MikroTik

2frogs

If you plug your computer into the cable that is on ether1, does it get an IP address. If it does, make sure it is not in the same range as your router (ie 192.168.88.0/24). I don't see anything in config that would prevent it from obtaining an IP.

2frogs

On CRS, navigate to IP>Addresses. Or

/ip address remove [find address="192.168.88.1/24"]

The address is most likely a left-over from the default config.

2frogs

Since you have a dhcp-client on bridge, just remove the 192.168.88.1/24 address

2frogs

Change: add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \ dst-port=180,1443 protocol=tcp to add action=masquerade chain=srcnat comment=Hairpin NAT dst-address=192.168.88.0/24 src-address=192.168.88.0/24 as SOB suggested as it is universal. Do you have any static...

2frogs

And you have flushed dns on your device?
What is doing or not doing?
Can you provide:

/ip firewall nat export

2frogs

Try disabling the fast-track firewall rules.

2frogs

@sebastia

I believe you missed that the server is on ports 180 & 1443. Static DNS entries will not work in this case as it points to ports 80 & 443.

2frogs

Instead of the DNS trick, try correcting your dst-nat rules. If you have a static IP: /ip firewall nat add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=your.external.ip.address protocol=tcp to-addresses=192.168.88.245 to-ports=180 add action=dst-nat chain=dstnat comment=Le...

2frogs

What you are seeing is normal. The data rate is the combined theoretically possible rate for upload and download. Since the AP and Client can only send or receive and do so to a single device at a time it will half the data rate. And as you noticed, if you connect a second device and try to download...

2frogs

The best way to set it up is to use Winbox to reset without default and configure it manually. Once you have reset the wAP, you will have to connect to it using it MAC Address. Now you can setup a bridge and add ether1 and wlan1 to it. And now configure wlan1 to be a station with the proper SSID and...

2frogs

The Hotspot Trial user is perfect for what you want. You can edit the default login.html to remove the login box and use the trial user link as the "click here" to agree. https://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot https://wiki.mikrotik...

2frogs

So if you put these in terminal they run, but not from the script? /system script run firewall-to-backup /system script run firewall-to-main You could also change from using in/out-interface to interface-list and not have to change the firewall rules at all: /interface list add comment=defconf name=...

2frogs

/tool user-manager user set [find shared-users=unlimited] shared-users=1

2frogs

You mentioned untagging/tagging is why I suggested a bridge. But yes, you can put the IP and DHCP Server directly on vlan1. And you can then remove the bridge port for vlan1 as it is not needed.

2frogs

Do you have a static route to your LAN set on the Synology and a static route to the Synology from the Router?

2frogs

I believe you need to create a new bridge for the vlan and add IP and DHCP Server to the new bridge. Then change the bridge port for vlan1 to the new bridge. /interface bridge add name=vlan1-bridge /interface bridge port add bridge=vlan1-bridge interface=vlan1 The rest of your config should remain t...

2frogs

You will need to use vlans, but having two networks in both buildings should not be a problem. There are many tutorials and examples on this forum and elsewhere. You will need a clan capable switch. Or if you only need a few ports and it is indoors you can use something like an hAP-AC/hAP-AC2 and br...

2frogs

I would use the Wireless Wire to bridge the buildings as it can provide wire speeds.

2frogs

The app uses the Winbox port to connect. You can specify the correct port in the address field of app like; 192.168.88.1:1234

2frogs

From Terminal run this command:

/export hide-sensitive file=export

Download and edit the export.rsc using a text editor to remove any public ips or identifying information and paste using the code wrapper [ code][ /code].

2frogs

Try adding this to the top of your mangle rules:

/ip firewall mangle
add action=accept chain=prerouting dst-address=10.255.255.0/24 in-interface=bridge

I believe your rules are too loose and catching any traffic from your LAN to VPN IP ranges.

2frogs

Thought I would let you know that L2TP/IPSec is not any better. I have a TS-431XeU with AnnapurnaLabs Alpine AL-314 32-bit ARM® Cortex-A15 quad-core 1.7GHz processor and 10-11MB/s is all it will do at 40% CPU usage. QVPN represents only 10% CPU usage.

2frogs

Separation will do wonders too. Both horizontal and vertical. Any radio device back to back on a mast is usually a bad idea. 2-3 meters vertically and 1 horizontal is about minimal in my opinion.

2frogs

/ip firewall filter 
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

This rule, since no interfaces are listed and it is above the drop rule (they are processed in order), allows pings from any where.

2frogs

This rule is blocking access: /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN Your VPN is not included in interface-list. You can add it under /ppp profiles: /ppp profile add local-address=192.168.1.1 name=Ovpn-profile remote-a...

2frogs

The bridge is the correct place for the dhcp-client as it is the master interface. It looks like the quick-set is broken, but since it is based off of simple scripts it is limited in functionality and should not be used passed initial setup anyway.

2frogs

:if ([:len [/ip ipsec policy find dst-address=10.0.0.0/16]]=0) do={:put "Not Found" } else={:put "Found"} Or :if ([:len [/ip ipsec policy find dst-address=10.0.0.0/16]]>0) do={:put "Found"} el se={:put "Not Found"} A missing value is not 0, it is null and ROS scripts can't handle nulls. But you can...

2frogs

I am sorry, I either miss read your original setup or confused it with another. You don't even need the ddns hack. Use dst-address=192.168.1.252. /ip firewall nat add chain=srcnat action=src-nat protocol=tcp src-address=10.0.1.0/24 dst-address=192.168.1.252 to-address=10.0.1.1 out-interface=bridge d...

2frogs

Yes, you can use the DDNS you already have setup.

2frogs

On your 10.0.1.1, enable the built in DDNS. Now add your DDNS URL to an address-list with a name like My_IP. You now use dst-address-list in place of dst-address in the hair-pin nat tutorials.

You can also use the DDNS URL to access your server without having to know your current IP.

2frogs

In Terminal, the [TAB] key can be your friend!

It can auto complete command and list: directories, commands and variables

2frogs

Correct! It is already accepted!

2frogs

The default for the firewall filter is to accept. If you remove all rules, everything would be accepted. If you only add chain=forward action=drop, then all being forwarded would be dropped. Now change that rule to include in-interface=ether1 and now only forwards coming from ether1 are being droppe...

2frogs

unset

/ip firewall nat unset [find action=masquerade] out-interface

2frogs

That is correct, you need both rules.

2frogs

@anav
hmm, so glad we can agree it could be done with a single rule:
"And your Filter rule need to be for chain=forward: (or enable the default drop rule)"

2frogs

Or add script to ppp profile to add/remove the interface when you login/logout: on-up=/interface list member add list="LAN" interface=[/interface get [find type=l2tp-in && dynamic=yes] name] on-down=/interface list member remove [find interface!="bridge" && list="LAN"] Or you can also set l2tp serve...

2frogs

You also need a src-nat:

/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.4 to-address=192.168.0.1

2frogs

The Wireless Wire is basically 2 WAP 60G AP, just pre-configured as PtP pair (they can be reconfigured). They have a 60 degree beam width, so depending on the lay out it could cover your end points. There is also a WAP 60Gx3 AP that can cover 180 degrees.
https://mikrotik.com/product/wap_60gx3_ap

2frogs

You can not use 802.11 and NV2 at same time. A dedicated point to point or point to multi-point would be better than trying to use an AP that has other wireless users on it. Have you seen: https://mikrotik.com/product/wap_60g_ap https://mikrotik.com/product/wireless_wire These should be able to conn...

2frogs

Your NAT rules do not need a to-port unless your are changing ports. They should look like this: /ip firewall nat add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89 add action=dst-nat chain=dstnat comment="ALA US...

2frogs

There are actually major differences between the 2 routers when you consider the firewall rules. On Router 1, the default drop for input is dropping all from ether1, which is your WAN. By default it is accepting from all other ports including all other ethers, wlans, bridges, l2tp ,etc. /ip firewall...

2frogs

Yes

/log print file=log.txt

A remote syslog might b a better option depending on intended use.
https://wiki.mikrotik.com/wiki/Manual:System/Log

2frogs

Most likely a partially failed update or some corruption in OS.

2frogs

Create a address-list name=payment_gateway and add www.some.paymentsystem.com and dns ip to it.
Now add dst-address-list!=payment_gateway to both of your rules. The "!" means "not".

This should work for http, but I don't think it will for https...

2frogs

Is x.x.x.x a unique ID or do you have multiple with gateway=x.x.x.x? Copy and paste the following in Terminal: /ip route add dst-address=1.2.3.4/32 gateway=1.2.3.4 distance=5; :if ([/ip route get [find gateway=1.2.3.4] distance]=5) do={:put "True"} else={:put "False"}; ##Should have output of "True"...

2frogs

Spacing maybe!?!? This works for me:

:if ([/ip route [find gateway=x.x.x.x] distance]=2) do={:log error “True”}

2frogs

Code: Select all
/system logging
add topics=debug

Have tried disabling this?

2frogs

https://mikrotik.com/thedude

2frogs

https://wiki.mikrotik.com/wiki/HotSpot_ ... login_page
or
https://mum.mikrotik.com//presentations ... ichael.pdf

Search found 530 matches