added the ovpn bindings).
Now everything works as it should.

Thanks for your help!

rkrisi

You can only have one server binding per username - if the same username is used more than once you end up with the server binding plus additional dynamic interfaces <ovpn-someuser-1>, <ovpn-someuser-2>, etc. If a connection is interrupted you can end up with the user connected via a dynamic interf...

rkrisi

That rule is for the outer tunnel, not the inner tunnelled traffic. As discussed in post #4 with having firewall rules referring to the lists 'BASE', 'VLAN', 'BASE+VLAN' the open VPN server interface has to be added to these if you wish the VPN traffic to use the rules. Having interface-list=VLAN i...

rkrisi

Local is server, remote is client. For point-to-point interfaces you can have the same local address on multiple interfaces. VLANs are not the issue, they only have significance for layer 2 ethernet. IP routes are automatically added to the routing table ( /ip route print or Winbox, IP > Routes), o...

rkrisi

I have set everything, different pool for ovpn, removed DNS server as well. Connected, got an IP from the specified pool. However now even when I try to ping a local device from remote device, it does not respond. The other way, from local to remote works... I might think that vlan filtering has to ...

rkrisi

There is nowhere to enter an interface in /ip pool - just a pool name, addresses and an optional next pool. So, based on your config, something along the lines of: /ip pool add name=pool_ovpn ranges=10.0.98.10-10.0.98.254 ... /ppp profile add dns-server=10.0.0.3 interface-list=VLAN local-address=10...

rkrisi

I don't know what is causing the problem. Tried different setups. It is odd that you got to a point where you had some connectivity and then lost it. I might not understand your question, but if this is the question: The remote client has an IP address from a completely different subnet (172.XX...)...

rkrisi

Nothing immediately jumps out. Is the Open VPN client connecting from an address within the IP range you are trying to tunnel? I've never tried it myself to see if handles this situation. Also, IIRC there have been comments about /internet detect-internet causing odd behaviour so it may be worth re...

rkrisi

Per my previous email either add routing statements to the OpenVPN client configuration file route 10.0.0.0 255.255.0.0 vpn_gateway OR change the Mikrotik VPN server /interface ovpn-server server set auth=sha1 certificate=server cipher=aes256 default-profile=ppp_private enabled=yes netmask=16 requi...

rkrisi

Is the OpenVPN client another Mikrotik or a Windows/Linux machine? You may have missed the point of what @tdw wrote - it is not enough to add the routes towards your Mikrotik LAN subnets to the routing table of the client machine's kernel, you also have to add them to the openvpn configuration file...

rkrisi

Ok thanks for clearing this up for me. Now I can access the 10.0.99.0/24 subnet from which the address is given to the interface, but not other subnets, though I have created an address list with 10.0.0.0/16 and added it under the /ppp profile address-list option. Should I need to do anything else ...

rkrisi

The Mikrotik OpenVPN implementation is shoehorned into their PPP model, and it does not quite fit, so some of the PPP profile settings have no meaning when used with the OpenVPN server - in particular setting bridge= under /ppp profile has no effect, this is used by PPP Bridge Control Protocol (BCP...

rkrisi

Not being able to access the router itself is likely to be firewall rules. Having the same VLAN ID on different bridges will not pass that traffic between bridges, are you looking to bridge or route traffic? Printing the bridge and PPP profile entries provides no useful information, post the output...

rkrisi

Dear Community! I have a network seperated with VLANs. I wanted to enable openVPN server on this system, however I'm not able to get it working. Currently I can connect to the server both from inside and outside of the network and I get an IP from the specified pool, but I'm not able to access the l...

rkrisi

These 3 devices are used for testing. Totally random screenshot, so I have not adjusted anything. Ok , rkrisi (Kristof) , thanks for sharing. There is normally a constant or even real time monitoring needed, but lets start with a little comment on this registration table. Elements to consider: - th...

rkrisi

Can get up to 450mbps using btest in my hap ac2, this is my config if it helps /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \ group-key-update=1h mode=dynamic-keys name=main s...

rkrisi

These 3 devices are used for testing. Totally random screenshot, so I have not adjusted anything. Ok , rkrisi (Kristof) , thanks for sharing. There is normally a constant or even real time monitoring needed, but lets start with a little comment on this registration table. Elements to consider: - th...

rkrisi

I come late to this thread and might not have read all of this. So my comment might be useless (or not). Noticed in the config given that you use not all Wifi 802.11 modes in 5G (only n and ac, but not a) I gave this advice as well on 2.4G in other threads, this something not to be done if you want...

rkrisi

These 3 devices are used for testing. Totally random screenshot, so I have not adjusted anything. Ok , rkrisi (Kristof) , thanks for sharing. There is normally a constant or even real time monitoring needed, but lets start with a little comment on this registration table. Elements to consider: - th...

rkrisi

These 3 devices are used for testing. Totally random screenshot, so I have not adjusted anything.

rkrisi

Right now: Channel selection: 5500 MHz TX-power (via antenna gain): Current TX Power: Default - Antenna Gain 3dBi Bandwidth (40 or 80?): 20/40/80XXX So far so good. Channel is OK TX power and 80 MHz will do in this clean environment .Ceee would be more specific than XXXX. Interference is probably o...

rkrisi

You wrote in another thread, that you don't have neighbors nearby and that the spectrum is free from other networks at your place. So, of course if does! Yes, true, but the real (noticeable) difference for me is disabling route cache and fasttrack, then I can get sometimes almost 50% of the lan spe...

rkrisi

So as I said before, I did not bought this router because I only wanted to achieve 1Gbps Wi-Fi speed... But You started this thread because of the bad Wifi. :) Anyway, for all that You need (except WiFi), Mikrotik is perfect. I had RB750GL + Engenius accesspoints working fine in many years. So now ...

rkrisi

I don't think sitting 10cm from the router helps in any way. If it is configured incorrectly it will work incorrectly there also. If you have interference, you can have interference there also.. I don't think it's miss configured. You are getting less then half of the max speed. With fine tuning Yo...

rkrisi

Around 10m away from the router, same room Have You made tests next to the router? As if You can't get decent speed next to the router, then the router is just bad and no matter You adjust, speed won't get better. But if next to the router speed is good, then adjusting router place, antennas etc, m...

rkrisi

How does one relate to another? :) You can use 20MHz channel and still use MIMO. All those spatial streams operate in the same channel(s). I did not state that you could not use 20MHz channel with MIMO .... I did state that if you want PERFORMANCE you must use 40Mhz ... performance means speed........

rkrisi

No I'm using iperf and speedtest tools also (like speedtest.net and fast.com) But I don't get you. What is different in real life? I have a lot of local devices which I can and have to access so these has nothing to do with WAN speed (copying files locally for example). Also if you have a slow WAN,...

rkrisi

WAN speed is not all. I also test it with iperf for example which tests real speed, not just some speedtest server speed. You are testing local network with iperf? If so, then if You are using mainly local network > wan, testing local network doesn't help You much, as real life is different. No I'm...

rkrisi

[
The router is laid down in my Living Room, from around 1.6m above ground (so it is not too high not too low - in my opinion - same location as my previous router).
And You are testing where?

Around 10m away from the router, same room

rkrisi

Why do I have to proof myself. The content of my contributions should be just of value enough. And yes all my Mikrotiks are up to spec right now . I even get borred in checking. (Not a single glitch in the last 6 months, monitored continously with DUDE) Bottleneck is now elsewhere (100 Mbps etherne...

rkrisi

Superchannel will not defeat DFS rules (anymore). The 10 minutes are indeed disturbing, but sometimes the lucky choices while everyone avoids those channels. You can see what those "auto" settings are doing. They are so selfisch to just spoil the whole spectrum by sitting in the middle of...

rkrisi

Right now: Channel selection: 5500 MHz TX-power (via antenna gain): Current TX Power: Default - Antenna Gain 3dBi Bandwidth (40 or 80?): 20/40/80XXX Number of chains used (all 4 or 3 or 2?): All 4 chains are used on TX and RX as well. Max MCS rate (per chain): I could not find this setting anywhere....

rkrisi

Thanks! I have already enabled the most needed ones. However if I remember it right, I was able to add not just inline comments, but normal ones. Anyway I have did some testing and it always seems to me that 5500 MHz selected as frequency is the best I could get. Just to get an overview of the netw...

rkrisi

If I have to say, I would say yes that the speed is just around 10% better with my old router, and compared to a few years back, it is much slower. But as I said, in general when you browse the internet or do anything even locally on the network it feels so much faster - and this is not just placeb...

rkrisi

My previous cheap router seemed really fast when I bought it several years back (even better than now). So after all this testing, Mikrotik speed is about 10% better, then old stock router does provide? Is the speed constantly better, or it just jumped one time (like said before, with Mikrotik, in ...

rkrisi

Ok, the results seems great! 2.4GHz speed improved by choosing 20MHz only, now I was able to get 50Mbps max and around 35Mbps avg. Previously it was around 20-25Mbps max. Regarding 5GHz: you were right. I had to clear Secondary channel to turn it off. However the speed does not improved much. Seems...

rkrisi

Ok, the results seems great! 2.4GHz speed improved by choosing 20MHz only, now I was able to get 50Mbps max and around 35Mbps avg. Previously it was around 20-25Mbps max. Regarding 5GHz: you were right. I had to clear Secondary channel to turn it off. However the speed does not improved much. Seems ...

rkrisi

Tuning is tuning, and that is sometimes more an art than a science. But I love to do it. Getting 10 times better performance gives me the kick, and I achieved this many times in my live, on all sorts of systems. (Sometimes by doing unconventional things, after learning how things work inside. There...

rkrisi

Thanks! So today I will try to disable secondary channel. If I remember correctly I have tried it but it came up with an error. The doc said I should put a 0 there to disable it. I will try that again. Unfortunately I don't want to disable a/n first. It would be my last option, because lot of older...

rkrisi

First, I get your frustration. I also don't like if I have to pay a lot of money for something which doesn't seem to work first as it should. I have accept the fact, that I made mistake, however, I'm honestly curious - can someone fine tune the device and if so, then with what config, as this will ...

rkrisi

As also others are having similar problems, for example: https://forum.mikrotik.com/viewtopic.php?f=13&t=138895 https://forum.mikrotik.com/viewtopic.php?f=2&t=158709 https://forum.mikrotik.com/viewtopic.php?f=7&t=157869 https://forum.mikrotik.com/viewtopic.php?f=2&t=157688 then If Y...

rkrisi

Yes I have changed it from indoors to any! When looking at the current channel I can see: 5500/20-Ceee/ac/DP(24dBm)+5210/80/P(20dBm) So yes, you might be right about the Control channel, and I always get Ceee. So I should increase the antenna gain from 3dBi to 27dBi? Ps.: I already tried using freq...

rkrisi

Only other vendor (like Denon) devices don't show up in Spotify Connect. Google Chromecasts work fine. I need to fine tune this for Denon devices to work: https://denon-uk.custhelp.com/app/answers/detail/a_id/4717/~/network-requirements-for-heos I just need to enable igmp across vlan and these ports...

rkrisi

Thank you very much! I know that some of this data is only makes sense if it is in real time, but I would happily share my config for experts to have a look at. Is the config I attached to my first post doesn't include all the config? /interface wireless shows: Flags: X - disabled, R - running 0 R ...

rkrisi

Thanks for your detailed answer! Looking at the registration table, which client should I look at? Or should I conclude an average performance of the current setting? For example my phone which is quite far away from the router has: -60dbm Signal Strength and RX rate 585Mbps Tx rate 351Mbps, but st...

rkrisi

Looking at the registration table, which client should I look at? At the one you use for testing. For example my phone which is quite far away from the router has: -60dbm Signal Strength and RX rate 585Mbps Tx rate 351Mbps, but still speedtest shows around 150Mbps speed. - Analyze the whole TX/RX-r...

rkrisi

I got an Audience which based on the same wireless chipset with RB4011, in 2x2 the max speed I got is about 470mbps, pretty good I must say, same speed with those IPQ4018/4019 based products like hAP ac2/cAP ac, and ping respond is best among all the APs I got (Aruba IAP-225/315, Ruckus R510, Ubiqu...

rkrisi

What's your client device? It is possible that the speed is limited by the capabilities of your client, not the AP. Can you show what's in the registration table ( /interface wireless registration-table print stats ) during the test? I don't think so. I have tried different devices. Basically my co...

rkrisi

@rkrisi Be a little patient and MikroTik will improve the wireless performance in your RB4011 .... it may take another 6 months ... patience is key My suggestion for you is to buy the Ubiquiti nanoHD access Point Connect that to your RB4011 and you will have superb performance beyond your wildest e...

rkrisi

Maybe someone from MT can have some ideas what might be wrong. Don't be a masochist, thre is no fix. Been there, done that, read my (or use google and find thousands more) story - https://forum.mikrotik.com/viewtopic.php?f=7&t=160252 I have read this thread before... I'm not really happy with t...

rkrisi

Ok I think I have found the solution to this. As I have not found a simple guide to this, I provide it here, what worked for me: Basically followed this guide: http://chrisreinking.com/need-bonjour-across-vlans-set-up-an-avahi-gateway/ As for VLAN setup: set the port to tagged for every vlan, just a...

rkrisi

Maybe someone from MT can have some ideas what might be wrong. Don't be a masochist, thre is no fix. Been there, done that, read my (or use google and find thousands more) story - https://forum.mikrotik.com/viewtopic.php?f=7&t=160252 I have read this thread before... I'm not really happy with t...

rkrisi

Okay thanks! This router was pretty expensive and I hoped that I could get a decent speed with Wi-Fi. I saw here that lots of people have problems with it, but I never thought this is that common. In general I love MT products and its configurability (though I never had any Wi-Fi device before). Wha...

rkrisi

What I have tried: adding the interface of the RPI to the guest vlan as tagged and setting up a sub interface in RPI for the guest vlan. However the RPI did not get a valid address for that vlan, even after enabling DHCP for that sub interface

rkrisi

Dear Community! For IoT devices I need to be able to route mDNS broadcast traffic through VLANs. I saw that this is only currently possible with an external server (or maybe a MetaRouter with OpenWRT, but unfortunately my router - RB4011 - doesn't support MetaRouter yet). Not a big problem, I alread...

rkrisi

Dear Community! I have bought a RB4011iGS+5HacQ2HnD-IN router. I was able to set up everything - got a little help in the forum here - everything working perfectly, except WLAN. I can get maxed out rates (the max I get from my ISP) on ether interfaces, but not on Wi-Fi. I hope that I could get at le...

rkrisi

No I highlighted them because they were missing in your original config. They are now good if you included them. Concur, only have to work on wifi speed and that is probably accomplished with some wifi tweaking. Thank you very much! The config now seems great for me, now I just have to fiddle with ...

rkrisi

Anyway, what is the problem with these? add bridge=vlan_bridge tagged=vlan_bridge untagged=wlan_atlas,wlan_fujijama,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \ vlan-ids=10 add bridge=vlan_bridge tagged=vlan_bridge untagged=wlan_atlas_guest,wlan_fujijama_guest,ether9 vlan-ids=20 I mean you hig...

rkrisi

The FW rules are fine as they are. I just question why you give the VLAN full access to the router. I would not, I would eliminate that input chain rule. YOu need access as the admin and you have provided that with your BASE VLAN rule. I prefer to create an access list which includes the likely IPs...

rkrisi

In summary, So far I see most ports are access ports to devices that are not vlan aware on the private LAN, and ether 9 being a wired guest port??, eth10 a base port). You have an SFP port which is most likely a trunk port which may carry all three vlans? You have 4 wlans, two private (Atlas and fu...

rkrisi

As for wireless speed, there are a lot of possible issues (other wi-fi networks in the neighborhood are the first one to look at, the channel numbering is confusing, as in 2.4 GHz band the numbers are assigned to 5 MHz wide channels whilst 20 MHz wide ones are actually used as a minimum, newer devi...

rkrisi

Since you don't need VLAN tagging on ethernet ports, using a VLAN configuration is just one of possible approaches - the VLAN tag manipulation on wireless frames is done by the CPU in software anyway. So if you prefer to use the VLAN approach for the guest subnet, set vlan-mode of the virtual wirel...

rkrisi

Hi everyone! I have bought a new RB4011iGS+5Hac router. I want to create multiple VLANs to seperate Guest network from my Private network. Ethernet ports on the router (except eth1 which is used as DHCP client to connect to my modem) should be an access port to my private VLAN (vlan_private). I have...

Search found 166 matches