MikroTik

k6ccc

You largely need a router to accomplish what you are trying to do. Here's the problem. When you put both VLANs onto a single port (the NAS for example), the data stream from the switch to the NAS will have all the traffic VLAN tagged. Since your NAS presumably is not capable (or at least not configu...

k6ccc

As for managed list, I tried it and got nowhere - bad password. I fear I played with ROMON in the past and I have an old password so locked out? So what should one do if one cannot remember whatever master password was set in winbox?? I have never used RoMON, and I do not have WinBox save passwords...

k6ccc

Are you trying to "find" the router by expecting it to show up in the neighbors list or did you save the IP in the Managed list? Personally I find that the neighbors list to be only slightly less useful than worthless. For example I opened it when I read this message. There are two Mikrotik routers ...

k6ccc

That is a very simple setup. Easiest way to explain it is to show you screen captures of one of mine. Assuming that this is a new install, I would assume it is a CSS106 running version 2.something firmware. First on the VLAN tab: http://extraphotos.info/mikrotik/CSS106-VLAN.PNG In this example, igno...

k6ccc

Input Chain only affects traffic that terminates in the router itself. Forward Chain affects traffic that passes through the router (what you are trying to do). Output chain affects traffic that originates in the router itself and is outbound to someplace else.. You can make all the rules in the wor...

k6ccc

Can't help you on the bonding part (never done that), but VLANs are a piece of cake in either RouterOS or SwitchOS. As for routing between VLANs, RouteOS will automatically do that unless you specifically exclude that in firewall rules.

k6ccc

That is easy, and fairly close to what I am doing with my CSS326 switch. First the VLAN tab: http://extraphotos.info/mikrotik/CSS_VLAN_for_gelcom.png I skipped a few ports so you would not need to figure out other stuff. Port 1 is my cable internet and gets assigned as VLAN 100. Port 9 is my DSL int...

k6ccc

When you are able to get into it, on the system tab, check the status of the first two lines: Address Acquisition, and Static IP Address. As I recall, by default it will come up looking for a DHCP address. If you can't get into it, check your router to see if it assigned an address to the switch. Th...

k6ccc

Start by spending a while reading the Wiki: https://wiki.mikrotik.com/wiki/Main_Page If we just tell you the answer, you don't learn. If you read the Wiki, most of your questions will get answered, and you learn what the answer means. When you can't figure out some specific detail, then ask. You may...

k6ccc

Thanks, might be helpful. I tried to change router to my old TP-link one. I was still unable to portforward although it's "easier" UI, its probably about my new ISP blocking something and I've reached out to them. Thanks a lot for your reply though, I'll make sure to post an update if it works once...

k6ccc

One other addition. Keep all the rules in a particular chain together rather than mixing input, forward, output, whatever else you might add later. It does not make any difference to the router, but it makes it FAR easier for us human beings to read.

k6ccc

NAT is actually very easy. Here is the command for NAT for my web server: add action=dst-nat chain=dstnat comment="Web Server on Jupiter." \ dst-address-type=local dst-port=80 protocol=tcp to-addresses=\ 192.168.101.11 to-ports=80 Then in Firewall rules, an accept for either that specific forward, o...

k6ccc

"VPN Access" checkbox the QuickSet window...

Step one - stop using QuickSet. QuickSet sort of can be used one time for an initial setup (ONLY IF YOU REALLY NEED TO), but as soon as you make ANY other change to the router config, then NEVER AGAIN touch QuickSet.

k6ccc

I agree with anav. Let the hex do all the routing and DHCP, and use the hAPs strictly as access points. Use different VLANs to keep things apart as needed.

k6ccc

You really should not have two DHCP servers that are supplying IP addresses to the same LAN. Two DHCP servers feeding different LANs (or VLANs) is expected, but not on the same LAN. If for some reason you REALLY think that you need two DHCP servers on the same LAN, make sure that their address pools...

k6ccc

(1) what firewall rules that I miss? All of them. You have absolutely zero operational firewall filter rules. That means (among other bad stuff), your router is fully accessible from the internet. At the absolute least, restrict access to the router itself from WAN port. Start by reading this secti...

k6ccc

Anav is right. Both your switches are SwitchOS only and therefore they are configured exclusively via the web GUI. BTW, I have several CSS326 and a CSS106 (and another of it's predecessor the RB260GS) and they work quite well as a managed VLAN switch.

k6ccc

I have the /30 setup correctly. Traffic moves through the router. On the other hand, I am not planning on using public IP addresses for everything. I want to have two separate lans eventually, each using a separate public IP address. With a /30 CIDR, you only have two available addresses - one is f...

k6ccc

Although not entirely what you describe, but most of my switches have one trunk port to somewhere else with all VLANs appearing tagged, and some number of untagged ports (in quite a few cases only one other port) on a particular VLAN. It works fine for me, but I have MAC learning turned on. In a VLA...

k6ccc

There already is "/tool ip-scan" which scans using ping, arp, snmp and netbios and does IP lookup in DNS. Maybe you can specify what other features you would want it to have? (like other services it should scan for, or to have a list of ports) There have been a bunch of various posts, but the origi...

k6ccc

Well, this one finally caught me last night. Below is a simplified drawing of the routers and switches here at home. I did not include any of the end user devices. I enabled the IPv6 package on router #1 and commanded the reboot. As far as I can tell, shortly after the reboot, I could not get into a...

k6ccc

Short answer is yes.

k6ccc

You need to give us a little more information. First of all, which router? Yes, the hardware makes a difference as different hardware has different capabilities. What version of ROS? Again, different versions have different capabilities. What are trying to accomplish? The only thing I can think of i...

k6ccc

WinBox is fine. Forward chain is a normal chain in the firewall rules - not on the NAT tab (which will normally be srcnat and dstnat).

k6ccc

Lookup hairpin NAT.

k6ccc

You gave us so little information that it is hard to help. For example, you showed that some pings worked - but no information on what was being pinged or from where. If you are allowing only untagged traffic on the test port, why are you allowing more than one LAN on that port?

k6ccc

Draw a circle on a piece of paper and you just got a pattern for the omnidirectional antenna.

k6ccc

You are making your life a bit more complex than it needs to be. Your rules 16 - 20 are completely un-needed because rule 21 is going to drop all of that anyway. As a general rule of thumb, most of us specifically allow what they want to allow and then drop everything else at the end of the chain. H...

k6ccc

Since you have changed things from your original screen capture, please post you current firewall rules.

k6ccc

Just an FYI, I have 19 Wyze cameras behind one of my Mikrotik Hex routers, and they work just fine. It really does not take anything special to get the Wyze cameras working. What works for your laptop or phone would work fine for the cameras. In my case, I have the cameras on my IoT network - which ...

k6ccc

Until my ISP changed things around on me, I was doing exactly what you want to do. On my DSL, I had eight static IP addresses. All were in the same subnet. Here are a couple code segments that should help. First create the addresses on both the DSL and each LAN (two of which had a physical port and ...

k6ccc

@dke, That thread is from four years ago and they are talking about the old RB260 that maxes out with 1.x firmware - NOT the current RB260 series (also known as the CSS106-5G-1S) which uses firmware versions 2.x. Yes, the current product with current firmware does as you describe (I have one), but w...

k6ccc

Can you ping 192.168.88.254 from site 1? I'm not at all familiar with the pfsense routers, so I don't know if they have the ability to be configured to not respond to pings.

k6ccc

As for getting a new IP from the DHCP server, assuming you are using DHCP reservations in the DHCP server, simply give the MAC for the switch a new IP. Next time that the switch requests a new IP, it will get the new address. Nothing to do in SwitchOS. Obviously this is not instantaneous, but the sw...

k6ccc

Yes, out of the box, all ports will talk to each other. To keep from using an IP address, you could give it a static IP outside your IP range. But are you REALLY that short of IP addresses on your LAN?

k6ccc

My first guess is that your forwarding rule is not specific enough. For example, if you forward all port 443 traffic to something, then ALL traffic including your outbound https traffic will go there. On the other hand, it you only forward port 443 traffic that is inbound on your WAN connection, the...

k6ccc

That's RouterOS, not SwitchOS.

k6ccc

I am running very similar at home. These screen captures were done on a CSS326 for a different purpose and are a little out of date, but might give you some ideas. Links page: http://extraphotos.info/mikrotik/CSS326_Links.png VLAN tab: http://extraphotos.info/mikrotik/CSS326_VLAN.png VLANs tab: http...

k6ccc

You need to give us a better idea of what you are trying to accomplish. Not enough information given.

k6ccc

For what it's worth, I just updated a CRS326-24G-2S+, two CSS326-24G-2S+, and a CSS106-5G-1S from 2.9 to 2.10 without incident. Watching pings to the CRS, I dropped three pings during the restart, and on both CSS326 switches, I dropped one ping during the restart.

k6ccc

What you are asking about is very similar to what I am doing. The only difference is that I am using my routers (a RB750r2 and a RB750Gr3) exclusively as routers - no switching at all. Each LAN or VLAN has only one port on the router (may be a dedicated LAN port, or may be a VLAN trunk port). All th...

k6ccc

Amm0 is correct. Essentially what I currently have is what dadoremix suggested. While that does allow VLAN 2 to communicate between ports 2 - 5, but that does not allow for the additional parts of the plan. I will be working with Amm0's suggestions shortly.

Thanks

k6ccc

Thanks for the reply. I had assumed that I needed to build a bridge, and played with that last night for a couple hours without any success. I can see the traffic coming in from the three AREDN nodes with Torch, but nothing going out. I'm sure it's easy for most people that have used a bridge in ROS...

k6ccc

This is likely an easy one, but I have EXCLUSIVELY used Mikrotik routers as routers and never as a switch. Each LAN or VLAN on the routers connects directly to a CSS326 switch. I have run into a situation where I have run out of ports on one of my CSS326 switches and have an immediate need for a cou...

k6ccc

Also, HIGHLY recommend putting some additional security on it. There are several things that can be done if you really insist on having a WebFig port directly accessed from the internet. For example, if able, restrict the source IPs that can access it to only the IPs that you want to have access. Fo...

k6ccc

I don't think this forum has a lot of professional web developers But it is impossible for users or designers Hotspot service does not know in the topics of page security! This is a forum for routers. Why are you even asking for html configuration help here? Take this to a forum for web designers. ...

k6ccc

I note that both alibloke and the chart that elbob2002 posted show the temperature stabilized at 58 degrees C. Makes me think that is what it is designed to do. I don't know what the specs for the CPU chips involved are, but as a comparison, the Raspberry Pi does not start throttling to control heat...

k6ccc

RouterOS does not support this method of working. It has been requested many times but it has not been implemented. (what you need is the capability to set a static DNS record for local.mesh with type NS and pointing to the nameserver for that domain) That is exactly correct. As RouterOS also does ...

k6ccc

Here is my situation. I have an RB-750Gr3 that has a WAN connection from my cable provider which provides DHCP and DNS services to the router. Ports 2, 3, & 5 are various LANs, and port 4 is a trunked port with several more VLANS. The trunked port connects to a managed switch where VLAN 5 (among oth...

k6ccc

Posting part of settings is not all that helpful.
/export config hide-sensitive file=yourconfigaug22
What am I doing wrong...see image below!

Screen Shot 2019-08-22 at 10.02.49 PM.png

Delete the word "config"
In other words: /export hide-sensitive file=your-config-22-Aug

k6ccc

A lot of that is personal preferences. I have a CRS326 that is being used exclusively as a managed switch. Other than about a half dozen VLANs, there is nothing fancy. I am running it under SwitchOS and always have. I also have two CSS326 switches - obviously running SwitchOS, plus two a CSS106-5G-1...

k6ccc

If you can access the router, you can either manually send the WOL command or type up a script and execute the script. By creating a scrpt in advance, you don't have to know the MAC of the target device. add dont-require-permissions=no name="Boot Old Family room PC on .101" owner=\ SuperMgr policy=t...

k6ccc

Search for "hairpin nat".

k6ccc

Stefan, what software version?

k6ccc

On this - add chain=forward action=accept in-interface=WAN \ connection-state=new nat-connection-state=dst nat Does/should the connection state need to be new? Or does it matter? It actually does not matter. Because there is a fastrack accept for established and related packets, the only time that ...

k6ccc

From the product page for the CRS328-24P-4S+RM:

PoE-Out is passed over mode B pins (4,5+)(7,8-).

That won't work on your 2 pair cable.

k6ccc

The very first rule in the Forward chain. Made it about as simple as I could: add action=passthrough chain=forward comment=\ "Counter for outbound to 188.172.217.0/24 - test for Teamviewer" \ connection-state="" dst-address=188.172.217.0/24 No connections listed to 188.172.217.xxx either.

k6ccc

So I did some digging and saw that TeamViewer Connect to a domain, 188.172.217.0/24 To test that, I created a passthrough firewall rule as a counter as the first rule in my forward chain. Any traffic to 188.172.217.0/24 should show up in the counter. There are two computers inside my firewall that ...

k6ccc

I would love to be able to block TeamViewer - but my situation is a little different. In my case, I am the TeamViewer user, but I want to be able to block TeamViewer unless I specifically allow it at the time - for example with a port knock to the router. For example, the computer at home can't norm...

k6ccc

I'm sorry, but I thought it was simple to understand that the two RB260 Ether1 are connected together with a 50cm patch cable, so where is the cable problem? It was not simple to understand because you did not tell that in your original post. For all we know, you were trying to run gigabit over a k...

k6ccc

You have given us almost no information to work with. What is this device doing? What's connected to it? How is it being used? Post your configuration.

k6ccc

I just wish that Mikrotik would standardize the interface between the different switches. I have one RB260, one CSS106, one CRS326 (running SwitchOS), and two CSS326s and it's annoying that the UI is so different between them.

k6ccc

I'm the same as all the rest here. All known DHCP clients are given a DHCP reservation outside of the IP Pool. Most of the pools are only 10 IPs (and in reality, I could normally get away with one or two).

k6ccc

I figured it out!! You have to specify the time and day or days that you want the rule to be applied and then you have to press reset all counters to reset everything and allow the new rule to be applied. I checked it 3-4 times and it worked fine. Thank you all!!!! I definitely did not have to rese...

k6ccc

Simple solution. I buy the Mikrotik SFPs that are specified to work with the device.

k6ccc

I have never had any time based firewall rules, but because of this thread, I created one for a test. The rule was a simple rule to drop all ICMP packets from the internet at the beginning of my Input chain with no time restriction. I am not at the location of this router, so my access is only via t...

k6ccc

Never used a bridge, so can't help you there. However your firewall rules look OK - I think.

k6ccc

Off hand, I don't see a way to specify a MAC on a specific port, but you can enable port lock which locks the port to the first MAC that is connected. See the Forwarding tab.

k6ccc

The check marks are the ports that the CAN be communicated with. For example, in your screen capture, port 1 can communicate with all other ports.

k6ccc

I still could not read your screen captures, but here are a couple of mine. Ports one and two are doing exactly what you want to do. Each of those is a Multi-SSID WiFi access point. Each is getting several VLANs that will each become a different SSID and also an untagged LAN that is used for cloud m...

k6ccc

I can’t read your images on my $&@#% iPhone, but I am doing exactly what you want to do on my CSS106. When I get to a computer, I’ll take a look.

Sent from a $&@#% iPhone using Tapatalk

k6ccc

I always upgrade mine.

k6ccc

It might be interesting to connect the two computers in question directly to each other. I would speculate that what you are seeing is more related to the performance of the computers involved and not the switches. Part of that statement is the difference in performance between upload and download. ...

k6ccc

Powered USB hubs usually don't draw power from upstream USB port ...

Correct. That's why I recommend them for fixed applications. Has solved many problems over the years.

k6ccc

I don't have an answer to your specific question, but my general recommendation is any time you are using a USB hub in a fixed situation, use a powered hub. That solves the current limit issue. Since you are proposing to use a USB hub connected to a router, I assume it will be in a fixed installatio...

k6ccc

This is likely more opinion rather than hard facts. There are some on the forum that hate SwitchOS and have nothing but problems, and there are some that have no issues with SwitchOS at all. Personally I am in the second camp. I have a CRS326-24G-2S, two CSS326-24G-2S, a CSS106-5G-1S, and a RB260GS ...

k6ccc

I clearly have no understanding of what he is trying to do. However I have never had any interest in on line gaming, so no idea how those kind of things work. I've never heard of a client / server type system where the server initiates the connection (which is why normal consumer routers work for mo...

k6ccc

It does not work that way. A NAT forwards to a target IP. However in most situations, if the game is talking to a server somewhere else, the client initiates the connection and the router will forward responses to the IP that originated the request. No special setup is normally required. If you are ...

k6ccc

You have given us so little information to go on. For starters, either give us more details on how your three routers are connected to each other, the internet, and your devices - or better yet, a drawing. Second, export your config on all three routers and post here so we can see what you are doing...

k6ccc

I see mkx beat me to the L2 vs L3 parts, so I'm not going to repeat that. You do not need to use bridges to create a DHCP server. However as noted above, IF an interface is a member of a bridge, then the DHCP server must be assigned to the Bridge - not the member interfaces. At least that's the way ...

k6ccc

Let's see if I have this right. Every single port will be a separate LAN with it's own DHCP server. So the router is being used exclusively as a router and not as a switch. If this is the case, why are you creating bridges? This is the way I use my routers. I have managed switches connected to the r...

k6ccc

I don't know anything about the TP Link equipment, but it sounds like you want the TP Link to operate only as a WiFi access point and NOT have any router functions. You likely can make this work by turning off the DHCP server functionality in the TP Link and then connecting one of the LAN ports (NOT...

k6ccc

You asked this question in the SwitchOS section of the forum and your subject specifies the CSS326 switch. However, since you are seeing an inter-VLAN issue, the problem almost certainly exists in the router and not the switch - since switches don’t route between VLANs. You did not give us much deta...

k6ccc

As for your DHCP servers, from your drawing, they are some device that is untagged. Simply put them on a switch port that is untagged on the correct VLAN. Same concept as my Cable Modem on port 1. In my case that is untagged on VLAN 100, but the concept is the same.

k6ccc

My first question is if the issue it with the SFP or the Ethernet per in the computer - it could be either one. Can you plug the Cat-6 into another port on the switch (such as one of the gig-E ports on the switch). Let the computer go to sleep and see if the problem happens in that configuration. Ot...

k6ccc

Here are some screen captures from one of CSS326 switches located in my family room. Most of the ports don't really matter, but I will point out a few. Along with a bunch of end devices in the house, both internet modems connect to this switch (port 1 for the cable and port 9 for the DSL). Port 3 is...

k6ccc

One other thing you could easily test. Configure a user PC port to VLAN 20 instead of VLAN 10 and confirm that the PC gets a DHCP address from DHCP server 2. That will confirm that your DHCP and switch to switch links are OK. Part two - Are you sure that your WiFi APs are configured properly for the...

k6ccc

Your configuration is really pretty simple. The trunks between the three switches needs to have VLANs 10 & 20. Assuming that the WiFi APs know that SSID 1 connects to VLAN 10 and SSID 2 connects to VLAN 20, then the switch ports connected to the three Unifi APs will be just like the switch to switch...

k6ccc

Why not just a set of firewall rules to catch port scanners. Those are well documented and work well. If the port scanner triggers, then the port knock never sees the triggers.

k6ccc

First guess is that you did not open a hole in the firewall for your NAT. Unlike many consumer routers, RouterOS does not do that automatically.

k6ccc

What you are doing is very similar to what I am doing and it's not at all complicated. I am curious why you want two VLANs if part of your statement is that devices on one VLAN can communicate with devices on the other VLAN. If everything on both VLANs can communicate with each other, why separate t...

k6ccc

I can absolutely assure you that the Wyze cameras do NOT require anything "special" to be opened on a reasonably normal router configuration. As long as a LAN device can get to the internet and responses get back to it, it will connect just fine. I have 13 Wyze cameras (2 Pans and 11 V2). Other than...

k6ccc

First of all, you are right - they don't respond to a ping. However that proves absolutely nothing since some network admins drop pings as some people consider it a security hole. If it really is on your end, please post your config, so we can see what you have. In order to export your config, follo...

k6ccc

I'm going to let someone else answer the setup in RouterOS as I have NEVER used a bridge in ROS. I know there are some particulars about setting up VLANs in a bridge, but I don't know details.

k6ccc

SwitchOS is strictly a switching OS whereas RouterOS is router OS that can play switch (but is optimized as a router). SwitchOS is far more limited, but if you only need switching, it works. There are a couple documented issues with the current version of SwitchOS - check out the SwitchOS section of...

k6ccc

I think sebus got your config incorrect. Please confirm that the CCR1009 has one link to the CRS125 and one link to the CRS326 (not that the two switches are daisy chained). Second, are you running the CRS125 and CRS326 in RouterOS or SwitchOS? What you are doing is easy, but we better need to under...

k6ccc

Just delete the lease and next time the device requests an address, it will get one from the regular pool.

k6ccc

I was not suggesting that you monitor it for them, but rather that they set up a free account with UpTimeRobot.com and UTR will notify them when something fails.

k6ccc

Yes. add action=src-nat chain=srcnat comment="Outgoing NAT from .201 LAN" \ disabled=no out-interface=E1-p10_DSL_Internet src-address=\ 192.168.201.0/24 to-addresses=208.127.104.77 add action=src-nat chain=srcnat comment="Outgoing NAT from .202 LAN" \ disabled=no out-interface=E1-p10_DSL_Internet sr...

k6ccc

@ivanobuffa
They were all part of a /24 network from my IP. I had eight addresses scattered through the range.
I will pull up my script later this evening. It was quite easy...

k6ccc

Does the switch have internet connectivity ?

Sent from a $&@#% iPhone using Tapatalk

k6ccc

@k6ccc So are you like a suburb of LA? Seems like your on the cusp of Mountains, must be beautiful and close to ski hills? (prevalent raging forest fires in that area)? Correct. Glendora is about 20 miles east and slightly north of downtown Los Angeles. The city moto is "Pride of the Foothills". Th...

k6ccc

I've been doing this for years. Until very recently my RB750r2 had one DSL connection with five static IPs. There were different LANs (mostly via VLAN) that each routed traffic out the same DSL, but via different IP addresses. All it takes is a simple outgoing NAT statement to get the outgoing traff...

k6ccc

There are two perspectives here. One is to have the router detect a failure and alert you. The other is to determine if the router is visible from the internet. For part two, I suggest UpTimeRobot.com They can monitor specific ports, a normal ping, a website, and various other things. They can notif...

k6ccc

Someone on the internet is trying to connect to presumably a web server on your internet address on port 8080. Why do you think this has anything to do with your DNS?

k6ccc

Instead of explicitly blocking each VLAN, Block everything with a not interface command (note the explanation point before the interface name): add action=drop chain=forward comment=\ "Block all interfaces except internet from VLAN 10" out-interface=\ !E1-p10_DSL_Internet in-interface=VLAN_10 You wo...

k6ccc

Allow what you specifically want allowed, then deny all. This is the last rule in the Forward chain. There is a similar one at the end of the Input chain.

add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"

k6ccc

Yes you can. With RouterOS only though.
Hi, elbob2002. Do you mean I can run ospf in CRS326-24G-2S+RM only booted with RouterOS.

OSPF is a routing protocol. Requires a router. When run under SwitchOS, the CRS326 is functioning as a switch - not a router.

k6ccc

This thread is an interesting read. I have two CSS326-24G-2S+RM and one CRS326-24G-2S+RM that got updated to 2.9 a few days ago. Obviously no fan issues since the 326 doesn't have fans. I have not observed any problems - so far (64 1/2 hours). I will be watching however... I'll laugh my ass off if M...

k6ccc

I'm using the CSS326-24G-2S+RM and CSS106-5G-1S for exactly that purpose. Quite happy with them.

k6ccc

OK, now on a PC with a real keyboard instead of my #$%&* iPhone, so able to give a longer answer... The CSS326-24G-2S+RM can only run SwitchOS, whereas the CRS326-24G-2S+RM can be setup to boot into either RouterOS or SwitchOS. When the CRS326-24G-2S+RM boots into RouterOS it has full router functio...

k6ccc

The CSS is SwitchOS only. The CRS is dual boot. In my opinion, if you need a switch, buy a switch - if you need a router, buy a router. I have five MT devices running Switch OS and very happy with them.

Sent from a $&@#% iPhone using Tapatalk

k6ccc

There is something being missed here. Export your configuration and post it.
/export hide-sensitive

k6ccc

Two thoughts. First, do your firewall rules allow the port forwarding? If you have an "all all DST-NAT" rule in the forward chain, that would take care of it, but if you don't do that, you generally need to specifically allow the forward. This is not likely the case since port forwarding worked on p...

k6ccc

I am doing exactly that. Here are the settings: First setup your E-Mail server information. I am using a G-Mail account. /tool e-mail set address=smtp.gmail.com from="Router #2" password=Redacted port=587 \ start-tls=yes user=address@gmail.com Then the script that creates the files and sends them: #...

k6ccc

Assuming you have everything configured correctly on your managed switch, hooked to eth4 (DSL modem connected to access port for VLAN VID=200) it should work. And it shouldn't be necessary to have dial-on-demand=yes ... Yes, it is. Every VLAN shows up on that trunk port except 100 (the cable intern...

k6ccc

OK, first a little background. I have a cable based internet and a DSL based internet. The cable is a single DHCP address and until today my DSL was eight static IP addresses that connect to three separate MT routers. Today, my DSL was changed to a single DHCP addresses with PPPoE (the change was fo...

k6ccc

You could use the "nth" filter option to drop every nth packet. so for 10% every 10 packet should be dropped.

Just learned something new. Did not even know that existed, but sure enough - it's there...

k6ccc

Hello guys, it is possible to permit icmp but dropping 10 percentage of the packets ? As kiaunel said, I don't know of a way to drop a certain percentage of packets. However you can rate limit certain packets to some number. For example 5 packets per second. add action=accept chain=ICMP comment=\ "...

k6ccc

But with 199 days uptime You are running 2.8, right? I upgraded from 2.8 to 2.9 (CSS326), and saw the increase in Rx Overrruns and Tx Pauses. They are too frequent to my liking, but I don't think they have a real impact on network speed. At least, not for me. Truth be told, although I use a 10GB tr...

k6ccc

Not my experience. Just looked at one of mine which shows an uptime of 199 days. There is 1 RX Overrun and 0 TX pauses. As I said, nothing faster than 1Gb/s....

k6ccc

Same here! Lot of tx/rx overruns on 10G port (SFP+ to CRS317) or pauses when flow control is enabled. I'll wait till next SWoS release and if it is not fixed will throw away and will declare it as another cheap junk. You are welcome to send them to me. I have been very happy with my CRS326 (in SWOS...

k6ccc

I am having issues setting identity of RB260GS. I wanted to set: LOCATION - OFFICE - DEVICEn However, I get cut out, and SwOS version is added after the name. Is this normal, or a bug? Or maybe a browser thing? Tried to the switch, but it didn't work. I don’t remember for sure, but there is a limit...

k6ccc

That Wiki post lists a large number of various rules and settings. Many of which need to be customized to your situation. Therefore, without you posting your configuration, we would only be guessing. Export and post your configuration.

k6ccc

set [ find default-name=ether4 ] speed=100Mbps

You state you are connected on ether4 which you have locked to 100Mbps

k6ccc

Until you can find out who is messing with your router, you can also set the computer to a static IP, and then it never will look for a DHCP address at all.
But I agree with the others, you need to figure out who is changing your router configuration.

k6ccc

at the moment best router/price around 50-70euros is HAP AC 2. everything you need in this small magic box! it has also 2.4ghz/5ghz wifi. models you suggest dont have wifi. https://mikrotik.com/product/hap_ac2 If you need WiFi. I have WiFi, but it's not combined with my routers - nor would I want i...

k6ccc

I started out at my house with a RB750r2 and it worked fine for me - until I got cable based internet that supported 124 Mb/s download via a gigabit interface. Because of strange stuff I was doing, I had a ton of NAT forwarding, and firewall rules in place along with at least a half dozen VLANs and ...

k6ccc

I know this is a two year old thread, but I'm in the same boat. I added info log entries all over the place and remarked every line and ran the script. Obviously it ran fine with just the log full of the log entries. I then started at the top and removed the remarks one line at a time until it bombe...

k6ccc

Like anav said, post your config or else we are guessing.. With that said, you said "the DHCP server". You need to configure a separate DHCP pool and server per VLAN. What you are doing with the RB750 (the one playing router) is somewhat similar to what I am doing with mine. Each of mine has one WAN...

k6ccc

It looks like you are trying to do this in "Quick Set". Get out of Quick Set and NEVER touch it again. Quick Set is a fairly simple way to do a VERY basic setup for a MT router. Kinda like making it stupid like most "consumer" routers. If you are trying to do anything beyond the basics, you need to ...

k6ccc

Will the mail server be on the same LAN as the rest of your stuff at home or will be it be on a separate LAN? If it will be on a separate LAN, it's really easy.

k6ccc

Did you read the website briefly? There is no reason to worry if you are an Internet user without your own domain name. This change is affecting you only indirectly and you do not need to take any other steps. I did read it. I have three domains that run on my own server, but I get DNS from a comme...

k6ccc

For you experts out there, anything about this that I as a end user running MT routers to get to the internet need to do or look out for?
https://dnsflagday.net/

k6ccc

I agreed with pe1chl. Even minor differences in router types are going to create issues that you will have to manually fix. A while ago, I replaced a RB750r2 with a RB750Gr3. Pretty close - you would thing it would be pretty seamless. Nope. Ended up importing in VERY small chunks in order to get it ...

k6ccc

Just drop it? add action=drop chain=forward in-interface=vlan100 out-interface=vlan200 add action=drop chain=forward in-interface=vlan200 out-interface=vlan100 Thanks would this keep the internet access . Yes. And I would strongly suggest that you spend a while reading the firewall sections of the ...

k6ccc

Updated my CSS106-5G-1S from 2.8 and all appears to be working. However, after the upgrade, this is what the Upgrade page says: Firmware Current Installed Version 2.9 (built at Mon Jan 07 2019 03:04:37 GMT-0800 (GMT-08:00)) Latest Available Version 2.9 (built at Mon Jan 14 2019 02:29:12 GMT-0800 (GM...

k6ccc

You have to let WinBox sit on the neighbors tab for 5 to 10 minutes before the switches show up. By George, you are right. Took hours, but three of my five switches have appeared. The CSS106-5G-1S two CSS-326-24G-2S are showing but the RB-260GS and CRS326-24G-2S (running SwOS) along with my RG750Gr...

k6ccc

A SwOS device will appear in the neighbor list in Winbox but you cannot connect to it using winbox. As I said, I'll have to take your word on that - None of my five MT switches are seen on the neighbor list on WinBox 3.18. I don't even see all of my MT routers in the neighbor list. I even confirmed...

k6ccc

I’ll take your word on it, but my WinBox does not see any of my switches.

Jim

Sent from a $&@#% iPhone using Tapatalk

k6ccc

First of all, once it is in SwitchOS, you can’t connect via WinBox. Must connect via the web interface.

As for your DHCP address, does your DHCP server show an address assigned?

Sent from a $&@#% iPhone using Tapatalk

k6ccc

Only time I have had one of CSS326 switches hang is when I had a problem DSL modem. The modem would crash, and after power cycling it, the switch would shortly lock up. Replaced the DSL modem after we determined that it was having a problem. Never had a problem with the switch since. Currently it is...

k6ccc

Are you doing something? By that, I mean have you started making parameter changes? If yes, what are you changing? Also, what version of WinBox and RouterOS?

k6ccc

The CSS326 runs SwitchOS and does not have a DHCP server. Although I normally run all of my switches with static IPs, I remember when I first got them and they factory defaulted to DHCP with fallback, the DHCP client worked. What is the setting of the Address Acquisition on the System tab? Also, wha...

k6ccc

But if no one reports it as a bug, Mikrotik wont try to find it. Talking about here on a users forum does not constitute a trouble report.

k6ccc

I have two of them at home - one is a couple feet from me as I sit at my computer. There is a grill for a fan, but there isn't a fan mounted.

k6ccc

Why are you wanting to use the same IP range?

k6ccc

Kennethven,
This thread is almost 5 months old. Who are you even directing that to? And there is no PM capability on this forum.

k6ccc

don't understand your question. Note that switches don't have macs only network devices.

Wow! I'm going to have to tell all my switches that they don't really have a MAC. That will be a shock to them. How do you suppose layer two works without a MAC?

k6ccc

You have the WinBox port set to a non-standard 8219. Are you specifying the non-standard port when you try to connect? BTW, I also use a non-standard port for WinBox access to my routers.

k6ccc

No. No way to know which LAN a packet is part of if they are both I tagged.

Sent from a $&@#% iPhone using Tapatalk

k6ccc

I have five switches running SwitchOS (listed in my signature) without any problems at all. Only thing fancy I'm doing is VLANs, but all of them have over a dozen VLANs at my house...

k6ccc

Please assist, i am network support agent, i have come across where i need to add/make mac reservation, static IP Reserve. I have to two questions, 1. If MAC address doesn't show up on leases, can i add it or maybe i need to plug LAN cable from RouterBoard to PC before? 2. How is IP DHCP reservatio...

k6ccc

You did not list your firewall rules. I assume that there is either a rule that allows the specific NAT through the firewall, or all NATted packets through the firewall. Does that rule or rules specify the input being the WAN interface? That would stop NATTed packets that are coming in on one of the...

k6ccc

Thanks vecernik87 for the longer answer. My short answer was courtesy of needing to get to bed

k6ccc

If you are just wanting to block ICMP packets, simply do just that. Something like this:

add action=drop chain=input in-interface=e1_Internet protocol=icmp

Obviously you would have to edit this to have the in-interface = whatever your internet interface is (as opposed to my e1_internet).

k6ccc

For starters, please export and post your configuration so we have some idea what you are doing.

k6ccc

You're still not really telling us what you are trying to accomplish (we're not mind readers). Also, you are asking about this in the SwitchOS section of the forum. Can I assume you are doing this on your CRS317 operating in SwitchOS as opposed to RouterOS?

k6ccc

Not enough information. What are you trying to accomplish?

k6ccc

For whatever it's worth, both of my CSS326-24G-2S switches with 2.8 have 17 VLANs and working perfectly.

I don't have any CRS317 routers.

k6ccc

Not knowing the details of how upgrades are released, my speculation is that 2.9 is not really released yet. Maybe they were about to release it, so it got into the notes, but then an issue was found and the release halted. Just a guess....

k6ccc

Has the same problem, purchased two new css326-24g-2s+rm , cannot acess the web GUI through 192.168.88.1 on both switches

What IP is your computer?

k6ccc

Don't use Quick Set.
Quick Set is very limited in what it can do.

k6ccc

I have a switch with 802.1Q VLAN setup, where I want to use a mikrotik router for DHCP. If I have a DHCP server on a tagged VLAN interface, this should work fine going through the switch? Have an IP phone not picking up DHCP, I'll try a factory reset of the phone How is the iPhone getting to the ne...

k6ccc

I do use port knocking (among other things), and log any connection attempts. Of course for step one I see hits somewhat regularly due to random scans. I have NEVER seen a hit on step two if it was not me. As sob said, most of the attackers are simply going after the commonly used ports. I do also h...

k6ccc

I have two CSS326, one CRS326, one CSS106, and one RB260 that are all running SwitchOS, in addition to three RB750 routers running RouterOS. My general philosophy is that if you want a switch, buy a switch and run a switch OS. If you want a router, buy a router and run a router OS. I don’t mix the t...

k6ccc

2.9 does nothing for me, so I likely won't bother with this one...

k6ccc

I see SwOS 2.9 was released today. Who's gonna be brave and give it a test run? Where are you seeing that 2.9 was released? Not on the software download page and no announcements here on the forum. Ah, one of my switches shows that: Current Installed Version 2.8 (built at Fri Jul 13 2018 04:37:06 G...

k6ccc

right now i dont have a busy state in my IPs. what's the command to see this status? address=192.168.13.42 mac-address=00:E1:00:86:1E:34 client-id="1:0:e1:0:86:1e:34" address-lists="" server=defconf dhcp-option="" status=waiting last-seen=1w3d20h30m23s I normally use WinBox and there it's easy. Jus...

k6ccc

is it possible to have them take the lowest possible IP? No. ROS assigns IP addresses from the top of the pool. You have no control of that. My recommendation is that if you have devices that you want to have a specific address, let them connect (so they show up in the DHCP Leases list), and then c...

k6ccc

From the Wiki: Lease status: waiting - un-used static lease testing - testing whether this address is used or not (only for dynamic leases) by pinging it with timeout of 0.5s authorizing - waiting for response from radius server busy - this address is assigned statically to a client or already exist...

k6ccc

Ahh of course... after having this enabled for a long time one forgets that it is even there...

Yep! Same here...

k6ccc

This is the last rule in my input chain. There is a similar rule in the forward chain. add action=drop chain=input comment=\ "Drop any other input packets that get this far" log-prefix=\ "Dropped connection" Remember how rule processing works. It's top to bottom, and if a rule is not explicitly drop...

k6ccc

You can set the "Note" to anything you darn well please.

k6ccc

You have a bunch of rules that add addresses to the Port Scanners list, but you never drop them. Do you have a drop everything rule at the end of the Input and Forward chains? My opinion is that dropping pings from the internet creates more problems than it solves. I know some people firmly believe ...

k6ccc

Your question is in the Switch OS section of the forum and your subject title asks about the CSS326 switch. However the text of your question asks about two specific routers. Are you trying to control BW in SwitchOS or Router OS? No way to do that in SwitchOS Sent from a $&@#% iPhone using Tapatalk

k6ccc

You really need (R/M)STP to run on top of LACP bonding if you add the "Switch C" for the whole system to work (your lower picture). The LACP bonding itself will be treated like one physical port by RSTP - it can't disable only part of it. But if there is no other potential loops, and the LACP bondi...

k6ccc

I would say so.
If you have many switches use of rstp becomes obvious...

Yes, makes sense.

Thanks for your help. Sounds like I largely had it figured out, but fully admit that I only knew enough to be dangerous!

k6ccc

Here's what I do to make a port knock easier. I have bookmarks in my browser for each one. Click the first one, wait a second, click the second on, etc. Takes seconds. This works if we are only managing 1 or 2 devices, but I am managing 500 routers in the field and increasing. This bookmark feature...

k6ccc

But for your question, when LACP or static team active rstp doesn`t play any role as it simply puts port in edge mode.

So in a summary, RSTP in this case is only there to prevent you from doing something stupid (or cover your backsides if or when you do). Do I have that right?

k6ccc

Thank you for your all responses, I have a couple simple questions at first. One when you select code to add in what option are you picking ? I assume you mean where I included my code extract. It's the symbol to the left of the quotation marks. You can also just type "[ c o d e ]" and "[ / c o d e...

k6ccc

LACP is for link aggregation. 2 ports on switch A and 2 ports on switch B. 2GB link between them with LACP. If not using LACP or static team 2 ports connected between switches would create LOOP. This is what RSTP is for. To prevent loops and lear about topology changes: Right. Got that part. 1. So ...

k6ccc

As Sob said, what you're doing is not overly helpful. At first I thought you were doing a port knock until I read it. You would do better with a port knock. add action=add-src-to-address-list address-list="Long Knock-1" \ address-list-timeout=15s chain=input comment=\ "Long Port Knock setup step 1" ...

k6ccc

Well, now I'm back to confused. First of all, I fully understand how bad a loop can be. Last year at work on a microwave network that supports a large public safety radio 2-way radio system, we had a loop protection failure that resulted in a broadcast storm that took down the entire network. Really...

k6ccc

I also have a bunch of Chinese cameras at home. I created a dedicated VLAN for them that is firewalled so that they can get to the internet (required for remote viewing), and nothing else on my home networks.

k6ccc

Thanks again. You pretty well told me what I thought I already understood from reading, but I had been confused when some other guy in a different thread told me that I should always be using RSTP. It will be a while before I have time to bury another conduit between the house and garage, so I'm in ...

k6ccc

Thanks for the reply. I'm curious why I can't use RSTP. I've read the Wiki about a million times (OK, not really a million) and don't see why I could not use RSTP, and in a different thread where this topic came up, it was recommended that I should always use RSTP. From my own research, I had assume...

k6ccc

Maybe I'm missing something here, but the RB750Gr3 does not have WiFi.
Note: I am not using MikroTik for my WiFi - only for routers and switches. So I could be missing something.

k6ccc

Do you have DHCP Snooping enabled on the end device ports of the switch (ports 1, 7, 13, & 15 if I counted right)?

k6ccc

What software version is your CSS? My CSS106-5G-1S is version 2.8 and is configured quite different than yours. The SFP is a gigabit link from this switch to a CSS326-24G-2S in my family room. It is exclusively a tagged trunk port. The two Open Mesh ports are WiFi access points that have both a non-...

k6ccc

I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port. The same exercise is needed when configuring RB running ROS if that RB is to be used as smart switch. Not that I would recommend that since HW offload is disabled and ...

k6ccc

Well, I for one am quite happy with my two CSS326-24G-2S and also the CRS326-24G-2S (running SwitchOS). I have not found any way in SwitchOS to determine the CPU load, so I can't tell you how much I'm loading them. Reality is likely not all that much. This is at my house and then also a MicroWave pa...

k6ccc

Nobody have anything?

k6ccc

Yes, thank you both for the education. I didn't really need it, but it was interesting. I have a different solution. I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port. Never does any LAN or VLAN appear on more than one ...

k6ccc

i noticed that the winbox port has change ... what can be the reason ? Can I assume that you mean that when you connect via the MAC address, you are able to see that the service port for WinBox has changed. If that is the case, you would need to specify the non-standard port. In your case, that wou...

k6ccc

Just an FYI, about an hour ago I installed a S-RJ01 into a CSS326-24G-2S that has SwitchOS 2.8. It behaved exactly as I expected. Link showed as down with no cable plugged in. When I plugged in a cable to a RB260GS with a third party SFP, the link came right up and showed 1G. Pings to both the far e...

k6ccc

Use non-standard ports for WinBox access to the PTPs. Then it’s just standard NATting to get to them from the internet.

Sent from a $&@#% iPhone using Tapatalk

k6ccc

EdPa, thanks for the explanation. A couple suggestions to pass along to the software people. Any chance of making the VLAN and VLANs tabs look and operate the same between the CSS326 and the CSS106 & RB260GS. I have both types of switches and it is annoying to have to think quite differently between...

k6ccc

I don't believe that the WatchDog timer is for a specific link, but rather looking for internal process locking up. Hence, no IP to be pinging.

k6ccc

Taking your thought, I did a comparison of the Saturday night and Sunday night script files for both routers - before and after my updates Sunday morning. There were only two differences. First is that the software version was different. Well, it darn well better be! Second was a login script that w...

Search found 514 matches