Search found 1782 matches

by sebastia
Fri Mar 12, 2021 1:16 pm
Forum: RouterBOARD hardware
Topic: hEX block diagram
Replies: 47
Views: 17952

Re: hEX block diagram

If you want some assistance or information you should be a bit more polite. Most of us on this forum are not here because we are paid for it. And how would you explain it then, considering that this test goes right against the results of your tests number 2 & 4 from your first post here??? both we...
by sebastia
Fri Mar 12, 2021 12:54 pm
Forum: RouterBOARD hardware
Topic: hEX block diagram
Replies: 47
Views: 17952

Re: hEX block diagram

The 1Gb/s links are full duplex.
Just for posterity, this is NOT the case: Mikrotik always reports full bandwidth over all directions -> that 1Gb/s is shared for both directions!
(as supported by your own tests)
by sebastia
Fri Mar 12, 2021 12:49 pm
Forum: RouterBOARD hardware
Topic: hEX block diagram
Replies: 47
Views: 17952

Re: hEX block diagram

1) If we are talking about 5 independent ports: the two 1Gbps links will be used, as needed. There is no hard assignment of a link to a group of ports.
Don't believe that to be the case: I think the port attribution of all independent links is fixed, (but I haven't tested it...)
by sebastia
Fri Mar 12, 2021 12:44 pm
Forum: RouterBOARD hardware
Topic: hEX block diagram
Replies: 47
Views: 17952

Re: hEX block diagram

in tests 1 & 3 you don't go to cpu, but are using the hardware switching in the switch chip (= off-loading) -> hence the limitations of the link to cpu don't apply and you get full bandwidth of the 1Gb/s connection / port

So how about that admission :-D ?
by sebastia
Fri Mar 12, 2021 12:18 pm
Forum: RouterBOARD hardware
Topic: hEX block diagram
Replies: 47
Views: 17952

Re: hEX block diagram

you are using it (1Gb/s) already!

see second test:
Tx + Rx ~1Gb/s for ports ether1 & ether4

the 1Gb/s from diagram is TOTAL bandwidth available, for BOTH sending and receiving

I expect an apology now ;-)
by sebastia
Thu Jun 25, 2020 9:23 pm
Forum: General
Topic: DNS forward based on domain name [SOLVED]
Replies: 41
Views: 22964

Re: DNS forward based on domain name [SOLVED]

Just noticed it myself in changelog :-)
Good news indeed

Although regex has been mentioned before by staff to be heavy
by sebastia
Wed Nov 27, 2019 11:05 am
Forum: Wireless Networking
Topic: R11e-LTE6 field-test
Replies: 4
Views: 2737

Re: R11e-LTE6 field-test

Thx.

Interesting info. A bit early, as you only got it, but I would like to hear your findings on link / connection stability.
by sebastia
Tue Nov 19, 2019 4:15 pm
Forum: General
Topic: Add DNS over HTTPS (DoH) support
Replies: 130
Views: 116844

Re: Add DNS over HTTPS (DoH) support

For the time being, we have to look to other platforms, e.g. dnsmasq
by sebastia
Tue Nov 19, 2019 4:10 pm
Forum: General
Topic: Is there an new exploit going around?
Replies: 57
Views: 22856

Re: Is there an new exploit going around?

In a way, the affected owners should be thankful for the wake-up call and that the payload was so benign!
Any updates / new events on the topic?
by sebastia
Tue Nov 19, 2019 3:22 pm
Forum: Wireless Networking
Topic: R11e-LTE6 field-test
Replies: 4
Views: 2737

R11e-LTE6 field-test

Hey

I'm looking for any and all feedback on field-testing of R11e-LTE6.
Please share your findings.

Kind regards
Sebastian
by sebastia
Tue Nov 19, 2019 2:31 pm
Forum: Beginner Basics
Topic: hAP lite
Replies: 11
Views: 2643

Re: hAP lite

Have a look here wrt L7 config: https://www.youtube.com/watch?v=RtFZKvLKgD0
(+ changes as suggested by mkx)
by sebastia
Tue Nov 19, 2019 2:27 pm
Forum: Beginner Basics
Topic: RB941-2nD and bridge filter feature
Replies: 8
Views: 1622

Re: RB941-2nD and bridge filter feature

Next to "use-ip-firewall=yes" one could also just add bridge rules under /interface bridge filter.
by sebastia
Sat Oct 26, 2019 7:39 pm
Forum: General
Topic: Can somebody explain scope and target scope?
Replies: 46
Views: 24413

Re: Can somebody explain scope and target scope?

Have a look here too: https://wiki.mikrotik.com/wiki/Manual:I ... hop_lookup

Scope is linked to routing configuration: 10 for local, 30 for static, ...
Target scope is that as well, and by specifying target one can define how next hop can be looked up.
by sebastia
Thu Oct 24, 2019 12:20 pm
Forum: RouterOS beta
Topic: Scope of v7.0
Replies: 6
Views: 5194

Re: Scope of v7.0

Is there a high-level roadmap? Could you share it?
by sebastia
Thu Oct 24, 2019 12:13 pm
Forum: RouterOS beta
Topic: Scope of v7.0
Replies: 6
Views: 5194

Re: Scope of v7.0

is the current beta functionality-wise complete
No, BGP and MPLS are not even enabled.
Thx for reaction. Disabled routing was mentioned with beta1, so that was a given / known. But what about the rest? Once bugs are ironed out and routing added, will that be v7.0?
by sebastia
Wed Oct 23, 2019 7:31 pm
Forum: RouterOS beta
Topic: Torrent client
Replies: 59
Views: 36235

Re: Torrent client

removed in beta3...
by sebastia
Wed Oct 23, 2019 7:30 pm
Forum: RouterOS beta
Topic: Scope of v7.0
Replies: 6
Views: 5194

Scope of v7.0

Hi Mikrotik

Is the scope of the first release of v7 covered by current beta? In other words is the current beta functionality-wise complete?

Thx
by sebastia
Mon Oct 21, 2019 2:42 pm
Forum: General
Topic: Queue priority and limits
Replies: 4
Views: 1774

Re: Queue priority and limits

priority is always active: queue tokens are used for packets from highest to lowest prio. Once pipe is full / tokens are exhausted and priority queues are full, new packets get dropped. In effect, if bandwidth is not scarce, all packets are transmitted and one could say that priority is irrelevant, a...
by sebastia
Mon Oct 21, 2019 2:38 pm
Forum: General
Topic: OpenVPN routing
Replies: 4
Views: 2891

Re: OpenVPN routing

Most likely because of this in openvpn config

redirect-gateway def1
by sebastia
Sun Oct 20, 2019 5:10 pm
Forum: General
Topic: Feature request: connection nat mismatch detection
Replies: 4
Views: 1960

Re: Feature request: connection nat mismatch detection

Update on the implementation above with bridge filter rules: Even though the bridge rules are added for a specific "out-bridge", in my case being the LTE bridge, the rules are evaluated for all bridges. This generates additional load and throughput limitation on the main high bandwidth li...
by sebastia
Sun Oct 20, 2019 2:07 pm
Forum: General
Topic: OpenVPN routing
Replies: 4
Views: 2891

Re: OpenVPN routing

Hi

Problem is with the routing indeed, the first line shouldn't be there:

Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 50 0 0 tun0

I would suggest to not let the client set any gateway, and nat outgoing traffic to clients, on the vpn server (so src-nat then), to it'...
by sebastia
Sat Oct 19, 2019 11:49 pm
Forum: General
Topic: High CPU Usage on CCR 1036-12G-4S
Replies: 4
Views: 4469

Re: High CPU Usage on CCR 1036-12G-4S

Have a look here https://mum.mikrotik.com/presentations/MX17/presentation_4265_1495639302.pdf

But why not start with this:
* masquerade: don't use as you have static ip's -> to be replaced (whenever an ip is lost all connections linked to that will need to be dropped, meaning scanning ALL connection...
by sebastia
Sat Oct 19, 2019 11:23 pm
Forum: General
Topic: IP ARP Issue.
Replies: 2
Views: 1113

Re: IP ARP Issue.

if it's only 1 of 8 failing, I would be looking AT that failing ap. Is it up-to-date and so on...
by sebastia
Sat Oct 19, 2019 11:15 pm
Forum: General
Topic: Queue priority and limits
Replies: 4
Views: 1774

Re: Queue priority and limits

And the total limit is defined at the parent level, all children "borrow" from parent:

/queue tree add limit-at=0 max-limit=5000000 name=ether1 parent=ether1
by sebastia
Sat Oct 19, 2019 11:08 pm
Forum: General
Topic: Slow OpenVPN [SOLVED]
Replies: 6
Views: 4261

Re: Slow OpenVPN [SOLVED]

Do you have a backup or export of your "good" config?
by sebastia
Fri Oct 18, 2019 9:17 pm
Forum: Beginner Basics
Topic: connect with OpenVPNClient
Replies: 1
Views: 1022

Re: connect with OpenVPNClient

Hi

Communicating using your home ip is indeed possible. What you would need to ensure is that all traffic at the vpn client side is routed over the vpn / towards the vpn server endpoint.

Software functionality for all tiks is same, and so any tik can do that.
by sebastia
Mon Sep 23, 2019 10:34 pm
Forum: Beginner Basics
Topic: LTE passthrough winbox issue
Replies: 6
Views: 5769

Re: LTE passthrough winbox issue

in your case the vlan / mgmt traffic is carrying the same mac as passthrough, and hence gets hijacked by lte interface.

in current setup you'll need a bridge with other mac for the vlan

OR

reverse the config: mgmt over "plain" eth and passthrough over vlan without extra bridge
by sebastia
Wed Sep 18, 2019 11:06 pm
Forum: Beginner Basics
Topic: Configuration help. Is this possible?
Replies: 4
Views: 1749

Re: Configuration help. Is this possible?

Hi

While CRS305 technically can do what you propose, it's not meant to do that: it can do pppoe but not at speed, as it's not fast enough on cpu side.
by sebastia
Wed Sep 18, 2019 6:37 pm
Forum: RouterBOARD hardware
Topic: GPER usage questions
Replies: 34
Views: 10915

Re: GPER usage questions

I didn't say I agree with all comments there ;-)
by sebastia
Wed Sep 18, 2019 12:10 am
Forum: RouterBOARD hardware
Topic: GPER usage questions
Replies: 34
Views: 10915

Re: GPER usage questions

by sebastia
Wed Sep 18, 2019 12:00 am
Forum: General
Topic: scrnat rule configuration
Replies: 2
Views: 1640

Re: scrnat rule configuration

Hi

Src-nat and dst-nat are located in different chains and are executed at different times, dst-nat before routing & src-nat after routing. One can't interfere with the other.

List your full firewall config if you need further assistance (/export hide-sensitive)
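The two chains side by side, as an added RouterOS example that is not from the post above. Interface names (ether1 as WAN, bridge as LAN) and the address 192.168.1.10 are constructed; the filter rules are the part a practitioner usually forgets, because dst-nat only rewrites the destination and the forward chain still decides whether the translated packet may pass.

```routeros
# Added example, not from the post. Assumed names: ether1 = WAN, bridge = LAN,
# 192.168.1.10 = internal web server. All addresses are constructed.

/ip firewall nat
# dstnat chain: evaluated BEFORE routing, so the destination is rewritten and
# the packet is then routed to the internal host instead of to the router itself
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=443 \
    comment="WAN:443 -> web server"

# srcnat chain: evaluated AFTER routing, rewrites the source of LAN traffic
# leaving via WAN; it never sees the inbound packet above, so the two rules
# cannot interfere with each other
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="LAN -> WAN"

/ip firewall filter
# the forward chain sees the packet after dst-nat: admit only connections that
# were actually dst-natted, drop every other new connection arriving from WAN
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new in-interface=ether1 \
    connection-nat-state=dstnat comment="only port-forwarded traffic"
add chain=forward action=drop connection-state=new in-interface=ether1 \
    comment="everything else from WAN"

# check: hit counters show which rule a test connection actually matched
/ip firewall nat print stats
/ip firewall filter print stats where chain=forward
```

Rule order matters in both tables; if the filter table already has a catch-all accept or drop in the forward chain, move the three rules above it.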
by sebastia
Tue Sep 17, 2019 11:47 pm
Forum: Beginner Basics
Topic: Difference in setting dhcp options
Replies: 1
Views: 1087

Re: Difference in setting dhcp options

server=available for all networks configurations
network=only that network

see also manual: https://wiki.mikrotik.com/wiki/Manual:I ... CP_Options
by sebastia
Tue Sep 17, 2019 11:34 pm
Forum: General
Topic: Block Multicast
Replies: 3
Views: 2298

Re: Block Multicast

Have a look at http://www.firewall.cx/networking-topics/general-networking/107-network-multicast.html or https://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/ip-multicast/prod_presentation0900aecd80310883.pdf

Drop:
drop frames to the multicast mac range
drop frames with ip protoc...
by sebastia
Tue Sep 17, 2019 10:21 pm
Forum: RouterBOARD hardware
Topic: GPER usage questions
Replies: 34
Views: 10915

Re: GPER usage questions

Thx for the info
by sebastia
Sun Sep 15, 2019 1:06 pm
Forum: Scripting
Topic: ppp profile -> scripts .... run as certain user
Replies: 9
Views: 6011

Re: ppp profile -> scripts .... run as certain user

ssh-exec has been added in 6.45.1 (viewtopic.php?t=149786&hilit=ssh-exec), and CAN be called from scripts!
by sebastia
Sun Sep 15, 2019 12:56 pm
Forum: Beginner Basics
Topic: Not working. What am i missing!?
Replies: 7
Views: 2440

Re: Not working. What am i missing!?

Looks ok.
Post full config (/export hide-sensitive), maybe something else is interfering.
by sebastia
Thu Sep 12, 2019 5:37 pm
Forum: General
Topic: Redundant routers/switches
Replies: 11
Views: 3905

Re: Redundant routers/switches

I'm not sure, but as I know, LACP cannot be set when there is only 1 connection between switches (sw1->sw3 and sw2->sw3). How to set LACP in this scenario?
I was thinking LACP between Hyper-V & SW3.
by sebastia
Thu Sep 12, 2019 2:52 pm
Forum: General
Topic: Redundant routers/switches
Replies: 11
Views: 3905

Re: Redundant routers/switches

Since the Hyper-V is in teaming mode... https://www.vembu.com/blog/configure-nic-teaming-hyper-v/

If Hyper-V ports algorithm is used with Switch Independent teaming mode, the virtual switch can register the MAC addresses of the virtual adapters on separate physical adapters which statically balances...
by sebastia
Thu Sep 12, 2019 2:34 pm
Forum: General
Topic: Redundant routers/switches
Replies: 11
Views: 3905

Re: Redundant routers/switches

Hey

SW3 should be in bridge mode, as both sw1-2 may be active at any time.

Just a remark: the SW3 is a "single point of failure" in that design.
by sebastia
Mon Sep 09, 2019 9:08 pm
Forum: General
Topic: Is the RB3011 a good fit?
Replies: 8
Views: 2922

Re: Is the RB3011 a good fit?

Hey

For general usage, it will do just fine: https://mikrotik.com/product/rb4011igs_ ... estresults
L2TP: don't expect that vpn will be at full speed
bridge: see
by sebastia
Mon Sep 09, 2019 6:38 pm
Forum: General
Topic: IPv4 over IPv6 Tunnel
Replies: 2
Views: 1676

Re: IPv4 over IPv6 Tunnel

Hey

have you tried pinging from B to A?

What is the routing table at SXT LTE like?
by sebastia
Sun Sep 08, 2019 1:51 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

add address=192.168.1.0/24 dns-server=192.168.10.2,1.1.1.1 gateway=192.168.1.254 netmask=24
-> why don't you specify your pi-hole only here?
add address=192.168.1.0/24 dns-server=192.168.10.2 gateway=192.168.1.254 netmask=24

try this instead
/ip firewall filter
add action=accept chain=input comment=...
by sebastia
Sun Sep 08, 2019 1:02 pm
Forum: Forwarding Protocols
Topic: RB 3011UiAS dynamic routes missing for VLANS [SOLVED]
Replies: 4
Views: 10748

Re: RB 3011UiAS dynamic routes missing for VLANS [SOLVED]

Hey

Maybe some config issue, list your config for review (/export hide-sensitive).
by sebastia
Sat Sep 07, 2019 10:45 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

add action=accept chain=forward in-interface= bridge out-interface="eht1 Internet"
is enough

for filter table
output = traffic from router itself
(other were correct)
by sebastia
Sat Sep 07, 2019 1:34 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

these are not needed as dns is on another network
You can force any DNS request to use your DNS by using dst-nat
you're out of context, read last few posts. hint: i've commented on the src-nat!
by sebastia
Sat Sep 07, 2019 1:31 pm
Forum: Beginner Basics
Topic: Somehow im blind
Replies: 5
Views: 2013

Re: Somehow im blind

What are you missing, in your opinion? It could be a working config.
by sebastia
Sat Sep 07, 2019 12:33 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 4395

Re: Wireless redundate link with bonding

Can also add a device each side of the wireless devices then use RSTP
will a wireless bridge pass the xSTP related frames?
by sebastia
Sat Sep 07, 2019 12:30 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

The reason for the Masquerade and DNAT rules are to force any and all DNS query to the Pi that is running PiHole, it's a content blocker based on DNS filter lists.
these are not needed as dns is on another network

As far as I understand, setting the DNS under IP--> DNS Settings will auto assign the...
by sebastia
Sat Sep 07, 2019 12:15 am
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

why do you need this?
add action=src-nat chain=srcnat comment="UDP DNS Masquerade Network" out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53
add action=src-nat chain=srcnat comment="TCP DNS Masquerade Network" out-interface=bridge ...
by sebastia
Fri Sep 06, 2019 11:41 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

either that or ip stack is not correctly configured
list /export hide-sensitive
by sebastia
Fri Sep 06, 2019 10:36 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 4395

Re: Wireless redundate link with bonding

that won't be immediate ;-)
by sebastia
Fri Sep 06, 2019 10:32 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 4395

Re: Wireless redundate link with bonding

hint balance -> balances ;-) over both links

if you want active passive that's a different mode
the "immediate" hand over (subsecond) you can have with active-backup, see viewtopic.php?t=150820#p743780
by sebastia
Fri Sep 06, 2019 10:17 pm
Forum: General
Topic: Netinstall failing on Windows 10
Replies: 4
Views: 3137

Re: Netinstall failing on Windows 10

in my experience, netinstall can get "confused" when there are multiple interfaces active
by sebastia
Fri Sep 06, 2019 10:14 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

you have a problem with connectivity NOT dns resolution

you get an IP for a dns in each kind of test
but ping (icmp) and tcp don't get through..
by sebastia
Fri Sep 06, 2019 10:11 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 4395

Re: Wireless redundate link with bonding

do you want an active-backup or active-active?
xor is the last one
by sebastia
Fri Sep 06, 2019 9:36 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

there is no problem, it's resolving
ping google.com [216.58.223.142]
by sebastia
Fri Sep 06, 2019 8:49 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

so your dns resolution works fine
by sebastia
Fri Sep 06, 2019 8:46 pm
Forum: General
Topic: Wireless redundate link with bonding
Replies: 15
Views: 4395

Re: Wireless redundate link with bonding

have a look at https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding, and especially enable link monitoring, probably arp base
examples: https://wiki.mikrotik.com/wiki/Manual:Bonding_Examples
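An added RouterOS example (not from the thread) of the active-backup mode with ARP link monitoring that the posts above refer to. Interface names ether2/ether3 and the addresses are constructed; the point of ARP monitoring over MII here is that a wireless bridge keeps the Ethernet carrier up even when the radio path is dead, so only a probe across the link notices the failure.

```routeros
# Added example, not from the thread. Assumed: ether2 and ether3 each lead to
# one of the two wireless bridges, 10.0.0.1 is a host on the far side that is
# reachable over both links, 10.0.0.2 is this router (constructed addresses).

/interface bonding
# active-backup: only the primary carries traffic; the other slave takes over
# when ARP probes to the target stop being answered. MII monitoring would not
# help, because the cable to the wireless bridge stays "up" when the radio
# link is gone.
add name=bond-wl slaves=ether2,ether3 mode=active-backup primary=ether2 \
    link-monitoring=arp arp-interval=100ms arp-ip-targets=10.0.0.1 \
    comment="failover over two wireless paths"

/ip address
add address=10.0.0.2/24 interface=bond-wl

# checks: which slave is active right now, and the full configuration
/interface bonding monitor bond-wl once
/interface bonding print detail
```

The ARP target must sit on the far side of the wireless links, not on the local switch, otherwise the probe succeeds while the path that matters is down.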
by sebastia
Fri Sep 06, 2019 8:24 pm
Forum: General
Topic: dst-limit possible problem
Replies: 4
Views: 2189

Re: dst-limit possible problem

only allow them at specified rate, drop rest
by sebastia
Fri Sep 06, 2019 8:15 pm
Forum: Beginner Basics
Topic: RouterBOARD 750P r2 - each interface in different network [SOLVED]
Replies: 2
Views: 1486

Re: RouterBOARD 750P r2 - each interface in different network [SOLVED]

in this config mgmt is only possible from "address=192.168.0.0/24"
none of the interfaces have this range, maybe routed from somewhere else (through ospf)?
by sebastia
Fri Sep 06, 2019 8:08 pm
Forum: General
Topic: Disabling/enabling SXT LTE web access via ssh
Replies: 1
Views: 916

Re: Disabling/enabling SXT LTE web access via ssh

disable www & www-ssl ip services
by sebastia
Fri Sep 06, 2019 8:03 pm
Forum: Beginner Basics
Topic: RB750, Pi-Hole and cross interface communication
Replies: 37
Views: 7526

Re: RB750, Pi-Hole and cross interface communication

to verify dns functionality and limit the scope try testing with "ping" (udp dns) & "nslookup" (tcp dns). both do minimal functions.

if ping <some dns name> uses an ip -> udp dns works
if nslookup <some dns server> works -> tcp firewall / nat works
by sebastia
Fri Sep 06, 2019 7:53 pm
Forum: Forwarding Protocols
Topic: Routing problem.
Replies: 6
Views: 3176

Re: Routing problem.

don't see/have the details, but vpn needs to be src-nat, and your internet uplink probably as well, so in that sense it might be
by sebastia
Fri Sep 06, 2019 5:55 pm
Forum: Forwarding Protocols
Topic: Routing problem.
Replies: 6
Views: 3176

Re: Routing problem.

for masq, out interface should be the vpn interface not ether1
don't use srcaddress list on the rule & just nat all going out over vpn -> less potential for issues
by sebastia
Fri Sep 06, 2019 4:23 pm
Forum: Forwarding Protocols
Topic: Routing problem.
Replies: 6
Views: 3176

Re: Routing problem.

The other side doesn't know your internal network, to resolve you need to setup src natting on your vpn interface (src-nat or masq)
by sebastia
Fri Sep 06, 2019 2:50 pm
Forum: Scripting
Topic: Parse ping result
Replies: 3
Views: 4871

Re: Parse ping result

Have a look at getRTT function here viewtopic.php?t=129294
by sebastia
Fri Sep 06, 2019 2:45 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 3379

Re: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN

in that case you probably don't need any port forwarding as the cameras are connecting to cloud themselves (from inside to outside)? check it / consult documentation

you'll need to verify how the app is finally connecting to the camera, through cloud or some other manner? If "some other" ...
by sebastia
Thu Sep 05, 2019 11:28 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 3379

Re: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN

do you have some central management console / server?
and how do you "connect" to these devices from outside? directly or through some cloud feature?
by sebastia
Thu Sep 05, 2019 10:41 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 3379

Re: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN

if you want to access each separately, then yes, port forward different ports to specific devices
by sebastia
Thu Sep 05, 2019 9:41 pm
Forum: General
Topic: Policy to block website in Mikrotik increase CPU
Replies: 16
Views: 3941

Re: Policy to block website in Mikrotik increase CPU

what is the /tool profile indicating?
could you share details on how the blocking works?
by sebastia
Thu Sep 05, 2019 9:36 pm
Forum: RouterBOARD hardware
Topic: CPU usage upto 90%
Replies: 2
Views: 2296

Re: CPU usage upto 90%

there was a presentation by Tik support on some frequent issues with pppoe servers: https://mum.mikrotik.com/presentations/ ... 948376.pdf
have a look if relevant for you
by sebastia
Thu Sep 05, 2019 9:25 pm
Forum: Beginner Basics
Topic: 1 interface, 2 vlans, prioritize Vlan2 95%
Replies: 8
Views: 2547

Re: 1 interface, 2 vlans, prioritize Vlan2 95%

how about vlan priority? https://wiki.mikrotik.com/wiki/Manual:W ... t_priority + shaping vlan2 to 95% of bandwidth
by sebastia
Thu Sep 05, 2019 9:08 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 3379

Re: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN

/ip address add address=192.168.13.1/24 interface=ether2 network=192.168.13.0
=> should be on bridge2

mikrotik doesn't have a dmz setting, needs to be done manually
basically, any connection to the router which is "new" (so not part of existing connection from router) should be then dst-na...
by sebastia
Wed Sep 04, 2019 10:42 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 3379

Re: i have a problem, need help

post your config, as it's not clear what is what...
/export hide-sensitive (and replace any public ip's)
by sebastia
Wed Sep 04, 2019 5:07 pm
Forum: Beginner Basics
Topic: CCR to CRS using S+DA0001 [SOLVED]
Replies: 7
Views: 2674

Re: CCR to CRS using S+DA0001

Hey

On paper it sound all right, only there have been some reports of 317 instabilities when under full load. Then there are also people saying they are rock-solid...
by sebastia
Wed Sep 04, 2019 5:02 pm
Forum: General
Topic: Need help with DMZ config without access to the cameras IP and home automation devices by the WAN
Replies: 15
Views: 3379

Re: i have a problem, need help

And what is your question / request?
Also, post config in between < code > tags
by sebastia
Wed Sep 04, 2019 1:06 pm
Forum: General
Topic: Low Throughput on 2011 [SOLVED]
Replies: 5
Views: 2244

Re: Low Throughput on 2011 [SOLVED]

Hey
* with fast-path disabled, fast-track will not work either
* you'll need to exclude 88.200 from fasttrack, or mangling for route mark will not work
* You seem to have two wans? indihome + oxygen. is oxygen some vpn for 88.200 only?
* you have in config
/interface pppoe-client add ac-name=BRAS3-D2-...
by sebastia
Wed Sep 04, 2019 12:46 pm
Forum: General
Topic: Tls host not work
Replies: 9
Views: 10043

Re: Tls host not work

I didn't try regex in content, but it does match on plain text.

For https, your current L7 will be working with TCP and SSL handshake which is still unencrypted data
by sebastia
Mon Sep 02, 2019 8:54 pm
Forum: General
Topic: OpenVPN move to another Board [SOLVED]
Replies: 6
Views: 6704

Re: OpenVPN move to another Board [SOLVED]

Hi

Normally one only import private key on target/server device. The public part can be distributed to the users of that server.

If Tik is CA, only import private key.
for ovpn server: only import private key
for ovpn client: only import private client key
by sebastia
Mon Sep 02, 2019 8:46 pm
Forum: Beginner Basics
Topic: two networks with vlan in RB2011 and Groove
Replies: 2
Views: 1352

Re: two networks with vlan in RB2011 and Groove

hey

and how is the Groove connected to 2011?
by sebastia
Mon Sep 02, 2019 3:37 pm
Forum: Beginner Basics
Topic: can I access mikrotik rb2011 through internet
Replies: 7
Views: 1989

Re: can I access mikrotik rb2011 through internet

do you have public ip on rb2011? check under "/ip address" in Winbox or through command "/ip address print"
by sebastia
Mon Sep 02, 2019 3:26 pm
Forum: Beginner Basics
Topic: can I access mikrotik rb2011 through internet
Replies: 7
Views: 1989

Re: can I access mikrotik rb2011 through internet

That depends on your isp infrastructure (do you have public ip assigned? any ports which are not blocked by isp?) and the configuration of the Tik (what firewall setting do you have there?).
by sebastia
Mon Sep 02, 2019 3:24 pm
Forum: RouterBOARD hardware
Topic: hAP AC2 for home use
Replies: 12
Views: 10831

Re: hAP AC2 for home use

Hi

Does that Mikrotik remain ISP's property?
by sebastia
Mon Sep 02, 2019 11:49 am
Forum: General
Topic: Tls host not work
Replies: 9
Views: 10043

Re: Tls host not work

that or the "content" packet matching in plain firewall
by sebastia
Sun Sep 01, 2019 12:35 pm
Forum: General
Topic: Tls host not work
Replies: 9
Views: 10043

Re: Tls host not work

I would expect not as it related to Transport Layer Security which is not used with plain http.
by sebastia
Sat Aug 31, 2019 11:48 pm
Forum: General
Topic: Quee Process High
Replies: 1
Views: 1044

Re: Quee Process High

Hey

Do you have another system to test these changes?

In this particular case I would take that "advice" with a HUGE grain of salt, or better yet: just ignore it...
Simple queues are processed by multiple cpu cores, which spreads the load. Do you see that? Try monitoring with /tool profile...
by sebastia
Fri Aug 30, 2019 11:07 am
Forum: Scripting
Topic: mkdir function for easy folder creation [SOLVED]
Replies: 19
Views: 11973

Re: mkdir function for easy folder creation [SOLVED]

I am somewhat shocked.
A script of 200+ lines is needed just to create a folder in RouterOS.
This is something MT should add as a built in function.
You can always log in via FTP to create a folder and/or copy/move files.
which is exactly what the script does...

NOT an acceptable "solution"
by sebastia
Fri Aug 30, 2019 10:34 am
Forum: General
Topic: Problem ping different lan
Replies: 1
Views: 859

Re: Problem ping different lan

This is not Tik related! You should be asking on Windows forums...

Hint: indicate in windows that the connection is "private"
by sebastia
Fri Aug 30, 2019 1:19 am
Forum: General
Topic: And now?
Replies: 3
Views: 1327

Re: And now?

I thought so ;-)
by sebastia
Thu Aug 29, 2019 11:56 pm
Forum: General
Topic: RB4011 "under clocking" at 533MHz / frequency scaling
Replies: 3
Views: 2192

Re: RB4011 "under clocking" at 533MHz / frequency scaling

busted ;-), I don't own a 4011... Good to know, thx

I meant low-power, based on actual usage: "Max power consumption 44 W"
that's not a lot
by sebastia
Thu Aug 29, 2019 11:49 pm
Forum: General
Topic: And now?
Replies: 3
Views: 1327

Re: And now?

simple, as a mitigation, firewall / filter the api port
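What "filter the api port" and "disable www & www-ssl ip services" (the SXT LTE answer further up) look like together, as an added RouterOS example that is not from either post. The management subnet 192.168.88.0/24, bridge as LAN and ether1 as WAN are assumptions; the idea is that every service the router does not need is off, the rest answers only to the management network, and the input chain enforces the same thing a second time.

```routeros
# Added example, not from the posts. Assumed: bridge = LAN, ether1 = WAN,
# 192.168.88.0/24 = management network (all constructed).

/ip service
# turn off what is not used, the plain-text services first
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
# keep the encrypted ones, but answer only from the management subnet
set api-ssl address=192.168.88.0/24
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24

/ip firewall filter
# input chain = traffic to the router itself. The table is evaluated top-down,
# so these must sit above any existing catch-all rule in the input chain.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=bridge src-address=192.168.88.0/24 \
    protocol=tcp dst-port=22,8291,8729 comment="ssh/winbox/api-ssl from mgmt only"
add chain=input action=drop in-interface=ether1 comment="nothing to the router from WAN"

# checks: what is still listening, and the resulting input chain order
/ip service print
/ip firewall filter print where chain=input
```

The service-level address restriction and the firewall rule are deliberately redundant: if one of them is later loosened by mistake, the other still keeps the API off the WAN side.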
by sebastia
Thu Aug 29, 2019 11:29 pm
Forum: Beginner Basics
Topic: VLAN between two routers. Can it work!? If so how?
Replies: 9
Views: 3785

Re: VLAN between two routers. Can it work!? If so how?

- to keep the high speed datastreams away from pfSense (intel Pentium)
- to see if it was an option to use the internal router instead of pfSense
-> a CRS can't route 10g of data either!
-> not with a CRS
* to save interfaces between pfSense and the CRS317
-> don't understand that one
* to have a l...
by sebastia
Thu Aug 29, 2019 9:17 pm
Forum: Beginner Basics
Topic: VLAN between two routers. Can it work!? If so how?
Replies: 9
Views: 3785

Re: VLAN between two routers. Can it work!? If so how?

Hey

CRS is not a router, so you shouldn't be using it as one. I would suggest to upgrade the pfSense to "the only router" status:
* only bridge on CRS for "data" vlans -> you did say that pfSense is owner of these! if so, CRS should not route (nor firewall)
* this means no ip on d...
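An added RouterOS example (not from the thread) of the "switch only, pfSense routes" layout the two posts above argue for: the CRS bridges the data VLANs in hardware and keeps an IP address only in a separate management VLAN. Port names sfp-sfpplus1..3, VLAN ids 10 and 99 and the 10.99.0.0/24 addresses are constructed.

```routeros
# Added example, not from the thread. Assumed: sfp-sfpplus1 is the trunk to
# pfSense, sfp-sfpplus2/3 are access ports in data VLAN 10, VLAN 99 is the
# switch's own management VLAN (all constructed).

/interface bridge
add name=bridge1 comment="vlan-filtering is switched on last"

/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus1 comment="trunk: all VLANs tagged"
add bridge=bridge1 interface=sfp-sfpplus2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged comment="access, VLAN 10"
add bridge=bridge1 interface=sfp-sfpplus3 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged comment="access, VLAN 10"

/interface bridge vlan
# data VLAN: bridge1 itself is NOT a member, so the switch CPU has no
# interface in it and cannot route or be reached from it
add bridge=bridge1 vlan-ids=10 tagged=sfp-sfpplus1 untagged=sfp-sfpplus2,sfp-sfpplus3
# management VLAN: only the trunk and the bridge CPU port
add bridge=bridge1 vlan-ids=99 tagged=sfp-sfpplus1,bridge1

# the switch's only L3 presence: one address in the management VLAN,
# default route towards pfSense
/interface vlan
add name=mgmt interface=bridge1 vlan-id=99
/ip address
add address=10.99.0.2/24 interface=mgmt
/ip route
add dst-address=0.0.0.0/0 gateway=10.99.0.1 comment="pfSense does the routing"

# enable filtering only now; doing it first cuts off your own session
/interface bridge set bridge1 vlan-filtering=yes

# checks: VLAN membership table and that no address lives on a data VLAN
/interface bridge vlan print
/ip address print
```

With no IP address in VLAN 10, a host on the data VLAN has nothing on the switch to talk to; management and firewalling stay on pfSense, which is what the posts recommend.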
by sebastia
Thu Aug 29, 2019 7:13 pm
Forum: General
Topic: RB4011 "under clocking" at 533MHz / frequency scaling
Replies: 3
Views: 2192

Re: RB4011 "under clocking" at 533MHz / frequency scaling

Hey

cpu frequency settings require a reboot to become active (part of boot configuration), so use of script would be limited.

Impact-wise, functionally it should do exactly same thing, but slower... Anything running on cpu will be impacted: routing, queuing, firewall, ... Hardware based switching /...
by sebastia
Wed Aug 28, 2019 12:18 am
Forum: General
Topic: Suggestion: VPN over ICMP
Replies: 3
Views: 2293

Re: Suggestion: VPN over ICMP

Hello

From high-level point of view, there would be little difference between udp. And high stream of large icmp packets would be a red flag on its own. Furthermore, some networks / routers perform icmp "optimisation" / rate limiting, which would result in high packet loss. So far from st...
by sebastia
Tue Aug 27, 2019 10:58 am
Forum: General
Topic: Mark packet dont work like expected
Replies: 2
Views: 952

Re: Mark packet dont work like expected

What is your goal? What did you expect?
by sebastia
Tue Aug 27, 2019 1:36 am
Forum: Scripting
Topic: Remove src-address via script... [SOLVED]
Replies: 2
Views: 7384

Re: Remove src-address via script... [SOLVED]

/ip firewall nat set [find where action="masquerade"] !src-address out-interface-list=WAN
by sebastia
Mon Aug 26, 2019 10:37 pm
Forum: Beginner Basics
Topic: Trouble with setting priorities
Replies: 8
Views: 4454

Re: Trouble with setting priorities

If you want to have good gaming experience, then indeed you'll need to limit total download from router to all networks together to less than what modem can do. Similar for upload, limit all upload traffic to less than what modem can upload. 90-95% is a safe starting point.

your wan is ether1, update con...
by sebastia
Mon Aug 26, 2019 7:40 pm
Forum: Beginner Basics
Topic: tag all untagged traffic - can't get it working
Replies: 12
Views: 3504

Re: tag all untagged traffic - can't get it working

Sniffing takes place "close" to physical layer, and tagging might not have happened yet. Have you tried sniffing a trunk port down the hill? Wrt config, there are few entries, see https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples. Is the vlan 10 already defined unde...
by sebastia
Mon Aug 26, 2019 7:24 pm
Forum: General
Topic: Force NTP Client Update
Replies: 5
Views: 5615

Re: Force NTP Client Update

Hey

ntp client will determine on its own how frequently it should poll the upstream server for time update. Usually it starts at 64s and backs down to 1024s, once clocks are in sync and drift is under control.
by sebastia
Sat Aug 24, 2019 2:49 pm
Forum: Useful user articles
Topic: Whitelisting websites
Replies: 16
Views: 22594

Re: Whitelisting websites

Hoi
All connections start with dns resolution. Filter / control these and you'll be able to control what connections are made (for most part).
by sebastia
Sat Aug 24, 2019 12:11 pm
Forum: Beginner Basics
Topic: Trouble with setting priorities
Replies: 8
Views: 4454

Re: Trouble with setting priorities

Hey

Start with posting your current config (/export hide-sensitive), and indicate what you want to achieve: ip/port/bandwidth/...
by sebastia
Fri Aug 23, 2019 7:03 pm
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 14024

Re: Failover capabilities with unmanaged switches involved [SOLVED]

You keep on stating that, but without any references to back up your case. I on the other hand have proven with above setups that it indeed is the case. When you state that, I'm not so sure if you know what is going on... why don't you then explain to us if you're so sure of yourself what is going o...
by sebastia
Fri Aug 23, 2019 3:57 pm
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 14024

Re: Failover capabilities with unmanaged switches involved [SOLVED]

unmanaged switches don't participate in lldp, as said before they don't even have their own mac
even this works just fine in any direction and any link interruption
(attachment: 2+2switches.png)
see also web: https://networkengineering.stackexchang ... e-switches
by sebastia
Fri Aug 23, 2019 12:30 pm
Forum: General
Topic: Bridge VLAN Configuration not being applied
Replies: 4
Views: 1829

Re: Bridge VLAN Configuration not being applied

good plan!
by sebastia
Fri Aug 23, 2019 12:28 pm
Forum: Beginner Basics
Topic: New User Questions
Replies: 1
Views: 1011

Re: New User Questions

Hey, welcome on the forum. hap ac: did you connect port 1 to your network? That port, in default config, is designated Wan, and firewalled. best would be to disable the dhcp server on the bridge, within RouterOs, change the ip of the bridge and connect one of these ports to your internal network. hex which ...
by sebastia
Fri Aug 23, 2019 12:17 pm
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 14024

Re: Failover capabilities with unmanaged switches involved [SOLVED]

And to remove any doubt, this one works just fine too
(attachment: 2+1switches.png)
by sebastia
Fri Aug 23, 2019 11:57 am
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 14024

Re: Failover capabilities with unmanaged switches involved [SOLVED]

I disagree, an unmanaged switch is essentially invisible on the wire, it just passes packets around and has no own mac. So the above network boils down to this: 2switches.png with STP enabled on both ends, on bridge level, auto fail-over will function # R1 /interface bridge add name=bridge /interfac...
by sebastia
Fri Aug 23, 2019 12:36 am
Forum: SwOS
Topic: Failover capabilities with unmanaged switches involved [SOLVED]
Replies: 11
Views: 14024

Re: Failover capabilities with unmanaged switches involved [SOLVED]

well, there are two in this setup CRS & CSS...
by sebastia
Thu Aug 22, 2019 5:33 pm
Forum: General
Topic: Hap Ac 2, not capable of 1Gbit transfer
Replies: 11
Views: 3020

Re: Hap Ac 2, not capable of 1Gbit transfer

The only thing that drew my attention was dhcp-snooping on bridge, but it's supposed to be done in hardware on AR8327... some other thoughts * check that counters for FastPath are "moving" * check cpu usage during transfer * do you test with multiple streams? * check bridge ports have "...
by sebastia
Thu Aug 22, 2019 4:47 pm
Forum: General
Topic: Hap Ac 2, not capable of 1Gbit transfer
Replies: 11
Views: 3020

Re: Hap Ac 2, not capable of 1Gbit transfer

could you post the config?
by sebastia
Thu Aug 22, 2019 12:54 pm
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 2115

Re: Mikrotik CCR 1036 8G 2S+ Performance issue

which version are you running? remember that there was a bug in ROS with regards to that;
Ros 6.45.1:
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;
by sebastia
Thu Aug 22, 2019 12:20 pm
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 2115

Re: Mikrotik CCR 1036 8G 2S+ Performance issue

Hey

Do you have connection tracking enabled?
was the ddos on ipv6? there was an issue with that not so long ago (implementation in ROS), with a patch release. do you have it?

Edit: just noticed you don't have connection tracking enabled viewtopic.php?f=2&t=151403
by sebastia
Thu Aug 22, 2019 11:25 am
Forum: General
Topic: Discord question
Replies: 7
Views: 4606

Re: Discord question

hey, list your full firewall rule set, for both ipv4 & ipv6. what I'm wondering: you have the fasttrack dummy rule, but not fasttrack itself..., view is incomplete fasttrack will bypass most of ip processing for the bigger part of packets of a connection, but on a regular basis packets will be processed ...
by sebastia
Wed Aug 21, 2019 8:13 pm
Forum: Beginner Basics
Topic: Bridge untagged ether1 with tagged vlan3 on ether1.
Replies: 10
Views: 3194

Re: Bridge untagged ether1 with tagged vlan3 on ether1.

Anyway, once you put interfaces in a bridge, all configuration related to them needs to be done on the level of bridge. That includes ips, vlans, ... from the sound of it, you would want to bridge the vlans only, 3 and "1" (or another but untagged on ether1) If that's not enough, I would a...
by sebastia
Wed Aug 21, 2019 5:38 pm
Forum: Beginner Basics
Topic: Bridge untagged ether1 with tagged vlan3 on ether1.
Replies: 10
Views: 3194

Re: Bridge untagged ether1 with tagged vlan3 on ether1.

And what is the point of all that? These are still separate networks...

At least your footer is totally correct :-p
by sebastia
Wed Aug 21, 2019 3:16 pm
Forum: General
Topic: 2 wan load balancing with failover problems
Replies: 9
Views: 4181

Re: 2 wan load balancing with failover problems

is there a way to set 80/20 for example? Not directly, but you can achieve this by being creative: repeat a link multiple times, for 80/20, pretend you have 5 links each good for 20% of traffic: wan1,wan1,wan1,wan1,wan2 Another option, is bandwidth based load-balancing: https://forum.mikrotik.com/v...
by sebastia
Wed Aug 21, 2019 2:11 pm
Forum: General
Topic: 2 wan load balancing with failover problems
Replies: 9
Views: 4181

Re: 2 wan load balancing with failover problems

the default routes are only relevant in context of fail-over: each connection gets assigned to either Wan1 or Wan2 in mangling, only when that link is not up will the default be relevant. the current load balancing is 50/50 add action=mark-connection chain=prerouting connection-mark=no-mark \ dst-ad...
by sebastia
Wed Aug 21, 2019 1:05 pm
Forum: General
Topic: 2 wan load balancing with failover problems
Replies: 9
Views: 4181

Re: 2 wan load balancing with failover problems

you should remove fasttrack (action=fasttrack-connection, 3 instances), as it's not compatible with loadbalancing "add action=accept chain=prerouting comment=router dst-address-list=router" should be at the beginning of chain / before all LB logic your default routes should have different ...
by sebastia
Wed Aug 21, 2019 10:56 am
Forum: General
Topic: Moving rules from Filter to RAW cause better performance?
Replies: 7
Views: 3760

Re: Moving rules from Filter to RAW cause better performance?

as stated there("conntrack by default is most expensive RouterOS facility"), the high cost of/before "filter" table is the connection tracking logic. If it's disabled, it won't matter whether it's in raw or filter.
by sebastia
Wed Aug 21, 2019 10:53 am
Forum: Scripting
Topic: RoS functions cannot log when called from a Netwatch script
Replies: 5
Views: 3059

Re: RoS functions cannot log when called from a Netwatch script

actually that one ;-)
Since RouterOS v6.42 Netwatch is limited to read,write,test,reboot script policies.
To access global variables, "policy" right is needed
by sebastia
Wed Aug 21, 2019 10:48 am
Forum: Beginner Basics
Topic: Bridge untagged ether1 with tagged vlan3 on ether1.
Replies: 10
Views: 3194

Re: Bridge untagged ether1 with tagged vlan3 on ether1.

Let me rephrase: bridge is not what you are looking for = wrong in this case.

vlan3 & lan have different ip ranges so direct communication between devices is not possible -> a router between is needed to do the forwarding. A bridge will not solve that.
by sebastia
Tue Aug 20, 2019 11:19 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 8342

Re: Slow Gbit speed with Mikrotik hex S

If you swap the clients, do you also get "reverse" throughput? If so then I would start looking at the clients / software
by sebastia
Tue Aug 20, 2019 10:51 pm
Forum: General
Topic: Slow Gbit speed with Mikrotik hex S
Replies: 15
Views: 8342

Re: Slow Gbit speed with Mikrotik hex S

Hey

All ports are independent, right? Not sure about the first transfer, but the second test is reaching a physical limitation, as both ether1 & ether5 are on the same data bus, which is limited to 1Gb/s.

see block diagram without switching: https://mikrotik.com/product/hex_s#fndtn-downloads
by sebastia
Tue Aug 20, 2019 10:20 pm
Forum: Scripting
Topic: RoS functions cannot log when called from a Netwatch script
Replies: 5
Views: 3059

Re: RoS functions cannot log when called from a Netwatch script

netwatch doesn't have enough permissions to invoke a global script, see note on https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch
by sebastia
Tue Aug 20, 2019 10:09 pm
Forum: General
Topic: 2 wan load balancing with failover problems
Replies: 9
Views: 4181

Re: 2 wan load balancing with failover problems

Hey

For starters, post your current config: /export hide-sensitive (in-between code tags)
by sebastia
Tue Aug 20, 2019 10:07 pm
Forum: Beginner Basics
Topic: 4G LTE Confusion
Replies: 3
Views: 1433

Re: 4G LTE Confusion

Hey SXT-4g supports ONLY 4G. It will not connect over anything else. SXT-LTE supports 4G+3G+2G. Regarding the speed, your phone will have a better modem (if at all recent it will support Carrier Aggregation (~bonding for LTE)) than what is in the SXT. So most likely you won't get similar rates. On the other...
by sebastia
Tue Aug 20, 2019 9:54 pm
Forum: Beginner Basics
Topic: Bridge untagged ether1 with tagged vlan3 on ether1.
Replies: 10
Views: 3194

Re: Bridge untagged ether1 with tagged vlan3 on ether1.

Hey

Why would you need the bridge anyway?
There is only one interface of each...
by sebastia
Tue Aug 20, 2019 9:46 pm
Forum: General
Topic: Bridge VLAN Configuration not being applied
Replies: 4
Views: 1829

Re: Bridge VLAN Configuration not being applied

a port without pvid would be a port with tagged traffic -> trunk port On https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table doc says PVID - The Port VLAN ID is used for access ports to tag all ingress traffic with a specific VLAN ID. A dynamic entry is added in the bridge VLAN table for every P...
by sebastia
Tue Aug 20, 2019 9:40 pm
Forum: Beginner Basics
Topic: Routing traffic from specific src addresses through specific VPN gateways [SOLVED]
Replies: 4
Views: 2708

Re: Routing traffic from specific src addresses through specific VPN gateways [SOLVED]

Nice investigation - analysis - solution track. Congrats The answer to your question: when a connection is fasttrack-ed, some of its packets are bypassing, among others, mangling, and in your case the special routing. The packets arriving at the destination are then discarded as coming from an unknown...
by sebastia
Tue Aug 20, 2019 12:55 pm
Forum: Scripting
Topic: Triggered execution? Interface up/down etc
Replies: 6
Views: 5810

Re: Triggered execution? Interface up/down etc

Hey

To my knowledge not directly. There is netwatch, with up & down scripts, but it's not synchronous. It will not be triggered by the event, but by (delayed) detection.
by sebastia
Tue Aug 20, 2019 12:52 pm
Forum: Beginner Basics
Topic: Routing traffic from specific src addresses through specific VPN gateways [SOLVED]
Replies: 4
Views: 2708

Re: Routing traffic from specific src addresses through specific VPN gateways [SOLVED]

Hey You should consider nat independent of routing: route decides how traffic should be forwarded, nat specifies if traffic leaving a particular interface should be changed. In your case: Routing /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark ... passthrough=...
by sebastia
Mon Aug 19, 2019 11:46 pm
Forum: Beginner Basics
Topic: set Queue on ether2
Replies: 5
Views: 1658

Re: set Queue on ether2

please list your config: /export hide-sensitive
Also what do you want to limit? upload, download, both?
by sebastia
Sun Aug 18, 2019 1:08 am
Forum: Wireless Networking
Topic: LTE based internet and WiFi network at home
Replies: 11
Views: 4077

Re: LTE based internet and WiFi network at home

1. if you want to set up / test an LTE AP, then yes you'll need a sim to get an active LTE uplink 2. indeed 3. in short: it depends. strength of cell tower signal, interference (other users / towers) and quality of the client's antenna, for transmissions in both directions. Wrt to wap lte, its antenna doesn't ...
by sebastia
Fri Aug 16, 2019 7:40 pm
Forum: Wireless Networking
Topic: LTE based internet and WiFi network at home
Replies: 11
Views: 4077

Re: LTE based internet and WiFi network at home

Yes, all can. But if you specifically need wireless, have a look at wap lte kit.
by sebastia
Tue Aug 13, 2019 4:44 pm
Forum: General
Topic: VLAN or port isolation?
Replies: 18
Views: 9952

Re: VLAN or port isolation?

Yes it will be slower, if enabled.

But if you won't do vlan filtering on 4011 (= selective vlan bridging) that won't be a problem
by sebastia
Tue Aug 13, 2019 3:59 pm
Forum: General
Topic: VLAN or port isolation?
Replies: 18
Views: 9952

Re: VLAN or port isolation?

what do you mean by "Note that the 4011 doesn't do vlan filtering in hardware."? Could this make any trouble? Or is it just for info?
If you enable "vlan-filtering=yes" on 4011, all vlans will need to pass over the cpu. On CSS3xx it's in hardware.
by sebastia
Tue Aug 13, 2019 10:53 am
Forum: Beginner Basics
Topic: File download block?
Replies: 25
Views: 9138

Re: File download block?

With blocking of a connection once a volume is reached one can block that connection, but the user can just resume the download with a new connection. So the net effect is a slight delay. A more effective approach would be to slow down the connection once a volume has been reached: based on volume, assi...
by sebastia
Tue Aug 13, 2019 10:08 am
Forum: General
Topic: VLAN or port isolation?
Replies: 18
Views: 9952

Re: VLAN or port isolation?

Hi I would think that this will depend on the setting: are the networks / devices in these networks isolated or do they share the same spaces port isolation might provide more guarantees from a security point of view vlans are a more flexible kind of port isolation dictates complexity of configuration: on ro...
by sebastia
Tue Aug 13, 2019 9:57 am
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 9561

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Agreed with port number change, nat is needed.

@Sob: not sure what would break with DNSSEC, as the internal dns server, as an authoritative server, would present internal records with its own signatures.
by sebastia
Sun Aug 11, 2019 12:05 am
Forum: RouterBOARD hardware
Topic: Power consumption difference - CSS326 / CRS326
Replies: 1
Views: 1715

Re: Power consumption difference - CSS326 / CRS326

Hey
...to have an identical hardware...
This is NOT the case, switch chips are different and with different capabilities: nand, ram, cpu
by sebastia
Sat Aug 10, 2019 5:23 pm
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 9561

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

@2frogs Split DNS configuration is standard practice in networks with internal and external addressing. It is a proper solution if internal resources need to be accessed. The alternative "hairpin" is abusing natting, as two NATs are needed, first redirect to internal destination (dst-nat) th...
by sebastia
Sat Aug 10, 2019 1:51 pm
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 9561

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Hey # You don't need these add action=accept chain=forward dst-port=80 in-interface=pppoe-out1 protocol=tcp add action=accept chain=forward dst-port=443 in-interface=pppoe-out1 protocol=tcp add action=accept chain=forward comment="Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat...
by sebastia
Sat Aug 10, 2019 4:43 am
Forum: General
Topic: lease-hostname lease script variable not working
Replies: 3
Views: 3204

Re: lease-hostname lease script variable not working

hey, try $"lease-hostname" instead
by sebastia
Sat Aug 10, 2019 4:29 am
Forum: General
Topic: vlan and bridge forward traffic to wds interfaces
Replies: 5
Views: 2286

Re: vlan and bridge forward traffic to wds interfaces

Don't know about the other vlans, but 20 should be carried only over ether5 + cpu, so # only to cpu & ether5 /interface ethernet switch vlan add ports=ether5,switch1-cpu switch=switch1 vlan-id=20 # add cpu port info /interface ethernet switch port set switch1-cpu vlan-header=leave-as-is vlan-mod...
by sebastia
Thu Aug 08, 2019 11:10 pm
Forum: RouterBOARD hardware
Topic: RBSXTR&R11e-LTE + Back Up Link
Replies: 2
Views: 1796

Re: RBSXTR&R11e-LTE + Back Up Link

Hi

No, you'll need to do it (ex: with script) yourself.
by sebastia
Thu Aug 08, 2019 10:50 pm
Forum: RouterBOARD hardware
Topic: Switch stacking?
Replies: 9
Views: 19025

Re: Switch stacking?

And how about connecting switches over fast(er) trunk ports? Ex: connect 2 CRS326/CSS326 over their SFP+ port(s) and as such generate a 48 port switching plane?
by sebastia
Thu Aug 08, 2019 1:44 pm
Forum: RouterBOARD hardware
Topic: WAN to LAN performance clarity sought...
Replies: 1
Views: 1607

Re: WAN to LAN performance clarity sought...

4011 + rack = 1100AHx4
by sebastia
Wed Aug 07, 2019 3:56 pm
Forum: General
Topic: Routing between VLAN & VLAN+VPN
Replies: 4
Views: 2065

Re: Routing between VLAN & VLAN+VPN

to start with, move "accept established & related" to the top of the forward chain -> stateful part of firewall so rules for forward should be: 1. accept established / related 2. drop invalid 3 (rest) In the rest you can then control from where connections are allowed: ex lan -> guest is allowed...
by sebastia
Wed Aug 07, 2019 3:49 pm
Forum: Beginner Basics
Topic: Basic questions about Queues [SOLVED]
Replies: 5
Views: 2480

Re: Basic questions about Queues [SOLVED]

For queues to make sense you need to have a global maximum, if there is none, each subqueue can borrow without limit, and there won't be any prioritisation. such a queue tree needs to be attached to an independent interface, ex wan, lan. This can be a "naked" interface, etherX, or a bridge groupin...
by sebastia
Wed Aug 07, 2019 3:42 pm
Forum: General
Topic: Router - AP with WIFI guest on VLAN don't work
Replies: 4
Views: 1665

Re: Router - AP with WIFI guest on VLAN don't work

So how can i receive untagged traffic in the bridge (to use local LAN) ...? untagged of ether5 will just be "forwarded" to bridge and cpu So how can i receive ... and tagged traffic (vlan-20) out of the bridge ? tagged will be received by vlan on the bridge Todo: migrate vlan to bridge mi...
by sebastia
Wed Aug 07, 2019 3:30 pm
Forum: General
Topic: vlan and bridge forward traffic to wds interfaces
Replies: 5
Views: 2286

Re: vlan and bridge forward traffic to wds interfaces

Have a look at this thread for general info: viewtopic.php?f=13&t=143620
and this wiki for switch based: https://wiki.mikrotik.com/wiki/Manual:S ... p_Examples
by sebastia
Tue Aug 06, 2019 8:07 pm
Forum: Beginner Basics
Topic: default wan
Replies: 7
Views: 2057

Re: default wan

If you can do, then the gateway will be explicit / unique. Right now that's not the case. Otherwise qualify the interface that should be used: gateway="IP%interface"
by sebastia
Tue Aug 06, 2019 7:46 pm
Forum: General
Topic: [ROS/Firewall] How to MANGLE by raw HEX bytes ? [SOLVED]
Replies: 10
Views: 2322

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Try this: content="\03abc\03com" Just tried, not working. Working fine here (from terminal): /ip firewall mangle add action=passthrough chain=prerouting content="cnn\03com" dst-port=53 in-interface=e1_int log=yes log-prefix="DNS catch: " \ protocol=udp "ping cnn.co...
by sebastia
Tue Aug 06, 2019 1:38 pm
Forum: General
Topic: [ROS/Firewall] How to MANGLE by raw HEX bytes ? [SOLVED]
Replies: 10
Views: 2322

Re: [ROS/Firewall] How to MANGLE by raw HEX bytes ?

Try this:
content="\03abc\03com"
by sebastia
Tue Aug 06, 2019 1:31 am
Forum: General
Topic: Router - AP with WIFI guest on VLAN don't work
Replies: 4
Views: 1665

Re: Router - AP with WIFI guest on VLAN don't work

Hello

wrt hac
ether5 participates in the bridge (is a slave): it can't operate as an independent interface: not for ip address, vlan, firewall, ...

* hence the vlan should be defined on bridge.
* vlan ip should be assigned to "vlan-guest" interface
by sebastia
Tue Aug 06, 2019 1:17 am
Forum: Beginner Basics
Topic: how to set time limit to dhcp client
Replies: 3
Views: 2979

Re: how to set time limit to dhcp client

Hey

If I got your question right, it's the "lease-time": duration of ip assignment.
by sebastia
Tue Aug 06, 2019 1:08 am
Forum: Wireless Networking
Topic: Bondig WIFI links 60G and 5G
Replies: 15
Views: 4546

Re: Bondig WIFI links 60G and 5G

Hoi

What kind of throughput do you get over the links?
by sebastia
Tue Aug 06, 2019 1:00 am
Forum: General
Topic: Routing between VLAN & VLAN+VPN
Replies: 4
Views: 2065

Re: Routing between VLAN & VLAN+VPN

Hey Your firewall rules: * add action=reject chain=forward comment="Reject HOME from GUEST" dst-address=192.168.5.0/24 reject-with=icmp-host-prohibited src-address=192.168.20.0/24 add action=reject chain=forward comment="Reject MGMT from GUEST" connection-state=new dst-address=...
by sebastia
Tue Aug 06, 2019 12:50 am
Forum: General
Topic: vlan and bridge forward traffic to wds interfaces
Replies: 5
Views: 2286

Re: vlan and bridge forward traffic to wds interfaces

Hey your vlan20 is "hosted" by bridge1, with all of its interfaces. So any traffic over ether5 / vlan20 will be propagated to all possible participants. The config seems to be pre 6.41, right? Upgrade to 6.41+ and depending on switch chip capabilities use bridge vlan or switch vlan f...
by sebastia
Tue Aug 06, 2019 12:29 am
Forum: Beginner Basics
Topic: PLEASE HELP - no luck getting it to work / CCR1009-7G-1C-1S+ [SOLVED]
Replies: 24
Views: 5381

Re: 10 hours - no luck getting WAN/INET to work (CCR1009-7G-1C-1S+) [SOLVED]

You don't seem to be very good at hiding addresses. ;)
lol
by sebastia
Tue Aug 06, 2019 12:22 am
Forum: General
Topic: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]
Replies: 12
Views: 3036

Re: interactive TV (Tet) over local network, picture "slideshow" [SOLVED]

Hoi

The network is unclear, could you post a diagram?
by sebastia
Mon Aug 05, 2019 11:50 pm
Forum: RouterBOARD hardware
Topic: Router Issues
Replies: 1
Views: 1409

Re: Router Issues

Hey

Do you have access to its management functionality? If you do, run "/export hide-sensitive" and paste it here between < code > code goes here </ code > tags.
by sebastia
Mon Aug 05, 2019 11:41 pm
Forum: Beginner Basics
Topic: default wan
Replies: 7
Views: 2057

Re: default wan

Hey, the recursive routing paths, map to same gateway .1.1
by sebastia
Sun Aug 04, 2019 2:07 am
Forum: General
Topic: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328
Replies: 4
Views: 2175

Re: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328

* proxy-arp, I don't remember when and why I activated this, could it be because of VPN or mDNS ? should I remove it ? * Ok that's what I thought, but that wasn't mentioned in the how-to linked above. Will try a different config with this. * I followed the how-to above, and it adds bond to the bridg...
by sebastia
Sun Aug 04, 2019 1:08 am
Forum: General
Topic: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328
Replies: 4
Views: 2175

Re: Getting trouble while creating VLANs and bonding interface between an RB3011 and CRS328

Hey There is an extensive vlan how-to on this forum, have a look. (https://forum.mikrotik.com/viewtopic.php?f=13&t=143620&hilit=vlan) Some remarks: * why need for proxy-arp on bridge? * vlan-filtering=yes (on non-CRS3xx hardware) is in software, if you want it hardware, you'll need to do it ...
by sebastia
Sun Aug 04, 2019 12:48 am
Forum: Beginner Basics
Topic: Multiple web addresses Behind router.
Replies: 3
Views: 2725

Re: Multiple web addresses Behind router.

Hey

firewall is ip based, not domain.

What you want to do is normally done on the webserver itself, as the requested domain is part of the request.
by sebastia
Sat Aug 03, 2019 8:24 pm
Forum: General
Topic: Transparent NAT
Replies: 5
Views: 1838

Re: Transparent NAT

Need NAT + LTE not enough for NAT -> NAT somewhere else -> pass-through is the ONLY option
by sebastia
Sat Aug 03, 2019 8:16 pm
Forum: Scripting
Topic: mikrotik scripting
Replies: 3
Views: 2292

Re: mikrotik scripting

by sebastia
Sat Aug 03, 2019 8:14 pm
Forum: General
Topic: Transparent NAT
Replies: 5
Views: 1838

Re: Transparent NAT

Hey

two options:
* lte passthrough
* or just route (and don't nat) traffic to lte modem. lte modem would need to know how to reach your internal network, so you'll need to add route table entries for internal ranges.
by sebastia
Sat Aug 03, 2019 2:35 pm
Forum: Beginner Basics
Topic: Basic questions about Queues [SOLVED]
Replies: 5
Views: 2480

Re: Basic questions about Queues [SOLVED]

At any given time, the bandwidth should not fall below this committed rate That's from manual, not mine. What I think is meant: the total bandwidth of the interface should be at least the sum of "limit-at" see examples here https://wiki.mikrotik.com/wiki/Manual:HTB if you reserve 1M (limi...
by sebastia
Thu Aug 01, 2019 11:58 pm
Forum: Beginner Basics
Topic: Basic questions about Queues [SOLVED]
Replies: 5
Views: 2480

Re: Basic questions about Queues [SOLVED]

Hey "Limit-at" of a queue is always respected (even if it doesn't make sense). So yes you can use it to guarantee assignment, but be careful wrt total bandwidth available. "CIR (Committed Information Rate) – (limit-at in RouterOS) worst case scenario, flow will get this amount of traf...
by sebastia
Thu Aug 01, 2019 11:50 pm
Forum: General
Topic: How to use Queues over PCC load balancing
Replies: 1
Views: 953

Re: How to use Queues over PCC load balancing

Hey

1. use simple queues: these relate to the local user(s) = target
2. what's "vpv"?
by sebastia
Thu Aug 01, 2019 11:39 pm
Forum: RouterBOARD hardware
Topic: GPeR question
Replies: 23
Views: 10166

Re: GPeR question

It's an active device, product page mentions it already = Gigabit Passive Ethernet Repeater. repeater = 2-port switch => datagram receive and re-transmit.
I don't see how this would introduce noise.
by sebastia
Thu Aug 01, 2019 11:24 pm
Forum: Beginner Basics
Topic: Simple Queue
Replies: 2
Views: 1318

Re: Simple Queue

See https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack Fasttrack bypasses among other things, simple queues. But you could enable (=> flag) connections for fasttrack selectively. These will then bypass mangling as well. Total output can then be controlled by Queue Tree attached to outgoing interface...
by sebastia
Thu Aug 01, 2019 1:25 pm
Forum: General
Topic: DNS setting via DHCP being ingnored on Vlan
Replies: 8
Views: 2300

Re: DNS setting via DHCP being ingnored on Vlan

Hey

Do you ship to Belgium?

Looks like your mgmt network and guest vlan are hosted by same bridge. Only difference is that vlan is tagged. Question: is that vlan untagged somewhere and offered through access port?

Note: mgmt ip is linked to interface ether5 instead of parent bridge
by sebastia
Wed Jul 31, 2019 12:04 pm
Forum: Beginner Basics
Topic: Disabling o removing DNS Dynamic Servers
Replies: 17
Views: 16890

Re: Disabling o removing DNS Dynamic Servers

try this
/ip dhcp-client set use-peer-dns=no [find]
by sebastia
Tue Jul 30, 2019 9:46 pm
Forum: Beginner Basics
Topic: Multiple vlans and 2 servers
Replies: 1
Views: 1029

Re: Multiple vlans and 2 servers

Hey As I understand your goal, I would put the "old" devices in an isolated subnet / vlan and not allow any outgoing traffic. I would also put fileserver in there, so it's accessible to these devices. Then within firewall only allow traffic to that fileserver's ip, using stateful firewall:...
by sebastia
Mon Jul 29, 2019 3:49 pm
Forum: General
Topic: MAC Address limitation
Replies: 7
Views: 3905

Re: MAC Address limitation

Hi I see two options: * disable arp on the relevant interface: this will prevent unknown clients from accessing the router. This could mean no dns/dhcp/... But it's not "air-tight", a client could configure a static ip. Further, clients will still be able to contact other clients on the same subnet., ov...
by sebastia
Mon Jul 29, 2019 2:43 am
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 20
Views: 18206

Re: Significant Speed Issues with MikroTik [SOLVED]

Hey @elico, you obviously use sub-optimal config for your hardware.
Furthermore, the link you provided suggests 1Gbps routing performance for gr3...

Wrt testing, have a look at https://mum.mikrotik.com/presentations/ ... 080654.pdf & https://youtu.be/rQX0inNcPuM
by sebastia
Mon Jul 29, 2019 2:38 am
Forum: Scripting
Topic: mass-enable all of my vlan using script
Replies: 7
Views: 4209

Re: mass-enable all of my vlan using script

Hey

I would do a loop with "foreach" over all entries of a list given by find.

# collect all vlan interfaces on the given parent interface (<interface> is a placeholder)
:local vlans [/interface vlan find interface=<interface>];
# the variable must be dereferenced with $ inside the foreach
:foreach vl in=$vlans do={
# do some magic, ex: enable the vlan
/interface vlan enable $vl;
};

See also https://wiki.mikrotik.com/wiki/Manual:Scripting
by sebastia
Mon Jul 29, 2019 12:22 am
Forum: Wireless Networking
Topic: LTE based internet and WiFi network at home
Replies: 11
Views: 4077

Re: LTE based internet and WiFi network at home

I wouldn't recommend it from economy point of view, but also being completely on your own / unsupported config. Get some off-the-shelf mesh wifi, which already had some prime time, and received some firmware updates. I don't have experience with any, so google is your friend: https://www.google.be/s...
by sebastia
Sun Jul 28, 2019 11:58 pm
Forum: General
Topic: DNS forward based on domain name [SOLVED]
Replies: 41
Views: 22964

Re: DNS forward based on domain name [SOLVED]

dnsmasq will do exactly what you need, and a gr3 (+other hw) with openwrt can run dnsmasq
by sebastia
Sun Jul 28, 2019 12:39 pm
Forum: Wireless Networking
Topic: LTE based internet and WiFi network at home
Replies: 11
Views: 4077

Re: LTE based internet and WiFi network at home

Hi

Mikrotik has hinted at a mesh product, but it hasn't been released/offered yet.
You could do it on your own (with some multi radio devices), but I wouldn't recommend it.
by sebastia
Sun Jul 28, 2019 12:34 pm
Forum: General
Topic: Exceptions to dynamic simple queues
Replies: 2
Views: 1460

Re: Exceptions to dynamic simple queues

Hey

You should at least share some configuration details (queue config, topology, ...) for others to be able to help you. Your intent is clear, but your environment is not.
by sebastia
Sun Jul 28, 2019 12:16 pm
Forum: General
Topic: Does this mean that these IP addresses were connected to my network and used my network?
Replies: 3
Views: 1722

Re: Does this mean that these IP addresses were connected to my network and used my network?

tcp connection is the first step in establishing a vpn session. Then comes authentication of the server and user, and finally ip layer configuration.
this just means that somebody established the first step.
by sebastia
Sun Jul 28, 2019 11:56 am
Forum: General
Topic: Feature request: Winbox interface list
Replies: 1
Views: 810

Feature request: Winbox interface list

Hi I think it would improve readability of how interfaces are presented in Winbox, if the ports, members of a bridge, would be presented as children of that bridge. Just like it's the case now for vlan interfaces linked to an interface: these are shown right under the parent interface, and indented....
by sebastia
Fri Jul 26, 2019 4:42 pm
Forum: General
Topic: Sniffing in transparent way
Replies: 1
Views: 835

Re: Sniffing in transparent way

by sebastia
Fri Jul 26, 2019 10:38 am
Forum: Beginner Basics
Topic: High cpu networking
Replies: 9
Views: 7612

Re: High cpu networking

Did what? The above is NOT an instruction on what to do.

The instruction was: "why don't you just stick to default firewall, it's more that enough in this case..."
by sebastia
Thu Jul 25, 2019 9:27 pm
Forum: General
Topic: the best way to divide the internet equally among the users
Replies: 4
Views: 1763

Re: the best way to divide the internet equally among the users

The upload queue needs to be attached to the WAN interface, the queue type used needs to be pcq-upload, and for that type define src-address as the grouping criterion.

download -> LAN interface -> pcq-download -> dst-address

and no need for mangling
by sebastia
Thu Jul 25, 2019 9:24 pm
Forum: General
Topic: RB4011 - Shockingly poor IPv6 performance
Replies: 1
Views: 1132

Re: RB4011 - Shockingly poor IPv6 performance

Yes: there is no stack optimisation (=fasttrack) for ipv6
by sebastia
Thu Jul 25, 2019 9:21 pm
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 20
Views: 18206

Re: Significant Speed Issues with MikroTik [SOLVED]

Indeed noticed, edited post

gr3 should be able to do close to 1gbps cpu-wise, you're nowhere near that, so there must be something else that's causing it.
by sebastia
Thu Jul 25, 2019 9:08 pm
Forum: Beginner Basics
Topic: Significant Speed Issues with MikroTik [SOLVED]
Replies: 20
Views: 18206

Re: Significant Speed Issues with MikroTik [SOLVED]

Some interesting parts:
* why queue with 1GBS = interface speed?
* dns server on PRIVATE=WAN? -> just forwarding to upstream

Other than that looks default.
by sebastia
Thu Jul 25, 2019 6:48 pm
Forum: General
Topic: the best way to divide the internet equally among the users
Replies: 4
Views: 1763

Re: the best way to divide the internet equally among the users

Just this "queue tree for download and upload (pcq)" is enough.
upload based on src-address
download based on dst-address
by sebastia
Wed Jul 24, 2019 10:51 pm
Forum: Scripting
Topic: remote ssh via script
Replies: 53
Views: 54399

Re: remote ssh via script

That's just part of the solution. ssh-exec requires use of PKI, while the available documentation relates to real users only
by sebastia
Wed Jul 24, 2019 8:58 pm
Forum: General
Topic: Help with filter Rate Limit
Replies: 6
Views: 3150

Re: Help with filter Rate Limit

The nomenclature of winbox is different from their wiki: rate (winbox) = count (wiki)

The rate limiting logic is functionality provided by iptables of the underlying linux.
Just search for: "rate limit linux firewall" -> https://making.pusher.com/per-ip-rate-l ... -iptables/
by sebastia
Wed Jul 24, 2019 6:16 pm
Forum: General
Topic: Help with filter Rate Limit
Replies: 6
Views: 3150

Re: Help with filter Rate Limit

The above is for "limit" condition. dst-limit is a special case of that one.
by sebastia
Wed Jul 24, 2019 4:56 pm
Forum: General
Topic: Need a help
Replies: 2
Views: 956

Re: Need a help

Contact support.
by sebastia
Wed Jul 24, 2019 2:55 pm
Forum: General
Topic: Help with filter Rate Limit
Replies: 6
Views: 3150

Re: Help with filter Rate Limit

Hey Doc: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties Matches packets up to a limited rate (packet rate or bit rate). Rule using this matcher will match until this limit is reached. Parameters are written in following format: count[/time],burst:mode. count - packet or bit coun...
by sebastia
Mon Jul 22, 2019 5:35 pm
Forum: Forwarding Protocols
Topic: How configure 2Wan with one without routing mark?
Replies: 5
Views: 3230

Re: How configure 2Wan with one without routing mark?

I'm not sure that "rp-filter" would be the issue: it would only impact routing if asymmetric routing were involved. This doesn't sound to be the case.

List your full config (/export hide-sensitive) and clarify network setup.
by sebastia
Sun Jul 21, 2019 3:16 pm
Forum: Beginner Basics
Topic: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]
Replies: 9
Views: 8934

Re: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]

Under "/ip route" I don't see any entries for "192.168.1.0/24", which would corroborate the fact that it's not a routed network, and most likely natted.

Can you disable natting for that link in fortigate?
by sebastia
Sat Jul 20, 2019 12:00 pm
Forum: RouterBOARD hardware
Topic: Mikrotik RBSXTR (No Modem) 9dBi 60 degree LTE Antenna
Replies: 8
Views: 3043

Re: Mikrotik RBSXTR (No Modem) 9dBi 60 degree LTE Antenna

Not listed separately, but offered in distribution channel. Grab it if you want...
by sebastia
Sat Jul 20, 2019 11:57 am
Forum: Beginner Basics
Topic: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]
Replies: 9
Views: 8934

Re: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]

"/export hide-sensitive" would help
by sebastia
Sat Jul 20, 2019 1:20 am
Forum: General
Topic: Link Failover
Replies: 4
Views: 1643

Re: Link Failover

Try posting the config between [ code ] [/ code ] tags. (without spaces between [])
I tend to not open an unknown docx document from the net...
by sebastia
Sat Jul 20, 2019 1:14 am
Forum: General
Topic: RB2011UiAS-RM - High CPU on Download
Replies: 6
Views: 2298

Re: RB2011UiAS-RM - High CPU on Download

2011 is not that powerful (cpu-wise), but it shouldn't be as bad. See https://www.youtube.com/watch?v=BMNoRJ4Wy3E There were some topics regarding 2011 throughput, have a look. Also note that FastTrack can be enabled selectively, it's not an all-or-nothing switch. Finally, if you need more input, post you...
by sebastia
Fri Jul 19, 2019 5:36 pm
Forum: Beginner Basics
Topic: hEX + Linksys E900 + D-Link DIR-615
Replies: 2
Views: 1446

Re: hEX + Linksys E900 + D-Link DIR-615

Leave the APs in bridge. The wifi is configured on them. Just make sure these have IPs in the right range, as specified by the hEX.
by sebastia
Fri Jul 19, 2019 5:27 pm
Forum: General
Topic: RB2011UiAS-RM - High CPU on Download
Replies: 6
Views: 2298

Re: RB2011UiAS-RM - High CPU on Download

Hi

Do you have the latest version of ROS? If not, upgrade.

Do you have any special configuration? I would suggest performing a factory reset to the default config for homeAP. This config can do 800+ out of the box.
by sebastia
Fri Jul 19, 2019 4:56 pm
Forum: General
Topic: Link Failover
Replies: 4
Views: 1643

Re: Link Failover

Hey

Note: don't post your public ip's in clear, at least some masking is advised.

The behaviour you describe is unexpected: one link should not impact the other. But to have better view...

Please post your config: "/export hide-sensitive" (mask consistently your public ip's)
by sebastia
Fri Jul 19, 2019 2:09 pm
Forum: Beginner Basics
Topic: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]
Replies: 9
Views: 8934

Re: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]

To do PCC you need to do mangling, and assign route-marks to packets (part of some connection) to always send them some particular route. To force packets from an ip some route, you have to "hard-code" the routing-mark assignment to the one of wan2. in this case, something like: # all pack...
by sebastia
Fri Jul 19, 2019 12:49 pm
Forum: Beginner Basics
Topic: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]
Replies: 9
Views: 8934

Re: Force IP (Fortigate) to use specific wan (Mikrotik) [SOLVED]

Hey

I hope you don't perform natting on fortigate?

If not you can route-mark (table:chain -> mangle:prerouting) all packets from "computer 01" ip's with mark for WAN02.
by sebastia
Fri Jul 19, 2019 10:07 am
Forum: Wireless Networking
Topic: Wireless AC performence issue
Replies: 3
Views: 1994

Re: Wireless AC performence issue

These results (7-800mbs) are in bridge mode for the nv2 protocol, on the "same table" (short distance / limited interference / ... -> not a live environment).
And most important, that's not wifi ap config.
by sebastia
Thu Jul 18, 2019 2:24 pm
Forum: Virtualization
Topic: Proxmox & CHR for shared home network
Replies: 2
Views: 4963

Re: Proxmox & CHR for shared home network

I remember some topics on that recently: check some of these https://forum.mikrotik.com/search.php?keywords=chr+virtual&terms=all&author=&sc=1&sf=all&sr=topics&sk=t&sd=d&st=0&ch=300&t=0&submit=Search On core question, with that relatively limited load, a 4...
by sebastia
Wed Jul 17, 2019 12:25 pm
Forum: Beginner Basics
Topic: Rate Limiting new connections
Replies: 4
Views: 2395

Re: Rate Limiting new connections

Default soho config doesn't allow any traffic initiated from outside. So if not hosting anything it's not needed. If internal resources are accessible, then it might be sensible to do such limiting, if the resource is sensitive. So no silver bullet, and "it depends" Update: I assume a &quo...
by sebastia
Tue Jul 16, 2019 11:44 pm
Forum: General
Topic: rb750gr3 Gigabit auto negotiation [SOLVED]
Replies: 16
Views: 8177

Re: rb750gr3 Gigabit auto negotiation [SOLVED]

Just for reference, gigabit ethernet will auto-detect / auto-cross cable pairs if needed. Hence with gbe cross-over cables are no longer necessary. gbe DOES need / use all 4 pairs though. /interface ethernet> monitor e4_tv once name: e4_tv status: link-ok auto-negotiation: done rate: 100Mbps ... adv...
by sebastia
Tue Jul 16, 2019 8:45 pm
Forum: Beginner Basics
Topic: Rate Limiting new connections
Replies: 4
Views: 2395

Re: Rate Limiting new connections

that's a wide subject... the mechanics * limit (https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter) will match as long as conditions as specified are met. And so needs to be followed by rule for "when not". * it's only one of conditions and needs other to be useful, ex: connection-st...
by sebastia
Tue Jul 16, 2019 8:22 pm
Forum: Beginner Basics
Topic: VLAN Bridge Filtering ALternative
Replies: 9
Views: 4938

Re: VLAN Bridge Filtering ALternative

It's been discussed recently: viewtopic.php?f=2&t=150172
by sebastia
Sun Jul 14, 2019 11:32 pm
Forum: General
Topic: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]
Replies: 5
Views: 2122

Re: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]

asymmetric routing & rp-filter don't go hand-in-hand, that's true.
by sebastia
Sun Jul 14, 2019 1:22 pm
Forum: General
Topic: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]
Replies: 5
Views: 2122

Re: What is more efficient for ACL on WAN: conntrack->off or on with established? [SOLVED]

Instead of doing the filtering manually, you could also do it through

See: https://wiki.mikrotik.com/wiki/Manual:I ... Properties
/ip settings set rp-filter=strict
by sebastia
Sat Jul 13, 2019 2:22 pm
Forum: General
Topic: Feature request: connection nat mismatch detection
Replies: 4
Views: 1960

Re: Feature request: connection nat mismatch detection

Thank you for your feedback. Tried the suggestion: Additional config: /interface bridge add name=bridgeE5 protocol-mode=none /interface bridge filter add action=passthrough chain=output log=yes log-prefix="Bridge rule: " mac-protocol=ip src-address=!192.168.45.2/32 /interface bridge port a...
by sebastia
Thu Jul 11, 2019 4:43 pm
Forum: General
Topic: DNS Broadcast
Replies: 1
Views: 921

Re: DNS Broadcast

firewall "wan" interfaces: only allow traffic you need, drop rest.

Default firewall config is sufficient, have a look
by sebastia
Thu Jul 11, 2019 3:11 pm
Forum: General
Topic: untagged vlan [SOLVED]
Replies: 9
Views: 2488

Re: untagged vlan [SOLVED]

this is what I've suggested in post above

Edit for clarity: "To keep things simple I would just advise to setup independent ports, then when the need arrives you can re-evaluate your setup."
by sebastia
Thu Jul 11, 2019 2:14 pm
Forum: Beginner Basics
Topic: load balancing with fail over, added backup line 4G
Replies: 3
Views: 1856

Re: load balancing with fail over, added backup line 4G

Regarding config (didn't review it all, just relevant part for this topic) # you probably don't want "passthrough" here add action=mark-connection chain=prerouting comment="REGLAS BALANCEO " \ connection-mark=no-mark in-interface=ISP1 new-connection-mark=ISP1_conn \ passthrough=y...
by sebastia
Thu Jul 11, 2019 1:53 pm
Forum: General
Topic: Problem running Traffic Flow
Replies: 7
Views: 2508

Re: Problem running Traffic Flow

Hey

The ether2 is "slave", as it's part of bridge1.
/interface bridge port
add bridge=bridge1 interface=ether2-LAN-OFFICE
/ip traffic-flow
set active-flow-timeout=1m cache-entries=16k enabled=yes interfaces=ether2-LAN-OFFICE
Try monitoring bridge1 instead then.
by sebastia
Thu Jul 11, 2019 1:01 pm
Forum: Wireless Networking
Topic: Throughput Presentation, Questions, & Discussion
Replies: 2
Views: 1485

Re: Throughput Presentation, Questions, & Discussion

Hey

1. Window size is not a constant for a connection: it's adapted throughout the connection.
2. udp and tcp throughputs are not comparable.
by sebastia
Thu Jul 11, 2019 12:33 pm
Forum: General
Topic: Feature request: connection nat mismatch detection
Replies: 4
Views: 1960

Feature request: connection nat mismatch detection

Hi When operating a router with wan fail-over, when NAT is applied to both links, (ex two residential ISP connection), it is possible that "ip leakage" can occur. This is only relevant for networks bound to specific ranges, such as for residential ISP. This doesn't apply to situation when ...
by sebastia
Mon Jul 08, 2019 9:27 pm
Forum: General
Topic: Successfully Opening a STX LTE? [SOLVED]
Replies: 2
Views: 1322

Re: Successfully Opening a STX LTE? [SOLVED]

Sure, you'll need to use plastic tool to stick it between the parts. Top (part towards antenna) fits over bottom (part with sim/network interface). You'll need to apply some pressure on the bottom part in each of the 6 sections of the hexagon to release internal latch and pull the top apart. Togethe...
by sebastia
Mon Jul 08, 2019 7:46 pm
Forum: General
Topic: RULE for BANKS
Replies: 15
Views: 3236

Re: RULE for BANKS

Most banks use https, right? Why not prioritise https traffic up to a certain volume?

might give some improvement...
by sebastia
Mon Jul 08, 2019 7:39 pm
Forum: General
Topic: PCCload balancing vs Remote Connection to LAN...
Replies: 3
Views: 1415

Re: PCCload balancing vs Remote Connection to LAN...

Some more notes:
* the queue setup won't work, as they both have the same target, you'll need to use a queue linked to an interface (queue tree)
* interface e6-10 are part of bridge, they are "slaves" and should not be used on their own
by sebastia
Mon Jul 08, 2019 6:07 pm
Forum: General
Topic: PCCload balancing vs Remote Connection to LAN...
Replies: 3
Views: 1415

Re: PCCload balancing vs Remote Connection to LAN...

Your mangling needs improvement, some tips: new connections from wan's need to be pinned to these interfaces, otherwise you could end up with split routing, which with NAT won't fly... Do that in prerouting, on in-interface=wan1/2/... You only need to mangle route on the outbound track, so when goi...
by sebastia
Mon Jul 08, 2019 5:05 pm
Forum: General
Topic: Problem running Traffic Flow
Replies: 7
Views: 2508

Re: Problem running Traffic Flow

See also https://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow

Normally that should be a single (two to change server address) step operation.

Post your config, so it can be consulted: /export hide-sensitive
by sebastia
Mon Jul 08, 2019 3:29 pm
Forum: General
Topic: Problem running Traffic Flow
Replies: 7
Views: 2508

Re: Problem running Traffic Flow

Hey

Which interfaces are in the list " Internal-lan"? It's not empty right?
by sebastia
Sun Jul 07, 2019 12:50 am
Forum: Beginner Basics
Topic: Two IPs each on separate port
Replies: 10
Views: 3326

Re: Two IPs each on separate port

Possible, not sure if server should be shielded / natted... If not then indeed, that will suffice.
by sebastia
Sun Jul 07, 2019 12:42 am
Forum: Beginner Basics
Topic: load balancing with fail over, added backup line 4G
Replies: 3
Views: 1856

Re: load balancing with fail over, added backup line 4G

Hey You're mangling now for connection / routing mark, and you've setup separate routing tables for each mark. Right? Then just have all three routes in the tables T1 Wan1 distance 1 Wan2 distance 2 4G distance 3 T2 Wan2 distance 1 Wan1 distance 2 4G distance 3 In filter:forward you would want to fi...
by sebastia
Sat Jul 06, 2019 11:08 pm
Forum: General
Topic: How do I allow DNS traffic from one VLAN to another? [SOLVED]
Replies: 12
Views: 9923

Re: How do I allow DNS traffic from one VLAN to another? [SOLVED]

Another option: VRF. Have isolated routing for each vlan, and insert the dns server record as an allowed target.
https://wiki.mikrotik.com/wiki/Manual:V ... Forwarding
by sebastia
Sat Jul 06, 2019 10:47 pm
Forum: Beginner Basics
Topic: Two IPs each on separate port
Replies: 10
Views: 3326

Re: Two IPs each on separate port

Hey, there is no easy software solution to this, see viewtopic.php?f=2&t=149920 with same question.
by sebastia
Fri Jul 05, 2019 11:37 am
Forum: General
Topic: One Router, Two separate networks/internet connections
Replies: 1
Views: 822

Re: One Router, Two separate networks/internet connections

Based on the test results, it should do just fine: https://mikrotik.com/product/RB1100Dx4# ... estresults
But it will always depend on the config applied...
by sebastia
Thu Jul 04, 2019 9:40 pm
Forum: Beginner Basics
Topic: High cpu networking
Replies: 9
Views: 7612

Re: High cpu networking

Observations: * input/forward is insufficiently guarded: only tcp is filtered (in some cases), udp goes through + /ip dns set allow-remote-requests=yes = you're probably bombarded by dns requests, and being used for DDOS attacks, using DNS amplification attack why don't you just stick to default fir...
by sebastia
Thu Jul 04, 2019 9:19 pm
Forum: Beginner Basics
Topic: High cpu networking
Replies: 9
Views: 7612

Re: High cpu networking

In torch which ports is the traffic going to?
by sebastia
Thu Jul 04, 2019 3:40 pm
Forum: Beginner Basics
Topic: High cpu networking
Replies: 9
Views: 7612

Re: High cpu networking

which ports is the traffic going to?

Also notice that you have similar return traffic as well?
open dns server or some other traffic bounce?

What is your firewall config (/export hide-sensitive)?
by sebastia
Thu Jul 04, 2019 2:04 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 1728

Re: Best way to connect a remote site by some kind of VPN?

ipsec-secret is with phrase only (was a shortcut to simplify simple setups). If you want to use certs, then you'll need to configure ipsec manually for that tunnel.

So define tunnel normally "in clear" and define ipsec policy, ... for communication between these tunnel endpoints.
by sebastia
Thu Jul 04, 2019 1:04 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 1728

Re: Best way to connect a remote site by some kind of VPN?

For the GRE / IPSec / .. tunnel to be encrypted with ipsec just specify the ipsec-secret on both ends (short-cut). /interface gre add ipsec-secret=... This will create the gre tunnel, which is encrypted by ipsec. To these interfaces, gre tunnel endpoints, assign ip's, on both ends, and use these ass...
by sebastia
Thu Jul 04, 2019 1:00 pm
Forum: General
Topic: untagged vlan [SOLVED]
Replies: 9
Views: 2488

Re: untagged vlan [SOLVED]

It could work like that: extend vlans with another smart switch.

But what is also possible: extend the access port (=untagged port) with a "dumb" switch.

To keep things simple I would just advise to setup independent ports, then when the need arrives you can re-evaluate your setup.
by sebastia
Thu Jul 04, 2019 12:32 pm
Forum: Beginner Basics
Topic: Best way to connect a remote site by some kind of VPN?
Replies: 7
Views: 1728

Re: Best way to connect a remote site by some kind of VPN?

That's why you need a tunnel on top: IPSec will only encrypt the GRE/IPIP/... tunnel. But inside that tunnel you're free of the (policy) limitations of IPSec.