MikroTik

CZFan

Some experience i had with some other routers, the general setup is that if u have 2 networks, they wont see each other until you do routing. But Mikrotik for some reason does this for you. So to break this link all i did was: /ip route rule add action=drop dst-address=192.168.aa.0/24 src-address=1...

CZFan

2 Things:
1. I am not sure if someone here on this public forum is going to help you circumvent the laws of the country
2. Cant do / suggest anything if you do not provide more info, i.e. current config

CZFan

Trust you will make a quick and full recovery @sindy

CZFan

It shows on my CRS326 running 6.44.3

CZFan

I suspect your problem is due to what I call "The lazy mans" routing, i.e. NATing, packets are being src NATed one direction and gets to destination and back, but from destination routing is failing.

But as per @sindy, very difficult to say exactly where problem is without more info

CZFan

You should be looking at using a single bridge, then separating the staff and guest networks using VLAN's and firewall rules.

Below article should help
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

CZFan

try adding Routing-Mark=to_Wan2 to the route you are trying to add

CZFan

@sindy,
If you connect with me on Skype (ID under my profile), I can send the the packet capture file done on sfpplus2 to see if you can see anything strange

CZFan

i will get in touch with Mikrotik support
I'd neverteless like to see the config

As requested, see attached, info is a bit anonymized, so hope it makes sense

CZFan

No problem, will post it tomorrow

CZFan

Bump, anyone?

CZFan

@sindy, I don't know how to thank you, but again your posts have been extremely helpful and I learned a lot again! What you are saying about the CPU port makes a lot of sense and answered why I was seeing these frames (I keep forgetting the CPU is also seen as a "port") Yes, this ISP does have the b...

CZFan

Post the CRS config, maybe I can see something there (don't expect too much, though). And the output of /interface bridge port print.

I will be very surprised if there is something in the IT world that you can't resolve

CZFan

Will do that, but before I do that, my concern is not really why it is being sent to all clients from my CRS as ports going to client devices are trunk ports and contains all VLAN's of all ISPs, so it will make sense why from the CRS. But for some reason, these frames come in on the wire strange way...

CZFan

Host count shows just over 4200.

Not sure if this will help narrowing down where the problem is, but the interface directly connected to the ISP FP Rx count (Fast-Path?) shows exact same amount of traffic I see being "broadcast" to all devices.

CZFan

Post the results from "export hide-sensitive" here, someone will be able to look at any config problem

CZFan

I saw the keep alive responses being sent by the client device at the client device while the issue were present, i.e. I could see PPPoE session traffic to this client on other devices. What else I noticed short while ago, I looked at the MAC address of this client in host table in bridge, and notic...

CZFan

The CRS is a 326, max devices / MAC addresses inside the FTTh network is +- 2000. The concern I have is I have seen on the CPE management device these packets received sometimes reaches 80 - 90 Mb/s, this going all over the internal network not good, and it effectively becomes like a DDOS to custome...

CZFan

Apologies, I am providing L2 connectivity from clients behind OLTs to ISP's, the PPPoE AC is at the ISP. Yes, the dst MAC addresses belongs to customers behind the OLTs, traffic that I see, dst MACs changes every now and then, so it is not a specific customer behind OLTs whose traffic I see, but is ...

CZFan

@CZFan, @Anumrak's point of view made me review the whole thread and I've noticed I may be misunderstanding some points all the time. So 1) are the two clients whose traffic you could see to arrive to the "CPE management router" connected via your own OLTs or their MAC addresses are unrelated to yo...

CZFan

I am still experiencing the problem, and seeing these packets on ALL devices inside the FTTh network. Below screenshot from another customer device, seeing all these packets not meant for this device. I had something strange happen today, an not sure if I can replicate it again, but was trying to MA...

CZFan

I am not very au fait with Mikrotik Scripting, and not sure if the problem is with Scheduler in CHR or if script is incorrect, so if someone does not mind helping me out here it will be much appreciated. What I have is a script to backup Dude config and database (On CHR), but it seems to be creating...

CZFan

Thx all for the feedback.

@sindy, believe me when I say, your feedback carry way more weight than 2c's

CZFan

Thank you @Anumrak,

I will dig a bit further and chat again to ISP....

CZFan

PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address? Not sure I understand your post, is your question directed at me? Well yeah. I thought you didn't get why ds...

CZFan

PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address? Not sure I understand your post, is your question directed at me? Well yeah. I thought you didn't get why ds...

CZFan

For access to the device itself, i.e. Management ip and or access to services on device, i.e. DHCP, etc, you will have to provide access to the CPU using the "bridge port", so the command will be:

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=10

CZFan

PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address?

Not sure I understand your post, is your question directed at me?

CZFan

Ether1 is connected to crs switch.

I think what is happening is the device not storing end user device MAC address and broadcasting this PPPoE session packets on all ports?

CZFan

Anyone? It is happening again, same ISP but different customer in the FTTh network.

Reported to ISP again, but does not seem they know where the problem is, almost like vlan 501 leaking over to native vlan from their side?

Have pcap file if that will help, but I cant see anything funny in it?

CZFan

Yes there is, "/system reboot"

Maybe disable services that are not being used, i.e. Hotspot, routing, etc in System->Packages.

CZFan

Can the device you downloading to achieve more?

CZFan

Hi

Hint: next time export config with "/export hide-sensitive compact"

i am sure "export" defaults to compact?

CZFan

To ensure hardware offload on LAN ports, create first bridge and assign ports 1-4 and wifi to it. Create vlan interfaces and assign them to SFP interface. NATing, firewall rules, etc will need to be setup against relevant VLAN's, i.e. masquerade will need to go on out interface vlan 5. Create 2nd br...

CZFan

I had a situation today and want to understand why this will happen (Dont have much experience with PPPoE, etc) The environment is FTTh where customers connect to relevant ISP across Vlan & PPPoE, OLTs connects to CRS on Isolated Trunk (Vlan) Ports, then branches out to the relevant ISPs based on Vl...

CZFan

Is the VPN server a seperate device from Mikrotik? If so, you will have to tell the VPN server how to get to 192.168.1.x subnet

CZFan

Please under what circumstance can an interface on router got disabled automatically without manual disabling Your question is a bit vague, are you asking to disable an interface other ways besides doing it manually or did you have an experience where the interface got disabled and all the technici...

CZFan

????

Did you see the suggestion from @mkx posted 13 May?

CZFan

That does not look like the full export and without seeing firewall filter and mangle rules, it makes it difficult to make suggestions.

Read up on fasttrack, enable it and test again

CZFan

Hi, Not strictly a Mikrotik related question, but just want to see if you guys get the same. This started recently, can't ping any Google services with packets bigger than 92, if I do, packets gets corrupted. I get this from 2 locations which has nothing in common except using Mikrotik routers, diff...

CZFan

Have you followed below link?

https://wiki.mikrotik.com/wiki/Manual:C ... s_examples

If so, where you getting stuck?

CZFan

Start by upgrading to 6.44.3, then post results of "export hide-sensitive" here (between source code bracket so, see menu bot tons above)

CZFan

From your post, I ge the feeling there is a bigger picture / goal missing, anyway. Using info in your post, you do not need to do any config so on the chip level as it seems there will be no vlan switching. Then add the vlan to ether 5, add IP address to vlan interface, same with DHCP server. The si...

CZFan

Have you tried to connect with pc/laptop? Apple (iPhone, etc) have dropped support for pptp vpn a while ago due to pptp not being secure, not even allowing it on passthrough, maybe Samsung followed same process. Will be a good idea if you used another VPN type anyway, one that is more secure, i.e. L...

CZFan

Yes,

/interface vlan
add interface=bridge1 vlan-id=2 name=vlan2

/ip address
add address=192.168.2.1/24 interface=vlan2

Also see...
https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip

CZFan

Besides admin users, IP addresses, for normal management, etc,you will have to configure the following as a minimum to get the link up:

1. Mode: "Bridge" or "Station Bridge" depending which one you replacing
2: SSID
3: SSID Password

CZFan

Not sure I understand correct, but there is only 1 Ethernet interface on these devices?

However, you can connect a switch on both sides of it

CZFan

Search for SXT passthrough

CZFan

I can't understand at all. That's pretty common here, I've reverted to guessing. Here in particular, I've guessed that "it's my Mikrotik" actually means "it's caused by some issue on my Mikrotik". Let's see whether the guess was correct. Must be a "bug" in the forum software, the crystal ball facil...

CZFan

The 866Mb/s is probably "Radio" speed, which will equate to approximately 50% of that for Data Throughput due to wireless overhead, etc. I recently replaced a Mikrotik LHG 5 AC wireless link with the Mikrotik 60GHz "Wireless Wire" product, end result is I have XBox / PS4 gamers on the other side of ...

Search found 1258 matches