Hello, I need to make filter-firewall, where all services from Microsoft will be allowed. The goal is to run forms.office.com after some authentification to Azure account. Here is my idea: 1. make it by filter rule + static address list (destination of microsoft subnets) - but was not successful, ca...

Any particular reason not to configure both links as LACP group? With that many VLANs (and probably many different concurrent connections flowing between both links) traffic would distribute between the links in almost ideal ratio. Do you (or anyone) have LACP (802.3ad) working with CRS over radio ...

I'm pretty sure VLAN99 gets into a semi-loop state when you configure two ports as members even on single end. In this moment switch (which has both ports configured as members) starts sending certain frames to both ports and the other switch (which is still configured with single port member of VL...

So if I understand you right: currently you have VLAN 99 over primary link and everything works fine. If you start to configure VLAN 99 also for secondary link, switches detect loop? But there indeed is (a partial) loop in that case. You can have it like that (I guess you have redundancy in your mi...

primary link: sw1 /eth14/ connected to sw2 /eth1/ secondary: sw1 /eth10/ connected to sw2 /eth19/ vlan99 in mngmt - when i try to send it by secondary link i get loop. Even when vlan99 is not on sw2 port eth19. This is 1st step in my mind. vlan1233 and vlan1234 is dummy - not used anywhere - just to...

my settings differs from picture above. But in general, i know it must be something to do with PVIDs. Now i am able to connect it into one bridge in "/interface bridge port". so line is working. But after sending the same tagged vlan i get loop even when vlan in not member as "tagged&...

Hello,
i try to do 2 sepatare L1 conncestions between 2 CRS. Tagged vlans and untagged vlans - everything is working until i split vlans between 2 separated links i get loop. Is it possible to use vlan filtering in this scenario without LACP/bonding?

Thank you for reply. 1. of course i have separate vlan for management. But this protect only our devices. 2. What about customer routers which they leave open wan access to management their own devices? What about customers radios - eg with terminated pppoe? I can change port or make firewall on cus...

Because of security. I wanna block access to web/ssh/telnet management on other devices. I dont want the customer to see other device. Customers often leave their devices not secured enough, also our management needs to be protected. It looks exactly what i need. I will test it during night. Now i k...

It looks exactly what i need. I will test it during night. Now i know "where to dig". My fault, gw means gateway - ccr1072 on map - NAT/FIREWALL. Thank you, i will let you know. Yeah, I didn't get that, especially that "gw" means a particular router. So instead of forcing traffic...

I am sorry, maybe i didnt expressed myself correctly. I know i can do RAW firewall using IPs, but that is not the point. I want to have firewall on gw only. I dont want to make firewall on each PPPoE 1,2,3 separately. Those machines should be only used for pppoe server purpose. If i will drop some c...

I tried, but cannot figured out rule. cause interface all-ppp is forbiden. btw i dont want to totaly drop communication. i just want to make rules on gateway. Because some clients need to communicate between and some communication must be denied. You can use raw firewall rules without connection tra...

Hello, Due to problem by using single one CCR as PPPoE AC when reaching 1,4k active clients, i placed 3 as AC and 1 as gateway. Those PPPoE1, PPPoE2 do only pppoe server and simple queue based on profile in pppoe server /no NAT, no firewall, no connection tracking/. PPPoE3 is spare only. Then i have...

Threshold for PPPoE AC is somewhere near to 1.4k active connections. More active client connections make mess. It is problem on ccr1036 or ccr1072. It doesnt matter. I even turned off NAT, Connection tracking and firewall. For this i have separate ccr 1072. Only using simple queue and pppoe and it d...

As i mention, problem occures when only 1 ccr1036 is doing pppoe-server. It is doing only pppoe-server within 100vlans /using local secrets, No firewall, no NAT, no connection tracking. I cannot run 1,5k pppoe-clients on one ccr. It is not matter of CPU, problem is when i passs 1,3k clients running....

Hello, I am running PPPoE access concentrator. It provides connection to 1,5k customers. In recent time, i have problem with disconnects. I was suggested by mikrotik support to make new ccr for pppoe only /no NAT, no connection tracking, no firewall/. Now i am running it on ccr1036, peak CPU is 15%....

I do not have a PPPoE access concentrator around, but something like this could work: :foreach Active in=[ / ppp active find ] do={ :local ActiveVal [ / ppp active get $Active ]; :if ([ :len [ / ip address find where address=($ActiveVal->"address") dynamic ] ] = 0) do={ / ppp active remov...

Hello, In this time, i experience problem. I am runnning PPPoE access concentrator on CCR1036 /1500 active connection, CPU under 15%/. PPPoE tunnel to customer is active, i can find it in ppp/active_connection. But i cannot find it in IP/ADDRESS and also in IP/ROUTE. After manual delete of active pp...

Hello folks, i inherited a huge network combined from Cisco and Mikrotik devices. I cannot find reason, why i am getting unwanted traffic into devices /once-in-time/, which traffic doesn't belong to. It causes lags in large scale. Core network is made o Cisco 3XXX and 29XX. VTP is used to distribute...

Hello,
I am looking for quick advice. My machine broke down. I need to take my HDD and put it into another machine. PC are different - previous DELL P3 and new one is HP P4. Is it possible without loosing my licence? Or I need to purchase new licence? HDD will be THE SAME, but HW will be changed.

I need to firewall DHCP.

Is it possible to filter it when 2 interface are bridget together and there is DHCP server going trought interfaces.


thanks

no, there is serious bug in DNS service in MT. Why is it so difficult to find that bug? noone is able to give me advice and answer. I sent supout file, but i only get answer to use "redirect" instead of dst-nat. But I would like to use DNS cache service like in past time. Is it possible, w...

I have the same problem. Using 2.9.50

Upgrade to 3.2 doesnt help. Dont know what to DO !!!

see http://forum.mikrotik.com/viewtopic.php?f=2&t=21452

Look here

http://forum.mikrotik.com/viewtopic.php?f=1&t=18006

excuse me, but very strange situation. What is the result of topic?

could you help me? 247-871-501

v3.2 but, it was reason of upgrading. It was same in v2.9.50

hey, I determined problem: After changing cache size used for DNS it works great, but only for few minutes. The cache is not full. I have tried max. limit and then decrease it / as I have said, DNS worked great but after few minutes som pages couldnt be loaded./ -------------------------------------...

what about man-in-the-middle? is it possible, that somebody is probably poisoning network by bad resolves in udp 53 port?

Hello, I used to use IP/DNS feauture. but one week ago I couldnt resolve some web-pages. So I disabled IP/DNS feature and set dst-NAT of UDP 53 port. but it didnt work how it should. when I set DNS of my ISP in computer, it works great, but i have no time to set if for 100 pcs. Thansk a lot and excu...

Please, help mi, I made mistake. I did firewall rule: DROP all INPUT. I cant access to my router, but internet work /because it is not appylied to forward/. But there is one rule infront of it: accept 53 /DNS/ Is here any chance to get access to my MT router? Or I will need to reset it to default? T...