Community discussions

Search found 661 matches

by 2frogs
Wed Jun 09, 2021 10:22 pm
Forum: Beginner Basics
Topic: Queue List questions
Replies: 3
Views: 276

Re: Queue List questions

You need to disable fast-track found in IP>Firewall>Filter or at least exclude your guest-lan from it.
by 2frogs
Fri Jun 04, 2021 3:42 pm
Forum: General
Topic: Guest network doesn't have internet
Replies: 8
Views: 442

Re: Guest network doesn't have internet

The reason your configuration on the cAP is not working, is due to the src-nat rule. It is using out-interface-list=WAN and the only interface-list=WAN is ether1. In your case, the bridge interface will be your WAN and the guestbridge will be your LAN. But I would not changing the interface-list to ...
by 2frogs
Thu May 27, 2021 4:02 pm
Forum: General
Topic: Cloud Router Bricked after firmware update
Replies: 3
Views: 273

Re: Cloud Router Bricked after firmware update

Try using netinstall. You may also try a different power supply.

https://wiki.mikrotik.com/wiki/Manual:Netinstall
by 2frogs
Wed May 26, 2021 3:22 am
Forum: Beginner Basics
Topic: GrooveGA-52HPacn won't save LAN IP address
Replies: 9
Views: 474

Re: GrooveGA-52HPacn won't save LAN IP address

3 Jan/02/1970 00:01:08 memory system.error. critical. unknown. unknown. unknown error while running customized default configuration script: interrupted
This indicates the default script was replaced with a custom script. Perform a netinstall and select "Apply default config" to revert thi...
by 2frogs
Mon May 24, 2021 8:46 pm
Forum: Beginner Basics
Topic: GrooveGA-52HPacn won't save LAN IP address
Replies: 9
Views: 474

Re: GrooveGA-52HPacn won't save LAN IP address

You should perform a netinstall on this device. Simply resetting the device may not be enough to remove any bad code.
by 2frogs
Fri May 21, 2021 7:48 pm
Forum: The Dude
Topic: problems accessing hAP lite
Replies: 6
Views: 896

Re: problems accessing hAP lite

You might also try netinstall with a different power supply for the hAP lite. It may not be providing the proper power needed for boot up.
by 2frogs
Fri May 21, 2021 7:43 pm
Forum: Beginner Basics
Topic: UPnP defaulting to ether1; should be sfp(WAN)
Replies: 3
Views: 309

Re: UPnP defaulting to ether1; should be sfp(WAN)

Since you have made changes outside of the Quick Set screen, do not use it any longer for making changes. It relies on fairly simple scripts to make its changes and can't account for what you do outside of its scripting.
by 2frogs
Fri May 21, 2021 1:33 am
Forum: General
Topic: Mikrotik,pihole & unbound. [SOLVED]
Replies: 19
Views: 2131

Re: Mikrotik,pihole & unbound. [SOLVED]

It works in my testing. Can you post full export?
by 2frogs
Tue May 18, 2021 4:49 pm
Forum: Beginner Basics
Topic: Too many address in /ip dns static
Replies: 5
Views: 535

Re: Too many address in /ip dns static

You should do a netinstall. A simple reset may not remove all compromising components.
by 2frogs
Thu May 13, 2021 7:56 am
Forum: General
Topic: Mikrotik,pihole & unbound. [SOLVED]
Replies: 19
Views: 2131

Re: Mikrotik,pihole & unbound. [SOLVED]

/ip firewall filter
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
    bridge out-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"
These 2 firewall rules are causing both issues. I suggest using this one and it will also replace th...
by 2frogs
Tue May 11, 2021 11:31 pm
Forum: General
Topic: Suspect hAP ac lite wasn't new
Replies: 10
Views: 667

Re: Suspect hAP ac lite wasn't new

If you decide to keep it, you should do a netinstall just to be sure there are no bad things left on it.
by 2frogs
Mon May 10, 2021 3:55 pm
Forum: General
Topic: Mikrotik,pihole & unbound. [SOLVED]
Replies: 19
Views: 2131

Re: Mikrotik,pihole & unbound. [SOLVED]

/ip firewall nat
add chain=dstnat dst-address=192.168.88.1 src-address=!192.168.88.5 in-interface=bridge dst-port=53 protocol=tcp action=dst-nat to-address=192.168.88.5
add chain=dstnat dst-address=192.168.88.1 src-address=!192.168.88.1 in-interface=bridge dst-port=53 protocol=udp action=dst-nat to...
by 2frogs
Sun May 09, 2021 8:51 pm
Forum: General
Topic: Mikrotik,pihole & unbound. [SOLVED]
Replies: 19
Views: 2131

Re: Mikrotik,pihole & unbound. [SOLVED]

The reason the NAT rules do not work when in the same subnet is because the clients communicate directly with one another. For the router to do the NAT, that traffic has to pass through its CPU. This does not happen even when clients are connected to the router, but on bridged interfaces. If this w...
by 2frogs
Fri May 07, 2021 2:31 am
Forum: General
Topic: Mikrotik,pihole & unbound. [SOLVED]
Replies: 19
Views: 2131

Re: Mikrotik,pihole & unbound. [SOLVED]

It is better to have your PiHole on a different subnet, this way you can use dst-nat to do the fail over. You will not have to wait for your dhcp-lease on each device to renew before the fail over works.
/ip route
add dst-address=192.168.188.2 gateway=bridge
/ip dhcp-server network
add address=192.1...
by 2frogs
Mon May 03, 2021 8:58 pm
Forum: The Dude
Topic: Unable to connect Dude client since upgrading to 6.48.2 [SOLVED]
Replies: 2
Views: 845

Re: Unable to connect Dude client since upgrading to 6.48.2 [SOLVED]

Did you update the client to the same version? The server and client have to be the same version.
by 2frogs
Fri Apr 23, 2021 4:22 pm
Forum: Beginner Basics
Topic: DSTNAT doesn't opening port
Replies: 9
Views: 699

Re: DSTNAT doesn't opening port

When testing for the ports to be open, are you testing from a device on the WAN side or the server on LAN? Your NAT rule only allows from the WAN. I see no error with your NAT rules. As far as Filter rules, the default state (without rules) is to accept. Your original configuration was not block the NA...
by 2frogs
Fri Apr 23, 2021 1:28 am
Forum: Beginner Basics
Topic: Port forwarding not working from Public IP ranges [SOLVED]
Replies: 27
Views: 1876

Re: Port forwarding not working from Public IP ranges [SOLVED]

You should do a netinstall instead of just a reset. There sometimes is weirdness that can't be fixed with a reset or upgrade/downgrade.
by 2frogs
Wed Apr 21, 2021 7:52 pm
Forum: Beginner Basics
Topic: hAP ac lite as NAT device
Replies: 2
Views: 295

Re: hAP ac lite as NAT device

Since you want to use the wireless to connect to remote networks, you will want to use mode=station. Create a dhcp-client for the wlan also. If you have need to remember the connections, you can use the wireless connect-list. You will also either add another src-nat rule for wlan or change first one...
by 2frogs
Wed Apr 14, 2021 11:36 pm
Forum: Beginner Basics
Topic: Forcing IP requests to a specific WAN
Replies: 8
Views: 523

Re: Forcing IP requests to a specific WAN

/ip firewall mangle
add chain=prerouting action=mark-routing dst-address=138.68.XXX.XXX in-interface=bridge1 new-routing-mark=to_WAN1 passthrough=no
by 2frogs
Wed Apr 14, 2021 8:26 pm
Forum: Beginner Basics
Topic: HAP AC Lite DHCP-SERVER Network DNS Server Config Wrong but Working?
Replies: 2
Views: 297

Re: HAP AC Lite DHCP-SERVER Network DNS Server Config Wrong but Working?

dns-none=no (default) means without setting dns-server= the dhcp-server will pass the dynamic dns.

https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server
by 2frogs
Mon Apr 12, 2021 6:46 pm
Forum: Scripting
Topic: Resolve - change dns server
Replies: 1
Views: 347

Re: Resolve - change dns server

Yes:
/resolve www.mikrotik.com server=8.8.8.8
by 2frogs
Mon Apr 12, 2021 4:45 pm
Forum: Scripting
Topic: need a script for heartbeat
Replies: 1
Views: 429

Re: need a script for heartbeat

Using Fetch command in a schedule should do the trick.

https://wiki.mikrotik.com/wiki/Manual:System/Scheduler
https://wiki.mikrotik.com/wiki/Manual:Tools/Fetch

Code should be as simple as:
/tool fetch url="provided.unique.url" mode=http
by 2frogs
Fri Apr 09, 2021 2:47 pm
Forum: General
Topic: number range
Replies: 2
Views: 312

Re: number range

There is a shorter command:
:for i from=0 to=12 do={/interface bridge port set $i pvid=101}
by 2frogs
Fri Apr 09, 2021 6:18 am
Forum: The Dude
Topic: Web Access in Dude Server 6.45.7
Replies: 10
Views: 1281

Re: Web Access in Dude Server 6.45.7

Maybe you should do a netinstall. I had a new hEX S that was in a boot loop from the box. I performed a netinstall and it has been fine since.
by 2frogs
Wed Apr 07, 2021 11:06 pm
Forum: Beginner Basics
Topic: HELP: access external web page:port
Replies: 4
Views: 497

Re: HELP: access external web page:port

Reading your post, it seems you are actually attempting to reach an internal server using the external address. Using an in-interface in this situation will not work. You need to use dst-address=external-ip (best practice with static ip) or dst-type=local dst-address=!router-ip (works with dynamic i...
by 2frogs
Wed Apr 07, 2021 4:26 pm
Forum: Wireless Networking
Topic: WiFi in packing hall - how to build it
Replies: 8
Views: 1133

Re: WiFi in packing hall - how to build it

I would test a triple chain NetMetal or RouterBoard with a triple chain wireless card. Treat each chain as a separate AP as far as mounting is concerned. This way you should only need 4 APs. You will need to get as much physical separation as possible and reduce the power some. You should be able to...
by 2frogs
Wed Apr 07, 2021 4:56 am
Forum: The Dude
Topic: Web Access in Dude Server 6.45.7
Replies: 10
Views: 1281

Re: Web Access in Dude Server 6.45.7

Maybe you have a custom skin and have Dude menu blocked. https://myrouter/webfig/#Dude will return you to the Quickset, you have to include :Menu_Name. Such as https://myrouter/webfig/#Dude:Network_Maps
by 2frogs
Fri Apr 02, 2021 6:40 pm
Forum: General
Topic: port 53 open despite firewall rules
Replies: 42
Views: 2589

Re: port 53 open despite firewall rules

Is this your full export? I also do not see any of your LAN settings. No bridge_lan or ports connected to it. No DHCP Server.

From what you have posted, you don't have DNS running on your device.
/ip dns
set allow-remote-requests=yes
Or you would see this present.
by 2frogs
Wed Mar 31, 2021 10:46 pm
Forum: General
Topic: Port forwarding from a different subnet [SOLVED]
Replies: 15
Views: 1113

Re: Port forwarding from a different subnet [SOLVED]

Have you tried using 192.168.3.5:67-69 directly? To other devices on this subnet, it would seem no different if the NVRs were directly attached (if your firewall is not dropping the traffic).

Maybe a misconfiguration on the Modem/Router. Or it needs a hairpin nat.
by 2frogs
Wed Mar 31, 2021 6:32 pm
Forum: General
Topic: Port forwarding from a different subnet [SOLVED]
Replies: 15
Views: 1113

Re: Port forwarding from a different subnet [SOLVED]

Looks to me your firewall is doing as it should and your answers should be in your logs.

Hint: prefix=!public
by 2frogs
Wed Mar 31, 2021 4:28 pm
Forum: Scripting
Topic: Completing a script for checking and updating dynamic ISPs Gateway
Replies: 12
Views: 995

Re: Completing a script for checking and updating dynamic ISPs Gateway

Just need to add "where" to the find and you can search using multiple parameters.
:if ($bound=1) do={/ip route set [find where dst-address=0.0.0.0/0 routing-mark=ISP2] gateway=$"gateway-address" }
Alternatively, you could set comment=ISP2-Default or something unique and use that...
by 2frogs
Mon Mar 22, 2021 5:53 pm
Forum: Beginner Basics
Topic: Trying to Setup New WiFi Password!
Replies: 2
Views: 376

Re: Trying to Setup New WiFi Password!

In webfig menu area there is a hide-password button to see the password as you typed. Also there is a safe mode button that if on when you change the password, you will have to toggle off/on to make changes permanent.
by 2frogs
Mon Mar 22, 2021 4:32 pm
Forum: Scripting
Topic: SCRIPT Works in System Script but no in NETWATCH??? [SOLVED]
Replies: 4
Views: 865

Re: SCRIPT Works in System Script but no in NETWATCH??? [SOLVED]

Correction: it was 2018. VER 6.42

https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch

There is an example in the wiki. Create the script with dont-require-permissions=yes.
by 2frogs
Mon Mar 22, 2021 4:17 pm
Forum: Scripting
Topic: SCRIPT Works in System Script but no in NETWATCH??? [SOLVED]
Replies: 4
Views: 865

Re: SCRIPT Works in System Script but no in NETWATCH??? [SOLVED]

Fetch may also need permissions not available to Netwatch. These changes were made in response to the 2019 security issues, I believe.
by 2frogs
Mon Mar 22, 2021 2:50 pm
Forum: The Dude
Topic: The Dude and windows 10
Replies: 3
Views: 755

Re: The Dude and windows 10

Ensure your Dude client is the same version as server. I believe with server ver 6.48.1 and client ver 6.48, it was stuck on getting stuff with no upgrade notice.
by 2frogs
Mon Mar 22, 2021 1:51 pm
Forum: Scripting
Topic: SCRIPT Works in System Script but no in NETWATCH??? [SOLVED]
Replies: 4
Views: 865

Re: SCRIPT Works in System Script but no in NETWATCH??? [SOLVED]

Netwatch (also DHCP, PPP, etc.) lacks permissions to use global variables.

You can create a script where permissions are not required and then call on that script.
by 2frogs
Sat Mar 20, 2021 5:20 pm
Forum: General
Topic: needing netinstall most of the times after restarting the router
Replies: 8
Views: 855

Re: needing netinstall most of the times after restarting the router

If the 9 volt adapter does not have enough amp rating it could cause strange behavior. The device uses max 7 watts with no attachments which is .8 amps at 9 volts. It has 24 watt max total or 2.7 amps at 9 volts.
by 2frogs
Sat Mar 20, 2021 4:12 pm
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2381

Re: Discovery of external IP address (Noip.com)

You will have to have port forwarding available on at least one of the modems (No IP is just another DDNS service) or you will have to connect both to a third device that has a public IP or the ability to forward ports. There is no magical way of connecting from one network to another directly withou...
by 2frogs
Sat Mar 20, 2021 2:51 pm
Forum: General
Topic: Compromised clients / Firewall question
Replies: 3
Views: 457

Re: Compromised clients / Firewall question

You are seeing all of those log messages because of this firewall rule:
add action=drop chain=forward comment=\
    "Drop packets from SMTP spammer address list." log=yes src-address-list=\
    "SMTP spammer"
The devices you see in the logs have been caught by the SMTP Spammer rules and ...
by 2frogs
Sat Mar 20, 2021 6:25 am
Forum: Wireless Networking
Topic: Indoor PTP links without line of sight
Replies: 11
Views: 1172

Re: Indoor PTP links without line of sight

Have you considered powerline adapters?
https://mikrotik.com/product/pl7510gi
by 2frogs
Sat Mar 20, 2021 5:53 am
Forum: General
Topic: Discovery of external IP address (Noip.com)
Replies: 30
Views: 2381

Re: Discovery of external IP address (Noip.com)

There is a built in DDNS under IP>Cloud.

If you have an update client running on a device in your network, you can enter your DDNS in IP>Firewall>Address List and it will resolve it to your IP.
by 2frogs
Fri Mar 19, 2021 3:37 am
Forum: General
Topic: No access to MT after WinBox reset
Replies: 16
Views: 759

Re: No access to MT after WinBox reset

In testing I have found that creating a virtual station on a wlan with ap bridge works sometimes and not others (I have done ap bridge on mode station many times without issue.) Maybe a better solution is to just use the wlan as station temporarily. 1. Make export of current config and save it some...
by 2frogs
Fri Mar 19, 2021 12:57 am
Forum: General
Topic: No access to MT after WinBox reset
Replies: 16
Views: 759

Re: No access to MT after WinBox reset

If your other MikroTik device has wireless and is in range, you could setup a virtual wireless interface in station mode with a dhcp-client on it. Then use the telnet tools to access the other device.
by 2frogs
Thu Mar 18, 2021 8:59 pm
Forum: General
Topic: I can't connect to my NVRs [SOLVED]
Replies: 12
Views: 913

Re: I can't connect to my NVRs [SOLVED]

The reason you can't connect to your adsl is because of the /16 (192.168.0.0-192.168.254.254) IP scope you have set. Its IP belongs in this range and is being routed out on the bridge instead of your WAN. Looking at your config, I do not see a reason not to use /24 and have a single subnet (192.168....
by 2frogs
Thu Mar 18, 2021 8:37 pm
Forum: General
Topic: No access to MT after WinBox reset
Replies: 16
Views: 759

Re: No access to MT after WinBox reset

The User Manual from product page: https://help.mikrotik.com/docs/display/UM/mAP+lite
Depending on age of the device, the earlier ROS versions may not have had all the safeguards in place or pre-configured differently from a more up to date version. Or possibly had been configured by someone else p...
by 2frogs
Thu Mar 18, 2021 6:39 pm
Forum: Scripting
Topic: Completing a script for checking and updating dynamic ISPs Gateway
Replies: 12
Views: 995

Re: Completing a script for checking and updating dynamic ISPs Gateway

If I understood your requirements, X.X.X.X/32 (example 111.222.112.221/32) is static IP of data center.
From: https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Client
bound - 1 - lease is added/changed; 0 - lease is removed
So this says when lease is added (new/reboot) or changed to set the gateway for ...
by 2frogs
Thu Mar 18, 2021 6:12 pm
Forum: General
Topic: No access to MT after WinBox reset
Replies: 16
Views: 759

Re: No access to MT after WinBox reset

It should have a default SSID MikroTik-######(last six octets of wlan1 MAC) with no password.
by 2frogs
Thu Mar 18, 2021 5:57 pm
Forum: General
Topic: No access to MT after WinBox reset
Replies: 16
Views: 759

Re: No access to MT after WinBox reset

The default config should be Home AP for this device. This means the ether1 is WAN and wlan1 is LAN. The default firewall rules only allow access to the mAP from LAN. You will have to have someone connect to the wireless of the mAP with a device that you can remote into to be able to reconfigure it....
by 2frogs
Thu Mar 18, 2021 5:43 pm
Forum: Scripting
Topic: Completing a script for checking and updating dynamic ISPs Gateway
Replies: 12
Views: 995

Re: Completing a script for checking and updating dynamic ISPs Gateway

Put this in the script under dhcp-client. It will update only if there is a change.
:if ($bound=1) do={/ip route set [find dst-address=X.X.X.X/32] gateway=$"gateway-address" }
by 2frogs
Thu Mar 18, 2021 4:16 pm
Forum: Wireless Networking
Topic: extended WiFi to LAN, router --> cAP ac --> LAN clients: works but don't understand 100% why
Replies: 10
Views: 806

Re: extended WiFi to LAN, router --> cAP ac --> LAN clients: works but don't understand 100% why

The reason you have configure it the way you have has to do with a limitation of the wireless standards. More specifically it has to do with the way MAC addresses are passed from the client to the connected network. In a normal connection, only the MAC of the connected device is seen by the network....
by 2frogs
Wed Mar 17, 2021 9:17 pm
Forum: Wireless Networking
Topic: Transparent L2 bridge via wireless P2P but no LOS
Replies: 1
Views: 391

Re: Transparent L2 bridge via wireless P2P but no LOS

Very straightforward! Use ap-bridge & station-bridge on the pairs.
by 2frogs
Wed Mar 17, 2021 4:14 pm
Forum: Beginner Basics
Topic: No Internet on Wlan bridge [SOLVED]
Replies: 12
Views: 788

Re: No Internet on Wlan bridge [SOLVED]

On your Bridge1 configuration you have the address 192.168.177.1 set to interface=ether2, this should be set to the Bridge that port is slaved to, interface=bridge_192.168.177.0.

Also the other IP's for the other ports also slaved to that bridge will also not work.
by 2frogs
Thu Mar 11, 2021 11:52 pm
Forum: Scripting
Topic: since in netwatch [SOLVED]
Replies: 15
Views: 1272

Re: since in netwatch [SOLVED]

I missed the closing ]. I have updated, please try again.
by 2frogs
Wed Mar 10, 2021 6:15 pm
Forum: Scripting
Topic: since in netwatch [SOLVED]
Replies: 15
Views: 1272

Re: since in netwatch [SOLVED]

Try:
:local since [/tool netw get [find where comment="MAIN CONNECTION"] since]
My apologies for my other reply, I was pulled away before I could complete my thought and didn't realize I had submitted it.
by 2frogs
Wed Mar 10, 2021 3:11 pm
Forum: Beginner Basics
Topic: Port Forwarding
Replies: 15
Views: 945

Re: Port Forwarding

I agree with erlinden, your rule seems to be working. As a quick sanity check, you can change the to-port to the same as the first one and see if it opens. It would seem to me that there is an issue with the device you are forwarding to. Either you have the wrong port or its firewall is not open to...
by 2frogs
Tue Mar 09, 2021 6:48 pm
Forum: Beginner Basics
Topic: Separate network with access to the internet
Replies: 3
Views: 391

Re: Separate network with access to the internet

Your /interface list members are set incorrectly. You have the individual Interfaces set as members, but the interfaces are slaved to a bridge, so you must use the bridges as the interface. As a result, your firewall filter rules are currently dropping your traffic. You should only need: /interface ...
by 2frogs
Sat Mar 06, 2021 5:59 am
Forum: Scripting
Topic: since in netwatch [SOLVED]
Replies: 15
Views: 1272

Re: since in netwatch [SOLVED]

value-name=since
by 2frogs
Tue Mar 02, 2021 7:10 pm
Forum: Beginner Basics
Topic: Block Router Admin Access from the Wireless Interfaces
Replies: 7
Views: 575

Re: Block Router Admin Access from the Wireless Interfaces

Another option is to set your device IP or list of IP's in IP> Service.
by 2frogs
Tue Mar 02, 2021 2:45 pm
Forum: General
Topic: RouterOS on USB flash
Replies: 3
Views: 316

Re: RouterOS on USB flash

Did you format the USB disk to Fat32?
by 2frogs
Tue Mar 02, 2021 12:49 am
Forum: Beginner Basics
Topic: Port 22 / SFTP/SSH Being Blocked
Replies: 34
Views: 2155

Re: Port 22 / SFTP/SSH Being Blocked

Export current configuration, then NetInstall current rOS version and Import your configuration. I have seen random weirdness with devices before. I just had to NetInstall a new hAP AC that was in a boot loop straight out of the box.
by 2frogs
Tue Mar 02, 2021 12:13 am
Forum: The Dude
Topic: autoscan and auto deletion for devices in dude
Replies: 1
Views: 489

Re: autoscan and auto deletion for devices in dude

I wouldn't think so since the whole purpose of The Dude is to monitor devices and their state. How would The Dude know the difference between a device that is down that is supposed to be up? Or a device no longer connected to your network that no longer needs monitoring?
by 2frogs
Tue Mar 02, 2021 12:10 am
Forum: General
Topic: winbox multiple instances/databases
Replies: 5
Views: 360

Re: winbox multiple instances/databases

Why not use Group in Advanced Mode.
by 2frogs
Fri Feb 26, 2021 7:16 pm
Forum: Scripting
Topic: Help with Script to read routes and create import file of FW addresses
Replies: 7
Views: 789

Re: Help with Script to read routes and create import file of FW addresses

Variables have a 4096 byte limit. Instead of writing from an array, just amend the file. It is similar to amending an array. Here is an example:
/file print file=test;
:delay 2s;
/file set test.txt contents="/ip firewall address-list\n";
:foreach i in=[/ip firewall address-list find where ...
by 2frogs
Tue Feb 23, 2021 6:41 pm
Forum: General
Topic: Winbox Question
Replies: 8
Views: 485

Re: Winbox Question

Open Winbox, Tools>Move Session Folder. Set to something other than your desktop.
by 2frogs
Tue Feb 23, 2021 5:53 pm
Forum: Beginner Basics
Topic: How do I manage WISP AP via WebUI?
Replies: 10
Views: 3207

Re: How do I manage WISP AP via WebUI?

Less of a works-as-expected and more of a you-cant-mikrotik... I gave up! 😕
by 2frogs
Thu Feb 11, 2021 9:15 pm
Forum: Scripting
Topic: Disable or Enable any item in mikrotik by using Terminal
Replies: 2
Views: 448

Re: Disable or Enable any item in mikrotik by using Terminal

You were in the wrong menu. Lists can only be added or removed, but members can be disabled. Sometimes the flow between Winbox and CLI can seem backwards...
interface list member set [find list=POE] disabled=yes
by 2frogs
Thu Feb 11, 2021 6:25 am
Forum: Scripting
Topic: local dictionary variable persisting between runs [SOLVED]
Replies: 14
Views: 1405

Re: local dictionary variable persisting between runs [SOLVED]

You can narrow the scope for the local variable to help mitigate the issue:
global main do={
    #populate dict with values based on given name
    if ($1="bob") do={
        local dict ({})
        set ($dict->"name") "bob"
        set ($dict->"address") "maple st."
        set ($dict->&q...
by 2frogs
Wed Feb 10, 2021 4:45 pm
Forum: Beginner Basics
Topic: Groove connecting to wifi but not passing IP to Routerboard
Replies: 6
Views: 540

Re: Groove connecting to wifi but not passing IP to Routerboard

I would use the Groove in CPE mode and the hAP in WISP AP mode. First reset the Groove to factory default. Then ensure the mode on Quickset is set to CPE. You should be able to use the Quickset to connect to an AP, browse the Internet and update the Groove when connected directly to it. Next, reset ...
by 2frogs
Tue Feb 09, 2021 4:54 am
Forum: Scripting
Topic: string to ip data type [SOLVED]
Replies: 2
Views: 561

Re: string to ip data type [SOLVED]

Are you getting a blank space in your $dnsIp by chance? As expected:
:local dnsIp "172.0.0.1";
:put "length=$[:len $dnsIp]";
:put "value=$dnsIp";
:put "type=$[:typeof $dnsIp]";
:set $dnsIp [:toip $dnsIp];
:put "value=$dnsIp";
:put "type=$[type...
by 2frogs
Mon Feb 08, 2021 11:50 pm
Forum: Beginner Basics
Topic: Port 22 / SFTP/SSH Being Blocked
Replies: 34
Views: 2155

Re: Port 22 / SFTP/SSH Being Blocked

Have you tried with:
/ip ssh
set forwarding-enabled=no
by 2frogs
Mon Feb 08, 2021 3:43 pm
Forum: Scripting
Topic: Please help to see this script for batch adding add-list [SOLVED]
Replies: 3
Views: 637

Re: Please help to see this script for batch adding add-list [SOLVED]

:for i from=1 to=50 do={/ip firewall address-list add list="user_$i" address="172.16.1.$(($i*5)-4)-172.16.1.$($i*5)"}
by 2frogs
Wed Dec 30, 2020 3:43 pm
Forum: Beginner Basics
Topic: How do I manage WISP AP via WebUI?
Replies: 10
Views: 3207

Re: How do I manage WISP AP via WebUI?

I have discovered there is a flaw in the script that the Quickset uses to change to WISP AP. It leaves intact and active the default firewall rules, including the Drop Input not from the Interface-List LAN. It also removes the Bridge Interface from this list and only adds the individual Interfaces (...
by 2frogs
Sun May 31, 2020 7:52 pm
Forum: Beginner Basics
Topic: hAP AC2 management problem [SOLVED]
Replies: 4
Views: 1187

Re: hAP AC2 management problem [SOLVED]

Disable the firewall rules before changing to WISP AP. The Quickset is broken, when you make the change it removes the bridge from interface-list=LAN and this causes the firewall filter input rules to drop IP traffic to the router. If you use Winbox, you can connect to the device using the MAC inste...
by 2frogs
Sun May 31, 2020 5:59 pm
Forum: Wireless Networking
Topic: Netmetal AC2 Disappointments [SOLVED]
Replies: 30
Views: 6097

Re: Netmetal AC2 Disappointments [SOLVED]

Anav, you need to read up on antenna radiation patterns. Antennas radiate their power in lobes, even omni antennas. The more directional the antenna, the more the lobes are concentrated in one direction and typically there are more lobes. Back lobes are what you need to pay attention to. They radiat...
by 2frogs
Sun May 31, 2020 5:02 am
Forum: Scripting
Topic: [Hotspot] Redirect new devices on external website, cut connection if skipped
Replies: 1
Views: 552

Re: [Hotspot] Redirect new devices on external website, cut connection if skipped

Redirect to your page first and have the login on it (or a link to a separate login page.) This way both android and ios devices will see your advertisements.
by 2frogs
Sat May 30, 2020 5:34 pm
Forum: Beginner Basics
Topic: Redirect outgoing DNS requets to internal DNS server
Replies: 15
Views: 4295

Re: Redirect outgoing DNS requets to internal DNS server

Your firewall is dropping the traffic. 172.16.0.0/24 is included in the address-list=not_from_intrrnet and is being dropped.
by 2frogs
Sat May 30, 2020 3:53 pm
Forum: Beginner Basics
Topic: Redirect outgoing DNS requets to internal DNS server
Replies: 15
Views: 4295

Re: Redirect outgoing DNS requets to internal DNS server

Please post your full config. Use “/export hide-sensitive file=myexport” and this will create a myexport.rsc file you can download and edit with your favorite txt editor. The use of ether2 with slaves is outdated, so you may need to change your IPs to be on your “bridge”. Or you need to consider upd...
by 2frogs
Sat May 30, 2020 12:38 am
Forum: Wireless Networking
Topic: Netmetal AC2 Disappointments [SOLVED]
Replies: 30
Views: 6097

Re: Netmetal AC2 Disappointments [SOLVED]

Long range on Mikrotik marketing is usually referring to multiple km with high gain antennas and not covering a back yard.

The wAP AC has 3 chains on 5ghz compared to 2 chains of the netmetal. And the wAP is the same enclosure as the wireless wire (wAPG-60adkit), so it will be just fine outdoors.
by 2frogs
Sat May 30, 2020 12:03 am
Forum: Wireless Networking
Topic: Netmetal AC2 Disappointments [SOLVED]
Replies: 30
Views: 6097

Re: Netmetal AC2 Disappointments [SOLVED]

PS. The netmetal is what I would get for outdoor and probably with an antenna that has a 180 sector such that I dont get leakage into the house area. This is why you should not be giving product advice! A netmetal with sector is such bad advice for a home user. By the way, the best value Outdoor pr...
by 2frogs
Fri May 29, 2020 4:15 pm
Forum: Wireless Networking
Topic: How to measure WiFi performance from a Mikrotik AP to a Mac? [SOLVED]
Replies: 6
Views: 1954

Re: How to measure WiFi performance from a Mikrotik AP to a Mac? [SOLVED]

Testing with the built in tools should not be used as a true measure of performance as it uses the cpu for both the test and connectivity.

Only use iperf (or similar) between 2 capable PCs as a true measure of performance. Connect the 2 PCs directly and test first to see what they are capable of.
by 2frogs
Wed May 27, 2020 8:22 pm
Forum: Beginner Basics
Topic: Redirect outgoing DNS requets to internal DNS server
Replies: 15
Views: 4295

Re: Redirect outgoing DNS requets to internal DNS server

Using dstnat is correct for changing the destination no matter if it is incoming or outgoing! I would suggest changing the ip scope of the pi-hole to outside your lan ip scope. This way you can see individual devices on your pi-hole instead of the router. Add something like 172.16.0.1/24 to the same...
by 2frogs
Wed May 27, 2020 2:32 pm
Forum: Beginner Basics
Topic: What's wrong with this NAT command ?
Replies: 5
Views: 1274

Re: What's wrong with this NAT command ?

Use in-interface or out-interface to use interface name.

You have to define the interface list if you want to use in-interface-list or out-interface-list.
/interface list
add name=WAN

/interface list member
add list=WAN interface=wan
by 2frogs
Fri May 22, 2020 5:14 pm
Forum: Wireless Networking
Topic: Wi-Fi download speed in RB751U-2HnD
Replies: 5
Views: 1183

Re: Wi-Fi download speed in RB751U-2HnD

Use export instead of print:
/interface wireless export
You should now see if tx-chain=0 or tx-chain=1. It should be tx-chain=0,1. You can change it using:
/interface wireless set wlan1 tx-chain=0,1
by 2frogs
Thu May 21, 2020 11:35 pm
Forum: General
Topic: Hotspot Dynamic and Authorized Host
Replies: 2
Views: 985

Re: Hotspot Dynamic and Authorized Host

It is because you have set an address-pool at either /ip hotspot or /ip hotspot user profile. Change both to address-pool=none. Setting an address-pool was intended to help devices that might have a static IP set in their settings be able to still connect to the hotspot. That is no longer a common practi...
by 2frogs
Thu May 21, 2020 6:10 pm
Forum: Beginner Basics
Topic: Internet stop working / DNS Issue
Replies: 10
Views: 2077

Re: Internet stop working / DNS Issue

It was most likely the use of Quickset after you had already made changes. Quickset relies on basic scripts to make the changes and if you make changes outside of Quickset, it has no way of allowing for your changes. And there are other instances of Quickset just being broken. If can avoid it using it...
by 2frogs
Wed May 20, 2020 5:57 pm
Forum: General
Topic: print built in RouterOS variables
Replies: 8
Views: 2332

Re: print built in RouterOS variables

[tab] button is your best friend in RouterOS.

/[tab] - will show you directory and available commands for that directory

/int[tab] > /interface - auto completes

/interface set [tab] - will show all variables
by 2frogs
Tue May 19, 2020 7:45 pm
Forum: Beginner Basics
Topic: Internet stop working / DNS Issue
Replies: 10
Views: 2077

Re: Internet stop working / DNS Issue

I don’t see a dhcp client.
/ip dhcp-client add interface=lte
The only other odd thing is a blank interface-list-member.
by 2frogs
Tue May 19, 2020 5:53 pm
Forum: Beginner Basics
Topic: Internet stop working / DNS Issue
Replies: 10
Views: 2077

Re: Internet stop working / DNS Issue

/export hide-sensitive file=myconfig
Download myconfig.rsc from Files and edit with your favorite txt editor. Post content.
by 2frogs
Tue May 19, 2020 5:16 pm
Forum: Beginner Basics
Topic: Where do I set the default mode "station" on webfig?
Replies: 12
Views: 2124

Re: Where do I set the default mode "station" on webfig?

In Quickset it is the very top drop down box, you want “CPE”, but I highly recommend NOT using Quickset as it has a bad habit of breaking things. Just Don’t! I only provided it as one of the places this change could be made... Issue this command in terminal: /interface wireless set wlan1 mode=statio...
by 2frogs
Tue May 19, 2020 3:47 pm
Forum: Beginner Basics
Topic: Does RouterOS block NTP traffic by default? [SOLVED]
Replies: 23
Views: 4930

Re: Does RouterOS block NTP traffic by default? [SOLVED]

Auto correct victim.... or poor typing skills....

“ I didn’t say they should.”
by 2frogs
Tue May 19, 2020 3:15 pm
Forum: Beginner Basics
Topic: Does RouterOS block NTP traffic by default? [SOLVED]
Replies: 23
Views: 4930

Re: Does RouterOS block NTP traffic by default? [SOLVED]

I didn’t say they should! It could be done in a poor attempt to redirect to their own server. Or a Mom/Pop shop that just doesn’t know any better.

The fact the OP stated this was ongoing from before his Mikrotik router implies to me it is the ISP.
by 2frogs
Tue May 19, 2020 1:59 pm
Forum: Beginner Basics
Topic: Does RouterOS block NTP traffic by default? [SOLVED]
Replies: 23
Views: 4930

Re: Does RouterOS block NTP traffic by default? [SOLVED]

I believe both of the previous responses were either backwards or missed the mark, so I am going to give my 2 cents. When you are connecting to a time server, you do so on port 123. This is no different from http on port 80 and https on port 443. The return port is what will be random. Your device wi...
by 2frogs
Tue May 19, 2020 6:19 am
Forum: General
Topic: Dumb question about Bridge mode in RouterOS
Replies: 3
Views: 834

Re: Dumb question about Bridge mode in RouterOS

Quickset does not make all the necessary changes for the different modes for some reason. A hAP lite (WISP AP) I just tested did not remove the default firewall rules. When a new bridge was created with all ports added, the bridge was removed from interface-list=LAN and replaced with ether2, ether3,...
by 2frogs
Tue May 19, 2020 5:43 am
Forum: Beginner Basics
Topic: How to port forward and access my ISM modem device
Replies: 1
Views: 515

Re: How to port forward and access my ISM modem device

If the modem is in bridge mode, you will need to add an IP address to the interface that it is connected to on the Mikrotik in the range that the modem is in. For example; If your Modem has an IP of 192.168.1.1 and connected to ether1, you would add 192.168.1.2/24 to ether1. /ip address add address...
by 2frogs
Tue May 19, 2020 5:14 am
Forum: Beginner Basics
Topic: Failed to connect to internet
Replies: 16
Views: 2775

Re: Failed to connect to internet

If you plug into the modem directly with your PC or connect to its wireless, do you get an IP from it? Are you able to browse the Internet or ping Internet IPs? If you are having to set an IP in the range of your modem to ping it/ access its web interface, then it is most likely in bridge mode. This...
by 2frogs
Mon May 18, 2020 8:14 pm
Forum: Beginner Basics
Topic: Outdoor AP? [SOLVED]
Replies: 8
Views: 2216

Re: Outdoor AP? [SOLVED]

The wAP AC is an excellent outdoor AP.
https://mikrotik.com/product/RBwAPG-5HacT2HnD
by 2frogs
Mon May 18, 2020 7:29 pm
Forum: Beginner Basics
Topic: Where do I set the default mode "station" on webfig?
Replies: 12
Views: 2124

Re: Where do I set the default mode "station" on webfig?

If mode=station keeps changing to mode=station-wds then it is being changed on Quickset, /interface/wireless or by a script. A WDS link is still possible if mode=station and mode-wds is not =disabled.
by 2frogs
Mon May 18, 2020 3:03 pm
Forum: Beginner Basics
Topic: Failed to connect to internet
Replies: 16
Views: 2775

Re: Failed to connect to internet

1. & 2. look good. 3. action=srcnat is normally used when you have multiple IPs on your WAN interface. Using src-address as an example, you could have 1 internal IP use one external IP while the rest of your internal IPs use another. action=masquerade is the default because it works well with a ...
by 2frogs
Mon May 18, 2020 2:04 am
Forum: Beginner Basics
Topic: Failed to connect to internet
Replies: 16
Views: 2775

Re: Failed to connect to internet

First, thank you for your help. Here is the configuration
# jan/02/1970 04:56:35 by RouterOS 6.46.5
# software id = YCEF-KZ52
#
# model = RB941-2nD
# serial number = D1130BA3F321
/interface bridge
add admin-mac=C4:AD:34:C9:6E:47 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find...
by 2frogs
Sat May 16, 2020 10:33 pm
Forum: General
Topic: Solution needed: router PoE + WIreless
Replies: 6
Views: 1558

Re: Solution needed: router PoE + WIreless

https://mikrotik.com/product/RB750UPr2
The RB750UPr2 is only rated to 30v. It includes a 24v power supply.
https://mikrotik.com/product/RB960PGS
The RB960PGS (HEX POE) is rated to 57v and includes a 24v power supply. It is passive power, so it will supply whatever you input to it. All Mikrotik POE ...
by 2frogs
Sat May 16, 2020 7:24 pm
Forum: Scripting
Topic: How to get IP, MAC, EtherPort for all currently active EtherPorts? [SOLVED]
Replies: 25
Views: 4764

Re: How to get IP, MAC, EtherPort for all currently active EtherPorts? [SOLVED]

An alternate would be to use something like:
/interface bridge host print
:D

It won't get you the address, but it will get you mac-address and interface it is on. You could then combine this with data from the /ip dhcp-server lease of your router.
by 2frogs
Sat May 16, 2020 7:09 pm
Forum: Scripting
Topic: How to get IP, MAC, EtherPort for all currently active EtherPorts? [SOLVED]
Replies: 25
Views: 4764

Re: How to get IP, MAC, EtherPort for all currently active EtherPorts? [SOLVED]

Since all your ethernet ports are slaved to the bridge, only the bridge will show as the interface. You can change the script to:
{ :local ethlist; :local buffer; :local fileName "address-list"; :foreach i1 in=[/interface find running=yes] do={:set $ethlist [/interface get $i1 value-name=na...
by 2frogs
Sat May 16, 2020 5:54 pm
Forum: Scripting
Topic: Create list of interfaces in a loop [SOLVED]
Replies: 2
Views: 995

Re: Create list of interfaces in a loop [SOLVED]

:foreach i in=[/interface bridge port find where bridge="bro"] do={/interface bridge port set $i pvid=10}
:D
by 2frogs
Sat May 16, 2020 5:19 am
Forum: Scripting
Topic: Address Lists [SOLVED]
Replies: 2
Views: 1229

Re: Address Lists [SOLVED]

:foreach i in=[/ip fire add find where list=name address~".net"] do={:if ([/ping [/ip fire add get $i value-name=address] interval=1s count=5]>0) do={/ ip fire add set $i timeout=30d}}
:D
by 2frogs
Fri May 15, 2020 6:01 pm
Forum: General
Topic: Mikrotik DHCP lease time with Ubiquiti and wireless routers
Replies: 16
Views: 2653

Re: Mikrotik DHCP lease time with Ubiquiti and wireless routers

@bpwl This is a Ubiquiti issue. The clients' routers are not getting DHCP from the Ubiquiti CPE. I use Mikrotiks at all my towers, using DHCP to hand the IP to the Ubiquiti radios. The radio is configured to then hand out an IP to the customer's router. @jakkwb You might try changing lease time to 86...
by 2frogs
Fri May 15, 2020 5:13 pm
Forum: General
Topic: Static DNS best practice with dedicated server
Replies: 7
Views: 1576

Re: Static DNS best practice with dedicated server

@anav
1. Not sure what you mean!?!? (leave on tcp,upd :53)
2. I believe this would be best, so if there is an issue with it you can redirect to somewhere else. (see 9.)
3. This would be more personal preference. I only use vlan for my Guest network.
4. 192.168.254.1 is pi-Hole in this example: /ip d...
by 2frogs
Thu May 14, 2020 8:05 pm
Forum: General
Topic: Dual WAN 1 LAN with NAT configuration [SOLVED]
Replies: 27
Views: 4673

Re: Dual WAN 1 LAN with NAT configuration [SOLVED]

This is a strange way of handing out multiple IPs. It is usually considered to be a big No-No to make multiple connections to the same device. You normally have to configure manually for the additional IPs. You might contact your ISP to be sure you have done this correctly.
by 2frogs
Thu May 14, 2020 7:43 pm
Forum: General
Topic: Static DNS best practice with dedicated server
Replies: 7
Views: 1576

Re: Static DNS best practice with dedicated server

It has its drawbacks as well! When forwarding, the Pi-hole only sees the Router as a client, so the per client/group blocking won't work. Devices on my network only get 1.1.1.1 & 1.0.0.1, so if I was to disable both sets of NAT rules the devices would still have functioning DNS. I originally ha...
by 2frogs
Thu May 14, 2020 8:28 am
Forum: General
Topic: Dual WAN 1 LAN with NAT configuration [SOLVED]
Replies: 27
Views: 4673

Re: Dual WAN 1 LAN with NAT configuration [SOLVED]

Your firewall rules need a lot of work! chain=input is for traffic going to the router itself (Webfig, Winbox, Ping, DNS, etc.) chain=forward is for any traffic being forwarded by the router (from one interface to another.) All the rules you added mostly belonged to the chain=forward since it was...
by 2frogs
Thu May 14, 2020 6:59 am
Forum: General
Topic: Static DNS best practice with dedicated server
Replies: 7
Views: 1576

Re: Static DNS best practice with dedicated server

Not sure if it is the proper way of handling DNS, but I left Cloudflare as DNS under DHCP-Server>Network and use NAT to redirect to my Pi-hole instance. My Pi-hole has the router set as its DNS so that I could use Static DNS and the router had Cloudflare set for its DNS. I have some that I don't want goi...
by 2frogs
Wed May 13, 2020 5:00 pm
Forum: General
Topic: Dual WAN 1 LAN with NAT configuration [SOLVED]
Replies: 27
Views: 4673

Re: Dual WAN 1 LAN with NAT configuration [SOLVED]

I am going to ask the more obvious! Are you using the default firewall? And did you add ETH3-WAN2 to WAN Interface List?
by 2frogs
Tue May 12, 2020 12:41 am
Forum: Beginner Basics
Topic: Internet stop working / DNS Issue
Replies: 10
Views: 2077

Re: Internet stop working / DNS Issue

Looks like you are not getting an IP Address on LTE. On your Quick Set page it is empty. And when you pinged 8.8.8.8, which you don’t need DNS to ping IP, it returned “no route to host”.
by 2frogs
Sun May 10, 2020 7:11 am
Forum: Beginner Basics
Topic: remote forwarding remote winbox issue [SOLVED]
Replies: 14
Views: 3110

Re: remote forwarding remote winbox issue [SOLVED]

dstnat: in :pppoe-out1 out:(unknown 0), proto TCP (SYN), 110.54.222.111:49667->101.58.69.xx:3389, len48
You have log=yes (checked), this is the log showing a connection. This is not an error message. Was the client unable to connect to the router?
by 2frogs
Sun May 10, 2020 7:01 am
Forum: Beginner Basics
Topic: Configure as router and gateway to home wifi
Replies: 1
Views: 623

Re: Configure as router and gateway to home wifi

Using Mikrotik Winbox instead of Webfig is the best option. You should be able to connect to the device using the MAC Address to configure your device. It is also best practice to reset the device without default configuration and configure it manually than trying to rely on the basic scripts in the...
by 2frogs
Sat May 09, 2020 7:15 pm
Forum: Forwarding Protocols
Topic: port forwading
Replies: 13
Views: 2561

Re: port forwading

For the Hotspot to work correctly, it requires internet access so that any html queries can be redirected to the Hotspot login.html landing page. Instead of trying to redirect with firewall, it would be easier to edit the login.html to: <head> <meta http-equiv="refresh" content="5; UR...
by 2frogs
Sat May 09, 2020 4:46 pm
Forum: Beginner Basics
Topic: How to do Mikrotik hotspot who redirects the user to the company website, without login page. [SOLVED]
Replies: 5
Views: 1649

Re: How to do Mikrotik hotspot who redirects the user to the company website, without login page. [SOLVED]

This is what I use with success;
<head>
<meta http-equiv="refresh" content="0; URL=https://www.yoururl.com/" />
</head>
<body>
<p>If you are not redirected in five seconds, <a href="https://www.yoururl.com/">click here</a>.</p>
</body>
Just replace the html code with th...
by 2frogs
Wed Feb 12, 2020 4:48 pm
Forum: General
Topic: Chromecast sleepmode issue
Replies: 25
Views: 5087

Re: Chromecast sleepmode issue

Try increasing DHCP lease-timeout=1d. I know Apple things have issues with the short default lease time.

Edit: just re-read your last post where you changed it, but it might not have been long enough.
by 2frogs
Wed Jan 22, 2020 5:08 pm
Forum: General
Topic: Hotspot already logged in via and status is Active but just stuck at login page and can't go Internet
Replies: 2
Views: 711

Re: Hotspot already logged in via and status is Active but just stuck at login page and can't go Internet

I have seen lots of explanations of why, most are centered around temporary network issues or bad client devices/drivers. The best solution is to disable the 1:1 NAT by setting the dhcp-pool=none. The 1:1 NAT was introduced to allow devices that had a static IP Address configured to be able to conne...
by 2frogs
Fri Sep 20, 2019 9:30 am
Forum: Beginner Basics
Topic: WAN's seem happy, but no Internet Access
Replies: 2
Views: 862

Re: WAN's seem happy, but no Internet Access

/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
You will need to disable fasttrack as it will break mangle rules.
by 2frogs
Fri Sep 20, 2019 9:06 am
Forum: Beginner Basics
Topic: Trouble Forwarding Ports [SOLVED]
Replies: 2
Views: 973

Re: Trouble Forwarding Ports [SOLVED]

Have you set the cable modem to forward the ports to the mikrotik? I see references to a 192.168.1.1 address in a couple of locations that I am assuming is your cable router. If your mikrotik is getting DHCP from 192.168.1.1 and has an 192.168.1.xxx IP, you will have to forward those ports on the ca...
by 2frogs
Fri Sep 20, 2019 8:36 am
Forum: Beginner Basics
Topic: Setup VPN with Mikrotik
Replies: 6
Views: 1694

Re: Setup VPN with Mikrotik

add action=accept chain=input dst-port=1723 comment="accept PPTP" protocol=tcp
This needs to go either above or below the "defcon: accept ICMP" because the order matters. Also, chain=input is for anything going to the router itself. And chain=forward is anything being forwarded...
by 2frogs
Fri Sep 20, 2019 8:07 am
Forum: Beginner Basics
Topic: Licensing question, demo
Replies: 2
Views: 916

Re: Licensing question, demo

https://wiki.mikrotik.com/wiki/Manual:License
https://wiki.mikrotik.com/wiki/Manual:CHR#Free_licenses
In short the x86 version has a 24hr demo (level 0) or a very limited demo (level 1.) The CHR has a free version, limited to 1Mbps/interface. Or 60 day trial mode for any CHR License Levels (P1, P10,...
by 2frogs
Fri Sep 20, 2019 7:49 am
Forum: Forwarding Protocols
Topic: Port forwarding dynamic IP [SOLVED]
Replies: 3
Views: 6539

Re: Port forwarding dynamic IP [SOLVED]

/ip firewall nat add chain=dstnat dst-address=!192.168.88.1 dst-port=80 protocol=tcp dst-address-type=local to-address=192.168.88.253
You can enable the DDNS under IP>Cloud and use the DDNS to access the device. You could also use the DDNS to do the dstnat:
/ip firewall address-list add address=you...
by 2frogs
Sun Sep 15, 2019 1:22 am
Forum: Wireless Networking
Topic: wireless bridge problems
Replies: 2
Views: 1134

Re: wireless bridge problems

On the RBMetal, change mode=bridge to mode=ap-bridge, mode=bridge only allows 1 connected client.
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce \
    disabled=no hide-ssid=yes mode=ap-bridge security-profile=profile1 ssid=\
    <SSID HERE> wps-mode=disabled
by 2frogs
Tue Sep 10, 2019 6:04 am
Forum: Wireless Networking
Topic: Bit confused by the existence of the hAP AC Lite?
Replies: 15
Views: 4180

Re: Bit confused by the existence of the hAP AC Lite?

One use case would be vdsl2 areas where the 2.4ghz bands are overcrowded and all but unusable. Another would be for wireless internet providers that use 2.4ghz bands to distribute internet, they can provide a router they can set to not interfere with the channel they are using to connect that client.
by 2frogs
Sat Sep 07, 2019 4:40 pm
Forum: Beginner Basics
Topic: Somehow im blind
Replies: 5
Views: 1511

Re: Somehow im blind

First issue is that the LAN IP address should be on the bridge interface since it is the master and ether2 is slaved to it.

Second, is that your NAT rule has your IP scope on src-address-list instead of src-address. You could define an address-list and use that instead.
by 2frogs
Tue Sep 03, 2019 5:14 am
Forum: Wireless Networking
Topic: Hotspot woes, users having to keep signing in
Replies: 1
Views: 826

Re: Hotspot woes, users having to keep signing in

Usually seeing the same MAC with multiple IPs is caused from having a pool set in the hotspot or from having dhcp lease times set too short. Setting an IP pool in the hotspot will create a 1:1 NAT for devices that have a static IP. And sometimes it will NAT devices that received an IP from the dhcp se...
by 2frogs
Sat Aug 17, 2019 4:34 am
Forum: Beginner Basics
Topic: can only get a dynamic ip on bridge interface
Replies: 10
Views: 2543

Re: can only get a dynamic ip on bridge interface

If you plug your computer into the cable that is on ether1, does it get an IP address? If it does, make sure it is not in the same range as your router (ie 192.168.88.0/24). I don't see anything in config that would prevent it from obtaining an IP.
by 2frogs
Thu Aug 15, 2019 9:41 pm
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 6068

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

On CRS, navigate to IP>Addresses. Or
/ip address remove [find address="192.168.88.1/24"]
The address is most likely a left-over from the default config.
by 2frogs
Thu Aug 15, 2019 7:08 pm
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 6068

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Since you have a dhcp-client on bridge, just remove the 192.168.88.1/24 address
by 2frogs
Thu Aug 15, 2019 3:08 pm
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 6068

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Change:
add action=masquerade chain=srcnat comment=LetsencrypLocal dst-address=192.168.88.254 \
    dst-port=180,1443 protocol=tcp
to
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=192.168.88.0/24 src-address=192.168.88.0/24
as SOB suggested as it is universal. Do you have any static...
by 2frogs
Wed Aug 14, 2019 6:03 pm
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 6068

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

And you have flushed dns on your device?
What is it doing or not doing?
Can you provide:
/ip firewall nat export
by 2frogs
Mon Aug 12, 2019 9:02 pm
Forum: General
Topic: Simple Queue not working unless torch is running
Replies: 2
Views: 870

Re: Simple Queue not working unless torch is running

Try disabling the fast-track firewall rules.
by 2frogs
Sun Aug 11, 2019 5:44 am
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 6068

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

@sebastia

I believe you missed that the server is on ports 180 & 1443. Static DNS entries will not work in this case as it points to ports 80 & 443.
by 2frogs
Sat Aug 10, 2019 3:21 pm
Forum: Beginner Basics
Topic: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server
Replies: 26
Views: 6068

Re: New to Mikrotik trying to setup portforwarding for letsencrypt nginx on unraid server

Instead of the DNS trick, try correcting your dst-nat rules. If you have a static IP:
/ip firewall nat
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=your.external.ip.address protocol=tcp to-addresses=192.168.88.245 to-ports=180
add action=dst-nat chain=dstnat comment=Le...
by 2frogs
Thu Aug 08, 2019 9:10 pm
Forum: Beginner Basics
Topic: wifi speed - 2 clients only
Replies: 2
Views: 1033

Re: wifi speed - 2 clients only

What you are seeing is normal. The data rate is the combined theoretically possible rate for upload and download. Since the AP and Client can only send or receive and do so to a single device at a time it will halve the data rate. And as you noticed, if you connect a second device and try to download...
by 2frogs
Thu Aug 08, 2019 4:28 pm
Forum: Beginner Basics
Topic: MikroTik wAP as wireless client?
Replies: 4
Views: 3965

Re: MikroTik wAP as wireless client?

The best way to set it up is to use Winbox to reset without default and configure it manually. Once you have reset the wAP, you will have to connect to it using its MAC Address. Now you can setup a bridge and add ether1 and wlan1 to it. And now configure wlan1 to be a station with the proper SSID and...
by 2frogs
Thu Aug 08, 2019 7:45 am
Forum: Wireless Networking
Topic: Hotspot Mikrotik Customization
Replies: 2
Views: 1088

Re: Hotspot Mikrotik Customization

The Hotspot Trial user is perfect for what you want. You can edit the default login.html to remove the login box and use the trial user link as the "click here" to agree. https://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot https://wik...
by 2frogs
Thu Aug 08, 2019 7:30 am
Forum: Scripting
Topic: Failover script to call another script
Replies: 1
Views: 1570

Re: Failover script to call another script

So if you put these in terminal they run, but not from the script?
/system script run firewall-to-backup
/system script run firewall-to-main
You could also change from using in/out-interface to interface-list and not have to change the firewall rules at all:
/interface list add comment=defconf name=...
by 2frogs
Thu Aug 08, 2019 6:33 am
Forum: Beginner Basics
Topic: simultaneous user logins
Replies: 2
Views: 897

Re: simultaneous user logins

/tool user-manager user set [find shared-users=unlimited] shared-users=1
by 2frogs
Thu Aug 01, 2019 6:35 am
Forum: General
Topic: Very simple VLAN
Replies: 16
Views: 2651

Re: Very simple VLAN

You mentioned untagging/tagging is why I suggested a bridge. But yes, you can put the IP and DHCP Server directly on vlan1. And you can then remove the bridge port for vlan1 as it is not needed.
by 2frogs
Thu Aug 01, 2019 5:16 am
Forum: Beginner Basics
Topic: VPN problem between local LAN and VPN clients
Replies: 3
Views: 1156

Re: VPN problem between local LAN and VPN clients

Do you have a static route to your LAN set on the Synology and a static route to the Synology from the Router?
by 2frogs
Thu Aug 01, 2019 4:59 am
Forum: General
Topic: Very simple VLAN
Replies: 16
Views: 2651

Re: Very simple VLAN

I believe you need to create a new bridge for the vlan and add IP and DHCP Server to the new bridge. Then change the bridge port for vlan1 to the new bridge.
/interface bridge add name=vlan1-bridge
/interface bridge port add bridge=vlan1-bridge interface=vlan1
The rest of your config should remain t...
by 2frogs
Wed Jul 31, 2019 4:30 pm
Forum: Wireless Networking
Topic: Help with a wireless backbone
Replies: 3
Views: 1140

Re: Help with a wireless backbone

You will need to use vlans, but having two networks in both buildings should not be a problem. There are many tutorials and examples on this forum and elsewhere. You will need a vlan capable switch. Or if you only need a few ports and it is indoors you can use something like an hAP-AC/hAP-AC2 and br...
by 2frogs
Wed Jul 31, 2019 2:33 am
Forum: Wireless Networking
Topic: Help with a wireless backbone
Replies: 3
Views: 1140

Re: Help with a wireless backbone

I would use the Wireless Wire to bridge the buildings as it can provide wire speeds.
by 2frogs
Tue Jul 30, 2019 5:35 am
Forum: General
Topic: Mikrotik Mobile App [SOLVED]
Replies: 2
Views: 1102

Re: Mikrotik Mobile App [SOLVED]

The app uses the Winbox port to connect. You can specify the correct port in the address field of app like; 192.168.88.1:1234
by 2frogs
Fri Jul 26, 2019 2:23 pm
Forum: Wireless Networking
Topic: Faile to add queue
Replies: 1
Views: 668

Re: Faile to add queue

From Terminal run this command:
/export hide-sensitive file=export
Download and edit the export.rsc using a text editor to remove any public ips or identifying information and paste using the code wrapper [ code][ /code].
by 2frogs
Fri Jul 26, 2019 2:11 pm
Forum: General
Topic: Ovpn server on separate pool cannot reach lan
Replies: 4
Views: 1459

Re: Ovpn server on separate pool cannot reach lan

Try adding this to the top of your mangle rules:
/ip firewall mangle
add action=accept chain=prerouting dst-address=10.255.255.0/24 in-interface=bridge
I believe your rules are too loose and catching any traffic from your LAN to VPN IP ranges.
by 2frogs
Thu Jul 25, 2019 7:35 am
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 45
Views: 5572

Re: Need to set up access to NAS openvpn

Thought I would let you know that L2TP/IPSec is not any better. I have a TS-431XeU with AnnapurnaLabs Alpine AL-314 32-bit ARM® Cortex-A15 quad-core 1.7GHz processor and 10-11MB/s is all it will do at 40% CPU usage. QVPN represents only 10% CPU usage.
by 2frogs
Tue Jul 23, 2019 12:15 am
Forum: Wireless Networking
Topic: 6 x 60G AP Sectors Area Configuration Thread
Replies: 5
Views: 1443

Re: 6 x 60G AP Sectors Area Configuration Thread

Separation will do wonders too. Both horizontal and vertical. Any radio device back to back on a mast is usually a bad idea. 2-3 meters vertically and 1 horizontal is about minimal in my opinion.
by 2frogs
Mon Jul 22, 2019 9:25 pm
Forum: General
Topic: Can't access Winbox from VPN - OpenVpn
Replies: 4
Views: 2751

Re: Can't access Winbox from VPN - OpenVpn

/ip firewall filter 
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
This rule, since no interfaces are listed and it is above the drop rule (they are processed in order), allows pings from anywhere.
by 2frogs
Mon Jul 22, 2019 9:02 pm
Forum: General
Topic: Can't access Winbox from VPN - OpenVpn
Replies: 4
Views: 2751

Re: Can't access Winbox from VPN - OpenVpn

This rule is blocking access:
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
Your VPN is not included in interface-list. You can add it under /ppp profiles:
/ppp profile
add local-address=192.168.1.1 name=Ovpn-profil...
by 2frogs
Sat Jul 20, 2019 3:52 am
Forum: Beginner Basics
Topic: RBwAPG-60ad IP Settings
Replies: 1
Views: 832

Re: RBwAPG-60ad IP Settings

The bridge is the correct place for the dhcp-client as it is the master interface. It looks like the quick-set is broken, but since it is based off of simple scripts it is limited in functionality and should not be used past initial setup anyway.
by 2frogs
Sat Jul 20, 2019 3:05 am
Forum: Scripting
Topic: am i missing something???
Replies: 2
Views: 1577

Re: am i missing something???

:if ([:len [/ip ipsec policy find dst-address=10.0.0.0/16]]=0) do={:put "Not Found" } else={:put "Found"}
Or
:if ([:len [/ip ipsec policy find dst-address=10.0.0.0/16]]>0) do={:put "Found"} else={:put "Not Found"}
A missing value is not 0, it is null and ROS...
by 2frogs
Fri Jul 19, 2019 4:13 am
Forum: General
Topic: hair pin when out interface has different address
Replies: 8
Views: 1247

Re: hair pin when out interface has different address

I am sorry, I either misread your original setup or confused it with another. You don't even need the ddns hack. Use dst-address=192.168.1.252.
/ip firewall nat add chain=srcnat action=src-nat protocol=tcp src-address=10.0.1.0/24 dst-address=192.168.1.252 to-address=10.0.1.1 out-interface=bridge d...
by 2frogs
Thu Jul 18, 2019 8:13 pm
Forum: General
Topic: hair pin when out interface has different address
Replies: 8
Views: 1247

Re: hair pin when out interface has different address

Yes, you can use the DDNS you already have setup.
by 2frogs
Wed Jul 17, 2019 8:18 pm
Forum: General
Topic: hair pin when out interface has different address
Replies: 8
Views: 1247

Re: hair pin when out interface has different address

On your 10.0.1.1, enable the built in DDNS. Now add your DDNS URL to an address-list with a name like My_IP. You now use dst-address-list in place of dst-address in the hair-pin nat tutorials.

You can also use the DDNS URL to access your server without having to know your current IP.
by 2frogs
Wed Jul 17, 2019 2:13 pm
Forum: General
Topic: A difficault question about CLI [SOLVED]
Replies: 3
Views: 924

Re: A difficault question about CLI [SOLVED]

In Terminal, the [TAB] key can be your friend! :)

It can auto complete command and list: directories, commands and variables
by 2frogs
Tue Jul 16, 2019 3:23 pm
Forum: Beginner Basics
Topic: connection state question [SOLVED]
Replies: 13
Views: 2229

Re: connection state question [SOLVED]

Correct! It is already accepted!
by 2frogs
Tue Jul 16, 2019 2:42 pm
Forum: Beginner Basics
Topic: connection state question [SOLVED]
Replies: 13
Views: 2229

Re: connection state question [SOLVED]

The default for the firewall filter is to accept. If you remove all rules, everything would be accepted. If you only add chain=forward action=drop, then all being forwarded would be dropped. Now change that rule to include in-interface=ether1 and now only forwards coming from ether1 are being droppe...
by 2frogs
Tue Jul 16, 2019 2:21 pm
Forum: General
Topic: A difficault question about CLI [SOLVED]
Replies: 3
Views: 924

Re: A difficault question about CLI [SOLVED]

unset
/ip firewall nat unset [find action=masquerade] out-interface
by 2frogs
Tue Jul 16, 2019 3:33 am
Forum: General
Topic: Redirecting Problems [SOLVED]
Replies: 3
Views: 1025

Re: Redirecting Problems [SOLVED]

That is correct, you need both rules.
by 2frogs
Mon Jul 15, 2019 3:02 am
Forum: General
Topic: Port Forwarding Not Working but Shows Packets
Replies: 20
Views: 5478

Re: Port Forwarding Not Working but Shows Packets

@anav
hmm, so glad we can agree it could be done with a single rule:
"And your Filter rule need to be for chain=forward: (or enable the default drop rule)"
by 2frogs
Sat Jul 13, 2019 11:45 pm
Forum: General
Topic: Mikrotik Web Interface not accesible via VPN on remote router
Replies: 5
Views: 4273

Re: Mikrotik Web Interface not accesible via VPN on remote router

Or add script to ppp profile to add/remove the interface when you login/logout: on-up=/interface list member add list="LAN" interface=[/interface get [find type=l2tp-in && dynamic=yes] name] on-down=/interface list member remove [find interface!="bridge" && list=&...
by 2frogs
Sat Jul 13, 2019 4:28 am
Forum: General
Topic: Redirecting Problems [SOLVED]
Replies: 3
Views: 1025

Re: Redirecting Problems [SOLVED]

You also need a src-nat:
/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.4 to-address=192.168.0.1
by 2frogs
Sat Jul 13, 2019 1:46 am
Forum: Wireless Networking
Topic: Can I use NV2 and "normal" Wifi on the same device?
Replies: 4
Views: 1121

Re: Can I use NV2 and "normal" Wifi on the same device?

The Wireless Wire is basically 2 WAP 60G AP, just pre-configured as PtP pair (they can be reconfigured). They have a 60 degree beam width, so depending on the layout it could cover your end points. There is also a WAP 60Gx3 AP that can cover 180 degrees.
https://mikrotik.com/product/wap_60gx3_ap
by 2frogs
Fri Jul 12, 2019 9:25 pm
Forum: Wireless Networking
Topic: Can I use NV2 and "normal" Wifi on the same device?
Replies: 4
Views: 1121

Re: Can I use NV2 and "normal" Wifi on the same device?

You cannot use 802.11 and NV2 at the same time. A dedicated point to point or point to multi-point would be better than trying to use an AP that has other wireless users on it. Have you seen: https://mikrotik.com/product/wap_60g_ap https://mikrotik.com/product/wireless_wire These should be able to conn...
by 2frogs
Fri Jul 12, 2019 9:09 pm
Forum: General
Topic: Port Forwarding Not Working but Shows Packets
Replies: 20
Views: 5478

Re: Port Forwarding Not Working but Shows Packets

Your NAT rules do not need a to-port unless you are changing ports. They should look like this: /ip firewall nat add action=dst-nat chain=dstnat comment="ALA USG VPN" dst-port=500 in-interface=ether1-gateway log=yes protocol=udp to-addresses=10.0.1.89 add action=dst-nat chain=dstnat comme...
by 2frogs
Fri Jul 12, 2019 8:24 pm
Forum: General
Topic: Mikrotik Web Interface not accesible via VPN on remote router
Replies: 5
Views: 4273

Re: Mikrotik Web Interface not accesible via VPN on remote router

There are actually major differences between the 2 routers when you consider the firewall rules. On Router 1, the default drop for input is dropping all from ether1, which is your WAN. By default it is accepting from all other ports including all other ethers, wlans, bridges, l2tp, etc. /ip firewall...
by 2frogs
Fri Jul 12, 2019 6:35 pm
Forum: Beginner Basics
Topic: Log File [SOLVED]
Replies: 4
Views: 1517

Re: Log File [SOLVED]

Yes
/log print file=log.txt
A remote syslog might be a better option depending on intended use.
https://wiki.mikrotik.com/wiki/Manual:System/Log
by 2frogs
Wed Jul 10, 2019 11:18 pm
Forum: General
Topic: Very high sector writes
Replies: 43
Views: 5960

Re: Very high sector writes

Most likely a partially failed update or some corruption in OS.
by 2frogs
Wed Jul 10, 2019 5:38 am
Forum: General
Topic: Help with IP-> Filter needed
Replies: 2
Views: 731

Re: Help with IP-> Filter needed

Create an address-list name=payment_gateway and add www.some.paymentsystem.com and dns ip to it.
Now add dst-address-list!=payment_gateway to both of your rules. The "!" means "not".

This should work for http, but I don't think it will for https...
by 2frogs
Wed Jul 10, 2019 3:05 am
Forum: Beginner Basics
Topic: Scripting distance of routes [SOLVED]
Replies: 8
Views: 2123

Re: Scripting distance of routes [SOLVED]

Is x.x.x.x a unique ID or do you have multiple with gateway=x.x.x.x? Copy and paste the following in Terminal: /ip route add dst-address=1.2.3.4/32 gateway=1.2.3.4 distance=5; :if ([/ip route get [find gateway=1.2.3.4] distance]=5) do={:put "True"} else={:put "False"}; ##Should h...
by 2frogs
Tue Jul 09, 2019 7:45 pm
Forum: Beginner Basics
Topic: Scripting distance of routes [SOLVED]
Replies: 8
Views: 2123

Re: Scripting distance of routes [SOLVED]

Spacing maybe!?!? This works for me:
:if ([/ip route get [find gateway=x.x.x.x] distance]=2) do={:log error "True"}
by 2frogs
Sat Jul 06, 2019 3:25 am
Forum: General
Topic: Very high sector writes
Replies: 43
Views: 5960

Re: Very high sector writes

/system logging
add topics=debug
Have you tried disabling this?
by 2frogs
Thu Jul 04, 2019 3:48 am
Forum: Scripting
Topic: Script to disable Wlan when no user are logged on
Replies: 8
Views: 2730

Re: Script to disable Wlan when no user are logged on

No, no, no. The WLAN will automatically turn on as soon as someone connects to it. It's so obvious. OK! :mrgreen: /system scheduler add interval=10m name=wlan1-auto-on/off on-event=":if ([/interface wireless get wlan1 disabled]=yes) do={\r\ \n:log info \"Checking for Wireless Users\"...
by 2frogs
Sun Jun 30, 2019 6:07 pm
Forum: Wireless Networking
Topic: Hotspot without pass
Replies: 1
Views: 899

Re: Hotspot without pass

Use Hotspot with Trial User enabled. You can set your limits by time and/or data and have it reset after a defined period. Now edit/replace login.html with the following code and users will be logged in automatically. <!DOCTYPE html> <html> <head> <meta http-equiv="refresh" content="0; url...
by 2frogs
Fri Jun 28, 2019 12:10 am
Forum: Wireless Networking
Topic: Gateway for AP-Bridge, no DHCP
Replies: 2
Views: 1061

Re: Gateway for AP-Bridge, no DHCP

With all ports bridged it does not need a gateway for the clients. It acts like a switch and passes connection through it. It does need a default route for the router itself to connect to the internet. Adding one would allow your NTP Client to work. Should look something like: /ip route add dst-addr...
by 2frogs
Thu Jun 27, 2019 7:25 am
Forum: Beginner Basics
Topic: Simulation two WAN with one ISP
Replies: 4
Views: 1431

Re: Simulation two WAN with one ISP

Use Virtual Machine software (I use VirtualBox) to setup 2 Virtual CHR's. You need 2 virtual ethernet interfaces for each. They need minimal setup: ##Gateway1 /ip address add address=192.168.100.1/24 interface=ether2 network=192.168.100.0 /ip dhcp-client add disabled=no interface=ether1 /ip firewall...
by 2frogs
Wed Jun 26, 2019 4:12 pm
Forum: General
Topic: Best Way to Isolate Bridges to Reach Each Other's IPs
Replies: 26
Views: 4100

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

If you are using the default firewall rules, you could change the default forward drop rule to: /ip firewall filter add chain=forward connection-nat-state=dstnat in-interface=WAN action=accept add chain=forward out-interface=!WAN action=drop And if you are not doing DST-NAT or UPNP, you can omit the...
by 2frogs
Wed Jun 26, 2019 4:10 pm
Forum: General
Topic: Best Way to Isolate Bridges to Reach Each Other's IPs
Replies: 26
Views: 4100

Re: Best Way to Isolate Bridges to Reach Each Other's IPs

Edit: post duplicated.
by 2frogs
Wed Jun 12, 2019 8:23 pm
Forum: Beginner Basics
Topic: set up second WAN/ISP temporarily
Replies: 8
Views: 1484

Re: set up second WAN/ISP temporarily

Here is the correct code: /ip firewall mangle add action=mark-connection chain=forward comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In" add action=mark-connection chain=forward comment="ISP2-In" in-interface=ether2 new-connection-mark="ISP2-In&qu...
by 2frogs
Wed Jun 12, 2019 3:07 pm
Forum: Beginner Basics
Topic: set up second WAN/ISP temporarily
Replies: 8
Views: 1484

Re: set up second WAN/ISP temporarily

Oops, I copy/pasted the wrong section of code. Correct it as @sebastia stated. Sorry for my mistakes!
by 2frogs
Wed Jun 12, 2019 6:58 am
Forum: Beginner Basics
Topic: RBwAPG-60ad distance =0.0 ?
Replies: 10
Views: 1972

Re: RBwAPG-60ad distance =0.0 ?

One device has metal casing to give more focus.
So, have you tried without the metal casing?
by 2frogs
Wed Jun 12, 2019 6:53 am
Forum: Scripting
Topic: Script to disable Wlan when no user are logged on
Replies: 8
Views: 2730

Re: Script to disable Wlan when no user are logged on

Put this in scheduler:
:if ( [ :len [/interface wireless registration find] ] <= 0 ) do={ /interface wireless disable wlan1; :log info "No Wireless Users - Wireless Disabled";}
by 2frogs
Wed Jun 12, 2019 6:02 am
Forum: General
Topic: Make Hotspot Usernames for different APs
Replies: 3
Views: 735

Re: Make Hotspot Usernames for different APs

You will need to put the LAN and all 3 AP's on separate VLAN's. Then create a Hotspot Server for each VLAN. Then on each Username, you can specify which Server that Username is for.
by 2frogs
Wed Jun 12, 2019 3:31 am
Forum: Beginner Basics
Topic: set up second WAN/ISP temporarily
Replies: 8
Views: 1484

Re: set up second WAN/ISP temporarily

You need to mark connections coming in to each WAN and then make routing mark based on those connections: /ip firewall mangle add action=mark-connection chain=input comment="ISP1-In" in-interface=ether1 new-connection-mark="ISP1-In" add action=mark-connection chain=input comment=...
by 2frogs
Tue Jun 11, 2019 8:03 pm
Forum: Beginner Basics
Topic: Block acces to a New router
Replies: 2
Views: 962

Re: Block acces to a New router

Use Winbox to connect using MAC Address. Most likely the default firewall rules are blocking IP access.
by 2frogs
Wed Jun 05, 2019 2:55 am
Forum: Wireless Networking
Topic: AP and 2 repeaters in one line [SOLVED]
Replies: 2
Views: 1072

Re: AP and 2 repeaters in one line [SOLVED]

Add the MAC of the other Basebox in /interface wireless access-list with forward=no and authentication=no. Do this on both.
by 2frogs
Sun Jun 02, 2019 4:51 am
Forum: Wireless Networking
Topic: LHG 60GHz Wireless Wire [SOLVED]
Replies: 3
Views: 1405

Re: LHG 60GHz Wireless Wire [SOLVED]

I made the same mistake and tried to reconfigure them as you did. I ended up having to reset to default and swapping the units. I wonder if the slave in the set is only capable of being CPE.
by 2frogs
Tue May 28, 2019 6:49 pm
Forum: Beginner Basics
Topic: crs125-24g-1s-2hnd 100% cpu load when i am doing speedtest
Replies: 8
Views: 1601

Re: crs125-24g-1s-2hnd 100% cpu load when i am doing speedtest

See the comment in the speedtest result as shown in your screenshots. CRS devices are intended to be used as hardware switches - they can do some routing and provide some services but as the CPU is not powerful you cannot use them to do wirespeed routing, for example. In my case, I am talking about...
by 2frogs
Tue May 28, 2019 4:38 am
Forum: Beginner Basics
Topic: Hacker trying to log in - firewall default
Replies: 4
Views: 1290

Re: Hacker trying to log in - firewall default

That is correct, although you do not need the forward rule because your default forward drop rule drops all forwarded traffic unless it is in dst-nat: /ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection...
by 2frogs
Tue May 28, 2019 2:59 am
Forum: Beginner Basics
Topic: Hacker trying to log in - firewall default
Replies: 4
Views: 1290

Re: Hacker trying to log in - firewall default

You do not have the default firewall. It should include the following: /ip firewall filter add action=accept chain=input connection-state=established,related,untracked comment="DEFAULT: Accept established, related, and untracked traffic." add action=drop chain=input connection-state=invali...
by 2frogs
Mon Apr 08, 2019 1:04 am
Forum: Wireless Networking
Topic: hAP ac^2 won't pass IPs
Replies: 8
Views: 1548

Re: hAP ac^2 won't pass IPs

On both the hAP and wAP, use WISP AP from quickset after reset from no-default. After you configure the wireless, select Mode=Bridge, Address Acquisition=Automatic, Bridge All LAN Ports=yes and hit apply. After a couple seconds hit Apply again and it should now have IP from your RB3011. You can now ...
by 2frogs
Wed Apr 03, 2019 3:54 pm
Forum: Beginner Basics
Topic: How do I manage WISP AP via WebUI?
Replies: 10
Views: 3207

Re: How do I manage WISP AP via WebUI?

I suspect the IP Address is not on the right interface. In winbox, ip>addresses, be sure that the IP is on interface=bridge (or the name of your bridge.)
by 2frogs
Thu Mar 28, 2019 3:14 am
Forum: Beginner Basics
Topic: Confused about VPN local IP
Replies: 2
Views: 896

Re: Confused about VPN local IP

Quickset sets up the VPN using a separate subnet (192.168.89.0/24) than the default (192.168.88.0/24). You change it to the IP and subnet of the router if you wish. It is not advisable to use Quickset past the initial setup, especially if changes were made outside of Quickset. It relies on a basic ...
by 2frogs
Wed Mar 27, 2019 4:47 am
Forum: General
Topic: Hotpot users
Replies: 7
Views: 1137

Re: Hotpot users

No need to remove dhcp, but you will need to change:
ip/address
ip/pool
ip/dhcp-server/network

And any firewall, nat or mangle rules...
by 2frogs
Tue Mar 26, 2019 6:25 pm
Forum: General
Topic: Hotpot users
Replies: 7
Views: 1137

Re: Hotpot users

Sorry, I misunderstood! There are no performance issues with leaving the device powered on. Some changes are better facilitated with restart. Changing the IP scope is one of them. But RouterOS boots fast, less than a minute even while upgrading firmware. And yes you can change IP to /16 if not alread...
by 2frogs
Tue Mar 26, 2019 12:27 pm
Forum: General
Topic: Hotpot users
Replies: 7
Views: 1137

Re: Hotpot users

No, I have devices that are powered off daily when not in use. The only issue I have had is them being powered off while updating. This requires the Netinstall tool to recover.
by 2frogs
Tue Mar 26, 2019 3:32 am
Forum: General
Topic: Hotpot users
Replies: 7
Views: 1137

Re: Hotpot users

keepalive-timeout=10m

Restarting the router will reset all hotspot user data and remove the mac-cookies. Otherwise, there are no issues with restarting or leaving it powered off for length of time.
by 2frogs
Mon Mar 25, 2019 10:12 pm
Forum: Beginner Basics
Topic: Output, postrouting or forward?
Replies: 3
Views: 806

Re: Output, postrouting or forward?

Input/Output rules are to/from the router itself. And generally, prerouting is used if a routing decision is to be made by the mangle rule. Most other rules will use forward.
by 2frogs
Mon Mar 25, 2019 9:34 pm
Forum: General
Topic: Hotspot uptime not updated when router is off
Replies: 1
Views: 718

Re: Hotspot uptime not updated when router is off

The data is stored in RAM and not DISK. This is why it is reset after each reboot. You can search for scripts to save the data to disk or use User Manager.
by 2frogs
Mon Mar 25, 2019 9:25 pm
Forum: Beginner Basics
Topic: Master interface
Replies: 2
Views: 1098

Re: Master interface

You did not mention what Mikrotik device you are using, but some devices only have a Level 3 License and will only work as a Station (CPE) or wireless Bridge to a single device (PtP).
by 2frogs
Mon Mar 25, 2019 7:58 pm
Forum: General
Topic: wAP AC reaching out to 159.148.172.226:80 every hour
Replies: 11
Views: 2230

Re: wAP AC reaching out to 159.148.172.226:80 every hour

Does it have the Detect Internet set?
by 2frogs
Fri Mar 22, 2019 6:30 am
Forum: Beginner Basics
Topic: Can't connect to web interface internal
Replies: 10
Views: 7613

Re: Can't connect to web interface internal

/ip firewall address-list add address=127.0.0.1 list=allow-ip /ip firewall filter add action=drop chain=input comment=\ "You can say thanks on the WebMoney Z399578297824" dst-port=\ 8778,8728,8729,22,23,80,443,8291 protocol=tcp src-address-list=blacklist add action=accept chain=input comm...
by 2frogs
Thu Mar 21, 2019 10:30 pm
Forum: Beginner Basics
Topic: Can't connect to web interface internal
Replies: 10
Views: 7613

Re: Can't connect to web interface internal

Use WinBox; https://download.mikrotik.com/routeros/ ... winbox.exe
In the Neighbors Tab, click on the MAC of the device and it will load in the Connect To field. Enter your credentials below it.
by 2frogs
Thu Mar 21, 2019 1:00 pm
Forum: Beginner Basics
Topic: Can't connect to web interface internal
Replies: 10
Views: 7613

Re: Can't connect to web interface internal

IP>Services, this is where you enable/disable, set port # and can set IP's for access. If it is enabled there and you're still not able to connect, you will need to check your firewall rules IP>Firewall>Filter to be sure access is not being blocked there. Provide /export if you need any further assist...
by 2frogs
Wed Mar 20, 2019 2:58 pm
Forum: Scripting
Topic: Sounding the beeper when a LAN device pings the router
Replies: 2
Views: 871

Re: Sounding the beeper when a LAN device pings the router

/ip firewall filter add action=accept chain=input comment=pingcatch in-interface-list=LAN log=yes \ log-prefix=Ping protocol=icmp /system scheduler add interval=1s name=pingbeep on-event=":global pingcont;\r\ \n:if ([:len \$pingcont]=>0) do={:set \$pingcont [/ip firewal filter ge nd comment=\&...
by 2frogs
Sat Mar 16, 2019 5:35 pm
Forum: Wireless Networking
Topic: PoE vs Outlet power
Replies: 1
Views: 675

Re: PoE vs Outlet power

As long as your POE is providing the max power draw for each device, then there should be no difference between POE and Power Supply.
by 2frogs
Sat Mar 16, 2019 5:28 pm
Forum: General
Topic: Mangle rules
Replies: 4
Views: 841

Re: Mangle rules

by 2frogs
Tue Mar 12, 2019 4:16 pm
Forum: Scripting
Topic: How to really make backups (by script) ?
Replies: 15
Views: 4392

Re: How to really make backups (by script) ?

Use export. Upload export.rsc. Do /system reset-configuration no-defaults=yes run-after-reset=export.rsc.

This will reset device without default values and import the new settings.
by 2frogs
Mon Mar 11, 2019 9:20 pm
Forum: Beginner Basics
Topic: After configuration when connecting all ports no internet connection
Replies: 4
Views: 727

Re: After configuration when connecting all ports no internet connection

This seems to me a DNS or NAT issue. Your NAT rule, although unconventional, should work. I would lean more to DNS. Is the CCR able to resolve DNS itself? If you change the DNS server from 192.168.1.1 to 8.8.8.8, does it browse better?
by 2frogs
Wed Mar 06, 2019 3:38 am
Forum: Beginner Basics
Topic: Can't login via WinBox
Replies: 3
Views: 659

Re: Can't login via WinBox

If you are attempting to connect using ether 2-5, then this is your issue: /interface list member add comment="Org LAN Bridge2" interface=Bridge2 list=LAN add comment="ISP WAN" interface=Ether1-WAN list=WAN /ip firewall filter add action=drop chain=input comment="defconf: dr...
by 2frogs
Tue Mar 05, 2019 8:25 pm
Forum: General
Topic: dynamic ip in a dst-nat rule
Replies: 5
Views: 945

Re: dynamic ip in a dst-nat rule

I prefer this nat rule over using the ddns shown in the video.
add action=dst-nat chain=dstnat dst-address-type=local dst-address=!192.168.40.1(or router ip) dst-port=80,443  to-addresses=192.168.40.13
by 2frogs
Sun Feb 24, 2019 9:21 pm
Forum: General
Topic: Hotspot detect user ap
Replies: 3
Views: 910

Re: Hotspot detect user ap

I would use separate VLANs for each AP and create a Server for each VLAN with different Server Profiles.
by 2frogs
Sat Feb 23, 2019 3:29 am
Forum: General
Topic: Road Warrior setup using IKEv2 with RSA authentication with client internet over office pulic IP
Replies: 1
Views: 707

Re: Road Warrior setup using IKEv2 with RSA authentication with client internet over office pulic IP

There should be a setting in your phone's VPN settings to send all traffic through the VPN. This is controlled on client side.
by 2frogs
Sat Feb 23, 2019 3:13 am
Forum: Beginner Basics
Topic: disable PPPoE connections go to html page
Replies: 4
Views: 1082

Re: disable PPPoE connections go to html page

You could use the Hotspot. In ip-bindings, set your active customers' IPs to bypass. Now do as @joegoldman suggests and change their IP to a Hotspot IP and they will get captured by the Hotspot and served the login.html page.
by 2frogs
Sat Feb 23, 2019 2:43 am
Forum: Wireless Networking
Topic: point to point low throughput!
Replies: 7
Views: 1892

Re: point to point low throughput!

-30 is too strong of a signal. Reduce the power on both to maintain a -50 on both. 35Mbps is about the max you can expect from the NanoStation5.
by 2frogs
Sat Feb 23, 2019 1:03 am
Forum: General
Topic: Simple home setup - wireless roaming between APs
Replies: 7
Views: 10041

Re: Simple home setup - wireless roaming between APs

No, -79 would be correct. -81 will fall between -120 and -80 and therefore conflict.
by 2frogs
Sat Feb 23, 2019 12:17 am
Forum: Wireless Networking
Topic: Selection guide for PtP links Ranges?
Replies: 11
Views: 1711

Re: Selection guide for PtP links Ranges?

I would look more at a PtMP antenna for your fixed site. That would make aiming only critical from the temporary location. Especially if the location could change each time.
by 2frogs
Fri Feb 22, 2019 11:23 pm
Forum: Beginner Basics
Topic: Firewall rules
Replies: 4
Views: 1559

Re: Firewall rules

You can delete these, DNS alone is a nominal traffic; /ip firewall filter add action=fasttrack-connection chain=forward comment="Fasstrack DNS TCP" \ dst-port=53 protocol=tcp add action=fasttrack-connection chain=forward comment="Fasttrack DNS UPD" \ dst-port=53 protocol=udp And ...
by 2frogs
Fri Feb 22, 2019 8:49 pm
Forum: Wireless Networking
Topic: Selection guide for PtP links Ranges?
Replies: 11
Views: 1711

Re: Selection guide for PtP links Ranges?

Actually the chart shows the range for which the max data-rate can be obtained. The fading red line is the maximum distance for the lowest data-rate.
by 2frogs
Fri Feb 22, 2019 8:26 pm
Forum: Beginner Basics
Topic: Firewall rules
Replies: 4
Views: 1559

Re: Firewall rules

If you are new to networking, you should not change the default firewall rule. The default firewall is sufficient for home users.
by 2frogs
Fri Feb 22, 2019 6:44 pm
Forum: General
Topic: Accidentally updated router firmware to long term 6.42.12
Replies: 2
Views: 875

Re: Accidentally updated router firmware to long term 6.42.12

I would do a netinstall and then attempt a restore from backup.
by 2frogs
Thu Feb 21, 2019 10:33 pm
Forum: Beginner Basics
Topic: station-pseudobridge L3 bridge to non MikroTik?
Replies: 6
Views: 2179

Re: station-pseudobridge L3 bridge to non MikroTik?

I believe I want station-pseudobridge and I am aware of the L2 limitations but as this is a IP routed network should still be possible? https://wiki.mikrotik.com/wiki/Manual:Wireless_Station_Modes This indicates station-pseudobridge is for a single client. A bridge is not a routed network. Got it w...
by 2frogs
Tue Jan 08, 2019 12:47 am
Forum: General
Topic: Plink script
Replies: 7
Views: 1811

Re: Plink script

In your example, “;” is still required at the end of the first line. It stands for “New Line.” Not true anymore "New Line" works nice. No need for ; anymore. Only if you like more commands on one line. https://wiki.mikrotik.com/wiki/Manual:Scripting The end of command line is represented ...
by 2frogs
Mon Jan 07, 2019 10:11 pm
Forum: General
Topic: Plink script
Replies: 7
Views: 1811

Re: Plink script

In your example, “;” is still required at the end of the first line. It stands for “New Line.”
by 2frogs
Fri Dec 21, 2018 1:29 pm
Forum: Beginner Basics
Topic: Brute Forse SSH blacklist
Replies: 5
Views: 1295

Re: Brute Forse SSH blacklist

I know but I want to be able to access from anywhere and that is not possible if you use whitelist. Actually, Port Knocking allows for this. https://wiki.mikrotik.com/wiki/Port_Knocking But, the short answer is to add an accept for an Source IP before your brute force. Or edit brute force to includ...
by 2frogs
Thu Dec 20, 2018 7:54 pm
Forum: General
Topic: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request
Replies: 13
Views: 3193

Re: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request

This can be done with login time-out. However, 10-30 seconds would cause "Already Authorizing, retry later error" if the RADIUS is not done the first authentication request or if the authentication process is still in progress. Actually this has no effect on the OP’s issue, it does take t...
by 2frogs
Thu Dec 20, 2018 7:52 am
Forum: General
Topic: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request
Replies: 13
Views: 3193

Re: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request

Another solution is a script to kick any host that is not authorized that runs every 10-30 seconds. Maybe combine this with a delayed redirect of equal time.
by 2frogs
Thu Dec 20, 2018 7:42 am
Forum: General
Topic: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request
Replies: 13
Views: 3193

Re: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request

Not sure it would be any more of a hole than them simply changing their MAC to the same as another user.... shared-user=1 will help prevent this.
by 2frogs
Thu Dec 20, 2018 6:36 am
Forum: General
Topic: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request
Replies: 13
Views: 3193

Re: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request

Yeah, OK. I do recall this behavior and it is easy to reproduce. Create a disabled user with MAC of device. Open browser to be caught by portal, then enable user. Now try browsing again and still get caught by portal. Kick host and will login on next attempt. You can login using the MAC as user. Redi...
by 2frogs
Wed Dec 19, 2018 4:21 pm
Forum: General
Topic: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request
Replies: 13
Views: 3193

Re: Hotspot with mac-login, external captive portal and RADIUS auth - How to force a second auth request

The client should simply be able to browse to web page again to be authenticated. Or you could redirect to a non-walled-garden page as the last step in your payment process. All login processes require a http request. The Hotspot will only resend authorization request if it has not received a respon...
by 2frogs
Tue Dec 11, 2018 10:45 pm
Forum: General
Topic: Mikrotik Port Scanner -> Filezilla (21) Problem
Replies: 7
Views: 1504

Re: Mikrotik Port Scanner -> Filezilla (21) Problem

Do you have the FTP service enabled and on port 21 of the router? What other firewall rules do you have?
/ip firewall filter export
by 2frogs
Tue Dec 11, 2018 8:05 pm
Forum: General
Topic: Mikrotik Port Scanner -> Filezilla (21) Problem
Replies: 7
Views: 1504

Re: Mikrotik Port Scanner -> Filezilla (21) Problem

in /ip firewall filter -> add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no This is correct! chain=input is for traffic going to the router itself. https://i.ibb.c...
by 2frogs
Tue Dec 11, 2018 6:54 pm
Forum: General
Topic: Mikrotik Port Scanner -> Filezilla (21) Problem
Replies: 7
Views: 1504

Re: Mikrotik Port Scanner -> Filezilla (21) Problem

Your screenshot suggests you have the rule on chain=forward instead of chain=input...
by 2frogs
Sun Dec 09, 2018 8:45 pm
Forum: General
Topic: Incorrect firewall behavious
Replies: 13
Views: 1416

Re: Incorrect firewall behavious

@sebastia

You have misunderstood the problem of the OP! He has a forward rule to explicitly allow the dst-nat port. And the problem he is having is when that rule was disabled, he is still able to reach the port. The answer is what I provided. The default drop rule is allowing this traffic.
by 2frogs
Sun Dec 09, 2018 6:08 pm
Forum: General
Topic: Incorrect firewall behavious
Replies: 13
Views: 1416

Re: Incorrect firewall behavious

/ip firewall add action=drop chain=forward comment="drop unvanted local traffic" connection-nat-state=!dstnat connection-state=new in-interface=ether10-WAN This is the default drop rule! Any connection coming from WAN would first be New and therefore dropped, unless it is a connection in ...
by 2frogs
Sun Dec 09, 2018 3:41 pm
Forum: General
Topic: Incorrect firewall behavious
Replies: 13
Views: 1416

Re: Incorrect firewall behavious

add action=drop chain=forward comment="drop unvanted local traffic" connection-nat-state=!dstnat connection-state=new in-interface=ether10-WAN This rule allows any DSTNAT rules through the firewall. Remove the connection-nat-state=!dstnat if you only want to specifically allow this traffi...
by 2frogs
Sun Dec 09, 2018 5:52 am
Forum: Scripting
Topic: Type "nothing" [SOLVED]
Replies: 15
Views: 2761

Re: Type "nothing" [SOLVED]

All variables have to be declared that are used in the script, global or not, declared in other scripts or not.
by 2frogs
Fri Dec 07, 2018 4:33 am
Forum: Beginner Basics
Topic: RouterOS not loading at static IP
Replies: 3
Views: 948

Re: RouterOS not loading at static IP

I will admit I do not use webfig for any major configurations for this very reason. It is still in development and really only intended for basic changes and preconfigured changes using the quickset (although some of those do not work correctly either.) The need of removing all unused settings, incl...
by 2frogs
Thu Dec 06, 2018 10:00 pm
Forum: Wireless Networking
Topic: 2.4ghz casi ciega en sxt
Replies: 2
Views: 833

Re: 2.4ghz casi ciega en sxt

hello to all I have a problem with several equipment mikrotik model slex litle5ac dualband the problem is that it does not see well the signals at 2.4ghz, however close they are the best one sees it at -70db meanwhile another signal 5ghz if it looks perfect up to -40 from the same position because ...
by 2frogs
Thu Dec 06, 2018 9:48 pm
Forum: Beginner Basics
Topic: RouterOS not loading at static IP
Replies: 3
Views: 948

Re: RouterOS not loading at static IP

Before you change the IP address, create your bridge first. Then assign the static IP to the bridge. Now you should be able to add the ether and wlan to bridge and still access it. When you add the ether/wlan to the bridge it becomes the slave to it and can not have an IP attached to them. And inste...
by 2frogs
Thu Nov 29, 2018 8:32 am
Forum: Beginner Basics
Topic: Plex port forwarding
Replies: 7
Views: 5979

Re: Plex port forwarding

I removed the port in NAT rule, so now it looks like: add action=dst-nat chain=dstnat comment="Plex port forwarding" in-interface=ether1 protocol=tcp to-addresses=\192.168.1.18 to-ports=32400 No, you removed the wrong port. Your rule should be what I posted for you! If that still does not ...