MikroTik

anav

I will look at this sorry thread later but its clear that HAVING SAFELY SETUP SERVERS is a very important consideration for many many mikrotik users.

Thus Mikrotik MUST PROVIDE the Zerotrust Cloudflare tunnel in an options package for all users!!!

anav

Wireguard doesn't work with a bridge-lan is a ridiculous statement that means nothing! Wireguard is a peer to peer layer3 construct. If you want to connect subnets at layer 2 then a. use zerotier b. eiop over wg c. vxlan over wg. etc. I will connect Two routers, with bridge-LANS using WG . EASY PEA...

anav

Impressive amount of work done here, regardless if what anyone specifically wanted didnt get done. The paperwork alone is not trivial, just imagine the testing and integration involved. Kudos to the dev team and test team.

anav

see the rest of my reply in the above post.

anav

Mangle rules........ /ip firewall mangle add action=accept chain=prerouting in -interface=Eth2-WAN1 add action=accept chain=prerouting in -interface=eth3-WAN2 TRY add action=accept chain=prerouting out -interface=Eth2-WAN1 add action=accept chain=prerouting out -interface=eth3-WAN2 NEXT: Wyy are you...

anav

(1) Why is your DHPC network not using the same subnet as the rest of the config. /ip dhcp-server network add address= 10.0.0.0/8 dns-server= 8.8.8.8 gateway=10.100.1.1 Why not use the routers DNS caching ability with external dns servers?? /ip dhcp-server network add address= 192.168.100.0/24 dns-s...

anav

Doing it wrong, There is one rule only for port forwarding required in the FORWARD CHAIN. The concept is different from most other routers I have used. WE dont make a forward rule for each port forward. We use the dst nat chain to do each rule. Check out - https://forum.mikrotik.com/viewtopic.php?t=...

anav

Hi Ammo, I deal in the management of software bugs and believe me its not hard for them to get buried or stuck.
Suggest resubmit the issue as a new one.............

anav

Well you will need to provide a diagram because servers dont initiate/originate traffic, they respond to incoming requests?
I have no clue of what VPN you are using and how it actually works as your words are more confusing then enlightening.

anav

Priceless quote1: " Go to Wireless menu, then click Access List tab " Priceless quote2: " mkx which threads are you referring to? AFAIK hAP ax2 works like a charm. I use it personally too. If you have no specific report made, don't spread such false info then. " Yup everything i...

anav

Look at the example........ - viewtopic.php?t=182276

anav

Maybe they should assign more resources at MT to finish products instead of releasing them as beta software or at least produce a transparent road map for completion of feature sets.

anav

A server does not open a tunnel as its the server for other users aka the destination address. Im assuming you mean users come into the router via the tunnel to access the server and not via its public WAN IP. Thus you must ensure the return information from the server goes back into the tunnel. So ...

anav

Page 53-55 in the discher pdf https://www.khanacademy.org/computing/computer-science/cryptography/modarithmetic/a/what-is-modular-arithmetic Putting Items In Random Groups Suppose you have people who bought movie tickets, with a confirmation number. You want to divide them into 2 groups. What do you...

anav

The OP has a point. There is an ACCESS LIST Tab on wifi wave 2 and that seems to be to enter in each item individually with some ability to assign radius and other things............ HOWEVER, there is no single TAB or entry that would allow DISABLE all access list or ENABLE all access list. Further,...

anav

Possibly due to no recent graduates from computer software engineering in Latvia..........OR
Cheap assed owners who dont want to hire the necessary staff to make MT really shine and sing!!

anav

Good, like the practical thinking!! So Darknates first rule should be the same as his second rule (in terms of list of local subnets) RAW RULE 1 BLOCK ANYTHING FROM WAN WITH SAME SUBNETS ON ROUTER (instead of bogon list) RAW RULE 2 BLOCK ANYTHING NOT FROM LOCAL SUBNETS COMING FROM LAN So no reason t...

anav

Read para I - viewtopic.php?t=182373

anav

Sorry words are not clear.
a. provide a diagram for context and
b. full config for actual evidence of what is setup.
/export file=anynameyouwish ( minus router serial number and any actual public WANIP information )

anav

Your problems are not solved by hardware LOL

Just configure the MT as a basic switch iaw viewtopic.php?t=182276

just go look at the example.

anav

So your saying the only entry on your ADDRESS LIST is 192.0.0.0/24 ? AND these are no longer valid to put on that source address list to block incoming 'bad' incoming on WAN? Netblock Description 0.0.0.0/8 "This" network 10.0.0.0/8 Private-use networks 100.64.0.0/10 Carrier-grade NAT 127.0...

anav

The value in quickset is to be able to select the generic mode of wifi the router applies, after that, dont visit quick set again.

anav

Why would you replace a router with a wifi router, the 4011 has a WIRED only version and better anyway for the same price point is the RB5009?

anav

Stop drinking 2xbottles of Italian wine at at time - we know its so good, but the errors, the errors.........

anav

Okay so you want 3:1 sessions type ratio (not 3:1 computers) via PCC.
Read these articles........

https://mum.mikrotik.com/presentations/US12/steve.pdf
https://mum.mikrotik.com/presentations/ ... schoff.pdf
https://mum.mikrotik.com/presentations/US12/tomas.pdf

anav

FIOS is an internet provider,
an internet provider provides an internet connection
an internet connection requires at some point a router.
Can an MT router handle FIOS gig connection --->YES
+++++++++++++++++++++++++++++++++++++++++++++

A switch has nothing to do with the above.

anav

Use Wireguard or zerotier

anav

Like I said, WG is a peer to peer construct, so no issue connecting the three cities to NY router to router . Like I said, no issues connecting disparate subnets such as 10.0.1 and and 10.0.2 from satellite office to 10.0.1 at MAIN branch. But you cannot connect subnets 10.0.0 from satellite to 10.0...

anav

Getting a modern router with horsepower is certainly recommended.
Unaware of any method to avoid mangling in this case.

anav

Yup........
viewtopic.php?t=180838

anav

Not enough info
Network diagram gives context
Describing user requirements without any config speak is essential
identify users/devices groups of users/devices and their traffic flow requirements
Finally config of devices at both ends of tunnel

anav

If MT wifi products had decent documentation, clear paths to setup, and users could understand all the available features and setup the APs with relative ease and they worked and provided consistent stable throughput, perhaps nOrmands you would have a leg to stand on to "get aggressive with mkx...

anav

Sorry no capiche, I understand users or LAN subnets wanting to go out specific WANs, WAn1, Wan2, Wan3. Wans1-3 may be from the same or different ISPs. They may have different connection types, standard cable, wifi, PPPOE, or starlink for example. So your explanation does nothing to provide any fidel...

anav

Yes I was trying to convey that on my last post, use the existing bridge!!
Glad it worked!!

anav

I attempted to run mDSN discovery over wireguard but at two DIFFERENT LOCATIONs..........
Feel free to test it, to make sure it works..............academic at this point.
viewtopic.php?p=990840#p990840

anav

The best way is probably zerotier where you can put two routers lans together as if they were on the same switch etc..... Best done with an ARM64 for example. You may get away with one ARM64 device at source (where the cameras actually are) and people can load zerotier on their laptops, cellphones e...

anav

Without a config and a network diagram hard to say.........

anav

So your using the RB5009 as a switch ??? Thats crazyee, let me send you a switch and you can send me the RB5009 :-) Why are you creating vlans on the router?? They should all be defined on the pFSENSE. So your using this as a full router with double NAT ??? Why not just use the RB5009 and throw the ...

anav

Suggest you use a proper firewall appliance, I have no interest in looking at pfsense logs. Curl that!

anav

anav

Not sure how this would be done as the same commands dont translate directly but there are ways to achieve almost anything.
Zerotier functionality would create it such that you could put any two vlans on the same virtual switch to achieve the same effect I believe.

anav

separate wg interface.

anav

Look at the timelines rextended. He was probably reading the original post and drafting a reply when you added your input. Imagine he went to get a coffee or take a piss............ comes back finishes his post, hits send and then both his and yours appears on the refresh. No harm no foul, just the ...

anav

viewtopic.php?p=911961&hilit=two+factor ... on#p911961

anav

When ready to not use ipv6, as stated can help troubleshoot.
In the meantime checkout PARA 7 and PARA 9 (D) -- viewtopic.php?t=182340

anav

If you want to to span the same subnet over wireguard be clear about it. One does not span data transfer using wireguard addresses.
Your best bet is using zerotier first.

anav

Is your network ipv6? if so cannot help as not fluent in such language.

anav

I have 3 layers of firewalls in the user article, https://forum.mikrotik.com/viewtopic.php?t=180838 NOVICE --> raw beginner newbie NOVICE + MODIFIED --> Beginner with some experience APPRENTICE --> Beginner with confidence/knowledge/understanding Nothing else is really required............. PS Dont ...

anav

This is a safe starting point. add action=accept chain=input in-interface-list=LAN add action=accept chain=input comment="Allow DNS to local" dst-port=53 \ in-interface-list=LAN protocol=udp add action=accept chain=input comment="Allow DNS to local" dst-port=53 \ in-interface-lis...

anav

Its simple for both chains a few default rules a few user rules drop all No need to get cute............ allow Admin to router allow users to needed services drop all else allow subnets to WAN ************** allow port forwarding drop all else **** any other needed traffic like to a shared printer f...

anav

Interesting, I have always set RP filter to loose for multiple reasons but I dont have syn cookies checked, should I? Interesting link, seems like a valid checkbox to use. But I must check with my Tarot Cards. There is no point to using tcp syn cookies checkbox. Its only useful for targetted atacks ...

anav

Take the EOIP R1 Office router settings Router One /interface bridge ports add bridge=bridge interface=ether4-MainR1 add bridge=bridge interface=eoip-to-TWO pvid=20 /interface bridge vlan add bridge=bridge tagged=bridge untagged=eiop-to-TWO,ether4-MainR1 vlan-ids=20 The bridge already exists ether4 ...

anav

I am a believe in simplify for both clarity and troubleshooting issues. Therefore. A. ONE BRIDGE B. VLANS for all subnets ( bridge just does bridging ) C. Capsman for one AP - COMPLETE WASTE of time and clutters up clean config. I had three at one time and you couldnt pay me to use capsman. In this ...

anav

WARNING FOR ABOVE CONFIGS< not quite right yet, I have not removed vlans but there is a possibility I may not have too.......... investigating.

anav

I didnt post the configs for POSSIBILITIES 2 and 3 so done here....... POSSIBLITIES 2 & 3 ( covers both methods eoip and vxlan ) - -> single bridge specifically for one spanned subnet at Satellite Office Note: The difference in POSSIBILITY 3, is that there is at least one other bridge for the ot...

anav

TO RECAP, There are four possibilities: (1) USE WIREGUARD --> Single Subnet at Satellite: The configuration provided should work with all existing hardware with ONE internet connection provided by the MAIN office. No extra work is required to change any /interface bridge nat settings. This is predic...

anav

@retom
@Montecri

If you two [*****.***] actually read the thread..........
viewtopic.php?p=991310#p923407

This one is recommended:
**** FOR ADVANCED USERS ------- Courtesy of Sob/Dave ( called elegant by Chupaka even )

anav

Sure, and take your electric bicycle using major highways from LA to NY.......... dont be ridonkulous

anav

Why do you talk about ROUTER when you picked a switch???? We want to use the MikroTik CRS326-24G-2S+RM, I picked this one because it has 24 ports + 2 sfp ports. Right now we have 2 switches (24 ports), 1 for voip phones and 1 for the pcs. I was thinking about connecting all pcs straight to the route...

anav

USING Wireguard to SPAN One Subnet Assumptions - One DCHP Server , Subnet Uses Main Office For Internet . SOLUTION METHOD ONE: EOIP OVER WIREGUARD a. create wireguard connectivity as per normal and then b. create the EOIP tunnel within the WG tunnel ( EOIP never concerns its self ever with local WA...

anav

Dont give up me yet LOL. Can I ask if the offices have one local subnet aka on a bridge or MULTIPLE LOCAL subnets ?? Was the intention to have MAIN office internet for the single Subnet or try to use local WAN for internet at local router OR NO internet at all?? With this information a plausible sol...

anav

did you report that as a bug or do you get a spanking?? I was gonna comment your statement, but the comnent would probably be rated as PG18 :wink: Plus I only found this out the other day. Days of v6 in my home network are counted, so why should I bother to report ... And it's not a security proble...

anav

Lucky for you Toto, just looking at this subject. ( okay so KC is in MO, but thats a ridonkulous proposition ) BUT why did you use old routers for a new purchase, an RB5009 would have been more appropriate, especially since ZEROTIER would have fixed your issues SO SO easily and with the right horsep...

anav

did you report that as a bug or do you get a spanking??

anav

Just received an additional response: the wording of release notes is wrong. It should be AX2 for US and Europe. But AX3 / Chateau AX only for Europe is supported as well. (because of the FCC limitation on external antenna, they are excluded for US, I understand that) What If I choose some backward...

anav

In plain Italian
NTP is a router service.
a. enable NTP client settings to get ntp from www
b. enable NTP server settings to give to downstream devices
c. enable input chain rule for such LAN devices to reach router on port 123.

anav

Okay but only for RB4011 correct.

Well, OP's ap.rsc mentions it's from RB4011 ... hence my post is highly relevant in this thread.

Yes, but it was not in my applicable useful article yet AP SWITCH SETUP, so it couldnt be true. Now that its added, I believe you. ;-PP
...

rb4.JPG

anav

My apologies to the OP. This should work. /interface bridge vlan add bridge=bridge-vlan tagged=ether1-trunk, bridge-vlan untagged=wifi1,wifi2,ether2-pc,ether3-dockingstation,ether4-nas,ether5-laptop,ether6,ether9 vlan-ids=10 add bridge=bridge-vlan tagged=ether1-trunk, bridge-vlan untagged=wifi-guest...

anav

It's been explained that when they first implemented L2 HW offload, they implemented it so that CPU-switch interconnect will only pass VLANs of which bridge interface is member (either tagged or untagged). And it worked perfectly because those devices were wired-only devices with single switch chip...

anav

Wait, so you are saying that both switch chips need the bridge to be tagged for every vlan?? and what does switch chip have to do with WIFI Bridge ports ur killen me............ In that case, it explains why the OP had success tagging when it seemed illogical. MKX I could kiss you, well you know wha...

anav

(1) Remove bridge1 /interface bridge add ingress-filtering=no name=bridge-vlan protocol-mode=none vlan-filtering=yes add name=bridge1 (2) Confirm the iot and guest WIRED gets addresses ( ether8 and ether7) . If they DO then (4) is correct. If they do not then perhaps (5) is the answer. (3) Add to th...

anav

That would be a start!

anav

NO FIREWALL RULES REQUIRED Going to assume you get an IP address on the 192.168.8.0/24 and will fix it to 192.168.88.2 It would appear that the above device is not getting fed from a trunk port # software id = F7Y9-BEGS # # model = C52iG-5HaxD2HaxD # serial number = {removed for security reasons} /i...

anav

Nice of you to mention that now LOL, but now that I read it you did say homeAP................ Its still a completely hosed setup. As I said get rid of datapath and vlans in wifi, keep wifi to wifi settings!!, and you only define the management vlan! FINALLY WHAT IS THE MANAGEMENT VLAN or subnet ???...

anav

If its whole subnets, dont use mangling. If its a few users, dont use mangling Instead use routing rules ( and I wont use your example of lan subnets somehow being in the same structure as each WAN subnet ;-PPP ) Consists of 3 steps {add tables} /routing table add fib name= useWAN1 /routing table ad...

anav

When you decide to have one bridge, and all subnets on vlans, I can help.

anav

First of all why do you use such a twisted rule?? defconf: drop all not coming from LAN rule in the firewall. Basically it is an input drop !LAN Much better and clearer to simply say accept all coming from LAN drop all else This leads to the logical next step, which you may have not noticed with the...

anav

TWO THINGS to fix. (1) FIX the interface bridge vlan rules --> only the BASE vlan, where the AP/Switch gets its IP address from (.99) needs the bridge to be tagged !! From /interface bridge vlan add bridge=bridge-vlan tagged=ether1-trunk, bridge-vlan untagged=wifi1,wifi2,ether2-pc,ether3-dockingstat...

anav

Would also agree with the previous poster that your rules are a bit funny to have worked well in the past......... Agree with your approach using firewall address lists as you state its not just whole subnets but subnets plus or minus a number of folks that may change from time to time. Much easier ...

anav

I see nothing wrong with your setup; but would change the sourcenat rules as its not clear which WAN they refer to and thus not sure if they would work right. From: /ip firewall nat add action=masquerade chain=srcnat src-address=192.168.1.0/24 add action=masquerade chain=srcnat src-address=192.168.4...

anav

My script!

add chain=input action=drop
add chain=forward action=drop

That was easy.

anav

Hoping you get your MT wifi6 soon bpwl, cannot wait for the 'blessed' configuration that works!!

anav

Because there is tons of traffic on the WWW always hitting routers, nothing unusual. You are simply in effect logging it now by showing what is dropped. For a starting firewall this is ideal........... /ip firewall filter {Input Chain} add action=accept chain=input comment="defconf: accept esta...

anav

Depends................ firewall rules, vlans many ways...........

anav

FIXED: /ip firewall filter add action=accept chain=input comment="default configuration" \ connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input protocol=icmp add action=...

anav

/ip route add check-gateway=ping disabled= yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=isp2 scope=30 suppress-hw-offload=no target-scope=10 add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=0.0.0.0 routing-table=isp1 scope=...

anav

Okay lets see if I have it correctly you have two wifi interfaces on the LAN side (not 1, not 3 not 4 etc,) vWLAN1 - ALL internet traffic goes out local uplink internet (even 1.2.3.4) vWLAN2 - All internet traffic goes out local uplink internet EXCEPT for one single WANIP 1.2.3.4 that must use Wireg...

anav

Sorry makes no sense to me (diagram useless in adding additional info) You either have a regular (local) path to the internet via the uplink on the router to whatever is providing you internet. OR You have a wireguard path to the internet via another router somewhere (friend, your own, third party p...

anav

Please be clear........... Do you want to connect to the internet via the wireguard connection if so /interface bridge port add bridge=br1 interface=wifi1 add bridge=br1 interface=vWLAN-two add bridge=br1 interface=vWLAN-three /routing rule add action=lookup interface=vWLAN-two table=useWG /routing ...

anav

Outside my scope! jajaja (pun intended)

anav

Modified my post, I had an idea!!
see if that works,
it should be quick to try!!

anav

Well thats silly.............. No way to isolate guest from family, or iOT devices etc. At least assign different subnets to the WLANs............. and dont use a bridge OR create vlans and assign to bridge. If your happy with one flat network then you will have to decide the complexity. How many pe...

anav

viewtopic.php?p=908118

anav

Yes you are just telling the router where to go by matching the script comment entry with the existing comment entry!

In other words we use the comment block as a tool to create an entry that is unique and found by router during script.

anav

Its all here at the original link I gave you LOL one or two threads ago!

viewtopic.php?t=182340

Checkout (4) Configuring IP address
Checkout (9) C. UNDERSTANDING THE CRYPTO KEY ROUTING PROCESS (CKRP)

anav

Yes............ How do you assign traffic (from internet/uplink) to users on multiple virtual wlans? (Assuming one MAIN WLAN and then several vWLANS using main WLAN as master) If via vlans then this becomes simple as you only need to do three things for a subnet lets say vlan10-Users which is 192.16...

anav

This is my understanding of why this works: Non-212 endpoints have peer configs for 212 that have 10.10.100.0/24; doing this tells the other side (212) that 212 should route all 10.10.100.0/24 to it. NEGATIVE!!! FOR TWO REASONS. a. (outgoing) to be able to ping from a client device to any other dev...

anav

Config makes no sense to me, can you draw a diagram of intentions.
There is no need for vlans if you are only using two ports.
Otherwise create one bridge and any subnet becomes a vlan on the bridge.

anav

If you want 4x4 mu-mimo, and wifi6, look no further than the Chateau 5G AX.

Caveat: The 4x4 mu-mimo is only for the Cellular LOL.

anav

Strange behaviour is what is absolutely expected due to the admins STRANGE configuration. The router is just following commands. :-0 Where did you get the config advice from ( which link )? 1. Thats because no one in their right mind assigns a vlan1 to the bridge. 2. Why are you using vlans in wifi ...

anav

The errors have been explained many times....................
As I said, if you want me to teamviewer in, and do it myself, am willing.
Advice here is not getting through.

anav

rextended, first rule of discipline is that when you say end of help, it really means end of help

Dont write any childrens books..........

anav

Check out this, fresh out of the box........
viewtopic.php?p=990947#p990947

anav

Sorry no capiche. Do not use wireguard as a LAN subnet on routers. Clearly for single devices, the wireguard address is its address. For users on routers, they dont have a wireguard address and the subnet of wireguard on the router is to be able to ping devices, and create routes etc... So again its...

anav

I'm not paid enough for such novel thinking, however if MT added a zerotrust cloudflare options package for all MT devices, I would probably be inspired to recommend MT switches.

anav

Can you clarify Router2. It seems you want it to be able to go out internet via 3 locations, local, vps and Router 0. Do you mean different subnets on Router2 or the same single subnet? If the latter this will not be possible I dont think. If router2 requests internet, its first peer to peer link wi...

anav

I think the problem is locally, any attempt to have a destination address in the same subnet will never see the light of day of an L3 rule. My grasp of fundamentals is weak so that is just a guess as sourcenat seems to come as a last step in traffic flow. Why not change device needing access to a di...

anav

You need to do this on the pfsense router and cisco switch so wrong forum.

anav

read para I - viewtopic.php?t=182373

See recursive routing and two rules of thumb.

anav

With the help of some friends, as I am not worthy or capable.
@HighTechLab This should solve your request!
viewtopic.php?p=990840#p990840

anav

I was hoping for...... Got it all working now I want to expand my wireguard network such that client devices on Server Router 212 are A, B, C, D, E, where E is router 312 - where E is going to act as a Server going to the following peers, Server for clients M, N, O, P - TWO relay points LOL, get a d...

anav

(1) From /interface list members TO: /interface list member add interface=pppoe-out1 list=WAN add interface=vlan10 list=WAN add interface=BASE_VLAN list=VLAN add interface=BLUE_VLAN list=VLAN add interface=GREEN_VLAN list=VLAN add interface=RED_VLAN list=VLAN add interface=BASE_VLAN list=BASE [/size...

anav

I dont believe its possible or more accurately I dont think its stable if you do........... Even in the same subnet its very tricky to get right.

anav

Its simple, At initial connection, the handshake there is between one client and one server. In your case you have many clients and thus each will undergo an initial handshake with 212. You ONLY have peer to peer networks between each client and the Server. There is no direct peer to peer connection...

anav

Good thread! ZEROTIER is the clear answer both being arm devices. @OP, to be clear the person requiring access to devices at work lives at home so its HOME TO WORK flow? @ UpRunTech, were the subnets you connected via EOIP, different. My understanding is that spanning has to be to the same subnet?? ...

anav

Read this.......
https://mum.mikrotik.com/presentations/US12/steve.pdf
and this
https://mum.mikrotik.com/presentations/US12/tomas.pdf
and this.
https://mum.mikrotik.com/presentations/ ... schoff.pdf

anav

If 212 is the only main server for handshakes, I pointed out why its not working and the fixes.
Ensure you do them and post again for any additional refinements...........

anav

And to the point, if it aint vlans ( and one or more bridges ) not interested.

anav

isnt there kids home function on router??

anav

Hahaha, like I said, wireguard is included on RoS, no need for any additional complexity............ can lead a horse to water........

anav

HEX212: The only two things noted on 212 are below, so dont really see a show stopper here....... (1) Your laptop etc is missing persistent-keep-alive setting on the peer for 212. (2) Why do you have keep alive set on the HEX for all the client peers that are routers except the one discussed at (2)...

anav

(1) The IP address of your LAN network should be interface bridge !!! /ip address add address=192.168.1.1/24 comment=defconf interface= ether2 network=\ 192.168.1.0 (2) DISABLE or remove THIS rule as your internet is done through pppoe /ip dhcp-client add comment=defconf interface=ether1 (3) You for...

anav

Its probably due to the default firewall rules which pretty much are safe but allow LAN to LAN traffic at layer 3. To confirm would need to see your config to adjust the firewall.......... /export file=anynameyouwish ( minus router serial number or any public WAN IP information ). [Since it looks li...

anav

Regular Servers dont originate traffic..............So why does this one? --> Does it stream for example

YOu have to ensure traffic is routed out the appropriate WAN or ensure the WAN being used has source nat associated.

anav

Yes but AMMO clearly MT and others are pushing the idea of a separate bridge just for containers but I prefer a separate VLAN for each service/functionality.

anav

Yeah, use wireguard, faster, easier better supported by RoS.

anav

Why do you have the private LANs identical behind both routers that can get confusing fast and not a good idea generally.

anav

Lets forget Pi-hole its so yesterday (betamax). Either discuss adguard or blocky for example.

anav

Okay so you want it as a dumb switch which tells me you only have one subnet coming into it and its feeding a bunch of dumb devices on one subnet. In other words, as always I never trust what people say/write, I only go by the evidence and your diagrams and config support the fact that the RB4011 is...

anav

sorry no images are being shown, and do you have a config on the MT to show?

anav

(1) I can understand you making changed to the forward chain, aka to refine access but what I dont understand is the BS rules you add in the input chain. /ip firewall filter add action=accept chain=input comment="established, related, untracked" \ connection-state=established,related,untra...

anav

So the AX3 is your main router and the RB4011 is WHAT? Supposed to be a AP/Switch or another router ( do you really want double NAT )???

anav

Nothing is clear, network diagram needed!
Is RB4011 main router attached to internet and switch is behind the router
OR
is RB4011 simply a switch within a nework etc......

anav

nework diagram please, are both acting as routers, where is internet, etc.......

anav

Hi there, so you use containers for some functionality, but use the DOH on the router itself. Q1. Did the solution you found to your issue, mean that the Container bypasses DOH for DNS and goes to the router to DND and then out to the internet? Q2. If not, how did you get the containers traffic to t...

anav

Thats fine but I have a single bridge with multiple VLANS.
So you are saying create a separate vlan for the docker??

anav

(1) This can be shortened. If using bridge and not vlans, the two bridges suffices for LAN interface list members! Also I see no purpose to the VPN list ?????? /interface list member add comment=defconf interface=bridge list=LAN add interface=lte_play list=WAN add interface=wg_biuro_lux list=VPN ???...

anav

If one does go down the route of using some sort of DNS protection there are many options. 1. USE IPV4 servers from DNS providers that have some decent functionality against ads etc. These seem to work well but do not provide any granularity into whats is happening with clients etc..... no dashboard...

anav

Normally its a good idea to solve issues before piling on new stuff LOL.

anav

Your theories only hurt us practical guys LOL

anav

Why is this required?? You already have on the /interface bridge ports, ingress-filtering=yes and frame-types identified ????? ####################################### # Turn on VLAN mode ####################################### /interface bridge set BR1 vlan-filtering=yes frame-types=admit-only-vlan-...

anav

Yes but this is the first time you mention you already have the router I was suggesting the 2116 LOL.. Good to go then.

The only router you pointed out was the 2004, which we know now, since you actually provided useful information, is NOT hooked up to fiber but to the 2116.

anav

No LOL, I mean YOU are paying for 10gig fibre connection. 1. You have customer A, who wants to pay you for 5gigs for throughput 2. You may need some throughput for your own needs in same location (unknown , no context) 3. You are looking for other customers at location B,C,D that may want 1gig servi...

anav

You missed my point completely sippan, he should adjust for his fibre throughput not the throughput to the client............

anav

Highly recommend that all those using your server provide you with their fixed static WANIP or their WANIP via a dyndns name. No excuses there are plenty of free providers. Then you make up an address list of those users..................... add chain=dstnat action=dst-nat dst-address-list=MYWANIP d...

anav

Some routers are for home owners, plugNplay. MT is for those who are willing to learn how traffic flows in devices and then have to program the router accordingly. If you expect to read an article without any understanding of ROS and make complete sense of it, then you are mistaken Its called experi...

anav

Hi Angel, the logic escapes me? You have a 10Gigabit Fibre line you are paying for. You have one customer that is asking for 5gb, Solution: Get a router that can handle 5gb only ?? Test result for queues and filters show a throughput of between 5-8gigs Better Solution: Get a router that can handle 1...

anav

ith NTP server on 6.49.7 is that even if it synchronizes properly, it's not accepted by NTP client on ROS 7.8. ROS 7.8 server is fine for other 7.8 clients though. @anav: you're risking of getting a special badge: "zerotrust spammer of the month" :wink: There are two truths in life! Ukrai...

anav

Even my cat knows you can preconfigure netinstall............ (with script).

"When using the Configure script option, it is suggested to introduce a delay before configuration execution."
https://help.mikrotik.com/docs/display/ROS/Netinstall

anav

(1) FROM /interface bridge add arp=proxy-arp frame-types=admit-only-vlan-tagged name=bridge \ vlan-filtering=yes TO /interface bridge add arp=proxy-arp name=bridge vlan-filtering=yes (2) INGRESS-FILTERING=YES missing from all /interface bridge port settings. (3) WG info, good clarity on requirements...

anav

The second rule ( mark routing ) change to passthrough=no! and where are the rules to ensure same same for second WAN? The same approach can be applied to wireguard, think about it. The initial handshake has to come in and out of the same WAN. So by using the endpoint or server address dyndns name e...

anav

Okay got it. Dont worry about how incoming users get to a particular WAN Just be concerned that we ensure same in same out. Basic concept ip route add route for WAN1 table=main add route for WAN2 table=main add route for WAN1 table= isp1-out add route for WAN2 table = ISP2-OUT Preroute mangle new co...

anav

So far dont see why....... (1) Set this to NONE as mac-server by itself is not a secure access method! /tool mac-server set allowed-interface-list= listBridge (2) I am not a bond expert so the bridge ports look fine, was just wondering if the non-slave port needs to be the one on the bridge and not ...

anav

I will leave RDP to you LOL. I personally dont like to use it, its either wireguard in and access device or use Teamviewer LOL I was thinking about this last night. There is no issue with having a base VLAN if you want all smart devices to be on a separate VLAN. You can certainly add a fixed DHCP IP...

anav

Very understandable spyghost, I entered the thread, calm descended and problems magically got solved.
Now only if mikrotik could weave a little magic AND PROVIDE

Zerotrust Cloudflare tunnel as an options package for all MT devices!!!!

anav

A reminder that without evidence, aka full config, any OP input is an "opinion at best". When the OP is hostile or refuses to provide evidence, I move on. There is paid support (consultants) for that level of arrogance/stupidity. In my work I have provided MT with feedback/issues and they ...

anav

I would say you have some minor errors that need fixing.
Provide full export
/export file=anynameyouwish (minus router serial number and any public WANIP information )

anav

Are the routers all acting as routers in one connected setup or at different locations and connected by internet?

It seems your needs only need firewall rules at ROS1 if all connected, and for the latter just use wireguard or zerotier.

anav

(1) You define 4 VLANS to BR1 but only have 3 pools? 3 DHCP Servers? 3 DHCP-Server Networks? This leads me to believe you dont really have a BASE VLAN................. Thus I will assume you actually have a trusted VLAN on the BLUE vlan and I get rid of 99 (2) All bridge ports are trunk ports, I wou...

anav

Yeah you guys lost me long ago. Do you have a story that can be told that is easier to grasp. The way I understood is that the peer initiates a connection (single handshake with the endpoint device) and the two communicating devices send traffic back and forth as required during a session. When no t...

anav

Excellent diagram!!! 1) Bridge itself, Remove frame-types=admit-only-vlan-tagged name=bridge pvid=50 \ and reset the vlan to default=1 (2) Confused as to why you have 5 vlans identified but magically 7 IP addresses??? /interface vlan add interface=bridge name="VLAN10(Cameras)" vlan-id=10 ...

anav

You know Normis, I would bet that the User in IRAN could share stuff with the world or each other on servers if they had............. An options package for ZERO TRUST Cloudflare Tunnel, available for all MT devices.................. ++++++++++++++++++++++++++++++++++++++++++++ When I said "Get...

anav

(1) You do not need to create a route for wireguard on the router. ( Get rid of the one you made ) When you add the ip address add address=10.0.2.1/24 interface=wireguard1 network=10.0.2.0 this automatically creates a route for you. <dac> dst-address=10.0.2.0/24 gateway=wireguard1 routing-table=main...

anav

There is also another way to deal with mangling in fastrack depending upon the complexity of the scenario. See if you can spot it?? /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-mark=no mark connection-state=established,related ...

anav

Correct, distance has no bearing on that non main table entry.

anav

No thats your wrong assumption. You use the same WG interface on the Main router. You have to be far more clearer in your intentions. IS IT a. RW warrior connects to Main router via wireguard and then connects to branch office via ISPEC OR b. RW connects all the way to Branch Office via wireguard by...

anav

Wouldnt this work and avoids marking/mangling.... Firewall rule/ routing table/ ip route / routing rules /ip firewall filter add action=forward chain=accept in-interface=wirequard dst-address= 192.168.2.2 /routing table add fib name=useOP /ip route add dst=0.0.0.0./0 gwy=192.168.2.4 table=useOP /rou...

anav

Try putting your config in code blocks to shorten it. Highlight your text with them, the black square with white square brackets on the same line as BOLD, Underline etc.

anav

1. The relationship between WAN1 and WAN2. ( assuming two different providers correct?) Is one Primary, to be used by all users and the other secondary only if WAN1 fails. 2. How are external users directed to WAN2 for example, DYDNS name if dynamic, or BY WANIP if fixed/static? All servers on WAN2 ...

anav

As I said you dont have WG settings on branch office.......... 1/2 done

anav

Set up a wireguard tunnel and you will easily have the connectivity you desire.
See para F. - viewtopic.php?t=182373

anav

Dont guess, be articulate. (diagram is great by the way) For example you have used 0.0.0.0/0 at both client devices on the allowed address for peer settings to the router. Assuming you want a. access to internet via router. b. for client 8.3 it appears you also want to be able to reach mail server o...

anav

You need to read again..............RAW occurs before any conntrack is done........... therefore fastrack which comes after never sees the packets that match to the raw filter rules.

Look at the fifth diagram labelled: Packet Flow Chains
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

anav

My understanding is that there is no interaction between RAW filter firewall rules and fastrack. Raw happens before any connection tracking etc.
Mangling, queues etc are a different story and one has to consider fastrack in the configuration.

anav

What is so special about openwrt that the traffic needs to go from wireguard through MT router and then not directly to WAN? I dont get it?
What is is that the MT router cannot do??

anav

Perhaps this a ChatGPT invasion LOL

anav

Techsystem, if you didnt understand what was done and why it works, then the config might work, but the effort from my perspective is a fail.

anav

Now I understand where my logic failed...... There is a substantial difference between blocking in RAW packets leaving the LAN that are not from LAN subnets existing on the router. and RBH which is predicated on removing any traffic from the LAN to private IP addresses ( or non-valid public IPs ). S...

anav

R0 - Three items ( table, route, routing rule) /routing table add fib name=useVPS [/i] /ip route add dst--address=0.0.0.0./0 gateway=RO-WAN table=main add dst-address=0.0.0.0/0 gateway=wireguard-interface table=useVPS /routing rule add action=lookup src-address=172.16.20.0/24 table=useVPS Note1: If...

anav

Good to know, we can probably dispense with any mangling!! Any issues with pinging is at your VPS see below! (1) As indicated you need to ensure you have an equivalent rule on VPS add action=accept chain=forward in-interface=wireguard-interface out-interface=wireguard-interface (2) Route to all subn...

anav

Impossible to tell, you didnt provide your config!!

anav

WINNER WINNER TURKEY DINNER - Marino! SOLUTION METHOD FOUR - PREFERRED Option USE DNS ONLY a. create wireguard connectivity as per normal and then b. create the IP DNS SETTINGS and DHCP SERVER SETTINGS on Router 2. c. modify configs to allow Access Points via Wireguard (L3 traffic) to route to Unifi...

anav

3) Make alternative recommendations even if it includes somehow telling the Unifi Controller to go "look" for LAN B 0.X via client interface tunnel WG connected on 2.X ps : I know I can re-enroll/adopt the Unifi equipment and connect them to the controller on LAN A easy enough, but I don'...

anav

I only make the configs, I have no use for them personally LOL, so have no clue when the rubber meats the road!!

anav

Why do you send wg to openwrt??? what is GFW???

Are the users coming into the router via WG and then NOT going out the local WAN but out a remote WAN via an openwrt tunnel ????

anav

What are your qualifications, general IT knowledge or actual Mikrotik Certifications???
If this is your company business, it sounds like you need to hire a consultant.............
https://mikrotik.com/consultants

anav

So are you saying you define vlans elsewhere (other devices) but they need to traverse this router enroute somewhere else be it internet or other devices on the network????

anav

To manage the configuration and possible burps with bridge and/or vlan configuration, I prefer to create an off-bridge port. Lets say ether5, ensure its off the bridge. create an IP address for it. 192.168.55.1/24 interface=ether5 network=192.168.55.0 Done! Now you can plug in a laptop to ether5 set...

anav

If your intent was to never learn MT ROS, and thus enter the router, you should replace with TPLINK router.

anav

Not interested, if all your doing is copying shit without an iota of attempt to learn.

anav

(1) Are you accessing internet of network from wireguard clients or just subnets and the router/devices for config purposes? (2) Why are you marking wireguard traffic? (3) Why are your source nat rules SO OBTUSE. and I dont even see a default rule??? (4) Are you attempting to run your own DNS server...

anav

Stick to (conspiracy) theories ;-) Reading on the always 100% accurate internet........ "I've tunneled VXLAN over Wireguard on Linux. In my setup, my WAN's MTU was 1500 bytes, and my Wireguard tunnel's MTU was 1550, with the VXLAN's MTU being 1500. Surprisingly, traffic and iperf3 tests going o...

anav

Your requirements are poorly worded and thus have no clue what you want to do. Provide a network diagram, that often helps. OR Provide a clear set of user requirements for wireguard specific traffic 1. Identify and Define user/device X needs for flow of traffic. To reach user/device Y or groups of u...

anav

Thanks nichy I will review................... I thought the vni had to be duplicated................ like EOIP code etc......... Confirmed think of vni as the Group code for all members on the same vxlan. In terms of the port setting, what I was instructed is that they do not need to be identical, b...

anav

Because I deal only in home networks, I need simple talk.

Is the problem that you cannot get your wireguard users 'pad/notebook' to use the local DNS server at device .2.3 ??

Aka what is the problem in clearer terms

anav

I asked ChatGPT how to best setup a server on MT, do you know what the response was?

Not possible until Mikrotik adds zerotrust cloudflare tunnel as an options package for all MT routers, and then Mikrotik will be the safest server option on the market!

anav

Always on.? ................... that is why there is a persistent keep alive setting on the wireguard client side................... assuming the client device (router) is always on, the tunnel is always up.

anav

the full config not snippets is better ( minus router serial number and any public wanip information )
why are you port forwarding to the IP address of the LAN subnet 192.168.88.1 vice the IP address of the server 192.168.88.XY

anav

EASY WAY TO DO THIS - avoids mangling Step1 - create routes /ip route distance=5 dst-address=0.0.0.0/0 gwy=ISP1-gatewayIP table=main check-gateway=ping distance=10 dst-address=0.0.0.0/0 gwy=ISP2-gatewayIP table=main From this alone, you have ALL USERS going to ISP1 and if that is not available the r...

anav

(1) So many vlans but you only really define 4 of them.............. (2) you can shorten up your /interface bridge vlan /interface bridge vlan add bridge=bridge tagged=bridge,sfp-sfpplus1-CRS328-1 untagged="ether4 - CMM P\ C,ether5 - Living Room,ether3 - Google Wifi,ether6 - Chris Work laptop&q...

Search found 19572 matches