MikroTik

Rudios

just do a

/ip neighbor print file=<name>

If you need detailed information, add the 'detail' parameter.

Rudios

Aren't the LLDP packets based on the neighour discovery?
Disable this.

Rudios

You need to supply more information, like IP assignments etc.

Rudios

I guess both servers are using their default gateway (192.168.1.1) and therefore their ether2 connected slave.
I would create a dedicated route on both servers, that if the other server is the destination, forward the packet to the 10.15.x.1 gateway.

Rudios

I would put the dst-address of your hairpin nat rule being the server only
dst-address=192.168.1.252
Also I don't know what the parameter out-interface-list=all does
Last but not least, leave out the protocol parameter

Rudios

Regarding wiki I need to bridge wireless interfaces and switch master port. In this configuration, when I'm running speedtest wired, I see up to 60% CPU usage. When I removed bridge, created new one only with wireless interfaces, running dhcp on it. On master switch port second dhcp server. Then wh...

Rudios

I don't see any reason to use IP 10.10.10.10 on your DNS.
Try again after removing it, or do you have good reason to use it?

Rudios

So how to achieve this? ether1 - wan ether25 - lan wlan12 - wifi. Create bridge between ether1 & wlan12 (without lan access?), leave ether25 in normal switch mode without bridging? I tried to remove ether25 from bridge and leave there ether1 and wlan12 but it didn't works. Any help please. TIA....

Rudios

I don't think this is going to work.
The RS232 connection on the RB only gives you serial connection to the management interface of RouterOS.
I don't think you would be able to read/write any tcp/ip data to/from the PLC

Rudios

Another option would be to allow dns requests to the router on UDP/TCP port 53 and block the rest.
I have to add that I follow this generic rule: Allow specific desired connection and drop everything else.

Rudios

You should be able to reach the router by winbox
On the other hand, you configured the rule on ether3, what if you connect your cable to a different port

Rudios

I vote for unknown port forward!

Rudios

I have two RB2011's just like this currently. Ports 1-5 work perfectly as a dumb switch, but there does not seem to be a way to communicate with the internals. The LCD screen is white as well. I've tried Winbox, NetInstall, serial console, ssh, telnet, mac telnet, reset button, and spanning the har...

Rudios

You have to make a Hairpin NAT Rule,
http://wiki.mikrotik.com/wiki/Hairpin_NAT

Rudios

The device has a serial port, try to connect to it in order to see if it reacts.

Rudios

I think you have to clarify a little.
If you want untagged traffic only, just use the normal interface.
Or are you looking for something that drops all packets that DO have vlan tag?

Rudios

Disable the master port assignment for port 5.

Rudios

In order to know your firewall rules are blocking the traffic in the right way,
Just ping from a PC in one subnet to a connected client on the other subnet (No the router itself)

Rudios

If you configure it as in the image, you need to create static routes in Fritzbox and Zyxel. RB750 should have similar IP: - 192.168.1.X (ideal static IP, excluded from DHCP) on the interface connected to Fritzbox, eg 192.168.1.2 - 192.168.100.X (ideal static IP, excluded from DHCP) on the interfac...

Rudios

Create the needed VLANs on Eth5 and give each VLAN interface a dedicated address (use separate subnets). Build firewall rules in such a way that the traffic can only go outside /ip firewall filter add chain=forward in-interface=vlan-x out-interface=ether1 action=allow add chain=forward in-interface=...

Rudios

You probably mean you type ping!
And what device is holding the IP 10.20.0.254.
If it is the router (interface connected to the 10.20.0.0/24 subnet) it makes sense, because connections to the router itself are handled in the input chain.

Rudios

What do you mean by "ipconfig to the other subnet"?
Maybe draw us a picture and share some more detailed information about your configuration(s)

Rudios

You have to use dst-nat for this.
create something like

/ip firewall nat
add chain=dstnat action=dst-nat src-address=192.168.88.10 protocol=udp dst-address=88.88.88.88 dst-port=xxx to-address=192.168.88.11

Rudios

That is because the dst-nat rule is carried out before the filter rule is applied, and after the dst-nat rule is applied your dst-address is not your public IP anymore but the 10.x.y.z. address. Also you have to handle the filter rules on your forward chain instead of your input because of this dst-...

Rudios

For sure that your firewall could have some negative impact on your tries.
Just temporarily disable your firewall completely on your PC.

Rudios

It depends on the channel you are checking. As of today the most current release is 6.37.3 for the stable channel, for the bug-fix-only channel the latest version is 6.36.4 In order to update you can always download the latest version from the Mikrotik website and upload the package to your routerbo...

Rudios

The thing is that I do not want to connect ( call ) through my WAN IP and use my internet bandwidth when inside WLAN. I want packet to get forwarded directly to my PBX server so that they are not going through my WAN port whenever Im inside my LAN. I guess it is just a matter of routing, you don't ...

Rudios

As I see it you either have to first knock 1000 OR 2000 and if you then knock 3000 you will be granded access. If you want a specific order, all three should be assigned a dedicated address-list. so knock 1000, add to list port-knock1 then; knock 2000, when in port-knock1, add to port-knock2 then kn...

Rudios

I would even go for one allow rule, and then a generic drop.

Rudios

I assume you have a port forward on our router in order to connect you mobile phone via your external IP.
If that is the case you should configure a HairPin NAT rule in order to be able to connect via your WAN ip when inside your network.

Rudios

MikroTik RouterBOARD RB2011UiAS-RM

That model does have a serial console port, so when you have physical access to the device, use this.

Rudios

Keep in mind to use the Legacy Network adapters on your guest configuration.
When using the Standard adapters, they will appear within RouterOS, but will not passthrough any traffic.

Rudios

I also had the first thought to go for simple solution with VLAN's.
@jarda: But how to solve the wireless links in combination with these VLAN's. I have come across some possible solution with WDS, but it is not that stable after-all.

Rudios

Based on your first screenshot you are not using the IP segment 192.168.88.0 at all on your router. Your local IP address is 192.168.1.1 You have set the subnet mask to /8 (255.0.0.0) I guess you have to revert that back to /24 (255.255.255.0) Also your WAN connection is getting an IP address in ran...

Rudios

I still would suggest my earlier solution.
Bridge all ports on the MikroTik and let the DCHP on your cable modem assign addresses to your NASs (or put static if needed)

Rudios

You actually not using the DNS server supplied by your DHCP server (use-peer-dns=no parameter on your dhcp-client)

Rudios

Please share your configurations, that will make it more easy to help you out.

Rudios

rsc is the result of export

Rudios

I would go for the export feature! The big downside to making a backup is that it could only be restored on the same type device, with exact same RouterOS version. When creating an export (rsc file) you could alter fhe file if needed and load it on practical any replacement device when needed. [EDIT...

Rudios

I am not sure, but I guess you will need a device that has 2 wirelss interfaces.
For as much as my information goes, any wireless interface can only be running as an AP or station at any given time uniquely, no dual modes together.

Rudios

Hi everyone, I found my mistake, actually everything worked well from the start, without having to add route. The packed arrived well in my LAN, but could not return to the VPN, because I marked packets in my LAN to WAN1. I therefore excluded marking packets for the VPN: chain=prerouting action=mar...

Rudios

Hi everyone, I found my mistake, actually everything worked well from the start, without having to add route. The packed arrived well in my LAN, but could not return to the VPN, because I marked packets in my LAN to WAN1. I therefore excluded marking packets for the VPN: chain=prerouting action=mar...

Rudios

not working, I already tried. chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=8291 protocol=tcp in-interface=pppoe-out1 dst-port=8291 log=no log-prefix="" for filter rules, I have default rules. If you have default rules, you should add one for allowing traffic after dst-nat.

Rudios

What device is holding your wifi AP?
Where is the device connecting from located? At the same wifi or on the internet somewhere?

Rudios

The best way is to port-forward (dst-nat) an explicit outside port to the internal ip address of your routerboard, port 8291 (default winbox).
Additionally you probably need an allow rule in your firewall filter input chain.

Rudios

on your RB1100 put the following
/ip route
add dst-address=192.168.0.0/24 gateway=10.10.10.11

Rudios

If you do not have the possibility to alter the corp. network infrastructure, the only thing is left is adding a static route on your corp. domain systems. I don't know what type of systems you are using? As last resort you can also NAT masquerade the traffic from your lab environment towards the co...

Rudios

You should add a route to your remote network on your RB1100

Rudios

What if you do a trace route towards the server?

Rudios

Just disable all DHCP stuff on the routerboard and add all ports to the same bridge.
If bridging all ports, it is just like a switch.
Give the MikroTik an IP address for management only (in the 192.168.0.x segment)

Rudios

You have to configure routes towards the corp. domain side of your routerboard.
If only 1 or 2 single devices from your corp. domain needs access to your lab environment I would put a static route on these devices.
If you have multiple, I would solve it in your corp. domain router.

Rudios

Make only 1 network segment and connect directly to the NAS,
Why you put the MikroTik in between with routing (and probably also NAT)?

Rudios

how about any firewall filter rules? For only routing the traffic to the office over the SSTP connection, you have to connect to your office without supplying a default gateway to the connection. Additionally you have to manually put a route on your desktop for the network segment(s) used on your of...

Rudios

So here's the thing to remember: RouterOS process NAT rules before it does Filter rules, so an Accept rule on the input chain will never get hit if you're NATing the traffic. [...]. If referring to dst-nat you are right, dst-nat is handled in pre-routing (before routing decisions are made) Based on...

Rudios

When you are connected to your internal network, how do you access your camera? By using port 80 or 8150? <edit> Since you have supplied your public IP in your previous post I just gave it a try and when I go to port 8150 I end up seeing some "Shark Security" login page for a camera, so in...

Rudios

Input chain is used when traffic is destined for the router itself forward chain is used when traffic is destined for a client and router used to forward the traffic towards it. Then comes the NAT-ting part. Look at http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6 and there you will come to the c...

Rudios

Hi pcarlo71, In my humble opinion you should put in FILTER rules, before rule nr. 6, a rule to accept connections for port 8150: IP -> FIREWALL -> FILTER 1. In GENERAL Tab, click "+", for add new rule 2. select CHAIN = input 3. select PROTOCOL = (6) tcp 4. select destination port = Dst. P...

Rudios

I would try to re-install RouterOS and if that doesn't help I would contact MikroTik support or your supplier because I assume it could be a hardware fault.

Rudios

It looks like your installation is broken (unable to start from internal storage)
RouterBoard will try to start from netinstall.
I would setup netinstall on your PC, hook it up to port 1 of the routerboard and see if it boots.
If so, install a proper RouterOS version via netinstall.

Rudios

i want to know how to link dns no-ip and mikrotik. i already try script but not working. someone can help my problem. i am beginner. i will give you teamviewer connection. please help Like I replied before with the script. Create a new script (Within winbox go to system -> scripts, hit the plus sig...

Rudios

Solved, put my NAT rule masquerade for src.address 172.16.10.0/24 in router 2 to the top (just notice it behind other nat rules so it won't work.) and it work like a charm. Gotta note it =.=!! Thanks you guys for helping me all this time :) Good to hear you solved it, nevertheless I am curious abou...

Rudios

The description is quite obvious (is there a loop)
Without you telling us what is connected to the ports it is very difficult to tell what is going on.

Rudios

I use the following code and it works perfect. #************************************************************************************************ # Parameters #************************************************************************************************ :local username <my-username> :local passwor...

Rudios

I would first disable all firewall rules to see how that goes (maybe only let exist the masquerade rule on RouterA to have internet connection)

Rudios

Does your DHCP supply gateway address?

Rudios

Pick the npk file from the same version you are running.
Also take note of the architecture.

Rudios

Can you please share your 2 configs.

Rudios

are you using any NAT on the second router?
How about firewall, on both routers and the destination client?

Rudios

I am not really into the specific performance differences between various MikroTik models, but I would go for a central MikroTik device to handle all the outgoing traffic and bandwith throttling. Maybe it is worth the effort of putting up dedicated IP segments between the central router and each app...

Rudios

Sure it is possible, just clear the config of R2 with no defaults.
Create a new bridge and put all ports as member of put port port1 as a master for port 2-5
Maybe for easy maintenance access, assign an IP address to either port 1 or the new created bridge (depending on your choice above)

Rudios

During the writing of the post I did check again and found NOTHING of this behaviour anymore!!! OK, that's good as a result, less so as still being unexplained. Indeed glad they're gone, still unclear why For lowering the load on the CPU and block useless traffic I added unreachable routes to my ro...

Rudios

same issue with Samsung TV and this router, no fix so far that i am aware of. I think someone narrowed it down to the device not wanting to talk to the bridge, if you do not have it bridged it works, but as soon as you join the port to a bridge it stops working. Might be worth it to give that a try...

Rudios

Since my RB2011 also has 100Mbit ports and the printer only has 10/100 Mbit capabilities I did not look further into the problem, I just connected the printer to a 10/100 Mbit port. So I am unaware of any solution (other then the one you found; adding a dumb switch). PS. What are the speed capabilit...

Rudios

I have seen somewhat the same behavior with a printer and an RB2011. My conclusion that time was that for some reason the printer wouldn't work when connected to one of the Gbit interfaces of my RB2011. Since you are using an RB951G, also with Gbit ports, I suppose it is cause by some same issue. I ...

Rudios

Like th0massin0 mentioned before, take good notice of the applicable version.
If you would like to add a package, upload the file from the corresponding version as your router is running.
You said you upgraded, but the printout is stilll showing 6.37 (not .1)

Rudios

It is up to you to configure which is which.
Just build your firewall rules in such a way that the traffic is allowed/blocked the way you want it to.

Rudios

Apologies for the late reply; it has been a busy week. No worries for late replies. Just to make sure I have established the correct picture of your situation (as it's not your everyday SOHO setup you have running there): Traffic originating from 192.168.110.253 destined for 172.18.3.4 is coming in...

Rudios

I'm looking into the same question.
I find it very annoying that I'm unable to jump to the first unread post straight away.
By the way, the same applies when listing "Your posts" and is not limited to the "Active Topics" listing.

Rudios

I have found an issue when using inline comments. On initial opening at least the interfaces or firewall windows (maybe other as well, didn't check) the comments column is not there. I have to disable and re-enable the inline comments option in order to let it be shown. And after checking more, I fo...

Rudios

Hello I made some changes in your configuration,please try it and tell me if it works ok or not. Please tell me why are you using "log-prefix" /interface ethernet set [ find default-name=ether1 ] comment="Modem #1" set [ find default-name=ether2 ] comment="Modem #2" se...

Rudios

I believe you can.
Your desired default configuration can be loaded via netinstall when installing the RouterOS.

Rudios

If the destination is unreachable, then the router will drop the packets, but will also generate an ICMP destination unreachable message to the sender. This would be good in an internal network because it will speed up failure detection. Also, when not using an OS that wants to hide all technical m...

Rudios

Aaah, I just thought how about disabling the DHCP client on that specific interface, but I just checked one of my test systems and found out that DHCP client can not be bound to a PPPoE client interface. I assume that it will grab an IP automatically. Isn't your ISP supplying you with your static as...

Rudios

@ZeroByte Adding a blackhole rule for the /16 was indeed the way I was tending to go. An in the meantime I think I will also add 10.0.0.0/8 and 172.16.0.0/12 just to block all private ranges. Does this still make sense? Definitely. I put those very routes in all of my border routers. No need wastin...

Rudios

Wouldn't it be possible to export the configuration to a file without all the unhandy page-breaks?

I have a script that creates an configuration export.
The annoying thing is that there are a lot of page-breaks in the file, which makes it harder to read and to compare.

Rudios

How about just configuring your ISP supplied IP address to the PPPoE client, and disable the DHCP-client on it?

Rudios

Also when running 6.36 my test environment works as suspected.
With the passthrough parameter set to no the system keeps working, so I assume it is not version related in this matter.
This makes it even more weird for me....

Rudios

The IP Addresses shown by the firewall connections are indeed Ubiquiti devices that are managed by the CRM point. However, these devices are all situated behind either MT3, MT4 or MT5. So I would assume that this traffic flows via MT2 (Central router) towards MT3,4 or 5, and not towards the border ...

Rudios

@ZeroByte Adding a blackhole rule for the /16 was indeed the way I was tending to go. An in the meantime I think I will also add 10.0.0.0/8 and 172.16.0.0/12 just to block all private ranges. Does this still make sense? Definitely. I put those very routes in all of my border routers. No need wastin...

Rudios

I have again bounced into some weird behaviour. I am managing a system that does PCC over 4 ADSL lines. These 4 ADSL lines are having an individual modem per line and all 4 modems are connected to a RB2011 for doing the PCC splitting. For testing purposes I have re-build the same situation with some...

Rudios

The IP Addresses shown by the firewall connections are indeed Ubiquiti devices that are managed by the CRM point. However, these devices are all situated behind either MT3, MT4 or MT5. So I would assume that this traffic flows via MT2 (Central router) towards MT3,4 or 5, and not towards the border r...

Rudios

I have to come back to my previous statement. I have looked at the torch a little while longer I have seen a short period where there were indeed entries with connections between 192.168.110.253 and 172.18.x.x Althought I only have seen it twice. See my attachments below Firewall connections overvie...

Rudios

For some reason I was unable to send you a PM.
Contact me on babbelbox@zonnet.nl

Rudios

Doing a torch on the incoming port of the central MT1 is not showing any traffic from the management device 192.168.110.253

Rudios

@haik01 Like said by Che, more specific routes (I do have /24 for each segment) 'win' in favor of the /16. @che I'm not redistributing my statics within OSPF, I'm only distributing my default route from my central router which has a 0.0.0.0/0 towards the internet. @ZeroByte Adding a blackhole rule f...

Rudios

I have a system consisting of multiple MikroTik routers (MT1 MT2, MT3 and MT4), all connected towards 1 central Mikrotik (MTC) which has an internet connection. MT1, MT2, MT3 and MT4 are all handling their own 192.168.x.0/24 ip segment and OSPF is running. In order to prevent unnecessary routing tow...

Rudios

You have to make sure that both the WLAN interface and the interface the PC is connected to are in the same bridge. Seen from your pictures the WLAN interface is not added to any bridge and ether3,4 and 5 are slaved to ether2 So create a bridge (if not already existing) and add ether2 and wlan inter...

Rudios

It indeed is normal, internal traffic and I have made the same assumption you did.
When doing a trace route from any given MT (3,4 or 5) towards the CMR Point the result shows a direct connection with only the IP address of MT2 router at connection point of chosen MT3,4 or 5.

Rudios

I tried to add a small drawing of the situation multiple times, but for some reason it keeps failing.
Hereby a link to the drawing.
https://www.dropbox.com/s/7ja71gc105q8q ... p.jpg?dl=0

Rudios

I bounced into something very strange. Imagine the following scenario 1 Routerboard with ADSL modem behind it. Doing NAT towards the modem and internally connected to a second routerboard. 3 additional routerboards are connected, each handling a dedicated network segment (192.168.11.0/24, 192.168.12...

Rudios

In my case, right clicking gives me a list of options, including download.
The way I do it is clicking the 'copy' icon (third icon, the one with two sheets behind each other) and then paste somewhere on disk on my PC.

Rudios

I muddled through and found it:
Code: Select all
/file edit [filename] contents

Another option would be is to download the file to your PC and open it with your preferred editor.

Rudios

I just tested and it seems that the file is just saved next to the winbox executable file. Maybe that is because I have saved it once this way and that Winbox keeps it like that and that it is not the default behaviour, but hey, if I can, you probably can :) Rethinking it I guess it can be saved any...

Rudios

Are you installing the correct version?

Rudios

What is your goal with the 2 ADSL lines.
Are you looking for some load-balancing solution or primary / backup situation.
Maybe it is worth reading this http://wiki.mikrotik.com/wiki/Manual:PCC
This will help you build a load-balancing solution with failover capabilities.

Rudios

Funny if i check for downloads. I see a new version available (6.37) but the changelog is set back to 6.30
nstalled Version 6.36.3
Latest Version 6.37
What's new in 6.30 (2015-Jul-08 09:07)

Even when running 6.37 it shows the 6.30 changelog.
Probably in-between fix for the changelog-to-long issue.

Rudios

I can imagine that it is a hustle if you need to forward a whole bunch of ports, but are you really in that situation?
How many ports do you need to forward?
I don't know your ISP supplied router, but maybe it is possible to forward a range.

Rudios

Why not use a different IP segment behind your hEX? How can i port forward than?ISP router blocks all the traffic, and i can only port forward from him and in that 192.168.1.0/24 range, usualy i put mikrotik IP in DMZ zone on ISP router, than all ports are open on mirkotik and i firewall and port f...

Rudios

Why not use a different IP segment behind your hEX?

Rudios

[...] Why would you use station-pseudobridge instead of the normal station-bride mode? From what I understand, station-bridge mode requires RouterOS devices on the AP and the station. In my case, my RouterOS device is the station and not the AP. http://wiki.mikrotik.com/wiki/Manual:Wireless_Station...

Rudios

Why would you use station-pseudobridge instead of the normal station-bride mode?

Rudios

Is your DHCP server supplying a router address
Go into DHCP-Server -> Network and check
There is probably the default entry for 192.168.88.0/24 with the corresponding router address (probably called gateway).
Add a new network entry for the 192.168.89.0/24 network with the correct gateway.

Rudios

I wouldn't assign the 192.168.88.x address to port 5 directly, as there is a desire to connect more phones (possibly laptops) in the future. I would just configure the VLAN as described and create a new bridge and add the newly create VLAN as member. Put the 192.168.89.x address to the VLAN bridge, ...

Rudios

Just create a dummy route rule (just a copy of the existing route rule) with a higher distance.

Rudios

I think you also need something like this
http://wiki.mikrotik.com/wiki/Hairpin_NAT

Rudios

We are still on 6.34.6 as 6.35 and 6.36 broke our routing-marks for multi-wan setups... Is this issue fixed again? Can't you fix that by turning off fastpath? I have a setup running with a 4-WAN config and did not experience any problems while running 6.36 My test-setup is running 6.36.2 and also t...

Rudios

Or even combine both in-interface AND dst-address.

Rudios

Hello Anyone Help me Pls?

You need to configure something like PCC (http://wiki.mikrotik.com/wiki/Manual:PCC)

Rudios

Be sure your subnet mask are correct on all devices (R1, R2 and PC1)
Also check your firewall on both your Routers and your PC.

Rudios

... Unless you made a typo with pasting here, your pool3 has a very strange range /ip pool add name=pool3 ranges= 162 .168.30.120-192.168.30.159 AHHH!! Thank you. This must be the problem!! Could be, although it is very weird that the router 'chooses' to assign 192.168.29.x and not anything startin...

Rudios

Do you put only a config on the box? Or do you downgrade RouterOS to an old and wellknown version? The latter is not generally possible. You should not downgrade RouterOS to an older version than the device came with. Agree (although I find it strange that a newly delivered device with let's say 6....

Rudios

...

Unless you made a typo with pasting here, your pool3 has a very strange range

/ip pool
add name=pool3 ranges=162.168.30.120-192.168.30.159

Rudios

Be aware that RouterOS is a quiet picky when it comes to config files with respect to versions.
Some commands do not exist anymore in newer versions.
So make sure your config file is compatible with the designated RouterOS version.

Rudios

and what about the IPv6 EoIP? as it was said, just add eoipv6 tunnel, not eoip: [admin@TestPlace] /interface eoipv6> add remote-address=2a00:1028:8386:8c5e::1 tunnel-id=0 Ha! thank you, overlooked that. Works like a charm now. If there are specific IPv6 related interfaces to be created, why are the...

Rudios

I'm willing to give it a try, what do you exactly want?

Rudios

If I connect the printer to a 100Mbit port, it works! When connecting to a Gbit port, the Routerboard stated the negotiation was done and speed is set to 100 Mbit. That is ok, since the printer doesn't have a Gbit interface. I couldn't find any setting in the printer to force to any speed, but forci...

Rudios

@darkprocess:
Yes, all are member of the same bridge.

@pe1chl:
All set to auto.

I thought it could be related to gbit capable interfaces, since the mAP only has fast ethernet ports. I only tested the gbit interfaces of the RB2011.

Rudios

I happen to experience some strange behaviour. Last week I bought an HP printer, with ethernet port. When I connect the printer to any port of my RB2011 (tried multiple cables and upgraded to ROS 6.35.2 during testing) the printer will not receive an IP from my DHCP server. Also when I configure an ...

Rudios

How great!

Just tried again today with the latest RC (6.35rc49) and it seems to work on Hyper-V running on Windows 10!
Also the 'normal' Hyper-V network interface is functional!
Keep up the good work!

Rudios

Hi folks....I pulled down the VM images and Hyper-V gets an IMPORT FAILED! A server Error occurred while attempting to import the virtual machine. Import failed. Import failed. Unable to find virtual machine import files under location "D:\xfer\Mikrotik\VM\". You can import a virtual mach...

Rudios

[...]
We will check what is going on on Windows 8.1 and Windows 10 and normal Hyper-V interface.

That would be nice!!
Hope to hear some possible solutions soon!

Rudios

What you did was indeed what I suggested.
And what happens if you put the PNG into the same directory as the error.html and refer to it by name only (src="stop.png")

Rudios

I would not put this as a bug right away.
192.168.0.0/24 IS icluded in 192.168.0.0/20
Although 192.168.1.0/24 up to 192.168.4.0/24 are also included.

More basic question, why do you have these overlapping subnets in the first place?

Rudios

AFAIK Level 3 RouterOS does not support AP mode for wireless...

Rudios

One of the little things you can do is PCC. This will load-balance your traffic over multiple connections. But you will in no way be able to aggregate the full speed of all connections if you have no control of the equipment on the other side of the lines. If you would have this control, you would b...

Rudios

and if you start your url with a '/'?

Rudios

I agree with cdiedrich

Rudios

Also keep in mind that when on a Cisco a port is in access mode, the packets exiting the port are actually not tagged with any VLAN information, it's just all access ports with the same vlan are like a separate switch. And since you have bound the 99.1 IP address to the SPF+ interface on your MikroT...

Rudios

I have tested CHR on Windows 10 just now. Running 6.31. I only see my legacy network adapter, not the normal one. Another issue I noticed is that when I check for updates, it tells me that version 6.33.1 is available and after download and reboot it tries to install but the VM keeps rebooting. {add}...

Rudios

If you want your own internal LAN, make sure you put DHCP on your LAN bridge or master port and make sure the WLAN interface is not member of the bridge. Also make sure you create a masquerade rule for the traffic on out-interface=WLAN. If you do not really need your own dedicated LAN IP segment, ju...

Rudios

You can make use of the mangle facilties in the firewall.
As long as the source and destination for both streams are different.
Look at the PCC samples on the web and alter it in order to force certain communication over a dedicated line.

Rudios

Another option would be defining the admin MAC static by choosing one of the assigned interfaces.
Than it never changes depending on PPTP and so on.

Rudios

new images for CHR http://www.mikrotik.com/download/share/chr_6_32.img http://www.mikrotik.com/download/share/chr_6_32.vmdk Hyper-V normal interface is fixed. I don't know what is wrong, but in my case it just keeps rebooting on Hyper-V (Running on Windows 10) [edit] I also have tried to start from...

Rudios

new images for CHR http://www.mikrotik.com/download/share/chr_6_32.img http://www.mikrotik.com/download/share/chr_6_32.vmdk Hyper-V normal interface is fixed. I don't know what is wrong, but in my case it just keeps rebooting on Hyper-V (Running on Windows 10) [edit] I also have tried to start from...

Rudios

What's the purpose of leasing indefinitely?
Making leases static will always assign that IP to the specified MAC.
And the DHCP protocol will refresh the lease within the specified lease-time anyway.

Rudios

I don't know whether it is already mentioned by somebody but I did not read it yet. I have tried the latest available version (6.31) on Hyper-V (Running on windows 10, if it matters) and it seems to work. Only thing I noticed is that only legacy network interfaces are available on the RouterOS inst...

Rudios

Another possible bug I found is that when I assign more than 1 virtual processor, the interface I configured won't get an IP address from my DHCP server (running on a real routerboard).
The routerboard does offer an IP, but it keeps in status offered and the DHCP client on the CHR keeps searching.

Rudios

I don't know whether it is already mentioned by somebody but I did not read it yet. I have tried the latest available version (6.31) on Hyper-V (Running on windows 10, if it matters) and it seems to work. Only thing I noticed is that only legacy network interfaces are available on the RouterOS insta...

Rudios

Also worth adding no-defaults=yes and skip-backup=yes to the reset command.
This will prevent the router from building the default setup (like the 88.1 IP address etc.)

Rudios

Can you share your configs please?
Possibly something with masquerading rule?

Rudios

you could add drop rules for all the possible connections you do not want, like this /ip firewall filter add chain=forward action=drop src-address=172.28.8.0/24 dst-address=172.28.9.0/24 add chain=forward action=drop src-address=172.28.8.0/24 dst-address=172.28.10.0/24 add chain=forward action=drop ...

Rudios

You said you're able to ping 8.8.8.8 from the routerboard itself.
How are the IP and routing settings on your connected PC's?
I can not fully understand why you are using 192.9.x.x address ranges on both internal networks.

Rudios

Also keep in mind that when port5 is slave to port2, assign the VLAN interface to port2 on the mikrotik.

Rudios

I have always used VLANs as interfaces on the ethernet, not used switchport but here's an option. Create the two desired VLAN interfaces on ether9 /interfaces vlan add name=vlan1-e9 vlan-id=1 interface=ether9 add name=vlan2-e9 vlan-id=2 interface=ether9 Build the DCHP servers for each VLAN and assig...

Rudios

That's not gonna work.
192.168.x.x is a private range, and not routable over the internet.
If you want communication between the two locations, build a VPN tunnel (pptp, lt2p, sstp) between them and route the designated traffic over that tunnel.

Rudios

If you mean that every connected device will be limited to the 4Mbit of internet speed, just configure simple queue on the master router.

Rudios

For the failed upgrade, make sure you uploaded the correct packags. For CCR units use the Tile version of the package. The RB2011 uses mipsbe packages which are different. When you are importing your config, which looks fine by the way, does it give any errors? Is the unit running with default confi...

Rudios

Please post your current /export and the IP addresses of the 2 PC's.

Maybe just start without NAT and check whether that is working fine.

Rudios

Did you change your routerboard config as jarda mentioned.
Remove port 3 and 4 from slaving and make them individual ports

Rudios

Adding the fasttrack option is only applicable for the forward chain.
It does not affect the input chain.

Rudios

How about the IP configuration of the two PC's?
And also there is an overlap on your 2 IP segments 10.140.0.0/16 includes 10.140.1.0/26
And last but not least I go with jarda about the switching settings.

Rudios

I experience some behaviour with netwatch I don't understand. I am checking an IP address with an interval of 1 minute (the default) and when the IP goes down/up it will send me an email. That functions as expected. But I have put the timeout to 600000ms (10 minutes) because I don't want to get noti...

Rudios

Are your routes ok?
Does your Home device know how to reach the 10.10.7.0/24 segment?

Also take care of your firewall filter rules.
If you have any, also make sure you have an allowance for pinging from the tunnel interface.

Rudios

Changing the port to something else (i tried 81) did not make any difference (Obviously also changed the NAT rules

).

The thing that did help was rebooting the device.
Still I have no clue what went wrong but after reboot http is working again.

Rudios

Consider the following setup. Setup question.jpg Router RBA and RBB are both MikroTik routers. RBA has all interfaces bridged and two vlan interfaces tied to the bridge (id 18 en 20) 3 dedicated networks are available for the three interfaces 192.168.109.0/24 for the bridge 172.18.16.0/23 for vlan18...

Rudios

Why are you trying to dstnat to the router itself? In your dstnat rules you have specified as to-addresses the IP of the router, you are doing some kind of redirect here. The dstnat rules on the modem should be sufficient to reach the router services you are trying to reach. Although I would sugges...

Rudios

Picture the following situation. ADSL Modem with normal home use, so including NAT and firewall. IP address inside 192.168.12.1/24 3 nat rules incoming ports 10022, 10080 and 18291 are forwarded to 192.168.12.2, no change of ports. Connected Mikrotik with ether1, with IP address 192.168.12.2/24 Seco...

Rudios

I would leave the names as their default and add a comment to identify the connected devices.

Rudios

marking each packet with a routing mark directly will probably work, but will require all packets to traverse the selection criteria. This takes more resources than first tag the connection and then, depending the connection mark with routing mark. On the other hand I guess it also to overcome the i...

Rudios

Theoretical the traffic will be divided into two groups, marked with routing-mark. These routing-marks will be used by the routing-table in order to route the traffic outside over 1 of the available ADSL lines. I have PCC configured for 3 ADSL lines and I have 9 routing rules. 3 for each ADSL line, ...

Rudios

I vote for firewall issue on the PC's itself.
If 1 of the PC's can ping both IP addresses of the CRS, routing is ok.

Rudios

Why do I need an additional rule like this? (seen of system A) /ip firewall nat add chain=srcnat action=accept src-address=<local lan A> dst-address=<local lan B> As far as I know the masquerading rule "should" not catch the outgoing traffic towards the other side of the tunnel, because i...

Rudios

I don't understand. Why do I need a src-nat accept rule in order to get IPSec functional. System setup explanation: I have 2 locations, each with static IP over PPPoE initiated from an RB951. One is L2TP server, the other is L2TP client. I connect from A to the public IP of B, this works fine. On ea...

Rudios

If packages are installed and you are running default configuration there should be multiple entries on the LCD to choose from and also some interface usage slideshow. If your display only lights-up when booting I wonder if it is broken. Are you seeing some text when booting, "like booting from...

Rudios

I would go for this set of rules. /ip firewall filter add action=drop chain=input comment="Drop invalid connections" connection-state=invalid add chain=input comment="Allow ping from outside" disabled=yes in-interface=ether1 protocol=icmp add chain=input comment="Accept esta...

Rudios

Probably you need to create a route or some mangle rules in order to force traffic to go over the tunnel.
If you are using the default configuration, all traffic will be forwarded over ether1.

If your PPTP tunnel is up, can you perform a ping to the other side of the tunnel?

Rudios

Create a DHCP server, attached to the bridge.
Define the correct network and specify DNS and Gateway in order to hand these to DHCP client.

Rudios

If you connect ether1 of your RB750 to your existing TP-Link and connect your PC (with DHCP on) to one of the ports of the MikroTik it should work right away with default config. - Is your MikroTik served with an IP address from the TP-link? - When you connect your PC to the MikroTik, are you served...

Rudios

rextended is right. I can assume that you have the desire that subnet on port 2 can initiate connection to all different subnets but subnet on port 3 and 4 are only allowed to go online (via port 1) If that is the case, use these rules /ip firewall filter add chain=forward connection-state=related a...

Rudios

Thank you, I will give it a try. At which position has the accept rule to be set? chain=forward action=accept protocol=tcp dst-address=192.168.0.5 in-interface=pppoe-WAN dst-port=8083 log=no log-prefix="" And has the masquerade NAT rule to be at the TOP or at the bottom of the port forwar...

Rudios

I would go for the following default rules. /ip firewall filter add action=drop chain=input comment="Drop invalid connections" connection-state=invalid add chain=input comment="Allow ping from outside" disabled=yes in-interface=ether1 protocol=icmp add chain=input comment="A...

Rudios

What you could do (although it is not a real solution) is put a bogus IP address as reservation for the deisred MAC address. If the device then request an IP from the DHCP server it will get a unusable IP address and will not be able to browse the internet. (e.g. assign 192.168.100.254 for the devic...

Rudios

Are you trying to connect from outside your own network of from inside? If you are trying from inside, you will need an additional hairpin nat rule http://wiki.mikrotik.com/wiki/Hairpin_NAT The rules you have posted are looking fine to me, although I would go for a slightly different set of default ...

Rudios

I don't understand, the interfaces are named with text below each connection port

Rudios

Do not put the full zip file. You indeed need to extract the zip and put all the individual (needed) npk files. They will show up on the files list, not on packages. Please be sure to obtain the correct version of the desired packages. I see you are linking to the MIPSLE package, what RouterBoard do...

Rudios

Create a bridge, and put both wlan and ether interface to that bridge.
Define a security profile to connect via your laptop.
I assume you want a plain bridging connection.

Rudios

Can you please share your config to see how your VLAN interfaces are bound to your hardware interfaces.
I have somewhat the same situation and did not came across this issue.

Rudios

Please make sure you have enabed, /interface bridge settings set use-ip-firewall=yes if bridge is used on your router. Why does this have to be enabled, as far as it seems to me it is just a plain router, with incoming on pppoe. 1. First, enable IP Cloud from WinBox menu. 2. Also here, /ip firewall...

Rudios

Just upload the desired packages to the routerboard by pasting on the folders entry within winbox GO to System -> Packages and hit downgrade. Where can I get previous versions ? You can alter the download link of the latest version into the version you want. I don't know what is officially view of ...

Rudios

Just upload the desired packages to the routerboard by pasting on the folders entry within winbox

GO to System -> Packages and hit downgrade.

Rudios

Go for PCC configuration.

I have it running with multiple ADSL lines for almost 2 years now and is working great.

http://wiki.mikrotik.com/wiki/Manual:PCC

Rudios

I think you should add the in-interface parameter on your dstnat rules.
At this stage, all the traffic, both from inside and outside is dst-nat'ted to the Synology.

Rudios

How are your email settings?
Server, username etc.

Rudios

Hi RazorMK, use the following, making sure that where I have set ether1 you set it to the interface where you connect to your isp. /ip firewall mangle add action=change-mss chain=forward new-mss=1400 in-interface=ether1 protocol=tcp tcp-flags=syn tcp-mss=1401-65535 add action=change-mss chain=forwa...

Rudios

All you need is a Hairpin nat rule
htttp://wiki.mikrotik.com/wiki/Hairin_NAT

something like

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.2.0/24 dst-address=192.168.2.200 out-interface=<local lan bridge>

Rudios

I can't direct you to any videos, but I am sure youtube is loaded with mikrotik configuration examples
Also check the mikrotik manual @ http://wiki.mikrotik.com/wiki/Manual:TOC

On the other hand, if you have some difficulties maybe you can put your issue/question here and we can help you.

Rudios

For the first two you can probably solve it by creating static DNS entries on your routerboard.

For the last option you will need a hairpin-nat rule to let that work
See http://wiki.mikrotik.com/wiki/Hairpin_NAT for that.

Rudios

You have to move your DHCP server to be on the created bridge, this is probably still on the master-interface.
This also applies for your IP address assignment

Rudios

I would be nice that in /ip service I could set more ip address or one addres-list
erm, you actually can do this (not with ACLs but with multiple IPs)

Why not just block unwanted access by firewall?

Rudios

I guess you have some dst-nat rule configured.

Search found 966 matches