MikroTik

wiseroute

hi, what do you mean by merging 2 bridges? how? probably your mitm redirect should be easy enough as long as your target server is on separate interface than those wired and wireless lan. let us say a dmz interface for the server? dst-nat should be enough. or you can give us some simple drawing abou...

wiseroute

, I comment that the vpn label does appear in the mpls forwarding table but the traffic-eng one does not appear. --- admin@PE1] > mpl traffic-eng/flow/print detail Flags: N - ingress, E - egress; F - forwarding; R - reservation it's difficult to help you if we don't know your exact mpls topology. f...

wiseroute

Put in bridge WAN and etherX vs customer, assign 10.10.10.4/28 to bridge (and your router have 10.10.10.1 as gateway) and assign 10.10.10.9/28 to customer firewall (that use the same 10.10.10.1 as gateway). If you have more customers, each customer have it's own firewall that prevent customer<->cus...

wiseroute

@ marty, From what I'm reading, I need to create a NAT/Filter to route from 172.30.0.0/24 to the 192.168.5.0/24 - and this will need to be done on the "provider" router. correct. you need srcnat or nat masquerade on providers interface facing the real internet. even just for lab - there is...

wiseroute

https://wiki.mikrotik.com/Manual:Spanning_Tree_Protocol beautifully explained by MT. transparent 'unmanaged' switch still forward any bpdu it received. the decision is up to the smartest switch. any r/m/stp. don't guess how the traffic will flow to which direction. dictate the flow by changing the b...

wiseroute

@ haris, I have set up the pbx with the CHR's public ip and the nat settings. you don't have to. your chr should do the translation for your pbx public ip. think this way; 1. road warrior --> chr --> tunnel to pbx. 2. chr needs to do src nat to both facing the road warrior (internet) and to tunnel f...

wiseroute

You also have to tell the PBX the public IP so that it could put it into the SIP messages. this is the most important point. sip registration needs to know open ports for communication to establish. on both sides (the caller and receiver). making the chr as proxy to re route the sip registration pr...

wiseroute

The same issue occurs when connection a ring of several switches and one of them does not have RSTP enabled - so 10 RSTP switches and 1 non-RSTP switch cause a looped network, indeed, layer 2 design can be confusing. ring topology is not the same thing as lacp pagp mechanism. regardless which stp y...

wiseroute

/ip firewall nat
add action=masquerade chain=srcnat

that part should have its output interface. otherwise you are natting the whole router interface. incorrect nat. hence you have awful nat router performance.

wiseroute

@curious, How can I configure the router to always use 10.10.0.1 when initiating a connection from local to 10.20.0.0/24? I tried adding a route with a preferred source, but this does not seem to work. well.. if you knew how to read routing tables - you don't need extended switch for pings. your 10....

wiseroute

@josephny, ii think your script output problem lies in your understanding how the script being processed by mt. packet-count=15 packet-interval=500ms thr-avg=600ms thr-jitter=2s thr-loss-percent=85% thr-max=2s thr-stdev=500ms try to add parameters one at a time and see how the netwatch script being ...

wiseroute

I have 3 VLANs that I want to connect to the internet, VL600 (Management) VL630 (LAN) VL710 (IOT). So far VL630 works some of the time. the other two appear to be connected (as shown by the system tray icon on the end user device) but go nowhere. Ping doesn't work. I can get to the gateway but not ...

wiseroute

hello mattie, I don't think so since the NVR doesn't provide any access for routing tables etc. if your nvr has wan port - it should have a default routing table to 0/0. traceroute to 192.168.254.2 (192.168.254.2), 64 hops max, 40 byte packets 1 router.lan (192.168.88.1) 7.820 ms 2.997 ms 2.780 ms 2...

wiseroute

now there's only pppoe left in interface-list wan --> no change at all, ping fails/traceroute gets stuck on router 1. ping your gateway ip (and 1.1.1.1 or 8.8.8.8) from the router with src addr of your pppoe ip. if succeed then, 2. ping your gateway ip (and 1.1.1.1 or 8.8.8.8) from the router with ...

wiseroute

ok... now try to disable that hairpin

0 ;;; hairpin nat
chain=srcnat action=masquerade src-address=192.168.177.0/24 dst-address=192.168.177.0/24 log=no log-prefix=""

wiseroute

Adding eth1, pppoe and vlan7

ok. now... exclude eth1 and vlan 7 from address -list wan.

wiseroute

chain=input action=drop in-interface-list=!LAN log=no log-prefix="!LAN" that part - try to change its action=accept. if it's working - then you need to track down how to secure that !lan 2 D 79.224.52.103/32 62.155.242.73 pppoe-t-vdsl and that pppoe was inside vlan 7. you don't have ip ad...

wiseroute

ok. let us continue with

ip firewall filter print details
ip firewall nat print details
ip addresses print details
ip route print details

please put those in separate code tag. it's better to see those output first rather than the config.

wiseroute

hello,

let us try some simple step first,

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

try to include your pppoe and vlan 7 interface to list=wan.

hth.

wiseroute

Personally, I've been a fan of some formalized "template" configuration that can be pushed from Dude, which should solve "VRRP config sync". @ammo, what if we just follow the wiki on a topic - let us say vrrp topic - its step by step manual already there - hence those are templa...

wiseroute

@trextom,

and port forwarding is not working.

update: fixed with the help of this thread. viewtopic.php?f=2&t=49581

great

but - no offense - which part of your problems has been fixed? pcc? fasttrack? port forwarding?

wiseroute

What should I do? Roll back to ROS 7.15.3?

it's definitely your call

next time - if i were you, i will definitely test drive first before live in production.

if it is really important for you - try to reach the mt support. good luck

wiseroute

@sk The diagram is correct and it works. I just need to separate the traffic on those eth ports from the rest of the network, like it is on the ISP router otherwise it bogs down the multicast traffic. I assume the best way to do this is a VLAN? ok. let's break it down nice and slowly. you said curre...

wiseroute

@sk aaa... I'm sorry i just realized that right part should go via internet. No need to fuss with two ports towards ISP router. As long as both ends properly deal with VLANs, your LAN devices (which are not supposed to see IPTV network) won't see that traffic. there you go... @mkx provided you with ...

wiseroute

hello, I'm sorry I don't quite understand this part use the CRS-317 switch as a transparent bridge. Spanning tree is set to "none," and one of my clients, through this switch, uses their own RSTP in a dedicated VLAN for redundancy. did you mean your client set their own vlan - and you let ...

wiseroute

@sk hmm... aaa... you want to relay the iptv from isp1 to isp2? isp1/iptv eoip ---> router1 --- eoip/wg --- router2 eoip ---> isp2/iptv ?? it's doable - but I don't know what will the quality be as it will travel via encrypted Tunnel. and first, let us not discuss about firewall. there are options -...

wiseroute

@alpha, Handshake is not visible in Winbox, but there is sometimes RX and TX traffic. the simplest way is just to look at the state of your wg interface whether is up or down - at your winbox The customer (Android) indicates that the connection is established, but impossible to have access to the WA...

wiseroute

make it @sindy 2 - @internet 0

and a cup of coffee

for @sindy as well

@trextom, have a read

viewtopic.php?t=142401

@mkx and beloved mt members have solid discussion about pcc and fasttrack

wiseroute

@millenium7, super 👍🏻 however occasionally for some reason the script just keeps on firing and reporting an 'up' status, even though no change in neighbors at all diagnosis, 1. if the neighbors they were really in down state without any notice - then your part of the script is in correct behavior. 2...

wiseroute

@ammo, Agree, in concept... But the problem is often "sync everything, except..." - with except part making it tricky. sounds like a developer having a tough project because the customer keeps changing his mind?? 😅 well... remembered the old days we used to do copy paste configs just with ...

wiseroute

hello,

I'm sorry we can't see your diagram in detail. it's too small and blurry.

so... the bottom line is you want to have a setup similar to voice vlan? from 4011 to 5009 using eoip over wireguard?

wiseroute

maybe you can start with these https://mum.mikrotik.com/presentations/MX19/presentation_6911_1555072199.pdf https://docs.ansible.com/ansible/latest/network/user_guide/platform_routeros.html https://yetiops.net/posts/ansible-for-networking-part-6-mikrotik-routeros/#vlans-ip-addressing-and-autonomous-...

wiseroute

I'm afraid synchronization can't be done between 2 vrrp routers - or at least that won't be easy. though it's possible. those 2 routers config mirrors each other. although the required parameters are exactly the same, but not for their value. ie. ip addresses, master-slave value, gateways etc. but i...

wiseroute

@satbox, wonderful lab 👍🏻 In my test, when one of the MLAG primary peers (SW2 or SW4) is restarted, connectivity between SW1 and SW6 is restored in about 13 seconds. this 13 second could be caused by what stp (or port - if any) mode you are using. Conversely, when one of the MLAG secondary peers (SW...

wiseroute

hello, your home lab diagram looks good 👍🏻 The way I've been using VLAN's so far is that they would be tagged to the ports in the Bridge to allow inter-VLAN routing: yes. that's correct. also there are many ways in doing vlan setup in mikrotik which you can tweak to your requirements. mt wiki. as fo...

wiseroute

it's nice to hear you have solved your qos problem. great

no offense, but I hardly see the relationship between your original question description and your solution?

tcp window size? smaller size to bigger one makes latency smaller. great

and what happened to that ether1 port?

wiseroute

the uplink sees a significant reduction on speed, when using QoS. EVEN if the speed limit is bigger than the link speed. I'm sorry, can you be more specific about that qos type you have implemented? wred? have you classify your traffic? you said uplink. did you mean you shaped the outgoing to inter...

wiseroute

@hamed,

Checked WireGuard logs for both the router and the Omid client.

Pinged the Omid IP address (192.168.10.101) from the router but received no response.

and what did those log and ping results say?

wiseroute

@edepalos, So, right now: - I have my tunnel up and running; - I can ping from my machine the anything in my office LAN (PC and hAP ax3); - I can ping from any office PC the field LAN (machine and SXT LTE6); - I can access my office PC's web server from WAN by port forwarding it accordingly (XXXXXX....

wiseroute

@patemot, any rate-limit will always produce latency. we just need to adapt or to fine tune it to an acceptable rate. latency could happen anywhere along the path. Now the weird part: The degradation ONLY happens if the eth1 is running at 2,5Gbps. If I set it to 1Gbps the problem goes away. have you...

wiseroute

hello,

/ip firewall nat
add action=masquerade chain=srcnat

that masquerade option needs output interface parameters (ie. wan internet). otherwise any communication won't work correctly.

wiseroute

@jack, What i need help with is we want to make these IP addresses resilient across multiple totally separate third party connections. We have a main supplier on each IP which currently is supplying us an L2TP tunnel type connection for this IP address on each firewall however I want to make this mo...

wiseroute

@lurker, i will assume that you probably meant to write: iptables - t nat -a output -s 177 -o wan1 - j snat -to 210 no no.. it is literally -s 210 -o wan1 -j snat -to 210 ok. let us try to break down @divb first scenario: - vlan bridge/loopback/wireguard listen ip 210 - wan1 ip 177 no nat. full rout...

wiseroute

@lurker, ok. let us go back to the first problematic ip from the @op - which is 210. and not 177. how about if we use this output nat just to force the output ip using 210 - because the @op said he doesn't have any problem reaching that ip 210 from the internet (full routing)?? iptables - t nat -a o...

wiseroute

hello, - Connect two sites via a site to site tunnel - On every site I should be able to connect with clients (smartphones, laptops) from anywhere in the world - Beeing able to route traffic from one client through the site to site tunnel to use the public ip address from the other site. the first p...

wiseroute

@cgg, It doesn't matter which of the router's addresses the external user used as endpoint address for the WG connection. well, if @op would listen to put wg to listen on interface address 177 (which is persistent in terms of path) - then he won't have this headache resolving pref-src or nat or spoo...

wiseroute

@cgg, First create an address on the lo interface, let's say 10.20.30.40/32 in case you didn't notice - that 210 is the bridge/loopback address which the wg listen to. the exact same thing as you have proposed. the @op scenario and problem was full routing on 2 wan interfaces and the wg bridge (he e...

wiseroute

@divb, I assume it's a bug (or at least very bad implementation) of wireguard that does not set source address properly when generating local packets. ok. let us find out... you have 3 interfaces in the router. 2 wan and 1 loopback (wg ip). now... from those 3 interfaces - 210, 253, 177 which ip did...

wiseroute

@akarpas, quite agree with you that native windows VPN app is very limited but as well as Mikrotik has some limitations to achieve this scenario. well, i think mt has implemented plenty of current vpn solutions standards. as well as ms windows. for a start, tell us about your road warrior operating ...

wiseroute

@anav, the question becomes. Can the wireguard application be separate for each user on a PC. if yes, this is super simple according to these.. https://www.wireguard.com/quickstart/ https://www.wireguard.com/xplatform/ any wg Initiator should read from local wg.conf - so wg seemed able to differenti...

wiseroute

hello, PC on site B has multiple users. yes. a single computer can be used by many users. but mostly only 1 user can control security devices - which is admin/root. for user space vpn - you might read OpenVPN on the wiki page. but... your problem is on your road warrior computer - not on mikrotik de...

wiseroute

@mian, have found what caused the drop in low data between WAN and LAN. I had 100 Simple Queues when I disabled it, It sorted out everything. All data on WAN and LAN is now the same. what do I need to do in Queues which pass equal data between LAN & WAN I don't know what's wrong with Queues asid...

wiseroute

hello,

you might want to read this wiki

https://help.mikrotik.com/docs/spaces/R ... Pv6Address

wiseroute

@mkx, can we route something without knowing where to go for the frame? and vice versa - can we forward a frame if there is different ip sa-da without router? so, i guess basic functionality only limited by which part of the osi or tcp/ip stack we want a device operates. as for the hex and css, haha...

wiseroute

@divb, "try having lamp stack with ssl, or build ipsec using your scenario - and see what happens." Works flawlessly I don't know how you made your scenario work for it - but if you did, probably the whole world won't need for complex load balancers and proxies. just to keep persistent ses...

wiseroute

@dwosky I've checked and Mikrotik has the hEX PoE router that seems to have the PoE+, but I don't know if I'm able to configure it like a switch, so its able to also see the devices connected to the first router as well as internet access. Will this work or should I get a switch instead? Any other s...

wiseroute

+1 with @ldb @jvanham Would something like this work, such that the client routers could obtain an IP address from the Radius server? radius (nas server) only handles AAA (users and password, mac addresses etc - as defined in attributes) requested by routers (nas clients) . it needs to work with dhc...

wiseroute

@maggiore, A single bridge with all the ports on it. Uplink port 10G all the ports to servers with 2.5G (each server has 2x2.5) I have tried configuring the bond to LACP, I am not able to saturate the uplink. There is an evident buffer issue. I'm sorry I don't quite understand your question. i mean:...

wiseroute

move the electronic device outside the conditioned space, again leaving just the probe in the tested environment? that is what i have did. the controller itself doing fine - the only thing is that the probe sensor are broken because of wet and humid. so the whole device is unusable. did recalibrati...

wiseroute

How humid does a mushroom environment get? I use TH316 and humidity rises quite high and haven't had a problem. well, theoretically it supposed to be around 80 to 85 rh. but that doesn't work for my mushrooms - with the results of the mushrooms being too wet. so i kept it around 65 to 75 rh. our ch...

wiseroute

@josephny, Thank you for the familiarity with my environment! well, i have used to put few sensors for my mushrooms production growing chamber (to power on automatic misting devices). but not so much luck as the sensors kept broken all the time by humidity and water vapor. the co2 sensor is the most...

wiseroute

@rplant If I disable uplink 192.0.2.253/31, everything works as expected and I can establish a successful connection via an iPhone (and ping through the tunnel). However, if both uplinks are up, I get the handshake failed on the iPhone client. The package comes in via 192.0.2.249 interface, and, acc...

wiseroute

Despite trying various configurations, I have not been able to achieve the desired result. as holvoetn and potemot suggested, to lower down their bandwidth 👍🏻 while vpn or doh can be drop. a web proxy and safe dns can be useful as well in addition to your l7 filters. if your l7 filter didn't work, ...

wiseroute

@josephny, wifi with its all good and downside (noises, los, weather, winds).. loosing signals is probably common, but having to power cycle the device is another thing. are these ecobee thermostat for the greenhouse? while you're looking for something in their data communication - if they are jammi...

wiseroute

rextended, My edge firewall work not on bogons, but only on allocated. well, aside from the real bogons - any legitimate ipv6 network leakage can be considered as bogons as well. but, i like this one - creating a sandbox this is a simple and very powerful one 👍🏻 Drop on output everything except my I...

wiseroute

So where is all the help when needed by certified Users then ??

as the marketing said:
the forum is community edition version of help,
the consultant is subscription edition version for certified users

wiseroute

hello, no problem. we're all happy to help 👍🏻 so to make things clear, site a, 33.0/24, internet site b, 88.0/24, internet-client When on site a the force site B routing rule is enabled 192.168.88.231 is able to retrieve responses from 192.168.33.0/24 but not from the public internet. yup - that is ...

wiseroute

1 router.local.lan (192.168.88.1) 0.125 ms 0.084 ms 0.110 ms 2 router.local.lan (192.168.88.1) 0.140 ms !H 0.118 ms !H 0.121 ms !H that showed correct behavior for the ip rule to flow through the tunnel, except that either: 1. you don't have gateway installed for the tunnel (to remote router). 2. y...

wiseroute

hello 👋🏻 How could I debug what's going wrong? how about : 1. check default route on the computer and the router. there should be 2 default route entries. make your tunnel gateway route have lower metric so that the request will use the tunnel. 2. ping and traceroute to the website. this should show...

wiseroute

@dcavni, There realy is nothing in logs. i only see, that EOIP went down. are you sure about that? are there any wireguard error as well or not? here is the thing... if the eoip dropped without wireguard being down - then it's obvious that the problem isn't the isp - it's your router. maybe there ar...

wiseroute

hello, However I need to add the ability for the azure cluster to access a specific website through the tunnel and out of the mikrotik instead of out of their local fortigate, aaa... so basically it's the other way around. ok. just mirrors my solution. 1. src nat (masquerade) at the fortigate tunnel...

wiseroute

hello,

you can use winbox, go to switch menu, and mirror your monitored port to suricata port.

https://help.mikrotik.com/docs/spaces/R ... p+Features

wiseroute

@dcavni, please give us the latest syslog output for the wireguard and eoip error - so we could trace what is the culprit with your tunnel. I don't think that the problem was from the isp - although it could be. as you are leaving a half close connection for the tunnel. Could this be automated in so...

wiseroute

@abbi, yes you can request a /64 to hurricane - it's valid internet routable ipv6 address block - but as long as you use their tunnel service because those blocks are in their bgp as. but it is ok if you just want to use their ip internally for your lan (without going outside to the internet, which ...

wiseroute

hello mcfix, have a client with an azure avd cluster behind a virtual fortigate, and a peer tunnel to their hq that sits behind a mikrotik. They have a website they need to access from their virtual desktops, but the website blocks the external IP from the fortigate due to it being in another countr...

wiseroute

hello michallin, This works well when subnets of system's router and user's router differ. We have set "quite random" subnet range (eg. 192.168.153.0/24). Nonetheless, there is possibility that user will have a same subnet. even if those users were on the same office - as long as both rout...

wiseroute

@cgg, No the ISP is not correct. Per RFC 7368 it really depends on how you defined an isp. that rfc referring to which tier the isp belongs to, and in which country the isp operates. don't expect tier 2 or 3 isps will give you a full /48 without rent it from internet registry. probably android ipv6 ...

wiseroute

hello, contacted my ISP and they said that they give out only ::/64 IPv6 prefixes to customers. Which means I have no ability to create my own subnets in my network since IPv6 works on the 64 boundary. the isp was correct on their point of view about the /64 block. that is their block assignment bou...

wiseroute

hello,

can you give us some examples output? just 1 line sample could be enough.

Interface and ip address print, for the pppoe server and client.
ip route, from the server to pppoe clients

and where did you put your pppoe client Interface? on separate interface each - or in a broadcast bridge?

wiseroute

hello, edge-02] /routing/bgp/advertisements> print count-only where peer =CUSTOMER1-v4-1 && dst in 200.0.0.0/8 12357 [edge-02] /routing/bgp/advertisements> print count-only where peer =edge-03-v4-1 && dst in 200.0.0.0/8 11119 does that customer1 act as ebgp peer? a leaf one or transi...

wiseroute

d1lazarus, i have read some of your previous posts, probably you have a wrong solution design, the wrong application for your streaming service requirements. this... So on the WAN interface we would use a private IP address to each router. VRRP2 RTR 1 = 192.168.1.40 RTR 2 = 192.168.1.50 VRRP Address...

wiseroute

hello, Maybe I'm just missing the most obvious solution here ? the loop problem already there between those 4 devices : edge1,2 and core1,2. how did you manage to get those devices running? do edge1 and edge2 vrrp inside interfaces as active - backup? if the existing core1,2 don't support ospf - the...

wiseroute

@hesaam, How can I establish a connection between **main Table** and **Table_ISP1** so that I can access the devices on `bridge1` from my MikroTik router? from where did you connect your ovpn client to the router? was it from the lan side of the router or from the internet side of the router? have y...

wiseroute

interesting idea

did you literally mean synchronization? or did you mean orchestration?

what kind of vrrp parameters value do you need to synchronize?

wiseroute

hello,

ok. nevermind.

have you read this wiki?

https://wiki.mikrotik.com/wiki/Manual:S ... sMAN_setup

--- additional

https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot

maybe it can help you with your user login problem.

wiseroute

hello, Is there a way to map the port 53 on both IPs as failover? e.g. If 172.168.188.10 (ns1) is down to switch to 172.168.188.11 (ns2). I'm using RB5009 (ROS 7.9). the short answer is no. dst-nat can't do target weighting. you will need to add another machine behind your router in front of your ta...

wiseroute

hello, Site A - HEX s - With public IP -Interface Wireguard 4 -allowed addresses 10.10.200.0/30 is that 200.0/30 between site a and your phone? have you allow that subnet on site b? from phone to site b, ip route site b via wg site a. from site b to phone, ip route phone via wg site a. --- addition,...

wiseroute

hello, stuck with letting remote user(s) connect to the other remote sites through a existing wireguard connection to the main site. from your diagram - apart from any firewall problem, - do you a working bidirectional route from the wg2 clients to wg remote sites? - tools : ping and traceroute with...

wiseroute

hello, aaa.. a campus topology. does your university consist of separate building for each faculty? well, your question won't take a short answer. for this part, So the questions, How should I configure the HotSpot so that: It can work besides PPTP server? I mean, client either logins to PPTP VPN, o...

wiseroute

hello, hmm, done some reading on few lines of your fw rules, i think those are nice rules. if i may suggest, there are many types of firewalling based on these: layer 2, layer 3 and layer 4 and above. and the most important thing is to understand: - whether any set firewall rules need to be in state...

wiseroute

hello,

as requested,

for crs 1x and 2x

https://wiki.mikrotik.com/wiki/Manual:C ... s_examples

for crs 3x

https://wiki.mikrotik.com/wiki/Manual:C ... s_switches

hope this helps.

wiseroute

hmm, just to summarize all of the above suggestions: 1. dhcp snooping is mainly applied on switch level. so if anyone considering to get any manageable switch - they should look at this feature availability before they buy. it is really nice feature and important one. 👍🏻 2. if your 4 switches are ma...

wiseroute

@ nescafe2002,

nice pointer. i didn't notice that page

@ thomas,

The question here is, if the NAT on Mikrotik becomes a problem with a time of around 30 minutes with no communication on a specific NAT connection.

maybe you can try to tune it by @ nescafe2002 pointer.

wiseroute

hello, interesting 🤔 i barely pay attention to that details 👍🏻 did you host imap server internally or you were just asking about how long for your router to close your outgoing imap? i myself prefer to choose idle time is set by the server. but as for the MT firewall nat time out - maybe you can rea...

wiseroute

hello, occasionally the items stop polling, the monitored interfaces (about 800) have a polling time of 40 seconds. do you know of any mikrotik or Zabbix bugs? this one is a classic snmp problem. and generally, any polled devices - in their normal operating condition - will have no problem replying ...

wiseroute

@ anav

lightened up... let us say it is guessing week

no worries... you are invited

wiseroute

@ anav The openwrt LAN traffic will come in on ether3 untagged and we can tag it with vlan2 and move it to other ports on the MT are you sure this won't make l2 loop? openwrt LAN traffic is coming tagged from the openwrt. that's what I have suggested in my reply 😉 NOW WHICH DEVICE MT do you have ......

wiseroute

hello, But while my WAN port is a member of this bridge, it seems the NAT masquerading doesn't work since any appliance in the LAN isn't able to connect to the internet or other addresses in the WAN network. first advice is... if you don't have any urgent need to bridge wan interfaces - i think they...

wiseroute

hello, from this point, Forward all traffic from ONT from ETH1 port on MT to port ETH2 on MT (connected to OpenWRT) - VLAN untagged ETH1 - VLAN tagged ETH2 - erase public IP on MT those 2 interfaces should have the same vlan, let us say vlan 5. now, the first problem you will encounter in configurin...

wiseroute

@ miankamran, are you sure your *switch* was cisco sa500? doesn't look right? 🤔 Cisco https://www.cisco.com › obsolete Cisco Small Business SA500 Series Security Appliances anyway... with your current drawing, dynamic vlan can't do what you have in mind. so, the simplest way is : 1. make 2 vlan on M...

wiseroute

@ normis,

you really have a nice green view there, wonderful 👍🏻

well, maybe the next 2023 MT MUM it knows where to go... coffee ☕ on top of that cable roller, funtastico😉

wiseroute

hello, interesting... are you some kind of isp? 🤔 Clients connect to switches using Ethernet cable or Wi-Fi bridges, login to PPTP VPN and use network. We use PPTP to limit bandwidth and weekly traffic usage. are you sure - that was pptp vpn you are using to manage your subscribers? typo? However, P...

wiseroute

how'dy down under 👋🏻 everything looks great. you are good to go 👍🏻 on rb5009, - make a single bridge. - make 2 vlan iface : ip 10.0/24 and 200.0/24 - put ether2, 5-8 on the bridge. do bridge vlan filters. how to guide available on MT wiki bridge vlan. - make your ap in bridge mode. plug in ether2 vl...

wiseroute

hello nima, The service provider of point B informed me via email that a portscan has happened from this server (point B). for the first part, you should request any logs from your provider about their claims (to which target your router b did the scans). otherwise you will get busy for nothing. sec...

wiseroute

@ pe1chl,

are you sure about that?
wpa2/3 etc don't work any longer?

hmm, what does @op role anyway? internet cafe or something else?

wiseroute

@ primeyeti,

can you show us your drawing?

well, vrrp is very nice protocol - but it is considered *old* and not too flexible to manage.

at least you should give a dynamic routing a spin.

wiseroute

@ essam, peoples are sharing my internet with WiFi Scanning. how I can stop users from sharing my hotspot. maybe some basic approach? 🤔 1. don't broadcast your wifi ssid. 2. macaddress filters. need to register their macaddr before making the connection. 3. userman. radius. etc.. hope this helps.

wiseroute

@ holvoetn, don't worry, your proposal was totally correct - to change the remote subnets. so @op network will be scalable in the future. while my proposal was *options* - promoting MT own bridging vpn protocols 👍🏻 maybe vxlan as well 😉 so now, let us give the @op a time to think about which solutio...

wiseroute

@ bencaha,

maybe you want to read these guides

eoip :
https://wiki.mikrotik.com/wiki/Manual:Interface/EoIP

bcp :
https://wiki.mikrotik.com/wiki/Manual:B ... _bridging)

hope this helps.

wiseroute

hmm... interesting

never tried myself - and i think it is difficult to see the point of having it.

anyway... have you read this guide?

https://docs.cilium.io/en/stable/network/kube-router/

wiseroute

hello,

you might want to read this post, i have made a simple ospf interface path priority lab - almost similar to your problem.

viewtopic.php?t=196850

hope this helps.

wiseroute

hello, hmm, interesting 🤔 maybe... if all of these older devices are failed in the upgrade process - probably those devices are not supported by the v7. so they will have at max. v6.48? if there are some that succeed in the upgrade - then this will lead you doing some kind of device sorting. and ask...

wiseroute

hello, As far as I know, priority is used to determine DR and BDR roles... that's router-id in ospf instance config. I was referring to interface path priority - not related to any dr-bdr roles. For the ECMP part you mentioned, I should see two different next-hops and not the same. two different nex...

wiseroute

hello,

have you read this wiki?
maybe it can help you.

https://wiki.mikrotik.com/wiki/Manual:C ... s_examples

wiseroute

hello @miankamran, yes, But I want my users to use ether-2 for IP telephone and ether-5 for the internet. you can just plugged the phone directly to the router. or, if you have any spare budget - you can get a manageable switch for your network. if you have configure the router correctly - maybe you...

wiseroute

hello eabs, once you remove the customer from the Active & Host List of hotspot tab , then customer starts to browse again. have you set user connection limit? maybe your router running out of port for nat translation. for heavy tabbed internet browsing - you should limit user session/connection...

wiseroute

hello,

after this, I plug the ether-2 wire into the unmanageable switch and also plug ether-5 in the switch but my users are facing problems with the internet.

did you plug those 2 cables on the same switch?

if yes, it is looped.

wiseroute

hello, for this part, have two GRE tunnels between them one with a symmetric cost of 100 and the other 200. The v7 router, instead of choosing the least cost for the networks advertised, load-balances the traffic between the two GRE tunnels (192.168.106.20/30), use path priority instead of path cost...

wiseroute

hello msanaii, is this setup - a triangle shaped between those 3 devices? |-------- mt1 path 100 nsx | | |-------- mt2 path 200 am i correct? are you just want to drive the traffic to use mt1 as main, and mt2 as backup? just use lower path priority for the mt2. ie. mt1 128, mt2 64. hope this helps.

wiseroute

@ anav Just to be clear this is advanced tweaking not for the normal home user? Y/N yes and no. yes, if you feel you are being blocked by remote server (ie. www) and your internet became deteriorating because the effects of remote end closing your router ports aggressively. check cmd> netstat -a see...

wiseroute

@ op,

I'm not certain-certain but the IF is up,

your router needs to listen on different port - for the wg tunnels to be usable. ie. 13231 for nordvpn and 13232 for purevpn.

wiseroute

hello shirenzo,

/ip firewall nat add chain=dstnat action=dst-nat dst-address=100.100.100.100 src-address=10.10.10.100 dst-port=25 to-addresses=10.10.10.100 protocol=tcp

you don't need that src-addr.

and specify which interface should listen for the incoming traffic to be translated.

wiseroute

hello Maxwell, glad to hear you have solved your network 👍🏻 The design requires that sites 1-3 from the original diagram are able to access the public internet without first going through the Main Office. Therefore, non-office bound traffic was being masqueraded on the public interfaces of router1 a...

wiseroute

hello,

hmm, interesting

Customers randomly are not able to browse, we have noticed that those cannot ping to their Gateway.

did you ever check how many users connected to the hotspot?

did you provide enough ip for both authorized and unauthorized hotspot clients?

wiseroute

hello @op,

are you sure about this wg interface setup?

/interface wireguard

add listen-port=13231 mtu=1420 name=wg1-nordvpn

add listen-port=13231 mtu=1420 name=wg2-purevpn

wiseroute

hello,

maybe you want to read this article?

https://www.educba.com/nginx-gateway-timeout/

hope this helps.

wiseroute

hello, So there are no switching needs at all between the LANs, each kid only communicates and connects to the internet out through the OpenBSD router. so, do you think it is possible to forward lan traffic to the internet without switching? 🤔 anyway, never tried that openbsdrouter project myself - ...

wiseroute

hello, so one of the problem was We have one customer were the internal network will not be routed right. it is the ip 185.199.107.19. maybe this? add blackhole disabled=no distance=1 dst-address=185.199.104.0/22 gateway="" pref-src="" routing-table=main scope=30 suppress-hw-offl...

wiseroute

hello, ospf neighbor discovery using multicast address 224.0.0.0 - you should allow that address to flow inside the wg tunnels. or... you can specify ospf interface as ptp with unicast static neighbors. so... there are a lot of subnets to pass the wg tunnels : ospf itself and the rest of the network...

wiseroute

hello,

is this ccr in production or just feeding test?

which routeros version? and in what role? i mean: ebgp/ibgp? direct peering or rr-client?

if you have sample config and screenshot - maybe @mrz could help you.

wiseroute

hello Glinka,

However, this doesn't seem to have fixed the problem, and the wifi clients still cannot connect.

ok. let us see your MT dns settings,

and tell us how do configure your wifi clients ip settings. which device gives ip settings to your wifi clients? MT or your wifi box?

wiseroute

hello,

you have a nice new router there

where did you place this new ccr1072? p? pe?

i think you should contact @support for better response - don't forget to attach some comparison screenshot between the old ccr and this new one.

good luck

wiseroute

hello glinka, I'm not sure if this is what you are asking, but foo.bar.com directs to my external IP. This mapping is propagated to all DNS servers. Hence anyone can access my external IP via this domain. ok... where did you hosted your foo.bar.domain? did you rent this domain and host it on the int...

wiseroute

@ primeyeti, I would assume they had NAT traversal enabled on the tunnel. I will double check this with them no no no.. nat traversal is on your router side to configure. There is only a single WAN so shouldn't be an issue of it coming in one WAN and attempting to leave via another if that's what yo...

wiseroute

hello, $ ping foo.bar.com PING foo.bar.com (<external IP>) 56(84) bytes of data. 64 bytes from <my ISP's domain name> (<external IP>): icmp_seq=1 ttl=64 time=3.96 ms is that foo.bar.com dns domain hosted on the internet? if yes, then you could make secondary dns server for lan user on MT : - with pr...

wiseroute

hello Thompson, Action: Redirect The domain stops working. How to proceed in this case? Can someone help me? since we don't have any idea which/what version of your ms ad platform - i only could give you general explanation. ms active directory works on top of its own dns server service (it has to b...

wiseroute

hello, so, where did you host this dns server? on the internet or locally hosted? did you have a dedicated dns server for this domain or you want to make routeros to host your domain? if this domain is actually hosted on the internet, you can dstnat that domain for local lan user directly to the tar...

wiseroute

@ primeyeti i manage a Mikrotik that sits in front of a customer's firewall in which we dstNAT all traffic from the router to their firewall. The client side of the IPSec site to site is on the customer's firewall. did you do ip or port based dsnat? i think you need to know what firewall they have a...

wiseroute

@ tangent

which I count as "mission accomplished" when it comes to the edit, but you tell me; should I have left it as-is or put the breaks in somewhere else, or rewritten it for formatting, or…

nahh.. nevermind, mission accomplished.

let us get some coffee

it is late already

wiseroute

@ pe1chl

Probably when this happens and there is enough load, the result is packet loss due to buffer overflow?

can you try that @ gavinj suggested - hw=no?

wiseroute

@ tangent

I'm sorry, are those @op outputs not being altered by your edits? it is a bit difficult to read the outputs.

@ pmsfm

which router is this on? v6 or that v7?

routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never

wiseroute

hello pmstm, aaa... ok, you have intra area there 10. which router advertise the default route 0.0.0.0/0 - and in which area? backbone or 10 ? i don't see it in your outputs. this instance=default router-id=10.1.100.71 address=10.1.1.114 interface=ether1 priority=1 dr-address=0.0.0.0 backup-dr-addre...

wiseroute

hello from this guide, https://wiki.mikrotik.com/wiki/Manual:IP/Neighbor_discovery it said: Summary MikroTik Neighbor Discovery protocol (MNDP) and LLDP allows to "find" other devices compatible with MNDP or CDP (Cisco Discovery Protocol) or LLDP in Layer2 broadcast domain ip connectivity ...

wiseroute

hello,

I'm sorry I don't get your question - can you explain this?

Now I would like to route two (fixed IPv4 address based) outgoing WireGuard peers through the second WAN. All others through the first WAN.

do you mean:
outgoing wg should go out on wan2, and regular traffic go out on wan1?

wiseroute

hello vadimkara,

. I can ping and access other filials they can ping me but opening ports just hangs from filial to center.

can you show us your ping and traceroute output, from the branch to the central, and vice versa?

if you have a tcping or tcptraceroute output would be nice.

wiseroute

hello,

so, your local lan routes goes out of local router - before reaching its local destination?

you might want to read this guide :

https://wiki.mikrotik.com/wiki/Manual:B ... _Algorithm

wiseroute

hello can you give us some examples config between 2 neighboring v6.48 (which got that default route) and v7 (which not having the default advertisement) - and their ip route output between those 2. just ospf related part config will suffice. also, do you have any route filters on incoming route to ...

wiseroute

hello

have you follow this guide,

https://wiki.mikrotik.com/wiki/Manual:Interface/OVPN

try post your config - so that forum members can help you.

wiseroute

hello tomas, for basic remote desktop 1 to 1 connection, maybe you might read this article : https://learn.microsoft.com/en-us/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access or, if you want other simple rdp software : https://www.tightvnc.com/ and many others. i th...

wiseroute

@ rextended,

this is a good one,

The source IP of the tcp-reset-attack is the same, or it appear to be the IP of the remote site requested?
If is the same... just drop that IP...

hmm, i have forgot what was that tool to check...

netstat -a??

wiseroute

this is the last part from your referenced link above. To help protect the router from TCP RST and SYN DoS attacks: Issue the tcp ack-rst-and-syn command in Global Configuration mode. host1(config)#tcp ack-rst-and-syn Use the no version to disable this protection (the default mode). and I don't know...

wiseroute

Any attempts to open blocked domain will be thrown into ERR_CONNECTION_RESET in Chrome and PR_CONNECT_RESET_ERROR in Firefox (see ... This indicates that a middleman had sent a RST packet, masquerading as the endpoint. first, any isp (read : routers) are mitm - in terms of traffic routing. second, ...

wiseroute

My ISP employs DPI and as one of its strategy is to use TCP Reset Attack

reading your post,
the first thing comes to my mind is:

how do you know that?

wiseroute

if I got it correctly: need to create the same wireguard tunnels from each branch to the new backup router. yes. so there would be 2*4 = 8 tunnels to both primary and backup. Still don’t understand what routing protocol i’d need to implement in the case main router goes down and backup router shoul...

wiseroute

the backup router has a public address. I can't mesh the branches between each other. Am I understanding correctly? let's make it simple... you can have either another wan for hq as backup link to connect those branches. high availability in single router with redundant wan. example: mt wan1 main l...

wiseroute

try to rent a vps on cloud.

install a chr on it. make it a secondary backup route server to overcome those cgnat.

but note those bandwidth traversing that router.

if your branches only use for online transactions - i think the vps bandwidth should suffice.

as long as you aren't huge files.

wiseroute

yes.

hq to a (backup), b, c, d.
a (backup) to hq, b, c, d.

partial meshed.

the dynamic routing protocol is used only for hq failure take over. hq and backup router path priority can be adjusted to your needs.

wiseroute

@ kartone The weak point is clear here: the central router. Ideally we would create another router, with a different link, that needs to take the ownership of routing the traffic when the other (central) router goes down. that's a good point. so there are 5 sites : hq and 4 branches. take one of the...

wiseroute

@ darci Are there any alternative solutions for redirecting them? well, basically - a port is just a port. but... a port will be in different state if it was used by an app. some app can take redirection - some with ssl (read: certificate) planted in it can't take redirection. there are differences ...

wiseroute

@ chaosphere64 Context: I have a FW that acts as DHCP server and sends the local domain as default and also as Domain Search List via DHCP. It seems like the MT devices don't pick that information when configured as DHCP clients. As a result I can't ping all other devices in the local network just b...

wiseroute

hello,

can you show us your topology?

wiseroute

hello What is the "best practice" here? I've tried building something with the help of ChatGPT but I think I am going nowhere. I also do lack of knowledge of queues/QoS in general, so please be kind with me. 8) really? you have asked bots for your settings? 😂 I'm curious... what did the AI...

wiseroute

I'm sorry, i thought i have asked you that cli output?

Interface print

interface bridge port print

wiseroute

@ werdarrfr congratulations! hmm, in case you interested in - what i thought - more simple way... let us say - MT with 4 ethers : - mtcp router, LAN : 192.168.100.253/24, WAN : 172.16.1.2/24 (masqueraded) - lte router, LAN : 192.168.2.2/24, WAN : 172.16.1.3/24 (masqueraded) - MT, to-mtcp : 192.168.1...

wiseroute

hello, 7 chain=dstnat action=netmap to-addresses=192.168.88.71 dst-address=1.1.2.85 in-interface=ether2 log=no log-prefix="" 8 chain=srcnat action=netmap to-addresses=1.1.2.85 src-address=192.168.88.71 out-interface=ether2 log=no log-prefix="" please note that netmap is 1 to 1 ip...

wiseroute

@ werdarrfr,

aaa... you have multiple gateways there.

in that case - this will help

https://wiki.mikrotik.com/wiki/Manual:P ... _Balancing

don't overlook at the load balancing part - but focus on the classifiers to drive 10.10.2.0/24 out to your mtcp router.

wiseroute

hello,

do you mean the last bridge number 11? with id 0x00?

please show us your:

interface print

interface bridge port print

wiseroute

hello What I would like to do is a default route but taking into account only a source address (10.10.2.0/24). I'm sorry, but your setup and your requirements just doesn't make sense because your MT only have 100.253 as gateway? or do you have any other gateway on MT? let us say you make a PBR class...

wiseroute

hello challenge here, for me, is that the VMs are running in different hypervisors. hmm, how many hypervisor host connected to this ap? 1 host with multiple hypervisors? or different machine for each hypervisor? do you mean: you want to interconnect vm's under those hypervisors in other vlan than th...

wiseroute

@ sebus, If I make the port on D-link untagged VLAN 21 , W70B gets 192.168.21.2 and Registration FAILS (yet full access to Internet from this VLAN exists) that was your first problem correct? now, this on your router - where did you put vlan bridge config for tagged and untagged port? 13 R vlan21-ip...

wiseroute

bgp session is on tcp 179,

maybe you either accidentally dropped it in your fw rules - or you have misconfigured somewhere else.

wiseroute

hello wetdarrfr,

is this your setups?

10.10.2.0/24 ---> MT ---> 100.253

https://wiki.mikrotik.com/wiki/Policy_R ... uterOS_3.x

wiseroute

hello croissante, thing is when create a bgp-vpls tunnel from PE1 to PE2 the tunnels form with the peer being the route reflector! and it doesn't even show up in route reflector or has the Bgp signaled flag. can we take a look at your sample output here? along with these 2 part samples tried lots of...

wiseroute

@ Maxwell,

went ahead and tested changing the router priority at site 'D' to 64, but I'm still having the same issue

no no. that 64 is the lte path priority, with its default cost you have set = 500. not the router priority.

hope this helps.

wiseroute

hello graham, On a Linux Mint host using VirtualBox as the hypervisor, with 3 three Debian 11 VMs along with the Router OS VM ok. since i think it was easier to rolls out those vm in Linux - maybe you could try this example steps - with 3 vnic and 3 bridges for the router : 1. Linux and vbox are set...

wiseroute

@ sebus46

i thought i have requested you for

interface bridge vlan print

wiseroute

hmm.. what platform did you use for this setup? windows/linux? VMware/vbox? Looking at the above I notice that ether2 and the bridge have the same mac address. Is this normal / significant? hmm... under basic bridge this is not normal. try to change its Mac address to say 41. and let see what happens.

wiseroute

@ nikolay have gaps in the server configuration, wouldn't that affect the OpenWrt clients that work normally? I don't have any objections with your openwrt output. let us just focus on the MT to your server part. ok. i saw that you have changed your MT client ip 1 D 10.8.0.114/32 10.8.0.113 ovpn-out...

wiseroute

hello am new to Mikrotik and everything i know now is learnt from Youtube and Testing. it's great to have a wonderful learning curve. keep the spirit 👍🏻 and of course MT would love to have you as their next mtcine👍🏻 as for your dream network... i think it is better to wait for your isp to do their w...

wiseroute

hello If I attach clients to the bridge connected to ether2 everything is OK, but connecting any clients to the bridges connected to ether3 or ether 4 fail. do any vms attached to ether3 or ether4 have dual nic connected to both bridges? (as in some kind of bonded interface? no?) ok. let us see your...

wiseroute

@ mwaqsaziz

ISP will provide 0 help, I have asked them how to configure IP POOL they said your headache,

the problem is - if your ISP locked down their router then you can't do much with your router.

so, be nice with your isp - and ask them politely, maybe they will help you

wiseroute

hello

ups... wrong post.

--- edit

you might want to read this first

https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

your requirements on the l2tp server profile section.

hope this helps.

wiseroute

hello

is it possible to ping Miktotik router from public? If yes! How to configure my routers?

yes. it is possible - but it is easier for you to get help from your isp directly. because forum members don't have any idea/privilege on your isp router.

hope this helps.

wiseroute

hello nikolay, this part on your MT router - ovpn client DAc 10.8.0.113/32 ovpn-out1 0 doesn't match with any of your ping result output (the second picture) - that is why you don't see any ovpn interface traffic on your first picture. maybe you might have missed the client config on your ovpn server?

wiseroute

@ holvoetn Not sure what you mean with 1:1. as dedicated 1 ip 1 user (exact measurements of dhcp pool allocation). and the line being not over crowded/over subscribed 😀 500/30 - 1/6 compression. i think it's above normal for home subscription, don't you think? 👍🏻 ok. back to the topic.. so, is this ...

wiseroute

My network leases transit and an IP space of 1.0.0.0/24 to CompanyX CompanyX pays me for 150/150mbit of bandwidth to the internet CompanyX has 2 sites that connect to my network, and I also sell them capacity into my network at 100/100mbit for each site aaa... ok. you have played both l2 and last m...

wiseroute

hello smithg400 In each case the virtual machines were setup with 4 network interfaces and these are configured so that ether1 is attached to Bridged Adapter (virtualbox) / Network Bridge (hyper-v) and ether2-4 are attached to separate internal networks (virtualbox) / private virtual switches (hyper...

wiseroute

@ millenium7 i am sorry don't quite understand for the first part of your questions. can you be more specific? for the second part, imho, although everything is up to you as your own network operator - but I think it is better to leave your client doing their own bgp peering directly to ix. otherwis...

wiseroute

@ holvoetn

(though in practice I have never seen it change the past years).

it's good for you

and I could imagine that your line rate never below 75 percent of your service plan? maybe 1:1 subscription?

wiseroute

@ kentzo

maybe you might want to read this article

https://www.techtarget.com/searchnetwor ... lems-occur

you will find your answer there.

hope this helps.

wiseroute

hello sebus46, SIP (Yealink W70B) is on default LAN, it gets 192.168.88.20 & Registers fine at VoIP provider on Internet via DSL line out hmm, can you post your interface print interface bridge vlan print and your ip firewall rules related to your incoming sip. let us see what exactly is being t...

wiseroute

i think that's a normal dynamic behavior since you didn't put your l2tp clients as static.

for every dynamic interface links (such as pptp, pppoe etc) you will have that behavior.

hope this helps.

wiseroute

@ velis after re-read your post, I want to be able to "ping zabbix" and that would resolve to a machine identifying itself as zabbix, which is somewhere in the subnet. Right now all I can do is "ping 192.168.237.22". i think you should understand that there are 2 ways of ip addre...

wiseroute

have you tried these?

https://wiki.mikrotik.com/wiki/Setting_ ... DHCP_lease

https://wiki.mikrotik.com/wiki/Manual:IP/DNS

wiseroute

do you mean bridge nat as mac address proxy? as my experience concerned, i could barely meet or need one - both in data center and sp environment. let's say i preferred to avoid another unnecessary layer 2 headache since it's really difficult to predict its (l2) behavior, and mac address doesn't pas...

wiseroute

@ nichky https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge nat - bridge network address translation provides ways for changing source/destination MAC addresses of the packets traversing a bridge. Has two built-in chains: - srcnat - used for "hiding" a host or a network behind a differ...

wiseroute

have last two questions: 1. I will know if I will not install a next OS with the reverse proxy is there a good option to use the dsnat function for each FQDN to forward it to the correct server? 2. What is better - install a linux system with reverse proxy or use the Win Server? 1. how many public ...

wiseroute

in MikroTik, neither are offloaded to ASIC.

speaking of which.. has anyone tried to port routeros to an onie-based bare metal switches?

like those from netberg, edge-core?

wiseroute

hello, let's say I have to serve 20 clients in lan2lan, that I will have to close 20 VXLAN tunnels from one router to another only, let's say, this is an example.would it be an overhead of 20x50bytes? I'm not too well versed in vxlan since I had retired long enough to forget the industry. but, afaik...

wiseroute

@ gnoby, please explain us if this is what you meant internet(Public Network Address） connected to: wireguard(mikrotik-server ip-address10.10.10.1/24) it then connected to: wireguard(mikrotik-client10.10.10.2/24) it then connected to: PC{ win7(ip-address)192.168.0.1/24 win10(ip-address192.168.0.2/24...

Search found 437 matches