MikroTik

sebastia

have you tried defining default gateway within wg for u1 & u2, as respectively c1 & c2?

hence routes that get pushed to the wg peers:
https://help.mikrotik.com/docs/spaces/R ... uard-Peers

sebastia

Have you tried their help ? https://support.mobilevikings.be/hc/en-us/articles/15963730456081-How-can-I-configure-my-modem-in-bridge-mode Clearly stated: ppp needed (for bbox3) you should probably copy your current ppp config before switching might also be relevant: https://support.mobilevikings.be/...

sebastia

Hi

As you probably already noticed in some of the post, it's all about the configuration of the hardware.

Hence if you want some help, also post your current config + some hints on what is what.

/export minus passes / sensitive stuff

sebastia

FYI: looks like related to zerotier node

sebastia

Hi Noticed this in firewall logs: 2025-06-07T14:57:31.237416+02:00 firewall.home firewall,info fw2ext: in:(unknown 0) out:e1_ext, connection-mark:FT connection-state:new proto UDP, <pub_ip>:34829-><pub_gw>:5351, len 30 2025-06-07T14:57:31.487536+02:00 firewall.home firewall,info fw2ext: in:(unknown ...

sebastia

Have you looked at the article...? I have a main site and two other remote sites. The remote sites are connect with GRE over IPSec to the main site and everyone can talk to each other. In the main site I have two VMs and I want one of the VMs traffic to go trough the tunnel and get on the internet u...

sebastia

Not yet on .1. FYI, on 7.19 still works for me, even cross version, to v6.

sebastia

Hey Option two is definitely an option. I'm doing it myself... Not that hard either: * configure vlan on LTE kit * configure LTE with passthrough #for v6: /interface vlan add interface=ether1 name=vXXX vlan-id=XXX /interface lte apn set [ find default=yes ] apn=<apn> authentication=pap passthrough-i...

sebastia

A picture is worth a thousand words...

sebastia

Moral of the story "Don't buy brand new hw"? This is the least intelligent thing that has been posted in this thread. Give me a break. Well thank you It is "funny" and playful, in this all but optimal customer experience. But one does need some intelligence to see that ... oh we...

sebastia

Moral of the story "Don't buy brand new hw"?

sebastia

Hi I've noticed that in /certificate menu it's possible to add/define CRL. I'm not sure why it's there, as certificates define CRL themselves: a certificate can contain CRL url for verification (alternative method is OCSP). Ex: certificate of this forum site, defines a CRL and it's enclosed in it, a...

sebastia

Be warned that this is not a recommended configuration, as all bridge traffic will be passed on to cpu. Depending on the volume of the traffic that might become a bottleneck.

sebastia

it seems like a winner in several aspects Not sure... If you look at the theoretical (!) throughput numbers (https://mikrotik.com/product/hex_s_2025#fndtn-testresults) It can "only" hit 1.4Gb/s. In practice will probably be less. Hence that 2.5Gb port is kind of overkill for routing useca...

sebastia

Thx for sharing

sebastia

...Just by setting up routes, the traffic does not get forced trough the IPSec/GRE tunnel.

Sure it does, that's what the _core_ role of routing is

Have a closer look at the linked article, mangling is ONE of the options, not the only one. Which one is best will depend on your criteria...

sebastia

Please try and hopefully confirm. Then default config could then be updated as well...

sebastia

Hi

Is this what you want?
https://help.mikrotik.com/docs/spaces/R ... cy+Routing

sebastia

and the Chinese copy of this TP-link https://www.cudy.com/products/gs108e-1-0 is only $27 and that's sad.

, china coping itself...

sebastia

For all those "it's a switch" statements...

If you look closely

at the product offering website of Mikrotik, you will find L009 here:

https:// mikrotik.com/products/group/ethernet-routers

The switches are under
https:// mikrotik.com/products/group/switches

Thank you

sebastia

"shoe" fits on the metal base section, on both sides

sebastia

Hi

If considering wall mounting a RB5009 or L009, these might come in handy.

https://www.thingiverse.com/thing:7048327

Regards

sebastia

L009 is fixed, to 800MHz (x2)

My point: platforms react differently to other forms of load and don't behave in same manner

sebastia

any other out-of-band methods available? serial?
have you tried rebooting again (via dc methods)?

looks like some troubleshooting / post-mortem will be needed, as 7.19 had quite some changes, including for ssh

sebastia

Thx, one can always learn something new... From my experience these tests are not representative: no queueing, no natting, no mangling, no vlans, ... And these are all applicable to (most) real-world scenarios. If we look at the numbers: L009 is supposed to do about 80k-ish of packets /s. @Chechito ...

sebastia

Hey

bit low on details / context

changelog does mention some changes: https://mikrotik.com/download/changelogs

sebastia

Hey

the split is currently done based on dst-address, for that to work well you need to have knowledge of all involved addresses.
Seems as you miss some still for reddit and paramount, as when you forward all over vpn it does work.

So either update the dst-address list or use another discriminator.

sebastia

off course, is a common misconception, there are to compare devices, not to be representative of some scenario

the possible scenarios are infinite

If the tests are not representative of real-world use-cases, how should I have used these as devices are not being compared in tests that matter?

sebastia

Thank you for your feedback. I do get the impression that you skimmed mostly over previous posts... I didn't own 2011, does nostalgia apply then? about pricing, homework and so forth, I did write this "For a specific use-case I've selected L009, as it matches the needs." and "...but w...

sebastia

agreed, it's a promising platform with this unfortunate limitation

sebastia

So went bing-ing

Found this: https://www.wolfchip.com/qualcomm/ipq-5 ... -01-0.html

up to 1.4GHz ...
ARM Cortex-A53 (hence 64bit)

Hence, intentional limitation ...?
1 or 1.2 GHz with such a massive heatsink should be easy

sebastia

Did you already test if the device as-is performs according to your needs ?

did indeed, it's doing its thing, but with little to no headroom, hence the question. Would like some (more) peace of mind, that if anything ...

and indeed the reference (previous) was running v6.

sebastia

thx for feedback

given the wording, i did expect a connection-less, fire-and-forget "dump packets as long as enough pass" way of testing
...which is everything but what I use in real life (mainly ipv4/6 tcp)

but hoping to discover some hints on optimal / most efficient configuration(s)

sebastia

addition of in-interface(-list) is an optimisation but you still need to enable both -> remove "disabled=yes" disabling fasttrack will do the trick, but a bit harsh for the rest, unless perf is not an issue... a simple alternative method is to fasttrack traffic going to WAN1 only all that ...

sebastia

Hi For a specific use-case I've selected L009, as it matches the needs. I'm a bit concerned though that the cpu; it is a bit underpowered. The predecessor of this platform, 2011, had the ability to adjust cpu clock speed. Given the massive heatsink and cpu operational temp, barely above room temp, i...

sebastia

Hi Miktrotik usually displays for their products a "Test results" page / tab with performance / throughput of item in different configurations. Ex: https://mikrotik.com/product/RB750r2#fndtn-testresults What I'm wondering is if these hardware configurations are documented / are public / ca...

sebastia

lets go in order: see also https://help.mikrotik.com/docs/spaces/ROS/pages/328227/Packet+Flow+in+RouterOS#PacketFlowinRouterOS-FlowofRoutedPacket ip fw mangle: both needed but disabled -> NOK + update second (mark-routing) to include your internal in-interface, so only marking when going to WAN (gue...

sebastia

please also post rest of /ip firewall config as it's relevant

(or just the full config minus sensitive stuff)

sebastia

sure, it possible.

In firewall, in the forward chain, you'll need to allow traffic from wg to that server and the specific set of port. block all else (catch all rule).

sebastia

It's new/fresh... Probably best to contact support then, as bugs are ironed out

sebastia

Have you noticed the note?

RouterOS version: 7.18+

sebastia

I guessing we havn''t seen the full nat table yet, have we?

sebastia

you say it like you've never worked for support, translating from human to techspeak everybody is lazy and writes/tells minimum-minimorum of information, expecting others sharing same context and common sense... which is not that common.

I love it

sebastia

Now the router responds correctly even on the secondary WAN, with the exception of Wireguard.

Furthermore, I would like to make the firewall reachable from the secondary WAN, regardless of whether the primary WAN was Up or not.

These seem to contradict each other?

sebastia

Correct, but once a packet matches the fasttrack rule, no other rules are processed
it effectively works as "accept all"

not quite true, see previous link

agreed for the rest

sebastia

good catch on the "forward" chain Just to correct/clarify: fasttracking doesn''t disable firewall, it optimises it https://help.mikrotik.com/docs/spaces/ROS/pages/130220087/Connection+tracking#Connectiontracking-FastTrack further you can exclude all marked packets from fasttrack once a con...

sebastia

There is still a problem with this setup. You meant to say, "I've extra/new requirements..." right? When the Gateway IP address for the dedicated VoIP network is not the active default route, the route back does not work Indeed, not configured for that. How can i get this config working, ...

sebastia

Hi some feedback: Wireguard seems to always follow the main routing table, I don't understand why. currently wg will use main table, so if wan1 is up (distance=1), it will use it, if wan1 not there, it will use wan2 (distance=2) Switching may require purging conntrack data, some have observed. In th...

sebastia

well done

that 2011 is quite a capable hardware, in right context and with right config

sebastia

Last thing to fix: is that the dhcp client from bridge-base can't get address. Looks like everything behind ether 3 can't see this mikrotik as well. https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features#SwitchChipFeatures-Tagged add bridge1-cpu to vlan1 create vlan on bridge...

sebastia

Looks good...

Some improvements:
* eth1 & eth4 are access ports for vlan 1?
if so best to define it as such in /interface ethernet switch port, just as for port 3

* if you have strict vlan filtering (in switch chip), you probably also want independent-learning=yes

sebastia

@NathanA
I admire your patience.

sebastia

if you post your current config, someone can suggest fine-tuning ...

sebastia

(I don't have 2011, hence can't test) Based on docs, as mentioned, this chip requires special config: https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features#SwitchChipFeatures-PortSettings set default-vlan-id for access ports -> eth2 needs vlan 5 set /interface ethernet switch...

sebastia

based on your feedback I understood that: * eth2 is access port for ISP * eth3 is tagged for vlan 5 to server /interface vlan -> remove name=vlan-cosmos vlan-id=5 because no need to access vlan 5 on router /interface bridge port -> remove interface=vlan-cosmos -> assign interface=ether2 to bridge-ba...

sebastia

hyper-v VM interface: is that the eth3 comment=SERVER-FSG?
is that a tagged or untagged / access port?
there is no need for vlan 5 access on router?

sebastia

current config of vlan is not in line with switch chip recommendations, see links before
I would start with that

and then also upgrade to latest version, if still there -> support ticket
and if not solved, downgrade to v6, as there some reported ok

sebastia

Given that https://mikrotik.com/product/RB2011UiAS-2HnD-IN#fndtn-specifications https://cdn.mikrotik.com/web-assets/product_files/Block-RB2011UAS-2HnD_130546.pdf https://help.mikrotik.com/docs/spaces/ROS/pages/15302988/Switch+Chip+Features add bridge=bridge-base hw=no I suspect all bridge traffic is...

sebastia

Hi

Have you tried to research on https://help.mikrotik.com/docs/?

quick search gave multiple hits...

sebastia

Hi

you should at least provide config info ... (see forum notes on /export) We do not have a "cristal ball"

sebastia

Hey does the cloud bpx use specific ip(s) (ranges)? then you could selectively direct traffic to these over the separate uplink. Make sure that uplink does not have a default route defined, so it won't become fail-over connection. this could be even in the main routing table /ip/route/add dst-addres...

sebastia

Hi what is the goal of this two? /ip firewall filter add action=accept chain=forward dst-address=10.2.0.0/26 out-interface=test src-address=1.1.2.2 /ip firewall nat add action=src-nat chain=srcnat out-interface=test src-address=10.2.0.0/26 to-addresses=1.1.2.2 that's to vpn server and using it's pub...

sebastia

Hey

If nobody seen it before, try support@mikrotik.com or https://help.mikrotik.com/servicedesk/s ... user/login

sebastia

maybe yet simpler:
(your site)
route rule to force over wg
(other site)
dnat to .1 (target)

-> spread complexity

sebastia

https://help.mikrotik.com/docs/spaces/R ... 211299/NAT

netmap?

sebastia

On second thought, natting and routing rule might collide:
not sure when routing rule is evaluated, but if after prerouting, where natting is done
it will not have right effect
https://help.mikrotik.com/docs/spaces/R ... OS-Forward
pls verify

sebastia

Regarding your example: remove /ip firewall mangle add action=mark-routing chain=prerouting dst-address=10.0.0.2 in-interface=vlan101 new-routing-mark=143 passthrough=no change /routing rule add action=lookup disabled=no routing-mark=143 table=143 to /routing rule add action=lookup disabled=no dst-a...

sebastia

seems so: https://help.mikrotik.com/docs/spaces/R ... ling(QinQ)

sebastia

An alternative (and simple) solution: a dedicate "bridge" link, bridging the two switch domains.

sebastia

Hey It's a discouraged practice to perform bandwidth tests involving the subjects themselves for load generation; meaning have other instances, not the routers, do the load test. Also, as you hinted, a tunnel will have lower mtu. that should be accounted for at source and target, to avoid fragmentat...

sebastia

Hey

In this particular case, you could remove the "mangle" rule with extended route rule which would include the dst-adr.

And another appraoch: have second site mulit-homed, with 2nd non coliding ip.

sebastia

Have you considered a DAC? will be cooler and less power hungry
Example: https://mikrotik.com/product/s_ao0005

sebastia

Hey

Sure, it's possible, each instance of OpenVPN, could be limited at the level of firewall to specific access only.

see:
https://help.mikrotik.com/docs/spaces/R ... 55/OpenVPN and
https://help.mikrotik.com/docs/spaces/R ... 574/Filter

sebastia

Please remind me, is Kid controls usage of simple queues, and by extension this script, compatible with "fast-track"-ing?

Thx

sebastia

Hey

That's like "needle in the haystack" ...

Please be more specific: how do you connect, from to, any additional observations about the system? what is happing on crs when you do loos connectivity? is the loss at random or some specific situations? and so on...

sebastia

I you want some assistance or information you should be a bit more polite. Most of us on this forum are not here because we are paid for it. And how would you explain it then, considering that this test goes right against the results of your tests number 2 & 4 from you first post here??? both we...

sebastia

The 1Gb/s links are full duplex.

Just for posteriority, this is NOT the case: Mikrotik always reports full bandwidth over all directions -> that 1Gb/s is shared for both directions!
(as supported by your own tests)

sebastia

1) If we are talking about 5 independent ports: the two 1Gbps links will be used, as needed. There is no hard assignment of a link to a group os ports.

Don't believe that to be the case: I think the port attribution of all independent links is fixed, (but I haven't tested it...)

sebastia

in tests 1 & 3 you don't go to cpu, but are using the hardware switching in the switch chip (= off-loading) -> hence the limitations of the link to cpu don't apply and you get full bandwidth of the 1Gb/s connection / port

So how about that admission :-D ?

sebastia

you are using it (1Gb/s) already!

see second test:

Tx + Rx ~1Gb/s for ports ether1 & ether4

the 1Gb/s from diagram is TOTAL bandwidth available, for BOTH sending and receiving

I expect an apology now ;-)

sebastia

Just noticed it myself in changelog

Good news indeed

Although regex has been mentioned before by staff to be heavy

sebastia

Thx.

Interesting info. A bit early, as you only got it, but I would like to hear your findings on link / connection stability.

sebastia

For the time being, we have to look to other platforms, ex dnsmasq

sebastia

In a way, the affected owners should be thankful for the wake-up call and that the payload was so benign!
Any updates / new events on the topic?

sebastia

Hey

I'm looking for any and all feedback on field-testing of R11e-LTE6.
Please share your findings.

Kind regards
Sebastian

sebastia

Have a look here wrt L7 config: https://www.youtube.com/watch?v=RtFZKvLKgD0
(+ changes as suggested by mkx)

sebastia

Next to "use-ip-firewall=yes" one could also just add bridge rules under /interface bridge filter.

sebastia

Have a look here too: https://wiki.mikrotik.com/wiki/Manual:I ... hop_lookup

Scope is linked to routing configuration: 10 for local, 30 for static, ...
Target scope is that as well, and by specifying target one can define how next hop can be looked up.

sebastia

Is there a high-level roadmap? Could you share it?

sebastia

is the current beta functionality-wise complete
No, BGP and MPLS are not even enabled.

Thx for reaction. Disabled routing was mentioned with beta1, so that was a given / known. But what about the rest? Once bugs are ironed out and routing added, will that be v7.0?

sebastia

removed in beta3...

sebastia

Hi Mikrotik

Is the scope of the first release of v7 covered by current beta? In other words is the current beta functionality-wise complete?

Thx

sebastia

priority is always active: queue tokens are used for packets from highest to lowest prio. Once pipe is full / tokens are exhausted and priority queues are full, new packets get dropped In effect, if bandwidth is not scarce, all packets are transmitted and one could say that priority is irrelevant, a...

sebastia

Most likely because of this in openvpn config

redirect-gateway def1

sebastia

Update on the implementation above with bridge filter rules: Event though the bridge rules are added for a specific "out-bridge", in my case being the LTE bridge, the rules are evaluated for all bridges. This generates additional load and throughput limitation on the main high bandwidth li...

sebastia

Hi Problem is with the routing indeed the first line shouldn't be there Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 0.0.0.0 0.0.0.0 U 50 0 0 tun0 I would suggest to not let the client set any gateway, and nat outgoing traffic to clients, on the vpn server (so src-nat then), to it'...

sebastia

Have a look here https://mum.mikrotik.com/presentations/MX17/presentation_4265_1495639302.pdf But why not start with this: * masquerade: don't use as you have static ip's -> to be replaced (whenever an ip is lost all connections linked to that will need to be dropped, meaning scanning ALL connection...

sebastia

if it's only 1 of 8 failing, I would be looking AT that failing ap. Is it up-to-date and so on...

sebastia

And the total limit is defined at the parent level, all children "borrow" from parent:

/queue tree add limit-at=0 max-limit=5000000 name=ether1 parent=ether1

sebastia

Do you have a backup or export of your "good" config?

sebastia

Hi

Communicating using your home ip is indeed possible. What you would need to ensure is that all traffic at the vpn client side is routed over the vpn / towards the vpn server endpoint.

Software functionality for all tiks is same, and so any tik can do that.

sebastia

in your case the vlan / mgmt traffic is caring same mac as passthrough, and hence gets hijacked by lte interface.

in current setup you'll need a bridge with other mac for the vlan

OR

reverse the config: mgmt over "plain" eth and passthrough over vlan without extra bridge

sebastia

Hi

While CRS305 technically can do what you propose, it's not meant to do that: it can do pppoe but not at speed, as it's not fast enough on cpu side.

sebastia

I didn't say I agree with all comments there

sebastia

see also viewtopic.php?f=3&t=150611 ...

sebastia

Hi

Src-nat and dst-nat are locate in different chains and are executed at different times, dst-nat before routing & src-nat after routing. One can't interfere with the other.

List your full firewall config if you need further assistance (/export hide-sensitive)

sebastia

server=available for all networks configurations
network=only that network

see also manual: https://wiki.mikrotik.com/wiki/Manual:I ... CP_Options

sebastia

Have a look at http://www.firewall.cx/networking-topics/general-networking/107-network-multicast.html or https://www.cisco.com/c/dam/en/us/products/collateral/ios-nx-os-software/ip-multicast/prod_presentation0900aecd80310883.pdf Drop: drop frames to the multicast mac range drop frames with ip protoc...

sebastia

Thx for the info

sebastia

search function helps: https://wiki.mikrotik.com/wiki/Manual:S ... t#SSH-exec (but not a lot yet...)

sebastia

ssh-exec has been added in 6.45.1 (viewtopic.php?t=149786&hilit=ssh-exec), and CAN be called from scripts!

sebastia

Looks ok.
Post full conifg (/export hide-sensitive), maybe something else is interfering.

sebastia

I'm not sure, but as I know, LACP cannot be set when there is only 1 connection between switches (sw1->sw3 and sw2->sw3). How to set LACP in this scenario?

I was thinking LACP between Hyper-V & SW3.

sebastia

Since the Hyper-V is in teaming mode... https://www.vembu.com/blog/configure-nic-teaming-hyper-v/ If Hyper-V ports algorithm is used with Switch Independent teaming mode, the virtual switch can register the MAC addresses of the virtual adapters on separate physical adapters which statically balances...

sebastia

Hey

SW3 should be in bridge mode, as both sw1-2 may be active at any time.

Just a remark: the SW3 is a "single point of failure" in that design.

sebastia

Hey

For general usage, it will do just fine: https://mikrotik.com/product/rb4011igs_ ... estresults
L2TP: don't expect that vpn will be at full speed
bridge: see

sebastia

Hey

have you tried pinging from B to A?

What is the routing table at SXT LTE like?

sebastia

add address=192.168.1.0/24 dns-server=192.168.10.2,1.1.1.1 gateway=192.168.1.254 netmask=24 -> why don't you specify your pi-hole only here? add address=192.168.1.0/24 dns-server=192.168.10.2 gateway=192.168.1.254 netmask=24 try this instead /ip firewall filter add action=accept chain=input comment=...

sebastia

Hey

Maybe some config issue, list your config for review (/export hide-sensitive).

sebastia

add action=accept chain=forward in-interface= bridge out-interface="eht1 Internet"

is enough

for filter table
output = traffic from router itself
(other were correct)

sebastia

these are not needed as dns is on another network
You can force any DNS request to use your DNS by using dst-nat

you're out of context, read last few posts. hint: i've commented on the src-nat!

sebastia

What are you missing, in your opinion? It could be a working config.

sebastia

have a look here https://wiki.mikrotik.com/wiki/Manual:C ... s_switches

sebastia

Can also add a device each side of the wireless devices then use RSTP

will a wireless bridge pass the xSTP related frames?

sebastia

The reason for the Masquerade and DNAT rules are to force any and all DNS query to the Pi that is running PiHole, it's a content blocker based on DNS filter lists. these are not needed as dns is on another network As far as I understand, setting the DNS under IP--> DNS Settings will auto assign the...

sebastia

why do you need this? add action=src-nat chain=srcnat comment="UDP DNS Masquerade Network" out-interface=bridge protocol=udp src-address=192.168.1.0/24 to-addresses=192.168.10.2 to-ports=53 add action=src-nat chain=srcnat comment="TCP DNS Masquerade Network" out-interface=bridge ...

sebastia

either that or ip stack is not correctly configured
list /export hide-sensitive

sebastia

that won't be immediate

sebastia

hint balance -> balances

over both links

if you want active passive that's a different mode
the "immediate" hand over (subsecond) you can have with active-backup, see viewtopic.php?t=150820#p743780

sebastia

in my experience, netinstall can get "confused" when there are multiple interfaces active

sebastia

you have a problem with connectivity NOT dns resolution

you get an IP for a dns in each kind of test
but ping (icmp) and tcp don't get through..

sebastia

do you want an active-backup or active-active?
xor is the last one

sebastia

there is no problem, it's resolving
ping google.com [216.58.223.142]

sebastia

so your dns resolution works fine

sebastia

have a look at https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding, and especially enable link monitoring, probably arp base
examples: https://wiki.mikrotik.com/wiki/Manual:Bonding_Examples

sebastia

only allow them at specified rate, drop rest

sebastia

in this config mgmt is only possible from "address=192.168.0.0/24"
none of the interfaces have this range, maybe routed from somewhere else (through ospf)?

sebastia

disable www & www-ssl ip services

sebastia

to verify dns functionality and limit the scope try testing with "ping" (udp dns) & "nslookup" (tcp dns). both do minimal functions.

if ping <some dns name> uses an ip -> udp dns works
if nslookup <some dns server> works -> tcp firewal / nat works

sebastia

don't see/have the details, but vpn needs to be src-nat, and if your internet uplink probably as well, so in that sense it might be

sebastia

for masq, out interface should be the vpn interface not ether1
don't use srcaddress list on the rule & just nat all going out over vpn -> less potential for issues

sebastia

The other side doesn't know your internal network, to resolve you need to setup src natting on your vpn interface (src-nat or masq)

sebastia

Have a look at getRTT function here viewtopic.php?t=129294

sebastia

in that case you probably don't need any port forwarding as the camera's are connecting to cloud themselves (from inside to outside)? check it / consult documentation you'll need to verify how is the app finally connecting to the camera, through cloud or some other manner? If "some other" ...

sebastia

do you have some central management console / server?
and how to you "connect" the these devices from outside? directly or through some cloud feature?

sebastia

if you want to access each separately, then yes, port forward different ports to specific devices

sebastia

what is the /tool profile indicating?
could you share details on how the blocking works?

sebastia

there was a presentation by Tik support on some frequent issues with pppoe servers: https://mum.mikrotik.com/presentations/ ... 948376.pdf
have a look if relevant for you

sebastia

how about vlan priority? https://wiki.mikrotik.com/wiki/Manual:W ... t_priority + shaping vlan2 to 95% of bandwidth

sebastia

/ip address add address=192.168.13.1/24 interface=ether2 network=192.168.13.0 => should be on brdige2 mikrotik doesn't have a dmz setting, needs to be done manually basically, any connection to the router which is "new" (so not part of existing connection from router) should be then dst-na...

sebastia

post your config, as it's not clear what is what...
/export hide-sensitive (and replace any public ip's)

sebastia

Hey

On paper it sound all right, only there have been some reports of 317 instabilities when under full load. Then there are also people saying they are rock-solid...

sebastia

And what is your question / request?
Also, post config in between < code > tags

sebastia

Hey * with fast-path disabled, fast-track will not work either * you'll need to exclude 88.200 from fasttrack, or manling for route mark will not work * You seem to have two wans? indihome + oxygen is oxygen some vpn for 88.200 only? * you have in config /interface pppoe-client add ac-name=BRAS3-D2-...

sebastia

I didn't try regex in content, but it does match on plain text.

For https, your current L7 will be working with TCP and SSL handshake which is still unencrypted data

sebastia

Hi

Normally one only import private key on target/server device. The public part can be distributed to the users of that server.

If Tik is CA, only import private key.
for opvn server: only import private key
for opvn client: only import private client key

sebastia

hey

and how is the goove connected to 2011?

sebastia

do you have public ip on rb2011? check under "/ip address" in Winbox or through command "/ip address print"

sebastia

That depends on your isp infrastructure (do you have public ip assigned? any ports which are not blocked by isp?) and the configuration of the Tik (what firewall setting do you have there?).

sebastia

Hi

Does that Mikrotik remain ISP's property?

sebastia

that or the "content" packet matching in plain firewall

sebastia

I would expect not as it related to Transport Layer Security which is not used with plain http.

sebastia

Hey Do you have another system to test these changes? In this particular case I would take that "advise" with a HUGE grain of salt, or better yet: just ignore it... Simple queues are processed by multiple cpu cores, which spreads the load. Do you see that? Try monitoring with /tool profile...

sebastia

I am some shocked.
A script on 200+ lines is needed just to create a folder in RouterOS.
This is some MT should add a built in function.
You can always log in via FTP to create a folder and/or copy/move files.

which is exactly what the script does...

NOT a acceptable "solution"

sebastia

This is not Tik related! You should be a asking on Windows forums...

Hint: indicate in windows that the connection is "private"

sebastia

I thought so

sebastia

busted

, I don't own a 4011... Good to know, thx

I meant low-power, based on actual usage: "Max power consumption 44 W"
that's not a lot

sebastia

simple, as a mitigation, firewall / filter the api port

sebastia

- to keep the high speed datastreams away form pfSense (intel Pentium) - to see if it was an option to use the internal router in state of pfSense -> a CRS can't route 10g of data either! -> not with a CRS * to save interfaces between pfSense and the CRS317 -> don't understand that one * to have a l...

sebastia

Hey CRS is not a router, so you shouldn't be using it as one. I would suggest to upgrade the pfsense to "the only router" status: * only bridge on CRS for "data" vlans -> you did say that pfsens is owner of these! if so, CRS should not route (nor firewall) * this means no ip on d...

sebastia

Hey cpu frequency settings requires a reboot to become active (part of boot configuration), so use of script would be limited. Impact-wise, functionally it should do exactly same thing, but slower... Anything running on cpu will be impacted: routing, queuing, firewall, ... Hardware based switching /...

sebastia

Hello From high-level point of view, there would be little difference between udp. And high stream of large icmp packets would be a red flag on it's own. Furthermore, some networks / routers perform icmp "optimisation" / rate limiting, which would result in high packet loss. So far from st...

sebastia

What is your goal? What did you expect?

sebastia

/ip firewall nat set [find where action="masquerade"] !src-address out-interface-list=WAN

sebastia

If you want to have good gaming experience, then indeed you'll need to limit total download from router to all networks together to less than what modem can do. Similar for upload, limit all upload traffic to less what modem can upload. 90-95% is a safe starting point. your wan is ether1, update con...

sebastia

Sniffing takes place "close" to physical layer, and tagging might not have happened yet. Have you tried sniffing a trunk port down the hill? Wrt config, there are few entries, see https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples. Is the vlan 10 already defined unde...

sebastia

Hey

ntp client will determine on it's own how frequently it should poll the upstream server for time update. Usually it starts at 64s and backs down down to 1024s, once clocks are in sync and drift is under control.

sebastia

Hoi
All connections start with dns resolution. Filter / control these and you'll be able to control what connections are made (for most part).

sebastia

Hey

Start with posting your current config (/export hide-sensitive), and indicate what you want to achieve: ip/port/bandwidth/...

sebastia

You keep on stating that, but without any references to back up your case. I on the other hand have proven with above setups that it indeed is the case. When you state that, I'm not so sure if you know what is going on... why don't you then explain to us if you're so sure of yourself what is going o...

sebastia

unmananged switches don't participate in lldp, as said before they don't even have own mac
even this works just fine in any direction and any link interruption

2+2switches.png

see also web: https://networkengineering.stackexchang ... e-switches

sebastia

good plan!

sebastia

Hey, welcome on the forum. hap ac did you connect port 1 to your network. That port if in default config designated Wan, and firewalled. best would be to disable dhcp server on the bridge, within RouterOs, change the ip of the bridge and connect one of these port to your internal network. hex which ...

sebastia

And to remove any doubt, this one works just fine too

2+1switches.png

sebastia

I disagree, an unmanaged switch is essentially invisible on the wire, it just passes packets around and has no own mac. So the above network boils down to this: 2switches.png with STP enabled on both ends, on bridge level, auto fail-over will function # R1 /interface bridge add name=bridge /interfac...

sebastia

well, there are two in this setup CRS & CSS...

sebastia

The only thing that draw my attention was dhcp-snooping on bridge, but its supposed to be done in hardware on AR8327... some other thoughts * check that counters for FastPath are "moving" * check cpu usage during transfer * do you test with multiple streams? * check bridge ports have "...

sebastia

could you post the config?

sebastia

remember something similar

viewtopic.php?f=2&t=126354&hilit=ccr+cpu

sebastia

which version are you running? remember that there was a bug in ROS with regards to that;
Ros 6.45.1:
*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking;

sebastia

Hey

Do you have connection tracking enabled?
was the ddos on ipv6? there was an issue with that not so long ago (implementation in ROS), with a patch release. do you have it?

Edit: just noticed you don't have connection tracking enabled viewtopic.php?f=2&t=151403

sebastia

hey, list your fill firewall rule set, for both ipv4 & ipv6. what I'm wondering: you have fasttrack dummy rule, but not fast track itself..., view is incomplete fasttrack will bypass most of ip processing for bigger part of packets of a connection, but on regular basis packets will be processed ...

sebastia

Anyway, once you put interfaces in a bridge, all configuration related to them needs to be done on the level of bridge. That includes ips, vlans, ... from the sound of it, you would want to bridge the vlans only, 3 and "1" (or another but untagged on ether1) If that's not enough, I would a...

sebastia

And what is the point of all that? These are still separate networks...

At least your footer is totally correct :-p

sebastia

is there a way to set 80/20 for example? Not directly, but you can achieve this by being creative: repeat a link multiple times, for 80/20, pretend you have 5 links each good for 20% of traffic: wan1,wan1,wan1,wan1,wan2 Another option, is bandwidth based load-balancing: https://forum.mikrotik.com/v...

sebastia

the default routes are only relevant in context of fail-over: each connection gets assigned to either Wan1 or Wan2 in mangling, only when that link is not up will the default be relevant. the current load balancing is 50/50 add action=mark-connection chain=prerouting connection-mark=no-mark \ dst-ad...

sebastia

you should remove fasttrack (action=fasttrack-connection, 3 instances), as it's not compatible with loadbalancing "add action=accept chain=prerouting comment=router dst-address-list=router" should be at the beginning of chain / before all LB logic your default routes should have different ...

sebastia

as stated there("conntrack by default is most expensive RouterOS facility"), the high cost of/before "filter" table is the connection tracking logic. If it's disabled, it won't matter whether it's in raw or filter.

sebastia

actually that one

Since RouterOS v6.42 Netwatch is limited to read,write,test,reboot script policies.

To access global variables, "policy" right is needed

sebastia

Let me rephrase: bridge is not what you are looking for = wrong in this case.

vlan3 & lan have different ip ranges so direct communication between devices is not possible -> a router between is needed to do the forwarding. A bridge will not solve that.

Search found 1857 matches