MikroTik

anav

But of course, any OP STORY is pure conjecture, hearsay and usually wrong and the only thing that really counts is evidence aka the config. Even harder is getting the true requirements. If I read one more time I cant ping between subnets, i will reply, THEN GO MARRY THE FUCKING SUBNETS, pinging has ...

anav

A diagram would help because you failed to describe a switch which seems central to your setup, hiding information is not helpful. Since you didnt disclose the switch I will ignore it. Put all vlans on bridge, not on ether1 and forget switch.......... Furthermore what are these half done dst nat rul...

anav

State the requirement more clearly, mangling is a tool it is not a reason.
A config pops from requirements not the other way round.
What is the traffic issue you are facing.

anav

1. Devolo Magic 2 WiFi 6

anav

Wow I would be happy with 500Mbps speeds based on their test results, you are doing better then they did.
(512 bytes are real world, ignore the other columns)

anav

Im confused, are these both just one flat network. All users are on the same subnet?? If there were vlans per subnet that would make sense ( for example one could have a trusted subnets with two SSIDs, 2.4 and 5ghz and the rest different vlans for diff purposes, guest wlan 5ghz, iot 2ghz, media 2ghz...

anav

CONFIG?

/export file=anynameyouwish ( minus router serial number and public wanip information )

anav

Why the LAG construct??? I dont know what is the correct way to approach bridge and vlans.??? Why not just push the vlans on a single trunk port to a switch......... In any case these /interface bridge vlan entries dont do anything..... add bridge=bridge1 comment="VLAN 16 - FAMILY" vlan-id...

anav

sounds good so APs it is.

A network diagram is helpful as is seeing the current stat of the config
/export file=anynameyouwish ( minus router serial number and any public WANIP information)

As per viewtopic.php?p=908118

anav

Good day............. It looks like both of your routers do not have public IP so thats not a good start. Can you access the ISP modem on the open wrt router side and forward ports to the openwrt router from the ISP router? As for the MT behind the LTE device, can you get a custom APN for a private ...

anav

/export file=anynameyouwish (minus router serial number and any public WANIP Info )

anav

YOu have to decide whether you want vlans or just assign etheports directly. The problem may be you dont know what you want yet. Vlans are necessary when you want to send more than one subnet on any given port....................in your case doesnt seem to apply? They are extremely flexible to apply...

anav

THe default name for an etherport is ether5 Many people change the name to suit their purposes....... or keep the default. /interface ethernet set [ find default-name=ether2 ] set [ find default-name=ether3 ] set [ find default-name=ether4 ] name="ether3 - Fiber to Store 02" set [ find def...

anav

viewtopic.php?p=908118
Step2

anav

and the reason not to provide the config/evidence on RB4011 is?????

anav

Yeah, now I can read this thread again.......... my firefox knew it was bad news the rest of you do not have as smart as a fox as I do........

Seeing as you didnt fix the issues I brought up NO COMMENT this round. Try again.

anav

1. You can only use one subnet assigned to a bridge is my understanding. Once you want more then vlans is the way! 2. Alternatively you dont need a bridge and can assigne each etherport a subnet. Its clean and simple to use vlans. PS. I also find it very confusing to use /26 and all IP addresses see...

anav

In general --> https://forum.mikrotik.com/viewtopic.php?t=182373 New Poster --> https://forum.mikrotik.com/viewtopic.php?p=908118 Basically a diagram speaks volumes Config of all three devices required /export file=anynameyouwish ( minus router serial number and any publicWANIP information ) However...

anav

Easy, One bridge ( no dhcp on bridge ) All vlans with interface bridge Forward chain last rule add action=drop chain=forward. ++++++++++++++++++++++++++++++++++++++++++ Then rules above last rule are simple --> only what you allow allow all vlans to internet allow A to C allow C to A NO rules requir...

anav

Where did you see that Holve... WifiWave2 FULLY replaces old wifi. Its one or the other not both. As for RB4011 turn wifi off and get a capax ;-P

anav

anav

Well my firefox is zippier and all thread works except that one.......................

anav

That doesnt explain why every other thread works fine including this one....... will try
...

badthread.JPG

anav

Your personal issues have nothing to do with MT functionality!

Seriously my condolences for the 'family situation', its easy to forget not everyone is so lucky.

anav

I can enter any thread and add posts etc, but this post locks up my computer, anyone else have this issue??
Sometimes the thread is half visible, and certainly cannot enter any new posts.

viewtopic.php?t=194837

anav

Because, one doesnt have to expose ones's public IP on the internet to host servers........ THEREFORE ITS intrinsically more secure IT avoids all the users with so many useless firewall traps to try to stop people hitting on servers etc......... Clean, efficient and secure. Effects I would say conse...

anav

Start on post 8, 28, 29 and further down. Various solutions have been presented to circumvent this problem (until they finally solve it in ROS itself, where it should be solved) AMEN TO THAT BROTHER, I already put in a request and nothing, so the more people that do...............the better chance ...

anav

There is nothing funny and nothing to hate but your own stupidity if made bad decisions knowing full well the limitations of older gen WIFI, after your first foray into mt wifi. I learned my lesson on capac and ended up with 3 thinking I was on top of the world.........wrongo, so yes, hate but hate ...

anav

Step 1 - take a port of the bridge to use for configuration purposes give it an IP address liek 192.168.55.1/24 and add it to a management interface list, give your laptop an iPV4 address such as 192.168.55.5 and you are in. That way smooth sailing during bridge and vlan changes!! https://forum.mikr...

anav

Note to pe1chl and ammo........... dont forget your ABCs......
viewtopic.php?p=908118

Or NOT, if you like playiing whackamole and guessing games. ;-P

anav

Without the config of each CAP, should I use my crystal ball ???
Duplicate mac address??

anav

Updated it last night so some changes.

anav

Like I said, care little how you handle ISp1 or ISp2 in terms of table and scheduling.
You simply need the first routing rule to be dst-address for the wireguard subnet and your windows laptop should be able to now receive the return traffic from device on .42 and .30

anav

Are you using hotspot functionality?

anav

However, you do have two exceptions which need to go out to the internet and thus we need to tweak these rules...... FROM /routing rule add action=lookup-only-in-table dst-address=172.11.2.0/24 table=main { ensures wireguard return traffic will get back into the tunnel } add action=lookup-only-in-ta...

anav

Okay I understand now ISp1 and ISp2 are simply for access of linksys to get internet. Thats fine, and schedule works two, but not sure how that works..... The rules I have implemented ensure ether1 is primary and ether2 is secondary. Since it doesnt really matter and you have a way of alternating th...

anav

OKAY lets fix your setup. Assuming ether1 is priority. If ether2 is the priority reverse the gateways. By priority I mean all MT traffic 192.168.30.0/24, and 192.168.42.0/24 would follow the routes. Local traffic will deviate because you also create 'forcing' routing rules. /ip route add distance=5 ...

anav

Okay let me get this straight. One you are connected to the www in three different ways and have no firewall rules ??? On the mikrotik router you have two fixed WANIPs to two different providers ether1 and ether2. On the mikrotik you have two LANS, one for users 192.168.42.0/24 on ether5, and one to...

anav

Will adjust article accordingly!!

anav

As long as a. you have a proper formatted dst-nat rule b. have the default firewall rule blocking all WAN traffic except for dst-nat or own rule allowing dst-nat OR no firewall rules (meaning all is permitted). It should work. If it does not then it would seem you are stuck and need to contact ISP f...

anav

/export file=anynameyouwish ( minus serial number and any public WANIP information )

anav

Concur!

anav

I wish it were true. If I wanted set to defaults and that was it, I wouldnt buy MT for wifi. MT for wifi should provide the ability for the user to setup the config optimized for ones particular scenario. The structure and presentation should lead to a logical setup methodology. So far all I see is ...

anav

Sending you a cat gif......... Cause you are so patient and helpful that I want to give you a................. https://media.tenor.com/fRIfg-otefcAAAAC/kith-cat.gif

anav

As stated, a diagram well labelled for context and full config to marry up words and pictures with actual evidence.
/export file=anynameyouwish ( minus router serial number and any public WANIP information )

anav

Too much water will have to pass under the bridge before there is only IPv6...

Translation: No need to wait for IPV6, you are welcome anytime and the sooner the better and yes Belgium, Slovenia and Czechia pale in comparison!!

anav

Time to move on to IPv6! Agree.... Be careful what you wish for! I am barely grasping ipv4 fundamentals. If they switch to IPV6, I hope you have a spare bed in your house because I will be there for intensive training, oh and perhaps a little sampling of the fine foods and beverages ........ :-) My...

anav

To get it straight. Ether5 is the main LAN subnet and is 192.168.42.0/24 Ether3 is a LAN subnet to the Linksys Router where the Linksys Router gets its WANIP from ( and how the linksys gets its VPN connection ). Ether4 is WHAT , purpose etc...??? You have a wireguard server on the router for handsha...

anav

Yes, you would create a wireguard for the third party provider. I would keep a separate one for your own needs AKA remote into your router when travelling etc. You can always use the third party one for internet while remote as well. The latter question not so easy. In most VPN providers you get one...

anav

Sure you do,,,,,,,, get a wireguard account with a third party vpn provider just like you have on the linksys.
ExpressVPN doesnt have wirguard yet? ..... many others do.

You are making your config needlessly complex.

anav

When you want to use one bridge and you want to use the TPLINK as a proper vlan switch not port based, will help.

anav

email me check my profile.

anav

What is this for?? /ip dhcp-server network add address=0.0.0.0/24 dns-server=0.0.0.0 gateway=0.0.0.0 netmask=24 Why do you have this set to your bridge??? Remove it. /ip dhcp-client add comment=defconf interface=bridgeLocal The WAN is your WiFI not the bridge................. add interface=wlan1 lis...

anav

from ether3 on Mikrotik router there is a LAN interface go t o the VPN router -(to WAN interface on VPN Router)- That is my point what VPN router? You only have two connections to the internet. Where is this VPN router located and what make or model is it? Then you have a link back to the mT on eth...

anav

I think so, your idea is the correct one for sure......

anav

A hybrid ether4 setup. /interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether2 pvid=20 add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether3 pvid=20 add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged...

anav

Completely useless link, This one seems better --> https://cdn.cnetcontent.com/63/39/6339b2d6-cdfa-4913-9ef9-94aade99d29a.pdf However it would appear HP has quite an involved process which I trust you have mastered. There should be three vlans going to the HP VLAN99 to give it an IP address on the b...

anav

Yes completely normal. Every trunk port be it MT, DSTINK, NETCRAP, TP-SHTINK has the native vlan1 set on every port. Its transparent and in the background. The only time it changes is if one sets a pvid, access port which replaces vlan id 1. The MT is configured properly suggest you figure out what ...

anav

Quick Look. 1. Decide on etherport type as an ACCESS port ( add pvid ) or TRUNK Port and change frame types. /interface bridge port add bridge=bridge comment=defconf frame-types=\ admit-only-untagged-and-priority-tagged interface=ether2 pvid=missing 2. Same issue with etherport 10......................

anav

Hehehe your attention to detail is lousy........ Whey did you keep pvid on a Trunk port, remove please. /interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether2 pvid=20 add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ...

anav

Yeah, its hard to know with such an old version of firmware.

anav

Yes if you are honest with the information provided. Are you saying the RB2011 is NOT a router here, but simply acting as an AP.Switch behind an upstream router that is handing out DHCP??? If now you are actually stating that the WAP should get both vlan20 and vlan10 tagged then of course it wont wo...

anav

Sounds like its the cable, what else would cap it suspiciously just under 100mbps ?

anav

Maybe para 5 ( which at the bottom has a link to another solution ). - viewtopic.php?t=194646

anav

Since the device is not under your control, I dont see how you expect to be able to do anything from the MT side............... The only advice I would say is start charging based on usage vice connection and that will allow you to make money regardless if one, two , 10 users are sharing a single vi...

anav

The evidence, that matters is the lastest config, not picture...........

anav

Then clearly you had not only a mismatch between /interface bridge ports and /interface bridge vlan but also both had errors. Remember an ACCESS port strips tags on the way out for the identified PVID and puts them back on for returning traffic. A Trunk port carries the vlans to the other side. A Hy...

anav

NO, you have setup ether4 to strip the vlan tag when leaving the port ( access port pvid=XX ) and then adding the tag back in when the data from the AP comes back into the router port. If your intention was to send tagged data to the AP, then this assumes the AP is a smart AP??? What are you sending...

anav

Next time please dont use verbose unless requested LOL> Sorry for not picking this up the first go around! Here it is......... /ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254 add name=GREEN_POOL ranges=192.168.10.50-192.168.10.254 add name=BASE_POOL ranges= 192.168.0.254-192.168.88.10 Shoul...

anav

For posters here........... Do not mind Darknate's lack of personal communication skills (probably why he has more dates with large networks than real people ;-) ) and of course the rampant narcissism. He has a lot of experience with many large networks that is invaluable to other large network user...

anav

Looks good so far........ 1. Minor point even though you have a correct config for /interface bridge vlans it doesnt really communicate well so always do it manually so to crosscheck easily the bridge ports. /interface bridge vlan add bridge=BR1 tagged=BR1 vlan-ids=10 add bridge=BR1 tagged=BR1 vlan-...

anav

I dont understand your network probably because I dont understand the use cases, you mix up users and config in such a way its not readable. Thus forget the config for now and concentrate on use cases. a. Identify all users/devices or group of users/device (including admiin) b. Identify where they a...

anav

Of course I can, because I can see through the internet with my spy camera and see your config. Access port or Router: --> . untag data upon leaving device tag data upon renentering device. Trunk port on Router --> leave tags on as traffic going to smart device which returns tagged traffic. Suspect ...

anav

Yeah get rid of the bridge giving out dhcp and stick to all vlans, much cleaner............

anav

Sounds like you will have to start from scratch (push reset button) to put it back to defaults. Funny the route rule you put in, should not have done that by the way. Since the MT configs for home devices comes standard with a bridge where all ports are connected ( save ether1 which is usually autos...

anav

Interesting thread! Good to use to check similar work done here --> viewtopic.php?t=194646
Where Solution 5 addresses mDSN and at the bottom of the post I linked to this thread.
The diagram is very nice!

anav

Vlans are cheap put the IOT device that is the problem in its own vlan.
Maybe one you experts can figure out a vxlan solution LOL.

anav

Yes and thats why they are on their own VLAN on any sane configuration.

So I guess this means that this addresses the USE CASE OF.........
MT device coupled with stewpid AP? as anyone with a smart AP would never combine guests wiith iot with family on the same SSID and same VLAN.

anav

Not sure of your added complexity, but the idea I have for discovery is to ensure all MT devices can be easily disovered for the purpose of winbox discover. In that vein they should all get the same IP from the same Base or Management or Trusted Subnet. That subnet should be listed on a specific pur...

anav

How would I apply a firewall rule for each VLAN? To allow/block traffic between a VLAN to itself. This makes little sense to me? Do you have a use case? Why would you want to filter some vlan users from other vlan users in the same vlan. The whole purpose of VLANS is to segregate a group of users/d...

anav

Hi MKX I think you have a typo........ But when one enables IP firewall for VLAN traffic, this is sort of extension of firewall functionality (because normally firewall ................. Did you actually mean But when one enables Bridge IP firewall for VLAN traffic, this is sort of extension of fire...

anav

There are smart people with brains and there are smart people with no brains. What do I mean? Some people know HOW to do things. Some know WHY to do things. Majority aren't in the latter, that's not my duty to fix, visit a shrink for medical treatment. Luckily I am not so smart and thus can save my...

anav

And you too pcunite!!

anav

The first one no clue how to formulat a rule, beyond my scope or understanding
The second one,,,,,,,,,,, I think your saying..

add chain=prerouting action=drop in-interface-list=LAN dst-address=WANIP ???

but we dst-address WANIP for dstnat rules???

anav

So there is alignment on RAW RULE 1 BLOCK ANYTHING FROM WAN WITH SAME SUBNETS ON ROUTER RAW RULE 2 BLOCK ANYhTING FROM WAN WITH DESTINATION OF PRIVATE SUBNETS RAW RULE 2 BLOCK ANYTHING NOT FROM LOCAL SUBNETS COMING FROM LAN. No IP Routes with black hole make sense in home setting or SOHO setting. /i...

anav

If the connection you had was from a vpn connection to an external host, there is no reason why reverse traffic is not possible. Its transparent to the starlink at that point. I have not used zerotier, the link I gave you and the MT DOCS are your best resources. ( https://help.mikrotik.com/docs/disp...

anav

Probably because they are dynamic WANIps?? or likely using in-interface is NOT a valid approach so my error!!

In the xample I was following they didnt use in-interface, they used dst-add =
Will have to think how to mimic that so it works.

anav

To clarify. Standard VPN functionality requires you to have a publicly accessible IP, not the case with Starlink. Thus you cannot use your router as the HOME BASE for VPN like wireguard Therefore you have to use an external HOME Base for the VPN, it could be another location (relative, friends house...

anav

I am stiill waiting for a response on Blackhole. Its clearly an accessible option on the routes menu. Rextended succintly pointed out its not worth it in most cases, perhaps he meant the home user. I was hoping darknate could explain why its used in business or if not really applicable there either....

anav

No need to dissect the VLAN config oriented approach for your focused firewall questions. Its simple, ONLY the ADMIN needs access TO THE ROUTER for config. Users ONLY need access to ROUTER SERVICES> CAPICHE? How you want to set that up for your own device is up to you. A simple approach that works i...

anav

ukvpn is a bridge, just so that I can organise a dhcpd for connected devices on ether{4,5} I presume what you are trying to do is get the devices on ether4 and ether5 to go online through the wireguard VPN whereas everything else should go online the normal way. Is this correct? If so, you need to ...

anav

Well, I admit that I must have really expressed myself extremely clumsily if it was perceived that it should have been done ALREADY! 😘 But as I said, "someone" should consider a bump to v1.10.6 as soon as possible to avoid angry Android and ipv6 users. Otherwise it looks like a grand upda...

anav

When we upgraded to version 1.10.3 it was the latest one. We can't upgrade and release on the same day. We need to test it too : ) So true, LARSA look at post #16 :-) My impatient vampire mouse. That is why I am not clamouring for the ZeroTrust Cloudlfare Tunnel options package (for all mt users) o...

anav

MTU clueless here so cannot help............ but here is the link to the user article based on this thread....... https://forum.mikrotik.com/viewtopic.php?t=194646 Comments welcome. 1. UNIFI Controller to UNIFI APs - via Wireguard and EOIP. - https://forum.mikrotik.com/viewtopic.php?p=990837#p990836...

anav

Awesome it would be nice to have a summary post where you state here is what I wanted to accomplish and here is the final config.......

anav

Wireguard is probably faster.

anav

I will look at this sorry thread later but its clear that HAVING SAFELY SETUP SERVERS is a very important consideration for many many mikrotik users.

Thus Mikrotik MUST PROVIDE the Zerotrust Cloudflare tunnel in an options package for all users!!!

anav

Wireguard doesn't work with a bridge-lan is a ridiculous statement that means nothing! Wireguard is a peer to peer layer3 construct. If you want to connect subnets at layer 2 then a. use zerotier b. eiop over wg c. vxlan over wg. etc. I will connect Two routers, with bridge-LANS using WG . EASY PEA...

anav

Impressive amount of work done here, regardless if what anyone specifically wanted didnt get done. The paperwork alone is not trivial, just imagine the testing and integration involved. Kudos to the dev team and test team.

anav

see the rest of my reply in the above post.

anav

Mangle rules........ /ip firewall mangle add action=accept chain=prerouting in -interface=Eth2-WAN1 add action=accept chain=prerouting in -interface=eth3-WAN2 TRY add action=accept chain=prerouting out -interface=Eth2-WAN1 add action=accept chain=prerouting out -interface=eth3-WAN2 NEXT: Wyy are you...

anav

(1) Why is your DHPC network not using the same subnet as the rest of the config. /ip dhcp-server network add address= 10.0.0.0/8 dns-server= 8.8.8.8 gateway=10.100.1.1 Why not use the routers DNS caching ability with external dns servers?? /ip dhcp-server network add address= 192.168.100.0/24 dns-s...

anav

Doing it wrong, There is one rule only for port forwarding required in the FORWARD CHAIN. The concept is different from most other routers I have used. WE dont make a forward rule for each port forward. We use the dst nat chain to do each rule. Check out - https://forum.mikrotik.com/viewtopic.php?t=...

anav

Hi Ammo, I deal in the management of software bugs and believe me its not hard for them to get buried or stuck.
Suggest resubmit the issue as a new one.............

anav

Well you will need to provide a diagram because servers dont initiate/originate traffic, they respond to incoming requests?
I have no clue of what VPN you are using and how it actually works as your words are more confusing then enlightening.

anav

Priceless quote1: " Go to Wireless menu, then click Access List tab " Priceless quote2: " mkx which threads are you referring to? AFAIK hAP ax2 works like a charm. I use it personally too. If you have no specific report made, don't spread such false info then. " Yup everything i...

anav

Look at the example........ - viewtopic.php?t=182276

anav

Maybe they should assign more resources at MT to finish products instead of releasing them as beta software or at least produce a transparent road map for completion of feature sets.

anav

A server does not open a tunnel as its the server for other users aka the destination address. Im assuming you mean users come into the router via the tunnel to access the server and not via its public WAN IP. Thus you must ensure the return information from the server goes back into the tunnel. So ...

anav

Page 53-55 in the discher pdf https://www.khanacademy.org/computing/computer-science/cryptography/modarithmetic/a/what-is-modular-arithmetic Putting Items In Random Groups Suppose you have people who bought movie tickets, with a confirmation number. You want to divide them into 2 groups. What do you...

anav

The OP has a point. There is an ACCESS LIST Tab on wifi wave 2 and that seems to be to enter in each item individually with some ability to assign radius and other things............ HOWEVER, there is no single TAB or entry that would allow DISABLE all access list or ENABLE all access list. Further,...

anav

Possibly due to no recent graduates from computer software engineering in Latvia..........OR
Cheap assed owners who dont want to hire the necessary staff to make MT really shine and sing!!

anav

Good, like the practical thinking!! So Darknates first rule should be the same as his second rule (in terms of list of local subnets) RAW RULE 1 BLOCK ANYTHING FROM WAN WITH SAME SUBNETS ON ROUTER (instead of bogon list) RAW RULE 2 BLOCK ANYTHING NOT FROM LOCAL SUBNETS COMING FROM LAN So no reason t...

anav

Read para I - viewtopic.php?t=182373

anav

Sorry words are not clear.
a. provide a diagram for context and
b. full config for actual evidence of what is setup.
/export file=anynameyouwish ( minus router serial number and any actual public WANIP information )

anav

Your problems are not solved by hardware LOL

Just configure the MT as a basic switch iaw viewtopic.php?t=182276

just go look at the example.

anav

So your saying the only entry on your ADDRESS LIST is 192.0.0.0/24 ? AND these are no longer valid to put on that source address list to block incoming 'bad' incoming on WAN? Netblock Description 0.0.0.0/8 "This" network 10.0.0.0/8 Private-use networks 100.64.0.0/10 Carrier-grade NAT 127.0...

anav

The value in quickset is to be able to select the generic mode of wifi the router applies, after that, dont visit quick set again.

anav

Why would you replace a router with a wifi router, the 4011 has a WIRED only version and better anyway for the same price point is the RB5009?

anav

Stop drinking 2xbottles of Italian wine at at time - we know its so good, but the errors, the errors.........

anav

Okay so you want 3:1 sessions type ratio (not 3:1 computers) via PCC.
Read these articles........

https://mum.mikrotik.com/presentations/US12/steve.pdf
https://mum.mikrotik.com/presentations/ ... schoff.pdf
https://mum.mikrotik.com/presentations/US12/tomas.pdf

anav

FIOS is an internet provider,
an internet provider provides an internet connection
an internet connection requires at some point a router.
Can an MT router handle FIOS gig connection --->YES
+++++++++++++++++++++++++++++++++++++++++++++

A switch has nothing to do with the above.

anav

Use Wireguard or zerotier

anav

Like I said, WG is a peer to peer construct, so no issue connecting the three cities to NY router to router . Like I said, no issues connecting disparate subnets such as 10.0.1 and and 10.0.2 from satellite office to 10.0.1 at MAIN branch. But you cannot connect subnets 10.0.0 from satellite to 10.0...

anav

Getting a modern router with horsepower is certainly recommended.
Unaware of any method to avoid mangling in this case.

anav

Yup........
viewtopic.php?t=180838

anav

Not enough info
Network diagram gives context
Describing user requirements without any config speak is essential
identify users/devices groups of users/devices and their traffic flow requirements
Finally config of devices at both ends of tunnel

anav

If MT wifi products had decent documentation, clear paths to setup, and users could understand all the available features and setup the APs with relative ease and they worked and provided consistent stable throughput, perhaps nOrmands you would have a leg to stand on to "get aggressive with mkx...

anav

Sorry no capiche, I understand users or LAN subnets wanting to go out specific WANs, WAn1, Wan2, Wan3. Wans1-3 may be from the same or different ISPs. They may have different connection types, standard cable, wifi, PPPOE, or starlink for example. So your explanation does nothing to provide any fidel...

anav

Yes I was trying to convey that on my last post, use the existing bridge!!
Glad it worked!!

anav

I attempted to run mDSN discovery over wireguard but at two DIFFERENT LOCATIONs..........
Feel free to test it, to make sure it works..............academic at this point.
viewtopic.php?p=990840#p990840

anav

The best way is probably zerotier where you can put two routers lans together as if they were on the same switch etc..... Best done with an ARM64 for example. You may get away with one ARM64 device at source (where the cameras actually are) and people can load zerotier on their laptops, cellphones e...

anav

Without a config and a network diagram hard to say.........

anav

So your using the RB5009 as a switch ??? Thats crazyee, let me send you a switch and you can send me the RB5009 :-) Why are you creating vlans on the router?? They should all be defined on the pFSENSE. So your using this as a full router with double NAT ??? Why not just use the RB5009 and throw the ...

anav

Suggest you use a proper firewall appliance, I have no interest in looking at pfsense logs. Curl that!

anav

anav

Not sure how this would be done as the same commands dont translate directly but there are ways to achieve almost anything.
Zerotier functionality would create it such that you could put any two vlans on the same virtual switch to achieve the same effect I believe.

anav

separate wg interface.

anav

Look at the timelines rextended. He was probably reading the original post and drafting a reply when you added your input. Imagine he went to get a coffee or take a piss............ comes back finishes his post, hits send and then both his and yours appears on the refresh. No harm no foul, just the ...

anav

viewtopic.php?p=911961&hilit=two+factor ... on#p911961

anav

When ready to not use ipv6, as stated can help troubleshoot.
In the meantime checkout PARA 7 and PARA 9 (D) -- viewtopic.php?t=182340

anav

If you want to to span the same subnet over wireguard be clear about it. One does not span data transfer using wireguard addresses.
Your best bet is using zerotier first.

anav

Is your network ipv6? if so cannot help as not fluent in such language.

anav

I have 3 layers of firewalls in the user article, https://forum.mikrotik.com/viewtopic.php?t=180838 NOVICE --> raw beginner newbie NOVICE + MODIFIED --> Beginner with some experience APPRENTICE --> Beginner with confidence/knowledge/understanding Nothing else is really required............. PS Dont ...

anav

This is a safe starting point. add action=accept chain=input in-interface-list=LAN add action=accept chain=input comment="Allow DNS to local" dst-port=53 \ in-interface-list=LAN protocol=udp add action=accept chain=input comment="Allow DNS to local" dst-port=53 \ in-interface-lis...

anav

Its simple for both chains a few default rules a few user rules drop all No need to get cute............ allow Admin to router allow users to needed services drop all else allow subnets to WAN ************** allow port forwarding drop all else **** any other needed traffic like to a shared printer f...

anav

Interesting, I have always set RP filter to loose for multiple reasons but I dont have syn cookies checked, should I? Interesting link, seems like a valid checkbox to use. But I must check with my Tarot Cards. There is no point to using tcp syn cookies checkbox. Its only useful for targetted atacks ...

anav

Take the EOIP R1 Office router settings Router One /interface bridge ports add bridge=bridge interface=ether4-MainR1 add bridge=bridge interface=eoip-to-TWO pvid=20 /interface bridge vlan add bridge=bridge tagged=bridge untagged=eiop-to-TWO,ether4-MainR1 vlan-ids=20 The bridge already exists ether4 ...

anav

I am a believe in simplify for both clarity and troubleshooting issues. Therefore. A. ONE BRIDGE B. VLANS for all subnets ( bridge just does bridging ) C. Capsman for one AP - COMPLETE WASTE of time and clutters up clean config. I had three at one time and you couldnt pay me to use capsman. In this ...

anav

WARNING FOR ABOVE CONFIGS< not quite right yet, I have not removed vlans but there is a possibility I may not have too.......... investigating.

anav

I didnt post the configs for POSSIBILITIES 2 and 3 so done here....... POSSIBLITIES 2 & 3 ( covers both methods eoip and vxlan ) - -> single bridge specifically for one spanned subnet at Satellite Office Note: The difference in POSSIBILITY 3, is that there is at least one other bridge for the ot...

anav

TO RECAP, There are four possibilities: (1) USE WIREGUARD --> Single Subnet at Satellite: The configuration provided should work with all existing hardware with ONE internet connection provided by the MAIN office. No extra work is required to change any /interface bridge nat settings. This is predic...

anav

@retom
@Montecri

If you two [*****.***] actually read the thread..........
viewtopic.php?p=991310#p923407

This one is recommended:
**** FOR ADVANCED USERS ------- Courtesy of Sob/Dave ( called elegant by Chupaka even )

anav

Sure, and take your electric bicycle using major highways from LA to NY.......... dont be ridonkulous

anav

Why do you talk about ROUTER when you picked a switch???? We want to use the MikroTik CRS326-24G-2S+RM, I picked this one because it has 24 ports + 2 sfp ports. Right now we have 2 switches (24 ports), 1 for voip phones and 1 for the pcs. I was thinking about connecting all pcs straight to the route...

anav

USING Wireguard to SPAN One Subnet Assumptions - One DCHP Server , Subnet Uses Main Office For Internet . SOLUTION METHOD ONE: EOIP OVER WIREGUARD a. create wireguard connectivity as per normal and then b. create the EOIP tunnel within the WG tunnel ( EOIP never concerns its self ever with local WA...

anav

Dont give up me yet LOL. Can I ask if the offices have one local subnet aka on a bridge or MULTIPLE LOCAL subnets ?? Was the intention to have MAIN office internet for the single Subnet or try to use local WAN for internet at local router OR NO internet at all?? With this information a plausible sol...

anav

did you report that as a bug or do you get a spanking?? I was gonna comment your statement, but the comnent would probably be rated as PG18 :wink: Plus I only found this out the other day. Days of v6 in my home network are counted, so why should I bother to report ... And it's not a security proble...

anav

Lucky for you Toto, just looking at this subject. ( okay so KC is in MO, but thats a ridonkulous proposition ) BUT why did you use old routers for a new purchase, an RB5009 would have been more appropriate, especially since ZEROTIER would have fixed your issues SO SO easily and with the right horsep...

anav

did you report that as a bug or do you get a spanking??

anav

Just received an additional response: the wording of release notes is wrong. It should be AX2 for US and Europe. But AX3 / Chateau AX only for Europe is supported as well. (because of the FCC limitation on external antenna, they are excluded for US, I understand that) What If I choose some backward...

anav

In plain Italian
NTP is a router service.
a. enable NTP client settings to get ntp from www
b. enable NTP server settings to give to downstream devices
c. enable input chain rule for such LAN devices to reach router on port 123.

anav

Okay but only for RB4011 correct.

Well, OP's ap.rsc mentions it's from RB4011 ... hence my post is highly relevant in this thread.

Yes, but it was not in my applicable useful article yet AP SWITCH SETUP, so it couldnt be true. Now that its added, I believe you. ;-PP
...

rb4.JPG

anav

My apologies to the OP. This should work. /interface bridge vlan add bridge=bridge-vlan tagged=ether1-trunk, bridge-vlan untagged=wifi1,wifi2,ether2-pc,ether3-dockingstation,ether4-nas,ether5-laptop,ether6,ether9 vlan-ids=10 add bridge=bridge-vlan tagged=ether1-trunk, bridge-vlan untagged=wifi-guest...

anav

It's been explained that when they first implemented L2 HW offload, they implemented it so that CPU-switch interconnect will only pass VLANs of which bridge interface is member (either tagged or untagged). And it worked perfectly because those devices were wired-only devices with single switch chip...

anav

Wait, so you are saying that both switch chips need the bridge to be tagged for every vlan?? and what does switch chip have to do with WIFI Bridge ports ur killen me............ In that case, it explains why the OP had success tagging when it seemed illogical. MKX I could kiss you, well you know wha...

anav

(1) Remove bridge1 /interface bridge add ingress-filtering=no name=bridge-vlan protocol-mode=none vlan-filtering=yes add name=bridge1 (2) Confirm the iot and guest WIRED gets addresses ( ether8 and ether7) . If they DO then (4) is correct. If they do not then perhaps (5) is the answer. (3) Add to th...

anav

That would be a start!

anav

NO FIREWALL RULES REQUIRED Going to assume you get an IP address on the 192.168.8.0/24 and will fix it to 192.168.88.2 It would appear that the above device is not getting fed from a trunk port # software id = F7Y9-BEGS # # model = C52iG-5HaxD2HaxD # serial number = {removed for security reasons} /i...

anav

Nice of you to mention that now LOL, but now that I read it you did say homeAP................ Its still a completely hosed setup. As I said get rid of datapath and vlans in wifi, keep wifi to wifi settings!!, and you only define the management vlan! FINALLY WHAT IS THE MANAGEMENT VLAN or subnet ???...

anav

If its whole subnets, dont use mangling. If its a few users, dont use mangling Instead use routing rules ( and I wont use your example of lan subnets somehow being in the same structure as each WAN subnet ;-PPP ) Consists of 3 steps {add tables} /routing table add fib name= useWAN1 /routing table ad...

anav

When you decide to have one bridge, and all subnets on vlans, I can help.

anav

First of all why do you use such a twisted rule?? defconf: drop all not coming from LAN rule in the firewall. Basically it is an input drop !LAN Much better and clearer to simply say accept all coming from LAN drop all else This leads to the logical next step, which you may have not noticed with the...

anav

TWO THINGS to fix. (1) FIX the interface bridge vlan rules --> only the BASE vlan, where the AP/Switch gets its IP address from (.99) needs the bridge to be tagged !! From /interface bridge vlan add bridge=bridge-vlan tagged=ether1-trunk, bridge-vlan untagged=wifi1,wifi2,ether2-pc,ether3-dockingstat...

anav

Would also agree with the previous poster that your rules are a bit funny to have worked well in the past......... Agree with your approach using firewall address lists as you state its not just whole subnets but subnets plus or minus a number of folks that may change from time to time. Much easier ...

anav

I see nothing wrong with your setup; but would change the sourcenat rules as its not clear which WAN they refer to and thus not sure if they would work right. From: /ip firewall nat add action=masquerade chain=srcnat src-address=192.168.1.0/24 add action=masquerade chain=srcnat src-address=192.168.4...

anav

My script!

add chain=input action=drop
add chain=forward action=drop

That was easy.

anav

Hoping you get your MT wifi6 soon bpwl, cannot wait for the 'blessed' configuration that works!!

anav

Because there is tons of traffic on the WWW always hitting routers, nothing unusual. You are simply in effect logging it now by showing what is dropped. For a starting firewall this is ideal........... /ip firewall filter {Input Chain} add action=accept chain=input comment="defconf: accept esta...

anav

Depends................ firewall rules, vlans many ways...........

anav

FIXED: /ip firewall filter add action=accept chain=input comment="default configuration" \ connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input protocol=icmp add action=...

anav

/ip route add check-gateway=ping disabled= yes distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.2 pref-src="" routing-table=isp2 scope=30 suppress-hw-offload=no target-scope=10 add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 pref-src=0.0.0.0 routing-table=isp1 scope=...

anav

Okay lets see if I have it correctly you have two wifi interfaces on the LAN side (not 1, not 3 not 4 etc,) vWLAN1 - ALL internet traffic goes out local uplink internet (even 1.2.3.4) vWLAN2 - All internet traffic goes out local uplink internet EXCEPT for one single WANIP 1.2.3.4 that must use Wireg...

anav

Sorry makes no sense to me (diagram useless in adding additional info) You either have a regular (local) path to the internet via the uplink on the router to whatever is providing you internet. OR You have a wireguard path to the internet via another router somewhere (friend, your own, third party p...

anav

Please be clear........... Do you want to connect to the internet via the wireguard connection if so /interface bridge port add bridge=br1 interface=wifi1 add bridge=br1 interface=vWLAN-two add bridge=br1 interface=vWLAN-three /routing rule add action=lookup interface=vWLAN-two table=useWG /routing ...

anav

Outside my scope! jajaja (pun intended)

anav

Modified my post, I had an idea!!
see if that works,
it should be quick to try!!

anav

Well thats silly.............. No way to isolate guest from family, or iOT devices etc. At least assign different subnets to the WLANs............. and dont use a bridge OR create vlans and assign to bridge. If your happy with one flat network then you will have to decide the complexity. How many pe...

anav

viewtopic.php?p=908118

anav

Yes you are just telling the router where to go by matching the script comment entry with the existing comment entry!

In other words we use the comment block as a tool to create an entry that is unique and found by router during script.

anav

Its all here at the original link I gave you LOL one or two threads ago!

viewtopic.php?t=182340

Checkout (4) Configuring IP address
Checkout (9) C. UNDERSTANDING THE CRYPTO KEY ROUTING PROCESS (CKRP)

anav

Yes............ How do you assign traffic (from internet/uplink) to users on multiple virtual wlans? (Assuming one MAIN WLAN and then several vWLANS using main WLAN as master) If via vlans then this becomes simple as you only need to do three things for a subnet lets say vlan10-Users which is 192.16...

anav

This is my understanding of why this works: Non-212 endpoints have peer configs for 212 that have 10.10.100.0/24; doing this tells the other side (212) that 212 should route all 10.10.100.0/24 to it. NEGATIVE!!! FOR TWO REASONS. a. (outgoing) to be able to ping from a client device to any other dev...

anav

Config makes no sense to me, can you draw a diagram of intentions.
There is no need for vlans if you are only using two ports.
Otherwise create one bridge and any subnet becomes a vlan on the bridge.

anav

If you want 4x4 mu-mimo, and wifi6, look no further than the Chateau 5G AX.

Caveat: The 4x4 mu-mimo is only for the Cellular LOL.

anav

Strange behaviour is what is absolutely expected due to the admins STRANGE configuration. The router is just following commands. :-0 Where did you get the config advice from ( which link )? 1. Thats because no one in their right mind assigns a vlan1 to the bridge. 2. Why are you using vlans in wifi ...

anav

The errors have been explained many times....................
As I said, if you want me to teamviewer in, and do it myself, am willing.
Advice here is not getting through.

anav

rextended, first rule of discipline is that when you say end of help, it really means end of help

Dont write any childrens books..........

anav

Check out this, fresh out of the box........
viewtopic.php?p=990947#p990947

anav

Sorry no capiche. Do not use wireguard as a LAN subnet on routers. Clearly for single devices, the wireguard address is its address. For users on routers, they dont have a wireguard address and the subnet of wireguard on the router is to be able to ping devices, and create routes etc... So again its...

Search found 15585 matches