MikroTik

erlinden

As all interfaces are on the same bridge, from a computer perspective this connection is through a switch (so no firewall involved). DHCP reservations are beneficial for the IP addresses but not necessary. I would expect to find the solution in the notebook, is this network a so called "private...

erlinden

Id on not agree with the above: /ip dhcp-server network add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24 Can a wireless client ping any public IP at all? Does the DNS server resolve names correctly while connected wireless? Can you please remove serial and place the c...

erlinden

Nice!

erlinden

But my configuration can't have fast track

Because?
Can you share your config?

/export file=anynameyoulike

Remove serial and any other private information and post between code tabs, using the </> button

erlinden

Can you share the config, @oldunixguy?

/export file=anynameyoulike

Remove serial and any other private information and place the ouptu between code tags with the </> button.

CLI not the better option for you?

erlinden

Share config (of the CRS):

/export file=anynameyoulike

Remove serial and any other private information (and place the output here between code tags </> button)

Have you followed this tutorial:
https://help.mikrotik.com/docs/pages/vi ... Id=1409149

erlinden

Still back at square one. Device not detected on Router. Master: Unknown

How did that MAC address get there?

erlinden

On this forum

Can you please share your V7 config:

/export file=anynameyoulike

Remove serial and any other private information. And please place the output between code tags, that is the </> button.

erlinden

Have you tried rebooting?

erlinden

Do you perhaps have a port forward on port 443?
Anything in the logging?

erlinden

Have you found this topic yet:
viewtopic.php?t=180838

@anav is well known on this forum for both his firewall knowledge as well as his communication skills

erlinden

A virtual interface uses the same frequency as its master. Per radio there is only one frequency possible. Did you do a complete config of the virtual interface (at least SSID)? Can you share your config? /export file=anynameyoulike Remove serial and any other private information. And place the expo...

erlinden

Ending with a "drop all" is a very nice approach: it will force you to think about what you want to allow. In regards to your firewall rules: I prefer to first set all rules on the input chain and then on the forward chain. Just for readability (is that correct English?). The order is of i...

erlinden

Can you please share your config, just to make sure...?

/export file=anynameyoulike

Remove serial and any other private information, and place the output here between code tags (</> button)

erlinden

That is because LTS and stable are on the same version (but there might be a difference in build number which is not the same as version). Just ignore it. Or not.

erlinden

i can not add new cap to existed old capsMan

cAP ac or cAP ax? For the latter you will have to wait for v7.13 (currently beta) to be able.

erlinden

Looks like it fixed the issue. But now I have a weaker signal (

Is that a problem? Your accesspoint is probably still sending with higher signal than the mobile device.
Stronger is not always better...

erlinden

A1. Is your modem a router as well: YES = sell RB1100/NO = Modem, Router, Switch, wAP A2. A router needs a firewall, especially when publically available (public IP address) A3. A switch is a switch, no router -> no firewall A4. Default firewall rules are sufficient A5. SSID per network, VLAN is a v...

erlinden

Have been running my RB4011 with nearly all versions...never had this problem. Can you share your config (just to be sure)? /export file=anynameyoulike Remove serial and any other private information, and place it in between code tags: </> Have you tried using a different power supply? Could it be r...

erlinden

RB4011, hAP ax2, hEX S, wAP ac and cAP ac upgraded, no problems for me.

erlinden

Everyone can use Google translate: Hello folks, I'll try it in German first because I probably won't be able to describe the problem clearly in English. I have a WiFi environment with 14 access points (CAP AC and CAP XL) and an RB5009 as Capsman. The illumination with Tamo showed that I had no space...

erlinden

What is the processor consumption while performing a speedtest?

erlinden

Yes it does.

By which I mean:

can you explain what you are running into exactely?
can you share relevant config?

/export file=anynameyoulike

Remove serial and any other private information. And please use the </> tag!

erlinden

You can't stop users for getting around security. Reason I block port 853 is because it was used by a Huawei smartphone (out of the box).

erlinden

I think you indeed have to add the interface list to prefend that anyone (from the Internet) can use your router to get to the DNS server (94.140.14.15). So it is solved. Therefor no attack, just abuse of an incorrect firewall config. As well you might want to consider closing port 853 (DNS over TLS...

erlinden

I think your family is attacking you... :D What do you think these two lines do? add action=dst-nat chain=dstnat comment="DNS ADGUARD FAMILY UDP" dst-port=53 in-interface-list=USUARIOS protocol=udp to-addresses=94.140.14.15 to-ports=53 add action=dst-nat chain=dstnat comment="DNS ADGU...

erlinden

Isn't there an easier way than vlans to segregate traffic by which SSID users connect to?

Sure, get seperate hardware and a second internet connection.

erlinden

Is there an easier way to secure my environment? If you have seen this topic: https://forum.mikrotik.com/viewtopic.php?t=143620 and find it over your head, you should consider getting external help. As, based on your information, you might not be the man for the job. My tip (if you still want to do...

erlinden

My AX2 has 55C when idle, is it okay?

Just checked, around 53C here.

erlinden

@Numlock, if you change Channel to long term, is this still happening?

erlinden

Don't ever use WPA-PSK, use WPA2-PSK only.
Don't use legacy protocols, use 802.11n on 2.4GHz and 802.11n/ac on 5GHz
Don't use 40MHz bandwidth on the 2.4GHz radio, unless you live in the middle of nowhere

Then test again.

At what speed is the testdevice connected to the router?

erlinden

Will you have an AON or an XG-PON connection (assuming you will have fibre)?

erlinden

At what speed (rate) is the phone wirelessly connected to the router?
What speed do you expect?
How crowded is the 2.4GHz band (use the scan option of the Mikrotik)?

erlinden

Google Translate (https://translate.google.com/?hl=nl&sl=auto&tl=en&op=translate): Good morning everyone, I'm new here, I needed the new WireGuard function that was released in version 7.11 so I decided to update my RB 1100 to the stable version 7.11.2. When updating the RB it simply tur...

erlinden

Your rule is basically a drop all rule (which is fine by itself), hence everything from WAN is dropped. If you want to be able to port forward, you have to accept for specific ports, something like: add action=accept chain=forward dst-address=192.168.1.254 dst-port=59010 log=yes log-prefix="POR...

erlinden

Sounds like you have your CAP currently configured as router...why? Not completely clear what you try to accomplish, but it would make more sense (in my opinion) to configure the CAP as CAP (through either reset or Quick Set): https://help.mikrotik.com/docs/display/UM/cAP#:~:text=Reset%20button,-The...

erlinden

What exactely do you mean by V7 device? The "real" difference is being either a wifiwave2 device...or not.

erlinden

Did you configure the openvpn_client (that's one of the reasons it is preferred to have the config instead, as a lot of info is missing). Why did you open the port? Assuming you want to connect the router to the office? /export file=anynameyoulike Just remove serial and any other private information.

erlinden

Using Windows Server 2012 is wrong in itself...but I guest that is not the question.
How is the client configured?
And how is the server configured?

/export file=anynameyoulike

Make sure to remove serial and any other private information.

erlinden

What are you trying to accomplish functionally, @fxwireless?

erlinden

Depends on your requirements, if you can supply them first?

erlinden

I think we all have been there

Glad it is solved!

erlinden

Not working is a bit arbitrary, what exactely is not working and how do you test it?

Seems the port forward you created is correct, did you change anything in the default firewall?
Could you please add your config?

/export file=anynameyoulike

Remove serial and any other pricate information.

erlinden

Strange, as I find it rock stable (running at my parents house). My used config: /interface wifiwave2 channel add band=5ghz-ax disabled=no frequency=5260,5300,5500,5540,5580,5620,5660 name=CH5G width=20/40mhz-Ce add band=2ghz-ax disabled=no frequency=2412,2437,2460 name=CH2.4G width=20mhz /interface...

erlinden

Disabling the interface should turn off the radio. Are you sure your test method is correct?

erlinden

When using PPPoE you don't need an (additional) DHCP client. That is handled by the PPPoE client itself. Or is IP supplied through DHCP?
Can you share config of both routers? And what do you mean by "My PPPoE and Static are working fine"?

erlinden

Configure the eth1 (assuming that is the port you connect your cAP ax with) as trunk port (as well) and do VLAN filtering on the bridge. Then you are good to go.

For VLAN reference, please use this great tutorial:
viewtopic.php?t=143620

erlinden

So absolutely nothing has changed except the RB5009?
How did you configure POE? auto on/forced on? If not the latter, can you give that a try?

erlinden

Lol...never ever use VLAN id 1, it is already in use implicitely. Anything higher than 1 will do (though it is probably limited). In regards to using VLAN (this is a must read tutorial): https://forum.mikrotik.com/viewtopic.php?t=143620 In regards to asking for support, instead of posting screenshot...

erlinden

From your configuration I assume you are using 3 networks:

"Corporate": 192.168.88.1/24
stelzer.local
smarthome.local

Corporate (as I call it) will use default vlan id (which is 1). Better, in my opinion, is to give it an explicit vlan id as well.
In line with the examples...

erlinden

You are running the "old" CAPsMAN while the cAP ax only supports the wifiwave2 CAPsMAN. No backward compatibility, will never come (I think I red that). You will need to install wifiwave2 on the RB5009 and configure it from there: https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWa...

erlinden

https://help.mikrotik.com/docs/display/ ... NFiltering

erlinden

I prefer to use VLAN all the way, no hybrid/implicit VLAN's. That would mean that you add an additional VLAN.
In your config I missed the DHCP servers for the VLAN's, is that on purpose?

Btw, you didn't follow the tutorial completely.

erlinden

If you follow the example, you will probably do just fine:
https://help.mikrotik.com/docs/display/ ... uardtunnel

erlinden

Upgrading from v6.9x to 7.12rc2 all bgp, mpls, ospf settimg all missing.

Thx

What did you expect...just upgrade and continue? You just moved to a new major version!

erlinden

Can you please share your current config, bit hard to understand the situation:

/export file=anynameyoulike

Remove serial and any other private information.

erlinden

Really love this post, turns out my provider is not blocking a lot.... As well as my GS accesspoints turned out to broadcast a lot to 224.0.0.120. One thing: add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" protocol=!tcp Because the action=log , you don't have to do lo...

erlinden

The RB960PGS does support 12-57 V (802.3af/at) as POE in:
https://mikrotik.com/product/RB960PGS

So if you are able to provide it with 48V on the POE in port it will do (at a lesser price than the RB5009).

@mkx, am I missing something?

erlinden

What exactely do you mean by "do not work"?
Could this be Audience or config related?

erlinden

The config would help:

/export file=anynameyoulike

Make sure to remove serial and any other private information

erlinden

Can't upgrade through the MikroTik App, and in Winbox I'm missing the "Donwload and Install" button.

After switching channels, I was able to install. Works perfectly (as it did before on the RC1 as well).

erlinden

I thought that the "connection-state=established,related" was for all established connections. Could it be that there is a connection from the LAN to the device?

Any reason why you don't have untracked there as well (per default)?

erlinden

Would be usefull to have some information:

current config: /export file=anynameyoulike --> Make sure to remove serial and any other private information
Client OS
Client configuration

In addition you might want to test a non-functioning client on a functioning site.

erlinden

Go VLAN all the way, once understanding the concept you won't ever go back.

If you need support, just share your current config:

/export file=anynameyoulike

Remove the serial and any other private information (like public IP).

erlinden

My best guess would be a missing route on Location C.
And compliments to @rplant for his other comments.

erlinden

Can you please elaborate on this:

My objective is to remove the slave to setup my port forwarding.

It's either me missing the purpose or you missing the concept.

erlinden

Anything in the logging that could give a hint?

erlinden

Where to find such paramaters.......gain tx power?

In the documentation:
https://help.mikrotik.com/docs/display/ROS/WifiWave2

erlinden

What is missing (and what I would expect): /interface bridge vlan add bridge=bridge-lan tagged=bridge-lan untagged=[hardware wifi interface],sfp1 vlan-ids=30 And afterwards activate vlan filtering on the bridge In regards to either or not upgrading...you must have seen the security updates because o...

erlinden

When going for VLAN, do VLAN all the way: https://forum.mikrotik.com/viewtopic.php?t=143620 You created a VLAN (vlan30-wifi) but nothing is configured to it. 6.44.3??? 6.49.10 is the latest LTS at this moment, you might want to upgrade. Any reason for not having a firewall? I assume (at least hope) ...

erlinden

Depends on the Huawei:
- Place the MikroTik in the Huawei's DMZ
- Configure the Huawei as bridge (no NAT)
- Port forward all necessary ports from Huawei to the MikroTik

erlinden

Arent static IP showing as well on DHCP leases?

I assume configured on the client, IP reservations are shown indeed.

erlinden

is there an archive for older versions?

You have seen the v6 section (where there is a Netinstall for 6.49.10)?

erlinden

/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1

Clients will use the router as DNS server, so it depends on the DNS IP addresses configured in RouterOS.
Why not set the DNS server to your PiHole server within the /ip dhcp-server network config.

erlinden

Be aware that there are two CAPsMAN versions, one for the older devices and one for Wifiwave2 compatible devices.
You won't be able to combine the two.

erlinden

You probably haven't added this Test network to the LAN Interface List.
Can you share your config to check:

/export file=anynameyoulike

Be sure to remove serial and any other private information.

erlinden

Add bridge, then add all interfaces (wireless as well) to this bridge.
Make sure that the DHCP client is attached to the bridge and...you are done.

If that doesn't work, please share the config (and remove serial and any other private information):

/export file=anynameyoulike

erlinden

Use vlan's, only single bridge required:

viewtopic.php?t=143620

erlinden

I think the "CAP" refers to its mode. Only hAP ax2 and hAP ax3 involved.

@keskol: is this your complete configuration? Is the C53UiG+5HPaxD2HPaxD public facing? I'm missing the firewall part.

And why ffs use UPnP

erlinden

UPnP is where it started (is it required?) and qBittorrent finished it. I would expect that there are some options in qBittorrent to limit these sessions. Using torrent feels like something from the past...at least for me.

erlinden

You can use the RB960PGS:
https://mikrotik.com/product/RB960PGS

erlinden

chain=input action=log connection-nat-state="" protocol=udp in-interface=uplink-vlan400 dst-port=514 log=no log-prefix="" I think that this rule, at least the chain, is not correct as you want to forward (hence you should use the forward chain). Do you have this rule? add action...

erlinden

Do you mean 80 or 800? And what is your definition of "handle"?

I think that around 30 devices per radio is a good startingpoint. But depends on the consumption per device.

Perhaps you can add some additional information about the use case?

erlinden

erlinden

What radio scan are you using? I think your device is not completely configured. I.e. you didn't specify country code on the 5GHz radio. With a rate of 780 Mbps your device is using 80MHz width... In regards to getting 160MHz (bigger is not always better, I prefer to use 40MHz on the 5GHz radios mys...

erlinden

It's the default config, which comes with AX³, you know. Mikrotik must handle it with no excuses.

>dhcp-client on ether1 failed to add 0.0.0.0/0 route to 192.168.1.1: std failure: timeout (13)

Default is 192.168.88.1

erlinden

What a nonsense, didn't expect this bullshit from mikrotik.

Mikrotik can't handle users and their sometimes exotic configs. Not saying this is the case with you...just saying that this is not caused by RouterOS v7.11.2.

erlinden

Defenitely would like to see the config. Sure it is not compromised? Your RotuerOS version is...well...updated...a lot.

erlinden

How can DEFINE the address as FIXED?

This is a rhetorical question:

If you DEFINE the address as FIXED in config, what do you think it will be ?

erlinden

With a router you can handle the failover automatically, only challenge is disabling wireless on the Starlink router when it's link is down. Any way to replace the starlink router with a Mikrotik? Then you can keep the switch.

erlinden

In either way I would change the RB260GSP for a router.

erlinden

If you share your config we can do some additional checking...I was not expecting the necessity of a filter rule on the input chain for having access to the internet.

erlinden

CAP as the CAP AX ? I havent done anything to it.

Indeed, just to be sure...

What's in between the router and the cAP ax?

erlinden

So much to improve...but lets focus on the current problem.
Can you share the CAP config as well?

erlinden

Time for some next stepping...can you provide configs from both CAPsMAN and CAPS?

/export file=anynameyoulike

Make sure to remove serial and any other private information like public IP.

erlinden

Solid green I assume?
Did the cAP ax request/get an IP address?

erlinden

Just to be sure...you did reset the cAP ax to CAP mode?

erlinden

As far as I know it requires a reboot.

Aah...you found out. Did you download:
https://download.mikrotik.com/routeros/ ... 7.11.2.zip

It has to be the arm64 package...

erlinden

For AX devices you have to use a different CAPsMAN:
https://help.mikrotik.com/docs/display/ ... ve2CAPsMAN

erlinden

You (don't) mean the /routing/bgp tab?

erlinden

/system routerboard settings
set auto-upgrade=yes

I prefer to decide when to upgrade and where to.

erlinden

I would:

Uninstall wifiwav2 package and install it next
Reset, no default configuration
Netinstall
RMA

erlinden

At least the MAC address is incorrect...can you correct that?

erlinden

Netinstall, using LTS (https://mikrotik.com/download/changelog ... lease-tree).

erlinden

My (first) reply:

- don't use vlan id = 1
- use a single bridge and add vlan filtering
- upgrade to latest LTS: 6.49.8
- read this

: viewtopic.php?t=143620 (great explenation and examples)

erlinden

If these are all the requirements:
https://mikrotik.com/product/crs112_8p_4s_in

erlinden

Not (completely related), any specific reason for running this version?

erlinden

Based on my feeling: nope.
I would think of either doing some scripting (IP change?) or getting a different ISP.
What ISP do you have? And how do you currently "reject" the private IP address offer?

erlinden

Can you explain a bit more?

erlinden

Also beginners can use the help pages:

https://help.mikrotik.com/docs/display/ ... UI+example

erlinden

What's up with the L2MTU? I haven't set it myself...

erlinden

Turn off VPN or set DNS server to auto on client..

erlinden

Must read (and it is great):

viewtopic.php?t=143620

erlinden

Are you using Winbox?

/Interface/Detect Internet -> select all to "none"

erlinden

An export of your config says more than thousand words:

/export file=anynameyoulike

Remove serial and any other private information like public IP.

And use code tags to make it readable.

erlinden

Thanks for your repply. Do you have a video of this process?

A video of me answering your question...?

Surely there are tons of (crappy) videos on YouTube. All the info you need is in the two supplied links. Feel free to do some investigation yourself.

erlinden

Disable Internet detection and try again:

https://help.mikrotik.com/docs/display/ ... t+Internet

erlinden

DON'T INSTALL RouterOS v7 (on this device, I do love it)!

Why...your hAP lite is underpowered, though it will run and is supported.
If you really need some functionality not present in v6, you should get new hardware.

erlinden

Install Wifiwave2 on your RB3011
Configure CAPsMAN: https://help.mikrotik.com/docs/display/ ... ve2CAPsMAN
Consider using VLAN to seperate networks: viewtopic.php?t=143620

erlinden

I have to think now how to give acces from the outside for some services to have connection to my IP from notebook and smartphone.

Like a VPN connection

erlinden

In addition to the above remarks: Besides channel als set channelwidth explicitely (I set it to Ce at my parents house, this device is rocksolid on 7.11.2...including Wifi). Also cosider setting DTIM to 3 (Apple's preferred setting). While you are at it...also change DHCP lease time to something hig...

erlinden

Good question, it would be absolutely phenomenal if one can answer this question without additional information:

/export file=anynameyoulike

Remove serial and any other private information like public IP.

erlinden

Do you know what version it was running befor the upgrade?
Have you followed the wiki on Netinstall?

https://wiki.mikrotik.com/wiki/Manual:Netinstall

erlinden

Default rules (which is a bit better then your current rule set): /ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked" add chain=input action=drop connection-state=invalid comment="defc...

erlinden

While you have the chance: use VLAN ID's above 1 (also for the home/corporate/whatever network). In regards to your question: On the forward chain make all allowed traffic explicit (by adding allow filter rules) and end the forward chain with block all. The same for the input chain (be aware that ac...

erlinden

Have this exact device installed at my parents: rock solid. Can you share your config to make sure you have optimized settings?

/export file=anynameyoulike

Remove serial and any other private information like public IP.

Oops...this was requested already...

erlinden

Current config looks like Russian roulette...it might work...or not.
You better set bandwidth to 20MHz (unless there are no other devices transmitting on the 2.4GHz band).
Next, you could better set the channel: either 2412, 2437 or 2462 (to have minimal interference.

erlinden

V7 is required for newer hardware. Has been sad before.
Running v7 in production requires knowledge of RouterOS and its limitations.

erlinden

Tell me, please, what could be the reason? Haven't seen this behavior on any of my devices. Could you share your config to make sure that is ok? What MikroTik do you use? Do you have firmware upgraded as well? /export file=anynameyoulike Remove serial and any other private information like public IP.

erlinden

Thanks

hello friends

Welcome on the forum, you might want to create a new topic. Add you config to it to get some help::

/export file=anynameyoulike

Just remove serial and any other prive information like public IP

erlinden

Why?

To check current settings and to give an explanation. You can provide only the wireless part.

erlinden

Can you select channel 5300, @fragtion? That would make sense in case of 80MHz Ceee.
Can you please share your config:

/export file=anynameyoulike

Remove serial and any other private information like public IP.

erlinden

What channel width are you using, @fragtion? If using 80 MHz, you might have to select extension channel eeCe or eeeC.

erlinden

I think you have to add "Extra packages" manually (and to be specific: ipv6-6.49.5-arm.npk).
Might be better to upgrade (to LTS 6.49.8 or Stable 6.49.10) while you are at it.

erlinden

It's up to you how to approach this. You could share your current config for better advice:

/export file=anynameyoulike

Remove serial and any private information (like public IP address).

erlinden

I love working with VLAN's. In your case Corporate, Guest and Management (if required). Assuming you have MikroTik hardware (what hardware do you use?), this can be easily accomplished:

viewtopic.php?t=143620

erlinden

Upgrade went smooth:

RB4011
hEX s
wAP ac
cAP ac
hAP ax2

erlinden

Did you add a port forward? By any chance have UPnP activated on the Tp-Link?

erlinden

Either downgrade to v7.10.2 or disable fast path"

/interface bridge settings
set allow-fast-path=no

erlinden

i can setup a vpn server on a mikrotik in my network for that on an random high-enough port like 60000. Up till the above sentence your question made perfect sense to me. I think a site-2-site vpn is a very nice solution and can be accomplished pretty easily. Wireguard (in case you can use RouterOS...

erlinden

Have you followed the help page exactely?
https://help.mikrotik.com/docs/display/ROS/Netinstall

I.e., all network adapters disabled during your attempts (except for the one connected)?

erlinden

I see that you configure eth2 with pvid, but eth3 not. While both are configured on the /bridge/port/vlan. Think you should at least have this corrected. Besides that, I don't see any reason why it is not working. Anything in the log?

erlinden

https://mikrotik.com/training/

erlinden

Because of misconfiguration.

May I suggest to aggregate all "your problems" into a single topic?

erlinden

Please work on your basic knowledge mate:
https://en.wikipedia.org/wiki/Private_network

As soon as you know the error AND have adjusted your firewall as requested in one of your other topics...I'm willing to help you gladly.

erlinden

Now I see...it is allowed only via bridge. Still...please consider going back to defaults (which will protect you a lot better) or even better...block everything on the end of both input and forwarch chain. Just be aware to allow everything you want explicitely. You are aware that you do not have an...

erlinden

May I ask who took care of this firewall? You might want to consider bringing it back to default...that saves a lot of time analyzing the problems you run into. While we are at it...if you place the export in between code tags </>, your post will become more readable. Will update my answer with reco...

erlinden

Can you please share the config, instead of posting screenshots?

/export file=anynameyoulike

Make sure to remove serial and any other private information (like public IP).

Are your other port forwards working?

erlinden

The same as on your MikroTik. I you have doubts about that....well....you do the math.

erlinden

Port forward the correct port(s) from your ISP router to your MikroTik router. That's the only additional step you have to perform besides configuring your MikroTik router.

erlinden

Right it is mikrotik, but out of pure curiosity why there is only Home AP Dual?

I think Wifiwave2 devices are limitted from Quickset (think I red something about it) and perhaps (that's my assumption) this devices purpose is Home AP Dual (or CAPs).

erlinden

Please share your config:

/export file=anynameyoulike

Make sure to remove serial and any other private information (like public IP).

erlinden

CAPsMAN (Wifiwave2) is an additional package and can be added to the router manually. I would, assuming the router is Mikrotik as well, go that way.

With all due respect...Quickset has another purpose and doesn't fit (in my opinion) to your use case.

erlinden

Like having trunk ports on both switches?
https://wiki.mikrotik.com/wiki/Manual:C ... Based_VLAN

Please give some context...otherwise it is just a guessing game.

erlinden

If you have seven accesspoints you might want to consider CAPsMAN. Assusming you are going to use these at one site.

And at these numbers you shouldn't be using Quickset at all, but that is my opinion.

erlinden

RouterOS 6.42.6 Mmm...might be time to do an upgrade... authentication-types=wpa-psk,wpa2-psk Please don't use wpa-psk, only use (at least) wpa2-psk aes. /ip dhcp-server add address-pool=dhcp interface=ether2 name=dhcp1 add address-pool=dhcp_pool2 disabled=no interface=bridge name=dhcp2 /interface ...

erlinden

Intervlan communication has to be blocked on firewall.

Better, configure the firewall what is allowed and block everything else (make sure you don't block access to the router completely).

erlinden

So as i read allot here i guess its not possible to assign one subnet to multiple vlans on an ether port.

Why would one assign one subnet to multiple VLANs?

erlinden

What tutorials did you follow? Here is the official wiki: https://wiki.mikrotik.com/wiki/Manual:CAPsMAN If you want feedback, can you please share the current config? /export hide-sensitive file=anynameyoulike Remove serial and any other private info (like public IP). Update: CAP interfaces are adde...

erlinden

Country code is for legislation purposes and probably something more. It is used to select the country you are in. Just to make sure... Is it limited to one device? Have you tried resetting Wifi or even the complete phone? And, perhaps better, removed and afterwards added the Wifi network on this Ap...

erlinden

Can you please help me, what else can i do ?

Using 40MHz on the 2.4GHz band is crap (unless...etc.). Set it to 20MHz.

Can you share your config on your previous device as well? Then we have something to compare.

erlinden

Most ISP's provide information on how to configure your own router...does your provider do that?
Can you show your config to be able to provide feedback (and sometimes a good laughter)?

/export file=anynameyoulike

Make sure tot remove serial and any other private information (like public IP).

erlinden

Tell the switch it's a router...that will do.

erlinden

Trunk and untagged is a bit of a contradiction.

Can you make a network diagram that contains your requirements?
Are you by any chance looking for hybrid ports?

erlinden

CAPsMAN, running on hEX s, only important parts: /interface bridge add admin-mac=**-**-**-** auto-mac=no ingress-filtering=no name=bridge-LAN vlan-filtering=yes /interface vlan add interface=bridge-LAN name=2_VLAN vlan-id=60 add interface=bridge-LAN name=HOME_VLAN vlan-id=61 add interface=bridge-LAN...

erlinden

On the port that my Cap is connected to, I did:

MGT VLAN untagged
Corporate VLAN tagged
Guest VLAN tagged

That gave me the opportunity to leave the cap default (CAPS mode) and set VLAN in datapath.
I can share my config if that helps you?

erlinden

Running cAP ac in a domestic environment with RouterOS v7.11, no problems for me. Did a quick scan on the other topic but didn't see any exports from the config. Did see a lot of crappy settings in the screenshots. Two things I advice: Give V7.11 a chance Optimize your settings *) *) To get some adv...

erlinden

Please elaborate @si458: vlan attached to bridge and vlan-filtering on the bridge? Perhaps share (part of) your config?

erlinden

RB4011: /caps-man datapath add client-to-client-forwarding=yes local-forwarding=yes name=datapath_home vlan-id=101 vlan-mode=use-tag add bridge=bridge client-to-client-forwarding=yes name=datapath_wifi vlan-id=101 vlan-mode=use-tag add bridge=bridge client-to-client-forwarding=yes name=datapath_iot ...

erlinden

Couple of things to consider: wireless-protocol=nv2-nstreme-802.11 means you will connect with either another Mikrotik or something else. Why not use 802.11? authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm is beyond ancient. Change it to authentication-types= wpa2-psk group-ciphers=...

erlinden

i could go back to the old version but do you have enough information to fix the problem in future releases? or should i provide any thing which helps to fix it? The problem was already identified and solved (was informed today by mail). I expect a v7.11.1 release on short notice. In the linked thr...

erlinden

its my settings Better to share your config: /export file=anynameyoulike Make sure to remove serial and any other private information (like public IP). In regards to your settings: nv2 nstreme is Mikrotik only Superchannel!? why post 5GHz radio while you experience problems with the 2.4GHz radio? B...

erlinden

You are talking about a low end device that was introduced in 2015 (and probably earlier) that stil receives updates. What other brand does that? Did you buy the correct device (and are you expectations correct)? As mentioned...there is a workaround by using netinstall. If you stick to V6.x LTS, you...

erlinden

What does "breaks everything" mean to you? Does your phone use the same DNS server as the Windows machine?
In regards to your remark about the firewall rules...if logging is activated on the firewall (drop) rule you might get an indication of the cause of not working.

erlinden

No problem, bit of advice: Order your firewall rules (especially when shared your Mikrotik friends on the forum), that (appart from the missing rule below) will make it more readable and maintainable. /ip firewall filter add action=accept chain=input comment="Accept established,related, untrack...

erlinden

The an export might be helpful:

/export file=anynameyoulike

Remove serial and any other private information (like public IP address).

erlinden

Can you login with Winbox on IP?
Anything relevant in the logging?

erlinden

Nice! I like answers like yours.

erlinden

You are aware that there is a nice search option on this forum?
And if you want some in depth feedback, please share your config:

/export file=anynameyoulike

Make sure to remove serial and any private information (like public IP address)

erlinden

Not sure if you removed it...do both the interface and the peer have public (and private) key implemented?
I assume it is not working on local network?

Follow the link I posted before, then it will work. And consider moving the wireguard firewall filter rule below the Drop invalid rule.

erlinden

Sure...multiple ways to solve this.
I prefer using VLAN's (where you can even distinguish corporate and guest network):

viewtopic.php?t=143620

Update:
Looking at your hardware, two things:

Why?
viewtopic.php?t=175322

erlinden

My advice: use VLAN's and use correct firewall settings.

erlinden

Start over again...your current configuration has flaws. I.e., your firewall is lacking a lot and one of your networks has incorrect IP information. How...? https://wiki.mikrotik.com/wiki/Manual:Reset In summary: /system reset-configuration (from command line) System -> Reset Configuration (from Win...

erlinden

From the documentation (https://help.mikrotik.com/docs/display/ROS/Log): prefix (string; Default: ) prefix added at the beginning of log messages As far as I know you can't filter on the Message itself. Update: I see you already are working on solving the cause: https://forum.mikrotik.com/viewtopic....

erlinden

Do you have a Wireguard enabled?
Is it working locally (next step should be port check)?

Better share your current config (screenshots are unnecessary):

/export file=anynameyoulike

Remove serial and any prive information (like public IP).

erlinden

If you follow the guide (https://help.mikrotik.com/docs/display/ROS/WireGuard#WireGuard-Applicationexamples), you would have known there is no port forward involved. Forwarding means, forward traffic to other device. I assume you want to run a Wireguard server on your MikroTik? Unless you are runnin...

erlinden

Either check if the item exists or remove the current address list.

erlinden

Well, here are my two cents: get firewall back to original, lots of crap added get rid of upnp and disable it like...forever. And start getting ashamed while you want your router as save as possible get rid of auto-upgrade and disable it like...forever reboots are not necessary, you are using MikroT...

erlinden

Before going in depth...why 2 bridges?
And can you share at least your config?

/export file=anynameyoulike

Don't forget to remove serial and any other private information (like public IP)

erlinden

Instead of watching the video (beware that there is lot of crap on YT), could you please share the config?

/export file=anynameyoulike

Remove serial and any private information (like public IP).

erlinden

https://help.mikrotik.com/docs/display/ ... ve2CAPsMAN

erlinden

Would be helpful if you can share your config.

/export file=anynameyoulike

Don't forget to remove the serial and any other private information (like public IP address).

erlinden

My RB4011 does not allow a device connected to bridge port on a specific vlan to reach to any other device on that vlan, unless I'm running "Torch" on the port.
SUP-125214

Sounds like my problem, where you able to ping it from the router?
SUP-125143

erlinden

My bonding interface on the RB4011 was no longer working correctly. I was able to ping it from the router and the camera's could communicate (initiated by the NAS), but the corporate network could neither ping nor communicate through browser or native Synology app with the NAS. Config can be supplie...

erlinden

On any VLAN question...please start here: https://forum.mikrotik.com/viewtopic.php?t=143620 And in regards to this specific switch: https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841836 And if you want some specific feedback...start with sharing your config: /export file=anynameyouli...

erlinden

On any VLAN question...please start here:
viewtopic.php?t=143620

erlinden

The address list entry approach as suggested by erlinden is a tad nicer. Agree :D But still...I doubt if this has worked before...assuming the config remained unchanged. The primary reason was mitigation of https://nvd.nist.gov/vuln/detail/CVE-2023-30799. I could have upgraded to 6.49.8 but I thoug...

erlinden

What is the reason for upgrading? Any particular reason? The first (and only) thing I notice is that I was expecting this line: add address=192.168.128.0/22 list=users This list is used in the firewall (which is in my opinion a bit unreadable...I'm still a fw-rooky). Could that be the reason for hav...

erlinden

Random MAC is, as far as I know, not random after the wireless network is added to the device. Otherwise Kid Control wouldn't work (for me).

erlinden

You might want to add a new topic and at least share your config:

/export file=anynameyoulike

Don't forget to remove serial and any other private information.

Search found 1740 matches