MikroTik

2frogs

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related

You will need to disable fasttrack as it will break mangle rules.

2frogs

Have you set the cable modem to forward the ports to the mikrotik? I see references to a 192.168.1.1 address in a couple of locations that I am assuming is your cable router. If your mikrotik is getting DHCP from 192.168.1.1 and has an 192.168.1.xxx IP, you will have to forward those ports on the ca...

2frogs

add action=accept chain=input dst-port=1723 comment="accept PPTP" protocol=tcp This needs to go either above or below the "defcon: accept ICMP" because the order matters. Also, chain=input is for any thing going to the router itself. And chain=forward is anything being forwarded by the router (WAN ...

2frogs

2frogs

https://wiki.mikrotik.com/wiki/Manual:License https://wiki.mikrotik.com/wiki/Manual:CHR#Free_licenses In short the x86 version has a 24hr demo (level 0) or a very limited demo (level 1.) The CHR has a free version, limited to 1mpbs/interface. Or 60 day trial mode for any CHR License Levels (P1, P10,...

2frogs

/ip firewall nat add chain=dstnat dst-address=!192.168.88.1 dst-port=80 protocol=tcp dst-address-type=local to-address=192.168.88.253 You can enable the DDNS under IP>Cloud and use the DDNS to access the device. You could also use the DDNS to do the dstnat: /ip firewall address-list add address=you...

2frogs

On the RBMetal, change mode=bridge to mode=ap-bridge, mode=bridge only allows 1 connected client. /interface wireless set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce \ disabled=no hide-ssid=yes mode=ap-bridge security-profile=profile1 ssid=\ <SSID HERE> wps-mode=disabled

2frogs

One use case would be vdsl2 areas where the 2.4ghz bands are overcrowded and all but unusable. Another would be for wireless internet providers that use 2.4ghz bands to distribute internet, they can provide a router they can set to not interfere with the channel they are using to connect that client.

2frogs

First issue is that the LAN IP address should be on the bridge interface since it is the master and ether2 is slaved to it.

Second, is that your NAT rule has your IP scope on src-address-list instead of src-address. You could define an address-list and use that instead.

2frogs

Usually seeing the same MAC with multiple IPs is caused from having a pool set in the hotspot or from having dhcp lease times set too short. Setting a IP pool in the hotspot will create a 1:1 NAT for devices that have a static IP. And sometimes it will NAT devices that received a IP from the dhcp se...

2frogs

If you plug your computer into the cable that is on ether1, does it get an IP address. If it does, make sure it is not in the same range as your router (ie 192.168.88.0/24). I don't see anything in config that would prevent it from obtaining an IP.

2frogs

On CRS, navigate to IP>Addresses. Or

/ip address remove [find address="192.168.88.1/24"]

The address is most likely a left-over from the default config.

2frogs

Since you have a dhcp-client on bridge, just remove the 192.168.88.1/24 address

2frogs

Change: add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \ dst-port=180,1443 protocol=tcp to add action=masquerade chain=srcnat comment=Hairpin NAT dst-address=192.168.88.0/24 src-address=192.168.88.0/24 as SOB suggested as it is universal. Do you have any static...

2frogs

And you have flushed dns on your device?
What is doing or not doing?
Can you provide:

/ip firewall nat export

2frogs

Try disabling the fast-track firewall rules.

2frogs

@sebastia

I believe you missed that the server is on ports 180 & 1443. Static DNS entries will not work in this case as it points to ports 80 & 443.

2frogs

Instead of the DNS trick, try correcting your dst-nat rules. If you have a static IP: /ip firewall nat add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=your.external.ip.address protocol=tcp to-addresses=192.168.88.245 to-ports=180 add action=dst-nat chain=dstnat comment=Le...

2frogs

What you are seeing is normal. The data rate is the combined theoretically possible rate for upload and download. Since the AP and Client can only send or receive and do so to a single device at a time it will half the data rate. And as you noticed, if you connect a second device and try to download...

2frogs

The best way to set it up is to use Winbox to reset without default and configure it manually. Once you have reset the wAP, you will have to connect to it using it MAC Address. Now you can setup a bridge and add ether1 and wlan1 to it. And now configure wlan1 to be a station with the proper SSID and...

2frogs

The Hotspot Trial user is perfect for what you want. You can edit the default login.html to remove the login box and use the trial user link as the "click here" to agree. https://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot https://wiki.mikrotik...

2frogs

So if you put these in terminal they run, but not from the script? /system script run firewall-to-backup /system script run firewall-to-main You could also change from using in/out-interface to interface-list and not have to change the firewall rules at all: /interface list add comment=defconf name=...

2frogs

/tool user-manager user set [find shared-users=unlimited] shared-users=1

2frogs

You mentioned untagging/tagging is why I suggested a bridge. But yes, you can put the IP and DHCP Server directly on vlan1. And you can then remove the bridge port for vlan1 as it is not needed.

2frogs

Do you have a static route to your LAN set on the Synology and a static route to the Synology from the Router?

2frogs

I believe you need to create a new bridge for the vlan and add IP and DHCP Server to the new bridge. Then change the bridge port for vlan1 to the new bridge. /interface bridge add name=vlan1-bridge /interface bridge port add bridge=vlan1-bridge interface=vlan1 The rest of your config should remain t...

2frogs

You will need to use vlans, but having two networks in both buildings should not be a problem. There are many tutorials and examples on this forum and elsewhere. You will need a clan capable switch. Or if you only need a few ports and it is indoors you can use something like an hAP-AC/hAP-AC2 and br...

2frogs

I would use the Wireless Wire to bridge the buildings as it can provide wire speeds.

2frogs

The app uses the Winbox port to connect. You can specify the correct port in the address field of app like; 192.168.88.1:1234

2frogs

From Terminal run this command:

/export hide-sensitive file=export

Download and edit the export.rsc using a text editor to remove any public ips or identifying information and paste using the code wrapper [ code][ /code].

2frogs

Try adding this to the top of your mangle rules:

/ip firewall mangle
add action=accept chain=prerouting dst-address=10.255.255.0/24 in-interface=bridge

I believe your rules are too loose and catching any traffic from your LAN to VPN IP ranges.

2frogs

Thought I would let you know that L2TP/IPSec is not any better. I have a TS-431XeU with AnnapurnaLabs Alpine AL-314 32-bit ARM® Cortex-A15 quad-core 1.7GHz processor and 10-11MB/s is all it will do at 40% CPU usage. QVPN represents only 10% CPU usage.

2frogs

Separation will do wonders too. Both horizontal and vertical. Any radio device back to back on a mast is usually a bad idea. 2-3 meters vertically and 1 horizontal is about minimal in my opinion.

2frogs

/ip firewall filter 
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

This rule, since no interfaces are listed and it is above the drop rule (they are processed in order), allows pings from any where.

2frogs

This rule is blocking access: /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN Your VPN is not included in interface-list. You can add it under /ppp profiles: /ppp profile add local-address=192.168.1.1 name=Ovpn-profile remote-a...

2frogs

The bridge is the correct place for the dhcp-client as it is the master interface. It looks like the quick-set is broken, but since it is based off of simple scripts it is limited in functionality and should not be used passed initial setup anyway.

2frogs

:if ([:len [/ip ipsec policy find dst-address=10.0.0.0/16]]=0) do={:put "Not Found" } else={:put "Found"} Or :if ([:len [/ip ipsec policy find dst-address=10.0.0.0/16]]>0) do={:put "Found"} el se={:put "Not Found"} A missing value is not 0, it is null and ROS scripts can't handle nulls. But you can...

2frogs

I am sorry, I either miss read your original setup or confused it with another. You don't even need the ddns hack. Use dst-address=192.168.1.252. /ip firewall nat add chain=srcnat action=src-nat protocol=tcp src-address=10.0.1.0/24 dst-address=192.168.1.252 to-address=10.0.1.1 out-interface=bridge d...

2frogs

Yes, you can use the DDNS you already have setup.

2frogs

On your 10.0.1.1, enable the built in DDNS. Now add your DDNS URL to an address-list with a name like My_IP. You now use dst-address-list in place of dst-address in the hair-pin nat tutorials.

You can also use the DDNS URL to access your server without having to know your current IP.

2frogs

In Terminal, the [TAB] key can be your friend!

It can auto complete command and list: directories, commands and variables

2frogs

Correct! It is already accepted!

2frogs

The default for the firewall filter is to accept. If you remove all rules, everything would be accepted. If you only add chain=forward action=drop, then all being forwarded would be dropped. Now change that rule to include in-interface=ether1 and now only forwards coming from ether1 are being droppe...

2frogs

unset

/ip firewall nat unset [find action=masquerade] out-interface

2frogs

That is correct, you need both rules.

2frogs

@anav
hmm, so glad we can agree it could be done with a single rule:
"And your Filter rule need to be for chain=forward: (or enable the default drop rule)"

2frogs

Or add script to ppp profile to add/remove the interface when you login/logout: on-up=/interface list member add list="LAN" interface=[/interface get [find type=l2tp-in && dynamic=yes] name] on-down=/interface list member remove [find interface!="bridge" && list="LAN"] Or you can also set l2tp serve...

2frogs

You also need a src-nat:

/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.4 to-address=192.168.0.1

2frogs

The Wireless Wire is basically 2 WAP 60G AP, just pre-configured as PtP pair (they can be reconfigured). They have a 60 degree beam width, so depending on the lay out it could cover your end points. There is also a WAP 60Gx3 AP that can cover 180 degrees.
https://mikrotik.com/product/wap_60gx3_ap

2frogs

You can not use 802.11 and NV2 at same time. A dedicated point to point or point to multi-point would be better than trying to use an AP that has other wireless users on it. Have you seen: https://mikrotik.com/product/wap_60g_ap https://mikrotik.com/product/wireless_wire These should be able to conn...

2frogs

Your NAT rules do not need a to-port unless your are changing ports. They should look like this: /ip firewall nat add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89 add action=dst-nat chain=dstnat comment="ALA US...

2frogs

There are actually major differences between the 2 routers when you consider the firewall rules. On Router 1, the default drop for input is dropping all from ether1, which is your WAN. By default it is accepting from all other ports including all other ethers, wlans, bridges, l2tp ,etc. /ip firewall...

2frogs

Yes

/log print file=log.txt

A remote syslog might b a better option depending on intended use.
https://wiki.mikrotik.com/wiki/Manual:System/Log

2frogs

Most likely a partially failed update or some corruption in OS.

2frogs

Create a address-list name=payment_gateway and add www.some.paymentsystem.com and dns ip to it.
Now add dst-address-list!=payment_gateway to both of your rules. The "!" means "not".

This should work for http, but I don't think it will for https...

2frogs

Is x.x.x.x a unique ID or do you have multiple with gateway=x.x.x.x? Copy and paste the following in Terminal: /ip route add dst-address=1.2.3.4/32 gateway=1.2.3.4 distance=5; :if ([/ip route get [find gateway=1.2.3.4] distance]=5) do={:put "True"} else={:put "False"}; ##Should have output of "True"...

2frogs

Spacing maybe!?!? This works for me:

:if ([/ip route [find gateway=x.x.x.x] distance]=2) do={:log error “True”}

2frogs

Code: Select all
/system logging
add topics=debug

Have tried disabling this?

2frogs

https://mikrotik.com/thedude

2frogs

https://wiki.mikrotik.com/wiki/HotSpot_ ... login_page
or
https://mum.mikrotik.com//presentations ... ichael.pdf

2frogs

No, no, no. The WLAN will automatically turn on as soon as someone connects to it. It's so obvious. OK! :mrgreen: /system scheduler add interval=10m name=wlan1-auto-on/off on-event=":if ([/interface wireless get wlan1 disabled]=yes) do={\r\ \n:log info \"Checking for Wireless Users\"\r\ \n; /interf...

2frogs

Use Hotspot with Trial User enabled. You can set your limits by time and/or data and have it reset after a defined period. Now edit/replace login.html the following code and users will be logged in automatically. <!DOCTYPE html> <html> <head> <meta http-equiv="refresh" content="0; url=$(link-login-o...

2frogs

With all ports bridged it does not need a gateway for the clients. It acts like a switch and passes connection through it. It does need a default route for the router itself to connect to the internet. Adding one would allow your NTP Client to work. Should look something like: /ip route add dst-addr...

2frogs

Use Virtual Machine software (I use VirtualBox) to setup 2 Virtual CHR's. You need 2 virtual ethernet interfaces for each. They need minimal setup: ##Gateway1 /ip address add address=192.168.100.1/24 interface=ether2 network=192.168.100.0 /ip dhcp-client add disabled=no interface=ether1 /ip firewall...

2frogs

If you are using the default firewall rules, you could change the default forward drop rule to: /ip firewall filter add chain=forward connection-nat-state=dstnat in-interface=WAN action=accept add chain=forward out-interface=!WAN action=drop And if you are not doing DST-NAT or UPNP, you can omit the...

2frogs

Edit: post duplicated.

2frogs

Here is the correct code: /ip firewall mangle add action=mark-connection chain=forward comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In" add action=mark-connection chain=forward comment="ISP2-In" in-interface=ether2 new-connection-mark="ISP2-In" add action=mark-routing chain=prerou...

2frogs

Oops, I copy/paste wrong section of code. Correct it as @sebastia stated. Sorry for my mistakes!

2frogs

One device has metal casing to give more focus.

So, have you tried without the metal casing?

2frogs

Put this in scheduler:

:if ( [ :len [/interface wireless registration find] ] <= 0 ) do={ /interface wireless disable wlan1; :log info "No Wireless Users - Wireless Disabled";}

2frogs

You will need to put the LAN and all 3 AP's on separate VLAN's. Then create a Hotspot Server for each VLAN. Then on each Username, you can specify which Server that Username is for.

2frogs

You need to mark connections coming in to each WAN and then make routing mark based on those connections: /ip firewall mangle add action=mark-connection chain=input comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In" add action=mark-connection chain=input comment="ISP2-In" in-interfa...

2frogs

Use Winbox to connect using MAC Address. Most likely the default firewall rules is blocking IP access.

2frogs

Add the MAC of the other Basebox in /interface wireless access-list with forward=no and authentication=no. Do this on both.

2frogs

I made the same mistake and tried to reconfigure them as you did. I ended up having to reset to default and swapping the units. I wonder if the slave in the set is only capable of being CPE.

2frogs

See the comment in the speedtest result as shown in your screenshots. CRS devices are intended to be used as hardware switches - they can do some routing and provide some services but the as CPU is not powerful you cannot use them to do wirespeed routing, for example. In my case, i ma talking about...

2frogs

That is correct, although you do not need the forward rule because your default forward drop rule drops all forwarded traffic unless it is in dst-nat: /ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new...

2frogs

You do not have the default firewall. It should include the following: /ip firewall filter add action=accept chain=input connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic." add action=drop chain=input connection-state=invalid comment=...

2frogs

On both the hAP and wAP, use WISP AP from quickset after reset from no-default. After you configure the wireless, select Mode=Bridge, Address Acquisition=Automatic, Bridge All LAN Ports=yes and hit apply. After a couple seconds hit Apply again and it should now have IP from your RB3011. You can now ...

2frogs

I suspect the IP Address is not on the right interface. In winbox, ip>addresses, be sure that the IP is on interface=bridge (or the name of your bridge.)

2frogs

Quickset sets up the VPN using a separate subnet (192.168.89.0/24) than the default (192.168.88.0/24). You change it to the IP and subnet of the router if you wish. It is not advisable to use Quickset past the initial setup, especially if changes where made outside of Quickset. It relies on a basic ...

2frogs

No need to remove dhcp, but you will need to change:
ip/address
ip/pool
ip/dhcp-server/network

And any firewall, nat or mangle rules rules...

2frogs

Sorry, I misunderstood! There is no performance issues with leaving the device powered on. Some changes are better facilitated with restart. Changing the IP scope is one of them. But RouterOS boots fast, less than a minute even while upgrading firmware. And yes you can change IP to /16 if not alread...

2frogs

No, I have devices that are powered off daily when not in use. The only issue I have had is them being powered off while updating. This requires the Net Instal tool to recover.

2frogs

keepalive-timeout=10m

Restarting the router will reset all hotspot user data and remove the mac-cookies. Otherwise, there are no issues with restarting or leaving it powered off for length of time.

2frogs

Input/Output rules are to/from the router itself. And generally, prerouting is used if a routing decision is to be made by he mangle rule. Most other rules will use forward.

2frogs

The data is stored in RAM and not DISK. This is why it is reset after each reboot. You can search for scripts to save the data to disk or use User Manager.

2frogs

You did not mention what Mikrotik device you are using, but some devices only have a Level 3 License and will only work as a Station (CPE) or wireless Bridge to a single device (PtP).

2frogs

Does it have the Detect Internet set?

2frogs

/ip firewall address-list add address=127.0.0.1 list=allow-ip /ip firewall filter add action=drop chain=input comment=\ "You can say thanks on the WebMoney Z399578297824" dst-port=\ 8778,8728,8729,22,23,80,443,8291 protocol=tcp src-address-list=blacklist add action=accept chain=input comment=\ "Ple...

2frogs

Use WinBox; https://download.mikrotik.com/routeros/ ... winbox.exe
In the Neighbors Tab, click on the MAC of the device and it will load in the Connect To field. Enter your credentials below it.

2frogs

IP>Services, this is where you enable/disable, set port # and can set IP's for access. If it is enabled there and your still not able to connect, you will need to check your firewall rules IP>Firewall>Filter to be sure access is not being blocked there. Provide /export if you need any further assist...

2frogs

/ip firewall filter add action=accept chain=input comment=pingcatch in-interface-list=LAN log=yes \ log-prefix=Ping protocol=icmp /system scheduler add interval=1s name=pingbeep on-event=":global pingcont;\r\ \n:if ([:len \$pingcont]=>0) do={:set \$pingcont [/ip firewal filter ge nd comment=\"pingc...

2frogs

As long as your POE is providing the max power draw for each device, then there should be no difference between POE and Power Supply.

2frogs

viewtopic.php?t=49106#p249410

2frogs

Use export. Upload export.rsc. Do /system reset-configuration no-defaults=yes run-after-reset=export.rsc.

This will reset device without default values and import the new settings.

2frogs

This seems to me a DNS or NAT issue. Your NAT rule, although unconventional, should work. I would lean more to DNS. Is the CCR able to resolve DNS it’s self? If you change the DNS server from 192.168.1.1 to 8.8.8.8, does it browse better?

2frogs

If you are attempting to connect using ether 2-5, then this is your issue: /interface list member add comment="Org LAN Bridge2" interface=Bridge2 list=LAN add comment="ISP WAN" interface=Ether1-WAN list=WAN /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LA...

2frogs

I prefer this nat rule over using the ddns shown in the video.

add action=dst-nat chain=dstnat dst-address-type=local dst-address=!192.168.40.1(or router ip) dst-port=80,443  to-addresses=192.168.40.13

2frogs

I would use separate VLANs for each AP and create a Server for each VLAN with different Server Profiles.

2frogs

There should be a setting in your phones vpn settings to send all traffic through the vpn. This is controlled on client side.

2frogs

You could use the Hotspot. In ip-bindings, set your active customers IP's to bypass. Now do as @joegoldman suggest and change their IP to a Hotspot IP and they will get captured by the Hotspot and served the login.html page.

2frogs

-30 is too strong of a signal. Reduce the power on both to maintain a -50 on both. 35Mbps is about the max you can expect from the NanoStation5.

2frogs

No, -79 would be correct. -81 will fall between -120 and -80 and therefore conflict.

2frogs

I would look more at a PtMP antenna for your fixed site. That would make aiming only critical from the temporary location. Especially if the location could change each time.

2frogs

You can delete these, DNS alone is a nominal traffic; /ip firewall filter add action=fasttrack-connection chain=forward comment="Fasstrack DNS TCP" \ dst-port=53 protocol=tcp add action=fasttrack-connection chain=forward comment="Fasttrack DNS UPD" \ dst-port=53 protocol=udp And add this if your CPU...

2frogs

Actually the chart shows the range for the which the max data-rate can be obtained. The fading red line is the maximum distance for the lowest data-rate.

2frogs

If you are new to networking, you should not change the default firewall rule. The default firewall are sufficient for home users.

2frogs

i would do a netinstall and the attempt a restore from backup.

2frogs

I believe I want station-pseudobridge and I am aware of the L2 limitations but as this is a IP routed network should still be possible? https://wiki.mikrotik.com/wiki/Manual:Wireless_Station_Modes This indicates station-pseudobridge is for a single client. A bridge is not a routed network. Got it w...

2frogs

In your example, “;” is still required at the end of the first line. It stands for “New Line.” Not true anymore "New Line" works nice. No need for ; anymore. Only if you like more commands on one line. https://wiki.mikrotik.com/wiki/Manual:Scripting The end of command line is represented by the tok...

2frogs

In your example, “;” is still required at the end of the first line. It stands for “New Line.”

2frogs

I know but I want to be able to access from anywhere and that is not possible if you use whitelist. Actually, Port Knocking allows for this. https://wiki.mikrotik.com/wiki/Port_Knocking But, the short answer is to add an accept for an Source IP before your brute force. Or edit brute force to includ...

2frogs

This can be done with login time-out. However, 10-30 seconds would cause "Already Authorizing, retry later error" if the RADIUS is not done the first authentication request or if the authentication process is still in progress. Actually this has no effect on the OP’s issue, it does take the removal...

2frogs

Another solution is a script to kick any host that is not authorized that runs every 10-30 seconds. Maybe combine this with a delayed redirect of equal time.

2frogs

Not sure it would be any more of a hole than them simply changing their MAC to the same as another user.... shared-user=1 will help prevent this.

2frogs

Yeah, OK. I do recall this behavior and it is easy to reproduce. Create a disable user with MAC of device. Open browser to be caught by portal, then enable user. Now try browsing again and still get caught by portal. Kick host and will login on next attempt. You can login using the MAC as user. Redi...

2frogs

The client should simply be able to browse to web page again to be authenticated. Or you could redirect to a non-walled-garden page as the last step in your payment process. All login processes require a http request. The Hotspot will only resend authorization request if it has not received a respon...

2frogs

Do you have the FTP service enabled and on port 21 of the router? What other firewall rules do you have?
/ip firewall filter export

2frogs

in /ip firewall filter -> add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list” disabled=no This is correct! chain=input is for traffic going to the router itself. https://i.ibb.co/8PcZr6h/1.jpg...

2frogs

Your screenshot suggests you have the rule on chain=forward instead of chain=input...

2frogs

@sebastia

You have miss understood the problem of the OP! He has a forward rule to explicitly allow the dst-nat port. And the problem he is having is when that rule was disabled, he is still able to reach the port. The answer is what I provided. The default drop rule is allowing this traffic.

2frogs

/ip firewall add action=drop chain=forward comment="drop unvanted local traffic" connection-nat-state=!dstnat connection-state=new in-interface=ether10-WAN This is the default drop rule! Any connection coming from WAN would first be New and therefore dropped, unless it is a connection in NAT that i...

2frogs

add action=drop chain=forward comment="drop unvanted local traffic" connection-nat-state=!dstnat connection-state=new in-interface=ether10-WAN This rule allows any DSTNAT rules through the firewall. Remove the connection-nat-state=!dstnat if you only want to specifically allow this traffic with ind...

2frogs

All variables have to be declared that are used in the script, global or not, declared in other scripts or not.

2frogs

I will admit I do not use webfig for any major configurations for this very reason. It is still in development and really only intended for basic changes and preconfigured changes using the quickset (although some of those do not work correctly either.) The need of removing all unused settings, incl...

2frogs

hello to all I have a problem with several equipment mikrotik model slex litle5ac dualband the problem is that it does not see well the signals at 2.4ghz, however close they are the best one sees it at -70db meanwhile another signal 5ghz if it looks perfect up to -40 from the same position because ...

2frogs

Before you change the IP address, create your bridge first. Then assign the static IP to the bridge. Now you should be able to add the ether and wlan to bridge and still access it. When you add the ether/wlan to the bridge it becomes the slave to it and can not have an IP attached to them. And inste...

2frogs

I removed the port in NAT rule, so now it looks like: add action=dst-nat chain=dstnat comment="Plex port forwarding" in-interface=ether1 protocol=tcp to-addresses=\192.168.1.18 to-ports=32400 No, you remove the wrong port. Your rule should be what I posted for you! If that still does not work, make...

2frogs

CPU usage is most likely the cause as it only uses a single core. This bandwidth tool should not be used as an accurate measure.

2frogs

Give this a try!
viewtopic.php?t=135991#p669779

2frogs

What firewall filter rules do you have? Should have an accept rule for either port 32400 or for connection-nat-state=dst (or the default drop with connection-state-nat=!dst.) Are you double NATted? Your NAT rule should work, although you do no need to specify the to-port unless you need to change th...

2frogs

On your mangle rules, use chain=forward... /ip firewall mangle add action=mark-packet chain=forward comment="WAN Zuleitung" in-interface=\ ether1 new-packet-mark=wan_gesamt_up passthrough=no add action=mark-packet chain=forward comment="WAN Zuleitung" \ new-packet-mark=wan_gesamt_down out-interface=...

2frogs

To me the bigger benefit would be that users can create their own account/voucher paid/free and more easily maintain their account.

2frogs

2x PtP is the best option. With PtMP with the AP in middle you will loose 50% of the speed and double the latency as the AP can only communicate with one endpoint at a time. At the mast site, physically separate the 2 devices as much as possible within reason. Use channels as far apart as possible. ...

2frogs

If the device does not touch port 80 (http), then MAC login will not work. If opening a web browser for the device to connect is not an issue, then it is up to preference.

2frogs

That’s correct!

* netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

2frogs

Use action=dst-nat, netmap is intended to do a 1:1 nat between an ip or between sets of multiple ips. Between 2 ips it acts more like an DMZ where it would be port for port. DST-nat is for forwarding either a single port or multiple ports to a device and can be used to forward different ports to dif...

2frogs

The WIKI shows a list of variables that are available for the “on-login” scripts.
https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot/User

List of available variables:

$user
$username (alternative var name for $user)
$address
$"mac-address"
$interface

2frogs

Using auto-mac, the MAC can change after a reboot. Not so great if you are using the MAC for static lease or for other hard coded settings.

2frogs

For some time now:
viewtopic.php?t=134538

In short, Netwatch can only execute scripts with "write, read, test, reboot" policies. Remove all other policies from your scripts.

2frogs

You was nearly there with your code.

/interface bridge
add admin-mac=[/interface ethernet get [find where name="ether1"] mac-address] auto-mac=no name=mybridge

2frogs

It is my understanding that “station-pseudobridge” expects the CPE to be a “bridge” and not a “router”. This would allow a device connected to ether1 to obtain an IP directly from the AP while having it’s MAC translated to the wlan MAC of the CPE.

2frogs

Change the wireless mode from “station-pseudobridge” to “station”.

2frogs

This is what happened to you:
viewtopic.php?t=133533

And I would recommend the added step of doing a Netinstall to insure your device is clean.
https://wiki.mikrotik.com/wiki/Manual:Netinstall

2frogs

/ip firewall nat
add chain=srcnat out-interface-list=WAN src-address-list=group1 action=srcnat to-address=45.45.45.2
add  chain=srcnat out-interface-list=WAN src-address-list=group2 action=srcnat to-address=45.45.45.3

And then disable/remove default masquerade rule.

2frogs

/user add name=user1 group=group1 password=password123

https://mikrotik.com/documentation/manu ... Users.html

2frogs

IP delegation is handled by the DHCP Server and the Address Pool set for it. Under DHCP Lease in DHCP Server is where you make a lease static. IP Binding binds a IP and/or MAC to a specific Hotspot or All. And allows you to Bypass, Block or capture that IP and/or MAC on that Hotspot.

2frogs

In both /ip hotspot server and user profile set address-pool=none. You will still get an address from the DHCP server.

If this does not resolve both issues, you may need to increase your DHCP lease-time a bit!

2frogs

Does your modem hand out DHCP or did you forget to setup a PPPoE-Client on the Mikrotik?

2frogs

If I understood correctly, this is what you need.

/ip dhcp-server lease print where hostname=“pc” file=$n

2frogs

After resetting the mAP and then login with Winbox, you have an option to remove current configuration. Or even better, at some point Reset-Configuration was added to System menu, just check mark "No Default Configuration" and click "Reset Configuration".

2frogs

It looks like the Quick-set is not doing it's job correctly. if you are familiar with Winbox, I would suggest resetting the mAP without a configuration. Then connect to it with Winbox using the MAC address (it should show in the Neighbors tab). Once connected, you can paste the following in a New Te...

2frogs

Hi thanks for the help 2frogs , atm i have done a factory reset on the nano , then did the following : Set the ip to 192.168.2.1 set the dhcp range to 192.168.2.2 >>>> 192.168.2.254 When the nano is connected to the laptop via Ethernet / power supply i am able to connect to it ok on 192.168.2.1 and...

2frogs

In the Quickset of the mAP 2, set it to WISP AP. This adds the Ethernet and Wireless interface to a bridge. Then set it to a static address outside the DHCP range you set on the Nanostation. Now when you connect them together and connect to the wireless of the mAP, you should have Internet and be ab...

2frogs

You also need to change all in-interface= from “BT Modem” to ppoe-out1 in your ip/firewall/filter. And then either add ppoe-out1 to the interface-list=WAN or change your ip/firewall/nat masquerade to out-interface=ppoe-out1 instead of using the list.

2frogs

Do you have a default route on your AP’s?
/ip route add 0.0.0.0/0 gateway=(router ip)

2frogs

Testing to google.com or any other site that redirects you to https:// will not work. You have to try accessing a http site that does not get redirected! Unrelated to your issue, having a pool set under /ip hotspot address-pool other than =none sets a NAT helper intended for devices with a static IP...

2frogs

Why not just manually configure NTP Client on both devices. Here is a guide: https://blog.ligos.net/2018-01-29/NTP-P ... rotik.html

2frogs

Firewall rule order matters! Move filter rule 7 above 6. You are currently dropping everything not established or related.

2frogs

Follow this guide, just replace the VPN with your LTE interface and remove the content=facebook and use dst-address=!<your hotspot ip scope>.
https://wiki.mikrotik.com/wiki/Policy_Base_Routing

2frogs

Are you not able to connect using the MAC address?

2frogs

Do:

/interface bridge set 0 auto-mac=no

As it seems you can not just set admin-mac from terminal. You can set it from winbox also.

2frogs

Are you sure you copied it correctly? It works fine for me!

2frogs

Bridge´s "admin-mac" is 00:00:5E:80:00:04, but it is only shown when I edit the bridge. Not in /interface bridge print or export, not in the hotspot. It should be visable in both print and export. 0 R name="Main" mtu=1500 actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=4C:5E:0C:...

2frogs

Can the Mikrotik resolve DNS properly? Access internet?

Use /tools trace-route and see if it trace to google.com with “use dns” checked.

2frogs

Post /export hide-sensitive.

2frogs

There are several errors! 192.188.254.254 instead of 192.168.254.254.. No DNS under IP>DNS, all DNS request get redirected to the Mikrotik. DHCP lease-time needs to be in a number of hours or some devices (Apple) will not work. Set ip-pool=none in IP>Hotspot, devices will get IP Address from DHCP Se...

2frogs

Or you could just create VAP with different SSID’s for 2.4 and 5.8 in addition to the common SSI. And just connect to the 5.8 SSID.

2frogs

You are maxing out the CPU as it is not strong enough to generate the traffic and also pass it. And that bandwidth test only runs on a single core on multi-core CPU’s. Use iperf between 2 pc’s instead. Bit of a bold claim. A) he 816 drops on that link. Unless he's running 816 btest, this holds no w...

2frogs

For Passive Mode, you do have to forward the Passive Ports as well as the FTP Port.

2frogs

Why do you have captive.apple.com in your walled-garden? iOS uses this url to see if the device is behind a captive portal. If it can access it, it will not pop up the login page.

2frogs

You are maxing out the CPU as it is not strong enough to generate the traffic and also pass it. And that bandwidth test only runs on a single core on multi-core CPU’s. Use iperf between 2 pc’s instead.

2frogs

It goes by total tx output. The number that really matters is the radiated power (antenna gain + tx power - losses). If you have the country set to US and Antenna Gain set to 14 in the Mikrotik settings, then you can leave the power settings to default and the device will control power.

2frogs

Well, there is a lot wrong with that config, but a possible cause for your troubles is the IP is on the wlan interface instead of the bridge.

/ip address add address=10.100.0.7/24 network=10.100.0.0 interface=bridge1

2frogs

Check to see if your network connection type is still Home.
http://www.dummies.com/computers/operat ... windows-7/

2frogs

viewtopic.php?t=94583
Have a look at this.

2frogs

I have seen tutorials for installing Mikrotik CHR on DigitalOcean droplet. Doing this then VPN to it might be a solution.

2frogs

Not sure about from digital ocean, but you can from https://www.tunnelbroker.net/. There is a wiki to help you set it up. https://wiki.mikrotik.com/wiki/Manual:H ... e_for_Home

2frogs

In the meantime... I Believe the router is now infected with something. Its CPU is not 50-85% and im getting 2000 IPs in 4 hours hitting it.. I have not done much work to figure out whats going on yet. It does pass the "check packages" test.. Open DNS resolver most likely. Did you leave “Allow Remo...

2frogs

/tool e-mail send from="rieks@mt.lv" server="159.148.147.198" body="Router down" subject="Router at second floor is down" to="rieks@latnet.lv" port=25 user=rieks password=123abc start-tls=no

2frogs

I am guessing leaving just the Bridge doesn’t work either.

If not email support and include a supout. It looks to be treating the vlan as an external interface instead of internal...

2frogs

What happens when you add the Bridge to the upnp interface also?

2frogs

:do {:if ([/user active print count-only]>0) do={/system script run backup; :delay 30m;}} while=(true); It's not full proof, but works. Just schedule it at startup. If you are using the Dude, you will need to increase the 0 to 1. You can also increase it to 1 and test the script from winbox by open...

2frogs

If you set the backup names to the identity of the device and use unique identities, you should be able to do your backups nightly and will be over written on your server. I do this with nightly exports.

2frogs

The picture doesn't make sense until you label the devices with the red arrows. You shouldn't have to do anything to make the 2 networks communicate if both subnets are defined on the same router. If they aren't talking, you are blocking it. You don't need to add any routes, they are already there ...

2frogs

You just need to add some routes. Change the gateway to your bridges name:

/ip route
add distance=1 dst-address=10.11.128.0/24 gateway=bridge
add distance=1 dst-address=10.124.12.0/24 gateway=bridge
add distance=1 dst-address=124.15.25.0/24 gateway=bridge

2frogs

Do you have a destination nat rule for you PBX? Something like:

/ip firewall nat add chain=dst-nat dst-address=192.168.20.10 protocol=tcp dst-port=5060 to-address=192.168.0.5

2frogs

The Mikrotik and Netgear are not compatible for that type of setup. You can run an network cable betwen them or setup the Mikrotik with a seperate network with the WAN being wlan1 in station mode.

2frogs

I think you have it all wrong. Home/Home Office users do not need that much storage. Using blacklists is the wrong idea. You should be using whitelists. Only allowing trusted ip or temporarily allowing ips is what is need in these situations. Port knocking and trusted address list keeps requirements...

2frogs

Yes, create a bridge for your guest network. Add your guest IP and dhcp Server to that bridge. Then add your 2 vaps under bridge port. You will also need to add a firewall rule to block traffic between your networks.

2frogs

Do you by chance have safe-mode enabled?

2frogs

The CALEA Server is simply a device running RouterOS with the CALEA Package installed. I would recommend a CHR instance, x86 or other device with an actual hard drive. The CALEA Package can be install from the Extra Packages .zip file from https://mikrotik.com/download .

2frogs

https://www.amazon.com/RouterOS-Example-2nd-B-W/dp/0692777083 This book helped me immensely! I would highly suggest buying you a device to test with before messing with production devices. To download your export file you can either drag & drop to your desktop or use an ftp program (if the device ha...

2frogs

You are most likely missing a src-nat. /ip firewall nat add chain=src-nat src-address=192.168.99.0/24 out-interface=bridge action=masquerade set out-interface to the bridge for your main network. To block access from guest to lan: /ip firewall filter add chain=forward src-address=192.168.99.0/24 dst...

2frogs

I just checked 5 different iOS 11.3.1 devices on ROS v6.42.1 and they all work fine. I use the trial feature for my guest network.

2frogs

You can update the current script using: /system script set [find name=scriptname] source=":local currentVPNServer [/interface ovpn-client get vpn-interface connect-to];:local newVPNServer [/resolve newend.point,com;:if ([:len [:toip \$newVPNServer]] > 0) do={:if ( != ) do={/interface ovpn-client s...

2frogs

Add a delay to the top of your script to allow time for all interfaces to initialize.

2frogs

/ip hotspot user print detail file=filename.txt

or

/ip hotspot user export file=filename.txt

Then you should be able to import the txt file into a spreadsheet or in the case of the export simply modify the script directly.

2frogs

Well it didn’t show an error, but here you go:

/ppp active print count-only where (address in 203.0.113.0/24 and !(address in 203.0.113.0/27))

Search found 540 matches