MikroTik

k6ccc

Here's my script that does exactly that. Note the time delay at the beginning. E-Mail has to already be set up. In scheduler, there is an event that runs this script with a start time of "Startup" :log info "Starting System Startup script" :delay 00:00:20 :log info "Sending ...

k6ccc

Correct. IPv4 and IPv6 firewalls are separate. If you are looking at WinBox, IPv4 and IPv6 are separate items and therefore the firewalls are separate. If you are using rules in a bridge or switch chip, I can't help you.

k6ccc

Simple answer is that you need a port forwarding NAT. However do as Anav said and export your configuration.

k6ccc

For starters, you gave us almost zero useful information. Is this a URL on your LAN, something out there on the web, something else???

k6ccc

I found something that at least my search in this tread has not been addressed. The DHCP Server Leases tab absolutely refused to let me assign a specific address to to a DHCP assignment that I had made "static". Details: Winbox 4.0beta17 on a Windows 10 computer communicating with a RB4011...

k6ccc

OK, BartoszP - I LOVE the zip ties holding it together. I know it was a temp test, but I loved it.

k6ccc

A lot of non-VLAN aware devices will successfully pass VLAN traffic just fine - however some will not. You really have to test non-VLAN aware devices to make sure. I am using a non-VLAN aware dumb switch for some VLAN traffic and it works just fine. As for power line network adapters - don't get you...

k6ccc

the dialog will let you TYPE above 64Kb into the edit box... it just doesn't save that part. Interesting. On my RB4011iGS+ with 6.49.15 and WinBox 3.41 the editor would completely stop accepting new characters typed or pasted once it hit 32K. Sounds like 64K is the limit in WinBox 4. The script I a...

k6ccc

As a little followup to the script size limit I was running into, I ran into this issue again. Confirmed Winbox 3.41 with a RB4011iGS+ / 6.49.15 would let me add characters after 32K. Downloaded WinBox 4.0 beta 17 and tried it. No problem editing and saving a script that exceeded 32K. So good news f...

k6ccc

Deleted (except it won't let me delete it)...

k6ccc

Also, as a general rule of thumb, avoid using VLAN 1. A lot of devices treat VLAN 1 as special and will sometimes do unpredictable things with it. Best to just avoid using VLAN 1 unless you have some device that requires it.

k6ccc

My problem is that I'm never on a network that is not VPN'd to the original.

Take your laptop to your local Starbucks or other establishment that has public WiFi and use that. Do make sure your laptop is properly firewalled so it does not pick something up...

k6ccc

Most important is that if you have EVER made any config changes to the router (and it sounds like you did long ago), NEVER EVER use QuickSet ever again. Quickset pretty much assumes you have a factory default configuration. If it's not in a factory default configuration, the results will be somewhat...

k6ccc

First problem I see is that you are showing 10.0.0.4 as the gateway, but there is no 10.0.0.4 device on your network drawing.

k6ccc

Splunk
See: viewtopic.php?t=179960

k6ccc

Correct, SwitchOS is GUI only, and looking at my only dual boot device that is SwitchOS 2.17, there is no checkbox for that.

k6ccc

FWIW, limit is 64KB in V7. But even in 7.17, /system/script/edit will only view up to first 32KB files, while both winbox and webfig will let you use the "full" 64KB allowed. Thanks. Note that I'm on 6.49.15 and Winbox 3.41. I was no where near 64KB, but could have hit 32K. If I have time...

k6ccc

If I am understanding your question, you are setting up the RTSP streams incorrectly in the router. The IP > Firewall > Service ports is services provided by the router itself. Webcam streams are not provided by the router, but rather by the camera. Should be NAT forwarding.

k6ccc

For future reference, when posting a help request, putting something useful in the subject makes it far more likely that you will get some help, and it makes the issue far easier to find in a search. For example, instead of "Assistance Needed ASAP", something more useful might be "Nee...

k6ccc

Export and post the config of the hAP. without that, we're guessing. Also confirm your error (or typo) that TheCat12 mentioned. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive...

k6ccc

I have 32KB script and it is not possible to add/edit it over Winbox, crashes it on save, but over WebFig works.

Interesting. Sounds like it's a Winbox issue, not a script limit.
I'm on Winbox 3.41 in case that makes any difference.

k6ccc

Well, I did a little clean up and made it far easier to just use a :if to skip the desired parts. However I ran into a situation I could not find in the Wiki. I hit the maximum size if a script. I did not know there was a maximum size, but the script editor in Winbox would not allow adding any more ...

k6ccc

Convert that section on one function and call it only when is needed. Easy.

Not quite so easy. Each time the script would have to call a different function (several dozen) because each section is different.
Possible? Yes. Easy? No.

Sounds like I just stay with another layer of :if

k6ccc

In a RouterOS script is there an equivalent to a GoTo statement in Basic? What I'm trying to accomplish is if a certain variable is some value, I want to skip a section of the script (about 30 lines). I can at least sort of do it with a :if, but it can be a bit convoluted. This will be repeated many...

k6ccc

Is the wired management computer getting a DHCP address from the Router? If so, the problem is almost certainly with the AP or the interface between the switch and the AP. Not knowing how the AP is configured, I would wonder if the issue is because you are sending untagged traffic to the AP from the...

k6ccc

Is this a very new router?
Check System > RouterBoard and see what the factory firmware version is. You can't downgrade to anything lower than that version.

k6ccc

As I recall, the Starlink app will give you a lot of information on the Starlink portion of the hop. Start with that.
No, I do not have Starlink, but a couple friends do and I have seen them showing off the app.

k6ccc

The RJ10 SFP produces a huge amount of heat. Best solution if you can do it is to swap to fiber modules instead.

k6ccc

Are you trying to access the forwarded ports from the Internet or from your own LAN? Second is post your configuration - otherwise we're guessing. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/ex...

k6ccc

I think what you are asking is if you can have the same IP subnet on the WAN connection as on your LAN. If that's the question, the answer is no.

k6ccc

So why not CSS318?

I thought of that one too. I wish it had come out a month earlier. would have been perfect for a task I have. Ended up with a CSS326 - which I have several of already.

k6ccc

Sounds like you need a switch. Your thought to use a RB260GS (also known as a CSS106-5G-1S) is a fine suggestion - I have several of them. They will give you five Gig-E ports plus an SFP if you need one more port. SwitchOS is quite different from RouterOS, but once you get the hang of it, it's fairl...

k6ccc

Glad you found the issue. At least it was easy.

Merry Christmas.

k6ccc

Confirming that all the other tabs work correctly?

k6ccc

First educated guess is that you had your router hacked. Look up NetInstall. Then rebuild the config. DO NOT reload a backup as that file has likely been compromised. If you have an export, you can start with that - again, DO NOT simply load that. Verify every line of code in the export to make sure...

k6ccc

Another option is the CRS326 is dual boot, so it can be configured to use SwitchOS. Makes a great fully managed switch.

k6ccc

I'd like to share a 10Gbit Internet Connection with 6 neighbours over 1Gbit fibre.

One thing to be cautious of is your ISP may not be very happy with you sharing your internet with other potential customers of theirs. May very well flat out violate your terms of service. I know it would for me.

k6ccc

<snip> My plan is to enable the QuickSet VPN access option <snip> No one mentioned this unless I missed it. For any Mikrotik router, if you have done ANY configuration on that router, NEVER use QuickSet ever again. Doing so may well break whatever config you have already done. QuickSet should only ...

k6ccc

customer cancel their internet access they don't always send back the router with the sheet with the default password. You gave the customer GOD access to the router? Why would you do that? Keeping track of the different default password is too bothersome Should just be part of your inventory manag...

k6ccc

using a strong password ... and a length of 9 characters.

No offense intended, but those two statements barely belong in the same sentence.

k6ccc

I've tried the Private/Incognito tab and my switch [CSS326-24G-2S+RM] still wouldn't upgrade, even thou it's going through the motions. And can't find the manual FW file on the download page on the website. https://mikrotik.com/download Expand the section for SwitchOS. Near the bottom of the list.

k6ccc

You ask about the WiFi device, but give absolutely zero information about it or what is powering it. And I hope the config of your router was not the complete config.

k6ccc

Flat out - wrong tool for the job. You want an FTP server, pick your favorite and put it on whatever computer type that FTP server runs on. Let your router be a router...

k6ccc

Nope.
Would be nice.

k6ccc

Or sit at your computer on the couch and order it online. Lots of sources for the CSS106-5G-1S I mentioned earlier.

k6ccc

As far as I know, there is no way to do that (I could be wrong on that). However what you could do is make the port to the couch a VLAN trunk and put a simple VLAN aware managed switch at the couch. Set that up so one port (to the rest of your network) is the VLAN trunk, and two of the other ports a...

k6ccc

Do NOT " only " disable admin, set to the admin one random long password, create one empty group with no privileges (policies) and assign it to admin.... Any particular reason for that as opposed to what I have done and completely delete the admin user ID? I have a completely different Us...

k6ccc

VLANs are easy once you get the hang of it. I am a little odd that I don't use a bridge in my router at all. However the router is not doing any switch functions - every port is a different LAN or VLAN trunk. All switch functions are done in separate managed switches (CSS326 running SwitchOS).

k6ccc

Do you mean Cat3 telephony wires ? I'm actually running an ethernet connection over Cat-3 telephone cable. I found I needed to lock it to 10Mb/s because if I allowed it to go faster, the retries were so bad that the overall throughput was lower. For the application, a connection at 10 Kilobit would...

k6ccc

The problem here is that most internal DC power supplies use Linier power supplies ( not switching power supplies ). North Idaho Tom Jones Where did you come up with that one? Almost nothing uses linear power supplies any more. Switching regulator chips are easier to come by and in many cases are c...

k6ccc

I made the same decision several years ago (when the 5009 was very new). At that time, ROS 7 was not really ready for prime time, and the 5009 requires ROS 7. I went with the 4011 mostly because of the ROS 7 requirement with the 5009. I have been very happy with my 4011 and yes, it's still running R...

k6ccc

All I can tell you is that NetInstall can be VERY picky. Make sure there is only one network connected to the computer - directly to the router you are trying to NetInstall. Make sure to turn off Wifi if that computer has it.

k6ccc

As Anav said, hard to tell without context, but remember in RouterOS, any packet that gets to the end of the whatever chain it is going through (usually Input or Forward) is accepted. So you really need a drop everything rule at the end of each chain. The rule you pointed out sort of accomplished th...

k6ccc

That makes no sense as described. However without your config, we're guessing. Please post your configuration and either a drawing of what is connected to what, or a detailed description of the same. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a ter...

k6ccc

You might be surprised at some of the things you lose by booting into SwOS. It’s rarely worth it, IMO. I read your piece tangent. You do have some valid points, and it was obvious that your objective is to show how much better RouterOS even for a switch - and I respect your opinions. Several of you...

k6ccc

How about telling us some useful information. First of all, what the heck is a HDHomeRun tuner? What model and software version of the Mikrotik switch? What is connected to what and how?
There will be more questions, but this is a good start.

k6ccc

If you plan to use a remotely operated power switch, make sure that with the router shut down that you will be able to access the power switch. It would not work well to use a remote power switch that is operating on the LAN from the router that is shut down...

k6ccc

What's your physical network arrangement? By that I mean are the various devices plugged into a separate LAN switch, or are they plugged into different ports on the same router? If going into the router (I presume into ports on a bridge), export and post your configuration. To export and paste your ...

k6ccc

My ISP so far is not making IPv6 available - which does not bother me at all. I have my main router setup as a IPv6 DHCP client and I look every once in a while to see if it is able to get an address. Otherwise I have "drop all" rules in both Input and Forward chains. I also have packet co...

k6ccc

Lookup Hairpin NAT in the docs or here on the forum.

k6ccc

What are you doing that you need to be actively making changes to that many routers at the same time?
Personally I don't think i have ever needed more than two open at the same time.

k6ccc

Reading your firewall rules was making my head explode. Do yourself (and the rest of us) a favor and move your firewall rules around so that all the rules in each chain are together. In other words, all the Input chain, then all the forward chain, etc. Does not make any difference to the router, but...

k6ccc

Unless I am completely not understanding your question - we have no clue what YOUR un-named ISP does. Ask them.

k6ccc

Updated three CSS326-24G-2S+ and one CRS326-24G-2S+ without issue.
As expected, no update available for my two CSS106 switches.

k6ccc

Interesting, I have a couple CSS106-5G-1S switches (not the r2) and they updated fine. I wonder what's up with the r2 version???

k6ccc

Agree with never using QuickSet. However, your you have a backup from before you used QuickSet? If not, you hopefully just learned something. Always make sure you have a backup before making major changes. Backup and Export is even better. Safe Mode would likely also have saved your bacon. None of t...

k6ccc

Lots of us here do use a Dynamic DNS service. Personally I have used Dynu DNS ( https://www.dynu.com/ ) for years. They have a free level and several paid levels - depending on what services you need. I am using their lowest paid level, although I have also used their free service. They have small c...

k6ccc

I THINK so - don't guarantee that however.

k6ccc

There is a couple of new releases since you posted

Only one. 2.16 was released on 23 Feb. 2024
SwitchOS lite has had a couple, but that only works on a few products.

k6ccc

You really use VLAN 1 for tagging?

Yes, he is using this for a ham radio application and the device being connected uses VLAN 1 and VLAN 2 and untagged traffic on the same port for one of the purposes and is not changable.

k6ccc

Sounds like a real need of understanding how subnetting works. A network does not simply start at whatever arbitrary address you want. There are specific breaks that can not be changed for an address and CIDR. Do a Google search for something like "How subnetting works" and do some reading...

k6ccc

I have to use VLAN 1 an my management VLAN as all my devices are on VLAN1. RouterOS must have some way out to use VLAN1 a management. RouterOS handles VLAN 1 just fine - but LOTS of other devices do not. Hence the recommendation to not use VLAN 1. In many cases other devices treat VLAN 1 as special...

k6ccc

Anything in your own config that would be blocking WinBox? Best bet is post your configuration - else we're mostly guessing.

k6ccc

For the most part, if you have multiple devices on the same LAN segment (which sounds like your situation), traffic between them never goes through your router, and therefore the router can't modify the traffic. If that is not the case please provide a network description (or better yet a network dr...

k6ccc

Clearly you need more whiskey.
Pass the Jack Daniels please...

Sorry, couldn't resist...

k6ccc

Did that configuration work in an earlier version of ROS? I just looked at my E-Mail settings in my RB4011 which is running 6.49.15 (so, a much earlier version). The only difference is that I am using TLS = Yes. Also, did you set up an application specific password in your G-Mail account settings fo...

k6ccc

SwitchOS or RouterOS? I would assume SwirchOS since you asked in that section of the forum - but you know what you get by assuming...

What software version?

k6ccc

When you post your configuration, please use a Code block. Makes it easier to read. In your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from t...

k6ccc

Remember that these days the default Windows configuration is to NOT allow the PC to be pinged. That is set in the Windows firewall.
Obviously I don't know what your .254 device is since you did not state it, but if it's a Windows PC, something to check.

k6ccc

Also, as a general rule of thumb, it can be an issue using VLAN 1. Although for your specific application it should not be a problem, but many other devices treat VLAN 1 as "special" and do various undesired things with it. Best just to avoid it.

k6ccc

A trick I have used for port knocking is to set the ports as bookmarks in Firefox (or whatever browser you use). You only need to let it try to connect for a second - and of course it will fail, so don't wait for it. So select the first bookmark, wait a second and click the X to cancel the attempt. ...

k6ccc

Why???????????

Use wireguard!!

Doing it from a work computer where I can't install Wireguard.

k6ccc

As a general statement, if you have an Internet facing port for very long you WILL be port scanned and have attempts on many of the common ports. You ISP will either laugh in your face, or at least laugh at you after ending the phone call if you ask them to fix that "problem". You need to ...

k6ccc

To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download i...

k6ccc

I didn't know that, I learn something new every day, thank you. Next time I'll be much more careful about safety, Safety is not so much the issue - although there are a few things not to make public. The far bigger issue is that trying to read a bunch of screen captures is very often hard to read a...

k6ccc

Thank you very much. Sometimes it's the obvious. I deleted the extra IP and the script worked correctly so you were right on the money. I will give your second suggestion a try. I understand exactly what it is all doing with one exception. Can you explain what the meaning or purpose of the "->0...

k6ccc

The VLAN should be as follows: VLAN 1 - 10.1.0.0/8 (Router and Switch / Cameras) DHCP 1 - 10.1.0.1-10.1.0.254 VLAN 2 - 10.2.0.0/8 (All connections from Switch) DHCP 2 - 10.2.0.1-10.2.0.254 VLAN 3 - 10.3.0.0/8 (Wi-Fi Devices / Mobiles) DHCP 3 - 10.3.0.1-10.3.0.254 VLAN 4 - 10.4.0.0/8 (Wi-Fi devices ...

k6ccc

Winbox is fine for setting up VLANs. Strongly suggest avoiding VLAN 1. Many devices treat VLAN 1 as something special (usually without telling you). Please don't post screen captures to show your configuration. Export and post your configuration. To export and paste your configuration (and I'm assum...

k6ccc

add action=accept chain=input comment=winbox dst-port=8291 protocol=tcp

You are still allowing unrestricted WinBox access from the Internet - VERY dangerous. Anav gave you a correction earlier.

k6ccc

Ding! Ding! Ding!! Totally forgot that I had in fact give the WAN interface a static 192.168.100.0/24 address because that is the local management address for the ONT. Simple solution will be to remove that address... Always look to what the tech did last - or in this case two steps ago... Thank you.

k6ccc

I have a dynamic public IP from my ISP. For years I have had a script that checks the address and sends some E-Mails if the IP has changed. Most of the script was right off the Wiki. My IP seldom changes, but when it would change, the script always worked. However it appears that when I updated the ...

k6ccc

You are posting this in the SwitchOS section of the forum. If you are running the CRS326 on SwitchOS, there is no ftp functionality.

k6ccc

I understood your layout, I was and still am surprised that you are getting a private IP range from your ISP. However with that said, in order to troubleshoot, please export and post your configuration. Else we are guessing. To export and paste your configuration (and I'm assuming you are using WebF...

k6ccc

Are you really getting 192.168.27.1 from your ISP?

k6ccc

I always considered this to be the basic functionality of VLAN.

Not something normally done. What is your use case for this?

k6ccc

One other note since your first Screen capture was showing you using QuickSet.

Once you make ANY changes to any RouterOS device, NEVER use QuickSet every again. You may very well end up losing any changes and also in a unpredictable configuration.

k6ccc

Using a BACKUP config from a different radio should not be expected to work. Backup is only to be used on the EXACT same device. Second, look at the factory firmware. You can never downgrade firmware to anything lower than the factory firmware. You would likely be better off upgrading the 7.12.1 rad...

k6ccc

Don't feel stupid. It actually would make sense to use the port number if there is no name. I put names on every port because it helps me remember stuff. Also useful on the VLANs page where the name will show up when you rest the cursor over a checkbox. Helps avoid clicking the wrong box.

k6ccc

For whatever it's worth, My RB4011 is directly connected to two different CSS326 switches and then there is one more CSS326 in the house. All the switches have been running 2.16 since within a day or two of 2.16 coming out. No problems at all.

k6ccc

The port listed is the port name - not the port number. Do you by chance have no name listed on the "Link" page? Here is one of my CSS326 switches with SwOS 2.16 http://k6ccc.org/Mikrotik/Hosts_listing.png In the event that the image does not imbed, here is a direct link to it: http://k6cc...

k6ccc

Post your configuration. Without that, we would be guessing. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and ...

k6ccc

I agree with holvoetn on not using the 10GB electrical SFPs. Use fiber SFPs. As for the POE, you may be limited to what kind of POE you actually need. If it's active POE (802.3af or 802.3at) the requirements are different than if it's passive POE, and at what voltage. So you need to see what your ca...

k6ccc

Also note that once you make ANY changes to the router, NEVER touch QuickSet ever again.

k6ccc

You are showing an interval of 00:00:00 instead of the required 1d 00:00:00. Note, you can enter that as 24:00:00 and ROS will translate that if desired.

k6ccc

Just an educated guess here. Since the clients with static IP addresses can reach the router, but DHCP clients can not, this sounds like an IP, not an arp issue. Go to one of the non working PCs and open a command prompt and execute: ipconfig /all Confirm that the computer received an IP address, an...

k6ccc

I agree with the suggestion to put comments that mean something to you for each firewall rule. Makes it far easier to remember a year down the road what you were doing.

k6ccc

Better and easier can be quite much anti-correlated. And easier can be subjective ... e.g. I've never practically used SwOS, so I guess ROS would be easier for me :wink: And I fully admit that I'm just the opposite. I have never done switching in RouterOS. Each port on every router is a separate LA...

k6ccc

I think if you better must go for a CRS switch which can offer much better management features because works using RouterOS, is worth the price increase Switching is SOOOO much easier to deal with in SwitchOS... specially on few ports devices like rb260. Dont forget we are talking about sub 60 USD ...

k6ccc

1. Ability to change the login from the standard "admin" Would be nice, but IMHO not overly needed. 2. Ability to set a password of 32 characters or more Do you really need over a 32 character password? There does need to be a limit from a coding standpoint. At least it's not limiting to ...

k6ccc

Export and post your configuration. Without that, we're guessing. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section...

k6ccc

For starters, export and post the config of both routers - otherwise, we're guessing. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then op...

k6ccc

For only a 20 meter span, can you at least temporarily run a cable either overhead on a messenger cable or even in a piece of conduit laying on the ground? Optical would be preferred over copper to avoid noise / ground voltage differences / etc. Obviously not a long term solution, but would that be ...

k6ccc

In my case, originally I did it because I was running two instances of a ham radio linking system. Each had (at that time) to be on a separate pubic IP address. So one was on on LAN that used one of my public IP addresses and the other instance was on a different LAN that used one of the other publi...

k6ccc

I did exactly what you are trying to do for years. Each LAN or VLAN used a different public IP on my DSL. This was ROS 5 and early 6, so Anav's information is far more current. Very easy and worked great.

k6ccc

Arm based devices must use v7, there is no option for them.

I don't think so...
From the Mikrotik download page, v6.49.15 is available for both ARM and ARM 64 devices.
And my RB4011iGS+RM (currently 6.49.8) shows that it is available for upgrade from the Packages page in WinBox
.

k6ccc

There are many reasons for server to go down ... one is that it emits smoke. I actually had that happen once - although it was running as a server (and a server OS) it was actually a dell tower. Everything after that that was running as a server was a "real" server machine. The first of w...

k6ccc

I have not played with ROS 7 yet except my old RB750Gr3 router that's sole purpose will be to provide a WireGuard VPN (have not tried that) so I can learn how to set up WireGuard.
My primary RB4011 router that does everything is still 6.49.8.

One of these days...

k6ccc

It's been several years since I did this and it was ROS 6 something. My DSL gave me up to eight static IP addresses. I had each local LAN use a different public IP. As I recall, I just had to specify the Preferred source in the IP > Routes table. I don't THINK I had to do anything else - but as I sa...

k6ccc

instead research your network neighbourhood, select a couple if NTP servers you trust and configure your router with them. Or if you really want control of it, go buy your own NTP server hardware and configure your router to use that. There are several ntp server products for not all that much mone...

k6ccc

This is a good example case of why .rsc exports could be a preferred option over binary .backup for most day-to-day backup tasks Or both export and binary - each has their advantages. I have a script in each of my routers that creates new export and binary files every night and then sends those fil...

k6ccc

Can't help you on the RouterOS side as I don't use a bridge in my router. However on the SwitchOS end, in addition to what mkx said, on the trunk port on the VLAN tab, set Egress to "Add if Missing". Also, although your drawing shows VLAN 99, you do not have it defined on the VLANs tab. La...

k6ccc

How are you measuring that? I have a RB4011 as my primary router that is directly connected to my fiber ONT via a Gig-E connection. If I test with the speedtest in the router using the high speed test facility generously hosted by TomjNorthIdaho, I consistently get 975 - 990 Mb/s. If I test via my d...

k6ccc

Without seeing your configuration, we are guessing. Export and post your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then ...

k6ccc

I have not had any failures - for whatever that's worth. I'm not trying to power anything from any of my hAPs however.

Have you actually measured the current draw - as opposed to just reading specs?

k6ccc

Please note when you post the config, please include your config in a code block. The code block is the 7th icon on the row of icons above the text entry box. It looks like a square with a blob in the middle. When your press that, it will produce a beginning and ending code block. Past your config t...

k6ccc

+1 on NOT using VLAN 1. Although the Mikrotik will handle it fine, LOTS of other devices treat VLAN 1 as something special - often unpredictably.

k6ccc

Interesting on the Chinese SFPs. I am also using non-Mikrotik 10G optical SFPs in my CSS326 switches, and they are working great - and were A LOT less expensive then the Mikrotik SFPs. It is well known that the electrical SFPs get hot. I think that the 10G optical SFPs are running cooler than the 1G...

k6ccc

but how would I restrict management to one port in switchos? Or I guess how would I limit management to a vlan in switchos? On the System tab, there is a row of checkboxes for "Allow from ports". That is the ports of the switch from which switch management is allowed. Below that is "...

k6ccc

Confirm if you are doing this under RouterOS or SwitchOS? I ask because of your statement that if it was a router, it would be trivial. If you are using RouterOS, it would still be trivial. If you are using SwitchOS, the way I would do it is to create two VLANs. One would be your VLAN 200 Management...

k6ccc

Did you really mean that LAN B should have no access to LAN B? Did you really mean no access B to A? If I understand what you are trying to do, it is possible, but without your configurations, we would be guessing. Please post both configurations. To export and paste your configuration (and I'm assu...

k6ccc

Or reboot the client. Or disconnect the LAN cable to the client and then re-connect it. Or wait a while.

Changing the IP to static or changing that IP address on the server does NOT force an immediate IP change on the client. The IP will change next time the client requests an address.

k6ccc

I was able to recreate the issue by just adding the management vlan, that is if I try the upgrade from vlan tagged network it will fail... That's interesting. All five of my switches are accessed via a Management VLAN that is one of the VLANs on a trunk port. All originally were 2.13 and upgraded w...

k6ccc

Watching this thread. I am still running 6.49.8 on my RB4011iGS+, but expecting to move to ROS 7 one of these days...

k6ccc

This is copied from WinBox because in my opinion it's easier to read than an export. If you want the export version, just ask. The first part creates the backup, export and version files. Next is to send some of those files via E-Mail. Last is to use ftp to transfer the files to my file server. My s...

k6ccc

As a followup, I upgraded all three CSS326-24G-2S switches from 2.13 to 2.16 about 14 hours ago and the upgrades went smooth and no issues seen since. I am holding off on updating the CRS326-24G-2S for a while because it's at a remote radio site that I can't physically get to because I recently had ...

k6ccc

My RB4011 with a small DHCP pool (10 or 20 IPs) for each LAN and a large number of static reservations, assigns from the top of the pool (on the rare occasions that an unknown device connects). All regularly known devices have static reservations.

k6ccc

Upgraded my CSS106-5G-1S and CSS106-1G-4P-1S without issue. Both are fairly non-critical. I will wait a while and then update the three CSS326-24G-2S+ and the CRS326-24G-2S+.

k6ccc

You need a HairPin NAT.
https://help.mikrotik.com/docs/display/ROS/NAT (about a quarter of the way down the page)

Edit: I misread the question (that's what I get for doing it FAST), so this answer is not likely what you need... sorry.

k6ccc

If I get what you're asking, it doesn't. You need something that will function as a Syslog Server. Lots of them available from very simple to very complex.

k6ccc

Post a screen capture of the VLAN and VLANs tabs on the switch.

k6ccc

In one of untagged ports I have switch (just bridge over all ports, nothing else). Do I need to setup vlan also on this switch, or it will work, since port is untagged? It does not work in my case, but I want to know theory first, to be able to better find cause (wrong router configuration or switc...

k6ccc

I agree with Jotne. In my case, every night, I have a script that ftp the log files to my file server (along with the config export and backup files).
One of these days I will work on Splunk...

k6ccc

It's a simple manner to change the IP range on the Mikrotik so there is no conflict. As gigabyte091 said, please post your configurations. Since you are new, I will tell you how to do that. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal wind...

k6ccc

1) Once in a while - usually just use <Own>
2) Loads a saved layout after Winox connects.
3) No opinion
4) It's OK.
5) Nothing yet.

k6ccc

Thanks mkx. Although I have seen that before, I figured it was a good one to bookmark.

k6ccc

To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download i...

k6ccc

The Hairpin is used so that you can access the server from your local LAN using the public IP address or URL. To get port 80 to forward to the server you need a Destination NAT add action=dst-nat chain=dstnat comment="Web Server on Jupiter." \ dst-port=80 in-interface=E10_Fiber_Internet pr...

k6ccc

You gave us almost no information to go on. Start off by exporting and posting your config. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". T...

k6ccc

The rule as shown is in the Input chain. Needs to be in the Forward chain.

k6ccc

One could easily replace the port knocking with my cell phone connecting to wireguard ( logged ) and script uses that for WOL. :-) Food for thought. Assuming you has already thought of that but its not so easy maybe.... Not with S6. Although my two "secondary purpose" routers are 7.13, th...

k6ccc

@k6ccc

we know the theory behind of input/output give us e.g. for that, so we can see it

Read post #2. I gave examples of each.

k6ccc

How does a port knocking affect a wake on LAN for PCs....... not sure how I see that would work. The port knock completion writes an entry in the log. A script checks for that log entry every minute. When it sees the correct text in the log, it executes the WOL. Took a while to come up with that on...

k6ccc

what is the right number of ports 3,456?? The answer to that likely depends on how import that security is. I have several port knock sequences that vary from 2 step to 6 step. Some of them are pretty low importance - for example, two of them trigger a Wake On LAN in order to boot up one of two com...

k6ccc

Let's start off with what router, what router software version, and confirm you mean in IP > Addresses? If that is the case, no - never seen that problem. Are the addresses in question static or dynamically assigned? If we get very far, you will need to post your configuration, so to avoid the rush,...

k6ccc

If you don't need anything pacific you can just use action, input , accept to allow everything. Actually, at the end of any chain in the router, there is an implied accept. In other words, if there are no rules in a chain, that chain will accept every packet. One general rule of thumb is to specify...

k6ccc

The common three chains are: Input: Packets that are destined to the router itself. For example your packets to a Winbox or terminal session; or someone pinging you. Output: Packets that originate from the router itself. For example the packets that Winbox generates back to you; or responses to the ...

k6ccc

No. Not happening.

k6ccc

Make sure that the laptop that can't be pinged has it's Windows Firewall set to allow ICMP traffic. Default is to not allow ICMP traffic.

k6ccc

Agree with mkx. Here are the VLAN and VLANs tabs for one of my CSS106-5G-1S (RB260GS) switches. Note that I do not use Optional, but rather "Strict" on the VLAN mode and "Only tagged" or "Only Untagged" on the VLAN Receive mode - UNLESS it is a Hybrid port (as the two O...

k6ccc

But speaking of rebooting, is it a good practice to reboot the router periodically, say, once a week?

You should not need to. The only time I reboot any of mine is when they get a firmware update. I just looked, my primary home router has an uptime of 159 days 16 hours.

k6ccc

Yes, that is better. The original problem is that your NAT rule was forwarding ALL port 21 traffic to your own FTP server. Kind of a problem when you were trying to reach some external FTP server.

k6ccc

Lots of devices (not just Mikrotik) do strange things with VLAN 1. Best to NEVER use VLAN 1 unless you have a specific use case that requires it (I do). That's worth knowing. What kind of strange things? Treat it as a management VLAN (often without telling you that). Treat it as a VLAN that you hav...

k6ccc

I will be the first person to tell you that I am terrible a RouterOS scripts. Most of the ones I have originated from someone elses script that I modified a bit to meet my purposes. However when I have needed to troubleshoot a script, a couple things that can help. Start by adding a bunch of info lo...

k6ccc

Not number of filters themselves would account for resource hunger, but their "weight" - amount of parameters to check inside each As I understand it, that is a very good summary. Personally I use a number of jumps to some other chain. For example I have four Raspberry Pis that each can b...

k6ccc

Lots of devices (not just Mikrotik) do strange things with VLAN 1. Best to NEVER use VLAN 1 unless you have a specific use case that requires it (I do).

k6ccc

Go into your browser and set an exemption to allow non-secured access on the IP for your switch.

k6ccc

Let me do this in my best Rod Serling voice: Little did you know that you were living in the Twilight Zone....

k6ccc

The port is a slave because it is a member of the Bridge. To make it not a slave (of the Bridge), remove the port from the Bridge.

k6ccc

Noted. I don't do anything in switching or bridging in any of my routers - just routing. All switch function is done in separate switches.

k6ccc

Said in another way: if I need to block port X for both TCP and UDP, I need to use two rules or can I simply use one rule without specifying the protocol? Yes, you need to specify the protocol for each. However, as a general rule of thumb, a better way to set up your firewall rules is to explicitly...

k6ccc

Can you explain what you mean by "Make sure your computer has an IP address on that network"?

I mean, make sure your computer has an IP in the 192.168.88.0/24 address range.

k6ccc

First of all, once the router is set up, NEVER EVER use Quick Setup again. Most likely the router is back to the default IP address of 192.168.88.1. Make sure your computer has an IP address on that network. You mentioned double NAT. Sounds like there is other devices involved. Please describe your ...

k6ccc

Never seen that one...
I don't normally have a LAG on any of my CSS326 switches, but when I have had one, the connected devices correctly showed up in the hosts table on the correct ports.
What version of SwitchOS?

k6ccc

How many devices?
any special capabilities needed.

k6ccc

Too busy to look in detail. Maybe someone else can give some insight.

k6ccc

Just FYI, the code examples I gave earlier are from a router running 6.49.10.

k6ccc

Another doubt. In addition to the ".backup" file, can you email an encrypted ".rsc" export file? I E-Mail a backup, Export and a Version text file every night. I addition messages extracted from the log when someone logs in or out, or a port knock sequence completes. Additionall...

k6ccc

OK, I took a quick look at the two Mikrotik references. My guess was correct, one is for the older RB260 and the other is the newer RB260 (aka CSS106-5G-1S).

k6ccc

I have not looked at your collection of links in the first post (not taken the time), but I have several RB260 switches using a SFP as a trunk port. Is this on one of the "old" RB260s that are limited to SwitchOS 1.x or one of the "new" ones also known as a CSS106-5G-1S that uses...

k6ccc

Post your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you crea...

k6ccc

Subnet mask most likely should be 255.255.255.0 - or if you prefer /24. See Networks tab.

k6ccc

Posting screen captures or WebFig or WinBox is a DREADFUL way of showing configurations. Learn how to at lest basicly read and enter commands. However here it is in WinBox (very similar to WebFig)

k6ccc

Each of my routers sends multiple E-Mails per day via G-Mail. Here is my E-mail setup: /tool e-mail set address=smtp.gmail.com from="RB4011iGS+ Router" password=mypasswordhere \ port=587 start-tls=yes user=userid@gmail.com And here is an extract from a script that uses the E-Mail to send a...

k6ccc

Add a new IP Pool and assign that new pool to the new DHCP server. For example here are two of my networks. .101 has a physical interface on the router, whereas the .102 is on a VLAN out of the router. /ip pool add name=".101 DHCP pool" ranges=192.168.101.201-192.168.101.219 add name="...

k6ccc

@helipos Are you talking about what I circled in red?

If that's he case, note that every command that is longer than one line has everything except the first line indented 4 characters. Makes it a hell of a lot easier to read.

k6ccc

On the VLAN tab in SwitchOS, here is the way I do it for VLAN tagged trunks (assuming no need for untagged traffic). VLAN mode = Strict, VLAN Receive = Tagged only, and Default VLAN ID = some unused number ( I normally use 970 + the port number ). If the port needs to also have untagged traffic, the...

k6ccc

Re #2. I end ALL chains with a drop everything rule. The one before it is not needed.

k6ccc

I don't see any major issues with your configuration. I do have an old recollection about LAGs having issues in some situations with VLANs. As a test, drop one of the connections in the LACP and see if that changes anything - you may need to remove the LACP, not just kill one of the ports.
.

k6ccc

Let me make sure I understand your problem. You have a router that has multiple IP addresses, The router NTP client is sending NTP requests either from some address that does not belong to the router or more likely from the wrong address based on what interface the packet is going out on. I just loo...

k6ccc

Confirming that the ONT is expecting that all traffic between it and whatever connected device is VLAN tagged with VLAN 201. Also confirm that the VLAN 200 is simply a dummy number that does not exist anywhere (except SwitchOS requires you to put SOMETHING there). I do that on ports that are VLAN tr...

k6ccc

One more note. I just checked on my RB750Gr3 and it updated from 6.49.8 to 7.12
So, yes, the update site is working...

k6ccc

Agreed. Mikrotik wireless is not their strong suit. Routers and to a slightly less extent switches is where they shine.
Personally I have a bunch of Mikrotik routers and switches at home, but the WiFi is Meraki.

k6ccc

In response to your query, I happen to be connected to one of my routers (an RB750r2), so I did a check for updates. It immediately found that that there was an update (stable channel) from 6.49.8 to 6.49.10. The router was able to download the update just fine.

k6ccc

Does the Client 2 computer know that 192.168.10.2 is it's gateway?

k6ccc

I found that css610 does not supports "independent vlan learning", so when router connect wan an lan to the same switch, there are two ports using same mac address.Eventhough they are in separated vlans, but sharing the same table which leads the communication issues. I changed the ax6000...

k6ccc

What device and RouterOS version to start with?

k6ccc

Also, find your Shift key and give it some love. It's lonely.

Love it!

k6ccc

Your first drawing and posted configuration do not match (IP addresses). Getting one to work should be very simple. As long as the PC knows that the router is it's gateway, it will just work. Remember, it's a router - it routes unless you tell it not to. Getting three devices with the same IP to wor...

k6ccc

I am doing similar at home. All ports on the router connect to different VLANs on the same switch. Works fine. Couple comments. First is I HIGHLY recommend NOT using VLAN 1. Although SwitchOS has no issues with it, a lot of devices treat VLAN 1 as "special". Often with undocumented or poor...

k6ccc

I don't recall that you can. I have always set static IPs on network elements.

Search found 1637 matches