MikroTik

LdB

I am trying to get the traffic etc of a fixed static IP on router to radius accounting.

I had the idea of putting a pppoe client with a framed IP on the same bridge as a pppoe server but that doesn't work.

Can anyone think of a way to do it because I am out of ideas.

LdB

My work around was always just to use multiple vlans with multiple PPPOE servers which would make sense why it seems to work given the response. So for example if I have two OLT's I would run a different VLAN to each with there own IP pool range. Never knew why it seemed to work just that it did.

LdB

It's in the manual

In 7 bgp-as-path itself is immutable you can't change it and you can't directly remove individual AS numbers from the AS-PATH using filters.

You will need to find another way.

LdB

In VLAN 150 you mangle mark the distinct subnet(s) with a new route mark and selectively route them You did this for the other traffic it's no different The only trick you may need to apply is have a destination list if vlan 150 traffic has to go locally for certain ip's For example if vlan150 traff...

LdB

If VLAN escape is a risk you have some more serious security problems than that.

What you are saying is you are allowing open and unchecked intra vlan routing and you deserve to be hacked.

The VLANs are there for ease of network reticulation they are not there for security and so ends the sermon.

LdB

It is actually correct and the same when you run BGP or OSPF the tik itself has no idea what source IP to use. The networks either end will work correctly it's only a problem on the tik itself :-) Specifically the two services you can't set source IPs for being dns and ntp won't work much to my angst.

LdB

Still got this problem in spades with an OSPF network surely I can't be alone management (dns) ===== router 1 ======= router 2 ====== router 3 10.0.1.0/24 ............. 10.0.2.0/24 .......... 10.0.3.0/24 ....... 10.0.4.0/24 The management IP is carried on the OSPF how the hell do I tell the stupid D...

LdB

The second tunnel is establishing from the same IP as the first on the default setup there is no way for the tik to be able to work out which tunnel is which. You either need to set remote id fields in your setup OR use a different port or IP for the second tunnel if you want to stay with default se...

LdB

Some admins like me are mean you try to probe stuff they give you a 1 to 3 day blacklist. Did the block occur after you tried to probe something?
If it is a blacklist it will drop of in a couple of days.

LdB

CGGXANNX since you actually bothered to do the testing I may be able to add information to yours because I am trying on the lab bench here based on your results. So configuring normal without your b) or cpu facing interface I have a full DreamMachine DMPro it doesn't work all VID DHCP leases are blo...

LdB

Bullshit I told you above I have tried MPSIBE, ARM and ARM64 devices that I have available This is what gets me people can't even bother to spend 2 minutes to read and it's my fault. Please understand I don't need you to solve a problem or help me ... I was simply trying to understand the behaviour ...

LdB

jbl42 you are correct doing b solves problem as well b) trusted=yes on ether1 and DHCP-snooping on bridge enabled I take it then it's a bug exactly as you worked out. I also tried 7.18.2 and it's unchanged I dumbed it down to a single vid on two ports ... your idea works and the CPU forward facing w...

LdB

I love how we are attacked for reporting a behaviour that seems odd and it takes a mikrotik and 10 minutes to test. CGGXANNX took 10min and tested and confirmed but still that isn't enough .. begs question how many people need to confirm to believe it? Seems weird and even ANAV concluded that it sho...

LdB

You don't need my config 1.) Setup a bridge in new format with a vlan and connect it to two ports one VID (trunk) one PVID (access) 2.) Have a device with a DHCP server in the VID and connect to your VID trunk port 3.) On the other PVID port have a DHCP client device I guarantee you the DHCP client ...

LdB

Got rid on inconsistency and behaviour unchanged as expected :-) What you see is the singular switch the devices are just PC's waiting for DHCP from ether1 (via VID 2) and they all get no DHCP unless that interface is present. Ether 1 is another router with only VIDS 2,5,145 and a DHCP server in VLA...

LdB

mkv you are correct ether 1 pvid should be 1 not 2 ... that doesn't change anything because on ether 1 device there is only vids 2, 5, 145 So to clarify the gateway 10.0.2.1 which has the DHCP comes in on VID 2 on ether 1 So the behaviour on any vid or pvid dragged out on any other ethernet to an ap...

LdB

Below is a config of a very simple bridge setup using new VLAN bridge method The line I am interested in is add interface=bridge name=bridge.vlan2 vlan-id=2 If that line is not in DHCP on VLAN2 will not traverse the bridge yet static IPs work. No IP in it and really you would think does nothing but ...

LdB

This line is weird add action=accept chain=srcnat out-interface-list=LAN src-address=192.168.10.80-192.168.10.99 You want to control the guest WAN IP from the SRC-NAT .... then control it stop messing around add action=src-nat chain=srcnat comment="Guest SRC-NAT to some WAN IP" src-address...

LdB

TDW thank you very much that appears to be correct and I will check it in situ tomorrow. anav there was nothing to export the switch is blank empty that is all it does it's a standard layout for a ubiquiti dream machine. ether 1 is trunk tag in Vlan 145 internet Vlan 3 management ether 2 is DM inter...

LdB

Everytime I try with one it fails because vlan 3 and 145 comes back out eth4. On a single bridge you seem to be only able to have all the tagged ports come out to a port there seems to be no way to remove some of them for a certain ethernet port. On a single bridge vlan3 and 145 are on the tagged li...

LdB

I said that is the old way I can't actually even draw it the new way because I can't even establish how many bridges I need. I am thinking two but not even sure on that

LdB

vlan-problem.jpg I can do the attached image in the old format manually placing vlans under each eth port and using 4 bridges and manually connecting each to bridge exactly as per image. Every time I try program the above in new bridge vlan format so I can simplify program I fail badly. I either en...

LdB

Ran across this today it's not the script that is broken it is the adding the script echos to the log file which lo0oks like a new feature. Then when it runs it finds the terms its scanning for in the text of the script and no ip on the line hence 0.0.0.0 You have to do the clear log entry trick sys...

LdB

Not a known bug, have a number of 2116 and 1036's with PPPOE with no issue on multiple versions of 7. Sounds more like you fell foul of OS changes between 6 and 7 you need to post a non sensitive config export. I would also suggest if you are running pings from mikrotik you set the src-address it ma...

LdB

I am looking forward to you explaining VLAN 1 and VLAN 4095 to him

LdB

I assume rule 0 is active I don't recognize the format If it's active 10.0.1.0/24 is never going out REMOTE UNTIL IT IS NAT'ed Rule 10 seems nonsensical because of rule 0 10.0.1.0/24 packets will I assume use rule 0 Rule 11 works because packets in the route queue matching 10.0.1.0/24 then get NATed...

LdB

They are all being too nice I am just going to say it Why the hell are you putting a LAN IP on the ISP interface and whats with 3 masquerades??? The routter gets an IP from the ISP we know that because you have this /ip dhcp-client add interface=ISP-LINK You told the router where the ISP is with thi...

LdB

Does it work with auto-negotation on that is usually the give away something bad may happen randomly.
Typically what happens is one end goes into half duplex which is always fun

LdB

Okay so you have a prefix count to each so now test they are accepting it fully on the second ISP I don't know why you are ibgp that is just weird but they no doubt told you to do that. Generally iBGP is when same AS to same AS number eBGP is for different AS You clearly have different AS numbers so...

LdB

They always have you just need to write them as a /32 with a /32 gateway route as rextended notes above.

Using /32 routes you can even have multiple customers to the same gateway and you reduce your IP loss by half over /31

I smell stupidity at play.

LdB

Sigh ... Yes I actually have 2, 3 and sometimes 4 BGP sesion with many many prefixes but only Os7 stopped using 6 a while ago None of that changes the mechanics and it's more obvious in winbox ... 1 remote AS one BGP session That is what I am scratching my head at your two ISP have different AS and ...

LdB

Is the PC actually pingable?

If the PC has windows you can't ping it as the firewall drops all ping packets.

LdB

This stands out /ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0 add address=192.168.0.1 interface=Wan1 network=192.168.0.1 add address=192.168.1.100 interface=Wan2 network=192.168.1.100 /ip dhcp-client add comment=defconf disabled=no interface=Wan1 add d...

LdB

Two different providers need two bgp sessions You can't have both there AS numbers on the one session :-) So your configuration above is wrong as in this /routing bgp instance set default as=x add as=***** That is one BGP and one AS number (and also a different remote address)... so you don't have a...

LdB

Does your upstream provider know about the extra range and have they confirm they have adjusted there filters?
You can advertize anything you like but unless they accept it your going nowhere

I haven't used v6 for ages but I think you may have to take bgp down and up again to take new filters.

LdB

Goal 1: each of the 6 static public IPs should traffic to/from its own LAN subnet assuring that all traffic from each LAN subnet uses the corresponding public IP. i.e.: xxx.yyy.zzz.11 <--> 10.11.0.0./22 [ether2] xxx.yyy.zzz.50 <--> 10.50.0.0./22 [ether3] xxx.yyy.zzz.55 <--> 10.55.0.0/22 [ether4] xx...

LdB

The issue comes up if you use the backup config from one router to another. If you want to make a copy of a router config strongly suggest you don't use the backup but export the config :-) The backup copy includes the mac address for the original device and you then have two routers with same mac a...

LdB

You can easily make a hybrid port on a mikrotik easily it is used routinely with ubiquiti unifi networks and the like. The only restriction you have been already told only one unique untagged vlan and as many tagged vlans as you like.

LdB

I don't think the issue is the ISP it sounds quite normal. I take it the lte device switches public ip because it's keep alive time was up and it renegotiates new ip with ISP. The tik is sitting on some NAT behind the public IP and is blissfully unaware the public IP has changed. That about sum it u...

LdB

Converting an old static route network over to a PTP OSPF network. All the link transit ips are being advertized along the length of the OSPF network They are inactive because they are filtered out but I have concerns 1.) They make an enormous clutter in the inactive section of route table ... can I...

LdB

It is unknown unicast, broadcast or multicast traffic ... torch can see it but doesn't know what it is.

Follow the bouncing ball you must be able to work out which interface it's coming in because you will be able to see it the other end.

LdB

Need to clarify a couple of points The radius server simply authenticates it doesn't know or care if the IPs being used are public or private. If you are going to dish out private IP's then you will have a source nat or masquerade from that range to the WAN IP. The ip pool for the hand out can be in...

LdB

reading for you

https://edgeoptic.com/kb_article/unders ... te-select/

LdB

^^^ That the traffic is clearly fragmented ... fix the MTU and prosper

LdB

If you only need 5 ports then you might as well use a small tik as the switch because they are usually cheaper than a small vlan aware switch.

LdB

Yes the problem come up like clockwork on transit routers where the default route is usually some bgp-ospf down emergency recovery route. There is internet everywhere and many transit IPs but you have to use the right source IP to get return path back. Running static routes on a transit router is a ...

LdB

Something that annoys me on complex mikrotik configs is how do you know what source IP the internal tik DNS will use? I usually end up having to jam a /32 static route route to the DNS and use a preferred source IP. On failover configs you may have to use multiples for reachability I thought now we ...

LdB

The only reference to 172.16.172.0/24 in your entire config is an entry on the firewall. The mikrotik has no idea where to send 172.16.172.0/24 traffic it's not in the routing table Try starting by telling the mikrotik where to send the traffic /ip route add disabled=no dst-address=172.16.172.0/24 g...

LdB

What makes me even more savage is I just found if you print on the terminal you don't get the pollution like on the GUI This gives only active ospf routes without the junk inactive (filtered routes) /ip route/print where ospf Pretty please can we get the ability to filter the ospf routes in the GUI ...

LdB

Why cant you just mangle traffic based on interface .. why do you need the IP?

LdB

Is there anyway to filter the display of the OSPF routes like NRLI filter on BGP?

Same problem you can end up with an aweful lot of inactive routes on display on a large OSPF network.

LdB

Ah that may do the trick.

I figured someone had to have run into the problem that they wanted to send only mangle marked traffic into the OSPF.

LdB

Its four routers and the Public route complexity dwarfs the problem of this which is monitoring. However the setup comes up normally with a backup access link so perhaps lets start there So if you have a connection to an ISP and a gsm plugged in for private out of band access So the default route is...

LdB

You don't know it isn't the fritzbox that has developed an issue

What does the tik log say happened?

You could also try putting a switch between the fritzbox and mikrotik and if it still drops out see if it was tik side by looking at log. If it isn't tik side then the fritzbox has the issue.

LdB

I am scratching my head over this one I have a local gateway for all other subnet traffic 0.0.0.0/0 via 10.0.1.1 distance 1 I have an OSPF running for network 10.0.2.0/24 and I want that to go out 10.0.2.1 the router has a 10.0.2.2 address which it correctly advertises it can also see 10.0.2.1 corre...

LdB

Is there any way to stop OSPF redistributing blackhole routes but still redistributing static routes?

LdB

Under /ppp profile the local address needs to be 192.168.10.1
The remote takes an IP from the pool and you then have a network when it connects.

Think about what you are asking the router to when it connects with your current setting and go look at the ip route table when connected

LdB

You have profiles such as "Hope Vineyard Music" but your config doesn't include the profiles. Those profiles can have rate limits and we need to see them.

LdB

You need to tell us more to much much to answer that For example if the API device is on a simple interface you can put a simple a queue on it /queue simple add name=queue1 target=ether1 max-limit=128k/256k More complex vlan/interface/ip/dst port examples will require mangle marks and then a queue b...

LdB

You just source NAT the LAN range to the Public IP or masquerade if the interface Public IP if it is dynamic So in your case the static version is /ip firewall nat add action=src-nat chain=srcnat src-address=192.168.88.0/24 to-addresses= 192.168.10.1 The dynamic masquerade version used most where IS...

LdB

i also have an ikev2 connection configured for my android device and from that connection I can correctly ping and connect to lan devices. We aren't mind readers but from that I assume you are talking about a windows VPN connection and you don't know how to choose the gateway ... aka ticking the bo...

LdB

What you are saying is still nonsensical once you open the PPTP tunnels those tunnels have endpoints which you can use to establish the EOIP and it doesn't expose Mikrotik 2 Router 1 has an IP 172.16.1.2 Router 3 has an IP 172.16.2.2 All you need is a static route in router 1 and 3 so they can IP ro...

LdB

I don't get the point directly open the EOIP between router 1 and 3 if that is what is intended

LdB

You can just click on each interface and do a reset mac address to get rid of the mac address copy issue.

LdB

He is asking how to block them not how to bypass them. As an ISP it is done by a provided IP list from the government and is pushed into the router as a blacklist at regular intervals. You can see an active example dealing with commercial blacklists at hybrid networks https://github.com/HybridNetwor...

LdB

Try

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.10.1 pref-src="" routing-table=tableWAN2 scope=40 suppress-hw-offload=no target-scope=20 vrf-interface=WAN-2-ether5 check-gateway=arp comment="WAN2"

LdB

My guess is the machine you are trying to ping in 10.0.0.xxx has a firewall Open a terminal on the tick and try ping the machine you are trying to access 10.0.0.??? ping 10.0.0.??? src-address=192.168.1.200 Also do a traceroute from a machine in the 192.168.1.xxx range wherever it stops is where the...

LdB

Seriously NO and really NO !!!! Go back and read the ISP gave him 5 /32 IPs he introduced the /24 and I pointed out he doesn't know that which he agreed. He has clarified and as I expected they GAVE HIM A GATEWAY as a /32 as well One other thing that complicates my situation is that my ISP (Verizon ...

LdB

Perhaps lets make you understand the issue the miktoik is the gateway to the 10.0.0.0/24 network Any traffic in that network ends up at the mikrotik it also happens to have a 192.168.1.200 address So anything in the 10.0.0.0/24 network can reach 192.168.1.xxx via 192.168.1.200 Now consider a device ...

LdB

Can we get source IP on bandwidth test tool
Really painful on complex link routers when you can't control what IP the test launches from.

LdB

They will have also given you a gateway for the 5 IPs which is where you send all outbound traffic to internet It might be a /32 or an actual network (/31 /30 /29 etc) often called a transit link where they will give you there end and your end IP. For a /32 The network IP is the /32 address they gav...

LdB

Looks like you are just trying to make a 1:1 map across the tik https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Destination_NAT I am going to assume the networks are /24 as you have not specified /ip firewall nat add chain=dstnat dst-address=192.168.1.121/24 action=netmap to-addresses=192.168....

LdB

The PPP profile for the VPN sets the DNS and WINS server if need be ... set an address don't leave it blank and the client uses it.

Its the last entries before the radio boxes for Change TCP MSS

LdB

I would set the radius source IP to your public IP you expect just to make sure the packets are leaving right interface and address

Next on the Radius server status tab what is happening to the requests are they just timing out?

LdB

This comes up a lot because its hidden away

Goto PPP->Secrets tab click-on the PPP-Authentication&Accounting Button and tick the "use radius" box

LdB

You are completely overthinking it your provider gave you 5 /32 gateways and you have no idea if they come from a/24 that is a complete misunderstanding The VLANs are just isolation and not relevant to the NATs The source NAT is dead simple /ip firewall nat add action=src-nat chain=srcnat src-addres...

LdB

Reduce the MTU the VPN tunnel its to large for the wifi network when you add all the VPN packet overheads in

LdB

People if it was the firewall it wouldn't know about the connection ... forget the firewall he told you this When I press connect on the winbox I can see logs from FG Firewall & Mikrotik so it is hitting the interface but not sure why it is being denied. The actual service has restricted IP rang...

LdB

Check you haven't run out of IPs in pool AKA more clients than IPs .. it does weird stuff when that happens

LdB

The router itself has no access to the internet because there is no default route for unmarked packets. These are your only routes ... do you actually understand what that means? /ip route add dst-address=0.0.0.0/0 gateway=ether1-WANCORP routing-table=WORK add dst-address=0.0.0.0/0 gateway=ether2-WA...

LdB

The internal RDP traffic is being NAT'ed first to the outside router IP. The solution is simple on the firewall setup and entry address for the RDP range So something like /ip firewall address-list add list=RDP-Range address=xxx.xxx.xxx.xxx/yy Now on the outbound NAT goto it's source-address list an...

LdB

On the config you shown have Router 1 knows nothing of 22.22.22.22 R1 is giving you correctly the error message "Invalid argument" because 22.22.22.22 can not be routed and the router is going I don't know what to do with that I am assuming you meant to actually put the address 22.22.22.22...

LdB

There is a reason why CGNAT exists and ipv6 still has resistance which is the legacy. I know from crazy discussions on this forum before where people wanted me to replace solid commercial grade radios worth $100K which will still be running in 20years time because they don't support ipv6 and got ups...

LdB

8.8.8.8 is probably throttling you

https://developers.google.com/speed/public-dns/docs/isp
First statement

High query volumes from a single IPv4 address (or IPv6 /64 network prefix) may be throttled if they exceed these limits.

LdB

I would like to see an export of your bench config because I got different a year ago when deploying and those systems still work today. You would need to send it to mikrotik as a bug report anyhow. I personally still doubt it is a bug just a limitation of the queue system mikrotik uses and any queu...

LdB

Without being argumentative how do you think I worked it all out? ... Exactly that way. In the above you again failed because you said :-) Lol xD Please read my response again where I clearly stated that I changed both the EOIP MTU as well as the WLAN MTU's You aren't supposed to change the EOIP MTU...

LdB

It's not just the ends you have to change you have to do the radios as discussed :-) Did you actually test the link is passing a 1542 packet ... aka check it from tik to tik on a terminal ping xxx.xxx.xxx.xxx size=1542 do-not-fragment If that doesn't go thru then you need to go find what you failed ...

LdB

An EOIP will go thru a smaller MTU that is entirely the point of the standard as you note but it's not a magician the only way it achieves that trick is by breaking the large packet into multiple smaller packets. Its basic physics If you have a sofa and it's bigger than the door the only way you can...

LdB

You have set an EOIP MTU of 1500 and EOIP has an overhead up to 42 bytes and you are sending thru a link and ports with an MTU of 1500 https://help.mikrotik.com/docs/display/ROS/EoIP So every EOIP packet is sent as two packets and so your queue gets it wrong. There are a number of ways to approach i...

LdB

You are very brave you have port 53 exposed to the world and you were so proud of it :-) You clearly didn't read the DNS WIKI did you https://help.mikrotik.com/docs/display/ROS/DNS see this they put it in a green box When DNS server allow-remote-requests are used make sure that you limit access to y...

LdB

We get the problem so go around the issue. At these speeds you are not a domestic customer anymore and you don't want a PPPOE connection because you know there is going to be overheads and MTU clamps. You want a transit link from your upstream provider like any normal ISP would take and in this case...

LdB

Just use a static private IP transit between the modem and the router So lets say on the LAN of the modem you have 192.168.20.1/24 On the CCR you use a suitable static 192.168.20.2/24 to form a transit network Then you just IP route thru it WITHOUT NAT /ip route add distance=1 dst-address=0.0.0.0/0 ...

LdB

That doesn't stop brute force attacks and they can end up ddos-ing the router ... ask the OP you can end up with many very determined attackers. Blacklisting and dropping packets makes the attacks a lot harder as the attack IPs are continually blacklisted and dropped. Okay if they had a massive numb...

LdB

You need to explain what is between site A & B and the unifi setup we aren't mind readers. If the drawing is accurate it's what two towers and you have point-to-point links between them? You probably need VLAN TRUNKS between A & B but as to what VLANS the unifi system is using you said nothi...

LdB

No-one else seems to be having the issue so you are asking them to fix a "bug" that seems isolated to you.

Backup the config and try 7.1.12 what do you have to lose and it may shed some light?
You would likely have a spare router so even just try it with the spare.

LdB

It's actually got worse over time with new versions of winbox. It has nothing to do with CR+LF because often you don't get anywhere near the right text or amount of it and appears to be a clipboard issue. Using an SSH agent like putty and using that to paste text in seems to be better but I have sti...

LdB

To your static routes try adding action=lookup-only-in-table You might get into trouble if this gets more complex you are pre-route marking based on source address ... what if it's just local LAN-LAN traffic. I suspect it wants to be output marked or pre-route with LAN destination exclusions so you ...

LdB

You had it right with the VLANS initially but you need to understand the /30 establishes a network between the devices BUT ONLY for those IPs. The switch will only know about 10.0.0.0/30 not any other network because its a switch and has no default route. If for example you are on a different IP ran...

LdB

Rextended has a script you put in scheduler to run every 5 mins that puts them in a bruteforce_blacklist which you drop on raw filter. Limits the annoyance in logs. That is about all you can do. # Created Jotne && rextended 2022 v1.5 # # This script add ip of user who with "IPSEC negoti...

LdB

Try rolling back to 6.48 which I had a number of CCR1036 running that and BGP with a number of junipers for a long time.

I have long since migrated all the CCR1036 to 7.12 as it wasn't that hard.

LdB

They devices are running a standard DNS check to check if internet is truely there they don't assume it is just because they have an IP. Pretty sure all MAC and some Samsung devices do it.

LdB

Windows will randomly change the IP and domains anyhow to stop hackers trying to pretend to be a windows update. Can I suggest a different tack Windows Update uses TCP port 80, 443 to setup a random port 49152-65535 for the stream. Why don't you first try marking that traffic and see what is in ther...

LdB

It's a broadcast storm it's either malicious or you have a network clash. The first obvious question is you have VLANs why are the cameras on the same VLAN as everything else????? Much easier to diagnose and put queue rate limits on stuff if it isn't all in the same VLAN. The tick will allow access ...

LdB

If they give you multiple trap communities then technically you need multiple source IPs and interfaces so it probably gets more complex than that.

LdB

5XHD only have ethernet interfaces no fibre but I did see that issue with 1Gb fibre on aviat radios. I have something like 30x 5XHD connected to CCR2116 and CCR2004 and haven't seen anything but I am running 7.11.2 on all and the 5XHD are all 1.5.1 firmware (remember there are two firmware involved)...

LdB

If you want security you need to keep things simple and you my friend are down to relying on complex packet marking and if that doesn't raise hairs on the back of your neck it should. Some poor sucker has to maintain this if you leave or get hit by a bus. The obvious answer is spin up a third networ...

LdB

First why in gods name is a remote client connecting to a server on x.x.x.x that is a public IP ... the whole point of the tunnel is to stop having to expose the network to the public IP. The solution works because it is simple and so lets continue along the simple solution path. The blind freddy ob...

LdB

Correct ... Winbox on the interfaces screen has an output of between 50K-250K depending on IPSEC/Tunnel complexity it burns thru GSM data in not time flat.

<edited>

LdB

In your case it's simpler just use two /32 static routes We need to make two new terms which are the gateways for WANs WAN y.y.y.y gateway is y.y.y.gw WAN z.z.z.z gateway is z.z.z.gw So simply specify a /32 route for the EOIP tunnel traffic /ip route add dst-address a.a.a.a/32 gateway=y.y.y.gw add d...

LdB

Yes I know so just open those EOIP tunnels using the Public IP's ... the EOIP tunnels don't give a stuff about the the private IP's unless you want. Start with just two sites with just a matching tunnel id (no ipsec) and the penny should drop because you are over thinking it. Then put the private tr...

LdB

Your linux machine firewall has to be blocking ping responses from 192.168.114.0/24 because that is correct and will work. Really no other option you must have something like ufw running and forgot to allow ping responses thru. You already proved above that anything from 192.168.118.254 is working a...

LdB

So problem is not on the routers we keep coming back to R2 network and the .254 still makes me suspicious. Goto a machine on R2 network and print out the routes On a windows machine on terminal screen route print If we don't get something like below then we slap you :-) Active Routes: Network Destin...

LdB

so on R2 what happens when you do this

ping 192.168.114.150 src-address=192.168.118.254

LdB

They have discussion on dynamic IP on the wireguard is it easy or a good idea probably no

https://nologs-vpn.com/wireguard-dhcp
https://github.com/WireGuard/wg-dynamic ... cs/idea.md

LdB

That will work unless there is a firewall on the device you are trying to ping or R2 is not the gateway of R2 network. So confirm 1.) you can ping the R1 network device from another device on the R1 network 2.) R2 has the gateway of the 192.168.118.0/24 network (normally 192.168.118.1) and you don't...

LdB

Your problem is obvious ... this is wrong /ip route add comment="Route for R1" distance=1 dst-address=192.168.118.0/24 \ gateway=172.16.250.1 As you can ping from R1 to R2 we know that the 192.168.118.0/24 network and machines are on Router 2 So why the hell are you sending 192.168.118.0/2...

LdB

You need to explain the IPs and topology of the network on the remote end of VPN connection. You put both what would be the normal .1 gateway "your end" in the bridges with this /ip address add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0 add address=192.168.89.1/24 inter...

LdB

You just create a pool and use it on the remote address on the profile ... everything else is the same a static IP VPN setup As en example /ip pool add name=VPN_POOL ranges=10.0.0.2-10.0.0.254 /ppp profile add local-address=10.0.0.1 name=VPN remote-address=VPN_POOL use-encryption=yes If you use on p...

LdB

1) Firewall Filter, 127.0.0.0 what's the difference between the firewall rule add action=accept chain=input dst-address=127.0.0.1 and src-address=127.0.0.1? source address = the rule applies to packets leaving 127.0.0.0 AKA sending from that IP destination address = the rule applies to packets comi...

LdB

Your dhcp server doesn't provide any DNS to clients

The router has a DNS which is why it works when plugged into it.

So a DHCP client is connected to the internet and they will be able to ping anywhere they just can't resolve anything unless they manually set a DNS.

LdB

It isn't how you originally did it but the simple way is to set transit ips on the EOIP tunnels and a static route to each user You haven't said if guy 2 and guy3 were directly connected for the excercise I will assume so So on your router On EOIP to second guy put address 10.10.10.1/30 and on EOIP ...

LdB

You are adding the "default route" ... goto ip/route and watch what it does :-) The tunnel comms and keep alive traffic has to go out the normal internet gateway NOT DOWN THE TUNNEL. The moment that route gets added the tunnel will then drop and then the route removes and the tunnel will r...

LdB

It's actually easier than that on the radius setup you can set a source IP (on winbox it's the last entry right down the bottom).

So just set WAN1 public IP as the source IP for the radius server and it will exit that interface.

LdB

Accept

if (dst in xxx.xxx.xxx.0/24 && dst-len in 24-32) { accept; }

Reject

if (dst in xxx.xxx.xxx.0/24 && dst-len in 24-32) { reject; }

LdB

If you are getting invalid password then remember When MAC authentication is configured, the ICX device authenticates the client using the MAC address and the RADIUS server. The device uses the MAC address for both the username and the password in the request sent to the RADIUS server. Several forma...

LdB

You can if you run DHCP in each LAN then on winbox under /ip/dhcp server Goto the networks TAB Click on the DNS box for each DHCP server you want to change and change it :-) Obviously the tik itself has only one DNS but you can use other local ones or external. So something like this is what you can...

LdB

It is simply telling you you can't mark traffic on the input chain on an output interface. The question is why are you trying to mark the traffic which is a complete tangent to what you asked. In your config you have EXCTLY ONE SRC-NAT/MASQUERADE /ip firewall nat add action=masquerade chain=srcnat o...

LdB

You don't have a src-nat of masquerade on the LANs

Your setup of the masquerade failed ... see this line in your post

# in/out-interface matcher not possible when interface (wlan2) is slave - use master instead (bridgeLocal)

LdB

It's just a straight source route from the IP ranges exactly as you described. The exact how depends on mikrotik router OS version but search source-routing for OS6 or OS7 whichever you are on. Latest OS7 link which covers both ways mark and route table OR route rules https://help.mikrotik.com/docs/...

LdB

You aren't making sense the line you need is a NAT rule its that simple. FYI the traffic first comes out from the VLAN .. aka a computer inside the VLAN tries to connect to the internet. The internet doesn't know or care about your VLANs until the traffic is NATed and sent via a public WAN IP. So no...

LdB

The obvious question is why you are trying to break the network into segments per port why not just run different networks per port.
It's generally easier to connect already segmented networks because it just requires basic routing.

LdB

Windows Update requires TCP port 80, 443, and 49152-65535 it's on the MS website.

The initial stuff is via the standard ports HTTP then it gets a server IP and one of those high ports to do the actual exchange.

LdB

NAT'ing into the VLANs is done via a masquerade or src-nat under your /ip/firewall/nat settings add them as required. https://help.mikrotik.com/docs/display/ROS/NAT Either src-nat or masquerade is a one line entry per VLAN with the right LAN ip's required to the desired WAN interface or Public IP. T...

LdB

If you don't tick it then it assumes that you are using local login and have entered the user and password into that secrets list

LdB

It's as basic as you described 1.) Setup Pool of public IPs under /ip/pool 2.) Setup radius server ticking the dhcp box 3.) Under /ppp/secrets click on PPP Authentication & Accounting and tick "use Radius" 4.) Setup DHCP server under /ip/DHCP server setting the "use Radius" s...

LdB

From memory it happens when you run out of free lease IPs AKA every IP in the DHCP pool is in use.
Likely cause you have too long a lease time and old leases haven't dropped off.

Pretty basic to check list the leases by IP and check against the pool.

LdB

I am on different hardware mainly CCR2004, CVC2116 which are ARM64 based and it's just annoying not fatal as per your hardware

LdB

Nope not even close it's a classic problem for an ISP or company with a transit router. The router is just lots of transit links or AS routes with route tables made of statics and some BGP aka where to send packets. So now you want to connect to an NTP server client and so your NTP request packet wi...

LdB

Sindy this is what he says [quote = @kissge83] In the capture, there are 20 ping attempts in the beginning from 10.1.1.193 (local) to 10.77.0.1 (external): ping src-address=10.1.1.193 10.77.0.1 --> I could not see any packet in the capture file, where the destination is 10.77.0.1 for this, even thou...

LdB

I do your trick of putting the 3 rules because I got sick of what is obviously a bug in OS7 that either the pre-routing or the output mark routing doesn't work. I generally need it for out of band GSM access and I want traffic from the GSM to go back out the GSM and got that problem a lot. If neithe...

LdB

You are stating and seeing exactly what I am seeing as well no packets exit the far end of the tunnel from the tunnel IP which is why you can't ping pr route thru it. The only way I can fix the problem by simply putting a /30 on each end of the GRE interfaces and I can route and ping thru those and ...

LdB

@Sindy You are usually correct but in this I can assure you on OS7.12 you can't IP route thru the GRE tunnel IP's. It is definitely not how a CISCO does it but having played with these since upgrading a pile of tiks to OS7 it seems to be a fact at least on ARM64 and MPSIBE architecture. If you WireS...

LdB

Any chance we can get preferred source IP on NTP Client.

The number of times I run into the issue the source IP the mikrotik chooses for that service is wrong and then you have to do hijinx to mangle or static route it to fix is more than annoying.

LdB

You sure you have the right setting on "add default route" because to me it looks like the default route gets dorked when the PPOE connects.

LdB

You need to read again what rplant did and understand it. You can not "IP route" thru the GRE addresses they do not form a proper network they are just tunnel ends even if they have what looks like a network between them. You will find you can change to /32 non connected network IPs and th...

LdB

On the simple queue you can select an interface rather than an IP via the drop down

LdB

On most VPN clients like a windows/mac machines you can choose that on an advanced setup tab.

FYI it's called split tunneling
https://cybernews.com/what-is-vpn/split-tunneling/

LdB

The static route needs to go into main gateway router >>> NOT <<< the VPN router and so question is that also a mikrotik? On a mikrotik command is /ip route add dst-address=10.79.15.0/24 gateway=192.168.9.110 If the main router is something else you will need to work out how to add a static route.

LdB

Reading this statement. using command ping src-address=10.79.15.100 192.168.9.110 = i am able to ping the mikrotik branch1 router. but unable to ping the host connected to the same router. We can guess the remote VPN router IS NOT THE NETWORK GATEWAY ROUTER to the remote network :-) Explaination: Ma...

LdB

With OS7 bgp changes when you connect to a large ISP exchange peer you get a massive number of routes (in my case > 250K) I know you can sort of filter down display using the "input Accept NLRI" but that doesn't really help on a peer because you can't really use a static address list on a ...

LdB

SIgh yes you are right ... had I been more observant the log says it all

Nov/01/2023 00:00:00 memory script info PPP NOT Reset

Thankyou very much for taking time to answer that I failed to notice the obvious.

LdB

This following script has always worked flawlessly on OS6 but is failing on OS7. It actually runs on the first of each month but wont kick the connections Just wondering if anyone can see the problem? :if ([/system clock get date]~"/01/") do={ /ppp/active/remove [/ppp/active/find] :log inf...

LdB

The TP-Link OC300 controller requires a hybrid port and you haven't made it properly on the mikrotik You need to understand the discovery works on the untagged part of the port usually called VLAN 1 or PVID 1 The adoption is on a tagged VLAN or VID ... depends on what terminology you are familar wit...

LdB

What is left out of this whole conversation because some have very limited things they do Do you need IP's in the VLAN at the bridge point????? So are you a) trying to make a basic dumb VLAN switch replacement b) need to route or access thru the VLANS at the bridge point For example of B .... if you...

LdB

One line answer a slash /30 transit on the ip tunnel ends and add a static routes to each router Details OFFICE A TUNNEL END ============= OFFICE B TUNNEL END 10.55.55.1/30 ................................... 10.55.55.2/30 You should be able to ping each router from other via 10.55.55.xxx Then just ...

LdB

Auto-negotiation on SFP has been broken in OS7 on a lot of hardware it's not specific to CCR2216

Hardware I have had the issue on PowerBox Pro, CCR2004, CCR1036, CCR2116

On the plus side at least the SFP leds default setup is correct unlike on OS6

LdB

MTU issue when you have a mismatch you can't login to any secure sites like banks or financial companies.

It shouldn't be random sites it will be very specific sites and consistantly so

LdB

The EAP225 Outdoor is POE

Have you got the cables in the right way around and there is a lot that can go wrong on the power pack injector block. Wont be the first POE injector to die nor the last.

LdB

Works different on OS7 there are two ways to do it 1.) Use main table and the the rules tab under routing to make two policy routes 2.) Make a new table and enable in fib under routing for each ISP. Mangle marking will be on output using src-address to apply the mark to the ISP route is 0.0.0.0/0 to...

LdB

That is a very messy way of doing it apache and nginx servers can do all that without getting the router involved it's called "Virtual Hosting".

You are re-inventing the wheel in a complicated and horrible way.

LdB

Your IP block comes from Information Technology Company (ITC) in Iran https://www.whois.com/whois/78.38.26.1 If they didn't give you a transit /30 then The gateway will be 78.38.26.1 the network is 78.38.26.0 and the broadcast is 78.38.26.63 Create a pool from .2 to .62 /ip pool /add name=publicpool...

LdB

You should be able to simply change the port on the tik to one radio to untagged management (access mode) and then access them as you have the right IP range. Remember when you do it all the data thru the link will stop so make sure you do it from the end you are not relying on passing thru the radi...

LdB

Sounds like you didn't set the airfibre management VLAN ID

If you didn't the airfibre IP is still in default VLAN 1 and not in the VLAN you are expecting it in and hence not accessible.

LdB

We need to understand why you are hellbent on having overlapping subnets ... its a lot easier to not

LdB

You need to confirm your route out the WAN interface and the src-nat is working Check this works first ping 8.8.8.8 src-address=111.111.111.111 If that works then test the source-nat ping 8.8.8.8 src-address=192.168.255.1 If that all works then it is just the VPN settings which is having trouble tra...

LdB

There isn't really any issue you just need IP routes both way thru the transits. You need will need statics in each router I can see the QNAP NAS is 192.168.0.20 but you haven't told us what the IP is for the router so I will assume it is 192.168.0.1 Static route in QNAP NAS 192.168.5.0/24 next-hop ...

LdB

You miss the point you can't select what source IP some services use !!!!! The source IP has zero to do with route table. So lets do it...I have 2 simple static routes 0.0.0.0/0 next hop is some public IP xxx.xxx.xxx.xxx 192.168.0.0/0 next hop is some management gateway I have two addresses on the r...

LdB

Last time I got that I had saved the config of one router and loaded it into the second as a shortcut in setting it up. What I forgot is when you do that it transfers the MAC address and you now have two routers with same MAC address and they don't route very well between each other :-) To solve it ...

LdB

I found the answer here https://help.mikrotik.com/docs/display/ROS/Moving+from+ROSv6+to+v7+with+examples Now input.accept-* allows filtering incoming messages directly before they are even parsed and stored in memory, that way significantly reducing memory usage. Regular input filter chain can only ...

LdB

Playing with OS7 bgp and got it working but have an annoying problem that all the filtered routes show up in red ... see below

https://ibb.co/BByZcjC

How do I stop them displaying?

LdB

Just a question that has always perplexed me how to set default IP that tik itself uses ... this is a generic problem no exact config will help you sort of have to follow the problem. Explaination: On most tik setups we have at least one WAN gateway and at least one Monitoring gateway but those are ...

LdB

Get the MAC address of the machine pretending to be the gateway a simple "arp -a" on the command terminal on windows will show it example arp -a Interface: 192.168.1.35 --- 0xc Internet Address Physical Address Type 192.168.1.1 24-5a-4c-d5-87-d6 dynamic 192.168.1.106 b0-e4-d5-ab-7f-87 dyna...

LdB

The routing and two pppoe servers should not be connected. pppoe server 1 will have one set of IP pool/ interface and gateway pppoe server 2 will have have different IP pool /interface and gateway The routing marking can be off the IP, gateway or interface them being PPPOE servers is irrelevant. For...

LdB

The passthrough only affects the chain movement as anav said. You can control marking based on existing packet, connection or routing marks or use the NOT option on those marks. The default is to ignore all and overmark but that is just the default ... the control is totally up to your marking filte...

LdB

You never mention creating a network profile .. its the second tab and not there for good looks.

Hint set the IP into the interface and press the DHCP setup button select that interface and look what it does after you walk thru the questions

LdB

If you put all 3 gateways on the mikrotik the networks can see each other unless you have a firewall with rule to prevent it Put 192.168.10.1/24, 192.168.20.1/24 & 192.168.30.1/24 on 3 tik interfaces and see what happens :-) If you src-nat or masquerade each network to the internet interface eac...

LdB

FYI so you get how commercially naive you are ... an average effective life, given the specified telecommunications assets within TAX rulings predominately have an effective life of 10 years, and protection systems typically have a 15-year effective life. No-one in the Telco industry would turn over...

LdB

I appreciate your technical background and comments but you are running about -100 in the commercial stakes. The basic fact you are ignoring is who pays for all this extra playing around with a legacy network? The clients don't get anything extra that they are "willing to pay for" from hav...

LdB

This is getting sidetracked into a waste of time about old legacy equipment which has it's own routing, bridges, spanning trees and management networks. As a simple example most CPE have a PPPOE client in the firmware it's strictly IPv4 how would I get it play with an IPv6 feed? Don't suggest an ext...

LdB

Thanks that is useful information and I will follow those up. Yes what I was explaining is commercial reality the IPv4 /24 blocks are extremely expensive because there is huge demand at the edge. Even if I could get IPV6 space many of my RF and Fibre Links can't carry it because the equipment doesn'...

LdB

Yes I get that but as I said above the TIKs start in open to world so newbies to them will make mistakes and struggle with them. Having used Ciscos, Junipers and Ubi Edgerouters for years it feels a bit like a crash test dummy with your first TIK. If the supply chain strains of current never happene...

LdB

In your world you can't do anything on the internet without IPv6 and IPv4 licenses and most small last mile operations shouldn't be there

or are you saying

Newbie Mikrotik users shouldn't be allowed because Mikrotiks don't start with everything locked off like other vendors?

LdB

Sorry tangent your answer ignores reality >>>> I don't OWN any IP range in IPV6 how would I even know how to route it to where and why? <<<< What I do own and control is IPv4 C class licenses and so I must knock down ANY and ALL IPV6 traffic. At the end of the day I am at the internet edge not in th...

LdB

Found it by accident it's dropbox client that triggers the problem not sure if it's malicious or just my setup I have an IP4 only network and these are tiks in the middle of the network The clients have IPV6 ethernet cards and the dropbox client can tunnel directly thru my IPV4 network it ignores al...

LdB

Vecernik87 is correct I can only filter the packets on the output stream .. the initial log was on the receiving tik so you pick them up at source tik and drop them via chain = output interface = the_interface src_address = 0.0.0.0/8 Now you get this log if you log it output: in:(unknown 0) out:ethe...

LdB

Sorry any omission in details is because we are newbie and don't know any better :-) The mikrotik is a CCR-2004-16G-2S+ with O/S 7.6 To mix that up I put a CCR1036-8G-2S+ with OS 6.49.6 No difference both routers showed same behaviour There are 6 VM's all different hardware but all running VMWARE eX...

LdB

I have an infected computer somewhere in the VM machines by look I am getting lots of these packets at the router output: in:(unknown 0) out:ether1, connection-state:invalid proto UDP, 0.0.0.0:9001->10.0.2.152:9001, len 1492 I can see it's attacking 10.0.2.152 but how do I work out the source machin...

LdB

I have got a weird problem between two Tiks. I have a CCR1036-8G-2S+ running 6.49.6 which has a simple BGP to the ISP to get 2 C classes. That connects and distributes some subnets via a /30 link to a CCR2004-16G-2S+ running 7.5 I also have some private IP ranges just IP routed on the same /30 link ...

LdB

We have a remote site that the radius auth connection is broken but we still have internet and tik access.

Just wondering if there is some way to auth everyone locally until we can get there to fix it?

LdB

That one way nature makes me believe the device at 192.168.88.2 doesn't have the gateway at 192.168.88.1 it's probably 192.168.88.254.
Been caught like that before it's pretty evident 192.168.88.2 isn't sending anything back to the Tik and so 192.168.88.1 is probably not the gateway.

LdB

I have a 500Mb layer 2 circuit from an ISP that isn't allowed to transmit VLANS I have two different networks which I need to transit thru the L2 circuit via two different transit IP's network 1 via 10.73.75.0/30 network 2 via 10.75.75.0/30 I have a ccr2004-16g-2s+ and so what is the best way to ach...

LdB

In most cases when you setup the VPN tunnel it will add the specific route dynamically :-) In the mode he is using L2TP/IPSec he should have had to set dynamic end points in policies and those dynamic endpoints will end up in the route table .. its automatic Generally the VPN traffic is the last thi...

LdB

The VPN traffic will either in the specific network or worse case you can mangle mark it as it enters a.a.a.a Either way it will have a tighter network or router mark and won't end up on the 0.0.0.0/0 default route Need a bit more detail of VPN setup to work that thru all we know at the moment is >>...

LdB

It's a ccr2004-16g-2s+ but I hacked it the way CZFan said The only annoying part of that is you seem to have to make a special remote pool of one and Burn an IP for the PPPOE server itself. I tried not having a PPPOE server local address but it wouldn't work .. I am guessing you have to do something...

LdB

There is no need to NAT the traffic it will automatically NAT when it goes from private IP's to the public IP You just IP route them so stop at step 4 Now on router A send all traffic that isn't local connected thru the IP tunnel to router B /ip route add dst-address=0.0.0.0/0 gateway=10.40.40.1 / O...

LdB

Even if possible that makes no sense. So these are customers of another service provider who you want to route there traffic to so they can make the PPPOE authentication Then what you are going to carry all there traffic backward and forward across your network? What you generally want to do is bloc...

LdB

I have a bridge with VLAN 145 and a PPPOE server onto that bridge. I have an old network which was connected on VLAN 258 on ether2 What I would really like to do is bridge VLAN 258 on ether2 to the PPPOE server on VLAN 145. I can't easily change VLAN 258 on ether 2 because that requires access and d...

LdB

I tried moving a config from a CCR1009 to a CCR2004 just using backup and restore and it didn't end well half the config was lost. I have also been caught with when you do this the MAC address gets copied and you have to go along and reset them all. So just wondering what is the preferred way to do ...

LdB

I have a PPPOE client setup on a tik which gets a public IP from ISP The router establishes connection and has internet and I can ping anywhere and everywhere I setup the DHCP server onto a ethernet port and have a NAT masquerade from the source IP range to the PPPOE-out interface very basic config ...

LdB

Yes all fixed with that ... thanks Sindy

Search found 225 matches