MikroTik

blougaville

Thank you so much! I will weigh my options with both of your suggestions. I appreciate everyone who chimed in.

blougaville

This will happen when you set ARP mode to proxy-arp in the network interface/bridge. Very interesting...I DO have proxy-arp set on the bridge interface because we use OpenVPN and enabling proxy-arp on the bridge is the only way I know of to allow VPN users to pass traffic to resources on our local ...

blougaville

For example if you have use-ip-firewall=yes set on bridge?

Nope, that is turned off...

blougaville

This is strange. I have a firewall filter rule (FORWARD chain) on a Mikrotik router that drops invalid packets. For some reason, it's dropping packets that are to/from the same interface, my LAN subnet. Lots of packets are hitting the rule and being dropped. Here's an example of what I see when I lo...

blougaville

Thank you so much for your advice! I actually feel quite a bit better about using Mikrotik in this case since I think the 1/10 rule definitely applies here. It's scary when they tell me they have large groups coming in and they HAVE TO HAVE GOOD WIFI but I know what you're saying is correct. In this...

blougaville

Thank you both for your replies! Better look into UBNT, Xirrus, Meraki, Fortinet/Meru, Everest Networks (in ascending budget order). Do you have any specific recommendations for these models? I've never used any of these vendors and when I look at their product lines there are lots of options and so...

blougaville

I LOVE Mikrotik and use their equipment in every possible situation. I've had great luck with cAP and hAP ACs for small offices or in larger CAPsMAN deployments with multiple APs but I've never yet done a "high density" installation. I have a banquet room with a maximum capacity of 300 peo...

blougaville

Let's say the address of the server on your network that you want your user to access is: 192.168.88.2

/ip firewall filter
add chain=forward dst-address=!192.168.88.2 action=drop

The exclamation point means "not" so any address that is not the server will be dropped.

blougaville

Mikrotik, can you please chime in on this? Your documentation says it's possible but does not say how. Also, I can't find any good real world examples of why you would use CAPsMAN in local forwarding mode vs manager forwarding mode. I am using CAPsMAN on a CCR in a school with 30+ CAPs and am curren...

blougaville

I understand that when using local forwarding mode the client-to-client forwarding on a interface is not set with CAPsMAN, but is controlled by the local CAP. The manual suggests that client-to-client forwarding needs to be set on the CAP itself, but I can't figure out how to do this. The wireless i...

blougaville

I have two VLANS: interface: private-bridge (192.168.1.0/24) interface: student-bridge (192.168.100.0/24) I'm trying to give different marks with mangle to all packets from each VLAN passing through the router so I want to use custom chains. add action=jump chain=forward in-interface=private-bridge ...

blougaville

Thanks for the replies. Here are the steps I did to get the Mikrotik and Edgeswitch to pass VLANs correctly: On the Ubiquiti EdgeSwitch 1) Create VLANs that you wish to pass from your Mikrotik 2) On Port Configuration page, include VLANs TAGGED on your trunk port(s) 3) On Port Configuration page, in...

blougaville

I'm trying to create a simple trunk to pass VLANs between my new CCR1009-8G-1S-1S+ and a 48-port Ubiquiti EdgeSwitch and I'm having a really hard time. I've read that you can do the VLAN tagging with the switch ports on the CCR but that is just confusing me further and I can't even get it working th...

blougaville

Thank you very much, AlexN. I didn't even think about modifying those rules!

Still, I second the idea that the multiple address list features would be helpful.

blougaville

I have various filter rules to detect port scanners and block them coming into my Mikrotik from the internet. For example: add action=add-src-to-address-list address-list="port scanners" \ address-list-timeout=2w chain=input comment="Add NMAP NULL scan to Port Scanners address list&qu...

blougaville

I was able to get this working by following up on cieplik206's advice. I enabled Use IP Firewall on the bridge interface. Then, I created a firewall filter for dst. address: 192.168.1.0/24, and on advanced tab, bridge in interface: publicVAP, action: reject. Now clients get an IP from my DHCP server...

blougaville

Here is a simplified diagram showing my desired setup: wds-vlan-diagram.jpg The VLANs seem to be passing traffic over the wds link okay (from RouterB, I can ping all the different interfaces on RouterA). The problem is, when a client connects to either of the VirtualAPs on RouterB, it does not find ...

blougaville

Any update on this? I've been dealing with the same issue. Other threads have caused me to suspect a problem with WPA security, but so far all of my tinkering has not resolved the problem.

blougaville

The VLAN option is good to know for the future, but in my case, it would be much easier if I could restrict each MikroTik device using firewall or bridge filter rules on each device. Can anyone post more specific instructions on how this would work?

blougaville

Thanks for the response!

I did try both of those things already and couldn't figure out the settings to make it work. Could you please give me a little more information on what types of rules to create?

Thank you very much!

blougaville

I have a MikroTik AP connected to my main internet router. The internet router is a DHCP server for my LAN. I have two VAPs ("public" and "private"). I'd like to be able to get an IP address from the DHCP on my main internet router from both VAPs, but I'd like to make it so my &q...

blougaville

I know this has been posted in a variety of ways, but it seems like I keep finding contradictions. Here is my understanding of user manager and hotspot session limits: My network: RB493AH with LEVEL 6 License and User Manager Installed (Unlimited active UM sessions is possible) RB411AH with LEVEL 4 ...

blougaville

Thank you, I will take your advice!

Steven

blougaville

Let's say I have a routerboard with two different internet connections coming into two separate interfaces and a LAN interface with two VLANS: ether1 - 99.99.99.99 (WAN link) ether2 - 88.88.88.88 (WAN link) ether3 - 192.168.20.1 (VLAN2, for office network) and 192.168.30.1 (VLAN3, for hotspot networ...

blougaville

I am trying to set up a point to point link with two SR9 900mhz cards. I have two routerboards with the SR9s sitting next to each other on a work bench with no antennas connected. I set up one card to "bridge" wireless mode and the other to "station" wireless mode. On the station...

blougaville

Thanks for your help, fewi. I'm not sure what was causing my problem, but I reset routeros to default configuration and set things up again and was able to route between interfaces no problem. Thanks for reassuring me that interfaces should be routable out of the box!

blougaville

I had some problems to realize transparent bridge without wds. In particular, with a configuration posted I have only direction traffic: the router station and it's lan can ping router bridge and it's lan while isn't the same in the other direction. I am bumping this thread because I am also having...

blougaville

Hi, I am a complete newbie and am having trouble routing between two interfaces (ether1 and wlan1) Here is how I have it configured: IP - Address 192.168.1.1/24 ether1 10.1.10.1/24 wlan1 I have DHCP configured and working on the wlan1 interface, it gives out addresses from a pool to wlan1 clients. I...

blougaville

The card I'm trying to install is an Alfa Networks AWPCI085G. Like I said, the card was mysteriously detected one time and appeared to be working.
I did try another card, a card that is operational in another 411AH board, and that didn't detect on this 411AH either.

Steven

blougaville

I'm attempting to install a wireless card in a routerboard 411ah (it is a compatible Atheros chipset), but I am having trouble with it being detected. The first several times I booted the board, nothing was listed under the PCI tab of Resources in RouterOS. Then one time it magically showed up on th...

blougaville

At this point, I think you are right about it being faulty. It's not under warranty, so I will try to find a replacement. I'm just amazed that it went out after working on a roof for over a year just from carefully replacing the wireless card and booting it up in my office. My fear is now that this ...

blougaville

I just tried the Winbox utility. I tried to the IP address and the mac address of the RB's NIC. No luck. I have set a computer's NIC to use 192.168.88.99/24 so it will be on the same network as the RB411AH. I tried running through my switch with no other devices connected (the switch does not show a...

blougaville

Thanks for the reply! The IP address is now set to the default of 192.168.88.1/24 after resetting to default configuration. I can not ping either direction, that is, from the RB411AH to a network device on the same IP network via serial console, or from a computer on the same IP network to the RB411...

blougaville

I took a functioning RB411AH off of a roof and changed the mini-PCI wireless card. When I powered up the device (using POE, as I always have), the board fully powered up with POE, but I noticed that the network switch it was plugged into was not getting a light. I can log into the console via serial...

Search found 34 matches

Re: Traffic to/from the same interface is hitting firewall filter forward chain? [SOLVED]

Re: Traffic to/from the same interface is hitting firewall filter forward chain? [SOLVED]

Re: Traffic to/from the same interface is hitting firewall filter forward chain? [SOLVED]

Traffic to/from the same interface is hitting firewall filter forward chain? [SOLVED]

Re: Need Advice to Cover 300 WiFi Users in Banquet Hall

Re: Need Advice to Cover 300 WiFi Users in Banquet Hall

Need Advice to Cover 300 WiFi Users in Banquet Hall

Re: how to limit VPN user access to one server? [SOLVED]

Re: client-to-client forwarding in CAPsMAN local forwarding mode

client-to-client forwarding in CAPsMAN local forwarding mode

Jumping VLAN to custom mangle chain

Re: VLAN Trunk Between Mikrotik CCR and Ubiquiti EdgeSwitch

VLAN Trunk Between Mikrotik CCR and Ubiquiti EdgeSwitch

SOLVED How to allow several IPs to bypass a filter rule

How to allow several IPs to bypass a filter rule

SOLVED Restrict one VAP to internet access only

VLANS and DHCP over WDS AP-AP link

Re: Unicast key exchange timeout over WDS (AP-AP) link

Re: Restrict one VAP to internet access only

Re: Restrict one VAP to internet access only

SOLVED Restrict one VAP to internet access only

Annoying User Manager License Clarification

Re: Should I route or load balance in this scenario?

Should I route or load balance in this scenario?

Are my 900mhz SR9s broken?

Re: Incredibly Basic Routing Question

Re: Transparent bridge without wds

Incredibly Basic Routing Question

Re: Installing Wireless Card on 411AH

Installing Wireless Card on 411AH

Re: Help diagnosing ethernet problem on RB411AH

Re: Help diagnosing ethernet problem on RB411AH

Re: Help diagnosing ethernet problem on RB411AH

Help diagnosing ethernet problem on RB411AH