Community discussions

Search found 270 matches

by skuykend
Mon Apr 02, 2018 5:27 am
Forum: General
Topic: DST-NAT over two Gateways
Replies: 14
Views: 2187

Re: DST-NAT over two Gateways

You can definitely use dstnat from two WANs... you just have to make sure you mangle/mark new incoming connections and use a marked routing table that will have a default route to the correct WAN. If you use fasttrack you will want to make sure you don't fasttrack the mangled connections.
by skuykend
Tue Mar 20, 2018 9:50 pm
Forum: RouterBOARD hardware
Topic: CRS112 drops HW offloading when bridge is VLAN IVL enabled
Replies: 2
Views: 710

Re: CRS112 drops HW offloading when bridge is VLAN IVL enabled

Yes, for that switch chip, vlan filtering must be disabled on the bridge and done from the switch menu instead. You will then get HW offloading with vlans.
by skuykend
Sun Mar 18, 2018 10:46 pm
Forum: Beginner Basics
Topic: Cant get vlans to work [SOLVED]
Replies: 7
Views: 4239

Re: Cant get vlans to work

You're going to want only the one bridge, don't add a second. The vlan20 interface should use the main bridge.

Then use the switch menu to set up which ports are tagged and untagged and what vlans are allowed.

https://wiki.mikrotik.com/wiki/Manual:S ... p_Features
by skuykend
Sat Mar 17, 2018 8:04 am
Forum: General
Topic: firewall - mangle - how to mark only internet traffic
Replies: 3
Views: 443

Re: firewall - mangle - how to mark only internet traffic

Yes, commonly used to route traffic back through the correct interface in a dual wan setup. Mark new incoming connections, then mark outgoing packets based on that.
by skuykend
Sat Mar 17, 2018 4:26 am
Forum: General
Topic: vlan-filtering=no is NOT the same as pre-6.41
Replies: 4
Views: 612

Re: vlan-filtering=no is NOT the same as pre-6.41

Sounds like it may be an issue with changes in STP in the new bridge implementation, what settings are you using on the MikroTik and Dells for STP?
by skuykend
Sun Mar 11, 2018 6:55 am
Forum: SwOS
Topic: VLAN table being ignored?
Replies: 3
Views: 686

Re: VLAN table being ignored?

I'm not familiar with SwOS, but from what you're describing, it sounds like if you set the default VLAN-ID for a port, it automatically gets added to allowed vlans whether selected or not.
by skuykend
Fri Mar 09, 2018 9:56 pm
Forum: General
Topic: CRS 317-1G-16S+ RouterOS or SwOS?
Replies: 3
Views: 721

Re: CRS 317-1G-16S+ RouterOS or SwOS?

Check the 6.42RC thread: viewtopic.php?f=21&p=647092#p647092

and CRS3xx vlans and bonding: https://wiki.mikrotik.com/wiki/Manual:C ... ds#Bonding

Remove the bonded slave ports from the bridge, then add the bonded interface back to the bridge.
by skuykend
Fri Mar 09, 2018 8:15 pm
Forum: General
Topic: CRS 317-1G-16S+ RouterOS or SwOS?
Replies: 3
Views: 721

Re: CRS 317-1G-16S+ RouterOS or SwOS?

As long as you use a single bridge on the ports, hardware acceleration (hardware switching) will work 6.41+. LACP though is just getting added in the latest 6.42rc's, but is already in SwOS.
by skuykend
Thu Mar 08, 2018 7:39 pm
Forum: General
Topic: Problems with Vlans. [SOLVED]
Replies: 34
Views: 2709

Re: Problems with Vlans. [SOLVED]

Mikrotik config seems fine to me. Not too familiar with cisco, but don't you need to set up what vlans are allowed on what ports (specifically 0/0 AND 0/1), other than just the switchport access vlan?
by skuykend
Thu Mar 08, 2018 4:59 am
Forum: Beginner Basics
Topic: Best way to set up WLAN w/3 Virtual APs on different subnets each with net access but not communicating +/ DNS+NTP? [SOLVED]
Replies: 2
Views: 555

Re: Best way to set up WLAN w/3 Virtual APs on different subnets each with net access but not communicating +/ DNS+NTP? [SOLVED]

You can either set up separate bridges for each subnet, or use vlans on the main bridge, each with its own internal subnet/router ip and dhcp server config. It will depend on if you still want switch functionality, trunk ports, etc on which will be best with your situation. You may also need ip fi...
by skuykend
Wed Mar 07, 2018 8:20 pm
Forum: Beginner Basics
Topic: NAS
Replies: 12
Views: 1820

Re: NAS

Very useful for mail servers, etc when used from a phone that goes back and forth from inside to outside of LAN.
by skuykend
Mon Mar 05, 2018 8:22 pm
Forum: Beginner Basics
Topic: No internet router Mikrotik
Replies: 13
Views: 3534

Re: No internet router Mikrotik

Make sure the router also can resolve dns.
For manual download you want Tile for CCR. Either bugfix or current. Main package, unless you've already added extra packages.
by skuykend
Sun Mar 04, 2018 5:19 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 95871

Re: v6.42rc [release candidate] is released!

The documentation says add both.
It's showing ether3 and ether4 also in the bridge as non-bonded ports as an example, but the bonded interface consisting of ether1 and ether2 is added to the bridge just as bond1.
by skuykend
Fri Mar 02, 2018 8:22 pm
Forum: Beginner Basics
Topic: Creating VLAN on CRS326
Replies: 12
Views: 1879

Re: Creating VLAN on CRS326

Sounds like you just need to set up ip firewall rules to limit talking between the two subnets.
by skuykend
Fri Feb 23, 2018 8:32 pm
Forum: General
Topic: Help with gateway
Replies: 13
Views: 811

Re: Help with gateway

Make sure you disable your fasttrack rule, fasttrack doesn't behave well with marked packets.
by skuykend
Fri Feb 23, 2018 3:29 pm
Forum: RouterBOARD hardware
Topic: CRS317 Product information discrepency [SOLVED]
Replies: 5
Views: 750

Re: CRS317 Product information discrepency [SOLVED]

The connection from switch chip to CPU of CRS317 is not 1Gb/s, it is an internally connected bus and the speed is not documented.
We will fix the diagram.

https://i.mt.lv/routerboard/files/CRS31 ... 102556.png
Thank you Normis!
by skuykend
Fri Feb 23, 2018 3:04 am
Forum: RouterBOARD hardware
Topic: CRS317 Product information discrepency [SOLVED]
Replies: 5
Views: 750

Re: CRS317 Product information discrepency [SOLVED]

It can switch 3000 Mbps (1500 up and 1500 down). It can't route this much. While switching, all the hard work is done inside the switch chip - it never reaches the CPU. Well it can switch a lot more than that between all ports, 158,906Mbps. I'm strictly talking about cpu bridging/routing, which the ...
by skuykend
Fri Feb 23, 2018 2:21 am
Forum: RouterBOARD hardware
Topic: CRS317 Product information discrepency [SOLVED]
Replies: 5
Views: 750

CRS317 Product information discrepency [SOLVED]

Although not mainly a router, the CRS317 test results show that it is able to route and bridge at over 3000Mbps, but the block diagram shows only a 1Gbps connection to the cpu. Is there some other magic that is going on, or is the connection to the CPU actually 10Gbps? Has anyone checked actual rout...
by skuykend
Thu Feb 22, 2018 8:46 pm
Forum: Beginner Basics
Topic: having trouble this early bad sign
Replies: 3
Views: 408

Re: having trouble this early bad sign

Maybe using NAT on router 2 or PC is Windows and not part of a domain. Default Windows firewall will block ping responses to other subnets.
by skuykend
Thu Feb 22, 2018 2:58 am
Forum: General
Topic: IPTV Problem
Replies: 4
Views: 1693

Re: IPTV Problem

Quite the config.

I kind of doubt it will help much, but I noticed your lan ip is configured on Ether2 instead of the Bridge. This can sometimes cause issues, but I don't know if it would slow down things too much to interfere with HD vs SD throughput. Should be worth the try though.
by skuykend
Tue Feb 20, 2018 7:57 pm
Forum: Beginner Basics
Topic: Mikrotik hotspot is not accepting anymore users after 10-12 users has connected.
Replies: 8
Views: 1006

Re: Mikrotik hotspot is not accepting anymore users after 10-12 users has connected.

Level 3 license is limited to 10 'active' userman sessions. Level 4 is still only 20.
by skuykend
Fri Feb 16, 2018 3:09 am
Forum: General
Topic: VLAN priority
Replies: 20
Views: 4619

Re: VLAN priority

Once you enter VLANs into the new bridge the hardware-access is turned off except in CRS3xx switches. See this: https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading This is really a big pity, because before this new bridge was introduced the natural way was to confi...
by skuykend
Tue Feb 13, 2018 6:49 pm
Forum: General
Topic: VLAN priority
Replies: 20
Views: 4619

Re: VLAN priority

Would probably be best to make Ether1 part of the switch group with all other ports (default the untagged internet to something like vlan 40 and make that your new WAN interface) and let the switch do the work of passing the multicast at wire speed. Then the router just has to work on the routing fo...
by skuykend
Mon Feb 12, 2018 10:05 pm
Forum: General
Topic: VLAN routing in CRS317 [SOLVED]
Replies: 4
Views: 512

Re: VLAN routing in CRS317 [SOLVED]

Ahh, in addition to what I put earlier, you'll also need to add the bridge1 as a tagged member of vlan 2001 so it can talk to the cpu.
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus8,bridge1 untagged=sfp-sfpplus15 vlan-ids=2001
by skuykend
Mon Feb 12, 2018 7:14 pm
Forum: General
Topic: VLAN routing in CRS317 [SOLVED]
Replies: 4
Views: 512

Re: VLAN routing in CRS317 [SOLVED]

First thing I see is your parent interface for your vlans under /interface vlans should be the bridge1 not sfp-sfpplus8.
by skuykend
Mon Feb 12, 2018 3:48 am
Forum: Announcements
Topic: v6.41.2 [current]
Replies: 125
Views: 28374

Re: v6.41.2 [current]

Upgraded all devices from 6.41.1 to 6.41.2. Went well, but then after some time my CRS317 lost management DHCP client lease from my CCR1009 (log message via serial on 317 indicates lost lease). Using trunked VLANS. Haven't noticed any other devices losing connectivity yet. edit: Other traffic was st...
by skuykend
Sat Jan 06, 2018 2:07 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 76613

Re: v6.41 [current]

Just in the process of downgrading back to 6.40.5.... On the RB2011 it doesn't appear possible to create a working bridge (hw offload) config as efficient as the previous software revision, where we could use switch hardware offload on both the 1000M ports and 100M ports - then bridge those switche...
by skuykend
Thu Jan 04, 2018 11:34 pm
Forum: Beginner Basics
Topic: CRS125, ROS 6.41, VLANs
Replies: 13
Views: 2299

Re: CRS125, ROS 6.41, VLANs

Is there a reason you're using two bridges? That's not generally recommended on the CRS1XX as it breaks some functionality. Are both showing as actively HW offloading when not using bridge VLAN filtering option? It would be best to only use one bridge (no VLAN filtering) with all ports in one switc...
by skuykend
Thu Jan 04, 2018 12:36 am
Forum: Beginner Basics
Topic: RB3011: Switch-flag "Switch all ports" forget status
Replies: 2
Views: 329

Re: RB3011: Switch-flag "Switch all ports" forget status

That option doesn't apply to the 3011. Only to the RB850 and some similar. Use master ports (pre-6.41) or a bridge (6.41+) to set up switch groups.
by skuykend
Fri Dec 29, 2017 11:52 pm
Forum: General
Topic: vlan issue RouterOS 6.41
Replies: 5
Views: 955

Re: vlan issue RouterOS 6.41

I'm thinking there's still an issue with STP/RSTP compatibility with different switch chips and/or vendors. If you turn it off on both bridges do the messages go away?
by skuykend
Fri Dec 29, 2017 4:54 am
Forum: General
Topic: vlan issue RouterOS 6.41
Replies: 5
Views: 955

Re: vlan issue RouterOS 6.41

What hardware are you running on? I don't see any bridge/vlan or switch/vlan settings.
by skuykend
Fri Dec 29, 2017 1:32 am
Forum: General
Topic: 6.41 and VLANs - what is the proper an most performant way to do that now?
Replies: 1
Views: 2664

Re: 6.41 and VLANs - what is the proper an most performant way to do that now?

This is what's been working for me. For most switch chips except the newer CRS3XX series, you want to be closer to config 2. Put all ports from the switch(s) directly under a single bridge. Do NOT use the vlan section under bridges and leave VLAN filtering unchecked in the bridge options. Add all ne...
by skuykend
Wed Dec 27, 2017 12:01 am
Forum: Wireless Networking
Topic: wAP AC 5GHz problem
Replies: 4
Views: 546

Re: wAP AC 5GHz problem

23V is easily within acceptable voltage range, but are you getting enough amps when fully loaded? Are you using ultra thin CAT wire from your power injector and/or extra long? Try replacing with another thicker CAT cable. You can also watch the voltage when highly loaded with two chains and see if i...
by skuykend
Mon Dec 25, 2017 7:40 am
Forum: Wireless Networking
Topic: Netmetal 5 2x2 vs 3x3
Replies: 2
Views: 388

Re: Netmetal 5 2x2 vs 3x3

From my understanding (not perfect) for longer point to point links single or dual is fine. If you're connecting multiple clients or short range clients that have/support multiple antennas/chains the more chains gives more speed/throughput.
by skuykend
Mon Dec 25, 2017 4:30 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 76613

Re: v6.41 [current]

update on my CCR1009-1s-1s+ (older Modell) worked, but i see no bridge. Is this correct?
If you didn't have any of the switch ports set to a Master-port, then this is normal.
by skuykend
Sat Dec 23, 2017 9:09 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 76613

Re: v6.41 [current]

How the conversion works when there are two switches in the device and both are in the common bridge? What if there are multiple switch groups within one switch differently bridged with other interfaces? My RB2011 (I'm using as a switch at the moment) with two switch chips seems to convert and work...
by skuykend
Sat Dec 23, 2017 8:42 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 76613

Re: v6.41 [current]

By upgrading from 6.40.5, will it automatically and intelligently add the correct rules to switch all the switch-related configurations to bridge ones? From what I'm seeing, for most older hardware switch vlan configurations the switch menu and settings are still used. Just the Master-Port changes ...
by skuykend
Sat Dec 23, 2017 3:57 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 76613

Re: v6.41 [current]

Upgraded CRS317 to 6.41 from rc61. Seemed to be no problems with its upgrade. I also have a few RB's and CRS as switches connected to it which I left at 6.40.5. A little while later my CRS226 @ 6.40.5 stopped responding properly which hasn't happened in years. Traffic wasn't being passed properly an...
by skuykend
Fri Dec 22, 2017 3:45 am
Forum: Beginner Basics
Topic: NAT doesn't work when IP ranges are specified
Replies: 16
Views: 1012

Re: NAT doesn't work when IP ranges are specified

One option may be to put in both addresses as separate rules, and then use "nth=2,1" on the first one of the series.

At most it would take two attempts to connect to the 'up' server.
by skuykend
Fri Dec 22, 2017 1:16 am
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 122362

Re: v6.41rc [release candidate] is released! New bridge implementation!

Looks like demo Routerboards find final version 6.41... Is the release being prepared right now?
And no mention of the bridge update!
by skuykend
Fri Dec 22, 2017 1:10 am
Forum: General
Topic: Switch Configuration Help Required.
Replies: 6
Views: 675

Re: Switch Configuration Help Required.

First thing, the 951U is fast Ethernet only, your trunk is always going to be limited to 100mbps.
by skuykend
Fri Dec 22, 2017 1:05 am
Forum: General
Topic: Bridge is like a hub, floods all ports.
Replies: 12
Views: 1176

Re: Bridge is like a hub, floods all ports.

Not normal unless you have something broadcasting. More likely a loop somewhere in L2 land. Look at the logs, Export your configs, especially any switch configs on both routers and post.
by skuykend
Thu Dec 14, 2017 2:27 am
Forum: Beginner Basics
Topic: wAP AC in CAP mode: no ping to 8.8.8.8
Replies: 2
Views: 502

Re: wAP AC in CAP mode: no ping to 8.8.8.8

I don't see a default route and your ip address on vlan needs a /24.
by skuykend
Fri Dec 01, 2017 11:11 am
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 122362

Re: v6.41rc [release candidate] is released! New bridge implementation!

In their shoes I would concurrently release a new 6.40.x in bugfix and stable, forcing all system to switch to bugfix channel as update default (6.40.x should then live in bugfix for long time). For admins ready to 6.41 it would be simple enough as manually switch to current again; in this way all ...
by skuykend
Fri Dec 01, 2017 10:41 am
Forum: Beginner Basics
Topic: Is my interface done correctly [SOLVED]
Replies: 6
Views: 651

Re: Is my interface done correctly [SOLVED]

What version of ROS are you using? Are all ports set as master to Ether1? Ether2 shows as slave so I think you are using the RC version with the new switch/bridge implementation or else using as a switch. Give us more information.
by skuykend
Fri Nov 10, 2017 9:35 am
Forum: RouterBOARD hardware
Topic: Power brick for CRS125 Cloud Switch
Replies: 1
Views: 306

Re: Power brick for CRS125 Cloud Switch

Original is a 24V 0.8A, center post positive. Are you needing the jack dimensions? Otherwise anything within the voltage you listed and above the wattage would be sufficient. (@12V you should get double specified amps @1.6A or higher).
by skuykend
Sat Nov 04, 2017 4:04 am
Forum: RouterBOARD hardware
Topic: What mikrotik to buy?
Replies: 2
Views: 582

Re: What mikrotik to buy?

What features are you using on your old 1100? Bypass features? Encryption? Etc?

Are you just upgrading because of age or are you encountering any performance issues?

I would think the new 1100's would be more in line with your old 1100, but hard to determine your needs.
by skuykend
Fri Nov 03, 2017 10:44 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 122362

Re: v6.41rc [release candidate] is released! New bridge implementation!

They've done that already. Done what? In released version? With no roll back? Hey, you must be kidding me! :) They had some of the new bridge code in 6.40rc and reverted it for the final 6.40, then put it back in for 6.41rc. At this point a lot of their new devices are starting to rely on it though...
by skuykend
Sun Oct 29, 2017 7:17 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 122362

Re: v6.41rc [release candidate] is released! New bridge implementation!

No ports/wlan working with default config for RB951G on rc47. Pretty sure was working on rc44. Will have to Netinstall.
by skuykend
Sat Oct 28, 2017 7:14 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 122362

Re: v6.41rc [release candidate] is released! New bridge implementation!

CRS317 running 6.41rc47 for about 5 days then fault led came on, and other LED's stopped responding (seemed left at their previous state). I also lost access to my management vlan/IP, but the switch seemed to be otherwise still working passing traffic. Just no access to the CPU. I didn't think t...
by skuykend
Sat Oct 28, 2017 7:02 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 122362

Re: v6.41rc [release candidate] is released! New bridge implementation!

The support promised the next rc release will have a fix for my crash. That was one and a half week ago...
Will we have a release any time soon?
Hopefully a new RC early next week, but they pretty much shut down development during a MUM, which started Thursday.
by skuykend
Thu Sep 28, 2017 10:49 am
Forum: RouterBOARD hardware
Topic: CRS317-1G-16S+RM
Replies: 4
Views: 1441

Re: CRS317-1G-16S+RM

Seems confusing to me as well. Add on top of that that it's dual boot and has a version of SwOS in that 16MB as well! Must be some non disclosure reason? or else I'll just keep replaying the Gods Must be Crazy 1 2 and 3! But then again a 16 port SFP+ switch with RJ45 10GBe $85 adapters coming soon, ...
by skuykend
Wed Sep 27, 2017 3:54 am
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 122362

Re: v6.41rc [release candidate] is released! New bridge implementation!

I just put 6.41rc32 onto an RB2011UAS-2HnD and have a question. I had a similar issue with a 951G. First boot with upgrade, was still able to connect from port 5. Rebooted one more time and lost connection until I switched to port 2. Maybe the initial config needs one more reboot or switch reset to...
by skuykend
Thu Sep 21, 2017 2:37 am
Forum: RouterBOARD hardware
Topic: CRS317-1G-16S+RM - VLans not configurable [SOLVED]
Replies: 16
Views: 5111

Re: CRS317-1G-16S+RM - VLans not configurable [SOLVED]

Looks like with 6.41+ VLAN switch configuration is going to now be in the Bridges section and not the Switch menu to make RoS VLANS RSTP compatible.

https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
by skuykend
Thu Sep 21, 2017 2:32 am
Forum: Beginner Basics
Topic: Access to my LAN from external network.
Replies: 18
Views: 1984

Re: Access to my LAN from external network.

Doesn't look like you have your firewall blocking any forwarding which is unsecure, but wouldn't cause any problems with doing this. The TP-LINK though would block any incoming connections with the SPI. Might be able to use the Access Control section to allow your network in, but I have no experienc...
by skuykend
Tue Sep 19, 2017 10:44 pm
Forum: Beginner Basics
Topic: Access to my LAN from external network.
Replies: 18
Views: 1984

Re: Access to my LAN from external network.

Do an '/ip firewall filter print'. Most firewalls default to blocking all incoming connections that aren't initiated from inside your network. AND all this needs to be checked and replicated (with the opposite IP's and gateways) on the neighbor's router. I don't read Russian, but sounds like he has a T...
by skuykend
Tue Sep 19, 2017 3:02 pm
Forum: Beginner Basics
Topic: Access to my LAN from external network.
Replies: 18
Views: 1984

Re: Access to my LAN from external network.

As far as I see, you've never stated the neighbor's internal IP subnet. It must be different than yours. To exclude from src-natting you could insert a src-nat rule above the other src-nats with an 'accept' statement and filtered for the neighbor's subnet. If your neighbor had 10.2.0.0/24 for instance...
by skuykend
Mon Sep 18, 2017 12:01 am
Forum: RouterBOARD hardware
Topic: CRS317-1G-16S+RM - VLans not configurable [SOLVED]
Replies: 16
Views: 5111

Re: CRS317-1G-16S+RM - VLans not configurable [SOLVED]

Hmmm, have one on pre-order here in the US and was looking forward to it.

Have either of you tried SwOS or do you need the L3 capabilities? From what I've read only SwOS supports hardware LACP at the moment, I don't know about other features.
by skuykend
Sun Sep 17, 2017 11:21 pm
Forum: Beginner Basics
Topic: Access to my LAN from external network.
Replies: 18
Views: 1984

Re: Access to my LAN from external network.

Are you src-nating? Or does the ISP do that for you? If you're on the same subnet and have a src-nat, you may need to exclude his subnet in your dst-address, as well as having your static routes on both routers. Otherwise you may just need to put an accept of the neighbor's subnet into your filter...
by skuykend
Sat Apr 22, 2017 3:59 am
Forum: General
Topic: Feature requests
Replies: 1159
Views: 204121

Re: Feature requests

During an Export of /Interface/Ethernet/Switch/Ports it would be nice to have it use a [ find default-name=xxxxx ] like the /interface ethernet export instead of just the set#.
by skuykend
Fri Apr 21, 2017 6:26 pm
Forum: Beginner Basics
Topic: VLAN tagging (trunk allowed vlan)
Replies: 10
Views: 9196

Re: VLAN tagging (trunk allowed vlan)

MikroTik has recently changed how they do RSTP to be more standards compliant and doesn't seem to work correctly yet on the small switch chips. I would leave it disabled. That shouldn't hurt performance unless something else is wrong or you have a loop. Make sure the VLAN 9 interface for the managem...
by skuykend
Fri Apr 21, 2017 11:06 am
Forum: Beginner Basics
Topic: VLAN tagging (trunk allowed vlan)
Replies: 10
Views: 9196

Re: VLAN tagging (trunk allowed vlan)

I don't actually have a RB3011, but a RB2011 which is close. You haven't mentioned how you're connecting to the RB3011 for management (which VLAN? or console?) so this will be a little incomplete and you may lose access if not careful. Any management IP should be set on a vlan interface added under th...
by skuykend
Thu Apr 20, 2017 11:03 pm
Forum: Beginner Basics
Topic: [SOLVED]How to setup VLAN at CRS125-24G-1S (QCA-8513L chip)?
Replies: 2
Views: 910

Re: How to setup VLAN at CRS125-24G-1S (QCA-8513L chip)?

MikroTik uses two different switching 'methods'.

The link you referred to is for the basic 5-6 port switch chips.

For the CRS which has many more switching features, you need to look at:
https://wiki.mikrotik.com/wiki/Manual:CRS_features
and
https://wiki.mikrotik.com/wiki/Manual:CRS_examples
by skuykend
Thu Apr 20, 2017 10:40 pm
Forum: Beginner Basics
Topic: VLAN tagging (trunk allowed vlan)
Replies: 10
Views: 9196

Re: VLAN tagging (trunk allowed vlan)

With the RB3011, what you have is basically two separate managed switches hooked up to a two port router. You'll still need some bridge(s), but not every port individually, just the master-port, (or vlans off the master-port) of each switch group. Without knowing your WAN/LAN setup I can't really gi...
by skuykend
Thu Apr 20, 2017 11:21 am
Forum: Beginner Basics
Topic: VLAN tagging (trunk allowed vlan)
Replies: 10
Views: 9196

Re: VLAN tagging (trunk allowed vlan)

Part of the switch setup.
https://wiki.mikrotik.com/wiki/Manual:S ... p_Features

You'll have to set up the VLAN table and then set the switch port vlan mode to something other than 'disabled'.
by skuykend
Sun Apr 16, 2017 9:54 am
Forum: Forwarding Protocols
Topic: Port Forwarding - LAN
Replies: 1
Views: 469

Re: Port Forwarding - LAN

I'm guessing your problem is that the server sees the traffic, but that the Server and/or OpenWrt router is trying to send the responses out its WAN instead of routing back to the MikroTik. You may need to use a src-nat masquerade so the Server thinks it's coming from the Mikrotik router (not the gr...
by skuykend
Sun Apr 16, 2017 4:21 am
Forum: General
Topic: RB1100 - Merge switch2 and switch1 using VLANs
Replies: 5
Views: 1153

Re: RB1100 - Merge switch2 and switch1 using VLANs

You need to add the vlan interface on the 'Master Port' of each switch group and bridge them. You may also need to set up the switch cpu-port to allow vlan 10. This would use fastpath for any communication between switch groups and be limited to 1Gps, so try and group the ones that talk to each othe...
by skuykend
Sat Apr 15, 2017 8:58 am
Forum: Beginner Basics
Topic: 951G-2HnD config
Replies: 7
Views: 855

Re: 951G-2HnD config

Got to admit I don't use quickset, nor WebFig much. The 'Mode' column and setting when you click on Wireless, should be 'ap bridge'.
by skuykend
Fri Apr 14, 2017 10:17 pm
Forum: Beginner Basics
Topic: Ping Problems
Replies: 5
Views: 1668

Re: Ping Problems

If I understand correctly, you're using the Ping tool from the router, out the LAN Bridge (which has no default gateway) to try and ping yahoo, google and such? That's not going to go anywhere, just the L2 segment of your LAN and WLAN and none of the devices on them are going to respond to a ping of...
by skuykend
Fri Apr 14, 2017 10:12 am
Forum: Beginner Basics
Topic: 951G-2HnD config
Replies: 7
Views: 855

Re: 951G-2HnD config

Mode should be "AP Bridge".
by skuykend
Fri Apr 14, 2017 2:57 am
Forum: Beginner Basics
Topic: Ping Problems
Replies: 5
Views: 1668

Re: Ping Problems

add address=192.168.20.2/24 interface=ether2 network=192.168.20.0 This is wrong in two different ways. You shouldn't have an IP assigned to an interface that is part of a bridge, just assign it to the Bridge "LAN" like you do before it. Also, don't have two IP's for the same subnet on different int...
by skuykend
Fri Apr 14, 2017 12:58 am
Forum: Beginner Basics
Topic: Cannot ping to Mikrotik from LAN
Replies: 4
Views: 4302

Re: Cannot ping to Mikrotik from LAN

Your top mangle marks all incoming packets from your local subnet to ToWan2 even if it's going to the router. Once it's marked and looks at the routing table ToWan2 it only sees a default route. It does not see the main routing table with your local subnets. So it sends the ping out to 88.146.96.1 Ei...
by skuykend
Thu Apr 13, 2017 12:24 am
Forum: Beginner Basics
Topic: Cannot ping to Mikrotik from LAN
Replies: 4
Views: 4302

Re: Cannot ping to Mikrotik from LAN

Take a look at your mangle rules. You may be marking the packets with a route-mark too often and therefore using a routing table without the 192.168.100 subnet.
by skuykend
Sat Apr 08, 2017 11:49 pm
Forum: Beginner Basics
Topic: Cant get to local Webserver
Replies: 25
Views: 2416

Re: Cant get to local Webserver

This isn't a router you can get at Staples that can just do one subnet and maybe a guest wireless. It is a full featured industrial router with many more options that can be configured in millions of different ways and therefore has to be correctly setup for your unique situation. Hairpins are not al...
by skuykend
Sat Apr 08, 2017 6:08 pm
Forum: Beginner Basics
Topic: FTP out not working
Replies: 6
Views: 653

Re: FTP out not working

how do i do that? can i print a list of the NAT rules or do you need to see the firewall rules? That would be part of the firewall 'filter' rules, not NAT. By default, it's part of the first FastTrack and Accept forward rules. But if you're getting connection timeouts with specifying port 21 via te...
by skuykend
Sat Apr 08, 2017 5:17 am
Forum: Beginner Basics
Topic: FTP out not working
Replies: 6
Views: 653

Re: FTP out not working

Do your filter forward rules include accepting 'related' connections as well as 'established'?
by skuykend
Wed Apr 05, 2017 9:34 pm
Forum: Beginner Basics
Topic: DNS zone transfer behind NAT
Replies: 9
Views: 1506

Re: DNS zone transfer behind NAT

I agree with Sob, definitely need to lock rule #0 down more and figure out the cause for the Outlook failure and fix it separately. As it is now, any device on your networks is going to see outside initiated traffic as coming from the local router interface IP instead of their real IP, including the...
by skuykend
Wed Apr 05, 2017 12:55 am
Forum: Beginner Basics
Topic: DNS zone transfer behind NAT
Replies: 9
Views: 1506

Re: DNS zone transfer behind NAT

What are the condition filters on the masquerade? Out-interface?
by skuykend
Tue Apr 04, 2017 12:29 am
Forum: Beginner Basics
Topic: CRS Config - Vlans
Replies: 2
Views: 2339

Re: CRS Config - Vlans

MikroTik switches/routers are very configurable, and thus very confusing. You want basically two things: Switch based-port vlans: https://wiki.mikrotik.com/wiki/Manual:CRS_examples#Port_Based_VLAN A management IP for configuration/management: https://wiki.mikrotik.com/wiki/Manual:CRS_examples#Manage...
by skuykend
Sat Apr 01, 2017 6:14 am
Forum: Beginner Basics
Topic: CRS Throughput Bottleneck
Replies: 8
Views: 1171

Re: CRS Throughput Bottleneck

Then any traffic on those bridge ports to each other are being sent thru the cpu and not switched, eating up bandwidth/cpu usage that could be utilized for routing. Unless there's a need to throttle/prioritize/filter traffic between those ports and not just the WAN, a proper switch setup with master...
by skuykend
Fri Mar 31, 2017 11:06 pm
Forum: Beginner Basics
Topic: CRS Throughput Bottleneck
Replies: 8
Views: 1171

Re: CRS Throughput Bottleneck

The CRS125 has the same CPU as the 2011, I have the wireless CRS125 and it can definitely do better than 100... over 700 using Fasttrack in a single tcp connection.. multiple users and queue would surely slow it down. As it's mainly a switch there's only a single 1GB connection to the CPU, so if you...
by skuykend
Fri Mar 31, 2017 8:58 pm
Forum: Beginner Basics
Topic: DNS zone transfer behind NAT
Replies: 9
Views: 1506

Re: DNS zone transfer behind NAT

Sounds like it may be hitting a srcnat rule as well. Check them and make sure incoming traffic to the DNS doesn't match on it.
by skuykend
Thu Mar 23, 2017 8:03 pm
Forum: Beginner Basics
Topic: intra vlan routing on a single IP
Replies: 2
Views: 376

Re: intra vlan routing on a single IP

You just need a firewall filter to drop packets between vlans, but with an extra accept rule before to allow that specific ip combination.
by skuykend
Tue Mar 14, 2017 12:41 am
Forum: Beginner Basics
Topic: rb951G only supports up to 50MB
Replies: 4
Views: 506

Re: rb951G only supports up to 50MB

With ~1500 byte packets and utilizing fastpath/fasttrack, you can probably route about 850mbps (~90MBps) single stream tcp.

Anything more than simple routing (IPSec, VPN, etc) will bring it down quite a bit.
by skuykend
Thu Feb 09, 2017 10:05 pm
Forum: Beginner Basics
Topic: Setup assitance with Information RB3011
Replies: 5
Views: 1035

Re: Setup assitance with Information RB3011

Glad you're off and running. Proxy will take up resources on the router, plus can put lots of wear on the internal flash storage, so I wouldn't use it unless you have another need for it.... and then set up a separate disk. VLANS, trunking and switches can be a little tricky to initially learn, espe...
by skuykend
Thu Feb 09, 2017 8:31 pm
Forum: Beginner Basics
Topic: Setup assitance with Information RB3011
Replies: 5
Views: 1035

Re: Setup assitance with Information RB3011

Your dst-nat's to 192.168.1.12 are too broad. They have no filter other than tcp & port. So all traffic through the router with dst port 80 or 6036 is being redirected there. Need to specify incoming interface, dst-addr, dst-addr-type or a combination of those to narrow the dst-nat.
by skuykend
Wed Feb 08, 2017 11:01 pm
Forum: Beginner Basics
Topic: vlan and separate port on bridge
Replies: 3
Views: 604

Re: vlan and separate port on bridge

Same way you set an IP on any other interface. Either from the IP/Address menu or IP/DHCP Client. Just select the bridge as the interface instead of a specific Ethernet port.
by skuykend
Tue Feb 07, 2017 6:33 am
Forum: General
Topic: [RB2011 as Switch] Asymmetrical Traffic....
Replies: 2
Views: 523

Re: [RB2011 as Switch] Asymmetrical Traffic....

Hard to see from this anything abnormal.

Is someone complaining?

Otherwise, maybe something more got damaged due to the discharge.
by skuykend
Tue Feb 07, 2017 6:19 am
Forum: Beginner Basics
Topic: vlan and separate port on bridge
Replies: 3
Views: 604

Re: vlan and separate port on bridge

Assuming the pi is the only thing attached to eth5 and the pi's interface isn't tagged. You would create a bridge with member ports as eth5 and a vlan interface you create or already have on eth2 with the correct vlan-id. An ip only needs to be assigned if you want the router to route that segment, ...
by skuykend
Thu Feb 02, 2017 1:35 am
Forum: General
Topic: Am i expecting too much?
Replies: 2
Views: 469

Re: Am i expecting too much?

Use fast track if you don't, and turn off the LCD display, it can eat up 10-20% cpu.
by skuykend
Thu Dec 29, 2016 1:09 am
Forum: General
Topic: How to configure this IP firewall rule?
Replies: 8
Views: 1185

Re: How to configure this IP firewall rule?

how about if you put the src-port and dst-port in one line and drop on the next line? like below: /ip firewall filter chain=input action=accept protocol=udp src-port=1812,1813 dst-port=3799 /ip firewall filter chain=input action=drop protocol=udp That would make an AND situation. The dst port would...
by skuykend
Thu Dec 29, 2016 12:52 am
Forum: General
Topic: Adding a second guest wifi bridge.
Replies: 5
Views: 906

Re: Adding a second guest wifi bridge.

Thanks! I'm not that much of an expert. Why is it not a good idea? And when you say strip the tag in the switch, what does switch refer to - is there any example you could point to? http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features I'm interested also, as I've seen this mentioned on another...
by skuykend
Tue Dec 27, 2016 10:54 pm
Forum: General
Topic: CRS - why so hard?
Replies: 1
Views: 392

Re: CRS - why so hard?

Can't see anything wrong there.

To be sure (can't be sure just from the interface naming), do you have ether1 and ether24 in the same switch group (master-port in common)?

I take it the CRS is just doing switching no routing?
by skuykend
Fri Dec 23, 2016 10:38 pm
Forum: General
Topic: RB3011 Switch Chip and Frustration with Support
Replies: 4
Views: 1335

Re: RB3011 Switch Chip and Frustration with Support

I don't think I'm getting the entire picture. Is VLAN 2 on the same subnet as the untagged traffic you want it switching with (I'd assume not, but)? That's the only time the switch would take over for wirespeed, otherwise if a different subnet, it would have to be routed through the cpu port anyway,...
by skuykend
Mon Dec 19, 2016 6:48 am
Forum: General
Topic: Tagged VLAN on one port to untagged on another
Replies: 3
Views: 437

Re: Tagged VLAN on one port to untagged on another

The CRS switch chip only tags traffic for vlans if in the egress-vlan-tag table, otherwise it will strip the tag. The VLAN table controls what VLANS are allowed on what ports. So if you have a port in the VLAN table, but not the egress-vlan-tag table, it's allowed on the port, but stripped. Normally...
by skuykend
Mon Dec 19, 2016 6:16 am
Forum: General
Topic: RB2011UiAS two switches vlan trunk
Replies: 3
Views: 602

Re: RB2011UiAS two switches vlan trunk

It appears that you have VLAN mode disabled in the ports section for cpu_ports which will strip all vlan tags even if in vlan table. Don't know if that's the only issue.

http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features
by skuykend
Fri Dec 16, 2016 8:01 pm
Forum: General
Topic: Tagged VLAN on one port to untagged on another
Replies: 3
Views: 437

Re: Tagged VLAN on one port to untagged on another

Yes, just have to have vlan 3999 in the vlan table for ether3 (and 1 & 2), but not in the egress-vlan-tag table for port 3, just port 1 & 2.
by skuykend
Fri Dec 16, 2016 7:46 pm
Forum: General
Topic: RB3011 VLAN config problem
Replies: 5
Views: 932

Re: RB3011 VLAN config problem

The switch chip is stripping the vlan tag. Default is to treat packets with a tag that isn't in the vlan table as not being tagged (fallback). Add vlan 7 and 1 to the switch vlan table for the ports needing it or change the mode on the ports to check. http://wiki.mikrotik.com/wiki/Manual:Switch_Chip...
by skuykend
Fri Dec 16, 2016 1:19 am
Forum: General
Topic: RB2011UiAS two switches vlan trunk
Replies: 3
Views: 602

Re: RB2011UiAS two switches vlan trunk

That's the basic config for a 2011. Both master ports bridged. Once you start adding settings to the switch chip, you have to do it right though. All vlans you want passed need to have access to the cpu ports.
by skuykend
Fri Dec 16, 2016 1:09 am
Forum: General
Topic: RB3011 VLAN config problem
Replies: 5
Views: 932

Re: RB3011 VLAN config problem

Don't set the PPPoe client to a slave interface. Either set it to the bridge or remove ether5-vlan7 from the bridge.
by skuykend
Wed Nov 23, 2016 11:53 pm
Forum: Announcements
Topic: v6.37.2 [current] is released!
Replies: 50
Views: 13478

Re: v6.37.2 [current] is released!

In 6.37.2 the ether-interfaces are missing for dhcp-client.

I'm simply using a LAN-Bridge containing ether1
You should set it on the bridge, never a slave interface. They fixed that bug.
by skuykend
Thu Nov 10, 2016 8:27 pm
Forum: RouterBOARD hardware
Topic: SFP+ Switch
Replies: 2
Views: 558

Re: SFP+ Switch

Unfortunately nothing with more than two sfp+ ports.
by skuykend
Thu Nov 10, 2016 6:36 pm
Forum: General
Topic: Can you help me in failed ping ?
Replies: 4
Views: 576

Re: Can you help me in failed ping ?

One problem I've had is that if a windows machine isn't part of an active directory domain, the default firewall will not allow ping responses to other subnets.
Hard to find, and I love it when MS protects you from nothing.
by skuykend
Wed Nov 09, 2016 1:04 am
Forum: Beginner Basics
Topic: [SOLVED]Port Forwarding problem.
Replies: 21
Views: 9556

Re: Port Forwarding problem.

You can use a domain in the newer RoS versions. Add the domain to an address list and use dst-address-list instead of dst-address.
by skuykend
Wed Nov 09, 2016 1:00 am
Forum: Beginner Basics
Topic: [SOLVED]Port Forwarding problem.
Replies: 21
Views: 9556

Re: Port Forwarding problem.

Hmm, were you in the '/ip firewall nat' menu?
by skuykend
Tue Nov 08, 2016 11:57 pm
Forum: Beginner Basics
Topic: [SOLVED]Port Forwarding problem.
Replies: 21
Views: 9556

Re: Port Forwarding problem.

The main problem here is the ether1 filter on the dstnats. This needs to work for the hairpin too. Since that traffic comes in from the bridge it won't work and has to be opened back up. Either by a dst-address=<wan ip> or dst-address-type=local. The problem with dst-address = IP is it's dynamic or ...
by skuykend
Tue Nov 08, 2016 10:29 pm
Forum: Beginner Basics
Topic: [SOLVED]Port Forwarding problem.
Replies: 21
Views: 9556

Re: Port Forwarding problem.

You won't be able to access WebFig from the WAN that way, but the LAN IP should still get you in. Correct on access from local LAN. Look up MikroTik NAT hairpin if you need to access it from the inside LAN via the WAN IP. Assuming your local bridge is named "bridge", something like: add action=masqu...
by skuykend
Tue Nov 08, 2016 8:46 pm
Forum: Beginner Basics
Topic: [SOLVED]Port Forwarding problem.
Replies: 21
Views: 9556

Re: Port Forwarding problem.

Normally either a dst-address or in-interface or dst-address-type=local will do. All depends on your situation, if you're going to set up a hairpin nat, etc.
by skuykend
Tue Nov 08, 2016 8:20 pm
Forum: Beginner Basics
Topic: [SOLVED]Port Forwarding problem.
Replies: 21
Views: 9556

Re: Port Forwarding problem.

Not what you want. All traffic on ports 80 and 443 will get redirected. Even from local going to Google.com!
by skuykend
Tue Nov 08, 2016 8:08 pm
Forum: Beginner Basics
Topic: [SOLVED]Port Forwarding problem.
Replies: 21
Views: 9556

Re: Port Forwarding problem.

Your dstnats have no filter other than port 80 and 443, so they are going to forward all traffic to those ports to ip 192.168.0.254.
Is that ip on a mikrotik router?
Add a dst-address or something else to the filter to limit it.
by skuykend
Sat Nov 05, 2016 5:32 pm
Forum: Beginner Basics
Topic: Urgent help please (Hairpin NAT)
Replies: 17
Views: 1220

Re: Urgent help please (Hairpin NAT)

I think the only real solution if you want to log the actual IP of local users is split DNS. Where outside users get the external IP and internal users get the local IP for the same DNS name. Otherwise, that's what a Hairpin will do.
by skuykend
Sat Nov 05, 2016 2:26 am
Forum: Beginner Basics
Topic: Wifi not Assigning Correct IP
Replies: 1
Views: 312

Re: Wifi not Assigning Correct IP

Have you checked if someone else is trying to spoof your ssid and grabbing your clients?

Otherwise, export your configuration with hide-sensitive and post it so we have a chance to help.
by skuykend
Wed Nov 02, 2016 3:08 am
Forum: Beginner Basics
Topic: Correct way to assign IPv6 address to wAP ac?
Replies: 4
Views: 571

Re: Correct way to assign IPv6 address to wAP ac?

Under IPv6 Addresses you add an IPv6 address. Select the IPv6 pool you set up. Just put something like ::3/64 in the address field. It will grab the prefix from the pool and combine the two to make your IPv6 address.
by skuykend
Tue Nov 01, 2016 12:23 am
Forum: General
Topic: Why do I have this bottleneck with RB951Ui-2Hnd
Replies: 3
Views: 408

Re: Why do I have this bottleneck with RB951Ui-2Hnd

Sounds like you're trying to switch and bridge the same ports. If you have ether3, 4 & 5 as master-port 2 then just Ether2 should be added to the bridge.
by skuykend
Sat Oct 29, 2016 2:27 am
Forum: General
Topic: Routing problem
Replies: 18
Views: 1407

Re: Routing problem

If it's a home version Windows pc you're trying to ping, the default Windows firewall doesn't allow ping responses to other subnets. Try temporarily disabling the firewall.
by skuykend
Fri Oct 28, 2016 1:54 am
Forum: General
Topic: Problem with IP Firewall on Bridge
Replies: 8
Views: 1358

Re: Problem with IP Firewall on Bridge

The In-Bridge-Port and Out-Bridge-Port aren't set in that case. Interface will still be set, but to the incoming/outgoing bridges (or actual interfaces if they're not bridged.)
by skuykend
Fri Oct 28, 2016 1:21 am
Forum: General
Topic: Problem with IP Firewall on Bridge
Replies: 8
Views: 1358

Re: Problem with IP Firewall on Bridge

If that particular traffic is routed at all by that router and not just passing through the bridge, it would do that.
by skuykend
Fri Oct 28, 2016 12:09 am
Forum: General
Topic: Problem with IP Firewall on Bridge
Replies: 8
Views: 1358

Re: Problem with IP Firewall on Bridge

Been a while since I've done a filtered bridge. Maybe try and do a simple filter by just ip with logging and see what the log says the ports are, then go from there.
by skuykend
Thu Oct 27, 2016 11:40 pm
Forum: General
Topic: Problem with IP Firewall on Bridge
Replies: 8
Views: 1358

Re: Problem with IP Firewall on Bridge

In bridge settings did you set the option to force bridge traffic through the firewall?
by skuykend
Thu Oct 27, 2016 9:22 pm
Forum: General
Topic: Bridging one VLAN, routing the rest
Replies: 4
Views: 520

Re: Bridging one VLAN, routing the rest

Would be much more efficient to learn the switch setup and configure the internal switch with vlan 100 on both ports and let it do the work. With your current bridge setup the cpu is being hit by all the tv traffic.
by skuykend
Thu Oct 27, 2016 3:57 am
Forum: Beginner Basics
Topic: Unable to connect to Microtik router (2011UAS-2HnD-IN)
Replies: 1
Views: 253

Re: Unable to connect to Microtik router (2011UAS-2HnD-IN)

Have you tried to connect by mac address with WinBox? (The Neighbors tab?) Mac address isn't routed so make sure you're plugged into the LAN bridge.

Other option is if you have a Cisco style RJ45-to-Serial port cable and a serial port you can get to the CLI via serial terminal.
by skuykend
Thu Oct 27, 2016 12:20 am
Forum: Beginner Basics
Topic: trouble forwarding ports to server
Replies: 5
Views: 1002

Re: trouble forwarding ports to server

If you're trying to test this from inside your network it won't work without setting up a hairpin nat. Do a search. Also you have no ip destination or local dst-address filters on your dst nats so ALL traffic passing through the router with those dst ports will be redirected to 20.21. Such as outbou...
by skuykend
Sun Oct 16, 2016 9:27 am
Forum: General
Topic: VPN Connectivity : Very Degraded Throughput
Replies: 17
Views: 3290

Re: VPN Connectivity : Very Degraded Throughput

Many posts here on that.

Running btest directly on the router(s) you're testing will not give proper test results.
by skuykend
Sat Oct 15, 2016 12:35 am
Forum: RouterBOARD hardware
Topic: Ethernet port faulty?
Replies: 4
Views: 734

Re: Ethernet port faulty?

1G does use all 8 wires where 100M uses only 4. Take a flashlight and see if one of the wires in port 5 is 'off track' or dirty. Otherwise something may be burned out for one of those wire paths for that port and can't be fixed economically.
by skuykend
Fri Oct 14, 2016 4:17 am
Forum: General
Topic: CRS Tagged and Untagged loop
Replies: 2
Views: 625

Re: CRS Tagged and Untagged loop

For one, it looks like port Ether1 is messed up, you're tagging the output of all your vlans to Ether1 (even though most aren't in the vlan table for Ether1), but also have an ingress rule to mark incoming untagged to vlan 2001. Outgoing 2001 is still tagged though, so something is bound to get confu...
by skuykend
Thu Oct 13, 2016 9:28 pm
Forum: General
Topic: high cpu usage 1 pc
Replies: 2
Views: 552

Re: high cpu usage 1 pc

It seems you're part of a DNS DoS attack. You need to enable the firewall input chain drops for port 53 from the WAN or turn off DNS resolving.
by skuykend
Thu Oct 13, 2016 3:43 am
Forum: General
Topic: High packet loss switching UDP traffic
Replies: 3
Views: 2525

Re: High packet loss switching UDP traffic

Looks like some routers and switches may use a pause frame which was created for another issue, and can have some negative issues as well. This could explain why some routers/switches don't seem to have as many dropped packets. https://en.wikipedia.org/wiki/Ethernet_flow_control Try turning on flow ...
by skuykend
Thu Oct 13, 2016 12:30 am
Forum: General
Topic: High packet loss switching UDP traffic
Replies: 3
Views: 2525

Re: High packet loss switching UDP traffic

UDP is a connectionless, unreliable protocol. It's supposed to work that way. There is no flow control mechanism, so other than buffering a very few packets for a few milliseconds, all it can do is drop them. 1gig to 100mbps you're going to drop around 90%.
by skuykend
Thu Oct 06, 2016 1:55 am
Forum: General
Topic: Bug rb2011uia rm FIX!!!!
Replies: 2
Views: 681

Re: Bug rb2011uia rm FIX!!!!

Could at least tell us what RoS version(s) you're running and/or have tried. Number of firewall rules, any L7 filters?

I only get a small performance hit on my rb2011, but if you're already pushing it close to its limit with other features then that might push it over the limit.
by skuykend
Mon Oct 03, 2016 8:56 pm
Forum: Beginner Basics
Topic: Problems with adding ports to bridges
Replies: 3
Views: 487

Re: Problems with adding ports to bridges

5-8 are not part of the switch. They will show inactive in bridge until you plug something into the port.
by skuykend
Sat Oct 01, 2016 9:06 pm
Forum: Beginner Basics
Topic: Mikrotik RB2011UiAS + UniFi AP configuration problem
Replies: 2
Views: 536

Re: Mikrotik RB2011UiAS + UniFi AP configuration problem

You need to either disable the Fasttrack filter rule, or create a system where the marked routes are not Fasttracked. Fasttrack bypasses filters and mangles after the first few packets and then will get routed out the default route table causing havoc with connection tracking, etc. If you still want...
by skuykend
Fri Sep 30, 2016 11:06 pm
Forum: General
Topic: Routerboard RB951 as firewall only
Replies: 1
Views: 342

Re: Routerboard RB951 as firewall only

by skuykend
Fri Sep 30, 2016 8:11 pm
Forum: General
Topic: Routing blackhole
Replies: 13
Views: 7440

Re: Routing blackhole

I've been doing that with a metric of 5 to avoid routing any 192.168. that doesn't have a lower value metric route without problem.
by skuykend
Fri Sep 30, 2016 7:01 pm
Forum: Beginner Basics
Topic: Activate routing on Mikrotik RB750r2
Replies: 1
Views: 253

Re: Activate routing on Mikrotik RB750r2

If these are Windows devices, their default firewall blocks ping replies when on a different network. For Windows devices not in an Active directory anyway. Disable the Windows firewalls temporarily and try again.
by skuykend
Thu Sep 29, 2016 4:06 am
Forum: Beginner Basics
Topic: Problem with FTP server port forwarding
Replies: 18
Views: 5175

Re: Problem with FTP server port forwarding

Yeah, I forgot about the dynamic ports on the ftp data channel, need to open that up. Glad you got things going!
by skuykend
Thu Sep 29, 2016 2:42 am
Forum: Beginner Basics
Topic: Problem with FTP server port forwarding
Replies: 18
Views: 5175

Re: Problem with FTP server port forwarding

Looks pretty close for your last two NAT rules: If you have a dynamic WAN IP (so you don't have to update the IP every time): add action=dst-nat chain=dstnat comment="FTP TCP" dst-port=20-21 \ protocol=tcp dst-address-type=local \ to-addresses=192.168.0.3 to-ports=20-21 add action=masquerade chain=s...
by skuykend
Thu Sep 29, 2016 12:04 am
Forum: Beginner Basics
Topic: Problem with FTP server port forwarding
Replies: 18
Views: 5175

Re: Problem with FTP server port forwarding

Did you try my suggestions above? If so do an export of your filter and nat rules and post.
by skuykend
Wed Sep 28, 2016 6:14 am
Forum: Beginner Basics
Topic: Problem with FTP server port forwarding
Replies: 18
Views: 5175

Re: Problem with FTP server port forwarding

Either use dst-address-type=local on the dst-nat rule, which will catch 20-21 for all ip addresses assigned to any router interface, or use dst-address = <your WAN IP> if you need to also use the FTP server on the router itself.
by skuykend
Wed Sep 28, 2016 5:10 am
Forum: Forwarding Protocols
Topic: MikroTik closes ports randomly then reopens them.
Replies: 3
Views: 759

Re: MikroTik closes ports randomly then reopens them.

The router may be recording the port closing, but that doesn't mean it's the one closing the port. How have you verified this? Do you have two LANs going to the same ISP and only one is periodically losing connection? Or two separate ISPs? Sounds like it's not just a NAT port closing, but losing conne...
by skuykend
Tue Sep 27, 2016 6:10 am
Forum: Beginner Basics
Topic: CCR1072 coper module
Replies: 1
Views: 356

Re: CCR1072 coper module

Should work, but according to the Wiki you will have to manually set the port to 1GB/s.

http://wiki.mikrotik.com/wiki/MikroTik_ ... lity_table
by skuykend
Tue Sep 27, 2016 5:51 am
Forum: General
Topic: Trunk + Access Ports same RB
Replies: 11
Views: 1566

Re: Trunk + Access Ports same RB

Is it correct to assume when working with VLANs using the switch instead of bridges, is the best practice in terms of performance? When using the switch like I did, we are using the ASIC chip, and the processor is more "free" to work with routes, QoS, etc? and if use bridges, the VLANs workload pas...
by skuykend
Tue Sep 27, 2016 3:45 am
Forum: General
Topic: Trunk + Access Ports same RB
Replies: 11
Views: 1566

Re: Trunk + Access Ports same RB

Did that and now it is working! But what's means placing this "switch1-cpu" inside the vlans? What's the logic that I should understand? I consider it two separate devices.... 6 port switch and one port router... hooked up by virtual Ethernet... on the switch side as switch1-cpu and the router side a...
by skuykend
Mon Sep 26, 2016 10:13 pm
Forum: General
Topic: Trunk + Access Ports same RB
Replies: 11
Views: 1566

Re: Trunk + Access Ports same RB

Did you add the switch1-cpu to the vlan tab as well as the ports tab?
by skuykend
Fri Sep 23, 2016 12:55 am
Forum: General
Topic: InterVLAN Routing on CRS [SOLVED]
Replies: 4
Views: 1152

Re: InterVLAN Routing on CRS [SOLVED]

Consider the switch menu separate from the rest of RouterOS. Once you set a master port(s), they become the virtual interface you're talking about in RoS interfaces menu. In the switch all master ports hook directly to switch1-cpu port. The physical Ether2 port (whatever master ports) is then define...
by skuykend
Mon Sep 19, 2016 3:05 am
Forum: Beginner Basics
Topic: guest wifi via VLAN
Replies: 13
Views: 2162

Re: guest wifi via VLAN

You have to torch on the master-port and get all packets for the group.
by skuykend
Sat Sep 17, 2016 9:06 pm
Forum: RouterBOARD hardware
Topic: RB2011, RB3011 - Fasttrack + VPN problem
Replies: 6
Views: 2250

Re: RB2011, RB3011 - Fasttrack + VPN problem

Each packet has to be marked individually by mangle for the routing mark to be added. The routing mark is not part of connection tracking. Route doesn't work by connection marks, but by packet routing mark. When FastTrack is set not all TCP packets bypass the firewall. Ones that establish/breakdown ...
by skuykend
Sat Sep 17, 2016 8:52 pm
Forum: Beginner Basics
Topic: Routing Pc to certain Gateway Question
Replies: 14
Views: 1250

Re: Routing Pc to certain Gateway Question

You probably have fasttrack enabled which bypasses mangle.

Take a look at this thread:
http://forum.mikrotik.com/viewtopic.php?f=3&t=112235
by skuykend
Sat Sep 17, 2016 8:08 pm
Forum: General
Topic: VLANs on 750G2 with no bridge help sought
Replies: 3
Views: 506

Re: VLANs on 750G2 with no bridge help sought

1. Not if you do it right. 2. Yes, they have to be set up under both. Yes, this can be really confusing at first. You need to consider the switch and rest of the router as two separate devices. A five port switch (six, but Ether/WAN has no master-port set in your config and is handled separately) an...
by skuykend
Sat Sep 17, 2016 12:13 pm
Forum: Beginner Basics
Topic: New CRS125-24G-1S, new Mikrotik user, Vlan isolation
Replies: 15
Views: 1614

Re: New CRS125-24G-1S, new Mikrotik user, Vlan isolation

SA Learning is source address learning which is the basic difference between a switch and a hub. Without SA learning turned on the switch doesn't know which port in a switch group a device is on and has to send it out to all of them. Normally if you don't set up anything in the vlan tables the switc...
by skuykend
Sat Sep 17, 2016 9:53 am
Forum: RouterBOARD hardware
Topic: RB2011, RB3011 - Fasttrack + VPN problem
Replies: 6
Views: 2250

Re: RB2011, RB3011 - Fasttrack + VPN problem

FastTrack is a feature to reduce CPU overhead on the router by flagging certain connections to almost completely bypass the firewall and queues after the first few packets. This includes filters and mangles. No mangle no route marks on the following packets and they don't get routed properly. So not...
by skuykend
Sat Sep 17, 2016 2:46 am
Forum: RouterBOARD hardware
Topic: How to utilize SFP for attaching a managed switch?
Replies: 3
Views: 1301

Re: How to utilize SFP for attaching a managed switch?

My knowledge of SFP is limited too, but from my experience so far... A lot of SFP/SFP+ ports will limit what modules they accept to their own brand or just a few, but DAC cables seem to be much more widely compatible than other SFP modules. I'd stick with 1GB SFP DAC's though or risk incompatibility...
by skuykend
Sat Sep 17, 2016 1:42 am
Forum: Beginner Basics
Topic: webfig not working with dynu.com !!
Replies: 7
Views: 1006

Re: webfig not working with dynu.com !!

Well you only said you had 1- port open 8291 for winbox.

Like I said Webfig uses http port 80, you'll have to set up the same firewall rules for port 80 as 8291 to open it up.
by skuykend
Sat Sep 17, 2016 1:16 am
Forum: Beginner Basics
Topic: guest wifi via VLAN
Replies: 13
Views: 2162

Re: guest wifi via VLAN

Do you currently have two master ports set up? One for main and another for guest? I'd set up with only one. Create two virtual vlans under the master port for main and guest. Then configure the switch to do the tagging/untagging. Add the valid ports for each vlan in the switch vlan table. Set up vl...
by skuykend
Fri Sep 16, 2016 10:42 pm
Forum: General
Topic: VLANs on 750G2 with no bridge help sought
Replies: 3
Views: 506

Re: VLANs on 750G2 with no bridge help sought

Yes, you just have to configure the switch. Pay special attention to the bottom part on Management IP configuration as you'll be using that for routing, etc.

http://wiki.mikrotik.com/wiki/Manual:Sw ... p_Features
by skuykend
Fri Sep 16, 2016 10:18 pm
Forum: Beginner Basics
Topic: webfig not working with dynu.com !!
Replies: 7
Views: 1006

Re: webfig not working with dynu.com !!

Just not really sure, I don't think WebFig sends too much data unencrypted and it uses Java, but I really don't know how strong that encryption is. http://forum.mikrotik.com/viewtopic.php?t=53524 If you trust the ISP's and datalinks in between you go for it. I would at least make the external port d...
by skuykend
Fri Sep 16, 2016 9:20 pm
Forum: Beginner Basics
Topic: webfig not working with dynu.com !!
Replies: 7
Views: 1006

Re: webfig not working with dynu.com !!

Webfig is http port 80. Pretty unsecure though for WAN.
by skuykend
Fri Sep 16, 2016 6:46 pm
Forum: Beginner Basics
Topic: Question about VLAN
Replies: 5
Views: 777

Re: Question about VLAN

You need the internal virtual vlan set up and cpu authorized any time you want the vlan to send/receive information from the router..... like dhcp assignments.

If you're just routing the vlan through the switch and out another physical port, then there's no need for the virtual interface.
by skuykend
Fri Sep 16, 2016 8:46 am
Forum: Beginner Basics
Topic: New CRS125-24G-1S, new Mikrotik user, Vlan isolation
Replies: 15
Views: 1614

Re: New CRS125-24G-1S, new Mikrotik user, Vlan isolation

Sorry didn't see that line.

Untagged vlans would have to be authorized as well in the vlan table, use vlan-id 0 for untagged authorization.

Edit: That's if you're not tagging them all, which it looks like you are as vlan 1.

Otherwise what you have should isolate them.
by skuykend
Fri Sep 16, 2016 7:57 am
Forum: Announcements
Topic: Winbox 3.5 released!
Replies: 20
Views: 9336

Re: Winbox 3.5 released!

On CRS226 - Can not set 'Ingress Mirror To' and 'Egress Mirror To' on any of the Switch Ports Interfaces. Label shows in Red and none of the three options will allow you to hit OK.

Reverted to winbox 3.4 and is working fine.
by skuykend
Fri Sep 16, 2016 4:18 am
Forum: RouterBOARD hardware
Topic: RB2011, RB3011 - Fasttrack + VPN problem
Replies: 6
Views: 2250

Re: RB2011, RB3011 - Fasttrack + VPN problem

Are you using Mangle on the packets to the VPN? If so you'll have to exclude those connections from the Fasttrack rule. I do that by only fasttracking established/related connections with connection mark "no-mark" (I mark the connections in mangle before I mark the packet) and are in the "main" routi...
by skuykend
Fri Sep 16, 2016 4:04 am
Forum: Beginner Basics
Topic: New CRS125-24G-1S, new Mikrotik user, Vlan isolation
Replies: 15
Views: 1614

Re: New CRS125-24G-1S, new Mikrotik user, Vlan isolation

Once you get things set up in the VLAN tables, etc. you need to make sure you set forward-unknown-vlans to off, or set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports to the ports you want to isolate. If you don't have vlans set up properly you may lose access to router and need to reset and...
by skuykend
Fri Sep 16, 2016 2:16 am
Forum: Beginner Basics
Topic: Question about VLAN
Replies: 5
Views: 777

Re: Question about VLAN

You setup the switch menu VLAN to be able to talk to the cpu port as well as the physical ports it needs, then create the same vlan# under interfaces menu for the 'master port' of the switch. Assign that vlan interface to the dhcp server. Check out Management IP configuration in this link: http://wi...
by skuykend
Sun Sep 11, 2016 2:19 am
Forum: General
Topic: NTP Server if it possible
Replies: 3
Views: 1145

Re: NTP Server if it possible

The NTP client is built in, but the server is a separate download. First upgrade to 6.36.3 to get current and match the download link without going to archives. Go to the MikroTik download site, download Extra Packages for MIPSBE matching your version, extract the NTP package file from the ZIP file ...
by skuykend
Thu Mar 24, 2016 2:58 am
Forum: Beginner Basics
Topic: VLAN configuration issue
Replies: 22
Views: 2407

Re: VLAN configuration issue

Two questions - what is the set forward-unknown-vlans=no going to do? And what is the benefit as if I understand correctly, the VLAN table already limits where the packet can go? Not from my experience. From the CRS examples wiki: Unknown/Invalid VLAN filtering VLAN membership is defined in the VLA...
by skuykend
Wed Mar 23, 2016 5:39 pm
Forum: Beginner Basics
Topic: VLAN configuration issue
Replies: 22
Views: 2407

Re: VLAN configuration issue

Where is the 4095 suddenly coming from?
That's a dynamic VLAN channel that Mikrotik uses to talk to the switch. It's normal.
by skuykend
Wed Mar 23, 2016 2:50 am
Forum: Beginner Basics
Topic: VLAN configuration issue
Replies: 22
Views: 2407

Re: VLAN configuration issue

Could you advise what exactly I need to do and in which sequence? :) Well I don't know if I have all the info I would need so you'll have to tweak. Looks like the switch is not doing any routing just switching. If routing, all vlans will need access to switch1-cpu port, otherwise just the managemen...
by skuykend
Tue Mar 22, 2016 9:30 pm
Forum: Beginner Basics
Topic: VLAN configuration issue
Replies: 22
Views: 2407

Re: VLAN configuration issue

Ok, that is a bit confusing for me - are you saying that any VLAN traffic gets automatically untagged and just goes to all of the other ports? How come that I was not seeing any other conflicts from the other subnets? (the ones that are always tagged from the router via port 5). Not every packet. G...
by skuykend
Tue Mar 22, 2016 7:18 pm
Forum: Beginner Basics
Topic: VLAN configuration issue
Replies: 22
Views: 2407

Re: VLAN configuration issue

My assumption is that yes, it may have been possible for untagged packets to go out of port 7 but any replies should be automatically tagged 610 and should not make it back to the untagged ports, is that not correct? They get tagged but then can get untagged when they go out other ports that aren't...
by skuykend
Tue Mar 22, 2016 8:34 am
Forum: General
Topic: How do I bypass fasttrack for one connection
Replies: 12
Views: 2466

Re: How do I bypass fasttrack for one connection

add action=mark-connection chain=prerouting new-connection-mark=lowttl ttl=less-than:60
Awesome! You can probably optimize this statement by adding connection-state=new as it just needs to mark the connection once at startup.
by skuykend
Tue Mar 22, 2016 5:05 am
Forum: Beginner Basics
Topic: VLAN configuration issue
Replies: 22
Views: 2407

Re: VLAN configuration issue

I think that other untagged traffic is still allowed out to your ether7 and that you need to disallow vlan0 (default untagged) traffic on ether7 and just allow vlan 610. http://wiki.mikrotik.com/wiki/Manual:CRS_features http://wiki.mikrotik.com/wiki/Manual:CRS_examples What is the relation of the VL...
by skuykend
Tue Mar 22, 2016 1:54 am
Forum: Beginner Basics
Topic: VLAN configuration issue
Replies: 22
Views: 2407

Re: VLAN configuration issue

Show us what your VLAN table looks like. "/interface ethernet switch vlan print"

That controls what vlan traffic is allowed on what ports.
by skuykend
Mon Mar 21, 2016 8:14 am
Forum: General
Topic: How do I bypass fasttrack for one connection
Replies: 12
Views: 2466

Re: How do I bypass fasttrack for one connection

I do some alternate routing marks via pre-routing that don't work well with fast-track and make sure that I only fast-track connections with connection-mark=no-mark and routing-table=main. Maybe you can add another mangle before your other mangle setting a connection mark (and passthrough) and then ...
by skuykend
Mon Mar 21, 2016 7:37 am
Forum: General
Topic: How do I bypass fasttrack for one connection
Replies: 12
Views: 2466

Re: How do I bypass fasttrack for one connection

Is the connection always initiated from the lan side?

If you have port forwards and the connection is incoming you may need to use dst-address as the filter on the fast-track.

Also, when you change the rule, any current connections will still be fast-tracked until they drop off.
by skuykend
Mon Mar 21, 2016 7:24 am
Forum: Beginner Basics
Topic: make switch problem
Replies: 2
Views: 452

Re: make switch problem

That CCR doesn't have a switch; all ports have a direct connection to the cpu, therefore you can't (and don't need to) set a master-port.

Edit: You probably just want to set up the ports in a bridge and make sure fast-path is set on.
by skuykend
Wed Feb 17, 2016 7:13 pm
Forum: General
Topic: Swithing Without Master port
Replies: 13
Views: 1292

Re: Swithing Without Master port

Can be done, but MikroTik warns that some functionality will be lost with multiple master ports. Unfortunately they don't specify what is lost though.
by skuykend
Sun Feb 14, 2016 4:09 am
Forum: Beginner Basics
Topic: Can I have many IP addresses be on the same interface?
Replies: 6
Views: 2317

Re: Can I have many IP addresses be on the same interface?

Nothing wrong with multiple IP's on the same interface.
Can only have one default route unless you do policy routing, but otherwise you're fine.
by skuykend
Sat Feb 13, 2016 2:48 am
Forum: Beginner Basics
Topic: Weird routing loop in logs but there isn't one.
Replies: 61
Views: 8970

Re: Weird routing loop in logs but there isn't one.

I've had these messages pop up on CRS switches, only happened on the master port for a switch group when that physical port was being used. It was a false message that MikroTik finally fixed in one of the 6.32 bug fixes for the CRS. What version are you running? Maybe they have a similar problem wit...
by skuykend
Sat Feb 13, 2016 2:06 am
Forum: Beginner Basics
Topic: CRS and RB2011 vlan configuration
Replies: 10
Views: 1147

Re: CRS and RB2011 vlan configuration

[root@MikroTik_Switch] /interface ethernet switch ingress-vlan-translation> print Flags: X - disabled, I - invalid, D - dynamic 0 ports=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether11,ether12, ether13,ether14 service-vlan-format=any customer-vlan-format=any new-customer-vid=...
by skuykend
Sat Feb 13, 2016 12:31 am
Forum: General
Topic: Issues after upgrading ROS + Firmware on CRS226
Replies: 1
Views: 317

Re: Issues after upgrading ROS + Firmware on CRS226

Haven't noticed anything like that on my CRS226 with v6.34.1.
I'm just using it as a switch with a bunch of VLANS and one management IP.
by skuykend
Fri Feb 12, 2016 10:26 am
Forum: General
Topic: v6.33rc release candidate (final testing)
Replies: 203
Views: 36721

Re: v6.33rc release candidate (final testing)

skuykend - Please send supout.rif file to support@mikrotik.com. Make sure that supout file is generated after you have experienced issue and fixed it with renew. http://wiki.mikrotik.com/wiki/Manual:Support_Output_File http://www.mikrotik.com/support.html Sent. [Ticket#2015110366000181] What is the...
by skuykend
Wed Jan 27, 2016 10:48 am
Forum: Beginner Basics
Topic: ether2 port only 100mbs on my RB2011LS
Replies: 8
Views: 748

Re: ether2 port only 100mbs on my RB2011LS

Maybe some wires are broken or weak contact on this port ? Gigabit uses all four pairs of wires, so you can look at the outer two pair on each side of ether2 on the outside and see if one is out of its 'channel'. I've had one that I was able to fix before (not MikroTik). Otherwise I don't know if ...
by skuykend
Sun Jan 24, 2016 5:10 am
Forum: Beginner Basics
Topic: Port forwarding I am lost in here , please help
Replies: 2
Views: 794

Re: Port forwarding I am lost in here , please help

RESULT: Accessing from SMB://MYPUBLIC IP does not work FTP does the handshake but directory listing times out, so in at the end does not work Most ISP's block SMB ports, so that's most likely your problem there. Like Revolution alluded to, your DSTNAT is too generic and will match any traffic the r...
by skuykend
Sat Jan 23, 2016 5:25 am
Forum: General
Topic: Forward rule doe not work
Replies: 15
Views: 918

Re: Forward rule doe not work

Can anyone help me to figure out what's going on ?? I have activated log on my rules but the only traffic i see is SYN
Any other rules higher up in the filter section that would block it?

Do an "/ip firewall export" and post it.
by skuykend
Sat Jan 23, 2016 4:49 am
Forum: General
Topic: Halting performance with CRS226
Replies: 3
Views: 428

Re: Halting performance with CRS226

/interface ethernet switch ingress-vlan-translation add new-customer-vid=42 ports=ether2-slave-local,ether24-slave-local add new-customer-vid=100 ports="ether3-slave-local,ether4-slave-local,ether5-s\ lave-local,ether6-slave-local,ether7-slave-local,ether8-slave-local,ether1\ 2-slave-local" Nice sw...
by skuykend
Wed Jan 20, 2016 4:44 am
Forum: General
Topic: 1 GB Internet Speed not working
Replies: 7
Views: 1371

Re: 1 GB Internet Speed not working

no more than 120mb /110 mb
Sounds like you're stuck at fast Ethernet. Could be you're adding a CAT cable to make this work that doesn't have all 8 wires?

Check in Winbox or Webfig to check your connection rate on the ports to ensure they're negotiating to 1Gbps.
by skuykend
Wed Jan 20, 2016 3:37 am
Forum: General
Topic: Bug in /system reset-configuration (ROS 6.33.5 on RB951Ui-2HnD)
Replies: 10
Views: 2497

Re: Bug in /system reset-configuration (ROS 6.33.5 on RB951Ui-2HnD)

Didn't realize that. I wonder if it just happens to specific models. Yes, my RB2011 without wireless resets fine. I'm guessing they're constantly adding/changing features that require changes to CLI commands that will sometimes cause script errors with certain hardware specific devices. Sometimes ...
by skuykend
Mon Jan 18, 2016 8:04 pm
Forum: General
Topic: VLAN setup question
Replies: 2
Views: 483

Re: VLAN setup question

Will I achieve my goals with this setup?
You don't want to set up vlans on your ether4-6 as they're untagged. Just bridge the ports directly with the appropriate subnets.
by skuykend
Fri Jan 15, 2016 3:25 am
Forum: General
Topic: Bug in /system reset-configuration (ROS 6.33.5 on RB951Ui-2HnD)
Replies: 10
Views: 2497

Re: Bug in /system reset-configuration (ROS 6.33.5 on RB951Ui-2HnD)

Was happening in at least 6.33.3 as well for the RB951G.
by skuykend
Thu Jan 14, 2016 4:21 am
Forum: General
Topic: crs125g and nas4free lacp not working
Replies: 7
Views: 1263

Re: crs125g and nas4free lacp not working

:( well..but in that case, why is that device advertised as switch.. lacp is a basic function of managed switches Pretty sure that currently the CRS switch chip's only supports static bonding in the switch, not LACP. I believe the intent is to make them capable, but for some reason it doesn't seem ...
by skuykend
Wed Jan 06, 2016 11:12 am
Forum: RouterBOARD hardware
Topic: Newbie CRS226-24G-2S+IN Setup
Replies: 15
Views: 2544

Re: Newbie CRS226-24G-2S+IN Setup

Since it has an IP address setup for admin purposes, will it flag as a duplicate IP when I connect my second CRS as a switch? Winbox can connect though MAC address as well, no IP needed. But yes, you should either change the IP to another unused static IP or remove it and add a dhcp-client to the s...
by skuykend
Sat Jan 02, 2016 9:01 pm
Forum: General
Topic: The Best way to "export" all settings from rb2011 to rb3011
Replies: 4
Views: 2749

Re: The Best way to "export" all settings from rb2011 to rb3011

Using Winbox copy your export (check for mac addresses in export file!) to the 3011, go to system reset, and mark the option to 'No Default Configuration' and then select the script in 'Run after Reset'.

If the script has errors/incompatibilities it will stop at the error line and not continue on.
by skuykend
Fri Jan 01, 2016 2:43 am
Forum: Beginner Basics
Topic: CRS125-24G-1S-RM degrades performance when connected to 100MBit Extender
Replies: 2
Views: 489

Re: CRS125-24G-1S-RM degrades performance when connected to 100MBit Extender

Almost sounds like it's operating as more of a hub?
What RoS version are you using? Have you tried upgrading to the stable or current versions?

You said no other configurations, but I know I've had mine start acting like a hub if the switch section is misconfigured.
by skuykend
Fri Jan 01, 2016 2:21 am
Forum: Beginner Basics
Topic: is this config too complicated???
Replies: 12
Views: 1506

Re: is this config too complicated???

In the switch menu switch1-cpu represents the master-port in the rest of RoS. You'll need to give it access to the vlan as well and may need to set the vlan mode on switch1-cpu to something other than disabled.
by skuykend
Fri Jan 01, 2016 2:09 am
Forum: Beginner Basics
Topic: is this config too complicated???
Replies: 12
Views: 1506

Re: is this config too complicated???

I use my RB2011 as a switch with a management ip obtained thru dhcp-client from vlan3. So it uses all ports as a switch in two groups bridged with the sfp port being my trunk. It's also my master-port, but doesn't have to be the same. It should give you a decent example of how to set up the switch t...
by skuykend
Fri Jan 01, 2016 1:39 am
Forum: Beginner Basics
Topic: Basic ip addressing use and bridge setup
Replies: 22
Views: 3686

Re: Basic ip addressing use and bridge setup

anyone that can still help me getting this to work ? Martin A CRS without wireless with the default config will have all ports switched and the master-port should be ether1, not ether2. A default IP address of 192.168.88.1 should also be assigned to ether1, but no dhcp, etc. http://wiki.mikrotik.co...
by skuykend
Thu Dec 31, 2015 11:42 pm
Forum: Beginner Basics
Topic: is this config too complicated???
Replies: 12
Views: 1506

Re: is this config too complicated???

Yes, fasttrack can make quite an improvement. My rule doesn't disable it for most traffic, just for connections that are being mangled. Oddly while the 'normal' fasttrack rule didn't seem to completely break all my mangled connections, it did seem to slow them down quite a bit and incoming were even...
by skuykend
Thu Dec 31, 2015 10:41 pm
Forum: Beginner Basics
Topic: is this config too complicated???
Replies: 12
Views: 1506

Re: is this config too complicated???

its an rb2011 Don't know about too complicated. Depends on what all your needs are. A couple things I might recommend: You're using bridging on most of your ports even when they can be done in a switch group with less cpu usage and full wire speed. The 2011 has two switches, ports 1-5 & sfp are on ...
by skuykend
Thu Dec 31, 2015 9:48 am
Forum: Beginner Basics
Topic: is this config too complicated???
Replies: 12
Views: 1506

Re: is this config too complicated???

What device is this? RB2011 or 3011?

I don't see any switch setup which could handle VLANs much more efficiently.
by skuykend
Thu Dec 24, 2015 11:54 pm
Forum: Beginner Basics
Topic: Basic CRS Question
Replies: 2
Views: 841

Re: Basic CRS Question

It seems once you start with some switch VLAN settings on the CRS you need to setup at least VLAN tagging as well. First make sure you checked/set SA learning on for the ingress you added. Next you can try just adding VLAN tagging entries for VLAN10 & 20 with the proper tagged ports, including CPU i...
by skuykend
Tue Dec 22, 2015 9:21 am
Forum: General
Topic: Preformance issues on RB750
Replies: 5
Views: 813

Re: Preformance issues on RB750

Have i simply reached the limit of what my RB can do? Or is there something i am missing in respect to configuration. Do you have FastTrack enabled and is it working? Depending on what RB750 model you have (assuming it's not the plain as that's 10/100 only) you might be hitting the limit without Fa...
by skuykend
Tue Dec 22, 2015 1:31 am
Forum: Beginner Basics
Topic: failure: master-port has master-port itself
Replies: 3
Views: 1120

Re: failure: master-port has master-port itself

So by default are all the ports bonded to ether1?
A CRS without wireless defaults to all ports in one switch group.
Not bonded. Bonding is a different thing, done from the switch menu.
by skuykend
Mon Dec 21, 2015 10:23 pm
Forum: Beginner Basics
Topic: failure: master-port has master-port itself
Replies: 3
Views: 1120

Re: failure: master-port has master-port itself

It's saying that ether5 and ether3 are already slaves to another master port (and ether2-slave on your last example). They can't be nested.

Unset the master-port for ether3 and ether5 first.
by skuykend
Mon Dec 21, 2015 10:07 pm
Forum: Beginner Basics
Topic: Mangle rule doesn't appear to be marking all packets it should
Replies: 1
Views: 464

Re: Mangle rule doesn't appear to be marking all packets it should

Once a connection is FastTracked it will bypass mangles, filters, etc. and packets will not be marked properly.

Either don't fasttrack those particular connections or disable the FastTrack rule completely if most of your traffic needs mangling and wouldn't benefit anyway.
by skuykend
Fri Dec 18, 2015 6:15 am
Forum: General
Topic: QUESTION: CCR1016-12G and VLAN
Replies: 3
Views: 993

Re: QUESTION: CCR1016-12G and VLAN

With default CRS226 configuration vlans would be available on all ports as well.
by skuykend
Fri Dec 18, 2015 3:57 am
Forum: Beginner Basics
Topic: CRS125 as in-house switch
Replies: 2
Views: 593

Re: CRS125 as in-house switch

You can connect with WinBox, do a system/reset configuration and check 'No default configuration'. After it resets, connect via WinBox again via Mac address and set the master port for Ethernet interfaces 2-24 and sfp to Ether1. (May disconnect temporarily) If you want a management ip for WinBox, We...
by skuykend
Tue Dec 15, 2015 9:55 am
Forum: RouterBOARD hardware
Topic: Newbie CRS226-24G-2S+IN Setup
Replies: 15
Views: 2544

Re: Newbie CRS226-24G-2S+IN Setup

It will work as a basic switch out of the box with all vlans being available on all ports, just the way they come in. If you're just using it as a switch with no routing then just concentrate mainly on the port based vlan section of the CRS example. If you're using as a gateway as well, then you'll ...
by skuykend
Fri Dec 11, 2015 7:11 pm
Forum: Beginner Basics
Topic: /ip adress Adresses keep disapearing
Replies: 6
Views: 970

Re: /ip adress Adresses keep disapearing

I checked it and that option is disabled. It's also a default configuration (preset from when RB2011 was new). Should i delete that? Hmmm, sorry it seems disabled=yes is the default for export on dhcp-client and doesn't show unless it's not disabled. So no need to delete it except for clarity. Wish...
by skuykend
Fri Dec 11, 2015 9:23 am
Forum: General
Topic: VLAN & CPU load on CRS-112-8G-4S-IN
Replies: 2
Views: 1527

Re: VLAN & CPU load on CRS-112-8G-4S-IN

You need to configure the switch for vlans instead of using cpu bridging.

http://wiki.mikrotik.com/wiki/Manual:CRS_features
http://wiki.mikrotik.com/wiki/Manual:CRS_examples
by skuykend
Fri Dec 11, 2015 8:35 am
Forum: Beginner Basics
Topic: /ip adress Adresses keep disapearing
Replies: 6
Views: 970

Re: /ip adress Adresses keep disapearing

Can you tell me where is this set?
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
by skuykend
Fri Dec 11, 2015 6:14 am
Forum: General
Topic: [ASK] Firewall Filter Rules
Replies: 5
Views: 411

Re: [ASK] Firewall Filter Rules

i use 104 firewall filter rules in my mikrotik RB951Ui-2nd its to many or just fine? I would say it depends on a couple things: Are you getting the throughput you want/need and is it getting too complicated for you to manage/maintain? If you use custom chains/jumps and order the rules properly then...
by skuykend
Fri Dec 11, 2015 5:54 am
Forum: Beginner Basics
Topic: /ip adress Adresses keep disapearing
Replies: 6
Views: 970

Re: /ip adress Adresses keep disapearing

Why are you both setting a static IP for ether1-gateway and trying to get one through dhcp-client?
by skuykend
Wed Dec 09, 2015 9:30 am
Forum: Beginner Basics
Topic: Access to WAN IP from LAN
Replies: 20
Views: 17308

Re: Access to WAN IP from LAN

You'll need both the port forward (dstnat) rule and hairpin rule (srcnat, masquerade) to work together. dstnat: Make sure your port forward/dstnat does NOT use an in-interface filter from WAN otherwise hairpin will not work as you are coming from bridge-local (or whatever your LAN is). Instead use t...
by skuykend
Mon Dec 07, 2015 10:30 am
Forum: Beginner Basics
Topic: Performance from CRS125 -24G-1S-2HnD-IN
Replies: 2
Views: 712

Re: Performance from CRS125 -24G-1S-2HnD-IN

Looks like you have all ports setup to switch including WAN. WAN needs to be taken out. Plus you have Layer7 filters, which if active will kill all speed on that CRS.
by skuykend
Sat Dec 05, 2015 2:38 am
Forum: General
Topic: Vlan tagging not working
Replies: 4
Views: 519

Re: Vlan tagging not working

that should work right ? then do i need to add vlan10 to a bridge interface to route the packets or does vlan10 do the job by itself ? The IP address on the vlan interface will get things routing without a bridge. You'll need to setup a bridge if you need to bridge the same subnet (IP range) to ano...
by skuykend
Fri Dec 04, 2015 10:19 pm
Forum: General
Topic: Vlan tagging not working
Replies: 4
Views: 519

Re: Vlan tagging not working

Not sure if the older 5.24 RoS isn't printing it, or if it's new, but there is a default-vlan-id setting on /interface ethernet switch port which will need to be set for untagged ingress assignment. http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features You don't have any vlan interfaces assigned...
by skuykend
Thu Dec 03, 2015 8:00 pm
Forum: Beginner Basics
Topic: Clients get IP addresses from DHCP, but cannot access internet
Replies: 4
Views: 742

Re: Clients get IP addresses from DHCP, but cannot access internet

I think your accept filter for new connections is incorrectly checking for in interface=bridge, but you're coming in from the vlan interfaces at this point.
by skuykend
Thu Dec 03, 2015 6:38 am
Forum: Beginner Basics
Topic: Open port
Replies: 2
Views: 579

Re: Open port

A couple things: You've set your internal server ip in the 'dst address' field. This needs to be in the 'To Address'. Dst Address would need to be your WAN IP at this point, but unset it and instead set Dst. Address Type to 'local'. This means any IP address bound to the router which will allow hair...
by skuykend
Thu Dec 03, 2015 5:28 am
Forum: RouterBOARD hardware
Topic: Home network
Replies: 8
Views: 1382

Re: Home network

CRS125 might be a better option as it runs the same processor as the RB2011 and works pretty well with fast-track (I've gotten ~850mbps with NAT via iperf3). The other CRS's run at 400mhz and seem to eat cpu faster. Seems like switch statistics management takes quite a toll on cpu, with the LCD taki...
by skuykend
Wed Dec 02, 2015 11:25 pm
Forum: Beginner Basics
Topic: Can ping WAN IP's but websites don't open
Replies: 3
Views: 555

Re: Can ping WAN IP's but websites don't open

Remove the to-address on your srcnat masquerade
by skuykend
Wed Dec 02, 2015 10:08 pm
Forum: Beginner Basics
Topic: Desperately need help on RB2011UI vlans (taggged and untagged)
Replies: 4
Views: 676

Re: Desperately need help on RB2011UI vlans (taggged and untagged)

Different ways to do it, but if the VLAN's are basically the same on both switches you can simply bridge the two master ports and move the vlan interfaces to the bridge. Then just make sure the switch2 setup including switch2-cpu is setup correctly. Another way is to create duplicate vlan interfaces...
by skuykend
Wed Dec 02, 2015 9:29 am
Forum: Beginner Basics
Topic: second bridge on same board wont forward packets.
Replies: 1
Views: 331

Re: second bridge on same board wont forward packets.

I think one problem is the ip address assigned to your wifi bridge is /32 and should be /16.
by skuykend
Wed Dec 02, 2015 4:56 am
Forum: Beginner Basics
Topic: Desperately need help on RB2011UI vlans (taggged and untagged)
Replies: 4
Views: 676

Re: Desperately need help on RB2011UI vlans (taggged and untagged)

Seems to be a couple things slightly off, here are a few of my observations: /interface ethernet switch vlan vlan-id 20 will need to be able to have access to eth2 and switch1-cpu as well as eth5 vlan-id 30 will need to be able to have access to eth3 and switch1-cpu as well as eth5 switch1-cpu is th...
by skuykend
Sat Nov 28, 2015 8:13 pm
Forum: General
Topic: pls help newbies port forward not work .
Replies: 2
Views: 519

Re: pls help newbies port forward not work .

You have the 'NOT' on your in-interface filter from ppoe checked. I'd just remove it personally since you have the dst-type=local, but at least uncheck the NOT.
by skuykend
Thu Nov 26, 2015 6:47 pm
Forum: General
Topic: Hairpin NAT whith two local subnets
Replies: 1
Views: 959

Re: Hairpin NAT whith two local subnets

You'll have to remove the in-interface filter from your dstnat's as hairpin doesn't come thru the WAN interface and won't match. You already have dst-address and dst-address-type filters so it will still work properly. I also don't put a dst-address filter on my hairpin rule, so I'm not sure if that...
by skuykend
Wed Nov 25, 2015 2:54 am
Forum: Beginner Basics
Topic: Trunk on SFP+ ports when connected to CISCO switch in switchport mode trunk
Replies: 3
Views: 1096

Re: Trunk on SFP+ ports when connected to CISCO switch in switchport mode trunk

You need to add your ip address to the vlan interface and not the physical sfp port. Right now 99.1 is untagged by being on the sfp port.
by skuykend
Tue Nov 17, 2015 12:10 am
Forum: Beginner Basics
Topic: Hairpin NAT
Replies: 10
Views: 1577

Re: Hairpin NAT

Switch rule 1 (hairpin rule) back to how you had it originally. It's the dstnat forwards that needs the removal of in-interface filter and add dst-address-type=local or dst-address in its place.
by skuykend
Mon Nov 16, 2015 10:47 am
Forum: Beginner Basics
Topic: Hairpin NAT
Replies: 10
Views: 1577

Re: Hairpin NAT

Remove in-interface filter from your dstnat and add dst-address-type=local in its place. Your hairpin traffic does not come in thru the WAN interface. dst-address-type=local will forward any traffic with an ip address assigned to any of the router interfaces. If you also use webfig on port 80 you'll...
by skuykend
Mon Nov 16, 2015 10:37 am
Forum: General
Topic: Port forward issue - is this hairpin NAT?
Replies: 3
Views: 1142

Re: Port forward issue - is this hairpin NAT?

If it's to the same host and protocol (tcp/udp) you can specify multiple port numbers with either a comma or dash for ranges.
by skuykend
Sat Nov 14, 2015 10:37 am
Forum: General
Topic: Port forward issue - is this hairpin NAT?
Replies: 3
Views: 1142

Re: Port forward issue - is this hairpin NAT?

Yes, that's what hairpin NAT is for. You need to remove the in-interface filter from your dstnat and put in dst-address-type=local instead. This is because your hairpin traffic won't be actually coming in the PPPoE interface. Then add a second hairpin rule to fix certain tcp replies: /ip firewall na...
by skuykend
Fri Nov 13, 2015 2:38 am
Forum: Beginner Basics
Topic: Port Forward Nightmare
Replies: 15
Views: 2074

Re: Port Forward Nightmare

I'm using 6.33 with port forwarding just fine. Don't think an older version will help you. You can use tools/packet sniffer to try and capture packets for short bursts, setting up a filter on your WAN port. Have you tried checking from a port check website like portchecker.co to get a second opinion...
by skuykend
Wed Nov 11, 2015 9:44 pm
Forum: General
Topic: 6.34 release candidate version topic!
Replies: 201
Views: 42794

Re: 6.34 release candidate version topic!

Upgraded from 6.33 to 6.34rc3 and lost my ipv6 dhcp-client config. (no entry)

Reverted to 6.33, but still had to add back the client entry.
by skuykend
Thu Nov 05, 2015 9:06 pm
Forum: General
Topic: Fasttrack on CCR 1009-8G-1S-1S+
Replies: 9
Views: 1519

Re: Fasttrack on CCR 1009-8G-1S-1S+

Ah, OK, I'm using Queue trees and Mangle to QoS our VoIP traffic.
So I suppose this is why it's not active?
That'll do it.
by skuykend
Thu Nov 05, 2015 4:00 am
Forum: General
Topic: Fasttrack on CCR 1009-8G-1S-1S+
Replies: 9
Views: 1519

Re: Fasttrack on CCR 1009-8G-1S-1S+

Mine's working on my CCR-1009 using the 6.33rc's, but don't see much if any speed improvement with the 1009's speed and my low volume. My CRS125 and RB2011 see a vast improvement. They've been steadily improving when fast-track can be enabled, but if you have certain things active/running fast-track...
by skuykend
Wed Nov 04, 2015 3:47 am
Forum: General
Topic: Issue with dst-nat
Replies: 8
Views: 587

Re: Issue with dst-nat

If you put in a single accept of connection-nat-state=dstnat in your filters forward chain you won't have to duplicate every dstnat port in the filters section.
by skuykend
Tue Nov 03, 2015 9:37 am
Forum: General
Topic: v6.33rc release candidate (final testing)
Replies: 203
Views: 36721

Re: v6.33rc release candidate (final testing)

skuykend - Please send supout.rif file to support@mikrotik.com. Make sure that supout file is generated after you have experienced issue and fixed it with renew.
http://wiki.mikrotik.com/wiki/Manual:Su ... utput_File
http://www.mikrotik.com/support.html
Sent. [Ticket#2015110366000181]
by skuykend
Mon Nov 02, 2015 10:24 pm
Forum: General
Topic: v6.33rc release candidate (final testing)
Replies: 203
Views: 36721

Re: v6.33rc release candidate (final testing)

Upgraded to 6.33rc36 on CCR1009. IPv6 dhcp-client does not initially get bound on reboot. 'Error' shows in Status column, no info in log. Do a disable and enable on the dhcp-client and it gets bound properly until next reboot. IPv6 still not working properly. rc37 now shows bound IPv6 on bootup/re...
by skuykend
Sat Oct 31, 2015 1:02 am
Forum: General
Topic: Issue with dst-nat
Replies: 8
Views: 587

Re: Issue with dst-nat

Think you should be using action=dst-nat instead of netmap.
Make sure you're not dropping or are explicitly forwarding connection-nat-state=dstnat in your filters forward chain.
by skuykend
Fri Oct 30, 2015 8:00 am
Forum: Beginner Basics
Topic: How do I get closer to wire speed with my RB2011?
Replies: 10
Views: 1193

Re: How do I get closer to wire speed with my RB2011?

I'm not talking about wifi. I'm talking about two hard-wired clients plugged into eth2 and eth3 separated by 50' of cat5e cable. Talking directly to each other you're not even going through the ip filters, everything is happening in the switch chip and you should be getting wire speed. One or both ...
by skuykend
Fri Oct 30, 2015 3:44 am
Forum: General
Topic: CRS DHCP Snooping (Port Level Isolation) not working (SOLVED)
Replies: 7
Views: 1551

Re: CRS DHCP Snooping (Port Level Isolation) not working

Not an expert on this, but the wiki doesn't show setting the isolation-leakage-profile-override on the 'true' dhcp server port.

Also, I'll assume you disabled your second rule because it wasn't working for you.
by skuykend
Fri Oct 30, 2015 12:57 am
Forum: Beginner Basics
Topic: How do I get closer to wire speed with my RB2011?
Replies: 10
Views: 1193

Re: How do I get closer to wire speed with my RB2011?

If you're LAN to LAN on the same subnet and same switch you should be able to get close to wire speed. One of your test PC's may not be able to saturate the link. For routing and NAT, I've been able to get ~900mbps with the RB2011 with fast-track and a simple firewall setup. If you have both your fast-t...
by skuykend
Thu Oct 29, 2015 9:04 am
Forum: RouterBOARD hardware
Topic: hEX nand size ONLY 16MB !!!!
Replies: 61
Views: 16704

Re: hEX nand size ONLY 16MB !!!!

and upgrade is done in RAM anyway
Is that just with the online packages upgrade process?

What is the recommended process for offline upgrading without working direct connection to the internet? I would usually drag the upgrade file into winbox, but doesn't that copy to the flash in this case?
by skuykend
Thu Oct 29, 2015 3:12 am
Forum: General
Topic: v6.33rc release candidate (final testing)
Replies: 203
Views: 36721

Re: v6.33rc release candidate (final testing)

Upgraded to 6.33rc36 on CCR1009.
IPv6 dhcp-client does not initially get bound on reboot. 'Error' shows in Status column, no info in log.

Do a disable and enable on the dhcp-client and it gets bound properly until next reboot.
by skuykend
Wed Oct 28, 2015 2:36 am
Forum: RouterBOARD hardware
Topic: hEX nand size ONLY 16MB !!!!
Replies: 61
Views: 16704

Re: hEX nand size ONLY 16MB !!!!

Wow, that can't be right.
You don't even have enough free space to do an upgrade!

Hopefully it's just being reported wrong.
by skuykend
Tue Oct 27, 2015 7:09 am
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1494

Re: First attempt at making VLANs work in Router OS

You should probably upgrade to 6.32.3.
There was a bug where the switch settings that drop invalid vlans wouldn't be retained after a reboot. That could have caused your leakage, so recheck if those settings are now blank.
by skuykend
Mon Oct 26, 2015 7:48 pm
Forum: Beginner Basics
Topic: How to get 5 VLAN working
Replies: 5
Views: 733

Re: How to get 5 VLAN working

First thing I see is the dhcp servers are on the wrong interfaces. Should be with their respective IPs on the vlan interfaces.
by skuykend
Wed Oct 21, 2015 6:55 pm
Forum: Beginner Basics
Topic: Internal hairpin security issues
Replies: 5
Views: 876

Re: Internal hairpin security issues

I have a lot of port forwards so I use some custom chains and jumps in mine: (simplified version, change your interfaces, IPs and ports)
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan
add action=jump chain=srcnat comment="jump Hairpins" dst-port=443,5001 jump-target=hairpin ...
by skuykend
Wed Oct 21, 2015 7:27 am
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1494

Re: First attempt at making VLANs work in Router OS

Oh, and should add the cpu so it can talk to vlan30 as well:

May need to put in entries for vlan-id 0 as well for the untagged if you decide to secure the other ports as well.
/interface ethernet switch vlan
add ports=ether24,switch1-cpu vlan-id=30
by skuykend
Wed Oct 21, 2015 7:22 am
Forum: Beginner Basics
Topic: First attempt at making VLANs work in Router OS
Replies: 14
Views: 1494

Re: First attempt at making VLANs work in Router OS

Think you just need to tag vlan 30 back to the cpu.
/interface ethernet switch egress-vlan-tag
add tagged-ports=switch1-cpu vlan-id=30
The RB2011 uses different switch programming (more simplistic) but supports VLANs just fine.
by skuykend
Wed Oct 21, 2015 3:08 am
Forum: Beginner Basics
Topic: Cant connect to MAC with Winbox
Replies: 2
Views: 818

Re: Cant connect to MAC with Winbox

Winbox 3 RC seems to handle multiple NIC cards better with MAC connections.
by skuykend
Tue Oct 20, 2015 11:50 pm
Forum: Beginner Basics
Topic: how to configure firewall rule for 2 target-IPs
Replies: 8
Views: 679

Re: how to configure firewall rule for 2 target-IPs

You can add other columns to winbox tables with the down arrow at the end of the columns. No, I believe you can just enter a list name (1) in the dst address list field. There are a few fields that can take multiple entries, like the filter dst. port and src. port fields, but not too many can take mu...