Search found 2104 matches

by CZFan
Thu Feb 09, 2023 10:30 am
Forum: Beginner Basics
Topic: wifi limit 20 mbps
Replies: 3
Views: 706

Re: wifi limit 20 mbps

sounds like you might have "tkip" ciphers enabled in security profile
by CZFan
Mon Nov 28, 2022 6:45 pm
Forum: General
Topic: QinQ not working
Replies: 8
Views: 1162

Re: QinQ not working

...
however, I still have no communication with the other party.
Reason above did not work is you added:

add bridge=bridge1 interface=sfp-sfpplus16 pvid=2500 tag-stacking=yes
by CZFan
Mon Nov 28, 2022 5:46 pm
Forum: General
Topic: QinQ not working
Replies: 8
Views: 1162

Re: QinQ not working

My config:

add ether-type=0x88a8 name=bridge1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=sfp-sfpplus16 pvid=2500
add bridge=bridge1 interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge1 tagged=sfp-sfpplus1,sfp-sfpplus16 vlan-ids=2500

from th...
by CZFan
Tue Oct 11, 2022 8:15 pm
Forum: General
Topic: Hmmm, no IPSec offload on AX devices....
Replies: 8
Views: 874

Re: Hmmm, no IPSec offload on AX devices....

not talking about "Test Results"

is announced in a video, which tells me it should be available, the video did not say "we will "try" and add IPSec HW Offload in future releases..." See below for the ac³ device
by CZFan
Mon Oct 10, 2022 7:35 pm
Forum: General
Topic: Hmmm, no IPSec offload on AX devices....
Replies: 8
Views: 874

Re: Hmmm, no IPSec offload on AX devices....

1. Not all have time like you available to sit and watch videos all day.
2. It was a "Tongue in cheek / devil's advocate" type post so that Mikrotik can sort out their documentation, although I doubt it achieved that

:-)
by CZFan
Mon Oct 10, 2022 2:55 pm
Forum: General
Topic: Bridge two VLAN's
Replies: 5
Views: 651

Re: Bridge two VLAN's

You can add vlan 258 and a second pppoe service on that vlan, alternatively, vlan translation
by CZFan
Mon Oct 10, 2022 12:14 pm
Forum: General
Topic: Hmmm, no IPSec offload on AX devices....
Replies: 8
Views: 874

Hmmm, no IPSec offload on AX devices....

Bit disappointed, seems no IPSec hardware offload on the hAP ax² and ax³ devices.....
by CZFan
Sat Oct 08, 2022 8:32 pm
Forum: Forwarding Protocols
Topic: BGP Route distribution
Replies: 8
Views: 2960

Re: BGP Route distribution

... I am not sure what else is needed at this point. The documentation is lacking for v7 and 90% of the info out there is for v6 BGP. For a router that touts BGP performance, the lacking documentation and bugs is concerning. This is not a Mikrotik issue, but the way iBGP/eBGP protocol works. Mikrot...
by CZFan
Tue Oct 04, 2022 12:15 am
Forum: General
Topic: VRF vs Routing-Tables
Replies: 2
Views: 922

Re: VRF vs Routing-Tables

VRFs come more into play when you have a big network, something like an ISP/WISP, etc that provides branch to branch connectivity for clients as example, many times there can be overlapping of these clients internal IPs, and to isolate them to route them accordingly, you use VRFs
by CZFan
Sun Sep 25, 2022 12:59 pm
Forum: General
Topic: Regex search - Finding exact match [SOLVED]
Replies: 1
Views: 1226

Regex search - Finding exact match [SOLVED]

Hi, Hope someone can help me here, I am trying to do a print in firewall connection for a specific port number, but not getting results I expected. I tried all the below commands, the first one returns all with 500 in it, i.e. 500, 50018, etc, the last 2 seems to be not "supported" by Mikr...
by CZFan
Wed Sep 21, 2022 11:30 pm
Forum: Beginner Basics
Topic: Can connect to SSTP VPN but can't interact with Windows Server
Replies: 11
Views: 2390

Re: Can connect to SSTP VPN but can't interact with Windows Server

Post full configuration export, screen shots show only part of config. But there are 2 things you really need to look at after separating the subnets. One being that the vpn subnet is allowed in relevant chains in firewall on mikrotik, and second is you will need to add the vpn subnet on the windows fir...
by CZFan
Wed Sep 21, 2022 1:20 pm
Forum: Beginner Basics
Topic: Can connect to SSTP VPN but can't interact with Windows Server
Replies: 11
Views: 2390

Re: Can connect to SSTP VPN but can't interact with Windows Server

The way your config is at the moment, i.e. vpn and LAN on same subnet, you will need proxy arp, which I do not suggest.

Rather give your vpn a separate subnet to the LAN, and then route / firewall between these
by CZFan
Fri Aug 19, 2022 5:59 pm
Forum: Beginner Basics
Topic: RB450 VLAN - access port not working [SOLVED]
Replies: 11
Views: 1440

Re: RB450 VLAN - access port not working [SOLVED]

Which model do you have, RB450G or RB450Gx4?

Two different chips and need to be configured differently
by CZFan
Fri Aug 12, 2022 7:33 pm
Forum: General
Topic: Managing local bandwith doesn't work
Replies: 8
Views: 780

Re: Managing local bandwith doesn't work

You should review the conn/pkt mark and queue tree config, you typically use the "leaving" interface for this, i.e. outgoing traffic on the internet facing interface for upload traffic limits, and outgoing traffic leaving the "bridge" interface towards LAN devices for download tr...
by CZFan
Thu Aug 11, 2022 8:24 pm
Forum: General
Topic: Managing local bandwith doesn't work
Replies: 8
Views: 780

Re: Managing local bandwith doesn't work

without seeing full config / connection diagram, it is difficult to suggest any fixes. As mentioned already, data transfers in local network should not go via the router and should not affect the transfer. There are 3 possible reasons why local traffic will cause limitations via the router: 1, Separa...
by CZFan
Thu Aug 11, 2022 7:46 pm
Forum: Wireless Networking
Topic: Internet block on wlan but avoid android disconnection?
Replies: 1
Views: 554

Re: Internet block on wlan but avoid android disconnection?

Devices such as Android try to access "special servers" to see if it has internet connection or not and if it is behind a captive portal setup, i.e.

http://connectivitycheck.gstatic.com/generate_204
http://www.google.com/gen_204
https://www.google.com/generate_204

So you could possibly a...
by CZFan
Thu Aug 04, 2022 5:04 pm
Forum: Forwarding Protocols
Topic: BGP Speed Issues
Replies: 7
Views: 1362

Re: BGP Speed Issues

in routing filters, in in filter, set prepend on backup link, although this does not always work so well anymore, then "set bgp weight" for the primary / backup links, i.e. set it to 10 for backup and 15 for primary You could also just set bgp weight for primary to 10 as example, default i...
by CZFan
Wed Aug 03, 2022 5:28 pm
Forum: RouterBOARD hardware
Topic: hAP ax² dual band Wi-Fi 6 (802.11ax)
Replies: 287
Views: 66213

Re: hAP ax² dual band Wi-Fi 6 (802.11ax)

also like the antenna gain

Wireless antenna max gain 2.4 GHz (4.5 dBi), 5 GHz (4 dBi)

Looking to be a good performer in a "standard" house
by CZFan
Wed Aug 03, 2022 1:30 pm
Forum: Beginner Basics
Topic: Why does disabling 'bridge' make it impossible to connect to my router?
Replies: 24
Views: 8957

Re: Why does disabling 'bridge' make it impossible to connect to my router?

Never tested it, but I suspect it will not disable the ethernet interfaces in that bridge/switch group, but will disable any bridging/switching so you will lose connection to other devices, and also disables this CPU access via the ports in that bridge, hence reason you will not be able to access de...
by CZFan
Wed Aug 03, 2022 1:16 pm
Forum: RouterBOARD hardware
Topic: hAP ax² dual band Wi-Fi 6 (802.11ax)
Replies: 287
Views: 66213

Re: hAP AX2 (WiFi 6)

Eish!!!! And I just upgraded from AC2 to AC3 a couple of months ago, now I have to buy a new one :-(

But glad it is eventually here though
by CZFan
Fri Jul 29, 2022 4:06 pm
Forum: Beginner Basics
Topic: Foward NTP
Replies: 6
Views: 1785

Re: Foward NTP

try something like if NTP server is mikrotik itself:
/ip firewall nat
add action=redirect chain=dstnat dst-port=123 in-interface-list=LAN protocol=udp
by CZFan
Fri Jul 22, 2022 8:52 pm
Forum: Beginner Basics
Topic: Need help with port forwarding
Replies: 11
Views: 1699

Re: Need help with port forwarding

For a Dahua NVR at one of my clients, I had to forward the following only:

TCP 443,554,37777
UDP 37778

Maybe check your NVR requirements again?
by CZFan
Fri Jul 22, 2022 8:34 pm
Forum: General
Topic: Hotspot and PPPoE
Replies: 1
Views: 381

Re: Hotspot and PPPoE

By making use of vlans.
For cabled, you will have to do the vlan tagging from client devices, on wireless, you can create 2 separate SSIDs and tag these accordingly
by CZFan
Tue May 31, 2022 9:10 pm
Forum: Beginner Basics
Topic: Load balancing with RB2011UiAS-2HnD-IN and RouterOS 6.49.6
Replies: 14
Views: 2084

Re: Load balancing with RB2011UiAS-2HnD-IN and RouterOS 6.49.6

Change add check-gateway=ping distance=1 gateway=192.168.1.1 to

add check-gateway=ping distance=2 gateway=192.168.1.1
by CZFan
Fri Apr 22, 2022 2:11 am
Forum: Announcements
Topic: v6.48.6 [long-term] is released!
Replies: 126
Views: 273629

Re: v6.48.6 [long-term] is released!

I really am struggling to understand why Mikrotik does not list all changes made in updates, I.e. as I just found out changes were made in Bridge filtering....
@Normis, can you please respond on this?
by CZFan
Thu Feb 24, 2022 11:24 pm
Forum: Announcements
Topic: v7.1.3 is released!
Replies: 251
Views: 55666

Re: v7.1.3 is released!

Oh, thank you so much!, it's possible to disable or remove? thanks
Why?
Proof again you can't please all, every time
by CZFan
Fri Feb 11, 2022 1:29 pm
Forum: General
Topic: Ports open and allowing "Internet" access to Webfig. Shodan.io report.
Replies: 48
Views: 4204

Re: Ports open and allowing "Internet" access to Webfig. Shodan.io report.

...that last part about copy-pasting from txt editor was just rude.

Seriously?????
by CZFan
Sat Jan 15, 2022 10:14 pm
Forum: General
Topic: L2TP/IPsec Issues with Windows 11 update - kb5009566
Replies: 29
Views: 22743

Re: L2TP/IPsec Issues with Windows 11 update - kb5009566

....
I am still able to connect successfully to Mikrotiks running 6.47.9 and 6.47.10 from Windows 10 with KB5009543 installed...

I was unable to connect with L2TP/IPSec VPN to any of my clients, ROS ranging from 6.45.9 LT to 6.47.10 LT
by CZFan
Wed Dec 29, 2021 8:29 pm
Forum: RouterBOARD hardware
Topic: The big CCR2004 reboot thread (was 2004 hardware issues?)
Replies: 458
Views: 146159

Re: The big CCR2004 reboot thread (was 2004 hardware issues?)

Anyone seen an issue with the CCR2004 on ROS V6.49.1 where there is packet loss each time BGP needs to converge its routes? If the routes from the remote peer are stable, then there is no packet loss across any interfaces. As soon as the CCR2004 needs to converge received or withdrawn routes, CPU g...
by CZFan
Wed Dec 29, 2021 7:44 pm
Forum: General
Topic: Connection-State: established
Replies: 5
Views: 3287

Re: Connection-State: established

connection oriented or connectionless protocols have nothing to do with this, this only comes in between the two end devices.

This is only relevant to firewalls, connection tracking uses both src and dst addresses with the src and dst ports to decide if it is a new connection, established, etc
by CZFan
Tue Dec 28, 2021 5:10 pm
Forum: RouterOS beta
Topic: Very high CPU usage on PCC Loadbalancing with 7.x
Replies: 22
Views: 11274

Re: Very high CPU usage on PCC Loadbalancing with 7.x

My understanding is that there is no "Route Caching" in ROS7, hence the jump in CPU utilization from V6 to V7.
by CZFan
Mon Dec 06, 2021 7:44 pm
Forum: General
Topic: Speedtest.net stuck on Finding optimal server... [SOLVED]
Replies: 7
Views: 26261

Re: Speedtest.net stuck on Finding optimal server... [SOLVED]

i use RouterOS v6.49.2 and some days ago...
But V6.49.2 was only released today????

I think you have sort of isolated where problem is yourself, i.e. look at your firewall rules
by CZFan
Tue Nov 30, 2021 6:06 pm
Forum: Wireless Networking
Topic: cAP vs cAP XL
Replies: 31
Views: 15146

Re: cAP vs cAP XL

The Ubiquiti WIFI U6 Pro is cheaper than the TPLINK eap660HD by about $80 and thus may be excellent value IF, IF it can be configured in a stand alone mode.
Last I checked, this is a Mikrotik forum?
by CZFan
Wed Nov 03, 2021 7:38 pm
Forum: General
Topic: Queue problem for PPPoE traffic originated from a routed subnet
Replies: 8
Views: 2403

Re: Queue problem for PPPoE traffic originated from a routed subnet

I think your best option is going to send copies of config / supout file to MT support
by CZFan
Tue Nov 02, 2021 11:13 am
Forum: General
Topic: ASK [Love-Vlans :)]
Replies: 8
Views: 1169

Re: ASK [Love-Vlans :)]

assuming ether2 is the downlink, you seem to be missing uplink in bridge port/vlan config
by CZFan
Sun Oct 31, 2021 12:18 am
Forum: Beginner Basics
Topic: OpenVPN Client Issues
Replies: 9
Views: 5503

Re: OpenVPN Client Issues

I read about a month ago that ROS does not support Cert only authentication, not sure if this applies to your situation.
If this has changed since, I can't say either
by CZFan
Thu Oct 28, 2021 1:58 pm
Forum: Wireless Networking
Topic: I'll say it again... MikroTik, your wifi is ATROCIOUS [SOLVED]
Replies: 19
Views: 7036

Re: I'll say it again... MikroTik, your wifi is ATROCIOUS [SOLVED]

This comment tells me you don't understand how MikroTik works as a company. Without specifics nothing will change. If all you want to do is share your frustration and anecdotal results with the WiFi performance, no big deal, but it doesn't really benefit anyone. +1 Where is the "Like" but...
by CZFan
Wed Oct 27, 2021 1:24 am
Forum: General
Topic: Maybe a bug,when device behind bonding that can not Port mapping
Replies: 2
Views: 611

Re: Maybe a bug,when device behind bonding that can not Port mapping

You give no description re symptoms why it is not working!!!
It seems you are missing some attributes in your port forwarding rule, namely destination address and/or in interface / list
by CZFan
Wed Oct 27, 2021 12:55 am
Forum: General
Topic: Queue problem for PPPoE traffic originated from a routed subnet
Replies: 8
Views: 2403

Re: Queue problem for PPPoE traffic originated from a routed subnet

Communicated with you re this topic on FB, want to test in lab environment before I can give further comments, just have not had time to test in lab...
by CZFan
Mon Oct 25, 2021 4:29 pm
Forum: General
Topic: Notify when route changes [SOLVED]
Replies: 2
Views: 1524

Re: Notify when route changes [SOLVED]

You can play around with logging rules, i.e.
/system logging
add topics=route action=memory prefix="Route Changes"
by CZFan
Mon Oct 25, 2021 3:55 pm
Forum: General
Topic: I need help converting pot forward to floating WAN [SOLVED]
Replies: 10
Views: 1605

Re: I need help converting pot forward to floating WAN [SOLVED]

B) Dst. Address → your WAN (Public) IP

You can use "in-interface/list" instead
by CZFan
Fri Oct 15, 2021 1:04 pm
Forum: General
Topic: 1:1 NATting of /29 subnet
Replies: 3
Views: 1054

Re: 1:1 NATting of /29 subnet

To add to what @sindy said, the other IPs in that prefix might not be available to you, i.e. might belong to devices on the link to you, etc...
by CZFan
Tue Oct 12, 2021 11:16 pm
Forum: Beginner Basics
Topic: Router on a stick and two gateways. Is that possible?
Replies: 1
Views: 867

Re: Router on a stick and two gateways. Is that possible?

1. The firewall rules on the Mikrotik seem to be as per default, so firewall probably dropping the packet coming in on WAN interface. 2. Have not tested your scenario, but suspect if you resolve point 1 above, the Mikrotik is going to send an icmp redirect packet back to the laptop telling it to u...
by CZFan
Mon Oct 11, 2021 4:43 pm
Forum: Announcements
Topic: v6.49 [stable] is released!
Replies: 219
Views: 95214

Re: v6.49 [stable] is released!

...If i remember previous version was 6.37

That is a "massive" jump between versions, I suspect there might be config problems on your side
by CZFan
Fri Oct 08, 2021 5:53 pm
Forum: General
Topic: Problem with Public IP in migration from RB4011 to CCR1009 [SOLVED]
Replies: 8
Views: 1095

Re: Problem with Public IP in migration from RB4011 to CCR1009 [SOLVED]

1st point will be for you to define "backup"

Backup is there only to restore to the existing / same hardware device, for others you need to do export of config, reset new device and import config
by CZFan
Wed Oct 06, 2021 9:53 pm
Forum: General
Topic: vlans not working
Replies: 11
Views: 1323

Re: vlans not working

IP Address should be attached to Vlan interface, not ether interface
by CZFan
Wed Oct 06, 2021 8:50 pm
Forum: Scripting
Topic: Script Error
Replies: 23
Views: 7040

Re: Script Error

... I would like to use this script, would you mind changing it to monitor 2 devices on innerweb, i.e. ping both 8.8.8.8 and 1.1.1.1 and if both fails, then take action? Nevermind, think I have it working... :global ltestatus :if ([:typeof $ltestatus] = "nothing") do={:set ltestatus "...
by CZFan
Wed Oct 06, 2021 7:49 pm
Forum: Scripting
Topic: Script Error
Replies: 23
Views: 7040

Re: Script Error

Too much strict, something can fill the connection and reboot the device without reason...
Agree, but it is what he asked.

I would like to use this script, would you mind changing it to monitor 2 devices on innerweb, i.e. ping both 8.8.8.8 and 1.1.1.1 and if both fails, then take action?
by CZFan
Wed Oct 06, 2021 7:36 pm
Forum: Scripting
Topic: Script Error
Replies: 23
Views: 7040

Re: Script Error

@pigsfoot, I think what you are looking for is:
[:ping 8.8.8.8 count=3] = 0
This will send 3 ping requests, if all 3 fail, then do what is required...

If not, you will have to elaborate on your requirement
by CZFan
Wed Oct 06, 2021 6:17 pm
Forum: Scripting
Topic: Script Error
Replies: 23
Views: 7040

Re: Script Error

I would rather reboot the "modem" instead of the router, that way you still keep the logs, etc below amended script from @rextended: :global ltestatus :if ([:typeof $ltestatus] = "nothing") do={:set ltestatus "offline"} /interface lte :if ([:len [find]] > 0) do={ :if ([...
by CZFan
Wed Oct 06, 2021 6:02 pm
Forum: RouterBOARD hardware
Topic: hEX-S and hardware VLAN switching
Replies: 18
Views: 5536

Re: hEX-S and hardware VLAN switching

Yes, it does actually. ...

Not sure if above refers to my post saying hEX S switch chip does not support Vlan tables...
by CZFan
Wed Oct 06, 2021 5:40 pm
Forum: General
Topic: Help to restore Original MAC Address
Replies: 1
Views: 1063

Re: Help to restore Original MAC Address

/interface ethernet reset-mac-address ether1,ether2,...
by CZFan
Wed Oct 06, 2021 5:23 pm
Forum: Scripting
Topic: filtering for one ip
Replies: 13
Views: 2580

Re: filtering for one ip

Not sure exactly what you want to achieve, and will probably just cause a lot of retransmits of packets in your network, but maybe below is a starting point which you can expand / amend to your liking with additions like connection marking, etc. /ip firewall filter add action=drop chain=input nth=5...
by CZFan
Wed Oct 06, 2021 2:28 pm
Forum: General
Topic: Trunk/VLAN on PTP Wireless brigde with CISCO
Replies: 20
Views: 3088

Re: Trunk/VLAN on PTP Wireless brigde with CISCO

The VLans are assigned to the bridge in PORTS How a trunk port is made in mikrotik then... The interface directly connected to CISCO ( which is ether1) will create a trunk Clearly you have not read the link from @sindy!!! Your config is based on the "old Mikrotik Vlan" method and not ...
by CZFan
Wed Oct 06, 2021 1:45 pm
Forum: RouterBOARD hardware
Topic: hEX-S and hardware VLAN switching
Replies: 18
Views: 5536

Re: hEX-S and hardware VLAN switching

With lack of complete view, I am failing to understand why you think the >25Mb/s multicast will kill the hEX S?

If you need to change this, this is where the trusty old RB2011 will shine
by CZFan
Wed Oct 06, 2021 1:35 pm
Forum: RouterBOARD hardware
Topic: hEX-S and hardware VLAN switching
Replies: 18
Views: 5536

Re: hEX-S and hardware VLAN switching

hEX S switch chip does not support Vlan tables
by CZFan
Wed Oct 06, 2021 1:12 pm
Forum: General
Topic: hap mini - not enough space
Replies: 13
Views: 3462

Re: hap mini - not enough space

..
ppp, mpls, and routing are the usual candidates for disabling.
Personally, I would leave ppp, as this might be needed for VPN / PPPoE. I typically remove/uninstall the following on small client CPEs:
  • hotspot
  • ipv6
  • mpls
  • routing
I also remove wireless if not required
by CZFan
Tue Oct 05, 2021 6:52 pm
Forum: General
Topic: hap mini - not enough space
Replies: 13
Views: 3462

Re: hap mini - not enough space

this has been discussed "ad nauseam", try the search facility some times...

Options are:
1. Netinstall, or
2. Only install "services" that is required
by CZFan
Tue Oct 05, 2021 4:05 pm
Forum: General
Topic: winbox can't work correctly if "users" folder moved from disk C:
Replies: 16
Views: 3235

Re: winbox can't work correctly if "users" folder moved from disk C:

link, not icon???
That will depend on your age I suppose :-)
by CZFan
Mon Oct 04, 2021 8:06 pm
Forum: General
Topic: winbox can't work correctly if "users" folder moved from disk C:
Replies: 16
Views: 3235

Re: winbox can't work correctly if "users" folder moved from disk C:

Silly question, but you did update any existing icon properties to reflect new folder?
by CZFan
Mon Oct 04, 2021 7:57 pm
Forum: General
Topic: Block between hosts/VLAN
Replies: 2
Views: 573

Re: Block between hosts/VLAN

...
Since the setup is created as only 1 NIC --> Could I create the VLAN1 og VLAN2 - and create the same VLAN on the NIC in VMware - and split it that way instead
...
Yes, segregating the connections using Vlans is good to go
by CZFan
Sun Sep 19, 2021 3:50 pm
Forum: General
Topic: Is my hAPac^2 dead?
Replies: 17
Views: 2557

Re: Is my hAPac^2 dead?

Actually repeating the same process with the same netinstall version made no difference.. so that was not the case... In the case i described the router was showing fine in the list... pressing the install button made no progress... I 've come to this situation just 2-3 times with the same laptop t...
by CZFan
Thu Sep 02, 2021 9:28 pm
Forum: Announcements
Topic: v6.48.4 [stable] is released!
Replies: 68
Views: 72252

Re: v6.48.4 [stable] is released!

/int bri por is expanded to /interface bridge port-controller for some reason.. just don't abbreviate cli commands, they are suspected to change anyway.
...
Yes, that will explain it, thx, tested and that is the case
by CZFan
Thu Sep 02, 2021 5:39 pm
Forum: Announcements
Topic: v6.48.4 [stable] is released!
Replies: 68
Views: 72252

Re: v6.48.4 [stable] is released!

On 2011, trying to print bridge ports, I get the following:
bridge-port.JPG
When I export, get below:
bri-exp.JPG
by CZFan
Tue Aug 31, 2021 12:04 pm
Forum: General
Topic: Who has the biggest uptime ?
Replies: 22
Views: 4807

Re: Who has the biggest uptime ?

Not Mikrotik related, but uptime related :-) Went to a client in approx 1997/98, it was a bakery baking high volumes of breads for shops. The callout was to set up / connect a new user to their network. The Novell 3.x server used as a F&P server, dust, baking powder, etc all over the server,...
by CZFan
Fri Aug 27, 2021 4:10 pm
Forum: Beginner Basics
Topic: tag-stacking problem , can't get my config to work
Replies: 1
Views: 1420

Re: tag-stacking problem , can't get my config to work

Looking at your config, it seems you have not reviewed the wiki article, see link below:

https://wiki.mikrotik.com/wiki/Manual:B ... g_Stacking

Welcome to come back if still experiencing problems after following article above
by CZFan
Thu Aug 26, 2021 3:28 pm
Forum: General
Topic: L2TP/IPsec web browser location result issue
Replies: 24
Views: 2923

Re: L2TP/IPsec web browser location result issue

IIRC, in Google Chrome you can set your geolocation to something you specify manually, this is not the case?
by CZFan
Thu Aug 26, 2021 2:45 pm
Forum: General
Topic: L2TP/IPsec web browser location result issue
Replies: 24
Views: 2923

Re: L2TP/IPsec web browser location result issue

...
The above l2tp-out go to the CCR1009.
...
How is your VPN connections to 1009 working?

client-->L2TP/IPSec-->CCR1009
or
client-->hEX-->L2TP/IPSec-->CCR1009
by CZFan
Thu Aug 26, 2021 1:24 pm
Forum: General
Topic: L2TP/IPsec web browser location result issue
Replies: 24
Views: 2923

Re: L2TP/IPsec web browser location result issue

I don't see how this is possible, your local public IP should not be routed to remote country via the internet, so you must be breaking out locally and not using the VPN when you think you do.

Best will be to post config of both devices, also check routing on client devices
by CZFan
Thu Aug 19, 2021 10:46 pm
Forum: General
Topic: 2 X WAN Default Routes with VLAN and/or specific IP ranges
Replies: 1
Views: 666

Re: 2 X WAN Default Routes with VLAN and/or specific IP ranges

Post results (between code brackets) of 2 commands below

/ip firewall mangle export
/ip route export
by CZFan
Thu Aug 19, 2021 10:28 pm
Forum: General
Topic: [URGENT] How to block site on MikroTik
Replies: 23
Views: 2813

Re: [URGENT] How to block site on MikroTik

CZfan should the OP look at the new 5009 its in the same ballpark $wise but seems to be more powerful ???

For me personally, the jury is not out yet on the 5009, so for a production box, with only ROS 7 which is not out yet either, don't think so
by CZFan
Thu Aug 19, 2021 7:28 pm
Forum: General
Topic: Translate VPN address to Local [SOLVED]
Replies: 2
Views: 950

Re: Translate VPN address to Local [SOLVED]

/ip firewall nat add chain=srcnat src-address=10.10.10.10 dst-address=192.168.30.150 out-interface=<WhatEverInterfaceIsConnectedToTP-Link> action=masquerade
by CZFan
Thu Aug 19, 2021 6:18 pm
Forum: General
Topic: [URGENT] How to block site on MikroTik
Replies: 23
Views: 2813

Re: [URGENT] How to block site on MikroTik

I public department, we spend less than U$20 per 1Gbps link, but we don’t have money to buy lots of CCR, I live in Brazil, one CCR costs the same as a good car..

You don't really need a CCR, a RB4011 will run circles around the CRS125 without breaking a sweat
by CZFan
Thu Aug 05, 2021 2:16 am
Forum: Beginner Basics
Topic: Create a PPTP VPN
Replies: 1
Views: 748

Re: Create a PPTP VPN

You will have to ask ISP to configure port forwarding for PPTP on their router pointing to your router address.
by CZFan
Tue Aug 03, 2021 7:40 pm
Forum: General
Topic: bug with edit Access List in Mikrotik Pro mobile app
Replies: 6
Views: 1287

Re: bug with edit Access List in Mikrotik Pro mobile app

That should not happen, create a support ticket by sending details to support@mikrotik.com
by CZFan
Tue Aug 03, 2021 3:15 pm
Forum: General
Topic: bug with edit Access List in Mikrotik Pro mobile app
Replies: 6
Views: 1287

Re: bug with edit Access List in Mikrotik Pro mobile app

Can be, will have to wait for OP to clarify, but to quote OP:

the WiFi connection is broken and the changes made are reset before the apply button is pressed!
by CZFan
Tue Aug 03, 2021 3:07 pm
Forum: General
Topic: bug with edit Access List in Mikrotik Pro mobile app
Replies: 6
Views: 1287

Re: bug with edit Access List in Mikrotik Pro mobile app

This is true for all configuration methods. Changes to access list will restart the wifi interface. Do this only from a wired connection, or simply be aware of this limitation
Understand that wifi interface will restart, but why are changes not applied?
by CZFan
Wed Jul 28, 2021 6:59 pm
Forum: General
Topic: Two providers. Unstable behavior. [SOLVED]
Replies: 9
Views: 1278

Re: Two providers. Unstable behavior. [SOLVED]

@BlackRat, the setting you highlighted is IMO invalid. It's not logical to have address with network address set to same value....
It is a /32 address, and usually used for loopback interfaces
by CZFan
Mon Jul 26, 2021 9:31 pm
Forum: RouterBOARD hardware
Topic: Adding a cooling fan to CRS326
Replies: 61
Views: 27786

Re: Adding a cooling fan to CRS326

Alright. I see we have a few "gaming" home PC builders here. Firstly, the "rules of thumb" of gaming PC building do not apply to switches. Even if they did, a lot of people spread dumb "rules" out of ignorance in the PC gaming communities. ... I removed their special r...
by CZFan
Mon Jul 26, 2021 4:04 pm
Forum: Beginner Basics
Topic: Port Forwarding from VPN to Client on Ethernet [SOLVED]
Replies: 4
Views: 3176

Re: Port Forwarding from VPN to Client on Ethernet [SOLVED]

It can differ a bit depending on your exact config, but if the IP of the VPN client is static, it can look something like below:

/ip firewall nat
add chain=dstnat dst-address=10.8.0.2 port=8081 action=dst-nat to-addresses=192.168.123.1 to-ports=80

Instead of dst-address, you can also use in-interface/l...
by CZFan
Mon Jul 26, 2021 1:34 pm
Forum: Beginner Basics
Topic: Hex vs Hex S [SOLVED]
Replies: 22
Views: 10803

Re: Hex vs Hex S [SOLVED]

"Getting fibre" means nothing to me, i.e. here we have soooooo many people on fibre with packages 5Mb/s - 50Mb/s

Something in between the hEX and 4011 series, is also the hAP AC², very nice little router
by CZFan
Thu Jul 01, 2021 11:58 pm
Forum: General
Topic: ASK [ port-isolation?]
Replies: 1
Views: 651

Re: ASK [ port-isolation?]

Applied it successfully on a CRS326 a couple of years ago
by CZFan
Thu Jul 01, 2021 11:08 pm
Forum: Beginner Basics
Topic: Mangle L2TP vpn [SOLVED]
Replies: 10
Views: 4071

Re: Mangle L2TP vpn [SOLVED]

I suspect your problem is you don't have a route via the backup ISP, add a default route to this with distance of 3 and test
by CZFan
Tue Jun 22, 2021 2:00 pm
Forum: RouterBOARD hardware
Topic: CCR2004 real routing performance?
Replies: 5
Views: 4267

Re: CCR2004 real routing performance?

Had an incident with a client of mine recently where they peer with an Internet Exchange at data centre routing +- 200Mb/s on a 2004. The Internet Exchange route server sends constant route updates in BGP which causes the 2004 CPU to spike to 30% utilization every +- 45 seconds, when this happens, any...
by CZFan
Fri Jun 18, 2021 5:05 pm
Forum: General
Topic: Cant Open Ports
Replies: 9
Views: 1553

Re: Cant Open Ports

Is this the "full" config, i.e. there is no Firewall Filter rules?

If not full config and there are firewall filter rules, then make sure you have a rule that allows Destination NAT
by CZFan
Thu Jun 17, 2021 9:11 pm
Forum: Forwarding Protocols
Topic: Setting OSPF interface cost by speed
Replies: 2
Views: 4010

Re: Setting OSPF interface cost by speed

You can manually calculate costs using formula below to get similar costs like Cisco

Cost = 100000000/bw in bps.
by CZFan
Mon May 31, 2021 1:11 am
Forum: General
Topic: Packet Loss on Router Ping
Replies: 15
Views: 9020

Re: Packet Loss on Router Ping

Post current config after changes made
by CZFan
Mon May 31, 2021 1:07 am
Forum: General
Topic: Point to Point Addressing /32 or /31 Default Route [SOLVED]
Replies: 18
Views: 5066

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

...But I've seen other posts too with problems configuring a /31 subnet between two Mikrotiks
official word from MT Support is that ROS does not support /31, have to use /30 or alternatively ptp addressing /32
by CZFan
Thu May 27, 2021 4:06 pm
Forum: Beginner Basics
Topic: RB 3011 Firewall
Replies: 5
Views: 1229

Re: RB 3011 Firewall

Yep but default Firewall Rules are not useable when i'll try to reach a network via VPN and everything is blocked by a default firewall rule which blocks everything not coming from lan... Next Time i use safe mode till then reset and reconfigure is what i have to do :) What you can do is add interfa...
by CZFan
Thu May 27, 2021 2:51 pm
Forum: General
Topic: Packet Loss on Router Ping
Replies: 15
Views: 9020

Re: Packet Loss on Router Ping

First, thanks for have spent your time to do the graph. ... To add to this extensive list of incorrect configs on your device, you also have ether 2 as a slave port of the bridge, but have IP config 192.168.1.0/24 directly on the slave port which can possibly be the issue. If ether 2 should be part...
by CZFan
Fri May 14, 2021 6:34 pm
Forum: Beginner Basics
Topic: Queue tree + pcq no working for me
Replies: 10
Views: 2304

Re: Queue tree + pcq no working for me

Hello friends, what I will ask here is that it is duplicated in many forums but I cannot find something that can help me and I have configured it in the possible ways. I have a mikrotik 4011 in production with 200 clients, I manage them by pppoe with plans of 5 and 15mb, configure queue tree + pcq ...
by CZFan
Wed May 05, 2021 12:15 pm
Forum: General
Topic: IPsec Site to SIte behind NAT
Replies: 10
Views: 1343

Re: IPsec Site to SIte behind NAT

Look at PC firewall settings, Windows firewall by default drops packets for "new" connections not from local subnet
by CZFan
Wed Apr 21, 2021 8:50 pm
Forum: General
Topic: IPIP vs GRE [SOLVED]
Replies: 7
Views: 4102

Re: IPIP vs GRE [SOLVED]

... I just tried ... and IPsec works just fine without setting local address. Seems it automatically takes local IP address of interface used when routing towards peer. For most users that'll be interface used by default route. Hmmm, Yup, just tested and seems you are correct. I guarantee this was ...
by CZFan
Tue Apr 20, 2021 8:11 pm
Forum: General
Topic: IPIP vs GRE [SOLVED]
Replies: 7
Views: 4102

Re: IPIP vs GRE [SOLVED]

In what cases do I need to specify addresses for both ends of the IPIP-tunnel, and in what cases it is not necessary?
I tried a IPIP-tunnel without addresses - everything works fine.
When you enable IPsec encryption you will need to specify a local address
by CZFan
Fri Apr 09, 2021 2:06 pm
Forum: General
Topic: ac2 vs ac3 wifi not over 200Mb
Replies: 13
Views: 3453

Re: ac2 vs ac3 wifi not over 200Mb

If both devices are on the desk, then maybe get some more space between them, as the radios are probably screaming at each other and causes noise
by CZFan
Fri Apr 09, 2021 12:37 pm
Forum: Forwarding Protocols
Topic: BGP Load balance over two routers [SOLVED]
Replies: 6
Views: 6527

Re: BGP Load balance over two routers [SOLVED]

I think the best in a case for above is to contact a certified Mikrotik Consultant in your area.

These guys pay big money to ensure they have knowledge and skills and are there for things like this to assist

https://mikrotik.com/consultants
by CZFan
Tue Apr 06, 2021 9:59 pm
Forum: Wireless Networking
Topic: set PVID of WDS dynamic interface? and wireless clients with a vlan-aware bridge
Replies: 6
Views: 2432

Re: set PVID of WDS dynamic interface? and wireless clients with a vlan-aware bridge

No, we don't use wds right now, but wanted. We need to avoid the "disconnection" and "reconnection" every time a device changes from AP to AP in our wireless environment, avoiding the need to get a new IP address. We have 2 SSIDs in Virtual APs, ("Corp" and "Guest"...
by CZFan
Thu Apr 01, 2021 1:22 am
Forum: Beginner Basics
Topic: Multiple VLAN on Single Port
Replies: 6
Views: 3041

Re: Multiple VLAN on Single Port

You are missing the bridge interface under bridge vlan table for vlan 999, need to add bridge as tagged interface
by CZFan
Mon Mar 29, 2021 7:30 pm
Forum: Forwarding Protocols
Topic: EOIP vs VPLS, less packet loss with EOIP?
Replies: 5
Views: 2858

Re: EOIP vs VPLS, less packet loss with EOIP?

I would start by looking at MTU configs
by CZFan
Thu Mar 25, 2021 2:40 pm
Forum: General
Topic: DHCP Offering Lease Without Success
Replies: 119
Views: 127626

Re: DHCP Offering Lease Without Success

... Now, the client must send a REQUEST for that address and the DHCP server answers with a REPLY and at that point the address is bound to the client. ... Just for correctness sake, the server does not answer with a REPLY message, but with an ACK, aka Acknowledge. Process is called DORA, i.e. D...
by CZFan
Thu Mar 25, 2021 1:20 pm
Forum: Beginner Basics
Topic: Date & Time from NTP Server [SOLVED]
Replies: 14
Views: 5094

Re: Date & Time from NTP Server [SOLVED]

2 things:

1. If you installed the "ntp" package, it changes the look/feel of the ntp client, and you will have to use scripts to make use of the FQDNs

2. If not, then see screenshot below for using FQDNs with ntp client
mtntpclient.JPG
by CZFan
Wed Mar 24, 2021 6:07 pm
Forum: Beginner Basics
Topic: Date & Time from NTP Server [SOLVED]
Replies: 14
Views: 5094

Re: Date & Time from NTP Server [SOLVED]

Tell Google that; it's time1.google.com. Yes, .0 is a perfectly legal address, depending on the netmask.
Snap!!! :-)
by CZFan
Wed Mar 24, 2021 5:49 pm
Forum: Beginner Basics
Topic: Date & Time from NTP Server [SOLVED]
Replies: 14
Views: 5094

Re: Date & Time from NTP Server [SOLVED]

216.239.35.0...
I know for sure that is not an NTP server.

Not sure I understand your reasoning, but an IP ending with .0 is a perfectly legal IP Address. Seems also it is Google Time server
googlentp.JPG
by CZFan
Fri Mar 19, 2021 6:44 pm
Forum: Wireless Networking
Topic: LTE Unregistered Status Codes
Replies: 3
Views: 2762

Re: LTE Unregistered Status Codes

Please read at start wiki about LTE
...

@SiB,

Would you mind posting a URL for what you refer to above, I am also currently struggling with LTE connection and looking for same info as per OP but can't find any info, been googling for last 2 hours
by CZFan
Fri Mar 19, 2021 6:09 pm
Forum: Wireless Networking
Topic: LTE Status / Error codes
Replies: 1
Views: 1409

LTE Status / Error codes

Does anyone know where I can get LTE status / error code descriptions.

Trying to connect a Mikrotik LTE router with a private APN SIM Card, but get message "not registered, state 3" message but can't find any info on this
by CZFan
Fri Mar 19, 2021 12:03 pm
Forum: The Dude
Topic: Unable to get Function / Probe working [SOLVED]
Replies: 1
Views: 7484

Re: Unable to get Function / Probe working [SOLVED]

Solved, seems it does not like the "-" in the function name
by CZFan
Thu Mar 18, 2021 5:40 pm
Forum: The Dude
Topic: Unable to get Function / Probe working [SOLVED]
Replies: 1
Views: 7484

Unable to get Function / Probe working [SOLVED]

I am trying to create a function / probe but just not getting any results. The function is supposed to report the interface utilization. Below is the Function "In-Utilization" code: if(oid("1.3.6.1.2.1.31.1.1.1.6.13"),round(rate(diff64(oid("1.3.6.1.2.1.31.1.1.1.6.13"))*8...
by CZFan
Wed Mar 17, 2021 5:19 pm
Forum: General
Topic: Mutiple SSTP servers
Replies: 4
Views: 1155

Re: Mutiple SSTP servers

If I may interject here, Will be good to understand what exactly the OP wants to achieve, but SSTP is a "service" on the router, and will accept from any IP Address configured on the router depending firewall rules. You dont bind SSTP to a specific IP per se. With SSTP and Road Warrior con...
by CZFan
Wed Mar 17, 2021 11:39 am
Forum: Wireless Networking
Topic: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]
Replies: 4
Views: 2680

Re: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]

Thank you @mkx, appreciate your response/feedback
...
Just to be sure modem doesn't emit smoke...

I did run the "no-smoke.bat" file, so all should be ok :-) (Giving my age away here again)
by CZFan
Tue Mar 16, 2021 8:22 pm
Forum: Beginner Basics
Topic: Two mikrotik routers conflict in same network, why???
Replies: 19
Views: 3968

Re: Two mikrotik routers conflict in same network, why???

STP is the symptom, and is behaving as per design, i.e. block/disable ports where there are network loops.

This is more to do with physical connections than config...
by CZFan
Tue Mar 16, 2021 10:17 am
Forum: General
Topic: No thermal pads with R11e-LTE6
Replies: 6
Views: 1546

Re: No thermal pads with R11e-LTE6

Analogy, to build a wall you can stack the bricks on top of each other, or "Optionally" use cement mix between the bricks Wonder which is the correct way??? another thing, these thermal pads seems to be fairly difficult to get hold of, i.e. I have to do a round trip of 100km from where I a...
by CZFan
Mon Mar 15, 2021 10:00 pm
Forum: Beginner Basics
Topic: Two mikrotik routers conflict in same network, why???
Replies: 19
Views: 3968

Re: Two mikrotik routers conflict in same network, why???


Yes, problem was with stp! Somebody can elaborate why stp was problem and is only solution to disable it?
I don't think the problem is STP, I rather think you have a loop in your network
by CZFan
Mon Mar 15, 2021 9:45 pm
Forum: General
Topic: No thermal pads with R11e-LTE6
Replies: 6
Views: 1546

Re: No thermal pads with R11e-LTE6

hmmm, and everyone will go and read that?
by CZFan
Mon Mar 15, 2021 5:50 pm
Forum: General
Topic: No thermal pads with R11e-LTE6
Replies: 6
Views: 1546

No thermal pads with R11e-LTE6

@normis et al A customer of mine bought 2 x LtAP LTE6 kits and 2 x R11e-LTE6 modems and dropped off by me to install for him. Following the instructions as per Mikrotik, thermal pads needs to be used on the 2nd modem installed in the router. My question is why is the thermal pads not supplied with t...
by CZFan
Mon Mar 15, 2021 1:06 pm
Forum: Wireless Networking
Topic: LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]
Replies: 4
Views: 2680

LtAP LTE 6 kit + R11e-LTE6 + External Antenna [SOLVED]

Have the following, "LtAP LTE 6 kit + R11e-LTE6 + External Antenna" but have a couple of questions if someone does not mind to assist. 1. As per attached pic, the "tabs" that can be broken off to provide place for cables/connectors/etc, the ones on inside (white plastic) does not...
by CZFan
Sat Mar 13, 2021 11:05 pm
Forum: General
Topic: Hetzner Subnet on Mikrotik CHR
Replies: 4
Views: 1756

Re: Hetzner Subnet on Mikrotik CHR

You will need to enable proxy arp on the internal facing interface
by CZFan
Sat Mar 13, 2021 4:07 pm
Forum: General
Topic: Having issues with NAT mapping
Replies: 8
Views: 1445

Re: Having issues with NAT mapping

Yes, relevant routes needs to be in place, depending on the public IPs / setup, you do not have to have multiple routes, i.e. lets say the ISP issues (Not routed to you) a /29 range, 1 address will be used for the next hop gateway with 1 default route, you can then assign the other 5 on your WAN int...
by CZFan
Fri Mar 12, 2021 11:24 pm
Forum: Beginner Basics
Topic: Bypass school proxy for internet access on smart tv's
Replies: 2
Views: 773

Re: Bypass school proxy for internet access on smart tv's

Why don't you do it the right way, i.e. Log a call with whoever does the IT and explain the problem so it be dealt with
by CZFan
Fri Mar 12, 2021 5:16 pm
Forum: General
Topic: blocking port 53 incoming from WAN ports, block tons of packets
Replies: 9
Views: 3348

Re: blocking port 53 incoming from WAN ports, block tons of packets

.. Is DNS attack by bots , I guess You are not "really" being attacked, but are being used to attack some other internet user If this packets are not dropped, it will have an impact on your upstream link as well as use additional resources on your router though. Will be better to drop the...
by CZFan
Thu Mar 11, 2021 10:57 pm
Forum: General
Topic: SIP Packets dropped unless Torch running
Replies: 11
Views: 2060

Re: SIP Packets dropped unless Torch running

...SIP packets falling foul of MNDP.

I had a search of the forums but couldn't find the post you mentioned
viewtopic.php?f=21&t=171035&p=840920&hi ... dp#p840552
by CZFan
Thu Mar 11, 2021 4:38 pm
Forum: General
Topic: SIP Packets dropped unless Torch running
Replies: 11
Views: 2060

Re: SIP Packets dropped unless Torch running

@networquk, pleasure, glad I could be of some assistance

@sindy, you are a blessing to the Mikrotik community, thank you and also thanks for the explanation, makes more sense to me now
by CZFan
Thu Mar 11, 2021 4:34 pm
Forum: Beginner Basics
Topic: RB 2011iL does not get Gib traffic
Replies: 19
Views: 2918

Re: RB 2011iL does not get Gib traffic

In 2016, when I had 1Gb/s fibre at my place, I used a 2011 and could get speeds of +- 850Mb/s to speedtest.net. +- 15 devices on the LAN/WLAN and approximately 15 FW rules + NAT, fasttrack enabled. Was not on a PPPoE connection but DHCP with the ISP. Only other difference was the WLAN was not part o...
by CZFan
Wed Mar 10, 2021 7:03 pm
Forum: General
Topic: Having issues with NAT mapping
Replies: 8
Views: 1445

Re: Having issues with NAT mapping

As a minimum, you should have the following: /ip firewall nat add chain=srcnat src-address=LANIP1 action=src-nat to-addresses=WANIP1 out-interface-list=WAN add chain=dstnat dst-address=WANIP1 action=dst-nat to-addresses=LANIP1 in-interface-list=WAN nat add chain=srcnat src-address=LANIP2 action=src-...
by CZFan
Wed Mar 10, 2021 5:40 pm
Forum: General
Topic: NAT action SAME behaves just like NETMAP?
Replies: 8
Views: 3227

Re: NAT action SAME behaves just like NETMAP?

My understanding is as follow:

Netmap - Maps IPs 1:1, so must be 1000 IPs to 1000IPs, i.e. a /22 to a /22
Same - You might have 1000 IPs mapping to 255 IPs, so the NAT will try and use the same NAT IP map per src/dst address pair, if src and or dst is different, it might use another IP to map/NAT to
by CZFan
Wed Mar 10, 2021 5:35 pm
Forum: General
Topic: SIP Packets dropped unless Torch running
Replies: 11
Views: 2060

Re: SIP Packets dropped unless Torch running

Did you restart the router after disabling fast track? if not, the fasttracked connections in connection tracking table will stay active till timeout, and if active traffic on these connections can stay active indefinitely. Your firewall accepts established related packets, so should the phone initi...
by CZFan
Tue Mar 09, 2021 11:52 pm
Forum: General
Topic: Radius + Hotspot setup
Replies: 1
Views: 684

Re: Radius + Hotspot setup

The setup script adds a NAT rule automatically
by CZFan
Tue Mar 09, 2021 11:45 pm
Forum: General
Topic: SIP Packets dropped unless Torch running
Replies: 11
Views: 2060

Re: SIP Packets dropped unless Torch running

Without seeing your config, it is just a guessing game. Torch disables a couple of things while running, i.e. Fasttrack, so if you have perhaps mangle rules for the phones and have fasttrack enabled, disable it, restart router and test If it does not solve the problem, post your config between code ...
by CZFan
Tue Mar 09, 2021 11:10 pm
Forum: General
Topic: NAT action SAME behaves just like NETMAP?
Replies: 8
Views: 3227

Re: NAT action SAME behaves just like NETMAP?

Have you tried reading the Mikrotik wiki to understand how Same and Netmap works and what the difference is?
by CZFan
Fri Mar 05, 2021 2:50 pm
Forum: Beginner Basics
Topic: Two mikrotik routers conflict in same network, why???
Replies: 19
Views: 3968

Re: Two mikrotik routers conflict in same network, why???

... This is default config! Better option is to set IP to bridge? Thanks. If that is "default", then you have very old ROS version, then better you upgrade, then reset config to default and start again Yes, IP should not be attached to slave interface, should be on master, i.e. bridge int...
by CZFan
Fri Mar 05, 2021 10:34 am
Forum: Beginner Basics
Topic: Two mikrotik routers conflict in same network, why???
Replies: 19
Views: 3968

Re: Two mikrotik routers conflict in same network, why???

couple other things incorrect, you have IPs assigned to slave interfaces on both sides, i.e on ether 2 which should be on the bridge interface
by CZFan
Tue Mar 02, 2021 11:40 pm
Forum: General
Topic: ASK [vpls PW]
Replies: 8
Views: 1859

Re: ASK [vpls PW]

by CZFan
Tue Mar 02, 2021 1:24 pm
Forum: General
Topic: ASK [vpls PW]
Replies: 8
Views: 1859

Re: ASK [vpls PW]

IIRC, you use tagged type when you make use of service tags inside VPLS cloud

more info below

https://tools.ietf.org/html/rfc4762#page-11
by CZFan
Wed Feb 24, 2021 10:08 am
Forum: General
Topic: PVID for BGP VPLS interface on a bridge
Replies: 6
Views: 2605

Re: PVID for BGP VPLS interface on a bridge

Off the bat, have not tested it, etc. possible solutions might be:

1. Assign Vlans to a VRF and use the VRF, or maybe
2. In bridge port, you can select interface called "dynamic" and assign pvid there
by CZFan
Tue Feb 23, 2021 3:04 pm
Forum: General
Topic: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71
Replies: 10
Views: 4682

Re: too many packet per second with this outpu input: in:ether1 out:(unknown 0), src-mac , proto UDP, ->ip:53, len 71

OP:

Just a word of warning, your public IP is visible on those screenshots, let me know if I am close :-)

EDIT: IP Removed
by CZFan
Mon Feb 22, 2021 9:27 pm
Forum: Beginner Basics
Topic: Playing with Routes.
Replies: 4
Views: 1015

Re: Playing with Routes.

without recursive routing, will be something like this (trying to keep with your method of explanation): Route Rules: LAN1: SrcAdd(LAN1) Table(LAN1) LAN2: SrcAdd(LAN2) Table(LAN2) Routes: route 1 isp1 wan, route-mark LAN1 distance=1 route 2 isp2 wan, route-mark LAN1 distance=2 route 3 isp2 wan, rout...
by CZFan
Fri Feb 19, 2021 9:52 pm
Forum: Wireless Networking
Topic: MİkroTik Wireless Gig+ Test
Replies: 14
Views: 3052

Re: MİkroTik Wireless Gig+ Test


WoW, for that price, I will rather buy 6 x RB4011s and place them all over where needed :-)
by CZFan
Fri Feb 19, 2021 9:28 pm
Forum: Beginner Basics
Topic: Playing with Routes.
Replies: 4
Views: 1015

Re: Playing with Routes.

Can this be done without mangling is the challenge?

Yes, by using route rules with routing mark/route table for each LAN/WAN combination.

Then create 2 rules for each routing table, one with distance of "1" and another "2", recursive routing will serve better here
by CZFan
Fri Feb 12, 2021 4:40 pm
Forum: General
Topic: IPIP, GRE and IPsec tunnel is not working.
Replies: 6
Views: 1186

Re: IPIP, GRE and IPsec tunnel is not working.

Without seeing the configs, your guess is as good as mine
by CZFan
Thu Feb 11, 2021 10:26 am
Forum: General
Topic: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish
Replies: 4
Views: 926

Re: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish

No, they probably have a ttl of 64 or 128, etc and decrement from there as they cross hops Let me rephrase, There is option in filter rules that you can check the TTL under advanced tab and then add src address to address list, but what I meant with the "No" is that they will most probabl...
by CZFan
Wed Feb 10, 2021 11:04 pm
Forum: General
Topic: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish
Replies: 4
Views: 926

Re: Is there any way to add src-adress to a list which ttl is greater than 2 or as i wish

No, they probably have a ttl of 64 or 128, etc and decrement from there as they cross hops
by CZFan
Wed Feb 10, 2021 10:51 pm
Forum: General
Topic: 31 subnet - Not finding an answer to default gateway.
Replies: 23
Views: 13268

Re: 31 subnet - Not finding an answer to default gateway.

Have config at a WISP client of mine where I am using /31 between them and their upstream provider.

My client side is a MT and upstream provider side is Cisco, using the Cisco as GW
by CZFan
Wed Feb 10, 2021 12:43 pm
Forum: Beginner Basics
Topic: EoIP Tunnel Clamp TPC MSS
Replies: 16
Views: 7162

Re: EoIP Tunnel Clamp TPC MSS

@CZFan and what Clamp mss in EoIP does? Not sure if I understand the question correctly, but: OP did not mention EoIP tunnel MTU size in OP, so with that, if the tunnel MTU was set at 1500, then the "Clamp TCP MSS" in EoIP config will clamp the MSS at 1460, which might not be low enough. ...
by CZFan
Tue Feb 09, 2021 10:40 pm
Forum: Beginner Basics
Topic: EoIP Tunnel Clamp TPC MSS
Replies: 16
Views: 7162

Re: EoIP Tunnel Clamp TPC MSS

Clamp mss in EoIP will only clamp it based on tunnel mtu size, it doesn't know what the mss size is end to end
by CZFan
Tue Feb 09, 2021 8:45 pm
Forum: General
Topic: CRS354 remove interface=all from bridge
Replies: 3
Views: 813

Re: CRS354 remove interface=all from bridge

Assign an admin MAC to the bridge interface, will probably drop you but then connect again, that should prevent dropping you changing bridge ports as the bridge wont change MAC address
Have not tested it
by CZFan
Wed Feb 03, 2021 11:38 am
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 295
Views: 126854

Re: v6.48 [stable] is released!

I'm wondering if perhaps they do not intend to release a 6.49 (moving to v7 instead as the next stable release after 6.48) ...
I suspect there is a big push to get V7 out, hence the huge change released in Dec 2020, but suspect we will still get a couple V6 updates
by CZFan
Tue Feb 02, 2021 8:17 pm
Forum: General
Topic: Still no luck with simple Bridge
Replies: 12
Views: 2034

Re: Still no luck with simple Bridge

.... If i do keep it as is but put the WAP on NAT, yes, it works...but tripple NAT. I find it crazy the WAP cant do what a cheap $20 ethernet extender can do. The UBNT picostation does it fine, but lacks the connect list...but i guess will work if i setup some hacking way to do a connect list on it...
by CZFan
Tue Feb 02, 2021 8:05 pm
Forum: Beginner Basics
Topic: Block Connection to router
Replies: 4
Views: 2215

Re: Block Connection to router

From the export you provided, I cant see any reason why disabling that rule will drop VPN connections, unless the export is not all info
by CZFan
Tue Feb 02, 2021 8:03 pm
Forum: Beginner Basics
Topic: hAP ac3 - VLAN & inter-VLAN
Replies: 20
Views: 4315

Re: hAP ac3 - VLAN & inter-VLAN

All routing is done via CPU, firewall will see this traffic
by CZFan
Tue Feb 02, 2021 7:42 pm
Forum: General
Topic: Why doesn't a DNS dstnat rule create an open resolver?
Replies: 6
Views: 1172

Re: Why doesn't a DNS dstnat rule create an open resolver?

That looks like a fairly standard default Mikrotik firewall config, difficult to see details from screenshots, export much better If my assumption is correct above, it will mean that you typically allow DST NAT in the "Forward" chain, not "Input" chain, and as per example, you ar...
by CZFan
Tue Feb 02, 2021 7:35 pm
Forum: General
Topic: Same IP Address on two separate bridges
Replies: 2
Views: 819

Re: Same IP Address on two separate bridges

With devices in the same subnet being on both sides of the router, I dont think ARP Proxy is going to help you here. Off the bat, the only other way I think this will work is, but sounds more of a mission than you already do: Assuming you are on the LAN side, add 192.168.1.254 on WAN side interface,...
by CZFan
Tue Feb 02, 2021 7:19 pm
Forum: General
Topic: Why doesn't a DNS dstnat rule create an open resolver?
Replies: 6
Views: 1172

Re: Why doesn't a DNS dstnat rule create an open resolver?

The only reason will be if a firewall is blocking connections from the outside, else those rules will redirect (NAT) anything with a destination port of 53 to 192.168.88.1 Also, you will still need to enable "Allow remote..." in DNS service on router, else the router will not respond to DN...
by CZFan
Tue Feb 02, 2021 6:57 pm
Forum: General
Topic: Why doesn't a DNS dstnat rule create an open resolver?
Replies: 6
Views: 1172

Re: Why doesn't a DNS dstnat rule create an open resolver?

"...they suspiciously look like the rules for port-forwarding..."

Reason is that is exactly what those rules are, they will just redirect (NAT) packets to which ever DNS server you point them to in the NAT rule, may it be your router or Google DNS servers, etc
by CZFan
Tue Feb 02, 2021 4:42 pm
Forum: SwOS
Topic: Split Horizon
Replies: 1
Views: 3905

Re: Split Horizon

Not sure I follow.

Layer 2 is logically segregated right, that is one of the reasons for Vlan's?

To block comms between these on Layer 3, use firewall
by CZFan
Tue Feb 02, 2021 4:20 pm
Forum: General
Topic: Netinstall and CCR1009 [SOLVED]
Replies: 2
Views: 3281

Re: Netinstall and CCR1009 [SOLVED]

Ether1 does not apply to all routers for Netinstall,

For the CCR1009, I think it is ether7, check on the router, it will be marked "boot"
by CZFan
Fri Jan 29, 2021 12:23 am
Forum: Forwarding Protocols
Topic: Broadcast bridging to ptpp vpn
Replies: 1
Views: 986

Re: Broadcast bridging to ptpp vpn

Search Mikrotik wiki for EoIP or BCP (Bridge Control Protocol)
by CZFan
Fri Jan 29, 2021 12:04 am
Forum: Beginner Basics
Topic: Speed issue with Mikrotik CCR2004
Replies: 5
Views: 1316

Re: Speed issue with Mikrotik CCR2004

Try 6.46.8 long term version
by CZFan
Fri Jan 29, 2021 12:01 am
Forum: Beginner Basics
Topic: Internet drops to 0 kbps for 1-2 seconds
Replies: 4
Views: 1900

Re: Internet drops to 0 kbps for 1-2 seconds

I think you need to explain how you are monitoring this, if it is watching the interfaces in Winbox, then it might possibly just be refresh rates, etc in Winbox
by CZFan
Thu Jan 28, 2021 11:32 pm
Forum: General
Topic: DNS Traffic with Multi WAN Routers
Replies: 1
Views: 621

Re: DNS Traffic with Multi WAN Routers

You don't mention how you split the load across the 4 x WANs, so I can only assume: 1. Router sends the traffic across its DG with lowest distance. 2. You have configured DNS cache / proxy, so router does lookups on behalf of client devices, and follows point 1 above BTW, both your mangle rules are...
by CZFan
Thu Jan 28, 2021 11:19 pm
Forum: General
Topic: New Winboxes can`t connect older RoS via L2
Replies: 6
Views: 1252

Re: New Winboxes can`t connect older RoS via L2

Had same issue when I factory reset a customer of mines router, what resolved it was to add static IP address on my laptop (usually on DHCP)
by CZFan
Thu Jan 28, 2021 11:06 pm
Forum: General
Topic: Hardware choice for BGP+OSPF 1/2/10G
Replies: 4
Views: 1032

Re: Hardware choice for BGP+OSPF 1/2/10G

Why will you need full tables with only one peer?
by CZFan
Thu Jan 28, 2021 8:25 pm
Forum: General
Topic: How can I see connections in LAN
Replies: 3
Views: 1009

Re: How can I see connections in LAN

For Torch to see the traffic, you will need to disable "Hardware Offload" of the interfaces bridged in Menu-->Bridge-->Ports

Note: This will have a negative performance impact for traffic between interfaces in the bridge
by CZFan
Tue Jan 26, 2021 5:13 pm
Forum: Beginner Basics
Topic: RB4011 - Simplest Way to Rate Limit One Interface
Replies: 1
Views: 802

Re: RB4011 - Simplest Way to Rate Limit One Interface

I would just use below, that burst settings you have will bring no value
/queue simple
add disabled=no max-limit=16M/16M name="PC-LIMIT" target=ether1
Then make sure you have no fasttrack enabled in firewall or bypass fasttrack for this device / target
by CZFan
Tue Jan 26, 2021 3:22 pm
Forum: Beginner Basics
Topic: IP sec negociation error
Replies: 6
Views: 2031

Re: IP sec negociation error

If I am reading this correctly, the Mikrotik is sending, so you will have to get access to the logs / packet capture on the other side to see what the problem is, maybe the packet never reaches it, etc
by CZFan
Tue Jan 26, 2021 12:38 pm
Forum: Beginner Basics
Topic: Switch chip
Replies: 9
Views: 1928

Re: Switch chip

You dont give much information to go on, i.e. sample of your config, but I am convinced the reason will be that your config is not complete, i.e. need to add switch-cpu interface in the switch vlan table for that vlan
by CZFan
Tue Jan 26, 2021 12:32 am
Forum: Beginner Basics
Topic: CRS3xx flexible Vlan Translation
Replies: 3
Views: 960

Re: CRS3xx flexible Vlan Translation

The solution url you quoted is to enable bi directional communication, and I am not sure if this is the same as "bridge" as per your requirement.
I don't have a device to test with, but suspect it might work for you, but like I said, can't test or verify it
by CZFan
Tue Jan 26, 2021 12:15 am
Forum: Beginner Basics
Topic: IP sec negociation error
Replies: 6
Views: 2031

Re: IP sec negociation error

1. Does Zyxel belong to Sonicwall? Those screenshots looks extremely familiar last when I worked on Sonicwall in 2014. 2. I believe you are still showing the WAN address on the Zyxel side 3. Not sure if is your problem, but you have key group set on DH5 at Zyxel side, I believe this translates to 15...
by CZFan
Sat Jan 23, 2021 11:04 pm
Forum: General
Topic: Access Point with VLANS does not get an IP Address / Can't Access The Internet
Replies: 1
Views: 628

Re: Access Point with VLANS does not get an IP Address / Can't Access The Internet

Duplicate post, but there is no dhcp client configured
by CZFan
Sat Jan 23, 2021 10:45 pm
Forum: General
Topic: Mikrotik VLAN with Access Point Configuration [SOLVED]
Replies: 7
Views: 2443

Re: Mikrotik VLAN with Access Point Configuration [SOLVED]

Apologies, @mkx correct, I quickly scanned over the config.

But I don't see a dhcp client line item in config and that is probably reason AP can't get IP from DHCP
by CZFan
Sat Jan 23, 2021 10:20 pm
Forum: General
Topic: Mikrotik VLAN with Access Point Configuration [SOLVED]
Replies: 7
Views: 2443

Re: Mikrotik VLAN with Access Point Configuration [SOLVED]

Add bridge as a tagged member/interface of management vlan in bridge vlan table
by CZFan
Sat Jan 23, 2021 12:01 am
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 3113

Re: invalid dhcp server on vlan interface

The bridge has two sides to it, one is bridging interfaces, other is an interface itself which provides access to the CPU for accessing resources on device itself like DHCP, management of the device itself, etc. So like I mentioned earlier, to achieve above, you need to provide access to this in vlan ...
by CZFan
Fri Jan 22, 2021 3:14 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 3113

Re: invalid dhcp server on vlan interface

You can use any method, but you have to give access to the Bridge / Switch CPU interface on that device in order to access resources, i.e. DHCP, Management, etc on it
by CZFan
Fri Jan 22, 2021 2:58 pm
Forum: General
Topic: invalid dhcp server on vlan interface
Replies: 10
Views: 3113

Re: invalid dhcp server on vlan interface

You have configured both methods, i.e. bridge vlan as well as switch vlan.

Should just be one or the other, and in neither did you configure access to the Bridge / Switch CPU interface

HINT: From URL you quoted:

add ports=ether1,switch1-cpu switch=switch1 vlan-id=99
by CZFan
Wed Jan 20, 2021 12:06 am
Forum: Forwarding Protocols
Topic: Limit access VPN
Replies: 3
Views: 1468

Re: Limit access VPN

The steps you can take:
1. Drop L2TP that is not encrypted, explanation / sample config in wiki
2. Use strong passwords
3. Use RSA authentication
by CZFan
Tue Jan 19, 2021 11:32 pm
Forum: Beginner Basics
Topic: Slower performance when connected directly to router!
Replies: 12
Views: 2123

Re: Slower performance when connected directly to router!

Why is ether 1 mtu set at 1508?
by CZFan
Mon Jan 18, 2021 11:29 pm
Forum: General
Topic: iperf3
Replies: 3
Views: 9248

Re: iperf3

You don't want to test to/ from router anyway, as you will run into limitations of CPU, etc, so will not gain much. Best is to test "through" the router, and in that case, iperf is a good tool
by CZFan
Mon Jan 18, 2021 11:13 pm
Forum: Beginner Basics
Topic: Two SIMS in one modem.
Replies: 5
Views: 1914

Re: Two SIMS in one modem.

Only one sim slot can be active at a time
by CZFan
Mon Jan 18, 2021 11:03 pm
Forum: Forwarding Protocols
Topic: Limit access VPN
Replies: 3
Views: 1468

Re: Limit access VPN

If these were a "site to site" VPN, you can then make use of firewall rules to only allow from certain IPs, but as this is typically used for people to work remotely, i.e. today from home, tomorrow from coffee shop, etc. it is difficult to limit who can connect from where, etc. So best sol...
by CZFan
Sun Jan 17, 2021 11:06 pm
Forum: Beginner Basics
Topic: udp 500 and 4500 forwarding from Mikrotik to fortigate
Replies: 7
Views: 3249

Re: udp 500 and 4500 forwarding from Mikrotik to fortigate

Best will be to do packet capturing to see what is happening
by CZFan
Sun Jan 17, 2021 11:02 pm
Forum: Forwarding Protocols
Topic: double mangle marking and routing mark
Replies: 3
Views: 1564

Re: double mangle marking and routing mark

Can only have one mark.

What do you want to achieve, maybe another way of doing it?
by CZFan
Sun Jan 17, 2021 10:49 am
Forum: General
Topic: help
Replies: 7
Views: 1313

Re: help

Hmmm, downgrade ROS version?
by CZFan
Sat Jan 16, 2021 11:53 pm
Forum: Beginner Basics
Topic: netmap vs dst-nat
Replies: 1
Views: 4025

Re: netmap vs dst-nat

Have you tried reading the wiki? See link below.

https://wiki.mikrotik.com/wiki/Manual:I ... Properties
Netmap is usually used with 2 x sets of ip addresses and will then create a static 1:1 between these 2 sets
by CZFan
Sat Jan 16, 2021 2:22 pm
Forum: General
Topic: FTP Server w/ Small MTU
Replies: 5
Views: 1145

Re: FTP Server w/ Small MTU

MSS is negotiated / agreed between end devices during the TCP handshake, so you can't change "incoming" from outside MSS values. Possible reason your mangle rule is not working, is you probably have Fasttrack enabled which bypasses Mangle rules, if Fasttrack is required, you can exclude the ...
by CZFan
Thu Jan 14, 2021 11:39 pm
Forum: Beginner Basics
Topic: ICMP PING timeout outside LAN
Replies: 1
Views: 3432

Re: ICMP PING timeout outside LAN

Remove the below rules and add lte interface to WAN interface list
add action=accept chain=forward out-interface=lte1
add action=accept chain=forward in-interface=lte1
by CZFan
Tue Jan 12, 2021 11:20 pm
Forum: Forwarding Protocols
Topic: BGP FIRT [SOLVED]
Replies: 2
Views: 2038

Re: BGP FIRT [SOLVED]

You need to ask upstream provider to only announce default route to you, then in routing filters, only accept default prefix and discard all others
by CZFan
Mon Jan 11, 2021 8:30 pm
Forum: General
Topic: On a LTAP, how do I tell which wifi antenna connector is A and which is B?
Replies: 6
Views: 1301

Re: On a LTAP, how do I tell which wifi antenna connector is A and which is B?

Seems they are labeled JB00 & 01, thinking 00 should be A and 01 B, but no guarantees :-)
by CZFan
Sat Jan 09, 2021 10:58 pm
Forum: General
Topic: Full disk on empty router hAP ac^2
Replies: 4
Views: 1277

Re: Full disk on empty router hAP ac^2

HAP AC2 does not use the flash for updates, only memory, so place the update .npk in the root, restart router and it will update just fine
by CZFan
Thu Jan 07, 2021 11:14 pm
Forum: Beginner Basics
Topic: hAP ac poor performance
Replies: 3
Views: 1074

Re: hAP ac poor performance

I would suggest resetting the first device as there are couple of settings that can cause slow performance, i.e. Ether1 (WAN) is set to half duplex, fast path is disabled and fasttrack needs this, etc
by CZFan
Wed Jan 06, 2021 10:43 pm
Forum: General
Topic: Unbreakable Internet
Replies: 3
Views: 793

Re: Unbreakable Internet

Best will be to contact one closest to you, see below link

https://mikrotik.com/consultants
by CZFan
Wed Jan 06, 2021 10:30 pm
Forum: Beginner Basics
Topic: Trying to add Smart Light Bulb
Replies: 1
Views: 984

Re: Trying to add Smart Light Bulb

What does log on Mikrotik device say when bulb trying to connect?
by CZFan
Mon Jan 04, 2021 1:02 am
Forum: Scripting
Topic: (6.48) CQI has disappeared from /interface lte info
Replies: 2
Views: 1628

Re: (6.48) CQI has disappeared from /interface lte info

Above is posted in wrong topic header and should be under wireless .

Then as per your question, IIRC, CQI will only show when signal strength and quality is at acceptable levels
by CZFan
Wed Dec 30, 2020 11:25 pm
Forum: General
Topic: qinq - stripping outer vlan with hardware offloading
Replies: 4
Views: 2197

Re: qinq - stripping outer vlan with hardware offloading

I would think where the provider hands off the connection to you, the s tag is removed and you should only receive the 2 c tags from hand off
by CZFan
Tue Dec 29, 2020 11:26 pm
Forum: General
Topic: Guest Wifis for two separate VLANs
Replies: 10
Views: 1206

Re: Guest Wifis for two separate VLANs

Your description of your requirement is also not clear to me, all I can think of what you maybe want when saying "running through vlan 10" is possibly what is called qinq vlans, i.e. Tunneling a vlan inside another vlan
by CZFan
Tue Dec 29, 2020 11:15 pm
Forum: General
Topic: L2 ring redundancy protocol support?
Replies: 16
Views: 4258

Re: L2 ring redundancy protocol support?

If you are looking at sub 50ms, I doubt very much you will achieve this using scripts
by CZFan
Thu Dec 17, 2020 3:33 pm
Forum: Useful user articles
Topic: Advanced Routing Failover without Scripting
Replies: 268
Views: 134170

Re: Advanced Routing Failover without Scripting

Great, now I know they reworked my article without even mentioning me... That's a bit depressing :)

Plagiarism much...
by CZFan
Thu Dec 17, 2020 12:35 pm
Forum: Virtualization
Topic: high load CPU for a CHR working QT
Replies: 7
Views: 7367

Re: high load CPU for a CHR working QT

There are various configuration items that can be optimized to improve performance on your CHR at the moment.

There are multiple posts here as well as Wiki articles, alternatively contact a certified consultant closest to you https://mikrotik.com/consultants
by CZFan
Thu Dec 17, 2020 10:08 am
Forum: Scripting
Topic: Disable and Enable interface
Replies: 17
Views: 13575

Re: Disable and Enable interface

Very limited info you provide, but if my understanding is correct, then there is a problem with your logic. i.e. you ping 8.8.8.8 from ether 2, if no response, you disable interface, with this interface disabled, you will not be able to ping from it. If reasons for doing this is dual WAN purposes, t...
by CZFan
Wed Dec 16, 2020 11:41 pm
Forum: General
Topic: VPN with TUN interface [SOLVED]
Replies: 13
Views: 6910

Re: VPN with TUN interface [SOLVED]

Throughout this thread you mention you are using Windows as client devices and by default, Windows firewall blocks incoming packets not on local subnet.

Check Windows firewall
by CZFan
Wed Dec 16, 2020 11:17 pm
Forum: General
Topic: Question about VPN, pools and subnets [SOLVED]
Replies: 11
Views: 2382

Re: Question about VPN, pools and subnets [SOLVED]

Let us see the whole config, provide results of /export file=filenameofyourchoice hide-sensitive
by CZFan
Wed Dec 16, 2020 8:44 pm
Forum: General
Topic: Question about VPN, pools and subnets [SOLVED]
Replies: 11
Views: 2382

Re: Question about VPN, pools and subnets [SOLVED]

With limited info available, it seems you are confusing VPN server between "Routed" and "Bridged"

As a start, for routed, remove below and test:
/ppp profile
add bridge=bridge local-address=192.168.87.1 name=OpenVPN remote-address=OpenVPN-Pool use-encryption=required
by CZFan
Fri Dec 11, 2020 9:32 pm
Forum: General
Topic: DNS problem - with Kasa smart plugs
Replies: 29
Views: 4430

Re: DNS problem - with Kasa smart plugs

You seem to have networking issues, can be locally or ISP, suspect more ISP side. I see many DNS requests and DNS retransmissions, but nothing coming back from 8.8.8.8 or 8.8.4.4. I suspect the reason it behaves better when using Router as DNS is router will cache the address for a while. Suggest yo...
by CZFan
Thu Dec 10, 2020 9:29 pm
Forum: General
Topic: Queue tree not working as expected
Replies: 42
Views: 6814

Re: Queue tree not working as expected

Queue Tree configuration seems inconsistent and might confuse the queue mechanism.

Parent queue max limit is set to 10M which is responsible for distributing bandwidth between leaf queues, but leaf queues max limits are set to 1024M (1Gb/s)
by CZFan
Thu Dec 10, 2020 12:11 am
Forum: General
Topic: L2 ring redundancy protocol support?
Replies: 16
Views: 4258

Re: L2 ring redundancy protocol support?

where fast fail over is needed
How fast is fast?

With ERPS, they aiming at 50ms
by CZFan
Thu Dec 10, 2020 12:09 am
Forum: General
Topic: Sending multiple VLAN's through an EVC - Configuration
Replies: 2
Views: 762

Re: Sending multiple VLAN's through an EVC - Configuration

Should the qinq / provider bridge config not be done by the ISP?
by CZFan
Wed Dec 09, 2020 11:52 pm
Forum: General
Topic: L2 ring redundancy protocol support?
Replies: 16
Views: 4258

Re: L2 ring redundancy protocol support?

It is called ERPS, Ethernet Ring Protection Switching.

As far as I know Mikrotik does not support it "yet", will be cool though
by CZFan
Wed Dec 09, 2020 3:40 pm
Forum: General
Topic: DNS over HTTPS, round robin support
Replies: 19
Views: 3500

Re: DNS over HTTPS, round robin support

... If RouterOS can utilize round robin to provide fault tolerance for DoH then I'm a happy camper. If it cannot, then DoH feature in RouterOS is a toy that should be used in production with caution. I have not worked / looked into DNS in detail for a couple of years, but suspect it has not changed...
by CZFan
Wed Dec 09, 2020 3:10 pm
Forum: Forwarding Protocols
Topic: VLAN over VPLS Link
Replies: 9
Views: 3559

Re: VLAN over VPLS Link

Mikrotik Wiki Article on Bridge Vlan:
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

Herewith a good tutorial from a forum member:
viewtopic.php?f=13&t=143620&p=833307&hi ... an#p706996
by CZFan
Wed Dec 09, 2020 11:41 am
Forum: General
Topic: hEX POE RB960PGS not saving settings (solved: no disk space left)
Replies: 4
Views: 1264

Re: hEX POE RB960PGS not saving settings

... Interestingly there is 12.7 of 16Mb in use now, so I'm not too optimistic I can easily install the next upgrade with so little space left. When I get a bit more comfortable with the router I can probably uninstall some of the packages to make room (like hotspot). Anyway, my issue is resolved an...
by CZFan
Wed Dec 09, 2020 11:34 am
Forum: Beginner Basics
Topic: Slow LAN transfer speeds through RB4011. [SOLVED]
Replies: 5
Views: 1613

Re: Slow LAN transfer speeds through RB4011. [SOLVED]

Probably RSTP is enabled on the bridge, and as a result hw-offloading is disabled.
This should not really cause a major problem as the 4011 has 2,5Gb/s paths between each switch chip and CPU.

Suspect the problem is somewhere else
by CZFan
Wed Dec 09, 2020 9:54 am
Forum: Forwarding Protocols
Topic: VLAN over VPLS Link
Replies: 9
Views: 3559

Re: VLAN over VPLS Link

... 0 DB name="vpls21" mtu=1500 l2mtu=1550 mac-address=02:2B:05:71:1C:78 arp=enabled arp-timeout=auto disable-running-check=no remote-peer=10.20.1.2 cisco-style=no cisco-style-id=0 advertised-l2mtu=1550 pw-type=raw-ethernet use-control-word=yes vpls=MGMT-VPLS You are using BGP signaled VP...
by CZFan
Wed Dec 09, 2020 12:40 am
Forum: Forwarding Protocols
Topic: VLAN over VPLS Link
Replies: 9
Views: 3559

Re: VLAN over VPLS Link

You will add vlans the same way as you would with other interfaces.

Post your attempt with vlan config here and we can see where you going wrong and can try and assist you
by CZFan
Tue Dec 08, 2020 11:47 pm
Forum: Beginner Basics
Topic: Vpn Site To Site With Vlan
Replies: 8
Views: 4917

Re: Vpn Site To Site With Vlan

Remove current IPSec config, configure EoIP, enable IPSec in EoIP config and send vlan across this tunnel
by CZFan
Mon Dec 07, 2020 11:04 am
Forum: Beginner Basics
Topic: Limited Wifi Services
Replies: 7
Views: 1057

Re: Limited Wifi Services

Yes I did unfortunately I did not see any read receipt nor any response yet. Something may have gone wrong. You could possibly use zeljko110465@gmail.com. Thank you

Done...
by CZFan
Mon Dec 07, 2020 10:43 am
Forum: Beginner Basics
Topic: Limited Wifi Services
Replies: 7
Views: 1057

Re: Limited Wifi Services

Hi All, I am trying to configure Mikrotik CAP to provide limited wifi services through a set of firewall rules. I have been successful with Whatsapp and Be Safe (Local Covid19 registration App), however I could not get the Gmail going through even after enabling whole class IP addresses multiple se...
by CZFan
Fri Dec 04, 2020 10:18 am
Forum: General
Topic: Very old ROS versions
Replies: 14
Views: 2183

Re: Very old ROS versions

Because software archaeology is not a popular hobby, so it would be too much effort spent on Mikrotik side just to satisfy you and the other two guys practising it :) I’ve always wondered why people who can’t contribute anything useful to the discussion have a need to write Hmmm,@sindy is in the to...
by CZFan
Thu Dec 03, 2020 9:13 pm
Forum: General
Topic: Routing all traffic from network port to another router
Replies: 4
Views: 1955

Re: Routing all traffic from network port to another router

best will be to make the Mikrotik a switch / bridge, i.e. bridge all ports, no routing on Mikrotik
by CZFan
Thu Dec 03, 2020 8:51 pm
Forum: General
Topic: Very old ROS versions
Replies: 14
Views: 2183

Re: Very old ROS versions

Because software archaeology is not a popular hobby, so it would be too much effort spent on Mikrotik side just to satisfy you and the other two guys practising it :) I’ve always wondered why people who can’t contribute anything useful to the discussion have a need to write Hmmm,@sindy is in the to...
by CZFan
Wed Dec 02, 2020 9:26 pm
Forum: General
Topic: more cpu core
Replies: 10
Views: 1858

Re: more cpu core

...
my esxi not free license dude
Dude is this way ---> https://wiki.mikrotik.com/wiki/Manual:The_Dude
by CZFan
Wed Dec 02, 2020 9:55 am
Forum: General
Topic: unable to configure GREv6 on latest stable ROS v6.47
Replies: 2
Views: 695

Re: unable to configure GREv6 on latest stable ROS v6.47

Your rule below allowing GE should be before the drop invalid rule, so you have 2 choices: add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=i...
by CZFan
Tue Dec 01, 2020 11:46 pm
Forum: General
Topic: Any way to have a private network inside a single SSID?
Replies: 2
Views: 711

Re: Any way to have a private network inside a single SSID?

Just thinking here, haven't touched hotspot since 2015, also tired at the moment, but maybe use hotspot with radius eap authentication, assign them in relevant vlans dynamically
by CZFan
Tue Dec 01, 2020 11:01 pm
Forum: Beginner Basics
Topic: Can not ping 8.8.8.8 from VLAN. no internet. New to Vlan's Help
Replies: 12
Views: 2245

Re: Can not ping 8.8.8.8 from VLAN. no internet. New to Vlan's Help

I really wanted to help here, but sorry, my pc's mouse scroll wheel seized while looking through this post :-)
by CZFan
Tue Dec 01, 2020 10:21 pm
Forum: General
Topic: Port scanner filling up connection tracking
Replies: 21
Views: 3313

Re: Port scanner filling up connection tracking

You run BGP and don't understand how stateful / stateless firewalls work? I second the suggestion to get a consultant (though not the one above that is also a useless blacklist). You're clearly in over your head here. Using PSD just opens you to further attack when someone decides to spoof the IP o...
by CZFan
Mon Nov 30, 2020 11:38 pm
Forum: Scripting
Topic: Super-Easy script to create dir
Replies: 11
Views: 5283

Re: Super-Easy script to create dir

Use winscp to create folder/sub folder?
by CZFan
Sun Nov 29, 2020 10:07 am
Forum: Announcements
Topic: v6.47.8 [stable] is released!
Replies: 54
Views: 31103

Re: v6.47.8 [stable] is released!

Bridge port hardware offloading remains disabled on hEX (RB750Gr3):
...
On hEX you need to disable STP on bridge for hardware offload, i.e. protocol-mode=none
by CZFan
Fri Nov 27, 2020 2:08 pm
Forum: Beginner Basics
Topic: PPTP Server won't work [SOLVED]
Replies: 21
Views: 6010

Re: PPTP Server won't work [SOLVED]

... Adding my configuration with L2TP /interface bridge add admin-mac=48:8F:5A:AA:4A:9C auto-mac=no comment=defconf name=bridge /interface wireless XXX /interface ethernet set [ find default-name=ether1 ] comment=WAN set [ find default-name=ether2 ] set [ find default-name=ether3 ] set [ find defau...
by CZFan
Fri Nov 27, 2020 8:45 am
Forum: Beginner Basics
Topic: PPTP Server won't work [SOLVED]
Replies: 21
Views: 6010

Re: PPTP Server won't work [SOLVED]

... 8 Connected - it passed the credentials authorization but it hangs on connecting and wont connect - any ideas what i am missing? Image 8 http://neradi.cz/upload/vpn/08.png I sometimes get the same symptoms (With L2TP/IPSec, don't use PPTP) and is a bug in Windows, to get around this, connect vi...
by CZFan
Thu Nov 26, 2020 10:05 am
Forum: Forwarding Protocols
Topic: MPLS neighbour addresses 'leaking'?
Replies: 4
Views: 1596

Re: MPLS neighbour addresses 'leaking'?

@mducharme: advertise-filters have been set, but still all addresses show up in the neighbor status page. Not a big issue, but I was just wondering whether this is normal behaviour or not.

You will have to disable / enable LDP interfaces or restart router for filters to take effect
by CZFan
Thu Nov 26, 2020 8:53 am
Forum: General
Topic: Shared VLAN Learning (SVL)
Replies: 14
Views: 3334

Re: Shared VLAN Learning (SVL)

Hmmm, not sure I follow.

SVL - Single forwarding database for all Vlans
IVL - Forwarding Database for each vlan.

Use IVL when you want same MAC address in each vlan, how does same subnet come into this?
by CZFan
Tue Nov 24, 2020 8:32 pm
Forum: Wireless Networking
Topic: RBLHGR - R11e-LTE6_V026 - Packet loss
Replies: 6
Views: 1430

Re: RBLHGR - R11e-LTE6_V026 - Packet loss

Wait, do you really check the "packet loss" using only 1 ping result ?? ... No, I did a normal "ping" to 8.8.8.8, had lots of timeouts, just had this screenshot available to post at the time. ... I hope you know the LAST HOP in traceroute is proper for packet loss, all prev can ...
by CZFan
Tue Nov 24, 2020 12:55 pm
Forum: RouterBOARD hardware
Topic: Torturing an old CCR1036
Replies: 2
Views: 1025

Re: Torturing an old CCR1036

You might get better performance with a K&N filter, I use it on my BMW :-P
by CZFan
Fri Nov 20, 2020 5:06 pm
Forum: Beginner Basics
Topic: Should LAN firewall be more specific? [SOLVED]
Replies: 4
Views: 1213

Re: Should LAN firewall be more specific? [SOLVED]

Firewall rules are very much a "personal" thing and are yours to configure as you feel fit for your environment. Typically, one trusts the hosts in your LAN as they are under your administrative control, so allow full access out and related back in, but the hosts on the Internet (Evil) not so ...
by CZFan
Fri Nov 20, 2020 3:14 pm
Forum: Wireless Networking
Topic: RBLHGR - R11e-LTE6_V026 - Packet loss
Replies: 6
Views: 1430

Re: RBLHGR - R11e-LTE6_V026 - Packet loss

Thank you @SiB, also for assisting Mikrotik with these issues.

Call has been logged, SUP-34275

If you need any more info from my side, please do not hesitate
by CZFan
Fri Nov 20, 2020 2:34 pm
Forum: General
Topic: Mangle rules for all download and upload speed
Replies: 6
Views: 5281

Re: Mangle rules for all download and upload speed

Is this correct? ... I don't have full view of the environment you are doing this, but think it will be safe to say: 1. Remove src/dst ranges, you have in interface and the current src/dst ranges is for all anyway 2. I will not use interface list, but rather interface itself, you might have multiple...
by CZFan
Fri Nov 20, 2020 2:06 pm
Forum: Wireless Networking
Topic: RBLHGR - R11e-LTE6_V026 - Packet loss
Replies: 6
Views: 1430

RBLHGR - R11e-LTE6_V026 - Packet loss

Hi, If anyone has upgraded their LTE devices to version R11e-LTE6_V026 from V20, please let me know if you are experiencing problems. I upgraded 2 x RBLHGR devices last night, both at same location but using different LTE service providers. These devices have been installed and configured about 3 months ...
by CZFan
Thu Nov 19, 2020 11:52 pm
Forum: General
Topic: Mangle rules for all download and upload speed
Replies: 6
Views: 5281

Re: Mangle rules for all download and upload speed

Suggest you mark connections first, then packets of these connections
by CZFan
Thu Nov 19, 2020 8:17 pm
Forum: General
Topic: Binding IP and MAC
Replies: 11
Views: 18736

Re: Binding IP and MAC

I have googled the Internet and got only instructions for old RouterOs versions. I have recently bought a MikroTik router. I have installed the basic options with Quick Set. Now I want to bind MAC addresses to static IPs, just as I had in previous two routers. I tried to WebFig/ARP/Add New. However...
by CZFan
Thu Nov 19, 2020 8:03 pm
Forum: Beginner Basics
Topic: Mikrotik, subnet, YouTube,Netflix App, SmartTv discovery
Replies: 10
Views: 2074

Re: Mikrotik, subnet, YouTube,Netflix App, SmartTv discovery

Wondering,
Why do you put devices on separate VLANS when afterwards you want to connect them together on L2 (use discovery protocols)???
...

Cause, like we say in the shooting world, "it is tacticool" :-)
by CZFan
Thu Nov 19, 2020 12:43 am
Forum: Beginner Basics
Topic: Unable to change IP in Quick set
Replies: 1
Views: 570

Re: Unable to change IP in Quick set

Don't use quickset is Menu IP-->Address
by CZFan
Wed Nov 18, 2020 11:08 pm
Forum: Beginner Basics
Topic: Dual PPOE WAN, strange connection mark misshandling [SOLVED]
Replies: 9
Views: 2199

Re: Dual PPOE WAN, strange connection mark misshandling [SOLVED]

-my previous config was correctly spreading traffic equally with preference of one gateway (route marked as DAC with Pref.Source visible) I don't think so with the distance you have had before. You marked traffic equally, but it all went out on PPPOE1. Only if it failed it went to PPPOE2. Have you ...
by CZFan
Sun Nov 15, 2020 10:27 am
Forum: Beginner Basics
Topic: Dual WAN - Stuck in process. Please help
Replies: 13
Views: 1621

Re: Dual WAN - Stuck in process. Please help

Thanks for the clarification, what about only one IP routing?

If you want to see all routes, including dynamic ones, OP can post results of /ip route print
by CZFan
Sun Nov 15, 2020 10:18 am
Forum: Beginner Basics
Topic: Yet another port forward issue
Replies: 15
Views: 1789

Re: Yet another port forward issue

/tool sniffer quick port=44866 IN TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS AD 6.705 1 <- 198.199.98.246:46736 178.220.198.49:44866 br 6.705 2 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11 198.199.98.246:46736 10.10.10.10:44866 et 6.705 3 -> D4:CA:6D:6A:91:51 BC:5F:F4:60:4D:11 198.199.98.24...
by CZFan
Sun Nov 15, 2020 12:57 am
Forum: Beginner Basics
Topic: RB4011 SFP Port as WAN
Replies: 10
Views: 3197

Re: RB4011 SFP Port as WAN

I am sure you will also expect that if you connect an Ethernet interface with a token ring interface it should work...
by CZFan
Sun Nov 15, 2020 12:54 am
Forum: Beginner Basics
Topic: Dual WAN - Stuck in process. Please help
Replies: 13
Views: 1621

Re: Dual WAN - Stuck in process. Please help

Please post configs in code brackets, I.e. , you will find them on the button menu.
Yes, you will only see the one as the other is dynamic, I.e. DHCP client
by CZFan
Sun Nov 15, 2020 12:49 am
Forum: Beginner Basics
Topic: Yet another port forward issue
Replies: 15
Views: 1789

Re: Yet another port forward issue

I probably don't understand what if there is no filter forward rules, shouldn't that mean that everything is "open"? Like if you don't set any filter input rules the router services are accessib yes, the default action in "accept" but you posted bits and pieces,so was not sure w...
by CZFan
Sun Nov 15, 2020 12:03 am
Forum: General
Topic: DHCP Relay over GRE
Replies: 2
Views: 636

Re: DHCP Relay over GRE

Using DHCP relay does not make sense to me, but have done it before between 2 Mikrotiks

Can you post config of both MT and Cisco, maybe we can figure something out
by CZFan
Sat Nov 14, 2020 9:01 pm
Forum: Beginner Basics
Topic: RB4011 SFP Port as WAN
Replies: 10
Views: 3197

Re: RB4011 SFP Port as WAN

You can't connect SFP+ to SFP, however you can put SFP module in SFP+ cage, then just disable auto negotiation and configure 1Gb/s both sides
by CZFan
Sat Nov 14, 2020 8:57 pm
Forum: Beginner Basics
Topic: Bandlimit I tried but it is not working
Replies: 9
Views: 1222

Re: Bandlimit I tried but it is not working

People I deactivate the fasttrack in IP Firewall and now it's working when I define IP TARGET... but it still is not working when I define ETHER2 (example) target. I want to put a bandwidth in a port, and not in a IP. Can you help me? please? Thanks! Hmmm. is ether2 possibly part of a bridge? If ...