Community discussions

Search found 1776 matches

by sebastia
Mon Sep 23, 2019 10:34 pm
Forum: Beginner Basics
Topic: LTE passthrough winbox issue
Replies: 5
Views: 976

Re: LTE passthrough winbox issue

in your case the vlan / mgmt traffic is carrying the same mac as passthrough, and hence gets hijacked by the lte interface.

in current setup you'll need a bridge with other mac for the vlan

OR

reverse the config: mgmt over "plain" eth and passthrough over vlan without extra bridge
by sebastia
Wed Sep 18, 2019 11:06 pm
Forum: Beginner Basics
Topic: Configuration help. Is this possible?
Replies: 4
Views: 636

Re: Configuration help. Is this possible?

Hi

While CRS305 technically can do what you propose, it's not meant to do that: it can do pppoe but not at speed, as it's not fast enough on cpu side.
by sebastia
Wed Sep 18, 2019 6:37 pm
Forum: RouterBOARD hardware
Topic: GPER usage questions
Replies: 31
Views: 3439

Re: GPER usage questions

I didn't say I agree with all comments there ;-)
by sebastia
Wed Sep 18, 2019 12:10 am
Forum: RouterBOARD hardware
Topic: GPER usage questions
Replies: 31
Views: 3439

Re: GPER usage questions

by sebastia
Wed Sep 18, 2019 12:00 am
Forum: General
Topic: scrnat rule configuration
Replies: 2
Views: 531

Re: scrnat rule configuration

Hi

Src-nat and dst-nat are located in different chains and are executed at different times: dst-nat before routing & src-nat after routing. One can't interfere with the other.

List your full firewall config if you need further assistance (/export hide-sensitive)
by sebastia
Tue Sep 17, 2019 11:47 pm
Forum: Beginner Basics
Topic: Difference in setting dhcp options
Replies: 1
Views: 310

Re: Difference in setting dhcp options

server=available for all networks configurations
network=only that network

see also manual: https://wiki.mikrotik.com/wiki/Manual:I ... CP_Options
by sebastia
Tue Sep 17, 2019 11:34 pm
Forum: General
Topic: Block Multicast
Replies: 3
Views: 520

Re: Block Multicast

Have a look at http://www.firewall.cx/networking-topics/general-networking/107-network-multicast.html or https://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/ip-multicast/prod_presentation0900aecd80310883.pdf
Drop:
drop frames to the multicast mac range
drop frames with ip protoc...
by sebastia
Tue Sep 17, 2019 10:21 pm
Forum: RouterBOARD hardware
Topic: GPER usage questions
Replies: 31
Views: 3439

Re: GPER usage questions

Thx for the info
by sebastia
Sun Sep 15, 2019 1:06 pm
Forum: Scripting
Topic: ppp profile -> scripts .... run as certain user
Replies: 9
Views: 1234

Re: ppp profile -> scripts .... run as certain user

ssh-exec has been added in 6.45.1 (viewtopic.php?t=149786&hilit=ssh-exec), and CAN be called from scripts!
by sebastia
Sun Sep 15, 2019 12:56 pm
Forum: Beginner Basics
Topic: Not working. What am i missing!?
Replies: 7
Views: 960

Re: Not working. What am i missing!?

Looks ok.
Post full config (/export hide-sensitive), maybe something else is interfering.
by sebastia
Thu Sep 12, 2019 5:37 pm
Forum: General
Topic: Redundant routers/switches
Replies: 11
Views: 1000

Re: Redundant routers/switches

I'm not sure, but as I know, LACP cannot be set when there is only 1 connection between switches (sw1->sw3 and sw2->sw3). How to set LACP in this scenario?
I was thinking LACP between Hyper-V & SW3.
by sebastia
Thu Sep 12, 2019 2:52 pm
Forum: General
Topic: Redundant routers/switches
Replies: 11
Views: 1000

Re: Redundant routers/switches

Since the Hyper-V is in teaming mode... https://www.vembu.com/blog/configure-nic-teaming-hyper-v/
If Hyper-V ports algorithm is used with Switch Independent teaming mode, the virtual switch can register the MAC addresses of the virtual adapters on separate physical adapters which statically balances...
by sebastia
Thu Sep 12, 2019 2:34 pm
Forum: General
Topic: Redundant routers/switches
Replies: 11
Views: 1000

Re: Redundant routers/switches

Hey

SW3 should be in bridge mode, as both sw1-2 may be active at any time.

Just a remark: the SW3 is a "single point of failure" in that design.
by sebastia
Mon Sep 09, 2019 9:08 pm
Forum: General
Topic: Is the RB3011 a good fit?
Replies: 8
Views: 868

Re: Is the RB3011 a good fit?

Hey

For general usage, it will do just fine: https://mikrotik.com/product/rb4011igs_ ... estresults
L2TP: don't expect that vpn will be at full speed
bridge: see
by sebastia
Mon Sep 09, 2019 6:38 pm
Forum: General
Topic: IPv4 over IPv6 Tunnel
Replies: 2
Views: 381

Re: IPv4 over IPv6 Tunnel

Hey

have you tried pinging from B to A?

What is the routing table at SXT LTE like?
by sebastia
Sun Sep 08, 2019 1:51 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

add address=192.168.1.0/24 dns-server=192.168.10.2,1.1.1.1 gateway=192.168.1.254 netmask=24
-> why don't you specify your pi-hole only here?
add address=192.168.1.0/24 dns-server=192.168.10.2 gateway=192.168.1.254 netmask=24
try this instead
/ip firewall filter add action=accept chain=input comment=...
by sebastia
Sun Sep 08, 2019 1:02 pm
Forum: Forwarding Protocols
Topic: RB 3011UiAS dynamic routes missing for VLANS [SOLVED]
Replies: 4
Views: 702

Re: RB 3011UiAS dynamic routes missing for VLANS [SOLVED]

Hey

Maybe some config issue, list your config for review (/export hide-sensitive).
by sebastia
Sat Sep 07, 2019 10:45 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

add action=accept chain=forward in-interface= bridge out-interface="eht1 Internet"
is enough

for filter table
output = traffic from router itself
(other were correct)
by sebastia
Sat Sep 07, 2019 1:34 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

these are not needed as dns is on another network
You can force any DNS request to use your DNS by using dst-nat
you're out of context, read last few posts. hint: i've commented on the src-nat!
by sebastia
Sat Sep 07, 2019 1:31 pm
Forum: Beginner Basics
Topic: Somehow im blind
Replies: 5
Views: 741

Re: Somehow im blind

What are you missing, in your opinion? It could be a working config.
by sebastia
Sat Sep 07, 2019 12:33 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 1165

Re: Wireless redundate link with bonding

Can also add a device each side of the wireless devices then use RSTP
will a wireless bridge pass the xSTP related frames?
by sebastia
Sat Sep 07, 2019 12:30 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

The reason for the Masquerade and DNAT rules are to force any and all DNS query to the Pi that is running PiHole, it's a content blocker based on DNS filter lists.
these are not needed as dns is on another network
As far as I understand, setting the DNS under IP--> DNS Settings will auto assign the...
by sebastia
Sat Sep 07, 2019 12:15 am
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

why do you need this?
add action=src-nat chain=srcnat comment="UDP DNS Masquerade Network" out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=src-nat chain=srcnat comment="TCP DNS Masquerade Network" out-interface=bridge protocol=tcp src-add...
by sebastia
Fri Sep 06, 2019 11:41 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

either that or ip stack is not correctly configured
list /export hide-sensitive
by sebastia
Fri Sep 06, 2019 10:36 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 1165

Re: Wireless redundate link with bonding

that won't be immediate ;-)
by sebastia
Fri Sep 06, 2019 10:32 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 1165

Re: Wireless redundate link with bonding

hint balance -> balances ;-) over both links

if you want active passive that's a different mode
the "immediate" hand over (subsecond) you can have with active-backup, see viewtopic.php?t=150820#p743780
by sebastia
Fri Sep 06, 2019 10:17 pm
Forum: General
Topic: Netinstall failing on Windows 10
Replies: 4
Views: 708

Re: Netinstall failing on Windows 10

in my experience, netinstall can get "confused" when there are multiple interfaces active
by sebastia
Fri Sep 06, 2019 10:14 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

you have a problem with connectivity NOT dns resolution

you get an IP for a dns in each kind of test
but ping (icmp) and tcp don't get through..
by sebastia
Fri Sep 06, 2019 10:11 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 1165

Re: Wireless redundate link with bonding

do you want an active-backup or active-active?
xor is the last one
by sebastia
Fri Sep 06, 2019 9:36 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

there is no problem, it's resolving
ping google.com [216.58.223.142]
by sebastia
Fri Sep 06, 2019 8:49 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

so your dns resolution works fine
by sebastia
Fri Sep 06, 2019 8:46 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 1165

Re: Wireless redundate link with bonding

have a look at https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding, and especially enable link monitoring, probably arp base
examples: https://wiki.mikrotik.com/wiki/Manual:Bonding_Examples
by sebastia
Fri Sep 06, 2019 8:24 pm
Forum: General
Topic: dst-limit possible problem
Replies: 4
Views: 888

Re: dst-limit possible problem

only allow them at specified rate, drop rest
by sebastia
Fri Sep 06, 2019 8:15 pm
Forum: Beginner Basics
Topic: RouterBOARD 750P r2 - each interface in different network [SOLVED]
Replies: 2
Views: 337

Re: RouterBOARD 750P r2 - each interface in different network [SOLVED]

in this config mgmt is only possible from "address=192.168.0.0/24"
none of the interfaces have this range, maybe routed from somewhere else (through ospf)?
by sebastia
Fri Sep 06, 2019 8:08 pm
Forum: General
Topic: Disabling/enabling SXT LTE web access via ssh
Replies: 1
Views: 240

Re: Disabling/enabling SXT LTE web access via ssh

disable www & www-ssl ip services
by sebastia
Fri Sep 06, 2019 8:03 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 3008

Re: RB750, Pi-Hole and cross interface communication

to verify dns functionality and limit the scope try testing with "ping" (udp dns) & "nslookup" (tcp dns). both do minimal functions.

if ping <some dns name> uses an ip -> udp dns works
if nslookup <some dns server> works -> tcp firewall / nat works
by sebastia
Fri Sep 06, 2019 7:53 pm
Forum: Forwarding Protocols
Topic: Routing problem.
Replies: 6
Views: 530

Re: Routing problem.

don't see/have the details, but vpn needs to be src-nat, and probably your internet uplink as well, so in that sense it might be
by sebastia
Fri Sep 06, 2019 5:55 pm
Forum: Forwarding Protocols
Topic: Routing problem.
Replies: 6
Views: 530

Re: Routing problem.

for masq, out interface should be the vpn interface not ether1
don't use srcaddress list on the rule & just nat all going out over vpn -> less potential for issues
by sebastia
Fri Sep 06, 2019 4:23 pm
Forum: Forwarding Protocols
Topic: Routing problem.
Replies: 6
Views: 530

Re: Routing problem.

The other side doesn't know your internal network, to resolve you need to setup src natting on your vpn interface (src-nat or masq)
by sebastia
Fri Sep 06, 2019 2:50 pm
Forum: Scripting
Topic: Parse ping result
Replies: 3
Views: 683

Re: Parse ping result

Have a look at getRTT function here viewtopic.php?t=129294
by sebastia
Fri Sep 06, 2019 2:45 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 1443

Re: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN

in that case you probably don't need any port forwarding as the cameras are connecting to cloud themselves (from inside to outside)? check it / consult documentation
you'll need to verify how the app is finally connecting to the camera, through cloud or some other manner? If "some other" manner, ad...
by sebastia
Thu Sep 05, 2019 11:28 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 1443

Re: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN

do you have some central management console / server?
and how do you "connect" these devices from outside? directly or through some cloud feature?
by sebastia
Thu Sep 05, 2019 10:41 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 1443

Re: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN

if you want to access each separately, then yes, port forward different ports to specific devices
by sebastia
Thu Sep 05, 2019 9:41 pm
Forum: General
Topic: Policy to block website in Mikrotik increase CPU
Replies: 16
Views: 1461

Re: Policy to block website in Mikrotik increase CPU

what is the /tool profile indicating?
could you share details on how the blocking works?
by sebastia
Thu Sep 05, 2019 9:36 pm
Forum: RouterBOARD hardware
Topic: CPU usage upto 90%
Replies: 2
Views: 397

Re: CPU usage upto 90%

there was a presentation by Tik support on some frequent issues with pppoe servers: https://mum.mikrotik.com/presentations/ ... 948376.pdf
have a look if relevant for you
by sebastia
Thu Sep 05, 2019 9:25 pm
Forum: Beginner Basics
Topic: 1 interface, 2 vlans, prioritize Vlan2 95%
Replies: 8
Views: 956

Re: 1 interface, 2 vlans, prioritize Vlan2 95%

how about vlan priority? https://wiki.mikrotik.com/wiki/Manual:W ... t_priority + shaping vlan2 to 95% of bandwidth
by sebastia
Thu Sep 05, 2019 9:08 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 1443

Re: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN

/ip address add address=192.168.13.1/24 interface=ether2 network=192.168.13.0 => should be on bridge2
mikrotik doesn't have a dmz setting, needs to be done manually
basically, any connection to the router which is "new" (so not part of existing connection from router) should be then dst-nat-ed to .1...
by sebastia
Wed Sep 04, 2019 10:42 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 1443

Re: i have a problem, need help

post your config, as it's not clear what is what...
/export hide-sensitive (and replace any public ip's)
by sebastia
Wed Sep 04, 2019 5:07 pm
Forum: Beginner Basics
Topic: CCR to CRS using S+DA0001 [SOLVED]
Replies: 7
Views: 866

Re: CCR to CRS using S+DA0001

Hey

On paper it sounds all right, only there have been some reports of 317 instabilities when under full load. Then there are also people saying they are rock-solid...
by sebastia
Wed Sep 04, 2019 5:02 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 1443

Re: i have a problem, need help

And what is your question / request?
Also, post config in between < code > tags
by sebastia
Wed Sep 04, 2019 1:06 pm
Forum: General
Topic: Low Throughput on 2011 [SOLVED]
Replies: 5
Views: 592

Re: Low Throughput on 2011 [SOLVED]

Hey
* with fast-path disabled, fast-track will not work either
* you'll need to exclude 88.200 from fasttrack, or mangling for route mark will not work
* You seem to have two wans? indihome + oxygen; is oxygen some vpn for 88.200 only?
* you have in config /interface pppoe-client add ac-name=BRAS3-D2-...
by sebastia
Wed Sep 04, 2019 12:46 pm
Forum: General
Topic: Tls host not work
Replies: 9
Views: 2205

Re: Tls host not work

I didn't try regex in content, but it does match on plain text.

For https, your current L7 will be working with TCP and SSL handshake which is still unencrypted data
by sebastia
Mon Sep 02, 2019 8:54 pm
Forum: General
Topic: OpenVPN move to another Board [SOLVED]
Replies: 4
Views: 645

Re: OpenVPN move to another Board [SOLVED]

Hi

Normally one only imports the private key on the target/server device. The public part can be distributed to the users of that server.

If Tik is CA, only import private key.
for ovpn server: only import private key
for ovpn client: only import private client key
by sebastia
Mon Sep 02, 2019 8:46 pm
Forum: Beginner Basics
Topic: two networks with vlan in RB2011 and Groove
Replies: 2
Views: 417

Re: two networks with vlan in RB2011 and Groove

hey

and how is the Groove connected to 2011?
by sebastia
Mon Sep 02, 2019 3:37 pm
Forum: Beginner Basics
Topic: can I access mikrotik rb2011 through internet
Replies: 7
Views: 723

Re: can I access mikrotik rb2011 through internet

do you have public ip on rb2011? check under "/ip address" in Winbox or through command "/ip address print"
by sebastia
Mon Sep 02, 2019 3:26 pm
Forum: Beginner Basics
Topic: can I access mikrotik rb2011 through internet
Replies: 7
Views: 723

Re: can I access mikrotik rb2011 through internet

That depends on your isp infrastructure (do you have public ip assigned? any ports which are not blocked by isp?) and the configuration of the Tik (what firewall setting do you have there?).
by sebastia
Mon Sep 02, 2019 3:24 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 for home use
Replies: 12
Views: 1368

Re: hAP AC2 for home use

Hi

Does that Mikrotik remain ISP's property?
by sebastia
Mon Sep 02, 2019 11:49 am
Forum: General
Topic: Tls host not work
Replies: 9
Views: 2205

Re: Tls host not work

that or the "content" packet matching in plain firewall
by sebastia
Sun Sep 01, 2019 12:35 pm
Forum: General
Topic: Tls host not work
Replies: 9
Views: 2205

Re: Tls host not work

I would expect not, as it relates to Transport Layer Security which is not used with plain http.
by sebastia
Sat Aug 31, 2019 11:48 pm
Forum: General
Topic: Quee Process High
Replies: 1
Views: 348

Re: Quee Process High

Hey
Do you have another system to test these changes? In this particular case I would take that "advice" with a HUGE grain of salt, or better yet: just ignore it...
Simple queues are processed by multiple cpu cores, which spreads the load. Do you see that? Try monitoring with /tool profile
On the ot...
by sebastia
Fri Aug 30, 2019 11:07 am
Forum: Scripting
Topic: mkdir function for easy folder creation
Replies: 8
Views: 925

Re: mkdir function for easy folder creation

I am some shocked.
A script on 200+ lines is needed just to create a folder in RouterOS.
This is some MT should add a built in function.
You can always log in via FTP to create a folder and/or copy/move files.
which is exactly what the script does...

NOT an acceptable "solution"
by sebastia
Fri Aug 30, 2019 10:34 am
Forum: General
Topic: Problem ping different lan
Replies: 1
Views: 279

Re: Problem ping different lan

This is not Tik related! You should be asking on Windows forums...

Hint: indicate in windows that the connection is "private"
by sebastia
Fri Aug 30, 2019 1:19 am
Forum: General
Topic: And now?
Replies: 3
Views: 465

Re: And now?

I thought so ;-)
by sebastia
Thu Aug 29, 2019 11:56 pm
Forum: General
Topic: RB4011 "under clocking" at 533MHz / frequency scaling
Replies: 3
Views: 495

Re: RB4011 "under clocking" at 533MHz / frequency scaling

busted ;-), I don't own a 4011... Good to know, thx

I meant low-power, based on actual usage: "Max power consumption 44 W"
that's not a lot
by sebastia
Thu Aug 29, 2019 11:49 pm
Forum: General
Topic: And now?
Replies: 3
Views: 465

Re: And now?

simple, as a mitigation, firewall / filter the api port
by sebastia
Thu Aug 29, 2019 11:29 pm
Forum: Beginner Basics
Topic: VLAN between two routers. Can it work!? If so how?
Replies: 9
Views: 857

Re: VLAN between two routers. Can it work!? If so how?

- to keep the high speed datastreams away from pfSense (intel Pentium)
- to see if it was an option to use the internal router in state of pfSense
-> a CRS can't route 10g of data either! -> not with a CRS
* to save interfaces between pfSense and the CRS317
-> don't understand that one
* to have a l...
by sebastia
Thu Aug 29, 2019 9:17 pm
Forum: Beginner Basics
Topic: VLAN between two routers. Can it work!? If so how?
Replies: 9
Views: 857

Re: VLAN between two routers. Can it work!? If so how?

Hey
CRS is not a router, so you shouldn't be using it as one. I would suggest to upgrade the pfsense to "the only router" status:
* only bridge on CRS for "data" vlans -> you did say that pfSense is owner of these! if so, CRS should not route (nor firewall)
* this means no ip on data vlans for CRS
* ...
by sebastia
Thu Aug 29, 2019 7:13 pm
Forum: General
Topic: RB4011 "under clocking" at 533MHz / frequency scaling
Replies: 3
Views: 495

Re: RB4011 "under clocking" at 533MHz / frequency scaling

Hey
cpu frequency settings require a reboot to become active (part of boot configuration), so use of a script would be limited.
Impact-wise, functionally it should do exactly the same thing, but slower... Anything running on cpu will be impacted: routing, queuing, firewall, ... Hardware based switching /...
by sebastia
Wed Aug 28, 2019 12:18 am
Forum: General
Topic: Suggestion: VPN over ICMP
Replies: 2
Views: 547

Re: Suggestion: VPN over ICMP

Hello
From a high-level point of view, there would be little difference between udp. And a high stream of large icmp packets would be a red flag on its own. Furthermore, some networks / routers perform icmp "optimisation" / rate limiting, which would result in high packet loss. So far from stealthy.
Ps...
by sebastia
Tue Aug 27, 2019 10:58 am
Forum: General
Topic: Mark packet dont work like expected
Replies: 2
Views: 284

Re: Mark packet dont work like expected

What is your goal? What did you expect?
by sebastia
Tue Aug 27, 2019 1:36 am
Forum: Scripting
Topic: Remove src-address via script... [SOLVED]
Replies: 2
Views: 374

Re: Remove src-address via script... [SOLVED]

/ip firewall nat set [find where action="masquerade"] !src-address out-interface-list=WAN
by sebastia
Mon Aug 26, 2019 10:37 pm
Forum: Beginner Basics
Topic: Trouble with setting priorities
Replies: 8
Views: 912

Re: Trouble with setting priorities

If you want to have good gaming experience, then indeed you'll need to limit total download from router to all networks together to less than what modem can do. Similar for upload, limit all upload traffic to less than what modem can upload. 90-95% is a safe starting point.
your wan is ether1, update con...
by sebastia
Mon Aug 26, 2019 7:40 pm
Forum: Beginner Basics
Topic: tag all untagged traffic - can't get it working
Replies: 12
Views: 968

Re: tag all untagged traffic - can't get it working

Sniffing takes place "close" to physical layer, and tagging might not have happened yet. Have you tried sniffing a trunk port down the hill?
Wrt config, there are few entries, see https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples. Is the vlan 10 already defined under "switch ...
by sebastia
Mon Aug 26, 2019 7:24 pm
Forum: General
Topic: Force NTP Client Update
Replies: 5
Views: 428

Re: Force NTP Client Update

Hey

ntp client will determine on its own how frequently it should poll the upstream server for time update. Usually it starts at 64s and backs down to 1024s, once clocks are in sync and drift is under control.
by sebastia
Sat Aug 24, 2019 2:49 pm
Forum: Useful user articles
Topic: Whitelisting websites
Replies: 13
Views: 1197

Re: Whitelisting websites

Hi
All connections start with dns resolution. Filter / control these and you'll be able to control what connections are made (for most part).
by sebastia
Sat Aug 24, 2019 12:11 pm
Forum: Beginner Basics
Topic: Trouble with setting priorities
Replies: 8
Views: 912

Re: Trouble with setting priorities

Hey

Start with posting your current config (/export hide-sensitive), and indicate what you want to achieve: ip/port/bandwidth/...
by sebastia
Fri Aug 23, 2019 7:03 pm
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 1147

Re: Failover capabilities with unmanaged switches involved [SOLVED]

You keep on stating that, but without any references to back up your case. I on the other hand have proven with above setups that it indeed is the case. When you state that, I'm not so sure if you know what is going on... why don't you then explain to us if you're so sure of yourself what is going o...
by sebastia
Fri Aug 23, 2019 3:57 pm
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 1147

Re: Failover capabilities with unmanaged switches involved [SOLVED]

unmanaged switches don't participate in lldp, as said before they don't even have own mac
even this works just fine in any direction and any link interruption
2+2switches.png
see also web: https://networkengineering.stackexchang ... e-switches
by sebastia
Fri Aug 23, 2019 12:30 pm
Forum: General
Topic: Bridge VLAN Configuration not being applied
Replies: 4
Views: 593

Re: Bridge VLAN Configuration not being applied

good plan!
by sebastia
Fri Aug 23, 2019 12:28 pm
Forum: Beginner Basics
Topic: New User Questions
Replies: 1
Views: 243

Re: New User Questions

Hey, welcome on the forum.
hap ac: did you connect port 1 to your network? That port is in default config designated Wan, and firewalled. best would be to disable dhcp server on the bridge, within RouterOs, change the ip of the bridge and connect one of these ports to your internal network.
hex which ...
by sebastia
Fri Aug 23, 2019 12:17 pm
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 1147

Re: Failover capabilities with unmanaged switches involved [SOLVED]

And to remove any doubt, this one works just fine too
2+1switches.png
by sebastia
Fri Aug 23, 2019 11:57 am
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 1147

Re: Failover capabilities with unmanaged switches involved [SOLVED]

I disagree, an unmanaged switch is essentially invisible on the wire, it just passes packets around and has no own mac. So the above network boils down to this:
2switches.png
with STP enabled on both ends, on bridge level, auto fail-over will function
# R1
/interface bridge add name=bridge
/interfac...
by sebastia
Fri Aug 23, 2019 12:36 am
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 1147

Re: Failover capabilities with unmanaged switches involved [SOLVED]

well, there are two in this setup CRS & CSS...
by sebastia
Thu Aug 22, 2019 5:33 pm
Forum: General
Topic: Hap Ac 2, not capable of 1Gbit transfer
Replies: 11
Views: 1197

Re: Hap Ac 2, not capable of 1Gbit transfer

The only thing that drew my attention was dhcp-snooping on bridge, but it's supposed to be done in hardware on AR8327...
some other thoughts
* check that counters for FastPath are "moving"
* check cpu usage during transfer
* do you test with multiple streams?
* check bridge ports have "H" flag
by sebastia
Thu Aug 22, 2019 4:47 pm
Forum: General
Topic: Hap Ac 2, not capable of 1Gbit transfer
Replies: 11
Views: 1197

Re: Hap Ac 2, not capable of 1Gbit transfer

could you post the config?
by sebastia
Thu Aug 22, 2019 12:54 pm
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 637

Re: Mikrotik CCR 1036 8G 2S+ Performance issue

which version are you running? remember that there was a bug in ROS with regards to that;
Ros 6.45.1:
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
by sebastia
Thu Aug 22, 2019 12:20 pm
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 637

Re: Mikrotik CCR 1036 8G 2S+ Performance issue

Hey

Do you have connection tracking enabled?
was the ddos on ipv6? there was an issue with that not so long ago (implementation in ROS), with a patch release. do you have it?

Edit: just noticed you don't have connection tracking enabled viewtopic.php?f=2&t=151403
by sebastia
Thu Aug 22, 2019 11:25 am
Forum: General
Topic: Discord question
Replies: 7
Views: 911

Re: Discord question

hey, list your full firewall rule set, for both ipv4 & ipv6.
what I'm wondering: you have fasttrack dummy rule, but not fast track itself..., view is incomplete
fasttrack will bypass most of ip processing for bigger part of packets of a connection, but on regular basis packets will be processed with...
by sebastia
Wed Aug 21, 2019 8:13 pm
Forum: Beginner Basics
Topic: Bridge untagged ether1 with tagged vlan3 on ether1.
Replies: 10
Views: 1204

Re: Bridge untagged ether1 with tagged vlan3 on ether1.

Anyway, once you put interfaces in a bridge, all configuration related to them needs to be done on the level of bridge. That includes ips, vlans, ...
from the sound of it, you would want to bridge the vlans only, 3 and "1" (or another but untagged on ether1)
If that's not enough, I would advise you ...
by sebastia
Wed Aug 21, 2019 5:38 pm
Forum: Beginner Basics
Topic: Bridge untagged ether1 with tagged vlan3 on ether1.
Replies: 10
Views: 1204

Re: Bridge untagged ether1 with tagged vlan3 on ether1.

And what is the point of all that? These are still separate networks...

At least your footer is totally correct :-p
by sebastia
Wed Aug 21, 2019 3:16 pm
Forum: General
Topic: 2 wan load balancing with failover problems
Replies: 8
Views: 817

Re: 2 wan load balancing with failover problems

is there a way to set 80/20 for example?
Not directly, but you can achieve this by being creative: repeat a link multiple times, for 80/20, pretend you have 5 links each good for 20% of traffic: wan1,wan1,wan1,wan1,wan2
Another option is bandwidth based load-balancing: https://forum.mikrotik.com/v...
by sebastia
Wed Aug 21, 2019 2:11 pm
Forum: General
Topic: 2 wan load balancing with failover problems
Replies: 8
Views: 817

Re: 2 wan load balancing with failover problems

the default routes are only relevant in context of fail-over: each connection gets assigned to either Wan1 or Wan2 in mangling, only when that link is not up will the default be relevant.
the current load balancing is 50/50
add action=mark-connection chain=prerouting connection-mark=no-mark \ dst-ad...
by sebastia
Wed Aug 21, 2019 1:05 pm
Forum: General
Topic: 2 wan load balancing with failover problems
Replies: 8
Views: 817

Re: 2 wan load balancing with failover problems

you should remove fasttrack (action=fasttrack-connection, 3 instances), as it's not compatible with loadbalancing
"add action=accept chain=prerouting comment=router dst-address-list=router" should be at the beginning of chain / before all LB logic
your default routes should have different distances:...
by sebastia
Wed Aug 21, 2019 10:56 am
Forum: General
Topic: Moving rules from Filter to RAW cause better performance?
Replies: 7
Views: 804

Re: Moving rules from Filter to RAW cause better performance?

as stated there("conntrack by default is most expensive RouterOS facility"), the high cost of/before "filter" table is the connection tracking logic. If it's disabled, it won't matter whether it's in raw or filter.
by sebastia
Wed Aug 21, 2019 10:53 am
Forum: Scripting
Topic: RoS functions cannot log when called from a Netwatch script
Replies: 5
Views: 598

Re: RoS functions cannot log when called from a Netwatch script

actually that one ;-)
Since RouterOS v6.42 Netwatch is limited to read,write,test,reboot script policies.
To access global variables, "policy" right is needed
by sebastia
Wed Aug 21, 2019 10:48 am
Forum: Beginner Basics
Topic: Bridge untagged ether1 with tagged vlan3 on ether1.
Replies: 10
Views: 1204

Re: Bridge untagged ether1 with tagged vlan3 on ether1.

Let me rephrase: bridge is not what you are looking for = wrong in this case.

vlan3 & lan have different ip ranges so direct communication between devices is not possible -> a router between is needed to do the forwarding. A bridge will not solve that.
by sebastia
Tue Aug 20, 2019 11:19 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1442

Re: Slow Gbit speed with Mikrotik hex S

If you swap the clients, do you also get "reverse" throughput? If so then I would start looking at the clients / software
by sebastia
Tue Aug 20, 2019 10:51 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 1442

Re: Slow Gbit speed with Mikrotik hex S

Hey

All port are independent, right? Not sure about the first transfer, but the second test is reaching physical limitation, as both ether1 & ether5 are on same data bus, which is limited to 1gbs.

see block diagram without switching: https://mikrotik.com/product/hex_s#fndtn-downloads
by sebastia
Tue Aug 20, 2019 10:20 pm
Forum: Scripting
Topic: RoS functions cannot log when called from a Netwatch script
Replies: 5
Views: 598

Re: RoS functions cannot log when called from a Netwatch script

netwatch doesn't have enough permissions to invoke a global script, see note on https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch
by sebastia
Tue Aug 20, 2019 10:17 pm
Forum: Beginner Basics
Topic: Simple NAT between networks
Replies: 5
Views: 731

Re: Simple NAT between networks

start with posting your config
by sebastia
Tue Aug 20, 2019 10:09 pm
Forum: General
Topic: 2 wan load balancing with failover problems
Replies: 8
Views: 817

Re: 2 wan load balancing with failover problems

Hey

For starters, post your current config: /export hide-sensitive (in-between code tags)
by sebastia
Tue Aug 20, 2019 10:07 pm
Forum: Beginner Basics
Topic: 4G LTE Confusion
Replies: 3
Views: 542

Re: 4G LTE Confusion

Hey SXT-4g supports ONLY 4G. It will not connect over anything other. SXT-LTE supports 4G+3G+2G. Regarding the speed, your phone will have a better modem (if any recent it will support Carrier Aggregation (~bonding for LTE)) than what is in SXT. So most likely you won't get similar rates. On the other...
by sebastia
Tue Aug 20, 2019 9:54 pm
Forum: Beginner Basics
Topic: Bridge untagged ether1 with tagged vlan3 on ether1.
Replies: 10
Views: 1204

Re: Bridge untagged ether1 with tagged vlan3 on ether1.

Hey

Why would you need the bridge anyway?
There is only one interface of each...
by sebastia
Tue Aug 20, 2019 9:46 pm
Forum: General
Topic: Bridge VLAN Configuration not being applied
Replies: 4
Views: 593

Re: Bridge VLAN Configuration not being applied

a port without pvid would be a port with tagged traffic -> trunk port On https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table doc says PVID - The Port VLAN ID is used for access ports to tag all ingress traffic with a specific VLAN ID. A dynamic entry is added in the bridge VLAN table for every P...
by sebastia
Tue Aug 20, 2019 9:40 pm
Forum: Beginner Basics
Topic: Routing traffic from specific src addresses through specific VPN gateways [SOLVED]
Replies: 4
Views: 649

Re: Routing traffic from specific src addresses through specific VPN gateways [SOLVED]

Nice investigation - analysis - solution track. Congrats The answer to your question: when a connection is fasttrack-ed, some of its packets are bypassing among others mangling, and in your case the special routing. The packets arriving at the destination are then discarded as coming from an unknown...
by sebastia
Tue Aug 20, 2019 12:55 pm
Forum: Scripting
Topic: Triggered execution? Interface up/down etc
Replies: 5
Views: 713

Re: Triggered execution? Interface up/down etc

Hey

To my knowledge not directly. There is the netwatch, with up & down scripts, but it's not synchronous. It will not be triggered by event, but by (delayed) detection.
by sebastia
Tue Aug 20, 2019 12:52 pm
Forum: Beginner Basics
Topic: Routing traffic from specific src addresses through specific VPN gateways [SOLVED]
Replies: 4
Views: 649

Re: Routing traffic from specific src addresses through specific VPN gateways [SOLVED]

Hey You should consider nat independent of routing: route decides how traffic should be forwarded, nat specifies if traffic leaving a particular interface should be changed. In your case: Routing /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark ... passthrough=...
by sebastia
Mon Aug 19, 2019 11:46 pm
Forum: Beginner Basics
Topic: set Queue on ether2
Replies: 5
Views: 594

Re: set Queue on ether2

please list your config: /export hide-sensitive
Also what do you want to limit? upload, download, both?
by sebastia
Sun Aug 18, 2019 1:08 am
Forum: Wireless Networking
Topic: LTE based internet and WiFi network at home
Replies: 11
Views: 1238

Re: LTE based internet and WiFi network at home

1. if you want to setup / test LTE AP, then yes you'll need a sim to get active LTE uplink 2. indeed 3. in short: it depends. strength of cell tower signal, interference (other users / towers) and quality of client's antenna, for transmissions in both directions. Wrt to wap lte, its antenna doesn't ...
by sebastia
Fri Aug 16, 2019 7:40 pm
Forum: Wireless Networking
Topic: LTE based internet and WiFi network at home
Replies: 11
Views: 1238

Re: LTE based internet and WiFi network at home

Yes, all can. But if you specifically need wireless, have a look at wap lte kit.
by sebastia
Tue Aug 13, 2019 4:44 pm
Forum: General
Topic: VLAN or port isolation?
Replies: 12
Views: 1829

Re: VLAN or port isolation?

Yes it will be slower, if enabled.

But if you won't do vlan filtering on 4011 (= selective vlan bridging) that won't be a problem
by sebastia
Tue Aug 13, 2019 3:59 pm
Forum: General
Topic: VLAN or port isolation?
Replies: 12
Views: 1829

Re: VLAN or port isolation?

what do you mean by "Note that the 4011 doesn't do vlan filtering in hardware."? It could make this any trouble? Or it's just for info?
If you enable "vlan-filtering=yes" on 4011, all vlans will need to pass over cpu. On CSS3xx it's in hardware.
by sebastia
Tue Aug 13, 2019 10:53 am
Forum: Beginner Basics
Topic: File download block?
Replies: 25
Views: 2485

Re: File download block?

With blocking of connection once a volume is reached one can block that connection, but the user can just resume the download with a new connection. So the net effect is slight delay. A more effective approach would be to slow down the connection once a volume has been reached: based on volume, assi...
by sebastia
Tue Aug 13, 2019 10:08 am
Forum: General
Topic: VLAN or port isolation?
Replies: 12
Views: 1829

Re: VLAN or port isolation?

Hi I would think that this will depend on the setting: are the networks / devices in these networks isolated or do they share same spaces port isolation might provide more guarantees from security point of view vlan are more flexible kind of port isolation dictates complexity of configuration: on ro...
by sebastia
Tue Aug 13, 2019 9:57 am
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 2663

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Agreed with port number change, nat is needed.

@Sob: not sure what would break with DNSSEC, as the internal dns server, as an authoritative server, would present internal records with own signatures.
by sebastia
Sun Aug 11, 2019 12:05 am
Forum: RouterBOARD hardware
Topic: Power consumption difference - CSS326 / CRS326
Replies: 1
Views: 417

Re: Power consumption difference - CSS326 / CRS326

Hey
...to have an identical hardware...
This is NOT the case, switch chips are different and with different capabilities: nand, ram, cpu
by sebastia
Sat Aug 10, 2019 5:23 pm
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 2663

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

@2frogs Split DNS configuration is standard practice in networks with internal and external addressing. It is a proper solution if internal resources need to be accessed. The alternative "hairpin" is abusing natting, as two NATs are needed, first redirect to internal destination (dst-nat) then a sourc...
by sebastia
Sat Aug 10, 2019 1:51 pm
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 2663

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Hey # You don't need these add action=accept chain=forward dst-port=80 in-interface=pppoe-out1 protocol=tcp add action=accept chain=forward dst-port=443 in-interface=pppoe-out1 protocol=tcp add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat # as thes...
by sebastia
Sat Aug 10, 2019 4:43 am
Forum: General
Topic: lease-hostname lease script variable not working
Replies: 1
Views: 297

Re: lease-hostname lease script variable not working

hey, try $"lease-hostname" instead
by sebastia
Sat Aug 10, 2019 4:29 am
Forum: General
Topic: vlan and bridge forward traffic to wds interfaces
Replies: 5
Views: 574

Re: vlan and bridge forward traffic to wds interfaces

Don't know about the other vlans, but 20 should be carried only over ether5 + cpu, so # only to cpu & ether5 /interface ethernet switch vlan add ports=ether5,switch1-cpu switch=switch1 vlan-id=20 # add cpu port info /interface ethernet switch port set switch1-cpu vlan-header=leave-as-is vlan-mode=se...
by sebastia
Thu Aug 08, 2019 11:10 pm
Forum: RouterBOARD hardware
Topic: RBSXTR&R11e-LTE + Back Up Link
Replies: 2
Views: 409

Re: RBSXTR&R11e-LTE + Back Up Link

Hi

No, you'll need to do it (ex: with script) yourself.
by sebastia
Thu Aug 08, 2019 10:50 pm
Forum: RouterBOARD hardware
Topic: Switch stacking?
Replies: 9
Views: 5723

Re: Switch stacking?

And how about connecting switches over fast(er) trunk ports? Ex: connect 2 CRS326/CSS326 over their SFP+ port(s) and as such generate a 48 port switching plane?
by sebastia
Thu Aug 08, 2019 1:44 pm
Forum: RouterBOARD hardware
Topic: WAN to LAN performance clarity sought...
Replies: 1
Views: 352

Re: WAN to LAN performance clarity sought...

4011 + rack = 1100AHx4
by sebastia
Wed Aug 07, 2019 3:56 pm
Forum: General
Topic: Routing between VLAN & VLAN+VPN
Replies: 4
Views: 407

Re: Routing between VLAN & VLAN+VPN

to start with, move "accept establish & related" to top of forward chain -> stateful part of firewall so rules for forward should be: 1. accept established / related 2. drop invalid 3 (rest) In the rest you can then control from where connections are allowed: ex lan -> guest is allowed (for all with...
by sebastia
Wed Aug 07, 2019 3:49 pm
Forum: Beginner Basics
Topic: Basic questions about Queues [SOLVED]
Replies: 5
Views: 841

Re: Basic questions about Queues [SOLVED]

For queues to make sense you need to have a global maximum, if there is none, each subqueue can borrow without limit, and there won't be any prioritisation. such queue tree needs to be attached to independent interface, ex wan, lan. This can be "naked" interface, etherX, or a bridge grouping some int...
by sebastia
Wed Aug 07, 2019 3:42 pm
Forum: General
Topic: Router - AP with WIFI guest on VLAN don't work
Replies: 4
Views: 451

Re: Router - AP with WIFI guest on VLAN don't work

So how can i receive untagged traffic in the bridge (to use local LAN) ...? untagged of ether5 will just be "forwarded" to bridge and cpu So how can i receive ... and tagged traffic (vlan-20) out of the bridge ? tagged will be received by vlan on the bridge Todo: migrate vlan to bridge migrate vlan...
by sebastia
Wed Aug 07, 2019 3:30 pm
Forum: General
Topic: vlan and bridge forward traffic to wds interfaces
Replies: 5
Views: 574

Re: vlan and bridge forward traffic to wds interfaces

Have a look at this thread for general info: viewtopic.php?f=13&t=143620
and this wiki for switch based: https://wiki.mikrotik.com/wiki/Manual:S ... p_Examples
by sebastia
Tue Aug 06, 2019 8:07 pm
Forum: Beginner Basics
Topic: default wan
Replies: 7
Views: 749

Re: default wan

If you can do, then the gateway will be explicit / unique. Right now that's not the case. Otherwise qualify the interface that should be used: gateway="IP%interface"
by sebastia
Tue Aug 06, 2019 7:46 pm
Forum: General
Topic: [ROS/Firewall] How to MANGLE by raw HEX bytes ? [SOLVED]
Replies: 6
Views: 540

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Try this: content="\03abc\03com" Just tried, not working. Working fine here (from terminal): /ip firewall mangle add action=passthrough chain=prerouting content="cnn\03com" dst-port=53 in-interface=e1_int log=yes log-prefix="DNS catch: " \ protocol=udp "ping cnn.com" generates: 18:42:31 firewall,inf...
by sebastia
Tue Aug 06, 2019 1:38 pm
Forum: General
Topic: [ROS/Firewall] How to MANGLE by raw HEX bytes ? [SOLVED]
Replies: 6
Views: 540

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Try this:
content="\03abc\03com"
by sebastia
Tue Aug 06, 2019 1:31 am
Forum: General
Topic: Router - AP with WIFI guest on VLAN don't work
Replies: 4
Views: 451

Re: Router - AP with WIFI guest on VLAN don't work

Hello

wrt hac
ether5 participates in bridge (is a slave): it can't operate as an independent interface: not for ip address, vlan, firewall, ...

* hence the vlan should be defined on bridge.
* vlan ip should be assigned to "vlan-guest" interface
by sebastia
Tue Aug 06, 2019 1:17 am
Forum: Beginner Basics
Topic: how to set time limit to dhcp client
Replies: 3
Views: 384

Re: how to set time limit to dhcp client

Hey

If I got your question right, it's the "lease-time": duration of ip assignment.
by sebastia
Tue Aug 06, 2019 1:08 am
Forum: Wireless Networking
Topic: Bondig WIFI links 60G and 5G
Replies: 15
Views: 1539

Re: Bondig WIFI links 60G and 5G

Hoi

What kind of throughput do you get over the links?
by sebastia
Tue Aug 06, 2019 1:00 am
Forum: General
Topic: Routing between VLAN & VLAN+VPN
Replies: 4
Views: 407

Re: Routing between VLAN & VLAN+VPN

Hey Your firewall rules: * add action=reject chain=forward comment="Reject HOME from GUEST" dst-address=192.168.5.0/24 reject-with=icmp-host-prohibited src-address=192.168.20.0/24 add action=reject chain=forward comment="Reject MGMT from GUEST" connection-state=new dst-address=192.168.0.0/24 rejec...
by sebastia
Tue Aug 06, 2019 12:50 am
Forum: General
Topic: vlan and bridge forward traffic to wds interfaces
Replies: 5
Views: 574

Re: vlan and bridge forward traffic to wds interfaces

Hey

your vlan20 is "hosted" by bridge1, with all of its interfaces. So any traffic over ether5 / vlan20 will be propagated to all possible participants.

The config seems to be pre 6.41, right? Upgrade to post 6.41+ and depending on switch chip capabilities use bridge vlan or switch vlan filtering.
by sebastia
Tue Aug 06, 2019 12:29 am
Forum: Beginner Basics
Topic: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+ [SOLVED]
Replies: 24
Views: 1494

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+) [SOLVED]

You don't seem to be very good at hiding addresses. ;)
lol
by sebastia
Tue Aug 06, 2019 12:22 am
Forum: General
Topic: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]
Replies: 12
Views: 1102

Re: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]

Hoi

The network is unclear, could you post a diagram?
by sebastia
Mon Aug 05, 2019 11:50 pm
Forum: RouterBOARD hardware
Topic: Router Issues
Replies: 1
Views: 327

Re: Router Issues

Hey

Do you have access to its management functionality? If you do, run "/export hide-sensitive" and paste it here between < code > code goes here </ code > tags.
by sebastia
Mon Aug 05, 2019 11:41 pm
Forum: Beginner Basics
Topic: default wan
Replies: 7
Views: 749

Re: default wan

Hey, the recursive routing paths, map to same gateway .1.1
by sebastia
Sun Aug 04, 2019 2:07 am
Forum: General
Topic: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328
Replies: 4
Views: 543

Re: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328

* proxy-arp, I don't remember when and why I activated this, could it be because of VPN or mDNS ? should I remove it ? * Ok that's what I thought, but that weren't mentioned in the how-to linked above. Will try a different config with this. * I followed the how-to above, and it adds bond to the bridg...
by sebastia
Sun Aug 04, 2019 1:08 am
Forum: General
Topic: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328
Replies: 4
Views: 543

Re: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328

Hey There is an extensive vlan how-to on this forum, have a look. (https://forum.mikrotik.com/viewtopic.php?f=13&t=143620&hilit=vlan) Some remarks: * why need for proxy-arp on bridge? * vlan-filtering=yes (on non-CRS3xx hardware) is in software, if you want it hardware, you'll need to do it through ...
by sebastia
Sun Aug 04, 2019 12:48 am
Forum: Beginner Basics
Topic: Multiple web addresses Behind router.
Replies: 3
Views: 514

Re: Multiple web addresses Behind router.

Hey

firewall is ip based, not domain.

What you want to do is normally done on the webserver itself, as the requested domain is part of the request.
by sebastia
Sat Aug 03, 2019 8:24 pm
Forum: General
Topic: Transparent NAT
Replies: 5
Views: 559

Re: Transparent NAT

Need NAT + LTE not enough for NAT -> NAT somewhere else -> pass-through is the ONLY option
by sebastia
Sat Aug 03, 2019 8:16 pm
Forum: Scripting
Topic: mikrotik scripting
Replies: 3
Views: 622

Re: mikrotik scripting

by sebastia
Sat Aug 03, 2019 8:14 pm
Forum: General
Topic: Transparent NAT
Replies: 5
Views: 559

Re: Transparent NAT

Hey

two options:
* lte passthrough
* or just route (and don't nat) traffic to lte modem. lte modem would need to know how to reach your internal network, so you'll need to add route table entries for internal ranges.
by sebastia
Sat Aug 03, 2019 2:35 pm
Forum: Beginner Basics
Topic: Basic questions about Queues [SOLVED]
Replies: 5
Views: 841

Re: Basic questions about Queues [SOLVED]

At any given time, the bandwidth should not fall below this committed rate That's from manual, not mine. What I think is meant: the total bandwidth of the interface should be at least the sum of "limit-at" see examples here https://wiki.mikrotik.com/wiki/Manual:HTB if you reserve 1M (limit-at) but ...
by sebastia
Thu Aug 01, 2019 11:58 pm
Forum: Beginner Basics
Topic: Basic questions about Queues [SOLVED]
Replies: 5
Views: 841

Re: Basic questions about Queues [SOLVED]

Hey "Limit-at" of a queue is always respected (even if it doesn't make sense). So yes you can use it to guarantee assignment, but be careful wrt total bandwidth available. "CIR (Committed Information Rate) – (limit-at in RouterOS) worst case scenario, flow will get this amount of traffic rate regard...
by sebastia
Thu Aug 01, 2019 11:50 pm
Forum: General
Topic: How to use Queues over PCC load balancing
Replies: 1
Views: 232

Re: How to use Queues over PCC load balancing

Hey

1. use simple queues: these relate to the local user(s) = target
2. what's "vpv"?
by sebastia
Thu Aug 01, 2019 11:39 pm
Forum: RouterBOARD hardware
Topic: GPeR question
Replies: 18
Views: 2318

Re: GPeR question

It's an active device, product page mentions it already = Gigabit Passive Ethernet Repeater. repeater = 2-port switch => datagram receive and re-transmit.
I don't see how this would introduce noise.
by sebastia
Thu Aug 01, 2019 11:24 pm
Forum: Beginner Basics
Topic: Simple Queue
Replies: 2
Views: 363

Re: Simple Queue

See https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack Fasttrack bypasses among other things, simple queues. But you could enable (=> flag) connections for fasttrack selectively. These will then bypass mangling as well. Total output can then be controlled by Queue Tree attached to outgoing interface...
by sebastia
Thu Aug 01, 2019 1:25 pm
Forum: General
Topic: DNS setting via DHCP being ingnored on Vlan
Replies: 8
Views: 698

Re: DNS setting via DHCP being ingnored on Vlan

Hey

Do you ship to Belgium?

Looks like your mgmt network and guest vlan are hosted by same bridge. Only difference is that vlan is tagged. Question: is that vlan untagged somewhere and offered through access port?

Note: mgmt ip is linked to interface ether5 instead of parent bridge
by sebastia
Wed Jul 31, 2019 12:04 pm
Forum: Beginner Basics
Topic: Disabling o removing DNS Dynamic Servers
Replies: 16
Views: 1407

Re: Disabling o removing DNS Dynamic Servers

try this
/ip dhcp-client set use-peer-dns=no [find]
by sebastia
Tue Jul 30, 2019 9:46 pm
Forum: Beginner Basics
Topic: Multiple vlans and 2 servers
Replies: 1
Views: 368

Re: Multiple vlans and 2 servers

Hey As I understand your goal, I would put the "old" devices in an isolated subnet / vlan and not allow any outgoing traffic. I would also put fileserver in there, so it's accessible to these devices. Then within firewall only allow traffic to that fileserver's ip, using stateful firewall: so allow ...
by sebastia
Mon Jul 29, 2019 3:49 pm
Forum: General
Topic: MAC Address limitation
Replies: 7
Views: 820

Re: MAC Address limitation

Hi I see two options: * disable arp on the relevant interface: this will prevent unknown client from accessing router. This could mean no dns/dhcp/... But it's not "air-tight", client could configure a static ip. Further client will still be able to contact other clients on same subnet, over unmanag...
by sebastia
Mon Jul 29, 2019 2:43 am
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 18
Views: 1584

Re: Significant Speed Issues with MikroTik [SOLVED]

Hey @elico, you obviously use sub-optimal config for your hardware.
Furthermore, the link you provided suggests 1Gbps routing performance for gr3...

Wrt testing, have a look at https://mum.mikrotik.com/presentations/ ... 080654.pdf & https://youtu.be/rQX0inNcPuM
by sebastia
Mon Jul 29, 2019 2:38 am
Forum: Scripting
Topic: mass-enable all of my vlan using script
Replies: 7
Views: 845

Re: mass-enable all of my vlan using script

Hey

I would do a loop with "foreach" over all entries of a list given by find.

# collect the ids of all vlans on the given parent interface (replace <interface> with yours)
:local vlans [/interface vlan find interface=<interface>];
# a :local variable is referenced with a leading $, also inside "in="
:foreach vl in=$vlans do={
    # do some magic, ex: enable the vlan found
    /interface vlan enable $vl
};

See also https://wiki.mikrotik.com/wiki/Manual:Scripting
by sebastia
Mon Jul 29, 2019 12:22 am
Forum: Wireless Networking
Topic: LTE based internet and WiFi network at home
Replies: 11
Views: 1238

Re: LTE based internet and WiFi network at home

I wouldn't recommend it from economy point of view, but also being completely on your own / unsupported config. Get some off-the-shelf mesh wifi, which already had some prime time, and received some firmware updates. I don't have experience with any, so google is your friend: https://www.google.be/s...
by sebastia
Sun Jul 28, 2019 11:58 pm
Forum: General
Topic: DNS forward based on domain name
Replies: 18
Views: 4228

Re: DNS forward based on domain name

dnsmasq will do exactly what you need, and a gr3 (+other hw) with openwrt can run dnsmasq
by sebastia
Sun Jul 28, 2019 12:39 pm
Forum: Wireless Networking
Topic: LTE based internet and WiFi network at home
Replies: 11
Views: 1238

Re: LTE based internet and WiFi network at home

Hoi

Mikrotik has hinted at a mesh product, but it hasn't been released/offered yet.
You could do it on your own (with some multi radio devices), but I wouldn't recommend it.
by sebastia
Sun Jul 28, 2019 12:34 pm
Forum: General
Topic: Exceptions to dynamic simple queues
Replies: 2
Views: 447

Re: Exceptions to dynamic simple queues

Hey

You should at least share some configuration details (queue config, topology, ...) for others to be able to help you. Your intent is clear, but your environment is not.
by sebastia
Sun Jul 28, 2019 12:16 pm
Forum: General
Topic: Does this mean that these IP addresses were connected to my network and used my network?
Replies: 3
Views: 570

Re: Does this mean that these IP addresses were connected to my network and used my network?

tcp connection is the first step in establishing a vpn session. Then comes authentication of the server and user, and finally ip layer configuration.
this just means that somebody established the first step.
by sebastia
Sun Jul 28, 2019 11:56 am
Forum: General
Topic: Feature request: Winbox interface list
Replies: 1
Views: 297

Feature request: Winbox interface list

Hi I think it would improve readability of how interfaces are presented in Winbox, if the ports, members of a bridge, would be presented as children of that bridge. Just like it's the case now for vlan interfaces linked to an interface: these are shown right under the parent interface, and indented....
by sebastia
Fri Jul 26, 2019 4:42 pm
Forum: General
Topic: Sniffing in transparent way
Replies: 1
Views: 240

Re: Sniffing in transparent way

by sebastia
Fri Jul 26, 2019 10:38 am
Forum: Beginner Basics
Topic: High cpu networking
Replies: 9
Views: 1035

Re: High cpu networking

did what? the above is NOT an instruction what to do

The instruction was: "why don't you just stick to default firewall, it's more than enough in this case..."
by sebastia
Thu Jul 25, 2019 9:27 pm
Forum: General
Topic: the best way to divide the internet equally among the users
Replies: 4
Views: 478

Re: the best way to divide the internet equally among the users

upload queue needs to be attached to WAN interface, the queue type used needs to be pcq-upload, for that type define src-address as grouping criterion

download -> LAN interface -> pcq-download -> dst-address

and no need for mangling
by sebastia
Thu Jul 25, 2019 9:24 pm
Forum: General
Topic: RB4011 - Shockingly poor IPv6 performance
Replies: 1
Views: 287

Re: RB4011 - Shockingly poor IPv6 performance

Yes: there is no stack optimisation (=fasttrack) for ipv6
by sebastia
Thu Jul 25, 2019 9:21 pm
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 18
Views: 1584

Re: Significant Speed Issues with MikroTik [SOLVED]

Indeed noticed, edited post

gr3 should be able to do close to 1gbps cpu-wise, you're nowhere near that, so there must be something else that's causing it.
by sebastia
Thu Jul 25, 2019 9:08 pm
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 18
Views: 1584

Re: Significant Speed Issues with MikroTik [SOLVED]

Some interesting parts:
* why queue with 1GBS = interface speed?
* dns server on PRIVATE=WAN? -> just forwarding to upstream

Other than that looks default.
by sebastia
Thu Jul 25, 2019 6:48 pm
Forum: General
Topic: the best way to divide the internet equally among the users
Replies: 4
Views: 478

Re: the best way to divide the internet equally among the users

This only "queue tree for download and upload (pcq)" is enough.
upload based on src-address
download based on dst-address
by sebastia
Wed Jul 24, 2019 10:51 pm
Forum: Scripting
Topic: remote ssh via script
Replies: 52
Views: 30653

Re: remote ssh via script

That's just part of the solution. ssh-exec requires use of PKI, while the available documentation relates to real users only
by sebastia
Wed Jul 24, 2019 8:58 pm
Forum: General
Topic: Help with filter Rate Limit
Replies: 6
Views: 417

Re: Help with filter Rate Limit

The nomenclature of winbox is different from their wiki: rate (winbox) = count (wiki)

The rate limiting logic is functionality provided by iptables of the underlying linux.
Just search for: "rate limit linux firewall" -> https://making.pusher.com/per-ip-rate-l ... -iptables/
by sebastia
Wed Jul 24, 2019 6:16 pm
Forum: General
Topic: Help with filter Rate Limit
Replies: 6
Views: 417

Re: Help with filter Rate Limit

The above is for "limit" condition. dst-limit is a special case of that one.
by sebastia
Wed Jul 24, 2019 4:56 pm
Forum: General
Topic: Need a help
Replies: 3
Views: 265

Re: Need a help

Contact support.
by sebastia
Wed Jul 24, 2019 2:55 pm
Forum: General
Topic: Help with filter Rate Limit
Replies: 6
Views: 417

Re: Help with filter Rate Limit

Hey Doc: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties Matches packets up to a limited rate (packet rate or bit rate). Rule using this matcher will match until this limit is reached. Parameters are written in following format: count[/time],burst:mode. count - packet or bit coun...
by sebastia
Mon Jul 22, 2019 5:35 pm
Forum: Forwarding Protocols
Topic: How configure 2Wan with one without routing mark?
Replies: 5
Views: 611

Re: How configure 2Wan with one without routing mark?

I'm not sure that "rp-filter" would be the issue: it would only impact routing if asymmetric routing would be involved. This doesn't sound to be the case.

List your full config (/export hide-sensitive) and clarify network setup.
by sebastia
Sun Jul 21, 2019 3:16 pm
Forum: Beginner Basics
Topic: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]
Replies: 8
Views: 1080

Re: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]

Under "/ip route" I don't see any entries for "192.168.1.0/24", which would corroborate the fact that it's not a routed network, and most likely natted.

Can you disable natting for that link in fortigate?
by sebastia
Sat Jul 20, 2019 12:00 pm
Forum: RouterBOARD hardware
Topic: Mikrotik RBSXTR (No Modem) 9dBi 60 degree LTE Antenna
Replies: 8
Views: 1020

Re: Mikrotik RBSXTR (No Modem) 9dBi 60 degree LTE Antenna

Not listed separately, but offered in distribution channel. Grab it if you want...
by sebastia
Sat Jul 20, 2019 11:57 am
Forum: Beginner Basics
Topic: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]
Replies: 8
Views: 1080

Re: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]

"/export hide-sensitive" would help
by sebastia
Sat Jul 20, 2019 1:20 am
Forum: General
Topic: Link Failover
Replies: 4
Views: 729

Re: Link Failover

Try posting the config between [ code ] [/ code ] tags. (without spaces between [])
I tend to not open an unknown docx document from net...
by sebastia
Sat Jul 20, 2019 1:14 am
Forum: General
Topic: RB2011UiAS-RM - High CPU on Download
Replies: 6
Views: 812

Re: RB2011UiAS-RM - High CPU on Download

2011 is not that powerful (cpu-wise), but it shouldn't be as bad See https://www.youtube.com/watch?v=BMNoRJ4Wy3E There were some topics regarding 2011 throughput, have a look. Also note that FastTrack can be enabled selectively, it's not all-or-nothing switch. Finally, if you need more input, post you...
by sebastia
Fri Jul 19, 2019 5:36 pm
Forum: Beginner Basics
Topic: hEX + Linksys E900 + D-Link DIR-615
Replies: 2
Views: 429

Re: hEX + Linksys E900 + D-Link DIR-615

leave the ap's in bridge. the wifi is configured on them. just make sure these have IPs in the right range, as specified by hex
by sebastia
Fri Jul 19, 2019 5:27 pm
Forum: General
Topic: RB2011UiAS-RM - High CPU on Download
Replies: 6
Views: 812

Re: RB2011UiAS-RM - High CPU on Download

Hi

Do you have the latest version of ROS? If not upgrade.

Do you have any special configuration? I would suggest to perform a factory reset to default config for homeAP. This config can do 800+ out of the box.
by sebastia
Fri Jul 19, 2019 4:56 pm
Forum: General
Topic: Link Failover
Replies: 4
Views: 729

Re: Link Failover

Hey

Note: don't post your public IPs in the clear, at least some masking is advised.

The behaviour you describe is unexpected: one link should not impact the other. But to have a better view...

Please post your config: "/export hide-sensitive" (mask your public IPs consistently)
by sebastia
Fri Jul 19, 2019 2:09 pm
Forum: Beginner Basics
Topic: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]
Replies: 8
Views: 1080

Re: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]

To do PCC you need to do mangling, and assign route-marks to packets (part of some connection) to always send them via some particular route. To force packets from an IP over some route, you have to "hard-code" the routing-mark assignment to the one of wan2. In this case, something like:
# all packets from c...
by sebastia
Fri Jul 19, 2019 12:49 pm
Forum: Beginner Basics
Topic: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]
Replies: 8
Views: 1080

Re: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]

Hey

I hope you don't perform NAT on the Fortigate?

If not, you can route-mark (table:chain -> mangle:prerouting) all packets from the "computer 01" IPs with the mark for WAN02.
by sebastia
Fri Jul 19, 2019 10:07 am
Forum: Wireless Networking
Topic: Wireless AC performence issue
Replies: 3
Views: 681

Re: Wireless AC performence issue

These results (700-800 Mbps) are in bridge mode for the nv2 protocol, on the "same table" (short distance / limited interference / ... -> not a real-life environment).
And most importantly, that's not a wifi AP config.
by sebastia
Thu Jul 18, 2019 2:24 pm
Forum: Virtualization
Topic: Proxmox & CHR for shared home network
Replies: 2
Views: 533

Re: Proxmox & CHR for shared home network

I remember some topics on that recently: check some of these https://forum.mikrotik.com/search.php?keywords=chr+virtual&terms=all&author=&sc=1&sf=all&sr=topics&sk=t&sd=d&st=0&ch=300&t=0&submit=Search On the core question, with that relatively limited load, a 4011 or low CCR would be enough. That probabl...
by sebastia
Wed Jul 17, 2019 12:25 pm
Forum: Beginner Basics
Topic: Rate Limiting new connections
Replies: 4
Views: 622

Re: Rate Limiting new connections

Default SOHO config doesn't allow any traffic initiated from outside. So if you're not hosting anything, it's not needed. If internal resources are accessible, then it might be sensible to do such limiting, if the resource is sensitive. So no silver bullet, and "it depends".
Update: I assume a "trust" in int...
by sebastia
Tue Jul 16, 2019 11:44 pm
Forum: General
Topic: rb750gr3 Gigabit auto negotiation [SOLVED]
Replies: 16
Views: 1342

Re: rb750gr3 Gigabit auto negotiation [SOLVED]

Just for reference, gigabit ethernet will auto-detect / auto-cross cable pairs if needed. Hence with GbE, cross-over cables are no longer necessary. GbE DOES need / use all 4 pairs though.
/interface ethernet> monitor e4_tv once
name: e4_tv
status: link-ok
auto-negotiation: done
rate: 100Mbps
...
adv...
by sebastia
Tue Jul 16, 2019 8:45 pm
Forum: Beginner Basics
Topic: Rate Limiting new connections
Replies: 4
Views: 622

Re: Rate Limiting new connections

That's a wide subject... the mechanics:
* limit (https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter) will match as long as the conditions as specified are met. And so it needs to be followed by a rule for "when not".
* it's only one of the conditions and needs others to be useful, ex: connection-state=new / ...
by sebastia
Tue Jul 16, 2019 8:22 pm
Forum: Beginner Basics
Topic: VLAN Bridge Filtering ALternative
Replies: 9
Views: 990

Re: VLAN Bridge Filtering ALternative

It's been discussed recently: viewtopic.php?f=2&t=150172
by sebastia
Sun Jul 14, 2019 11:32 pm
Forum: General
Topic: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]
Replies: 5
Views: 662

Re: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]

asymmetric routing & rp-filter don't go hand-in-hand, that's true.
by sebastia
Sun Jul 14, 2019 1:22 pm
Forum: General
Topic: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]
Replies: 5
Views: 662

Re: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]

Instead of doing the filtering manually, you could also do it through

See: https://wiki.mikrotik.com/wiki/Manual:I ... Properties
/ip settings set rp-filter=strict
by sebastia
Sat Jul 13, 2019 2:22 pm
Forum: General
Topic: Feature request: connection nat mismatch detection
Replies: 3
Views: 455

Re: Feature request: connection nat mismatch detection

Thank you for your feedback. Tried the suggestion:

Additional config:
/interface bridge
add name=bridgeE5 protocol-mode=none
/interface bridge filter
add action=passthrough chain=output log=yes log-prefix="Bridge rule: " mac-protocol=ip src-address=!192.168.45.2/32
/interface bridge port
add bridge=...
by sebastia
Thu Jul 11, 2019 4:43 pm
Forum: General
Topic: DNS Broadcast
Replies: 1
Views: 248

Re: DNS Broadcast

firewall "wan" interfaces: only allow traffic you need, drop rest.

Default firewall config is sufficient, have a look
by sebastia
Thu Jul 11, 2019 3:11 pm
Forum: General
Topic: untagged vlan [SOLVED]
Replies: 9
Views: 681

Re: untagged vlan [SOLVED]

This is what I suggested in the post above.

Edit for clarity: "To keep things simple I would just advise to setup independent ports, then when the need arrives you can re-evaluate your setup."
by sebastia
Thu Jul 11, 2019 2:14 pm
Forum: Beginner Basics
Topic: load balancing with fail over, added backup line 4G
Replies: 3
Views: 493

Re: load balancing with fail over, added backup line 4G

Regarding config (didn't review it all, just the relevant part for this topic):
# you probably don't want "passthrough" here
add action=mark-connection chain=prerouting comment="REGLAS BALANCEO " \
    connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP1_conn \
    passthrough=yes
add action=mark-r...
by sebastia
Thu Jul 11, 2019 1:53 pm
Forum: General
Topic: Problem running Traffic Flow
Replies: 7
Views: 584

Re: Problem running Traffic Flow

Hey

ether2 is a "slave", as it's part of bridge1.
/interface bridge port
add bridge=bridge1 interface=ether2-LAN-OFFICE
/ip traffic-flow
set active-flow-timeout=1m cache-entries=16k enabled=yes interfaces=ether2-LAN-OFFICE
Try monitoring bridge1 instead then.
by sebastia
Thu Jul 11, 2019 1:01 pm
Forum: Wireless Networking
Topic: Throughput Presentation, Questions, & Discussion
Replies: 2
Views: 448

Re: Throughput Presentation, Questions, & Discussion

Hey

1. Window size is not a constant for a connection: it's adapted throughout the connection.
2. UDP and TCP throughputs are not comparable.
by sebastia
Thu Jul 11, 2019 12:33 pm
Forum: General
Topic: Feature request: connection nat mismatch detection
Replies: 3
Views: 455

Feature request: connection nat mismatch detection

Hi

When operating a router with WAN fail-over, when NAT is applied to both links (e.g. two residential ISP connections), it is possible that "IP leakage" can occur. This is only relevant for networks bound to specific ranges, such as for a residential ISP. This doesn't apply to the situation when dynamic ro...
by sebastia
Mon Jul 08, 2019 9:27 pm
Forum: General
Topic: Successfully Opening a STX LTE? [SOLVED]
Replies: 2
Views: 267

Re: Successfully Opening a STX LTE? [SOLVED]

Sure, you'll need to use a plastic tool to stick it between the parts. Top (the part towards the antenna) fits over the bottom (the part with the SIM/network interface). You'll need to apply some pressure on the bottom part in each of the 6 sections of the hexagon to release the internal latch and pull the top apart. Togethe...
by sebastia
Mon Jul 08, 2019 7:46 pm
Forum: General
Topic: RULE for BANKS
Replies: 15
Views: 867

Re: RULE for BANKS

Most banks use HTTPS, right. Why not prioritise HTTPS traffic up to a certain volume?

might give some improvement...
by sebastia
Mon Jul 08, 2019 7:39 pm
Forum: General
Topic: PCCload balancing vs Remote Connection to LAN...
Replies: 3
Views: 320

Re: PCCload balancing vs Remote Connection to LAN...

Some more notes:
* the queue setup won't work, as they both have the same target, you'll need to use a queue linked to the interface (queue tree)
* interfaces e6-10 are part of the bridge, they are "slaves" and should not be used on their own
by sebastia
Mon Jul 08, 2019 6:07 pm
Forum: General
Topic: PCCload balancing vs Remote Connection to LAN...
Replies: 3
Views: 320

Re: PCCload balancing vs Remote Connection to LAN...

Your mangling needs improvement, some tips: new connections from the WANs need to be pinned to these interfaces, otherwise you could end up with split routing, which with NAT won't fly... Do that in prerouting, on in-interface=wan1/2/... You only need to mangle the route on the outbound track, so when goi...
by sebastia
Mon Jul 08, 2019 5:05 pm
Forum: General
Topic: Problem running Traffic Flow
Replies: 7
Views: 584

Re: Problem running Traffic Flow

See also https://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow

Normally that should be a single (two to change server address) step operation.

Post your config, so it can be consulted: /export hide-sensitive
by sebastia
Mon Jul 08, 2019 3:29 pm
Forum: General
Topic: Problem running Traffic Flow
Replies: 7
Views: 584

Re: Problem running Traffic Flow

Hey

Which interfaces are in the list "Internal-lan"? It's not empty, right?
by sebastia
Sun Jul 07, 2019 12:50 am
Forum: Beginner Basics
Topic: Two IPs each on separate port
Replies: 10
Views: 1047

Re: Two IPs each on separate port

Possible, not sure if server should be shielded / natted... If not then indeed, that will suffice.
by sebastia
Sun Jul 07, 2019 12:42 am
Forum: Beginner Basics
Topic: load balancing with fail over, added backup line 4G
Replies: 3
Views: 493

Re: load balancing with fail over, added backup line 4G

Hey

You're mangling now for connection / routing mark, and you've set up separate routing tables for each mark. Right?

Then just have all three routes in the tables:
T1
Wan1 distance 1
Wan2 distance 2
4G distance 3
T2
Wan2 distance 1
Wan1 distance 2
4G distance 3
In filter:forward you would want to fi...
by sebastia
Sat Jul 06, 2019 11:08 pm
Forum: General
Topic: How do I allow DNS traffic from one VLAN to another? [SOLVED]
Replies: 9
Views: 671

Re: How do I allow DNS traffic from one VLAN to another? [SOLVED]

Another option: VRF. Have isolated routing for each VLAN, and insert the DNS server record as an allowed target.
https://wiki.mikrotik.com/wiki/Manual:V ... Forwarding
by sebastia
Sat Jul 06, 2019 10:47 pm
Forum: Beginner Basics
Topic: Two IPs each on separate port
Replies: 10
Views: 1047

Re: Two IPs each on separate port

Hey, there is no easy software solution to this, see viewtopic.php?f=2&t=149920 with same question.
by sebastia
Fri Jul 05, 2019 11:37 am
Forum: General
Topic: One Router, Two separate networks/internet connections
Replies: 1
Views: 208

Re: One Router, Two separate networks/internet connections

Based on the test results, it should do just fine: https://mikrotik.com/product/RB1100Dx4# ... estresults
But it will always depend on the config applied...
by sebastia
Thu Jul 04, 2019 9:40 pm
Forum: Beginner Basics
Topic: High cpu networking
Replies: 9
Views: 1035

Re: High cpu networking

Observations:
* input/forward is insufficiently guarded: only TCP is filtered (in some cases), UDP goes through
+ /ip dns set allow-remote-requests=yes
= you're probably bombarded by DNS requests, and being used for DDoS attacks, via a DNS amplification attack

Why don't you just stick to the default fir...
by sebastia
Thu Jul 04, 2019 9:19 pm
Forum: Beginner Basics
Topic: High cpu networking
Replies: 9
Views: 1035

Re: High cpu networking

In torch which ports is the traffic going to?
by sebastia
Thu Jul 04, 2019 3:40 pm
Forum: Beginner Basics
Topic: High cpu networking
Replies: 9
Views: 1035

Re: High cpu networking

which ports is the traffic going to?

Also, notice that you have similar return traffic as well?
open dns server or some other traffic bounce?

What is your firewall config (/export hide-sensitive)?
by sebastia
Thu Jul 04, 2019 2:04 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 467

Re: Best way to connect a remote site by some kind of VPN?

ipsec-secret is with phrase only (was a shortcut to simplify simple setups). If you want to use certs, then you'll need to configure ipsec manually for that tunnel.

So define tunnel normally "in clear" and define ipsec policy, ... for communication between these tunnel endpoints.
by sebastia
Thu Jul 04, 2019 1:04 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 467

Re: Best way to connect a remote site by some kind of VPN?

For the GRE / IPSec / .. tunnel to be encrypted with IPsec just specify the ipsec-secret on both ends (short-cut).
/interface gre add ipsec-secret=...
This will create the GRE tunnel, which is encrypted by IPsec. To these interfaces, the GRE tunnel endpoints, assign IPs on both ends, and use these ass...
by sebastia
Thu Jul 04, 2019 1:00 pm
Forum: General
Topic: untagged vlan [SOLVED]
Replies: 9
Views: 681

Re: untagged vlan [SOLVED]

It could work like that: extend vlans with another smart switch.

But what is also possible: extend the access port (=untagged port) with a "dumb" switch.

To keep things simple I would just advise to setup independent ports, then when the need arrives you can re-evaluate your setup.
by sebastia
Thu Jul 04, 2019 12:32 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 467

Re: Best way to connect a remote site by some kind of VPN?

That's why you need a tunnel on top: IPSec will only encrypt the GRE/IPIP/... tunnel. But inside that tunnel you're free of the (policy) limitations of IPSec.
by sebastia
Thu Jul 04, 2019 12:24 pm
Forum: General
Topic: untagged vlan [SOLVED]
Replies: 9
Views: 681

Re: untagged vlan [SOLVED]

Hey

Do you want these vlans to be tagged on other ports? Or do you want one vlan / port and only on that port?
by sebastia
Thu Jul 04, 2019 12:12 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 467

Re: Best way to connect a remote site by some kind of VPN?

Hi

For remote traffic to go through home, you would need to route that traffic over the VPN tunnel -> the gateway should be the remote IP of the tunnel. Second, you'll need to forward traffic from home for the remote IPs over the tunnel too -> again the gateway should be the remote IP of the tunnel. Note that IPSec + ...
by sebastia
Wed Jul 03, 2019 9:08 am
Forum: Beginner Basics
Topic: SXT LTE Kit
Replies: 1
Views: 222

Re: SXT LTE Kit

Hi

That depends on what IP you're getting from the ISP (LTE provider): is it a "real" IP (so without any NAT) or some CGNAT range IP (100.64.0.0/10)? If the former, you're good to go. If the latter, it will depend on:
* can your software call out from inside to some cloud / on-line server, then use that
* ...
by sebastia
Wed Jul 03, 2019 8:54 am
Forum: Wireless Networking
Topic: Throughput Issues RouterBoard RBwAPG-5HacT2HnD-US
Replies: 11
Views: 1289

Re: Throughput Issues RouterBoard RBwAPG-5HacT2HnD-US

What is your usage scenario: how/what do you intend to use it for?

BTW: "1GBps link" that's just network interface which is gigabit capable, says nothing about the wireless link.
by sebastia
Tue Jul 02, 2019 10:32 am
Forum: General
Topic: Firewall Causing Low Throughput
Replies: 19
Views: 1680

Re: Firewall Causing Low Throughput

Also post the output of cpu profiler (/tool profile cpu=all) during load
by sebastia
Tue Jul 02, 2019 9:35 am
Forum: Beginner Basics
Topic: RB2011 slow internet even with fasttrack
Replies: 98
Views: 13475

Re: RB2011 slow internet even with fasttrack

sure:
1. update to the latest version of RouterOS
2. restore default home router config
by sebastia
Tue Jul 02, 2019 9:27 am
Forum: General
Topic: Customer Traffic through Multiple Queues
Replies: 1
Views: 207

Re: Customer Traffic through Multiple Queues

Hey

How about this?
* use interface htb on customer's ppp for 10mbit limit
** if there is conflict with simple q, local traffic (not transit) could be fast-tracked, making it bypass simple queues (~hack)
* use simple queue for transit limit

https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6
by sebastia
Mon Jul 01, 2019 10:59 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69896

Re: v6.45.1 [stable] is released!

2 options:
1. disable unnecessary packages, and upload ONLY the used ones for upgrade (from "extra packages" zip)
2. netinstall...
by sebastia
Mon Jul 01, 2019 10:46 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69896

Re: v6.45.1 [stable] is released!

After coming back to 6.43.16 it works fine again.
v6.43.16 is using P2P IP configuration for LTE passthrough. 6.45 is using a small IP block, back as it was in pre-6.43.
check what ip you get and if you can ping the gateway at least.
by sebastia
Mon Jul 01, 2019 10:31 pm
Forum: Beginner Basics
Topic: single IP constantly trying to log to my Mikrotik
Replies: 57
Views: 4278

Re: single IP constantly trying to log to my Mikrotik

Yeah, noticed that too. maybe there were some bugs in handling...
by sebastia
Mon Jul 01, 2019 10:17 pm
Forum: Scripting
Topic: Monitoring a Port help?
Replies: 1
Views: 365

Re: Monitoring a Port help?

If there is a resource you could access, the "fetch" can help you
https://wiki.mikrotik.com/wiki/Manual:Tools/Fetch
by sebastia
Mon Jul 01, 2019 10:00 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69896

Re: v6.45.1 [stable] is released!

one hap lite wont upgrade. I suspect space problem, but there are no files on the system.
Try upgrading with the specific packages that you actually use. So download the "extra packages" and only put the packages you need on the device + reboot.
by sebastia
Mon Jul 01, 2019 9:25 pm
Forum: Beginner Basics
Topic: CLI command for conntrack port range?
Replies: 5
Views: 622

Re: CLI command for conntrack port range?

There doesn't seem to be one for the ports:
/system package print
Flags: X - disabled
 #   NAME      VERSION      SCHEDULED
 0   system    6.45beta62
/ip firewall connection> print where
.dead  connection-type  gre-key  orig-bytes  repl-bytes  reply-src-address  .id  dst-address  gre-protocol  orig-fasttrack-bytes  repl-fasttrac...
by sebastia
Mon Jul 01, 2019 9:01 pm
Forum: Beginner Basics
Topic: RB2011 WAN interface not reaching full speed
Replies: 10
Views: 1111

Re: RB2011 WAN interface not reaching full speed

In your first post you mentioned:
"The AVM Fritzbox as Gateway (cable internet) is showing 300/10 MBit/s reaching it."
Have you tried doing a speedtest directly attached to the Fritz? What were the results?
by sebastia
Mon Jul 01, 2019 3:40 pm
Forum: Beginner Basics
Topic: How to switch immediately after a failover ?
Replies: 7
Views: 951

Re: How to switch immediately after a failover ?

Hey @anav

The rule
/ip firewall filter add action=drop chain=forward comment="Drop: invalid" connection-state=invalid
is part of the default configuration already. The extra line which rejects local packets only is there to inform the local client of a different network configuration. The src-address criterion i...
by sebastia
Mon Jul 01, 2019 1:56 pm
Forum: General
Topic: Packet loss GNS3
Replies: 1
Views: 199

Re: Packet loss GNS3

Hi

Interfaces that are part of a bridge should not have IPs on their own. The IP should be defined at the level of the bridge.
by sebastia
Fri Jun 28, 2019 6:42 pm
Forum: General
Topic: Usable rules for firewall
Replies: 5
Views: 1092

Re: Usable rules for firewall

For the beginning non-routable Multicast definitions:
If these are non-routable, then why forward?
by sebastia
Fri Jun 28, 2019 6:36 pm
Forum: General
Topic: Bandwidth Load Balancing - LTE modem slooow Ping and slooow connections
Replies: 8
Views: 962

Re: Bandwidth Load Balancing - LTE modem slooow Ping and slooow connections

Your routing table is fine. Wrt traceroute, I could replicate your issue. When only the outgoing interface is specified no routing takes place, and the system expects the target IP to be local -> it asks through ARP for the MAC of the target IP. Documentation is missing for that tool... If you want an IP to test LTE, ju...
by sebastia
Fri Jun 28, 2019 5:24 pm
Forum: General
Topic: Bandwidth Load Balancing - LTE modem slooow Ping and slooow connections
Replies: 8
Views: 962

Re: Bandwidth Load Balancing - LTE modem slooow Ping and slooow connections

And how does your routing look like?

/ip route print detail
by sebastia
Fri Jun 28, 2019 5:17 pm
Forum: Beginner Basics
Topic: How to switch immediately after a failover ?
Replies: 7
Views: 951

Re: How to switch immediately after a failover ?

"I have these after the "est-rel accept" rule in my "established-related" chain, which is one of the first ones invoked. Rather than notify the client, wouldn't it be more effective to cut out dead connections?"
Not necessarily: if the client assumes the connection is still good, it will send packets using that's state...
by sebastia
Fri Jun 28, 2019 5:02 pm
Forum: Wireless Networking
Topic: Broadcast storm prevention
Replies: 3
Views: 479

Re: Broadcast storm prevention

1) based on your network knowledge. Or map it with Dude.
2) one of these needs to be enabled on all bridges / switches participating in loops. STP is L2 protocol, below routing.
see https://wiki.mikrotik.com/wiki/Manual:S ... e_Protocol
by sebastia
Fri Jun 28, 2019 4:52 pm
Forum: General
Topic: Bandwidth Load Balancing - LTE modem slooow Ping and slooow connections
Replies: 8
Views: 962

Re: Bandwidth Load Balancing - LTE modem slooow Ping and slooow connections

With regards to TTL:
on windows: ping -i 65 <address>
on linux: ping -t 65 <address>
Try pinging with a higher TTL value from the network to see if that resolves it. You said pinging from behind the Tik is slow. Tik is one more hop. I've heard of some ISPs which limit traffic not matching specific criteria. So...
by sebastia
Fri Jun 28, 2019 3:22 pm
Forum: Wireless Networking
Topic: Broadcast storm prevention
Replies: 3
Views: 479

Re: Broadcast storm prevention

If you have loops, enable xSTP
by sebastia
Fri Jun 28, 2019 2:25 pm
Forum: General
Topic: Generic question about throttling
Replies: 2
Views: 381

Re: Generic question about throttling

"can you throttle per port and per connection? Can you throttle based upon MAC address?"
Yes, by marking traffic, in the mangle table.
ROS does support average and burst, with configurable limits and timings: https://wiki.mikrotik.com/wiki/Manual:Queue
"Sharing the bandwidth fairly across all the connection..."