Community discussions

Search found 433 matches

by TheCat12
Sat Nov 23, 2024 11:55 pm
Forum: Beginner Basics
Topic: WAN interface intermittently receiving DHCP from DHCP server
Replies: 5
Views: 578

Re: WAN interface intermittently receiving DHCP from DHCP server

Maybe I'm blind but I don't see anything irregular in the configuration you have provided besides the following thing:
/interface bridge
add add-dhcp-option82=yes admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=\
    "LAN bridge" dhcp-snooping=yes name=bridge1
It's probably best to remove it s...
by TheCat12
Tue Nov 19, 2024 10:43 pm
Forum: Beginner Basics
Topic: ipsec between two mikrotiks
Replies: 5
Views: 743

Re: ipsec between two mikrotiks

introduction, there are two devices on the Internet with public IPv4, no NAT and masquerading, no local subnets,
A masquerade is always needed to access the internet:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN ipsec-policy=out,none
And no local subnets sounds impossi...
by TheCat12
Sun Nov 17, 2024 1:34 pm
Forum: Beginner Basics
Topic: ipsec between two mikrotiks
Replies: 5
Views: 743

Re: ipsec between two mikrotiks

For the firewall it's easy - you add two rules allowing input from UDP 500 and 4500 and IPsec ESP on the IPsec server. For the policies it depends what subnets you want to route through the tunnel
by TheCat12
Wed Nov 06, 2024 6:41 pm
Forum: General
Topic: Routing all traffic through Site A over IKEv2 or IKEv2 and EOIP
Replies: 9
Views: 755

Re: Routing all traffic through Site A over IKEv2 or IKEv2 and EOIP

The aforementioned policies should be added as additional ones to the template. As to why does the Wireguard get affected, I can't really tell
by TheCat12
Wed Nov 06, 2024 9:41 am
Forum: General
Topic: Routing all traffic through Site A over IKEv2 or IKEv2 and EOIP
Replies: 9
Views: 755

Re: Routing all traffic through Site A over IKEv2 or IKEv2 and EOIP

I forgot that you wanted to route all traffic through IKEv2. Luckily, it's a matter of a few small changes on Router B:
/ip ipsec policy
add action=none src-address=192.168.95.0/24 dst-address=192.168.95.0/24
add action=encrypt level=unique proposal=ikev2 src-address=192.168.95.0/24 dst-address=0.0....
by TheCat12
Wed Nov 06, 2024 12:02 am
Forum: General
Topic: Routing all traffic through Site A over IKEv2 or IKEv2 and EOIP
Replies: 9
Views: 755

Re: Routing all traffic through Site A over IKEv2 or IKEv2 and EOIP

On Router A:
/ip ipsec policy
add action=encrypt tunnel=yes proposal=ikev2 src-address=10.0.88.0/24 dst-address=192.168.95.0/24
On Router B:
/ip ipsec policy
add action=encrypt tunnel=yes proposal=ikev2 dst-address=10.0.88.0/24 src-address=192.168.95.0/24
by TheCat12
Tue Nov 05, 2024 9:47 am
Forum: General
Topic: Routing all traffic through Site A over IKEv2 or IKEv2 and EOIP
Replies: 9
Views: 755

Re: Routing all traffic through Site A over IKEv2 or IKEv2 and EOIP

It is possible to route traffic without EoIP with the appropriate policies but an exported config is advisable:

export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)
by TheCat12
Tue Nov 05, 2024 9:35 am
Forum: Beginner Basics
Topic: Problem with failover to backup ISP [SOLVED]
Replies: 10
Views: 857

Re: Problem with failover to backup ISP [SOLVED]

I think the two default routes that are with direct gateways to the ISPs, i.e. the ones without comment, are messing around with the failover. Disable them and try tripping the ISP into switching over again
by TheCat12
Sun Nov 03, 2024 4:14 pm
Forum: Beginner Basics
Topic: Separate internet while using 3 modems
Replies: 12
Views: 931

Re: Separate internet while using 3 modems

Looking at the diagram, the following setup would suffice - bridge ether1 with ether4, ether2 with ether5, ether3 with ether6, create an interface list for the bridges and add them to it accordingly and then create the following firewall rule:
/ip firewall filter
add action=accept chain=forward in-i...
by TheCat12
Sat Nov 02, 2024 1:09 pm
Forum: Beginner Basics
Topic: Separate internet while using 3 modems
Replies: 12
Views: 931

Re: Separate internet while using 3 modems

The image of the diagram is a bit broken. Could you repost it somehow? Also, it would be nice to answer @anav's questions whether a fallback scenario (one modem stops functioning) would be needed and whether there'll be incoming VPNs
by TheCat12
Thu Oct 31, 2024 7:53 pm
Forum: Beginner Basics
Topic: Sites connected with Wireguard but not able to access other hosts
Replies: 8
Views: 696

Re: Sites connected with Wireguard but not able to access other hosts

My suspicions were confirmed: you added on both sides in the allowed-address field a /32 instead of the whole subnet:
On Router A:
/interface wireguard peers
add allowed-address=10.2.200.2/30, 192.168.201.1/32 endpoint-address=\
    <code> endpoint-port=59123 interface=wg-fs name=\
    fs persistent-keepali...
by TheCat12
Thu Oct 31, 2024 12:31 pm
Forum: Beginner Basics
Topic: Separate internet while using 3 modems
Replies: 12
Views: 931

Re: Separate internet while using 3 modems

I think you need a router with more ports or possibly you would have to configure VLANs but would still need an additional switch
by TheCat12
Thu Oct 31, 2024 12:11 pm
Forum: Beginner Basics
Topic: Sites connected with Wireguard but not able to access other hosts
Replies: 8
Views: 696

Re: Sites connected with Wireguard but not able to access other hosts

Without config there's nothing we can tell...

export file=anynameyouwish (minus sensitive info)

My guess would be that you haven't configured allowed addresses and routes properly but that's just a guess
by TheCat12
Sun Oct 27, 2024 8:36 am
Forum: General
Topic: IPsec Tunnel (NordVPN) works only internally - but not for clients
Replies: 1
Views: 283

Re: IPsec Tunnel (NordVPN) works only internally - but not for clients

Since we can't see your configuration through a crystal ball, please post it here:

export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)
by TheCat12
Sun Oct 27, 2024 8:14 am
Forum: Beginner Basics
Topic: Wireless AP and Router on different subnets - imperfect communication
Replies: 3
Views: 480

Re: Wireless AP and Router on different subnets - imperfect communication

That is because of the following rule on the AP:
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
If you disable it, you should be able to access wireless devices from...
by TheCat12
Thu Oct 24, 2024 12:12 pm
Forum: Beginner Basics
Topic: GRE over CUSTOM IPSec [SOLVED]
Replies: 5
Views: 590

Re: GRE over CUSTOM IPSec [SOLVED]

Instead of using the "IPsec secret" option in the GRE menu, you can add a custom identity which would be configured with the custom IPsec configuration
by TheCat12
Wed Oct 23, 2024 10:26 am
Forum: Beginner Basics
Topic: Port Forwarding not working properly
Replies: 3
Views: 514

Re: Port Forwarding not working properly

Looking at the config, most probably an ISP problem. Only one tip for the firewall: the fasttrack connection rule is a bit too forward for my liking, better put it somewhere after, for example, the "Accept established, related" one
by TheCat12
Tue Oct 22, 2024 10:29 pm
Forum: General
Topic: Connect 2 l2tp clients to same l2tp server with different wan interface
Replies: 2
Views: 274

Re: Connect 2 l2tp clients to same l2tp server with different wan interface

Before suggesting anything, I would like to have a look at the exported config of the server:

export file=anynameyouwish (minus sensitive info like serial numbers, passwords, public IPs etc.)
by TheCat12
Tue Oct 22, 2024 10:16 pm
Forum: General
Topic: l2tp subnet routing router to router
Replies: 11
Views: 617

Re: l2tp subnet routing router to router

Maybe I'll have to see the configurations of at least the two L2TP servers just to check what the situation is:

export file=anynameyouwish (minus sensitive info like public IPs, passwords etc.)
by TheCat12
Tue Oct 22, 2024 11:27 am
Forum: General
Topic: l2tp subnet routing router to router
Replies: 11
Views: 617

Re: l2tp subnet routing router to router

Back to the main point, I'll write down a list of all the possible route combinations for each and every router, so that everything is accessible through anything. The OP will decide what is needed and what not
# 192.168.98.0/24 router
/ip route
add dst-address=192.168.99.0/24 gateway=192.168.100.1 ...
by TheCat12
Mon Oct 21, 2024 11:14 pm
Forum: General
Topic: l2tp subnet routing router to router
Replies: 11
Views: 617

Re: l2tp subnet routing router to router

It is possible with the help of static routes but more details are needed - which router(s) is/are L2TP server(s)? How exactly are all the routers connected with each other? A simple diagram would be best
by TheCat12
Mon Oct 21, 2024 11:08 pm
Forum: General
Topic: Translate Google Forms link
Replies: 2
Views: 320

Re: Translate Google Forms link

If no MikroTik solution to your problem pops up, may I suggest printing out a QR code instead of a URL?
by TheCat12
Mon Oct 21, 2024 2:29 pm
Forum: Beginner Basics
Topic: VPN is unable to access the local network
Replies: 8
Views: 2043

Re: VPN is unable to access the local network

The default firewall covers security pretty well, but if you want to strengthen it:

https://help.mikrotik.com/docs/spaces/R ... d+Firewall
by TheCat12
Mon Oct 21, 2024 9:37 am
Forum: Beginner Basics
Topic: ISP routed bridge + traditional NAT setup.
Replies: 2
Views: 407

Re: ISP routed bridge + traditional NAT setup.

You're lucky that the addresses are being routed to you because you can manage them however you desire: For the pfsense firewalls you can add public IPs directly on the ports facing them. For the unraid server you can add a route with dst-address=public IP and gateway=natted subnet as well as add th...
by TheCat12
Mon Oct 21, 2024 9:12 am
Forum: Beginner Basics
Topic: Bridge interface vs bridge port, publics interfaces [SOLVED]
Replies: 2
Views: 476

Re: Bridge interface vs bridge port, publics interfaces [SOLVED]

It means that if you set a bridge as the interface, on which the hotspot should be running, no WAN ports should be members of the bridge, only LAN ones
by TheCat12
Sun Oct 20, 2024 11:02 am
Forum: Beginner Basics
Topic: VPN is unable to access the local network
Replies: 8
Views: 2043

Re: VPN is unable to access the local network

These are the default firewall rules which you should have present in the order in which they are posted, i.e. input rules at the top, after that forward rules whereby these three rules:
add action=accept chain=forward comment=FTP dst-port=21 protocol=tcp
add action=accept chain=forward dst-port=500...
by TheCat12
Sat Oct 19, 2024 7:58 pm
Forum: Beginner Basics
Topic: VPN is unable to access the local network
Replies: 8
Views: 2043

Re: VPN is unable to access the local network

If this router is not behind a stronger firewall, then my condolences to you (revert to a default firewall filter because your network is as open as a door in a field). Then we will discuss the matter of the VPNs
by TheCat12
Wed Oct 16, 2024 8:12 pm
Forum: General
Topic: Problem to connect to ISP via PPPOE
Replies: 18
Views: 1180

Re: Problem to connect to ISP via PPPOE

Looking at the error - wrong username/password or the PPPoE server has a problem
by TheCat12
Mon Oct 14, 2024 10:37 pm
Forum: General
Topic: Opening ports makes me lose connection
Replies: 5
Views: 368

Re: Opening ports makes me lose connection

Without seeing the config I can't tell anything, so:

export file=anynameyouwish (minus sensitive info)
by TheCat12
Sun Oct 13, 2024 10:14 pm
Forum: Beginner Basics
Topic: Use mikrotik router to establish a vpn connection to another mikrotik server
Replies: 1
Views: 408

Re: Use mikrotik router to establish a vpn connection to another mikrotik server

I'd say quite fast: add an L2TP client with "Use IPsec" enabled: https://help.mikrotik.com/docs/display/ROS/L2TP After that, create a routing table, add a default route pointing to the L2TP interface on both main and newly created routing tables and use routing rules to specify which client...
by TheCat12
Sun Oct 13, 2024 4:55 pm
Forum: General
Topic: How to distribute public ip that is on the same route but multiple block
Replies: 1
Views: 279

Re: How to distribute public ip that is on the same route but multiple block

I'd suggest using src- and dst-nat rules in order to translate all addresses to corresponding VPN ones 1:1:
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=99.99.99.6 to-addresses=11.11.11.3
add action=src-nat chain=srcnat to-addresses=99.99.99.6 src-address=11.11.11.3
and so on. Maybe...
by TheCat12
Sat Oct 12, 2024 10:20 am
Forum: Beginner Basics
Topic: IP and Routing: SFP GPON Module WebUI access hmm [SOLVED]
Replies: 11
Views: 1271

Re: IP and Routing: SFP GPON Module WebUI access hmm [SOLVED]

One way is the aforementioned one, another way is to create a backup file through the Files menu whose content you cannot view, edit, etc. because it's a binary file
by TheCat12
Sat Oct 12, 2024 10:13 am
Forum: Beginner Basics
Topic: NAT - Port forwarding, closing ports
Replies: 4
Views: 512

Re: NAT - Port forwarding, closing ports

We need to have a look at the configuration because that doesn't sound like normal port forwarding behavior

export file=anynameyouwish (minus sensitive info like serial number, public IPs, passwords, etc.)
by TheCat12
Sat Oct 12, 2024 10:06 am
Forum: Beginner Basics
Topic: How do I specify an address pool for a ppp profile? [SOLVED]
Replies: 2
Views: 538

Re: How do I specify an address pool for a ppp profile? [SOLVED]

Looking at the screenshot, you're trying to add the pool to a secret, not to the profile which is, as correctly suggested by most internet resources, located in the PPP –> Profile section
by TheCat12
Sat Oct 12, 2024 10:02 am
Forum: Beginner Basics
Topic: IP and Routing: SFP GPON Module WebUI access hmm [SOLVED]
Replies: 11
Views: 1271

Re: IP and Routing: SFP GPON Module WebUI access hmm [SOLVED]

Then I guess that is the problem since the first address of a subnet is mostly reserved for the gateway, i.e. the GPON
by TheCat12
Fri Oct 11, 2024 11:39 pm
Forum: Beginner Basics
Topic: IP and Routing: SFP GPON Module WebUI access hmm [SOLVED]
Replies: 11
Views: 1271

Re: IP and Routing: SFP GPON Module WebUI access hmm [SOLVED]

/ip address
[...]
add address=192.168.1.1/24 interface=sfp1 network=192.168.1.0
Shouldn't the address be something other than 192.168.1.1? Maybe .2?
by TheCat12
Wed Oct 09, 2024 8:00 pm
Forum: Beginner Basics
Topic: How to solve the problem with DHCP
Replies: 2
Views: 481

Re: How to solve the problem with DHCP

It should also be possible with a RADIUS server (or User Manager for that matter): It is also possible to hand out leases for DHCP clients using the RADIUS server; the supported parameters for a RADIUS server are as follows: Access-Request: NAS-Identifier - router identity NAS-IP-Address - IP addres...
by TheCat12
Wed Oct 09, 2024 7:38 pm
Forum: General
Topic: Streaming Error for Surveillance Cameras (NO NAT)
Replies: 8
Views: 927

Re: Streaming Error for Surveillance Cameras (NO NAT)

First off, your firewall is a mess to say the very least - misordered rules, redundant rules, etc.

Secondly, I suspect you're missing some NAT port forwardings like 80,443,554
by TheCat12
Tue Oct 08, 2024 11:24 pm
Forum: General
Topic: Streaming Error for Surveillance Cameras (NO NAT)
Replies: 8
Views: 927

Re: Streaming Error for Surveillance Cameras (NO NAT)

https://en.akinator.com/

or

export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)
by TheCat12
Tue Oct 08, 2024 10:11 pm
Forum: General
Topic: Split Tunneling for L2TP on MikroTik RouterOS
Replies: 1
Views: 291

Re: Split Tunneling for L2TP on MikroTik RouterOS

If you're configuring L2TP over IPsec (which you probably should be) there's an option in the mode configurations named "split-include" but for you to be able to use it you would have to configure the whole IPsec part by yourself instead of just adding IPsec secret under the PPP profile wh...
by TheCat12
Tue Oct 08, 2024 9:36 pm
Forum: Beginner Basics
Topic: Add public subnet to WAN with and without NAT [SOLVED]
Replies: 8
Views: 962

Re: Add public subnet to WAN with and without NAT [SOLVED]

Probably because the VLAN should also be src-natted:
/ip firewall nat
add action=src-nat chain=srcnat src-address=10.0.100.0/24 to-addresses=188.213.95.249
by TheCat12
Tue Oct 08, 2024 11:15 am
Forum: Beginner Basics
Topic: Add public subnet to WAN with and without NAT [SOLVED]
Replies: 8
Views: 962

Re: Add public subnet to WAN with and without NAT [SOLVED]

That is the more fortunate situation because you can do the following: For the server you can add one of the addresses directly on the Ethernet port facing it. For the VLANs and other NATted subnets you could add routes pointing to their gateways with dst-address being a public IP:
/ip route
add dst...
by TheCat12
Tue Oct 08, 2024 10:14 am
Forum: Beginner Basics
Topic: Add public subnet to WAN with and without NAT [SOLVED]
Replies: 8
Views: 962

Re: Add public subnet to WAN with and without NAT [SOLVED]

If that's really the first usable address, it could be that they're routing the /29 block to you and they're using different addresses for the PPPoE link?
by TheCat12
Tue Oct 08, 2024 10:00 am
Forum: Beginner Basics
Topic: Add public subnet to WAN with and without NAT [SOLVED]
Replies: 8
Views: 962

Re: Add public subnet to WAN with and without NAT [SOLVED]

Is your ISP the gateway (they have the first usable address of the subnet for their router) or do they route the /29 block to you?
by TheCat12
Sun Oct 06, 2024 12:20 am
Forum: General
Topic: Problem to connect to ISP via PPPOE
Replies: 18
Views: 1180

Re: Problem to connect to ISP via PPPOE

Without an exported config it would be very hard to diagnose the problem:

export file=anynameyouwish (minus sensitive info like serial numbers, passwords, etc.)

Nevertheless, I'll have a shot in the dark and guess misconfigured NAT masquerading, e.g. the PPPoE interface is not added to the WAN inter...
by TheCat12
Sun Oct 06, 2024 12:14 am
Forum: General
Topic: Can't ping a public ip over a vlan interface
Replies: 4
Views: 331

Re: Can't ping a public ip over a vlan interface

Does the LTE interface add a default route?

Aside from that, mixing VLAN and non-VLAN traffic on the same interface never leads to anything good. Keep that in mind
by TheCat12
Thu Oct 03, 2024 11:03 pm
Forum: Beginner Basics
Topic: 2 ISP CONFIGURATION PROBLEM
Replies: 5
Views: 557

Re: 2 ISP CONFIGURATION PROBLEM

Would it not be for the second bit...... ????
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.100.1%"ISP1_interface" distance=1
add check-gateway=ping dst-address=0.0.0.0/0 gateway=192.168.100.1%"ISP2_interface" distance=2
add dst-address=0.0.0.0/0 gateway...
by TheCat12
Wed Oct 02, 2024 9:31 pm
Forum: Beginner Basics
Topic: 2 ISP CONFIGURATION PROBLEM
Replies: 5
Views: 557

Re: 2 ISP CONFIGURATION PROBLEM

you can't as far as I'm aware run two isp in to the mikrotik at the same time
As a matter of fact you can, but since both ISPs provide addresses from the same address space, the routing part would be a bit tricky. First, the creation of routing tables and mangling which is typical load balancing, sho...
by TheCat12
Wed Oct 02, 2024 8:58 pm
Forum: Beginner Basics
Topic: Access Printer from another Mikrotik Router
Replies: 10
Views: 1427

Re: Access Printer from another Mikrotik Router

I did this, but I had no luck and how can I grant access only to the printer IP?
May we then have a look at the exported config of the router?

export file=anynameyouwish (minus sensitive info like passwords, etc.)
by TheCat12
Sat Sep 28, 2024 1:30 pm
Forum: General
Topic: PUBLIC IP DISTRIBUTE TO VPN
Replies: 6
Views: 834

Re: PUBLIC IP DISTRIBUTE TO VPN

You still have to answer my question whether both sides of the L2TP tunnel are MikroTik routers because routing will be made on the router with the public IPs
by TheCat12
Sat Sep 28, 2024 1:21 pm
Forum: Beginner Basics
Topic: Access Printer from another Mikrotik Router
Replies: 10
Views: 1427

Re: Access Printer from another Mikrotik Router

No need for the last two NAT rules, most probably you're missing a route:
/ip route
add dst-address=192.168.18.0/23 gateway=192.168.18.1
by TheCat12
Sat Sep 28, 2024 10:39 am
Forum: General
Topic: To limit one device from accessing another on the same subnet.
Replies: 4
Views: 680

Re: To limit one device from accessing another on the same subnet.

You can create address lists and block traffic using only the "forward" chain but you have to enable "Use IP Firewall" and "Use IP Firewall for VLAN" from the bridge settings
by TheCat12
Sat Sep 28, 2024 10:26 am
Forum: Beginner Basics
Topic: Why no Internet access? [SOLVED]
Replies: 2
Views: 751

Re: Why no Internet access? [SOLVED]

The SFP port should be part of the WAN interface list in order for the NAT masquerade rule to work properly:
/interface list member
add interface=sfp1 list=WAN
by TheCat12
Thu Sep 26, 2024 9:47 pm
Forum: General
Topic: PUBLIC IP DISTRIBUTE TO VPN
Replies: 6
Views: 834

Re: PUBLIC IP DISTRIBUTE TO VPN

i want to create a pptp vpn server
Better create an L2TP server here too, because PPTP is deprecated.

Aside from that, are both sides of the existing L2TP tunnel MikroTik? What do you mean by "distribute the public IPs to clients"? Maybe you meant PPPoE instead of PPTP?
by TheCat12
Tue Sep 24, 2024 11:18 pm
Forum: General
Topic: Help please with guest wlan
Replies: 8
Views: 1059

Re: Help please with guest wlan

For such a simple setup VLANs would be a pushover in my opinion. Appropriate firewall rules and assigning the wlan1 interface to a bridge to be used for DHCP so that it doesn't show red should be enough
by TheCat12
Tue Sep 24, 2024 11:10 pm
Forum: General
Topic: Help please with guest wlan
Replies: 8
Views: 1059

Re: Help please with guest wlan

This would be done with the help of firewall rules, of course:
/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward in-interface=bridge1 out-interface=wlan1
add action=accept chain=forward protocol=tcp dst-port=80,443 in-int...
by TheCat12
Mon Sep 23, 2024 11:15 pm
Forum: General
Topic: Router on a Stick with Inter-VLAN L3 Routing on Switch CRS504-4XQ-IN
Replies: 1
Views: 639

Re: Router on a Stick with Inter-VLAN L3 Routing on Switch CRS504-4XQ-IN

and when I create IP addresses that collide with the upstream router's default VLAN gateway (10.60.0.1)
Why do you create addresses that are the same as the DHCP servers' if I understand your lexicon correctly? Since you're running DHCP, why don't let the servers assign such:
/ip dhcp-client
add in...
by TheCat12
Sun Sep 22, 2024 7:11 pm
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 1405

Re: "Routing Rules" vs "Mangle Route Rule"

Am I missing a reference in the main table for 192.168.9.9, even though it's brought in by the wireguard interface as being reachable on REMOTE1?
Possibly, better add the route to roll it out as a probable cause. It could also be of higher distance if ECMP is not desired and one gateway is to be pr...
by TheCat12
Sun Sep 22, 2024 7:05 pm
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 1405

Re: "Routing Rules" vs "Mangle Route Rule"

I have noticed this train of thought on the forum recently and I don't get it. Why presence of a route to a given destination (or even less logically, of a default route) in the main table should be a mandatory pre-requisite for a route to that destination to work in another table?
For the followin...
by TheCat12
Sun Sep 22, 2024 11:43 am
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 1405

Re: "Routing Rules" vs "Mangle Route Rule"

Could it be that they are missing the default route from the custom routing table in the main one?
by TheCat12
Sat Sep 21, 2024 11:22 am
Forum: Beginner Basics
Topic: Trouble configuring a router from behind a DMZ
Replies: 5
Views: 1063

Re: Trouble configuring a router from behind a DMZ

There is a small detail from the default firewall I forgot about - the rule "Drop all input not coming from LAN". If you edit it, for example, to also allow your main network as src-address, then you should start accessing the RB5009 from behind the hEX S
by TheCat12
Fri Sep 20, 2024 1:18 pm
Forum: Beginner Basics
Topic: Failover WAN issues - could use a config check
Replies: 1
Views: 695

Re: Failover WAN issues - could use a config check

To be able to use check-gateway you have to disable add-default-route on the primary WAN DHCP client and add a static route pointing to its gateway manually:
/ip route
add check-gateway=ping dst-address=0.0.0.0/0 gateway="Primary_WAN_gateway"
If you want your failover to be even more r...
by TheCat12
Thu Sep 19, 2024 9:18 pm
Forum: General
Topic: Help with Bandwidth Allocation on Mikrotik RouterOS
Replies: 1
Views: 565

Re: Help with Bandwidth Allocation on Mikrotik RouterOS

Is the bandwidth symmetrical (equal download and upload)? Should only download be allocated or both?
by TheCat12
Thu Sep 19, 2024 9:14 pm
Forum: General
Topic: How to apply NAT rules based on Interface.
Replies: 2
Views: 615

Re: How to apply NAT rules based on Interface.

Source NAT, as the name suggests, applies for packets that originate from the NAT-ted network, i.e. your network, whose source address should be changed/translated to the one specified in the according rule. That's why src-nat rules will apply only on out-interface - the interface from which packets will ...
by TheCat12
Tue Sep 17, 2024 4:52 pm
Forum: General
Topic: Separate dhcp pools for each interface on CCR2004-1G-12S+2XS
Replies: 1
Views: 463

Re: Separate dhcp pools for each interface on CCR2004-1G-12S+2XS

If everything should be interconnected, then adding a separate DHCP server per interface would be the solution
by TheCat12
Tue Sep 17, 2024 9:44 am
Forum: General
Topic: How to prioritize packets to/from LAN IP
Replies: 9
Views: 2097

Re: How to prioritize packets to/from LAN IP

@TheCat12, your rules rewrite the connection mark (even twice) when handling each packet, what's the point? The very idea of using connection marks when dealing with QoS is to translate complex match conditions into a connection mark only once, when handling the initial packet of a connection, or m...
by TheCat12
Mon Sep 16, 2024 6:23 pm
Forum: General
Topic: How to prioritize packets to/from LAN IP
Replies: 9
Views: 2097

Re: How to prioritize packets to/from LAN IP

Something like this should work:
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=!LAN_conn new-connection-mark=Other_conn
add action=mark-connection chain=prerouting src-address=*LAN_IP* new-connection-mark=LAN_conn
add action=mark-connection chain=prerouting dst-addr...
by TheCat12
Mon Sep 16, 2024 5:31 pm
Forum: General
Topic: ikev2 ipsec route not working [SOLVED]
Replies: 5
Views: 1561

Re: ikev2 ipsec route not working [SOLVED]

You're missing a NAT rule on each router to bypass masquerading packets before being encrypted. It should be placed as the first one
# Router 1
/ip firewall nat
add action=accept chain=srcnat place-before=0 dst-address=192.168.3.0/24 src-address=10.53.2.0/24
# Router 2
/ip firewall nat
add action=ac...
by TheCat12
Mon Sep 16, 2024 4:32 pm
Forum: Beginner Basics
Topic: How to Forward Multiple Ports to Two Output Ports on MikroTik RouterOS
Replies: 6
Views: 1269

Re: How to Forward Multiple Ports to Two Output Ports on MikroTik RouterOS

That should be quite achievable:
/interface ethernet switch rule
add new-dst-ports=etherx,ethery src-address=x.x.x.x ports=ethera,etherb
by TheCat12
Sun Sep 15, 2024 6:36 pm
Forum: General
Topic: L2TP VPN subnet routing [SOLVED]
Replies: 10
Views: 2153

Re: L2TP VPN subnet routing [SOLVED]

Perhaps firewall blocking traffic? If Office A router is also MikroTik, consider exporting its config and posting it here
by TheCat12
Sun Sep 15, 2024 6:33 pm
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1498

Re: Passthrough Network Via Mikrotiks

I can configure VLAN in three places: 1. In the Interface configuration (vlan-mode and vlan-id): [admin@hAP-bedroom] > /interface/wireless/print Flags: X - disabled; R - running 0 R name="telekom-guest" mtu=1500 l2mtu=1600 mac-address=DE:2C:6E:25:88:49 arp=enabled interface-type=virtual m...
by TheCat12
Sun Sep 15, 2024 5:09 pm
Forum: Beginner Basics
Topic: VLANs to segregate network
Replies: 8
Views: 1137

Re: VLANs to segregate network

Apparently I read your OP too diagonally and didn't see the obvious problems - the bridges. For VLAN to work properly, you need one bridge with all of the ports on which traffic will be tagged/untagged. Also, the VLAN interfaces shouldn't be members of the bridge(s). That's why before we continue, t...
by TheCat12
Sun Sep 15, 2024 4:02 pm
Forum: General
Topic: L2TP VPN subnet routing [SOLVED]
Replies: 10
Views: 2153

Re: L2TP VPN subnet routing [SOLVED]

That I'll contribute to address space overlapping - a very broad route which could apply to the remote subnet and to the L2TP one. If you change one of them and add appropriate static routes or use a more specific route (e.g. 192.168.100.0/24 instead of 192.168.0.0/16), it should start working as ex...
by TheCat12
Sun Sep 15, 2024 10:58 am
Forum: General
Topic: L2TP VPN subnet routing [SOLVED]
Replies: 10
Views: 2153

Re: L2TP VPN subnet routing [SOLVED]

Wait a minute, have you added a route pointing to the L2TP subnet on Office A router?
by TheCat12
Sun Sep 15, 2024 10:48 am
Forum: Beginner Basics
Topic: VLANs to segregate network
Replies: 8
Views: 1137

Re: VLANs to segregate network

Would you export your config and post it here because it seems that my local fortune teller is on vacation:

export file=anynameyouwish (minus sensitive info)
by TheCat12
Sat Sep 14, 2024 10:09 pm
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1498

Re: Passthrough Network Via Mikrotiks

This part of suggested configuration did not work:
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,wlan1 vlan-ids=10
add bridge=bridge tagged=ether1,wlan3 vlan-ids=20
What is the point behind adding WLAN* interface as tagged? If I understand well, tagging interface means that the in...
by TheCat12
Fri Sep 13, 2024 11:42 am
Forum: General
Topic: ikev2 ipsec route not working [SOLVED]
Replies: 5
Views: 1561

Re: ikev2 ipsec route not working [SOLVED]

Since no problems are visible, the full configuration of both routers would be needed:

export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)

Also, would you elaborate on the following quote from your original post:
I have a problem with site to site IKEV/IPSEC vpn that I...
by TheCat12
Fri Sep 13, 2024 9:55 am
Forum: General
Topic: L2TP VPN subnet routing [SOLVED]
Replies: 10
Views: 2153

Re: L2TP VPN subnet routing [SOLVED]

If the real source addresses of those who access Office A aren't of importance, add a masquerade rule for all traffic leaving out of the SSTP tunnel. Otherwise, you might want to look into policy based routing and mangling
by TheCat12
Fri Sep 13, 2024 8:44 am
Forum: Beginner Basics
Topic: Trouble configuring a router from behind a DMZ
Replies: 5
Views: 1063

Re: Trouble configuring a router from behind a DMZ

Have you changed the default Winbox port? If so, edit the rules accordingly because in theory they should work the way you've created and placed them
by TheCat12
Wed Sep 11, 2024 11:05 pm
Forum: Beginner Basics
Topic: How to Forward Multiple Ports to Two Output Ports on MikroTik RouterOS
Replies: 6
Views: 1269

Re: How to Forward Multiple Ports to Two Output Ports on MikroTik RouterOS

I'll have to disappoint you but I don't think the desired setup is possible with your device even though it's a very powerful one. The only one that will work in your scenario, to my knowledge, is the RB5009
by TheCat12
Wed Sep 11, 2024 6:58 pm
Forum: Beginner Basics
Topic: Trouble configuring a router from behind a DMZ
Replies: 5
Views: 1063

Re: Trouble configuring a router from behind a DMZ

On the last firewall rule add an exception for dst-port=8291
by TheCat12
Tue Sep 10, 2024 8:42 pm
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1498

Re: Passthrough Network Via Mikrotiks

I think adding a second Ethernet cable between R1 and R2 would simplify the configuration if possible. Since R1 is in bridge mode it won't matter whether you're receiving PPPoE from one port and DHCP from another or both from the same port. In the case with two Ethernet cables you would need to remo...
by TheCat12
Tue Sep 10, 2024 4:02 pm
Forum: Beginner Basics
Topic: Trouble with DNAT rules
Replies: 2
Views: 732

Re: Trouble with DNAT rules

/ip/firewall/filter print /ip/firewall/filter print Flags: X - disabled, I - invalid; D - dynamic 0 D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough 1 chain=input action=accept protocol=icmp 2 chain=input action=accept connection-state=established 3 chain=input a...
by TheCat12
Tue Sep 10, 2024 2:45 pm
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1498

Re: Passthrough Network Via Mikrotiks

A question out of pure curiosity - how would the PPPoE work in conjunction with a VLAN aware bridge? Should the PPPoE interface run on top of a VLAN interface or how?
by TheCat12
Tue Sep 10, 2024 2:33 pm
Forum: Beginner Basics
Topic: Beginner fail to port forwarding [SOLVED]
Replies: 10
Views: 1842

Re: Beginner fail to port forwarding [SOLVED]

Looking at the NAT masquerade rule, I assume you connect to the internet via PPPoE and some questions arise like: Do you have a default route pointing to it? Have you added the PPPoE interface to the WAN interface list? Do you receive a public IP at all? Should the answer to any of the questions be ...
by TheCat12
Mon Sep 09, 2024 9:54 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1594
Views: 399762

Re: 📣 WinBox 4 is here 📣

A bit off-topic but since this is the most viewed topic by MikroTik employees as of now, could somebody from the MikroTik Documentation editors correct the spelling of the following page title:

https://help.mikrotik.com/docs/display/ ... prevention
by TheCat12
Fri Sep 06, 2024 11:13 pm
Forum: General
Topic: Help please with guest wlan
Replies: 8
Views: 1059

Re: Help please with guest wlan

The solution would be to create the Virtual AP as you probably did, add it to a second bridge and after that continue configuring DHCP (the bridge will be the interface on which it should be running), firewall rules, etc.
by TheCat12
Fri Sep 06, 2024 9:19 pm
Forum: Beginner Basics
Topic: Add alternate route
Replies: 6
Views: 1045

Re: Add alternate route

How are Router 1 and Router 2 connected? Which router receives what address from the other one as de facto WAN? An export of the configuration of one or both routers would be quite helpful:

export file=anynameyouwish
by TheCat12
Fri Sep 06, 2024 9:08 pm
Forum: Beginner Basics
Topic: IKEv2 Troubles
Replies: 1
Views: 540

Re: IKEv2 Troubles

Could you post an export of your config and one of the IPsec logs?

export file=anynameyouwish (minus sensitive info)
/system logging add topics=ipsec,!debug
by TheCat12
Fri Sep 06, 2024 9:04 pm
Forum: Beginner Basics
Topic: WebFig access issues with VPN through LTE
Replies: 10
Views: 1167

Re: WebFig access issues with VPN through LTE

Not that I expect it to be the problem, but could you add the following firewall rules somewhere in the beginning:
/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=1723
add action=accept chain=input protocol=47 
by TheCat12
Tue Sep 03, 2024 10:57 pm
Forum: General
Topic: /31 through a IPSec over GRE tunnel
Replies: 7
Views: 781

Re: /31 through a IPSec over GRE tunnel

There is a small hack to use /31 addresses - one address to be the local address and the remote one to be specified as the network. For example, site 1 - address=192.168.1.0 & network=192.168.1.1, site 2 - address=192.168.1.1 & network=192.168.1.0
by TheCat12
Tue Sep 03, 2024 10:45 pm
Forum: Beginner Basics
Topic: WebFig access issues with VPN through LTE
Replies: 10
Views: 1167

Re: WebFig access issues with VPN through LTE

Port 8080 of the dst-nat rule is a reserved port for other use, so change it to a more obsolete one (e.g. 17680)

And you've leaked your PPTP username and password, elide them PRONTO and change them afterwards!
by TheCat12
Mon Sep 02, 2024 11:54 pm
Forum: Beginner Basics
Topic: Feedback on first setup
Replies: 3
Views: 825

Re: Feedback on first setup

This makes it sound like it would switch to the second server if pihole goes down but then not switch back when it comes back online as 1.1.1.1 will still be online. I am using pihole for some local DNS addresses that i have not assigned on cloudflare so want it to use that server whenever possible...
by TheCat12
Mon Sep 02, 2024 11:39 pm
Forum: Beginner Basics
Topic: WebFig access issues with VPN through LTE
Replies: 10
Views: 1167

Re: WebFig access issues with VPN through LTE

For the love of God and your router, please do not use PPTP! It is obsolete, deprecated and insecure! At least use L2TP over IPsec. And please update your router to either 6.49.17 or 7.x
by TheCat12
Sat Aug 31, 2024 4:03 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1594
Views: 399762

Re: 📣 WinBox 4 is here 📣

But at least color contrast was fine 😅

Agree. A little more colour won't harm
by TheCat12
Sat Aug 31, 2024 4:01 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1594
Views: 399762

Re: 📣 WinBox 4 is here 📣

Most companies tend to lean towards a more modern UI to please and attract new customers but sometimes they overstep the thin line between usability and aesthetics. I called it "a breath of fresh air" not because it still has a lot of issues and complaints which should be heard and fixed b...
by TheCat12
Sat Aug 31, 2024 3:33 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1594
Views: 399762

Re: 📣 WinBox 4 is here 📣

Although I'm still a bit overhauled by the new UI, it was a long-awaited breath of fresh air. And the fact that it's also Linux native makes it even better.

+1 to return tabs
by TheCat12
Sat Aug 31, 2024 3:26 pm
Forum: Beginner Basics
Topic: Feedback on first setup
Replies: 3
Views: 825

Re: Feedback on first setup

Firstly, I want to congratulate you on your configuration - it looks very promising and surely it will work even without the suggestions/answers I'll give you throughout the post. I am running a local DNS on PiHole on 172.23.20.2 and want the router to default to using this DNS server but if it goes...
by TheCat12
Fri Aug 30, 2024 5:27 pm
Forum: Beginner Basics
Topic: No internet access [SOLVED]
Replies: 2
Views: 1756

Re: No internet access [SOLVED]

May I assume that the mANTBox should receive internet on ether1 via DHCP? If that's the case, remove all DHCP server related configuration (/ip pool, /ip dhcp-server, /ip dhcp-server network). If the Mikrotik connects to the internet via the same port otherwise, just remove it from the bridge
by TheCat12
Thu Aug 29, 2024 9:46 am
Forum: General
Topic: Virtual Subnet Trough Ipsec Tunnel - Mikrotik To Cisco
Replies: 6
Views: 989

Re: Virtual Subnet Trough Ipsec Tunnel - Mikrotik To Cisco

Have you tried following @sindy's tip? If it doesn't work, please post a full export of the config:

export file=anynameyouwish (minus sensitive info like public IPs, passwords, etc.)
by TheCat12
Mon Aug 26, 2024 10:43 pm
Forum: Beginner Basics
Topic: RouterOS config VLAN/segmentation [SOLVED]
Replies: 4
Views: 2616

Re: RouterOS config VLAN/segmentation [SOLVED]

It would be nice to have a full export of the config to have a general overview of the situation: export file=anynameyouwish (minus any sensitive info) As for your question, you would need to configure a VLAN interface if you will be handling L3 traffic (addresses, DHCP, routing, etc.), and change t...
by TheCat12
Fri Aug 23, 2024 10:36 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

Is there a way to make strongSwan work without going the certificate route? The only other way is configuring User Manager (your router has a beefy flash, so no worries for installing) which could be or could be not more complicated to set up. But let's try anyway. Here you can read what the prereq...
by TheCat12
Fri Aug 23, 2024 8:20 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

@TheCat12, on top of the above, the case brought in by @johnb175a is very different from the other two. Guilty. :( When I looked at the config and the IPsec exports and everything seemed normal, I had to call you in as an IPsec expert. As for the OP's problem, I think I might have found the culprit...
by TheCat12
Fri Aug 23, 2024 7:45 pm
Forum: Beginner Basics
Topic: Route all traffic via WireGuard
Replies: 8
Views: 2119

Re: Route all traffic via WireGuard

Also, I am missing the config which basically says "all wifi1 users are using the routing table use-WG". How does wifi1 know which routing table to use? The following line from @anav's configuration should answer your question: /routing rule add action=lookup-only-in-table src-address=192...
by TheCat12
Fri Aug 23, 2024 7:35 pm
Forum: Beginner Basics
Topic: Need some help looking at config
Replies: 1
Views: 503

Re: Need some help looking at config

I don't see anywhere in the configuration you provided that VLAN filtering is turned on: /interface bridge set bridge1 vlan-filtering=yes Also, a better option for management access to the router is to remove one port from the bridge and assign it an IP address instead of on the whole bridge and when y...
by TheCat12
Thu Aug 22, 2024 8:25 pm
Forum: General
Topic: Can not NAT packets after PBR [SOLVED]
Replies: 6
Views: 2639

Re: Can not NAT packets after PBR [SOLVED]

I replicated the setup and everything works as expected. Maybe it's worth opening a ticket to MikroTik support because it could be a bug
by TheCat12
Thu Aug 22, 2024 8:14 pm
Forum: Beginner Basics
Topic: Understanding/configuration problem switching/routing/NAT
Replies: 10
Views: 2033

Re: Understanding/configuration problem switching/routing/NAT

In this case neither firewall rules and routes, nor use-ip-firewall=yes is needed because a blank firewall allows everything by default, dynamic routes are added when you add an address to an interface and the traffic is not between two bridged ports
by TheCat12
Thu Aug 22, 2024 12:52 pm
Forum: Beginner Basics
Topic: unable to get internet connection
Replies: 14
Views: 1148

Re: unable to get internet connection

Perhaps you have a typo in the ether1 address?
by TheCat12
Thu Aug 22, 2024 12:24 pm
Forum: General
Topic: Can not NAT packets after PBR [SOLVED]
Replies: 6
Views: 2639

Re: Can not NAT packets after PBR [SOLVED]

I think it's due to the usage of action=masquerade , which can cause leakages in your scenario, instead of action=src-nat , which in your case is the preferred way because the IP of the router is static: /ip firewall nat add action=src-nat chain=srcnat to-addresses=192.168.6.1 out-interface=ether2 A...
by TheCat12
Wed Aug 21, 2024 11:23 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

Unfortunately I'm out of options. That's why I'll once again ask @sindy to have a look at your case
by TheCat12
Wed Aug 21, 2024 11:11 pm
Forum: Beginner Basics
Topic: Route all traffic via WireGuard
Replies: 8
Views: 2119

Re: Route all traffic via WireGuard

Since your Mikrotik is currently acting as a switch, you won't be able to perform routing with it. You'll have to configure a DHCP server and deal with double NAT or find another Mikrotik (e.g. hAP ac²) and put it in place of your home router, if possible and your budget allows it, because you'll ha...
by TheCat12
Wed Aug 21, 2024 10:55 pm
Forum: Beginner Basics
Topic: Switch IP address at VLAN [SOLVED]
Replies: 6
Views: 2709

Re: Switch IP address at VLAN [SOLVED]

Because you're dealing with Layer3 traffic you would have to add the bridge interface as a tagged port to the appropriate bridge VLAN table entry:

/interface bridge vlan
add bridge=bridge tagged=\
combo1,sfp1,sfp2,sfp3,sfp18,sfp-sfpplus1,sfp-sfpplus2,bridge untagged=sfp19 \
vlan-ids=10
by TheCat12
Tue Aug 20, 2024 12:48 pm
Forum: Beginner Basics
Topic: Understanding/configuration problem switching/routing/NAT
Replies: 10
Views: 2033

Re: Understanding/configuration problem switching/routing/NAT

Now that I think of it, the problem may be that ether24 is in the same broadcast group as the VLAN, yet it has a different IP from the rest of the subnet, of which the router couldn't know, hence no src-nat. That's why you should remove the port out of the bridge, assign it the 192.168.19.41 address...
by TheCat12
Mon Aug 19, 2024 2:01 pm
Forum: Beginner Basics
Topic: Forwarding 1 interface to another
Replies: 6
Views: 1492

Re: Forwarding 1 interface to another

Easiest way would be to create a routing table, add a default route with gateway the OVPN to it and use routing rules: /routing table add fib name=through_VPN /ip route add dst-address=0.0.0.0/0 gateway="OVPN_interface" routing-table=through_VPN /routing rule add action=lookup-only-in-tabl...
by TheCat12
Sat Aug 17, 2024 12:10 pm
Forum: Beginner Basics
Topic: IPSec site to site VPN
Replies: 4
Views: 1266

Re: IPSec site to site VPN

You're missing firewall rules on both sites to allow traffic between the subnets: /ip firewall filter add action=accept chain=forward src-address=192.168.43.0/24 dst-address=192.168.44.0/24 place-before=8 add action=accept chain=forward dst-address=192.168.43.0/24 src-address=192.168.44.0/24 place-b...
by TheCat12
Wed Aug 14, 2024 9:05 pm
Forum: Beginner Basics
Topic: Understanding/configuration problem switching/routing/NAT
Replies: 10
Views: 2033

Re: Understanding/configuration problem switching/routing/NAT

I forgot about a selector called "out-bridge-port". That could do the trick
by TheCat12
Wed Aug 14, 2024 1:26 pm
Forum: Beginner Basics
Topic: Understanding/configuration problem switching/routing/NAT
Replies: 10
Views: 2033

Re: Understanding/configuration problem switching/routing/NAT

The NAT rule won't work because "Use IP Firewall for Bridge" should be enabled: /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes After that, the src-nat rule should work: /ip firewall nat add action=src-nat chain=srcnat protocol=udp to-addresses=192.168.19.41 src...
by TheCat12
Tue Aug 13, 2024 7:47 pm
Forum: Beginner Basics
Topic: Understanding/configuration problem switching/routing/NAT
Replies: 10
Views: 2033

Re: Understanding/configuration problem switching/routing/NAT

May I inquire what the component is that is sending broadcast messages and why the broadcast messages should be limited only to a specific Ethernet port and, by that, src-natted?
by TheCat12
Tue Aug 13, 2024 7:37 pm
Forum: General
Topic: virtual interface for DHCP Client WAN over VLAN [SOLVED]
Replies: 7
Views: 4206

Re: virtual interface for DHCP Client WAN over VLAN [SOLVED]

No need, I could answer that with ease - leave the WAN interface out of the equation, i.e. remove it from the bridge and remove all VLAN configurations from and associated with it. If you do that, all of your VLANs will have by default internet access which you can then limit with the help of firewa...
by TheCat12
Tue Aug 13, 2024 7:24 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

Should I assign the IP to lo or create a bridge-loopback and assign it there? It's one and the same. The lo interface was exposed precisely to eliminate the need for a loopback bridge It's so strange that this all worked without all these changes a while back. Although I am not sure if it was worki...
by TheCat12
Tue Aug 13, 2024 11:58 am
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

I get "input does not match any value of interface". I see a lo interface, but not a lo1.
So the name is lo:
/ip address
add address=192.168.10.1/24 interface=lo
by TheCat12
Tue Aug 13, 2024 10:31 am
Forum: Beginner Basics
Topic: LAN randomly stops working after NAT and Hairpin NAT
Replies: 3
Views: 1209

Re: LAN randomly stops working after NAT and Hairpin NAT

Unfortunately, I can't tell what the problem could be but I can think of a temporary/permanent solution - setting up VLANs after you undo the port isolation. In your case, it could be done from the same menu, from which you set up port isolation, to take advantage of hardware offloading. The VLANs w...
by TheCat12
Mon Aug 12, 2024 10:59 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

Also, I don't see a policy template:
/ip ipsec policy group
add name=ikev2-policies

/ip ipsec policy
add dst-address=192.168.10.0/24 group=ikev2-policies proposal=proposal1 src-address=0.0.0.0/0 template=yes
by TheCat12
Mon Aug 12, 2024 10:46 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

You're missing a loopback address:
/ip address
add address=192.168.10.1/24 interface=lo1
*lo1 should be the name of recently exposed loopback interface, if not, please change "interface=" correspondingly
by TheCat12
Mon Aug 12, 2024 9:02 pm
Forum: Beginner Basics
Topic: 2 ISP Internet / 1 LAN WIFI Router Combine 2 ISP to Network
Replies: 11
Views: 1473

Re: 2 ISP Internet / 1 LAN WIFI Router Combine 2 ISP to Network

Your PPPoE connections are not running. Could your ISPs be using VLANs or maybe only the ISP devices authenticate via PPPoE and you only need DHCP clients on the hEX?
by TheCat12
Mon Aug 12, 2024 8:46 pm
Forum: General
Topic: Wireguard Policy Based Routing on ROS7+ - Best Practices
Replies: 11
Views: 1704

Re: Wireguard Policy Based Routing on ROS7+ - Best Practices

1) Yes-ish, because there is no need of the mangle rules (the routing rule does the same) and the nat rule (the default one already does the same) 2) No need, because action=lookup on the routing rule means that routing decisions will fall back to the main table if the route, specified in the wg-nor...
by TheCat12
Mon Aug 12, 2024 8:31 pm
Forum: General
Topic: VPN site-to-site between MiktoTik and Check Point Quantum Spark
Replies: 1
Views: 501

Re: VPN site-to-site between MiktoTik and Check Point Quantum Spark

I'd suggest looking at the following MUM presentation to gain insights on how to configure IKEv2 site-to-site:

https://youtu.be/n5_Af2vllOA?si=OQnzMSIWeViM8xhs

For the Quantum Spark side:

https://youtu.be/jccJI89Xkfk?si=DHNISCrWNEwWJnRo
by TheCat12
Mon Aug 12, 2024 8:21 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

@johnb175a, in your case, the VPN tunnel establishes, so the problem is somewhere else. That's why I would additionally need a full export of the config:

/export file=anynameyouwish (minus sensitive info)
by TheCat12
Mon Aug 12, 2024 5:02 pm
Forum: General
Topic: Problem Ikev2 Ipsec + Web/EmailServer + Hairpin Nat
Replies: 2
Views: 1587

Re: Problem Ikev2 Ipsec + Web/EmailServer + Hairpin Nat

Let me go to my local Madame Esmeralda because, unlike @Anav, I do not possess any psychic supplies

or

/export file=anynameyouwish (minus sensitive info)

(Sorry for the sarcasm, Mikrotik not adding a first-time poster manual is at fault for it, not you)
by TheCat12
Mon Aug 12, 2024 1:36 pm
Forum: General
Topic: basic VLAN routing [SOLVED]
Replies: 2
Views: 3502

Re: basic VLAN routing [SOLVED]

I think this address is causing you problems:
add address=192.168.170.0/28 interface=openmetallab-management-vlan170 \
    network=192.168.170.0
It should be 192.168.170.1/28
by TheCat12
Mon Aug 12, 2024 1:15 pm
Forum: General
Topic: virtual interface for DHCP Client WAN over VLAN [SOLVED]
Replies: 7
Views: 4206

Re: virtual interface for DHCP Client WAN over VLAN [SOLVED]

I think you need to change your concept of VLANs a little bit, so please read the following first and after that come back to discuss a possible solution:

viewtopic.php?t=143620
by TheCat12
Sat Aug 10, 2024 11:50 pm
Forum: Beginner Basics
Topic: CAPsMAN through Switch under VLAN [SOLVED]
Replies: 15
Views: 4581

Re: CAPsMAN through Switch under VLAN [SOLVED]

Not sure what exactly you are referring to, but from the wiki: WiFi CAPsMAN only passes wireless configuration to the CAP, all forwarding decisions are left to the CAP itself - there is no CAPsMAN forwarding mode. To get it to work through the switch, you have to add VLAN ID 1 to the switch config...
by TheCat12
Sat Aug 10, 2024 11:36 pm
Forum: General
Topic: WAN port in Switch?
Replies: 2
Views: 794

Re: WAN port in Switch?

Something like that should do the trick: 1. On the L009 add ether1 to the LAN bridge remove DHCP, etc. and add static address 2. On the RB5009 add the following configuration: /routing table add fib name=to_ISP1 /ip route add distance=1 dst-address=0.0.0.0/0 gateway="L009_static_IP" set [ ...
by TheCat12
Sat Aug 10, 2024 7:32 pm
Forum: General
Topic: CAPsMAN, RB4011-RB960PGS-cAP AX/wAP ac [SOLVED]
Replies: 16
Views: 2818

Re: CAPsMAN, RB4011-RB960PGS-cAP AX/wAP ac [SOLVED]

Perhaps it's an arising conflict between VLAN 1 and 51 because they both have analogous configuration (same ports, none of which has untagged traffic) and at least one common MAC address is learned by both of them
by TheCat12
Sat Aug 10, 2024 6:40 pm
Forum: General
Topic: CAPsMAN, RB4011-RB960PGS-cAP AX/wAP ac [SOLVED]
Replies: 16
Views: 2818

Re: CAPsMAN, RB4011-RB960PGS-cAP AX/wAP ac [SOLVED]

Unless you configure management VLAN on the RB4011, the RB960PGS and the APs, VLAN1 as a means of access to the APs should suffice. As a side note, please consider enabling ingress-filtering and configuring frame-types on the RB4011 ports as follows: frame-types=allow-only-vlan-tagged for trunk ports...
by TheCat12
Sat Aug 10, 2024 6:08 pm
Forum: General
Topic: IKE2 IPSec VPN: Windows claims policy match error
Replies: 5
Views: 1485

Re: IKE2 IPSec VPN: Windows claims policy match error

Based on previous experience with setting up IKEv2 on Windows, I suspect that encryption methods can't be negotiated between the parties. To troubleshoot that we will need apart from an exported config a log print with IPsec logging turned on:
/system logging
add topics=ipsec,!debug
by TheCat12
Sat Aug 10, 2024 6:01 pm
Forum: Beginner Basics
Topic: Mikrotik VPN to access all private networks
Replies: 1
Views: 828

Re: Mikrotik VPN to access all private networks

Before configuring VPN, I highly, very highly suggest you set up VLANs, at least for the sake of network desaturation if I may say so. If you're not familiar with it, I suggest reading this:

viewtopic.php?t=143620
by TheCat12
Fri Aug 09, 2024 10:25 pm
Forum: Beginner Basics
Topic: CAPsMAN through Switch under VLAN [SOLVED]
Replies: 15
Views: 4581

Re: CAPsMAN through Switch under VLAN [SOLVED]

Local forwarding should be enabled on the datapaths because the AP is not directly connected to the CAPsMAN
by TheCat12
Wed Aug 07, 2024 10:55 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

Personally, I use sha1, sha256, aes-256 and pfs-group=none for proposals and sha256, aes-256, modp1024 and modp2048 for profiles and it works for my native Android VPN client although I see that the OP uses the same configuration and it doesn't work for him, which is very odd. Perhaps an Android or ...
by TheCat12
Wed Aug 07, 2024 10:51 pm
Forum: General
Topic: My IKEV2 vpn stopped working
Replies: 41
Views: 4381

Re: My IKEV2 vpn stopped working

If somebody could enable IPsec logging and post the log here, I would be glad to help:
/system logging
add action=memory topics=ipsec,!debug
by TheCat12
Wed Aug 07, 2024 10:00 pm
Forum: Beginner Basics
Topic: Mikrotik RB5009UG+S+IN and ZyXEL EX5601-T0
Replies: 1
Views: 782

Re: Mikrotik RB5009UG+S+IN and ZyXEL EX5601-T0

If you configure the Zyxel in bridge mode, i.e. all ports are bridged and it doesn't distribute addresses of its own, then the port forwarding will be done on the Mikrotik, else on the Zyxel
by TheCat12
Tue Aug 06, 2024 10:16 pm
Forum: General
Topic: IPSec VPN via IPv6 | No traffic
Replies: 3
Views: 929

Re: IPSec VPN via IPv6 | No traffic

You would need to add an IPv6 loopback address, use an IPv6 pool for the mode-config or use static addressing, add an IPv6 IPsec policy and use IPv6 LAN addresses to access resources.

Please refer to the following topic:

viewtopic.php?t=204321
by TheCat12
Tue Aug 06, 2024 9:58 pm
Forum: General
Topic: Feature Request: 6VPE (VPNv6) - ipv6 address family
Replies: 41
Views: 7319

Re: Feature Request: 6VPE (VPNv6) - ipv6 address family

I think they are adding it as a feature because it can be seen as an AFI on the CLI only
by TheCat12
Mon Aug 05, 2024 9:01 pm
Forum: Beginner Basics
Topic: Problem with setting up and having internal Switch VLANs on the hapac2 router nothing works as it should
Replies: 3
Views: 916

Re: Problem with setting up and having internal Switch VLANs on the hapac2 router nothing works as it should

Your configuration is a bit tricky because it is better to use the Switch menu for VLANs yet the wifi interfaces cannot be used in it because they are not physical ports. With respect to that the following should be done: 1. The VLAN interfaces should be assigned to the bridge itself and not the tru...
by TheCat12
Sun Aug 04, 2024 1:10 pm
Forum: Beginner Basics
Topic: New to RouterOS - could use assist with Site-to-Site VPN
Replies: 5
Views: 1145

Re: New to RouterOS - could use assist with Site-to-Site VPN

You should either have routes or IPsec policies that tell the traffic how to get to the remote LAN. IMO it is better to use IPsec policies: # Site A /ip ipsec policy add tunnel=yes src-address=192.168.1.0/24 dst-address=172.16.2.0/24 action=encrypt proposal="Site_A_proposal" # Site B /ip i...
by TheCat12
Sun Aug 04, 2024 12:58 pm
Forum: Beginner Basics
Topic: [SOLVED] Issue with Setting Up Tagged VLAN on bridge
Replies: 20
Views: 1752

Re: [SOLVED] Issue with Setting Up Tagged VLAN on bridge

Because ether1 is the trunk port, shouldn't the PVID 1500 be set on ether2? That way you'll have access to the management VLAN through the aforementioned port
by TheCat12
Sun Aug 04, 2024 12:21 am
Forum: Beginner Basics
Topic: Problem with setting up and having internal Switch VLANs on the hapac2 router nothing works as it should
Replies: 3
Views: 916

Re: Problem with setting up and having internal Switch VLANs on the hapac2 router nothing works as it should

Your VLANs are messed up and you are missing CAPsMAN configuration: /interface bridge port set [ find interface=ether3 ] pvid=1 set [ find interface=ether4 ] pvid=1 /interface vlan set [ find interface=ether5 ] interface=bridgeLocal /interface ethernet switch port set 2 vlan-header=leave-as-is set 3...
by TheCat12
Sat Aug 03, 2024 2:52 pm
Forum: Beginner Basics
Topic: [SOLVED] Issue with Setting Up Tagged VLAN on bridge
Replies: 20
Views: 1752

Re: Issue with Setting Up Tagged VLAN on bridge

I think your problem corresponds to the following one: https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration#Layer2misconfiguration-VLANfilteringwithsimplifiedbridgeVLANtable The solution to it is adding a separate Bridge VLAN entry for every VLAN ID in the bridge VLAN table. You could ...
by TheCat12
Sat Aug 03, 2024 9:48 am
Forum: Beginner Basics
Topic: Can't access new CRS309 by IP
Replies: 3
Views: 829

Re: Can't access new CRS309 by IP

Shouldn't your network in the IP/Address entry be 10.10.0.0 because what you have written is the netmask which you could specify with a /24 after the address?
by TheCat12
Sat Aug 03, 2024 9:45 am
Forum: Beginner Basics
Topic: [SOLVED] Issue with Setting Up Tagged VLAN on bridge
Replies: 20
Views: 1752

Re: Issue with Setting Up Tagged VLAN on bridge

Could you post your config using the following command:

/export file=anynameyouwish

That way it'll be better readable and will have more details about the configuration which are not visible in your format
by TheCat12
Fri Aug 02, 2024 10:23 pm
Forum: General
Topic: VPN site-to-site routing host is unreachable even with connection between gateway
Replies: 5
Views: 731

Re: VPN site-to-site routing host is unreachable even with connection between gateway

also sorry for maybe dumb questions but I'm still quite new to the VPNs in mikrotik.
No need to be, IPsec on MikroTik and overall is a bit finicky
by TheCat12
Fri Aug 02, 2024 10:20 pm
Forum: General
Topic: VPN site-to-site routing host is unreachable even with connection between gateway
Replies: 5
Views: 731

Re: VPN site-to-site routing host is unreachable even with connection between gateway

I meant that you could scratch the following policy on client side: /ip ipsec policy add dst-address=10.22.22.1/32 peer=ike2-peer proposal=IKEv2 src-address=10.22.22.2/32 tunnel=yes And add a template in place of it: /ip ipsec policy add group=MyGroup peer=ike2-peer proposal=IKEv2 template=yes After...
by TheCat12
Fri Aug 02, 2024 10:12 pm
Forum: Beginner Basics
Topic: OSPF Routing
Replies: 3
Views: 872

Re: OSPF Routing

I think the main problem is in the VLAN part of the configuration (misconfiguration and mismatched vlan-ids) and not in the OSPF part, so good thing you posted here. Now to the VLAN - I would bridge all of the VLAN200 ports (except one so you don't lock yourself out during the setup) and assign the ...
by TheCat12
Fri Aug 02, 2024 8:12 pm
Forum: General
Topic: What are the best practices for securing a MikroTik router from external threats?
Replies: 16
Views: 1924

Re: What are the best practices for securing a MikroTik router from external threats?

It looks like a combination of Vincent van Purr and Claude Meowet
by TheCat12
Fri Aug 02, 2024 1:02 pm
Forum: General
Topic: VPN site-to-site routing host is unreachable even with connection between gateway
Replies: 5
Views: 731

Re: VPN site-to-site routing host is unreachable even with connection between gateway

Instead of creating a tunnel between the VPN addresses of the tunnel on client side, you could use a policy template. As for the communication between the LANs, it should be quite an easy fix: # Server /ip ipsec policy add action=encrypt proposal=ike2-proposal src-address=192.168.200.0/24 dst-addres...
by TheCat12
Fri Aug 02, 2024 12:37 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

I have nothing to add. Even if the code is bad-shaped, which it is not, what matters most is that it works.

P.S. For your information, what you have achieved between the routers is not a L2TP tunnel but rather an IPsec tunnel
by TheCat12
Thu Aug 01, 2024 11:59 pm
Forum: Beginner Basics
Topic: OSPF Routing
Replies: 3
Views: 872

Re: OSPF Routing

I wouldn't classify the topic as "Beginner Basics" but who am I to judge?
Anyway, is the router part of the backbone or a different area? Do the timers match?

An exported config would help finding the cause of the problem:

/export file=anynameyouwish (minus sensitive info)
by TheCat12
Tue Jul 30, 2024 9:29 pm
Forum: Beginner Basics
Topic: Unbale to route the default route to ISP router
Replies: 2
Views: 771

Re: Unbale to route the default route to ISP router

Without config we can't tell anything...

/export file=anynameyouwish
by TheCat12
Wed Jul 24, 2024 8:08 pm
Forum: General
Topic: Policy routing - Documentation typo
Replies: 13
Views: 826

Re: Policy routing - Documentation typo

Someone was in a hurry to fix it:
Screenshot_20240724_200744_Samsung Internet.jpg
by TheCat12
Tue Jul 23, 2024 6:42 pm
Forum: Beginner Basics
Topic: IPsec VPN - NAT rule to reach the server
Replies: 6
Views: 966

Re: IPsec VPN - NAT rule to reach the server

I'd suggest using the following IPsec policy on the local router:
/ip ipsec policy
add action=encrypt src-address=192.168.1.0/24 dst-address=171.11.153.20
And one with swapped source and destination addresses on the remote party
by TheCat12
Sun Jul 21, 2024 1:26 pm
Forum: General
Topic: 2 WANs for 2 Separated LANs RouterOS 7.11.3
Replies: 10
Views: 1215

Re: 2 WANs for 2 Separated LANs RouterOS 7.11.3

1. Your firewall filter is a self-hazard - better use the default one than this open door for attacks, malware and what not
2. The accept mangle rules aren't necessary
3. You're missing two routes:
/ip route
add dst-address=0.0.0.0/0 gateway=100.94.144.1 routing-table=main
add dst-address=0.0.0.0/0 ...
by TheCat12
Sat Jul 20, 2024 7:06 pm
Forum: Beginner Basics
Topic: L2TP VPN - Site to Site - routing [SOLVED]
Replies: 21
Views: 6749

Re: L2TP VPN - Site to Site - routing [SOLVED]

Because I forgot that a route should be added on Site A:
/ip route
add dst-address=192.168.1.116 gateway=<l2tp client interface>
by TheCat12
Sat Jul 20, 2024 6:55 pm
Forum: Beginner Basics
Topic: From router + AP to switch + AP [SOLVED]
Replies: 11
Views: 5613

Re: From router + AP to switch + AP [SOLVED]

Just one question - is a default route to the gateway needed? As the AP de facto acts as a switch, shouldn't routing be handled by the gateway?
by TheCat12
Sat Jul 20, 2024 5:25 pm
Forum: Beginner Basics
Topic: From router + AP to switch + AP [SOLVED]
Replies: 11
Views: 5613

Re: From router + AP to switch + AP [SOLVED]

Don't forget to assign the DHCP client on the bridge and not on ether1 or better yet, assign the address that is currently on ether1 on the bridge and don't add a DHCP client and:

7. Delete or disable all default routes if there are such existent
by TheCat12
Sat Jul 20, 2024 5:17 pm
Forum: Beginner Basics
Topic: NAT port 21
Replies: 4
Views: 826

Re: NAT port 21

In the dst-nat rule you haven't specified dst-address (i.e. your static public IP), against which the packets should be matched so that their destination address is accordingly translated. Also, port 22 is SSH, so you better change your dst-port (the more obscure, the better)
by TheCat12
Sat Jul 20, 2024 5:08 pm
Forum: Beginner Basics
Topic: L2TP VPN - Site to Site - routing [SOLVED]
Replies: 21
Views: 6749

Re: L2TP VPN - Site to Site - routing [SOLVED]

/routing table
add fib name=through_VPN
/ip route
add dst-address=0.0.0.0/0 gateway="remote tunnel IP"
/routing rule
add src-address=192.168.1.116 action=lookup-only-in-table table=through_VPN
by TheCat12
Sat Jul 20, 2024 1:32 pm
Forum: Beginner Basics
Topic: RB2011 + hap ax3 - routing help needed
Replies: 13
Views: 1201

Re: RB2011 + hap ax3 - routing help needed

If we consider the default bridge as WAN and the IoT as LAN, change the default bridge to be part of the WAN interface list and remove out-interface=ether1 from the masquerade rule:
/interface list member
set [ find interface=bridge ] list=WAN
/ip firewall nat
set [ find out-interface=ether1 ] out-i...
by TheCat12
Sat Jul 20, 2024 8:35 am
Forum: Beginner Basics
Topic: RB2011 + hap ax3 - routing help needed
Replies: 13
Views: 1201

Re: RB2011 + hap ax3 - routing help needed

Could you export the config of the hAP ax³ and post it here?

/export file=anynameyouwish (minus sensitive info)
by TheCat12
Thu Jul 18, 2024 6:55 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

And make sure not to run a DHCP server for the 172.17.0.0 range on the branch office router as it may lead to undesired effects
by TheCat12
Thu Jul 18, 2024 6:03 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

It probably happens because the addresses of local and remote LAN are the same. I think that could be overcome with the help of an EoIP tunnel spanned over the L2TP tunnel but that would require a static address for the branch office router instead of a random one from the VPN pool:
# Head office
/p...
by TheCat12
Thu Jul 18, 2024 4:17 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

I can try to help you with that problem too - firstly you have to turn on IP firewall for the bridge:
/interface bridge settings
set use-ip-firewall=yes
After that add a firewall to drop all forward for the PBX address except for in-interface-list=PPP:
/ip firewall filter
add action=drop chain=forwa...
by TheCat12
Thu Jul 18, 2024 3:45 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

You could also remove the add-dst-to-address-list rules because they should be covered by the mangle
by TheCat12
Thu Jul 18, 2024 2:27 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

For the firewall filter just add the following rule before the drop all input not from LAN and remove from the latter connection-state=established:
/ip firewall filter
add action=accept chain=input ipsec-policy=in,ipsec
And please try to implement my new revision of the mangle rules and give me a f...
by TheCat12
Thu Jul 18, 2024 11:15 am
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

I'll once again try to rewrite and rearrange your mangle rules so that hopefully everything works after that. In my previous posts I was pretty sloppy about the order of the rules on which I emphasized earlier that it is of importance (shame on me) and probably that's the reason why you lost remote ...
by TheCat12
Wed Jul 17, 2024 5:03 pm
Forum: General
Topic: [Assistance] - VLAN configuration on CRS1xx
Replies: 10
Views: 816

Re: [Assistance] - VLAN configuration on CRS1xx

Perhaps the problem is in the firewall. That's why it's not good to work with snippets of config. Would you export your whole config and post it here?

/export file=anynanmeyoulike (minus sensitive information like serial numbers, public IPs, etc.)
by TheCat12
Wed Jul 17, 2024 4:57 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

One minor suggestion - remove the dst-address-lists of the "X only VPN" rules (rules no. 12,13,14) so that all traffic originating from the VPN can be matched against them, not only destined to the addresses in the lists. Also you could combine rules no. 15-20 by using in-interface-list=LA...
by TheCat12
Wed Jul 17, 2024 3:43 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

I see that you've reverted to the old naming convention for the routing tables and marks. That's why I'll suggest once more to change it as in the previous snippets of configuration. Bear in mind that you should not only change the names of the routing marks but also that of the routing tables to ma...
by TheCat12
Wed Jul 17, 2024 3:21 pm
Forum: General
Topic: Too tight firewall rules? I'm lost!
Replies: 15
Views: 1708

Re: Too tight firewall rules? I'm lost!

Perhaps exactly that is the problem - the ports that should be used to access the server are changed so that the outside users don't know the original ones
by TheCat12
Wed Jul 17, 2024 3:19 pm
Forum: General
Topic: [Assistance] - VLAN configuration on CRS1xx
Replies: 10
Views: 816

Re: [Assistance] - VLAN configuration on CRS1xx

I think that there is no need for egress-vlan-translation and that is causing the problem: When an entry is created under /interface ethernet switch ingress-vlan-translation, then the switch chip will add a VLAN tag on ingress frames on the specified port. To remove the VLAN tag on the same port f...
by TheCat12
Wed Jul 17, 2024 3:07 pm
Forum: General
Topic: Too tight firewall rules? I'm lost!
Replies: 15
Views: 1708

Re: Too tight firewall rules? I'm lost!

The VLAN is a side note.

However, I just saw that you haven't specified the to-ports parameter in the dstnat rules. Maybe that is the cause
by TheCat12
Wed Jul 17, 2024 2:49 pm
Forum: General
Topic: Too tight firewall rules? I'm lost!
Replies: 15
Views: 1708

Re: Too tight firewall rules? I'm lost!

More likely what @karlisi suspected - you're behind the ISP's NAT which doesn't have full port forwarding enabled, hence no access to the server from the outside

P.S. Your VLAN is not configured properly
by TheCat12
Wed Jul 17, 2024 1:29 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

For the firewall filter rules I forgot that the order in which they are is of importance because the matching is done sequentially. That's why the drop input except from LAN should be after all other input rules and analogously for the drop forward from WAN except dst-nated rule. As for the three s...
by TheCat12
Wed Jul 17, 2024 11:43 am
Forum: Beginner Basics
Topic: Preserve Port number on src Nat rule [SOLVED]
Replies: 3
Views: 4715

Re: Preserve Port number on src Nat rule [SOLVED]

Use action=src-nat in the srcnat rule so that you can specify to which port should the IP address be sourcenatted:
/ip firewall nat
add action=src-nat chain=srcnat protocol=tcp src-port=5060 src-address=192.168.7.100 to-addresses=222.222.123.2 to-ports=5060
Just make sure to put the rule before any ...
by TheCat12
Mon Jul 15, 2024 10:29 pm
Forum: Beginner Basics
Topic: Port forwarding for a Minecraft server
Replies: 1
Views: 793

Re: Port forwarding for a Minecraft server

The only thing you should change from the screenshot config is to remove in-interface=bridge. If you have a static public IP, you could use it in dst-address instead of in-interface-list=WAN. If the rule still doesn't work, maybe you're behind carrier-grade NAT and you should ask the ISP to create a full p...
by TheCat12
Mon Jul 15, 2024 9:58 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

Your firewall still lacks some essential rules, for example dropping all input not coming from LAN (a default config rule):
/ip firewall filter
add action=drop chain=input in-interface-list=!LAN
Another one is drop all forward from WAN not dstnat-ed:
/ip firewall filter
add action=drop chain=forward...
by TheCat12
Mon Jul 15, 2024 1:33 pm
Forum: Beginner Basics
Topic: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please
Replies: 36
Views: 3060

Re: MikroTik Configuration 3 WAN 2 LAN and VPN Need Kind Help from Seniors Please

1) Remove WiFi interface list and add ether11-WiFi to the LAN interface list (you'll see why short after):
/interface list
add name=WAN
add name=LAN
add name=WiFi
/interface list member
add interface=ether5 list=WAN
add interface=ether9 list=WAN
add interface=ether1 list=WAN
add interface=ether12-LA...
by TheCat12
Sat Jul 13, 2024 10:36 pm
Forum: General
Topic: How to Configure DHCP Server for Static Leases Only
Replies: 2
Views: 712

Re: How to Configure DHCP Server for Static Leases Only

Use address-pool=static-only on the DHCP server and that should do the trick
by TheCat12
Sat Jul 13, 2024 6:45 pm
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1873

Re: VLAN Issue

You're mixing apples with oranges and your VLAN config is a complete mess. You either use VLANs all the way or don't use them at all, hybrid setups don't work as expected.
1) Remove or change pvid of vlan bridge to 20 and remove frame-types if you don't want to lock yourself out:
add comment=VLANTES...
by TheCat12
Sat Jul 13, 2024 5:23 pm
Forum: Beginner Basics
Topic: Port forwarding with hairpin NAT and dynamic IP combo
Replies: 12
Views: 1453

Re: Port forwarding with hairpin NAT and dynamic IP combo

One way would be to use a DNS record - for example the one from IP/Cloud, which you could add in an address list and use dst-address-list instead of a dst-address. Another way is the one you mentioned - create a DHCP lease script. There is no better or worse way
by TheCat12
Fri Jul 12, 2024 10:52 pm
Forum: Beginner Basics
Topic: Port Forwarding and Opening (Destiny 2 specific)
Replies: 1
Views: 1471

Re: Port Forwarding and Opening (Destiny 2 specific)

For the UPnP to work, you need to add interfaces:
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
enable 0,1
Otherwise all ports are open by default, to forward ports you need to add dstnat rules:
/ip firewall nat
add action=dst-nat chain=dstnat protocol=udp...
by TheCat12
Fri Jul 12, 2024 10:30 pm
Forum: General
Topic: VLAN cannot access the internet
Replies: 2
Views: 926

Re: VLAN cannot access the internet

Perhaps it is missing NAT?
/ip firewall nat
add action=masquerade chain=srcnat out-interface=sfp-sfpplus1
Also, remove sfp-sfpplus1 from the bridge as well as from the bridge VLAN table and VLAN 1 from the latter, and everything should be fine
by TheCat12
Fri Jul 12, 2024 7:36 pm
Forum: Beginner Basics
Topic: How to connect PureVPN IKEV2 Server on Mikrotik router?
Replies: 12
Views: 5047

Re: How to connect PureVPN IKEV2 Server on Mikrotik router?

Could you export your config and post it here to have a look what could be going wrong?

/export file=anynameyouwish (minus sensitive info)
by TheCat12
Fri Jul 12, 2024 10:40 am
Forum: General
Topic: use remote gateway over ipsec as main gateway for single computer
Replies: 1
Views: 666

Re: use remote gateway over ipsec as main gateway for single computer

I'd suggest using IPsec policies on both routers - on local router policies with src-address the streaming devices, which should be routed through the tunnel, and on the remote router the other way around. Only exception on the remote router is that in this case policies with action=none should be a...
by TheCat12
Thu Jul 11, 2024 11:32 am
Forum: General
Topic: Problems with VLAN passtrough
Replies: 9
Views: 722

Re: Problems with VLAN passtrough

Maybe to better understand what you try to achieve a simple network diagram would be needed. Also, does VLAN 30 arrive at the Mikrotik as .1Q tunnel and which are/should be its inner VLANs?
by TheCat12
Thu Jul 11, 2024 10:57 am
Forum: General
Topic: Basic setup for Starlink
Replies: 5
Views: 2956

Re: Basic setup for Starlink

One of the problems may be that your LAN network's addresses overlap with those handed out by the Starlink because, if I remember correctly, it is CGNAT. Nevertheless, an export of the config is advisable for us to be able to help you:

/export file=anynameyouwish (minus sensitive info)
by TheCat12
Wed Jul 10, 2024 11:50 pm
Forum: General
Topic: Sending ACS url, username and password to Mikrotik
Replies: 1
Views: 402

Re: Sending ACS url, username and password to Mikrotik

Shouldn't you use the TR069 package because this sounds like terminology of this protocol
by TheCat12
Wed Jul 10, 2024 11:42 pm
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1873

Re: VLAN Issue

Newer models like hAP ac² should have a random password by default which is on the sticker that is on the box, hidden on the router
by TheCat12
Wed Jul 10, 2024 11:39 pm
Forum: Beginner Basics
Topic: How to connect PureVPN IKEV2 Server on Mikrotik router?
Replies: 12
Views: 5047

Re: How to connect PureVPN IKEV2 Server on Mikrotik router?

Looking at the error, there is a bunch of possibilities what could be wrong - wrong Phase 1 IP addresses, misconfigured NAT, wrong usage of local-address parameter...
by TheCat12
Wed Jul 10, 2024 6:11 pm
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1873

Re: VLAN Issue

Although it "doesn't exist from source" as you refer to it, it does get introduced by being set as vlan-id in /interface bridge vlan and/or pvid in /interface bridge port, depending on the role of the port, and the VLAN tag begins being added/stripped after enabling vlan-filtering
by TheCat12
Wed Jul 10, 2024 4:19 pm
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1873

Re: VLAN Issue

For option 1 I disagree that there is a need for a VLAN200 interface because the VLAN should operate only on L2, no L3 needed. That's why I omitted it from my config
by TheCat12
Wed Jul 10, 2024 3:26 pm
Forum: General
Topic: output chain: Change source address [SOLVED]
Replies: 2
Views: 2561

Re: output chain: Change source address [SOLVED]

Isn't there a src-address option in the /radius menu?
by TheCat12
Wed Jul 10, 2024 12:10 am
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1873

Re: VLAN Issue

A side question - why do you use a public IP (170.x.x.x) for LAN?
by TheCat12
Wed Jul 10, 2024 12:05 am
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1873

Re: VLAN Issue

Ok then, first you'll create a bridge with all ethernet ports except ether1 in it (for the config I'll assume all ports are ether1-5), then create a VLAN interface for VLAN 20 and configure IP addresses and DHCP settings for it. After that you'll fill in the Bridge VLAN table and enable vlan-filteri...
by TheCat12
Tue Jul 09, 2024 11:46 pm
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1873

Re: VLAN Issue

So VLAN 20 is for the "normal" internet, I assume? And the DHCP server for it would be the Mikrotik?
by TheCat12
Tue Jul 09, 2024 11:18 pm
Forum: General
Topic: Natting traffic
Replies: 1
Views: 594

Re: Natting traffic

I'd suggest using the firewall rule you mentioned with connection-nat-state=!dstnat. Not sure if it wouldn't allow direct access though
by TheCat12
Tue Jul 09, 2024 11:01 pm
Forum: General
Topic: Too tight firewall rules? I'm lost!
Replies: 15
Views: 1708

Re: Too tight firewall rules? I'm lost!

I'll cite @anav with modifications from another post. Hopefully he won't be mad at me 😬
(1) Remove IP DNS STATIC setting
(2) This one is part of your port forwarding issue.......... Modify this default rule in forward chain
From:
add action=drop chain=forward comment=\
"defconf: drop all from W...
by TheCat12
Tue Jul 09, 2024 10:21 pm
Forum: General
Topic: Problems with VLAN passtrough
Replies: 9
Views: 722

Re: Problems with VLAN passtrough

To start things off, an export of the config would be helpful to see what is going on at the moment:

/export file=anynameyouwish (minus sensitive info)
by TheCat12
Tue Jul 09, 2024 8:40 pm
Forum: General
Topic: Not able to access Mikrotik once the IKEv2 is established
Replies: 5
Views: 1789

Re: Not able to access Mikrotik once the IKEv2 is established

Maybe if the OP had exported the full config without eliding important parts such as the firewall and probably more, I could've helped him. Alas, I couldn't. Maybe I could help you @Yanik if you give me some more details like what is on the other side of the VPN, whether GRE, IPIP, etc. is used for ...
by TheCat12
Tue Jul 09, 2024 8:00 pm
Forum: General
Topic: Dual WAN with DHCP on RouterOS 6
Replies: 3
Views: 532

Re: Dual WAN with DHCP on RouterOS 6

To free up space, you could remove some packages which you probably wouldn't need like "routing", "mpls", etc.
by TheCat12
Tue Jul 09, 2024 7:47 pm
Forum: General
Topic: No RoMON Help Please
Replies: 7
Views: 1268

Re: No RoMON Help Please

Go into settings (upper right corner) and there you'll find a toggle "Enable RoMON"
by TheCat12
Mon Jul 08, 2024 11:31 pm
Forum: Beginner Basics
Topic: I cannot locally reach my local web server.
Replies: 7
Views: 1141

Re: I cannot locally reach my local web server.

The rule can be generalized with the help of address lists - add all addresses of local servers to an address list and reference it in the hairpin NAT rule (dst-address-list instead of dst-address). Also remove or disable the settings which include the default address 192.168.88.1 (/ip address, ...
by TheCat12
Mon Jul 08, 2024 11:20 pm
Forum: Beginner Basics
Topic: wireguard VPN and Synology NAS
Replies: 4
Views: 1215

Re: wireguard VPN and Synology NAS

Could you export your config and post it here?

/export file=anynameyouwish (minus sensitive information like public keys, passwords, etc.)
by TheCat12
Mon Jul 08, 2024 11:18 pm
Forum: Beginner Basics
Topic: Help with Initial Configuration of RouterOS on MikroTik hAP ac²
Replies: 3
Views: 940

Re: Help with Initial Configuration of RouterOS on MikroTik hAP ac²

Dear Emily,

Would you kindly open a new terminal, run the command /export file=anynameyouwish and post the newly created file here? That would help us a lot in diagnosing the problem.

TheCat12
by TheCat12
Mon Jul 08, 2024 6:11 pm
Forum: Beginner Basics
Topic: I cannot locally reach my local web server.
Replies: 7
Views: 1141

Re: I cannot locally reach my local web server.

There is an easier hairpin NAT rule:

https://help.mikrotik.com/docs/display/ ... HairpinNAT

No need of mangle whatsoever

P.S. You shouldn't consider the 192.168.1.0 network for the hairpin NAT rule because the web server is not part of it
by TheCat12
Mon Jul 08, 2024 5:53 pm
Forum: Beginner Basics
Topic: Chateau 5G VLAN Setup Issue
Replies: 1
Views: 667

Re: Chateau 5G VLAN Setup Issue

1) Yes, because this is a whole other method which has nothing to do with the switch one
2) It is advisable for ether2 to be on a separate bridge even though it is one port
3) Yes, but you could limit the traffic from VLAN 20 to the other VLANs if it's necessary from the firewall:
/ip firewall filte...
by TheCat12
Mon Jul 08, 2024 5:19 pm
Forum: Beginner Basics
Topic: Firewall not working
Replies: 5
Views: 1200

Re: Firewall not working

The explanation is that your router most probably acts at the moment as a switch (I assume all ports are bridged together for the computers to get an IP address from the same range as the WAN). If you want your firewall to work properly, you should remove your WAN port from the bridge, create a sepa...
by TheCat12
Mon Jul 08, 2024 3:26 pm
Forum: Beginner Basics
Topic: Need help with setting up a subnet
Replies: 6
Views: 837

Re: Need help with setting up a subnet

Quite an easy fix with precisely a firewall rule:
/ip firewall filter
add action=drop chain=forward dst-address=192.168.18.0/24 src-address=192.168.1.0/24
I would suggest also adding a rule that prevents access to the slave antenna from the guest network:
/ip firewall filter
add action=drop chain=in...
by TheCat12
Mon Jul 08, 2024 10:42 am
Forum: Beginner Basics
Topic: VPN connection from abroad
Replies: 7
Views: 1296

Re: VPN connection from abroad

What I would suggest is running the command /export file=anynameyouwish, remove sensitive information like passwords and post the redacted file here because we need to see the full configuration to be able to find out what the problem is
by TheCat12
Sun Jul 07, 2024 4:20 pm
Forum: Beginner Basics
Topic: Need help with setting up a subnet
Replies: 6
Views: 837

Re: Need help with setting up a subnet

Actually there might be a way - if you create a bridge on the slave antenna as per instructions on how to create a PtP link, fix the mode of the W60G interface to station-bridge, assign to the bridge only the W60G interface and add static address and default route for the bridge, then it might work...
by TheCat12
Sat Jul 06, 2024 11:20 pm
Forum: Beginner Basics
Topic: Need help with setting up a subnet
Replies: 6
Views: 837

Re: Need help with setting up a subnet

I think it won't be possible to separate the subnets on the antenna, but rather on the access point because the antennas act as a wireless extension of the ISP modem subnet and also don't have enough interfaces to do routing on them. That's why you should make the AP the DHCP server
by TheCat12
Sat Jul 06, 2024 10:43 pm
Forum: Beginner Basics
Topic: Wireless VLANs on ROS 7.15.0 [SOLVED]
Replies: 6
Views: 4929

Re: Wireless VLANs on ROS 7.15.0 [SOLVED]

Your logic is on point and here is the proof:
https://help.mikrotik.com/docs/download/attachments/122388507/Vlan-wlan1.jpg?version=1&modificationDate=1650965266847&api=v2
The picture is from https://help.mikrotik.com/docs/display/ROS/VLANs+on+Wireless
Although the settings are for an older v...
by TheCat12
Sat Jul 06, 2024 7:41 pm
Forum: Beginner Basics
Topic: Help to allowing GuestLAN to Access HomeLAN Services via Domain (Public IP or WAN)
Replies: 2
Views: 593

Re: Help to allowing GuestLAN to Access HomeLAN Services via Domain (Public IP or WAN)

The exact rule you mentioned is to be used but with a minor tweak - an added connection-nat-state=!dstnat. This way only resources with a dstnat rule would be accessible from the guest LAN
by TheCat12
Sun Jun 30, 2024 11:00 pm
Forum: Beginner Basics
Topic: Configure IPv6 over IPv4 from ISP
Replies: 9
Views: 1711

Re: Configure IPv6 over IPv4 from ISP

I suggest then having a look at this reddit post:

https://www.reddit.com/r/mikrotik/comme ... _japanese/

Hopefully you find some useful information there
by TheCat12
Sat Jun 29, 2024 9:42 am
Forum: Beginner Basics
Topic: How to DMZ to ROS?
Replies: 11
Views: 1026

Re: How to DMZ to ROS?

Please run the following command:

/export file=anynamyouwish

and post the created file here
by TheCat12
Fri Jun 28, 2024 10:44 pm
Forum: Beginner Basics
Topic: How to DMZ to ROS?
Replies: 11
Views: 1026

Re: How to DMZ to ROS?

I have been successfully port-forwarding in the past. Besides, with DMZ is ISP port-forwarding even a consideration? Yes, as I said, if you're sitting behind CGNAT, i.e. the ISP router is in Router mode and not Bridge mode, then you're out of luck. Try port forwarding something from your MGMT netwo...
by TheCat12
Fri Jun 28, 2024 10:01 pm
Forum: Beginner Basics
Topic: How to DMZ to ROS?
Replies: 11
Views: 1026

Re: How to DMZ to ROS?

Is it possible that your ISP has not enabled port forwarding, and you're behind CGNAT because the rule should be working regardless whether you're behind DMZ or not, given that it's set up properly
by TheCat12
Fri Jun 28, 2024 8:08 pm
Forum: Beginner Basics
Topic: Configure IPv6 over IPv4 from ISP
Replies: 9
Views: 1711

Re: Configure IPv6 over IPv4 from ISP

Most probably we're talking about MAP-E, so please refer to the following topic and the commands of @urban69:

viewtopic.php?t=180608
by TheCat12
Thu Jun 27, 2024 8:10 pm
Forum: Beginner Basics
Topic: [SOLVED] Kind request for feedback about firewall configuration
Replies: 8
Views: 1246

Re: Kind request for feedback about firewall configuration

Regarding note 1, you could disable the unused rules. Now on to your questions: 1. Yes, there are no visible nonsensical rules. 2. Rule 4 is redundant because rule 5 has a greater coverage - no access to the router from an interface that is not part of the LAN interface list. As for the role of rule...
by TheCat12
Tue Jun 25, 2024 10:22 pm
Forum: Beginner Basics
Topic: Publishing WebApp through static IP
Replies: 2
Views: 745

Re: Publishing WebApp through static IP

A good start would be to kindly post the config of the router:

/export file=anynameyouwish (minus sensitive info)
by TheCat12
Tue Jun 25, 2024 10:17 pm
Forum: Beginner Basics
Topic: Firewall - TOR and proxy
Replies: 2
Views: 1520

Re: Firewall - TOR and proxy

I assume 192.168.0.11 is not the WAN address, and for the rules to work, you need it. Following changes should be made:
/ip firewall nat
set 1 src-address=192.168.0.18 dst-address="" src-port=9050 dst-port=""
set 11 src-address="" dst-address="WAN_address"
by TheCat12
Tue Jun 25, 2024 3:43 pm
Forum: Beginner Basics
Topic: Configure IPv6 over IPv4 from ISP
Replies: 9
Views: 1711

Re: Configure IPv6 over IPv4 from ISP

Could you kindly export the configuration and post it here as well as say the name of the ISP just to be sure if IPv4 over IPv6 is the case
/export file=anynameyouwish
by TheCat12
Sun Jun 09, 2024 7:42 pm
Forum: Beginner Basics
Topic: How to connect PureVPN IKEV2 Server on Mikrotik router?
Replies: 12
Views: 5047

Re: How to connect PureVPN IKEV2 Server on Mikrotik router?

In their guide they have forgotten to mention that ports 500 UDP, 4500 UDP and IPsec-ESP should be opened:
/ip firewall filter
add action=accept chain=input protocol=udp dst-port=500,4500
add action=accept chain=input protocol=ipsec-esp
Because I assume that wouldn't be the only problem, could you k...
by TheCat12
Sat May 11, 2024 9:40 pm
Forum: Beginner Basics
Topic: VLAN and limited inter-VLAN communications - where to start
Replies: 1
Views: 485

Re: VLAN and limited inter-VLAN communications - where to start

I.e. VLAN with separate DHCP for "smart home" and then some kind of special interVLAN firewall rules or it would be more advanced? Yes, exactly that would be needed but a network diagram is recommended to see which ports part of which VLAN should they be and also to understand whether DHC...
by TheCat12
Sat May 11, 2024 12:27 pm
Forum: Beginner Basics
Topic: Help needed in IPv6
Replies: 4
Views: 1294

Re: Help needed in IPv6

I have a few questions beforehand:
1. Do you receive the /48 prefix statically or per DHCP?
2. From which port do you receive internet?
3. Are the devices behind the router in a bridge (maybe except port 2) or overall separate?
The config so far exported and uploaded here would be a great help:
/exp...
by TheCat12
Fri May 10, 2024 11:45 pm
Forum: Beginner Basics
Topic: Connect Mikrotik hAP ac² to pfSense end point [SOLVED]
Replies: 1
Views: 5321

Re: Connect Mikrotik hAP ac² to pfSense end point [SOLVED]

https://help.mikrotik.com/docs/display/ROS/OpenVPN

The easiest way to set up hAP ac² as a client would be IMO with a .ovpn file
by TheCat12
Wed May 08, 2024 2:50 pm
Forum: General
Topic: Access VPN from LAN
Replies: 2
Views: 369

Re: Access VPN from LAN

Could you export your config and post it here?
/export file=anynameyouwish (minus sensitive information)
P.S. If you don't have any firewall rules and you're directly connected to the Internet, unplug yourself immediately and implement at least the default firewall because this state is hazardous for...
by TheCat12
Wed May 08, 2024 2:35 pm
Forum: Beginner Basics
Topic: 2-VPN Server on one Mirkotik with 2 PUblic IP
Replies: 7
Views: 1040

Re: 2-VPN Server on one Mirkotik with 2 PUblic IP

First you have to choose your poison (Wireguard, OVPN, IKEv2, L2TP...). In my opinion Wireguard would be the easiest to set up but I'll wait for your decision before suggesting anything
by TheCat12
Tue May 07, 2024 11:33 am
Forum: Beginner Basics
Topic: Question: SSIDs on different VLANs on LAN
Replies: 10
Views: 1322

Re: Question: SSIDs on different VLANs on LAN

A network diagram would do magic because the language you use is a bit ambiguous. Also, an exported config is always good to have:

/export file=anynameyouwish
by TheCat12
Mon May 06, 2024 5:55 pm
Forum: General
Topic: Access Mikrotik subnet from modem subnet [SOLVED]
Replies: 18
Views: 5709

Re: Access Mikrotik subnet from modem subnet [SOLVED]

In that case an exported config would be needed because there could be something else blocking the connection:

/export file=anynameyouwish (minus sensitive information)
by TheCat12
Sun May 05, 2024 12:23 pm
Forum: General
Topic: Access Mikrotik subnet from modem subnet [SOLVED]
Replies: 18
Views: 5709

Re: Access Mikrotik subnet from modem subnet [SOLVED]

Wouldn't it be easier to add a forward rule that accepts traffic from the modem addresses to the LAN ones before the "drop all not coming from LAN"? /ip firewall filter add action=accept chain=forward src-address=192.168.1.0/x dst-address=10.0.0.0/y where x and y are the respective subnet ...
by TheCat12
Sun May 05, 2024 12:15 pm
Forum: Beginner Basics
Topic: IPv6 routes not created
Replies: 8
Views: 1687

Re: IPv6 routes not created

A full config is needed here, so kindly post it here
by TheCat12
Sun May 05, 2024 12:08 pm
Forum: Beginner Basics
Topic: Access to Webfig/SSH from Mgmt VLAN
Replies: 1
Views: 572

Re: Access to Webfig/SSH from Mgmt VLAN

An exported config is highly advisable to be able to diagnose the problem

/export file=anynameyouwish (minus sensitive information)
by TheCat12
Sat May 04, 2024 11:48 pm
Forum: Beginner Basics
Topic: Isolate a public server host from LAN
Replies: 4
Views: 805

Re: Isolate a public server host from LAN

Could you export your config and post it here?

On the CLI:
/export file=anynameyouwish (minus sensitive information like serial number, public IP, passwords, etc.)
by TheCat12
Sat May 04, 2024 2:04 pm
Forum: Beginner Basics
Topic: Help Needed: Configuring VPN Access on MikroTik Router [SOLVED]
Replies: 4
Views: 12122

Re: Help Needed: Configuring VPN Access on MikroTik Router [SOLVED]

Ok, then I will give you an example config for L2TP because I'm not very familiar with OpenVPN. For the sake of simplicity I'll use y.y.y.y as VPN addresses: 1. Create a pool from which VPN addresses will be handed out 2. Add a custom profile in PPP/Profiles where you'll specify the VPN addresses 3....
by TheCat12
Sat May 04, 2024 1:32 pm
Forum: Beginner Basics
Topic: Help Needed: Configuring VPN Access on MikroTik Router [SOLVED]
Replies: 4
Views: 12122

Re: Help Needed: Configuring VPN Access on MikroTik Router [SOLVED]

Before suggesting any config whatsoever, have you made the necessary port forwardings on the upstream router which handles the public IP? By default OpenVPN runs on TCP 1194, whereas L2TP on UDP 500,1701,4500