Since the business is closed at night, capture all the MAC addresses being used over a couple of nights and a weekend, then block them all starting Monday. Then do the same thing the following weekend and probably one more weekend. Use access lists in the WiFi settings, I think. Thinking three weekends to...
Config of the hEX, and config of the second hEX please. The 305 I will assume has a trunk port from the hEX with internet and a trunk port going to the hEX switch. Assuming there is a management VLAN where the 305 and hEX switch get their IP addresses from. /export file=anynameyouwish (minus router serial number, public W...
I have no idea what you are trying to do................... but the setup I gave you should enable HW offloading on the bridge; it's done. Inter-VLAN routing is something that is foreign to me. Either the unit is a switch or a router in terms of setup............. it can or cannot have HW offloading. ...
As for your setups: if the 317 is a router, where are the router settings? Make up your mind! If the RB5009 is just for internet then you need to have double NAT and make up all the subnets on the switch. The switch will get a private IP as its WAN (a private IP from the 5009 default subnet, I guess). If the ...
I disagree with MKX; I cannot recommend, in general, a switch for routing.
The CRS317 can route up to about 400 Mbps, but that's it, so depending upon your internet connectivity????????
The RB5009 is designed to route and would be my first choice; then feed one of the switches with the SFP+ port.
Actually, the learning point is: don't change anything from the defaults if you don't understand all the possible ramifications.
So glad the MT documentation makes it crystal clear... NOT, with gobbledygook speak...........
You have to have clear requirements and an understanding of the role of the device you are using. For example, it would appear the hEX is to be used as a switch and is not connected to an ISP? Identify all users/devices. Identify all traffic flows they need (external/internal). Then a config can be des...
It's an excellent link if NOT using the CAPsMAN controller concept. Setting up the cAP acs for the link above is easy and fast. Setting up the off-bridge access and doing the configuring from there is recommended. Just put something like 192.168.36.3 into the IPv4 settings of your laptop and you are in......
Okay, no worries. Unfortunately that makes no sense to me as it shouldn't happen. As you can see by the firewall rules, they are blocked at layer 3 by firewall rules
and the VLAN structure blocks any layer 2 traffic. So there is no logic
Before doing any configuring, let's make sense of what you are doing. A. All connections to the smart devices (cAP ac, and assuming smart switches) mean that you should have a management subnet where all smart devices get their IP address from, and are connected and accessible only by the admin. One can ...
Complete config required for analysis (minus router serial number, public WAN IP information, keys, etc.)
From the displayed information, separate the two DNS by distance, so the Cloudflare ones should both be distance=2
What is VRF doing on WAN interfaces???
Why the RB1100? It's old news. The RB5009 is cheaper and very capable. However, the real question is: what are the throughputs of your three ISP connections? ISP1 up/down, ISP2 up/down, ISP3 up/down, NOW and planned. If all three are 1 gig, then even the 5009 is getting pushed. If you plan on any 2.5 gig c...
That's what I thought, as the go-to rule that I provided earlier at post #3 does that, but the OP reported issues with it???? /ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 passthrou...
Okay, to recap before I look at the monster (and by the way, how one would expect to grasp that in bits and pieces of posts etc. is amusing..........): You have three WANs and two ROUTERs in the mix. - The Stormshield router gets WAN2 and provides DHCP for the following VLANs: 102, 106, 108, 109, 111 - The R...
Not a sweet F-ing clue. I just saw it written somewhere, but my guess is this allows the router to match what it's detecting on a given connection (very flexible) for optimal results.
Try laptops on both sides of the RB5009 and both sides of the hAP ax3.... Just give both routers a fixed private WAN IP address of 192.168.55.5 (gateway 192.168.55.1) and the laptop on the router side 192.168.55.2 and run iperf; then you will get a good sense of the throughput on each router WAN to LAN and l...
I would caveat that with enough detail that shows where all the WANs are coming from and which VLANs are going to which device over which ports!! (to which devices)
According to the current rule setup, this is the only traffic we are allowing: a. anyone on the source address list Authorized should be able to ping and access any VLAN user/device. b. WG user1 has access to vlan300. c. WG user2 has access to vlan600. d. WG user3 has access to vlan700. From my under...
Please verify that a user from one VLAN can access a device on another VLAN (OTHER THAN those allowed); in other words, if a user can ping a user, do the next step: access the user device. One should normally be able to ping the gateway of any VLAN, but I don't think you should be able to ping from use...
None of your VLANs are identified, so how can 354 be the router??? etc.....
So my request for a network diagram, which was ignored, does not let me progress any further.
You have WAN and LAN lists, but I don't see any IP DHCP client or route etc................
Detailed network diagram and current config, and I will have it fixed in a jiffy pop.
What always puts the icing on the cake, if you understand your own planning, is also:
a. identifying all the users/devices
b. identifying all the traffic they need to accomplish.
Now to answer your question directly.
Do this:
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=wireguardInterfaceX list=LAN
add interface=wireguardInterfaceY list=LAN
etc...
add comment=defconf interface=ether1 list=WAN
If anyone complains about your long list of code, they should look inwards for not supporting my recommendation for a first-post process!!! Now for the OP...... (1) WIREGUARD is not a local SUBNET, so you only assign an IP address, nothing else!! (2) Get rid of this default setting; it's on the stat...
CRS326 1. Same thing, get rid of pvid 999 on the bridge itself. 2. Still cannot add :-), you show 4 APs, 6-8. Well not quite, you show two AP6s LOL so it should be 6-9. How many ports do you use/state for this? Answer = ports 8-12 (which is 8, 9, 10, 11, 12), 5 ports???? (will assume you have five APs for config...
1. No need to set pvid on the bridge; it's not the usual way. 2. No mention of port 23, so I made it another untagged access port for mgmt, like ether24. 3. Speaking of ether24, unless it's to a smart switch, which you didn't indicate, it should not be tagged on /interface bridge vlan. 4. Ether22 is off bridg...
Okay, strange, but if you can reach it by MAC you have access.
As far as packets, as long as your browsing experience is okay I wouldn't worry too much.
The extra rule is designed to ensure browsing performance is the best it can be.
In general, one should set on the router (assuming it is the server for handshake) the WireGuard interface as part of the LAN interface list; that then usually, through FW rules, allows RWs to access the internet via FW rules and DNS services via input chain rules. However, your request is to config the router, and in t...
1. You have three sourcenat rules; get rid of the first one, it's incomplete and is just noise. /ip firewall nat add action=masquerade chain=srcnat add action=masquerade chain=srcnat out-interface-list=WAN add action=masquerade chain=srcnat out-interface=wireguard1 2. Well, it kinda makes sense, since...
For me, you're missing some glue.
All smart devices should get an IP address on a management VLAN, or at least a trusted VLAN like the home VLAN.
Also I would separate out media devices from home camera devices, from guest WiFi, from IoT devices, from the home trusted VLAN.
I would like to know what you are doing here --> *) route - rework of route attributes; Can you post sample text or something? Sounds ominous!!! Also, what is meant by: *) wireguard - added option to mark peer as responder only (CLI only); Is this follow-up work to this improvement that maybe wa...
Drats, I thought this one had gotten buried in the sands of time LOL. The first item I think responds to EFFECTS created via BTH and having both client and server devices being able to try and poke holes through non-public IPs using the BTH code and the MT-provided cloud hole-poking server. (Think this ...
Before I can make sense of bridge ports and VLANs you have to get your story straight on diagrams; not sure if you intentionally aim to confuse :-) You claim APs 1-5 by your diagram and in orange text seem to indicate they are on ports 10-18 (9 ether ports) carrying vlan100, 200. So which is it, FIVE APs on ...
1. If you think about it, the subnet gateways are considered ROUTER interfaces and thus are normally reachable. However, no actual users or devices should be pingable/reachable. 2. Also be aware the 354 is a switch and thus routing throughput will be limited. 3. Don't know why you are assigning any PVI...
Why doesn't MT have a return policy for such a device: customer pays for shipping back of the defective unit and gets a free replacement, or something reasonable etc...
Sorry, I have no experience with the CRS1xx series. The only thing I can tell you is the concepts are the same. There will be a trunk port carrying all the data VLANs and the management VLAN from the CRS326 to the CRS1xx. What will change is how to set up VLANs, but the rest of the noise should be similar. The bes...
You will find out when you need them LOL.
Describe the requirements you have and the design will fall out gracefully:
a. identify users/devices
b. identify the traffic they require
c. provide a network diagram detailing devices being used, internet connections and intended subnet usage.
The CRS112 has to be programmed differently...................... There are probably videos on it to be found..... Also the MT docs should discuss it - https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841836 CRS1xx VLAN Example #############################################################...
He is using recursive, sort of, but also netwatch (vice check-gateway=ping). His problem may be linked to the fact that he used distance=1 for the WAN2 DNS vice distance=2 (main route traffic for the same WAN should be the same distance) (don't believe it's shown in the pic though; I happen to be clairvoyant ...
The proof is in the config for sure. Strange though; all things being equal the config should work, as the only change is the DHCP client. Perhaps there is an overlap in that the private LAN of the upstream device is the same subnet as the LAN subnet behind the MT??
Yes, some requirements I can chew on. All good info, and I would add that my approach would be an interesting deviation. PRIMARY IS WAN1; if WAN1 fails, BACKUP goes to BOTH WAN2 and WAN3 doing PCC load balancing for standard traffic that was using WAN1. However, you have provided good info in that WAN...
Those are locked features. For $$$ they can be unlocked. ;-) You seem convinced that code is already in the OS; I am not so easily convinced. We have no idea what MT ported across............ Maybe it's true and one can only port the entire BLOCK and not partial bits, and thus one could say that hooks...
Glad it's working for you now! (1) Incomplete: # add pppoe and lte to WAN /interface list member add interface=pppoe-alpha list=WAN add interface=lte1 list=WAN (2) If, as I suspect, src-address-list=office is public WAN IPs, then you should consider a different approach to reach the router for config p...
If you do acquire more staff, I vote for coders and testers. I think you already have a great marketing team and from all outward appearances a strong supportive group of colleagues.
On topic: I can observe growing memory usage as well. Under Linux on Wine, but it started off at about 80 MB and now after a few hours it is 112 MB. So slightly growing. But as said: I suspect they are going to fix or hunt down such issues anymore. MT apparently has a "new" WinBox in developm...
Okay, the easy explanation is that your ping hits the LTE connection and reaches the router, but the router responds via the other WAN as the fiber WAN is primary in terms of routes. To ensure your traffic for WAN2 is responded to via WAN2, you need to mangle. There is no need to do this for WAN1 as ...
Hmm, you didn't change allowed IPs on router2............ and there is no need for persistent keepalive on the unit that is the server for handshake. Should be (R2): /interface wireguard peers add allowed-address=10.0.0.1/32,10.2.1.0/24 interface=wireguard1 public-key="R1 PUBLIC KEY" I no...
Well, you have no firewall rules so all should be permitted......... On R2 try adding: add chain=input action=accept comment="wg handshake" dst-port=13231 protocol=udp FACEPALM - we forgot routes ON R1. Add: add dst-address=10.1.1.0/24 gateway=wireguard1 routing-table=main comment="route...
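As an added worked example (mine, not code from the posts above), here is the complete pair of configs the R1/R2 exchange above is heading towards. It follows the posts' addressing: R1 owns 10.2.1.0/24 and has 10.0.0.1 on wireguard1, R2 owns 10.1.1.0/24 and is the server for handshake on UDP 13231. Everything else is an assumption: R2's tunnel address 10.0.0.2, the placeholder R2_PUBLIC_IP, the key placeholders, and that both routers have the default LAN/WAN interface lists.

```routeros
# ===== R1 (client for handshake: it initiates, so it gets endpoint + keepalive) =====
/interface wireguard
add name=wireguard1 listen-port=13231 private-key="R1_PRIVATE_KEY"
/ip address
add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
/interface wireguard peers
add interface=wireguard1 public-key="R2_PUBLIC_KEY" \
    endpoint-address=R2_PUBLIC_IP endpoint-port=13231 \
    allowed-address=10.0.0.2/32,10.1.1.0/24 persistent-keepalive=25s \
    comment="R2 + its LAN (assumed tunnel address 10.0.0.2)"
/ip route
add dst-address=10.1.1.0/24 gateway=wireguard1 routing-table=main comment="route to R2 LAN"
/interface list member
add interface=wireguard1 list=LAN comment="tunnel treated like any other LAN by the fw rules"

# ===== R2 (server for handshake: no endpoint, no keepalive) =====
/interface wireguard
add name=wireguard1 listen-port=13231 private-key="R2_PRIVATE_KEY"
/ip address
add address=10.0.0.2/24 interface=wireguard1 network=10.0.0.0
/interface wireguard peers
add interface=wireguard1 public-key="R1_PUBLIC_KEY" \
    allowed-address=10.0.0.1/32,10.2.1.0/24 comment="R1 + its LAN"
/ip route
add dst-address=10.2.1.0/24 gateway=wireguard1 routing-table=main comment="route to R1 LAN"
/interface list member
add interface=wireguard1 list=LAN
# The handshake has to be let in on R2's WAN side; this rule must sit above any input drop
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="wg handshake"
```

allowed-address does double duty on each side: it is the cryptokey routing filter (a packet arriving from that peer with a source outside the list is dropped), and together with the /ip route entries it is the only thing that sends LAN-to-LAN traffic into the tunnel. Check with /interface wireguard peers print that last-handshake advances, then ping from a LAN host on one side to a LAN host on the other.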
You didn't provide your IP DHCP setup for WAN3???? Is isp2 a public IP??? Also it's not clear why you are mangling. Reasons to mangle: Ensure a VPN going to a specific WAN leaves the same WAN (aka proper router services handling). Ensure external users going to a server on a specific WAN have their traf...
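Added example (mine, not from the posts) of the mangle the two posts above describe: make replies to anything that arrived on the secondary WAN leave on that same WAN, instead of following the primary default route. Assumptions: the fiber WAN is ether1 and holds the primary default route in main, the LTE WAN is lte1, RouterOS v7, and the LAN interface list exists.

```routeros
# Separate routing table whose only job is "go out lte1"
/routing table
add name=via-WAN2 fib
/ip route
add dst-address=0.0.0.0/0 gateway=lte1 routing-table=via-WAN2 comment="default for WAN2-marked traffic"

/ip firewall mangle
# 1. Remember which connections came in on WAN2 (router-destined and port-forwarded alike).
#    connection-mark=no-mark keeps this from re-marking an already classified connection.
add chain=prerouting in-interface=lte1 connection-state=new connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2-conn passthrough=yes comment="arrived on LTE"
# 2. Router's own replies (ping, WinBox, WireGuard handshake): output chain, route via WAN2
add chain=output connection-mark=WAN2-conn \
    action=mark-routing new-routing-mark=via-WAN2 passthrough=no comment="router replies out LTE"
# 3. Replies from LAN servers reached by dst-nat on WAN2: mark before the routing decision
add chain=prerouting in-interface-list=LAN connection-mark=WAN2-conn \
    action=mark-routing new-routing-mark=via-WAN2 passthrough=no comment="server replies out LTE"
```

Nothing is needed for WAN1: its replies already follow the main default route. Rules 2 and 3 only fire for connections rule 1 marked, so outbound LAN traffic is untouched. One caveat: if the default fasttrack rule is in the forward chain, add connection-mark=no-mark to it, otherwise the forwarded replies in rule 3 bypass mangle once the connection is fasttracked and go out the fiber anyway.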
1. 'Each RW should have a setup such that you have...' means what? All the devices that are peers (clients for handshake require basically the same setup) need endpoint address, endpoint port, public key of the MAIN router, persistent-keepalive. As for allowed IPs, it depends what the needs are ......
kevinds (quite the opposite actually too) I'm reminded of some sayings.... "The price of inaction is far greater than the cost of making a mistake" "In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing yo...
Nope, no firewall rules are required. The idea of accepting the bridge default protocol mode of RSTP and setting ports to EDGE should ensure no possible cross-talk between WAN ports (and of course the VLAN isolation as well).
You will not be able to maximize your throughputs, as the hEX will be one bottleneck and the cable between the two devices the other bottleneck. Suggest you configure ether5 off the bridge first to set up the hEX as per the below. Then connect to the hEX when behind the RB4011 via ether4, and then mod...
Weird setup?
I see two WANs, but are there any users or devices behind the router??
More weirdly, trying to create a third WAN via VRF......... as noted, I have no clue of the requirements for traffic flow here.
Very logical and well presented, holvoe. Concur 100%.
Also I would recommend getting a CHR; one can get a cheap virtual router in the sky to connect all devices via WireGuard, and thus all are accessible right away.
SSTP as backup, since MT to MT can be done easily without certificates.
UTP cable of what standard?
What are the throughputs of each ISP??
What is your plan?
Use 1, the other 2 are backup. OR: PCC, all three used all the time.??
Very confusing setup.
You need to select which one is the server for handshake...........
Also, why are your LAN subnets the same behind each router? Make them different.
Okay, thanks for the clarification. By the way, if you don't want to mention private subnets, then don't put them in the config or diagram, otherwise it's terribly confusing. I prefer seeing it all and understanding what you have in mind, ref: a. identify all users/devices b. identify all traffic flows the...
Yeah, I thought that might be the reason. On the hAP ax3 though, the PoE port is also the only 2.5 gigabit port. Would this port normally be used as the WAN port or to connect an AP? I wouldn't use the fastest port on the router to connect towards the ISP... But that's me; my ISP only offers 1000/100 Mbps s...
The use of the VRFs is there for a different reason: both ISP1 and ISP2 routers have the same IP, i.e. 192.168.1.1. Use of VRFs is warranted if each router is serving different subnets. VRF is NOT warranted for distribution to the same LAN (regardless of number of subnets). The simple method pre...
Unless you post your config, I am unable to comment.
/export file=anynameyouwish (minus router serial number, public WAN IP info, keys, long DHCP lease lists etc.)
Yeah, full config. Things are not clear. /export file=anynameyouwish (minus router serial number, any public WAN IP info, keys, long DHCP lease lists etc.) Assuming dst-address-list=MyWANIP is a firewall address list entry of either your DynDNS URL service, or the IP Cloud service on the router. Th...
In terms of firewall rules, I subscribe to only allowing traffic and then dropping all else. I also don't think it's prudent that all users have access to config the router when they only need access for DNS services. Looking at the rules, I have no clue why in heck you are port forwarding WireGuard????? I...
Each RW should have a setup such that you have a client-device-generated public key ==>>>> this gets inserted onto the router in the router's peer settings for the specific RW device IP address ---> as we assigned in the peer settings on the router, allowed addresses....... a. if the user also require...
In general, one allows traffic to go from client devices to the router server (once a connection is established it's peer to peer; really good for two routers, not so significant for a single device........). Therefore it's at the router where you want to use firewall rules in the forward chain to state wh...
Does the LTE provide you with a public IP? Does the ISP block ICMP pinging? 1. You can remove this default static setting: /ip dns static add address=192.168.88.1 comment=defconf name=router.lan 2. Is bufferbloat that bad.......... it's not something to use right away, as you can no longer use fasttrack...
The AXE3 by far is the best router (with or without using wireless) for its price point and features. The RB5009 is by far the best router in its price range of any vendor. However, your approach is all wrong: who gives a flying..........how it looks? Does it do the job at a price you can afford? ...
Too passive for me; state it clearly, and ask for better info up front. Don't be shy............ After all, he is asking before spending and thus deserves clarity............
NEGATIVE, that is not required in the least!!! Most times sourcenat is required if going out a third-party VPN where they only accept one IP at their end!!! (1) Set this to none; it is known to cause issues: /interface detect-internet set detect-interface-list=none (2) You have RED entries, which is not a...
Well, I am surprised, because you went down the rabbit hole of a very complex VRF config on one hand, but then seemingly want to avoid like the plague a KISS solution???
In any case, if there is no issue requiring solving, I will move on.
AXE3, with or without WiFi enabled (aka as a router), is the best bang for the buck.
Depending upon usage, pair it with a cAP ax.
In other words, you could have an AX3 as a central node and run many cAP axs connected to it. However, your stated requirements are sub-optimal to get a decent response.
Just to be clear, the RB4001 r2 is acting as a router and has its own subnets with DHCP. Your router settings for the ISPs make no sense to me. Why are you using VLANs? Why is there only one IP DHCP client when you said all three get assigned that way? Why does your single IP DHCP client have v100 mgmt...
Well, if it's working for you, great.
It's not apparent to me how you send two VLANs through an access port to dumb devices...........
The diagram does not show smart switches accepting the VLANs, so either it's correct and the config is wrong, or the diagram is incorrect and the config is okay.
Without a diagram I have no clue what you are trying to do. Any explanation of requirements to date IS NOT user-traffic based only, and is confused with config speak, a no-no for communicating requirements. Short story: no diagram, no user traffic requirements; no diagram, cannot help. Furthermore, w...
The mangle was recommended, not a random suggestion LOL. It does NO HARM to your setup, and one never knows what particular website, through the third-party VPN, will give the router shits and giggles. So it's a good safety net to keep. To improve your setup you can set up both failover on the main WAN...
Man, do I have to state it in writing? Your SCOPES are wrong!! LOL The config I gave works; it's your config that is broken if it doesn't. I cannot read a WinBox jpeg unless it's very clearly delineated. An RSC script I can read in seconds................... It's just a story about requirements I cannot m...
The switch comes in handy for any traffic within the same VLAN from one user to another.
The router comes into play between user and internet, and for traffic between different VLANs.
Well, obviously I thought we were dealing with a router, not an access point, which all radio setups have MAC filtering set up for layer 2 traffic control (NOT FW rules).
Again, I should have read more closely; glad you got it sorted.
1. Sorry, my bad on the TYPO: WG1 is the correct entry on the routing rule to match the routing table defined. 2. Put an IP address on your router for wireguard1 as: add address=192.168.32.20/24 interface=wireguard1 network=192.168.32.0 3. As long as both WAN interfaces are interface list members of the ...
Your routing setup follows nothing of what I suggested, so I cannot help you there.
You seem to forget that the handshake starts on your router.........
Best of luck..............
Hello, help me. I can't use the forum to ask questions. What do I have to do to be able to do them? As for example in this post it says "It is only visible until the moderator decides." It's a neanderthal approach to ensure your post is not spam, inflammatory etc.................. After a few day...
As I stated, thus far no reason to use VRF has been provided, and as a matter of fact it would seem NOT appropriate in this case. Further, your recursive is incorrect. Simple solution works: /ip address add address=192.168.1.241 interface=ether1 network=192.168.1.1 add address=192.168.1.242 interface...
Proper config of the router. It would appear the hacker is not getting into your router but manipulating the traffic reaching his router. The fact that other traffic can reach his device is indicative of a leaky setup. Post your config: /export file=anynameyouwish (minus public IP address info, any...
NM................ There are bigger issues to solve first. 1. WHAT THE HECK is your WAN? You state: "am setting up a config for a MT router which is behind NAT" a. You have a static WAN IP set up for ether1 which bears no resemblance to any of the VLANs. The static IP makes sense but not the subnet?? b...
Simple question: what if one was to use this in routes..... /ip route add distance=2 dst-address=0.0.0.0/0 gateway=192.168.1.1%ether1 routing-table=main comment="RouteStarlink" add distance=3 dst-address=0.0.0.0/0 gateway=192.168.1.1%ether2 routing-table=main comment="RouteOrange...
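Putting the two posts above together, as an added example (mine, not from either post): both ISP boxes hand the router the same private gateway, 192.168.1.1, on different ports, and the fix is interface-scoped addresses and gateways rather than VRFs. The addresses and route comments come from the posts; check-gateway=ping, the WAN list membership, the NAT rule and the assumption that no DHCP client runs on ether1/ether2 are mine.

```routeros
# Each WAN port gets a host address whose "network" is the far-end gateway.
# The two 192.168.1.1s therefore live on different interfaces and never overlap.
/ip dhcp-client
remove [find interface=ether1]
remove [find interface=ether2]
/ip address
add address=192.168.1.241 interface=ether1 network=192.168.1.1 comment="to Starlink box"
add address=192.168.1.242 interface=ether2 network=192.168.1.1 comment="to Orange box"

# Interface-scoped gateways: the %ether part is what makes the two identical IPs unambiguous.
# distance picks the primary; check-gateway=ping sidelines a route whose 192.168.1.1 stops answering
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1%ether1 distance=2 check-gateway=ping \
    routing-table=main comment="RouteStarlink"
add dst-address=0.0.0.0/0 gateway=192.168.1.1%ether2 distance=3 check-gateway=ping \
    routing-table=main comment="RouteOrange"

/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="one rule covers both WANs"
```

Verify with /ip route print: only the distance-2 route should be active; unplug ether1 and the distance-3 one takes over once the ping check fails. Because the ISP boxes hand out private addresses, you are double-NATed on both WANs regardless of this config.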
Well, if you consider MikroTik is walking on your network, I suppose "tread" fits!! ('trademark'). Concur, it seems that we are seeing an incomplete software process, or maybe not. First, I blame the beta users, working for free and doing a lousy job of detecting all the new beta firmware problems ;-P...
As the question asks.......
What is the point at which losing fasttrack and throughput is worth it, vis-a-vis tackling bufferbloat??? (queueing actually not required)
The question I have is why are you mangling or queueing at all...... You have nothing different in either direction.......... all incoming traffic goes to the entire LAN, all outgoing traffic comes from the entire LAN. Okay! It's about bufferbloat. For me, I would have to weigh any advantage of bufferbloat o...
Allowed IPs on the router is wrong....................... You need a separate peer line for each peer; on the router you don't need the client endpoint............ /interface wireguard peers add allowed-address=192.168.40.5/32 comment=ChromeBook interface=wireguard1 public-key=**ELIDED** add allowed-addr...
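Added example (mine, not the OP's config or the poster's) of what the per-peer layout above looks like once the forward-chain rules from the earlier posts are attached: one peer per device, each with a single /32 in allowed-address, an Authorized list for admin devices, and an explicit allow-then-drop firewall. The ChromeBook at 192.168.40.5/32 and the user-to-VLAN mapping are from the posts. Assumptions: the VLAN subnets (vlan300 = 192.168.30.0/24, vlan600 = 192.168.60.0/24, vlan700 = 192.168.70.0/24), the other tunnel addresses, the key placeholders, that the filter table is being built from scratch, and the design choice to keep wireguard1 out of the LAN list so that no road warrior reaches anything without an explicit rule.

```routeros
/interface wireguard
add name=wireguard1 listen-port=13231 private-key="ROUTER_PRIVATE_KEY"
/ip address
add address=192.168.40.1/24 interface=wireguard1 network=192.168.40.0

# One peer per device. allowed-address is the single tunnel address that device was handed;
# no endpoint on the router side because the road warrior initiates the handshake.
/interface wireguard peers
add interface=wireguard1 comment=ChromeBook public-key="ADMIN_PUBLIC_KEY" allowed-address=192.168.40.5/32
add interface=wireguard1 comment=user1 public-key="USER1_PUBLIC_KEY" allowed-address=192.168.40.11/32
add interface=wireguard1 comment=user2 public-key="USER2_PUBLIC_KEY" allowed-address=192.168.40.12/32
add interface=wireguard1 comment=user3 public-key="USER3_PUBLIC_KEY" allowed-address=192.168.40.13/32

# Who may administer the router: the admin's tunnel address only
/ip firewall address-list
add list=Authorized address=192.168.40.5 comment="admin ChromeBook over wireguard"

/ip firewall filter
# ---- input: what may talk to the router itself ----
add chain=input action=accept connection-state=established,related
add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN comment="wg handshake"
add chain=input action=accept in-interface=wireguard1 src-address-list=Authorized comment="admin via tunnel"
add chain=input action=accept in-interface=wireguard1 protocol=udp dst-port=53 comment="DNS for RWs"
add chain=input action=accept in-interface=wireguard1 protocol=tcp dst-port=53
add chain=input action=drop in-interface=wireguard1 comment="RWs get nothing else from the router"
add chain=input action=accept in-interface-list=LAN comment="wired/wifi LANs"
add chain=input action=drop comment="drop all else to router"
# ---- forward: only the listed flows ----
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LANs to internet"
add chain=forward action=accept in-interface=wireguard1 src-address-list=Authorized comment="admin reaches every vlan"
add chain=forward action=accept src-address=192.168.40.11 dst-address=192.168.30.0/24 comment="user1 -> vlan300"
add chain=forward action=accept src-address=192.168.40.12 dst-address=192.168.60.0/24 comment="user2 -> vlan600"
add chain=forward action=accept src-address=192.168.40.13 dst-address=192.168.70.0/24 comment="user3 -> vlan700"
add chain=forward action=drop comment="drop all else"
```

Because each peer is pinned to a /32, the forward rules can match on src-address alone: WireGuard already discards any packet from a peer whose source is not in that peer's allowed-address, so user2 cannot borrow user1's address to reach vlan300. The handshake accept in the input chain is the only hole on the WAN side; no port forward for WireGuard is needed. The DNS rules presume /ip dns allow-remote-requests=yes.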
Or time for a trip; sooner or later having remote devices means a trip. With WireGuard and v7 software, probably soon.
It should be a built-in plan for any IT equipment anyway.
For all your switches, only the management VLAN need be identified..... (assuming it's 192.168.251.0/24). I would take one port off the bridge and use it as an emergency access, like give it an IP address of 192.168.55.1/24, and then any PC with IPv4 settings set to 192.168.55.5 for example and you're in! /interf...
Not possible with the MT device; there are too many ways around the programming.
You need to get a router that does DPI ($$$), and then pay their subscription service more $$$$.
Assuming for example the vlan3 gateway is 192.168.33.1 (1) Why do you assign a PVID on the trunk port?? Remove it. add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 pvid=3 (2) You can add to each bridge port ingress-filtering=yes (3) There is no need to set a DHCP client; this is a privat...
Here is one link to such an approach - https://forum.mikrotik.com/viewtopic.php?t=194842 and another. Discovery Between Two Locations SOLUTION METHOD: ADD A CONNECTING SUBNET/INTERMEDIARY - EOIP OVER WIREGUARD a. create WireGuard connectivity as per normal, and then b. create the EoIP tunnel within th...
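Added example (mine; the post above stops before the EoIP step) of step b: an EoIP tunnel running inside an existing WireGuard tunnel, so that the two sites share one layer 2 segment and discovery/broadcast protocols see devices on the far side. Assumptions: the WireGuard tunnel is already up with site A at 10.0.0.1 and site B at 10.0.0.2 on wireguard1 (both addresses inside the peers' allowed-address), each site has a bridge named bridge, the site-B DHCP server is the default one named defconf, and the MTU below (1420 WireGuard default less a 42-byte allowance for the IP/GRE/EoIP headers) is a working value to verify on your link, not a vendor figure.

```routeros
# ===== Site A (wireguard1 address 10.0.0.1) =====
/interface eoip
add name=eoip-to-B local-address=10.0.0.1 remote-address=10.0.0.2 tunnel-id=10 \
    mtu=1378 comment="L2 extension carried inside wireguard1"
/interface bridge port
add bridge=bridge interface=eoip-to-B comment="far-side LAN joins this bridge"

# ===== Site B (wireguard1 address 10.0.0.2) =====
/interface eoip
add name=eoip-to-A local-address=10.0.0.2 remote-address=10.0.0.1 tunnel-id=10 \
    mtu=1378 comment="tunnel-id and addresses mirror site A"
/interface bridge port
add bridge=bridge interface=eoip-to-A
# The two LANs are now one broadcast domain: only one DHCP server may answer on it.
/ip dhcp-server
set [find name=defconf] disabled=yes comment="site A serves leases for both sites"
```

EoIP is GRE (IP protocol 47) between the two tunnel addresses, so it travels encrypted inside WireGuard and nothing extra is opened on either WAN. Check /interface eoip print for the running flag, then confirm a site-B host gets a lease from site A and can ping a site-A host in the same subnet. If the sites must keep separate subnets, carry a dedicated VLAN over the EoIP instead of bridging the whole LAN.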
Good question. Trying to think conceptually. Assuming you have one common cable over which to do this work, I would probably use two different VLANs. At each router, one of the VLANs would be an incoming WAN connection from the other router, via a private subnet, on ether port XY. At each router the ...
You are not alone; the documentation makes one believe it's all there but............. it's hiding well!!!! +++++++++++++++++++++++++++++++++++++++++ Planned QoS implementation phases: QoS Marking. QoS profile matching by ingress packet headers, then egress header alteration according to the assigned...
/export file=anynameyouwish (minus PUBLIC IP information, KEYS, long DHCP lease lists, etc.) There should be relatively little else to scrub (possibly some names you give to things, comments etc.....). Use a code block to limit visible length and improve readability (on the same line as Bold and Unde...
Okay, so you want it to be an access point switch; not sure why that is so hard to say. In that case, the default config is rather simple. Nothing much other than bridge, WiFi settings, bridge ports (assuming ether1 is connected to the UDM): /interface bridge port add bridge=bridge comment=defconf int...
There is no such feature.............it's actually called something else! To gain access to this function you have to really mean to do it, aka hard to do by accident. It's not clear how you managed to do this, but not understanding the ramifications is surprising. What there is are two relatively newis...
Yes, it will be a problem to have two DHCP servers on the same network. Remove the UDM router; it serves no purpose; only use the hAP ax3. The reason being that for all layer 3 needs, the devices will go to the UDM and not to the hAP ax3. So you need to decide. Will the hAP simply act as a switch/AP...
The diagram labelling needs work. How do VLANs 1920, 1930 just pop up out of the blue (actually red and orange), for example? They should be traceable back to the 750. It's also not clear what the management VLAN is (the VLAN where every smart device should get its IP address from). It would appear t...
The point being, the OP should have provided his complete config on the first post........................
Another waste of a chasing thread because there is no first-post process....... thank you MT.
WAIT ONE - do you mean your hAP ax is only acting as a switch?? The below advice presumed that your hAP ax3 was connected to the internet via a modem and received a public IP. Do you actually mean you're connected to an upstream router which provides a private LAN in the range 10.10.10.X??? ++++++++++...
Who said you cannot use the hAP ax3 in bridge mode? I have the hAP ax3 and am using vlan-filtering with hardware offload.
This is a very capable router!!
Concur, the setup process and menu selections are not intuitive and it's easy to get lost (especially how there are hidden defaults etc.). I am not a fan of how they have chosen to give flexibility, or more accurately how clear it is to the admin what is actually configured. Don't feel bad, you are...
Not sure about the latest renditions of WiFi, but most devices probably have a useful limit of around 20-30 active devices. Some devices are specifically made for larger numbers, but that is a niche market (Ruckus comes to mind). With newer technologies, MU-MIMO and the latest 6E and 7 technology, don't know. ...
Any RoS device should be able to function as a CAPsMAN controller, was my understanding. Requirements: Any RouterOS device can be a controlled wireless access point (CAP) as long as it has at least a Level 4 RouterOS license. CAPsMAN server can be installed on any RouterOS device, even if the device it...
Isn't the first non-code-block config and won't be the last........... You can thank Normis for ensuring the resulting first posting experience of new users and those supporting them.
Not clear enough: do you mean each customer, each public IP, should see approx. 1 gig up and down, or do they share a 1 gig pipe??
If just an edge-type router, the RB5009 should do fine with 4x1 gig; throughput is well north of 4 gigs in this scenario.
Unplug the router from the internet. Netinstall the latest stable firmware. Put back the config WITHOUT any port forwarding. a. Think about having ONLY a server with a secure login process. b. Think about limiting in a source address list which public IPs can access the server. c. Even better, use WireGuard and have people ...
Okay, now you have me thinking perhaps replace my AX3s with these bad boys. https://www.amazon.ca/Portable-Antenna-Dual-Band-Omnidirectional-Router/dp/B08LZHV83P/ref=sr_1_7?crid=2LK4POLSJPVAY&dib=eyJ2IjoiMSJ9.d7o75FpnshnrVKGe5-c-B68HFFzp0iKhzPKsakuKGUIZn-erRPTYVZjKSuecgvF_aAxk649CL4RzmR20jM6Qn8jXN...
It should be similar on an MT router. I am no multi-WAN guru, but basically, from what I have seen: a block of IPs is given to the admin. One IP address is used for the router itself (NAT or no NAT depends on what the OP wants to provide on this router); the rest of the WAN IPs can be netmapped to do...
One bridge............., chalk this up to another poster child for Normis' inaction on a first-posting process.... And they will keep coming day after day after day..................
Yes, but one cannot hang onto Betamax forever..............
Heck, even my mother-in-law is sticking to CABLE TV vice streaming, let's say over my Apple TV.......
Guess what, she upgraded her TV service and they are using Android TV boxes LOL.
Jargon for garbage. Sorry Loop, disagree! The 1009 2.5 port is a mystery to me, as its real-world WAN throughput is 300-400 Mbps, whereas the old hEX will get you 400-500 Mbps. Both have two cores.......... The AX3 will get you over 1 Gbps and has 4 cores and double the RAM of the L1009; it's no contest, ...
Nicely worded statement to induce confusion :-). Wired and then point to point. Do you mean you need a router to terminate a landline connection and then equipment to take that signal over the airwaves in a point-to-point WiFi type setup back to another wired device????????? Request is too vague, ...
What is preventing the CGNAT LTE (second link) from being used recursively on your home router??
All devices can connect to your home router through the public IP, no need for CHR again.
Diagram and included detail is helpful. However this statement needs to be broken down AS requested - it makes zero sense as stated...... Now, I want to create a simple load balancer on e.g. 192.168.35.1/16 for these machines so LAN for LAN, WAN is no matter in this scheme Identify users/devices Ide...
What you're missing is that each smart device should get an IP from a management vlan. Data vlans 17 and 89 are carried forward to each smart device as well. Assuming that the ROUTER has its own internal LAN, whereas the receiver/transmitter are acting solely as AP/switches and do not need an internal LAN...
(1) I am not a queue user, but there must be an easier way to do queues than what your config shows... It would seem like you manually attributed queues on a per-IP basis?? (2) Set this to none, as this setting has been known to cause weird issues and is not really needed. /interface de...
As holvoe noted, let's say take ether5 off the bridge. Give it an IP address: /ip address add address=192.168.55.1/24 interface=ether5 network=192.168.55.0 Ensure ether5 is part of the LAN list in interface list members. Then, to complete the config, do it by connecting your PC to ether5 and give the PC an IPv4 address stat...
(1) Slight mod to DNS: /ip dns set allow-remote-requests=yes servers=1.1.1.1 REMOVE the following default... /ip dns static add address=192.168.88.1 comment=defconf name=router.lan (2) Take this default rule and create three new rules... Clearer and better security. add action=drop cha...
The config was not really what I was asking for, but since you did post it, your routes are hosed/incorrect. More on that later. So the script finds the new IP for WAN1 and WAN2 locally on the router, and sends it to the DynDNS website and updates it... ?? To confirm, though it would appear ...
To be honest, I agree with holvoe: whatever market you're trying to satisfy, it must be rather niche. It makes little sense to me to pair LTE with CCR2XXX products. Instead, for CPE boxes look more at the Chateau lineup. If you need outdoor antennas, look at the ATL LTE 18 kit... You would have to as...
You need to clarify:
a. who or what has a script?
b. where is this script aimed at?
c. what is the current configuration of your router (vis-a-vis WAN setup)?
I know very little about LTE and routers, but if it's like wifi, then LTE is probably best handled separately: a. you can place the LTE device where best suited, b. a separate device can have a wide variety of antennae and type configurations, c. you can more easily change and/or upgrade the device without affecting r...
No idea what you are doing now LOL... I was strictly looking at the IPs-to-routers work. You want each RX to send traffic from its assigned IP; you want each RX to only respond to ARP requests for itself (maybe blocking ARP requests to any other address than the allotted one is a better appr...
Without understanding how your rules are currently set up, it would be presumptuous to come up with any solution, as it would be guessing. One should realize that rules are integrated and can affect other rules and thus the flow of traffic. Others waste all our time by such frivolous attempts and quit...
Quick Set should be avoided for sure... The idea of the bridge filter rules was to ensure the assignment sticks (WAN1 to R1 etc.). My guess is that intended traffic between WAN IPs should not be affected, as the traffic would go to the ISP and then return, vice attempting to conne...
Typically a DynDNS link to a public IP is to ONE public IP, not two, and more specifically to the primary ACTIVE WAN IP.
If you have two active WAN IPs, then you need two DynDNS URLs to access them.
Not sure if that answers your question.
Amazing work... Both AMMO and rextended seem more comfortable with syntax than most are with adding a vlan to a PPPoE interface...
Understood, but it was material: one should not have floating unused ports on any configuration unless one knows that they will be used in the future. Thus, if the OP had stated 4 now and possibly more WANs later, all the power to you; otherwise, it's junk and, security-wise, poor design. Caveat: I have n...
To your first post --> https://help.mikrotik.com/docs/display/ROS/MAC+server Since there is no problem or issue you need rectified, but you are seeking knowledge, I suggest starting by reading the appropriate documentation applicable to your area of interest. - https://help.mikrotik.com/docs/display/ROS/Route...
No worries; if not useful, so be it. @tangent, did you read the first line of the OP's first post?? "have a CRS310-8G+2S that needs to go between my fiber modem and 4 routers to split the WAN connection between the routers (technical requirement). Our current" He goes on to state in another line: ether4-...
I see this similarly (except, using basic math, if you have four routers you need four ports: 4, 5, 6, 7 [including port 8 would make 5 there, tangent ;-)]). I will take a stab at this for grins and giggles... Not an expert, so it could be useless. a. the switch is connected to the network via the man...
A clear set of requirements will lead to an optimal design: a. identify all users/devices that will interact on the network (internal, external, including admin); b. identify all traffic flows they require. Draw a diagram of what you wish to accomplish, identifying devices, WAN, vlans etc. Post your co...
Sertik, most of the angst caused is a cumulative thing. When, like rextended, one has answered, day in, day out, post after post that has zero quality control, it's very hard to remain patient and one just gets to the point directly!! (You have heard of RSI (injury).) Over the years, having been invol...
I think I understand how it works now and am asking pe1chl to confirm whether I have it right, partially right, or wrong.
It certainly wasn't a question posed to you, but if you are happy to answer... (or trying to pad posting stats LOL)
Sure was. I hope I don't get interviewed by Hur... guess I'm too old to run for president.
(Note: probably at that instance I didn't understand what the fix entailed regarding traffic flow and just assumed it would work.)
Bananas are yellow; spewing forth a fact doesn't explain the supposed traffic flow. What you seem to have suggested is: the ROUTER sends out a WAN signal to an existing NTP server with dst-port 123 BUT ALSO source port 123??? The router source-NATs that outbound to port 12300, so that at the NTP site, th...
Must be your config at the office MT.
What MT router do you have at home as well (if attempting to connect on a PC at home)? Its config may also be a problem.
Hahah, yes, I will eat humble pie; I only looked at the example on the first page of the article... where it says to create the bridge, and it's very simple and notes to add vlan-filtering=yes at the end: /interface bridge add name=bridge1 It later shows this setup as follows: /interface bridge set b...
The eero lineup I am familiar with, as a family member just got some, and they are rated at 6E. https://eero.com/shop/eero-pro-6e Yes, they talk to each other over wifi if required, or you can wire them directly, but to take full advantage of their 6E speed, 2.5 gig ports are best. After reviewing these pr...
Glad you understand, MKX; can you explain what is going on? It would appear that a. the router has a public IP and is the DHCP server etc.; b. the OP has a DynDNS URL that he uses for identifying the router (not using IP Cloud); c. he wants to reach a server on the LAN; d. the server requires port 8.8.8.8...
I prefer the routing table method as it provides more flexibility and functionality. I don't presume that all users must use the tunnel 100% of the time. More often than not, the admin will want to retain the ability for one IP (one of his) to be able to access the local WAN. Then there is the scenario...
Read the 7.14 thread... https://forum.mikrotik.com/viewtopic.php?t=205097 or do a forum search for a like issue... https://forum.mikrotik.com/viewtopic.php?t=203123#p1061713 Lots of problems with wg and logging etc... /system/logging/set 0 topics=info,!wireguard action=memory
Sorry, but your explanations are more confusing than clarifying. I have no clue at all what you are doing or have attempted, and I am getting tired of waiting for decent information. Let's see if we can make sense of it. What make is router 2? (assuming it's in a separate location in the house and gets ...
AP/Switch approach: In terms of the switch, the main difference is: a. only need to create and identify the management vlan on the switch; b. only the management vlan is tagged to the bridge in /interface bridge vlan; c. only need a single MGMT interface list, and the only member is the management vlan (...
Hi pe1chl
How will the source NAT fix the problem?
If the router goes out to a website and the website sees port 12300, won't it just drop the traffic as it's not the usual NTP port???
Not responding, may be in jail :-) In terms of the switch, the main difference is: a. only need to create and identify the management vlan on the switch; b. only the management vlan is tagged to the bridge in /interface bridge vlan; c. only need a single MGMT interface list, and the only member is the ma...
MT Docs, first line: "The RouterOS backup feature allows cloning a router configuration in binary format, which can then be re-applied on the same device." https://help.mikrotik.com/docs/display/ROS/Backup
That's a downgrade... going from a multi-core TILE with amazing throughput of 12 gigs, which also easily handles your cumulative 7 gigs of throughput. So you have to be clear on the reason for the upgrade?? Must be due to the lack of 2.5, 5, 10 or more gig ports available... One move y...
Please draw a diagram of what you speak of, as what you wrote makes little sense to me.
Also try not to speak of any solution config ideas for the following:
a. identify all the users/devices requiring traffic flow
b. identify all the traffic flows each device/user needs.
(1) It's perfectly valid to put the NTP server on each DHCP interface, but it's really not required if you have input chain rules in the format of add chain=input action=accept in-interface-list=LAN dst-port=53,123 protocol=udp comment="allow users to DNS/NTP services" add chain=input action=...
MT is very forgiving in that it allows you to set up stuff in many ways, and not necessarily the optimal or right way. As for our reading, you missed the fact that your entry is not in the reference. /interface bridge add frame-types=admit-only-vlan-tagged name=bridge1 vlan-filtering=yes Don't need et...
Hairpin via DNS... Not a clue what it does though, assuming 192.168.88.68 is the IP of the server... 3. DNS METHOD - AVOID NAT - REDIRECT LAN REQUEST VIA DNS Create the following rule! /ip dns static add address=192.168.88.68 regexp="(^|www\\.)myserver\\.net\$" ttl=5m
The ineptitude of support thus far is too much to let go... From: /interface wireguard peers add allowed-address=192.168.69.10/24 disabled=yes endpoint-address=xx.xx.xx.xx \ endpoint-port=51001 interface=wire-aws persistent-keepalive=25s \ public-key="osi1xxxxxxxxxxxxxxxxxxxxxxxxxxxxx...
The only thing I would consider adding is the following... but it should not make any difference. /ip dns
set allow-remote-requests=yes servers=1.1.1.1
Can you confirm you are accessing the SFPPLUS WAN, and have you tried from your cellphone??
Please use this as a basis for setting up vlans on your router. https://forum.mikrotik.com/viewtopic.php?t=143620 The switch is similar, but you only need to identify the management vlan, and it's the only vlan tagged with the bridge in the /interface bridge vlan settings! On both, do not invoke any other rules...
Accessing the server from your other WAN connection is, of course, going to be problematic... Think of the logic... You come in WAN2 (not the primary WAN); let's say you reach the server; the response will go out WAN1, the primary WAN. The return will be coming from a different source address...
Other than adding in-interface-list=LAN on the dstnat rule for completeness, there seems to be no reason at all for not reaching the server from the outside.
- Are you sure you have a publicly reachable IP address?
- Are you sure the server doesn't have its own firewall settings (like if on a PC)?
Lots of rectal plucks here, fellas; get facts before making stories. a. What device is the main router? (Is it MT or something else?) b. Where is the config for review of the cAP ax? c. Network diagrams help. d. Detailing requirements for optimal design: (i) identify all users/devices that require traff...
And how many times will you do this in your lifetime, jacklaz? LOL... 'Tis where a first-post process simply works! @OP - a network diagram helps show which devices, which subnets, internet source and overall intentions. The config, as noted, shows us where you are at currently, trying to implem...
Do you mean knowing the actual traffic flow requirements and perhaps a network diagram would help... gee... where have I heard that before? Certainly not in the non-existent First Post Process LOL.
Okay, so basically it would appear that the MT is behind another device and getting: a. a private IP and associated subnet incoming on the ethernet cable as untagged traffic (assumption is this is the LAN IP of the MT on the upstream router LAN and thus also the WAN IP of the MT); b. tagged vlan66, which is W...
Keep chains together; order is important overall. One should have a source originating traffic and an endpoint destination for that traffic. Traffic that is port-forwarded should not normally be placed in the forward chain but in the dstnat chain. The firewall forward chain only needs a general rule allowing p...
Never noticed that: anything L3 interface-ish doesn't show up on the interface list (wg, ipip, gre etc...), which limits your options... Perhaps two routers is the only way.
Is the VPN terminated on the MT router or on a server on the LAN? a. If the former, then you need to ensure traffic coming in ISP2 goes out WAN2 when the router responds... b. If the latter, you need to ensure traffic coming in ISP2 goes out WAN2 when the LAN device responds... In either ca...