add action=dst-nat chain=dstnat comment="Port translation (or any other comment)" dst-address-list=[fill in the public IP address] dst-port=443 log=yes protocol=tcp to-addresses=[fill in the private IP address] to-ports 9152
add action=drop chain=forward comment="Block guest network except WAN" in-interface=GUEST_VLAN out-interface-list=!WAN
Correct, there are a lot of reasons why you don't want multiple NAT in your network (and you have found one of them ;-)).ok I understand, but then I have to reconfigure ASUS Wlan to be an AP instead of an router. In AP Mode NAT is not required. Is that correct ?
There is your problem: because of NAT on the Asus, all traffic is blocked (as should be) from WAN to LAN. Please reread my earlier reply.yes the ASUS Router is configured as router, therefore NAT is active and required.
Thank you very much Chupaka, all I had to do is add the internal DNS server to the list that iukatech quoted. It is now working!Yep, they are designed to pass good traffic for further processing by firewall
Do these rules have to be at the top of the firewall?01/13/2021 Still works like a charm on the newer firm as we just went through the same issue
Disabled is disabled...so it won't interfere.OK have done it.
Will be a problem with the disabled Masquerade? Is needed to delete it or it can be disabled?
Can you please share your config?Did you found any solution to that problem or I purchased a dummy wifi router with big antennas?
You can choose either the interface "Orange Optic" or the interface list WAN (assuming the interface is added tot the list as WAN).Ok and what should I choose in the out. Interface (list)? - LAN, Wan, all, dynamic, none and static
Open a new topic with your specific environment and all the information that is relevant. Unless you are also failing on trying to export pdf and have a compromised RB.Hey, I have the same ptroblem, but I'm not that handy with stuff like this, so I just feel lost at the moment.
Thanks, saved my day! Got it working!!Yes, that's what should be set to none IMHO.
Look at first line, dh-group=modp4096 is used for dh in phase 1 and for PFS in phase 2.
Well, actually...No, it does not depend...
add action=drop chain=forward comment="Block intervlan traffic" in-interface=VLAN1 out-interface-list=VLAN2
No, it is not. In advanced mode on your wireless interface you can specify TX Power. No need (anymore) to use the gain setting.Isn't it also the only way to reduce TX Power? By specifying a higher antenna gain? Yes, there are situations where you might want to lower TX Power.
I assume because 1) most Mikrotik devices have fixed antennas (with corresponding gain) and 2) it is no longer required for "tx power abuse", as tx power can be set manually.Why?
I think the conclusion not to expect too much wirelessly of this device as it is 2.4GHz only answers your question...Hi. Did you ever figure this out? I'm sitting in the same boat at the moment.
iperf3 -c <ip address> -P 8
Assuming you have a Windows machine available...have you tried using Winbox? Or, SSH?after update to 6.47.7 there is no more access to web configuration of the device if it in bridge mode.
what to do?
If asking what not to do...don't change you config ;-)Thanks for the hears up but what should I do on my lunch and afternoon break now? ;)
Not sure what requirements (and expectations) you have, I get a solid (little over) 400 Mbps on my cAP ac.maybe the time to change to orthers WiFi devices.