Search found 168 matches

by LdB
Wed May 22, 2024 5:56 pm
Forum: General
Topic: Ethernet throughput VERY slow
Replies: 18
Views: 1518

Re: Ethernet throughput VERY slow

You have profiles such as "Hope Vineyard Music" but your config doesn't include the profiles. Those profiles can have rate limits and we need to see them.
by LdB
Wed May 22, 2024 5:40 pm
Forum: General
Topic: How to Handle Rate Limiting in API Requests?
Replies: 1
Views: 337

Re: How to Handle Rate Limiting in API Requests?

You need to tell us more; too much to answer that. For example, if the API device is on a simple interface you can put a simple queue on it:
/queue simple add name=queue1 target=ether1 max-limit=128k/256k
More complex vlan/interface/ip/dst port examples will require mangle marks and then a queue b...
by LdB
Wed May 22, 2024 5:17 pm
Forum: General
Topic: How can I access ISP router from lan
Replies: 5
Views: 491

Re: How can I access ISP router from lan

You just source NAT the LAN range to the Public IP, or masquerade the interface Public IP if it is dynamic. So in your case the static version is
/ip firewall nat add action=src-nat chain=srcnat src-address=192.168.88.0/24 to-addresses=192.168.10.1
The dynamic masquerade version used most where IS...
by LdB
Wed May 15, 2024 11:13 am
Forum: General
Topic: Accessing lan devices over l2tp vpn
Replies: 3
Views: 342

Re: Accessing lan devices over l2tp vpn

"i also have an ikev2 connection configured for my android device and from that connection I can correctly ping and connect to lan devices."
We aren't mind readers, but from that I assume you are talking about a windows VPN connection and you don't know how to choose the gateway ... aka ticking the bo...
by LdB
Wed May 15, 2024 5:16 am
Forum: General
Topic: Transit over two EOIP tunnels over PPTP
Replies: 10
Views: 632

Re: Transit over two EOIP tunnels over PPTP

What you are saying is still nonsensical. Once you open the PPTP tunnels, those tunnels have endpoints which you can use to establish the EOIP and it doesn't expose Mikrotik 2.
Router 1 has an IP 172.16.1.2
Router 3 has an IP 172.16.2.2
All you need is a static route in router 1 and 3 so they can IP ro...
by LdB
Tue May 14, 2024 5:45 pm
Forum: General
Topic: Transit over two EOIP tunnels over PPTP
Replies: 10
Views: 632

Re: Transit over two EOIP tunnels over PPTP

I don't get the point; directly open the EOIP between router 1 and 3 if that is what is intended.
by LdB
Tue May 14, 2024 5:37 pm
Forum: General
Topic: Best way to export and then import configuration
Replies: 4
Views: 393

Re: Best way to export and then import configuration

You can just click on each interface and do a reset mac address to get rid of the mac address copy issue.
by LdB
Tue May 07, 2024 5:29 pm
Forum: General
Topic: Find best way to block many website
Replies: 7
Views: 520

Re: Find best way to block many website

He is asking how to block them, not how to bypass them. As an ISP it is done by a provided IP list from the government and is pushed into the router as a blacklist at regular intervals. You can see an active example dealing with commercial blacklists at hybrid networks https://github.com/HybridNetwor...
by LdB
Tue May 07, 2024 9:30 am
Forum: General
Topic: Multiple gateways in RouterOS 7.6
Replies: 4
Views: 917

Re: Multiple gateways in RouterOS 7.6

Try
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.1 pref-src="" routing-table=tableWAN2 scope=40 suppress-hw-offload=no target-scope=20 vrf-interface=WAN-2-ether5 check-gateway=arp comment="WAN2"
by LdB
Tue May 07, 2024 4:55 am
Forum: General
Topic: Access Mikrotik subnet from modem subnet [SOLVED]
Replies: 18
Views: 4437

Re: Access Mikrotik subnet from modem subnet [SOLVED]

My guess is the machine you are trying to ping in 10.0.0.xxx has a firewall. Open a terminal on the tick and try to ping the machine you are trying to access, 10.0.0.???
ping 10.0.0.??? src-address=192.168.1.200
Also do a traceroute from a machine in the 192.168.1.xxx range; wherever it stops is where the...
by LdB
Sun May 05, 2024 2:56 pm
Forum: General
Topic: Multiple public IPs, different internal zones
Replies: 10
Views: 1588

Re: Multiple public IPs, different internal zones

Seriously NO and really NO!!!! Go back and read: the ISP gave him 5 /32 IPs, he introduced the /24, and I pointed out he doesn't know that, which he agreed. He has clarified and, as I expected, they GAVE HIM A GATEWAY as a /32 as well.
"One other thing that complicates my situation is that my ISP (Verizon ...
by LdB
Sun May 05, 2024 2:18 pm
Forum: General
Topic: Access Mikrotik subnet from modem subnet [SOLVED]
Replies: 18
Views: 4437

Re: Access Mikrotik subnet from modem subnet [SOLVED]

Perhaps let's make you understand the issue. The mikrotik is the gateway to the 10.0.0.0/24 network. Any traffic in that network ends up at the mikrotik; it also happens to have a 192.168.1.200 address. So anything in the 10.0.0.0/24 network can reach 192.168.1.xxx via 192.168.1.200. Now consider a device ...
by LdB
Sat May 04, 2024 6:57 pm
Forum: General
Topic: Feature request
Replies: 2
Views: 330

Feature request

Can we get source IP on the bandwidth test tool?
Really painful on complex link routers when you can't control what IP the test launches from.
by LdB
Sat May 04, 2024 6:13 pm
Forum: General
Topic: Multiple public IPs, different internal zones
Replies: 10
Views: 1588

Re: Multiple public IPs, different internal zones

They will have also given you a gateway for the 5 IPs, which is where you send all outbound traffic to the internet. It might be a /32 or an actual network (/31 /30 /29 etc.), often called a transit link, where they will give you their end and your end IP. For a /32: The network IP is the /32 address they gav...
by LdB
Fri May 03, 2024 7:11 pm
Forum: General
Topic: Giving an internal device an "external" IP address and making it accessible to external devices
Replies: 2
Views: 345

Re: Giving an internal device an "external" IP address and making it accessible to external devices

Looks like you are just trying to make a 1:1 map across the tik
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Destination_NAT
I am going to assume the networks are /24 as you have not specified
/ip firewall nat add chain=dstnat dst-address=192.168.1.121/24 action=netmap to-addresses=192.168....
by LdB
Fri May 03, 2024 6:46 pm
Forum: General
Topic: IKEv2 VPN with DNS in another internal VLAN
Replies: 13
Views: 1712

Re: IKEv2 VPN with DNS in another internal VLAN

The PPP profile for the VPN sets the DNS and WINS server if need be ... set an address don't leave it blank and the client uses it.

It's the last entries before the radio boxes for Change TCP MSS.
by LdB
Fri May 03, 2024 6:37 pm
Forum: General
Topic: no radius server found for 58:0f
Replies: 6
Views: 541

Re: no radius server found for 58:0f

I would set the radius source IP to the public IP you expect, just to make sure the packets are leaving the right interface and address.

Next, on the Radius server status tab, what is happening to the requests? Are they just timing out?
by LdB
Thu May 02, 2024 9:02 am
Forum: General
Topic: no radius server found for 58:0f
Replies: 6
Views: 541

Re: no radius server found for 58:0f

This comes up a lot because it's hidden away.

Go to the PPP->Secrets tab, click on the PPP Authentication & Accounting button and tick the "use radius" box.
by LdB
Thu May 02, 2024 6:24 am
Forum: General
Topic: Multiple public IPs, different internal zones
Replies: 10
Views: 1588

Re: Multiple public IPs, different internal zones

You are completely overthinking it. Your provider gave you 5 /32 gateways and you have no idea if they come from a /24; that is a complete misunderstanding. The VLANs are just isolation and not relevant to the NATs. The source NAT is dead simple:
/ip firewall nat add action=src-nat chain=srcnat src-addres...
by LdB
Wed May 01, 2024 5:10 pm
Forum: General
Topic: Wireguard road warrior setup does not work under WiFi
Replies: 21
Views: 1389

Re: Wireguard road warrior setup does not work under WiFi

Reduce the MTU of the VPN tunnel; it's too large for the wifi network when you add all the VPN packet overheads in.
by LdB
Wed May 01, 2024 5:04 pm
Forum: General
Topic: Winbox connection denied through VPN
Replies: 7
Views: 841

Re: Winbox connection denied through VPN

People, if it was the firewall it wouldn't know about the connection ... forget the firewall, he told you this:
"When I press connect on the winbox I can see logs from FG Firewall & Mikrotik so it is hitting the interface but not sure why it is being denied."
The actual service has restricted IP rang...
by LdB
Wed May 01, 2024 4:57 pm
Forum: General
Topic: PPPOE Users Lost IP !!!!
Replies: 2
Views: 284

Re: PPPOE Users Lost IP !!!!

Check you haven't run out of IPs in the pool, AKA more clients than IPs ... it does weird stuff when that happens :-)
by LdB
Sun Apr 21, 2024 4:22 pm
Forum: General
Topic: Configuration not working
Replies: 6
Views: 821

Re: Configuration not working

The router itself has no access to the internet because there is no default route for unmarked packets. These are your only routes ... do you actually understand what that means?
/ip route
add dst-address=0.0.0.0/0 gateway=ether1-WANCORP routing-table=WORK
add dst-address=0.0.0.0/0 gateway=ether2-WA...
by LdB
Sat Apr 20, 2024 6:18 am
Forum: General
Topic: Use specific IP in internal network using L2TP
Replies: 5
Views: 1083

Re: Use specific IP in internal network using L2TP

The internal RDP traffic is being NAT'ed first to the outside router IP. The solution is simple: on the firewall set up an entry address for the RDP range. So something like
/ip firewall address-list add list=RDP-Range address=xxx.xxx.xxx.xxx/yy
Now on the outbound NAT go to its source-address list an...
by LdB
Sat Apr 20, 2024 5:54 am
Forum: General
Topic: Static Route and NAT - Cannot reach server in R1 while reachable on outside and R2
Replies: 3
Views: 568

Re: Static Route and NAT - Cannot reach server in R1 while reachable on outside and R2

On the config you have shown, Router 1 knows nothing of 22.22.22.22. R1 is correctly giving you the error message "Invalid argument" because 22.22.22.22 cannot be routed and the router is going "I don't know what to do with that". I am assuming you meant to actually put the address 22.22.22.22...
by LdB
Sun Apr 14, 2024 6:00 am
Forum: Useful user articles
Topic: How to: Edge router and BNG optimization for ISPs Topic is solved
Replies: 68
Views: 94018

Re: How to: Edge router and BNG optimization for ISPs Topic is solved

There is a reason why CGNAT exists and ipv6 still has resistance, which is the legacy. I know from crazy discussions on this forum before where people wanted me to replace solid commercial grade radios worth $100K, which will still be running in 20 years' time, because they don't support ipv6, and got ups...
by LdB
Sun Jan 07, 2024 4:33 pm
Forum: General
Topic: Under DNS Amplification attack, network unusable with Mikrotik routers
Replies: 12
Views: 2811

Re: Under DNS Amplification attack, network unusable with Mikrotik routers

8.8.8.8 is probably throttling you

https://developers.google.com/speed/public-dns/docs/isp
First statement
High query volumes from a single IPv4 address (or IPv6 /64 network prefix) may be throttled if they exceed these limits.
by LdB
Sat Jan 06, 2024 2:21 am
Forum: General
Topic: QoS parent=global /w EoIP tunnel = half throughput?
Replies: 10
Views: 1708

Re: QoS parent=global /w EoIP tunnel = half throughput?

I would like to see an export of your bench config because I got different a year ago when deploying and those systems still work today. You would need to send it to mikrotik as a bug report anyhow. I personally still doubt it is a bug, just a limitation of the queue system mikrotik uses, and any queu...
by LdB
Fri Jan 05, 2024 6:44 pm
Forum: General
Topic: QoS parent=global /w EoIP tunnel = half throughput?
Replies: 10
Views: 1708

Re: QoS parent=global /w EoIP tunnel = half throughput?

Without being argumentative, how do you think I worked it all out? ... Exactly that way. In the above you again failed because you said :-)
"Lol xD Please read my response again where I clearly stated that I changed both the EOIP MTU as well as the WLAN MTU's"
You aren't supposed to change the EOIP MTU...
by LdB
Fri Jan 05, 2024 3:14 pm
Forum: General
Topic: QoS parent=global /w EoIP tunnel = half throughput?
Replies: 10
Views: 1708

Re: QoS parent=global /w EoIP tunnel = half throughput?

It's not just the ends you have to change, you have to do the radios as discussed :-) Did you actually test the link is passing a 1542 packet ... aka check it from tik to tik on a terminal:
ping xxx.xxx.xxx.xxx size=1542 do-not-fragment
If that doesn't go thru then you need to go find what you failed ...
by LdB
Thu Jan 04, 2024 3:21 pm
Forum: General
Topic: QoS parent=global /w EoIP tunnel = half throughput?
Replies: 10
Views: 1708

Re: Strange double-QOS on EOIP tunnel..?

An EOIP will go thru a smaller MTU; that is entirely the point of the standard as you note, but it's not a magician: the only way it achieves that trick is by breaking the large packet into multiple smaller packets. It's basic physics. If you have a sofa and it's bigger than the door, the only way you can...
by LdB
Thu Jan 04, 2024 3:54 am
Forum: General
Topic: QoS parent=global /w EoIP tunnel = half throughput?
Replies: 10
Views: 1708

Re: Strange double-QOS on EOIP tunnel..?

You have set an EOIP MTU of 1500, and EOIP has an overhead of up to 42 bytes, and you are sending thru a link and ports with an MTU of 1500.
https://help.mikrotik.com/docs/display/ROS/EoIP
So every EOIP packet is sent as two packets and so your queue gets it wrong. There are a number of ways to approach i...
by LdB
Wed Jan 03, 2024 7:21 am
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 3244

Re: DNS not resolving some domains

You are very brave, you have port 53 exposed to the world and you were so proud of it :-) You clearly didn't read the DNS WIKI, did you? https://help.mikrotik.com/docs/display/ROS/DNS See this, they put it in a green box:
"When DNS server allow-remote-requests are used make sure that you limit access to y...
by LdB
Wed Jan 03, 2024 2:49 am
Forum: General
Topic: How do I reduce PPPoE client CPU usage? [SOLVED]
Replies: 6
Views: 2637

Re: How do I reduce PPPoE client CPU usage? [SOLVED]

We get the problem, so go around the issue. At these speeds you are not a domestic customer anymore and you don't want a PPPOE connection because you know there are going to be overheads and MTU clamps. You want a transit link from your upstream provider like any normal ISP would take, and in this case...
by LdB
Tue Jan 02, 2024 2:45 pm
Forum: General
Topic: How do I reduce PPPoE client CPU usage? [SOLVED]
Replies: 6
Views: 2637

Re: How do I reduce PPPoE client CPU usage? [SOLVED]

Just use a static private IP transit between the modem and the router. So let's say on the LAN of the modem you have 192.168.20.1/24. On the CCR you use a suitable static 192.168.20.2/24 to form a transit network. Then you just IP route thru it WITHOUT NAT:
/ip route add distance=1 dst-address=0.0.0.0/0 ...
by LdB
Tue Jan 02, 2024 8:20 am
Forum: General
Topic: How can I protect my VPN network from attempted intrusion?
Replies: 9
Views: 1564

Re: How can I protect my VPN network from attempted intrusion?

That doesn't stop brute force attacks and they can end up ddos-ing the router ... ask the OP, you can end up with many very determined attackers. Blacklisting and dropping packets makes the attacks a lot harder as the attack IPs are continually blacklisted and dropped. Okay, if they had a massive numb...
by LdB
Tue Jan 02, 2024 8:11 am
Forum: General
Topic: ISP router on remote location, how to use internet and also access UNIFI Devices
Replies: 2
Views: 790

Re: ISP router on remote location, how to use internet and also access UNIFI Devices

You need to explain what is between site A & B and the unifi setup; we aren't mind readers. If the drawing is accurate, it's what, two towers and you have point-to-point links between them? You probably need VLAN TRUNKS between A & B, but as to what VLANS the unifi system is using you said nothi...
by LdB
Tue Jan 02, 2024 8:01 am
Forum: General
Topic: BGP peer goes down, no ACK for 60 minutes
Replies: 22
Views: 3132

Re: BGP peer goes down, no ACK for 60 minutes

No-one else seems to be having the issue so you are asking them to fix a "bug" that seems isolated to you.

Back up the config and try 7.1.12; what do you have to lose, and it may shed some light?
You would likely have a spare router so even just try it with the spare.
by LdB
Sun Dec 31, 2023 4:43 am
Forum: General
Topic: Terminal paste issue
Replies: 14
Views: 5554

Re: Terminal paste issue

It's actually got worse over time with new versions of winbox. It has nothing to do with CR+LF because often you don't get anywhere near the right text or amount of it, and it appears to be a clipboard issue. Using an SSH agent like putty and using that to paste text in seems to be better, but I have sti...
by LdB
Sat Dec 30, 2023 4:47 pm
Forum: General
Topic: ccr2116-12g-4s+The strategy is not effective
Replies: 2
Views: 1066

Re: ccr2116-12g-4s+The strategy is not effective

To your static routes try adding action=lookup-only-in-table. You might get into trouble if this gets more complex; you are pre-route marking based on source address ... what if it's just local LAN-LAN traffic? I suspect it wants to be output marked or pre-route with LAN destination exclusions so you ...
by LdB
Sat Dec 30, 2023 4:17 pm
Forum: General
Topic: Establish communication through a VLAN between Mikrotik router and switch
Replies: 2
Views: 647

Re: Establish communication through a VLAN between Mikrotik router and switch

You had it right with the VLANS initially, but you need to understand the /30 establishes a network between the devices BUT ONLY for those IPs. The switch will only know about 10.0.0.0/30, not any other network, because it's a switch and has no default route. If, for example, you are on a different IP ran...
by LdB
Sat Dec 30, 2023 3:55 pm
Forum: General
Topic: How can I protect my VPN network from attempted intrusion?
Replies: 9
Views: 1564

Re: How can I protect my VPN network from attempted intrusion?

Rextended has a script you put in scheduler to run every 5 mins that puts them in a bruteforce_blacklist which you drop on raw filter. Limits the annoyance in logs. That is about all you can do.
# Created Jotne && rextended 2022 v1.5
#
# This script add ip of user who with "IPSEC negoti...
by LdB
Sat Dec 30, 2023 3:38 pm
Forum: General
Topic: BGP peer goes down, no ACK for 60 minutes
Replies: 22
Views: 3132

Re: BGP peer goes down, no ACK for 60 minutes

Try rolling back to 6.48; I had a number of CCR1036 running that and BGP with a number of junipers for a long time.

I have long since migrated all the CCR1036 to 7.12 as it wasn't that hard.
by LdB
Fri Dec 15, 2023 4:08 am
Forum: General
Topic: i have problem (no Internet available) in mobile
Replies: 8
Views: 1894

Re: i have problem (no Internet available) in mobile

The devices are running a standard DNS check to check if the internet is truly there; they don't assume it is just because they have an IP. Pretty sure all Mac and some Samsung devices do it.
by LdB
Fri Dec 15, 2023 4:01 am
Forum: General
Topic: I need the IP from these domain subdomain
Replies: 1
Views: 1213

Re: I need the IP from these domain subdomain

Windows will randomly change the IP and domains anyhow to stop hackers trying to pretend to be a windows update. Can I suggest a different tack? Windows Update uses TCP port 80, 443 to set up a random port 49152-65535 for the stream. Why don't you first try marking that traffic and see what is in ther...
by LdB
Fri Dec 15, 2023 3:42 am
Forum: General
Topic: Possible hardware issue/loop CCR1009-7G-1C-1S+
Replies: 2
Views: 1347

Re: Possible hardware issue/loop CCR1009-7G-1C-1S+

It's a broadcast storm; it's either malicious or you have a network clash. The first obvious question is: you have VLANs, why are the cameras on the same VLAN as everything else????? Much easier to diagnose and put queue rate limits on stuff if it isn't all in the same VLAN. The tick will allow access ...
by LdB
Tue Dec 12, 2023 5:36 am
Forum: General
Topic: SNMP Monitoring from Multiple Collectors [SOLVED]
Replies: 10
Views: 2453

Re: SNMP Monitoring from Multiple Collectors [SOLVED]

If they give you multiple trap communities then technically you need multiple source IPs and interfaces so it probably gets more complex than that.
by LdB
Tue Dec 12, 2023 5:03 am
Forum: General
Topic: TX drops on CCR-2116
Replies: 5
Views: 3064

Re: TX drops on CCR-2116

5XHD only have ethernet interfaces, no fibre, but I did see that issue with 1Gb fibre on aviat radios. I have something like 30x 5XHD connected to CCR2116 and CCR2004 and haven't seen anything, but I am running 7.11.2 on all and the 5XHD are all 1.5.1 firmware (remember there are two firmwares involved)...
by LdB
Sun Dec 10, 2023 2:35 pm
Forum: General
Topic: EoIP with Multiple WAN
Replies: 10
Views: 2091

Re: EoIP with Multiple WAN

If you want security you need to keep things simple, and you, my friend, are down to relying on complex packet marking, and if that doesn't raise hairs on the back of your neck it should. Some poor sucker has to maintain this if you leave or get hit by a bus. The obvious answer is to spin up a third networ...
by LdB
Sun Dec 10, 2023 3:08 am
Forum: General
Topic: EoIP with Multiple WAN
Replies: 10
Views: 2091

Re: EoIP with Multiple WAN

First, why in god's name is a remote client connecting to a server on x.x.x.x that is a public IP ... the whole point of the tunnel is to stop having to expose the network to the public IP. The solution works because it is simple, and so let's continue along the simple solution path. The blind freddy ob...
by LdB
Sun Dec 10, 2023 2:54 am
Forum: General
Topic: Winbox connection altering the PC Gateway ? [SOLVED]
Replies: 8
Views: 2349

Re: Winbox connection altering the PC Gateway ? [SOLVED]

Correct ... Winbox on the interfaces screen has an output of between 50K-250K depending on IPSEC/Tunnel complexity; it burns thru GSM data in no time flat.

<edited>
by LdB
Sat Dec 09, 2023 10:24 am
Forum: General
Topic: EoIP with Multiple WAN
Replies: 10
Views: 2091

Re: EoIP with Multiple WAN

In your case it's simpler, just use two /32 static routes. We need to make two new terms which are the gateways for the WANs:
WAN y.y.y.y gateway is y.y.y.gw
WAN z.z.z.z gateway is z.z.z.gw
So simply specify a /32 route for the EOIP tunnel traffic:
/ip route
add dst-address=a.a.a.a/32 gateway=y.y.y.gw
add d...
by LdB
Wed Dec 06, 2023 3:39 pm
Forum: General
Topic: EoIP
Replies: 3
Views: 1806

Re: EoIP

Yes I know, so just open those EOIP tunnels using the Public IPs ... the EOIP tunnels don't give a stuff about the private IPs unless you want. Start with just two sites with just a matching tunnel id (no ipsec) and the penny should drop, because you are overthinking it. Then put the private tr...
by LdB
Mon Dec 04, 2023 6:38 am
Forum: General
Topic: EoIP tunnel not communicating
Replies: 10
Views: 1682

Re: EoIP tunnel not communicating

Your linux machine firewall has to be blocking ping responses from 192.168.114.0/24 because that is correct and will work. Really, no other option; you must have something like ufw running and forgot to allow ping responses thru. You already proved above that anything from 192.168.118.254 is working a...
by LdB
Sun Dec 03, 2023 12:48 pm
Forum: General
Topic: EoIP tunnel not communicating
Replies: 10
Views: 1682

Re: EoIP tunnel not communicating

So the problem is not on the routers; we keep coming back to the R2 network and the .254 still makes me suspicious. Go to a machine on the R2 network and print out the routes. On a windows machine on the terminal screen:
route print
If we don't get something like below then we slap you :-)
Active Routes:
Network Destin...
by LdB
Sat Dec 02, 2023 3:29 pm
Forum: General
Topic: EoIP tunnel not communicating
Replies: 10
Views: 1682

Re: EoIP tunnel not communicating

So on R2, what happens when you do this?

ping 192.168.114.150 src-address=192.168.118.254
by LdB
Fri Dec 01, 2023 2:54 pm
Forum: General
Topic: Road warrior Wireguard
Replies: 5
Views: 1565

Re: Road warrior Wireguard

They have a discussion on dynamic IP on wireguard; is it easy or a good idea? Probably no.

https://nologs-vpn.com/wireguard-dhcp
https://github.com/WireGuard/wg-dynamic ... cs/idea.md
by LdB
Fri Dec 01, 2023 2:21 pm
Forum: General
Topic: EoIP tunnel not communicating
Replies: 10
Views: 1682

Re: EoIP tunnel not communicating

That will work unless there is a firewall on the device you are trying to ping or R2 is not the gateway of the R2 network. So confirm
1.) you can ping the R1 network device from another device on the R1 network
2.) R2 has the gateway of the 192.168.118.0/24 network (normally 192.168.118.1) and you don't...
by LdB
Thu Nov 30, 2023 5:46 pm
Forum: General
Topic: EoIP tunnel not communicating
Replies: 10
Views: 1682

Re: EoIP tunnel not communicating

Your problem is obvious ... this is wrong:
/ip route add comment="Route for R1" distance=1 dst-address=192.168.118.0/24 \
    gateway=172.16.250.1
As you can ping from R1 to R2 we know that the 192.168.118.0/24 network and machines are on Router 2. So why the hell are you sending 192.168.118.0/2...
by LdB
Thu Nov 30, 2023 5:33 pm
Forum: General
Topic: Unable to connect Local LAN devices from VPN without default -GW
Replies: 2
Views: 1076

Re: Unable to connect Local LAN devices VPN without default -GW

You need to explain the IPs and topology of the network on the remote end of the VPN connection. You put both what would be the normal .1 gateway "your end" in the bridges with this:
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.89.1/24 inter...
by LdB
Thu Nov 30, 2023 5:10 pm
Forum: General
Topic: Road warrior Wireguard
Replies: 5
Views: 1565

Re: Road warrior Wireguard

You just create a pool and use it on the remote address on the profile ... everything else is the same as a static IP VPN setup. As an example:
/ip pool add name=VPN_POOL ranges=10.0.0.2-10.0.0.254
/ppp profile add local-address=10.0.0.1 name=VPN remote-address=VPN_POOL use-encryption=yes
If you use on p...
by LdB
Thu Nov 30, 2023 3:59 am
Forum: General
Topic: Questions about (basic) firewall
Replies: 9
Views: 2141

Re: Questions about (basic) firewall

"1) Firewall Filter, 127.0.0.0 what's the difference between the firewall rule add action=accept chain=input dst-address=127.0.0.1 and src-address=127.0.0.1?"
source address = the rule applies to packets leaving 127.0.0.0 AKA sending from that IP
destination address = the rule applies to packets comi...
by LdB
Thu Nov 30, 2023 3:28 am
Forum: General
Topic: Clients not able to browse internet running a CCR2004-16G-2S
Replies: 2
Views: 1223

Re: Clients not able to browse internet running a CCR2004-16G-2S

Your dhcp server doesn't provide any DNS to clients :-)
The router has a DNS which is why it works when plugged into it.

So a DHCP client is connected to the internet and they will be able to ping anywhere; they just can't resolve anything unless they manually set a DNS.
by LdB
Wed Nov 29, 2023 6:03 am
Forum: General
Topic: EoIP
Replies: 3
Views: 1806

Re: EoIP

It isn't how you originally did it, but the simple way is to set transit IPs on the EOIP tunnels and a static route to each user. You haven't said if guy 2 and guy 3 were directly connected; for the exercise I will assume so. So on your router: On EOIP to second guy put address 10.10.10.1/30 and on EOIP ...
by LdB
Wed Nov 29, 2023 5:07 am
Forum: General
Topic: OpenVPN site2site problem
Replies: 2
Views: 1315

Re: OpenVPN site2site problem

You are adding the "default route" ... go to ip/route and watch what it does :-) The tunnel comms and keep-alive traffic have to go out the normal internet gateway, NOT DOWN THE TUNNEL. The moment that route gets added the tunnel will then drop, and then the route removes and the tunnel will r...
by LdB
Wed Nov 29, 2023 4:44 am
Forum: General
Topic: Forwarding Radius authentication traffic to specific WAN
Replies: 3
Views: 1147

Re: Forwarding Radius authentication traffic to specific WAN

It's actually easier than that: on the radius setup you can set a source IP (on winbox it's the last entry right down the bottom).

So just set WAN1 public IP as the source IP for the radius server and it will exit that interface.
by LdB
Wed Nov 22, 2023 6:50 am
Forum: Forwarding Protocols
Topic: BGP filter with as-path
Replies: 6
Views: 2459

Re: BGP filter with as-path

Accept
if (dst in xxx.xxx.xxx.0/24 && dst-len in 24-32) { accept; }
Reject
if (dst in xxx.xxx.xxx.0/24 && dst-len in 24-32) { reject; }
by LdB
Wed Nov 22, 2023 6:28 am
Forum: General
Topic: Assign Public IP's with DHCP
Replies: 7
Views: 1540

Re: Assign Public IP's with DHCP

If you are getting invalid password then remember:
"When MAC authentication is configured, the ICX device authenticates the client using the MAC address and the RADIUS server. The device uses the MAC address for both the username and the password in the request sent to the RADIUS server. Several forma...
by LdB
Wed Nov 22, 2023 6:14 am
Forum: General
Topic: Using different external DNS-Server for different LANs
Replies: 2
Views: 1056

Re: Using different external DNS-Server for different LANs

You can if you run DHCP in each LAN; then on winbox under /ip/dhcp server go to the Networks tab, click on the DNS box for each DHCP server you want to change and change it :-) Obviously the tik itself has only one DNS, but you can use other local ones or external. So something like this is what you can...
by LdB
Wed Nov 22, 2023 5:38 am
Forum: General
Topic: multi vlan with multi wan setup
Replies: 21
Views: 3267

Re: multi vlan with multi wan setup

It is simply telling you you can't mark traffic on the input chain on an output interface. The question is why you are trying to mark the traffic, which is a complete tangent to what you asked. In your config you have EXACTLY ONE SRC-NAT/MASQUERADE:
/ip firewall nat add action=masquerade chain=srcnat o...
by LdB
Wed Nov 22, 2023 5:28 am
Forum: General
Topic: Clients on station not reachable [SOLVED]
Replies: 10
Views: 1941

Re: Clients on station not reachable [SOLVED]

You don't have a src-nat or masquerade on the LANs ;-)

Your setup of the masquerade failed ... see this line in your post
# in/out-interface matcher not possible when interface (wlan2) is slave - use master instead (bridgeLocal)
by LdB
Wed Nov 22, 2023 5:03 am
Forum: General
Topic: Routing Different Network Segments to specific Ports
Replies: 7
Views: 1349

Re: Routing Different Network Segments to specific Ports

It's just a straight source route from the IP ranges, exactly as you described. The exact how depends on the mikrotik router OS version, but search source-routing for OS6 or OS7, whichever you are on. Latest OS7 link which covers both ways, mark and route table OR route rules: https://help.mikrotik.com/docs/...
by LdB
Tue Nov 21, 2023 5:25 am
Forum: General
Topic: multi vlan with multi wan setup
Replies: 21
Views: 3267

Re: multi vlan with multi wan setup

You aren't making sense; the line you need is a NAT rule, it's that simple. FYI the traffic first comes out from the VLAN ... aka a computer inside the VLAN tries to connect to the internet. The internet doesn't know or care about your VLANs until the traffic is NATed and sent via a public WAN IP. So no...
by LdB
Tue Nov 21, 2023 4:57 am
Forum: General
Topic: Routing Different Network Segments to specific Ports
Replies: 7
Views: 1349

Re: Routing Different Network Segments to specific Ports

The obvious question is why you are trying to break the network into segments per port; why not just run different networks per port?
It's generally easier to connect already segmented networks because it just requires basic routing.
by LdB
Mon Nov 20, 2023 4:38 am
Forum: General
Topic: Help with whitelisting
Replies: 5
Views: 1272

Re: Help with whitelisting

Windows Update requires TCP ports 80, 443, and 49152-65535; it's on the MS website.

The initial stuff is via the standard ports HTTP then it gets a server IP and one of those high ports to do the actual exchange.
by LdB
Mon Nov 20, 2023 3:43 am
Forum: General
Topic: multi vlan with multi wan setup
Replies: 21
Views: 3267

Re: multi vlan with multi wan setup

NAT'ing into the VLANs is done via a masquerade or src-nat under your /ip/firewall/nat settings add them as required. https://help.mikrotik.com/docs/display/ROS/NAT Either src-nat or masquerade is a one line entry per VLAN with the right LAN IPs required to the desired WAN interface or Public IP. T...
by LdB
Sun Nov 19, 2023 6:16 am
Forum: General
Topic: Assign Public IP's with DHCP
Replies: 7
Views: 1540

Re: Assign Public IP's with DHCP

If you don't tick it then it assumes that you are using local login and have entered the user and password into that secrets list
by LdB
Sat Nov 18, 2023 10:03 am
Forum: General
Topic: Assign Public IP's with DHCP
Replies: 7
Views: 1540

Re: Assign Public IP's with DHCP

It's as basic as you described 1.) Setup Pool of public IPs under /ip/pool 2.) Setup radius server ticking the dhcp box 3.) Under /ppp/secrets click on PPP Authentication & Accounting and tick "use Radius" 4.) Setup DHCP server under /ip/DHCP server setting the "use Radius" s...
by LdB
Sat Nov 18, 2023 9:43 am
Forum: General
Topic: MAC address 000000000000 with many DHCP leases
Replies: 1
Views: 876

Re: MAC address 000000000000 with many DHCP leases

From memory it happens when you run out of free lease IPs AKA every IP in the DHCP pool is in use.
Likely cause: you have too long a lease time and old leases haven't dropped off.

Pretty basic to check: list the leases by IP and check against the pool.
by LdB
Sat Nov 18, 2023 9:35 am
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 12
Views: 1979

Re: Problems with mangle-rules on RouterOS 7.12

I am on different hardware mainly CCR2004, CCR2116 which are ARM64 based and it's just annoying not fatal as per your hardware :-)
by LdB
Sat Nov 18, 2023 9:30 am
Forum: General
Topic: Small Feature request
Replies: 2
Views: 883

Re: Small Feature request

Nope not even close it's a classic problem for an ISP or company with a transit router. The router is just lots of transit links or AS routes with route tables made of statics and some BGP aka where to send packets. So now you want to connect to an NTP server client and so your NTP request packet wi...
by LdB
Fri Nov 17, 2023 6:59 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 3032

Re: GRE over IPSEC - cannot reach clients

Sindy this is what he says [quote = @kissge83] In the capture, there are 20 ping attempts in the beginning from 10.1.1.193 (local) to 10.77.0.1 (external): ping src-address=10.1.1.193 10.77.0.1 --> I could not see any packet in the capture file, where the destination is 10.77.0.1 for this, even thou...
by LdB
Fri Nov 17, 2023 6:39 pm
Forum: General
Topic: Problems with mangle-rules on RouterOS 7.12
Replies: 12
Views: 1979

Re: Problems with mangle-rules on RouterOS 7.12

I do your trick of putting the 3 rules because I got sick of what is obviously a bug in OS7 that either the pre-routing or the output mark routing doesn't work. I generally need it for out of band GSM access and I want traffic from the GSM to go back out the GSM and got that problem a lot. If neithe...
by LdB
Fri Nov 17, 2023 6:11 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 3032

Re: GRE over IPSEC - cannot reach clients

You are stating and seeing exactly what I am seeing as well no packets exit the far end of the tunnel from the tunnel IP which is why you can't ping or route thru it. The only way I can fix the problem is by simply putting a /30 on each end of the GRE interfaces and I can route and ping thru those and ...
by LdB
Fri Nov 17, 2023 11:20 am
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 3032

Re: GRE over IPSEC - cannot reach clients

@Sindy You are usually correct but in this I can assure you on OS7.12 you can't IP route thru the GRE tunnel IP's. It is definitely not how a CISCO does it but having played with these since upgrading a pile of tiks to OS7 it seems to be a fact at least on ARM64 and MIPSBE architecture. If you WireS...
by LdB
Fri Nov 17, 2023 10:53 am
Forum: General
Topic: Small Feature request
Replies: 2
Views: 883

Small Feature request

Any chance we can get preferred source IP on NTP Client.

The number of times I run into the issue where the source IP the mikrotik chooses for that service is wrong and then you have to do hijinks to mangle or static route it to fix is more than annoying.
by LdB
Fri Nov 17, 2023 10:47 am
Forum: General
Topic: PPPoE Client and Server bug
Replies: 1
Views: 812

Re: PPPoE Client and Server bug

You sure you have the right setting on "add default route" because to me it looks like the default route gets dorked when the PPPoE connects.
by LdB
Mon Nov 13, 2023 1:35 pm
Forum: General
Topic: GRE over IPSEC - cannot reach clients
Replies: 19
Views: 3032

Re: GRE over IPSEC - cannot reach clients

You need to read again what rplant did and understand it. You can not "IP route" thru the GRE addresses they do not form a proper network they are just tunnel ends even if they have what looks like a network between them. You will find you can change to /32 non connected network IPs and th...
by LdB
Mon Nov 13, 2023 1:01 pm
Forum: General
Topic: Limit bandwidth to internet of MikroTik router itself?
Replies: 4
Views: 894

Re: Limit bandwidth to internet of MikroTik router itself?

On the simple queue you can select an interface rather than an IP via the drop down
by LdB
Fri Nov 10, 2023 9:01 am
Forum: General
Topic: Redirecting all traffic from a specified device via VPN (L2TP)
Replies: 5
Views: 885

Re: Redirecting all traffic from a specified device via VPN (L2TP)

On most VPN clients like a windows/mac machines you can choose that on an advanced setup tab.

FYI it's called split tunneling
https://cybernews.com/what-is-vpn/split-tunneling/
by LdB
Fri Nov 10, 2023 8:19 am
Forum: General
Topic: IPSEC Tunnel Established but not able to ping hosts
Replies: 10
Views: 2415

Re: IPSEC Tunnel Established but not able to ping hosts

The static route needs to go into main gateway router >>> NOT <<< the VPN router and so question is that also a mikrotik? On a mikrotik command is /ip route add dst-address=10.79.15.0/24 gateway=192.168.9.110 If the main router is something else you will need to work out how to add a static route.
by LdB
Thu Nov 09, 2023 8:04 am
Forum: General
Topic: IPSEC Tunnel Established but not able to ping hosts
Replies: 10
Views: 2415

Re: IPSEC Tunnel Established but not able to ping hosts

Reading this statement. using command ping src-address=10.79.15.100 192.168.9.110 = I am able to ping the mikrotik branch1 router. but unable to ping the host connected to the same router. We can guess the remote VPN router IS NOT THE NETWORK GATEWAY ROUTER to the remote network :-) Explanation: Ma...
by LdB
Thu Nov 09, 2023 3:35 am
Forum: General
Topic: Route display filtering
Replies: 0
Views: 1336

Route display filtering

With OS7 bgp changes when you connect to a large ISP exchange peer you get a massive number of routes (in my case > 250K) I know you can sort of filter down display using the "input Accept NLRI" but that doesn't really help on a peer because you can't really use a static address list on a ...
by LdB
Thu Nov 02, 2023 3:29 am
Forum: General
Topic: PPPOE monthly reset script not working on OS7
Replies: 2
Views: 613

Re: PPPOE monthly reset script not working on OS7

Sigh yes you are right ... had I been more observant the log says it all
Nov/01/2023 00:00:00 memory script info PPP NOT Reset
Thank you very much for taking time to answer that I failed to notice the obvious.
by LdB
Wed Nov 01, 2023 4:28 am
Forum: General
Topic: PPPOE monthly reset script not working on OS7
Replies: 2
Views: 613

PPPOE monthly reset script not working on OS7

This following script has always worked flawlessly on OS6 but is failing on OS7. It actually runs on the first of each month but won't kick the connections Just wondering if anyone can see the problem? :if ([/system clock get date]~"/01/") do={ /ppp/active/remove [/ppp/active/find] :log inf...
by LdB
Wed Sep 13, 2023 6:12 pm
Forum: General
Topic: communication between the TP-Link controller and the Wi-Fi access points
Replies: 2
Views: 1047

Re: communication between the TP-Link controller and the Wi-Fi access points

The TP-Link OC300 controller requires a hybrid port and you haven't made it properly on the mikrotik You need to understand the discovery works on the untagged part of the port usually called VLAN 1 or PVID 1 The adoption is on a tagged VLAN or VID ... depends on what terminology you are familiar wit...
by LdB
Wed Sep 13, 2023 5:51 pm
Forum: General
Topic: Mixed mikrotik with tagged/untagged Vlans
Replies: 7
Views: 1051

Re: Mixed mikrotik with tagged/untagged Vlans

What is left out of this whole conversation because some have very limited things they do Do you need IP's in the VLAN at the bridge point????? So are you a) trying to make a basic dumb VLAN switch replacement b) need to route or access thru the VLANS at the bridge point For example of B .... if you...
by LdB
Wed Sep 13, 2023 5:34 pm
Forum: General
Topic: Unique public static IP on VPN
Replies: 3
Views: 802

Re: Unique public static IP on VPN

One line answer a slash /30 transit on the ip tunnel ends and add static routes to each router Details OFFICE A TUNNEL END ============= OFFICE B TUNNEL END 10.55.55.1/30 ................................... 10.55.55.2/30 You should be able to ping each router from other via 10.55.55.xxx Then just ...
by LdB
Tue Aug 29, 2023 11:25 am
Forum: General
Topic: CCR2216 SFP interface's not responding
Replies: 5
Views: 2104

Re: CCR2216 SFP interface's not responding

Auto-negotiation on SFP has been broken in OS7 on a lot of hardware it's not specific to CCR2216

Hardware I have had the issue on PowerBox Pro, CCR2004, CCR1036, CCR2116

On the plus side at least the SFP LEDs default setup is correct unlike on OS6 :-)
by LdB
Fri Aug 25, 2023 12:17 pm
Forum: General
Topic: Mikrotik Router cannot access Specific Websites
Replies: 7
Views: 1887

Re: Mikrotik Router cannot access Specific Websites

MTU issue: when you have a mismatch you can't log in to any secure sites like banks or financial companies.

It shouldn't be random sites it will be very specific sites and consistently so :-)
by LdB
Fri Aug 25, 2023 12:11 pm
Forum: General
Topic: Link down, link up on all ports
Replies: 6
Views: 2072

Re: Link down, link up on all ports

The EAP225 Outdoor is POE :-)

Have you got the cables in the right way around and there is a lot that can go wrong on the power pack injector block. Won't be the first POE injector to die nor the last.
by LdB
Fri Aug 18, 2023 6:00 pm
Forum: General
Topic: Multi Gateway - Multi routing with PPPOE distribution
Replies: 5
Views: 1284

Re: Multi Gateway - Multi routing with PPPOE distribution

Works different on OS7 there are two ways to do it 1.) Use main table and the rules tab under routing to make two policy routes 2.) Make a new table and enable in fib under routing for each ISP. Mangle marking will be on output using src-address to apply the mark to the ISP route is 0.0.0.0/0 to...
by LdB
Fri Aug 18, 2023 5:35 pm
Forum: General
Topic: How to forward FQDN to local network
Replies: 18
Views: 3659

Re: How to forward FQDN to local network

That is a very messy way of doing it apache and nginx servers can do all that without getting the router involved it's called "Virtual Hosting".

You are re-inventing the wheel in a complicated and horrible way.
by LdB
Fri Aug 18, 2023 5:25 pm
Forum: General
Topic: Routing
Replies: 4
Views: 989

Re: Routing

Your IP block comes from Information Technology Company (ITC) in Iran https://www.whois.com/whois/78.38.26.1 If they didn't give you a transit /30 then The gateway will be 78.38.26.1 the network is 78.38.26.0 and the broadcast is 78.38.26.63 Create a pool from .2 to .62 /ip pool /add name=publicpool...
by LdB
Wed Aug 16, 2023 5:23 am
Forum: General
Topic: VLANs over Airfiber P2P - cant access radios anymore
Replies: 4
Views: 1505

Re: VLANs over Airfiber P2P - cant access radios anymore

You should be able to simply change the port on the tik to one radio to untagged management (access mode) and then access them as you have the right IP range. Remember when you do it all the data thru the link will stop so make sure you do it from the end you are not relying on passing thru the radi...
by LdB
Tue Aug 15, 2023 11:23 am
Forum: General
Topic: VLANs over Airfiber P2P - cant access radios anymore
Replies: 4
Views: 1505

Re: VLANs over Airfiber P2P - cant access radios anymore

Sounds like you didn't set the airfibre management VLAN ID :-)

If you didn't the airfibre IP is still in default VLAN 1 and not in the VLAN you are expecting it in and hence not accessible.
by LdB
Tue Aug 15, 2023 11:00 am
Forum: General
Topic: Nat for ipsec with same subnets
Replies: 6
Views: 1418

Re: Nat for ipsec with same subnets

We need to understand why you are hellbent on having overlapping subnets ... it's a lot easier to not :-)
by LdB
Tue Aug 15, 2023 10:19 am
Forum: General
Topic: srcnat local IP to public IP address
Replies: 1
Views: 684

Re: srcnat local IP to public IP address

You need to confirm your route out the WAN interface and the src-nat is working Check this works first ping 8.8.8.8 src-address=111.111.111.111 If that works then test the source-nat ping 8.8.8.8 src-address=192.168.255.1 If that all works then it is just the VPN settings which is having trouble tra...
by LdB
Thu Jul 20, 2023 6:12 pm
Forum: General
Topic: Route OpenVPN traffic via IPSec
Replies: 4
Views: 1503

Re: Route OpenVPN traffic via IPSec

There isn't really any issue you just need IP routes both ways thru the transits. You will need statics in each router I can see the QNAP NAS is 192.168.0.20 but you haven't told us what the IP is for the router so I will assume it is 192.168.0.1 Static route in QNAP NAS 192.168.5.0/24 next-hop ...
by LdB
Thu Jul 20, 2023 5:18 pm
Forum: General
Topic: How to set Mikrotik default IP
Replies: 3
Views: 1274

Re: How to set Mikrotik default IP

You miss the point you can't select what source IP some services use !!!!! The source IP has zero to do with route table. So let's do it...I have 2 simple static routes 0.0.0.0/0 next hop is some public IP xxx.xxx.xxx.xxx 192.168.0.0/0 next hop is some management gateway I have two addresses on the r...
by LdB
Thu Jul 20, 2023 4:57 pm
Forum: General
Topic: unable to access second router from first router
Replies: 11
Views: 2202

Re: unable to access second router from first router

Last time I got that I had saved the config of one router and loaded it into the second as a shortcut in setting it up. What I forgot is when you do that it transfers the MAC address and you now have two routers with same MAC address and they don't route very well between each other :-) To solve it ...
by LdB
Thu Jul 20, 2023 4:52 pm
Forum: General
Topic: IP route showing BGP filtered routes
Replies: 1
Views: 335

Re: IP route showing BGP filtered routes

I found the answer here https://help.mikrotik.com/docs/display/ROS/Moving+from+ROSv6+to+v7+with+examples Now input.accept-* allows filtering incoming messages directly before they are even parsed and stored in memory, that way significantly reducing memory usage. Regular input filter chain can only ...
by LdB
Tue Jul 18, 2023 8:24 pm
Forum: General
Topic: IP route showing BGP filtered routes
Replies: 1
Views: 335

IP route showing BGP filtered routes

Playing with OS7 bgp and got it working but have an annoying problem that all the filtered routes show up in red ... see below
https://ibb.co/BByZcjC

How do I stop them displaying?
by LdB
Tue Jul 18, 2023 3:43 am
Forum: General
Topic: How to set Mikrotik default IP
Replies: 3
Views: 1274

How to set Mikrotik default IP

Just a question that has always perplexed me how to set default IP that tik itself uses ... this is a generic problem no exact config will help you sort of have to follow the problem. Explanation: On most tik setups we have at least one WAN gateway and at least one Monitoring gateway but those are ...
by LdB
Wed Jul 12, 2023 6:26 pm
Forum: General
Topic: gateway spoof
Replies: 12
Views: 1556

Re: gateway spoof

Get the MAC address of the machine pretending to be the gateway a simple "arp -a" on the command terminal on windows will show it example arp -a Interface: 192.168.1.35 --- 0xc Internet Address Physical Address Type 192.168.1.1 24-5a-4c-d5-87-d6 dynamic 192.168.1.106 b0-e4-d5-ab-7f-87 dyna...
by LdB
Wed Jul 12, 2023 6:10 pm
Forum: General
Topic: PPPoE clients routing (two routing tables)?
Replies: 2
Views: 884

Re: PPPoE clients routing (two routing tables)?

The routing and two pppoe servers should not be connected. pppoe server 1 will have one set of IP pool/ interface and gateway pppoe server 2 will have different IP pool /interface and gateway The routing marking can be off the IP, gateway or interface them being PPPOE servers is irrelevant. For...
by LdB
Wed Jul 12, 2023 5:15 pm
Forum: General
Topic: passthrough in mangle rules
Replies: 2
Views: 523

Re: passthrough in mangle rules

The passthrough only affects the chain movement as anav said. You can control marking based on existing packet, connection or routing marks or use the NOT option on those marks. The default is to ignore all and overmark but that is just the default ... the control is totally up to your marking filte...
by LdB
Fri Feb 24, 2023 6:24 pm
Forum: General
Topic: DHCP server(s) on VLAN issue
Replies: 3
Views: 419

Re: DHCP server(s) on VLAN issue

You never mention creating a network profile .. it's the second tab and not there for good looks.

Hint set the IP into the interface and press the DHCP setup button select that interface and look what it does after you walk thru the questions :-)
by LdB
Fri Feb 24, 2023 6:04 pm
Forum: General
Topic: 3 subnet or just 2? Could you help me?
Replies: 5
Views: 506

Re: 3 subnet or just 2? Could you help me?

If you put all 3 gateways on the mikrotik the networks can see each other unless you have a firewall with rule to prevent it Put 192.168.10.1/24, 192.168.20.1/24 & 192.168.30.1/24 on 3 tik interfaces and see what happens :-) If you src-nat or masquerade each network to the internet interface eac...
by LdB
Sun Jan 08, 2023 7:54 pm
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network [SOLVED]

FYI so you get how commercially naive you are ... an average effective life, given the specified telecommunications assets within TAX rulings predominately have an effective life of 10 years, and protection systems typically have a 15-year effective life. No-one in the Telco industry would turn over...
by LdB
Sun Jan 08, 2023 5:27 pm
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network [SOLVED]

I appreciate your technical background and comments but you are running about -100 in the commercial stakes. The basic fact you are ignoring is who pays for all this extra playing around with a legacy network? The clients don't get anything extra that they are "willing to pay for" from hav...
by LdB
Sun Jan 08, 2023 11:39 am
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network [Solved]

This is getting sidetracked into a waste of time about old legacy equipment which has its own routing, bridges, spanning trees and management networks. As a simple example most CPE have a PPPOE client in the firmware it's strictly IPv4 how would I get it to play with an IPv6 feed? Don't suggest an ext...
by LdB
Sat Jan 07, 2023 11:52 pm
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network

Thanks that is useful information and I will follow those up. Yes what I was explaining is commercial reality the IPv4 /24 blocks are extremely expensive because there is huge demand at the edge. Even if I could get IPV6 space many of my RF and Fibre Links can't carry it because the equipment doesn'...
by LdB
Sat Jan 07, 2023 11:14 pm
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network

Yes I get that but as I said above the TIKs start in open to world so newbies to them will make mistakes and struggle with them. Having used Ciscos, Junipers and Ubi Edgerouters for years it feels a bit like a crash test dummy with your first TIK. If the supply chain strains of current never happene...
by LdB
Sat Jan 07, 2023 10:55 pm
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network

In your world you can't do anything on the internet without IPv6 and IPv4 licenses and most small last mile operations shouldn't be there :-)

or are you saying

Newbie Mikrotik users shouldn't be allowed because Mikrotiks don't start with everything locked off like other vendors?
by LdB
Sat Jan 07, 2023 10:15 pm
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network

Sorry tangent your answer ignores reality >>>> I don't OWN any IP range in IPV6 how would I even know how to route it to where and why? <<<< What I do own and control is IPv4 C class licenses and so I must knock down ANY and ALL IPV6 traffic. At the end of the day I am at the internet edge not in th...
by LdB
Sat Jan 07, 2023 10:28 am
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network

Found it by accident it's dropbox client that triggers the problem not sure if it's malicious or just my setup I have an IP4 only network and these are tiks in the middle of the network The clients have IPV6 ethernet cards and the dropbox client can tunnel directly thru my IPV4 network it ignores al...
by LdB
Fri Jan 06, 2023 9:15 pm
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network

Vecernik87 is correct I can only filter the packets on the output stream .. the initial log was on the receiving tik so you pick them up at source tik and drop them via chain = output interface = the_interface src_address = 0.0.0.0/8 Now you get this log if you log it output: in:(unknown 0) out:ethe...
by LdB
Wed Jan 04, 2023 8:23 am
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

Re: UDP attack from LAN network

Sorry any omission in details is because we are newbies and don't know any better :-) The mikrotik is a CCR-2004-16G-2S+ with O/S 7.6 To mix that up I put a CCR1036-8G-2S+ with OS 6.49.6 No difference both routers showed same behaviour There are 6 VMs all different hardware but all running VMWARE eX...
by LdB
Mon Jan 02, 2023 4:28 am
Forum: General
Topic: UDP attack from LAN network [SOLVED]
Replies: 28
Views: 3576

UDP attack from LAN network [SOLVED]

I have an infected computer somewhere in the VM machines by look I am getting lots of these packets at the router output: in:(unknown 0) out:ether1, connection-state:invalid proto UDP, 0.0.0.0:9001->10.0.2.152:9001, len 1492 I can see it's attacking 10.0.2.152 but how do I work out the source machin...
by LdB
Thu Dec 22, 2022 10:56 am
Forum: General
Topic: Weird IP routing drop for 10 seconds
Replies: 0
Views: 256

Weird IP routing drop for 10 seconds

I have got a weird problem between two Tiks. I have a CCR1036-8G-2S+ running 6.49.6 which has a simple BGP to the ISP to get 2 C classes. That connects and distributes some subnets via a /30 link to a CCR2004-16G-2S+ running 7.5 I also have some private IP ranges just IP routed on the same /30 link ...
by LdB
Tue Nov 15, 2022 3:44 am
Forum: General
Topic: Any way to any and all users on local
Replies: 0
Views: 262

Any way to any and all users on local

We have a remote site that the radius auth connection is broken but we still have internet and tik access.

Just wondering if there is some way to auth everyone locally until we can get there to fix it?
by LdB
Tue Oct 25, 2022 9:13 am
Forum: General
Topic: Port Forwarding. So Simple. So Difficult. [SOLVED]
Replies: 33
Views: 5102

Re: Port Forwarding. So Simple. So Difficult. [SOLVED]

That one way nature makes me believe the device at 192.168.88.2 doesn't have the gateway at 192.168.88.1 it's probably 192.168.88.254.
Been caught like that before it's pretty evident 192.168.88.2 isn't sending anything back to the Tik and so 192.168.88.1 is probably not the gateway.
by LdB
Tue Oct 25, 2022 8:02 am
Forum: General
Topic: Two networks thru Layer 2 that doesn't allow vlans
Replies: 1
Views: 276

Two networks thru Layer 2 that doesn't allow vlans

I have a 500Mb layer 2 circuit from an ISP that isn't allowed to transmit VLANS I have two different networks which I need to transit thru the L2 circuit via two different transit IP's network 1 via 10.73.75.0/30 network 2 via 10.75.75.0/30 I have a ccr2004-16g-2s+ and so what is the best way to ach...
by LdB
Mon Oct 10, 2022 5:05 pm
Forum: General
Topic: Need help with directing traffic over IP-IP tunnel
Replies: 8
Views: 1459

Re: Need help with directing traffic over IP-IP tunnel

In most cases when you setup the VPN tunnel it will add the specific route dynamically :-) In the mode he is using L2TP/IPSec he should have had to set dynamic end points in policies and those dynamic endpoints will end up in the route table .. its automatic Generally the VPN traffic is the last thi...
by LdB
Mon Oct 10, 2022 4:05 pm
Forum: General
Topic: Need help with directing traffic over IP-IP tunnel
Replies: 8
Views: 1459

Re: Need help with directing traffic over IP-IP tunnel

The VPN traffic will either be in the specific network or worse case you can mangle mark it as it enters a.a.a.a Either way it will have a tighter network or router mark and won't end up on the 0.0.0.0/0 default route Need a bit more detail of VPN setup to work that thru all we know at the moment is >>...
by LdB
Mon Oct 10, 2022 4:01 pm
Forum: General
Topic: Bridge two VLAN's
Replies: 5
Views: 700

Re: Bridge two VLAN's

It's a ccr2004-16g-2s+ but I hacked it the way CZFan said The only annoying part of that is you seem to have to make a special remote pool of one and Burn an IP for the PPPOE server itself. I tried not having a PPPOE server local address but it wouldn't work .. I am guessing you have to do something...
by LdB
Mon Oct 10, 2022 11:32 am
Forum: General
Topic: Need help with directing traffic over IP-IP tunnel
Replies: 8
Views: 1459

Re: Need help with directing traffic over IP-IP tunnel

There is no need to NAT the traffic it will automatically NAT when it goes from private IP's to the public IP You just IP route them so stop at step 4 Now on router A send all traffic that isn't local connected thru the IP tunnel to router B /ip route add dst-address=0.0.0.0/0 gateway=10.40.40.1 / O...
by LdB
Mon Oct 10, 2022 11:19 am
Forum: General
Topic: clients try to connect to PPPOE service
Replies: 1
Views: 317

Re: clients try to connect to PPPOE service

Even if possible that makes no sense. So these are customers of another service provider who you want to route their traffic to so they can make the PPPOE authentication Then what you are going to carry all their traffic backward and forward across your network? What you generally want to do is bloc...
by LdB
Mon Oct 10, 2022 10:59 am
Forum: General
Topic: Bridge two VLAN's
Replies: 5
Views: 700

Bridge two VLAN's

I have a bridge with VLAN 145 and a PPPOE server onto that bridge. I have an old network which was connected on VLAN 258 on ether2 What I would really like to do is bridge VLAN 258 on ether2 to the PPPOE server on VLAN 145. I can't easily change VLAN 258 on ether 2 because that requires access and d...
by LdB
Mon Sep 19, 2022 6:12 am
Forum: General
Topic: Moving configs between TIK router models
Replies: 3
Views: 553

Moving configs between TIK router models

I tried moving a config from a CCR1009 to a CCR2004 just using backup and restore and it didn't end well half the config was lost. I have also been caught with when you do this the MAC address gets copied and you have to go along and reset them all. So just wondering what is the preferred way to do ...
by LdB
Wed Sep 07, 2022 6:15 am
Forum: General
Topic: PPPOE client with DHCP NAT for clients
Replies: 0
Views: 1133

PPPOE client with DHCP NAT for clients

I have a PPPOE client setup on a tik which gets a public IP from ISP The router establishes connection and has internet and I can ping anywhere and everywhere I setup the DHCP server onto a ethernet port and have a NAT masquerade from the source IP range to the PPPOE-out interface very basic config ...
by LdB
Tue Aug 30, 2022 4:08 pm
Forum: General
Topic: IPSEC can't ping anything but router [SOLVED]
Replies: 3
Views: 999

Re: IPSEC can't ping anything but router [SOLVED]

Yes all fixed with that ... thanks Sindy
by LdB
Tue Aug 30, 2022 11:20 am
Forum: General
Topic: Simple Queue Bandwidth Distribution
Replies: 2
Views: 518

Re: Simple Queue Bandwidth Distribution

That one is in the manual and can't be answered https://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ#PCQ_Rate_Examples It must be noted that if both limits (pcq-rate and max-limit) are unspecified, queue behavior can be imprecise. So it is strongly suggested to have at least one of these options set. l s...
by LdB
Tue Aug 30, 2022 7:17 am
Forum: General
Topic: IPSEC can't ping anything but router [SOLVED]
Replies: 3
Views: 999

Re: IPSEC can't ping anything but router [SOLVED]

Cheers for help ... the packets are arriving brid... 96.142 57 -> 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 10.0.4.1 brid... 97.144 58 -> 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 10.0.4.1 brid... 98.146 59 -> 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 10.0.4.1 brid... 99.149 60 -> 4C:5E:0C:C5:FB:D3 0A:00:3E:45:52:87 ...
by LdB
Mon Aug 29, 2022 9:23 am
Forum: General
Topic: IPSEC can't ping anything but router [SOLVED]
Replies: 3
Views: 999

IPSEC can't ping anything but router [SOLVED]

I have an IPSEC tunnel running between sites with ip ranges 10.0.4.0/24 and 10.0.220.0/24 setup is as per the wiki with the standard src-nats in the top of rules The site2 has an interface in VLAN220 carrying IP 10.0.220.166/24 From site1 I can ping that interface on site 2 with command and it works...
by LdB
Tue Aug 23, 2022 4:08 pm
Forum: General
Topic: OpenVPN client disconnects every 30sec
Replies: 0
Views: 420

OpenVPN client disconnects every 30sec

I have tried Router OS 7.4 and 6.96 and both do the same Exactly as described above I have the tik set up as an OpenVPN client and it connects perfectly and I can ping etc thru it Then 30 seconds later it will disconnect take 2-3 to re-establish and the cycle goes on and on Log just says it disconnected o...
by LdB
Tue Aug 09, 2022 6:26 pm
Forum: Beginner Basics
Topic: Two mikrotik can't ping
Replies: 6
Views: 766

Re: Two mikrotik can't ping

Ah that is it ... I had indeed restored the config of tik1 on tik2 before clearing tik2.

So I take it from that the MAC is software based and part of the config?
Talk about a gotcha :-)

So how do I clear it to get a unique MAC?
by LdB
Tue Aug 09, 2022 12:16 pm
Forum: Beginner Basics
Topic: Two mikrotik can't ping
Replies: 6
Views: 766

Re: Two mikrotik can't ping

@bpwl Look at the neighbors screen it shows each device mac and its IP .. it was wrong for the 2nd CCR it isn't what it showed it was actually the other tik's MAC Anyhow tried replacing each tik with a different one and when I replace the second one it worked. The neighbors screen now correctly shows ...
by LdB
Tue Aug 09, 2022 9:06 am
Forum: Beginner Basics
Topic: Two mikrotik can't ping
Replies: 6
Views: 766

Two mikrotik can't ping

I have the weirdest problem on something I have done many many times. I have 2 mikrotiks connected by a 5XHD ubiquiti link and weirdly they can't ping each other. I even reset the config on both so there are no firewalls on either. One tik is 192.168.21.1/24, the other is 192.168.21.2/24, the IPs are simply on the e...
by LdB
Fri Jun 24, 2022 6:28 am
Forum: Beginner Basics
Topic: Mikrotik bandwidth access
Replies: 5
Views: 483

Re: Mikrotik bandwidth access

When that happens it usually means you created a loop :-)

Go to the interfaces menu and look at the data flowing in/out the ports, and you will need to supply model and sanitized config for anyone to help.
by LdB
Fri Jun 24, 2022 6:23 am
Forum: Beginner Basics
Topic: Need Help to block access to MT from hotspot users
Replies: 6
Views: 1501

Re: Need Help to block access to MT from hotspot users

It's reasonably well covered in https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router. Essentially you limit access to the router itself to a very limited trusted IP range, and you have not explained where the trusted range interface is. If you need further help we need the ISP(WAN) interface nam...
by LdB
Thu Jun 09, 2022 3:30 pm
Forum: Beginner Basics
Topic: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN
Replies: 24
Views: 2725

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

You can't do it the new way; it won't work on most hardware as the port is neither purely access nor trunk. So you either do it the old way (and work thru the pitfalls) or not at all in most cases. There are also pitfalls for the single bridge config, many of which are listed on your link, so it's no cure...
by LdB
Thu Jun 09, 2022 8:40 am
Forum: Beginner Basics
Topic: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN
Replies: 24
Views: 2725

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Sigh .... I am going to dispense with the stupid names and just leave it as either? as an example this is what you require for a hybrid port Ether? <==========UNTAGGED FILTER=========> Bridge_VLAN1 <=========> Some Tik service VLAN 2221 <==== 2221 TAGGED FILTER =======> Bridge_VLAN2221 <=========> S...
by LdB
Wed Jun 08, 2022 10:14 am
Forum: Beginner Basics
Topic: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN
Replies: 24
Views: 2725

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

You don't need "vlan filtering" (as in the tick box on a bridge) on any of the bridges the ingress filter makes sure each bridge can only see one set of traffic ... if you tick it probably still works but it will be doing nothing. All the bridge is doing is giving you a place to connect an...
by LdB
Tue Jun 07, 2022 11:15 am
Forum: Beginner Basics
Topic: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN
Replies: 24
Views: 2725

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

At a guess he is trying to make a multi access hotspot via a multi SSID access point .. he sort of describes that in the OP. Each VLAN becomes its own SSID on those APs and the untagged is the management. So in his case it probably goes something like this: untagged = AP management, 2221 = Guest Wifi, 2222...
by LdB
Tue Jun 07, 2022 7:19 am
Forum: Beginner Basics
Topic: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN
Replies: 24
Views: 2725

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

This bit is correct ... with question/proviso ... "bridge-PPPoE & Hotspot" is not a valid interface name on my router and OS. Hence I am going to replace it with a standard name ... let's say "PPPoE-Ether", and you don't need pvid 1, that will be the raw port. So your ether?? port...
by LdB
Mon Jun 06, 2022 9:10 am
Forum: Beginner Basics
Topic: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN
Replies: 24
Views: 2725

Re: Creating multiple VLANs on existing CCR1009-7G-1C-1S+ with active PPPoE and Hotspot without VLAN

Not tried it on Mikrotik but it's common to do that on ubiquiti dream machines ... what you need is a hybrid port. The port contains a PVID (untagged) and any number of VIDs (tagged). Most switches can also do it. If you can do it on a Mikrotik it would be done the same way .... so I tried it on a CC...
by LdB
Fri Jun 03, 2022 10:49 am
Forum: Beginner Basics
Topic: Which MTU size should I set on my interfaces?
Replies: 15
Views: 14615

Re: Which MTU size should I set on my interfaces?

It also requires the ISP getting it right :lol: For example the MTU for the Ubiquiti OLT-4 or OLT-8 GPON head end unit is 1518-1982; you can't set it to anything else and the default is 1518. With the VLAN and GPON and PPPoE overheads that leaves an MTU of 1492 for the customer. I could write a book about how...
by LdB
Fri Jun 03, 2022 9:02 am
Forum: Beginner Basics
Topic: BGP aggregation on OS 6.49.6
Replies: 2
Views: 519

Re: BGP aggregation on OS 6.49.6

Resolved problem with help of a local Mikrotik expert. Issue was I had the "redistribute static" box ticked, which when you put in a static route to a subnet range like /25 /26 /27 etc (suggested by kevinds above and I was doing) sends it out to the upstream and breaks the BGP because it can...
by LdB
Tue May 31, 2022 4:01 pm
Forum: Beginner Basics
Topic: BGP aggregation on OS 6.49.6
Replies: 2
Views: 519

BGP aggregation on OS 6.49.6

I have a BGP session with a C class that needs to be broken down into a /25 and two /26s as static routes to 3 other routers (the BGP router simply distributes). Now if I establish the BGP with a single /24 static route to one router all works great. So I assumed if I turn aggregation on I could do th...
by LdB
Wed May 25, 2022 12:49 pm
Forum: Announcements
Topic: v7.3rc [testing] is released!
Replies: 452
Views: 106073

Re: v7.3beta [testing] is released!

Not sure if anyone has mentioned but /31 link networks are dead in 7.3 beta37
They won't function as nexthop on static routes.
by LdB
Wed Jan 05, 2022 4:33 am
Forum: Beginner Basics
Topic: Virtual Node .. how to do
Replies: 0
Views: 2573

Virtual Node .. how to do

I am trying to do this with live IPs; there are no NATs at all on the router except for private access. balance_inout.jpg I can do each part on its own with a real port but the virtual node is doing my head in. I tried creating a bridge entry as the virtual node and while it looks correct nothing routes. As a...
by LdB
Tue Dec 21, 2021 5:05 pm
Forum: Beginner Basics
Topic: Radius problem [SOLVED]
Replies: 3
Views: 2109

Re: Radius problem [SOLVED]

Why do you have the rule that allows userman access to LOCAL as disabled?????
add action=accept chain=input comment="allow userman to work" disabled=yes src-address=127.0.0.1
by LdB
Fri Aug 20, 2021 9:03 pm
Forum: General
Topic: Bridge filter marking
Replies: 2
Views: 599

Re: Bridge filter marking

It's used on the LAN side of a ubiquiti dream machine as their rate limiting sucks. There are 3 client networks and clients in those networks get different speeds. So the above simply marks the traffic in the VLANs upload and download. The marks get sent to a stock standard pcq queue setup which limi...
by LdB
Fri Aug 20, 2021 7:29 pm
Forum: General
Topic: Dual-wan with failover
Replies: 7
Views: 999

Re: Dual-wan with failover

by LdB
Fri Aug 20, 2021 6:07 pm
Forum: General
Topic: Bridge filter marking
Replies: 2
Views: 599

Bridge filter marking

I have 3 vlans and I want to set a pcq upload/down queue on each, so obviously I need to mark the traffic, but I want asymmetrical upload/download. Currently the only way I have worked out to do this is by having each vlan come into a different ethernet, like so /interface bridge add name=bridge1 /interface b...
by LdB
Fri May 21, 2021 11:12 am
Forum: Beginner Basics
Topic: Load balancing 3 WANS to combined out
Replies: 0
Views: 651

Load balancing 3 WANS to combined out

There are plenty of load balancer examples with NATs but none with live IPs. I have a C class from my ISP and 3 different POPs on 3 links on /32s which must then provide a single WAN out load balanced on another /32 in that class. It sort of works when all 3 links are in but it's hard to work out if th...