MikroTik

CGGXANNX

Yes, the RB260GS is the cheapest MikroTik device that allows you to have individual VLAN per port (access port). However, it runs SwOS which means it does not support 802.1x and you won't be able to assign dynamic VLAN on it ports based on MAC address or username/password/certificates. If you only n...

CGGXANNX

There is no hack. If a client device is not VLAN aware, then there must be VLAN supports at the edge of the network that device is connected to. All your access points are actually switches , just wireless switches instead of wired ethernet switches. A WiFi client connecting to a SSID is somewhat an...

CGGXANNX

If currently most of your LAN network is behind the powerline adapter connected to a single ethernet port of the CCR2004 then unfortunately you cannot activate the dot1x server on the CCR2004 on that port, because it will turn that port into an access port of a single VLAN once a device has authenti...

CGGXANNX

No, the target scope of the "main" route (through the canary address) should be +1 of the "narrow" route, and this latter +1 of scope, (and scopes can be all the same like 10), It may not be strictly speaking 100% correct, but it is easy to remember. i.e.: Strictly speaking you ...

CGGXANNX

Did you try applying this: https://help.mikrotik.com/docs/spaces/ROS/pages/328090/Dot1X#Dot1X-Server And the usual RADIUS attributes for VLAN assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) should also work: https://help.mikrotik.com/docs/spaces/ROS/pages/328090/Dot1X#Dot1X-Por...

CGGXANNX

I think people on the forum used to add a rule to Kid Control for this kind of monitoring: /ip kid-control add name=monitor mon=0s-1d tue=0s-1d wed=0s-1d thu=0s-1d fri=0s-1d sat=0s-1d sun=0s-1d Data are available in the Devices table. But there is no bridge port / interface, and the counters only co...

CGGXANNX

I had the same issue but only if 10G was advertised. If I remove 10G from my advertised speeds, I immediately get an IP -- but I only sync at 1G, not 2.5G which I would expect for my 1.5G plan. I have been using a G-010S-P from ALCATELLUCENT (should be similar enough to your G-010S-A) since a coupl...

CGGXANNX

In your configuration, when you turn on "VLAN Filtering" on the bridge, most of the ports of the bridge (for example ether2 or ether4) are access port of the VLAN 1 (reason: they have PVID=1 and Frame-Types is admit-all which are the default value, you've also added those ports to the unta...

CGGXANNX

Your new ISP probably puts you behind CGNAT https://en.wikipedia.org/wiki/Carrier-grade_NAT, which means you no longer have a public IP address. To confirm this, compare the IP address listed under IP -> Addresses for ether1 with what sites like https://ifconfig.me/ display to you. If they don't mat...

CGGXANNX

What are devices in your LAN (192.168.88.0/24) running? If they are running Windows then by default they won't answer ping from other subnets. If you are trying to ping the specific server at 192.168.88.117 then with your current config that won't work neither (because of the routing configuration).

CGGXANNX

also the port works only with autonegotiation (1G full duplex), manual setting 1G T-full turns off the port.

Auto-negotiation is required for 1G BASE-T https://en.wikipedia.org/wiki/Gigabit_E ... 1000BASE-T

CGGXANNX

/interface bridge vlan is mapped in WinBox to what you see in the Bridge -> VLANs table. Currently the "bridge" interface (which implicitly is VLAN 1) is the interface that has the management IP address that allows you to reach the switch with the IP address 172.21.9.10. When you use that...

CGGXANNX

You need to change this entry /interface bridge vlan add bridge=bridge tagged=bridge untagged=ether2,ether4,sfp-sfpplus2,ether8,ether7,ether5 vlan-ids=1 And move " bridge " to be member of the untagged list instead of the tagged list. Also " bridge " should not be member of the u...

CGGXANNX

And here is the 1h daily limitation from my tests: /user-manager limitation add name=one-hour-per-day reset-counters-interval=daily uptime-limit=1h /user-manager profile add name=daily-1h name-for-users="1h daily access" validity=unlimited /user-manager profile-limitation add limitation=on...

CGGXANNX

I could configure everything as in your screenshoots. When I connect a client to hotspot, I get to the screen to write credentials, and get "Radius Server is not responding" I just did not install the certificate. the "Radius server is not responding" message is because of the c...

CGGXANNX

No! I've made a type in my previous post with the out-interface-list that should be WAN instead of LAN. Once corrected, NAT in this case is only needed if the container needs to go directly to the internet (for example for upstream DNS lookup) and you don't have additional GUA addresses announced on...

CGGXANNX

There is no problem with assigning IPv6 static address to container. You can give the container a static ULA if you don't have static GUA prefixes. * Go to https://www.unique-local-ipv6.com/ and get a random /48 prefix. For example fd72 : 1a93 : 454c :: /48. * Add fd72 : 1a93 : 454c :: 1...

CGGXANNX

Sorry, I am an old school software developer and it's just a habit for me to think about implementation details and low level inefficiency and your script will cause more unnecessary operations (especially writes and memory allocations/deallocations) while holding locks multiple times, that can be m...

CGGXANNX

The way you update the address list entry triggers two modifications of the list. For data structures heavily optimized for lookup/read performance, modifications are always orders of magnitudes more expensive. Each modification probably needs to lock global data structures (lock the whole firewall ...

CGGXANNX

Maybe something like this in the PPP Profile's On-Up: :local interfaceName "pppoe-out1"; :local addressListName "WAN_IP"; :local comment "WAN IP" :local wanIP [/ip address get [find interface=$interfaceName] address]; /ip firewall address-list remove [find list=$address...

CGGXANNX

Looking at the updated topology, my guess is that accessing the NAS from the Server and transferring files probably produces some additional small percentage of broadcast or multicast traffic. The problem is that when you are transferring at 10Gbps (or even at only 2Gbps), a small percentage might s...

CGGXANNX

FYI I just redid the test configuration and it worked as expected, client loses access to the internet after one hour (and some minutes depending on the interim update interval setting). Some notes: * Please be aware that the hotspot wizard expects an unconfigured interface, you should either set as...

CGGXANNX

I just did more tests and support for RFC 7710 and RFC 8910 is automatically enabled but Windows does not use it at the moment. It works very well with Android.

CGGXANNX

The MAC address in the static DHCP lease is wrong, should be 00:01:2E:64:F0:65 instead of 00:01:2E:64:F0:66.

Edit that entry, clear Client ID (by pressing the triangle button) and change the MAC address to 00:01:2E:64:F0:65.

CGGXANNX

I'm curious, how does the hotspot place restrictions? Isn't it using MAC addresses behind the scenes? What if a client changes their MAC address and reconnects as basically a new user? Last time I tested Hotspot together with User Manager, the Hotspot setup created new chains and dynamic rules in t...

CGGXANNX

Are the workstation and the server in different VLANs? But you've mentioned trace route producing only one hop, so probably not.

CGGXANNX

It should work with hotspot too. You can do a test setup yourself. What you need is: * Install User Manager and set it up with Profiles, Limitations, Profile-Limitations, User Groups, Users, User-Profiles. Don't forget to check Use Profiles in the UM settings. * In UM, add the one "Router"...

CGGXANNX

They does not want to specify one specific hour, they want to users to have 1 hour, whenever each user want Is this possible? How? It's possible with User Manager and WPA Enterprise like I wrote above, but the Access Points must be compatible with RouterOS with regards to Change-of-Authorization (C...

CGGXANNX

This is actually one perfect use-case for WPA2-Enterprise/WPA3-Enterprise with PEAP/MSCHAPv2 and User Manager acting as RADIUS server. No worry about devices having random MAC address, because each user/device has their own username & password. But you'll need access points with WPA2-Enterprise/...

CGGXANNX

First, there is no reasons why you cannot enable flow control on the ethernet port when you use other QoS mechanism such as Queues, that is not related. Second, whether flow control is enabled or not on OpenWrt depends on the chipset/network adapter. You need to add ethtool and run it with the param...

CGGXANNX

There are no configuration changes to be made on the MikroTik device, only on the pfSense router, and that modification only needs to be done once. Did you try to apply what I wrote on post #2? Namely: * pfSense has interface VLAN88, configured with 192.168.88.10/24 (no gateway needed). * On pfSense...

CGGXANNX

No, the problem is because your router is ignoring the pause frames sent by the ONT. The ONT can not keep up with the 1 Gbps rate that the router is pumping to it. Before its buffers are completely filled up the ONT uses flow control (by sending pause frames) to tell the MikroTik router to slow down...

CGGXANNX

In such cases, where the uplink (300 Mbps) is slower than the speed of the ethernet (ports) in the LAN (1 Gbps) the solution might actually be to turn on flow control on all the MikroTik router's ethernet ports on the affected path. Flow control is per default off on MikroTik devices so you can try ...

CGGXANNX

The problem is that when using the mobile MikroTik app, there is a very intriguing text right on the homepage saying that "Internet detect" is disabled. And after tapping on it, just another tap is enough to have Detect Internet turned on. And mobile users also quickly learn that Detect In...

CGGXANNX

The quoted passage mentions the RAW rules because the whole page is to be applied as an example configuration, and if you scroll to the bottom of the page https://help.mikrotik.com/docs/spaces/ROS/pages/328513/Building+Advanced+Firewall#BuildingAdvancedFirewall-IPv4RAWRules There's the rule that doe...

CGGXANNX

Stop calling it a bug and read the doc please https://help.mikrotik.com/docs/spaces/ROS/pages/47579229/Scripting#Scripting-Functions. The :return command is only defined for returning a function value from within a function . Which means it requires a value as argument, and the text content of a scr...

CGGXANNX

* If it shows pppoe-out1 as not ready, then it means that your PPPoE setup currently cannot be dialed successfully. You can open the Log and will probably see a lot of pppoe dialing attempts that fail. One of the reasons might be that your username or password is not correct. You'll get more details...

CGGXANNX

EDIT 2: Thank you, Amm0. Contributions such as yours should be automatically included in the "official" MikroTik guides as standard. People who use MikroTik deal with issues often on an ad-hoc basis and wish to find quick, efficient solutions. It's has been documented after 7.18 was relea...

CGGXANNX

* You go to IP -> Firewall -> NAT tab. Look for the rule that says Action: masquerade Chain: srcnat. Double click to open it. Find the dropdown box with the caption Out. Interface and change the value from ether1 to pppoe-out1 . That should fix your problem. * Alternatively, if you want to do it wit...

CGGXANNX

You need to update your srcnat masquerade rule to use pppoe-out1 as out-interface. Or alternatively do like the defconf firewall, add pppoe-out1 (and ether1 if you plan to access the management of the modem/converter device) to an interface list WAN and change the masquerade rule to use out-interfac...

CGGXANNX

how does the router know that 10.72.22.200 should be assigned to the device About this point: This address can be whatever IP address, even from subnets not managed by the router, it can be 3.4.5.6 for example. The only requirement is that on the remote WireGuard client device (a phone for example)...

CGGXANNX

If your router has enough free RAM and storage space (about 60MB each), you can abuse cloudflared running in a container to be able to use any DoH provider, including Mullvad: doh-cloudflared.png In this example with Mullvad, the command line parameter is: proxy-dns --port 5053 --upstream https://dn...

CGGXANNX

On your pfSense router you'll need to add an Outbound NAT rule on the VLAN88 interface. The goal is to translate the source address of the packets going out of this interface (to the RouterOS device) to 192.168.88.10 (the IP address of pfSense on the interface). On the rule, you only need to keep th...

CGGXANNX

@anav because in OP's original config the subnet 192.168.0.0/24 (or any other smaller subnet enough to encompass 192.168.0.97) doesn't exist yet on his router. The router did not know how to route to destination 192.168.0.97, other than to forward everything to the default destination 0.0.0.0/0 rout...

CGGXANNX

You need to check whether your device has L3HW support for NAT and FastTrack. There's a couple of tables near the bottom of that page I linked above that categorize the devices. Only those with DX4000 and DX8000 switch chip, and the CCR and RDS devices support that. If that not supported, then on yo...

CGGXANNX

It really looks like your ISP is "cheating" with well-known speed test services while throttling normal traffic (including to lesser-known test sites like Real-Debrid). What if you use your browser to go to YouTube and watch a 4K video, while turning on the "Stats for nerds" in t...

CGGXANNX

I am sorry that I did not use the term that you defined in your article @sindy. My "CPU port" is not the specific term that you only used for the hardware switch. For me the bridge (hardware offload by a switch chip or only software based is not important) has ports, including real physica...

CGGXANNX

Yes, it works with all the cases you listed. This frame-types setting on the bridge interface is actually the setting for the "port" persona of bridge, where the bridge is the CPU port, in the same category as ether1, ether2, sfp1, etc... Even the tab in in WinBox has the same options as t...

CGGXANNX

Yes, it's as I expected. You can read more about nexthop lookup here: https://help.mikrotik.com/docs/spaces/ROS/pages/328084/IP+Routing#IPRouting-NexthopLookup When looking for the next hop for the route with destination 192.168.100.0/24 gateway 10.32.1.2 (the one at the bottom of the screenshot), t...

CGGXANNX

Your previous attempts did not work because the router didn't know that it should forward frames destined for 192.168.0.97 to ether2. By adding the IP address (and the network address, if you want you can also use 192.168.0.98/24 as address and 192.168.0.0 as network) to the interface vlan-cameras, ...

CGGXANNX

The first error. 1. is quoting from your config in post #18 and is WRONG ( do not use the bridge itself to set frames ) IMHO if OP has a VLAN-only configuration, with no IP address configured on the interface "bridge", then setting frame-types=admit-only-vlan-tagged is the correct way, an...

CGGXANNX

Is that ether2 port part of a bridge (slave port) or outside of any bridges (standalone interface)? You'll need to add an IP address first /ip address # choose only one of the three following! add address=192.168.0.98 interface=ether2 network=192.168.0.97 # only if ether2 is standalone port! add add...

CGGXANNX

Can you also test with https://www.fast.com (Netflix) and https://real-debrid.com/speedtest (multiple locations but download only)?

CGGXANNX

Can you make the Scope and Target Scope columns visible in the table too?

CGGXANNX

XenForo is not that different from PHPBB for scalability (PHP and MySQL, no multiple servers). Also it's paid (plus addons), Discourse is more suited for modern problems and is free. I don't think citing PHP as disadvantage really works, because modern PHP is much more performant than Ruby (which w...

CGGXANNX

If your router supports L3HW NAT, you need to turn off lw-hw-offloading on the two WAN ports, while enabling them on the rest of the ports. Before making the change on the ports, l3-hw-offloading on the switch chip must be turned off first. Afterward it has to be re-enabled. And you also need to cor...

CGGXANNX

Could you maybe also consider XenForo? It's not free, for self-host it costs a couple of hundred $ once and yearly $60 for upgrades. But the UX is closer to traditional forum software, while still supporting modern features, and performance is really good on forums with > 1 million user accounts.

CGGXANNX

It's the loopback interface, that can be used since 7.14 https://forum.mikrotik.com/viewtopic.php?t=202612 *) system - expose "lo" and "vrf" interfaces; One of the use-cases is to replace the need for adding dummy bridge interfaces if you want extra internal IP addresses for the ...

CGGXANNX

And now the interesting bit. Create a bridge with a /30 address: i had some free time to do a couple of tests today, and this point can be further simplified: we can just add a /32 address to the lo interface. No needs for the extra dummy bridge and the two separate IP addresses for src-nat and dst...

CGGXANNX

After upgrading old RB2011 to 7.19 beta7, can't upload anything any longer (e.g. can't upgrade to beta8). File list empty. Scripts that create backups fail. What's up with that? Check System -> Users: Is there any other user groups than full / read / write . Does the group full still have all check...

CGGXANNX

I would assume that DHCP traffic from the VLAN to the router is blocked just like the winbox traffic. But it is not. All my VLAN clients successfully get an IP address from the router. Why? :o Because DHCP uses raw sockets and is not affected by the /ip firewall filter table's rules. You can read t...

CGGXANNX

I'm curious what IGMP snooping does, is it security related? No, it's not related to security. Turning on IGMP Snooping helps reduce the amount bandwidth used on the ports (like ether1, ether2, sfp1, etc...) of the bridge/switch if there is a lot of multicast traffic. Without IGMP Snooping, if you ...

CGGXANNX

Is the laptop directly connected to the RB4011? (on ether2 or ether8?) Or is this plugged to the Aruba 2915 switch?

CGGXANNX

What should I consider buying to achieve the goals listed below? I’d like them to simply enter a username and password on their devices—without needing to configure pre-shared keys, secrets, or other advanced settings. Is that possible? I have no experience with using MikroTik WiFi hardwares in the...

CGGXANNX

How do I include a SLACC based IPv6. You'll need to write some script. In the same script that you have where you extract the IP address from the /ipv6 neighbor entry, add some code that update the to-address attribute of the dstnat rule (you can set a comment on the rule and then look for it by co...

CGGXANNX

That device asks its DNS server (192.168.0.1) and that DNS server tells the device to go and ask the DNS server at a completely different location (for example, 192.168.2.1). The DNS server (192.168.0.1) doesn't tell the device to go ask the other server. The DNS server performs the lookup itself ,...

CGGXANNX

Re-reading the OP and he/she has the setup where sfp1 is part of the bridge, and the tests are done between sfp1 and other ethernet ports. Which means even with DHCP Snooping disabled, those tests were never hardware offloaded , because sfp1 is outside of the switch chip and is always handled by the...

CGGXANNX

Of course only specifying the dst-port for the dst-nat rules will also nat the intended connections. This however also has the effect of natting every packet that is udp/13231, and so no one who uses this port will be able to correctly communicate with anyone if their traffic is routed by your devi...

CGGXANNX

You should NOT enable IGMP Snooping (nor DHCP Snooping) on the hEX S. Doing so will disable hardware offload on the bridge, switching and VLAN filtering will need to be done entirely by the main CPU and even L2 traffic will all need to share the single 1Gbps link to the main CPU (the other link is u...

CGGXANNX

The "bridge" CPU port is not shown in the tagged list for the VLANs under /interface bridge vlan. Did you turn on the VLAN Filtering checkbox for bridge?

CGGXANNX

someone *please* tell me this is a sick April Fools joke

It's not https://github.com/LibreQoE/LibreQoS/pu ... 2770436543

RIP Dave

.

CGGXANNX

@Larsa I think OP posted the screenshot above your post. Router lifetime is 0, which means other devices will not use the Apple TV as default router, and there is no advertise prefix. I think the Apple TV only announces the route so that it becomes default target for the fdf7:ffab:feed::/64 subnet. ...

CGGXANNX

Unfortunately, if the prefix is the deprecated one as I wrote, then you either need to wait for about a month (the default "valid lifetime" setting value) since the last time that prefix was really "preferred" (non-deprecated) or reboot the router :(. Reducing /ipv6 nd prefix def...

CGGXANNX

On your client devices, are the addresses with that prefix listed as "deprecated"? For Windows, run ipconfig /all , for Linux run ip addr , for *BSD (probably macOS too) run ifconfig , and see if deprecated is shown next to the address. If that's the case, then it's the normal behavior for...

CGGXANNX

Which access points are you using? Do they have a full Gbps link to the router or only fast ethernet (100 Mbps)? Are WiFi clients connected to 5 GHz or 2.4 GHz channels?

CGGXANNX

Can you try to disable IGMP Snooping? First, when you have multiple tagged VLANs, special handling with the multicast querier is needed if IGMP Snooping is to be enabled https://help.mikrotik.com/docs/spaces/ROS/pages/59277403/Bridge+IGMP+MLD+snooping#BridgeIGMP/MLDsnooping-IGMPsnoopingconfiguration...

CGGXANNX

Yes, and I also mentioned above in the screenshot that NAS-Identifier is one of the standard attributes. But MikroTik reasoning was that User-Manager supports CoA with MikroTik devices and that was enough. To be fair, not all AP manufacturers require NAS-Identifier to be sent with CoA messages (UM C...

CGGXANNX

This is a known issue, and I've filled a support request (SUP-163983) last year about it: user-man-sup-163983.png Unfortunately, MikroTik has refused to make the change and closed the ticket, this was their answer: user-man-sup-163983-2.png I've since made a new attempt and suggested an alternative ...

CGGXANNX

The rule add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN" is the important one that protects your router against abuses from the Internet. Do not remove it! Of the five rules that I posted above, only the CAPsMAN rule is optional (in case y...

CGGXANNX

If you mean the Neighbors tab on the login page of WinBox, the listing requires broadcast and will not work over WireGuard. And of course, MAC WinBox also does not work over WireGuard.

CGGXANNX

To access the router remotely, you should configure a VPN, like WireGuard (you can also use the built-in Back-To-Home feature https://help.mikrotik.com/docs/spaces/ROS/pages/197984280/Back+To+Home which does the WG setup for you). From the outside you establish the VPN tunnel (for instance, install ...

CGGXANNX

Please restore the input rules of the defconf firewall. It's not enough to just disable those services that you listed. For instance, your router accepts remote DNS requests and DNS amplification attack (https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/) is a thing! Here are th...

CGGXANNX

Have you considered UDPXY (it's extremely lightweight and run great in container on RouterOS, I use it on my RB5009 and hAP ac² with only 128MB RAM)? It will introduce a few seconds delay to the streams but other than that, it works well, even for watching IPTV channels on the go over WireGuard. I n...

CGGXANNX

You can just run a socks5 server in container (I previously did tests with this one and it's lightweight and works fine https://hub.docker.com/r/serjs/go-socks5-proxy), then use routing rules to steer the outgoing connections of that container's IP address through WG.

CGGXANNX

* If you want ether3-server_switch to be a trunk port of VLAN 20, then the PVID set on that port it wrong, you should change it back to 1 and set Frame Types to admit-only-vlan-tagged . * But if you want ether3-server_switch to be a normal access port of VLAN 20 then keep PVID as 20, but set Frame T...

CGGXANNX

That ULA prefix on the IOT interface might be the result of some device in that VLAN announcing itself as router. Now that the OP has established that that he needs add-default-route=yes in his DHCPv6 client setting, the router no longer has a reason to have /ipv6 settings accept-router-advertisemen...

CGGXANNX

This post has the recent (7.18.1) measurements with Bridge VLAN Filtering that I made on my hAP ac² (also compared to the setup with /interface ethernet switch), no WiFi interfaces though. https://forum.mikrotik.com/viewtopic.php?t=215359#p1132188 Bridging between two ports at wirespeed with Bridge ...

CGGXANNX

Good luck with your endeavor mixing LAN WAN VLAN and whatever between the UniFi and MikroTik network then. As I said, static leases for the APs in MikroTik DHCP server, static lease / IP address for the host machine that from time-to-time runs the controller software. There is nothing special about ...

CGGXANNX

Can your program select the source IP address for its outgoing connections? You can add multiple IP addresses (from the same subnet) to the VETH interface, and they'll be added to the ethernet interface inside the container. If your program is able to pick which of those to use as source IP address,...

CGGXANNX

My Linux VM only runs a couple of times a month, when I want to check for firmware updates. I only need the VM because I need WireGuard to run together with the controller to give it access to the remote locations (If I had run the controller directly on my PC I would need to run WG on my PC too, wh...

CGGXANNX

You don't need to run the controller 24/7. Only when you need to change the configuration or upgrade firmware. I have networks with UniFi APs and RouterOS routers in different locations and just use a small Linux VM where the controller is installed that I only occasionally start up. And I even mana...

CGGXANNX

I have never needed to manually maintain /interface/bridge/vlan table for access ports, ever. I literally just change 'pvid=' per bridge member in /interface/bridge/port, and ROS has always created [D]ynamic entries for those VLANs in the table you reference if they don't exist, and if the VLAN is ...

CGGXANNX

I'm not aware of anything that has changed in RouterOS since the new bridge interface with VLAN filtering was introduced in (I think?) 6.41 up through 7.18 that makes setting vlan-filtering=yes on the bridge any more or less safe on any particular version. So I'm not entirely clear what the referen...

CGGXANNX

Hm, on the Mokerlink, did you go to "Configuration > VLAN -> 802.1Q VID" and set the PVID for the ports? Port 1 should have PVID 30 Port 2 should have PVID 31 Port 3 should have PVID 32 Port 8 should have PVID 29 And while you are there, change Accepted Frame Type of those ports to only un...

CGGXANNX

That's interesting, because /ip firewall nat add action=masquerade chain=srcnat comment="HairPin Nat" connection-mark=test-mark dst-address=192.168.1.9 out-interface-list=LAN src-address=192.168.1.0/24 Should actually not be able to catch anything that /ip firewall nat add action=masquerad...

CGGXANNX

Interesting. Are you currently connected to port #2 of the Mokelink? According to the screenshot, you are on port 6. Port 6 has no connectivity to the CCR2004.

CGGXANNX

The settings on your Molkerlink is currently wrong. A port cannot have multiple VLANs untagged at the same time. Edit the entry for VLAN 1 and remove ports 1, 2, 3, 8, 9 (set to Not Member).

CGGXANNX

For hairpin NAT, your DSTNAT rule cannot use in-interface=ether5 anymore. You will need to replace this rule /ip firewall nat add action=dst-nat chain=dstnat comment="Nat for my server" dst-port=5467 in-interface=ether5 protocol=tcp to-addresses=192.168.1.9 to-ports=5467 with /ip firewall ...

CGGXANNX

"corresponding entry?" The entry in /interface bridge vlan , with the VLAN ID matching the PVID of the bridge (under /interface bridge), and that has "bridge" in its untagged list. The entry that (if you have not explicitly done it yourself) is automatically created if the bridg...

CGGXANNX

Yes. And that's the reason why if you add a VLAN interface to /interface vlan with interface=bridge then "bridge" needs to be in the tagged list of that VLAN ID. Since a few versions RouterOS dynamically adds that to the /interface bridge vlan table for you if you did not do it explicitly....

CGGXANNX

You only need two back-to-back newlines for all cases. No space needed.

CGGXANNX

Yes, and those frames that come to the CPU port (bridge) tagged, you "use" them by adding corresponding interfaces under /interface vlan with interface=bridge . Those interfaces pick the frames with the corresponding VLAN ID tagged (from the CPU port) and strip the tags so that they can be...

CGGXANNX

Also, please note that for the devices with those switch chip (RB5009, CCR2004-16G-2S+, L009), although turning on DHCP Snooping keeps hardware offload on the bridge, it will however make fast path non-functional on the bridge, and it affects fasttrack too. If you have a WAN port outside of the brid...

CGGXANNX

Oh, and this (on RB3011)

/interface vlan
add interface="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" name=vlan99 vlan-id=99

should be

/interface vlan
add interface=bridge1 name=vlan99 vlan-id=99

CGGXANNX

First, if you control the DNS resolver used by most client devices in your network (you announce the DNS server via DHCP and the DNS server is hosted internally), then you should make that DNS server rewriting the DNS record of the domain to the local IP address of the service's host. With that most...

CGGXANNX

I think you need to set l3-hw-offloading of the ports of that VLAN to no (under /interface/ethernet/switch/port)

See https://help.mikrotik.com/docs/spaces/R ... figuration

CGGXANNX

On your RB3011UiAS you are missing the bridge1 port as tagged port of the VLAN entry. This line: /interface bridge vlan add bridge=bridge1 tagged="lacp_src=rb3011UiAS_dst=crs326-24g-2s+" vlan-ids=\ 99 should become: /interface bridge vlan add bridge=bridge1 tagged="lacp_src=rb3011UiAS...

CGGXANNX

For example: "/interface bridge vlan add bridge=bridge tagged=ether1 untagged=bridge vlan-id=10" means that bridge will allow frames with vlan-id=10 to leave the router through ether1 with its vlan tag intact. And, will allow vlan-id=1- frames to egress the router on the bridge port after...

CGGXANNX

Your redirect rules for intercepting DNS53 are ok. However nowadays many devices and applications (modern web browsers, for instance) support DNS over TLS (DoT), DNS over HTTPS (DoH) and DNS over QUIC (DoQ), which means if you really want to force your kids' devices to use the designated DNS resolve...

CGGXANNX

PM963 are PCIe 3.0 x4. With two lanes data transfer at about 2 GB/s is still possible. See: https://en.wikipedia.org/wiki/PCI_Expre ... ison_table

CGGXANNX

Regarding accessing Home Assistant using domain name: The optimal way is what you are actually doing, by having the local DNS resolver rewriting the DNS record to the local LAN IP address (instead of the public IP address). That's best for performance, because the devices in the same LAN subnet and ...

CGGXANNX

Because you are using routing rules to do the WAN1-LAN1 and WAN2-LAN2 force-routing, add this following rule to the top of the routing rule table should re-enable routing between LAN1 and LAN 2 /routing rule add action=lookup disabled=no min-prefix=0 table=main Again, this rule must be above the two...

CGGXANNX

I recognize that DST-NAT occurs at the end of the PREROUTING chain, but is the dstnat attribute set for both explicit static DNAT rules, as well as implicit ones set up by SNAT? Or is dstnat only set when matching explicit DNAT rules for something like port forwarding? You can simply open the IP ->...

CGGXANNX

Bearing in mind that there's implicit ultimate rule in every chain (action=accept), the above rule can be re-written into pair of rules: It's not quite correct, the second rule should be: /ip/firewall/filter add chain=forward action=drop in-interface-list=WAN to produce something similar to the ori...

CGGXANNX

First off all you are doing it wrong, in HEX there's a different way to configure VLAN what you are doing is for CRS3XX Try this https://www.youtube.com/watch?v=Rj9aPoyZOPo No if he is using the RB750Gr3 with RouterOS 7 then what the OP does is the correct way (but ingress-filtering should be set t...

CGGXANNX

For the hAP ax² and ax³ currently there is no performance difference if you create additional bridges, because there is no hardware offload to lose. Usually with the other devices only one bridge can be hardware offloaded, and MikroTik advice is normally to only create one bridge per switch chip. Bu...

CGGXANNX

It's slower in those particular kind of benchmarks because in RouterOS 7 the route cache is no longer available. You can read more from this thread, especially the posts by @raimondsp: https://forum.mikrotik.com/viewtopic.php?p=882867#p882429 https://forum.mikrotik.com/viewtopic.php?p=882867#p882867...

CGGXANNX

Be aware that the hAP ac² numbers are RouterOS 6 numbers and you'll need to deduct 25% or so when doing comparisons with the two other RouterOS 7 (out of factory) devices. Look at the hEX RB750Gr3 as an example, before the hEX refresh was announced the old hEX boasted values of 385 Mbps in that spec...

CGGXANNX

I can't believe it. Same problem again!!! Can't connect from outside. Nothing has changed! I'm going to open a support issue. Wireguard implementation is far from being solid. EDIT I moved from this peer config: add allowed-address=192.168.0.3/28 comment=FLUSHRO2 interface=wireguard1 name=wg1 publi...

CGGXANNX

I didn't bother to read your full config or the whole thread, but using /28 in your allowed-address entries of the peers is simply wrong, and is exactly the reason why only one device can connect at the same time. Please in all the peer entries under /interface wireguard peers change /28 in the allo...

CGGXANNX

For anything >= 1G base-T you need Auto Negotiation turned on. You can try to force it to 1Gbps on both ports by removing the advertised rates, leaving only "1G base T full" and see if the problem is still there. Normally this would have been a typical case where flow control could help (t...

CGGXANNX

Yes, others will probably encounter the issue too if they cleared their browser cache. There is a problem with the forum server since a couple of days. Large transfers are stopped in the middle (usually with connection reset or partial content error). As a result, if the resources are not yet cached...

CGGXANNX

Yes, you'll need both rules. Also, as documented by @EdPa from MikroTik, some bridge settings like DHCP Snooping cause fast path to be ineffective, as a result, fasttrack will also not work on that bridge (shown as active but the counters do not increase), in those cases you'll only get "partia...

CGGXANNX

If possible, try turning on flow control on both the SFP+ interfaces.

CGGXANNX

For this topic, where VLAN Filtering is the goal, Fast Forward's status is irrelevant, it would be inactive anyway.

CGGXANNX

Maybe you can use the IP address list from here and manually & periodically update the address list in RouterOS https://github.com/crypt0rr/public-doh-servers

CGGXANNX

Additionally, a /ip dhcp-server network entry is missing.

CGGXANNX

Yes, the part that I linked to specifically mentioned the changes from v6 to v7 regarding scope and nexthop (and the reasons).

CGGXANNX

OK, let's do this in correct order and one step at a time. Correct order: /interface bridge add /interface bridge port add /interface bridge vlan add /interface vlan add Do we agree on this? I would say this is better /interface bridge add /interface vlan add + configure IP address + DHCP server + ...

CGGXANNX

For this reason (and others, like when you make modification to a vlan or bridge interface, the interface immediately gets new prefix from the pool) I've been setting valid lifetime and preferred lifetime on all of my routers to only 10 minutes. Then I would have to deal with wrong prefixes for at m...

CGGXANNX

You need to set the target-scope value of the dst-address=63.116.158.80/30 gateway=63.116.158.74 route to be at least the scope value of the dst-address=63.116.158.74/32 gateway=vlan44_vrrp route. Read more about it here https://help.mikrotik.com/docs/spaces/ROS/pages/328084/IP+Routing#IPRouting-Nex...

CGGXANNX

Here is a handy guide for Australia. Is that far enough? https://wifiwizardofoz.com/wp-content/uploads/australian_802.11_eirp_transmit_power_limits.pdf 4W on 2.4, up to 4W on 5, depending on band. That table has the EIRP (≈ transmit power + antenna gain) values though. The US will allow 4W EIRP for...

CGGXANNX

That screenshot is from my main router, and it has been like that since ages and all VLANs work without issue :). For this tab, "bridge" acts as a port (like etherX, where you have the same tab with the same options) and setting Frame Types here only affect the "bridge" port, whi...

CGGXANNX

i am using the hAP ac² as a wired only router too, with neither wireless nor wifi-qcom-ac installed. As such it's much better at routing than both the hEX 750Gr3 (3x faster) and the hEx refresh E50UG (1.5x faster), by having true 4 ARM cores instead of 2. IPsec and WireGuard are faster on the hAP ac...

CGGXANNX

And here is the one with 8×2.5G and 2 SFP+ that you can use for 10G https://mikrotik.com/product/crs310_8g_2s_in.

CGGXANNX

I think the goal is not to have any unwanted VLAN ID appearing in the /interface bridge vlan table. Ingress filtering should be turned on for all ports, including "bridge", then you can keep 1 as the PVID of "bridge" but here you should also set frame-types to admit-only-vlan-tag...

CGGXANNX

Normally the file without platform suffix, the one named routeros-7.18_ab244.npk is for x86 (same naming convention as on https://mikrotik.com/download).

CGGXANNX

Can RouterOS do the following: Auto register DHCPv4 and v6 dynamic leases in DNS Auto register DHCPv4 and v6 fixed leases in DNS Currently it's possible with DHCPv4, but you need to write a script and execute it with the "lease-script" property of the DHCPv4 server instance, and add the h...

CGGXANNX

You'll need to put this dstnat rule (with xxx.xxx.xxx.xxx being your fixed ISP provided address) before the existing dstnat rule: /ip firewall nat add action=dst-nat chain=dstnat dst-address=xxx.xxx.xxx.xxx dst-port=22 protocol=tcp to-addresses=192.168.xxx.xxx to-ports=6022 Note: you need both rules...

CGGXANNX

That rule of thumb is quite accurate if you take the default configuration (with the firewall rules from MIkroTik) and disable the fasttrack rule (or before 7.18 when you use the default config with IPv6, because fasttrack was not available). If your configuration can actively make use of fasttrack,...

CGGXANNX

You didn't even read the posts that @erlinden linked for you? Please read that first. Where is your bridge? Your L009 has a good switch chip with hardware offload for VLAN Filtering. You should create one unique bridge over ether2-ether8 and sfp1, but keep ether1 out of that bridge. Then configure B...

CGGXANNX

Do your old router and the new MikroTik one have the same LAN subnet? If not there's probably somewhere in the UniFi controller setting where old addresses/address range are hardcoded. First update both the UniFi controller (on Windows) as well as the firmware of the access points to the latest avai...

CGGXANNX

they route over the dynamic address. So, at the moment you dial PPPoE and configure DHCPv6 client over that pppoe-out interface and get the dynamic IPv6 prefix? And they give you via email the extra fixed /48 prefix? Normally because you use PPPoE the ISP can just use your end of the PPPoE connecti...

CGGXANNX

I have CNAME records pointing to the xxx.sn.mynetname.net of my routers and enable-ssl-certificate dns-name=my.own.domain has always been working (of course port 80 must be temporarily opened and www also has to be temporarily enabled). Generated certs work for www-ssl, SSTP and User Manager, althou...

CGGXANNX

About switchAttempt.rsc (I've only looked at that file), if you want to use the BASE_MGMT vlan interface you need to set secure mode (under /interface ethernet switch port ) on the switch1-cpu port too, not only the 5 ethernet ports. And for the hEX PoE with QCA8337 you should turn on indepenent-lea...

CGGXANNX

I've investigated further and it looks like maybe @LdB's issues and the issues encountered in my tests might not be the same! First to answer jbl42: I have DHCP snooping disabled on the RB5009 since https://forum.mikrotik.com/viewtopic.php?t=212754&start=300#p1118102, and because of this detail ...

CGGXANNX

Hi Anav, It appears to make no sense to you because really in this case the MikroTik devices (at least my RB5009 as well as OP's devices) are not acting as expected with regards to DHCP traffics. The OP (and I in the tests) want the MikroTik device to act as a switch, its job should only be to pass ...

CGGXANNX

I can reproduce this behavior. However, in my case, even adding the VLAN as /interface vlan entry with bridge as parent doesn't help. Test config were: A. ether1 as hybrid port, with VLAN 124 tagged. ether5 as access port of VLAN 124. No /interface vlan entry configured for VLAN 124. /interface brid...

CGGXANNX

I think the data is not available because the DHCP server does not keep track of such information (packet and byte counters) for each lease. It's also logical that it cannot do that because normally traffic between devices on the same layer 2 (same subnet) is not visible to the router, only to the s...

CGGXANNX

It's clearly stated in the docs https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-FastTrack FastTrack packets bypass firewall, connection tracking, simple queues , queue tree with parent=global, ip traffic-flow, IP accounting, IPSec, hotspot universa...

CGGXANNX

This is still happening for me in 7.18.1.

Enable the "Responder" checkbox for the affected peer in RouterOS.

CGGXANNX

There is no need to change MTU for any ethernet interface at all, VLAN or not. What important is only the L2MTU value, which should be at least 1508 (L2MTU for VLAN interfaces are already automatically reduced by 4 bytes). For most MikroTik hardware that's the case by default. To have IPv4 TCP MSS a...

CGGXANNX

Can you post the text export of the relevant settings for your VLAN 312, both the "bridge" and the "switch" settings, so that I can maybe understand how the "normal" bridge ones are translated into the switch ones? Those settings were temporary, so I am not able to use...

CGGXANNX

As promised, here are some test results from my hAP ac². Two wired PCs are connected directly to ports ether2 and ether5 of the router and run iperf3 (in one direction). * First the bridge as configured by defconf is used. No VLAN is configured. 10.14.2.0/24 is the subnet of the bridge. CPU usage is...

CGGXANNX

Only on some high-end CCR/CRS models is fasttrack hardware offloaded. On most MikroTik's devices, including cheaper CRS and anything <= CCR2004, it's a software mechanism. As for why the accept rule is needed: It's explained in the docs: https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+...

CGGXANNX

Ah yes, can you try to do as @mkx wrote and turn on Multicast Enhancement in the SSID profiles (WiFi) for your UniFi APs? I thought that it was by default turned on so in my old post suggested to try to toggle it off. But I just checked, and the default setting for Multicast Enhancement is off for n...

CGGXANNX

Don't forget to read about the hardware limitations of the DX8000 chips in the CCR2216. Namely it has only 4K entries for NAT and 4.5K fasttrack connections. If your network has more concurrent connections to the WAN then the rest will not be hardware offloaded. That's why the fasttrack rule has the...

CGGXANNX

Yes, it mostly affects the switching functionality. Like when you have your NAS connected to one port of the router (maybe behind other switches), and your PC on another port (also maybe behind other switches), and both devices are in the same layer 2 network (same VLAN, same subnet let's say 192.16...

CGGXANNX

Thank you for your detailed response, it is very useful. I just wanted to clarify something: it seems like L009 became a distraction, as somebody else in the thread mentioned it as an example, but this is not the router I have. I have CCR2216-1G-12XS-2XQ and CCR2004-1G-12S+2XS, does everything you ...

CGGXANNX

For normal WAN - LAN usage there might be not much difference, because the offloading of the switch chip is not really being used, the CPU has to do most of the work moving packets between the off-bridge WAN port and any other on-bridge LAN ports. In case the LAN use VLAN then the switch chip might ...

CGGXANNX

Their marketing values are the one in the 1518 columns :). The 25-rule-1518-byte value can probably never be achieved in real life when there are meaningful firewall filters with fasttrack unavailable . That is where the "marketing" is and where they are overselling it. Usually, most speed...

CGGXANNX

User Manager in ROS7 is MikroTik's implementation of a RADIUS server, mostly to be used with devices running RouterOS as acting the RADIUS clients. That may be why it has the custom MikroTik attributes pre-defined.

CGGXANNX

If you have the User-Manager package installed, you can see the definition of this custom attribute: mikrotik-switching-filter.png Alternatively, the IDs are also available in this section of the documentation: https://help.mikrotik.com/docs/spaces/ROS/pages/2555940/User+Manager#UserManager-Attributes

CGGXANNX

There are specs available in this post viewtopic.php?t=213245#p1131190

CGGXANNX

The 25 rules 512 bytes value is representative for cases where fasttrack cannot be actively used. Like when using mangle mark-routing, or on previous RouterOS versions when using IPv6. For normal configs that can take advantage of fasttrack, throughputs nearer to the fast path value is achievable, a...

CGGXANNX

Thank you for advice, but may I ask why would it better to load CPU with all WAN-bound traffic? Provided that I can (and routinely do) make all ports assigned to LAN as a separate bridge anyway and never include WAN port into that bridge? Wouldn't it be better to use one port from the hardware offl...

CGGXANNX

/interface ovpn-server server add mac-address=[...] name=ovpn-server1 While it's disabled by default, I would prefer default config and especially updates not to create bogus interfaces. This happened because in 7.17 supports for multiple OVPN server instances were introduced. In previous version t...

CGGXANNX

Can you try to reduce these values to 10 minutes and toggle network connectivity on the affected client devices (wifi off/on, cable out/in): ipv6-nd-lifetime.png Those were actually the old default values, but now the default values in newer RouterOS are very high (30 days and 7 days). On all of my ...

CGGXANNX

The order of the rules in the filter firewall is important because within the same chain (in this case "input") the rules are processed from top to bottom. Currently your rule with the comment "Replaces defconf rule for DHCPv6 client prefix delegation..." sits at the bottom of th...

CGGXANNX

When configuring the bridge and VLANs on the hEX PoE, don't forget that it has a QCA8337 switch chip connecting the five ethernet ports. Which means to configure the VLANs you should use the /interface ethernet switch menu instead of Bridge VLAN Filtering. See: https://help.mikrotik.com/docs/spaces/...

CGGXANNX

Did you try enabling flow control on the ethernet ports of the CRS310 (at least on ether1 and ether8 according to your diagram)? Looking at this: 2.5-1G-flow.png Ethernet frames travelling along the green path might reach a rate of 2.5Gbps to arrive at the Fritz!box. From there the orange path can o...

CGGXANNX

Please note that some router models, such as the L009UiGS-RM https://cdn.mikrotik.com/web-assets/product_files/L009UiGS-RM_230555.png, has a good switch chip with hardware offload connecting most of the ports, and one (usually ether1) or a few ports connecting directly to the CPU. In such cases it w...

CGGXANNX

If the NAS only accept connections to it from the same subnet as itself, then one possible "solution" is to masquerade the connections from vlan20 to the NAS, with a NAT firewall rule: chain=srcnat action=masquerade src-address=192.168.20.0/24 dst-address-list=NAS_DEVICES. Where NAS_DEVICE...

CGGXANNX

... but it still shows my local IP :( Don't forget to check whether the fasttrack rule in the Filter table has the connection-mark=no-mark really applied. After that, check the followings: * In IP -> Route, is the flag AS shown next to the route with destination 0.0.0.0/0 in the USE_WG table? * In ...

CGGXANNX

At quick glance you are missing a route in the main table, step #13 of my previous post. What is shown as (step 13) in your file is actually #14 from my post. Also the command that you use to modify the fasttrack rule look for rule with comment "defconf: fasttrack rule". Are you sure that ...

CGGXANNX

It is written everywhere in the Mikrotik docs, that fasttrack only works on main routing table.

It's compatible when connections are put into routing tables other than "main" too, but that must be done with routing rules, not with mangle rules.

CGGXANNX

One of the possible causes is that you have mangle mark-routing rules that put packets of a connection in a routing table other than "main", but did not try to exclude those connection from the fasttrack rule.

CGGXANNX

He has all ethernet ports set to 100Mbps. I don't know if it's deliberate. But auto-negotiation seems to still be enabled.

CGGXANNX

This is the doc for RouterOS 6 https://wiki.mikrotik.com/Manual:IP/Fasttrack. You'll need the two firewall rules under the Initial configuration section. As well as this:

FastPath and Route cache is enabled under IP/Settings

CGGXANNX

At least you can try to enable fasttrack?

CGGXANNX

I think the reason this has a high probability of appearing at reboot is because while the router is being rebooted, clients in the network are still firing DNS queries at it (everything requires address resolution and TTL are nowadays quite short). Normally the queries are made with UDP and are not...

CGGXANNX

Yes. See my post above.

CGGXANNX

I don't have time to produce a ready-to-copy-n-paste configuration for you, but this is the rough idea of the steps that you'll need. 1, Start from the default MikroTik configuration of your hEX refresh (the defconf ), with working main internet connection. 2, Create WireGuard interface (let's say w...

CGGXANNX

so I have manually set MTU of ether1 to 1508. As ISP uses VLAN10 a VLAN interface was added for ether1 also with an MTU of 1508 You don't need to change/increase the MTU setting of the ethernet and VLAN interface underneath the PPPoE client interface. You only need to set Max MRU and Max MTU to 150...

CGGXANNX

why does VyOS only go to 1492 instead of 1500 ??? For VyOS to set ppp-max-payload=1500 in the PADI message the OP will need to do the following: * Set mru and mtu on the pppoe interface to 1500 (E.g. set interfaces pppoe pppoe0 mru 1500 / set interfaces pppoe pppoe0 mtu 1500 ), or delete both (don'...

CGGXANNX

Please edit your post and remove the WG keys.

CGGXANNX

Because DHCP use raw sockets. Here is some literature (from ISC DHCP but should also apply to MikroTik's implementation).
https://kb.isc.org/docs/aa-00378

CGGXANNX

You need to change the prefix length /24 in the allowed-address field (and client-address field too) of the peers to /32.

CGGXANNX

Even vanilla Btrfs RAID 1 can be a real headache, for example, if a disk intermittently disconnects or fails for some reason and then gets marked as unreliable. Restoring a Btrfs RAID 1 is a pretty complicated process and requires expert knowledge, as @Petch1 pointed out in another thread. In other...

CGGXANNX

Because what you observed is common on configurations with IGMP Snooping enabled on hardware offloaded bridge (like my RB5009) when VLANs are in used. After some time, the MDB table no longer has the entries for the multicast addresses of the devices, as a result the router advertisement packets are...

CGGXANNX

Do you have IGMP Snooping turned on on the router?

CGGXANNX

Thank you, yes, this new version is perfect download/file.php?id=72191

CGGXANNX

One thing in your design that needs improvement, and this was also an usability issue in WinBox 3, are these tiny buttons to add/remove items. They were always too small for me in WinBox 3 and difficult to hit even with the mouse (forget about touchscreen). tiny.png WinBox 4 actually improves in thi...

CGGXANNX

RFC 4638 and PPPoE with MTU 1500 work on all of my MikroTik devices. But I've seen multiple people (MikroTik forum in my country) using x86 having the same issue as himurae, where the MTU drops to 1480 because large LCP EchoReq packets cannot be sent. But threre are also people with x86 RouterOS whe...

CGGXANNX

Do you have IGMP Snooping or DHCP Snooping enabled on the bridge?

CGGXANNX

I guess another thing that you can try is to turn on the VLAN Aware checkbox in Proxmox on the Linux Bridge matching the interface used to dial PPPoE? It probably won't help much though. Another attempt that requires more work is to passthrough the network adapter (NIC Passthrough) instead of using ...

CGGXANNX

If you have DHCP Snooping / IGMP Snooping turned on on the bridge, try to disable those features first. At least DHCP Snooping is confirmed by the updated documentation to cause fast-path to be non-working, which causes fasttrack to be useless on that bridge. https://help.mikrotik.com/docs/spaces/RO...

CGGXANNX

Interesting solution, Q 1 : but why do you use recursive scope can you test with defaults scope=10 target-scope=30 I believe... The default scopes was in the config at the start of my post from yesterday https://forum.mikrotik.com/viewtopic.php?t=215016#p1128526, you can see "30 _ 10 _ TEST1&q...

CGGXANNX

Okay CGG, I am down to this. /ip route { main table } add check-gateway=ping " dst-address=0.0.0.0/0 gateway=8.8.8.8 routing-table=main scope=10 target-scope=12 add dst-address=8.8.8.8/32 gateway=ISP1 Gateway routing-table=main scope=10 target-scope=11 +++++++++++++++++ add check-gateway=ping ...

CGGXANNX

If you use Proxmox, can you try in Proxmox to increase the MTU value of: * The network device (ensXXXX) corresponding to the port connecting to the ISP * The corresponding Linux bridge over that port to, let's say 1540 (assuming the network adapter support jumbo frames)? Or are you using NIC passthr...

Search found 632 matches