Search found 997 matches

by cdiedrich
Mon Oct 24, 2022 3:59 pm
Forum: General
Topic: VRRP sync-connection-tracking with multiple vrrp interfaces
Replies: 1
Views: 861

VRRP sync-connection-tracking with multiple vrrp interfaces

I haven't found any hint in the forums or manual pages yet and hope for clarification. I have a pair of routers, each running 3 vrrp interfaces. Identical config. I'm about to upgrade to 7.6 (from 6.49.6) soon to take advantage of synced connection tracking. Do I need to enable sync-connection-trac...
by cdiedrich
Fri Feb 26, 2021 5:50 pm
Forum: Forwarding Protocols
Topic: VPN Client Isolation from one another
Replies: 7
Views: 3160

Re: VPN Client Isolation from one another

Well, the "single drop rule" was just half of the story ;-) The # of "just allow rules on top of that single drop rule" would most likely be the same as my suggestion ;-) I'll get you some chocolate - once traveling and live events are possible again, I'd be happy to meet you for...
by cdiedrich
Fri Feb 26, 2021 1:43 pm
Forum: General
Topic: PTZ controller overloaded with data?
Replies: 6
Views: 1104

Re: PTZ controller overloaded with data?

My two cents: /ip neighbor discovery-settings set discover-interface-list=none Given that the largest volumes of data in the network should be the video streams, I'd assume there's rather some kind of packets the keyboard doesn't know how to handle, which may cause an overflow of some buffer despi...
by cdiedrich
Fri Feb 26, 2021 1:42 pm
Forum: General
Topic: PTZ controller overloaded with data?
Replies: 6
Views: 1104

Re: PTZ controller overloaded with data?

Man, I know - I'm working with NDI almost daily ;-) We have had very good experience with UDP unicast (tcp tends to be laggy from time to time). Even two or three destinations work well in this setup. Unfortunately, I don't have any experience with MikroTik switching (using them as routers only), all our...
by cdiedrich
Fri Feb 26, 2021 12:51 pm
Forum: General
Topic: PTZ controller overloaded with data?
Replies: 6
Views: 1104

Re: PTZ controller overloaded with data?

Since your setup is really small - do you really need multicast? Looks like every NDI source connects to one destination only. Quickest way would be going unicast.
Apart from this, your config looks good to me.
-Chris
by cdiedrich
Fri Feb 26, 2021 10:48 am
Forum: Beginner Basics
Topic: Turn off Neighbor discovery
Replies: 5
Views: 3466

Re: Turn off Neighbor discovery

You're talking about clients - so I guess you provide Internet service? And your client-facing network is basically just a L2 domain and you want to totally block discovery within this domain? So not just making your Tik devices invisible to them but also theirs from one another? Then it depends on...
by cdiedrich
Thu Feb 25, 2021 7:25 pm
Forum: Forwarding Protocols
Topic: VPN Client Isolation from one another
Replies: 7
Views: 3160

Re: VPN Client Isolation from one another

I wish I was as smart as anav whom I appreciate and respect as a vivid forum member ever since - but I guess everyone has a bad day now and then. And yes, I totally missed the scale. How about this one - can be created by script and should basically do what is needed - still some lines per tenant: ...
by cdiedrich
Thu Feb 25, 2021 4:40 pm
Forum: Forwarding Protocols
Topic: VPN Client Isolation from one another
Replies: 7
Views: 3160

Re: VPN Client Isolation from one another

/ip firewall filter
add chain=forward action=drop src-address=10.10.10.0/24 dst-address=10.10.11.0/24 comment="Drop A to B"
add chain=forward action=drop src-address=10.10.11.0/24 dst-address=10.10.10.0/24 comment="Drop B to A"
Done.
-Chris
by cdiedrich
Wed Feb 24, 2021 6:42 pm
Forum: General
Topic: DNS-resolution without DNS-Sever, Route or IP
Replies: 6
Views: 1800

Re: DNS-resolution without DNS-Sever, Route or IP

Winbox is using your computer's DNS settings.
resolve command in terminal is using the router's DNS settings.
-Chris
by cdiedrich
Wed Feb 24, 2021 2:17 pm
Forum: Beginner Basics
Topic: Internet / VPN Problem
Replies: 12
Views: 2129

Re: Internet / VPN Problem

Looks like a device with the private MAC address 00:00:5e:00:01:6F (this belongs to a VRRP interface) is doing proxy-arp.
The reply from that MAC address with IP 192.168.2.3 points to a D-Link AP. I'd check its settings.
-Chris
by cdiedrich
Tue Feb 23, 2021 6:24 pm
Forum: The User Manager
Topic: DHCP server problem
Replies: 14
Views: 33409

Re: DHCP server problem

Didn't see anything that would point to a dhcp server problem. I guess you know your firewall is pretty wide open, don't you? Just out of curiosity: do your udp dst-nat rules include port 67 and/or 68? What's the actual mac address of your 1100's bridge? I see a duplicated mac address in your switch...
by cdiedrich
Tue Feb 23, 2021 5:53 pm
Forum: Useful user articles
Topic: iPhones, work and school computers not communicating fully
Replies: 1
Views: 9845

Re: iPhones, work and school computers not communicating fully

Yes. This is the only possible answer to your question. Without knowing anything about your setup, nobody can help you. There's obviously no switch "make everything work perfectly" which is disabled by default and has just to be turned on. So please share some information with us, the mini...
by cdiedrich
Sun Jan 31, 2021 12:51 pm
Forum: General
Topic: CapsMan Wifi Interfaces
Replies: 2
Views: 603

Re: CapsMan Wifi Interfaces

That can really be misleading.
To see the actual managed interfaces, you need to look at your caps manager.
The output of the managed CAP is just an indication that you can't do anything there b/c it is managed by CAPsMAN.
-Chris
by cdiedrich
Tue Jan 12, 2021 7:50 pm
Forum: Virtualization
Topic: ESXI7.0 CHR How to improve performance with Hyper-thread enabled
Replies: 3
Views: 7430

Re: ESXI7.0 CHR How to improve performance with Hyper-thread enabled

Well, you said when turning off HT your other instances (vms?) suffer degraded performance - so my advice was for a scenario with HT still being enabled. CPU affinity is a good path to go to make sure the assigned vCPUs are not running on the same physical core in a HT environment. And just out of cu...
by cdiedrich
Mon Jan 11, 2021 5:54 pm
Forum: Virtualization
Topic: ESXI7.0 CHR How to improve performance with Hyper-thread enabled
Replies: 3
Views: 7430

Re: ESXI7.0 CHR How to improve performance with Hyper-thread enabled

Using Hyperthreading with CPU-intense workloads is far from being a good idea.
If not done yet, I'd check CPU affinity (make sure the vCPUs assigned to your CHR instance are not on the same physical cores) and probably add a CPU reservation for the vm at 125% of its average load.
Good luck,
-Chris
by cdiedrich
Thu Nov 05, 2020 5:48 pm
Forum: General
Topic: ssh key auth issues between two rOS devices
Replies: 7
Views: 1708

Re: ssh key auth issues between two rOS devices

Now this makes so much sense...
Thanks for opening my eyes.
Now these commands are to be used in scripts run by the scheduler - will that be run with the account of the script owner?

Thanks!
-Chris
by cdiedrich
Thu Nov 05, 2020 5:05 pm
Forum: General
Topic: ssh key auth issues between two rOS devices
Replies: 7
Views: 1708

Re: ssh key auth issues between two rOS devices

a standard company-wide admin account
by cdiedrich
Thu Nov 05, 2020 3:55 pm
Forum: General
Topic: ssh key auth issues between two rOS devices
Replies: 7
Views: 1708

Re: ssh key auth issues between two rOS devices

Dang - and this happens to me :-) Exact same output on both devices:
/user ssh-keys prin
Flags: R - RSA, D - DSA
 #   USER     BITS   KEY-OWNER
 0 R remote   2048   user@computer
/user ssh-keys priva prin
Flags: R - RSA, D - DSA
 #   USER     BITS   KEY-OWNER
 0 R remote   2048   user@computer
by cdiedrich
Thu Nov 05, 2020 2:49 pm
Forum: General
Topic: ssh key auth issues between two rOS devices
Replies: 7
Views: 1708

ssh key auth issues between two rOS devices

Morning all, My goal is to make two routers talk to each other in a script with ssh-exec. I created a user and keys according to this Wiki article . But when trying to fire a command from a remote router (with the exact same user and key config), I always receive an authentication error while the de...
by cdiedrich
Thu Nov 05, 2020 1:28 pm
Forum: Beginner Basics
Topic: Limit connection VPN [SOLVED]
Replies: 5
Views: 4699

Re: Limit connection VPN [SOLVED]

Your question is a bit ambiguous. Do you have a problem that only ten users can connect concurrently and you want more users or do you want to limit the amount of concurrent vpn connections to a total of ten? Either way, post an export of your config and we can see to find a way to accomplish the one ...
by cdiedrich
Thu Nov 05, 2020 1:21 pm
Forum: Forwarding Protocols
Topic: Need help with Server connection/forwarding on CCR1036
Replies: 2
Views: 1241

Re: Need help with Server connection/forwarding on CCR1036

Let's assume your servers are configured in a /24 subnet and .1 of this subnet is their default g/w, it'll be this:
/ip address
add interface=ether3 address=192.168.2.1/24 disabled=no
add interface=ether4 address=192.168.3.1/24 disabled=no
by cdiedrich
Wed Sep 30, 2020 3:38 pm
Forum: Scripting
Topic: Sending Post Request with Headers or JSON Body
Replies: 1
Views: 1326

Re: Sending Post Request with Headers or JSON Body

The fetch tool has improved quite a lot since 5.25.
Just looked at it on my 6.46.7 version and now there are header-field and http-method parameters (like get, put, post, delete). Have a look at the manual entry.
Probably it's just a routerOS upgrade you need.

-Chris
by cdiedrich
Wed Sep 23, 2020 3:52 pm
Forum: Virtualization
Topic: Winbox has been disconnected
Replies: 6
Views: 9338

Re: Winbox has been disconnected

Hmm..
Which versions are CCR, CHR and Winbox running?
Did you try "Legacy Mode" from The Tools menu to connect?

-Chris
by cdiedrich
Wed Sep 23, 2020 12:56 pm
Forum: Virtualization
Topic: Winbox has been disconnected
Replies: 6
Views: 9338

Re: Winbox has been disconnected

The information provided is too little to really help. Does your CHR have connectivity at all when checking from vm console? Does it do its job beside Winbox connectivity? Did I get it right that you can connect to the web interface but not through Winbox? How are you connecting through Winbox? via I...
by cdiedrich
Mon Sep 21, 2020 1:54 pm
Forum: The Dude
Topic: Web Access in Dude Server 6.45.7
Replies: 5
Views: 10610

Re: Web Access in Dude Server 6.45.7

Web access to the dude is pretty limited, but possible.
Just log into webfig of your hEX and navigate to Dude.
It's totally OK to view network maps which already have been created - but not much more.

It might be a good idea to create a separate user for this together with a custom skin.

-Chris
by cdiedrich
Fri Sep 18, 2020 4:21 pm
Forum: Forwarding Protocols
Topic: Dynamic Routing Problem
Replies: 3
Views: 5179

Re: Dynamic Routing Problem

Check your subnetting. Your "external" router sees the src address of 73.65/27 as a local address b/c it's in the range of 73.0/24.
This would also not work with Cisco.
Try adding a static route to your "external" router for 73.64/24 with gw=73.3 then it should work.

-Chris
by cdiedrich
Wed Sep 16, 2020 3:14 pm
Forum: Wireless Networking
Topic: Can't connect to Wireless
Replies: 3
Views: 6360

Re: Can't connect to Wireless

I've had a similar problem with a client of mine quite a while back and the behavior was exactly the same. Try setting "group ciphers" to TKIP in your security profile and give it another try. And make sure you're using a clean 20MHz channel on the TP-Link, ideally on 1,6 or 11 as @erlinde...
by cdiedrich
Wed Sep 16, 2020 12:03 pm
Forum: General
Topic: Terrible speeds over point to point 10G SFP+
Replies: 5
Views: 1144

Re: Terrible speeds over point to point 10G SFP+

Simple solution:
Do not use the devices for testing (well, better: guessing) bandwidths. It's always a CPU bottleneck.
Get yourself two computers, connect them to the switches and run iPerf on them.
-Chris
by cdiedrich
Mon Sep 14, 2020 6:06 pm
Forum: The Dude
Topic: Concatenate - how to properly escape double quotes?
Replies: 3
Views: 4992

Re: Concatenate - how to properly escape double quotes?

Now that is brilliant!
Will try this first thing tomorrow morning.
Thanks a lot - the easiest things rarely are that obvious.

-Chris
by cdiedrich
Wed Sep 09, 2020 4:17 pm
Forum: RouterBOARD hardware
Topic: LtAP Mini on USB Powerbank
Replies: 6
Views: 1847

Re: LtAP Mini on USB Powerbank

Well, according to the LTAP mini datasheet, it draws a maximum power of 9W.
That represents 1800mA current at 5VDC. So a fully charged 6000mAh power bank should last about 3:20h under perfect conditions. You should be safe assuming 2:30...2:45h realistically.
-Chris
by cdiedrich
Wed Sep 09, 2020 4:13 pm
Forum: Virtualization
Topic: VMware Esxi Use Virtual Mikrotik
Replies: 3
Views: 8379

Re: VMware Esxi Use Virtual Mikrotik

Now that's by design, unfortunately. The most pragmatic way would be filtering by IP address.
-Chris
by cdiedrich
Wed Sep 09, 2020 2:46 pm
Forum: Virtualization
Topic: VMware Esxi Use Virtual Mikrotik
Replies: 3
Views: 8379

Re: VMware Esxi Use Virtual Mikrotik

First, you need to enable promiscuous mode on the vswitch port groups your routerOS vm is connected to. Since that impacts all other vms as well, I'd advise to create another port group just for this vm on the vSwitch (the one that has physical adapters and has the "VM Network" port group ...
by cdiedrich
Tue Sep 08, 2020 1:32 pm
Forum: The Dude
Topic: Dude device bulk password change
Replies: 6
Views: 5849

Re: Dude device bulk password change

As long as the devices are on a map, you can multi-select the devices in question, right-click, settings and just update the password there. Do not touch any other fields.
-Chris
by cdiedrich
Mon Sep 07, 2020 6:27 pm
Forum: The Dude
Topic: The dude server update to 6.47.3 in CHR r750gr3
Replies: 5
Views: 5273

Re: The dude server update to 6.47.3 in CHR r750gr3

Yes, that will definitely work.
by cdiedrich
Mon Sep 07, 2020 2:24 pm
Forum: The Dude
Topic: The dude server update to 6.47.3 in CHR r750gr3
Replies: 5
Views: 5273

Re: The dude server update to 6.47.3 in CHR r750gr3

You'll need to update your system package as well. The Dude package can't be a different version than routerOS. The easiest way would be to go through the normal update process via System -> Packages -> Check for updates. This will update all necessary packages. And, of course, the platform has to m...
by cdiedrich
Fri Sep 04, 2020 7:42 pm
Forum: General
Topic: VPN and subnet have different netmasks
Replies: 11
Views: 3931

Re: VPN and subnet have different netmasks

First: You won't need any bridge for vpn access. Instead of poking into the dark, please post an export of your config and let us know what you exactly want to achieve. "Doesn't see anything in the subnet" is still too vague. Re-reading your initial post now makes me guess you want a site2...
by cdiedrich
Tue Sep 01, 2020 5:24 pm
Forum: General
Topic: VPN and subnet have different netmasks
Replies: 11
Views: 3931

Re: VPN and subnet have different netmasks

Nope.
Just create a dedicated IP pool separate from your local subnet for vpn clients and let them use these addresses.
-Chris
by cdiedrich
Mon Aug 31, 2020 4:56 pm
Forum: Beginner Basics
Topic: UDP blocked over VPN issue
Replies: 1
Views: 1189

Re: UDP blocked over VPN issue

The problem is not UDP but that it's Multicast
Check this post by @doneware and the whole thread.
-Chris
by cdiedrich
Thu Aug 20, 2020 2:18 pm
Forum: Beginner Basics
Topic: Точка - многоточка
Replies: 9
Views: 1605

Re: Точка - многоточка

Well, it's not free actually but bound to the (disk on the) device and being paid for with the purchase of the device. As long as you see a running routerOS when it's booted, you're safe. There's no recurring cost.
-Chris
by cdiedrich
Wed Aug 19, 2020 3:06 pm
Forum: The Dude
Topic: Concatenate - how to properly escape double quotes?
Replies: 3
Views: 4992

Concatenate - how to properly escape double quotes?

Good afternoon all, I'm trying to create a custom probe with passing device_property("FirstAddress") into a ros_command by concatenating the string. I'm struggling to correctly escape double quotes into the concatenated result. Escaping with a leading \ I get a "parse error" as w...
by cdiedrich
Thu Aug 13, 2020 3:11 pm
Forum: General
Topic: winbox size in 4k screen
Replies: 5
Views: 2057

Re: winbox size in 4k screen

Haven’t tried it myself with winbox, but it might be worth a shot creating a scaling manifest file as described here in point 4.
-Chris
by cdiedrich
Thu Aug 13, 2020 12:30 pm
Forum: General
Topic: winbox size in 4k screen
Replies: 5
Views: 2057

Re: winbox size in 4k screen

Tools -> Zoom In
by cdiedrich
Tue Jul 28, 2020 1:05 pm
Forum: Beginner Basics
Topic: How to identify network adapters
Replies: 1
Views: 951

Re: How to identify network adapters

Common practice is checking mac addresses - the last two bytes should be way enough to figure out on such a small NIC count.
The other way would be hooking up a dumb switch to the empty NIC and see which one goes up in routerOS.

-Chris
by cdiedrich
Mon Jul 27, 2020 3:14 pm
Forum: Forwarding Protocols
Topic: Cisco Router to Mikrotik Router Etherchannel(Bonding) issue
Replies: 3
Views: 10488

Re: Cisco Router to Mikrotik Router Etherchannel(Bonding) issue

Hmm... I don't see any obvious misconfiguration in your setup. Just double-checked it with a bonding I have up and running here and the only differences I see are explicit LACP protocol assignment to the interfaces on the cisco side and plain layer2-hashing on the Tik side. Here's my working config (...
by cdiedrich
Mon Jul 27, 2020 10:59 am
Forum: Beginner Basics
Topic: How to configure secure wireless bridge between MikroTiks [SOLVED]
Replies: 4
Views: 2413

Re: How to configure secure wireless bridge between MikroTiks [SOLVED]

Now that's simple.

execute this command on both ends, station side first:
/int w60g set [find] password=yoursafepassword
After they reconnect, traffic is encrypted.
-Chris
by cdiedrich
Fri Jul 24, 2020 2:06 pm
Forum: Beginner Basics
Topic: How to configure secure wireless bridge between MikroTiks [SOLVED]
Replies: 4
Views: 2413

Re: How to configure secure wireless bridge between MikroTiks [SOLVED]

The information provided is pretty little. In case it is just a transparent bridge, you can only encrypt the transport link. If your links are running 802.11, first step would be to encrypt the w/l traffic with WPA2-PSK. Create identical security profiles on each end of a link and use them in the wi...
by cdiedrich
Thu Jul 16, 2020 2:17 pm
Forum: Beginner Basics
Topic: Mikrotik and Esxi 6.7 NIC teaming (802.3ad) ISSUE
Replies: 4
Views: 6791

Re: Mikrotik and Esxi 6.7 NIC teaming (802.3ad) ISSUE

The problem is neither the physical switch nor the routerOS license level. It's in ESX. Link aggregation is only supported on distributed switches. These are only available from vSphere enterprise license level upwards. All standard vSwitches in ESXi balance the vm NICs between all uplinks of the vS...
by cdiedrich
Sun Jul 12, 2020 11:13 pm
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 54
Views: 24924

Re: 802.11r/k, Band Steering

Yeah, it’s really sad. Due to the lack of standardized roaming features I replaced about 700 centrally managed APs in 20+ locations with Meraki just in the past two years...
by cdiedrich
Sun Jul 12, 2020 12:13 pm
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 54
Views: 24924

Re: 802.11r/k, Band Steering

Hahahaha...
No.
:(
by cdiedrich
Sun Jun 21, 2020 11:30 am
Forum: Forwarding Protocols
Topic: Ethernet loaad balance
Replies: 5
Views: 2285

Re: Ethernet loaad balance

I think the best start would be that you post an export of your config. Then we can take a deeper look.
-Chris
by cdiedrich
Fri Jun 19, 2020 2:35 pm
Forum: Forwarding Protocols
Topic: Ethernet loaad balance
Replies: 5
Views: 2285

Re: Ethernet loaad balance

That's pretty little information. I guess you already know that the ideal solution would be replacing your CCR with one that actually has SFP+ slots. You could distribute your ten addresses across multiple physical interfaces, no bridges. Then you can set routes for all interfaces to the same gatewa...
by cdiedrich
Fri Jun 12, 2020 1:18 pm
Forum: Virtualization
Topic: ERROR: System ID on this CHR has been regenerated multiple times - please create new installation
Replies: 1
Views: 4960

Re: ERROR: System ID on this CHR has been regenerated multiple times - please create new installation

I had exactly this issue a couple of weeks ago and contacted support about it (Ticket # SUP-16818)
They say there is no way around this and advise a fresh install :-(
Totally agree on being cumbersome. Where feasible, we're going back to basic x86 images.
-Chris
by cdiedrich
Wed May 20, 2020 12:41 pm
Forum: Wireless Networking
Topic: 4k over wifi
Replies: 35
Views: 9742

Re: 4k over wifi

I doubt that will ever work with both peers connected to the same AP. A 4k stream allocates a significant amount of bandwidth - and your AP will have to receive and transmit it at the same time. If there is absolutely no chance to have at least one end wired, the only chance I see is adding a dedica...
by cdiedrich
Mon Apr 27, 2020 12:06 pm
Forum: Scripting
Topic: Each time the LAN IP obtained from dhcp after the host restarts is different from the last time
Replies: 4
Views: 3312

Re: Each time the LAN IP obtained from dhcp after the host restarts is different from the last time

The easiest way would be making the lease static. If not possible for whichever reason, you can retrieve the active IP by mac address with
/ip dhcp-server lease get [find mac-address=00:01:02:03:04:05] address
And use this to adjust the netwatch script.
by cdiedrich
Thu Apr 23, 2020 1:05 pm
Forum: Scripting
Topic: Each time the LAN IP obtained from dhcp after the host restarts is different from the last time
Replies: 4
Views: 3312

Re: After an IP of the intranet goes offline, the following command is automatically executed

/tool netwatch
add down-script="/int pppoe-client set pppoe-out10 disabled=yes\r\
    \n:delay 3s\r\
    \n/int pppoe-client set pppoe-out10 disabled=no\r\
    \n" host=192.168.88.10
by cdiedrich
Thu Apr 23, 2020 10:53 am
Forum: The Dude
Topic: The Dude link Label apparence probleme Ros_command with as-value [SOLVED]
Replies: 4
Views: 25114

Re: The Dude link Label apparence probleme Ros_command with as-value [SOLVED]

I'd say it's about your double quotes - the "inner" double quotes need to be escaped.
try this:
[ros_command(":put ([interface ethernet monitor sfpplus1 once as-value]->\"sfp-vendor-part-number\")")]
by cdiedrich
Fri Mar 06, 2020 11:42 am
Forum: General
Topic: feature request ADVANCED DNS Server
Replies: 46
Views: 19139

Re: feature request ADVANCED DNS Server

Totally with pe1chl. For the conditional forwarders I'd love to see having this possibility for reverse lookups as well. Like That is not different functionality. To have reverse working for subnet 172.16.16.0/24 you configure an NS record for 16.16.172.in-addr.arpa. (and the router should forward ...
by cdiedrich
Fri Mar 06, 2020 11:21 am
Forum: General
Topic: feature request ADVANCED DNS Server
Replies: 46
Views: 19139

Re: feature request ADVANCED DNS Server

Totally with pe1chl. For the conditional forwarders I'd love to see having this possibility for reverse lookups as well. Like /ip dns add conditional-forwarders=10.20.30.40,10.20.31.40 domains=test.com,xyz.org subnets=10.20.30.0/23 add conditional-forwarders=172.16.16.16 subnets=172.16.16.0/24,192.1...
by cdiedrich
Thu Mar 05, 2020 10:37 am
Forum: Forwarding Protocols
Topic: Configuring the wlan1 onto a different subnet
Replies: 3
Views: 3835

Re: Configuring the wlan1 onto a different subnet

First, please put config exports into code blocks, makes it much easier to read. For your problem, this should fix it: ## make sure your dhcp sends out dns servers and correct gateways. A Gateway must be in the same subnet to be reachable. /ip dhcp-server network add address=192.168.10.0/24 gateway=...
by cdiedrich
Wed Mar 04, 2020 8:30 am
Forum: The Dude
Topic: Insert Image in Dude
Replies: 6
Views: 19145

Re: Insert Image in Dude

You can do this with the "Static Network Element".
Insert, right-click, select Appearance, select image (previously uploaded to the Dude), choose a proper scale for the image, select rectangle as shape and use white as color.
-Chris
by cdiedrich
Mon Feb 03, 2020 12:16 pm
Forum: Beginner Basics
Topic: IP Neighbor Duplicates
Replies: 9
Views: 6888

Re: IP Neighbor Duplicates

I've seen this a couple of times (count is easily three-digit) and it is really annoying. The interface list for discovery should only contain the bridge the lan-facing interface is bound to. No physical interfaces belonging to the same bridge. In 100% of my cases the issue only appeared on access p...
by cdiedrich
Fri Jan 31, 2020 12:06 pm
Forum: Scripting
Topic: Disabling interface with script
Replies: 3
Views: 3010

Re: Disabling interface with script

With VRRP you already have everything you need. You can use any private network for VRRP, like 172.16.16.0/29. Then use .2/30 and .3/30 for the physical interface addresses and .1/32 for the VRRP address. Then add your public IP with correct subnet mask to that vrrp interface as well. It will follow...
by cdiedrich
Fri Jan 17, 2020 3:32 pm
Forum: General
Topic: Traffic segmentation on an interface level?
Replies: 8
Views: 3216

Re: Traffic segmentation on an interface level?

I have to chime in in not seeing a proper solution but I totally understand the demand. A dodgy solution with a noticeable admin overhead would be bridge horizon and static routes for all hosts in the same subnet via the default g/w. And this being set on each and every host. Far from nice, far from...
by cdiedrich
Fri Jan 17, 2020 3:15 pm
Forum: General
Topic: vrrp and multiple ip.
Replies: 4
Views: 1631

Re: vrrp and multiple ip.

Just for the first - the one in the same subnet you're using for vrrp.
The other addresses can be any mask and will follow the vrrp status.

-Chris
by cdiedrich
Fri Jan 17, 2020 7:23 am
Forum: General
Topic: vrrp and multiple ip.
Replies: 4
Views: 1631

Re: vrrp and multiple ip.

Yup, that works. But the vrrp address has to be a /32 no matter what the actual subnet size is.
-Chris
by cdiedrich
Wed Jan 15, 2020 9:55 am
Forum: Beginner Basics
Topic: MultiCast between VLANS (Chromecast vlan1) to/from (PC/Mobile vlan2)
Replies: 13
Views: 8071

Re: MultiCast between VLANS (Chromecast vlan1) to/from (PC/Mobile vlan2)

It's just a shame that a capable os doesn't have a process to handle multicast across bridge/vlans!
No, it's not.
The topic is about link-local multicast and that's the way it is supposed to work.
routerOS does in fact offer "real" multicast routing with PIM and multicast package.
-Chris
by cdiedrich
Tue Jan 14, 2020 11:45 am
Forum: General
Topic: Assign static IP address to VPN client problem
Replies: 9
Views: 5742

Re: Assign static IP address to VPN client problem

There is a vpn client who need an IP address from the local address space. The only reason I can see for this being necessary is a service running in your LAN that only accepts connections from the local LAN. So it's not the client that needs the local range address but the service being accessed. ...
by cdiedrich
Mon Jan 13, 2020 4:47 pm
Forum: General
Topic: Assign static IP address to VPN client problem
Replies: 9
Views: 5742

Re: Assign static IP address to VPN client problem

Best and common practice is to have a dedicated subnet for vpn clients.
There's absolutely no reason for vpn clients being located in the same subnet as the local LAN.
-Chris
by cdiedrich
Mon Jan 13, 2020 2:36 pm
Forum: General
Topic: VPN Queue Help
Replies: 3
Views: 1614

Re: VPN Queue Help

A simple "Simple Queue" should do the trick. On each end of your tunnel, add a simple queue with the local subnet as target and the remote subnet as as "dst" and fill both "Max Limit" fields with your desired total b/w. like "60M". After reading your post agai...
by cdiedrich
Tue Jan 07, 2020 9:51 am
Forum: General
Topic: Routing Question: Not able to get 1 gbps through our gateway with our router inline can without it
Replies: 8
Views: 2915

Re: Routing Question: Not able to get 1 gbps through our gateway with our router inline can without it

That should be fairly easy - of course it depends on the complexity of your setup. I'd strongly advise to schedule a downtime for doing this b/c you never know... I'd create a script that adjusts all necessary settings (i.e. IP address interface binding, firewall rules with in/out-interface matchers...
by cdiedrich
Fri Nov 22, 2019 11:21 am
Forum: Beginner Basics
Topic: Map Lite wireless bridge
Replies: 13
Views: 7277

Re: Map Lite wireless bridge

You could try station-pseudobridge-clone with your cam's MAC address as station-bridge-clone-mac parameter.
Just to be 100% sure: your main router is not running routerOS, right?

-Chris
by cdiedrich
Thu Nov 21, 2019 12:50 pm
Forum: Forwarding Protocols
Topic: IEEE1588 PTPv2 support for CRS317
Replies: 29
Views: 98177

Re: IEEE1588 PTPv2 support for CRS317

That is great news.
Just thinking further - together with GPS it could become a really nice Master clock or even grand master...
And it could open the CRS range for use with AVB.
by cdiedrich
Tue Nov 19, 2019 10:05 am
Forum: Wireless Networking
Topic: How to make a CAPsMAN redundant?
Replies: 5
Views: 5541

Re: How to make a CAPsMAN redundant?

That's unfortunately true. I have a set of scripts ready that push new new config to the backup capsman. First script exports the current /caps-man config into a file. Then I have another file ready that completely wipes the current /caps-man config. The wipe script is uploaded via ftp as wipecaps.a...
by cdiedrich
Sat Nov 09, 2019 4:07 pm
Forum: RouterOS beta
Topic: Poll: who wants to have a better /export ?
Replies: 17
Views: 8054

Re: Poll: who wants to have a better /export ?

I also voted for full user export with md5-hashed passwords. +1 for exporting certificates as they are an essential part of the config. And I'm totally with mada3k to have public keys exportable. Now for the import process, I'd love to see an option for error-handling, ideally per config section. Lik...
by cdiedrich
Tue Nov 05, 2019 2:31 pm
Forum: Beginner Basics
Topic: get Alert by email on new Device [SOLVED]
Replies: 25
Views: 25943

Re: get Alert by email on new Device [SOLVED]

Hmmm...
Turn on logging for topics e-mail,debug and trigger that command manually. Then you can see the whole smtp session in your log.
Maybe you find a hint on what's wrong there.
-Chris
by cdiedrich
Tue Nov 05, 2019 1:41 pm
Forum: Beginner Basics
Topic: get Alert by email on new Device [SOLVED]
Replies: 25
Views: 25943

Re: get Alert by email on new Device [SOLVED]

Did you configure /tool e-mail before?

Like:
/tool e-mail
set address=mail.provider.com from=dhcpalerts@provider.com password=youremailpassword port=465 start-tls=tls-only user=dhcpalerts@provider.com
-Chris
by cdiedrich
Tue Nov 05, 2019 10:29 am
Forum: Beginner Basics
Topic: get Alert by email on new Device [SOLVED]
Replies: 25
Views: 25943

Re: get Alert by email on new Device [SOLVED]

You could trigger /tool e-mail from your dhcp server's lease-script
-Chris
by cdiedrich
Tue Nov 05, 2019 10:01 am
Forum: Forwarding Protocols
Topic: ip forwarding with different vlan
Replies: 2
Views: 2541

Re: ip forwarding with different vlan

So both networks are attached to the same router? If so and the config is default-ish, it should automatically route between the networks without any user action required. Your question was a bit ambiguous, either a language barrier or typo - or not precisely put. I read your "won't" as &q...
by cdiedrich
Tue Nov 05, 2019 9:50 am
Forum: General
Topic: Not full gigabit speed
Replies: 3
Views: 1452

Re: Not full gigabit speed

Your config looks good to me at first sight. There have been issues in throughput and packet loss on RB3011 with the LCD turned on. Try turning off the LCD screen and see if that helps. As for your plenty dst-nat rules, you can aggregate the ports comma-separated into one rule for each protocol and ...
by cdiedrich
Mon Nov 04, 2019 1:11 pm
Forum: Beginner Basics
Topic: Two subnets not communicating after Mangle rule [SOLVED]
Replies: 3
Views: 2426

Re: Two subnets not communicating after Mangle rule [SOLVED]

Your mangle rule sets the routing mark no matter what the dst-address is. So add a route with the appropriate routing mark like this: /ip route add dst-address=192.168.138.0/24 gateway=ether1 routing-mark=your-routing-mark-eth3-wan add dst-address=192.168.138.0/24 gateway=ether1 routing-mark=your-ro...
by cdiedrich
Fri Nov 01, 2019 5:35 pm
Forum: Beginner Basics
Topic: DHCP only on WiFi
Replies: 2
Views: 1817

Re: DHCP only on WiFi

Totally understandable application. I'd say this would work: /interface list add name=nodhcpports /interface list member add interface=ether3 list=nodhcpports add interface=ether4 list=nodhcpports /interface bridge filter add action=log chain=input dst-port=67-68 in-bridge=bridge1 in-interface-list=...
by cdiedrich
Fri Nov 01, 2019 5:05 pm
Forum: General
Topic: Log file spam with failed to pre-process ph2 packet error and wrong password error
Replies: 4
Views: 3008

Re: Log file spam with failed to pre-process ph2 packet error

I've seen this before a couple of times when no ipsec policies and proposals were defined but the other end had some proposals defined already.
Try adding sha1 to auth-algorithms in your proposals.

-Chris
by cdiedrich
Fri Nov 01, 2019 11:29 am
Forum: General
Topic: Remote syslog [SOLVED]
Replies: 5
Views: 2945

Re: Remote syslog [SOLVED]

Hmmm...
which networks are bound to which interfaces?
And what's the content of the "lan" address list?

You normally just need one masq rule for everything going out to WAN. with proper routing in place, you won't need any internal src-nating as your last rule implies.
-Chris
by cdiedrich
Thu Oct 31, 2019 3:18 pm
Forum: The Dude
Topic: Dude 64-bt version
Replies: 16
Views: 18899

Re: Dude 64-bt version

+1
...and a Dude server with 64bit counters, please :-)

-Chris
by cdiedrich
Thu Oct 31, 2019 11:45 am
Forum: General
Topic: Remote syslog [SOLVED]
Replies: 5
Views: 2945

Re: Remote syslog [SOLVED]

post an export of your core router's /ip firewall nat section.
Looks like your default (masquerade) rule is configured too loosely.

-Chris
by cdiedrich
Tue Oct 29, 2019 7:41 pm
Forum: Scripting
Topic: Script to delete itself after executing... [SOLVED]
Replies: 7
Views: 14009

Re: Script to delete itself after executing... [SOLVED]

It's only a guess, but I wouldn't be surprised if the script file is locked during execution and can't be deleted because of that. I could imagine a workaround: in your config script, create a scheduler item that runs on startup and deletes that file. It then removes itself from scheduler with the s...
by cdiedrich
Tue Oct 29, 2019 4:50 pm
Forum: Wireless Networking
Topic: CAPSMAN - How to persuade clients to choose 5GHz over 2GHz?
Replies: 10
Views: 10275

Re: CAPSMAN - How to persuade clients to choose 5GHz over 2GHz?

Access lists will allow you to control what device connects to which AP but you have to manually decide. Perhaps you could do some OUI lookup to determine 5GHZ capable devices or deny access for a while and see if they connect to 5GHz and if not then allow 2GHz ? It would be a good trick if we coul...
by cdiedrich
Tue Oct 29, 2019 1:32 pm
Forum: Scripting
Topic: Script to delete itself after executing... [SOLVED]
Replies: 7
Views: 14009

Re: Script to delete itself after executing... [SOLVED]

If the script is a file on the device, the last line of the script should be
/file remove yourscript.rsc
If the script is in the internal script repository, the last line should be
/system script remove where name=yourscriptname

-Chris
by cdiedrich
Tue Oct 29, 2019 1:27 pm
Forum: Wireless Networking
Topic: Huge wireless speed difference on RB2011UAS-2HnD
Replies: 8
Views: 2801

Re: Huge wireless speed difference on RB2011UAS-2HnD

In such scenarios I recommend to check these options: TX power: your w/l interface has a lot of power. Make sure you're running in regulatory-domain mode for your country. It's not unlikely that your router just saturates your client's RF interface. Adjust TX power downwards in 3dB steps if still ne...
by cdiedrich
Tue Oct 29, 2019 9:10 am
Forum: Beginner Basics
Topic: Worth it to change private IP address early in setup process?
Replies: 13
Views: 3374

Re: Worth it to change private IP address early in setup process?

It depends. There's basically nothing speaking against using the default range - but when it becomes likely that you interconnect with other networks that may be in the same subnet (i.e. deploy a MikroTik network for a friend of yours and set up tunnels between them and your network to service them)...
by cdiedrich
Mon Oct 28, 2019 7:44 am
Forum: Beginner Basics
Topic: Create a VLAN - with no additional hardware
Replies: 4
Views: 1669

Re: Create a VLAN - with no additional hardware

vlan tags should be transparently carried through your unmanaged switch, it should work right away. The only drawback would be that every port of your switch will turn into a trunk port and that you can't create access ports for the other lan on that switch. But looking at the scenario you described t...
by cdiedrich
Sun Oct 27, 2019 1:27 pm
Forum: General
Topic: Several DNS requests at non-existent domain
Replies: 6
Views: 2336

Re: Several DNS requests at non-existent domain

Yeah, in that case I'd recommend unbound as well.
by cdiedrich
Sun Oct 27, 2019 11:11 am
Forum: Wireless Networking
Topic: Capsman manager running on RB2011, but no CAP on it [SOLVED]
Replies: 19
Views: 7876

Re: Capsman manager running on RB2011, but no CAP on it [SOLVED]

In your local CAP settings, remove discovery interface and add 127.0.0.1 as CAPsMAN address.
-Chris
by cdiedrich
Sun Oct 27, 2019 11:08 am
Forum: General
Topic: Several DNS requests at non-existent domain
Replies: 6
Views: 2336

Re: Several DNS requests at non-existent domain

If the domains are foreseeable, I'd implement a basic conditional forwarder with L7 matcher and dst-nat. And in case the returned addresses are all in a foreseeable subnet, you can even add a term for reverse lookup: /ip firewall layer7-protocol add name=„fibusta“ regexp=„fibusta.lib|[0-9]+.195.10.1...
by cdiedrich
Thu Oct 10, 2019 3:40 pm
Forum: Forwarding Protocols
Topic: CCR TO CCR connection with pppoe Server and static IP [SOLVED]
Replies: 5
Views: 11554

Re: CCR TO CCR connection with pppoe Server and static IP [SOLVED]

Is it getting the address from CCR1's dhcp server? If so, make the lease static, adjust the address and let CCR2 renew the lease. If it's static on CCR2, first add it to the correct interface (which then has .14 and .1), adjust all routes and peer settings in both routers accordingly, then remove .14 -C...
by cdiedrich
Wed Oct 09, 2019 5:57 pm
Forum: Forwarding Protocols
Topic: CCR TO CCR connection with pppoe Server and static IP [SOLVED]
Replies: 5
Views: 11554

Re: CCR TO CCR connection with pppoe Server and static IP [SOLVED]

Looking at your diagram I can only guess: 103.88.88.13/30 is the transport network between ccr1 and ccr2 ccr2 has a default route pointing to ccr1 103.88.88.1/29 is hosted on ccr2 and ccr1 should be able to talk to 103.88.88.1 Let's assume: ccr1 has 103.88.88.13/30 and ccr2 has 103.88.88.14/30 of th...
by cdiedrich
Tue Oct 08, 2019 3:47 pm
Forum: Forwarding Protocols
Topic: 3 branch offices VLAN over PPTP?
Replies: 5
Views: 4048

Re: 3 branch offices VLAN over PPTP?

Bummer.
No that's no EoIP scenario. Nor vlan - vlans are L2-local as well.
Try setting the tunnel interface as gateway in your routes instead of the remote IP of the tunnel.
-Chris
by cdiedrich
Tue Oct 08, 2019 2:58 pm
Forum: Forwarding Protocols
Topic: 3 branch offices VLAN over PPTP?
Replies: 5
Views: 4048

Re: 3 branch offices VLAN over PPTP?

Routing looks correct.
I'd rather say that this is a Windoze Firewall problem which by default does not accept incoming connections from non-local subnets.

-Chris
by cdiedrich
Fri Oct 04, 2019 1:10 pm
Forum: Useful user articles
Topic: setting change on multiple users with one click
Replies: 4
Views: 14090

Re: setting change on multiple users with one click

You can try MobaXterm. Log into all devices concurrently and then use Multi-Exec. Every character you type will be sent to all Sessions. Or create a .rsc script which contains all the changes and then upload it to all devices by FTP and name it <yourscript>.auto.rsc - it'll then be executed automag...
by cdiedrich
Tue Sep 24, 2019 5:35 pm
Forum: The Dude
Topic: Multiple Vlan monitoring
Replies: 7
Views: 5952

Re: Multiple Vlan monitoring

After thinking about this topic for a while, this might be a (part of a) solution: You say that you want to monitor your resident devices that might be shuffled around vlans, but do get an address in the vlan they've been moved to. And I read that the dude is running on the same machine as the dhcp ...
by cdiedrich
Thu Sep 12, 2019 4:37 pm
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 54
Views: 24924

Re: 802.11r/k, Band Steering

I have to agree, pe1chl. But the density of devices with problems drops constantly. I build temporary wireless networks with tens of thousands of concurrent clients on a very regular basis - the last time I had problems with clients with k/r/v was in August 2017 (that was a Meru/Fortinet system). Cl...
by cdiedrich
Wed Sep 11, 2019 11:57 am
Forum: Wireless Networking
Topic: 802.11r/k, Band Steering
Replies: 54
Views: 24924

Re: 802.11r/k, Band Steering

I asked Support mid-July if there are mid-term (i.e. within a year) plans to implement k/r/v roaming and band steering.
The reply was that there's 'no precise schedule'.
That being said, I'm currently replacing a couple of CAPsMAN sites with Meraki. Really a bummer.
-Chris
by cdiedrich
Tue Sep 10, 2019 5:28 pm
Forum: Beginner Basics
Topic: Wireless Wire - VLAN [SOLVED]
Replies: 3
Views: 2021

Re: Wireless Wire - VLAN [SOLVED]

Quick solution: create a vlan interface on the bridge interface. Assign an IP address to that vlan interface. Done. A colleague of mine had a similar problem with a D-Link switch. It seemed that LLDP neighbor discovery was causing the problem. Disable neighbor discovery (create an interface list with...
by cdiedrich
Thu Aug 22, 2019 1:19 pm
Forum: Beginner Basics
Topic: mac address/Wifi connection
Replies: 1
Views: 934

Re: mac address/Wifi connection

WhatsApp uses end-to-end encryption, so you're basically safe. Even if an attacker captures your raw data stream of a conversation, they still have to decrypt it. I wouldn't say that it's impossible, but frankly not within a reasonable amount of labor, time and skills. Assuming that your WiFi is alrea...
by cdiedrich
Tue Aug 20, 2019 12:56 pm
Forum: Scripting
Topic: Round decimal number [SOLVED]
Replies: 2
Views: 6901

Re: Round decimal number [SOLVED]

Haven't found a real round function, but you may get lucky with this decimal calculation script and specify the decimal point place.
-Chris
by cdiedrich
Mon Aug 19, 2019 5:32 pm
Forum: Wireless Networking
Topic: upload speed down
Replies: 7
Views: 2335

Re: upload speed down

The config looks good so far. There's still a dhcp-client active on wlan1 - since you're using pppoe you won't need dhcp. I can only think of a polarization and/or alignment issue here - check your signal levels, the rx levels on both chains should be pretty close, an imbalance of 6 or more dB is a ...
by cdiedrich
Mon Aug 19, 2019 1:20 pm
Forum: Beginner Basics
Topic: Learning about Dude
Replies: 1
Views: 973

Re: Learning about Dude

The answer to each of your questions is yes.
For testing/learning/evaluating, you should consider deploying a CHR instance via ova in your ESX environment. It doesn't have a 24h limit but is limited to 1MBps throughput in unlicensed state.
-Chris
by cdiedrich
Fri Aug 09, 2019 9:02 am
Forum: General
Topic: unknow packets broadcasted
Replies: 4
Views: 1637

Re: unknow packets broadcasted

I'd say it's CDP messages to 01:00:0C:CC:CC:CC. Check your discovery settings and adjust your discovery interface list to just the interfaces really needed for discovery. -Chris Edit: After re-reading the post in terms of timing and looking at the amount of bridges (I now assume that there's a bridg...
by cdiedrich
Fri Aug 09, 2019 8:26 am
Forum: General
Topic: Slow transfer speeds on LAN
Replies: 4
Views: 3965

Re: Slow transfer speeds on LAN

From first sight I'd say that it's bridge-related. You have two bridges on the same physical switch chip (which covers sfp and ether1-5). And hw-offload is only available for one bridge per switch chip. So I guess that your link-local traffic is going through the CPU. It looks that you don't really ...
by cdiedrich
Fri Aug 09, 2019 8:12 am
Forum: Beginner Basics
Topic: Split /24 public ip addresses [SOLVED]
Replies: 2
Views: 1959

Re: Split /24 public ip addresses [SOLVED]

Pretty straight forward: /ip firewall address-list add list=wan.1 address=192.168.0.2 add list=wan.1 address=192.168.0.3 ... add list=wan.2 address=192.168.0.9 add list=wan.2 address=192.168.0.10 ...and so on /ip firewall nat add action=src-nat src-address-list=wan.1 to-address=add list=wan.1 addres...
by cdiedrich
Wed Aug 07, 2019 3:15 pm
Forum: Forwarding Protocols
Topic: Routing Subnets not published by my router
Replies: 6
Views: 3471

Re: Routing Subnets not published by my router

Copy that - what a bummer. Now it really gets tricky and I'm not sure if it's possible at all. It might be worth a try to assign all addresses of all subnets to the router, give the machines other private subnets and create netmap rules for each and every IP address... Together with hairpin nat... W...
by cdiedrich
Wed Aug 07, 2019 10:27 am
Forum: Forwarding Protocols
Topic: Routing Subnets not published by my router
Replies: 6
Views: 3471

Re: Routing Subnets not published by my router

The best way would be to talk to your ISP and let him give you control over your subnets, these should then typically be routed through a /30 transport subnet - one end their router, the other end your CCR.
-Chris
by cdiedrich
Mon Aug 05, 2019 5:37 pm
Forum: Beginner Basics
Topic: Restrict access to hEX Ethernet port only for wAP
Replies: 21
Views: 4789

Re: Restrict access to hEX Ethernet port only for wAP

I can think of a couple of scenarios: 1. Isolating the AP from the rest: Create a dedicated /30 transport network for this certain AP and make ARP on those two interfaces (ether on hEX, ether1 on AP) static. Configure separate datapaths for all your WiFi networks for manager forwarding and apply the...
by cdiedrich
Mon Aug 05, 2019 11:49 am
Forum: Beginner Basics
Topic: Please help!!!!
Replies: 5
Views: 1912

Re: Please help!!!!

If your router has a serial console, you might get lucky with access from there and probably a script logging you in and disabling your netwatch item. That shouldn't take longer than two seconds.
Good luck!
-Chris
by cdiedrich
Thu Aug 01, 2019 4:47 pm
Forum: Beginner Basics
Topic: AirPrint doesn't work
Replies: 8
Views: 5818

Re: AirPrint doesn't work

If you didn't touch the data rates, then it should be good.
-Chris
by cdiedrich
Thu Aug 01, 2019 4:02 pm
Forum: General
Topic: DHCP error message [SOLVED]
Replies: 4
Views: 3664

Re: DHCP error message [SOLVED]

Ooops... sorry, I was too quick reading your post. The error deals with dhcp client. That might be a heritage from the original config when ether1 was WAN.
It looks like you configured your device for bridging only or get WAN through SFP. So it should be safe just to remove that dhcp-client.
-Chris
by cdiedrich
Thu Aug 01, 2019 3:55 pm
Forum: General
Topic: DHCP error message [SOLVED]
Replies: 4
Views: 3664

Re: DHCP error message [SOLVED]

Put the dhcp server on the bridge and not on physical interfaces being member of a bridge.
-Chris
by cdiedrich
Thu Aug 01, 2019 3:00 pm
Forum: Beginner Basics
Topic: AirPrint doesn't work
Replies: 8
Views: 5818

Re: AirPrint doesn't work

Setting multicast-helper from 'default' or 'disabled' to 'full' should solve the issue.
Additionally, check if lower rates are disabled - I had this issue more than once when el-cheapo WiFi printers only worked reliably when lower rates were re-enabled.
-Chris
by cdiedrich
Wed Jul 31, 2019 4:24 pm
Forum: General
Topic: DNS setting via DHCP being ingnored on Vlan
Replies: 8
Views: 2431

Re: DNS setting via DHCP being ingnored on Vlan

Post an export of your config and we can have a look at it - everything else will be guessing.
-Chris
by cdiedrich
Wed Jul 31, 2019 2:00 pm
Forum: Beginner Basics
Topic: 2 ISP + L2TP/IPsec
Replies: 3
Views: 1850

Re: 2 ISP + L2TP/IPsec

I guess you add routing marks for this PC, correct? You'll need to add a route to this PC with its new routing mark to work. like: /ip route add dst-address=192.168.88.22 gateway=bridge routing-mark=myWan2-mark Edit: And probably (if even not more likely) a route to the vpn client with that routing ...
by cdiedrich
Wed Jul 31, 2019 1:30 pm
Forum: Useful user articles
Topic: Force OpenDNS and Safe Search on a vlan only
Replies: 1
Views: 13205

Re: Force OpenDNS and Safe Search on a vlan only

You should be good to set src-address in your dst-nat rules matching the subnet of your specific vlan.
If you have more address spaces to cover, you might be better off with an address list.

And I think your post is better placed in General.

-Chris
by cdiedrich
Wed Jul 31, 2019 1:04 pm
Forum: Scripting
Topic: Email-script if a certain DSTNAT is used
Replies: 1
Views: 2026

Re: Email-script if a certain DSTNAT is used

You might get lucky with this log parser script.
If you have more than a handful of equipment, it might be worth considering collecting all logs centrally. We're running Graylog to collect the logs from ~200 devices and setting up alerts in Graylog is really easy.

-Chris
by cdiedrich
Wed Jul 31, 2019 8:36 am
Forum: General
Topic: DHCP Server assign IPs to MACs 00:00:00:00:00:00
Replies: 6
Views: 5003

Re: DHCP Server assign IPs to MACs 00:00:00:00:00:00

...assigned by UniFi APs? So you have multiple dhcp servers in a single network?
First step is to disable those dhcp servers.
Second step is to check whether there's one or more devices with proxy-arp configured in your network. I could bet your lan-facing interface has proxy-arp enabled.
-Chris
by cdiedrich
Wed Jul 31, 2019 8:13 am
Forum: General
Topic: MAC Address limitation
Replies: 7
Views: 4368

Re: MAC Address limitation

The definitely best solution is dot1x as @sebastia mentioned. When your switches support it as well you're close to 100% secure.
-Chris
by cdiedrich
Mon Jul 29, 2019 5:49 pm
Forum: Scripting
Topic: DuckDNS Update Script (free DynDNS alternative)
Replies: 20
Views: 31865

Re: DuckDNS Update Script (free DynDNS alternative)

It pretty much looks like a private address - 172.22/16 is within 172.16/12 which is a private range.
And since the initial script is pulling the address from the interface, I'm sure you have a private address and your ISP is NATing your address.
-Chris
by cdiedrich
Mon Jul 29, 2019 5:14 pm
Forum: Scripting
Topic: DuckDNS Update Script (free DynDNS alternative)
Replies: 20
Views: 31865

Re: DuckDNS Update Script (free DynDNS alternative)

Hi - when I try to use this, it appears that there is another private address between my Mikrotik router and the internet. So it returns a private address. Any other way I can do this? You could get your IP this way: /tool fetch mode=http http-method=get url=http://icanhazip.com/ dst-path=myip....
by cdiedrich
Mon Jul 29, 2019 4:03 pm
Forum: General
Topic: MAC Address limitation
Replies: 7
Views: 4368

Re: MAC Address limitation

I'd like to add the option of only using static dhcp leases with "add arp for lease" option and setting the arp mode of the lan-facing interface to reply-only.
That at least blocks rogue clients from accessing the internet.
-Chris
by cdiedrich
Mon Jul 29, 2019 10:46 am
Forum: The Dude
Topic: Multiple Vlan monitoring
Replies: 7
Views: 5952

Re: Multiple Vlan monitoring

I get your points and understand your problems - I am in the events industry as well and know the woes with guest productions sharing consoles :-) A possible solution could be HotSpot with IP-binding aka one-to-one-NAT aka "Universal client" - you can translate literally any IP address to ...
by cdiedrich
Fri Jul 26, 2019 12:21 pm
Forum: Scripting
Topic: Built in function library
Replies: 142
Views: 151989

Re: Built in function library

I'd love to see the terminal object-oriented.
Please stop the off-topic messages, and please delete them if they are yours.
(I will delete this when that happens)
After re-reading my post I have to fully agree. Edited.
Thanks,
-Chris
by cdiedrich
Fri Jul 26, 2019 11:46 am
Forum: General
Topic: Load balancing over dual L2 backhaul fibre
Replies: 4
Views: 1525

Re: Load balancing over dual L2 backhaul fibre

Perfect.
So a bonding with balance-rr should absolutely do the trick.
-Chris
by cdiedrich
Fri Jul 26, 2019 11:03 am
Forum: General
Topic: Load balancing over dual L2 backhaul fibre
Replies: 4
Views: 1525

Re: Load balancing over dual L2 backhaul fibre

What device is the other end of that link?
Is it a switch? Or another MikroTik router?

You should be absolutely fine with bonding and balance-rr. Unfortunately, very few switches do this as well. And be aware that balance-rr can cause a lot of out-of-order packets.

-Chris
by cdiedrich
Thu Jul 25, 2019 5:58 pm
Forum: Scripting
Topic: Built in function library
Replies: 142
Views: 151989

Re: Built in function library

[removed b/c off-topic]
Additionally to all the mentioned functions, I'd consider a basic set of IP calculations very helpful.

-Chris
by cdiedrich
Thu Jul 25, 2019 12:58 pm
Forum: Scripting
Topic: Notification for new DHCP leases [SOLVED]
Replies: 2
Views: 6916

Re: Notification for new DHCP leases [SOLVED]

Sure.
Take a look at "lease-script" in the dhcp-server manual.
Add your matchers against the leaseActIP variable and then trigger an email.

-Chris
by cdiedrich
Tue Jul 23, 2019 5:13 pm
Forum: General
Topic: RSTP, when on lose ability to connect by IP to non root switch
Replies: 5
Views: 1989

Re: RSTP, when on lose ability to connect by IP to non root switch

Nope, a root bridge can't have a backup port. It's on the other bridges to turn ports into backup. I guess the 60GHz link is MikroTik? What is the 24GHz link? Is it an AirFiber? Is WDS enabled on it? Is any STP-flavor definitely disabled on the w/l links? I had some similar issues a while ago when S...
by cdiedrich
Tue Jul 23, 2019 2:33 pm
Forum: The Dude
Topic: Multiple Vlan monitoring
Replies: 7
Views: 5952

Re: Multiple Vlan monitoring

You could run a discovery for the given subnets.
But that is a one-time run, either you repeat it every now and then or look for some other solution (NetXMS could deliver what you're looking for as it constantly scans the networks).
-Chris
by cdiedrich
Tue Jul 23, 2019 11:55 am
Forum: Wireless Networking
Topic: How to make a CAPsMAN redundant?
Replies: 5
Views: 5541

Re: How to make a CAPsMAN redundant?

Whether the bridges are replicable on the other router is solely your realm. If so, it's absolutely possible to add a redundant CAPsMAN. Make the two a vrrp cluster and clone the CAPsMAN config over to the other. Make your APs connect to the vrid. Make sure you disable all L2 connectivity for APs and man...
by cdiedrich
Mon Jul 22, 2019 3:38 pm
Forum: General
Topic: Allow trafic from one LAN to another but not the reverse [SOLVED]
Replies: 4
Views: 2337

Re: Allow trafic from one LAN to another but not the reverse [SOLVED]

/ip firewall filter add action=accept chain=forward dst-address=172.16.11.0/24 src-address=172.16.10.0/24 add action=accept chain=forward connection-state=established,related dst-address=172.16.10.0/24 src-address=172.16.11.0/24 add action=drop chain=forward connection-state=invalid,new dst-address...
by cdiedrich
Mon Jul 22, 2019 10:46 am
Forum: General
Topic: 19" POE panel with LAN control
Replies: 1
Views: 1073

Re: 19" POE panel with LAN control

I was looking into the same challenge recently. There's the Phihong POE370U which offers a network interface for management (web interface) and snmp monitoring.
But looking at the pricing, a decent PoE switch might come in cheaper.

-Chris
by cdiedrich
Mon Jul 22, 2019 10:30 am
Forum: Beginner Basics
Topic: Use eth1, eth2 and WiFi in same network...
Replies: 1
Views: 1995

Re: Use eth1, eth2 and WiFi in same network...

Remove all firewall rules in filter and nat sections. Remove dhcp-client from ether1. Add ether1 to bridge-local. Remove ether1 from Interface-list "WAN". Add ether1 to interface-list "LAN". Done. Then you still have a dhcp server running on your device. Disable it if not needed....
by cdiedrich
Sat Jul 20, 2019 10:34 am
Forum: General
Topic: RB450Gx4 and hAPac spanning tree problem
Replies: 11
Views: 3637

Re: RB450Gx4 and hAPac spanning tree problem

As you can see, we don't get any further.
Now is the point to post both your full configs.
/export compact hide-sensitive 
-Chris
by cdiedrich
Fri Jul 19, 2019 1:10 pm
Forum: General
Topic: RB450Gx4 and hAPac spanning tree problem
Replies: 11
Views: 3637

Re: RB450Gx4 and hAPac spanning tree problem

This is not a full config export.
And are you sure about always-strip?
by cdiedrich
Thu Jul 18, 2019 3:43 pm
Forum: Forwarding Protocols
Topic: Can't establish LDP session between two Mikrotik routers
Replies: 7
Views: 4255

Re: Can't establish LDP session between two Mikrotik routers

But if I remove an interface from the bridge, I lose connectivity to that interface. This is why I always add all interfaces to the default bridge.
You will have mpls connectivity on this interface.
by cdiedrich
Thu Jul 18, 2019 3:33 pm
Forum: Forwarding Protocols
Topic: Can't establish LDP session between two Mikrotik routers
Replies: 7
Views: 4255

Re: Can't establish LDP session between two Mikrotik routers

LDP interface configuration is invalid. Are those interfaces slaves? if yes then you need to add master. Yes, they are all slaves. I run version 6.42.11 and 6.43.9. All my interface all linked to the default bridge: /interface bridge port add bridge=bridge comment=defconf interface=ether2 So you an...
by cdiedrich
Thu Jul 18, 2019 12:55 pm
Forum: General
Topic: encrypted password for mikrotik config
Replies: 24
Views: 11156

Re: encrypted password for mikrotik config

and not to mention to have the user database in an export.
by cdiedrich
Wed Jul 17, 2019 5:05 pm
Forum: General
Topic: RB450Gx4 and hAPac spanning tree problem
Replies: 11
Views: 3637

Re: RB450Gx4 and hAPac spanning tree problem

So as said twice now, post your configs and we can get a grasp of what's going on.
-Chris
by cdiedrich
Wed Jul 17, 2019 3:47 pm
Forum: Beginner Basics
Topic: My NAT forwarding is working, but I don't know how!
Replies: 2
Views: 1154

Re: My NAT forwarding is working, but I don't know how!

dst-address is meant to be the WAN address of your router the server is located behind. I assume the 93. address is the remote location, correct? specifying a src-address surely adds some layer of security b/c the dst-nat will only happen when the connection is originated from this particular addres...
by cdiedrich
Wed Jul 17, 2019 1:54 pm
Forum: General
Topic: RB450Gx4 and hAPac spanning tree problem
Replies: 11
Views: 3637

Re: RB450Gx4 and hAPac spanning tree problem

As Anav said, we're fishing in the dark without actually seeing your configs.
I could imagine two more scenarios:

Is it possible that the PVIDs differ between the devices?
Can there be an additional link between them through an access port?

-Chris
by cdiedrich
Tue Jul 16, 2019 5:31 pm
Forum: General
Topic: RB951G & NordVPN (IKEv2/IPsec) / hexS&VLANs&NordVPN [SOLVED]
Replies: 18
Views: 6543

Re: RB951G & NordVPN (IKEv2/IPsec) [SOLVED]

I bet it's your hardware. the 951 is MipsBE and this is far from ideal for encrypting IPsec traffic. You might want to try a 750Gr3, 3011, 4011 or CCR series - these offer hardware acceleration. I personally run a 750Gr3 in my remote office which talks to our main office (CCR1036) through IPsec and ...
by cdiedrich
Tue Jul 16, 2019 5:17 pm
Forum: Forwarding Protocols
Topic: Multicast to PPP clients
Replies: 12
Views: 5668

Re: Multicast to PPP clients

That is an excellent point!
-Chris
by cdiedrich
Tue Jul 16, 2019 5:10 pm
Forum: General
Topic: Why Mikrotik ???
Replies: 32
Views: 13193

Re: Why Mikrotik ???

(c) Do Mikrotik have any limitations? That truly is difficult to answer. I'm managing about 5000 individual devices (covering routers, switches, wireless devices and more from MikroTik, Fortinet, Cisco, Juniper, SilverPeak, PepLink, UBNT and many more) in any given year and I'd say that about 90% o...
by cdiedrich
Sun Jul 14, 2019 12:44 pm
Forum: Forwarding Protocols
Topic: Multicast to PPP clients
Replies: 12
Views: 5668

Re: Multicast to PPP clients

Try adding a static route to your DG as follows:
224.0.1.1 via 172.16.4.17

-Chris
by cdiedrich
Sun Jul 14, 2019 11:38 am
Forum: General
Topic: Routing Question: Not able to get 1 gbps through our gateway with our router inline can without it
Replies: 8
Views: 2915

Re: Routing Question: Not able to get 1 gbps through our gateway with our router inline can without it

Since you stated that you're using a CCR1009-8G-1S-1S+ it is important to know which interfaces you are using for your backhaul and LAN side. That one still has a switch chip which aggregates ether1-ether4 to a single 1G pipe to the CPU. If you have both interfaces in that port range, it might be a ...
by cdiedrich
Fri Jul 12, 2019 2:21 pm
Forum: Forwarding Protocols
Topic: Multicast to PPP clients
Replies: 12
Views: 5668

Re: Multicast to PPP clients

Keep your address space as it is. Then install and configure PIM on your router: Add the DG-facing interface to PIM. Add the pptp clients to PIM with their interfaces (create pptp server bindings for each client, these can be added). Your DG should send the multicast traffic to your router (give it sta...
by cdiedrich
Fri Jul 12, 2019 1:53 pm
Forum: Scripting
Topic: WOL PC while it's down [SOLVED]
Replies: 2
Views: 3996

Re: WOL PC while it's down [SOLVED]

I'd say /tool netwatch is your friend. It does exactly what you need, just fill in scripts for up/down that will fire on these events. But it might get tricky b/c the script is only fired once, not every time the target gets checked. So you might add another netwatch item which monitors your UPS. On...
by cdiedrich
Fri Jul 12, 2019 1:29 pm
Forum: Forwarding Protocols
Topic: Multicast to PPP clients
Replies: 12
Views: 5668

Re: Multicast to PPP clients

You shouldn't. That's reserved for IPv4 Multicast and will reliably mess things up in your router. I was asking if the Multicast you want to send to the clients is in that range. And if it is, chances are high that you will have success using PIM on your router. Here's an excellent presentation cove...
by cdiedrich
Fri Jul 12, 2019 12:14 pm
Forum: Forwarding Protocols
Topic: Multicast to PPP clients
Replies: 12
Views: 5668

Re: Multicast to PPP clients

BCP or any "true" layer2 tunnel (EoIP or vpls for example) will surely do. Is that Multicast link-local (224.0.0.0/24) or routable (everything from 224.0.1.0 upwards)? If the latter, you could surely try PIM on your concentrator and make the clients send a join request - this could easily ...
by cdiedrich
Fri Jul 12, 2019 10:21 am
Forum: General
Topic: IPSec VPN (Sonicwall to MTK)
Replies: 3
Views: 1251

Re: IPSec VPN (Sonicwall to MTK)

I'm pretty sure it's related to your loose masquerade rule. Traffic from Sonicwall to your subnet works b/c traffic is NATed to your router's internal IP address which is known to your site. And I guess that traffic towards the Sonicwall is most likely NATed to your WAN IP address so that traffic wi...
by cdiedrich
Thu Jul 11, 2019 2:01 pm
Forum: General
Topic: IPSec VPN (Sonicwall to MTK)
Replies: 3
Views: 1251

Re: IPSec VPN (Sonicwall to MTK)

On first sight I see two issues: Your default masquerade rule is way too loose - it will masquerade everything from anywhere to anywhere. Add your local subnet as src-address and add your WAN-interface as out-interface. Move your NAT accept rules before your masquerade rule. And as a side note: Your...
by cdiedrich
Thu Jul 11, 2019 1:17 pm
Forum: Forwarding Protocols
Topic: Multicast to PPP clients
Replies: 12
Views: 5668

Re: Multicast to PPTP clients

In case the pptp clients are routers and not road-VPN computers, you could give it a try by using BCP.
-Chris
by cdiedrich
Tue Jul 09, 2019 1:31 pm
Forum: Beginner Basics
Topic: DHCP option by rule [SOLVED]
Replies: 4
Views: 3161

Re: DHCP option by rule [SOLVED]

The lease script is fired after the lease is bound.
Either way you approach it - you would need static leases to assign the right options to the right clients.
Once your lease is static, you can adjust all options or select predefined option sets.
-Chris
by cdiedrich
Fri Jul 05, 2019 3:50 pm
Forum: General
Topic: ISP assigns Static IP addresses via DHCP
Replies: 6
Views: 2407

Re: ISP assigns Static IP addresses via DHCP

I'm not sure if your ISP will allocate those reserved (and not changeable) MAC addresses of the VRRP interfaces, but it should be worth a try. If they don't, the next step towards madness is to use a bridge between the VRRP and the physical uplink interface and to set /interface bridge nat and /int...
by cdiedrich
Fri Jul 05, 2019 3:20 pm
Forum: General
Topic: ISP assigns Static IP addresses via DHCP
Replies: 6
Views: 2407

Re: ISP assigns Static IP addresses via DHCP

The only way of getting more than one DHCP client on one interface is using VRRP interfaces. Add a VRRP interface to your WAN-port and add a dhcp client to this. You'll need some unused address space on the interfaces to make VRRP work. Like 192.168.171.2/30 on ethernet, .1/32 for vrrp1, vrid 2 192....
by cdiedrich
Fri Jul 05, 2019 11:51 am
Forum: Virtualization
Topic: VMWare Changing Time
Replies: 4
Views: 9223

Re: VMWare Changing Time

Edit vm settings -> VM Options -> VMware Tools -> Time and uncheck "Synchronize guest time with host"
by cdiedrich
Fri Jul 05, 2019 11:41 am
Forum: Beginner Basics
Topic: nat issue on mikrotik routers
Replies: 1
Views: 950

Re: nat issue on mikrotik routers

I'm totally not into gaming but I'm almost certain that it has to do with your loose masquerade rule. This rule catches any traffic and NATs from anywhere to anywhere. Modify it to narrow down matches: /ip firewall nat add action=masquerade chain=srcnat src-address=your.lan.space/24 out-interface=wl...
by cdiedrich
Wed Jul 03, 2019 12:41 pm
Forum: General
Topic: Block .exe from local network
Replies: 5
Views: 1789

Re: Block .exe from local network

Proxy can be used to deny access to specific file types.
True, but only on http. Which is not the case on drive shares.
-Chris
by cdiedrich
Wed Jul 03, 2019 10:57 am
Forum: General
Topic: Block .exe from local network
Replies: 5
Views: 1789

Re: Block .exe from local network

No, not in routerOS. First, operations in the local network usually don't pass the router. Second, there is no way to block transfers by file extension in routerOS, you'd need an advanced L7 firewall (that could even prevent that content from coming into your network). Best idea would be either bloc...
by cdiedrich
Tue Jul 02, 2019 6:53 pm
Forum: General
Topic: LIMIT FACEBOOK SPEED
Replies: 5
Views: 3746

Re: LIMIT FACEBOOK SPEED

It strongly depends on your organizational structure and what services your staff is supposed to use. Everything that syncs back to a cloud (Like Dropbox, iCloud, Google Drive, etc) is a good start to limit - especially as those syncs happen in background, nobody would really notice that the task is...
by cdiedrich
Tue Jul 02, 2019 5:41 pm
Forum: General
Topic: LIMIT FACEBOOK SPEED
Replies: 5
Views: 3746

Re: LIMIT FACEBOOK SPEED

No :-) Facebook traffic is not really high and not so bandwidth-consuming as it's a lot of GET requests with little transfer per request. I made the experience that limiting sites like this is more labor than you would gain out of it. Limiting sites with big transfers is much more suitable so that a...
by cdiedrich
Tue Jul 02, 2019 3:24 pm
Forum: General
Topic: unwanted change of source IP in my traffic
Replies: 6
Views: 1514

Re: unwanted change of source IP in my traffic

As a first guess without seeing your config, I'd say your default srcnat/masquerade rule is too loose (i.e. has no src-address and no out-interface specified) Further I can imagine that your NAT-accept rules for this traffic are below the default srcnat/masquerade rule. Post an export of your config...
by cdiedrich
Tue Jul 02, 2019 2:58 pm
Forum: General
Topic: Firewall software or hardware
Replies: 7
Views: 2365

Re: Firewall software or hardware

I agree it's another single point of failure but i guess there is less chances of a hardware firewall failure? That's a misconception. It's built from the same components: power supplies (failure #1), fans (failure #2), semiconductors, physical connectors, HDDs/SSDs, etc that are all subject to the...
by cdiedrich
Tue Jul 02, 2019 1:12 pm
Forum: General
Topic: have a two WAN ports in RB951 Router
Replies: 2
Views: 1019

Re: have a two WAN ports in RB951 Router

Verify your default routes if you have check-gateway=ping enabled. If not, interface link state is the only indicator for your router.
-Chris
by cdiedrich
Tue Jul 02, 2019 1:09 pm
Forum: General
Topic: Firewall software or hardware
Replies: 7
Views: 2365

Re: Firewall software or hardware

@cdiedrich, do you know how HA clusters/pairs of Fortigate and PA behave in this regard?
I do - absolutely seamless. All connections are always in sync. Dealing with those as my daily business...
by cdiedrich
Tue Jul 02, 2019 10:53 am
Forum: General
Topic: Firewall software or hardware
Replies: 7
Views: 2365

Re: Firewall software or hardware

You are correct about the need of duplicating settings, but that counts for every setting, not only Firewall. And once created and proven good, I consider a firewall rather static... And with some scripting you could automate the replication to the other peer. When getting one firewall in front of t...
by cdiedrich
Mon Jul 01, 2019 3:41 pm
Forum: Beginner Basics
Topic: Expose the device name on the upstream network
Replies: 4
Views: 1589

Re: Expose the device name on the upstream network

Upstream - or, to be more precise: The server that holds the data for your 192.168.0.0 network.
-Chris
by cdiedrich
Mon Jul 01, 2019 2:33 pm
Forum: General
Topic: Route based on latency?
Replies: 3
Views: 1664

Re: Route based on latency?

Thanks for the hints.
I already considered the scripting way but was unsure if there was something more obvious that I might have missed.
-Chris
by cdiedrich
Mon Jul 01, 2019 2:04 pm
Forum: General
Topic: Firewall software or hardware
Replies: 7
Views: 2365

Re: Firewall software or hardware

It depends on your needs. Do you need stateful failover? Do you need DPI? Do you need address collection in the firewall to do further things with on the CCRs? Do you need application control? Is firewall latency an issue? Do you need advanced logging facilities? Do you want it cloud managed? Do you...
by cdiedrich
Mon Jul 01, 2019 1:13 pm
Forum: Beginner Basics
Topic: Expose the device name on the upstream network
Replies: 4
Views: 1589

Re: Expose the device name on the upstream network

Add a dns entry for your hAP.
-Chris
by cdiedrich
Thu Jun 27, 2019 1:24 pm
Forum: General
Topic: VLAN VRRP
Replies: 18
Views: 7949

Re: VLAN VRRP

It's absolutely possible.
First, add vlans to the bonding interface and then add vrrp interfaces to the vlans.
Or, if you want one vrrp interface being the master of the whole subsequent trunk port, add just one vrrp on the bonding interface and then add vlans to the vrrp interface.
Done.
-Chris
by cdiedrich
Wed Jun 26, 2019 7:55 pm
Forum: General
Topic: Route based on latency?
Replies: 3
Views: 1664

Route based on latency?

All, I need to create a self-contained package for a client of ours who will tour with a recurring event. Their guest management system relies on a timing-critical database application running somewhere in a cloud. Due to recent bad experiences with venue internet and partially blocked ports, the pa...
by cdiedrich
Fri Jun 21, 2019 9:21 am
Forum: Wireless Networking
Topic: Need Advice to Cover 300 WiFi Users in Banquet Hall
Replies: 6
Views: 2445

Re: Need Advice to Cover 300 WiFi Users in Banquet Hall

I'd strongly recommend not to use MikroTik wireless devices for high density applications. The lack of any 802.11 roaming, band steering and adjustable beacon interval renders them useless for such deployments. Better look into UBNT, Xirrus, Meraki, Fortinet/Meru, Everest Networks (in ascending budg...
by cdiedrich
Thu May 16, 2019 11:42 am
Forum: Forwarding Protocols
Topic: OpenVPN + IpSec [SOLVED]
Replies: 6
Views: 11341

Re: OpenVPN + IpSec [SOLVED]

Does Site B have a route to 192.168.252.0/24 via Site A?
-Chris
by cdiedrich
Wed May 15, 2019 6:34 pm
Forum: General
Topic: Load balancing 2x WAN on same FTTH gateway
Replies: 3
Views: 1381

Re: Load balancing 2x WAN on same FTTH gateway

Multi-WAN with same gateway works as described in this thread.
Regarding the resulting bandwidth, you will have 700/700-ish with multiple flows while one flow cannot be greater than the WAN link it is assigned to.
Look at the examples in this manual page.

-Chris
by cdiedrich
Wed May 15, 2019 5:59 pm
Forum: Beginner Basics
Topic: Multiple Entries for same IPs in ARP table? [SOLVED]
Replies: 2
Views: 2194

Re: Multiple Entries for same IPs in ARP table? [SOLVED]

You have the same IP range (10.20.0/24) in br-AP and vlan1002.
-Chris
by cdiedrich
Wed May 15, 2019 10:47 am
Forum: Virtualization
Topic: Server 2019 HV with chr-6.44.3 no bridge function
Replies: 2
Views: 5057

Re: Server 2019 HV with chr-6.44.3 no bridge function

I could bet that it's related to Hyper-V not being configured for promiscuous mode.
-Chris
by cdiedrich
Wed May 08, 2019 1:52 pm
Forum: Beginner Basics
Topic: winbox and vlan
Replies: 4
Views: 1680

Re: winbox and vlan

If I remember correctly, admin access is restricted to 192.168.88.0/24 in the default config, so access from 10.0.0.0/8 will be dropped and you're seeing the timeouts. Try adding your vlan100 range under IP -> Services in the "available from" field. To do so, either connect from a 192.168....
by cdiedrich
Thu Apr 04, 2019 5:47 pm
Forum: The Dude
Topic: Programmatically adjust devices?
Replies: 8
Views: 4423

Re: Programmatically adjust devices?

Hey Ruben,

that would be great, thank you very much.
DM is not supported here in the forum - feel free to contact me on cdiedrich (at) clairglobal.com

Thanks again,
-Chris
by cdiedrich
Wed Apr 03, 2019 10:19 pm
Forum: The Dude
Topic: Nested functions in probes, numbers in custom fields
Replies: 0
Views: 2678

Nested functions in probes, numbers in custom fields

Hi all, It looks like using nested functions in probes doesn't work as expected. Running the Dude 6.44 in an x86 instance (not CHR). 6.44.1 shows the very same behaviour. These terms are working perfectly when being used individually in a function probe in the "available" line: if(device_prop...
by cdiedrich
Wed Apr 03, 2019 2:02 am
Forum: The Dude
Topic: Programmatically adjust devices?
Replies: 8
Views: 4423

Re: Programmatically adjust devices?

Update:
A colleague of mine is currently writing a Python script that remote controls chrome that then cycles through WebFig where we have access to all relevant device fields in the dude.
Will share the outcome once we have what we need.

-Chris
by cdiedrich
Wed Apr 03, 2019 1:46 am
Forum: The Dude
Topic: Programmatically adjust devices?
Replies: 8
Views: 4423

Re: Programmatically adjust devices?

What a bummer - thanks.
Time to get an apprentice working on updating ~2000 devices with three fields each...
-Chris
by cdiedrich
Wed Apr 03, 2019 1:17 am
Forum: The Dude
Topic: Programmatically adjust devices?
Replies: 8
Views: 4423

Programmatically adjust devices?

Dear all,

is there a way (through script, API or whatsoever) to bulk-update device custom fields?
We have a map with thousands of devices and need to fill custom fields based on either MAC address, device name or IP address.

Any hint is highly appreciated.
Thanks,
-Chris
by cdiedrich
Fri Mar 29, 2019 12:01 pm
Forum: Beginner Basics
Topic: VPN Connect 2 Locations and a few Clients ?
Replies: 7
Views: 1714

Re: VPN Connect 2 Locations and a few Clients ?

Now that's a good start. All that's left is adding routes through the tunnel. Assuming 192.168.1.0/24 is on the tunnel local IP of 192.168.99.1 and 192.168.10.0/24 is on the tunnel local IP of 192.168.99.2 do this: #on router 1 /ip route add dst-address=192.168.1.0/24 gateway=192.168.99.1 distance=2...
by cdiedrich
Thu Mar 28, 2019 3:21 pm
Forum: Beginner Basics
Topic: VPN Connect 2 Locations and a few Clients ?
Replies: 7
Views: 1714

Re: VPN Connect 2 Locations and a few Clients ?

This Section of the IPsec manual is pretty comprehensive and should exactly do what you want to accomplish.

Since IPsec is a cpu-hog, I'd advise to use it on routers with h/w acceleration only (all CCR series, 1100AHx4, RB750Gr3, RB3011).

-Chris
by cdiedrich
Wed Mar 27, 2019 2:14 pm
Forum: The Dude
Topic: graphing MultiGig links from SNMP
Replies: 1
Views: 4239

graphing MultiGig links from SNMP

Hi all, we recently upgraded our infrastructure to Cisco Nexus 3548P and Catalyst 9300 switches. While updating the dude maps (Running 6.44.1 in a CHR) I realized that the link graphs don't scale correctly: I have a couple of links from 9300 TwoGigabit-Interfaces linking to other devices with a 1Gig...
by cdiedrich
Thu Mar 21, 2019 3:13 pm
Forum: General
Topic: wAP ac and wap60g PoE issues on Catalyst 9300
Replies: 2
Views: 2189

wAP ac and wap60g PoE issues on Catalyst 9300

I'm facing strange issues powering wAP ac and wap60g devices from a Cisco Catalyst 9300. The devices don't turn on at all. They work well with Cisco 3560, UBNT Edge Switches and Netonix. Now the fix that made it work is really strange: I just insert a passive MTik Gigabit PoE injector on the AP side...
by cdiedrich
Thu Mar 14, 2019 3:10 pm
Forum: Scripting
Topic: How to really make backups (by script) ?
Replies: 15
Views: 8111

Re: How to really make backups (by script) ?

You could add a mini-script at the end of the rsc file which resets all mac-addresses and sets the bridges to auto-mac. This goes into the scheduler, to be run at startup. The script will delete itself from scheduler once finished. Like this: /system scheduler add name=resetmac on-event=":forea...
by cdiedrich
Thu Mar 14, 2019 2:14 pm
Forum: General
Topic: Wireless Management On VLAN and Pass All vlans [SOLVED]
Replies: 4
Views: 1682

Re: Wireless Management On VLAN and Pass All vlans [SOLVED]

So you already created a vlan interface. Put this on the bridge, not on physical ports. Then add an appropriate ip address to that vlan interface. Or enable vlan filtering on your bridges, create all allowed vlans for these and their tagged port mappings for both physical interfaces (ether and wlan...
by cdiedrich
Wed Mar 13, 2019 1:10 pm
Forum: Wireless Networking
Topic: Mikrotik WLAN & CAPsMAN - Bad download performance
Replies: 47
Views: 17152

Re: CAPsMAN poor wireless speed

Looking at your first screen shot in your first post, I'd say that's a decent connection. You're connected at VHT MCS 7 with two spatial streams and short guard interval resulting in 650MBps connection rate at 80MHz. Keeping in mind that actual real-life throughput is roughly 50...65% of the w/l con...
by cdiedrich
Wed Mar 13, 2019 12:18 pm
Forum: Beginner Basics
Topic: VPN between 2 Mikrotik behind Router
Replies: 4
Views: 1282

Re: VPN between 2 Mikrotik behind Router

Do the Tiks have routes set?

like
#Site B
/ip route add distance=20 dst-address=192.168.10.0/24 gateway=1.1.1.1
#Site A
/ip route add distance=20 dst-address=192.168.1.0/24 gateway=1.1.1.2
by cdiedrich
Wed Mar 13, 2019 11:49 am
Forum: General
Topic: Trouble with an IP Address
Replies: 1
Views: 792

Re: Trouble with an IP Address

Did you specify a subnet mask?
If not, the address is a /32 and can't communicate anywhere.
So it should look like
/ip address add address=172.18.0.1/24 interface=vlan101
I guess your config looks like
/ip address add address=172.18.0.1 interface=vlan101
and won't work.
-Chris
by cdiedrich
Wed Mar 13, 2019 11:43 am
Forum: Beginner Basics
Topic: VPN between 2 Mikrotik behind Router
Replies: 4
Views: 1282

Re: VPN between 2 Mikrotik behind Router

Did I get this correctly that the oVPN connection is up and your MTik devices are not acting as routers behind in any way? If so, you'd need to add static routes in the FritzBoxes for the remote subnets pointing to the local MikroTik device as gateway. And the MTik devices should know the remote rou...
by cdiedrich
Tue Mar 12, 2019 1:18 pm
Forum: General
Topic: What is the best method to connect between 2 routers? and How?
Replies: 8
Views: 1617

Re: What is the best method to connect between 2 routers? and How?

The exact same question has been asked & solved in this thread just a couple of minutes ago.
by cdiedrich
Tue Mar 12, 2019 11:20 am
Forum: General
Topic: HAP ac bug
Replies: 2
Views: 1048

Re: HAP ac bug

Did you tick "Keep old configuration" during NetInstall? Or did you restore a backup (not .rsc) file after installing? I had the exact symptoms on a 2011 a couple of years ago. NetInstalling it freshly without the old config solved it for me. Also check system routerboard if there's someth...
by cdiedrich
Mon Mar 11, 2019 3:50 pm
Forum: General
Topic: mikrotik repeat hotspot
Replies: 5
Views: 1428

Re: mikrotik repeat hotspot

Yes, you can.
Authentication is simply done through a client device behind that MikroTik. Done that a couple of times and it's really straight forward.
-Chris
by cdiedrich
Fri Mar 08, 2019 1:11 pm
Forum: General
Topic: wifi AC speed went down from 7xx mbps to 1xx mbps after migrating wlans to CAPsMAN
Replies: 2
Views: 1010

Re: wifi AC speed went down from 7xx mbps to 1xx mbps after migrating wlans to CAPsMAN

Are you talking about throughput or connected rates? Connected rates don't give you too much information when the device is idle. They're adjusted dynamically based on load and connection quality. If you're talking about throughput, I'd first check data path which should be "local forwarding"...
by cdiedrich
Wed Mar 06, 2019 4:47 pm
Forum: Beginner Basics
Topic: How to make vpn exclude 1 internet, in a load balancer
Replies: 3
Views: 1085

Re: How to make vpn exclude 1 internet, in a load balancer

That already makes sense.
Additional question: is the VPN originated from your router?
If so, set a static route to the vpn peer via default g/w of ether1's ISP.
-Chris
by cdiedrich
Mon Feb 25, 2019 11:28 am
Forum: Forwarding Protocols
Topic: Dual SIP providers one Lan routing on Mikrotik
Replies: 4
Views: 3432

Re: Dual SIP providers one Lan routing on Mikrotik

Add two more default routes with routing marks for both providers. Do I have to create a routing mark first? and then add the route? or how do I add the two more default routes for both providers The sequence of doing this stuff doesn't really matter - you can do it either order. It might be good t...
by cdiedrich
Mon Feb 25, 2019 11:17 am
Forum: Wireless Networking
Topic: Management ip for cAP
Replies: 5
Views: 1763

Re: Management ip for cAP

Sure thing.
The easiest way would be adding back your vlan interface to the bridge and moving the dhcp-client to that vlan interface.
Make sure you do not use the option "use-service-tag".

-Chris
by cdiedrich
Fri Feb 22, 2019 5:40 pm
Forum: Wireless Networking
Topic: Management ip for cAP
Replies: 5
Views: 1763

Re: Management ip for cAP

Your vlan 99 comes untagged from your switch - so it's native to your cap.
remove the vlan interface from your bridge and move the dhcp-client directly to the bridge.

And as a side note: you wouldn't need the option "use service tag" - this is only needed for QinQ tunnels.

-Chris
by cdiedrich
Fri Feb 22, 2019 1:36 pm
Forum: Wireless Networking
Topic: Management ip for cAP
Replies: 5
Views: 1763

Re: Management ip for cAP

An export of your cap config would be good to see along with a "show int Gi0/xx switchport" off your switch from the port the cap is connected to.
-Chris
by cdiedrich
Fri Feb 22, 2019 1:13 pm
Forum: Forwarding Protocols
Topic: Dual SIP providers one Lan routing on Mikrotik
Replies: 4
Views: 3432

Re: Dual SIP providers one Lan routing on Mikrotik

Keep both default routes. Add two more default routes with routing marks for both providers. Add two src-nat rules for both WAN interfaces. Add routes for both SBCs with above routing marks. Mangle your incoming and outgoing connections from/to those SBCs (first: mark connection, second: mark routin...
by cdiedrich
Thu Feb 14, 2019 4:02 pm
Forum: General
Topic: Multiple Public IP over Same Interface with Same Gateway
Replies: 7
Views: 2139

Re: Multiple Public IP over Same Interface with Same Gateway

You won't need routes for this - all IPs of your /29 subnet will talk to the same gateway on your ISP's side. just create dedicated NAT rules: /ip firewall nat add chain=srcnat action=src-nat src-address=your.vlan.10.range/24 dst-address=0.0.0.0/0 to-address=your.public.ip-forVlan10 add chain=srcnat...
by cdiedrich
Thu Feb 07, 2019 9:12 am
Forum: Beginner Basics
Topic: Different DNS to different Mac addresses
Replies: 4
Views: 3579

Re: Different DNS to different Mac addresses

Since your devices are already known, you could create static leases for those.
Let the DHCP server add the lease to an address list and use this list for your rules.

-Chris
by cdiedrich
Mon Feb 04, 2019 5:55 pm
Forum: General
Topic: Question for an expert - Layer 2 / 3 Bridging
Replies: 4
Views: 2081

Re: Question for an expert - Layer 2 / 3 Bridging

Besides the mentioned points this sounds like a QoS problem to me. Try to capture packets and take a look at dscp values. If not set up properly on the switch, this can cause undesired behavior - especially when running other dscp-critical protocols like Dante on the same trunk. Since my experience ...
by cdiedrich
Wed Jan 30, 2019 1:51 pm
Forum: Forwarding Protocols
Topic: Problem while using VRRP between routers with BGP
Replies: 7
Views: 4149

Re: Problem while using VRRP between routers with BGP

In routing filters - as you already did with prepend and MED.
-Chris
by cdiedrich
Wed Jan 30, 2019 9:46 am
Forum: Forwarding Protocols
Topic: Problem while using VRRP between routers with BGP
Replies: 7
Views: 4149

Re: Problem while using VRRP between routers with BGP

I had the same issue with one of our CCR vrrp-cluster peering a SilverPeak VXOA appliance. It turned out that the appliance wasn't interpreting MEDs correctly. I solved it with manually adjusting advertised distances. Not the smart way but it worked. Just to be sure - your two CCRs share the same AS...
by cdiedrich
Wed Jan 30, 2019 7:06 am
Forum: Beginner Basics
Topic: Point to MultiPoint woes
Replies: 4
Views: 1203

Re: Point to MultiPoint woes

-27dB is way too loud. They are screaming at each other.
Even for a lab - increase the distance between the two units drastically.
I'm pretty sure that's one (or even your only) of your problems.

Flapping data rates are pretty normal when being mostly idle.

-Chris
by cdiedrich
Tue Jan 29, 2019 11:44 am
Forum: Wireless Networking
Topic: Art-Net / UDP port 6454 over WIFI
Replies: 9
Views: 3266

Re: Art-Net / UDP port 6454 over WIFI

The previously mentioned rates count for .11b and .11g - HT MCS count for .11n, VHT MCS for .11ac (not applicable on your device) I'd suggest to disable MCS 0-2 and 8 - so the lowest rate a .11n device can connect with will be 26MBit with one (HT MCS3) or two (HT MCS9) spatial streams. Find a very c...
by cdiedrich
Tue Jan 29, 2019 9:56 am
Forum: Beginner Basics
Topic: Point to MultiPoint woes
Replies: 4
Views: 1203

Re: Point to MultiPoint woes

I'm not sure if that Quickset-CPE setting is the setting you want. Leave quickset aside, remove both configurations and start from scratch: On the AP side, create a bridge, add wired and wireless interfaces to it. Completely disable any flavor of STP on the bridge. Set your wireless interface to ap-...
by cdiedrich
Mon Jan 28, 2019 8:18 pm
Forum: Wireless Networking
Topic: Art-Net / UDP port 6454 over WIFI
Replies: 9
Views: 3266

Re: Art-Net / UDP port 6454 over WIFI

Now that's a bummer.
It's been a while since I last did ArtNet over MTik wireless.
You might try to disable multicast helper and set the lowest basic and common-rates to 24M. Don't forget to adjust ht- and vht- mcs indexes as well.

Good luck,
-Chris
by cdiedrich
Mon Jan 28, 2019 2:44 pm
Forum: Wireless Networking
Topic: Art-Net / UDP port 6454 over WIFI
Replies: 9
Views: 3266

Re: Art-Net / UDP port 6454 over WIFI

I'd say your issues are layer2, no need to add anything to the firewall - just leave it completely blank. First thing to check is TX power - by default routerOS devices come with really high tx power which can easily overload your connected clients. Have a look in registration table - any connection...
by cdiedrich
Mon Jan 28, 2019 1:40 pm
Forum: General
Topic: Tunnel which generates least traffic when IDLE
Replies: 13
Views: 3894

Re: Tunnel which generates least traffic when IDLE

if security is not really an issue, I can recommend pptp which creates just a couple of kilobytes per day when totally idle.
-Chris
by cdiedrich
Fri Jan 25, 2019 3:12 pm
Forum: General
Topic: S-to-S Ipsec tunnel comes up, but after 40 minutes I get error
Replies: 9
Views: 3020

Re: S-to-S Ipsec tunnel comes up, but after 40 minutes I get error

Perfect!
Glad it was so simple.
-Chris
by cdiedrich
Fri Jan 25, 2019 1:49 pm
Forum: General
Topic: S-to-S Ipsec tunnel comes up, but after 40 minutes I get error
Replies: 9
Views: 3020

Re: S-to-S Ipsec tunnel comes up, but after 40 minutes I get error

Try it. IPsec relies a lot on proper synchronization - and even slightest drifts or glitches can break tunnels.
Had this a couple of times before.
-Chris
by cdiedrich
Fri Jan 25, 2019 1:40 pm
Forum: General
Topic: S-to-S Ipsec tunnel comes up, but after 40 minutes I get error
Replies: 9
Views: 3020

Re: S-to-S Ipsec tunnel comes up, but after 40 minutes I get error

Odd.
Do both routers use the same NTP server?
-Chris
by cdiedrich
Fri Jan 25, 2019 1:15 pm
Forum: General
Topic: S-to-S Ipsec tunnel comes up, but after 40 minutes I get error
Replies: 9
Views: 3020

Re: S-to-S Ipsec tunnel comes up, but after 40 minutes I get error

Mismatching lifetimes in proposals?
LifeBytes configured?
-Chris
by cdiedrich
Fri Jan 25, 2019 10:07 am
Forum: General
Topic: MikroTik Bonding under bridge but with loop
Replies: 2
Views: 1790

Re: MikroTik Bonding under bridge but with loop

First thing I see is that you're using bondings across devices (connecting Switch 4 to 5-10). That's not possible with MikroTik switches as they aren't stackable in terms of backplane extension. Bondings have to terminate in the very same device. I'd say that's the first source of your problems. -Ch...
by cdiedrich
Thu Jan 24, 2019 2:16 pm
Forum: Beginner Basics
Topic: Help with traffic routing [SOLVED]
Replies: 7
Views: 2262

Re: Help with traffic routing [SOLVED]

Setting the route only to one side of the network is not enough. Now your MTik machine knows it, but the two others still don't so nothing will happen. I don't understand your concerns about security - you established a vpn already, isn't this a sign for trust? And be aware that netmapping still pre...
by cdiedrich
Thu Jan 24, 2019 11:56 am
Forum: Beginner Basics
Topic: Help with traffic routing [SOLVED]
Replies: 7
Views: 2262

Re: Help with traffic routing [SOLVED]

I don't see a reason for netmapping here. You just need to add routes: FW1: dst-address=192.168.1.0/24 via VPN endpoint on Router1. Router1: dst-address=192.168.242.0/29 via VPN endpoint on FW1 dst-address=192.168.1.0/24 via 172.16.0.3 (MikroTik router) MikroTik: dst-address=192.168.242.0/29 via 172...
by cdiedrich
Wed Jan 23, 2019 4:14 pm
Forum: Beginner Basics
Topic: How to discover a remote device on the network ?
Replies: 6
Views: 1636

Re: How to discover a remote device on the network ?

Simple: no way.
-Chris
by cdiedrich
Wed Jan 23, 2019 3:53 pm
Forum: Beginner Basics
Topic: IP Sec tunnel alive but no traffic (NAT and Firewall rules are added)
Replies: 9
Views: 2249

Re: IP Sec tunnel alive but no traffic (NAT and Firewall rules are added)

I think I found a typo in "giganet" router's ipsec policy:
Its address should be 178.x.x.33 but in the policy sa-src-address is configured as 178.x.x.153

The rest is not looking too bad on first sight.
-Chris
by cdiedrich
Wed Jan 23, 2019 3:19 pm
Forum: Wireless Networking
Topic: MultiSSID and VLANS
Replies: 1
Views: 915

Re: MultiSSID and VLANS

remove your vlan interfaces. remove your "Vlan2_bridge" bridge. Enable vlan filtering on your native bridge "bridge" and set it to pvid=2. Then move the IP address to this bridge. Add your virtual APs for guest access to that bridge and keep their vlan setting at vlan-id=2 and se...
by cdiedrich
Wed Jan 23, 2019 2:37 pm
Forum: Beginner Basics
Topic: IP Sec tunnel alive but no traffic (NAT and Firewall rules are added)
Replies: 9
Views: 2249

Re: IP Sec tunnel alive but no traffic (NAT and Firewall rules are added)

Insight: looking at your screenshot, your masquerade rule doesn't have a matcher for src-address. It may happen (that's still my guess, but it's not unlikely) that traffic from the remote network gets caught by this rule and then gets masqueraded, leaving your router via pppoe-out1 (when I read your...
by cdiedrich
Wed Jan 23, 2019 1:33 pm
Forum: Beginner Basics
Topic: Transparent Connection on SIP SERVER, its possible? [SOLVED]
Replies: 3
Views: 1812

Re: Transparent Connection on SIP SERVER, its possible? [SOLVED]

Great to hear it works.
I wouldn't say so security-wise.
-Chris
by cdiedrich
Wed Jan 23, 2019 1:32 pm
Forum: Beginner Basics
Topic: IP Sec tunnel alive but no traffic (NAT and Firewall rules are added)
Replies: 9
Views: 2249

Re: IP Sec tunnel alive but no traffic (NAT and Firewall rules are added)

Did you adjust your masquerade rule as well?
And BTW, it's better to post config exports than screenshots. A screenshot only shows a fraction of all possible parameters.

-Chris
by cdiedrich
Wed Jan 23, 2019 1:04 pm
Forum: General
Topic: Drop forward rules NOT worked between devices connected via Wi-Fi
Replies: 10
Views: 2612

Re: Drop forward rules NOT worked between devices connected via Wi-Fi

Sorry, didn't notice the default-fwd=no in the config.
As OP also set default-authentication=no and created an access list with default-forward=yes per client, this setting overrides the setting in the interface setting.
So we're still talking about a default-forward issue on the w/l interface.
-Chris
by cdiedrich
Wed Jan 23, 2019 12:21 pm
Forum: Beginner Basics
Topic: Two L2TP-tunnels from one WAN
Replies: 5
Views: 1795

Re: Two L2TP-tunnels from one WAN

Just add (static) routes with the remote address of the tunnel as gateway. as a side note: L2TP/IPsec or plain IPsec would give you much better results in a site2site tunnel - SSTP is tcp-based and sending acks back and forth has a negative impact on latency and hence throughput. Additionally, SSTP ...
by cdiedrich
Wed Jan 23, 2019 10:46 am
Forum: Beginner Basics
Topic: Two L2TP-tunnels from one WAN
Replies: 5
Views: 1795

Re: Two L2TP-tunnels from one WAN

http://macappstore.org/sstp-client/
/Chris
by cdiedrich
Wed Jan 23, 2019 10:33 am
Forum: General
Topic: Drop forward rules NOT worked between devices connected via Wi-Fi
Replies: 10
Views: 2612

Re: Drop forward rules NOT worked between devices connected via Wi-Fi

Your second "unexpected" condition is correct and is totally expected for me. The traffic doesn't even enter the bridge - it remains in the wireless interface, the two devices use your wlan interface as a wireless switch. Mitigation would be disabling default-forward on the AP - this will ...
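Added example (not code from the posts): what "disabling default-forward on the AP" looks like in RouterOS, together with the per-client access-list setting the earlier post in this thread points out overrides it. Interface name and MAC addresses are assumptions.

```routeros
# Clients on the same wlan are switched inside the wireless interface, so a
# bridge or firewall forward rule never sees their traffic. Stop the AP from
# relaying frames between its own clients:
/interface wireless
set wlan1 default-forwarding=no

# With default-authentication=no, clients are admitted through the access
# list. An entry's own forwarding= value overrides the interface default, so
# a per-client forwarding=yes silently re-enables client-to-client traffic.
# Keep every entry at forwarding=no unless isolation is not wanted.
/interface wireless access-list
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:01 forwarding=no comment="laptop"
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:02 forwarding=no comment="phone"

# Check: no entry should show forwarding=yes, and a ping between the two
# clients must now fail.
/interface wireless access-list print where forwarding=yes
```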
by cdiedrich
Wed Jan 23, 2019 10:25 am
Forum: General
Topic: Using DNS instead of IP with MikroTik Router as a VPN Client
Replies: 2
Views: 2699

Re: Using DNS instead of IP with MikroTik Router as a VPN Client

I wonder which version of RouterOS you are running.
connect-to nicely accepts an FQDN. I'm connecting many devices with this.
-Chris
by cdiedrich
Tue Jan 22, 2019 1:50 pm
Forum: Beginner Basics
Topic: Two L2TP-tunnels from one WAN
Replies: 5
Views: 1795

Re: Two L2TP-tunnels from one WAN

There's nothing you did wrong. It's the nature of ipsec-esp - the protocol does not contain any information which session it belongs to. So the edge router where your road warriors are located has no idea to which client it has to send incoming packets. Usually the first connected client wins and ge...
by cdiedrich
Tue Jan 22, 2019 12:23 pm
Forum: Beginner Basics
Topic: IP Sec tunnel alive but no traffic (NAT and Firewall rules are added)
Replies: 9
Views: 2249

Re: IP Sec tunnel alive but no traffic (NAT and Firewall rules are added)

This is just a guess but probably worth a try: Your default masquerade rule in both sites has no src-address specified which leaves plenty of room for interpretation and I wouldn't be surprised if tunnel traffic from the remote site gets masqueraded right away and comes out of your LAN-facing interf...
by cdiedrich
Tue Jan 22, 2019 11:54 am
Forum: General
Topic: Suggestions for allowing only one pppoe connection over a layer2
Replies: 1
Views: 976

Re: Suggestions for allowing only one pppoe connection over a layer2

The first thing in my mind would be bridge filters in your CPE.
You ideally whitelist the MAC address of your customer's router for PPPoE discovery and session and drop all other PPPoE traffic.
This might get tedious but could be worth a try...
-Chris
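Added example (not the poster's own rules): the bridge-filter whitelist described above on a CPE. PPPoE uses two Ethertypes, 0x8863 for discovery and 0x8864 for the session, and RouterOS bridge filters match them as mac-protocol=pppoe-discovery and mac-protocol=pppoe. The port name ether2 (customer-facing), the bridge name and the MAC address are assumptions.

```routeros
# Whitelist one customer MAC for PPPoE on the customer-facing port and drop
# any other PPPoE frames entering from that port. Filtering only on the
# customer port leaves the BNG's replies on the uplink untouched.
/interface bridge filter
add chain=forward in-interface=ether2 mac-protocol=pppoe-discovery \
    src-mac-address=AA:BB:CC:DD:EE:FF action=accept \
    comment="customer router: PPPoE discovery (PADI/PADR)"
add chain=forward in-interface=ether2 mac-protocol=pppoe \
    src-mac-address=AA:BB:CC:DD:EE:FF action=accept \
    comment="customer router: PPPoE session"
add chain=forward in-interface=ether2 mac-protocol=pppoe-discovery \
    action=drop comment="any other device: no PPPoE discovery"
add chain=forward in-interface=ether2 mac-protocol=pppoe \
    action=drop comment="any other device: no PPPoE session"

# Check: a second device's PADI broadcasts should increment the drop
# counters while the customer router's session keeps running.
/interface bridge filter print stats
```

Note that a device that spoofs the whitelisted MAC is not stopped by this; the filter bounds who can start a PPPoE discovery, not who can impersonate the router.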
by cdiedrich
Tue Jan 22, 2019 11:43 am
Forum: General
Topic: OpenVPN suddenly stopped working
Replies: 2
Views: 1437

Re: OpenVPN suddenly stopped working

Looks like the connection attempt is being rejected by your router. Is your ovpn server still running?
Did you apply any changes to your input firewall before that?
by cdiedrich
Mon Jan 21, 2019 4:10 pm
Forum: General
Topic: Unidirectional ethernet on routerOS?
Replies: 0
Views: 866

Unidirectional ethernet on routerOS?

All, has anyone tried (and successfully implemented) to realize a pair of unidirectional Ethernet links like UDE on the Cisco 4500/6500 switch platform on a MikroTik router? If so, I'd be very interested in how it was achieved. Manually maintaining host/mac tables is not an option for my application... ...
by cdiedrich
Mon Jan 21, 2019 1:53 pm
Forum: Beginner Basics
Topic: Transparent Connection on SIP SERVER, its possible? [SOLVED]
Replies: 3
Views: 1812

Re: Transparent Connection on SIP SERVER, its possible? [SOLVED]

Your default masquerade rule is too ambiguous. With your current setting everything will be NATed. It looks like you have multiple ISPs and a bunch of local networks attached. Try to narrow down your masquerade rule. Add all your local subnets to another address list "localnetworks" Adjust...
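Added example (not the poster's own export): the narrowed masquerade rule this post and the three "IP Sec tunnel alive but no traffic" replies above describe, with the over-broad rule beside the corrected one. Interface name pppoe-out1, the two local subnets and the address-list name are assumptions; the ipsec-policy matcher is the stock RouterOS firewall matcher.

```routeros
# Over-broad rule of the kind the posts describe: every packet leaving
# pppoe-out1 is masqueraded, including packets that should have entered an
# IPsec policy, so the remote peer's policy selector no longer matches.
#   /ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade

# Corrected configuration.
/ip firewall address-list
add list=localnetworks address=192.168.10.0/24 comment="office LAN"
add list=localnetworks address=192.168.20.0/24 comment="VoIP VLAN"

/ip firewall nat
# 1) Leave traffic alone that will be encrypted by an IPsec policy; this must
#    sit above any masquerade rule.
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="do not NAT IPsec tunnel traffic"
# 2) Masquerade only packets whose source really is one of our own subnets.
#    Transit traffic arriving from the remote site is no longer matched.
add chain=srcnat action=masquerade src-address-list=localnetworks \
    out-interface=pppoe-out1 comment="NAT local subnets to the internet only"
# 3) Remove the old catch-all so it cannot shadow the rules above.
remove [find chain=srcnat action=masquerade src-address-list=""]

# Check: while pinging across the tunnel the IPsec SA byte counters rise
# and the masquerade rule's counters stay still.
/ip firewall nat print stats
/ip ipsec installed-sa print
```

Post the result of `/ip firewall nat export` rather than a screenshot when asking for help, as the reply above suggests; the export shows every matcher, including the empty src-address that causes this.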
by cdiedrich
Fri Jan 18, 2019 4:16 pm
Forum: Virtualization
Topic: CHR, LACP, and VMware
Replies: 3
Views: 7311

Re: CHR, LACP, and VMware

If your license allows, do the bonding in ESX. If not, you'll need to dedicate NICs to your CHR instance and then follow these steps: Create a vSwitch per NIC, allow promiscuous mode for vSwitch. Add each dedicated NIC to the corresponding vSwitch as single uplink only. Create port groups on that vS...
by cdiedrich
Fri Jan 18, 2019 2:00 pm
Forum: General
Topic: Attempting to get a MikroTik Powerbox Pro to act as a pure switch for hundreds of VLANs [SOLVED]
Replies: 1
Views: 1581

Re: Attempting to get a MikroTik Powerbox Pro to act as a pure switch for hundreds of VLANs [SOLVED]

This manual article on the bridge VLAN table should basically clarify what you'll need to get started.
But AFAIR the PowerBox Pro's switch chip doesn't support vlan filtering in hardware. Should not be a problem if all ports are the same vlan-wise.
-Chris
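Added example (not the poster's own config): a bridge VLAN table for a device acting as a pure switch for a large block of VLANs. Port names and the VLAN ranges are assumptions. The post notes this may be done in software on the PowerBox Pro; the configuration is the same either way.

```routeros
# Build the whole table first with vlan-filtering still off, then switch
# filtering on; with filtering on, a VLAN with no table entry is dropped.
/interface bridge
add name=bridge1 vlan-filtering=no comment="pure switch"

/interface bridge port
add bridge=bridge1 interface=ether1 comment="trunk to core"
add bridge=bridge1 interface=ether2 comment="trunk to access switch"
add bridge=bridge1 interface=ether3 pvid=100 comment="untagged access port"

# vlan-ids accepts ranges and comma lists, so hundreds of VLANs are one entry.
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2 vlan-ids=101-399
add bridge=bridge1 tagged=ether1,ether2 untagged=ether3 vlan-ids=100

# If you manage the device through bridge1, add bridge1 itself as tagged
# (or untagged) member of the management VLAN before enabling filtering,
# otherwise you lock yourself out.
/interface bridge set bridge1 vlan-filtering=yes

# Check: every VLAN shows the expected tagged/untagged port membership.
/interface bridge vlan print
```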
by cdiedrich
Wed Jan 16, 2019 11:31 am
Forum: General
Topic: Large deployment suggestions for event
Replies: 13
Views: 3224

Re: Large deployment suggestions for event

I'd go for router redundancy. Configure both the same and use vrrp. 500/300 is way enough for 5k attendees, I totally second the proposal of using 4G just as failover. I do a lot of festivals (with attendee counts between 10000 and 120000) on a very regular basis and I can tell you from my experienc...
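Added example (not the poster's own config): the "configure both the same and use VRRP" advice as a minimal pair. The LAN interface, the 192.168.1.0/24 subnet, the VRID and the priorities are assumptions; everything except the router's own address and its priority is identical on both boxes.

```routeros
# --- router A ---
/ip address
add address=192.168.1.2/24 interface=ether2 comment="router A own address"
/interface vrrp
add name=vrrp1 interface=ether2 vrid=10 priority=200 preemption-mode=yes
/ip address
add address=192.168.1.1/32 interface=vrrp1 comment="shared gateway for clients"

# --- router B: identical, except its own address and a lower priority ---
# /ip address add address=192.168.1.3/24 interface=ether2 comment="router B own address"
# /interface vrrp add name=vrrp1 interface=ether2 vrid=10 priority=100 preemption-mode=yes
# /ip address add address=192.168.1.1/32 interface=vrrp1 comment="shared gateway for clients"

# Clients use 192.168.1.1 as default gateway. Check which router holds it:
# the master shows the R (running) flag on vrrp1.
/interface vrrp print
```

Hand out 192.168.1.1 as the DHCP gateway on both routers so a failover changes nothing on the clients; with preemption on, A takes the address back as soon as it returns.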
by cdiedrich
Tue Dec 18, 2018 6:24 pm
Forum: Beginner Basics
Topic: i have problem to make my range up to 1022 [SOLVED]
Replies: 3
Views: 1676

Re: i have problem to make my range up to 1022 [SOLVED]

Looking at all your other posts on this forum you should basically have all info needed. First, adjust the subnet mask in your IP address: Change it from 192.168.88.1/24 to 192.168.88.1/22 - or whatever your subnet is. Then change your DHCP-Server network definition to the /22 subnet Then adjust the...
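Added example (not the poster's own commands): the /24 to /22 change from the steps above, done from the terminal. A /22 gives the 1022 usable addresses the topic asks for. The DHCP server name, pool name and address-list entry are assumptions, and the pool step is added here because the post is cut off before it.

```routeros
# 1) Widen the router's own address (192.168.88.0/22 = 192.168.88.0-192.168.91.255).
/ip address
set [find address="192.168.88.1/24"] address=192.168.88.1/22

# 2) Widen the DHCP network definition so leases carry the /22 mask.
/ip dhcp-server network
set [find address="192.168.88.0/24"] address=192.168.88.0/22

# 3) Widen the pool; .88.1 stays the gateway, .91.255 is broadcast.
/ip pool
set [find name="default-dhcp"] ranges=192.168.88.2-192.168.91.254

# 4) Anything else still written as /24 (firewall, NAT, address lists)
#    must follow, or the new hosts in .89-.91 are treated as foreign.
/ip firewall address-list
set [find address="192.168.88.0/24"] address=192.168.88.0/22

# Clients keep their old /24 lease until renewal; renew them or shorten the
# lease time before the change so they pick up the new mask.
/ip dhcp-server print
/ip dhcp-server lease print
```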