MikroTik

anav

viewtopic.php?t=203123#p1061713

anav

The issue is not resolved, that is one approach to avoid the issue which shouldnt occur regardless. ( work around, but not a fix to the bug )

anav

Lesson learned --> smart adapters wait for 7.XX.1 or 7.XX.2, they never jump on 7.XX.0

anav

I'm blushing!! In the meantime, you should help the dude in this thread, he has issues with fastrack and queues. https://forum.mikrotik.com/viewtopic.php?t=205474 Why dont you come up with a way to solve that issue. .. I mean it should just work without any need for additional steps............... N...

anav

Known issues, read the thread on 7.14 in announcements.

anav

Single NAT Router 1 incoming on WAN port ---> dstnat to LAN server Double NAT Router1 incoming on WAN port ----> dstnat to LANIP of next router Router2 incoming on fixed IP WAN port ----> dstnat to LANIP of server TRIPLE NAT Router1 incoming on WAN port ----> dstnat to LANIP of next router Router2 ...

anav

What are the requirements for traffic flow that describes all users, devices, cherry picking a port is almost useless to give advice on,,,, configs are integrated animals.
A network diagram will help as well.

anav

I disagree, he inventing a problem thats not a problem. There are working solutions. Add to the list the million of suggestions to make life easier for users................. While you all mull it over obsessively, I will continue to help others and stop by once in a while, to refute anything stated...

anav

Is it working now??

anav

Program the CRS3 line with bridge vlan filtering as described here.

https://www.youtube.com/watch?v=YLtGQAQ8iS0&t=82s

anav

Could improvements be made, sure! Can we implement working configs now, yes! +++++++++++++++++++++++++++++++++++++++++++++ Yep, that sounds about right! The whole exercise has currently resulted in two different issues: No they have not. There is nothing new in this discussion and the first item is ...

anav

Well its not a fix, its simply using the tools available properly (already posted in detail ) By the way in a three WAN scenario where 1 fails to 2, fails to 3. If the wireguard is set to look for WAN1 to establish an initial handshake connection, and does so, then WG will gracefully handle any comb...

anav

@ AMMO , I did not know you were a fiction writer. ;-P I think the issue is other side also knows about the 3 WANs – it's not a smartphone/desktop wanting VPN access. It's the far-end wants to steer some traffic down a particular WAN(s), that may not be the "primary"*. I don't think DDNS/...

anav

I dont understand the diagrams but my short answer is YES.

anav

Would love to but have no idea what your network looks like or what the problem is from your description. Perhaps a diagram will help.

anav

The WG crypto routing engine is not detailed in the flow diagrams. THere is no issue with dynamic IPs for WANs, as a persons dyndnsURL will keep the WANIP relevant if it changes and I believe the crypto routing process will keep the client peer in step with the new WANIP........... Also take a scena...

anav

The question is far to general. Could the sky be blue? Sure if its daytime and not obscured by clouds ???

There is no one size fits all approach.
Depends....... mostly on the DETAILED requirements for desired traffic flow for users/devices.

anav

Sorry WB, not a clue why you are showing logs of I dunno what. As for Larsa, If I connect to a WAN interface with distance 3, without any other rules setup, there will be no tunnel established. The only thing that using an improperly configured setup accomplishes is that the peer client will reach t...

anav

1. By the way, why do you have winbox exposed to the internet???

/ip firewall filter
add action=accept chain=input comment="Allow WinBox from WAN" dst-port=8291 \
protocol=tcp

2. The time sometimes doesnt sync right away.......???

anav

Just need two rules for sourcenat. Sourcenat is not a firewall function or a routing function!!! add action=masquerade chain=srcnat out-interface=ether2 add action=masquerade chain=srcnat out-interface=ether1 alternatively you could add action=masquerade chain=srcnat out-interface-list=WAN Where bot...

anav

Concur sounds like an OSPF+BDF exercise to detect drops and to direct traffic to remaining connection.
Not having used zerotier that may be much easier,,,,,albeit through third party technically.

anav

Yup, of course if its dynamic, extra work is required, but remember pppoe dynamic, a script is not normally required, pppoe-out1 suffices !!! The router is working as designed. Mangling ( marking connections and marking routes ) works just fine for Wireguard handshakes. Please join the borg! It woul...

anav

Concur with points above, as erlinded indicated once finished setting up all the vlan related settings go back to bridge and set vlan-filtering to YES. As far as /interface bridge vlan settings its much better to put in the untaggings and thus one can more easily distinguish if the OP understands th...

anav

Yes its your config, which we know nothing about and thus cannot comment on

anav

I had a long entry that somehow disappeared on me..........
When I get more energy will try to repost.

anav

The only thing I can think of is accept that you have to manually divy up the subnets in your head. Treat the local WAN as one WAN with 2/3s of the available BW and the wirguard interface as a second WAN and give it 1/3 of the BW. This really sucks because the beauty of queues parent/child etc.........

anav

Wireguard handshake is a completely different animal, in this case the return traffic is NOT coming from LAN servers but from the router itself. However the same logic applies, if the WG initiates a handshake on WAN3, with WAN1 being primary.................then the handshake will fail. Again easily...

anav

Let me just start by stating, that in general, DSTNAT ( normal port forwarding), in your simple case works quite the opposite. Incoming traffic to a LAN server on WAN3, via DYNDNS URL (or Ip itself) where WAN1 is the primary WAN will fail. The return traffic will go out WAN1, the original sender wil...

anav

Well not sure what you are trying to do. Typically queues are used so that not one user or not one subnet etc, uses all the available WAN bandwidth for its connections..................... So if you have subnets A,B going out WAN interface, and subnet C going out Wireguard interface ( but clearly th...

anav

Probably a bug, the keys should not change once established!
I dont know how BTH works, but I suspect the keys do not change.

anav

So this is MT's excuse not to listen to opinions on this forum? I said quite the opposite. I said we listen to all users, not just the forum In what language? What you said was very clear, and you made no mention of listening to all users. In fact, it seemed to be, if anything, stating that home us...

anav

I guess I dont understand your point then, wish I could help but its beyond my knowledge scope.

anav

Glad its working for you.

anav

The private key that proton gives you to insert will create a different public key if you already have one generated by the router. This is normal. Much better is to hit the + symbol to generate your wireguard interface on the mikrotik and DONT hit apply. First enter in the private key that Proton g...

anav

Perhaps you should use more standard terminology vice the magical language you learn at Santa HQ. Your question has been answered, its only you that remains in the dark. I have no problems mangling to ensure Wireguard connections respond appropriately. As a matter of fact even in a failover situatio...

anav

Its open season on orange tabbys

anav

out-interface=LAN is not required.

anav

1. /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=lte1 list=WAN add interface=ether1 list=WAN Should be /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface =pppoe-out1 list=WAN 2. Why do you have two a...

anav

No mkx, I demand that new posters continue to baffle us with minimalist approaches and lack of information. Why do you want to take the pain out of reading posts. Remember, this is Normis' personal torture chamber for supporters !!! /export file=anynameyouwish ( minus router serial number, any publi...

anav

The question erlinden, is AFTER READING THE EXCELLENT article --> https://forum.mikrotik.com/viewtopic.php?t=143620 WHY DID THE OP THEN USE THIS CONFIG LINE?? /interface bridge add name=bridge-all pvid=100 vlan-filtering=no I would like the OP to go through his/her thinking as to the construction of...

anav

Yes, with proper config........
https://help.mikrotik.com/docs/display/ROS/NAT
https://help.mikrotik.com/docs/display/ ... HairpinNAT

anav

Oh my bad I thought you were showing off your excellent logging. ( also there was no request, comment, question, I dont answer pictures ) If you download new software the first things you should do is read the thread on the new software as users will report issues there. Have a read, https://forum.m...

anav

It is not clear what scenario you are talking about, no diagram?? no config ?? Seriously, what do you mean when a passive peer receives its initial handshake. What do you mean by passive? What do you mean by peer? The wireguard peer ( client for handshake) aggressivelyy sends out a wireguard handsha...

anav

Fixed! Thanks..........

anav

You have really good logging!

anav

Nope, that simply means MT has to fix winbox.

anav

Fixed all changes capture by bold or colour, except firewall rules were removed and proper ones added. /interface bridge add name=brd priority=0x9000 /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no \ frequency=2452 mode=ap-bridge ssid=chateau12lte24ghz w...

anav

Does either router get a public IP (static or dynamic) or do both get private IPs from the upstream device.

anav

Haha, no I meant threads, all good. Glad its working for you.

anav

You want queueing to access the available WAN bandwidth. Such that the 57 houses if ALL online, share the available bandwidth equally. 1- user = 500Mbps per 2-users= 250Mbps per etc.... First queue - Parent queue -->Max limit 500Mbps up and down. ( assuming your speed is symetrical ) USE PCQ-RATE=0 ...

anav

I wouldnt hold my breath on 7.14, at least for BTH its giving people some issues so expect an update sooner rather than later.

anav

1. Why does HAP T have any ports for UNIFI, your diagram shows them on the HAP B ??? 2. Your HAP B bridge port for unifi are wrong!! If the mangement port is base vlan then that is the vlan 99 that should be pvid to the unifi (hybrid port with management subnet untagged) If the unifi is setup so tha...

anav

1. Based on looking at the diagrams, are you sure the connections to the uNIFI APs are trunks? Default setup on them is to be hybrid, expecting vLANBASE untagged and the rest of the data vlans tagged. They can be modified to be like other smart APs and receive all vlans tagged ( aka a trunk port ). ...

anav

There appears to be a problem with the latest version 7.14 with excessive logging AND/OR handshake attempts.
Suggest wait for 7.14.1

or go back to 7.13.5

anav

Interesting write up. I like some of it and would word things differently for MT users but overall its reasonable for overall understanding.
Concur with DarkNate's input as well.

anav

Yup, it is the active interface!

anav

Great ref video................. indeed, nice camera setup and yes, thats what a friend of mine does, resets the camera Ip to be on the subnet he wants it to be. Alternatively, you could add another subnet on your router just for NVR stuff and make it the default subnet the cameras are default given...

anav

Hi there, so you are saying that failover is working fine?
Now is the PCC working as well, when both WANs are up is traffic being distributed as desired?

anav

What makes you think bad actors done use botnets is other countries. So for example if I was to attempt hacking I would do it from benign countries like Canada LOL.
My IP would not be north korea........

anav

Annoyingly you have two running wireguard at the same time.......... keeping it in one spot is usually better ......
Keys dont change so the alternative is a bug in the software which should be reported.

anav

Wrong in every thought.......
and by not posting your config from the very beginning, how was anyone supposed to know you for example you had improper formats for wireguard
keys dont change magically either........

anav

Can anyone tell me, what has happened to @anav and "The DEFACTO DEFAULT FIREWALL Setup"? A couple of new posters didnt like tough love. :-) In any case they were not that wrong as my tone at times was not exemplary. However, any exasperation was due to the continual day in day out, month ...

anav

Which one is Mr. Hyde?

anav

https://help.mikrotik.com/docs/display/ROS/WireGuard The tricky part as noted is to generate the interface at both routers and then use the public KEY provided by each in the settings of the other Routers Peer Settings. Your mothers wireguard IP should be something like 172.16.1.1/24, yours 172.16.1...

anav

I never understand why people want free professional consultancy work or even vendor consultancy work on forums. In that vein, how do I get a hold of you for a basic 7.13.3 OSPF-BDF setup. It would seem another poster is looking something similar recently. CHR connected to MT router via two ISP con...

anav

My confusion is the statement.......... "but if the webservers try to go out themselves". That is not the function of web servers?? What you are really getting at is that what is happening is users are reaching the web servers externally ( probably by dydns url unless you have a static IP ...

anav

There is no reason for PCC not to be working. The full 3Mbits/sec less overhead and some losses should be available for connections. Suspect a config setup issue???

anav

MKX loved your explanation para, but it was like being stuck in mud. Can you state it in plainer english. Take the hexS as an example. ether1 is from ISP and ports 2-4 are bridge ports, a mix of one trunk port and 3 access ports and a trunk port on the last SFP port. Using pcunites vlan methodology ...

anav

For the longest time I thought the same as you, but over time, it was clear that it was my lack of networking knowledge and Ros Principals that was keeping me from unlocking the flexibility. There are many ways to skin a cat [ as mkx & rextended would say ;-) ] with RoS, and that leads to many w...

anav

6.49.10, for version 6 is the most stable............
If using 7.13.3, then suggest try and find optimizations in your config.......... Remove any potential bloat.

anav

Well, nothing in your evidence shows that the IP of the asus is 192.168.8.253 but I assume it is.
Secondly your two ports should be the same as your dst-port or blank ( as the router will assume its the same with no entry).
What is in there now 0-6535 is incorrect.

anav

The first config, you have all the vlans assigned to vlan2, and thus your bridge ports should NOT include ether2 ??? Typically following this excellent article: https://forum.mikrotik.com/viewtopic.php?t=143620 The idea is one bridge, and all vlans associated to the bridge, and thus either remove br...

anav

I will agree that since there is no real effort to improve the 'question quality', its no surprize the 'answer quality' is not optimal. Overuse of the word powerful in the explanation, flexible would be more apropos. Recommend to a friend: Not unless they were tinkerers, otherwise the ISP provided r...

anav

Start your own thread, provide network diagram, list the user requirements ( what user and devices you ahve and what traffic they need) and provide your current config
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)

anav

Well if the MT is solely acting as a switch it should have nothing to do with L3 access.

anav

Dont understand why you have two bridges. Its best in most cases to use a one bridge approach, unless its got two separate switch chips in the router. If you have dynamic WANIPs, the hardest part is ensuring the routes are handled appropriately. In most cases this means running scripts to ensure the...

anav

This way means nothing to me, do you want it to act as a router and handle its own subnet or act like an AP, and passthrough router subnets to the wlans .............

anav

Of course it works, the air is so pure in UTAH

anav

viewtopic.php?p=1050875#p1050875

anav

Rhyme Disease '=)

anav

NETINSTALL MT VIDEO --> https://www.youtube.com/watch?v=gzlLbIf3Db MT DOCS --> https://help.mikrotik.com/docs/display/ROS/Netinstall Sage tips/advice on NetInstall if having difficulties ( USE ETHER1 OR the port named BOOT ) ...... a. Regarding Etherboot for all devices, the most error-free method i...

anav

Dont worry, Darknate has a thick skin, not concerned with wall flowers.........

But how insenstive of you mkx to imply the oP may have purchased the wrong product jajaja

anav

Nice!!

anav

No worries, just send $$$ kidding!!

anav

Yes, you can have single bridge spanning both port groups. With potential performance hit mentioned by @anav. There was a bug in how ROS configures VLAN offload to switch chips ... on devices with two switch chips it was necessary to add bridge port as tagged member of all VLANs which span both swi...

anav

Not a chip expert but wouldnt creating the same vlan to cross the two chips be self defeating as this then involves the CPU. In concept, the idea is to maximize wire traffic between ports on the same chip and thus as you surmize, bridge the ports on one chip and the other ports on the other chip for...

anav

QUOTE: vingjfg ( from other thread on same topic )
Hi Macosoft,

Can you provide the output of the following commands?

I may need a larger subset of the configuration later but I want to start with the minimum.

/routing/export
/ip/firewall/address-list/export
/ip/route/print

[/quote]

anav

Please do not create multiple threads for the same issue.

anav

My question is, are you sure you want it to be a Router? By assigning the guest network on the AP, you are really introducing added router functionality and complexity that may not be required. For example why cannot the main router provide the network DHCP etc, and then send at least two vlans in a...

anav

No worries, --> no not a selection for trusted, trusted meaning in concept, different thing! As far as trusted, subnet or vlan yes, and NOT a trusted port (that gets into physical security which is a whole other entity). A trusted subnet (home) or management subnet (business), is the subnet where al...

anav

1. Dont use vlan1 for data, if you have a home subnet, make it vlan11 for example. Vlan1 works in the background on a bridge, no need to make it a vlan. 2. I am not so sure opnvvpn can be a LAN interface, like wireguard and thus would definitely ensure forward chain rules permit traffic. 3. Why are ...

anav

1. How do you know its an attack from the outside.
a. do you have open servers?
b. is traffic to the router itself not protected?
c. did you check with your ISP as DDOS external is something they should be dealing with

anav

Sure I can look, and will respect your wishes to have separate bridges etc............. 1. I'm kinda org freak so moved rules around per bridge basis for easy understanding. :-) 2. The biggest error I see is not tagging the bridge..... as per --> https://forum.mikrotik.com/viewtopic.php?t=143620 3. ...

anav

https://www.vultr.com/pricing/#cloud-compute/

$6 gets you a newer server and I believe another $1.20 or so gets you a backup Service.

anav

The HEX is not capable of accommodating a 1gig ISP connection.
Suggest you look at the hapax3 ( wifi router ) or RB5009 router.
Check the specs --> TEST Results for 512 bytes packet size and 25 filter rules for real world results Mbps.

anav

Still not getting it.
So the MT device is connected to an ISP modem? and gets a private IP? and is acting fully as a router.
What ISP provider?

anav

rextended you see more with one eye, than most with two eyes............

anav

Then the guide provided is excellent and all you need is one port from the MT to one port on the Edge (both trunk ports carrying all the VLANs).

anav

Lacking context, is this device connected to an upstream router and is simply acting as an AP getting a private address on the LAN of the upstream router. The confusion stems from the fact that you state its an AP but then you create a subnet and pool etc, for users and thus you are really wanting a...

anav

Sounds good, an in the meantime I will keep looking for other possibilities.

anav

If by that you mean you wish to have a separate subnet but attached to ether5.
1. take ether5 off the bridge.
2. give it what a subnet needs, IP pool, IP address, dhcp-server, dhcp-server network
etc..

anav

It is not clear ( no diagram) what your network looks like, how the Mikrotik or where the Mikrotik fits, where is the ISP............... etc etc.
For vlans
This is the best guide --> viewtopic.php?t=143620

anav

Regarding official test results One more detail... the official specs also use V6, not V7. If you're not using any V7 features, there might be some merit with latest V6 on a HEX S. Or at least testing it. I beg to differ, I originally bought the hex because the specs for 25 filter rules was easily ...

anav

You should publish all the rule after you implement the suggestion, would not surprize me that something else your doing is getting in the way or is incorrect/
/export file=anynameyouwish ( minus router serial number, public WANIP info, keys, long assed dhpc lease lists )

anav

Ahh, fixed to old mac address or something.
No worries we actually prefer to be blinded by information, its all good info and since many parts are interrelated its important to figuring out the issues.

anav

I would imagine its all very doable but before I wrap my head around it, WHY? You can access your synology locally, do dont see the logic in creating a more complex config to achieve what you wish.??? Besides the direct obvious route, you want to connect to the LTE from your phone while behind the C...

anav

CHR is a onetime lifetime cost. Try VULTR hosters they are very cheap for a 1 gig connection shared CPU Cloud computing 1 vCPU - $5 a month using older generation devices. More like 6 or 7$ for newer amd and intel devices. https://www.vultr.com/features/datacenter-locations/ https://help.mikrotik.co...

anav

Quote: " What have I missed " Answer: Dont know as you only provided a miniscule part of your config..................... You have been inflicted by the new posters disease!! ;-) I dont know what the problem but I think I know enough not to provide my configuration :-) Please provide full ...

anav

Not sure if there is any real gain by doing that. If you dont trust the VPN, there is nothing to be gained by putting the tunnel behind another router. You have firewall rules on the local MT router for most other things. Better security would not to use nordvpn LOL. Set up a CHR in a VPS and have y...

anav

n/m duplicate post, apologies.

anav

Well adding new elements is confusing for sure. Before we get to vlan 50 1. DId you add a router for LTE in the main table either through IP DHCP client or manually with distance=5. This will ensure that the router alway chooses the CGNAT connection for local traffic first. 2. I am assuming that the...

anav

+1 For a long term stable Vers 7.12.1 variant!

anav

I understand your confusion. You only have one external main route for WAN traffic and thus all your local traffic should use that route. I think the problem is that you dont have a regular route for the LTE WAN setting. Either Accept default route in IP DHCP client but set a distance of 5 or someth...

anav

Less significant, means it doesnt fit into the business planning ( aka profit models and future product planning ). Any change requires resources and those are tightly controlled. @normis I agree with Pe1chl, 7.12.2? whatever was the last one, may be an excellent candidate for long term stable.

anav

Notes: 1. One bridge get rid of wan bridge (sometimes needed but rare" EDIT UNDERSTOOD FRANCE ORANGE REQUIREMENT ] 2. Remove admit only vlan tagged from bridge setting. If you need to apply frame types do so on the /interface bridge ports for standard results. 3. Understood ether8 off the bridg...

anav

Interesting setup. The requirement is not quite clear as you have not said a more directed statement such as: I would l like to be able to, from my home WORK VLAN, access the OVPN tunnel, without having to move my laptop ethernet cable around. It does seem as though you want to also reconfigure thei...

anav

To flesh out the wifi options:
discussion:
viewtopic.php?t=202578

MT docs page:
https://help.mikrotik.com/docs/display/ ... s+packages

anav

Senje can you provide a bit more detail on how you solved the issue.
Did you create a vpn tunnel and then use static routes?

anav

My bad, I thought you were wanting how to setup zerotier.............. If you mean you need to learn how to setup containers ?? https://help.mikrotik.com/docs/display/ROS/Container?searchId=5FV4ZUOBG https://help.mikrotik.com/docs/display/ROS/Container+-+mosquitto+MQTT+server 3 Part MT videos on con...

anav

If by the video you mean setting up hybrid ports on MT routers, piece of cake! The ether port is simply pvid for the port you wish to pass untagged in /interface bridge ports, and in /interface bridge vlan settings, simply tag the same etherport port for all vlan-ids needing to be sent tagged and fo...

anav

Good idea MKX, I have SSH setup as a backup on some devices and mainly use WG to access and between two MT devices I use simple SSTP.

anav

Forward chain... simplified /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,re...

anav

Sound like misconfiguration on the regular routes.

anav

No worries, thought so, it seemed out of character for you so go to know!

anav

Hi there, thanks for the feedback. I am actually more interested not in the mechanics but WHY? Is it a useful thing, or an extra that most dont need? The 2116 is a POWERFUL router so its not like you have to save CPU cycles. I usually focus on what traffic is needed for my users and devices, I dont ...

anav

If you look at the specs [ TEST RESULTS } for the router, 512 byte sized packets at Mbps speed, with about 25 filter rules provides the most realistic view into what one should get for real world speeds it looks like No rules - 1820 Mbps 25 queue rules - 735 Mbps 25 filter rules - 385.4 Mbps Conclus...

anav

If all else fails, use Netinstall to get where you want to be..... /export your config first, so you know what you will need to put back in afterewards via winbox or CLI interface commands.

viewtopic.php?p=1050175&hilit=netinstall#p1050175

anav

viewtopic.php?t=195492
viewtopic.php?t=183424

anav

Get rid of the ideas of using vlan1 for a vlan, turn it into vlan11 for example, and carry one.

anav

Good catch, seems like a new search filter/feature not tested, weird.

anav

Now lets say on ether5 for example you have a legitimate requirement to pass a hybrid vlan ( be it voip device or a unifi vlan with controller and Aps etc..) Then its simple. FROM smart device to hybrid device, create a hybrid port at both ends. ON MT /interface bridge port ---> PVID the SINGLE vlan...

anav

Hi there, No you do not need to make any configuration for vlan1, the router handles that transparently and dynamically in the background. The admin focus should be on the data vlans! :-) Thus I have no clue why you would wish to use or pass VLAN1 carrying data to any device??? For example I connect...

anav

Hi there,
No you do not need to make any configuration for vlan1, the router handles that transparently and dynamically in the background.
The admin focus should be on the data vlans!

anav

/ip firewall address-list add address=IP1 list=Admin (desktop) add address=IP2 list=Admin (laptop) add address=IP3 list=Admin (smartphone) add address=IP4 list=Admin (wireguard IP - assuming MT is a wg server for handshake) /interface list name=WAN name=LAN name=Manage /Interface list members add i...

anav

so what's the point of not supporting other architectures like mmips, taking into account the huge number of devices out there? Business Decisions: LIST OF POTENTIAL ACTION ITEMS BUDGET AVAILABLE THIS YEAR PRIORITIZED LISTS weighting factors - which devices can gain functionality without hardware c...

anav

1. Looks great, I would also consider changing the default port on wireguard to something else, 15496 etc..... 2. you can get rid of this default setting which is often hard to find ( DNS static settings ). /ip dns static add address=192.168.88.1 comment=defconf name=router.lan 3. I tend to put all ...

anav

Your forward chain firewalls have become messy with needless duplications and you are missing THREE DEFAULT RULES>. The rule in red, is open ended ( not a good security practice in general ) and should be removed to clarify requirements..... add action=accept chain=forward comment="Allow IPSec ...

anav

Suffice to say, I was unable to get to the DNS questions, as other issues need to be resolved first, but in that vein, can you explain what you are doing in DNS?
It seems you have two local IPs for DNS, please explain.
10.10.0.5
10.10.0.7

anav

Going back to first principles........... Dont mix apples and oranges, when you vlans, do all vlans, no bridge dhcp etc. As per the article --> https://forum.mikrotik.com/viewtopic.php?t=143620 ADD: /interface vlan add comment=HoM interface=BR1 name=VL10-HoM vlan-id=10 /interface list members add in...

anav

In simple terms, if passing vlans from one smart device to another, this is done normally via a TRUNK PORT at both ends. There should be no PVID assigned which basically tells the router untag the traffic leaving the port and tag the traffic entering the port with this vlan. Not relevant between two...

anav

Sorry, I know very little about hotspots, other than people also setup Usermanager (radius server functionality) along with the hotspot. https://help.mikrotik.com/docs/pages/viewpage.action?pageId=56459266' https://help.mikrotik.com/docs/display/ROS/Hotspot+customisation https://help.mikrotik.com/do...

anav

What kind of traffic do you want to delete/block? Specifically 67-68 port? It can also be locked in the RAW section. It is not necessary to use Bridge-filter. Are you using default firewall settings? Is there a need to block such traffic? I haven,t seen in many configs, with this type of ruleset so...

anav

Good day. 1. According to this page there is not a Routerboard 750? https://mikrotik.com/products/group/routerboard Perhaps you were thinking about A ROUTER of the 750 series.... known as the HEX lineup. All start with RB750xxx(x) and the xxx tells us which model it is. I provided links to two of th...

anav

Whats your point McGremlin? I am reading mixed messaging here. First, you clearly found rextended's post amusing...... (even a smiley face). EDIT: Just find out that it's an old thread so it was a waste of time for me writing this post... But your's reply was really nice, rextended :D Then here you ...

anav

I would suggest posting your config as it might simply be an error your not seeing. ( less router serial number, public WANIP info, keys etc.)
You can use the code quotes above so the post is short (black square with white square brackets (on the same line as B and U for example)

anav

Really a straightforward setup for the most part, the question I have is why do you have TWO ethernet ports going to the hypervisor on the left?? You only need one port going to a smart switch for example if it was there instead of the hyper visor. Thus I would need to understand what the hypervisor...

anav

A network diagram would be helpful to explain your network, not quite getting it..........

anav

As per the link, time to have a reread, you will see that the bridge should do no DHCP, and its all vlans! Therefore you create vlans for all your subnets and they have interface bridge. The vlans get ip pool, address, dhcp-server, dchp-server network The vlans are part of the lan interface list the...

anav

Awesome! The effort now will be worth it in the long run.

anav

Glad its working for you!!

anav

Regardless, keep the firewall rules as is, if you are happy with performance. However, the multiple bridge approach is really not used anymore, if it ever was. Please use the linked article to reduce your bridges to one. It reduces complexity of the config so that any errors are easier to spot. ( sa...

anav

I'm hungry already!

anav

Even better, a free trip to a resort with at least one overnight stay included, the Mrs Bpwl, can enjoy a trip too I'm sure!!

anav

Another thing in my Ros devices which are faily hard locked (students on holiday press reset and do power off/on sequences as they learned this somewhere as universal problem solving) is using a mode and reset button sequence to activate some script that will open the door for management access (in...

anav

Well holvoe, since now you say its true, bpwl and I can put away our dart and ouji boards, these anal plucks we come up with, just for fun, can be nerve rattling, of course until proven true.

anav

IMHO the config is a bloated mess, more concerned with stopping traffic than simply only allowing needed traffic.
The first place to start though is a one bridge concept and all vlans, bridge does no dhcp.

viewtopic.php?t=143620

anav

n/a wrong thread.....

anav

Courtesy of Sob , (the problem): "- user client 192.168.88.5 wants to connect to www.myserver.net, resolves hostname, gets 47.123.12.89 and sends initial packet to it - client doesn't have any idea where 47.123.12.89 is, as far as it knows, it can be on the other side of planet - dstnat rule c...

anav

Interesting, with my limited knowledge would never have seen that coming.
I certainly would have not posted after you noted the possibility.
I have reported the post as well.

Hopefully, there is a clean explanation as the script is interesting nonetheless.

anav

So basically, the OP asked for a way to deceive the service providers mechanism to prevent abuse of his internet connection? I thought it was a simple case like my own fibre dynamic IP provider, when the IP changes so does the gateway but the gateway used in my Routing Rules does not get updated, an...

anav

In a nutshell, a. you use a third party VPN provider for one or more subnets going out wireguard. b. you also have servers on the LAN that (i) internal users use Q1. How do you prefer internal users access server ( by direct LANIP ?) (ii) external users use Q2 . How do external users access the serv...

anav

One should note that neighbour discovery is the helpful key to making this work really well across multiple MT devices on the trusted Subnet ( aka ensure that trusted subnet is in interface list and that interface list is in neighours discovery). I believe the default is LAN, but as soon as multiple...

anav

Curious, is it monetized if you dont hit subscribe??
Agree, if you have the fix just state it and one can refer to more detail in the video.

anav

Yes of course! Just set it up more like a switch aka no need for dhcp, firewall rules etc.... This should help with VLAN work............ https://forum.mikrotik.com/viewtopic.php?t=143620 and also the pointers given at this post highlight the main points to consider for this Switch device. https://f...

anav

Clearly one has to let at least two years go by before stating thanks for the reply.
I thought it was funny, but I have a sense of humour.

anav

Not a bad improvisation! I am still curious as there has not really been a handshake at all, just two clients somehow connected and maintaining a connection. I wonder what the underlying virtual structure laid down looks like. Also what happens when one end loses communications? In a typical lost co...

anav

Geez another handsome and wise poster, but I still give a slight edge to BPWL ( on which attribute I wont say )

anav

Follow the smartphone if you want to follow the market.. As of Dec 21 2023 --> https://gsm.cool/blog/article-wifi7 / https://www.epey.co.uk/phone/wi-fi-bands/wi-fi-7-802-11-a-b-g-n-ac-ax-be/ What I am tracking though: Rumours of Apple 16Pro with wifi chip 2024, Apple17PRO with first time APPLE WIFI ...

anav

Already did, see above for firewall rules applicable to the OPs post. Oops I actually assumed you read the thread. ;-PP

anav

My usual line is once you go vlan, go all vlans and not have the bridge do anything but bridging (no dhcp). The issue is the bridge is handing out traffic and a LAN and yet you have a vlan doing the same thing on ports you connected to the bridge. Also you are missing the required /interface bridge ...

anav

You Sir, are wise and handsome!

anav

https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608 Failover (WAN Backup) This is a basic failover guidance document, where no other traffic is involved or discussed ( no LAN servers, no VPN etc....) just two wans and a LAN. I see two major problems on this doc: 1. Why does MT bring...

anav

If I had my choice, any person caught using chapgpt should be banned for life LOL, but in the case when chapGPT rules our lives I wont say boo, for fear of being persecuted by ones and zeros. Did you ask GPT about the official mikrotik documenation as well? Just curious LOL. In any case, you other a...

anav

1.Organization of FW rules by chain is personal preference, much easier to read and spot errors. 2. Order of rules within a chain is CRITICAL 3. No issues, safe to use DNS service of router, that is what it is there for. I often include, in the input chain an interface LAN rule for NTP but also add ...

anav

Learning curve: Many things will work somewhat in MT even when configured non-optimally. Doesn't mean you wont run into issue at sometime. 1. You have two options for WAN2. A. the neighbour, on his router, has a way to ensure you always get the same IP address ( set it statically on the lease, like ...

anav

Not off the top of my head, not a big network sysadmin guy but I would certainly check out winboxremote, now called Admiral for a paid solution.

anav

My experience was otherwise, often I would have to go through bridge vlan filtering=yes four or five times (using winbox, mac, safemode etc...)
I didnt come up with a safer method, just for the fun of it LOL.
Provided through experience!! Your mileage my vary.

anav

Adding: if such a user has Safe Mode active and then the bridge burps kicking each connection out ... he's back at where he started. Sounds like have discovered the infinite loop ;-) Yes safe mode is good practice when mucking about in the config, for the bridge configuration the best approach IMHO...

anav

Some advice, quickset --> avoid! I'm assuming that you have need of multiple SSID/WLANS due to different types of users. - secure home users - untrustworthy IOT devices - vid Cameras - guest users. All which may or may not require different subnets. If they are on their own subnet then they probably...

anav

Hi AMMO, there is a reason its OFF at the start and ON at the end, and also a reason why I often suggest doing any bridge config OFF bridge from an etherport direct. The bridge burps the router kicks out and the OP is left confused and frustrated. Its not quite the reason given in documentation,,,,,...

anav

Knowing what the ISp1 defaults to, would consider moving to a different subnet architecture for the main LAN subnet. One of the reasons, recursive failover is helpful, is that if one cannot reach the external IP DNS IP address, the router moves to the other WAN. It is really useful for when the ISP ...

anav

Yes, nothing like a short video showing how the electrons are moving about, with some appropriate IPs, and text, would make it crystal clear, but I dont have those skill sets. I relied on explanations from others like MKX, to help understand. Its not something that sticks and have to relearn every t...

anav

There we disagree,
add chain=srcnat action=src-nat dst-address=SubnetofServer src-address=SubnetofServer

Is tres simple!! In zyxel speak, there was a checkbox called loopback to enable. Never knew what it was for until I started using MT devices.

anav

When you do and run into issues, the best thing to do is export the full config
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc...)

LLU

anav

So you are using an application to do this???? Me is confused. My impression then was incorrect. I thought you were using a. mynetname or some other dyndns URL when external to the router to access your server AND b. you were able to construct an internal URL of sorts ( a way of pointing to the inte...

anav

Larsa, I could kiss you but for fear of catching something dreadful, I will not. :-) Yes, frustration and the like is but a symptom of not having enough process and structure at the beginning of a posters experience here. I am trying to address root causes and not focus on symptoms. I listed all the...

anav

PCUNITE:::::::::: Looking at a forum post, it was clear to me that we need to add something in the main body text, making it clear that bridge vlan filtering YES NO, needs to be explained. I only found the functionality shown in the scripts. An OP looking at the scripts may see the top initial setti...

anav

Good advice holvoe............ ;-) Something like an off bridge access to config the router and emergency access anytime the bridge burps eh!! Looking at the article I can now understand the question on bridge vlan-filtering setting. No where in the article does it clearly state this requirement, at...

anav

Basically I cannot picture how hole punching would work with WG (and not in the docs)

This especially. How would the cloud instance create a hole to two entities that have no public IP aka CGNAT, then faciliate a direct connection without relay???
Perhaps MT has discovered true magic. :-)

anav

3) using hole punching. this means relay only helps to find both ends, but traffic will go direct. I guess now I have questions... Under what conditions does it use hole punching? Does that require the BTH app, or can a normal WG use "hole punched" BTH too? Basically I cannot picture how ...

anav

Tangent, I am interested in your internal host name solution as it may be an approach worthy of more discussion. Typically my response has always been WHY are you sending internet users to your server by DYDDNS URL or mynetname (aka thru WANIP), instead of just using the direct LANIP. Seems foolish ...

anav

Your configuration is incorrect and there may be multiple compounding errors.

anav

Without seeing the config, its hard to know where you went wrong. In general, MT device gets IP from the trusted VLAN, This is the only vlan that will have the bridge tagged in /interface bridge vlans The rest of the vlans are tagged on the incoming trunk port and either tagged out another trunk por...

anav

To put it simply, MT devices accept trunk ports, access ports and hybrid ports without issues, regardless of vendor.
Internally, this is the best guide for at least routers... viewtopic.php?t=143620

anav

Perhaps you should make use of Mozerds most excellent service, light years ahead of the game in the DIY category......

anav

But then you would need french beurre and Canadian Maple Syrup.

anav

Strange, its not like you have some secret recipe for vodka

anav

Thanks for the feedback! Good catch.
For knowledge, what would be a good use for switch1-cpu switch filtering USE CASE ??

anav

Nothing better then finding the issue oneself.......... Often by trying to explain a config one sees the problem!!

anav

Its cold in St Louis, perhaps time has also frozen.

Search found 19553 matches