MikroTik

anav

(1) Where is bridge vlan-filtering=yes ?? /interface bridge add name=BRIDGE priority=0x7000 (2) Allowed IPs is not quite right, fixed....... add allowed-address=\ 10.10.9 .0/24 ,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24 \ comment=PeerStS_DIM disabled=yes endpoint-address=vpn.test.com \ endp...

anav

Id rather not Crokinole my way into the OPs head................. and will let the OP provided the actual information.

anav

Philosophy. The default rules come set for a simple user on the bridge via ether2 and wan setup to work on ether1. The traffic is safely protected but it allows all traffic and drops some key things for general safety. When we want to do more, add vlans and other things its much easier, as the confi...

anav

Sounds very doable. Basically server router - input chain rule for port both routers. define interface add ip address add peers, wireguard Ip and remote subnets ( see article for difference between client peer setting and server peer setttings ) add forward chain rules needed for traffic flow add ip...

anav

Before thinking about configurating, its best to understand the requirements and PLAN!!! identify users/devices, groups of users/devices, including admin identify what traffic they need. Do the devices have single WAN or dual WAN? Is there any port forwarding involved on the two devices? What two de...

anav

Since the need for VPN is not clear. Which users are coming to the OFFICE and for what purposes?? Why do you hide a private IP address, assuming the upstream router handles the WAN connection and your WAN input is basically a LAN address on the subnet of the ISP router? The other thing funky about t...

anav

Wireguard has generally better performance and easier to setup. Do you control both ends of the tunnel? ( what is at both ends?) Does at least one end have a publicaly reachable IP address ( not cgnat or natted behind another router )?? If natted behind lets say an ISP modem router, can you forward ...

anav

Firewall Rules Server Router; /ip firewall address-list { static dhcp leases or wireguard ip } add address=172.16.24.XX list= Authorized comment="admin local desktop" add address=172.16.24.AA list=Authorized comment="admin local laptop" add address=172.16.24.BB list=Authorized c...

anav

Client Router (1) It would appear you are trying to use srcnat masquerade to route traffic. This is the wrong approach. /ip firewall nat add action=masquerade chain=srcnat dst-address=172.16.24.0/24 out-interface=\ wireguard-oam src-address=192.168.13.0/24 All you need is....... add action=masquera...

anav

Any reason you chose L2TP vice wireguard??

anav

Need facts/evidence.
So latest configs of the routers please.

anav

Well, good to know, defining the requirements clearly is best done before applying a config. a. you have two WANs. b. there is no failover c. the LAN should use WAN1 only if wan1 goes down, no LAN traffic goes to WAN2 if wan2 goes down, no LAN traffic goes to WAN1 Wan 2 is a static fixed WANIP You h...

anav

You got me Holvoe, apologies to the OP. I know squat about L2TP so will bow out.

anav

Is this whining or asking for help?
Provide a network diagram and full config

/export file=anynameyouwish ( minus router serial# and any public WANIP information, keys etc...)

anav

have been fighting a starlink DNS issue. I know this sounds strange and I am hoping someone will point out why it is behaving this way. Sounds like your asking for help to me......but okay, maybe your not. What a switch has to do with router issues is a bit strange to interject and you have no clari...

anav

Just to clarify, my article uses untracked.........
viewtopic.php?t=180838

If you want me to look at your config, I will rip out anything that is not on those pages,,,,,,,,,
Not required, what I refer to as BLOAT.

anav

Hmm not really, you can setup PCC balancing to favour one over the other but thats hard wired into the config. The only thing I can say off the top is to make a vlan for WIFI in the house and basically route all the traffic from that wifi through the desired WAN. That way folks have a quick and dirt...

anav

The improvements to many functions and the ability to do wireguard are huge reasons to move ahead.
If this is a home no worries, 7.12.1 is decent enough.

anav

Find that hard to believe, wireguard was not possible on vers6
edit: I didnt consider wG on another device, mia culpa!!

anav

The friend is not exactly wrong,,,,,, just a tad misleading. EVERY SWITCH PORT when it comes Default has vlan1 assigned to the port. WE LEAVE THAT vlan1 alone. It works in the background and can basically be ignored. We dont change any vlan1 settings anywhere. EXCEPT.......... when we make a port an...

anav

SERVER Comments 1. This indicates an issue....... /interface list member add comment=defconf interface= *C list=LAN I suspect its because you have not identified any LAN list interface members and yet you have a list?? 2. This is wrong. .......... IF you have IP DHCP Client you should not have a se...

anav

Seems illogical to me.
What is the purpose of buying a MIKROTIK router of that power and using it as a switch??
What am I missing???

anav

Wait you are still on vers 6?? My configs are predicated on vers 7

anav

Do you have any port forwarding?
Do you have any VPNs........
Hoelve needs to learn to find all the requirements before planning a config ;-P

anav

Hi KAT,
There is no vlan1 in your config, in fact it looks like properly all the MT devices got an IP on the trusted 192.168.0.0/24 subnet. ( AKA VLAN100 )
Thus confused by the evidence in the configs contradicted by the diagram and your words??

anav

(1) Which Router is the one you are referring to in the diagram?????? I am assuming the 5009!! (2) What is with vlan1 between all the MT devices, I dont see that in the router config you have??? Assuming you meant on the diagram to put vlan100 which contains the 192.168.0.0/24 (3) So you have four V...

anav

ROUTER COMMENTS ( WOW, nice setup ) (1) Not sure what you mean by this line.............. add address=10.0.20.0/24 comment="the different DNS server is used to make th\ e router use the WireGuard VPN connection for DNS queries" dns-server=\ 208.67.222.222,208.67.220.220 gateway=10.0.20.1 F...

anav

Good day, The requirements are pretty good. Who needs access to the windows server, vlan10 and vlan20 Who needs access to vlan10, vlan20 does Who gets internet from wireguard, vlan20 does. +++++++++++++++++++++++++++++++++++++++++++++++++ Its the additional requirements that get a bit murky. a. vlan...

anav

Post your config here seeing as the OPs has solved his case and thus no interference.

/export file=anynameyouwish ( minus router serial number, public WANIP information, keys, long dhcp lease lists, any ipv6 info if not using ipv6 )

anav

1. Allowed IPs on the mikrotik side have nothing to do with routing. 2. Allowed IPs are a matching flltering function for leaving traffic and a filtering function for arriving traffic. 3. An automatic route is created for wireguard IPs by the wireguard router due to ccreating the interface IP addres...

anav

Concur, one bridge and three vlans is all that is required here. Unless the fortigate cannot handle vlans? What is the purpose of the fortigate in this setup? Edge Router with some subscription services?? interface list=building one vlans 11,12,13,14 Interface list=building two vlans 21,22,23,24 int...

anav

You came here looking for reasons to 'convince' the wife to spend money. Just wanted to help the cause by better understanding the scenario because what you initially presented was a very weak case. :-) Anything is possible between two MT routers. Use the concept provided in post #2. Trunk port betw...

anav

Concur network diagram gives us context!

In addition need to see complete config again. ( not just snippet of firewall rules )

anav

What is PPC................ In terms of requirements. a. identify all the user(s)/devices, groups of users and devices ( including admin and external users) b. identify all the traffic they require do accomplish. What is the purpose of the two WANS. Use a primary and have a secondary as backup? USE ...

anav

Firewall ideas -->viewtopic.php?t=180838
Vlan ideas -->viewtopic.php?t=143620

anav

Good you have surmized there is no problem with your config, thus no help required.

anav

@lostgone --> Start your own thread please.

@felipe Post your latest config

anav

(1) You dont understand firewall rules. Why make allow port 53 rules, but then later drop everything not coming from the LAN. In other words the port 53 rules are allowed by the rule above and thus not necessary in your setup. However, its not at all what I suggested. (2) These ones also are unnecce...

anav

firewall rules fixed Main issue is these rules which have been axed...... add action=drop chain=input comment="defconf: drop all coming from ha_ct" \ in-interface=pppoe_ha-ct add action=drop chain=input comment="defconf: drop all coming from ha_cu" \ in-interface=pppoe_ha-cu add ...

anav

Change the approach of at least the forward chain, to DROP ALL. In this regard all connections between different subnets are blocked unless explicitly stated in the firewall rules. {forward chain} add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=e...

anav

Same here. By using classic mangle rules such as: /ip firewall mangle add action=mark-connection chain=input connection-state=new in-interface=ether2-pppoe new-connection-mark="From WAN Telecom2" passthrough=yes add action=mark-routing chain=output connection-mark="From WAN Telecom2&...

anav

The above handles all the rules required.
Give that a shot and we will see how much progress is made!

anav

(1) Order of firewall rules fixed. (2) Its dumb to allow an entire subnet to configure the router and besides, 8291 is not a tcp protocol its udp! Created a firewall address list called authorized........ to solve.... (3) Got rid of unnecessary firewall address lists. (4) Removed logging on drop all...

anav

(1) Wrong order. ..... think through the logic. Will traffic from VPN subnet ever reach another local subnet with the order you have???? /routing rule add action=lookup-only-in-table disabled=no src-address=10.10.20.0/24 table=\ Proton_UK_WG add action=lookup-only-in-table disabled=no src-address=10...

anav

You didnt read that article very closely, where the EFF does it show the bridge doing any DHPC....... ALL VLANS So take your bridge subnet and assign it to a vlan. Then you need to actually turn on bridge vlan filtering=yes......... None of your bridge ports are assigned properly for access ports or...

anav

Then there is something else on your config that is blocking.
Please post FULL config

/export file=anynameyouwish ( minus router serial #, public WANIP information, keys, long dhcp lease lists, IPV6 anything if not using it)

anav

So assuming the SERVER is not third party, then the problem is also at the other end at the server end!! SeRVER CONSIDERATIONS : a. do you have 192.168.88.0/24 as allowed IPs at the server wg peer settings for router b?? b. do you have 192.168.100.2/32 as allowed IPs at the server wg peer settings f...

anav

What is the remote wireguard server - mikrotik or something else?? Concur lets fix that sourcenat mess..... (drop the crap rule) /ip firewall nat add action=src-nat chain=srcnat dst-address=192.168.100.0/24 dst-limit=\ 1,5,dst-address/1m40s limit=1,5:packet psd=21,3s,3,1 src-address=\ 192.168.88.0/2...

anav

(1) This default rule is now replaced and should be removed. add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new disabled=yes in-interface-list=WAN add action=accept chain=forward comment=Internet in-interfac...

anav

Need table /routing-table add name=useWAN2 Need route /ip route normal route ISP1 distance=2 check-gateway=ping table=main normal route ISP2 distance=4 table=main add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=useWAN2 [/b] Need routing rules................. But be careful as a routing rule fo...

anav

Try these mangle rules. add chain=prerouting action=mark-connection connection-mark=no-mark \ in-interface=WAN2 new-connection-mark=incomingISP2 passthough=yes add chain=output action=mark-routing connection-mark=incomingISP2 \ new-routing-mark=useWAN2 passthough=no Dont forget the table. /routing t...

anav

Allowed peer should be 192.168.100.0/24, not 192.168.100.1/24

anav

The wirguard config is predicated upon the peer for a client to be the specific IP address as noted, which differentiates from the multiple peers possible.

The peer on the client or often remote device, should be the subnet and if a router then most definitely the subnet.

anav

Busy today but will look at i this weekend.

anav

How many machines?? You can use Routing rules for entire subnets - very easy, no mangles. You can use Routing rules for a few users - very easy, no mangles. Basically it comes down to you will need a routing rule per user so it depends how many rules you would like to make. add src-address=userX-IP ...

anav

Busy today, but if you post your latest config I will spend more time on it this weekend.

anav

One bridge..............
viewtopic.php?t=143620

anav

Too busy today to look at it, but I would scrap any mangle rules you have for wireguard.
What is required is mangle rules ensuring traffic coming in wanx, goes out wanx.

anav

I have a great idea, why dont you ask the people making vidoes for help........... The onus is ON YOU, to read the mikrotik docs and read as many threads as possible to learn. There are some decent videos out there by a few people the rest will lead you astray. Network Berg is good Network Trip is g...

anav

duplicate

anav

viewtopic.php?t=200602

anav

Try harder, and read more....... the answer are available......

anav

Sorry you still have not explained how you are using DNS to 'force' users through one WAN or the other.
What DNS records?

Forcing users out a specific WAN is accomplished via routing of some sort.

anav

?? Do you have a multitude of servers feeding many users........ Not sure what the need is for 10gigs? As for poe...... injectors are cheap....... https://www.amazon.ca/PoE-Injector/s?k=PoE+Injector Your not making a real case to keep the 5009 thus far......... , maybe you want to show the wife this...

anav

Sell the RB5009, there is no need to keep it when you get the chateau 5G AX. To me its pointless to keep both. Give the RB to family or donate to some organization, it would be wasted otherwise. There is nothing to be gained by keeping it. The same rules can be used on the Chateau as its the same RO...

anav

Sorry its you that doesnt understand, didnt ask for your configuration BS. . All I asked for is how to set the gateway for a vlan if there is more than just one wan-interface. I asked to explain what users and devices you had and what traffic requirements they had. The network diagram shows what equ...

anav

Dont understand what you are trying to accomplish. 1. The RB5009 is a better router in terms of routing it can actually handle a 2.5 gig ISP connection with firewall rules implemented. The latest chateau 5G AX cannot ( good for 1gig fiber ). 2. There is no need for the chateau to do routing if you h...

anav

The point being, a. you have associated the address pool with the bridge-lan via the dhcp-server. b. you associated the Ip address with two different etherports, that are also members of the bridge but NOT the bridge. and yet dont see the problem, means you either dont understand networking, or mikr...

anav

No word of a lie, but I was out running on friggin mountain in Spain recently when my bowels told me I was in a dire very dire short fused situation. I went off the beaten path to ensure isolation, just in case, and was just in time. What a relief,,,,,, However, I could have really used a BIG LEAF, ...

anav

Here is the scoop, makes two of us who dont get it, the diagram was a good start,
however you need to
a. identify all the user(s)/device(s) and groups of users/devices
b. what traffic they should be able to accomplish.

Do not use any config speak just actual users device and traffic required.

anav

(1) Why would I bother commenting the config linked is missing the wireguard information, I dont work on snippets. Besides lacking in firewall rules AND ROUTES. (2) Where is the sourcenat rule for outgoing information going out ether3.................. (3) Why is ether2 sourcnat have the associated ...

anav

Depends on the firewall rules........
How did you ensure the wireguard could reach the device and config it???

anav

Okay....... (1) Point 4, big risk learn Wireguard!! (2) Point 5, good for port forwarding to work properly from the LAN side, the new rules will work the default you had would not. (2) I don't understand your point about DNS in terms of deciding server routing can you elaborate/explain as I see noth...

anav

Another perspective........... Dont mess with the bridge, keep it at defaults and dont use it for any data traffic. KISS!! Managment vlan would be typically identified also as a member of the management INTERFACE LIST and used for neighbours discovery and mac-server winmac-server setting. All smart ...

anav

ON MT Server Router (1) You only have one wireguard peer not three as per the diagram. (2) The peer setting on the server do not require keep alive, that is something for the client end. (3) I do not see any subnets for the LAN under IP addresses?? (4) The IP address for the WG interface is not the ...

anav

/ip route add check-gateway=ping distance=11 dst-address=0.0.0.0/0 gateway=ether1 routing-table=main add check-gateway=ping distance=12 dst-address=0.0.0.0/0 gateway=ether2 routing-table=main add dst-address=0.0.0.0/0 gateway=ether2 routing-table=to_ether2 From this setup. all user originated traffi...

anav

Observations: (1) First problem is your interface lists, there is no reason to have two separate WAN LISTS. Should be just WAN and just LAN. Anything else only leads to confusion. The reason to create interface lists is when grouping of subnets makes sense for rules, OR you need to indicate a specif...

anav

Sorry still dont understand the config, (1) Why does the bridge not have an IP address assigned to it?? Why does ether 12 instead have an IP address?? Why not use something standard anyway like 10.0.0 .1 /24 Why does ether11 have some bizarro subnet assigned......?? /ip address add address= 10.0.0.7...

anav

I came from zyxel myself, and yes its more ProSumer, whereas MT is more IT based programming. For example zyxel has always had a loop back button. I never knew what it did or why it was there, but on MT you have to accomplish the same thing by understanding source nat and destination nat more comple...

anav

What needs to be clear are who/what are at each end of the wireguard connections.
What is server for handshake what is peer for handshake.
A network diagram would help.

anav

Wrong approach ldb..... What the OP needs to do is state the requirement of traffic flow based on a. identifying user(s)/device(s) and groups of users/devices including the admin b. identify the traffic flows they should have/be able to accomplish. Without any word of the config...... A network diag...

anav

https://www.wireguard.com/papers/wireguard.pdf

anav

I also dont think you have a clue about port forwarding with a rule like this..... Created a youtube/google monster.......... ( very disorganized rule order as well ) add action=accept chain=forward dst-address=10.0.0.144 dst-port=80,443 \ protocol=tcp When the rest of the config is cleaned up I wou...

anav

Dont name your bridge LAN, its very confusing to the reader and probably to the router. Name it something else like bridge-lan I have no idea what you are doing with this so called lan subnet, is it supposed to be attached to the bridge, ether12, ether11. You are very confused......... /ip dhcp-serv...

anav

The MT router will only provide one subnet to the APs. That subnet can be used for the main HOMELAN wifi and the two guest WLANS will be made by the APs. To make use of the Roaming capability of wifiwave2, you will need these APs --> https://mikrotik.com/product/cap_ax They are NOT mesh. Each needs ...

anav

Please post a real config in the standard format. That was a horrible abomination to look at.

/export file=anynameyouwish (minus router serial number and any public WANIP information, keys etc....)

anav

Nope! The MT has not wifi controls over non-MT wifi appliances. It can firewall, queue, etc like any other vlan.

anav

The reason for the suggestion of /29 mask was due to the following sentence (requirements driven). Quote: " I used wireguard for some time on my old RB2011 for connection to another Mikrotik router as well as for mobile connection [/b]. It worked very good. Now, with the CCR1009 I have some iss...

anav

Yes, give it a go, for all the suggestions, otherwise why ask for help?? As for the last point, hogwash. The MT device only creates routes automatically for local interfaces. Hence why in the route list you will see <dac> routes for local subnets and even the wireguard interface. Since the router is...

anav

viewtopic.php?t=180838

anav

Perhaps they block certain ports? WG can use any port you choose.

anav

What?, You didnt test for deserialize, like thats on page 1 of the Fetch Manual. :-)
Lest not forget at least the 10 references to that subject , in "Dummies Guide to Testing Scripts"

You guys kill me with real networking skills! We are not worthy.

anav

People can agree to disagree.
I don't agree

I agree with you completely

anav

Why ?
The discussion on itself remains civil.
People can agree to disagree.

There is no discussion, its someone concerned about pushing an ideology and not using their own brain.
We have enough of that crap in the world today. ( similar to rextended's comment on social media ).

anav

How do you identify VOIP traffic, source address? --> is it contained with a subnet, if so routing rules, --> is it contained within a few IPs, if so routing rules Destination address --> is it contained with a subnet, if so routing rules, --> is it contained within a few IPs, if so routing rules An...

anav

viewtopic.php?t=182340

anav

Your config seems off to me. Lets assume the CCR1009 is the WG server for the handshakes for both the other router and the mobile connection. (1) Not sure a /30 mask cuts it a /29 mask gives you six useable IPs, since you seem shy to use the standard /24. (2) The allowed IPs on the CCR1009 are missi...

anav

No point in responding, this has nothing to do with MT. The troll is here to talk about GPT in some bogus cultish form............ ( the measured opines of both MKX and rextended are refreshing and indicative of open, inquisitive and reasoning minds.) . I'm only sad that the admins have not locked t...

anav

Why do you post the same silly questions twice??? viewtopic.php?t=201645

anav

Concur, and the answer is still no. MT cannot create a mesh network besides the fact that mesh APs do not handle vlan tags. What business class APs, do, besides read vlan tags is they have some sort of controller which allows efficient roaming between the APs, be it TPLINK or other vendors. With AX3...

anav

I see nothing wrong on the config side. You have the right allowed peer, you have firewall settings that allow the traffic. Can you post your WIreguard settings on the laptop? If you want to access the 10 subnet from the laptop you would need to have allow IPS on the laptop on its peer settings: all...

anav

Concur its hard to find a home AP, mesh or not that handles vlans.
All brands be it tp link etc, have a business class AP that can handle vlan tags, but they dont come in a mesh variety.

anav

Post your latest config and I will have a look.

anav

Nope, the mikrotik has nothing to do with the internal shenanigans of the AP. What it sounds like its doing is within the AP taking your 192.168.88.0 traffic and sort of splitting into both subnets. What I dont know is if its taking an .88 address for each lease and then converting/giving it to .3 a...

anav

Just to have a sample practical, minimalist but secure (shortNsweet) firewall available for your perusal. Its based on allowing only authorized traffic and dropping everything else. The input chain rule allowed admin access is based on a firewall address list one create and which is comprised of loc...

anav

This is an excellent source to review and once you have a config to show
/export file=anynameyouwish (minus router serial number and any public WANIP information.)

viewtopic.php?t=143620

anav

Did you forget to upgrade the admins' firmware as well?

anav

Jaysen, just to be clear, I was ONLY talking about the connection-mark nomenclature for Mangle rules! There is no change to either the mangles routing-mark nomenclature or especially to any naming in the IP Routes . The mangle rules for marking routes should remain as is --> useWANX , as do the IP R...

anav

@Sir Bryan sounds fascinating! Any chance we could see how you setup OSPF+BDF in RoS 7 for this to work?? An examples of the type of network arrangement your espousing may be of great potential use by the OP as an alternative approach to engineer in slow time, and of utmost interest to me as well. [...

anav

(1) Personally recommend you dont use the same entry names for connection marks and routing marks. It gets terribly hard to read. For instance. For the initial set of rules use connection marks incoming-WAN1 ( reflect traffic is originating from outside the router ) For the PCC traffic use connectio...

anav

Get an expensive router with expensive services and use their APP Patrol/control

anav

Personal choice. All my switches/APs get an IP from the managment VLAN but they are set fixed upon lease or I do it manually via mac address. Having all MTs on the same network makes IP neighbours discovery set to the interface List which I make and only contains the managment VLAN, I can see all my...

anav

On the 5009 basic math, 4 vlans, 4 addresses, but ONLY 3 pools, 3 dhcp servers, and 3 dhcp-server networks!! ( assuming either base or managment is not really being used ?? ) Plus bridge port should look like this, personal preference: /interface bridge port add bridge=bridge interface=ether2 ingres...

anav

AndyM1988, what everyone was asking is that you provide the relevant configuration snippets. Anyway ... On the RB5009, if you look at the hosts on the bridge (/interface bridge host print), do you see entries in the different VLANs? If your computer is connected to the CRS326, do you see its MAC ad...

anav

One cannot block apps with MT............

anav

Nope, the rules are not in order and you have mixed things up... Cleaned up ... /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related hw-offload=yes add action=accept chain=forward comment=\ "defconf: acce...

anav

No goinag yours is a different problem. Failure to apply wireguard rules properly. Admin error!

anav

(1) I personally like to use a different connection mark for the PCC LAN traffic, then what I used for the WANS, just for ease of readings, but thats personal preference. I personally do not understand what are the ramifications, if any, by having the first set of mangle rule group for routing marks...

anav

If its not in config format not going to look at it.

Or as TDW was trying to say ;-PPPP facts/evidence please..........

anav

You said the need was to isolate devices.............. My reply is that you cannot easily isolate devices if in the same subnet L2, aka a normal subnet or vlan. One should isolate devices in layer2 by putting them in their own subnet, makes things easy. You can put each one in a different subnet or ...

anav

I'm too sexy for youtube video ;-PP { he did a decent job of reading the teleprompter which was slightly to the left of the camera, above is better LOL ) Nothing major but without discussing really what the heck his purpose was for putting distances on the routes......... Assuming some sort of very ...

anav

It is much harder to isolate devices at L2, and thus if you have untrustworthy devices keep them in their own subnet period.
You can always drill L3 holes to allow one way communication to such devices.

anav

FWIW the PCC youtube vid made by MT is quite good. https://www.youtube.com/watch?v=nlb7XAv57tw Used it again to clean up an AC3 LTE setup for PCC sharing across VDSL and LTE. Only, THIS time I disabled the subtitles which all of a sudden made me see a couple of important things I missed the previou...

anav

That cat needs some exercise and less treats. Why does it have chicken/turkey looking legs LOL

anav

Think of allowed IPs on any device as a separate mini firewall. There are two flows of traffic - exiting the tunnel at the local device (inbound/incoming to the local LAN). - entering the tunnel at the local device (outbound/leaving the router) Therefore for the first case, the wireguard code looks ...

anav

The wireguard subnet should be different from the LAN subnets!

Please read here for more info on wireguard as to making guesses: viewtopic.php?t=182340

anav

(1) Question about your settings here... what is vlan10? [/color]? Point of personal preference i prefer to manually untag bridge ports on the config so they show up on the export and can follow the Admin/s logic. /interface bridge vlan add bridge=bridge tagged=bridge vlan-ids= 10 add bridge=bridge ...

anav

Nice explanation!

anav

Full config
/export file=anynameyouwish ( minus router serial number and any public WAN IP information )

anav

Its normal to isolate users by vlans because the vlans do it as they are L2 constructs and we ensure the firewall rules do the same at L3. Whats NOT normal is your requirement to isolate wifi users from themselves within the same subnet or isolate wifi users from lan users in the same subnet. That t...

anav

I cant see anything but a big grey blob in the middle ????

anav

Next item, people keep messing up on. They keep a bridge address and pool and add addresses for the vlans but FORGET about pools, dhcp server etc for the VLANS. Please add a paragraph that says, NO need for bridge to do DHCP once you have vlans make all subnets vlans for a clean, consistent approach...

anav

Lets get real here you didnt read the first reference at all!! How else can you explain this...... TWO VLANS and only one pool and one dhcp server and they are not for either vlan ???? /ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254 /ip dhcp-server add address-pool=default-dhcp i...

anav

Much appreciated on a very detailed answer. I expected to get grilled for my shiet firewall rules, keep that grilling, please. 1) I assume you are talking about my External Peer 1? b) Yes the second peer is for my external device (in this case my phone), keepalive removed. Also, what two other peer...

anav

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=eth11-WAN-2 new-connection-mark=MARK-WAN-2 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=MARK-WAN-2 new-routing-mark=WAN-2 passthrough=no

anav

Router2 1. ALLOWED IPs. a. The first peer config line is from the client MT2, to the server MT1 - All looks good to me, just not sure why you used 172.16.0.0/30 vice the standard 172.16.0.0 /24 ?? b. The second peer is from the server MT2 to the client (laptop?). Why is there a persistent keep aliv...

anav

gotsprings looks like your trying to put mikrotik wan solutions under the bus LOL. Here I am trying to figure out optimal failover WAN approaches and it turns out I just need to use BigLeaf.....................
Please send $$$$

anav

para B. --> viewtopic.php?t=191442

anav

IMO documentation is pretty decent, specially if you compare it to some documentation, originating in China. For a trained IT network engineer, concur. For a fly by night DYI its woefully inadequate but since everything is based on logic and rules, no mountain is too high and there is always some s...

anav

Yes, the key is the firewall rules.......

anav

Ahh reading this ......... seems to indicate its a manual perpetual thing LOL. CHR License Levels License levels described until now do not apply to Cloud Hosted Routers (CHRs). CHR is a RouterOS version intended for running as a virtual machine. It has its own 4 license levels as well as trial wher...

anav

P1, limited upgrades? next renewal is later on today previous deadline march 2023..

Is there some sort of process where you have to hit the renewal button or something and before this deadline thingy.. So weird.

anav

Like I said, delete this thread its a farce from the get go.

anav

Thats a good sign as it looks like you are getting at least the correct IP address. There may be an issue with your windows wireguard client did you get the client from the wireguard website (if so good, if from a MS windows site, not good). Ensure you have no blocking firewall or AV on windows side...

anav

Well done sir!!

anav

Almost there I think. -- > BTH --> https://help.mikrotik.com/docs/display/ROS/Back+To+Home

anav

Someone change the title... since this about obtaining the GPL source. Nobody is asking $45 USD to get GPL covered source. In fairness, I think the software license agreement does list $45 duplication fee. To get a CD with the corresponding source code for the GPL-covered programs in this distribut...

anav

Typically if one has a primary / failover scenario and folks want some devices to go out WAN2 then one uses routing rules. Routing rules are great for whole subnets or a few users, however if you have many users, one has two choices, a.. make as many rules as per users. b. mangle by firewall address...

anav

MT is getting better and releasing youtube videos that are helpful case in point, althought doesnt necessarily answer your migration question is a step in the right direction!
https://www.youtube.com/watch?v=37aff6d14Xk&t=485s

anav

Other than the insightful comments by justin, and factual comments by Mrz and Normis, the rest of this thread is Fake News and annoying whining. Rather than being insighful, the author of this thread is trying to incite some anger for a nothing-burger. Yawn!! Please Delete this thread, I could have ...

anav

Since the MT router is the server for handshake, there is no NEED for KEEP ALIVE on the peer setting for the laptop. Looking at the config, it would appear you should be able to do both. /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WA...

anav

anav

The only difference between 6 and 7, is that you need to add a table, and the extra route reflects the table not the routing mark. Otherwise those two rules help ensure traffic that comes into WAN2 goes out WAN2. Not sure why you think it wont.......... You could also try adding (if a static wanip) ...

anav

Not sure why you have three rules it should be the first rule and one more............. combo of the other two. /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=eth11-WAN-A1 new-connection-mark=MARK-WAN-A1 passthrough=yes /ip firewall mangle add ac...

anav

Q: why do you use Canadian country settings when you are based in Kiev ?

Everything is better in Canada!!

anav

Those are dogsled miles

Your second point lost its train of thought........
the reason why..... if that even if........................... ??????

anav

Set up SSTP between the two routerboards and run the VOIP through that vice wireguard?? Its quick and easy to set this up using mchap2 no certificates. Just for giggles on the routerboard that is client for handshake. set up this mangle rule which helps if there are any MTU issues...... If it was a ...

anav

Please put code blocks at start/end of config, the black square with white square brackets above, on the same line as bold and underline!!

Did you read --> viewtopic.php?t=179343

anav

Tx Normis!!

anav

(1) Found this rule in your NAT rules LOL, should be in forward chain. add action=accept chain=forward comment="internet traffic" in-interface-list=\ LAN out-interface-list=WAN src-address=!10.10.0.0/24 (2) No idea why the redirect rules are not working, hopefully someone with better eyes ...

anav

Wont get 1gig via wifi until maybe WIFI7, so hold off on buying new APs till then.

anav

(1) Set internet detect to NONE,having it up sometimes causes issues.... (2) Yes all the users from the MT router going out WG to the ubuntu server will have as source address the wireguard IP address allocated to the MT router. There is nothing wrong with this as the MT router upon return traffic e...

anav

Typically to ensure WAN traffic goes out proper WAN you need: 1. Sourcenat Masquerade for that interface. Normally addressed by the default rule. add chain=srcnat action=masquerade out-interface-list=WAN 2. Mangle Rules: To ensure incoming on WANX goes out WANX add chain=prerouting action=mark-conne...

anav

If the admin URL entry was consistent across all containers then I concur it should be noted, but if its solely pi-hole centric, for you to expect MT to put tailor made solutions in their docs, for your particular scenario is a stretch.

anav

Network diagram would be helpful to understand what devices are involved etc. config to see the routing and mangling parts and firewall rules in context..... Also what is the problem of manually creating a standard route for the WANs.............. this will not get in the way of anything?? If for ex...

anav

You didn't hookup the spark plugs?
No gas in the car.
Dont know how to use the key? Its a push button stewpid.......
..........
...........
..........

anav

TP Link / Zyxel etc......... 2024 LOL

anav

CHR : Why if the license block in SYSTEM shows P1 and yet in the IP CLOUD menu there is the warning in red: CHR trial licence expired NOTE in DOCS P1 (perpetual-1) license level allows CHR to run indefinitely. It is limited to 1Gbps upload per interface. All the rest of the features provided by CHR...

anav

So the alternative is Zabbix ?? ( not the $$$$$ PRTG of course )

anav

Why do you need upnp, its like old insecure protocol..........

anav

Not sure if thats a yes or no answer LOL

anav

I hope MT skips any notion of 6E and goes straight to 7.
Cap BE LOL................... On a few android phones and coming to apple phones in 2024.

anav

No you cannot configure one based on the other at least NEVER using backup , you can try to copy chunks of script across. Nothing wrong with the TP links depending upon model............. there business APs read vlan tags just fine. I have EAP245, EAP660HD and EAP610 myself and they all work fine wi...

anav

You may have misconfigured one of the devices..............
Unfortunately, my ouiji board is out for servicing...........

anav

(1) Draw a diagram of your network. (2) post config /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, etc. ) Read through this --> https://forum.mikrotik.com/viewtopic.php?t=191442 Then read the script below and attempt to understand what each line means. ...

anav

I note that there is no DUDE manual or documentation at the newer MT DOCUMENTS SITE ????

anav

Looking way back at the comparison table, Virtual Links Supported ( ospf yes / is-is NO ). Isnt that a plus for OSPF?

anav

IF a user on casa net or domus net is bypassing PI, then perhaps its the browser using a DNS bypass ??

anav

(1) Missing last rule of input chain add chain=input action=drop comment="Drop All Else" add action=accept chain= input comment=PiHole dst-port=53 in-interface-list=\ LAN protocol=tcp ======== goes here ============= add action=accept chain= forward comment="defconf: accept in ipsec p...

anav

I only comment on full config not snippets

anav

You need to create the interface list...... a bit tricky but select INTERFACES in winbox, then SELECT TAB "Interface List" Below this Select the word lists ( on the same line as the + symbol ) You should get a popup that allows you to add a list. Hit the + symbol to add: Enter in name TRUS...

anav

Post your request in its own thread and provide a network diagram and the full config.......
/export file=anynameyouwish (minus router serial number, public WANIP information, keys, long lease lists etc...)

anav

Hi Jaysen, fair question as I had not defined what that was anywhere. Since it was not clear to me which LAN side entities were getting PCCd so to speak I left it as an new interface list. It has nothing to do with the WANS.... So once you define what subnets will be included in the PCC you can add ...

anav

my apologies jaysen, the information I provided is at the edge of my scope of expertise, the rest is a tad over my head.

anav

It was my bad LOL......... Basic stupid, went the wrong way on the Netmask bar. the first routing rule should be add dst-address=192.168.0.0 /22 action=lookup-only-in-table routing-table=main ++++++++++++++++++++++++++++++++++++++++++ What is t his route for?? You dont need it!! add comment="u...

anav

Wish I could help, dont have the networking acumen, all I can see is stuffing cooked spaghetti noodles up a straw.

anav

Sweet, without VRF, there appears to be anarchy in the wireguard world, I support getting rid of anarchy, with chaos

anav

Okay you have other issues. Your way of separating users and use of vlans and bridge is very confusing. You have only one pool but then many addresses, whats going on. Looks like you should have 3 vlans, subscribers group1, subscribers group2 and servers. One bridge-lan is fine, assign the three vla...

anav

The good news is that they are not polluting the internet.
I dont log noise myself, just insure the config is properly setup/secured.

anav

The main table is where the router looks to sort out which routes are active, is my understanding. It doesnt necessarily use that route depending upon admin policies/rules. I dont know what happens exactly, between router and ISP, in terms of whether or not the route in the main table is required to...

anav

Cloud flare Teething problems and pale in comparison (pun intended) to devastating solar flares.

https://www.dw.com/en/can-solar-flares- ... o-64663358

anav

@AMMO --> They dont want to feel the wrath of the llama and thus are doing everything to appease........... I guess next up is cloudflare zero trust tunnel in an options package LOL

anav

Think about it. You either have default routes from ppoe or IP DCHP client because on checked the box for default routes. OR You have to create them manually. ++++++++++++++++++++++++++++ If one was adding a private IP address for the WANIP directly again you would then have to add a corresponding d...

anav

@ MT STAFF -- >what MT ROS should do is parse JSON. The cheap hack of parsing text is a fragile approach.

Search all forums for JSON and see what you find!!

anav

You have made changes, so you say

, repost config so we can work from facts/evidence!

anav

No need for capsman controller for wifi as your other APs are not MT. One bridge, as many vlans as you need for isolated networks. Best reference for vlan setup - https://forum.mikrotik.com/viewtopic.php?t=143620 Firewall advice --> https://forum.mikrotik.com/viewtopic.php?t=180838 Configuring safel...

anav

I have white clothes on, not diving in LOL

anav

(1) Only see two subnets being directed to the pi (veth)...... so the rest are not supposed to is that correct?? add address=192.168.0.0/24 dns-server= 192.168.55.55 gateway=192.168.0.1 \ netmask=24 add address=192.168.240.0/24 dns-server= 192.168.55.55 gateway=192.168.240.1 \ netmask=24 (2) Allow t...

anav

recommend adding this mangle rule to help with third party VPN MTU issues that seem to crop up. No harm to put this in. /ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard-inet passthrough=ye...

anav

Still need some more work on FORWARD CHAIN FW RULES a. order is wrong, fastrack rule should be first, b. duplicate rule , should be deleted. We already have the rule allowing wg interface to the LAN. c. modify rule to be clearer (not an error though), we need to give access for 1.1 subnet to jellyfi...

Search found 19553 matches