Community discussions

Search found 131 matches

by magchiel
Tue Dec 05, 2023 9:23 am
Forum: General
Topic: [solved] - Route internet traffic from one VLAN to exit via specific IP
Replies: 16
Views: 1991

Re: Route internet traffic from one VLAN to exit via specific IP

Everything is going out the one connection, to the one gateway, so it is not a routing decision it is a NAT rule you need. I was just writing an afterthought on this. Checking the wiki confirmed behaviour in my note, so given that the gateway is the same for main table as for the HP.10 table, there...
by magchiel
Tue Dec 05, 2023 8:56 am
Forum: General
Topic: [solved] - Route internet traffic from one VLAN to exit via specific IP
Replies: 16
Views: 1991

Re: Route internet traffic from one VLAN to exit via specific IP

I think for this to work, you need to keep the distance=1 I have a working setup by using explicit scope and same distance as the default route in the main table (i.e. just changing the routing table) and leaving the dst-address in the routing rule blank. This would translate to your config as: /rou...
by magchiel
Sun Sep 10, 2023 1:12 am
Forum: RouterBOARD hardware
Topic: Product suggestion: 10Gbps router in CRS310 form factor
Replies: 4
Views: 3263

Product suggestion: 10Gbps router in CRS310 form factor

Apologies if this already has been suggested elsewhere, but beyond a two port high performance router (https://forum.mikrotik.com/viewtopic.php?p=956928), I didn't find anything too relevant. When planning the evolution of my network I seem to be hitting a gap in the current lineup, as I don't need ...
by magchiel
Sat Aug 26, 2023 3:11 am
Forum: RouterOS beta
Topic: IPv6 Prefix ID per IPv6 enabled interface
Replies: 31
Views: 4869

Re: IPv6 Prefix ID per IPv6 enabled interface

What I'd want is to remove prefix-length from /ipv6/pool and instead allow both /ipv6/address and /ipv6/dhcp-server to control it alongside Subnet ID. Although that'd require sophisticated conflict tracking. Exactly. The i+1 type of increment in the subnet every time you assign an address, to me see...
by magchiel
Thu Aug 24, 2023 12:12 am
Forum: Beginner Basics
Topic: Do not redirect (NAT) DNS-Requests for specific domain [SOLVED]
Replies: 3
Views: 1825

Re: Do not redirect (NAT) DNS-Requests for specific domain [SOLVED]

That said, what's keeping you from using (conditional) DNS forwarding, either by using your Mikrotik as a primary DNS server to your existing DNS server or vice versa?
by magchiel
Sun Aug 13, 2023 11:53 am
Forum: Beginner Basics
Topic: Smart TV to remote network using VPN
Replies: 1
Views: 1189

Re: Smart TV to remote network using VPN

If you're ok with passing all the traffic from the TV over the VPN, this should be straightforward using wireguard and policy routing on the TV's IP. If it's only the traffic of the KPN app you want to route, it may involve a bit more wiresharking to work out the specific destinations and ports the ...
by magchiel
Thu Mar 23, 2023 11:11 pm
Forum: Wireless Networking
Topic: HAP AX3 WifiWave2 CAPSMAN
Replies: 43
Views: 18797

Re: HAP AX3 WifiWave2 CAPSMAN

Unfortunately, vlan-id is supported only on 802.11ax interfaces. Documentation has been adjusted. It's indeed unbelievably frustrating. Lost a good day on this trying to migrate a CAPsMANv1 setup to wifiwave2, before it was documented. Right, it should be considered alpha-stage so it is to be expec...
by magchiel
Sun Oct 02, 2022 9:51 am
Forum: RouterOS beta
Topic: mDNS repeater feature
Replies: 330
Views: 98212

Re: mDNS repeater feature

+1 for this feature. And while we're on the subject of IoT devices, I own several products that rely on UDP broadcast [^1] (Squeezebox to name one ubiquitous device). I don't mean to hijack but merely want to add to the point: while I understand all the replies questioning the practices of creating ...
by magchiel
Sun Jun 23, 2019 2:23 pm
Forum: RouterBOARD hardware
Topic: Noctua NF-A4x20 FLX as an aftermarket fan replacement
Replies: 4
Views: 4670

Re: Noctua NF-A4x20 FLX as an aftermarket fan replacement

@magchiel Is the mikrotik still running silent or does the second fan kick in many times? Just interested I got me such mikrotik here and ordered that NF-A4x20FLX fan to replace the system fan. It's still running, always silent on the Noctua, never with the second (factory standard) fan kicking in...
by magchiel
Fri Jul 21, 2017 1:10 am
Forum: General
Topic: Is hEX (RB750Gr3) can handle 2 x 100M WANs?
Replies: 9
Views: 4233

Re: Is hEX (RB750Gr3) can handle 2 x 100M WANs?

I have no issue with getting 100mbps. That's the line speed of my fastest IPSec partner. Many thanks. That's good enough. Were you able to encrypt and decrypt IPSec traffic at linespeed (i.e. 300Mbit/s?). After seeing CCR1009 at 300Mb/sec link with some like 150 VPN pptp/sstp clients (which is not h/...
by magchiel
Fri Jul 21, 2017 12:48 am
Forum: General
Topic: Is hEX (RB750Gr3) can handle 2 x 100M WANs?
Replies: 9
Views: 4233

Re: Is hEX (RB750Gr3) can handle 2 x 100M WANs?

I've been running a Rb3011 with two 300mbps WANs and 24 IPsec tunnels for almost a year with no issues. The CPU is quite powerful. I have recently replaced it with a RB1100AHx4, but only because I wanted the internal storage. Were you able to encrypt and decrypt IPSec traffic at linespeed (i.e. 300...
by magchiel
Fri Jun 02, 2017 1:16 am
Forum: General
Topic: VLAN configuration (untagged and IPTV)
Replies: 12
Views: 8117

Re: VLAN configuration (untagged and IPTV)

The configuration seemed to produce some lag, with audio twitches every now and then. I tried configuring to use the VLAN switch, to see if it seems to be working without twitches. Solved it? When does this lag occur? Monitor CPU loads and total bandwidth used while watching and (fastly) switching ...
by magchiel
Fri Jun 02, 2017 12:47 am
Forum: General
Topic: Redirect port 443 different internal IP
Replies: 5
Views: 2923

Re: Redirect port 443 different internal IP

Thanks, I thought that the "content" option could do that, if not I will setup with nginx. Thanks! Not reliably since the content will be encrypted so you need a TLS endpoint to inspect it. While the initial handshake will be unencrypted and you could try and devise some packet markin...
by magchiel
Thu Jun 01, 2017 10:30 am
Forum: General
Topic: Redirect port 443 different internal IP
Replies: 5
Views: 2923

Re: Redirect port 443 different internal IP

No. The normal pattern for this use case is to setup a reverse proxy with Nginx or similar between the firewall and the various web servers.
by magchiel
Tue May 30, 2017 11:40 pm
Forum: RouterBOARD hardware
Topic: Noctua NF-A4x20 FLX as an aftermarket fan replacement
Replies: 4
Views: 4670

Noctua NF-A4x20 FLX as an aftermarket fan replacement

Hi all, I know that some of you have sought to silence the actively cooled Mikrotik with aftermarket fans, including Noctua. Being a long time fan of this brand (and in no way affiliated nor have I received anything from them or any other supplier), I'd thought to draw your attention to the release o...
by magchiel
Tue May 30, 2017 8:58 am
Forum: General
Topic: VLAN configuration (untagged and IPTV)
Replies: 12
Views: 8117

Re: VLAN configuration (untagged and IPTV)

Current configuration is using the same bridge and I have added VLAN 845 as a VLAN and added it to the same bridge as the other network. Going by the very scarce details you provide, this is your problem. You can use separate bridges for untagged traffic (i.e. bridge_local to which you add all port...
by magchiel
Sun Apr 30, 2017 3:01 pm
Forum: Beginner Basics
Topic: 2 network, 2 ISP, Failover need help
Replies: 11
Views: 3466

Re: 2 network, 2 ISP, Failover need help

Assuming your default ISP route is weight 1 (e.g.: 0.0.0.0/0 via 96.42.1.1 distance 1), to route RT1 controlled via Comcast, add a default route 0.0.0.0/0 via 10.x.2.2 with a distance greater than 1; to route RT2 via AT&T add a route 0.0.0.0/0 via 10.x.1.1 with a distance greater than 1. That sa...
by magchiel
Sun Apr 23, 2017 6:18 pm
Forum: Beginner Basics
Topic: 2 network, 2 ISP, Failover need help
Replies: 11
Views: 3466

Re: 2 network, 2 ISP, Failover need help

How it works? A route with the lower cost is the prefered one? Yep. Just keep the PtP connection open and it'll automatically select the lowest gateway that is actually reachable. For each route you can configure method and interval to check whether or not reachable. Definitely simplest and probabl...
by magchiel
Sun Apr 23, 2017 5:55 pm
Forum: RouterBOARD hardware
Topic: Hardware Bonding?
Replies: 2
Views: 1753

Re: Hardware Bonding?

Nope. Still the main thing holding me back using MT for switching duties.

Maybe ROS7 xD
by magchiel
Sun Feb 19, 2017 11:09 am
Forum: Beginner Basics
Topic: Inter VLAN communications using the switch chip to create the VLANS
Replies: 1
Views: 1021

Re: Inter VLAN communications using the switch chip to create the VLANS

First, in order to prevent any issues and misconceptions, let's get the terminology straight. A management VLAN is usually a VLAN which holds the management interfaces through which you configure your appliances. This is a VLAN that you want to isolate at all costs. The purpose of a VLAN is to isola...
by magchiel
Fri Feb 10, 2017 6:43 pm
Forum: Scripting
Topic: Schedule = wifi night off [lunch off] on working days
Replies: 10
Views: 6585

Re: Schedule = wifi night off [lunch off] on working days

it's about home router (Access point), not phone :) I understand. You on the other hand... You use the GPS on your phone to detect where you are and the data connection to trigger your router to turn on your WiFi as soon as you're (near) home, e.g. through running a curl script which talks to the MT...
by magchiel
Mon Feb 06, 2017 8:41 pm
Forum: General
Topic: [RB2011 as Switch] - How to use all ports?
Replies: 3
Views: 3865

Re: [RB2011 as Switch] - How to use all ports?

On gigabit switches the vlan-header attribute is ignored in secure vlan-mode. Instead the port will behave as leave-as-is. Use the default-vlan-id to tag and untag traffic in secure vlan-mode. Your configuration is untagging vlan 3 on ether10. Also make sure the vlan table is correct for all ports. ...
by magchiel
Mon Feb 06, 2017 7:10 pm
Forum: Scripting
Topic: Schedule = wifi night off [lunch off] on working days
Replies: 10
Views: 6585

Re: Schedule = wifi night off [lunch off] on working days

While the reasons behind your requirement are beyond me and I don't think anyone on this forum is going to script it for you (as with any script help will offered), I'd look into an IFTTT app on your phone with geofencing and the API to tackle this. Much more dynamic if you have a day off, decide to...
by magchiel
Sun Feb 05, 2017 11:53 pm
Forum: Scripting
Topic: Schedule = wifi night off [lunch off] on working days
Replies: 10
Views: 6585

Re: Schedule = wifi night off [lunch off] on working days

First: is the requirement to turn off wifi or to prevent traffic flowing? If it's the latter, easiest for daytime and lunch time is to create a firewall rule using the time attribute. Would reduce the issue to the holidays. If I were to script this, I would have everything in a single script to prev...
by magchiel
Sun Feb 05, 2017 10:59 pm
Forum: Scripting
Topic: Simple Script for enabling Interfaces for FailOver
Replies: 8
Views: 4273

Re: Simple Script for enabling Interfaces for FailOver

Can you tell me,what I need to configure? I prepared the routing rules, but it doesn't work. Default routes are off. What do I need...? Depends how you populate your routing table; if you're using static routes you can modify the distance in the /ip routing entries. If you're getting your default r...
by magchiel
Sun Feb 05, 2017 10:46 pm
Forum: General
Topic: VLANs
Replies: 10
Views: 3246

Re: VLANs

I WAS ABLE TO LEARN IP ADDRESS ON ETHER9 AND ETHER10 THROUGH DHCP . THE ISSUE NOW IS , HOW DO I CONFIG INTERVLAN FOR PC ON ETHER9 TO PING PC ON ETHER10 .... this my export config , assuming ether 8 is to be use as trunk port Don't know whether you've cracked this yet, but provided that you have not...
by magchiel
Sat Jan 14, 2017 7:43 pm
Forum: Scripting
Topic: Simple Script for enabling Interfaces for FailOver
Replies: 8
Views: 4273

Re: Simple Script for enabling Interfaces for FailOver

Assuming you're paying for data and not for uptime the routing distances should suffice (as - bar a keepalive - no data should be transferred so long a lower weighted route is active). If you're adamant that the interface is to be disabled when the landline is working, scripting is your solution as ...
by magchiel
Sat Jan 14, 2017 1:46 pm
Forum: Scripting
Topic: Simple Script for enabling Interfaces for FailOver
Replies: 8
Views: 4273

Re: Simple Script for enabling Interfaces for FailOver

If it's all the same to you, you can also achieve this by setting routing distances for the default routes on both devices. As soon as the default route with the lowest distance will become unavailable (check gateway) it'll switch to next in line.
by magchiel
Sat Jan 14, 2017 1:38 pm
Forum: General
Topic: VLANs
Replies: 10
Views: 3246

Re: VLANs

How to set router #2 this way ether1 - input for VLAN10, VLN20 VLAN30 ether2 - VLAN10 (IPs from DHCP on router #1) ether3 - VLAN20 (IPs from DHCP on router #1) ether4 - VLAN20 (IPs from DHCP on router #1) Most straightforward would be a pure L2 approach and just configure the switch chip on the sec...
by magchiel
Thu Jan 05, 2017 5:27 pm
Forum: General
Topic: Intervaln routing - Multiple gateway
Replies: 4
Views: 1662

Re: Intervaln routing - Multiple gateway

If inside a vlan, i want a computer reach internet on the other gateway, what's the way to do this? You mean you have a host in VLAN that you would like to connect to the internet through the *other´s* VLAN gateway (e.g. host on vlan10 connecting through 192.168.112.250)? That wouldn't work since t...
by magchiel
Thu Jan 05, 2017 1:16 am
Forum: General
Topic: VLANs
Replies: 10
Views: 3246

Re: VLANs

Agree with Sob's suggestions in above post. I think that BRIDGEs setting is what I have wrong. In that case it would be useful to share your bridge config to ensure L2 is in order before worrying about those layers above. A /interface bridge and /interface vlan export would be nice start. Basically ...
by magchiel
Sat Nov 05, 2016 4:59 pm
Forum: General
Topic: can't reach DSL modem via VPN
Replies: 11
Views: 2198

Re: can't reach DSL modem via VPN

For your DSL ethernet port, try setting ARP to proxy-arp.
by magchiel
Tue Oct 25, 2016 10:40 pm
Forum: Beginner Basics
Topic: New network setup w/ RB 2011U router and (2) RB951U1-2HnD APs...Help w/ setup please
Replies: 4
Views: 1462

Re: New network setup w/ RB 2011U router and (2) RB951U1-2HnD APs...Help w/ setup please

What I need help is the initial RB devices configuration, so all are meshed properly. I will have wired connectivity from the router to each AP. Forget 'mesh'. It's not what you're looking for. It's enough to just configure all access points with the same settings and to make sure RBs are on the same L...
by magchiel
Tue Oct 25, 2016 9:06 pm
Forum: Scripting
Topic: i need help for 2 wan bonding/balancing
Replies: 8
Views: 8428

Re: i need help for 2 wan bonding/balancing

thanks for your reply and suggestions! As my upload is 0.5 Mbit/s per single WAN and it takes more than several seconds on speedtest to get to that maximum available speed, (it is raising from about 200 Kbits/s to maximum of 500 Kbits/s in few steps on speedtest speedometer) so i think its even no...
by magchiel
Sun Oct 23, 2016 4:41 pm
Forum: Forwarding Protocols
Topic: Problems with IPSec tunnel routing when using Mangle for dual WAN
Replies: 2
Views: 1734

Re: Problems with IPSec tunnel routing when using Mangle for dual WAN

Seriously, does no one have any hints? Seriously, you start complaining about response times on a voluntary forum after 15 or so hours? Your username seems adequate then. Secondly, use the code tags. Thirdly, study this http://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6#Ipsec_Encryption.2FDecrypti...
by magchiel
Sun Oct 23, 2016 4:30 pm
Forum: Scripting
Topic: i need help for 2 wan bonding/balancing
Replies: 8
Views: 8428

Re: i need help for 2 wan bonding/balancing

Besides those with Mikrotik below their name, none of us are getting paid for being on this forum so you might just have to wait before you get a response. Especially given your more specific requirements and ideas, this cannot be addressed with a typical 5 minute reply. Secondly, use the code tag...
by magchiel
Wed Oct 19, 2016 7:36 pm
Forum: Beginner Basics
Topic: Help with config
Replies: 7
Views: 1977

Re: Help with config

No, all tagged traffic would be 'trunk' and should work. 'vlan-header=add-if-missing' should sort that for you (on your model anyway; on Gbit models apparently this attribute is ignored when 'vlan-mode=secure' is used and all traffic is treated as 'vlan-header=leave-as-is').
by magchiel
Sun Oct 16, 2016 1:08 pm
Forum: General
Topic: Default VLAN (PVID / native vlan) + VLAN on one port
Replies: 14
Views: 27143

Re: Default VLAN (PVID / native vlan) + VLAN on one port

I have been going through my old configs and the wiki page http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features which is not easy to interpret on this matter to say the least. Having exactly the same problem (connect unifi uap-ac-pro to a rb750 - I assume we will meet again on the ubiquity foru...
by magchiel
Sun Oct 16, 2016 10:03 am
Forum: Beginner Basics
Topic: Help with config
Replies: 7
Views: 1977

Re: Help with config

Sorry, I'm doing this from memory as I currently have no switch-based VLANs running on my routers and have no spare hardware I can test with, so bear with me here. I went through exports of my old configuration where I did use switch based VLAN and found I had explicitly set the vlan-header attribut...
by magchiel
Sat Oct 15, 2016 6:58 pm
Forum: Wireless Networking
Topic: Bandwidth Management with two APs
Replies: 1
Views: 825

Re: Bandwidth Management with two APs

Couple of things: 10 Mbit for 40-45 users in current days is not a lot, but still it should allow for 200 Kbit per user with a practical maximum of 90% of the theoretical 10Mbit. 2 APs for 40-45 user is not a lot. Given your comment on 'resetting the AP' I wouldn't be surprised if the root cause of ...
by magchiel
Sat Oct 15, 2016 5:39 pm
Forum: Scripting
Topic: i need help for 2 wan bonding/balancing
Replies: 8
Views: 8428

Re: i need help for 2 wan bonding/balancing

It's not specifically bonding you're after, but load balancing in general. Bonding is connecting two pieces of hardware through multiple physical connections in a single logical one giving more bandwidth and/or fault tolerance, depending on what specific method you use (e.g. balance-rr or 802.3ad). ...
by magchiel
Sat Oct 15, 2016 2:23 pm
Forum: Beginner Basics
Topic: Help with config
Replies: 7
Views: 1977

Re: Help with config

Try /interface ethernet set ether3 master-port=ether2 set ether4 master-port=ether2 /interface ethernet switch vlan add vlan-id=1 switch=switch1 ports=ether2,ether3 add vlan-id=200 switch=switch1 ports=ether2,ether4 /interface ethernet switch port set ether2 vlan-mode=secure default-vlan-id=1 set et...
by magchiel
Sat Oct 15, 2016 12:19 pm
Forum: General
Topic: Intervaln routing - Multiple gateway
Replies: 4
Views: 1662

Re: Intervaln routing - Multiple gateway

Currently all your locally originated traffic is getting marked for and hence routed to the internet. This includes traffic that has a local destination. The solution is to exclude traffic with a local destination from your mangle rules: /ip firewall mangle add chain=prerouting src-address-list=VLAN10 ...
by magchiel
Sat Oct 15, 2016 11:56 am
Forum: Forwarding Protocols
Topic: OSPF-NSSA
Replies: 6
Views: 2920

Re: OSPF-NSSA

I already know that 5's are external routes, and that 7's are external routes for NSSA - but WHY this difference? Why two types that basically do exactly the same thing? Was the format of type 7 different somehow? A stub area blocks Type 5 LSAs. Type 7 makes it possible to bring in external routes ...
by magchiel
Sat Oct 15, 2016 11:27 am
Forum: General
Topic: Firewall connections overview
Replies: 15
Views: 4083

Re: Firewall connections overview

During the writing of the post I did check again and found NOTHING of this behaviour anymore!!! OK, that's good as a result, less so as still being unexplained. For lowering the load on the CPU and block useless traffic I added unreachable routes to my routing table (I started with blackholes but f...
by magchiel
Sun Oct 09, 2016 2:13 pm
Forum: RouterBOARD hardware
Topic: New CRS hardware? Show us some love
Replies: 23
Views: 7828

Re: New CRS hardware? Show us some love

Switch Features in order of importance Broadcast, Multicast and Unknown Unicast Storm Protection (hardware level filters) RSTP, MSTP LLDP G.8032 Ethernet Ring Protection Switching 802.1x for switch ports +1 I'm currently in the process of planning out infrastructure for a new (domestic/SOHO) locati...
by magchiel
Sat Oct 08, 2016 10:23 am
Forum: General
Topic: Use third party DNS with local
Replies: 1
Views: 945

Re: Use third party DNS with local

To be honest, if you're using Active Directory you really should serve your local DNS, not third party, and configure the third party DNS server as forwarders on the local DNS server. If for some reason you'd like to split these responsibilities and/or don't want all DNS lookups going through your s...
by magchiel
Sat Oct 08, 2016 9:55 am
Forum: General
Topic: Default VLAN (PVID / native vlan) + VLAN on one port
Replies: 14
Views: 27143

Re: Default VLAN (PVID / native vlan) + VLAN on one port

This does not work. I don't get a default vlan id. In fact all tagged VLANs also stop working when the vlan-mode for the port is set to something else than 'disabled' Granted, it has been a while since I've configured VLANs on the switch chip, but vlan-mode=disabled ignores all VLAN tags so if conf...
by magchiel
Fri Oct 07, 2016 10:17 pm
Forum: Scripting
Topic: script help
Replies: 1
Views: 844

Re: script help

Search for Tomas' MUM presentation on the forums. It does exactly this utilising traffic monitor.
by magchiel
Fri Oct 07, 2016 9:35 pm
Forum: General
Topic: Firewall connections overview
Replies: 15
Views: 4083

Re: Firewall connections overview

Apologies for the late reply; it has been a busy week. Just to make sure I have established the correct picture of your situation (as it's not your everyday SOHO setup you have running there): Traffic originating from 192.168.110.253 destined for 172.18.3.4 is coming in on MT2:eth10|192.168.110.1/24...
by magchiel
Fri Oct 07, 2016 10:14 am
Forum: Beginner Basics
Topic: [Answered] Bridging vs Master Port - when to choose which?
Replies: 6
Views: 7704

Re: Bridging vs Master Port - when to choose which?

Do bridges benefit from all ports in a bridge being on the same switch chip? Just to add to above: when creating a typical LAN setup with multiple ethernet ports and a wireless interface, I usually set the ethernet ports to a master port (thus utilising the switch chip for anything wired), add the ...
by magchiel
Thu Oct 06, 2016 10:25 am
Forum: RouterBOARD hardware
Topic: CRS226-24G-2S+RM
Replies: 1
Views: 983

Re: CRS226-24G-2S+RM

All CRS devices come with fully functional routerOS, so not lacking L3 features. However the CPU power is limited so don't expect you can go overboard with routing and filtering: it is primarily a switch after all. Compared to the normal RB devices the CRS range comes with additional features L2 in t...
by magchiel
Tue Oct 04, 2016 3:11 am
Forum: General
Topic: Firewall connections overview
Replies: 15
Views: 4083

Re: Firewall connections overview

The IP Addresses shown by the firewall connections are indeed Ubiquiti devices that are managed by the CRM point. However, these devices are all situated behind either MT3, MT4 or MT5. So I would assume that this traffic flows via MT2 (Central router) towards MT3,4 or 5, and not towards the border ...
by magchiel
Mon Oct 03, 2016 1:06 pm
Forum: RouterBOARD hardware
Topic: Problem with IPTV on RB850Gx2
Replies: 14
Views: 6541

Re: Problem with IPTV on RB850Gx2

For what it's worth: I have two RB850Gx2 successfully configured with IPTV (s/n 4*) running without issues, both bridged (purely VLAN-based) as well as routed (with IGMP proxy).
by magchiel
Mon Oct 03, 2016 12:53 pm
Forum: General
Topic: Firewall connections overview
Replies: 15
Views: 4083

Re: Firewall connections overview

To me this looks like the CMR software is trying to discover controllable access points hosts by scanning for open SSH ports at least in the 172.18.3.0/24 and 172.18.16.0/24 subnets, but because of the (default) routing configuration is then inadvertently internet-routed when this traffic reaches MT...
by magchiel
Mon Oct 03, 2016 9:45 am
Forum: General
Topic: Firewall connections overview
Replies: 15
Views: 4083

Re: Firewall connections overview

Doing a torch on the incoming port of the central MT1 is not showing any traffic from the management device 192.168.110.253
Just to check if I fully understand: while still listing connections from/to 192.168.110.253 to/from 192.168.x.x?
by magchiel
Sat Oct 01, 2016 8:57 am
Forum: General
Topic: Firewall connections overview
Replies: 15
Views: 4083

Re: Firewall connections overview

Does torch also show the traffic that you see in the connection table? Could you post some examples?
by magchiel
Fri Sep 30, 2016 9:18 am
Forum: General
Topic: Firewall connections overview
Replies: 15
Views: 4083

Re: Firewall connections overview

I came across various entries looking at the firewall -> connections tab related to an internal Ubiquiti device eg. 192.168.11.5 and the CMR point (192.168.110.253). How come that the external router is even aware of this traffic? Is this LAN or WAN bound traffic? If it's WAN bound it's only logica...
by magchiel
Fri Sep 30, 2016 12:26 am
Forum: Beginner Basics
Topic: Can help me to configure this networking scheme?
Replies: 8
Views: 2299

Re: Can help me to configure this networking scheme?

Above setup works for the basics under the precondition that the other routers support VLANs. There is no information on the router 1 and 2, but I assume them to be non-Mikrotik. The three specials here can be a bit tricky also depending on the other hardware: blocking specific websites and content is...
by magchiel
Sun Sep 25, 2016 9:08 pm
Forum: Beginner Basics
Topic: Can help me to configure this networking scheme?
Replies: 8
Views: 2299

Re: Can help me to configure this networking scheme?

I know RB951 can setup its wifi range but the position of these two routers are different. RB951 on 3th floor and router 2 on 1st floor. That's not what I meant. You can still use multiple devices at different locations but you use CAPsMAN to manage them from the RB951 (together with your routing, ...
by magchiel
Sun Sep 25, 2016 2:23 pm
Forum: Beginner Basics
Topic: Can help me to configure this networking scheme?
Replies: 8
Views: 2299

Re: Can help me to configure this networking scheme?

Thanks for the response. I thought this requirement is simple. But thanks for the advice. The requirement itself is, the solution less so. May I ask: why the two routers? This can be done much simpler (i.e.: centrally managed) with just the RB951, a couple of VLAN capable switches and MT-based acce...
by magchiel
Sun Sep 25, 2016 2:09 pm
Forum: General
Topic: can't ping second subnet from mikrotik
Replies: 7
Views: 2232

Re: can't ping second subnet from mikrotik

I would like to ping the second router from mikrotik Make sure you ping *from* the correct interface on the MT. I would also like to comunicate with the second router from my main pc which is connected to ether2 this router then preforms some magic with IPTV and Internet as I can't seem to perform ...
by magchiel
Sun Sep 25, 2016 12:25 pm
Forum: General
Topic: Default VLAN (PVID / native vlan) + VLAN on one port
Replies: 14
Views: 27143

Re: Default VLAN (PVID / native vlan) + VLAN on one port

I have one interface (eth5) with 4 VLANs on it. That's easy but how do we say in MikroTik words: put anything untagged in VLAN 5.
/interface ethernet switch port
set ether5 default-vlan-id=5 vlan-header=add-if-missing vlan-mode=fallback
by magchiel
Sun Sep 25, 2016 11:51 am
Forum: General
Topic: PoE Switch opinions
Replies: 2
Views: 1508

Re: PoE Switch opinions

I normally use HP and Cisco for switches, but this is a home user and they have a much smaller budget than my typical client. I'm in the same boat (still waiting for that MT switch that does the basic L2 stuff right... :? ). So far I'm looking at the UBNT EdgeSwitch and Unifi Switch. Any others tha...
by magchiel
Sat Sep 24, 2016 4:36 pm
Forum: Beginner Basics
Topic: cannot reach ipsec tunnel destination from another ipsec tunnel
Replies: 8
Views: 1869

Re: cannot reach ipsec tunnel destination from another ipsec tunnel

Or, alternatively, do not use direct IPsec in tunnel mode, but use a tunnel interface (IPIP, GRE, L2TP) with IPsec protection
and then route the traffic via that tunnel interface.
+1

Using IPsec in transport and separate tunneling makes routing a piece of cake.
by magchiel
Thu Sep 22, 2016 7:33 pm
Forum: Beginner Basics
Topic: Proper way to passthrough IPTV
Replies: 21
Views: 22012

Re: Proper way to passthrough IPTV

...but TV stops after about 7 seconds. In the routed IPTV setups I have done, each and every time this was a multicast problem either caused by too strict firewall rules or inappropriate setup of IGMP snooping. Using torch, connection table and wireshark will supply you with all the information you ...
by magchiel
Thu Sep 22, 2016 5:50 pm
Forum: General
Topic: InterVLAN Routing on CRS [SOLVED]
Replies: 4
Views: 2576

Re: InterVLAN Routing on CRS [SOLVED]

Assigning a master port will not do anything special to that particular port, i.e.: you can use it as you'd use any other port in that particular switch segment, it just acts as an interface between the switch chip and the cpu. You're not stuck to ether 2 either, e.g.: you have ether 4,5,6,7 in use ...
by magchiel
Thu Sep 22, 2016 5:34 pm
Forum: General
Topic: MARK ESTABLISHED,RELATED Packets HTTPS/HTTP
Replies: 10
Views: 3726

Re: MARK ESTABLISHED,RELATED Packets HTTPS/HTTP

Using transparent proxy would break the SSL connection. Is there a way to block this? Not really. You can block all TCP/UDP 53 traffic to prevent the usage of other DNS servers and just rely on your own. A low tech solution would then be to create a static A record for the websites you want to block and...
by magchiel
Mon Sep 19, 2016 12:08 am
Forum: General
Topic: MARK ESTABLISHED,RELATED Packets HTTPS/HTTP
Replies: 10
Views: 3726

Re: MARK ESTABLISHED,RELATED Packets HTTPS/HTTP

The new version of firmware that uses address list to filter/block sites is not working. Please check the above code if there is something wrong with it. Thanks, The trouble is that large scale services like http://www.google.com use an array of addresses to allow for load balancing and high availa...
by magchiel
Sun Sep 18, 2016 10:19 pm
Forum: Beginner Basics
Topic: Setting up VLANS
Replies: 5
Views: 2172

Re: Setting up VLANS

no guarantee (not tested or checked for syntax errors), but something like this should work without taxing your CPU for intra-vlan traffic: /interface ethernet set ether3 master-port=ether2 set ether4 master-port=ether2 set ether5 master-port=ether2 /interface ethernet switch vlan add ports=ether2,e...
by magchiel
Sun Sep 18, 2016 9:45 pm
Forum: Beginner Basics
Topic: Load balancing multiple WAN and VPN
Replies: 11
Views: 13819

Re: Load balancing multiple WAN and VPN

Unlike Ubiquity you can't do a test run and then revert or accept after a few minutes.
Try using safe mode.
by magchiel
Sun Sep 18, 2016 9:41 pm
Forum: Beginner Basics
Topic: cannot reach ipsec tunnel destination from another ipsec tunnel
Replies: 8
Views: 1869

Re: cannot reach ipsec tunnel destination from another ipsec tunnel

Ok, make sense - but how to apply
can you please post an example command?
http://wiki.mikrotik.com/wiki/Manual:Si ... ic_Routing

i.e.
/ip route add dst-address=10.10.0.0/16 gateway=10.1.1.1
by magchiel
Sun Sep 11, 2016 8:16 pm
Forum: Beginner Basics
Topic: cannot reach ipsec tunnel destination from another ipsec tunnel
Replies: 8
Views: 1869

Re: cannot reach ipsec tunnel destination from another ipsec tunnel

At site 1: 10.10.0.0/16 via 10.1.1.1
At Azure: 172.16.3.0/24 via 10.1.1.1
by magchiel
Sun Sep 11, 2016 4:05 pm
Forum: Beginner Basics
Topic: Setting up VLANS
Replies: 5
Views: 2172

Re: Setting up VLANS

OK, let's scrap the VLANS interacting and just have the forwarding of un-tagged packets from ports 2-4 going to VLAN 300. How would I do that? Steps above still apply. If they are access ports (no hybrids with other tagged traffic) use VLAN mode 'always strip' instead of 'add if missing' with defaul...
by magchiel
Sat Sep 10, 2016 9:22 pm
Forum: General
Topic: One ISP Modem, multiple dynamic IP addresses
Replies: 14
Views: 3398

Re: One ISP Modem, multiple dynamic IP addresses

I haven't tried this, but couldn't you use multiple DHCP clients on the same interface with different values for the CLIENT_MAC option?
by magchiel
Sat Sep 10, 2016 9:11 pm
Forum: General
Topic: MARK ESTABLISHED,RELATED Packets HTTPS/HTTP
Replies: 10
Views: 3726

Re: MARK ESTABLISHED,RELATED Packets HTTPS/HTTP

What you're trying to accomplish has been discussed extensively on these forums. This is typically a use case for a transparent proxy in your network.
by magchiel
Sat Sep 10, 2016 2:32 pm
Forum: Beginner Basics
Topic: Setting up VLANS
Replies: 5
Views: 2172

Re: Setting up VLANS

Been a while since I've done this but if memory serves right (coming from a clean configuration): start using your switch chip in order to take some load off your CPU, by configuring master port for ports 3-5 to port 2 in /interface ethernet in /interface vlan, add VLANs 100,200 and 300 as interfaces...
by magchiel
Tue Sep 06, 2016 11:49 pm
Forum: Beginner Basics
Topic: MT noobie here
Replies: 1
Views: 823

Re: MT noobie here

To be honest, if you choose to have routed at the CPE level I can't think of a benefit to have public IPs down at the towers and NAT CPE traffic at the towers, compared to NATting traffic at the core level. You lose the opportunity to centralise IP management (although perhaps with DHCP relay things...
by magchiel
Sun Sep 04, 2016 2:18 pm
Forum: Beginner Basics
Topic: Load balancing multiple WAN and VPN
Replies: 11
Views: 13819

Re: Load balancing multiple WAN and VPN

I think I had a similar experience using PCC. Unfortunately for you, I have then put my LB plans in the fridge until I decided to give the bandwidth based LB script indicated below a try, which didn't give me any troubles with the VPN. Ergo I don't have a working solution for the PCC scenario to sha...
by magchiel
Wed Aug 10, 2016 10:43 am
Forum: General
Topic: Best VPN for RouterOS
Replies: 7
Views: 4229

Re: Best VPN for RouterOS

Depends on your requirements. If you just need some straightforward tunneling that doesn't cost you too much CPU (and/or when you use lower spec hardware), use PPTP. If you need security/confidentiality you may be looking at L2TP over IPsec, while if you need something that easily tunnels through fi...
by magchiel
Wed Aug 10, 2016 10:36 am
Forum: General
Topic: PPTP Client vpn routing all LAN traffic
Replies: 7
Views: 19708

Re: PPTP Client vpn routing all LAN traffic

1- CANNOT ping from router to any ip on remote lan From which interface are you trying to ping? Are you explicitly selecting the PPTP interface when doing this ping? 2- CAN ping from local lan to any ip on the remote lan (!!) So the ping reply is finding its way back suggesting the route setup is ...
by magchiel
Fri Jul 29, 2016 2:24 pm
Forum: General
Topic: Sonos across VLANs?
Replies: 41
Views: 17523

Re: Sonos across VLANs?

Apologies for reviving this older thread, but actually (after research and experimenting) I just got this working (many thanks to this post on the Sonos forums ). Turns out it's actually quite easy using PIM in the multicast package and some minimal firewall rules. Below a slightly altered version o...
by magchiel
Fri Jul 29, 2016 11:06 am
Forum: General
Topic: How to allow a website in RB750
Replies: 24
Views: 5415

Re: How to allow a website in RB750

if you update your router board to routeros 6.36 then you can do it. I am using 6.30 now. If I upgrade to 6.36, how to setup ? you can add website name in firewall rule then accept it. Wouldn't this just be a DNS lookup and still be translated into a fixed IP-based rule? If you want to specifically...
by magchiel
Wed Jul 20, 2016 12:54 pm
Forum: General
Topic: Connection marks not being recognized outbound
Replies: 7
Views: 1939

Re: Connection marks not being recognized outbound

I think you also want to mark on the input chain, not just the prerouting. Here are my mangle rules which show IPsec connections tagged as wanx->cpu. /ip firewall mangle add action=mark-connection chain=input comment=WAN->CPU connection-mark=no-mark in-interface=wan1 new-connection-mark=wan1->cpu ad...
by magchiel
Wed Jul 20, 2016 12:30 pm
Forum: Beginner Basics
Topic: RB951G-2HND Firewall Default Settings
Replies: 3
Views: 2571

Re: RB951G-2HND Firewall Default Settings

I reckon that if you want to learn and be able to troubleshoot, it's best to start out clean in order to know your device inside out. Also, learn to use safemode, create intermediate backups to your PC and make sure you know how to reset your device to defaults in case things go wrong (especially si...
by magchiel
Wed Jul 20, 2016 12:15 pm
Forum: General
Topic: Strange ping behaviour with MikroTik CRS125 over L2TP/IPSEC VPN
Replies: 4
Views: 1944

Re: Strange ping behaviour with MikroTik CRS125 over L2TP/IPSEC VPN

Basically you're now saying 'the return address of all traffic originating from 192.168.6.5 is 192.168.2.7', which will never arrive. If you want to use srcnat, use the router-facing IP of the MT. Compared to src-nat, masquerading will be a bit more flexible should the router-facing IP address be sub...
by magchiel
Tue Jul 19, 2016 9:19 pm
Forum: Beginner Basics
Topic: Masquerading over a PTP link
Replies: 1
Views: 871

Re: Masquerading over a PTP link

Don't think there is one 'correct way' of doing this. Think it depends a little bit on other requirements. If you control both ends (MT), strictly speaking masquerading isn't necessary. You could easily segment the networks into a management, client A and client B network. Avoids having to do double...
by magchiel
Tue Jul 19, 2016 9:07 pm
Forum: General
Topic: Bonding or Failover with asymmetric speed interfaces
Replies: 1
Views: 777

Re: Bonding or Failover with asymmetric speed interfaces

you don't (at least, you're free to test, but the IEEE 802.3ad 2000 specs are limited to same-speed links).

but with that type of CPU power, why not add a higher weighted route for the slower links to achieve the failover as soon as the high speed link goes down?
by magchiel
Tue Jul 19, 2016 8:53 pm
Forum: General
Topic: Limit download per wan port [SOLVED]
Replies: 3
Views: 1263

Re: Limit download per wan port [SOLVED]

how about adding packet marks based on the routing marks to differentiate between the different queues?
by magchiel
Tue Jul 19, 2016 10:11 am
Forum: Beginner Basics
Topic: How to set static IP for webserver?
Replies: 6
Views: 2099

Re: How to set static IP for webserver?

Thank you very much to all of you:) I now have network access to my server... Last question please. I can ping 192.168.88.275 from my windows machine but if I ping via the netbios, I get the following Ping request could not find host freenas. Please check the name and try again. How do I register t...
by magchiel
Tue Jul 19, 2016 10:07 am
Forum: Beginner Basics
Topic: Load balancing multiple WAN and VPN
Replies: 11
Views: 13819

Re: Load balancing multiple WAN and VPN

So main issue is to recognise the traffic. Example: for torrent traffic I have found the P2P profile unreliable (partly because more and more is SSL-based and thus encrypted and hidden from inspection) to consistently route traffic through my VPN without IP-leakage. So I have a src-address based man...
by magchiel
Mon Jul 18, 2016 4:56 pm
Forum: Beginner Basics
Topic: Load balancing multiple WAN and VPN
Replies: 11
Views: 13819

Re: Load balancing multiple WAN and VPN

Thanks but i would prefer adding bandwidth limits to QoS/firewall rules relating to their relevant interfaces. And this would not allow you to do this why exactly? mark connections of interest to route across specific interfaces (e.g. DNS, web traffic, torrent connections) mark connections of inter...
by magchiel
Mon Jul 18, 2016 4:26 pm
Forum: General
Topic: Creating a VPN - Whats Missing ??? Misssing Lan2Lan connection
Replies: 3
Views: 994

Re: Creating a VPN - Whats Missing ???

First check if SA's are properly installed.
Secondly, I just don't understand your dstnat rules. Disable them and add a filter rule on the forward chain to accept traffic. Also, do you have fasttrack disabled?

EDIT: spelling
by magchiel
Mon Jul 18, 2016 3:32 pm
Forum: Beginner Basics
Topic: Load balancing multiple WAN and VPN
Replies: 11
Views: 13819

Re: Load balancing multiple WAN and VPN

so with the asymmetric WAN connections PCC doesn't work too well. Still, it's a matter of properly marking your connections and use queues to limit and/or algorithms to spread the traffic across routes. For the bandwidth based load balancing you might want to refer to http://mum.mikrotik.com/pres...
by magchiel
Mon Jul 18, 2016 3:11 pm
Forum: General
Topic: PPTP Client vpn routing all LAN traffic
Replies: 7
Views: 19708

Re: PPTP Client vpn routing all LAN traffic

no, it's relatively easy. Just create a PPTP-client interface to your customer's server, but don't include a default route. The most straightforward option is to then create a static route to the specific subnet of your customer with the remote address of the VPN connection found on the status tab/m...
by magchiel
Mon Jul 18, 2016 1:56 pm
Forum: General
Topic: PPTP Client vpn routing all LAN traffic
Replies: 7
Views: 19708

Re: PPTP Client vpn routing all LAN traffic

yes no problem. I have a similar setup using an external VPN provider for a portion of the local traffic using policy based routing.
by magchiel
Mon Jul 18, 2016 1:53 pm
Forum: General
Topic: how to vlan on master ports
Replies: 3
Views: 1121

Re: how to vlan on master ports

I agree that VLANs are non-trivial in MS. I may have pointed you in the wrong direction a little bit as CRS has some different chip features. I don't have a CRS so I can't help you from own experience but check out http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port_Based_VLAN and http://wiki.mik...
by magchiel
Mon Jul 18, 2016 10:24 am
Forum: Beginner Basics
Topic: Load balancing multiple WAN and VPN
Replies: 11
Views: 13819

Re: Load balancing multiple WAN and VPN

you're looking for policy based routing. Create rules matching the desired traffic patterns, place routing marks and then create routing rules to route specific traffic across VPN connections. See http://wiki.mikrotik.com/wiki/Policy_Base_Routing. To use your VPN instead of WAN, you could also choo...
by magchiel
Mon Jul 18, 2016 10:13 am
Forum: Beginner Basics
Topic: No internet traffic between CRS 109 and TL-WR1043ND v1
Replies: 1
Views: 817

Re: No internet traffic between CRS 109 and TL-WR1043ND v1

It's entirely unclear to me what exactly you're trying to accomplish. You mention 'repeater', as in 'wireless repeater'? If not and you're actually daisy chaining the two devices in routed mode, I'd stop there and avoid double NAT headaches. A network diagram would help. In principle, the TP-link wo...
by magchiel
Mon Jul 18, 2016 12:04 am
Forum: Beginner Basics
Topic: How to set static IP for webserver?
Replies: 6
Views: 2099

Re: How to set static IP for webserver?

couple of things: -last octet of the IP is invalid (i.e. .275 -> should be <255). -you're adding an address to your routerboard ethernet port, not a static IP of the client that is connected to it. what you're looking for is indeed a static DHCP lease. I suggest you take a look at Greg Sowell's exce...
by magchiel
Sun Jul 17, 2016 11:56 pm
Forum: General
Topic: Strange ping behaviour with MikroTik CRS125 over L2TP/IPSEC VPN
Replies: 4
Views: 1944

Re: Strange ping behaviour with MikroTik CRS125 over L2TP/IPSEC VPN

It's a wild guess without details on the routing tables and NAT/firewall rules but I think you'll find that the router at the sites A and B will not be able to find a route back to the Mikrotik clients to enter the tunnel as it will show up as originating from 192.168.6.x. Then using its default rou...
by magchiel
Sun Jul 17, 2016 10:13 pm
Forum: General
Topic: Issue with RoMON over EoIP
Replies: 18
Views: 8013

Re: Issue with RoMON over EoIP

sorry for not posting back sooner. apparently (as per support response) it's by design and RoMON packets will travel through EoIP bridge to any device in the network *as long as those are not tunnel endpoints*. it is suggested to use the RoMON User policy introduced in 6.35 and use the edge router a...
by magchiel
Sun Jul 17, 2016 9:54 pm
Forum: General
Topic: how to vlan on master ports
Replies: 3
Views: 1121

Re: how to vlan on master ports

If I'm not mistaken you'll have to start using the VLAN config on the switch chip instead of the CPU. See http://wiki.mikrotik.com/wiki/Manual:Sw ... Vlan_Table
by magchiel
Fri Mar 04, 2016 4:37 pm
Forum: General
Topic: Issue with RoMON over EoIP
Replies: 18
Views: 8013

Re: Issue with RoMON over EoIP

magchiel, thank you very much for the detailed problem description.
Please send us (support@mikrotik.com), support output files from "Router1" and "Router2". We will see what could be wrong.
Sent. Thanks in advance.
by magchiel
Fri Mar 04, 2016 12:11 pm
Forum: General
Topic: Issue with RoMON over EoIP
Replies: 18
Views: 8013

Re: Issue with RoMON over EoIP

Simplified diagram (switches and modems left out):

+---------+ eth  +---------+      EoIP      +---------+
| Winbox  +------+ Router1 +----------------+ Router2 |
+---------+      +---------+                +---------+
                      | eth                      | eth
                    siteB                      siteA
                      |                          |
                 +---------+                +---------+
                 |   AP1   |                |   AP2   |
                 +---------+                +---------+

To reiterate the firs...
by magchiel
Thu Mar 03, 2016 11:42 am
Forum: General
Topic: Issue with RoMON over EoIP
Replies: 18
Views: 8013

Issue with RoMON over EoIP

Hi, In the process of testing RoMON in a limited (production) setup between two sites running an RB1100AHx2 as a router and RB912UAG-5HPnD as AP. Both sites are connected through an EoIP tunnel with IPsec. RoMON is enabled and discovery works as advertised (i.e.: all four devices are being discovere...
by magchiel
Tue May 05, 2015 2:19 pm
Forum: General
Topic: MikroTik VPN server with RADIUS authentication
Replies: 3
Views: 8574

Re: MikroTik VPN server with RADIUS authentication

Magchiel: Your reply helped me in getting it to work as I wanted. It is working perfectly now. Great stuff. However, I am wondering is it possible to use RADIUS server authentication for MikroTik OpenVPN as well? hi, sorry I don't use OpenVPN with Mikrotik; the use case for me to use OpenVPN requir...
by magchiel
Wed Mar 18, 2015 1:37 pm
Forum: General
Topic: MikroTik VPN server with RADIUS authentication
Replies: 3
Views: 8574

Re: MikroTik VPN server with RADIUS authentication

Hi, I am trying to figure out, is it possible to use a RADIUS server with MikroTik based VPN server for authenticating VPN clients? yes. What is confusing me is that how will it actually work? Because each PPP Secret under MikroTik is assigned a profile, through which we assign DNS server to the cl...
by magchiel
Thu Mar 05, 2015 9:56 am
Forum: Beginner Basics
Topic: Step Up from the RB2011....?
Replies: 22
Views: 7677

Re: Step Up from the RB2011....?

I only want one box besides the cable thing, that's why I ask for 10 ports (and I never liked that 5 of the RB2011 were only fast, even if I could manage with that). Well to be honest, adding up all these criteria ("not hacking enclosure solution", "one box", "no fan",...
by magchiel
Wed Mar 04, 2015 10:36 pm
Forum: Beginner Basics
Topic: Step Up from the RB2011....?
Replies: 22
Views: 7677

Re: Step Up from the RB2011....?

I have RB1100AHx2 at home (albeit in a closet) which works excellent holding up multiple IPsec and L2TP roadwarrior configs. Was in the same boat as you (CCR vs 1100AHx2) but chose the proven technology. Haven't looked back to be honest: absolutely rocksolid and fast. Recently have deployed a couple...
by magchiel
Fri Feb 20, 2015 11:07 am
Forum: General
Topic: VPN To 3 Sites
Replies: 12
Views: 6471

Re: VPN To 3 Sites

well it can certainly find a route through site A then, it just can't progress afterwards. No firewall rules blocking?
as to the 192.168.1.100/24 for your WAN address: I was under the impression this was 10.10.10.100/xx?

Can you give us a /ppp export verbose hide-sensitive?
by magchiel
Fri Feb 20, 2015 10:31 am
Forum: RouterBOARD hardware
Topic: Buying advice: CRS226-24G-2S+RM or HP V1910-24G
Replies: 6
Views: 3476

Re: Buying advice: CRS226-24G-2S+RM or HP V1910-24G

G'day, I've been running 2 x 1910-16G units in my home lab for the better part of the last year, and I'll be replacing them. Whilst they are feature rich, they are just too damn noisy! I'm going to be replacing them with the 1810-24G v2 units, fanless. thanks for the headsup! I was under the impres...
by magchiel
Wed Feb 18, 2015 11:56 pm
Forum: Beginner Basics
Topic: How to tunnel two subnets over a single dsl connection for multiple sites ?
Replies: 2
Views: 1046

Re: How to tunnel two subnets over a single dsl connection for multiple sites ?

I'm using IPIP+IPsec for this with static routes. See http://gregsowell.com/?p=1290.

More advanced options could be found going down the OSPF or MPLS route but for three networks I couldn't be bothered with it, just set up the tunnel, encryption, static routes and be done with it.
by magchiel
Wed Feb 18, 2015 11:48 pm
Forum: Beginner Basics
Topic: routing between lans throug an ipsec without NAT
Replies: 5
Views: 1663

Re: routing between lans throug an ipsec without NAT

Are you sure it'll match properly with that subnet? Anyway I already exclude internal networks in the masquerading rule like 1 ;;; masquerade external traffic chain=srcnat action=masquerade src-address=xxx.xxx.xxx.xxx/xx dst-address-list=!masq_whitelist out-interface=wan log=no log-prefix="&quo...
by magchiel
Wed Feb 18, 2015 11:25 pm
Forum: General
Topic: VPN To 3 Sites
Replies: 12
Views: 6471

Re: VPN To 3 Sites

I don't personally do PPTP (and wouldn't recommend it as a secure way to connect sites) so perhaps someone else should chime in here as well. As you indicate there is communication between A and B as well as A and C. I don't know what hardware or configuration you have in place at sites B and C...
by magchiel
Wed Feb 18, 2015 3:11 pm
Forum: Announcements
Topic: RouterOS v6.27 released
Replies: 273
Views: 133987

Re: RouterOS v6.27 released

magchiel - Please generate supout file on your device and send it to support@mikrotik.com.
done.
by magchiel
Wed Feb 18, 2015 2:39 pm
Forum: RouterBOARD hardware
Topic: Buying advice: CRS226-24G-2S+RM or HP V1910-24G
Replies: 6
Views: 3476

Re: Buying advice: CRS226-24G-2S+RM or HP V1910-24G

Thanks for the replies. Encouraging that they seem stable and be able to scale, less encouraging that featurewise they are used in relatively simple setups. I don't need the SFP and in that light it seems a bit light on switch features for the money to be honest. As I was forced to temporarily move a ...
by magchiel
Wed Feb 18, 2015 2:23 pm
Forum: Announcements
Topic: RouterOS v6.27 released
Replies: 273
Views: 133987

Re: RouterOS v6.27 released

RB1100AHx2 switch functionality seems affected after upgrading from ROS6.25/RB3.18 to ROS6.27/RB3.22 resulting in periodic dropouts of the network as well as a flapping port to my 10MBit VoIP device. Switch configuration is: /interface ethernet set [ find default-name=ether6 ] arp=proxy-arp set [ fi...
by magchiel
Wed Feb 18, 2015 10:01 am
Forum: General
Topic: VPN To 3 Sites
Replies: 12
Views: 6471

Re: VPN To 3 Sites

you need to give us some more information on what you're using for VPN. Is it just regular IPsec site-to-site? Have you configured routing correctly on all ends? Not masqing IPs? If you're doing IPsec in tunnel mode it won't work. AFAIK if you want routing in your VPN setup you have to setup IPIP tu...
by magchiel
Mon Feb 16, 2015 10:21 am
Forum: RouterBOARD hardware
Topic: Buying advice: CRS226-24G-2S+RM or HP V1910-24G
Replies: 6
Views: 3476

Buying advice: CRS226-24G-2S+RM or HP V1910-24G

Hi all, Looking for some feedback before biting the bullet on buying a new switch. Currently using a lot of Mikrotik around me (router and wireless; RB1100AHx2, RB850Gx2, RB951G-2HPnD, RB912UAG-5HPnD + R11e-2HPnD) and the time has come for me to upgrade my switching appliance. Currently my switches ...
by magchiel
Sun Nov 23, 2014 12:16 pm
Forum: General
Topic: PPTP VPN
Replies: 6
Views: 3226

Re: PPTP VPN

Double check a) whether traffic is flowing properly through the tunnel to the outside world and b) whether DNS settings are correct. You can check a) e.g. by doing a traceroute to some outbound IP e.g. 8.8.8.8 (not hostname in case DNS is crooked) or by opening a torch on your PPTP interface and sta...
by magchiel
Fri Nov 21, 2014 6:06 pm
Forum: General
Topic: IP tunnel going up-down every 30s
Replies: 2
Views: 2113

Re: IP tunnel going up-down every 30s

anyone? :?
by magchiel
Fri Nov 21, 2014 6:05 pm
Forum: General
Topic: PPTP VPN
Replies: 6
Views: 3226

Re: PPTP VPN

A little bit more information would be helpful. Are you looking at some kind of hairpin configuration? Secondly, PPTP is considered insecure. Better to use L2TP. Personally, I use L2TP to dial in with a Windows client from a remote location and all traffic is pushed through the VPN by default, i.e. ...
by magchiel
Fri Nov 21, 2014 5:53 pm
Forum: General
Topic: Central management for authentification
Replies: 8
Views: 3306

Re: Central management for authentification

authentication to what? PPP? Hotspot? Looked at RADIUS?
by magchiel
Fri Nov 21, 2014 5:44 pm
Forum: General
Topic: Firewall rules to block outgoing SMTP
Replies: 2
Views: 11163

Re: Firewall rules to block outgoing SMTP

This rule blocks traffic TO the known servers, not prevent spammers within your network. I would reverse the rule using src-address-list and add an ACCEPT rule before the drop to allow traffic to your server to allow access to these servers. add chain=forward protocol=tcp dst-port=25,587 dst-address...
by magchiel
Tue Nov 18, 2014 3:54 pm
Forum: General
Topic: IP tunnel going up-down every 30s
Replies: 2
Views: 2113

IP tunnel going up-down every 30s

Hi all, Weird issue which I can't seem to diagnose. I have a site-to-site IPIP tunnel with IPsec between a RB1100AHx2 and a RB951G. On the RB1100AHx2 the log shows 30s after the tunnel interface is up, the interface is going down. 30s later the tunnel is up again: 13:31:21 interface,info ipip3 link ...
by magchiel
Mon Oct 20, 2014 2:54 pm
Forum: RouterBOARD hardware
Topic: mAP2n + RB260GSP vs RB951G-2HnD
Replies: 0
Views: 1067

mAP2n + RB260GSP vs RB951G-2HnD

As a follow-up to another thread regarding the wireless capabilities of the mAP2n , as I also need some couple gigabit switching ports in the same room I'm planning to use the on the fence between getting the mAP2n combined with the RB260GSP (http://routerboard.com/RB260GSP) (and use PoE to power...
by magchiel
Sun Oct 19, 2014 3:37 pm
Forum: Wireless Networking
Topic: WDS mesh with mAP2N?
Replies: 0
Views: 990

WDS mesh with mAP2N?

Hi all, I'd like to know if it's possible to use the mAP2N to create a WDS mesh with a CRS109 as described on the wiki ? Or is the mAP2N somehow limited in its wireless functions? Use case is to boost wireless reception in a single room while providing roaming for wireless clients and offloading tra...
by magchiel
Sat May 10, 2014 5:27 pm
Forum: RouterBOARD hardware
Topic: Advice on hardware for RB based dual channel AP
Replies: 0
Views: 1221

Advice on hardware for RB based dual channel AP

Hi, I'm looking to upgrade my home wifi system. Currently I'm already using an RB1100AHx2 which managementwise is a dream so also choosing Mikrotik for wifi seems the logical choice. Looking at the various Routerboard and interface options however I'm in doubt what would be the best combination for ...
by magchiel
Mon Jan 06, 2014 3:34 pm
Forum: General
Topic: /tool dns-update for updating PTR and deleting records
Replies: 1
Views: 3919

/tool dns-update for updating PTR and deleting records

Hi all, Starting December I'm happily using a RB1100AHx2 to replace a Netgear WNDR3800 running OpenWRT. It was a necessary upgrade to have enough grunt to run a 100Mbps IPsec tunnel. DHCP and DNS services used to be running on the WNDR3800 on Dnsmasq. Unfortunately RouterOS' DNS functionality is a b...