Search found 38 matches

by IlKa
Wed Jul 24, 2024 7:37 pm
Forum: SwOS
Topic: How to disable LAG?
Replies: 0
Views: 955

How to disable LAG?

Hello, I have a CRS3** switch with SwOS. My ISP sends LAG announcements, hence I see "Trunk1" port even when I set my port into "Passive" mode. How can I disable it at all? I do not need this functionality, and I believe that the fewer things you have enabled, the more predictable your s...
by IlKa
Mon Jul 22, 2024 4:30 pm
Forum: General
Topic: Stacking/unstacking Q-in-Q using VLAN filtering / hardware chip
Replies: 6
Views: 434

Re: Stacking/unstacking Q-in-Q using VLAN filtering / hardware chip

nz_monkey thank you.
I assume this can't be done with SwOS either?

loloski, in the example by this link `0x88a8` is used, which is "service tag" and it seems to be supported somehow, but my ISP doesn't use it:(
by IlKa
Mon Jul 22, 2024 3:21 pm
Forum: General
Topic: Stacking/unstacking Q-in-Q using VLAN filtering / hardware chip
Replies: 6
Views: 434

Re: Stacking/unstacking Q-in-Q using VLAN filtering / hardware chip

Thanks loloski!
Performance is what I care about:( What exactly have you done? Have you added `vlan` interface to the bridge?

I think I have two options:
1. Ask ISP to create another VLAN or use service tag
2. Ignore L2 network separation for now (not good, as people would send broadcasts!)
by IlKa
Mon Jul 22, 2024 6:13 am
Forum: General
Topic: Stacking/unstacking Q-in-Q using VLAN filtering / hardware chip
Replies: 6
Views: 434

Stacking/unstacking Q-in-Q using VLAN filtering / hardware chip

Hello, In `DC1` I have a cable with hybrid mode:
1) Untagged traffic (Internet Uplink)
2) Traffic with client (802.1Q) tag `SOME_ISP_TAG` which is a L2 VPN to the `DC2` implemented by my ISP.
In `DC2` I have a cable with access mode and untagged traffic from `DC1` (from the point 2) So, in DC1 I hav...
by IlKa
Sat Apr 20, 2024 9:25 pm
Forum: Beginner Basics
Topic: Multiply device with the same IP
Replies: 1
Views: 418

Re: Multiply device with the same IP

`169.254.0.0/16` is APIPA. https://en.wikipedia.org/wiki/Link-local_address You shouldn't use it. So, the correct answer to your question is "Do not do that". But if you still want to give it a try, create separate VLANs you will have 3 different interfaces each connected to a device, and ...
by IlKa
Sat Apr 20, 2024 9:13 pm
Forum: Beginner Basics
Topic: Diff configurations or configuration history?
Replies: 3
Views: 629

Re: Diff configurations or configuration history?

Our routers backup config as text script
/system/backup/save dont-encrypt=yes name=myrouter42
/export file=myrouter42.rsc
this file is available via TFTP from one particular IP And there is a Linux server that fetches this file every midnight via cron. And then it adds it to git and commits. Git rep...
by IlKa
Sun Apr 07, 2024 1:07 am
Forum: Beginner Basics
Topic: Simple queue for interface to emulate low bandwidth
Replies: 1
Views: 638

Simple queue for interface to emulate low bandwidth

Hello. I have a 1Gb uplink and decided to switch to 100Mb. Before doing so, I want to give it a try. So, my idea was to create a simple queue rule with my uplink interface as target and set upload/download limit there.
/queue/simple/add name="good_old_2010" target=if_uplink max-limit=100M/...
by IlKa
Mon Apr 01, 2024 3:04 am
Forum: General
Topic: SMB share cannot be accessed after upgrade
Replies: 26
Views: 4181

Re: SMB share cannot be accessed after upgrade

I'd start with Mikrotik logs.
https://wiki.mikrotik.com/wiki/Manual:System/Log

There is even a separate category: `smb`
by IlKa
Mon Apr 01, 2024 3:01 am
Forum: General
Topic: Forcing source ip and/or route
Replies: 3
Views: 509

Re: Forcing source ip and/or route

dst-address=a.a.a.a gateway=b.b.b.b
Why not gateway=b.b.b.a ? I'd say that you took a right direction.
1. Create a separate routing table to route `a.a.a.a` to `b.b.b.a`
2. Create a rule that sticks your client (source address) to this table.
3. Add NAT/Masq. to make sure source address of your cli...
by IlKa
Mon Apr 01, 2024 2:45 am
Forum: Beginner Basics
Topic: OVPN client connects but no reply
Replies: 7
Views: 1647

Re: OVPN client connects but no reply

Are you sure that you should use interface as your gateway, and not a gateway address on remote network? You are using IP mode (the default one) and I think that you should get a gateway address from remote OpenVPN server in the same network your IP sits in. Then, you ping this address. If it works ...
by IlKa
Thu Feb 22, 2024 8:04 pm
Forum: Beginner Basics
Topic: strange behavior of the system
Replies: 1
Views: 354

Re: strange behavior of the system

strange logs and crashing
Showing logs might help
by IlKa
Fri Feb 16, 2024 5:24 am
Forum: Beginner Basics
Topic: actual basics
Replies: 20
Views: 1632

Re: actual basics

Or, maybe some sample interface basic configs would be useful to new users. There is a Quickset: https://wiki.mikrotik.com/wiki/Manual:Quickset Maybe layout (explain) the basic blank config, the default config, and home router config ( I agree that having default ready-to-use configs is a good thin...
by IlKa
Thu Feb 15, 2024 6:27 pm
Forum: Beginner Basics
Topic: Can multiple S2S VPNs between the same two sites coexist on the router?
Replies: 4
Views: 480

Re: Can multiple S2S VPNs between the same two sites coexist on the router?

It is possible to have several routes between two networks, but why do you need it? If you already set up WireGuard, why do you need another VPN? IPSec policy could be pretty complex sometimes, but you could use GRE+IPSec which is pretty simple to configure. It uses IKEv1 (AFAIK) but still works perf...
by IlKa
Thu Feb 15, 2024 5:30 pm
Forum: Beginner Basics
Topic: Mikrotik as OpenVPN client
Replies: 2
Views: 555

Re: Mikrotik as OpenVPN client

Try to ping Mikrotik from Asus and allow icmp input. Does it work?
If it does, then problem is a firewall on the Asus.

I am pretty sure you must open firewall on Asus and configure routing there
https://www.asus.com/support/faq/1013630/
by IlKa
Thu Feb 15, 2024 4:00 am
Forum: Beginner Basics
Topic: Using 1 sfp port for both internet and LAN, is it possible?
Replies: 2
Views: 928

Re: Using 1 sfp port for both internet and LAN, is it possible?

If I got it right, this is called router-on-stick.
https://en.wikipedia.org/wiki/Router_on_a_stick

The idea is to have 2 VLANS over one cable: one for LAN and one for the uplink.

https://help.mikrotik.com/docs/display/ROS/VLAN
by IlKa
Tue Feb 13, 2024 8:24 pm
Forum: Beginner Basics
Topic: RB4011 OpenVPN server - Client no gateway
Replies: 2
Views: 1093

Re: RB4011 OpenVPN server - Client no gateway

but it has no gateway address.
You can either:
1. Configure routes on client (`route add..`): https://openvpn.net/community-resources/setting-up-routing/
2. Push routes from the server, see https://help.mikrotik.com/docs/display/ROS/OpenVPN (`push-routes` and `redirect-gateway`)
With route configur...
by IlKa
Sun Feb 11, 2024 5:34 am
Forum: General
Topic: Dual WAN parallel setup for only one subnet?
Replies: 8
Views: 859

Re: Dual WAN parallel setup for only one subnet?

It seems that you need to solve 2 problems:
1. Disable route if gateway is unreachable. You have already done it with `check-gateway`
2. Use different route for different source. This is called "policy routing" and could be done with several routing tables: https://help.mikrotik.com/docs/displ...
by IlKa
Sun Feb 11, 2024 5:27 am
Forum: General
Topic: Host unreachable on only one client [SOLVED]
Replies: 8
Views: 1111

Re: Host unreachable on only one client [SOLVED]

Do PI and other machines on the network see each others' mac addresses in arp?
On Linux, try
ip nei
On Windows
arp -a
by IlKa
Sun Feb 11, 2024 5:08 am
Forum: Beginner Basics
Topic: EAP+PSK ipsec VPN
Replies: 1
Views: 533

Re: EAP+PSK ipsec VPN

You can create CA on Mikrotik itself, then create certificate for server (and sign it using CA), then create client certificate (and sign it using CA), export client certificate (protected by password, because RouterOS doesn't export private key without password) and configure IPSec identity based o...
by IlKa
Sun Feb 11, 2024 4:52 am
Forum: Beginner Basics
Topic: Switch works, except for internet
Replies: 2
Views: 577

Re: Switch works, except for internet

I assume that your gateway is `192.168.241.1`, right? Do you see its mac address in ARP? Can you ping it? Since Mikrotik works as plain L2 switch here (and doesn't do any routing) I doubt that it affects your Internet connection somehow (unless you have broken cables or ports of course). As for DNS...
by IlKa
Sun Feb 11, 2024 4:40 am
Forum: Beginner Basics
Topic: Routing 2 networks with DHCP ip address
Replies: 5
Views: 1244

Re: Routing 2 networks with DHCP ip address

Make sure `ether2` and `ether3` aren't in the bridge: https://help.mikrotik.com/docs/display/ROS/Ethernet
Set appropriate IP addresses, i.e: `ether2 -- 172.16.200.1`, `ether3 -- 10.20.10.1`: https://wiki.mikrotik.com/wiki/Manual:IP/Address
Create IP pools i.e `172.16.200.2 -- 172.16.200.254` for `et...
by IlKa
Mon Sep 25, 2023 4:02 pm
Forum: General
Topic: Mikrotik CHR LAN interface becomes unresponsive at regular intervals
Replies: 3
Views: 674

Re: Mikrotik CHR LAN interface becomes unresponsive at regular intervals

Do you use spanning tree / IEEE 802.1D ?

When interface doesn't work, do you see any traffic? Use packet sniffer to check
by IlKa
Fri Sep 22, 2023 5:50 pm
Forum: Beginner Basics
Topic: The web server does not show the client IP
Replies: 3
Views: 787

Re: The web server does not show the client IP

I still believe the problem is `src-nat`.

See:

`dst-nat` means literally "change DESTINATION address", forward packet to the webserver.
`src-nat` means "changes SOURCE" address, and `REMOTE_ADDR` is source address.
by IlKa
Fri Sep 22, 2023 5:45 pm
Forum: General
Topic: Mikrotik CHR LAN interface becomes unresponsive at regular intervals
Replies: 3
Views: 674

Re: Mikrotik CHR LAN interface becomes unresponsive at regular intervals

Do you see anything suspicious in RouterOS logs or your hypervisor logs?
by IlKa
Thu Sep 14, 2023 4:02 pm
Forum: Beginner Basics
Topic: Beginner Question - 1 ISP two Routers
Replies: 4
Views: 1408

Re: Beginner Question - 1 ISP two Routers

bgp
We only have /31 range from our ISP to use.
Do you have provider independent IP address?
https://en.wikipedia.org/wiki/Provider- ... ress_space
by IlKa
Mon Sep 11, 2023 6:27 pm
Forum: Beginner Basics
Topic: Setting up a Management Port [SOLVED]
Replies: 2
Views: 1525

Re: Setting up a Management Port [SOLVED]

You can move your `ether1` to the separate bridge, configure separate IP network there and then only allow access to your MT from this network using "ip / service /" and/or firewall
by IlKa
Mon Sep 11, 2023 6:23 pm
Forum: Beginner Basics
Topic: I can't connect via ssh to routeros
Replies: 3
Views: 1321

Re: I can't connect via ssh to routeros

Your public IP is Ubuntu Linux and your network structure is unclear. Where does MT sit? Could you draw a map?
If it sits behind Ubuntu, you would need to do NAT there
by IlKa
Mon Sep 11, 2023 2:18 am
Forum: Beginner Basics
Topic: Should I upgrade RouterBOOT on each RouterOS upgrade?
Replies: 8
Views: 3430

Re: Should I upgrade RouterBOOT on each RouterOS upgrade?

Thank you all, I will set `set auto-upgrade=yes` then
by IlKa
Mon Sep 11, 2023 1:08 am
Forum: Beginner Basics
Topic: OpenVPN connected but no access to LAN
Replies: 3
Views: 3342

Re: OpenVPN connected but no access to LAN

Try to add route using `route add` or `New-NetRoute`. Then, manually add firewall forwarding rule on MT. Does it work? If it does, then you need to persist it. In OpenVPN client might have its own configuration but server might also push it. https://openvpn.net/community-resources/expanding-the-scop...
by IlKa
Sun Sep 10, 2023 9:08 pm
Forum: Beginner Basics
Topic: Should I upgrade RouterBOOT on each RouterOS upgrade?
Replies: 8
Views: 3430

Re: Should I upgrade RouterBOOT on each RouterOS upgrade?

Thank you!
If version of routerboot falls too far behind ROS version, then it can happen that device is no longer able to boot a new ROS.
hm.. Does it mean I wouldn't be able to boot MT with backup loader? What should I do if I break the primary one? Boot netinstall with ancient ROS?
by IlKa
Sun Sep 10, 2023 2:57 pm
Forum: Beginner Basics
Topic: 2 WAN - 1 LAN
Replies: 6
Views: 2415

Re: 2 WAN - 1 LAN

I think you can mark connection using firewall. Then, use this mark to route packet using policy routing
https://help.mikrotik.com/docs/display/ROS/Mangle
https://help.mikrotik.com/docs/display/ROS/Firewall+Marking#FirewallMarking-FailoverWithFirewallMarking
https://help.mikrotik.com/docs/display/RO...
by IlKa
Sun Sep 10, 2023 3:24 am
Forum: Beginner Basics
Topic: OpenVPN connected but no access to LAN
Replies: 3
Views: 3342

Re: OpenVPN connected but no access to LAN

Did client install routes to this network? On Windows, run
C:\> route print
Check it has routes to `192.168.1.0/24`. because it's a dynamic interface which doesn't persist you can filter by IP address. Also, since ovpn server uses PPP profiles, you can use `address-list` feature so MT will add all c...
by IlKa
Sun Sep 10, 2023 2:15 am
Forum: Beginner Basics
Topic: New to Mikrotik, RB5009UG+S+ questions
Replies: 1
Views: 1351

Re: New to Mikrotik, RB5009UG+S+ questions

Hello. From what I see, you created a one big bridge for all servers and started DHCP there. Did your server get address from DHCP? Can it ping router `192.168.48.1`? If yes, try to disable all IPs except one on `ether1` and check again. When I try to change the interface to either bridge or the spe...
by IlKa
Sun Sep 10, 2023 1:13 am
Forum: Beginner Basics
Topic: problem settings IPSEC tunel ofice to ofice
Replies: 1
Views: 1137

Re: problem settings IPSEC tunel ofice to ofice

Host prohibited is an ICMP answer sent by router which means "this traffic is not allowed to go through this router".
I'd check firewall on both routers. Do you have forward rule enabled?
by IlKa
Sun Sep 10, 2023 1:09 am
Forum: Beginner Basics
Topic: IPsec,error Message: no policy found/generated
Replies: 1
Views: 1592

Re: IPsec,error Message: no policy found/generated

IPSec failed to find appropriate policy. Do you use IPSec/IKE? If so, what are you trying to achieve and how exactly do you use it?
by IlKa
Sun Sep 10, 2023 1:05 am
Forum: Beginner Basics
Topic: Random Websites Will Not Load, Reset requiered
Replies: 4
Views: 2117

Re: Random Websites Will Not Load, Reset requiered

First try to ping website and connect to port 80. You might find DNS problems (i.e "hostname not found") or connection could succeed. In this case there might be browser problems.
Linux/MacOS
$ ping facebook.com
$ telnet facebook.com 80
Windows PowerShell
PS C:\> ping facebook.com
PS C:...
by IlKa
Sun Sep 10, 2023 12:46 am
Forum: Beginner Basics
Topic: Should I upgrade RouterBOOT on each RouterOS upgrade?
Replies: 8
Views: 3430

Should I upgrade RouterBOOT on each RouterOS upgrade?

Hello. I just upgraded RouterOS to "7.11.2" and everything was ok. I then upgraded RouterBOOT and router didn't start (I did it remotely, ha-ha). I will try to run backup bootloader using reset button tomorrow, but I just realized that I shouldn't have done that at all! So, my question is:...
by IlKa
Sat Dec 18, 2021 12:45 am
Forum: Beginner Basics
Topic: A question about GRE and IPSec
Replies: 0
Views: 2723

A question about GRE and IPSec

Hello. I made GRE tunnels between two mikrotiks and enabled IPSec (`ipsec-secret`). Am I right that I have IKEv1 and PSK? If so, is it possible to use IKEv2 and RSA-based auth for GRE? Or should I configure it manually? I heard that PSK is not as secure as asymmetric crypto, so I want to use RSA k...