Community discussions

Search found 1150 matches

by jvanhambelgium
Sun Jan 05, 2025 8:35 pm
Forum: General
Topic: PPPoE client on XGS-PON
Replies: 4
Views: 793

Re: PPPoE client on XGS-PON

So this is my RB5009 example on PPPoE 2Gbit/s speedtest. If it's a single thread explain to me CPU loads : PPPoE encapsulation/decapsulation is only 1 part in the chain. If you are receiving 2Gbits/sec, that traffic, after PPPoE framing is removed is going through FW-rules etc so it might incur ad...
by jvanhambelgium
Wed Jan 01, 2025 9:56 pm
Forum: General
Topic: Blocking a non-paying customer
Replies: 6
Views: 1022

Re: Blocking a non-paying customer

What routerOS/platform are we talking about ? So in essence everything starts with how you are identifying such "insolvent client" then ? You are running PPPoE servers ? Using AAA (RADIUS) I assume ? 1) Go non-technical and simply block access. Customer will make a call to support "wh...
by jvanhambelgium
Sat Dec 28, 2024 10:38 pm
Forum: Scripting
Topic: Per device bandwidth monitoring with Zabbix
Replies: 1
Views: 584

Re: Per device bandwidth monitoring with Zabbix

Nah you probably have to make a graph, put different datasets in there and then have some "sum" operation to count totals.
But then again, it does not make any sense to have "per device bandwidth" parameters ? How could that be interesting ?
by jvanhambelgium
Sat Dec 28, 2024 8:37 pm
Forum: General
Topic: dstnat doesn't work on L009UiGS-RM Router [SOLVED]
Replies: 40
Views: 2669

Re: dstnat doesn't work on L009UiGS-RM Router [SOLVED]

Is the target host a Windows machine ?
No host-firewall issues ?

If a Linux, can you do a quick "tcpdump" to see what actually ARRIVES there ?
If a Windows, perhaps quickly install "Wireshark" or something for a test.
by jvanhambelgium
Sat Dec 28, 2024 6:56 pm
Forum: Beginner Basics
Topic: Any hardware recommendations for proxmox cluster with 20GBit/s inter-VLAN ip filtering?
Replies: 3
Views: 1572

Re: Any hardware recommendations for proxmox cluster with 20GBit/s inter-VLAN ip filtering?

Dear Team, I am facing some issue with CCR-1072 loading kernel... OK setting up elf image... OK jumping to kernel code (0,0) hv_panic: msh3: detected uncorrectable memory error on rank 0 (H) System halted. (6,1) hv_panic: got read error response on RDN interrupt: PC 0xffff_fffc_0003_8e88, ICS/PL 0x...
by jvanhambelgium
Thu Dec 19, 2024 10:01 pm
Forum: General
Topic: Help needed: Choosing an alternative for CCR2216
Replies: 22
Views: 2345

Re: Help needed: Choosing an alternative for CCR2216

Then why use RouterOS / CCR-box ? do this on native Linux ?
Get yourself some 25/40/100Gbps NICs and perform some tuning.

https://fasterdata.es.net/host-tuning/l ... 0g-tuning/
by jvanhambelgium
Wed Dec 18, 2024 8:55 pm
Forum: Beginner Basics
Topic: netflow V5 not working
Replies: 3
Views: 671

Re: netflow V5 not working

Along the different versions of RouterOS I also found some weirdness in some of the netflow-config, but that was more in the v9/IPFIX templating.
Made a quick test on my v5/Netflow on RB5009 v7.16 using Wireshark and it works fine. Wireshark detects as CFLOW v5 and I'm seeing flows in there.
by jvanhambelgium
Wed Dec 18, 2024 7:54 pm
Forum: Beginner Basics
Topic: netflow V5 not working
Replies: 3
Views: 671

Re: netflow V5 not working

Did you analyze what is "not working" ??
RouterOS is not sending anything to the target collector ? Or is information plain wrong/missing ?
Are you limited to v5 for some reason and not able to try v9/IPFIX or something?
by jvanhambelgium
Wed Dec 18, 2024 2:03 pm
Forum: General
Topic: Traffic Accounting
Replies: 7
Views: 941

Re: Traffic Accounting

No, "Kid Control" will only provide numeric values but Yes on a "client" (IP) basis. It is up to you to extract the data from RouterOS and do something with it. Through scripting you can transmit SYSLOG messages containing this "accounting" info and load them into some...
by jvanhambelgium
Wed Dec 11, 2024 11:32 pm
Forum: Beginner Basics
Topic: Share 10Gb Internet connection ccr2004-1G-12S+2XS
Replies: 7
Views: 1186

Re: Share 10Gb Internet connection ccr2004-1G-12S+2XS

Exactly like you mentioned ; 1/ Configure 6 ports, put 192.168.x.254/24 on each of the interfaces.(eg 192.168.1.x , 192.168.2.x , 192.168.3.x and so on) 2/ Configure DHCP for each of these ranges, make sure you hand out DNS (eg. 1.1.1.1 or 8.8.8.8) and gateway 3/ Configure Firewall-policies where y...
by jvanhambelgium
Sat Dec 07, 2024 3:25 pm
Forum: General
Topic: Dropping packets based on mac address is not working
Replies: 5
Views: 768

Re: Dropping packets based on mac address is not working

>> For me this should prevent every connection, but I still can access the video so ... it's not working How do you access the video-feed ? Are you using app on your smartphone on the local WIFI-network ? Are you testing externally with your phone on 4G/5G? Is the REOLINK cabled directly into the Mikroti...
by jvanhambelgium
Sat Dec 07, 2024 10:34 am
Forum: General
Topic: Dropping packets based on mac address is not working
Replies: 5
Views: 768

Re: Dropping packets based on mac address is not working

Works fine on my RB5009 (tested with my Internet radio) but your problem probably is the position of the rule in the forward chain!
Move it up!
You can always temporarily enable logging and check the output.
by jvanhambelgium
Tue Nov 26, 2024 8:51 pm
Forum: Beginner Basics
Topic: Why can I not use static ip_
Replies: 13
Views: 1496

Re: Why can I not use static ip_

Still confused but the very first post states ; If I change to Automatic and use a DHCP Client, then it gets the static IP and works fine. So at this point, you've enabled "DHCP Client" on the Mikrotik, you get an IP (public) and Internet works ?? Through DHCP you normally (can) get DNS,De...
by jvanhambelgium
Tue Nov 26, 2024 12:38 pm
Forum: Beginner Basics
Topic: VPN redundancy
Replies: 1
Views: 587

Re: VPN redundancy

Simply make different tunnels (eg. across different ISP) and have on top indeed a routing protocol take care of that. Some of the tunnels will be mostly "idle" (except for some routing-protocol traffic across it) so it will not really impact your device. IF your device is already strugglin...
by jvanhambelgium
Tue Nov 26, 2024 8:42 am
Forum: Beginner Basics
Topic: Why can I not use static ip_
Replies: 13
Views: 1496

Re: Why can I not use static ip_

Perhaps your interpretation is just wrong ;-) Don't overthink it.... An ISP provider providing you a "static" non-changing public IP *does not* mean you mandatorily have to configure an actual STATIC IP on your interfaces ! This non-changing public IP is/can-be delivered through DHCP-mechanis...
by jvanhambelgium
Mon Nov 25, 2024 9:28 pm
Forum: Wireless Networking
Topic: Mini ISP Setup, help needed
Replies: 9
Views: 1008

Re: Mini ISP Setup, help needed

Given the bandwidth constraints & managing an equal share for everyone you are going to have to perform some bandwidth management too. (queuing etc). Now in theory you still have a wireless part where you can slow down stuff on the radio-link(s) I guess. I tend to agree that a 4011 or 5009 would...
by jvanhambelgium
Sat Nov 23, 2024 4:46 pm
Forum: General
Topic: Configuring Two Internet Providers
Replies: 1
Views: 438

Re: Configuring Two Internet Providers

Create a FW-rule in the FORWARD-chain and play with the "Connection NAT State" values ? This value can be "srcnat" "dstnat" "ein-snat" or "ein-dnat" So basically you could configure to only pass traffic that have a valid "src-nat" mark ?? J...
by jvanhambelgium
Sat Nov 23, 2024 12:29 pm
Forum: General
Topic: AWS Wireguard Slow
Replies: 21
Views: 1895

Re: AWS Wireguard Slow

Below the specs of a t3.micro instance. vCPUs 2 Memory (GiB) 1.0 Memory per vCPU (GiB) 0.5 Physical Processor Intel Skylake E5 2686 v5 Clock Speed (GHz) 3.1 CPU Architecture x86_64 The 5 Gbps is probably the BEST CASE ( up to 5Gbps of NETWORKING performance, 0 guarantees) => do not confuse "wir...
by jvanhambelgium
Fri Nov 22, 2024 3:14 pm
Forum: General
Topic: How to Secure Ether8 Port for AP Without Disrupting Wi-Fi Clients on Mikrotik
Replies: 4
Views: 540

Re: How to Secure Ether8 Port for AP Without Disrupting Wi-Fi Clients on Mikrotik

You should first fix physical access. On the eth8 nobody should be able to pull the cable out. On the AP-side, depending on brand, it can be made very difficult to pull out the cable. The only option is : -> Have any wireless end-user drop in a separate vlan-id + subnet being different from the &quo...
by jvanhambelgium
Fri Nov 22, 2024 9:44 am
Forum: General
Topic: Mikrotik traffic mystery
Replies: 6
Views: 1479

Re: Mikrotik traffic mystery

Do you have the same results when graphing using an external application & using SNMP or something? Perhaps because of the different RouterOS 6 <> 7 Things related to some fast-path stuff what that certain things are "less visible" to RouterOS 7 ? Mikrotik must provide insight on how &...
by jvanhambelgium
Thu Nov 21, 2024 9:41 pm
Forum: General
Topic: Radius and DHCP
Replies: 7
Views: 1855

Re: Radius and DHCP

If you configure each of these routers 10.1.1.254, 10.2.1.254 etc with some "helper" address (on the customer-facing side) to relay the broadcast-request they see coming in the client-side and deliver it in unicast to your DHCP you'll have no issue to map it to a correct pool I guess. So y...
by jvanhambelgium
Tue Nov 19, 2024 5:41 pm
Forum: General
Topic: block all internet traffic except few
Replies: 2
Views: 450

Re: block all internet traffic except few

The problem is very often that "a website" these days has all sort of content fetched from different sources. So you would allow 1 domain or IP, but your client will fail fetching dozen of content items along the way.

It will be very much "trial & error" ;-)
by jvanhambelgium
Mon Nov 18, 2024 10:47 pm
Forum: General
Topic: Traffic Shaping from ISP
Replies: 7
Views: 1355

Re: Traffic Shaping from ISP

> We not using an SFP port. just using ether1 for WAN and ether2 for LAN so i could be an issue with the grouping? Sure it could be that, try moving "ether2" for example to port 6/7/8/9/10 and see what happens. I'm pretty sure throughput will for sure increase as you have a 1Gbps "lin...
by jvanhambelgium
Sun Nov 17, 2024 3:56 pm
Forum: General
Topic: Public IP High Availability
Replies: 7
Views: 1573

Re: Public IP High Availability

Not a very clear story. So you have ISP1 , which delivers 1 public IP using L2TP terminated onto a CCR You have ISP2, that delivers also 1 public IP using L2TP terminated onto a CCR So is ISP1 providing you with the primary FTTH link and ISP2 with similar FTTH-link ? If the above assumptions are cor...
by jvanhambelgium
Sun Nov 17, 2024 9:44 am
Forum: General
Topic: Separate YouTube, Facebook, Instagram, and Netflix traffic or IPs (CDN of ISP)
Replies: 9
Views: 1024

Re: Separate YouTube, Facebook, Instagram, and Netflix traffic or IPs (CDN of ISP)

Next-Generation Firewalls like a Palo Alto can easily do this based on App-ID signatures. They recognize A LOT of applications and you can do something with that (allow, deny, traffic shape etc) Below a list of applications in their library. https://applipedia.paloaltonetworks.com/ Very expensive b...
by jvanhambelgium
Sun Nov 17, 2024 9:08 am
Forum: General
Topic: Traffic Shaping from ISP
Replies: 7
Views: 1355

Re: Traffic Shaping from ISP

How is the cabling done ? Do you use the SFP slot ? Remember the RB3011 has an architecture where both groups of ports are interconnected to CPU-cores using 1Gbit/sec channels. (1 for each CPU-core) When you do queuing I'm pretty sure the CPU is involved so if you use 2 adjacent ports you're probab...
by jvanhambelgium
Sun Nov 17, 2024 8:54 am
Forum: General
Topic: Separate YouTube, Facebook, Instagram, and Netflix traffic or IPs (CDN of ISP)
Replies: 9
Views: 1024

Re: Separate YouTube, Facebook, Instagram, and Netflix traffic or IPs (CDN of ISP)

Next-Generation Firewalls like a Palo Alto can easily do this based on App-ID signatures. They recognize A LOT of applications and you can do something with that (allow, deny, traffic shape etc) Below a list of applications in their library. https://applipedia.paloaltonetworks.com/ Very expensive bo...
by jvanhambelgium
Wed Nov 13, 2024 1:38 pm
Forum: Beginner Basics
Topic: How to firewall when behind ISP modem
Replies: 13
Views: 1270

Re: How to firewall when behind ISP modem

> How can I "secure" my router? What are the must-have/suggested firewall rules? Focus on adding rules to the INPUT-chain. These are packets targeting the RouterOS itself. Securing the router would mean ; -> you want to filter out crap hitting the INPUT-chain, eg coming on from your WAN a...
by jvanhambelgium
Tue Nov 12, 2024 9:40 pm
Forum: General
Topic: Communication problem between LANs
Replies: 2
Views: 437

Re: Communication problem between LANs

Packets routed by the UDM-Pro will hit the 192.168.0.x directly on the WAN-interface. What is the gateway on these servers ?? Do you have a static route on each server for the 192.168.128.0/22 pointing back to the UDMP-PRO (*.241) or do you default to the RouterOS box and have a static route on that...
by jvanhambelgium
Mon Nov 11, 2024 9:51 am
Forum: Beginner Basics
Topic: How does (my) firewalling/routing work? [SOLVED]
Replies: 14
Views: 1634

Re: How does (my) firewalling/routing work? [SOLVED]

Where is your default-drop (eg. on your forwarding-chain) ? As you move sequentially through the rules top-bottom finally the packet will be allowed unless explicitly blocked. I don't see that in your rules. Mine looks like this. So no references to any interfaces, just across the whole forwarding-c...
by jvanhambelgium
Sat Nov 09, 2024 10:48 pm
Forum: RouterBOARD hardware
Topic: RB3011 really broken?
Replies: 8
Views: 1230

Re: RB3011 really broken?

Isn't that the same display which can cause performance problems ?? Yeah I remember some threads about that ;-) Back on the days of 6.x releases I think. This machine was my lab-router. I've moved to RB5009 some years ago as my main home-router now. I think the time has come to lay the RB3011 perma...
by jvanhambelgium
Sat Nov 09, 2024 4:04 pm
Forum: RouterBOARD hardware
Topic: RB3011 really broken?
Replies: 8
Views: 1230

Re: RB3011 really broken?

True, the RB3011 really looks bad ass with its LCD-display :lol:
by jvanhambelgium
Sat Nov 09, 2024 11:25 am
Forum: RouterBOARD hardware
Topic: RB3011 really broken?
Replies: 8
Views: 1230

RB3011 really broken?

Hi, For many years I have a RB3011 in my lab, but some weeks ago suddenly it would not boot anymore. I've tried netinstall-cli on my Linux but it does not really complete. RouterBOOT booter 7.16beta7 RouterBOARD 3011UiAS CPU frequency: 1400 MHz Memory size: 1 GiB NAND size: 128 MiB Press Ctrl+E to e...
by jvanhambelgium
Tue Oct 29, 2024 11:22 pm
Forum: General
Topic: Throughput issues with PPPoE over 10Gbit XGS-PON
Replies: 11
Views: 3201

Re: Throughput issues with PPPoE over 10Gbit XGS-PON

Bottleneck is probably because PPPoE is a single-threaded process stuck on 1 CPU-core (out of 16) when it comes to encapsulation/decapsulation and therefore you are probably hitting its limit.
by jvanhambelgium
Sun Oct 27, 2024 12:46 pm
Forum: General
Topic: Business case Mikrotik...
Replies: 6
Views: 1499

Re: Business case Mikrotik...

Starlink for sure is a quite disruptive player and I admire the technological concepts & roll-out. I've only seen a few cases where customers deploy Starlink in favor of (our own owned & operated) 4G/5G/MPLS solutions. Of course we do not merely act as an ISP, because the connectivity-a...
by jvanhambelgium
Sun Oct 06, 2024 9:32 pm
Forum: General
Topic: DHCP works, but NO Internet [SOLVED]
Replies: 17
Views: 1050

Re: DHCP works, but NO Internet [SOLVED]

I understood earlier in your posts that your "ether1" is your ISP "uplink" AND if you pull out the cable out of your Mikrotik router and put it on a PC it receives via DHCP a 192.168.88.x IP and Internet works. ---------------------- PC connected to Mikrotik via ether2 and ether1...
by jvanhambelgium
Sun Oct 06, 2024 7:30 pm
Forum: General
Topic: Problem to connect to ISP via PPPOE
Replies: 18
Views: 1378

Re: Problem to connect to ISP via PPPOE

Perhaps time to actually DEBUG the situation. So go into winbox and go to "System" > "Logging" and then add 1 "rule" Select topic "pppoe" and set "Action" to "memory" Now watch your logging-screen in Winbox ... perhaps there is something int...
by jvanhambelgium
Sun Oct 06, 2024 7:08 pm
Forum: General
Topic: Problem to connect to ISP via PPPOE
Replies: 18
Views: 1378

Re: Problem to connect to ISP via PPPOE

The hint on the MAC-address is also something to check?
In my case, I have explicitly on my PPP-profile
Screenshot from 2024-10-06 18-07-21.png
Screenshot from 2024-10-06 18-07-31.png
by jvanhambelgium
Sun Oct 06, 2024 1:12 pm
Forum: General
Topic: Problem to connect to ISP via PPPOE
Replies: 18
Views: 1378

Re: Problem to connect to ISP via PPPOE

Credentials are correct, I use them every day, and I can open a connection with them creating a windows pppoe connection as described above On the PPPoE-client settings, what do you have selected for authentication protocols ? pap / chap ? did you select mschap1/2 ? You have a PPP-profile associated wi...
by jvanhambelgium
Sun Oct 06, 2024 1:05 pm
Forum: General
Topic: DHCP works, but NO Internet [SOLVED]
Replies: 17
Views: 1050

Re: DHCP works, but NO Internet [SOLVED]

What about that DNS.
I see 192.168.1.75 assigned as DNS-server ?? Where is it ?
Try to assign 1.1.1.1 (or 8.8.8.8) in the DHCP-settings for clients to start with.
Can you perform a basic lookup ?
So open CMD-prompt, and try "ping www.youtube.com" ?? What does it do / say ???
by jvanhambelgium
Sun Oct 06, 2024 1:03 pm
Forum: General
Topic: DHCP works, but NO Internet [SOLVED]
Replies: 17
Views: 1050

Re: DHCP works, but NO Internet [SOLVED]

>Does it matter if Gateway in DHCP is 192.168.4.1 or 192.168.4.2? It shouldn't be the same as Address on the Address list or not.: >https://hizliresim.com/qa7p63a Of course this matters. This is KEY. The value of gateway must be the same as the IP of the interface ! So in your case 192.168.4.1 Otherwi...
by jvanhambelgium
Sun Oct 06, 2024 9:07 am
Forum: General
Topic: DHCP works, but NO Internet [SOLVED]
Replies: 17
Views: 1050

Re: DHCP works, but NO Internet [SOLVED]

192.168.88.1 is OK as next-hop.
The Mikrotik will find it.
So correcting the mentioned 192.168.4.x on the INTERFACE itself combined with a correct static-route should get it working I guess.
by jvanhambelgium
Sat Oct 05, 2024 8:21 pm
Forum: General
Topic: DHCP works, but NO Internet [SOLVED]
Replies: 17
Views: 1050

Re: DHCP works, but NO Internet [SOLVED]

IP route print: DST-ADDRESS GATEWAY DISTANCE DAc 192.168.4.0/24 ether4 0 DAc 192.168.88.0/24 ether1 0 You do not have a static default-route and that is the reason why it does not work. Add a static route 0.0.0.0/0 pointing to the next hop "192.168.88.1" across interface e...
by jvanhambelgium
Wed Oct 02, 2024 12:24 pm
Forum: Beginner Basics
Topic: [RB5009 v7.16] I cannot make 2.5Gbps port work with a specific device (NAS)
Replies: 4
Views: 750

Re: [RB5009 v7.16] I cannot make 2.5Gbps port work with a specific device (NAS)

There are A LOT of postings about the 2.5G implementation on RB5009, and most of them not in a positive way. It is quite possible some bugs exist in RouterOS on this, or the "interoperability" with other vendors is not rock solid. Some users seem to have a stable working 2.5G setup with a ...
by jvanhambelgium
Tue Oct 01, 2024 10:52 pm
Forum: General
Topic: Problem with 10 gigabit network
Replies: 2
Views: 295

Re: Problem with 10 gigabit network

1 I have a switch CRS317-1G -16S + 2 Three servers 3 Everywhere installed network card Intel X 520AD 4 cable SFP/SFP+ MikroTik XS+DA0001 When I run the utility iperf3 in single-threaded mode. I have a speed of only 3.5 Gbps. But the problem is that veeam works in single-threaded mode and the speed ...
by jvanhambelgium
Tue Oct 01, 2024 8:58 pm
Forum: Beginner Basics
Topic: [RB5009 v7.16] I cannot make 2.5Gbps port work with a specific device (NAS)
Replies: 4
Views: 750

Re: [RB5009 v7.16] I cannot make 2.5Gbps port work with a specific device (NAS)

Are you sure the NAS supports 2.5 ?
Perhaps it is strictly a 1/10G port ?

Exactly what model of NAS is it ?
by jvanhambelgium
Sat Sep 28, 2024 11:39 am
Forum: Beginner Basics
Topic: I am a software engineer who is new to all these
Replies: 6
Views: 1019

Re: I am a software engineer who is new to all these

> how do I see the "internet connection" for each user? Depending on what Mikrotik & version of RouterOS the "Kid Control" function provides some "insight" on this. In Winbox : "IP" > "Kid Control" where you can see the amount of data processed f...
by jvanhambelgium
Sat Sep 28, 2024 11:26 am
Forum: Beginner Basics
Topic: DNS provider with malicious blocking
Replies: 3
Views: 939

Re: DNS provider with malicious blocking

You can use CloudFlare resolvers ? (I use them "upstream" for the requests my Pihole makes to the outside world) IPv4 Malware Blocking OnlyPrimary DNS: 1.1.1.2 Secondary DNS: 1.0.0.2 Malware and Adult ContentPrimary DNS: 1.1.1.3 Secondary DNS: 1.0.0.3 IPv6 Malware Blocking OnlyPrimary DNS:...
by jvanhambelgium
Tue Sep 24, 2024 7:10 pm
Forum: Announcements
Topic: v7.16.2 [stable] is released!
Replies: 506
Views: 223763

Re: v7.16 [stable] is released!

Updated my RB5009 & RB3011
No issues, all my basic services work fine.
by jvanhambelgium
Sun Sep 22, 2024 8:45 pm
Forum: General
Topic: Too many winboxes
Replies: 11
Views: 1499

Re: Too many winboxes

Another tip : do not use the "admin" username. (valid for any product)
It will increase security by not using the default administrative-login user.
by jvanhambelgium
Fri Sep 20, 2024 11:32 pm
Forum: General
Topic: Networking Advice
Replies: 11
Views: 1320

Re: Networking Advice

How many megabit/sec is each camera doing ? 2Mbps ? 4Mbps ? 6Mbps In *theory* you can "split" your CAT6 cable into 2 sets of connection, but limited to 100Mbps !! However this *might* not be a problem if you have 4-6Mbps per cam and 12 cams < 100Mbps. The other 100Mbps "channel" c...
by jvanhambelgium
Sat Sep 14, 2024 9:41 am
Forum: Beginner Basics
Topic: Dual WAN between RB5009 and ONR
Replies: 3
Views: 1025

Re: Dual WAN between RB5009 and ONR

The correct setup is to ask your ISP for an appropriate ONT/ONR which would have a 10GBase-T interface or something.
Give 'm a call.
by jvanhambelgium
Sun Aug 11, 2024 11:47 pm
Forum: General
Topic: Mangling Wireguard handshakes through another tunnel
Replies: 20
Views: 2288

Re: Mangling Wireguard handshakes through another tunnel

So what is your use case ? You state " Now I have a task to hide WG service packets " . Are you doing all of this effort in order to hide from an advanced UTM-firewall that would "detect" Wireguard application and block it for example ? Or is this some academic hack-a-thon thing ...
by jvanhambelgium
Wed Aug 07, 2024 6:37 pm
Forum: Beginner Basics
Topic: Port Forwarding on Internal Network
Replies: 8
Views: 1349

Re: Port Forwarding on Internal Network

Simply make the webserver perform the redirect ;-)
It can send an HTTP 302 code to tell your Windows client that.
by jvanhambelgium
Fri Jul 26, 2024 2:11 pm
Forum: General
Topic: How to limit an IP address to a local IP [SOLVED]
Replies: 10
Views: 5134

Re: How to limit an IP address to a local IP [SOLVED]

Interesting, I always assumed that if you would physically have 2 different physical ports/interfaces (even under the same bridge) you could at least filter traffic between them by referring to the appropriate "ethernetX" port on your rule. but, now that I'm thinking about it ... these por...
by jvanhambelgium
Fri Jul 26, 2024 1:47 pm
Forum: General
Topic: How to limit an IP address to a local IP [SOLVED]
Replies: 10
Views: 5134

Re: How to limit an IP address to a local IP [SOLVED]

They may be in the same subnet IF you can connect each of the devices/servers onto a different physical port of your Mikrotik. (and these interfaces are members of the same bridge) Depends on the model you have then. Then simply adjust your (forward chain) firewall rule to include the "in-inter...
by jvanhambelgium
Sat Jul 20, 2024 12:16 pm
Forum: General
Topic: Connection To Internet Not Working Correctly
Replies: 10
Views: 1614

Re: Connection To Internet Not Working Correctly

Agree, your setup should be easy-peasy actually and this is very strange behaviour.
I would :

1) Save your complete config a file
2) Completely erase and start over and fix the basics! Then start building on top with the things like VLAN's, IPSEC-tunnels, fancy mangle-rules etc,etc
by jvanhambelgium
Fri Jul 19, 2024 9:08 pm
Forum: General
Topic: Connection To Internet Not Working Correctly
Replies: 10
Views: 1614

Re: Connection To Internet Not Working Correctly

From the terminal on the Mikrotik, can you ping 8.8.8.8 or something like www.mikrotik.com ??
I can ping your public IP 135.x.x.x (IF that your real one) but looking at your config I tried SSH/Web but no luck.
(you should probably not allow any public IP to connect to your router....)
by jvanhambelgium
Fri Jul 19, 2024 2:44 pm
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 307
Views: 91287

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

I think that is going to burn more cpu-cycles. I used these blacklists for both INBOUND & OUTBOUND blocking. For egress, you could easily blackhole each of these prefixes to "nowhere" But what about ingress traffic coming FROM these IP's ? Then we are talking about some policy-based-ro...
by jvanhambelgium
Thu Jul 18, 2024 7:21 am
Forum: General
Topic: Block 4 websites version 7.14
Replies: 11
Views: 1230

Re: Block 4 websites version 7.14

Create a static dns entry that catch all fb/yt dns name and return 127.0.0.1 I do block dns from lans to wan. Only resolvers is mkt. the only way to bypass is for client use its own hosts file with real ip. So i added forward deny rules with dst address list that contains identified dns names. I'v...
by jvanhambelgium
Tue Jul 16, 2024 3:23 pm
Forum: General
Topic: Block 4 websites version 7.14
Replies: 11
Views: 1230

Re: Block 4 websites version 7.14

I wonder if you not better look to handle this at CLIENT/ENDPOINT level. There are various endpoint-security clients available with things like webfilter-control policies etc. Is this 100% Windows 10/11 environment ? Things like Microsoft Defender for Endpoints etc. ...not everything can (or should)...
by jvanhambelgium
Tue Jul 16, 2024 6:42 am
Forum: General
Topic: Block 4 websites version 7.14
Replies: 11
Views: 1230

Re: Block 4 websites version 7.14

Perhaps the best alternative is that you control the DNS. Then you can also do some serious blocking. If your Mikrotik is capable of running containers you can look for something like Adblock or Pihole and simply block on that. Of course you will have a tough time blocking "leaking dns" c...
by jvanhambelgium
Sat Jul 13, 2024 6:03 pm
Forum: Beginner Basics
Topic: 2.5gb out of rb5009?
Replies: 1
Views: 860

Re: 2.5gb out of rb5009?

It CAN depending on all the whistles & bells you activate on the RB5009 and the type of ISP-connection. I really doubt it will deliver 2.5Gbps over a PPPoE connection. PPPoE encap/decap is not a multi-thread process and will be bound to a single CPU-core I think. If your ISP delivers Internet ac...
by jvanhambelgium
Sat Jul 13, 2024 5:59 pm
Forum: General
Topic: How to monitor global internet traffic and its source? need help
Replies: 8
Views: 1336

Re: How to monitor global internet traffic and its source? need help

Why is "your global traffic limited" ? Who limits this traffic ? This is not a concept we know here or in Belgium, but in some parts of the world an ISP limits the amount (or bandwidth) of traffic that is going outside the local area. So you could e.g. have "unlimited" traffic t...
by jvanhambelgium
Sat Jul 13, 2024 3:56 pm
Forum: General
Topic: How to monitor global internet traffic and its source? need help
Replies: 8
Views: 1336

Re: How to monitor global internet traffic and its source? need help

We have connected several windows web servers to mikrotik router. This router has WAN interface which obviously connects to local as well as to global networks. In our case the global traffic is limited, and because of this our global clients experience connectivity issues. So we need to investigat...
by jvanhambelgium
Fri Jul 12, 2024 11:48 pm
Forum: General
Topic: How to monitor global internet traffic and its source? need help
Replies: 8
Views: 1336

Re: How to monitor global internet traffic and its source? need help

No you cannot do this on Mikrotik itself. You need to look at something like a Netflow collector or Splunk setup. Depending on your level of expertise this might be pretty simple to setup or very hard... There is very nice Splunk-app developed by forum user complete with all install-instructions etc...
by jvanhambelgium
Sun Jun 30, 2024 2:15 pm
Forum: General
Topic: Load Balancing
Replies: 4
Views: 467

Re: Load Balancing

"Load Balancing" is something different than "HA (High Availability)"
On the LAN-facing side, you could build some HA using VRRP indeed. Then further upstream towards "Internet" you can also build something with Mikrotik for both HA and load-balancing/distribution.
by jvanhambelgium
Sun Jun 30, 2024 9:14 am
Forum: General
Topic: Restricting Internet Access to Specific Servers
Replies: 4
Views: 542

Re: Restricting Internet Access to Specific Servers

Both "Yes" and "Not really", because you need to define first " without access to the entire internet " Sure you can allow LOCAL users to be allowed to 1 specific (your) SERVER on Internet and BLOCK everything else (=NO Internet) Within Mikrotik there is no concept of e...
by jvanhambelgium
Wed Jun 26, 2024 5:35 pm
Forum: General
Topic: Wireguard DNS Not Working as Expected
Replies: 22
Views: 3426

Re: Wireguard DNS Not Working as Expected

add action=dst-nat chain=dstnat comment=\ "Force any UDP DNS queries that aren't to pihole to go to pihole" \ dst-address=!172.17.0.2 dst-port=53 in-interface="Local Bridge" protocol=\ udp src-address=!172.17.0.2 to-addresses=172.17.0.2 add action=dst-nat chain=dstnat comment=\ &...
by jvanhambelgium
Mon Jun 24, 2024 6:04 pm
Forum: General
Topic: RB5009 Power consumption
Replies: 3
Views: 561

Re: RB5009 Power consumption

Sure but RB5009 is not a CCR.
I guess the sensors are not there on the RB5009 board, they need to cut costs somewhere ;-)
The CCR1072 is slightly more "enterprise/datacenter" than a RB5009 which I consider "home user" or "small enterprise" grade equipment.
by jvanhambelgium
Mon Jun 24, 2024 5:12 pm
Forum: General
Topic: RB5009 Power consumption
Replies: 3
Views: 561

Re: RB5009 Power consumption

You cannot check internally, only with external powerplug with measurement capabilities.
My RB5009 does about +- 9W (50% of all ports used, 1 SFP+ inserted (type S+RJ10)
by jvanhambelgium
Mon Jun 24, 2024 4:50 pm
Forum: Beginner Basics
Topic: Isolate a single ethernet interface from the rest of the LAN [SOLVED]
Replies: 11
Views: 4461

Re: Isolate a single ethernet interface from the rest of the LAN [SOLVED]

>Thanks, so if I connect my LAN port to his WAN port and configure independent DHCP / routing on his router for his use, can I just set up rules to prevent >routing between that LAN port (that his WAN connects to) and the rest of my LAN? Sure, you can craft some FW-rules based on different parameter...
by jvanhambelgium
Mon Jun 24, 2024 4:29 pm
Forum: Beginner Basics
Topic: Isolate a single ethernet interface from the rest of the LAN [SOLVED]
Replies: 11
Views: 4461

Re: Isolate a single ethernet interface from the rest of the LAN [SOLVED]

That will be hard to avoid (the double-NAT) unless you have extra public IP's and can ROUTE some traffic up to his WAN-port. OPTIONAL -> If you & the neighbor can agree on an IP-subnet he can disable NAT on his router and ROUTE all the traffic. You would be responsible for the NAT action then. eg...
by jvanhambelgium
Mon Jun 24, 2024 4:14 pm
Forum: Beginner Basics
Topic: Isolate a single ethernet interface from the rest of the LAN [SOLVED]
Replies: 11
Views: 4461

Re: Isolate a single ethernet interface from the rest of the LAN [SOLVED]

Take 1 interface out of the bridge and put a small subnet on it (eg /30) ? Then have the cable run to the neighbor and let him config the correct IP on his "WAN" interface. Secure what needs to be secured with some FW-rules (eg. make sure the "connection subnet" /30) cannot conne...
by jvanhambelgium
Mon Jun 24, 2024 3:41 pm
Forum: General
Topic: Securing Wireguard setup
Replies: 19
Views: 2000

Re: Securing Wireguard setup

Your input is way overkill here and I disagree with it on top LOL. Interface usage is common and efficient, especially if users are going to go out the local WAN ( lan to wan and dns rules) and the use of firewall rules provides the requirement amount of security for individual user access. Let's a...
by jvanhambelgium
Mon Jun 24, 2024 8:53 am
Forum: General
Topic: Securing Wireguard setup
Replies: 19
Views: 2000

Re: Securing Wireguard setup

I consider "Wireguard" or "ZeroTier" as different "zones". So these interfaces are not part of the LAN interface-list or something. So I have a set of firewall rules allowing WG-peer(s) to access what they need to action (eg. Plex, HomeAssistant, my home Splunk etc) So ...
by jvanhambelgium
Sat Jun 22, 2024 5:54 pm
Forum: RouterBOARD hardware
Topic: Which router for ~100 clients
Replies: 69
Views: 8787

Re: Which router for ~100 clients

The requested config is relatively easy. I would expect this to be done between 1/2 day - 1 day by somebody who is juggling with RouterOS on a daily basis (and probably has his set of example config snippets etc for these types of basic things) Of course all info must be there (info on the 2 ISP cir...
by jvanhambelgium
Tue Jun 18, 2024 2:39 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 2877

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

OK, thanks for explaining it to me. I have only one doubt. When I banned the IP on the router firewall, the banned log says: banIP_ prerouting: in:ether1 out:(unknown 0), connection-state:invalid src-mac XX:XX:XX:XX:XX:XX, proto TCP (SYN), 113.XXX.XXX.XXX:49987->61.XXX.XXX.XXX:100...
by jvanhambelgium
Mon Jun 17, 2024 5:33 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 2877

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

Why does this request reach the server 192.168.0.3, when the router firewall should drop all new connections in forward except those to the ports set in NAT (80,443,2203)? Maybe the internet host found open port 2203 and is now trying to brute-force in? I've seen that as well ... one has to keep in...
by jvanhambelgium
Sun Jun 16, 2024 6:40 pm
Forum: General
Topic: Firewall doesn't drop new connections in forward (or did I do something wrong?)
Replies: 16
Views: 2877

Re: Firewall doesn't drop new connections in forward (or did I do something wrong?)

Why do you think/state " ...upon analyzing the logs of the server 192.168.0.3, I've noticed continuous SSH brute force or scanning attempts (I'm not sure) on random ports (not the standard SSH port or my SSH port 2203) originating from an IP address in China: Apr 28 11:36:54 cloud sshd[28265]: ...
by jvanhambelgium
Sat Jun 15, 2024 1:42 pm
Forum: General
Topic: Bridge firewall [SOLVED]
Replies: 15
Views: 2130

Re: Bridge firewall [SOLVED]

What product are you using ? I'm pretty sure hardware-offloaded stuff/config will not always behave as simple as you might think . Which then can explain what you are seeing. I think I remember reading somewhere that you can only perform MAC-filtering in the forward-chain when HW Offloading is DI...
by jvanhambelgium
Sat Jun 15, 2024 12:26 pm
Forum: General
Topic: Bridge firewall [SOLVED]
Replies: 15
Views: 2130

Re: Bridge firewall [SOLVED]

Limit the amount of broadcast you are sending out ? Where to ? Broadcasts will not pass the boundaries of the segment you are in anyway. What problems are you encountering ? What product-type are you using? Without a detailed schematic (container interfaces/IP's etc) it is impossible to even comment ...
by jvanhambelgium
Fri Jun 14, 2024 12:00 am
Forum: General
Topic: Is there a way to set local ip-address of wireguard tunnel?
Replies: 4
Views: 732

Re: Is there a way to set local ip-address of wireguard tunnel?

what is "a bgp network" ?
Is 3.3.3.x/24 a piece of your (public) PI-space ?
Is this "Internet" connected ?

Or is that 3.3.3.x prefix coming in via either ISP1 or ISP2
by jvanhambelgium
Thu Jun 13, 2024 11:14 pm
Forum: RouterBOARD hardware
Topic: HOT S-RJ10
Replies: 25
Views: 5568

Re: HOT S-RJ10

My S+RJ10 in my RB5009 has always been running about 65°C - 70°C since day 1 Anything special you did regarding cooling or airflow ? Mine gets to 95C within 15 minutes. Same RB5009, same RJ-10 :? Nope, no attachments/heatsinks added. RB5009 is mounted in small 19" cabinet against the wall. Per...
by jvanhambelgium
Thu Jun 13, 2024 8:27 pm
Forum: RouterBOARD hardware
Topic: HOT S-RJ10
Replies: 25
Views: 5568

Re: HOT S-RJ10

My S+RJ10 in my RB5009 has always been running about 65°C - 70°C since day 1
by jvanhambelgium
Wed Jun 12, 2024 6:43 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 5123

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

If you want anyone to seriously take a look at it you'll probably need to provide the *full* config. This is very weird, if you cannot even ping from the CLI there is something fundamentally wrong... You could also try the "Quickset" and setup the box first with default settings ? At least...
by jvanhambelgium
Wed Jun 12, 2024 6:18 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 5123

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

When on the CLI of the router, can you ping 1.1.1.1 for example ?
What does your routing-table look like ? (/ip/route/ print)
by jvanhambelgium
Wed Jun 12, 2024 2:31 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 5123

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

Best thing is to provide a FULL config-export on your box , minus sensitive stuff like serial-numbers or some bits of the public-IP itself. I assume your Win11 PC can ping its default-gateway ? (= the RB5009) From the RB5009-console, can you ping something like 8.8.8.8 ? Or not even that ? I can be ...
by jvanhambelgium
Wed Jun 12, 2024 2:05 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 5123

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

Again, it can be dozens of reasons. This could have been 1 ;-) It was worth trying.
You state traffic-counters are moving. Can you test if your issue is DNS-related or actual connectivity ?
Can you ping 8.8.8.8 from a connected PC ?
What DNS are your PC's on the LAN using ?

etc,etc ...
by jvanhambelgium
Wed Jun 12, 2024 1:43 pm
Forum: Beginner Basics
Topic: ISP Bridge Mode cause issue on RB5009 [SOLVED]
Replies: 21
Views: 5123

Re: ISP Bridge Mode cause issue on RB5009 [SOLVED]

Remove the to-address value ??
by jvanhambelgium
Wed Jun 12, 2024 12:25 pm
Forum: General
Topic: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs
Replies: 6
Views: 1020

Re: [Routing Problem?] No Access to the Default Gateway from Any of the Interface from the VLANs

# create bridge
/interface bridge add protocol-mode=none ingress-filtering=yes name=bridge1 vlan-filtering=no

Shouldn't that be vlan-filtering=yes ?? If you go now on your device in the CLI, type /interface/bridge and then "print" does that say "vlan-filtering=yes" on the config ?
by jvanhambelgium
Wed Jun 12, 2024 12:17 pm
Forum: Beginner Basics
Topic: Firewalls
Replies: 2
Views: 647

Re: Firewalls

If they added Fortinet ABOVE the Mikrotik, they need to get stuff fixed on the Fortinet first. Without detailed picture it is difficult to guess, things might have changed. (eg. before Fortinet public IP was on RB2011, after "slide-in" of the Fortinet the public-IP moved to the Fortinet et...
by jvanhambelgium
Tue Jun 11, 2024 7:06 am
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 8171

Re: No WAN access via Wireguard

Ahh...you did not even have a DNS server configured then for your Wireguard connection ??!!
Yeah ... that explains a lot...

Anyway, glad it works now.
You can disable some logging now ;-)
by jvanhambelgium
Mon Jun 10, 2024 10:55 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 8171

Re: No WAN access via Wireguard

The thing is, you need SOME rule that gets hit with packets having source-IP = 192.168.87.3 (eg. your phone) and wanting to go out on the Internet (once it arrives from the wireguard decapsulation/decrypt) So perhaps DO enable some logging on FORWARD rules too, even the ALLOWED ones regarding Wireguard...
by jvanhambelgium
Mon Jun 10, 2024 8:41 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 8171

Re: No WAN access via Wireguard

add action=accept chain=forward comment="WG to LAN" dst-address=\
192.168.88.0/24 in-interface=wireguard

Well this rule is not going to help you get to the internet! You are allowing to pass ONLY for traffic towards 192.168.88.x If you punch www.facebook.com on your mobile device obviously...
by jvanhambelgium
Mon Jun 10, 2024 8:26 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 8171

Re: No WAN access via Wireguard

add action=accept chain=forward comment="WG to LAN" dst-address=\
192.168.88.0/24 in-interface=wireguard

But your WG-client has 192.168.87.x config ? hm, i thought i should interpret it as traffic coming from wireguard interface should be forwarded to destination addressed (192.168.88.0/2...
by jvanhambelgium
Mon Jun 10, 2024 7:20 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 8171

Re: No WAN access via Wireguard

add action=accept chain=forward comment="WG to LAN" dst-address=\
192.168.88.0/24 in-interface=wireguard

But your WG-client has 192.168.87.x config ?
by jvanhambelgium
Tue Jun 04, 2024 4:19 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 1363

Re: cycle outgoing IP addresses

If customers purchase a so called "ip-pack" with us anyway, they get 5 adjacent/consecutive IP's.
Depending on the config, that could be 1 public fixed IP and the above 5-block routed to it for example.
by jvanhambelgium
Tue Jun 04, 2024 3:56 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 1363

Re: cycle outgoing IP addresses

Something like this ?

viewtopic.php?t=167814
by jvanhambelgium
Wed May 29, 2024 5:05 pm
Forum: General
Topic: Pretty unique Poe case. 3750x UPOE - mikrotik cube
Replies: 3
Views: 775

Re: Pretty unique Poe case. 3750x UPOE - mikrotik cube

Yeah...I've seen some strange stuff on C9300 too and had to play a lot with parameters to power some fancy doorphones (2N IP Style) Sure you are hitting no PoE bugs ? What release are you on ? I've seen 1 case where a Raspberry Pi with PoE would not boot on a C9300 with old 16.12.x code. Worked fin...
by jvanhambelgium
Tue May 28, 2024 4:04 pm
Forum: RouterBOARD hardware
Topic: RB5009 performance issue
Replies: 8
Views: 3417

Re: RB5009 performance issue

This router is not capable of 2.5Gbit/s. Not in real life condition With fasttrack and all optimizations tested it with iperf, PPPoE speed max 1.6Gbit/s because CPU Mhz/software limits speed. Cable-modems do not use PPPoE in general. Plain DHCP across the ethernet and that's it. So that is already ...
by jvanhambelgium
Tue May 28, 2024 8:45 am
Forum: Scripting
Topic: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)
Replies: 307
Views: 91287

Re: Address lists downloader (DShield, Spamhaus DROP/EDROP, etc)

What would it take to be able to use the same $listname across different downloads ? I prefer working with 1 big list, and in the comments-section I provide info about the origin of that list. $update url=("https://" . "iplists.firehol.org/files/firehol_level3.netset") listname=D...
by jvanhambelgium
Tue May 28, 2024 8:25 am
Forum: RouterBOARD hardware
Topic: RB5009 performance issue
Replies: 8
Views: 3417

Re: RB5009 performance issue

The only true testing is disconnect the ISP and put some testing-PC and perform iPerf *through* the RB5009 or some other test-tool. I would not rule-out your ISP...."cable modem" is a shared medium and you never know exactly what happened. You also probably do not have performance guarantee...
by jvanhambelgium
Sun May 26, 2024 11:34 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

Well then simply perform 2 tasks 1) Create "address-list" and put the IP(s) in there that are allowed to "hit" the dstnat-rule https://youtu.be/WVxj9v4J3xM?si=uKyKTgVLo1UhNqKc (look around minute 2:15 for the access-list creation part) 2) Edit the NAT-rule and select the correct ...
by jvanhambelgium
Sun May 26, 2024 10:52 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

It depends on how you perform the NAT. If you also perform some snat on the packet then the SAT-receiver would only see a packet coming in from 192.168.88.1 (the IP of the bridge on Mikrotik) Without this extra snat the original source-IP is retained. This could make a difference in some scenario's...
by jvanhambelgium
Sun May 26, 2024 9:23 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

There is no protection on this Linux Sat-server that it does not accept incoming requests from IP's other than the LAN-range 192.168.88.x ?? You never know. I think the dstnat actually works, but I don't see why it should not work end2end. I have several of such dstnat and they just work, the only d...
by jvanhambelgium
Sun May 26, 2024 12:25 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

But what IS running on that port 82 ? Some web-interface ?
What happens if you connect from another 192.168.88.x device on your network to the IP on port 82 ?
by jvanhambelgium
Sat May 25, 2024 9:46 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

Then I'm afraid the only option is to start capturing packets to effectively investigate if the packet is getting there. Looking at the counters it seems the DNAT does work and some packet is passing through the box on its way to 192.168.88.68 on port 82 If you go in Winbox to Tools -> Telnet -> and...
by jvanhambelgium
Sat May 25, 2024 9:32 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

Can you disable the embedded webserver in the Mikrotik ?
Under "IP" -> "Services" and look for the "www"
by jvanhambelgium
Sat May 25, 2024 9:10 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

Chain must be FORWARD in the "duplication rule"
It is about traffic GOING THROUGH THE BOX
by jvanhambelgium
Sat May 25, 2024 8:39 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

These screenshots don't always tell the full picture or show all attributes clearly. A textual config is straight to the point...
I see some jumps to custom chains etc,etc.
by jvanhambelgium
Sat May 25, 2024 8:34 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

Make a copy of Rule3 and place it just below Rule3 (you can never do harm like that) Then edit the rule and in "General" on the bottom make sure the "Connection NAT State" menu has selected "dstnat" flag. Clear all other flags that are on the "Connection State"...
by jvanhambelgium
Sat May 25, 2024 8:06 pm
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

The DNAT seems to hit, looking at the traffic-counters.
What are the Filter Rules in the FORWARD chain ? What do they look like ?
by jvanhambelgium
Sat May 25, 2024 9:48 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

Execute something like this on the CLI /export file=myconfig (minus router serial number and any public WANIP info, keys etc.. ) It will create a file and then you can get it off your router with Winbox for example and upload into the forum If you don't understand any of the above, I suggest you sta...
by jvanhambelgium
Sat May 25, 2024 9:23 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

Before anyone will jump in to support you, you'll be asked to provide your full config anyway. You might have broken things because of "I have done many things" Do you have a rule in the FORWARD chain to allow (valid) DNAT-traffic "through" ? This should be part of the default fir...
by jvanhambelgium
Sat May 25, 2024 8:34 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 2146

Re: VU+ ZERO 4K satellit receiver port forward

Do you have a public IP on "pppoe-out1" ? If you are behind NAT from your ISP this will never work.
So what "WAN" IP did you receive ? 100.64.0.0 to 100.127.255.255 ??
by jvanhambelgium
Mon May 20, 2024 10:27 pm
Forum: Beginner Basics
Topic: NFS Client Help
Replies: 6
Views: 2600

Re: NFS Client Help

Same here, never could get ROS NFS to work on my Synology NAS, while I only use NFS at home with all my Linux boxes etc.
Got various errors, including "unknown error" :)
SMB works immediately....
by jvanhambelgium
Thu May 16, 2024 10:48 am
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 340
Views: 122274

Re: v7.15rc [testing] is released!

OK, didn't know. But 50% CPU usage on DNS is clearly a bug. But I can imagine support answer: "dear user, while you can increase DNS cache size to a very high number, it is still limited by your device's physical capabilities. ROS gives you the freedom to set 512MB cache size but this does not...
by jvanhambelgium
Thu May 16, 2024 8:45 am
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 340
Views: 122274

Re: v7.15rc [testing] is released!

I assume that MT developed this feature for home users. Maximum 40k URL lists. Kind of grabbing low hanging fruits. The main thing is to be able to import adlists -> "we already have DNS". Where is this documented ? I can't find any such statement ? On the help-page it says ; Before confi...
by jvanhambelgium
Wed May 15, 2024 11:17 pm
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 340
Views: 122274

Re: v7.15rc [testing] is released!

I'm testing the DNS "Adlist" feature in 7.15.RC3 on my RB3011 I've increased the DNS-cache setting to 512MBytes !! value It seems things are going down the drain when I load a rather large set. (> 2 million entries) When I remove 1 URL https://raw.githubusercontent.com/mkb2091/blockconver...
by jvanhambelgium
Wed May 15, 2024 11:01 pm
Forum: General
Topic: Advice on how to grow an ISP network
Replies: 11
Views: 1944

Re: Advice on how to grow an ISP network

"everything is connected by fiber" => So you have actual fiber-pairs coming in for each of your customers ??
Or you have some wholesale-service that you take from a larger ISP that does the last-mile to customers or something ?
by jvanhambelgium
Wed May 15, 2024 10:11 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 410
Views: 157885

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Jotne, Would it be possible to start looking into an extra addition on the "DNS" section of your Splunk app ? Since 7.15RC3 there is the concept of "adlist" where you can put URL's to download filter-lists like a Pihole. Currently testing on my RB3011 and it seems to at least...
by jvanhambelgium
Sun May 12, 2024 4:06 pm
Forum: Wireless Networking
Topic: Why Androids keep disconnecting?
Replies: 5
Views: 1312

Re: Why Androids keep disconnecting?

Hmm, did you see that yourself that it tried the gstatic.com domain ?
I've checked my Pihole that logs everything (and I block everything like DNS-over-TLS,DoH,Quic) and I cannot find any such lookup ?
Phone is a Samsung Galaxy S21
by jvanhambelgium
Sat May 11, 2024 1:04 am
Forum: General
Topic: Flexibel DHCP-client options
Replies: 4
Views: 1296

Flexibel DHCP-client options

I'm looking into options to bypass my ISP devices and work directly on my RB5009. However for the TV-service of my ISP, they have published detailed specs what you need to be capable of. Apparently DHCPv4 Option spoofing: The following options provided on WAN side need to be provided to the TV decod...
by jvanhambelgium
Fri May 03, 2024 3:37 pm
Forum: RouterBOARD hardware
Topic: Cascading switches [SOLVED]
Replies: 9
Views: 2529

Re: Cascading switches [SOLVED]

There are no benefits in disabling STP for sure and I was only looking at the uplink "line" not the different endpoints. Without some form of STP somebody could cause some havoc when connecting an endpoint the wrong way, having other switches introduced that you are not aware of and formin...
by jvanhambelgium
Thu May 02, 2024 8:20 pm
Forum: RouterBOARD hardware
Topic: Cascading switches [SOLVED]
Replies: 9
Views: 2529

Re: Cascading switches [SOLVED]

Rapid Spanning Tree protocol (RSTP) -> The maximum allowed network diameter for the RSTP protocol is 40 switches.

But anyway, with only 1 fiber line I would disable any STP anyway since it is not relevant and of no value
by jvanhambelgium
Thu May 02, 2024 6:49 pm
Forum: RouterBOARD hardware
Topic: Cascading switches [SOLVED]
Replies: 9
Views: 2529

Re: Cascading switches [SOLVED]

No real pitfalls to my knowledge.
Sure, such topology is a big single point of failure but apart from that it will work just fine, especially for such low flow of data.
There is no option to form some sort of "ring" ? Are these 21 buildings/switches really "in a line"
by jvanhambelgium
Mon Apr 29, 2024 10:50 am
Forum: General
Topic: Shaping 35Gbps
Replies: 4
Views: 693

Re: Shaping 35Gbps

I can't speak out of experience, but I see no reason why simple-queues for the sake of shaping would work differently on 35Gbps vs 1Gbps. What you need to try to find out is the impact on cpu & memory I guess. Shaping on IP-level like this using (simple) queues on 35Gbps is something you want to...
by jvanhambelgium
Mon Apr 29, 2024 10:00 am
Forum: General
Topic: Shaping 35Gbps
Replies: 4
Views: 693

Re: Shaping 35Gbps

You don't have an aggregation-layer where you terminate such (very high-speed) customers ? Straight onto your core switch doesn't sound like a very good plan to me. I don't know what CPU-power you have in your coreswitch-device, but perhaps you can iterate from 1Gbps shaping profiles to see how much ...
by jvanhambelgium
Thu Apr 25, 2024 9:53 am
Forum: Scripting
Topic: Is 8MB in a variable from a txt file is possible?
Replies: 57
Views: 7157

Re: Is 8MB in a variable from a txt file is possible?

Perhaps interesting for those collecting various sources to feed the scripts.

https://docs.paloaltonetworks.com/resou ... ng-service

Palo Alto also provides for free various curated lists like for M365,Azure,GCP,Zoom etc,etc

Imports work just fine with the current script.
by jvanhambelgium
Thu Apr 25, 2024 8:24 am
Forum: General
Topic: Security issue with DST NAT rules
Replies: 2
Views: 518

Re: Security issue with DST NAT rules

https://www.3cx.com/docs/manual/firewall-router-configuration/ Apparently for this SIP-provider there seems to be quite some stuff you need to open and they don't mention any of their public IP's / FQDN's of their SBC's.... I guess it depends on the SIP-provider. I have seen installations that only ...
by jvanhambelgium
Sat Apr 20, 2024 3:11 pm
Forum: RouterBOARD hardware
Topic: Infrastructure design help
Replies: 9
Views: 2562

Re: Infrastructure design help

What overkill ? VLAN is just a label.
Only 350 VLAN's out of 4K standard available.
It DOES keep things very separated (if you want) and identifiable across the whole setup.

Depending on how the wireless is organized (authentication-wise) their devices can be mapped easily in the VLAN of the room.
by jvanhambelgium
Thu Apr 18, 2024 9:46 pm
Forum: RouterBOARD hardware
Topic: Infrastructure design help
Replies: 9
Views: 2562

Re: Infrastructure design help

What about 1 VLAN per room ? It is only 22 rooms/floor x 16 floors......
You can make a couple of nice interface-lists and group some stuff together at that level.
by jvanhambelgium
Sun Apr 07, 2024 1:35 pm
Forum: General
Topic: Up 200 CAP
Replies: 12
Views: 1399

Re: Up 200 CAP

Installation & Config is 1 aspect, actual operational performance another.
What type of installation-environment ? Industrial ? School ? Stadium/venue ?
by jvanhambelgium
Sat Mar 30, 2024 7:47 pm
Forum: General
Topic: Bandwidth usage per IP
Replies: 37
Views: 25923

Re: Bandwidth usage per IP

Thank you for your work, it works perfect. When I try to save the report to a shared drive (runs on SMB raspberrypi) using :local reportpath ("smb://user:password@192.168.3.19/home/pi/MyNASA/BWbyIP/report-" . $yearmonth . ".html") either with or without the user/password failure...
by jvanhambelgium
Sat Mar 30, 2024 5:40 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 410
Views: 157885

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Hi, It seems a part of the script (v5.6) is giving me consistent error on 7.14.1 Screenshot from 2024-03-30 15-33-01.png the 5.6 script hits a system history print command which causes this error on my systems. You can reproduce this by entering the command "system history print" in a con...
by jvanhambelgium
Sat Mar 30, 2024 4:38 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 410
Views: 157885

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Hi, It seems a part of the script (v5.6) is giving me consistent error on 7.14.1 Screenshot from 2024-03-30 15-33-01.png It seems in the section where all the access-list are processed/counted, so the section below. Didn't change anything to the code, just copy-pasted into Winbox. The ACL "Azur...
by jvanhambelgium
Mon Feb 19, 2024 2:21 pm
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 2348

Re: Locked Out

Hopefully 1 ether port off-bridge or a serial port but that means local access. Not so long ago I locked myself out of my RB5009. I had "some sort of recent backup" and needed to factory-default it + restore that config. That part went OK Since then I have indeed 1 dedicated physical port &q...
by jvanhambelgium
Mon Feb 19, 2024 9:29 am
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 2348

Re: Locked Out

Where is this 192.168.121.0/24 range actually used then ? On 1 of these remote sites ?
Just get a working-PC on that range, teamviewer/RDP into it and from there Winbox/WebFig to your RouterOS boxes ?
by jvanhambelgium
Fri Feb 16, 2024 8:27 am
Forum: General
Topic: Container start-on-boot not working
Replies: 2
Views: 528

Re: Container start-on-boot not working

Did you create the container in CLI or via WebFig/Winbox ? Do you have the "logging" flag enabled too ?
by jvanhambelgium
Sun Feb 11, 2024 5:59 pm
Forum: General
Topic: S-RJ01 - terribly unrelibable?
Replies: 4
Views: 584

Re: S-RJ01 - terribly unrelibable?

The S-RJ01 *itself* is OK I guess. I have one in my RB5009 and my ISP/Internet is coming in through there. Runs a little hot (66°C) but never any issues. But I have the impression it might be very dependent on which platform you plug in the module + RouterOS release. Vendor Revision : 2.16 Manufacter...
by jvanhambelgium
Wed Jan 31, 2024 9:42 am
Forum: General
Topic: Monitoring and Trafficflow
Replies: 9
Views: 3356

Re: Monitoring and Trafficflow

While not a complete solution (rather a collection of tools to build your solution around it), you may want to check pmacct http://www.pmacct.net/ I've been using it for well over a decade now, and once I integrated it into my stack, I've never had to touch it again. It just works. What plugins are...
by jvanhambelgium
Tue Jan 30, 2024 9:06 pm
Forum: General
Topic: Allow remote-logging input on ROS [SOLVED]
Replies: 12
Views: 3011

Re: Allow remote-logging input on ROS [SOLVED]

Yes, something like that might be an option, but that would still not bring all logging from my different ros devices into the one log of my main router. But thanks for the pointer, I will think a bit further on how to configure it to my liking. Of course it would ? All your ROS devices then simply ...
by jvanhambelgium
Tue Jan 30, 2024 2:36 pm
Forum: General
Topic: Allow remote-logging input on ROS [SOLVED]
Replies: 12
Views: 3011

Re: Allow remote-logging input on ROS [SOLVED]

You have a RouterOS box that supports containers ? Then you could deploy such a container and collect logs. Of course you need to store them somewhere, so at least some external USB would be a good idea...unless these are really few logs. This is not a fancy (web)GUI where you can browse through, i...
by jvanhambelgium
Mon Jan 29, 2024 9:29 pm
Forum: General
Topic: Wireguard and DMZ ISP
Replies: 2
Views: 626

Re: Wireguard and DMZ ISP

Sure, as long as your ISP does muck around with CGNAT and you have a public IP that you can "map" 1:1 to the inside.
by jvanhambelgium
Sat Jan 27, 2024 9:46 am
Forum: General
Topic: Recommended for IPS/IDS
Replies: 6
Views: 10484

Re: Recommended for IPS/IDS

Most of the above vendors are really, really in another league compared to Mikrotik. You must see Mikrotik RB as a ROUTER with network packet filter (and a lot of Swiss-army knife capabilities for sure!) I use Fortinet & Palo Alto in my professional work, very,very capable but it comes with a pri...
by jvanhambelgium
Tue Jan 23, 2024 3:59 pm
Forum: General
Topic: eth5 as dhcp client
Replies: 4
Views: 744

Re: eth5 as dhcp client

Take eth5 out of a bridge. Configure IP > DHCP-client and add "eth5" as DHCP-client. Be careful and say "no" to "add default route" I think. I use the same approach and have a lab RB3001 connected as DHCP "client" on a RB5009 through some ethX port. Then offc...
by jvanhambelgium
Mon Jan 22, 2024 11:01 pm
Forum: General
Topic: Allowing a VLAN to Access WAN(Internet)
Replies: 6
Views: 1322

Re: Allowing a VLAN to Access WAN(Internet)

What about any NAT/Masquerading config ? Can you export that ?
by jvanhambelgium
Sat Jan 20, 2024 10:13 am
Forum: Beginner Basics
Topic: packet marking for QoS
Replies: 7
Views: 1224

Re: packet marking for QoS

Pre-routing chain ?
Try the "forward" chain and it will work I guess.

I've several marking-rules and they work fine as the traffic flows-through the Mikrotik (= forward chain)
by jvanhambelgium
Wed Jan 17, 2024 3:50 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2994

Re: Brute Force Attacks

Strange, it's not like you have some secret recipe for vodka ;-)
Perhaps the vodka market is drying out and they want to get into chocolate or beer :lol:
I could throw in a couple of Belgian Waffles :D :D
by jvanhambelgium
Tue Jan 16, 2024 7:37 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2994

Re: Brute Force Attacks

Not entirely from the same source IP, but close ... IP 95.214.55.244 inetnum: 95.214.52.0 - 95.214.55.255 netname: PL-MEV-20181221 country: PL org: ORG-MSZO78-RIPE Some Polish operated IP-space. For the last 30 days, it is trying consistently these 4 destination ports on my frontdoor :D 8) Screensho...
by jvanhambelgium
Sun Jan 14, 2024 2:44 pm
Forum: Scripting
Topic: add succesfully connected rdp to whitelist
Replies: 6
Views: 1913

Re: add succesfully connected rdp to whitelist

> I would like to add successfully connected rdp connections to whitelist. And I have no clue how to detect if the connection is successfully established or it is just another brute force attempt.

If it was a brute-force you would also see multiple times a new SYN arriving I think? You cannot keep try...
by jvanhambelgium
Sat Jan 13, 2024 6:21 pm
Forum: General
Topic: Firewall-dynamic firewall rules
Replies: 9
Views: 2079

Re: Firewall-dynamic firewall rules

Perhaps solve this issue with a port-knock sequence? So "client" first needs to hit a certain sequence of UDP/TCP ports before "the gate opens up". Of course then there is still the mandatory authentication, just make sure you run an up-to-date RouterOS and do NOT use default "...
by jvanhambelgium
Mon Jan 08, 2024 5:45 pm
Forum: Wireless Networking
Topic: Solving 20km wireless link issues
Replies: 150
Views: 247282

Re: Solving 20km wireless link issues

> Other than my company, customers can use a dish satellite company or a cell phone company data plan - both are very expensive if you move lots of data.

On a side note; do you feel any business impact/disruption from e.g. Starlink services? Rather cheap I believe & moving a lot of data is not reall...
by jvanhambelgium
Sat Jan 06, 2024 11:35 am
Forum: RouterBOARD hardware
Topic: Zerotier version on RB5009UG+S+IN and L009UiGS-RM.
Replies: 3
Views: 2679

Re: Zerotier version on RB5009UG+S+IN and L009UiGS-RM.

Current version on the 7.13-stable is 1.10.3
by jvanhambelgium
Wed Jan 03, 2024 5:11 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 410
Views: 157885

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.9 (Graphing everything) 💾 🛠 💻 📊

I'm running Splunk on a Synology too, but as a VM under Ubuntu Linux, not containerized. Works OK in general, had 1 or 2 occasions where the 4GB assigned memory fell short and things fell apart ;-) >> After a while the logging to splunk stops ... Splunk generates a ton of logging messages that migh...
by jvanhambelgium
Sat Dec 30, 2023 10:26 am
Forum: Beginner Basics
Topic: Help with first home server
Replies: 2
Views: 804

Re: Help with first home server

That is going to be difficult, looking at your WAN-IP 100.67.x.x this is CGNAT-space (Carrier Grade NAT) so basically you do not have a public IP for yourself and therefore the world cannot "find" you if they want to initiate a connection to your server. YOU can of course initiate to th...
by jvanhambelgium
Tue Dec 26, 2023 12:02 am
Forum: General
Topic: Visualize Mikrotik logs
Replies: 1
Views: 1005

Re: Visualize Mikrotik logs

Nope, SNMP will not provide you with that. User @Jotne has created a very nice solution using SPLUNK (Enterprise) and a script on the Mikrotik side forwarding information through SYSLOG. You can install it for free as long as you remain under 500MBytes/day logs. This provides very nice information &am...
by jvanhambelgium
Mon Dec 25, 2023 10:59 am
Forum: General
Topic: mynetname.net DNS down?
Replies: 25
Views: 9360

Re: mynetname.net DNS down?

There is no such thing as ns1.mynetname.net or ns1.mynetname.net
The 2 authoritative NS listed for that domain are ns2.kissthenet.net. (159.148.172.251) and ns1.kissthenet.net. (159.148.147.201)
They both resolve on IPv4 and IPv6
by jvanhambelgium
Fri Dec 22, 2023 7:14 pm
Forum: RouterBOARD hardware
Topic: rb5009UG+S+IN
Replies: 12
Views: 3089

Re: rb5009UG+S+IN

In case you did not yet find these.

viewtopic.php?t=61007

So your product is NMEA-output support compliant ? Perhaps some fiddling with the baudrate ?

Of course all of this is RouterOS 6.x (old wiki)
by jvanhambelgium
Sun Dec 17, 2023 11:51 pm
Forum: Containers
Topic: sftpgo container
Replies: 4
Views: 8034

Re: sftpgo container

Installed it to test it .... extremely slow on my RB5009
Slow like in transferring 150Kbytes/sec across the LAN !!
The RB5009 was not really high in CPU
by jvanhambelgium
Fri Dec 15, 2023 8:28 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 896
Views: 305693

Re: v7.13 [stable] is released!

Upgraded without issues :

RB5009UG+S+
RB3011UiAS
by jvanhambelgium
Sat Dec 09, 2023 6:15 pm
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 10304

Re: Error when mounting adguard container

> Why might this happen? I just recently started trying to set up a firewall and I don't understand everything. For example, 172.29.45.251 is the address of your PI Hole?

-> There are (Android) clients that I've seen that always contact 8.8.8.8 etc. And in case there is a client with hardcoded DNS se...
by jvanhambelgium
Sat Dec 09, 2023 11:14 am
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 10304

Re: Error when mounting adguard container

And you should "intercept" anyway classic DNS packets in case some client does not want to use the Adguard. See my example below (I use Pihole) Make sure you excluded the Adguard/Pi-hole itself using the appropriate src-address-list. /ip firewall nat add action=dst-nat chain=dstnat comment...
by jvanhambelgium
Wed Dec 06, 2023 5:21 pm
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 10304

Re: Error when mounting adguard container

Remove the container and re-create and provide the logging=yes from the beginning. You should see a bit more output when it downloads the various layers. I agree the logging is pretty ... basic .... and will probably not reveal WHY you have this issue. You specify as root-dir=adguard => This will wr...
by jvanhambelgium
Wed Dec 06, 2023 4:24 pm
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 10304

Re: Error when mounting adguard container

Add the logging=yes directive on the container-creation command and look in the logs. Might explain more about the error.
by jvanhambelgium
Sat Dec 02, 2023 5:16 pm
Forum: General
Topic: Wireguard tunnel - speed problem
Replies: 19
Views: 6870

Re: Wireguard tunnel - speed problem

AND the Wireguard AND the PPPoE overhead probably explains why you "only" get 300-350Mbits/sec. CPU-profiler will give you insight. If you have a "spare" RB5009 you could perform a back2back test with a piece of ethernet-wire in between to see what the max is you can reach. You'l...
by jvanhambelgium
Wed Nov 29, 2023 10:51 pm
Forum: Containers
Topic: A question about ram-high Topic is solved
Replies: 5
Views: 17818

Re: A question about ram-high Topic is solved

Since this is a general setting, I would assume the total of all containers.
by jvanhambelgium
Fri Nov 24, 2023 12:21 pm
Forum: Beginner Basics
Topic: Block Intra VLAN Traffic
Replies: 7
Views: 1685

Re: Block Intra VLAN Traffic

> As for using ACI instead of a single CRS326-46G-2S+ : It's like suggesting a homeless person to move in to the royal castle. It would certainly solve his problems... :?

Yep, it sure is. Totally different worlds. Good to know Mikrotik does support something like a PVLAN on certain models/chipsets so...
by jvanhambelgium
Fri Nov 24, 2023 9:39 am
Forum: Beginner Basics
Topic: Block Intra VLAN Traffic
Replies: 7
Views: 1685

Re: Block Intra VLAN Traffic

What you are looking for is called "PVLAN" construction in general (Private VLAN) and you would be using some form of "Isolated Ports" in an "Isolated VLAN" construction. So 2 devices in such PVLAN cannot directly talk to each other but must pass through a device connect...
by jvanhambelgium
Sun Nov 19, 2023 11:10 am
Forum: General
Topic: Remove internet-facing login
Replies: 5
Views: 2737

Re: Remove internet-facing login

> Going into IP--> Services --> www and disabling port 80 unfortunately disables all web traffic to the router, including internal. So it stops router management.

No need to disable it completely, but add the "Available From" values? Eg. 192.168.x.y or multiple ranges that you want it to be...
by jvanhambelgium
Thu Nov 16, 2023 8:23 pm
Forum: General
Topic: VPN server like CIsco Asa Anyconnect
Replies: 6
Views: 2710

Re: VPN server like CIsco Asa Anyconnect

How many users? 10? 500? 20000?
by jvanhambelgium
Mon Nov 13, 2023 7:20 am
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 2130

Re: Creating WAN-separated VLAN

It depends on how the devices are wired on your local LAN. These Tuyas are *wireless* right, so their traffic is hitting your router through the port on which some AP is connected ? And your DNS is the Mikrotik itself at 192.168.99.1 looking at your config. If so, change the "chain" to INP...
by jvanhambelgium
Sun Nov 12, 2023 11:21 pm
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 2130

Re: Creating WAN-separated VLAN

The DNS-blocking is going to be a bit harder if everything remains in the same "LAN". If you would be using an IoT-VLAN that would be easy to also restrict "internal" traffic flowing between VLAN's anyway. Alternative could be you provide SPECIFIC DNS-servers through DHCP-options ...
by jvanhambelgium
Sun Nov 12, 2023 5:22 pm
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 2130

Re: Creating WAN-separated VLAN

Do you have a "Tuya" bridge or something? (like a HUE-box)
Can't you "pair" the Tuya devices natively with Zigbee to Home Assistant? Of course you need a Zigbee "radio" for that in your HA.
by jvanhambelgium
Sun Nov 12, 2023 4:40 pm
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 2130

Re: Creating WAN-separated VLAN

You don't need a separate vlan for that.
Just make sure your IoT devices get fixed IP's based on their MAC
Then block these IP on their way out.
by jvanhambelgium
Sat Nov 11, 2023 12:11 pm
Forum: Containers
Topic: Small iperf3 container
Replies: 36
Views: 16108

Re: Small iperf3 container

Could you guys as container specialists enlighten me why a container would not start if you installed it onto an SMB-share (on a RouterOS through ROSE-package)? Such package is downloaded correctly, container is created OK, "iperf" binary can be found on the NAS providing the SMB-share under t...
by jvanhambelgium
Sat Nov 11, 2023 11:04 am
Forum: General
Topic: problem with my routerboard 5009_no save graph after rebooot
Replies: 7
Views: 1126

Re: problem with my routerboard 5009_no save graph after rebooot

apart from that ... why on earth are you rebooting daily anyway....
by jvanhambelgium
Fri Nov 10, 2023 2:49 pm
Forum: General
Topic: VPN server like CIsco Asa Anyconnect
Replies: 6
Views: 2710

Re: VPN server like CIsco Asa Anyconnect

Something like this? I think the RB1100 AHx4 (ARM32) supports Wireguard. https://www.wiresock.net/ Note : The Cisco ASA Anyconnect Client is so much more than only "a vpn client" offering basic vpn-client, advanced vpn-client, endpoint-compliance, inspection service, enterprise access, thre...
by jvanhambelgium
Mon Nov 06, 2023 11:42 pm
Forum: Beginner Basics
Topic: VLAN and network segregation. So many questions.
Replies: 4
Views: 1676

Re: VLAN and network segregation. So many questions.

and QoS ... what contract/agreement/service do you promise/sell? You don't want 1 apartment to blast away all the bandwidth all the time. Some policing & shaping for sure needs to be done.
by jvanhambelgium
Mon Oct 30, 2023 6:38 pm
Forum: General
Topic: Manual DNS bypasses the Pihole - force redirect to pihole
Replies: 10
Views: 2628

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Ahhhh..good spotting @anav about the UDP/53 missing in the DNAT-rules. That might explain a lot.
by jvanhambelgium
Mon Oct 30, 2023 5:29 pm
Forum: General
Topic: Manual DNS bypasses the Pihole - force redirect to pihole
Replies: 10
Views: 2628

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Hi, place these before the masq entries, so re-order them.

add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.0.8 to-ports=53
add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=\ ...
by jvanhambelgium
Sat Oct 28, 2023 11:59 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1633

Re: Case Study: Disabling NAT and Firewall on LAN Routers

east-west security simply means "horizontally". Can be within a datacenter, but also between different vlan's e.g. on a smaller scale. It is a generic wording. Depending on the environment, often the security hazards are not coming "from the outside world" alone anymore but often i...
by jvanhambelgium
Sat Oct 28, 2023 7:38 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1633

Re: Case Study: Disabling NAT and Firewall on LAN Routers

Your IPv4 standard for sure should include "east-west" security these days.
By default each of the 3 LAN's can just chit-chat with each other and that is not really a good plan...

Next-generation networks (SDx) would be intent-driven with micro-isolation already at the switchport/host.
by jvanhambelgium
Sat Oct 28, 2023 4:46 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1633

Re: Case Study: Disabling NAT and Firewall on LAN Routers

Sure this is possible. Nothing out of the ordinary, but somewhat strange. If the WAN router is some decent gear, it can do NAT for whatever is coming in from the LAN, be it through different physical interfaces, VLAN's, ranges whatever. The typical "consumer" Internet-router provided by ...
by jvanhambelgium
Wed Oct 25, 2023 5:29 pm
Forum: General
Topic: Multiwan setup with Starlink and ip/route check-gateway issue
Replies: 6
Views: 2555

Re: Multiwan setup with Starlink and ip/route check-gateway issue

Put the Starlink in a separate VRF and work from there?
You could issue some health-check to eg. 8.8.8.8 across the Starlink-vrf and make some decisions from there?
by jvanhambelgium
Tue Oct 24, 2023 8:55 am
Forum: General
Topic: RB5009 can't get automatic IP from WAN.
Replies: 4
Views: 1184

Re: RB5009 can't get automatic IP from WAN.

Did you poweroff/poweron the ISP modem ? Might also be something "MAC" related in the sense that the cable-modem expects the MAC of the hEX S. Apart from that, yes you need to configure "DHCP Client" on the RB5009 in order to obtain an ISP-address. Specify the correct "WAN&q...
by jvanhambelgium
Sun Oct 22, 2023 3:37 pm
Forum: General
Topic: Help with Configuration between ISP ---> Fortigate ---> Mikrotick --> LAN
Replies: 5
Views: 1756

Re: Help with Configuration between ISP ---> Fortigate ---> Mikrotick --> LAN

Why bother with the Mikrotik? Fortinet can do the PPPoE to your ISP just fine and is a much more advanced solution than any Mikrotik when it comes to security.
by jvanhambelgium
Sat Oct 14, 2023 10:34 am
Forum: Beginner Basics
Topic: DNS usage in url
Replies: 4
Views: 1572

Re: DNS usage in url

> Hello guys, I'm struggling with one thing... My NAS using IP 192.168.88.200 i want to use xyz.xyz.com.pl in url but its not working, can you help me?

Search the forum for "hairpin NAT" because that is what you are looking for. And post your config as requested below if you already attempted ...
by jvanhambelgium
Tue Sep 19, 2023 10:53 pm
Forum: Scripting
Topic: Update firewall list possible?
Replies: 4
Views: 1948

Re: Update firewall list possible?

The resolving of FQDN will follow the TTL-value of the zone applicable. No need to "force" to resolve this periodically. Go to /ip/dns/cache and "print". The FQDN's should be there and you will see the TTL value countdown timer.... This works fine as I have some units for which I...
by jvanhambelgium
Thu Sep 14, 2023 8:46 pm
Forum: Beginner Basics
Topic: Plex "Indirect Connection" when connecting outside of network [SOLVED]
Replies: 7
Views: 14204

Re: Plex "Indirect Connection" when connecting outside of network [SOLVED]

Hmm, if your IP falls in the range 172.16.0.0 to 172.31.255.255 you DO NOT have a true public IP !
by jvanhambelgium
Thu Sep 14, 2023 8:37 pm
Forum: Beginner Basics
Topic: Beginner Question - 1 ISP two Routers
Replies: 4
Views: 1481

Re: Beginner Question - 1 ISP two Routers

> We only have /31 range from our ISP to use.

Nope, don't think so :lol: :lol: This ISP-link always has a cable that always needs to be inserted into something...and that will be your SPOF. With a /31 that does not leave much flexibility to have a robust/dynamic setup... You still can have 2 x CCR ...
by jvanhambelgium
Wed Sep 13, 2023 6:36 pm
Forum: Beginner Basics
Topic: Plex "Indirect Connection" when connecting outside of network [SOLVED]
Replies: 7
Views: 14204

Re: Plex "Indirect Connection" when connecting outside of network [SOLVED]

Beginning with 172.x.x.x MIGHT be OK ;-) Is the IP address on the range below ? If so, then you do not have a public IP. 172.16.0.0 to 172.31.255.255 Under "Settings" , then "Network" I also filled in the field where you put a URL that points back to you. In my case for example t...
by jvanhambelgium
Wed Sep 13, 2023 12:59 pm
Forum: Beginner Basics
Topic: Plex "Indirect Connection" when connecting outside of network [SOLVED]
Replies: 7
Views: 14204

Re: Plex "Indirect Connection" when connecting outside of network [SOLVED]

Are you sure it's a public IP ? And not something like 100.64.x.x ? Your screenshot with the blurred out IP says "0" as port-number and that is not correct. I have there nicely 32400 Try the "manually specify public port" setting and put 32400 in there + Apply. See what that does...
by jvanhambelgium
Fri Sep 08, 2023 8:37 am
Forum: General
Topic: Understanding why Minecraft Server won't connect [SOLVED]
Replies: 14
Views: 8063

Re: Understanding why Minecraft Server won't connect [SOLVED]

Well...try to refer to Interface address lists like the other (apparently working ones) ?? Why do you select "ether1" and not "WAN" ? You tried and it doesn't work ? You reference "ether1" for these Minecraft rules but that might be wrong. If you are using PPPoE for ex...
by jvanhambelgium
Tue Sep 05, 2023 7:47 am
Forum: General
Topic: Dealing with datacaps; can burst help?
Replies: 2
Views: 1117

Re: Dealing with datacaps; can burst help?

Interesting use-case, but I think everybody has moved from stand-alone approaches (on the CPE itself) to centralized, API-driven solutions? So all devices would report their usage to keep track of accounting centrally and through API/remote-control the cap would be enforced on the device. Perhaps...
by jvanhambelgium
Sun Sep 03, 2023 9:29 am
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 410
Views: 157885

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.9 (Graphing everything) 💾 🛠 💻 📊

> I am interested in the way you run splunk inside ubuntu, how did you get that working? running syno virtual machine manager? and then a plain ubuntu image? and then a normal ubuntu splunk install? I am running latest DSM on a 920+ with enough resources

Indeed, just like that. I'm running on 918...
by jvanhambelgium
Sat Sep 02, 2023 6:27 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 410
Views: 157885

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.9 (Graphing everything) 💾 🛠 💻 📊

I'm running Splunk on a Synology too, but as a VM under Ubuntu Linux, not containerized. Works OK in general, had 1 or 2 occasions where the 4GB assigned memory fell short and things fell apart ;-) >> After a while the logging to splunk stops ... Splunk generates a ton of logging messages that might...
by jvanhambelgium
Fri Sep 01, 2023 10:08 pm
Forum: General
Topic: F5 like pooling
Replies: 3
Views: 1218

Re: F5 like pooling

Ok, but you write it as if you want some mechanism of "load balancing". That is not gonna work. You can have 1 destination-NAT (so at *network* level) pointing to some backend (internal) IP and have this changed based if the backend is "up" For this to work you could have several...
by jvanhambelgium
Fri Sep 01, 2023 7:13 pm
Forum: General
Topic: F5 like pooling
Replies: 3
Views: 1218

Re: F5 like pooling

There are 2 parts to this question; frontend & backend. In the backend, you could with the "Netwatch" tool have a "test" (eg. ping or http-get to backend servers and do things if they reply or not). So these would be your health-checks to the backend servers and you could enable/d...
by jvanhambelgium
Fri Sep 01, 2023 12:16 am
Forum: Containers
Topic: UniFi Controller container on RB5009 will not start after reboot
Replies: 6
Views: 8904

Re: UniFi Controller container on RB5009 will not start after reboot

Are you sure your USB-storage is still "usb1-part1" ? Don't know the release you are running, but I had the same with RB5009 on some where where each reboot the USB-drive/partition was named differently! This whole container thing on eg. RB5009 still is a bit "hit & miss" fo...
by jvanhambelgium
Sat Aug 26, 2023 11:26 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 8171

Re: No WAN access via Wireguard

That is why I have such separate masq-rules for anything that needs to go out on Internet coming from eg. Wireguard or ZeroTier "zone".
So at least this gives me logging & counters in case certain things do not work and it might be easier to "pick up" along the way.
by jvanhambelgium
Sat Aug 26, 2023 5:05 pm
Forum: Wireless Networking
Topic: WiFi for large RV park?
Replies: 12
Views: 4110

Re: WiFi for large RV park?

I would start by looking at the map of the RV-park and where the RV's are going to be stationed/clustered and work from there. Remember Wifi is 2-way, so the client also needs to communicate back. Some endpoints have better antennas than others etc. But outdoor there is a lot of things to consider t...
by jvanhambelgium
Thu Aug 24, 2023 3:26 pm
Forum: Beginner Basics
Topic: Anyone ever have issues with Wireguard to mikrotik?
Replies: 10
Views: 4079

Re: Anyone ever have issues with Wireguard to mikrotik?

Best is to make a packet-capture and look for issues....this smells indeed like MTU or alike. If you get the authentication-box already etc then I doubt "settings" of Wireguard are at play here. Firewall-rules also seem OK at this point then, but that can be checked in the logs (if you enable loggin...
by jvanhambelgium
Thu Aug 24, 2023 8:49 am
Forum: General
Topic: No WAN access via Wireguard
Replies: 29
Views: 8171

Re: No WAN access via Wireguard

logging - logging - logging

Enable logging on any rule that has a "drop" in there, and filter for your endpoint 10.180.5.2/32
There has to be some trace of a rule that seems to stop your packets from going out.
by jvanhambelgium
Sun Aug 20, 2023 10:01 pm
Forum: Containers
Topic: Container + ROSE-SMB storage
Replies: 4
Views: 9245

Re: Container + ROSE-SMB storage

The "pull" works fine. I see the folder being created (the first time after I alter the path) and I see a growing *.gz file while it is being downloaded...then suddenly everything stops and it is removed from the NAS and it throws an "error". Usually 1 or 2 "layers" are pro...
by jvanhambelgium
Sun Aug 20, 2023 9:24 pm
Forum: Containers
Topic: Container + ROSE-SMB storage
Replies: 4
Views: 9245

Container + ROSE-SMB storage

Is there anyone that can explain to me why the extraction of a container-image fails across a ROSE storage point? Running the latest 7.11 on RB5009. So I've mapped an SMB on my NAS which is accessible fine (because I see files being created on it) Screenshot from 2023-08-20 20-17-12.png I've also adapt...
by jvanhambelgium
Sun Aug 20, 2023 11:21 am
Forum: Beginner Basics
Topic: Reporting a bug, or a suspected bug?
Replies: 8
Views: 4487

Re: Reporting a bug, or a suspected bug?

It is a bug for sure. Same with "Winbox"
On CLI, when doing a "print" of the vETH you get to see the IP address
On Winbox, it is 0.0.0.0 for every vETH
It was on 7.10 and now on 7.11 also.
by jvanhambelgium
Thu Aug 17, 2023 12:34 am
Forum: General
Topic: RB3011 - still a good choice?
Replies: 22
Views: 5453

Re: RB3011 - still a good choice?

> I believe that the LCD screen is not supported on RouterOS 7. So, forget that the screen.

LCD works just fine on my RB3011 on 7.11. But it is a gimmick for sure. Sometimes handy to see if some interface does traffic or so but in the end still a gimmick. I have the RB3011 on a +- 100Mbps xDSL and it h...
by jvanhambelgium
Wed Aug 16, 2023 6:29 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 181627

Re: v7.11 [stable] is released!

Updated LAB RB3011 to 7.11 and all seems fine (for my limited use-cases ; basic PPPoE Internet, IPSEC-tunnel to RB5009 etc)
by jvanhambelgium
Wed Aug 16, 2023 4:48 pm
Forum: RouterBOARD hardware
Topic: "RouterOS on spare computer vs MikroTik device?
Replies: 10
Views: 6065

Re: "RouterOS on spare computer vs MikroTik device?

If you care about power-consumption a device like RB5009 uses much less power than "the average spare computer". When running 24x7 this might make some difference in yearly running cost. I think my RB5009 is about 9.5Watt if I look at my home-automation graphs. (because I use a SFP-module i...
by jvanhambelgium
Sun Aug 13, 2023 7:18 pm
Forum: General
Topic: Wireguard behind hotel wifi unable to establish connection to remote MT
Replies: 14
Views: 2197

Re: Wireguard behind hotel wifi unable to establish connection to remote MT

Rx counter remains at "0" on the "client" side ?
It should at least try from the hotel to reach the endpoint right ?
by jvanhambelgium
Thu Aug 10, 2023 9:29 am
Forum: General
Topic: VLANs Not Acting As Expected
Replies: 5
Views: 2181

Re: VLANs Not Acting As Expected

If you can ping it already that means that VLAN's are OK. Printers these days are quite flexible, offer dozens of (printing) protocols to choose from. They can be configured with ACL to only allow printing from certain IP-ranges etc, etc. What does your logging say? If you define a printer on a PC on...
by jvanhambelgium
Sun Aug 06, 2023 9:37 am
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 2979

Re: Two lans on one router

Where do you want to forward port? From Internet? Internally between 192.168.1.x and 192.168.2.x you do not need to forward ports, (under the NAT-tab in Firewall) you simply need to make a firewall-rule to ALLOW it through. (and of course *above* the rules where you block all further communication...
by jvanhambelgium
Sun Aug 06, 2023 12:27 am
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 2979

Re: Two lans on one router

Hmm, a lot of various rules, not per se "bad" but it doesn't make things easy to follow. Some forum-member will tell you this is a very messy config ;-) Anyway your question was about flows between 192.168.2.x (home-network) and 192.168.1.x (homelab-server) that should be blocked right? (in...
by jvanhambelgium
Sat Aug 05, 2023 5:19 pm
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 2979

Re: Two lans on one router

Perhaps begin with posting your config here so things are more clear

/export file=anynameyouwish (minus router serial number and any public WANIP information)
by jvanhambelgium
Sat Aug 05, 2023 4:10 pm
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 2979

Re: Two lans on one router

hmm...firewall rules ?
by jvanhambelgium
Mon Jul 31, 2023 4:45 pm
Forum: Containers
Topic: openspeedtest container error
Replies: 11
Views: 8741

Re: openspeedtest container error

I have similar issues on a RB5009. The USB-storage for sure is not super "stable" and after a few weeks often a container is completely trashed because the underlying USB-storage is gone. I need to unplug-replug etc. In the past I had to reformat completely. I tried USB3.0 stick directly i...
by jvanhambelgium
Fri Jul 28, 2023 10:44 am
Forum: Containers
Topic: import adguard dns container image problem Topic is solved
Replies: 61
Views: 33234

Re: import adguard dns container image problem Topic is solved

I'm still puzzled why "Adguard" is not showing any statistics *but* it seems to be working. My test-PC has hardcoded 1 single DNS pointing to the Adguard, dns-resolving works (I see exchange in a tcp-dump) but nothing in the logs or statistics-dashboard. Strange .. don't think it's a permi...
by jvanhambelgium
Fri Jul 28, 2023 9:11 am
Forum: Containers
Topic: import adguard dns container image problem Topic is solved
Replies: 61
Views: 33234

Re: import adguard dns container image problem Topic is solved

Hi, Yep, seems to be a Winbox bug. On a RB3011 lab box, running the latest beta 7.11 BETA6 this "issue" is present. Winbox entries all give 0.0.0.0/0 but on console all is OK. Feel free to log a ticket on this with MT.

/interface/veth> print
Flags: X - disabled; R - running
 0 R name="...
by jvanhambelgium
Thu Jul 27, 2023 7:25 pm
Forum: Containers
Topic: import adguard dns container image problem Topic is solved
Replies: 61
Views: 33234

Re: import adguard dns container image problem Topic is solved

Strange, Works fine here. The difference is during boot it clearly prints the veth-IP:3000 reference to login, and in your case it does not... Screenshot from 2023-07-27 18-21-54.png And I confirm the GUI works fine on my test-segment 192.168.3.4:3000 ...and after first install the GUI is available ...
by jvanhambelgium
Mon Jul 24, 2023 8:16 pm
Forum: Beginner Basics
Topic: SSH from WAN
Replies: 4
Views: 1896

Re: SSH from WAN

You use the interface-list "WAN". Are you sure the ingress interface is member of that?
When you try and it does not work, what counter increases? The "drop all not coming from LAN"?
by jvanhambelgium
Mon Jul 17, 2023 7:25 am
Forum: General
Topic: Isolation of guests (wireless+wired)
Replies: 6
Views: 1333

Re: Isolation of guests (wireless+wired)

This requirement:
- have guests being able to join the network on the Guest SSID and on the TP-Link without accessing the Normal network.
- On the TP-link I just want to connect the Guest without thinking about what port.

This cannot be done without 802.1x implementation on the switch-side. Your TP...
by jvanhambelgium
Sat Jul 15, 2023 8:38 am
Forum: General
Topic: ERSPAN with GRE-tunnel
Replies: 2
Views: 932

Re: ERSPAN with GRE-tunnel

The only option you have is start a packet-capture on a RouterOS device and "stream" this towards any IP endpoint further down the network. On the remote end you either have some Wireshark running or probably some tool will exist to then write a pcap-file locally. (eg. rpcapd.exe) Screensh...
by jvanhambelgium
Fri Jul 14, 2023 12:20 am
Forum: Beginner Basics
Topic: Performance: 10Gbps - VLANs, and WiFi
Replies: 12
Views: 2124

Re: Performance: 10Gbps - VLANs, and WiFi

What if, for example, "Untrusted" VLAN is 10.1.1.0/24,"Semi-Trusted" VLAN is 10.1.2.0/24, "Fully-Trusted" VLAN is 10.1.3.0/24, and the file server is 10.1.4.1/24. Untrusted and Semi-Trusted can access the File Server, but Untrusted, can't. How would I do that without n...
by jvanhambelgium
Thu Jul 13, 2023 9:05 pm
Forum: Beginner Basics
Topic: Performance: 10Gbps - VLANs, and WiFi
Replies: 12
Views: 2124

Re: Performance: 10Gbps - VLANs, and WiFi

Lil off topic - but still related to file-servers ... Take a look at TrueNAS. I run dozens of TrueNAS file servers. When configured correctly, they can be pretty fast. For example, I have a TrueNAS file-server with 1-TB RAM and about 256-TB of solid-state SSD drives with 100-Gig network interfac...
by jvanhambelgium
Thu Jul 13, 2023 7:39 pm
Forum: Beginner Basics
Topic: Performance: 10Gbps - VLANs, and WiFi
Replies: 12
Views: 2124

Re: Performance: 10Gbps - VLANs, and WiFi

...and with a fileserver you also need to look at aspects like NFS ACLs or SMB user-accounts etc. Being able to "reach" your fileserver does not mean you can access it / use it. Depending on the file-server model/OS, you can also apply an IP-ACL to exclude the "Untrusted" IP-ran...
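The inter-VLAN scenario quoted earlier in this thread, as an added example that is not part of the original posts. It uses the subnets from the quoted question (Untrusted 10.1.1.0/24, Semi-Trusted 10.1.2.0/24, Fully-Trusted 10.1.3.0/24, file server 10.1.4.1) and assumes the VLANs are routed on the MikroTik so inter-VLAN traffic passes the forward chain, that all VLAN interfaces are members of the "LAN" interface list, and that an "accept established,related" rule already sits above these rules, as in the default configuration.

```routeros
# Added example (not from the forum posts). Assumptions: VLAN interfaces are
# routed here and are members of interface-list LAN; an established/related
# accept rule exists above these rules; the file server is 10.1.4.1.

/ip firewall address-list
add list=fileserver-clients address=10.1.2.0/24 comment="Semi-Trusted VLAN"
add list=fileserver-clients address=10.1.3.0/24 comment="Fully-Trusted VLAN"

/ip firewall filter
# Only the permitted VLANs may open SMB (445) or NFS (2049) to the file server.
# NFSv4 needs only 2049; NFSv3 additionally needs rpcbind/mountd ports.
add chain=forward action=accept src-address-list=fileserver-clients \
    dst-address=10.1.4.1 protocol=tcp dst-port=445,2049 \
    comment="file server: SMB/NFS from Semi- and Fully-Trusted only"
# Anything else between internal VLANs is dropped, so Untrusted (10.1.1.0/24)
# never reaches 10.1.4.1. Internet-bound traffic leaves via WAN and is not
# matched by this rule.
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN \
    comment="default deny between VLANs"

# Verify the Untrusted side is really hitting the drop rule rather than an
# earlier accept:
/ip firewall filter print stats where chain=forward
```

Reachability is only the first layer: the export or share on the server still needs its own client restriction (for example an NFS export limited to 10.1.2.0/24 and 10.1.3.0/24), so a host that reaches 10.1.4.1 by some other path still cannot mount anything.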
by jvanhambelgium
Sun Jun 25, 2023 8:14 am
Forum: General
Topic: This should be easy
Replies: 17
Views: 1870

Re: This should be easy

> But, the firewall is basic, and I want to give my servers additional protection (I get various probing attempts / hacks / brute force log in attempts every day). So the way I envisage it, I just need some sort of packet filter between my servers and the existing LAN. It would do things like: dro...
by jvanhambelgium
Fri May 19, 2023 10:47 pm
Forum: General
Topic: Send same income packets to different servers
Replies: 2
Views: 605

Re: Send same income packets to different servers

Please explain what *service* is behind the Windows machines ? What are you trying to accomplish ? Perhaps NLB between the 2 Windows servers might be a good approach. The MikroTik then can have a DNAT pointing to the NLB-VIP and NLB will sort it out. https://learn.microsoft.com/en-us/windows-server/...
by jvanhambelgium
Wed May 10, 2023 6:00 pm
Forum: Announcements
Topic: v7.9 [stable] is released!
Replies: 242
Views: 61822

Re: v7.9 [stable] is released!

I think there is an issue with ZeroTier on the 7.9-stable release. After 1-2 days the ZeroTier loses its LEAF & PLANET connections for some reason. Stopping & Starting resolved it and then you are good to go another 1-2 days. This on RB5009 system. Don't think a SUPOUT will do any good here...
by jvanhambelgium
Mon May 01, 2023 6:30 pm
Forum: RouterOS beta
Topic: 7.8beta2 adds new package ROSE-storage
Replies: 67
Views: 30068

Re: 7.8beta2 adds new package ROSE-storage

Try with NFS v3, that works for me...
Hmm, I can't really force that on the NAS. I can enable/disable NFSv4.1, but other than that it's "enable or disable" NFS as a whole.
Is there some command-flag on the ROSE package to force NFSv3? (doesn't look like it....)
by jvanhambelgium
Mon May 01, 2023 10:58 am
Forum: RouterOS beta
Topic: 7.8beta2 adds new package ROSE-storage
Replies: 67
Views: 30068

Re: 7.8beta2 adds new package ROSE-storage

Anyone using a Synology NAS and was able to mount a NFS-export onto a Mikrotik ? (I'm using RB3011-ARM here to test) It just won't work, getting "Protocol Not Supported" error ? (while I use the Synology with a bunch of mounts to other systems here, media-players etc. In-house I only do NF...
by jvanhambelgium
Sat Apr 29, 2023 9:40 am
Forum: General
Topic: Firewall
Replies: 3
Views: 644

Re: Firewall

Personally allowing access to a device on Internet through a "whitelisted" source-IP(s) is acceptable to me and we do that for customers across our projects. VPN is not always an option or sometimes overkill. Just make sure you have additional layers like (encrypted) authentication using c...
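The source-IP whitelisting described in the post above, combined with the SSH-from-WAN troubleshooting in the earlier "SSH from WAN" post, as an added example that is not part of either original post. It assumes the default interface lists "WAN" and "LAN" and the default-configuration input rule commented "defconf: drop all not coming from LAN"; the addresses 203.0.113.10 and 198.51.100.0/28 and the key file admin.pub are placeholders.

```routeros
# Added example (not from the forum posts). Placeholders: 203.0.113.10 and
# 198.51.100.0/28 stand for the operator's fixed management sources, admin.pub
# for an already-uploaded public key.

# 1) First sanity check from the SSH-from-WAN thread: is the ingress interface
#    really in the list the rules refer to?
/interface list member print where list=WAN

# 2) The whitelist of sources allowed to reach SSH from the Internet.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.10 comment="office static IP"
add list=mgmt-allowed address=198.51.100.0/28 comment="NOC range"

# 3) Accept SSH only from those sources, inserted above the default drop rule
#    so it is evaluated first. Everything else on port 22 still hits the drop.
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=22 in-interface-list=WAN \
    src-address-list=mgmt-allowed comment="SSH from whitelisted WAN sources" \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# 4) The additional layer the post mentions: strong ciphers and key-only login.
/ip ssh set strong-crypto=yes always-allow-password-login=no
/user ssh-keys import public-key-file=admin.pub user=admin

# 5) When a test connection still fails, reset the counters, retry, and see
#    which input rule moved: the accept rule, or still the "drop all" rule
#    (meaning the interface-list or source list does not match).
/ip firewall filter reset-counters-all
/ip firewall filter print stats where chain=input
```

Once password login is disabled, a whitelisted source that is compromised still has to present a valid key, which is what makes a source-IP filter acceptable as one layer rather than the only one.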
by jvanhambelgium
Wed Apr 26, 2023 1:12 pm
Forum: General
Topic: Natting Public Ip Over Wireguard [SOLVED]
Replies: 15
Views: 1755

Re: Natting Public Ip Over Wireguard [SOLVED]

It could be 10 things, without any config impossible to say. (could be nat, routing, ...) Did you "torch" on FW2 to see if the DNAT'ted packet arrives at that point? The "device" is exposed to Internet with a DNAT? Or does this "public computer" also have Wireguard C...
by jvanhambelgium
Wed Apr 26, 2023 8:38 am
Forum: Beginner Basics
Topic: Web Proxy Doesnt Work?
Replies: 7
Views: 6733

Re: Web Proxy Doesnt Work?

So this is obsolete and not correct? In the link below "https" is not mentioned.

https://wiki.mikrotik.com/wiki/Manual:IP/Proxy

Not sure if it would insert X-Forwarded-For in the headers either.
by jvanhambelgium
Wed Apr 26, 2023 12:43 am
Forum: Beginner Basics
Topic: Web Proxy Doesnt Work?
Replies: 7
Views: 6733

Re: Web Proxy Doesnt Work?

btw,
don't think any HTTPS will work.
the "proxy" module on Mikrotik supports HTTP only, and in 2023 only very few websites use HTTP.
by jvanhambelgium
Sat Apr 22, 2023 6:08 pm
Forum: General
Topic: Wireguard connections have no traffic, using Advanced Firewall
Replies: 16
Views: 3328

Re: Wireguard connections have no traffic, using Advanced Firewall

eh...just duplicate the rule just below and change accordingly ? Just for my own edification, if I did that it would still block my WG traffic would it not? That rule only allows traffic from one subnet and it wouldn't match that so it wouldn't matter if the next rule did. Am I misunderstanding? Ye...
by jvanhambelgium
Sat Apr 22, 2023 5:38 pm
Forum: General
Topic: Wireguard connections have no traffic, using Advanced Firewall
Replies: 16
Views: 3328

Re: Wireguard connections have no traffic, using Advanced Firewall

I found the issue. Rule 9 in the Raw table: add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.100.0/24 My WG connections(s) are 10.10.100.0/24 so not in the allowed IP range. Question: It seems I cant add...
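The RAW-table rule quoted in the post above, reworked as an added example that is not part of the original post. It keeps the default-configuration intent (drop LAN-side packets whose source is not a known local range) but expresses the allowed ranges as an address list, so the WireGuard peer range 10.10.100.0/24 can be added without a second negated rule. It assumes the WireGuard interface is a member of the "LAN" interface list, which is the only way the quoted rule can match that traffic in the first place.

```routeros
# Added example (not from the forum post). Assumes the WireGuard interface is
# in interface-list LAN, so the RAW rule applies to its traffic.
#
# Why an address list: rules match first-to-last, and a second rule with
# src-address=!10.10.100.0/24 would not help. A LAN source 192.168.100.5 fails
# "!10.10.100.0/24" and is dropped by the second rule; a WG source fails the
# first rule. Two negated drops block everything. One rule negating a list with
# both ranges drops only sources outside *both*.

/ip firewall address-list
add list=local-nets address=192.168.100.0/24 comment="LAN"
add list=local-nets address=10.10.100.0/24 comment="WireGuard peers"

/ip firewall raw
# replace the single-subnet default rule with the list-based equivalent
remove [find comment="defconf: drop local if not from default IP range"]
add chain=prerouting action=drop in-interface-list=LAN \
    src-address-list=!local-nets \
    comment="drop local if not from a known local range"

# Verify: generate traffic from a WireGuard peer; this rule's counter must
# stay still while the peer's traffic flows.
/ip firewall raw print stats
```

Keeping the rule in RAW rather than deleting it matters: it is what stops spoofed non-local sources on the LAN side before connection tracking ever sees them.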
by jvanhambelgium
Thu Apr 13, 2023 3:59 pm
Forum: Containers
Topic: RB5009 Hello World
Replies: 10
Views: 10548

Re: RB5009 Hello World

Since I've inserted a USB 2.0 "hub" into the RB5009 and then my SDCARD in it, the disk-id remains consistent across reboots. The problem was that sometimes the card is seen as USB 3.0 and sometimes USB 2.0 which results in different "disk" IDs. At the moment I have 4 containers r...
by jvanhambelgium
Tue Apr 11, 2023 6:22 pm
Forum: General
Topic: Zerotier with Mikrotik
Replies: 1
Views: 419

Re: Zerotier with Mikrotik

I've had the same on 7.8 on my RB5009
Not often, but sometimes it was in a state "REQUEST CONFIG" or something. Stopping and starting the ZeroTier service made it work again.
Now I've updated to 7.9(rc2), which bumps the ZeroTier version also to a much newer release 1.10.3
by jvanhambelgium
Sun Apr 09, 2023 8:47 pm
Forum: Containers
Topic: Container "Traefik" (on RB5009)
Replies: 11
Views: 12607

Re: Container "Traefik" (on RB5009)

I couldn't get the Traefik container to work either. Therefore I decided to use nginx-proxy. How did you install it? I tried to launch it via the line below but it gives an error. add remote-image=jc21/nginx-proxy-manager:latest interface=veth4 root-dir=/usb3-part1/npm mounts=npm_data,npm_encrypt start-...
by jvanhambelgium
Sun Apr 09, 2023 8:06 pm
Forum: Containers
Topic: Container "Traefik" (on RB5009)
Replies: 11
Views: 12607

Re: Container "Traefik" (on RB5009)

I couldn't get the Traefik container to work either. Therefore I decided to use nginx-proxy.
Yes but this requires a DB in the backend. I have NPM also running on a Synology NAS combined with MariaDB where the config is stored for NPM ?
by jvanhambelgium
Sun Apr 09, 2023 12:26 pm
Forum: Containers
Topic: Container "Traefik" (on RB5009)
Replies: 11
Views: 12607

Container "Traefik" (on RB5009)

Anyone here has practical working container like "Traefik" operational ? (can serve as reverse-proxy) I've imported it and I can start it, but dash-board for example does not work. Also what about its config file "traefik.yml" ? I've shelled into the container but cannot find any...
by jvanhambelgium
Sun Apr 09, 2023 9:06 am
Forum: General
Topic: Using ISP for internet/Wifi but keep routing through Mikrotik due to hap ax3 bad wifi throughput/performance
Replies: 11
Views: 1260

Re: Using ISP for internet/Wifi but keep routing through Mikrotik due to hap ax3 bad wifi throughput/performance

Your wireless scenario is not possible unless you have an advanced ISP-router that you fully control.
Some "static routes" are not enough, this sounds more like some policy-routing based on certain criteria.

The "wired" scenario is basic and will work.
by jvanhambelgium
Fri Apr 07, 2023 3:33 pm
Forum: General
Topic: CRS 354-48g-4s+2q+rm as a core router in a company
Replies: 6
Views: 959

Re: CRS 354-48g-4s+2q+rm as a core router in a company

Depends... What is the PPPoE link? 100Mbit? 1000Mbit? If only a 100Mbit Internet link I would risk it. Don't expect 500Mbps Internet performance or something... Your product is a SWITCH with a pretty weak CPU, so if you start using it as a breakout-router to Internet don't expect a lot of perform...
by jvanhambelgium
Fri Apr 07, 2023 3:09 pm
Forum: General
Topic: I think my config looks correct, but operates incorrectly
Replies: 4
Views: 504

Re: I think my config looks correct, but operates incorrectly

TP-Link "management" (webgui) packets are always untagged, it's not like an enterprise-grade switch where you can "dictate" which VLAN the Management should be in. So, untagged frames will end up on the port "ether4" on the HEX. Why would you think you'll get an IP from 192.1...
by jvanhambelgium
Tue Apr 04, 2023 11:58 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 152876

Re: v7.8 [stable] is released!

Anyone else having this thingy with USB storage that keeps changing with each reboot from usb1-part1 to usb2-part1 etc ? Basically breaking containers etc between reboots. Was it possible to refer to a "label" in the container-settings ? yes, add "slot=DATA" parameter to your di...
by jvanhambelgium
Sun Apr 02, 2023 8:57 pm
Forum: Beginner Basics
Topic: Which router model for Internet Cafe (150 PCs)?
Replies: 8
Views: 2534

Re: Which router model for Internet Cafe (150 PCs)?

i5 - 7400 , 16g ram? if you already have it available go with it, it will perform better than a rb4011/rb5009 Thank you Chechito. Is the i5-7400 better than CCR2004? Better? you only have 150 clients and 1Gbits at most. i5 is even overkill. RB4011 or RB5009 will serve your Internet Cafe without eve...
by jvanhambelgium
Sun Apr 02, 2023 11:15 am
Forum: General
Topic: Web Proxy
Replies: 5
Views: 893

Re: Web Proxy

Is there another way to log visited sites? You could always go down the DNS path (analyse resolved entries), but that will not give you granularity on *what* exactly has been visited. And of course not all DNS-lookups lead to visited "websites" so no real 100% match for your requirements. I...