MikroTik

anav

The doc shows it but your config still not correct. /interface bridge port add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=9 add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-priority-and-untagged i interface=ether4 pvid=8 add bridg...

anav

Decent! Observations (1) One doesnt make port forwarding rules in the forward chain thus get rid of this .... The only thing that should be in the forward chain is one rule allowing dstnat. All port forwarding details are put in the dstnat chain rules. Also its in the wrong order if it was to be in ...

anav

I thought I had a solution but then ran up against the MAIN ISSUE. I see conflict in attempt to tell the R1 router how to route traffic headed towards theR2 subnet. a. L2TP for R1 subnet to R2 subnet b. Wireguard for remote users to same R2 subnet. Why not send R1 Subnet users ALSO over wireguard to...

anav

For mangle rules you dont need the first sets of rules................... Not explained properly by the video author, why he has the first set of rules which dont apply YET in your simple case. Start here for required rules........ You dont need both new and no-mark, no-mark is a better option norma...

anav

Sure, first I would update the firmware to the lastest stable update, 7.8 and earlier 7 versions had issues. Just to confirm you DON'T WANT primary/failover you want PCC/failover. The difference is that in primary/failover, only one ISP is providing connections. In PCC both ISPs are used at the same...

anav

https://mikrotik.com/consultants

anav

Yes but your assuming AmmO can find the other thread.

anav

Dont look at me

. You need the expert and prompt advice of the perps Ammo and Holvoe to the rescue!!

anav

Edit: Please ensure you let folks know your router is behind another router, especially with unsafe configs as per below!! Even still I would only allow VPN to the router and then access config/subnets. /ip firewall filter add action=accept chain=input comment= "Router Access Remotely " ds...

anav

Read through this article and pay close attention to /interface bridge ports and /interface bridge vlans to find your error

viewtopic.php?t=143620

anav

No point in showing you dont know how to config the router just yet. Please attempt the readings and then come back and post a complete config. Understanding is more important then copy and paste at this juncture /export file=anynameyouwish ( minus router serial number and any public WANIP informati...

anav

Sounds like a scenario for double nat. Modem, to MT Router, then to TPLINK router (for vpn mostly).
The hex need not route as my earlier post and can be connected to the AX as a switch.

anav

Ahh okay, I see you only have one subnet and are using a vlan for that. A bit unusual but perfectly fine.
My question is, where are your firewall rules?
Where is your internet connection??

anav

Have some reading to do!!

viewtopic.php?p=908118

viewtopic.php?t=191442

Only after you have gone over the above.....
viewtopic.php?t=179343

anav

Any devices connected to your bridge ports should be able to see each other as you only have one flat network at L2. The firewall rules are for L3 traffic and they couldnt block same lan to same lan traffic anyway. Config looks okay on quick look. A. Either all are connected to PCs with strict firew...

anav

One bridge, dont uses vlan1 (use any other for data), recommended NOT to use bridge for dhcp...........
viewtopic.php?t=143620

anav

If the modem passed the internet to you within a vlan then you need to set the vlan also on the router in most cases.
There is no harm to set the vlan in the router.

/interface vlan
add interface=etherY name=vlan-WAN vlan-id=XXXXX
/ip dhcp client
add interface=vlan-WAN

anav

I have no time for guesses, this is not a circus but you sir are a clown............. If you need to work on your imagination, go read a book.

anav

Maybe?, dont you even know what you have???
In any case, no need for TPLINK router at all

anav

No need for vlan if the router gets a public IP and everything works in bridge mode.
If it does not then set vlan on modem and set vlan on router.

anav

BUT... I'd really recommend just start again with a new config... I personally think the default firewall is very well-calibrated (e.g. generally modifying the interface-list to add an WANs should be needed for 99% of CPE use cases). Disagree, not just a new config, NETINSTALL first , then new conf...

anav

I cant wait for holvoe to provide the necessary information!!!

anav

First, this is not a TPLINK forum and second, there is no such model TP link er650. There is however a wifi-extender (NOT A ROUTER) called the TP link RE650. This can be connected by ethernet to one of your routers to act as an access point. However its a dumb access point that cannot read vlans. At...

anav

Awesome, glad its working for you now.

anav

Nothing broken in Wireguard, simply MT has added in additional setting for BTH Wireguard and it can get a tad confusing is all.

anav

Lastly, and again sharing Anav's point of view leaving an open resolver is not best practice, and in all cases, not something any client should pay a consultant/service provider for. Find out who was responsible for those configs if provided by your company and if they are not gone, they should be ...

anav

A default config should not slow the performance. As intimated, its probably residual blocking going on from leaving DNS open...... Note here how DNS is allowed ONLY from the LAN, and in fact is the only thing LAN users should have access to on the router itself and perhaps NTP (for certain devices)...

anav

That's nice. Now how do you expect us to help with practically no useful information.
What are you connecting to for example, third party VPN service???

Need config
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)

anav

Okay, your diagram ONLY shows you getting a private IP from the ISP modem/router. Is there another diagram showing you getting a public IP from the ISP modem if so show that instead with fake numbers for example on the diagram. THe LANs will stay the same behind the MT. OR, can you on the ISP modem/...

anav

Sounds like YOU are the problem! :-) Lets look at the config. 1. Why do you slovenia telekom as your DNS server. If you want ISP provider DNS you can set that in the IP DCHP settings or pppoe settings for example (dial out). Most folks use something like 1.1.1.1 or 8.8.8.8 for external servers.........

anav

Different vendor.............. You will pay through the nose for a higher end device that can still provide the throughput required with IDS services applied and by the way those IDS... DPI services are not native to the router, you then additionally have to buy subscription services to activate them.

anav

Sorry your requirement makes no sense. Dont care about what you want to try on the config...... illogical What are the traffic requirements from the user perspective? What equipment do you have and what is the network design.....? ROUTER to MT acting as a switch?? OR ROUTER to MT acting as a ROUTER?...

anav

Classic error of trying to keep the bridge doing DHCP. If you need another subnet take the one you kept on the bridge and make it vlan10.... or something.
Many other errors as well.
Suggest you read....
viewtopic.php?t=143620

anav

Trust me, when attemtping to diagnose errors on my own config and a million other peoples config, its much easier to spot firewall errors when chains are grouped together. Of course, it doenst matter which chain is in which order, but it does matter within a chain the order. Ordering the chains them...

anav

Wojo........... If you are familiar with OSPF Looking to do something for failovers. Imagine 2 WAN inputs to MT router............. and a CHR on a VPS in the cloud. What I want to do is connect the two WANS via wireguard and L2TP (plain -->best way to handle packet fragmentation), [from MT router to...

anav

Well I have mine listed but that is because they are on the same network and same subnet for IP address.
ROMON is s tool that allows that sort of thing I think

anav

Awesome, glad its worked out for you........ Ive done many dumb things when it comes to MT, and most due to my lack of understanding of basic networking.

anav

Then please post full config, there is something else on the config p erhaps.

/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc.)

anav

Please post full config so I can see what is going on. please.
/export file=anynameyouwish ( minus router serial number and any public WANIP information )

anav

Wrong approach gig.......... You know better.
You dont plan and start the config without knowing all the requirments and attempt to totally change the requirements at the end.
Is all traffic working as expected.............

anav

Only a fool thinks firewall rules need not be considered in wireguard traffic. I wont even look at the config until its one bridge and all vlans (bridge does no dhcp).
viewtopic.php?t=143620

anav

It also sounds as you have not turned off all router services either......... post complete config

anav

Yes, I now can ignore everything in orange becauses its nonsensical. Between these two locations is Wireguard P2P tunnel it's on same ISP provider , so I use internal IP addresses and it not go through internet, only through ISP LAN network in same city ). Whether or not the two ISP connections are ...

anav

Very good question, I have been asking Normis for clarification on the BTH thread in Announcement to get at the heart of these matters.
Thus far, disappointing answers.

anav

I think the issue is the smartphone blocking, as none of the changes above would necessarily block anything.

anav

Really well done for the most part....... dst address needs to be gone, and needs to be enabled! Modify this /routing rule add action=lookup-only-in-table comment="MY SMARTPHONE TO WG VM16 DOCKER" disabled=yes dst-address=0.0.0.0/0 \ src-address=10.2.1.197/32 table=_wg_vm16_docker TO /rout...

anav

NOT correct, for example this are bogus nonsensical entries for bridge ports. add bridge=onebr interface=vlan200 add bridge=onebr interface=vlan800 add bridge=onebr interface=vlan900 Vlan200 is NOT a LAN member has nothing to do with local hex.......... Similarly client-list is not a WAN, its was a ...

anav

What I would do is create a Wireguard tunnel between the VPS and the mikrotik router. The server and files would be hosted on the Mikrotik Router. On the CHR I would port forward inquiries coming in externally from USers or in this case just the admin, to the VPS public IP or domain name/url etc.......

anav

I am sorry, do not understand the architecture?
I have two connections locally to the same ISP, but each connection gets a different public WANIIP from the provider. Two different accounts.
I connect them via Wireguard as well.
What you describe does not computer for me, so unable to help.

anav

Well stated vinfgjfg!! ( all that info was on the link provided, not sure how mangling got into the mix either ) The only issue is your last sentence has a typo...... Lastly, You may opt to isolate the router on its own subnet. In that case, only the dstnat is needed as you are no longer doing a hai...

anav

> Next post intimates that it doesnt work with different Winbox Ports?? only the BTH app (!) needs the default port. To set it up. We might fix that, but then again, if you have custom ports and whatnot, might as well just use winbox > how to setup the Mikrotik manually, when using your relay point...

anav

Wish I had more info for you on BTH, but normands was on vacation today and didnt answer my BTH questions LOL.

anav

https://www.zabbix.com/forum/

anav

Yup, they were not required if doing recursive on the main routing table.
As stated full config, no more part configs..........

anav

https://www.youtube.com/watch?v=nlb7XAv57tw&t=26s
https://mum.mikrotik.com/presentations/US12/steve.pdf

anav

Yeah, if you have a fixed/static WANIP, then you need to delete that first rule, its getting in the way. The fourth rule below is just a duplicate of the second rule, and should be removed as well. You should only need two rules. Question: Is there a reason on the SOURCENAT RULE, why you feel the ne...

anav

My opinion is yes, you should be able to maximize your 2.5 gig throughput as its rated to approx 3gig with 25 IP filter rules.
It is a new ARM64 product so the support should be good for many years.

anav

Yes, Normands, most interested in the manual setup. My question is regarding how to setup the Mikrotik manually, when using your, for want of better word, cloud touch relay point. Its not a full blown WG server, but a connection point that allows users to reach the MT regardless (no public IP and IS...

anav

You keep changing the story. Yes, it is common to use wireguard, as a safe method, for external originated traffic to reach a server or to config the router. PROTON VPN is not for this, its for traffic originated on the router heading outbound . Two different cases. You don't seem to grasp that exte...

anav

Just to be clear, the upstream router belongs to house owners and the hex belongs to you a tenant, and they dont have any wifi but would like to use your wifi?? Now yes you can setup your hex router as a router (double nat) and thus have your own subnets/vlans You can provide guest vlans that they c...

anav

https://www.youtube.com/watch?v=YLtGQAQ8iS0

anav

What the hex is Ampere..... MT sold with a tazer ??

Assuming its like a new Cloud virtual computer or something not linux, not windows but something else VPS???
https://amperecomputing.com/

Is it software is it hardware.... seems rather vague to me.

anav

Yes ISPs can be ornery too, we have a bell fibre ISP that blocks ICMP ping as a normal function of their provided modem/routers and it cannot be changed by the home owner.

anav

Just because things work for a limited test set, doesn't necessarily mean the config is correct LOL. MT can be misleading in that regard. The errors will bite you sooner or later.

When you think you have a near finished final product post again.......

anav

Not sure why you are continuing with off bridge setup?
You dont have enough ports ( with 5 on hex ), you need 1 for client on Main WIFI router subnet, 2 for 1790, 3,4 for switches and 5 from wifi router???

In terms of vlans, read this.
viewtopic.php?t=143620

anav

If its not working then I need to see full config as answering any more questions requires complete understanding.
/export file=anynameyouwish (minus router serial number, public wanip information, keys etc..)

anav

Rule in forward chain needs to be add chain=forward action=accept connection-nat-state=dstnat The old default rule can be deleted but you need to add two more rules. THis one above it....... add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="internet traffic&q...

anav

Nobody likes chasing a moving story.
Right down all the requirements.

a. identify all the user(s)/device(s) and groups of users/devices
b. identify all the traffic flow they need.

Also, do you control the upstream router or does the ISP.aka and ISP modem router.

anav

In Brazil you have a different plan LOL.
You have to plan for theft replacement. If it aint locked down and you are not paying the police, it gets disappeared.

But yes, typically at home, use it till its not fixable or no longer does the job required.

anav

Its impossible to block or control DNS from an encrypted methodology to my knowledge.
In other words there are limits to what one can do with adguard/piehole/doh etc..... if the user is savvy enough.

anav

So just internet COAX cable to ISP modem router and you get private IP from ISP modem router LAN.

Just plug one cable into your MIKROTIK ROUTER and then all users plugged into mikrotik router.
One bridge, create as many different vlans as you need to separate users, servers, iot equipment etc.

anav

One bridge.
How every many vlans you need to have separate subnets.
One vlan for Servers, one vlan for trusted LAN users, one vlan for guests, one vlan for iot equipment etc...

anav

Okay so you have a port forwarding requirement but no external traffic TO THE ROUTER ( aka no vpn services etc. no wireguard ). In which case you dont need the output chain set of rules But YOU ARE MISSING THE MARK ROUTES FOR THE RETURN due to PORT FOWARDING via PREROUTING!!!! A small note if you di...

anav

Concur, also because ARM products are more fully supported going forward.

anav

(7) NO. The purpose of the rule is to allow subnets from r1 coming in on wireguard ( in this case one subnet) to access r2 single subnet and of course the remote admin users. If you had multple subnets on r2, its doubtful that the local subnets/vlans would require access to each other at all, hence ...

anav

Hi Mozerd, how do you distinguish on a single computer, a different queue for gaming, and for NAS server access (file access), torrenting, streaming etc...............

Can you provide that fidelity or is it all, ONE IP, one queue applies ??

anav

To be clear, you have to communicate more accurately.
What device do you have,
Provide a network diagram.

It may very well be that you are talking about a switch not a router and I was giving advice thinking it was a router etc...........

anav

Don't you have this built into your obsolensce budget planning for 1,2,5,10,15 years down the line ;-) EVERY X years change TV (10) EVERY Y years change CAR (12 ish) EVERY Z years change IPHONE. (3 ish) EVERY A years change WIFI devices ( often coincides with IPHONE ) (3-5ish) EVERY B years change r...

anav

Hi there, The table is required because that is what we are creating, an independent new routing table, so that we can tell the router where to send traffic, separately from the Main Table. Mangling is a method of identifying traffic with some specificity, in order to apply routes as required. I hav...

anav

Assuming I had it wrong all along and you need to pass the MAIN WIFI subnet to other devices behind the managed switches. I have modified the CHR script below. I also noted my handling of 1790 was not quite right, it needs to be defined as an interface, but no other place.... I also do not see the r...

anav

Correct. Each remote subnet must be a separate entry. The purpose is so that if local lan users need to reach remote subnets, the router knows where to send the local users!! The purpose is also so that remote users coming in to access local servers or use the local WAN, have their return traffic go...

anav

To be clear are you trying the SAME configuration on both devices for testing purposes?? Yes, you may have errors if you relied on scripts as the config has changed significantly so the rest of the config will have to be modified as required. (1) Why do you still have the incorrect setting for wireg...

anav

MIKROTIK is not the answer either, that is if you are intent on content based control. MT does not have APPLICATION CONTROLS or deep packet inspection so it may not work for you. MT is a user based and by that I mean IP: based firewall router. So put users into vlans and subnets and then you can con...

anav

Post your config and I will have a look. Also an update to what I posted I was not entirely accurate. 1. The output chain rules ensure that external traffic TO THE ROUTER ( aka services like wireguard handshake ) that comes in WANX goes out WANX 2. One still needs prerouting chain rules to ensure th...

anav

R1 (1) Why did you use firewall address list=VPN, its not correct technically as you have one local address on the list which has nothing to do with wireguard, 192.168.100.92 The list is more accurately called Admin or Authorized. Confusing to call it VPN when its not. Yes it includes two wireguard...

anav

You can use code commands to encapsulate your config! ( black square with white square brackets on the same line as Bold Underline etc.......) Typically when first setting up bridge vlan filtering and later on if I screw something up on the bridge, I setup an off bridge access. Makes life much easie...

anav

ISP Device: Is it a modem/router or just router? Does it provide TV or telephone services or just internet?

anav

I provided a much simpler, cleaner config, so cannot comment further.

anav

Ah okay, I think of that as NAT RULE, as opposed to a MANGLE rule as opposed to filter rules (forward and input chain).
All other IP firewall. LOL.

anav

https://www.amazon.ca/TP-Link-USB-Ether ... C87&sr=8-5

anav

As the article states. If you have USERS within the same SUBNET as the SERVER, and the users are not accessing the server by the server LAN IP address directly, but by the roundabout method of using the Domain Name/url/dyndns type name. then yes you need the hairpin nat rule. If you move the users o...

anav

It is not clear what firewall rule you are talking about??

anav

Well will focus on DNS related rules........ In general the Device acting as DNS server has to have access to the internet to get DNS itself. EVEn a DOH servers needs some unencrypted DNS access to make the initial connection to an encrypted DOH server. So in general, one has to look at DNS servers ...

anav

viewtopic.php?t=179343

anav

Well the only changes I see are in the forward chain are two rules. Difference in Green! FROM add action=accept chain=forward comment="allow internet traffic" \ in-interface-list=LAN out-interface-list=WAN add action=accept chain=forward comment="allow Smart Home access" \ dst-ad...

anav

Three things. a. good to include diagram very helpful as we are not in your head. b. form follows function so a clear set of requirements will dictated a useful config. So need the following (i). identify users/groups of users including you as the admin (ii). identify the traffic they need to accomp...

anav

Hard to say as the OP thinks he knows better by not providing the evidence and information to make an accurate diagnosis.

anav

Caution that I have seen RECENTLY folks using these rules and not putting a SOURCE part of the rule. (in interface lan) IF you dont then anyone on the internet will start using your pi server!! I note the original link at the top of the thread showed this dangerous config and its from an old no long...

anav

Negative, to ports is implied to be the same as dstports if not entered. To-Ports is this really used when doing port translation. What is important is such sweeping rules in-interface-list=LAN is to ensure you exclude the pI LAN address or any other subnets not being subjegated to PI. /ip nat add a...

anav

Which configuration, the OPs? If you look at the suggested config, all traffic from 800 and 900 vlans AND WIREGUARD, go through the WAN side of the router aka via ether5 and since there is a masquerade rule. all such traffic is already natted and gets a source IP of 192.168.2.2. That problem no long...

anav

YES it can, just not through PROTON. You could host a CHR on VPS for example ( cloud server ) or linux OS etc............. (1) All users would go directly to the public IP of the CHR vice your public IP to connect to a server. (2) The CHR would then port forward that traffic INTO a wireguard TUNNEL ...

anav

In R1 the config is clear. We only allow select users on wireguard to access the LAN side. We allow remote users to come in on wireguard to go back out wireguard ( does not allow anything else ). Thus we ensure control of what occurs by making clear rules. add action=accept chain=forward in-interfac...

anav

The painting company should be charged for $gas money and time for your to fix the situation at a minimum. The company will only make changes if it causes them to lose some of their profit.............. Sadly, pride and ethical behaviour not so much. The relay rule should be clearly stated.............

anav

Suggest your review line by line to digest all changes. No mangling required, no vlan for WAN needed. Tried to keep it clean and simple. Access to the router is safely done via Ether1 using 192.168.55.5 set in laptop ipv4 settings etc..... Setup so that you can access the router when sitting on the ...

anav

Okay so to recap and make sure on same page. 1. VDSL Modem/Wifi Router is where internet terminates. The modem gets the public IP. It provides a flat network of 192.168.2.0/24 where the modem router is the gateway 192.168.2.1 2. HEX is a second router with NAT, its WANIP for all intensive purposes i...

anav

You cannot do that with the MT router it does not bond two connections such that one session can use both connections at the same time.
There may be some software you put on a PC or something that does that for torrenting, but there is no such config on the router itself.

anav

Well there is physical security and access on-site, and there is stupidity. a. for disconnecting a piece of equipment and then on top not plugging it back in. Be it dishonest or stupid, the employee has to go. I note the evil attempt by the OP to confuse me by putting R2 prior to R1.............. ;-...

anav

https://mikrotik.com/consultants

anav

Just so I understand you have a hapax3 that gets a public IP......... If so you dont need Proton VPN for incoming, you can use your own router with wireguard to let remote users access home assistant. Even if its not a public IP ( behind an ISP router ) if you can forward a port on the ISP modem/rou...

anav

Observations (1) The vlan7 you assigned to combo1 is all very nice but where is it in your pppoe connection?? /interface pppoe-client add add-default-route=yes disabled=no interface=combo1 max-mru=1400 max-mtu=1480 name=Telekom-DSL profile=telekom user= If indeed the ISP is providing pppoe over vlan...

anav

(1) You have two rules and the second one is redundant on input chain. add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN { allows all VLANS full access to the ROUTER } add action=accept chain=input comment="Allow main VLAN Full Access" \ { allows main VLAN...

anav

Do not understand about DHCP requests........... The Cap is not acting as a router solely as an AP switch and has no Firewall rules, no DHCP functionality...... or anything...... Since you use pi for DNS, assuming that you direct your users to PI already so why did you deviate on the setup provided?...

anav

The only thing I can recommend is a newer model ( AKA newer ARM product )
hapax3, first choice hapax2 second choice, and then you can RUN wireguard via BTH and will be able to remotely connect to your network from anywhere.

anav

PLEASE CONFIRM ASAP that you get a private IP address from the ISPs device. If you get a public IP then you need to unplug your router immediately and perhaps netinstall it because you HAVE NO protection because you have NO firewall rules at all. All traffic is permitted. Which means hackers have f...

anav

If your MT device is setup properly, why are you here? Try a debian forum! If you want help then provide the config and we can decide, based on EVIDENCE not opinion, that there is nothing amiss on your config. /export file=anynameyouwish ( minus router serial number, public WANIP information, keys, ...

anav

Blocking ping on wan side seems pointless............ its actually useful and not a security risk.

anav

I think your mixing up form and function. The MT Device is a switch and you clearly stated you have an upstream firewall that takes care of firewall rules etc. so not sure what the issue is?? Its a switch so Wire Speed should be a given. Security wise are you asking what additional security function...

anav

(1) The advice is to have a separate VLAN for users and a separate VLAN for managment if you need it. The concept of a management vlan is mostly so that all smart devices on the network are configured and reachable on this network that nobody else has access too. If you have a trusted subnet then yo...

anav

Mikrotik model?

anav

It would appear you dont have a public IP directly its handled by the modem/router and not passed to your router.
Can you access the ISP modem/router and forward ports to the MT router?
Which MT device do you have?

anav

when?? using back to home wireguard, regular wireguard, something else......... again no context, we are not inside your head nor have any inkling of what network we are looking at etc...

anav

SURE YOU DID YOU ADDED THIS RULE AND ITS STILL THERE> add action=drop chain=forward comment="drop Everything else in VLAN" \ in-interface-list=VLAN /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ estab...

anav

@OP When you say static IP in the US, do you mean you get a public fixed IP, or fixed private IP ( like 192.168.1.X ) @Hey noob, what drugs are you on? The Hex is old and very under powered for the typical connections in US. Dont know about Mexico. The hex can be expected to get around 400-500Mbps o...

anav

(you dont need the vlan restricted list anymore by the way) The interface list VLAN-InternetAccess should not have quotes in your rule, remove them!! ( otherwise the rule is good ) add action=accept chain=forward comment="allow Internet access" \ connection-type="" in-interface-l...

anav

Seems okay, you keep screwing up the order of rules though..... (1) /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked ----> move up, and put the invalid rule, the icmp rule and the lo...

anav

NAT PMP, is nothing to do with MT. So lets get the facts. You have a third party VPN connecting your router (as a client ) to the PROTON wireguard server. Typically this is NOT for incoming originated requests, this is designed for sending some subnets or all subnets out the proton site for internet...

anav

Yes but that has nothing to do with mangling or whatever. Connect ISP1s modem or modem router to ether1 for example. Then if its pppoe connection assign the parameters in the PPP menu. IF its a ISP assigned dhcp scenario, add the parameters in IP DHCP. IF its a Static Public IP assigned, you can do ...

anav

Well I am not sure you handled vlans correctly, and in fact, once you start using vlans I recommend you turn the bridge affiliated subnet INTO a vlan and then your errors with the other vlans will become clearer. My sense is that is the root of your problems not the firewall. Suggest you read this t...

anav

(1) This open ended nonsense sourcenat rule is from the default rules........ ?? /ip firewall nat add action=masquerade chain=srcnat add action=masquerade chain=srcnat comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN (2) No idea what you are doing with these see...

anav

Is it possible to connect multiple Wireguard peers with Mikrotik at the same time? And use it for VPN service in an Organization instead of L2TP or SSTP? Have you used wireguard? Its not an enterprise solution where 1000s of employees need to VPN into work............ However yes, one can have many...

anav

Did somebody else noticed ping increase and drop in speed ?

Your post has no context. Do you mean if you are drinking a cup of coffee while running on the treadmill??

anav

I am not familiar with LTE products, dont worry many are. If you have two internet connections, LTE and skydish direct? Then you have two main possibilities. a. USE BOTH at the same time and provide the full available bandwidth b. USE ONE as a PRIMARY, and the other as SECONDARY (backup), so that if...

anav

Pinging gateway IPs, is reaching the router as they are local interfaces, does not mean you can actually reach users..... Lets look at the config......... (1) INPUT CHAIN, clearly you want reasonable security and thus I am assuming you want limited access to those that config the router. Hence allow...

anav

First, this is a USEFUL ARTICLES FORUM.
You should post your question in Beginner Forum or GENERAL FORUM.
So please open a new thread there and close this one and when you do, please post a network diagram as what you have stated is NOT clear.

anav

Perhaps I was imagining it because the first times I opened it the router stated was a 5009. When I do it today its now on the HEX> Looking at your diagram, can you confirm you use three different ether ports on the WIFI Router to connect three different vlans to three ports on the HEX??? What I was...

anav

The requirement is not clear. The router provides services such as wireguard server for handshake, and there are ways to ensure that if traffic coming on WANX for that purpose goes out WANX. Its not clear to me thats what you mean?? It is rare to see input chain in mangling as that is traffic to the...

anav

The default rules from MT already add such a rule in the forward chain.
I agree 100% that its common and thus why I suggested that Mikrotik add Zerotrust cloudflare tunnel as an options package for all devices.

anav

Really, so no datpaths and vlans in capsman, they took it out, how nice!! About time to remove vlans from wifi configs.........

anav

Kitty has claws, do not mess with it, even with only one eye open you will get hurt, thinking your script knowledge is somehow better, such a comedian. You do know that cat is just Yoda in disguise.

anav

The 5009 should have no issues handling this throughput.

anav

Just because your willing to sell your soul to cloudflare, some of use prefer not relying upon third party providers. :-P However, if port forwarding is in the mix, then cloudflare is a viable compromise, and for this case, it should be available on all MT devices, as a package, not hidden in contai...

anav

All good, now we both know we are not going insane

( in my case more insane )

anav

L2TP windows client does not connect to wireguard, suggest you have to connect to an L2TP server.............. '=P As noted, your config is likely wrong and the fact that you havent posted a.. your complete config b. network diagrams Is completely absurd as this is not your fist post. You know very ...

anav

Holvoe, that link is TOTALLY USELESS for those wanting to setup capsman and datapaths and VLANS.

Either make one (user article -as I have requested numerous times or stop suggesting something that doesnt fit.......

anav

As pointed out you supplied a config for an RB5009. You have not stated where this router fits. You have not provided a hex config. Explain more how the upstream router works.......... does it provide an IP address on a private local subnet to the hex. You mention, NATing, please expound. A network ...

anav

Too many unanswered details.
What is the throughput of each WAN.
Are the ISPs for all six different?

How many users are anticipated.
What kind of traffic will they be using,.......

Network diagram to show what happens after RB5009, switches APs etc.....

anav

I would look at wireguard as the way to go.
One could have all devices on the same wireguard subnet easily reachable from the office or if away remotely.

anav

R2 that I posted is the last config on R2 because after that i lost connection

Too funny. By the way since its dirt easy to establish an SSTP connection between two MT routers, I always do one as a backup to WG.

anav

without evidence, its all opinion.

/export file=anynameyouwish ( minus router serial number, any public WANIP information )

anav

Dont use vlan1 to pass data, its gets confusing especially as you are mixing devices. The MT uses it in the background.. If you are using vlans then go all vlans. If the HAPAC is simply acting as an AP/Switch the below works............ Hence a TRUNK Port carrying all vlans from pfsense to MT. The M...

anav

Hence why I asked if you had actually tried to reach a device, not just pinging............ ( in post #10 )

anav

holvoe, you missed the memo, he is using the same device with two separate access points, one gets him very good speeds and the L0009 crap. Suspect the testing device is not the issue but who knows......... @haha Did the OP try the 20/40 setting?? @haha DISABLE THIS RULE AND SEE if there is a differ...

anav

@Verylab 1. The client device has nothing to do with accepting an incoming handshake, the request to join wireguard comes from the client device and is outbound traffic. The router wireguard service is hosted on the Server device at the incoming handshake and thus needs the input chain rule TO the r...

anav

In general marketing speeds are misleading, use the 1/3 rule. Basically they typically combine up and down so already one is at 50% and then there are losses due to propagation interference from other access points, walls electrical circuits etc.. So realistically would look at around 180 Mbps as a ...

anav

Ahh okay so your not using vlans........... and only want to send one flat subnet to the CAPAC ?? /interface bridge add ingress-filtering=no name=bridge /interface ethernet set [ find default-name=ether2 ] name=emergaccess /interface list add name= management /interface wireless AS REQUIRED assuming...

anav

Yes, I am all out of ideas, there is no logical reason I see that its not working. I would try two things myself personally first, grasping at silly straws....... a. change dns servers such that it looks like /ip dhcp-server network add address=10.0.10.0/24 dns-server= 10.0.10.1 gateway=10.0.10.1 ad...

anav

Yes admit all is the default. Other than that missing the issue. Did you try a reboot of the router after making those changes?? If after a reboot still no joy try adding this rule to the forward chain above the drop all rule. add chain=forward action=accept src-address=192.168.2.0/24 dst-address=10...

anav

1. Who told you to put only vlan tagged on the bridge settings............... mostly just need to enable vlan filtering only.??? Remove it!!! This is your issue. /interface bridge add frame-types=admit-only-vlan-tagged name=Main_Bridge protocol-mode=none \ vlan-filtering=yes 2. Personal preference I...

anav

I dont guess LOL< when I see two udpated configs, I can look at the evidence.

anav

Your firewall rules seem fine and yes, the rule does exactly that. Remember we modify the default rule into three rules and thus change the concept of allow everything except wan to lan traffic without dst nat rules TO block everything and only allow traffic we specifically state is permitted aka la...

anav

CPU usage for no gain. Simply dont log it. Out of sight out of mind.

anav

Observations (1) DO NOT USE VLAN-ID=1. Its already used by the router in the background and should not be used to carry data, it can cause weird things down the line. Instead just switch that to VLAN-ID=99 for example because its actually called vlan99_BASE, why you assigned 1 is beyond me.............

anav

What you mean redundant via VRRP. What is the part you are concerned about?? You have a mickrotik device with two WAN sources. Either both are up, one is up or both are down. How is VRRP going to help you here?? A network diagram may clear up the mystery. Ahh. reread the first post, have two HEXES d...

anav

I will have a look and see what I can figure out................... The funny thing about MT, it can allow some traffic if the config is almost there, but eventually any errors will reach up and grab you by the nuts.........

anav

Hmm, not sure what you are doing,,,,, but whats wrong with 2 or three vlans for subnets, one bridge and then doing PCC as needed. As well the deviation from default firewall rules ( aka the mess and utter garbage) makes the overall situation far more complex than it needs to be. Can you state simply...

anav

Sweet performance!

anav

WHy not considering using WIFI ethernet also known as 60hz wifi. Basically creates a 1 gig connection between two points that acts like an ethernet cable and called wireless wire. You can put whatever you want at the other end, switch access point etc.... You can pass as many vlans as you like ........

anav

This is a perfect case for BTH! In this case we will establish a VPN tunnel from the router to the BTH mikrotik relay server and then all remote users will have a pathway to reach the router. In this regard AT LEAST, you can access your router and LAN securely and get rid of the bogus access you hav...

anav

Just showing that nature is more powerful than technology.
Also note that If Turn around quickly enough I can light my own flatulence.

anav

As per my post, the best way to do this is add a list of static LOCAL IPs and wireguard IPs, ( including the off bridge IP ) into a SOURCE ADDRESS LIST. These are the only users allowed to the router. The LAN users get access to DNS services, the only ones they need.......... This rule you had 5 cha...

anav

This is how I setup my capac ( as an AP/switch) ( sorry no capsman ).
viewtopic.php?t=182276

anav

I trust you to apply an excellent config for a specific purpose. However, this is not the case, you have invented a requirement not requested, likely to never be requested and it only ends up confusing people trying to learn. The bottom line is the output chain rule is not needed here. For anybody r...

anav

THe easy way to do this is to modify the concept of the default firewall setup which is allow everything block a few things, to Block everything and allow only needed traffic. Hence this ( and in the right order ) : ( default rules to keep in the right order ) add action=fasttrack-connection chain=f...

anav

Maybe he doesn't trust a cat wielding a chainsaw.... '=P

anav

Good opportunity to stop trying to copy and start trying to learn! Print off the config and then start adding from winbox one config line at a time. You will quickly find out that you cannot enter certain settings unless others are already setup................. let the learning begin!! @holvoe, you...

anav

Yes, that is the rule removed that did you in. Since your kicking yourself, go back to post 7 to reread,

anav

Now your making up crap..... There is no need in this scenario, and no clear future need for the output chain in a future scenario from incoming Wireguard traffic from the other Device. If one was to have WG incoming to this router perhaps............ So instead of exiting gracefuly from this thread...

anav

Not familiar with other tools someone might use, I am strictly referring to the performance provided by the MT config.
If there is aggregation wrt to a single session, some other device/software is performing this not the MT.

anav

The hex is basically acting as a switch. It does not need any addresses other than the trusted network and assuming this as vlan200 subnet Post config of hex /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc..). Edit: See config now at bottom of your po...

anav

/export file=anynameyouwish ( minus router serial number, and any public WANIP information )

anav

Nope the best you can hope for, on any one sessions, is the maximum throughput of the ISP the user is connected to. The total amount of bandwidth is greater to share. So instead of 50 users sharing 500Mbps of throughput, they are sharing 1Gbps throughput, so each user has more opportunity for a bigg...

anav

I am sure it will the first and LAST time LOL.

anav

Sounds unnecessarily complex.
What is the requirement for you the admin or a user.........
In plain english without any protocol or config speak.........

anav

Disagree, the traffic being discussed is very specific, its outside user, port forwarded at VPS into the tunnel to servers on MT device. There is no user that will be coming into VPS on a public IP (not in tunnel) being directed to the MT config aka to the router itself. Magic mushrooms for xmas?? W...

anav

Then post your complete config here. /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc..). Ensure you discuss any port forwardings or VPNs in the mix. Any subnets not involved in PCC ( if any ). Other special traffic flows you need........... Did you pl...

anav

I'm shocked, MKX forgot to state after the advice, reset to deafaulst and THEN USE QUICKSET????

anav

So Holvoe, the config is correct and thus you can impart ROMON wisdom. Do pray tell while I show you how to actually review a config, what value does ROMON provide in this scenario...............I would like to know as I probably could use it too. Observations (1) There is no point in having ether5,...

anav

Ahh so MT configuration is your hobby, full time clown '=P

anav

Thank god for peer reviews in science, is all I can say....... In any case, now readers will know that your 'solution' is slightly flawed and an explanation is provided as to why and the correct config has been provided. Not about you or me, quite correct, its about others also looking for assistance.

anav

I knew you guys belonged to the same wifi masochist club!
Just waiting for the updated User article on how to setup vlans with new wifi and capsman......... ???

anav

Not sure what you are doing, a poorly worded explanation is useless. A. provide a network diagram B. provide full config /export file=anynameyouwish ( minus router serial number, public WANIP information, etc.. ) C. Clearly state the requirements. - identify all users - identify traffic they need to...

anav

Would have been easy to spot if you had provided the config.
/export file=anynameyouwish ( m inus router serial number, public WANIP information, keys etc..)

Glad you got it sorted!

anav

YOur configs are not complete and do not show firewall rules or interface list / members etc.. So cannot comment on the rest of the config. In your case, it would have been simpler not to mangle anything on RB -table add fib name=useWG -Ip route add dst-address=0.0.0.0/0 gateway=wireguard1 routing-t...

anav

Self solving is rather arrogant. Allowed IPs on Router A works but the moment you add any peers like remote users that need access RA or RB remotely, the error will show itself more clearly. In other words the Allowed IP settings on Router A ( the server ) would be better served as follows; peer RB ...

anav

Unfortunately I cannot comment as I dont use or are familiar with vlans using datapaths and capsman.
I will say that bridge vlan filtering does not seem to be turned on, and I dont see any /interface bridge vlan settings.........

anav

Sorry I dont see tunnel within a tunnel at all............ All the more reason for network diagram LOL Okay Can you confirm the source address coming on wireguard is not limited to. a. single wireguard source addresses ( like from individual WG users ) b. private subnets from another device connecte...

anav

add chain=output connection-mark=wg-conn action=mark-routing new-routing-mark=wg I was with you till you posted the output chain rule......... There is no traffic from the router itself we need to be concerned with ??? I came up with two other variations, for fun but they dont add much in this case...

anav

Without a network diagram Im a tad lost. Using linux at the VPS is of no help either............ He wants to see originating IP address at the VPS or at the MT device??? Thus port forwards the traffic from there with destination address to his servers which are actually at the MT. So he needs port f...

anav

A network diagram would allow us to better see through the fog of your explanation and the missing pieces which should have been provided up front.

anav

Not understanding the additional complexity. a. need route back into tunnel created automatically on MT router by the use of the ip address of the wireguard on the router creates a DAC route. Thus any incoming traffic from a source with wireguard IP, already has a route back........ b. Need a firewa...

Search found 19524 matches