Search found 197 matches

by TheCat12
Sun Jun 09, 2024 7:42 pm
Forum: Beginner Basics
Topic: How to connect PureVPN IKEV2 Server on Mikrotik router?
Replies: 7
Views: 3562

Re: How to connect PureVPN IKEV2 Server on Mikrotik router?

In their guide they have forgotten to mention that ports 500 UDP, 4500 UDP and IPsec-ESP should be opened: /ip firewall filter add action=accept chain=input protocol=udp dst-port=500,4500 add action=accept chain=input protocol=ipsec-esp Because I assume that wouldn't be the only problem, could you k...
by TheCat12
Sat May 11, 2024 9:40 pm
Forum: Beginner Basics
Topic: VLAN and limited inter-VLAN communications - where to start
Replies: 1
Views: 317

Re: VLAN and limited inter-VLAN communications - where to start

I.e. VLAN with separate DHCP for "smart home" and then some kind of special interVLAN firewall rules or it would be more advanced? Yes, exactly that would be needed but a network diagram is recommended to see which ports part of which VLAN should they be and also to understand whether DHC...
by TheCat12
Sat May 11, 2024 12:27 pm
Forum: Beginner Basics
Topic: Help needed in IPv6
Replies: 4
Views: 707

Re: Help needed in IPv6

I have a few questions beforehand: 1. Do you receive the /48 prefix statically or per DHCP? 2. From which port do you receive internet? 3. Are the devices behind the router in a bridge (maybe except port 2) or overall separate? The config so far exported and uploaded here would be a great help: /exp...
by TheCat12
Fri May 10, 2024 11:45 pm
Forum: Beginner Basics
Topic: Connect Mikrotik hAP ac² to pfSense end point [SOLVED]
Replies: 1
Views: 4288

Re: Connect Mikrotik hAP ac² to pfSense end point [SOLVED]

https://help.mikrotik.com/docs/display/ROS/OpenVPN

The easiest way to set up hAP ac² as a client would be IMO with a .ovpn file
by TheCat12
Wed May 08, 2024 2:50 pm
Forum: General
Topic: Access VPN from LAN
Replies: 2
Views: 288

Re: Access VPN from LAN

Could you export your config and post it here? /export file=anynameyouwish (minus sensitive information) P.S. If you don't have any firewall rules and you're directly connected to the Internet, unplug yourself immediately and implement at least the default firewall because this state is hazardous for...
by TheCat12
Wed May 08, 2024 2:35 pm
Forum: Beginner Basics
Topic: 2-VPN Server on one Mirkotik with 2 PUblic IP
Replies: 7
Views: 736

Re: 2-VPN Server on one Mirkotik with 2 PUblic IP

First you have to choose your poison (Wireguard, OVPN, IKEv2, L2TP...). In my opinion Wireguard would be the easiest to set up but I'll wait for your decision before suggesting anything
by TheCat12
Tue May 07, 2024 11:33 am
Forum: Beginner Basics
Topic: Question: SSIDs on different VLANs on LAN
Replies: 10
Views: 870

Re: Question: SSIDs on different VLANs on LAN

A network diagram would do magic because the language you use is a bit ambiguous. Also, an exported config is always good to have:

/export file=anynameyouwish
by TheCat12
Mon May 06, 2024 5:55 pm
Forum: General
Topic: Access Mikrotik subnet from modem subnet [SOLVED]
Replies: 18
Views: 4441

Re: Access Mikrotik subnet from modem subnet [SOLVED]

In that case an exported config would be needed because there could be something else blocking the connection:

/export file=anynameyouwish (minus sensitive information)
by TheCat12
Sun May 05, 2024 12:23 pm
Forum: General
Topic: Access Mikrotik subnet from modem subnet [SOLVED]
Replies: 18
Views: 4441

Re: Access Mikrotik subnet from modem subnet [SOLVED]

Wouldn't it be easier to add a forward rule that accepts traffic from the modem addresses to the LAN ones before the "drop all not coming from LAN"? /ip firewall filter add action=accept chain=forward src-address=192.168.1.0/x dst-address=10.0.0.0/y where x and y are the respective subnet ...
by TheCat12
Sun May 05, 2024 12:15 pm
Forum: Beginner Basics
Topic: IPv6 routes not created
Replies: 8
Views: 1250

Re: IPv6 routes not created

A full config is needed here, so kindly post it here
by TheCat12
Sun May 05, 2024 12:08 pm
Forum: Beginner Basics
Topic: Access to Webfig/SSH from Mgmt VLAN
Replies: 1
Views: 381

Re: Access to Webfig/SSH from Mgmt VLAN

An exported config is highly advisable to be able to diagnose the problem

/export file=anynameyouwish (minus sensitive information)
by TheCat12
Sat May 04, 2024 11:48 pm
Forum: Beginner Basics
Topic: Isolate a public server host from LAN
Replies: 4
Views: 653

Re: Isolate a public server host from LAN

Could you export your config and post it here?

On the CLI:
/export file=anynameyouwish (minus sensitive information like serial number, public IP, passwords, etc.)
by TheCat12
Sat May 04, 2024 2:04 pm
Forum: Beginner Basics
Topic: Help Needed: Configuring VPN Access on MikroTik Router [SOLVED]
Replies: 4
Views: 4140

Re: Help Needed: Configuring VPN Access on MikroTik Router [SOLVED]

Ok, then I will give you an example config for L2TP because I'm not very familiar with OpenVPN. For the sake of simplicity I'll use y.y.y.y as VPN addresses: 1. Create a pool from which VPN addresses will be handed out 2. Add a custom profile in PPP/Profiles where you'll specify the VPN addresses 3....
by TheCat12
Sat May 04, 2024 1:32 pm
Forum: Beginner Basics
Topic: Help Needed: Configuring VPN Access on MikroTik Router [SOLVED]
Replies: 4
Views: 4140

Re: Help Needed: Configuring VPN Access on MikroTik Router [SOLVED]

Before suggesting any config whatsoever, have you made the necessary port forwardings on the upstream router which handles the public IP? By default OpenVPN runs on TCP 1194, whereas L2TP on UDP 500,1701,4500
by TheCat12
Tue Apr 30, 2024 10:06 pm
Forum: Beginner Basics
Topic: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x
Replies: 6
Views: 609

Re: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x

Another example on why you shouldn't rely on OpenAI: As @tdw said, a NAT64 translator is needed in order to do that but it is not supported on ROS v7.x or any ROS version in that matter
by TheCat12
Mon Apr 29, 2024 2:05 pm
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1411

Re: VPN - device routing

Maybe it would be best if you exported your config and posted it here to see what is going on:

/export file=anynameyouwish (minus sensitive information)
by TheCat12
Sun Apr 28, 2024 12:24 pm
Forum: Beginner Basics
Topic: VPN - device routing
Replies: 16
Views: 1411

Re: VPN - device routing

If I understand correctly and the Wireguard addresses are from the 192.168.178.0/x subnet, then the following should be done: 1. Add a new routing table 2. Create a default route to WG gateway in that table 3. Add a routing rule to lookup traffic from 192.168.2.115 only in that table /routing table ...
by TheCat12
Sun Apr 28, 2024 12:07 pm
Forum: Beginner Basics
Topic: New to Mikrotik, help setting up
Replies: 1
Views: 353

Re: New to Mikrotik, help setting up

Could you export your current config and post it here?

/export file=anynameyouwish
by TheCat12
Sat Apr 27, 2024 6:19 pm
Forum: Beginner Basics
Topic: Vlan for Voice
Replies: 13
Views: 1274

Re: Vlan for Voice

I found problems in my config, but this time before deploying it, I would wait for a second opinion from @anav or @mkx: To the existing proposition for a VLAN config before enabling VLAN filtering add the following commands: /interface vlan add interface=bridge name=vlan30 vlan-id=30 /ip address add...
by TheCat12
Fri Apr 26, 2024 11:43 pm
Forum: Beginner Basics
Topic: Vlan for Voice
Replies: 13
Views: 1274

Re: Vlan for Voice

After a lot of headscratching, I think I've come up with a solution which won't lock you out of your router. If it happens anyway, please excuse me in advance. 1. Add SFP WAN and ether8 in the bridge and assign it the VLAN10 interface 2. Create a VLAN for the clients, for the management of the ONU a...
by TheCat12
Tue Apr 23, 2024 4:28 pm
Forum: Beginner Basics
Topic: Is my conf ok?
Replies: 4
Views: 439

Re: Is my conf ok?

As the wise @normis said - "There is no such thing as a stupid question", so don't expect to be bombarded by answers of the type you mentioned. As for your question, the default firewall of MikroTik is pretty decent and it functions really well as a default/starting config, I don't see any d...
by TheCat12
Sat Apr 20, 2024 9:50 am
Forum: General
Topic: RB5009 reboots after removing USB modem
Replies: 1
Views: 386

RB5009 reboots after removing USB modem

Good day, recently I bought an RB5009UG+S+IN, updated it to the latest stable version (v7.14.3) and tested out with it a D-Link DWM-157 USB modem. When I was done with the experiments, I unplugged the modem and suddenly lost connectivity to the router after which I realized it had rebooted itself. I...
by TheCat12
Thu Apr 18, 2024 9:09 pm
Forum: Beginner Basics
Topic: Problem with L2TP connection, partially works
Replies: 7
Views: 682

Re: Problem with L2TP connection, partially works

More exported config would be needed to be able to diagnose the problem, the full one best:

/export file=anynameyouwish
by TheCat12
Thu Apr 18, 2024 8:31 pm
Forum: General
Topic: Segregate ethernet/management port for just management
Replies: 4
Views: 408

Re: Segregate ethernet/management port for just management

You should connect from a different port than the ether1 or if you can't connect anymore, then you have successfully removed the port from the bridge and you just need to assign a static address on your computer to be able to connect and set up DHCP server, etc.
by TheCat12
Thu Apr 18, 2024 9:28 am
Forum: General
Topic: Segregate ethernet/management port for just management
Replies: 4
Views: 408

Re: Segregate ethernet/management port for just management

If you're on Winbox, you just select the port and click "-" (minus sign). On the CLI:
/interface bridge port remove [ find interface=[ find default-name=ether1 ] ]
by TheCat12
Wed Apr 17, 2024 8:27 pm
Forum: General
Topic: Static Route and NAT - Cannot reach server in R1 while reachable on outside and R2
Replies: 3
Views: 568

Re: Static Route and NAT - Cannot reach server in R1 while reachable on outside and R2

Is there masquerading/src-natting on R2? And how can a network address have a higher address than the first IP of the subnet?! (I'm referring to the /ip address entry for the VLAN on R1). Probably it's a misconfiguration
by TheCat12
Wed Apr 17, 2024 8:25 pm
Forum: General
Topic: ikev2 nearly working
Replies: 2
Views: 367

Re: ikev2 nearly working

Based on the exported config I can see that you haven't changed/added the server certificate for the identity
by TheCat12
Tue Apr 16, 2024 11:55 pm
Forum: Beginner Basics
Topic: Re-programming remote wAP LTE kit as wireless client
Replies: 2
Views: 417

Re: Re-programming remote wAP LTE kit as wireless client

I think I can conjure up some commands for AP with no default configuration but it'll be quite hard for the user to connect via WiFi because the interface is disabled when there's no default config: /ip address add address=192.168.88.1/24 network=192.168.88.0 interface=ether1 /ip pool add ranges=192...
by TheCat12
Tue Apr 16, 2024 7:40 am
Forum: General
Topic: How to access the Internet via an ipsec tunnel in another office [SOLVED]
Replies: 7
Views: 1715

Re: How to access the Internet via an ipsec tunnel in another office [SOLVED]

1) 1. Create a routing table 2. Add a default route to the IPIP address 3. Create a routing rule for the office computers to force their traffic through the tunnel: /routing table add fib name=through_IPIP /ip route add dst-address=0.0.0.0/0 gateway=172.22.22.1 routing-table=through_IPIP /routing ru...
by TheCat12
Mon Apr 15, 2024 11:36 pm
Forum: General
Topic: IPSEC Phase 2 not establishing [SOLVED]
Replies: 2
Views: 2334

Re: IPSEC Phase 2 not establishing [SOLVED]

The IPsec addresses should be from the same subnet assumingly analogous to the GRE tunnel
by TheCat12
Mon Apr 15, 2024 11:16 pm
Forum: General
Topic: How to access the Internet via an ipsec tunnel in another office [SOLVED]
Replies: 7
Views: 1715

Re: How to access the Internet via an ipsec tunnel in another office [SOLVED]

1) Yes, it's possible with the help of routing tables and routing rules
2) Would need a diagram to see what you mean by additional router
by TheCat12
Mon Apr 15, 2024 11:02 pm
Forum: Beginner Basics
Topic: VLAN not working at TPlink switch [SOLVED]
Replies: 4
Views: 2427

Re: VLAN not working at TPlink switch [SOLVED]

We would need some more information - an exported config, should the port act as a trunk or an access one, is the TP-Link configured to untag VLAN traffic provided the MikroTik port is a trunk port, etc.
by TheCat12
Sat Apr 13, 2024 8:31 pm
Forum: Beginner Basics
Topic: Connect List with new wifi configuration
Replies: 1
Views: 594

Re: Connect List with new wifi configuration

The equivalent to the connect-lists would be the access list
by TheCat12
Sat Apr 13, 2024 9:38 am
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 3254

Re: WAN failover - routes flapping [SOLVED]

Also I found a possible solution here: https://forum.mikrotik.com/viewtopic.php?f=2&t=136969&p=674653#p674653 So overall following changes should be made: /interface list set [ find name=VLAN ] name=all_LANs /interface list member add list=all_LANs interface=bridge1 /ip firewall address-list...
by TheCat12
Sat Apr 13, 2024 8:55 am
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 3254

Re: WAN failover - routes flapping [SOLVED]

Hi, there are some tweaks that I made in the config but don't see on the current. They were the following: 1. Using in-interface-list=VLAN instead of in-interface=bridge1 2. Adding another route in the main table for WAN2 with distance=2 /ip firewall mangle set [ find in-interface=bridge1] in-interf...
by TheCat12
Fri Apr 12, 2024 11:58 pm
Forum: General
Topic: Not able to access Mikrotik once the IKEv2 is established
Replies: 2
Views: 519

Re: Not able to access Mikrotik once the IKEv2 is established

Could you elaborate from where you can't access the MikroTik via IP - from the server side or from the LAN? How is the address of the Windows server shared - via IPIP, GRE, etc. or how? A full exported config would be best
by TheCat12
Fri Apr 12, 2024 10:06 pm
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 3254

Re: WAN failover - routes flapping [SOLVED]

Hi, thank you for informing me about your VLAN setup. Now I can give you some suggestions regarding it and the mangle situation. Hopefully it won't be a big fuss if I introduce a new VLAN in place of VLAN1 for easier management. /interface vlan add interface=bridge1 name=vlan10_StaffMGMT vlan-id=10 ...
by TheCat12
Fri Apr 12, 2024 8:43 pm
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 3254

Re: WAN failover - routes flapping [SOLVED]

Now that you mention it, there is also something wrong with the VLAN configuration. Could you make a network diagram with the VLANs included or at least tell me which ports are access ones (if there are such) and which are trunk?
by TheCat12
Fri Apr 12, 2024 8:31 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1237

Re: forwarding incoming UPD traffic addressed to the router itself

At this point I'll suggest the following combination: /ip firewall filter add action=accept chain=forward src-address=10.0.10.1 dst-address=10.0.40.10 protocol=udp dst-port=1234 connection-nat-state=dstnat /ip firewall nat add action=dst-nat chain=dstnat dst-address=10.0.10.1 dst-port=1234 protocol=...
by TheCat12
Fri Apr 12, 2024 6:08 pm
Forum: General
Topic: Issues with inter vlan routing
Replies: 2
Views: 440

Re: Issues with inter vlan routing

Also the out-interface-list should be also set to VLAN:
/ip firewall filter
add action=accept chain=forward comment="VLAN inter-VLAN routing" in-interface-list=VLAN out-interface-list=VLAN log=yes
by TheCat12
Fri Apr 12, 2024 5:48 pm
Forum: General
Topic: Block client MAC only on 2nd Wifi AP
Replies: 4
Views: 453

Re: Block client MAC only on 2nd Wifi AP

Yes, it could be done also like that but you'll have to set up the limit most probably based on trial and error
by TheCat12
Fri Apr 12, 2024 5:39 pm
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 3254

Re: WAN failover - routes flapping [SOLVED]

There are some missing and incorrectly configured rules. I'll post them edited and in the correct order after which I will explain the changes: /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 new-connection-mark=viaWAN1 passthrough=yes add ac...
by TheCat12
Fri Apr 12, 2024 3:47 pm
Forum: Beginner Basics
Topic: Src NAT from Router LAN IP address to WAN IP adress
Replies: 8
Views: 690

Re: Src NAT from Router LAN IP address to WAN IP adress

The task isn't as easy as it seems because there is one LAN subnet and two gateways - DHCP clients use one and statically assigned another. It would be easier if there were actually two subnets but no. That's why I used so many mangle rules and an address list (luckily the devices behind the second ...
by TheCat12
Fri Apr 12, 2024 3:24 pm
Forum: Beginner Basics
Topic: Src NAT from Router LAN IP address to WAN IP adress
Replies: 8
Views: 690

Re: Src NAT from Router LAN IP address to WAN IP adress

I think that the splitting between the two WANs won't be possible only with the help of NAT - routing tables and in your case mangle rules are also necessary: /ip firewall address-list add list=through_WAN2 address=10.0.0.2 add list=through_WAN2 address=10.0.0.11 add list=through_WAN2 address=10.0.0...
by TheCat12
Thu Apr 11, 2024 10:46 pm
Forum: Beginner Basics
Topic: Mikrotik documentation
Replies: 10
Views: 834

Re: Mikrotik documentation

Apart from that, I have a side question - why is the HA Case Studies section blank? It used to have useful information about WAN failover, firewall marking, etc.
by TheCat12
Thu Apr 11, 2024 10:42 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 1237

Re: forwarding incoming UPD traffic addressed to the router itself

The address of the router in the 10.0.40.0 range matters a lot because it acts as a gateway. That's why I would divide your NAT rule into two parts: dst-nat to the gateway and dst-nat from the gateway to the client: /ip firewall nat add action=dst-nat chain=dstnat dst-address=10.0.10.1 protocol=udp ...
by TheCat12
Thu Apr 11, 2024 5:24 pm
Forum: Beginner Basics
Topic: Multiple WIFI
Replies: 3
Views: 584

Re: Multiple WIFI

VLAN would be easier for isolating the networks. I'll post an example config and further explain the steps: /interface dhcp-client add interface=wifi1 /interface list add name=WAN add name=VLAN /interface bridge add name=bridge /interface bridge port add bridge=bridge interface=ether1 pvid=10 add br...
by TheCat12
Wed Apr 10, 2024 9:46 pm
Forum: General
Topic: Block client MAC only on 2nd Wifi AP
Replies: 4
Views: 453

Re: Block client MAC only on 2nd Wifi AP

Depends on which wireless package respectively menu you are using. If it's the Wireless menu, it can be done through the connect list: /interface wireless connect-list add interface="wifi_interface" connect=no mac-address="mac_address" If the WiFi interfaces are in the Wifiwave2 ...
by TheCat12
Wed Apr 10, 2024 8:15 pm
Forum: Beginner Basics
Topic: Map lite as universal travel router
Replies: 12
Views: 841

Re: Map lite as universal travel router

I was going to suggest that but just wanted to check the overall configuration beforehand
by TheCat12
Wed Apr 10, 2024 7:44 pm
Forum: General
Topic: Trouble connecting Android phone to MikroTik IKEv2 VPN server: Need assistance with log analysis
Replies: 4
Views: 554

Re: Trouble connecting Android phone to MikroTik IKEv2 VPN server: Need assistance with log analysis

Looking at the debug there's something wrong with the identity of the road warrior. Could you also export your config to tell where exactly the problem is?

/export file=anynameyouwish
by TheCat12
Wed Apr 10, 2024 7:32 pm
Forum: Beginner Basics
Topic: Map lite as universal travel router
Replies: 12
Views: 841

Re: Map lite as universal travel router

Could you provide an exported config?

/export file=anynameyouwish
by TheCat12
Tue Apr 09, 2024 7:40 pm
Forum: Beginner Basics
Topic: CSS106-1G-4P-1S vlans to a Unifi switch..
Replies: 1
Views: 304

Re: CSS106-1G-4P-1S vlans to a Unifi switch..

I believe that you've posted in the wrong part of the forum (https://forum.mikrotik.com/viewforum.php?f=17) but I can still tell you that everything is as it should be. Only one note that I found in the docs and I'll quote: With SwOS version 2.13, it is recommended to set VLAN Receive to  any  on tr...
by TheCat12
Tue Apr 09, 2024 7:07 pm
Forum: Beginner Basics
Topic: Multiple WIFI
Replies: 3
Views: 584

Re: Multiple WIFI

Could you export your working config and post it here?

export file=anynameyouwish (minus sensitive information)
by TheCat12
Tue Apr 09, 2024 1:26 pm
Forum: Beginner Basics
Topic: Access mikrotik management on other port then eth1
Replies: 5
Views: 607

Re: Access mikrotik management on other port then eth1

I just saw that the WAN subnet and the VLAN subnet are two different ones. So the setup wouldn't be as hard as I thought it would be. I will assume ether1 would be access port for VLAN13 and ether2, 3 and 4 for VLAN12. Firstly, you will remove all bridge port entries because there is no existing bri...
by TheCat12
Mon Apr 08, 2024 12:51 pm
Forum: Beginner Basics
Topic: NEWB - NAT configuration via sfp-sfpplus1 but traffic going through ether1
Replies: 4
Views: 513

Re: NEWB - NAT configuration via sfp-sfpplus1 but traffic going through ether1

The purpose of the bridge is to allow hardware offloading (i.e. not overloading your CPU) for VLAN tagging/untagging. Typically bridges are used to link two or more physical interfaces as if they were attached to a single LAN. In our case it consists of only one ethernet port due to it being the only ...
by TheCat12
Sun Apr 07, 2024 8:27 pm
Forum: Beginner Basics
Topic: NEWB - NAT configuration via sfp-sfpplus1 but traffic going through ether1
Replies: 4
Views: 513

Re: NEWB - NAT configuration via sfp-sfpplus1 but traffic going through ether1

To enable VLAN254 on ether1 and thus isolate it from the rest of the network, you should remove it from the interface list, add it to a bridge of its own, set up and enable bridge VLAN filtering, optionally add a DHCP server and set the firewall rules to work for the VLAN instead of ether1: /interf...
by TheCat12
Sun Apr 07, 2024 2:06 pm
Forum: Beginner Basics
Topic: Separate Wi-Fi for secondary ISP [SOLVED]
Replies: 2
Views: 2298

Re: Separate Wi-Fi for secondary ISP [SOLVED]

For the wifi you could keep the subnet and wifi and use, as suggested by @Anav, routing rules by creating a routing table, adding a default route and adding the rule: /routing table add fib name=to_LTE /ip route add dst-address=0.0.0.0/0 gateway=lte1_digi@main routing-table=to_LTE /routing rule add ...
by TheCat12
Sat Apr 06, 2024 10:58 pm
Forum: Beginner Basics
Topic: VLAN-DHCP-Server on Ethernet Interface
Replies: 2
Views: 380

Re: VLAN-DHCP-Server on Ethernet Interface

If you want ether5 to be access port for VLAN400, better practice would be to a. add it to the bridge and set a pvid of 400 for it b. set the interface, on which VLAN400 is running, to be the bridge and remove use service tag c. use bridge VLAN table Config: /interface vlan set [ find name=vlan400 ]...
by TheCat12
Sat Apr 06, 2024 10:42 pm
Forum: Beginner Basics
Topic: Access mikrotik management on other port then eth1
Replies: 5
Views: 607

Re: Access mikrotik management on other port then eth1

Could you export the config of the CRS310 and post it here?

export file=anynameyouwish
by TheCat12
Sat Apr 06, 2024 1:07 pm
Forum: Beginner Basics
Topic: Change IP addresses and gateway in wireless wire
Replies: 1
Views: 367

Re: Change IP addresses and gateway in wireless wire

Could you elaborate which IP address and gateway you want to change? Of the WAN interface perhaps (assuming, based on the fact that you want to receive updates)? Is the WAN IP dynamic or static? An exported configuration posted here is also advisable: export file=anynameyouwish (minus sensitive information ...
by TheCat12
Sat Apr 06, 2024 11:44 am
Forum: General
Topic: Communication between multiple subnets
Replies: 5
Views: 418

Re: Communication between multiple subnets

How about adding a walled garden rule:
/ip hotspot walled-garden ip add action=accept server="ether3_server" src-address=192.168.65.0/24
by TheCat12
Sat Apr 06, 2024 8:52 am
Forum: Beginner Basics
Topic: Changing from bridge to router mode via Command Line?
Replies: 3
Views: 441

Re: Changing from bridge to router mode via Command Line?

I don't think it's possible to switch between Router and Bridge mode or do whatever Quickset configuration on the CLI because, as the name suggests, it is a menu to set up a configuration quickly and easily. What Router mode essentially does is that it removes ether1 from the bridge and adds masquerad...
by TheCat12
Sat Apr 06, 2024 8:41 am
Forum: General
Topic: 1x RB5009 + 3x hAP ax^3 - Hotspot VLAN Radius Help
Replies: 9
Views: 1348

Re: 1x RB5009 + 3x hAP ax^3 - Hotspot VLAN Radius Help

:( While we wait to be joined by @mkx or @Anav, it would be wise to blend out some sensitive information such as serial number, Wireguard keys, etc.
by TheCat12
Fri Apr 05, 2024 7:55 pm
Forum: General
Topic: Communication between multiple subnets
Replies: 5
Views: 418

Re: Communication between multiple subnets

Most probably yes. If not, an IP binding on the ether3 server should do the trick
by TheCat12
Fri Apr 05, 2024 7:33 pm
Forum: Beginner Basics
Topic: How to block subnet to subnet access
Replies: 10
Views: 1095

Re: How to block subnet to subnet access

For a full isolation of the subnets you should have two drop forward rules:
/ip firewall filter
add chain=forward action=drop src-address=192.168.0.0/24 dst-address=10.0.0.0/24
add chain=forward action=drop src-address=10.0.0.0/24 dst-address=192.168.0.0/24
by TheCat12
Fri Apr 05, 2024 4:53 pm
Forum: General
Topic: Communication between multiple subnets
Replies: 5
Views: 418

Re: Communication between multiple subnets

I think that the L2TP should in theory be able to access all subnets if there aren't any drop firewall rules. For the connection between ether3 and ether2:
/ip firewall filter add action=accept chain=forward src-address=192.168.65.0/24 dst-address=192.168.70.0/24
by TheCat12
Fri Apr 05, 2024 10:53 am
Forum: General
Topic: Wireguard and, I think, DNS
Replies: 13
Views: 903

Re: Wireguard and, I think, DNS

Why not use a universal one - 8.8.8.8 :) Based on the symptoms I also think it's the DNS
by TheCat12
Fri Apr 05, 2024 10:47 am
Forum: Beginner Basics
Topic: Private DNS behind NAT and Back to Home VPN
Replies: 7
Views: 510

Re: Private DNS behind NAT and Back to Home VPN

I assume there is a conflict between the Private DNS you've set up and the one in the BTH settings because both point to the server (one through WAN and one through the WG subnet) and when you connect to BTH, it is as if you're on the LAN level so one connection to WAN and one to LAN would result in...
by TheCat12
Fri Apr 05, 2024 10:26 am
Forum: Beginner Basics
Topic: Private DNS behind NAT and Back to Home VPN
Replies: 7
Views: 510

Re: Private DNS behind NAT and Back to Home VPN

Yes, it makes a lot of sense and in your case it's the correct way. After all it says it's optional :)
by TheCat12
Fri Apr 05, 2024 10:20 am
Forum: Beginner Basics
Topic: Private DNS behind NAT and Back to Home VPN
Replies: 7
Views: 510

Re: Private DNS behind NAT and Back to Home VPN

Then try and add the DNS server in the BTH App config:

Create/Select Tunnel -> ⋮ -> DNS Server
by TheCat12
Fri Apr 05, 2024 9:57 am
Forum: Beginner Basics
Topic: How to block subnet to subnet access
Replies: 10
Views: 1095

Re: How to block router console login from user subnet ONLY

Try the following command:
/ip firewall filter add action=drop chain=input src-address=192.168.0.0/24 protocol=tcp dst-port=22
That will block SSH for the subnet
by TheCat12
Fri Apr 05, 2024 9:52 am
Forum: Beginner Basics
Topic: Private DNS behind NAT and Back to Home VPN
Replies: 7
Views: 510

Re: Private DNS behind NAT and Back to Home VPN

Does at least one of the address lists contain the BTH subnet address? If not, add it
by TheCat12
Fri Apr 05, 2024 9:48 am
Forum: Beginner Basics
Topic: Can't enable l2tp, flagged configuration, can't change device-mode
Replies: 4
Views: 683

Re: Can't enable l2tp, flagged configuration, can't change device-mode

Perhaps try once again to leave the flagged state, and if it has been turned on again, check whether there are any disabled rules, interfaces, etc.
by TheCat12
Fri Apr 05, 2024 9:43 am
Forum: General
Topic: 1x RB5009 + 3x hAP ax^3 - Hotspot VLAN Radius Help
Replies: 9
Views: 1348

Re: 1x RB5009 + 3x hAP ax^3 - Hotspot VLAN Radius Help

The only "issue" I see is that you've set up pvids for the wifis in /interface bridge port on the hAP ax^3 given it's not necessary because you've already done it by specifying VLAN IDs in the wifi datapaths. Maybe there's something else problematic which I can't see or am overlooking, so ...
by TheCat12
Thu Apr 04, 2024 10:34 pm
Forum: Beginner Basics
Topic: 7.14.2 Port Forwarding [SOLVED]
Replies: 9
Views: 2660

Re: 7.14.2 Port Forwarding [SOLVED]

Based on the fact that you have a static public IP you can use it in the NAT rules instead of in-interface-list=WAN: /ip firewall nat add action=dst-nat chain=dstnat comment=Test dst-port=9999 dst-address=192.168.1.1 protocol=tcp to-addresses=192.168.0.170 to-ports=9999 But frankly I don't see any p...
by TheCat12
Thu Apr 04, 2024 10:23 pm
Forum: Beginner Basics
Topic: Can't enable l2tp, flagged configuration, can't change device-mode
Replies: 4
Views: 683

Re: Can't enable l2tp, flagged configuration, can't change device-mode

Something has probably triggered the flagged state and that's why the parameter has been set again to yes. Check for any disabled configuration and review it, after which exit the flagged state with the command you used before
by TheCat12
Thu Apr 04, 2024 10:07 pm
Forum: Beginner Basics
Topic: Virtualized VLANs (for Proxmox) [SOLVED]
Replies: 7
Views: 2854

Re: Virtualized VLANs (for Proxmox) [SOLVED]

Could you post a diagram of some sort because your configuration is a bit confusing
by TheCat12
Thu Apr 04, 2024 9:17 pm
Forum: Beginner Basics
Topic: Vpn ikev2 issue after deleting dns certificate [SOLVED]
Replies: 5
Views: 2350

Re: Vpn ikev2 issue after deleting dns certificate [SOLVED]

Just as I expected - you need to specify the dns certificate anew for every identity:
/ip ipsec identity
set [find peer=IKEv2] certificate="dns_certificate"
by TheCat12
Thu Apr 04, 2024 7:41 pm
Forum: Beginner Basics
Topic: Turn off Neighbor discovery
Replies: 5
Views: 2451

Re: Turn off Neighbor discovery

I'd suggest creating an empty interface list and specifying it as the discover-interface-list in /ip/neighbor/discovery-settings
by TheCat12
Thu Apr 04, 2024 7:28 pm
Forum: Beginner Basics
Topic: Vpn ikev2 issue after deleting dns certificate [SOLVED]
Replies: 5
Views: 2350

Re: Vpn ikev2 issue after deleting dns certificate [SOLVED]

I presume the problem would be in IPsec/Identities and that you have to specify the server certificate anew for the different identities but just to be sure could you export your config?
by TheCat12
Wed Apr 03, 2024 11:34 pm
Forum: General
Topic: 1x RB5009 + 3x hAP ax^3 - Hotspot VLAN Radius Help
Replies: 9
Views: 1348

Re: 1x RB5009 + 3x hAP ax^3 - Hotspot VLAN Radius Help

To start off could you kindly attach a network diagram (is there an external radius server, vlans, etc.)?
by TheCat12
Wed Apr 03, 2024 11:18 pm
Forum: Beginner Basics
Topic: I need to access remotely to my DVR cctv
Replies: 2
Views: 568

Re: I need to access remotely to my DVR cctv

The connection between the routers will happen with the help of a site-to-site VPN (Wireguard, IPsec...). Does HQ have a public IP?
by TheCat12
Mon Apr 01, 2024 12:32 pm
Forum: General
Topic: [ask] how to check mac address on vlan
Replies: 4
Views: 389

Re: [ask] how to check mac address on vlan

Torch the interface on which VLAN is running:

https://help.mikrotik.com/docs/display/ROS/Torch
by TheCat12
Mon Apr 01, 2024 12:30 pm
Forum: Beginner Basics
Topic: ROS7 - Vlan multicasting [SOLVED]
Replies: 3
Views: 2320

Re: ROS7 - Vlan multicasting [SOLVED]

Have you tried the following config: /routing igmp-proxy interface add interface=VLAN100 upstream=yes add interface=VLAN200 /ip firewall filter add action=accept chain=forward in-interface=VLAN100 out-interface=VLAN200 I'm not pretty sure myself if it'll work because I myself am not very familiar wi...
by TheCat12
Fri Mar 29, 2024 8:43 pm
Forum: Beginner Basics
Topic: Using a CRS326 as router (FTTH)
Replies: 4
Views: 476

Re: Using a CRS326 as router (FTTH)

I think your masquerade rule and mangle rule #3 aren't working as intended (they're flagged as invalid). On the masquerading rule try to remove src-address-list and for the mangle rule I'm not quite sure (maybe you've put too big of a mss or the rule isn't needed)
by TheCat12
Fri Mar 29, 2024 8:35 pm
Forum: Beginner Basics
Topic: Need help setting up my RBSXTR-LTE.
Replies: 7
Views: 791

Re: Need help setting up my RBSXTR-LTE.

Could you kindly export your configuration here?

/export file=anynameyouwish
by TheCat12
Fri Mar 29, 2024 5:18 pm
Forum: General
Topic: Configure multiple DHCP Server on each ethernet port [SOLVED]
Replies: 8
Views: 1164

Re: Configure multiple DHCP Server on each ethernet port [SOLVED]

Also, most probably the bridge filter rules weren't working due to the setting "Use Firewall IP" being turned on
by TheCat12
Fri Mar 29, 2024 5:06 pm
Forum: General
Topic: Configure multiple DHCP Server on each ethernet port [SOLVED]
Replies: 8
Views: 1164

Re: Configure multiple DHCP Server on each ethernet port [SOLVED]

FYI, I've made some changes to the config (removed typos and misconfigurations) so please double-check before you apply the settings
by TheCat12
Thu Mar 28, 2024 10:38 pm
Forum: General
Topic: HowTo configure WireGuard in same subnet?
Replies: 3
Views: 608

Re: HowTo configure WireGuard in same subnet?

As stated in the topic it should be possible in theory if you allocate addresses from the subnet, i.e. create a new subnet which is part of the original one. For instance: /ip address add address=10.0.X.1/24 network=10.0.X.0 interface="wireguard_interface" /interface wireguard peer add all...
by TheCat12
Thu Mar 28, 2024 10:28 pm
Forum: Beginner Basics
Topic: VLAN'ising an existing configuration without disrupting service
Replies: 23
Views: 1446

Re: VLAN'ising an existing configuration without disrupting service

Precisely. Without at least knowing the port to which the cAP ac is connected, our hands are tied.
by TheCat12
Thu Mar 28, 2024 10:21 pm
Forum: General
Topic: Basic VLAN configuration is not working - new driver wave 2
Replies: 6
Views: 403

Re: Basic VLAN configuration is not working - new driver wave 2

All of the questions of @anav are valid and I would be curious for their answers but one of the problems I see is that you haven't added the bridge as a tagged interface in the bridge VLAN table on the RB750r2
by TheCat12
Thu Mar 28, 2024 9:54 pm
Forum: Beginner Basics
Topic: VLAN'ising an existing configuration without disrupting service
Replies: 23
Views: 1446

Re: VLAN'ising an existing configuration without disrupting service

Could you look in IP/Neighbors and tell me on which interface the cAP ac is discovered? Also an exported config would be nice:

export file=anynameyouwish
by TheCat12
Thu Mar 28, 2024 8:59 pm
Forum: Beginner Basics
Topic: VLAN'ising an existing configuration without disrupting service
Replies: 23
Views: 1446

Re: VLAN'ising an existing configuration without disrupting service

That's why I suggested you using subtitles (forgot to mention with the option "Auto-translate" :) )
by TheCat12
Thu Mar 28, 2024 10:44 am
Forum: General
Topic: Configure multiple DHCP Server on each ethernet port [SOLVED]
Replies: 8
Views: 1164

Re: Configure multiple DHCP Server on each ethernet port [SOLVED]

Looking at the intricacy of the network diagram I still find it better and easier for management to use VLAN because if you use multiple bridges you'll have to think of numerous scenarios and thus firewall rules. Looking at the true network diagram I'll repost an edited for your needs config provid...
by TheCat12
Thu Mar 28, 2024 10:04 am
Forum: Beginner Basics
Topic: S2S problem
Replies: 4
Views: 908

Re: S2S problem

An exported config would be a good start:

export file=anynameyouwish
by TheCat12
Wed Mar 27, 2024 10:18 pm
Forum: Beginner Basics
Topic: VLAN'ising an existing configuration without disrupting service
Replies: 23
Views: 1446

Re: VLAN'ising an existing configuration without disrupting service

"Port" is the physical interface on which the cAP is connected and "out of the business" means not to be involved in the VLAN configuration. Also, I highly recommend you watch this video with subtitles to be able to fully grasp the concept: https://youtu.be/IUu_5wODp44?si=R_qJhYhI...
by TheCat12
Wed Mar 27, 2024 9:53 pm
Forum: Beginner Basics
Topic: Re: VLAN On Main Router + 2 HAP
Replies: 11
Views: 1113

Re: VLAN On Main Router + 2 HAP

Sorry for the late response but a better practice would be a management VLAN as you tried to do it the first time. I'll repost a full and refurbished variant of my config to include a MGMT VLAN where ether8 on the RB5009 and ether2 on the lower hAP would be access ports for it: /interface bridge por...
by TheCat12
Wed Mar 27, 2024 8:56 pm
Forum: Beginner Basics
Topic: VLAN'ising an existing configuration without disrupting service
Replies: 23
Views: 1446

Re: VLAN'ising an existing configuration without disrupting service

A network diagram would be really helpful to see which ports should be configured as access ones and which should stay out of the business
by TheCat12
Wed Mar 27, 2024 8:49 pm
Forum: Beginner Basics
Topic: Try changing the bridge topology because it is prone to looping
Replies: 4
Views: 559

Re: Try changing the bridge topology because it is prone to looping

Allowing communication between the different subnets on each Ethernet port would be the easiest part and can be done using the forward chain and action=accept. Example rule to allow communication between 10.20.0.0/16 and 10.30.0.0/16: /ip firewall filter add action=accept chain=forward src-address=10.20...
by TheCat12
Wed Mar 27, 2024 3:31 pm
Forum: Beginner Basics
Topic: Vlan Client, MGMT - main router, transmitter, receiver with internet connection [SOLVED]
Replies: 3
Views: 2635

Re: Vlan Client, MGMT - main router, transmitter, receiver with internet connection [SOLVED]

Nice new setup you've got there :) Anyhow, I would use on the RB750GL Switch VLAN so you don't load the CPU and do the following steps: 1. Add a bridge for the VLAN 2. Add the ether1 port on the bridge 3. Create VLAN interfaces for the Layer3 routing that is running on the bridge 4. Set addresses fo...
by TheCat12
Wed Mar 27, 2024 8:20 am
Forum: Beginner Basics
Topic: Issue with multiple SSID / LAN
Replies: 5
Views: 657

Re: Issue with multiple SSID / LAN

Also remove detect-interface if you don't need it. It is known among the community to not work properly. And I don't see any "MOOX - MAIN" and "MOOX - IOT DEVICES" configurations which are set in the provisioning.
by TheCat12
Wed Mar 27, 2024 8:16 am
Forum: Beginner Basics
Topic: RB1200 initial setup advice needed
Replies: 17
Views: 1012

Re: RB1200 initial setup advice needed

Maybe they didn't find a solution because it is a discontinued product, and probably that's the explanation why it is such.
by TheCat12
Tue Mar 26, 2024 9:35 pm
Forum: General
Topic: Mikrotik router configuration to assign a public IP from VPS service in case of fiber connection interruption
Replies: 1
Views: 412

Re: Mikrotik router configuration to assign a public IP from VPS service in case of fiber connection interruption

Maybe the simplest method would be to directly assign a /32 address of your choosing from the public ones to the Router A facing interface with Proxy ARP
by TheCat12
Tue Mar 26, 2024 8:55 pm
Forum: General
Topic: Issue with GRE/Ipsec behind nat
Replies: 2
Views: 673

Re: Issue with GRE/Ipsec behind nat

The improperly configured local address could also be the main problem - local address should be the IPsec IP address of the server/client (depending on which device you're doing the configuration) and the remote address should be the IPsec IP address of the second device: https://help.mikrotik.com/...
by TheCat12
Tue Mar 26, 2024 8:43 pm
Forum: Beginner Basics
Topic: Issue with multiple SSID / LAN
Replies: 5
Views: 657

Re: Issue with multiple SSID / LAN

To be honest I don't see any ports/interfaces set on the IoT bridge and that would explain why they share the same pool - because they're in the same bridge
by TheCat12
Tue Mar 26, 2024 8:35 pm
Forum: Beginner Basics
Topic: RB1200 initial setup advice needed
Replies: 17
Views: 1012

Re: RB1200 initial setup advice needed

Perhaps masquerade is missing or not properly configured or, if you are using the default rule, either remove out-interface=WAN or add ether8 to the WAN interface list.
by TheCat12
Tue Mar 26, 2024 8:30 pm
Forum: Beginner Basics
Topic: Try changing the bridge topology because it is prone to looping
Replies: 4
Views: 559

Re: Try changing the bridge topology because it is prone to looping

Have you tried running a DHCP server for each subnet and adding firewall rules to allow communication between the subnets?
by TheCat12
Sat Mar 23, 2024 9:58 pm
Forum: General
Topic: Configure multiple DHCP Server on each ethernet port [SOLVED]
Replies: 8
Views: 1164

Re: Configure multiple DHCP Server on each ethernet port [SOLVED]

Maybe it'll be good from my side too to explain what configuration I've suggested. Based on the fact that you want four different isolated subnets I have given you an example configuration on how to set up VLANs for each different network where VLAN 99 will act as a management network (hence the name...
by TheCat12
Sat Mar 23, 2024 8:18 pm
Forum: General
Topic: Configure multiple DHCP Server on each ethernet port [SOLVED]
Replies: 8
Views: 1164

Re: Configure multiple DHCP Server on each ethernet port [SOLVED]

I also think it's better to use VLAN for better isolation between the subnets. A pro of it would be that you could use different VLANs on the different Wi-Fis and one or two could be configured for management purposes. Example config on how to set up Bridge VLAN (for ROS 7.1 and higher) on the hEX S...
by TheCat12
Thu Mar 21, 2024 7:44 pm
Forum: Beginner Basics
Topic: Re: VLAN On Main Router + 2 HAP
Replies: 11
Views: 1113

Re: VLAN On Main Router + 2 HAP

Firstly, there is no need for L3 VLAN configuration (no interface vlan, dhcp-client, etc.) on the hAP ac^2 unless one of the VLANs is a management one. Secondly, I don't see any bridge at all on the hAP (unless it's not shown in the config). Another problem I notice is that the ports on the RB5009 wh...
by TheCat12
Thu Mar 21, 2024 9:54 am
Forum: General
Topic: Separate wireless networks, bridged to wired interface
Replies: 8
Views: 955

Re: Separate wireless networks, bridged to wired interface

Because I'm not very good with CAPsMAN, try to check the CAPsMAN part of the configuration with this video:

https://youtu.be/LLuGby1ecVM?si=hIP3F9kLDmGa0XxR

Hopefully it's helpful
by TheCat12
Wed Mar 20, 2024 10:54 pm
Forum: General
Topic: Failover Scare
Replies: 3
Views: 443

Re: Failover Scare

Just one question: why haven't you done the failover with the help of recursive routing? It's much more reliable in my opinion: /ip route set 0 gateway=1.1.1.1 check-gateway=ping scope=11 set 2 scope=10 set 3 scope=10 set 4 gateway=1.0.0.1 check-gateway=ping distance=2 scope=11 And if it's a failove...
by TheCat12
Wed Mar 20, 2024 10:34 pm
Forum: Beginner Basics
Topic: LAN doesn't have internet after changing ISP
Replies: 3
Views: 488

Re: LAN doesn't have internet after changing ISP

Could you export your config and post it here? I presume it may be NAT masquerading, but nevertheless
export file=anynameyouwish
by TheCat12
Mon Mar 18, 2024 4:30 pm
Forum: Beginner Basics
Topic: Set-up Mikrotik as router only, with multiple FW's behind it
Replies: 7
Views: 1111

Re: Set-up Mikrotik as router only, with multiple FW's behind it

Glad I could help! Hopefully the topic author finds it also useful
by TheCat12
Sun Mar 17, 2024 10:47 pm
Forum: Beginner Basics
Topic: Set-up Mikrotik as router only, with multiple FW's behind it
Replies: 7
Views: 1111

Re: Set-up Mikrotik as router only, with multiple FW's behind it

I think I now understand your request and I also think that assigning the same address you receive via the PPPoE to a bridge between the two ports and adding static addresses to the devices afterwards would do the trick. Reference topic:

viewtopic.php?t=178654
by TheCat12
Sun Mar 17, 2024 10:32 am
Forum: Beginner Basics
Topic: Set-up Mikrotik as router only, with multiple FW's behind it
Replies: 7
Views: 1111

Re: Set-up Mikrotik as router only, with multiple FW's behind it

Could one of you please provide a network diagram so I can wrap my head around your problem?
by TheCat12
Sat Mar 16, 2024 6:30 pm
Forum: Beginner Basics
Topic: management - topology [SOLVED]
Replies: 2
Views: 3913

Re: management - topology [SOLVED]

1. /ip firewall filter add action=accept chain=input protocol=tcp dst-port=8291 src-mac-address=xx:xx:xx:xx:xx:xx 2. & 4. /ip firewall filter add action=drop chain=forward src-address=10.27.0.16 dst-address-list=!Allowed /ip firewall address-list add address=10.27.0.30 list=Allowed add address=1...
by TheCat12
Sat Mar 16, 2024 5:12 pm
Forum: General
Topic: Enable Protected Routerboard on a mass of devices
Replies: 3
Views: 653

Re: Enable Protected Routerboard on a mass of devices

Maybe try to downgrade all of the routers to v6 so that there is no need to press the button for enabling protected-routerboard, and after that upgrade them again to whatever version they were originally on?
by TheCat12
Sat Mar 16, 2024 1:18 pm
Forum: Beginner Basics
Topic: Using a wireguard VPN, access servers that are in a vlan.
Replies: 4
Views: 1062

Re: Using a wireguard VPN, access servers that are in a vlan.

I have a suggestion, after which I will leave you alone delving into vlans. Presuming that you've set as allowed addresses on the CHR the Wireguard VPN pool on the hAP ax^3, I would add a firewall rule which allows traffic between it and the servers vlan: /ip firewall filter add action=accept chain=...
by TheCat12
Wed Mar 13, 2024 10:16 pm
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 2224

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

There is a possibility to set up port knocking and know which user is sitting behind the computer - you can use different port combinations for the port knocking and use the src-address selector in the firewall rules so that the port knocking sequence only applies to the exact user. When you don't wa...
by TheCat12
Tue Mar 12, 2024 9:01 pm
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 2224

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

Joining the collective brainstorming: I tried adding the same subnet to both a Wireguard interface and a loopback bridge but to no avail. If all of this setup doesn't go anywhere, I'd recommend setting up port knocking for access to the company network and thus adding the wanted layer of security Da...
by TheCat12
Tue Mar 12, 2024 3:43 pm
Forum: Beginner Basics
Topic: Set up backup link
Replies: 1
Views: 535

Re: Set up backup link

I would also do it the way you suggested and create a failover situation: /ip dhcp-client add interface=ether1 add-default-route=yes default-route-distance=2 /ip route add dst-address=0.0.0.0/0 check-gateway=ping distance=1 gateway=lte1 Or if you want to check connectivity on lte recursively: /ip ro...
by TheCat12
Tue Mar 12, 2024 3:14 pm
Forum: Beginner Basics
Topic: Failover Issue
Replies: 7
Views: 613

Re: Failover Issue

Could you please export your configuration here:

/export file=anynameyouwish.rsc
by TheCat12
Tue Mar 12, 2024 10:52 am
Forum: Beginner Basics
Topic: 2WAN as Failover and Setup Wireguard KEY as Client [SOLVED]
Replies: 35
Views: 6572

Re: 2WAN as Failover and Setup Wireguard KEY as Client [SOLVED]

/interface wireguard add listen-port=13231 private-key="private_key_from_provider" name=wireguard1 /interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=5.172.196.95 endpoint-port="wireguard_port" interface=wireguard1 public-key="public_key_of_provider&q...
by TheCat12
Mon Mar 11, 2024 7:29 am
Forum: General
Topic: UPnP and Hairpin NAT
Replies: 7
Views: 871

Re: UPnP and Hairpin NAT

by TheCat12
Sun Mar 10, 2024 10:35 pm
Forum: General
Topic: UPnP and Hairpin NAT
Replies: 7
Views: 871

Re: UPnP and Hairpin NAT

Is my understanding above correct?
Unfortunately, yes. And the only workaround I see is to make the addresses of the UPnP enabled devices static and add your dst-nat rules before the dynamic ones because, as you're probably familiar with, rules are processed in ascending order relative to their pla...
by TheCat12
Sun Mar 10, 2024 9:56 pm
Forum: Beginner Basics
Topic: Redirect all traffic to the LAN webserver
Replies: 2
Views: 525

Re: Redirect all traffic to the LAN webserver

Have you tried the following configuration:
/ip firewall nat
add action=dst-nat chain=dstnat to-addresses=192.168.89.253 src-address=192.168.89.0/24 protocol=tcp dst-port=80,443
by TheCat12
Sun Mar 10, 2024 10:40 am
Forum: Beginner Basics
Topic: Cannot access internet through PLC wifi device [SOLVED]
Replies: 2
Views: 1347

Re: Cannot access internet through PLC wifi device [SOLVED]

Firstly, find in the ARP list what IP was assigned to the PLC by Mikrotik and then add a static route with gateway being the address you just found:
/ip route
add dst-address=192.168.1.200 gateway=*PLC_WAN_address*
by TheCat12
Sat Mar 09, 2024 2:37 pm
Forum: General
Topic: Separate wireless networks, bridged to wired interface
Replies: 8
Views: 955

Re: Separate wireless networks, bridged to wired interface

If you're doing the settings from scratch, then yes, directly reference the VLANs in the /ip address commands and don't use the find parameter: /ip address add address=192.168.1.1/24 network=192.168.1.0 interface=EmployeeLAN_VLAN add address=192.168.7.1/24 network=192.168.7.0 interface=Gastrofix_VLA...
by TheCat12
Sat Mar 09, 2024 10:55 am
Forum: General
Topic: Separate wireless networks, bridged to wired interface
Replies: 8
Views: 955

Re: Separate wireless networks, bridged to wired interface

Another option which I'm starting to think is more suitable is configuring the VLANs through the Switch menu because you can benefit from Hardware Offloading and Layer3 isolation on hardware level. The configuration is similar except almost all VLAN settings are made in the aforementioned menu: /int...
by TheCat12
Sat Mar 09, 2024 9:40 am
Forum: General
Topic: Separate wireless networks, bridged to wired interface
Replies: 8
Views: 955

Re: Separate wireless networks, bridged to wired interface

I was looking at both configs and saw that in the current one the 192.168.88.0 network for guests was bound to the Bridge_AP. That's why I referenced it. And in the new revised config you could use for the ip address section either the [ find interface=... ] commands if the addresses are still b...
by TheCat12
Fri Mar 08, 2024 8:18 pm
Forum: General
Topic: Separate wireless networks, bridged to wired interface
Replies: 8
Views: 955

Re: Separate wireless networks, bridged to wired interface

Why don't you combine your wired and wireless POS in one VLAN and bridge all of the ports used for VLAN and not the VLANs? In this way you would utilize bridge VLAN and bind the POS and employee addresses to their respective VLANs: /interface bridge add name=bridge /interface bridge port add bridge=brid...
by TheCat12
Thu Mar 07, 2024 11:04 pm
Forum: General
Topic: UPnP and Hairpin NAT
Replies: 7
Views: 871

Re: UPnP and Hairpin NAT

Maybe change action=masquerade and set dst-address to be the one of the server on the hairpin nat rule as well as on the defconf rule unless there is a reason to be src-nat:
/ip firewall nat
set 0 action=masquerade src-address=""
set 1 action=masquerade dst-address=192.168.1.2
by TheCat12
Thu Mar 07, 2024 10:34 pm
Forum: General
Topic: Bridge mode in Mikrotik
Replies: 1
Views: 264

Re: Bridge mode in Mikrotik

Bridge Mode will basically turn your device into a switch by bridging all interfaces, so if you don't plan on using firewall, etc. yes, it will most probably work
by TheCat12
Thu Mar 07, 2024 7:42 pm
Forum: Beginner Basics
Topic: CRS310-1G-5S-4S+IN I can’t manage to setup trunks on all sfp ports
Replies: 8
Views: 694

Re: CRS310-1G-5S-4S+IN I can’t manage to setup trunks on all sfp ports

I'd suggest you first remove the ports from the old bridge with the following command or through GUI: /interface bridge port remove [ find interface=sfp1 ] remove [ find interface=sfp2 ] and then add them to the new bridge: /interface bridge port add bridge=bridge1 interface=sfp1 add bridge=bridge1 i...
by TheCat12
Wed Mar 06, 2024 6:12 pm
Forum: Beginner Basics
Topic: Vlan for Voice
Replies: 13
Views: 1274

Re: Vlan for Voice

Wait a second, can't you just add a VLAN30 interface, bridge it with the ether8 port and add a DHCP client if necessary? Why did I remain convinced that ether8 should be a trunk port? Now I feel as if I'd taken crazy pills /interface vlan add interface=sfp-WAN name=vlan30 vlan-id=30 /interface bridg...
by TheCat12
Wed Mar 06, 2024 5:13 pm
Forum: General
Topic: HairPin NAT not working [SOLVED]
Replies: 10
Views: 828

Re: HairPin NAT not working [SOLVED]

@adispy My bad, it's not possible to list out separate ports in the to-ports section. You can leave it blank and the rule will work as intended.
by TheCat12
Wed Mar 06, 2024 4:36 pm
Forum: Beginner Basics
Topic: Vlan for Voice
Replies: 13
Views: 1274

Re: Vlan for Voice

Most probably yes, because the OP states that he has replaced a Huawei GPON and these are commonly given by ISPs. Now that you mention it, I'm curious how they registered on the optic network in the first place because ISPs are not very cooperative when it comes to replacing their equipment.
by TheCat12
Wed Mar 06, 2024 4:12 pm
Forum: General
Topic: HairPin NAT not working [SOLVED]
Replies: 10
Views: 828

Re: HairPin NAT not working [SOLVED]

Firstly, when you have specified dst-ports in the dst-nat rule for the server it is good practice to add them to the to-ports section: chain=dstnat action=dst-nat to-addresses=192.168.10.10 to-ports=443,80,8080,8443 protocol=tcp dst-address=<PUBLIC IP 1> connection-mark="" in-interface=RDS...
by TheCat12
Wed Mar 06, 2024 3:58 pm
Forum: General
Topic: ipsec one-way traffic
Replies: 1
Views: 217

Re: ipsec one-way traffic

Depending on what traffic you will be blocking - inbound or outbound - you can use the ipsec-policy matcher in,ipsec or respectively out,ipsec in a drop rule:
/ip firewall filter
add action=drop chain=forward ipsec-policy=*,ipsec
where * is in or out
by TheCat12
Wed Mar 06, 2024 3:33 pm
Forum: Beginner Basics
Topic: Vlan for Voice
Replies: 13
Views: 1274

Re: Vlan for Voice

Could you try adding the pppoe client to the bridge? Please excuse my stubbornness with this configuration but I can't think of any other working solution. If someone else could think of one, I would be very glad to hear it :)
by TheCat12
Tue Mar 05, 2024 10:34 pm
Forum: General
Topic: ProCube - VLANS and WebGUI
Replies: 2
Views: 282

Re: ProCube - VLANS and WebGUI

Could you provide us with a diagram and/or exported configurations?
by TheCat12
Tue Mar 05, 2024 10:28 pm
Forum: General
Topic: 2ISP with balancing - how to redirect speedtest.com to use only ISP1
Replies: 1
Views: 268

Re: 2ISP with balancing - how to redirect speedtest.com to use only ISP1

The easiest way would be through an address list which resolves the DNS names of the desired sites to IPs, mangle and a routing table: /ip firewall address-list add list=client_sites address=speedtest.net /ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=client_sites new-routing-mar...
by TheCat12
Tue Mar 05, 2024 10:10 pm
Forum: General
Topic: IKEv2 no internet for client
Replies: 10
Views: 1800

Re: IKEv2 no internet for client

I also noticed that you have a masquerading nat rule only for ipsec-policy=out,none: /ip firewall nat add action=masquerade chain=srcnat comment=MSQRD ipsec-policy=out,none \ log-prefix="NAT MSQRD" out-interface=pppoe-out1 src-address=\ 100.100.100.0/24 Better would be if there weren't any...
by TheCat12
Tue Mar 05, 2024 9:37 pm
Forum: Beginner Basics
Topic: Default Password RB4011 GS+RM
Replies: 2
Views: 836

Re: Default Password RB4011 GS+RM

Username is admin, but Mikrotik started randomizing the password for their newer products like the RB4011, so you must check the sticker in the box, on the router, on the box, wherever there is one. Worst case, netinstall or flashfig.
by TheCat12
Tue Mar 05, 2024 5:19 pm
Forum: Beginner Basics
Topic: Vlan for Voice
Replies: 13
Views: 1274

Re: Vlan for Voice

Presuming that the GrandStream can handle tagged VLAN traffic and based off my previous mistakes during your former topic, for which I apologize, I've come up with a hopefully working solution: 1. Create a VLAN 30 interface, assign it the given address and bind it with the bridge interface 2. Set VL...
by TheCat12
Mon Mar 04, 2024 10:45 pm
Forum: General
Topic: HairPin NAT not working [SOLVED]
Replies: 10
Views: 828

Re: HairPin NAT not working [SOLVED]

The second rule is almost correct, provided that dst-address is the one to which you want to hairpin nat and you've made the rest of your configuration properly as @anav already said: /ip firewall nat add chain=srcnat action=masquerade src-address=192.168.10.0/24 dst-address=192.168.10.254 out-inter...
by TheCat12
Sun Mar 03, 2024 12:48 pm
Forum: General
Topic: Routing from local to camera connected to NVR
Replies: 2
Views: 340

Re: Routing from local to camera connected to NVR

https://m.youtube.com/watch?v=dqPIpFB7zkc

If you want to change camera IPs to ones from the router's subnet.
by TheCat12
Sun Mar 03, 2024 12:37 pm
Forum: General
Topic: Has Mikrotik discontinued the mANTBox19s
Replies: 4
Views: 350

Re: Has Mikrotik discontinued the mANTBox19s

Most probably to push out newer products like this equivalent: https://mikrotik.com/product/RB921GS-5HPacD-15S
by TheCat12
Sun Mar 03, 2024 12:19 pm
Forum: General
Topic: Has Mikrotik discontinued the mANTBox19s
Replies: 4
Views: 350

Re: Has Mikrotik discontinued the mANTBox19s

Has Mikrotik discontinued the mANTBox19s product?
Unfortunately, yes: https://mikrotik.com/product/RB921GS-5HPacD-19S
Have you looked at your local vendors because there is a slim chance they might still have it in stock (based on mine).
by TheCat12
Sat Mar 02, 2024 7:15 pm
Forum: Beginner Basics
Topic: Issue with PVID and untagged ports. [SOLVED]
Replies: 7
Views: 827

Re: Issue with PVID and untagged ports. [SOLVED]

Hi, there is no need of setting untagged ports in the Bridge VLAN table because they are added dynamically due to the pvid. If you want to use VLAN 93 on all of the other ports in the bridge, you could make them trunk ports, so that VLAN aware devices can use the VLAN and the rest of the devices use...
by TheCat12
Tue Feb 27, 2024 9:57 pm
Forum: General
Topic: IKEv2 no internet for client
Replies: 10
Views: 1800

Re: IKEv2 no internet for client

/ip firewall filter
add chain=forward ipsec-policy=out,ipsec action=accept 
That would be an example firewall rule that allows out ipsec traffic. You can customise it according to your needs
by TheCat12
Fri Feb 23, 2024 1:13 pm
Forum: Beginner Basics
Topic: IP/Route and IP/Addresses, the "Address List"
Replies: 1
Views: 549

Re: IP/Route and IP/Addresses, the "Address List"

Firstly, you don't need to have the LAN subnets of Router2 in the address list of Router1, you should remove them. Secondly, I don't see any 10.10.10.0 subnet that should be pingable. Thirdly, indeed there is a difference whether your gateway is a port or an address: Such route has following special...
by TheCat12
Thu Feb 22, 2024 7:21 pm
Forum: General
Topic: IKEv2 no internet for client
Replies: 10
Views: 1800

Re: IKEv2 no internet for client

Before I forget, I highly advise you to hide sensitive information about the L2TP VPN pronto! Also, you're lacking a rule which allows out ipsec traffic, or its variant modified for your needs, which is a default configuration one.
by TheCat12
Thu Feb 22, 2024 3:11 pm
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3476

Re: RB4011 / hEX routers upgrade & VPN connections

As for the Winbox access, you could enable the Accept Winbox from WAN rule but change it only to LAN because as @Mesquite said, when you connect to the WG, you are at LAN level, so no need and bad practice for the router to be accessible through WAN if you don't implement some secure address list, p...
by TheCat12
Wed Feb 21, 2024 2:09 pm
Forum: Beginner Basics
Topic: Translate the income ip to the ethernet
Replies: 4
Views: 601

Re: Translate the income ip to the ethernet

If you want a full translation of the local address of the web server to the public IP of the router and vice versa through a specific port, you should have a srcnat and a dstnat rule: /ip firewall nat add chain=dstnat dst-address="public_ip" dst-port="web_server_port" action=dst...
by TheCat12
Tue Feb 20, 2024 7:03 pm
Forum: General
Topic: Quick set - config - bridge - automa
Replies: 1
Views: 232

Re: Quick set - config - bridge - automa

Quote from MikroTik Wiki:
Bridge mode adds all interfaces to the bridge allowing to forward Layer2 packets (acts as a hub/switch).
Hence, it won't be able to work as a router because it removes the default configuration (at least I think so for the last part, haven't used it myself very often).
by TheCat12
Tue Feb 20, 2024 10:09 am
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3476

Re: RB4011 / hEX routers upgrade & VPN connections

@holvoetn is correct. Whatever configuration they choose, it would be possible because there is at least one public IP that is de facto static and could be used for whatever VPN they want.
by TheCat12
Tue Feb 20, 2024 8:24 am
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3476

Re: RB4011 / hEX routers upgrade & VPN connections

The OP could setup IPsec road warriors on the RB and use a similar configuration to the one that is described in the following topic I attached to reroute their traffic through the IPsec tunnel:

viewtopic.php?t=188935
by TheCat12
Mon Feb 19, 2024 9:52 pm
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3476

Re: RB4011 / hEX routers upgrade & VPN connections

OK, OK, I didn't mean to imply that this is the only and the greatest option, it was a misexpression from my side for which I sincerely apologize. I edited my comment accordingly so it doesn't showcase the criticized option as the only one. @Mesquite is right, there is absolutely no need to buy anyt...
by TheCat12
Mon Feb 19, 2024 9:26 pm
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3476

Re: RB4011 / hEX routers upgrade & VPN connections

No one is saying that money should be spent - the BTH which they have already configured on the RB should be able to access the hEX without any further configuration/equipment. If that's not the case, then @Mesquite's configuration would be advisable. I was just giving an alternative if they really ...
by TheCat12
Mon Feb 19, 2024 9:17 pm
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3476

Re: RB4011 / hEX routers upgrade & VPN connections

When he has already set up BTH and has an active IPsec tunnel, why bother creating a new wireguard site-to-site connection? This thing is really flexible - I've got a real-life situation where I have set up a cAP ax as a BTH server and that was enough to have access to: a. the cAP ax itself b. A RB301...
by TheCat12
Mon Feb 19, 2024 8:10 pm
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3476

Re: RB4011 / hEX routers upgrade & VPN connections

One option would be to buy another router which supports BTH VPN (any router with arm, arm64, tile as architecture, for instance hAP ax lite), although as I said earlier you should be able to access the hEX via the WG which you have already configured on the RB4001. Try to ping it and see if it's re...
by TheCat12
Mon Feb 19, 2024 7:39 am
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3476

Re: RB4011 / hEX routers upgrade & VPN connections

@QuantumAalfa You are correct about the hEX - unfortunately the architecture of the router doesn't support BTH VPN. But you could set it up on Router A and in theory you should be able to access Router B through the IPsec tunnel based on personal experience. As for the previous posts about ROS 6 vs....
by TheCat12
Sun Feb 18, 2024 9:25 pm
Forum: General
Topic: RouterOS - Simple WireGuard Client Setup
Replies: 4
Views: 1794

Re: RouterOS - Simple WireGuard Client Setup

/interface wireguard add listen-port=51820 name=wireguard1
/interface wireguard peers add public-key=CorrectPublicKey allowed-address=DesiredExternalIPAddress/24,WireguardSubnetClientAddress/32 endpoint-address=DesiredEndpointIPAddress endpoint-port=DesiredEndpointPort interface=wireguard1
/ip addre...
by TheCat12
Sun Feb 18, 2024 8:50 pm
Forum: General
Topic: IKEv2 no internet for client
Replies: 10
Views: 1800

Re: IKEv2 no internet for client

Try to change the DNS of the mode-config to 8.8.8.8
by TheCat12
Sun Feb 18, 2024 8:22 pm
Forum: Beginner Basics
Topic: LXT-010S-H from LEOX and VoIP Vlan config
Replies: 7
Views: 790

Re: LXT-010S-H from LEOX and VoIP Vlan config

Then I'll suggest an easier approach: create a VLAN interface with vlan-id 30 and add it to the bridge, which will consequently (hopefully) set up the desired VLAN
/interface vlan add name=VLAN30 vlan-id=30 interface=sfp-WAN

/interface bridge port add bridge=bridge interface=VLAN30
by TheCat12
Sun Feb 18, 2024 9:06 am
Forum: Beginner Basics
Topic: LXT-010S-H from LEOX and VoIP Vlan config
Replies: 7
Views: 790

Re: LXT-010S-H from LEOX and VoIP Vlan config

Okay, I saw a flaw in my plan - a management VLAN. The following configuration should do the trick: /interface bridge port add bridge=bridge interface=sfp-WAN frame-types=admit-only-vlan-tagged set [find interface=ether1-LAN1] pvid=30,99 frame-types=admit-only-untagged-and-priority-tagged set [find ...
by TheCat12
Sat Feb 17, 2024 9:33 pm
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3476

Re: RB4011 / hEX routers upgrade & VPN connections

The logs in question are due to logging being turned on for some of the firewall rules, an input chain one. For the secondary questions, in theory there should be no disturbance of the IKEv2 connection and you could set up a Back to Home VPN server on the router with CGNAT and add your family members as clients...
by TheCat12
Sat Feb 17, 2024 9:16 pm
Forum: Beginner Basics
Topic: LXT-010S-H from LEOX and VoIP Vlan config
Replies: 7
Views: 790

Re: LXT-010S-H from LEOX and VoIP Vlan config

If I understand correctly, ports 1-8 will be access ports and the sfp port is the trunk. So, you will add it to the bridge, after that you will assign a pvid of 30 to the access ports, add a bridge VLAN entry for the trunk port and turn on VLAN filtering: /interface bridge port add interface=sfp-WAN bridge=br...
by TheCat12
Sat Feb 17, 2024 8:17 pm
Forum: Beginner Basics
Topic: LXT-010S-H from LEOX and VoIP Vlan config
Replies: 7
Views: 790

Re: LXT-010S-H from LEOX and VoIP Vlan config

Could you give more details about your setup - which will be your trunk port and which your access ports? Also, why do you have so few firewall rules?
by TheCat12
Fri Feb 16, 2024 3:21 pm
Forum: Beginner Basics
Topic: Firewall rules - Dont know why my server is accessible from the internet. Is should be not [SOLVED]
Replies: 8
Views: 1192

Re: Firewall rules - Dont know why my server is accessible from the internet. Is should be not [SOLVED]

@Empulakcz How do you plan to secure the access to the server through the internet?
by TheCat12
Fri Feb 16, 2024 1:08 pm
Forum: Beginner Basics
Topic: Firewall rules - Dont know why my server is accessible from the internet. Is should be not [SOLVED]
Replies: 8
Views: 1192

Re: Firewall rules - Dont know why my server is accessible from the internet. Is should be not [SOLVED]

It is accessible due to NAT rule 1, which dst-nats the TS3 port to the public IP:
1 chain=dstnat action=dst-nat to-addresses=192.168.X.X to-ports=9987 protocol=udp dst-address=MY PUBLIC IP in-interface=WAN src-port="" dst-port=9987 log=no log-prefix=""
If you disable it, it shoul...
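Added example, not code from the post: a small audit that parses the `/ip firewall nat print` listing format shown above and reports every enabled dst-nat rule reachable from the WAN side, i.e. the services a router is publishing to the Internet. The sample listing is constructed (203.0.113.10 stands in for "MY PUBLIC IP", and the WAN list membership is assumed).

```python
"""List the services a RouterOS dstnat table publishes to the Internet.

Added example, not the poster's code. It parses the rule-listing syntax from the
post ('N [flags] chain=dstnat action=dst-nat ... dst-port=...') and reports every
enabled dst-nat rule whose in-interface / in-interface-list is a WAN interface,
or that has no ingress matcher at all (which also matches WAN traffic).
"""
import shlex

# Constructed sample of '/ip firewall nat print' output; rule 2 is disabled (X flag).
SAMPLE_NAT_PRINT = """
 0 chain=srcnat action=masquerade out-interface-list=WAN
 1 chain=dstnat action=dst-nat to-addresses=192.168.10.20 to-ports=9987 protocol=udp dst-address=203.0.113.10 in-interface=WAN src-port="" dst-port=9987 log=no log-prefix=""
 2 X chain=dstnat action=dst-nat to-addresses=192.168.10.21 to-ports=22 protocol=tcp in-interface-list=WAN dst-port=22
 3 chain=dstnat action=dst-nat to-addresses=192.168.10.22 to-ports=80 protocol=tcp in-interface=bridge dst-port=80
"""

WAN_NAMES = {"WAN", "ether1"}  # assumption: the WAN interface list and its member port


def parse_nat_print(text):
    """Yield (number, disabled, attrs) for each rule line of the print output."""
    for line in text.strip().splitlines():
        words = shlex.split(line)          # handles quoted values such as log-prefix=""
        if not words or not words[0].isdigit():
            continue
        number, rest, flags = int(words[0]), words[1:], []
        while rest and "=" not in rest[0]:  # flag letters precede the first key=value
            flags.append(rest.pop(0))
        attrs = dict(w.split("=", 1) for w in rest)
        yield number, "X" in flags, attrs


def exposed_services(text, wan_names=WAN_NAMES):
    """Return the enabled dst-nat rules that accept traffic arriving from the WAN."""
    found = []
    for number, disabled, a in parse_nat_print(text):
        if disabled or a.get("chain") != "dstnat" or a.get("action") != "dst-nat":
            continue
        ingress = a.get("in-interface") or a.get("in-interface-list") or "any"
        if ingress != "any" and ingress not in wan_names:
            continue  # only reachable from an internal interface
        found.append({
            "rule": number,
            "ingress": ingress,
            "proto": a.get("protocol", "any"),
            "public_port": a.get("dst-port", "any"),
            "target": f'{a.get("to-addresses", "?")}:{a.get("to-ports", a.get("dst-port", "?"))}',
        })
    return found


if __name__ == "__main__":
    for svc in exposed_services(SAMPLE_NAT_PRINT):
        print(f'rule {svc["rule"]}: {svc["proto"]}/{svc["public_port"]} on {svc["ingress"]} -> {svc["target"]}')
```

Feed it the output of `/ip firewall nat print without-paging` (or the `add ...` lines of an export, after prefixing them with a number) and anything it lists is what the Internet can reach; a rule that carries no in-interface matcher is reported too, because it forwards WAN traffic just as well.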
by TheCat12
Thu Feb 15, 2024 5:03 pm
Forum: Beginner Basics
Topic: Mikrotik as OpenVPN client
Replies: 2
Views: 483

Re: Mikrotik as OpenVPN client

Maybe you should allow port 1194?
/ip firewall filter
add chain=input protocol=udp dst-port=1194 action=accept
by TheCat12
Thu Feb 15, 2024 4:48 pm
Forum: Beginner Basics
Topic: Internet for Remote Gateway
Replies: 9
Views: 2526

Re: Internet for Remote Gateway

viewtopic.php?t=178360

I think this would be the best solution to your problem. Through this configuration all necessary traffic will be rerouted through the VPN tunnel and thus the server will become the remote gateway for the PCs
by TheCat12
Mon Feb 12, 2024 10:28 pm
Forum: Beginner Basics
Topic: Minecraft Server, SSH, etc... protocol issue with RouterOS v7
Replies: 2
Views: 1419

Re: Minecraft Server, SSH, etc... protocol issue with RouterOS v7

Most probably the problem is with the ISP and they haven't made the necessary port forwarding, which would allow connections to your Minecraft servers and would give an explanation to the SSH problem.
by TheCat12
Sat Feb 10, 2024 10:06 pm
Forum: Beginner Basics
Topic: how to give customer 30days internet like ISP do
Replies: 2
Views: 487

Re: how to give customer 30days internet like ISP do

Or enable MAC filtering through Access List usage, set time=30d and force your clients to use a non-randomized MAC address using the following access rule: /interface wifiwave2 access-list add action=reject mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00 given that you have either the...
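Added example, not code from the post: it models how the mac-address / mac-address-mask matcher of the access list works, so it is clear why the single entry above catches every randomized ("private") MAC. The comparison is (client AND mask) == (rule AND mask); with 02:00:00:00:00:00 as both value and mask only the locally-administered bit of the first octet is tested, and randomized addresses always have that bit set. The client addresses and the second list entry are constructed; the post's time setting is not modelled.

```python
"""Matching semantics of a wifi access-list mac-address/mac-address-mask entry.

Added example, not the poster's code. Shows the masked comparison and a
first-match walk over a small constructed access list.
"""


def mac_to_int(mac):
    """Accept 'aa:bb:..' or 'aa-bb-..' in any case."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def access_list_matches(client_mac, rule_mac, rule_mask):
    """True when the masked bits of the client MAC equal the masked bits of the rule."""
    mask = mac_to_int(rule_mask)
    return (mac_to_int(client_mac) & mask) == (mac_to_int(rule_mac) & mask)


def is_randomized(client_mac):
    """The post's reject rule: locally-administered bit (bit 1 of the first octet) set."""
    return access_list_matches(client_mac, "02:00:00:00:00:00", "02:00:00:00:00:00")


def first_action(client_mac, access_list):
    """Access-list semantics: the first entry whose matcher fits decides; None if no entry fits."""
    for entry in access_list:
        if access_list_matches(client_mac, entry["mac-address"], entry["mac-address-mask"]):
            return entry["action"]
    return None


# Constructed list: reject every randomized MAC first, then admit one known client.
ACCESS_LIST = [
    {"action": "reject", "mac-address": "02:00:00:00:00:00", "mac-address-mask": "02:00:00:00:00:00"},
    {"action": "accept", "mac-address": "B8:27:EB:12:34:56", "mac-address-mask": "FF:FF:FF:FF:FF:FF"},
]

if __name__ == "__main__":
    for mac in ("DA:A1:19:3C:7B:01", "B8:27:EB:12:34:56", "B8:27:EB:00:00:01"):
        print(mac, "randomized" if is_randomized(mac) else "burned-in", first_action(mac, ACCESS_LIST))
```

The same masked comparison explains the other common pattern, a mask of FF:FF:FF:00:00:00 to match a whole vendor OUI; a client that hits no entry at all falls through to the interface's default behaviour, which is why the reject entry for randomized MACs needs to be accompanied by explicit accept entries for the clients you want in.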
by TheCat12
Sat Feb 10, 2024 9:40 pm
Forum: Beginner Basics
Topic: Wireguard handshake but no traffic [SOLVED]
Replies: 8
Views: 1132

Re: Wireguard handshake but no traffic [SOLVED]

Also Wireguard interface should be part of LAN interface list, not WAN, at least in my opinion
by TheCat12
Thu Feb 08, 2024 10:28 pm
Forum: Beginner Basics
Topic: Please help Surfshark VPN RouterOS 7.12.1/ hAP lite RB941-2nD
Replies: 4
Views: 973

Re: Please help Surfshark VPN RouterOS 7.12.1/ hAP lite RB941-2nD

Nevermind, I may have found a solution. Try it and if it doesn't work, post the log as described above.

viewtopic.php?t=194375
by TheCat12
Thu Feb 08, 2024 9:58 pm
Forum: Beginner Basics
Topic: Please help Surfshark VPN RouterOS 7.12.1/ hAP lite RB941-2nD
Replies: 4
Views: 973

Re: Please help Surfshark VPN RouterOS 7.12.1/ hAP lite RB941-2nD

Not good. Could you add a logging rule for the ipsec with the following command:
/system logging
add action=memory topics=ipsec
and send part of the log here?
by TheCat12
Thu Feb 08, 2024 2:26 pm
Forum: Beginner Basics
Topic: Block PoE-in LAN network
Replies: 1
Views: 970

Re: Block PoE-in LAN network

Firewall rules? Something like:
/ip firewall filter
add chain=forward action=drop src-address=192.168.88.0/24 dst-address=192.168.1.0/24
Yes, precisely
Also, the devices on my normal LAN of 192.168.1.x can ping the Mikrotik device: 192.168.1.134. Is that okay?
Yes, it's perfectly normal
by TheCat12
Wed Feb 07, 2024 7:43 am
Forum: Beginner Basics
Topic: VPN Client on MikroTik hEX-S
Replies: 11
Views: 1570

Re: VPN Client on MikroTik hEX-S

Dear Mesquite,

please excuse my imprecise language and thank you for the detailed explanation!
by TheCat12
Tue Feb 06, 2024 9:20 pm
Forum: Beginner Basics
Topic: Please help Surfshark VPN RouterOS 7.12.1/ hAP lite RB941-2nD
Replies: 4
Views: 973

Re: Please help Surfshark VPN RouterOS 7.12.1/ hAP lite RB941-2nD

Allow udp ports 500 and 4500 and ipsec-esp:
/ip firewall filter
add chain=input protocol=udp dst-port=500,4500 action=accept
add chain=input protocol=ipsec-esp action=accept
and let's see what happens
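Added example, not code from this post or the OpenVPN one further up: a first-match evaluator for a RouterOS-style input chain. It loads the stock v7 "defconf" input rules, inserts the two accept rules from the post in front of the final "drop all not coming from LAN" rule, and checks where IKE (UDP 500), NAT-T (UDP 4500), ESP and OpenVPN (UDP 1194) packets arriving on WAN end up. Interface-list membership, the router address 203.0.113.10 and the packets are constructed.

```python
"""First-match evaluation of a RouterOS-style /ip firewall filter input chain.

Added example, not the poster's code. Models the RouterOS v7 default input chain
and shows that a new UDP 500/4500 or ESP packet from WAN only survives when an
accept rule for it sits above the closing 'in-interface-list=!LAN' drop.
"""
import shlex

DEFCONF_INPUT = """
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
add action=drop chain=input in-interface-list=!LAN
"""

# The two rules suggested in the post; they must be placed above the final drop.
IPSEC_ACCEPT = """
add action=accept chain=input protocol=udp dst-port=500,4500
add action=accept chain=input protocol=ipsec-esp
"""

INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}  # assumption


def parse_rules(text):
    """Turn 'add key=value ...' export lines into a list of dicts."""
    rules = []
    for line in text.strip().splitlines():
        words = shlex.split(line)
        if words and words[0] == "add":
            rules.append(dict(w.split("=", 1) for w in words[1:]))
    return rules


def _in_list(iface, spec):
    """in-interface-list matcher, including the '!LIST' negated form."""
    negate = spec.startswith("!")
    return (iface in INTERFACE_LISTS.get(spec.lstrip("!"), set())) != negate


def matches(rule, pkt):
    """Every matcher present in the rule must agree with the packet."""
    if "connection-state" in rule and pkt["state"] not in rule["connection-state"].split(","):
        return False
    if "protocol" in rule and pkt["proto"] != rule["protocol"]:
        return False
    if "dst-port" in rule and str(pkt.get("dport")) not in rule["dst-port"].split(","):
        return False
    if "dst-address" in rule and pkt["dst"] != rule["dst-address"]:
        return False
    if "in-interface-list" in rule and not _in_list(pkt["in"], rule["in-interface-list"]):
        return False
    return True


def verdict(rules, pkt):
    """First matching rule decides; RouterOS has no implicit drop, so fall-through is accept."""
    for rule in rules:
        if rule["chain"] == "input" and matches(rule, pkt):
            return rule["action"]
    return "accept"


def build_chain(extra_rules):
    """Default chain with extra accept rules inserted before the closing '!LAN' drop."""
    base = parse_rules(DEFCONF_INPUT)
    return base[:-1] + parse_rules(extra_rules) + base[-1:]


# Constructed packets arriving from the Internet on ether1 (and one from the LAN bridge).
ROUTER = "203.0.113.10"
IKE = {"in": "ether1", "proto": "udp", "dport": 500, "dst": ROUTER, "state": "new"}
NATT = {"in": "ether1", "proto": "udp", "dport": 4500, "dst": ROUTER, "state": "new"}
ESP = {"in": "ether1", "proto": "ipsec-esp", "dport": None, "dst": ROUTER, "state": "new"}
OVPN = {"in": "ether1", "proto": "udp", "dport": 1194, "dst": ROUTER, "state": "new"}
LAN_SSH = {"in": "bridge", "proto": "tcp", "dport": 22, "dst": "192.168.88.1", "state": "new"}

if __name__ == "__main__":
    for label, chain in (("defconf only", build_chain("")), ("defconf + ipsec", build_chain(IPSEC_ACCEPT))):
        print(label, {n: verdict(chain, p) for n, p in (("ike", IKE), ("natt", NATT), ("esp", ESP), ("ovpn", OVPN))})
```

The order matters as much as the rules themselves: appended at the end of the chain (`add` without `place-before`), the same two accept rules never see a packet because the "!LAN" drop already consumed it, which is the usual reason a correctly typed rule "does nothing".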
by TheCat12
Tue Feb 06, 2024 9:05 pm
Forum: Beginner Basics
Topic: WireGuard or L2TP VPN not working...
Replies: 8
Views: 995

Re: WireGuard or L2TP VPN not working...

You could set use-ipsec=required in the L2TP server and add an IPsec secret if you haven't already, so that the changes you've made can take effect; plus it's more secure this way
by TheCat12
Tue Feb 06, 2024 8:41 pm
Forum: Beginner Basics
Topic: VPN Client on MikroTik hEX-S
Replies: 11
Views: 1570

Re: VPN Client on MikroTik hEX-S

In the peer settings for the mother's router, shouldn't the example address be 172.16.1.1/32? That way the peer could only access the server in the wireguard subnet and if there are other peers on the mother's router, they will be independent from one another. Just asking to avoid confusion
by TheCat12
Tue Feb 06, 2024 7:19 pm
Forum: Beginner Basics
Topic: VPN Client on MikroTik hEX-S
Replies: 11
Views: 1570

Re: VPN Client on MikroTik hEX-S

First of all, you should add a Wireguard interface and assign it an address (one from the VPN network, supposedly you have one). You could do this with the following commands:
/interface wireguard add name=wireguard1
/ip address add address=x.x.x.x/24 network=x.x.x.0 interface=wireguard1
Through the ...
by TheCat12
Tue Feb 06, 2024 6:57 pm
Forum: Beginner Basics
Topic: accept one url and drop all network
Replies: 1
Views: 545

Re: accept one url and drop all network

Could you please export configuration and post it here?
by TheCat12
Mon Feb 05, 2024 10:25 pm
Forum: Beginner Basics
Topic: Troubleshooting wireguard S2S VPN
Replies: 3
Views: 596

Re: Troubleshooting wireguard S2S VPN

Firstly, it is recommended to use a /32 netmask for the Wireguard address in the peer settings. Secondly, you should add a new rule that allows the Wireguard port which you are using from the public IP of the pfSense: /ip firewall filter add chain=forward src-address=*public_ip_of_pfsense* protoc...
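Added example, not code from this post or the earlier "VPN Client on MikroTik hEX-S" reply, both of which recommend a /32 allowed-address for the peer. It models WireGuard's cryptokey routing, which is what allowed-address configures: outbound, the destination is looked up across all peers' entries (longest prefix wins) to pick the peer to encrypt to; inbound, a decrypted packet is accepted only if its source lies in the sending peer's entries. With a /24 instead of a /32 one peer can therefore emit packets with another peer's tunnel address. Peer names and addresses are constructed.

```python
"""WireGuard cryptokey routing: /32 versus /24 in a peer's allowed-address.

Added example, not the poster's code. Two constructed setups on the "server"
side: a strict one (each peer /32, plus the remote LAN for the site-to-site
peer) and a loose one (one peer given the whole /24 tunnel subnet).
"""
import ipaddress


class CryptokeyRouter:
    def __init__(self):
        self.table = []  # (network, peer) entries, searched with longest-prefix match

    def add_peer(self, name, allowed):
        for cidr in allowed:
            self.table.append((ipaddress.ip_network(cidr, strict=False), name))
        return self

    def outbound_peer(self, dst):
        """Peer a packet to dst is encrypted for, or None if no peer claims dst."""
        addr = ipaddress.ip_address(dst)
        hits = [(net.prefixlen, peer) for net, peer in self.table if addr in net]
        return max(hits)[1] if hits else None

    def inbound_ok(self, peer, src):
        """A decrypted packet from peer is kept only if src is inside that peer's entries."""
        addr = ipaddress.ip_address(src)
        return any(p == peer and addr in net for net, p in self.table)

    def overlapping(self):
        """(peer, peer) pairs whose entries overlap: a sign that a netmask is too wide."""
        pairs = []
        for i, (n1, p1) in enumerate(self.table):
            for n2, p2 in self.table[i + 1:]:
                if p1 != p2 and n1.overlaps(n2):
                    pairs.append((p1, p2))
        return pairs


# Tunnel subnet 172.16.1.0/24, server holds .1; hex-s also carries its LAN 192.168.2.0/24.
STRICT = (CryptokeyRouter()
          .add_peer("hex-s", ["172.16.1.2/32", "192.168.2.0/24"])
          .add_peer("laptop", ["172.16.1.3/32"]))

LOOSE = (CryptokeyRouter()
         .add_peer("hex-s", ["172.16.1.0/24"])
         .add_peer("laptop", ["172.16.1.3/32"]))

if __name__ == "__main__":
    for label, r in (("strict", STRICT), ("loose", LOOSE)):
        print(label, "hex-s may send as 172.16.1.3:", r.inbound_ok("hex-s", "172.16.1.3"),
              "| overlaps:", r.overlapping())
```

In the loose setup a packet to 172.16.1.3 still goes to the laptop (longest prefix), so connectivity looks fine; what breaks is the inbound check, because hex-s may now source traffic as any tunnel address. On the router side the pattern the posts describe is a /32 for the peer's own tunnel address plus, for a site-to-site peer only, the remote LAN prefix it should be routing for.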
by TheCat12
Sat Feb 03, 2024 8:52 pm
Forum: Beginner Basics
Topic: WireGuard or L2TP VPN not working...
Replies: 8
Views: 995

Re: WireGuard or L2TP VPN not working...

As for the L2TP, I'm willing to bet that the problem is with the encryption algorithms. That's why I would recommend you to read which algorithms your laptop supports from the following page: https://help.mikrotik.com/docs/display/ROS/IPsec and configure the proposals and profiles respectively fro...
by TheCat12
Thu Feb 01, 2024 11:18 pm
Forum: Beginner Basics
Topic: IPSEC IKEv2 cannot access LAN devices.
Replies: 1
Views: 672

Re: IPSEC IKEv2 cannot access LAN devices.

Could you please export configuration?
by TheCat12
Thu Feb 01, 2024 10:56 pm
Forum: Beginner Basics
Topic: DHCP/DNS configuration for two router setup [SOLVED]
Replies: 9
Views: 1577

Re: DHCP/DNS configuration for two router setup [SOLVED]

I think the easiest way is to remove the dhcp-server, the pool, the nat rule and the dhcp-client and just set the address to one from the desired subnet and add the 5G-WiFi link to the bridge
by TheCat12
Thu Feb 01, 2024 9:42 pm
Forum: Beginner Basics
Topic: VLAN tagged/untagged on same router
Replies: 6
Views: 677

Re: VLAN tagged/untagged on same router

Just a small tip: do not turn on VLAN filtering until you've configured everything else because you may lose access to the router
by TheCat12
Fri Dec 31, 2021 10:02 pm
Forum: Useful user articles
Topic: IPSEC/IKE2 (with certificates) VPN server guide for remote access
Replies: 42
Views: 63306

Re: IPSEC/IKE2 (with certificates) VPN server guide for remote access

hi, i go step by step and finish with this log from mobile: Sep 4 01:47:20 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Sep 4 01:47:20 00[DMN] Starting IKE service (strongSwan 5.9.3rc1, Android 10 - ELE-L29 10.1.0.150(C431E22R2P5)/2020-08-01, ELE-L29 - HUAWEI/ELE-L29EEA/HUA...