MikroTik

CZFan

If you followed the correct factory reset procedure, i.e. Power down router, press and hold reset button while powering up router until usr light starts flashing (about 5 to 7 seconds) release reset button. Then make sure you do not connect to ether1 of the router, but any other ether ports as there...

CZFan

Post output of "/export hide-sensitive" between code brackets, I.e.

CZFan

IIRC, you have VLAN's in your environment, should not use RSTP then, but MSTP instead

CZFan

Sounds like it might be a fragmentation problem, change PPPoE MTU back to 1480, test again

CZFan

1.
Change subnet on one of the sites, then use whatever routing you want to
Or
2.
Bridge the sites using EOIP tunnel and merge them into the same broadcast domain. What out for duplicate IPs, etc

CZFan

@OP:
First question, what speed internet do you have?

CZFan

Parent Q max limit=10Mb
Child Q's:
Pc1 limit at 5Mb max limit 10Mb
Pc2 same as above.

This way, they each guaranteed 5Mb, if there is spare bandwidth, it will be used which ever device requested it and if only 1 device active, it will have full 10Mb available to it

CZFan

Sounds like MTU problem in network

CZFan

CZFan

I know this is not directly Mikrotik related, but did post on Splynx forum but not getting any response, so hope someone here can assist me. I followed the link below in order to provide Splynx API user permissions on Mikrotik but Splynx consultant insists that it requires "full admin permissions". ...

CZFan

Is / has anyone else experience intermittent PPPoE drops with this version? I have a customer which is a fairly large ISP which and experiencing this. Besides for 1 router at a high site where the uplink ethernet interface goes up/down intermittently, the network is stable. I have pointed out the in...

CZFan

Can possibly be two scenarios, one is a register change if any of the devices are behind NAT.

Other is you need to connect using start->settings->VPN->the VPN you want to connect and click on connect there

CZFan

Depending on your network architecture, equipment, etc. the other option is to go OSPF/MPLS with VPLS

CZFan

https://mum.mikrotik.com//presentations/US08/janism.pdf

CZFan

Is there also an exam and a certificate as part of this effort, or is this just the training material...........

Mikrotik policy is you have to attend class based training to qualify for test / exam

CZFan

Can you repost the picture, can't access it

CZFan

https://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ

https://wiki.mikrotik.com/wiki/Manual:Q ... Q_Examples

CZFan

... i am looking at the data specs and it states that for 25 simple queues max troughput is just 4xx mbps which i think its very litle... ... I am not sure how you are reading the data specs, but the way I read it, for 25 simple queues, the max throughput is 9,792 Gb/s . You can probably expect a b...

CZFan

3cx has a packet capture facility, do a packet capture on 3cx server, view in wireshark to make sure correct port numbers are received by 3cx server from Mikrotik, if yes, then log call with 3cx, if no, come back here with packet capture details

CZFan

...
Update:
Tested it. Used
set 1 = ether 1
set 2 = ether 2
set 11 = switch1-cpu
...

Above is correct, the export seems to be screwed up in 6.46.4.

Apply as per my last post, then provide a full config, maybe there is a firewall rule or something preventing access.

use "export hide-sensitive"

CZFan

Was playing with vlan on switch chip config, did an export, and some of the export config will be confusing for someone looking at it and not have access to the device, this was on a RB2011 /interface ethernet switch port set 1 vlan-header=add-if-missing vlan-mode=secure set 2 default-vlan-id=1 vlan...

CZFan

Not fully tested, but this seems to work on rb2011, which has the same switch chip /interface bridge add name=bridge1 protocol-mode=none /interface vlan add interface=bridge1 name=vlan1 vlan-id=1 /interface ethernet switch port set 1 vlan-header=add-if-missing vlan-mode=secure set 2 default-vlan-id=...

CZFan

IIRC, under /interface ethernet switch port you need to use vlan-header=leave-as-is on the Hap AC², etc

CZFan

Have you tried reading the Mikrotik Wiki?

CZFan

I'm in love with new Log window

Ditto

CZFan

winbox64 is always opnening in a small window.....see picture

I am not experiencing the same, Windows 10 version 1803

CZFan

To access the Mikrotik from Internet, you should not look under nat / mangle rules, but filter rules, and then look for chain=Input

CZFan

Measure the gate in imperial, then convert the numbers to metric and build a new gate based on the metric figures, voila

Just joking, add a diagram, will make understanding what you want better

CZFan

If the old configuration were to contain some script, that sets passwords in your router and disables reinstall, it could do this before you run reset. @normis, Thank You, makes sense. Had a case where I suspected devices has been infected, did a netinstall but never checked if "keep old config" wa...

CZFan

I suggest to follow all MikroTik related news, this issue was fixed in April already. Please read instructions here: https://blog.mikrotik.com/security/winbox-vulnerability.html @normis, If I do a netinstall of an infected router, but "keep old configuration" is enabled, do an factory reset immedia...

CZFan

Is it normal for OSPF to drop / reload when only adding a comment on the OSPF
Try ro use CLI, i found that using
set comment="my comment" does not reset the session

I tested in CLI on GNS3 / CHR after the original incident, and did the same

CZFan

Sounds like you have a MTU problem on your network

CZFan

Also make sure you have a NAT/Masquerade rule to Internet for the VPN Subnet

CZFan

Wow, thx, did not expect that and dropped +- 1000 PPPoE connections earlier, ouch

CZFan

Take note that proxy will not work with HTTPS traffic, which is 90% of web traffic these days

CZFan

Is it normal for OSPF to drop / reload when only adding a comment on the OSPF Interface?

RoS and Firmware 6.45.8 Long Term.

CZFan

just had a case on a Hap AC2 where the 2,4 GHz wlan1 stopped running, nothing in the log file. Created supout file but when I restarted device to see if it solves the problem, the supout file created during the problem was deleted. (Supout file should be created in "/flash" if it exists by default) ...

CZFan

@anav,

Ports 9000 - 10999 is rtp ports, required for the voip audio, need 2 per voip conversation so nothing wrong there

CZFan

For PPTP you will also need the helper, i.e.

/ip firewall service-port
set pptp disabled=no

CZFan

This is more a question for 3cx forum

CZFan

You can setup an EOIP tunnel between office and home and access camera on dvr via via the tunnel

CZFan

The correct way will be to configure VLAN's for each subnet in a single bridge, alternative, you can remove ether4 from the current bridge and create the 2nd DHCP on ether4

CZFan

Just noticed the same thing, deployed OSPF for a customer Wednesday this week, the default route was being distributed at the time, checking this morning, it was not being distributed. Running 6.45.8 long term Changing distribute-default=always-as-type-1 to "never" and back to "always-as-type-1" cor...

CZFan

There is a way to bind a route to the VPN interface, late here now, had my sleeping pill already, so maybe try google, if you don't come right, come back here

CZFan

Here is my problem with this, you are asking someone to help you break the laws of the country, and that on a public forum?

CZFan

What you are looking for is called hybrid vlan, see:

https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

CZFan

You seem to have multiple instances of BGP, see below. BGP weights, etc will not work between instances i.e.: " /routing bgp instance set default disabled=yes add as=65100 name=LDC router-id=10.15.155.2 add as=65100 name=VDC router-id=10.15.155.6 " Change this to be in the same instance, i.e. defaul...

CZFan

Sorry, have not played with IPv6 on RouterOS yet, and see there is no "NAT" in IP6 firewall.

I assumed that NAT, i.e. changing of a source address, etc, will still be there.

Best maybe is to see why your IP6 is not working properly on RouterOS, posting copy of config here and someone might assist

CZFan

Have you tried a source NAT rule to the Mikrotik FTP server?

CZFan

Date.JPG

CZFan

It should be simple: - bridge all ports together - bridge itself is your untagged LAN - give PVID 2 to bridge port ether1 - add VLAN interface with id 2 on bridge - VLAN interface is your new WAN - configure VLAN assigment on bridge (in Bridge->VLANs), add VLAN 2 as untagged on ether1 and tagged on...

CZFan

So they are choosing wireless pollution and high latency? I suppose the problem here is that the current copper cabling infrastructure is so old and causing lots and lots of problems. To make that worse, the copper cabling theft here is huge, Telkom or the electricity companies will replace a cable...

CZFan

... In the past I even bought a SFP VDSL modem for it, to replace the Draytek 130 VDSL modem I use at home. But that never really worked, mostly because RouterOS does not include support for it to readout the line parameters and MikroTik apparently isn't interested in VDSL (I can understand they do...

CZFan

Start by looking at the cable between the CCR and netgear device, replace if necessary

CZFan

not sure I understand correctly, but Mikrotik ping has source address attribute / switch?

CZFan

@vortex,

Yes, I hear you and agree,but for a 25Mb/s internet connection, the RB2011 is over priced as that can be achieved with a hap mini.

Should the RB2011 had 10 x 1Gb/s ports, I can see a longer life time

CZFan

@pe1chl, yes, you are right, I think the typical networks these days and types fast FTTh connections users have at home, it is maybe time for this little "work horse" to retire

To me, the RB2011 is like Novell, still have a very soft spot for it but times have moved on and so should we

CZFan

Wow, for once, I can maybe assist @Sob, For "Provider Bridge" config, you don't need to add a vlan sub interface which is probably reason your config failed, the bridge (new bridge vlan filtering way) looks at ether type, and will add the SVID based on the pvid value of the customer facing "access p...

CZFan

I max out my 500/50 connection with the 2011 but I don't use queues.

Agree, I use to get +- 850 with my RB2011 on a 1000/100 Mb/s FTTh link. Had about 15 Firewall rules, no PPPoE though, was DHCP assigned IP. Latency was also super slow, my son use to kill the others while gaming

CZFan

Have you tried with:

/interface bridge settings
set use-ip-firewall=no

CZFan

you looking for something like this?

:local mydate ([:pick [/system clock get date] 4 6] . [:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 7 11]);

CZFan

The s-tag side needs to be confirmed as usually that is done on the ISP switch and commonly known as "provider bridge" config. With this, customers can then pass through any vlans they want. If above is correct, then all you have to do is standard vlan config on Hex. Confirm above first and post bac...

CZFan

Where is internet break out for site B?

CZFan

Sorry, don't like problems just thrown over the wall hoping someone will catch it and do it for you.

What have you tried so far, export of config what you tried?

CZFan

You should only need "read" & "write" permissions

Try and add below before the script name in the scheduler

/system script run <NameOfScript>

CZFan

Not necessarily the correct way, but with the limited information you provide, NATing everything out the bridge interface should give internet access to all devices behind the CCR

CZFan

can you provide results of below command in CLI?

/export hide-sensitive

CZFan

Look at your firewall rules, start with the ones on client devices

CZFan

Not sure if you noticed, but this is Mikrotik forum, not Microsoft / Windows.

Anyway, the way you have added the route it will not survive a restart, you have to use the "persistent" switch.

Best way will be to enable using the default gateway on remote network when you configure the VPN client.

CZFan

hi
I want to create a PPPoE server but I have a poor concept about firewall so I want to set firewall rules for my users. so I need some standard firewall rules for PPPoE server.
...

https://wiki.mikrotik.com/wiki/Manual:TOC
Alternatively
https://mikrotik.com/consultants

CZFan

Do you have fasttrack enabled? Either disable it or do more specific configuration for fasttrack

CZFan

@OP, please be more specific, is the 160Mb/s via LAN cable or wifi?

CZFan

Contact one closest to you:
https://mikrotik.com/consultants

CZFan

first need to understand your problem properly, broadcasts should not be able to cross vlans, so when you are saying you sending a broadcast and want to get this on another vlan, what exactly do you mean / doing?

CZFan

I think the answer to your question is point 2 in the quoted URL.

The route engine received the first path from the default BGP instance, and does not see the path from the other instance as "better" since the distance is 20 for both, hence it keeps the first path received

CZFan

Davis , Yes, I'm using IPSec in an L2TP tunnel on my router. After removing the NTP packet, the reboots stopped for 2 days. Then I installed this package again, turned off watchdog, and after 38 hours the router crashed without showing any signs of life. Now I have enabled watchdog and removed the ...

CZFan

... My question only applies to the firewall on the bridge. LAN is unstable when I disable "Use IP Firewall" option. It works fine also, when that option is disabled, and Torch is enabled for checking traffic in that interfaces. Only on ether, that have the same MAC address like bridge interface wo...

CZFan

If you are sending broadcasts, you should not see it in any other vlan. If you do, you config is wrong and the limited information about config supplied is not sufficient to help

CZFan

...
Do we really need to change the brand ?

Not sure if I am in a bad mood today, but when someone comes here and asks for help, and then puts a comment like above in their post, I am loath to even attempt to assist

CZFan

Search for hairpin nat

CZFan

Very good point, changed pool to only .250 and modified all the tunnels, still seems the EoIP doesn't want to come up... EoIP over internet directly, is it secure? M Secure? you were making use of PPTP, which is not secure at all! EoIP has IPSec option built in to encrypt data travelling across tun...

CZFan

... but I'm too afraid of having the wrong settings in the MikroTik.

Regards,
Martijn

I am afraid, you will then never learn networking. To learn / understand networking, especially in the beginning, there will always be lots of breaks, research, fix, rinse and repeat cycles

CZFan

Why use EOIP on top of PPTP? Just use EOIP straight

CZFan

I have not checked compatibility table, but try and disable auto negotiation and set speed / duplex to 1Gb/Full on both devices

CZFan

Can work, suggest make use of Vlans between the router and switch to logically separate the private traffic from public traffic

CZFan

I am not a gamer, but IIRC, to get "open" on the console, it must be directly connected to the Internet. One way of achieving this I suppose is to route a /29 to the customer, then at customer side, bridge 2 ports for the WAN. One port used for actual WAN and other for the console, then configure on...

CZFan

See post #2

CZFan

Lol, I think you have 2 choices:
1. Do a netinstall to correct it.
2. Send a supout file to Mikrotik support and ask for a favor if they can see how you got into this and how to get out of it.

Then please do tell

CZFan

To add to what @Zacharias said, also try and remove NAT on your CCR

CZFan

5GHz has a multitude of channels to scan, try and reduce this with scan lists and see if it helps

CZFan

...
it's a regular firmware (6.45.7 in our case) plus bugfixes and improvements only, without adding new functionality

I suspect the long term version does include new functionality, but only once it has been vetted via the stable release

CZFan

I’ve just received an answer from MikroTik: Thank you for the report. There is a known problem with enabled connection tracking and fragmented packets. If OSPF packet is being fragmented, then connection tracking passes it to OSPF twice, causing an error. Currently as a workaround I can suggest to ...

CZFan

...
sorry, mistyped, it not CSS but CRS326-24G-2S+RM as the main router

Same applies as per @Zacharias, rather get an additional device for the routing, i.e. Hex

CZFan

"Backup" utility is only meant for using between exactly same device for exactly these reasons, i.e. something went corrupt in software / config, then you use the backup to apply to the same device you made the backup from. They way to use between different devices is to "export" config, then edit a...

CZFan

You don't need to set switch-cpu as tagged, the bridge interface is the switch CPU port.

You seem to have configured VLAN's via switch and bridge config. Set ether5 under switch vlan menu back to defaults and test again

CZFan

Remove the client device in wireless registration table via CLI, i.e. /interface wireless registration-table remove numbers=?,?,? or /interface wireless registration-table remove [find where comment="Client1"] or /interface wireless registration-table remove [find where comment~"ient1"] or /interfac...

CZFan

Depends on your requirements, but typically, read default, it is off

CZFan

What is client IP address when ping from downstream, suspect that radio does not have route to client ip hence sending the packet upstream via gateway instead of back to client device

CZFan

My understanding is that it is suppose to add MACs from DHCP clients dynamically to ARP table, then you can prevent people using static IP config by setting interface ARP mode to reply only.

Have not tested it myself yet, but IIRC, read a couple of posts saying it does not work

CZFan

I think you need to re read the wiki info, based on the info in diagram you posted, it looks totally wrong and setting up EoIP is not rocket science stuff

CZFan

Have you tried with baud rate = 9600

CZFan

Contact one closest to you for this and other Mikrotik problems you are experiencing

https://mikrotik.com/consultants

CZFan

.... And of course you must be able to reach internet from the device. So in Tools->Ping try to ping 8.8.8.8. That must work. When not, fix it first. (check IP->Routes etc) It is much better to check ping mikrotik.com as it checks not only Internet access but also a DNS resolver. No, you need to pi...

CZFan

This very much depends on your environment, and there is not a one size fits all.

Suggestion will be to contact a certified consultant closes to you

https://mikrotik.com/consultants

CZFan

Sounds like a loop in the network, but the timing of 30 minutes is confusing me a bit.

I have seen people reporting that disabling neighbor discovery solves the problem, also (R)STP, but that might just hide an actual problem. With the various vlans, maybe configure MSTP if not already done

CZFan

restart your router to get new IP
Did he say he was on a dynamic address?
No. So it's not the most sensible suggestion.

Did he say he is on static? So you can take you comment and shove it

CZFan

Looks more like a SYN flood, restart your router to get new IP

CZFan

I dont think it can be done in one rule, just create an accept rule for the community one, then another for the no community one before your discard rule

CZFan

Maybe Audience is the better choice for what you want

https://i.mt.lv/cdn/rb_files/audience-1574152081.pdf

CZFan

You can also look into L2TP/IPSec, IKE/IKEv2 VPNs

CZFan

Client device's Wi-Fi data rate will not exceed 54 Mbps when wired equivalent privacy (WEP) or temporal key integrity protocol (TKIP) encryption is configured. The IEEE* 802.11n prohibits using high throughput with WEP or TKIP as the unicast cipher. If you use these encryption methods, your data ra...

CZFan

If device has been compromised, they might have disabled these services, then the only way to recover device is by netinstall, but you will lose current config though.

CZFan

@mozerd, Thx, my post was not to question / dispute what you said, I have little radio frequency technical knowledge and have a natural inquiring mind when it comes to technical stuff and like to understand why, how, etc. to learn more I understand that encryption using CPU will tax the CPU, but did...

CZFan

I understand that tkip is old technology and deprecated and fully anderstand that it can have a huge performance impact on devices like hap lite or even RB2011.
Now the hap ac2 is not a beast, but this CPU runs circles around the 2011. So my question is why such a big performance hit on hap ac2?

CZFan

can you post a redacted / sanitized version of "/export hide-sensitive" so we can have a look?

CZFan

...
SO I can see the Mac Mini from the Plex. But not vice versa.

If this is the result after setting bridge protocol mode to none, then you might possibly have a loop in your network causing the problems

CZFan

The device was probably compromised before you did software update, the ONLY way to correct that is to do a Netinstall

CZFan

That route, although it says reachable via ether6, will not be used by the router as the route is not "Active"

What you seeing might be a Winbox refresh thing, do you see the same when doing a /ip route print in cli?

CZFan

That article seems to be from the year 2012. Many security enhancements in Mikrotik since then.

Make sure you run at least the latest long tern version of ROS, have secure passwords and not allowing services to be open directly to Internet

CZFan

@mkx, no way that you will know, but fyi, Cool Ideas is the ISP's name so ether1 is the WAN

Also had a brief look through config, and besides what you mentioned, dont see anything else wrong and my suspicion is that problem is downstream to the other devices / switches

CZFan

@mkx, yes, you are correct, should have worded my post better, was more related to @cdiedrich's post re CPU going nuts with horizon config

CZFan

I dont see in OP what model the switch is and or topology, but what about switch port isolation?

CZFan

LeftyTs, the downloaded files are no longer visible in /files section when using Package Updater. You can still reboot the device and it will upgrade. Or use /sys pac upd cancel to free the storage.

Is this mentioned in the change details? Documented in Wiki?

CZFan

First question, which ROS version?

CZFan

Totally agree with @cdiedrich, but if you insist, and to expand on what @Zacharias said, you will need to configure proxy-arp on the LAN facing interface, may it be physical, bridge or vlan If that does not work, then you might have other network problems, i.e. firewall rules, routing issues, etc an...

CZFan

" how to “connect” the bridge to WAN? .. sorry im very much a noob at this"

This will be the "routing" part, so based on the IP configuration, etc, it will route from the bridge to WAN

CZFan

configure CRS port as a trunk port for the relevant vlans, then do tagging on the phone for phone and pc.

FYI, Grandstream support is this way ---->

CZFan

NATed traffic do go via firewall. In default config there is a rule that accepts Dst NATed packets.

If you want more control, change / remove this rule

CZFan

That is "DEFCON", and not "DEFCONF"

CZFan

or contact a certified Mikrotik consultant to physically meet you onsite and look at your network

https://mikrotik.com/consultants

CZFan

Maybe start with posting the config of the devices, failing that, maybe contact a certified Mikrotik consultant to physically meet you onsite

https://mikrotik.com/consultants

CZFan

@CZFan, name tab does the same...

Not disagreeing with you, I just always used the "#" header

CZFan

BTW, not only that relative time format is ugly and non-informative, ...

Maybe I am just getting old and becoming more resistive to change, but I agree with above

CZFan

Can you disable DHCP package? When I disable DHCP package, after restart it is enable again.

I read a while ago that DHCP package is now a prerequisite for the security package, so maybe that is reason it enables when restart

CZFan

No, something does not sound right here, especially if you say you had the same problem recently on a 260, which runs switchos and not ros.

Make sure basics are correct, i.e.
1. Your reset procedure is correct
2. Your CAPS lock is not on, etc.
3. You are trying to access the correct device,
4. etc

CZFan

What does your ISP use, DHCP or PPPoE?

CZFan

left click on "#" column header

q1.JPG

q2.JPG

CZFan

My assumption is they want to configure what they call these day "DMZ", i.e. forward all ports to the private IP of your router (In my view, term DMZ in this config is not the correct terminology)

CZFan

by using various electronic setups, i.e. voltage doubler circuits, etc

CZFan

The confusing bit for me is that most switches talk Watts not Volts and most are af standard but not af/at?
...

They all really talk the same language.

Power (W) = Volts(V) x Amperes(A)

So if a device gets 12V and draws 3A, Power(W) will be 36 Watts

CZFan

Your config seems wrong, hence I posted the links. i.e. you have 2 routes with a scope of 10, so how must the recursive route decide which route to use?

CZFan

https://wiki.mikrotik.com/wiki/Manual:I ... hop_lookup
https://wiki.mikrotik.com/wiki/Manual:U ... attributes

CZFan

Have you thought of making use of services offered by Mikrotik certified consultants?

CZFan

Best will be to post a copy of the configuration here, BETWEEN code brackets please.
Run "export hide-sensitive" in cli interface and post results here, then someone might spot a problem and advise

CZFan

The gateway of 0.0.0.0 is the gateway for the VPN connection, and I'd as per design.
0.0.0.0, in IP means this network, the VPN is a point to point connection, with the gateway 0.0.0.0 behing the gateway for this network, hope it makes sense

CZFan

Suspect the problem is due to limited disk space on hap lite.
Do selective package upgrade method or netinstall as suggested in post above

CZFan

With my old RB2011, I got around 100Mb down sitting about 3-5 meters from router. That was actual throughput. So what you getting is probably on par.

CZFan

First thing that comes to mind with you saying you had to enable fasttrack rules is probably firewall rule order.
Where is the fasttrack rule currently? Move to higher up, i.e. First or second rule as example, depending you firewall rule config

CZFan

Post a packet capture of where it is not working

CZFan

Not that it will matter, but you say guest is 192.168.68.1/24 but in queue you have a /23?

What does the ques say, do they show traffic / counters?

Have you tested 1 machine on its own, can it get full speed, may they cant and hence load is spread?

CZFan

I hope no one replies him back... He will just keep on being offensive and rude... I have already reported his post where he verbally attacks me...

To be honest, I don't give a flying F^&%%$ what he thinks, posts etc

CZFan

I see no reason to "admit I am wrong". Everything I have written here is correct. End of discussion.

So enlighten us why you say it will not work? Then we can also learn something not be so dumb

CZFan

Does it work when you connect to ports 6 - 10 on the RB2011?

CZFan

If you mean that Windows PC would have the role of router and MT router would be connected behing it as client, then yes, Windows can do it. You can find it it network adapter's properties, it's called something like "internet connection sharing". All I remember about it was that it worked, but it ...

CZFan

It looks like both of you are too dumb to understand that any usage of RoMon is not an option to solve the OP's problem of managing a router that is on a remote network behind another router doing NAT. I did not imagine that people could get that dumb, but apparently it is possible! Oh well... And ...

CZFan

I would assume I read it exactly the way you did. BUT: Nowhere did anyone say RoMon IS the solution, it is an OPTION. Maybe you know the OP personally and know what is within his power, but I suspect @Zacharias don't, and I definitely don't. So if this is so important to the OP, and it is within his...

CZFan

If you want to add sfp8 as a tagged (Trunk) port, use below

"/interface bridge vlan add bridge=BR1 tagged=sfp-sfpplus8 vlan-ids=62"

For management of device, you must set the bridge also as a tagged port

CZFan

Let me add, RoMon itself does not work over L3, BUT, if all devices are Mikrotik and running RoMon, you can access all devices over a L3 network via the RoMon agent. If configured as per above, it will create a RoMon network, similar to what OSPF does for L3 routing So if all OPs devices were Mikrot...

CZFan

I guess it will be something like

/ip firewall raw
Add chain=pre-routing dst-address-type=!local action=notrack

CZFan

So if you are coding a system, why do you want to make things complicated and add areas that can cause problems / errors, i.e. If this changed, restart service, if that changed, don't restart service, etc the list can go on and on... With a PPPoE user, I will agree with way it is, if anything change...

CZFan

MT PPPoE server only sends out MRU as option during discover / session stage

CZFan

RoMon works very good on a routed / L3 network, not wise the expose to Internet for obvious reasons

CZFan

@mkx,
I disagree, if one understands how DHCP / Lease, etc works, then "removing / deleting" the lease make 100% sense.

CZFan

In short, if you get a ping reply (via VPN connection), the routing is working, and if you can ping the name and get a reply (Via VPN connection), name resolution is also fine.

Then you need to look at firewall rules that might possibly block ports 80/443, etc

CZFan

.... A button that simply carried out the command would make a lot of noobs much more comfortable and save a lot of time with many people having to ask the question and wait for answers.

That button is there already!!

RemoveLease.JPG

CZFan

if you can ping the IP address, but not browse, then you probably have a name resolution problem, can be tested by using ping www.google.com or trace route to same url. Suggest you remove the mangle, etc rules created for the policy based routing, ensure the VPN is working 100%. Then follow below ex...

CZFan

what is the problem you are experiencing, total lack of internet access, i.e. unable to ping / trace route to a public IP like 8.8.8.8 or name / domain resolution?

CZFan

The info you provided is very limited. With that said, my first suggestion will be to check if you have NAT rule for the VPN connection.
Also noticed you have passthrough as yes, if there are other rout mark rules after that rule, packet might be remarked and not following correct route

CZFan

The channel width is 20, to use 40MHz channel, you make use of extension channel

CZFan

I was just trying to go with OVPN because its obviously more secure and newer. "obviously more secure"? I don't think so! Don't listen to those kiddies that claim their VPN pet project is the best, before you know you are in those queues here that always want the next VPN protocol to be added to Ro...

CZFan

Does not seem to be duplicate packets, as per screenshot, the sequence numbers changes. so I suspect packet loss between devices

CZFan

IIRC, there are steps to use the dual sim facility switching between sim cards using a script, then all you have to do is create a schedule to run the script at times you want to change between sims, search for this in Mikrotik Wiki and apply accordingly to your situation /application

CZFan

channel width = 20

CZFan

on 2011, hybrid vlan config is only supported on ports 1-5

CZFan

Only suggestion I can make is that you will have to record some packet traces to see where problem might be.

Below might help you start.

https://forums.developer.apple.com/thread/45283
https://forums.developer.apple.com/thread/45210

CZFan

@Sob, Thx, makes more sense again. Think what threw me out was 2 things: 1. I could successfully ping 192.168.200.14 from my Windows command prompt.This makes sense as the conn and routing is marked for table WAN2 before routing decision. 2. When I tried to ping from inside to outside, even when spe...

CZFan

Sounds like you have a loop in the network

CZFan

https://wiki.mikrotik.com/wiki/Manual:PCC

CZFan

Hi, I am trying to configure Dual WAN with mangle rules. The problem is access to the router itself. Attached is sample config from a lab I have setup, and cant seem to get access to the router once IP is disabled that provides default gateway and would have thought that PBR using mangle would have ...

CZFan

You can use POSIX regular expressions, with some exceptions.

Cool, thank you

CZFan

Or using filter by address and not by address list name: /ip firewall address-list print where address ~"46" /ip firewall address-list print where address ~"192.168.1.[8]" /ip firewall address-list print where address ~"55.[1]" very cool, learned something new again, the [] part, thank you for shar...

CZFan

check power supply

CZFan

fist step will be is "What has changed", i.e. last change made

CZFan

Just found on mikrotik wiki another piece of puzzling information: Warning: Only one L2TP/IpSec connection can be established through the NAT. Which means that only one client can connect to the sever located behind the same router. That's kind of limiting usefulness of VPN is not it? I mean rotuer...

CZFan

It's insantiy to use PPPoE in gigabit speeds, what are people thinking... I don't think the RB2011 can handle 1000Mbps PPPoE traffic. that's a lot of re-framing/fragmentation that needs to be handled in software. For pure IPv4 routing it surly can to much more. Maybe the RB4011 can handle it. Yup, ...

CZFan

I thinks OPs network is too small to be concerned about broadcasts, etc. Splitting up is just going to add unnecessary complication, and if you asking that type of questions, then I suspect the knowledge is not there yet, rather just KISS

CZFan

I am really struggling to understand what you asking, but anyway, the ip subnet in firewall rule is not the connection, but it is a subnet manually entered in firewall rule as one of the rules conditions

CZFan

Dont see any config for ether1 (Trunk to MK1) under bridge vlan on MK2

CZFan

Maybe better to post full config, maybe we can spot a typo error or something

CZFan

I am not sure I understand what you are trying to determine here, but my 2c's 1. RB951G is a SOHO device, 50 - 70, or even using up a /24 subnet, is not a SOHO environment. 2. As per your topology, LAN - LAN packets / frames should not touch the router. 3. I think the capacity of the router should b...

CZFan

https://wiki.mikrotik.com/wiki/Manual:W ... tion_Modes

CZFan

I used The Dude for this

CZFan

Technically speaking, that is not setting up a point to point link, that process is that extend your wifi...

CZFan

How do you mark traffic in Mikrotik?

Do a search for policy based routing

CZFan

Did you configure routes?

IPSec is interface less. Policy plays the game.

Not a "pure" IPSec site to site VPN, it is a L2TP Site to Site VPN, so normal routing applies

CZFan

With the limited info provided, my guess will be you probably have 2 DR/Master fighting over who should be DR/Master

CZFan

If you can ping from a pc one side to a printer other side and vice versa, then routing is working.

Then problem is probably due to Windows firewall as they drop connections coming in from different subnet than LAN address by default

CZFan

Nothing has changed, RB750r2 only has 16MB storage

https://mikrotik.com/product/RB750r2

CZFan

I tried to pair a tplink with Mikrotik using wds couple of years ago, did not go well

CZFan

The obvious question will be, have you tried a long term / stable version instead of a beta version?

Search found 1647 matches