Community discussions

MikroTik App

Search found 278 matches

by llamajaja
Tue Jul 16, 2024 7:13 pm
Forum: Beginner Basics
Topic: Load balance first attempt
Replies: 6
Views: 733

Re: Load balance first attempt

The easy way to load balance on MT routers ( PCC ) is to take traffic coming from the LAN and send some to WAN1 and some to WAN2. If the throughput is somewhat equal then its a one to one type of setup. If WAN1 has closer to 2/3 than 2/4s of traffic then one could send traffic in one cycle to WAN1, ...
by llamajaja
Tue Jul 16, 2024 7:09 pm
Forum: Beginner Basics
Topic: Port forwarding with hairpin NAT and dynamic IP combo
Replies: 12
Views: 1154

Re: Port forwarding with hairpin NAT and dynamic IP combo

Sorry, none of MTs routers have the capacity to deal with the number of IPV6 numbers that one would get.
At least thats what a birdy told me, but I probably misinterpreted what I was being told.
by llamajaja
Tue Jul 16, 2024 5:44 pm
Forum: Beginner Basics
Topic: Port forwarding with hairpin NAT and dynamic IP combo
Replies: 12
Views: 1154

Re: Port forwarding with hairpin NAT and dynamic IP combo

Three things generally speaking. a. use the same format as Static IP, but dst-address-list=MyWAN (vice dst-address=) where as noted above one can use a dyndns URL as an address, could even be your IP cloud net.name. b. ensure your hairpin nat rule is in the proper format add chain=srcnat action=masq...
by llamajaja
Tue Jul 16, 2024 5:23 pm
Forum: Beginner Basics
Topic: Wireguard no handshake on iOS
Replies: 4
Views: 966

Re: Wireguard no handshake on iOS

Concur with previous posters. If your android is connecting its using BTH not regular wireguard setting Which is only required if you dont have a public IP. For client devices allowed IPs, you need either, BOTH the subnet of wireguard and the subnet(s) you need to access { 192.168.100.0/24,192.168.1...
by llamajaja
Tue Jul 16, 2024 5:04 pm
Forum: General
Topic: Recursive routing question [SOLVED]
Replies: 7
Views: 1959

Re: Recursive routing question [SOLVED]

Thank you, yes the wording was misleading ( at least to my simple brain ) , you have clarified it.
by llamajaja
Tue Jul 16, 2024 4:01 pm
Forum: General
Topic: Help feature no longer working with question mark "?"
Replies: 10
Views: 533

Re: Help feature no longer working with question mark "?"

Ketchup is for losers.................. If anything red goes on my food its hot sauce.
Sorry rextended, I assumed you were weened with vino, my bad.
Not maple syrup, but heck bacon goes with just about anything.

PS actually prefer estrella with my calamari.
MUM in Valencia please!!!
by llamajaja
Tue Jul 16, 2024 3:59 pm
Forum: General
Topic: Recursive routing question [SOLVED]
Replies: 7
Views: 1959

Re: Recursive routing question [SOLVED]

The "recursive routing" is just an incorrect shortcut for "recursive next-hop search"; the search processs has nothing to do with the actual packet flow. Okay then please explain how traffic from the user on the LAN when selecting www address, gets routed?? I am curious. :-) The...
by llamajaja
Tue Jul 16, 2024 3:49 pm
Forum: General
Topic: Trouble with WireGuard.
Replies: 4
Views: 868

Re: Trouble with WireGuard.

If your router has a public IP ( or can port forward from ISP router to your router ) do not use BTH or any automated tricks. It seems to cause issues and you dont learn a damn thing about how to setup wireguard properly especially since its not that hard. post your router config please /export file...
by llamajaja
Tue Jul 16, 2024 3:44 pm
Forum: General
Topic: Help feature no longer working with question mark "?"
Replies: 10
Views: 533

Re: Help feature no longer working with question mark "?"

hahahah, I thought the same thing when rowing yesterday 32 felt like 38 with humidity. Hard to grip the oar handles.
Drinking chilled vino over there or is that blasphemy? Sangria with ICE and some calamari .....
by llamajaja
Tue Jul 16, 2024 3:41 pm
Forum: General
Topic: Weird behavior of L2TP / IPSEC in ROS7 hAP AX3 / Arm64
Replies: 4
Views: 2848

Re: Weird behavior of L2TP / IPSEC in ROS7 hAP AX3 / Arm64

Best bet is to use net reinstall with a clean version of 7.1X of your choice. Following the bouncing bugs not sure what is the best version to use currently 7.13?
by llamajaja
Tue Jul 16, 2024 3:39 pm
Forum: General
Topic: Block 4 websites version 7.14
Replies: 11
Views: 899

Re: Block 4 websites version 7.14

Fixed it for ya........
...not everything can (or should) be "solved" at network-level via mikrotik products... RoS from 750 to ccr2216 is still RoS.
by llamajaja
Tue Jul 16, 2024 3:35 pm
Forum: General
Topic: Help feature no longer working with question mark "?"
Replies: 10
Views: 533

Re: Help feature no longer working with question mark "?"

Suffering from lack of knowledge anxiety, rextended, or simply puzzled beyond belief ;-P
Not very carbon friendly...

If work, why upgrade??????????????????
And, why upgrade without read changelogs??????????????????
by llamajaja
Wed Jul 10, 2024 6:58 pm
Forum: Wireless Networking
Topic: 60Ghz success
Replies: 24
Views: 3352

Re: 60Ghz success

Question>
(1) Why wAP 60 and wAP 60G AP?
Vice getting a wireless wire kit ??? ( assuming kit is a pre-configged wireless link with two wAP 60G AP devices ?? )

(2) Finally what ruled out the better WW Cube Pro
(longer ranges, more versatile and with 5ghz backup)
by llamajaja
Wed Jul 10, 2024 6:50 pm
Forum: Wireless Networking
Topic: 60Ghz success
Replies: 24
Views: 3352

Re: 60Ghz success

Sweet! Good proof of concept for any one here thinking of something similar. LIke the fact that the one at the 'house' is somewhat protected from the elements as well. Reminder to me that the beam is fairly focused near each device and thus clearance is not a big issue as opposed to halfway between ...
by llamajaja
Wed Jul 10, 2024 6:42 pm
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1571

Re: VLAN Issue

Yes, and if one thinks about a trunk port coming in with vlan20, it can be then untagged to a port and no definition required for the transfer of such traffic through the bridge.
What is being done is the reverse and thus your setup would seem to the correct one, not required to define.
by llamajaja
Wed Jul 10, 2024 5:34 pm
Forum: Beginner Basics
Topic: Am I being port scanned?
Replies: 9
Views: 954

Re: Am I being port scanned?

Yup, no reason normally to have UPNP enabled............
by llamajaja
Wed Jul 10, 2024 5:31 pm
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1571

Re: VLAN Issue

Understood, however since the vlan didnt exist yet (from source), I thought it was necessary??
Perhaps I am wrong, as your logic is also valid, will ask a friend.......
by llamajaja
Wed Jul 10, 2024 5:27 pm
Forum: Beginner Basics
Topic: Am I being port scanned?
Replies: 9
Views: 954

Re: Am I being port scanned?

The WWW is being constantly scanned by bots, so consider life is normal. Open ports attract more flies, one thing you can do is - ensure you have source address list for all those externally accessing your server a. users should either have fixed static WANIPs OR b. they should be able to use DYNDSN...
by llamajaja
Wed Jul 10, 2024 3:49 pm
Forum: General
Topic: What is the right FW rule to miss out the CPU when x ?
Replies: 4
Views: 384

Re: What is the right FW rule to miss out the CPU when x ?

What you need to do is copy and paste information within the same VLAN, and do this behind a SWITCH with greater than 1gig ports. Other wise a. your limited to 1 gig ports to begin with and then the ROUTING capacity of the router ( whether its between internet and vlans or between vlans Why not load...
by llamajaja
Wed Jul 10, 2024 3:34 pm
Forum: Beginner Basics
Topic: VLAN Issue
Replies: 21
Views: 1571

Re: VLAN Issue

Cat is on the right track for sure ( except he mixes up the 175 with 170 on several lines of the config ) and agree stick to private IPs within the router, there are ways to ensure external access to your LAN etc, without such drastic ideas. That requirement is secondary and can be dealt with after ...
by llamajaja
Tue Jul 09, 2024 9:42 pm
Forum: Beginner Basics
Topic: wireguard VPN and Synology NAS
Replies: 4
Views: 863

Re: wireguard VPN and Synology NAS

(1) One thing not showing on the APP config is persistent keep alive = 30s etc.. if you have such a setting. Router (3) Add the Wireguard to the LAN interface list. (4) DO NOT UNDERSTAND the purpose of this config line??? /ip dhcp-server network add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24 (5) ...
by llamajaja
Tue Jul 09, 2024 8:16 pm
Forum: General
Topic: Routing VLAN through Wireguard [SOLVED]
Replies: 34
Views: 2569

Re: Routing VLAN through Wireguard [SOLVED]

You are right, First I would burn the fritz box! Then i would need a real router.
by llamajaja
Tue Jul 09, 2024 8:12 pm
Forum: Beginner Basics
Topic: Masquerade rule without source address doesn't catch wireguard traffic.
Replies: 5
Views: 952

Re: Masquerade rule without source address doesn't catch wireguard traffic.

Good day, As usual, I disagree, otherwise, the world would have frozen over, The discussion above I provided, expressed the viewpoint that we were talking about local LAN users entering the wireguard tunnel and heading outbound to a distant site for internet. In this case your comment does not apply...
by llamajaja
Tue Jul 09, 2024 7:14 pm
Forum: Beginner Basics
Topic: Masquerade rule without source address doesn't catch wireguard traffic.
Replies: 5
Views: 952

Re: Masquerade rule without source address doesn't catch wireguard traffic.

You do not provide enough context. If you have wireguard traffic leaving the router it has nothing to with going out your WAN on ether1. In fact, in general, one has no need to specify the WAN interface because we use interface lists /interface list add name=LAN add name=WAN /interface list memberes...
by llamajaja
Tue Jul 09, 2024 6:19 pm
Forum: General
Topic: Winbox feature request: ICMP/Port Knocking for administrative access
Replies: 25
Views: 1465

Re: Winbox feature request: ICMP/Port Knocking for administrative access

The only reason to use port knocking is if there isnt any other viable alternatives, including spending $7US a month to setup a cloud CHR. The extreme case is living in the wrong country, where democratic values don't exist, and all forms of VPN are blocked by the STATE, why still living there for s...
by llamajaja
Tue Jul 09, 2024 6:12 pm
Forum: General
Topic: How to set or add IP Public from Modem directly to MikroTik
Replies: 13
Views: 857

Re: How to set or add IP Public from Modem directly to MikroTik

Nothing better than the red army having a clear digital path to all the homes in Europe ;-)
The slow drip drip drip of digital intrusion and take over...........
https://www.nbcnews.com/news/world/aust ... rcna160813
by llamajaja
Tue Jul 09, 2024 5:40 pm
Forum: General
Topic: Routing VLAN through Wireguard [SOLVED]
Replies: 34
Views: 2569

Re: Routing VLAN through Wireguard [SOLVED]

Sure, just add the MT device to the FRITZ and have the fritz LAN be the WAN for the new MT device. :-)
Then we can wireugard from mt to mt, I know that works LOL.
The only requirement on fritz is to be able to port forward WG listenting port to the new MT.
by llamajaja
Tue Jul 09, 2024 5:33 pm
Forum: Beginner Basics
Topic: Is it useful to block ICMP response for closed UDP ports? [SOLVED]
Replies: 3
Views: 2345

Re: Is it useful to block ICMP response for closed UDP ports? [SOLVED]

There is no security risk to expose ICMP as far as I am aware but it does impeded troubleshooting and some router functionality if needed.
by llamajaja
Thu Jul 04, 2024 9:19 pm
Forum: Wireless Networking
Topic: CAP ax Gen 6 mediocre performance
Replies: 45
Views: 4840

Re: CAP ax Gen 6 mediocre performance

A change of 3dbs is 1/2 the power. So 2 dbs is not trivial!!
by llamajaja
Thu Jul 04, 2024 8:49 pm
Forum: General
Topic: Mangle for route to specific internet resources through vpn server
Replies: 10
Views: 668

Re: Mangle for route to specific internet resources through vpn server

A first poster process would have alleviated the need for that comment of yours stated how many 100s if not 1000s of times, and would prevent same in the future but status quo & lethargy must live on!! ....................
by llamajaja
Thu Jul 04, 2024 8:40 pm
Forum: Beginner Basics
Topic: Using the router as DNS for the guest network
Replies: 23
Views: 1470

Re: Using the router as DNS for the guest network

Maybe he has a large extended family ;-)
by llamajaja
Thu Jul 04, 2024 7:43 pm
Forum: General
Topic: Firewall routing help
Replies: 9
Views: 620

Re: Firewall routing help

--> rextended è buono come il pane.
--> rextended non ha peli sulla lingua, dice quello che pensa.

I hope its not to hot where you are.
Take care.


.
by llamajaja
Thu Jul 04, 2024 7:39 pm
Forum: Beginner Basics
Topic: Help SCRNAT with two public subnets
Replies: 7
Views: 739

Re: Help SCRNAT with two public subnets

One would think, but then again you are using logic and educational principles. :-)
by llamajaja
Thu Jul 04, 2024 7:17 pm
Forum: Beginner Basics
Topic: Selectively block RDP
Replies: 3
Views: 619

Re: Selectively block RDP

Originating Inbound traffic is normally blocked by firewall rules.
Originating Outbound traffic other than blocking standard RDP port, dont know. One could change the RDP port number on you and then not much you can do.
by llamajaja
Thu Jul 04, 2024 7:15 pm
Forum: Beginner Basics
Topic: Replace RB2011UIAS with CRS310-8G+2S+IN
Replies: 4
Views: 800

Re: Replace RB2011UIAS with CRS310-8G+2S+IN

What is the throughput of the ISP(s)?
Is most of the traffic in the same vlan or is it mostly across vlans.
Is the majority of traffic from vlan to internet?
by llamajaja
Thu Jul 04, 2024 7:13 pm
Forum: Beginner Basics
Topic: Using the router as DNS for the guest network
Replies: 23
Views: 1470

Re: Using the router as DNS for the guest network

yup, if it works, and the rest of the users are happy, then its an exercise in config, that is not necessary at this point.
To be frank, until recently I would never assign subnets to ports or wifi ports, and would only use vlans.......so everyone learns at their own pace.
by llamajaja
Thu Jul 04, 2024 7:04 pm
Forum: General
Topic: Output route selection - Wireguard
Replies: 29
Views: 5850

Re: Output route selection - Wireguard

Good idea, you can use the dstnat rule work around, it works!
by llamajaja
Thu Jul 04, 2024 6:18 pm
Forum: General
Topic: Firewall routing help
Replies: 9
Views: 620

Re: Firewall routing help

Every question so poorly worded constructed and presented, should be handled by Mikrotik as they do not want to support better forum handling of new posters. :-P For the OP. Please provide a diagram and export your config /export file=anynameyouwish ( minus router serial number, any public WANIP inf...
by llamajaja
Tue Jul 02, 2024 10:44 pm
Forum: Beginner Basics
Topic: HairPin NAT with PPPoE Dynamic WAN IP rule
Replies: 4
Views: 1158

Re: HairPin NAT with PPPoE Dynamic WAN IP rule

Thanks rodney, but its not your rule and its been stated on many threads. If you want plugNplay use TPLINK or DLINK or NETGEAR etc.
If one wants to learn RoS, the rule is a good starting place but one should learn what is going on with traffic flow to make sense of why the rule works.
by llamajaja
Tue Jul 02, 2024 10:41 pm
Forum: Beginner Basics
Topic: VPN connection from abroad
Replies: 7
Views: 1118

Re: VPN connection from abroad

Does your router have a public IP address??
by llamajaja
Tue Jul 02, 2024 10:40 pm
Forum: Beginner Basics
Topic: RB5009 and what seems like DNS problems
Replies: 4
Views: 596

Re: RB5009 and what seems like DNS problems

Hmm I see you are allowing ISP DNS usage! /interface pppoe-client add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=\ ether1_WAN name=pppoe-1und1 use-peer-dns= yes user=\ Hxxxxxx/xxxxxxxx@online.de So try disabling all your current IP DNS settings and see if the performance impr...
by llamajaja
Tue Jul 02, 2024 10:27 pm
Forum: Beginner Basics
Topic: Wireguard + Adguard Help
Replies: 8
Views: 1138

Re: Wireguard + Adguard Help

Observations: (1) Dont see sfpplus1 identified on /interface bridge vlans...... (2) Simplify your interface list member, the bridge is not needed for starters. why do you have both LAN and VLAN. Then you duplicate everything on firewall address lists...........redundant and usually not required. Kee...
by llamajaja
Tue Jul 02, 2024 9:30 pm
Forum: Beginner Basics
Topic: Mangle Rules with Multi WAN
Replies: 6
Views: 1104

Re: Mangle Rules with Multi WAN

The point about fastrack is very important as you want to keep fastrack for the rest of your traffic. Since we have clearly identified a source address structure for this traffic we can really nail it down. Using rplants excellent work for maintaining fastrackk (for dynamic gateway changes as well) ...
by llamajaja
Tue Jul 02, 2024 9:17 pm
Forum: Beginner Basics
Topic: Mangle Rules with Multi WAN
Replies: 6
Views: 1104

Re: Mangle Rules with Multi WAN

I am not sure why rplant is suggesting routing rules because that assumes you are working with IP addresses only. This is only true for SOURCE but not for DESTINATION. The only requirement as you have stated is basically any IP address with dst port ABC needs to go through WAN2. Routing RULES do NOT...
by llamajaja
Tue Jul 02, 2024 9:13 pm
Forum: Beginner Basics
Topic: Mangle Rules with Multi WAN
Replies: 6
Views: 1104

Re: Mangle Rules with Multi WAN

So the single and only special requirement for your configuration is that ANY user (not single user, group of users or one subnet of users if have multiple subnets) with destination of port ABC, must use WAN2? I'm assuming WAN1 is primary and WAN2 is secondary (failover). What you haven stated is WH...
by llamajaja
Tue Jul 02, 2024 8:34 pm
Forum: Beginner Basics
Topic: RB5009 and what seems like DNS problems
Replies: 4
Views: 596

Re: RB5009 and what seems like DNS problems

/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)
by llamajaja
Tue Jul 02, 2024 8:31 pm
Forum: General
Topic: VLANs & DHCP advice needed
Replies: 8
Views: 959

Re: VLANs & DHCP advice needed

Okay, thats fine, just to be clear then that there is one single flat network coming from the watchguard. What is this subnet and what is its significant to the rest of the network? I am assuming none, and its simply acting as the WAN connection for all intensive purposes for the MT device. Also I a...
by llamajaja
Tue Jul 02, 2024 8:25 pm
Forum: General
Topic: no receive on speedtest through wireguard
Replies: 18
Views: 1233

Re: no receive on speedtest through wireguard

Observations: (1) I cannot make any headway into your setup of ports vlans and subnets. Thus cannot even fathom attempting Wireguard advice. Try to simplify if possible. One bridge! The only port NOT on bridge should be a.. WAN ports b. Management port (ether13) if the intention is to be able to loc...
by llamajaja
Tue Jul 02, 2024 8:05 pm
Forum: General
Topic: no receive on speedtest through wireguard
Replies: 18
Views: 1233

Re: no receive on speedtest through wireguard

Hah hah fair enough. I will keep trying. Especially because the interloper couldnt be further from the truth. I prefer to SIMPLIFY configs, not make them more complex and furthermore I do go off on non direct parts of the issue when the config is so badly botched it needs attention. It is also myopi...
by llamajaja
Tue Jul 02, 2024 8:01 pm
Forum: General
Topic: Is RouterOS Affected by CVE-2024-6387?
Replies: 9
Views: 2185

Re: Is RouterOS Affected by CVE-2024-6387?

Who uses SSH??? I mean SSH1 as that is what Open SSH was based on??

Perhaps Kev, you want this......... ;-)

https://www.ietf.org/archive/id/draft-m ... h3-00.html
by llamajaja
Tue Jul 02, 2024 7:54 pm
Forum: General
Topic: VLANs & DHCP advice needed
Replies: 8
Views: 959

Re: VLANs & DHCP advice needed

The requirements need to be stated a bit more clearly............ Break it down, as you have, CRS326 PORTA needs to carry vlans XYZ trunked to Smart Device Y (model?) CRS326 PORTB needs to carry vlan W untagged to PC/printer (dumb device) For each smart device then break down its movement of traffic...
by llamajaja
Tue Jul 02, 2024 7:50 pm
Forum: General
Topic: VLANs & DHCP advice needed
Replies: 8
Views: 959

Re: VLANs & DHCP advice needed

Well, the issue is you do not have direct contact with any of the end devices. The firewall router ( which I am assuming provides all the vlans ) sends the vlans to the CRS326 on the CRS326 trunk port sfp-sfplus1. Note I said trunk port because there is no reason on this earth for there to be untagg...
by llamajaja
Tue Jul 02, 2024 7:42 pm
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 22
Views: 2807

Re: Wireguard DNS Not Working as Expected

Okay after some more research. 1. The function of DNS (udp type traffic) to acquire www addressing, is SEPARATE and INDPENDENT from the TCP https traffic going to specific sites. The latter is dependent upon the routes available on the router and the former the DNS services setup on the router. 2. T...
by llamajaja
Tue Jul 02, 2024 7:22 pm
Forum: General
Topic: Apple tv on wireguard
Replies: 5
Views: 1225

Re: Apple tv on wireguard

The mangle rule indicated above needs only to be on the client side. If that rule doesnt work an alternative is
add action=change-mss chain=forward new-mss=1380 out-interface=wireguard1 protocol=tcp tcp-flags=syn tcp-mss=1381-65535

This rule has no effect on the rest of the routers performance
by llamajaja
Tue Jul 02, 2024 7:20 pm
Forum: General
Topic: Adding Management Port
Replies: 1
Views: 259

Re: Adding Management Port

Hard to say, very odd config you have there.

Try this
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 vlan-ids=10
add bridge=BR1 tagged=ether1 vlan-ids=20
add bridge=BR1 tagged=ether1 vlan-ids=30
add bridge=BR1 tagged=ether1 vlan-ids=40
add bridge=BR1 tagged=ether1 vlan-ids=50
by llamajaja
Tue Jul 02, 2024 7:17 pm
Forum: General
Topic: Feature Request to help Iranian
Replies: 8
Views: 3248

Re: Feature Request to help Iranian

Can amnezia vpn be run on a server/pc behind the router ??
by llamajaja
Tue Jul 02, 2024 7:15 pm
Forum: General
Topic: Wireguard: only the last edited peer is working [SOLVED]
Replies: 9
Views: 1926

Re: Wireguard: only the last edited peer is working [SOLVED]

By not assuming your config is correct.
Please post /export file=anynameyouwish ( minus router serial number, any public WANIP info, keys etc.O)
by llamajaja
Thu Jun 27, 2024 10:04 pm
Forum: Beginner Basics
Topic: Which dstnat rules?
Replies: 3
Views: 573

Re: Which dstnat rules?

The answer provided was incomplete and missed the mark. Note: Teh to-port entry, IS required, if the incoming port will be different from the port hitting the server (port translation by the router). There are two main categories to consider in DST NAT RULES a. Static IP ( your IP address is static/...
by llamajaja
Thu Jun 27, 2024 9:35 pm
Forum: Beginner Basics
Topic: [SOLVED] Kind request for feedback about firewall configuration
Replies: 8
Views: 1101

Re: Kind request for feedback about firewall configuration

I dont comment unless I see the full config as items are related.
by llamajaja
Thu Jun 27, 2024 5:27 pm
Forum: General
Topic: Securing Wireguard setup
Replies: 19
Views: 1642

Re: Securing Wireguard setup

Sounds good............ let us know either way.
by llamajaja
Thu Jun 27, 2024 5:12 pm
Forum: Beginner Basics
Topic: Bandwidth Limitation on hAP ac (1Gbps Subscription, Only Getting 150Mbps)
Replies: 11
Views: 1447

Re: Bandwidth Limitation on hAP ac (1Gbps Subscription, Only Getting 150Mbps)

Disagree the results show that with firewall rules the device should easily reach 300Mpbs and possibly up to 400Mbps. However, I really like MKXs observation that upgrading from SIX is not optimal for throughput and that a clean netinstall for version 7 yields best results. Its almost a bug in a sen...
by llamajaja
Thu Jun 27, 2024 5:09 pm
Forum: Beginner Basics
Topic: NTP client not syncing [SOLVED]
Replies: 13
Views: 3042

Re: NTP client not syncing [SOLVED]

Without seeing MT NTP config and input chain firewall rules config, hard to make any assessment.
by llamajaja
Wed Jun 26, 2024 6:12 pm
Forum: General
Topic: Two Wireguard VPN connections on one uplink interface (Ethernet)
Replies: 7
Views: 827

Re: Two Wireguard VPN connections on one uplink interface (Ethernet)

The quick and dirty method would be subnets out specific VPNs but failover is not in the cards. Also you failed to note if the VPNs were all from the same provider ??????, if so, talk about failover is moot. /ip routing tables add fib name=use-VPN-A add fib name=use-VPN-B add fib name=use-VPN-C add ...
by llamajaja
Wed Jun 26, 2024 5:58 pm
Forum: General
Topic: Mikrotik Router
Replies: 4
Views: 806

Re: Mikrotik Router

Your requirements are poorly stated. You want all 2.5 gig ports but remember the 5009 is limited to routing realistically at around 3gigs. So if you had 8 ports all capable of 2.5 gigs, you wouldnt achieve WAN throughput greater than 3 gigs at any one time. If that is not a concern to you and simply...
by llamajaja
Wed Jun 26, 2024 5:45 pm
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 22
Views: 2807

Re: Wireguard DNS Not Working as Expected

I will have a look. Goal is to ensure road warriors or any user for that matter coming in via Wireguard and going out LOCAL 5009 internet gets stuffed through the pi hole DNS. (1) Add wireguard to LAN interface /interface list member add interface="Local Bridge" list=listBridge add interfa...
by llamajaja
Wed Jun 26, 2024 4:50 pm
Forum: General
Topic: Inter-vlan issues
Replies: 2
Views: 447

Re: Inter-vlan issues

Sorry your requirements are not clear.
If you have 9 vlans that can reach each other in both directions and one vlan that cannot
YOU ONLY NEED TWO VLANS.
by llamajaja
Wed Jun 26, 2024 4:48 pm
Forum: General
Topic: Dual WAN + LAN1 , access to LAN2 in Wan2
Replies: 16
Views: 1388

Re: Dual WAN + LAN1 , access to LAN2 in Wan2

Dont see anything OBVIOUS yet........ some small items. (1) Modify From: /interface detect-internet set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\ all wan-interface-list=WAN TO: /interface detect-internet set detect-interface-list= NONE can cause issues....... (2) Not...
by llamajaja
Wed Jun 26, 2024 4:19 pm
Forum: General
Topic: Two Wireguard VPN connections on one uplink interface (Ethernet)
Replies: 7
Views: 827

Re: Two Wireguard VPN connections on one uplink interface (Ethernet)

Okay as I understand it you wish to force ALL USERS through vpn for internet Preferably PCC load balancing access so the load is shared equitably between users. OR Subnets X,Y to vpn1, AB, to vpn2, CD to vpn3 (assuming all from same vpn provider and thus failover means nothing. a. confirm all subnet...
by llamajaja
Wed Jun 26, 2024 4:13 pm
Forum: Beginner Basics
Topic: Issues port forwarding to isp vlan [SOLVED]
Replies: 4
Views: 2516

Re: Issues port forwarding to isp vlan [SOLVED]

Not sure what you are doing with PLEX and DNS, but suggest you disable the two IP DNS static rules you have made while making the changes recommended. They should NOT be required. /ip dns static add address=192.168.10.1 comment=defconf name=router.lan add address=192.168.10.3 regexp=".*plex\\.d...
by llamajaja
Wed Jun 26, 2024 4:08 pm
Forum: Beginner Basics
Topic: Issues port forwarding to isp vlan [SOLVED]
Replies: 4
Views: 2516

Re: Issues port forwarding to isp vlan [SOLVED]

(1) Which interface was identified here???? --> that now has the YOU HAVE AN ERROR indication LOL add bridge=bridge interface=ether1 add interface= *9 (2) Since spf+1 is the WAN port it needs to be removed from the bridge. I see that its disabled but dont keep garbage lying around get rid of it. (3)...
by llamajaja
Tue Jun 25, 2024 6:11 pm
Forum: General
Topic: Recursive routing working in 7.6?
Replies: 21
Views: 3641

Re: Recursive routing working in 7.6?

I dont know whether to be humbled or amused LOL.

If you are saying I have uncanny powers to spot useless posts, then I am humbled.
If you are saying, I have a unique propensity to dish out vacuous posts, then I am amused. :-)
by llamajaja
Tue Jun 25, 2024 5:54 pm
Forum: General
Topic: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]
Replies: 13
Views: 14770

Re: LOAD BALANCING NOT WORKING ON PPPoE-CLIENT [SOLVED]

/export file=anynameyouwish (minus router serial number, any public WANIp info, keys, etc. )
by llamajaja
Tue Jun 25, 2024 5:51 pm
Forum: General
Topic: Securing Wireguard setup
Replies: 19
Views: 1642

Re: Securing Wireguard setup

Its not a matter of seeing what happens, its KNOWING what will happen. Use the force! This is the way!
by llamajaja
Tue Jun 25, 2024 5:42 pm
Forum: Beginner Basics
Topic: Slow internet with load balancing PCC
Replies: 12
Views: 993

Re: Slow internet with load balancing PCC

Thank you for the kind appreciation you wish to express, I will take it directly from you (vice through a third party ).
by llamajaja
Tue Jun 25, 2024 5:37 pm
Forum: Beginner Basics
Topic: WireGuard routing [SOLVED]
Replies: 15
Views: 3576

Re: WireGuard routing [SOLVED]

Traffic going out VPS should not have anything to do with fastrack. Not part of the traffic flow that goes by fastrack that I am aware of but will look into it.. If it was a concern then simply put two rules before fastrack add chain=forward action=accept connection-state=established,related src-add...
by llamajaja
Tue Jun 25, 2024 5:28 pm
Forum: Beginner Basics
Topic: Forum rules
Replies: 29
Views: 97766

Re: Exporting RouterOS configuration for new users

Hello and welcome to the Mikrotik forum :D For all new users that uses RouterOS for the first time and have some questions regarding their config here is short tutorial on how to access RouterOS configuration using "WinBox" and how to export their configuration and posting it properly in ...
by llamajaja
Thu Apr 18, 2024 9:22 pm
Forum: Beginner Basics
Topic: Cannot get WireGuard to route traffic
Replies: 6
Views: 1429

Re: Cannot get WireGuard to route traffic

To answer the title, by creating an IP address for wireguard, it becomes a local interface and thus the router creates a route for that traffic. So you should not have to do any routing.. One reason to create route is if you have to reach remote subnets via wireguard, but not the case here ( allowed...
by llamajaja
Thu Apr 18, 2024 9:20 pm
Forum: Beginner Basics
Topic: Cannot get WireGuard to route traffic
Replies: 6
Views: 1429

Re: Cannot get WireGuard to route traffic

(1) It would seem you have a problem on your WAN interface: /ip dhcp-client # DHCP client can not run on slave or passthrough interface! add comment=defconf interface=ether1 add interface=sfp-sfpplus1 (2) wg settings seem fine..... (3) To allow traffic to router for config purposes ........ from wir...
by llamajaja
Thu Apr 18, 2024 7:47 pm
Forum: Forwarding Protocols
Topic: 2 Wan with load and VPN
Replies: 1
Views: 918

Re: 2 Wan with load and VPN

What type of VPN are you using. Do you have a publicly reachable WAN ( wan1, or wan2, or both)?? What type of interface is RED taller, a port?? Is the VPN port simply identifying which users will be going out VPn\? WHat type of VPN is it, remote users coming to your router or using a third party vpn...
by llamajaja
Thu Apr 18, 2024 6:47 pm
Forum: General
Topic: Configuration not working
Replies: 6
Views: 927

Re: Configuration not working

Okay to confirm, You have a mikrotik device, that you would like to act also as a router in terms of providing DHCP services etc.. You are simply terminating the WANIP connections at the two upstream ISP routers. These routers are providing the Mikrotik router a private IP address on their respectiv...
by llamajaja
Thu Apr 18, 2024 6:22 pm
Forum: General
Topic: Disable WIREGUARD clients from local LAN
Replies: 7
Views: 967

Re: Disable WIREGUARD clients from local LAN

The traffic that will appear slower to the user on the router will be the traffic going out Wireguard.
Other traffic going out the local WAN should not be affected.
by llamajaja
Thu Apr 18, 2024 6:20 pm
Forum: General
Topic: Wireguard Keeps trying to reconnect
Replies: 7
Views: 1322

Re: Wireguard Keeps trying to reconnect

Believe this is a known issue with the BTH functionality being addressed for imminent 7.15 release. Imminent used loosely.
by llamajaja
Thu Apr 18, 2024 3:40 pm
Forum: General
Topic: ECMP load Balance + Port forwarding random WAN fail.
Replies: 4
Views: 1019

Re: ECMP load Balance + Port forwarding random WAN fail.

Need to post config properly

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys )

I can help if you wish to change to PCC, which is better load balancing,
by llamajaja
Thu Apr 18, 2024 3:39 pm
Forum: General
Topic: When will Mikrotik support Express VPN or NordVPN etc
Replies: 2
Views: 519

Re: When will Mikrotik support Express VPN or NordVPN etc

Use wireguard, its better.
by llamajaja
Thu Apr 18, 2024 3:34 pm
Forum: General
Topic: Disable WIREGUARD clients from local LAN
Replies: 7
Views: 967

Re: Disable WIREGUARD clients from local LAN

You are mistaken, the only traffic that is really slowed down by wireguard is wireguard traffic as the the CPU handles this functionality. The tunnels are supposed to maintain 'touch' at both ends, hence the keep alive function. This activity will not harm the ax3 or have any effects on other normal...
by llamajaja
Wed Apr 17, 2024 9:03 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1870

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

Larsa being right all the time? Probably because I have a big llama brain and he has a tiny mouse/bat brain. :-)
Maybe I should stick to flatulence and biting........
by llamajaja
Wed Apr 17, 2024 8:58 pm
Forum: Beginner Basics
Topic: WireGuard - no lan connection
Replies: 8
Views: 1502

Re: WireGuard - no lan connection

Router C......... Same issues as Router A, need to be fixed....... 1. Changes for backup wireguard /interface wireguard add listen-port=52810 mtu=1420 name=WireGuard add listen-port=52910 mtu=1420 name=WG-C /interface list member add interface=ether1 list=WAN add interface=ether2 list=LAN add interf...
by llamajaja
Wed Apr 17, 2024 8:37 pm
Forum: Beginner Basics
Topic: WireGuard - no lan connection
Replies: 8
Views: 1502

Re: WireGuard - no lan connection

Router B - remember this is the backup wireguard in case B is down so B and C can still reach each other and so that the admin can reach both routers remotely. Besides all the fixes noted for Router A, they are all applicable here as well, 1. Add the extra wireguard items: /interface wireguard add l...
by llamajaja
Wed Apr 17, 2024 7:34 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1870

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

Latest email update Quote: " We do not man-in-the-middle encrypted protocols. (e.g. adding certificate to endpoints and terminating ssl/tls in firewalla and re-encrypt them). this behavior is not safe for our customers, and usually should be managed by IT/InfoSec. Firewalla can see (and control...
by llamajaja
Wed Apr 17, 2024 7:31 pm
Forum: Beginner Basics
Topic: WireGuard - no lan connection
Replies: 8
Views: 1502

Re: WireGuard - no lan connection

RouterA (1) Remove pre-shared keys from wireguard. I have not ever seen it used, so for this testing remove. Once we get a good working config, feel free to play with it at your leisure. (2) Remove ether1 from Bridge, WAN is not part of LAN bridge. (3) Modify as follows: /interface list member add c...
by llamajaja
Wed Apr 17, 2024 6:45 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1870

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

Larsa, how do know that firewalla doesnt use SSL/TSL in its DPI functionality??
by llamajaja
Wed Apr 17, 2024 6:43 pm
Forum: General
Topic: FailOver Dual Public WAN
Replies: 3
Views: 409

Re: FailOver Dual Public WAN

Using masquerade, at least my understanding, does a better job of flushing old connections ?
by llamajaja
Wed Apr 17, 2024 5:44 pm
Forum: Beginner Basics
Topic: WireGuard - no lan connection
Replies: 8
Views: 1502

Re: WireGuard - no lan connection

Okay the assumptions will be as follows. 1. Router A is the server for handshake purposes...... Routers B and C will connect to Router A. 2. For redundancy, in case Router A is not available for whatever reason, will create secondary WG between Router B and C, with Router B being server for handshake.
by llamajaja
Wed Apr 17, 2024 5:38 pm
Forum: Beginner Basics
Topic: Firewall rules not applying to bridge
Replies: 3
Views: 890

Re: Firewall rules not applying to bridge

Why do you have an IP pool for the bridge and NOT for vlan80>> Dont need one for the bridge If you want another subnet create a vlan....... Same issue with dhcp-server. Okay its clear you communicated about two vlans, but you failed to mention another subnet........!! /interface vlan add interface=b...
by llamajaja
Wed Apr 17, 2024 4:40 pm
Forum: Beginner Basics
Topic: Firewall rules not applying to bridge
Replies: 3
Views: 890

Re: Firewall rules not applying to bridge

Since gateways are MT interfaces, one can always ping the vLAN gateway but one should not be able to ping other users or worse access them ( I mean across vlans ).
by llamajaja
Wed Apr 17, 2024 4:37 pm
Forum: Beginner Basics
Topic: Firewall and Hotspot
Replies: 2
Views: 416

Re: Firewall and Hotspot

Wrong question Bartoz! Why does MT not a have a first post process, to ensure posters understand what should be provided and so helpers can quickly deal with issues efficiently. :-)
by llamajaja
Wed Apr 17, 2024 4:31 pm
Forum: Beginner Basics
Topic: Wireguard client allow for all bridge subnets
Replies: 20
Views: 2324

Re: Wireguard client allow for all bridge subnets

1. Would recommend upgrade firmware to at least 7.12.2 later. 2. Modify this rule. From add action=accept chain=input comment="accept LAN traffic only" in-interface=bridge1 TO: add action=accept chain=input comment="accept LAN traffic only" in-interface -list=LAN 3. REMOVE this r...
by llamajaja
Tue Apr 16, 2024 6:58 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1870

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

Okay they are telling me they use their own software coupled with Zeek monitoring software, say they do not use any existing platform???
Their new 10gig box supposedly comes with 8gigs of memory and quad core cpu ???
by llamajaja
Tue Apr 16, 2024 5:11 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1870

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

Similar crapola then to NETGATE PFSense Plus ~ Cheaper device but they charge for cloud access.
by llamajaja
Tue Apr 16, 2024 5:04 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1870

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

How did you figure it out Mozerd?
So pfsense has layer 7 capabilities? If so how do they compare to MTs efforts with regex?
Im assuming that they are probably not all that different and if so, then pfsense DPI is also not viable???
by llamajaja
Tue Apr 16, 2024 4:30 pm
Forum: General
Topic: WAN failover - routes flapping [SOLVED]
Replies: 23
Views: 4001

Re: WAN failover - routes flapping [SOLVED]

If you elect to do queuing, then disable fastrack. That accept thing got by all of us, good catch!!!
by llamajaja
Tue Apr 16, 2024 4:28 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1870

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

-Train employees to think and ask questions if unsure before clicking on anything. ( on web or in emails #1 issue ) -Make sure device firmware is always up to date. -Use reasonable passwords for devices. ( add wo factor authentication for better protection ) -Always use antivirus. ++++++++++++++++++...
by llamajaja
Thu Apr 11, 2024 6:11 pm
Forum: Beginner Basics
Topic: Mikrotik as a backup wireless link with Cisco
Replies: 11
Views: 819

Re: Mikrotik as a backup wireless link with Cisco

easy peasy...... just one long config line LOL vlan-ids=2,10,20,30,40,50,60..........................all of them You could break it up if you so desired........... add bridge=bridge tagged=ether1,wireless-link vlan-ids= (15 vlans ) add bridge=bridge tagged=ether1,wireless-link vlan-ids= ( next 15 vl...
by llamajaja
Thu Apr 11, 2024 6:07 pm
Forum: Beginner Basics
Topic: Mikrotik documentation
Replies: 10
Views: 992

Re: Mikrotik documentation

True that, the website is updated regularly......Okay, given you have opted to create PDF in a cumbersome way ;-), seems like its what we will get so, better than not having it. Thanks.
by llamajaja
Thu Apr 11, 2024 6:04 pm
Forum: Beginner Basics
Topic: Guest wifi on 2 Routers with the same ssid
Replies: 14
Views: 1613

Re: Guest wifi on 2 Routers with the same ssid

# model = RBD52G-5HacD2HnD /interface bridge add admin-mac=********** auto-mac=no comment=defconf name=bridge vlan-filtering=no { change to yes as last config step } /interface list add comment=defconf name=WAN add comment=defconf name=LAN "**************" /interface vlan add interface=vl...
by llamajaja
Thu Apr 11, 2024 5:28 pm
Forum: Beginner Basics
Topic: WireGuard and NordVPN :(
Replies: 1
Views: 563

Re: WireGuard and NordVPN :(

Post your current config please.

/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.. )
by llamajaja
Thu Apr 11, 2024 5:26 pm
Forum: Beginner Basics
Topic: Mikrotik documentation
Replies: 10
Views: 992

Re: Mikrotik documentation

Updated Rarely is not acceptable.......... Updated version stored upon each firmware release is reasonable as part of your release process. Cant be too demanding, its a pdf.
by llamajaja
Thu Apr 11, 2024 5:24 pm
Forum: Beginner Basics
Topic: Src NAT from Router LAN IP address to WAN IP adress
Replies: 8
Views: 872

Re: Src NAT from Router LAN IP address to WAN IP adress

Please provide the config, you have so far......

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.. )
by llamajaja
Thu Apr 11, 2024 4:56 pm
Forum: Beginner Basics
Topic: Mikrotik as a backup wireless link with Cisco
Replies: 11
Views: 819

Re: Mikrotik as a backup wireless link with Cisco

Ah its a backup to the fibre link between building, Got it!! In this case, its simply acting as a wifi switch. Thus Take a look at this example............. Assume the management vlan is 99, and the other vlans are 2,10,20,30,40,50,60 VLAN 99 subnet is 192.168.99.0/24 NOTE the only difference I can ...
by llamajaja
Thu Apr 11, 2024 4:44 pm
Forum: Beginner Basics
Topic: Slow connections across vlans with hex [SOLVED]
Replies: 12
Views: 4649

Re: Slow connections across vlans with hex [SOLVED]

Post again after applying the new knowledge MKX referenced, and we will have another look!
by llamajaja
Thu Apr 11, 2024 4:42 pm
Forum: Beginner Basics
Topic: port forwarding problem [SOLVED]
Replies: 21
Views: 4945

Re: port forwarding problem [SOLVED]

(1) recommend change this rule: from: add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN TO: add action=accept chain=forward comment="internet traffic" in-interface-list=LAN o...
by llamajaja
Thu Apr 11, 2024 4:15 pm
Forum: Beginner Basics
Topic: Mikrotik as a backup wireless link with Cisco
Replies: 11
Views: 819

Re: Mikrotik as a backup wireless link with Cisco

It depends, Are you replacing the CISCO router, or simply providing a second WAN into the CISCO router. If its the latter, the MT devices are nothing more than probably moving the public IP along or simply terminating the WAN connection, and simply providing a private WANIP to the Cisco. In other wo...
by llamajaja
Thu Apr 11, 2024 4:11 pm
Forum: Beginner Basics
Topic: Mikrotik documentation
Replies: 10
Views: 992

Re: Mikrotik documentation

It should updated after every firmware release. This assumes that the changes incorporated have at that point been properly updated/documented in the official docs.
by llamajaja
Thu Apr 11, 2024 4:09 pm
Forum: Announcements
Topic: WinBox v3.40 released!
Replies: 165
Views: 167674

Re: WinBox v3.40 released!

Winbox, IMHO is the secret sauce, allowing non CLI trained folks to access and modify their configs and view all kinds of information. I had no RoS or CLI or networking training but do use Terminal from time to time as required and basic scripting as well. So CLI is just a fingertip away in winbox. ...
by llamajaja
Wed Apr 10, 2024 9:02 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 2335

Re: Cannot create a guests Wi-Fi network.

Without diagram all is a bit weird.
Is this acting as a router as well and if so where is the WAN information
( which port, static IP or dynamic IP, from ISP or private IP from ISP router/modem
by llamajaja
Wed Apr 10, 2024 8:55 pm
Forum: Announcements
Topic: WinBox v3.40 released!
Replies: 165
Views: 167674

Re: WinBox v3.40 released!

Just saying,sweet to be able to have multiple winbox windows open, viewing rules being tripped, logs filling, sniffing ongoing, connections tracking shown etc.........
by llamajaja
Wed Apr 10, 2024 8:09 pm
Forum: General
Topic: BTH basic question
Replies: 19
Views: 1735

Re: BTH basic question

No one has proven to me its not a BTH bug. Why else would the router attempt to initiate traffic (not properly respond to incoming traffic, thus bypassing mangles ) from the Peer (Server for handshake )? The only two things I can think of are. A. BTH traffic in the background. b. Normal conversation...
by llamajaja
Wed Apr 10, 2024 8:02 pm
Forum: General
Topic: Wireguard routing.
Replies: 10
Views: 851

Re: Wireguard routing.

Correct, The subnets cannot be duplicated for two different peers.
If unable to change one of them then use a second wireguard interface.
by llamajaja
Wed Apr 10, 2024 7:59 pm
Forum: General
Topic: Recommend me a VPN
Replies: 4
Views: 1751

Re: Recommend me a VPN

nm duplicate....................
by llamajaja
Wed Apr 10, 2024 7:59 pm
Forum: General
Topic: Recommend me a VPN
Replies: 4
Views: 1751

Re: Recommend me a VPN

Not enough info.
by llamajaja
Wed Apr 10, 2024 7:53 pm
Forum: General
Topic: BTH basic question
Replies: 19
Views: 1735

Re: BTH basic question

My questions have to do with the bloat created by BTH. Clearly it works also if one has at least one publicly accessible WANIP. People are using it and ending up with Peer (Server for handshake) allowed IPs that contain 'extra' information such as endpoint address and endpoint port etc....... Create...
by llamajaja
Wed Apr 10, 2024 7:24 pm
Forum: General
Topic: simple 3 isp dhcp clients with aggregation
Replies: 21
Views: 4236

Re: simple 3 isp dhcp clients with aggregation

Why not have all three WANs share PCC as well?
What are the down/up throughputs of each WAN??
by llamajaja
Wed Apr 10, 2024 7:23 pm
Forum: General
Topic: Routing Tables on Hap AC2
Replies: 3
Views: 498

Re: Routing Tables on Hap AC2

Probably we are not handling the pppoe properly in some way not sure if the issue is ppp profile or pppoe server........
by llamajaja
Wed Apr 10, 2024 7:16 pm
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 3697

Re: Redirect Router B to Router A through wireguard [SOLVED]

Nope the handshake is initiated on Router B and lands at the WAN on Router A, and thus why A needs the input chain rule only.
by llamajaja
Wed Apr 10, 2024 6:16 pm
Forum: General
Topic: Routing Tables on Hap AC2
Replies: 3
Views: 498

Re: Routing Tables on Hap AC2

you are missing a manual route for WAN1 as you opted to use default route on WAN2 only??? ( but not visible ip dhcp client for wan1 ) /interface list member add interface=ether2 list=WAN add interface=ether1 list=WAN add interface=ether3 list=LAN add interface=<pppoe-1111> list=ppp add interface=ser...
by llamajaja
Wed Apr 10, 2024 5:51 pm
Forum: General
Topic: DHCP Request & PCC Balance
Replies: 14
Views: 947

Re: DHCP Request & PCC Balance

Of course it should, you programmed the router to do so. Geez, there is no accountability in todays youth ;-) ( for marking connections more accurate to use input chain for rules to router and forward chain through router ) 1. Set this to NONE is the general recommendation from users and MT...... /i...
by llamajaja
Wed Apr 10, 2024 5:11 pm
Forum: Beginner Basics
Topic: Guest wifi on 2 Routers with the same ssid
Replies: 14
Views: 1613

Re: Guest wifi on 2 Routers with the same ssid

Post both configs............... I will set you up so it works without capsman......

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
by llamajaja
Wed Apr 10, 2024 5:07 pm
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 3697

Re: Redirect Router B to Router A through wireguard [SOLVED]

Sorry, I changed all your wireguard1 entries, on Router B, to wireguardB. Call me anal, but when looking at a config I want to know intuitively which of two or three or more configs I am looking at. Using the same name on both RouterA and RouterB is not clear to me and thus prefer to distinguish. Pe...
by llamajaja
Wed Apr 10, 2024 5:01 pm
Forum: Beginner Basics
Topic: Src NAT from Router LAN IP address to WAN IP adress
Replies: 8
Views: 872

Re: Src NAT from Router LAN IP address to WAN IP adress

Yes if you can explain your requirements more clearly......... dont mix up config speak with requirements. a. identify all user(s)/device(s) and groups of users/devices, including admin b. identify the traffic they need to accomplish Provide a network diagram showing the ISP connections, subnets, po...
by llamajaja
Wed Apr 10, 2024 4:59 pm
Forum: Beginner Basics
Topic: Help in traffic redirection
Replies: 3
Views: 527

Re: Help in traffic redirection

One option is to procure a cloud server, can get them cheap in the USE like $6 A MONTh. Then route all users at work with need to access library through a wireguard tunnel to the CHR and out the internet that way ( KNOWN FIXED PUBLIC ip ) You will need to mangle LAN traffic destined for medical serv...
by llamajaja
Wed Apr 10, 2024 4:09 pm
Forum: Beginner Basics
Topic: Firewall rule to share device among subnets [SOLVED]
Replies: 8
Views: 3130

Re: Firewall rule to share device among subnets [SOLVED]

Just for your edification. General rules of thumb. 1. To firewall a single address use: src-address or dst-address 2. To firewall a single subnet use: src-address=subnet or dst-address=subnet ( where subnet example looks like 192.168.88.0/24 ) 3. For two or more subnets use: INTERFACE LISTS. Excepti...
by llamajaja
Wed Apr 10, 2024 3:56 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 2335

Re: Cannot create a guests Wi-Fi network.

Concur tangent, I could post a working config for either option in minutes, except he is using capsman which I dont touch with a 10 foot pole. One of these years will have to bite the bullet.
by llamajaja
Tue Apr 09, 2024 10:33 pm
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 3697

Re: Redirect Router B to Router A through wireguard [SOLVED]

Router B. Missing two things: /interface wireguard peers add allowed-address= 192.168.202.0/24 ,192.168.201.0/24 endpoint-address=123.456.789.1 endpoint-port=23231 interface=wireguard1 public-key="***********************************************=" persistent-keep-alive=35 have to move on, b...
by llamajaja
Tue Apr 09, 2024 10:27 pm
Forum: Beginner Basics
Topic: Redirect Router B to Router A through wireguard [SOLVED]
Replies: 19
Views: 3697

Re: Redirect Router B to Router A through wireguard [SOLVED]

Router A: Modify Allowed IPs so looks like: /interface wireguard peers add allowed-address= 192.168.202.2/32 ,192.168.88.0/24 interface=wireguard1 public-key="**********************=" [/b] / /ip dns set allow-remote-requests=yes servers=1.1.1.2,1.1.1.1,1.0.0.2,8.8.8.8 /ip firewall filter a...
by llamajaja
Tue Apr 09, 2024 9:14 pm
Forum: Beginner Basics
Topic: Help understand some firewall blocks and wireguard 2 clients issues [SOLVED]
Replies: 7
Views: 3521

Re: Help understand some firewall blocks and wireguard 2 clients issues [SOLVED]

Not really only to say the problem is likely on the remote device. Either the public Key is wrong from the MT device, or some other setting...... Of course the public key of the remote device may be incorrectly input to the allowed IP peer setttings on the mT as well. The fact that device 1 works gr...
by llamajaja
Tue Apr 09, 2024 9:06 pm
Forum: Beginner Basics
Topic: Cannot create a guests Wi-Fi network.
Replies: 28
Views: 2335

Re: Cannot create a guests Wi-Fi network.

Sorry not familiar with capsman, and not sure why needed with single device??
otherwise its too easy to setup a vlan ( transparent ) for the current LAN and a new one for guests, attached to the WLAN.......
by llamajaja
Tue Apr 09, 2024 9:03 pm
Forum: Beginner Basics
Topic: filtering big local lan
Replies: 4
Views: 467

Re: filtering big local lan

Vlans are cheap use them.
by llamajaja
Tue Apr 09, 2024 8:58 pm
Forum: General
Topic: simple 3 isp dhcp clients with aggregation
Replies: 21
Views: 4236

Re: simple 3 isp dhcp clients with aggregation

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc)
by llamajaja
Tue Apr 09, 2024 8:56 pm
Forum: General
Topic: Wireguard VPN not working on a single Android palmtop
Replies: 3
Views: 856

Re: Wireguard VPN not working on a single Android palmtop

#1 Issue on these sorts of problems......... Ensure you have the right public key on the android from the MT. Ensure on the MT you have the right public key from the android #2 issue - Rest of Allowed Ips configured right at both ends. +++++++++++++++++++++++++++++++++++++++++++ Disable other peers ...
by llamajaja
Tue Apr 09, 2024 8:52 pm
Forum: General
Topic: Address list for dst nat
Replies: 10
Views: 1029

Re: Address list for dst nat

I dont care about wanting to use an alias address because that is not clarifying or providing any logic or reasoning. Its some unknown functionality without a purpose. Please state what associated users you have and what traffic flows they require..... then we will be able to make sense of what you ...
by llamajaja
Tue Apr 09, 2024 7:03 pm
Forum: General
Topic: Up 200 CAP
Replies: 12
Views: 1107

Re: Up 200 CAP

He forget the endy bit....... I have completed this work: over 2OO internal and external AP-ACs all wired in fiber optics 9/125. 3x vlan: wifi guest(VLAN100), wifi management(VLAN200), wired voip(VLAN50). CCR1016, CRS318, RBD22UGS-5HPacD2HnD, RBwsAP-5Hac2nD, RBcAPGi-5acD2nD, SFP+ and my hair turned ...
by llamajaja
Tue Apr 09, 2024 7:00 pm
Forum: General
Topic: How to configure a wifi bridge to passthrou many VLANs as trunk and use one VLAN for management?
Replies: 6
Views: 1037

Re: How to configure a wifi bridge to passthrou many VLANs as trunk and use one VLAN for management?

Can you draw a network diagram detailing from where internet starts ( isp and device(s) ) to the WAPs etc......... ports and vlans included........
by llamajaja
Tue Apr 09, 2024 6:58 pm
Forum: General
Topic: Address list for dst nat
Replies: 10
Views: 1029

Re: Address list for dst nat

Now with that knowledge can you frame your question so that it makes sense.....................
by llamajaja
Tue Apr 09, 2024 6:55 pm
Forum: General
Topic: Address list for dst nat
Replies: 10
Views: 1029

Re: Address list for dst nat

For port forwarding, you need a generic allow port forwarding rule in the forward chain. add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat Then you need a specific DST NAT rule, detailing the port, the server etc...... For a dynamic public IP the standar...
by llamajaja
Thu Apr 04, 2024 9:58 pm
Forum: Beginner Basics
Topic: 7.14.2 Port Forwarding [SOLVED]
Replies: 9
Views: 3173

Re: 7.14.2 Port Forwarding [SOLVED]

/export file=anynameyouwish ( minus router serial number, any public WANIP information,keys )
by llamajaja
Thu Apr 04, 2024 8:21 pm
Forum: Forwarding Protocols
Topic: SSH port forwarding doesn't work
Replies: 5
Views: 1017

Re: SSH port forwarding doesn't work

would need to see the complete config
/export file=anynameyouwish ( minus router serial#, any public WANIP information, keys etx.)
by llamajaja
Thu Apr 04, 2024 8:18 pm
Forum: Forwarding Protocols
Topic: FTP cannot connect if i use the public ip
Replies: 6
Views: 1245

Re: FTP cannot connect if i use the public ip

/export file=anynameyouwish ( minus router serial number, any public WANIP information,keys etc.)
by llamajaja
Thu Apr 04, 2024 8:16 pm
Forum: General
Topic: HW Offloading
Replies: 11
Views: 1317

Re: HW Offloading

Just to be clear is HW offloading possible on some routers regarding its chip, completetely different from L3HW offloading discussed for switches? I am trying to make sense of test results. For routers, I look at the table with or without filter rules and assume the speeds reflect the best possible ...
by llamajaja
Thu Apr 04, 2024 8:04 pm
Forum: Beginner Basics
Topic: InterVLAN routing not working as expected
Replies: 5
Views: 774

Re: InterVLAN routing not working as expected

1. I am not big fan of the documentation myself. I rely on other sources which I referenced and common sense. 2. You have to clearly decide if the PFSENSE is going to the router with DHCP firewall rules, etc or Just termination point for WAN, no rules and forward WAN vlan to Switch GR and have Switc...
by llamajaja
Thu Apr 04, 2024 6:06 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 1180

Re: Firewall/Routing Question

Yup its up a level from my knowledge hoping MKX will find this thread and comment!!
by llamajaja
Thu Apr 04, 2024 6:05 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 35
Views: 4338

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

Not a problem and makes sense. I would also setup an IP-IP backup tunnel based on Ipsec secret as a backup to wiregurd. This has nothing to with your attempt to assign wireguard to ports vice users/devices etc... What you are talking now is simply to access remote routers for config purposes. If you...
by llamajaja
Thu Apr 04, 2024 5:05 pm
Forum: General
Topic: WiFi Isolation Using VLANs
Replies: 2
Views: 839

Re: WiFi Isolation Using VLANs

As noted vlans block at layer2, firewall rules block at layer3.
To block WiTHIN layer2, the same guestnetwork, has been accomplished by access list (mac) address within the wifi settings.

https://help.mikrotik.com/docs/display/ ... AccessList
by llamajaja
Thu Apr 04, 2024 4:57 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 35
Views: 4338

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

Since you have one bridge and subnet assigned to bridge on all devices, each device has a flat subnet associated. In other words, all users are on the same LAN and same subnet and yes all ports are part of bridge. You need to decide WHICH users require access to wireguard. a. by firewall address lis...
by llamajaja
Thu Apr 04, 2024 4:53 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 35
Views: 4338

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

What I will say is, that you do not state requirements in terms of ports etc... Describe requirements in terms of a. identify users/devices, groups of users/devices and b. identify what traffic they need to accomplish. So ports are NOT users or devices!! Should explain the need for wireguard to user...
by llamajaja
Thu Apr 04, 2024 4:49 pm
Forum: General
Topic: Winbox WAN access problem
Replies: 6
Views: 451

Re: Winbox WAN access problem

I dont see an issue with the rule myself? I think the extras showing are simply the defaults and not stuff he is added,,,,,,,, but not sure. However, you have a mixed bag of crap, Unsafe winbox access, two different access to openvpn?? and SSH which is not the most secure access. Simply and get bett...
by llamajaja
Thu Apr 04, 2024 4:43 pm
Forum: General
Topic: Firewall/Routing Question
Replies: 19
Views: 1180

Re: Firewall/Routing Question

Your explanation is not complete or maybe just lacks some clarity. Are you saying that a. Users at Device B, via wireguard, successfully access the Iris Server on the LAN at Device A? Note: Assuming the users simply put in their APP or browser 192.168.0.1 : 81 and the connection works great. b. You ...
by llamajaja
Thu Apr 04, 2024 4:01 pm
Forum: General
Topic: Winbox WAN access problem
Replies: 6
Views: 451

Re: Winbox WAN access problem

Wrong approach.
One should not open up winbox to the www.
Instead VPN to he router and then access the config via winbox. Wireguard is a decent option.
by llamajaja
Wed Apr 03, 2024 9:37 pm
Forum: Beginner Basics
Topic: Does "Detect Internet" actually do anything?
Replies: 15
Views: 9408

Re: Does "Detect Internet" actually do anything?

Normis, on a side note, does RoS use the input chain default rule dst-address=127.0.0.1 for anything other than internal capsman use?????
by llamajaja
Wed Apr 03, 2024 9:32 pm
Forum: Beginner Basics
Topic: Not getting wireline speeds
Replies: 28
Views: 1673

Re: Not getting wireline speeds

Routing expectations from a routing device are reasonable.
Switching expectations from a switching device are reasonable
Expecting a coffee bean grinder to make a smoothie not so much.

To echo the point, its 2024 and we still have wars and famine............
by llamajaja
Wed Apr 03, 2024 9:24 pm
Forum: General
Topic: Can't get DHCP with WLAN when using bridge VLAN filtering [SOLVED]
Replies: 7
Views: 1210

Re: Can't get DHCP with WLAN when using bridge VLAN filtering [SOLVED]

hapac3 ( and technically the CRS3 switch is pretty much identical in approach setup minus wifi. ) 1. Remove frame types.........here /interface bridge add frame-types=admit-only-vlan-tagged name=BRIDGE vlan-filtering=yes 2. Need only to define one VLAN, and this is where the HAP gets its own IP addr...
by llamajaja
Wed Apr 03, 2024 9:21 pm
Forum: General
Topic: Can't get DHCP with WLAN when using bridge VLAN filtering [SOLVED]
Replies: 7
Views: 1210

Re: Can't get DHCP with WLAN when using bridge VLAN filtering [SOLVED]

keep your 5,6 as is, I had forg0tten about two chips, so two bridges should work.
by llamajaja
Wed Apr 03, 2024 8:25 pm
Forum: General
Topic: Can't get DHCP with WLAN when using bridge VLAN filtering [SOLVED]
Replies: 7
Views: 1210

Re: Can't get DHCP with WLAN when using bridge VLAN filtering [SOLVED]

Use code quotes to shorten up the view on the config. ( black square with white brackets inside ) 1) ONE BRIDGE -- ah okay using fact it has two chips.......... 2) USE THIS REF: https://forum.mikrotik.com/viewtopic.php?t=143620 3) Dont see any wireguard settings?? 4. All one needs to on bridge itsel...
by llamajaja
Wed Apr 03, 2024 7:53 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 35
Views: 4338

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

Attention to detail my friend! SPINE 1. You need to add ether 2,3,4 to the bridge ports! ( assuming they are part of your LAN as you have no other ports or addressess delineated ) 2. If the Spine is behind another router fine, if not, pull the ethernet cable from the modem , as you have no firewall ...
by llamajaja
Wed Apr 03, 2024 7:32 pm
Forum: Beginner Basics
Topic: cAP ac Multiple SSID
Replies: 43
Views: 3486

Re: cAP ac Multiple SSID

You did NOT find that device under MT--> products --> Routers. Hence, its a switch and should be used as a switch. What you want is an RB5009 as the router and then a switch. Not sure what you are looking for in a switch though, here are two potential options. 24gig ports, 2xsfp+ ports - ->CRS326-24...
by llamajaja
Wed Apr 03, 2024 7:18 pm
Forum: Beginner Basics
Topic: Not getting wireline speeds
Replies: 28
Views: 1673

Re: Not getting wireline speeds

The 310 is a switch and yet your requirement is clearly routing..................... Why the purchase of the 310?? With any kind of firewall rules applied your throughput is going to max out at 200Mbps or less! Assuming by the way, this device is getting a public IP from a fiber modem/ont ( and not ...
by llamajaja
Wed Apr 03, 2024 7:13 pm
Forum: Beginner Basics
Topic: Newb Question on my topology
Replies: 4
Views: 506

Re: Newb Question on my topology

Reputable brand? Nothing wrong with Mikrotik Routers, the RB5009 is an excellent router for your situation.
If you meant a router, vice a switch, that is not brand, that is form following function, procure and use a product for what it was intended to do!
by llamajaja
Wed Apr 03, 2024 5:53 pm
Forum: General
Topic: Enable to log into brand new switch [SOLVED]
Replies: 5
Views: 764

Re: Enable to log into brand new switch [SOLVED]

Why each MT devices doesn't come with a magnifying glass is beyond me. :-)
by llamajaja
Wed Apr 03, 2024 5:43 pm
Forum: General
Topic: How to do Inter-VLAN Bridging with MikroTik? [SOLVED]
Replies: 15
Views: 1971

Re: How to do Inter-VLAN Bridging with MikroTik? [SOLVED]

Suggest you approach this in a logical manner instead of playing footsie with switch settings or bridge talk all without any real focus.. a. identify all the devices/users including the admin b. identify all the traffic flows they actually require 9 (no mention of config etc.) c. provide a network d...
by llamajaja
Tue Apr 02, 2024 8:19 pm
Forum: General
Topic: Problem with Mangle Rule
Replies: 3
Views: 360

Re: Problem with Mangle Rule

Sure thing. Please use this virtual eraser to remove your mangles, this virtual pen to rewrite proper mangles, and these virtual scales, to help load balance your PCC.
by llamajaja
Tue Apr 02, 2024 8:17 pm
Forum: General
Topic: Wireguard DNS re-resolution script
Replies: 4
Views: 687

Re: Wireguard DNS re-resolution script

Correct, since maybe 7.12??? not sure when but there is no longer a need to do this on the client (for handshake) peer to re-establish connectivity with the Server ( for handshake ) peer.
by llamajaja
Tue Apr 02, 2024 8:14 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 35
Views: 4338

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

Mozerd, how easy is it to integrate PRO WG MGMT with MT devices?? Does it run on windows PC?
by llamajaja
Tue Apr 02, 2024 8:12 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 35
Views: 4338

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

You all be missing the point..................... Zerotier, besides the limitation to ARM devices, is forcing the OP to be dependent upon THIRD PARTY. Wireguard is direct and thus more secure and independent --> and ZT may conflict with Company Policy..... I mean its unlikely that cloudflare is goin...
by llamajaja
Tue Jan 23, 2024 5:15 pm
Forum: Beginner Basics
Topic: Cant get into my Mikrotik
Replies: 5
Views: 1246

Re: Cant get into my Mikrotik

Suggest that the Mikrotik document be clearer in this regard, it is actually could be construed as somewhat misleading.............
....
current.jpg
....

Suggestion:
....
recommend.jpg
by llamajaja
Tue Jan 23, 2024 3:39 pm
Forum: Beginner Basics
Topic: Dual WAN- No load balance, No failover
Replies: 2
Views: 789

Re: Dual WAN- No load balance, No failover

Are ISP1 and ISP2, fixed static public IPs, or dynamic WANIPs............
by llamajaja
Tue Jan 23, 2024 3:30 pm
Forum: Beginner Basics
Topic: VLAN can't ping gateway
Replies: 8
Views: 1003

Re: VLAN can't ping gateway

Which router, and what is the current firmware version being used? Better to assign the port to the address you want and forget vlan2. The bridge will remain serving all ports BUT NOT ether2. Remove this route it serves no purpose as one is automatically created via the bridge associated IP address&...
by llamajaja
Thu Dec 21, 2023 10:45 pm
Forum: Beginner Basics
Topic: Mikrotik as road warrior Wireguard client to Unifi UDM [SOLVED]
Replies: 13
Views: 3070

Re: Mikrotik as road warrior Wireguard client to Unifi UDM [SOLVED]

Why would you even consider posting a peer config the UDM thought the peer should have MAKES ZERO LOGIC.

Need to see actual UDM config (server)
and actual peers (clients) of interest CONFIGS.
by llamajaja
Thu Dec 21, 2023 10:37 pm
Forum: General
Topic: Issue with Wireguard - Connected but no traffic [SOLVED]
Replies: 16
Views: 3737

Re: Issue with Wireguard - Connected but no traffic [SOLVED]

(1) Not sure why you are getting a weird outcome for ethernet7 add interface=*7 list=LAN ?? /ip firewall mangle add action=passthrough chain=forward comment="Forward wg traffic" disabled=\ yes dst-address=0.0.0.0 in-int erface=*7 (2) Dont get your rules the chains are mixed up and thus not...
by llamajaja
Thu Dec 21, 2023 10:00 pm
Forum: Beginner Basics
Topic: Mikrotik as road warrior Wireguard client to Unifi UDM [SOLVED]
Replies: 13
Views: 3070

Re: Mikrotik as road warrior Wireguard client to Unifi UDM [SOLVED]

(1) Dont understand your Server UDM settings. a. You should show all the peers on the UDM. b. Each peer client gets a separate line entry. c. Each peer client in allowed IPs should be show as the actual IP/32 of that client peer. d. The UDM does not require an endpoint in allowed IPs, IT IS the endp...
by llamajaja
Wed Oct 11, 2023 12:08 pm
Forum: General
Topic: Prioritize Telegram Traffic using MikroTik RouterOS v7 [SOLVED]
Replies: 8
Views: 4056

Re: Prioritize Telegram Traffic using MikroTik RouterOS v7 [SOLVED]

Why bother, I have never had to prioritize traffic. Assuming your pipe is extremely small????
by llamajaja
Wed Oct 11, 2023 12:06 pm
Forum: Beginner Basics
Topic: Do we have a list of how many devices
Replies: 4
Views: 1001

Re: Do we have a list of how many devices

hapax3 is your best budget approach, RB5009 is overkill but allows much room for growth.
by llamajaja
Wed Oct 11, 2023 1:42 am
Forum: General
Topic: Wireguard peer interface irregularly stop working
Replies: 66
Views: 21531

Re: Wireguard peer interface irregularly stop working

Yes I think so!
by llamajaja
Wed Oct 11, 2023 1:40 am
Forum: General
Topic: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80
Replies: 9
Views: 1265

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

As to discriminating the NAT based on external port number, that would work, but my read of the OP's question is that he would not want to give out nonstandard port numbers to achieve this. Hogwash. Why would the OP not want to give out a port that works for a simple way to complete the requirement...
by llamajaja
Wed Oct 11, 2023 1:35 am
Forum: General
Topic: Tenda Access Point and Mikrotik as Router
Replies: 2
Views: 2914

Re: Tenda Access Point and Mikrotik as Router

provide a link to the correct tenda manual (user guide) and I will look.
by llamajaja
Wed Oct 11, 2023 1:34 am
Forum: General
Topic: NAT only allowing one NAT
Replies: 4
Views: 851

Re: NAT only allowing one NAT

New install 7.8??? 7.11.2 would be a new install.......
by llamajaja
Tue Oct 10, 2023 8:15 pm
Forum: General
Topic: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80
Replies: 9
Views: 1265

Re: Conditional NAT Routing Based on Domain Name for Two Web Applications on Port 80

What I would do is slightly differen, proxy or reverse anything sounds to complex for me and I am a rower LOL. I would not let tangent lead you astray to some tangent solution jajajaja..., and would direct all your domain name centric users 9 sistema1 ) to port 11080. Thus no conflict on entering th...
by llamajaja
Tue Oct 10, 2023 8:07 pm
Forum: General
Topic: Client accessing Internet through remote VPN link
Replies: 2
Views: 544

Re: Client accessing Internet through remote VPN link

After more thought, you may be able to accomplish the goal if you use two wireguard interfaces on the CHR, one for each Router. THat is because on one wireguard interface there can only be one peer with 0.0.0.0/0 and it has to be last in the order otherwise all traffic will go to this peer. SO, the ...
by llamajaja
Tue Oct 10, 2023 7:59 pm
Forum: General
Topic: Can't access DNS domain names from the router
Replies: 7
Views: 1309

Re: Can't access DNS domain names from the router

yup any dns rule in input chain should be dst-port and should stipulate in-interface--list=LAN
by llamajaja
Tue Oct 10, 2023 7:45 pm
Forum: General
Topic: Client accessing Internet through remote VPN link
Replies: 2
Views: 544

Re: Client accessing Internet through remote VPN link

Caveat valid for only wireguard as this I know. Well, you need a reachable endpoint. It certainly can be a friends house with a public IP or chr in a cloud server situation etc. So yes two routers can be linked as clients to the same Server Router and both router can reach the internet at the cloud ...
by llamajaja
Tue Oct 10, 2023 7:18 pm
Forum: General
Topic: Load Balancing issue in Mikrotik
Replies: 3
Views: 655

Re: Load Balancing issue in Mikrotik

Wow, I want that router maybe lays golden eggs too. :-)
by llamajaja
Tue Oct 10, 2023 7:16 pm
Forum: Beginner Basics
Topic: What model is best for this setup
Replies: 6
Views: 1181

Re: What model is best for this setup

Holve your wasting valuable posting time here when you could be waxing eloquently in my thread about IGMP and ax3!
by llamajaja
Tue Oct 10, 2023 6:34 pm
Forum: Beginner Basics
Topic: Transfer my Asus router to mikrotik [SOLVED]
Replies: 8
Views: 2054

Re: Transfer my Asus router to mikrotik [SOLVED]

Assume pppoe is coming on vlan20 add vlan20-ISP as an interface, with parent interface=ether1 ( assuming ether1 is assigned to ISP cable connection ). In pppp settings ADD + pppoe client Here add pppoe to the interface vlan20-ISP and simply keep the defaut name think its pppoe-out1. Done. In the ppo...
by llamajaja
Tue Oct 10, 2023 6:29 pm
Forum: Beginner Basics
Topic: Route through Mikrotik router
Replies: 1
Views: 725

Re: Route through Mikrotik router

Do you want the fortigate to get a public IP or double nat behind MT router?? Assuming you dont want the server to get a public IP either. It sounds like if this is the case then you need to decide how you want to divy up all the lan traffic towards three public IPS. a. subnets dedicated to specific...
by llamajaja
Tue Oct 10, 2023 6:26 pm
Forum: Beginner Basics
Topic: Wireguard VPN Setup to access NAS behind Microtik
Replies: 30
Views: 4681

Re: Wireguard VPN Setup to access NAS behind Microtik

Sorry for the late response, been busy with lot of stuffs. Now everything is working perfectly fine. I had to change the allowed address on VPN client from 0.0.0.0/0 to 192.168.88.254 to make internet traffic pass through the client's own network. Thanks a lot for your time and effort :) No worries...
by llamajaja
Tue Oct 10, 2023 6:21 pm
Forum: Beginner Basics
Topic: VLAN troubleshooting Mikrotik Router and Unifi Switch / Access points
Replies: 2
Views: 1576

Re: VLAN troubleshooting Mikrotik Router and Unifi Switch / Access points

No need for bridge related subnet it should do no dhcp servicing. vlan10 managment 10.0.20.0 vlan20 NAS 10.0.20.0 vlan30 untrusted ( guest wifi?) 10.0.30.0 vlan 5 home 192.168.0.0 How to setup up vlans ---> https://forum.mikrotik.com/viewtopic.php?t=143620 Since unifi by default expects management v...
by llamajaja
Mon Oct 09, 2023 10:22 pm
Forum: Beginner Basics
Topic: What model is best for this setup
Replies: 6
Views: 1181

Re: What model is best for this setup

Hi Moba, travelling in Europe so was easier to just start new name.
by llamajaja
Mon Oct 09, 2023 7:13 pm
Forum: Beginner Basics
Topic: `MovieStar Spain Fiber Modem Move Internet and IPTV to AX3
Replies: 3
Views: 1367

Re: `MovieStar Spain Fiber Modem Move Internet and IPTV to AX3

Excellent article with correct menus, in terms of removing internet and IPTV from the moviestar device, but heck getting IPTV setup on Ax3 is seemingly too difficult? https://www.redeszone.net/tutoriales/configuracion-routers/configurar-askey-rtf8115vw-movistar-bridge-puente/ Now this article points...
by llamajaja
Mon Oct 09, 2023 5:13 pm
Forum: Wireless Networking
Topic: Mikrotik hAP AX3 very bad Wi-Fi performance and coverage
Replies: 38
Views: 15743

Re: Mikrotik hAP AX3 very bad Wi-Fi performance and coverage

But where does it show what the actual gain and tx power settings currently are??
by llamajaja
Mon Oct 09, 2023 4:37 pm
Forum: General
Topic: Relation between Firewall and NAT
Replies: 3
Views: 821

Re: Relation between Firewall and NAT

In general, if one is connecting TO THE ROUTER, as in a VPN service offered by the router say something like wireguard, the remote user has to initiate a connection to the router and this is accomplished via the INPUT CHAIN!! (WAN to Router) If you are connecting to a SERVER behind the router ( noth...
by llamajaja
Mon Oct 09, 2023 2:52 pm
Forum: Beginner Basics
Topic: `MovieStar Spain Fiber Modem Move Internet and IPTV to AX3
Replies: 3
Views: 1367

Re: Reduce Triple Play to Single Play via AX3

So far: Relevant bits separated out........ /interface bridge add admin-mac=xx auto-mac=no comment=defconf igmp-snooping=yes \ multicast-querier=yes multicast-router=disabled name=bridge igmp-version=2 mld-version=1 vlan-filtering=yes /interface vlan add interface=bridge name= vlan-internet-6 vlan-i...
by llamajaja
Mon Oct 09, 2023 2:30 pm
Forum: Wireless Networking
Topic: Mikrotik hAP AX3 very bad Wi-Fi performance and coverage
Replies: 38
Views: 15743

Re: Mikrotik hAP AX3 very bad Wi-Fi performance and coverage

Where to find such paramaters.......gain tx power?
by llamajaja
Mon Oct 09, 2023 2:24 pm
Forum: Wireless Networking
Topic: GuestWifi DHCP Problems
Replies: 1
Views: 1281

Re: GuestWifi DHCP Problems

Your approach is flawed, if you want to use the RB4011 solely as an ap/switch with one flat network then your approach is sound. The RB4011 has a bridge with IP address set statically or assigned by the upstream router. However now you want a guest network, and you suddenly want the RB4011 to act as...
by llamajaja
Mon Oct 09, 2023 2:12 pm
Forum: Beginner Basics
Topic: Attempting to evolve from caveman's failover
Replies: 58
Views: 9570

Re: Attempting to evolve from caveman's failover

Start at para I..... feel your pain. viewtopic.php?t=182373
by llamajaja
Mon Oct 09, 2023 1:22 pm
Forum: General
Topic: Relation between Firewall and NAT
Replies: 3
Views: 821

Re: Relation between Firewall and NAT

THe only rule required in the forward chain is to allow port forwarding in general. add chain=forward action=accept comment="allow port forwarding" connection-nat-stat=dstnat Then in your dst-nat rules (dynamic wanip) add chain=dstnat action=masquerade protocol=??? dst-port=xxxxx in-interf...
by llamajaja
Mon Oct 09, 2023 10:43 am
Forum: Beginner Basics
Topic: What model is best for this setup
Replies: 6
Views: 1181

Re: What model is best for this setup

What is your budget? hapax2 hapax3 come to mind, you can elect not to use their wifi if not needed but both can handle the throughput.
For future growth the RB5009 is a great long term investment.
by llamajaja
Sun Oct 08, 2023 11:16 am
Forum: Forwarding Protocols
Topic: Suggestion for Enhancement to MikroTik's IP Traffic Flow (Source/Destination AS)
Replies: 17
Views: 5519

Re: Suggestion for Enhancement to MikroTik's IP Traffic Flow (Source/Destination AS)

Dont blame Normis and the staff doing the work. Such decisions are made at higher levels, aka the amount of resources allocated to working ON MT development etc... which would cut into the (millionaire) owners profits in the myopic short term...... Heresy!! So much unrealized potential is the sense ...
by llamajaja
Sun Oct 08, 2023 10:15 am
Forum: General
Topic: CHR behind NAT as WG Server [SOLVED]
Replies: 9
Views: 1884

Re: CHR behind NAT as WG Server [SOLVED]

As I stated you need to sourcenat the remote users coming from CHR and going to users/devices on the subnet of the ISP router. This means you need to treat the CHR like a router and set it up accordingly. If you want to use the CHR as simply a switch, then that would work if you could designate rout...
by llamajaja
Sat Oct 07, 2023 8:56 pm
Forum: Beginner Basics
Topic: `MovieStar Spain Fiber Modem Move Internet and IPTV to AX3
Replies: 3
Views: 1367

Re: Reduce Triple Play to Single Play via AX3

FIrst change. After reading the MT docs... It would appear that on the Bridge Itself, I should ENABLE multicast querier and turn OFF multicast router. On the interface bridge port (in this case WLAN ) going to a TPLINK extender connected by ethernet cable to the iptv set top box, I make PERMANENT th...
by llamajaja
Sat Oct 07, 2023 8:20 pm
Forum: Beginner Basics
Topic: `MovieStar Spain Fiber Modem Move Internet and IPTV to AX3
Replies: 3
Views: 1367

`MovieStar Spain Fiber Modem Move Internet and IPTV to AX3

My brother has an ax3 working fine off LAN port on movistar modem/router. It provides better wifi than the wifi provided by the modem router. We could leave well enough alone there, but he wants to see if most of the traffic responsibility can be hosted by the ax3. Specifically the internet and the ...
by llamajaja
Sat Oct 07, 2023 7:58 pm
Forum: Beginner Basics
Topic: Cross VLAN Multicast / PIM Config
Replies: 30
Views: 10242

Re: Cross VLAN Multicast / PIM Config

I noticed the following on 7.12rc............ *) pimsm - improved system stability; but more importantly in my case *) wifiwave2 - implemented an option to transmit IP multicast packets as unicasts; Reason being is I am going to attempt on an AX3, replacing ppoe internet on vlan, and IPTV on vlan on...
by llamajaja
Sat Oct 07, 2023 7:51 pm
Forum: General
Topic: Definitive guide to failover
Replies: 4
Views: 1699

Re: Definitive guide to failover

See paragraph I for starters. --- viewtopic.php?t=182373
by llamajaja
Sat Oct 07, 2023 7:34 pm
Forum: General
Topic: Config 2 routers to accsess same local server, double WAN,how?
Replies: 12
Views: 1683

Re: Config 2 routers to accsess same local server, double WAN,how?

Ahh, okay, Im not the one to describe a wifi to wifi connection but the concept is the same.......... R1 gets a wifi signal and its used as a WAN2 input......... so a different subnet then exists on R1. Whatever IP address is assigned to the R1 WLAN port is set statically on both devices by IP addre...
by llamajaja
Sat Oct 07, 2023 7:24 pm
Forum: General
Topic: Cant access router after enabling Wireguard VPN [SOLVED]
Replies: 6
Views: 1839

Re: Cant access router after enabling Wireguard VPN [SOLVED]

You completely deleted this setting from your new config.................. ITS MISSING /ip dhcp-server network add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\ 192.168.1.1 netmask=24 but remember change this to........ /ip dhcp-server network add address=192.168.1.0/24 com...
by llamajaja
Sat Oct 07, 2023 7:07 pm
Forum: General
Topic: Cant access router after enabling Wireguard VPN [SOLVED]
Replies: 6
Views: 1839

Re: Cant access router after enabling Wireguard VPN [SOLVED]

I know another rule that helps if there are internet issue when using the Nordvpn tunnel, so just in case you run into that later here it is.... /ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wire...
by llamajaja
Sat Oct 07, 2023 7:01 pm
Forum: General
Topic: Cant access router after enabling Wireguard VPN [SOLVED]
Replies: 6
Views: 1839

Re: Cant access router after enabling Wireguard VPN [SOLVED]

(1) Using 8.8.8.8 is fine but you have failed to get rid of the static setting............ (2) The allow rule for nordvpn is in the wrong order, not that it should hurt but its not ideal...ç Put that rule FROM: add action=drop chain=input comment="defconf: drop all not coming from LAN" \ i...
by llamajaja
Sat Oct 07, 2023 11:02 am
Forum: General
Topic: Tool to migrate/convert *.cfg.rsc between different devices
Replies: 10
Views: 2614

Re: Tool to migrate/convert *.cfg.rsc between different devices

Concur, I only deal in onesies, twosies, but looking after a whack of routers.......... a better method would be beneficial...
by llamajaja
Sat Oct 07, 2023 10:42 am
Forum: General
Topic: Config 2 routers to accsess same local server, double WAN,how?
Replies: 12
Views: 1683

Re: Config 2 routers to accsess same local server, double WAN,how?

are the two routers connected by ethernet cable?? if so, then treat the connection from R2 as WAN2 on R1. What is the function of Router 2, assuming its a cellular capable router what are your options on R2. Terminate the LTE signal into a public IP address and through NAT provide you with a private...
by llamajaja
Sat Oct 07, 2023 12:26 am
Forum: General
Topic: Cant access router after enabling Wireguard VPN [SOLVED]
Replies: 6
Views: 1839

Re: Cant access router after enabling Wireguard VPN [SOLVED]

Observations. 1. I know nothing about pppoe but are the max-mru and max-mtu set as defaults? Just asking as I dont know. 2. You should get rid of the static DNS settings.... and what the heck is 103. whatever??? Is that the nordvpn dns provided info? /ip dns set allow-remote-requests=yes servers= 10...
by llamajaja
Sat Oct 07, 2023 12:00 am
Forum: General
Topic: Config 2 routers to accsess same local server, double WAN,how?
Replies: 12
Views: 1683

Re: Config 2 routers to accsess same local server, double WAN,how?

You can terminate the WAN2 with a vlan as you have done...... On Router1, Create the vlan to the ethernet port interface the traffic is coming in on. in IP DHCP client ensure the interface is vlanXX. Done........ Now I will assume both WANS are capable of being reached by public or Domain Names. The...
by llamajaja
Fri Oct 06, 2023 11:53 pm
Forum: General
Topic: Config 2 routers to accsess same local server, double WAN,how?
Replies: 12
Views: 1683

Re: Config 2 routers to accsess same local server, double WAN,how?

Okay, the approach seems flawed to me. THe first router, the primary router gets a dynamic public IP. Therefore you can set any LANsubnet structure you wish behind this router. I personally prefer vlans if you need vlans and thus there is no bridge subnet it just is a bridge with no DHCP responsibil...
by llamajaja
Fri Oct 06, 2023 11:42 pm
Forum: General
Topic: CHR behind NAT as WG Server [SOLVED]
Replies: 9
Views: 1884

Re: CHR behind NAT as WG Server [SOLVED]

My apologies, rereading my advice I have no clue why I was even mentioning routing rules. Lets follow the path........ CHR is wireguard Server. To do this we need. a. listening port on ISP router forwarded to LANIP of CHR (wanip of CHR) b. listening port on CHR accept rule on input chain. c. default...
by llamajaja
Fri Oct 06, 2023 8:19 pm
Forum: General
Topic: Suggestions for a router?
Replies: 9
Views: 1261

Re: Suggestions for a router?

Thats fine, but the way we tested was the opposite end did an ookla speed test through my router and I did the reverse through the other router. Show results doing such real world tests and then I will beleive you. Trying to keep it real and not give false expectations. My equipment far site was isp...
by llamajaja
Fri Oct 06, 2023 8:16 pm
Forum: Beginner Basics
Topic: Hybrid VLAN and bridging in ROSv7 [SOLVED]
Replies: 18
Views: 6201

Re: Mikrotik VLAN routing for dummies [SOLVED]

The MT router is very flexible, you can do almost anything that is within the networking spectrum of allowable setups, however with later RoS and products the vlan filitering approach on one bridge works very well and is why its often cited. As soon as one goes to using one vlan for lan traffic one ...
by llamajaja
Fri Oct 06, 2023 7:18 pm
Forum: General
Topic: Poor WireGuard performance on RB5009
Replies: 5
Views: 3131

Re: Poor WireGuard performance on RB5009

Too much missing info........ In general, require only one bridge, add all vlans to the bridge. Remove frame types from bridge, and use them where applicable on bridge ports....... One wireguard interface is required only....... Understand you wish to separate remote users from another wireguard sit...
by llamajaja
Fri Oct 06, 2023 7:06 pm
Forum: General
Topic: Tool to migrate/convert *.cfg.rsc between different devices
Replies: 10
Views: 2614

Re: Tool to migrate/convert *.cfg.rsc between different devices

Yes pe1chi, dont exaggerate the problem. Changes are not that different and its not that hard or time consuming........... What next the router needs to hold your member so you can take a whiz with no hands???
by llamajaja
Fri Oct 06, 2023 6:54 pm
Forum: General
Topic: Suggestions for a router?
Replies: 9
Views: 1261

Re: Suggestions for a router?

I do not think that you will be able to achieve 500Mb with any MT router. I am maxed out on two 1gig connections with the same provider a few miles apart and the best we can achieve is around 300 or so.... Concur that you should do better than 100, but only if both ends of the connection provide eno...
by llamajaja
Fri Oct 06, 2023 6:51 pm
Forum: General
Topic: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2
Replies: 18
Views: 2107

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

Looking at mangling,,,,,,, I will assume the following. a. there are no local LAN servers that external users are accessing. b. there are no external users using Router services ( no incoming vpn handshakes to the router ). c. There is only ONE user that needs special treatment to go out NET as the ...
by llamajaja
Fri Oct 06, 2023 3:11 pm
Forum: General
Topic: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2
Replies: 18
Views: 2107

Re: DNS Resolution Issues with two ISPs on RB4011iGS+ OS 7.11.2

(1) Remove this static dns setting, not required. /ip dns static add address=192.168.1.1 comment=defconf disabled=yes name=router.lan (2) This is useless....... If you are trying to identify two different groups of users (to use the two different WANs) You have listed the entire subnet!! For example...
by llamajaja
Fri Oct 06, 2023 2:29 pm
Forum: General
Topic: The predicted demise of "tls-host=" firewall filters is near!
Replies: 21
Views: 3150

Re: The predicted demise of "tls-host=" firewall filters is near!

IP cloud service, what could MT do here, heck even for a small price,,,,,,,,, Normis might even get a raise!!
by llamajaja
Fri Oct 06, 2023 2:20 pm
Forum: General
Topic: Tool to migrate/convert *.cfg.rsc between different devices
Replies: 10
Views: 2614

Re: Tool to migrate/convert *.cfg.rsc between different devices

Too funny, I think its pure genius that I can export a config file and put any of the script file directly into the command prompt of another router and insert exactly the same code. So effing convenient.........
by llamajaja
Fri Oct 06, 2023 2:18 pm
Forum: General
Topic: Generating WireGuard peer configuration on MikroTik without shell access
Replies: 3
Views: 2627

Re: Generating WireGuard peer configuration on MikroTik without shell access

Looking at 7.12rc, they have added CLI commands for generating QR codes so progress is being made. I asked if there was an intention to move this to winbox and also to provide some CLI examples for this. The more that ask the more likely it is done!
by llamajaja
Fri Oct 06, 2023 2:08 pm
Forum: Announcements
Topic: v7.12rc is released!
Replies: 225
Views: 109632

Re: v7.12rc is released!

Will the wireguard creation file capability get moved to winbox or will stay only with CLI, if so can some CLI examples be added to the docs....
There are some hints for Back to Home, but that should be moved to under the wireguard documenation section, and with more meat on the bone (IMHO).
by llamajaja
Fri Oct 06, 2023 10:42 am
Forum: Beginner Basics
Topic: Moving from USG to Mikrotik
Replies: 7
Views: 4902

Re: Moving from USG to Mikrotik

Can you better explain the shortcomings of the RB5009 you noted.
" I don't run DHCP or DNS on RouterOS because it doesn't allow for the flexibility I need and also the DNS implementation in RouterOS 7 is troublesome."
by llamajaja
Fri Oct 06, 2023 10:40 am
Forum: Beginner Basics
Topic: Hybrid VLAN and bridging in ROSv7 [SOLVED]
Replies: 18
Views: 6201

Re: Mikrotik VLAN routing for dummies [SOLVED]

Bla bla bla
@llamajaja … aka @anav …. Did they ban you AGAIN ??? goodness gracious great 👍
No, I have been a good boy lately, even quiet on the "must have zerotrust cloudflare in an options package" mantra LOL.
--> simply travelling..........
by llamajaja
Fri Oct 06, 2023 10:34 am
Forum: Beginner Basics
Topic: Port forwarding and firewall rules
Replies: 3
Views: 2231

Re: Port forwarding and firewall rules

First things first. I am not happy to see this rule in the input chain. add action=accept chain=input comment=" allow IP from WAN " in-interface=\ pppoe-out1 log-prefix=_allowWAN src-address-list=AllowWAN I understand the need to be able to config the router remotely but this method is a s...
by llamajaja
Thu Oct 05, 2023 11:58 pm
Forum: General
Topic: FTP client blocked
Replies: 5
Views: 2357

Re: FTP client blocked

concentrate on hairpin nat.
loopback button doesnt exist on MT RoS, you have to add the functionality manually.
your destination nat rule is incomplete as well.
do you have a fixed wanip static or dynamic answer will help guide you
by llamajaja
Thu Oct 05, 2023 11:52 pm
Forum: General
Topic: Dual WAN Setup: Winbox Accessible but NAT and OpenVPN Issues
Replies: 2
Views: 628

Re: Dual WAN Setup: Winbox Accessible but NAT and OpenVPN Issues

oops that was version 7 firmware.......... Same idea though.......... (just dont need to create a table separately) Need IP route add dst-address=0.0.0.0/0 gateway=isp2-gatewayIP routing-mark =useWAN2 Need routing rules add action=lookup-only-in-table dst-address=other-Subnet table=main ( remove if ...
by llamajaja
Thu Oct 05, 2023 11:48 pm
Forum: General
Topic: Dual WAN Setup: Winbox Accessible but NAT and OpenVPN Issues
Replies: 2
Views: 628

Re: Dual WAN Setup: Winbox Accessible but NAT and OpenVPN Issues

No mangling required. External initiated traffic heading for the local lan servers is only coming in on WAN2 and thus routing rules should suffice. add action=lookup-only-in-table src-address=serverA-IP table=useWAN2 add action=lookup-only-in-table src-address=serverB-IP table=useWAN2 add fib table=...
by llamajaja
Thu Oct 05, 2023 10:55 pm
Forum: Beginner Basics
Topic: Hybrid VLAN and bridging in ROSv7 [SOLVED]
Replies: 18
Views: 6201

Re: Mikrotik VLAN routing for dummies [SOLVED]

Basically to setup vlans, you have good references. For managing vlan traffic, the basic default firewall rules are not quite sufficient or more accurately efficient. Best to change the following default ruleset from: add action=drop chain=forward comment="defconf: drop invalid" connection...
by llamajaja
Thu Oct 05, 2023 10:39 pm
Forum: Beginner Basics
Topic: hAP ax3 Port forwarding not working
Replies: 16
Views: 1882

Re: hAP ax3 Port forwarding not working

So the ubiquiti provides a LAN subnet of 192.168.1.0/24 and its address is 192.168.1.1, this is all good and normal. However the ubiquiti itself must get a public IP address on the WAN side. What you need to do simply use whats my IP in a browser to figure out the public IP the ubiquiti is getting c...
by llamajaja
Thu Oct 05, 2023 10:00 pm
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 27
Views: 3221

Re: Help on applying advanced firewall rules

I would say unless you understand what each rule is doing, what raw means vice other filter categories etc..... then you are over your head and shouldnt be applying these rules....... and should go for a clean lean and safe config. If interested let me know.
by llamajaja
Thu Oct 05, 2023 2:32 pm
Forum: General
Topic: The predicted demise of "tls-host=" firewall filters is near!
Replies: 21
Views: 3150

Re: The predicted demise of "tls-host=" firewall filters is near!

I understand both needs. Its no ones business (ISP, google) etc, to see what I am doing. On the other hand..... I may not want my network to be used for destructive social programs such as instagram or facebook etc.......... even if just temporarily aka 6 months. I have come to the conclusion is tha...
by llamajaja
Thu Oct 05, 2023 2:22 pm
Forum: General
Topic: Multiple WANs, load balancing plz help its little complicated
Replies: 2
Views: 637

Re: Multiple WANs, load balancing plz help its little complicated

In broad concept terms..... Ensure your mangles includes marking connections coming in on WANS1-5 (prerouting) and marking routes (output chain) for any return traffic. Ensure you dont include WAN5 in PCC mangle rules. Ensure you create an interface list for all the LAN subnets that need to be part ...
by llamajaja
Thu Oct 05, 2023 2:09 pm
Forum: Beginner Basics
Topic: Help on applying advanced firewall rules
Replies: 27
Views: 3221

Re: Help on applying advanced firewall rules

Why. a ROUTER is for routing authorized traffic, you seem intent or focussed on blocking traffic. Most of that is not needed. Best start of with a basic firewall, ensure users on lan have access to services on input chain, access to wan on forward chain and drop all else in both chains. Suffices for...
by llamajaja
Thu Oct 05, 2023 2:06 pm
Forum: Beginner Basics
Topic: Cross VLAN Multicast / PIM Config
Replies: 30
Views: 10242

Re: Cross VLAN Multicast / PIM Config

So the conclusion is that with the latest firmware one can multicast between vlans successfully?