Community discussions

Search found 1583 matches

by sebastia
Thu Jul 18, 2019 2:24 pm
Forum: Virtualization
Topic: Proxmox & CHR for shared home network
Replies: 2
Views: 165

Re: Proxmox & CHR for shared home network

I remember some topics on that recently: check some of these https://forum.mikrotik.com/search.php?keywords=chr+virtual&terms=all&author=&sc=1&sf=all&sr=topics&sk=t&sd=d&st=0&ch=300&t=0&submit=Search On core question, with that relatively limited load, a 4011 or low CCR would be enough. That probabl...
by sebastia
Wed Jul 17, 2019 12:25 pm
Forum: Beginner Basics
Topic: Rate Limiting new connections
Replies: 4
Views: 402

Re: Rate Limiting new connections

Default soho config doesn't allow any traffic initiated from outside. So if not hosting anything it's not needed. If internal resources are accessible, then it might be sensible to do such limiting, if the resource is sensitive. So no silver bullet, and "it depends" Update: I assume a "trust" in int...
by sebastia
Tue Jul 16, 2019 11:44 pm
Forum: General
Topic: rb750gr3 Gigabit auto negotiation
Replies: 13
Views: 762

Re: rb750gr3 Gigabit auto negotiation

Just for reference, gigabit ethernet will auto-detect / auto-cross cable pairs if needed. Hence with gbe cross-over cables are no longer necessary. gbe DOES need / use all 4 pairs though. /interface ethernet> monitor e4_tv once name: e4_tv status: link-ok auto-negotiation: done rate: 100Mbps ... adv...
by sebastia
Tue Jul 16, 2019 8:45 pm
Forum: Beginner Basics
Topic: Rate Limiting new connections
Replies: 4
Views: 402

Re: Rate Limiting new connections

that's a wide subject... the mechanics * limit (https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter) will match as long as conditions as specified are met. And so needs to be followed by rule for "when not". * it's only one of conditions and needs other to be useful, ex: connection-state=new / ...
by sebastia
Tue Jul 16, 2019 8:22 pm
Forum: Beginner Basics
Topic: VLAN Bridge Filtering ALternative
Replies: 9
Views: 624

Re: VLAN Bridge Filtering ALternative

It's been discussed recently: viewtopic.php?f=2&t=150172
by sebastia
Sun Jul 14, 2019 11:32 pm
Forum: General
Topic: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]
Replies: 5
Views: 498

Re: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]

asymmetric routing & rp-filter don't go hand-in-hand, that's true.
by sebastia
Sun Jul 14, 2019 1:22 pm
Forum: General
Topic: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]
Replies: 5
Views: 498

Re: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]

Instead of doing the filtering manually, you could also do it through
/ip settings set rp-filter=strict

See: https://wiki.mikrotik.com/wiki/Manual:I ... Properties
by sebastia
Sat Jul 13, 2019 2:22 pm
Forum: General
Topic: Feature request: connection nat mismatch detection
Replies: 3
Views: 335

Re: Feature request: connection nat mismatch detection

Thank you for your feedback. Tried the suggestion: Additional config: /interface bridge add name=bridgeE5 protocol-mode=none /interface bridge filter add action=passthrough chain=output log=yes log-prefix="Bridge rule: " mac-protocol=ip src-address=!192.168.45.2/32 /interface bridge port add bridge=...
by sebastia
Thu Jul 11, 2019 4:43 pm
Forum: General
Topic: DNS Broadcast
Replies: 1
Views: 173

Re: DNS Broadcast

firewall "wan" interfaces: only allow traffic you need, drop rest.

Default firewall config is sufficient, have a look
by sebastia
Thu Jul 11, 2019 3:11 pm
Forum: General
Topic: untagged vlan [SOLVED]
Replies: 9
Views: 519

Re: untagged vlan [SOLVED]

this is what I've suggested in post above

Edit to clarify: "To keep things simple I would just advise to setup independent ports, then when the need arrives you can re-evaluate your setup."
by sebastia
Thu Jul 11, 2019 2:14 pm
Forum: Beginner Basics
Topic: load balancing with fail over, added backup line 4G
Replies: 3
Views: 329

Re: load balancing with fail over, added backup line 4G

Regarding config (didn't review it all, just relevant part for this topic) # you probably don't want "passthrough" here add action=mark-connection chain=prerouting comment="REGLAS BALANCEO " \ connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP1_conn \ passthrough=yes add action=mark-r...
by sebastia
Thu Jul 11, 2019 1:53 pm
Forum: General
Topic: Problem running Traffic Flow
Replies: 7
Views: 402

Re: Problem running Traffic Flow

Hey

The ether2 is "slave", as it's part of bridge1.
/interface bridge port
add bridge=bridge1 interface=ether2-LAN-OFFICE
/ip traffic-flow
set active-flow-timeout=1m cache-entries=16k enabled=yes interfaces=ether2-LAN-OFFICE
Try monitoring bridge1 instead then.
by sebastia
Thu Jul 11, 2019 1:01 pm
Forum: Wireless Networking
Topic: Throughput Presentation, Questions, & Discussion
Replies: 2
Views: 260

Re: Throughput Presentation, Questions, & Discussion

Hey

1. Window size is not a constant for a connection: it's adapted throughout the connection.
2. udp and tcp throughputs are not comparable.
by sebastia
Thu Jul 11, 2019 12:33 pm
Forum: General
Topic: Feature request: connection nat mismatch detection
Replies: 3
Views: 335

Feature request: connection nat mismatch detection

Hi When operating a router with wan fail-over, when NAT is applied to both links, (ex two residential ISP connection), it is possible that "ip leakage" can occur. This is only relevant for networks bound to specific ranges, such as for residential ISP. This doesn't apply to situation when dynamic ro...
by sebastia
Mon Jul 08, 2019 9:27 pm
Forum: General
Topic: Successfully Opening a STX LTE? [SOLVED]
Replies: 2
Views: 175

Re: Successfully Opening a STX LTE? [SOLVED]

Sure, you'll need to use plastic tool to stick it between the parts. Top (part towards antenna) fits over bottom (part with sim/network interface). You'll need to apply some pressure on the bottom part in each of the 6 sections of the hexagon to release internal latch and pull the top apart. Togethe...
by sebastia
Mon Jul 08, 2019 7:46 pm
Forum: General
Topic: RULE for BANKS
Replies: 15
Views: 653

Re: RULE for BANKS

most banks use https, right? why not prioritise https traffic up to a certain volume?

might give some improvement...
by sebastia
Mon Jul 08, 2019 7:39 pm
Forum: General
Topic: PCCload balancing vs Remote Connection to LAN...
Replies: 3
Views: 203

Re: PCCload balancing vs Remote Connection to LAN...

Some more notes:
* the queue setup won't work, as they both have the same target, you'll need to use queue linked to interface (queue tree)
* interface e6-10 are part of bridge, they are "slaves" and should not be used on their own
by sebastia
Mon Jul 08, 2019 6:07 pm
Forum: General
Topic: PCCload balancing vs Remote Connection to LAN...
Replies: 3
Views: 203

Re: PCCload balancing vs Remote Connection to LAN...

Your mangling needs improvement, some tips: new connections from wan's need to be pinned to these interfaces, otherwise you could end up with split routing, which with NAT won't fly... Do that in prerouting, on in-interface=wan1/2/... You only need to mangle route on the outbound track, so when goi...
by sebastia
Mon Jul 08, 2019 5:05 pm
Forum: General
Topic: Problem running Traffic Flow
Replies: 7
Views: 402

Re: Problem running Traffic Flow

See also https://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow

Normally that should be a single (two to change server address) step operation.

Post your config, so it can be consulted: /export hide-sensitive
by sebastia
Mon Jul 08, 2019 3:29 pm
Forum: General
Topic: Problem running Traffic Flow
Replies: 7
Views: 402

Re: Problem running Traffic Flow

Hey

Which interfaces are in the list " Internal-lan"? It's not empty right?
by sebastia
Sun Jul 07, 2019 12:50 am
Forum: Beginner Basics
Topic: Two IPs each on separate port
Replies: 10
Views: 769

Re: Two IPs each on separate port

Possible, not sure if server should be shielded / natted... If not then indeed, that will suffice.
by sebastia
Sun Jul 07, 2019 12:42 am
Forum: Beginner Basics
Topic: load balancing with fail over, added backup line 4G
Replies: 3
Views: 329

Re: load balancing with fail over, added backup line 4G

Hey You're mangling now for connection / routing mark, and you've setup separate routing tables for each mark. Right? Then just have all three routes in the tables T1 Wan1 distance 1 Wan2 distance 2 4G distance 3 T2 Wan2 distance 1 Wan1 distance 2 4G distance 3 In filter:forward you would want to fi...
by sebastia
Sat Jul 06, 2019 11:08 pm
Forum: General
Topic: How do I allow DNS traffic from one VLAN to another? [SOLVED]
Replies: 9
Views: 460

Re: How do I allow DNS traffic from one VLAN to another? [SOLVED]

Another option: VRF. have isolated routing for each vlan, and insert dns server record as allowed target.
https://wiki.mikrotik.com/wiki/Manual:V ... Forwarding
by sebastia
Sat Jul 06, 2019 10:47 pm
Forum: Beginner Basics
Topic: Two IPs each on separate port
Replies: 10
Views: 769

Re: Two IPs each on separate port

Hey, there is no easy software solution to this, see viewtopic.php?f=2&t=149920 with same question.
by sebastia
Fri Jul 05, 2019 11:37 am
Forum: General
Topic: One Router, Two separate networks/internet connections
Replies: 1
Views: 154

Re: One Router, Two separate networks/internet connections

Based on the test results, it should do just fine: https://mikrotik.com/product/RB1100Dx4# ... estresults
But it will always depend on the config applied...
by sebastia
Thu Jul 04, 2019 9:40 pm
Forum: Beginner Basics
Topic: High cpu networking
Replies: 5
Views: 283

Re: High cpu networking

Observations: * input/forward is insufficiently guarded: only tcp is filtered (in some cases), udp goes through + /ip dns set allow-remote-requests=yes = you're probably bombarded by dns requests, and being used for DDOS attacks, using DNS amplification attack why don't you just stick to default fir...
by sebastia
Thu Jul 04, 2019 9:19 pm
Forum: Beginner Basics
Topic: High cpu networking
Replies: 5
Views: 283

Re: High cpu networking

In torch which ports is the traffic going to?
by sebastia
Thu Jul 04, 2019 3:40 pm
Forum: Beginner Basics
Topic: High cpu networking
Replies: 5
Views: 283

Re: High cpu networking

which ports is the traffic going to?

Also notice that you have a similar return traffic as well?
open dns server or some other traffic bounce?

What is your firewall config (/export hide-sensitive)?
by sebastia
Thu Jul 04, 2019 2:04 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 341

Re: Best way to connect a remote site by some kind of VPN?

ipsec-secret is with phrase only (was a shortcut to simplify simple setups). If you want to use certs, then you'll need to configure ipsec manually for that tunnel.

So define tunnel normally "in clear" and define ipsec policy, ... for communication between these tunnel endpoints.
by sebastia
Thu Jul 04, 2019 1:04 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 341

Re: Best way to connect a remote site by some kind of VPN?

For the GRE / IPSec / .. tunnel to be encrypted with ipsec just specify the ipsec-secret on both ends (short-cut). /interface gre add ipsec-secret=... This will create the gre tunnel, which is encrypted by ipsec. To these interfaces, gre tunnel endpoints, assign ip's, on both ends, and use these ass...
by sebastia
Thu Jul 04, 2019 1:00 pm
Forum: General
Topic: untagged vlan [SOLVED]
Replies: 9
Views: 519

Re: untagged vlan [SOLVED]

It could work like that: extend vlans with another smart switch.

But what's also possible: extend the access port (=untagged port) with "dumb" switch.

To keep things simple I would just advise to setup independent ports, then when the need arrives you can re-evaluate your setup.
by sebastia
Thu Jul 04, 2019 12:32 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 341

Re: Best way to connect a remote site by some kind of VPN?

That's why you need a tunnel on top: IPSec will only encrypt the GRE/IPIP/... tunnel. But inside that tunnel you're free of (policy) limitation of IPSec
by sebastia
Thu Jul 04, 2019 12:24 pm
Forum: General
Topic: untagged vlan [SOLVED]
Replies: 9
Views: 519

Re: untagged vlan [SOLVED]

Hey

Do you want these vlans to be tagged on other ports? Or do you want one vlan / port and only on that port?
by sebastia
Thu Jul 04, 2019 12:12 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 341

Re: Best way to connect a remote site by some kind of VPN?

Hi For remote traffic to go through home, you would need to route that traffic over vpn tunnel -> gateway should be the remote ip of the tunnel. Second, you'll need to forward traffic from home for remote ip's over tunnel too -> again gateway should be the remote ip of the tunnel. Note that IPSec + ...
by sebastia
Wed Jul 03, 2019 9:08 am
Forum: Beginner Basics
Topic: SXT LTE Kit
Replies: 1
Views: 126

Re: SXT LTE Kit

Hi That depends on what ip you're getting from ISP (lte provider): is it "real" ip (so without any natting) or some CGNAT range ip (100.64.0.0/10). If former you're good to go. If the latter, it will depend on: * can your software call out from inside to some cloud / on-line server, then use that * ...
by sebastia
Wed Jul 03, 2019 8:54 am
Forum: Wireless Networking
Topic: Throughput Issues RouterBoard RBwAPG-5HacT2HnD-US
Replies: 9
Views: 773

Re: Throughput Issues RouterBoard RBwAPG-5HacT2HnD-US

What is your usage scenario: how/what do you intend to use it for?

BTW: "1GBps link" that's just network interface which is gigabit capable, says nothing about the wireless link.
by sebastia
Tue Jul 02, 2019 10:32 am
Forum: General
Topic: Firewall Causing Low Throughput
Replies: 17
Views: 1024

Re: Firewall Causing Low Throughput

Also post the output of cpu profiler (/tool profile cpu=all) during load
by sebastia
Tue Jul 02, 2019 9:35 am
Forum: Beginner Basics
Topic: RB2011 slow internet even with fasttrack
Replies: 91
Views: 9580

Re: RB2011 slow internet even with fasttrack

sure:
1. update to latest version of RouterOS
2. restore default home router config
by sebastia
Tue Jul 02, 2019 9:27 am
Forum: General
Topic: Customer Traffic through Multiple Queues
Replies: 1
Views: 145

Re: Customer Traffic through Multiple Queues

Hey

How about this?
* use interface htb on customer's ppp for 10mbit limit
** if there is conflict with simple q, local traffic (not transit) could be fast-tracked, making it bypass simple queues (~hack)
* use simple queue for transit limit

https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6
by sebastia
Mon Jul 01, 2019 10:59 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 54584

Re: v6.45.1 [stable] is released!

2 options:
1. disable unnecessary packages, and upload ONLY the used ones for upgrade (from "extra packages" zip)
2. netinstall...
by sebastia
Mon Jul 01, 2019 10:46 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 54584

Re: v6.45.1 [stable] is released!

After coming back to 6.43.16 it works fine again.
v6.43.16 is using P2P ip configuration for LTE passthrough. 6.45 is using small ip block, back as it was in pre-6.43.
check what ip you get and if you can ping the gateway at least.
by sebastia
Mon Jul 01, 2019 10:31 pm
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 57
Views: 3578

Re: single IP constantly trying to log to my Mikrotik

Yeah, noticed that too. maybe there were some bugs in handling...
by sebastia
Mon Jul 01, 2019 10:17 pm
Forum: Scripting
Topic: Monitoring a Port help?
Replies: 1
Views: 197

Re: Monitoring a Port help?

If there is a resource you could access, the "fetch" can help you
https://wiki.mikrotik.com/wiki/Manual:Tools/Fetch
by sebastia
Mon Jul 01, 2019 10:00 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 54584

Re: v6.45.1 [stable] is released!

one hap lite won't upgrade. I suspect space problem, but there are no files on the system.
Try upgrading with specific packages that you actually use. So download the "extra packages" and only put the packages you need on device + reboot.
by sebastia
Mon Jul 01, 2019 9:25 pm
Forum: Beginner Basics
Topic: CLI command for conntrack port range?
Replies: 5
Views: 491

Re: CLI command for conntrack port range?

there doesn't seem to be one for the ports /system package print Flags: X - disabled # NAME VERSION SCHEDULED 0 system 6.45beta62 /ip firewall connection> print where .dead connection-type gre-key orig-bytes repl-bytes reply-src-address .id dst-address gre-protocol orig-fasttrack-bytes repl-fasttrac...
by sebastia
Mon Jul 01, 2019 9:01 pm
Forum: Beginner Basics
Topic: RB2011 WAN interface not reaching full speed
Replies: 10
Views: 957

Re: RB2011 WAN interface not reaching full speed

In your first post you mentioned "The AVM Fritzbox as Gateway (cable internet) is showing 300/10 MBit/s reaching it." Have you tried doing a speedtest directly attached to the fritz? What were the results?
by sebastia
Mon Jul 01, 2019 3:40 pm
Forum: Beginner Basics
Topic: How to switch immediately after a failover ?
Replies: 7
Views: 776

Re: How to switch immediately after a failover ?

Hey @anav The rule /ip firewall filter add action=drop chain=forward comment="Drop: invalid" connection-state=invalid is part of the default configuration already. The extra line with rejects local packets only is to inform local client of different network configuration. The src-address criterium i...
by sebastia
Mon Jul 01, 2019 1:56 pm
Forum: General
Topic: Packet loss GNS3
Replies: 1
Views: 149

Re: Packet loss GNS3

Hi

interfaces part of a bridge should not have ip's on their own. ip should be defined on the level of bridge.
by sebastia
Fri Jun 28, 2019 6:42 pm
Forum: General
Topic: Usable rules for firewall
Replies: 5
Views: 904

Re: Usable rules for firewall

For the beginning non-routable Multicast definitions:
If these are non-routable, then why forward?