abi
just joined
Topic Author
Posts: 17
Joined: Mon Nov 04, 2019 4:08 pm

VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 4:16 pm

Hello,
I've tried to migrate from 6 stable to latest 7.x firmware several times, but always rolled back as I can't solve the issue with my VLANs.

Immediately after the update, everything stops working except the management VLAN
- no DHCP from Mikrotik
- allowed inter-vlan traffic ceases to flow.
- gateway not available.

I've reviewed my setup several times, compared it to Mikrotik VLAN Wiki, but failed to see any flaws.
Physically, router has 2 trunk ports on eth1 and eth2, uplinks are eth4 and eth5 (disabled).

eth1 trunk receives bunch of VLANs from CRS switch, eth2 goes to server (VLAN4 and VLAN5).
/interface bridge
add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] comment=Server
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=ether2 name=vlan-4 vlan-id=4
add interface=ether2 name=vlan-5 vlan-id=5
add interface=ether1 name=vlan-14 vlan-id=14
add interface=ether1 name=vlan-15 vlan-id=15
add interface=ether1 name=vlan-16 vlan-id=16
add interface=ether1 name=vlan-17 vlan-id=17
add interface=ether1 name=vlan-20 vlan-id=20
add interface=bridge name=vlan-80 vlan-id=80
/interface list
add name=CONTROL
add name=INSIDE
add name=WAN_BACKUP
add include=WAN_BACKUP name=WAN
/ip pool
add comment=Management name=vlan-80-pool ranges=10.0.80.100-10.0.80.200
add comment=Camera name=vlan-20-pool ranges=10.0.20.100-10.0.20.200
add comment=WiFi name=vlan-15-pool ranges=10.0.15.100-10.0.15.200
add comment="Guest WiFi" name=vlan-16-pool ranges=10.0.16.100-10.0.16.200
add comment=IOT name=vlan-14-pool ranges=10.0.14.100-10.0.14.200
add comment="Servers pool" name=vlan-4-pool ranges=10.0.4.100-10.0.4.200
add comment="Isolated Servers Pool" name=vlan-5-pool ranges=10.0.5.100-10.0.5.200
add comment="IOT VPN" name=vlan-17-pool ranges=10.0.17.100-10.0.17.200
/ip dhcp-server
add address-pool=vlan-80-pool disabled=no interface=vlan-80 lease-time=1h name=vlan-80-dhcp
add address-pool=vlan-20-pool disabled=no interface=vlan-20 lease-time=1h name=vlan-20-dhcp
add address-pool=vlan-15-pool disabled=no interface=vlan-15 lease-time=1h name=vlan-15-dhcp
add address-pool=vlan-16-pool disabled=no interface=vlan-16 lease-time=1h name=vlan-16-dhcp
add address-pool=vlan-14-pool disabled=no interface=vlan-14 lease-time=1h name=vlan-14-dhcp
add address-pool=vlan-4-pool disabled=no interface=vlan-4 lease-time=1h name=vlan-4-dhcp
add address-pool=vlan-5-pool disabled=no interface=vlan-5 lease-time=1h name=vlan-5-dhcp
add address-pool=vlan-17-pool disabled=no interface=vlan-17 lease-time=1h name=vlan-17-dhcp
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=bridge interface=ether3 pvid=80
/ip settings
set allow-fast-path=no
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether3,ether4 vlan-ids=80
add bridge=bridge comment=camera tagged=ether1 vlan-ids=20
add bridge=bridge tagged=ether1 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=ether1 vlan-ids=16
add bridge=bridge tagged=ether1 vlan-ids=14
add bridge=bridge tagged=ether2 vlan-ids=4
add bridge=bridge tagged=ether2 vlan-ids=5
add bridge=bridge comment="IOT VPN" tagged=ether1 vlan-ids=17
/interface list member
add interface=ether4 list=WAN
add interface=ether1 list=INSIDE
add interface=bridge list=CONTROL
add interface=ether5 list=WAN_BACKUP
/ip address
add address=10.0.80.222/24 comment="Management network" interface=vlan-80 network=10.0.80.0
add address=10.0.20.222/24 comment="Camera network" interface=vlan-20 network=10.0.20.0
add address=10.0.15.222/24 comment="WiFi network" interface=vlan-15 network=10.0.15.0
add address=10.0.16.222/24 comment="Guest WiFi network" interface=vlan-16 network=10.0.16.0
add address=10.0.4.222/24 comment="Servers network" interface=vlan-4 network=10.0.4.0
add address=10.0.14.222/24 comment="TV WiFi" interface=vlan-14 network=10.0.14.0
add address=10.0.5.222/24 comment="Isolated Servers" interface=vlan-5 network=10.0.5.0
add address=10.0.17.222/24 comment="IOT VPN" interface=vlan-17 network=10.0.17.0
/ip dhcp-client
add default-route-distance=10 disabled=no interface=ether5 use-peer-dns=no use-peer-ntp=no
add default-route-distance=20 disabled=no interface=ether4
/ip dhcp-server network
add address=10.0.4.0/24 comment="Servers DHCP" dns-server=10.10.1.1 domain=-snip- gateway=10.0.4.222 ntp-server=10.0.4.222
add address=10.0.5.0/24 comment="Isolated Servers DHCP" dns-server=208.67.222.222,208.67.220.220 domain=-snip- gateway=10.0.5.222
add address=10.0.14.0/24 comment="TV WiFi" dns-server=10.0.14.222 domain=-snip- gateway=10.0.14.222 ntp-server=10.0.14.222
add address=10.0.15.0/24 comment=WiFi dns-server=10.10.1.1 domain=-snip- gateway=10.0.15.222 ntp-server=10.0.15.222
add address=10.0.16.0/24 comment="Guest WiFi" dns-server=10.0.16.222 domain=-snip- gateway=10.0.16.222 ntp-server=10.0.16.222
add address=10.0.17.0/24 comment="IOT VPN" dns-server=208.67.222.222,208.67.220.220 gateway=10.0.17.222
add address=10.0.20.0/24 comment=Camera dns-server=10.0.20.222 domain=-snip- gateway=10.0.20.222 ntp-server=10.0.20.222
add address=10.0.80.0/24 caps-manager=10.0.80.222 comment=Management dns-server=10.10.1.1 domain=-snip- gateway=10.0.80.222 ntp-server=10.0.80.222
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input icmp-options=8:0-255 protocol=icmp src-address-list=local
add action=accept chain=input dst-port=53,123 protocol=udp src-address-list=local
add action=accept chain=input dst-address=10.0.80.222 dst-port=80,22 protocol=tcp src-address-list=management
add action=accept chain=input dst-address=10.0.80.222 dst-port=5246,5247 protocol=udp src-address-list=management
add action=accept chain=input dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=admin
add action=drop chain=input
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment=Ipsec ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward in-interface=vlan-5 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-14 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-15 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-16 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-17 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-15 out-interface=vlan-20
add action=accept chain=forward in-interface=vlan-15 out-interface=vlan-5
add action=drop chain=forward comment="Default drop" in-interface=vlan-20 out-interface-list=WAN
add action=drop chain=forward in-interface=vlan-80 out-interface-list=WAN
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set forwarding-enabled=both
The reason why management VLAN is operational is CPU (bridge) as tagged interface in bridge vlan settings. If I add bridge to any VLAN as tagged port, it immediately starts to work - DHCP, traffic - everything. The problem is that it should work without this, and as I said, everything works on 6.49. Maybe I'm using some outdated features?

I've tried 7.1 on my previous attempt to migrate to 7.x - it was the same issue.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 4:30 pm

When ether1 and ether2 are bridge ports, all VLAN interfaces should be on bridge, not on ether1 and ether2.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 4:34 pm

Couple of things to try........

(1) Remove this from the actual bridge definition
frame-types=admit-only-vlan-tagged ingress-filtering=yes
so it looks like
/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes


(2) CHANGE ALL VLANS to be members of the INTERFACE bridge (not the ports)

(3) Bridge ports are fine slight modification to ether3 and added ether4
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=bridge interface=ether3 pvid=80 frame-types=admit-only-priority-and-untagged ingress-filtering=yes
add bridge=bridge interface=ether4 pvid=15 frame-types=admit-only-priority-and-untagged ingress-filtering=yes

OKAY you are confused. Ether4 is a problem.
It cannot be an access port for vlan15 if its already an access port for vlan80!!!
So will assume ether3 is in error and that ether 4 is strictly for vlan15
Also if ether1 and ether2 are carrying multiple vlans, aka trunk ports they should not have any untagged ports............

(4) Bridge vlans will take a while working on it.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether3 vlan-ids=80
add bridge=bridge tagged=bridge,ether1 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=bridge,ether1 vlan-ids=14,16,17,20
add bridge=bridge tagged=bridge,ether2 vlan-ids=4,5

(5) Not quite understanding your list members???
Firstly ether4 is associated with vlan 15 which is also coming through your trunk port ether1, not sure why its associated with WAN ?????
also Use the vlans not ports to create your interface lists...................

/interface list member
add interface=ether4 list=WAN
add interface=ether1 list=INSIDE
add interface=bridge list=CONTROL
add interface=ether5 list=WAN_BACKUP


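add interface=vlan-14 list=INSIDE
add interface=vlan-15 list=INSIDE
add interface=vlan-16 list=INSIDE
add interface=vlan-17 list=INSIDE
add interface=vlan-20 list=INSIDE
add interface=vlan-80 list=INSIDE
add interface=vlan-80 list=CONTROL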

or something like that.

(6) OKAY after seeing this, its clear that ether4 is a WANPORT and thus remove from everything above bridge ports and vlans.........
add default-route-distance=20 disabled=no interface=ether4

Thus remove the line from bridge ports that contains ether4
Thus remove from bridge vlans and modify this line accordingly!
add bridge=bridge tagged=bridge,ether1 vlan-ids=14,15,16,17,20

(7) To ensure I understand , 10.0.80.222 is your WAN IP? because the input chain is not the place for destination nat type rules ???????????
add action=accept chain=input dst-address=10.0.80.222 dst-port=80,22 protocol=tcp src-address-list=management
add action=accept chain=input dst-address=10.0.80.222 dst-port=5246,5247 protocol=udp src-address-list=management

(8) Assuming you are SSH into the router due to this rule...........can you find a safer method?? Like wireguard!!
add action=accept chain=input dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=admin

(9) Also convinced there may be a better way to approach the firewall forward chain rules................. including the redundant one in orange since you already have a drop all rule at the end.
add action=accept chain=forward in-interface=vlan-5 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-14 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-15 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-16 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-17 out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-15 out-interface=vlan-20
add action=accept chain=forward in-interface=vlan-15 out-interface=vlan-5
add action=drop chain=forward comment="Default drop" in-interface=vlan-20 out-interface-list=WAN
add action=drop chain=forward in-interface=vlan-80 out-interface-list=WAN
add action=drop chain=forward
Last edited by anav on Thu Apr 07, 2022 6:43 pm, edited 7 times in total.
 
mkx
Forum Guru
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 4:35 pm

(1) Remove this from the actual bridge definition
frame-types=admit-only-vlan-tagged ingress-filtering=yes

Why do you think these settings should be removed?
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 4:43 pm

Having fun Picking cherries and worried about the wrong syllable.......again! , I look at the whole config, and its non standard and no one has explained to me the effects or benefits of using those settings......
Feel free to but I am eliminating potential causes or complexity added that is NOT necessary and may contribute to problems.
 
abi
just joined
Topic Author
Posts: 17
Joined: Mon Nov 04, 2019 4:08 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 4:58 pm

OKAY you are confused. Ether4 is a problem.
eth4 is a mistake. Probably, not an issue in this particular setup, as it's not a member of the bridge. eth4 is uplink port actually. The reason I missed it - it doesn't show in bridge vlan settings in web interface. Can be the root of the problem in 7.x, but I'm not sure. I'll definitely remove eth4 from there.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether3 vlan-ids=80
add bridge=bridge tagged=bridge,ether1 untagged=ether4 vlan-ids=15
add bridge=bridge tagged=bridge,ether1 vlan-ids=14,16,17,20
add bridge=bridge tagged=bridge,ether2 vlan-ids=4,5
This will open CPU to all VLANS, not only management one.
(7) To ensure I understand , 10.0.80.222 is your WAN IP? because the input chain is not the place for destination nat type rules ???????????
I've stripped config here and there before posting it. I have issues with the basic connectivity, so I removed unnecessary parts. 80 is management VLAN.
Last edited by abi on Thu Apr 07, 2022 5:04 pm, edited 3 times in total.
 
mkx
Forum Guru
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:00 pm

... no one has explained to me the effects or benefits of using those settings......
It's been explained (perhaps not to you personally) multiple times. Those settings, when set on bridge, apply to bridge interface. They don't affect the packets bridged between bridge ports at all, those settings only affect the way device interacts with bridged traffic.

And no, I'm not cherry picking. You explicitly advised to remove them and I just asked as to why.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:01 pm

@abi If you are using the device as only a switch I would agree with you however you are using the device as a ROUTER wan input.
You are using it to provide DHCP services.

So there is no way around it that I can see...........

@mkx or sob lol -- well too bad, obviously the explanation sucked because it didnt stick, and I am the perfect beginner, or your reality check ;-)
 
abi
just joined
Topic Author
Posts: 17
Joined: Mon Nov 04, 2019 4:08 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:07 pm

When ether1 and ether2 are bridge ports, all VLAN interfaces should be on bridge, not on ether1 and ether2.
This looks like perspective advice. I rechecked WIKI and they do the same here https://wiki.mikrotik.com/wiki/Manual:I ... _Bridge.29
/interface vlan
add interface=bridge1 name=VLAN200 vlan-id=200
add interface=bridge1 name=VLAN300 vlan-id=300
add interface=bridge1 name=VLAN400 vlan-id=400
 
mkx
Forum Guru
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:11 pm

@mkx or sob lol -- well too bad, obviously the explanation sucked because it didnt stick, and I am the perfect beginner, or your reality check ;-)

You're not beginner, you're selfproclaimedfsckingllama, so you really should start paying some attention to what's written ... and the records show that sometimes you don't register things even if thrown right between the eyes. So I'm passing this sour cherry back to you :wink:.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:14 pm

@abi: And @anav's tagged=bridge,etherX is needed too, I missed that.

@mkx: Devil's advocate, what is frame-types=admit-only-vlan-tagged ingress-filtering=yes on bridge interface good for? It shouldn't hurt, but probably not very useful either. On bridge ports it's useful, to control what comes from there. But there's no outside connection to bridge interface.
 
abi
just joined
Topic Author
Posts: 17
Joined: Mon Nov 04, 2019 4:08 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:15 pm

@abi: And @anav's tagged=bridge,etherX is needed too, I missed that.
How can it be? This will definitely open CPU to all VLANs, won't it?
 
mkx
Forum Guru
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:21 pm

When ether1 and ether2 are bridge ports, all VLAN interfaces should be on bridge, not on ether1 and ether2.
This looks like perspective advice

To put what @sob wrote so condensed into some more words: physical interfaces (and others, but let's keep using ether ports as example to make things more clear) can be either used as logical interfaces for IP layer[*] or as bridge ports[**], but not both at the same time.
The same principle applies to all interfaces that can be made bridge ports (e.g. wireless interfaces or EoIP interfaces, etc.).

[*] this means adding IP address directly to physical interface (e.g. ether1) or use it as anchoring interface for vlan (pseudo)interface (as in /interface vlan add name=<vlan_interface_name> interface=<physical_interface_name> vlan-id=<VID>). As they say: one can only have one master (to accept orders from).

[**] bridge, in turn, has two personalities: 1) switch-like personality which shifts packets between member ports according to L2 (ethernet) rules ... and 2) interface which allows higher layers to interact with traffic otherwise present on bridge (the switch-like personality)
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:24 pm

I'm not sure what exactly you mean by "opens CPU to all VLANs", but if router has interfaces for those VLANs and should be able to communicate with connected devices, then it is (and must be) processed by CPU. When you'd use it only as switch like in this example:

https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29

then those VLANs don't need to be tagged on bridge (and you wouldn't have VLAN interfaces for them either).
 
abi
just joined
Topic Author
Posts: 17
Joined: Mon Nov 04, 2019 4:08 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:31 pm

I'm not sure what exactly you mean by "opens CPU to all VLANs", but if router has interfaces for those VLANs and should be able to communicate with connected devices, then it is (and must be) processed by CPU. When you'd use it only as switch like in this example:

https://wiki.mikrotik.com/wiki/Manual:I ... s_Ports.29

then those VLANs don't need to be tagged on bridge.
So, theoretically, every VLAN can access management console if I expose services like DHCP? I thought I can have both DHCP and designated VLAN for management.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:43 pm

You already have that, if it's possible from those VLANs to access router's DHCP, DNS or NTP servers, it's possible to also access any other service on router from there. That's unavoidable. Unless it's blocked by firewall. You already have src-address-list=management, but if only management interface is used to access it, rather use in-interface=vlan-80 and it won't be possible to connect from any other interface.
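
An added example, not part of the thread and not MikroTik tooling: a small Python audit of a RouterOS /export that flags the three problems discussed above (VLAN interfaces anchored on bridge ports, a bridge that is not a tagged member of a VLAN the router itself serves, and management ports accepted on the input chain with no in-interface match). The sample export is constructed, and the management port set (22, 80, 8291) is an assumption.

```python
import re
import shlex

# Assumption: ports treated as "management" (SSH, WebFig, Winbox default).
MGMT_PORTS = {"22", "80", "8291"}

# Constructed sample: a trimmed export with the same kinds of mistakes as the
# configuration posted at the top of the thread (not a verbatim copy).
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=ether2 name=vlan-4 vlan-id=4
add interface=ether1 name=vlan-15 vlan-id=15
add interface=bridge name=vlan-20 vlan-id=20
add interface=bridge name=vlan-80 vlan-id=80
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge interface=ether3 pvid=80
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether3 vlan-ids=80
add bridge=bridge comment="camera net" tagged=ether1 vlan-ids=20
add bridge=bridge tagged=ether1 vlan-ids=15
add bridge=bridge tagged=ether2 vlan-ids=4
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input dst-port=80,22 protocol=tcp src-address-list=management
add action=accept chain=input dst-port=22 in-interface=vlan-80 protocol=tcp
add action=drop chain=input
"""


def parse_export(text):
    """Return {menu: [attrs, ...]} for every 'add' line of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join lines wrapped with a backslash
    menus, menu = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line
        elif menu and line.startswith("add "):
            toks = shlex.split(line)[1:]  # shlex keeps quoted comments intact
            menus.setdefault(menu, []).append(
                dict(t.split("=", 1) for t in toks if "=" in t))
    return menus


def vlan_ids(spec):
    """Expand a vlan-ids value such as '14,16,17,20' or '100-102' to a set."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit(text, mgmt_ports=MGMT_PORTS):
    """Return a list of (finding, detail) tuples for the three checks."""
    cfg = parse_export(text)
    bridges = {b.get("name") for b in cfg.get("/interface bridge", [])}
    ports = {p.get("interface") for p in cfg.get("/interface bridge port", [])}
    # VLAN IDs in which each bridge's own (CPU-facing) interface is tagged.
    cpu_tagged = {}
    for row in cfg.get("/interface bridge vlan", []):
        if row.get("bridge") in row.get("tagged", "").split(","):
            cpu_tagged.setdefault(row["bridge"], set()).update(
                vlan_ids(row["vlan-ids"]))
    findings = []
    for v in cfg.get("/interface vlan", []):
        parent, vid = v["interface"], int(v["vlan-id"])
        if parent in ports:
            # A bridge port cannot also anchor a VLAN interface.
            findings.append(("vlan-on-bridge-port", v["name"]))
        elif parent in bridges and vid not in cpu_tagged.get(parent, set()):
            # The router has an interface in this VLAN but the bridge itself
            # is not a tagged member, so frames never reach the CPU.
            findings.append(("bridge-not-tagged", v["name"]))
    for n, r in enumerate(cfg.get("/ip firewall filter", [])):
        if r.get("chain") != "input" or r.get("action") != "accept":
            continue
        hit = mgmt_ports & set(r.get("dst-port", "").split(","))
        if hit and not (r.get("in-interface") or r.get("in-interface-list")):
            # Reachable from every VLAN the router has an address in.
            findings.append(("mgmt-any-interface",
                             f"filter rule {n}: ports {','.join(sorted(hit))}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_EXPORT):
        print(f"{kind:22} {detail}")
```

Port ranges in dst-port (for example 8000-8100) are not expanded by this check; only exact port values are matched.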
 
abi
just joined
Topic Author
Posts: 17
Joined: Mon Nov 04, 2019 4:08 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 5:59 pm

You already have that, if it's possible from those VLANs to access router's DHCP, DNS or NTP servers, it's possible to also access any other service on router from there. That's unavoidable. Unless it's blocked by firewall. You already have src-address-list=management, but if only management interface is used to access it, rather use in-interface=vlan-80 and it won't be possible to connect from any other interface.
Wow, I've totally missed that. Looks like my setup shouldn't work at all, and the fact that it actually works somehow gave me the wrong understanding of things around. Thanks!
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 6:45 pm

Yes, and added points 8 and 9 to start addressing some of those items.
Your neighbours discovery interface-list entry should be CONTROL
Your tools mac server WINMAC SERVER interface-list entry should be CONTROL
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 6:47 pm

@mkx or sob lol -- well too bad, obviously the explanation sucked because it didnt stick, and I am the perfect beginner, or your reality check ;-)

You're not beginner, you're selfproclaimedfsckingllama, so you really should start paying some attention to what's written ... and the records show that sometimes you don't register things even if thrown right between the eyes. So I'm passing this sour cherry back to you :wink:.
Teehee, touched a nerve did I......(cooped up with Covid too long, eating poorly, not getting enough exercise)??. perhaps its time you take that vacation to the sunny beaches of Albania LOL.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 6:51 pm

(1) In terms of access to the router from within the router.

add chain=input action=accept in-interface-list=CONTROL src-address-list=authorized protocol=tcp dst-port=actual-winboxport
Firewall address list typically could consist of all the admins device, desktop, laptop, ipad, smartphone OR even wireguard IP coming through a wireguard connection (if wireguard interface is added to the CONTROL list.........
Many ways to skin the cat as rextended says!!!

(2) Can be synthesized to three rules!!!
add action=drop chain=forward in-interface-list=NO-WWW out-interface-list=WAN
add action=accept chain=forward in-interface-list=INSIDE out-interface-list=WAN
add action=accept chain=forward in-interface=vlan-15 out-interface-list=FROMV15
add action=drop chain=forward

where NO-WWW is AN INTERFACE LIST list comprised of vlans 4,20
Where FROMV15 is AN INTERFACE LIST comprised of vlans 5,20
Last edited by anav on Thu Apr 07, 2022 8:18 pm, edited 3 times in total.
 
mkx
Forum Guru
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 6:54 pm

Teehee, touched a nerve did I......

Nope. Just had to release some frustration which built up by your (not so rare) excursions to the beginner mode (while blaming @sob and me for failing to educate you).

And, BTW, beaches in Albania are waaay better than beaches in Canada, so some day I might make that trip you're suggesting.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 7:01 pm

Teehee, touched a nerve did I......

Nope. Just had to release some frustration which built up by your (not so rare) excursions to the beginner mode (while blaming @sob and me for failing to educate you).

And, BTW, beaches in Albania are waaay better than beaches in Canada, so some day I might make that trip you're suggesting.
Not blaming just pointing out the facts LOL and Sob is patient and knows eventually I will crack and learn something........
Albania, not after watching TAKEN a few times................ although someone I know is very close to some Albanian folks and they remind me of my spanish roots, very European outlook on life.
Gotta luv our Babushka's, be they slavic or spanish or albanian.
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 7:38 pm

I admit, there are some things that I didn't yet explain at least five times, which seems to be required minimum. ;)
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Thu Apr 07, 2022 8:19 pm

I admit, there are some things that I didn't yet explain at least five times, which seems to be required minimum. ;)
It does average out just like real life.......sometimes once sometimes 70 times. ;-)
 
Buckeye
Forum Veteran
Forum Veteran
Posts: 893
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Sat Apr 09, 2022 5:11 am

I admit, there are some things that I didn't yet explain at least five times, which seems to be required minimum. ;)
That's one problem with forums as a place to learn. Because very likely a question has been asked and answered repeatedly, but finding the answer isn't always easy.

The advanced search in the forum could use some examples. For people in the USA, brackets means something different than what we call parenthesis.

Example:
[Attached screenshots, not available: "Advanced Search query does not work.png", "Advanced Search.png", "Advanced Search query does not work 2.png", "Advanced Search query does work.png"]
 
mkx
Forum Guru
Forum Guru
Posts: 11594
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Sat Apr 09, 2022 11:00 am

The advanced search in the forum could use some examples. For people in the USA, brackets means something different than what we call parenthesis.

That's indeed a problem. Personally I've given up on forum search engines (not only Mikrotik's) long ago, I simply use my favourite internet search engine and instruct it to (primarily?) search through specific site.

And just to jump back to my post which somehow prompted @sob to respond: I expect that somebody with 7k+ posts reads at least as many and remembers some. Indeed I used a bit political incorrect language, but that user tends to do it a lot as well, I'm just adjusting to the friendly tone :wink:
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Sat Apr 09, 2022 2:58 pm

Naw,, I think it was the Xanax that helped ;-P
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Sat Apr 09, 2022 8:05 pm

Sometimes I want to reply to a question with "check my posts, I wrote about this exact thing not long ago", but it wouldn't work. It takes even me some time to find it, and I have at least rough idea what I wrote and what words I used. It could help to build some index as I go, but that feels too much like work. ;)

@mkx: I wouldn't worry about being a little rough when it comes to @anav. If you knew what goes through my mind when I find out that he slipped back in some area where I was sure that's no longer possible... On the upside, once he learns something and as long as it sticks, he can do lot of good. We just need to find a way how to optimize it. For example, explain to him that it's allowed to point out obvious mistakes without seeing whole config, that would make him more efficient too.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Sat Apr 09, 2022 8:34 pm

Sometimes I want to reply to a question with "check my posts, I wrote about this exact thing not long ago", but it wouldn't work. It takes even me some time to find it, and I have at least rough idea what I wrote and what words I used. It could help to build some index as I go, but that feels too much like work. ;)

@mkx: I wouldn't worry about being a little rough when it comes to @anav. If you knew what goes through my mind when I find out that he slipped back in some area where I was sure that's no longer possible... On the upside, once he learns something and as long as it sticks, he can do lot of good. We just need to find a way how to optimize it. For example, explain to him that it's allowed to point out obvious mistakes without seeing whole config, that would make him more efficient too.
Unfortunately, i have this requirements/engineering streak in me that demands context and mostly because I dont understand many complex scenarios due to my lack of experience and knowledge. Also, it is clear to me that many times the OPs lack of understanding on a basic rule in part X of a config, means there are probably multiple issues. Where I really miss the boat is someone who is experienced and is asking a specific question and provides enough info for that tidbit, that both you and mkx understand, but I am no where near close to that point........... but cannot wait forever for you to show up, so I just start the ball rolling. 'Check my posts' is why I started writing user articles, to ensure that I have a reference to remember/review and to be able to point to something..........
My apologies for causing both you and mkx the drinking problems or ulcers ;-)

If I ever make it to a MUM, I will be sure to ask Normis to set up a dunk tank, we can raise funds for Ukraine rebuild.......... and you can exorcise the angst........
https://www.youtube.com/watch?v=bcIAUvm0NnQ
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Sat Apr 09, 2022 8:55 pm

@anav: I mean things like this, which is perfect example. If you read just first third of the post, then with your level of knowledge you should be pretty sure what's the problem. True, the next part about VPN is confusing, but following rule is very clear and it confirms initial suspicion.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Sat Apr 09, 2022 9:08 pm

@anav: I mean things like this, which is perfect example. If you read just first third of the post, then with your level of knowledge you should be pretty sure what's the problem. True, the next part about VPN is confusing, but following rule is very clear and it confirms initial suspicion.
OMF LOL, Geez that rule aint right!!!!
when I looked at that the first time I saw okay hes port forwarding to a web server, (not that I think thats a good idea at all) and didnt notice the issue with the rule.
NO in-interface=ether1 and thus all traffic from everywhere was being sent to that IP regardless of source............

Now it makes sense LOL........

But ----> you knew there was going to be a BUT didnt you !!!!!!!!
Where there is one mistake (either due to carelessness or NOT understanding how the rules work) chances are there are others in the config, and why do anything half assed? and hence I would have still asked to see the rest of the config....... You are like the plumber who fixes one leak at a pipe and walks away, whereas I want to inspect the rest of the pipes, remind me NOT to call you when I have plumbing issues. :-P

Heck, I might even start providing counseling as well as config recommendations while I am at it.....
Now dear Sob, please let me help you with your feelings of inadequacy when dealing with untrained mikrotik users!
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Sat Apr 09, 2022 9:54 pm

I admire your enthusiasm. I prefer to just give pointers. If user asks about <X>, I'll give info about <X>. If I know that <Y> will be also needed, or if what's actually needed is <Z> and not <X>, I'll write that. If I see something very wrong in posted config, and the question wasn't about that, I'll mention it, but it's up to user to react and ask about it further (or not). Completely fixing everyone's configs is not only very time consuming, but sometimes it's complete waste of time, because not everyone is interested.
 
anav
Forum Guru
Forum Guru
Posts: 19323
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: VLAN configuration doesn't work after 6.49 -> 7.2 update

Sat Apr 09, 2022 9:56 pm

I hear ya, many times I think, should I or shouldnt I............ but its like anything else, fixing errors sooner rather than later is always cheaper in the long run on resources be it time or money.
