MikroTik

k6ccc

What you are asking about is very similar to what I am doing. The only difference is that I am using my routers (a RB750r2 and a RB750Gr3) exclusively as routers - no switching at all. Each LAN or VLAN has only one port on the router (may be a dedicated LAN port, or may be a VLAN trunk port). All th...

k6ccc

Amm0 is correct. Essentially what I currently have is what dadoremix suggested. While that does allow VLAN 2 to communicate between ports 2 - 5, but that does not allow for the additional parts of the plan. I will be working with Amm0's suggestions shortly.

Thanks

k6ccc

Thanks for the reply. I had assumed that I needed to build a bridge, and played with that last night for a couple hours without any success. I can see the traffic coming in from the three AREDN nodes with Torch, but nothing going out. I'm sure it's easy for most people that have used a bridge in ROS...

k6ccc

This is likely an easy one, but I have EXCLUSIVELY used Mikrotik routers as routers and never as a switch. Each LAN or VLAN on the routers connects directly to a CSS326 switch. I have run into a situation where I have run out of ports on one of my CSS326 switches and have an immediate need for a cou...

k6ccc

Also, HIGHLY recommend putting some additional security on it. There are several things that can be done if you really insist on having a WebFig port directly accessed from the internet. For example, if able, restrict the source IPs that can access it to only the IPs that you want to have access. Fo...

k6ccc

I don't think this forum has a lot of professional web developers But it is impossible for users or designers Hotspot service does not know in the topics of page security! This is a forum for routers. Why are you even asking for html configuration help here? Take this to a forum for web designers. ...

k6ccc

I note that both alibloke and the chart that elbob2002 posted show the temperature stabilized at 58 degrees C. Makes me think that is what it is designed to do. I don't know what the specs for the CPU chips involved are, but as a comparison, the Raspberry Pi does not start throttling to control heat...

k6ccc

RouterOS does not support this method of working. It has been requested many times but it has not been implemented. (what you need is the capability to set a static DNS record for local.mesh with type NS and pointing to the nameserver for that domain) That is exactly correct. As RouterOS also does ...

k6ccc

Here is my situation. I have an RB-750Gr3 that has a WAN connection from my cable provider which provides DHCP and DNS services to the router. Ports 2, 3, & 5 are various LANs, and port 4 is a trunked port with several more VLANS. The trunked port connects to a managed switch where VLAN 5 (among oth...

k6ccc

Posting part of settings is not all that helpful.
/export config hide-sensitive file=yourconfigaug22
What am I doing wrong...see image below!

Screen Shot 2019-08-22 at 10.02.49 PM.png

Delete the word "config"
In other words: /export hide-sensitive file=your-config-22-Aug

k6ccc

A lot of that is personal preferences. I have a CRS326 that is being used exclusively as a managed switch. Other than about a half dozen VLANs, there is nothing fancy. I am running it under SwitchOS and always have. I also have two CSS326 switches - obviously running SwitchOS, plus two a CSS106-5G-1...

k6ccc

If you can access the router, you can either manually send the WOL command or type up a script and execute the script. By creating a scrpt in advance, you don't have to know the MAC of the target device. add dont-require-permissions=no name="Boot Old Family room PC on .101" owner=\ SuperMgr policy=t...

k6ccc

Search for "hairpin nat".

k6ccc

Stefan, what software version?

k6ccc

On this - add chain=forward action=accept in-interface=WAN \ connection-state=new nat-connection-state=dst nat Does/should the connection state need to be new? Or does it matter? It actually does not matter. Because there is a fastrack accept for established and related packets, the only time that ...

k6ccc

From the product page for the CRS328-24P-4S+RM:

PoE-Out is passed over mode B pins (4,5+)(7,8-).

That won't work on your 2 pair cable.

k6ccc

The very first rule in the Forward chain. Made it about as simple as I could: add action=passthrough chain=forward comment=\ "Counter for outbound to 188.172.217.0/24 - test for Teamviewer" \ connection-state="" dst-address=188.172.217.0/24 No connections listed to 188.172.217.xxx either.

k6ccc

So I did some digging and saw that TeamViewer Connect to a domain, 188.172.217.0/24 To test that, I created a passthrough firewall rule as a counter as the first rule in my forward chain. Any traffic to 188.172.217.0/24 should show up in the counter. There are two computers inside my firewall that ...

k6ccc

I would love to be able to block TeamViewer - but my situation is a little different. In my case, I am the TeamViewer user, but I want to be able to block TeamViewer unless I specifically allow it at the time - for example with a port knock to the router. For example, the computer at home can't norm...

k6ccc

I'm sorry, but I thought it was simple to understand that the two RB260 Ether1 are connected together with a 50cm patch cable, so where is the cable problem? It was not simple to understand because you did not tell that in your original post. For all we know, you were trying to run gigabit over a k...

k6ccc

You have given us almost no information to work with. What is this device doing? What's connected to it? How is it being used? Post your configuration.

k6ccc

I just wish that Mikrotik would standardize the interface between the different switches. I have one RB260, one CSS106, one CRS326 (running SwitchOS), and two CSS326s and it's annoying that the UI is so different between them.

k6ccc

I'm the same as all the rest here. All known DHCP clients are given a DHCP reservation outside of the IP Pool. Most of the pools are only 10 IPs (and in reality, I could normally get away with one or two).

k6ccc

I figured it out!! You have to specify the time and day or days that you want the rule to be applied and then you have to press reset all counters to reset everything and allow the new rule to be applied. I checked it 3-4 times and it worked fine. Thank you all!!!! I definitely did not have to rese...

k6ccc

Simple solution. I buy the Mikrotik SFPs that are specified to work with the device.

k6ccc

I have never had any time based firewall rules, but because of this thread, I created one for a test. The rule was a simple rule to drop all ICMP packets from the internet at the beginning of my Input chain with no time restriction. I am not at the location of this router, so my access is only via t...

k6ccc

Never used a bridge, so can't help you there. However your firewall rules look OK - I think.

k6ccc

Off hand, I don't see a way to specify a MAC on a specific port, but you can enable port lock which locks the port to the first MAC that is connected. See the Forwarding tab.

k6ccc

The check marks are the ports that the CAN be communicated with. For example, in your screen capture, port 1 can communicate with all other ports.

k6ccc

I still could not read your screen captures, but here are a couple of mine. Ports one and two are doing exactly what you want to do. Each of those is a Multi-SSID WiFi access point. Each is getting several VLANs that will each become a different SSID and also an untagged LAN that is used for cloud m...

k6ccc

I can’t read your images on my $&@#% iPhone, but I am doing exactly what you want to do on my CSS106. When I get to a computer, I’ll take a look.

Sent from a $&@#% iPhone using Tapatalk

k6ccc

I always upgrade mine.

k6ccc

It might be interesting to connect the two computers in question directly to each other. I would speculate that what you are seeing is more related to the performance of the computers involved and not the switches. Part of that statement is the difference in performance between upload and download. ...

k6ccc

Powered USB hubs usually don't draw power from upstream USB port ...

Correct. That's why I recommend them for fixed applications. Has solved many problems over the years.

k6ccc

I don't have an answer to your specific question, but my general recommendation is any time you are using a USB hub in a fixed situation, use a powered hub. That solves the current limit issue. Since you are proposing to use a USB hub connected to a router, I assume it will be in a fixed installatio...

k6ccc

This is likely more opinion rather than hard facts. There are some on the forum that hate SwitchOS and have nothing but problems, and there are some that have no issues with SwitchOS at all. Personally I am in the second camp. I have a CRS326-24G-2S, two CSS326-24G-2S, a CSS106-5G-1S, and a RB260GS ...

k6ccc

I clearly have no understanding of what he is trying to do. However I have never had any interest in on line gaming, so no idea how those kind of things work. I've never heard of a client / server type system where the server initiates the connection (which is why normal consumer routers work for mo...

k6ccc

It does not work that way. A NAT forwards to a target IP. However in most situations, if the game is talking to a server somewhere else, the client initiates the connection and the router will forward responses to the IP that originated the request. No special setup is normally required. If you are ...

k6ccc

You have given us so little information to go on. For starters, either give us more details on how your three routers are connected to each other, the internet, and your devices - or better yet, a drawing. Second, export your config on all three routers and post here so we can see what you are doing...

k6ccc

I see mkx beat me to the L2 vs L3 parts, so I'm not going to repeat that. You do not need to use bridges to create a DHCP server. However as noted above, IF an interface is a member of a bridge, then the DHCP server must be assigned to the Bridge - not the member interfaces. At least that's the way ...

k6ccc

Let's see if I have this right. Every single port will be a separate LAN with it's own DHCP server. So the router is being used exclusively as a router and not as a switch. If this is the case, why are you creating bridges? This is the way I use my routers. I have managed switches connected to the r...

k6ccc

I don't know anything about the TP Link equipment, but it sounds like you want the TP Link to operate only as a WiFi access point and NOT have any router functions. You likely can make this work by turning off the DHCP server functionality in the TP Link and then connecting one of the LAN ports (NOT...

k6ccc

You asked this question in the SwitchOS section of the forum and your subject specifies the CSS326 switch. However, since you are seeing an inter-VLAN issue, the problem almost certainly exists in the router and not the switch - since switches don’t route between VLANs. You did not give us much deta...

k6ccc

As for your DHCP servers, from your drawing, they are some device that is untagged. Simply put them on a switch port that is untagged on the correct VLAN. Same concept as my Cable Modem on port 1. In my case that is untagged on VLAN 100, but the concept is the same.

k6ccc

My first question is if the issue it with the SFP or the Ethernet per in the computer - it could be either one. Can you plug the Cat-6 into another port on the switch (such as one of the gig-E ports on the switch). Let the computer go to sleep and see if the problem happens in that configuration. Ot...

k6ccc

Here are some screen captures from one of CSS326 switches located in my family room. Most of the ports don't really matter, but I will point out a few. Along with a bunch of end devices in the house, both internet modems connect to this switch (port 1 for the cable and port 9 for the DSL). Port 3 is...

k6ccc

One other thing you could easily test. Configure a user PC port to VLAN 20 instead of VLAN 10 and confirm that the PC gets a DHCP address from DHCP server 2. That will confirm that your DHCP and switch to switch links are OK. Part two - Are you sure that your WiFi APs are configured properly for the...

k6ccc

Your configuration is really pretty simple. The trunks between the three switches needs to have VLANs 10 & 20. Assuming that the WiFi APs know that SSID 1 connects to VLAN 10 and SSID 2 connects to VLAN 20, then the switch ports connected to the three Unifi APs will be just like the switch to switch...

k6ccc

Why not just a set of firewall rules to catch port scanners. Those are well documented and work well. If the port scanner triggers, then the port knock never sees the triggers.

k6ccc

First guess is that you did not open a hole in the firewall for your NAT. Unlike many consumer routers, RouterOS does not do that automatically.

k6ccc

What you are doing is very similar to what I am doing and it's not at all complicated. I am curious why you want two VLANs if part of your statement is that devices on one VLAN can communicate with devices on the other VLAN. If everything on both VLANs can communicate with each other, why separate t...

k6ccc

I can absolutely assure you that the Wyze cameras do NOT require anything "special" to be opened on a reasonably normal router configuration. As long as a LAN device can get to the internet and responses get back to it, it will connect just fine. I have 13 Wyze cameras (2 Pans and 11 V2). Other than...

k6ccc

First of all, you are right - they don't respond to a ping. However that proves absolutely nothing since some network admins drop pings as some people consider it a security hole. If it really is on your end, please post your config, so we can see what you have. In order to export your config, follo...

k6ccc

I'm going to let someone else answer the setup in RouterOS as I have NEVER used a bridge in ROS. I know there are some particulars about setting up VLANs in a bridge, but I don't know details.

k6ccc

SwitchOS is strictly a switching OS whereas RouterOS is router OS that can play switch (but is optimized as a router). SwitchOS is far more limited, but if you only need switching, it works. There are a couple documented issues with the current version of SwitchOS - check out the SwitchOS section of...

k6ccc

I think sebus got your config incorrect. Please confirm that the CCR1009 has one link to the CRS125 and one link to the CRS326 (not that the two switches are daisy chained). Second, are you running the CRS125 and CRS326 in RouterOS or SwitchOS? What you are doing is easy, but we better need to under...

k6ccc

Just delete the lease and next time the device requests an address, it will get one from the regular pool.

k6ccc

I was not suggesting that you monitor it for them, but rather that they set up a free account with UpTimeRobot.com and UTR will notify them when something fails.

k6ccc

Yes. add action=src-nat chain=srcnat comment="Outgoing NAT from .201 LAN" \ disabled=no out-interface=E1-p10_DSL_Internet src-address=\ 192.168.201.0/24 to-addresses=208.127.104.77 add action=src-nat chain=srcnat comment="Outgoing NAT from .202 LAN" \ disabled=no out-interface=E1-p10_DSL_Internet sr...

k6ccc

@ivanobuffa
They were all part of a /24 network from my IP. I had eight addresses scattered through the range.
I will pull up my script later this evening. It was quite easy...

k6ccc

Does the switch have internet connectivity ?

Sent from a $&@#% iPhone using Tapatalk

k6ccc

@k6ccc So are you like a suburb of LA? Seems like your on the cusp of Mountains, must be beautiful and close to ski hills? (prevalent raging forest fires in that area)? Correct. Glendora is about 20 miles east and slightly north of downtown Los Angeles. The city moto is "Pride of the Foothills". Th...

k6ccc

I've been doing this for years. Until very recently my RB750r2 had one DSL connection with five static IPs. There were different LANs (mostly via VLAN) that each routed traffic out the same DSL, but via different IP addresses. All it takes is a simple outgoing NAT statement to get the outgoing traff...

k6ccc

There are two perspectives here. One is to have the router detect a failure and alert you. The other is to determine if the router is visible from the internet. For part two, I suggest UpTimeRobot.com They can monitor specific ports, a normal ping, a website, and various other things. They can notif...

k6ccc

Someone on the internet is trying to connect to presumably a web server on your internet address on port 8080. Why do you think this has anything to do with your DNS?

k6ccc

Instead of explicitly blocking each VLAN, Block everything with a not interface command (note the explanation point before the interface name): add action=drop chain=forward comment=\ "Block all interfaces except internet from VLAN 10" out-interface=\ !E1-p10_DSL_Internet in-interface=VLAN_10 You wo...

k6ccc

Allow what you specifically want allowed, then deny all. This is the last rule in the Forward chain. There is a similar one at the end of the Input chain.

add action=drop chain=forward comment=\
    "Drop any forward packets that get this far"

k6ccc

Yes you can. With RouterOS only though.
Hi, elbob2002. Do you mean I can run ospf in CRS326-24G-2S+RM only booted with RouterOS.

OSPF is a routing protocol. Requires a router. When run under SwitchOS, the CRS326 is functioning as a switch - not a router.

k6ccc

This thread is an interesting read. I have two CSS326-24G-2S+RM and one CRS326-24G-2S+RM that got updated to 2.9 a few days ago. Obviously no fan issues since the 326 doesn't have fans. I have not observed any problems - so far (64 1/2 hours). I will be watching however... I'll laugh my ass off if M...

k6ccc

I'm using the CSS326-24G-2S+RM and CSS106-5G-1S for exactly that purpose. Quite happy with them.

k6ccc

OK, now on a PC with a real keyboard instead of my #$%&* iPhone, so able to give a longer answer... The CSS326-24G-2S+RM can only run SwitchOS, whereas the CRS326-24G-2S+RM can be setup to boot into either RouterOS or SwitchOS. When the CRS326-24G-2S+RM boots into RouterOS it has full router functio...

k6ccc

The CSS is SwitchOS only. The CRS is dual boot. In my opinion, if you need a switch, buy a switch - if you need a router, buy a router. I have five MT devices running Switch OS and very happy with them.

Sent from a $&@#% iPhone using Tapatalk

k6ccc

There is something being missed here. Export your configuration and post it.
/export hide-sensitive

k6ccc

Two thoughts. First, do your firewall rules allow the port forwarding? If you have an "all all DST-NAT" rule in the forward chain, that would take care of it, but if you don't do that, you generally need to specifically allow the forward. This is not likely the case since port forwarding worked on p...

k6ccc

I am doing exactly that. Here are the settings: First setup your E-Mail server information. I am using a G-Mail account. /tool e-mail set address=smtp.gmail.com from="Router #2" password=Redacted port=587 \ start-tls=yes user=address@gmail.com Then the script that creates the files and sends them: #...

k6ccc

Assuming you have everything configured correctly on your managed switch, hooked to eth4 (DSL modem connected to access port for VLAN VID=200) it should work. And it shouldn't be necessary to have dial-on-demand=yes ... Yes, it is. Every VLAN shows up on that trunk port except 100 (the cable intern...

k6ccc

OK, first a little background. I have a cable based internet and a DSL based internet. The cable is a single DHCP address and until today my DSL was eight static IP addresses that connect to three separate MT routers. Today, my DSL was changed to a single DHCP addresses with PPPoE (the change was fo...

k6ccc

You could use the "nth" filter option to drop every nth packet. so for 10% every 10 packet should be dropped.

Just learned something new. Did not even know that existed, but sure enough - it's there...

k6ccc

Hello guys, it is possible to permit icmp but dropping 10 percentage of the packets ? As kiaunel said, I don't know of a way to drop a certain percentage of packets. However you can rate limit certain packets to some number. For example 5 packets per second. add action=accept chain=ICMP comment=\ "...

k6ccc

But with 199 days uptime You are running 2.8, right? I upgraded from 2.8 to 2.9 (CSS326), and saw the increase in Rx Overrruns and Tx Pauses. They are too frequent to my liking, but I don't think they have a real impact on network speed. At least, not for me. Truth be told, although I use a 10GB tr...

k6ccc

Not my experience. Just looked at one of mine which shows an uptime of 199 days. There is 1 RX Overrun and 0 TX pauses. As I said, nothing faster than 1Gb/s....

k6ccc

Same here! Lot of tx/rx overruns on 10G port (SFP+ to CRS317) or pauses when flow control is enabled. I'll wait till next SWoS release and if it is not fixed will throw away and will declare it as another cheap junk. You are welcome to send them to me. I have been very happy with my CRS326 (in SWOS...

k6ccc

I am having issues setting identity of RB260GS. I wanted to set: LOCATION - OFFICE - DEVICEn However, I get cut out, and SwOS version is added after the name. Is this normal, or a bug? Or maybe a browser thing? Tried to the switch, but it didn't work. I don’t remember for sure, but there is a limit...

k6ccc

That Wiki post lists a large number of various rules and settings. Many of which need to be customized to your situation. Therefore, without you posting your configuration, we would only be guessing. Export and post your configuration.

k6ccc

set [ find default-name=ether4 ] speed=100Mbps

You state you are connected on ether4 which you have locked to 100Mbps

k6ccc

Until you can find out who is messing with your router, you can also set the computer to a static IP, and then it never will look for a DHCP address at all.
But I agree with the others, you need to figure out who is changing your router configuration.

k6ccc

at the moment best router/price around 50-70euros is HAP AC 2. everything you need in this small magic box! it has also 2.4ghz/5ghz wifi. models you suggest dont have wifi. https://mikrotik.com/product/hap_ac2 If you need WiFi. I have WiFi, but it's not combined with my routers - nor would I want i...

k6ccc

I started out at my house with a RB750r2 and it worked fine for me - until I got cable based internet that supported 124 Mb/s download via a gigabit interface. Because of strange stuff I was doing, I had a ton of NAT forwarding, and firewall rules in place along with at least a half dozen VLANs and ...

k6ccc

I know this is a two year old thread, but I'm in the same boat. I added info log entries all over the place and remarked every line and ran the script. Obviously it ran fine with just the log full of the log entries. I then started at the top and removed the remarks one line at a time until it bombe...

k6ccc

Like anav said, post your config or else we are guessing.. With that said, you said "the DHCP server". You need to configure a separate DHCP pool and server per VLAN. What you are doing with the RB750 (the one playing router) is somewhat similar to what I am doing with mine. Each of mine has one WAN...

k6ccc

It looks like you are trying to do this in "Quick Set". Get out of Quick Set and NEVER touch it again. Quick Set is a fairly simple way to do a VERY basic setup for a MT router. Kinda like making it stupid like most "consumer" routers. If you are trying to do anything beyond the basics, you need to ...

k6ccc

Will the mail server be on the same LAN as the rest of your stuff at home or will be it be on a separate LAN? If it will be on a separate LAN, it's really easy.

k6ccc

Did you read the website briefly? There is no reason to worry if you are an Internet user without your own domain name. This change is affecting you only indirectly and you do not need to take any other steps. I did read it. I have three domains that run on my own server, but I get DNS from a comme...

k6ccc

For you experts out there, anything about this that I as a end user running MT routers to get to the internet need to do or look out for?
https://dnsflagday.net/

k6ccc

I agreed with pe1chl. Even minor differences in router types are going to create issues that you will have to manually fix. A while ago, I replaced a RB750r2 with a RB750Gr3. Pretty close - you would thing it would be pretty seamless. Nope. Ended up importing in VERY small chunks in order to get it ...

k6ccc

Just drop it? add action=drop chain=forward in-interface=vlan100 out-interface=vlan200 add action=drop chain=forward in-interface=vlan200 out-interface=vlan100 Thanks would this keep the internet access . Yes. And I would strongly suggest that you spend a while reading the firewall sections of the ...

k6ccc

Updated my CSS106-5G-1S from 2.8 and all appears to be working. However, after the upgrade, this is what the Upgrade page says: Firmware Current Installed Version 2.9 (built at Mon Jan 07 2019 03:04:37 GMT-0800 (GMT-08:00)) Latest Available Version 2.9 (built at Mon Jan 14 2019 02:29:12 GMT-0800 (GM...

k6ccc

You have to let WinBox sit on the neighbors tab for 5 to 10 minutes before the switches show up. By George, you are right. Took hours, but three of my five switches have appeared. The CSS106-5G-1S two CSS-326-24G-2S are showing but the RB-260GS and CRS326-24G-2S (running SwOS) along with my RG750Gr...

k6ccc

A SwOS device will appear in the neighbor list in Winbox but you cannot connect to it using winbox. As I said, I'll have to take your word on that - None of my five MT switches are seen on the neighbor list on WinBox 3.18. I don't even see all of my MT routers in the neighbor list. I even confirmed...

k6ccc

I’ll take your word on it, but my WinBox does not see any of my switches.

Jim

Sent from a $&@#% iPhone using Tapatalk

k6ccc

First of all, once it is in SwitchOS, you can’t connect via WinBox. Must connect via the web interface.

As for your DHCP address, does your DHCP server show an address assigned?

Sent from a $&@#% iPhone using Tapatalk

k6ccc

Only time I have had one of CSS326 switches hang is when I had a problem DSL modem. The modem would crash, and after power cycling it, the switch would shortly lock up. Replaced the DSL modem after we determined that it was having a problem. Never had a problem with the switch since. Currently it is...

k6ccc

Are you doing something? By that, I mean have you started making parameter changes? If yes, what are you changing? Also, what version of WinBox and RouterOS?

k6ccc

The CSS326 runs SwitchOS and does not have a DHCP server. Although I normally run all of my switches with static IPs, I remember when I first got them and they factory defaulted to DHCP with fallback, the DHCP client worked. What is the setting of the Address Acquisition on the System tab? Also, wha...

k6ccc

But if no one reports it as a bug, Mikrotik wont try to find it. Talking about here on a users forum does not constitute a trouble report.

k6ccc

I have two of them at home - one is a couple feet from me as I sit at my computer. There is a grill for a fan, but there isn't a fan mounted.

k6ccc

Why are you wanting to use the same IP range?

k6ccc

Kennethven,
This thread is almost 5 months old. Who are you even directing that to? And there is no PM capability on this forum.

k6ccc

don't understand your question. Note that switches don't have macs only network devices.

Wow! I'm going to have to tell all my switches that they don't really have a MAC. That will be a shock to them. How do you suppose layer two works without a MAC?

k6ccc

You have the WinBox port set to a non-standard 8219. Are you specifying the non-standard port when you try to connect? BTW, I also use a non-standard port for WinBox access to my routers.

k6ccc

No. No way to know which LAN a packet is part of if they are both I tagged.

Sent from a $&@#% iPhone using Tapatalk

k6ccc

I have five switches running SwitchOS (listed in my signature) without any problems at all. Only thing fancy I'm doing is VLANs, but all of them have over a dozen VLANs at my house...

k6ccc

Please assist, i am network support agent, i have come across where i need to add/make mac reservation, static IP Reserve. I have to two questions, 1. If MAC address doesn't show up on leases, can i add it or maybe i need to plug LAN cable from RouterBoard to PC before? 2. How is IP DHCP reservatio...

k6ccc

You did not list your firewall rules. I assume that there is either a rule that allows the specific NAT through the firewall, or all NATted packets through the firewall. Does that rule or rules specify the input being the WAN interface? That would stop NATTed packets that are coming in on one of the...

k6ccc

Thanks vecernik87 for the longer answer. My short answer was courtesy of needing to get to bed

k6ccc

If you are just wanting to block ICMP packets, simply do just that. Something like this:

add action=drop chain=input in-interface=e1_Internet protocol=icmp

Obviously you would have to edit this to have the in-interface = whatever your internet interface is (as opposed to my e1_internet).

k6ccc

For starters, please export and post your configuration so we have some idea what you are doing.

k6ccc

You're still not really telling us what you are trying to accomplish (we're not mind readers). Also, you are asking about this in the SwitchOS section of the forum. Can I assume you are doing this on your CRS317 operating in SwitchOS as opposed to RouterOS?

k6ccc

Not enough information. What are you trying to accomplish?

k6ccc

For whatever it's worth, both of my CSS326-24G-2S switches with 2.8 have 17 VLANs and working perfectly.

I don't have any CRS317 routers.

k6ccc

Not knowing the details of how upgrades are released, my speculation is that 2.9 is not really released yet. Maybe they were about to release it, so it got into the notes, but then an issue was found and the release halted. Just a guess....

k6ccc

Has the same problem, purchased two new css326-24g-2s+rm , cannot acess the web GUI through 192.168.88.1 on both switches

What IP is your computer?

k6ccc

Don't use Quick Set.
Quick Set is very limited in what it can do.

k6ccc

I have a switch with 802.1Q VLAN setup, where I want to use a mikrotik router for DHCP. If I have a DHCP server on a tagged VLAN interface, this should work fine going through the switch? Have an IP phone not picking up DHCP, I'll try a factory reset of the phone How is the iPhone getting to the ne...

k6ccc

I do use port knocking (among other things), and log any connection attempts. Of course for step one I see hits somewhat regularly due to random scans. I have NEVER seen a hit on step two if it was not me. As sob said, most of the attackers are simply going after the commonly used ports. I do also h...

k6ccc

I have two CSS326, one CRS326, one CSS106, and one RB260 that are all running SwitchOS, in addition to three RB750 routers running RouterOS. My general philosophy is that if you want a switch, buy a switch and run a switch OS. If you want a router, buy a router and run a router OS. I don’t mix the t...

k6ccc

2.9 does nothing for me, so I likely won't bother with this one...

k6ccc

I see SwOS 2.9 was released today. Who's gonna be brave and give it a test run? Where are you seeing that 2.9 was released? Not on the software download page and no announcements here on the forum. Ah, one of my switches shows that: Current Installed Version 2.8 (built at Fri Jul 13 2018 04:37:06 G...

k6ccc

right now i dont have a busy state in my IPs. what's the command to see this status? address=192.168.13.42 mac-address=00:E1:00:86:1E:34 client-id="1:0:e1:0:86:1e:34" address-lists="" server=defconf dhcp-option="" status=waiting last-seen=1w3d20h30m23s I normally use WinBox and there it's easy. Jus...

k6ccc

is it possible to have them take the lowest possible IP? No. ROS assigns IP addresses from the top of the pool. You have no control of that. My recommendation is that if you have devices that you want to have a specific address, let them connect (so they show up in the DHCP Leases list), and then c...

k6ccc

From the Wiki: Lease status: waiting - un-used static lease testing - testing whether this address is used or not (only for dynamic leases) by pinging it with timeout of 0.5s authorizing - waiting for response from radius server busy - this address is assigned statically to a client or already exist...

k6ccc

Ahh of course... after having this enabled for a long time one forgets that it is even there...

Yep! Same here...

k6ccc

This is the last rule in my input chain. There is a similar rule in the forward chain. add action=drop chain=input comment=\ "Drop any other input packets that get this far" log-prefix=\ "Dropped connection" Remember how rule processing works. It's top to bottom, and if a rule is not explicitly drop...

k6ccc

You can set the "Note" to anything you darn well please.

k6ccc

You have a bunch of rules that add addresses to the Port Scanners list, but you never drop them. Do you have a drop everything rule at the end of the Input and Forward chains? My opinion is that dropping pings from the internet creates more problems than it solves. I know some people firmly believe ...

k6ccc

Your question is in the Switch OS section of the forum and your subject title asks about the CSS326 switch. However the text of your question asks about two specific routers. Are you trying to control BW in SwitchOS or Router OS? No way to do that in SwitchOS Sent from a $&@#% iPhone using Tapatalk

k6ccc

You really need (R/M)STP to run on top of LACP bonding if you add the "Switch C" for the whole system to work (your lower picture). The LACP bonding itself will be treated like one physical port by RSTP - it can't disable only part of it. But if there is no other potential loops, and the LACP bondi...

k6ccc

I would say so.
If you have many switches use of rstp becomes obvious...

Yes, makes sense.

Thanks for your help. Sounds like I largely had it figured out, but fully admit that I only knew enough to be dangerous!

k6ccc

Here's what I do to make a port knock easier. I have bookmarks in my browser for each one. Click the first one, wait a second, click the second on, etc. Takes seconds. This works if we are only managing 1 or 2 devices, but I am managing 500 routers in the field and increasing. This bookmark feature...

k6ccc

But for your question, when LACP or static team active rstp doesn`t play any role as it simply puts port in edge mode.

So in a summary, RSTP in this case is only there to prevent you from doing something stupid (or cover your backsides if or when you do). Do I have that right?

k6ccc

Thank you for your all responses, I have a couple simple questions at first. One when you select code to add in what option are you picking ? I assume you mean where I included my code extract. It's the symbol to the left of the quotation marks. You can also just type "[ c o d e ]" and "[ / c o d e...

k6ccc

LACP is for link aggregation. 2 ports on switch A and 2 ports on switch B. 2GB link between them with LACP. If not using LACP or static team 2 ports connected between switches would create LOOP. This is what RSTP is for. To prevent loops and lear about topology changes: Right. Got that part. 1. So ...

k6ccc

As Sob said, what you're doing is not overly helpful. At first I thought you were doing a port knock until I read it. You would do better with a port knock. add action=add-src-to-address-list address-list="Long Knock-1" \ address-list-timeout=15s chain=input comment=\ "Long Port Knock setup step 1" ...

k6ccc

Well, now I'm back to confused. First of all, I fully understand how bad a loop can be. Last year at work on a microwave network that supports a large public safety radio 2-way radio system, we had a loop protection failure that resulted in a broadcast storm that took down the entire network. Really...

k6ccc

I also have a bunch of Chinese cameras at home. I created a dedicated VLAN for them that is firewalled so that they can get to the internet (required for remote viewing), and nothing else on my home networks.

k6ccc

Thanks again. You pretty well told me what I thought I already understood from reading, but I had been confused when some other guy in a different thread told me that I should always be using RSTP. It will be a while before I have time to bury another conduit between the house and garage, so I'm in ...

k6ccc

Thanks for the reply. I'm curious why I can't use RSTP. I've read the Wiki about a million times (OK, not really a million) and don't see why I could not use RSTP, and in a different thread where this topic came up, it was recommended that I should always use RSTP. From my own research, I had assume...

k6ccc

Maybe I'm missing something here, but the RB750Gr3 does not have WiFi.
Note: I am not using MikroTik for my WiFi - only for routers and switches. So I could be missing something.

k6ccc

Do you have DHCP Snooping enabled on the end device ports of the switch (ports 1, 7, 13, & 15 if I counted right)?

k6ccc

What software version is your CSS? My CSS106-5G-1S is version 2.8 and is configured quite different than yours. The SFP is a gigabit link from this switch to a CSS326-24G-2S in my family room. It is exclusively a tagged trunk port. The two Open Mesh ports are WiFi access points that have both a non-...

k6ccc

I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port. The same exercise is needed when configuring RB running ROS if that RB is to be used as smart switch. Not that I would recommend that since HW offload is disabled and ...

k6ccc

Well, I for one am quite happy with my two CSS326-24G-2S and also the CRS326-24G-2S (running SwitchOS). I have not found any way in SwitchOS to determine the CPU load, so I can't tell you how much I'm loading them. Reality is likely not all that much. This is at my house and then also a MicroWave pa...

k6ccc

Nobody have anything?

k6ccc

Yes, thank you both for the education. I didn't really need it, but it was interesting. I have a different solution. I use routers EXCLUSIVELY as routers and switches as switches. Each port of my routers is either a single LAN or a VLAN trunk port. Never does any LAN or VLAN appear on more than one ...

k6ccc

i noticed that the winbox port has change ... what can be the reason ? Can I assume that you mean that when you connect via the MAC address, you are able to see that the service port for WinBox has changed. If that is the case, you would need to specify the non-standard port. In your case, that wou...

k6ccc

Just an FYI, about an hour ago I installed a S-RJ01 into a CSS326-24G-2S that has SwitchOS 2.8. It behaved exactly as I expected. Link showed as down with no cable plugged in. When I plugged in a cable to a RB260GS with a third party SFP, the link came right up and showed 1G. Pings to both the far e...

k6ccc

Use non-standard ports for WinBox access to the PTPs. Then it’s just standard NATting to get to them from the internet.

Sent from a $&@#% iPhone using Tapatalk

k6ccc

EdPa, thanks for the explanation. A couple suggestions to pass along to the software people. Any chance of making the VLAN and VLANs tabs look and operate the same between the CSS326 and the CSS106 & RB260GS. I have both types of switches and it is annoying to have to think quite differently between...

k6ccc

I don't believe that the WatchDog timer is for a specific link, but rather looking for internal process locking up. Hence, no IP to be pinging.

k6ccc

Taking your thought, I did a comparison of the Saturday night and Sunday night script files for both routers - before and after my updates Sunday morning. There were only two differences. First is that the software version was different. Well, it darn well better be! Second was a login script that w...

k6ccc

Funny you should bring this up today. This morning I updated both of my RB750s from 6.42.1 to 6.42.6 and updated the firmware on both from quite old to current. The upgrades went very well. I already have a scheduled script to do a daily backup and export, so I have a good baseline. I had not planne...

k6ccc

I had the same issue with some HP 2610-48s. Had to use HP SFPs.

k6ccc

Because it's the Cisco that is showing no link, I am guessing that it is the end that does not like the really cheap SFP. Just a guess however.

k6ccc

My first guess is that the SFP is not really compatible with one or both of the devices that they are plugged into. I have found with several equipment brands (MikroTik and others as well) that not all SFPs will work. In fact just this morning I found that none of my assorted pile of 1GigE SFPs woul...

k6ccc

What hardware?

k6ccc

Are you implying that SwOS will just tag unconditionally if a port is a member of multiple VLANs or something? Could be. I really don't know. I certainly don't claim to be the expert. In fact I just learned an hour ago that a setting in 2.7 did not work quite the way I expected for un-tagged ports....

k6ccc

You have to have VLAN tagging on the trunk port or else you would have both VLAN 2 & 3 untagged (and therefore no longer separate) on the trunk port.

k6ccc

As I recall, the NanoStation will happily pass VLAN traffic and is VLAN aware for the management interface, but I'm not aware of the ability to specify which VLAN to use for locally connected stations. Note that I am using them for a point to point link with a managed switch (CSS326-24G-2S) on each ...

k6ccc

It depends on what you are doing. I am not using a bridge on any of my routers. However, I am using my routers exclusively as routers. Each port is either a separate LAN or a trunk port with multiple VLANs. Everything is routed in between ports. Each port is connected to a different port of a manage...

k6ccc

Hopefully you have previously saved backups so after the net install, you can restore from your backup. If not, lesson learned - backup, backup, and off site backup.

Sent from a $&@#% iPhone using Tapatalk

k6ccc

This is an area where have no experience so looking for suggestions. My situation at home is as follows. In my Family room I have a CSS324-24G-2S with various computers, WiFi, lighting controls, and monitoring devices connected. Both my DSL and cable internet connections also come into the Family ro...

k6ccc

on my CSS326-24G-2S+ manual upgrade dont works. switch not accessible(web) after manual upgrade. to access the switch again, i had to boot backup SwOS. i tried upgrade from backup SwOS(2.0p) to 2.8, and reset configuration - but no success. Most likely the switch changed from a static IP to DHCP. C...

k6ccc

Here's another example of using stuff in the Output chain. I was recently troubleshooting a problem and I wanted to be able to verify that packets were going out on the interface that they should have been. So I created the following set of output chain rules that served only to count packets on eac...

k6ccc

Yes. The Input chain only affects traffic that will terminate on the router itself. The Forward chain affects traffic that will pass through the router. Note that you have an allow connected and related traffic in the Forward chain, that rule will allow responses to one of your users who connects to...

k6ccc

The problem is your dumb switch. Some dumb switches will pass 802.1Q VLAN traffic and some will not. I have no idea if your tplink will or not. Assuming that it won't, my suggestion would be to split it up. Have the tplink and the attached computers connected as they are now. Then run a separate con...

k6ccc

Thanks again Sindy! That was it, and yes, that was a leftover from old times. Confirmed that with an AutoCAD drawing from early last year. As soon as I changed the VLAN switch setting for that port, pings started working, and forwarding traffic started working properly. As this router is used exclus...

k6ccc

Thanks for the catch Sindy. Ether2 is not supposed to be a hybrid port at all. It should be all untagged traffic. I’m on a commuter train on my phone right now so I can’t look for a couple hours, but that was likely a leftover from time past. The .131 LAN is currently a VLAN on the 802.1q trunk on p...

k6ccc

I have managed to apparently do something stupid. I was moving one of my LANs from port ether3 to ether2 on an RB750r2. This router is being used exclusively as a router - there is no bridge and every port is a different LAN or trunk port with multiple VLANs. Should be simple enough and I've done th...

k6ccc

After upgrade to v2.8, switch goes from "static IP" to "DHCP with fallback", - looks like a bug.
so put DHCP server on top of swtich and use that dynamic assigned IP to back to Static IP

Not a bug. That's the way it's designed.

k6ccc

For your first part, I would assume that since you are looking for SwitchOS and not RouterOS, you should be getting the same SwitchOS as the CSS. That is the case with the CRS326, so I'm guessing it's the same with the CRS328. For your second part, depending on what version you upgraded from, very l...

k6ccc

I find it easy to believe that it does not work. You are mixing up your subnets. You are trying to get a 10.10.25.x device to talk on a router that has a port on the 192.168.10.x subnet. Can't get there. Now if you were to use very small subnets, and give the router an additional address on the WAN ...

k6ccc

Short comment would be: DUH! OK, now for the longer, more polite answer. Anyone who runs almost any type of server these days will see piles of attack attempts on a variety of ports. Yes, Telnet is one of the most common. I don't log them, but I do have firewall rules that drop and count packets. I ...

k6ccc

If you go to the software download page and select Winbox, the dropdown shows 3.17, but that results in a 404 error. Might want to fixed the webpage - either that or 3.17 is about to be released about the time I post this message

k6ccc

I'd argue to keep with the best practice and use STP or the new MSTP implementation. It's just good common sense loop protection. That said it looks like you're using the old way VLANs where done but not in a complete way. I'd urge you to migrate to the VLAN aware bridging approach. It's documented...

k6ccc

I imagine you're either running in the per-VLAN based mode or do not have STP correctly running. I haven't actually sniffed a link without an untagged VLAN defined to see if MikroTik hides this fault to keep networks working despite the best effort of their admins. Of course I know what Spanning Tr...

k6ccc

I don't know if this is an issue, but if I were doing it, the trunks between routers and switches would have nothing but VLAN tagged traffic - no untagged traffic. That's how I'm doing it at home with my three routers and five switches.

k6ccc

CRS+CSS: How many ports can be aggregated concurrently with LACP at maximum? Suggestion. If you are going to ask a question that is totally unrelated to the current topic, start a new post rather than ask in an unrelated thread. For one thing it makes finding the question and answer far easier when...

k6ccc

Happy I could help.

k6ccc

For me manual upgrade don't work. I only see "don't interrupt", switch reboted (I see it uptime on router in neigbord) Are you sure? I did take the time to do a manual update on my CSS106-5G-1S. Prior to the upgrade, I started a continuous ping to the switch from this PC. After starting the upgrade...

k6ccc

None of my switches see it as an available upgrade. Have not the time at the moment to try a manual upgrade yet.

k6ccc

SwitchOS 2.7 and below used 32 bits for the stats. Real easy to roll over. VERY likely what you are seeing. According to the release notes for 2.8 (just released) one of the changes:
*) use 64bit counters under Stats tab for byte accounting;

k6ccc

I would also say I am not an expert, but I have several and they are in daily production use. First one I got was a RB260GS. Depend on time of year, it has somewhere between three and all six ports in use (the sfp is an electrical gigabit interface). It is out in a brick column in my front yard so i...

k6ccc

Thanks mkx. That was what I thought...

k6ccc

Kind of related to this. In my case, both of my routers are used EXCLUSIVELY for routing. Each physical port is either a trunk carrying multiple VLANs to a smart switch, or a specific LAN that is going to a switch. Never does the same LAN appear on more than one physical port. Is there any reason un...

k6ccc

Depends on what you are trying to accomplish. I fully admit that this is not normal, but I have 15 VLANs at my house. With the exception of a few select situations, none of them talk to each other. I also have two active routers, and four switches (all smart devices) - then a microwave path 4.2 mile...

k6ccc

Throw away the RB, if it has been hit by a thunderstrike there's no software update that could solve the problem. P.S. if you update from version 5 to 6 you have to upgrade to bugfix version of 6, for example 5.25 check for updates makes download 6.40.8 bugfix. Please read my post. The Routerboard ...

k6ccc

Yes, the basic firewall configuration is that all is allowed unless specifically blocked by firewall. It's a router - it routes. The normal way to set it up is to explicitly allow what you want and then at the end of each chain, drop everything. That way only the traffic that you allow will get thro...

k6ccc

Did what you suggest, what happens is when I changed it to desired static ip outside the pool, the status is waiting. The machine itself didn't acquire the assigned IP I put. Remember that the machine in question does not get a new address as soon as you change it't static reservation. It has no wa...

k6ccc

Are you asking if the router can send a command to the AirFiber and then do something with the result?

k6ccc

Maybe I'm not understanding your request. How does the MikroTik have anything to do with the AirFiber (other than presumably riding on the ethernet path that the Air Fiber provides)?

Search found 474 matches