MikroTik

TheLorc

While the connection is better now that I changed MTU in wireguard winbox to 1300, it still seems to be slightly slow at moving files onto the server and moving through the folders on the NAS. So maybe something is still wrong possibly. But at least its letting me log onto the server unlike before. ...

TheLorc

default MTU on wireguard is 1420............... I actually increased it to 1500 for one scenario and it worked out. If your MT is at the client end Try this..... /ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu ...

TheLorc

Okay so changing MTU to 1300 in Wireguard -> Wireguard -> (double click interface) -> MTU appears to have fixed the problem. I dont really know what MTU does but that definitely seems to have been the problem given this remote laptop which hasn't worked for months is now suddenly working. Thanks for...

TheLorc

Without seeing the config of the router and the config of the wireguard on the laptop, its unknown. ALso windows has firewalls and AV programs that can interfere. Perhaps there are some MTU issues........... Anav and Jvan, thank you for your replies. I will look into MTU Earlier today I also couldn...

TheLorc

If you guys think this doesnt belong here then I can remove it as I know it may not be related to Mikrotik itself I have a wireguard VPN set up to my mikrotik. We use it for people working from home and also we have a separate site with about 4 people, they all use a wireguard client to connect to t...

TheLorc

I have several NAT rules to open up different network devices on my network. Phone server, file server etc. However at the moment we have a dynamic IP from our ISP. Whenever theres a power cut or the MT is turned off it gets a new IP address from our ISP. I am going to call them and try sort it out,...

TheLorc

Found the problem

Needed to change add action=accept chain=input dst-port=13231 in-interface-list=WAN protocol=\
udp

to 'dst-port=369'

Thanks for the help. Hopefully I can fix the PPPoE stuff with the ISP..

TheLorc

There is no point to fixing wireguard if you have no internet?? How would you test?? (1) Attempt 2 wireguard not working because although you changed the IP address to the IP address formerly used by wireguard-Mikrotik currently disabled, you forget to change the peer IP..... You have by mistake a ...

TheLorc

There is no point to fixing wireguard if you have no internet?? How would you test?? (1) Attempt 2 wireguard not working because although you changed the IP address to the IP address formerly used by wireguard-Mikrotik currently disabled, you forget to change the peer IP..... You have by mistake a ...

TheLorc

I have Internet but it's via "Dynamic acquisition " not PPPoE. Honestly I can't remember for sure what I had prior to factory resetting. I think it MIGHT have been PPPoE and I had a static public ip from my ISP via PPPoE. Can't remember if I had dynamic or pppoe previously tho. I will cont...

TheLorc

So I changed my MT Password a few weeks ago. However due to winbox remembering my password for me, everytime I want to access my MT router I just open winbox and click log in. I forgot the password and then tried to copy it from the winbox window, which removed it and now I completely lost access to...

TheLorc

Thanks everyone for the help. I know now why the TP-Link AP wouldn't work (it only takes 24V Passive PoE which my switch cannot provide)

I have bought an EAP610 but will look into getting a cAP AX (which will work with my switch as its active PoE

)

TheLorc

What is your budget......... Also what is wrong with sticking with same vendor.........https://www.zyxel.com/global/en/products/wireless/802-11ax-wifi-6e-dual-radio-unified-pro-access-point-wax620d-6e I currently have two zyxel nwa1123-acv2 but one of them is turning off repeatedly 5 times a day. I...

TheLorc

Yea, but he said that he bought different AP from different vendor and it didn't worked with poe switch. Maybe that AP is using 24V. I had TP-Link that was powered by 9 or 12V via poe injector. POE Switch: GS1920-24HP https://www.zyxelguard.com/datasheets/GS1920-Series.pdf TP Link AP: EAP110 https:...

TheLorc

Well, from Mikrotik you have new cAP ax: https://mikrotik.com/product/cap_ax Hi, do you know how I can know if my PoE switch will power this AP, or if i will need a separate little power injector? I bought a different AP from a different vendor and it doesnt work with my switch, so it becomes a pai...

TheLorc

But no gigaspeed over wireless.
Current MT products do not have that capability.

If other vendor, wrong place to ask.

Cap AX says 'Wireless 5 GHz Max data rate 1200 Mbit/s' would that not be gigabit?

TheLorc

Hello everyone, Have you got any wireless AP recommendations? Sorry if this is not allowed here. I would like a gigabit speed AP (if that exists?) that is PoE capable (without the use of an injector) I will look myself but if any of you have any recommendations let me know It would have to be wall m...

TheLorc

No, not all do.

I don't think my router RB2011iL has one. No mention of it in the data sheet or manual and I can't ever remember seeing one on it. So I will have to find a different way

TheLorc

Syslog can be network service on whatever ( virtual machine, raspberry pi, Linux computer, ...). I use USB drive on RB5009 as external disk, also did this on Hex. So you plugged a USB drive into your router? Do all routers come with a USB port on them? I dont think my router (RB2011iL) has one, but...

TheLorc

You can increase the line limit per log file, I use 4096 without any problem. This can be large if you wish ..... Sending all important logs to the hEX with DUDE. DUDE has the syslog function built in. Filtered DUDElog is written to disk via the log system of the hEX Here external disk, because of ...

TheLorc

Wait, so this behaviour could be an anti virus scanning the network? Yes. The same experience from other Mikrotik user https://forum.mikrotik.com/viewtopic.php?p=988766&#p988766 Thanks. After I saw what holvoe said I thought I would investigate a bit more. I ran two AVG scans on a certain compu...

TheLorc

Most likely some bot or service on your network trying to scan or even get in. Some reported this behavior from a virus scanner doing this scanning on the network. Your FTP service is enabled so a possible entry point. If not needed, disable. Wait, so this behaviour could be an anti virus scanning ...

TheLorc

Most likely some bot or service on your network trying to scan or even get in. Some reported this behavior from a virus scanner doing this scanning on the network. Your FTP service is enabled so a possible entry point. If not needed, disable. It also tried to log into my phone server via SSH. This ...

TheLorc

paste the result of this command on forum: /ip service export verbose remove serial number and public IP, if any, but do not remove any other line # apr/26/2023 14:26:20 by RouterOS 7.4 # software id = JCY8-AFLA # # model = RB2011iL # serial number = XXXXXXXXXXXXX /ip service set telnet address=&qu...

TheLorc

What does it mean that they are trying to log in via FTP?

All the failed logins were via FTP.

I only know two ways to access Mikrotik router, with winbox, or with web access. What does it mean they are accessing it with FTP? How do you access mikrotik with FTP?

TheLorc

So now that I have this 'save to disk' command entered, it will save logs to disk. Instead of memory. I assume that means the Mikrotik has a disk / hard drive storage space on it as well as RAM and we are saving to the hard drive now instead of the RAM? Rex I am not sure what you mean by 'to see old...

TheLorc

How do I know if my router has 'flash'? Check twice what you paste, something is lost on meantime... after target=disk is present disk-file-name=/seclog Paste this on terminal, if you obtain 1, is a Flash, if is a 0, is a NAND :put [:len [/file find where name="flash" and type="disk&...

TheLorc

You can increase the line limit per log file, I use 4096 without any problem. Ideally these log files are written to disk, even better external disk. You could also use an external syslog server where all log lines are being sent to (and then you can do what you want). Thanks. I will definitely set...

TheLorc

Paste this on router: Add /flash before "/seclog" if your device have flash, or you lost the logs on reboot. /system logging action add disk-file-count=10 name=SaveToDisk target=disk disk-file-name=/seclog /system logging add action=SaveToDisk prefix=SEC topics=system,error,critical You c...

TheLorc

Hi Rex, This seems to be what I am getting. I don't think I have ever entered a command like this before for it to return 'such file name already exists' but it appears I have possibly? [XXXX@MikroTik] /system/logging> /system logging action [XXXX@MikroTik] /system/logging/action> add disk-file-coun...

TheLorc

/log print Thank you rex, do you know is there anyway for it to go back even further? I typed that but the terminal seems to run out of space and so it only shows as far back as yesterday. Or maybe thats all that is stored in its memory? Seems like it has ran out of space I think. The last log was ...

TheLorc

Hi everyone, So I think I have (or had) malware on my network on some device. I can see on my FreePBX phone server a pile of failed logins at 11:09 April 19. Now when I logged into Winbox today and opened the terminal (I was going to do some VLAN stuff) I see it pops up and showed several failed log...

TheLorc

Yes. Windows 11 and windows PCs in general suffer from some issues. 1. Check windows firewall 2. Check third party firewalls you added 3. Check its not a public connection and thus blocked ( private (trusted) vs public internet connections ) If you wish wg assistance, I dont speculate need evidence...

TheLorc

Hi everyone, I have a Mikrotik RB2011 as the main router in our office. I set up Wireguard to work on this router and so far had about 10 laptops with wireguard on them, connected succesfully to our Synology NAS when not connected to the LAN (I.e. abroad, or working from home) The way I do this is s...

TheLorc

Thank you to holvoe and anav, I have now fully accessed the NAS on a remote PC and can ping all of 192.168.32.0/24 and 192.168.88.0/24 - thanks so much! I believe what got it in the end was changing my listening port from 13231 to 369. In the Firewall -> NAT settings I have UDP ports 2000-65000 forw...

TheLorc

So the Mikrotik gets a public IP? Go to a website that tests ports (from behind the router) and see if the sites report the port as open. The client device doesnt have any funky firewall on it?? Well yes I think so. In Quick set and PPPoE settings it shows a public IP and a gateway. Also, I can acc...

TheLorc

I am going to ask something which should already have been asked a while ago... Can you draw a diagram of your network with Mikrotik device and how it goes to internet ? (paper is ok) Please include ISP modem, ethernet connections, what subnet is used where etc etc. I assume there is an ISP modem/r...

TheLorc

Wireguard WILL work if you get the config right. Much easier then IPSEC, if you ask me. The peer will always send. It is only when something comes back, then you will know it works. Which is not the case now. Are you 500% sure the port you want to use for your wireguard interface is accessible from...

TheLorc

(1) On your Mt router input chain rule modify. From add action=accept chain=input dst-port=13231 in-interface =ether1 protocol=udp TO: EITHER add action=accept chain=input dst-port=13231 in-interface -list=WAN protocol=udp OR add action=accept chain=input dst-port=13231 in-interface =pppoe-out2 pro...

TheLorc

(1) On your Mt router input chain rule modify. From add action=accept chain=input dst-port=13231 in-interface =ether1 protocol=udp TO: EITHER add action=accept chain=input dst-port=13231 in-interface -list=WAN protocol=udp OR add action=accept chain=input dst-port=13231 in-interface =pppoe-out2 pro...

TheLorc

please post complete config of MT wireguard server device /export (minus serial number and any public WANIP info) And the settings on the remote device you are using. Also confirm from the remote device that you can ping the MT on the normal WAN side (before attempting a tunnel). I have attached a ...

TheLorc

The order of your firewall rules is important, its a tad messed up will fix it to show you what it should look like. Also, if the intent is to use wireguard to allow access to the NAS server, and potentially other devices at some time on the subnet,then on the client devices ensure you have allowed...

TheLorc

Assumptions (since it is not shown): - Public key of Mikrotik peer = public key shown on top of PC client - please confirm - Public key of PC peer = public key used on Mikrotik Wireguard interface - please confirm If both are correct, do you see packets flowing in status of peer (both TX and RX sho...

TheLorc

Can you also show config from the other side ?
Especially the wireguard part.

I am not 100% sure what you mean but I assume you mean the wireguard windows client info. I have attached it incase that is what you mean. Thank you

TheLorc

Your requirements are NOT clear with respect to internet. If you mean that at the client you wish to still access internet at the local site, that is a function of your client setup be it an android phone, ios phone, windows laptop, mt client device etc........... If you mean you want all client tr...

TheLorc

I know, it was a joke recommendation. :-) Dont overcomplicate your input rules. What I would do is when learning wireguard not to get fancy with assigning it to an interface list (unless it was necessary and there are some cases where it is). It do agree with holvoe but I would suggest something si...

TheLorc

@anav: knowing where you came from with respect to using IP addresses, there might be hope for this world :lol: OP: Why all the VPN protocols ? Disable the ones you do not use (and remove the accompanying filter rules in firewall) This rule might have to be looked at as well: add action=drop chain=...

TheLorc

You should avoid youtube sometimes LOL. Read this. - https://forum.mikrotik.com/viewtopic.php?t=182340 (1) Well there is your problem you don't have numbers for your wireguard IP address.. add address=192. XX.XX .1/24 interface=Mikrotik-Wireguard network=192. XX.XX .0 It should be add address=192.1...

TheLorc

Hi guys, Does anyone know if they can help me. I have followed the following youtube video for Mikrotik Wireguard setup: https://www.youtube.com/watch?v=CH10spRyGpU Essentially he gets you to set up a wireguard server, then a peer, then download wireguard on your remote PC, enter in public key, addr...

TheLorc

Yes I dont see anything that would cause issues here.......... do you have SIP alg enabled, most recommend not doing so. 1. You didnt remove this duplicate rule........... Dont think it will cause issues but it should be removed. /ip firewall nat add action=masquerade chain=srcnat dst-address=192.1...

TheLorc

(1) Put the hairpin nat rule first, and remove the duplicate rule in yellow.. /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\ 192.168.88.0/24 add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\ pppoe-out1 to-addresses=XX.XX.XX.XX add a...

TheLorc

Actually it seems to be working for my Synology NAS. When I type https://mypublicIP:5501 it goes to the Synology server (although it says it is not secure) When I type my Synology NAS dynamic DNS hostname into my browser like so: https://myDDNS.net:5501 it goes to the Synology NAS web access site wi...

TheLorc

(1) Put the hairpin nat rule first, and remove the duplicate rule in yellow.. /ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.88.0/24 src-address=\ 192.168.88.0/24 add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\ pppoe-out1 to-addresses=XX.XX.XX.XX add a...

TheLorc

IN SUMMARY your config bubble is about to be popped!! (1) What are you doing here?? /interface wireguard peers add allowed-address= 192.168.88.0/24 interface=wireguard1 public-key=\ "1Of5xcGq53sXm6h8TKvkn7eGxNHEqom6fhBI8XDPg2I=" You have identified your own subnet as an allowed IP and on ...

TheLorc

If you read the article you would also know that you need a firewall rule to ensure such traffic is allowed. This comes standard as a default rule in the forward chain.... add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connecti...

TheLorc

In your part E of your guide, it states this as an option: 2. CHANGING SUBNET OF SERVER In this scenario, there is no requirement for a sourcenat rule addition as our effort is aimed at avoiding hairpin natting! In fact, there is no hairpin required because the server and users are now on a differe...

TheLorc

Getting there.......... Would need to see firewall rules as well. Is you WANIP static or dynamic public IP? In your part E of your guide, it states this as an option: 2. CHANGING SUBNET OF SERVER In this scenario, there is no requirement for a sourcenat rule addition as our effort is aimed at avoid...

TheLorc

Getting there..........
Would need to see firewall rules as well.

Is you WANIP static or dynamic public IP?

Hi, my IP is static. I have uploaded both filter rules and NAT if that is what you mean by firewall rules.

TheLorc

Read up on Hairpin Nat. Item E - https://forum.mikrotik.com/viewtopic.php?t=182373 Hi, I manually entered a firewall NAT rule with the following entries: Chain: srcnat Src. Address: 192.168.88.0/24 Dst. Address: 192.168.88.0/24 Action: masquerade See attached image. Is this following instructions c...

TheLorc

Hi, I have set up a freepbx server on my LAN. I am using a Mikrotik RB 2011 iL RM. I want to use Acrobits Groundwire as a softphone for my phones. In the settings of Acrobits Groundwire you must define SIP User, SIP Password and SIP Domain. For domain, when I enter my public IP and port for the inte...

TheLorc

removed unnedded quotation

Rebooting the mikrotik router worked. Thanks lol

TheLorc

removed unnedded quotation

Well on my old router I didn't have to do that

TheLorc

Anyone have any ideas what is wrong? Do I need to restart the Mikrotik router to get the port forwarding rules working again? Essentially the setup I have is: SIP Trunk provider receives a call when someone rings our business DID. This then uses the static IP I have set up in the phone carrier dashb...

TheLorc

To do that you just go to Bridge -> Ports -> Delete Ether7 (for example) , then go to IP -> Addresses -> Create new address -> In the entries, leave 'Network' blank, and fill in 10.10.10.254 for Address, and select Ether7 for the interface. Now, even if I disable the bridge or do anything to the ro...

TheLorc

To do that you just go to Bridge -> Ports -> Delete Ether7 (for example) , then go to IP -> Addresses -> Create new address -> In the entries, leave 'Network' blank, and fill in 10.10.10.254 for Address, and select Ether7 for the interface. Now, even if I disable the bridge or do anything to the ro...

TheLorc

Default gateway: 10.50.50.0 or 10.50.50.1 (neither works)
10.50.50.0 as gateway is incorrect for a /24 , 255.255.255.0 network!
Why should 10.50.50.1 work ??? You only defined 10.50.50.254 in your text.

What should I put then?

TheLorc

4. Add ether5-access to the trusted interface as a list member. It could be a trusted vlan, could the management vlan, could be LAN etc...... (router only) How do I do this? I'm sure for someone experienced with Mikrotik this is an obvious and stupid question. However most using this guide will be c...

TheLorc

Okay so you need to create an IP address 10.10.10.254, assign it to the interface Ether7, then statically modify your laptop/PC to be 10.10.10.253/24, and then it will work From what I remember I couldn't connect even with neighbours after disabling the bridge for ethernet ports 2-10, I could be wr...

TheLorc

To do that you just go to Bridge -> Ports -> Delete Ether7 (for example) , then go to IP -> Addresses -> Create new address -> In the entries, leave 'Network' blank, and fill in 10.10.10.254 for Address, and select Ether7 for the interface. Now, even if I disable the bridge or do anything to the ro...

TheLorc

You can work with "SAFE" mode to prevent the kinds of f*ckups, or take 1 interface OUT of the BRIDGE-config and put an IP-address on it, like 10.10.10.254 (while your bridge for example would be 192.168.1.254) That way, if you ever screw up "Bridge" , plug in the designated ETH-...

TheLorc

Hi guys, I locked myself out of my mikrotik router the day I got it. Since then I have been very careful to not make any changes which I haven't seen on a guide or that i don't know what they do. The way I locked myself out was by disabling 'bridge' in the Interfaces -> Interface -> Bridge section. ...

TheLorc

Seriously?

Para M. = Paragraph M.

Yes, I thought he meant some Mikrotik youtuber or something

TheLorc

Para M? What is that? Cant find it when i google?

TheLorc

Be part of a commoner structure, nah not elite enough!
Only a prestigious few get the MTUNA designation. I did say exalted right?

Whats an MTUNA certification?

TheLorc

That seems like quite a lot of configuration... Did not think it would take that much config, but ill give it a go

TheLorc

For road warrior setups, i would suggest either L2TP/IPsec or Wireguard...
https://help.mikrotik.com/docs/display/ROS/IPsec
https://help.mikrotik.com/docs/display/ROS/L2TP
https://help.mikrotik.com/docs/display/ROS/WireGuard

Thank you I will try Wireguard

TheLorc

I have seen the video about using a VPN by TKSJa (a youtube channel based on mikrotik tutorials) here is the video: https://www.youtube.com/watch?v=QWLY5vdKV4c However this was released 5 years ago and I am just wondering if this is still the recommended way to VPN into a remote network. The usage o...

TheLorc

If you have to open a port to an outside agency, its only correct that they provide you with their static WANIP or DYNDNS name in case it changes. THE MT will resolve that for you. As suggested then add to the dst-nat rule the src-address or if they multiple make an ip firewall address list and the...

TheLorc

I fixed it guys!!! I think the issue was my firewall NAT configuration. I had a rule for UDP port 5060 for SIP, and then I have a rule for UDP port 2000-65001 for RTP (the config posted above may not represent that, as I have changed this rule alot to try get RTP working) However I did not have the ...

TheLorc

Whitelisting must been looked at in another context : DENY everyone BUT "whitelist" SOME (or 1) So YES, your (D)NAT rule is probably open for the whole world but I would not call that a correct "whitelist" setup. So either 1) Populate the "src address" field in the NAT...

TheLorc

post your config /export and remove or fake any actual Public IP numbers from the ISP (wan IP, WAN gateway IP etc...) Can't see my public IP anywhere, if you do let me know # jul/25/2022 20:44:51 by RouterOS 7.4 # software id = JCY8-AFLA # # model = RB2011iL # serial number = E7DD0F73B4C5 /interfac...

TheLorc

Hi guys, Basically my softphone app provider (Ringotel) has told me to whitelist their IP in my firewall. I am using an on-premises IP PBX FreePBX server for my phone system. I am trying to switch over my router from a Cisco Meraki MX64 router to a Mikrotik RB2011 iL-RM. So far everything has worked...

TheLorc

Hi guys. For some reason, I can't get my IP PBX on premises phone server to work with Mikrotik. I have internal calls working, from extension to extension within my internal LAN. However, when I ring the DID attached to the business, it goes to the phone carrier, and I have programmed in our public ...

TheLorc

Simply first configure the RouterBOARD,when you are able to "navigate" with ethernet, simply connect one AP on one ethernet port, and follow the other brand tutorial on how to configure an AP... Hi Rextended, I have gotten the wireless AP working. I was setting it up wrong, I did not disa...

TheLorc

Hi guys, I recently bought an RB2011 iL-RM routerOS routerBOARD device. I love it and think Mikrotik is great, its amazing how powerful it is and for such a good price.. This router does not come with wireless capabilities, however in my work we have wireless access points from a different company (...

Search found 85 matches