MikroTik

anav

Sounds like shooting oneself in the foot.......

anav

Not true. I user whats app on my home wifi without any special settings for it. The mikrotik router is not app centric ( cannot block solely apps ) Your firewall rules are a bloated mess and probably have something to do with the issues. However, one needs to see the full config to asses what the fi...

anav

If truly DDOS then its the responsibility of your ISP and their upstream providers to counter an attack.
Your router is not equipped to do so.

anav

A couple of pointers on the last post. 1. The dst-nat rule does not require dst-address-type=local . 2 The general hairpin nat rule that will cover all servers in a subnet, or if just one............ one rule. add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address= Local.Serv...

anav

Two ways, use of routing rules or use of mangles,
Either way you will need to add a table and an IP route.

anav

Yes, gre is set as protocol. On remote router i left src address. I was lazy...

Showing the config or pertinent parts thereof would be nice!

anav

Do you set GRE protocol or not?

anav

Being of the drop all ilk at end of chains, I would prefer forward accept source-address=list=xxx out-interface-list=WAN disabled forward accept source-address-list=xxx out-interface-list=LAN disabled and let the admin decide if the users need one or the other or both. one could argue EQUALLY that p...

anav

To RECAP. Hex is a router behind an upstream Router. The WAN IP for the hex is also its LANIP on the main subnet on the upstream router. The upstream router also has a guest subnet. The main subnet comes in on ether5 and we tag it with vlan200 The guest subnet comes in on ether2 and we tag it with v...

anav

Okay, great feedback, not sure whats going on between hex and CHR......... but lets stick with hex reality.

Quick question. What IP addresses do the switches get ( from 900 vlan [( aka hex ) , or 200 vlan ( aka upstream router lan )] ??

anav

The CHR has no LAN subnets may be the case?? The first rule allows all users coming in on wireguard to access all interfaces (subnets) listed in LAN. You may wish to provide limitations as to which subnets they have access to, or which wireguard users can access all subnets or even further which sub...

anav

Have a read of para H. for ideas. --> viewtopic.php?p=906567#p906567

anav

2116 seems to have the specs you need.

anav

a. Why does the BTH config on the MT create a firewall rule blocking remote client to local LAN interface? Mine is empty. Not sure how the "back-to-home-lan-restricted-peers" address-list in firewall gets populated actually. So rule does nothing in my case. b. Why does the BTH config on t...

anav

Connecting via WG to remote?
Too much missing info.
Post full configs on both routers
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)

anav

Okay, so this is all good information to know prior to looking at the config. The config is a story and the story is starting to make sense. Will have a relook at the config with a more informed context. :-) To be clear, a. do you get two public IPs from your ISP provider and sending one to Other lo...

anav

Only when I get my wifi7 smartphone which is what vendors should be aiming for in the home market.

anav

Fair enough, good thing my internet traffic is clean and doesn't need extra filtering

Hopefully someone else will pop-in.

anav

You need two reachable ip addresses on both devices. They need to see each other, as a matter of speaking. But you got it all backwards. You may want to start with describing user requirements, drawing of your network setup and export of all related devices :lol: Glad to see the brainwashing is wor...

anav

Sweet, I will be adding a remote RB4011 via WG to a ROMON list next week. For now, I want to try it locally. I have an RB450G attached to my main router but natted and it doesnt show up on my winbox list and I would like it to!!! No wg just Main ROUTER LAN to RB450G with local LAN address also the W...

anav

Now someone is finally providing useful information with which to discuss further. a. Why does the BTH config on the MT create a firewall rule blocking remote client to local LAN interface? b. Why does the BTH config on the MT create an input chain rule - because the router is still responsible for ...

anav

How are you having users connect to the device on vlan10? Direct LANIP address or some sort of DYNDNS name/url? Are users coming in Primary WAN1 or Secondary WAN2 ?? MANY MAJOR ISSUES: 1. Only two of the vlans have full networks, not sure what your expectations are for vlans 88 and 100 (where are th...

anav

Just put it down as a business loss, sending you postage to send to my location. :-) Its not something I would consider funny. https://forum.mikrotik.com/viewtopic.php?t=160561&start=300 I read the thread, couldnt find one single mention of supout report let alone the 100s I expected to see. Al...

anav

Hard to have sympathy reading this thread as Rextended alluded to ........ where are the 1000s supout reports..........???

anav

Firstly a better and original source for that documentation is found here..... https://forum.mikrotik.com/viewtopic.php?t=143620 Where you will find its best not to use vlan1 for data vlans. Also that when you change to using vlans on the bridge its wiser to go all vlans and have the bridge just do ...

anav

I dont follow.
So your configuration is based on fear and not facts??

What leakage are you talking about??
If I have a WAN or two, and a LAN with one flat subnet or multiple vlans in subnets.

YOU DECIDE in firewall rules (L3) where traffic is allowed to go.

?????????

anav

Just put it down as a business loss, sending you postage to send to my location.

anav

Good point, my bad, that rule got left out for some reason and I didnt notice. Its a standard default rule that should always be there, good pickup!
Added to the above to ensure accuracy.

anav

Sounds like an infestation of bloated firewall rules, which always cause unforeseen issues, especially by the copy whatever they see on youtube videos disease.

anav

Ahh okay, you are talking switches, I thought this was a Router discussion.
THus far you are talking gibberish, please give a practical example of what traffic you wish to flow through the ports or not flow through the ports.

anav

Oh you mean the version with WIFI7 and zerotrust cloudflare as an options package for all Devices.

anav

Yeah but ... if your IP setup is somehow bust, you're a dead fish too. No IP access anymore. Romon will still allow you to access those devices then via EOIP over wireguard (provided that channel is still operational). Zerotier will work as well for the same reason (L2 access). I have a different f...

anav

Its called blissful peace of mind. I dont log

While your worrying, I am reading a great big book about how to help people with networking anxiety.
Apparently you can hit them over the head with a book, or tell them not to log.

anav

anav, before I answer. Have you used the BTH app and understand what it's purpose is? It enables Wireguard in router. That is all. No, I have not set it up yet because I dont understand how it works and likely not to unless I understand the role of the router is it a server for handshake - seems li...

anav

In view of learning something new, how does this relate to traffic from user to user, user to internet, internet to user, user to device, device to user.
What traffic are you
a. trying to allow?
b. afraid of that you need to block?

anav

Funny I log into all my routers via winbox over wireguard without ROMON.
I am not so lazy LOL. Just type in the IP address and winbox port at the top............. EOIP not required ;-PP

anav

Observations. 1. Remove IP DHCP client settings, your WAN connections are handled in the PPP menu. /ip dhcp-client add comment=defconf interface= *12 2. MAIN REASON is that you botched the mangles . YOur mangle rules are a large mess. I provided the short and sweet config needed........................

anav

Ahh so you are at work Normands, still waiting for the detailed response to this post ( you can use email if you prefer ) viewtopic.php?p=1046445#p1046445

anav

So you are starting from scratch and want to be spoon fed without an ounce of effort, good luck with that.

Try here --> https://mikrotik.com/consultants

anav

Correct, and thus the linked article was not followed, all good now I will bet.

anav

In IP DHCP client one clicks on the particular WAN connection and then looks at STATUS tab.

anav

You could reset to default or practice modifying the rules USING SAFE MODE. Not my partship to do....

anav

Correct, I prefer to manually insert the untagging as a visual crosscheck to make sure my bridge ports and bridge interfaces line up.
Also the untagging doesnt show up when exporting a config........

anav

My apologies, there was no indication that the router was behind another router......... Still a good practice to encrypt to the router and then visit the LAN or the config, especially if already using WG.
Good luck with L2TP issue, not an L2TP expert.

anav

Last post........ You didnt modify the firewall rules and your port forwarding destination nat rules are worse.
Good luck!

anav

Okay so your concern is what if the server Router is removed from the picture. The main reason why a tunnel would fail is if WAN connection was stopped or the router broke. a. If the traffic failed on Server Router1 for handshake (either router1 failure or internet failure at R1) routers 2,3 would n...

anav

1. You dont need to create two wireguard interfaces to isolate users. There are two easy options. a. Use firewall rules at R1, simply do not create an allow rule from one wg peer to the other wg peer..... b. Assign two different WG addresses on R1, one address schema for WG USER SN and another addre...

anav

Okay glad you got it sorted, will provide what I did next just for your viewing pleasure LOL.

anav

The doc shows it but your config still not correct. /interface bridge port add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-priority-and-untagged interface=ether2 pvid=9 add bridge=br-dcwifi ingress-filtering=yes frame-types=admit-priority-and-untagged i interface=ether4 pvid=8 add bridg...

anav

Decent! Observations (1) One doesnt make port forwarding rules in the forward chain thus get rid of this .... The only thing that should be in the forward chain is one rule allowing dstnat. All port forwarding details are put in the dstnat chain rules. Also its in the wrong order if it was to be in ...

anav

I thought I had a solution but then ran up against the MAIN ISSUE. I see conflict in attempt to tell the R1 router how to route traffic headed towards theR2 subnet. a. L2TP for R1 subnet to R2 subnet b. Wireguard for remote users to same R2 subnet. Why not send R1 Subnet users ALSO over wireguard to...

anav

For mangle rules you dont need the first sets of rules................... Not explained properly by the video author, why he has the first set of rules which dont apply YET in your simple case. Start here for required rules........ You dont need both new and no-mark, no-mark is a better option norma...

anav

Sure, first I would update the firmware to the lastest stable update, 7.8 and earlier 7 versions had issues. Just to confirm you DON'T WANT primary/failover you want PCC/failover. The difference is that in primary/failover, only one ISP is providing connections. In PCC both ISPs are used at the same...

anav

https://mikrotik.com/consultants

anav

Yes but your assuming AmmO can find the other thread.

anav

Dont look at me

. You need the expert and prompt advice of the perps Ammo and Holvoe to the rescue!!

anav

Edit: Please ensure you let folks know your router is behind another router, especially with unsafe configs as per below!! Even still I would only allow VPN to the router and then access config/subnets. /ip firewall filter add action=accept chain=input comment= "Router Access Remotely " ds...

anav

Read through this article and pay close attention to /interface bridge ports and /interface bridge vlans to find your error

viewtopic.php?t=143620

anav

No point in showing you dont know how to config the router just yet. Please attempt the readings and then come back and post a complete config. Understanding is more important then copy and paste at this juncture /export file=anynameyouwish ( minus router serial number and any public WANIP informati...

anav

Sounds like a scenario for double nat. Modem, to MT Router, then to TPLINK router (for vpn mostly).
The hex need not route as my earlier post and can be connected to the AX as a switch.

anav

Ahh okay, I see you only have one subnet and are using a vlan for that. A bit unusual but perfectly fine.
My question is, where are your firewall rules?
Where is your internet connection??

anav

Have some reading to do!!

viewtopic.php?p=908118

viewtopic.php?t=191442

Only after you have gone over the above.....
viewtopic.php?t=179343

anav

Any devices connected to your bridge ports should be able to see each other as you only have one flat network at L2. The firewall rules are for L3 traffic and they couldnt block same lan to same lan traffic anyway. Config looks okay on quick look. A. Either all are connected to PCs with strict firew...

anav

One bridge, dont uses vlan1 (use any other for data), recommended NOT to use bridge for dhcp...........
viewtopic.php?t=143620

anav

If the modem passed the internet to you within a vlan then you need to set the vlan also on the router in most cases.
There is no harm to set the vlan in the router.

/interface vlan
add interface=etherY name=vlan-WAN vlan-id=XXXXX
/ip dhcp client
add interface=vlan-WAN

anav

I have no time for guesses, this is not a circus but you sir are a clown............. If you need to work on your imagination, go read a book.

anav

Maybe?, dont you even know what you have???
In any case, no need for TPLINK router at all

anav

No need for vlan if the router gets a public IP and everything works in bridge mode.
If it does not then set vlan on modem and set vlan on router.

anav

BUT... I'd really recommend just start again with a new config... I personally think the default firewall is very well-calibrated (e.g. generally modifying the interface-list to add an WANs should be needed for 99% of CPE use cases). Disagree, not just a new config, NETINSTALL first , then new conf...

anav

I cant wait for holvoe to provide the necessary information!!!

anav

First, this is not a TPLINK forum and second, there is no such model TP link er650. There is however a wifi-extender (NOT A ROUTER) called the TP link RE650. This can be connected by ethernet to one of your routers to act as an access point. However its a dumb access point that cannot read vlans. At...

anav

Awesome, glad its working for you now.

anav

Nothing broken in Wireguard, simply MT has added in additional setting for BTH Wireguard and it can get a tad confusing is all.

anav

Lastly, and again sharing Anav's point of view leaving an open resolver is not best practice, and in all cases, not something any client should pay a consultant/service provider for. Find out who was responsible for those configs if provided by your company and if they are not gone, they should be ...

anav

A default config should not slow the performance. As intimated, its probably residual blocking going on from leaving DNS open...... Note here how DNS is allowed ONLY from the LAN, and in fact is the only thing LAN users should have access to on the router itself and perhaps NTP (for certain devices)...

anav

That's nice. Now how do you expect us to help with practically no useful information.
What are you connecting to for example, third party VPN service???

Need config
/export file=anynameyouwish ( minus router serial number, public WANIP information, keys etc.)

anav

Okay, your diagram ONLY shows you getting a private IP from the ISP modem/router. Is there another diagram showing you getting a public IP from the ISP modem if so show that instead with fake numbers for example on the diagram. THe LANs will stay the same behind the MT. OR, can you on the ISP modem/...

anav

Sounds like YOU are the problem! :-) Lets look at the config. 1. Why do you slovenia telekom as your DNS server. If you want ISP provider DNS you can set that in the IP DCHP settings or pppoe settings for example (dial out). Most folks use something like 1.1.1.1 or 8.8.8.8 for external servers.........

anav

Different vendor.............. You will pay through the nose for a higher end device that can still provide the throughput required with IDS services applied and by the way those IDS... DPI services are not native to the router, you then additionally have to buy subscription services to activate them.

anav

Sorry your requirement makes no sense. Dont care about what you want to try on the config...... illogical What are the traffic requirements from the user perspective? What equipment do you have and what is the network design.....? ROUTER to MT acting as a switch?? OR ROUTER to MT acting as a ROUTER?...

anav

Classic error of trying to keep the bridge doing DHCP. If you need another subnet take the one you kept on the bridge and make it vlan10.... or something.
Many other errors as well.
Suggest you read....
viewtopic.php?t=143620

anav

Trust me, when attemtping to diagnose errors on my own config and a million other peoples config, its much easier to spot firewall errors when chains are grouped together. Of course, it doenst matter which chain is in which order, but it does matter within a chain the order. Ordering the chains them...

anav

Wojo........... If you are familiar with OSPF Looking to do something for failovers. Imagine 2 WAN inputs to MT router............. and a CHR on a VPS in the cloud. What I want to do is connect the two WANS via wireguard and L2TP (plain -->best way to handle packet fragmentation), [from MT router to...

anav

Well I have mine listed but that is because they are on the same network and same subnet for IP address.
ROMON is s tool that allows that sort of thing I think

anav

Awesome, glad its worked out for you........ Ive done many dumb things when it comes to MT, and most due to my lack of understanding of basic networking.

anav

Then please post full config, there is something else on the config p erhaps.

/export file=anynameyouwish ( minus router serial number and any public WANIP information, keys etc.)

anav

Please post full config so I can see what is going on. please.
/export file=anynameyouwish ( minus router serial number and any public WANIP information )

anav

Wrong approach gig.......... You know better.
You dont plan and start the config without knowing all the requirments and attempt to totally change the requirements at the end.
Is all traffic working as expected.............

anav

Only a fool thinks firewall rules need not be considered in wireguard traffic. I wont even look at the config until its one bridge and all vlans (bridge does no dhcp).
viewtopic.php?t=143620

anav

It also sounds as you have not turned off all router services either......... post complete config

anav

Yes, I now can ignore everything in orange becauses its nonsensical. Between these two locations is Wireguard P2P tunnel it's on same ISP provider , so I use internal IP addresses and it not go through internet, only through ISP LAN network in same city ). Whether or not the two ISP connections are ...

anav

Very good question, I have been asking Normis for clarification on the BTH thread in Announcement to get at the heart of these matters.
Thus far, disappointing answers.

anav

I think the issue is the smartphone blocking, as none of the changes above would necessarily block anything.

anav

Really well done for the most part....... dst address needs to be gone, and needs to be enabled! Modify this /routing rule add action=lookup-only-in-table comment="MY SMARTPHONE TO WG VM16 DOCKER" disabled=yes dst-address=0.0.0.0/0 \ src-address=10.2.1.197/32 table=_wg_vm16_docker TO /rout...

anav

NOT correct, for example this are bogus nonsensical entries for bridge ports. add bridge=onebr interface=vlan200 add bridge=onebr interface=vlan800 add bridge=onebr interface=vlan900 Vlan200 is NOT a LAN member has nothing to do with local hex.......... Similarly client-list is not a WAN, its was a ...

anav

What I would do is create a Wireguard tunnel between the VPS and the mikrotik router. The server and files would be hosted on the Mikrotik Router. On the CHR I would port forward inquiries coming in externally from USers or in this case just the admin, to the VPS public IP or domain name/url etc.......

anav

I am sorry, do not understand the architecture?
I have two connections locally to the same ISP, but each connection gets a different public WANIIP from the provider. Two different accounts.
I connect them via Wireguard as well.
What you describe does not computer for me, so unable to help.

anav

Well stated vinfgjfg!! ( all that info was on the link provided, not sure how mangling got into the mix either ) The only issue is your last sentence has a typo...... Lastly, You may opt to isolate the router on its own subnet. In that case, only the dstnat is needed as you are no longer doing a hai...

anav

> Next post intimates that it doesnt work with different Winbox Ports?? only the BTH app (!) needs the default port. To set it up. We might fix that, but then again, if you have custom ports and whatnot, might as well just use winbox > how to setup the Mikrotik manually, when using your relay point...

anav

Wish I had more info for you on BTH, but normands was on vacation today and didnt answer my BTH questions LOL.

anav

https://www.zabbix.com/forum/

anav

Yup, they were not required if doing recursive on the main routing table.
As stated full config, no more part configs..........

anav

https://www.youtube.com/watch?v=nlb7XAv57tw&t=26s
https://mum.mikrotik.com/presentations/US12/steve.pdf

anav

Yeah, if you have a fixed/static WANIP, then you need to delete that first rule, its getting in the way. The fourth rule below is just a duplicate of the second rule, and should be removed as well. You should only need two rules. Question: Is there a reason on the SOURCENAT RULE, why you feel the ne...

anav

My opinion is yes, you should be able to maximize your 2.5 gig throughput as its rated to approx 3gig with 25 IP filter rules.
It is a new ARM64 product so the support should be good for many years.

anav

Yes, Normands, most interested in the manual setup. My question is regarding how to setup the Mikrotik manually, when using your, for want of better word, cloud touch relay point. Its not a full blown WG server, but a connection point that allows users to reach the MT regardless (no public IP and IS...

anav

You keep changing the story. Yes, it is common to use wireguard, as a safe method, for external originated traffic to reach a server or to config the router. PROTON VPN is not for this, its for traffic originated on the router heading outbound . Two different cases. You don't seem to grasp that exte...

anav

Just to be clear, the upstream router belongs to house owners and the hex belongs to you a tenant, and they dont have any wifi but would like to use your wifi?? Now yes you can setup your hex router as a router (double nat) and thus have your own subnets/vlans You can provide guest vlans that they c...

anav

https://www.youtube.com/watch?v=YLtGQAQ8iS0

anav

What the hex is Ampere..... MT sold with a tazer ??

Assuming its like a new Cloud virtual computer or something not linux, not windows but something else VPS???
https://amperecomputing.com/

Is it software is it hardware.... seems rather vague to me.

anav

Yes ISPs can be ornery too, we have a bell fibre ISP that blocks ICMP ping as a normal function of their provided modem/routers and it cannot be changed by the home owner.

anav

Just because things work for a limited test set, doesn't necessarily mean the config is correct LOL. MT can be misleading in that regard. The errors will bite you sooner or later.

When you think you have a near finished final product post again.......

anav

Not sure why you are continuing with off bridge setup?
You dont have enough ports ( with 5 on hex ), you need 1 for client on Main WIFI router subnet, 2 for 1790, 3,4 for switches and 5 from wifi router???

In terms of vlans, read this.
viewtopic.php?t=143620

anav

If its not working then I need to see full config as answering any more questions requires complete understanding.
/export file=anynameyouwish (minus router serial number, public wanip information, keys etc..)

anav

Rule in forward chain needs to be add chain=forward action=accept connection-nat-state=dstnat The old default rule can be deleted but you need to add two more rules. THis one above it....... add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="internet traffic&q...

anav

Nobody likes chasing a moving story.
Right down all the requirements.

a. identify all the user(s)/device(s) and groups of users/devices
b. identify all the traffic flow they need.

Also, do you control the upstream router or does the ISP.aka and ISP modem router.

anav

In Brazil you have a different plan LOL.
You have to plan for theft replacement. If it aint locked down and you are not paying the police, it gets disappeared.

But yes, typically at home, use it till its not fixable or no longer does the job required.

anav

Its impossible to block or control DNS from an encrypted methodology to my knowledge.
In other words there are limits to what one can do with adguard/piehole/doh etc..... if the user is savvy enough.

anav

So just internet COAX cable to ISP modem router and you get private IP from ISP modem router LAN.

Just plug one cable into your MIKROTIK ROUTER and then all users plugged into mikrotik router.
One bridge, create as many different vlans as you need to separate users, servers, iot equipment etc.

anav

One bridge.
How every many vlans you need to have separate subnets.
One vlan for Servers, one vlan for trusted LAN users, one vlan for guests, one vlan for iot equipment etc...

anav

Okay so you have a port forwarding requirement but no external traffic TO THE ROUTER ( aka no vpn services etc. no wireguard ). In which case you dont need the output chain set of rules But YOU ARE MISSING THE MARK ROUTES FOR THE RETURN due to PORT FOWARDING via PREROUTING!!!! A small note if you di...

anav

Concur, also because ARM products are more fully supported going forward.

anav

(7) NO. The purpose of the rule is to allow subnets from r1 coming in on wireguard ( in this case one subnet) to access r2 single subnet and of course the remote admin users. If you had multple subnets on r2, its doubtful that the local subnets/vlans would require access to each other at all, hence ...

anav

Hi Mozerd, how do you distinguish on a single computer, a different queue for gaming, and for NAS server access (file access), torrenting, streaming etc...............

Can you provide that fidelity or is it all, ONE IP, one queue applies ??

anav

To be clear, you have to communicate more accurately.
What device do you have,
Provide a network diagram.

It may very well be that you are talking about a switch not a router and I was giving advice thinking it was a router etc...........

anav

Don't you have this built into your obsolensce budget planning for 1,2,5,10,15 years down the line ;-) EVERY X years change TV (10) EVERY Y years change CAR (12 ish) EVERY Z years change IPHONE. (3 ish) EVERY A years change WIFI devices ( often coincides with IPHONE ) (3-5ish) EVERY B years change r...

anav

Hi there, The table is required because that is what we are creating, an independent new routing table, so that we can tell the router where to send traffic, separately from the Main Table. Mangling is a method of identifying traffic with some specificity, in order to apply routes as required. I hav...

anav

Assuming I had it wrong all along and you need to pass the MAIN WIFI subnet to other devices behind the managed switches. I have modified the CHR script below. I also noted my handling of 1790 was not quite right, it needs to be defined as an interface, but no other place.... I also do not see the r...

anav

Correct. Each remote subnet must be a separate entry. The purpose is so that if local lan users need to reach remote subnets, the router knows where to send the local users!! The purpose is also so that remote users coming in to access local servers or use the local WAN, have their return traffic go...

anav

To be clear are you trying the SAME configuration on both devices for testing purposes?? Yes, you may have errors if you relied on scripts as the config has changed significantly so the rest of the config will have to be modified as required. (1) Why do you still have the incorrect setting for wireg...

anav

MIKROTIK is not the answer either, that is if you are intent on content based control. MT does not have APPLICATION CONTROLS or deep packet inspection so it may not work for you. MT is a user based and by that I mean IP: based firewall router. So put users into vlans and subnets and then you can con...

anav

Post your config and I will have a look. Also an update to what I posted I was not entirely accurate. 1. The output chain rules ensure that external traffic TO THE ROUTER ( aka services like wireguard handshake ) that comes in WANX goes out WANX 2. One still needs prerouting chain rules to ensure th...

anav

R1 (1) Why did you use firewall address list=VPN, its not correct technically as you have one local address on the list which has nothing to do with wireguard, 192.168.100.92 The list is more accurately called Admin or Authorized. Confusing to call it VPN when its not. Yes it includes two wireguard...

anav

You can use code commands to encapsulate your config! ( black square with white square brackets on the same line as Bold Underline etc.......) Typically when first setting up bridge vlan filtering and later on if I screw something up on the bridge, I setup an off bridge access. Makes life much easie...

anav

ISP Device: Is it a modem/router or just router? Does it provide TV or telephone services or just internet?

anav

I provided a much simpler, cleaner config, so cannot comment further.

anav

Ah okay, I think of that as NAT RULE, as opposed to a MANGLE rule as opposed to filter rules (forward and input chain).
All other IP firewall. LOL.

anav

https://www.amazon.ca/TP-Link-USB-Ether ... C87&sr=8-5

anav

As the article states. If you have USERS within the same SUBNET as the SERVER, and the users are not accessing the server by the server LAN IP address directly, but by the roundabout method of using the Domain Name/url/dyndns type name. then yes you need the hairpin nat rule. If you move the users o...

anav

It is not clear what firewall rule you are talking about??

anav

Well will focus on DNS related rules........ In general the Device acting as DNS server has to have access to the internet to get DNS itself. EVEn a DOH servers needs some unencrypted DNS access to make the initial connection to an encrypted DOH server. So in general, one has to look at DNS servers ...

anav

viewtopic.php?t=179343

anav

Well the only changes I see are in the forward chain are two rules. Difference in Green! FROM add action=accept chain=forward comment="allow internet traffic" \ in-interface-list=LAN out-interface-list=WAN add action=accept chain=forward comment="allow Smart Home access" \ dst-ad...

anav

Three things. a. good to include diagram very helpful as we are not in your head. b. form follows function so a clear set of requirements will dictated a useful config. So need the following (i). identify users/groups of users including you as the admin (ii). identify the traffic they need to accomp...

anav

Hard to say as the OP thinks he knows better by not providing the evidence and information to make an accurate diagnosis.

anav

Caution that I have seen RECENTLY folks using these rules and not putting a SOURCE part of the rule. (in interface lan) IF you dont then anyone on the internet will start using your pi server!! I note the original link at the top of the thread showed this dangerous config and its from an old no long...

anav

Negative, to ports is implied to be the same as dstports if not entered. To-Ports is this really used when doing port translation. What is important is such sweeping rules in-interface-list=LAN is to ensure you exclude the pI LAN address or any other subnets not being subjegated to PI. /ip nat add a...

anav

Which configuration, the OPs? If you look at the suggested config, all traffic from 800 and 900 vlans AND WIREGUARD, go through the WAN side of the router aka via ether5 and since there is a masquerade rule. all such traffic is already natted and gets a source IP of 192.168.2.2. That problem no long...

anav

YES it can, just not through PROTON. You could host a CHR on VPS for example ( cloud server ) or linux OS etc............. (1) All users would go directly to the public IP of the CHR vice your public IP to connect to a server. (2) The CHR would then port forward that traffic INTO a wireguard TUNNEL ...

anav

In R1 the config is clear. We only allow select users on wireguard to access the LAN side. We allow remote users to come in on wireguard to go back out wireguard ( does not allow anything else ). Thus we ensure control of what occurs by making clear rules. add action=accept chain=forward in-interfac...

anav

The painting company should be charged for $gas money and time for your to fix the situation at a minimum. The company will only make changes if it causes them to lose some of their profit.............. Sadly, pride and ethical behaviour not so much. The relay rule should be clearly stated.............

anav

Suggest your review line by line to digest all changes. No mangling required, no vlan for WAN needed. Tried to keep it clean and simple. Access to the router is safely done via Ether1 using 192.168.55.5 set in laptop ipv4 settings etc..... Setup so that you can access the router when sitting on the ...

anav

Okay so to recap and make sure on same page. 1. VDSL Modem/Wifi Router is where internet terminates. The modem gets the public IP. It provides a flat network of 192.168.2.0/24 where the modem router is the gateway 192.168.2.1 2. HEX is a second router with NAT, its WANIP for all intensive purposes i...

anav

You cannot do that with the MT router it does not bond two connections such that one session can use both connections at the same time.
There may be some software you put on a PC or something that does that for torrenting, but there is no such config on the router itself.

anav

Well there is physical security and access on-site, and there is stupidity. a. for disconnecting a piece of equipment and then on top not plugging it back in. Be it dishonest or stupid, the employee has to go. I note the evil attempt by the OP to confuse me by putting R2 prior to R1.............. ;-...

anav

https://mikrotik.com/consultants

anav

Just so I understand you have a hapax3 that gets a public IP......... If so you dont need Proton VPN for incoming, you can use your own router with wireguard to let remote users access home assistant. Even if its not a public IP ( behind an ISP router ) if you can forward a port on the ISP modem/rou...

anav

Observations (1) The vlan7 you assigned to combo1 is all very nice but where is it in your pppoe connection?? /interface pppoe-client add add-default-route=yes disabled=no interface=combo1 max-mru=1400 max-mtu=1480 name=Telekom-DSL profile=telekom user= If indeed the ISP is providing pppoe over vlan...

anav

(1) You have two rules and the second one is redundant on input chain. add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN { allows all VLANS full access to the ROUTER } add action=accept chain=input comment="Allow main VLAN Full Access" \ { allows main VLAN...

anav

Do not understand about DHCP requests........... The Cap is not acting as a router solely as an AP switch and has no Firewall rules, no DHCP functionality...... or anything...... Since you use pi for DNS, assuming that you direct your users to PI already so why did you deviate on the setup provided?...

anav

The only thing I can recommend is a newer model ( AKA newer ARM product )
hapax3, first choice hapax2 second choice, and then you can RUN wireguard via BTH and will be able to remotely connect to your network from anywhere.

anav

PLEASE CONFIRM ASAP that you get a private IP address from the ISPs device. If you get a public IP then you need to unplug your router immediately and perhaps netinstall it because you HAVE NO protection because you have NO firewall rules at all. All traffic is permitted. Which means hackers have f...

anav

If your MT device is setup properly, why are you here? Try a debian forum! If you want help then provide the config and we can decide, based on EVIDENCE not opinion, that there is nothing amiss on your config. /export file=anynameyouwish ( minus router serial number, public WANIP information, keys, ...

anav

Blocking ping on wan side seems pointless............ its actually useful and not a security risk.

anav

I think your mixing up form and function. The MT Device is a switch and you clearly stated you have an upstream firewall that takes care of firewall rules etc. so not sure what the issue is?? Its a switch so Wire Speed should be a given. Security wise are you asking what additional security function...

anav

(1) The advice is to have a separate VLAN for users and a separate VLAN for managment if you need it. The concept of a management vlan is mostly so that all smart devices on the network are configured and reachable on this network that nobody else has access too. If you have a trusted subnet then yo...

anav

Mikrotik model?

anav

It would appear you dont have a public IP directly its handled by the modem/router and not passed to your router.
Can you access the ISP modem/router and forward ports to the MT router?
Which MT device do you have?

anav

when?? using back to home wireguard, regular wireguard, something else......... again no context, we are not inside your head nor have any inkling of what network we are looking at etc...

anav

SURE YOU DID YOU ADDED THIS RULE AND ITS STILL THERE> add action=drop chain=forward comment="drop Everything else in VLAN" \ in-interface-list=VLAN /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ estab...

anav

@OP When you say static IP in the US, do you mean you get a public fixed IP, or fixed private IP ( like 192.168.1.X ) @Hey noob, what drugs are you on? The Hex is old and very under powered for the typical connections in US. Dont know about Mexico. The hex can be expected to get around 400-500Mbps o...

anav

(you dont need the vlan restricted list anymore by the way) The interface list VLAN-InternetAccess should not have quotes in your rule, remove them!! ( otherwise the rule is good ) add action=accept chain=forward comment="allow Internet access" \ connection-type="" in-interface-l...

anav

Seems okay, you keep screwing up the order of rules though..... (1) /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked ----> move up, and put the invalid rule, the icmp rule and the lo...

anav

NAT PMP, is nothing to do with MT. So lets get the facts. You have a third party VPN connecting your router (as a client ) to the PROTON wireguard server. Typically this is NOT for incoming originated requests, this is designed for sending some subnets or all subnets out the proton site for internet...

anav

Yes but that has nothing to do with mangling or whatever. Connect ISP1s modem or modem router to ether1 for example. Then if its pppoe connection assign the parameters in the PPP menu. IF its a ISP assigned dhcp scenario, add the parameters in IP DHCP. IF its a Static Public IP assigned, you can do ...

anav

Well I am not sure you handled vlans correctly, and in fact, once you start using vlans I recommend you turn the bridge affiliated subnet INTO a vlan and then your errors with the other vlans will become clearer. My sense is that is the root of your problems not the firewall. Suggest you read this t...

anav

(1) This open ended nonsense sourcenat rule is from the default rules........ ?? /ip firewall nat add action=masquerade chain=srcnat add action=masquerade chain=srcnat comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN (2) No idea what you are doing with these see...

anav

Is it possible to connect multiple Wireguard peers with Mikrotik at the same time? And use it for VPN service in an Organization instead of L2TP or SSTP? Have you used wireguard? Its not an enterprise solution where 1000s of employees need to VPN into work............ However yes, one can have many...

anav

Did somebody else noticed ping increase and drop in speed ?

Your post has no context. Do you mean if you are drinking a cup of coffee while running on the treadmill??

anav

I am not familiar with LTE products, dont worry many are. If you have two internet connections, LTE and skydish direct? Then you have two main possibilities. a. USE BOTH at the same time and provide the full available bandwidth b. USE ONE as a PRIMARY, and the other as SECONDARY (backup), so that if...

anav

Pinging gateway IPs, is reaching the router as they are local interfaces, does not mean you can actually reach users..... Lets look at the config......... (1) INPUT CHAIN, clearly you want reasonable security and thus I am assuming you want limited access to those that config the router. Hence allow...

anav

First, this is a USEFUL ARTICLES FORUM.
You should post your question in Beginner Forum or GENERAL FORUM.
So please open a new thread there and close this one and when you do, please post a network diagram as what you have stated is NOT clear.

anav

Perhaps I was imagining it because the first times I opened it the router stated was a 5009. When I do it today its now on the HEX> Looking at your diagram, can you confirm you use three different ether ports on the WIFI Router to connect three different vlans to three ports on the HEX??? What I was...

anav

The requirement is not clear. The router provides services such as wireguard server for handshake, and there are ways to ensure that if traffic coming on WANX for that purpose goes out WANX. Its not clear to me thats what you mean?? It is rare to see input chain in mangling as that is traffic to the...

anav

The default rules from MT already add such a rule in the forward chain.
I agree 100% that its common and thus why I suggested that Mikrotik add Zerotrust cloudflare tunnel as an options package for all devices.

anav

Really, so no datpaths and vlans in capsman, they took it out, how nice!! About time to remove vlans from wifi configs.........

anav

Kitty has claws, do not mess with it, even with only one eye open you will get hurt, thinking your script knowledge is somehow better, such a comedian. You do know that cat is just Yoda in disguise.

anav

The 5009 should have no issues handling this throughput.

anav

Just because your willing to sell your soul to cloudflare, some of use prefer not relying upon third party providers. :-P However, if port forwarding is in the mix, then cloudflare is a viable compromise, and for this case, it should be available on all MT devices, as a package, not hidden in contai...

anav

All good, now we both know we are not going insane

( in my case more insane )

anav

L2TP windows client does not connect to wireguard, suggest you have to connect to an L2TP server.............. '=P As noted, your config is likely wrong and the fact that you havent posted a.. your complete config b. network diagrams Is completely absurd as this is not your fist post. You know very ...

anav

Holvoe, that link is TOTALLY USELESS for those wanting to setup capsman and datapaths and VLANS.

Either make one (user article -as I have requested numerous times or stop suggesting something that doesnt fit.......

anav

As pointed out you supplied a config for an RB5009. You have not stated where this router fits. You have not provided a hex config. Explain more how the upstream router works.......... does it provide an IP address on a private local subnet to the hex. You mention, NATing, please expound. A network ...

anav

Too many unanswered details.
What is the throughput of each WAN.
Are the ISPs for all six different?

How many users are anticipated.
What kind of traffic will they be using,.......

Network diagram to show what happens after RB5009, switches APs etc.....

anav

I would look at wireguard as the way to go.
One could have all devices on the same wireguard subnet easily reachable from the office or if away remotely.

anav

R2 that I posted is the last config on R2 because after that i lost connection

Too funny. By the way since its dirt easy to establish an SSTP connection between two MT routers, I always do one as a backup to WG.

anav

without evidence, its all opinion.

/export file=anynameyouwish ( minus router serial number, any public WANIP information )

anav

Dont use vlan1 to pass data, its gets confusing especially as you are mixing devices. The MT uses it in the background.. If you are using vlans then go all vlans. If the HAPAC is simply acting as an AP/Switch the below works............ Hence a TRUNK Port carrying all vlans from pfsense to MT. The M...

anav

Hence why I asked if you had actually tried to reach a device, not just pinging............ ( in post #10 )

anav

holvoe, you missed the memo, he is using the same device with two separate access points, one gets him very good speeds and the L0009 crap. Suspect the testing device is not the issue but who knows......... @haha Did the OP try the 20/40 setting?? @haha DISABLE THIS RULE AND SEE if there is a differ...

Search found 19572 matches