MikroTik

tr00g33k

I cant find option max-prefix-limit ir RoS v7.7, please any tip ?

tr00g33k

Hi, I have some specific configuration on IX. We have peering with IX but no direct peering with other through IX. We have a problem when one of the IX member (lets say AS6500) have two peers one is on the other side of the country (assume ip 10.10.10.101) and one realy close to us (10.10.10.100). R...

tr00g33k

Was this solved in 6.47.2, we have problems when we connect HP or netgear 802.3ad to CRS-354, in hp case there is traffic disruption all over the network, in netgear there is nothing going through. With other devices LACP works ok, if we connect only one cable from MikroTik to HP, no traffic goes th...

tr00g33k

Hi, Bellow Iam attaching the network diagram on which Iam in position os ISP1 (AS65537), we are connected with one router to one of the internet exchange points with two route servers (AS65536). On the other side there is ISP2 (AS65538) connected to the IXP with two routers, one router is 192.168.10...

tr00g33k

Hi, i would like to achive the following configuration that works on Cisco Nexus, on MikroTik HEX s models. CISCO-NX-ISP-SW01 & CISCO-NX-ISP-SW02: Eth1/1: Switchport access vlan 1500 switchport mode dot1q-tunnel Eth1/2 sw mod tr sw tr all vl 1500 C2960-ISP-SW01 & C2960-ISP-SW02: Fa0/1 & ...

tr00g33k

Exactly :) If i would see a post earlier would sure saved me an hour or two of trubleshooting configuration of two data-centers that we dont have any problems with, only CHR have strange problems (or admin didnt get enough of sleep for few days) :) The strangest problems, are most of the time stupid...

tr00g33k

Hi, Installation and configuration: -Imported vmdk 6.44.3 to datastore -Converted vmdk -Created new virtual machine with 2 cpu, 4 gbram, 512mb disk as it is on MikroTik site -Connected disk to ide0 -Network cards vmxnet3 We installed MikroTik CHR 6.44.3 on vmware ESXi 6.5.0.2000 and we have problem ...

tr00g33k

Where you able to solve this ? I have the same problem,...

tr00g33k

That is exactly what i figured out. It didnt go out of my head, so i used good old wireshark to check what is going on R1 and R2. The packet are fragmented but if you are PC1 you dont know about it, because they are fragmented through PPPoE and on the link to the R2. And on the other side of OpeVPN ...

tr00g33k

Hello, I have been playing around a bit with max MTU path discovery, and I came across something strange. My setup is following: http://shrani.si/f/2F/9E/4aIU5CyA/2018-09-02-225848-drawin.png I have OpenVPN tunnel established beetwen R1 and R2 (MikroTiks), R1 access internet through PPPoE, R2 have I...

tr00g33k

Updated CRS326-24G-2S+ from firmware v6.42.3 to 6.42.6 update went fine but after the update process ether24 en ether23 aren't working anymore. They give link negotiate speed ect. but no mac address what so ever. Both port where trunk ports one has a WAP AC on it and the other a Cisco Switch. Movin...

tr00g33k

Hello, I`am testing MikroTik`s VRF functionality, to see where it can came to good use. I`am trying to achieve following: -4 VRFs: red, blue, green, black -red and black VRF with overlaping networks -All VRFs should access internet through main routing table, at gateway 192.168.24.1 (wlan1 interface...

tr00g33k

I had the same problem two mikrotiks (Rb3011, for redundant links), trunk beetwen them and vlans. VRRP V3 protocol:IPv4 on VLAN interface. On ipv4 protocol vrrp is not working I installed ipv6 package and set VRRP V3 protocol to ipv6, not it works. MikroTik Engineers can you give any info why V3 pro...

tr00g33k

If you have PFS (perfect forward secrecy) enabled, try disable-ing it. Check all the timers lifetime for phase1 & phase2. Another thing to try is to ping every 1-3 seconds through tunnel, from one side and from another, and see if the tunnel goes down, even if constantly passing traffic through ...

tr00g33k

Simple solution: on router 1 you create two nat rules one is dst-nat and second is src-nat, you NAT src-address to your router LAN IP, so it hides the public IP of the packet. Example: on router one you create two rules: DST-NAT: /ip fire nat add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-por...

tr00g33k

Add in-interface=WAN or dst-address=WAN-IP to your nat configuration, and everything should work fine.

tr00g33k

Are you doing scan from inside the network to your WAN IP? From routers LAN? If this is the case this is normal.

Checked your config once more you have any TCP port NATed to internal 192.168.88.101 32400

tr00g33k

You are missing established, related firewall rule on forward chain Your config: ip firewall filter add chain=forward action=accept protocol=udp dst-port=53 comment="Accept DNS" add chain=forward action=accept src-address=172.16.31.101/32 dst-address=190.96.78.8/32 add chain=forward action...

tr00g33k

I do this whit quit good results, like this: /ip fire address-list add list=Facebook address=facebook.com /ip fire address-list add list=Facebook address=facebook.de and .ru => or whatever country you live in .ru => russia .de => germany etc and after that: /ip firewall filter add chain=forward src-...

tr00g33k

Do you have any scheme for the begining ? Ok you are beginner with MikroTik. Tell us how you would accomplish this with other vendor network equipment, and we can try to help you with MikroTik. First you need some design How many network nodes ? Will you provide VoIP for customers? Providing TV? Do ...

tr00g33k

It is very hard to guess what is the problem if you dons post cnfiguration. My first guess would be that you briged everything on mikrotik, and connect it to pfsence. Than pfsence gave out DHCP based on dhcp binding that already have. And every device recived correct IP. Communiaction worked because...

tr00g33k

Did you try to tag native vlan ? Do you have the vlans created on switch ? does the port goes up ? Do you see MikroTik in

show cdp neig fa x/y det

?

Do you see any errors in:

sh int status fa x/y

We have many mikrotik => cisco trunks with no problem.

tr00g33k

Two things to try on trunk port on cisco:

switchport trunk encapsulation dot1q

or

global config: vlan dot1q tag nativ

tr00g33k

Thank you for giving me back hope

I tried one more time the same configuration diffrent cisco switch, works perfect, exactly the same configuration. I was testing this on some old Cisco switch. Than i put the same configuration on production networks, works like it was intended to work.

tr00g33k

Hello, i would like to achieve something like this if i even imagine this correctly. I have some network with mostly C2960 switches, that does not support 802.1QinQ. And have some MikroTiks on the edges where i could configure this. But i still have to get vlans through 2960`s without 802.1QinQ supp...

tr00g33k

You can assingn IP on port 2: 192.168.100.1/24 assing IP on port 5: 192.168.1.1/24 ip address add interface=Eth2 address=192.168.100.1/24 ip address add interface=Eth5 address=192.168.1.1/24 Than create firewall rules: ip fire fil add chain=forward src-address=192.168.1.0/24 dst-address=192.168.100....

tr00g33k

That is the easiest solution if the network 192.168.1.0/24 does not need to access back to 172.100.100.0/24.
This is the worst, if you have to make some VPN tunnels and you dont have access to other side, or un-cooperative network admin on the other side.

Glad that this solved your issue

tr00g33k

From 172.10.10.0/24 you can access 192.168.1.0/24?
If this is true what if you try a trick NAT 172.100.100.0/24 through one of the IPs 172.10.10.0/24 to 192.168.1.0/24, so you will see where to look for the miskate, on your side or other side.

tr00g33k

On RB201: You have to have route for 192.168.1.0/24 that shows to GW 172.10.1.2 You have to have route for 172.10.10.0/24 that shows to GW 172.10.1.2 On Rb1200: You have to have policy from 172.100.100.0/24 to 192.168.1.0/24 You have to have policy from 172.10.10.0/24 to 192.168.1.0/24 And all prope...

tr00g33k

You create vlan 100 and 101 like this /interface vlan add name=Vlan100-eth10 interface=eth10 vlan-id=100 /interface vlan add name=Vlan100-eth6 interface=eth6 vlan-id=100 /interface vlan add name=Vlan101-eth10 interface=eth10 vlan-id=101 /interface vlan add name=Vlan101-eth6 interface=eth6 vlan-id=10...

tr00g33k

Hi, i have this situation: Port 1 - working ppoe-out1 connection (wan1) Port 2 - working ppoe-out2 connection (wan2) Port 5 - LAN I have 192.168.1.0/24 and 192.168.2.0/24 ip on port5 LAN. I want set gateway of 192.168.1.0/24 to ppoe-out1 and gateway of 192.168.2.0/24 to ppoe-out2. I tried this /ip ...

tr00g33k

Hi all, I have been trying for several days to get my block of public IPs to work with no luck... I got this mail from my ISP, they said that "We have now routed 62.XX.X.1/29 as second subnet (gw 62.XX.X.1) and we have 1:1 nat your ip 172.16.XX.2 to 62.XX.X.3 and routed the subnet 62.XX.X.64/2...

tr00g33k

The QoS have to be implemented all the way, from your customer to last router

tr00g33k

The only time that this happens is to google? Do you maybe have some firewall rule related to google`s IP, some L7 google firewall rule? Address list? From what i see i wouldnt say it is a ISP problem it looks like the packet doesnt go out from router, could you paste whole config, to see what could...

tr00g33k

Please post whole configuration so we can see what could the problem be.

tr00g33k

Please poste your routing table, routing rules and magle rules, it looks like routing loop. but this is only to google ? Try to make traceroute to see where the packet start to bounce between two hosts, at least it looks like that.

tr00g33k

If I understand correctly what you want to achieve: http://shrani.si/f/E/HZ/P1GcVcG/netscheme.png Yes you can create this, be careful you have to create two separate NAT masquerade rules. And you have to create "policy based routing" with mangle rules, so you have to mark routing from &quo...

tr00g33k

Simple and easy way that i use, create a "netwatch host", than under 1.) UP EVENT: /file print file=XY_Router_UP tool e-mail send server=xx.xx.xx.xx port=25 user=xx@xx.com to=xy@xx.com from=xx@xx.com subject="XY Router UP" body="XY Router UP" 2.) DOWN EVENT: /file print...

tr00g33k

Two ideas, do you maybe have fast path enabled ? Common error when dealing with mangle rules.

Other try with packet marking.

And if still you cannot solve this, try to post the whole configuration so we can see the whole picture

tr00g33k

If i understand correctly you recive tagged vlan 8 on port 1 interface vlan add vlan-id=8 interface=ether1 name=VoIP-Vlan8 and then you want to create access port on ether4 and ether5. For that you create additional bridge interface bridge add name=AccessBridgeVlan8 and add ports to that bridge inte...

tr00g33k

You have ether1 in bridge, on firewall rules use bridge as in/out interface, or remove ether1 from bridge.

tr00g33k

I do it with mangle rules.

About dynamic IP, you could create script, that would check let sat every 30 seconds (with scheduler) for IP on your dynamic IP wan port. And updated mangle rule with IP that is currently on wan2 port.

tr00g33k

Yes because when you define source and you point it to 8.8.8.8 mikrotik looks at the routing table and takes the default route with better distance. And he tries to go out with wan2 IP on wan1 interface, and gets denied from ISP on WAN1, because ISP doesnt know for this segment. You can solve this w...

tr00g33k

So you unpluged one of the cables and did what ? Plug it into another switch ? Please draw as what setup you have right now.

tr00g33k

If you cant get this working you can try with SSTP site to site only port 443 required, if you dont need EOIP because you would need the same L2 broadcast domain over VPN. On one site you setup SSTP server, NAT 443 on DD-WRT, on other side you create SSTP client, and connect to SSTP server.

tr00g33k

One more vote for pure IPsec, at most clients we are running pure IPsec site-to-site MikroTIk->MikroTik and MikroTik->Many other vendors, no problem at all. L2TP and other protocols would be useful if you would run some dynamic routing protocols over site-to-site.

tr00g33k

I had the same problems with hAP lite rb941. Example port 3 only for one laptop did not work, all other ports ok, and port 3 for other computers ok, even two same 8440p elitebooks one worked on ether 3 other not, and the same laptop that did not work on rb941 worked on any other equipment, when repl...

tr00g33k

I have working RADIUS for SSTP and PPtP authentication on windows server 2012.

Make sure to tick the radius authentication

tr00g33k

On which port do they connect if it is UDP 53, be sure to block remote DNS requests under IP->DNS->Allow remote request untick the box or with firewall /ip fire filter chain=input in-interface=WAN protocol=UDP dst-port=53 action=drop Otherwise make a torch on LAN interface and see the connections

tr00g33k

I suggest that you read: http://mum.mikrotik.com/presentations/UA15/presentation_3077_1449654925.pdf And the new way of fast-path diagram is that than and there one of the packets go the slow path so that it checks if others packets are ok to go fast-path, quickly explained. I never have fast-path e...

tr00g33k

Because some packets went the slow path and went through mangle rules as they should and applied correct routing decision. Other packets went through fast-path, and only routing decision was made based on the routing table no mangle rule applied to the packets.

Do you understand the explanation?

tr00g33k

Do you maybe have FastPath enabled? If so, disable and try again.
Maybe you could post your whole config so it is easier to see, it there some little thing that needs to be changed.

tr00g33k

Try this for test: /ip route rule add src-address=10.0.32.1 dst-address=0.0.0.0/0 routing-mark=direct action=lookup and then try delete all other mangling rules and only add this one: /ip firewall mangle add src-address=10.0.32.1 dst-address=0.0.0.0/0 action=mark-routing new-routing-mark=direct pas...

tr00g33k

If there is some traffic in both direction maybe try adjusting tcp-mss, you have L2TP/IPsec site-to-site that goes through PPPoE, if i understood your setting correctly. You have some additional overhead because of this protocols, try adjusting TCP-MSS to about 1352, or even lower if that doesnt work.

tr00g33k

Thank you for the TIP i knew that already but i wanted to masqureade only one port. So today i was playing around and i found the way to do this, but i dont know if this is the way it should be done: /ip firewall nat add action=dst-nat chain=dstnat dst-port=3389 in-interface="Eth1 - WAN" p...

tr00g33k

Hello! I have a question I have two "routers" on network one MikroTik and one L7 firewall for testing purposes. The LAN network have default route (default gateay) set to firewall. But the LAN network can have access through MikroTik to, so the MikroTik and the L7 firewall both have WAN IP...

tr00g33k

I can answer on your question about limited editing for cutomer, you can create web skin, and add only the options that you want that the client can configure. Other it is not possible to answer because it depends on a lot of things. You can access into skin designer through web interface, and you c...

tr00g33k

What kind of VPN connection PPtP, SSTP, vendor specific ? It depends what kind of VPN you whant to block,...

tr00g33k

I think this could be possible, with some scripting. If I understand correctly you have 1 static public IP and more dynamic IPs that are connected with some A records ? You could do two nat rules, with diffrent dst-addresses. Than create script that every 10 seconds resolves dns name, and use that I...

tr00g33k

Try to contact the ISP and ask him what does he recommends for MTU, and set that MTU on WAN interface. Maybe you could give it a shot.

tr00g33k

I would use VRRP and some scripting.

tr00g33k

What about if you do dhcp reservations for this 20 clients and create address list for firewall and then allow only this clients to VPN site ?

tr00g33k

/interface vlan add name=Vlan23 vlan-id=23 interface=ether1 /interface bridge add name="Access_vlan23" /interface bridge port add bridge =Access_vlan23 interface=wlan1 /interface bridge port add bridge=Access_vlan23 interface=Vlan23 This config means that you recive tagged vlan 23 on ethe...

tr00g33k

Let me ask a bit diffrent, did anybody ever tried arp: reply-only on VLAN VRRP interface ?

tr00g33k

Hello I have configured a VRRP on MikroTik CCR-1016 v6.34.4 in my network and I have some problem. My configuration looks something like this: I have VLAN10 on VLAN10 I have configured VRRP interface. On interface VLAN10 I have set arp to enabled. On VRRP-VLAN10 I have set arp to "reply-only&qu...

tr00g33k

What about using NetFlow software for this?

tr00g33k

under:

IP/DHCP Server / Networks / You choose network and add netmask.

If you want to go even further you can even set /32 mask for every client.
how u set /32 mask for every client in mt?

tr00g33k

Maybe I dont understand what exactly you want to achieve, with this config if clients sets up static IP it cannot communicate with router or internet. I have this setup on many networks, and the clients cannot access internet if setup static IP. i am already using the config. u suggest me :) but as ...

tr00g33k

When you reset router:

/system reset-configuration no-defaults=no

tr00g33k

You setup DHCP server to add arp for leases /ip dhcp-server set "DHCP-Local" add-arp=yes => the router will add ARP lease for every DHCP IP address Than on local bridge you setup arp to reply only /interface bridge set "LAN" arp=reply-only => This means that router will reply onl...

tr00g33k

Looks like somebody is bruteforcing your SSH service. If you dont need it disable it under /ip service disable ssh If you use it, limit the access with firewall rules (example if you need access to ssh only from 192.168.1.10): /ip firewall filter add chain=input src-address=192.168.10.1 protocol=tcp...

tr00g33k

Do the same for all 4 WAN ports 1.) Enable PPTP server 2.) For each WAN IP create coresponding firewall rules to accept GRE protocol and TCP port 1723 3.)Configure all other PPTP setings to your need (IP pools, users etc.) You should write some more what you dont know how to do, or what you want to ...

tr00g33k

What if you try Site1: chain=forward action=accept src-address=192.168.253.0/24 dst-address=192.168.88.0/24 log=no log-prefix="" chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.253.0/24 log=no log-prefix="" Site2: chain=forward action=accept src-addres...

tr00g33k

/ip firewall filter

add chain=input protocol=udp dst-port=53 in-interface=internet2 action=drop

And delete all the existing connections to port 53 from internet.

tr00g33k

You have to block DNS request on WAN side. Assume your WAN uplink is ether1

/ip firewall filter

add chain=input protocol=udp dst-port=53 in-interface=ether1 action=drop

tr00g33k

Hello! I have a question about QoS in MikroTik, just for example I`am trying to do QoS for ICMP. My setup: Lan: 192.168.1.0/24 Host1: 192.168.1.10 Host2: 192.168.1.20 MikroTik config: add chain=prerouting src-address=192.168.1.0/24 protocol=icmp action=mark-connection passthrough=yes new-connection-...

tr00g33k

ZeroByte thank you for all your help and pointing me in the right direction. The problem was that MikroTik really choose diffrent group and unicast cipher. And it was the same with other vendor than UniFi. I set static aes on AP (UniFi or any other vendor) and on MikroTik and now it works as it shou...

tr00g33k

Yes we tried another router. We started from strach many times. We tried with diffrent vendors than UniFi, it is the same, we tried inbox v60 or something similiar. We tried with about 30 routers hAP Lite, and some RB951 and diffrent OS versions and diffrent firmware versions. Right at the moment I`...

tr00g33k

I`am sorry for reaction, but we are really working hard on this for a few days, and we are trying to get help from all sides, and I`am writing the same thing over and over again. Offcourse I`am helpful for your help, dont get me wrong. Yes it is set to enabled, I have been doing some sniffing and it...

tr00g33k

Please read all my posts, the same with Station mode.

tr00g33k

I`m the admin of the whole network, its not a problem to buy a one or two new mikrotik`s, but i have 9 UniFi AP`s and 30 hAP lite MikroTiks, that are connect through some cisco`s and CCR MikroTik that is routing all traffic to internet. Its like that because client behing mikrotik can have only ethe...

tr00g33k

Ok, what else do you suggest that i use, i tried station mode, the same result. This two modes, are the only modes that mikrotik support with other vendors, please any help how to solve this problem ? For now i manage MikroTik`s from other network, but if I`am on site of this network and have access...

tr00g33k

Hello evrybody, I need some help please. I have UniFi with dhcp and connected to my core network, and on this unify i have connected clients, laptops, mikrotiks as pseudobridge. And the problem is that this MikroTik clients are not pingable inside this broadcast domain 192.168.1.0/24 I can ping lapt...

tr00g33k

Thank you very much. It realy is logical, i just couldn figure out how to have two ports with taged vlan, i didnt tought that you "have to create vlan 10 twice". Thank you very much I will try this as soon as possible. I have another question is this possible with switch function on Router...

tr00g33k

Hello evrybody i would need some help please I attach network diagram of what I would like to achive. On ether 1 I would like to bring vlans 30, 40 tagged and VLAN 20 untagged (native vlan) Then I would like to get vlan 20 untagged to ehter port 2, and VLAN 30 tagged And on ether 3 VLAN 40 untagged ...

tr00g33k

It would be really great if you could add feature, that certificate is needed on client to directly connect to winbox from anywhere. We have a lot of client, and sometimes its realy annoying to always setup vpn, or always have to coonect to office and then to clients. It would be much easies, if i w...

tr00g33k

Hello evryone i would need some help please! Scenario: I have 5 MikroTik routers with 5 diffrent WAN IPs, for Windows clients i would like to create one CA that i would export from one of the mikrotiks and import to client, and with this cert they could connect to evry SSTP MikroTik routers. So my i...

tr00g33k

Hello!

I have a question how to do client isolation in capsman if i have lets say 3 caps with 3 ssids. If there is no capsman you have to untick default forward on wireless interface, but how to solve this with capsman ?

I just cant find how to do it. please help.

tr00g33k

Hello i have a problem with configuring VLANs on mikrotik, I have a WiFi network configured on routerboard 1100AHx2 And 3 APs RouterBoard RB951Ui-2HnD Capsman is connceted to firewall watchguard. And i would like to have configured: On evry AP I have networks: Vlan10 ==> Network 192.168.90.0/24 ==> ...

Search found 89 matches