MikroTik

tdw

Configs posted there dont have dhcp client and gateway settings. No info what ip6 address was set for starlink interface.

As said before the WAN address and default gateway are obtained from Router Advertisments and the Mikrotik does not display these. Post your IPv6 configuration.

tdw

And logically, server address (gateway) cannot be accessible from provided prefix pool, because gateway must be somewhere in a provided prefix, usually this is 1st host. No. The prefix is a completely separate block of addresses to the 'WAN' connection from the provider. Some providers do steal the...

tdw

In IPv6 the roles and capabilities of a router and host are separated much more strictly than in IPv4, and also DHCP works slightly differently. You can only acquire an address with the DHCPv6 client if the provider supports it. DHCPv6 has no concept of a default gateway, the Add Default Route optio...

tdw

Post your configurations from /export hide-sensitive in a terminal window, after redacting serial number, public IPs, etc., in a code block for readbility (the '[]' icon in the menu above the text box when posting).

tdw

I don't think the bridge firewall rules have the necessary functionality.

Using MAC addresses to control access is very dated and easily spoofed, there are more modern approaches it may be worth considering. e.g. 802.1X, LLDP voice VLAN or vendor specific DHCP options.

tdw

The CPU on the CRS isn't capable of handling 10Gb, use suitably powerful external devices for bandwidth testing.

tdw

I tried using a single bridge, as suggested here https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841836#CRS1xx/2xxseriesswitchesexamples-Example2(TrunkandHybridPorts) but the problem is to assign different DHCP servers to different VLANs ( I cannot find a way to bind DHCP Server to V...

tdw

I suspect that the L2 tunnel is just triggering an underlying issue. The VRRP configuration is incorrect - the VRRP interface should have a /32 netmask with services bound to the main (not VRRP) interface, DHCP pools on the main and backup routers should not overlap as there is no lease synchronisat...

tdw

So it looks like the {{sfp-sfpplus4}} needs to be a hybrid port? No, it is just that you cannot specify the same vlan-ids multiple times under /interface bridge vlans , you have to specify all of the interfaces for a particular ID at the same time. Be aware that the default bridge spanning tree set...

tdw

There is no problem in having multiple src-nat rules on one router so outgoing traffic from each LAN subnet appears from a different public IP address. The question of one or more routers is more down to other things such as: Segregating managment, e.g. do the users of one LAN need management access...

tdw

To expand on post #6 you can import a CA and any intermediates generated elsewhere plus the server certificate and key. The CA and any intermediates should have the T flag, the server certificate should have the T & K flags. You can't duplicate the inbuilt certificate generation from one Mikroti...

tdw

The datapath.client-to-client-forwarding setting only applies to clients connected to the same CAP. With your settings: 1. Client A and Client B connected to the same CAP with SSID 'Mikrotik' can communicate 2. Client A and Client B connected to the same CAP with SSID 'Mikrotik Guest' cannot communi...

tdw

I have read many guides with wrong setups, without your help I would not have succeeded. Unfortunately many third-party guides and videos are incomplete or just wrong, often using outdated methods which are not applicable to newer firmware releases. The official Mikrotik help pages and old wiki pro...

tdw

Quickset should only be used for the initial configuration. You probably want CPE with Configuration Bridge and Bridge All LAN Ports as a starting point, then change settings with Winbox or Webfig. There are limitations in the 802.11 wireless protocol, these typically prevent true layer 2 bridging b...

tdw

You haven't specified which bridge the CAP should attach interfaces to, the main wireless network only works because the interfaces are (incorrectly) added to the bridge. /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=defconf interface=ether3 add ...

tdw

If your provider is only issuing a single /64 you are stuck with having to resort to NAT, you need multiple subnets to route IPv6. If you have an IPv4 address which does not block IP protocol 41 you could use a free Hurricane Electric tunnel. They even support dynamic IPv4, you just need a script to...

tdw

There isn't one, the SSH server listens on all interfaces. Default firewall rules have changed over time, currently they include 'drop input not from LAN interface list' which as you have found prevents access via VPN without additional rules or changes to the 'LAN' interface list. An earlier versio...

tdw

Offhand I'm not sure if multiple tunnels between the same public IP addresses will work with IPsec, the generated policies may interfere with each other so it would need testing. If you only used IPsec for the IPIP tunnel and established the EoIP tunnel between some internal IP addresses then the Eo...

tdw

Use GRE, IPIP or other IP tunnel plus routing for any subnets which are unique to a site. For any subnets which are shared across sites you are stuck with EoIP and a single gateway.

tdw

Your original question It is posible create something like split traffic? I mean that default gateway for the devices at branch offices would be the mikrotik in that office and send only internal company traffic over EoIP and Because if I need the same network on both branches are not compatible. To...

tdw

Firstly for the Mikrotik to pick up the default route you need /ipv6 settings set accept-router-advertisements=yes Note the learnt default route does not appear in the IPv6 routing table. I'm not sure why you have non-default ND parameters, perhaps from earlier versions. The current defaults for tho...

tdw

Random blogs and videos on the Internet are often incomplete, less than optimal, or just wrong. 'Managed Address Configuration' is incorrect, it should only be enabled if you have a DHCPv6 server. 'Add Default Route' is incorrect but sometimes works, using Router Advertisments is the correct method....

tdw

Whilst the certificates and keys are stored in the .backup they will only be fully restored on the original hardware. The keys will not be restored on other hardware, even if it an identical model. (Whilst restoring a .backup on other devices is not officially supported it mostly works - you can res...

tdw

No, there is a single DNS server instance which listens on all local interface addresses.

tdw

It would have been helpful if you had posted the complete configuration with sensitive data redacted at the start. The issue is you have two bridges and CRS3xx only supports hardware offloading on one bridge. Ideally remove Mgmt-Bridge and configure an IP address directly on ether1 for local managem...

tdw

The add bridge=BR_VLAN ingress-filtering=no interface=sfp-sfpplus3 pvid=10 is incorrect as the interface is a member of the bond AE2. Other than that not all VLANs are distributed to all of the interfaces/bonds, you have: AE1 - 1u AE2 - 1u AE3 - 1u AE4 - 1u, 30t, 50t, 60t, 70t, 80t AE5 - 1u, 10t AE6...

tdw

What is the output of the commands /interface bridge port print and /interface bridge vlan print detail?

tdw

This should all be happening at L2 only In which case you do not need any /interface vlan entries - these provide the link between tagged VLANs in the bridge and services on the Mikrotik itself, via the implicit bridge-to-CPU port. These, plus the bridge ports having tagged=External-Bridge,... will...

tdw

No. There are some things you can infer from SNMP such as IP addresses, routes, etc. but there is no way to determine others including firewall rules, IPsec/PPP secrets, etc.

tdw

All I needed to do to the above was change the WAN and LAN interface names. IPv6 interface lists would be nice :) Interface lists know nothing of higher level protocols, they can be used in IPv4 and/or IPv6 firewall rules. For info: DHCPv6 has no mechanism to obtain or provide a default gateway. Th...

tdw

Anyway, ARP doesn't exist as such for IPv6, as I understand it, as it is all done with ND. Yes. It appears the ISP has attached the /56 subnet directly to their end of the link, rather than routing it via a /64. Whilst it can be worked around with ND proxy or unnumbered links on equipment which sup...

tdw

Ubiquiti devices transmit minimal LLDP information on all interfaces, UISP uses this for the topology diagram generated data links. You can't turn it off.

tdw

There is no scripting needed, with only-one=yes a user cannot establish more than one connection.

tdw

If you set only-one=yes in the PPP profile used by a PPPoE or VPN server then only one connection can be established.

tdw

I suspect some ISPs enforce the requirement of DHCP requests having a specific 802.1Q priority to prevent any other devices a client has from acquiring an address if misconnected directly to the WAN. Requiring a specific DHCP option in the request would be a more friendly way of them achieving this ...

tdw

This has nothing to do with Mikrotik specifically, the same would be seen using a router from any other network vendor. It is well known that most Microsoft network drivers strip VLAN tags on ingress, so any tagged broadcast/multicast packets will also be delivered to the network stack rather than b...

tdw

No directly. As mentioned before Mikrotik builds an index whilst enumerating interfaces - each new interface is assigned a sequentially increasing value which does not change. It is odd that the ethernet interfaces are not sequential as they would be discovered after a factory reset and cannot be re...

tdw

The UI interface index is not the same, see what you get from /interface print oid - the final octet of the OIDs are the SNMP interface index.

tdw

SNMP typically reports an interface index provided by the underlying OS, or from how it has built its index whilst enumerating the interfaces. There is no mechanism with SNMP to change this.

tdw

You can configure the switch chip to make a subset of VLANs available on the ethernet ports and handle untagging, there isn't much you can do for the SFP port - maybe bridge filters. The CPU in the original hAP AC isn't great so you will only get wirespeed port-to-port throughput using the switch, i...

tdw

The default IPv6 settings include forward=yes and accept-router-advertisements=yes-if-forwarding-disabled so if you are forwarding you need to set accept-router-advertisements=yes , otherwise forward=no if the Mikrotik is just an endpoint rather than router. Received router advertisments are not dis...

tdw

Ethernet bonding is not the same as PPPoE MultiLink. Likely you want this https://wiki.mikrotik.com/wiki/Manual:M ... iple_links

tdw

Per my previous post you have to explicitly add tagged port membership in /interface bridge vlan , just changing frame-types is insufficient. The switch only has tagged VLANs on combo2 . Why are you adding VLAN interfaces with an ID of 1 to various ports, it is unusual and not recommended unless you...

tdw

If clients in the same subnet can't ping each other when connected via an unmanaged switch it has nothing to do with the Mikrotik, most likely client firewall rules.

tdw

Set the cAP bridge vlan-filtering=no, any tagged VLANs arriving via eth1 will be available to the dynamic wlan interfaces.

tdw

A port can only be a member of one bridge.

Your description seems inconsistent, you say ether1 and ether2 are bridged but ether1 is the WAN, ether2 and ether3 have the same subnet.

tdw

Is there anything else I would need to do on the switch to allow VLAN 100 to leave via the trunk? The /interface bridge vlan settings should include the interface in the tagged= list for the VLAN (assuming it's a CRS3xx using a VLAN aware bridge, CRS1xx/2xx use a different setup for hardware-offloa...

tdw

1 - Yes. Use a hybrid port which supports untagged and one or more tagged VLANs, an access port is untagged only. 2 - It depends on how your public IPs are delivered. If they are a routed subnet separate from the WAN transit, or the WAN connection is PPPoE, you can simply have a public LAN/VLAN and ...

tdw

Disabling Winbox completely would remove remote access. Rather than leaving accessible to the entire internet it is good practice to restrict access from a set of known addresses and/or setting up a VPN server on the Mikrotik so a VPN connection has to be established before a Winbox session can be s...

tdw

Your firewall rules will drop any new incoming connections other than those from the local LAN, you need to permit connections from the WAN(s) where connection-nat-state=dstnat in addition to the dstnat rule. The firewall rules are less than optimal, ideally they should be ordered so the most freque...

tdw

priority which is part of the STP "Bridge port ID" is the least significant of the selectors in the election process, "Root port path cost" is the most significant calculated from the sum of the path-cost values and usually the simplest adjustment to make to influence the active...

tdw

Don't use add bridge=bridge interface=all on the station. Add the wlan60-1 and wlan1 interfaces explicitly and set the spanning tree path cost to favour the 60G interface, also make sure that the AP itself or something upstream is the root bridge.

tdw

It varies depending on the Mikrotik device architecture. On CSS devices the ports are always part of the bridge. You can either assign two or more ports as a static link aggregation group or use LACP, either active or passive. From the help pages CSS610 use L2 hash https://help.mikrotik.com/docs/dis...

tdw

Does the modem support bonding and have you enabled it? AFAIK only some do, others support 2.5Gb on one of the ethernet interfaces instead.

tdw

CRS1xx/2xx devices do not support any hardware offloading when the bridge has vlan-filtering=yes . The bridge itself should be set to no and then configure the switch chip directly under /interface ethernet switch ... - see https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835 and ht...

tdw

It is, if the client does not verify the server certificate chain then you are open to man-in-the-middle attacks.

tdw

On the UDMSE WAN port, define the same tagged and untagged VLAN IDs that you did on the MikroTik router. You can't. On Ubiquiti gateway devices the WAN port is just a WAN port, you can't bridge other VLANs to the LAN ports. In a case where I needed to get an incoming WAN to a port on a Ubiquiti swi...

tdw

ah, the Rx Loss is indeed checked, but i'm unable to uncheck it, because it's grayed out. How can i uncheck this? It is a read-only value which reports the status from the SFP, you can't uncheck it. For a GPON SFP which only provide a management interface when active you have to connect it to the f...

tdw

See viewtopic.php?t=173692

tdw

It is expected behaviour, fastpath and mangle are not compatible.

tdw

Mangle and queues both require handling by the CPU so are not compatible with fasttrack or L3 hardware offload.

tdw

CRS devices have low performance CPUs as they were intended as wire-speed layer 2 switches with minor use of the layer 3 services provided by the CPU, they were never intended to be high performance routers. With RouterOS 7 some CRS3xx/CRS5xx devices can now use the switch chip layer 3 hardware offl...

tdw

You are setting some interfaces to be both untagged with pvid=10 and pvid=20 under /interface bridge port and also tagged with tagged= under /interface bridge vlan - a bridge port should be either tagged or untagged for any particular VLAN ID. Why are you specifying a relay= setting for the DHCP ser...

tdw

Printing a few sections of the settings doesn't provide much useful information, post the output of /export after redacting any identifying information (serial number, public IPs, etc.)

tdw

This is strange. The Ingress filtering box is checked already: The default in RouterOS v7 is ingress-filtering=yes , but in v6 is ingress-filtering=no (I always thought it was an odd choice as in almost all cases filtering is good). As with many other settings the default values do not appear in /e...

tdw

You are missing the bridge itself (i.e. the intrinsic bridge-to-CPU port) as a tagged member for the new VLANs, without these there is no connection between the /interface bridge vlan IDs on trunk/access ports and the /interface vlan connected to the bridge. So in this case: /interface bridge vlan a...

tdw

See https://help.mikrotik.com/docs/display/ ... ANandVLANs for VLAN setup examples on RB260 / CSS devices running SwOS.

The link you posted refers to setup on RB / CRS devices running RouterOS.

tdw

You are missing the bridge itself (i.e. the intrinsic bridge-to-CPU port) as a tagged member for all the VLANs except your base VLAN. Without these there is no connection between the other /interface bridge vlan IDs on trunk/access ports and the /interface vlan connected to the bridge. /interface br...

tdw

It doesn't work like that. If you wish to isolate clients layer 2 / ethernet traffic you need to look at bridge horizon or port isolation, and disabling client-to-client traffic on any wireless APs. As this at the ethernet level the isolation applies to all packets, including IP - it cannot be diffe...

tdw

The only annoying part of that is you seem to have to make a special remote pool of one and Burn an IP for the PPPOE server itself. I tried not having a PPPOE server local address but it wouldn't work .. I am guessing you have to do something fancy without it. The local PPPoE server address can be ...

tdw

According to the wiki, the Mikrotik 3011 has no VLAN filtering. Or am I wrong? Where do I have to configure the 3011 untagged? /interface bridge port ? or here /interface ethernet switch vlan? It has no hardware-offloaded VLAN-aware bridge support. This is only an issue if you have significant traf...

tdw

The /interface bridge vlan section, plus the pvid and vlan filtering settings under /interface bridge port , have no effect unless the bridge has vlan-filtering=yes . Do not attempt to use a VLAN-aware bridge and switch chip at the same time, and given the issues with hardware VLAN switching on devi...

tdw

There do not appear to be any valid bridge ports, are you using this purely as a router? If so, leave the switch settings at their default values and just attach the IP address to the bond interface: /interface vlan add interface=LAG10 name="vlan1 - Legacy" vlan-id=1 ... /interface etherne...

tdw

Post your configuration

tdw

You can only have LACP to multiple switches if they implement MLAG. Not available in SwOS, but CRS3xx/CRS5xx/CCR2x16 devices running RouterOS 7 do https://help.mikrotik.com/docs/display/ ... tion+Group

tdw

If the majority of the traffic will undergo NAT or routing then the additional CPU load of VLAN-aware bridging is minimal. Using the switch chips only has a benefit for traffic between ports in the same VLAN, e.g. between a PC and NAS, other than on the very recent models which support L3 hardware o...

tdw

It looks as though when @pcunite reworked the Router-Switch-AP config some errors crept in as # L3 switching so Bridge must be a tagged member /interface bridge vlan set bridge=BR1 tagged=BR1 [find vlan-ids=80] set bridge=BR1 tagged=BR1 [find vlan-ids=90] only works if the bridge VLANs already exist...

tdw

The Mikrotik VLAN setup does have a steep learning curve, and it isn't helped by various changes which have been made to RouterOS over the years - historically you had to use a bridge per network/VLAN until VLAN-aware bridges were introduced. The main issue with your setup is you have configured the...

tdw

When sorting out your switch take note that CRS1xx/2xx do not support hardware-offload with a VLAN-aware bridge (i.e. where the bridge has vlan-filtering=yes ) You can use a VLAN-aware bridge but the performance will not be good, an example of the correct method to keep hardware offload is https://w...

tdw

Scripts are not needed, create a PPP profile including an address-list= property. Client addresses will be added to the list when the session is established, and also removed when the session terminates.

tdw

Without seeing the configuration it is impossible to say what is wrong, post the output of /export hide-sensitive after redacting any other information such as public IP addresses. From the symptoms most likely firewall rules, VPN DNS settings. Using multiple bridges is generally not optimal as hard...

tdw

Which service, as Mikrotik can use RADIUS for dhcp, dot1x, hotspot, ipsec, login, ppp and wireless. Likely you are running into a fundamental issue with RADIUS which typically needs either the credentials to be transmitted in plaintext secured by some other mechanism (e.g. TLS), or the credentials s...

tdw

As others have said you can only have a single bridge with hardware offload on your device. The D indicates the port is added dynamically, in this case from /interface bridge port add bridge=B-1 interface=static . This is generally not a good idea, add each port explicitly to the bridge. The only me...

tdw

I'm surprised the hotspot works at all as that configuration points to a folder which doesn't exist, given what you have posted it should have html-directory=DH-HOTSPOT for the hotspot server to use your uploaded files.

tdw

If the VPN client uses an address which overlaps with the local subnet you have to enable proxy-arp so the Mikrotik replies to ARP requests from local devices on behalf of the VPN client. However, as you say you can SSH from the client on 10.1.1.200 (the VPN connection) to the server at 10.1.1.10 (o...

tdw

Hopefully that .backup isn't from the hEX S and been applied to the 4011 - restoring a backup from a different model often results in odd behaviour. What files are there in the DH-HOTSPOT folder, and what is HTML Directory set to under IP > Hotspot > Server Profiles (or html-directory= setting from ...

tdw

The default hotspot directory path is hotspot for devices with larger NAND, and flash/hotspot for smaller NOR storage. I wouldn't expect having the hotspot directory set to flash/hotspot to work on devices which don't present a flash directory unless there is a hidden symbolic link in the filesystem.

tdw

From that error likely the same MAC address used at both sites. Post your configuration.

tdw

I used https://www.ncsc.gov.uk/guidance/using-ipsec-protect-data as a reference several years ago, the legacy profile being more than suffcient for the data involved. /ip ipsec profile set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 /ip ipsec proposal set [ fin...

tdw

There is certainly no problem using the default VLAN 1 untagged, e.g. if you have a working setup based on the intital configuration and then add some additional tagged VLANs on top. Using VLAN 1 tagged however is full of traps for the unwary, and a number of vendors hard-code VLAN 1 to be 'untagged...

tdw

You can only acquire an address with the DHCPv6 client if the provider supports it. The most common mechanism is to use received router advertisments (RA) which unfortunately are not displayed by RouterOS, as discussed in other forum posts, and was completely broken in earler releases of RouterOS v7...

tdw

See https://help.mikrotik.com/docs/display/ ... HairpinNAT. Static DNS so internal and external lookps return corresponding internal and external addresses as an alternative should be fine too.

tdw

See https://forum.mikrotik.com/viewtopic.php?p=936148#p936148 * Dropped Input SYN from INPUT Those are probably normal. My guess is it comes mostly from scanners examples: ``` input: in:telekom-pppoe out:(unknown 0), proto TCP (SYN), 14.135.120.222:53950->my.public.ip:195, len 52 input: in:telekom-p...

tdw

Do you mean forward error correction? Yes There are comments in the Ubiquiti forums suggesting it is always enabled on their devices, e.g. https://community.ui.com/questions/Feature-Request-Ability-to-adjust-FEC-settings-on-SFP28-ports/fc21e071-c832-461b-b696-e19986d4b714 There appears to be nothin...

tdw

During testing I tried setting values on both sides by disabling auto negotation, setting the ports speed manually, enabling, disabling flow control, etc. Nothing worked. Was that just speed autonegotiation? SFP28 introduced FEC to detect and correct link errors, it needs to be the same at both ends.

tdw

It is somewhat unusual to configure DHCP to hand out a DNS server address in a different subnet when the Mikrotik is also the gateway for those subnets, nothing immediately obvious but could be something in the firewall rules. Does the Mikrotik obtain DNS addresses from the PPPoE client? They should...

tdw

Pools are as the name suggests are a pool / list of addresses. When an item is allocated from the pool it cannot be used by anything else until released. There are address lists and interface lists which can be used in place of hard-coded addresses or interfaces, but only in certain places such as f...

tdw

MNDP is broadcast to UDP port 5678, so tcpdump -i myinterfacename -s 0 -X broadcast and udp and dst port 5678 It consists of a number of TLVs, type and length are both 16-bit network byte order, i.e. big endian. I'm not aware of any official documentation, the Wireshark dissector code https://gitlab...

tdw

MNDP is broadcast so visible to everything within the layer 2 network, it doesn't provide information as to where it is within the network. LLDP requires special handling as each port on a device has to transmit different information, as it includes the port identity, and the device must not forward...

tdw

Probably due to using using local-address=pool_router in the PPP profiles - as the pool only contains one address the pool is them empty for subsequent connections. Use local-address=192.168.1.1 instead. Pools should not overlap, it would be wise to delete pool_router , pool_local and dhcp_pool1

tdw

Along the lines of my earlier post, the JumpCloud RADIUS Server documentation says: Device or service endpoint that supports RADIUS and either EAP-TTLS/PAP or EAP-PEAP/MSCHAPv2 authentication methods. Simple PAP may also be used, but we highly recommend you use a more secure authentication protocol ...

tdw

Not that I am aware of. I don't imagine any other network switch would pass them either if the packets have an invalid CRC.

tdw

If the clients are not behind the same public IP address it should just work. Use /export hide-sensitive for RoS v6 or just /export for RoS v7, copy the output, remove any other sensitive or personal information (such as serial number, static public IP addresses, credentials in scripts), and post in...

tdw

Likely you do not have /ip dns set allow-remote-requests=yes , without this the Mikrotik will only use any supplied DNS servers to resolve requests from itself and ignore requests from anything else. Generally it is best to post the actual configuration from the device rather than the script you app...

tdw

For devices with Atheros/Qualcomm switch chips you have to use a non-VLAN-aware bridge, otherwise hardware offload / switching is disabled, and then use switch rules - see https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-RuleTable . There are specific issues with th...

tdw

It is odd that the sniffer is not picking up the ICMP activity. If you use an online traceroute tool, instead of ping, how far does the trace reach?

tdw

As the VPN client uses an address from the LAN you have to enable proxy ARP on that interface (bridge1). This is so the Mikrotik can answer ARP requests from devices connected to the local LAN ethernet on behalf of the VPN client. You may wish to change your IPsec secret not having redacted it, and ...

tdw

Nothing immediately obvious. If you use any online IPv6 web tools to ping AA:BB:CC:6b0::1 do you see anything with the packet sniffer on ether1 RX?

tdw

I was referring to the IPv6 address being added to the LAN (interface=bridge) from the pool, not the WAN (interface=ether1) address.

If ICMP works but other traffic doesn't it suggests a firewall issue. Post the output of /ipv6 export after redacting any public IP addresses, etc.

tdw

Of note is the IP assigned to the ether1 interface is not from the same /64. The pool handed out via DHCPv6 is AA:BB:CC:6b0::/64, but the IP automatically assigned when I turned on RA in the settings is AA:BB:CC:6af:DD:EE:fe05:3a04/64. When I run ping from the router it shows up as from AA:BB:CC:6a...

tdw

Is the subnet routed to you? Do you have proxy-ARP enabled on any interfaces? An export of the configuration would help.

tdw

There is nothing incorrect with using VLAN 1, you just need to take care as it is the default PVID on Mikrotik bridges and bridge ports so does not appear in the export which defaults to compact . The main issues with your original config are having use-service-tag=yes , which selects an ethernet ty...

tdw

In the last posted configuration the interface to the switch, and onward to the WAN connections, is not in a bridge. Should be something like /interface bridge ... add name=bridge protocol-mode=none /interface bridge port add bridge=bridge interface=sfp2 /interface vlan ... add interface= sfp2 bridg...

tdw

See https://help.mikrotik.com/docs/display/ ... NFiltering

tdw

A single VLAN-aware bridge on each Mikrotik. Individiual physical, logical(LACP/bond) and tunnel (EoIP) interfaces as bridge ports with PVID settings and bridge port vlan membership as required. Unless you really need layer 2 connectivity between sites, which has performance implications as the traf...

tdw

What is your use case, do you really need layer 3 hardware offload? CRS devices have low performance CPUs as they were intended as wire-speed layer 2 switches with minor use of the layer 3 services provided by the CPU. With RouterOS 7 some CRS3xx/CRS5xx devices can now use the switch chip layer 3 ha...

tdw

It can be confusing with both the CAPsMAN and CAP on the same device. Under /caps-man datapath the bridge= setting is only used for CAPsMAN forwarding. If using local forwarding you have to set bridge= under /interface wireless cap , as this is missing it is using the manually added bridge ports for...

tdw

No, the page you linked to and quoted says Bridge HW vlan-filtering was added in the RouterOS 7.1rc1 (for RTL8367) and 7.1rc5 (for MT7621) versions - this only provides layer 2 / ethernet hardware offloading on a VLAN-aware bridge (previous RouterOS on these models only supported hardware offloading...

tdw

You have too many bridge port members. The wlan interface membership will be added automatically by CAPsMAN. The VLAN interfaces are already connected to the bridge, they should not added as ports. /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=de...

tdw

DHCP servers cannot be attached to child/slave interfaces but VLAN interfaces are fine, in this case the DHCP servers should be attached to the VLAN interfaces on the CAPsMAN controller. Post your current configurations - in a terminal window use /export hide-sensitive for RoS v6 or just /export for...

tdw

Use a single bridge on both the CAPsMAN controller and CAPs. Configure the datapaths for each SSID with a VLAN. Add /interface vlan to the CAPsMAN controller bridge for the corresponding VLAN IDs used in the datapath, these provide access from the bridge VLANs to services provided by the Mikrotik CP...

tdw

The switch connfiguration looks incorrect as VLAN 1 should not be set to untagged on ports 1, 2 or 3. You can only have one untagged VLAN on a port, not all devices enforce this in their settings so you can configure invalid setups. All three PPPoE clients are shown as running. Just creating multipl...

tdw

Under /interface ethernet switch vlan switch1-cpu passes traffic from the switch chip to the CPU, only required for VLANs connected to services provided by the CPU such as IP address, routing, DHCP server and software-based interfaces (tunnels, wireless). Under /interface ethernet switch port use vl...

tdw

If I remember correctly that model has no user interface, all of the device control is by way of the pushbutton and PoE on/off switch. You may be able to communicate with them using the Qualcomm open-source PLC utilites, although there is no real need to.

tdw

WiFi authentication is not the issue here. The OP wanted to authenticate logins to the Mikrotik itself which requires the RADIUS server to support plain MS-CHAPv2, not encapsulated EAP

tdw

There will be little difference in performance between the old-style multiple bridges and a single VLAN-aware bridge, so whilst configuring the switch chip would improve performance it may not be necessary. It is certainly possible to migrate from the old-style multiple bridges to a single bridge wi...

tdw

Winbox will run under Wine on Linux and macOS. Open a terminal session/window (you can either SSH to the Mikrotik or use New Terminal in Winbox, I can't remember if the web interface has an equivalent). The command /export hide-sensitive (for RouterOS 6, or just /export in RouterOS 7) generates a te...

tdw

If you have more than one WAN you need mangle rules for IPv4 if doing anything other than active-backup failover. It is currently not possible have more than one IPv6 WAN connection (see the numerous form posts). If the ISP doesn't assign a fixed IP it would be unusual to be able to force one by set...

tdw

Draytek modems support DSL connections, not cable which is typically DOCSIS. PPPoA is only applicable to ADSL variants as VDSL uses PTM framing instead of ATM cells. You should not have to specify the WAN address, it will be assigned during link negotiation. There are many posts in the forum regardi...

tdw

You have an incomplete mix of old-style bridge-per-vlan and new-style VLAN-aware bridge. Use a single VLAN aware bridge, see the section https://help.mikrotik.com/docs/display/ ... NFiltering in the documentation

tdw

They can be configured standalone or with the controller, there are various manuals and guides on the TP-Link support website. You may be able to use their app to configure the device directly, otherwise connect it to a regular untagged network which has a DHCP server, find the IP address of the TP-...

tdw

Bridges have an implicit bridge-to-CPU port which provides access from all of the other bridge ports to IP resources (e.g. DHCP, routing, etc.) on the Mikrotik itself, see https://forum.mikrotik.com/viewtopic.php?t=173692 You need to include this port in the bridge VLAN membership /interface bridge ...

tdw

You can, but it introduces a layer of NAT so you have to configure port forwarding on both the Mikrotik and Synology routers. For example if the Hex S is using its default LAN of 192.168.88.1/24 and the RT2600AC has a "WAN" address of 192.168.88.2/24, set either statically or by DHCP reser...

tdw

You could either use hybrid instead of trunk ports with management VLAN untagged + all WiFi VLANs tagged, or set the EAP660 to use a VLAN for management as shown in https://static.tp-link.com/upload/manua ... 110_UG.pdf on page 83.

tdw

So on your CCR /ip address add address=10.101.1.1/32 interface=sfp12 network=RR.SS.TT.UU which will automatically add the /32 route And if the other device were a Mikrotik /ip address add address=RR.SS.TT.UU/32 interface=ether1 network=10.101.1.1 /ip route add comment="default gateway" dis...

tdw

Neither of those links show the correct method, they may luckily work for those particular users setups and ISPs. You should not have a DHCPv4 client as the DS-Lite is not set up that way, and you certainly should not be setting a tunnel address which overlaps with your WAN. The DS-Lite standard (se...

tdw

Mikrotiks and various other devices support /32, you can use any local address on the Mikrotik for the CCR end and one of your spare public addresses for the machine end. If the public addresses are attached to a layer 2 network you will have to enable proxy ARP.

tdw

As the supplicant ends up in the authenticated state it must be mostly working. If the Mikrotik cannot log the unencrypted payload of the EAPOL-Packet EAP-Request/EAP-Response messages then whatever logs/debugging that the Cisco ISE provides may shed some light. Bridging another interface such as a ...

tdw

Configured with a single bridge having vlan-filtering=no so VLAN tags are not treated differently to any other ethertypes? On the bridge vlan-filtering is enabled. This was with reference to your statement about the CRS, but you posted the CCR configuration. That looks fine except /interface bridge...

tdw

Any hints of how to force the dot1x module to do the additional MSCHAPv2 Auth? Or do you suspect it's doing MSCHAPv2 here, encapsulated by the PEAP tunnel, with the log only showing details about the PEAP tunnel? Yes. From the help pages eap-peap actually means PEAPv0/EAP-MSCHAPv2. When I remove EA...

tdw

Here I am running CAPSMan using VLANs on the CCR with the "bridge" method. Do you mean local forwarding mode? On the CRS328 switches I am not doing anything in the VLAN sections. Configured with a single bridge having vlan-filtering=no so VLAN tags are not treated differently to any other...

tdw

The configuration appears to contain random bits and pieces taken from bad examples. Firstly the IPv6 setup is incorrect: DHCPv6 has no mechanism to obtain or provide a default gateway. The Mikrotik DHCPv6 client add-default-route=yes is a hacky bodge, it uses the address of the DHCPv6 server from w...

tdw

There are limitations with wireless connections, especially if AP & station are not from the same vendor. See https://wiki.mikrotik.com/wiki/Manual:W ... tion_Modes

tdw

It depends if the switch firmware provides any access to the switch chip FDB management.

tdw

Depending on how the D-Link and TP-Link switches are connected to the rest of your infrastructure it may be switch FDB entries have to age out, this can be as much as 5 minutes depending on the make/model and/or settings where configurable.

tdw

The PPPoE client is an IP interface, not an ethernet interface, so you cannot add it to a layer 2 bridge.

tdw

Hopefully that isn't connected directly to the internet, not having any rules protecting it from external access. As written the masquerade rules will act on all traffic, including between subnets, not just externally. It may be that, although the forward chain is processed before srcnat so the rule...

tdw

There are a number of issues with using multiple bridges with VLANs
…for devices with switch chips.

No, there can be an number of issues when using switch chips or not. In this case the Bridged VLAN on physical interfaces scenario is likely to cause problems.

tdw

All of those VLANs (3500, 3508, 3510, 3518, 3520, 2528) will be tagged on egress/ingress on the physical interfaces. There are a number of issues with using multiple bridges with VLANs, see https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration , a single VLAN-aware bridge is the preferr...

tdw

That provides no useful information.

As other have said post the output of /export hide-sensitive (RouterOS 6) or /export (RouterOS 7) after redacting any other potentially sensitive information (serial number, public IP addresses, scripts containing credentials)

tdw

For some reason the network is still reachable from VLAN31 to VLAN32. Setting firewall rules did not have any effect. Any idea why? Order of the rules is important, post all of the configuration not just small extracts. Also do you know why bridge-local has to be added as tagged in /interface bridg...

tdw

It depends on how you configure the interfaces on the devices. You can have all VLANs tagged only (sometimes referred to as a trunk interface or port), or one untagged and the remainder tagged (sometimes referred to as a hybrid interface or port).

tdw

No. The default forward policy is allow, you have to explicitly add rules to drop inter-VLAN traffic.

tdw

That has nothing to do with the VLANs being tagged or untagged, inter-VLAN access is determined by firewall rules on the Mikrotik.

tdw

If you are using the UniFi controller default network, which is always untagged, for management just attach the Staff network SSID to that. You do not need a network defined for VLAN 31, only VLAN 32 & 33 to be able to link SSIDs to those. Configure the Mikrotik port connected to the AP with VLA...

tdw

You want to pick a channel that isn't in the DFS block (radar sensing ones)

That is impossible in any country subject ETSI regulations, all channels permitted for outdoor operation mandate DFS.

tdw

It was not clear in the original description that they were different bridges, so that is fine.

The EoIP interface should have mtu=1500 per the documentation, a lesser value will break things in odd ways. Then the sfp28-1 interface should have a MTU to accommodate the encapsulation and encryption.

tdw

No, the connection tracking handles replies. The dstnat rules are for the inbound port forwarding, the srcnat rules are for any outbound connections from the servers e.g. package updates. Rule order is important, any specific srcnat rules must appear before the generic srcnat/masquerade rule which h...

tdw

Assuming the servers have private IP addresses all you need is both addresses added to a single WAN interface and appropriate srcnat / dstnat rules, routing marks/tables and mangling are not required, e.g. /ip address add address=x.x.150.227/28 interface=ether1 add address=x.x.150.232/28 interface=e...

tdw

MAJOR CHANGES IN v6.43:
!) radius - use MS-CHAPv2 for "login" service authentication;

tdw

Why have you added the SFP interfaces to the bridge? The ethernet traffic will be encapsulated by the EoIP interface and routed across the /30 subnet between the SFP interfaces at either end. I'm surprised you do not have a broadcast storm by having both the EoIP and SFP interfaces in the same bridg...

tdw

You can't do it the new way it won't work on most hardware as the port is neither pure access or trunk. That is completely incorrect - VLAN-aware bridges support untagged only (access), 1 or more tagged only (trunk), or untagged with 1 or more tagged (hybrid) on any bridge port. The only devices wh...

tdw

There is no mechanism to open a TCP connection and send arbitrary data on Mikrotiks. Implementing only read-holding-registers is an odd choice as these are typically device outputs or settings, if only a single Modbus command was going to be implemented read-input-registers would have been a better ...

tdw

Using multiple bridges is the old way of connecting multiple VLANs between ports and/or the Mikrotik services, and has many pitfalls https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration . The suggested configuration has multiple faults, a single VLAN-aware bridge with appropriate confi...

tdw

The default firewall rules have add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN so VPN connections would be blocked by default. Ping works due to the rule before this add action=accept chain=input comment="accept ICMP" protocol=icmp . You...

tdw

There are two separate functions: A Modbus TCP server to serial port gateway: /iot modbus set which takes parameters disabled , hardware-port , tcp-port , timeout . A Modbus client: /iot modbus read-holding-registers which takes parameters ip , port , num-regs , reg-addr , slave-id , timeout (plus t...

tdw

I guess some scripting is needed? No. From the top of the help article "The feature allows KNOT to act as a TCP bridge and read data from Modbus-supported devices connected to a 2-pin terminal block on the board. Modbus clients (slaves) can access the data from the Modbus server (master - KNOT...

tdw

if using ppp then you maybe need to "interface/pppoe-client/set add-default-route=no ..."

Unlikely. add-default-route=yes is OK on point-to-point connections such as PPPoE, the usual misconfiguration is to also enable add-default-route in the IPv6 DHCP client.

tdw

I configure 2406:xxx::1/64 to ethernet1 and 2406:xxx::2/64 to a laptop. When I try to traceroute to Internet, it doesn't go beyond 2406:xxx::1. Please help.

How are things connected together as ether1 is usually the WAN connection?

tdw

The VLAN membership of the Netgear only shows 1 VLAN at a time so I'll post here what it is. As for Port PVID, all ports I put in VLAN 99. VLAN Membership of switch is as follows Port 1 has all VLANS tagged As with the Mikrotik you are mixing untagged and tagged operation for the same VLAN ID. Any ...

tdw

You have /interface bridge port add bridge=bridge comment=defconf interface=ether5 # with default pvid=1 but /interface bridge vlan add bridge=bridge tagged=bridge,ether3,ether4 untagged=ether5 vlan-ids=99 so mixing tagged on ingress and untagged on egress for VLAN 99. You haven't shown the Netgear ...

tdw

Screenshots rarely provide all the information, posting the configuration (from running /export in a terminal window) after redacting any public IP addresses, serial number, etc. provides the exact setup, in this case /ipv6 export is probably sufficient. You appear to have disabled IPv6 forwarding s...

tdw

You are manually setting an ARP entry which conflicts with the DHCP lease entry:

/ip arp
add address=192.168.1.10 interface=bridge1 mac-address=00:25:90:4B:6B:4B
and
/ip dhcp-server lease
add address=192.168.1.10 client-id=1:e4:35:c8:7e:37:ee mac-address=E4:35:C8:7E:37:EE server=dhcp1

tdw

Oops yes, I misread the section. But as you say the gateway=0.0.0.0 and gateway=0.0.0.1 entries make no sense for the DHCP server and should be removed.

tdw

There should be no need to change the MTU of either the base ethernet interface (Fiber) or the VLAN on top of it (Telenor VLAN101) as this only affects layer 3 IPoE packets, PPPoE is layer 2 and easily fits within the L2MTU of 1594. With providers supporting RFC4638 this certainly works on 6.48.6 an...

tdw

You do not add IP addresses to bridge members. To make ether4 untagged reachable with IP: /interface vlan add interface=bridge1 name=vlan_prod vlan-id=28 ... /interface bridge vlan add bridge=bridge1 tagged= bridge1, ether1_trunk untagged=ether4_prod vlan-ids=28 ... /ip address add address=10.36.8.1...

tdw

Additionally the configuration has more than one of these https://wiki.mikrotik.com/wiki/Manual:L ... figuration, use a single VLAN-aware bridge.

use-ip-firewall=yes impacts performance, it is not necessary in most use cases.

tdw

The change-tcp-mss=yes setting in the default and default-encryption PPP profiles will sort out MSS clamping on the PPPoE connection (PPPoE client interfaces default to the default profile). The PPPoE client MRU/MTU should be adjusted to best fill any segmentation imposed by the WAN technology, ofte...

tdw

Unfortunately you cannot, it is an annoying omission from RouterOS.

tdw

What do you mean by mapp? There are tunnel interfaces - 6to4 which encapsulates IPv6 packets for transport across an IPv4-only network, and ipipv6 which encapsulates IPv4 packets for transport across an IPv6-only network. It is impossible for IPv4 clients to access IPv6 hosts. There are transition m...

tdw

You only need to mark connections in the input chain for traffic arriving via the backup interface, plus the usual mark routing from connection mark and a routing table with a default route via the backup gateway. Either a whitelist and/or using a VPN server on the Mikrotik to gain access to Winbox ...

tdw

It is standard UK Openreach drop wire which can run upto 68 metres unsupported overhead. Thick UV resistant polythene sheath, ripcord, three steel strength members (one uninsulated, two with cream insulation) and a single signal pair coloured orange & white, either Dropwire 11 with 0.5mm diamete...

tdw

I believe these work in order of operation - and if that rule is first it will catch-all and try give a gateway of 0.0.0.0 - which will never work. M ove the 10.0/24 rule (the 3rd one) to the top of the list so it matches first and the client is given 192.168.10.1 as gateway - as then it'll at leas...

tdw

No, fasttrack is a connection tracking attribute.

tdw

When the Mikrotik connection tracking sees the end of a TCP conversation (FIN -> ACK+FIN -> ACK) the tracking entry is removed. Any repeated or unsolicited invalid transmissions from a client, e.g. FIN+ACK, RST+ACK or RST will not create a new connection tracking entry so no NAT will be applied. Thi...

tdw

Try adding a firewall rule add action=drop chain=forward connection-state=invalid after the accept established/related.

tdw

It may have been unintentional. If you make a .backup on one device and restore it on another (not officially supported but works if the two devices are the same model) various things, including the original MAC addresses, are cloned. These can be reset - in Winbox if you open an interface one of th...

tdw

also test-ipv6.com gives me this message: Your browser has a real working IPV6 address but is avoiding using it. If you are using Windows then IPv4 is favoured over IPv6 ULA C:\>netsh interface ipv6 show prefixpolicies Querying active state... Precedence Label Prefix ---------- ----- --------------...

tdw

And don't use all-zeros for the host part of the address, it is reserved. Use add address=::1/64 from-pool=private-pool interface=... or add eui-64=yes from-pool=private-pool interface=...

tdw

You can't remove it but it can be disabled /ipv6 settings set disable-ipv6=yes

tdw

hAP ac2 has gigabit ethernet interfaces, hAP lite has fast ethernet interfaces. As #3 works I suspect your PC also has fast ethernet rather than gigabit. Less expensive media converters do not support different rates on the copper and optical interfaces, or it may be a poor design which advertises c...

tdw

Changes along the lines of: ... /interface bridge add arp=proxy-arp name=bridge-lan # proxy ARP is not required ... /interface sstp-server add name=sstp-in1 user=name # name should match the PPP secret username ... /ip firewall nat add action=masquerade chain=srcnat out-interface=bridge-wan add acti...

tdw

My boss would like to Ping the ISP 1 devices while connected to VPN client and vice versa. I told him that with my knowledge its not possible and the local subnet for one ISP should be different. He keeps insisting that a simple firewall rule will do the trick. The issue is that each mikrotik has a...

tdw

For the route, yes. I suspect updates worked because the DNS entry was cached, add 192.168.3.1 as a DNS server too.

RouterOS can be rather a steep learning curve, it is basically linux underneath with a custom user interface on top.

tdw

The power line interface should behave as any other ethernet-like layer2 interface, so the example https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#VLAN_Example_#1_(Trunk_and_Access_Ports) should work with pwr-line1 as the trunk and an ethernet interface as an access port. Unless you really ne...

tdw

You can add a default route under IP > Route and a DNS server under IP > DNS. Alternatively if the router you are connecting this Mikrotik to supports static DHCP leases you could assign an address that way.

tdw

Why are you manually handing out/assigning FE80:: addresses? This seems wrong.. Is it a static /48? I strongly suggest you use that instead.. IPv6 prefixes.. IPv6-Pool and IPv6-DHCP-Server on your central router. It is nothing to do with the user configuration or global unicast (GUA) / unique local...

tdw

As the Mikrotik is responding with ICMP host unreachable that suggests the issue is with the Mikrotik - AnyNode connection. If the ARP table entry expires and is not refreshed for some reason the Mikrotik would send that response.

tdw

It is already open by way of the connection tracking shown in post #5.

Getting ICMP host unreachable responses points to something more complex, hence the requests to see a packet trace of the registration process.

tdw

Does the Mikrotik DHCP client have use-peer-dns=yes? Is the DHCP server configured to send DNS server(s) (option 6) if requested by a client?

Search found 1850 matches