Search found 2036 matches

by CZFan
Thu Aug 05, 2021 2:16 am
Forum: Beginner Basics
Topic: Create a PPTP VPN
Replies: 1
Views: 76

Re: Create a PPTP VPN

You will have to ask ISP to configure port forwarding for PPTP on their router pointing to your router address.
by CZFan
Tue Aug 03, 2021 7:40 pm
Forum: General
Topic: bug with edit Access List in Mikrotik Pro mobile app
Replies: 6
Views: 158

Re: bug with edit Access List in Mikrotik Pro mobile app

That should not happen, create a support ticket by sending details to support@mikrotik.com
by CZFan
Tue Aug 03, 2021 3:15 pm
Forum: General
Topic: bug with edit Access List in Mikrotik Pro mobile app
Replies: 6
Views: 158

Re: bug with edit Access List in Mikrotik Pro mobile app

Can be, will have to wait for OP to clarify, but to quote OP:

the WiFi connection is broken and the changes made are reset before the apply button is pressed!
by CZFan
Tue Aug 03, 2021 3:07 pm
Forum: General
Topic: bug with edit Access List in Mikrotik Pro mobile app
Replies: 6
Views: 158

Re: bug with edit Access List in Mikrotik Pro mobile app

This is true for all configuration methods. Changes to access list will restart the wifi interface. Do this only from a wired connection, or simply be aware of this limitation
Understand that wifi interface will restart, but why are changes not applied?
by CZFan
Wed Jul 28, 2021 6:59 pm
Forum: General
Topic: Two providers. Unstable behavior. [SOLVED]
Replies: 9
Views: 401

Re: Two providers. Unstable behavior. [SOLVED]

@BlackRat, the setting you highlighted is IMO invalid. It's not logical to have address with network address set to same value....
It is a /32 address, and usually used for loopback interfaces
by CZFan
Mon Jul 26, 2021 9:31 pm
Forum: RouterBOARD hardware
Topic: Adding a cooling fan to CRS326
Replies: 49
Views: 10217

Re: Adding a cooling fan to CRS326

Alright. I see we have a few "gaming" home PC builders here. Firstly, the "rules of thumb" of gaming PC building do not apply to switches. Even if they did, a lot of people spread dumb "rules" out of ignorance in the PC gaming communities. ... I removed their special r...
by CZFan
Mon Jul 26, 2021 4:04 pm
Forum: Beginner Basics
Topic: Port Forwarding from VPN to Client on Ethernet [SOLVED]
Replies: 4
Views: 423

Re: Port Forwarding from VPN to Client on Ethernet [SOLVED]

It can differ a bit depending on your exact config, but if the IP of the VPN client is static, it can look something like below:
/ip firewall nat
add chain=dstnat dst-address=10.8.0.2 port=8081 action=dst-nat to-addresses=192.168.123.1 to-ports=80
Instead of dst-address, you can also use in-interface/l...
by CZFan
Mon Jul 26, 2021 1:34 pm
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 864

Re: Hex vs Hex S [SOLVED]

"Getting fibre" means nothing to me, i.e. here we have soooooo many people on fibre with packages 5Mb/s - 50Mb/s

Something in between the hEX and 4011 series, is also the hAP AC², very nice little router
by CZFan
Thu Jul 01, 2021 11:58 pm
Forum: General
Topic: ASK [ port-isolation?]
Replies: 1
Views: 260

Re: ASK [ port-isolation?]

Applied it successfully on a CRS326 a couple of years ago
by CZFan
Thu Jul 01, 2021 11:08 pm
Forum: Beginner Basics
Topic: Mangle L2TP vpn [SOLVED]
Replies: 10
Views: 1379

Re: Mangle L2TP vpn [SOLVED]

I suspect your problem is you don't have a route via the backup ISP, add a default route to this with distance of 3 and test
by CZFan
Tue Jun 22, 2021 2:00 pm
Forum: RouterBOARD hardware
Topic: CCR2004 real routing performance?
Replies: 3
Views: 1114

Re: CCR2004 real routing performance?

Had an incident with a client of mine recently where they peer with an Internet Exchange at data centre routing +- 200Mb/s on a 2004. The Internet Exchange route server sends constant route updates in BGP which causes the 2004 CPU to spike to 30% utilization every +- 45 seconds, when this happens, any...
by CZFan
Fri Jun 18, 2021 5:05 pm
Forum: General
Topic: Cant Open Ports
Replies: 9
Views: 567

Re: Cant Open Ports

Is this the "full" config, i.e. there is no Firewall Filter rules?

If not full config and there are firewall filter rules, then make sure you have a rule that allows Destination NAT
by CZFan
Thu Jun 17, 2021 9:11 pm
Forum: Forwarding Protocols
Topic: Setting OSPF interface cost by speed
Replies: 2
Views: 970

Re: Setting OSPF interface cost by speed

You can manually calculate costs using formula below to get similar costs like Cisco

Cost = 100000000/bw in bps.
by CZFan
Mon May 31, 2021 1:11 am
Forum: General
Topic: Packet Loss on Router Ping
Replies: 15
Views: 1259

Re: Packet Loss on Router Ping

Post current config after changes made
by CZFan
Mon May 31, 2021 1:07 am
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 15
Views: 1019

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

...But I've seen other posts too with problems configuring a /31 subnet between two Mikrotiks
official word from MT Support is that ROS does not support /31, have to use /30 or alternatively ptp addressing /32
by CZFan
Thu May 27, 2021 4:06 pm
Forum: Beginner Basics
Topic: RB 3011 Firewall
Replies: 5
Views: 512

Re: RB 3011 Firewall

Yep but default Firewall Rules are not useable when I'll try to reach a network via VPN and everything is blocked by a default firewall rule which blocks everything not coming from lan... Next Time I use safe mode till then reset and reconfigure is what I have to do :) What you can do is add interfa...
by CZFan
Thu May 27, 2021 2:51 pm
Forum: General
Topic: Packet Loss on Router Ping
Replies: 15
Views: 1259

Re: Packet Loss on Router Ping

First, thanks for have spent your time to do the graph. ... To add to this extensive list of incorrect configs on your device, you also have ether 2 as a slave port of the bridge, but have IP config 192.168.1.0/24 directly on the slave port which can possibly be the issue. If ether 2 should be part...
by CZFan
Fri May 14, 2021 6:34 pm
Forum: Beginner Basics
Topic: Queue tree + pcq no working for me
Replies: 10
Views: 858

Re: Queue tree + pcq no working for me

Hello friends, what I will ask here is that it is duplicated in many forums but I cannot find something that can help me and I have configured it in the possible ways. I have a mikrotik 4011 in production with 200 clients, I manage them by pppoe with plans of 5 and 15mb, configure queue tree + pcq ...
by CZFan
Wed May 05, 2021 12:15 pm
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 667

Re: IPsec Site to SIte behind NAT

Look at PC firewall settings, Windows firewall by default drops packets for "new" connections not from local subnet
by CZFan
Wed Apr 21, 2021 8:50 pm
Forum: General
Topic: IPIP vs GRE [SOLVED]
Replies: 7
Views: 815

Re: IPIP vs GRE [SOLVED]

... I just tried ... and IPsec works just fine without setting local address. Seems it automatically takes local IP address of interface used when routing towards peer. For most users that'll be interface used by default route. Hmmm, Yup, just tested and seems you are correct. I guarantee this was ...
by CZFan
Tue Apr 20, 2021 8:11 pm
Forum: General
Topic: IPIP vs GRE [SOLVED]
Replies: 7
Views: 815

Re: IPIP vs GRE [SOLVED]

In what cases do I need to specify addresses for both ends of the IPIP-tunnel, and in what cases it is not necessary?
I tried a IPIP-tunnel without addresses - everything works fine.
When you enable IPsec encryption you will need to specify a local address
by CZFan
Fri Apr 09, 2021 2:06 pm
Forum: General
Topic: ac2 vs ac3 wifi not over 200Mb
Replies: 13
Views: 1325

Re: ac2 vs ac3 wifi not over 200Mb

If both devices are on the desk, then maybe get some more space between them, as the radios are probably screaming at each other and causes noise
by CZFan
Fri Apr 09, 2021 12:37 pm
Forum: Forwarding Protocols
Topic: BGP Load balance over two routers [SOLVED]
Replies: 6
Views: 2017

Re: BGP Load balance over two routers [SOLVED]

I think the best in a case for above is to contact a certified Mikrotik Consultant in your area.

These guys pay big money to ensure they have knowledge and skills and are there for things like this to assist

https://mikrotik.com/consultants
by CZFan
Tue Apr 06, 2021 9:59 pm
Forum: Wireless Networking
Topic: set PVID of WDS dynamic interface? and wireless clients with a vlan-aware bridge
Replies: 6
Views: 1662

Re: set PVID of WDS dynamic interface? and wireless clients with a vlan-aware bridge

No, we don't use wds right now, but wanted. We need to avoid the "disconnection" and "reconnection" every time a device changes from AP to AP in our wireless environment, avoiding the need to get a new IP address. We have 2 SSIDs in Virtual APs, ("Corp" and "Guest"...
by CZFan
Thu Apr 01, 2021 1:22 am
Forum: Beginner Basics
Topic: Multiple VLAN on Single Port
Replies: 6
Views: 1172

Re: Multiple VLAN on Single Port

You are missing the bridge interface under bridge vlan table for vlan 999, need to add bridge as tagged interface
by CZFan
Mon Mar 29, 2021 7:30 pm
Forum: Forwarding Protocols
Topic: EOIP vs VPLS, less packet loss with EOIP?
Replies: 5
Views: 1229

Re: EOIP vs VPLS, less packet loss with EOIP?

I would start by looking at MTU configs
by CZFan
Thu Mar 25, 2021 2:40 pm
Forum: General
Topic: DHCP Offering Lease Without Success
Replies: 83
Views: 52098

Re: DHCP Offering Lease Without Success

... Now, the client must send a REQUEST for that address and the DHCP server answers with a REPLY and at that point the address is bound to the client. ... Just for correctness sake, the server does not answer with a REPLY message, but with an ACK, aka Acknowledge. Process is called DORA, i.e. D...
by CZFan
Thu Mar 25, 2021 1:20 pm
Forum: Beginner Basics
Topic: Date & Time from NTP Server [SOLVED]
Replies: 14
Views: 1307

Re: Date & Time from NTP Server [SOLVED]

2 things:

1. If you installed the "ntp" package, it changes the look/feel of the ntp client, and you will have to use scripts to make use of the FQDNs

2. If not, then see screenshot below for using FQDNs with ntp client
mtntpclient.JPG
by CZFan
Wed Mar 24, 2021 6:07 pm
Forum: Beginner Basics
Topic: Date & Time from NTP Server [SOLVED]
Replies: 14
Views: 1307

Re: Date & Time from NTP Server [SOLVED]

Tell Google that; it's time1.google.com. Yes, .0 is a perfectly legal address, depending on the netmask.
Snap!!! :-)
by CZFan
Wed Mar 24, 2021 5:49 pm
Forum: Beginner Basics
Topic: Date & Time from NTP Server [SOLVED]
Replies: 14
Views: 1307

Re: Date & Time from NTP Server [SOLVED]

216.239.35.0...
I know for sure that is not an NTP server.

Not sure I understand your reasoning, but an IP ending with .0 is a perfectly legal IP Address. Seems also it is Google Time server
googlentp.JPG
by CZFan
Fri Mar 19, 2021 6:44 pm
Forum: Wireless Networking
Topic: LTE Unregistered Status Codes
Replies: 3
Views: 1931

Re: LTE Unregistered Status Codes

Please read at start wiki about LTE
...

@SiB,

Would you mind posting a URL for what you refer to above, I am also currently struggling with LTE connection and looking for same info as per OP but can't find any info, been googling for last 2 hours
by CZFan
Fri Mar 19, 2021 6:09 pm
Forum: Wireless Networking
Topic: LTE Status / Error codes
Replies: 1
Views: 618

LTE Status / Error codes

Does anyone know where I can get LTE status / error code descriptions.

Trying to connect a Mikrotik LTE router with a private APN SIM Card, but get message "not registered, state 3" but can't find any info on this
by CZFan
Fri Mar 19, 2021 12:03 pm
Forum: The Dude
Topic: Unable to get Function / Probe working [SOLVED]
Replies: 1
Views: 1640

Re: Unable to get Function / Probe working [SOLVED]

Solved, seems it does not like the "-" in the function name
by CZFan
Thu Mar 18, 2021 5:40 pm
Forum: The Dude
Topic: Unable to get Function / Probe working [SOLVED]
Replies: 1
Views: 1640

Unable to get Function / Probe working [SOLVED]

I am trying to create a function / probe but just not getting any results. The function is supposed to report the interface utilization. Below is the Function "In-Utilization" code: if(oid("1.3.6.1.2.1.31.1.1.1.6.13"),round(rate(diff64(oid("1.3.6.1.2.1.31.1.1.1.6.13"))*8...
by CZFan
Wed Mar 17, 2021 5:19 pm
Forum: General
Topic: Mutiple SSTP servers
Replies: 4
Views: 355

Re: Mutiple SSTP servers

If I may interject here, Will be good to understand what exactly the OP wants to achieve, but SSTP is a "service" on the router, and will accept from any IP Address configured on the router depending on firewall rules. You don't bind SSTP to a specific IP per se. With SSTP and Road Warrior con...
by CZFan
Wed Mar 17, 2021 11:39 am
Forum: Wireless Networking
Topic: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]
Replies: 4
Views: 1092

Re: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]

Thank you @mkx, appreciate your response/feedback
...
Just to be sure modem doesn't emit smoke...

I did run the "no-smoke.bat" file, so all should be ok :-) (Giving my age away here again)
by CZFan
Tue Mar 16, 2021 8:22 pm
Forum: Beginner Basics
Topic: Two mikrotik routers conflict in same network, why???
Replies: 19
Views: 1593

Re: Two mikrotik routers conflict in same network, why???

STP is the symptom, and is behaving as per design, i.e. block/disable ports where there are network loops.

This is more to do with physical connections than config...
by CZFan
Tue Mar 16, 2021 10:17 am
Forum: General
Topic: No thermal pads with R11e-LTE6
Replies: 6
Views: 702

Re: No thermal pads with R11e-LTE6

Analogy, to build a wall you can stack the bricks on top of each other, or "Optionally" use cement mix between the bricks Wonder which is the correct way??? another thing, these thermal pads seem to be fairly difficult to get hold of, i.e. I have to do a round trip of 100km from where I a...
by CZFan
Mon Mar 15, 2021 10:00 pm
Forum: Beginner Basics
Topic: Two mikrotik routers conflict in same network, why???
Replies: 19
Views: 1593

Re: Two mikrotik routers conflict in same network, why???


Yes, problem was with stp! Somebody can elaborate why stp was problem and is only solution to disable it?
I don't think the problem is STP, I rather think you have a loop in your network
by CZFan
Mon Mar 15, 2021 9:45 pm
Forum: General
Topic: No thermal pads with R11e-LTE6
Replies: 6
Views: 702

Re: No thermal pads with R11e-LTE6

hmmm, and everyone will go and read that?
by CZFan
Mon Mar 15, 2021 5:50 pm
Forum: General
Topic: No thermal pads with R11e-LTE6
Replies: 6
Views: 702

No thermal pads with R11e-LTE6

@normis et al A customer of mine bought 2 x LtAP LTE6 kits and 2 x R11e-LTE6 modems and dropped off by me to install for him. Following the instructions as per Mikrotik, thermal pads need to be used on the 2nd modem installed in the router. My question is why are the thermal pads not supplied with t...
by CZFan
Mon Mar 15, 2021 1:06 pm
Forum: Wireless Networking
Topic: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]
Replies: 4
Views: 1092

LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]

Have the following, "LtAP LTE 6 kit + R11e-LTE6 + External Antenna" but have a couple of questions if someone does not mind to assist. 1. As per attached pic, the "tabs" that can be broken off to provide place for cables/connectors/etc, the ones on inside (white plastic) does not...
by CZFan
Sat Mar 13, 2021 11:05 pm
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 4
Views: 618

Re: Hetzner Subnet on Mikrotik CHR

You will need to enable proxy arp on the internal facing interface
by CZFan
Sat Mar 13, 2021 4:07 pm
Forum: General
Topic: Having issues with NAT mapping
Replies: 8
Views: 755

Re: Having issues with NAT mapping

Yes, relevant routes need to be in place, depending on the public IPs / setup, you do not have to have multiple routes, i.e. let's say the ISP issues (Not routed to you) a /29 range, 1 address will be used for the next hop gateway with 1 default route, you can then assign the other 5 on your WAN int...
by CZFan
Fri Mar 12, 2021 11:24 pm
Forum: Beginner Basics
Topic: Bypass school proxy for internet access on smart tv's
Replies: 2
Views: 398

Re: Bypass school proxy for internet access on smart tv's

Why don't you do it the right way, i.e. Log a call with whoever does the IT and explain the problem so it be dealt with
by CZFan
Fri Mar 12, 2021 5:16 pm
Forum: General
Topic: blocking port 53 incoming from WAN ports, block tons of packets
Replies: 9
Views: 814

Re: blocking port 53 incoming from WAN ports, block tons of packets

.. Is DNS attack by bots , I guess You are not "really" being attacked, but are being used to attack some other internet user If these packets are not dropped, it will have an impact on your upstream link as well as use additional resources on your router though. Will be better to drop the...
by CZFan
Thu Mar 11, 2021 10:57 pm
Forum: General
Topic: SIP Packets dropped unless Torch running
Replies: 11
Views: 888

Re: SIP Packets dropped unless Torch running

...SIP packets falling foul of MNDP.

I had a search of the forums but couldn't find the post you mentioned
viewtopic.php?f=21&t=171035&p=840920&hi ... dp#p840552
by CZFan
Thu Mar 11, 2021 4:38 pm
Forum: General
Topic: SIP Packets dropped unless Torch running
Replies: 11
Views: 888

Re: SIP Packets dropped unless Torch running

@networquk, pleasure, glad I could be of some assistance

@sindy, you are a blessing to the Mikrotik community, thank you and also thanks for the explanation, makes more sense to me now
by CZFan
Thu Mar 11, 2021 4:34 pm
Forum: Beginner Basics
Topic: RB 2011iL does not get Gib traffic
Replies: 19
Views: 1626

Re: RB 2011iL does not get Gib traffic

In 2016, when I had 1Gb/s fibre at my place, I used a 2011 and could get speeds of +- 850Mb/s to speedtest.net. +- 15 devices on the LAN/WLAN and approximately 15 FW rules + NAT, fasttrack enabled. Was not on a PPPoE connection but DHCP with the ISP. Only other difference was the WLAN was not part o...
by CZFan
Wed Mar 10, 2021 7:03 pm
Forum: General
Topic: Having issues with NAT mapping
Replies: 8
Views: 755

Re: Having issues with NAT mapping

As a minimum, you should have the following:
/ip firewall nat
add chain=srcnat src-address=LANIP1 action=src-nat to-addresses=WANIP1 out-interface-list=WAN
add chain=dstnat dst-address=WANIP1 action=dst-nat to-addresses=LANIP1 in-interface-list=WAN
nat add chain=srcnat src-address=LANIP2 action=src-...
by CZFan
Wed Mar 10, 2021 5:40 pm
Forum: General
Topic: NAT action SAME behaves just like NETMAP?
Replies: 7
Views: 740

Re: NAT action SAME behaves just like NETMAP?

My understanding is as follow:

Netmap - Maps IPs 1:1, so must be 1000 IPs to 1000IPs, i.e. a /22 to a /22
Same - You might have 1000 IPs mapping to 255 IPs, so the NAT will try and use the same NAT IP map per src/dst address pair, if src and or dst is different, it might use another IP to map/NAT to
by CZFan
Wed Mar 10, 2021 5:35 pm
Forum: General
Topic: SIP Packets dropped unless Torch running
Replies: 11
Views: 888

Re: SIP Packets dropped unless Torch running

Did you restart the router after disabling fast track? if not, the fasttracked connections in connection tracking table will stay active till timeout, and if active traffic on these connections can stay active indefinitely. Your firewall accepts established related packets, so should the phone initi...
by CZFan
Tue Mar 09, 2021 11:52 pm
Forum: General
Topic: Radius + Hotspot setup
Replies: 1
Views: 334

Re: Radius + Hotspot setup

The setup script adds a NAT rule automatically
by CZFan
Tue Mar 09, 2021 11:45 pm
Forum: General
Topic: SIP Packets dropped unless Torch running
Replies: 11
Views: 888

Re: SIP Packets dropped unless Torch running

Without seeing your config, it is just a guessing game. Torch disables a couple of things while running, i.e. Fasttrack, so if you have perhaps mangle rules for the phones and have fasttrack enabled, disable it, restart router and test If it does not solve the problem, post your config between code ...
by CZFan
Tue Mar 09, 2021 11:10 pm
Forum: General
Topic: NAT action SAME behaves just like NETMAP?
Replies: 7
Views: 740

Re: NAT action SAME behaves just like NETMAP?

Have you tried reading the Mikrotik wiki to understand how Same and Netmap works and what the difference is?
by CZFan
Fri Mar 05, 2021 2:50 pm
Forum: Beginner Basics
Topic: Two mikrotik routers conflict in same network, why???
Replies: 19
Views: 1593

Re: Two mikrotik routers conflict in same network, why???

... This is default config! Better option is to set IP to bridge? Thanks. If that is "default", then you have very old ROS version, then better you upgrade, then reset config to default and start again Yes, IP should not be attached to slave interface, should be on master, i.e. bridge int...
by CZFan
Fri Mar 05, 2021 10:34 am
Forum: Beginner Basics
Topic: Two mikrotik routers conflict in same network, why???
Replies: 19
Views: 1593

Re: Two mikrotik routers conflict in same network, why???

couple other things incorrect, you have IPs assigned to slave interfaces on both sides, i.e on ether 2 which should be on the bridge interface
by CZFan
Tue Mar 02, 2021 11:40 pm
Forum: General
Topic: ASK [vpls PW]
Replies: 8
Views: 575

Re: ASK [vpls PW]

by CZFan
Tue Mar 02, 2021 1:24 pm
Forum: General
Topic: ASK [vpls PW]
Replies: 8
Views: 575

Re: ASK [vpls PW]

IIRC, you use tagged type when you make use of service tags inside VPLS cloud

more info below

https://tools.ietf.org/html/rfc4762#page-11
by CZFan
Wed Feb 24, 2021 10:08 am
Forum: General
Topic: PVID for BGP VPLS interface on a bridge
Replies: 5
Views: 1554

Re: PVID for BGP VPLS interface on a bridge

Off the bat, have not tested it, etc. possible solutions might be:

1. Assign Vlans to a VRF and use the VRF, or maybe
2. In bridge port, you can select interface called "dynamic" and assign pvid there
by CZFan
Tue Feb 23, 2021 3:04 pm
Forum: General
Topic: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71
Replies: 10
Views: 674

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

OP:

Just a word of warning, your public IP is visible on those screenshots, let me know if I am close :-)

EDIT: IP Removed
by CZFan
Mon Feb 22, 2021 9:27 pm
Forum: Beginner Basics
Topic: Playing with Routes.
Replies: 4
Views: 500

Re: Playing with Routes.

without recursive routing, will be something like this (trying to keep with your method of explanation):
Route Rules:
LAN1: SrcAdd(LAN1) Table(LAN1)
LAN2: SrcAdd(LAN2) Table(LAN2)
Routes:
route 1 isp1 wan, route-mark LAN1 distance=1
route 2 isp2 wan, route-mark LAN1 distance=2
route 3 isp2 wan, rout...
by CZFan
Fri Feb 19, 2021 9:52 pm
Forum: Wireless Networking
Topic: MİkroTik Wireless Gig+ Test
Replies: 14
Views: 1536

Re: MİkroTik Wireless Gig+ Test


WoW, for that price, I will rather buy 6 x RB4011s and place them all over where needed :-)
by CZFan
Fri Feb 19, 2021 9:28 pm
Forum: Beginner Basics
Topic: Playing with Routes.
Replies: 4
Views: 500

Re: Playing with Routes.

Can this be done without mangling is the challenge?

Yes, by using route rules with routing mark/route table for each LAN/WAN combination.

Then create 2 rules for each routing table, one with distance of "1" and another "2", recursive routing will serve better here
by CZFan
Fri Feb 12, 2021 4:40 pm
Forum: General
Topic: IPIP, GRE and IPsec tunnel is not working.
Replies: 6
Views: 613

Re: IPIP, GRE and IPsec tunnel is not working.

Without seeing the configs, your guess is as good as mine
by CZFan
Thu Feb 11, 2021 10:26 am
Forum: General
Topic: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish
Replies: 4
Views: 401

Re: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish

No, they probably have a ttl of 64 or 128, etc and decrement from there as they cross hops Let me rephrase, There is option in filter rules that you can check the TTL under advanced tab and then add src address to address list, but what I meant with the "No" is that they will most probabl...
by CZFan
Wed Feb 10, 2021 11:04 pm
Forum: General
Topic: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish
Replies: 4
Views: 401

Re: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish

No, they probably have a ttl of 64 or 128, etc and decrement from there as they cross hops
by CZFan
Wed Feb 10, 2021 10:51 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 21
Views: 6929

Re: 31 subnet - Not finding an answer to default gateway.

Have config at a WISP client of mine where I am using /31 between them and their upstream provider.

My client side is a MT and upstream provider side is Cisco, using the Cisco as GW
by CZFan
Wed Feb 10, 2021 12:43 pm
Forum: Beginner Basics
Topic: EoIP Tunnel Clamp TPC MSS
Replies: 7
Views: 819

Re: EoIP Tunnel Clamp TPC MSS

@CZFan and what Clamp mss in EoIP does? Not sure if I understand the question correctly, but: OP did not mention EoIP tunnel MTU size in OP, so with that, if the tunnel MTU was set at 1500, then the "Clamp TCP MSS" in EoIP config will clamp the MSS at 1460, which might not be low enough. ...
by CZFan
Tue Feb 09, 2021 10:40 pm
Forum: Beginner Basics
Topic: EoIP Tunnel Clamp TPC MSS
Replies: 7
Views: 819

Re: EoIP Tunnel Clamp TPC MSS

Clamp mss in EoIP will only clamp it based on tunnel mtu size, it doesn't know what the mss size is end to end
by CZFan
Tue Feb 09, 2021 8:45 pm
Forum: General
Topic: CRS354 remove interface=all from bridge
Replies: 3
Views: 340

Re: CRS354 remove interface=all from bridge

Assign an admin MAC to the bridge interface, will probably drop you but then connect again, that should prevent dropping you changing bridge ports as the bridge won't change MAC address
Have not tested it
by CZFan
Wed Feb 03, 2021 11:38 am
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 324
Views: 76056

Re: v6.48 [stable] is released!

I'm wondering if perhaps they do not intend to release a 6.49 (moving to v7 instead as the next stable release after 6.48) ...
I suspect there is a big push to get V7 out, hence the huge change released in Dec 2020, but suspect we will still get a couple V6 updates
by CZFan
Tue Feb 02, 2021 8:17 pm
Forum: General
Topic: Still no luck with simple Bridge
Replies: 12
Views: 1029

Re: Still no luck with simple Bridge

.... If I do keep it as is but put the WAP on NAT, yes, it works...but triple NAT. I find it crazy the WAP can't do what a cheap $20 ethernet extender can do. The UBNT picostation does it fine, but lacks the connect list...but I guess will work if I setup some hacking way to do a connect list on it...
by CZFan
Tue Feb 02, 2021 8:05 pm
Forum: Beginner Basics
Topic: Block Connection to router
Replies: 4
Views: 634

Re: Block Connection to router

From the export you provided, I can't see any reason why disabling that rule will drop VPN connections, unless the export is not all info
by CZFan
Tue Feb 02, 2021 8:03 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 20
Views: 1376

Re: hAP ac3 - VLAN & inter-VLAN

All routing is done via CPU, firewall will see this traffic
by CZFan
Tue Feb 02, 2021 7:42 pm
Forum: General
Topic: Why doesn't a DNS dstnat rule create an open resolver?
Replies: 6
Views: 595

Re: Why doesn't a DNS dstnat rule create an open resolver?

That looks like a fairly standard default Mikrotik firewall config, difficult to see details from screenshots, export much better If my assumption is correct above, it will mean that you typically allow DST NAT in the "Forward" chain, not "Input" chain, and as per example, you ar...
by CZFan
Tue Feb 02, 2021 7:35 pm
Forum: General
Topic: Same IP Address on two separate bridges
Replies: 2
Views: 380

Re: Same IP Address on two separate bridges

With devices in the same subnet being on both sides of the router, I don't think ARP Proxy is going to help you here. Off the bat, the only other way I think this will work is, but sounds more of a mission than you already do: Assuming you are on the LAN side, add 192.168.1.254 on WAN side interface,...
by CZFan
Tue Feb 02, 2021 7:19 pm
Forum: General
Topic: Why doesn't a DNS dstnat rule create an open resolver?
Replies: 6
Views: 595

Re: Why doesn't a DNS dstnat rule create an open resolver?

The only reason will be if a firewall is blocking connections from the outside, else those rules will redirect (NAT) anything with a destination port of 53 to 192.168.88.1 Also, you will still need to enable "Allow remote..." in DNS service on router, else the router will not respond to DN...
by CZFan
Tue Feb 02, 2021 6:57 pm
Forum: General
Topic: Why doesn't a DNS dstnat rule create an open resolver?
Replies: 6
Views: 595

Re: Why doesn't a DNS dstnat rule create an open resolver?

"...they suspiciously look like the rules for port-forwarding..."

Reason is that is exactly what those rules are, they will just redirect (NAT) packets to which ever DNS server you point them to in the NAT rule, may it be your router or Google DNS servers, etc
by CZFan
Tue Feb 02, 2021 4:42 pm
Forum: SwOS
Topic: Split Horizon
Replies: 1
Views: 1042

Re: Split Horizon

Not sure I follow.

Layer 2 is logically segregated right, that is one of the reasons for Vlan's?

To block comms between these on Layer 3, use firewall
by CZFan
Tue Feb 02, 2021 4:20 pm
Forum: General
Topic: Netinstall and CCR1009 [SOLVED]
Replies: 2
Views: 595

Re: Netinstall and CCR1009 [SOLVED]

Ether1 does not apply to all routers for Netinstall,

For the CCR1009, I think it is ether7, check on the router, it will be marked "boot"
by CZFan
Fri Jan 29, 2021 12:23 am
Forum: Forwarding Protocols
Topic: Broadcast bridging to ptpp vpn
Replies: 1
Views: 534

Re: Broadcast bridging to ptpp vpn

Search Mikrotik wiki for EoIP or BCP (Bridge Control Protocol)
by CZFan
Fri Jan 29, 2021 12:04 am
Forum: Beginner Basics
Topic: Speed issue with Mikrotik CCR2004
Replies: 5
Views: 711

Re: Speed issue with Mikrotik CCR2004

Try 6.46.8 long term version
by CZFan
Fri Jan 29, 2021 12:01 am
Forum: Beginner Basics
Topic: Internet drops to 0 kbps for 1-2 seconds
Replies: 4
Views: 428

Re: Internet drops to 0 kbps for 1-2 seconds

I think you need to explain how you are monitoring this, if it is watching the interfaces in Winbox, then it might possibly just be refresh rates, etc in Winbox
by CZFan
Thu Jan 28, 2021 11:32 pm
Forum: General
Topic: DNS Traffic with Multi WAN Routers
Replies: 1
Views: 269

Re: DNS Traffic with Multi WAN Routers

You don't mention how you split the load across the 4 x WANs, so I can only assume: 1. Router sends the traffic across its DG with lowest distance. 2. You have configured DNS cache / proxy, so router does lookups on behalf of client devices, and follows point 1 above BTW, both your mangle rules are...
by CZFan
Thu Jan 28, 2021 11:19 pm
Forum: General
Topic: New Winboxes can`t connect older RoS via L2
Replies: 6
Views: 768

Re: New Winboxes can`t connect older RoS via L2

Had same issue when I factory reset a customer of mines router, what resolved it was to add static IP address on my laptop (usually on DHCP)
by CZFan
Thu Jan 28, 2021 11:06 pm
Forum: General
Topic: Hardware choice for BGP+OSPF 1/2/10G
Replies: 4
Views: 505

Re: Hardware choice for BGP+OSPF 1/2/10G

Why will you need full tables with only one peer?
by CZFan
Thu Jan 28, 2021 8:25 pm
Forum: General
Topic: How can I see connections in LAN
Replies: 3
Views: 376

Re: How can I see connections in LAN

For Torch to see the traffic, you will need to disable "Hardware Offload" of the interfaces bridged in Menu-->Bridge-->Ports

Note: This will have a negative performance impact for traffic between interfaces in the bridge
by CZFan
Tue Jan 26, 2021 11:32 pm
Forum: Beginner Basics
Topic: New to RouterOS and need some beginner's help.
Replies: 5
Views: 598

Re: New to RouterOS and need some beginner's help.

You mention cost and stability as reasons, here is your first lesson Mikrotik related, don't use "stable" version when you upgrade RouterOS, for stability reasons, use long term version
by CZFan
Tue Jan 26, 2021 5:13 pm
Forum: Beginner Basics
Topic: RB4011 - Simplest Way to Rate Limit One Interface
Replies: 1
Views: 316

Re: RB4011 - Simplest Way to Rate Limit One Interface

I would just use below, those burst settings you have will bring no value
/queue simple
add disabled=no max-limit=16M/16M name="PC-LIMIT" target=ether1
Then make sure you have no fasttrack enabled in firewall or bypass fasttrack for this device / target
by CZFan
Tue Jan 26, 2021 3:22 pm
Forum: Beginner Basics
Topic: IP sec negociation error
Replies: 6
Views: 656

Re: IP sec negociation error

If I am reading this correctly, the Mikrotik is sending, so you will have to get access to the logs / packet capture on the other side to see what the problem is, maybe the packet never reaches it, etc
by CZFan
Tue Jan 26, 2021 12:38 pm
Forum: Beginner Basics
Topic: Switch chip
Replies: 9
Views: 1057

Re: Switch chip

You don't give much information to go on, i.e. sample of your config, but I am convinced the reason will be that your config is not complete, i.e. need to add switch-cpu interface in the switch vlan table for that vlan
by CZFan
Tue Jan 26, 2021 12:32 am
Forum: Beginner Basics
Topic: CRS3xx flexible Vlan Translation
Replies: 3
Views: 508

Re: CRS3xx flexible Vlan Translation

The solution url you quoted is to enable bi directional communication, and I am not sure if this is the same as "bridge" as per your requirement.
I don't have a device to test with, but suspect it might work for you, but like I said, can't test or verify it
by CZFan
Tue Jan 26, 2021 12:15 am
Forum: Beginner Basics
Topic: IP sec negociation error
Replies: 6
Views: 656

Re: IP sec negociation error

1. Does Zyxel belong to Sonicwall? Those screenshots look extremely familiar from when I last worked on Sonicwall in 2014. 2. I believe you are still showing the WAN address on the Zyxel side 3. Not sure if it is your problem, but you have key group set on DH5 at Zyxel side, I believe this translates to 15...
by CZFan
Sat Jan 23, 2021 11:04 pm
Forum: General
Topic: Access Point with VLANS does not get an IP Address / Can't Access The Internet
Replies: 1
Views: 278

Re: Access Point with VLANS does not get an IP Address / Can't Access The Internet

Duplicate post, but there is no dhcp client configured
by CZFan
Sat Jan 23, 2021 10:45 pm
Forum: General
Topic: Mikrotik VLAN with Access Point Configuration [SOLVED]
Replies: 7
Views: 822

Re: Mikrotik VLAN with Access Point Configuration [SOLVED]

Apologies, @mkx correct, I quickly scanned over the config.

But I don't see a dhcp client line item in config and that is probably reason AP can't get IP from DHCP
by CZFan
Sat Jan 23, 2021 10:20 pm
Forum: General
Topic: Mikrotik VLAN with Access Point Configuration [SOLVED]
Replies: 7
Views: 822

Re: Mikrotik VLAN with Access Point Configuration [SOLVED]

Add bridge as a tagged member/interface of management vlan in bridge vlan table
by CZFan
Sat Jan 23, 2021 12:01 am
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 834

Re: invalid dhcp server on vlan interface

The bridge has two sides to it, one is bridging interfaces, the other is an interface itself which provides access to the CPU for accessing resources on device itself like DHCP, management of the device itself, etc. So like I mentioned earlier, to achieve above, you need to provide access to this in vlan ...
by CZFan
Fri Jan 22, 2021 3:14 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 834

Re: invalid dhcp server on vlan interface

You can use any method, but you have to give access to the Bridge / Switch CPU interface on that device in order to access resources, i.e. DHCP, Management, etc on it
by CZFan
Fri Jan 22, 2021 2:58 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 834

Re: invalid dhcp server on vlan interface

You have configured both methods, i.e. bridge vlan as well as switch vlan.

Should just be one or the other, and in neither did you configure access to the Bridge / Switch CPU interface

HINT: From URL you quoted:

add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
by CZFan
Wed Jan 20, 2021 12:06 am
Forum: Forwarding Protocols
Topic: Limit access VPN
Replies: 3
Views: 788

Re: Limit access VPN

The steps you can take:
1. Drop L2TP that is not encrypted, explanation / sample config in wiki
2. Use strong passwords
3. Use RSA authentication
by CZFan
Tue Jan 19, 2021 11:32 pm
Forum: Beginner Basics
Topic: Slower performance when connected directly to router!
Replies: 12
Views: 1178

Re: Slower performance when connected directly to router!

Why is ether 1 mtu set at 1508?
by CZFan
Mon Jan 18, 2021 11:29 pm
Forum: General
Topic: iperf3
Replies: 3
Views: 848

Re: iperf3

You don't want to test to/ from router anyway, as you will run into limitations of CPU, etc, so will not gain much. Best is to test "through" the router, and in that case, iperf is a good tool
by CZFan
Mon Jan 18, 2021 11:13 pm
Forum: Beginner Basics
Topic: Two SIMS in one modem.
Replies: 5
Views: 794

Re: Two SIMS in one modem.

Only one sim slot can be active at a time
by CZFan
Mon Jan 18, 2021 11:03 pm
Forum: Forwarding Protocols
Topic: Limit access VPN
Replies: 3
Views: 788

Re: Limit access VPN

If these were a "site to site" VPN, you can then make use of firewall rules to only allow from certain IPs, but as this is typically used for people to work remotely, i.e. today from home, tomorrow from coffee shop, etc. it is difficult to limit who can connect from where, etc. So best sol...
by CZFan
Sun Jan 17, 2021 11:06 pm
Forum: Beginner Basics
Topic: udp 500 and 4500 forwarding from Mikrotik to fortigate
Replies: 7
Views: 1043

Re: udp 500 and 4500 forwarding from Mikrotik to fortigate

Best will be to do packet capturing to see what is happening
by CZFan
Sun Jan 17, 2021 11:02 pm
Forum: Forwarding Protocols
Topic: double mangle marking and routing mark
Replies: 3
Views: 771

Re: double mangle marking and routing mark

Can only have one mark.

What do you want to achieve, maybe another way of doing it?
by CZFan
Sun Jan 17, 2021 10:49 am
Forum: General
Topic: help
Replies: 7
Views: 705

Re: help

Hmmm, downgrade ROS version?
by CZFan
Sat Jan 16, 2021 11:53 pm
Forum: Beginner Basics
Topic: netmap vs dst-nat
Replies: 1
Views: 492

Re: netmap vs dst-nat

Have you tried reading the wiki? See link below.

https://wiki.mikrotik.com/wiki/Manual:I ... Properties
Netmap is usually used with 2 x sets of ip addresses and will then create a static 1:1 between these 2 sets
by CZFan
Sat Jan 16, 2021 2:22 pm
Forum: General
Topic: FTP Server w/ Small MTU
Replies: 5
Views: 548

Re: FTP Server w/ Small MTU

MSS is negotiated / agreed between end devices during the TCP handshake, so you can't change "incoming" from outside MSS values. Possible reason your mangle rule is not working is you probably have Fasttrack enabled, which bypasses Mangle rules, if Fasttrack is required, you can exclude the ...
by CZFan
Thu Jan 14, 2021 11:39 pm
Forum: Beginner Basics
Topic: ICMP PING timeout outside LAN
Replies: 1
Views: 610

Re: ICMP PING timeout outside LAN

Remove the below rules and add lte interface to WAN interface list
add action=accept chain=forward out-interface=lte1
add action=accept chain=forward in-interface=lte1
by CZFan
Tue Jan 12, 2021 11:20 pm
Forum: Forwarding Protocols
Topic: BGP FIRT
Replies: 2
Views: 665

Re: BGP FIRT

You need to ask upstream provider to only announce default route to you, then in routing filters, only accept default prefix and discard all others
by CZFan
Mon Jan 11, 2021 8:30 pm
Forum: General
Topic: On a LTAP, how do I tell which wifi antenna connector is A and which is B?
Replies: 6
Views: 623

Re: On a LTAP, how do I tell which wifi antenna connector is A and which is B?

Seems they are labeled JB00 & 01, thinking 00 should be A and 01 B, but no guarantees :-)
by CZFan
Sat Jan 09, 2021 10:58 pm
Forum: General
Topic: Full disk on empty router hAP ac^2
Replies: 4
Views: 567

Re: Full disk on empty router hAP ac^2

HAP AC2 does not use the flash for updates, only memory, so place the update .npk in the root, restart router and it will update just fine
by CZFan
Thu Jan 07, 2021 11:14 pm
Forum: Beginner Basics
Topic: hAP ac poor performance
Replies: 3
Views: 526

Re: hAP ac poor performance

I would suggest resetting the first device as there are a couple of settings that can cause slow performance, i.e. Ether1 (WAN) is set to half duplex, fast path is disabled and fasttrack needs this, etc
by CZFan
Wed Jan 06, 2021 10:43 pm
Forum: General
Topic: Unbreakable Internet
Replies: 3
Views: 459

Re: Unbreakable Internet

Best will be to contact one closest to you, see below link

https://mikrotik.com/consultants
by CZFan
Wed Jan 06, 2021 10:30 pm
Forum: Beginner Basics
Topic: Trying to add Smart Light Bulb
Replies: 1
Views: 418

Re: Trying to add Smart Light Bulb

What does log on Mikrotik device say when bulb trying to connect?
by CZFan
Mon Jan 04, 2021 1:02 am
Forum: Scripting
Topic: (6.48) CQI has disappeared from /interface lte info
Replies: 2
Views: 705

Re: (6.48) CQI has disappeared from /interface lte info

Above is posted in wrong topic header and should be under wireless .

Then as per your question, IIRC, CQI will only show when signal strength and quality is at acceptable levels
by CZFan
Wed Dec 30, 2020 11:25 pm
Forum: General
Topic: qinq - stripping outer vlan with hardware offloading
Replies: 3
Views: 497

Re: qinq - stripping outer vlan with hardware offloading

I would think where the provider hands off the connection to you, the s tag is removed and you should only receive the 2 c tags from hand off
by CZFan
Tue Dec 29, 2020 11:26 pm
Forum: General
Topic: Guest Wifis for two separate VLANs
Replies: 10
Views: 768

Re: Guest Wifis for two separate VLANs

Your description of your requirement is also not clear to me, all I can think of what you maybe want when saying "running through vlan 10" is possibly what is called qinq vlans, i.e. Tunneling a vlan inside another vlan
by CZFan
Tue Dec 29, 2020 11:15 pm
Forum: General
Topic: L2 ring redundancy protocol support?
Replies: 16
Views: 1591

Re: L2 ring redundancy protocol support?

If you are looking at sub 50ms, I doubt very much you will achieve this using scripts
by CZFan
Thu Dec 17, 2020 3:33 pm
Forum: Useful user articles
Topic: Advanced Routing Failover without Scripting
Replies: 168
Views: 40024

Re: Advanced Routing Failover without Scripting

Great, now I know they reworked my article without even mentioning me... That's a bit depressing :)

Plagiarism much...
by CZFan
Thu Dec 17, 2020 12:35 pm
Forum: Virtualization
Topic: high load CPU for a CHR working QT
Replies: 7
Views: 1689

Re: high load CPU for a CHR working QT

There are various configuration items that can be optimized to improve performance on your CHR at the moment.

There are multiple posts here as well as Wiki articles, alternatively contact a certified consultant closest to you https://mikrotik.com/consultants
by CZFan
Thu Dec 17, 2020 10:08 am
Forum: Scripting
Topic: Disable and Enable interface
Replies: 17
Views: 2632

Re: Disable and Enable interface

Very limited info you provide, but if my understanding is correct, then there is a problem with your logic. i.e. you ping 8.8.8.8 from ether 2, if no response, you disable interface, with this interface disabled, you will not be able to ping from it. If reasons for doing this is dual WAN purposes, t...
by CZFan
Wed Dec 16, 2020 11:41 pm
Forum: General
Topic: VPN with TUN interface [SOLVED]
Replies: 13
Views: 1713

Re: VPN with TUN interface [SOLVED]

Throughout this thread you mention you are using Windows as client devices and by default, Windows firewall blocks incoming packets not on local subnet.

Check Windows firewall
by CZFan
Wed Dec 16, 2020 11:17 pm
Forum: General
Topic: Question about VPN, pools and subnets [SOLVED]
Replies: 11
Views: 921

Re: Question about VPN, pools and subnets [SOLVED]

Let us see the whole config, provide results of /export file=filenameofyourchoice hide-sensitive
by CZFan
Wed Dec 16, 2020 8:44 pm
Forum: General
Topic: Question about VPN, pools and subnets [SOLVED]
Replies: 11
Views: 921

Re: Question about VPN, pools and subnets [SOLVED]

With limited info available, it seems you are confusing VPN server between "Routed" and "Bridged"

As a start, for routed, remove below and test:
/ppp profile
add bridge=bridge local-address=192.168.87.1 name=OpenVPN remote-address=OpenVPN-Pool use-encryption=required
by CZFan
Fri Dec 11, 2020 9:32 pm
Forum: General
Topic: DNS problem - with Kasa smart plugs
Replies: 29
Views: 2263

Re: DNS problem - with Kasa smart plugs

You seem to have networking issues, can be locally or ISP, suspect more ISP side. I see many DNS requests and DNS retransmissions, but nothing coming back from 8.8.8.8 or 8.8.4.4. I suspect the reason it behaves better when using Router as DNS is router will cache the address for a while. Suggest yo...
by CZFan
Thu Dec 10, 2020 9:29 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 3202

Re: Queue tree not working as expected

Queue Tree configuration seems inconsistent and might confuse the queue mechanism.

Parent queue max limit is set to 10M which is responsible for distributing bandwidth between leaf queues, but leaf queues max limits are set to 1024M (1Gb/s)
by CZFan
Thu Dec 10, 2020 12:11 am
Forum: General
Topic: L2 ring redundancy protocol support?
Replies: 16
Views: 1591

Re: L2 ring redundancy protocol support?

where fast fail over is needed
How fast is fast?

With ERPS, they are aiming at 50ms
by CZFan
Thu Dec 10, 2020 12:09 am
Forum: General
Topic: Sending multiple VLAN's through an EVC - Configuration
Replies: 2
Views: 378

Re: Sending multiple VLAN's through an EVC - Configuration

Should the qinq / provider bridge config not be done by the ISP?
by CZFan
Wed Dec 09, 2020 11:52 pm
Forum: General
Topic: L2 ring redundancy protocol support?
Replies: 16
Views: 1591

Re: L2 ring redundancy protocol support?

It is called ERPS, Ethernet Ring Protection Switching.

As far as I know Mikrotik does not support it "yet", will be cool though
by CZFan
Wed Dec 09, 2020 3:40 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 1807

Re: DNS over HTTPS, round robin support

... If RouterOS can utilize round robin to provide fault tolerance for DoH then I'm a happy camper. If it cannot, then DoH feature in RouterOS is a toy that should be used in production with caution. I have not worked / looked into DNS in detail for a couple of years, but suspect it has not changed...
by CZFan
Wed Dec 09, 2020 3:10 pm
Forum: Forwarding Protocols
Topic: VLAN over VPLS Link
Replies: 9
Views: 1178

Re: VLAN over VPLS Link

Mikrotik Wiki Article on Bridge Vlan:
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

Herewith a good tutorial from a forum member:
viewtopic.php?f=13&t=143620&p=833307&hi ... an#p706996
by CZFan
Wed Dec 09, 2020 11:41 am
Forum: General
Topic: hEX POE RB960PGS not saving settings (solved: no disk space left)
Replies: 4
Views: 457

Re: hEX POE RB960PGS not saving settings

... Interestingly there is 12.7 of 16Mb in use now, so I'm not too optimistic I can easily install the next upgrade with so little space left. When I get a bit more comfortable with the router I can probably uninstall some of the packages to make room (like hotspot). Anyway, my issue is resolved an...
by CZFan
Wed Dec 09, 2020 11:34 am
Forum: Beginner Basics
Topic: Slow LAN transfer speeds through RB4011. [SOLVED]
Replies: 5
Views: 647

Re: Slow LAN transfer speeds through RB4011. [SOLVED]

Probably RSTP is enabled on the bridge, and as a result hw-offloading is disabled.
This should not really cause a major problem as the 4011 has 2,5Gb/s paths between each switch chip and CPU.

Suspect the problem is somewhere else
by CZFan
Wed Dec 09, 2020 9:54 am
Forum: Forwarding Protocols
Topic: VLAN over VPLS Link
Replies: 9
Views: 1178

Re: VLAN over VPLS Link

... 0 DB name="vpls21" mtu=1500 l2mtu=1550 mac-address=02:2B:05:71:1C:78 arp=enabled arp-timeout=auto disable-running-check=no remote-peer=10.20.1.2 cisco-style=no cisco-style-id=0 advertised-l2mtu=1550 pw-type=raw-ethernet use-control-word=yes vpls=MGMT-VPLS You are using BGP signaled VP...
by CZFan
Wed Dec 09, 2020 12:40 am
Forum: Forwarding Protocols
Topic: VLAN over VPLS Link
Replies: 9
Views: 1178

Re: VLAN over VPLS Link

You will add vlans the same way as you would with other interfaces.

Post your attempt with vlan config here and we can see where you going wrong and can try and assist you
by CZFan
Tue Dec 08, 2020 11:47 pm
Forum: Beginner Basics
Topic: Vpn Site To Site With Vlan
Replies: 8
Views: 899

Re: Vpn Site To Site With Vlan

Remove current IPSec config, configure EoIP, enable IPSec in EoIP config and send vlan across this tunnel
by CZFan
Mon Dec 07, 2020 11:04 am
Forum: Beginner Basics
Topic: Limited Wifi Services
Replies: 7
Views: 581

Re: Limited Wifi Services

Yes I did, unfortunately I did not see any read receipt nor any response yet. Something may have gone wrong. You could possibly use zeljko110465@gmail.com. Thank you

Done...
by CZFan
Mon Dec 07, 2020 10:43 am
Forum: Beginner Basics
Topic: Limited Wifi Services
Replies: 7
Views: 581

Re: Limited Wifi Services

Hi All, I am trying to configure Mikrotik CAP to provide limited wifi services through a set of firewall rules. I have been successful with Whatsapp and Be Safe (Local Covid19 registration App), however I could not get the Gmail going through even after enabling whole class IP addresses multiple se...
by CZFan
Fri Dec 04, 2020 10:18 am
Forum: General
Topic: Very old ROS versions
Replies: 14
Views: 1153

Re: Very old ROS versions

Because software archaeology is not a popular hobby, so it would be too much effort spent on Mikrotik side just to satisfy you and the other two guys practising it :) I’ve always wondered why people who can’t contribute anything useful to the discussion have a need to write Hmmm,@sindy is in the to...
by CZFan
Thu Dec 03, 2020 9:13 pm
Forum: General
Topic: Routing all traffic from network port to another router
Replies: 4
Views: 434

Re: Routing all traffic from network port to another router

best will be to make the Mikrotik a switch / bridge, i.e. bridge all ports, no routing on Mikrotik
by CZFan
Thu Dec 03, 2020 8:51 pm
Forum: General
Topic: Very old ROS versions
Replies: 14
Views: 1153

Re: Very old ROS versions

Because software archaeology is not a popular hobby, so it would be too much effort spent on Mikrotik side just to satisfy you and the other two guys practising it :) I’ve always wondered why people who can’t contribute anything useful to the discussion have a need to write Hmmm,@sindy is in the to...
by CZFan
Wed Dec 02, 2020 9:26 pm
Forum: General
Topic: more cpu core
Replies: 10
Views: 1029

Re: more cpu core

...
my esxi not free license dude
Dude is this way ---> https://wiki.mikrotik.com/wiki/Manual:The_Dude
by CZFan
Wed Dec 02, 2020 9:55 am
Forum: General
Topic: unable to configure GREv6 on latest stable ROS v6.47
Replies: 2
Views: 314

Re: unable to configure GREv6 on latest stable ROS v6.47

Your rule below allowing GE should be before the drop invalid rule, so you have 2 choices: add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=i...
by CZFan
Tue Dec 01, 2020 11:46 pm
Forum: General
Topic: Any way to have a private network inside a single SSID?
Replies: 2
Views: 352

Re: Any way to have a private network inside a single SSID?

Just thinking here, haven't touched hotspot since 2015, also tired at the moment, but maybe use hotspot with radius eap authentication, assign them in relevant vlans dynamically
by CZFan
Tue Dec 01, 2020 11:01 pm
Forum: Beginner Basics
Topic: Can not ping 8.8.8.8 from VLAN. no internet. New to Vlan's Help
Replies: 13
Views: 1226

Re: Can not ping 8.8.8.8 from VLAN. no internet. New to Vlan's Help

I really wanted to help here, but sorry, my pc's mouse scroll wheel seized while looking through this post :-)
by CZFan
Tue Dec 01, 2020 10:21 pm
Forum: General
Topic: Port scanner filling up connection tracking
Replies: 21
Views: 1457

Re: Port scanner filling up connection tracking

You run BGP and don't understand how stateful / stateless firewalls work? I second the suggestion to get a consultant (though not the one above that is also a useless blacklist). You're clearly in over your head here. Using PSD just opens you to further attack when someone decides to spoof the IP o...
by CZFan
Mon Nov 30, 2020 11:38 pm
Forum: Scripting
Topic: Super-Easy script to create dir
Replies: 8
Views: 1203

Re: Super-Easy script to create dir

Use winscp to create folder/sub folder?
by CZFan
Sun Nov 29, 2020 10:07 am
Forum: Announcements
Topic: v6.47.8 [stable] is released!
Replies: 56
Views: 16045

Re: v6.47.8 [stable] is released!

Bridge port hardware offloading remains disabled on hEX (RB750Gr3):
...
On hEX you need to disable STP on bridge for hardware offload, i.e. protocol-mode=none
by CZFan
Fri Nov 27, 2020 2:08 pm
Forum: Beginner Basics
Topic: PPTP Server won't work [SOLVED]
Replies: 21
Views: 1948

Re: PPTP Server won't work [SOLVED]

... Adding my configuration with L2TP /interface bridge add admin-mac=48:8F:5A:AA:4A:9C auto-mac=no comment=defconf name=bridge /interface wireless XXX /interface ethernet set [ find default-name=ether1 ] comment=WAN set [ find default-name=ether2 ] set [ find default-name=ether3 ] set [ find defau...
by CZFan
Fri Nov 27, 2020 8:45 am
Forum: Beginner Basics
Topic: PPTP Server won't work [SOLVED]
Replies: 21
Views: 1948

Re: PPTP Server won't work [SOLVED]

... 8 Connected - it passed the credentials authorization but it hangs on connecting and won't connect - any ideas what i am missing? Image 8 http://neradi.cz/upload/vpn/08.png I sometimes get the same symptoms (With L2TP/IPSec, don't use PPTP) and is a bug in Windows, to get around this, connect vi...
by CZFan
Thu Nov 26, 2020 10:05 am
Forum: Forwarding Protocols
Topic: MPLS neighbour addresses 'leaking'?
Replies: 4
Views: 899

Re: MPLS neighbour addresses 'leaking'?

@mducharme: advertise-filters have been set, but still all addresses show up in the neighbor status page. Not a big issue, but I was just wondering whether this is normal behaviour or not.

You will have to disable / enable LDP interfaces or restart router for filters to take effect
by CZFan
Thu Nov 26, 2020 8:53 am
Forum: General
Topic: Shared VLAN Learning (SVL)
Replies: 14
Views: 1454

Re: Shared VLAN Learning (SVL)

Hmmm, not sure I follow.

SVL - Single forwarding database for all Vlans
IVL - Forwarding Database for each vlan.

Use IVL when you want same MAC address in each vlan, how does same subnet come into this?
by CZFan
Tue Nov 24, 2020 8:32 pm
Forum: Wireless Networking
Topic: RBLHGR - R11e-LTE6_V026 - Packet loss
Replies: 6
Views: 762

Re: RBLHGR - R11e-LTE6_V026 - Packet loss

Wait, do you really check the "packet loss" using only 1 ping result ?? ... No, I did a normal "ping" to 8.8.8.8, had lots of timeouts, just had this screenshot available to post at the time. ... I hope you know the LAST HOP in traceroute is proper for packet loss, all prev can ...
by CZFan
Tue Nov 24, 2020 12:55 pm
Forum: RouterBOARD hardware
Topic: Torturing an old CCR1036
Replies: 2
Views: 624

Re: Torturing an old CCR1036

You might get better performance with a K&N filter, I use it on my BMW :-P
by CZFan
Fri Nov 20, 2020 5:06 pm
Forum: Beginner Basics
Topic: Should LAN firewall be more specific? [SOLVED]
Replies: 4
Views: 459

Re: Should LAN firewall be more specific? [SOLVED]

Firewall rules are very much a "personal" thing and are yours to configure as you feel fit for your environment. Typically, one trusts the hosts in your LAN as they are under your administrative control, so allow full access out and related back in, but the hosts on the Internet (Evil) not so ...
by CZFan
Fri Nov 20, 2020 3:14 pm
Forum: Wireless Networking
Topic: RBLHGR - R11e-LTE6_V026 - Packet loss
Replies: 6
Views: 762

Re: RBLHGR - R11e-LTE6_V026 - Packet loss

Thank you @SiB, also for assisting Mikrotik with these issues.

Call has been logged, SUP-34275

If you need any more info from my side, please do not hesitate
by CZFan
Fri Nov 20, 2020 2:34 pm
Forum: General
Topic: Mangle rules for all download and upload speed
Replies: 6
Views: 1390

Re: Mangle rules for all download and upload speed

Is this correct? ... I don't have full view of the environment you are doing this, but think it will be safe to say: 1. Remove src/dst ranges, you have in interface and the current src/dst ranges is for all anyway 2. I will not use interface list, but rather interface itself, you might have multiple...
by CZFan
Fri Nov 20, 2020 2:06 pm
Forum: Wireless Networking
Topic: RBLHGR - R11e-LTE6_V026 - Packet loss
Replies: 6
Views: 762

RBLHGR - R11e-LTE6_V026 - Packet loss

Hi, If anyone has upgraded their LTE devices to version R11e-LTE6_V026 from V20, please let me know if you are experiencing problems. I upgraded 2 x RBLHGR devices last night, both at same location but using different LTE service providers. These devices have been installed and configured about 3 months ...
by CZFan
Thu Nov 19, 2020 11:52 pm
Forum: General
Topic: Mangle rules for all download and upload speed
Replies: 6
Views: 1390

Re: Mangle rules for all download and upload speed

Suggest you mark connections first, then packets of these connections
by CZFan
Thu Nov 19, 2020 8:17 pm
Forum: General
Topic: Binding IP and MAC
Replies: 11
Views: 2097

Re: Binding IP and MAC

I have googled the Internet and got only instructions for old RouterOs versions. I have recently bought a MikroTik router. I have installed the basic options with Quick Set. Now I want to bind MAC addresses to static IPs, just as I had in previous two routers. I tried to WebFig/ARP/Add New. However...
by CZFan
Thu Nov 19, 2020 8:03 pm
Forum: Beginner Basics
Topic: Mikrotik, subnet, YouTube,Netflix App, SmartTv discovery
Replies: 10
Views: 957

Re: Mikrotik, subnet, YouTube,Netflix App, SmartTv discovery

Wondering,
Why do you put devices on separate VLANS when afterwards you want to connect them together on L2 (use discovery protocols)???
...

Cause, like we say in the shooting world, "it is tacticool" :-)
by CZFan
Thu Nov 19, 2020 12:43 am
Forum: Beginner Basics
Topic: Unable to change IP in Quick set
Replies: 1
Views: 227

Re: Unable to change IP in Quick set

Don't use quickset is Menu IP-->Address
by CZFan
Wed Nov 18, 2020 11:08 pm
Forum: Beginner Basics
Topic: Dual PPOE WAN, strange connection mark misshandling [SOLVED]
Replies: 9
Views: 823

Re: Dual PPOE WAN, strange connection mark misshandling [SOLVED]

-my previous config was correctly spreading traffic equally with preference of one gateway (route marked as DAC with Pref.Source visible) I don't think so with the distance you have had before. You marked traffic equally, but it all went out on PPPOE1. Only if it failed it went to PPPOE2. Have you ...
by CZFan
Sun Nov 15, 2020 10:27 am
Forum: Beginner Basics
Topic: Dual WAN - Stuck in process. Please help
Replies: 13
Views: 765

Re: Dual WAN - Stuck in process. Please help

Thanks for the clarification, what about only one IP routing?

If you want to see all routes, including dynamic ones, OP can post results of /ip route print
by CZFan
Sun Nov 15, 2020 10:18 am
Forum: Beginner Basics
Topic: Yet another port forward issue
Replies: 15
Views: 780

Re: Yet another port forward issue

/tool sniffer quick port=44866 IN TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS AD 6.705 1 <- 198.199.98.246:46736 178.220.198.49:44866 br 6.705 2 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11 198.199.98.246:46736 10.10.10.10:44866 et 6.705 3 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11 198.199.98.24...
by CZFan
Sun Nov 15, 2020 12:57 am
Forum: Beginner Basics
Topic: RB4011 SFP Port as WAN
Replies: 10
Views: 1263

Re: RB4011 SFP Port as WAN

I am sure you will also expect that if you connect an Ethernet interface with a token ring interface it should work...
by CZFan
Sun Nov 15, 2020 12:54 am
Forum: Beginner Basics
Topic: Dual WAN - Stuck in process. Please help
Replies: 13
Views: 765

Re: Dual WAN - Stuck in process. Please help

Please post configs in code brackets, I.e. , you will find them on the button menu.
Yes, you will only see the one as the other is dynamic, I.e. DHCP client
by CZFan
Sun Nov 15, 2020 12:49 am
Forum: Beginner Basics
Topic: Yet another port forward issue
Replies: 15
Views: 780

Re: Yet another port forward issue

I probably don't understand what if there is no filter forward rules, shouldn't that mean that everything is "open"? Like if you don't set any filter input rules the router services are accessib yes, the default action in "accept" but you posted bits and pieces,so was not sure w...
by CZFan
Sun Nov 15, 2020 12:03 am
Forum: General
Topic: DHCP Relay over GRE
Replies: 2
Views: 282

Re: DHCP Relay over GRE

Using DHCP relay does not make sense to me, but have done it before between 2 Mikrotiks

Can you post config of both MT and Cisco, maybe we can figure something out
by CZFan
Sat Nov 14, 2020 9:01 pm
Forum: Beginner Basics
Topic: RB4011 SFP Port as WAN
Replies: 10
Views: 1263

Re: RB4011 SFP Port as WAN

You can't connect SFP+ to SFP, however you can put SFP module in SFP+ cage, then just disable auto negotiation and configure 1Gb/s both sides
by CZFan
Sat Nov 14, 2020 8:57 pm
Forum: Beginner Basics
Topic: Bandlimit I tried but it is not working
Replies: 9
Views: 659

Re: Bandlimit I tried but it is not working

People I deactivate the fasttrack in IP Firewall and now it's working when I define IP TARGET... but it still is not working when I define ETHER2 (example) target. I want to put a bandwidth in a port, and not in a IP. Can you help me? please? Thanks! Hmmm. is ether2 possibly part of a bridge? If ...
by CZFan
Sat Nov 14, 2020 8:52 pm
Forum: Beginner Basics
Topic: Dual WAN - Stuck in process. Please help
Replies: 13
Views: 765

Re: Dual WAN - Stuck in process. Please help

Thank you both!! Here is full config (vs posting the pieces of it) I only have single LAN (home) and my only port on the RB is either2 where LAN comes in. RouterBoard is a router that is setup as gateway for my internal devices (server, DHCP, DNS all handed elsewhere) I have ISP1 on either1 and ISP...
by CZFan
Sat Nov 14, 2020 7:56 pm
Forum: Beginner Basics
Topic: Dual WAN - Stuck in process. Please help
Replies: 13
Views: 765

Re: Dual WAN - Stuck in process. Please help

for starters, you are trying to make ether2 a WAN connected to ISP2, so remove ether2 from bridge, Menu Bridge-->Ports
by CZFan
Sat Nov 14, 2020 7:43 pm
Forum: Beginner Basics
Topic: Vlan from router to managed swicth
Replies: 18
Views: 1095

Re: Vlan from router to managed swicth

You are missing some very important settings on the bridge interface, make sure you have a management vlan configured, alternatively, remove ether 5 from bridge so you can still access router if you lock yourself out. vlan-filtering=yes https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_V...
by CZFan
Sat Nov 14, 2020 7:06 pm
Forum: Beginner Basics
Topic: Yet another port forward issue
Replies: 15
Views: 780

Re: Yet another port forward issue

from your post, it seems you don't have full grasp on firewall chains and seems you have deviated from the default firewall config, so: Input = To router Forward = Through router Output = From router itself Port forwarding works in the "Forward" chain. if you run the below in terminal wind...
by CZFan
Sat Nov 14, 2020 6:34 pm
Forum: General
Topic: Firewall filter by Interfaces
Replies: 7
Views: 609

Re: Firewall filter by Interfaces

The first method works fine. But if I use the second method there is still the problem from my first post. "in/out-interface matcher not possible when interface (ether7) is slave - use master instead (bridge)" If ether7 is a master (I removed it from the bridge), the error in the firewall...
by CZFan
Sat Nov 14, 2020 6:24 pm
Forum: Beginner Basics
Topic: VPN for a single app on a single device  [SOLVED]
Replies: 4
Views: 493

Re: VPN for a single app on a single device [SOLVED]

What you are looking for is called policy based routing

https://wiki.mikrotik.com/wiki/Policy_Base_Routing
by CZFan
Sat Nov 14, 2020 6:20 pm
Forum: General
Topic: Simple Queue priority
Replies: 5
Views: 476

Re: Simple Queue priority

I think you have missed the point.
I reckon you missed my point...

Wish you all the best in your problem solving endeavours...
by CZFan
Sat Nov 14, 2020 6:12 pm
Forum: General
Topic: L2TP LAN access problem
Replies: 8
Views: 664

Re: L2TP LAN access problem

to add to @sindy's comments, strange @anav has not jumped onto this yet :-) but you should change the below to your bridge interface

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
by CZFan
Fri Nov 13, 2020 11:56 pm
Forum: Beginner Basics
Topic: VPN for a single app on a single device  [SOLVED]
Replies: 4
Views: 493

Re: VPN for a single app on a single device [SOLVED]

You can mark routing in mangle based on the destination port numbers coming from the app client and then route this via vpn
by CZFan
Thu Nov 12, 2020 8:17 pm
Forum: General
Topic: Simple Queue priority
Replies: 5
Views: 476

Re: Simple Queue priority

" It sounds like you mixed up simp,e q and pc's config ." I would assume my post made no sense, damn autocarrot!! Anyway, what I was trying to say is you are trying to mix simple queues with PCQ, these are two different animals, and you should use one or the other, if PCQ, then you set the...
by CZFan
Wed Nov 11, 2020 11:52 pm
Forum: General
Topic: Simple Queue priority
Replies: 5
Views: 476

Re: Simple Queue priority

It sounds like you mixed up simp,e q and pc's config.

Provide export of config in order for us to see how your config looks and can then suggest improvements / corrections
by CZFan
Wed Nov 11, 2020 11:42 pm
Forum: General
Topic: Issues with updating RB951Ui-2nD to 6.46.7 / 6.47.4
Replies: 2
Views: 1045

Re: Issues with updating RB951Ui-2nD to 6.46.7 / 6.47.4

Download the upgrade package manually from a PC, copy this to the file section on routers, restart router
by CZFan
Wed Nov 11, 2020 4:00 pm
Forum: General
Topic: Firewall filter by Interfaces
Replies: 7
Views: 609

Re: Firewall filter by Interfaces

Unfortunately, it seems the CRS109 switch chip does not support ACL https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches#Summary EDIT: I don't know which method will have the worst performance hit of below methods on the CRS109 device, but you can try both: 1. Bridge filter as per previo...
by CZFan
Wed Nov 11, 2020 2:24 pm
Forum: General
Topic: CRS125-24G-1S VLAN problem
Replies: 8
Views: 489

Re: CRS125-24G-1S VLAN problem

1st, I am sure the Mikrotik device is as confused as you are, you have Bridge Vlan and Switch Vlan config on the device. 2nd, you are asking for help, but only posting part of the config. Decide which way you want to go, and clean up / configure accordingly. There are many posts here which explain both ...
by CZFan
Wed Nov 11, 2020 2:07 pm
Forum: Forwarding Protocols
Topic: Routing Advices
Replies: 7
Views: 1169

Re: Routing Advices

what i want is: LAN1 can communicate with LAN2, not being on the same LAN.

Build a Site to Site VPN on the Mikrotiks, which sounds like you have already done.

Then check Windows firewalls, by default they will prevent access to device itself coming from a different subnet / prefix
by CZFan
Wed Nov 11, 2020 12:05 pm
Forum: General
Topic: Firewall filter by Interfaces
Replies: 7
Views: 609

Re: Firewall filter by Interfaces

Probably because it's being offloaded to the switch chip, you can work around this by disabling "Hardware Offload" in bridge-->Ports, but that will cause a reduction in performance on those ports. Best then will be to configure a switch ACL / Filter rule, sorry, I don't have access to a CRS d...
by CZFan
Tue Nov 10, 2020 11:38 pm
Forum: General
Topic: Firewall filter by Interfaces
Replies: 7
Views: 609

Re: Firewall filter by Interfaces

Look into bridge filter rules, might be what you need
by CZFan
Tue Nov 10, 2020 11:03 pm
Forum: Beginner Basics
Topic: I can't access the admin page
Replies: 1
Views: 224

Re: I can't access the admin page

Speak to your ISP, they probably disabled the web service
by CZFan
Mon Nov 09, 2020 11:50 pm
Forum: General
Topic: Where can I get rackmount kits for CRS326 models
Replies: 1
Views: 219

Re: Where can I get rackmount kits for CRS326 models

Have you tried any of the Mikrotik distributors in your area?
by CZFan
Mon Nov 02, 2020 3:11 pm
Forum: General
Topic: bad upgrade of my mikrotik router
Replies: 1
Views: 246

Re: bad upgrade of my mikrotik router

Hmmmm, usually Mikrotik fails to upgrade with incorrect package types

Have you tried Netinstall to correct?

https://wiki.mikrotik.com/wiki/Manual:Netinstall
by CZFan
Mon Nov 02, 2020 3:04 pm
Forum: General
Topic: Randomized MACs on TV Box
Replies: 5
Views: 502

Re: Randomized MACs on TV Box

Your ISP is probably providing TV services on a separate VLAN, hence insisting that it must be connected to their device
by CZFan
Mon Nov 02, 2020 2:18 pm
Forum: Beginner Basics
Topic: ethernet router + lte router - please advise configuration
Replies: 5
Views: 630

Re: ethernet router + lte router - please advise configuration

sorry, I forgot to mention that my CSR112 is acting as CAP manager for 2 x CAP AC access points

CAPSMAN will not change the picture, but I really do not see the purpose of CAPSMAN with only 2 APs, adds unnecessary complication, if you had 10 x APs then maybe a different situation
by CZFan
Mon Nov 02, 2020 2:13 pm
Forum: Beginner Basics
Topic: Get internet
Replies: 7
Views: 901

Re: Get internet

You will have to confirm if your ISP is using PON technology / fibre, if so, will not work directly connected to Mikrotik, will need an ONU / ONT
by CZFan
Sun Nov 01, 2020 11:15 pm
Forum: Beginner Basics
Topic: MKT VPN IPSEC RULES NAT FOR TELNET
Replies: 2
Views: 314

Re: MKT VPN IPSEC RULES NAT FOR TELNET

If you want to telnet to the router itself at remote site, then add a firewall filter rule in chain=input, protocol=tcp dest port=23. Action=accept.
To telnet to a device behind the remote router, use chain=forward
by CZFan
Sun Nov 01, 2020 11:03 pm
Forum: Beginner Basics
Topic: ethernet router + lte router - please advise configuration
Replies: 5
Views: 630

Re: ethernet router + lte router - please advise configuration

Configure the rbm33g as router and do all firewalling on it.

Configure crs112 as a switch device, i.e. Bridge all ports and no firewall etc
by CZFan
Sat Oct 31, 2020 12:51 am
Forum: General
Topic: Fastpath vs Fasttrack DDOS
Replies: 3
Views: 444

Re: Fastpath vs Fasttrack DDOS

Fast path and fasttrack are to allow accepted traffic through the router faster, this is not going to assist you in DDOS.

Rather look into raw filter rules, route rules, etc to kill the DDOS connections faster
by CZFan
Sat Oct 31, 2020 12:31 am
Forum: General
Topic: Need OIDs for monitoring a few parameters
Replies: 1
Views: 363

Re: Need OIDs for monitoring a few parameters

Try /system resource print oid
by CZFan
Sat Oct 31, 2020 12:16 am
Forum: General
Topic: are this rules on the top mandatory?
Replies: 62
Views: 3741

Re: are this rules on the top mandatory?

First two rules are for input chain, the 3rd, fasttrack is for forward chain and has nothing to do with first 2 rules.

Also not sure I understand your question?
by CZFan
Fri Oct 30, 2020 3:50 pm
Forum: Beginner Basics
Topic: Strict NAT type problem
Replies: 9
Views: 1274

Re: Strict NAT type problem

If you are getting a 10.x.x.x range on the LTE interface, then opening of any ports is not going to help as the packet will never reach your device when originated from outside. Compare the APN configuration between the old and new routers, maybe you had an "unrestricted" vs "restric...
by CZFan
Fri Oct 30, 2020 2:53 pm
Forum: Beginner Basics
Topic: Can't access LAN devices
Replies: 9
Views: 707

Re: Can't access LAN devices

Change to "bridge-private" with same issue. Reboot MK, about 20 pings reply and then Request timed out. This is a local problem and not Routing / FW related on the Mikrotik. To confirm above, connect to end devices directly to the ports 2 - 5 on Mikrotik and test ping again. I suspect you...
by CZFan
Fri Oct 30, 2020 1:11 pm
Forum: Beginner Basics
Topic: Strict NAT type problem
Replies: 9
Views: 1274

Re: Strict NAT type problem

Check what IP you are getting on the LTE, if it is a private (10.x.x.x/8, 172.16.x.x/12, 192.168.x.x/16) or CGNAT (100.64.x.x/10) address range, you will not be able to improve gaming NAT status unless you request a direct public IP from your LTE service provider
by CZFan
Fri Oct 30, 2020 1:02 pm
Forum: Beginner Basics
Topic: Can't access LAN devices
Replies: 9
Views: 707

Re: Can't access LAN devices

Hi, I made some changes, configuration attached, but with the same issue.
Please help
BR
Ales
config-v2.txt

You still have not made changes suggested by @mkx and missed by @anav :-)

Below interface should point to interface "bridge-private"
incorrectiface.JPG
by CZFan
Wed Oct 28, 2020 5:42 pm
Forum: Forwarding Protocols
Topic: BGP default originate
Replies: 2
Views: 769

Re: BGP default originate

Add a route filter for that peer and only allow default to it, something like:
/routing filter
add action=accept chain=BGP-Out prefix=0.0.0.0/0
add action=discard chain=BGP-Out
by CZFan
Tue Oct 27, 2020 10:58 am
Forum: General
Topic: GRE Tunnel with Hap ac3 LTE
Replies: 11
Views: 752

Re: GRE Tunnel with Hap ac3 LTE

... And if you do, is it even accessible from the outside? I've seen mobile operators assigning public IPs to LTE devices but NATing them to other public IPs anyway. Yup, had this with a customer of mine in Malawi, they were using public IPs belonging to some company in USA but NATed the connection...
by CZFan
Mon Oct 26, 2020 8:45 pm
Forum: Forwarding Protocols
Topic: VRF and overlapped IPs
Replies: 3
Views: 912

Re: VRF and overlapped IPs

You cannot use subnets that are directly overlapped in different VRFs in RouterOS v6...this is fixed in RouterOSv7 Would you mind elaborating on above? I am interested what other challenges might be with my config as per below. I can access all VRF routers from outside as well as inside from R1, in...
by CZFan
Fri Oct 23, 2020 3:31 pm
Forum: General
Topic: Best way to configure multi-SSID-AP with VLAN-breakout
Replies: 12
Views: 990

Re: Best way to configure multi-SSID-AP with VLAN-breakout

@bpwl, I suspect you might be onto something here, i.e. configs not cleaning up properly. I suspect it is more a "Winbox" issue. Was playing around with various configs re EoIP tunnel now in GNS 3 on CHR 6.45.9, had tunnel up, then made changes, tunnel down, then reverted the changes, tunn...
by CZFan
Thu Oct 22, 2020 8:49 pm
Forum: General
Topic: IP address / device based volume stats
Replies: 3
Views: 329

Re: IP address / device based volume stats

There is a utility in Mikrotik Download archive called traffic counter.

It will count traffic going through the router, played with it a little bit and seems cool, also suggested it to a customer of mine
MTArchive.JPG
by CZFan
Thu Oct 22, 2020 6:40 pm
Forum: General
Topic: Best way to configure multi-SSID-AP with VLAN-breakout
Replies: 12
Views: 990

Re: Best way to configure multi-SSID-AP with VLAN-breakout

My understanding is that "fraggle attack" (UDP Broadcast) is a variant of "smurf Attack" (ICMP).

Did you not maybe have a loop somewhere and the Draytek possibly interpreted this as a "fraggle attack"?
by CZFan
Thu Oct 22, 2020 6:33 pm
Forum: SwOS
Topic: CSS610-8G-2S+IN - no firmware to download?
Replies: 10
Views: 3722

Re: CSS610-8G-2S+IN - no firmware to download?

...
Also, I tried to download the firmware manually, but there is nothing to download on the product's home page https://mikrotik.com/product/css610_8g_2s_in

Wow, seriously?

See screenshot below on same link you quoted!!
mtsoftware.JPG
by CZFan
Thu Oct 22, 2020 5:47 pm
Forum: Beginner Basics
Topic: Adding cAP AC to my network [SOLVED]
Replies: 52
Views: 3404

Re: Adding cAP AC to my network [SOLVED]

...
Final comment, Don't use quotation marks for NAMES of anything. Quotes are used in MT to surround COMMENTS.
You are trying to hurt my brains and eyes with this approach

Quotation marks are necessary where names, comments, etc contain spaces
by CZFan
Tue Oct 20, 2020 3:59 am
Forum: Beginner Basics
Topic: help with denial of service internet minecraft server
Replies: 21
Views: 1464

Re: help with denial of service internet minecraft server

Looks like a DNS amplification attack.
Post full config (between code tags [] in menu) so we can see what is wrong
by CZFan
Tue Oct 13, 2020 12:40 am
Forum: General
Topic: Slow connection speed with „fasttrack” switched off.
Replies: 2
Views: 320

Re: Slow connection speed with „fasttrack” switched off.

I suspect more inefficiencies in your config.
Post results of /export file=filename hide-sensitive between code brackets
by CZFan
Tue Oct 13, 2020 12:28 am
Forum: General
Topic: Updating from 6.28
Replies: 4
Views: 411

Re: Updating from 6.28

That's very old, lots of security holes, netinstall is your friend
by CZFan
Mon Oct 12, 2020 3:57 pm
Forum: General
Topic: Having troubles with Q-in-Q on CRS305
Replies: 4
Views: 504

Re: Having troubles with Q-in-Q on CRS305

You are not showing full config, so it makes it difficult to assist.

All I can assume at this stage is that possibly you don't have "use service tag" configured on the vlan interface
by CZFan
Mon Oct 12, 2020 1:56 pm
Forum: General
Topic: Strange Tracking Problem on Mikrotik Filter rules
Replies: 8
Views: 583

Re: Strange Tracking Problem on Mikrotik Filter rules

Hi all, I usually drop all forwards as the last rule and allow only known tracked traffic. Now, I have a strange problem for creating a rule for allowing ping from one server to another. I should be able to do this using this rule: add action=accept chain=forward comment=Ping protocol=icmp src-add...
by CZFan
Sun Oct 11, 2020 6:52 pm
Forum: Beginner Basics
Topic: MTU LAN vs WAN
Replies: 6
Views: 813

Re: MTU LAN vs WAN

..., I’d know how to set the MTU, which is max package size +32. When I do the same test from my hAP ac the value looks different, naturally.
...
Should be +28 (20 bytes IP Header + 8 bytes ICMP Header)
by CZFan
Sun Oct 11, 2020 6:38 pm
Forum: Beginner Basics
Topic: need help with VLAN guest wireless on router and ap
Replies: 7
Views: 614

Re: need help with VLAN guest wireless on router and ap

Can't believe my friend recommended Mikrotik, "it's the best router" he said, "and if you have a problem they help you on forum"

what a bullshit.

Cry me a river...
by CZFan
Thu Oct 08, 2020 1:54 pm
Forum: Beginner Basics
Topic: How to get connected without any assigned IP to device?
Replies: 3
Views: 380

Re: How to get connected without any assigned IP to device?

Connect via the serial port with a console cable, set IP address, etc and then continue as per normal
by CZFan
Thu Oct 08, 2020 12:23 am
Forum: General
Topic: Having troubles with Q-in-Q on CRS305
Replies: 4
Views: 504

Re: Having troubles with Q-in-Q on CRS305

Post anonymized output from /export file=yourfilename between code brackets so we can see config and assist where possible
by CZFan
Wed Oct 07, 2020 12:57 pm
Forum: General
Topic: Connection NAT state srcnat?
Replies: 9
Views: 764

Re: Connection NAT state srcnat?

... My issue isn't really with invalid packets, but with private addresses leaking out. Supposedly they leak out because the packets are invalid, and so do not get srcnated. I want to either prevent anything that's not srcnated from going out on the WAN interface (which I thought would be doable us...
by CZFan
Tue Oct 06, 2020 7:16 pm
Forum: General
Topic: XBOX and MikroTik RouterOS v6.47 (stable) NAT | UPDATE: VPN
Replies: 16
Views: 1244

Re: XBOX and MikroTik RouterOS v6.47 (stable) NAT

Hi there I have been trying to resolve this issue for the past 15 days, reading through forums but no luck at all As you may know, in order for XBOX to work properly, it needs an Open NAT - so far it is only Strict According to the Microsoft XBOX's website https://support.xbox.com/en-US/help/hardwa...
by CZFan
Mon Oct 05, 2020 3:48 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1860

Re: Using most available bandwidth wan

I don't use NAT right now. I just have Mikrotik vpn server setup. People vpn first, grab a local ip, and connect to internal servers. So if this is the case i should use ecmp? Then is what i currently have what i can have as the ideal setup? Where does VPN come into the picture now? Your config sh...
by CZFan
Mon Oct 05, 2020 2:26 pm
Forum: Scripting
Topic: Torrent blocking working in y2020
Replies: 34
Views: 12156

Re: Torrent blocking working in y2020

The Torrent system on its own is not illegal. Downloading copyrighted content is illegal. This is my understanding also, read an article yesterday that in Germany, some law firms are not so ethical (who would have thought) and sending very threatening letters to people to pay up, and the normal Jo...
by CZFan
Mon Oct 05, 2020 2:17 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1860

Re: Using most available bandwidth wan

I think speedtest.net uses multiple connections for download. That is where i saw more than 50mbit. But yeah for the rest i get it. I just need help to change my config to pcc now. Can you help me with that please. I am not sure how to adapt my vlans and bridge to the pcc example Yes, speedtest.net...
by CZFan
Mon Oct 05, 2020 11:35 am
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1860

Re: Using most available bandwidth wan

I suspect that video does not show the "full truth"

ECMP is based on per connection, so if src and dst address is same, you will only use one of the uplinks, it is not a "per packet" solution
by CZFan
Mon Oct 05, 2020 1:01 am
Forum: General
Topic: any tool like UNMS for mikrotik hw?
Replies: 1
Views: 458

Re: any tool like UNMS for mikrotik hw?

Yes, called the Dude
by CZFan
Mon Oct 05, 2020 12:28 am
Forum: Beginner Basics
Topic: router not starting
Replies: 10
Views: 838

Re: router not starting

Reset button has various functions depending how long you press it during reset process.

Something like 5 seconds for factory reset, 10 seconds for netinstall and 15 seconds for capsman, can't remember the details but all described in wiki article
by CZFan
Sun Oct 04, 2020 9:55 pm
Forum: Beginner Basics
Topic: router not starting
Replies: 10
Views: 838

Re: router not starting

The problem is on your side, not the Mikrotik device. Since the device pops up in netinstall, firewall, etc is ok and network connection profile also. Copy the .npk file into same folder as netinstall.exe. Make sure your laptop/pc doing netinstall from is in same IP range as per boot IP address in neti...
by CZFan
Sun Oct 04, 2020 7:33 pm
Forum: Forwarding Protocols
Topic: BGP NO-PREPEND REPLACE-AS ON CCR
Replies: 1
Views: 644

Re: BGP NO-PREPEND REPLACE-AS ON CCR

in the BGP peer config enable "as-override"
bgpasoverride.JPG
by CZFan
Fri Oct 02, 2020 8:55 pm
Forum: General
Topic: BIG FAIL restore
Replies: 5
Views: 561

Re: BIG FAIL restore

make sure you enter the user that created the backup correctly, below from wiki Warning: If password is not provided in RouterOS versions older than v6.43, then the backup file will be encrypted with the current user's password, except if the dont-encrypted property is used or the current user's pas...
by CZFan
Fri Oct 02, 2020 8:30 pm
Forum: Beginner Basics
Topic: RB3011UIAS-RM and TPLink C5400 Access Point [SOLVED]
Replies: 4
Views: 414

Re: RB3011UIAS-RM and TPLink C5400 Access Point [SOLVED]

When you are referring to the TP-Link's MAC address, are you referring to the 3011's bridge host table, the switch host table or ARP table?

Maybe a good idea to post config of the 3011 config here (between code brackets) and a packet capture file, maybe someone spots a problem
by CZFan
Fri Oct 02, 2020 8:12 pm
Forum: General
Topic: Parent Queue Limits do not apply.
Replies: 8
Views: 863

Re: Parent Queue Limits do not apply.

Parent queues are responsible for distributing the bandwidth, not limits. If you are using PCQ, then you should not have child queues, the system will automatically create sub streams with limits for each client based on the pcq queue type configuration, here you can specify a limit for all sub stream...
by CZFan
Fri Oct 02, 2020 7:42 pm
Forum: Beginner Basics
Topic: router not starting
Replies: 10
Views: 838

Re: router not starting

select net boot and set ip to 192.168.88.3 Don't follow the manual on this, it is completely wrong Set ip to 192.168.88.1 instead and netinstall will work Don't agree The netinstall is a bootp server and will assign range you configure. I have been using range 192.168.1.2 in bootp client config on n...
by CZFan
Fri Oct 02, 2020 6:59 pm
Forum: General
Topic: Unbrick a HAP AC2 [SOLVED]
Replies: 3
Views: 488

Re: Unbrick a HAP AC2 [SOLVED]

I never tried this, but should not need another "default script", just straight netinstall should work
by CZFan
Fri Oct 02, 2020 6:55 pm
Forum: Beginner Basics
Topic: RB3011 Re-plugging WAN losing INTERNET
Replies: 3
Views: 430

Re: RB3011 Re-plugging WAN losing INTERNET

suspect the problem is with detect internet configs, I usually disable this by:
/int detect-internet set detect-interface-list=none lan-interface-list=none wan-interface-list=none internet-interface-list=none
by CZFan
Fri Oct 02, 2020 6:43 pm
Forum: Beginner Basics
Topic: RB3011UIAS-RM and TPLink C5400 Access Point [SOLVED]
Replies: 4
Views: 414

Re: RB3011UIAS-RM and TPLink C5400 Access Point [SOLVED]

From a 3011 point of view, the TP-Link will just be another network device, so suspect problem is on your TP-Link side. I actually did one of these exact setups for another customer of mine the other day, was not the Archer but was TP-Link. I had to configure the TP-Link as Access Point only, restar...
by CZFan
Fri Oct 02, 2020 6:26 pm
Forum: Beginner Basics
Topic: How much bad blocks is too much bad blocks?
Replies: 1
Views: 301

Re: How much bad blocks is too much bad blocks?

$40 is half the suggested retail price.

As far as bad block, don't know, might be the beginning of the end or it can still last a while, that you will have to decide if the price tag is good enough for the gamble
by CZFan
Fri Oct 02, 2020 6:21 pm
Forum: Beginner Basics
Topic: RB fail install in netinstall
Replies: 2
Views: 260

Re: RB fail install in netinstall

make sure you selected the package file (.npk)

I usually place the package file in same folder as netinstall.exe
by CZFan
Fri Oct 02, 2020 6:02 pm
Forum: Beginner Basics
Topic: Please Help . PPPoE Terminating
Replies: 3
Views: 640

Re: Please Help . PPPoE Terminating

Error means client device disconnected but connected again before the previous session was torn down in PPPoE service.

You should look why the client devices disconnect frequently, that problem can be anywhere between PPPoE Access Concentrator and client device
by CZFan
Wed Sep 30, 2020 4:22 pm
Forum: Beginner Basics
Topic: [CCR1009-7G-1C-1S+] version 6.46.4 | forward ssh from outside to internal server
Replies: 2
Views: 306

Re: [CCR1009-7G-1C-1S+] version 6.46.4 | forward ssh from outside to internal server

try changing the rule below to:

/ip firewall filter add chain=forward action=accept protocol=tcp dst-address=192.168.50.5 in-interface=sfp1.120 out-interface=ether1.2150 port=2223
by CZFan
Wed Sep 30, 2020 4:06 pm
Forum: Beginner Basics
Topic: hw=yes not showing as hw offload?
Replies: 8
Views: 908

Re: hw=yes not showing as hw offload?

You shouldn't need to Awesome. It's just that Mikrotik's own guide said to add it in, and I was like "But why?" I'll try just using the default bridge, given it offloads to the switch, so therefore should be "wire speed" and not done in software. Mikrotik (And other vendors) ass...
by CZFan
Wed Sep 30, 2020 3:10 pm
Forum: Beginner Basics
Topic: A routing conundrum
Replies: 10
Views: 931

Re: A routing conundrum

Some things you should try to do yourself at least, below is where you can change the default route distance on a DHCP client More than happy to do so and to learn but quite frankly had no idea how to change the default route distance on a DHCP client... Thanks for your help there ! Pleasure, glad y...