MikroTik

k6ccc

Different log on accounts for the computer that is running WinBox?

What are you trying to accomplish?

k6ccc

It will involve setting up a bridge, but I don't use any bridges in my routers, so I can't help you much. The Ethernet port and the WLAN need to be in a bridge, but that's about my limit on bridges.

k6ccc

I can't help you at all with your problem, but for future reference, a more useful message subject would be helpful. For example: I need help with VMware esxi

k6ccc

If I'm understanding your question, it is doing what it's supposed to. From the Wiki:

The configuration restore can be used for restoring the router's configuration, exactly as it was at the backup creation moment, from a backup file.

k6ccc

Hmmm, interesting. You are right, not there..

k6ccc

Both methods work. The one accept all DST-NATted is certainly the easy route, but I wanted him to know why his rules did not work right - in other words, he might learn something. The other part is that there are times where you have a need to either not use the one accept rule, or to not use it for...

k6ccc

However, there is a major bug with the current release version of swOS not working with VLANS properly, which makes them unviable for anything except a lab setting. I would advise waiting until 2.13 is officially released. Oh really? Don't tell my six Mikrotik switches that are all running 2.12, an...

k6ccc

Two of your code segments. The first is you DST Nat rules. I am going to assume that the first one (the port 80 TCP) is really like the port 80 UDP, but got mangled in the export and paste. Assuming that is true, those rules are fine. add action=dst-nat chain=dstnat comment="NGINX Proxy Port Fo...

k6ccc

And to answer part two of your original question, yes the default firewall rules are fairly good for most purposes. If you are replacing a consumer grade router with a Mikrotik, the default configuration will work just fine. When you want to allow other stuff (such as your SSH question) is where the...

k6ccc

That's a fairly old version of RouterOS. Just a stab in the dark. Update to a current version of RouterOS and see if the command to switch to SwitchOS is there.

k6ccc

There is traffic from my PC. So let's check the browser page. (Chrome has the developers tools built in).
And the browser is checking upgrade.microsoft .com to fill in this page. The switch is not initiating a request.

Ain't that interesting...

k6ccc

The only thing with this "answer with src IP and src MAC as destination" mechanism is that the switch cannot initiate a connection to something outside the own subnet, as it does not have a clue on the gateway to use. But I see no process that initiates a connection from the switch (like ...

k6ccc

I have not found a situation where I could not access any of my switches. At the very least, the computer is on a different VLAN than the switch is listening on, so traffic is going through a router or two to get there and it always finds its way back. This computer has an IP on my .101 LAN. Althoug...

k6ccc

I have several of those and have not had any fail - for whatever that's worth...

k6ccc

If you are happy with the CSS326-24G-2S+, I would get another one. Extra ports are always useful. Amazing how ports can get used in the future. In full disclosure, I have two of them (with rack ears) here at home plus a CRS326-24G-2S+RM that is running SwitchOS up at a local radio site and I am very...

k6ccc

That was going to be my guess - old version of WinBox.
Glad you got it resolved.

k6ccc

iPhones are doing the same thing with a recent update. At least on the iPhone you can turn it off for a specific WiFi connection. If the Lenova has the same option, you could set up a rate limit so that if someone is not using one of your DHCP reservation IP addresses, they get limited to slow speed...

k6ccc

Yeah, seems like I'll have to give up on this idea. I'd hoped to just jam the coax to my ethernet plug, and maybe punch in some PPPoE credentials manually or something, but yeah I'm forgetting that there's more to it than just whether it fits in the slot or not. That would be about like thinking yo...

k6ccc

I group all my chains together. As noted before, the router does not care, but it makes it far easier for the poor human being that has to read it - that would be me. You can also create any other chains that you want. Speeds up processing if you can jump to a different chain for one certain type of...

k6ccc

...without saving the host in the Managed list (for security reasons) What's your issue with using the managed list? Only someone who logs onto your PC with your account will see your list, and as Normis pointed out, the file is encrypted if you use the Master password. Keep in mind that the IP of ...

k6ccc

I would agree, configure the EeroMesh device that has a wired connection simply as an access point, an let the MT handle the router functions.

k6ccc

God, I hope so! I am running VLANs on every one of my Mikrotik switches. I have five MT switches here at home, and lots of VLANs. I would hate to find that what I have been doing for years doesn't work :)

k6ccc

Not following what you are trying to accomplish. Can you draw a picture of what you want to do?

k6ccc

Keep in mind that really the only thing you would do via MAC Winbox is to enable proper ways of accessing the router. Think of it as an "Ah crap, I messed up, let me fix my screwup".

k6ccc

The 100Mb/s sounds suspicious. Check the connection speed on the laptop. Could be a cable issue. Gigabit normally requires all four pairs whereas 10Base-T and 100Base-T only uses two of the pairs.

k6ccc

I am doing essentially what you are trying to do with a RB750Gr3 (Hex) with my normal internet as port 1, and a ham radio network as a second WAN when happens to be a VLAN on port 4. Works fine. Does require a little care in routing tables, and of course firewall rules to keep the intended traffic s...

k6ccc

I lost my lain text .rsc files for the router config For future use, automatically produce a new (current) .rsc file on a regular basis. I have a script that produces the binary .backup and a plain text .rsc files and sends them to me via E-Mail. That scrip is run via the scheduler every night. Now...

k6ccc

How about asking a question. The subject is so vague, and other than that, you don't tell us what you are trying to do, or what you need help with.

k6ccc

Not in SwitchOS.

k6ccc

I changed my laptop's IP to static 192.168.88.2, and was able to log into the switch, but as soon as I tried to change switch IP to 192168.1.58, I lost connection. That would be correct. As soon as you changed the IP on the switch to 192.168.1.58, your PC can no longer access the switch until you c...

k6ccc

It is a bug/shortcoming in RouterOS. When you add a new package, the default configuration for that package is not applied. Workaround: always enable IPv6 as first thing when you receive a new router, then update to the newest RouterOS version, and then reset to factory defaults. When you do the re...

k6ccc

Nope. Doing so would likely release the magic smoke that makes all electronics work. Combining transmitters into a single antenna can be done, but it's not something that is plug and play - or inexpensive.

k6ccc

Can I assume "Big Sur" is a name for a recent Mac OS? I don't speak Mac.

If that is the case, don't hold your breath. Mikrotik has never supported Mac OS, and appears that they have no interest in doing so.

k6ccc

I use switches exclusively as switches and I use routers exclusively as routers - the two functions do not cross. In fact, the only reason I have one CRS326 is that I ordered a CSS326 and the vendor incorrectly sent me a CRS326. When I contacted them about it, they said it was not worth the effort a...

k6ccc

There's a version of OS available which has everything you want. It's called ROS. Yes, ROS device can be configured as a switch, doesn't have to be router. That does not help with switch only devices (see my list below). And for managing switches, SwitchOS works very well. With that said, it would ...

k6ccc

Beats me, but I concur that unless it's well hidden, there is no way to join.

k6ccc

If it is still on a factory config, it will be 192.168.88.1. If you changed it, you need to point your browser to the address that you changed it to. If you changed it to DHCP, whatever device is operating as a DHCP server should be able to tell you what address it is using. If you can't not find it...

k6ccc

Look at ACL rules. I've never used them so I can't give you examples, but MAC filtering is in the options.

k6ccc

The only aspect I don't like, is the fact that you lose access to the switch from any port that is not routed by the specified VLAN (10 in my scenario). Because if my upstream router dies or is misconfigured, I also lose access to the switch. I guess that my next purchase will have a console port ;...

k6ccc

Can you hook up the switch to something that will provide a DHCP address (usually your router). Then look at the DHCP server to see what address was assigned. Then try to go to that address.with a web browser.

k6ccc

I don't have that switch, but am very familiar with SwitchOS. What you are reporting does not make a lot of sense. BTW, I suspect you typoed something in your description because the DHCP range for VLAN 2 does not include the switch management address. However, I suspect that was a fat finger item.....

k6ccc

That is one of my pet peeves - We won't tell you what the password requirements are - but there are requirements. Unfortunately that is VERY common!

k6ccc

Is this on Amazon AWS? If not, why are you using their IP addresses? it's private ip , so why don't use Highly recommend that you don't use a public address on your private network. There are private IP ranges for a reason. Using someone elses address range wiil come back to haunt you if you every ...

k6ccc

I had not really paid attention to the model of switch that you are using. Apparently that is a very new product and the software download page has not been updated with the new model. As this is a user forum, you might be better off sending a message to support@mikrotik.com That will get directly t...

k6ccc

Go to the Mikrotic downloads page: https://mikrotik.com/download
Download the appropriate file and do a manual upgrade (near the bottom of the Upgrade tab).

k6ccc

You are not giving us much info on your configuration. Are you trying to access the switch via one of the trunks or have you designated a specific non-tagged port as your "management" port? As xvo said, you need to tell the switch what port or ports and what VLAN management access is allow...

k6ccc

Like the others who have posted, I have very very issues with WinBox (what I normally use for most purposes). I find it easy to work with. It is FAR better than the GUI for the Juniper routers we have at work. I use my MT routers strictly as routers (no switch functionality, but lots of VLANs), so t...

k6ccc

You did not tell us what fiber SFPs you are using. You did specify that the ones having problems are using multi-mode FO cable. Makes me wonder if there is a mismatch between multi-mode and single-mode - either with the jumper cables or with the SFPs. From what you said, I am gathering that you are ...

k6ccc

I can confirm it as well in 3.27 64 bit version. However, you are going to need to put something in that field regardless of what defaults there, so this is not really much of an issue. Note that this is on the Bridge VLAN page as shows above and not the interface VLAN page (where the default is 1 -...

k6ccc

if any of the hosts have open ports (a web, ftp, or mail server for example), you can send tcp pickets to those ports and get a response. Most monitoring services can check for all sorts of ports. And this approach makes a lot of sense, because a response to a ping tells you nothing more than that ...

k6ccc

Nope. icmp does not have ports (unlike udp and tcp), so all you get is IP. If you have multiple public IPs, you can have each public IP NAT to a different host, but if you only have one public IP, you only get one. Now with that said, if any of the hosts have open ports (a web, ftp, or mail server f...

k6ccc

Yep. If you have only one public IP, you can only ping one host.

k6ccc

I just set this up on one of my routers. This is working fine. Note that if you don't have a forward rule to allow anything DST-NATted, you will need to build a specific rule to accept these packets. http://extraphotos.info/mikrotik/ICMP-NAT-1.png http://extraphotos.info/mikrotik/ICMP-NAT-2.png Also...

k6ccc

You are almost there. Add the In Interface, and on the Action tab, set for DST NAT and tell what IP to send it to.

k6ccc

Correct, icmp does not have ports.

k6ccc

You're not giving a lot of information. It looks OK on the CSS326 as long as the other end is configured to initiate the LACP.
Also, what SwOS version are you running?

k6ccc

No different than any other NAT except the Protocol is icmp instead of the more common tcp or udp - I ran one for a specific purpose a while back.

k6ccc

I don't remember seeing any mention of it in any updates. Push really comes to shove, I likely could test in here.

k6ccc

Same here. My password was invalid - it said. Used the "I forgot my password" link. "reset" my password to what it has been before - 4 capital letters, 4 lower case letters, 7 special characters, and 1 number - cryptic crap generated by my password manager.

k6ccc

update to version 2.12 and I deleted the Mac Address and the Series. Any solution? I don't understand your statement. What do you mean that you deleted the MAC and the series (or was that supposed to be Serial?). You as a user do not have the ability to change either of those fields from the GUI, a...

k6ccc

Make sure that you have either a firewall rule that allows that port in the forward chain or a rule that allows anything DSTNAT forwarded to be accepted in the forward chain.
Creating a port forward does NOT automatically allow that through the firewall (unless you have a allow anything DSTNAT rule).

k6ccc

Good grief, I just downloaded 3.25 yesterday.. Anyway with 3.27 (64 bit version), file list and log are working on my RB750Gr3 and RB750r2. Good grief, do you not check for updates at least twice daily?? I know you are largely just being funny anav... Actually I check this forum fairly regularly, a...

k6ccc

Can't replicate that on my RB750r2 with 6.47.1. Worked fine.

k6ccc

Good grief, I just downloaded 3.25 yesterday..

Anyway with 3.27 (64 bit version), file list and log are working on my RB750Gr3 and RB750r2.

k6ccc

On the VLANs tab, For each VLAN, check the boxes for the ports that will access that VLAN.
To add VLANs to the VLANs tab, press the APPEND button at the bottom. Then edit the VLAN number and ports.

k6ccc

Here are a couple screen shots from my CSS326 that should help. BTW, I posted this and then realized that the screen captures were quite dated. I edited the post with new captures, so if you looked at this within the first 5 minutes after I posted it, the images changed. If you see this this text, y...

k6ccc

As far as I know, you are the first person to report this lockup under ROS. This entire thread has been about SwOS.

k6ccc

Use WinBox, not WebFig, and in addition to the above suggestions, use non-standard ports.

k6ccc

6.47.1 is working fine with WinBox on both my routers. Did you change anything?

k6ccc

Coming up on 36 days and still good on both of mine..

k6ccc

Not enough detail. What are you trying to accomplish?

k6ccc

I only looked at a few of them, but it looks like you have set up a NAT with logging enabled. In that case, there will be a log entry for every packet. Turn off logging on your NAT.

k6ccc

Let me see if I have this right. You add firewall rules to detect and stop port scanners, then you complain that it does exactly what you asked it to do (stop a port scanner). If you want to do a port scan to see what might be open, yes, you will need to disable your port scanner blocker rules while...

k6ccc

I don't believe that is correct. Optional will allow either untagged or tagged packets, but you still need to tell the switch what VLANs are on which port. At least that is my understanding (and my observation for ports that I have set to optional). I just did a test. I have WiFi access points that ...

k6ccc

You are only showing one firewall rule in the input chain - and that is a drop everything. Based on that, there must be more to it that you are not showing us, else nothing into the router would work at all - including your ability to communicate with the router. If you want our help, you need to pr...

k6ccc

My strong suspicion is that the IPTV is using a VLAN and the "normal" computer internet is untagged. That way, if you plug a computer into it, it understands the untagged traffic. The TV box is set up to look for a VLAN so it is happy too. Assuming that is the case, you will need to set up...

k6ccc

Knowing virtually nothing about IPTV (other than what I have read on this forum), are all four ports on the ISP router usable for either internet or TV, or are there specific ports for each?

k6ccc

We need to see what his configuration looks like. Until we see that, we are guessing.

k6ccc

Most dumb switches will handle VLAN tagged traffic because they will simply ignore the VLAN tagging, and pass them along. Most smart switches understand what a VLAN tag is and process them, and then handle them as such. Sorry for the torch reference - I had RouterOS in mind when you said you were ru...

k6ccc

If I were to hazard a guess, the IPTV is likely using a VLAN for connectivity. Using Torch on the ports that the TV boxes are on may shed some light.

k6ccc

You are wanting to operate very similar to my RB750Gr3 - it is strictly used as a router and all switch functions are handled by a separate switch (CSS326-24G-2S in my case). I have never had a bridge on any of my routers. By default a router will route traffic between LANs, so you must put in firew...

k6ccc

Additionally, once you have made any config changes to your router, you should NEVER use QuickSet. QuickSet will happily overwrite your changes for you.

k6ccc

I don't run hotspot, so I can't help, but I get the idea.

k6ccc

You are really close. As soon as a new device sends a packet, the switch learns the MAC of that device and stores that and what port it was on in it's hosts table. As long as the device does not move to another port it will remember where it is (it should have a timeout in there). As long as the MAC...

k6ccc

If you look my first screen capture, under Open Mesh #1, you will see that VLAN receive mode is set to "Any", and the default VLAN ID is set to "201". That means that port 1 will receive either VLAN tagged or untagged traffic, and that inbound untagged traffic will be assigned to...

k6ccc

By default, a Mikrotik router will router whenever it can. In other words, unless you block it with a firewall rule, it will happily route between VLANs. In each chain, the router will start at the top of the firewall rules in that chain, and keep processing rules until it finds a rule that matches,...

k6ccc

WAY not enough information. What are you talking about?

k6ccc

I am in the exact same situation with my WiFi nodes, and I have two of them fed from a CSS106-5G-1S (proper name for the current RB260GS). Here are a couple screen captures: http://extraphotos.info/mikrotik/CSS106-VLAN.PNG Open Mesh #1 uses VLAN 201 as it's untagged management LAN, and Open Mesh #2 ...

k6ccc

I use SwitchOS quite a bit, but I have never needed to use ACL. My suggestion would be to play with the options and see what works. Then post it here so maybe someone else will know too...

k6ccc

Hey everyone, we have several CSS326-24G-2S+ and updated them to 2.12 today. On each of our switches all used ports are flashing sinchronal and we are wondering if that behaviour is normal? The switches work fine as far as we can judge. Could be. I'm not home right now, but one of my CSS326 switche...

k6ccc

Anyone running the new firmware notice any issues? How's it working?

My two CSS326-24G-2S+RM are working fine on 2.12 - so far.

k6ccc

Or someone has plugged in another router on your LAN without you knowing it. Most likely they were looking for switching only, but left the DHCP server enabled.

k6ccc

Check your DHCP pool or pools. sounds like you have two DHCP pools with the first one set for 30 addresses with a Next Pool set to another address pool. The DHCP pools on one of my routers as seen in WinBox showing most of the pools have only 10 or 20 available addresses and none of the pools have a...

k6ccc

That is very similar to what I am doing. I am using my routers (RB750r2 & RB750Gr3) exclusively as routers. The different LAN ports connect to managed switches that handle ALL switching function. I don't know if you will have any downstream switches, or will each port be connected to a single de...

k6ccc

For a small number of IPs that you want to check, you can create a passthrough fire wall rule that does not do anything except count packets. I have a bunch of those rules - although generally most are disabled except when I am doing some specific test that requires that particular rule. This would ...

k6ccc

For lag config you would set both sides to active to have them participate in the group. One of the changes in this version was to allow lag to work with only one member active. While there could be an issue with how much membership traffic is sent, this is really a config issue on your end. I did ...

k6ccc

I don't see anything that jumps out at me that would cause the problem that you are seeing. About the only config change you may want to try (although it should not matter) is to change the NVR and FO connections on the VLAN tab to VLAN Mode = Disabled and VLAN Receive = Untagged Only. May also try ...

k6ccc

Several of your answers were non-answers (such as asking which of two options were you using and your answer was "no"). However, I think I largely figured out what you are trying to do. As far as I can tell, you are really only using the CSS106 on the 172.16.x.x network as a dumb switch an...

k6ccc

Here is mine. Feel free to adapt for your own purposes... # Policies needed: ftp, read, policy, sensitive, test # Policies NOT needed: password, reboot, write, sniff, romon :log info "Starting daily backup"; /system backup save name=RB750Gr3-1_Daily /export file RB750Gr3-1_Daily /system pa...

k6ccc

If all you want to do is create a binary backup, but leave it on the router, you don't need to allow that for your limited user group. Create a script to create the file and then a schedule that runs the script at whatever interval that you want. You can also have your script send the file somewhere...

k6ccc

Still not enough detail. For the moment, I am going to assume that you are trying to access the NVRs from the 192.168.0.x side of the drawing (or from the internet), and that you can successfully access the NVR, but the NVR can not see the cameras. Is that correct? Or are you directly trying to acce...

k6ccc

SwOS version 2.12 on CSS106-5G-1S do not work with VLAN on trunk port in state "enable" or "strict". Work only in "optional". I access to switch throw this trunk port. Allow From VLAN set for number VLAN that exist in VLANs and trunk port set "leave as is" (i...

k6ccc

A little more details on config. For starters, how are you subnetted? Is there a router involved in the equation? All on one VLAN or more than one?
That's a good start...

k6ccc

Followup. Great news. I have now performed both my LACP test and enabled IPv6 which caused both switches to crash earlier this year. Here is a simplified drawing of my LAN. http://extraphotos.info/mikrotik/LAN_simplified_drawing.png Last April, I had enabled IPv6 on router #1 and essentially instant...

k6ccc

My initial tests are looking good for 2.12. I repeated my April test by enabling IPv6 in an attached router, and both switches are working just fine.

k6ccc

Two major improvements for me. First is the intermittent lockup issue that has plagued SwitchOS for quite a few releases. I will be repeating the test that I did back in April that caused both switches to lock up almost instantly. The other major improvement for me is that LACP will now work properl...

k6ccc

I'm sure that this has not been fixed because it is such a odd situation that causes it to happen. That makes it hard to replicate. As far as I know, I have only had it happen when I enabled IPv6 in the Mikrotik router that is attached to the garage switch. My arrangement is that my internet service...

k6ccc

how do I add secured addresses to the list?

Firewall rules to allow access or allowed addresses to log on - or both.

k6ccc

Sorry, duplicate post...

k6ccc

I have only done an import once - when I upgraded a RB750r2 with a RB750Gr3. I found the same thing. Had to break up the file into a bunch of small pieces to get it all to work. Like you, stuff was in the wrong order, and stuff in the default config conflicted with what I was trying to import. Ended...

k6ccc

Sorry, duplicate post

k6ccc

You gave us no useful information to work with.
What system? What equipment? What firmware? What is the network configuration? What is the problem? Anything else that might tell us (we're not mind readers)?

k6ccc

Thanks.
I wonder if I had discovered and forgotten about that sometime in the past. When I looked at my router 2, both mac-winbox and mactel interface lists had all interfaces, but when I looked at my newer router 1, only the local LAN was listed for both.

k6ccc

I am taking it that you mean that it is logging you back out of the router as soon as you log in. Can you connect to the node via WebFig or a terminal window and look at the log and see if that gives a clue what is happening?

k6ccc

OK, I have never given that any thought because I have never used MAC WinBox. How do you block MAC WinBox - either completely or selectively? Since it's not IP, the IP firewall and ports rules do not apply.

k6ccc

When the whole concept of SFPs came about, the concept was that they would be universally compatible. However reality is that some work and some do not. This is not at all unique to Mikrotik. Simple answer it to buy the SFPs that the device manufacturer recommends. They have tested them and know wha...

k6ccc

Originally you were trying to forward to a different address in addition to a different port. DST-NAT would be appropriate for that. However as sutrus said, it's different if you are only changing ports.

k6ccc

Your action should be DST-NAT - not Netmap.

k6ccc

I'm a little curious how many routes you have, that it can't display in WinBox. I just looked at my RB750 and there are 29 routes of which 12 are static.

k6ccc

There are several ways that vary in convenience and security. Preface: I DO NOT RECOMMEND the first couple!!! The absolute simplest is to allow WinBox or WebFig access via your internet connection <-- NOT RECOMMENDED A couple things you can do that somewhat improve the security of that. Use of a non...

k6ccc

First of all, what chain does what. Traffic that is destined to something on the router itself (Winbox, SSH to the router, etc) is affected by the INPUT chain. Traffic that is destined to something other than the router but has to be routed through the router (A PC accessing a web page, etc) is affe...

k6ccc

Dot1x is used when we have mikrotik switch .

Can you clarify that. Do you really mean mikrotik SWITCH or ROUTER?
I don't see anything in SwitchOS to support 802.1x

k6ccc

On my moderately quick read, my initial suspicion appears to be right. Your source NAT is specifying that all outbound traffic from the LAN to the internet use the .140 address. For the one service that is destination NATed using the .141 address, when your server replies, it is also going out via t...

k6ccc

Glenn, I have a script that does essentially exactly what you want. I fully admit that I got most of the script from a post here several years ago and modified it for my own purposes. In my case, I am checking for login, logout, login failure, and several port knock conditions. The script writes a c...

k6ccc

Based on the rather limited information that you gave, it would appear that all you outbound traffic is going to use your .140 address. That would mean that traffic to your .141 address is going come back to the origination from a different address (the .140 address), so the external source is going...

k6ccc

I had to Google "Private VLAN" to see what you were talking about - never heard that term before. The thread on VLAN setup likely does not mention "Private VLAN" because PVLAN really has nothing to do with VLANs. A so called PVLAN is using switch port isolation in order to sort o...

k6ccc

Honest opinion, do it in firewall rules rather than your route rule. The reason is that one of these days, you are going to want to allow something to get between LANs. For example you may want that one PC on one network to be able to communicate with one device on the other network. Much easier to ...

k6ccc

duplicate post (sorry).

k6ccc

I'm going to preface this with I am not the expert here as I do not do any switch functions in my routers (routers only route, and switches do all the switching). However, If I followed it right, you are sending VLAN tagged traffic to the printers and they have no idea what to do with VLAN tags.

k6ccc

You largely need a router to accomplish what you are trying to do. Here's the problem. When you put both VLANs onto a single port (the NAS for example), the data stream from the switch to the NAS will have all the traffic VLAN tagged. Since your NAS presumably is not capable (or at least not configu...

k6ccc

As for managed list, I tried it and got nowhere - bad password. I fear I played with ROMON in the past and I have an old password so locked out? So what should one do if one cannot remember whatever master password was set in winbox?? I have never used RoMON, and I do not have WinBox save passwords...

k6ccc

Are you trying to "find" the router by expecting it to show up in the neighbors list or did you save the IP in the Managed list? Personally I find that the neighbors list to be only slightly less useful than worthless. For example I opened it when I read this message. There are two Mikroti...

k6ccc

That is a very simple setup. Easiest way to explain it is to show you screen captures of one of mine. Assuming that this is a new install, I would assume it is a CSS106 running version 2.something firmware. First on the VLAN tab: http://extraphotos.info/mikrotik/CSS106-VLAN.PNG In this example, igno...

k6ccc

Input Chain only affects traffic that terminates in the router itself. Forward Chain affects traffic that passes through the router (what you are trying to do). Output chain affects traffic that originates in the router itself and is outbound to someplace else.. You can make all the rules in the wor...

k6ccc

Can't help you on the bonding part (never done that), but VLANs are a piece of cake in either RouterOS or SwitchOS. As for routing between VLANs, RouteOS will automatically do that unless you specifically exclude that in firewall rules.

k6ccc

That is easy, and fairly close to what I am doing with my CSS326 switch. First the VLAN tab: http://extraphotos.info/mikrotik/CSS_VLAN_for_gelcom.png I skipped a few ports so you would not need to figure out other stuff. Port 1 is my cable internet and gets assigned as VLAN 100. Port 9 is my DSL int...

k6ccc

When you are able to get into it, on the system tab, check the status of the first two lines: Address Acquisition, and Static IP Address. As I recall, by default it will come up looking for a DHCP address. If you can't get into it, check your router to see if it assigned an address to the switch. Th...

k6ccc

Start by spending a while reading the Wiki: https://wiki.mikrotik.com/wiki/Main_Page If we just tell you the answer, you don't learn. If you read the Wiki, most of your questions will get answered, and you learn what the answer means. When you can't figure out some specific detail, then ask. You may...

k6ccc

Thanks, might be helpful. I tried to change router to my old TP-link one. I was still unable to portforward although it's "easier" UI, its probably about my new ISP blocking something and I've reached out to them. Thanks a lot for your reply though, I'll make sure to post an update if it ...

k6ccc

One other addition. Keep all the rules in a particular chain together rather than mixing input, forward, output, whatever else you might add later. It does not make any difference to the router, but it makes it FAR easier for us human beings to read.

k6ccc

NAT is actually very easy. Here is the command for NAT for my web server: add action=dst-nat chain=dstnat comment="Web Server on Jupiter." \ dst-address-type=local dst-port=80 protocol=tcp to-addresses=\ 192.168.101.11 to-ports=80 Then in Firewall rules, an accept for either that specific ...

k6ccc

"VPN Access" checkbox the QuickSet window...

Step one - stop using QuickSet. QuickSet sort of can be used one time for an initial setup (ONLY IF YOU REALLY NEED TO), but as soon as you make ANY other change to the router config, then NEVER AGAIN touch QuickSet.

k6ccc

I agree with anav. Let the hex do all the routing and DHCP, and use the hAPs strictly as access points. Use different VLANs to keep things apart as needed.

k6ccc

You really should not have two DHCP servers that are supplying IP addresses to the same LAN. Two DHCP servers feeding different LANs (or VLANs) is expected, but not on the same LAN. If for some reason you REALLY think that you need two DHCP servers on the same LAN, make sure that their address pools...

k6ccc

(1) what firewall rules that I miss? All of them. You have absolutely zero operational firewall filter rules. That means (among other bad stuff), your router is fully accessible from the internet. At the absolute least, restrict access to the router itself from WAN port. Start by reading this secti...

k6ccc

Anav is right. Both your switches are SwitchOS only and therefore they are configured exclusively via the web GUI. BTW, I have several CSS326 and a CSS106 (and another of it's predecessor the RB260GS) and they work quite well as a managed VLAN switch.

k6ccc

I have the /30 setup correctly. Traffic moves through the router. On the other hand, I am not planning on using public IP addresses for everything. I want to have two separate lans eventually, each using a separate public IP address. With a /30 CIDR, you only have two available addresses - one is f...

k6ccc

Although not entirely what you describe, but most of my switches have one trunk port to somewhere else with all VLANs appearing tagged, and some number of untagged ports (in quite a few cases only one other port) on a particular VLAN. It works fine for me, but I have MAC learning turned on. In a VLA...

k6ccc

There already is "/tool ip-scan" which scans using ping, arp, snmp and netbios and does IP lookup in DNS. Maybe you can specify what other features you would want it to have? (like other services it should scan for, or to have a list of ports) There have been a bunch of various posts, but...

k6ccc

Well, this one finally caught me last night. Below is a simplified drawing of the routers and switches here at home. I did not include any of the end user devices. I enabled the IPv6 package on router #1 and commanded the reboot. As far as I can tell, shortly after the reboot, I could not get into a...

k6ccc

Short answer is yes.

k6ccc

You need to give us a little more information. First of all, which router? Yes, the hardware makes a difference as different hardware has different capabilities. What version of ROS? Again, different versions have different capabilities. What are trying to accomplish? The only thing I can think of i...

k6ccc

WinBox is fine. Forward chain is a normal chain in the firewall rules - not on the NAT tab (which will normally be srcnat and dstnat).

k6ccc

Lookup hairpin NAT.

k6ccc

You gave us so little information that it is hard to help. For example, you showed that some pings worked - but no information on what was being pinged or from where. If you are allowing only untagged traffic on the test port, why are you allowing more than one LAN on that port?

k6ccc

Draw a circle on a piece of paper and you just got a pattern for the omnidirectional antenna.

k6ccc

You are making your life a bit more complex than it needs to be. Your rules 16 - 20 are completely un-needed because rule 21 is going to drop all of that anyway. As a general rule of thumb, most of us specifically allow what they want to allow and then drop everything else at the end of the chain. H...

k6ccc

Since you have changed things from your original screen capture, please post you current firewall rules.

k6ccc

Just an FYI, I have 19 Wyze cameras behind one of my Mikrotik Hex routers, and they work just fine. It really does not take anything special to get the Wyze cameras working. What works for your laptop or phone would work fine for the cameras. In my case, I have the cameras on my IoT network - which ...

k6ccc

Until my ISP changed things around on me, I was doing exactly what you want to do. On my DSL, I had eight static IP addresses. All were in the same subnet. Here are a couple code segments that should help. First create the addresses on both the DSL and each LAN (two of which had a physical port and ...

k6ccc

@dke, That thread is from four years ago and they are talking about the old RB260 that maxes out with 1.x firmware - NOT the current RB260 series (also known as the CSS106-5G-1S) which uses firmware versions 2.x. Yes, the current product with current firmware does as you describe (I have one), but w...

k6ccc

Can you ping 192.168.88.254 from site 1? I'm not at all familiar with the pfsense routers, so I don't know if they have the ability to be configured to not respond to pings.

k6ccc

As for getting a new IP from the DHCP server, assuming you are using DHCP reservations in the DHCP server, simply give the MAC for the switch a new IP. Next time that the switch requests a new IP, it will get the new address. Nothing to do in SwitchOS. Obviously this is not instantaneous, but the sw...

k6ccc

Yes, out of the box, all ports will talk to each other. To keep from using an IP address, you could give it a static IP outside your IP range. But are you REALLY that short of IP addresses on your LAN?

k6ccc

My first guess is that your forwarding rule is not specific enough. For example, if you forward all port 443 traffic to something, then ALL traffic including your outbound https traffic will go there. On the other hand, it you only forward port 443 traffic that is inbound on your WAN connection, the...

k6ccc

That's RouterOS, not SwitchOS.

k6ccc

I am running very similar at home. These screen captures were done on a CSS326 for a different purpose and are a little out of date, but might give you some ideas. Links page: http://extraphotos.info/mikrotik/CSS326_Links.png VLAN tab: http://extraphotos.info/mikrotik/CSS326_VLAN.png VLANs tab: http...

k6ccc

You need to give us a better idea of what you are trying to accomplish. Not enough information given.

k6ccc

For what it's worth, I just updated a CRS326-24G-2S+, two CSS326-24G-2S+, and a CSS106-5G-1S from 2.9 to 2.10 without incident. Watching pings to the CRS, I dropped three pings during the restart, and on both CSS326 switches, I dropped one ping during the restart.

k6ccc

What you are asking about is very similar to what I am doing. The only difference is that I am using my routers (a RB750r2 and a RB750Gr3) exclusively as routers - no switching at all. Each LAN or VLAN has only one port on the router (may be a dedicated LAN port, or may be a VLAN trunk port). All th...

k6ccc

Amm0 is correct. Essentially what I currently have is what dadoremix suggested. While that does allow VLAN 2 to communicate between ports 2 - 5, but that does not allow for the additional parts of the plan. I will be working with Amm0's suggestions shortly.

Thanks

k6ccc

Thanks for the reply. I had assumed that I needed to build a bridge, and played with that last night for a couple hours without any success. I can see the traffic coming in from the three AREDN nodes with Torch, but nothing going out. I'm sure it's easy for most people that have used a bridge in ROS...

k6ccc

This is likely an easy one, but I have EXCLUSIVELY used Mikrotik routers as routers and never as a switch. Each LAN or VLAN on the routers connects directly to a CSS326 switch. I have run into a situation where I have run out of ports on one of my CSS326 switches and have an immediate need for a cou...

k6ccc

Also, HIGHLY recommend putting some additional security on it. There are several things that can be done if you really insist on having a WebFig port directly accessed from the internet. For example, if able, restrict the source IPs that can access it to only the IPs that you want to have access. Fo...

k6ccc

I don't think this forum has a lot of professional web developers But it is impossible for users or designers Hotspot service does not know in the topics of page security! This is a forum for routers. Why are you even asking for html configuration help here? Take this to a forum for web designers. ...

k6ccc

I note that both alibloke and the chart that elbob2002 posted show the temperature stabilized at 58 degrees C. Makes me think that is what it is designed to do. I don't know what the specs for the CPU chips involved are, but as a comparison, the Raspberry Pi does not start throttling to control heat...

k6ccc

RouterOS does not support this method of working. It has been requested many times but it has not been implemented. (what you need is the capability to set a static DNS record for local.mesh with type NS and pointing to the nameserver for that domain) That is exactly correct. As RouterOS also does ...

k6ccc

Here is my situation. I have an RB-750Gr3 that has a WAN connection from my cable provider which provides DHCP and DNS services to the router. Ports 2, 3, & 5 are various LANs, and port 4 is a trunked port with several more VLANS. The trunked port connects to a managed switch where VLAN 5 (among...

k6ccc

Posting part of settings is not all that helpful.
/export config hide-sensitive file=yourconfigaug22
What am I doing wrong...see image below!

Screen Shot 2019-08-22 at 10.02.49 PM.png

Delete the word "config"
In other words: /export hide-sensitive file=your-config-22-Aug

k6ccc

A lot of that is personal preferences. I have a CRS326 that is being used exclusively as a managed switch. Other than about a half dozen VLANs, there is nothing fancy. I am running it under SwitchOS and always have. I also have two CSS326 switches - obviously running SwitchOS, plus two a CSS106-5G-1...

k6ccc

If you can access the router, you can either manually send the WOL command or type up a script and execute the script. By creating a scrpt in advance, you don't have to know the MAC of the target device. add dont-require-permissions=no name="Boot Old Family room PC on .101" owner=\ SuperMg...

k6ccc

Search for "hairpin nat".

k6ccc

Stefan, what software version?

k6ccc

On this - add chain=forward action=accept in-interface=WAN \ connection-state=new nat-connection-state=dst nat Does/should the connection state need to be new? Or does it matter? It actually does not matter. Because there is a fastrack accept for established and related packets, the only time that ...

k6ccc

From the product page for the CRS328-24P-4S+RM:

PoE-Out is passed over mode B pins (4,5+)(7,8-).

That won't work on your 2 pair cable.

k6ccc

The very first rule in the Forward chain. Made it about as simple as I could: add action=passthrough chain=forward comment=\ "Counter for outbound to 188.172.217.0/24 - test for Teamviewer" \ connection-state="" dst-address=188.172.217.0/24 No connections listed to 188.172.217.xx...

k6ccc

So I did some digging and saw that TeamViewer Connect to a domain, 188.172.217.0/24 To test that, I created a passthrough firewall rule as a counter as the first rule in my forward chain. Any traffic to 188.172.217.0/24 should show up in the counter. There are two computers inside my firewall that ...

k6ccc

I would love to be able to block TeamViewer - but my situation is a little different. In my case, I am the TeamViewer user, but I want to be able to block TeamViewer unless I specifically allow it at the time - for example with a port knock to the router. For example, the computer at home can't norm...

k6ccc

I'm sorry, but I thought it was simple to understand that the two RB260 Ether1 are connected together with a 50cm patch cable, so where is the cable problem? It was not simple to understand because you did not tell that in your original post. For all we know, you were trying to run gigabit over a k...

k6ccc

You have given us almost no information to work with. What is this device doing? What's connected to it? How is it being used? Post your configuration.

k6ccc

I just wish that Mikrotik would standardize the interface between the different switches. I have one RB260, one CSS106, one CRS326 (running SwitchOS), and two CSS326s and it's annoying that the UI is so different between them.

k6ccc

I'm the same as all the rest here. All known DHCP clients are given a DHCP reservation outside of the IP Pool. Most of the pools are only 10 IPs (and in reality, I could normally get away with one or two).

k6ccc

I figured it out!! You have to specify the time and day or days that you want the rule to be applied and then you have to press reset all counters to reset everything and allow the new rule to be applied. I checked it 3-4 times and it worked fine. Thank you all!!!! I definitely did not have to rese...

k6ccc

Simple solution. I buy the Mikrotik SFPs that are specified to work with the device.

k6ccc

I have never had any time based firewall rules, but because of this thread, I created one for a test. The rule was a simple rule to drop all ICMP packets from the internet at the beginning of my Input chain with no time restriction. I am not at the location of this router, so my access is only via t...

k6ccc

Never used a bridge, so can't help you there. However your firewall rules look OK - I think.

k6ccc

Off hand, I don't see a way to specify a MAC on a specific port, but you can enable port lock which locks the port to the first MAC that is connected. See the Forwarding tab.

k6ccc

The check marks are the ports that the CAN be communicated with. For example, in your screen capture, port 1 can communicate with all other ports.

k6ccc

I still could not read your screen captures, but here are a couple of mine. Ports one and two are doing exactly what you want to do. Each of those is a Multi-SSID WiFi access point. Each is getting several VLANs that will each become a different SSID and also an untagged LAN that is used for cloud m...

k6ccc

I can’t read your images on my $&@#% iPhone, but I am doing exactly what you want to do on my CSS106. When I get to a computer, I’ll take a look.

Sent from a $&@#% iPhone using Tapatalk

Search found 643 matches