Community discussions

Search found 45 matches

by Eduardo
Sat Sep 16, 2017 1:43 pm
Forum: Beginner Basics
Topic: Small firewall question
Replies: 2
Views: 507

Small firewall question

Hi, I want to put a small MikroTik device in between a home ISP router and one specific PC. So port 1 goes to the existing router, and port 2 goes to the PC. The point is to block certain traffic. I want to for instance only allow TCP port 80 and 443 (+DHCP and DNS of course) from that PC. Can someon...
by Eduardo
Sat Sep 16, 2017 1:38 pm
Forum: Beginner Basics
Topic: DHCP doesn't reach guest network
Replies: 4
Views: 749

Re: DHCP doesn't reach guest network

Yes I did. But shouldn't the code from the original post still work?
by Eduardo
Sat Sep 16, 2017 12:12 am
Forum: Beginner Basics
Topic: DHCP doesn't reach guest network
Replies: 4
Views: 749

Re: DHCP doesn't reach guest network

Downgrading to current firmware 6.40.3 fixed this issue.
by Eduardo
Sun Sep 10, 2017 10:28 pm
Forum: General
Topic: Problem with latest release candidate firmware
Replies: 0
Views: 476

Problem with latest release candidate firmware

Hi, My CRS125 setup is very simple: /interface bridge add name=bridge-guest add name=bridge-main add name=bridge-uplink /interface ethernet set [ find default-name=ether1 ] name=01-UPLINK-modem set [ find default-name=ether2 ] name=02-pfSense set [ find default-name=ether3 ] name=03-UbiquitiAP set [...
by Eduardo
Sat Aug 26, 2017 7:06 pm
Forum: Beginner Basics
Topic: DHCP doesn't reach guest network
Replies: 4
Views: 749

DHCP doesn't reach guest network

Hi guys, I have a problem with my MikroTik CRS125 that I can't figure out... My pfsense router has only one network card, and is connected to port 2 of the MikroTik (vlan9=uplink,untagged=normal network,vlan200=guest nw). My PPPoE modem is on port 1 of the MikroTik (untagged) My Ubiquiti Access Poin...
by Eduardo
Sat Jul 29, 2017 5:52 pm
Forum: Announcements
Topic: v6.41rc [release candidate] is released! New bridge implementation!
Replies: 561
Views: 123895

Re: v6.41rc [release candidate] is released! New bridge implementation!

On CRS125 VLANs still have to be configured in "/interface ethernet switch" menu to keep hw-offload working. If they are configured in "/interface bridge vlan", the hw-offload will turn off. Beginners question: I am not using VLANs on CRS125, but was using masterport. Can I still use this masterpor...
by Eduardo
Wed Nov 23, 2016 2:09 pm
Forum: Beginner Basics
Topic: IPsec policy template
Replies: 0
Views: 419

IPsec policy template

Hi,

Who can explain to a beginner the purpose of an IPsec policy template?

Secondly, IPsec/Peers: what does the "Generate Policy" option mean? (no, port override, port strict)

It's not clear to me, even after reading the documentation...

Thanks!
by Eduardo
Mon Oct 17, 2016 9:50 pm
Forum: Beginner Basics
Topic: Help with config
Replies: 7
Views: 1036

Re: Help with config

OK, thanks for the info!

So, if all traffic would be tagged (*), it would be possible? Does Hybrid mean tag+untagged, or also tag1+tag2?

(*) say all currently untagged traffic would be VLAN100 (so port 2 = VLAN100+VLAN200, port 3=VLAN100 untagged, port 4=VLAN200 untagged)
by Eduardo
Sat Oct 15, 2016 8:06 pm
Forum: Beginner Basics
Topic: Help with config
Replies: 7
Views: 1036

Re: Help with config

I'm sorry, but this doesn't work...
by Eduardo
Sat Oct 15, 2016 1:33 pm
Forum: Beginner Basics
Topic: Help with config
Replies: 7
Views: 1036

Re: Help with config

Thanks, it worked, with this config: /interface bridge add name=bridge-guest add name=bridge-main /interface vlan add interface=ether2 mac-address=xx:xx:xx:xx:xx:xx name=vlan200-P2 vlan-id=200 /interface bridge port add bridge=bridge-main interface=ether2 add bridge=bridge-main interface=ether3 add b...
by Eduardo
Wed Oct 12, 2016 10:21 pm
Forum: Beginner Basics
Topic: Help with config
Replies: 7
Views: 1036

Help with config

Who can help me with the following (simple) config: - RB941-2nD acting as a switch (no wireless, no routing) - port 2 is the input port: untagged traffic + tagged VLAN200 traffic - this traffic should be split up: untagged traffic to port 3, and VLAN200 traffic (but now untagged) to port 4 I tried a...
by Eduardo
Sun Sep 18, 2016 10:29 pm
Forum: Beginner Basics
Topic: guest wifi via VLAN
Replies: 13
Views: 2198

Re: guest wifi via VLAN

Thanks for all the suggestions, guys. I tried all these things, but I can't get it to work... :-( Is there any way to monitor the VLAN tags? Because I start to wonder if my Ubiquiti Unifi is really sending anything on VLAN25... (I just clicked in the guest wifi settings on vlan and entered 15). I tr...
by Eduardo
Sun Sep 18, 2016 10:27 pm
Forum: Beginner Basics
Topic: Which router model?
Replies: 1
Views: 379

Which router model?

Hi, For a typical home use with very few basic firewall rules: which is the cheapest Routerboard model that would suffice for a 100 Mbps/10 Mbps Internet connection? All the devices behind it will be on a separate switch (or in the integrated switch chip, if it has any) - so not to worry about that....
by Eduardo
Fri Sep 16, 2016 2:28 pm
Forum: Beginner Basics
Topic: guest wifi via VLAN
Replies: 13
Views: 2198

Re: guest wifi via VLAN

Anyone please?
by Eduardo
Fri Sep 16, 2016 12:48 pm
Forum: Beginner Basics
Topic: Question about VLAN
Replies: 5
Views: 802

Re: Question about VLAN

It's a CRS125, which is listed under "switches" on their routerboard.com website. That is why I called it a switch. It's not clear to me when we should create a virtual VLAN interface, or when we can just use the switch VLAN settings. Can someone clarify this for me? For instance in example 2 of th...
by Eduardo
Thu Sep 15, 2016 10:57 pm
Forum: Beginner Basics
Topic: Question about VLAN
Replies: 5
Views: 802

Question about VLAN

Let's say you have a Mikrotik switch with several VLANs inside of it (VLAN100, 200 and 300). How can you put a DHCP server on a specific VLAN? There is no VLAN setting in the DHCP server. Same thing with a bridge... can you connect a bridge to a specific VLAN that is present in the switch? Probably ...
by Eduardo
Wed Sep 14, 2016 8:50 pm
Forum: Beginner Basics
Topic: Simple VLAN question
Replies: 1
Views: 405

Simple VLAN question

Hi, I have a CRS125. Port 1 is the masterport for all the other ports, so it's working at wire speed. Now I have one device that is using multiple VLANs, and I need to connect it to the CRS125 at port 8. However, only VLAN25 should connect to the switch, all the other VLANs on that network cable sho...
by Eduardo
Sun Sep 11, 2016 11:45 pm
Forum: Beginner Basics
Topic: guest wifi via VLAN
Replies: 13
Views: 2198

Re: guest wifi via VLAN

I am sorry, but I still need more guidance to get this working :-/ Ports 2-10 are the switch of the main bridge Ports 11-14 are the switch of the guest bridge Port 15 goes to my WAP. Untagged traffic from the WAP goes to the main bridge (working fine). But VLAN15 traffic from the WAP needs to go to ...
by Eduardo
Sun Sep 11, 2016 11:36 pm
Forum: Beginner Basics
Topic: Connection between 2 houses
Replies: 4
Views: 810

Re: Connection between 2 houses

and set appropriate routes for the remote subnets. Unfortunately, I can't get this to work... Site A has subnet 10.10.100.0/24, router at 10.10.100.254 Site B has subnet 10.10.200.0/24, router at 10.10.200.254 There is a working IPsec VPN link between them Let's say I am on Site A, and I want to ro...
by Eduardo
Thu Sep 08, 2016 11:05 pm
Forum: Beginner Basics
Topic: Meaning of firewall connection flags
Replies: 4
Views: 1871

Re: Meaning of firewall connection flags

Audio works in both directions, thanks.
by Eduardo
Thu Sep 08, 2016 11:03 pm
Forum: Beginner Basics
Topic: IPsec site-to-site troubleshooting
Replies: 9
Views: 5976

Re: IPsec site-to-site troubleshooting

Just a follow-up for people with the same problem: I finally got this solved by lowering the lifetime to 1 hour. Don't ask me why though... I just tried this because the newly created SA's always had a 1 hour lifetime (from the Fritz!BOX) ...
by Eduardo
Tue Sep 06, 2016 4:51 pm
Forum: Beginner Basics
Topic: Newbie simple script does apparently nothing
Replies: 3
Views: 516

Re: Newbie simple script does apparently nothing

It's really strange that there is no error generated when a script contains a syntax error...
by Eduardo
Tue Sep 06, 2016 4:27 pm
Forum: Beginner Basics
Topic: IPsec site-to-site troubleshooting
Replies: 9
Views: 5976

Re: IPsec site-to-site troubleshooting

I still have the same problem... Now I found out that when the IPsec connection is not working, there is an extra SA visible (*), even before the lifetime expires (but it could be that the Fritz!BOX is requesting this, we can't see its settings). Shouldn't the original SA be removed when there is a ...
by Eduardo
Sat Sep 03, 2016 11:34 pm
Forum: Beginner Basics
Topic: Meaning of firewall connection flags
Replies: 4
Views: 1871

Re: Meaning of firewall connection flags

Wow, indeed, after disabling this SIP entry, both devices have SACF in the IP/Firewall/Connections!

Thanks!
by Eduardo
Fri Sep 02, 2016 3:04 pm
Forum: Beginner Basics
Topic: Problem opening URL with fetch command
Replies: 5
Views: 1481

Re: Problem opening URL with fetch command

Fantastic, it's working now!

Thanks!
by Eduardo
Fri Sep 02, 2016 2:17 pm
Forum: Beginner Basics
Topic: Problem opening URL with fetch command
Replies: 5
Views: 1481

Re: Problem opening URL with fetch command

Thanks for your reply. I did also try url and path, but couldn't get it to work. And your URL needs a filename, you can't request the whole site. Now that is a problem, because there is no filename. The "whole site" is actually just 2 characters ("OK"). So there is no way to request this website?
by Eduardo
Fri Sep 02, 2016 12:41 pm
Forum: Beginner Basics
Topic: Meaning of firewall connection flags
Replies: 4
Views: 1871

Meaning of firewall connection flags

I have two SIP devices connecting via their own VPN connection to my CRS125. In IP/Firewall/Connection I can see them indeed connecting to my SIP server via UDP on port 5060. However, one of them shows "SACF" flags, while the other one only shows "C". I found that S = seen-reply, A = assured, C = co...
by Eduardo
Fri Sep 02, 2016 10:27 am
Forum: Beginner Basics
Topic: IPsec site-to-site troubleshooting
Replies: 9
Views: 5976

Re: IPsec site-to-site troubleshooting

Unfortunately, even with your settings, the VPN connection keeps interrupting regularly. I created a scheduled script to check if I can still ping the Fritz!BOX on the remote site, and if not, kill all connections (yes, dirty way, I know - but at least then the connection (usually) restores itself)....
by Eduardo
Fri Sep 02, 2016 12:11 am
Forum: Beginner Basics
Topic: Problem opening URL with fetch command
Replies: 5
Views: 1481

Re: Problem opening URL with fetch command

Nobody? :-/
I just need a command to open a website...

Thanks
by Eduardo
Fri Sep 02, 2016 12:10 am
Forum: Beginner Basics
Topic: IPsec site-to-site troubleshooting
Replies: 9
Views: 5976

Re: IPsec site-to-site troubleshooting

Thanks a lot, great info. I will try this, and see if it is more stable. Just a few questions: - is there any reason why you set your proposal lifetime to 8 hours? I don't see any lifetime in the Fritz!BOX setup - you didn't put any pfs-group in the proposal; I thought the Fritz!BOX uses modp-1024 ?...
by Eduardo
Thu Sep 01, 2016 9:04 pm
Forum: Beginner Basics
Topic: Recommended "IP/IP Settings"
Replies: 6
Views: 2129

Recommended "IP/IP Settings"

What are the recommended "IP/IP Settings" for normal "home router" usage?

I read http://wiki.mikrotik.com/wiki/Manual:IP/Settings but that seems outdated (some items are missing), and doesn't help me much, unfortunately...

Thanks!
by Eduardo
Wed Aug 31, 2016 11:27 pm
Forum: Beginner Basics
Topic: Problem opening URL with fetch command
Replies: 5
Views: 1481

Problem opening URL with fetch command

Hi, I am using Cloudns.com for my dynamic DNS. Updating the dynamic DNS consists of a very simple (fixed) URL that needs to be opened. However, I can't get it to work from my CRS125... Even a simple /tool fetch address="https://www.google.com" mode=https keep-result=no gives invalid value for argum...
by Eduardo
Wed Aug 31, 2016 11:13 pm
Forum: Beginner Basics
Topic: IPsec site-to-site troubleshooting
Replies: 9
Views: 5976

Re: IPsec site-to-site troubleshooting

Thanks, works great!
by Eduardo
Tue Aug 30, 2016 11:15 pm
Forum: Beginner Basics
Topic: 53 port incoming connection
Replies: 26
Views: 3543

Re: 53 port incoming connection

This is so that you'll be able to access the router from inside your own network. If you don't put such a rule, then a default-deny rule at the end of the input chain would also block management from the LAN interface as well. Thanks. So where in my firewall rules on http://forum.mikrotik.com/viewt...
by Eduardo
Tue Aug 30, 2016 5:43 pm
Forum: Beginner Basics
Topic: 53 port incoming connection
Replies: 26
Views: 3543

Re: 53 port incoming connection

Things you want to accept:
in-interface=LAN
What do you mean with this?

Thanks for helping.
by Eduardo
Tue Aug 30, 2016 5:41 pm
Forum: Beginner Basics
Topic: 53 port incoming connection
Replies: 26
Views: 3543

Re:

You should put correct wan interface into rule 3.
Can you please explain why ether1 is not the correct one?
by Eduardo
Tue Aug 30, 2016 5:27 pm
Forum: Beginner Basics
Topic: IPsec site-to-site troubleshooting
Replies: 9
Views: 5976

IPsec site-to-site troubleshooting

Hi, I've set up an IPsec VPN between my CRS125 at home, and a Fritzbox in another location. This works (after a lot of trying), but is not very stable. The connection always breaks, somewhere between 20 min to 2 hours later... The Fritzbox is more closed than Mikrotik, so I can't see all of the IPse...
by Eduardo
Mon Aug 22, 2016 11:58 pm
Forum: Beginner Basics
Topic: Default firewall filter rules
Replies: 3
Views: 1639

Re: Default firewall filter rules

Right! Rule 6 has the "connection state: established", and rule 7 the "connection state: related" condition.

Thanks, also for the rule 4 correction. So all the rest is safe like this?
by Eduardo
Mon Aug 22, 2016 10:47 pm
Forum: Beginner Basics
Topic: Default firewall filter rules
Replies: 3
Views: 1639

Default firewall filter rules

Hi, When using Quick Set to setup the CRS125 as a "Home AP", I get these default firewall filter rules: firewall_default.JPG (I am using a PPPoE connection to my ISP via port1) Question 1: Why are rules 6 and 7 identical? Question 2: Are these fine? Or should I add more or different rules to be more...
by Eduardo
Mon Aug 22, 2016 10:30 pm
Forum: Beginner Basics
Topic: guest wifi via VLAN
Replies: 13
Views: 2198

Re: guest wifi via VLAN

The VLAN tagging and untagging has to be done by the CPU?
The switch chip can't do this?

Thanks!
by Eduardo
Mon Aug 22, 2016 4:15 pm
Forum: Beginner Basics
Topic: guest wifi via VLAN
Replies: 13
Views: 2198

Re: guest wifi via VLAN

Add a vlan 15 slave interface to it and use this as the guest network port. So easy. Thanks, I will try it tonight. And I don't need to worry about tagging? EDIT: should I add the slave interface to the masterport? Not to the port, going to the WAP? I only want this specific port to be able to acce...
by Eduardo
Mon Aug 22, 2016 4:11 pm
Forum: Beginner Basics
Topic: guest wifi via VLAN
Replies: 13
Views: 2198

Re: guest wifi via VLAN

Thanks for your reply. Thanks for your concern, but speed is not an issue, since my guest network has low traffic. But I could setup two masterports, yes. But can you help me with my question? I assume the router+switch that you are suggesting can also be done with the CRS, of course probably slower...
by Eduardo
Mon Aug 22, 2016 2:22 pm
Forum: Beginner Basics
Topic: guest wifi via VLAN
Replies: 13
Views: 2198

guest wifi via VLAN

Hi, Currently I have two bridges on my CRS125: main and guest. Both have their own DHCP server, IP range, and a NAT to my Internet Provider. The main bridge goes to most of the ethernet ports (via a masterport), and for two ports I use the guest bridge (for some devices that are completely separate ...
by Eduardo
Mon Aug 22, 2016 2:07 pm
Forum: Beginner Basics
Topic: Firewall for site-to-site VPN
Replies: 1
Views: 371

Firewall for site-to-site VPN

When setting up a site-to-site VPN (via IPSec), it is apparently not necessary to open the firewall?
How can this be explained? :-)

Thanks...
by Eduardo
Thu Aug 18, 2016 12:31 pm
Forum: Beginner Basics
Topic: Connection between 2 houses
Replies: 4
Views: 810

Connection between 2 houses

Hi, Can someone please give an explanation how I can achieve the following? House A has an internet connection to provider X with Routerboard 1. House B has an internet connection to provider Y with Routerboard 2. I would like to have: Routerboard 1 port 2 = provider X Routerboard 1 port 3 = provider...