MikroTik

huntah

Hi, I am trying to renew LE cert with enable-ssl-certificate but I get the following error. /certificate/enable-ssl-certificate dns-name=somegw.of.mine.com progress: [error] http challenge validation failed, please make sure www service is enabled and your device is accessible by letsencrypt.org ser...

huntah

I have found a sollution. You have to edit the Windows .pbk file! On the user's computer, go to to C:\Users\[username]\AppData\Roaming\Microsoft\Network\Connections\Pbk. Open the rasphone.pbk file with a text editor. In the section for the relevant VPN connection, find userascredentials=1 and change...

huntah

Hi, I have a problem with Windows L2TP/IPSEC clients (also IKEv2/UserManager). We have a domain controler and shared network drives. User takes the notebook home connects to VPN without a problem and then when trying to connect to network drives it fails. But if I go to credential manager on the cli...

huntah

Just a guess... Possibly you have several ip addresses on that interface now? Try that for the first address: :global ddnsip [ /ip/address/get ([ /ip/address/find where interface="ether1" ]->0) address ]; ... or add more properties to your filter. Yes.. exactly I have more addresses! If I...

huntah

Hi, can any tell me if this scipt is working on ROS 7.x global ddnsip [ /ip address get [/ip address find interface="ether1" ] address ] Error: invalid internal item number It was working perfectly on 6.x .. If I put in a corresponding number of the interface it works.. Something must've c...

huntah

QR Code is very useful if it would be implemented in UserManager-Users. There is a field OTP Secret. It works which GoogleAuth! I use this QR Generator: https://jwessel.github.io/totp-gauth-token/QR_generator.html But if Mikrotik would implement this in Winbox or even better WebPortal. We could have...

huntah

Seems like ! is not working in fasttrack and queues I am trying to disable fastrack for GuestNetwork (Capsman and one Vlan interface) so I can enabel queues /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related h...

huntah

MS posted a workaround:

Workaround: To mitigate the issue for some VPNs, you can disable Vendor ID within the server-side settings. Note: Not all VPN servers have the option to disable Vendor ID from being used.

But I don't think we can do that in RouterOS..

huntah

Sadly yes.

MS is talking about removing VendorID from IPSEC but I do not see the option to remove this.
Maybe someone else have found a workaround other than remove the January Patch from MS.

huntah

*) CSS106: make RSTP work with vlanMode=enabled or vlanMode=strict; CSS106 - RSTP issue is resolved SwOS 2.11 and 2.13 - RSTP finds the correct Root Bridge Did have a problem with RSTP root bridge pointed at it itself when I had UPLINK port (SFP) set to TAGGED ONLY! Do not forget to set VLAN Reciev...

huntah

It seems there is a problem with determining the right Bridge Root in RSTP. Here is my scenario: 1. HP v1910-48G - STP enabled. Mode RSTP. Bridge Priority 4096 (0x100 hex in Mikrotik) 2. hAP-Lite with Switch chip defined VLANs and a Bridge with all ports and WLAN1 adapter. (I also disabled Switch As...

huntah

I can confirm that RSTP on CSS106 is broken.. If I enable it it does not compute the right Root Bridge. Root Bridge is always the CSS106 itself. Regardless of Bridge Priority. Directly attached CRS212 port is in Learning and discarding state... It only helps to disable RSTP on CRS212 and than disabl...

huntah

You have set the IP Address on interface instead of bridge /ip address add address=192.168.2.1/24 comment=defconf interface=ether2 network=\ 192.168.2.0 You should change that to Bridge and everthing should work... /ip address add address=192.168.2.1/24 comment=defconf interface=bridge network=192.1...

huntah

Try upgrading winbox to the latest version..

huntah

Ok,

Connection Mark works perfect for this:

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address=LOCALSUBNET new-connection-mark=VIAIPSECTUNEL passthrough=yes src-address=REMOTESUBNET

huntah

Hi, I have setup RoadWarrior remote office behind NAT. I use IKEv2 with mode-conf. I have found that I can route all traffice from remote office over the tunnel via dynamic NAT rule generation. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Enabling_dynamic_source_NAT_rule_generation Which is fine b...

huntah

This is real bummer. It was working last year (at least until Aug .. when people were on vacation and needed VPN). This year I gues I have to make a new CA and recreate all the certficates and redeploy them.. Is there any way to renew CA certificate in Mikrotik? Also what exactly is the drawback of ...

huntah

The only difference is My CA is set for 10 years.. If the CA is the culprit then I have to recreate the whole VPN system (CA and all 30 certificates). And redeploy them do clients.. If this is some kind of a Apple bug (valid less than 850 days should not be enforced for CA..). I can understand the l...

huntah

@anav: I think your config only works with one certificate?! Judging from this: 17) IDENTITIES Is the biggie, I am not sure if order is important but in any case I have mine first (before any default). Word of caution if you make changes to certificates this will change on you and thus have to reset...

huntah

Code: /interface ethernet switch port set 5 vlan-header=add-if-missing vlan-mode=check # or secure This is switch1-cpu .. I always set this like this: /interface ethernet switch port set 5 vlan-header=leave-as-is vlan-mode=secure Try it.. if it works like this.. Or dou you think this not correct fo...

huntah

CCR1009-7G-1C-1S+ 6.44.6 -> 6.45.8 ip ipsec policy peers where is state unknown.. IPSEC tunnels -- some were working some not.. Manualy specified correct peers sand flushinng SAs solved the problem without reboot. Everything else seems to be working after upgrade.. . Kudos for : /ip ipsec active-pee...

huntah

@mkx: I agree that you can set native vlan as you like (your case 42) but I had had always problem when using VLAN1.. MT devices would only work as they should when untagged VLAN1 through (Cisco, Procurve switches) if they had VLAN0 set.. I do not know if it is a bug or not but it works. This is why...

huntah

I Tried this config on hAP-Lite and it works. I removed for test switch1-cpu from all VLANs (it will lock you out of management! So do have wlan1 enabled or you will need to reset via button). It works as it should! For hybrid ports you need to leave it as is .. Tried and please post back.. The big ...

huntah

hmm... I think this should work.. It works at least for me.. Correct me if i Am wrong: ether1-uplnik -> tagged 15,21 in untagged 0 (Native VLAN - for HP Procurve it translates to VLAN1 unttager --- hybrid port) ether2-Management -> unttaged 15 - access port ether3-PC+Voip -> unttaged 0 (PC) + tagged...

huntah

The point was: 1. HEX price 45 EUR + VAT 2. HEXS price 55 EUR + VAT 3. hAP-AC2 price 55 EUR + VAT 4. And I see here hAP-AC2+SFP for 65 EUR + VAT (my estimate...no such product) Why... I have many custumers where we come to them with Optics and they want just one single affordable device with WiFi.. ...

huntah

It would be extremly nice to have hAP-AC2 with SFP port.
Something like Hex and HexS but with HW VLAN support...

What do you think @Forum and @MikroTik

huntah

After step-by-step config redo I have found out it is the System-Certificate CRL as suspected.. @Mikrotik or someonelse: How exactly does this CRL work I have specified my Public IP address...Should allow HTTP from MyPubIP to MyPubIP port 80 ? What happens if webfig is also on port 80...what happens...

huntah

Hi, I have a strange problem... In Firewall filter I am dropping everything not comming from LAN as a las rule in Input chain. Now I get multiple times a minute this log: Filter:input:in:(unknown 1) out:(unknown 0) , proto TCP (SYN), MyPublicIP:43242-> MyPublicIP:80, len 60 I have IP - Service - www...

huntah

Hi all, support got back to me! And kudos to mr. Edwards for writing the updated easy to understand Wiki for SwOS! https://wiki.mikrotik.com/wiki/SwOS/CSS106-VLAN-Example Please disregard wiki link in previous post because it is outdated! Always use the one provided above this line! For Hybrid port ...

huntah

What was the error?
You need PowerShell and not CMD.
It wont work if you have the same CA. I havent tried to specify which cert to use with the same CA (Certificate Authority).

This is useful if you have multiple IKEv2 VPN clients on different locations. And all the servers have different CA.

huntah

Hi, I thought I have everything figured out.. But again I am buffled :) So I have multiple switches linked together. - port 1 : Uplink to GW (All Tagged) - Port 2 : All Tagged VLANs to hAPAC2 - Port 3: Hybrid Port - Untagged VLAN and Multiple Tagged Ones - Port 4: Hybrid Port - Untagged VLAN and Mul...

huntah

HI, is there any plan to add native support for GoogleAuth or FreeOTP or some other OTP client. It would be great to auth VPN users and/or Router Access (Winbox, WEB etc..) I guess it can be done via external Radius Server.. If someone has done it. Please share it would be helpful to others.. I thin...

huntah

Hi

You have different settings on client and server..
For example..dh group=2 is modp1024
Also enable..ipsec logging to see what client Sends to MikroTik and vice versa

huntah

set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps

I think you Are forcing 100mbs on each interface.....

huntah

Did you disable fasttrack?

huntah

Does your PCC work with fasttrack enabled ?!
I could not make that work....also in wiki it is mentioned in a note....

huntah

HI, use the default settings (ie Quickset). This should give you internet on ether1 and a Bridge with HWoffload and Wlan together. Since you have 32 users I hope you have a Gigabit 24port Switch or two :) So all your clients are directly attached to GigaSiwtch (or whatever switch you got) and only o...

huntah

with Lan C do routing like that:

router a: ether1 IP: 10.30.1.1/29

/ip route
add distance=1 dst-address=10.30.13.0/24 gateway=10.30.1.2

router b: ether3 IP: 10.30.1.2/29

/ip route
add distance=1 dst-address=10.30.14.0/24 gateway=10.30.1.1

huntah

You need to allow also in firewall filter
Place it before drop tule

huntah

I have found the problem it was in RP Filter which was enabled on the Live Router! Wiki has a note about that :) I should RTFM more carefully! Note: PCC setups is not designed to work if RP Filter is enabled On another note..If I set it to Loose it works.. Will the default FW rules in forward chain ...

huntah

I was searcing the forum and came across this:
viewtopic.php?t=110560

I have disabled the fastrack and now it is much better.

Must fasttrack be disabled with PCC? Can someone confirm this..

huntah

OK now I am totally confused :) It kinda works on both devices in my lab. On both there are problems with some sites loading all the images ...or not loaded entirely. Subjective guess it happens more often on hAP-AC2.. Steps to reprodude: 1. Reset config to default 2. remove ether4 from bridge 3. re...

huntah

Ah OK.. did not know that in the wiki.. But tried several scripts but none work on live system with hAP-AC2 so passthrough is definitly an oversight on my side... I just dont get it why it does work on hAP-lite even though it was set incorrectly.. I have just got one spare hAP-AC2 and will try the s...

huntah

It does not matter if I set it to passthrough :/
Also in Wiki there are not passthrough enabled..
https://wiki.mikrotik.com/wiki/Manual:PCC
As I said it works on hAP-lite just not hAP-AC2.
Have you tried it on hAP-AC2.. has anyone?

huntah

Hi, can anyone confirm if PCC (Dual WAN) has problems on hAP-AC2? I have tried ROS6.42.9 and latest currunt 6.43.4. Then I used the same Mangle Rules on Hap-Lite and it worked. Using ROS6.44beta28.. WAN1: DHCP-Client no default route (Cable with static IP assigned) WAN2: DHCP-Client no default route...

huntah

HI,

ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;

just got word back from support. They have found the problem with split-include and it will be fixes in next beta..
Will test then again and post back the results!

huntah

I check exactly like that.. but there arent any routes from split-include.. IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.3.1 192.168.3.122 55 127.0.0.0 255.0.0....

huntah

I have default configuration (eth1 -> DHCLient to my private network)
All drop rules disabled
DHCPServer on Bridge (Default with IP pool 192.168.88.0)
VPN Pool is 192.168.222.0/24
I have attached the full config export compact

huntah

OK my bad

Here is the Wireshark capture from Mikrotik..
There are DHCP Inform messages but I am not able to interpret them :/

huntah

I dont get any DHCPInform..
Attached is the wireshark and then connect to VPN..
I cant put DHCP Server on WAN port ...

guess we will wait for Mktik guys to wake up

Night all and thnx for tips and help sindy!

huntah

I tried with ether1 (my wan on test router) but nothing is catcing in the sniffer when I connect or disconnect. I dont really understand what DNS (udp/53) has to do with DHCP (udp/67-68) If I change it to correct ports I get: 0 14.46 ether1 192.168.222.146:68 (bootpc) 255.255.255.255:67 (bootps) udp...

huntah

I just installed beta28 on brand new HapLite (default Settings). added Certificates and ipsec ike2 RSA setup: /certificate add common-name=TESTCA name=TESTCA days-valid=3650 sign TESTCA ca-crl-host=192.168.3.124 add common-name=192.168.3.124 subject-alt-name=DNS:192.168.3.124 key-usage=tls-server na...

huntah

ike2 - send split networks over DHCP (option 249) to Windows initiators if DHCP Inform is received;

Any Examples?

If I am not mistanken this means that split tunneling will now work!

huntah

Very nice post but one thing is missing,
Final configuration export with your last picture..

huntah

you have not specified where is your VPN server? On the router (mikrotik) or do you have to port forward it to internal OpenVPN server.. If you just need the client it should work out of the box because there are no limitation for outbound limits. So if you have openVPN server on your Mikrotik you n...

huntah

use ip firewall filter and chain forward.

Drop subnet a to subnet b and vice vera.

Or use search on forum. It has been asked and answered multiple times

huntah

Why it just started to suck... different configurations for different rb models in vlans,... are You kidding? cant't rewrite config in common syntax? The VLAN configuration is the same for all models. MikroTik completely changed (improved) the VLAN configuration in 6.41 for all devices. It is not M...

huntah

The hAP ac² dose have a switch chip (Atheros 8327) with vlan switching support and is supported in routeros. The RB750Gr3 have also a switch chip (MT7621) with vlan switching support but is on yet implemented in routeros. So on the RB750Gr3 you only can use software switch if you need vlans. See th...

huntah

There is no switch menu Winbox in 6.42.4 :) In CLI i can see it.. # NAME TYPE MIRROR-SOURCE MIRROR-TARGET SWITCH-ALL-PORTS 0 switch1 Atheros-8327 none none Will try later to set it via CLI and test. And yes the speed is terrible 5MB/s the gateway is HEXGr3 and gets 33% CPU load... but in anyway this...

huntah

Is this only cosmetic bug in Winbox? in terminal I can see HW ofload active but Winbox shows off. If I disable VLAN filtering I can see HW offload in Winbox. Here is the Brige config. It is working.. But I havent tested performace yet... /interface bridge add ageing-time=5m arp=enabled arp-timeout=a...

huntah

The hostnames will be the same for the same router. Do not worry about that. The domain name will always be tied to the serial number of the router. If you are going to change routers - then you better create on your your own DNS server CNAME entry that points to the <SN>.sn.mynetname.net FQDN. It ...

huntah

@janisk: I have multiple Clients with IKEv2 Server with RSA (Certificates). Those Certificates are made with ddns hostname (7dgfdghgssaa1.sn.mynetname.net) from IP Cloud.will the hostname remain the same. If not I have a big problem since I have to reissue all certificates to users on multiple site...

huntah

@janisk: I have multiple Clients with IKEv2 Server with RSA (Certificates). Those Certificates are made with ddns hostname (7dgfdghgssaa1.sn.mynetname.net) from IP Cloud.will the hostname remain the same. If not I have a big problem since I have to reissue all certificates to users on multiple sites.

huntah

Actualy yes and no :) Windows Server VPN (RRAS) uses DHCP to assign IP addresses to VPN Clients. Mikrotik uses only a IP Pool. But that is OK it works. I am trying to put into motion (if you can) a "Feature" in addition to classic routes being sent to the client Another push of DHCP option...

huntah

@mrz IKEv2 client gets an IP from IP-Pool (IKE-Pool). I have one or more DHCP Servers on the LAN side (Depending on VLANs..). But for example sake lets just say I have one on Bridge-Local. Bridge-local: 192.168.1.0/24 IKE-Pool: 192.168.200.0/24 Where do I set DHCP option 121 (on bridge-local DHCP se...

huntah

Hi is there any solution for this problem on Windows10. other than: Add-VpnConnectionRoute -ConnectionName "My VPN" -DestinationPrefix 192.168.0.0/16 -PassThru @Mikrotik or someone else: Is there any way to send DHCP option 121 (Static Routes) when WIn10 connect for split tunneling. I thin...

huntah

Hi, I have found the solution if someone should came accros the same problem. So the solution is to use powerShell and specify the CA to use: here is the example. Set-VpnConnection -Name "My VPN Connection" -MachineCertificateIssuerFilter 'C:\mycerts\cert_export_MikrotikIKEv2-CA.crt' Now I...

huntah

Hi, I have IKEv2 with cert up and running. Everrthig is working as it should but I have a problem on Win10 1803 machines (maybe also other Win versions). The config is based on: https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_using_IKEv2_with_RSA_authentication I manage multiple cl...

huntah

Hi CZFan, first sorry for late reply. I think you have just pasted the same answer which I already tried and found on forum. And It is missing a chain. But it does not work (it does not count the packets). So here is the complete ip firewall export: /ip firewall address-list add address=download.mik...

huntah

Hi, I have a Dude Server installed on a CHR (Hyper-V) which is working. ROS 6.42.2. There is only one ether interface name=ether1. IP and Default GW, DNS is configured and I can ping and traceroute everthing as I should. But the Main Firewall is blocking internet acess directly and I have to use Pro...

huntah

Hi,

I have IKEv2 with certificates up and running. My only question is there a way to see which users have connected and when. (Without Radius and EAP).
Something similar as LT2P - Secrets - Last logon.

Thanks for answers or advise.

huntah

How about NAT (Masquerade). Did you disable it on both sides for the tunel IPs?

huntah

Hi,

I have added some devices (Switches) in Dude / Device.
Now they are not show on default (only) map.

I cannot find the field or setting to specify to show them on the map.
Any help would be appriciated.

Using ROS 6.42

Regards,
Huntah

huntah

Seems like my hap ac2 has 233 MB RAM . at least on ROS 6.40.5 Using it as Cap for testing. So did not jump tu 6.42rc yet.. uptime: 1d7h32m31s version: 6.40.5 (stable) build-time: Oct/31/2017 13:05:15 factory-software: 6.40.5 free-memory: 208.7MiB total-memory: 233.4MiB cpu: ARMv7 cpu-count: 4 cpu-fr...

huntah

*) sfp - improved SFP module compatibility;

That this means thaht the following SFP modules are working:
viewtopic.php?f=17&t=120190&p=591082&hi ... 02#p591082

If yes will there be an update for SwOS also?

huntah

I am very glad Mikrotk is working on Certificates. I dont use SCEP but rather more and more popular LetsEncypt (hotstpot, SSTP and IKEv2 VPN !). I would be great if Mikrotik could implement something like acme.sh . I have used this guide https://www.ollegustafsson.com/en/letsencrypt-routeros/ to aut...

huntah

If you are not using SFP module then you do not need a bridge. So you can remove it as you described All other Interfaces are in the same switch group and thus you can use hw switching. I would do it like this: /interface ethernet set [ find default-name=ether2 ] name=ether2-master set [ find defaul...

huntah

I suspect you have a DHCP assigned IP address and then the the ISP is Routing a block of IPs to your DHCP assigned IP. You can make a local PPPoE Server and distribute the adresses or simply make a Pool With Public IPs and a DHCP Server on the internal bridge(or interface) on which your clients conn...

huntah

HI, Put VLAN9 interface on top of your master interface (ether2-master) /interface vlan add interface=ether2-master name=vlan9 vlan-id=9 And if you do not use SFP1 than you do not need a bridge. If you want to use HW Switching you must not use Bridge (except in new Bridge implementation 6.41RC) But ...

huntah

Yes exactly like that..

huntah

Quite a bit wrong in your config :). First If you make a bridge and put interfaces in bridge than add IP on bridge not interface ether2. /ip address add address=10.9.8.1/24 interface=bridge1 network=10.9.8.0 You wont be able to do what you want using Switch chip.. Well maybe you could (WAN-VLAN10, M...

huntah

Did you manage to get this working?
It would be great.. No need to install cert on user device.. There is also a way to auto renew and import le certs to mikrotik...

huntah

Yes it was a masquerade problem!
I have to masquerade traffic to my other VPN endpoints therefore I have to masquerade on all interfaces not just internet one.

Once again thank you ihave!

huntah

Thank you ihave! I was missing the forward firewall rule! Now the internet is working but I have another problem. From my router where IKEv2 Server is I have several VPN tunels (ovpn, L2TP Client to another branch etc).. If I use L2TP/IPSEC Server instead of IKEv2 I can reach all the remote (VPN) lo...

huntah

Hi all, i have a working Roadwarrior setup IKEv2 but I would like to route all traffic accross the VPN not just SPLIT-Tunnel. I cannot seem to make it work. I get the default route (StrongSwan, even on Win10 with option to use remote default gateway) but it does not seem to work. I think it is a pro...

huntah

You are useing software (ROS) based VLAN routing and handling. Because you have followed the wrong example in Wiki. If I understand U are using a CRS switch (CRS210) so the correct way is using Switch menu and utilise hardware VLAN capatibilities. https://wiki.mikrotik.com/wiki/Manual:CRS_examples#P...

huntah

Anyone knows on which CPU architecture running RouterOS in CRS326-24G-2S+RM? ARM, MIPSBE or SMIPS? How it compares with CPU performance of CRS125 or CRS226?

I would also like to know if it is comparable to CRS125..
How is IPSEC throughput?

huntah

I think there is another mistake in VLAN Example #2 (Trunk and Hybrid Ports): https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_.232_.28Trunk_and_Hybrid_Ports.29 /interface bridge vlan add bridge=bridge1 tagged=ether2,ether7,ether8 untagged=ether6 vlan-ids=200 add bridge=bridge1 ta...

huntah

If you have the same subnet for VPN clients as your internal LAN subnet. Then you have to enable Proxy-arp on the interface facing the local subnet

huntah

yes it does. but you could also buy a new Mikrotik CRS router for roughly the same amount. But Cisco is a better switch evethough it is used. Or If you have Mikrotik on the edge ports (where APs are connected) you could use this thread and it could help you solve your problems: https://forum.mikroti...

huntah

Do you have fasttrack enabled?
If so disable it for IPSEC traffic.

huntah

At first glance. You are mixing IKEv1 (IPSEC) and L2TP/IPSEC.
Specified ppp users have only L2TP allow.
If you want mode-config then you specify users in IP - IPSEC - USERS

But first choose L2TP or IPSEC with mode conf.
If you go L2TP then Iphone should also be set to L2TP (not IPSEC)

huntah

Does the black list function in the discover info window of the dude client for windows work right in this build? In 6.38.3, and previous versions I don't see the . or ... buttons shown in the manual here. http://wiki.mikrotik.com/wiki/Manual:The_Dude/Device_discovery There is a related bug where d...

huntah

Hi,

I dont know why it isnt woriking for you..
But check this site with detailed info:
https://schemen.me/mikrotik-fast-track- ... des-ipsec/

Also check the comments.. maybe you need to add those two rules also..
I did not have to add them.

huntah

Does the black list function in the discover info window of the dude client for windows work right in this build? In 6.38.3, and previous versions I don't see the . or ... buttons shown in the manual here. http://wiki.mikrotik.com/wiki/Manual:The_Dude/Device_discovery There is a related bug where d...

huntah

You have to disable fastrack for IPSEC traffic. It is also documented in Wiki: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack I have found that this works like a charm: /ip firewall mangle add action=mark-connection chain=forward comment="Mark IPsec" ipsec-policy=out,ipsec new-connecti...

huntah

Hi, I am using ROS 6.38.5 and have a working RoadWarrior IPSEC with ModeConf. https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf Do not forget to BYPASS FASTTRACK and ajust the Phase1 and Phase2 settings in ShrewClient to match your config! It is also working with my Wi...

huntah

Hi, somewhere between ROS 6.32 and lastest 6.37.4 the sorting in DHCP-Server lease changed. I have quite a few reservation (80plus) and was very happy that Dynamicly assigned leases were on top. Now there are inbetween the staticly assigned leases and it is very annoying. Is there any change to get ...

huntah

After several hours and configuraction changes I searched the forum and I can confirm that MRZ answer is correct and working.

Thanks MRZ!

huntah

If it is Tagged VLAN1 then you need to set VLAN1 in mikrotik (interface vlan). If it is Untagged (as in natvice VLAN) then mikrotik needs to be set at VLAN0. Check this post: http://forum.mikrotik.com/viewtopic.php?f=2&t=115115&p=571100&hilit=procurve+vlan HP Procurve should be same as C...

huntah

Native VLAN (Cisco VLAN1) is translated to Mikrotik VLAN ID 0 /interface ethernet switch vlan add ports=ether1,ether2,ether3,ether4,ether5,switch1-cpu switch=switch1 vlan-id=0 add ports=ether1,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=12 /interface ethernet switch port set switch1-cpu vlan-...

huntah

Did some more tests and it seems that Windows10 client add route to the public IP od VPN server Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.23.1 192.168.23.101 50 1.2.3.4 255.255.255.255 192.168.23.1 192.168.23.101 51 192.168.77.0 255.255.255.0 On-link 192.168.77.251...

huntah

Ok Progress on IkeV2-RSA with certificates! Following manual http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_Ikev2_RSA_auth Someone needs to update the Wiki page (ip peer missing exchange-mode=Ike2)! And a few changes I managed to: 1. get connected Windows 10 but no routes are added...

huntah

auth-method=pre-shared-key But than this is not Xauth (mode Confg) ...or am I wrong? I did some tests on windows10 and Ipad (Ios 10.x) and IkeV2 proposal are: Windows10: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_2...

huntah

I can't get it to work IPSec+xauth
Can you post your working /IPSec export
How did you setup client on iPad..
Thanx in advance

huntah

It seems that r3.39rc12 introduces this feature:
*) ike2 - xauth like auth method with user support;

Has anyone tried it yet?
Or can Mikrotik guys give as a working config export.

Thanks

huntah

Hi, is it possible to make IKEv2 VPN with local Auth. Something like on PfSense 2.3.2 https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2#Set_up_Mobile_IPsec_for_IKEv2.2BEAP-MSCHAPv2 This setup is working for me on Windows10 and I only need a Server Cert (created on PfSense) and then I can spe...

huntah

Hi,

you can ping from MT to MT over IPSEC. YOu just need to spcify internal interface

ping interface=bridge-local 172.16.1.10

where bridge-local is my internal interface and 172.16.1.10 is server on the internal remote IPSEC site.

huntah

Hi did you find a way to use a public WWW server for your CA-CRL-HOST. And how does the update process work. If I create Self Signed CA on Mikrotik who must check CRL. VPN Server on Mikrotik (SSTP, IKEv2, OpenVPN) or clients? If only Mikrotik Server then I only have to open WWW service for localhost...

huntah

I know that ROS is working as it should. Because I use it on over 100 system (different setups, WiSP, MultiHome, Multiple VLANs, routing, switching etc). I "decrypted" from your answer you are using NAT. I guess you mean Masquerade if yes disable it for your VLAN segments. Since you cant/ ...

huntah

Yes it is possible to have multiple VLANs on the same interface in the same switchgroup (switch1 or switch2) and also unttaged VLAN (Hybrid port) /interface ethernet switch port set 0 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure set 1 default-vlan-id=30 vlan-header=always-strip vla...

huntah

If it is aCHR then you dont have a Switch menu. You configure your interfaces in your CHR HOST (ESXi, Hyper-Z etc). I always configure network interface in the host (tagged) and then use appropriate ether interface in CHR. So now it makes sense what you have wirten ether3-VLAN3 and ether4-vlan4. Aga...

huntah

Your Router has both address 3.1 and 4.1 .. so in traceroute you get in vlan3 to 3.1 address and router knows where to go for vlan4.. There is not and additional hop between 3.1 and 4.1 because it is the same device.. post your config.. Or follow the advice from th0massin0 and follow the wiki. The r...

huntah

Quick look into your configuration and i can see you did not set Admin MAC for bridge. Please set admin MAC to bridge infterface on both switches. But I dont know why you even created a software bridge as you only added ether1-master interface in this bridge? I would remove bridge and add VLAN50 int...

huntah

I think this type of adding IPs by the ISP is wrong. In my cases (different ISPs) I use one DHCP Client address or PPPoE Client for WAN and the the ISP Route all other IPs to my DHCP/PPPoE Assigned IP. Then I can manualy add IPs to ip addresses or route designated (from ISP) addresses to my clients....

huntah

As I said before HP VLAN1 is native VLAN and if you set PVID 1 (or untagged VLAN1) on trunk port of HP it translates to Mikrotik native VLAN 0. Ergo then set up ip directly on interface.. No need for aditional VLAN interface.
Anyhow this is how I do it because it is simpler..

huntah

The reason for setting my management IP on a vlan interface on the trunk port is that this trunk port is always up an running, thus I can connect to my switch. If I use an untagged port for that which is not always up and running I cannot connect to my device. I must say I dont understand exactly w...

huntah

from this export everthing seems to be OK. Do the host on ether2-4 have DHCP-Client enabled? What are those hosts? Can you check IPs on these hosts? Maybe you have another DHCP server on the same network. Are there any other switches on those ports? From Mikrotik point of view everything should be OK.

huntah

post export.. difficult to say.. as this should work normal..

huntah

You said I should not add the address to this interface? What is the reason for that? If I add it to trunk port (ether1) itself how can I be sure that it is only visible in VLAN 1? Native VLAN (VLAN0) is ony visible in this VLAN as any other VLAN. It is the same with HP and VLAN1 which is only visi...

huntah

- All MAC addresses in the Host tab are shown with VLAN ID 0. How is that possible? If you mean when you double click on specific host and see status window I also have all hosts in VLANID 0- . maybe you found a bug (write to support@mikrotik.com). Or if someone else knows why is this feel free to ...

huntah

It think it would be better to solve this in switch chip.. but then you must have ether1 and ether2 in same switch group (master and slave interfaces..)

See this post.
http://forum.mikrotik.com/viewtopic.php ... 28#p505473

huntah

Disregard... was a config mistake...

huntah

Read here and adjust accordingly to your needs

http://wiki.mikrotik.com/wiki/Manual:IP ... ic_address

huntah

Glad to help. I will point out some more things I spotted. Firstly switch1 and switch2 should have secure (not fallback) VLAN Mode set Here are some mistakes that I see comparing diagram and settings from pictures: 1. Ether1 (wan .. i guess it should be unttaged native vlan) set VLAN mode to disable...

huntah

I see you havent assigned Admin MAC to bridge. Please do so and try again. I had bunch of problems without setting Admin MAC on bridges. Of course set each bridge to unique MAC. Try it and post results.. Also if it is not working try firstly without bridges, just interfaces (I know there are two swi...

huntah

You did not read the whole wiki ;) Firstly you must put ports in one switch group. so set ether1 and every other port to slave as master port set to ether1 Also you have to pot your vlan interface on to of ether1 /interface vlan add interface=ether1 name=vlan10 vlan-id=10 add interface=ether1 name=v...

huntah

If this is your complete export you are missing settings for switch chip and VLANs.
for tagged ports:
/interface ethernet switch egress-vlan-tag
for access ports:
/interface ethernet switch ingress-vlan-translation

Look at these examples:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples

huntah

OK I did some test with HP Procurve 1920-8g and hAP Lite. So to sum it up: VLAN1 HP as PVID (or Access Point) translates to VLAN ID 0 on Mikrotik If you change PVID on HP to lets say 450 (something you are not using) and make VLAN1 tagged then it translates on Mikrotik as VLAN1 but you need to creat...

huntah

HI, sadly I did not find time to configure 1920 yet but here is a working setup based on your initial export. I changed and added more VLANs (for test). Every Interfave gets DHCP from VLAN DHCP (on main Mikrotik Router). Also for Access ports you must just set it like default VLANID (ie PVID in HP) ...

huntah

It is not supported.. You can add it on client side manualy.
More on this topic:
http://forum.mikrotik.com/viewtopic.php?t=39999

huntah

My guess would be imported config script. You have a Reset MAC address button in interface windows. Click it and it should revert back to original (unimported) MAC. You can check aginst label on Routerboard hardware. It should be the same. Also check Bridges (admin mac). And change it accordingly. S...

huntah

When I do that the connection to the MikroTik is lost. Thanks to SafeMode I am able to reconnect after a reboot :-) I have assigned the IP 192.168.0.190 to ether1 as I want to connect by winbox with an IP. This did not work until my single switch rule was added. As far as I understand this is neede...

huntah

I will check your settings against a HP procurve 1920-8g tommorow. Especialy VLAN1 because I am not sure how MK and HP see native VLAN.. But in the mean time you could do following for test purpuse: remove ether2 from switch group - set master port to none. Add an IP to the interface and you connect...

huntah

I think "native" VLAN in mikrotik is VLAN0. . For trunk port to Cisco you should have setting "secure" and "add if missing" (ie Tagged interface) on Mikrotik interface (Cisco is connected to ether1 I presume) and default VLAN ID 0 (for native VLAN). Also re-enabe VLAN 0...

huntah

mducharme wrote: Yeah, on the hAP AC I used the "Home AP Dual" quickset config for that kind of setup. I would recommend that for your case. You can always start with that (avoiding use of ether1) and then later manually remove the address from ether1 and make it a slave to ether2-master....

huntah

I think VLAN1 on Procurve is "native" VLAN. native VLAN on RouterOS is VLAN 0. So set it to VLAN0. Also I think you should specify IP of gateway not Interface. I only set Interface when using with PPPoe client and VPN Client interface. For Mirroring ether1 to ether2 you shoukd use this com...

huntah

If you use Quickset then I think you are better of with Home AP than WISP. If I understood you correctly the hAP is connected via ethernet cable. Also you already have a DHCP server in your network.so untick DHCP Server. Set a local IP inside your private network and WiFi settings. Connect ethernet ...

huntah

/interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=\
ether2-master-local,ether5-slave-local,ether7-slave-local

I think you should drop invalid vlan on all interfaces..

huntah

skeeming through setup I cannot see that you allow IPSEC-ESP, IPSEC-AH and UDP 500 ip firewal filter input chain. ;;; Allow IKE chain=input action=accept protocol=udp dst-port=500 ;;; Allow IPSec-esp chain=input action=accept protocol=ipsec-esp ;;; Allow IPSec-ah chain=input action=accept protocol=i...

huntah

add switch1-cpu to vlan and eg.vlan tag on the CRS side if you want to be able to get IP inside ROS
Else it only works on Layer2 (Switching) and you wont be able to manage it via ROS (ie Layer3).

huntah

maybe you are doing NAT on the oposite side 10.254.43.0/24

Check /IP firewall NAT

huntah

Yes it is doable no problem..

huntah

I use SanDisk Extreme CZ80 32Gb, RB3011 can detect it and work at 5000Mbps I format ext3, upload via ftp avarage 5MB/s, download 30MB/s (80MB/200MB when plugin to pc). Can you please test SMB transfer from Windows machine? How is the CPU load.. I have a RB2011 and the speed is too low for any kind ...

huntah

strods wrote: !) ipsec - added IKEv1 xauth user authentication with RADIUS "/ip ipsec user settings set radius=yes" (cli only); !) ipsec - added IKEv2 experimental support with pre-shared-key and rsa-signature authentication methods (cli only); !) ipsec - added support unique policy gener...

huntah

Hi,

is it possible to use a CAP in CAPsMAN system without LAN interface.
Something like UniFi where when you set things up you need a wired link and then it can connect to nearby APs via WLAN uplink..

huntah

Hi, I am expiriencind the same problem. no TX traffic on the new AP.. Did you mange to solve it? I have tried ROS 6.32.4 and 6.34.2 with same result. I started to happen lately (not sure when). Best result is when I disable fastpath.. then is mainly working. If anyone else can confirm this probelm a...

huntah

Hi, is it possible to create a central hotspot and capsman server and connect via internet to other locations. So my setup would be: 1x (or 2x) Central hostpot server and Capsman 20 CAPs around the city. Each of them with static public IP and own internet connection. One method is to link them toget...

huntah

Does anyone else have this problem?

How to drop IP connections to L2TP/IPSEC attackers?

For example if the same IP tries more than 5 times then it is blocked for 24h..

huntah

As it turns out in RB951U it does not work because it uses Atheros 8227 you need at least Atheros8327 chip to use rules. On the other hand if you use RB951G it works because it uses Atheros8327. You can check witch Mikrotik products have which chip on this Wiki Page http://wiki.mikrotik.com/wiki/Man...

huntah

Search the form . answered multiple times!
Or just read the Wiki:
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

Youll probably want: Site to Site IpSec Tunnel section

huntah

I tried the above setup (similar) and it works. I tried it with HP Procurve 1920 switches. They all got the Management IPs via VLAN0 and VLAN200 and VLAN300 vas tagged and avaible in Procurve. My setup: Mikrotik eth4 (vlan0, vlan200,vlan300) -> Procurve1 port 24 (PVID 1, tagged 200, tagged 200) Then...

huntah

Did you set default GW in DHCP Server: Microsoft for some reason designed Win7 (and Win8) to impose the restricted Public network profile for any network that could not be identified - which disables network file sharing. The Network Location Awareness (NLA) service will only allow you to set the ne...

huntah

HI,
answered in other thread
http://forum.mikrotik.com/viewtopic.php ... 94#p506494

huntah

/interface ethernet switch port set 0 vlan-mode=fallback set 1 default-vlan-id=200 vlan-header=add-if-missing vlan-mode=secure set 2 default-vlan-id=200 vlan-header=add-if-missing vlan-mode=secure set 3 default-vlan-id=0 vlan-header=always-strip vlan-mode=secure set 4 default-vlan-id=300 vlan-heade...

huntah

dont use a bridge! Just add vlans to the interface connected to Cisco. Example /interface vlan add interface=eth3 name=vlan15-Management vlan-id=15 add interface=eth3 l2mtu=1594 name=vlan35-private.net vlan-id=35 add interface=eth3 l2mtu=1594 name=vlan36-VoIP-CCTV vlan-id=36 add interface=eth3 l2mt...

huntah

dont use a bridge! Just add vlans to the interface connected to Cisco. Example /interface vlan add interface=eth3 name=vlan15-Management vlan-id=15 add interface=eth3 l2mtu=1594 name=vlan35-private.net vlan-id=35 add interface=eth3 l2mtu=1594 name=vlan36-VoIP-CCTV vlan-id=36 add interface=eth3 l2mtu...

huntah

If you use RB951 or similar you can enable DHCP snopping via Switch Rule .. /interface ethernet switch rule add dst-port=68 new-dst-ports="" ports=ether2-master-local,ether3-slave-local,ether4-slave-local switch=switch1 In this example DHCP traffic isnt allowed on ports ether2,3,4 (all por...

huntah

I need to learn to RTFM

.

The "true" DHCP server must NOT be in the same isolation group..
Now everthing is working as it should and I can enable the filtering rule!

Thanks for your help.

huntah

If you are using CRS use Switch chip VLAN.. It is much faster (wire speed) your configuration is software based Bonding and VLANs.. Use this Wiki: http://wiki.mikrotik.com/wiki/Manual:CRS_examples It is a little tricky at first but when you get a hang of its ok. I would like to see from mikrotik som...

huntah

this should work: /interface ethernet switch port set 0 vlan-mode=fallback set 1 default-vlan-id=200 vlan-header=add-if-missing vlan-mode=secure set 2 default-vlan-id=200 vlan-header=add-if-missing vlan-mode=secure set 3 default-vlan-id=200 vlan-header=always-strip vlan-mode=secure set 4 default-vla...

huntah

Hi, I have used the Wiki Example to implement DHCP Snooping (Rouge Server detection). But it isnt working.. I am missing something.. Here is my setup: Clients on ports 1-22 DHCP Server (port 14) Master-port = ether1-master slave ports = port 2-22 master (ether1-master) /interface ethernet switch por...

huntah

Can I join and ask what is this host in Wiki (http://wiki.mikrotik.com/wiki/Manual:Create_Certificates): /certificate sign ca-template ca-crl-host=10.5.101.16 name=myCa Is this Router IP (public or internal).. which ports on ip firewall filter must be opened to work? I cannot find anywhere more docu...

huntah

I am afraid that this kind of filtering would brake legitimate L2TP connections..
But it is worth a try. I will test it in test enviroment in post back the results..

Thanx for the idea!

huntah

Hi, I have successfuly deployed L2TP/IPSEC VPN server. But I have noticed (on multiple routers with l2TP) that some people are trying to hack into VPN. log: ipsec,error failed to pre-process ph1 packet (side: 1, status 1). ipsec,error phase1 negotiation failed. ipsec,error phase1 negotiation failed ...

huntah

Hi Normis,

can you check if your hAP are also using only 60-80% of CPU.. Is this normal?
Why wont they go up to 100% (max out the cpu).. As I recall RB433AH do that..

huntah

Hi, I just got two new hAP Lite Routers. I was wondering how much IPSEC performace is hidden in those tiny boxes :) They can push 14,5-15Mbit/s which is not as bad as I dreaded... Interesting fact is that the CPU is not maxed out but is between 50-80%. Test was done with 2 PC with Win7 and File copy...

huntah

Anyone else has all the same IPs in Neighbours?

MK-rc5-neighbors.png

huntah

post your config And I will see what I can do...
Also tell us your network settings (local net, remote GW, remote net etc..)

ip ipsec export

huntah

Hi,

You have to make specific Policies for IPSEC tunels.
L2TP/IPSEC policy has 0.0.0.0/0 (Any).
The specific Policy for IPSEc tunel (example: src 192.168.11.0/24, dst 192.168.12.0/24) will take precedens before the generic 0.0.0.0...

so it should work withut any trouble..

huntah

This is done already..
It is from the dude monitoring software that you cannot set the alterantive port to connect to the device behind NAT (multiple MK behind same NAT)

huntah

Try using you login password if you haven't specified anything

huntah

please post you config

export compact

it is difficult to know where the problem lies without a config.

huntah

Thanx I noticed that the next day (fax wasnt working :)) but forgot to update the thread. I also got the official reply from Mikrotik that this is the correct configuration. It would be nice to update the Wiki Examples with something like this (native vlan (untagged, vid=0)) , tagged). It would have...

huntah

Have you tried pinging from clients?
On routers you need to specify the local lan interface to test the tunel. Tools - Ping - Interface..

From a quick glance of your setup the IPSECtunel should work..

huntah

Hi I just had a similiar problem with CRS125. I wanted to set a trunk port on ether1-master (VLAN100 (VoIP), VLAN101 (Guests) + native VLAN (LocalNet)). On CRS I have three DHCP servers (each VLAN + native) Port ether24 is indepedenet (no master) and is used for wan (internet Access). All Wiki CRS E...

huntah

I managed to configured it correctly. VLANs have worked as they should but there was no communication with ROS. I was missing switch1-cpu in the VLAN.. /interface ethernet switch vlan add ports=ether1-master-local,ether6-slave-local,ether14-slave-local,ether16-slave-local,switch1-cpu vlan-id=100 /in...

huntah

Hello, I have a problem configuring VLANs on CRS (heck Im not the only one :). Somehow the Procurve webinterface is way simpler..). My goal is to use CRS as Router and switch for local network and VoIP. So here is my goal: port 1-8 - local LAN untagged devices port 9-15 - VoIP VLAN 100 (tagged devic...

huntah

Normis,

please test them all because it is a vital feature for some of us.
It is good to know what speeds can be achieved with different hardware

huntah

IPSEC performance info would be very nice to know.
3DES-MD5, AES-128-MD5 and SHA1

older (and current on MIPS) models are struggling with SHA1...and IPSEC overall ..

huntah

because it is a router :) client in subnet A has a gw pointing to eth1 and router knows where to route the packets in subnet B because it has an address of subnet B on eth2..Also clients in Subnet B must have gw of router IP on eth2.. If you want to prevent trafic between subnets you must use firewa...

huntah

Try Using Torch in bridge to see packets on all routers (bridges)..
Also you could make Ip firewall filter to log all packets traveling through firewall (chai forward )..

huntah

DHCP on VLAN was also working on 6.11.. I am using it right now without problems. I reported that back in 6.11 released topic..

huntah

[Ticket#2014032566001217] BUG 6.12: Replicable kernel crash when try to discover why winbox not working well from 6.8 over IP obtained from pppoe-client Hi, when I try to replicate this problem: "Winbox connection freeze after some kb received over mppe encrypted connection" RouterOS vers...

huntah

If I understood you correctly a while ago 3 differrent users could connect to VPN server (L2TP) just not at the same time. And now it is not working at all.. I would try to reboot the VPN router and see if it helps. If you havent changed anything it should work. Once on ROS 6.11 my L2TP/IPSEC server...

huntah

have you added routes froms ite b,c,d,e to site a like this:

/ip route add distance=1 dst-address=192.168.20.0/24 gateway=192.168.10.1

You need multiple routes (for each site-> Subnet) all pointing to site A (gateway).

huntah

Hi, first change distance in DHCP Client to 1 /ip dhcp-client add default-route-distance=1 disabled=no interface=ether1 Is your RADIUS Server working? Can you Access Userman? Is hotspot login page accesseble (try typing: 192.168.88.1 it should display login page) Try disabling RADIUS and use interna...

huntah

As rextended said before you can only connect ONE client behind same static IP. So if you have multiple users at a hotel which uses NAT (so all your users are behind NAT with same IP) only 1 will work. This is a limitation of L2TP/IPSEC implementation on Mikrotik. You can try OPVN or PPTP if you nee...

huntah

I use ROS 6.11 and I am happy to report is working for me without problems (DHCP on VLAN, L2TP Server and OVPN Client for VoIP). So if I understood you correctly there is no need for use Encryption in ppp profile because the L2TP/IPSEC is already secure from start.. If the Encryption set to yes basi...

huntah

You need to enable UDP Ports 500, UDP Port 1701, and UDP Port 4500 (For NAT Traversal)

/ip firewall filter add chain=input comment="L2TP ports" action=accept protocol=udp dst-port=500,1701,4500

huntah

I have I question about L2TP/IPSEC configuration. If I set ppp Profile Use Encryption to Yes or required I cannot connect with Android Phone but I have no Problem connecting with Win7 client. It says It is using encoding "MPPE128STATELESS" in Active Connections. If I set Use Encryption to ...

huntah

DHCP on VLAN seems to be working at least for me on RB751-2HND

huntah

I think you masquerade trafiic from phones over PPTP..

add a Firewall NAT rule before masquerade like this:

/ip firewall nat
add chain=srcnat comment="Route Local to Remote VPN" dst-address=\
    192.168.12.0/24 src-address=192.168.10.0/24

Hope this helps.. if not post config export..

huntah

One more thing I just remembered Mikrotik have enabled IPSEC XAUTH support.. This is on my try list :) See here: http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_with_Mode_Conf Also no mention of Droid or IOS support.. For Windows you have Shrew VPN Client.. ON PPTP VPN Passthrough I...

huntah

PPTP works with multiple clients behind same NAT.. If you have multiple static IPs on gateway (L2tp Server) you can make clients connect each to specific static IP.. Yes I know its a stupid work around but it works :) Or you can use OpenVPN via TCP.. it also works for multiple Natted clients.. Since...

huntah

As far as I know there can be only one L2TP/IPSEC tunnel behind the same NATed internet connection. For example when two of out employies stay at the same hotel with public Wifi only one can work. This is the limitation of Mikrotik implementation of L2TP/IPSEC VPN. Cisco VPN client to Cisco ASA has ...

huntah

I read somewhere that because of roaming clients you need some kind of STP protocol..

SXT are not in WDS mode but in station bridge mode and they connect to the second router on top of the hill. WLAN in in classic AP-bridge mode..
SXT have their interfaces (WLAN1 in Ether1) in bridge called hotspot.

huntah

Hello, I have set up a Wireless network with multiple APs and in full bridge mode. See the attached picture. My scenario is as follows: 1. ADSL on WAN side of Router 1, which has configured DHCP Server for the whole network and hotspot server. The router has two WLAN cards. wlan1 is used for 5GHz Up...

huntah

Hi, firstly you must understand that each VAP (Virtual AP) is a separate interface. So if you use bridge and assign both VAP to same bridge the you cannot have separate DHCP servers... I would do this in the following way: 1. Create a bridge - Bridge-Local 2. Add ports to Bridge Local (LAN interface...

huntah

You can add routes in PPP->Secret and the desired username..

Search found 291 matches