MikroTik

CZFan

I am not really sure you are successfully pinging the SXT (192.168.88.1) as both devices have that same IP config on ether1 interfaces, so your config seems totally incorrect . You already have a "router / firewall / DHCP / etc" in the SXT, why not make the Hap AC2 a "switch+AP" ...

CZFan

Suspect you have configured Proxy-Arp on interface(s).

CZFan

@sebastia,
I created a new "project" in gns3 today and again, one of the my routers mixed up the ether ports.

Would you mind sharing a bit more of your setup, i.e. Which version of gns3, using virtualbox, VMware player, workstation, etc?

CZFan

Took over client from another service provider, previous service provider created their own admin user / password and removed the default admin user. The equipment is now mounted on masts, etc, is there a way to get the default admin user / password from the device for record keeping purposes? Using...

CZFan

One bit of info missing, does the wireless link go down for 60 seconds before connects again? Reason I am asking is we have a wireless link, 2 x LHG 5ac's, short distance (about 700 meters) but sometimes takes up to 3 minutes to connect again if the wireless link dropped and reason seems to be takin...

CZFan

I'm trying to get CHR working on EVE-NG and it works but the interfaces dont seem to line up. I will put 192.168.1.1/24 on R1:ether1 and 192.168.1.2/24 on R2:ether1. I will make a connection from R1:ether1 and R2:ether1. I will then try to ping 192.168.1.2 from R1 with no success. I will move the I...

CZFan

I recently installed one of these Wireless Wire setups, straight from the supplier the 2 radios did not want to connect. After logging in on each device, I noticed both were in "Bridge" mode, changed the slave to "Station-Bridge" then it connected. Not sure if above is correct bu...

CZFan

You will need to make use of firewall "fasttrack" rule.

Search the forum, many discussions re above, including on the 2011 router

CZFan

Your problems is that "Cisco Small Business" thingy :-) Just joking, have to echo what @anav said, without seeing config and / or more info on environment, very difficult to assist. Maybe as a starting point provide full config (after deleting sensitive info) of 3011's and also a network d...

CZFan

I figured it out!! You have to specify the time and day or days that you want the rule to be applied and then you have to press reset all counters to reset everything and allow the new rule to be applied. I checked it 3-4 times and it worked fine. Thank you all!!!! I suspect that you have a rule be...

CZFan

Don't quite understand your question, you say you have seen this configuration and state that it worked??? Anyway, to answer your question, yes, you mark the connection, then the packets of this connection, the "connection" is both "up" and "down" traffic. Then apply th...

CZFan

@deepmedia
As a side note, I assume the 1.1.1.1, etc addresses are loopback addresses, anyway, personally I will stay away from them as they are routable on internet

CZFan

...

How in the world are you going to specify flow direction in the "Queue Tree" ? The Flow Direction is done in mangle with packer marking and then used as an input in the "Queue Tree".
...

QtreeIface.JPG

CZFan

Hy I'm also confused. How can CZFan's example work? The mangle uses src-address-list, meaning "Download" traffic from a bunch of IPs. How can those packet marks be used in Queue trees for uploads? ... the mangle uses src-address-list, for the device starting the connection, in this case i...

CZFan

... So long this did the trick, but i had the assumption that what ever you put into Connection marking follows the Packet marking if you use "Connection marking" as input ? This had me fighting for a very long time and i hope it help others as well. Also this proves that almost every Tut...

CZFan

It will block ssh, but as sftp runs over ssh session, it will also block sftp

CZFan

Under queue tree, for VPN:IN, change parent to LAN interface, i.e. Bridge or what ever you called it

CZFan

Not at my pc at the moment, but below with you doing some reading on wiki should get you there.

You should not specify interfaces in mangle rules, then in queue tree config, specify the interface / queue as required, i.e. Bridge interface for download and PPPoE interface for upload

CZFan

Traffic flow is used for network statistics.

I think it will be better if you define "intercept" and what actually needs to happen to the frames / packets once intercepted in order for us to get a better unde standing of a our requirements and provide better suggestions.

CZFan

Hmmmm, there is no reason why the action drop rule should be in the RAW firewall filter and NOT the input chain. As the rhyme goes. I would like to slap the peepee of the person that wrote the wikee. Slow day. ;-) Highly recommend you read through this thread for some sage advice! https://forum.mik...

CZFan

Re firewall, also ensure you block DNS from outside on input chain

CZFan

It never came to my mind to try to push VLANs through a L2TP tunnel in bridge mode, but I've expected it would be enough to configure the /interface bridge port and /interface bridge vlan items also for the L2TP interfaces. However, it seems RouterOS is not ready for this (at least as of 6.44.3). W...

CZFan

@macgaiver: Here you go, but be warned, once you see it, you can't unsee it.

Do you and @sindy visit each other in The Matrix for drinks

CZFan

Sindy=genius!!!
You should write a routerOS book, I will pre-order buy it now!

Yes, indeed, that he should do, will also order before publication.
His method of reaching or explains is excellent

CZFan

Toggle on or off by clicking on "#"

CZFan

Are the subnets consecutive? If so, aggregate / summarize the subnets

CZFan

Target should point to internal subnet, rest looks good

CZFan

I think it is time you pride the config, in terminal window,
Export file=YourFileName hide-sensitive and either attach the file here or copy and paste the contents between source code brackets

CZFan

On Stock in Germany

Same in South Africa

CZFan

... The way Google Fiber and the OP's ISP use of the CoS field in the VLAN tag is rather a misuse to me, because normally it is used to convey the information about frame priority, not that it would have to contain a single mandatory value. But I have no idea what weakness of their system they had ...

CZFan

... 3. While I've only worked on one RB4011 I don't recall all the switch menu options being set like this. But I won't know until this week when it's back up online at a the customer site to double check but wasn't there when I was doing the initial setup. ... The RB4011 has a RTL8367 switch chip ...

CZFan

@sindy & @anav, while your little spat is cute you both have failed to notice some glaring errors in this config. 1. bridgePrio6 is the one that is supposed to filter this WAN VLAN stuff. So why is it a _member_ of the default bridge?! That's a no no. 2. There is nothing that shows bridgePrio6 ...

CZFan

Have you tried accessing the device with ssh and then run command?

CZFan

Personally, I would use Domain Controller as DNS (and DHCP) for internal clients, DNS should already be installed on DC Server as that is one of the requirements for AD to work properly

CZFan

Think it will be something like

/tool ip-scan address=12.34.56.78 interface=ether1

CZFan

...
Then the client will send mails out, either directly to your hosted mail server or alternative Skype server.
...

Suppose to be SMTP Server, Apple IOS auto correct

CZFan

@Anav, IIRC, you are using an email client with mail server hosted our side your network. Then the client will send mails out, either directly to your hosted mail server or alternative Skype server. The mail coming in, is being "pulled" by the mail client, so connection is into initiated f...

CZFan

I am struggling to understand what you are looking for here, the "drop invalid" rule is the built in solution

CZFan

Based on the limited information you provided, this should be sufficient:

Create / run a script to pick up active wan IP

CZFan

RouterOS uses routes from "/ip route" to decide where to send packets. It doesn't automatically send replies back the same way from where the request came. So you have incoming connection on WAN2, but default route uses WAN1, so response packets are sent there and of course it doesn't wor...

CZFan

@anav I already did it (viewtopic.php?f=13&t=145144), but I got no answers... l don’t know what to do.

You now have an answer...

CZFan

If you have hired a company to do the installation, then surely they must correct the problem / design of the network?

Alternatively, my suggestion will be to hire a Mikrotik Certified Consultant in your area. https://mikrotik.com/consultants

CZFan

What will you do that concerns you about the memory.
Hap ac2 has 4 cpu and that memory is more than sufficient

CZFan

6344.JPG

CZFan

...

I can't seem to downgrade it to 6.34.4 Mikrotik seems to have deleted the firmware from there website

...

https://mikrotik.com/download/archive

CZFan

Add a simple queue with target of CCTV IP and set rate limits required

CZFan

As far as I can recall, Hap Mini and Lite has exactly the same specs, only difference is mini has 3 ether ports and Lite has 4 ether ports

CZFan

My main concern is to make sure the antennas are aligned, my thinking is does not matter settings you play with, if alignment is out, you will never have a stable / good link. but seems for some reason, no one here wants to comment on if the alignment tool in Winbox still works. I have set the chann...

CZFan

Yup, that will also work as OpenVPN on MT is TCP Based.

I just prefer SSTP over O-VPN as SSTP uses port 443, less chance of ISP's blocking it.

CZFan

One suggestion will be to not use NATing between proxy / ASA / MT, but rather routing and only NAT out on MT

CZFan

You can use certs with SSTP between MT's, but it is not required. My point was you can quickly test it without creating certs etc. if it works better, then implement with certs

CZFan

UDP not good for unstable links, maybe try a TCP based site to site VPN, i.e. SSTP bwteen MT's, don't need certs in this case

CZFan

Thx for your response, and I might very well be wrong and please correct me if I am wrong My understanding is that it is 897Mb/s air rate (radio) and should be able E to get 450 - 500 Mb/s data rate. I did some more reading, and it seems like with the equipment used for the link and due to short dis...

CZFan

Bump, anyone, please?

CZFan

Hi Have a PTP link (2 x LHG 5ac's) connected but not too happy re performance which I am sure is due to my limited knowledge on wireless and asking for some help. The distance between the devices is about 500m with clear line of sight, both devices are on ROS 6.44.1. I if I can get the link to push ...

CZFan

cause your rules are incorrect: Forward chain, you have dst address list which should work ok, but should really be src address list input chain, again you have dst address list, this will never work as you should not have any China IPs as per address list on your router, so should also be src addre...

CZFan

I want mind to grind coffee beans. They should call it the cAPpuccinoAC

CZFan

https://support.microsoft.com/en-gb/hel ... in-windows

CZFan

If you coming with a Windows client behind a NAT and L2TP/IPSec server is also behind a NAT, have a look at this, it solved my problem:

https://support.microsoft.com/en-gb/hel ... in-windows

CZFan

Would you use a Mini to transport the local school rugby / soccer team to a game?

The Hex S is a SOHO device, that is an acronym for "Small Office / Home Office", do you think what you are trying to do fits in there?

CZFan

Hi Emils,

Is this fix related to recent vulnerability issue that were going to go public on 9 April?

CZFan

Is this functionality still working? I have 2 lhg 5ac devices, link is up in bridged ptp config currently syncing at 400Mbps, but when I try this, I get nada. no sounds on station side, no info in Winbox on station side. All I get is customer screaming at me every time I do this as the link between ...

CZFan

Thx @mkx, @pe1chl for the info. Have over 1000 of these deployed in user homes (FTTx Deployment), so if things go wrong, not easy to get physical access to these plus user / client downtime. There was a time when I still had hair, when all jumped ship from Novell (had a very soft spot for Novell) to...

CZFan

IIRC, MT does not support dynamic VLAN's

CZFan

uninstall tr069 package, remove everything from /files, upgrade only routeros, after suiccessful upgrade install tr069 again Yes, if it was a device at my home, no issues, but now I must go do that on over 1000 devices at client site? WTF is it even necessary to do that, I am a patient person, been...

CZFan

@CZFan, @gdelacruz: is there anything in the log about upgrading (or its failure)? When I try to uninstall the packages that are disabled, I get error, cant uninstall bundled package Have over 1000 of these devices deployed at 1 client only Log info after trying to upgrade: 23:46:30 system,info ins...

CZFan

unfortunately my MT is not upgrading to 6.44 from 6.43.12. i am using the upgrade tool from winbox. downloading and reboot but it does not change at all... pls. advise .. using RB952Ui-5ac2nD.. thanks Having the same problem on 1 device, trying to upgrade from 6.43.8 to 6.44.1, it downloads it, reb...

CZFan

Hi all,
I noticed since 6.44 and now 6.44.1 some neighbors are displayed without their IP address.. is there a solution?

My guess will be those devices do not have an IP on the interface reported on.

CZFan

Updated hAP AC2 and CCR1009 from 6.44 to 6.44.1 I am seeing a lot of dropped Forwarded packets as INVALID. These are packets that should have hit the New connection from a local device in the address list. But are getting dropped. Also ... Updated my Hap AC^2, also getting lots of invalids dropped,...

CZFan

upgrade ≠ reset configuration

On upgrade system files are replaced with new ones.

You are using the wrong symbol to explain to IT people, should use "!=" instead, then they will better understand

CZFan

So I missed this thread when it was new, but it's not too late to disagree now - hairpin NAT is awesome! ;) Ok, that was just to even things out a little. Reality is that haipin NAT should be unnecessary and by long time obsolete hack from old IPv4 + NAT times that were supposed to end years ago. U...

CZFan

Will have to configure routing, make sure FW's do not block this traffic between sites and ensure your syslog server accepts from these IP's, that should be all

CZFan

Hi Since the last update we have had multiple clients complaining about existing sites where VoIP experiences issues, from de-registration, no audio, one way audio. Currently we downgrading the clients back to 6.43.8 which works. I've sent multiple supouts and support tickets to Support with no fee...

CZFan

Trafic that you are trying to avoid in your ping command is not for the forward chain, is for the input chain. If you do not want users on vlanx communicate with the interface of the VLANy on the router , you need to block the traffic on the input chain. Regards. What you said makes no sense to me....

CZFan

Just thinking, I have a CRS326, up time currently reported as 51d12h, have zero downtime / flaps on SFP+ port.

Are the flaps not maybe caused by the other side?

CZFan

Add accept rules for guest subnet before fasttrack rule

CZFan

I think it will be best for you to engage with a Mikrotik Consultant in your local area

https://mikrotik.com/consultants

CZFan

For the Qs to correctly match both directions you need to add the following rule before fast track rule:

chain=forward action=accept connection-state=established,related dst-address-list=alist_to_s-queue log=no log-prefix=""

CZFan

I had to change the link sync to manual with every SFP module in SFP+ ports, this was on CCR1036, CCR1072 & CRS326 IIRC

Also, I think they do state that in the manual

CZFan

If I may ask, what device is this ISP modem, make, model, etc?

CZFan

Maybe you should approach your ISP?

CZFan

I am monitoring about 40 devices using the Dude. Have 3 devices that are across a bridged wireless PTP link. For any devices on the other side of this wireless link, I get every now and then (intermittent) SNMP timeouts and with that false notifications. Have done the normal checks, etc, i.e. CPU lo...

CZFan

It's almost like Mikrotik should run one

Please forward the bandwidth test link for Cisco, Juniper, Huawei, Zyxel, TP-Link, ....

CZFan

Yes, the wireless radios draw quit a bit of power.

It sounds as if the CRS109 meets your requirements, if that is the case, and it was me, I will buy the correct power supply, add a virtual WLan and voila, you have 2 x SSIDs

CZFan

You need to remove WLAn from bridge and add L2TP interface to bridge on L2TP client side, i.e. on your AP, the server side should be done dynamically of configured correctly. You DHCP client should also be bound to L2TP client interface i need wifi clients to get ip from dhcp server from ether2 Ok,...

CZFan

Topic below might get you started:

viewtopic.php?t=135504

CZFan

You need to remove WLAn from bridge and add L2TP interface to bridge on L2TP client side, i.e. on your AP, the server side should be done dynamically of configured correctly.
You DHCP client should also be bound to L2TP client interface

CZFan

... But... Before making this upgrade I've made another observation: when my phones are turned off and my laptop is docked (networ connection via ethernet port) - everything works seamlessly. I've transferred over 10GB of data and nothing happened. As soon as I've turned on my phone and played some...

CZFan

Well done, glad I could help. FYI, IIRC, that is exactly what I achieved with my 2011, 812Mb/s The link you posted to the firewall config, I just did a quick scan through it and off the bat it looks over complicated for many environments, I will also be weary of the following 2 rules as generally yo...

CZFan

And here I thought SBC = Small Business Community :-) Yes, run the device in Router OS, not Switch OS Depend on what you want to do when accessing the devices, the easiest will be to use VPN, then you become part of the internal network and can access the devices. I do not think using different DNS ...

CZFan

Generic, home use FW rules for me are: (With fwd chain rules first) 1. Drop invalid, fwd chain 2. accept Fastrack, fwd chain, est, rel 3. accept fwd chain, est, rel 4.allow new from lan, fwd chain 5. allow dst nat, in wan, connection new, fwd chain 6. drop all fwd chain Then use similar for Input ch...

CZFan

Back in the times I had a 1Gb internet, my one son (Serious gamer) was living with us and he paid for the link. This is not the case anymore, he has moved out, moved the 1Gb link with him, so now I have a measly 40/20 fibre link so will not prove anything anymore unfortunately.

CZFan

Thanks pe1chl for clarifying. I wish there is a way to like a reply when someone provides a solution or the correct answer.
..

There is, click the "Accept this answer" (green tick) on post that provided solution

CZFan

I think for 100Mb internet link, CRS328-4C-20S-4S+RM will suffice, but also note that the CRS328-4C-20S-4S+RM is mainly a Fibre switch, i.e. mainly for connecting fibre cables. It does have 4 x combo ports and you will need to buy modules for these ports in order to use UTP. From your explanation, a...

CZFan

I think the more relevant question is why do you want to make a "Router" do "Switching" function?

To use another analogy, there is a difference between cars and buses for specific reasons.

CZFan

I have managed to get ~ 850Mb/s with RB2011, using NAT (No PPPoE). About a year ago, the RB2011 retired to my lab area and has been replaced with a HAP AC2 and I no longer have a 1Gb/s Internet link.

Why do you not start by providing your full config, and we can make suggestions?

CZFan

You dont have to spend all that money for a 4011, just keep the CRS109 as a "switch only" and add a Mikrotik hEX for the "Routing".

CZFan

Based on limited info in this thread, it seems you have gone the wrong way around purchasing hardware before understanding what is available and what will meet your requirements. It will be difficult to answer accurately without knowing what your internet link size / speed, what routing protocols ar...

CZFan

Hi all, Last night I purchased CRS328-4C-20S-4S+RM switch. .... My intention is to drop ISP router at some point as I manage to grasp sufficient knowledge with this device. ... Thank you kindly Please keep in mind, this device is a switch, with some routing capabilities. So depending on your intern...

CZFan

... But... Before making this upgrade I've made another observation: when my phones are turned off and my laptop is docked (networ connection via ethernet port) - everything works seamlessly. I've transferred over 10GB of data and nothing happened. As soon as I've turned on my phone and played some...

CZFan

Will it not be easier to allow SIP traffic only to the SIP providers you / building management approves of with Address Lists?

CZFan

I suspect the problem is not on your router config, but higher up the chain.

Do a trace route (Tools-->Traceroute) to 8.8.8.8 to see where it times out

CZFan

If I understand the OP correctly, the closest you will get to this is called hybrid vlan config. This is where you have a port configured for vlan trunking i.e. tagged vlan (vlan 10 as ex) and same port also configured as an access port for vlan 20 untagged

CZFan

Intra-Vlan is 2 hosts communicating on same Vlan (layer 2) Inter-Vlan is 2 hosts communication on different Vlans (Layer 3) Apologies, I just recalled sindy's post re vlan filtering disables HW Offload, hence you need to use switch vlan config in this case The point I was trying to make is that irre...

CZFan

I suspect there is no difference between Switch Chip Vlan config and Bridge Vlan config (Have not tested it though). My reason for thinking this is: When you have 2 ports in the same vlan on bridge vlan config, you will have HW Offload active and full port based (switched) speed between these ports,...

CZFan

Hi, I'm afraid to say this, but DON'T buy any hardware from Mikotik, NO SUPPORT AT ALL. For more than a year problem with Mikrotik WAPac and WiFi clients with broadcom chipset. Emailed a lot, given all necessary info, no results, last emails don't have any response! Have you tried Cisco's free supp...

CZFan

You should absolutely not push to control DNS in a Windows Active Directory environment. Not sure why you would want the headache. DNS is very important for Outlook clients for example. Do you know how to setup the resolution for Autodiscover? There are other topics no doubt too that we don't under...

CZFan

IIRC, I tested this on my 2011 a while back, with a single bridge, HW offload was active / enabled

CZFan

I have not worked in detail on DNS servers for a good couple of years now, (+- 10), but IIRC do not think you can specify port numbers in DNS.

Think you will have to enter the 2nd port number i.e. 81 as part of the URL e.e. http://www.yourdnsrecord.sub-domain.domain:81

CZFan

Yes, that is working as per design. The public DNS will tell the world what address to use to get to your network. The router on your network edge then translates this to for port 80 in this case to your internal web server address as per the NAT rule you configured. So that is all the router knows ...

CZFan

From reading OP, should just work, as you will have DAC routes added dynamically.which should allow comms between these

Best is provide the output of: /export file=myconfig hide-sensitive and pas this here between the code brackets

CZFan

If speed varies, then I doubt it is ethernet syc related. Majority of problems experienced with MPLS, etc is usually MTU related, but what I would suggest is go and have a cup of coffee with the client, then test from his connection and capture / sniff some packets to see if any excessive fragmentat...

CZFan

Hello, can the hAP ac² act as a router instead of an access point? I want it to act as a DHCP server and use firewall nat rules.

Exactly what it is designed for

CZFan

Can you provide a diagram of network, note on drawing where client is and where data is that he is downloading?

Just want to see where the possible problem areas might be

CZFan

Have you checked the client's Ethernet sync speed?

CZFan

DHCP broadcast, request, etc is layer 2, firewall is layer 3 of OSI model
dhcp protocol is in UDP, based on IP, and using broadcast ip's when necessary.
See https://en.wikipedia.org/wiki/Dynamic_H ... n_Protocol

True, wasn't thinking it through properly

CZFan

DHCP broadcast, request, etc is layer 2, firewall is layer 3 of OSI model

CZFan

Typically used when you have like lots of users / devices behind a NAT to prevent running out of port numbers (PAT) for a single IP NAT but not typically for 100 users/devices, never tested, but maybe: There a wiki for that ;-) https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#1:1_mapping Not r...

CZFan

Typically used when you have like lots of users / devices behind a NAT to prevent running out of port numbers (PAT) for a single IP NAT but not typically for 100 users/devices, never tested, but maybe: /ip firewall nat add action=src-nat chain=srcnat out-interface-list=WAN src-address=192.168.88.0/2...

CZFan

I think you should reset device to default, test again...

CZFan

Had this before on a 951G when I did an update wrong, late, on a Friday afternoon

Netinstall saved me

CZFan

What is the purpose of below in your config?
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1 src-address=192.168.88.2-192.168.88.253

CZFan

Or, maybe I just had the post open on web browser for a long period before posting....

CZFan

^^^^
You can pay me what you want, you will not get me on that tower

CZFan

It sounds like you have duplicate MACs or IPs connected to the switch.

Will it be possible to post config of all 3 Mikrotiks here:
/export file=MT1 hide-sensitive
/export file=MT2 hide-sensitive
...

CZFan

might be a good idea, so you can see exactly which version/model/year the device is which you found in the back of the storeroom under all the dust or when buying a 2nd hand one

CZFan

I have a chain Cisco 4900M - Dlink DGS3620-28SC - Mikrotik RB951G. And i can ping from Cisco to Dlink's address(from RB subnet) with 1700 and df-bit, so i don't think that it is Dlink problem. Is it possible that in that RB installed old chip that doesn't support some functions? CPU Ar9344 v3.33 Up...

CZFan

Look at IP-->Firewall, Connections tab

CZFan

Personally I see the 4011 as a SOHO device, my minimum suggestion will be CCR1009.

CZFan

.... The "read only" account does have some unexpected restriction (like can't initiate a ping, etc), .
...

If I recall correctly, think I got around this last time by adding "Test" to the read only user policy

CZFan

thx CZFan !!!!

it was the missing "add distance=1 dst-address=192.168.10.0/24 gateway=172.22.22.1"

regards, richard

Pleasure, glad I could help

CZFan

the 4011 doesn’t have 2 sfp+ ports, but you can squeeze out way more than 1gbps. and it has no fans. there is one thing i don’t quite understand: 10Gbps internet connnectivity for home? this is quite an overkill square! but let’s assume you need this bw, but why’d you place the router into your liv...

CZFan

I am experiencing this on a CCR1036-12G-4S-EM, when I disable SNMP, it goes away so think it is SNMP related.

Have upgraded a couple of versions already since I originally noticed it and currently running 6.43.8 but still the same

CZFan

I think the reason for your problem firewall is not allowing L2TP/IPSec ports before the " add action=drop chain=input in-interface=pppoe-out1 " rule, which is kind off a "Drop All" rule, but only for incoming from the WAN/Internet. You need to add accept rules on input chain for...

CZFan

Mikrotik is not designed for this and should not be used for this.

Look into products like Sonicwall, which can inspect encrypted data and is designed for things like this

CZFan

I was able to resolve this on our workstations, it seems to be a difference in how Winbox is writing session files. If you delete the "%userprofile%\appdata\roaming\mikrotik\winbox\sessions" directory, then it all works fine again and correct link down dates are shown. We've confirmed tha...

CZFan

Use Netinstall to reformat and install ROS.

https://wiki.mikrotik.com/wiki/Manual:Netinstall

CZFan

What I don't see in the instructions on link you posted is installing of the client cert on Windows, you will need both CA and Client Cert. Look at the links below, maybe it will be of some help https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP https://wiki.mikrotik.com/wiki/Manual:Create_Certifi...

CZFan

Is this a site-to-site VPN or road warrior (Traveling users) VPN? If road warrior setup, depending on your firewall rules, but generally there should not be any changes required on the router, but on the clients to point to new IP / FQDN. Provide full export /export file=whateverfilename hide-sensit...

CZFan

Not sure if mentioned in this thread / topic yet, but upgraded CHR with Dude running couple of days ago. Tonight I had to do some maintenance on network equipment and but could not disable notifications in the Dude. Untick all in notifications, click apply, then OK. as soon as I bounced the first ne...

CZFan

Have a read through below article:

https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

CZFan

With a "Default Drop" Rule, you will typically also need to allow "new" from LAN. If you are using the router as DNS server, the the below rule should be removed as that will prevent the router from doing DNS lookups successfully and the symptom will be there is no internet acces...

CZFan

Default IP range is 192.168.88.1/24, you can use 192.168.88.10/24

CZFan

No issues, no drops nothing, the 2011 is a little workhorse

CZFan

Are you using IPSec? If so, forward ports 500, 1701 & 4500

Also remember to open these ports in firewall of destination device

CZFan

Those temperatures are very normal. When I was using 2011, mine was constantly around +- 40, except when I did big downloads at 100 Mb/s using wifi the temp will go up to 65.

CZFan

Yes, use port forwarding (Destination NAT) to point to new server / ip

CZFan

below is rules i use to allow mails to / from gmail. #first create address list /ip firewall address-list add address=smtp.gmail.com list=Gmail-SMTP /ip firewall filter add action=accept chain=forward comment="G-Mail SMTP" dst-address-list=Gmail-SMTP dst-port=587 out-interface-list=WAN pro...

CZFan

With some routers you need to place the upgrade file .npk in the /flash folder, not the root. If placed in root, it will be deleted during restart

CZFan

Maybe pay for a consultant? Usually when you pay for a service, you can expect faster response times.

CZFan

The description in the OP is also a bit confusing to me. But why not place the Cisco Meraking inside the LAN of the Miktoik router users gateway points to the Meraki, go through the Meraki to the MT Router where things get routed and NATed. Just open the necessary ports on the MT in order for the Mr...

CZFan

"...Because the Mikrotik replaces the source MAC address of outbound traffic with its own..."

This is not Mikrotik, but how IP & routing works

CZFan

Below might be reason for your problem

/tool mac-server mac-winbox set [ find default=yes ] disabled=yes

CZFan

113MB/s equates to approx 1Gb/s, and that is the interface limit

CZFan

Also check PC Firewall. Connection Profile might be public instead of private then windows firewall will be more restrictive

CZFan

Yes, you will have to tell the Garage router where 192.168.10.x network is, i.e. add route like below on Garage router

add distance=1 dst-address=192.168.10.0/24 gateway=172.22.22.1

CZFan

First thing you should do is update your router, 6.40.6 is fairly old and many security loopholes

CZFan

Packet sniffer disables a coupe of things, one of them is fasttrack, so try and disable fasttrack firewall rule if you have this enabled, reboot or clear all connections in firewall connections tab and test again without packet sniffer. If it resolves the problem, I will suggest you look at your fir...

CZFan

What is up with these posts, someone trying to build up post count or is forum hacked?

CZFan

Not sure I understand OP explanation, but this might guide you in the right way

https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

CZFan

There is a difference in way Vlans are configured pre and post 6.41, read below, there are also some examples which include both pre and post 6.41 config

https://wiki.mikrotik.com/wiki/Manual:S ... ivate_VLAN

CZFan

First, you should update RouterOS, 6.34 is very old and many security loopholes. Then, there are different chains in the firewall, input, forward and output. The ones you want to focus is input (to the router) and forward (through the router) Below samples of "Drop All" rules for input and...

CZFan

Agree, at time of typing my previous post, I thought that there might be a misunderstanding between us.

CZFan

The Child Q's are created dynamically Through what feature - DHCP? Hotspot? PPP? Can you execute "/queue simple print" and show the output? Printing the list will include all dynamic queues as separate items. Through "Simple Queues". Printing only shows the parent Q, see below s...

CZFan

The Child Q's are created dynamically

CZFan

I don't agree with below, else what is the use of using PCQ? Also, the queue type setting for the parent will not have any effect if the parent has children. It looks like you have a PCQ queue set on the parent, which won't do anything. If you wish to use PCQ it has to be set on the child queues, no...

CZFan

You can remove the below line:
/interface bridge vlan
add bridge=bridge-iptv tagged=ether1-gateway untagged=ether10-IPTV vlan-ids=6

Then remove ether3 from bridge-local and add it to bridge-iptv.

That should be all you need to do

CZFan

The CRS can do wirespeed Switching, All routing (Incl Inter Vlan Traffic) goes via CPU and limited by that

CZFan

/interface bridge port add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp2 pvid=111 add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp3 pvid=111 add bridge=bridge1 frame-types=admit-all ingress-filtering=yes interface=sfp4 pvid=111 add bridge=brid...

CZFan

Good to hear. Note: you might want to run script by name, so you won't brake it in future
/system run script <name>

/system script run <name>

CZFan

Yes, cause 0x2^0 + 1 x 2^1 = 2

CZFan

This is my understanding if you change from UAA to LAA: Convert the first octet from Hex to Bin, then change the 2nd-least-significant bit to 1, then convert back to Hex, i.e. B8 :69:F4:00:00:00 = 1011 1000, then change to 1011 10 1 0 back to Hex and the LAA MAC will then be BA :69:F4:00:00:00

CZFan

Yes,

You can read all about it here: https://wiki.mikrotik.com/wiki/Manual:T ... et_Sniffer

CZFan

Look into hairpin nat

https://wiki.mikrotik.com/wiki/Hairpin_NAT

CZFan

What I explained is not to remove your AS, but the downstream private AS. i.e. Client (AS65500) ---- ISP (AS200) ---- Global Net At the ISP, they will strip the "Private AS" by using "Remove-Remote-AS" and only advertise aggregate. Anyway, seems this is only related to "Priv...

CZFan

I am confused about the internet access port / vlan 112 part. Usually you will tag traffic going out, not coming in.

Can you elaborate a bit more what you are trying to achieve here, maybe confirm with the service provider how you are suppose to access internet services?

CZFan

I am new to BGP, so take with a pinch of salt. This is usually used where an ISP (Upstream provider) needs to remove clients "private AS", and one of the requirements I understand is that the client then needs to have the same routing policy as the ISP. It is a setting called "Remove-...

CZFan

... Of course people throw in drop invalid traffic and other things but if you have a drop everything else rule they will all be caught. .... My personal opinion the above is debatable, the last I checked part of the reason for dropping invalid was due to reasons that the packet might not be NATed ...

CZFan

Is internet provided as a layer 2 or layer 3 service? Currently you have it configured as layer 2.

Maybe add a diagram so we an clearly see how things are connected

Just to confirm, are you sure the CCR1009 has a switch chip, it is my understanding that only fairly old CCR1009's have switch chips

CZFan

I highly doubt the above was the solution.

The queue types you mention there only changes the the queue "buffer" size, i.e. how many packets it will queue

CZFan

IP address is assigned to ether2 directly, should be assigned to bridge that ether2 is a member of

CZFan

Some Examples, but must use what makes sense to you,i.e.
Trusted Zone = LAN Zone
Untrusted Zone = WAN / Internet Zone
Semi Trusted Zone = DMZ Zone
etc

CZFan

I use a mixture of both.

As you mentioned, Interface List is like "Zone" based, "trusted", "untrusted", etc. but sometimes need to be more granular, then I use Address Lists, etc

CZFan

The only place I can see where the 3011 trumps the 4011 is you can do Vlan config in "software only " on 4011.

So the 4011 is a way better device, but will depend on what you planning to do with Vlans

CZFan

Can one subnet provide addressing for many vlans without 1:1 natting? I want one vlan per customer's CPE router, but instead of each vlan having its own /30, just one /25 is used across all vlans. The reason I want to do it this way is to avoid the use of PPPoE but still keep customer's traffic sepa...

CZFan

Any news about this feature ?

Bump

CZFan

Hi, I have configured several Subnets on my RB3011. All Subnets cannot see each other, it is disabled by FW-Rule. Now I would like to configure some exceptions. I have a local SIP Server on Subnet1 with IP: 192.168.1.10. Client on Subnet1 can connect correctly to the Server, but Clients on Subnet2(...

CZFan

NTP = Network Time Protocol makes use of port 123

CZFan

Ask ISPs to add route on CPEs to be our LAN range via the RB960.

CZFan

You mention "On the modem I have configured VPN passthrough - IPSec and PPTP" but trying to configure L2TP, I would assume you will need to configure L2TP passthrough on the modem, if it is not there, then it is not supported on the modem and will not work

CZFan

With my RB2011, when I changed from a 20/2 Mbps DSL link to 1000/100 Mbps fibre link, had the same issue. I added fasttrack and improved on my firewall rules and got ~850/97 Mbps through my RB2011. In my case the config was using DHCP client and not PPPoE on my router, but think with PPPoE you shoul...

CZFan

You dont need to complicate things with Vlans, just use separate subnets and block with firewall

CZFan

Why complicate things with VLAN's, just create your IPs on each interface

CZFan

And more LTE products with old and slow cat4 modems...I dont understand how can anyone even get more than 100mbit from this, i cant get more than 30mbit sitting next to tower, while anything else from super old mobile phone(6-7 years) to 2x cheaper routers achieve at least 2x speed if not more.. Wh...

CZFan

It is your router, telling the mail server that the host (Girlfriend Cell Phone) is not reachable, i.e. she has left the building

CZFan

Minimum will be 2 rules, combine rules 1 and 2

CZFan

Don't need any bridges then, best way is to simply configure the gateway ip on each port

CZFan

Remove all bridges, then add the VLAN's directly to ether 1, then create first bridge for ports 2-4 and wlan.
Then create another bridge, put eth5 and vlan14 in it

CZFan

Do you need routed access between sites or must the be on same layer 2 network?

If routed, look at SSTP tunnel with one side that does not have public IP as a client and dial into the other site.

If you need layer 2, then look at bridge control protocol over SSTP

CZFan

you mean something like below?

/ip firewall filter
add chain=forward in-interface=<WAN interface> dst-address=a.a.a.2 protocol=tcp port=!80,443 action=drop

Search found 2104 matches