MikroTik

marklodge

OK, thank you once again for the excellent and 'to-the-point' advice.
I have added the IP addresses to the vlan70 interface (the same interface that the other WAN IP is on) just to mitigate any future issues that you have mentioned

marklodge

Thank you so much for the reply. You are a legend for public IP routing. So now my config looks like this: /ip route add distance=1 dst-address=45.85.224.224/27 type=unreachable /ip route print 1229 A SU 45.85.224.224/27 1 Adding all of the Public IP addresses to the vlan70Fiber interface is fine to...

marklodge

Me too. From South Africa.
Was just going to post this... Thought it was my routing (as I was adding new public IPs) Wrong timing..

marklodge

Does WAN/Public IP addresses have to be assigned to any interface of the core or edge router? Here is my topology example.PNG And here is my config: [User@Gateway-CCR1009] > ip firewall nat export /ip firewall nat add action=src-nat chain=srcnat out-interface=vlan70Fiber src-address=10.11.1.4 to-add...

marklodge

vlan issue

marklodge

Okay, thanks. I found that option. It was disabled. So now in Splynx, both POD + clean and COA & POD is enabled. Should be fine right?

coa.PNG

marklodge

do a speedtest from the mikrotik to a public btest server

marklodge

Any ideas? Also, just FYI - only-one=yes only takes effect when you are not using a RADIUS server. Thank you for this info. Yes, the radius server is doing something called POD+Clean according to the settings in Splynx. Is this sufficient and correct? (screenshot below) So, me seeing both sessions ...

marklodge

If you want an adblocker for YouTube, use uBlock Origin. Works perfect.

Regards.

Excellent, thank you very much for being so helpful!

marklodge

No the issue is with the person who controls the computer, they need a spanking!

seriously, whats bitten you??

marklodge

Router: CCR1016. VER 6.47.1 PPPOE SERVER enabled on a 5 interfaces Config: name="PPPoE-Profile" local-address=10.2.2.1 use-mpls=default use-compression=default use-encryption=default [b]only-one=yes[/b] change-tcp-mss=yes use-upnp=default address-list="" dns-server=10.31.31.105,8.8.4.4 on-up="" on-d...

marklodge

I think you want this forum.......
https://yttalk.com/

I'm using mikrotik, so thought maybe there is an issue on my config

marklodge

Thanks for the replies guys. It was the Adblocker

marklodge

post and

 /export hide-sensitive

here

marklodge

Recently I am getting this when i try to open a youtube video. But after a couple of seconds it does actually play the video. And sometimes it does not.

An error occurred. Please try again later. (Playback ID: 3b_5eLEgWkNm33GA)
Learn More

snio.PNG

marklodge

what happens if you disable all firewall rules?
does it work?

marklodge

For no packet loss, reliability, and failover do not use a flat bridged network. Use dynamic routing

marklodge

are these accept rules above all others?

marklodge

can you ping 8.8.8.8

marklodge

use simple queues with scripts

marklodge

This is a working export of the telegram api

/tool fetch url=\"https://api.telegram.org/bot812342342:AAGPKJHKJgjjfhfSWEWEV1qvxAKOIk/sendMessage\\\?chat_id=-YOUR-CHAT-ID&text=Test

marklodge

An update on this.
Downgrading firmware to 6.44 fixes it and routing no longer breaks.

marklodge

please post a diagram of the current setup and how you would like it changed

marklodge

Chateau C12 LTE, ROS v7.1beta1, LTE modem firmware EG12EAPAR01A06M4G . I have switched off default fasttrack for FORWARD chain in order to use QoS and prioritizing traffic. In default setup, I can connect to my SSH servers. If I switch off fasttrack , I will get an error after timeout: packet_write...

marklodge

if the user can't connect more than once at a time, then you can simply create static "L2TP server binding" which will create your interface permanently. Alternative, possibly better way (no matter how many connections are we talking about) is to add profile, with selected "interface list". That is...

marklodge

I want to Masquerade traffic out to a l2tp client. When the client is connected, it works. But when the client disconnects then the Masquerade NAT rule shows NO INTERFACE. I need the Masquerade rule to be active as soon as the l2tp client connects. How can I solve this? Please refer to screenshots m...

marklodge

Report them to Anav?

Yes I see he picked it up. Good for you guys

marklodge

This may seem strange, but its true. The Mikrotik 60ghz WW link is breaking OSPF routing. Its a 200m link and signal is good. But it has happened 4 or five times now already. The routing breaks to all the routers connected via the 60ghz link. Then when I reboot the 60ghz link all if fine again. The ...

marklodge

Latest ver of winbox
Connect to romon,
tick Open in new window
connect to any router, it will disconnect and show another window, then it will connect once you press it again

marklodge

We've found the cause of the OSPF errors (ms-configured switch) but the PPPoE drop outs still remain

i had the exact same issue
please tell me what was mis configured

marklodge

Run OSPF only on one subet connecting both routers. Check whether RouterIDs are unique.

Correct. I had this issue and solved it this way.
So, two routers connecting to each other had the range 10.2.0.0/22 area=external added.
On one router i changed the area to area14 and the errors disappeared

marklodge

.. So my question is, must the local address be attached to a physical / virtual interface? ... Sorry, don't think I was clear in my question, what I meant to ask was: So my question is, must the local address be " static " configured to a physical / virtual interface? This is my question too.

marklodge

I have already told you the most straightforward way to pursue this issue. Let me know when you have performed it. Thank you very much, you helped me by pointing out the torch function. The issue was a firewall rule that was dropping invalid connections (default mikrotik firewall) Once that was dis...

marklodge

1. Could you please give me some reasons or standard/"good" practices to use when setting the Local IP address of the PPPOE profile. I have 8 routers in an ospf ring. 1 core at the main tower and the others are on towers working as edge routers, with pppoe termination of clients happening on each r...

marklodge

Unless you are going to use RFC1918 space for the local address, it's probably recommended that you don't use a pool. 1. Could you please give me some reasons or standard/"good" practices to use when setting the Local IP address of the PPPOE profile. I have 8 routers in an ospf ring. 1 core at the ...

marklodge

So I have 10 mikrotik routers on different towers, each has around 15 interfaces connected to Ubiquiti radios (sectors) Is it possible to show the Interfaces as Devices on the network map? So, instead of adding each device, I would like to add the 10 mikrotik routers and have an exploded view of eac...

marklodge

Here is a quick mod which visualizes the RB4011. Everyone is welcome to improve it.

4011.zip

marklodge

Your new figure contains nearly no IP address labels, so I can't follow your explanation. If you have determined that return routing of messages from 10.6.0.4 is failing with OSPF enabled, then run a traceroute from 10.6.0.4 to the original origin of the message, examine the results with OSPF disab...

marklodge

You may be looking for the problem on the wrong unit. OSPF should be constructing reciprocal routes on the other unit, and those may be wrong. Torch the interface at 10.6.0.4 to see if your requests from 10.200.0.4 are arriving and departing. Torch the interface at 10.200.0.1 and I suspect you will...

marklodge

Here is a diagram of the network, basically its just two routers with a wireless PtP link between them. MAP1.jpg So, the address of this side of the link is: 10.200.0.4/29 and the remote side is: add address=10.200.0.1/29 The issue is that if I disable the following I can access the remote pppoe cli...

marklodge

must use wine

marklodge

reset maybe?

marklodge

on Port 221?
why

marklodge

On the CRS switches I had this issue. Auto Negotiation does not work well. Set it to 10gb or 1gb manually

marklodge

More info needed

marklodge

A Mikrotik router is the only DHCP server, giving out IPs on the range of 10.33.33.0/24 All working well for many months. Just today I added a new device and noticed that it did get an IP of 10.33.33.115 and no issues. But this DHCP Lease is NOT showing up in the DHCP Leases menu on the Mikrotik. Al...

marklodge

That's how it works with public addresses, you don't need any NAT. Nice, isn't it? :) Of course if you'll also connect some private subnets to your routers, you will need NAT for them. But it's important to use it selectively only for those subnets, and don't let it interfere with other public addr...

marklodge

Default gateway on your CCRs should be 45.45.45.1. And PPPoE client will have whatever is PPPoE server's local address (this part clearly works, if it can access internet). But I'm not sure if I believe you about no NAT rules. Maybe you didn't add no new NAT rules, but what about original masquerad...

marklodge

1) If you didn't need dstnat with masquerade, you don't need it with srcnat either. Those things are not really related, each one serves different purpose. 2) That's the one. 3) Yes, two subnets on same interface and routing between them is possible, router doesn't mind. Although in your case you m...

marklodge

The correct (or let's say most usual and compatible) way is to *not* use some of "my" configs. But in a desperate world where IPv4 addresses are scarse, desperate measures are sometimes required. :) Basic scheme is that you have some connecting subnet between you and ISP and another subnet routed t...

marklodge

Thanks. And special thanks to the kind people who answered my post. I have downloaded the quick guide and here i have copied the relevant info: Power output This device can supply PoE powering to external devices from its Ethernet ports. The output voltage will be selected automatically, depending o...

marklodge

I have searched through this forum and read the threads regarding public IP assignment, alot of which was replied to by 'Sob' Even though this has given me a an idea about how to go bout doing it, I still want to know the "industry standard" (if there is) or the most common ways this is usually acco...

marklodge

Before you ask such questions here, you could simply check device specification section. If you did not find an answer on your question there, please take a look at brochure where you could find more detailed information and device description. https://i.mt.lv/cdn/rb_files/CR328-24P-4SplusRM-180424...

marklodge

Does this mean the wiki is incorrect?
Which part of which document do you have in mind?

Please refer to attached pic

marklodge

Bridge interface , which gets created implicitly for any bridge bridge , is implicitly created as untagged member of VLAN with VID=1 (which makes using VLAN VID=1 in the rest of config so exciting). You can change that if you set pvid on bridge interface to something else ... but you can not make b...

marklodge

I am following this: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table It states that: Note: When frame-type=admit-only-vlan-tagged is used on a port, then the port is not dynamically added as untagged port for the PVID. But i am still getting it added as an untagged port. What am I missing? F...

marklodge

I am following this: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
But even after deploying the strictest measures, like ingress filtering, admit only tagged and even tag stacking, RoMON is still able to connect to it from another romon enabled router. Is this normal?

marklodge

The above config does not seem to work out, instead I have decided to build a netwatch on the two poe switches only to power up/ power down the links accordingly.

marklodge

Goal: To have 2 ptp links from and edge tower to the main tower. But only one of them should be powered on at the same time. If one link fails the other link powers up and data is sent over there. Reason: If both links are running all the time, the same frequency cannot be used, increases co locatio...

marklodge

Does CRS328-24P-4S+RM support 24v passive poe?

https://mikrotik.com/product/crs328_24p_4s_rm

I need to power around 20 x UBNT Rocket Prisms/air fiber and LHGs.

marklodge

I have a dhcp server that assigns IPs from 172.16.1.10-17..16.3.10. Now when it reaches the end of 172.16.0. range, the next IP it assigns is 172.16.1.0 How can I set the DHCP server to not assign the .0 IP of each range

Attached screenshot

marklodge

I can't tell how much will 4k devices need, it depends on what they do and it can vary greatly. The same goes for concurrency limits. It's not like normal device sends dns queries all the time, so average rate should not be high. You should have some space for spikes, again the same thing. I'm big ...

marklodge

Your 10GB plan probably won't work, I think it uses only RAM. But it's unlikely that you'd ever need that much anyway, records time out, they don't last forever. But it of course depends on how big network you have. Other than that, all resolvers are same in principle. If you need only bare basics,...

marklodge

Purely from a DNS caching only perspective. Is a standalone BIND or Unbound DNS Caching server much different to Mikrotiks DNS cache feature? I have 7 towers, each has a mikrotik router acting as a PPPOE server, so I am thinking that I should just increase the cache size to like 10GB (using SD card ...

marklodge

I'm using it for a core router with 1gbps traffic, serving 800 clients, meaning many thousands of packets per second. My current CCR 1016 is showing around 36k p/s on the main WAN interface. And one of the CPU cores are 95% usage all the time, while the others are around 0 to 20% used. When you say ...

marklodge

I am reading the specs here:
https://mikrotik.com/product/CCR1036-12G-4S-EM
It says 36 cores x 1.2GHz CPU. Is this 36 cores? or 36 threads?

Please confirm

And what would be the x86 comparision to this?
Would a 4 core Dell poweredge server perform better than this CCR for routing/firewall etc?

marklodge

Why not just cut and paste and use the code block in the FONT line a the top of the EDIT block.
My firewall/AV setup
blocks pastebin LOL.

Because it was rather large, but I've did as you said.

marklodge

Removed

marklodge

i dont play whackamole with attempting to solve config issues. Just remove any sensitive bits (dont need to see any vpn stuff, dhcp leases, any firewall address lists, etc............. as a minimum interface ethernet ip addresses vlan config bridge config bridge port config birdge vlan config dhcp-...

marklodge

post your config
/export hide-sensitive file=yourconfig

Well, the original post is a very simplified version of my config. My actual config is more complex. Could I PM you my output?

marklodge

I have 4 devices, each of them has management vlan enabled as VLAN 10. 2 devices are connected to ether2 and the other 2 devices are connected to ether3 So, I create a VLAN with ID 10 on ether2 and another VLAN 10 on ether3. Then I create a Bridge called Management Bridge and give it an IP of 172.16...

marklodge

From my understanding you should just have to use a NAT rule to forward all traffic for the WAN to the IP of the pppoe client then a NAT rule to translate all traffic from pppoe client to the specific WAN IP. /ip firewall nat add chain=dstnat dst-address=45.45.45.2 action=dst-nat to-addresses=10.2....

marklodge

Advertise other subnets as external.

Please let me know how to do this

marklodge

How do I route a WAN IP to a PPPOE Client connected to an Edge router?
Here is a diagram that explains it all

wan-topppoe-edge.png

marklodge

RouterIDs are unique
If I run the subnet on one router only it does not propagate the clients on the router that the subnet is not running on.

marklodge

I want to be able to reach my clients CPE.

This is my setup: and I'm getting the error mentioned
The small circles represent pppoe-clients IP

11.png

marklodge

Thank you for the reply.
Would I need to change my network topology for ipv6 to work?
Will it work over the current pppoe setup?

Could you link me to some good resources to understand this better?

marklodge

I have a WISP setup. Simple PTMP and CPEs in router mode connecting via PPPOE How do I enable IPv6 for clients? I have the Mikrotik IPv6 package installed and enabled My WAN interface shows an IPv6 address SLAAC is enabled on CPE But my computer connected to the CPE does not receive an IPv6 address,...

marklodge

How can I add all of urlhaus's list of malware urls to a block list?
https://urlhaus.abuse.ch/api/#retrieve

marklodge

Should the MTU be set on the VPLS tunnels or on the ether interfaces, or both?

marklodge

404 on the chr 43.7 files

https://mikrotik.com/routeros/6.43.7/chr-6.43.7.vhdx

marklodge

/ip firewall nat add chain=srcnat out-interface-list=WAN src-address-list=group1 action=srcnat to-address=45.45.45.2 add chain=srcnat out-interface-list=WAN src-address-list=group2 action=srcnat to-address=45.45.45.3 And then disable/remove default masquerade rule. Thank you for this, I will try im...

marklodge

I have 500 pppoe clients and I have 5 WAN IPs from my provider
How do I set a different WAN IP for each 100 users?

Example:
4mb User group will use: 45.45.45.2
2mb User group will use: 45.45.45.3
etc

marklodge

Are all your 500 clients sharing the same address? Then this issue really cannot be avoided, because there will always be bad guys in there. However, you should still make sure your router and any client routers that you manage are properly configured and not part of the botnet. Yes, all are sharin...

marklodge

Environment: MikroTik CCR1016 as Core router Static IP 500 PPPoE connected clients Recently we've been getting the Unusual Traffic warning when doing a Google Search.Copied below: About this page Our systems have detected unusual traffic from your computer network. This page checks to see if it's r...

marklodge

As I recall, the NanoStation will happily pass VLAN traffic and is VLAN aware for the management interface, but I'm not aware of the ability to specify which VLAN to use for locally connected stations. Note that I am using them for a point to point link with a managed switch (CSS326-24G-2S) on each...

marklodge

Also models with QCA8337, Atheros8327, Atheros8316 switch chips seem to be able to use the same method as for CRS3xx, but their rule tables are smaller.

This is inaccurate, I tested the CRS3xx method on the Atheros8327 chip, but New VLAN ID is not supported

marklodge

While reading the datasheet here, these specs confused me:

• Up to 1.5 mpps throughput in regular mode
• Up to 17.8 mpps throughput in fastpath mode (wire speed)
• Up to 12 Gbps throughput with RouterOS queue/firewall configuration

What does Up to 1.5 mpps throughput in regular mode mean?

marklodge

You will then get usage data per customer that let you create simple bandwidth usage graphs, Thank you, I understand all that you have said, I will now setup a freeradius server and check it out. So, instead of sending the ppp secrets I will just be sending the same details to the Radius MySQL data...

marklodge

Using a specialized tool that analyzes SNMP and/or Netflow to generate a graph would be most efficient for the router indeed. If you're OK with sacrificing some of that efficiency for the purposes of customizable implementation, the other way would be to detect a new PPPoE interface appearing (see ...

marklodge

If you have shell access to your web server, you can run a PHP from the command line. You can also add it as a startup script if you want it to also restart with a server restart. Or use cron if you want to run it at regular intervals rather than continuously. If you run it continuously, you can us...

marklodge

I have a MySQL db of all ppp secrets, these get sent to the mikrotik via the PEAR2 API. I need to see how many of the ppp clients are active and then mark them as active on the local mysql db. Is there a reason you aren't just using RADIUS (ex. FreeRADIUS), which does all this for you (and more)? 1...

marklodge

I read here https://wiki.mikrotik.com/wiki/Manual:Queue that Priority Does not work on parent queue But I wish to confirm, as I have seen that dynamically created parent queues by some ISP Framework software has priorities set If I have the following parents and children: 2mbps-Home-Priority=5/5 -fr...

marklodge

I would like to know the same:
is there a way to tag packets from a specific MAC address(es) with a VLAN id?

marklodge

Yes, you can. All you need do is select the vlan interface while creating the hotspot for that vlan. You can check out my post on hotspot here. https://www.timigate.com/2017/11/how-to-solve-all-your-mikrotik-hotspot.html I have checked your post. I do understand that I can run a hotspot server on a...

marklodge

I wish to see how much bandwidth was used per PPP connection, how would I do this via API, I understand that the options are probably Graphing, SNMP or Netflow.
I just need the simplest way for now. I need to get the usage and create monthly, weekly graphs.

marklodge

This can be accomplished using MAC Based VLANs, correct?

marklodge

I have read this: https://forum.mikrotik.com/viewtopic.php?t=78145 But it is not working for me My application: I have a MySQL db of all ppp secrets, these get sent to the mikrotik via the PEAR2 API. I need to see how many of the ppp clients are active and then mark them as active on the local mysql...

marklodge

Thank you, so much!

marklodge

Using PEAR2_Net_RouterOS-1.0.0b6 The following works fine the in the Mikrotik Terminal. But I cant get it to work via the API. How would I do the following: :foreach user in=[/ip firewall address-list find find address=10.2.2.2] do={ /ip firewall address-list disable $user } Or ip firewall address-l...

marklodge

For some reason your shared host doesn't have the Phar extension, which is required to open PHAR files. It may be using PHP 5.2 or earlier, where Phar was not enabled by default, or it may be disabled by the host for some reason. If the problem is 5.2, there's no workaround - find a different host ...

marklodge

Hi
I have everything working fine on my local xampp install. I uploaded it to my shared hosting package and I get the following error:

 PHP Fatal error:  Class 'Phar' not found in /home/sharedhost/mysite/PEAR2_Net_RouterOS-1.0.0b6.phar on line 18

marklodge

I think that I posted in the wrong section, should I copy it here or just link it:

This is the post:
viewtopic.php?f=7&t=137675

marklodge

Attached diagram shows what I wish to accomplish. The idea is just to separate the traffic per AP, so that I can see count of users connected and traffic stats per AP. How can I accomplish this? The APs are Nanostation M2s, they support VLAN per interface [WLAN0.LAN0, or BRIDGE0]. hotspotPerVLAN.png

marklodge

Following this: https://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks_using_MPLS I need to know, in a setup where I am using the tunnel as a psuedo wire from the main tower to a sub tower, does the VPLS interface need to be added to a bridge? The tunnel works fine without being added to a...

marklodge

Are you able to not use the Cisco? Does it provide any other purpose? Personally, I'd still not be using it.. Just connecting the fiber directly to the Mikrotik. No, the Cisco is leased to us by the fiber provider, actually we dont have access to it, only physical access of course, so that we can p...

marklodge

Sorry guys if I was not clear. 1. No this is not a homework question, this is for a real world deployment. 2. The cisco is leased to us by the fiber supplier, it is the Fiber Termination point. The Mikrotik is our own router, which we use to supply internet to the users. 3. The fiber supplier gives ...

marklodge

Attached diagram is my setup

Should I connect the server to the mikrotik or the cisco ?

acmetube.png

marklodge

Thats exactly it, you said:

If you add mine before them, it will allow queries for specific hostname

But it does not do this. [I adjusted it to myisp.com of course]

marklodge

I had thought that the solution received from Mikrotik was workable, but it is not, as it drops connections from the router itself too. So now, the router cannot resolve DNS or ping or anything.

marklodge

Then allow dns requests for hotspot.com (put the filter rule before the blocking ones): /ip firewall layer7-protocol add name="dns hotspot.com" regexp="\\x07hotspot\\x03com.\\x01" /ip firewall filter add action=accept chain=input dst-port=53 layer7-protocol="dns hotspot.com" protocol=udp Not ideal,...

marklodge

Why not drop DNS to everything except where you need it ?

Thank you to the previous poster for the workaround, since he said it is not ideal. I am eager to know what your solution was. Please post it for our benefit

marklodge

You said you received a workable solution, was it something else, if you are asking it again? The solution i received was to drop all DNS traffic, which is workable. But your solution would be better, if I can allow DNS only where I need it that would be great. I need DNS only to resolve the hotspo...

marklodge

Sorry, but in my opinion the first response contains everything you need to know, to resolve your issue (if your suspicions are correct, of course). Why not drop DNS to everything except where you need it ? What is unclear in those emails ? Why not drop DNS to everything except where you need it ? ...

marklodge

And your opinion, sir, is certainly better than mine. Just an update, fair is fair and all that, 2 minutes after this post I received a reply from mikrotik, with a workable solution. And about 2 hours after this post I received another reply to my second ticket. Amazing

marklodge

Is it just me that finds Mikrotik email support very unhelpful? For example, look at this email exchange: First, I state the issue and ask for soultions: >>>> I have an issue here with users stealing internet via apps like Freedom >>>> and HTTP injectors. >>>> AFAIK they can do this because mikrotik...

marklodge

but how would they log in? [/i] from my op: They should be only allowed access to the hotspot portal, ie: 192.168.88.2 on port 80 only You realize that most devices are going to detect they are on a hotspot/proxied network and send them to the login page? exactly, they will be directed to http://19...

marklodge

Ah, but you have not understood my post.
I asked:
How do I drop all traffic coming from unauthorized hotspot users?

Meaning, once they are authorized they can access any site, any port.

marklodge

I have a simple hotspot running, i dont need dns to resolve to the hotspot portal. My hotspot portal address is 192.168.88.2 How do I drop all traffic coming from unauthorized hotspot users? I want to drop all DNS, ICMP, any and all protocols and ports for unauthorized users. The only thing that the...

marklodge

My question:
I have a Hotspot running. If I drop all DNS requests clients will not be able to resolve the hotspot portal address!

marklodge

This is a reply from mikrotik support
Hello,

You can add firewall filter rules that drop DNS requests to your router. You can learn how to configure firewall rules from this wiki page:

https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter

Best regards,
Martins S.
--

marklodge

I have an issue here with users stealing internet via apps like Freedom and HTTP injectors.
AFAIK they can do this because mikrotik hotspot allows DNS requests for unauthorized users

Any solutions?

marklodge

Im getting this error. the protected array. Also the parent is created but why does this happen Fatal error: Uncaught PEAR2\Net\RouterOS\RouterErrorException: Router returned error when adding items in phar://C:/mikrotikweb/PEAR2_Net_RouterOS-1.0.0b6.phar/PEAR2_Net_RouterOS-1.0.0b6/src/PEAR2/Net/Rou...

marklodge

I have the following working perfectly in Delphi. But i don't know how to run the same in PHP. How do I do the following using PHP API: Eg: 1 /ppp/secret/remove =numbers=testuser Eg: 2 /ppp/secret/add =name=testuser =password=testpass =remote-address=10.1.1.1 Eg: 3 /ppp/secret/print =count-only Eg: ...

marklodge

I have a ring of 7 routers, running MPLS and VPLS with OSPF routing.
I am picking up high latency issues between two points, so I suspect looping somewhere along the line.
I am thinking about cancelling OSPF routing and just creating static routes, what are your thoughts?

marklodge

We are developing a Queue Tree contention application, this app connects to the mikrotik routers and does the rate limiting per contention basis. But we cant seem to add more than 128 childrent toa single parent. How do I add more than 128 child IP addresses in a parent queue? I'm using this for con...

marklodge

I was watching this tutorial regarding voip and IP telephony on Cisco: https://www.youtube.com/watch?v=QRmHqTLe260 The video demonstrates how an IP phone can be auto configured from the router and then able to call another phone over the lan. How would I do the same with Mikrotik? Or, what is the Mi...

marklodge

And buying 5x Mikrotik links, then you are Abel tu buy one link who can deliver 500MBit directly

What type of link will deliver 500mbps? Are you positive that it will be the same price as buying 5 x ptp radios?

marklodge

I have two mikrotiks in two different locations. I wish to create an aggregated link of 500mbps speed between the two using 5 x 100mbps speed radios. How could I achieve this? Secondly, what are your thoughts on filtering traffic per link, for example, all torrent downloads use Link1, all http use l...

marklodge

I have a mikrotik as a hotspot with modem connected to ether1. My modem IP is 10.0.0.1. Everyone on the hotspot can access the modem admin panel. I can block it via a filter rule, but I wish to instead make a dummy page which logs all access to it and sends me a notification whenever it is accessed....

marklodge

are you running a hotspot?

marklodge

Picture says [asks] it all

marklodge

Run normal chr instead the simulator. What is normal chr? Cloud Hosted Router . A version of RouterOS for use in Virtual Machines, like VirtualBox, VMWare and the like. You get the real software running on a virtual hardware, and you can have as many of them running at once as the real hardware wil...

marklodge

Run normal chr instead the simulator. What is normal chr? Why to simulate anything that you can have in real? I require advanced logging, for example, if an intruder touches the mikrotik simulation it needs to log everything possible, date, time, username/s,password/s, source etc. As far as I under...

marklodge

I want to code a RouterOS / Routerboard Simulator. My initial test was to create a listener on TCP port 8291, but when I try to connect to my listener IP from winbox I dont get any response. What am I doing wrong? I also need to set up the simulator to show up in MikroTik Neighbor Discovery, any hel...

marklodge

I have a hotspot running on a Mikrotik RB. I needed to route all traffic through a VPN connection. I just added a new PPTP Client and checked Add Default route , and everything worked well. For my own study and learning/curiosity I wish to understand why the VPN tutorials for Mikrotik always suggest...

marklodge

The files that you wish to access has to reside within the Hotspot directory chosen

marklodge

I need to hand out different IPs to specific users. Reason: To allow certain users full access to all websites and to restrict access to only one website for other users I have created another IP pool and applied it to a test account but once the user logs in he has no access to the internet or even...

marklodge

Hi there, the forward chain, sorry for that. thank you, i appreciate your kind assistance I have done as you said but yet am unable to access the AP Here is my config ping 192.168.111.10 SEQ HOST SIZE TTL TIME STATUS 0 192.168.111.10 timeout 1 192.168.111.10 timeout 2 192.168.111.10 timeout 3 192.1...

marklodge

[quote="MLubbe"]Hi there, /ip firewall nat add action=accept src-address=192.168.111.0/24 dst-address=192.168.111.0/24 [/quote] What chain should the above be in? [code] /ip firewall nat> add action=accept src-address=192.168.111.0/24 dst-address=192.168.111.0/24 chain: failure: no chain specified A...

marklodge

Hi there, 1) Ensure that there is an 192.168.111.0/24 & a 192.168.88.0/24 address on your bridge interface. 2) Accept LAN to LAN & AP to AP traffic to prevent them from Masquerading behind the routers IP 3) Masquerade traffic out of your bridge interface. Thank you very much. Could you please enlig...

marklodge

I have an AP connected to ether 2 of my mikrotik Mikrotik is running a hotspot on a bridge interface which includes all lan and wlan ports. I connect with my laptop to ether 3 of the mikrotik. My IP is 192.168.88.10, the AP ip address is 192.168.111.20. What rules do I need to add to facilitate acce...

marklodge

The default Firewall rules drops traffic not coming from LAN, disable this rule and it will work

marklodge

Repost I have inserted an external USB flash drive into my rb2011, I have formatted it as ext3. It shows up under Files as disk1. All good. Now how do I access files in disk1 folder from my browser? I am running a Hotspot, if I create a folder with files under my Hotspot directory I can access those...

marklodge

Bump... 7 years later

marklodge

I I have inserted an external USB flash drive into my rb2011, I have formatted it as ext3. It shows up under Files as disk1. All good. Now how do I access files in disk1 folder from my browser? I am running a Hotspot, if I create a folder with files under my Hotspot directory I can access those file...

marklodge

How do I generate an usermanager HTML usage report daily, via script and schedule?

marklodge

Thanks, I have heard about the skins feature. But I specifically want it for winbox.
Could this be a feature request. Or is there another way to do this

marklodge

My staff needs to login to our mikrotik router via winbox to administer the Hotspot that runs for our place. But I don't want them to be able to do anything else, like editing the firewall rules etc. How do I hide the Firewall menu and other menus from winbox? If I need to do any changes I will do i...

marklodge

Router details:
Mikrotik RB750 latest Current firmware.
Supout attached

Issue
I am running a very basic hotspot, simply did the hotspot setup and added users and limits.
But users data upload and download values are not working correctly, user may download 20mb, but it shows only a few kb.

marklodge

*Confused*
LTE is 2.6ghz and can connect users at 40km.
Wifi is 2.4ghz and can only connect users at max 1.3km (usually no more than 300 meters)
AFAIK.... lower frequency = more penetration, further range..right........or am i missing something?

marklodge

Hi
you can backup from old UM and Restore it to new UM
from maintenance menu in UM

Thank you for the reply, but please do not raise my hopes of a solution without reading my post till the end.
I quote:

And i cant export from the Maintenance Tab in User Manager due to no space.

marklodge

I want to transfer all user manager users to another mikrotik board I cant seem to get all the users across WITH their profile info When i do the following: /tool user-manager user export I get the following output: add customer=admin disabled=no ip-address=192.168.10.1 name=cname \ password=pw shar...

marklodge

BitTorrent uses multiple TCP sessions. If the upload becomes saturated due to the BitTorrent client attempting uploads then sessions being used for download may also show reduction in throughput due to their ACKs being delayed/lost.

I see, thanks for the info. So is there a solution?

marklodge

I have set a simple queue for a client. He uses mostly torrents, so its always uploading and downloading and he is complaining about unstable/lower than his line speed. The Upload limit of his queue is set to 512k and download to 4MB I have noticed that when the upload speed hits the limit it brings...

marklodge

Routing a proxy server connection to match the clients routing mark I have a network that serves internet to 60 clients, all go through a mikrotik rb which routes traffic according to MARK_ROUTING rule in mangle. So, Group1 goes thru WAN1, and Group2 goes thru WAN2 etc. Now i want to setup a squid p...

marklodge

Im a little disturbed as i do not understand the following: I followed this http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router and after i added the following rule: add chain=input action=log log-prefix="Filter:" comment="" disabled=no add chain=input action=drop comment="drop everything els...

marklodge

Post your firewall and interface config (export)

marklodge

Hi
are you use UDP Protocol for sip registration or TCP?

im not really sure buddy, how would i check that? here is a screenshot of my settings on the sip device

marklodge

Im using the gigaset handsets and connecting via SIP function. This is my config, very basic: ip firewall address-list print detail 4 list=Allowed Internet address=192.168.5.0/24 ip firewall nat print detail Flags: X - disabled, I - invalid, D - dynamic 1 chain=srcnat action=masquerade src-address-l...

marklodge

looking at the pictures it seems you have adsl routers with pppoe clients that forward all traffic to the rb750 and between rb750 and routers you have a switch. If this is right you only need 2 port on rb: 1 for clients and 1 to the switch. I'll setup the routers on the same subnet (ex. 172.16.0.0/...

marklodge

Buy a RB1100 or RB1200 so you have much interface. I also think that rb750 couldn't run as reliable main router, pppoe concentrator and dsl load balancer ok, i buy rb1100, then what do i do when i need to add a 11th and 12th DSL line? and what if i need to add 20 more dsl lines? how would i join th...

marklodge

currently i'm doing a pppoe-out to each of the WAN links (my DSL routers) and i'm using the pppoe-out as the gateway. do you have any example config that i would use for NAT-DMZ between the routers and mikrotik? would the routers have to be i Router mode (ISP username nad pw programmed into the rout...

marklodge

We currently have 4 dsl lines, each line serves 8 clients. we are marking clients per ip, so the mangle rule for client group 1 looks like this : ;;; client group 1 chain=prerouting action=mark-routing new-routing-mark=client-group-1 passthrough=no src-address=192.168.1.0/24 Then we route it out ove...

marklodge

Before i report this as a bug i would like to confirm if it really is one. My RB: 600A i just upgraded from 4.16 to latest version 5.14 Bug in Version 5.14 for RB600 series: 1. Clients cannot login via usermanager to view thier usage etc (by going to http://routerip/user ) 2. The front page logo doe...

marklodge

reply?

marklodge

how do i sort the users by the amount of bandwidth they have used, in usermanager 5?
i nusermanager 4 i could just click the download arrow to sort the users, (see attached screenshot. but in usreman 5 i cant do it. is there another way of accomplishing this in userman 5?

marklodge

OK, well i tried what i wanted but did not get the results expected. Problem is that some youtube videos dont work (error occured) and some dont load, and it takes longer than usual to load. heres my config if anyone wants it /ip firewall address-list add address=208.117.224.0/24 disabled=no list=Yo...

marklodge

;;; Youtube chain=prerouting action=add-dst-to-address-list protocol=tcp address-list=Youtube address-list-timeout=10m in-interface=!(YOUR PUBLIC IFACE) dst-port=80 content=youtube.com Thanks for that. Does this work and and add all the ips that serve youtube videos to the address-list? Because i s...

marklodge

i have 3 wan links to the internet with around 25 clients. i want to route all web video like youtube dailymotion etc to one specific WAN link OR a cahching server. I tried to mark web video like .flv and .mp4 extension using layer7 but that did not work. so i think it is best if i mark all traffic ...

marklodge

Don't NAT until you get to the the 750 or use one of the load balancing examples in the wiki. I don't use Rockets, but this is easy enough to do on a routed all MT network. (policy routing) if i dont Masquerade NAT from my RB in rural area i cant reach the RB in business area I tried the NTH and a ...

marklodge

heres my network layout,
problem: i cant get the rb750g to load-balance as it cannot see the source ip addresses of clients (192.168.5.x or 192.168.6.x)
How do i loadbalance in this situation?

my mikrotik layout.png

marklodge

Nope. Same principle. The connection the proxy makes has NOTHING to do with the original connection from the user that prompted the proxy to fetch content. You can't make a routing decision based on properties that connection simply doesn't have. The source IP is the router itself. i see, thanks a ...

marklodge

It won't be possible. Proxies take connections, terminate them on themselves, and then fetch the content for the client. Once they have fetched it they returned it. Therefore a proxy splits what would normally be a client/server connection and makes it two connections. Your WAN routers will only ev...

marklodge

this is my network layout. (attached picture) Will it be possible to route client group 1 to ADSL 1 and client group 2 to ADSL 2? i need to have all connections go thru a proxy plus have the ability to route specific clients to a specific gateway. does anyone here know whether that will be at all po...

marklodge

i am using ADSL routers in router mode as my gateways. the adsl routers create the pppoe connection to my isp. is this what you mean? Not really, this normally happens with multiple tunnels within. It's always possible that your ISP may be doing something further up the line. In any event the probl...

marklodge

Yes. Use the IP firewall mangle section to mark connections, and to mark routing based on connection marks. Then have routes out via specific interfaces for those routing marks. Your post is kind of shy on details, so this is a made up example. Traffic to/from 192.168.1.10/32 will be routed out a c...

marklodge

i have 2 adsl lines in a business area where there is adsl infrastructure. i want to serve this to a rural area. so i want to use route my clients thru the mikrotik router in the business area. i need to know: 1. is it possible to mark the connections coming from clients (on the router in rural area...

marklodge

My System: RB433 v5.8 i am trying to follow this Load Balancing example: http://wiki.mikrotik.com/wiki/Manual:PCC But it just doesnt work. After i do the config i try to access the internet, i cannot, unless i specify a default route (without routing marks) Heres my config [admin@MikroTik] /ip addre...

marklodge

I need calrity on the following please. 1. Under pppoe-servers. Should the MAX MTU be 1500 for all sites to work? - The reason for this is that i have set my MAX MTU to 1480 and set the following mangle rule: / ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss...

marklodge

You are probably accessing the internet through a tunneled connection (e.g. PPtP tunneled over PPPoE to deliver public IP's) and that creates problems with MTU/MSS when using another PPPoE connection inside your network i am using ADSL routers in router mode as my gateways. the adsl routers create ...

marklodge

Set your MTU and MSS appropriately for a PPPoE connection. See the FAQ on the wiki for how to. Wow, that worked! but i dont understand how it worked tho. because i just set the MTU and MRU on the pppoe service to: 1500 instead of 1480 isnt it supposed to be less, not more? i am using ubiquiti airma...

marklodge

i have had a problem now for 3 weeks, cant access yahoo mail nor paypal and some other ssl sites. (some ssl https sites do work tho, like hostgator cpanel and gmail ) i have completely RESET my mikrotik rb433 and upgraded it to the latest v5.8 and all i configured was a super basic pppoe server usin...

marklodge

It looks like port 80 gets natted and goes through a web proxy, but you forgot about 443 and it doesn't get natted. i forgot to mention that not ALL https does not work. there are 3 that i know dose not work, 1. gumtree.co.za (cannot sign in to : https://secure.gumtree.co.za/capetown-westerncape/s-...

marklodge

I cannot access any secure https sites such as: Yahoo Mail It opens up and the following address shows in the address bar and it just hangs. https://login.yahoo.com/config/login_verify2?.intl=us&.src=ym Here are the details that fewi requests. [admin@UBNTMik] > /ip address print detail Flags: X - di...

marklodge

I am load balancing between two adsl lines. I have set equal cost gateways /ip route add dst-address=0.0.0.0/0 gateway=10.0.0.12,10.0.0.13 \ routing-mark=ecmp-http-route then i do as per the instructions on the mikrotik wiki ( http://wiki.mikrotik.com/wiki/ECMP_load_balancing_with_masquerade ) OK th...

marklodge

i have three mikrotiks serving three client groups. each mikrotik runs a usermanager and pppoe service on the eth2 port i want to join them all up and load balance between them all. i am looking at this load balancing: http://wiki.mikrotik.com/wiki/NTH_load_balancing_with_masquerade_%28another_appro...

marklodge

ok thanks for the info. i'll be trying to use two proxies now. one for browsing and the othe for downloads. hope it works!

marklodge

How would i mark routing for EXE files that are 10MB or more? Possible? So the final result will mark routing only for files that are .exe AND the exe file size is 10MB or more. My intention is to actually block the above 10Mb exe files. But mark routing is better as i can redirect to my webserver f...

marklodge

ok thanks for the answers, the reason i did what i did was firstly i just followed the tutorial step by step and it called for the following: /ip firewall mangle add chain=prerouting in-interface=LAN \ dst-address=10.0.0.0/24 action=mark-packet \ new-packet-mark=exempt-up add chain=postrouting out-i...

marklodge

Thanks for the help fewi! I did as you said, matched the queue and mangle names, but although i could see traffic flowing over the mangle rules to the queues it did not override the limit. But then i blanked out the in and out interface from the Queue Tree exempt rule and then it worked! Now i need ...

marklodge

You could go to a PCQ queue tree configuration, but that's not really necessary. If you tried overriding simple queues with queue trees as described in the link I posted and it didn't work then something wasn't implemented right. Post the configuration you tried, together with all the info requeste...

marklodge

Those rate limits are implemented via simple queues so this link applies: http://wiki.mikrotik.com/wiki/PCQ_and_Hotspots,_and_exempting_upstream_resources_from_rate_limit Currently i have dynamic queues set from the Mikrotik Usermanager. Should i clear all the Rate Limits set in the mikrotik userma...

marklodge

This is exactly what i'm trying to achive too.
Did you find a way to limit internet traffic only?

marklodge

wont the first pppoe client who connects use gateway 1 and the second pppoe client who connects use gateway 2?

marklodge

i once spoke to a MT techie who told me if i have two adsl lines connected i could setup a very simple load balancing by adding the second adsl routers address into IP>Routes list with a distance of 2 (i'm not sure exactly if he said distance of 2 or not)
anyhow. i want to know if this is workable?

marklodge

any suggestions?

marklodge

Network diagram will help to understand what is happening. BTW unless DSLs are copper or some other "weird" interface (read not ethernet or WiFi), all can be done by one Mikrotik. Heres my newtork diagram. The reason i have to have both adsl routers connected to each other is because i need to rout...

marklodge

so basically. the Rocket M5's must be connected to ether2 of the mikrotik and the ether1 must be connected to the Internet (dsl router) . Is that correct?

so it wont work if for eg, ether1 is connected to the same switch that the rorckets and the dsl router is connected to?

marklodge

I have two adsl routers connected to two mikrotiks. so basically both adsl routers are connected to each other. both routers are currently in Router mode. meaning the adsl routers dial the pppoe connection to my providers. Now for some weird reason, the adsl connection (to my provider) of one router...

Search found 251 matches