MikroTik

vingjfg

Ok. I will brush up on my multicasting tonight and will look more in details tomorrow morning.

vingjfg

OK. First thing, let's change the autonegotiation to only attempt 1Gb/s: in some cases 2.5Gb/s may raise issues. Can you issue the following command? This may interrupt your connectivity for a second. /interface/ethernet/set [find name=ether1] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,...

vingjfg

Up to you. If you are game, we can try to go to the bottom of it.

Thx for the link, opening and reading now.

vingjfg

Yo. With the TV on wired, can you send the current configuration as well as the following outputs? Replace /interface/ethernet/monitor [find name=ether1] once /interface/bridge/monitor [find name=bridge] once /interface/bridge/mdb/print Also, you referred to a page in Spanish documenting the configu...

vingjfg

Hello there,

Can you post your firewall configuration here after you removed the sensitive bits?

In the terminal, issue

/ip/firewall/export

vingjfg

From your configurations, there is an upstream device or devices to which your AP connect. Can you send the configuration of the one to which AP2 connects?

vingjfg

Should be fine. Create the vlan and add the ip to your management vlan.

Port config should be trunks to the network devices and access in whatever vlan for the rest.

vingjfg

I would be very careful mixing VLAN and unmanaged switches, as there is a chance that you'll crash the device, the worst would be that the crashes occur with large packets, that is: seemingly randomly. If you can, ask for a small budget and get a few manageable switches to replace the unmanaged devi...

vingjfg

First, can you fix the netmask on your bridge interface? /ip address add address=192.168.0.1 comment=defconf interface=bridge network=192.168.0.0 Should be /ip address add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0 Second, masquerade implies natting behind the device...

vingjfg

Morning,

Please post you router configuration.

vingjfg

You can make the feature request in the support portal: https://mikrotik.com/support

vingjfg

Hi there. Can you remove the route rule? I suspect it is messing with the connection. From the 10.10.10.0/24 network, if you want to connect to your SSH servers, either your host has a direct route to 192.168.55.0/24 via 10.10.10.10, or you need to set up hairpin NAT on the Mikrotik so it can proces...

vingjfg

My experience with ROs 6 is that trying to set up the mesh can be a lot of trouble. With 2 devices, consider one as AP, the other one as STATION-BRIDGE. That works rather well.

My setup has 3 Audience and they are plowing along without a hitch.

vingjfg

No need to do VLAN filtering on CAPs, that is handled by (the old) CAPsMAN through datapath indeed. Only when using the new wifi-qcom-ac driver, it is required. Unless you have to do some VLAN filtering because of a second LAN port, please leave CAPs mode as default (except for identity). Can you s...

vingjfg

On the AP, if you issue the following command, do you have your additional VLANs? /interface bridge vlan/print As far as I understand CAPSMAN and the datapath, the Wifi will be associated to the correct VLANs on the bridge, but the VLAN themselves are not created on the bridge. When you have the VLA...

vingjfg

Yo! On the AP(s), you need to create the relevant VLANs, that is not automated by CAPSMAN (unfortunately). Provided that ether1 on the AP is the trunk back to the main switch: /interface bridge vlan add bridge=bridge-trunk tagged=ether1 vlan-ids=11 add bridge=bridge-trunk tagged=ether1 vlan-ids=13 a...

vingjfg

Here is the config between code tags. That's easier to read and copy-paste. That being said, there is nothing in this configuration, at least not the WLAN that you mentioned in your message. Can you post the configuration from the CAPSMAN manager? /interface bridge add mtu=1500 name=bridge-trunk pro...

vingjfg

Can we get source IP on bandwidth test tool
Really painful on complex link routers when you can't control what IP the test launches from.

Hi there! The best way to submit a new feature is through the support portal:
https://help.mikrotik.com/servicedesk/s ... r/portal/1

vingjfg

Hi. I will do a few IPv6 tests over the weekend. Reading your configuration, I have a few comments and questions. Here are the configuration bits and my notes. /interface pppoe-client add add-default-route=yes disabled=no interface=ether1 name="ISP PPPoE" \ service-name=internet user=bthom...

vingjfg

For the DHCP issue, that's a good question, no idea really where it can be as it seems intermittent. I would start by checking on which AP the laptop(s) connect, make sure they get a correct registration entry in the CAPSMAN, that their MAC is present on the switch and everything.

vingjfg

Do you see your Mac in the host list?

vingjfg

Do you have a machine on the wifi?

vingjfg

Can you send the output of

 /interface bridge host print

vingjfg

OK, slight change of plans: you are using the native VLAN on the RB and cAP for the management. Let's keep it that way. On the RB, let's assign an IP to the BR1 interface, add it to the BASE list and create a DHCP server. /ip address add interface=BR1 address=192.168.64.1/24 /ip pool add name=pool_a...

vingjfg

You assign the ip to the vlan interface.

Can you post the cAP's config?

vingjfg

Config has no dhcp on base. Did you set a static IP, gateway and dns?

vingjfg

You need to allow BASE to access the Internet as well, add something like /ip firewall filter add action=accept chain=forward comment="BASE Internet Access only" connection-state=new in-interface-list=BASE out-interface-list=WAN After this one add action=accept chain=forward comment="...

vingjfg

Yeah. It didn't register with me, but this rule is rather wrong: /ip firewall raw add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=not_in_internet It will drop all traffic with private IP coming from the internal networks, where the intent is to dr...

vingjfg

Do you have an IP on eth1_WAN? And a default route?
Yes, the home router assigned 192.168.1.146 to the RB.

Ahhh okay! The masquerade rule should still work though. On the RB, do you see any rule counter increasing? Any NAT counter increasing?

vingjfg

There are some defaults that can be selected during the install. From the page:

Google
OpenDNS
Level3
Comodo
DNS.WATCH
Quad9
CloudFlare DNS
Custom

vingjfg

For DHCP, I have netmask=24 on each network. It should not matter: the default (netmask=0) uses the netmask from the IP address. Yup, eth1_WAN is a member of the interface list WAN. Your srcnat rule is incorrect - it means "anything going through and exiting through WAN should be natted behind ...

vingjfg

I'll get a look at your config later today. Meanwhile, can you send the output of "ipconfig /all" on your gaming computer with the isp router and then with the rb5009?

vingjfg

Can you send the output of

show crypto ipsec sa

On the asa?

vingjfg

No, you can't create an ACL with multiple interface-lists (unfortunately ...), so the solution is to create successive rules /ip firewall filter add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=VLAN add action=drop chain=forward dst-address=77.66.21.133 in-interface-list=BASE...

vingjfg

Hi there. My comments - Chain input looks good. Chain forward: I think this one has the in-interface wrong add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=not_in_internet\ in-interface=BR1 log=yes log-prefix=!public_from_LAN out-in...

vingjfg

I suspect there are still issues with the export - for example 192.168.0.1 is assigned twice: once to BASE_VLAN, once to Employee_VLAN. Firewall filter The first 4 rules mask all the rest for the chain=input . Checking is easy: do you see the counters below the 4th rule incrementing? /ip firewall fi...

vingjfg

Yup, having a look in a second.

vingjfg

As far as I understand, CAPSMAN does a lot but not everything. Regarding the interface on the RB - have you added BR1 as listening? I am unsure whether eth3 would work as it is a member of the bridge and not a standalone interface. Another possibility is to define the DHCP option caps-manager=<capsm...

vingjfg

This is my cAP: OK, that is really minimalist :lol: So, there is no DHCP server on VLAN1 (interface BR1, 192.168.0.0/24) on your RB. Do you prefer setting a static IP on the cAP or using DHCP? Or did you remove that info from the RB? Your bridge on the cAP needs VLAN-filtering, and you still need t...

vingjfg

My comments on the configuration of the RB . protocol-mode=none can be problematic as the bridge then floods the unknown multicast packets on all ports - that includes LACP PDU, LLDP, spanning tree et al . I have a ticket open for this setting breaking the LACP bonds attached to a switch. Unless you...

vingjfg

Can you post the configuration (minus the sensitive bits) of your RB and one of the cAP? It's in my first post. I'm not with the cAP now, but can provide it in an hour. But the cAP is just factory reset with CAP mode. No other settings made. Works for me, as long as the configuration you posted is ...

vingjfg

Can you post the configuration (minus the sensitive bits) of your RB and one of the cAP?

vingjfg

You can also use the TLS Host to reset the connections to the sites you don't want.

https://mum.mikrotik.com/presentations/ ... 535774.pdf

vingjfg

Alright then. I'm reading on CAPsMAN with the old Wireless driver. Immediately, I see that in Wireless -> CAPSMAN Interface -> Manager -> Manager Interface, you have the all/Forbid above the eth3_MikrotikAPs. Can you invert that order? If that doesn't work, can you set the "all" to "f...

vingjfg

In my case, I had to select the persistent name assignment, and manually add each wifi interface to the relevant vlan on each device (audience)

Do you see the remote caps on the manager?

vingjfg

Would help to have the same on both.
Can you install the wireless package on the cap as well?

vingjfg

Can you post the list of packages installed on your rb and cap?

vingjfg

Wifi -》 remote caps

vingjfg

BTW, the datapath has vlans. In my case that was an issue.

vingjfg

That's good. Do you see the capsman clients on the RB?

vingjfg

Totally should. Do you see your cAP's MAC in the bridge host table?

vingjfg

Eth3 part of a bridge on which capsman listens

vingjfg

Do the cAP have l2 connectivity to the rb? Wired?

vingjfg

Yup, the implementations are incompatible between 6 and 7.

vingjfg

Hi there.

All cAP are at version 7.14 and can see the manager at l2?

vingjfg

Wow wow wow! An IP should be present once and only once - remove the IP addresses assigned directly to ether3 - this interface should be L2 only, no IP. The IP addresses must be on the VLAN interfaces. Can you reconfigure it for the following: IP addresses on the VLAN interfaces, not on ether3 ether...

vingjfg

The setting you see in IP -> Firewall -> Service Ports are the Application Layer Gateways ("ALG"), which transparently transform the traffic going through the Mikrotik. In the case of SIP, that is to rewrite the fields via and contact, to mention only two. Your router doesn't act as a SIP ...

vingjfg

Hi there. If you do the following, does your computer get an IP in vlan 50? /interface bridge port set [find interface=ether3] pvid=50 If you don't have a pvid defined for a bridge port, its default is whatever is defined as pvid for the bridge itself, which you can get with a bridge print. By defau...

vingjfg

Do you have a way to capture some traffic on that port on your host?

vingjfg

As tangent says, there is no better solution here, just pick the one you feel is the most manageable for you and stick to it. I tend to use the interface name to describe the type of connection (ether, pppoe, wifi), and the list name to describe the role (WAN, LAN-Trusted, LAN-IOT, LAN-PRINTERS). As...

vingjfg

Hmmm these are addresses on your local network. If your Mikrotik is doing the PPPoE with your ISP, well I guess you have Internet access, and your modem is just bridging between the two, then it may be hard to get its MAC. Have you checked the underside of the modem? Also, if it is Proximus, I guess...

vingjfg

Digging further, it seems that anything coming or going to a Wifi interface is not fasttracked. Question asked to the support.

vingjfg

Recently, I played with the tls-host fields in the rules. I noticed that the connections were half-fasttracked - meaning only one of the counters is increasing. My setup is like this: boubou.drawio.png The wired connections are untagged, the wifi between the routers is tagged and defined as AP-BRIDG...

vingjfg

Yo So, this rule - /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.1.2 dst-port=80 \ in-interface=bridge-local protocol=tcp src-address=192.168.1.253 \ to-addresses=192.168.1.2 to-ports=80 It reads "When a packet comes from 192.168.1.253 to original IP address 192.168.1.2 o...

vingjfg

Yes, I could, but I'm not fully sure what you mean by config and probably how to get it. Could you say how, please, pref via WinBox. Thanks In Winbox, click on the button "New Terminal". There, type the command /export file=myExportedConfig In the files section, you will have a new file c...

vingjfg

Hi there. Can you share your current config minus the sensitive parts?

vingjfg

Any chance you can capture some traffic?

vingjfg

Good! The reason I asked is Mikrotik is notable for not repeating mDNS across subnets.

So, both the homepod and iPhone are connected to Wifi and both get an IP in the same subnet, correct?

vingjfg

OK. Are the Homepod and the iPhone on the same L2 network?

vingjfg

As pfturner said, you need to accept NDP advertisements on the WAN interface. Try adding the following and move them above the final deny /ipv6/firewall/raw add chain=icmp6 action=accept in-interface-list=WAN icmp-options=134:0-255 limit=5,10:packet log=no log-prefix="" \ protocol=icmpv6 h...

vingjfg

If I read this correctly, you are not setting the band 2ghz-n to your configuration. Try

/interface/wifi/configuration
set [where name=hidden_2G] channel="2G N"

//JF

vingjfg

OK! I was uncertain as you posted the ip firewall raw for IPv4 and information for IPv6 - but mentioned the issues related to connectivity so I went with IPv4. I saw a few things in the info you sent, namely that you use the interface-list name "VLAN" and not "LAN", keep in mind ...

vingjfg

So it is getting the right IP from the reservation in DHCP, so all good. If you set the IP on the server to static, DHCP will never see any request from the server and will thus never say that it is assigned: it will stay as "waiting" in the DHCP server. If you set the server to get the IP...

vingjfg

Hi there!

Then I am confused - you said you had issues when you added the ip firewall raw rules - do you mean you have issues when you do the same with the ipv6 firewall raw rules?

vingjfg

Your /ip/dhcp-server/export is missing a few items. And you didn't send the output of ip link on the Debian box.

Regarding finding what IP a MAC is assigned (or tries to get), you can look in the logs

/log/print where topics~".*dhcp.*"

vingjfg

Well, it seems you sent me the ipv6 bits and not the ip(v4) ones - can you send again the ipv4 addresses and address-list?

vingjfg

Hi there!

Can you post the output of the following commands?

/ip/address/print
/ip/firewall/address-list/print
/interface/list/member/print

Also, when posting commands or outputs, consider using the code tag (the button is </> above). This presents the information in a nicer format.

vingjfg

Hi there.

I'd start by checking what wifi settings are negotiated between the pod and the fritzbox, and see whether that's available or configured on the cap/ax3.

vingjfg

Hi there.

Can you provide an expunged/sanitized config?

When you have the blank arp table, is all l3 connectivity lost? Or does everything works as usual?

vingjfg

The following command should give you the information as local-address /ip/route/print detail where dst-address=192.168.1.0/24 Flags: D - dynamic; X - disabled, I - inactive, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, i - is-is, d - dhcp, v - vpn, m - modem, y - bgp-mpls-vpn; H...

vingjfg

Hi!

Can you post the output of the following command?

/ip/dhcp-server/export

Also, consider running "ip link" on your Debian server, so I have the MAC address.

vingjfg

Nope, I only see the local DNS resolver and not its upstream. resolver #1 nameserver[0] : 192.168.2.1 if_index : 4 (en0) flags : Request A records reach : 0x00020002 (Reachable,Directly Reachable Address) Can you check on your Mac in the network settings, advanced settings, whether 1.1.1.1 was added...

vingjfg

Interesting. Let me fire up my old mac to see what scutil says.

vingjfg

Can you check that this DNS is not configured as an option in your DHCP?

> /ip/dhcp-server/network/export
...
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 netmask=24

vingjfg

Deadpete, You can restrict the advertised speeds on the link. For example to restrict ether1 to 100M/full or 1G/full, you may use the following. /interface/ethernet/set [find default-name=ether1] advertise=100M-baseT-full,1G-baseT-full This could be an alternative to forcing speed/duplex, as this wi...

vingjfg

If you're willing to give a second shot, here is my lab setup. Mikrotik: external 10.0.0.2, loopback 10.255.255.1/32, tunnel 10.255.254.1/30 Cisco: external 10.0.1.2, loopback 10.255.255.2/32, tunnel 10.255.254.2/30 Mikrotik configuration (relevant bits) /ip ipsec profile set [ find default=yes ] dh...

vingjfg

So the Pi may be a special case. Let's focus on the USB Server then. Currently, only destination NAT is defined - can you look what happens when you try to connect to it from a computer (not the Pi) on your WIFI: torch or packet capture on R1 and R2 - R1 should see 10.30.30.3 and 192.168.100.xx, R2 ...

vingjfg

OK. On the pi, can you send me the output of the following? ip neigh ip route ip link sudo ufw status In R1, when 192.168.88.254 (pi) accesses the Internet, do you see the connections from 192.168.88.254? Or from 10.30.30.2? From 192.168.88.253, there is no srcnat yet so you must see the original IP...

vingjfg

Hi there Can you send the command you created? /ip/firewall/raw/export /ip/firewall/address-list/export Regarding limiting the number of email per hour per IP, not that I know of in the default configuration. The Mikrotik has a pretty basic firewall and in no case something that does DPI/L7 inspecti...

vingjfg

Almost there. Bridge bridge : interface sfp1 is part of the bridge while being used as a L3 interface later. Can lead to issues, especially that bridge and sfp1 are in different interface lists. Firewall chain forward : your natted traffic will go through the default rule and will not show in the st...

vingjfg

Both the host route and the proxy-arp are needed if you don't add a secondary IP to the interface. Adding a secondary IP is not my preferred solution but that's one that works.

Can you send a fresh export of the configuration on R2? There were a few changes and I lost track of which.

vingjfg

Not needed, but check whether the Pi has a firewall set locally.

vingjfg

By the looks of it, this is from R2. Do you have an ARP entry on R1 for 10.30.30.2?

vingjfg

Then on R2 you need to set the interface sfp for proxy-arp. You still need the route for 10.30.30.2/32 to 192.168.88.254.

Adapt the following line of code.

/interface/ethernet/set [find name=sfp1] arp=proxy-arp

Note that sfp1 is still present in the bridge, while being used as a L3 interface.

vingjfg · Re: 1:1 NAT configuration But do you have an ARP entry for 10.30.30.2 on R1?

But do you have an ARP entry for 10.30.30.2 on R1?

vingjfg

No ARP entry.

On R2:

/ip/route/add dst-address=10.30.30.2/32 gateway=192.168.88.254

And try again

vingjfg

On R1.

/ip/arp/print

Do you have an entry for 10.30.30.2?

(If you posted it in the screenshot, can't see it, resolution is too low.)

vingjfg

Sure thing.

If you look in r1, do you see an arp entry for 10.30.30.2?

If not, you need a route host in r2 for 10.30.30.2 that points to your pi. You may have to set proxy arp on the external interface as well, can't remember whether it 's needed.

If you need the commands, let me know.

vingjfg

Can you share the config for R1?

Also, you use action netmap instead of srcnat/dstnat. Be sure to understand how netmap works as it had some subtleties.

vingjfg

Given that the server and the clients are on the same network, the initial packet goes through the router and is dst-natted to 10.0.0.10, but the response goes directly from the server 10.0.0.10 to the client, which expected a reply from 10.0.0.1. The client drops that datagram. If you *really* want...

vingjfg

Seems like a mtu issue, see viewtopic.php?t=155014

vingjfg

Last one for today. If that doesn't work, I will make a lab tomorrow: can you give the 10.0.40.10 ip to your pc and check again?

vingjfg

That's uncanny. Can you post the whole config (remove the private bits)?

vingjfg

Well, paint me green and call me a pickle ... Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU # TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE CPU 0 6.192 wifi8 192.168.2.6:35454 192.168.2.1:1234 udp 42 3 1 6.192 bridge 192.168.2.6:35454 192.168.2.1:1234 udp 46 3 ...

vingjfg

What might play is if the ethernet interface on the router (the one with IP 10.0.40.254) is itself down because of link-down. Can you connect something to it, like a mini-switch or anything that will make the link go up?

For the non-existent host, my gut feeling is no, but I am about to do a test.

vingjfg

Nope, you are right - my mistake.

You should upgrade to 7 first, then install the qcom driver.

vingjfg

That is ... weird. I created a test rule - Flags: X - disabled, I - invalid; D - dynamic 0 X ;;; defconf: masquerade chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none 1 ;;; Test chain=dstnat action=dst-nat to-addresses=172.29.0.1 protocol=udp src-address=192.168.2.0/24 dst-...

vingjfg

From the configuration you sent, you have RouterOS 6.49.14. Try:

https://cdn.mikrotik.com/routeros/6.49. ... .49.14.zip

vingjfg

That is correct - the to-address will not affect the matching of the rule. If the counters are not incrementing, it means something is getting in the way earlier than the rule. To confirm, because you had an input rule that said 3260 and not 1234: The source address is 10.0.10.10 The destination add...

vingjfg

Hello there! Can you share the configuration of one of your wAP AC devices? do not forget to put the configuration between code tags (see: viewtopic.php?p=1051702&hilit=forum#p1051702 for more info).

vingjfg

Ha HA! You wrote initially: ... The machine IP address is 10.0.10.10 The machine does not have a gateway. The router IP address on that interface is 10.0.10.1, which is also the destination IP address of the UDP packages. The destination port is 1234 I can see the incoming traffic using the /tool/to...

vingjfg

Note that you can print all the rules for a given chain by using where=<chain to display> in your print statement. For example all the rules in the input chain: /ip/firewall/filter/print where chain=input The dst-nat arrives before the firewall - so as you change the destination for a non-local addr...

vingjfg

Hi there! The nat rule you sent seems correct. What I cannot say is whether it is high enough to avoid the traffic being matched by another rule. Can you edit it to add the src-address so it looks like the following line, and move it above whatever other dstnat you may have in place. Also, consider ...

vingjfg

That should be the way. Just to be sure, the address-list exists, correct?

Can you provide the error message? And the version of ROS?

vingjfg

As mkx said, you didn't really fix it, you simply changed it to something that happens to work most of the time. In the second packet capture you joined, you see something that will put you on the path: your PC send arp requests for 10.10.5.50 but gets no answer. Here is a discussion that should giv...

vingjfg

Fixed in Observium. Thanks for your support.

Glad to hear it! Please mark this as solved if you get a chance.

vingjfg

IP adress config from your Mikrotik router.

PCAP is a packet capture. You said you took one.

I am interested in seeing the icmp and arp packets.

vingjfg

Can you share the ip address config?

Also, can you share a pcap?

vingjfg

The MAC 00:00:00:00:00:00 indicates a conflict: likely the Mikrotik attempted to hand out the IP 192.168.80.222, but its check determined that IP is already on the network, so Mikrotik blocks it in the pool. As Holvoetn says, it could be a static IP on the Ruckus. Other possibilities I can see: The ...

vingjfg

I tried a snmpwalk with the top of the LLDP OID tree and I get the info.

snmpwalk [...] -m MIKROTIK-MIB -m LLDP-MIB 192.168.2.1 1.0.8802.1.1.2

If you haven't, can you download the Mikrotik MIB and add it to your tool?

https://mikrotik.com/download

vingjfg

Wow, you didn't make it easy for you! The issue I see is that the packet goes in the VPN from the central site to the remote site, is put on the local network, arrives at the windows server .., which tries to reply to 192.168.1.0/24 on the local network. In order for this to work, you will have to p...

vingjfg

Hi there, There is a support portal: Support portal. Regarding lldp and the sending interface, that should be the property interface-name . [admin@********] > /ip/neighbor/print detail 0 interface=wifi3,bridge mac-address=XX:XX:XX:XX:XX:XX identity="*****" platform="" version=&qu...

vingjfg

No worries. Regarding your NAT rule, taking one at random: /ip firewall nat ... add action=accept chain=srcnat comment=ISW_Endpoints dst-address=\ 172.x.x.11 log=yes log-prefix=ISW src-address=105.x.x.19 ... This means "For connections coming from a.b.c.19 and going to 172.x.x.11, do not change...

vingjfg

It looks like the two certificates from letsencrypt actually have different key size: Screenshot from 2024-02-10 21-13-28.png 2048 (MT) vs 4096 (pfsense) I don't know - in the logs with the failure, the certificate status is found as "good", which would indicate that the certificate is ac...

vingjfg

My mistake, I missed the sha256 in the config. Your pfsense has pfs in phase 1, the MT config says none. Can you try setting one?

Nope, nothing obvious I see.

vingjfg

If I read this correctly, your ikev2 p1 has only sha1 defined. Can you add sha256?

vingjfg

For the formatting, please enclose the configuration or config statements between code tags. Looking at your config ... there are severe issues, for example you have the WAN and ISW interfaces parts of the same bridge, while ISW and LAN are part of the same interface group. This begs the question of...

vingjfg

Can you check the IKE p1 proposal on the MT? From the last excerpt, it works with SHA-2 384.

vingjfg

Sure, add the /32 to the tunnel domain on both sides and a nat rule on the server side.

Send the anonymity configs if you want.

vingjfg

Could you post a diagram with this?

X.x.x.19 - you wrote "... assigned to a dedicated private server ..." Do you mean it has a private ip and nat? Or directly the public ip?

vingjfg

Would changing the Radius server be possible?

vingjfg

This is a bit of a feature that is becoming a bug: "protocol-mode=none" not only disables spanning-tree but results in all L2 multicast frames being forwarded to all ports as well. As a result, the switch was forwarding the LACPDU from one ethernet port to another, resulting in the Cisco s...

vingjfg

Hmm... a summary read of your logs shows only broadcasts and multicasts.

vingjfg

For the bridge, could you change the "protocol-mode" to "rstp" and see if it changes something?

vingjfg

No worries.

Can you send the output of the following commands?

/interface/bonding/print
/interface/bridge/port print
/interface/bridge/print detail

vingjfg

As @mesquite and @mkx said plus:

Let's check from the server out.

On the server, can you get the output of the following?

ip addr
ip route list

vingjfg

Thanks for posting here. Note that you haven't posted all I asked. Regarding your test, I suspect you are trying from the same network as your server is on. This cannot work as is, as this needs hairpin NAT. For all to work correctly, your NAT rule should look like this. Replace <PUBLIC IP> with you...

vingjfg

If I understand you correctly: if you pick two ports that don't include gi7 on the Cisco it works fine?

vingjfg

First, please post the images here instead of on an external site. The rule states an inbound interface whose name is "all wire..." - is that your internal (LAN) or external (WAN) interface? Given that the masquerade rule has an outgoing interface of "pppoe-...", I suspect the in...

vingjfg

Hi there! As far as I know and unless you changed the defaults, the LACPDUs are sent every 30s, so that could be something else. However! What LACP mode did you set on the Cisco side? Did you enforce the same load-balancing algo on both ends? Still on the Cisco side, can you look at the interface co...

vingjfg

Glad to hear you figured it out! Regarding spanning tree prio, your itnetwrk-core01 looks like a good candidate for getting prio 0.

vingjfg

Ok, so supposing your bridge is called "bridge" and: ether0: tagged port on vlan 10 ether1: tagged port on vlan 20 ether2: untagged port on vlan 10 ether3: untagged port on vlan 20 ether4: trunk port with vlan 10,20 The following should be close to what is needed. /interface bridge set [br...

vingjfg

Can you send the output of

/interface bridge export

vingjfg

Here are a few corrections. WARNING WARNING WARNING Potential for cutting yourself out of the network. Consider taking one of the interfaces out of the bridges and assigning it an IP directly should you need to rescue the device without too much trouble. WARNING WARNING WARNING # Mikrotik side # Fix...

vingjfg

A few things - Bridge vlan-bridge is not set for vlan-filtering but you are using 802.1q (vlan) subinterfaces on it Bridge br0 , vlan 25, you are using service-tags. Any reason? The Cisco config you sent has the wrong name (CISCO-SW04) and not what should be ITNETWRK-SW-02. The IP is correct but is ...

vingjfg

Now we are getting somewhere. Add this to your running Mikrotik. This will permit access from the internet to your server on TCP/8080. Of course replace <your public IP> with the actual IP address. /ip/firewall/nat add chain=dstnat in-interface-list=WAN action=dst-nat to-addresses=192.168.70.1 dst-p...

vingjfg

It depends. If that's a pure modem, i.e. your Mikrotik is getting a public IP, you may have some chance sniffing the traffic and finding some RFC1918 (aka "private") IP addresses that may be the modem management interface. If the Voo device is also a wifi router and things, then you may ha...

vingjfg

So we ironed out the 70.54/70.254 one - one to go.

Yes for the password. Do that as soon as you can.

Can you send me the NAT rules from the PFSense?

vingjfg

I redrew the schematic with the information you gave. Let me know if that matches. The switch has been removed as it is L2 and won't change a thing (for now). mt-pfsense.drawio.png Note that you wrote the default gateway on the PFSense is 192.168.70.254 and that the MT has 192.168.70.54. So you alre...

vingjfg

The point is that having two bridges is not needed and creates unneeded complexity. However that is not the problem. At least not the main one. Or ones. One of the problems is ... that you have twice the same IP on different interfaces. /ip address add address=192.168.88.1/24 comment=defconf interfa...

vingjfg

You have two bridges, could you rework the configuration to have a single bridge with vlan-filtering and VLANs to separate the hotspot?

vingjfg

I am reading the page on interface/wireless, specifically the section on Radius MAC authentication RADIUS MAC authentication Note: RADIUS MAC authentication is used by access point for clients that are not found in the access-list, similarly to the default-authentication property of the wireless int...

vingjfg

Can you modify your ACL to the following? This means that the clients with signal -65..0 are accepted but when the signal dips under -65, they are disconnected. /interface wireless access-list add signal-range=-65..0 add authentication=no forwarding=no signal-range=-120..-66 The way your ACL was wri...

vingjfg

That's ... not a lot.

Is your ACL set to reject the clients with signal in the range -85..-120?

I created one (using wifi, not wireless) - here is what it looks like.

/interface wifi access-list
add action=reject disabled=no signal-range=-85..120

The second "add", is it an ACL?

vingjfg

Can you post your ACL configuration?

vingjfg

The short answer is "unless you really have something against it, it costs nothing to enable it." I would make the case that in a Mikrotik environment, it is actually better to have something rather than "none": during a recent troubleshooting (LLDP), someone pointed that protoco...

vingjfg

That's interesting. Adding a private key is one of the tests I did and I did not lose the password access to the Linux machine. It could be that I did not log off from my session when I added the key. Could be. I will try when I get my test equipment. That aside, glad you made it work. And yeah, it ...

vingjfg

Can you post the output of the following command?

/interface/bridge/port/print where interface=ether3-green

vingjfg

Well, I was using AES 256 CBC SHA1 for w long time with no issues on mikrotik routers, including this device. But, considering depreciated CBC cipher in OpenVPN Community and much much faster connection time using AES GCM, with ROS v7 I can use this cipher. As I already mentioned, I don't have prob...

vingjfg

Before diving into the guts of the openvpn server, I want to make sure that there is no network issue. From the page you sent, the RB850Gx2 platform supports AES in CBC mode, at least for the devices whose SN starts with 5 or 7. It may be worth giving it a try and see whether that solves the issue -...

vingjfg

Regarding your input rules, can you send the full set? There is some reorganization possible that may help with the issue. With the rules related to the interface WAN you sent, I would reorder in the following way. Note that without having the full input chain, I may just be duplicating existing ent...

vingjfg

Because anyone sending udp datagrams with source port 53 or 123 can reach any udp port on your device.

Nat rule is ok. I will have a closer look tomorrow.

vingjfg

Are these all your input rules? Also, no nat that would interfere?

If ok, can you export all the input and nat rules?

I will have a closer look tomorrow. First thing is your dns_ntp rule is dangerous.

vingjfg

Can you check that your input rules allow traffic to tcp and udp 1194 on your Mikrotik?

vingjfg

Can you add

disable-dco

To the client config?

vingjfg

Here is my defaults for /ip/ssh (7.13.2):. always-allow-password-login is already "no". forwarding-enabled: no always-allow-password-login: no strong-crypto: no allow-none-crypto: no host-key-size: 2048 host-key-type: rsa Changing "strong-crypto" doesn't prevent me from ssh-ing o...

vingjfg

Seems so. I will try tomorrow.

BTW, what's your version?

vingjfg

Yes and we now know that the server is not sending the client packing but the client disconnects (type 1) after a message "USERAUTH FAILURE" (type 51) ( https://www.ietf.org/rfc/rfc4250.txt ) The stanza to debug SSH is the following. Be warned: that's verbose. /system/logging/add topics=ss...

vingjfg

OK. Let's try LogLevel at DEBUG3. I will have a look tomorrow morning.

That is weird.

vingjfg

Hmmm ...

Jan 25 15:28:49 zoidberg sshd[275510]: debug2: input_userauth_request: try method none [preauth]

After this one it should try another method - do you have "PasswordAuthentication yes" in /etc/ssh/sshd_config ?

vingjfg

ok ... can you set the loglevel to DEBUG2, restart the daemon and try another connection?

Stupid question: clocks synchronized on both devices?

vingjfg

OK, that's the general "something went wrong somewhere" type of messages. Could be a number of things: If your server is a bit dated and the client a lot more recent, it may disconnect as it doesn't find something in common (but usually it says so) Are you trying key authentication? If so,...

vingjfg

Ok. That was worth a shot.

On the linux server - can you get the SSH entries?

sudo journalctl -xr -u ssh

vingjfg

Hi there!

Can you try the following?

/system ssh user=<some non root user on the linux server> 192.168.4.5

vingjfg

:thumb up:

I saw the other post, if you haven't already, I will create a bug report.

vingjfg

That is why I think you can just remove it and it will use bc address for local subnet, eks 178.118.85.255 (if its a c net) I just tried: if you set broadcast=yes without specifying any broadcast-addresses , nothing happens. It doesn't work with 255.255.255.255 . My local subnet is 192.168.2.0/24, ...

vingjfg

Also and to check, what is the IP of your RBM11G on that network? You mention the .2 but that would make it right in your DHCP pool.

vingjfg

/system/ntp/server> print enabled: yes broadcast: yes multicast: yes manycast: yes broadcast-addresses: 178.118.85.2 vrf: main use-local-clock: yes local-clock-stratum: 3 auth-key: none Can you double check the broadcast-address? It doesn't look like a broadcast address at all.

vingjfg

The easiest, as far as I can see is something along the lines of the following. This simply takes whatever arrives to the interfaces in the WAN list and translates it to the PFSense's address. /ip/firewall/nat add chain=dstnat in-interface-list=WAN action=dst-nat to-addresses=192.168.70.1 By default...

vingjfg

I can confirm, enabling RSTP or MSTP stop link layer MAC addresses to be forwarded. One issue down, 99 to go! As a side note, i loose connectivity with my switches if i enable STP (this is strange, i have no loops), but i was able to test using RSTP and MSTP. I guess the first thing to look would b...

vingjfg

Some observations might be explained with disabled (R/M)STP on the bridge. It is expected to forward reserved multicast MACs 01:80:C2:00:00:0X (LLDP, BPDU, etc.) when using " protocol-mode=none " setting. Wow, yup! I tested and that's indeed the case. As FIPTech said that its bridge had S...

vingjfg

Thanks! Yes, I have defined Radius for wireless. It works for WPA-EAP, in the logs I see the radius requests go out and the reply come back. I am not using capsman yet. I can try with capsman, but shouldn't it work without as well? I guess that's the $2^20 question - should it work without a /capsm...

vingjfg

I connected another auxiliary router for packet capture, and i did first discover something abnormal : LLDP announcement from every devices connected to the ports of the other router bridge are visible. This indicates that LLDP is switched and broadcasted between ports. I suspect that it's a bug. N...

vingjfg

OK. So you see the same when you change the VLAN of the port as I do when I set the discovery on the VLAN interface. I have the feeling that there is something I am missing but I can't quite point it. Can we do the following? With the discovery as it is, port with PVID1 and additional VLAN (4000) ta...

vingjfg

Nope, not working. Ticket open: SUP-141451.

vingjfg

I configured LLDPD on my computer with a network policy, which got advertised immediately. The fact that my Mikrotik is not advertising the MED extension kind of tells me there could be a bug. As a last try, I will reboot my device and see if that changes something. I found a post from mid-2023 that...

vingjfg

I got curious and tried with my workstation on VLAN1 and VLAN10 - same result, I do not get an advertisement for LLDP-MED, but my workstation doesn't advertise itself as Voice or Phone. I think I may have an app somewhere for that.

vingjfg

I do. I will test later today with VLAN1 and VLAN10 to see if there is a difference.

Meanwhile, if you issue "/ip/neighbor/print" to check that you see neighbors?

vingjfg

Knock on wood!

I suspect that the device tried to tag the LLDP traffic ... which cannot be encapsulated, so while the physical interfaces received and sent the LLDPDU, the LLDP process itself did not receive them.

Hopefully, this will solve it. Let me know how it goes.

vingjfg

I think I found something - setting the list to LAN, I got LLDP announcements on my workstation but the router did not get my announcements. Nor did I get the VLAN. > /ip/neighbor/print I then configured a second list that has the bridge member interface > /interface/list/member/print Columns: LIST,...

vingjfg

I still see LLDPDU. I will install an LLDP responder on my computer to see that I can get the Voice VLAN. > /ip/neighbor/discovery-settings/print discover-interface-list: LAN lldp-med-net-policy-vlan: 11 protocol: cdp,lldp,mndp mode: tx-and-rx 20240122 LLDP Wireshark 2.png

vingjfg

Sure thing - one moment!

vingjfg

Hi Macosoft, You already asked that question in https://forum.mikrotik.com/viewtopic.php?t=203438 . Can you provide the output of the following commands? I may need a larger subset of the configuration later but I want to start with the minimum. /routing/export /ip/firewall/address-list/export /ip/r...

vingjfg

I did some tests with my equipment (7.13.2 on ARM), here is my configuration > /ip/neighbor/discovery-settings/print discover-interface-list: LAN lldp-med-net-policy-vlan: disabled protocol: cdp,lldp,mndp mode: tx-and-rx > /interface/list/member/print Columns: LIST, INTERFACE # LIST INTERFACE 0 LAN ...

vingjfg

Yo. I will try to help. There is more in two heads and stuff.

Radius server - you have set it for wireless service as well, correct? https://help.mikrotik.com/docs/display/ROS/RADIUS

Capsman aaa - you have a definition? https://help.mikrotik.com/docs/display/ROS/CAPsMAN

vingjfg

Hi FIPTech,

That's strange. Can you send your discovery settings and the interface lists members?

Also and to confirm - your bridge is configured with vlan-filtering=yes, correct?

/ip/neighbor/discovery-settings/print
/interface/list/member/print

vingjfg

Here is. Let me know if you have any questions. Comments: If the Public IP One to Five are in the same network, then the addresses with the netmask /32 are to be fixed. Or replace the additional addresses by host routes (my preferred version but that's personal). For the NAT configuration, there are...

vingjfg

Thank you for your answer. The script I am currently using is fixed 0E: 11:22:33:44:55 at the first byte, with 0E at the beginning and random generation at the end. However, I think the range is still not large enough Hi Rosa, I don't know how you generate the MAC addresses but if you feel that the...

vingjfg

Hi Rosa, Regarding the structure of a MAC address, the 2 constraints are: The LSB ("bit 0") of the first byte is 0 for a unicast address, 1 for a multicast address The next bit ("bit 1") of the first byte is 0 for a globally unique address and 1 for a locally administered address...

vingjfg

Ticket created: SUP-141182

Search found 349 matches