MikroTik

acruhl

Spanning tree? Am I missing something?

If that traffic thingy is just an L2 passthrough, then spanning tree should work fine. Make the cost of the backup link higher and it will stay offline until the lower cost link goes down.

acruhl

I tried installing v7 on my hap-lite earlier and it didn't work. An SMIPS package is available so I thought it would work.

Is there a list of devices that v7 is known to work on?

acruhl

Just to be complete, I did do a packet sniffer trace for gre packets and I saw traffic going both ways once I enabled the gre6 interface. But the link never gets established, which makes me think this is bug somehow. Or I'm missing something.

acruhl

I am not using that exact version but I use gre6 on some routers and it works at least up to 6.46.3.

Are you setting any special firewall rules?

I'm doing this in /ipv6 firewall filter:

;;; Allow gre
chain=input action=accept protocol=gre in-interface=ether1

Thanks.

acruhl

I'm trying to establish a gre6 connection between 2 routers on the internet. I couldn't get it working. So I tested 2 routers on my local network which are inside the same ipv6 subnet, and I still can't get it working. I disabled the /ipv6 firewall filter rule that disables traffic on the input chai...

acruhl

Thanks. Just saw it's ARM only. The only ARM device I have is my production top level router. It's an RB450Gx4. All others are MIPS. The reality is I could probably use just about anything as that router and get away with it, maybe I'll move to another one and test v7 on the ARM. Or just get another...

acruhl

Ok, I've heard of v7 for years, didn't even know there was anything known about it. I'll look into it. I'm hoping to go as IPv6 native as I can. I was also hoping to tunnel IPv4 over IPv6 for the heck of it so my top router is 100% IPv6 native. Every time I search on that I find tunneling IPv6 throu...

acruhl

Darnit I found my own post finally when I searched through my own posts which has the answer, but it's really roundabout: https://forum.mikrotik.com/viewtopic.php?f=2&t=141899 I don't understand why you can't just directly edit what gets advertised in the router advertisement. (I'm able to post ...

acruhl

It's been a while since I posted here. I searched on this and it's hard to find specific hits. First, I read this from ZeroByte but it's pretty old: https://forum.mikrotik.com/viewtopic.php?f=2&t=123302 I have had IPv6 working at my house for years now with various MikroTik routers connected dir...

acruhl

I don't see where to download a zip file, only an npk file. I don't use Windows so I don't use winbox, which is how I assume you can upgrade individual packages? I don't see a way to do it on the command line. At https://mikrotik.com/download, download "extra packages", which is the .zip ...

acruhl

How do I convert it to "separate packages"? I'm not finding that information. I'm trying to remove packages now but the error is "can not uninstall bundled package". I assume this is what you mean by separate packages? I explained how to do this in post #48 There's not enough in...

acruhl

I've got a hAP-lite and hAP-mini in a test setup for OSPF routing, neither will upgrade. I deleted all files in the "Files" menu entry and it still won't upgrade. I rebooted them, still won't upgrade. The error is "not enough space". Maybe this is the end of the line for lower e...

acruhl

I've got a hAP-lite and hAP-mini in a test setup for OSPF routing, neither will upgrade. I deleted all files in the "Files" menu entry and it still won't upgrade. I rebooted them, still won't upgrade. The error is "not enough space". Maybe this is the end of the line for lower en...

acruhl

Post what you're trying to do and what the error is.

You should be able to do ip dns server=2XXX:XXX::53 or whatever the address is. I have done it with no problem.

acruhl

I don't disagree with what pe1chl is saying. I deal with Cisco and Juniper regularly and they provide a way to roll back to a previous version pretty easily. You can't test for every possible configuration customers use. With the ability to roll back you (MikroTik) can utilize customer feedback much...

acruhl

Answering my own question partially. Once I googled the right terms, I found some help. I was thinking somehow I should be able to completely control what information is sent in the router advertisement, which is what I was searching for. This seems to not be the case. The router mostly decides what...

acruhl

It seems my router is not sending an IPv6 DNS server in the router advertisement. And I don't know how to control which DNS server it advertises. How do I do this? I can't find documentation for this.

acruhl

This might be simple, I just don't know where to start. This is hypothetical for now, but it might become reality. There are some sites attached to each other through ipsec tunnels over the internet, let's call it 192.168.200.0/20. It's happening above my router. I just have a single uplink to the d...

acruhl

I got a news article about this today through my Google feed. I immediately realized that this is a problem that has been fixed a while. But I agree a short new blog post pointing to the earlier post would reduce confusion. People would be coming here looking for new information. I hope it's clear t...

acruhl

No luck with the null cable either.

I'll try some other stuff unless you see something I missed in the output.

acruhl

Thanks for the clarification. Yes I am trying to log into the MikroTik's serial port, not log out from it. Ok, based on this info I probably need a null modem cable. Everything else I tried is not working so that makes the most sense. I tried 115200 and that didn't work so the next step is to try th...

acruhl

I just bought an RB450Gx4 to play with. It's pretty nice. Except I can't get the serial console working. This is my first ever attempt to connect to a MikroTik by serial cable, but far from my first time using a serial device (I've been around a bit). Searching didn't help much. I'm sure this is a s...

acruhl

I should have said that I'd like to use MetaROUTER, which I think is not possible on arm yet? Does it work on PPC?

You can't always have it all I suppose.

acruhl

This post seems like it's getting off topic so I might start another one. I'm looking at the RB850Gx2 and thinking I'd like to use it. But it seems like it might be the last, or nearly the last PPC based board available. If so, will RouterOS support for PPC end shortly after the last PPC based board...

acruhl

Forget what I said about VRRP if you're trying to use PCC. I didn't see that. If you absolutely need to use both uplinks to get enough bandwidth, then PCC is correct. If not, a master/backup failover setup would be more reliable. I have much better luck with users if the know the uplink bandwidth is...

acruhl

Yeah, looking at your description I think you should look into VRRP failover. You wouldn't need the extra networks, you would just have the 2 wans and 1 subnet below connected by the link between the routers. Figuring out how to failover based on wan link failure is the problem you would have to wor...

acruhl

I can't see the diagram. (EDIT: I can see it now) It says I'm not authorized to download it for whatever reason. Can you fix that? A few things: There's no need to worry about if the hardware switch is being used as of 6.41. See the release notes for 6.41: https://mikrotik.com/download/changelogs If...

acruhl

As far as I know, switch vlan is the old way to do it. You said before you were using 192.168.80.x/24 on vlan100, but in this case it's 10.10.10.x/24. Not sure you need the service tag. Try without it. Your wan bridge is doing something not 100% clear in regards to eth2. You probably don't want eth2...

acruhl

That should work. Make sure eth 2 isn't part of another bridge, if it is and you have other cables connected to the router you might have a spanning tree loop. Send exports: /interface vlan export /interface bridge export /ip address export I suppose it would be useful to set eth2 on both sides as a...

acruhl

The picture doesn't make sense until you label the devices with the red arrows. You shouldn't have to do anything to make the 2 networks communicate if both subnets are defined on the same router. If they aren't talking, you are blocking it. You don't need to add any routes, they are already there a...

acruhl

Well, start with basics. 1. UDP will show errors where TCP won't because TCP will do retransmit until the data is complete. You would see that in a Wireshark trace if it was happening. You can do a packet sniffer trace on the interface where the "bad" network exists on the Mikrotik router ...

acruhl

Yep, funny that this still comes up. I guess this must still be true after all these years. There was conjecture in the "old days" that www.3com.com was the only exception ever made. I have no idea if that's true but it made a good story. They are long gone now of course. (Edit: It's not t...

acruhl

If I'm understanding you correctly, this is not so easy. As you say, creating one trunk port with multiple vlans is a piece of cake... Doing multiple ports means you need to find your setup on this page and make a bunch of bridges to make it work: https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN...

acruhl

Just thought of a few things: What I just said is not the only way to do it. There are other ways. Testing on test devices helps. hAP-lite or hAP-mini devices are fantastic for testing... You may have to "undo" the default bridge setup to get this to work. Mikrotik assumes on some devices ...

acruhl

What is the vlan id of vlan1? Don't use vlan id 1, use something else to keep from getting confused. Vlan 1 is the default vlan and generally shouldn't be used if you're doing vlans. I'm hoping this is right, from memory: Create the vlan interface using a physical interface as it's "interface&q...

acruhl

Not sure this is relevant with wireless, but is your MTU set correctly on the pppoe-client interface?

acruhl

2 things: 1. Use mac telnet as stated above. You'll need to be in the same layer2 domain and it's probably not activated on the WAN interface. 2. ALWAYS use safe mode when doing anything remotely. You can turn it on, do a few commands and ensure they work, then turn it off. Or leave it on the whole ...

acruhl

If you knew that the addresses were worth more today than tomorrow, you might. For example: https://www.networkworld.com/article/3191503/internet/mit-selling-8-million-coveted-ipv4-addresses-amazon-a-buyer.html There are many private companies that hold class A networks. I work for one of them. Comb...

acruhl

I agree that there are older RFCs, what I'm saying is residential support still isn't standardized from what I can tell. So you have to look at what direction actual implementations are taking rather than trusting a 4 1/2 year old RFC. As for DS lite, the IPv4 space could actually start growing agai...

acruhl

I'm not that up to speed on what exactly IPv6 "standards" are, but I have some (possibly naive?) opinions on using it as a residential end customer That RFC document is about 4 1/2 years old now and I would suggest that stuff has changed. For example, using a tunneling service to get IPv6 ...

acruhl

Yeah, that's worth a try next time I'm over there. Setting a static IP is a good start probably. The real problem is I don't know exactly why it's doing this stuff or if it's necessary for it's functionality. In the end the "problem" might only be that MikroTik likes to log messages that t...

acruhl

I'm paranoid these days so I turn on packet sniffer on interfaces quite often, open it in Wireshark, then peel back the stuff that I know should be there until I find the stuff that shouldn't be there. It's surprising if you haven't done it or haven't done it in a while. Doing that is so useful and...

acruhl

I think he mainly wants to get rid of this type of message: default offering lease 192.168.22.209 for CC:35:40:04:38:1B to BC:8C:CD:46:15:F4 without success The info,!dhcp would get rid of the lease renewal messages which he also wants to hide. There may be other info level messages he wants to kee...

acruhl

I bet my left nut you are using some crappy repeaters or a device for switch, that (firmware) is not meant to be a switch. Or connected a freaking Sonos device that makes a loop... Even a laptop, connected both wired and wireless will get 2 separate IPs without problems. Running xp/7/Linux/BD/whate...

acruhl

Yeah. I was really hoping to drop log messages based on a regexp string so I don't drop everything from DHCP.

I'll try it. Thanks.

acruhl

Ok, I'm resurrecting this topic. I finally got to the place where this device exists, and it's a DirecTV DVR/set top box thing. It's apparently doing something on behalf of 2 other "slave" or "client" boxes in other rooms. Super, duper annoying. So I did this: /system logging set...

acruhl

The two addresses, 192.168.33.1 and 192.168.33.2, can ping each other. Other interconnections between the boxes exist, so in order to double-check that the ping cannot get through some other way (which is actually not possible even theoretically but just to be bullet-proof), I've disabled the membe...

acruhl

What you wrote in the diagram isn't really in English, maybe you should try in your native language and see if someone can answer.

acruhl

Don't forget to disable the DHCP server. No need for it if you've just got a bridge. Unless you want it of course. But from your explanation you probably don't want it.

acruhl

Diagram it please.

You don't really "connect" DHCP servers together, so I don't understand what you are asking.

acruhl

A trick I do once in a while is to do /export verbose, then send it to a file. I can then grep (search) the file to see if there is something I missed. Try that while looking for "stp" maybe... If you provide a packet trace showing the STP frame with your mac address as the source, plus /e...

acruhl

(If anyone wants to bring up layer 3 switches, save your typing--they are just misnamed routers.). Yes and no depending on what you need. Cisco 3750 switches have settings that help decide how to allocate resources (is it a switch or a router?) depending on how you use it. There is a difference if ...

acruhl

There is something very wrong in your post. "Learn about it before asking for help." What could be crazier? Invest tons of time in self educating yourself and finally when you're done post a question on the forums?!?!?! Further: "Hire someone" . Blah. If I were willing to accept...

acruhl

Maybe I'm a bit ignorant... I work with Cisco and Juniper all day, and they make this stuff really easy. You either have a tagged vlan or you don't. You just push those around to whatever port you want them to go, and they go there. There's a little bit more to it than that in areas, but basically t...

acruhl

If the ASUS will be in bridge mode, then what do you expect it to do besides function as a switch? Perhaps attach wifi to the bridge I suppose. I think he's referring to that ridiculous article at the link in the first post, which talks about a "router" but it's really a bridge (switch) o...

acruhl

After thinking about this for a minute, this should be a feature request.

A delay after a reboot solves not only the problem you want to solve, but can also solve "flapping" if one router has a problem and starts rebooting itself. It's a nice feature to have.

acruhl

If you don't care which router becomes the master, you can just use preemption-mode=no and that would solve the problem. You could fail it over manually once everything settles. Otherwise, I don't see a way to do it. I'm doing this at work but the routers I'm using have a preemption delay which does...

acruhl

Have you seen this before? What is doing that? I didn't pick up on the D vs DC, good call. Still, it seems like a single machine trolling the subnet space for something... It's annoying if nothing else. If this was my network I would be looking at packet sniffer traces to see what is doing this and ...

acruhl

So the question remains, have you put in a static route to the 10.x.x.x network on all of the Ciscos? I think you'll get ICMP redirects on all packets destined for the non gateway addresses in the 192.168 network (the ISP cloud you have drawn) if you use a default route in the 192.168 network. I don...

acruhl

I'm now dumber after reading the article at that link. The terminology is ridiculous. It's written by someone who is not a network person. Disable the DHCP server in the MikroTik, then attach your links to the LAN ports (not port 1). Those are bridged so the MikroTik will behave as a switch. What ex...

acruhl

To the original post author: I don't have much to add except the things labeled "WiFi router" are a problem. If they really are "routers", then they have networks other than 10.0.0.0/20 under them and you would need to route to clients under those as well, which you haven't menti...

acruhl

Well, "back to basics": You can easily have 2 subnets inside the same layer 2 domain (or physical media, or VLAN, whatever you are calling a single layer 2 network). You just put the gateway addresses on the same interface, for example: /ip address add interface=ether2 address=192.168.1.1/...

acruhl

Possibly. I'm trying to think of a legit use of all zeroes as a MAC and I don't know of one. Hopefully someone knows. To me that looks like some kind of a DDoS attack on that subnet. I would sniff it. If a machine is sending out gratuitous arps with all zeroes for all addresses in the subnet, then y...

acruhl

Yeah, GRE, IPIP, EoIP, whatever works at that point. You can even use the built in ipsec options on the tunnels themselves to make this super easy. Since GRE behaves more like point to point links on a "real" router connection, it's more of a lesson in how routing is supposed to be in my o...

acruhl

Each MikroTik router has IPSec protocol, NAT-Traversal (4500/UDP) and IPSec IKE (500/UDP) traffic forwarded from its gateway (ISP Router) I think this is assuming that the "WAN" interface on the MIkroTik routers will always get the same IP address, or there is some other way on these rout...

acruhl

Subscriber IP - 216.00.14.38 sub - 255.255.255.252 They should be raped with a barbed wire for that subnet size. Those retards are the reason IPv4 is full. I am confused, it is only 2 available host addresses, would you mind to elaborate? At expense of four (one for network address and the other fo...

acruhl

Ok, other than access list 101, that's pretty straightforward on the Cisco. Quick detour. This is going to sound like me lecturing: You said "during testing everyone is down" and it's not acceptable. This is not a good business plan, what happens if the Cisco breaks? You should have schedu...

acruhl

I'm replying to myself now. Something must have been fixed between 6.41 and 6.41.2, but it's still not working exactly how I would expect. This could be my issue and not it's issue. The interface list generally works how I expect it to (for discovery and mac-server), which was not the case with 6.41...

acruhl

Sounds good. I hope I attached it. I anonymized this a bit using a hex editor, I hope I didn't mangle it. A quick look says I didn't. My PD isn't changing anymore (it used to change every few days) so I don't want it out in the open. My ipv6 firewall filter says nobody has found me yet, would like t...

acruhl

A quick look seems the DHCPv6 client on the MikroTik side is at fault. Let me show you my shocked face. What specifically are you looking at? I wiresharked my DHCPv6 request, but I'm finding it hard to match up what I see in the packet vs what you posted here from the RFC. I definitely see IA, I ju...

acruhl

What's even weirder on this is that I couldn't ping the Synology from any other device, but I could go to the synology.me/remote-id link and get on to it. Well, maybe not so weird because that is probably done by using an established outbound connection from your Synology to the Synology website. T...

acruhl

That's a pretty cool writeup about doing IPSEC between 2 natted MIkroTik routers. The only part that seems unreliable is this part: Each MikroTik router has IPSec protocol, NAT-Traversal (4500/UDP) and IPSec IKE (500/UDP) traffic forwarded from its gateway (ISP Router) I think this is assuming that ...

acruhl

Diagram it. Specifically, show how the MikroTik is connected to the Cisco (what port, and is it the "WAN" port on the MikroTik). We need to know if you're trying to do do NAT or not. If not, it's a simple matter of adding routes to both sides. If you are doing NAT, "it doesn't really ...

acruhl

I have an older Synology that works fine. It's attached to a switch under my MikroTik router. I'm reading what "invalid" means in the wiki and it has a strong association with out of order packets or incorrect sequence numbers with NAT. Are you using NAT to talk to it? Does it work from th...

acruhl

Sorry for the noise, I found the answer in the IPv4 section of the manual I think:

https://wiki.mikrotik.com/wiki/Manual:I ... ter#Chains

The input chain is for any packet which ends at any interface on the router itself. Seems counter intuitive to me but anyways.

acruhl

I was testing my IPv6 firewall rules a little while ago. I have rules allowing ICMPv6 for input and forward. I'm using PD to assign an address to the interface on my internal network (xxxx::1/64). Using my mobile phone, I decided to ping the address on my internal interface as well as a machine insi...

acruhl

I'm probably stating the obvious, and I have nothing really to add to sindy's response other than basics: TCP resets are layer 4 and should only be originated by the layer 4 endpoints. You really should rule that out before you blame the router. Sindy's explanation seems plausible (about NAT maybe n...

acruhl

There's not enough information here. You should do /export hide-sensitive from the cli. It appears that you might have multiple internet connections based on your interface naming, you should explain that. I doubt you're passing tagged packets to your ISP, so I'm not sure what you're saying about pa...

acruhl

Wow, that doesn't sound very good when I re-read it. Do the basics. Clean up the config completely. Make sure the upstream IP in the /30 can ping. Then try to ping your internal interface in the /24. If you have evidence that basic stuff is working or not working, you can use this to work with your ...

acruhl

Post your Cisco config. I'm sure someone can look at it and figure it out. You didn't mention any routing protocol peering, so probably your ISP is routing your public /24 to your target ip in the /30. If you remove all config from the router (completely), then put the proper /30 address on the upst...

acruhl

Apologies, I read it wrong. Ignore what I said. It was early...

acruhl

You have to use an interface list name in there now.

See /interface list

You can create your own list.

In my experience it wasn't working very well, but I thought there were some fixes around that in 6.41.2.

acruhl

https://wiki.mikrotik.com/wiki/Manual:I ... LAN#Q-in-Q

Does this not work?

acruhl

Hopefully I understand what you are asking... Set up the edge ports with tagged (vlan10) and untagged traffic. Then add those interfaces to the bond in the MikroTik. I can tell you that I only have experience doing LACP bonding in this type of situation, but from what I understand the other methods ...

acruhl

You are mostly correct. As of 6.40, there is no more master/slave config. But the concept is the same. eth4 cannot be bridged or a slave of any other interface, it becomes separate (a routing interface instead of a switch interface). You put an IP on that interface, say 192.168.100.1/24 from your ex...

acruhl

So this doesn't have anything to do with PoE unless I'm missing something. Have you tried playing with lease-time in /ip dhcp-server lease? I'm using the ISC DHCP server because that's what I had before I was using MikroTik. They have a "max-lease-time" option. It's also possible for a cli...

acruhl

Yeah, NAT will work as long as they know the address of the printer in the other network and whatever else they need to get to. Some modern devices assume everything is in the same L2 domain so they can discover each other so you might lose that. mdns, ssdp and such. There might be a way to make thi...

acruhl

You can. If you want to keep that traffic separate from the rest you would have to put in firewall rules on the hAP that you put the new network on. The rules would keep the 2 subnets from contacting each other. If you look at the default config of a MikroTik, you can see in /ip firewall nat the mas...

acruhl

I just tested this between my Mac laptop and my RB750Gr3 running 6.41.1. I had no problem connecting to the link local address on the MikroTik. I also see the link local address from the MikroTik when I ping ff02::1%en0 I have lots of stuff in the same L2 domain and lots of stuff is responding Somet...

acruhl

The RB750Gr3 will work fine for that. I'm doing the same thing between 2 houses. Use transport mode ipsec, then a GRE tunnel between the 2 sites. Add a /30 network to the GRE tunnel, then add that network to your OSPF networks. Plus whatever other networks you want to route locally. That's all there...

acruhl

I'm not 100% sure I follow your charts, but I see you want to use eth0 and eth0.10 on Linux with bonding, which is pretty much all anyone needs to know. Bonding and VLANs are separate topics and don't have much to do with each other. Once you set up your interfaces for tagged (eth0.10) and untagged ...

acruhl

I'm a command line guy, so here's another way to look at it (with my omission paranoia): [me@MikroTik] /ipv6 dhcp-client> print detail Flags: D - dynamic, X - disabled, I - invalid 0 interface=ether1 status=bound duid="0x(long hex string)” dhcp-server-v6=fe80::stuff:1 request=address,prefix add...

acruhl

I forgot to mention: This setup (ether2 setup above) will work if you're just "transporting" vlans across a link and the vlans won't be used to connect to clients on "access" ports. All you're doing on the wireless links is saying "allow this tag to traverse this link"....

acruhl

I think all links should work like the example: /interface vlan add interface=ether2 name=eth2-vlan200 vlan-id=200 add interface=ether2 name=eth2-vlan300 vlan-id=300 add interface=ether2 name=eth2-vlan400 vlan-id=400 In your case, replace ether2 with whatever interface (wired or wireless) you need t...

acruhl

You could set up routing of the private subnet between the VPN sites over a GRE tunnel possibly. If you're worried about the private address space "leaking" out of a different interface (and it's a legit worry see https://forum.mikrotik.com/viewtopic.php?f=2&t=129771&p=637561#p6375...

acruhl

I'll say this another way. There might be 2 possibilities: 1. Your ISP is statically routing the 2nd subnet down to you via the 1st. 2. Your ISP put the 2nd subnet inside the same L2 domain as your current WAN configuration. (or 3: They want you to peer with them with a routing protocol, but you pro...

acruhl

There is a point that often gets missed on this forum, so I'm going to explain it. This isn't directed to you, but if it works as a reminder, that's great :) As soon as you put IP addresses on bridge1 and bridge2 from my example above, those L2 domains can now talk to each other over L3 (IP). But th...

acruhl

You probably have your terminology wrong. "Untagged" just means the device is plugged into a regular access port (in Cisco language), but configured to be on a certain vlan. Probably all of your devices will be plugged into untagged access ports. If you need more clarification on a tagged ...

acruhl

I can't see your picture.

acruhl

So the config you have now doesn't match your description. If you still want separate L2 domains like you had before, you simply create a new bridge and then add ports to it. So from your description, your "old" setup equivalent would have 3 to 5 assigned to bridge1, and 6 to 10 to bridge2...

acruhl

Post your version and config. The device is telling you that the interface is a port in a bridge (check /interface bridge port) and it wants you to apply the config to the bridge instead of the slave interface probably. Makes sense when you think about it because a slave interface is bridged to othe...

acruhl

I'm not sure if this answers your question but I do transport mode ipsec between 2 IPv6 MikroTik routers without any issue. Then I just do GRE tunnels and route through those. I've also setup ipsec between Linux IPv6 hosts in the PD subnets without any issue as well. Haven't tried any other VPN meth...

acruhl

Have you tried using /ipv6 dhcp-client yet? set request=address just to see if it works. Probably it will since Windows worked and I think it's doing the same thing. Maybe the translation isn't so good, but in this case I think "native stateful" means DHCPv6 which MikroTik does. I'm not su...

acruhl

So have you opened bugs on this? Regular LLDP works from other name brand switches: me@EX2200-24P-4G> show lldp neighbors interface ge-0/0/15 LLDP Neighbor Information: Local Information: Index: 693 Time to live: 120 Time mark: Sat Feb 10 05:14:59 2018 Age: 16 secs Local Interface : ge-0/0/15.0 Pare...

acruhl

I don't see any reason why that wouldn't work. OSPF supports broadcast networks... I test with multiple OSPF routers in the same L2 domain.

acruhl

Heh, you're new.

"Fixed in v7" is a euphemism for "it will be a while", or less optimistic, "it will never happen".

acruhl

The fact that you can ping both PCs from inside the router but not from PC to PC is your first clue. Something in your config is doing this. Start with ping, don't worry that file sharing isn't working. If you can ping both PCs from inside the router, then they should be able to ping each other (thi...

acruhl

Ok. I got it. So back to your original question, how to keep PC1 and PC3 together, and PC2 and PC4 together. That's not so difficult if you just separate the VLANs and make 2 separate EoIP tunnels across the R2 and R4 routers. However, if you want them to "talk to the internet" as well, yo...

acruhl

You said "all clients can communicate to each other". This should not be the case based on your diagram. I just want you to explain how you can have the same subnet (10.10.10.0/24) talking from R2 to R4, and in vlan 10 and vlan 20 and those machines can talk to each other. That should not ...

acruhl

This just happened to me on a hAP lite RB941-2nD configured a similar way, but on 6.39.3. So problem appears to be older than 6.41.1. It is configured as a wireless client (station pseudobridge) with all Ethernet ports configured as a switch, a bridge with wlan1, with dhcp-client configured on the ...

acruhl

I don't really understand what you are trying to accomplish with this diagram. I'm guessing the "MikroTik router" is not acting as a router otherwise you wouldn't have 192.168.2.0/24 on both sides of it. As long as you don't mind double NAT, what I would do is plug the cable coming down fr...

acruhl

Ahh yes. I was thinking of simple queues. Thanks for the explanation.

acruhl

There's something missing either from your explanation or from the diagram. Are you saying that all clients can communicate with each other right now even though you have the same /24 on the same switch separated into 2 vlans? There must be more to that story. If you want PC1 to talk to PC3 but not ...

acruhl

Master port no longer exists as of 6.40. This was due to confusion between master port and bridge, they do the same thing but in different ways in the background.

The new way to do master port is to add interfaces to a bridge. See /interfaces bridge and /interfaces bridge port.

acruhl

I'm trying to understand how this works when we know that fast track will break queues. If I fast track all established and related connections, don't they immediately become not eligible for queuing?

This is interesting, there should be a wiki page on it if there isn't already...

acruhl

acruhl, was the mac address of the bridge originally set as administrative mac address? Or it was just dynamic before the upgrade? Sorry, I meant 6.41 to 6.41.1... I didn't statically set the MAC address. I just added the wired interface to the bridge is all. Looking at my notes on DHCP server conf...

acruhl

Minor issue that maybe not a lot of people will see: My bridge interface MAC address changed after upgrade from 6.40 to 6.40.1, or possibly due to the reboot. This is a wAP-ac. I set it up as a regular access point by adding the ethernet interface to the bridge, then setting dhcp-client to listen on...

acruhl

This is very basic routing, it will work if you have it configured correctly because it's just connected routes. Obviously you have something configured incorrectly which you aren't showing us. Start over with a clean config. Make sure the router interfaces you want to use are not bridged. Take them...

acruhl

Have you tried resetting it to factory defaults by holding the reset button, powering up, and releasing it about 5 seconds later?

acruhl

I stumbled upon this because I was wondering what the settings are in the "switch->port" area. For example, from the Wiki https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features : check - drop packets with vlan tag that is not present in vlan table. Packets with vlan tags that are prese...

acruhl

Diagram it. Someone asked if you get a public IP for your external router interface. If so, you would assign the /29 to the internal interface of the router and then to 3 servers below that. Then the ISP would be probably statically routing the /29 to your public IP. This is what we're trying to fig...

acruhl

Are you using anything other than arp=enabled on your ethernet interfaces? Sorry if I missed something...

acruhl

He said that Winbox showed an error when he try to connect by MAC. I didn't read it that way. Said he couldn't connect with Winbox even though he sees a MAC. Not that he specifically tried by MAC with Winbox. It's kinda funny how english is being changed by people who didn't learn english as their ...

acruhl

Umm.

You don't need to disable ping replies.

You can do it in the firewall if you really want to. But no real need.

acruhl

and so traffic for "existing" SIP connections exits my WAN interface with an obsolete source address and is presumably discarded immediately by my ISP. Sorry, off topic but I couldn't resist. I found a whole range of RFC1918 addresses my ISP (or some other ISP customer?) replies to, and i...

acruhl

mac-telnet from another MikroTik device or there is source code that will compile on Linux. You can recover anything as long as the interface is set up for mac-server on the non responsive device.

acruhl

I have an ER-X. The GUI is definitely more "whiz bangy" and you use the web gui (or cli of course), not something like Winbox. MikroTik seems to do a lot more for your money software wise, but hey, if it doesn't support something that this one does, get it. It's a nice little machine. It's...

acruhl

Even more obvious (because I'm also fairly new to concepts like EiRP): MikroTik isn't just giving you direct control over radio power, like a lot of other 3rd party firmwares do. To do this might violate regulatory controls. They don't want to do this. And you shouldn't do it. And since you're decre...

acruhl

Any one of those should work but the smaller one would not give you any room to grow. Also, other people have said that the MIPS CPUs don't scale well unless they have hardware acceleration for help. The other 2 are ARM.

CZ? Which CZ?

acruhl

Usually anything that is doing WiFi that is bridged to real ethernet ports (meaning almost any home "router") can work as a WiFi access point. The only warning is that you can "brick" it while changing the IP addressing if you're not careful. And you need IP addressing to be able...

acruhl

(Yes I know you can use /32s with routing and stuff works fine...) This is probably academic because I'm using private addressing, but anyway. I came across this regarding using /31 masks on point to point links: https://tools.ietf.org/html/rfc3021 The short story is, I used this between 2 physicall...

acruhl

If you're sure that the Windows side is configured "the same" as the MikroTik side (in theory, they don't use the exact same commands obviously), then you know it can work. If it sort of works, then this implies some issue that may or may not be the router's fault. Have you tried a packet ...

acruhl

And I reply to myself yet again. When you have the ping issue, get a quick packet sniffer trace from the upstream interface and look at it in Wireshark. It should be obvious if it's a layer 2 or layer 3 loop at that point. If it's layer 2, then the upgrade either made a wrong decision, or an incompa...

acruhl

Wait, I said something wrong, if 8.8.8.8 works at all then it's probably not a routing loop problem, at least for the source subnet you are pinging from. Could be a routing loop for another one though. It's not clear from the description, a diagram and some configs might be needed. Probably you shou...

acruhl

As you know, 6.41 has a different bridge implementation so it's possible that whatever assumptions the code is making about creating the bridge and ports is wrong. The fact that you're pinging and dropping packets seems like a layer 2 loop to me. Although when you said you enabled torch and things s...

acruhl

But I want to see in some lists that somebody tried to access to my mikrotik from outside. Is there any way? If "outside" means "internet", this gets tedious and fairly useless very quickly. You should try it though just to prove it to yourself. Add a log prefix for your port 22...

acruhl

I would be very surprised if there was a problem with the device. Another thing to try is if you have another MikroTik, connect it to that and do /tool mac-telnet <MAC> from the other one and see what happens. All this talk of disabling firewalls and other interfaces on Windows seems too complicated...

acruhl

What Sebastia said is the right method, although instead of /6x I would say /64 because you just said that you only want a /64 on the CRS. So hopefully I can explain this simply: 1. Your ISP hands you a global IPv6 address for the wan side of your hEX, and a /56 prefix through prefix delegation. 2. ...

acruhl

Short answer, get rid of all the natting and run a routing protocol, then you don't have to worry at all. It would all "just be connected".

I'm probably missing the reason why you're using so many nats though.

acruhl

Show us routing tables on both sides. I assume your routers do not know where are remote neworks, so they are sending traffic via default routes. +1 Start simple. You're assuming this might be ipsec but there's no proof that routing is working. Has it ever worked? What you showed us doesn't line up...

acruhl

I don't get what you're saying. Are you saying that once I get my global IPv6 IP and delegated prefix, I should stop listening for router advertisements and define these things statically? I'm already addressing my LAN dynamically from the /56 that is assigned to me. The problem is, the prefix keeps...

acruhl

Does anything similar exist? Even if there is just a repository of configs that accomplish certain tasks, that would "focus" the new discussion forum on stuff that is really different and requires review. Sort of like how open source software works now. Nobody has to keep reinventing and d...

acruhl

If the IPv6 setup is static, this is a simple matter of turning on OSPFv3 and advertising the route over to the CRS. If not, there are probably a few ways to do this including an elaborate set of scripts to re-advertise the address and re-do router advertisements. I don't know how I would accomplish...

acruhl

Yeah, sort of an "open source" router config discussion. Makes sense, probably 80% of what people are trying to accomplish on these boards are pretty much common knowledge. My own experience with these boards suggests that another angle should be taken as well. If you look at the videos in...

acruhl

Yeah. I am filtering it in the outbound direction on the WAN interface after I learned about this 10.98.0.2 thing. It's quite interesting to see what tries to get out. I've learned a lot from that. Such as: WhatsApp will try to connect to the RFC1918 address on the "other" side of your con...

acruhl

My ISP appears to be using a RFC 1918 address for the first hop router, as well as responding to pings to another RFC 1918 address. Why? Maybe they consider the space between me and them "not the internet"? For example: [me@MikroTik] > tool traceroute 8.8.4.4 # ADDRESS LOSS SENT LAST AVG B...

acruhl

How does routing work? Is it static from your ISP or are you peering with a routing protocol? You have to know that first. Assuming this network starting with 8 really is a public network, and it should be with that address. If not, use RFC 1918. Like the post above says, you can do pretty much anyt...

acruhl

Ok lets say you want to trunk port 2 and 3? It gets messy: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge Look at example #2 (toward the bottom) but it's doing untagged and tagged traffic. I say this a lot and maybe MikroTik isn't too happy with me but I find Cisco and Juniper switches much...

acruhl

Then create 4 bridges, one for each VLAN. Give the bridges the IP as the gateway. Then setup your NAT and Filter rules as needed. Add each VLAN interface as a port on each respective bridge.

Why use the bridge? Why not just put the IP on the vlan interface? Maybe I'm missing something.

acruhl

Some netboot experience from me: 1. Don't assume you know what the problem is, even if you see messages on the server end. Do a packet sniff and open it up in Wireshark to see if it looks like the the problem you think it is. It's hard to know exactly what the client is doing because there are usual...

acruhl

It's not useless. It's just not as secure as it could be. This is not solely a MikroTik problem, this has existed a while with other hardware.

Yes, there are methods to fix it. If you paid $10,000 for that router instead of $50, you'd have a legit gripe. Otherwise, wait.

acruhl

wow man...

5 MONTHS old.

I think the firmware update may have resolved this problem. I will keep an eye on the log to see if it persists.

Yeah I don't know how I got 5 years.

I don't know what a RB750Gv3 is so I assumed it was old. I have only been using these devices for about 3 years now.

acruhl

You really need to test with other cables.

If possible, you should test other ports as well.

5 years seems past a reasonable warranty period to me, especially when you can get a new one for far less than $100. The RB750Gr3 is pretty nice.

acruhl

My RB750Gr3 does not have those rules. I have not done a factory reset on it recently though. I know they change firewall rules over time and they arrive after factory reset.

acruhl

They probably are not default. I think MikroTik does not write comments in Spanish, but maybe they should. This could be a feature request. I read the wiki page about the ipsec rules and I'm not 100% sure I understand it. Probably I need the context of why they need these rules in order to understan...

acruhl

I have to agree that it's awesome to see an ISP give static assignments like this. The only thing possibly wrong with this is that if you have separate networks on your side (e.g. you have a separate guest network/ssid) then you'll need additional IPv6 space to do that. (each network needs its own ...

acruhl

1. With MikroTik with recent firmware, I would say generally yes. The default firewall seems reasonable. But it's your network so it's up to you. I had an Asus router that had a checkbox for "ipv6" and that's it. I did some testing and found that it blocked all inbound connections to the p...

acruhl

It's pretty cool that you get a static IPv6 setup like that. I have to rely on router advertisements from my ISP and they change my address and prefix every few days, which seems stupid to me but it's my reality. I agree with the above post. That should do it. Don't forget to look at your firewall! ...

acruhl

Almost correct. 192.168.0.0/30 leaves 2 bits to use, and 2 bits is 0 to 3. This means that 0 is the network number and 3 is the broadcast address. You only get to use 1 and 2 for interfaces. It's effectively a point to point network. Just to continue this discussion, 192.168.0.4/30 is the "next...

acruhl

Yeap. Probably you're going to be "bridging" the DSL "router" (which is a modem and router combination probably) so that you will set up the MikroTik as the router and likely pppoe-client. It's probably not a big deal. The only issue I came across when I did this was MikroTik did...

acruhl

+1. Draw it. Use a pen and paper and take a picture, this is fine.

Pretty sure if you put the route or routes that ZeroByte told you to do in the right place(s), this will "just work".

With a picture any one of us can tell you where to put them.

acruhl

Yeah, didn't mean to sound condescending but it probably happened. Sorry about that. I'm probably not going to explain this sufficiently, hopefully the documentation plus a few key points will get you there. You're mostly there anyway. When you set up a DHCP server, it sends a few key pieces of info...

acruhl

What 2frogs said is pretty much right on. Let me make this easier conceptually: 1. The metal52 is your router, the hap ac is just a bridge/access point. I'm not familiar enough with the quick set modes to tell you which ones to use, but others have above. 2. When you pull into some parking spot, you...

acruhl

This is probably not as difficult as you think, or as difficult as you are making it. First, the switch issue. I got a Cisco 2960 48 port 10/100 switch with 2 gigabit uplinks (that I'm using with LACP to the MikroTik router) for $45 shipped to my door. This is a fully managed Cisco switch that can d...

acruhl

Something like: /ip firewall filter add src-address=192.168.5.0/24 dst-address=172.16.0.0/24 action=drop chain=whichever You could also use in-interface= or out-interface= if you know which interface you'll be blocking traffic on. Probably you should create a test subnet that you're trying to block ...

acruhl

If you know the IP of the cloud update server, it would be easy. I found elsewhere on this forum that it might be cloud.mikrotik.com. I did a quick sniffer trace while I did /ip cloud force-update and I see one of the IPs for cloud.mikrotik.com in the trace. If you set a static route to that IP out ...

acruhl

It was said earlier, but I'd like to re-emphasize that low end "switches" have MAC tables that are easily overrun and they start acting like hubs in a hurry in enterprise situations. I have to deal with that all the time. Not to mention when people plug these in and cause L2 loops because ...

acruhl

Good call. I used to have a wifi extender and it did all kinds of wackiness. When I get over there I'll check it.

acruhl

Ok, I have a bit more information. I wiresharked this and I see a DHCP Discover frame sent from the BC:8C:CD:46:15:F4 MAC address, but in the DHCP options it's setting the "client" MAC address to CC:35:40:04:38:1B. Or the other MAC 08:95:2A:B8:EC:86 in another DHCP Discover frame. This see...

acruhl

I have a hAP-Lite with a dhcp-server problem. My problem is the same as this one, but none of the "solutions" in this thread have worked: https://forum.mikrotik.com/viewtopic.php?f=13&t=119702&hilit=dhcp+without+success I tried setting to the dhcp-server to authoritative, I tried d...

acruhl

Since I've been studying my WAN connection traffic behavior, I added rules to block any RFC 1918 trying to exit my WAN interface, and I'm logging them. During the time my wife was doing a video chat on Whats App, it repeatedly tried to access a 192.168.x.x address that is not part of my network, so ...

acruhl

Why doesn't "check gateway" work when setting a route with ip route? Are your WANs DHCP?

acruhl

I've been especially paranoid about traffic entering and exiting my WAN interface in the last few weeks. Don't know why. I've discovered some interesting stuff though. This question is about ethertype. I have a regular cable based ISP. For the heck of it, I let this sniffer run for a while: [me@Mikr...

acruhl

You can probably accomplish what you want to do a little bit easier if you chain the mAP-Lite with a hAP-Lite or hAP-Mini. Or regular mAP. Just be sure to change the default 192.168.88.0/24 net to something else on one of them. The 2nd device works great for mac-telnet in case you mess something up....

acruhl

Cool, thanks for that. I need to learn MikroTik scripting at some point. I've done a few but it's not sticking in my head. On my setup I would have to set: /ip ipsec peer set X address=$variable /ip ipsec policy set X dst-address=$variable sa-dst-address=$variable I have a dyndns account as well, bu...

acruhl

It's a good idea to bridge the modem and use the Mikrotik as the internet facing router. Makes ipsec easier. I'm just doing transport mode ipsec between 2 routers and then I use GRE tunnels to do routing between the sites. Works pretty good. I don't have a script set up to automatically set the publ...

acruhl

If you factory reset it with the reset button for 5 seconds at power on, you should be able to connect to 192.168.88.1 with telnet or ssh using user admin and no password.

acruhl

Hopefully your "old" D-Link device is not 100 megabit... You would need a gigabit device to get to 300 megabits.

My internet service is only 15 megabits down and 2 megabits up, I don't have such problems

acruhl

I have this feeling that these "all in one" cable modem devices, especially ones provided by ISPs, are shady. They will do stuff like this so they don't have to field calls about custom setups. My advice - buy a regular cable modem and try again. Also, you could try another brand of router...

acruhl

First, to try to understand what you're doing. Setting the cable modem to bridge mode and using your MIkroTik as a router seems straightforward to me. Most people should be doing this. Using your cable modem as a router and the MikroTik as a "bridge" is less clear. Are you really only usin...

acruhl

So a few things: Did you get the backup from the exact same device you were restoring it to? There was a time when MikroTik renamed interfaces. For example, at one time the external interface was called "ether1-gateway" and this was change to simply "ether1". If you're trying to ...

acruhl

Yeah, someone had to tell me this. What I found is some interfaces in the list will work, some will not unless I use "all" (which includes the WAN interface which I don't want). For whatever reason, my bonding1 interface doesn't do ip neighbor if I have it in the discover list. It only wor...

acruhl

Well, the most obvious answer would be the new bridge configuration did something that is not compatible with your setup.

Probably you should get support output and send it to MikroTik or post your config here so someone can look at it.

acruhl

Load balancing only happens in the outbound (Tx) direction. Your hash policy on the MikroTik is layer 2 and layer 3. What is it on the Cisco? I have a 2960 with gigabit uplinks ($45 shipped to my door!) set like this: #show etherchannel load-balance EtherChannel Load-Balancing Configuration: src-dst...

acruhl

I believe flow control only starts happening when the interface itself is running out of buffer space, or is otherwise about to degrade performance, so it might be unlikely that it would happen on a wireless link not running near capacity. It might be a good idea on speed mismatched links though. Ye...

acruhl

https://en.wikipedia.org/wiki/Ethernet_flow_control I don't have any WISP experience, but I would guess that this would be most relevant on backhauls. Note that as far as I know, this function only comes into play when one "side" determines that performance degradation is imminent, and fl...

acruhl

I'm doing some more testing meanwhile. CRS109-8G with cisco 2960g switch and 6.39.2 works with balance-rr and there are no errors. I'm setting the cisco with etherchannel though..i'll try more tinkering with the other switch( hp 2410-24g) hello, how did you fix it? we are having the same problem to...

acruhl

The topology doesn't make sense. You have a switch attached directly to a modem, and a VPCS (don't know what that is) attached directly to the switch. And a "MikroTik" (with no further description) attached to the switch as well. Is the modem a modem or a router and a modem? Don't guess ab...

acruhl

Ok. I'm still trying to understand what "dynamic" means though.

Does that mean I have an interface list called dynamic?

Maybe I'm missing something.

acruhl

Seems like when you enable neighbor discovery it also sends out CDP to layer 2 and MNDP to 255.255.255.255 on the public interface, neither of which are desirable as well.

acruhl

Not sure. I think not. Here is a standard router (I think): [me@MikroTik] > /tool mac-server print allowed-interface-list: none [me@MikroTik] > /tool mac-server set allowed-interface-list= AllowedInterfaceList ::= all | none | dynamic | discover | mac-winbox all -- contains all interfaces dynamic --...

acruhl

This is after the fact advice, but it may apply: 1. From the "inside" interfaces: set up /tool mac-server, then use /tool mac-telnet from another MikroTik to connect to it. I have multiple MikroTik routers set up to help recover using mac-telnet. You can find mac-telnet code online that mi...

acruhl

I'm trying to understand the new-ish /ip neighbor discovery-settings options. They are not documented here: https://wiki.mikrotik.com/wiki/Manual:IP/Neighbor_discovery My options are: [me@MikroTik] /ip neighbor discovery-settings> set discover-interface-list= DiscoverInterfaceList ::= [!]DiscoverInt...

acruhl

You should hire a network engineer, or better yet a Mikrotik certified engineer to help you with this. This isn't something that is easy to work out in a forum.

acruhl

Not enough information.

What device are you trying to ping from and what device are you pinging. Where are they attached?

It looks like you have a trunk port on the router and the addresses are probably configured directly, so it seems like a vlan setup issue downstream from the router to me.

acruhl

Well, one of the ISPs appears to have reversed themselves. Maybe they got enough complaints from people doing "IoT" that blocking all incoming connections is BS.

The other one I still can't connect to. Trying to make sure it's not the router's fault...

acruhl

I haven't checked my IPsec peers for a few days and I have no automatic notification if they go down, so I can't be 100% sure this just happened. However: I can no longer ping or connect to my IPSEC peers across the internet. I've tried from other devices that are not IPSEC peers and they can't conn...

acruhl

This is a bit off topic, but it's worth saying for someone searching. If you're not sure, just buy a hAP-lite or a mAP-mini or something and play with it. They are super cheap. It's a great way to figure out how to use RouterOS for testing purposes. This is what convinced me that I wanted to use Rou...

acruhl

That sounds to me like someone got a hold of it and reset it manually, which is possible for anyone with physical access and the ability to Google.

Can you use mac-telnet to get into it by chance?

I don't know what "MI" is or where you are seeing it.

acruhl

The way I read this, this is just a simple case of routing to connected routes.

Do /ip route print

The router will automatically route packets between directly connected subnets. If you don't want this to be the case you have to firewall it or use a VRF.

Search found 368 matches