microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Something must be really wrong on my configuration. Needs real help here!  [SOLVED]

Tue Sep 07, 2021 12:16 pm

I am configuring my hex 750Br3 with:
EN2 with an unmanaged switch where I have my UAP AP and all my cctv and IoT devices outdoors.
EN3 with another netgear unmanaged switch with all the employees' LAN PCs/Macs, and a UAP AP indoor.
EN4 where I have other LAN devices and a PPPoE connection to a UAP AP and Radius/Userman.
EN5 to have a PPPoE connection to another device located next door at the LAB.

I have not configured any bridges on any of the EN ports, having read a few posts advising against it, since the hex ports other than EN1 & 2 are all slaves. I can not figure out how to divorce them from it coz there aint no dialog on the form to do so, nor am I aware what to do, so I tried my way to get my config going.

Now, right in the middle of doing the DHCP servers, the address list, DHCP servers and routes all went RED and Routes told me all but 2 are unreachable. I still can not figure out why, being a newbie, but maybe it is because I haven't plugged my cables in yet on en 3-5 coz I am doing this at the lab?

Can someone assist me or slam my head with the right scripts or a window to fix my little hex? I am out of juice already and it seems my paycheck will never come this month LOL.

I am hoping this friendly forum can help.
Thank you,
Last edited by microtikgroup on Fri Sep 10, 2021 11:45 am, edited 2 times in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 12:34 pm

/export hide-sensitive file=anynameyouwish
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 12:50 pm

/export hide-sensitive file=anynameyouwish
Thank you. I will. Let me export in a few; I am just a few mins away from my workstation.

The storm took all my time yesterday, and today the clean-up and taking the tree out of my yard/terrace. Sorry for not getting back quickly, but first things first before I lose my mind!! gracias!
Last edited by microtikgroup on Thu Sep 09, 2021 1:03 am, edited 2 times in total.
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 12:56 pm

/export hide-sensitive file=anynameyouwish
Here you go. I missed the quotes; I am totally new to this, I mean RouterOS/MikroTik. It can be exhilarating and exhausting. Thank you.
# sep/07/2021 17:26:39 by RouterOS 6.48.3
# software id = W1JP-EHJP
#
# model = RB750Gr3
# serial number = CC220D0F73DA
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_cctvIoT-pool1 ranges=192.168.88.30-192.168.88.199
add name=dhcp_LAN-pool2 ranges=192.168.2.50-192.168.2.199
add name=dhcp_Radius_pool3 ranges=172.16.0.10-172.16.0.254
add name=dhcp_PPPoE_pool4 ranges=10.0.2.10-10.0.2.254
add name=dhcp_pool5 ranges=10.0.2.10-10.0.2.254
/ip dhcp-server
add address-pool=dhcp_cctvIoT-pool1 disabled=no interface=ether2 lease-time=\
    1h name=dhcp_ccctvIoT
add address-pool=dhcp_LAN-pool2 disabled=no interface=ether3 lease-time=1h \
    name=dhcp_LAN
add address-pool=dhcp_Radius_pool3 disabled=no interface=ether4 lease-time=1h \
    name=dhcp_Radius
add address-pool=dhcp_pool5 disabled=no interface=ether5 lease-time=1h name=\
    dhcp_pppoe
/ppp profile
set *0 local-address=172.16.0.1
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface list member
add interface=ether1 list=WAN
add comment="UAP AP cctv-IoT" interface=ether2 list=LAN
add comment="LAN Mac/PCs" interface=ether3 list=LAN
add comment="UAP AP Radius/Userman" interface=ether4 list=LAN
add comment="PPPoE connectiion" interface=ether5 list=LAN
/interface pppoe-server server
add disabled=no interface=ether4 service-name=service_pppoe
/ip address
add address=192.168.88.1/24 comment="IoT cctv" interface=ether2 network=\
    192.168.88.0
add address=192.168.2.1/24 comment="LAN pool2" interface=ether3 network=\
    192.168.2.0
add address=10.0.2.1/24 comment="PPPoE pool4" interface=ether5 network=\
    10.0.2.0
add address=172.16.0.1/24 comment="LAN Radius pool3" interface=ether4 \
    network=172.16.0.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.2.0/24 dns-server=10.0.2.1 gateway=10.0.2.1
add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1 netmask=24
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 \
    netmask=24
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.88.0/24 comment="LAN Ether2" list=LANen2
add address=192.168.2.0/24 comment="LAN Ether3" list=LANen3
add address=172.16.0.0/24 comment="LAN Ether4" list=LANen4
add address=10.0.2.0/24 comment="LAN Ether5" list=LANen5
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
set accept=yes
/system clock
set time-zone-name=Asia/Manila
/system identity
set name=01RB750Br3
/tool user-manager database
set db-path=flash/user-manager
Last edited by microtikgroup on Sun Sep 12, 2021 10:34 am, edited 1 time in total.
 
Jotne
Forum Guru
Posts: 3279
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 2:01 pm

I do not see any bridge configuration.

Suggest you start over with a new fresh default configuration and then add your stuff to it.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 2:17 pm

The bridge is not needed. Each port has its own network...
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 3:16 pm

I do not see any bridge configuration.

Suggest you start over with a new fresh default configuration and then add your stuff to it.
The config started fresh with no default config and, like I said above, there aint no bridge. It's a hex and all ports but 1 and 2 are slaves. They're all on their own ether ports and devices.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 8:26 pm

(1) There is a disconnect on the config.....
You have five pools but only four dhcp servers etc.....

ip pools for
cctv-iot
lan-pool2
radius
ppoe
pool5

BUT dhcp servers for
cctv-iot -ETHER2
lan-pool2- ETHER3
radius -ETHER4
pool5 - PPOE -ETHER5

Which leads me to believe you have a duplicate in the pools (in that ppoe and pool 5 are for the same purpose).

(2) Set your firewall rules to default, not sure what you made up there (from what sources) but it's not efficient or well structured
(other than your special torrent rules, which I guess are there for a purpose and should stay).

(3) The first NAT rule is fine, not sure you need the following three???
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 8:33 pm

Firewall rules........ FORWARD CHAIN DEFAULT RULES sort of........

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
(can be removed or disabled if not doing any port forwarding.)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=forward comment=\

Now you have a forward chain that drops all traffic from LAN to LAN, LAN to WAN and WAN to LAN.
If you wish to ENABLE any traffic then you have to add the rules where the +++++++ line is located (before the drop all else rule as the end)

For example if you wish to allow all your subnets to the internet
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN ***
*** You would put your two torrent rules right before this rule!!

For example if you wish to allow LAN3 one way connectivity (unsolicited) to IOT-CCTV
add chain=forward action=accept in-interface=ether3 out-interface=ether2
Last edited by anav on Tue Sep 07, 2021 8:47 pm, edited 1 time in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 8:46 pm

Firewall rules INPUT Chain.

add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=ether3 *********
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp

DO NOT ADD THIS LAST RULE AT THE BOTTOM UNTIL YOU ARE SURE YOU HAVE ADMIN ACCESS !!!! **********
add action=drop chain=input comment="Drop All Else"


************** Basically the idea here is the same as the forward chain, you want to lock down any traffic to and from the router itself and then only allow traffic required.
The most important thing to do is to ensure ONLY the admin has FULL access to the router. The rest of the users DO NOT and thus we typically give FULL access only to the ethernet port (or VLAN(s)) the admin will be using to access/config the router. The rest of the users typically only need DNS services from the router (sometimes NTP).

Caution: However if you put the block all rule first and do not have an admin access rule already in place you will lock yourself out of the router.

One last thing, if you have a bunch of users on the same ethernet port (LAN) and you want to tighten down access just to you............. easily done with a firewall source address list.
In this case you ensure you have statically assigned your device(s) in DHCP server leases,
for example admin desktop PC, admin laptop, admin iPad, admin smartphone, to a list called admin access; then the rule becomes
add chain=input action=accept in-interface=ether3 src-address-list=adminaccess
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Something must be really wrong on my configuration. Needs real help here!

Tue Sep 07, 2021 8:56 pm

A clear mistake I can see is that you've set

/ip address
...
add address=10.0.2.0/24 comment="PPPoE pool4" interface=ether5 network=10.0.2.0


(own address of an interface must never be the same as the network address). Whether this also causes the ether3 and ether4 subnets to become unreachable is out of my knowledge; it would have to be due to some bug.

What I don't understand at all is why there is "PPPoE conn" at ether5 and "PPPoE Radius Userman" at ether4 on the drawing, but in the configuration, PPPoE server is attached to ether4 rather than ether5.

Are remote PPPoE clients actually supposed to connect to a PPPoE server listening at ether5? If so, you've misunderstood how PPPoE works, as you've assigned a DHCP server to ether5 - it can be done but the DHCP server will not assign addresses to PPPoE clients, it will assign them to DHCP clients connected to ether5.
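An added example, not code from the thread or from MikroTik: a small checker that reads a RouterOS export and flags the three mistakes raised in this thread, an interface address equal to the network address (sindy's point), duplicate or orphaned DHCP pools (anav's point), and a catch-all drop placed before the admin accept rule in the input chain (anav's lockout caution). The sample export is a constructed excerpt of the one posted above, with the firewall section built from anav's rules in the wrong order on purpose; the check names and the `lo-hi` pool-range assumption are mine.

```python
import ipaddress
import re

# Constructed sample: an excerpt of the /export posted in this thread, with the ether5 address
# as sindy quoted it (10.0.2.0/24) plus an input chain built from anav's rules in lockout order.
SAMPLE_EXPORT = r"""
/ip pool
add name=dhcp_Radius_pool3 ranges=172.16.0.10-172.16.0.254
add name=dhcp_PPPoE_pool4 ranges=10.0.2.10-10.0.2.254
add name=dhcp_pool5 ranges=10.0.2.10-10.0.2.254
/ip dhcp-server
add address-pool=dhcp_Radius_pool3 disabled=no interface=ether4 lease-time=1h \
    name=dhcp_Radius
add address-pool=dhcp_pool5 disabled=no interface=ether5 lease-time=1h name=\
    dhcp_pppoe
/ip address
add address=10.0.2.0/24 comment="PPPoE pool4" interface=ether5 network=\
    10.0.2.0
add address=172.16.0.1/24 comment="LAN Radius pool3" interface=ether4 \
    network=172.16.0.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop All Else"
add action=accept chain=input comment="Allow ADMIN to Router" in-interface=ether3
"""

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')
# keys that do not select traffic: a drop rule carrying only these matches everything
NON_MATCH_KEYS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_export(text):
    """Map each section header to its 'add' entries as key/value dicts.
    Lines ending in a backslash are continuations and are joined first."""
    joined = re.sub(r"\\\n\s*", "", text)
    sections, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections.setdefault(current, []).append(
                {k: v.strip('"') for k, v in KV_RE.findall(line[4:])})
    return sections


def check_addresses(sections):
    """An interface address must be a host address, never the subnet's network or broadcast."""
    out = []
    for e in sections.get("/ip address", []):
        i = ipaddress.ip_interface(e["address"])
        if i.ip in (i.network.network_address, i.network.broadcast_address):
            out.append(f"{e['interface']}: {e['address']} is not a host address")
    return out


def check_pools(sections):
    """Flag pools whose ranges overlap and pools that no DHCP server references."""
    out, pools = [], {}
    for e in sections.get("/ip pool", []):  # assumes the 'lo-hi' range form of the export
        lo, hi = (ipaddress.ip_address(a) for a in e["ranges"].split("-"))
        pools[e["name"]] = (lo, hi)
    names = list(pools)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if pools[a][0] <= pools[b][1] and pools[b][0] <= pools[a][1]:
                out.append(f"pools {a} and {b} overlap")
    used = {s.get("address-pool") for s in sections.get("/ip dhcp-server", [])}
    out += [f"pool {n} is not used by any DHCP server" for n in names if n not in used]
    return out


def check_input_chain(sections):
    """Rules run top down: an accept after an unconditional drop never fires,
    and if that accept is the admin rule the administrator is locked out."""
    out, catch_all = [], None
    rules = [r for r in sections.get("/ip firewall filter", []) if r.get("chain") == "input"]
    for r in rules:
        if r.get("action") == "drop" and not (set(r) - NON_MATCH_KEYS):
            catch_all = r.get("comment", "<no comment>")
        elif catch_all and r.get("action") == "accept":
            out.append(f"'{r.get('comment')}' is shadowed by catch-all drop '{catch_all}'")
    return out


def audit(text):
    """Run every check over an export and return the list of findings."""
    s = parse_export(text)
    return check_addresses(s) + check_pools(s) + check_input_chain(s)
```

Run `audit()` over the text produced by `/export` to get the findings; a clean export returns an empty list.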
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Wed Sep 08, 2021 3:40 am

Thank you Anav.
Like I said, I am completely a newbie here. Did you mean one NAT is enough to get all the DHCP servers' IPs translated? Even PPPoE on Radius?

I went thru your replies early today but because of the heavy rains here, I will have to make the changes later so I can attend to the damages outside the house. I will dig in later and make the appropriate changes where possible.

Ether5 connx does not exist yet, it's awaiting funding; will strip them out later.

My intention was that only me/admin and a few specific MAC addresses that belong to support staff will have full access rights. So,
all on ether2,3,4,5 are prohibited from accessing each other's device/s except the specific local servers.
Ether2 only has cctv monitors, IoT, cctv cams with its own UAP AP. The intent is to keep them from the outside and block the space from the internet.
Ether3 is only for intra/internet for company staff, servers, LAN and, for their guests' mobile devices, a UAP AP to access only the internet.
Ether4 is only for all users on that LAN and has its own UAP AP. All in that space must use Radius to authenticate and also access intra/internet.
Ether5 is for the LAB PPPoE connection but it does NOT exist yet, waiting for space assignment, funding, construction and AP.
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Wed Sep 08, 2021 3:49 am

Thank you Cindy. I've corrected that .0 on ether5 (it's a lab waiting) but deleted that entry earlier since it does not exist yet. FYI, there is a PPPoE on Ether4 to a UAP AP with a Userman/Radius and it's on the script above, but uncabled at this time; ether 3 also is not cabled up coz the hEX is in the lab, and I was thinking yesterday right in the middle of the storm that the red errors probably were from the unterminated ether ports, hence the "unreachable" routes.
Last edited by microtikgroup on Thu Sep 09, 2021 1:24 am, edited 1 time in total.
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 1:14 am

The bridge is not needed. Each port has it's own network...
If you may, amigo: how do I get rid of hEX ports 3-5 from slavery? Is there a special script to convert them to nothing or something away and send them to their freedom? This is 2021, for heavens!
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 1:22 am

Usually I do not drink when I drive or when I have electronic devices near to me...
Last edited by rextended on Thu Sep 09, 2021 3:20 am, edited 1 time in total.
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 1:49 am

uhm! and how did this happen? like hands free vision technology?
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 2:52 am

I think he is saying that the red wine floweth freely this evening. :-)
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 2:55 am

The bridge is not needed. Each port has it's own network...
if you may, amigo. how do I get rid of hEX ports 3-5 from slavery? is there a special script to convert them to nothing or something away and send them to their freedom? this is 2021 for heavens!
If they are not part of a bridge port - then open the interface properties and there might/should be a 'master port' option - this is typical on ports in same switch chip to bridge them via hardware (Essentially) - but I thought they got rid of this when moving to hardware offloading in the bridge itself - might be a hold-over. Set the master port to 'none' and you should be good to go.

If you are really stuck - DM me and I'd be happy to anydesk in and help
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 6:20 am

Just fixed my yard and removed the fallen tree, and now I just started to work on this. First off I fixed the unroutables and the dupe DHCP server pool coz ether5 devices are non-existent right now. So it all seems clean, I see no more red errors, and I moved my MacMini where my camera footage and IoT AP access are.

Next, I will go thru Anav's recommendations, revisit the script and start it from there. Hopefully, I will gain a better understanding of this hEX.
Thanks,
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 10:11 am

if you may, amigo. how do I get rid of hEX ports 3-5 from slavery? is there a special script to convert them to nothing or something away and send them to their freedom? this is 2021 for heavens!
If they are not part of a bridge port - then open the interface properties and there might/should be a 'master port' option - this is typical on ports in same switch chip to bridge them via hardware (Essentially) - but I thought they got rid of this when moving to hardware offloading in the bridge itself - might be a hold-over. Set the master port to 'none' and you should be good to go.

If you are really stuck - DM me and I'd be happy to anydesk in and help
I been lookin for that but my hEX aint have that option. v6.48.2 fw. Maybe I can do it from the terminal. Say, what's the command if you got it, my friend? Gracias!
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH
Contact:

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 10:25 am

Okidokie! So far so good. I dont see no errors no more and it seems it's coming along well. I used all your recommendations and added them to the firewall, removed my original entries, the 3 other NATs, and the address lists related to those removed firewall scripts.

So far so good, but I had to disable the traffic between all subnets coz my browser froze. I need an entry to allow me as admin anywhere. My Mac is on ether2/LAN2 and it has the cctv footage, and that's when it happened.

As far as your warnings/notes, I put them all on "disabled" till needed, including the warning on "drop all else".
Last edited by microtikgroup on Sun Sep 12, 2021 10:03 am, edited 2 times in total.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 4:03 pm

Nope, not willing to chase tails.
You keep changing the requirements and that may impact the overall design..........
Thus I go back to
a. network diagram
b. latest config
and the most important of all,
c. set of requirements listing what you want users/devices to be able to do, and what they shouldn't be able to do, without using any words of configuration or routers, switches etc......

When you have it straight in your mind what you want to have accomplished in terms of users and devices, write it down and post it here.
Then we can play, but I won't chase moving requirements...........
 
microtikgroup
newbie
Topic Author
Posts: 36
Joined: Mon Aug 23, 2021 11:03 am
Location: SF CA or BGC PH

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 4:37 pm

The diagram hasn't changed. It always is. Apologies if it ticked you off. The only things I asked were a few things I can't figure out coz I got locked out; I missed the fact that the cctv footage is on ether2/LAN2 where my computer is at, and that got the cctv service out of commission for a minute.
And to be able to selectively add to address lists, sort of a blacklist and whitelist using MAC addresses, to allow/ban user/s from accessing a particular subnet, if it's even possible by MAC address.

Never thought a newbie on RouterOS could be that firm!

Will get to the bottom of it in a few hopefully
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Something must be really wrong on my configuration. Needs real help here!

Thu Sep 09, 2021 6:50 pm

Like I said,
Please list a full set of requirements and then useful suggestions can be made.

Individual devices (ex server)
(use cases)

Individual users (ex PC user)
(use cases)

Group users (on same vlan) (subnet, home lan, guest wifi)
(use cases)

Group Devices (on same vlan) (Iot devices media, cctv)
(use cases)

There should be no EXTRA surprises, like OH I need this and this, and also this.
Put it all in the use cases so there is a coherent picture for planning and config.
This is what any plan should look like, new to MT or not; it has nothing to do with good planning :-)
