Community discussions

Search found 4021 matches

by ZeroByte
Thu Feb 22, 2018 4:52 pm
Forum: General
Topic: pppoe
Replies: 1
Views: 65

Re: pppoe

Don't put any IP addressing on the interfaces where you serve PPPoE. Then it is impossible to get IP service w/o PPPoE.
If you have some sort of "management" IP range in use on the same network segment, then your goal should be to move this functionality to a different VLAN.
by ZeroByte
Thu Feb 22, 2018 4:30 pm
Forum: General
Topic: Get physical interface on a bridge
Replies: 1
Views: 48

Re: Get physical interface on a bridge

Remember that the Hotspot feature is a layer3 function - so it's going to see interfaces in terms of "IP interfaces" not "switchport" interfaces (to borrow a term from Cisco and others). Scripting would need to use the bridge hosts table / switch hosts tables to find the exact physical interface. I'...
by ZeroByte
Wed Feb 21, 2018 7:06 pm
Forum: General
Topic: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]
Replies: 8
Views: 386

Re: SIP client cannot re-register in the SIP server after switching ISP (different NAT) [SOLVED]

Hi @sindy, thanks for your explanation. You are right: the SIP problem is not a SIP problem, but a UDP NAT problem (a more general problem). It isn't even a bug: it's a UDP NAT limitation (a protocol limitation). I made some NAT tests and understood better how NAT works in MikroTik. I'm publishing...
by ZeroByte
Thu Feb 01, 2018 10:18 pm
Forum: General
Topic: pppoe server problem
Replies: 1
Views: 71

Re: pppoe server problem

Are you assigning the default GW to your clients?
Do the clients have "use default GW" set to yes on their pppoe-client interface configuration?
by ZeroByte
Thu Feb 01, 2018 10:06 pm
Forum: Forwarding Protocols
Topic: OSPF and Routing Broke
Replies: 3
Views: 149

Re: OSPF and Routing Broke

Did you check the routing tables during the outage to confirm that all IP routes pointed in the proper direction, and on both routers? I'm having a little trouble visualizing your issue because you speak of two routers, but when you say you checked from "the router" it's unclear which one you mean. ...
by ZeroByte
Sat Jan 20, 2018 6:34 am
Forum: General
Topic: New to Mikrotik Routing
Replies: 3
Views: 150

Re: New to Mikrotik Routing

Many smaller, inexpensive SOHO Mikrotik routers cannot do 100Mbps of throughput. Some routers can do this if you use the fast-track feature (e.g. the 2011 series). The key is to watch the CPU utilization during a speed test (through the router from a PC, not the BTest service in Mikrotik itself). If...
by ZeroByte
Sat Jan 20, 2018 5:08 am
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 473

Re: IPv6 router settings

Maybe ask ISP if they could end this changing nonsense and give you permanent prefix? Perhaps they are just new to IPv6 and don't know better. Of course there's also a possibility that they are doing this on purpose, to make you pay more for some "enterprise" connection where prefix does not change...
by ZeroByte
Wed Jan 17, 2018 11:36 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 269

Re: How to disable access from local to some local to Mikrotik AP?

I made the rule: chain=forward src-address-list="ProtectedHosts" dst-address-list="LimitedClients" action=accept which I have dropped before the drop rule and I can not get to the address 192.168.20.110 or even ping if the drop rule ok - go into your router and run this command in a terminal: /ip f...
by ZeroByte
Wed Jan 17, 2018 11:21 pm
Forum: Forwarding Protocols
Topic: Forwarding DDoS
Replies: 3
Views: 289

Re: Forwarding DDoS

Probably what happened was that the DDoS attack used randomized ports and IP addresses, which overloaded the connection state tracking table on the router. If you're not using any kind of stateful features, you can disable state tracking which will reduce the load on the router in such situations in ...
by ZeroByte
Wed Jan 17, 2018 10:52 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 269

Re: How to disable access from local to some local to Mikrotik AP?

Thanks to this, but if I apply this rule, I can not get myself out of range 192.168.20.4-100 to administer clients to addresses 192.168.20.110-114 Dude - you really need to learn what you're doing if you're going to get this picky about stuff and not just expect people to do everything for you. The...
by ZeroByte
Wed Jan 17, 2018 10:42 pm
Forum: General
Topic: Splash page/redirect
Replies: 3
Views: 1137

Re: Splash page/redirect

The way to do this is to configure your hotspot with unlimited simultaneous users in the profile section, and create some basic default user/password for the hotspot. Then you create your splash page with a "continue to Internet" button on it. Design the form on this splash page to simply contain th...
by ZeroByte
Wed Jan 17, 2018 10:18 pm
Forum: General
Topic: Domain coltroler & Active directory
Replies: 1
Views: 108

Re: Domain coltroler & Active directory

The only way to accomplish that would be to run a metarouter image on your Mikrotik using something like DD-WRT, but I wouldn't recommend that. Neither Mikrotik nor the DD-WRT people work on keeping these things compatible with each other and up to date. So that is to say: Nope - Mikrotik's not an o...
by ZeroByte
Wed Jan 17, 2018 9:58 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Use specific internet connection for VPN client connection
Replies: 3
Views: 190

Re: Use specific internet connection for VPN client connection

Step1: create a static host route to whatever IP address the VPN endpoint currently uses - make the GW be the preferred IP address. Place a useful comment on this route such as "VPN" Step2: copy this route into all of your routing tables Step3: You could write a script that runs every minute and doe...
by ZeroByte
Wed Jan 17, 2018 9:53 pm
Forum: Scripting
Topic: I need is to create a script that allows to lower the priority of one of the routers configured with VRRP
Replies: 1
Views: 71

Re: I need is to create a script that allows to lower the priority of one of the routers configured with VRRP

Make a direct connection between the routers and number it with some throwaway subnet, such as 192.168.255.0/30
Make R1 have a backup default GW of 192.168.255.2
Make R2 have a backup default GW of 192.168.255.1

This way it won't matter which device is acting as the VRRP master.
by ZeroByte
Wed Jan 17, 2018 9:49 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: EoIP (+IPSec) interface status
Replies: 4
Views: 205

Re: EoIP (+IPSec) interface status

Try using OSPF across the tunnel. As long as the two interfaces have the same cost, OSPF will use equal-cost multipath routing (EQMP) to load share between the two paths. If one path fails, OSPF will lose adjacency across it regardless of the interface's up/down state.
by ZeroByte
Wed Jan 17, 2018 9:46 pm
Forum: Beginner Basics
Topic: EOIP Tunnel
Replies: 2
Views: 89

Re: EOIP Tunnel

Try making the tunnel operate as a layer3 (routed IP hop) connection instead of a bridge.
by ZeroByte
Wed Jan 17, 2018 9:40 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 269

Re: How to disable access from local to some local to Mikrotik AP?

The easiest thing to do would be to enable the "use IP firewall" option on your bridge so that you can make forwarding filter rules that block the traffic you want. Make an IP address list called "LimitedClients" and list the IP addresses 192.168.20.110-114 Make another IP address list called "Prote...
by ZeroByte
Wed Jan 17, 2018 6:36 pm
Forum: General
Topic: Routing between two Mikrotik routers is not working
Replies: 22
Views: 441

Re: Routing between two interfaces is not working

Firstly, do not masquerade between internal networks in your router. Masquerade/SrcNat is only needed for access to the public Internet, or for cases where you need to reach some network that you do not control, and it has no routing information on how to reach your actual IP addressing. Since you c...
by ZeroByte
Wed Jan 17, 2018 6:13 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Routing traffic over 2 interfaces
Replies: 4
Views: 236

Re: Routing traffic over 2 interfaces

You should use different IP ranges on different interfaces. The problem is that any device outside of the /29 network (i.e. is on the ether1 10.0.0.0/22 network) does not realize that this block of addresses is not local and must be reached via the router. They simply ARP for 10.0.0.103, which does ...
by ZeroByte
Wed Jan 17, 2018 5:54 pm
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 473

Re: IPv6 router settings

In the IPv4 world you have NAT. It directly protects your internal devices from being accessed from the internet. Even when the device doesn't have a firewall. In IPv6 there is no NAT. So theoretically everyone can access everything. Of course to prevent this you setup the firewall but i don't foun...
by ZeroByte
Wed Jan 17, 2018 1:16 am
Forum: Beginner Basics
Topic: IPv6 router settings
Replies: 15
Views: 473

Re: IPv6 router settings

One more point: Make sure that you're not blocking ICMPv6 in your IPv6 firewall filter rules. "ARP" functionality was moved into ICMP for IPv6 (now known as ND - Neighbor Discovery) I have to agree that it's awesome to see an ISP give static assignments like this. The only thing possibly wrong with ...
by ZeroByte
Tue Jan 16, 2018 9:54 pm
Forum: General
Topic: How to disable access from local to some local to Mikrotik AP?
Replies: 13
Views: 269

Re: How to disable access from local to some local to Mikrotik AP?

Make a second SSID (create a VAP interface), and make the insecure devices use the second AP, and put that on a different IP range (don't bridge the VAP - put a new IP address directly on it and configure a new DHCP service on this network). Then use the IP Firewall filter to block in-interface=VAP ...
by ZeroByte
Tue Jan 16, 2018 9:23 pm
Forum: Forwarding Protocols
Topic: MPLS, BGP and OSPF design for wisp
Replies: 10
Views: 456

Re: MPLS, BGP and OSPF design for wisp

The goal of this design is to use OSPF only for EQMP load balancing between the sites, but BGP as the overall routing protocol. EBGP allows routing policy to be modified and advertised at each tower site. iBGP basically considers the entire AS with a more or less single unified routing policy for eg...
by ZeroByte
Tue Jan 16, 2018 8:56 pm
Forum: Beginner Basics
Topic: Demo License / Level 1 for home use
Replies: 6
Views: 243

Re: Demo License / Level 1 for home use

I think the electricity savings would more than pay for a hEX over a powerful PC running 24x7. ;)
by ZeroByte
Tue Jan 16, 2018 8:33 pm
Forum: General
Topic: Multiple subnet routing
Replies: 1
Views: 69

Re: Multiple subnet routing

In layer 3, each node must have a route to every other IP address in the network. I'm assuming that the PFSense cluster is a layer3 firewall and not acting as a transparent L2 firewall. I'm also assuming that the public IP addresses for your company are on the WAN interfaces of the NG0x nodes (where...
by ZeroByte
Tue Jan 16, 2018 6:09 pm
Forum: Forwarding Protocols
Topic: BGP Route Reflectors, how to properly configure??
Replies: 19
Views: 7533

Re: BGP Route Reflectors, how to properly configure??

But, this example seems to be a bad practice and for my opinion it doesn't have sense, because, the idea of getting two RR is to increase the uptime of any iBGP solution, so why are you going to configure a Route-Reflect client to only one RR instead of configuring to both of RRs?? I think this is ...
by ZeroByte
Tue Jan 16, 2018 5:50 pm
Forum: General
Topic: Dual wan PCC load balancing
Replies: 4
Views: 155

Re: Dual wan PCC load balancing

ok - it looks like your NAT rules are to blame. You're using netmap which is a stateless nat action - that means you must use TWO rules to accomplish each mapping. I see why you thought to use this, as it's apparent that you have a 1:1 relationship between a specific public IP address and private IP...
by ZeroByte
Mon Jan 15, 2018 6:17 pm
Forum: Forwarding Protocols
Topic: BGP Route Reflectors, how to properly configure??
Replies: 19
Views: 7533

Re: BGP Route Reflectors, how to properly configure??

Can you please point out the part in the RFC that says you must use the same ID on all members of the same cluster? I was going to draw a diagram of a scenario that would cause blackholing, but I found one on this website http://network-101.blogspot.co.uk/2011/06/bgp-cluster-id-loop-prevention.html...
by ZeroByte
Mon Jan 15, 2018 6:07 pm
Forum: Beginner Basics
Topic: Probably a basic issue not able to network across multiple networks and devices
Replies: 4
Views: 93

Re: Probably a basic issue not able to network across multiple networks and devices

The upstream router needs to have a static route to the downstream router.

Add an IP route w/ the dst=10.0.1.0/24 and gateway=wan.ip.of.rb911
by ZeroByte
Mon Jan 15, 2018 6:05 pm
Forum: RouterBOARD hardware
Topic: hEX PoE Routing between sfp ethernet and eth0
Replies: 1
Views: 94

Re: hEX PoE Routing between sfp ethernet and eth0

Not sure which port you mean by "eth0" as Mikrotik's ethernet interfaces are named "ether1, ether2, ..." but regardless, it is easy to have ports as isolated layer3 ports in Mikrotik. Just make sure that they're not part of any master/slave switch groups (v6.40.5 and earlier) and are not configured ...
by ZeroByte
Mon Jan 15, 2018 5:55 pm
Forum: General
Topic: Dual wan PCC load balancing
Replies: 4
Views: 155

Re: Dual wan PCC load balancing

Without digging into your configuration, I can say that the most likely cause is that your mangle tables aren't creating connection tracking entries for route marks on new connections originating on the various WAN interfaces. That's the most common mistake I've seen in posts with your problem.
by ZeroByte
Thu Jan 11, 2018 10:45 pm
Forum: General
Topic: IGMP Snooping Command
Replies: 11
Views: 2881

Re: IGMP Snooping Command

I read the manual page you linked to. By my reading, it's entirely possible that the multicast helper acts in a manner similar to PIM in dense mode - i.e. it sends a copy to EACH client at its individual mod rate, as opposed to sending a copy only to the subscribed stations. Given that they just now...
by ZeroByte
Thu Jan 11, 2018 4:37 pm
Forum: General
Topic: IGMP Snooping Command
Replies: 11
Views: 2881

Re: IGMP Snooping Command

Sorry, of course I mean multicast traffic. I need IPTV from my ISP to work on a notebook over WiFi. The problem now is: when any device connected to my hAP lite via WiFi start viewing IPTV, all other wifi-clients start receiving multicast traffic simultaneously. IGMP snooping enabled/disabled on br...
by ZeroByte
Thu Jan 11, 2018 12:43 am
Forum: General
Topic: IGMP Snooping Command
Replies: 11
Views: 2881

Re: IGMP Snooping Command

Well, IGMP flooding over WiFi is still here. I have a hAP lite with RouterOS 6.41 and even after enabling IGMP snooping on bridge interface I have IGMP traffic on all connected wireless devices. This may be a silly question, but are any wireless devices subscribed to the multicast group? Furthermor...
by ZeroByte
Thu Jan 11, 2018 12:26 am
Forum: General
Topic: Rule order for established
Replies: 7
Views: 154

Re: Rule order for established

established = state tracking has seen traffic in both directions. I'd define it as: has passed traffic in one direction. In home NAT environments, if your browser sends tcp syn, the 1st returning syn,ack already is related. (otherwise it would be blocked !) Yeah - but I think "established" is what ...
by ZeroByte
Wed Jan 10, 2018 6:42 pm
Forum: General
Topic: Rule order for established
Replies: 7
Views: 154

Re: Rule order for established

established = state tracking has seen traffic in both directions. related = state tracking helper has noticed that the packet is part of a connection negotiated in another established connection No packet will match these states as part of an initial connection, so the packet will go past this rule ...
by ZeroByte
Wed Jan 10, 2018 4:37 pm
Forum: Forwarding Protocols
Topic: BGP Multipath Load Balancing
Replies: 14
Views: 1154

Re: BGP Multipath Load Balancing

It can be changed if made a filter to discard half of ISP1 prefixes? No, here I mean the route prefixes that I receive from ISP1 and not my advertised networks prefixes. This would only affect your outbound traffic path selection. In fact, the better thing to do about prefixes received from upstrea...
by ZeroByte
Wed Jan 10, 2018 12:16 am
Forum: General
Topic: Rule order for established
Replies: 7
Views: 154

Re: Rule order for established

Typically, you do want that first or at least as early as possible for the very reason you're thinking. If you have some filters that you would like to be able to use to cut off existing flows, you can place those in the prerouting chain of the RAW table, which happens before state tracking. The raw...
by ZeroByte
Tue Jan 09, 2018 11:05 pm
Forum: Forwarding Protocols
Topic: BGP Multipath Load Balancing
Replies: 14
Views: 1154

Re: BGP Multipath Load Balancing

It can be changed if made a filter to discard half of ISP1 prefixes? If you do that, and ISP2 goes down, then any IP within those prefixes not being advertised to ISP1 will not have Internet connectivity. Let's say that you have a /20 of IP space, all contiguous as a single /20 block, e.g. 100.64.8...
by ZeroByte
Tue Jan 09, 2018 6:05 pm
Forum: Beginner Basics
Topic: port forwarding blocks internet
Replies: 5
Views: 188

Re: port forwarding blocks internet

Hallo I want to see if somebody using port-forwarding from which IP its coming now I only see the IP of the router if I click under IP>Firewall>NAT the option In.Interface:Ether1 now I'm able to see the external IP but this blocks all my outgoing traffic (no access to internet) It sounds like your n...
by ZeroByte
Tue Jan 09, 2018 5:33 pm
Forum: Forwarding Protocols
Topic: BGP Multipath Load Balancing
Replies: 14
Views: 1154

Re: BGP Multipath Load Balancing

First of all - are we talking about outbound traffic or inbound traffic? Local_Pref (and other such metrics) will tune your OUTBOUND preference, but only on the prefixes you receive. If you're getting only a few dozen or few hundred prefixes, then you're going to get almost zero load-balancing from ...
by ZeroByte
Mon Jan 08, 2018 11:10 pm
Forum: Wireless Networking
Topic: Mikrotik user
Replies: 1
Views: 89

Re: Mikrotik user

Your question is a little bit unclear. Do you mean that users are sharing their wifi password, and multiple people are connecting using that? Or do you mean that people are connecting routers to your network and then sharing it with their own WiFi from those routers? There's not much you can do abou...
by ZeroByte
Mon Jan 08, 2018 5:12 pm
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 288
Views: 64768

Re: RouterOS v7.0 beta1 - when?

I think he's referring to the fact that BGP runs in a single thread - ergo cannot take advantage of multi-core tile platform. It could be that during convergence, his network performance is spotty due to various reasons, but that's just speculation on my part. At the end of the day, though, there ha...
by ZeroByte
Wed Jan 03, 2018 4:42 pm
Forum: Beginner Basics
Topic: Service port filtering for just one interface
Replies: 4
Views: 116

Re: Service port filtering for just one interface

Disable HW forwarding on the interface in question and then you can use the bridge filter rules to block the traffic. Chain = input Ethernet protocol = ip ip protocol = udp ports=67,68 To disable HW forwarding in versions 6.40.5 and below, you set master-port=none / in v6.41 and after, you un-check ...
by ZeroByte
Tue Jan 02, 2018 4:44 pm
Forum: Forwarding Protocols
Topic: RIP routers without next hop
Replies: 20
Views: 480

Re: RIP routers without next hop

Thanks for clearing up my explanation, Airbanduk.

It's threads like this which lead to my writing the haiku in my signature line. :)
by ZeroByte
Tue Jan 02, 2018 4:27 pm
Forum: The User Manager
Topic: Locked iPhone means no notifications - MT Hotspot [SOLVED]
Replies: 7
Views: 325

Re: Locked iPhone means no notifications - MT Hotspot [SOLVED]

Personally, I'm not a fan of hotspots. They cause all sorts of things like this to happen. The biggest issue would probably be the increasing use of SSL everywhere, because transparent redirection of SSL causes warnings to pop up on the customers' screens if the devices aren't silently testing for h...
by ZeroByte
Tue Jan 02, 2018 2:18 am
Forum: Forwarding Protocols
Topic: BGP bug - subtle but problematic issue with communities
Replies: 24
Views: 2171

Re: BGP bug - subtle but problematic issue with communities

I haven't tested this lately, but I would suspect that this is on the "fixed in v7" pile of cans being kicked down the road over in Latvia. ;) On this topic, I think it would be nice if the networks list allowed you to assign a routing filter chain per network, similar to the route-map functionality...
by ZeroByte
Tue Jan 02, 2018 2:10 am
Forum: Beginner Basics
Topic: Help with IPV6 on RB750
Replies: 2
Views: 95

Re: Help with IPV6 on RB750

You'll need to get an IPv6 allocation from your ISP which has at least 4 blocks of addresses in it. The standard subnet in IPv6 is a /64. This means at the very minimum, you should receive at least a /62 but recommended best practice is to avoid subnetting except on nibble boundaries - which means th...
by ZeroByte
Fri Dec 29, 2017 11:50 pm
Forum: The User Manager
Topic: Locked iPhone means no notifications - MT Hotspot [SOLVED]
Replies: 7
Views: 325

Re: Locked iPhone means no notifications - MT Hotspot [SOLVED]

Users are not logged out of hotspot when this problem occurs. Keep-alives also fail.. Problem also occurs if phone is added to bypass list and can browse fine without traditional authentication steps. That's not the impression I got reading your original post: Bypassing hotspot - I ping the phone, ...
by ZeroByte
Fri Dec 29, 2017 6:41 pm
Forum: Forwarding Protocols
Topic: RIP routers without next hop
Replies: 20
Views: 480

Re: RIP routers without next hop

But I am afraid you were not accurate in one point, the router does not accept the packages because he hasn't joined to the multicast address for RIP v2. 224.0.0.9, you can add any route to RIP, and then it will work, I added 0.0.0.0/0, and then he reports his membership via IGMPv3 to that multic...