MikroTik

dalami

I was really hoping to see some more responses from other AX3 owners. As it is...I'm probably going to box these up soon. Now the question is what do I replace them with. Roll the dice to see if replacement AX3's work? Or look elsewhere? I *want* to use MT devices...but I've seen too many posts from...

dalami

It was worth trying - though I did before. It's not a CAPs issue. I manually applied the settings, disabled everything CAPs, exported the config to compare against what you provided...and the resulting 5g worked, or didn't, just the same.

dalami

Is there something I need to do for this to overwrite my existing setup? Wipe to default? Doing the import it stops with "failure: already have interface with such name".

dalami

The modem is in my back room - about 50' away from AX3. Again - this has only been present a few days and the AX3 performance has been unaltered. PLEASE disregard its existence - other than the fact that this "free" modem is able to push a 5G signal throughout my home while my AX3 can't se...

dalami

Sorry. There's the "Scan" button in winbox, and "Freq. Usage" button. You wanna look for "NF" column in "Freq. Usage" and take note of what it's saying. Here's mine: Ok. Here's frequency usage: frequse.png And here's a scan. scan.png Note the "strong&quo...

dalami

I do have hap ax3. Thank you - I'm glad to have an on-topic response. In addition since in 7.X release have band steering/roaming, you better disable the 2.4G Wifi interface completely to avoid that the AP pushes your clients onto 2.4Ghz (I found the settings for steering are all over the place and...

dalami

Of course. And when I go outside my home - I don't see my hAP 5G. So my beloved MT device is certainly "weaker" than other offerings.

dalami

There's also another possible explanation, which is high noise floor. Please try and measure it with frequency scan tool . Not sure what I'm looking for. Are there lots of other networks visible from my neighbors? Yes. Which makes it all the more annoying - I can see my next door neighbors' 5G netw...

dalami

Have the same router model. Same problem with 5Ghz wifi. <...> And no option to manually chose channels from list and force routed pick what I want, not what it decides is good. Please start a new thread if you need help with basic Mikrotik wifi config - I want to keep this one focused on a specifi...

dalami

Just installed 7.15B9. It seems like it's actually, if only slightly, improved the TX. Where before I never saw better than -60db in my chair I'm now seeing it reach -55db. Something I didn't state previously - while watching in a wifi analyzer the 5G network will periodically disappear. Don't know ...

dalami

Winbox status shows TX 28.
Sitting in my usual chair, about 50 feet away, through a wall or two, the 2G network shows a fairly constant -46db, 5G shows a fluctuating -60 to -70db.
Moving out of the far room, down the hall, to within 10' open line-of-sight, I see -30db@2G, -45db@5G.

dalami

Sure. This is not a CAPSMan issue, not a firewall issue, not a queue issue. Again - for me 2G works fine while 5G has no range. The Android devices that can't connect 20 feet away do connect 6 feet away.

dalami

I'm starting a new thread because the previous one is marked "Solved" - and it degenerated slightly. Please let's focus on the particular issue here - at least some hAP AX3 units appear to have extremely limited range. I'm operating on the assumption that MT designed, tested, and produced ...

dalami

Since it was asked for:

Model C53UiG+5HPaxD2HPaxD
Serial HER09CFZ59Y / HER09DGXRFS
Factory Firmware 7.8
Upgraded Firmware 7.14.2

Both of these units have unusable 5G.

dalami

Slight revision. My current link is 2G down/100M up via cable/DOCSIS. I can run a queue tree on the upload without problems. It's only when I try to run on the download/bridge interface that my 2G gets throttled down to 1.2G. Since the real limiting factor, for my use case, will be upload sharing I ...

dalami

CPU doesn't get above 50% - maybe not even 40% - but the speed is cut in half regardless.

dalami

Interesting. In the process of sanitizing my export I found some garbage filter rules. Removing those was probably a good thing. Now that I've done that, and re-activated the src-nat & routing... It almost works. Or at least - now traffic from the office server fails to reach the cloud server wh...

dalami

Playing with my shiny new RB5009 - it will indeed pass the full 2G (actually, 2.2G) I'm getting from the cable provider. That with fasttrack enabled. However, the instant I enable a queue of any kind the speedtest drops to 1.2G maximum. While I probably don't need any QoS - I was hoping to optimize,...

dalami

I'm not sure how to properly express this. I had a problem that I tried to solve with various combinations of src-nat and routing policy, failed, and then fixed it by doing it properly - which means configuring the clients directly instead of trying to use network magic. But I *want* to learn networ...

dalami

Having just switched ISP's I now have a (theoretical) 2 gig connection. My existing Hex S, with it's 1G ethernet ports, obviously can't handle this. Would the RB5009UG+S+in be an appropriate upgrade here? I do have firewall rules that need to be used - this will be a router/firewall, not just a swit...

dalami

I'm a US integrator and I have accounts with multiple US distributors. I've been buying Mikrotik from them. In the past, the pricing was comparable with Amazon - except for shipping. Now, it seems whoever is selling through Amazon is actually cheaper than the "approved" US distributors - p...

dalami

/interface/wifi> monitor 0
state: running
channel: 5200/ax/eCee
registered-peers: 0
authorized-peers: 0
tx-power: 25
available-channels: 5200/ax/eCee

dalami

I have a "Carsifi" - a wireless android auto adapter. It's about 1" wide, 2" long, and a 1/4" high. It's in my truck, parked outside on my driveway. Inside my house, through multiple walls, I see a 5G wifi signal from that device. While my AX3 half the distance half the wall...

dalami

Should we start a new thread on this since this one is marked solved?

dalami

I still have no idea if I'm on to anything or not. I tried playing with the orientation - sometimes it seemed to help and sometimes not. Which has been my whole experience with the two AX3's I've tried - their 5G range seems abysmal no matter what. Just for fun, I pulled off the pair of 3" ante...

dalami

I just tried something - and please tell me it's not this.

Separate from forcing the channel selection (5785) - I turned one antenna horizontal leaving the other vertical. I'm not saying it's great - but somehow this made a *huge* difference is range and operation for this AX3.

dalami

I've been fighting the same range issue. Being in the same (central) room - 5G works great. Go down the hallway...signal dies. My old hAP ac, which I thought this was replacing, filled the whole house without issue. Is there anything that can address this via software? The 2G signal seems great. Cur...

dalami

Thanks!

dalami

This should be an obvious one - but just because I've found ways to make it work doesn't mean I'm doing it right. Given an existing wired network and I want to add a wireless AP - what is the "correct" way to setup that new AP? Assuming some flavor of a hAP, where the new device includes m...

dalami

That helps! Thank you.

dalami

Is there a list of devices that require/support the "wifi-qcom-ac" package? Should the "wireless" package be uninstalled first?

dalami

Thank you. The combination of "hidden" and previous experience with Mikrotik devices made it so I was not expecting such.

dalami

Just bought a new unit. Connecting via Winbox, I should say attempting to connect, results in "wrong username or password". I'm using the typical default, "admin", and blank password. I'm trying both MAC and IP connect. I've (I think) reset the router several times (unplugged pow...

dalami

I don't understand. Are you saying I need to run srcnet on the lan interface of the mAP? The IoT device just receives DHCP from the mAP and there's nothing else I can configure on it.

dalami

I'm asking this question more as a general theory question - since I think I've fought with this before and I don't know if I'm missing something in practice or if my basic theory is wrong. IoT device connected to a mAP. IoT uses mAP as gateway. mAP connected to internet through 3rd-party router. mA...

dalami

Port knocking on TCP ports is as easy as using /tool fetch url="http://ip.to.be.knocked:port-to-be-knocked/some-bogus-file-name" , and port knocking on UDP ports is as easy as using resolve some.bogus.string.with.dots server=ip.to.be.knocked port=port-to-be-knocked . But there are limitat...

dalami

Having a minimal port knock client available for scripting would be quite helpful.

dalami

Obviously I'm a nefarious character up to no good. I'm a vendor contracted to provide a service which requires internet access. The customer has either a 3rd party or separate corporate department (unclear to me at this time) that administers the firewall. The service I provide is both requested by ...

dalami

Thank you but none of this answers my question. Is there a way to perform a "knock" from within RouterOS?

dalami

I install the mAP on the customer site to give me a gateway to access equipment behind it. So for sites that don't have a blocking firewall configuring wireguard is a piece of cake. But for this one I need a way to tunnel through that third party firewall hence my desire to initiate port knocking fr...

dalami

I'm trying to get around a 3rd-party firewall that blocks non HTTP traffic. I have a mAP installed on the customer's network and I typically have such devices connect to my server via Wireguard - but the traffic is blocked by their firewall. And I'm having difficulties working with the corporate fir...

dalami

Typically, our standard default install will have a masquerade rule on the outbound interface of a router. Sometimes, when using static IP's, we can use an explicit src-nat instead of a masquerade. I *think* this isn't terribly controversial. Now, if I add a tunnel, say Wireguard for argument's sake...

dalami

See "endpoint-independent-nat" and "randomize-port".

dalami

I would say this is embarrassing - except I'm used to displaying my stupidity. Especially on this forum. The particular form my stupidity has taken now was revealed (at least partially) by your logging instructions. Since I saw absolutely no traffic for my actual use (VNC, which means TCP to port 59...

dalami

Maybe I found something...or not. The target IP I'm trying to reach has some kind of firewall protections itself (it's a 3rd-party service out of my control) and only lets specific IP's in. Which is why I need to route my traffic through my current hEX IP. It also doesn't respond to ping - but when ...

dalami

First srcnat rule covers traffic to internet. Second is useless, because it would take subset of traffic already handled by first. Third affects everything else passing through router, so connections between local and VPN subnets, forwarded ports if you have any, etc. It shouldn't be needed. If you...

dalami

New firewall. First - all my src-nat has condensed to: add action=src-nat chain=srcnat comment="Should be last srcnat rule. non-IPSec to Internet NAT to public IP" ipsec-policy=\ out,none out-interface=ether1-Internet to-addresses=<my.external.ip> add action=src-nat chain=srcnat comment=&q...

dalami

You need to sort out the IP address usage so it more coherent for your wireguard as I think this is your major issue. Proposing since you have this in the correct format to keep the hex at The MT client device has a wireguard address of 10.23.1.1/24 OKAY now give the ubunut address= 10.23. 1 . 2 ( ...

dalami

From your collection of srcnat rules, all you should need is just one, and its #7. It covers access from anywhere to internet, so including from remote 10.23.2.x peer. So it should work. Perhaps something you deleted wasn't as irrelevant as you thought? First of all - thank you for your response. I...

dalami

Not only is this not working - I don't understand *why* it is not working. There's obviously something basic here I don't get. Please use whatever size hammer is required to drive the point into my thick head. I have an office network with a hEX that behaves quite nicely. This has a static IP connec...

dalami

Can you consider adding the comment for peer entries to log lines? It's a lot easier for this human to find "Customer #4" than it is "asd8f76908asd7gfhlk23b...". Using the existing logging definition structure, possibly by adding a topic of "wireguard+comment" or "...

dalami

I recall at least one comment that current/recent versions won't initiate Wireguard connections without disabling/enabling the peer. Does anyone have a script they use that might run every x minutes to verify the VPN connection and if not present toggle the peer?

dalami

I have a pair of hAP lites that I upgraded to 7.2rc4 a few months ago - I don't remember using Netinstall but maybe I just suppressed the memory. I just purchased another one, running 6.47.9, and it appears there isn't enough free disk space to upload the package via Winbox. The /files area is empty...

dalami

I saw that - but there's been limited comments for recent versions and many of them negative. I was hoping for something better.

dalami

Can anyone comment on using a USB connected UPS with current routers? Preferably non-APC offerings - particularly Eaton or CyberPower?

dalami

The documentation for the UPS package is a little sparse but only mentions the APC product line as being supported. I've read elsewhere about other brands being used successfully. Is this package based on the "Network UPS Tools" project and should therefore support any UPS of the adopted v...

dalami

Unlike other VPN types, Wireguard is by default silent. If there's no traffic trying to use its interface, it does not try to contact peers (unless you set keepalive for them).

That was it! Thank you!

dalami

I don't understand. My problem is the wireguard interface never even attempts to begin handshaking. This isn't a routing/address/firewall/bridge problem - at least to my ignorant eyes. The wireguard service simply appears to never actually start. This is not my first wireguard setup, nor my first Mi...

dalami

Internet access for ML is fine. It has working DNS, resolves hostnames, and can ping without issue. I have toggled peers and wireguard interface repeatedly - no change.

dalami

If I was having problems fowarding/communicating between interfaces then I'd agree. But my problem is the wireguard interface never initiates communication to the peer. I've never seen that before.

dalami

Correct. That will be the final config. But first I need wireguard working regardless - it shouldn't matter whether the internet connection is wired or wireless.

dalami

How are you planning to use this device with wireguard ? To connect what to where ? The ML will act as a wireless adapter/bridge for a IoT appliance that has an ethernet port. There's existing wifi in the building. Things I'm already missing: - no bridge ? - your wireguard interface does have a pri...

dalami

Here follows the output of "/export": # jul/11/2022 12:12:36 by RouterOS 7.4rc2 # software id = AP1J-KID8 # # model = RBmAPL-2nD # serial number = FACA0F65D6AA /interface wireless set [ find default-name=wlan1 ] ssid=MikroTik /interface wireguard add listen-port=13231 mtu=1420 name=wiregua...

dalami

Just bought a mAP lite to connect a remote site. Naturally, first thing I did after unpacking it was to upgrade to 7.4rc2. Technically, I upgraded to latest version of 6 (whatever that was), then to 7.3.1, then to 7.4. Actually, the first problem was having plugged the mAP lite into my primary route...

dalami

Hi Tony,

Thank you for making this resource available. I'm in Las Vegas, Nevada. My office receives service from a WISP called lv.net. I'm contracted for 25M/5M - and it looks like that's what I'm getting.

dalami

Your target has no data, and simple queuing does not take effect. /queue simple add limit-at=940M/143M max-limit=950M/146M name=CAKE queue=cake-down/cake-up \ target=pppoe-out1 My "target" is should have been set (ether1) - don't know why it didn't show up in the command line (it was set ...

dalami

Disclaimer - I'm barely a dabbler when it comes to this stuff and I'm still not comfortable with some of the jargon and abbreviations. But I'm trying. I have a RB760iGS (hEX S) (256MB RAM) that is my office's gateway/firewall/router. Our internet is provided via a WISP - they're using Ubiquiti equip...

dalami

Yes and yes. So starting over - I have Wireguard setup now with two servers/routers and multiple remotes. I would like to be able to, from my remote, access any other remote and transparently use whichever server provides the optimum connection. Is this possible - preferably using a single network? ...

dalami

So - from a routing standpoint, having two routers in the same network doesn't work? Or is that what policy-based routing is for? I understand, I think, *how* to implement multiple networks as you described. So each remote is going to have two IP's? I just would prefer the elegance of a single endpo...

dalami

As the subject indicates - options such as Tailscale or Zerotier aren't what I'm asking about. This is actually more of a basic networking/routing question. I presently have a physical office server with a static IP. Impressive I know. Additionally I have a subscribed cloud server. I'm playing with ...

dalami

I'm attempting to create a Mikrotik IPSec (IKEv2) link between my office LAN and a customer's LAN. Because I setup my LAN during my earliest network apprentice days - we're on 192.168.0.0/24. And my customer...has an experienced network admin who has chosen for their LAN: 192.168.0.0/24. I can't cha...

dalami

I have (had) a IKEv2 connection from a remote site to my router. The remote is also a Mikrotik device. At some point I reset my router to default - while not having properly made a backup first. Brilliant of me wasn't it? So the remote site continues to try to connect to me. And I get the "unab...

dalami

I still want to learn how to solve my original setup - but as I did gain access I decided to go the easy way and use a different IP range for the VoIP server to router connection. Things seems to be working now - thanks for the help.

dalami

Reading and reading - some articles and posts make more sense than others. It feels like the preferred method, where applicable, is to use connection marks for "serious" decision making and then simple connection mark matching afterwards. Sounds reasonable. But... Previously I've just used...

dalami

Getting closer...and what's nice is I *almost* exactly sort of kind of not really but maybe in a small way understand not only the how but the why. Enabling proxy-arp on the bridge allows my LAN clients to reach 192.168.0.10. Enabling proxy-arp on the interface allows the VoIP server to reach 192.16...

dalami

Actually - I should correct one assumption I made above. I have OSPF running as well - and the LAN server I tested from also has OSPF. So the 192.168.0.10 route got pushed to that server - which allowed it to ping. My other workstations that only have 192.168.0.1 as their gateway are unable to ping ...

dalami

I'm close. I don't know how - but I'm close. I found a page for routing with the same subnet - I tried to adapt from that. Here's the relevant lines - I think (with ether2 now removed from bridge). /ip address add address=192.168.0.1/24 comment="Primary LAN" interface=bridge network=192.16...

dalami

Thinking...experimenting... To answer your question - the VoIP server is manually configured to be 192.168.0.250, gateway 192.168.0.1. I've tried deactivating the port from the bridge - playing with various rules things don't quite work. Then I realized...having removed the port from the bridge - wh...

dalami

Thank you for being gentle. So, for solution "E" - two networks - do I have to do anything besides just removing the port from the bridge? My LAN is on subnet 192.168.0.0/24. The router is 192.168.0.1, and the misbehaving VoIP is setup on 192.168.0.250. All I needed to do for internet acce...

dalami

Have to think my way through this - not easy while sitting down. Too much pressure on the brain. If it matters I'm using a Hex S / RB760iGS as my gateway router. Port 1 is from my ISP. Port 2 goes to my VoIP server. And SFP1 goes to other networking devices starting with a CRS. Port 1 is presently b...

dalami

Ok. I finally did it. At least at the moment - hopefully things are still working next week... This is the definitive way of accomplishing hybrid MAC-based VLAN . I'm declaring that officially - so any mistakes (impossible!) need to be critiqued and corrected. If anything here is wrong, inefficient,...

dalami

Please add the other peer fields, such as "current-endpoint-address", "current-endpoint-port", "rx", "tx", and most importantly "last-handshake" to Winbox. I can only see those via a terminal and "print detail" - which it makes it difficult...

dalami

I love GRE for Mikrotik to Mikrotik IPSec tunnels. [...] Mikrotik's GRE+IPSec implementation uses the default IPSec policy and profile. Because of this, if you have different versions of RouterOS, sometimes you have to tweak the default IPSec settings so they match. Other than reduced configuration...

dalami

Your steps are OK but instead of doing a NAT you can just add a route. You add a route for the destination network via the tunnel, and traffic will just pass through that without being translated. Of course this assumes that the devices on each of the tunnel have their specific router as their defa...

dalami

Maybe I should rephrase - I understand the IPSec communication itself is encrypted and I'm not really asking about the handshake negotiation. I'm asking about routing & policy decisions. Something that might reveal more than just a ping or traceroute showing "no response" - I don't kno...

dalami

After beating my head against a software wall (which is much more painful than a stone wall) - I finally got the remote access I needed functioning. However - I refuse to believe that the unholy union of software and setup I brought into being conforms to the will of Cerf & Kahn. So I beseech th...

dalami

I have my primary router configured as an IPSec listener for several IKEv2 remotes. Most of these work the way I want. One of them...I can establish a connection and the routers talk to each other but I cannot reach the LAN of the remote router. Obviously I've got something wrong but I can't see wha...

dalami

I appreciate the advice - and yes the signal strength is fine. Do you have any comments for my original questions?

dalami

I learned something new again. Thanks! Yes - I'm sure the backup files were in the root level - though they were there previously during other reboots.

dalami

I just had my hAP AC2 powered down for a period (about 12 hours) - and on turning it back on I found it...wiped. Totally reset to default including wiping the file storage...where I had stored a couple backup configs. And being brilliant as usual I hadn't downloaded them for safekeeping. Given that ...

dalami

As usual, I'm confused by the many options available. I have a need for a simple LTE modem that will provide at least one ethernet connection. Wifi is a plus but not essential. I recently ordered a NetGear 1120LB for this application - haven't received or tried it yet but I thought I'd ask if my pre...

dalami

Has anyone been able to restore normal/stable wifi operation on this beta? I loaded it on my home router for Wireguard - wifi is now useless. Fortunately I have a secondary wifi AP available. At least for the past few minutes - after performing a "/interface wireless reset-configuration" ...

dalami

Has anyone been able to restore normal/stable wifi operation on this beta? I loaded it on my home router for Wireguard - wifi is now useless. Fortunately I have a secondary wifi AP available.

dalami

I remember seeing...somewhere...a list or table of the various tests, e.g. interface, dst-address, connection-type, etc. that ranked them according to the level of processing required. I don't remember if it was Mikrotik specific or if it was a generic iptables guide. Haven't been able to find it re...

dalami

The answer is - don't use the "notrack" chain option of the identity. Instead, leave that blank/unspecified and manually create srcnat rule(s) that handle the traffic as appropriate. The "old" way of setting up IPSec was to manually create an "accept" rule in the srcnat...

dalami

So...does use of Mangle completely negate Fasttrack? Or only for applicable connections/packets?

Does this mean that if QoS with queue trees is desired, fasttrack is (perhaps by definition) no longer usable?

dalami

New request - add a new action to Firewall (probably under Filter)..."Run Script". Possible horrible security hole? Of course - like anything else. My first intended use case - via a port knock sequence, update the stored IP for an IPSec peer. An alternative solution for this use case - al...

dalami

It seems like when Mangle based rules are proposed for further matching by NAT or Filter the responses are typically negative - avoid Mangle and implement the pattern matching directly in NAT and/or Filter. The comment is usually something like "now every packet has to be considered". I do...

dalami

I need to have an IPSec client, connecting to my Mikrotik IPSec server/router, reach an external IP address (not in my network). I added the remote address to the split include and it appears in the client's routing table. I am presently unable to reach the remote site via this method. I'm trying to...

dalami

Not sure about that for my case. With 192.168.0.0/24 served by the router, and 10.59.97.0/24 provided by my server at 192.168.0.2 running OpenVPN - if a local device connects to Wi-Fi and gets a 192.168.0.x/24 address, then connects to VPN and gets a 10.59.97.x/24 address - what happens when it trie...

dalami

Two reasons: 1. That will require additional config on the phones, and the VoIP server, and I don't know that I have control over that (actually, I do, I just would rather not fight it with my current provider). 2. Then only way to learn is to do - and I bought this Mikrotik equipment specifically t...

dalami

I'm almost, almost, almost there (theoretically - not functionally) - but I'm still lost on the actual config. So I will ask this: Given CRS112-8P-4S: ether1 - VoIP phone, MAC 00:a8:59:f6:b2:de, IP 192.168.11.141 - also a PC with 192.168.0.x ether4 - VoIP and VoIP DHCP server 192.168.11.1 MAC 00:E0:...

dalami

If you need more than one switching device and you don't want to spend one interconnection cable and a pair of ports per port-based VLAN, you have to use the "tag based VLAN" approach, but you can still attach the tagged ends of /interface vlan only to the interconnect interfaces and make...

dalami

The idea to make it clean by applying srcnat only to dstnatted connections is good, but the result is not that great: - Since each connection can have only one mark, it can easily conflict with some other use. But if you don't need it for anything else, then it's not a problem. - Mangle rules will ...

dalami

I just made some adjustments to my setup - that not only work but they feel right. Please tell me if this works for you or if there's a flaw somewhere... One of the issues with "hairpin NAT" is losing the external IP's. For my purposes that's a problem. I'm far less concerned about logging...

dalami

For a small network (less than 20 devices) - I have identified a single set of clients that I want to be segregated from the rest of the network. Can I make a single VLAN for those ports/MACs - without configuring VLAN for the remainder of the network? Or once I start down the VLAN path...do I need ...

dalami

I want to configure the mikrotik router to send traffic to a SSH server that is listening on port 2222 and I tried the /system ssh commands but they are for connection in client terminal mode. I have set forwarding-enabled both=yes to allow forwarding in both directions but I can't find out how to ...

dalami

The drawing explains the problem of connecting the mikrotik router via ssh to an access point that has an ssh server listening at the address 192.168.43.1:2222. For which I suppose that it would be necessary to activate an SSH client in the Mikrotik router to link it to the address 192.168.43.1:222...

dalami

I have several IPSec clients with copied configs connecting to my router. The Mikrotik devices connect as expected. The Windows 10 client - while it connects, the generates different policies from the policy template. Each of the Mikrotik clients generates a rule for each split network. But the Wind...

dalami

Which is "better"? /ip firewall filter add action=accept chain=forward comment="accept in ipsec policy - must be before fasttrack" ipsec-policy=in,ipsec add action=accept chain=forward comment="accept out ipsec policy - must be before fasttrack" ipsec-policy=out,ipsec o...

dalami

What is your Winbox Version? No crash with v3.24 on on cAP ac v6.47.1

Really?! It's that simple?!

So embarrassed. I thought Winbox self-updated on connection to newer RouterOS versions - never thought I had to manually download from Webfig.

It's always the simple stuff...

dalami

I have a router with several policies and templates defined. I'm trying to edit them - but while *most* of the entries work without issue as soon as I try to edit one of the affected lines Winbox instantly closes. I can edit these lines via ssh or webfig - but the fact that Winbox crashes tells me s...

dalami

Yes - multiple network connections. My primary router has both IPSEC and SSTP remote networks connected to it. The local connections are in a bridge for the LAN. I also have a remote site, connected to my main router via SSTP, which has devices connected in a bridge. I want to expose the remote addr...

dalami

With multiple interfaces in a bridge - should proxy-arp be enabled for each interface, or the bridge, or both?

dalami

Would the following Filter rules compromise "proper" ICMP? If so, how should I configure to block "ping attacks" while allowing all good traffic? add action=accept chain=input comment="Allow limited pings" limit=50/5s,2:packet protocol=icmp add action=drop chain=input c...

dalami

Having just fixed most of my self-inflicted wounds...I think I've almost figured out how much I don't know. So... I've now established both an IKEv2 and a SSTP connection between a remote MT router and my office MT router. They work...so far. But having two VPN's my hope is to able to poke at one wi...

dalami

That...doesn't make sense. It may be right - but it still doesn't make sense. 1) Isn't redirect by definition for a local destination only? 2) If I open port 22 in the filters - then port 22 is open to the internet which is exactly what I don't want to happen. Hmm...would the better choice be to hav...

dalami

I *think* I understand the difference between dst-nat vs redirect: dst-nat forwards incoming requests to an external location while redirect is a special case for the localhost. Assuming that's the case, I again believe that if I want to expose a local service from the router on an alternate port th...

dalami

So I return to my question - how do I configure the CRS1xx to use MAC based VLAN? WinBox shows options, the manual gives minimal descriptions, so I believe there is support for it - but I don't know where to start. Terms like PVID, SVID, CVID, have me quite confused. Ingress/egress are concepts I un...

dalami

The phone in question is a Polycom IP550 which has VLAN support. If necessary, I can manually set the VLAN id in the phone if that leads to a Mikrotik solution.

dalami

I'm able to connect via Android (happens to be a Note 8 running Android 10) via the built-in VPN function with "IPSec IKEv2 RSA". However...while I'm able to ping my router from the phone I can't do anything else - can't access LAN, can't even see WebFig. I do notice the IP assigned to the...

dalami

First, thanks for the responses. Second, let me be clear that I'm not just a novice at VLAN - I've never configured one before. So some foundation concepts are still trying to sink into my tiny brain. The physical connection - these phones basically have built-in two port switches. One port (PoE) co...

dalami

Sorry - I just don't see it. Everything there is port based - nothing filters on MAC. So if a phone is connected to port ether2 on a switch, and a PC is connected to the phone, with the examples given both the phone and the PC will be in a VLAN - which is not the desired behavior.

dalami

Exactly the page I'm talking about - it mentions such a configuration but doesn't actually show it. Everything there is port-based which doesn't help.

dalami

I've found mention of typical VoIP installations where the VoIP phone connects to the switch and a workstation connects to the phone. But I haven't found an actual configuration example for how to place the phones into a VLAN. I'm assuming this would be MAC-based VLAN - and I'm finding no documentat...

dalami

You mentioned a couple of connections - I read "ethernet cable to Nvidia" and later "ethernet cable to TP-Link". You didn't specify if the same cable was being used. If the same cable - forget I asked. If different cables...might be just that simple.

dalami

I'm focusing on your forward chain as that's what would be involved with the RDP stuff. And know that I consider myself a very dangerous amateur when it comes to this subject - I do not consider myself an authority in networks in general or Mikrotik in particular. An excerpt from my own firewall: ad...

dalami

Once again I have a wonderful opportunity to display my ignorance. My primary internet router/gateway/firewall, a RB750GL, has a typical CPU Load of 4%. Now that I've added some more aggressive firewall filtering rules - I will see occasional spikes (less now that I've optimized the ordering) but ju...

dalami

Thank you - but unless I'm not understanding what I'm looking at (which is likely) this doesn't answer my need. I've looked at that information, both in terminal and Winbox, and what I'm seeing is overall bridge status. I guess what I want to see is something that shows actual connections, like the ...

dalami

Is there a way of viewing the "status" of (R)STP? A way to show current traffic paths and identify misconfiguration?

dalami

I think I've got it working - now I'll find what breaks. In the meantime - can anyone confirm if what I've done is "correct" and more importantly - is there a "better" way I should do it? First, I do NOT place the VoIP server port into the isolation group. I've left that at defau...

dalami

Having typed a small novel - I'll condense to what I think my actual question is: The example page for the CRS1xx shows how to limit DHCP. So given: ether1: VoIP server ether2-ether6: VoIP phones ether7-ether8: unused/spare/future sfp10: next switch/router/gateway Based on the example page, I think ...

dalami

I just purchased and began configuring an upgraded router/switch (going from RB750GL to hAP AC2). I initially tried backing up the current config and then restoring to the new - that went horribly. Probably totally due to my own ignorance and external cabling factors - but I digress. I now have the ...

dalami

+1 feature request

dalami

I had a Trendnet TPE-80WS running our phone network - after many years of faithful service it's died. Given my preference for RouterOS - I'm looking for a Mikrotik alternative. I need to drive between 3 and 5 phones with 802.3af. Two models that look interesting are the CRS112-8P-4S-IN and the RB960...

dalami

Thank you - I'll look at EoIP again. What is the difference between using the existing IPSEC connections and configuring the EoIP interfaces with internal IP's compared with explicitly setting IPSEC secrets and external IP's in the EoIP interfaces?

dalami

The answer here is OSPF requires multicast which IPSEC does not provide. So either a layer 2 tunnel needs to be established - or a simple workaround is configuring the necessary links within OSPF via NBMA to use unicast communication.

dalami

I've got working connections from multiple remotes to my primary router via IPSEC. Each remote peer is defined in "/ip ipsec" with their signatures, mode config, etc. The exchange modes are all "IKE2" - I don't know if that means my tunnels are IKEv2 or not. But I do seem to have...

dalami

What I'm doing - part experimenting and part really trying to understand this. In particular, the first thing I wanted working was OSPF. The second was being able to reliably gain access to hosts on either side of the tunnel. Part of that is implementing layer 2 connectivity in some fashion - not su...

dalami

That...made quite a bit of sense. But with that said:

For "full" implementation, do I need to have all three specified at a filter and NAT level?

dalami

add action=masquerade chain=srcnat dst-address=!192.168.178.1 protocol=tcp src-address=192.168.178.0/24

Your 2nd masquerade line, for IPSEC traffic, only permits TCP. Try deleting the protocol reference.

dalami

What is the difference between the following? And what is the correct usage?

chain=input action=accept protocol=ipsec-esp in-interface=ether1-Internet
chain=input action=accept protocol=udp in-interface=ether1-Internet dst-port=500,4500
chain=input action=accept ipsec-policy=in,ipsec

dalami

I know I'm getting closer to overall understanding - but I'm stuck on this part. Remote location: bLookback bridge, no ports, static address 10.255.255.2 bInternet bridge, all physical ports, LAN 192.168.1.12/24 dynamically receives 10.21.3.3 to bInternet bridge via IPSEC known routes: 0 ADS dst-add...

dalami

None.

dalami

I admit it - I'm a bit out of my depth. Like many small business owners I fulfill multiple roles - including IT network admin. And it's been a while since I last set things up. I do remember utilizing some website examples/tutorials and the wiki - but I'm not finding what I need. If I can get this f...

dalami

To do what you want, just use quickset to setup the device as CPE and select bridge mode. In the wireless menu you can scan the network and connect it.

Never used this function before - didn't know about it! Thank you!

dalami

How can I power the mAP Lite via 12VDC? Would I need a PoE injector?

dalami

I've used Mikrotik for routing/switching for some time but I've never worked with the wireless. I started playing with a hAP and got quite confused - especially with CAPS. I've got an application where I need a wireless adapter. To be clear - an existing dedicated function product has a wired ethern...

dalami

Normally I specify "In-interface" for my forward rules. Should I leave that off for fasttrack - and possibly the "global" foward for established/related?

dalami

Thanks again. I was wondering about the mANTbox... Is the primary difference between these, other than the obvious physical, the antenna shape and therefore the coverage area? So the mANTbox gives me an integrated wide-angle sector antenna, the SXT a more focused antenna, and the others give me the ...

dalami

First of all, thanks for the response! As far as available spectrum & existing - they've got at least 7 AP's in that house, and I see at least two of them in the area in question. As I said before, they're all consumer-type AP's with the same SSID for pseudo-mesh operation. I just got some more ...

dalami

Hi all! I've been a happy user of Mikrotik routers for a while - but I've never used Mikrotik wireless. Just didn't need it. Now...but the deep range of products available leaves me confused - I'm not sure where to start. I have a customer that will need to support some wireless cameras. I don't kno...

dalami

Is there any existing resource for comparing RouterBOARDs from a processing standpoint? I don't just mean looking at the raw CPU Mhz/RAM - something more along the lines of how many NAT rules/queues can be applied for a given line speed? Something that would tell me - for a 10M connection, model X w...

dalami

That may actually do it! I'll run some more tests... Of course, with fast track, I'm not doing any queuing. The question becomes do I need to with this connection...probably not... So thank you for giving me what I needed (how to use what I already have) instead of what I wanted (something new to bu...

dalami

I recently realized that my RB750GL is a limiting factor in my connection. I found this out after my ISP replaced the modem and got my connection up to full speed - and then I changed some items on my side, which included using hardwired Gigabit connections instead of wireless. I had a number of rul...

dalami

This is a script I currently use. I left some of my work in progress comments in place - I was experiementing with a few different ways of getting this to work. No guarantees - but it seems to be working for me. # This script attempts to keep the NAT table current by removing unused UPnP rules. # Th...

dalami

For supporting either a home or small office - is there any reason to setup queues on the LAN side to limit download speeds? Should the only queues be on the interface connected to the modem? My goal is to: 1. Maximize efficiency and throughput - take full advantage of whatever bandwidth is being pr...

dalami

Is my problem just a basic misunderstanding on networking principles? I've tried using the packet marks from the "upload" rules that match - based on src IP - and using those in the download queues. Looks like it's working correctly. Was I just overcomplicating it?

dalami

Attached is a screen capture from WinBox. I've defined various mangle rules & queues - and my upload rules work great (although I don't know I'm necessarily doing things the "best" way - they do work). My problem is download - none of the rules I've tried seem to match any download tra...

Search found 159 matches