MikroTik

2frogs

Disable the firewall rules before changing to WISP AP. The Quickset is broken, when you make the change it removes the bridge from interface-list=LAN and this causes the firewall filter input rules to drop IP traffic to the router. If you use Winbox, you can connect to the device using the MAC inste...

2frogs

Anav, you need to read up on antenna radiation patterns. Antennas radiate their power in lobes, even omni antennas. The more directional the antenna, the more the lobes are concentrated in one direction and typically there are more lobes. Back lobes are what you need to pay attention to. They radiat...

2frogs

Redirect to your page first and have the login on it (or a link to a separate login page.) This way both android and ios devices will see your advertisements.

2frogs

Your firewall is dropping the traffic. 172.16.0.0/24 is included in the address-list=not_from_intrrnet and is being dropped.

2frogs

Please post your full config. Use “/export hide-sensitive file=myexport” and this will create a myexport.src file you can download and edit with your favorite txt editor. The use of ether2 with slaves is outdated, so you may need to change your IPs to be on your “bridge”. Or you need to consider upd...

2frogs

Long range on Mikrotik marketing is usually referring to multiple km with high gain antennas and not covering a back yard.

The wAP AC has 3 chains on 5ghz compared to 2 chains of the netmetal. And the wAP is the same enclosure as the wireless wire (wAPG-60adkit), so it will be just fine outdoors.

2frogs

PS. The netmetal is what I would get for outdoor and probably with an antenna that has a 180 sector such that I dont get leakage into the house area. This is why you should not be giving product advice! A netmetal with sector is such bad advice for a home user. By the way, the best value Outdoor pr...

2frogs

Testing with the built in tools should not be used a true measure of performance as it uses the cpu for both the test and connectivity.

Only use iperf (or similar) between 2 capable PCs as a true measure of performance. Connect the 2 PCs directly and test first to see what they are capable of.

2frogs

Using dstnat is correct for changing the destination no matter if it is incoming or outgoing! I would suggest changing the ip scope of the pi-hole to outside your lan ip scope. This way you can see individual devises on your pi-hole instead of the router. Add something like 172.16.0.1/24 to the same...

2frogs

Use in-interface or out-interface to use interface name.

You have to define the interface list if you want to use in-interface-list or out-interface-list.

/interface list
add name=WAN

/interface list member
add list=WAN interface=wan

2frogs

Use export instead of print:

/interface wireless export

You should now see if tx-chain=0 or tx-chain=1. It should be tx-chain=0,1. You can change it using:

/interface wireless set wlan1 tx-chain=0,1

2frogs

It is because you have set an address-pool at either /ip hotspot or /ip hotspot user profile. Change both to address-pool=none. Setting an address-pool was intended to help device that might a static IP set in their setting be a able to still connect to the hotspot. That is no longer a common practi...

2frogs

It was most likely the use of Quickset after you had already made changes. Quickset relies on basic scripts to make the changes and if you make changes outside of Quickset, it has know way allowing for your changes. And there are other instances of Quickset just being broke. If can avoid it using it...

2frogs

https://wiki.mikrotik.com/wiki/Manual:Console

2frogs

[tab] button is your best friend in RouterOS.

/[tab] - will show you directory and available commands for that directory

/int[tab] > /interface - auto completes

/interface set [tab] - will show all variables

2frogs

I don’t see a dhcp client.

/ip dhcp-client add interface=lte

The only other odd thing is a blank interface-list-member.

2frogs

/export hide-sensitive file=myconfig

Download myconfig.rsc from Files and edit with your favorite txt editor. Post content.

2frogs

In Quickset it is the very top drop down box, you want “CPE”, but I highly recommend NOT using Quickset as it has a bad habit of breaking things. Just Don’t! I only provided it as one of the places this change could be made... Issue this command in terminal: /interface wireless set wlan1 mode=statio...

2frogs

Auto correct victim.... or poor typing skills....

“ I didn’t say they should.”

2frogs

I didn’t say they should! It could be done in a poor attempt to redirect to their own server. Or a Mom/Pop shop that just doesn’t know any better.

The fact the OP stated this was ongoing from before his Mikrotik router implies to me it is the ISP.

2frogs

I believe both of the previous responses was either backwards or missed the mark, so I am going to give my 2 cents. When you are connecting to a time server, you do so on port 123. This is no different from http on port 80 and https on port 443. The return port is what will be random. Your device wi...

2frogs

Quickset does not make all the necessary changes for the different modes for some reason. A hAP lite (WISP AP) I just tested did not remove the default firewall rules. When a new bridge was created with all ports added, the bridge was removed from interface-list=LAN and replaced with ether2, ether3,...

2frogs

If the modem is in bridge mode, your will need to add an IP address to the interface that it is connected to on the Mikrotik in the range that the modem is in. For example; If your Modem has an IP of 192.168.1.1 and connected to ether1, you would add 192.168.1.2/24 to ether1. /ip address add address...

2frogs

If you plug into the modem directly with your PC or connect to its wireless, do you get an IP from it? Are you able to browse the Internet or ping Internet IPs? If you are having to set an IP in the range of your modem to ping it/ access its web interface, then it is most likely in bridge mode. This...

2frogs

The wAP AC is an excellent outdoor AP.
https://mikrotik.com/product/RBwAPG-5HacT2HnD

2frogs

If mode=station keeps changing to mode=station-wds then it is being changed on Quickset, /interface/wireless or by a script. A WDS link is still possible if mode=station and mode-wds is not =disabled.

2frogs

1. & 2. look good. 3. action=srcnat is normally used when you have multiple IPs on your WAN interface. Using src-address as an example, you could have 1 internal IP use one external IP while the rest of your internal IPs use another. action=masquerade is the default because it works well with a sing...

2frogs

First, thank you for your help. Here is the configuration # jan/02/1970 04:56:35 by RouterOS 6.46.5 # software id = YCEF-KZ52 # # model = RB941-2nD # serial number = D1130BA3F321 /interface bridge add admin-mac=C4:AD:34:C9:6E:47 auto-mac=no comment=defconf name=bridge /interface wireless set [ find...

2frogs

https://mikrotik.com/product/RB750UPr2 The RB750UPr2 is only rated to 30v. It includes a 24v power supply. https://mikrotik.com/product/RB960PGS The RB960PGS (HEX POE) is rated to 57v and includes a 24v power supply. It is passive power, so it will supply what ever you input to it. All Mikrotik POE ...

2frogs

An alternate would be to use something like:

/interface bridge host print

It won't get you the address, but it will get you mac-address and interface it is on. You could then combine this with data from the /ip dhcp-server lease of your router.

2frogs

Since all your ethernet port are slaved to the bridge, only the bridge will show as the interface. You can change the script to: { :local ethlist; :local buffer; :local fileName "address-list"; :foreach i1 in=[/interface find running=yes] do={:set $ethlist [/interface get $i1 value-name=name]; :fore...

2frogs

:foreach i in=[/interface bridge port find where bridge="bro"] do={/interface bridge port set $i pvid=10}

2frogs

:foreach i in=[/ip fire add find where list=name address~".net"] do={:if ([/ping [/ip fire add get $i value-name=address] interval=1s count=5]>0) do={/ ip fire add set $i timeout=30d}}

2frogs

@bpwl This is a Ubiquiti issue. The clients routers are not getting DHCP from the Ubiquiti CPE. I use Mikrotiks at all my towers, using DHCP to hand the IP to the Ubiquiti radios. The radio is configured to then hand out an IP to the customers router . @jakkwb You might try changing lease time to 86...

2frogs

@anav 1. Not sure what you mean!?!? (leave on tcp,upd :53) 2. I believe this would be best, so if there is an issue with it you can redirect to somewhere else. (see 9.) 3. This would be more personal preference. I only use vlan for my Guest network. 4. 192.168.254.1 is pi-Hole in this example: /ip d...

2frogs

This is a strange way of handing out multiple IPs. It is usually considered to be a big No-No to make multiple connections to the same device. You normally have to configure manually for the additional IPs. You might contact your ISP to be sure you have done this correctly.

2frogs

It has it's drawbacks as well! When forwarding, the Pi-hole only sees the Router as a client, so the per client/group blocking won't work. Devices on my network only get 1.1.1.1 & 1.0.0.1, so if I was to disable both sets of NAT rules the devices would still have functioning DNS. I originally had se...

2frogs

Your firewall rules need a lot of work! chain=input is for traffic going to the router it's self (Webfig, Winbox, Ping, DNS, etc.) chain=forward is for any traffic being forwarded by the router (from one interface to another.) All the rules you added mostly belonged to the chain=forward since it was...

2frogs

Not sure if is proper way of handling DNS, but I left Cloudflare as DNS under DHCP-Server>Network and use NAT to redirect to my Pi-hole instance. My Pi-hole has the router set as it's DNS so that I could use Static DNS and the router had Cloudflare set for it's DNS. I have some that I don't want goi...

2frogs

I am going to ask the more obvious! Are you using the default firewall? And did you add ETH3-WAN2 to WAN Interface List?

2frogs

Looks like you are not getting an IP Address on LTE. On your Quick Set page it is empty. And when you pinged 8.8.8.8, which you don’t need DNS to ping IP, it returned “ no route to host”.

2frogs

dstnat: in :pppoe-out1 out:(unknown 0), proto TCP (SYN), 110.54.222.111:49667->101.58.69.xx:3389, len48

You have log=yes (checked), this is the log showing a connection. This is not an error message. Was the client unable to connect to the router?

2frogs

Using Mikrotik Winbox instead of Webfig is the best option. You should be able to connect to the device using the MAC Address to configure your device. It is also best practice to reset the device without default configuration and configure it manually than trying to rely on the basic scripts in the...

2frogs

For the Hotspot to work correctly, it requires internet access so that any html queries can be redirected to the Hotspot login.html landing page. Instead of trying to redirect with firewall, it would be easier to edit the login.html to: <head> <meta http-equiv="refresh" content="5; URL=https://192.1...

2frogs

This is what I use with success;

<head>
  <meta http-equiv="refresh" content="0; URL=https://www.yoururl.com/" />
</head>
<body>
  <p>If you are not redirected in five seconds, <a href="https://www.yoururl.com/">click here</a>.</p>
</body>

Just replace the html code with this.

2frogs

Try increasing DHCP lease-timeout=1d . I know Apple things have issues with the short default lease time.

Edit: just re-read your last post where you changed it, but it might not have been long enough.

2frogs

I have seen lots of explanations of why, most are centered around temporary network issues or bad client devices/drivers. The best solution is to disable the 1:1 NAT by setting the dhcp-pool=none. The 1:1 NAT was introduced to allow devices that had a static IP Address configured to be able to conne...

2frogs

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related

You will need to disable fasttrack as it will break mangle rules.

2frogs

Have you set the cable modem to forward the ports to the mikrotik? I see references to a 192.168.1.1 address in a couple of locations that I am assuming is your cable router. If your mikrotik is getting DHCP from 192.168.1.1 and has an 192.168.1.xxx IP, you will have to forward those ports on the ca...

2frogs

add action=accept chain=input dst-port=1723 comment="accept PPTP" protocol=tcp This needs to go either above or below the "defcon: accept ICMP" because the order matters. Also, chain=input is for any thing going to the router itself. And chain=forward is anything being forwarded by the router (WAN ...

2frogs

2frogs

https://wiki.mikrotik.com/wiki/Manual:License https://wiki.mikrotik.com/wiki/Manual:CHR#Free_licenses In short the x86 version has a 24hr demo (level 0) or a very limited demo (level 1.) The CHR has a free version, limited to 1mpbs/interface. Or 60 day trial mode for any CHR License Levels (P1, P10,...

2frogs

/ip firewall nat add chain=dstnat dst-address=!192.168.88.1 dst-port=80 protocol=tcp dst-address-type=local to-address=192.168.88.253 You can enable the DDNS under IP>Cloud and use the DDNS to access the device. You could also use the DDNS to do the dstnat: /ip firewall address-list add address=you...

2frogs

On the RBMetal, change mode=bridge to mode=ap-bridge, mode=bridge only allows 1 connected client. /interface wireless set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce \ disabled=no hide-ssid=yes mode=ap-bridge security-profile=profile1 ssid=\ <SSID HERE> wps-mode=disabled

2frogs

One use case would be vdsl2 areas where the 2.4ghz bands are overcrowded and all but unusable. Another would be for wireless internet providers that use 2.4ghz bands to distribute internet, they can provide a router they can set to not interfere with the channel they are using to connect that client.

2frogs

First issue is that the LAN IP address should be on the bridge interface since it is the master and ether2 is slaved to it.

Second, is that your NAT rule has your IP scope on src-address-list instead of src-address. You could define an address-list and use that instead.

2frogs

Usually seeing the same MAC with multiple IPs is caused from having a pool set in the hotspot or from having dhcp lease times set too short. Setting a IP pool in the hotspot will create a 1:1 NAT for devices that have a static IP. And sometimes it will NAT devices that received a IP from the dhcp se...

2frogs

If you plug your computer into the cable that is on ether1, does it get an IP address. If it does, make sure it is not in the same range as your router (ie 192.168.88.0/24). I don't see anything in config that would prevent it from obtaining an IP.

2frogs

On CRS, navigate to IP>Addresses. Or

/ip address remove [find address="192.168.88.1/24"]

The address is most likely a left-over from the default config.

2frogs

Since you have a dhcp-client on bridge, just remove the 192.168.88.1/24 address

2frogs

Change: add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \ dst-port=180,1443 protocol=tcp to add action=masquerade chain=srcnat comment=Hairpin NAT dst-address=192.168.88.0/24 src-address=192.168.88.0/24 as SOB suggested as it is universal. Do you have any static...

2frogs

And you have flushed dns on your device?
What is doing or not doing?
Can you provide:

/ip firewall nat export

2frogs

Try disabling the fast-track firewall rules.

2frogs

@sebastia

I believe you missed that the server is on ports 180 & 1443. Static DNS entries will not work in this case as it points to ports 80 & 443.

2frogs

Instead of the DNS trick, try correcting your dst-nat rules. If you have a static IP: /ip firewall nat add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=your.external.ip.address protocol=tcp to-addresses=192.168.88.245 to-ports=180 add action=dst-nat chain=dstnat comment=Le...

2frogs

What you are seeing is normal. The data rate is the combined theoretically possible rate for upload and download. Since the AP and Client can only send or receive and do so to a single device at a time it will half the data rate. And as you noticed, if you connect a second device and try to download...

2frogs

The best way to set it up is to use Winbox to reset without default and configure it manually. Once you have reset the wAP, you will have to connect to it using it MAC Address. Now you can setup a bridge and add ether1 and wlan1 to it. And now configure wlan1 to be a station with the proper SSID and...

2frogs

The Hotspot Trial user is perfect for what you want. You can edit the default login.html to remove the login box and use the trial user link as the "click here" to agree. https://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot https://wiki.mikrotik...

2frogs

So if you put these in terminal they run, but not from the script? /system script run firewall-to-backup /system script run firewall-to-main You could also change from using in/out-interface to interface-list and not have to change the firewall rules at all: /interface list add comment=defconf name=...

2frogs

/tool user-manager user set [find shared-users=unlimited] shared-users=1

2frogs

You mentioned untagging/tagging is why I suggested a bridge. But yes, you can put the IP and DHCP Server directly on vlan1. And you can then remove the bridge port for vlan1 as it is not needed.

2frogs

Do you have a static route to your LAN set on the Synology and a static route to the Synology from the Router?

2frogs

I believe you need to create a new bridge for the vlan and add IP and DHCP Server to the new bridge. Then change the bridge port for vlan1 to the new bridge. /interface bridge add name=vlan1-bridge /interface bridge port add bridge=vlan1-bridge interface=vlan1 The rest of your config should remain t...

2frogs

You will need to use vlans, but having two networks in both buildings should not be a problem. There are many tutorials and examples on this forum and elsewhere. You will need a clan capable switch. Or if you only need a few ports and it is indoors you can use something like an hAP-AC/hAP-AC2 and br...

2frogs

I would use the Wireless Wire to bridge the buildings as it can provide wire speeds.

2frogs

The app uses the Winbox port to connect. You can specify the correct port in the address field of app like; 192.168.88.1:1234

2frogs

From Terminal run this command:

/export hide-sensitive file=export

Download and edit the export.rsc using a text editor to remove any public ips or identifying information and paste using the code wrapper [ code][ /code].

2frogs

Try adding this to the top of your mangle rules:

/ip firewall mangle
add action=accept chain=prerouting dst-address=10.255.255.0/24 in-interface=bridge

I believe your rules are too loose and catching any traffic from your LAN to VPN IP ranges.

2frogs

Thought I would let you know that L2TP/IPSec is not any better. I have a TS-431XeU with AnnapurnaLabs Alpine AL-314 32-bit ARM® Cortex-A15 quad-core 1.7GHz processor and 10-11MB/s is all it will do at 40% CPU usage. QVPN represents only 10% CPU usage.

2frogs

Separation will do wonders too. Both horizontal and vertical. Any radio device back to back on a mast is usually a bad idea. 2-3 meters vertically and 1 horizontal is about minimal in my opinion.

2frogs

/ip firewall filter 
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

This rule, since no interfaces are listed and it is above the drop rule (they are processed in order), allows pings from any where.

2frogs

This rule is blocking access: /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN Your VPN is not included in interface-list. You can add it under /ppp profiles: /ppp profile add local-address=192.168.1.1 name=Ovpn-profile remote-a...

2frogs

The bridge is the correct place for the dhcp-client as it is the master interface. It looks like the quick-set is broken, but since it is based off of simple scripts it is limited in functionality and should not be used passed initial setup anyway.

2frogs

:if ([:len [/ip ipsec policy find dst-address=10.0.0.0/16]]=0) do={:put "Not Found" } else={:put "Found"} Or :if ([:len [/ip ipsec policy find dst-address=10.0.0.0/16]]>0) do={:put "Found"} el se={:put "Not Found"} A missing value is not 0, it is null and ROS scripts can't handle nulls. But you can...

2frogs

I am sorry, I either miss read your original setup or confused it with another. You don't even need the ddns hack. Use dst-address=192.168.1.252. /ip firewall nat add chain=srcnat action=src-nat protocol=tcp src-address=10.0.1.0/24 dst-address=192.168.1.252 to-address=10.0.1.1 out-interface=bridge d...

2frogs

Yes, you can use the DDNS you already have setup.

2frogs

On your 10.0.1.1, enable the built in DDNS. Now add your DDNS URL to an address-list with a name like My_IP. You now use dst-address-list in place of dst-address in the hair-pin nat tutorials.

You can also use the DDNS URL to access your server without having to know your current IP.

2frogs

In Terminal, the [TAB] key can be your friend!

It can auto complete command and list: directories, commands and variables

2frogs

Correct! It is already accepted!

2frogs

The default for the firewall filter is to accept. If you remove all rules, everything would be accepted. If you only add chain=forward action=drop, then all being forwarded would be dropped. Now change that rule to include in-interface=ether1 and now only forwards coming from ether1 are being droppe...

2frogs

unset

/ip firewall nat unset [find action=masquerade] out-interface

2frogs

That is correct, you need both rules.

2frogs

@anav
hmm, so glad we can agree it could be done with a single rule:
"And your Filter rule need to be for chain=forward: (or enable the default drop rule)"

2frogs

Or add script to ppp profile to add/remove the interface when you login/logout: on-up=/interface list member add list="LAN" interface=[/interface get [find type=l2tp-in && dynamic=yes] name] on-down=/interface list member remove [find interface!="bridge" && list="LAN"] Or you can also set l2tp serve...

2frogs

You also need a src-nat:

/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.4 to-address=192.168.0.1

2frogs

The Wireless Wire is basically 2 WAP 60G AP, just pre-configured as PtP pair (they can be reconfigured). They have a 60 degree beam width, so depending on the lay out it could cover your end points. There is also a WAP 60Gx3 AP that can cover 180 degrees.
https://mikrotik.com/product/wap_60gx3_ap

2frogs

You can not use 802.11 and NV2 at same time. A dedicated point to point or point to multi-point would be better than trying to use an AP that has other wireless users on it. Have you seen: https://mikrotik.com/product/wap_60g_ap https://mikrotik.com/product/wireless_wire These should be able to conn...

2frogs

Your NAT rules do not need a to-port unless your are changing ports. They should look like this: /ip firewall nat add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89 add action=dst-nat chain=dstnat comment="ALA US...

2frogs

There are actually major differences between the 2 routers when you consider the firewall rules. On Router 1, the default drop for input is dropping all from ether1, which is your WAN. By default it is accepting from all other ports including all other ethers, wlans, bridges, l2tp ,etc. /ip firewall...

2frogs

Yes

/log print file=log.txt

A remote syslog might b a better option depending on intended use.
https://wiki.mikrotik.com/wiki/Manual:System/Log

2frogs

Most likely a partially failed update or some corruption in OS.

2frogs

Create a address-list name=payment_gateway and add www.some.paymentsystem.com and dns ip to it.
Now add dst-address-list!=payment_gateway to both of your rules. The "!" means "not".

This should work for http, but I don't think it will for https...

2frogs

Is x.x.x.x a unique ID or do you have multiple with gateway=x.x.x.x? Copy and paste the following in Terminal: /ip route add dst-address=1.2.3.4/32 gateway=1.2.3.4 distance=5; :if ([/ip route get [find gateway=1.2.3.4] distance]=5) do={:put "True"} else={:put "False"}; ##Should have output of "True"...

2frogs

Spacing maybe!?!? This works for me:

:if ([/ip route [find gateway=x.x.x.x] distance]=2) do={:log error “True”}

2frogs

Code: Select all
/system logging
add topics=debug

Have tried disabling this?

2frogs

https://mikrotik.com/thedude

2frogs

https://wiki.mikrotik.com/wiki/HotSpot_ ... login_page
or
https://mum.mikrotik.com//presentations ... ichael.pdf

2frogs

No, no, no. The WLAN will automatically turn on as soon as someone connects to it. It's so obvious. OK! :mrgreen: /system scheduler add interval=10m name=wlan1-auto-on/off on-event=":if ([/interface wireless get wlan1 disabled]=yes) do={\r\ \n:log info \"Checking for Wireless Users\"\r\ \n; /interf...

2frogs

Use Hotspot with Trial User enabled. You can set your limits by time and/or data and have it reset after a defined period. Now edit/replace login.html the following code and users will be logged in automatically. <!DOCTYPE html> <html> <head> <meta http-equiv="refresh" content="0; url=$(link-login-o...

2frogs

With all ports bridged it does not need a gateway for the clients. It acts like a switch and passes connection through it. It does need a default route for the router itself to connect to the internet. Adding one would allow your NTP Client to work. Should look something like: /ip route add dst-addr...

2frogs

Use Virtual Machine software (I use VirtualBox) to setup 2 Virtual CHR's. You need 2 virtual ethernet interfaces for each. They need minimal setup: ##Gateway1 /ip address add address=192.168.100.1/24 interface=ether2 network=192.168.100.0 /ip dhcp-client add disabled=no interface=ether1 /ip firewall...

2frogs

If you are using the default firewall rules, you could change the default forward drop rule to: /ip firewall filter add chain=forward connection-nat-state=dstnat in-interface=WAN action=accept add chain=forward out-interface=!WAN action=drop And if you are not doing DST-NAT or UPNP, you can omit the...

2frogs

Edit: post duplicated.

2frogs

Here is the correct code: /ip firewall mangle add action=mark-connection chain=forward comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In" add action=mark-connection chain=forward comment="ISP2-In" in-interface=ether2 new-connection-mark="ISP2-In" add action=mark-routing chain=prerou...

2frogs

Oops, I copy/paste wrong section of code. Correct it as @sebastia stated. Sorry for my mistakes!

2frogs

One device has metal casing to give more focus.

So, have you tried without the metal casing?

2frogs

Put this in scheduler:

:if ( [ :len [/interface wireless registration find] ] <= 0 ) do={ /interface wireless disable wlan1; :log info "No Wireless Users - Wireless Disabled";}

2frogs

You will need to put the LAN and all 3 AP's on separate VLAN's. Then create a Hotspot Server for each VLAN. Then on each Username, you can specify which Server that Username is for.

2frogs

You need to mark connections coming in to each WAN and then make routing mark based on those connections: /ip firewall mangle add action=mark-connection chain=input comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In" add action=mark-connection chain=input comment="ISP2-In" in-interfa...

2frogs

Use Winbox to connect using MAC Address. Most likely the default firewall rules is blocking IP access.

2frogs

Add the MAC of the other Basebox in /interface wireless access-list with forward=no and authentication=no. Do this on both.

2frogs

I made the same mistake and tried to reconfigure them as you did. I ended up having to reset to default and swapping the units. I wonder if the slave in the set is only capable of being CPE.

2frogs

See the comment in the speedtest result as shown in your screenshots. CRS devices are intended to be used as hardware switches - they can do some routing and provide some services but the as CPU is not powerful you cannot use them to do wirespeed routing, for example. In my case, i ma talking about...

2frogs

That is correct, although you do not need the forward rule because your default forward drop rule drops all forwarded traffic unless it is in dst-nat: /ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new...

2frogs

You do not have the default firewall. It should include the following: /ip firewall filter add action=accept chain=input connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic." add action=drop chain=input connection-state=invalid comment=...

2frogs

On both the hAP and wAP, use WISP AP from quickset after reset from no-default. After you configure the wireless, select Mode=Bridge, Address Acquisition=Automatic, Bridge All LAN Ports=yes and hit apply. After a couple seconds hit Apply again and it should now have IP from your RB3011. You can now ...

2frogs

I suspect the IP Address is not on the right interface. In winbox, ip>addresses, be sure that the IP is on interface=bridge (or the name of your bridge.)

2frogs

Quickset sets up the VPN using a separate subnet (192.168.89.0/24) than the default (192.168.88.0/24). You change it to the IP and subnet of the router if you wish. It is not advisable to use Quickset past the initial setup, especially if changes where made outside of Quickset. It relies on a basic ...

2frogs

No need to remove dhcp, but you will need to change:
ip/address
ip/pool
ip/dhcp-server/network

And any firewall, nat or mangle rules rules...

2frogs

Sorry, I misunderstood! There is no performance issues with leaving the device powered on. Some changes are better facilitated with restart. Changing the IP scope is one of them. But RouterOS boots fast, less than a minute even while upgrading firmware. And yes you can change IP to /16 if not alread...

2frogs

No, I have devices that are powered off daily when not in use. The only issue I have had is them being powered off while updating. This requires the Net Instal tool to recover.

2frogs

keepalive-timeout=10m

Restarting the router will reset all hotspot user data and remove the mac-cookies. Otherwise, there are no issues with restarting or leaving it powered off for length of time.

2frogs

Input/Output rules are to/from the router itself. And generally, prerouting is used if a routing decision is to be made by he mangle rule. Most other rules will use forward.

2frogs

The data is stored in RAM and not DISK. This is why it is reset after each reboot. You can search for scripts to save the data to disk or use User Manager.

2frogs

You did not mention what Mikrotik device you are using, but some devices only have a Level 3 License and will only work as a Station (CPE) or wireless Bridge to a single device (PtP).

2frogs

Does it have the Detect Internet set?

2frogs

/ip firewall address-list add address=127.0.0.1 list=allow-ip /ip firewall filter add action=drop chain=input comment=\ "You can say thanks on the WebMoney Z399578297824" dst-port=\ 8778,8728,8729,22,23,80,443,8291 protocol=tcp src-address-list=blacklist add action=accept chain=input comment=\ "Ple...

2frogs

Use WinBox; https://download.mikrotik.com/routeros/ ... winbox.exe
In the Neighbors Tab, click on the MAC of the device and it will load in the Connect To field. Enter your credentials below it.

2frogs

IP>Services, this is where you enable/disable, set port # and can set IP's for access. If it is enabled there and your still not able to connect, you will need to check your firewall rules IP>Firewall>Filter to be sure access is not being blocked there. Provide /export if you need any further assist...

2frogs

/ip firewall filter add action=accept chain=input comment=pingcatch in-interface-list=LAN log=yes \ log-prefix=Ping protocol=icmp /system scheduler add interval=1s name=pingbeep on-event=":global pingcont;\r\ \n:if ([:len \$pingcont]=>0) do={:set \$pingcont [/ip firewal filter ge nd comment=\"pingc...

2frogs

As long as your POE is providing the max power draw for each device, then there should be no difference between POE and Power Supply.

2frogs

viewtopic.php?t=49106#p249410

2frogs

Use export. Upload export.rsc. Do /system reset-configuration no-defaults=yes run-after-reset=export.rsc.

This will reset device without default values and import the new settings.

2frogs

This seems to me a DNS or NAT issue. Your NAT rule, although unconventional, should work. I would lean more to DNS. Is the CCR able to resolve DNS it’s self? If you change the DNS server from 192.168.1.1 to 8.8.8.8, does it browse better?

2frogs

If you are attempting to connect using ether 2-5, then this is your issue: /interface list member add comment="Org LAN Bridge2" interface=Bridge2 list=LAN add comment="ISP WAN" interface=Ether1-WAN list=WAN /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LA...

2frogs

I prefer this nat rule over using the ddns shown in the video.

add action=dst-nat chain=dstnat dst-address-type=local dst-address=!192.168.40.1(or router ip) dst-port=80,443  to-addresses=192.168.40.13

2frogs

I would use separate VLANs for each AP and create a Server for each VLAN with different Server Profiles.

2frogs

There should be a setting in your phones vpn settings to send all traffic through the vpn. This is controlled on client side.

2frogs

You could use the Hotspot. In ip-bindings, set your active customers IP's to bypass. Now do as @joegoldman suggest and change their IP to a Hotspot IP and they will get captured by the Hotspot and served the login.html page.

2frogs

-30 is too strong of a signal. Reduce the power on both to maintain a -50 on both. 35Mbps is about the max you can expect from the NanoStation5.

2frogs

No, -79 would be correct. -81 will fall between -120 and -80 and therefore conflict.

2frogs

I would look more at a PtMP antenna for your fixed site. That would make aiming only critical from the temporary location. Especially if the location could change each time.

2frogs

You can delete these, DNS alone is a nominal traffic; /ip firewall filter add action=fasttrack-connection chain=forward comment="Fasstrack DNS TCP" \ dst-port=53 protocol=tcp add action=fasttrack-connection chain=forward comment="Fasttrack DNS UPD" \ dst-port=53 protocol=udp And add this if your CPU...

2frogs

Actually the chart shows the range for the which the max data-rate can be obtained. The fading red line is the maximum distance for the lowest data-rate.

2frogs

If you are new to networking, you should not change the default firewall rule. The default firewall are sufficient for home users.

2frogs

i would do a netinstall and the attempt a restore from backup.

2frogs

I believe I want station-pseudobridge and I am aware of the L2 limitations but as this is a IP routed network should still be possible? https://wiki.mikrotik.com/wiki/Manual:Wireless_Station_Modes This indicates station-pseudobridge is for a single client. A bridge is not a routed network. Got it w...

2frogs

In your example, “;” is still required at the end of the first line. It stands for “New Line.” Not true anymore "New Line" works nice. No need for ; anymore. Only if you like more commands on one line. https://wiki.mikrotik.com/wiki/Manual:Scripting The end of command line is represented by the tok...

2frogs

In your example, “;” is still required at the end of the first line. It stands for “New Line.”

2frogs

I know but I want to be able to access from anywhere and that is not possible if you use whitelist. Actually, Port Knocking allows for this. https://wiki.mikrotik.com/wiki/Port_Knocking But, the short answer is to add an accept for an Source IP before your brute force. Or edit brute force to includ...

2frogs

This can be done with login time-out. However, 10-30 seconds would cause "Already Authorizing, retry later error" if the RADIUS is not done the first authentication request or if the authentication process is still in progress. Actually this has no effect on the OP’s issue, it does take the removal...

2frogs

Another solution is a script to kick any host that is not authorized that runs every 10-30 seconds. Maybe combine this with a delayed redirect of equal time.

2frogs

Not sure it would be any more of a hole than them simply changing their MAC to the same as another user.... shared-user=1 will help prevent this.

2frogs

Yeah, OK. I do recall this behavior and it is easy to reproduce. Create a disable user with MAC of device. Open browser to be caught by portal, then enable user. Now try browsing again and still get caught by portal. Kick host and will login on next attempt. You can login using the MAC as user. Redi...

2frogs

The client should simply be able to browse to web page again to be authenticated. Or you could redirect to a non-walled-garden page as the last step in your payment process. All login processes require a http request. The Hotspot will only resend authorization request if it has not received a respon...

2frogs

Do you have the FTP service enabled and on port 21 of the router? What other firewall rules do you have?
/ip firewall filter export

2frogs

in /ip firewall filter -> add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list” disabled=no This is correct! chain=input is for traffic going to the router itself. https://i.ibb.co/8PcZr6h/1.jpg...

2frogs

Your screenshot suggests you have the rule on chain=forward instead of chain=input...

2frogs

@sebastia

You have miss understood the problem of the OP! He has a forward rule to explicitly allow the dst-nat port. And the problem he is having is when that rule was disabled, he is still able to reach the port. The answer is what I provided. The default drop rule is allowing this traffic.

2frogs

/ip firewall add action=drop chain=forward comment="drop unvanted local traffic" connection-nat-state=!dstnat connection-state=new in-interface=ether10-WAN This is the default drop rule! Any connection coming from WAN would first be New and therefore dropped, unless it is a connection in NAT that i...

2frogs

add action=drop chain=forward comment="drop unvanted local traffic" connection-nat-state=!dstnat connection-state=new in-interface=ether10-WAN This rule allows any DSTNAT rules through the firewall. Remove the connection-nat-state=!dstnat if you only want to specifically allow this traffic with ind...

2frogs

All variables have to be declared that are used in the script, global or not, declared in other scripts or not.

2frogs

I will admit I do not use webfig for any major configurations for this very reason. It is still in development and really only intended for basic changes and preconfigured changes using the quickset (although some of those do not work correctly either.) The need of removing all unused settings, incl...

2frogs

hello to all I have a problem with several equipment mikrotik model slex litle5ac dualband the problem is that it does not see well the signals at 2.4ghz, however close they are the best one sees it at -70db meanwhile another signal 5ghz if it looks perfect up to -40 from the same position because ...

2frogs

Before you change the IP address, create your bridge first. Then assign the static IP to the bridge. Now you should be able to add the ether and wlan to bridge and still access it. When you add the ether/wlan to the bridge it becomes the slave to it and can not have an IP attached to them. And inste...

2frogs

I removed the port in NAT rule, so now it looks like: add action=dst-nat chain=dstnat comment="Plex port forwarding" in-interface=ether1 protocol=tcp to-addresses=\192.168.1.18 to-ports=32400 No, you remove the wrong port. Your rule should be what I posted for you! If that still does not work, make...

2frogs

CPU usage is most likely the cause as it only uses a single core. This bandwidth tool should not be used as an accurate measure.

2frogs

Give this a try!
viewtopic.php?t=135991#p669779

2frogs

What firewall filter rules do you have? Should have an accept rule for either port 32400 or for connection-nat-state=dst (or the default drop with connection-state-nat=!dst.) Are you double NATted? Your NAT rule should work, although you do no need to specify the to-port unless you need to change th...

2frogs

On your mangle rules, use chain=forward... /ip firewall mangle add action=mark-packet chain=forward comment="WAN Zuleitung" in-interface=\ ether1 new-packet-mark=wan_gesamt_up passthrough=no add action=mark-packet chain=forward comment="WAN Zuleitung" \ new-packet-mark=wan_gesamt_down out-interface=...

2frogs

To me the bigger benefit would be that users can create their own account/voucher paid/free and more easily maintain their account.

2frogs

2x PtP is the best option. With PtMP with the AP in middle you will loose 50% of the speed and double the latency as the AP can only communicate with one endpoint at a time. At the mast site, physically separate the 2 devices as much as possible within reason. Use channels as far apart as possible. ...

2frogs

If the device does not touch port 80 (http), then MAC login will not work. If opening a web browser for the device to connect is not an issue, then it is up to preference.

2frogs

That’s correct!

* netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

2frogs

Use action=dst-nat, netmap is intended to do a 1:1 nat between an ip or between sets of multiple ips. Between 2 ips it acts more like an DMZ where it would be port for port. DST-nat is for forwarding either a single port or multiple ports to a device and can be used to forward different ports to dif...

2frogs

The WIKI shows a list of variables that are available for the “on-login” scripts.
https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot/User

List of available variables:

$user
$username (alternative var name for $user)
$address
$"mac-address"
$interface

2frogs

Using auto-mac, the MAC can change after a reboot. Not so great if you are using the MAC for static lease or for other hard coded settings.

2frogs

For some time now:
viewtopic.php?t=134538

In short, Netwatch can only execute scripts with "write, read, test, reboot" policies. Remove all other policies from your scripts.

2frogs

You was nearly there with your code.

/interface bridge
add admin-mac=[/interface ethernet get [find where name="ether1"] mac-address] auto-mac=no name=mybridge

2frogs

It is my understanding that “station-pseudobridge” expects the CPE to be a “bridge” and not a “router”. This would allow a device connected to ether1 to obtain an IP directly from the AP while having it’s MAC translated to the wlan MAC of the CPE.

2frogs

Change the wireless mode from “station-pseudobridge” to “station”.

2frogs

This is what happened to you:
viewtopic.php?t=133533

And I would recommend the added step of doing a Netinstall to insure your device is clean.
https://wiki.mikrotik.com/wiki/Manual:Netinstall

2frogs

/ip firewall nat
add chain=srcnat out-interface-list=WAN src-address-list=group1 action=srcnat to-address=45.45.45.2
add  chain=srcnat out-interface-list=WAN src-address-list=group2 action=srcnat to-address=45.45.45.3

And then disable/remove default masquerade rule.

2frogs

/user add name=user1 group=group1 password=password123

https://mikrotik.com/documentation/manu ... Users.html

2frogs

IP delegation is handled by the DHCP Server and the Address Pool set for it. Under DHCP Lease in DHCP Server is where you make a lease static. IP Binding binds a IP and/or MAC to a specific Hotspot or All. And allows you to Bypass, Block or capture that IP and/or MAC on that Hotspot.

2frogs

In both /ip hotspot server and user profile set address-pool=none. You will still get an address from the DHCP server.

If this does not resolve both issues, you may need to increase your DHCP lease-time a bit!

2frogs

Does your modem hand out DHCP or did you forget to setup a PPPoE-Client on the Mikrotik?

2frogs

If I understood correctly, this is what you need.

/ip dhcp-server lease print where hostname=“pc” file=$n

2frogs

After resetting the mAP and then login with Winbox, you have an option to remove current configuration. Or even better, at some point Reset-Configuration was added to System menu, just check mark "No Default Configuration" and click "Reset Configuration".

2frogs

It looks like the Quick-set is not doing it's job correctly. if you are familiar with Winbox, I would suggest resetting the mAP without a configuration. Then connect to it with Winbox using the MAC address (it should show in the Neighbors tab). Once connected, you can paste the following in a New Te...

Search found 587 matches