Why is MTU on your MikroTik set to 1380?? Shouldn't change it from defaults at either MT device. So the sole purpose of WireGuard is so that you can remote in to your VLANs and your router for config purposes...... No traffic goes out VPS for internet etc...?? ORDER within firewall is screwed up fixe...
What does your IP routes table show.......covering up enough of public IPs so not known...... Assuming in default routes in IP DHCP you have WAN1 at a lower distance than WAN2, so that from the get go most traffic will go to WAN1. Not convinced routing rules will not work. One needs to ensure the route...
You didn't answer my question, why do you have these three rules in the config?? What is the purpose of these three rules?? add action=accept chain=prerouting in-interface=ISP1 add action=accept chain=prerouting in-interface=ISP2 add action=accept chain=prerouting in-interface=ISP3 As stated add mark...
Your setup is way too complex for me to understand. In general, what you need to do is mangle connections via the PREROUTING chain, coming in each ISP, and then mark route to the appropriate IP route based on the OUTPUT chain. Something like add chain=prerouting action=mark-connection in-interface=bridge1...
Keep in mind you won't get aggregation, just more bandwidth to share amongst users and redundancy maybe if your ISPs are different. Don't like that video, his WAN2 is not working. Mangling for PCC is very easy if your WAN ISPs are fixed/static IPs (or PPPoE assigned IPs), otherwise you need complex ...
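The PCC mangling the two posts above describe (mark the connection in prerouting as it comes in, then mark-routing, with output-chain marks so the router's own replies leave by the WAN they arrived on), written out for two WANs with static ISP gateways. This is an added example and not config from the original posts; the interface names ether1/ether2, the LAN subnet 192.168.88.0/24, the gateways 203.0.113.1 and 198.51.100.1, and the table and mark names are assumptions.

```routeros
# Added example (not from the original posts): 2-WAN PCC on RouterOS v7 with static gateways.
# Assumed: ether1 = ISP1 (gateway 203.0.113.1), ether2 = ISP2 (gateway 198.51.100.1),
# interface list LAN holds the LAN-facing interfaces, LAN subnet 192.168.88.0/24.

/routing table
add name=to_wan1 fib
add name=to_wan2 fib

/ip firewall mangle
# Traffic from the LAN to the router itself or to local subnets must never get a route mark.
add chain=prerouting action=accept in-interface-list=LAN dst-address-type=local comment="LAN to router: no mark"
add chain=prerouting action=accept in-interface-list=LAN dst-address=192.168.88.0/24 comment="LAN to LAN: no mark"

# Connections that arrive on a WAN (hosted services, VPN handshakes) remember their WAN,
# so the reply leaves on the same interface instead of the main-table default.
add chain=prerouting action=mark-connection in-interface=ether1 connection-mark=no-mark \
    new-connection-mark=wan1_conn passthrough=yes comment="inbound on ISP1"
add chain=prerouting action=mark-connection in-interface=ether2 connection-mark=no-mark \
    new-connection-mark=wan2_conn passthrough=yes comment="inbound on ISP2"

# New LAN connections are split by the PCC hash. src-address keeps one host on one WAN
# (what the post author prefers for banking sites); both-addresses-and-ports spreads better.
add chain=prerouting action=mark-connection in-interface-list=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=src-address:2/0 \
    new-connection-mark=wan1_conn passthrough=yes comment="PCC bucket 0 -> ISP1"
add chain=prerouting action=mark-connection in-interface-list=LAN connection-mark=no-mark \
    dst-address-type=!local per-connection-classifier=src-address:2/1 \
    new-connection-mark=wan2_conn passthrough=yes comment="PCC bucket 1 -> ISP2"

# Connection mark -> routing mark: prerouting for forwarded LAN traffic, output for packets
# the router generates itself (replies to inbound connections). passthrough=no on all of them.
add chain=prerouting action=mark-routing in-interface-list=LAN connection-mark=wan1_conn \
    new-routing-mark=to_wan1 passthrough=no
add chain=prerouting action=mark-routing in-interface-list=LAN connection-mark=wan2_conn \
    new-routing-mark=to_wan2 passthrough=no
add chain=output action=mark-routing connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=no
add chain=output action=mark-routing connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=no

/ip route
# Per-table default routes used via the marks, plus main-table defaults so unmarked
# traffic and fallback still have somewhere to go.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-table=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-table=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=2 check-gateway=ping

/ip firewall nat
# One masquerade per WAN so each connection is NATed with the address of the WAN it exits.
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

The two accept rules at the top are the ones that stop the router's own services and inter-VLAN traffic from being pushed out a WAN table. With static gateways nothing else is needed; if either WAN is DHCP-assigned the gateway fields above have to be kept current by a script, which is a separate problem.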
Quite clearly it's designed as a switch! Expect routing WAN throughput between 100-200 Mbps, this is a fantastic choice with up to a 115.2K beebop dial-up modem. :-) The only reason a person would get this device for routing is if they stole it. :-)
No you cannot do this with MT equipment. In your case dual WAN gives your users overall access to more bandwidth to share, but one cannot combine the bandwidths in a single session. You also gain redundancy/backup in case one WAN fails, and Starlink won't hold up in a heavy downpour and probably not a ...
Okay so the request concerns incoming VPN clients to your VPN server, each client coming in a different WAN. That has nothing to do with PCC of the LAN outbound though. So to be able to start planning a config, the requirements must be fully understood. a. identify all user(s)/device(s) / groups of...
This AM I upgraded my CCR1009 from version 7.12.1 to version 7.13 and am now getting the following error when running a script: Download from https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv to RAM FAILED: Fetch failed with status 206 The same script was working fine under 7.12.1 and earli...
Do not understand. Are these L2TP VPN clients coming in on three different WANs? Are these three L2TP VPN clients supposed to share outbound to internet via three different WANs? Are the three different WANs all static fixed IPs? Are the three different WANs from the same provider? Is this the only LAN traf...
Yup, should work for you and if it doesn't then need to see config.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.).
Suggest ensuring you are not using old version 7 firmware, this was fixed by 7.11 something..............
If you are using 7.12 or 7.13 then it's a problem with your config.
Strange to ask here but okay. It's part of the new BTH design, or the give-a-client-a-setup design (export).
Just make sure it's not part of the real config come play time, as the regular allowed IPs is what is critical.
Makes no sense to me?? a. you have a perfectly legitimate source NAT rule that covers all LAN to WAN traffic. add action=masquerade chain=srcnat comment="defconf: masquerade" \ out-interface-list=WAN b. the WireGuard is part of the LAN interface list add interface=wireguard1 list=LAN c. Yo...
Remove WireGuard from the WAN list, it makes little sense; LAN is fine and makes sense!! Persistent keepalive on the router (server for handshake) is NOT required and should be removed. Where are your firewall rules and routes??? Partial config is useless for assistance. You need keepalive ...
If the wireguard is setup properly, including allowed IPs to or from remote IP subnets, then the showstopper typically are
a. routes to remote subnets via wireguard interface
b. firewall routes allowing traffic from to wireguard with src and dst addresses
True dat, got mixed up with another thread......... Yes, there is no need for different interfaces. All the peers connecting to the same server can and normally are all on the same subnet at the server device: peer1 10.10.10.2/32, peer2 10.10.10.3/32, etc.... At the peer devices, their settings typical...
Assuming Site A is the WireGuard server for handshake, then putting keepalive on any peers is a waste of time, so drop the keepalive on site A. Also at site A, the peer setting for peer B should be 192.168.32.2/32. To be clear, site A also needs an IP route /ip route add dst-address=10.10.0.0/24 gate...
I asked you a question and you didn't answer it; also you ignored my warning about having two peers on the router with 0.0.0.0/0 for allowed IPs.
Plus you fail to have keepalive at either end.
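The site-to-site pieces the posts above keep coming back to (peer allowed-address covering the remote subnet, a route to the remote subnet via the WireGuard interface, firewall rules with explicit src/dst, keepalive only on the side that initiates the handshake) laid out for both ends. This is an added example, not config from the original posts. Assumed: site A has public IP 203.0.113.10 and LAN 192.168.88.0/24, the tunnel is 192.168.32.0/24 with site A at .1 and site B at .2 (as in the post), site B's LAN is 10.10.0.0/24, and the public keys are placeholders for the values each side prints with /interface wireguard print.

```routeros
# Added example (not from the original posts): site-to-site WireGuard, site A answers the handshake.
# Assumed: site A public IP 203.0.113.10, site A LAN 192.168.88.0/24, tunnel 192.168.32.0/24,
# site B LAN 10.10.0.0/24, public keys replaced by the real ones from each side.

# ---------- Site A (server for the handshake, no keepalive here) ----------
/interface wireguard
add name=wireguard1 listen-port=13231 mtu=1420
/ip address
add address=192.168.32.1/24 interface=wireguard1
/interface wireguard peers
# allowed-address is also WireGuard's cryptokey routing check: it must cover the peer's tunnel
# address AND its LAN, otherwise packets from 10.10.0.0/24 are silently dropped as "not this peer".
add interface=wireguard1 public-key="<site-B-public-key>" \
    allowed-address=192.168.32.2/32,10.10.0.0/24 comment="site B"
/ip route
add dst-address=10.10.0.0/24 gateway=wireguard1 comment="site B LAN via tunnel"
/interface list member
add interface=wireguard1 list=LAN
/ip firewall filter
# handshake from the internet to the router; place above the input drop rules
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="WireGuard handshake"
# tunnel traffic in both directions, limited to the two LANs; place above the forward drop rules
add chain=forward action=accept in-interface=wireguard1 src-address=10.10.0.0/24 \
    dst-address=192.168.88.0/24 comment="site B LAN -> site A LAN"
add chain=forward action=accept out-interface=wireguard1 src-address=192.168.88.0/24 \
    dst-address=10.10.0.0/24 comment="site A LAN -> site B LAN"

# ---------- Site B (client for the handshake, keepalive set here) ----------
/interface wireguard
add name=wireguard1 listen-port=13231 mtu=1420
/ip address
add address=192.168.32.2/24 interface=wireguard1
/interface wireguard peers
add interface=wireguard1 public-key="<site-A-public-key>" endpoint-address=203.0.113.10 \
    endpoint-port=13231 allowed-address=192.168.32.1/32,192.168.88.0/24 \
    persistent-keepalive=25s comment="site A"
/ip route
add dst-address=192.168.88.0/24 gateway=wireguard1 comment="site A LAN via tunnel"
/interface list member
add interface=wireguard1 list=LAN
/ip firewall filter
add chain=forward action=accept in-interface=wireguard1 src-address=192.168.88.0/24 \
    dst-address=10.10.0.0/24 comment="site A LAN -> site B LAN"
add chain=forward action=accept out-interface=wireguard1 src-address=10.10.0.0/24 \
    dst-address=192.168.88.0/24 comment="site B LAN -> site A LAN"
```

When this does not pass traffic, check in this order: handshake (last-handshake on the peer advances), allowed-address on both sides (a missing remote subnet fails silently with no log line), routes, then firewall counters on the two forward rules.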
Holvoe is bang on, the best thing is to identify a complete set of requirements before tackling the config. - any external traffic coming TO the router ( wireguard vpn?) - any external traffic coming TO the LAN ( servers ). - WAN1 and WAN2, which is primary overall and which is secondary. - Will the...
None, the config looks correct. Double check the public IP from OPNsense, on the peer setting in the router, is correct and the public IP from the MT, on the peer setting in OPNsense, is correct.
Well some things need a little gagging, don't you think ;-) Specifically, and get your mind out of the gutter, I am referring to things like: "where is that damn set static lease setting anyway", or the infamous, "where the heck is that damned static DNS setting", that's on every co...
@unlikely, two points regarding external traffic reaching the Router. 1. The first case is external traffic to the Router such as VPN handshake. There are two options to handle that a. if there is no mangling on the device and one wants to avoid the mangling then simply use routing rules ( predicate...
Private Address "hopping" is required when one wants to do nested recursive routing. It is not essential but can be more efficient in certain cases.
There is nothing wrong with sticking to standard "Flat" recursive routing
Not there to see what you are doing, just pointing out that connecting to the router and then going out a ROUTER point-to-point tunnel to the WG servers is NOT the same as an iPhone going out cellular direct to the WireGuard server on a separate tunnel. The only way your iPhone would go to WireGuard if on ...
1. You have a strange input rule setup for DNS, I would still add in-interface-list=LAN-list and scrap your RFC address list approach.
It's only DNS requests from the LAN that need to be allowed.
Other than that I cannot find where the issue may be.......
Observations. 1. Mangle rules All good up to and including the pCC connection marks. a. allow prerouting traffic from LAN to router CHECK b. allow prerouting traffic between LAN local subnets not required CHECK c. Jump chain rule for no-marks traffic d. mark routes to ensure external traffic hits se...
I'm a bit confused, how is it that you have fixed IP addresses but have both an IP address entry for WANIP and also an IP DHCP client entered for WANs 2-5??
The config will work if your gateway IP addresses are fixed and DO NOT CHANGE.
Sorry, but the only way you should test your phone via WireGuard is via cellular and not through your MT router.
Based on what I see, the problem is your phone and the mikrotik router are interfering with each other.
They cannot have the same WireGuard IP and should have proper keys set in both.
Okay, one should label their pictures so one knows what one is looking at...but a. the first one is an iPhone or phone connection to the OPNsense WG server. WHY does your phone connection have the same IP as the MT router? If this is your phone, then you have a conflict right there, each will have di...
If 13231 is the default WG port number then yes, change it to something else, 15689, and perhaps that will help. The rest is config issues, not WG related I don't think.
Hi! I have made a site-to-site between 2 routers on different WAN locations. Both have public IPs. The traffic is being seen on the firewall rule from office 1, but no traffic from office 2? Weird. I use 0.0.0.0/0 for "allowed IP" from both sites, but I can't ping or get connections to devices ...
There is no such thing as vlan1 for data when it comes to useful setups on the MT product line. IF you have a trunk port from the main router to the MT router, then it's a trunk port carrying all DATA VLANs. Which VLAN is the trusted or management VLAN where the MT gets its IP address? This is the onl...
Okay looking at the diagram you have 1. An ISP providing you with a private IP address 10.10.1.2, so you do not have a public IP address? Can the ISP router forward the WireGuard port to your router?? 2. You have no firewall rules. WHY?? 3. You have three pools listed and this doesn't match the VLANs ...
Looking at that last diagram was that from your PHONE?? The GUI picture????
Reason is there is an address that doesn't fit on it, which is........ 192.168.77.2/24
Which device is that?
To be clear ITS NOT EVEN THE WIREGUARD ADDRESS schema ??????????
So your phone connects with no issues to the OPNsense WireGuard server. Where is this server located (cloud)? The MT router is unable to successfully link to the OPNsense WireGuard server, that is the problem. 1. MT router has WireGuard IP address --> add address=10.10.140.63/24 interface=wireguard-client netwo...
In many cases it's the rules that are inefficient; for example, just make a firewall address list of all those individual addresses and then it's one forward chain rule.
For any load balancing of your dynamic ISP connections you will need scripts to ensure the correct gateway is used in IP routes ( unless they are pppoe client connections).
I don't have a clue what you are doing with bridge filters and trying to use one flat network but split into different WLANs. I would be able to understand using different VLANs for each WLAN. That being said, the only comments I would make: A. the WireGuard rule for masquerade is good but there is NO ...
No one believes opinion, evidence is provided by the config:
/export file=anynameyouwish ( minus router serial number, any public WANIP information etc...)
Apparently you can use the pppoe interface name in your routes and that will pick up changes in gateway IP, and thus a script is only needed for the IP DHCP client.
Hi Normis, 1. As an admin or helper admin, I can go to the local site and quickly set up a VPN connection which I can use later when remote. 2. What about the opposite: I want to send my brother the ability to connect to my MT WireGuard router a. from his device directly (no MT router), be it Windows...
Much thanks Normis, it's slowly getting clearer. Basically the process is a. at home or office router set up BTH. b. then any user can connect to this VPN c. if the BTH is using a public IP, no relay service is used d. if the BTH is used behind a CGNAT or non-port-forwarding-capable ISP, then relay se...
Way ahead of me gotsprings. I am thinking of using a CHR cloud router and connecting a ground site to it via multiple ISPs, then using L2TP plain over transparent WireGuard to connect the ground site to the CHR (L2TP allows MRRU adjustment for packet fragmentation), THEN using OSPF and BFD to monito...
(1) This rule is no longer required in the input chain.......... add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN (2) You made the same error in the forward chain, you DIDN'T get rid of the old rule that we replaced. Get rid of it!! add ac...
Why dont you pull the crystall ball out of your ass then and provide the config on the MT router please.
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
Why would you want to bridge all ports............... That is not a requirement its an attempt, maybe legit, or maybe wrong, to design a config for some reason. We care about the reason because the WHOLE CONFIG is often integrated and thus having the complete picture helps point towards development ...
1. If it's a fixed IP you can use either routing rules or mangling. 2. What version of RoS are you using?? MANGLE for v6 as you have done...... /ip firewall mangle add chain=prerouting dst-address=example.com action=mark-routing new-routing-mark=example_route /ip route add dst-address=0.0.0.0/0 ga...
Dear Sir Holvoe, I have written many times of MT's unwritten agenda to move all users to newer ARM products, it's called the 'obsolescence - death by 1000 cuts product strategy'. Just so I can get this straight, the difference then between BTH and normal WireGuard, and the power/allure of BTH, is that M...
Yes, setup a VPN network on the fortigate and seek advice on a fortigate forum. Once you have all the information and setup complete on the other router. Modify the configs on the MT routers with the correct parameters. https://help.mikrotik.com/docs/display/ROS/IPsec Search on Youtube, seem to be m...
(1) It makes zero sense to send a hybrid port to a managed switch. Get off the drugs! All vlans should be tagged to the managed switch on the trunk port. /interface bridge port add bridge=vlan-bridge comment=defconf interface=ether2 ingress-filtering=yes frame-types=admit-only-vlan-tagged add bridge...
I really think asking about adding stuff to a bridge is the WRONG WAY to think. Instead a. identify all user(s)/device(s) / groups of users/devices including the admin b. identify all the traffic the above users/devices require to accomplish. Draw a network diagram of the plan, detailing where the m...
Okay got it, The MAIN ROUTER acts as the server for handshakes on TWO separate wireguard networks. It connects to two other routers acting as clients which initiate the handshake. Once connected the wireguard network is established between routers, users from all devices behind the routers, should b...
Clearly there is a problem on the config, but I cannot quite put my finger on it. Try anything. Try nothing, maybe like magic it will fix itself. House owner to plumber: I turned on the knob and no water is coming out. Please tell me how to fix it. Plumber: Did you pay your water bill? :-) Plumber: ...
Very confusing, why do you have this flow:
internet ---> MT ROUTER ---> Draytek modem ---> network
It should be
internet ---> Draytek modem ---> L009 ---> network
This statement is problematic........... The WIREGUARD_IT01 = VPN from the customer to us, via site to site. There should be server and client on both sides. Should I assume you mean that the customers are clients connecting to your WireGuard server? The other site cannot be a client and server for ...
Yup, it makes me cringe when I see people deviate from the defaults and don't know what they are doing. (1) Why on God's earth would you allow port 80 to the router from the internet side? I would guess that using ether1 probably won't work as traffic is actually via the interface name in PPPoE. (2) Th...
Mangles for 4 WAN PCC - 12 additional tables, 12 PCC mangles, 24 routes. The concept being that each table is getting 1/12 of the traffic and each WAN has 3 tables associated with it. So each WAN is getting 1/4 of the traffic, which makes sense as we have four WANs in PCC. Thus when let's say WAN2 fai...
8. Your sourcenat rule does not define an out interface and Its not clear to me why you are delineating any source addresses??? /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" \ src-address-list="All IP" Why not: add action=masquerade chain=srcna...
1. add the surfshark interface to the WAN list, not the LAN list. There is no incoming traffic to your LAN and thus not appropriate. However, all the users going surfshark from your LAN need to be sourcenatted to the single surfshark IP address you have been given ( per connection, aka separate priv...
If afraid of getting kicked by vlan-filtering=yes........ you have a valid concern; what I do is take an unused port and stick an IP address on it and do all my initial configuring from there safely. https://forum.mikrotik.com/viewtopic.php?t=181718 As to the other points.... 4. Incorrect, the switc...
Interrupt away LOL. To the OP: it's not a matter of deciding how to config it, it's you getting clarity on the requirements. a. Identify all the user(s)/device(s) and groups of users/devices including the admin b. Identify all the traffic the above users and devices need to execute. With that clarity a...
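One bridge with vlan-filtering, a tagged-only trunk to the managed switch as the earlier post insists on, and the "unused port with its own IP address" escape hatch from the post above configured before filtering is switched on. This is an added example, not config from the original posts. Assumed: ether5 is spare and stays out of the bridge, ether2 is the trunk, ether3 is an office access port, VLAN 20 office, VLAN 30 guest, VLAN 99 management; all addresses and names are assumptions, and the LAN and WAN interface lists are the default ones.

```routeros
# Added example (not from the original posts): single VLAN bridge with an out-of-bridge
# emergency port. Assumed: ether5 spare, ether2 trunk, ether3 access, VLANs 20/30/99.

# 1. Safety net first: a port NOT in the bridge with its own address. If step 4 locks you out
#    of the VLAN interfaces, plug a laptop with 192.168.200.2/24 into ether5.
/ip address
add address=192.168.200.1/24 interface=ether5 comment="emergency access, not bridged"

# 2. Bridge with filtering still OFF while the VLAN table is built.
/interface bridge
add name=vlan-bridge vlan-filtering=no
/interface bridge port
# Trunk: tagged frames only. A hybrid/untagged trunk to a managed switch is how VLANs leak.
add bridge=vlan-bridge interface=ether2 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes comment="trunk to managed switch"
# Access port: untagged frames only, tagged on ingress with pvid 20.
add bridge=vlan-bridge interface=ether3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes comment="office access port"
/interface bridge vlan
# The bridge itself is tagged on every VLAN so the router's own VLAN interfaces get the traffic.
add bridge=vlan-bridge tagged=vlan-bridge,ether2 untagged=ether3 vlan-ids=20
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=30
add bridge=vlan-bridge tagged=vlan-bridge,ether2 vlan-ids=99

# 3. L3 interfaces, one per VLAN; the router is managed from VLAN 99 (or ether5) only.
/interface vlan
add interface=vlan-bridge name=vlan20-office vlan-id=20
add interface=vlan-bridge name=vlan30-guest vlan-id=30
add interface=vlan-bridge name=vlan99-mgmt vlan-id=99
/ip address
add address=192.168.20.1/24 interface=vlan20-office
add address=192.168.30.1/24 interface=vlan30-guest
add address=192.168.99.1/24 interface=vlan99-mgmt
/interface list
add name=MGMT comment="interfaces allowed to reach router services"
/interface list member
add interface=vlan20-office list=LAN
add interface=vlan30-guest list=LAN
add interface=vlan99-mgmt list=LAN
add interface=vlan99-mgmt list=MGMT
add interface=ether5 list=MGMT

# 4. Only now, connected via ether5 or inside Safe Mode, turn filtering on.
/interface bridge
set vlan-bridge vlan-filtering=yes
```

Do step 4 last and from the emergency port: once vlan-filtering is on, an untagged management connection on a bridge port no longer reaches the router unless a pvid and a bridge vlan entry exist for it. The MGMT list is there so input-chain rules can say in-interface-list=MGMT instead of trusting every VLAN.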
Zach, you are indeed correct for 2/3 models of 2004, unfortunately I grabbed the one to compare which has a CPU frequency of 1.2 GHz ( Amazon Annapurna Labs Alpine v2 CPU with 4x 64-bit ARMv8-A Cortex-A57 cores. While this CPU is running at 1.2 GHz, the router can be 3x as fast than the previous gen...
(1) Turn on vlan-filtering=yes (2) WHY DO YOU HAVE A mgm-vlan bridge??? GET RID OF THIS, it's not needed. (3) WHAT THE HECK is the comment here add name=dhcp_pool2 ranges=" ISP provided wan IP" What does an internal LAN or VLAN pool have to do with the WAN side????????????? Why are t...
Okay so basically WAN1 not included in PCC. WANS 2-5 PCC. Does each WAN (in 2 thru 5 ) have basically the same throughput? Are the WANS 2-5 from the same provider? The reason I ask is that if there is an issue with a provider it is likely that all internet from that provider will not be available. O...
I don't care about the config first, I care about the requirements. What is your intent with the WANs.................. Do you want users to be able to share all the available WANs? Do you want some subnets to use only some WANs? If you don't know what your plan is, I am not going to waste time helping a mo...
There is something wrong with your MT peer settings. /interface wireguard peers add allowed-address=192.168.100.0/24,192.168.146.0/24 client-address=\ 192.168.100.2/32 client-dns=1.1.1.1 interface=wireguard1 public-key=\ "-------------------------------------------=" As far as I know there...
Why do you ask this question in a forum that is designed to point out useful information for folks. " USEFUL USER ARTICLE" Try beginner or general. Did you search hotspot in the search window? Did you search hotspot in youtube "Mikrotik hotspot" Did you check out MT documents? ht...
Note that if you want to allow any traffic from vlanX to vlanY it would go here on the above config ************************************** For example: /ip firewall address-list ( using static DHCP leases!! ) add address=user1-IP-address =PERMITTED comment="user1 to vlan301" add address=us...
Do not understand?? You have two vlans, WTF is this.......... add address=10.201.1.1/24 interface=ProductionNetwork network=10.201.1.0 add address=10.201.2.1/24 interface=vlan2-TheMiddle network=10.201.2.0 add address=10.201.131.0/24 interface=vlan301-AJPT_QLAN network=10.201.131.0 You have no DHCP ...
Thus it should look like this and can be shortened too. /interface bridge vlan add bridge=bridge1 tagged=bridge1,ProductionNetwork vlan-ids=2,301 You have an empty list member entry and should remove it... /interface list member add interface=ProductionNetwork list=WAN add list=LAN add interface=vla...
Two things. 1. Forget config speak if you want to talk requirements. a. identify all user(s)/device(s) and groups of users and devices, including the admin. b. identify all traffic they are supposed to have... Provide your config so far /export file=anynameyouwish (minus router serial number, public...
Why do you have a LANPOOL?? Why are you using bridge filters?? This bridge port makes no sense, you set it up as an access port with pvid ( or even a hybrid port ) and yet limit traffic to vlans.................. illogical!! /interface bridge port add bridge=bridge frame-types= admit-only-vlan-tagge...
There are many threads for failover did you do a search on the forums. Since both your ISPs provide dynamic WANIP addresses you will need to add distance in your client settings....... The IP DHCP client one defaults to a distance of 1, so if that is your primary then leave it ( looked under the Adv...
Confusing post. Do you have two MikroTik routers you are trying to connect, one with a public IP and one without? OR do you have two WAN connections and neither one seems to work to set up WireGuard? Please also confirm you are using your MT as a WireGuard server for the initial handshake and all the ...
Your post is confusing. Are you trying to RDP from a remote location into your desktop? If so, stop right there, RDP is not a secure protocol, use WireGuard instead. If I am wrong and it's RDP within the LAN network of the MT, as noted by others, nothing is blocking that. Your mangle rules are suspect...
1. You have two sets of recursive going on, aka check google and if google is possibly not available, then check cloudflare. You should differentiate the two by distance like so.... add comment="TAG: eth1_wan1 ROUTE GOOGLE" distance=1 dst-address=0.0.0.0/0 gateway=8.8.4.4 scope=10 target-s...
Sent you necessary changes. As noted all IP routes should have actual Gateway IPs.
Prerouting marking rules for WAN1,2,3 only required if hosting servers, the output chain rules are for ensuring traffic to router comes out the right WAN.
All mark routing rules should have passthrough=no
You need a script that takes the newly assigned gateway in IP DHCP client and puts it physically in your routing rules. An easy way is to put a comment in each applicable route, could be comment=FIXME, easy to use with the find command. ;-) Not sure if this is a good script but one that I just saw......... htt...
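The comment=FIXME approach from the post above, as an added example that is not the script the post links to: the DHCP client on the secondary WAN adds no route of its own, and its script rewrites every route carrying the marker comment whenever a lease is bound, so those routes can keep check-gateway and a routing-table, which the client's own dynamic route cannot. Assumed: ether1 is the primary DHCP WAN (distance 1 via the client itself, as the failover post above suggests), ether2 is the secondary DHCP WAN, the routing table to_wan2 already exists, and 192.0.2.1 is only a placeholder gateway until the first lease.

```routeros
# Added example (not from the original post): keep hand-written routes in step with a DHCP WAN.
# Assumed: ether1 = primary DHCP WAN, ether2 = secondary DHCP WAN, table to_wan2 exists.

/ip dhcp-client
# Primary: let the client add its default route, at distance 1.
add interface=ether1 add-default-route=yes default-route-distance=1 comment="ISP1 primary"

/ip route
# Secondary routes we own ourselves. The placeholder gateway is unreachable, so with
# check-gateway=ping they stay inactive until the script below fills in the real one.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=2 check-gateway=ping comment="FIXME-WAN2"
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-table=to_wan2 check-gateway=ping comment="FIXME-WAN2"

/ip dhcp-client
# add-default-route=no: the client must not add a competing dynamic default route.
# $bound is 1 on lease acquire/renew, 0 on release; $"gateway-address" is the offered gateway.
add interface=ether2 add-default-route=no use-peer-dns=no comment="ISP2 secondary" script={
    :if ($bound = 1) do={
        :local gw $"gateway-address"
        :foreach r in=[/ip route find comment="FIXME-WAN2"] do={
            /ip route set $r gateway=$gw
        }
        :log info ("ISP2 lease bound, FIXME-WAN2 routes now via " . $gw)
    }
}
```

For a PPPoE WAN none of this is needed: gateway=pppoe-out1 is valid in a static route and follows the session, as the earlier post says. Masquerade by out-interface rather than src-nat to a fixed address, otherwise the NAT rule needs the same treatment when the WAN address changes.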
Concur, the Wireguard specs for Routers would be great, I was just comparing the 5009 to 2004 to 2116 vs TPLINK ER8411, and they do parse out wireguard on their specs.
I don't like how they tout 1518 bytes standard vice the more real 512 bytes....... but WG is stated as 1400 Mbps.
Nope, you want the throughput, ......... any other router of the same ilk will cost far more. Trying to find an alternative, the best TP-Link ER8411 is on par with the 5009 (matches 1518 byte throughput, approx 9k Mbps throughput) but it does have a much higher VPN throughput but at easily double the price...
No idea what it looks like on FortiGate but on the MT it would be simple. /ip route add dst-address=wireguardsubnet gateway=LANIPofMikrotik. So let's say WG 10.10.10.0/24 and LAN IP of MT is 192.168.5.5 /ip route add dst-address=10.10.10.0/24 gateway=192.168.5.5 Be advised that on the FortiGate you n...
If the FortiGate blows up, then your WireGuard connection (via wan1 or wan2) is gone, so I guess your plan is not good. If you want to WireGuard regardless, then you have two options. a. put in a static route on the FortiGate pointing to the LAN IP of the MT (on FortiGate subnet - also the WAN IP of ...
I would buy a cheap managed switch from TP-Link for the TV, the CSS610 10 gig switch for the office.
For WiFi, if the AX3 is not adequate then get a couple of cAP ax.
1x AX3
2x cAP ax (if needed)
1x cheap TP-Link switch for TV room and
1x CSS610 for office
I suggest a proper router, the L1009 won't even handle a full 1 gig fiber network, aka no future growth. Please confirm you can run Cat6 or fiber between all rooms? Not sure what you meant by one UTP cable............. Also if there is coax between all rooms you can get 2.5 Gbps through them with adapt...
Perhaps it's something I don't understand about multiple WANIPs via the same gateway, or perhaps the OP really means a netmap is needed from the IP to the subnet............ in any case, source NAT does not grab or do anything in terms of routing. It states, when the traffic is routed (by some other ...
The source address you noted has no bearing on routing, it has bearing for what is sourcenatted out that WAN, it does not move traffic :-) Let me rephrase........ based on OPs comments: (Goal is to have all external-bound traffic from vlan23 (10.10.23.0/24) to be sourced with public IP 76.xxx.xxx.10...
Post your config to show what you have setup so far......
/export file=anynameyouwish (minus router serial number, public WANIP information, keys etc.)
Firewall raw rules have nothing to do with policy routing.
You cannot direct traffic for applications using the mikrotik router
You can direct users, subnets, vlans etc
You can elect to share all wans or some with some users etc......
If you looked at the config provided its a very simple addition....... focus on the user rules......... {forward chain} (default rules to keep) add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defc...
Hi Kev, The sourcenat rule makes sense The ip route makes sense, BUT how do you ensure the specific vlan traffic goes out that route OR CONVERSELY how do you ensure all other vlan traffic does NOT go out that route. Suggesting a routing rule............ /routing table add fib name=useISPX /routing r...
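The routing-rule answer to the post above (how does one VLAN, and only that VLAN, take a specific exit), combined with the earlier Surfshark post's points that a commercial VPN tunnel belongs in the WAN list and its users must be source-NATed to the tunnel address. This is an added example and not config from the original posts. Assumed: vlan23 is 10.10.23.0/24, the exit is a WireGuard interface named wireguard-vpn whose provider peer accepts allowed-address=0.0.0.0/0, the tunnel address 10.14.0.2/16 and endpoint vpn.example.net are placeholders for what the provider issues, and the default masquerade on out-interface-list=WAN exists.

```routeros
# Added example (not from the original posts): route one VLAN out a VPN exit, nothing else.
# Assumed: vlan23 = 10.10.23.0/24, exit = WireGuard interface "wireguard-vpn" to a commercial
# VPN provider, tunnel address 10.14.0.2/16 and endpoint vpn.example.net as issued by them.

/interface wireguard
add name=wireguard-vpn mtu=1420
/ip address
add address=10.14.0.2/16 interface=wireguard-vpn
/interface wireguard peers
# Full-tunnel peer: the only peer on this router with 0.0.0.0/0, otherwise they conflict.
add interface=wireguard-vpn public-key="<provider-public-key>" endpoint-address=vpn.example.net \
    endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s comment="VPN provider"
/interface list member
# The tunnel is an exit to the internet: WAN list, not LAN. Nothing comes in through it.
add interface=wireguard-vpn list=WAN

/routing table
add name=via_vpn fib
/ip route
# Default route that exists only in via_vpn. The main table is untouched, so every other
# VLAN keeps the normal ISP default; the tunnel's own handshake packets also use main.
add dst-address=0.0.0.0/0 gateway=wireguard-vpn routing-table=via_vpn

/routing rule
# Only vlan23 sources match. lookup-only-in-table (not lookup) means that when the tunnel is
# down there is no fallback to main: vlan23 goes dark instead of leaking out the plain ISP.
add src-address=10.10.23.0/24 action=lookup-only-in-table table=via_vpn comment="vlan23 -> VPN only"

/ip firewall nat
# vlan23 connections leaving the tunnel get the tunnel address. If the default
# masquerade out-interface-list=WAN is present this is already covered by it.
add chain=srcnat out-interface=wireguard-vpn action=masquerade comment="vlan23 via VPN"
```

If the requirement is the reverse (vlan23 may use the VPN but should fall back to the ISP when it is down), use action=lookup instead; that is a policy decision about leakage, not a syntax detail. The mangle route from the v6 post (mark-routing in prerouting with passthrough=no) reaches the same place when the selector is something a routing rule cannot match, such as a destination address list.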
Yeah use vlan filtering for the subnets, one bridge............
The bizarro approach to address, DHCP server pool, if not for a specific needed reason, is cutesy crap for nothing.
RICH, please dont waste valuable mikrotik resources on an interim, dead before it goes out the door, 6E standard. TP link and other are rolling out Wi-Fi 7 already and even zyxel is heavily discounting (dumping its new 6E stock). Normis, do not pass go, do not collect $200, go straight to jail if yo...
Also the requirement should be expressed in terms of user traffic required.
Mangling and routing rules are simply tools to use, for a purpose, and that purpose has not been communicated........
PM me the exact config, sure..........
For all ip routes its best to use the correct gateway vice etherX........... ( exception that comes to mind is wireguard )
If nothing else to demonstrate that the routes are meant for static IPs/gateways, whereas one would need scripts for dynamic ones.
Also it would appear you have some duplicates.......... /ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=100.80.90.70 pref-src="" routing-table=main scope=30 \ suppress-hw-offload=no target-scope=10 add check-gateway=ping disabled=no distance=2 dst-addr...
This is your basic default firewall ruleset with a focus on only identifying needed traffic and dropping everything else. /ip firewall-address list { using static dhcp leases mostly } add address=admin-IP1 list=Authorized comment="admin local desktop" add address=admin-IP2 list=Authorized ...
Well what I recommend between two routers is setting up WIREGUARD between the two, and if the server goes down due to WAN1 failing, the client will regenerate the connection on WAN2 as I described. As the backup simply connect an easy MT to MT SSTP backup direct to WAN2. Thus you always have a seco...
Hi Broderick, this already happens!! If you have a WireGuard server on your router and WAN1 is the primary, and it goes down, the router switches to WAN2; the clients connecting to your WG server will lose connectivity and will try to reconnect, and when the WANIP for the router becomes the second ISP...
What you can do is actually research a product before buying it. Too late now, but on the product page have a look at TEST RESULTS. The throughput one should expect to get with some basic filter rules is somewhere between 300-600 Mbps. For 1 gig throughput your best bets are. a. hAP ax3 --> just over ...
Well if they are static Ips, then that would be easier to deal with, you should confirm with your ISP that they are static!
Confirm you are paying for two separate 1 gig connections? and on each one you can get 1 gig at the same time......
If your server does not have secure login (encrypted) then you shouldn't be using those servers. Assuming they are secure logins, consider a. src-address-list on your dst-nat rules (everyone is coming from a public IP address, static or dynamic, either directly or from their upstream ISP modem/route...
What are you talking about? The original OP stated he was getting the same IP gateway from two ISPs starlink and something else, aka gateway=192.168.1.1 What does that have to do with you having two 1gig connections? Are you saying you are using two ISP supplied modem routers in front of you and eac...
Word of advice, assign to an empty port an IP address and work safely from that port to do all your config initially and then later acts as an emergency access, besides lot of use of SAFE MODE!! viewtopic.php?t=181718
You really need to explain your wireguard setup . ITS STILL WRONG!!! Where is the server for VPN01 for handshake? if not this router then this router is the client for handshake? Where is the server for MGNT for handshake? if not this router then this router is the client for handshake? Server Devi...
If it's disabled on the config, I delete it when looking at it....... KISS. I delete all CAPsMAN config entries for easier viewing, now the config is looking smaller LOL. No problem for queues, I worked around that so you can use fasttrack for everything else......... You forgot to add additional VLANs...
Which subnets or list of individual devices should be getting NTP services from the router??? Where are the remote subnets coming from in this rule................?? add action=accept chain=forward comment=Accept_Remote_to_Company \ dst-address-list=COMPANY src-address-list=REMOTE Reminder........ a...
This rule makes no sense to me...... add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \ in-interface-list=!WAN protocol=udp src-address-list=FIREWAL Where the only entry for firewall address list is the following add address=127.0.0.1 list=FIREWALL Another rule...
Have you considered NOT using the starlink router and connect CGNAT direct to your router?
Your gateway in this case will be 100.64.0.1 ............ or something like that.
I will have a look. I am actually hoping that you are understanding the config better and learning as you go and gaining confidence in your own skills! Observations: 1. You have many vlans identified but not fully configured, assumed this was future plans and removed them from the config for the mom...
Actually the RB4011 has two chips on it, so it kinda makes sense to split it into two bridges, but if my memory recalls only one of them will have Offload so in the end one bridge is best.
In plain english, the setup for wifi on the device hosting capsman is different or separate from the wifi settings within capsman for the external devices.???
Generally anything is possible but its best to detail all the requirements PRIOR to setting up a config. I would stick to source for PCC because of the banking requirements etc....... I would also contemplate using the # of WANS you need to distribute traffic and then perhaps a couple of dedicated W...
Again, I don't understand the purpose. Showing someone combined WAN output is a useless exercise. Firstly, unless you have a bonded setup with the SAME ISP you cannot ADD the throughput of ISP connections and do a speed test that shows the addition of all of them. What you do have is a larger total ban...
Concur, ideally the landlord isn't using the same LAN for all his devices, but it seems to be the case. Probably one flat LAN.
Is the landlord's router actually the ISP's modem/router or is it his own separate router? If so does it get a public IP?
According to other experts here just stick to the defaults as much as possible....... and that its easy.
I beg to differ but check out some newer videos by MT for wifi, they will be helpful.
First of all, the router is NOT yours it belongs to the ISP so respect their wishes. However since their device is acting as an ISP/ROUTER and you get a private IP, it is very normal to ask: a. if they can forward ports on the router for you OR b. they can describe the steps you can take to forward ...
RSC is not meant for exporting/importing.
The only function that does that is BACKUP and RESTORE and that is for the same device.
You can use an export to guide you manually configuring the new device,
and if you know what you are doing you can import chunks of config via the TERMINAL CLI window.
Your explanation is off. If you mean to say that your MT router is the server and the remote clients can connect and reach local router services that would make more sense. Further if the computers that the remote users have cannot reach their local resources that is an issue with the devices they a...
Personally I don't ping other users for a living, it is of zero value to me. Can users access the devices they need to access on the LAN and conduct work? Or are they blocked? It doesn't matter what port they are connected to if all ports are part of the same bridge. All to say is so far I do not see ...
@normis--> suggest video how to use vlans with capsman.......... Basically the presenter should take this article viewtopic.php?t=143620
and 'bend it' as required for capsman.
The article is meant for vlans primarily and is not intended for vlans under capsman.
I agree it's sorely needed but that is best left to an article describing capsman setup and suggest you go bug holvoetn to make such an article
Firewall rule guidelines 1. Single Subnets --> use dst-address or src-address 2. More than one subnet (whole subnets) --> use interface lists 3. If you have any list that includes a bunch of users (less than a subnet) or from different subnets (with or without whole subnets) then use firewall addres...
This is an unusual rule, did you invent it yourself, or watch youtube from hell channel?? At least it's disabled. At the moment I see no reason why users cannot see each other being all on the same subnet and visible at L2. If there are no issues between wired users but issues between wired and wired ...
1) If some users speed test will they receive the combined speed test result. If not can we make it so that they are able to achieve that result (this is just a requirement and I understand that LB is not for this) Do not understand the question? Conducting a speed test is not a valid user requirem...
(1) By the way, using ether1, ether2, ether3 WORKS in your config as all your WANIPs are static. My example should reflect the IPs only, so as to not lead others astray. No need to change your config in that regard but I will change my example provided above. :-) (2) Also I may confuse people by usi...
Would concur, wireguard does not scale (pun intended) like an enterprise VPN.
However, tailscale which depends however on a third party, may have some tools/functionality to support such a requirement.
Yes absolutely recommend wireguard for both connecting to Proton and to host your own wireguard so you can remote into the router to config it or for LAN services or to use its internet or to be forwarded out Proton's internet.
Because they are not necessary and are bloatware............ Instead stick to the defaults........... The defaults are safe for a single user and a single WAN and LAN subnet with no complexities. Once you go beyond that, it's 99.999 percent of the time needed to start mucking about in the rules. The ...
VLANS approach is best described here ---> https://forum.mikrotik.com/viewtopic.php?t=143620 We do one bridge approach here. OpenVPN has varied success on MT gear. Recommend you replace your Proton connection to Wireguard. If your MT gets a public IP, or if you are behind an ISP modem/router and ca...
Now for the ROUTES. CAUTION: In your actual implementation use GATEWAY IPS, the use of ether1,2 etc.. is for expediency only. We have the ones we created for the non-pcc mangles as shown above...... /ip route add dst-address=0.0.0.0/0 gateway=100.100.100.90 table=useWAN1 add dst-address=0.0.0.0/0 gat...
Third Step let's do the PCC MANGLES. ( 6 mark connections and 6 route markings aka tables ) (using src-address ONLY not both) /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local \ in-interface=LAN-bridge new-connection-mark=WANA-B passthroug...