MikroTik

anav

Just one of them. One would be the main router, the other would solely be an AP switch.

anav

Still not enough detail, Please detail the relationship between every device in your diagram. Right now it looks like the laptop is directly connected to GWY1, which is directly connected to GWY2 Which is directly connected to the MANTBOX, which is directly connected toa wifi AP router which is dire...

anav

I would need to see complete config, MT os does not work in isolation.

/export file=anynameyouwish ( minus router serial number, any public IP information, keys etc.)

anav

Remove this rule.....
add action=reject chain=input in-interface-list=LAN log=yes log-prefix=\
rej_LAN reject-with=icmp-admin-prohibited

When you fixed the above items in the two posts and still cannot connect, then I will ahve someone else review the mangles as they look correct to me.

anav

Of course they cannot, The Entrys dont match....... In fact having a symbol before a quote mark is probably really bad........... add add-default-route=no comment=WAN1-ISP interface=ether1-WAN1 script="if (\$\ bound=1) do={\r\ \n:local gw \$\"gateway-address\"\r\ \n/ip route set [ fin...

anav

Well there are two approaches and the you wish will predicate the config option to go with. Question: do you want to know who the external IPs are at the M@ server ( identify them ) NO --> then source-nat all the traffic going into the wireguard tunnel at M1 --> advantage mangling not required you s...

anav

Probably firewall rules on your MT router dont allow it.

anav

What is expected, and what is actually being observed??

anav

@pe1chl Do you mean something like this at the start of mangle rules. /ip firewall mangle add action=accept chain=prerouting in-interface-list=LAN dst-address-list=MyWANS add action=accept chain=prerouting in-interface-list=LAN dst-address-type=local Where the first rule accepts traffic from any LAN...

anav

Ahh didnt realize that they were set to yes. That is better. Good catch.

anav

Regardless, whether the cgnat lands on the ax3 or the RB5009 you cannot use it for port forwarding, its not a public IP that is reachable.
The only thing you can do is port forward on the WAN1 which is public on the Ax3, from there you can point to the RB5009 and an available server.........

anav

Profile addition removed...

anav

I understand sorry, time delay to get questions answered. I will try to be patient

anav

No thanks, dont want to see that ugly looking set of firewall rules again.

Glad you got it sorted!

anav

Correct, The only difference without LBing would be the mangling for LBing. Remember the routes we creates were also to ensure some users went out wan1 and some out wan2 along with establishing orderly main table routes. Without loadbalancing we would still need all six routes. I would have routing ...

anav

Purpose of Wireguard, remote connection when away from home/business to access Router LAN, to access Router CONFIG, to go out Router internet?????

anav

Well you need to confirm something.
What is the wireguard IP address of the fritz --> ??
What is the subnet on the fritz trying to reach from MT -->??

anav

One could always terminate both on the Ax3 and then send a single LAN only to the 5009 and that becomes WAN for the 5009 with a fixed private IP.
The desired WAN is only used by that LAN.
Advantages Disadvantages?

anav

Okay lets break this down so it makes sense. You want to establish a wireguard connection from your LAPTOP to the MT MANTBOX. Does the mantbox have a public IP address associated with it, or is it connected to an ISP Router with a public IP and you can forward ports to the MANTBOX?? Then you want to...

anav

@erlindend! Mesh is not a marketing gimmick LOL, its a systems where only one WIFI device is wired to the router or ISP modem/router and the rest of them connect to each other over wifi.

anav

normis, you have a special Iphone LOL. I have the ax3 and dont get 800 but will go recheck now that you have made me curious.

anav

See my profile

anav

I could have gotten cute and used the fact that we made WAN1 primary ( as then vlan30 users would automatically go there ). However I chose simply to create the two WANS as is and use mangling to ensure connectivity as required. Dont be caught up on the fact that one wan is primary and another secon...

anav

Meanwhile while you provide the answers, here is a guide for four routers with two of them being publicly reachable.
viewtopic.php?p=1062502&hilit=Four+rout ... d#p1062502

anav

The question was simple WHICH ROUTER, has a reachable public IP. So far, you are batting zero. The reason I ask is the routers with public IP can be used as the Server for handshake in the wireguard network to be created. Since you four routers at play, I would advise Primary (with public IP) and th...

anav

The approach is problematic ( more interested in blocking traffic vice focusing on needed traffic and simply dropping all else, Your attempt to run RDP for clients is going to cause issues. First and foremost RDP is an old protocol not considered secure. Its been replaced by citrix type functionalit...

anav

Better to understand all the requirements BEFORE working on the config. As an overall approach is needed as many parts of the config are related.
Post your latest config for review.

anav

Very weird, so from one ISP, and one cable from ISP modem ( in bridge mode ), you get two public IP addresses. One static and one PPPOE dial dynamic. They both come in on vlan1501. Do they have the same gateway? etc.. So if you were to run both on the AX3, how would you do it. FOR STATIC>> /IP dhcp ...

anav

Well you need to confirm something.
What is the wireguard IP address of the fritz --> ??
What is the subnet on the fritz trying to reach from MT -->??

anav

Are both ends using MT routers? What does your client use?
Remember If WAN1 goes down, your wireguard will automatically switch to WAN2 with a slight delay.
The router will inform the client end that the endpoint address has changed.

anav

Is this router connected to the internet. If so unplug immediately as you have no firewall protection. You dont know how to setup wireguard but you removed the perfectly good default firewall rules protecting your network ????? You are missing the allowing of handshake rule in the input chain and ma...

anav

The question I have is WHY? As a backup? If you have wireguard setup on WAN1, and WAN1 fails and your router moves to using WAN2, your wireguard will also shift to WAN2 after some period of delay. If your purpose is to provide different access for different users, that starts to make a little sense ...

anav

Which Router(s) have a reachable public IP address, or can forward ports from upstream router.
Dont really care about NORDVPN, has nothing to do with what your asking.

anav

/ip route
add dst-address=10.3.1.0/24 gateway=wireguard1 routing-table=main

anav

Stated differently, MT devices cannot provide the answers you seek to comply with Govt Regulations.

anav

Without seeing your config, one is guessing..........rather work on facts......

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

anav

The difference between V6 and V7 (1) In V7 you need to separately create tables. /routing table add fib name=to-ISP1 add fib name=to-ISP2 (2) Mangle rules do not change, you still need new-routing-mark=to-ISPX (3) Ip Routes change - you do NOT use route-marking in IP route, instead you use routing-t...

anav

What are the subnets on the fritz that the users on your local MT devices need to visit?? They need to be accounted for on both allowed IPs and IP routes. Since you have 0.0.0.0/0 set as allowed IPs, which covers both the case of internet and subnets, you dont really need to adjust allowed IPs. Sinc...

anav

You cannot terminate A single ISP connection in two routers.
That being said, are you saying you get two separate WAN connections from ISP1 ??

anav

The IP address is incorrect From: add address=192.168.1.5 interface=wireguard1 network=192.168.1.0 TO: add address=192.168.1.5 /24 interface=wireguard1 network=192.168.1.0 Remove this static DNS setting /ip dns static add address=192.168.88.1 comment=defconf name=router.lan The most important questi...

anav

/ip firewall address-list add address=192.168.88.XX list= Authorized comment="admin desktop" add address=192.168.100.2 list=Authorized comment="admin remote phone" add address=192.168.100.2 list=Authorized comment="admin remote laptop" The question I have is the other ...

anav

Post your latest config with changes included please.

anav

Yes, this is necessary. add address=192.168.1.5 interface=wireguard1 network=192.168.1.0 The issue is the question I posed which you didnt answer. What is going out wireguard to the fritz, one user, all users etc...... Also can you confirm you have remote users hitting the fritz and needing then acc...

anav

That is one approach get rid of the offending diagram LOL. (1) Since you are queueing and mangling, we need to remove the fastrack rule from the forward chain. (2) Primary WAN for vlan30 is WAN1 (3) Primary WAN for one user on vlan10 is WAN2 --> 172.16.10.100 (4) All other users should share the ava...

anav

(1) Pre-shared key is not required, and is not normally used, so for troubleshooting purposes remove for now. /interface wireguard peers add allowed-address=0.0.0.0/0 endpoint-address=x2061.myfritz.net \ endpoint-port=59162 interface=wireguard1 persistent-keepalive=25s \ preshared-key="=" ...

anav

Glad its all working for you now.

anav

Not being clear, The MT you stated should be used as an AP. The PA you stated handles creation of vlans/subnets and handles DHCP. 1. On the MT AP 192.168.98.91 (assigned to ether2) should be just used for managing the MT AP. Understood that the IP address is assigned to the MT device and thus its on...

anav

Sorry very confusing..... Can you draw a network diagram please....... Not sure which ones still valid...... Step1 - NETWORK DIAGRAM Provide a network diagram of your setup with enough detail so that the subnets (vlans), devices and their relationships are clearly established. If able, on the same, ...

anav

Okay So compare the 62.x.x.x.x public IP you get via IP cloud, to your WANIP address you get in IP DHCP client. Are they the same?? It might show on your LTE settings ??? Or may show up as your gateway IP??? No need to show the numbers but if public they should all sorta lineup. Note even your IP cl...

anav

Not my problem your diagram does not match the first few lines of the config. Stopped me cold. Not going to waste my time on such blatant inconsistencies. If you had said ignore the etherport designations on the diagram, because they were wrong, then I would have been prepared Your response did not ...

anav

Fantastic!. Yes you can enable the IP DHCP client, and also select default-route= yes, and then remove the IP address and the manual route, comes to the same thing! However, you appear to be not listening, and keep running into a stone wall. Do you like the pain?? Please remove your bridge filter it...

anav

Sorry, but your not making sense. You want different vlans (at least two ) to enter the MT AP, so it can distribute them over WIFI. If one of the those two vlans is not a trusted subnet ( limited to trusted users aka home vice guest ) then one should have a separate management subnet but will leave ...

anav

Yes but that means you need equipment that can do DPI of encrypted traffic so that rules out most equipment unless you go high end Juniper etc with subscription services.

anav

Are you sure you get a public IP address from the ISP provider??

anav

Best to provide config after giving it a go.

anav

(1) Yes local interface created. Extra routing only required if visiting subnets at other end of tunnel and you need to tell router to get there you need to go through tunnel. (2) It means an error on your config. Remove ether1 from dhcp client, it has nothing to do with WAN (3) FW rules are not the...

anav

So the zyxel is a modem router or just a modem?? Will assume very little if any protection afforded by zyxel. Bridge Filter removed. No need to add a bridge. /ip dhcp-client add disabled= YES interface=ether2-UPLINK /ip firewall filter { order is important ! } add action=accept chain=input connectio...

anav

Nope, the fw rules and mangle rules are not as I put them so cannot really help much more.

anav

If you want to use it as an AP, configure it as an AP. The steps would be: Reset to default: https://wiki.mikrotik.com/wiki/Manual:Reset Select Home AP in QuickSet Config the wireless part He wants two different subnet for wifi, NOT subnets from the main router. Using the MT device as a router is t...

anav

I dont use ip forward, not familiar..... Also you state you would prefer not to use bridge, so what makes you think you can throw in a bridge filter ( advanced setting ) without any bridge ??? Lets stick to simple and what works please. (1) Get rid of bridge filter! (2) What is your intent for firew...

anav

This is straightforward you are simply using the hapAX3 as a AP.switch Thus I would expect the input port is a trunk port carrying all the vlans required for data and the management VLAN ( which may be considered an already existing trusted user vlan) So which vlans are coming into the hapax3? Which...

anav

Is the MT AP acting as a router?
Giving out dhcp, routing etc and the upstream router is solely being used as a WAN source, providing a private IP on its LAN to the MT device??

anav

Just looking at your etherports on the config, I get confused because your diagram and your wording are in conflict. Without consistency, there is no point in assessing config. The ports on your router ether1 and ether2 Go to WAN -- config text -- Check ether3 goes to Switch1 -- config text--- WRONG...

anav

Besides the main router how many APs are you controlling?

anav

That was the idea, yes.

anav

Not sure what you mean.
The govt blocks websites and you want to be able to access such websites?
The govt expects you to block websites as a private homeowner?

anav

Load balancing is fairly straight foward on RoS
I would get your money back, the device does not do DPI inspections ( of encrypted traffic ) and thus is a ripoff.

anav

VLANS are extremely useful in preventing groups of users from accessing each other and are recommended. For users within a VLAN, then firewall rules are useless. In the old way of WIFI one could use access lists ............... however all i can find on my hapax3 is clien-isolation. Here is a quote ...

anav

Without seeing the complete config, hard to say
/export file=anynameyouwish (minus router serial number, any public WANIP informaiton, keys )

anav

best to post your config thus far.

/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc )

anav

Dont waste your time.
Allow needed traffic
Drop all else.
If you are using VPN, you are fine.

anav

Will need to some mangling and routes and tables.

anav

The problem is not MT centric its more like you dont understand how to setup WG period. ROUTER WIREGUARD SERVER FRIZBOX [Interface] PrivateKey = yLLoDlrjI8fLdv8KxoSvP9tbla8KY2Sqglua+bshJUE= ListenPort = 59162 Address = 10.3.1.1 /24 [Peer] PublicKey = 1/po8VJryRbMhluUbH8IU725lKsToVohwrma4uFDYio= Pres...

anav

I still see iPV6 lists and firewall rules LOL (2) what is the purpose of this rule.......... Lets get rid of it for now (DISABLE) /ip dns static add address=192.168.30.5 name=srv.lan ???? Also add this /ip dns set allow-remote-requests=yes servers =1.1.1.1 { unless using ISP dns, if so ignore the ad...

anav

Overall dont see anything glaring. You have not made the changes I recommended in the first go around and I am not about to go through that again, suffice to say, they were not provided lightly and may help gain success. Once you fix those, then we can look at anything else that may be more obvious....

anav

We need to see the MT config and also understand how the users on the MT if any are being directed out the tunnel and why?
Requirements!! + Config, then we can assist on the proper config.

anav

It seems to me, through my presence in this forum, that some, but not all, are aggressive in a very annoying way when asking any question, either because the Mikrotik OS is new to them, or they are new members and have forgotten that they are in a forum and the main goal is to help each other and e...

anav

Wise advice!
If you need extra help..........
https://www.youtube.com/@MAICT

anav

(1) Why do you keep adding bridge to the interface lists....... its not required! /interface list member add interface=pppoe-wan list=WAN add interface=vlan1 list=LAN add interface=vlan2 list=LAN add interface=vlan3 list=LAN add interface=vlan99-work list=LAN add interface=vlan100-mgmt list=LAN add ...

anav

Yes, the issue is you have a CGNAT connection. If your device was an arm,arm64,tile architecture one could also use the BTH VPN wireguard functionality (which would allow you to deal with the CGNAT shortcoming). The only other option I know of, but have not implemented is using IPV6 to do so. Snippe...

anav

Without a network diagram for starters, your explanation makes little sense.
Would also need configs to understand where there are issues.

anav

Sure, I will direct you to the perfect spot to get support you need.
https://mikrotik.com/consultants

anav

Which interface is this that is giving you errors on the bridge??? add bridge=bridge interface=*9 THis rule makes no sense as configured, why is it set to DROP?? add action=drop chain=forward comment="port forwarding" connection-nat-state=\ dstnat Three options make sense. a. one if you wa...

anav

Post complete config for review as previous.

anav

The allowed IPs in the router setting ( for the peer windows client) is correct as is : /interface wireguard peers add allowed-address= 172.16.0.2/32 interface=wireguard1 public-key=\ "123123123123123123=" Concur on the client side device (windows10) allowed address should be: 192.168.1 .0...

anav

Ahh okay, so basically default forward just means NO BSS blocking. All wired clients within a WLAN ( same SSID ) can reach/see each other..

anav

So how is the user selecting the printer and printing???

anav

All port forwarding is ridiculous. All you need is the IP address of the printer and the main port(s) the printer uses....... Need one port forwarding rule in forward chain.... add chain=forward action=accept connection-nat-state=dstnat THen need dstnat rules something like add chain=dstnat action=d...

anav

Notepad ++ has the ability to compare two configs, very nice!!!

anav

It should its basically a wifi ethernet cable concept.

anav

Before I look at the config, what is the purpose of your management VLAN? If you want vlan10 and 99 to fully talk to each other drop vlan99 and keep vlan10. As for the other vlans, only the management vlan should really see all other vlans. All vlans should be able to access a shared printer. Do any...

anav

A whitelist to allow external WANIPs to connect to your wireguard port is not required. That is the purpose of the VPN connection. Only those with proper encrypted credentials will be able to connect and thus there is no need for a whitelist.

anav

Wrong. There is no whitelist created by the wireguard interface??????\ By creating a wireguard interface and a wireguard IP address, one setups the possibility of a working wireguard structure. You still need the input chain rule to allow the handshake of clients to reach the router. You still need ...

anav

Id rather not play what if I do this or that on a config.............useless. Instead state reality and requirements a. identify user(s)/device(s) and groups of users/devices including yourself as admin b. identify what traffic they need to accomplish. The config will fall out naturally from well th...

anav

For PTP I would look at --> https://mikrotik.com/product/wireless_w ... ifications --> gig link on 60Hz so no interference with other wifi.
MT does not make mesh systems for local distribution of wifi.

anav

You can do that by only manually assigning DHCP leases I thought. Make use of ARP list etc.

anav

Ammo are you saying that for PPPOE one cannot decline the default route and use manual routes ???
Also if that is true then how do you manage check-gateway=ping on the main route ( is that available on the PPOE DHCP client settings somewhere)???

anav

Can be improved by AI.............. Will have to be as soon the DDOS attach will be AI run.

anav

Sounds more like a PPPOE ISP problem, perhaps they are blocking ICMP.
Otherwise out of ideas, perhaps someone else can do bettter.

anav

Then cannot help you.
I thought we were discussing using the wireguard on the MT router.

anav

There are many ways to skin the cat as mkx and rextended say. :-) So yes, If you just have this, /ip firewall mangle add chain=prerouting src-address=192.168.X.X action=mark-routing new-routing-mark=WAN2 Any traffic from that LANIP should go out WAN2. That means ANY TRAFFIC!! Think about it. Also, Y...

anav

Only give the SSID password to those that need it for any particular Subnet WLAN

anav

Not a problem due to encryption and type of protocols used by modern sites, it is IMPOSSIBLE to do what you are asking. Cannot be done on APP basis. Thus for practical purpose I recommend have dedidcated subnets for such purposes. So you can have vlan10 wired for normal WAN traffic (WAN1) and vlan20...

anav

(1) The Management VLAN/SUBNET has no pool, no dhcp etc. Which makes sense if you are attempting to use the setup to config the router OFF the bridge and highly recommended. In this case, no VLAN is defined and ether 7 is NOT associated from the bridge. This is what I will show. (2) Dont need connec...

anav

This could be the error we were not seeing......... /ip address add address=172.16. 20 .1/16 comment=LAN interface=bridge-LAN network=\ 172.16. 0 .0 I think it should be: /ip address add address=172.16.20.1/16 comment=LAN interface=bridge-LAN network=\ 172.16.20.0 ???? I am not good with larger subn...

anav

Are you saying next dns provides wg services?

anav

Be advised RDP is not really concerned best practice as a security protocol.

anav

Your setup is confused. One bridge, use three vlans. The subnet you make the bridge use, just change into another vlan, so we are simplifying the config. For the management subnet, just assign it directly to whatever port is called management, it would appear this is simply a backup off bridge confi...

anav

I was going to visit Croatia, but I am afraid I will not see any of the people. They will all be inside their houses trying to fix capsman on their home routers. Who will serve beer???

anav

The test should not be Laptop on LAN going out wifi to same router, The test should be like cellular, from a separate WAN source, like a friends house etc.. to the router in his house. The problem is that he can connect to his router via WG from his iphone from any cellular connection but never when...

anav

Education is what you need, MT wont replace parenting.

anav

(1) Fix Interface List Members: /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=WAN1 list=WAN add interface=WAN2 list=WAN (2) Add some routing tables in case needed. /routing table add fib name=to-WAN1 add fib name=to-WAN2 (3) Why do you have IP DHC...

anav

or the corporation uses edge routers or other internal routers with IDS services ( with ability to look at encrypted data )

anav

Concur, it depends how many layers is 'enough' for the particular scenario.

anav

What I would do is keep ether5 for off bridge configuration of the router, No need for DHCP pools, etc, just keep the IP address only and ensure its part of managment interface and LAN interface. Then just plug in PC or laptop change nic card ipv4 settings to an address within the range and you have...

anav

Your speaking gibberish. Wifi is not a thing, you have a number of vlans, those are real. If you mean vlan30 smarthome etc........ then of course anyone on that network has no capability to access the config nor should they. Folks should be in the managment vlan to do so. So what you are really sayi...

anav

Okay so that is much clearer, thanks! Ether2 is for a third wan connection but not in the mix at the moment. Ether3,4 not used. Ether5, separate subnet NOT on the bridge but part of the LAN overall. Ether6-10 WHERE IT GOES WRONG. First you should not attempt to have the bridge trying to give out DHC...

anav

Why would you do anything on the bridge setup other than turn on vlan-filtering. Once you get cute you run into problems.
I see your routers are not for allowing traffic they are designed to block mac addresses primarily.

anav

Well your setup is wrong with regard to the LAN and vlans so PCC doesnt matter at all until the LAN is fixed. You are mixing up dhcp from bridge and then you have vlans going nowhere........ So Please be clear, What are your ports connected to. ether2 ( stand alone subnet not on the bridge )? ether3...

anav

Even better the config you make without capsman on the capac is IDENTICAL to the setup for the capsman AX, minor wifi setting difference but everything else the same. Copy and paste into terminal and go!

Oh my bad, you paid for the pain misery and frustration advice..... Enjoy!

anav

My TP LINK oldie AP cant hold a candle to the AX3 LOL.
But I am thinking of getting a zyxel wifi 7 device.,
Fast roaming not required. Im in my own home, anything I do for serious is on the PC.
I dont run around the house trying to lose signal .........you guys crack me up

anav

Try providing a detailed network diagram to attack more comments.

anav

You have found a bug, and should report it to MT.

anav

?????????????

bbox.jpg

anav

If you are authorized, should be able to connect through any interface I imagine...............
NO guarantees on anything when using unmanaged switch LOL.

anav

Awesome, good catch, I thought I had found that earlier and thought I had put it in an earlier post but I often get distracted.

add action=accept chain=input comment="Access for MGMT" in-interface-list=\
MGMT src-address-list=Authorize <---

anav

@PG, MT has been busy over the past (seems like a century) year or two, modernizing their WIFI setup in RoS and thus the transition for them to adopt WIFI7 should be relatively smooth.

anav

The day I enable capsman on any of my devices, means my brain has been taken over by fungi!
Vlan filtering works on any MT AP product just fine without out, and I still have all my hair!

anav

The beauty of simplicity, no capsman, works with any MT AP, the setup remains the SAME, regardless, ac, ax etc. !!
Gigabyte, I am just jealous of your capsman skills!

anav

Nothing I can see......

anav

Not until you post a complete config, dont work from snippets

anav

Yes freezing and thawing does wonders on ill constructed outdoor equip.

anav

Im thinking of the pro cubes myself for a later project on my property. Easy way to get internet and thus wifi to another location.

anav

You mean the same link from post #2 ?

anav

Have fun with capsman on this one LOL......... More hair pulled out, turned grey, whilst a non-capsman config is up and running in 15 minutes.

Heck i could probably do it in 10 minutes if drunk.

anav

yes that is required for third party vpn providers as they only expect to see at their end the IP address they gave you.
By using sourcenat all your users will have their IP converted to the wireguard IP when sent through the tunnel..

anav

Not correct. If you are on behind your router instead of mac address type in the interface address you are on: 192.168.10.1 : winboxport and you should gain access to the config. Open winbox see the available devices down below and the IP address shown. Use that IPaddress and the winbox port as per ...

anav

Well it should connect. Perhaps the AP is not recognizing the client wireguard address as being "allowed"?

anav

Why do you still have 0.0.0.0/0 , :00 Should be just 0.0.0.0/0 I meant the router config in code blocks LOL. Your wireguard should already be able to reach the router via winbox. Simply connect to the tunnel as you normally do. Then open winbox on the client device and at the top put the particulars...

anav

Not without the latest config

anav

Post your config again but use code tags around it. The black square with white brackets inside it, on the same line as Bold and Underline etc....

anav

Just 0.0.0.0/0 not sure what the other noise is after it.

Also missing persistent-keep-alive setting whatever it looks like on the client device.

anav

But you are not connecting MT CHR? That is for a cloud server. You have your own MT and the user is connecting directly to the router. In any case those are generic instructions, I have provided the same info. What You need to provide is the client wireguard settings. Post it all but just use KKKKKK...

anav

Best to listen to mkx the first time, will save you lots of grief LOL.

anav

Funny that, today I was watching one of my favourite youtube distractions, losing my self in the world of "Bald & Bankrupt" . Today I learned about Tajikistan! Good thing they left the USSR otherwise Voldemort would have pulled all the able bodied men to fight in Ukraine. https://www.y...

anav

Dont understand this comment, can you explain in more detail please. under network adapters WG client NIC doesn't have GW set The WG client device needs the following Create a WG interface and provide a public key ) this key will go in the allowed IPs on the mikrotik device for peer public key Will ...

anav

As I said, when you mess with standards ( trying to use an unmanaged switch for vlans ) results are not predictable and thus why I prefer not to get involved. Smarhome30 or vlan30 does not have internet because you didnt give it LAN membership!! /interface list member add interface=ether8-WAN-Static...

anav

@darknate: Resources: Engineering Management ( besides the academics of maths, physics, statistics-probability, electrical, programming, chemistry, drawing, thermodynamics etc...) All old text books circa 1980s LOL PRODUCTION/OPERATIONS MANAGEMENT : Concepts Structure & Analysis --> Richard J Te...

anav

(1) For Allowed IPs for your remote peer client remove the unecessary stuff should look like. /interface wireguard peers add allowed-address=10.10.20.2/32 interface=wireguard1 public-key="hidden" (2) At client peer (at the client device ) for DNS put the interface of wireguard 10.10.20.1 (...

anav

Without looking at your config, the problem I see is that your modem is giving you a private IP as a WAN address to the HEX, but then why do your LAN subnet devices have the same LAN structure??? modem=192.168. 2. 1 Hex WAN IP provided by modem is 192.168. 2 .5 makes sense! AppleTV=192.168. 2 .115 w...

anav

Well without looking at the config, the VLAN is created at the switch and is solely for the purposes of moving the connection from ether7 to ether8. At the RB one simply terminates vlan90 on the incoming port Simply assign a vlan to the interface and in IP DHCPclient use vlan90 as the interface. You...

anav

MODIFIED NAMES TO MAKE SENSE /interface ethernet set [ find default-name=ether1 ] comment="POE swith /wi-fi" name=ether1-LAN-Hybrid set [ find default-name=ether2 ] comment="proxmox" name=ether2-LAN-Hybrid set [ find default-name=ether3 ] comment="ABB IPS 2.1" name=ethe...

anav

Provide a config so we can see the state of the setup so far.
/export file=anynameyouwish ( minus router serial number, any public WANIP information )

anav

Yes distance is the easiest separator. One recommendation is to put the users and the servers on different subnets and then you simply need to use routing rules to force servers out WAN1. If not and they are all on one LAN subnet then you will need to mangle and use source-address lists to separate ...

anav

STOP in the name ov coding And to innkeeping with your outstanding direction why is so hard for you not to use code tags which makes far easier to follow each of your coded step ... then perhap the people you are helping would follow your direction by also using code tags for their code :D [/quote] ...

anav

Okay, so lets say the vlans are all visible on the unmanged switch, I can pretend that LOL. In any case the unmanaged switch needs to be passed as untagged and thus the port would have to be considered hybrid port. That is for ether1, what is the case for ether2 also appears to be asking for hybrid,...

anav

I cannot guarantee success when out of my element....... same with capsman, IPV6 etc..............

anav

Wow MT support has a help line for answering product questions?? Dont they normally say go talk to a dealer?

anav

I cannot help further as I dont support using an unmanaged switch for multiple vlans. Hopefully somebody else will.

anav

Why not!
Sounds like a good idea.....

anav

Check tp-link forums.

anav

Yes very easy. Make WAN2 Primary WAN, you can add wireguard to this so you can remote config the router. Can you confirm that WAN2 (gig) is a publicly reachable IP static or dynamic or the upstream router can port forward to it?? WAN1 will be secondary but the idea is to use routing rules to force t...

anav

Normis is correct the hexS should be fine. Expect wireguard connectivity at least in the 100-200 range.

anav

The fact that you have nothing at all that looks like the default firewall rules there are two possibilities a. you are very experienced and the rules are great and you dont need help b. you copied them from various places and really need lots of help. If it the latter case keep reading, if its a. t...

anav

What happens if wan1 or wan2 is not available. Do you want for example for users on WAN2 to have access to WAN1? What happens if wan1 is down? What type of VPN do you have to remotely configure the router ( if the router has a publicly reachable IP, or the upstream router does and you can port forwa...

anav

Best bet is 60HZ link. No interference from regular wifi. Its 1gig and just like an extended ethernet cable in function.
https://mikrotik.com/product/wireless_wire
https://mikrotik.com/product/wireless_wire_cube_pro

anav

Since your text does not match reality and the config is mixed up. What is connected to each port ether1 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )? ether2 ( unmanaged switch / managed switch / dumb AP / smart AP, dumb device like PC )? ether3 ( unmanaged switch ...

anav

What do you mean you............. Its the clients router so why do you need it for navigation?? by the way navigation means nothing to me, if you are asking about how to navigate in an airplane using the sun, moon or stars, that would make sense. :-) a. What does the client need in full detail. What...

anav

First thing to do is check with the department or persons responsible for both IT and security to ensure that its within the rules of the company.

anav

Did you try a laptop with a wireguard client as well using same wifi, that would really narrow it down to the phone.

anav

What you would like is not a valid requirement, what is valid is what traffic your users and yourself as admin need. Thus the Wireguard IP is a unique IP address structure. Through firewall rules you can decide which if any wireguard remote users have access to the router for config purposes and to ...

anav

Well if it works on 5G then you know your router and phone are setup correctly.
Wondering if one has to do something different on the phone when connecting via WIFI, dont think so?

anav

(1) This client peer allowed IPs settings makes little sense. As per the other remote users, there is no need for endpoint anything!! Assuming this is another router as you have the wireguard address and a subnet identified. Also the wireguard address in the allowed IPs for the remote router is wron...

anav

Sorry you cannot effectively trap websites for streaming traffic.
What you can do is dedicate a subnet for streaming traffic or an SSID if doing it over wifi.
Then you can mangle that subnet or associated vlan to a specific WAN.

anav

SKIP to 12 to fix your issue! or perhaps 4 is the problem? (1) The real crime in the nomenclature of your vlans, you have a,b,c but you assign them to vlans 10,30,20 lol, drive me nuts. :-) j/k (2) Problem here! You introduce two vlans that are NOT defined ??? They should be removed. /interface brid...

anav

A bridge port can express 3 use cases. - trunk port carrying multiple vlans ( all tagged ) - an access port carrying one vlan ( untagged ) - a hybrid port carrying one vlan (untagged) and one or more vlans (tagged). In the case of trunk or hybrid the receiving device must be able to handle both tagg...

anav

need to see full config

anav

1. Dont need check-gateway=ping for the additional routes ( non-main routes) 2. You have to provide more detail. Is there any traffic directly to either WAN ( aka like wireguard connection )? 3. Do you have any servers on the LAN side, that external users need to reach and if so by one WAN? both WAN...

anav

So in summary, the vlan1 thingy is normal and should be there. I have it in all my configs, not an issue. Dont try and get too fancy. :-) Your bridge vlan interface setup is not wrong, just not efficient as can be stated with less rules is all. Your real problem is that you need more wifi. You need ...

anav

Okay you forgot to make some changes plus some more modifications. We should at least add default rules but for now no rules = everything passes so not in the way of success. (1) Lets keep DHCP server-network standard. /ip dhcp-server network add address=10.1.0.0/24 dns-server=10.1.0.254 gateway=10....

anav

(1) Ether4 has an IP address and a Pool, but MISSING is dhcp server and dhcp-server network ????? (2) I gather you want all bridge traffic to go out internet on VPS. (3) On this note I would get rid of the static DNS setting and modify: from: /ip dns set allow-remote-requests=yes /ip dns static add ...

anav

The only thing required on the bridge is to give it a name other, than bridge, if so inclined, and at some point change vlan-filtering to yes ( aka get rid of frame type setting and leave that to bridge ports, as you have done!! ) For each bridge port setting I also add ingress-filtering=yes Interfa...

anav

probably running into hairpin nat.
Are local router users trying to reach the server via its LANIP address or by some DYNDNS URL ( aka the WANIP ).
Should not affect external users ( did you test like with cell phone via cellular )?

anav

The reason for six rules ( actually only 3 default type routes using table main, the other three are routes that could pertain to mangling or routing rules. In your case you only have two WANS, and really one WAN at a time. The VPN is not a WAN exactly but you force vlan9 out the tunnel vice the loc...

anav

Disagree because its mkx of course, if the WIreguard has access to the input chain, and not connected to the bridge in any way ( the main culprit in these things ), perhaps wireguard would not be affected.

anav

After you provide your config I can comment constructively.
/export file=anynameyouwish ( minus router serial #, any public WANIP information, keys etc.)

anav

All the control setup is done on the main router,
The second device acting solely as a swittch/AP has a minimal setup.

anav

create wireguard interface, any port can be chosen. if you are given a private key put in the private key here before generating the interface or hitting apply Add wireguard interface to WAN interface list Add allowed IPs = 0.0.0.0/0 name of wireguard interface and endpoint address and endpoint port...

anav

Ahh, single interface now thats challenging.......... But how is this different from any group of public IPs coming from a single provider over a single interface. Typically one uses one IP for the router and a second IP directly for a server for example. What to do if one wants to use them both for...

anav

For whole subnets ( probably vlans ) it may be easiest to use routing rules and tables. The routes already shown above. /routing table add fib name=useWAN1 add fib name=useWAN2 /routing rules add action=lookup-in-table min-prefix=0 routing-table=main comment="ensures local traffic is permitted&...

anav

The answer is not to make multiple bridges. Do you want subnets to equally access the available WANS, ( like in PCC load balance ) Do you want some subnets to go out WAN1 and some out WAN2 Do you have remote users coming in to LAN servers and if so over which WAN Do you have remote users coming in v...

anav

The input chain should not be open to the internet except for handshaking for a VPN. ONe does not directly acccess winbox aka the router (input chain) for config purposes, instead you make the tunnel connection via VPN and then allow that vpn interface or subnet etc access the input chain. In other ...

anav

What you are saying makes little sense to me. First off VPN is for remote clients coming in on a particlular WAN OR VPN is going outbound to a third party provider. So I have no clue about why you would have VPN between vlan1 and vlan2 -- use firewall rules. Also, why is vlan2 not part of the LAN? S...

anav

So no wireguard connectivity to the switch??

anav

config??

anav

sorry not familiar with ipv6 so cannot assist.

anav

suggest put shadowsocks into the Search window and hope for the best.

anav

Why does a server go down? Makes no sense.

anav

You need to go to IP DHCP client next.....
and select vlan 911 as the interface ( not vlanfiber! )

anav

Most mods/changed............. /interface vlan add interface=bridge-LAN name=vlanbridge vlan-id=5 add interface=bridge-LAN name=vlan10-Ospiti vlan-id=10 add interface=bridge-LAN name=vlan11-IoT vlan-id=11 add interface=bridge-LAN name=vlan13-Inaffidabile vlan-id=13 /interface pppoe-client add add-de...

Search found 19783 matches