MikroTik

tangram

try to disable keepalives

tangram

Just add your comments to user data. This is a snippet from cloudformation:

UserData:
Fn::Base64:
!Sub |
/system identity set name=gw1

tangram

I have a lot on 109s with 8ports, they don't come with rack ears.

This is for about half rack in the same enclosure - I assume shielding will not be an issue.

Can anyone confirm if these:
https://mikrotik.com/product/k_65
Would fit RB2011UiAS-2HnD-IN ?

tangram

Uhm..I was looking for a "cleaner" way than powered usb-hub with a bunch of serial to usb adapters - that's why i'm considering woobm. The alternative would be serial switch but costs would be too high. :lol: Would be nice to have a rack-mountable wireless device - like crs or a rb2011 cha...

tangram

Hi,

What's the behavior of the console port when woobm is plugged in ? Do you still have console connection over rj port ?
Since woobm can't follow the full boot cycle of the device, you'd use console port up to a point and then woobm ?

tangram

About questions from tangram : The QSFP+ interfaces are as follows: qsfpplus1-1 qsfpplus1-2 qsfpplus1-3 qsfpplus1-4 qsfpplus2-1 qsfpplus2-2 qsfpplus2-3 qsfpplus2-4 The ports can be configured as you wish, for example you could connect Q+BC0003-S+ to 4 different CCR's, and just bridge the 4 interfac...

tangram

Hi,

About the Q+BC0003-S+. It says you can connect this to 4 other devices. How do the interfaces look like on the CRS326-24S+2Q+RM
when you connect this to 4 other routers ? The 40G ports acts like a switch? How would you set this up ?

tangram

You set a script on ppp user's profile to assign the interface to the vrf when it comes up and remove it on down.

tangram

any idea how to do this when you have multiple isps to get address of all providers ? mine are set with different distance in routes and mangle input/output to specific routing tables. so all traffic goes out the main isp, but the router can be reached over all isps. i tried with src-address but i a...

tangram

How about this ?

:put ([/tool fetch url="https://api.ipify.org/" mode=http dst-path=ipcheck output=user as-value]->"data")

tangram

Side question, could I also dstnat traffic towards WAN instead srcnat every single network towards WAN ? We also have static public IP. You can do masq over the wan interface, so that you don't have to list every network behind it. You can't do dst-nat 'cause your changing the src not the dst :lol: ...

tangram

Buy/rent a public ip subnet depending on your needs and buy/rent an AS number - usually from a LIR: https://www.ripe.net/manage-ips-and-asns/resource-management/faq/independent-resources/phase-three/what-is-a-local-internet-registry-lir Something like this: https://apps.db.ripe.net/db-web-ui/#/query...

tangram

!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);

Holy Jumpin' Jesus !

tangram

No because you are not using public IPs. As long as you stick to RFC1918 you will need nat on your border.
Recommended would be to get some public IPs and set up peering with your providers on Mikrotik - which will handle routing - and keep nat on your firewall.

tangram

Hi,

Can you try with /29 instead of /30 ? And use /32 on the vrrp interface?

tangram

viewtopic.php?f=2&t=146794

tangram

Mikrotiks do not support VRRP owner, the virtual IP cannot be the same as the real IP, and are unlike other manufacturers implementations in that the mask on IPv4 VRRP interface should be /32. The /32 mask caught me out when I first set up VRRP, with /24 (matching the real IP mask) it worked most o...

tangram

use scripting on the ppp profile to update the lists. you can add on-up and on-down scripts.
dynamic interfaces can seem difficult to work with, on the server side, but once you set the right scripts everything works well

tangram

But how do I tell the router to give one computer/cable one pppoe connection and the other computer/cable the other pppoe connection ? It depends a lot on what you're trying to achieve. You could do load-balacing - but in your case I don't think it would help. I mean you're using the same provider,...

tangram

I had the same issue after update from 6.42.9 to 6.42.12.
Regenerating ssh fixed it. Thanks guys !

tangram

Hi, I'm really struggling to install RouterOS on OpenVZ and failing :lol: What I did was trying to adjust the script I used for other vps(e.g. DigitabOcean), downloading raw, convert, resize take ip and routes, writing to mounted image, etc. I've read on various topic about people that got this work...

tangram

https://forum.mikrotik.com/viewtopic.php?t=87786 https://forum.mikrotik.com/viewtopic.php?t=122469 Also since this is a widely used protocol: https://community.cisco.com/t5/switching/vrrp-with-multiple-vlans/td-p/2986626 In practice i used it like this and it worked as advertised :) You can test th...

tangram

Afaik VRRP works per interface - physical or virtual. So if you have 135 vlans and you want vrrp for the gateway in them, you'd have to set 135 vrrp instances, one for every vlan. Don't know how this plays if you have multiple ips per interface, never tried it. Now to the question, if you lose a rou...

tangram

I'd go for router redundancy. Configure both the same and use vrrp.

You'd need this on the wan side, which doubles the count of links or requires some switch there. Else you're back at moving cables by hand -> downtime.

tangram

Do you think i need to consider putting 1 redundant router in the middle doing : PCC/Failover, PCQ, DNS DHCP, Hotspot etc and will be the failover of the 2 others ? I'm not aware of any physical Mikrotik device that can stack, albeit something can be achieved with some scripting you still need to m...

tangram

Target : Deploy free wifi to everybody -> 2 Hotspot server radius (radiusdesk, coovachili) (hardware dell : r610) (2 hardware servers for redundancy) Hi, I'm not too familiar with this kind of event, but if you are providing free access why do you need radius/hs and so much hardware? Just for a lan...

tangram

Sold single, so you can purchase any number of them, depending on what you plan to build. Hi Normis, I've previously used the ones that work in pairs, but don't really understand how do these connect to each other. If you have 5 you'd be able to add 3 of them in a bridge and 2 in another or ... ? T...

tangram

using 2 mikrotiks, i'd bond the links together with balance-rr. if you want hardware redundancy you would need 4 routers, do a full mesh between them with vrrp on the switch side. If you need routing ospf would work great, else you can use spanning tree - if it's the same subnet in A and B. although...

tangram

Hi,

Check with you ISP or try to set the Huawei HG8245H in bridge mode. Will save you a lot of trouble.

tangram

Got me laughing so hard

Thanks !

tangram

I get it why you would think of this...Mikrotik's switches and routers fill only a small portion of what is considered usable rack space when it comes to size. As others have pointed out, I don't think this design would be feasible in a standard rack. You could build your own cabinets, but that woul...

tangram

Only if you have these devices under the same network map, where you can select auto-discovery for specific services.

tangram

you're missing nat/masquerade over the wan connection or for the ip pool that you assign to your clients.

also, on client, make sure "use default gateway" box is checked under ipv4 advanced.

tangram

whoever has a vertical screen resolution of 768 and below is faced with the No scroll issue. CLI is a work around, but it is still an issue in winbox

+1 - this is very annoying, please help.

tangram

not for wired users. for wireless you have 802.1q. See this https://wiki.mikrotik.com/wiki/802.1q_T ... s_P2P_Link

tangram

Why does the ? disappear when you paste in terminal ? /tool fetch "https://api.telegram.org/botblablabla/sendMessage?chat_id=-1111111111&text=thissatest" keep-result=no turns to /tool fetch "https://api.telegram.org/botblablabla/sendMessagechat_id=-1111111111&text=thissatest&q...

tangram

However, the computer (at different site) connecting using SmartVPN services, those are under 192.168.0.0/16.

Replace smartvpn with l2tp or something else and connect them to mikrotik ? or move smartvpn behind mikrotik ?

tangram

tangram

You just nat traffic over the link between mikrotik and cisco. That's what he currently does and obviously isn't happy about it. He's stated that he needs transparent routing between "legacy" and "new" parts of the network, and that doesn't work with the NAT in between the two. ...

tangram

If I understand correctly, cisco belongs to the ISP and you have no control over it. If so, why does it matter if you can't access 10.0.x.x or whatever you have behind mikrotik from cisco?
You just nat traffic over the link between mikrotik and cisco.

tangram

first you need to implement this:
https://mum.mikrotik.com/presentations/US12/tomas.pdf

when you get to the way the traffic is split, you choose the criteria that matches wot e.g. ports and source ip

tangram

Do you use latest winbox version?

Thank you, I was using 3.11. In 3.12 problem is fixed.

tangram

Hi,

I don't know if it's a winbox or routeros bug, but it's easy to reproduce. Connected with winbox, if you have a script open for editing and you delete that script from script list the session is dropped.
Oh and it generates autosupout

tangram

I currently use graylog to monitor logs(syslog and netflow) for a couple hundred mikrotik devices. If you tinker a little with it, it doesn't require that much resources but it's a lot more than a service on a router.Hardware needs depend a lot on the number of generated messages. There are lots of ...

tangram

don't aggregate the ports on the switch in any way. just configure them as regular switchports and assign them to the vlan that you want(same vlan for both of course).
there's no loop, try it

tangram

use bond interface with balance-rr and no configuration on the switch.
lacp never exceeds the traffic speed of the interface. you can't get over 1g no matter how many interfaces you bond, but you can get more times 1g at the same time for different hosts. it's just the way lacp works.

tangram

nope, because your failover router would also try to establish tunnel to your peer.
i guess you could use a script to have disable the whole ipsec config and enable it when the main router goes down.

tangram

You can't do this with site-to-site. It's doable with ppp or ovpn.
Else you need 2 tunnels, to each peer, which renders vrrp useless.

tangram

Easiest way that I can think of is just let it split the traffic :) 2 ;;; Load-Balancing here // Split 1/2 chain=prerouting action=mark-routing new-routing-mark=RDS_Route passthrough=yes src-address-list=LAN connection-mark=LAN_WAN per-connection-classifier=both-addresses:2/1 log=no log-prefix="...

tangram

also you can run "/system script print" to do a syntax debug.

tangram

Hi,

Try channel-group mode on on switch and balance-rr on mikrotik.

tangram

For a long time, Cisco switches have only supported PAgP or LACP, so whatever the above poster did with his Cisco 2960g it is not compatible with balance-rr. If you want to be compatible between a MikroTik and any "enterprise" level switch you have to use LACP on both ends. Otherwise, I b...

tangram

The network statement is required in order to activate an interface with RIP. It works like OSPF's network list, NOT like BGP's network list. In other words, interfaces whose IP addresses fall within a network=x.x.x.x/m range will become active in RIP. Just because you're seeing RIP packets in the ...

tangram

So why does it work when using ssh or winbox/terminal ?

tangram

Because it is the wrong way to do operations with items in scripts.
Proper way is to use find command to get internal IDs and work with those IDs.

What do you mean by internal ID ? Is 32 in the example above internal id ?
If so, then /ip firewall filter move X Y doesn't work either in a script.

tangram

After some VERY frustrating experiences with this task i stumbled upon this: https://gryzli.info/2015/01/18/mikrotik-managing-firewall-by-cli/ You MUST do /ip firewall filter print before actually moving the rule. Useless to say it's annoying when running batches with dsh or putty. So you rsc would ...

tangram

This still doesn't work. If you try to change position with move or place-before the script returns no such item or similar error.
Both commands work in winbox, ssh, etc. It's just a problem on running them from scripts.

tangram

Why do you need load-sharing on 2 RB1100 when one device could easily handle this setup? You can use the second in active/passive setup, with vrrp, and achieve what you need.
You can always bond interfaces, even if you get another uplink and want to move over 2Gb I think one 1100 can handle that.

tangram

Use bridge mode, find your public ip, change the ipsec peers and policies to match that.
You need a static public IP for ipsec.

tangram

do you use any kind of bond interfaces ?

tangram

I use 3 x wapAC/floor at an office building with around 150 devices/floor for a total of around 500 devices.
We have various brands of notebooks among android and ios phones.
No issues so far.

Mikrotik is not what you call consumer grade, don't assume similar level of knowledge will suffice.

tangram

The problem is balance-rr itself. If TCP packets are coming out of order, congestion control system will kick in by retransmiting segments.
If you have the cpu power 802.3ad would do a better job in your case.

tangram

Maybe you can use this to authenticate both user categories vs different matching policies.
I use this on windows domain with nps to match versus 2 groups. If policy for group A doesn't match then it checks for group B.

tangram

IIRC crossing vlans means cpu not switch-chip. Considering the cpu in the crs I don't think you'll be able too. If you had all 3 PCs in the same vlan that would've worked for sure.

tangram

Why would you think that the LTE modems are different than other interfaces? I do load balancing over 2 ethernet interfaces and a 3g modem. The only difference is the weight associated to distribution of traffic. Everything else works the same.

tangram

In firewall connection tracking there are some timeouts you can play with. Talking about udp stream, timeout is at 3 mins and generic timeout at 10 min. Try to lower the stream timeout to let them "expire" faster. Maybe you'll find a "sweet spot" that you're happy with so that ot...

tangram

If you restart the modem from telekom instead of the mikrotik does it work ?

tangram

drop input chain with dst port 53 protocol udp on outside interface.

and the generic approach drop input chain in outside interface not established.

tangram

on what chain did you configured the IMPLICIT_DENY firewall rule ?

tangram

I had this problem too. In my case I've just added more servers and one of them finally synchronized. I've noticed that the ones added with ip don't always work, but between all of them you can get one to sync. /system ntp client set enabled=yes primary-ntp=98.175.203.200 secondary-ntp=66.219.116.14...

tangram

Would it be possible to do it the other way around ? I mean use main for management and vrf for everything else ?

tangram

Hi,

just a thought, if i remember correctly you need at least one route in main routing table in order for the other routing tables to be active. Add something to populate the routing table, or try to connect using mac address.

tangram

Thank you, that would definitely work. I wish that a more 'elegant' approach would exist..like ->set-find-where-something-replace but whatever works

tangram

Hi guys, How do you edit a script from another script, without copy/paste the whole source ? For example, in the script below how could I change the value from +1 to +5 or whatever from another script? \n\t:if (\$PingFailCountISP2 < (\$FailTreshold+2)) do={\r\ \n\t\t:set PingFailCountISP2 (\$PingFai...

tangram

https://wiki.mikrotik.com/wiki/Failover_Scripting

I'm using this script with a scheduler running every 10s. It's very good

It's not cisco but with a little work you can get the job done.

tangram

I have syslog and netflow connected to graylog plus prtg with snmp. The problem is that i'm not getting the data I need. And if you take into account there are a few hundreds of devices, ssh-ing into them every minute or so doesn't look like the optimal approach. Of course you can have a file to log...

tangram

Hi, I need to get some information for wireless devices in range of a mikrotik. The output i need is this: /interface wireless snooper snoop wlan1-wifi Flags: A - active, N - access-point # FREQ ADDRESS SIG SNR OF-FREQ OF-TRAF BW SSID 0 AN A0:F3:C1:C6:0D:3D -67 28 2% 12.3% 18.6kbps Hotspot 1 AN 50:6...

tangram

After upgrade from 6.39.2 to 6.40.4 i get this in environment variables(in all of my routers): /system script environment print # NAME VALUE 0 lteDhcp 0 It doesn't seem to be harmful but could you shed some light over this ?

tangram

Hi,

post configuration from hotspot ( server, profiles, etc) and post from logs the address assignment process.

Check this post, maybe you have the same issue:
viewtopic.php?f=2&t=125642

tangram

Under OVPN server settings - change netmask to 32. Hi, I also had an email exchange with Emils about this issue and after looking more carefully, he's right. Before 6.40 the netmask setting there didn't work or at least not as it should. I left it at default (/24) always and it worked like a /32 ev...

tangram

TLS failure is usually certificate related. Make sure your cert on client has KT(import crt and key) and that cipher and encryption match.

tangram

Hi, I have a big problem updating from 6.39.2 to 6.40.3. I use ovpn to connect locations and after upgrade in don't see correct local/remote addresses and routes are not installed: Because of this dynamic routing fails and network breaks down. Addresses look like this: 6 D 10.91.21.254/24 10.91.21.0...

tangram

Hi, Setup is as follows: - 2 SSIDs, both open, both using hotspot - SSID1, local auth, generic user (admin/admin) for customers or whatever - hostpot profile - pool A, subnet A(192.168.168.0/25) - SSID2, radius auth - hostpot-secure profile - pool B, subnet B(192.168.168.128/25) So 2 SSIDs, 2 server...

tangram

what are your dns servers ? you use dhcp or static ?

tangram

As pukkita pointed out, that presentation is very good for your problem.

You need to isolate the traffic from lan to vpn and not pass it through your mangle rules.
Easiest way: mangle - prerouting src lan class - dst vpn class, set to accept.

tangram

Try 6.39.2 - on server and on a few cpe. See how it handles.
I only have experience with the cpe side and things have gotten a lot better with the latest releases.
Check changelogs for the improvements to ppp.

tangram

Hi, I haven't managed to do this remotely. When I have direct access to device I use the rsc way. Reset, clear the default config and import the rsc. The rsc uses a lot of set [ find where...] for replacing default values and you can edit it with site specific parameters. Works great and it's fast ...

tangram

Hi,

firmware version of this device please.

tangram

Hi, I haven't managed to do this remotely. When I have direct access to device I use the rsc way. Reset, clear the default config and import the rsc. The rsc uses a lot of set [ find where...] for replacing default values and you can edit it with site specific parameters. Works great and it's fast t...

tangram

I've found the issue: add action=mark-routing chain=output comment=A-ISP1-RT connection-mark=\ M-ISP1-ROS new-routing-mark=ISP1_Route passthrough=yes add action=mark-routing chain=output comment=A-ISP2-RT connection-mark=\ M-ISP2-ROS new-routing-mark=ISP2_Route passthrough=yes Connection mark should...

tangram

I've managed to replicate this issue. The way load balancing was configured in 6.37 doesn't work in 6.39.2. Using https://mum.mikrotik.com/presentations/US12/steve.pdf leads to the same issue. How can I fix this so both WANs are accessible. If I change the distance for default route of ISP1 from 1 t...

tangram

Hi, I upgraded from 6.37.3 to 6.39.2 and I have some problems. I'm load balancing 2 ISPs, before update I could ping both wan ips, after update only the primary works. If i disconnect ISP1 then ISP2 replies to ping. Connections from LAN->WAN balance over both ISPs and traceroute,ping work ok from LA...

tangram

Hi, I have a hub and spoke network, spokes connected with ovpn to hub and rip configured. Each spoke has 3 connected networks that are advertised to the hub. The problem is that there are hundreds of spokes and there's some flapping going on - either spokes that get disconnected or interfaces that g...

tangram

I've been using Mikrotik for just a year but I wouldn't choose Cisco, or other vendors for that matter, if I find the device I need in Mikrotik products. To be clear, if i need a 48port switch, poe switch, an ids or advanced firewall I wouldn't go Mikrotik just because they don't have these - btw Mi...

tangram

It's fixed now. I set the switch to static aggregation or whatever the hp equivalent term for cisco's etherchannel is. The bond interface works in balance-rr and there are no mac errors. Also I removed the bogus macs that I've previously set on mikrotik. To others, please be advised that bridge and ...

tangram

I'm doing some more testing meanwhile. CRS109-8G with cisco 2960g switch and 6.39.2 works with balance-rr and there are no errors. I'm setting the cisco with etherchannel though..i'll try more tinkering with the other switch( hp 2410-24g)

tangram

I saw after i posted and changed that one too, but still no joy. I'll send the supout, thanks.

tangram

I don't have the setup to test full throughput but i get beyond the speed of one link. I download from a storage with around 1.3 gb and the traffic is balanced over the 2 interfaces in balance-rr mode. LACP works too but your limited per data flow at interface speed. I get max around 850mb per file ...

tangram

Post a /interface print detail where !dynamic This is to double check there's no duplicated mac address. If there's no duplicated mac, I'd generate a supout while the problem is happening and email it to support. You were right, the bridge get's the bond interface's mac: 0 RS name="SFP-LANSwit...

tangram

Thank you for explaining this

tangram

hi, i still don't get the /32. Now i have 2 vrrps over the same interface configured on two routers. IPs are 1,10 for vrrp and 253,254 for the ethernet interfaces. 1 is held by one router and 10 by the other as master. Both work ok with addresses set as /24, I don't see abnormal cpu usage or traffic...

tangram

ROS version and firmware version? post an export so that all details can be taken into account. May not have anything to do with this, but FYI from 6.39.2 changelog: *) bonding - do not add bonding interface if "could not set MTU" error is received; ROS is 6.39.2 firmware is 3.35 I've nar...

tangram

Hi, I'm trying to have ethernet ports and a balance-rr bonding interface in the same bridge but it doesn't seem to work - i get a message that the bond interface is receiving same mac on different port. The device is a rb3011, I have the sfp and ether1 in the bonding interface connected to a smartsw...

tangram

You can also set in-interface to your wan interface if you have dynamic ip. There are a lot of options in configuring the firewall. Actually I DID have both the destination IP and In-Interface when I had the traffic coming into my static DSL internet connection. However as part of moving stuff over...

tangram

You can also set in-interface to your wan interface if you have dynamic ip. There are a lot of options in configuring the firewall.

tangram

Hi, You first make 3-way load balancing over the 3 interfaces and in your mangle, where you split the traffic from lan you do this: add chain=prerouting dst-address-type=!local in-interface=SALES-LAN per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=IS...

tangram

Hi, I used this tutorial but there are a lot more out there: https://aacable.wordpress.com/2011/11/29/howto-save-mikrotik-logs-to-remote-syslog-server/ You can use elastic search and other tools based on that: https://www.digitalocean.com/community/tutorials/how-to-centralize-logs-with-rsyslog-logst...

tangram

I only got it working with reversible encryption, sorry. But now i face another issue: i can't open a terminal. It requires login and if i input the radius credentials again it does not work. I can alter any other settings, except opening a terminal in winbox. Any ideas ?

tangram

Ok, i think i got it working. If you click the error, the compatibility check from windows appears and running with the recommended settings seems to do the job. So select windows xp service pack 2 mode

tangram

Hi, I get error during netinstall discovery phase. I'm guessing it's when the router makes the request. Error states: bind tftp general failed: Only one usage of each socket address (protocol/network address/port) is normally permitted - 10048. There's no service using tftp ports, I run the program ...

tangram

Hi,

Post the ppp secret and ppp profile parts of the config.

tangram

Hi,

Drop any dns requests using l7 list.

;;; Drop Blacklist - DNS
chain=forward action=drop layer7-protocol=blacklist protocol=udp dst-port=53

If they don't use ip instead of name you're covered.

tangram

You need routes for the main table. If you want load balancing or stuff like that, use magle. For starters do something like this: add distance=1 gateway=192.168.178.1 add distance=2 gateway=192.168.2.1 add distance=1 gateway=192.168.178.1 routing-mark=to_WAN-DSL add distance=1 gateway=192.168.2.1 ...

tangram

. I create a rule like IP_WAN_BOND:88->IP_LAN:80. This rule not working.
If I disable BOND interface that rule works without problem.

Try setting rule with interface like bond:88->ip_lan:80

tangram

You need routes for the main table. If you want load balancing or stuff like that, use magle. For starters do something like this: add distance=1 gateway=192.168.178.1 add distance=2 gateway=192.168.2.1 add distance=1 gateway=192.168.178.1 routing-mark=to_WAN-DSL add distance=1 gateway=192.168.2.1 r...

tangram

Hi, If you set route with interface as gateway it's normal that the source does arp for all destinations out that interface. Intefaces with dhcp-client act like this. So, as stated by others, there are a couple of ways to make things working: 1. your dhcp-server has proxy-arp so all those destinatio...

tangram

[ So you are connecting a 48v power supply to a router that requires 24v? Why are you expecting it to work when it's clearly not going to? You have been told 3 times already that the RB3011 requires a 24v power supply like the adapter that is included with it provides. You can buy a PoE adapter if ...

tangram

Try ping clients from mikrotik with source ip 192.168.0.10, check ip arp table and if possible post configuration.

tangram

Hi, what power injector is compatible with this router ? Anything 24v passive such as the MT gigabit one and UBNT ones. You mean this one: RBGPOE-CON-HP - MikroTik 48 to 24V Gigabit PoE Converter I'm asking because I have a 802.3af/at injector and it doesn't work. I tried crossover cable too - the ...

tangram

Hi, what power injector is compatible with this router ?

tangram

I don't use timed pushes, I do it manually. Sure you could can use cron or something to do that. This being said I have created a user with rsakey attached on each managed device and so i can log in without prompts. This tutorial was very useful: https://bl0gg.ruberg.no/2014/02/securely-managing-mul...

tangram

Shouldn't you have routes for 192.168.117.0/24 and 192.168.118.0/24 with gw 192.168.2.254 on client 1 and 2 ? There's something else i don't understand: 5 ADC 192.168.118.0/24 192.168.118.1 bridge1 0 and 0 192.168.118.1/24 192.168.118.0 ether2-master The ip isn't suppose to go on interface bridge1 i...

tangram

Have you checked the server? Maybe there's a route missing to your second site - 192.168.117.0/24.

Do traceroutes from both sites, compare and see last hop where it get's stuck.

tangram

As a principle of course you are right but my users don't have access to change the hosts file - i doubt they even know about it.
You adapt to your target audience, if you expect "resistance" buy a more advanced or specialized device

))

tangram

You guys are great, I got it working by filtering dns traffic and using the l7. Requests are blocked so you can't resolve sites not included in the regexp.

tangram

I will test this regarding the first packets. It's true I've set the filter on dst port 80/443 - i'll try to filter others protocol too and see how that goes. Tbh dns would work too because if you can't resolve you can't access by name

Thank you guys.

tangram

Winbox is much easier to use when you have only a couple of them because, to me, it's much faster and intuitive. When the device number rises ssh is the way to go because you can use tools like dsh to push command or run scripts on all devices in the same time. i usually test on 1-2 devices, make a ...

tangram

I've had issues importing a backup on the same hardware. For instance i had a lot of rb951 and on restore the wifi interface would be disabled and it's settings would get screwed up, among other things. That is because on source the interface would be wlan5 and on restore wlan2 or anything else. I f...

tangram

Can you post the routing table of both routers ?

tangram

Hi, I'm trying to set up access to a bunch of sites and deny all others. I've gone the layer7 route, created the list and it kinda works. What I mean by that is if in filter rules i set drop traffic things work, and no sites on that list are allowed. But if i check inverse match (!) nothing works - ...

tangram

I just tested on Windows 7 with the same setup and the session doesn't drop. Tested PPTP with w10 and this works.
I knew windows 10 is still buggy, but this...

Also tried with w10 1511 / 10586 still no luck.

tangram

Hello, I've set-up a L2TP server on RB1100AHx2, router OS 6.37.1. with radius authentication. Everything works fine except that my tunnel drops after a couple of minutes. I'm connecting from Win10 1607 build 14393.447. The logs from mkt show only terminating..hung-up. I tried changing the keepalive,...

Search found 132 matches