Community discussions


Search found 1072 matches

by jvanhambelgium
Tue Jun 18, 2024 2:39 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1668

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

OK, thanks for explaining it to me. I have only one doubt. When I banned the IP on the router firewall, the banned log says: banIP_ prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac XX:XX:XX:XX:XX:XX, proto TCP (SYN), 113.XXX.XXX.XXX:49987->61.XXX.XXX.XXX:100...
by jvanhambelgium
Mon Jun 17, 2024 5:33 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1668

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

Why does this request reach the server 192.168.0.3, when the router firewall should drop all new connections in forward except those to the ports set in NAT (80,443,2203)? Maybe the internet host found open port 2203 and is now trying to brute-force in? I've seen that as well ... one has to keep in...
by jvanhambelgium
Sun Jun 16, 2024 6:40 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 1668

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

Why do you think/state " ...upon analyzing the logs of the server 192.168.0.3, I've noticed continuous SSH brute force or scanning attempts (I'm not sure) on random ports (not the standard SSH port or my SSH port 2203) originating from an IP address in China: Apr 28 11:36:54 cloud sshd[28265]: ...
by jvanhambelgium
Sat Jun 15, 2024 1:42 pm
Forum: General
Topic: Bridge firewall [SOLVED]
Replies: 15
Views: 920

Re: Bridge firewall [SOLVED]

What product are you using? I'm pretty sure hardware-offloaded stuff/config will not always behave as simply as you might think, which then can explain what you are seeing. I think I remember reading somewhere that you can only perform MAC-filtering in the forward-chain when HW Offloading is DI...
by jvanhambelgium
Sat Jun 15, 2024 12:26 pm
Forum: General
Topic: Bridge firewall [SOLVED]
Replies: 15
Views: 920

Re: Bridge firewall [SOLVED]

Limit the amount of broadcast you are sending out? Where to? Broadcasts will not pass the boundaries of the segment you are in anyway. What problems are you encountering? What product-type are you using? Without a detailed schematic (container interfaces/IPs etc.) it is impossible to even comment ...
by jvanhambelgium
Fri Jun 14, 2024 12:00 am
Forum: General
Topic: Is there a way to set local ip-address of wireguard tunnel?
Replies: 4
Views: 404

Re: Is there a way to set local ip-address of wireguard tunnel?

What is "a bgp network"?
Is 3.3.3.x/24 a piece of your (public) PI-space?
Is this "Internet" connected?

Or is that 3.3.3.x prefix coming in via either ISP1 or ISP2?
by jvanhambelgium
Thu Jun 13, 2024 11:14 pm
Forum: RouterBOARD hardware
Topic: HOT S-RJ10
Replies: 25
Views: 2815

Re: HOT S-RJ10

My S+RJ10 in my RB5009 has always been running about 65°C - 70°C since day 1 Anything special you did regarding cooling or airflow? Mine gets to 95C within 15 minutes. Same RB5009, same RJ-10 :? Nope, no attachments/heatsinks added. RB5009 is mounted in a small 19" cabinet against the wall. Per...
by jvanhambelgium
Thu Jun 13, 2024 8:27 pm
Forum: RouterBOARD hardware
Topic: HOT S-RJ10
Replies: 25
Views: 2815

Re: HOT S-RJ10

My S+RJ10 in my RB5009 has always been running about 65°C - 70°C since day 1
by jvanhambelgium
Wed Jun 12, 2024 6:43 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 963

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

If you want anyone to seriously take a look at it you'll probably need to provide the *full* config. This is very weird; if you cannot even ping from the CLI there is something fundamentally wrong... You could also try the "Quickset" and set up the box first with default settings? At least...
by jvanhambelgium
Wed Jun 12, 2024 6:18 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 963

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

When on the CLI of the router, can you ping 1.1.1.1 for example?
What does your routing table look like? (/ip/route/ print)
by jvanhambelgium
Wed Jun 12, 2024 2:31 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 963

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

Best thing is to provide a FULL config-export of your box, minus sensitive stuff like serial-numbers or some bits of the public IP itself. I assume your Win11 PC can ping its default-gateway? (= the RB5009) From the RB5009 console, can you ping something like 8.8.8.8? Or not even that? I can be ...
by jvanhambelgium
Wed Jun 12, 2024 2:05 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 963

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

Again, it can be dozens of reasons. This could have been 1 ;-) It was worth trying.
You state traffic-counters are moving. Can you test if your issue is DNS-related or actual connectivity?
Can you ping 8.8.8.8 from a connected PC?
What DNS are your PCs on the LAN using?

etc, etc ...
by jvanhambelgium
Wed Jun 12, 2024 1:43 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 963

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

Remove the to-address value ??
by jvanhambelgium
Wed Jun 12, 2024 12:25 pm
Forum: General
Topic: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs
Replies: 6
Views: 593

Re: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs

# create bridge /interface bridge add protocol-mode=none ingress-filtering=yes name=bridge1 vlan-filtering=no Shouldn't that be vlan-filtering=yes?? If you go now on your device in the CLI, type /interface/bridge and then "print", does that say "vlan-filtering=yes" in the config?
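The post above asks why the bridge is created with vlan-filtering=no. As an added example (not code from the thread or from MikroTik), here is the order in which a filtering bridge is normally built so that hosts in the VLANs can reach their gateway; only the name "bridge1" and the vlan-filtering setting come from the post, while the port names ether2/ether3, VLAN IDs 10/20 and the 192.168.10.0/24 and 192.168.20.0/24 subnets are assumed.

```routeros
# Added example, not code from the thread. Only "bridge1" and the
# vlan-filtering setting come from the quoted post; port names ether2/ether3,
# VLAN IDs 10/20 and the 192.168.10.0/24 / 192.168.20.0/24 subnets are assumed.

# 1. Create the bridge with filtering still OFF. With vlan-filtering=no the
#    bridge ignores port pvid and the bridge VLAN table, so untagged frames
#    from ether2 are never placed in VLAN 10 and the router's vlan10 interface
#    (the default gateway) never sees them.
/interface bridge
add name=bridge1 protocol-mode=none ingress-filtering=yes vlan-filtering=no

# 2. Access ports: untagged ingress is assigned the port's PVID, tagged
#    frames are rejected.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge1 interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged

# 3. VLAN table. "bridge1" itself must be a TAGGED member of every VLAN that
#    carries a router IP; leaving it out is the usual reason hosts cannot
#    reach their default gateway.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether3

# 4. Layer-3 interfaces and gateway addresses on top of the bridge.
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan20 interface=bridge1 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10
add address=192.168.20.1/24 interface=vlan20

# 5. Only now enable filtering, with the VLAN table already complete, so the
#    management path stays up. Verify with "/interface bridge print".
/interface bridge
set bridge1 vlan-filtering=yes
```

Enabling vlan-filtering is the last step on purpose: switching it on before the bridge is a tagged member of the management VLAN is the classic way to lock yourself out of the box, after which only a port off the bridge or the serial console helps.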
by jvanhambelgium
Wed Jun 12, 2024 12:17 pm
Forum: Beginner Basics
Topic: Firewalls
Replies: 2
Views: 251

Re: Firewalls

If they added Fortinet ABOVE the Mikrotik, they need to get stuff fixed on the Fortinet first. Without a detailed picture it is difficult to guess; things might have changed. (e.g. before Fortinet the public IP was on the RB2011, after "slide-in" of the Fortinet the public IP moved to the Fortinet et...
by jvanhambelgium
Tue Jun 11, 2024 7:06 am
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4960

Re: No WAN access via Wireguard

Ahh... you did not even have a DNS server configured then for your Wireguard connection??!!
Yeah ... that explains a lot...

Anyway, glad it works now.
You can disable some logging now ;-)
by jvanhambelgium
Mon Jun 10, 2024 10:55 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4960

Re: No WAN access via Wireguard

The thing is, you need SOME rule that gets hit by packets having source-IP = 192.168.87.3 (e.g. your phone) and wanting to go out on the Internet (once it arrives from the wireguard decapsulation/decrypt). So perhaps DO enable some logging on FORWARD rules too, even the ALLOWED ones regarding Wireguard...
by jvanhambelgium
Mon Jun 10, 2024 8:41 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4960

Re: No WAN access via Wireguard

add action=accept chain=forward comment="WG to LAN" dst-address=\ 192.168.88.0/24 in-interface=wireguard Well, this rule is not going to help you get to the internet! You are allowing to pass ONLY traffic towards 192.168.88.x. If you punch www.facebook.com on your mobile device obviously...
by jvanhambelgium
Mon Jun 10, 2024 8:26 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4960

Re: No WAN access via Wireguard

add action=accept chain=forward comment="WG to LAN" dst-address=\ 192.168.88.0/24 in-interface=wireguard But your WG-client has a 192.168.87.x config? hm, I thought I should interpret it as traffic coming from the wireguard interface should be forwarded to destination addresses (192.168.88.0/2...
by jvanhambelgium
Mon Jun 10, 2024 7:20 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4960

Re: No WAN access via Wireguard

add action=accept chain=forward comment="WG to LAN" dst-address=\
192.168.88.0/24 in-interface=wireguard

But your WG-client has a 192.168.87.x config?
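The rule quoted in this thread only lets WireGuard clients reach the LAN, which is why the phone gets no Internet. As an added example (not code from the thread or from MikroTik), the configuration below shows that rule next to the two pieces that were missing: a forward accept towards the WAN and source NAT. The interface name "wireguard", the client range 192.168.87.0/24 and the LAN 192.168.88.0/24 are from the thread; the interface-list name "WAN" is assumed.

```routeros
# Added example, not code from the thread. From the thread: the WireGuard
# interface "wireguard", client range 192.168.87.0/24, LAN 192.168.88.0/24.
# Assumed: the uplink sits in interface-list "WAN" (as in the default config).

/ip firewall filter
# The rule quoted in the thread. It matches ONLY packets whose destination
# is the LAN; a packet from 192.168.87.3 towards www.facebook.com falls
# through to whatever drop rule follows and never reaches the srcnat chain.
add chain=forward action=accept comment="WG to LAN" \
    in-interface=wireguard dst-address=192.168.88.0/24

# Missing rule: let WireGuard clients out to the Internet as well.
# Both accept rules must sit ABOVE the generic forward drop rules.
add chain=forward action=accept comment="WG to Internet" \
    in-interface=wireguard src-address=192.168.87.0/24 out-interface-list=WAN

# Troubleshooting aid from the thread: log every forwarded packet coming
# from the tunnel (placed first so it fires before any accept/drop).
# Disable it again once the tunnel works.
add chain=forward action=log log-prefix="wg-fwd:" \
    src-address=192.168.87.0/24 place-before=0

/ip firewall nat
# Without source NAT the reply would be addressed to 192.168.87.x, which the
# ISP does not route back to you. Masquerade everything that leaves via WAN.
add chain=srcnat action=masquerade out-interface-list=WAN
```

Check with /ip firewall filter print stats that the "WG to Internet" counter moves when the phone browses; if only the log rule counts, the packet is being dropped further down. Two things outside the router also have to be right, and the thread ends on one of them: the client's AllowedIPs must cover 0.0.0.0/0 (not just the LAN) and the client needs a DNS server pushed through the tunnel.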
by jvanhambelgium
Tue Jun 04, 2024 4:19 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 837

Re: cycle outgoing IP addresses

If customers purchase a so called "ip-pack" with us anyway, they get 5 adjacent/consecutive IPs.
Depending on the config, that could be 1 public fixed IP and the above 5-block routed to it for example.
by jvanhambelgium
Tue Jun 04, 2024 3:56 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 837

Re: cycle outgoing IP addresses

Something like this ?

viewtopic.php?t=167814
by jvanhambelgium
Wed May 29, 2024 5:05 pm
Forum: General
Topic: Pretty unique Poe case. 3750x UPOE - mikrotik cube
Replies: 3
Views: 669

Re: Pretty unique Poe case. 3750x UPOE - mikrotik cube

Yeah... I've seen some strange stuff on C9300 too and had to play a lot with parameters to power some fancy doorphones (2N IP Style). Sure you are hitting no PoE bugs? What release are you on? I've seen 1 case where a Raspberry Pi with PoE would not boot on a C9300 with old 16.12.x code. Worked fin...
by jvanhambelgium
Tue May 28, 2024 4:04 pm
Forum: RouterBOARD hardware
Topic: RB5009 performance issue
Replies: 7
Views: 724

Re: RB5009 performance issue

This router is not capable of 2.5Gbit/s. Not in real life condition With fasttrack and all optimizations tested it with iperf, PPPoE speed max 1.6Gbit/s because CPU Mhz/software limits speed. Cable-modems do not use PPPoE in general. Plain DHCP across the ethernet and that's it. So that is already ...
by jvanhambelgium
Tue May 28, 2024 8:45 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 289
Views: 79400

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

What would it take to be able to use the same $listname across different downloads? I prefer working with 1 big list, and in the comments section I provide info about the origin of that list. $update url=("https://" . "iplists.firehol.org/files/firehol_level3.netset") listname=D...
by jvanhambelgium
Tue May 28, 2024 8:25 am
Forum: RouterBOARD hardware
Topic: RB5009 performance issue
Replies: 7
Views: 724

Re: RB5009 performance issue

The only true testing is to disconnect the ISP, put in some testing-PC and perform iPerf *through* the RB5009 or some other test-tool. I would not rule out your ISP.... "cable modem" is a shared medium and you never know exactly what happened. You also probably do not have a performance guarantee...
by jvanhambelgium
Sun May 26, 2024 11:34 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

Well then simply perform 2 tasks 1) Create an "address-list" and put the IP(s) in there that are allowed to "hit" the dstnat-rule https://youtu.be/WVxj9v4J3xM?si=uKyKTgVLo1UhNqKc (look around minute 2:15 for the access-list creation part) 2) Edit the NAT-rule and select the correct ...
by jvanhambelgium
Sun May 26, 2024 10:52 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

It depends on how you perform the NAT. If you also perform some snat on the packet then the SAT-receiver would only see a packet coming in from 192.168.88.1 (the IP of the bridge on the Mikrotik). Without this extra snat the original source-IP is retained. This could make a difference in some scenarios...
by jvanhambelgium
Sun May 26, 2024 9:23 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

There is no protection on this Linux Sat-server so that it does not accept incoming requests from IPs other than the LAN-range 192.168.88.x?? You never know. I think the dstnat actually works, but I don't see why it should not work end2end. I have several such dstnats and they just work, the only d...
by jvanhambelgium
Sun May 26, 2024 12:25 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

But what IS running on that port 82? Some web-interface?
What happens if you connect from another 192.168.88.x device on your network to the IP on port 82?
by jvanhambelgium
Sat May 25, 2024 9:46 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

Then I'm afraid the only option is to start capturing packets to effectively investigate if the packet is getting there. Looking at the counters it seems the DNAT does work and some packet is passing through the box on its way to 192.168.88.68 on port 82. If you go in Winbox to Tools -> Telnet -> and...
by jvanhambelgium
Sat May 25, 2024 9:32 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

Can you disable the embedded webserver in the Mikrotik ?
Under "IP" -> "Services" and look for the "www"
by jvanhambelgium
Sat May 25, 2024 9:10 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

Chain must be FORWARD in the "duplication rule"
It is about traffic GOING THROUGH THE BOX
by jvanhambelgium
Sat May 25, 2024 8:39 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

These screenshots don't always tell the full picture or show all attributes clearly. A textual config is straight to the point...
I see some jumps to custom chains etc,etc.
by jvanhambelgium
Sat May 25, 2024 8:34 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

Make a copy of Rule3 and place it just below Rule3 (you can never do harm like that) Then edit the rule and in "General" on the bottom make sure the "Connection NAT State" menu has selected "dstnat" flag. Clear all other flags that are on the "Connection State"...
by jvanhambelgium
Sat May 25, 2024 8:06 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

The DNAT seems to hit, looking at the traffic-counters.
What are the Filter Rules in the FORWARD chain? What do they look like?
by jvanhambelgium
Sat May 25, 2024 9:48 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

Execute something like this on the CLI: /export file=myconfig (minus router serial number and any public WAN IP info, keys etc..) It will create a file and then you can get it off your router with Winbox for example and upload it to the forum. If you don't understand any of the above, I suggest you sta...
by jvanhambelgium
Sat May 25, 2024 9:23 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

Before anyone will jump in to support you, you'll be asked to provide your full config anyway. You might have broken things because of "I have done many things". Do you have a rule in the FORWARD chain to allow (valid) DNAT-traffic "through"? This should be part of the default fir...
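The VU+ posts above circle around three things: restricting the dst-nat rule to an address-list, the optional snat that makes the receiver see 192.168.88.1 instead of the real client, and the forward rule keyed on connection-nat-state=dstnat. The "Firewall doesn't drop new connections in forward" posts at the top of this page are the same picture from the other side (a DNATed port is reachable by anyone on the Internet, hence the brute-force attempts). As an added example (not code from the thread or from MikroTik), here are all three together in the order the default firewall expects. The receiver 192.168.88.68:82 and the LAN come from the thread; the interface-list "WAN" is assumed and 203.0.113.10 is a constructed placeholder for the one remote host that may connect.

```routeros
# Added example, not code from the thread. From the thread: the receiver is
# 192.168.88.68 port 82, the LAN is 192.168.88.0/24. Assumed: the uplink is in
# interface-list "WAN"; 203.0.113.10 is a constructed placeholder for the one
# remote host that may connect.

/ip firewall address-list
add list=sat-allowed address=203.0.113.10 comment="remote host allowed to reach the receiver"

/ip firewall nat
# DNAT only for sources on the list. Anyone else does not match here, so the
# connection is never marked dstnat and is dropped by the forward chain.
add chain=dstnat action=dst-nat comment="port 82 -> receiver (source-restricted)" \
    in-interface-list=WAN protocol=tcp dst-port=82 src-address-list=sat-allowed \
    to-addresses=192.168.88.68 to-ports=82

# Optional, as discussed in the thread: also source-NAT the forwarded
# connection so the receiver sees it coming from the router's bridge IP
# (192.168.88.1) instead of the real client. Needed only when the receiver
# rejects non-LAN sources, at the cost of losing the client IP in its logs.
# add chain=srcnat action=masquerade dst-address=192.168.88.68 protocol=tcp dst-port=82

# Normal outbound NAT for the LAN.
add chain=srcnat action=masquerade out-interface-list=WAN

/ip firewall filter
# Order matters. First the established/related shortcut, then drop invalid,
# then the "connection-nat-state=dstnat" rule the thread asks for, and last
# the default-config rule that drops every other new connection from WAN.
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept comment="allow DNATed connections through" \
    connection-state=new connection-nat-state=dstnat in-interface-list=WAN
add chain=forward action=drop comment="defconf: drop all from WAN not DSTNATed" \
    connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
```

Watch the counters with /ip firewall nat print stats and /ip firewall filter print stats: the dst-nat rule should count first, then the "allow DNATed connections through" rule; if only the NAT counter moves, the forward chain is eating the packet. Before any of this, check /ip address print where interface=pppoe-out1: an address inside 100.64.0.0/10 means the ISP has you behind CGNAT and nothing from outside will ever reach the rule.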
by jvanhambelgium
Sat May 25, 2024 8:34 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1417

Re: VU+ ZERO 4K satellit receiver port forward

Do you have a public IP on "pppoe-out1"? If you are behind NAT from your ISP this will never work.
So what "WAN" IP did you receive? 100.64.0.0 to 100.127.255.255??
by jvanhambelgium
Mon May 20, 2024 10:27 pm
Forum: Beginner Basics
Topic: NFS Client Help
Replies: 3
Views: 842

Re: NFS Client Help

Same here, never could get ROS NFS to work on my Synology NAS, while I only use NFS at home with all my Linux boxes etc.
Got various errors, including "unknown error" :)
SMB works immediately....
by jvanhambelgium
Thu May 16, 2024 10:48 am
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 343
Views: 109752

Re: v7.15rc [testing] is released!

OK, didn't know. But 50% CPU usage on DNS is clearly a bug. But I can imagine support answer: "dear user, while you can increase DNS cache size to a very high number, it is still limited by your device's physical capabilities. ROS gives you the freedom to set 512MB cache size but this does not...
by jvanhambelgium
Thu May 16, 2024 8:45 am
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 343
Views: 109752

Re: v7.15rc [testing] is released!

I assume that MT developed this feature for home users. Maximum 40k URL lists. Kind of grabbing low hanging fruits. The main thing is to be able to import adlists -> "we already have DNS". Where is this documented ? I can't find any such statement ? On the help-page it says ; Before confi...
by jvanhambelgium
Wed May 15, 2024 11:17 pm
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 343
Views: 109752

Re: v7.15rc [testing] is released!

I'm testing the DNS "Adlist" feature in 7.15.RC3 on my RB3011. I've increased the DNS-cache setting to a 512MBytes !! value. It seems things are going down the drain when I load a rather large set. (> 2 million entries) When I remove 1 URL https://raw.githubusercontent.com/mkb2091/blockconver...
by jvanhambelgium
Wed May 15, 2024 11:01 pm
Forum: General
Topic: Advice on how to grow an ISP network
Replies: 11
Views: 1250

Re: Advice on how to grow an ISP network

"everything is connected by fiber" => So you have actual fiber-pairs coming in for each of your customers??
Or do you have some wholesale-service that you take from a larger ISP that does the last-mile to customers or something?
by jvanhambelgium
Wed May 15, 2024 10:11 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 374
Views: 130196

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Jotne, would it be possible to start looking into an extra addition to the "DNS" section of your Splunk app? Since 7.15RC3 there is the concept of "adlist" where you can put URLs to download filter-lists like a Pihole. Currently testing on my RB3011 and it seems to at least...
by jvanhambelgium
Sun May 12, 2024 4:06 pm
Forum: Wireless Networking
Topic: Why Androids keep disconnecting?
Replies: 5
Views: 707

Re: Why Androids keep disconnecting?

Hmm, did you see that yourself that it tried the gstatic.com domain ?
I've checked my Pihole that logs everything (and I block everything like DNS-over-TLS,DoH,Quic) and I cannot find any such lookup ?
Phone is a Samsung Galaxy S21
by jvanhambelgium
Sat May 11, 2024 1:04 am
Forum: General
Topic: Flexible DHCP-client options
Replies: 4
Views: 446

Flexible DHCP-client options

I'm looking into options to bypass my ISP devices and work directly on my RB5009. However for the TV-service of my ISP, they have published detailed specs what you need to be capable of. Apparently DHCPv4 Option spoofing: The following options provided on WAN side need to be provided to the TV decod...
by jvanhambelgium
Fri May 03, 2024 3:37 pm
Forum: RouterBOARD hardware
Topic: Cascading switches
Replies: 9
Views: 654

Re: Cascading switches

There are no benefits in disabling STP for sure, and I was only looking at the uplink "line", not the different endpoints. Without some form of STP somebody could cause some havoc when connecting an endpoint the wrong way, having other switches introduced that you are not aware of and formin...
by jvanhambelgium
Thu May 02, 2024 8:20 pm
Forum: RouterBOARD hardware
Topic: Cascading switches
Replies: 9
Views: 654

Re: Cascading switches

Rapid Spanning Tree protocol (RSTP) -> The maximum allowed network diameter for the RSTP protocol is 40 switches.

But anyway, with only 1 fiber line I would disable any STP anyway since it is not relevant and of no value
by jvanhambelgium
Thu May 02, 2024 6:49 pm
Forum: RouterBOARD hardware
Topic: Cascading switches
Replies: 9
Views: 654

Re: Cascading switches

No real pitfalls to my knowledge.
Sure, such a topology is a big single point of failure but apart from that it will work just fine, especially for such a low flow of data.
There is no option to form some sort of "ring"? Are these 21 buildings/switches really "in a line"?
by jvanhambelgium
Mon Apr 29, 2024 10:50 am
Forum: General
Topic: Shaping 35Gbps
Replies: 4
Views: 521

Re: Shaping 35Gbps

I can't speak from experience, but I see no reason why simple-queues for the sake of shaping would work differently on 35Gbps vs 1Gbps. What you need to try to find out is the impact on CPU & memory I guess. Shaping on IP-level like this using (simple) queues on 35Gbps is something you want to...
by jvanhambelgium
Mon Apr 29, 2024 10:00 am
Forum: General
Topic: Shaping 35Gbps
Replies: 4
Views: 521

Re: Shaping 35Gbps

You don't have an aggregation layer where you terminate such (very high-speed) customers? Straight onto your core switch doesn't sound like a very good plan to me. I don't know what CPU-power you have in your coreswitch-device, but perhaps you can iterate from 1Gbps shaping profiles to see how much ...
by jvanhambelgium
Thu Apr 25, 2024 9:53 am
Forum: Scripting
Topic: Is 8MB in a variable from a txt file is possible?
Replies: 54
Views: 3855

Re: Is 8MB in a variable from a txt file is possible?

Perhaps interesting for those collecting various sources to feed the scripts.

https://docs.paloaltonetworks.com/resou ... ng-service

Palo Alto also provides for free various curated lists like for M365,Azure,GCP,Zoom etc,etc

Imports work just fine with the current script.
by jvanhambelgium
Thu Apr 25, 2024 8:24 am
Forum: General
Topic: Security issue with DST NAT rules
Replies: 2
Views: 396

Re: Security issue with DST NAT rules

https://www.3cx.com/docs/manual/firewall-router-configuration/ Apparently for this SIP-provider there seems to be quite some stuff you need to open and they don't mention any of the public IPs / FQDNs of their SBCs.... I guess it depends on the SIP-provider. I have seen installations that only ...
by jvanhambelgium
Sat Apr 20, 2024 3:11 pm
Forum: RouterBOARD hardware
Topic: Infrastructure design help
Replies: 9
Views: 1034

Re: Infrastructure design help

What overkill? A VLAN is just a label.
Only 350 VLANs out of the 4K standard available.
It DOES keep things very separated (if you want) and identifiable across the whole setup.

Depending on how the wireless is organized (authentication-wise) their devices can be mapped easily into the VLAN of the room.
by jvanhambelgium
Thu Apr 18, 2024 9:46 pm
Forum: RouterBOARD hardware
Topic: Infrastructure design help
Replies: 9
Views: 1034

Re: Infrastructure design help

What about 1 VLAN per room? It is only 22 rooms/floor x 16 floors......
You can make a couple of nice interface-lists and group some stuff together at that level.
by jvanhambelgium
Sun Apr 07, 2024 1:35 pm
Forum: General
Topic: Up 200 CAP
Replies: 12
Views: 983

Re: Up 200 CAP

Installation & config is 1 aspect, actual operational performance another.
What type of installation environment? Industrial? School? Stadium/venue?
by jvanhambelgium
Sat Mar 30, 2024 7:47 pm
Forum: General
Topic: Bandwidth usage per IP
Replies: 28
Views: 18580

Re: Bandwidth usage per IP

Thank you for your work, it works perfect. When I try to save the report to a shared drive (runs on SMB raspberrypi) using :local reportpath ("smb://user:password@192.168.3.19/home/pi/MyNASA/BWbyIP/report-" . $yearmonth . ".html") either with or without the user/password failure...
by jvanhambelgium
Sat Mar 30, 2024 5:40 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 374
Views: 130196

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Hi, it seems a part of the script (v5.6) is giving me a consistent error on 7.14.1 Screenshot from 2024-03-30 15-33-01.png The 5.6 script hits a system history print command which causes this error on my systems. You can reproduce this by entering the command "system history print" in a con...
by jvanhambelgium
Sat Mar 30, 2024 4:38 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 374
Views: 130196

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Hi, it seems a part of the script (v5.6) is giving me a consistent error on 7.14.1 Screenshot from 2024-03-30 15-33-01.png It seems to be in the section where all the access-lists are processed/counted, so the section below. Didn't change anything in the code, just copy-pasted into Winbox. The ACL "Azur...
by jvanhambelgium
Mon Feb 19, 2024 2:21 pm
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 1144

Re: Locked Out

Hopefully 1 ether port off-bridge or a serial port, but that means local access. Not so long ago I locked myself out of my RB5009. I had "some sort of recent backup" and needed to factory-default it + restore that config. That part went OK. Since then I have indeed 1 dedicated physical port &q...
by jvanhambelgium
Mon Feb 19, 2024 9:29 am
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 1144

Re: Locked Out

Where is this 192.168.121.0/24 range actually used then? On 1 of these remote sites?
Just get a working PC on that range, TeamViewer/RDP into it and from there Winbox/WebFig to your RouterOS boxes?
by jvanhambelgium
Fri Feb 16, 2024 8:27 am
Forum: General
Topic: Container start-on-boot not working
Replies: 2
Views: 368

Re: Container start-on-boot not working

Did you create the container in the CLI or via WebFig/Winbox? Do you have the "logging" flag enabled too?
by jvanhambelgium
Sun Feb 11, 2024 5:59 pm
Forum: General
Topic: S-RJ01 - terribly unrelibable?
Replies: 4
Views: 484

Re: S-RJ01 - terribly unrelibable?

The S-RJ01 *itself* is OK I guess. I have one in my RB5009 and my ISP/Internet is coming in through there. Runs a little hot (66°C) but never any issues. But I have the impression it might be very dependent on which platform you plug the module into + the RouterOS release. Vendor Revision : 2.16 Manufacter...
by jvanhambelgium
Wed Jan 31, 2024 9:42 am
Forum: General
Topic: Monitoring and Trafficflow
Replies: 9
Views: 1784

Re: Monitoring and Trafficflow

While not a complete solution (rather a collection of tools to build your solution around it), you may want to check pmacct http://www.pmacct.net/ I've been using it for well over a decade now, and once I integrated it into my stack, I've never had to touch it again. It just works. What plugins are...
by jvanhambelgium
Tue Jan 30, 2024 9:06 pm
Forum: General
Topic: Allow remote-logging input on ROS [SOLVED]
Replies: 12
Views: 1593

Re: Allow remote-logging input on ROS [SOLVED]

Yes, something like that might be an option, but that would still not bring all logging from my different ros devices into the one log of my main router. But thanks for the pointer, I will think a bit further on how to configure it to my liking. Of course it would? All your ROS devices then simply ...
by jvanhambelgium
Tue Jan 30, 2024 2:36 pm
Forum: General
Topic: Allow remote-logging input on ROS [SOLVED]
Replies: 12
Views: 1593

Re: Allow remote-logging input on ROS [SOLVED]

You have a RouterOS box that supports containers? Then you could deploy such a container and collect logs. Of course you need to store them somewhere, so at least some external USB would be a good idea... unless these are really few logs. This is not a fancy (web)GUI where you can browse through, i...
by jvanhambelgium
Mon Jan 29, 2024 9:29 pm
Forum: General
Topic: Wireguard and DMZ ISP
Replies: 2
Views: 405

Re: Wireguard and DMZ ISP

Sure, as long as your ISP does muck around with CGNAT and you have a public IP that you can "map" 1:1 to the inside.
by jvanhambelgium
Sat Jan 27, 2024 9:46 am
Forum: General
Topic: Recommended for IPS/IDS
Replies: 6
Views: 4723

Re: Recommended for IPS/IDS

Most of the above vendors are really, really in another league compared to Mikrotik. You must see a Mikrotik RB as a ROUTER with a network packet filter (and a lot of Swiss-army knife capabilities for sure!) I use Fortinet & Palo Alto in my professional work, very, very capable but it comes with a pri...
by jvanhambelgium
Tue Jan 23, 2024 3:59 pm
Forum: General
Topic: eth5 as dhcp client
Replies: 4
Views: 604

Re: eth5 as dhcp client

Take eth5 out of the bridge. Configure IP > DHCP-client and add "eth5" as DHCP-client. Be careful and say "no" to "add default route" I think. I use the same approach and have a lab RB3001 connected as DHCP "client" on a RB5009 through some ethX port. Then offc...
by jvanhambelgium
Mon Jan 22, 2024 11:01 pm
Forum: General
Topic: Allowing a VLAN to Access WAN(Internet)
Replies: 3
Views: 556

Re: Allowing a VLAN to Access WAN(Internet)

What about any NAT/Masquerading config ? Can you export that ?
by jvanhambelgium
Sat Jan 20, 2024 10:13 am
Forum: Beginner Basics
Topic: packet marking for QoS
Replies: 7
Views: 914

Re: packet marking for QoS

Pre-routing chain ?
Try the "forward" chain and it will work I guess.

I've several marking rules and they work fine as the traffic flows through the Mikrotik (= forward chain)
by jvanhambelgium
Wed Jan 17, 2024 3:50 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2562

Re: Brute Force Attacks

Strange, its not like you have some secret recipe for vodka ;-)
Perhaps the vodka market is drying out and they want to get into chocolate or beer :lol:
I could throw in a couple of Belgian Waffles :D :D
by jvanhambelgium
Tue Jan 16, 2024 7:37 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2562

Re: Brute Force Attacks

Not entirely from the same source IP, but close ... IP 95.214.55.244 inetnum: 95.214.52.0 - 95.214.55.255 netname: PL-MEV-20181221 country: PL org: ORG-MSZO78-RIPE Some Polish-operated IP-space. For the last 30 days, it has been trying consistently these 4 destination ports on my frontdoor :D 8) Screensho...
by jvanhambelgium
Sun Jan 14, 2024 2:44 pm
Forum: Scripting
Topic: add succesfully connected rdp to whitelist
Replies: 6
Views: 990

Re: add succesfully connected rdp to whitelist

>I would like to add successfully connected rdp connections to whitelist. And I have no clue how to detect if the connection is successfully established or it is >just another brute force attempt. If it was a brute-force you would also see multiple times a new SYN arriving I think? You cannot keep try...
by jvanhambelgium
Sat Jan 13, 2024 6:21 pm
Forum: General
Topic: Firewall-dynamic firewall rules
Replies: 9
Views: 1212

Re: Firewall-dynamic firewall rules

Perhaps solve this issue with a port-knock sequence? So the "client" first needs to hit a certain sequence of UDP/TCP ports before "the gate opens up". Of course then there is still the mandatory authentication, just make sure you run an up-to-date RouterOS and do NOT use the default "...
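The port-knock idea in the post above, and the repeat scanner from the "Brute Force Attacks" posts further down the page, can both be handled with address-lists. As an added example (not code from the thread or from MikroTik), the rules below implement a two-port knock in front of SSH on the router itself and record every un-knocked probe. The guarded service (TCP 22 in the input chain), the interface-list "WAN" and the knock ports 7000 then 5000 are assumptions.

```routeros
# Added example, not code from the thread. Assumed: the service to guard is
# SSH on the router itself (input chain, TCP 22), the uplink is in
# interface-list "WAN", and the knock sequence "TCP 7000 then TCP 5000" is a
# constructed choice. Deliberately descending: a scanner walking ports in
# ascending order hits 5000 before 7000 and never completes the sequence.

/ip firewall filter
# Keep replies to connections the router opened itself.
add chain=input action=accept connection-state=established,related

# Stage 1: a SYN to the first knock port remembers the source for 30 s.
add chain=input action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=30s in-interface-list=WAN protocol=tcp dst-port=7000 \
    tcp-flags=syn comment="port-knock stage 1"

# Stage 2: only sources already in stage 1 may advance; the second knock
# opens the gate for 10 minutes. Connections opened inside that window are
# accepted and, once established, survive the list entry expiring.
add chain=input action=add-src-to-address-list address-list=knock-open \
    address-list-timeout=10m in-interface-list=WAN protocol=tcp dst-port=5000 \
    tcp-flags=syn src-address-list=knock-stage1 comment="port-knock stage 2"

# The gate: SSH from WAN only for sources that completed the sequence.
# Normal SSH authentication still applies behind it.
add chain=input action=accept in-interface-list=WAN protocol=tcp dst-port=22 \
    src-address-list=knock-open comment="ssh after knock"

# Everything else probing SSH from WAN is recorded for a day and dropped.
# add-src-to-address-list does not terminate rule processing, hence the
# explicit drop after it. The list doubles as a record of repeat offenders.
add chain=input action=add-src-to-address-list address-list=ssh-probe \
    address-list-timeout=1d in-interface-list=WAN protocol=tcp dst-port=22 \
    comment="ssh without knock"
add chain=input action=drop in-interface-list=WAN protocol=tcp dst-port=22 \
    comment="drop ssh from WAN"
```

These rules must sit above any generic "drop all from WAN" rule in the input chain. From a client, two connection attempts to 7000 and 5000 followed by the SSH login is the whole ritual, and /ip firewall address-list print where list=knock-open shows who currently has the gate open. Keep in mind that the knocks travel in clear text and can be replayed by anyone watching the wire; the sequence hides the port from scanners, it does not replace keys, an up-to-date RouterOS and a non-default admin user.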
by jvanhambelgium
Mon Jan 08, 2024 5:45 pm
Forum: Wireless Networking
Topic: Solving 20km wireless link issues
Replies: 147
Views: 227523

Re: Solving 20km wireless link issues

Other than my company, customers can use a dish satellite company or a cell phone company data plan - both are very expensive if you move lots of data. On a side note; do you feel any business impact/disruption from e.g. Starlink services? Rather cheap I believe & moving a lot of data is not reall...
by jvanhambelgium
Sat Jan 06, 2024 11:35 am
Forum: RouterBOARD hardware
Topic: Zerotier version on RB5009UG+S+IN and L009UiGS-RM.
Replies: 3
Views: 1876

Re: Zerotier version on RB5009UG+S+IN and L009UiGS-RM.

Current version on the 7.13-stable is 1.10.3
by jvanhambelgium
Wed Jan 03, 2024 5:11 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 374
Views: 130196

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.9 (Graphing everything) 💾 🛠 💻 📊

I'm running Splunk on a Synology too, but as a VM under Ubuntu Linux, not containerized. Works OK in general, had 1 or 2 occasions where the 4GB assigned memory fell short and things fell apart ;-) >> After a while the logging to splunk stops ... Splunk generates a ton of logging messages that migh...
by jvanhambelgium
Sat Dec 30, 2023 10:26 am
Forum: Beginner Basics
Topic: Help with first home server
Replies: 2
Views: 681

Re: Help with first home server

That is going to be difficult, looking at your WAN-IP 100.67.x.x this is CGNAT-space (Carrier Grade NAT) so basically you do not have a public IP for yourself and therefore the world cannot "find" you if they want to initiate a connection to your server. YOU can of course initiate to th...
by jvanhambelgium
Tue Dec 26, 2023 12:02 am
Forum: General
Topic: Visualize Mikrotik logs
Replies: 1
Views: 710

Re: Visualize Mikrotik logs

Nope, SNMP will not provide you with that. User @Jotne has created a very nice solution using SPLUNK (Enterprise) and a script on the Mikrotik side forwarding information through SYSLOG. You can install it for free as long as you remain under 500MBytes/day logs This provides very nice information &am...
by jvanhambelgium
Mon Dec 25, 2023 10:59 am
Forum: General
Topic: mynetname.net DNS down?
Replies: 25
Views: 5356

Re: mynetname.net DNS down?

There is no such thing as ns1.mynetname.net or ns1.mynetname.net
The 2 authoritative NS listed for that domain are ns2.kissthenet.net. (159.148.172.251) and ns1.kissthenet.net. (159.148.147.201)
They both resolve on IPv4 and IPv6
by jvanhambelgium
Fri Dec 22, 2023 7:14 pm
Forum: RouterBOARD hardware
Topic: rb5009UG+S+IN
Replies: 12
Views: 2365

Re: rb5009UG+S+IN

In case you did not yet find these.

viewtopic.php?t=61007

So your product is NMEA-output support compliant ? Perhaps some fiddling with the baudrate ?

Of course all of this is RouterOS 6.x (old wiki)
by jvanhambelgium
Sun Dec 17, 2023 11:51 pm
Forum: Containers
Topic: sftpgo container
Replies: 4
Views: 3918

Re: sftpgo container

Installed it to test it .... extremely slow on my RB5009
Slow like in transferring 150Kbytes/sec across the LAN !!
The RB5009 was not really high in CPU
by jvanhambelgium
Fri Dec 15, 2023 8:28 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 276019

Re: v7.13 [stable] is released!

Upgraded without issues :

RB5009UG+S+
RB3011UiAS
by jvanhambelgium
Sat Dec 09, 2023 6:15 pm
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 5158

Re: Error when mounting adguard container

Why might this happen? I just recently started trying to set up a firewall and I don’t understand everything. For example, 172.29.45.251 is the address of your PI Hole? -> There are (Android) clients that I've seen that always contact 8.8.8.8 etc. And in case there is a client with hardcoded DNS se...
by jvanhambelgium
Sat Dec 09, 2023 11:14 am
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 5158

Re: Error when mounting adguard container

And you should "intercept" anyway classic DNS packets in case some client does not want to use the Adguard. See my example below (I use Pihole) Make sure you excluded the Adguard/Pi-hole itself using the appropriate src-address-list. /ip firewall nat add action=dst-nat chain=dstnat comment...
by jvanhambelgium
Wed Dec 06, 2023 5:21 pm
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 5158

Re: Error when mounting adguard container

Remove the container and re-create and provide the logging=yes from the beginning. You should see a bit more output when it downloads the various layers. I agree the logging is pretty ... basic .... and will probably not reveal WHY you have this issue. You specify as root-dir=adguard => This will wr...
by jvanhambelgium
Wed Dec 06, 2023 4:24 pm
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 5158

Re: Error when mounting adguard container

Add the logging=yes directive on the container-creation command and look in the logs. Might explain more about the error.
by jvanhambelgium
Sat Dec 02, 2023 5:16 pm
Forum: General
Topic: Wireguard tunnel - speed problem
Replies: 19
Views: 4299

Re: Wireguard tunnel - speed problem

AND the Wireguard AND the PPPoE overhead probably explains why you "only" get 300-350Mbits/sec CPU-profiler will give you insight. If you have a "spare" RB5009 you could perform a back2back test with a piece of ethernet-wire in between to see what the max is you can reach. You'l...
by jvanhambelgium
Wed Nov 29, 2023 10:51 pm
Forum: Containers
Topic: A question about ram-high Topic is solved
Replies: 5
Views: 7888

Re: A question about ram-high Topic is solved

Since this is a general setting, I would assume the total of all containers.
by jvanhambelgium
Fri Nov 24, 2023 12:21 pm
Forum: Beginner Basics
Topic: Block Intra VLAN Traffic
Replies: 7
Views: 1450

Re: Block Intra VLAN Traffic

As for using ACI instead of a single CRS326-46G-2S+ : It´s like suggesting a homeless person to move in to the royal castle. It would certainly solve his problems... :? Yep, it sure is. Totally different worlds. Good to know Mikrotik does support something like a PVLAN on certain models/chipsets so...
by jvanhambelgium
Fri Nov 24, 2023 9:39 am
Forum: Beginner Basics
Topic: Block Intra VLAN Traffic
Replies: 7
Views: 1450

Re: Block Intra VLAN Traffic

What you are looking for is called "PVLAN" construction in general (Private VLAN) and you would be using some form of "Isolated Ports" in a "Isolated VLAN" construction. So 2 devices in such PVLAN cannot directly talk to each other but must pass through a device connect...
by jvanhambelgium
Sun Nov 19, 2023 11:10 am
Forum: General
Topic: Remove internet-facing login
Replies: 5
Views: 2123

Re: Remove internet-facing login

Going into IP--> Services --> www and disabling port 80 unfortunately disables all web traffic to the router, including internal. So it stops router management. No need to disable it completely, but add the "Available From" values? E.g. 192.168.x.y or multiple ranges that you want it to be...
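The "Available From" setting is the address= field of /ip service. As an added example (not the poster's config) this restricts the management services instead of disabling www, and adds an input filter as a second layer. Assumed: management happens from 192.168.88.0/24 and a VPN range 10.99.0.0/24, the WAN interface list is named "WAN"; adjust both.

```routeros
# Added example, not from the thread. Assumed management sources 192.168.88.0/24 and
# 10.99.0.0/24, interface list "WAN".
/ip service
# The service keeps listening, but only these sources may connect to it.
set www address=192.168.88.0/24,10.99.0.0/24
set winbox address=192.168.88.0/24,10.99.0.0/24
set ssh address=192.168.88.0/24,10.99.0.0/24
# What is not used should not listen at all.
disable telnet,ftp,api
# Second layer on the input chain: even if a service address list is widened by mistake
# later, nothing arriving on WAN reaches the router's own management ports.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=tcp \
    dst-port=21,22,23,80,443,8291,8728,8729 action=drop \
    comment="no management from WAN" place-before=0
```

Check with /ip service print that every enabled service now shows an address, and from the outside confirm the ports time out rather than answer. A dst-nat port forward for 80/443 to an internal server is unaffected: forwarded traffic is handled in the forward chain, not in input.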
by jvanhambelgium
Thu Nov 16, 2023 8:23 pm
Forum: General
Topic: VPN server like CIsco Asa Anyconnect
Replies: 6
Views: 1731

Re: VPN server like CIsco Asa Anyconnect

How many users? 10? 500? 20000?
by jvanhambelgium
Mon Nov 13, 2023 7:20 am
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 1725

Re: Creating WAN-separated VLAN

It depends on how the devices are wired on your local LAN. These Tuyas are *wireless* right, so their traffic is hitting your router through the port on which some AP is connected ? And your DNS is the Mikrotik itself at 192.168.99.1 looking at your config. If so, change the "chain" to INP...
by jvanhambelgium
Sun Nov 12, 2023 11:21 pm
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 1725

Re: Creating WAN-separated VLAN

The DNS-blocking is going to be a bit harder if everything remains in the same "LAN". If you would be using an IoT-VLAN that would be easy to also restrict "internal" traffic flowing between VLAN's anyway. Alternative could be you provide SPECIFIC DNS-servers through DHCP-options ...
by jvanhambelgium
Sun Nov 12, 2023 5:22 pm
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 1725

Re: Creating WAN-separated VLAN

Do you have a a "Tuya" bridge or somethings ? (like a HUE-box)
Can't you "pair" the Tuya devices natively with Zigbee to Home Assistant? Of course you need a Zigbee "radio" for that in your HA.
by jvanhambelgium
Sun Nov 12, 2023 4:40 pm
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 1725

Re: Creating WAN-separated VLAN

You don't need a separate vlan for that.
Just make sure your IoT devices get fixed IP's based on their MAC
Then block these IP on their way out.
by jvanhambelgium
Sat Nov 11, 2023 12:11 pm
Forum: Containers
Topic: Small iperf3 container
Replies: 36
Views: 9770

Re: Small iperf3 container

Could you guys as container specialists enlighten me why a container would not start if you installed it onto a SMB-share (on a RouterOS through ROSE-package) Such package is downloaded correct, container is created OK, "iperf" binary can be found on the NAS providing the SMB-share under t...
by jvanhambelgium
Sat Nov 11, 2023 11:04 am
Forum: General
Topic: problem with my routerboard 5009_no save graph after rebooot
Replies: 7
Views: 949

Re: problem with my routerboard 5009_no save graph after rebooot

apart from that ... why on earth are you rebooting daily anyway....
by jvanhambelgium
Fri Nov 10, 2023 2:49 pm
Forum: General
Topic: VPN server like CIsco Asa Anyconnect
Replies: 6
Views: 1731

Re: VPN server like CIsco Asa Anyconnect

Something like this? I think the RB1100 AHx4 (ARM32) supports Wireguard. https://www.wiresock.net/ Note : The Cisco ASA Anyconnect Client is so much more than only "a vpn client" offering basic vpn-client, advanced vpn-client, endpoint-compliance, inspection service, enterprise access, thre...
by jvanhambelgium
Mon Nov 06, 2023 11:42 pm
Forum: Beginner Basics
Topic: VLAN and network segregation. So many questions.
Replies: 4
Views: 1312

Re: VLAN and network segregation. So many questions.

and QoS ... what contract/agreement/service do you promise/sell? You don't want 1 apartment to blast away all the bandwidth all the time. Some policing & shaping for sure needs to be done.
by jvanhambelgium
Mon Oct 30, 2023 6:38 pm
Forum: General
Topic: Manual DNS bypasses the Pihole - force redirect to pihole
Replies: 10
Views: 2069

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Ahhhh..good spotting @anav about the UDP/53 missing in the DNAT-rules. That might explain a lot.
by jvanhambelgium
Mon Oct 30, 2023 5:29 pm
Forum: General
Topic: Manual DNS bypasses the Pihole - force redirect to pihole
Replies: 10
Views: 2069

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Hi, place these before the masq entries, so re-order them. add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=\ LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.0.8 \ to-ports=53 add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=\ ...
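The DNS interception from this post and the earlier Adguard/Pi-hole reply, written out in full as an added example (the poster's own rules are cut off above; this is not their export). Assumed: Pi-hole at 192.168.0.8 inside LAN 192.168.0.0/24, interface list "LAN", and an address list "excluded" that holds the Pi-hole itself so it can still reach upstream resolvers.

```routeros
# Added example, not the poster's rule set. Assumed: Pi-hole 192.168.0.8 in
# 192.168.0.0/24, interface list "LAN", address list "excluded".
/ip firewall address-list
add list=excluded address=192.168.0.8 comment="Pi-hole must reach upstream DNS itself"
/ip firewall nat
# Redirect both UDP and TCP 53. Forgetting UDP is the classic mistake: nearly all
# client queries are UDP, so a TCP-only rule redirects almost nothing.
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 src-address-list=!excluded \
    action=dst-nat to-addresses=192.168.0.8 to-ports=53 comment="DNS intercept udp"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 src-address-list=!excluded \
    action=dst-nat to-addresses=192.168.0.8 to-ports=53 comment="DNS intercept tcp"
# Hairpin: client and Pi-hole share a subnet. Without this the Pi-hole answers the
# client directly from 192.168.0.8, and the client drops the reply because it asked
# 8.8.8.8. Masquerading makes the reply pass back through the router and get un-NATed.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.8 protocol=udp dst-port=53 \
    action=masquerade comment="DNS hairpin udp"
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.8 protocol=tcp dst-port=53 \
    action=masquerade comment="DNS hairpin tcp"
# Clients with hardcoded DNS increasingly fall back to DNS over TLS; close that hole too.
/ip firewall filter
add chain=forward in-interface-list=LAN protocol=tcp dst-port=853 src-address-list=!excluded \
    action=reject reject-with=tcp-reset comment="no DoT bypass"
```

Verify from a client with a hardcoded resolver (for example dig @8.8.8.8 example.com) and watch the Pi-hole query log: the query must show up there with the client's address. Chain traversal is per chain, so within dstnat the intercept rules only need to precede any other rule that could match port 53; the srcnat masquerade entries live in a different chain. DNS over HTTPS (tcp/443) cannot be told apart from web traffic this way and needs blocking of the known resolver addresses instead.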
by jvanhambelgium
Sat Oct 28, 2023 11:59 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1375

Re: Case Study: Disabling NAT and Firewall on LAN Routers

east-west security simply means "horizontally". Can be within a datacenter, but also between different vlan's eg on a smaller scale. It is a generic wording. depending on the environment, often the security hazards are not coming "from the outside world" alone anymore but often i...
by jvanhambelgium
Sat Oct 28, 2023 7:38 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1375

Re: Case Study: Disabling NAT and Firewall on LAN Routers

Your IPv4 standard for sure should include "east-west" security these days.
By default each of the 3 LAN's can just chit-chat with each other and that is not really a good plan...

Next-generation networks (SDx) would be intent-driven with micro-isolation already at the switchport/host.
by jvanhambelgium
Sat Oct 28, 2023 4:46 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1375

Re: Case Study: Disabling NAT and Firewall on LAN Routers

Sure this is possible. Nothing out of the ordinary, but somewhat strange. If the WAN router is some decent gear, it can do NAT for whatever is coming in from the LAN, be it through different physical interfaces, VLAN's, ranges whatever. The typical "consumer" Internet-router provided by ...
by jvanhambelgium
Wed Oct 25, 2023 5:29 pm
Forum: General
Topic: Multiwan setup with Starlink and ip/route check-gateway issue
Replies: 6
Views: 2009

Re: Multiwan setup with Starlink and ip/route check-gateway issue

Put the Starlink in a separate VRF and work from there?
You could issue some health-check to eg. 8.8.8.8 across the Starlink-vrf and make some decisions from there?
by jvanhambelgium
Tue Oct 24, 2023 8:55 am
Forum: General
Topic: RB5009 can't get automatic IP from WAN.
Replies: 4
Views: 1026

Re: RB5009 can't get automatic IP from WAN.

Did you poweroff/poweron the ISP modem ? Might also be something "MAC" related in the sense that the cable-modem expects the MAC of the hEX S. Apart from that, yes you need to configure "DHCP Client" on the RB5009 in order to obtain an ISP-address. Specify the correct "WAN&q...
by jvanhambelgium
Sun Oct 22, 2023 3:37 pm
Forum: General
Topic: Help with Configuration between ISP ---> Fortigate ---> Mikrotick --> LAN
Replies: 5
Views: 1338

Re: Help with Configuration between ISP ---> Fortigate ---> Mikrotick --> LAN

Why bother with the Mikrotik? Fortinet can do the PPPoE to your ISP just fine and is a much more advanced solution than any MikroTik when it comes to security.
by jvanhambelgium
Sat Oct 14, 2023 10:34 am
Forum: Beginner Basics
Topic: DNS usage in url
Replies: 4
Views: 1403

Re: DNS usage in url

Hello guys, I'm struggling with one thing... My NAS using IP 192.168.88.200 I want to use xyz.xyz.com.pl in url but its not working, can you help me? Search the forum for "hairpin NAT" because that is what you are looking for. And post your config as requested below if you already attempted ...
by jvanhambelgium
Tue Sep 19, 2023 10:53 pm
Forum: Scripting
Topic: Update firewall list possible?
Replies: 4
Views: 1664

Re: Update firewall list possible?

The resolving of FQDN will follow the TTL-value of the zone applicable. No need to "force" to resolve this periodically. Go to /ip/dns/cache and "print" .The FQDN's should be there and you will see the TTL value countdown timer.... This works fine as I have some units for which I...
by jvanhambelgium
Thu Sep 14, 2023 8:46 pm
Forum: Beginner Basics
Topic: Plex "Indirect Connection" when connecting outside of network [SOLVED]
Replies: 7
Views: 6583

Re: Plex "Indirect Connection" when connecting outside of network [SOLVED]

Hmm, if your IP falls in the range 172.16.0.0 to 172.31.255.255 you DO NOT have a true public IP !
by jvanhambelgium
Thu Sep 14, 2023 8:37 pm
Forum: Beginner Basics
Topic: Beginner Question - 1 ISP two Routers
Replies: 4
Views: 1319

Re: Beginner Question - 1 ISP two Routers

>> We only have /31 range from our ISP to use. Nope, don't think so :lol: :lol: This ISP-link always has a cable that always needs to be inserted into something...and that will be your SPOF. With a /31 that does not leave much flexibility to have a robust/dynamic setup... You still can have 2 x CCR ...
by jvanhambelgium
Wed Sep 13, 2023 6:36 pm
Forum: Beginner Basics
Topic: Plex "Indirect Connection" when connecting outside of network [SOLVED]
Replies: 7
Views: 6583

Re: Plex "Indirect Connection" when connecting outside of network [SOLVED]

Beginning with 172.x.x.x MIGHT be OK ;-) Is the IP address on the range below ? If so, then you do not have a public IP. 172.16.0.0 to 172.31.255.255 Under "Settings" , then "Network" I also filled in the field where you put a URL that points back to you. In my case for example t...
by jvanhambelgium
Wed Sep 13, 2023 12:59 pm
Forum: Beginner Basics
Topic: Plex "Indirect Connection" when connecting outside of network [SOLVED]
Replies: 7
Views: 6583

Re: Plex "Indirect Connection" when connecting outside of network [SOLVED]

Are you sure it's a public IP ? And not something like 100.64.x.x ? Your screenshot with the blurred out IP says "0" as port-number and that is not correct. I have there nicely 32400 Try the "manually specify public port" setting and put 32400 in there + Apply. See what that does...
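The checks in the three Plex replies above (and the CGNAT answer earlier on this page) boil down to one question: is the address on the WAN interface really public? As an added example, not from any of the posts, this RouterOS script answers it from the router itself. Assumed: the WAN interface is named "ether1" and carries a single IPv4 address; with PPPoE substitute the pppoe-out1 interface name.

```routeros
# Added example, not from the thread. Assumed WAN interface "ether1" with one IPv4 address.
:local wanIf "ether1"
:local ids [/ip address find interface=$wanIf]
:if ([:len $ids] = 0) do={
    :error ("no IPv4 address on " . $wanIf . ": DHCP client or PPPoE not up?")
}
# Address is stored as x.x.x.x/yy; strip the prefix length and convert to an ip value.
:local cidr [/ip address get [:pick $ids 0] address]
:local wanIp [:toip [:pick $cidr 0 [:find $cidr "/"]]]
:local verdict "public: port forwards and Plex direct connections can work"
# RFC 1918: there is another NAT device (ISP router) in front of you.
:if (($wanIp in 10.0.0.0/8) || ($wanIp in 172.16.0.0/12) || ($wanIp in 192.168.0.0/16)) do={
    :set verdict "RFC1918 private: behind another NAT device, forward there first"
}
# RFC 6598 shared address space: the ISP does the NAT, inbound is impossible without a tunnel.
:if ($wanIp in 100.64.0.0/10) do={
    :set verdict "CGNAT (RFC 6598): no inbound connections possible, ask the ISP or use a VPN/relay"
}
# APIPA address means no lease was obtained at all.
:if ($wanIp in 169.254.0.0/16) do={
    :set verdict "link-local: no lease obtained, check the DHCP client"
}
:put ("WAN address " . $wanIp . " is " . $verdict)
```

Run it from the terminal with /system script or paste it directly. A 172.x address is only private when it falls in 172.16.0.0/12 (172.16.0.0 to 172.31.255.255), which is exactly the range the reply above spells out; 172.32.x.x and up is public. Compare the result with what an external "what is my IP" service reports: if the two differ, something upstream is translating.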
by jvanhambelgium
Fri Sep 08, 2023 8:37 am
Forum: General
Topic: Understanding why Minecraft Server won't connect [SOLVED]
Replies: 14
Views: 4698

Re: Understanding why Minecraft Server won't connect [SOLVED]

Well...try to refer to Interface address lists like the other (apparently working ones) ?? Why do you select "ether1" and not "WAN" ? You tried and it doesn't work ? You reference "ether1" for these Minecraft rules but that might be wrong. If you are using PPPoE for ex...
by jvanhambelgium
Tue Sep 05, 2023 7:47 am
Forum: General
Topic: Dealing with datacaps; can burst help?
Replies: 2
Views: 1037

Re: Dealing with datacaps; can burst help?

Interesting use-case, but I think everybody has moved from stand-alone approaches (on the CPE itself) to centralized, API-driven solutions? So all devices would report their usage to keep track of accounting centrally and through API/remote-control the cap would be enforced on the device. Perhaps...
by jvanhambelgium
Sun Sep 03, 2023 9:29 am
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 374
Views: 130196

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.9 (Graphing everything) 💾 🛠 💻 📊

I am interested in the way you run splunk inside ubuntu, how did you get that working? running syno virtual machine manager? and then a plain Ubuntu image? and then a normal Ubuntu Splunk install? I am running latest DSM on a 920+ with enough resources Indeed, just like that. I'm running on 918...
by jvanhambelgium
Sat Sep 02, 2023 6:27 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 374
Views: 130196

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.9 (Graphing everything) 💾 🛠 💻 📊

I'm running Splunk on a Synology too, but as a VM under Ubuntu Linux, not containerized. Works OK in general, had 1 or 2 occasions where the 4GB assigned memory fell short and things fell apart ;-) >> After a while the logging to splunk stops ... Splunk generates a ton of logging messages that might...
by jvanhambelgium
Fri Sep 01, 2023 10:08 pm
Forum: General
Topic: F5 like pooling
Replies: 3
Views: 1085

Re: F5 like pooling

Ok, but you write it as if you want some mechanism of "load balancing". That is not gonna work. You can have 1 destination-NAT (so at *network* level) pointing to some backend (internal) IP and have this changed based if the backend is "up" For this to work you could have several...
by jvanhambelgium
Fri Sep 01, 2023 7:13 pm
Forum: General
Topic: F5 like pooling
Replies: 3
Views: 1085

Re: F5 like pooling

There are 2 parts to this question ; frontend & backend In the backend, you could with "Netwatch" tool have a "test" (eg. ping or http-get to backend servers and do things if they reply or not) So these would be your health-checks to the backend servers and you could enable/d...
by jvanhambelgium
Fri Sep 01, 2023 12:16 am
Forum: Containers
Topic: UniFi Controller container on RB5009 will not start after reboot
Replies: 6
Views: 4631

Re: UniFi Controller container on RB5009 will not start after reboot

Are you sure your USB-storage is still "usb1-part1"? Don't know the release you are running, but I had the same with RB5009 on some release where after each reboot the USB-drive/partition was named differently! This whole container thing on eg. RB5009 still is a bit "hit & miss" fo...
by jvanhambelgium
Sat Aug 26, 2023 11:26 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4960

Re: No WAN access via Wireguard

That is why I have such separate masq-rules for anything that needs to go out on Internet coming from eg. Wireguard or ZeroTier "zone"
So at least this gives me logging & counters in case certain things do not work and it might be easier to "pick up" along the way.
by jvanhambelgium
Sat Aug 26, 2023 5:05 pm
Forum: Wireless Networking
Topic: WiFi for large RV park?
Replies: 12
Views: 3777

Re: WiFi for large RV park?

I would start by looking at the map of the RV-park and where the RV's are going to be stationed/clustered and work from there. Remember Wifi is 2-way, so the client also needs to communicate back. Some endpoints have better antennas than others etc. But outdoor there is a lot of things to consider t...
by jvanhambelgium
Thu Aug 24, 2023 3:26 pm
Forum: Beginner Basics
Topic: Anyone ever have issues with Wireguard to mikrotik?
Replies: 10
Views: 3121

Re: Anyone ever have issues with Wireguard to mikrotik?

Best is to make packet-capture and spot for issues....this smells indeed MTU or alike. If you get authentication-box already etc then I doubt "settings" of Wireguard are at play here. Firewall-rules also seems OK at this point then, but that can be checked in the logs (if you enable loggin...
by jvanhambelgium
Thu Aug 24, 2023 8:49 am
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 4960

Re: No WAN access via Wireguard

logging - logging - logging

Enable logging on any rule that has a "drop" in there, and filter for you endpoint 10.180.5.2/32
There has to be some trace of a rule that seems to stop your packets from going out.
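The "logging - logging - logging" procedure from the post above, as an added example (not the poster's commands). Assumed: the WireGuard peer under test is 10.180.5.2 and the filter rules already exist; the commands only switch logging on for the drop rules, read the evidence, and switch it off again.

```routeros
# Added example, not from the thread. Assumed peer address 10.180.5.2.
/ip firewall filter
# Log every drop rule with a prefix you can filter on; raw and nat chains are
# separate tables and are not touched by this.
set [find action=drop] log=yes log-prefix="FW-DROP"
# Counters first: reset them, let the peer retry, and the drop rule whose
# packet count moves is the suspect.
reset-counters-all
print stats where action=drop
# Then the log, limited to the prefix and the peer. Each entry reads
# "FW-DROP <chain>: in:<if> out:<if>, ... <src>:<port>-><dst>:<port>",
# so the chain and the interfaces tell you which rule and which direction.
/log print where message~"FW-DROP" && message~"10.180.5.2"
# Live view while the peer is testing:
/log print follow-only where message~"10.180.5.2"
# Switch it off afterwards: a WAN-side drop rule logs every scan packet and
# will flood the memory log within minutes.
/ip firewall filter set [find action=drop] log=no
```

If no drop rule logs anything for the peer yet the traffic never leaves, the packet is not being dropped by the filter at all: look at routing (a missing route for the peer's subnet, or a masquerade rule that does not cover the WireGuard range) instead.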
by jvanhambelgium
Sun Aug 20, 2023 10:01 pm
Forum: Containers
Topic: Container + ROSE-SMB storage
Replies: 4
Views: 4684

Re: Container + ROSE-SMB storage

The "pull" works fine. I see the folder being created (the first time after I alter the path) and I see a growing *.gz file while it is being downloaded...then suddenly everything stops and it is removed from the NAS and it throws an "error". Usually 1 or 2 "layers" are pro...
by jvanhambelgium
Sun Aug 20, 2023 9:24 pm
Forum: Containers
Topic: Container + ROSE-SMB storage
Replies: 4
Views: 4684

Container + ROSE-SMB storage

Is there anyone that can explain to me why the extraction of a container-image fails across a ROSE storage point? Running the latest 7.11 on RB5009 So I've mapped an SMB on my NAS which is accessible fine (because I see files being created on it) Screenshot from 2023-08-20 20-17-12.png I've also adapt...
by jvanhambelgium
Sun Aug 20, 2023 11:21 am
Forum: Beginner Basics
Topic: Reporting a bug, or a suspected bug?
Replies: 8
Views: 2085

Re: Reporting a bug, or a suspected bug?

It is a bug for sure. Same with "Winbox"
On CLI, when doing a "print" of the vETH you get to see the IP address
On Winbox, it is 0.0.0.0 for every vETH
It was on 7.10 and now on 7.11 also.
by jvanhambelgium
Thu Aug 17, 2023 12:34 am
Forum: General
Topic: RB3011 - still a good choice?
Replies: 22
Views: 3076

Re: RB3011 - still a good choice?

I believe that the LCD screen is not supported on RouterOS 7. So, forget the screen. LCD works just fine on my RB3011 on 7.11 But it is a gimmick for sure. Sometimes handy to see if some interface does traffic or so but in the end still a gimmick I have the RB3011 on a +- 100Mbps xDSL and it h...
by jvanhambelgium
Wed Aug 16, 2023 6:29 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 168652

Re: v7.11 [stable] is released!

Updated LAB RB3011 to 7.11 and all seems fine (for my limited use-cases ; basic PPPoE Internet, IPSEC-tunnel to RB5009 etc)
by jvanhambelgium
Wed Aug 16, 2023 4:48 pm
Forum: RouterBOARD hardware
Topic: "RouterOS on spare computer vs MikroTik device?
Replies: 10
Views: 4732

Re: "RouterOS on spare computer vs MikroTik device?

If you care about power-consumption a device like RB5009 uses much less power than "the average spare computer" When running 24x7 this might make some difference in yearly running cost. I think my RB5009 is about 9.5Watt if I look at my home-automation graphs. (because I use a SFP-module i...
by jvanhambelgium
Sun Aug 13, 2023 7:18 pm
Forum: General
Topic: Wireguard behind hotel wifi unable to establish connection to remote MT
Replies: 14
Views: 1863

Re: Wireguard behind hotel wifi unable to establish connection to remote MT

Rx counter remains at "0" on the "client" side ?
It should at least try from the hotel to reach the endpoint right ?
by jvanhambelgium
Thu Aug 10, 2023 9:29 am
Forum: General
Topic: VLANs Not Acting As Expected
Replies: 5
Views: 1079

Re: VLANs Not Acting As Expected

If you can ping it already that means that VLAN's are OK. Printers these days are quite flexible, offer dozens of (printing) protocols to choose from. They can be configured with ACL to only allow printing from certain IP-ranges etc,etc. What does your logging say? If you define a printer on a PC on...
by jvanhambelgium
Sun Aug 06, 2023 9:37 am
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 2222

Re: Two lans on one router

Where do you want to forward port? From Internet? Internally between 192.168.1.x and 192.168.2.x you do not need to forward ports, (under the NAT-tab in Firewall) you simply need to make firewall-rule to ALLOW it through. (and of course *above* the rules where you block all further communication...
by jvanhambelgium
Sun Aug 06, 2023 12:27 am
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 2222

Re: Two lans on one router

Hmm, a lot of various rules, not per se "bad" but it doesn't make things easy to follow. Some forum-member will tell you this is a very messy config ;-) Anyway your question was about flows between 192.168.2.x (home-network) and 192.168.1.x (homelab-server) that should be blocked right? (in...
by jvanhambelgium
Sat Aug 05, 2023 5:19 pm
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 2222

Re: Two lans on one router

Perhaps begin with posting your config here so things are more clear

/export file=anynameyouwish (minus router serial number and any public WANIP information)
by jvanhambelgium
Sat Aug 05, 2023 4:10 pm
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 2222

Re: Two lans on one router

hmm...firewall rules ?
by jvanhambelgium
Mon Jul 31, 2023 4:45 pm
Forum: Containers
Topic: openspeedtest container error
Replies: 11
Views: 4264

Re: openspeedtest container error

I have similar issues on a RB5009. The USB-storage for sure is not super "stable" and after a few weeks often a container is completely trashed because the underlying USB-storage is gone. I need to unplug-replug etc. In the past I had to reformat completely. I tried USB3.0 stick directly i...
by jvanhambelgium
Fri Jul 28, 2023 10:44 am
Forum: Containers
Topic: import adguard dns container image problem Topic is solved
Replies: 61
Views: 20804

Re: import adguard dns container image problem Topic is solved

I'm still puzzled why "Adguard" is not showing any statistics *but* it seems to be working. My test-PC has hardcoded 1 single DNS pointing to the Adguard, dns-resolving works (I see exchange in a tcp-dump) but nothing in the logs or statistics-dashboard. Strange .. don't think it's a permi...
by jvanhambelgium
Fri Jul 28, 2023 9:11 am
Forum: Containers
Topic: import adguard dns container image problem Topic is solved
Replies: 61
Views: 20804

Re: import adguard dns container image problem Topic is solved

Hi, Yep, seems to be a Winbox bug. On a RB3011 lab box, running the latest beta 7.11 BETA6 this "issue" is present. Winbox entries all give 0.0.0.0/0 but on console all is OK. Feel free to log a ticket on this with MT. /interface/veth> print Flags: X - disabled; R - running 0 R name="...
by jvanhambelgium
Thu Jul 27, 2023 7:25 pm
Forum: Containers
Topic: import adguard dns container image problem Topic is solved
Replies: 61
Views: 20804

Re: import adguard dns container image problem Topic is solved

Strange, Works fine here. The difference is during boot it clearly prints the veth-IP:3000 reference to login, and in your case it does not... Screenshot from 2023-07-27 18-21-54.png And I confirm the GUI works fine on my test-segment 192.168.3.4:3000 ...and after first install the GUI is available ...
by jvanhambelgium
Mon Jul 24, 2023 8:16 pm
Forum: Beginner Basics
Topic: SSH from WAN
Replies: 4
Views: 1446

Re: SSH from WAN

You use the interface-list "WAN". Are you sure the ingress interface is member of that ?
When you try and it does not work, what counter increases ? The "drop all not coming from LAN"
by jvanhambelgium
Mon Jul 17, 2023 7:25 am
Forum: General
Topic: Isolation of guests (wireless+wired)
Replies: 6
Views: 951

Re: Isolation of guests (wireless+wired)

This requirement ; - have guests being able to join the network on the Guest SSID and on the TP-Link without accessing the Normal network. - On the TP-link I just want to connect the Guest without thinking about what port. This cannot be done without 802.1x implementation on the switch-side. Your TP...
by jvanhambelgium
Sat Jul 15, 2023 8:38 am
Forum: General
Topic: ERSPAN with GRE-tunnel
Replies: 2
Views: 678

Re: ERSPAN with GRE-tunnel

The only option you have is start a packet-capture on a RouterOS device and "stream" this towards any IP endpoint further down the network. On the remote end you either have some Wireshark running or probably some tool will exist to then write a pcap-file locally. (eg. rpcapd.exe) Screensh...
by jvanhambelgium
Fri Jul 14, 2023 12:20 am
Forum: Beginner Basics
Topic: Performance: 10Gbps - VLANs, and WiFi
Replies: 12
Views: 1800

Re: Performance: 10Gbps - VLANs, and WiFi

What if, for example, "Untrusted" VLAN is 10.1.1.0/24,"Semi-Trusted" VLAN is 10.1.2.0/24, "Fully-Trusted" VLAN is 10.1.3.0/24, and the file server is 10.1.4.1/24. Untrusted and Semi-Trusted can access the File Server, but Untrusted, can't. How would I do that without n...
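The "allow specific flows above the rule that blocks everything else" advice from the two-LANs posts, applied to the VLAN layout quoted here, as an added example (not from any post on this page). The quoted requirement contradicts itself about Untrusted, so the reading assumed here is: Semi-Trusted and Fully-Trusted may reach the file server, Untrusted may not, and nothing else crosses VLANs except replies to flows that were allowed to start. Subnets as in the question, file server 10.1.4.1, an interface list "WAN" for Internet access, and SMB/NFS as the only file-server protocols are all assumptions.

```routeros
# Added example, not from the thread. Assumed subnets from the question, file server
# 10.1.4.1, interface list "WAN", file services on tcp/445 (SMB) and tcp/2049 (NFS).
/ip firewall address-list
add list=vlan-untrusted   address=10.1.1.0/24
add list=vlan-semitrusted address=10.1.2.0/24
add list=vlan-trusted     address=10.1.3.0/24
add list=fileserver       address=10.1.4.1
/ip firewall filter
# Replies to flows that were allowed to start; anything conntrack cannot place is dropped.
add chain=forward connection-state=established,related action=accept comment="replies"
add chain=forward connection-state=invalid action=drop comment="invalid"
# Explicit east-west allows: named sources, named destination, named ports. Being able
# to reach the server is still not the same as having an SMB account or NFS export rights.
add chain=forward connection-state=new src-address-list=vlan-trusted \
    dst-address-list=fileserver protocol=tcp dst-port=445,2049 action=accept \
    comment="fully-trusted -> fileserver"
add chain=forward connection-state=new src-address-list=vlan-semitrusted \
    dst-address-list=fileserver protocol=tcp dst-port=445,2049 action=accept \
    comment="semi-trusted -> fileserver"
# Everyone may leave towards the Internet; masquerade for WAN is configured separately.
add chain=forward connection-state=new out-interface-list=WAN action=accept \
    comment="any vlan -> internet"
# Everything else, including Untrusted -> fileserver and VLAN-to-VLAN chatter, is dropped.
# Logging on this last rule is what shows you which flow you forgot to allow.
add chain=forward action=drop log=yes log-prefix="EW-DROP" comment="drop all other forward"
```

Test from each VLAN: a client in 10.1.1.0/24 must fail to connect to 10.1.4.1:445 and produce an EW-DROP log line with its own address, while a client in 10.1.3.0/24 connects. If the router also has dst-nat port forwards from the Internet, those land in the forward chain too and need their own accept (match on connection-nat-state=dstnat) above the final drop.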
by jvanhambelgium
Thu Jul 13, 2023 9:05 pm
Forum: Beginner Basics
Topic: Performance: 10Gbps - VLANs, and WiFi
Replies: 12
Views: 1800

Re: Performance: 10Gbps - VLANs, and WiFi

Lil off topic - but still related to file-servers ... Take a look at TrueNAS I run a dozens of TrueNAS file servers. When configured correctly, they can be pretty fast. For example, I have a TrueNAS file-server with 1-TB RAM and about 256-TB of solid-state SSD drives with 100-Gig network interfac...
by jvanhambelgium
Thu Jul 13, 2023 7:39 pm
Forum: Beginner Basics
Topic: Performance: 10Gbps - VLANs, and WiFi
Replies: 12
Views: 1800

Re: Performance: 10Gbps - VLANs, and WiFi

...and with a fileserver you also need to look at aspects like NFS ACL's or SMB User-accounts etc. Being able to "reach" your fileserver does not mean you can access it / use it. Depending on the file-server model/OS , you can also apply a IP-ACL to exclude the "Untrusted" IP-ran...
by jvanhambelgium
Sun Jun 25, 2023 8:14 am
Forum: General
Topic: This should be easy
Replies: 17
Views: 1687

Re: This should be easy

>But, the firewall is basic, and I want to give my servers additional protection ( I get various probing attempts / hacks / brute force log in attempts every >day). So the way I envisage it, I just need some sort of packet filter between my servers and the existing LAN. It would do things like: dro...
by jvanhambelgium
Fri May 19, 2023 10:47 pm
Forum: General
Topic: Send same income packets to different servers
Replies: 2
Views: 507

Re: Send same income packets to different servers

Please explain what *service* is behind the Windows machines ? What are you trying to accomplish ? Perhaps NLB between the 2 Windows servers might be a good approach. The MikroTik then can have a DNAT pointing to the NLB-VIP and NLB will sort it out. https://learn.microsoft.com/en-us/windows-server/...
by jvanhambelgium
Wed May 10, 2023 6:00 pm
Forum: Announcements
Topic: v7.9 [stable] is released!
Replies: 242
Views: 56755

Re: v7.9 [stable] is released!

I think there is an issue with ZeroTier on the 7.9-stable release. After 1-2 days the ZeroTier loses its LEAF & PLANET connections for some reason. Stopping & Starting resolved it and then you are good to go another 1-2 days. This on RB5009 system. Don't think a SUPOUT will do any good here...
by jvanhambelgium
Mon May 01, 2023 6:30 pm
Forum: RouterOS beta
Topic: 7.8beta2 adds new package ROSE-storage
Replies: 67
Views: 28048

Re: 7.8beta2 adds new package ROSE-storage

Try with NFS v3, that works for me...
Hmm, I can't really force that on the NAS. I can enable/disable NFSv4.1 , but other than that its "enable or disable" NFS as a whole.
Is there some command-flag on the ROSE package to force NFSv3 ? (doesn't look like it....)
by jvanhambelgium
Mon May 01, 2023 10:58 am
Forum: RouterOS beta
Topic: 7.8beta2 adds new package ROSE-storage
Replies: 67
Views: 28048

Re: 7.8beta2 adds new package ROSE-storage

Anyone using a Synology NAS and was able to mount a NFS-export onto a Mikrotik ? (I'm using RB3011-ARM here to test) It just won't work, getting "Protocol Not Supported" error ? (while I use the Synology with a bunch of mounts to other systems here, media-players etc. In-house I only do NF...
by jvanhambelgium
Sat Apr 29, 2023 9:40 am
Forum: General
Topic: Firewall
Replies: 3
Views: 603

Re: Firewall

Personally allowing access to a device on Internet through a "whitelisted" source-IP(s) is acceptable to me and we do that for customers across our projects. VPN is not always an option or sometimes overkill. Just make sure you have additional layers like (encrypted) authentication using c...
by jvanhambelgium
Wed Apr 26, 2023 1:12 pm
Forum: General
Topic: Natting Public Ip Over Wireguard [SOLVED]
Replies: 15
Views: 1369

Re: Natting Public Ip Over Wireguard [SOLVED]

It could be 10 things, without any config impossible to say. (could be nat, routing, ...) Did you "torch" on FW2 to see if the DNAT'ted packet arrives at that point ??? The "device" is exposed to Internet with a DNAT ? Or does this "public computer" also has Wireguard C...
by jvanhambelgium
Wed Apr 26, 2023 8:38 am
Forum: Beginner Basics
Topic: Web Proxy Doesnt Work?
Replies: 7
Views: 4320

Re: Web Proxy Doesnt Work?

So this is obsolete and not correct? In the link below "https" is not mentioned.

https://wiki.mikrotik.com/wiki/Manual:IP/Proxy

Not sure if it would insert X-Forwarded-For in the headers either.
by jvanhambelgium
Wed Apr 26, 2023 12:43 am
Forum: Beginner Basics
Topic: Web Proxy Doesnt Work?
Replies: 7
Views: 4320

Re: Web Proxy Doesnt Work?

btw,
don't think any HTTPS will work.
the "proxy" module on Mikrotik supports HTTP only, and in 2023 only very few websites use HTTP.
by jvanhambelgium
Sat Apr 22, 2023 6:08 pm
Forum: General
Topic: Wireguard connections have no traffic, using Advanced Firewall
Replies: 16
Views: 2222

Re: Wireguard connections have no traffic, using Advanced Firewall

eh...just duplicate the rule just below and change accordingly ? Just for my own edification, if I did that it would still block my WG traffic would it not? That rule only allows traffic from one subnet and it wouldn't match that so it wouldn't matter if the next rule did. Am I misunderstanding? Ye...
by jvanhambelgium
Sat Apr 22, 2023 5:38 pm
Forum: General
Topic: Wireguard connections have no traffic, using Advanced Firewall
Replies: 16
Views: 2222

Re: Wireguard connections have no traffic, using Advanced Firewall

I found the issue. Rule 9 in the Raw table: add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.100.0/24 My WG connections(s) are 10.10.100.0/24 so not in the allowed IP range. Question: It seems I cant add...
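For the raw-table rule quoted in this post, the following is an added example (not the poster's configuration and not the RouterOS default configuration) of replacing the single-subnet source match with an address list, so the WireGuard range is no longer dropped as a spoofed local source while the anti-spoofing rule itself stays in place. It assumes the LAN subnet 192.168.100.0/24 and the WireGuard subnet 10.10.100.0/24 from the post, and that the wireguard interface is a member of the LAN interface list (otherwise the rule would not have matched it in the first place).

```routeros
# Added example, not from the post. The default rule quoted in the post drops
# anything entering on a LAN-listed interface whose source is outside one subnet.
# It is an anti-spoofing rule, so deleting it is the wrong fix; widening the
# definition of "local" is the right one.
# Assumptions: LAN = 192.168.100.0/24 and WireGuard = 10.10.100.0/24 (both from
# the post); the wireguard interface is in the LAN interface list.

# Before (default configuration rule as quoted in the post):
#   /ip firewall raw add action=drop chain=prerouting \
#       comment="defconf: drop local if not from default IP range" \
#       in-interface-list=LAN src-address=!192.168.100.0/24

# After: one address list holds every range that is legitimately local.
/ip firewall address-list
add list=local-ranges address=192.168.100.0/24 comment="LAN"
add list=local-ranges address=10.10.100.0/24  comment="WireGuard peers"

/ip firewall raw
# Keep the rule, swap the fixed subnet for a negated list match and unset the
# old src-address so the two matchers do not both apply.
set [find comment="defconf: drop local if not from default IP range"] \
    src-address-list=!local-ranges !src-address

# Check that the rule still counts drops for a forged source and none for a
# WireGuard peer:
#   /ip firewall raw print stats where comment~"drop local"
```

Note that inside the tunnel WireGuard already enforces each peer's allowed-address, so a peer cannot inject a source outside its configured range; this raw rule matters for the physical LAN ports that share the interface list. If the wireguard interface is instead taken out of the LAN list, the forward chain needs its own accept rule for it, as the earlier reply in this thread suggests.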
by jvanhambelgium
Thu Apr 13, 2023 3:59 pm
Forum: Containers
Topic: RB5009 Hello World
Replies: 10
Views: 5268

Re: RB5009 Hello World

since I've inserted a USB 2.0 "hub" into the RB5009 and then my SDCARD in it the disk-id remains consistent across reboots. The problem was that sometimes the card is seen as USB 3.0 and sometimes USB 2.0 which results in different "disk" ID's. At the moment I have 4 containers r...
by jvanhambelgium
Tue Apr 11, 2023 6:22 pm
Forum: General
Topic: Zerotier with Mikrotik
Replies: 1
Views: 354

Re: Zerotier with Mikrotik

I've had the same on 7.8 on my RB5009
Not often, but sometimes it was in a state "REQUEST CONFIG" or something. Stopping and starting ZeroTier services made it work again.
Now I've updated to 7.9(rc2), which bumps the ZeroTier version also to a much newer release 1.10.3
by jvanhambelgium
Sun Apr 09, 2023 8:47 pm
Forum: Containers
Topic: Container "Traefik" (on RB5009)
Replies: 9
Views: 5954

Re: Container "Traefik" (on RB5009)

I couldn't get the Traefik container to work too. Therefore I decided to use nginx-proxy . How did you install it ? I tried to launch it via line below but it gives an error. add remote-image=jc21/nginx-proxy-manager:latest interface=veth4 root-dir=/usb3-part1/npm mounts=npm_data,npm_encrypt start-...
by jvanhambelgium
Sun Apr 09, 2023 8:06 pm
Forum: Containers
Topic: Container "Traefik" (on RB5009)
Replies: 9
Views: 5954

Re: Container "Traefik" (on RB5009)

I couldn't get the Traefik container to work too. Therefore I decided to use nginx-proxy.
Yes but this requires a DB in the backend. I have NPM also running on a Synology NAS combined with MariaDB where the config is stored for NPM ?
by jvanhambelgium
Sun Apr 09, 2023 12:26 pm
Forum: Containers
Topic: Container "Traefik" (on RB5009)
Replies: 9
Views: 5954

Container "Traefik" (on RB5009)

Anyone here has practical working container like "Traefik" operational ? (can serve as reverse-proxy) I've imported it and I can start it, but dash-board for example does not work. Also what about its config file "traefik.yml" ? I've shelled into the container but cannot find any...
by jvanhambelgium
Sun Apr 09, 2023 9:06 am
Forum: General
Topic: Using ISP for internet/Wifi but keep routing through Mikrotik due to hap ax3 bad wifi throughput/performance
Replies: 11
Views: 1028

Re: Using ISP for internet/Wifi but keep routing through Mikrotik due to hap ax3 bad wifi throughput/performance

Your wireless scenario is not possible unless you have an advanced ISP-router that you fully control.
Some "static routes" are not enough, this sounds more like some policy-routing based on certain criteria.

The "wired" scenario is basic and will work.
by jvanhambelgium
Fri Apr 07, 2023 3:33 pm
Forum: General
Topic: CRS 354-48g-4s+2q+rm as a core router in a company
Replies: 6
Views: 764

Re: CRS 354-48g-4s+2q+rm as a core router in a company

Depends... What is the PPPoE link ? 100Mbit ? 1000MBits ?? If only a 100Mbits Internet link I would risk it. Don't expect 500Mbps Internet performance or something... Your product is a SWITCH with a pretty weak CPU, so if you start using as a breakout-router to Internet don't expect a lot of perform...
by jvanhambelgium
Fri Apr 07, 2023 3:09 pm
Forum: General
Topic: I think my config looks correct, but operates incorrectly
Replies: 4
Views: 424

Re: I think my config looks correct, but operates incorrectly

TP-Link "management" (webgui) are always untagged packets, it's not like an enterprise-grade switch where you can "dictate" which VLAN the Management should be. So, untagged frames will end up on the port "ether4" on the HEX Why would you think you'll get an IP from 192.1...
by jvanhambelgium
Tue Apr 04, 2023 11:58 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 143390

Re: v7.8 [stable] is released!

Anyone else having this thingy with USB storage that keeps changing with each reboot from usb1-part1 to usb2-part1 etc ? Basically breaking containers etc between reboots. Was it possible to refer to a "label" in the container-settings ? yes, add "slot=DATA" parameter to your di...
by jvanhambelgium
Sun Apr 02, 2023 8:57 pm
Forum: Beginner Basics
Topic: Which router model for Internet Cafe (150 PCs)?
Replies: 8
Views: 1655

Re: Which router model for Internet Cafe (150 PCs)?

i5 - 7400 , 16g ram? if you already have it available go with it, it will perform better than a rb4011/rb5009 Thank you Chechito. Is the i5-7400 better than CCR2004? Better? you only have 150 clients and 1Gbits at most. i5 is even overkill. RB4011 or RB5009 will serve your Internet Cafe without eve...
by jvanhambelgium
Sun Apr 02, 2023 11:15 am
Forum: General
Topic: Web Proxy
Replies: 5
Views: 679

Re: Web Proxy

Is there another way to log visited sites? You could always go down the DNS path (analyse resolved entries), but that will not give you granularity *what* has been exactly visited. And of course not all DNS-lookups lead to visited "websites" so no real 100% match for your requirements. I...
by jvanhambelgium
Sun Apr 02, 2023 10:10 am
Forum: General
Topic: Web Proxy
Replies: 5
Views: 679

Re: Web Proxy

Mikrotik should remove this "web proxy" module all together from RouterOS. It is only for HTTP and does not support HTTPS Most Internet traffic these days is HTTPS. To put in some numbers (from Netflow). The last 24h my router processed about 89.000 flows on port 443 , while "port 80&...
by jvanhambelgium
Sat Apr 01, 2023 11:45 am
Forum: Containers
Topic: RB5009 Hello World
Replies: 10
Views: 5268

Re: RB5009 Hello World

Last week I disabled my Pi-hole container on RB5009 and returned to the container on my Synology NAS where it used to work flawlessly for years. "Once it runs" it is quite stable, but I experienced things like ; cannot start container anymore after an update-only reboot helps, USB-storage ...
by jvanhambelgium
Mon Mar 27, 2023 12:18 am
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 143390

Re: v7.8 [stable] is released!

Anyone else having this thingy with USB storage that keeps changing with each reboot from usb1-part1 to usb2-part1 etc ? Basically breaking containers etc between reboots. Was it possible to refer to a "label" in the container-settings ? /container mounts add dst=/etc/pihole name=etc_pihol...
by jvanhambelgium
Wed Mar 22, 2023 8:12 pm
Forum: General
Topic: Need some advice
Replies: 2
Views: 331

Re: Need some advice

What 6500-E chassis do you have ? 6503 / 6504 / 6506 / 6509 / 6513 ? What SUP's have you installed ? It all depends on the features & services that you use today on these chassis. Without knowing that its impossible to say if a Mikrotik switch would be capable to act as a replacement. The Cisco ...
by jvanhambelgium
Sun Mar 19, 2023 11:34 am
Forum: General
Topic: Network discovery over wireguard
Replies: 33
Views: 6077

Re: Network discovery over wireguard

Or an EOIP layer over wireguard. Even ROMON works then. Yes, but EoIP tunneling is bridging right ? So this means the user must "extend" his office LAN down to the home. What about the different VLAN's in the office. Let's say IPCAM VLAN in the office and IOT/MEDIA VLAN in the office, bot...
by jvanhambelgium
Sun Mar 19, 2023 9:35 am
Forum: General
Topic: Network discovery over wireguard
Replies: 33
Views: 6077

Re: Network discovery over wireguard

Please help me understand, is the reason that none of the devices at either end of the wireguard tunnel show up via network discovery because network discovery only works for devices on the same subnet? I'm going to base the next paragraph on this assumption. Depending in its implementation of this ...
by jvanhambelgium
Tue Mar 07, 2023 11:07 pm
Forum: General
Topic: How to use 3 DHCP for load balancing and Failover
Replies: 15
Views: 1756

Re: How to use 3 DHCP for load balancing and Failover

Ahhh..that is not going to work ;-) You cannot gain failover with regards to that aspect. If you have 1 "flat" network why not look at VRRP ? If your network is flat and you don't have Internet ... WHAT IS the gateway ? You need one ? Is any of these 3 routers a gateway to somewhere ?? Hi ...
by jvanhambelgium
Tue Mar 07, 2023 9:46 pm
Forum: General
Topic: How to use 3 DHCP for load balancing and Failover
Replies: 15
Views: 1756

Re: How to use 3 DHCP for load balancing and Failover

Hi. yes, its plain flat. the reason i am using 3x dhcp is frequent power cuts that can affect one or two routers...so at least one can serve the clients remaining. Question: the clients will not need a gateway? if an assign one, and its the one going down what happens? Thank you again for your time...
by jvanhambelgium
Tue Mar 07, 2023 10:45 am
Forum: General
Topic: How to use 3 DHCP for load balancing and Failover
Replies: 15
Views: 1756

Re: How to use 3 DHCP for load balancing and Failover

Since it is only "Intranet" you can deal with the failover/redundancy by using a larger scope and divide it across the 3 Eg. 172.16.0.0/16 , so this is a large IP-space, especially for only 300 devices. On all 3 , the "network" would be 172.16.0.0/16 , but the differences will be...
by jvanhambelgium
Tue Mar 07, 2023 9:44 am
Forum: General
Topic: How to use 3 DHCP for load balancing and Failover
Replies: 15
Views: 1756

Re: How to use 3 DHCP for load balancing and Failover

Since it is only "Intranet" you can deal with the failover/redundancy by using a larger scope and divide it across the 3 Eg. 172.16.0.0/16 , so this is a large IP-space, especially for only 300 devices. On all 3 , the "network" would be 172.16.0.0/16 , but the differences will be ...
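The split-scope scheme described in the two replies above, written out as RouterOS configuration for the first of the three routers. This is an added example, not the poster's configuration. It assumes the 172.16.0.0/16 space from the post, a bridge named `bridge` on each router, and that the gateway address 172.16.0.1 is shared with VRRP so the "what is the gateway" question raised later in the thread is answered by whichever router is still up. Routers B and C get the same block with their own pool range, their own bridge address and a lower VRRP priority.

```routeros
# Added example, not from the post. Router A of three DHCP servers on one flat
# 172.16.0.0/16 network. Assumptions: bridge interface is "bridge"; each router
# hands out leases from a disjoint /24 slice of the /16; the default gateway
# 172.16.0.1 is a VRRP virtual address shared by the three routers.

# Router A's own address, plus the shared gateway carried by VRRP.
/ip address add address=172.16.0.2/16 interface=bridge comment="router A"
/interface vrrp add name=vrrp-gw interface=bridge vrid=10 priority=200 \
    comment="A preferred master; use priority 150 on B and 100 on C"
/ip address add address=172.16.0.1/32 interface=vrrp-gw comment="shared gateway"

# Lease pool: A hands out only 172.16.1.x, B only 172.16.2.x, C only 172.16.3.x,
# so three servers answering the same DISCOVER can never offer the same address.
/ip pool add name=pool-a ranges=172.16.1.1-172.16.1.254
# The network definition is identical on all three routers.
/ip dhcp-server network add address=172.16.0.0/16 gateway=172.16.0.1 \
    comment="same block on A, B and C"
/ip dhcp-server add name=dhcp-a interface=bridge address-pool=pool-a \
    lease-time=1h authoritative=yes

# Checks after boot: exactly one router shows the master (M) flag in
#   /interface vrrp print
# and leases on this router only ever come from pool-a:
#   /ip dhcp-server lease print where server=dhcp-a
```

Two caveats a practitioner will want: VRRP v3, the RouterOS default, carries no authentication, so any host on the segment announcing a higher priority wins the election; this belongs only on a segment you physically control. And because all three servers answer every DISCOVER, a client takes whichever OFFER arrives first; if one router should be preferred, set `delay-threshold` on the DHCP servers of the other two so they only answer clients that have already been waiting.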
by jvanhambelgium
Mon Mar 06, 2023 5:32 pm
Forum: Beginner Basics
Topic: trafic flow monitoring setup - PRTG
Replies: 3
Views: 784

Re: trafic flow monitoring setup - PRTG

Did you try to actually put something in the "Source Address" in the target config ? So instead of 0.0.0.0 put 192.168.7.254 or whatever the IP on the MT side. thank you ! Yes, I did I'm using Netflow to (towards Splunk) and this just works. is there free edition of Splunk to use? Sure, ...
by jvanhambelgium
Sun Mar 05, 2023 10:53 pm
Forum: Beginner Basics
Topic: trafic flow monitoring setup - PRTG
Replies: 3
Views: 784

Re: trafic flow monitoring setup - PRTG

Did you try to actually put something in the "Source Address" in the target config ?
So instead of 0.0.0.0 put 192.168.7.254 or whatever the IP on the MT side.

I'm using Netflow to (towards Splunk) and this just works.
by jvanhambelgium
Sun Mar 05, 2023 8:41 pm
Forum: General
Topic: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]
Replies: 5
Views: 2467

Re: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]

I've tried them on my RB5009 on the latest 7.8 and I do get *a lot* of errors where the list fails to update. Some even " script error: error - contact MikroTik support and send a supout file (10) " Screenshot from 2023-03-05 19-39-19.png On what platform did you test these scripts ? After...
by jvanhambelgium
Sun Mar 05, 2023 6:20 pm
Forum: General
Topic: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]
Replies: 5
Views: 2467

Re: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]

This is unnecessary, all input on the WAN side should be blocked by default. Sure, but you could also block OUTGOING traffic towards any of these IP's. This might indicate some internal compromise of some system. And IF you run any services (eg. webserver, VPN-server) you cannot just "all inpu...
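An added example of the second point made in this reply, that a block list is worth applying to outbound traffic as well as inbound, because a LAN host talking to listed infrastructure is the event that hints at an internal compromise. This is not the poster's configuration. It assumes an address list named `firehol_level1` that the thread's updater script already fills (the list name is an assumption) and the default LAN/WAN interface lists.

```routeros
# Added example, not from the post. One threat-intel address list applied in
# both directions. Assumptions: list "firehol_level1" is populated by the
# thread's updater script (name assumed); LAN/WAN interface lists are defaults.

/ip firewall raw
# Inbound: a cheap drop before connection tracking. Scanners hitting a listed
# source are background noise and not worth logging.
add chain=prerouting action=drop in-interface-list=WAN \
    src-address-list=firehol_level1 comment="blocklist inbound"

/ip firewall filter
# Outbound: a LAN host opening a connection to a listed address is the
# interesting event. Log it with the internal source so the syslog/Splunk side
# can pivot on the host, and only log "new" so one session is one line.
add chain=forward action=drop in-interface-list=LAN out-interface-list=WAN \
    dst-address-list=firehol_level1 connection-state=new log=yes \
    log-prefix="blocklist-egress " comment="blocklist outbound (log = possible compromise)"
# Services published with a DNAT still need their own accept rules above the
# generic input/forward drops; this list does not replace them.

# Check: a hit should appear as one line per new flow.
#   /log print where message~"blocklist-egress"
```

The forward rule does not cover the router's own traffic (its DNS, NTP and the `fetch` that updates the list), which passes through the output chain; leave the output chain alone here or the updater itself can end up blocked.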
by jvanhambelgium
Sun Mar 05, 2023 11:11 am
Forum: General
Topic: Backhaul Routing Failure
Replies: 2
Views: 374

Re: Backhaul Routing Failure

palantiacuteri-lotr.jpg
:-? :roll:
by jvanhambelgium
Thu Mar 02, 2023 10:00 pm
Forum: Beginner Basics
Topic: Firewall Filter tool is not efficent
Replies: 13
Views: 1956

Re: Firewall Filter tool is not efficent

I agree with you, Now give me the solution or recommend me another hardware or equipment which fulfills my need Thanks in advance That is going to cost you vastly more ... Palo Alto FW, Checkpoint, Fortinet, etc (and dozens others) have the required power to identify applications and thus allow yo...
by jvanhambelgium
Tue Feb 28, 2023 8:44 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 143390

Re: v7.8 [stable] is released!

Updated my RB5009. No issues so far. The "flashing" SFP interface window in Winbox seems fixed and remains stable. My SFP S+RJ10 works just fine. Screenshot from 2023-02-28 19-43-00.png The only thing is this usb-drive mapping/naming. Now it became usb2-part1 (it was usb1-part1 on 7.7) so ...
by jvanhambelgium
Fri Feb 24, 2023 12:07 pm
Forum: RouterBOARD hardware
Topic: OOB Access to remote infrastructure
Replies: 5
Views: 2680

Re: OOB Access to remote infrastructure

This thing has serial ports ? Alternatively you can just use the "ethernet" ports no ? 1 cable to RB4011 and 1 ethernet to CRS328-24G-4S+ and make the appropriate IP-config.
by jvanhambelgium
Fri Feb 24, 2023 8:58 am
Forum: RouterBOARD hardware
Topic: OOB Access to remote infrastructure
Replies: 5
Views: 2680

Re: OOB Access to remote infrastructure

Small ARM/ARM64-based MT-device and then a ZeroTier "OOB" network ?
No hassle with launching VPN's etc. Its always "connected" via the cloud-switch. (zerotier)
by jvanhambelgium
Fri Feb 03, 2023 3:38 pm
Forum: General
Topic: How to access Mikrotik behind Starlink (CGNAT) [SOLVED]
Replies: 50
Views: 13391

Re: How to access Mikrotik behind Starlink (CGNAT)

Install TeamViewer on a PC if that PC belongs to you or is from your company?
When you take over the PC, you can Winbox straight to the Mikrotik.
by jvanhambelgium
Fri Feb 03, 2023 11:29 am
Forum: Beginner Basics
Topic: redirecting friendly.url.com/whatever to a local.ip:port
Replies: 4
Views: 558

Re: redirecting friendly.url.com/whatever to a local.ip:port

Not possible with Mikrotik.
If your MT supports "containers" you can consider trying to get something like NGINX/Traefik etc active and "redirect" from there.
You need a reverse-proxy of some sort for these functions and MT does not have it embedded.
by jvanhambelgium
Tue Jan 31, 2023 7:44 am
Forum: Beginner Basics
Topic: Docker? Does anybody use it?
Replies: 16
Views: 3705

Re: Docker? Does anybody use it?

Pi-hole works just fine here on my RB5009. Sure, it consumes quite some RAM, but performance is fine in my HOME scenario. Don't know if the container could be optimized to use even less. If you in Pi-hole GUI and check the utilization there ; Total CPU utilization: 0.2% Memory utilization: 1.9% Used...
by jvanhambelgium
Mon Jan 30, 2023 8:26 pm
Forum: RouterOS beta
Topic: 7.8beta2 adds new package ROSE-storage
Replies: 67
Views: 28048

Re: 7.8beta2 adds new package ROSE-storage

ZFS - probably more complicated Yeah, both BTRFS and ZFS are great choices but as the latter is a third party add-on (originated from Sun Microsystems) it would likely be harder to maintain. likely ? Look at for example the ZeroTier package ; MT released it at version 1.6.6 and it was never updated...
by jvanhambelgium
Sun Jan 29, 2023 12:30 pm
Forum: RouterOS beta
Topic: RB5009UPr+S+ Bandwidth Issue
Replies: 27
Views: 4981

Re: RB5009UPr+S+ Bandwidth Issue

The only test that I can think of is to disconnect the ONT/dumb-switch and effectively place a PC on your "WAN" port and "simulate" your Internet. If you also cannot push 1Gbit/sec through the RB5009 then the unit really is faulty, really. I can't imagine a "netinstall"...
by jvanhambelgium
Sat Jan 28, 2023 9:28 pm
Forum: General
Topic: RouterOS IP Firewall Filter Rules not working?
Replies: 7
Views: 1464

Re: RouterOS IP Firewall Filter Rules not working?

Are you using the Mikrotik as a DNS-server ?
Then it is normal that FORWARD chain will not deal with any traffic GENERATED by the Mikrotik (example ; upstream DNS queries) or RESPONSES back to the Mikrotik.
by jvanhambelgium
Sat Jan 28, 2023 8:34 pm
Forum: RouterOS beta
Topic: RB5009UPr+S+ Bandwidth Issue
Replies: 27
Views: 4981

Re: RB5009UPr+S+ Bandwidth Issue

So for my understanding, the "WAN" interface is configured just to obtain via DHCP a IP-address from the ISP, no PPPoE anymore right ? Really, really weird phenomenon you have with RB5009. Did you reboot after setting the MTU back to default value ? Could you perform a complete factory-rese...
by jvanhambelgium
Sat Jan 28, 2023 11:39 am
Forum: RouterOS beta
Topic: RB5009UPr+S+ Bandwidth Issue
Replies: 27
Views: 4981

Re: RB5009UPr+S+ Bandwidth Issue

Reset the L2MTU value on the RB5009 again to default value and try again ?
What effect does this have ?
by jvanhambelgium
Fri Jan 27, 2023 9:35 pm
Forum: Beginner Basics
Topic: how to use multiple ip's from one wan?
Replies: 6
Views: 1131

Re: how to use multiple ip's from one wan?

Who said your ISP allows you to use anything else than 192.168.1.1 ?
It does not mean that if you see some /24 mask somewhere that you can use that whole block. Check with your ISP for confirmation.
by jvanhambelgium
Thu Jan 26, 2023 6:11 pm
Forum: Useful user articles
Topic: Configuration to block users that tries to access router on non open port(s)
Replies: 86
Views: 26443

Re: Configuration to block users that tries to access router on non open port(s)

As ISP I have mitigation center. If for some reason my network is under attack, the traffic instead of the usual 3ms latency go to 35/45ms because all is routed through the cloudflare center that has the power to filter any DDoS attack... I can't reveal other detail for N.D.A. but ask your ISP to use s...
by jvanhambelgium
Thu Jan 26, 2023 10:23 am
Forum: Announcements
Topic: v7.8beta [testing] is released!
Replies: 307
Views: 78919

Re: v7.8beta [testing] is released!

This will be my last post on this as it's getting off-topic, but ZeroTier is a pretty basic SD-WAN and is in no way equivalent to the capabilities, flexibility, and scalability of SD-WAN from vendors like Cisco-Viptela, Palo Alto-CloudGenix,VMware-VeloCloud, Fortinet SD-WAN, etc. mpvpn, meshvpn, sd...
by jvanhambelgium
Mon Jan 23, 2023 9:14 pm
Forum: Beginner Basics
Topic: Zerotier Site to Site LAN issue
Replies: 10
Views: 1589

Re: Zerotier Site to Site LAN issue

Perhaps you could torch/packet-capture on the RB5009 to see if packets destined for 10.128.64.0/24 are *effectively* arriving here ? I fired up my (lab) installation to check on the rules. Could you on the rb5009, create in the FORWARD chain a accept-rule that allows "in-interface" = BRIDG...
by jvanhambelgium
Mon Jan 23, 2023 5:49 pm
Forum: Beginner Basics
Topic: Zerotier Site to Site LAN issue
Replies: 10
Views: 1589

Re: Zerotier Site to Site LAN issue

As a test, could you add the "zerotier1" interface to the LAN interface LIST ?
Very weird that with all firewall-rules disabled (which should mean "allow any any") things don't seem to work in your setup.
by jvanhambelgium
Mon Jan 23, 2023 2:42 pm
Forum: Beginner Basics
Topic: Zerotier Site to Site LAN issue
Replies: 10
Views: 1589

Re: Zerotier Site to Site LAN issue

Did you effectively add a route in the ZeroTier admin-panel ? So something like 10.128.64.0/24 via 192.168.42.3 I have such a setup with both an RB5009 and RB3011 hooked into ZeroTier and I can access (from a PC on the RB5009-LAN) a server sitting behind the RB3011-LAN and you have to do the same i...
by jvanhambelgium
Mon Jan 23, 2023 1:37 pm
Forum: Beginner Basics
Topic: Zerotier Site to Site LAN issue
Replies: 10
Views: 1589

Re: Zerotier Site to Site LAN issue

Did you effectively add a route in the ZeroTier admin-panel ?
So something like

10.128.64.0/24 via 192.168.42.3

I have such a setup with both an RB5009 and RB3011 hooked into ZeroTier and I can access (from a PC on the RB5009-LAN) a server sitting behind the RB3011-LAN
by jvanhambelgium
Sun Jan 22, 2023 4:38 pm
Forum: General
Topic: Locked out!
Replies: 16
Views: 1986

Re: Locked out!

Then I guess it will be a 100 mile trip for you...not much other options it seems. Perhaps in the future try to use Winbox SAFE-MODE while making such modifications from a remote location... After that test the changes by initiating a new/fresh session Only when 100% sure perform the commit. https:/...
by jvanhambelgium
Sun Jan 22, 2023 10:01 am
Forum: General
Topic: Locked out!
Replies: 16
Views: 1986

Re: Locked out!

So no other local-device / server onsite that you might use as a jumphost (ssh is enough) ? Unless of course that change you made to a firewall-rule was significant enough to really block everything on the input-chain... If so, schedule a nice 100mile trip because there are no other remote "ba...
by jvanhambelgium
Wed Jan 18, 2023 7:16 pm
Forum: Beginner Basics
Topic: Help with logging
Replies: 1
Views: 371

Re: Help with logging

Yes that will work, but you might see other messages too which are "info" level messages.
As far as I know, you cannot make a specific FILTER based on the message-content itself ; that would be even more flexible.
by jvanhambelgium
Wed Jan 18, 2023 6:17 pm
Forum: Beginner Basics
Topic: How to Whitelist IP
Replies: 5
Views: 752

Re: How to Whitelist IP

If you could obtain a config-extract from your customer you'll probably get some support here. However the question is ; does your customer even know how to login this Mikrotik and perform some basic things ?? If not, advise him to get in touch with some Mikrotik consultant who can perform this thin...
by jvanhambelgium
Wed Jan 18, 2023 5:16 pm
Forum: Beginner Basics
Topic: How to Whitelist IP
Replies: 5
Views: 752

Re: How to Whitelist IP

Hello, I work for a security company installing CCTV and Audio. I'm having issues with SIP registration from the speaker to our PBX server. From what I gathered from the speaker manufacturer a Pcap determined the firewall is blocking the data. Unfortunately I'm not an network expert and the custome...
by jvanhambelgium
Sat Jan 14, 2023 12:08 am
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 116519

Re: v7.7 [stable] is released!

Are there any people with a broken ZeroTier setup in this release ?? ZT on my RB5009 is broken. Stuck in the state "Requesting_Configuration" it seems. Worked just fine on 7.6 My LAB-3011 was also upgraded (first) and ZT is working fine here, that's the strange thing. The "LEAF" ...
by jvanhambelgium
Fri Jan 13, 2023 12:14 am
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 116519

Re: v7.7 [stable] is released!

Updated RB5009 with SFP module "S+RJ10" but see in Winbox some "flipping" behaviour, switching between 1G & 10G but the connection (on top of this interface my PPPoE runs) is just fine, 0 errors, maximum performance. So at this point I'm not sure if this a "Winbox" ...
by jvanhambelgium
Thu Jan 12, 2023 11:41 pm
Forum: Containers
Topic: openspeedtest mikrotik ready container Topic is solved
Replies: 18
Views: 14592

Re: openspeedtest mikrotik ready container Topic is solved

I've just performed the update to ROS 7.7 STABLE on the RB5009 and this container does not want to start anymore : Screenshot from 2023-01-12 22-39-51.png Any clue why this suddenly happens ? On 7.6 I never saw this. What is the fix for this ? It does not look like I can pass an ENV-variable forcing...
by jvanhambelgium
Tue Jan 10, 2023 9:58 pm
Forum: General
Topic: RouterOS can't use ingress port 53 [SOLVED]
Replies: 18
Views: 2759

Re: RouterOS can't use ingress port 53 [SOLVED]

Change the in-interface to "pppoe-out1" ?
by jvanhambelgium
Tue Jan 03, 2023 12:12 pm
Forum: General
Topic: Monitoring dropped packets [SOLVED]
Replies: 1
Views: 1069

Re: Monitoring dropped packets [SOLVED]

The Tx/Rx "drops" you refer to (at interface level) are NOT related to FIREWALL DROPS etc. These are drops at the eg. ethernet level due to mismatches,cable-problems (crc errors etc) and other transmission issues. So this "counter" should ideally be "0" You cannot moni...
by jvanhambelgium
Thu Dec 29, 2022 9:52 am
Forum: The Dude
Topic: A Cisco Stack probe
Replies: 1
Views: 2208

Re: A Cisco Stack probe

The stack will also report this by itself through SNMP (trap) and/or SYSLOG.
by jvanhambelgium
Sat Dec 17, 2022 8:24 am
Forum: General
Topic: Help about setting a wireguard client on routeros.
Replies: 6
Views: 1585

Re: Help about setting a wireguard client on routeros.

I'm even surprised this would work in China. Wireguard is rather easy for an advanced firewall to detect & filter....that might be the reason why you only see "Tx" traffic :(
by jvanhambelgium
Wed Dec 14, 2022 4:24 pm
Forum: Containers
Topic: How upgrade container?
Replies: 15
Views: 7166

Re: How upgrade container?

Updated my Pi-hole yesterday on the RB5009 and 30seconds later it was already back up & running with all config (because stored outside the container-image)
Can't be simpler than this...
by jvanhambelgium
Wed Dec 14, 2022 9:00 am
Forum: Wireless Networking
Topic: 20 floors hotel WiFi scenario
Replies: 18
Views: 2586

Re: 20 floors hotel WiFi scenario

Guys,Hi! I want to share WiFi access for 20 floors hotel with 143 rooms. The building is high, not wide. I have rj45 cable with 1000mbps link on first floor. I want to be cable less scenario. (im not a pro) I want to have captive portal with login (codes or username+password) I want to make my own ...
by jvanhambelgium
Tue Dec 13, 2022 7:12 pm
Forum: RouterBOARD hardware
Topic: Please in the future remove DC Jack input...
Replies: 19
Views: 2461

Re: Please in the future remove DC Jack input...

But why would a professional installation ever use a dual power supply? Because we feed the device from 2 separate UPS's or Incoming Circuit + ATS/Battery Backup to maximize uptime. Trust me you don't want to relive the CCR1036 days where it came with 1x psu and that psu came with a design flaw ......
by jvanhambelgium
Mon Dec 12, 2022 11:04 pm
Forum: Containers
Topic: How upgrade container?
Replies: 15
Views: 7166

Re: How upgrade container?

If you made folder-mappings / mounts on the Pihole container pointing to some USB-storage for eg. /etc/pihole I would think there is no need to export/restore the config as it is not deleted when you delete the Pihole-container ? 1) Stop the container 2) Delete the container 3) Pull newest instance ...
by jvanhambelgium
Sat Dec 10, 2022 7:29 pm
Forum: General
Topic: Recommendations for linux-based software to read Traffic Flows and make Unifi-like pretty graphs
Replies: 2
Views: 666

Re: Recommendations for linux-based software to read Traffic Flows and make Unifi-like pretty graphs

Splunk is also an option, and then you can benefit from the contribution @Jotne made // see this topic https://forum.mikrotik.com/viewtopic.php?p=969505&hilit=Splunk#p888798 In addition, you can install the Netflow module on Splunk to also process Netflow data. But again, this requires quite som...
by jvanhambelgium
Sat Dec 10, 2022 11:14 am
Forum: General
Topic: Wireguard VPN could not connect VLAN clients on RB3011UiAS
Replies: 6
Views: 1109

AB

Well, it seems that your VLAN setup works OK, as clients on these VLAN's can effectively go out to Internet etc It sounds also promising that from your wireguard-peers/clients you can already ping L3-VLAN IP's on the Mikrotik. Can you on the top of the "forward chain" , above the "dr...
by jvanhambelgium
Fri Dec 09, 2022 8:52 pm
Forum: General
Topic: Wireguard VPN could not connect VLAN clients on RB3011UiAS
Replies: 6
Views: 1109

Re: Wireguard VPN could not connect VLAN clients on RB3011UiAS

Are these clients all Windows PC's / servers ?
Sure there is no host-based firewall at play here ?

Remember, a Windows machine will drop pings if not sourced from the local network-range. For sure 10.66.67.x is outside any 192.168.x.x range here.
by jvanhambelgium
Tue Dec 06, 2022 10:00 am
Forum: Containers
Topic: Looking for Docker container ideas for RouterOS
Replies: 121
Views: 33308

Re: Looking for Docker container ideas for RouterOS

For another, you will notice that the current implementation requires NAT, not allowing direct access to the host's bridge. That's a sensible default, though I hope MikroTik eventually lifts it, as there are services you can only provide when bound to real hardware. My AdGuardHome runs fine with an...
by jvanhambelgium
Sat Dec 03, 2022 1:43 pm
Forum: Beginner Basics
Topic: question about Encrypting DNS request using my mikrotik [SOLVED]
Replies: 5
Views: 1070

Re: question about Encrypting DNS request using my mikrotik [SOLVED]

I do not use any DoT/DoH functionality.
Reading the forums I think for sure there are bugs depending on the release you run.

But anyway, If I go to dns.nextdns.io with my Chrome on Ubuntu all seems fine. No warnings. Certificate is valid.
Screenshot from 2022-12-03 12-42-23.png
by jvanhambelgium
Sat Dec 03, 2022 9:42 am
Forum: Beginner Basics
Topic: question about Encrypting DNS request using my mikrotik [SOLVED]
Replies: 5
Views: 1070

Re: question about Encrypting DNS request using my mikrotik [SOLVED]

The goal of the video was to make your Mikrotik a (secure) DNS "client", so you see the certificate actions are on Mikrotik itself. All your clients on the LAN continue to keep using traditional DNS and must use the Mikrotik as their DNS. Upon receiving the regular DNS-traffic from your c...
by jvanhambelgium
Thu Dec 01, 2022 9:23 am
Forum: Scripting
Topic: Run script when ping on specific IP is detected [SOLVED]
Replies: 7
Views: 2800

Re: Run script when ping on specific IP is detected [SOLVED]

Why make a script ? "Netwatch" will do that for you... > Tools > Netwatch Then define some "targets" and what test you want to run (eg. regular ICMP or TCP-con or something) Then define "action" what to do when "Up" and/or "Down" (you can paste a scri...
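Added example (not from the original post) of the Netwatch setup described in that reply on RouterOS 7: one ICMP target and one TCP-connect target, each with an up-script and a down-script. The hosts, ports and log texts are assumptions.

```routeros
# Added example, not from the original post. RouterOS 7 Netwatch.
# Assumed: a phone at 192.168.88.50 and a NAS at 192.168.88.20 on the LAN.

# ICMP probe: fire a script when the host starts (or stops) answering pings.
# interval = how often to probe, timeout = how long to wait for a reply.
/tool/netwatch/add host=192.168.88.50 type=icmp interval=30s timeout=2s \
    comment="phone presence" \
    up-script=":log info \"phone 192.168.88.50 is reachable\"" \
    down-script=":log info \"phone 192.168.88.50 stopped answering\""

# TCP probe: checks that the service port answers, not just that the host
# replies to ping (a host can be up while the service is dead).
/tool/netwatch/add host=192.168.88.20 type=tcp-conn port=445 interval=1m timeout=3s \
    comment="NAS SMB" \
    up-script=":log info \"NAS SMB port 445 up\"" \
    down-script=":log warning \"NAS SMB port 445 down\""

# Check: status, since when, and the last probe result per target
/tool/netwatch/print detail
```

Anything you would put in a script can go in the up-script / down-script strings (inner quotes escaped with a backslash), or you keep the logic in /system/script and call it with /system/script/run from there. Note that Netwatch probes outward from the router; it tells you when a target becomes reachable, not when a target sends you a ping.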
by jvanhambelgium
Sun Nov 27, 2022 9:39 pm
Forum: General
Topic: CHR 7.6 firewall issues
Replies: 5
Views: 847

Re: CHR 7.6 firewall issues

So, what is this rule supposed to do ?

add action=accept chain=input comment="bruteforce ssh&winbox" disabled=yes \
    dst-port=1026,8292 protocol=tcp src-address-list=!bruteforce_blacklist

So you ARE allowing SSH + Winbox to your router if they are NOT in the bruteforce_blacklist. Why not...
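The rule quoted in that reply is the last step of the usual staged brute-force pattern. Added example (not from the original post or the thread's config) showing the whole pattern, with a trusted-source allow placed before the counters. Ports 1026 (SSH) and 8292 (Winbox) come from the quoted rule; the "mgmt" list and its members are assumptions.

```routeros
# Added example, not from the original post. RouterOS 7 firewall filter.
# Ports 1026 and 8292 taken from the rule quoted above; "mgmt" list is assumed.

# Sources that may always reach management (LAN + a known admin VPN exit)
/ip/firewall/address-list/add list=mgmt address=192.168.88.0/24 comment="LAN"
/ip/firewall/address-list/add list=mgmt address=203.0.113.10 comment="admin VPN egress (assumed)"

/ip/firewall/filter
# 1. already blacklisted -> drop, before anything else
add chain=input protocol=tcp dst-port=1026,8292 src-address-list=bruteforce_blacklist \
    action=drop comment="drop blacklisted sources"
# 2. trusted sources skip the counters, so an admin's own scripted loop
#    cannot blacklist the admin
add chain=input protocol=tcp dst-port=1026,8292 src-address-list=mgmt \
    action=accept comment="management from trusted sources"
# 3. everyone else climbs the stages on each NEW connection:
#    4 connection attempts within a minute -> blacklisted for 10 days
add chain=input protocol=tcp dst-port=1026,8292 connection-state=new \
    src-address-list=bf_stage3 action=add-src-to-address-list \
    address-list=bruteforce_blacklist address-list-timeout=10d comment="stage3 -> blacklist"
add chain=input protocol=tcp dst-port=1026,8292 connection-state=new \
    src-address-list=bf_stage2 action=add-src-to-address-list \
    address-list=bf_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=1026,8292 connection-state=new \
    src-address-list=bf_stage1 action=add-src-to-address-list \
    address-list=bf_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=1026,8292 connection-state=new \
    action=add-src-to-address-list address-list=bf_stage1 address-list-timeout=1m
# 4. the quoted rule: everything not (yet) blacklisted gets through.
#    If you do not need management from arbitrary Internet addresses,
#    change this one to action=drop and rely on rule 2 only.
add chain=input protocol=tcp dst-port=1026,8292 src-address-list=!bruteforce_blacklist \
    action=accept comment="bruteforce ssh&winbox"

# Check: who is being counted, who is blacklisted
/ip/firewall/address-list/print where list~"bf_|bruteforce"
```

The add-src-to-address-list rules do not accept or drop; the packet continues to the next rule, which is why the stage rules sit between the drop and the final accept. The staging only limits how many attempts an unknown source gets; it does not make exposed management safe, which is the point the reply is making.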
by jvanhambelgium
Sun Nov 27, 2022 1:35 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 374
Views: 130196

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.8 (Graphing everything) 💾 🛠 💻 📊

Thanks Jotne for this new release! Both updated 5.1 script & 3.8 Splunk-app are working fine over here!
by jvanhambelgium
Mon Nov 21, 2022 12:39 am
Forum: Beginner Basics
Topic: RB5009 help to configure (Switch, VLANs) [SOLVED]
Replies: 39
Views: 4570

Re: RB5009 help to configure (Switch, VLANs) [SOLVED]

There is a rule to allow ICMP;

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

This rule allows ICMP to WAN from the Internet, I changed action to drop, and there is no option to PING WAN port from the Internet, but this blocked ping to the VLAN ...
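The quoted rule matches ICMP on every interface, so flipping it to drop also blocks pings from the VLANs. Added example (not from the original post) scoping it with the default-config interface lists instead, on RouterOS 7. ether1 as WAN and vlan10/vlan20 on bridge "bridge" are assumptions.

```routeros
# Added example, not from the original post. RouterOS 7, default-config style
# interface lists. Assumed: ether1 is WAN, VLANs vlan10/vlan20 live on "bridge".

# VLAN interfaces have to be members of the LAN list, otherwise every rule
# keyed on in-interface-list=LAN (including defconf's "drop all not coming
# from LAN") treats them as untrusted.
/interface/list/member/add list=WAN interface=ether1
/interface/list/member/add list=LAN interface=bridge
/interface/list/member/add list=LAN interface=vlan10
/interface/list/member/add list=LAN interface=vlan20

/ip/firewall/filter
# Instead of turning "defconf: accept ICMP" into a blanket drop:
# drop only echo-requests (type 8, code 0) arriving on the WAN ...
add chain=input protocol=icmp icmp-options=8:0 in-interface-list=WAN action=drop \
    comment="no ping replies to the Internet"
# ... and keep accepting the rest: pings from LAN/VLANs, plus the ICMP
# errors (unreachable, fragmentation-needed, TTL exceeded) the router
# needs for path-MTU and traceroute to keep working.
add chain=input protocol=icmp action=accept comment="defconf: accept ICMP"

# Check: counters on the drop rule should move when pinging the WAN IP
# from outside, counters on the accept rule when pinging from a VLAN host
/ip/firewall/filter/print stats where protocol=icmp
```

Rule order matters: the WAN echo-request drop must sit above the general ICMP accept, in the same place the original "defconf: accept ICMP" rule was.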
by jvanhambelgium
Fri Nov 04, 2022 6:18 pm
Forum: Containers
Topic: Error in container (Pi-hole)
Replies: 7
Views: 6704

Re: Error in container (Pi-hole)

My Pihole is running for quite some time now on my RB5009
Are you using USB storage or the 5009's NAND?
USB-storage.
by jvanhambelgium
Thu Nov 03, 2022 5:14 pm
Forum: Containers
Topic: Docker + Snort ?
Replies: 7
Views: 4915

Re: Docker + Snort ?

Isn't pihole better suited for that ? From what I can see, Snort is more for network intrusion detection. OTOH if you need Snort for detecting network intrusion, your firewall may not be up to par :D True ;-) @anav, you did not specify the bigger context ; Of course "Snort" can run on/in ...
by jvanhambelgium
Thu Nov 03, 2022 12:00 pm
Forum: Containers
Topic: Docker + Snort ?
Replies: 7
Views: 4915

Re: Docker + Snort ?

User requirements? :lol:
8) 8) 8) 8) 8)
by jvanhambelgium
Tue Nov 01, 2022 11:25 pm
Forum: General
Topic: With issues understanding firewall rules with mikrotik, migrated to fortigate
Replies: 18
Views: 1728

Re: With issues understanding firewall rules with mikrotik, migrated to fortigate

For example, similar to Fortinet we use Palo Alto modules on 1 of our environments (services > 100k users, full UTM/SSL-decrypt/webproxy/... enabled) that cost 6-digit numbers in euros only for a single line-card.... What brand of switches are you using with your palo alto? just curious, I personall...
by jvanhambelgium
Tue Nov 01, 2022 8:57 pm
Forum: General
Topic: With issues understanding firewall rules with mikrotik, migrated to fortigate
Replies: 18
Views: 1728

Re: With issues understanding firewall rules with mikrotik, migrated to fortigate

Indeed, fortigate is more appropriate for the uber web gurus. Well ... you cannot really compare a RouterOS box with a Fortinet in the Firewall/UTM area... it's not a fair comparison in favor of Fortigate. (similar statement for example compared to Palo Alto) This is not about being more "approp...
by jvanhambelgium
Tue Nov 01, 2022 12:02 pm
Forum: Scripting
Topic: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?
Replies: 18
Views: 2295

Re: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?

So, on my own personal RB3011 in winbox I see this in the SFP interface. MODULE PRESENT (TICK) RX LOSE TX Fault Followed by all the SFP info. This is for a BIDI module I have installed Surely if that was a duplex transceiver, surely there would be some way to have those first 3 checkboxes alert so...
by jvanhambelgium
Mon Oct 31, 2022 1:26 pm
Forum: General
Topic: VPN mynetname missing...!??? [SOLVED]
Replies: 4
Views: 2065

Re: VPN mynetname missing...!??? [SOLVED]

Hi, I have an RB4011. I was looking to set up VPN but I notice that unlike in all the guides I have been through I don't have a mynetname address, it shows the router's IP address... why is this? Thank you for any input. You have a value in the "STATUS" field ? What does it say ? status (read-...
by jvanhambelgium
Mon Oct 31, 2022 1:00 pm
Forum: General
Topic: VPN mynetname missing...!??? [SOLVED]
Replies: 4
Views: 2065

Re: VPN mynetname missing...!??? [SOLVED]

You mean like this ?

/ip/cloud> print
  ddns-enabled: yes
  ddns-update-interval: 1m
  update-time: yes
  public-address: XX.XX.XX.XX
  dns-name: XXXXXXX.sn.mynetname.net
  status: updated

So this field "dns-name" is empty ?? That can't be right ? Perhaps check with MT-support if there is something wrong...
by jvanhambelgium
Sun Oct 30, 2022 5:30 pm
Forum: General
Topic: Weird Wireguard subnet problem
Replies: 18
Views: 2140

Re: Weird Wireguard subnet problem

In theory you could have stumbled upon a bug or something, especially with these larger subnets. Your story makes sense. This 172.16.1.10 device that you are trying to ping, can you tell me something about it (Windows? Linux? custom appliance)? What is it ? Does it have a gateway set ? To where ? Ca...
by jvanhambelgium
Sun Oct 30, 2022 1:54 pm
Forum: General
Topic: Weird Wireguard subnet problem
Replies: 18
Views: 2140

Re: Weird Wireguard subnet problem

Small note, your Win10 Wireguard-config is not fully correct ;

[Interface]
PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXX
Address = 192.168.32.2/24
DNS = 192.168.0.100

You need to specify a /32 here ! Each WG-endpoint receives a /32 (well ... not really "receives" of course but you get the picture...
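Added example (not from either post) of the RouterOS 7 side that goes with the Windows client quoted above, also covering the forward-chain placement mentioned in the earlier reply in this list about WireGuard clients reaching VLANs. The listen port, the 192.168.32.0/24 tunnel range, the peer comment and the use of the default-config LAN list are assumptions; the client public key is a placeholder.

```routeros
# Added example, not from the original posts. RouterOS 7 WireGuard server side.
# Assumed: tunnel range 192.168.32.0/24, VLANs are members of interface list LAN,
# ether1 is in interface list WAN.

# Interface; RouterOS generates the key pair, read the public key from print
/interface/wireguard/add name=wg0 listen-port=13231
/ip/address/add address=192.168.32.1/24 interface=wg0
/interface/wireguard/print

# Let the handshake in from the Internet
/ip/firewall/filter/add chain=input protocol=udp dst-port=13231 in-interface-list=WAN \
    action=accept comment="WireGuard handshake"

# The peer entry is where the /32 is required on the router side: allowed-address
# is both the ACL (which source IP this peer may send from) and the route
# selector (which destinations are sent to this peer). One /32 per client.
/interface/wireguard/peers/add interface=wg0 public-key="<client public key>" \
    allowed-address=192.168.32.2/32 comment="win10-laptop (assumed)"

# Reaching the VLANs: the forward accept must sit ABOVE the forward drop rules.
# place-before=0 puts it at the top of the filter table; order across chains
# is irrelevant, order inside the forward chain is what matters.
/ip/firewall/filter/add chain=forward in-interface=wg0 out-interface-list=LAN \
    action=accept place-before=0 comment="WireGuard clients -> VLANs"
# Alternative: make wg0 a LAN member and the defconf forward rules already allow it
# /interface/list/member/add list=LAN interface=wg0

# Check: last-handshake should be recent and rx/tx should grow when the client
# sends traffic; if rx grows but nothing reaches the VLAN, look at the forward chain
/interface/wireguard/peers/print detail
/ip/firewall/filter/print stats where chain=forward
```

When testing from the tunnel, remember the point made in the other reply: the Windows firewall's inbound ICMPv4 echo rule is scoped to the local subnet by default, so a VLAN Windows host may ignore pings from 192.168.32.x even though the tunnel and the forward rule are fine. Test with a TCP service (RDP, SMB) as well, or widen that Windows rule's remote scope to include the tunnel range.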
by jvanhambelgium
Sat Oct 29, 2022 3:58 pm
Forum: Containers
Topic: Error in container (Pi-hole)
Replies: 7
Views: 6704

Re: Error in container (Pi-hole)

I see in your config-extract : RouterOS 7.1rc4
Please upgrade to 7.6 , make an export of Pihole // delete & re-install the container // import config and try again.
In the last 7.x release some fixing was done on permissions etc.

My Pihole is running for quite some time now on my RB5009
by jvanhambelgium
Sat Oct 29, 2022 1:38 pm
Forum: RouterOS beta
Topic: I have two Internet links. I wanted to use Link 1 first and then overflow traffic shift to Link 2.
Replies: 2
Views: 2936

Re: I have two Internet links. I wanted to use Link 1 first and then overflow traffic shift to Link 2.

I don't think this is possible with Mikrotik, unless perhaps with a great deal of hacking. It's not an SD-WAN product, where you can direct streams/flows to other WAN-links eg. if interfaces are loaded for 80% or so. If the Wiki is correct, following choices are possible ; https://help.mikrotik.com/doc...
by jvanhambelgium
Sat Oct 29, 2022 10:37 am
Forum: Scripting
Topic: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?
Replies: 18
Views: 2295

Re: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?

Hmm, for sure your use-case is pretty ... "atypical" and I don't think you can ever really monetize it properly . Because you would need to have on each location also Internet connectivity yourself for getting these alarms out. 4G/5G/LTE will be challenging in basements etc. If you want to...
by jvanhambelgium
Fri Oct 28, 2022 4:30 pm
Forum: General
Topic: Wifi Calling
Replies: 6
Views: 1217

Re: Wifi Calling

I can only tell you I can make Wifi-calls on a standard Mikrotik setup (both RB3011/RB5009) with just regular rules like 1 NAT-rule to go out etc. My wireless is Unifi, not Mikrotik , so I can't comment on a "Mikrotik Wireless" do's or don'ts for Wifi-calling. (if they exist) Never had to ...
by jvanhambelgium
Fri Oct 28, 2022 3:33 pm
Forum: General
Topic: Wifi Calling
Replies: 6
Views: 1217

Re: Wifi Calling

https://www.t-mobile.com/support/covera ... m-t-mobile

Make sure all pre-reqs are covered.
If you have working Internet at home with 2Mbps, this should work unless you do not meet minimum requirements.
by jvanhambelgium
Thu Oct 27, 2022 2:19 pm
Forum: Scripting
Topic: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?
Replies: 18
Views: 2295

Re: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?

SNMP will not do that for you. Sure it can report if actual interfaces are going down or up. This requires some "high intelligence" like a script to evaluate some aspects like Tx/Rx power. In theory, on Mikrotik, you could have a script running that evaluates the stats on an SFP-interface. (...