MikroTik

CZFan

... This is default config! Better option is to set IP to bridge? Thanks. If that is "default", then you have very old ROS version, then better you upgrade, then reset config to default and start again Yes, IP should not be attached to slave interface, should be on master, i.e. bridge int...

CZFan

couple other things incorrect, you have IPs assigned to slave interfaces on both sides, i.e on ether 2 which should be on the bridge interface

CZFan

See below re raw vs tagged

https://tools.ietf.org/html/rfc4448#section-4.4.1

CZFan

IIRC, you use tagged type when you make use of service tags inside VPLS cloud

more info below

https://tools.ietf.org/html/rfc4762#page-11

CZFan

Off the bat, have not tested it, etc. possible solutions might be:

1. Assign Vlans to a VRF and use the VRF, or maybe
2. In bridge port, you can select interface called "dynamic" and assign pvid there

CZFan

OP:

Just a word of warning, your public IP is visible on those screenshots, let me know if I am close :-)

EDIT: IP Removed

CZFan

without recursive routing, will be something like this (trying tp keep with your method of explanation): Route Rules: LAN1: SrcAdd(LAN1) Table(LAN1) LAN2: SrcAdd(LAN2) Table(LAN2) Routes: route 1 isp1 wan, route-mark LAN1 distance=1 route 2 isp2 wan, route-mark LAN1 distance=2 route 3 isp2 wan, rout...

CZFan

https://www.cdw.com/product/hpe-aruba-a ... nt/5520246

WoW, for that price, I will rather by 6 x RB4011s and place them all over where needed :-)

CZFan

Can this be done without mangling is the challenge?

Yes, by using route rules with routing mark/route table for each LAN/WAN combination.

Then create 2 rules for each routing table, one with distance of "1" and another "2", recursive routing will serve better here

CZFan

Without seeing the configs, your guess is as good as mine

CZFan

No, they probably have a ttl of 64 or 128, etc and decrement from there as they cross hops Let me rephrase, There is option in filter rules that you can check the TTL under advanced tab and then add src address to address list, but what I meant with the "No" is that they will most probabl...

CZFan

No, they probably have a ttl of 64 or 128, etc and decrement from there as they cross hops

CZFan

Have config at a WISP client of mine where I am using /31 between them and their upstream provider.

My client side is a MT and upstream prover side is Cisco, using the Cisco as GW

CZFan

@CZFan and what Clamp mss in EoIP does? Not sure if I understand the question correctly, but: OP did not mention EoIP tunnel MTU size in OP, so with that, if the tunnel MTU was set at 1500, then the "Clamp TCP MSS" in EoIP config will clamp the MSS at 1460, which might not be low enough. ...

CZFan

Clamp mss in EoIP will only clamp it based on tunnel mtu size, it doesn't know what the mss size is end to end

CZFan

Assign an admin MAC to the bridge interface, will probably drop you but then connect again, that should prevent dropping you changing bridge ports as the bridge wont change MAC address
Have not tested it

CZFan

I'm wondering if perhaps they do not intend to release a 6.49 (moving to v7 instead as the next stable release after 6.48) ...

I suspect there is a big push to get V7 out, hence the huge change released in Dec 2020, but suspect we will still get a couple V6 updates

CZFan

.... If i do keep it as is but put the WAP on NAT, yes, it works...but tripple NAT. I find it crazy the WAP cant do what a cheap $20 ethernet extender can do. The UBNT picostation does it fine, but lacks the connect list...but i guess will work if i setup some hacking way to do a connect list on it...

CZFan

From the export you provided, I cant see any reason why disabling that rule will drop VPN connections, unless the export is not all info

CZFan

All routing is done via CPU, firewall will see this traffic

CZFan

That looks like a fairly standard default Mikrotik firewall config, difficult to see details from screenshots, export much better If my assumption is correct above, it will mean that you typically allow DST NAT in the "Forward" chain, not "Input" chain, and as per example, you ar...

CZFan

With devices in the same subnet being on both sides of the router, I dont think ARP Proxy is going to help you here. Off the bat, the only other way I think this will work is, but sounds more of a mission than you already do: Assuming you are on the LAN side, add 192.168.1.254 on WAN side interface,...

CZFan

The only reason will be if a firewall is blocking connections from the outside, else those rules will redirect (NAT) anything with a destination port of 53 to 192.168.88.1 Also, you will still need to enable "Allow remote..." in DNS service on router, else the router will not respond to DN...

CZFan

"...they suspiciously look like the rules for port-forwarding..."

Reason is that is exactly what those rules are, they will just redirect (NAT) packets to which ever DNS server you point them to in the NAT rule, may it be your router or Google DNS servers, etc

CZFan

Not sure I follow.

Layer 2 is logically segregated right, that is one of the reasons for Vlan's?

To block comms between these on Layer 3, use firewall

CZFan

Ether1 does not apply to all routers for Netinstall,

For the CCR1009, I think it is ether7, check on the router, it will be marked "boot"

CZFan

Search Mikrotik wiki for EoIP or BCP (Bridge Control Protocol)

CZFan

Try 6.46.8 long term version

CZFan

I think you need to explane how you monitoring this, if it is watching the interfaces in Winbox, then it might possibly just be refresh rates, etc in Winbox

CZFan

You don't mention how you split the load a cross the 4 x WANs, so I can only assume: 1. Router sends the traffic across its DG with lowest distance. 2. You have configured DNS cache / proxy, so router does lookups on behalf of client devices, and follows point 1 above BTW, both your mangle rules are...

CZFan

Had same issue when I factory reset a customer of mines router, what resolved it was to add static IP address on my laptop (usually on DHCP)

CZFan

Why will you need full tables with only one peer?

CZFan

For Torch to see the traffic, you will need to disable "Hardware Offload" of the interfaces bridged in Menu-->Bridge-->Ports

Note: This will have a negative performance impact for traffic between interfaces in the bridge

CZFan

You mention cost and stability as reasons, here is your first lesson Mikrotik related, don't use "stable" version when you upgrade RouterOS, for stability reasons, use long term version

CZFan

I would just use below, that burst settings you have will bring no value

/queue simple
add disabled=no max-limit=16M/16M name="PC-LIMIT" target=ether1

Then make sure you have no fasttrack enabled in firewall or bypass fastrack for this device / target

CZFan

If I am reading this correctly, the Mikrotik is sending, so you will have to get access to the logs / packet capture on the other side to see what the problem is, maybe the packet never reaches it, etc

CZFan

You dont give much information to go on, i.e. sample of your config, but I am convinced the reason will be that your config is not complete, i.e. need to add switch-cpu interface in the switch vlan table for that vlan

CZFan

The solution url you quoted is to enable bi directional communication, and I am not sure if this is the same as "bridge" as per your requirement.
I don't have a device to test with, but suspect it might work for you, but like I said, can't test or verify it

CZFan

1. Does Zyxel belong to Sonicwall? Those screenshots looks extremely familiar last when I worked on Sonicwall in 2014. 2. I believe you are still showing the WAN address on the Zyxel side 3. Not sure if is your problem, but you have key group set on DH5 at Zyxel side, I believe this translates to 15...

CZFan

Duplicate post, but there is no dhcp client configured

CZFan

Apologies, @mkx correct, I quickly scanned over the config.

But I don't see a dhcp client line item in config and that is probably reason AP can't get IP from DHCP

CZFan

Add bridge as a tagged member/interface of management vlan in bridge vlan table

CZFan

Yes, you can route it further into your network

CZFan

The bridge has two sides to it, on is bridging interfaces, other is a interface itself which provides access to the CPU for accessing resources on device itself like DHCP, management of the device itself, etc. So like I mentioned earlier, to achieve above, you need to provide access to this in vlan ...

CZFan

You can use any method, but you have to give access to the Bridge / Switch CPU interface on that device in order to access resources, i.e. DHCP, Management, etc on it

CZFan

You have configured both methods, i.e. bridge vlan as well as switch vlan.

Should just be one or the other, and in neither did you configure access to the Bridge / Switch CPU interface

HINT: From URL you quoted:

add ports=ether1,switch1-cpu switch=switch1 vlan-id=99

CZFan

The steps you can take:
1. Drop L2TP that is not encrypted, explanation / sample config in wiki
2 use strong passwords
3 use RSA authentication

CZFan

Why is ether 1 mtu set at 1508?

CZFan

You don't want to test to/ from router anyway, as you will run into limitations of CPU, etc, so will not gain much. Best is to test "through" the router, and in that case, iperf is a good tool

CZFan

Only one sim slot can be active at a time

CZFan

If these were a "site to site" VPN, you can then make use of firewall rules to only allow from certain IPs, but as this is typically used for people to work remotely, i.e. today from home, tomorrow from coffee shop, etc. it is difficult to limit who can connect from where, etc. So best sol...

CZFan

Best will be to do packet capturing to see what is happening

CZFan

Can only have one mark.

What do you want to achieve, maybe another way of doing it?

CZFan

Hmmm, downgrade ROS version?

CZFan

Have you tried reading the wiki? See link below.

https://wiki.mikrotik.com/wiki/Manual:I ... Properties
Netmap is usually used with 2 x sets of ip addresses and will then create a static 1:1 between these 2 sets

CZFan

MSS is negotiated / agreed between end devices during the TCP handshake, so you cant change "incoming" from outside MSS values Possible reason your mangle rule is not working, is you probably have Fasttrack enabled which bypasses Mangle rules, if Fasttrack is required, you can exclude the ...

CZFan

Remove the below rules and add lte interface to WAN interface list

add action=accept chain=forward out-interface=lte1
add action=accept chain=forward in-interface=lte1

CZFan

You need to ask upstream provider to only annoince default route to you, then in routing filters, only accept default prefix and discard all others

CZFan

Seems they are labeled JB00 & 01, thinking 00 should be A and 01 B, but no guarantees :-)

CZFan

HAP AC2 does not use the flash for updates, only memory, so place the update .npk in the root, restart router and it will update just fine

CZFan

I would suggest resetting the first device as there are couple of settings that can cause slow performance, i.e. Ether1 (WAN) is set to half duplex, fast path s disabled and fasttrack needs this, etc

CZFan

Best will be to contact one closest to you, see below link

https://mikrotik.com/consultants

CZFan

What does log on Mikrotik device say when bulb trying to connect?

CZFan

CZFan

Above is posted in wrong topic header and should be under wireless .

Then as per your question, IIRC, CQI will only show when signal strength and quality is at acceptable levels

CZFan

I would think where the provider hands off the connection to you, the s tag is removed and you should only receive the 2 c tags from hand off

CZFan

Your description of your requirement is also not clear to me, all I can think of what you maybe want when saying "running through vlan 10" is possibly what is called qinq vlans, i.e. Tunneling a vlan inside another vlan

CZFan

If you are looking at sub 50ms, I doubt very much you will achieve this using scripts

CZFan

Great, now I know they reworked my article without even mentioning me... That's a bit depressing :)

Plagiarism much...

CZFan

There are various configuration items that can be optimized to improve performance on your CHR at the moment.

There are multiple posts here as well as Wiki articles, alternatively contact a certified consultant closest to you https://mikrotik.com/consultants

CZFan

Very limited info you provide, but if my understanding is correct, then there is a problem with your logic. i.e. you ping 8.8.8.8 from ether 2, if no response, you disable interface, with this interface disabled, you will not be able to ping from it. If reasons for doing this is dual WAN purposes, t...

CZFan

Also see

viewtopic.php?f=2&t=170769&p=835183#p835183

CZFan

Throughout this thread you mention you are using Windows as client devices and by default, Windows firewall blocks incoming packets not on local subnet.

Check widows firewall

CZFan

Let us see the whole config, provide results of /export file=filenameofyourchoice hide-sensitive

CZFan

With limited info available, it seems you are confusing VPN server between "Routed" and "Bridged"

As a start, for routed, remove below and test:
/ppp profile
add bridge=bridge local-address=192.168.87.1 name=OpenVPN remote-address=OpenVPN-Pool use-encryption=required

CZFan

You seem to have networking issues, can be locally or ISP, suspect more ISP side. I see many DNS requests and DNS retransmissions, but nothing coming back from 8.8.8.8 or 8.8.4.4. I suspect the reason it behaves better when using Router as DNS is router will cache the address for a while. Suggest yo...

CZFan

Queue Tree configuration seems inconsistent and might confuse the queue mechanism.

Parent queue max limit is set to 10M which is responsible for distributing bandwidth between leaf queues, but leaf queues max limits are set to 1024M (1Gb/s)

CZFan

where fast fail over is needed
How fast is fast?

With ERPS, they aiming at 50ms

CZFan

Should the qinq / provider bridge config not be done by the ISP?

CZFan

It is called ERPS, Ethernet Ring Protection Switching.

As far as I know Mikrotik does not support it "yet", will be cool though

CZFan

... If RouterOS can utilize round robin to provide fault tolerance for DoH then I'm a happy camper. If it cannot, then DoH feature in RouterOS is a toy that should be used in production with caution. I have not worked / looked into DNS in detail for a couple of years, but suspect it has not changed...

CZFan

Mikrotik Wiki Article on Bridge Vlan:
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

Herewith a good tutorial from a forum member:
viewtopic.php?f=13&t=143620&p=833307&hi ... an#p706996

CZFan

... Interestingly there is 12.7 of 16Mb in use now, so I'm not too optimistic I can easily install the next upgrade with so little space left. When I get a bit more comfortable with the router I can probably uninstall some of the packages to make room (like hotspot). Anyway, my issue is resolved an...

CZFan

Probably RSTP is enabled on the bridge, and as a result hw-offloading is disabled.

This should not really cause a major problem as the 4011 has 2,5Gb/s paths between each switch chip and CPU.

Suspect the problem is somewhere else

CZFan

... 0 DB name="vpls21" mtu=1500 l2mtu=1550 mac-address=02:2B:05:71:1C:78 arp=enabled arp-timeout=auto disable-running-check=no remote-peer=10.20.1.2 cisco-style=no cisco-style-id=0 advertised-l2mtu=1550 pw-type=raw-ethernet use-control-word=yes vpls=MGMT-VPLS You are using BGP signaled VP...

CZFan

You will add vlans the same way as you would with other interfaces.

Post your attempt with vlan config here and we can see where you going wrong and can try and assist you

CZFan

Remove current IPSec config, configure EoIP, enable IPSec in EoIP config and send vlan across this tunnel

CZFan

Yes I did unfortunatelly I did not see any read receipt nor any response yet. Something may have gone wrong. You could possibly use zeljko110465@gmail.com. Thank you

Done...

CZFan

Hi All, I am trying to configure Mikrotik CAP to provide limited wifi services through a set of firewall rules. I have been successful with Whatsapp and Be Safe (Local Covid19 registration App), however I could not get the Gmail going through even after enabling whole class IP addresses multiple se...

CZFan

Because software archaeology is not a popular hobby, so it would be too much effort spent on Mikrotik side just to satisfy you and the other two guys practising it :) I’ve always wondered why people who can’t contribute anything useful to the discussion have a need to write Hmmm,@sindy is in the to...

CZFan

best will be to make the Mikrotik a switch / bridge, i.e. bridge all ports, no routing on Mikrotik

CZFan

Because software archaeology is not a popular hobby, so it would be too much effort spent on Mikrotik side just to satisfy you and the other two guys practising it :) I’ve always wondered why people who can’t contribute anything useful to the discussion have a need to write Hmmm,@sindy is in the to...

CZFan

...
my esxi not free license dude

Dude is this way ---> https://wiki.mikrotik.com/wiki/Manual:The_Dude

CZFan

Your rule below allowing GE should be before the drop invalid rule, so you have 2 choices: add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=i...

CZFan

Just thinking here, haven't touched hotspot since 2015, also tired at the moment, but maybe use hotspot with radius eap authentication, assign them in relevant vlans dynamically

CZFan

I really wanted to help here, but sorry, my pc's mouse scroll wheel seized while looking through this post :-)

CZFan

You run BGP and don't understand how stateful / stateless firewalls work? I second the suggestion to get a consultant (though not the one above that is also a useless blacklist). You're clearly in over your head here. Using PSD just opens you to further attack when someone decides to spoof the IP o...

CZFan

Use winscp to create folder/sub folder?

CZFan

Bridge port hardware offloading remains disabled on hEX (RB750Gr3):
...

On hEX you need to disable STP on bridge for hardware offload, i.e. protocol-mode=none

CZFan

... Adding my configuration with L2TP /interface bridge add admin-mac=48:8F:5A:AA:4A:9C auto-mac=no comment=defconf name=bridge /interface wireless XXX /interface ethernet set [ find default-name=ether1 ] comment=WAN set [ find default-name=ether2 ] set [ find default-name=ether3 ] set [ find defau...

CZFan

... 8 Connected - it passed the credentials authorization but it hangs on connecting and wont connect - any ideas what i am missing? Image 8 http://neradi.cz/upload/vpn/08.png I sometimes get the same symptoms (With L2TP/IPSec, don't use PPTP) and is a bug in Windows, to get around this, connect vi...

CZFan

@mducharme: advertise-filters have been set, but still all addresses show up in the neigbor status page. Not a big issue, but I was just wondering whether this is normal behaviour or not.

You will have to disable / enable LDP interfaces or restart router for filters to take effect

CZFan

Hmmm, not sure I follow.

SVL - Single forwarding database for all Vlans
IVL - Forwarding Database for each vlan.

Use IVL when you want same MAC address in each vlan, how does same subnet come into this?

CZFan

Wait, do you really check the "packet loss" using only 1 ping result ?? ... No, I did a normal "ping" to 8.8.8.8, had lots of timeouts, just had this screenshot available to post at the time. ... I hope you know the LAST HOP in traceroute is proper for packet loss, all prev can ...

CZFan

You might get better performance with a K&N filter, I use it on my BMW :-P

CZFan

firewall rules is very much a "personal" thing and is your to configure as you feel fit for your environment Typically, one trusts the hosts in your LAN as they are under your administrative control, so allow full access out and related back in, but the hosts on the Internet (Evil) not so ...

CZFan

Thank you @SiB, also for assisting Mikrotik with these issues.

Call has been logged, SUP-34275

If you need any more info from my side, please do not hesitate

CZFan

Is this correct? ... I dont have full view of the environment you are doing this, but think it will be safe to say: 1. Remove src/dst ranges, you have in interface and the current src/dst ranges is for all anyway 2. I will not use interface list, but rather interface itself, you might have multiple...

CZFan

Hi, If anyone has upgraded their LTE devices to version R11e-LTE6_V026 from V20, please let me know if you experiencing problems. I upgraded 2 x RBLHGR devices last night, both at same location but using different LTE service providers. These devices has been installed and configured about 3 months ...

CZFan

Suggest you mark connections first, then packets of these connections

CZFan

I have googled the Internet and got only instructions for old RouterOs versions. I have recently bought a MikroTik router. I have installed the basic options with Quick Set. Now I want to bind MAC addresses to static IPs, just as I had in previous two routers. I tried to WebFig/ARP/Add New. However...

CZFan

Wondering,
Why do you put devices on separate VLANS when afterwards you want to connect them together on L2 (use discovery protocols)???
...

Cause, like we say in the shooting world, "it is tacticool" :-)

CZFan

Don't use quickset is Menu IP-->Address

CZFan

-my previous config was correctly spreading traffic equally with preference of one gateway (route marked as DAC with Pref.Source visible) I don't think so with the distance you have had before. You marked traffic equally, but it all went out on PPPOE1. Only if it failed it went to PPPOE2. Have you ...

CZFan

Thanks for the clarification, what about only one IP routing?

If you want to see all routes, including dynamic ones, OP can post results of /ip route print

CZFan

/tool sniffer quick port=44866 IN TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS AD 6.705 1 <- 198.199.98.246:46736 178.220.198.49:44866 br 6.705 2 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11 198.199.98.246:46736 10.10.10.10:44866 et 6.705 3 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11 198.199.98.24...

CZFan

I am sure you will also expect that if you connect an Ethernet interface with a token ring interface it should work...

CZFan

Please post configs in code brackets, I.e.

, you will find them on the button menu.
Yes, you will only see the one as the other is dynamic, I.e. DHCP client

CZFan

I probably don't understand what if there is no filter forward rules, shouldn't that mean that everything is "open"? Like if you don't set any filter input rules the router services are accessib yes, the default action in "accept" but you posted bits and pieces,so was not sure w...

CZFan

Using DHCP relay does not make sense to me, but have done it before between 2 Mikrotiks

Can you post config of both MT and Cisco, maybe we can figure something out

CZFan

You cant connect SFP+ to SFP, however you can put SFP module in SFP+ cage, then just disable auto negotiation and configure 1Gb/s both sides

CZFan

People I desactivate the fasttrack in IP Firewall and now it´s working when I define IP TARGET... but it still is not working when I define ETHER2 (example) target. I want to put a bandwidith in a port, and not in a IP. Can you help me? please? Thanks! Hmmm. is ether2 possibly part pf a bridge? If ...

CZFan

Thank you both!! Here is full config (vs posting the pieces of it) I only have single LAN (home) and my only port on the RB is either2 where LAN comes in. RouterBoard is a router that is setup as gateway for my internal devices (server, DHCP, DNS all handed elsewhere) I have ISP1 on either1 and ISP...

CZFan

for starters, you are trying to make ether2 a WAN connected to ISP2, so remove ether2 from bridge, Menu Bridge-->Ports

CZFan

You are missing some very important settings on the bridge interface, make sure you have a management vlan configured, alternatively, remove ether 5 from bridge so you can still access router if you lock yourself out. vlan-filtering=yes https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_V...

CZFan

from your post, it seems you don't have full grasp on firewall chains and seems you have deviated from the default firewall config, so: Input = To router Forward = Through router Output = From router itself Port forwarding works in the "Forward" chain. if you run the below in terminal wind...

CZFan

The first method works fine. But if I use the second method there is still the problem from my first post. "in/out-interface matcher not possible when interface (ether7) is slave - use master instead (bridge)" If ether7 is a master (I removed it from the bridge), the error in the firewall...

CZFan

what you looking for is called policy based routing

https://wiki.mikrotik.com/wiki/Policy_Base_Routing

CZFan

I think you have missed the point.

I reckon you missed my point...

Wish you all the best in your problem solving endeavours...

CZFan

to add to @sindy's comments, strange @anav has not jumped onto this yet :-) but you should change the below to your bridge interface

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

CZFan

You can mark routing in mangle based on the destination port numbers coming from the app client and then route this via vpn

CZFan

" It sounds like you mixed up simp,e q and pc's config ." I would assume my post made no sense, damn autocarrot!! Anyway, what I was trying to say is you are trying to mix simple queues with PCQ, these are two different animals, and you should use one or the other, if PCQ, then you set the...

CZFan

It sounds like you mixed up simp,e q and pc's config.

Provide export of config on order for us to see how you config looks and can then suggest improvements / corrections

CZFan

Download the upgrade package manually from a pc's, copy this to the file section on routers, restart router

CZFan

Unfortunately, it seems the CRS109 switch chip does not support ACL https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches#Summary EDIT: I don't know which method will have the worst performance hit of below methods on the CRS109 device, but you can try both: 1. Bridge filter as per previo...

CZFan

Ist, I am sure the Mikrotik device is as confused as you are, you have Bridge Vlan and Switch Vlan config on the device. 2nd, You asking for help, but only posting part of the config Decide which way you want to go, and clean up / configure accordingly. There are many posts here which explains both ...

CZFan

what i want is: LAN1 can communicate with LAN2, not being on the same LAN.

Build a Site to Site VPN on the Mikrotiks, which sounds like you have already done.

Then check Windows firewalls, by default they will prevent access to device itself coming from a different subnet / prefix

CZFan

Probably cause its being offloaded to the switch chip, you can work around this by disabling "Hardware Offload" in bridge-->Ports, but that will cause a reduction in performance on those ports. Best then will be to configure a switch ACL / Filter rule, sorry, I don't have access to a CRS d...

CZFan

Look into bridge filter rules, might be what you need

CZFan

Speak to your ISP, they probably disabled the web service

CZFan

Have you tried any of the Mikrotik distributors in your area?

CZFan

Hmmmm, usually Mikroitik fails to upgrade with incorrect package types

Have you tried Netinstall to correct?

https://wiki.mikrotik.com/wiki/Manual:Netinstall

CZFan

Your ISP is probably providing TV services on a separate VLAN, hence insisting that it must be connected to their device

CZFan

sorry, I forgot to mention that my CSR112 is acting as CAP manager for 2 x CAP AC access points

CAPSMAN will not change the picture, but I really do not see the purpose of CAPSMAN with only 2 APs, adds unnecessary complication, if you had 10 x APs then maybe a different situation

CZFan

You will have to confirm if you ISP is using PON technology / fibre, if so, will not work directly connected to Mikrotik, will need an ONU / ONT

CZFan

If you want to telnet to the router itself at remote site, then add a firewall filter rule in chain=input, protocol=tcp dest port=23. Action=accept.
To telnet to a device behind the remote router, use chain=forward

CZFan

Configure the rbm33g as router and do all fireballing on it.

Configure crs112 as a switch device, i.e. Bridge all ports and no firewall etc

CZFan

Fast path and fasttrack is to allow accepted traffic through the router faster, this is not going to assis you in DDOS.

Rather Look into raw filter rules, route rules, etc to kill the DDOS connections faster

CZFan

Try /system resource print oid

CZFan

First two rules are for input chain, the 3rd, fasttrack is for forward chain and has nothing to do with first 2 rules.

Also not sure I understand your question?

CZFan

If you are getting a 10.x.x..x range on the LTE interface, then opening of any ports is not going to help as the packet will never reach your device when originated from outside. Compare the APN configuration between the old and new routers, maybe you had an "unrestricted" vs "restric...

CZFan

Change to "bridge-private" with same issue. Reboot MK, about 20 pings reply and than Request timed out. This is a local problem and not Routing / FW related on the Mikrotik. To confirm above, connect to end devices directly to the ports 2 - 5 on Mikrotik and test ping again. I suspect you...

CZFan

Check what IP you getting on the LTE, if it is a private (10.x.x.x/8, 172.16.x.x/12, 192.168.x.x/16) or CGNAT (100.64.x.x/10) address range, you will not be able to improve gaming NAT status unless you request a direct public IP from your LTE service provider

CZFan

Hi, I made some changes, configuration attached, but with the same issue.
Please help
BR
Ales
config-v2.txt

You still have not made changes suggested by @mkx and missed by @anav :-)

Below interface should point to interface "bridge-private"

incorrectiface.JPG

CZFan

Add a route filter for that peer and only allow default to it, something like:

/routing filter
add action=accept chain=BGP-Out prefix=0.0.0.0/0
add action=discard chain=BGP-Out

CZFan

... And if you do, is it even accessible from the outside? I've seen mobile operators assigning public IPs to LTE devices but NATing them to other public IPs anyway. Yup, had this with a customer of mine in Malawi, they were using public IPs belonging to some company in USA but NATed the connection...

CZFan

You cannot use subnets that are directly overlapped in different VRFs in RouterOS v6...this is fixed in RouterOSv7 Would you mind elaborating on above? I am interested what other challenges might be with my config as per below. I can access all VRF routers from outside as well as inside from R1, in...

CZFan

@bpwl, I suspect you might be onto something here, i.e. configs not cleaning up properly. I suspect it is more a "Winbox" issue. Was playing around with various configs re EoIP tunnel now in GNS 3 on CHR 6.45.9, had tunnel up, then made changes, tunnel down, then reverted the changes, tunn...

CZFan

There is a utility in Mikrotik Download archive called traffic counter.

It will count traffic going through the router, played with it little bit and seems cool, also suggested it to a customer of mine

MTArchive.JPG

CZFan

My understanding is that "fraggle attack" (UDP Broadcast) is a variant of "smurf Attack" (ICMP),

Did you not maybe had a loop somewhere and the Draytek possibly interpreted this as a "fraggle attack"?

CZFan

...
Also, I tried to download the firmware manually, but there is nothing to download on the product's home page https://mikrotik.com/product/css610_8g_2s_in

Wow, seriously?

See screenshot below on same link you quoted!!

mtsoftware.JPG

CZFan

...
Final comment, Dont use quotation marks for NAMES of anything. Quotes are used in MT to surround COMMENTS.
You are trying to hurt my brains and eyes with this approach

Quotation marks are necessary where names, comments, etc contains spaces

CZFan

Looks like a dons amplification attack,
Post full config ( between code tags [] in menu so we can see what is wrong

CZFan

I suspect more inefficiencies in your config.
Post results of /export file=filename hide-sensitive between code brackets

CZFan

That's very old, lots of security holes, metinstall is your friend

CZFan

You are not showing full config, so it makes it difficult to assist.

All I can assume at this stage is that possibly you don't have "use service tag" configured on the vlan interface

CZFan

Hi all, I usually drop all forwards as the last rule and allow only known tracked traffic. Now, I have an strange problem for creating a rule for allowing ping from one server to another. I should be able to do this using this rule: add action=accept chain=forward comment=Ping protocol=icmp src-add...

CZFan

..., I’d know how to set the MTU, which is max package size +32. When I do the same test from my hAP ac the value looks different, naturally.
...

Should be +28 (20 bytes IP Header + 8 bytes ICMP Header)

CZFan

Cant believe my friend recommended Mikrotik, "it's the best router" he said, "and if you have a problem they help you on forum"

what a bullshit.

Cry me a river...

CZFan

Connect via the serial port with a console cable, set IP address, etc and then continue as per normal

CZFan

Post anonomized output from /export file=yourfilename between code brackets so we can see config and assist where possible

CZFan

... My issue isn't really with invalid packets, but with private addresses leaking out. Supposedly they leak out because the packets are invalid, and so do not get srcnated. I want to either prevent anything that's not srcnated from going out on the WAN interface (which I thought would be doable us...

CZFan

Hi there I have been trying to resolve this issue for the past 15 days, reading through forums but no luck at all As you may know, in order for XBOX to work properly, it needs an Open NAT - so far it is only Strict According to the Microsoft XBOX's website https://support.xbox.com/en-US/help/hardwa...

CZFan

The solution to your problem

https://wiki.mikrotik.com/wiki/PCC_exemptions

CZFan

I dont use NAT right now. I just have. Mikrotik vpn server setup. People vpn first, grab a local ip, and co nect to internal servers. So if this is the case i should use ecmp? Then is what i currenctly have what i can have as the ideal setup? Where does VPN come into the picture now? Your config sh...

CZFan

The Torrent system on it's own is not illegal. Downloading copyrighted content is illegal. This is my understanding also, read an article yesterday that in Germany, some law firms are not so ethical (who would have thought) and sending very threatening letters to people to pay up, and the normal Jo...

CZFan

I think speedtest.net uses multiple connections for download. That is where i saw more than 50mbit. But yeah for the rest i get it. I just need help to change my config to pcc now. Can you help me with that please. I am not sure how to adapt my vlans and bridge to the pcc example Yes, speedtest.net...

CZFan

I suspect that video does not shoe the "full truth"

ECMP is based on per connection, so if src and dst address is same, you will only use one of the uplinks, it is not a "per packet" solution

CZFan

Yes, called the Dude

CZFan

Reset button has various functions depending how long you press it during reset process.

Something like 5 seconds for factory reset, 10 seconds for metinstall and 15 seconds for capsman, can't remember the details but all described in wiki article

CZFan

The problem is on your side, not the Mikrotik device Since the device pops up in netinstall, firewall, etc is ok and network connection profile also. copy the .npk file into same folder as netinstall.exe Make sure you laptop/pc doing netinstall from is in same IP range as per boot IP address in neti...

CZFan

in the BGP peer config enable "as-override"

bgpasoverride.JPG

CZFan

make sure you enter the user that created the backup correctly, below from wiki Warning: If password is not provided in RouterOS versions older than v6.43, then the backup file will be encrypted with the current user's password, except if the dont-encrypted property is used or the current user's pas...

CZFan

When you referring to the TP-Link's MAC address, are you referring to the 3011's bridge host table, the switch host table or ARP table?

Maybe a good idea to post config of the 3011 config here (between code brackets) and a packet capture file, maybe someone spots a problem

CZFan

parent queues is responsible for distributing the bandwidth, not limits if you are using PCQ, then you should not have child queues, the system will automatically create sub streams with limits for each client based on the pcq queue type configuration, here you can specify a limit for all sub stream...

CZFan

select net boot and set ip to 192.168.88.3 Don't follow the manual on this, it is completely wrong Set ip to 192.168.88.1 instead and netinstall will work Dont agree The netinstall is a bootp server and will assign range you configure. I have been using range 192.168.1.2 in bootp client config on n...

CZFan

I never tried this, but should not need another "default script", just straight netinstall should work

CZFan

suspect the problem is with detect internet configs, I usually disable this by:

/int detect-internet set detect-interface-list=none lan-interface-list=none wan-interface-list=none internet-interface-list=none

CZFan

From a 3011 point of view, the TP-Link will just be another network device, so suspect problem is on your TP-Link side. I actually did one of these exact setups for another customer of mine the other day, was not the Archer but was TP-Link. I had to configure the TP-Link as Access Point only, restar...

CZFan

$40 is half the suggested retail price.

As far as bad block, dont know, might be the beginning of the end or it can still last a while, that you will have to decide if the price tag is good enough for the gamble

CZFan

make sure you selected the package file (.npk)

I usually place the package file in same folder as netinstall.exe

CZFan

error means client device disconnected but connected again before the previous session was teared down in PPPoE service.

You should look why the client devices disconnect frequently, that problem can be anywhere between PPPoE Access Concentrator and client device

CZFan

try changing the rule below to:

/ip firewall filter add chain=forward action=accept protocol=tcp dst-address=192.168.50.5 in-interface=sfp1.120 out-interface=ether1.2150 port=2223

CZFan

You shouldn't need to Awesome. It's just that Mikrotik's own guide said to add it in, and I was like "But why?" I'll try just using the default bridge, given it offloads to the switch, so therefore should be "wire speed" and not done in software. Mikrotik (And other vendors) ass...

CZFan

Some things you should try to do yourself atleast, below is where you can change the default route distance on a DHCP client More than happy to do so and to learn but quite frankly had no idea how to change the default route distance on a DHCP client... Thanks for your help there ! Pleasure, glad y...

CZFan

you are still mixing pcq and other queue types...

CZFan

Believe me Normis " clearly labeled INTERNET " is not enough for tipical residential Customers ;-D Is some cases they are even not able to find out an electrical plug... ;-D Rgds Deployed a FTTh solution in a golf estate, first question sked when customers calls in and say they have no in...

CZFan

...
Next question is how do I achieve it ? Those automatic routes don't seem to be "editable", at least not from Winbox...

Some things you should try to do yourself atleast, below is where you can change the default route distance on a DHCP client

distance.JPG

CZFan

I have not worked much with usermanager, but maybe rather do a backup / export of usermanager data, clear database, move it and then restore / import from backup

CZFan

You are confusing queue leaf objects and PCQ in your config.

Either change the queue type in leaf queues to "default-small" which will work perfect for 2M queues, alternatively configure the PCQ queue types correct and assign this to the parent and remove the leave queues

Search found 1981 matches