Community discussions

Search found 101 matches

by harvey
Sun Apr 14, 2019 9:21 am
Forum: General
Topic: Pass WAN over VLAN [SOLVED]
Replies: 15
Views: 923

Re: Pass WAN over VLAN [SOLVED]

There's a topic on differences between VLAN setup on bridge vs. VLAN setup on switch ... I've posted config for both cases for the same real-life usage case. Thanks. Reminds me of when I did vlans on an old CRS. Don’t know why, I thought that method was unique to the CRS line. I presume with the CC...
by harvey
Sat Apr 13, 2019 1:37 am
Forum: Beginner Basics
Topic: Router for my new home!
Replies: 14
Views: 1174

Re: Router for my new home!

Presuming you want Wifi as well. The HAP AC2 is a cost effective and small unit with a good balance of features. All depends what you need.
by harvey
Sat Apr 13, 2019 1:30 am
Forum: Beginner Basics
Topic: Access to webfig not working
Replies: 4
Views: 874

Re: Access to webfig not working

Can you post the output of:-
/ip firewall export


You may need to obscure any private details such as public IP addresses if needed.
by harvey
Sat Apr 13, 2019 1:24 am
Forum: Beginner Basics
Topic: External ip in lan network redirect to the router
Replies: 3
Views: 363

Re: External ip in lan network redirect to the router

Or a simpler way, if your internal clients use the Mikrotik for DNS you could add a static entry for your dynamic DNS name to the internal IP. External clients will use the proper WAN IP and internal clients use the internal IP address.
by harvey
Sat Apr 13, 2019 1:13 am
Forum: General
Topic: Pass WAN over VLAN [SOLVED]
Replies: 15
Views: 923

Re: Pass WAN over VLAN [SOLVED]

What I meant indeed. I guess the advantage would be that bridge would already have done the security (vlan filter) checks. Works just fine. Thanks. Ok, so hopefully final question, with regards your comment on "use vlan filtering of /interface switch chip", how exactly would the configuration chang...
by harvey
Sat Apr 13, 2019 12:39 am
Forum: General
Topic: Pass WAN over VLAN [SOLVED]
Replies: 15
Views: 923

Re: Pass WAN over VLAN [SOLVED]

B2 copy-paste error -> name=ether1-vlan-20-access since vlan 100 is passed to bridge1, I would setup the vlan interface on bridge not the ether5 directly (haven't verified if there would be a difference) /interface vlan add comment="WAN Passthrough VLAN" interface=ether5-trunk-to-b1 name=WAN \ vlan...
by harvey
Fri Apr 12, 2019 11:39 pm
Forum: General
Topic: Pass WAN over VLAN [SOLVED]
Replies: 15
Views: 923

Re: Pass WAN over VLAN [SOLVED]

Screen Shot 2019-04-12 at 21.36.53.png Ok, so I set up a rough configuration, apart from setting up ingress-filtering and frame-type, is there anything major I have missed? B1:- /interface bridge add name=bridge1 vlan-filtering=yes /interface ethernet set [ find default-name=ether1 ] comment="WAN p...
by harvey
Fri Apr 12, 2019 7:35 pm
Forum: General
Topic: Pass WAN over VLAN [SOLVED]
Replies: 15
Views: 923

Re: Pass WAN over VLAN [SOLVED]

Try this On B1 /interface bridge vlan add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100 On B2: /interface bridge vlan add bridge=bridge1 tagged=ether5,bridge1 untagged=ether1 vlan-ids=100 /interface vlan add interface=bridge1 name=v100 vlan-id=100 /ip address add address=1.1.1....
by harvey
Fri Apr 12, 2019 6:19 pm
Forum: General
Topic: Pass WAN over VLAN [SOLVED]
Replies: 15
Views: 923

Re: Pass WAN over VLAN [SOLVED]

Screen Shot 2019-04-12 at 16.16.31.png OK, so I've done as follows and I've gone wrong somewhere. I'm doing this all in GNS3 at the moment. I set up a fake internet router on 1.1.1.1:- interface ethernet set [ find default-name=ether5 ] name=ISP /ip address add address=1.1.1.1/30 interface=ISP netw...
by harvey
Fri Apr 12, 2019 5:53 pm
Forum: General
Topic: Pass WAN over VLAN [SOLVED]
Replies: 15
Views: 923

Re: Pass WAN over VLAN [SOLVED]

vlan = virtual lan, so what you try to do is not out of the ordinary. Instead of using another physical cable you use vlan instead. To achieve what you want: mark the wan interface on hap as (to-be) as access port for wan vlan: so untagging on egress, and tagging on ingress for WAN interface config...
by harvey
Fri Apr 12, 2019 4:50 pm
Forum: General
Topic: Pass WAN over VLAN [SOLVED]
Replies: 15
Views: 923

Pass WAN over VLAN [SOLVED]

So, I have a dilemma. I'd like to move my main firewall to a separate building away from where my WAN comes in but I only have a single ethernet cable linking the two buildings. I currently run a VLAN trunk between the buildings using the new Bridge VLAN filtering method. The WAN comes in to an area...
by harvey
Fri Apr 12, 2019 3:59 pm
Forum: Beginner Basics
Topic: CCR1009-8G-1S-1S+, Smart card and Certificates
Replies: 10
Views: 4107

Re: CCR1009-8G-1S-1S+, Smart card and Certificates

I'd be interested to know more too if anyone has found a compatible product and some guidelines on how to set up.

Thanks
by harvey
Fri Feb 15, 2019 6:44 pm
Forum: General
Topic: SNMP PSU Values
Replies: 1
Views: 290

Re: SNMP PSU Values

Anyone have information on this? Thanks.
by harvey
Wed Feb 13, 2019 10:09 pm
Forum: General
Topic: SNMP PSU Values
Replies: 1
Views: 290

SNMP PSU Values

Hi, Quick question, I'm monitoring PSU status with SNMP. I can see that a value of 1 means the PSU is OK. Can anyone confirm the value of a failed PSU? Is it 0, 2 or other? Is there any way to look this up? Also, when it comes to things like fan speed or temperature readings, is there anywhere that d...
by harvey
Sun Oct 28, 2018 10:01 pm
Forum: Wireless Networking
Topic: WAP ac 5GHz issues with iPhone XS
Replies: 142
Views: 17971

Re: WAP ac 5GHz issues with iPhone XS

The only common factor for me is ipv6. With it off problem goes away. By 'off' you mean complete disabling of 'ipv6' package or just disabling IPv6 DHCP Server / ND so that devices don't get ipv6 routable addresses? I’m using 6to4 so I disable the sit interface, disable the ip address on the wan an...
by harvey
Sun Oct 28, 2018 6:22 pm
Forum: Wireless Networking
Topic: WAP ac 5GHz issues with iPhone XS
Replies: 142
Views: 17971

Re: WAP ac 5GHz issues with iPhone XS

The only common factor for me is ipv6. With it off problem goes away. Currently running ac at 80mhz and all fine. As soon as I enable ipv6 it dies. If you disable ipv6 also make sure your clients are not being allocated and don’t have an ipv6 address too.
by harvey
Sat Oct 13, 2018 12:55 pm
Forum: Wireless Networking
Topic: WAP ac 5GHz issues with iPhone XS
Replies: 142
Views: 17971

Re: WAP ac 5GHz issues with iPhone XS

Version 6.44beta14 has been released.
*) wireless - improved stability for 802.11ac;
Have you tried latest 6.44beta release, too?
Already seen and tried without luck
by harvey
Thu Oct 11, 2018 5:46 pm
Forum: General
Topic: iPhone XS and Mikrotik hAP ac
Replies: 29
Views: 4700

Re: iPhone XS and Mikrotik hAP ac

Actually, I'm more convinced it's something to do with Hurricane Electric IPv6 Tunnel. I just remembered I had also disabled this. As soon as I re-enabled it the issue returned. This post already highlighted this issue https://forum.mikrotik.com/viewtopic.php?p=691678#p688505 Can there be a relation...
by harvey
Thu Oct 11, 2018 5:41 pm
Forum: General
Topic: iPhone XS and Mikrotik hAP ac
Replies: 29
Views: 4700

Re: iPhone XS and Mikrotik hAP ac

The only other change I made was to apply Frequency Mode, Country (as per 5GHz) and Antenna Gain to 2 on the 2.4 GHz Network
by harvey
Thu Oct 11, 2018 5:37 pm
Forum: General
Topic: iPhone XS and Mikrotik hAP ac
Replies: 29
Views: 4700

Re: iPhone XS and Mikrotik hAP ac

I have been able to resolve the issue by making some configuration changes on the Mikrotik. I'm currently running AC at 5Ghz/80Mhz and seems fine. the only difference I can see is `country="united kingdom"` and `frequency-mode=regulatory-domain` :- Before, Not working:- set [ find default-name=wlan2...
by harvey
Sun Oct 07, 2018 1:56 am
Forum: Wireless Networking
Topic: WAP ac 5GHz issues with iPhone XS
Replies: 142
Views: 17971

Re: WAP ac 5GHz issues with iPhone XS

Hi, I just wanted to cross post a similar thread where others have reported the same issues with HAP AC's. I too use 80MHz Channels and HE IPv6 tunnels. I haven't tried changing these. The thread is here https://forum.mikrotik.com/viewtopic.php?f=2&t=139524 I don't believe the phone is at fault as I...
by harvey
Sun Oct 07, 2018 1:49 am
Forum: General
Topic: iPhone XS and Mikrotik hAP ac
Replies: 29
Views: 4700

Re: iPhone XS and Mikrotik hAP ac

Creating a 5GHz only network on the hap ac2 did not help. In vain I set up a spare Unifi AC Pro and the iPhone XS wifi works perfectly. I'm struggling to see how this is not Mikrotik related?

This seems separate and unrelated to the other iPhone XS wireless issues reported generally.
by harvey
Mon Oct 01, 2018 11:38 am
Forum: General
Topic: iPhone XS and Mikrotik hAP ac
Replies: 29
Views: 4700

Re: iPhone XS and Mikrotik hAP ac

The only other oddity which I found, when the iPhone XS loses network connectivity I can still ping via IP address e.g. 8.8.8.8 but google.com will not respond. I tried overwriting the DNS on the phone to something out on the WAN e.g. 1.1.1.1 but didn't seem to make a difference. Sometimes the wifi ...
by harvey
Mon Oct 01, 2018 11:24 am
Forum: General
Topic: iPhone XS and Mikrotik hAP ac
Replies: 29
Views: 4700

Re: iPhone XS and Mikrotik hAP ac

I too am having issue with an iPhone XS Max connecting to a HAP AC and HAP AC2 both running 6.43.2. Macbook Pro, iPhone 7 Plus and iPad Pro all working fine. Current Wifi Setup from the AC2:- /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik add authenticati...
by harvey
Fri Sep 14, 2018 8:53 pm
Forum: Beginner Basics
Topic: Can't access webfig on WAN
Replies: 10
Views: 2334

Re: Can't access webfig on WAN

I very much doubt the 1Mb limit is the issue unless you have other traffic saturating it. I use CHR in the free mode for all my GNS3 labs and have no issues with connecting on any method
by harvey
Fri Sep 14, 2018 6:56 pm
Forum: Beginner Basics
Topic: Can't access webfig on WAN
Replies: 10
Views: 2334

Re: Can't access webfig on WAN

In my experience physical Mikrotik hardware has a default set of rules but CHR is normally blank. This would explain the reason you didn't have any rules.

Did you check your cloud provider's security rules? What cloud provider are you using?
by harvey
Fri Sep 14, 2018 1:05 pm
Forum: Beginner Basics
Topic: Can't access webfig on WAN
Replies: 10
Views: 2334

Re: Can't access webfig on WAN

Also, is 443 allowed through on the cloud provider's security group/firewall?
by harvey
Fri Sep 14, 2018 1:03 pm
Forum: Beginner Basics
Topic: Can't access webfig on WAN
Replies: 10
Views: 2334

Re: Can't access webfig on WAN

Do you have any conflicting DST-nat rules on port 443 under the nat table? What if you change the https service port number to something different than 443 such as 4443 and then update your filter rule to match?
by harvey
Fri Sep 14, 2018 9:36 am
Forum: Beginner Basics
Topic: Configuring VLANs with DHCP Server and Cisco switch Uplink
Replies: 3
Views: 492

Re: Configuring VLANs with DHCP Server and Cisco switch Uplink

It looks like you have created your trunk on your switch port, I presume you have also created your untagged vlan's on the switch for your access ports? On the Mikrotik side, you'll need to use bridging in one way or another. The newest way which requires ROS 6.4.1 or newer is Bridge VLAN filtering ...
by harvey
Wed Sep 12, 2018 5:35 pm
Forum: General
Topic: Bridge VLAN Filtering help [SOLVED]
Replies: 22
Views: 2007

Re: Bridge VLAN Filtering help [SOLVED]

Thank you to both @xvo and @sindy for your help, it's working perfectly. For completeness for anyone else in the future, I have included the final working configs and diagram below:- Screen Shot 2018-09-12 at 15.29.26.png CHR-1 /interface bridge add name=bridge1 vlan-filtering=yes /interface vl...
by harvey
Wed Sep 12, 2018 12:25 pm
Forum: General
Topic: Bridge VLAN Filtering help [SOLVED]
Replies: 22
Views: 2007

Re: Bridge VLAN Filtering help [SOLVED]

/interface vlan add interface=ether3 name=vlan200 vlan-id=200 add interface=ether3 name=vlan300 vlan-id=300 add interface=ether3 name=vlan400 vlan-id=400 This part on CHR-1 is wrong: the interfaces should be created on top of the bridge, not ether3. Then you add ether2 to the same bridge1, set PVID...
by harvey
Tue Sep 11, 2018 1:21 pm
Forum: General
Topic: Bridge VLAN Filtering help [SOLVED]
Replies: 22
Views: 2007

Bridge VLAN Filtering help [SOLVED]

Hi, I am testing out Bridge VLAN filtering to understand how it works. I have built a working example:- Current Setup.png CHR-1: /interface bridge add name=bridge1 vlan-filtering=yes /interface vlan add interface=ether3 name=vlan200 vlan-id=200 add interface=ether3 name=vlan300 vlan-id=300 add inter...
by harvey
Thu Aug 30, 2018 6:24 pm
Forum: General
Topic: Tapatalk SQL error
Replies: 2
Views: 445

Tapatalk SQL error

I am able to browse the Mikrotik Forum on Tapatalk for iOS but as soon as I attempt to login I'm presented with an SQL error.

I have seen on the chat within Tapatalk that other people have a similar issue.

Any ideas how to resolve?
by harvey
Wed Aug 29, 2018 11:28 am
Forum: General
Topic: Caravan WiFi [SOLVED]
Replies: 16
Views: 1731

Re: Caravan WiFi [SOLVED]

Everything was pretty simple to set up. Connected without issue to the campsite WiFi. Captive portal didn't just pop up but on accessing an http based webpage it redirected to the captive portal. Paid my fee and internet worked fine. Multiple devices working so far without issue. When I get a bit mor...
by harvey
Tue Aug 28, 2018 8:01 pm
Forum: General
Topic: Caravan WiFi [SOLVED]
Replies: 16
Views: 1731

Re: Caravan WiFi [SOLVED]

My question is, how will the captive portal be handled? When connecting, would the captive portal of the campsite WiFi be passed through to the clients connected to the Mikrotik in the caravan? If not how would this be achieved? I use Groove 52's for the client that are usually connected to 951ui-2...
by harvey
Mon Aug 27, 2018 8:16 pm
Forum: General
Topic: Caravan WiFi [SOLVED]
Replies: 16
Views: 1731

Re: Caravan WiFi [SOLVED]

May I ask what you guys are using for your block diagrams?

Thanks.
by harvey
Mon Aug 27, 2018 10:58 am
Forum: General
Topic: Caravan WiFi [SOLVED]
Replies: 16
Views: 1731

Re: Caravan WiFi [SOLVED]

Thanks. I did consider the ac lite too. The ac2 was only £12 more and if this doesn't work as a test I can make use of the ac2 at home. As for ac2 running hotter, it's always freezing when we camp so it'll act as a nice heater 😂
by harvey
Mon Aug 27, 2018 10:32 am
Forum: General
Topic: Caravan WiFi [SOLVED]
Replies: 16
Views: 1731

Re: Caravan WiFi [SOLVED]

Thanks for all the advice. I was going to pick up two hap lite's but for a few extra quid I've ordered a hap ac2. I can make more use of that if needed. I'll use 2.4 for site WiFi and 5ghz for caravan WiFi. All my devices should be ok on 5ghz.
by harvey
Sun Aug 26, 2018 10:33 pm
Forum: General
Topic: Caravan WiFi [SOLVED]
Replies: 16
Views: 1731

Re: Caravan WiFi [SOLVED]

Thanks. Pretty happy with the general wifi configuration. So would you expect the campsite captive portal to pop up/pass through to the first connected client on the "LAN" side? This was my main concern. You show the example of the Virtual wireless AP, would that suffice or would two separate cards ...
by harvey
Sun Aug 26, 2018 7:49 pm
Forum: General
Topic: Simple queues didn't work
Replies: 5
Views: 584

Re: Simple queues didn't work

In your firewall filter table you'll have a "forward" rule with an action of fasttrack. Disable that rule. There should be a matching accept rule to let the traffic rule. If you lose internet access change the fasttrack action to accept and re-enable
by harvey
Sun Aug 26, 2018 4:48 pm
Forum: General
Topic: Caravan WiFi [SOLVED]
Replies: 16
Views: 1731

Caravan WiFi [SOLVED]

Quite often when we go on holiday in our caravan the campsites we stay at have WiFi which you typically have to pay for and often limited to one or two devices. They will always have a captive portal. I have often thought about putting in a Mikrotik in the caravan which would connect to the campsite...
by harvey
Sun Aug 26, 2018 4:46 pm
Forum: General
Topic: Simple queues didn't work
Replies: 5
Views: 584

Re: Simple queues didn't work

Yes @joni is right. If you have fasttrack enabled the majority of your traffic will skip through many of the main features including queues. As soon as you disable fasttrack your queues should see a great deal more traffic hitting them. However, your CPU usage may well go up considerably if you have...
by harvey
Mon Oct 30, 2017 10:03 am
Forum: General
Topic: IKEv2 Road Warrior Drops
Replies: 2
Views: 710

Re: IKEv2 Road Warrior Drops

Config is:- /ip ipsec mode-config add address-pool=ipsec-pool name=cfg_priv split-include=0.0.0.0/0,10.10.1.0/24 add address-pool=ipsec-pool address-prefix-length=32 name=cfg1 /ip ipsec proposal set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 lifetime=1h pfs-group=modp4096 /ip ipsec peer...
by harvey
Mon Oct 30, 2017 9:59 am
Forum: General
Topic: IKEv2 Road Warrior Drops
Replies: 2
Views: 710

IKEv2 Road Warrior Drops

I've tried setting up IKEv2 Road Warrior as per this:- https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Road_Warrior_setup_Ikev2_RSA_auth When the device attempts to connect it immediately disconnects but from the Mikrotik side it appears connected. It shows Installed SA's, it shows a remote peer and ...
by harvey
Sat Oct 28, 2017 4:22 pm
Forum: Beginner Basics
Topic: how can I setup mikrotik + local dns server
Replies: 2
Views: 9655

Re: how can I setup mikrotik + local dns server

Hello. I recently bought a Routerboard 951G-2HnD. I used defaults since it's for my home LAN, I need no fancy configuration. Just some port forwarding that I already know how to do it. I changed network segment from 192.168.88.0 to 192.168.0.0 Problem is I have no local name resolution. Maybe you c...
by harvey
Sat Oct 28, 2017 4:05 pm
Forum: RouterBOARD hardware
Topic: Paid VPN service Nord VPN
Replies: 16
Views: 11009

Re: Paid VPN service Nord VPN

I'd like to do this as well, I cannot get the solution posted on NordVPN's site for MikroTik to work as the VPN isn't connecting although the traffic marking and routing does work (with other VPNs I've tested) I can get NordVPN working only with L2TP/IPSec and only with certain servers, I was provi...
by harvey
Sat Oct 28, 2017 3:43 pm
Forum: General
Topic: Help with IKEv2/IPsec client configuration
Replies: 35
Views: 10838

Re: Help with IKEv2/IPsec client configuration

Could someone from the MikroTik community please reply and help with the IKEv2 client configuration setup for NordVPN (or any other non-MikroTik VPN provider)? Thanks a lot in advance. I too am interested in getting this to work, however, I spoke to NordVPN support and they stated the following:- A...
by harvey
Fri Oct 27, 2017 5:32 pm
Forum: Wireless Networking
Topic: Wireless clients keep getting disconnected/reconnected
Replies: 23
Views: 13232

Re: Wireless clients keep getting disconnected/reconnected

And you can disable management protection. Hi there, I was reading this post because I have a similar problem. May I ask that is the difference on allowed management protection enable and the disable management protect, does? what's the difference. Thank you in advance. I've started having a simila...
by harvey
Mon Feb 20, 2017 10:17 am
Forum: General
Topic: New device alert
Replies: 0
Views: 370

New device alert

Hi, I have been using arpwatch ( https://en.wikipedia.org/wiki/Arpwatch ) on a raspberry pi on the network to detect when new devices appear on the network and send me an email alert. Is there any kind of script on routeros that could be used to achieve a similar thing without having to require an e...
by harvey
Thu Oct 13, 2016 3:47 pm
Forum: General
Topic: Feature request for v7.x
Replies: 269
Views: 63683

Re: Feature request for v7.x

I would like to voice my agreement with all the requests for enhanced OpenVPN support including:-

UDP support
auth-tls support
Enhance 'auth' algorithms such as SHA512.
Enhance 'cipher' support.
The ability to push configurations to clients.

Thanks for all the hard work.
by harvey
Wed Oct 12, 2016 6:15 pm
Forum: General
Topic: Logging of all traffic - No Blocking
Replies: 8
Views: 1289

Re: Logging of all traffic - No Blocking

Has anybody got any thought on why only one part of the traffic is not being sent to ntopng? Any parts of my configuration that would be useful? Simple try to use netflow v5 in targets options. That seems better. Some devices are showing more accurately. Some others I'm not so sure but I'll keep an...
by harvey
Tue Oct 11, 2016 5:24 pm
Forum: General
Topic: USB 4G UK recommendations
Replies: 1
Views: 394

Re: USB 4G UK recommendations

The ZTE MF823 (https://www.amazon.co.uk/ZTE-86694801-M ... B00MEJJSGW) is jumping out at me. How can I find out if it supports the Direct-IP mode talked about here (http://mum.mikrotik.com/presentations/US15/brian.pdf)?

Would the ZTE MF823 support SMS?
by harvey
Tue Oct 11, 2016 5:13 pm
Forum: General
Topic: USB 4G UK recommendations
Replies: 1
Views: 394

USB 4G UK recommendations

Hi, I have taken a look at the hardware compatibility list (http://wiki.mikrotik.com/wiki/Supported_Hardware#4G_LTE_cards_and_modems) and I tried an E3372 4G stick, the problem was it came in hilink mode (where it does its own NAT etc) and I tried converting it to modem mode (following http://blog....
by harvey
Tue Oct 11, 2016 5:02 pm
Forum: General
Topic: Logging of all traffic - No Blocking
Replies: 8
Views: 1289

Re: Logging of all traffic - No Blocking

Has anybody got any thought on why only one part of the traffic is not being sent to ntopng? Any parts of my configuration that would be useful?
by harvey
Sat Oct 08, 2016 12:31 pm
Forum: General
Topic: Logging of all traffic - No Blocking
Replies: 8
Views: 1289

Re: Logging of all traffic - No Blocking

In old versions, yes. Did you update RouterOS?
Yes on 6.37.1
by harvey
Sat Oct 08, 2016 1:00 am
Forum: General
Topic: Logging of all traffic - No Blocking
Replies: 8
Views: 1289

Re: Logging of all traffic - No Blocking

Ok, so it appears that uploads from the client are working fine but downloads are not and the percentage between sent and received is like 98%/2% in favour of sent.

Could something like fasttrack be the issue? Could traffic incoming from the internet be skipping the traffic-flow capture?
by harvey
Sat Oct 08, 2016 12:42 am
Forum: General
Topic: Logging of all traffic - No Blocking
Replies: 8
Views: 1289

Re: Logging of all traffic - No Blocking

traffic-flow is the way to go. what is inaccurate about it? of course you could also setup a port mirroring or packet sniff streaming and send all traffic to an external computer doing the work. Ok, so Mikrotik is set up as follows:- /ip traffic-flow set active-flow-timeout=1m enabled=yes /ip traff...
by harvey
Fri Oct 07, 2016 5:11 pm
Forum: General
Topic: Logging of all traffic - No Blocking
Replies: 8
Views: 1289

Logging of all traffic - No Blocking

Hi, I wondered what the best option would be for logging and generating reports on all internet traffic not just web traffic from within an office. I do not need to block any traffic but is purely for reporting. Some Information I would like to capture would be:- HTTP / HTTPS domains visited and by ...
by harvey
Fri Sep 30, 2016 5:04 pm
Forum: General
Topic: Port forwarding to VLAN
Replies: 3
Views: 1632

Re: Port forwarding to VLAN

You can have one rule for all forwarded ports:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
Perfect, i'll give that a test.
Seems to work perfectly, thanks
by harvey
Fri Sep 30, 2016 5:03 pm
Forum: Beginner Basics
Topic: find / where + export
Replies: 3
Views: 978

Re: find / where + export

Currently not possible
Ok, no worries, just a thought.

Thanks.
by harvey
Fri Sep 30, 2016 4:29 pm
Forum: General
Topic: Port forwarding to VLAN
Replies: 3
Views: 1632

Re: Port forwarding to VLAN

You can have one rule for all forwarded ports:
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat
Perfect, i'll give that a test.
by harvey
Fri Sep 30, 2016 4:06 pm
Forum: Beginner Basics
Topic: find / where + export
Replies: 3
Views: 978

find / where + export

Hi, Simple little question. Is it possible to combine 'find' or 'where' with the 'export' command? For example, let's say I want to export just the "forward" chain of the firewall filter section? With the print command I can do the following:- /ip firewall filter print where chain=forward However I c...
by harvey
Fri Sep 30, 2016 3:50 pm
Forum: General
Topic: Port forwarding to VLAN
Replies: 3
Views: 1632

Port forwarding to VLAN

Normally when I do a port forward on a simple single network setup I don't need to add anything else to make it work but recently I've had to setup a solution for a multi tenanted building using a CCR with each tenant in their own VLAN and each VLAN is isolated from one another with the exception of...
by harvey
Tue Aug 30, 2016 10:21 pm
Forum: General
Topic: Mikrotik Bridging but Mikrotik can't access the internet
Replies: 6
Views: 910

Re: Mikrotik Bridging but Mikrotik can't access the internet

Okay - you started this thread by saying that your Mikrotik is bridging between your modem and your firewall (which I found a bit strange, but didn't ask questions) This term is what threw me off on the wrong track. Your Mikrotik is routing and not bridging. Anyway, I've looked back over your firew...
by harvey
Thu Aug 25, 2016 9:56 am
Forum: General
Topic: Mikrotik Bridging but Mikrotik can't access the internet
Replies: 6
Views: 910

Re: Mikrotik Bridging but Mikrotik can't access the internet

ether1-wan gets a single dynamic public IP from the ISP. Overlaid on that we are provided with a /29 of public IPs. One of these /29 IPs is placed on ether2-lan and another is placed on the WAN side of the Sophos UTM. The UTM uses ether2-lan's address as its default gateway. In that /29 there are...
by harvey
Tue Aug 23, 2016 5:28 pm
Forum: General
Topic: Mikrotik Bridging but Mikrotik can't access the internet
Replies: 6
Views: 910

Re: Mikrotik Bridging but Mikrotik can't access the internet

So there is no way for it to directly access the internet considering it is directly connected to the internet gateway? Can you explain why just so I understand.

Many thanks.
by harvey
Tue Aug 23, 2016 5:14 pm
Forum: General
Topic: Mikrotik Bridging but Mikrotik can't access the internet
Replies: 6
Views: 910

Mikrotik Bridging but Mikrotik can't access the internet

Hi, I have a Mikrotik that is acting as a bridge between a modem and firewall. The network diagram looks like this:- https://www.dropbox.com/s/tm8lfd0e7g0kxi2/Firewall%20Setup.png?dl=0 The Clients behind the Sophos UTM all have internet access OK but if I log on to the mikrotik and try and ping 8.8....
by harvey
Tue Aug 23, 2016 10:59 am
Forum: General
Topic: WAN Failover Question
Replies: 5
Views: 610

Re: WAN Failover Question

Have you taken a look at this.... http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting "But what if your modem is up, and telephone line is down?" This is the script that is confusing to me. I'm confused about the virtual routes. Is this what I use for my public pingable server...
by harvey
Mon Aug 22, 2016 3:30 pm
Forum: General
Topic: WAN Failover Question
Replies: 5
Views: 610

Re: WAN Failover Question

Have you taken a look at this....

http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

"But what if your modem is up, and telephone line is down?"
by harvey
Tue Feb 23, 2016 11:37 am
Forum: Beginner Basics
Topic: Unable to manage switch from tagged vlan
Replies: 5
Views: 819

Re: Unable to manage switch from tagged vlan

What firewall rules do you have in place? Do you have any rules in place that could restrict access to the winbox or web interface ports from certain IP ranges? You'd need to specifically look at the INPUT chain. Also take a look at '/ip service' and see if there are any subnet restrictions under th...
by harvey
Tue Feb 23, 2016 11:26 am
Forum: Beginner Basics
Topic: Port Opening Issue
Replies: 3
Views: 505

Re: Port Opening Issue

Can you share, what you have done so far to open the port?
by harvey
Wed Oct 22, 2014 12:11 am
Forum: Beginner Basics
Topic: rb2011 - poor performance with uk bt infinity
Replies: 42
Views: 14901

Re: rb2011 - poor performance with uk bt infinity

Yes the hardware is at fault. This blog post explains it somewhat http://blog.linitx.com/mikrotik-fttc-eci-modems/
by harvey
Wed Aug 07, 2013 3:21 pm
Forum: Beginner Basics
Topic: rb2011 - poor performance with uk bt infinity
Replies: 42
Views: 14901

Re: rb2011 - poor performance with uk bt infinity

Oh no false alarm, my switch was still inline.
Oh well, never mind
by harvey
Wed Aug 07, 2013 1:42 pm
Forum: Beginner Basics
Topic: rb2011 - poor performance with uk bt infinity
Replies: 42
Views: 14901

Re: rb2011 - poor performance with uk bt infinity

I've tried v6.2 on my 951G and the problem appears to be resolved. What firmware level are you running?
6.2! That's strange. Definitely still auto negotiating at 10Mb
by harvey
Mon Aug 05, 2013 11:01 pm
Forum: Beginner Basics
Topic: rb2011 - poor performance with uk bt infinity
Replies: 42
Views: 14901

Re: rb2011 - poor performance with uk bt infinity

Any further update on this? Same issue on v6.2 on 951G-2HnD. Can anyone confirm placing a switch between the modem and RB temporarily fixes the issue?
by harvey
Mon Jul 15, 2013 11:18 pm
Forum: Beginner Basics
Topic: Is the following VLAN / WIFI setup possible?
Replies: 5
Views: 2061

Re: Is the following VLAN / WIFI setup possible?

That's fantastic. I'll try to implement that in the next day or so. Can you confirm which interface you assign ip addresses and DHCP pools to? Is it the vlan interface?
by harvey
Mon Jul 15, 2013 9:46 pm
Forum: Beginner Basics
Topic: Is the following VLAN / WIFI setup possible?
Replies: 5
Views: 2061

Re: Is the following VLAN / WIFI setup possible?

This is doable, yes. If you need wire-speed between the ports on each VLAN you'll have to use the 493G's switch chip, which is a little bit more work to set up. Otherwise you can just set up regular VLANs on the trunk port and bridge the access ports and VAPs with the appropriate VLANs. Regular VLA...
by harvey
Mon Jul 15, 2013 11:47 am
Forum: Beginner Basics
Topic: Is the following VLAN / WIFI setup possible?
Replies: 5
Views: 2061

Is the following VLAN / WIFI setup possible?

I have an 493G with a wireless card in it, I also have a cisco small business switch capable of handling VLAN's. Is it possible to have 2 vlans (potentially more in the future), then have two vaps's linked to the vlans, then specify specific ports on the 493g to be associated specific vlans and comm...
by harvey
Fri Mar 08, 2013 9:22 am
Forum: General
Topic: IPSec Tunnel not working
Replies: 7
Views: 1754

Re: IPSec Tunnel not working

Have done a few checks and all is well.

I have not been able to find any other changes that I may have made. Thanks all for your help.
by harvey
Wed Mar 06, 2013 9:22 am
Forum: General
Topic: IPSec Tunnel not working
Replies: 7
Views: 1754

Re: IPSec Tunnel not working

Not 100% sure what I did but it is now working. The only thing I can think of is when using the ping tool I specified the bridge interface and after a few missed pings it started working. I need to do some more testing to be sure it initiates from both sides etc. I will report back if I find out I d...
by harvey
Tue Mar 05, 2013 9:08 am
Forum: General
Topic: IPSec Tunnel not working
Replies: 7
Views: 1754

Re: IPSec Tunnel not working

Hi, As suggested I have added /ip firewall filter add chain=input comment=Ip-Sec-ESP protocol=ipsec-esp add chain=input comment=IP-Sec-AH protocol=ipsec-ah To both routers. Also both of these were already done:- Also allow UDP 500 on your firewall (input chain), be sure that your nat rule for local n...
by harvey
Mon Mar 04, 2013 1:02 pm
Forum: General
Topic: IPSec Tunnel not working
Replies: 7
Views: 1754

Re: IPSec Tunnel not working

Ok, will try that tonight, thanks!

I will take a look at that thread too.
by harvey
Mon Mar 04, 2013 9:11 am
Forum: General
Topic: IPSec Tunnel not working
Replies: 7
Views: 1754

IPSec Tunnel not working

Hi, I am trying to get an IPSec tunnel working between my home and datacenter. I have set up the IPSec tunnel but nothing seems to happen. Nothing appears under 'Remote Peers' or 'Installed SAs' on either side. I have enabled IPsec logging on one side and nothing appears:- [admin-sy@scorpio] > / ...
by harvey
Mon Feb 11, 2013 8:08 am
Forum: General
Topic: Can't work out simple VLAN setup
Replies: 3
Views: 731

Re: Can't work out simple VLAN setup

Based on your replies I will give that a go. If I am still stuck I will come back to you with more setup information.
by harvey
Sun Feb 10, 2013 10:56 am
Forum: General
Topic: Can't work out simple VLAN setup
Replies: 3
Views: 731

Can't work out simple VLAN setup

I am trying to set up a very simple vlan setup on my existing RB751G-2HnD. I have attached a diagram of my simple setup. In summary:-
- VLAN 1 - Main Network with wireless SSID and devices plugged in to switch ports 1-4
- VLAN 10 - Guest Network with SSID and anything plugged in to port 5 of the ...
by harvey
Sun Feb 10, 2013 9:39 am
Forum: General
Topic: DHCP to DNS hostname?
Replies: 4
Views: 5979

Re: DHCP to DNS hostname?

I use a script for this which I am using with 6.0rc9 and is very simple to implement. Just create a new script with none of the checkboxes selected and paste in the following code:-
# Domain to be added to your DHCP-clients hostname
:local topdomain;
:set topdomain "corp.com";
# Use ttl to dist...
by harvey
Thu Dec 06, 2012 1:01 pm
Forum: General
Topic: New to routerOS VLAN's simple set up help
Replies: 3
Views: 2216

Re: New to routerOS VLAN's simple set up help

To clarify can you provide some sample commands and I will try to adapt to my scenario.
by harvey
Wed Dec 05, 2012 4:40 pm
Forum: General
Topic: New to routerOS VLAN's simple set up help
Replies: 3
Views: 2216

New to routerOS VLAN's simple set up help

Hi, I am new to setting up VLANs on RouterOS. Current Setup:- RB751G - Simple home access point with bridge containing the switch ports and built in wireless with interface IP address on bridge and DHCP etc. I also have a Draytek 3300, Cisco SG300 and Netgear WAG302 wireless access point. The...
by harvey
Sun May 13, 2012 7:28 pm
Forum: General
Topic: Router no longer giving out IPv6 addresses
Replies: 0
Views: 470

Router no longer giving out IPv6 addresses

Hi, I am using Hurricane Electric as my tunnel broker for IPv6. It was working absolutely fine to start with and was issuing my devices with IPv6 addresses. Currently any devices that were initially given an address when it was working still get given an IPv6 address and they can still access IPv6 ...
by harvey
Tue Apr 17, 2012 4:03 pm
Forum: General
Topic: Dual stack IPv6 default?
Replies: 6
Views: 1794

Re: Dual stack IPv6 default?

Yes I have both and the IPv6 is at the top of the list.

The IPv6-only URL I have tried and using that will show the IPv4 address. Very strange. At the same time I can go to http://ipv6-test.com/ and it will show both addresses just fine.
by harvey
Wed Apr 11, 2012 11:20 pm
Forum: Beginner Basics
Topic: Mikrotik Learning Book
Replies: 24
Views: 36065

Mikrotik Learning Book

There are two ebooks available on Amazon Kindle.
by harvey
Wed Apr 11, 2012 11:07 pm
Forum: General
Topic: Dual stack IPv6 default?
Replies: 6
Views: 1794

Dual stack IPv6 default?

I have successfully set up Dual Stack IPv4/IPv6 with Hurricane Electric and can browse IPv6 sites. However when browsing sites that offer both it's quite random if it's accessed on the IPv4 or IPv6 address. For example visiting http://ipv6.chappell-family.com/ipv6tcptest/ when testing the firewall s...
by harvey
Tue Apr 10, 2012 4:58 pm
Forum: General
Topic: Q: VPN L2TP/IPSec
Replies: 30
Views: 5922

Re: Q: VPN L2TP/IPSec

I agree about the PPTP, that's why I have avoided it so far.
by harvey
Tue Apr 10, 2012 4:46 pm
Forum: General
Topic: Q: VPN L2TP/IPSec
Replies: 30
Views: 5922

Re: Q: VPN L2TP/IPSec

Ok thanks but Open VPN isn't an option to me as there is no iPad / iPhone client.

PPTP is the only other option.
by harvey
Tue Apr 10, 2012 1:41 pm
Forum: General
Topic: Q: VPN L2TP/IPSec
Replies: 30
Views: 5922

Re: Q: VPN L2TP/IPSec

I am the same, I can't have two connections from the same public IP address even if I create an L2TP server for each user. This is a problem for me as you can't always guarantee where remote workers will be, there are times they may both be in the same place needing to connect back to the office. It...
by harvey
Sun Apr 08, 2012 8:19 pm
Forum: General
Topic: Q: VPN L2TP/IPSec
Replies: 30
Views: 5922

Re: Q: VPN L2TP/IPSec

Please check assigned IPs for userA and userB. Do you use pool for local and remote IP assignments? Solutions: 1. you assign from pool but you need set for local and remote too!! (you can not give fix IP for local and dynamic for remote! because /30 mask) 2. you give fix IP for local and remote to...
by harvey
Sun Apr 08, 2012 1:19 am
Forum: General
Topic: Q: VPN L2TP/IPSec
Replies: 30
Views: 5922

Re: Q: VPN L2TP/IPSec

Further question, following your instructions worked well. However..... If I create a new 'secret' for a new user and they try to simultaneously connect at the same time they can but one user will lose network access. I have also created a new l2tp server interface and mapped the new user to it and ...
by harvey
Sat Apr 07, 2012 9:13 pm
Forum: General
Topic: Q: VPN L2TP/IPSec
Replies: 30
Views: 5922

Re: Q: VPN L2TP/IPSec

Ok, you are right! Need NAT-T for NATed user. But I don't understand your all config because I tested today with my 1100AH (ROS 5.14) and I needed this: mod: I tested with: win7, winXP and Android phone are working well. 1. (you need separate l2tp-server /user with user-name) /interface l2tp-server...
by harvey
Sat Apr 07, 2012 8:39 pm
Forum: General
Topic: Require SSH key
Replies: 2
Views: 494

Re: Require SSH key

It's like that by default, at least on 5.x.
So it does. Just reacts in a different way to what I expected.

Thanks
by harvey
Fri Apr 06, 2012 3:15 am
Forum: General
Topic: Require SSH key
Replies: 2
Views: 494

Require SSH key

Is it possible, like in Linux, to only allow SSH access with the use of an SSH key and not allow password authentication?

I currently have DSA key working just fine but would like to not allow ssh connections via password.
by harvey
Fri Apr 06, 2012 2:48 am
Forum: General
Topic: L2TP / IPSec Useable
Replies: 0
Views: 430

L2TP / IPSec Useable

Hi, I purchased my first RouterBoard today (RB751G-2HnD) running v5.6. I have managed to set it up pretty much as I want. I have been able to set up PPTP VPN access from my iPhone. I would ideally like to run L2TP as it is more secure. I have tried setting it up without much luck. I have been readin...