Community discussions

Search found 1016 matches

by jvanhambelgium
Sun Apr 07, 2024 1:35 pm
Forum: General
Topic: Up 200 CAP
Replies: 12
Views: 757

Re: Up 200 CAP

Installation & Config is 1 aspect, actual operational performance another.
What type of installation-environment ? Industrial ? School ? Stadium/venue ?
by jvanhambelgium
Sat Mar 30, 2024 7:47 pm
Forum: General
Topic: Bandwidth usage per IP
Replies: 28
Views: 16512

Re: Bandwidth usage per IP

Thank you for your work, it works perfect. When I try to save the report to a shared drive (runs on SMB raspberrypi) using :local reportpath ("smb://user:password@192.168.3.19/home/pi/MyNASA/BWbyIP/report-" . $yearmonth . ".html") either with or without the user/password failure...
by jvanhambelgium
Sat Mar 30, 2024 5:40 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 362
Views: 123786

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Hi, It seems a part of the script (v5.6) is giving me consistent error on 7.14.1 Screenshot from 2024-03-30 15-33-01.png the 5.6 script hits a system history print command which causes this error on my systems. You can reproduce this by entering the command "system history print" in a con...
by jvanhambelgium
Sat Mar 30, 2024 4:38 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 362
Views: 123786

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊

Hi, It seems a part of the script (v5.6) is giving me consistent error on 7.14.1 Screenshot from 2024-03-30 15-33-01.png It seems in the section where all the access-list are processed/counted, so the section below. Didn't change anything to the code, just copy-pasted into Winbox. The ACL "Azur...
by jvanhambelgium
Mon Feb 19, 2024 2:21 pm
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 984

Re: Locked Out

Hopefully 1 ether port off-bridge or a serial port but that means local access. Not so long ago locked myself out of my RB5009. I had "some sort of recent backup" and needed to factory-default it + restore that config. That part went OK. Since then I have indeed 1 dedicated physical port "...
by jvanhambelgium
Mon Feb 19, 2024 9:29 am
Forum: RouterBOARD hardware
Topic: Locked Out
Replies: 12
Views: 984

Re: Locked Out

Where is this 192.168.121.0/24 range actually used then ? On 1 of these remote sites ?
Just get a working-PC on that range, teamviewer/RDP into it and from there Winbox/WebFig to your RouterOS boxes ?
by jvanhambelgium
Fri Feb 16, 2024 8:27 am
Forum: General
Topic: Container start-on-boot not working
Replies: 2
Views: 330

Re: Container start-on-boot not working

Did you create the container in CLI or via WebFIG/Winbox ? Do you have the "logging" flag enabled too ?
by jvanhambelgium
Sun Feb 11, 2024 5:59 pm
Forum: General
Topic: S-RJ01 - terribly unrelibable?
Replies: 4
Views: 444

Re: S-RJ01 - terribly unrelibable?

The S-RJ01 *itself* is OK I guess. I have one in my RB5009 and my ISP/Internet is coming in through there. Runs a little hot (66°C) but never any issues. But I have the impression it might be very dependent on which platform you plugin the module + RouterOS release. Vendor Revision : 2.16 Manufacter...
by jvanhambelgium
Wed Jan 31, 2024 9:42 am
Forum: General
Topic: Monitoring and Trafficflow
Replies: 9
Views: 1245

Re: Monitoring and Trafficflow

While not a complete solution (rather a collection of tools to build your solution around it), you may want to check pmacct http://www.pmacct.net/ I've been using it for well over a decade now, and once I integrated it into my stack, I've never had to touch it again. It just works. What plugins are...
by jvanhambelgium
Tue Jan 30, 2024 9:06 pm
Forum: General
Topic: Allow remote-logging input on ROS [SOLVED]
Replies: 12
Views: 1295

Re: Allow remote-logging input on ROS [SOLVED]

Yes, something like that might be an option, but that would still not bring all logging from my different ros devices into the one log of my main router. But thanks for the pointer, I will think a bit further on how to configure it to my liking. Of course it would ? All your ROS devices then simply ...
by jvanhambelgium
Tue Jan 30, 2024 2:36 pm
Forum: General
Topic: Allow remote-logging input on ROS [SOLVED]
Replies: 12
Views: 1295

Re: Allow remote-logging input on ROS [SOLVED]

You have a RouterOS box that supports containers ? Then you could deploy such a container and collect logs. Of course you need to store them somewhere, so at least some external USB would be a good idea...unless these are really few logs. This is not a fancy (web)GUI where you can browse through, i...
by jvanhambelgium
Mon Jan 29, 2024 9:29 pm
Forum: General
Topic: Wireguard and DMZ ISP
Replies: 2
Views: 366

Re: Wireguard and DMZ ISP

Sure, as long as your ISP does muck around with CGNAT and you have a public IP that you can "map" 1:1 to the inside.
by jvanhambelgium
Sat Jan 27, 2024 9:46 am
Forum: General
Topic: Recommended for IPS/IDS
Replies: 6
Views: 2786

Re: Recommended for IPS/IDS

Most of the above vendors are really, really in another league compared to Mikrotik. You must see Mikrotik RB as a ROUTER with network packet filter (and a lot of Swiss-army knife capabilities for sure!) I use Fortinet & Palo Alto in my professional work, very, very capable but it comes with a pri...
by jvanhambelgium
Tue Jan 23, 2024 3:59 pm
Forum: General
Topic: eth5 as dhcp client
Replies: 4
Views: 534

Re: eth5 as dhcp client

Take eth5 out of a bridge. Configure IP > DHCP-client and add "eth5" as DHCP-client. Be careful and say "no" to "add default route" I think. I use the same approach and have a lab RB3001 connected as DHCP "client" on a RB5009 through some ethX port. Then offc...
by jvanhambelgium
Mon Jan 22, 2024 11:01 pm
Forum: General
Topic: Allowing a VLAN to Access WAN(Internet)
Replies: 3
Views: 476

Re: Allowing a VLAN to Access WAN(Internet)

What about any NAT/Masquerading config ? Can you export that ?
by jvanhambelgium
Sat Jan 20, 2024 10:13 am
Forum: Beginner Basics
Topic: packet marking for QoS
Replies: 7
Views: 802

Re: packet marking for QoS

Pre-routing chain ?
Try the "forward" chain and it will work I guess.

I've several marking-rules and they work fine as the traffic flows-through the Mikrotik (= forward chain)
by jvanhambelgium
Wed Jan 17, 2024 3:50 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2408

Re: Brute Force Attacks

Strange, it's not like you have some secret recipe for vodka ;-)
Perhaps the vodka market is drying out and they want to get into chocolate or beer :lol:
I could throw in a couple of Belgian Waffles :D :D
by jvanhambelgium
Tue Jan 16, 2024 7:37 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2408

Re: Brute Force Attacks

Not entirely from the same source IP, but close ...

IP 95.214.55.244
inetnum: 95.214.52.0 - 95.214.55.255
netname: PL-MEV-20181221
country: PL
org: ORG-MSZO78-RIPE

Some Polish operated IP-space. For the last 30 days, it is trying consistently these 4 destination ports on my frontdoor :D 8) Screensho...
by jvanhambelgium
Sun Jan 14, 2024 2:44 pm
Forum: Scripting
Topic: add succesfully connected rdp to whitelist
Replies: 6
Views: 895

Re: add succesfully connected rdp to whitelist

> I would like to add successfully connected rdp connections to whitelist. And I have no clue how to detect if the connection is successfully established or it is just another brute force attempt.

If it was a brute-force you would also see multiple times a new SYN arriving I think? You cannot keep try...
by jvanhambelgium
Sat Jan 13, 2024 6:21 pm
Forum: General
Topic: Firewall-dynamic firewall rules
Replies: 9
Views: 916

Re: Firewall-dynamic firewall rules

Perhaps solve this issue with a port-knock sequence? So "client" first needs to hit a certain sequence of UDP/TCP ports before "the gate opens up". Of course then there is still the mandatory authentication, just make sure you run an up-to-date RouterOS and do NOT use default "...
by jvanhambelgium
Mon Jan 08, 2024 5:45 pm
Forum: Wireless Networking
Topic: Solving 20km wireless link issues
Replies: 147
Views: 221773

Re: Solving 20km wireless link issues

Other than my company, customers can use a dish satellite company or a cell phone company data plan - both are very expensive if you move lots of data. On a sidenote ; you feel any business impact/disruption from eg. Starlink services ? Rather cheap I believe & moving a lot of data is not reall...
by jvanhambelgium
Sat Jan 06, 2024 11:35 am
Forum: RouterBOARD hardware
Topic: Zerotier version on RB5009UG+S+IN and L009UiGS-RM.
Replies: 3
Views: 1655

Re: Zerotier version on RB5009UG+S+IN and L009UiGS-RM.

Current version on the 7.13-stable is 1.10.3
by jvanhambelgium
Wed Jan 03, 2024 5:11 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 362
Views: 123786

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.9 (Graphing everything) 💾 🛠 💻 📊

I'm running Splunk on a Synology too, but as a VM under Ubuntu Linux, not containerized. Works OK in general, had 1 or 2 occasions where the 4GB assigned memory fell short and things fell apart ;-) >> After a while the logging to splunk stops ... Splunk generates a ton of logging messages that migh...
by jvanhambelgium
Sat Dec 30, 2023 10:26 am
Forum: Beginner Basics
Topic: Help with first home server
Replies: 2
Views: 655

Re: Help with first home server

That is going to be difficult, looking at your WAN-IP 100.67.x.x this is CGNAT-space (Carrier Grade NAT) so basically you do not have a public IP for yourself and therefore the world cannot "find" you if they want to initiate a connection to your server. YOU can of course initiate to th...
by jvanhambelgium
Tue Dec 26, 2023 12:02 am
Forum: General
Topic: Visualize Mikrotik logs
Replies: 1
Views: 598

Re: Visualize Mikrotik logs

Nope, SNMP will not provide you with that. User @Jotne has created a very nice solution using SPLUNK (Enterprise) and a script on the Mikrotik side forwarding information through SYSLOG. You can install it for free as long as you remain under 500MBytes/day logs. This provides very nice information &...
by jvanhambelgium
Mon Dec 25, 2023 10:59 am
Forum: General
Topic: mynetname.net DNS down?
Replies: 25
Views: 4224

Re: mynetname.net DNS down?

There is no such thing as ns1.mynetname.net or ns1.mynetname.net
The 2 authoritative NS listed for that domain are ns2.kissthenet.net. (159.148.172.251) and ns1.kissthenet.net. (159.148.147.201)
They both resolve on IPv4 and IPv6
by jvanhambelgium
Fri Dec 22, 2023 7:14 pm
Forum: RouterBOARD hardware
Topic: rb5009UG+S+IN
Replies: 12
Views: 2193

Re: rb5009UG+S+IN

In case you did not yet find these.

viewtopic.php?t=61007

So your product is NMEA-output support compliant ? Perhaps some fiddling with the baudrate ?

Of course all of this is RouterOS 6.x (old wiki)
by jvanhambelgium
Sun Dec 17, 2023 11:51 pm
Forum: Containers
Topic: sftpgo container
Replies: 4
Views: 3521

Re: sftpgo container

Installed it to test it .... extremely slow on my RB5009
Slow like in transferring 150Kbytes/sec across the LAN !!
The RB5009 was not really high in CPU
by jvanhambelgium
Fri Dec 15, 2023 8:28 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 263898

Re: v7.13 [stable] is released!

Upgraded without issues :

RB5009UG+S+
RB3011UiAS
by jvanhambelgium
Sat Dec 09, 2023 6:15 pm
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 4390

Re: Error when mounting adguard container

Why might this happen? I just recently started trying to set up a firewall and I don’t understand everything. For example, 172.29.45.251 is the address of your PI Hole? -> There are (Android) clients that I've seen that always contact 8.8.8.8 etc. And in case there is a client with hardcoded DNS se...
by jvanhambelgium
Sat Dec 09, 2023 11:14 am
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 4390

Re: Error when mounting adguard container

And you should "intercept" anyway classic DNS packets in case some client does not want to use the Adguard. See my example below (I use Pihole). Make sure you excluded the Adguard/Pi-hole itself using the appropriate src-address-list.

/ip firewall nat add action=dst-nat chain=dstnat comment...
by jvanhambelgium
Wed Dec 06, 2023 5:21 pm
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 4390

Re: Error when mounting adguard container

Remove the container and re-create and provide the logging=yes from the beginning. You should see a bit more output when it downloads the various layers. I agree the logging is pretty ... basic .... and will probably not reveal WHY you have this issue. You specify as root-dir=adguard => This will wr...
by jvanhambelgium
Wed Dec 06, 2023 4:24 pm
Forum: Containers
Topic: Error when mounting adguard container
Replies: 41
Views: 4390

Re: Error when mounting adguard container

Add the logging=yes directive on the container-creation command and look in the logs. Might explain more about the error.
by jvanhambelgium
Sat Dec 02, 2023 5:16 pm
Forum: General
Topic: Wireguard tunnel - speed problem
Replies: 19
Views: 3403

Re: Wireguard tunnel - speed problem

AND the Wireguard AND the PPPoE overhead probably explains why you "only" get 300-350Mbits/sec. CPU-profiler will give you insight. If you have a "spare" RB5009 you could perform a back2back test with a piece of ethernet-wire in between to see what the max is you can reach. You'l...
by jvanhambelgium
Wed Nov 29, 2023 10:51 pm
Forum: Containers
Topic: A question about ram-high Topic is solved
Replies: 5
Views: 5251

Re: A question about ram-high Topic is solved

Since this is a general setting, I would assume the total of all containers.
by jvanhambelgium
Fri Nov 24, 2023 12:21 pm
Forum: Beginner Basics
Topic: Block Intra VLAN Traffic
Replies: 7
Views: 1283

Re: Block Intra VLAN Traffic

As for using ACI instead of a single CRS326-46G-2S+ : It´s like suggesting a homeless person to move in to the royal castle. It would certainly solve his problems... :? Yep, it sure is. Totally different worlds. Good to know Mikrotik does support something like a PVLAN on certain models/chipsets so...
by jvanhambelgium
Fri Nov 24, 2023 9:39 am
Forum: Beginner Basics
Topic: Block Intra VLAN Traffic
Replies: 7
Views: 1283

Re: Block Intra VLAN Traffic

What you are looking for is called "PVLAN" construction in general (Private VLAN) and you would be using some form of "Isolated Ports" in an "Isolated VLAN" construction. So 2 devices in such PVLAN cannot directly talk to each other but must pass through a device connect...
by jvanhambelgium
Sun Nov 19, 2023 11:10 am
Forum: General
Topic: Remove internet-facing login
Replies: 5
Views: 1927

Re: Remove internet-facing login

Going into IP--> Services --> www and disabling port 80 unfortunately disables all web traffic to the router, including internal. So it stops router management. No need to disable it completely, but add the "Available From" values ? Eg. 192.168.x.y or multiple ranges that you want it to be...
by jvanhambelgium
Thu Nov 16, 2023 8:23 pm
Forum: General
Topic: VPN server like CIsco Asa Anyconnect
Replies: 6
Views: 1453

Re: VPN server like CIsco Asa Anyconnect

How many users ? 10 ? 500 ? 20000 ?
by jvanhambelgium
Mon Nov 13, 2023 7:20 am
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 1517

Re: Creating WAN-separated VLAN

It depends on how the devices are wired on your local LAN. These Tuyas are *wireless* right, so their traffic is hitting your router through the port on which some AP is connected ? And your DNS is the Mikrotik itself at 192.168.99.1 looking at your config. If so, change the "chain" to INP...
by jvanhambelgium
Sun Nov 12, 2023 11:21 pm
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 1517

Re: Creating WAN-separated VLAN

The DNS-blocking is going to be a bit harder if everything remains in the same "LAN". If you would be using an IoT-VLAN that would be easy to also restrict "internal" traffic flowing between VLAN's anyway. Alternative could be you provide SPECIFIC DNS-servers through DHCP-options ...
by jvanhambelgium
Sun Nov 12, 2023 5:22 pm
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 1517

Re: Creating WAN-separated VLAN

Do you have a "Tuya" bridge or something ? (like a HUE-box)
Can't you "pair" the Tuya devices natively with Zigbee to Home Assistant ? Of course you need a Zigbee "radio" for that in your HA.
by jvanhambelgium
Sun Nov 12, 2023 4:40 pm
Forum: Beginner Basics
Topic: Creating WAN-separated VLAN
Replies: 10
Views: 1517

Re: Creating WAN-separated VLAN

You don't need a separate vlan for that.
Just make sure your IoT devices get fixed IP's based on their MAC
Then block these IP on their way out.
by jvanhambelgium
Sat Nov 11, 2023 12:11 pm
Forum: Containers
Topic: Small iperf3 container
Replies: 36
Views: 8495

Re: Small iperf3 container

Could you guys as container specialists enlighten me why a container would not start if you installed it onto a SMB-share (on a RouterOS through ROSE-package) Such package is downloaded correct, container is created OK, "iperf" binary can be found on the NAS providing the SMB-share under t...
by jvanhambelgium
Sat Nov 11, 2023 11:04 am
Forum: General
Topic: problem with my routerboard 5009_no save graph after rebooot
Replies: 7
Views: 888

Re: problem with my routerboard 5009_no save graph after rebooot

apart from that ... why on earth are you rebooting daily anyway....
by jvanhambelgium
Fri Nov 10, 2023 2:49 pm
Forum: General
Topic: VPN server like CIsco Asa Anyconnect
Replies: 6
Views: 1453

Re: VPN server like CIsco Asa Anyconnect

Something like this ? I think the RB1100 AHx4 (ARM32) supports Wireguard. https://www.wiresock.net/ Note : The Cisco ASA Anyconnect Client is so much more than only "a vpn client" offering basic vpn-client, advanced vpn-client, endpoint-compliance, inspection service, enterprise access, thre...
by jvanhambelgium
Mon Nov 06, 2023 11:42 pm
Forum: Beginner Basics
Topic: VLAN and network segregation. So many questions.
Replies: 4
Views: 1165

Re: VLAN and network segregation. So many questions.

and QoS ... what contract/agreement/service do you promise/sell ? You don't want 1 apartment to blast away all the bandwidth all the time. Some policing & shaping for sure needs to be done.
by jvanhambelgium
Mon Oct 30, 2023 6:38 pm
Forum: General
Topic: Manual DNS bypasses the Pihole - force redirect to pihole
Replies: 10
Views: 1789

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Ahhhh..good spotting @anav about the UDP/53 missing in the DNAT-rules. That might explain a lot.
by jvanhambelgium
Mon Oct 30, 2023 5:29 pm
Forum: General
Topic: Manual DNS bypasses the Pihole - force redirect to pihole
Replies: 10
Views: 1789

Re: Manual DNS bypasses the Pihole - force redirect to pihole

Hi, place these before the masq entries, so re-order them.

add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=\
    LAN protocol=tcp src-address-list=!excluded to-addresses=192.168.0.8 \
    to-ports=53
add action=dst-nat chain=dstnat comment=PiHole dst-port=53 in-interface-list=\ ...
by jvanhambelgium
Sat Oct 28, 2023 11:59 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1316

Re: Case Study: Disabling NAT and Firewall on LAN Routers

east-west security simply means "horizontally". Can be within a datacenter, but also between different vlan's eg on a smaller scale. It is a generic wording. depending on the environment, often the security hazards are not coming "from the outside world" alone anymore but often i...
by jvanhambelgium
Sat Oct 28, 2023 7:38 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1316

Re: Case Study: Disabling NAT and Firewall on LAN Routers

Your IPv4 standard for sure should include "east-west" security these days.
By default each of the 3 LAN's can just chit-chat with each other and that is not really a good plan...

Next-generation networks (SDx) would be intent-driven with micro-isolation already at the switchport/host.
by jvanhambelgium
Sat Oct 28, 2023 4:46 pm
Forum: General
Topic: Case Study: Disabling NAT and Firewall on LAN Routers
Replies: 11
Views: 1316

Re: Case Study: Disabling NAT and Firewall on LAN Routers

Sure this is possible. Nothing out of the ordinary, but somewhat strange. If the WAN router is some decent gear, it can do NAT for whatever is coming in from the LAN, be it through different physical interfaces, VLAN's, ranges whatever. The typical "consumer" Internet-router provided by ...
by jvanhambelgium
Wed Oct 25, 2023 5:29 pm
Forum: General
Topic: Multiwan setup with Starlink and ip/route check-gateway issue
Replies: 6
Views: 1718

Re: Multiwan setup with Starlink and ip/route check-gateway issue

Put the Starlink in a separate VRF and work from there?
You could issue some health-check to eg. 8.8.8.8 across the Starlink-vrf and make some decisions from there?
by jvanhambelgium
Tue Oct 24, 2023 8:55 am
Forum: General
Topic: RB5009 can't get automatic IP from WAN.
Replies: 4
Views: 994

Re: RB5009 can't get automatic IP from WAN.

Did you poweroff/poweron the ISP modem ? Might also be something "MAC" related in the sense that the cable-modem expects the MAC of the hEX S. Apart from that, yes you need to configure "DHCP Client" on the RB5009 in order to obtain an ISP-address. Specify the correct "WAN"...
by jvanhambelgium
Sun Oct 22, 2023 3:37 pm
Forum: General
Topic: Help with Configuration between ISP ---> Fortigate ---> Mikrotick --> LAN
Replies: 5
Views: 1215

Re: Help with Configuration between ISP ---> Fortigate ---> Mikrotick --> LAN

Why bother with the Mikrotik ? Fortinet can do the PPPoE to your ISP just fine and is a much more advanced solution than any Mikrotik when it comes to security.
by jvanhambelgium
Sat Oct 14, 2023 10:34 am
Forum: Beginner Basics
Topic: DNS usage in url
Replies: 4
Views: 1306

Re: DNS usage in url

Hello guys, i strugglin with one thing... My NAS using IP 192.168.88.200 i want to use xyz.xyz.com.pl in url but its not working, can you help me? Search the forum for "hairpin NAT" because that is what you are looking for. And post your config as requested below if you already attempted ...
by jvanhambelgium
Tue Sep 19, 2023 10:53 pm
Forum: Scripting
Topic: Update firewall list possible?
Replies: 4
Views: 1500

Re: Update firewall list possible?

The resolving of FQDN will follow the TTL-value of the zone applicable. No need to "force" to resolve this periodically. Go to /ip/dns/cache and "print". The FQDN's should be there and you will see the TTL value countdown timer.... This works fine as I have some units for which I...
by jvanhambelgium
Thu Sep 14, 2023 8:46 pm
Forum: Beginner Basics
Topic: Plex "Indirect Connection" when connecting outside of network [SOLVED]
Replies: 7
Views: 4869

Re: Plex "Indirect Connection" when connecting outside of network [SOLVED]

Hmm, if your IP falls in the range 172.16.0.0 to 172.31.255.255 you DO NOT have a true public IP !
by jvanhambelgium
Thu Sep 14, 2023 8:37 pm
Forum: Beginner Basics
Topic: Beginner Question - 1 ISP two Routers
Replies: 4
Views: 1242

Re: Beginner Question - 1 ISP two Routers

>> We only have /31 range from our ISP to use. Nope, don't think so :lol: :lol: This ISP-link always has a cable that always needs to be inserted into something...and that will be your SPOF. With a /31 that does not leave much flexibility to have a robust/dynamic setup... You still can have 2 x CCR ...
by jvanhambelgium
Wed Sep 13, 2023 6:36 pm
Forum: Beginner Basics
Topic: Plex "Indirect Connection" when connecting outside of network [SOLVED]
Replies: 7
Views: 4869

Re: Plex "Indirect Connection" when connecting outside of network [SOLVED]

Beginning with 172.x.x.x MIGHT be OK ;-) Is the IP address on the range below ? If so, then you do not have a public IP. 172.16.0.0 to 172.31.255.255 Under "Settings" , then "Network" I also filled in the field where you put a URL that points back to you. In my case for example t...
by jvanhambelgium
Wed Sep 13, 2023 12:59 pm
Forum: Beginner Basics
Topic: Plex "Indirect Connection" when connecting outside of network [SOLVED]
Replies: 7
Views: 4869

Re: Plex "Indirect Connection" when connecting outside of network [SOLVED]

Are you sure it's a public IP ? And not something like 100.64.x.x ? Your screenshot with the blurred out IP says "0" as port-number and that is not correct. I have there nicely 32400 Try the "manually specify public port" setting and put 32400 in there + Apply. See what that does...
by jvanhambelgium
Fri Sep 08, 2023 8:37 am
Forum: General
Topic: Understanding why Minecraft Server won't connect [SOLVED]
Replies: 14
Views: 4172

Re: Understanding why Minecraft Server won't connect [SOLVED]

Well...try to refer to Interface address lists like the other (apparently working ones) ?? Why do you select "ether1" and not "WAN" ? You tried and it doesn't work ? You reference "ether1" for these Minecraft rules but that might be wrong. If you are using PPPoE for ex...
by jvanhambelgium
Tue Sep 05, 2023 7:47 am
Forum: General
Topic: Dealing with datacaps; can burst help?
Replies: 2
Views: 1018

Re: Dealing with datacaps; can burst help?

Interesting use-case, but I think everybody has moved from stand-alone approaches (on the CPE itself) to centralized, API-driven solutions? So all devices would report their usage to keep track of accounting centrally and through API/remote-control the cap would be enforced on the device. Perhaps...
by jvanhambelgium
Sun Sep 03, 2023 9:29 am
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 362
Views: 123786

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.9 (Graphing everything) 💾 🛠 💻 📊

I am interested in the way you run splunk inside ubuntu, how did you get that working ? running syno virtual machine manager ? and than a plain ubuntu image ? and than a normal ubuntu splunk install ? I am running latest DSM on a 920+ with enough resources Indeed, just like that. I'm running on 918...
by jvanhambelgium
Sat Sep 02, 2023 6:27 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 362
Views: 123786

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.9 (Graphing everything) 💾 🛠 💻 📊

I'm running Splunk on a Synology too, but as a VM under Ubuntu Linux, not containerized. Works OK in general, had 1 or 2 occasions where the 4GB assigned memory fell short and things fell apart ;-) >> After a while the logging to splunk stops ... Splunk generates a ton of logging messages that might...
by jvanhambelgium
Fri Sep 01, 2023 10:08 pm
Forum: General
Topic: F5 like pooling
Replies: 3
Views: 1066

Re: F5 like pooling

Ok, but you write it as if you want some mechanism of "load balancing". That is not gonna work. You can have 1 destination-NAT (so at *network* level) pointing to some backend (internal) IP and have this changed based if the backend is "up" For this to work you could have several...
by jvanhambelgium
Fri Sep 01, 2023 7:13 pm
Forum: General
Topic: F5 like pooling
Replies: 3
Views: 1066

Re: F5 like pooling

There are 2 parts to this question ; frontend & backend In the backend, you could with "Netwatch" tool have a "test" (eg. ping or http-get to backend servers and do things if they reply or not) So these would be your health-checks to the backend servers and you could enable/d...
by jvanhambelgium
Fri Sep 01, 2023 12:16 am
Forum: Containers
Topic: UniFi Controller container on RB5009 will not start after reboot
Replies: 6
Views: 4254

Re: UniFi Controller container on RB5009 will not start after reboot

Are you sure your USB-storage is still "usb1-part1" ? Don't know the release you are running, but I had the same with RB5009 on some where where each reboot the USB-drive/partition was named differently! This whole container thing on eg. RB5009 still is a bit "hit & miss" fo...
by jvanhambelgium
Sat Aug 26, 2023 11:26 pm
Forum: General
Topic: No WAN access via Wireguard
Replies: 16
Views: 3348

Re: No WAN access via Wireguard

That is why I have such separate rules masq-rules for anything that needs to go out on Internet coming from eg. Wireguard or ZeroTier "zone"
So at least this gives me logging & counters in case certain things do not work and it might be easier to "pick up" along the way.
by jvanhambelgium
Sat Aug 26, 2023 5:05 pm
Forum: Wireless Networking
Topic: WiFi for large RV park?
Replies: 12
Views: 3611

Re: WiFi for large RV park?

I would start by looking at the map of the RV-park and where the RV's are going to be stationed/clustered and work from there. Remember Wifi is 2-way, so the client also needs to communicate back. Some endpoint have better antenna's than others etc. But outdoor there is a lot of things to consider t...
by jvanhambelgium
Thu Aug 24, 2023 3:26 pm
Forum: Beginner Basics
Topic: Anyone ever have issues with Wireguard to mikrotik?
Replies: 10
Views: 2743

Re: Anyone ever have issues with Wireguard to mikrotik?

Best is to make packet-capture and spot for issues....this smells indeed MTU or alike. If you get authentication-box already etc then I doubt "settings" of Wireguard are at play here. Firewall-rules also seems OK at this point then, but that can be checked in the logs (if you enable loggin...
by jvanhambelgium
Thu Aug 24, 2023 8:49 am
Forum: General
Topic: No WAN access via Wireguard
Replies: 16
Views: 3348

Re: No WAN access via Wireguard

logging - logging - logging

Enable logging on any rule that has a "drop" in there, and filter for your endpoint 10.180.5.2/32
There has to be some trace of a rule that seems to stop your packets from going out.
by jvanhambelgium
Sun Aug 20, 2023 10:01 pm
Forum: Containers
Topic: Container + ROSE-SMB storage
Replies: 4
Views: 4301

Re: Container + ROSE-SMB storage

The "pull" works fine. I see the folder being created (the first time after I alter the path) and I see a growing *.gz file while it is being downloaded...then suddenly everything stops and it is removed from the NAS and it throws an "error". Usually 1 or 2 "layers" are pro...
by jvanhambelgium
Sun Aug 20, 2023 9:24 pm
Forum: Containers
Topic: Container + ROSE-SMB storage
Replies: 4
Views: 4301

Container + ROSE-SMB storage

Is there anyone that can explain me why the extraction of a container-image fails across a ROSE storage point ? Running the latest 7.11 on RB5009 So I've mapped an SMB on my NAS which is accessible fine (because I see files being created on it) Screenshot from 2023-08-20 20-17-12.png I've also adapt...
by jvanhambelgium
Sun Aug 20, 2023 11:21 am
Forum: Beginner Basics
Topic: Reporting a bug, or a suspected bug?
Replies: 8
Views: 1996

Re: Reporting a bug, or a suspected bug?

It is a bug for sure. Same with "Winbox"
On CLI, when doing a "print" of the vETH you get to see the IP address
On Winbox, it is 0.0.0.0 for every vETH
It was on 7.10 and now on 7.11 also.
by jvanhambelgium
Thu Aug 17, 2023 12:34 am
Forum: General
Topic: RB3011 - still a good choice?
Replies: 22
Views: 2655

Re: RB3011 - still a good choice?

I believe that the LCD screen is not supported on RouterOS 7. So, forget that the screen. LCD works just fine on my RB3011 on 7.11 But it is a gimmick for sure. Sometimes handy to see if some interface does traffic or so but in the end still a gimmick I have the RB3011 on a +- 100Mbps xDSL and it h...
by jvanhambelgium
Wed Aug 16, 2023 6:29 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 164356

Re: v7.11 [stable] is released!

Updated LAB RB3011 to 7.11 and all seems fine (for my limited use-cases ; basic PPPoE Internet, IPSEC-tunnel to RB5009 etc)
by jvanhambelgium
Wed Aug 16, 2023 4:48 pm
Forum: RouterBOARD hardware
Topic: "RouterOS on spare computer vs MikroTik device?
Replies: 10
Views: 4177

Re: "RouterOS on spare computer vs MikroTik device?

If you care about power-consumption a device like RB5009 uses much less power than "the average spare computer". When running 24x7 this might make some difference in yearly running cost. I think my RB5009 is about 9.5Watt if I look at my home-automation graphs. (because I use a SFP-module i...
by jvanhambelgium
Sun Aug 13, 2023 7:18 pm
Forum: General
Topic: Wireguard behind hotel wifi unable to establish connection to remote MT
Replies: 14
Views: 1766

Re: Wireguard behind hotel wifi unable to establish connection to remote MT

Rx counter remains at "0" on the "client" side ?
It should at least try from the hotel to reach the endpoint right ?
by jvanhambelgium
Thu Aug 10, 2023 9:29 am
Forum: General
Topic: VLANs Not Acting As Expected
Replies: 5
Views: 1053

Re: VLANs Not Acting As Expected

If you can ping it already that means that VLAN's are OK. Printers these days are quite flexible, offer dozens of (printing) protocols to choose from. They can be configured with ACL to only allow printing from certain IP-ranges etc,etc. What does your logging say ? If you define a printer on a PC on...
by jvanhambelgium
Sun Aug 06, 2023 9:37 am
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 1972

Re: Two lans on one router

Where do you want to forward port ? From Internet ? Internally between 192.168.1.x and 192.168.2.x you do not need to forward ports, (under the NAT-tab in Firewall) you simply need to make firewall-rule to ALLOW it through. (and of course *above* the rules where you block all further communication...
by jvanhambelgium
Sun Aug 06, 2023 12:27 am
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 1972

Re: Two lans on one router

Hmm, a lot of various rules, not per se "bad" but it doesn't make things easy to follow. Some forum-member will tell you this is a very messy config ;-) Anyway your question was about flows between 192.168.2.x (home-network) and 192.168.1.x (homelab-server) that should be blocked right ? (in...
by jvanhambelgium
Sat Aug 05, 2023 5:19 pm
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 1972

Re: Two lans on one router

Perhaps begin with posting your config here so things are more clear

/export file=anynameyouwish (minus router serial number and any public WANIP information)
by jvanhambelgium
Sat Aug 05, 2023 4:10 pm
Forum: Beginner Basics
Topic: Two lans on one router
Replies: 13
Views: 1972

Re: Two lans on one router

hmm...firewall rules ?
by jvanhambelgium
Mon Jul 31, 2023 4:45 pm
Forum: Containers
Topic: openspeedtest container error
Replies: 11
Views: 3930

Re: openspeedtest container error

I have similar issues on a RB5009. The USB-storage for sure is not super "stable" and after a few weeks often a container is completely trashed because the underlying USB-storage is gone. I need to unplug-replug etc. In the past I had to reformat completely. I tried USB3.0 stick directly i...
by jvanhambelgium
Fri Jul 28, 2023 10:44 am
Forum: Containers
Topic: import adguard dns container image problem
Replies: 61
Views: 17397

Re: import adguard dns container image problem

I'm still puzzled why "Adguard" is not showing any statistics *but* it seems to be working. My test-PC has hardcoded 1 single DNS pointing to the Adguard, dns-resolving works (I see exchange in a tcp-dump) but nothing in the logs or statistics-dashboard. Strange .. don't think its a permi...
by jvanhambelgium
Fri Jul 28, 2023 9:11 am
Forum: Containers
Topic: import adguard dns container image problem
Replies: 61
Views: 17397

Re: import adguard dns container image problem

Hi, Yep, seems to be a Winbox bug. On a RB3011 lab box, running the latest beta 7.11 BETA6 this "issue" is present. Winbox entries all give 0.0.0.0/0 but on console all is OK. Feel free to log a ticket on this with MT. /interface/veth> print Flags: X - disabled; R - running 0 R name="...
by jvanhambelgium
Thu Jul 27, 2023 7:25 pm
Forum: Containers
Topic: import adguard dns container image problem
Replies: 61
Views: 17397

Re: import adguard dns container image problem

Strange, Works fine here. The difference is during boot it clearly prints the veth-IP:3000 reference to login, and in your case it does not... And I confirm the GUI works fine on my test-segment 192.168.3.4:3000 ...and after first install the GUI is available ...
by jvanhambelgium
Mon Jul 24, 2023 8:16 pm
Forum: Beginner Basics
Topic: SSH from WAN
Replies: 4
Views: 1290

Re: SSH from WAN

You use the interface-list "WAN". Are you sure the ingress interface is member of that ?
When you try and it does not work, what counter increases ? The "drop all not coming from LAN"
by jvanhambelgium
Mon Jul 17, 2023 7:25 am
Forum: General
Topic: Isolation of guests (wireless+wired)
Replies: 6
Views: 820

Re: Isolation of guests (wireless+wired)

This requirement ; - have guests being able to join the network on the Guest SSID and on the TP-Link without accessing the Normal network. - On the TP-link I just want to connect the Guest without thinking about what port. This cannot be done without 802.1x implementation on the switch-side. Your TP...
by jvanhambelgium
Sat Jul 15, 2023 8:38 am
Forum: General
Topic: ERSPAN with GRE-tunnel
Replies: 2
Views: 599

Re: ERSPAN with GRE-tunnel

The only option you have is start a packet-capture on a RouterOS device and "stream" this towards any IP endpoint further down the network. On the remote end you either have some Wireshark running or probably some tool will exist to then write a pcap-file locally. (eg. rpcapd.exe) Screensh...
by jvanhambelgium
Fri Jul 14, 2023 12:20 am
Forum: Beginner Basics
Topic: Performance: 10Gbps - VLANs, and WiFi
Replies: 12
Views: 1685

Re: Performance: 10Gbps - VLANs, and WiFi

What if, for example, "Untrusted" VLAN is 10.1.1.0/24,"Semi-Trusted" VLAN is 10.1.2.0/24, "Fully-Trusted" VLAN is 10.1.3.0/24, and the file server is 10.1.4.1/24. Untrusted and Semi-Trusted can access the File Server, but Untrusted, can't. How would I do that without n...
by jvanhambelgium
Thu Jul 13, 2023 9:05 pm
Forum: Beginner Basics
Topic: Performance: 10Gbps - VLANs, and WiFi
Replies: 12
Views: 1685

Re: Performance: 10Gbps - VLANs, and WiFi

Lil off topic - but still related to file-servers ... Take a look at TrueNAS I run dozens of TrueNAS file servers. When configured correctly , they can be pretty fast. For example , I have a TrueNAS file-server with 1-TB RAM and about 256-TB of solid-state SSD drives with 100-Gig network interfac...
by jvanhambelgium
Thu Jul 13, 2023 7:39 pm
Forum: Beginner Basics
Topic: Performance: 10Gbps - VLANs, and WiFi
Replies: 12
Views: 1685

Re: Performance: 10Gbps - VLANs, and WiFi

...and with a fileserver you also need to look at aspects like NFS ACL's or SMB User-accounts etc. Being able to "reach" your fileserver does not mean you can access it / use it. Depending on the file-server model/OS , you can also apply a IP-ACL to exclude the "Untrusted" IP-ran...
by jvanhambelgium
Sun Jun 25, 2023 8:14 am
Forum: General
Topic: This should be easy
Replies: 17
Views: 1621

Re: This should be easy

>WBut, the firewall is basic, and I want to give my servers additional protection ( I get various probing attempts / hacks / brute force log in attempts every >day). So the way I envisage it, I just need some sort of packet filter between my servers and the existing LAN. It would do things like: dro...
by jvanhambelgium
Fri May 19, 2023 10:47 pm
Forum: General
Topic: Send same income packets to different servers
Replies: 2
Views: 480

Re: Send same income packets to different servers

Please explain what *service* is behind the Windows machines ? What are you trying to accomplish ? Perhaps NLB between the 2 Windows servers might be a good approach. The MikroTik then can have a DNAT pointing to the NLB-VIP and NLB will sort it out. https://learn.microsoft.com/en-us/windows-server/...
by jvanhambelgium
Wed May 10, 2023 6:00 pm
Forum: Announcements
Topic: v7.9 [stable] is released!
Replies: 242
Views: 55043

Re: v7.9 [stable] is released!

I think there is an issue with ZeroTier on the 7.9-stable release. After 1-2 days the ZeroTier loses its LEAF & PLANET connections for some reason. Stopping & Starting resolved it and then you are good to go another 1-2 days. This on RB5009 system. Don't think a SUPOUT will do any good here...
by jvanhambelgium
Mon May 01, 2023 6:30 pm
Forum: RouterOS beta
Topic: 7.8beta2 adds new package ROSE-storage
Replies: 67
Views: 27221

Re: 7.8beta2 adds new package ROSE-storage

Try with NFS v3, that works for me...
Hmm, I can't really force that on the NAS. I can enable/disable NFSv4.1 , but other than that its "enable or disable" NFS as a whole.
Is there some command-flag on the ROSE package to force NFSv3 ? (doesn't look like it....)
by jvanhambelgium
Mon May 01, 2023 10:58 am
Forum: RouterOS beta
Topic: 7.8beta2 adds new package ROSE-storage
Replies: 67
Views: 27221

Re: 7.8beta2 adds new package ROSE-storage

Anyone using a Synology NAS and was able to mount a NFS-export onto a Mikrotik ? (I'm using RB3011-ARM here to test) It just won't work, getting "Protocol Not Supported" error ? (while I use the Synology with a bunch of mounts to other systems here, media-players etc. In-house I only do NF...
by jvanhambelgium
Sat Apr 29, 2023 9:40 am
Forum: General
Topic: Firewall
Replies: 3
Views: 573

Re: Firewall

Personally allowing access to a device on Internet through a "whitelisted" source-IP(s) is acceptable to me and we do that for customers across our projects. VPN is not always an option or sometimes overkill. Just make sure you have additional layers like (encrypted) authentication using c...
by jvanhambelgium
Wed Apr 26, 2023 1:12 pm
Forum: General
Topic: Natting Public Ip Over Wireguard [SOLVED]
Replies: 15
Views: 1222

Re: Natting Public Ip Over Wireguard [SOLVED]

It could be 10 things, without any config impossible to say. (could be nat, routing, ...) Did you "torch" on FW2 to see if the DNAT'ted packet arrives at that point ??? The "device" is exposed to Internet with a DNAT ? Or does this "public computer" also has Wireguard C...
by jvanhambelgium
Wed Apr 26, 2023 8:38 am
Forum: Beginner Basics
Topic: Web Proxy Doesnt Work?
Replies: 7
Views: 3084

Re: Web Proxy Doesnt Work?

So this is obsolete and not correct? In the link below "https" is not mentioned.

https://wiki.mikrotik.com/wiki/Manual:IP/Proxy

Not sure if it would insert X-Forwarded-For in the headers neither.
by jvanhambelgium
Wed Apr 26, 2023 12:43 am
Forum: Beginner Basics
Topic: Web Proxy Doesnt Work?
Replies: 7
Views: 3084

Re: Web Proxy Doesnt Work?

btw,
don't think any HTTPS will work.
the "proxy" module on Mikrotik supports HTTP only, and in 2023 only very few websites use HTTP.
by jvanhambelgium
Sat Apr 22, 2023 6:08 pm
Forum: General
Topic: Wireguard connections have no traffic, using Advanced Firewall
Replies: 16
Views: 1978

Re: Wireguard connections have no traffic, using Advanced Firewall

eh...just duplicate the rule just below and change accordingly ? Just for my own edification, if I did that it would still block my WG traffic would it not? That rule only allows traffic from one subnet and it wouldn't match that so it wouldn't matter if the next rule did. Am I misunderstanding? Ye...
by jvanhambelgium
Sat Apr 22, 2023 5:38 pm
Forum: General
Topic: Wireguard connections have no traffic, using Advanced Firewall
Replies: 16
Views: 1978

Re: Wireguard connections have no traffic, using Advanced Firewall

I found the issue. Rule 9 in the Raw table: add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address=!192.168.100.0/24 My WG connections(s) are 10.10.100.0/24 so not in the allowed IP range. Question: It seems I cant add...
by jvanhambelgium
Thu Apr 13, 2023 3:59 pm
Forum: Containers
Topic: RB5009 Hello World
Replies: 10
Views: 4751

Re: RB5009 Hello World

Since I've inserted a USB 2.0 "hub" into the RB5009 and then my SDCARD in it the disk-id remains consistent across reboots. The problem was that sometimes the card is seen as USB 3.0 and sometimes USB 2.0 which results in different "disk" ID's. At the moment I have 4 containers r...
by jvanhambelgium
Tue Apr 11, 2023 6:22 pm
Forum: General
Topic: Zerotier with Mikrotik
Replies: 1
Views: 332

Re: Zerotier with Mikrotik

I've had the same on 7.8 on my RB5009
Not often, but sometimes it was in a state "REQUEST CONFIG" or something. Stopping and starting ZeroTier services made it work again.
Now I've updated to 7.9(rc2), which bumps the ZeroTier version also to a much newer release 1.10.3
by jvanhambelgium
Sun Apr 09, 2023 8:47 pm
Forum: Containers
Topic: Container "Traefik" (on RB5009)
Replies: 6
Views: 4995

Re: Container "Traefik" (on RB5009)

I couldn't get the Traefik container to work too. Therefore I decided to use nginx-proxy . How did you install it ? I tried to launch it via line below but it gives an error. add remote-image=jc21/nginx-proxy-manager:latest interface=veth4 root-dir=/usb3-part1/npm mounts=npm_data,npm_encrypt start-...
by jvanhambelgium
Sun Apr 09, 2023 8:06 pm
Forum: Containers
Topic: Container "Traefik" (on RB5009)
Replies: 6
Views: 4995

Re: Container "Traefik" (on RB5009)

I couldn't get the Traefik container to work too. Therefore I decided to use nginx-proxy.
Yes but this requires a DB in the backend. I have NPM also running on a Synology NAS combined with MariaDB where the config is stored for NPM ?
by jvanhambelgium
Sun Apr 09, 2023 12:26 pm
Forum: Containers
Topic: Container "Traefik" (on RB5009)
Replies: 6
Views: 4995

Container "Traefik" (on RB5009)

Anyone here has practical working container like "Traefik" operational ? (can serve as reverse-proxy) I've imported it and I can start it, but dash-board for example does not work. Also what about its config file "traefik.yml" ? I've shelled into the container but cannot find any...
by jvanhambelgium
Sun Apr 09, 2023 9:06 am
Forum: General
Topic: Using ISP for internet/Wifi but keep routing through Mikrotik due to hap ax3 bad wifi throughput/performance
Replies: 11
Views: 922

Re: Using ISP for internet/Wifi but keep routing through Mikrotik due to hap ax3 bad wifi throughput/performance

Your wireless scenario is not possible unless you have an advanced ISP-router that you fully control.
Some "static routes" are not enough, this sounds more like some policy-routing based on certain criteria.

The "wired" scenario is basic and will work.
by jvanhambelgium
Fri Apr 07, 2023 3:33 pm
Forum: General
Topic: CRS 354-48g-4s+2q+rm as a core router in a company
Replies: 6
Views: 691

Re: CRS 354-48g-4s+2q+rm as a core router in a company

Depends... What is the PPPoE link ? 100Mbit ? 1000MBits ?? If only a 100Mbits Internet link I would risk it. Don't expect 500Mbps Internet performance or something... Your product is a SWITCH with a pretty weak CPU, so if you start using as a breakout-router to Internet don't expect a lot of perform...
by jvanhambelgium
Fri Apr 07, 2023 3:09 pm
Forum: General
Topic: I think my config looks correct, but operates incorrectly
Replies: 4
Views: 407

Re: I think my config looks correct, but operates incorrectly

TP-Link "management" (webgui) are always untagged packets, it's not like an enterprise-grade switch where you can "dictate" which VLAN the Management should be. So, untagged frames will end up on the port "ether4" on the HEX Why would you think you'll get an IP from 192.1...
by jvanhambelgium
Tue Apr 04, 2023 11:58 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 139976

Re: v7.8 [stable] is released!

Anyone else having this thingy with USB storage that keeps changing with each reboot from usb1-part1 to usb2-part1 etc ? Basically breaking containers etc between reboots. Was it possible to refer to a "label" in the container-settings ? yes, add "slot=DATA" parameter to your di...
by jvanhambelgium
Sun Apr 02, 2023 8:57 pm
Forum: Beginner Basics
Topic: Which router model for Internet Cafe (150 PCs)?
Replies: 8
Views: 1081

Re: Which router model for Internet Cafe (150 PCs)?

i5 - 7400 , 16g ram? if you already have it available go with it, it will perform better than a rb4011/rb5009 Thank you Chechito. Is the i5-7400 better than CCR2004? Better? you only have 150 clients and 1Gbits at most. i5 is even overkill. RB4011 or RB5009 will serve your Internet Cafe without eve...
by jvanhambelgium
Sun Apr 02, 2023 11:15 am
Forum: General
Topic: Web Proxy
Replies: 5
Views: 648

Re: Web Proxy

Is there another way to log visited sites? You could always go down the DNS path (analyse resolved entries), but that will not give you granularity *what* has been exactly visited. And off course not all DNS-lookups lead to visited "websites" so no real 100% match for your requirements. I...
by jvanhambelgium
Sun Apr 02, 2023 10:10 am
Forum: General
Topic: Web Proxy
Replies: 5
Views: 648

Re: Web Proxy

Mikrotik should remove this "web proxy" module altogether from RouterOS. It is only for HTTP and does not support HTTPS. Most Internet traffic these days is HTTPS. To put in some numbers (from Netflow). The last 24h my router processed about 89.000 flows on port 443 , while "port 80&...
by jvanhambelgium
Sat Apr 01, 2023 11:45 am
Forum: Containers
Topic: RB5009 Hello World
Replies: 10
Views: 4751

Re: RB5009 Hello World

Last week I disabled my Pi-hole container on RB5009 and returned to the container on my Synology NAS where it used to work flawlessly for years. "Once it runs" it is quite stable, but I experienced things like ; cannot start container anymore after an update-only reboot helps, USB-storage ...
by jvanhambelgium
Mon Mar 27, 2023 12:18 am
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 139976

Re: v7.8 [stable] is released!

Anyone else having this thingy with USB storage that keeps changing with each reboot from usb1-part1 to usb2-part1 etc ? Basically breaking containers etc between reboots. Was it possible to refer to a "label" in the container-settings ? /container mounts add dst=/etc/pihole name=etc_pihol...
by jvanhambelgium
Wed Mar 22, 2023 8:12 pm
Forum: General
Topic: Need some advice
Replies: 2
Views: 293

Re: Need some advice

What 6500-E chassis do you have ? 6503 / 6504 / 6506 / 6509 / 6513 ? What SUP's have you installed ? It all depends on the features & services that you use today on these chassis. Without knowing that its impossible to say of a Mikrotik switch would be capable to act as a replacement. The Cisco ...
by jvanhambelgium
Sun Mar 19, 2023 11:34 am
Forum: General
Topic: Network discovery over wireguard
Replies: 33
Views: 4707

Re: Network discovery over wireguard

Or an EOIP layer over wireguard. Even ROMON works then. Yes, but EoIP tunneling is bridging right ? So this means the user must "extend" his office LAN down to the home. What about the different VLAN's in the office. Let's say IPCAM VLAN in the office and IOT/MEDIA VLAN in the office, bot...
by jvanhambelgium
Sun Mar 19, 2023 9:35 am
Forum: General
Topic: Network discovery over wireguard
Replies: 33
Views: 4707

Re: Network discovery over wireguard

Please help me understand, is the reason that none of the devices at either end of the wireguard tunnel show up via network discovery because network discovery only works for devices on the same subnet? I'm going to base the next paragraph on this assumption. Depending in its implementation of this ...
by jvanhambelgium
Tue Mar 07, 2023 11:07 pm
Forum: General
Topic: How to use 3 DHCP for load balancing and Failover
Replies: 15
Views: 1515

Re: How to use 3 DHCP for load balancing and Failover

Ahhh..that is not going to work ;-) You cannot gain failover with regards to that aspect. If you have 1 "flat" network why not look at VRRP ? If you network is flat and you don't have Internet ... WHAT IS the gateway ? You need one ? Is any of these 3 routers a gateway to somewhere ?? Hi ...
by jvanhambelgium
Tue Mar 07, 2023 9:46 pm
Forum: General
Topic: How to use 3 DHCP for load balancing and Failover
Replies: 15
Views: 1515

Re: How to use 3 DHCP for load balancing and Failover

Hi. yes, its plain flat. the reason i am using 3x dhcp is frequent power cuts that can affect one or two routers...so at least one can serve the clients remaining. Question: the clients will not need a gateway? if an assign one, and its the one going down what happens? Thank you again for your time...
by jvanhambelgium
Tue Mar 07, 2023 10:45 am
Forum: General
Topic: How to use 3 DHCP for load balancing and Failover
Replies: 15
Views: 1515

Re: How to use 3 DHCP for load balancing and Failover

Since it is only "Intranet" you can deal with the failover/redundancy by using a larger scope and divide it across the 3 Eg. 172.16.0.0/16 , so this is a large IP-space, especially for only 300 devices. On all 3 , the "network" would be 172.16.0.0/16 , but the differences will be...
by jvanhambelgium
Tue Mar 07, 2023 9:44 am
Forum: General
Topic: How to use 3 DHCP for load balancing and Failover
Replies: 15
Views: 1515

Re: How to use 3 DHCP for load balancing and Failover

Since it is only "Intranet" you can deal with the failover/redundancy by using a larger scope and divide it across the 3 Eg. 172.16.0.0/16 , so this is a large IP-space, especially for only 300 devices. On all 3 , the "network" would be 172.16.0.0/16 , but the differences will be ...
by jvanhambelgium
Mon Mar 06, 2023 5:32 pm
Forum: Beginner Basics
Topic: trafic flow monitoring setup - PRTG
Replies: 3
Views: 682

Re: trafic flow monitoring setup - PRTG

Did you try to actually put something in the "Source Address" in the target config ? So in stead of 0.0.0.0 put 192.168.7.254 or whatever the IP on the MT side. thank you ! Yes, I did I'm using Netflow to (towards Splunk) and this just works. is there free edition of Splunk to use? Sure, ...
by jvanhambelgium
Sun Mar 05, 2023 10:53 pm
Forum: Beginner Basics
Topic: trafic flow monitoring setup - PRTG
Replies: 3
Views: 682

Re: trafic flow monitoring setup - PRTG

Did you try to actually put something in the "Source Address" in the target config ?
So instead of 0.0.0.0 put 192.168.7.254 or whatever the IP on the MT side.

I'm using Netflow to (towards Splunk) and this just works.
by jvanhambelgium
Sun Mar 05, 2023 8:41 pm
Forum: General
Topic: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]
Replies: 5
Views: 2025

Re: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]

I've tried them on my RB5009 on the latest 7.8 and I do get *a lot* of errors where the list fails to update. Some even " script error: error - contact MikroTik support and send a supout file (10) " On what platform did you test these scripts ? After...
by jvanhambelgium
Sun Mar 05, 2023 6:20 pm
Forum: General
Topic: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]
Replies: 5
Views: 2025

Re: Turn Mikrotik into a POWERFULL FireWall with BlackList Firehol [SOLVED]

This is unnecessary, all input on the WAN side should be blocked by default. Sure, but you could also block OUTGOING traffic towards any of these IP's. This might indicate some internal compromise of some system. And IF you run any services (eg. webserver, VPN-server) you cannot just "all inpu...
by jvanhambelgium
Sun Mar 05, 2023 11:11 am
Forum: General
Topic: Backhaul Routing Failure
Replies: 2
Views: 363

Re: Backhaul Routing Failure

:-? :roll:
by jvanhambelgium
Thu Mar 02, 2023 10:00 pm
Forum: Beginner Basics
Topic: Firewall Filter tool is not efficent
Replies: 13
Views: 1760

Re: Firewall Filter tool is not efficent

I agree with you, Now give me the solution or recommend me another hardware or equipment which full fill my need Thanks in advance That is going to cost you vastly more ... Palo Alto FW, Checkpoint, Fortinet, etc (and dozens others) have the required power to identify applications and thus allow yo...
by jvanhambelgium
Tue Feb 28, 2023 8:44 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 139976

Re: v7.8 [stable] is released!

Updated my RB5009. No issues so far. The "flashing" SFP interface window in Winbox seems fixed and remains stable. My SFP S+RJ10 works just fine. The only thing is this usb-drive mapping/naming. Now it became usb2-part1 (it was usb1-part1 on 7.7) so ...
by jvanhambelgium
Fri Feb 24, 2023 12:07 pm
Forum: RouterBOARD hardware
Topic: OOB Access to remote infrastructure
Replies: 5
Views: 2551

Re: OOB Access to remote infrastructure

This thing has serial ports ? Alternatively you can just use the "ethernet" ports no ? 1 cable to RB4011 and 1 ethernet to CRS328-24G-4S+ and make the appropriate IP-config.
by jvanhambelgium
Fri Feb 24, 2023 8:58 am
Forum: RouterBOARD hardware
Topic: OOB Access to remote infrastructure
Replies: 5
Views: 2551

Re: OOB Access to remote infrastructure

Small ARM/ARM64-based MT-device and then a ZeroTier "OOB" network ?
No hassle with launching VPN's etc. It's always "connected" via the cloud-switch. (zerotier)
by jvanhambelgium
Fri Feb 03, 2023 3:38 pm
Forum: General
Topic: How to access Mikrotik behind Starlink (CGNAT) [SOLVED]
Replies: 50
Views: 11620

Re: How to access Mikrotik behind Starlink (CGNAT)

Install TeamViewer on a PC if that PC belongs to you or is from your company?
When you take over the PC, you can Winbox straight to the Mikrotik.
by jvanhambelgium
Fri Feb 03, 2023 11:29 am
Forum: Beginner Basics
Topic: redirecting friendly.url.com/whatever to a local.ip:port
Replies: 4
Views: 503

Re: redirecting friendly.url.com/whatever to a local.ip:port

Not possible with Mikrotik.
If your MT supports "containers" you can consider trying to get something like NGINX/Traefik etc active and "redirect" from there.
You need a reverse-proxy of some sort for these functions and MT does not have it embedded.
by jvanhambelgium
Tue Jan 31, 2023 7:44 am
Forum: Beginner Basics
Topic: Docker? Does anybody use it?
Replies: 16
Views: 3440

Re: Docker? Does anybody use it?

Pi-hole works just fine here on my RB5009. Sure, it consumes quite some RAM, but performance is fine in my HOME scenario. Don't know if the container could be optimized to use even less. If you in Pi-hole GUI and check the utilization there ; Total CPU utilization: 0.2% Memory utilization: 1.9% Used...
by jvanhambelgium
Mon Jan 30, 2023 8:26 pm
Forum: RouterOS beta
Topic: 7.8beta2 adds new package ROSE-storage
Replies: 67
Views: 27221

Re: 7.8beta2 adds new package ROSE-storage

ZFS - probably more complicated Yeah, both BTRFS and ZFS are great choices but as the latter is a third party add-on (originated from Sun Microsystems) it would likely be harder to maintain. likely ? Look at for example the ZeroTier package ; MT released it at version 1.6.6 and it was never updated...
by jvanhambelgium
Sun Jan 29, 2023 12:30 pm
Forum: RouterOS beta
Topic: RB5009UPr+S+ Bandwidth Issue
Replies: 27
Views: 4540

Re: RB5009UPr+S+ Bandwidth Issue

The only test that I can think of is to disconnect the ONT/dumb-switch and effectively place a PC on your "WAN" port and "simulate" your Internet. If you also cannot push 1Gbit/sec through the RB5009 then the unit really is faulty, really. I can't imagine a "netinstall"...
by jvanhambelgium
Sat Jan 28, 2023 9:28 pm
Forum: General
Topic: RouterOS IP Firewall Filter Rules not working?
Replies: 7
Views: 1253

Re: RouterOS IP Firewall Filter Rules not working?

Are you using the Mikrotik as a DNS-server ?
Then it is normal that FORWARD chain will not deal with any traffic GENERATED by the Mikrotik (example ; upstream DNS queries) or RESPONSES back to the Mikrotik.
by jvanhambelgium
Sat Jan 28, 2023 8:34 pm
Forum: RouterOS beta
Topic: RB5009UPr+S+ Bandwidth Issue
Replies: 27
Views: 4540

Re: RB5009UPr+S+ Bandwidth Issue

So for my understanding, the "WAN" interface is configured just to obtain via DHCP a IP-address from the ISP, no PPPoE anymore right ? Really, really weird phenomena you have with RB5009. Did you reboot after setting the MTU back to default value ? Could you perform a complete factory-rese...
by jvanhambelgium
Sat Jan 28, 2023 11:39 am
Forum: RouterOS beta
Topic: RB5009UPr+S+ Bandwidth Issue
Replies: 27
Views: 4540

Re: RB5009UPr+S+ Bandwidth Issue

Reset the L2MTU value on the RB5009 again to default value and try again ?
What effect does this have ?
by jvanhambelgium
Fri Jan 27, 2023 9:35 pm
Forum: Beginner Basics
Topic: how to use multiple ip's from one wan?
Replies: 6
Views: 1031

Re: how to use multiple ip's from one wan?

Who said your ISP allows you to use anything else than 192.168.1.1 ?
It does not mean that if you see some /24 mask somewhere that you can use that whole block. Check with your ISP for confirmation.
by jvanhambelgium
Thu Jan 26, 2023 6:11 pm
Forum: Useful user articles
Topic: Configuration to block users that tries to access router on non open port(s)
Replies: 86
Views: 25021

Re: Configuration to block users that tries to access router on non open port(s)

As ISP I have mitigation center. If for some reason my network is under attack, the traffic instead of the usual 3ms latency go to 35/45ms because all is routed trough the cloudflare center than have power to filter any DDoS attack... I can't reveal other detail for N.D.A. but ask your ISP to use s...
by jvanhambelgium
Thu Jan 26, 2023 10:23 am
Forum: Announcements
Topic: v7.8beta [testing] is released!
Replies: 307
Views: 75617

Re: v7.8beta [testing] is released!

This will be my last post on this as it's getting off-topic, but ZeroTier is a pretty basic SD-WAN and is in no way equivalent to the capabilities, flexibility, and scalability of SD-WAN from vendors like Cisco-Viptela, Palo Alto-CloudGenix,VMware-VeloCloud, Fortinet SD-WAN, etc. mpvpn, meshvpn, sd...
by jvanhambelgium
Mon Jan 23, 2023 9:14 pm
Forum: Beginner Basics
Topic: Zerotier Site to Site LAN issue
Replies: 10
Views: 1429

Re: Zerotier Site to Site LAN issue

Perhaps you could torch/packet-capture on the RB5009 to see if packets destined for 10.128.64.0/24 are *effectively* arriving here ? I fired up my (lab) installation to check on the rules. Could you on the rb5009, create in the FORWARD chain a accept-rule that allows "in-interface" = BRIDG...
by jvanhambelgium
Mon Jan 23, 2023 5:49 pm
Forum: Beginner Basics
Topic: Zerotier Site to Site LAN issue
Replies: 10
Views: 1429

Re: Zerotier Site to Site LAN issue

As a test, could you add the "zerotier1" interface to the LAN interface LIST ?
Very weird that with all firewall-rules disabled (which should mean "allow any any") things don't seem to work in your setup.
by jvanhambelgium
Mon Jan 23, 2023 2:42 pm
Forum: Beginner Basics
Topic: Zerotier Site to Site LAN issue
Replies: 10
Views: 1429

Re: Zerotier Site to Site LAN issue

Did you effectively add a route in the ZeroTier admin-panel ? So something like 10.128.64.0/24 via 192.168.42.3 I have such a setup with both an RB5009 and RB3011 hooked into ZeroTier and I can access (from a PC on the RB5009-LAN) a server sitting behind the RB3011-LAN and you have to do the same i...
by jvanhambelgium
Mon Jan 23, 2023 1:37 pm
Forum: Beginner Basics
Topic: Zerotier Site to Site LAN issue
Replies: 10
Views: 1429

Re: Zerotier Site to Site LAN issue

Did you effectively add a route in the ZeroTier admin-panel ?
So something like

10.128.64.0/24 via 192.168.42.3

I have such a setup with both an RB5009 and RB3011 hooked into ZeroTier and I can access (from a PC on the RB5009-LAN) a server sitting behind the RB3011-LAN
by jvanhambelgium
Sun Jan 22, 2023 4:38 pm
Forum: General
Topic: Locked out!
Replies: 16
Views: 1915

Re: Locked out!

Then I guess it will be a 100 mile trip for you...not much other options it seems. Perhaps in the future try to use Winbox SAFE-MODE while making such modifications from a remote location... After that test the changes by initiating a new/fresh session Only when 100% sure perform the commit. https:/...
by jvanhambelgium
Sun Jan 22, 2023 10:01 am
Forum: General
Topic: Locked out!
Replies: 16
Views: 1915

Re: Locked out!

So no other local-device / server onsite that you might use as a jumphost (ssh is enough) ? Unless of course that change you made to a firewall-rule was significant enough to really block everything on the input-chain... If so, schedule a nice 100mile trip because there are no other remote "ba...
by jvanhambelgium
Wed Jan 18, 2023 7:16 pm
Forum: Beginner Basics
Topic: Help with logging
Replies: 1
Views: 335

Re: Help with logging

Yes that will work, but you might see other messages too which are "info" level messages.
As far as I know, you cannot make a specific FILTER based on the message-content itself ; that would be even more flexible.
by jvanhambelgium
Wed Jan 18, 2023 6:17 pm
Forum: Beginner Basics
Topic: How to Whitelist IP
Replies: 5
Views: 587

Re: How to Whitelist IP

If you could obtain a config-extract from your customer you'll probably get some support here. However the question is ; does your customer even know how to login this Mikrotik and perform some basic things ?? If not, advise him to get in touch with some Mikrotik consultant who can perform this thin...
by jvanhambelgium
Wed Jan 18, 2023 5:16 pm
Forum: Beginner Basics
Topic: How to Whitelist IP
Replies: 5
Views: 587

Re: How to Whitelist IP

Hello, I work for a security company installing CCTV and Audio. I'm having issues with SIP registration from the speaker to our PBX server. From what I gathered from the speaker manufacturer a Pcap determined the firewall is blocking the data. Unfortunately I'm not a network expert and the custome...
by jvanhambelgium
Sat Jan 14, 2023 12:08 am
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 113933

Re: v7.7 [stable] is released!

Are there any people with a broken ZeroTier setup in this release ?? ZT on my RB5009 is broken. Stuck in the state "Requesting_Configuration" it seems. Worked just fine on 7.6 My LAB-3011 was also upgraded (first) and ZT is working fine here, that's the strange thing. The "LEAF" ...
by jvanhambelgium
Fri Jan 13, 2023 12:14 am
Forum: Announcements
Topic: v7.7 [stable] is released!
Replies: 357
Views: 113933

Re: v7.7 [stable] is released!

Updated RB5009 with SFP module "S+RJ10" but see in Winbox some "flipping" behaviour, switching between 1G & 10G but the connection (on top of this interface my PPPoE runs) is just fine, 0 errors, maximum performance. So at this point I'm not sure if this a "Winbox" ...
by jvanhambelgium
Thu Jan 12, 2023 11:41 pm
Forum: Containers
Topic: openspeedtest mikrotik ready container Topic is solved
Replies: 18
Views: 11476

Re: openspeedtest mikrotik ready container Topic is solved

I've just performed the update to ROS 7.7 STABLE on the RB5009 and this container does not want to start anymore : Screenshot from 2023-01-12 22-39-51.png Any clue why this suddenly happens ? On 7.6 I never saw this. What is the fix for this ? It does not look like I can pass an ENV-variable forcing...
by jvanhambelgium
Tue Jan 10, 2023 9:58 pm
Forum: General
Topic: RouterOS can't use ingress port 53 [SOLVED]
Replies: 18
Views: 2381

Re: RouterOS can't use ingress port 53 [SOLVED]

Change the in-interface to "pppoe-out1" ?
by jvanhambelgium
Tue Jan 03, 2023 12:12 pm
Forum: General
Topic: Monitoring dropped packets [SOLVED]
Replies: 1
Views: 885

Re: Monitoring dropped packets [SOLVED]

The Tx/Rx "drops" you refer to (at interface level) are NOT related to FIREWALL DROPS etc. These are drops at the eg. ethernet level due to mismatches,cable-problems (crc errors etc) and other transmission issues. So this "counter" should ideally be "0" You cannot moni...
by jvanhambelgium
Thu Dec 29, 2022 9:52 am
Forum: The Dude
Topic: A Cisco Stack probe
Replies: 1
Views: 2031

Re: A Cisco Stack probe

The stack will also report this by itself through SNMP (trap) and/or SYSLOG.
by jvanhambelgium
Sat Dec 17, 2022 8:24 am
Forum: General
Topic: Help about setting a wireguard client on routeros.
Replies: 6
Views: 1464

Re: Help about setting a wireguard client on routeros.

I'm even surprised this would work in China. Wireguard is rather easy for an advanced firewall to detect & filter....that might be the reason why you only see "Tx" traffic :(
by jvanhambelgium
Wed Dec 14, 2022 4:24 pm
Forum: Containers
Topic: How upgrade container?
Replies: 15
Views: 6547

Re: How upgrade container?

Updated my Pi-hole yesterday on the RB5009 and 30seconds later it was already back up & running with all config (because stored outside the container-image)
Can't be more simple than this...
by jvanhambelgium
Wed Dec 14, 2022 9:00 am
Forum: Wireless Networking
Topic: 20 floors hotel WiFi scenario
Replies: 18
Views: 2502

Re: 20 floors hotel WiFi scenario

Guys, Hi! I want to share WiFi access for 20 floors hotel with 143 rooms. The building is high, not wide. I have rj45 cable with 1000mbps link on first floor. I want to be cable less scenario. (I'm not a pro) I want to have captive portal with login (codes or username+password) I want to make my own ...
by jvanhambelgium
Tue Dec 13, 2022 7:12 pm
Forum: RouterBOARD hardware
Topic: Please in the future remove DC Jack input...
Replies: 19
Views: 2290

Re: Please in the future remove DC Jack input...

But why would a professional installation ever use a dual power supply? Because we feed the device from 2 separate UPS's or Incoming Circuit + ATS/Battery Backup to maximize uptime. Trust me you don't want to relive the CCR1036 days where it came with 1x psu and that psu came with a design flaw ......
by jvanhambelgium
Mon Dec 12, 2022 11:04 pm
Forum: Containers
Topic: How upgrade container?
Replies: 15
Views: 6547

Re: How upgrade container?

If you made folder-mappings / mounts on the Pihole container pointing to some USB-storage for eg. /etc/pihole I would think there is no need to export/restore the config as it is not deleted when you delete the Pihole-container ? 1) Stop the container 2) Delete the container 3) Pull newest instance ...
by jvanhambelgium
Sat Dec 10, 2022 7:29 pm
Forum: General
Topic: Recommendations for linux-based software to read Traffic Flows and make Unifi-like pretty graphs
Replies: 2
Views: 591

Re: Recommendations for linux-based software to read Traffic Flows and make Unifi-like pretty graphs

Splunk is also an option, and then you can benefit from the contribution @Jotne made // see this topic https://forum.mikrotik.com/viewtopic.php?p=969505&hilit=Splunk#p888798 In addition, you can install the Netflow module on Splunk to also process Netflow data. But again, this requires quite som...
by jvanhambelgium
Sat Dec 10, 2022 11:14 am
Forum: General
Topic: Wireguard VPN could not connect VLAN clients on RB3011UiAS
Replies: 6
Views: 1072

AB

Well, it seems that your VLAN setup works OK, as clients on these VLAN's can effectively go out to Internet etc It sounds also promising that from your wireguard-peers/clients you can already ping L3-VLAN IP's on the Mikrotik. Can you on the top of the "forward chain" , above the "dr...
by jvanhambelgium
Fri Dec 09, 2022 8:52 pm
Forum: General
Topic: Wireguard VPN could not connect VLAN clients on RB3011UiAS
Replies: 6
Views: 1072

Re: Wireguard VPN could not connect VLAN clients on RB3011UiAS

Are these clients all Windows PC's / servers ?
Sure there is no host-based firewall at play here ?

Remember, a Windows machine will drop pings if not sourced from the local network-range. For sure 10.66.67.x is outside any 192.168.x.x range here.
by jvanhambelgium
Tue Dec 06, 2022 10:00 am
Forum: Containers
Topic: Looking for Docker container ideas for RouterOS
Replies: 121
Views: 31047

Re: Looking for Docker container ideas for RouterOS

For another, you will notice that the current implementation requires NAT, not allowing direct access to the host's bridge. That's a sensible default, though I hope MikroTik eventually lifts it, as there are services you can only provide when bound to real hardware. My AdGuardHome runs fine with an...
by jvanhambelgium
Sat Dec 03, 2022 1:43 pm
Forum: Beginner Basics
Topic: question about Encrypting DNS request using my mikrotik [SOLVED]
Replies: 5
Views: 918

Re: question about Encrypting DNS request using my mikrotik [SOLVED]

I do not use any DoT/DoH functionality.
Reading the forums I think for sure there are bugs depending on the release you run.

But anyway, If I go to dns.nextdns.io with my Chrome on Ubuntu all seems fine. No warnings. Certificate is valid.
by jvanhambelgium
Sat Dec 03, 2022 9:42 am
Forum: Beginner Basics
Topic: question about Encrypting DNS request using my mikrotik [SOLVED]
Replies: 5
Views: 918

Re: question about Encrypting DNS request using my mikrotik [SOLVED]

The goal of the video was to make your Mikrotik a (secure) DNS "client" , so you see the certificate actions are on Mikrotik itself. All your clients on the LAN continue to keep using traditional DNS and must use the Mikrotik as their DNS. Upon receiving the regular DNS-traffic from your c...
by jvanhambelgium
Thu Dec 01, 2022 9:23 am
Forum: Scripting
Topic: Run script when ping on specific IP is detected [SOLVED]
Replies: 7
Views: 2310

Re: Run script when ping on specific IP is detected [SOLVED]

Why make a script ? "Netwatch" will do that for you... > Tools > Netwatch Then define some "targets" and what test you want to run (eg. regular ICMP or TCP-con or something) Then define "action" what to do when "Up" and/or "Down" (you can paste a scri...
by jvanhambelgium
Sun Nov 27, 2022 9:39 pm
Forum: General
Topic: CHR 7.6 firewall issues
Replies: 5
Views: 787

Re: CHR 7.6 firewall issues

So, what is this rule supposed to do ? add action= accept chain= input comment="bruteforce ssh&winbox" disabled=yes \ dst-port=1026,8292 protocol=tcp src-address-list= !bruteforce_blacklist So you ARE allowing SSH + Winbox to your router if they are NOT the bruteforce_blacklist. Why not...
by jvanhambelgium
Sun Nov 27, 2022 1:35 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 362
Views: 123786

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.8 (Graphing everything) 💾 🛠 💻 📊

Thanks Jotne! for this new release. Both updated 5.1 script & 3.8 Splunk-app are working fine over here!
by jvanhambelgium
Mon Nov 21, 2022 12:39 am
Forum: Beginner Basics
Topic: RB5009 help to configure (Switch, VLANs) [SOLVED]
Replies: 39
Views: 4262

Re: RB5009 help to configure (Switch, VLANs) [SOLVED]

There is a rule to allow ICMP; add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp This rule allows ICMP to WAN from the Internet, I changed action to drop, and there is no option to PING WAN port from the Internet, but this blocked ping to the VLAN ...
by jvanhambelgium
Fri Nov 04, 2022 6:18 pm
Forum: Containers
Topic: Error in container (Pi-hole)
Replies: 7
Views: 6319

Re: Error in container (Pi-hole)

My Pihole is running for quite some time now on my RB5009
Are you using USB storage or the 5009's NAND?
USB-storage.
by jvanhambelgium
Thu Nov 03, 2022 5:14 pm
Forum: Containers
Topic: Docker + Snort ?
Replies: 7
Views: 4423

Re: Docker + Snort ?

Isn't pihole better suited for that ? From what I can see, Snort is more for network intrusion detection. OTOH if you need Snort for detecting network intrusion, your firewall may not be up to par :D True ;-) @anav, you did not specify the bigger context ; Of course "Snort" can run on/in ...
by jvanhambelgium
Thu Nov 03, 2022 12:00 pm
Forum: Containers
Topic: Docker + Snort ?
Replies: 7
Views: 4423

Re: Docker + Snort ?

User requirements? :lol:
8) 8) 8) 8) 8)
by jvanhambelgium
Tue Nov 01, 2022 11:25 pm
Forum: General
Topic: With issues understanding firewall rules with mikrotik, migrated to fortigate
Replies: 18
Views: 1635

Re: With issues understanding firewall rules with mikrotik, migrated to fortigate

For example, similar to Fortinet we use Palo Alto modules on 1 of our environments (services > 100k users, full UTM/SSL-decrypt/webproxy/... enabled) that cost 6-digit numbers in euros only for a single line-card.... What brand of switches are you using with your palo alto? just curious i personall...
by jvanhambelgium
Tue Nov 01, 2022 8:57 pm
Forum: General
Topic: With issues understanding firewall rules with mikrotik, migrated to fortigate
Replies: 18
Views: 1635

Re: With issues understanding firewall rules with mikrotik, migrated to fortigate

Indeed, fortigate is more appropriate for the uber web gurus. Well ... you cannot really compare a RouterOS box with a Fortinet in the Firewall/UTM area...its not a fair comparison in favor of Fortigate. (similar statement for example compared to Palo Alto) This is not about being more "approp...
by jvanhambelgium
Tue Nov 01, 2022 12:02 pm
Forum: Scripting
Topic: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?
Replies: 18
Views: 2081

Re: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?

So, on my own personal RB3011 in winbox i see this in the SFP interface. MODULE PRESENT (TICK) RX LOSE TX Fault Followed by all the SFP info. This is for a BIDI module i have installed Surely if that was a duplex transceiver, surely there would be some way to have those first 3 checkboxes alert so...
by jvanhambelgium
Mon Oct 31, 2022 1:26 pm
Forum: General
Topic: VPN mynetname missing...!??? [SOLVED]
Replies: 4
Views: 1781

Re: VPN mynetname missing...!??? [SOLVED]

HI, I have a RB4011 i was looking to setup vpn but i notice that unlike in all the guides i have been through I dont have a mynetname address, it shows the routers ip address... why is this? Thank you for any input. You have a value in the "STATUS" field ? What does it say ? status (read-...
by jvanhambelgium
Mon Oct 31, 2022 1:00 pm
Forum: General
Topic: VPN mynetname missing...!??? [SOLVED]
Replies: 4
Views: 1781

Re: VPN mynetname missing...!??? [SOLVED]

You mean like this ? /ip/cloud> print ddns-enabled: yes ddns-update-interval: 1m update-time: yes public-address: XX.XX.XX.XX dns-name: XXXXXXX.sn.mynetname.net status: updated So this field "dns-name" empty ?? That can't be right ? Perhaps check with MT-support if there is something wrong...
by jvanhambelgium
Sun Oct 30, 2022 5:30 pm
Forum: General
Topic: Weird Wireguard subnet problem
Replies: 18
Views: 2026

Re: Weird Wireguard subnet problem

In theory you could have stumbled upon a bug or something, especially with these larger subnets. Your story makes sense. This 172.16.1.10 device that you are trying to ping, can you tell me something about it (Windows? Linux? custom appliance)? What is it ? Does it have a gateway set ? To where ? Ca...
by jvanhambelgium
Sun Oct 30, 2022 1:54 pm
Forum: General
Topic: Weird Wireguard subnet problem
Replies: 18
Views: 2026

Re: Weird Wireguard subnet problem

Small note, your Win10 Wireguard-config is not fully correct ; [Interface] PrivateKey = XXXXXXXXXXXXXXXXXXXXXXXX Address = 192.168.32.2/24 DNS = 192.168.0.100 You need to specify a /32 here ! Each WG-endpoint receives a /32 (well ... not really "receives" of course but you get the picture...
by jvanhambelgium
Sat Oct 29, 2022 3:58 pm
Forum: Containers
Topic: Error in container (Pi-hole)
Replies: 7
Views: 6319

Re: Error in container (Pi-hole)

I see in your config-extract : RouterOS 7.1rc4
Please upgrade to 7.6 , make an export of Pihole // delete & re-install the container // import config and try again.
In the last 7.x release some fixing was done on permissions etc.

My Pihole is running for quite some time now on my RB5009
by jvanhambelgium
Sat Oct 29, 2022 1:38 pm
Forum: RouterOS beta
Topic: I have two Internet links. I wanted to use Link 1 first and then overflow traffic shift to Link 2.
Replies: 2
Views: 2669

Re: I have two Internet links. I wanted to use Link 1 first and then overflow traffic shift to Link 2.

I don't think this is possible with Mikrotik, unless perhaps with a great deal of hacking. It's not a SDWAN-product, where you can direct streams/flows to other WAN-links eg. if interfaces are loaded for 80% or so. If the Wiki is correct, following choices are possible ; https://help.mikrotik.com/doc...
by jvanhambelgium
Sat Oct 29, 2022 10:37 am
Forum: Scripting
Topic: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?
Replies: 18
Views: 2081

Re: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?

Hmm, for sure your use-case is pretty ... "a-typical" and I don't think you can ever really monetize it properly . Because you would need to have on each location also Internet connectivity yourself for getting these alarms out. 4G/5G/LTE will be challenging in basements etc. If you want to...
by jvanhambelgium
Fri Oct 28, 2022 4:30 pm
Forum: General
Topic: Wifi Calling
Replies: 6
Views: 1154

Re: Wifi Calling

I can only tell you I can make Wifi-calls on a standard Mikrotik setup (both RB3011/RB5009) with just regular rules like 1 NAT-rule to go out etc. My wireless is Unifi, not Mikrotik , so I can't comment on a "Mikrotik Wireless" do's or don'ts for Wifi-calling. (if they exist) Never had to ...
by jvanhambelgium
Fri Oct 28, 2022 3:33 pm
Forum: General
Topic: Wifi Calling
Replies: 6
Views: 1154

Re: Wifi Calling

https://www.t-mobile.com/support/covera ... m-t-mobile

Make sure all pre-reqs are covered.
IF you have working Internet at home with 2Mbps, this should work unless you do not meet minimum requirements.
by jvanhambelgium
Thu Oct 27, 2022 2:19 pm
Forum: Scripting
Topic: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?
Replies: 18
Views: 2081

Re: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?

SNMP will not do that for you. Sure it can report if actual interface are going down or up This required some "high intelligence" like a script to evaluate some aspects like Tx/Rx power. In theory, on Mikrotik, you could have a script running that evaluates the stats on an SFP-interface. (...
by jvanhambelgium
Thu Oct 27, 2022 9:43 am
Forum: General
Topic: First Time config not working as intended
Replies: 4
Views: 543

Re: First Time config not working as intended

Firewall active on Proxmox ?
Check that first. When you ping FROM Proxmox (initiated) the return packets are probably allowed in...
If you ping remotely TO the Proxmox, they might be blocked immediately...
by jvanhambelgium
Thu Oct 27, 2022 9:37 am
Forum: Scripting
Topic: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?
Replies: 18
Views: 2081

Re: Can a Tik be used to monitor SFP RX power and create alerts when rx pwr dies?

Even if you insert this close to the splitter, whenever your "light drops" that doesn't mean there is fibercable-cut anyway! There is also the equipment from the Telco in the GPON-chain that uses your deployed DARK FIBER and lights it up! Suppose the Telco (using your deployed cables) has ...
by jvanhambelgium
Sun Oct 23, 2022 9:50 am
Forum: General
Topic: Firewall does not drop incoming multicast packets (224.0.0.252)
Replies: 6
Views: 1058

Re: Firewall does not drop incoming multicast packets (224.0.0.252)

Not really, except that my understanding of "raw" means it sits very close to the interface itself at the point where dropping various stuff is not consuming much resources (eg. no connection tracking etc) Firewall RAW table allows to selectively bypass or drop packets before connection tr...
by jvanhambelgium
Sat Oct 22, 2022 2:48 pm
Forum: Wireless Networking
Topic: SIM card solutions for WISP
Replies: 2
Views: 576

Re: SIM card solutions for WISP

Probably they won't tell you for whatever reason, commercially or perhaps they are bending regulatory rules.
I mean, its just a tariff-plan...no fancy technical solution of some sort.
by jvanhambelgium
Sat Oct 22, 2022 2:34 pm
Forum: General
Topic: flow problem in pppoe
Replies: 29
Views: 3299

Re: flow problem in pppoe

moderator note: no need to quote whole preceding post. Just use "Post Reply" button. True about the statement that todays customers are "complicated" and indeed the first thing they do IS fire up a speedtest.com :lol: :lol: You should just be careful with this 1Gbits/sec that yo...
by jvanhambelgium
Sat Oct 22, 2022 10:28 am
Forum: General
Topic: flow problem in pppoe
Replies: 29
Views: 3299

Re: flow problem in pppoe

moderator note: no need to quote whole preceding post. Just use "Post Reply" button. Are these 1Gbits/sec commercial offerings you have for your customers guaranteed ?! Or are we speaking about UP TO 1Gbits/s Is there no over-subscription at some point ? Can customer pump 1Gbits/sec 24/7/...
by jvanhambelgium
Sat Oct 22, 2022 9:58 am
Forum: General
Topic: flow problem in pppoe
Replies: 29
Views: 3299

Re: flow problem in pppoe

moderator note: no need to quote whole preceding post. Just use "Post Reply" button. Interesting approach ;-) Overclocking to 1800Mhz (instead of the 1400Mhz nominal) will give you indeed more performance and that's all nice for a home-lab / environment. If you are an ISP that would be d...
by jvanhambelgium
Sat Oct 22, 2022 9:47 am
Forum: General
Topic: WireGuard on Dual WAN scenario
Replies: 15
Views: 4598

Re: WireGuard on Dual WAN scenario

Something "a bit similar" like this one no ?
This should be possible I would think, "same interface out" as where the packets arrived.

viewtopic.php?t=82761
by jvanhambelgium
Fri Oct 21, 2022 3:57 pm
Forum: General
Topic: flow problem in pppoe
Replies: 29
Views: 3299

Re: flow problem in pppoe

With your 4011 you might be hitting a limit yes in a PPPoE-client setup if you want to exceed 1Gbps... It's not exact science and various variables influence the result. My ISP here for example, for home (fiber) "GPON" subscriptions, PPPoE is not used anymore ... using DHCP and ethernet-fr...
by jvanhambelgium
Fri Oct 21, 2022 9:36 am
Forum: General
Topic: flow problem in pppoe
Replies: 29
Views: 3299

Re: flow problem in pppoe

I'm pretty sure several other products with the hardware-design (= generic CPU/same clockspeeds, no ASIC's) face the same with PPPoE (client) setups. This is not limited to Mikrotik only. Your test of using PPPoE on a 10Gbits/sec link is really not a good "realworld example". Nobody in the ...
by jvanhambelgium
Fri Oct 21, 2022 8:12 am
Forum: General
Topic: flow problem in pppoe
Replies: 29
Views: 3299

Re: flow problem in pppoe

My 2 cents, Your observation is very correct, PPPoE activities are done on 1 CPU-core. Always have, and probably always will. (not only on RouterOS but eg. OpenWRT, BSD too etc) So you would benefit from a very high-clock rate to further increase this. On these more 1Gbps (and up) links ... move awa...
by jvanhambelgium
Wed Oct 19, 2022 11:49 pm
Forum: Containers
Topic: Looking for Docker container ideas for RouterOS
Replies: 121
Views: 31047

Re: Looking for Docker container ideas for RouterOS

I've updated my RB5009 to 7.6 and running 1 "pihole" container in production. As some reported earlier, I'm not really convinced about good "memory management" here (read : looks like a memory leak?) I'm going to evaluate for the coming days...luckily an RB5009 has 1Gbytes so the...
by jvanhambelgium
Wed Oct 19, 2022 3:04 pm
Forum: General
Topic: Installing pihole in a container - hAP ac^2
Replies: 6
Views: 2495

Re: Installing pihole in a container - hAP ac^2

keep in mind RB 3011 has 1GByte of RAM Memory, while hAP ac^2 only has 128MB (some scarce and rare units have 256mb) I notice this too. I don't think "pihole" will ever fly well on hAP ac^2 ! Both my RB5009 & RB3011 have 1Gbyte of RAM and starting the pihole container consumes more th...
by jvanhambelgium
Tue Oct 18, 2022 10:58 pm
Forum: Announcements
Topic: v7.6 [stable] is released!
Replies: 279
Views: 142882

Re: v7.6 [stable] is released!

Updated my RB5009 from 7.5 to 7.6 (both RouterOS + firmware)
No issues in my setup.
by jvanhambelgium
Tue Oct 18, 2022 9:05 am
Forum: General
Topic: Mikrotik with Squid Proxy
Replies: 2
Views: 1615

Re: Mikrotik with Squid Proxy

Yeah, it doesn't work (so simple) like that in this scenario.
Did you configure your Squid as TRANSPARENT proxy ? (and not standard "explicit")

https://linuxtechlab.com/squid-transpar ... iguration/
by jvanhambelgium
Mon Oct 17, 2022 7:04 pm
Forum: General
Topic: To MT: Keep accounting (v7.x)
Replies: 50
Views: 17000

Re: To MT: Keep accounting (v7.x)

I want to monitor the internet usage of all my clients in the network Per IP. Since IP/Accounting has been removed from v7, is there any solution for that? which tool can I use except splunk ? You could use the "Kid Control" and recycle parts of the script Jotne has provided. With the diff...
by jvanhambelgium
Mon Oct 17, 2022 1:41 pm
Forum: General
Topic: Mikrotik Wireguard
Replies: 21
Views: 2087

Re: Mikrotik Wireguard

Don't tell me you started from an EMPTY config (NOTHING in it) and only added the lines above ?
:shock: :lol: 8)
by jvanhambelgium
Sun Oct 16, 2022 9:28 pm
Forum: Beginner Basics
Topic: Wireguard - clients cannot complete handshake [SOLVED]
Replies: 18
Views: 4958

Re: Wireguard - clients cannot complete handshake [SOLVED]

Like in your config, the INPUT-chain must have 1 rule to allow UDP/xxxxx (whatever you run WG on) on the WAN-interface. Now all depends on the config, but my FORWARD chain also has 2 rules to allow traffic FROM/TO the "peers" (eg. a peer that needs to connect to my Plex-server on LAN etc) ...
by jvanhambelgium
Sun Oct 16, 2022 8:05 pm
Forum: Beginner Basics
Topic: Chateau 5G prot forwarding - help needed [SOLVED]
Replies: 5
Views: 1072

Re: Chateau 5G prot forwarding - help needed [SOLVED]

Thank you, very interesting and educative post, unfortunately does require a bit of time as it should. Will try to figure it out. Long story short from what I've figured out steps 5 and 6 are related for providing access for dynamic WAN IP addresses. Step 5 got me thinking I might not have a public...
by jvanhambelgium
Sun Oct 16, 2022 2:14 pm
Forum: Beginner Basics
Topic: Wireguard - clients cannot complete handshake [SOLVED]
Replies: 18
Views: 4958

Re: Wireguard - clients cannot complete handshake [SOLVED]

Hmm, then I guess I've missed something and interpreted your config wrong. Indeed it should just be (only) that On the phone the peer points to the public-key of the MT-device. On MT-device "peer" subconfig, the public key should match the "interface" section on the phone. You ar...
by jvanhambelgium
Sun Oct 16, 2022 10:57 am
Forum: Beginner Basics
Topic: Wireguard - clients cannot complete handshake [SOLVED]
Replies: 18
Views: 4958

Re: Wireguard - clients cannot complete handshake [SOLVED]

/interface wireguard peers add allowed-address= 0.0.0.0/0 comment=xxx endpoint-address="" interface=\ wireguard1 public-key="bMZ<...>" The allow-address field on the Mikrotik must not be 0.0.0.0/0 but the remote peer IP ! Also ... the public key does not match ? The key "bMZ...
by jvanhambelgium
Sun Oct 16, 2022 10:36 am
Forum: General
Topic: Starlink experience
Replies: 20
Views: 5767

Re: Starlink experience

Good to hear. It would not have surprised me if they would lock it down so only approved Starlink-terminal/gear could be used. Too bad the power consumption on the Starlink kit is pretty high from what I read. (due to the heated-dish to melt snow). Or can you disable ? (or does it regulate this auto...
by jvanhambelgium
Thu Oct 13, 2022 9:20 pm
Forum: General
Topic: CLOUD address changed
Replies: 16
Views: 1396

Re: CLOUD address changed

Strange. Is that cloud link is specific of each device right? so If i say change this router for the same, the address will be different and the old one would not allow to access that router, correct? :) Yes, each device has a unique serial-number so distinct FQDN "XXXX.sn.mynetname.net" ...
by jvanhambelgium
Thu Oct 13, 2022 10:40 am
Forum: General
Topic: CLOUD address changed
Replies: 16
Views: 1396

Re: CLOUD address changed

Hi all! I have registered my cloud address on my hosting by creating a record for easy remembering and accessing my router. So you created a CNAME-record on your own domain referring to the standardised XXXXX.sn.mynetname.net Or what "record" did you create? Do mean that if you lookup XXX...
by jvanhambelgium
Sat Oct 08, 2022 9:12 am
Forum: General
Topic: Access IP ln Lan outside usual range
Replies: 25
Views: 1719

Re: Access IP ln Lan outside usual range

Dang. Even the "Non-Cache URL's" cache control doesn't work. Lots of online griping about GD in this regard. Will need to research how to force the page to insist on a new image every reload. The usual stuff in the page code: Dang, again. This would be a great solution only if... Like men...
by jvanhambelgium
Sat Oct 08, 2022 9:02 am
Forum: General
Topic: Access IP ln Lan outside usual range
Replies: 25
Views: 1719

Re: Access IP ln Lan outside usual range

How would that be easy ? I have a ZT network created, I need to manually ALLOW you to join that network through the admin-interface on my.zerotier.com Sure if you create a "public" network all you need is the network-ID to join and you are connected. Think about the trojan horse. I was sa...
by jvanhambelgium
Fri Oct 07, 2022 9:54 pm
Forum: General
Topic: Access IP ln Lan outside usual range
Replies: 25
Views: 1719

Re: Access IP ln Lan outside usual range

So these camera's effectively serve screenshot by making a request to the camera itself OR do these devices perform some FTP "upload" every X time for a still picture? Can you talk about the "entrypoint" in terms of Internet. You speak about an "external website" (do you...
by jvanhambelgium
Fri Oct 07, 2022 8:25 pm
Forum: General
Topic: Access IP ln Lan outside usual range
Replies: 25
Views: 1719

Re: Access IP ln Lan outside usual range

I have found several examples of using VPN's to access one camera at a time, but none (so far, still looking) for simultaneous multiple cams. Any thoughts? Well ... are these camera's located on different sites ? Or multiple camera's on 1 location ? Or a combination ? Do you have a consistent IP-nu...
by jvanhambelgium
Fri Oct 07, 2022 11:58 am
Forum: General
Topic: Access IP ln Lan outside usual range
Replies: 25
Views: 1719

Re: Access IP ln Lan outside usual range

The "problem" with zerotier is it is easy for someone to create unauthorized remote access with it, since it is the thing that "opens" the connection to the outside. If you watched the Tom Lawrence video, you can see that he didn't open up the firewall or forward any ports to al...
by jvanhambelgium
Fri Oct 07, 2022 8:34 am
Forum: General
Topic: Access IP ln Lan outside usual range
Replies: 25
Views: 1719

Re: Access IP ln Lan outside usual range

I hadn't heard of ZeroTier. I am currently using RealVNC to get inside to do network chores as it *seems* to be pretty secure. I'll start research ZT. Do you have an opinion on one vs. the other? ZT is pretty neat. Look at it like "a / your own switch in the cloud" . No "centralised&...
by jvanhambelgium
Thu Oct 06, 2022 11:15 pm
Forum: General
Topic: Access IP ln Lan outside usual range
Replies: 25
Views: 1719

Re: Access IP ln Lan outside usual range

The question then is : what are you going to do next.... You might have to make sure the prefix 92.168.0.x/24 get into your global routing ? Because you want to establish connection to this device to adapt its config ? Can you do this through "telnet" or "ssh" so from the Mikrotik...
by jvanhambelgium
Thu Oct 06, 2022 11:11 pm
Forum: General
Topic: Access IP ln Lan outside usual range
Replies: 25
Views: 1719

Re: Access IP ln Lan outside usual range

Should be OK to my knowledge. That additional IP would go under the same as the existing 192.168.0.1 interface indeed. I've just tried it on my RB3011-LAN on the LAN/Bridge side, I've added an IP to my bridge. [jvanham@GATEWAY] /ip/address> print detail Flags: X - disabled, I - invalid, D - dynamic ...
by jvanhambelgium
Thu Oct 06, 2022 10:00 pm
Forum: General
Topic: Access IP ln Lan outside usual range
Replies: 25
Views: 1719

Re: Access IP ln Lan outside usual range

Add a "secondary" IP address on that LAN interface / Bridge ?
To my knowledge you can have multiple IP's
So put 92.168.0.254/24 as an additional IP on the Mikrotik/Bridge side ?
by jvanhambelgium
Thu Oct 06, 2022 9:01 pm
Forum: Beginner Basics
Topic: wireguard on android
Replies: 34
Views: 5983

Re: wireguard on android

add action=accept chain=forward in-interface=wireguard2 out-interface=ether1 What is this supposed to do ? Adapt this rule, remove the "out-interface" criteria to start. You have a generic "masquerading" rule that will NAT everything going out via "ether1" , so I don't u...
by jvanhambelgium
Thu Oct 06, 2022 8:14 pm
Forum: Beginner Basics
Topic: wireguard on android
Replies: 34
Views: 5983

Re: wireguard on android

Hello Mr jvanhambelgium..! so clearly enough it seems that i have a DNS problem in my config and i don't know in which side..so please can you clarify more what you mean by this sentence "make sure your Mikrotik is configured correctly then to allow this Wireguard-client to make DNS-lookups,&q...
by jvanhambelgium
Thu Oct 06, 2022 11:28 am
Forum: General
Topic: urgent help
Replies: 49
Views: 13454

Re: urgent help

So I'm just curious.. How do they block wireguard? Isn't it a completely encrypted tunnel ? There is nothing difficult about that. (well, probably there is initially to dissect the protocol) Modern UTM-firewalls can recognize certain applications based on several parameters (including some signatur...
by jvanhambelgium
Tue Oct 04, 2022 5:26 pm
Forum: Beginner Basics
Topic: wireguard on android
Replies: 34
Views: 5983

Re: wireguard on android

0.0.0.0/0 is fine, I also have it on my Android phone. (meaning = everything is pushed through the tunnel) but remember, make sure your Mikrotik is configured correctly then to allow this Wireguard-client to make DNS-lookups, make sure it has NAT-config to access internet if the range of wireguard-p...
by jvanhambelgium
Tue Oct 04, 2022 4:49 pm
Forum: Beginner Basics
Topic: wireguard on android
Replies: 34
Views: 5983

Re: wireguard on android

Works fine here.
In your screenshots I see counters on both Rx / Tx and "last handshake" values so it seems a connection WAS established.
I would think THE CONNECTION itself is working, but perhaps DNS not working ?

What do you mean "I don't have a connection" ?
by jvanhambelgium
Sat Oct 01, 2022 11:21 am
Forum: Beginner Basics
Topic: IP Cloud in v7 not working
Replies: 4
Views: 2291

Re: IP Cloud in v7 not working

On your screenshot in the box it states "Router is behind a NAT. Remote connection might...." If you have a NAT "upstream" (your ISP) that you cannot control, inbound connections might not be possible, nothing related to 6.x or 7.x Your rule is exactly like mine, I run 7.5 at th...
by jvanhambelgium
Fri Sep 30, 2022 5:57 pm
Forum: Beginner Basics
Topic: IP Cloud in v7 not working
Replies: 4
Views: 2291

Re: IP Cloud in v7 not working

On your screenshot in the box it states "Router is behind a NAT. Remote connection might...." If you have a NAT "upstream" (your ISP) that you cannot control, inbound connections might not be possible, nothing related to 6.x or 7.x Your rule is exactly like mine, I run 7.5 at the...
by jvanhambelgium
Sat Sep 10, 2022 1:29 pm
Forum: General
Topic: How to block IPV6 from ISP
Replies: 32
Views: 9839

Re: How to block IPV6 from ISP

It can always be that any device on your network sets up a IPv6-over-IPv4 tunnel and uses it to access IPv6. It can even forward IPv6 traffic for others. Sure, dozens of possibilities to still slip/sneak through since no Mikrotik has no true UTM/IDP-capabilities that could detect & block variou...
by jvanhambelgium
Sat Sep 10, 2022 12:42 pm
Forum: General
Topic: How to block IPV6 from ISP
Replies: 32
Views: 9839

Re: How to block IPV6 from ISP

Every advice here is misleading and gives the impression to the reader that by disabling ipv6 in mikrotik or by dropping the packets in firewall you are blocking the ipv6 = WRONG. If there is a connected router in the network OTHER than mikrotik and this rogue router has enabled RA advertising al...
by jvanhambelgium
Fri Sep 09, 2022 7:07 pm
Forum: General
Topic: iOS Wireguard access to home network [SOLVED]
Replies: 13
Views: 3985

Re: iOS Wireguard access to home network [SOLVED]

Only one problem I still have: next rule shows 0 connection add action=accept chain=input comment="allow Wireguard traffic" src-address-list=10.0.10.0/24,10.0.0.0/24 And when I enable wireguard tunnel on iPhone - I can not open any external resources on iPhone, for example open google.com...
by jvanhambelgium
Fri Sep 09, 2022 6:36 pm
Forum: General
Topic: iOS Wireguard access to home network [SOLVED]
Replies: 13
Views: 3985

Re: iOS Wireguard access to home network [SOLVED]

Only one problem I still have: next rule shows 0 connection add action=accept chain=input comment="allow Wireguard traffic" src-address-list=10.0.10.0/24,10.0.0.0/24 And when I enable wireguard tunnel on iPhone - I can not open any external resources on iPhone, for example open google.com ...
by jvanhambelgium
Wed Sep 07, 2022 6:53 pm
Forum: Announcements
Topic: v7.6beta [testing] is released!
Replies: 226
Views: 62368

Re: v7.6beta [testing] is released!

What's new in 7.6beta6 (2022-Sep-07 12:06): *) container - added "start-on-boot" parameter for automatic container startup; Installed on RB3011. This function does not work consistently. I've 2 containers (Pihole & Adguard) and only Adguard "auto-boots" Both have the correct f...
by jvanhambelgium
Tue Sep 06, 2022 5:54 pm
Forum: Containers
Topic: Looking for Docker container ideas for RouterOS
Replies: 121
Views: 31047

Re: Looking for Docker container ideas for RouterOS

Yeah I made the same wrong assumption some time ago.
And with the different vETH's , you have full flexibility with things like DNAT etc if you want to expose to the outside world etc.
by jvanhambelgium
Tue Sep 06, 2022 5:06 pm
Forum: Containers
Topic: Looking for Docker container ideas for RouterOS
Replies: 121
Views: 31047

Re: Looking for Docker container ideas for RouterOS

How did you miss this ? It's precisely the same thing as "docker create --publish 80:80". Then what do you do with two containers both using port 80? They're both on the same VETH. 1 vETH for EACH container! The IP's of the containers can be in the same subnet or use different subnets. vE...
by jvanhambelgium
Sat Sep 03, 2022 11:23 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 362
Views: 123786

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.7 (Graphing everything) 💾 🛠 💻 📊

no need to quote preceding post - use "Post Reply"
True, I've added it manually so no problem for me. I know it's just a cosmetic thing.
Indeed I've started seeing it since running Splunk 9.x release.
by jvanhambelgium
Sat Sep 03, 2022 5:44 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 362
Views: 123786

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.7 (Graphing everything) 💾 🛠 💻 📊

@Jotne,
Can you include in your next release the version-tag ?
by jvanhambelgium
Sat Sep 03, 2022 2:22 pm
Forum: Useful user articles
Topic: 📌 Tool: Using Splunk to analyse MikroTik logs 4.0 (Graphing everything) 💾 🛠 💻 📊
Replies: 362
Views: 123786

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.7 (Graphing everything) 💾 🛠 💻 📊

I have not tested on 7.4.1 but on 7.2.3 and other version it works fine. Here I did download a 1GB file from here: https://speed.hetzner.de/ and the result looks great. It may be fail in config or maybe your device? Not seen other complains about this. Could it be some like fasttrack enab...
by jvanhambelgium
Thu Sep 01, 2022 1:42 pm
Forum: Announcements
Topic: v7.5 [stable] is released!
Replies: 219
Views: 69452

Re: v7.5 [stable] is released!

Yep, RB3011 went OK.
Only 1 PPPoE to ISP , no complex setup, no routing-protocols etc. Typical home-usage.
by jvanhambelgium
Thu Sep 01, 2022 8:23 am
Forum: General
Topic: RB3011 does not work google drive desktop
Replies: 7
Views: 859

Re: RB3011 does not work google drive desktop

If PPPoE is used towards the provider it could be MTU-related, but that would also affect other HTTPS sites. I've been using a RB3011 for many years and I've seen my share of weirdness from time to time after updates, but some tinkering on PPPoE/MTU then solved it etc. But with only this kind of in...
by jvanhambelgium
Wed Aug 31, 2022 4:54 pm
Forum: Announcements
Topic: v7.5 [stable] is released!
Replies: 219
Views: 69452

Re: v7.5 [stable] is released!

Updated RB3011 from 7.5RC2 to 7.5 "Stable" , no imminent issues ;-) for now.
by jvanhambelgium
Tue Aug 30, 2022 11:32 pm
Forum: Containers
Topic: v7.1rc3 adds container support
Replies: 493
Views: 162490

Re: v7.1rc3 adds Docker (TM) compatible container support

No difference after I delete everything, including mountpoints-folder and recreate everything.
Adguard will not start and throws the well known permission errors.
by jvanhambelgium
Tue Aug 30, 2022 11:22 pm
Forum: Containers
Topic: v7.1rc3 adds container support
Replies: 493
Views: 162490

Re: v7.1rc3 adds Docker (TM) compatible container support

Same story no ? Upgrade my RB3011 to 7.5RC2 (including firmware) Deleted existing Adguard and re-created from scratch. Then unmounted USB-stick and checked on my machine. Strange that there is still August 19 on these items ? I've re-created container, it pulled it fresh from Github so why isn't eve...