MikroTik

CZFan

I am no scripting / coding expert, but to me it looks like there are some fundamental errors in your script

Should the $"bound" include the "s?
The above is referring to a variable, bot don't see where it is initialized
Then as far as I know, the "do {" should be "do={"

CZFan

I'm not entirely convinced your (CZFan) problem has anything to do with what is being discussed here. The config changes that were made by this bot to compromised routers were VERY small and VERY simple...3 "/ip firewall [filter/nat] add" commands and that's it. -- Nathan Probably right, think some...

CZFan

This topic so far: "I heard somebody got hacked"; "Me too"; "I have no firewall and use admin user". So please: - Use latest version (at least "long-term") - If you upgraded from a vulnerable older version, make a new user and new password, delete the old user - Do not use "admin" user, ever - Send...

CZFan

Hmmmm, when I updated my Hap ac2 to 6.45.5, I started getting all of a sudden lots of SSH timeout errors in log. On further investigation, all the firewall rules were broken as the in interface list item seems to have been deleted, so I suspect this started there already see topic https://forum.mikr...

CZFan

Is it dialup, i.e. ADSL or fiber connection? The ptoblem is going to be if the primary PPPoE (on router) is down, you will need L2 access to the secondary ISP for PPPoE to connect. On fiber, the ONT/ONU is usually configured for a specific ISP vlan, and if ADSL, the dialup will have to happen on mod...

CZFan

Sometimes I open 20 to 30 MAC Tel sessions, then make a mistake with entering password as example, then I have to close that session and search for the MAC again, so if it will allow 3 X login attempts it would be great, I.e Putty

CZFan

Would you mind sending the necessary support files / config to support@mikrotik.com and share the response here?

CZFan

Maybe first test with a pc's on each side of the 2011 before replacing

CZFan

Topic below might give you more insight

viewtopic.php?t=129048

CZFan

... I would like to ask for some feedback if you don't mind … --- Who and where-are-you to those who use the btest server ? --- Does the new IPv6 btest address appear to be working correctly ? --- And comments are always welcome …… North Idaho Tom Jones Hi Tom, From South Africa, I make use of this...

CZFan

You need to elaborate on what you mean "share" with your brother. If you want to share the bandwidth dynamically, i.e. when you not using, he gets 100% and vice versa, then all you need is the below: If you both use internet, then it will dynamically share, to test, start a speed test on both pc's a...

CZFan

You need to add switch1-CPU to the management vlan config, more info here

https://wiki.mikrotik.com/wiki/Manual:C ... s_examples

CZFan

What is the IP you get when using DHCP client, is it the same as what you configured statically?

The router further up might also have reply only on ARP, which will prevent you comms on network if not via DHCP

CZFan

The DHCP service must do the radius request

CZFan

IP addresses of the devices should be on bridge interface and not slave interface ether2.

What does Tools-->Profile show when you do transfers through the devices?

CZFan

can you share the full config?

CZFan

1. CRS devices are switches by design, and not routers, have low CPU specs.
2. You should test "through" these devices, and not from one to other
3. Depending on the configuration, i.e. firewall etc will also impact performance

CZFan

When you set interface in sniffer, do you use physical interface or PPPoE-out1 interface?

CZFan

Do not use interfaces as gateway, change this to the IP address of the gateway

CZFan

Then maybe it will s time to hire a certified consultant

CZFan

Have you applied at least 6.44.5 long term version?

6.40.9 is fairly old, and not sure why time is wasted on that

CZFan

/interface pppoe-server server remove [find where service-name="NameOfPPPoEService"]

CZFan

I suspect you problem is that you have 2 default gateways, one on each interface and due to the interface metrics, it is preferring the LAN.

Remove any gateway config from the DHCP service on the Mikrotik connecting the 2 NB's

CZFan

So why dont you just install 6.44.5 and test, inst5ead of "rolling" back to older version??

Also, you just post here "it is not working", not providing any configs, or packet captures, or anything. so you should not expect much in return

CZFan

without seeing the config, my guess would be there are no DHCP service running on VID 316

CZFan

It would work for a day or a week, but then it would start doing radius timeouts on new authentications. This was for a PPPoE server with about 50 sessions. Below a screenshot of active sessions on the 1036 as example, 91 active PPPoE sessions authenticated via Radius, device has been up for 58 day...

CZFan

very cool dashboard thingy

CZFan

Thx, geez, I would never have gotten to that

Why such a complicated way, bug?
Why does it just not work the same as "Not Equal", i.e. !=?

CZFan

I am trying to find devices in neighbor where ROS is "not like" 6.44.5, but cant get this working, tried various formats...

/ip neigh pri where version!~"6.44.5"

can anyone help me out please

CZFan

Has anything changed re Band Steering, I have a customer asking about this?

CZFan

I don't think OP asked about utilization of CPU etc, but port speeds. Depending on which CCR you have, you can change PPPoE to the SFP+ port which will give you 10Gb/s capacity, if you have the SFP only model, that will at least give you 1.25Gb/s for now. Else I think you need to split traffic from ...

CZFan

I am running 6.44.5 long term at various sites on different devices, i.e. 3011, 1009, 1036, etc. all accessing radius without any problems

CZFan

I am not sure you are allowed "advertising" on this forum

CZFan

https://wiki.mikrotik.com/wiki/Manual:I ... 8Q-in-Q.29

CZFan

I'm experiencing some peculiar issues on 6.40.9 (we haven't upgraded just yet. We definitely plan to.)

Surely the above should be the first step before asking help?

CZFan

He / I ....

CZFan

Seems to not work for me, goes into running state, but then nothing happens

Nterra Test.JPG

CZFan

The Capsman issue is cause you had the reset butted pressed for too long:
5 secs reset
10 secs Capsman mode
15 secs netinstall mode

CZFan

Either split DNS or hairpin NAT config will solve your problem

CZFan

If this device is directly connect the world wide web, I suspect you might have some bigger problems as the device might already be compromised. "jan/01/2002 22:14:02 by RouterOS 6.30.4"

Read up on netinstall, then apply at least 6.44.5 long term version with netinstall.

CZFan

I also have a need for this, so following...

CZFan

If you have no firewall rules, all traffic will be accepted

CZFan

Can also add a device each side of the wireless devices then use RSTP will a wireless bridge pass the xSTP related frames? To be honest, I dont know, never looked into it, according to Mikrotik, it seems possible, i.e. if bridged in Stations-WDS mode you can use RSTP, etc, so I suppose it will depe...

CZFan

or replace Hap AC Lite with Hap AC2?

CZFan

Sorry, should have stated, I never tested it, just popped in my head when I read the post, the concept is: cant draw as nice as @sindy :-) WL2---2GHz L2-----WL2 / \ ---RB1(With RSTP) RB2(With RSTP)----- \ / WL1----5GHz L2-----WL1 RB1 & 2 as a switch, i.e. all ports bridged

CZFan

Can also add a device each side of the wireless devices then use RSTP

CZFan

Mangle rules should be in pre-routing chain

CZFan

Hap AC lite only has fast Ethernet ports(100Mb/s), what port is on media converter?

CZFan

Not at laptop now, but the interfaces are just which is internal and which is external, i.e. In my case, PPPoE interface is external and bridge is internal

UPnP will dynamically create the relevant NAT rules, hence the warning, internal devices can open network access to the outside world

CZFan

couple of irregularities in your config, my suggestion will be for you to correct these before moving forward, e.g. 1. LAN Gateway IP address/network on router is a /24, but DHCP clients get issued a /8, routing is based on networks, no host info. 2. Instead of having 2 totally different IPs on the ...

CZFan

Then, time is now to post results of "/export hide-sensitive" here, (BETWEEN CODE BRACKETS)

CZFan

And I want receive ping result with percent and time sent=2 received=2 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms How can i do this? packet loss/success percent is easy to pull off: :local totalsent 10 :local success [/ping count=$totalsent x.x.x.x ] :put ($success * 100 / $totalsent) due t...

CZFan

@mrmut Thank you for such detailed feedback

CZFan

If info in post above is accurate, then you can't get 500 up as all interfaces of hex lite is 100 mbs

CZFan

You might have to do some src NATing on R1 side for WAN client in order for other side to return packets via R1

CZFan

No, I meant that does the 172 device know where to send packets destined for 192 range, i.e. DHCP range?

As a test, add nat rule below and test again from DHCP client
Add chain=srcnat action=masquerade out-interface=eth01_uplink

CZFan

What speed line did you get?

CZFan

Does the device 172.21.54.101 have a route back to the DHCP range?

CZFan

My first suggestion will be, make sure Winbox version is 3.19

Then it sounds like you are doing config via quickset, suggest you don't and do config manually

CZFan

Why change it, if it works and you get your full speed, leave it and allow them to monitor the link.

Then as to why, they probably have vlan config on the hex

CZFan

Are you sure you bought the correct model, I.e. There are 2 X SXT LTE models, supporting different LTE bands?

CZFan

I use my hAP AC Lite as travel router. Mostly using a wireless backhaul. Works perfectly, haven't had problems on connecting to any wireless network yet. So I fully disagree with @mkx (based on my experience). I suspect that is not the same thing what mkx is talking about, I suspect you are connect...

CZFan

You can still choose, if you want to do it for free, there is always No-IP DDNS service which is free. You might not be concerned re security, but the next person is, and his IT knowledge may not be up to scratch, then he will also blame Mikrotik, so where do you draw the line? I dont think there is...

CZFan

My son plays xbox with other players on www, only have Mikrotik in my house :-) The OPs problem is all the NATs along the path Can you post your settings for xbox as I cannot get my guest to play games against others over the internet :-( Also can you list which games specifically work? Have nothin...

CZFan

Not CapsMan as such, but crowded WiFi issue, see topic viewtopic.php?f=7&t=151772&p=748156#p748156

Still studying the doc and planning deployment...

CZFan

i think is better to wait the official announcement

Agree, they might want to withdraw the new version, etc

CZFan

Thank you for your kind answer. I hope one day MIkrotik may enable the name editing, like ASUS does already for its routers. I don't see reasons to don't let us do it..

As far as I know, ASUS, etc uses things like DynDns, etc, and you are welcome to use those also on Mikrotik

CZFan

Lets 1st setup management access for CRS (Using Vlan 123 as example) /interface bridge add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge1 vlan-filtering=yes /interface vlan add interface=bridge1 name=MGMT vlan-id=123 /ip address add address=10.1.2.3/24 interfac...

CZFan

Also keep in mind that should internet access fail over to USB LTE connection, you will lose incoming traffic such as port forwarding, VPN, etc

CZFan

This was posted as a reply to one of my wifi questions recently, might help you
https://mum.mikrotik.com/presentations/ ... 286214.pdf

CZFan

So the Barman says to the Hap AC, "hey, your IP address should have the CIDR notation, not your subnet mask"

Something else, DHCP scope should not include X.x.x.31, that is the broadcast address for /27, and routeros typically assigns IPs from high to low, so maybe you were issued .31 IP

CZFan

If you are the trying to ping from the CRS device, then the IP address must be on vlan123 and not the bridge

CZFan

My son plays xbox with other players on www, only have Mikrotik in my house

The OPs problem is all the NATs along the path

CZFan

Hello, I am making some progress …….. that is to say ….. I know what is going wrong …… I discovered IMHO a very obscure CRS behavoir. - I can ARP ping the other side (the gateway), using the ping tool (arp ping) and the test pc - but I can not (IP) ping the other side !! So level-2 is OK, but I can...

CZFan

You have not provided much info, and from what you have mentioned, I am not sure why L2 is a must. Both printing and VoIP can work across a L3 network. So I would use IPSec site to site (IKE) VPN between offices, configure the phones as an "External Extension", but routed across the VPN link, i.e. p...

CZFan

https://mum.mikrotik.com/presentations/ ... 286214.pdf

Above link should be of immense help in solving the WiFi issues.

Thx, some serious RF Knowledge there (Ron Touw)

CZFan

Sounds like one is screwed to provide a decent service per room at least wirelessly. ... It is a bit of a " damned if you do and damned if you don't " situation. The customers want to sit in their bedroom and get the full speed of the internet they pay for on wifi, so if you set settings accordingl...

CZFan

Hi, I need some help as per subject line. Have an estate where +- 1500 Mikrotik units are deployed at each Apartment / Flat, 99% of these Mikrotiks are Hap Lites with the odd Hap AC2 here and there. The problem is, some of these apartments/flats are very small, i.e. 1 bedroom units with only a singl...

CZFan

Do you have default gateway and / or DNS for client devices in DHCP?

CZFan

Personally, I would not use DHCP across the tunnel, if main site is down for long period, it will mean remote site internet access, local network printing, etc, will also be down.
Then issue DHCP from local routers and specify relevant gateway in scopes

CZFan

Upgraded Hap AC2 to 6.45.5 and getting ssh auth messages in log I did not get before 14:39:22 ssh,info auth timeout 14:39:23 ssh,info auth timeout 14:45:45 ssh,info auth timeout 14:46:37 ssh,info auth timeout 14:53:13 ssh,info auth timeout 14:53:13 ssh,info auth timeout 14:56:28 ssh,info auth timeo...

CZFan

Upgraded Hap AC2 to 6.45.5 and getting ssh auth messages in log I did not get before 14:39:22 ssh,info auth timeout 14:39:23 ssh,info auth timeout 14:45:45 ssh,info auth timeout 14:46:37 ssh,info auth timeout 14:53:13 ssh,info auth timeout 14:53:13 ssh,info auth timeout 14:56:28 ssh,info auth timeo...

CZFan

Upgraded Hap AC2 to 6.45.5 and getting ssh auth messages in log I did not get before 14:39:22 ssh,info auth timeout 14:39:23 ssh,info auth timeout 14:45:45 ssh,info auth timeout 14:46:37 ssh,info auth timeout 14:53:13 ssh,info auth timeout 14:53:13 ssh,info auth timeout 14:56:28 ssh,info auth timeou...

CZFan

2nd one seems to be routing out to the Internet, best will be to provide the full config of both routers "between code brackets"

CZFan

Thx sebastia, but it was more of a [sarcasm on][/sarcasm off] post for the people bashing Mikrotik for releasing security fixes, etc just to show bigger brands are not immune

CZFan

It did not make sense to me that a access port can be a member of mulipless VLAN's, so I just read up on d-links asymmetrical vlan, and all it is is a hybrid port, which Mikrotik already does. Or am I missing something? EDIT: Nevermind, found another article, and it sounds quite cool, in a nutshell,...

CZFan

https://threatpost.com/critical-cisco-b ... rs/147826/

CZFan

If the PCC and NAS are same vlan, then your config is wrong

CZFan

Where hybrid ports are possible, the "always strip" will only remove the tag that matches the pvid of the port, other tags will stay

CZFan

I have client devices that have their LAN address range as src-address, want to run a script that will remove / disable the src-address field and set the out interface as WAN interface list. I tired the following, but it tells me it needs an address range, which sounds logical, but how do I then rem...

CZFan

@SIB,

Thank you, looks like that "poll" error translates into a permissions problem, tested with admin user and worked.

CZFan

To provide more info, below is what works: :local UpdateFile {"Hap-Lite/ppp-6.44.3-smips.npk";"Hap-Lite/security-6.44.3-smips.npk";"Hap-Lite/tr069-client-6.44.3-smips.npk";"Hap-Lite/wireless-6.44.3-smips.npk";"Hap-Lite/advanced-tools-6.44.3-smips.npk";"Hap-Lite/dhcp-6.44.3-smips.npk";"Hap-Lite/syste...

CZFan

Switch off power to device, press and hold reset button and while doing this switch on power to device hold for approx 5 seconds , release reset button,

That should do the t

CZFan

Hi, I created 2 scripts, one to download ROS update files from another MT router and another to download a webfig skin json file, both via ftp The download of the package files work great, but using the exact same command for the json file fails with poll error. Is there anything special about the s...

CZFan

I don't think it is the device, but maybe the config or something in the environment. My suggestion will be go back to basics, the beginning, do factory default the device and test. Pending results, you should do further troubleshooting and keep support@mikrotik.com in the loop. Also post updates he...

CZFan

I think the firewall rules can be improved on, I.e order by moving established/related rules to top of chain

Have you tried by setting flow control to off?

CZFan

Electronic equipment like to run as cold as possible, when increasing the frequency/ clock speed, the chip will run hotter and shorten its life

CZFan

Use ether1 with ether2 or 4

CZFan

Use split DNS config or https://wiki.mikrotik.com/wiki/Hairpin_NAT

CZFan

Add routes on both sides for the other sides subnet

CZFan

Can't see your image

CZFan

You will not be able to access"All AP's" directly on port 443, i.e. Port Forwarding / Dst NAT.

Use VPN access, and then access APs via private IP:443

CZFan

Did not study config you posted, but will suggest you clean up the mangle rules, you have passthrough yes on all, and packets might change again with following mangle rule and results end up not as expected

CZFan

If you have hired a company to do the installation, then surely they must correct the problem / design of the network?

Alternatively, my suggestion will be to hire a Mikrotik Certified Consultant in your area. https://mikrotik.com/consultants

See above

CZFan

@Sob, my brain is tired, been fighting with L2 fiber provider all day for poor service, but just so I can follow, I can't see what is wrong in the webfig, it shows 1970k instead of 1970000, which seems to be correct according to my current tired brain?

CZFan

@pe1chl, also true

CZFan

Yes, I am aware of that, but how do the others do it, at train stations, airports ... ? a few weeks ago I set up a WLAN connection at the airport and I couldn't download any files. So there has to be a solution. I doubt they were able to block files download over an HTTPS connection. Only whole dom...

CZFan

Have not looked deep into this, but you can maybe try something like this: /ip firewall nat add action=src-nat chain=srcnat out-interface-list=WAN src-address=10.200.200.10-10.200.200.250 to-addresses=10.20.30.40 add action=src-nat chain=srcnat out-interface-list=WAN src-address=10.200.201.10-10.200...

CZFan

It sounds like a routing problem, so either the vpn client does not know where to send packets for dst 192.168.88.0/x or internal devices does not know where to send these back to, doubt it is the latter though as they should have a default gateway if they access the internet. Make sure you have a r...

CZFan

I suspect (R)STP packets, but best is sniff packets to be sure

CZFan

I suspect these devices were hacked, hence going offline due to the very old version.

My suggestion will to build a l2 link to the CRs, then connect these faulty ones to crs and do a netinstall across the l2 link

CZFan

https://mikrotik.com/consultants

CZFan

IIRC, RoS can inject routes if you connecting from a Mikrotik client, but don't think it can for Windows client. You will have to disable remote gateway and add routes manually to Windows clients for split tunneling.

For me personally routing all traffic via VPN while VPN is active is safer

CZFan

MNDP works on Layer 2, i.e. broadcast domain, cant cross Layer 3 network

CZFan

Change proxy-arp back to enable

On Windows 10 VPN client config, is "Use default gateway on remote network" enabled / ticked? if not, enable it and test again.

If still problems, post results of "tracert -d 10.0.0.1" from Windows client with VPN established

CZFan

I dont know if you are trying to setup L2TP manually over IPSec, but I don't see " ipsec-secret="My-Preshared-Secret" one-session-per-host=yes use-ipsec=required " in config line as per export: /interface l2tp-server server set authentication=mschap2 default-profile=VPN-L2TP enabled=yes \ keepalive-...

CZFan

My suggestion will then be place that SSID on a separate vlan, issue a different subnet via DHCP to those clients on the vlan and config routing for that subnet

CZFan

Not at laptop at the moment, will have deeper look into config tomorrow morning.

Off the bat I will change the 172.0.0.0/x IPs, these are outside the private IP range scope, use 172.16.x.x - 172.31.x.x instead

CZFan

If remote client is getting same IP range as per internal network where VPN server is, then you will need to enable proxy arp on LAN facing interface on VPN server.

Else post full export hide-sensitive here between code brackets

CZFan

Not sure if information missing, or maybe I don't fully understand requirements, but if you have an address list of source IPs, then these are already distinguished on the Mikrotik, why the need to complicate things with VLAN's? All then needed is policy based routing on source address list to go vi...

CZFan

Besides what @mkx said, I don't see where the client devices get DNS config from.

Add DNS server IPs under DHCP server networks

CZFan

Try downgrading to 6.44.5 long term version, suggest using netinstall to do downgrade

CZFan

Try version 6.44.5 long term

CZFan

Firstly, why incoming firewall rules for port 53? You are going to become a target for DNS amplification attacks.

Then read through below for SSTP config:

https://wiki.mikrotik.com/wiki/SSTP_step-by-step
https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP

CZFan

My suggestion will be for you to attend MTCNA training at an accredit Mikrotik trainer or hire services of a certified Mikrotik consultant

CZFan

https://mikrotik.com/consultants

CZFan

Dear all,

How to create new user who can't access ip>firewall in winbox not web. please suggest me.

Nazim Uddin

Don't think you can limit this with Winbox, only with webfig skin

CZFan

Personally I would rather connect a pc / laptop at each side and use something like iperf to test

CZFan

Start by providing the full config here between code brackets using command "export hide-sensitive" in Terminal

CZFan

This problem has been resolved, caused by a loop in the network

Thx to extremely knowledgeable forum member @sindy.

CZFan

SFP+ on 4011 broken. Please pull the update. I have had two switches go offline due to this update. Did you do the "Wireless Reset" as mentioned in previous version (6.45.1) change log? *) rb4011 - fixed MAC address duplication between sfp-sfpplus1 and wlan1 interfaces (wlan1 configuration reset re...

CZFan

So you say this rule in may router is the root cause? /ip firewall filter add action=drop chain=input comment="Drop ICMP on outside IF" in-interface=ether1 protocol=icmp But how come that one VLAN is ok and other is not? Why did a firmware upgrade solve the problem? That rule is on input chain, so ...

CZFan

Just following this really helpful thread as I have a similar configuration project for multiple L2tp users, however - /ppp secret set [find name=a1] remote-address=pg_A set [find name=a2] remote-address=pg_A set [find name=b1] remote-address=pg_B does not work on mine (version 6.44.5). It appears ...

CZFan

Start by getting routing only working first, I.e disable mangle and route marking rules.
Once routing is still not working, then troubleshoot from there, if working, then add mangle rules and see where it breaks

CZFan

Thx to both, selected Jotne's post as solution due to it being more "complete"

CZFan

Hi,

How can I check if an array is empty, e.g. I would like to:

If array is empty, do "Log Message 1"
else
do "Log Message 2"

CZFan

I forgot to add to my post, the speeds were via PPPoE->VLAN connection.

Maybe put config (export hide-sensitive) here, we can pick up a typo error or something

CZFan

The space issue is not a big thing, just download the separate packages and apply them. There is a thread that discussed that topic on this forum. Regarding speed issues, I have an install base of about 1200 Hap Lite's, speed I get through them is 100mb/s when connected wired, and between 60 and 65 ...

CZFan

Some experience i had with some other routers, the general setup is that if u have 2 networks, they wont see each other until you do routing. But Mikrotik for some reason does this for you. So to break this link all i did was: /ip route rule add action=drop dst-address=192.168.aa.0/24 src-address=1...

CZFan

2 Things:
1. I am not sure if someone here on this public forum is going to help you circumvent the laws of the country
2. Cant do / suggest anything if you do not provide more info, i.e. current config

CZFan

Trust you will make a quick and full recovery @sindy

CZFan

It shows on my CRS326 running 6.44.3

CZFan

I suspect your problem is due to what I call "The lazy mans" routing, i.e. NATing, packets are being src NATed one direction and gets to destination and back, but from destination routing is failing.

But as per @sindy, very difficult to say exactly where problem is without more info

CZFan

You should be looking at using a single bridge, then separating the staff and guest networks using VLAN's and firewall rules.

Below article should help
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

CZFan

try adding Routing-Mark=to_Wan2 to the route you are trying to add

CZFan

@sindy,
If you connect with me on Skype (ID under my profile), I can send the the packet capture file done on sfpplus2 to see if you can see anything strange

CZFan

i will get in touch with Mikrotik support
I'd neverteless like to see the config

As requested, see attached, info is a bit anonymized, so hope it makes sense

CZFan

No problem, will post it tomorrow

CZFan

Bump, anyone?

CZFan

@sindy, I don't know how to thank you, but again your posts have been extremely helpful and I learned a lot again! What you are saying about the CPU port makes a lot of sense and answered why I was seeing these frames (I keep forgetting the CPU is also seen as a "port") Yes, this ISP does have the b...

CZFan

Post the CRS config, maybe I can see something there (don't expect too much, though). And the output of /interface bridge port print.

I will be very surprised if there is something in the IT world that you can't resolve

CZFan

Will do that, but before I do that, my concern is not really why it is being sent to all clients from my CRS as ports going to client devices are trunk ports and contains all VLAN's of all ISPs, so it will make sense why from the CRS. But for some reason, these frames come in on the wire strange way...

CZFan

Host count shows just over 4200.

Not sure if this will help narrowing down where the problem is, but the interface directly connected to the ISP FP Rx count (Fast-Path?) shows exact same amount of traffic I see being "broadcast" to all devices.

CZFan

Post the results from "export hide-sensitive" here, someone will be able to look at any config problem

CZFan

I saw the keep alive responses being sent by the client device at the client device while the issue were present, i.e. I could see PPPoE session traffic to this client on other devices. What else I noticed short while ago, I looked at the MAC address of this client in host table in bridge, and notic...

CZFan

The CRS is a 326, max devices / MAC addresses inside the FTTh network is +- 2000. The concern I have is I have seen on the CPE management device these packets received sometimes reaches 80 - 90 Mb/s, this going all over the internal network not good, and it effectively becomes like a DDOS to custome...

CZFan

Apologies, I am providing L2 connectivity from clients behind OLTs to ISP's, the PPPoE AC is at the ISP. Yes, the dst MAC addresses belongs to customers behind the OLTs, traffic that I see, dst MACs changes every now and then, so it is not a specific customer behind OLTs whose traffic I see, but is ...

CZFan

@CZFan, @Anumrak's point of view made me review the whole thread and I've noticed I may be misunderstanding some points all the time. So 1) are the two clients whose traffic you could see to arrive to the "CPE management router" connected via your own OLTs or their MAC addresses are unrelated to yo...

CZFan

I am still experiencing the problem, and seeing these packets on ALL devices inside the FTTh network. Below screenshot from another customer device, seeing all these packets not meant for this device. I had something strange happen today, an not sure if I can replicate it again, but was trying to MA...

CZFan

I am not very au fait with Mikrotik Scripting, and not sure if the problem is with Scheduler in CHR or if script is incorrect, so if someone does not mind helping me out here it will be much appreciated. What I have is a script to backup Dude config and database (On CHR), but it seems to be creating...

CZFan

Thx all for the feedback.

@sindy, believe me when I say, your feedback carry way more weight than 2c's

CZFan

Thank you @Anumrak,

I will dig a bit further and chat again to ISP....

CZFan

PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address? Not sure I understand your post, is your question directed at me? Well yeah. I thought you didn't get why ds...

CZFan

PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address? Not sure I understand your post, is your question directed at me? Well yeah. I thought you didn't get why ds...

CZFan

For access to the device itself, i.e. Management ip and or access to services on device, i.e. DHCP, etc, you will have to provide access to the CPU using the "bridge port", so the command will be:

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether8 vlan-ids=10

CZFan

PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why torch should show you destination IP, when PPP tunnel operates only with mac address?

Not sure I understand your post, is your question directed at me?

CZFan

Ether1 is connected to crs switch.

I think what is happening is the device not storing end user device MAC address and broadcasting this PPPoE session packets on all ports?

CZFan

Anyone? It is happening again, same ISP but different customer in the FTTh network.

Reported to ISP again, but does not seem they know where the problem is, almost like vlan 501 leaking over to native vlan from their side?

Have pcap file if that will help, but I cant see anything funny in it?

CZFan

Yes there is, "/system reboot"

Maybe disable services that are not being used, i.e. Hotspot, routing, etc in System->Packages.

CZFan

Can the device you downloading to achieve more?

CZFan

Hi

Hint: next time export config with "/export hide-sensitive compact"

i am sure "export" defaults to compact?

CZFan

To ensure hardware offload on LAN ports, create first bridge and assign ports 1-4 and wifi to it. Create vlan interfaces and assign them to SFP interface. NATing, firewall rules, etc will need to be setup against relevant VLAN's, i.e. masquerade will need to go on out interface vlan 5. Create 2nd br...

CZFan

I had a situation today and want to understand why this will happen (Dont have much experience with PPPoE, etc) The environment is FTTh where customers connect to relevant ISP across Vlan & PPPoE, OLTs connects to CRS on Isolated Trunk (Vlan) Ports, then branches out to the relevant ISPs based on Vl...

CZFan

Is the VPN server a seperate device from Mikrotik? If so, you will have to tell the VPN server how to get to 192.168.1.x subnet

CZFan

Please under what circumstance can an interface on router got disabled automatically without manual disabling Your question is a bit vague, are you asking to disable an interface other ways besides doing it manually or did you have an experience where the interface got disabled and all the technici...

CZFan

????

Did you see the suggestion from @mkx posted 13 May?

CZFan

That does not look like the full export and without seeing firewall filter and mangle rules, it makes it difficult to make suggestions.

Read up on fasttrack, enable it and test again

CZFan

Hi, Not strictly a Mikrotik related question, but just want to see if you guys get the same. This started recently, can't ping any Google services with packets bigger than 92, if I do, packets gets corrupted. I get this from 2 locations which has nothing in common except using Mikrotik routers, diff...

CZFan

Have you followed below link?

https://wiki.mikrotik.com/wiki/Manual:C ... s_examples

If so, where you getting stuck?

CZFan

Start by upgrading to 6.44.3, then post results of "export hide-sensitive" here (between source code bracket so, see menu bot tons above)

CZFan

From your post, I ge the feeling there is a bigger picture / goal missing, anyway. Using info in your post, you do not need to do any config so on the chip level as it seems there will be no vlan switching. Then add the vlan to ether 5, add IP address to vlan interface, same with DHCP server. The si...

CZFan

Have you tried to connect with pc/laptop? Apple (iPhone, etc) have dropped support for pptp vpn a while ago due to pptp not being secure, not even allowing it on passthrough, maybe Samsung followed same process. Will be a good idea if you used another VPN type anyway, one that is more secure, i.e. L...

CZFan

Yes,

/interface vlan
add interface=bridge1 vlan-id=2 name=vlan2

/ip address
add address=192.168.2.1/24 interface=vlan2

Also see...
https://wiki.mikrotik.com/wiki/Manual:B ... witch_chip

CZFan

Besides admin users, IP addresses, for normal management, etc,you will have to configure the following as a minimum to get the link up:

1. Mode: "Bridge" or "Station Bridge" depending which one you replacing
2: SSID
3: SSID Password

CZFan

Not sure I understand correct, but there is only 1 Ethernet interface on these devices?

However, you can connect a switch on both sides of it

CZFan

Search for SXT passthrough

CZFan

I can't understand at all. That's pretty common here, I've reverted to guessing. Here in particular, I've guessed that "it's my Mikrotik" actually means "it's caused by some issue on my Mikrotik". Let's see whether the guess was correct. Must be a "bug" in the forum software, the crystal ball facil...

CZFan

The 866Mb/s is probably "Radio" speed, which will equate to approximately 50% of that for Data Throughput due to wireless overhead, etc. I recently replaced a Mikrotik LHG 5 AC wireless link with the Mikrotik 60GHz "Wireless Wire" product, end result is I have XBox / PS4 gamers on the other side of ...

CZFan

Yes, but it actually is a "Switch" by design, so not best performance if you have high speed routing requirements.

CZFan

I am not really sure you are successfully pinging the SXT (192.168.88.1) as both devices have that same IP config on ether1 interfaces, so your config seems totally incorrect . You already have a "router / firewall / DHCP / etc" in the SXT, why not make the Hap AC2 a "switch+AP" only device? See top...

CZFan

Suspect you have configured Proxy-Arp on interface(s).

CZFan

@sebastia,
I created a new "project" in gns3 today and again, one of the my routers mixed up the ether ports.

Would you mind sharing a bit more of your setup, i.e. Which version of gns3, using virtualbox, VMware player, workstation, etc?

CZFan

Took over client from another service provider, previous service provider created their own admin user / password and removed the default admin user. The equipment is now mounted on masts, etc, is there a way to get the default admin user / password from the device for record keeping purposes? Using...

CZFan

One bit of info missing, does the wireless link go down for 60 seconds before connects again? Reason I am asking is we have a wireless link, 2 x LHG 5ac's, short distance (about 700 meters) but sometimes takes up to 3 minutes to connect again if the wireless link dropped and reason seems to be takin...

CZFan

I'm trying to get CHR working on EVE-NG and it works but the interfaces dont seem to line up. I will put 192.168.1.1/24 on R1:ether1 and 192.168.1.2/24 on R2:ether1. I will make a connection from R1:ether1 and R2:ether1. I will then try to ping 192.168.1.2 from R1 with no success. I will move the I...

CZFan

I recently installed one of these Wireless Wire setups, straight from the supplier the 2 radios did not want to connect. After logging in on each device, I noticed both were in "Bridge" mode, changed the slave to "Station-Bridge" then it connected. Not sure if above is correct but my link is working...

CZFan

You will need to make use of firewall "fasttrack" rule.

Search the forum, many discussions re above, including on the 2011 router

CZFan

Your problems is that "Cisco Small Business" thingy

Just joking, have to echo what @anav said, without seeing config and / or more info on environment, very difficult to assist.

Maybe as a starting point provide full config (after deleting sensitive info) of 3011's and also a network diagram

CZFan

I figured it out!! You have to specify the time and day or days that you want the rule to be applied and then you have to press reset all counters to reset everything and allow the new rule to be applied. I checked it 3-4 times and it worked fine. Thank you all!!!! I suspect that you have a rule be...

CZFan

Don't quite understand your question, you say you have seen this configuration and state that it worked??? Anyway, to answer your question, yes, you mark the connection, then the packets of this connection, the "connection" is both "up" and "down" traffic. Then apply the queue tree config accordingl...

Search found 1396 matches