MikroTik

anav

Yeah use vlan filtering for the subnets, one bridge............
The bizarro approach to address, dhcp server pool,, if not for a specific needed reasons is cutsie crap for nothing.

viewtopic.php?t=14362

anav

Now lets get real and work on WIFI -7, that is where the meat is on the wifi BONE.

anav

viewtopic.php?t=143620

anav

RICH, please dont waste valuable mikrotik resources on an interim, dead before it goes out the door, 6E standard. TP link and other are rolling out Wi-Fi 7 already and even zyxel is heavily discounting (dumping its new 6E stock). Normis, do not pass go, do not collect $200, go straight to jail if yo...

anav

viewtopic.php?t=143620

anav

Also the requirement should be expressed in terms of user traffic required.
Mangling and routing rules are simply tools to use, for a purpose, and that purpose has not been communicated........

anav

PM me the exact config, sure..........
For all ip routes its best to use the correct gateway vice etherX........... ( exception that comes to mind is wireguard )
If nothing else to demonstrate that the routes are meant for Static IPs/gateways, whereas one would need s cripts for dynamic ones.

anav

As per your other post, (1) MISMATCH in address and gateway!! (2) Duplicate routes. /ip address add address=192.168.100.1/24 interface="LAN bridge" network=192.168.100.0 add address= 100. 90 . 8 0. 70 /29 interface=ether1 network=100.90.80.70 add address=110.100.90.80/30 interface=ether2 n...

anav

Also it would appear you have some duplicates.......... /ip route add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=100.80.90.70 pref-src="" routing-table=main scope=30 \ suppress-hw-offload=no target-scope=10 add check-gateway=ping disabled=no distance=2 dst-addr...

anav

Sure, took me a couple of secs to find the problem. /ip address add address=192.168.100.1/24 interface="LAN bridge" network=192.168.100.0 add address= 100. 90 . 80 . 70 /29 interface=ether1 network=100.90.80.70 add address=110.100.90.80/30 interface=ether2 network=110.100.90.80 add address...

anav

This is your basic default firewall ruleset with a focus on only identifying needed traffic and dropping everything else. /ip firewall-address list { using static dhcp leases mostly } add address=admin-IP1 list=Authorized comment="admin local desktop" add address=admin-IP2 list=Authorized ...

anav

Well what I recommend between two routers is Setting up WIREGUARD between the two, and if the server goes down, due to WAN1 failing, the client will regenerage the connection on WAN2 as I described. As the backup simply connect an easy MT to MT SSTP backup direct to WAN2. Thus you always have a seco...

anav

If one has coax between rooms --> moca, if one has modern wiring - powerline are both options.
MOCA adapters can go up to 2.5 gig
https://www.electronicshub.org/best-moca-adapters/

Powerline.......... https://www.techradar.com/news/the-best ... e-adaptors

anav

Maybe it doesnt work with the new wifiwave wave of products.
Or it was a big security risk?

anav

Hi Broderick, this already happens!! If you have a wireguard server on your Router and WAN1 is the primary, and it goes down the router switches to WAN2, the clients connecting to your WG server will lose connectivity and will try to reconnect and when the WANIP for the router becomes the second ISP...

anav

So you can enter the router via the USB device? Just curious, how do you type on the usb device? small keyboard?

anav

Not sure what it has to do with changing IP but okay.....

anav

NM , posted in error

anav

NM....

anav

What you can do is actually research a product before buying it. Too late now, but on the product page have a look at TEST RESULTS. The throughput one should expect to get with some basic filter rules is somewhere between 300-600Mbps. For 1 gig throughput your best bets are. a. hapax3 --> just over ...

anav

Well if they are static Ips, then that would be easier to deal with, you should confirm with your ISP that they are static!
Confirm you are paying for two separate 1 gig connections? and on each one you can get 1 gig at the same time......

anav

Well I dont understand this o ne...........
but within my LAN I need to allow access between all the VLANs.

Can you elaborate? If they all need access to each other why have separate vlans?

Can you confirm these are dynamic IPs that change BUT the gateway never changes??

anav

If your server does not have secure login (encrypted) then you shouldnt be using those servers. Assuming they are secure logins, consider a. src-address-list on your dst-nat rules ( everyone is comming from a public IP address, static or dynamic either directly or from their upstream ISP modem/route...

anav

Ahh okay one modem two WAN IPs, same gateway address............ Okay that makes sense, my bad.

anav

What are you talking about? The original OP stated he was getting the same IP gateway from two ISPs starlink and something else, aka gateway=192.168.1.1 What does that have to do with you having two 1gig connections? Are you saying you are using two ISP supplied modem routers in front of you and eac...

anav

Use wireguard instead!!!

anav

Word of advice, assign to an empty port an IP address and work safely from that port to do all your config initially and then later acts as an emergency access, besides lot of use of SAFE MODE!!
viewtopic.php?t=181718

anav

Once you provide the details on wireguard I will send an updated config, that gets rid of all the crap..............

anav

You really need to explain your wireguard setup . ITS STILL WRONG!!! Where is the server for VPN01 for handshake? if not this router then this router is the client for handshake? Where is the server for MGNT for handshake? if not this router then this router is the client for handshake? Server Devi...

anav

If its disabled on the config, I delete it when looking at it....... KISS I delete all capsman config entries for easier viewing, now the config is looking smaller LOL No problem for queues, I worked around that so you can user fastrack for everything else......... You forgot to add additional vlans...

anav

YOur three wans, in IP DHCP CLIENT did you enable default routes and if so did you put any script in there..........??

Right now there is no way to determine how you setup the WANs in terms of priority..........??

anav

Which subnets or list of individual devices should be getting NTP services from the router??? Where are the remote subnets coming from in this rule................?? add action=accept chain=forward comment=Accept_Remote_to_Company \ dst-address-list=COMPANY src-address-list=REMOTE Reminder........ a...

anav

This rule makes no sense to me...... add action=accept chain=input comment="Accept Radius" dst-port=3799,1812,1813 \ in-interface-list=!WAN protocol=udp src-address-list=FIREWAL WHere the only entry for firewall address list is the following add address=127.0.0.1 list=FIREWALL Another rule...

anav

Have you considered NOT using the starlink router and connect CGNAT direct to your router?
Your gateway in this case will be 100.64.0.1 ............ or something like that.

anav

I see the issue. The paragraph stood on its own and if you tried to correlate with the previous para, it would seem non-congruent. I have adjusted it so that confusion is removed. Much thanks!

anav

I will have a look. I am actually hoping that you are understanding the config better and learning as you go and gaining confidence in your own skills! Observations: 1. You have many vlans identified but not fully configured, assumed this was future plans and removed them from the config for the mom...

anav

Why, none of those things are required for port forwarding.

anav

Actually the RB4011 has two chips on it, so it kinda makes sense to split it into two bridges, but if my memory recalls only one of them will have Offload so in the end one bridge is best.

anav

First, thanks for reviewing and making suggestions!!

Not sure I follow?
The setting in red, is under the heading of
/ip dhcp-network server NOT /ip address ???

anav

Hmm, way better than my results 1gig to 1gig connection but that was using an RB4011 at one end and RGB450Gx4 at the other.

anav

Good common sense information here!!!
Should go in your 'article' Holvoe,,,,,,,,, when the move is done.

anav

I just may hire you to setup my wifi.................. I just cannot afford the postage and cost of envelope to send the cheque.

anav

I would say 300-350 is pretty decent wireguard speeds, I would not be complaining.

anav

In plain english, the setup for wifi on the device hosting capsman is different or separate from the wifi settings within capsman for the external devices.???

anav

Generally anything is possible but its best to detail all the requirements PRIOR to setting up a config. I would stick to source for PCC because of the banking requirements etc....... I would also contemplate using the # of WANS you need to distribute traffic and then perhaps a couple of dedicated W...

anav

Again, I dont understand the purpose. Showing someone combined WAN output is a useless exercise. Firstly unless you have a bonded setup with the SAME iSP you cannot ADD the throughput of ISP connection and do a speed test that shows the addition of all of them. What you do have is a larger total ban...

anav

Concur, ideally the Landlord isnt using the same LAN for all his devices, but it seems to be the case. Probably one flat LAN.
Is the landlords router actually the iSPs modem/router or is it his own separate router. If so does it get a public IP?

anav

Further this article addresses using any MT device as an AP/switch ( same same just without AP part).
viewtopic.php?t=182276

anav

You need to understand better the use and setup of allowed IPs........
Check this -->viewtopic.php?t=182340

anav

According to other experts here just stick to the defaults as much as possible....... and that its easy.
I beg to differ but check out some newer videos by MT for wifi, they will be helpful.

anav

This is a mikrotik forum, if you have windows questions, go to a windows forum or a wireguard forum where windows may be discussed.

anav

First of all, the router is NOT yours it belongs to the ISP so respect their wishes. However since their device is acting as an ISP/ROUTER and you get a private IP, it is very normal to ask: a. if they can forward ports on the router for you OR b. they can describe the steps you can take to forward ...

anav

RSC is not meant for exporting importing.
THe only function that does that is BACKUP and RESTORE and that is for the same device.
You can use an export to guide you manuallly configuring the new device,
and if you know what you are doing you can import chuncks of config via the TERMINAL CLI window.

anav

If their devices do not allow split tunneling, then perhaps its not possible?

anav

Your explanation is off. If you mean to say that your MT router is the server and the remote clients can connect and reach local router services that would make more sense. Further if the computers that the remote users have cannot reach their local resources that is an issue with the devices they a...

anav

Much easier not to use capsman for only one AP .....

For vlans, use this guide. viewtopic.php?t=143620

anav

Is this a planned exciting move, or a not so glad eviction notice?

anav

Personally I dont ping other users for a living, it is of zero value to me. Can users access the devices they need to access on the LAN and conduct work? Or are they blocked? It doesnt matter what port they are connected to if all ports are part of the same bridge. All to say is so far I do not see ...

anav

@normis--> suggest video how to use vlans with capsman.......... Basically the presenter should take this article viewtopic.php?t=143620
and 'bend it' as required for capsman.

anav

The article is meant for vlans primarily and is not intended for vlans under capsman.
I agree its sorely needed but that is best left to an article describing capsman setup and suggest you go bug holvoetn to make such an article

anav

Firewall rule guidelines 1. Single Subnets --> use dst-address or src-address 2. More than one subnet (whole subnets) --> use interface lists 3. If you have any list that includes a bunch of users (less than a subnet) or from different subnets (with or without whole subnets) then use firewall addres...

anav

This is an unusual rule, did you invent it yourself, or watch youtube from hell channel?? At least its disabled. At the moment I see no reason why users cannot see each other being all on the same subnet and visible at L2. If there are no issues between wired users but issues betwee wired and wired ...

anav

No that is too old for one thing and is not the link I provided for vlan setup. Dont run away from help LOL.

anav

1) If some users speed test will they receive the combined speed test result. If not can we make it so that they are able to achieve that result (this is just a requirement and i understand that LB is not for this) Do not understand the question? Conducting a speed test is not a valid user requirem...

anav

(1) By the way, using ether1, ether2, ether3 WORKS in your config as all your WANIPs are static. My example should reflect the IPs only, so as to not lead others astray. No need to change your config in that regard but I will change my example provided above. :-) (2) Also I may confuse people by usi...

anav

Would concur, wireguard does not scale (pun intended) like an enterprise VPN.
However, tailscale which depends however on a third party, may have some tools/functionality to support such a requirement.

https://tailscale.com/

anav

You clearly know where the problem lies, by NOT including your full config.

anav

Yes absolutely recommend wireguard for both connecting to proton and to host your own wireguard so you can remote into the router to config it or for LAN services or to use its internet or to be forwarded out protons internet.

anav

Because they are not necessary and are bloatware............ Instead stick to the defaults........... The defaults are safe for a single user and a single WAN and LAN subnet with no complexities. Once you go beyond that, its 99.999 percent of the time needed to start mucking about in the rules. The ...

anav

VLANS approach is best described here ---> https://forum.mikrotik.com/viewtopic.php?t=143620 We do one bridge approach here. Open VPN has varied success on MT gear. Recommend you replace your proton connetion to Wireguard. If your MT gets a public IP, or if you are behind and ISP modem/router and ca...

anav

Now for the ROUTES. We have the ones we created for the non-pcc mangles as show above...... /ip route add dst-address=0.0.0.0/0 gateway=100.100.100.90 table=useWAN1 add dst-address=0.0.0.0/0 gateway=110.110.110.100 table=useWAN2 add dst-address=0.0.0.0/0 gateway=192.168.10.1 table=useWAN3 Next we ne...

anav

Third Step lets do the PCC MANGLES. ( 6 mark connections and 6 route markings aka tables ) (using src-address ONLY not both) /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local \ in-interface=LAN-bridge new-connection-mark=WANA-B passthroug...

anav

Non-PCC MANGLE RULES, ensuring traffic entering a WAN exits the same WAN deals with any traffic to the router itself or to any servers on the LAN. These will not interfere with any normal traffic either. /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark \ in-int...

anav

First step Basic firewall rules. /ip firewall address-list { use static dhcp leases } add address=192.168.100.X list=Authorized comment="local admin desktop" add address=192.168.100.AB list=Authorized comment="local admin laptop" add address=192.168.100.CD list=Authorized comment...

anav

viewtopic.php?t=181718

anav

https://help.mikrotik.com/docs/display/ROS/Queues

https://www.youtube.com/watch?v=tnzxrt6 ... 1pa3JvdGlr

anav

For L2TP over WG --> viewtopic.php?t=182340
Check out para 10
(10) L2TP thru WIREGUARD for MTU Issues

anav

Quick Look Config 1. Listening port settings for the interface, on the client device, can be anything and do not have to match the ENDPOINT listening port and are basically random. In your case highly recommend to make them different. /interface wireguard add listen-port= 51820 mtu=1420 name=wiregua...

anav

Well in terms of requirements, routing ports is nonsensical. What is the user traffic that you are trying to execute. ex. users from LANA on router A need to access LANB on Router B ( via wireguar ) users from LANC on router A need to use internet available at Router B etc... If worded in terms of d...

anav

to make recommendations for the two WG, need to see config
/export file=anynameyouwish ( minus router serial #, any publicWANIP information, keys, long dhcp lease lists etc..)

anav

Also recommend you move to 7.12 once we have resolved the issue.

anav

I like the clear explanation, that to upgrade to beyond 7.12 you need to upgrade first to 7.12.

anav

Please post the latest config for me to look at.

anav

First you need to backup and make a coherent plan and before that read this --> https://forum.mikrotik.com/viewtopic.php?t=182340 You will quickly surmize that putting 0.0.0.0/0 at both ends is not the right approach. Once reading, you may make some changes to the config. Give it a try. If still not...

anav

(1) Your doing PCC, drop any queueing of WANS for the moment. (2) interface list members...... should be modified to the below /interface list member add interface=ether2-TW list=WAN add interface=ether1-PIE1 list=WAN add interface=ether3-PIE3 list=WAN add interface=ether4-LTE4 list=WAN add interfac...

anav

Why would you comment on such an old thread? Do you know the context, did you read the link?
MT at the time was having problems at their end............

anav

No silver spoons here, read!
https://www.wireguard.com/xplatform/
https://www.wireguard.com/papers/wireguard.pdf

anav

(1) YES, THAT IS THE WAY. (2) WHAT ARE YOU TALKING ABOUT SUBNET 16? Point #2 was pointing that your allowed Ip 10.10.9.X/32 was wrong..... The correct version is blue. (3) If you look at the config line its clearly an /ip address entry. Its disabled which is good, I am saying just get rid of it. (4)...

anav

Hmm good question.
Post your config.
/export file=anynameyouwish ( minus router serial number, public WANIP informaiton, keys, long dhcp lease lists etc.)

anav

Dont tell anyone, they might want them back LOL

Ahh confusion due to RAM vs Storage.......... I was looking at Storage.........
Capax hapax3 hapax2 have 1Gb of RAM.
hapac3 has 256Mb of RAM

perhaps your thinking hapac3 or hex devices........

anav

But the same specs page you linked above lists 128MB ... hmm. You ok?

Even the capax/hap ax3 have 128MB - meaning the 128MB is sufficient........
Edit. looking at storage not ram, my bad.

anav

Yes......... and https://help.mikrotik.com/docs/display/ROS/WireGuard https://www.youtube.com/watch?v=vn9ky7p5ESM&t=8s&pp=ygUSd2lyZWd1YXJkIG1pa3JvdGlr https://www.youtube.com/watch?v=OGBWSpl1Wik&t=103s&pp=ygUSd2lyZWd1YXJkIG1pa3JvdGlr https://www.youtube.com/watch?v=7F9LG7Qgpmg&pp...

anav

(1) Where is bridge vlan-filtering=yes ?? /interface bridge add name=BRIDGE priority=0x7000 (2) Allowed IPs is not quite right, fixed....... add allowed-address=\ 10.10.9 .0/24 ,192.168.254.0/24,192.168.155.0/24,192.168.249.0/24 \ comment=PeerStS_DIM disabled=yes endpoint-address=vpn.test.com \ endp...

anav

Id rather not Crokinole my way into the OPs head................. and will let the OP provided the actual information.

anav

Philosophy. The default rules come set for a simple user on the bridge via ether2 and wan setup to work on ether1. The traffic is safely protected but it allows all traffic and drops some key things for general safety. When we want to do more, add vlans and other things its much easier, as the confi...

anav

Sounds very doable. Basically server router - input chain rule for port both routers. define interface add ip address add peers, wireguard Ip and remote subnets ( see article for difference between client peer setting and server peer setttings ) add forward chain rules needed for traffic flow add ip...

anav

Before thinking about configurating, its best to understand the requirements and PLAN!!! identify users/devices, groups of users/devices, including admin identify what traffic they need. Do the devices have single WAN or dual WAN? Is there any port forwarding involved on the two devices? What two de...

anav

Since the need for VPN is not clear. Which users are coming to the OFFICE and for what purposes?? Why do you hide a private IP address, assuming the upstream router handles the WAN connection and your WAN input is basically a LAN address on the subnet of the ISP router? The other thing funky about t...

anav

Wireguard has generally better performance and easier to setup. Do you control both ends of the tunnel? ( what is at both ends?) Does at least one end have a publicaly reachable IP address ( not cgnat or natted behind another router )?? If natted behind lets say an ISP modem router, can you forward ...

anav

Firewall Rules Server Router; /ip firewall address-list { static dhcp leases or wireguard ip } add address=172.16.24.XX list= Authorized comment="admin local desktop" add address=172.16.24.AA list=Authorized comment="admin local laptop" add address=172.16.24.BB list=Authorized c...

anav

Client Router (1) It would appear you are trying to use srcnat masquerade to route traffic. This is the wrong approach. /ip firewall nat add action=masquerade chain=srcnat dst-address=172.16.24.0/24 out-interface=\ wireguard-oam src-address=192.168.13.0/24 All you need is....... add action=masquera...

anav

Any reason you chose L2TP vice wireguard??

anav

Need facts/evidence.
So latest configs of the routers please.

anav

Well, good to know, defining the requirements clearly is best done before applying a config. a. you have two WANs. b. there is no failover c. the LAN should use WAN1 only if wan1 goes down, no LAN traffic goes to WAN2 if wan2 goes down, no LAN traffic goes to WAN1 Wan 2 is a static fixed WANIP You h...

anav

You got me Holvoe, apologies to the OP. I know squat about L2TP so will bow out.

anav

Is this whining or asking for help?
Provide a network diagram and full config

/export file=anynameyouwish ( minus router serial# and any public WANIP information, keys etc...)

anav

have been fighting a starlink DNS issue. I know this sounds strange and I am hoping someone will point out why it is behaving this way. Sounds like your asking for help to me......but okay, maybe your not. What a switch has to do with router issues is a bit strange to interject and you have no clari...

anav

Just to clarify, my article uses untracked.........
viewtopic.php?t=180838

If you want me to look at your config, I will rip out anything that is not on those pages,,,,,,,,,
Not required, what I refer to as BLOAT.

anav

Hmm not really, you can setup PCC balancing to favour one over the other but thats hard wired into the config. The only thing I can say off the top is to make a vlan for WIFI in the house and basically route all the traffic from that wifi through the desired WAN. That way folks have a quick and dirt...

anav

The improvements to many functions and the ability to do wireguard are huge reasons to move ahead.
If this is a home no worries, 7.12.1 is decent enough.

anav

Find that hard to believe, wireguard was not possible on vers6
edit: I didnt consider wG on another device, mia culpa!!

anav

The friend is not exactly wrong,,,,,, just a tad misleading. EVERY SWITCH PORT when it comes Default has vlan1 assigned to the port. WE LEAVE THAT vlan1 alone. It works in the background and can basically be ignored. We dont change any vlan1 settings anywhere. EXCEPT.......... when we make a port an...

anav

SERVER Comments 1. This indicates an issue....... /interface list member add comment=defconf interface= *C list=LAN I suspect its because you have not identified any LAN list interface members and yet you have a list?? 2. This is wrong. .......... IF you have IP DHCP Client you should not have a se...

anav

Seems illogical to me.
What is the purpose of buying a MIKROTIK router of that power and using it as a switch??
What am I missing???

anav

Wait you are still on vers 6?? My configs are predicated on vers 7

anav

Do you have any port forwarding?
Do you have any VPNs........
Hoelve needs to learn to find all the requirements before planning a config ;-P

anav

Hi KAT,
There is no vlan1 in your config, in fact it looks like properly all the MT devices got an IP on the trusted 192.168.0.0/24 subnet. ( AKA VLAN100 )
Thus confused by the evidence in the configs contradicted by the diagram and your words??

anav

(1) Which Router is the one you are referring to in the diagram?????? I am assuming the 5009!! (2) What is with vlan1 between all the MT devices, I dont see that in the router config you have??? Assuming you meant on the diagram to put vlan100 which contains the 192.168.0.0/24 (3) So you have four V...

anav

ROUTER COMMENTS ( WOW, nice setup ) (1) Not sure what you mean by this line.............. add address=10.0.20.0/24 comment="the different DNS server is used to make th\ e router use the WireGuard VPN connection for DNS queries" dns-server=\ 208.67.222.222,208.67.220.220 gateway=10.0.20.1 F...

anav

Good day, The requirements are pretty good. Who needs access to the windows server, vlan10 and vlan20 Who needs access to vlan10, vlan20 does Who gets internet from wireguard, vlan20 does. +++++++++++++++++++++++++++++++++++++++++++++++++ Its the additional requirements that get a bit murky. a. vlan...

anav

Post your config here seeing as the OPs has solved his case and thus no interference.

/export file=anynameyouwish ( minus router serial number, public WANIP information, keys, long dhcp lease lists, any ipv6 info if not using ipv6 )

anav

1. Allowed IPs on the mikrotik side have nothing to do with routing. 2. Allowed IPs are a matching flltering function for leaving traffic and a filtering function for arriving traffic. 3. An automatic route is created for wireguard IPs by the wireguard router due to ccreating the interface IP addres...

anav

Concur, one bridge and three vlans is all that is required here. Unless the fortigate cannot handle vlans? What is the purpose of the fortigate in this setup? Edge Router with some subscription services?? interface list=building one vlans 11,12,13,14 Interface list=building two vlans 21,22,23,24 int...

anav

You came here looking for reasons to 'convince' the wife to spend money. Just wanted to help the cause by better understanding the scenario because what you initially presented was a very weak case. :-) Anything is possible between two MT routers. Use the concept provided in post #2. Trunk port betw...

anav

Concur network diagram gives us context!

In addition need to see complete config again. ( not just snippet of firewall rules )

anav

What is PPC................ In terms of requirements. a. identify all the user(s)/devices, groups of users and devices ( including admin and external users) b. identify all the traffic they require do accomplish. What is the purpose of the two WANS. Use a primary and have a secondary as backup? USE ...

anav

Firewall ideas -->viewtopic.php?t=180838
Vlan ideas -->viewtopic.php?t=143620

anav

Good you have surmized there is no problem with your config, thus no help required.

anav

@lostgone --> Start your own thread please.

@felipe Post your latest config

anav

(1) You dont understand firewall rules. Why make allow port 53 rules, but then later drop everything not coming from the LAN. In other words the port 53 rules are allowed by the rule above and thus not necessary in your setup. However, its not at all what I suggested. (2) These ones also are unnecce...

anav

firewall rules fixed Main issue is these rules which have been axed...... add action=drop chain=input comment="defconf: drop all coming from ha_ct" \ in-interface=pppoe_ha-ct add action=drop chain=input comment="defconf: drop all coming from ha_cu" \ in-interface=pppoe_ha-cu add ...

anav

Change the approach of at least the forward chain, to DROP ALL. In this regard all connections between different subnets are blocked unless explicitly stated in the firewall rules. {forward chain} add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=e...

anav

Same here. By using classic mangle rules such as: /ip firewall mangle add action=mark-connection chain=input connection-state=new in-interface=ether2-pppoe new-connection-mark="From WAN Telecom2" passthrough=yes add action=mark-routing chain=output connection-mark="From WAN Telecom2&...

anav

The above handles all the rules required.
Give that a shot and we will see how much progress is made!

anav

(1) Order of firewall rules fixed. (2) Its dumb to allow an entire subnet to configure the router and besides, 8291 is not a tcp protocol its udp! Created a firewall address list called authorized........ to solve.... (3) Got rid of unnecessary firewall address lists. (4) Removed logging on drop all...

anav

(1) Wrong order. ..... think through the logic. Will traffic from VPN subnet ever reach another local subnet with the order you have???? /routing rule add action=lookup-only-in-table disabled=no src-address=10.10.20.0/24 table=\ Proton_UK_WG add action=lookup-only-in-table disabled=no src-address=10...

anav

You didnt read that article very closely, where the EFF does it show the bridge doing any DHPC....... ALL VLANS So take your bridge subnet and assign it to a vlan. Then you need to actually turn on bridge vlan filtering=yes......... None of your bridge ports are assigned properly for access ports or...

anav

Then there is something else on your config that is blocking.
Please post FULL config

/export file=anynameyouwish ( minus router serial #, public WANIP information, keys, long dhcp lease lists, IPV6 anything if not using it)

anav

So assuming the SERVER is not third party, then the problem is also at the other end at the server end!! SeRVER CONSIDERATIONS : a. do you have 192.168.88.0/24 as allowed IPs at the server wg peer settings for router b?? b. do you have 192.168.100.2/32 as allowed IPs at the server wg peer settings f...

anav

What is the remote wireguard server - mikrotik or something else?? Concur lets fix that sourcenat mess..... (drop the crap rule) /ip firewall nat add action=src-nat chain=srcnat dst-address=192.168.100.0/24 dst-limit=\ 1,5,dst-address/1m40s limit=1,5:packet psd=21,3s,3,1 src-address=\ 192.168.88.0/2...

anav

(1) This default rule is now replaced and should be removed. add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new disabled=yes in-interface-list=WAN add action=accept chain=forward comment=Internet in-interfac...

anav

Need table /routing-table add name=useWAN2 Need route /ip route normal route ISP1 distance=2 check-gateway=ping table=main normal route ISP2 distance=4 table=main add dst-address=0.0.0.0/0 gateway=ISP2 routing-table=useWAN2 [/b] Need routing rules................. But be careful as a routing rule fo...

anav

Try these mangle rules. add chain=prerouting action=mark-connection connection-mark=no-mark \ in-interface=WAN2 new-connection-mark=incomingISP2 passthough=yes add chain=output action=mark-routing connection-mark=incomingISP2 \ new-routing-mark=useWAN2 passthough=no Dont forget the table. /routing t...

anav

Allowed peer should be 192.168.100.0/24, not 192.168.100.1/24

anav

The wirguard config is predicated upon the peer for a client to be the specific IP address as noted, which differentiates from the multiple peers possible.

The peer on the client or often remote device, should be the subnet and if a router then most definitely the subnet.

anav

Busy today but will look at i this weekend.

anav

How many machines?? You can use Routing rules for entire subnets - very easy, no mangles. You can use Routing rules for a few users - very easy, no mangles. Basically it comes down to you will need a routing rule per user so it depends how many rules you would like to make. add src-address=userX-IP ...

anav

Busy today, but if you post your latest config I will spend more time on it this weekend.

anav

One bridge..............
viewtopic.php?t=143620

anav

Too busy today to look at it, but I would scrap any mangle rules you have for wireguard.
What is required is mangle rules ensuring traffic coming in wanx, goes out wanx.

anav

I have a great idea, why dont you ask the people making vidoes for help........... The onus is ON YOU, to read the mikrotik docs and read as many threads as possible to learn. There are some decent videos out there by a few people the rest will lead you astray. Network Berg is good Network Trip is g...

anav

duplicate

anav

viewtopic.php?t=200602

anav

Try harder, and read more....... the answer are available......

anav

Sorry you still have not explained how you are using DNS to 'force' users through one WAN or the other.
What DNS records?

Forcing users out a specific WAN is accomplished via routing of some sort.

anav

?? Do you have a multitude of servers feeding many users........ Not sure what the need is for 10gigs? As for poe...... injectors are cheap....... https://www.amazon.ca/PoE-Injector/s?k=PoE+Injector Your not making a real case to keep the 5009 thus far......... , maybe you want to show the wife this...

anav

Sell the RB5009, there is no need to keep it when you get the chateau 5G AX. To me its pointless to keep both. Give the RB to family or donate to some organization, it would be wasted otherwise. There is nothing to be gained by keeping it. The same rules can be used on the Chateau as its the same RO...

anav

Sorry its you that doesnt understand, didnt ask for your configuration BS. . All I asked for is how to set the gateway for a vlan if there is more than just one wan-interface. I asked to explain what users and devices you had and what traffic requirements they had. The network diagram shows what equ...

anav

Dont understand what you are trying to accomplish. 1. The RB5009 is a better router in terms of routing it can actually handle a 2.5 gig ISP connection with firewall rules implemented. The latest chateau 5G AX cannot ( good for 1gig fiber ). 2. There is no need for the chateau to do routing if you h...

anav

The point being, a. you have associated the address pool with the bridge-lan via the dhcp-server. b. you associated the Ip address with two different etherports, that are also members of the bridge but NOT the bridge. and yet dont see the problem, means you either dont understand networking, or mikr...

anav

No word of a lie, but I was out running on friggin mountain in Spain recently when my bowels told me I was in a dire very dire short fused situation. I went off the beaten path to ensure isolation, just in case, and was just in time. What a relief,,,,,, However, I could have really used a BIG LEAF, ...

anav

Here is the scoop, makes two of us who dont get it, the diagram was a good start,
however you need to
a. identify all the user(s)/device(s) and groups of users/devices
b. what traffic they should be able to accomplish.

Do not use any config speak just actual users device and traffic required.

anav

(1) Why would I bother commenting the config linked is missing the wireguard information, I dont work on snippets. Besides lacking in firewall rules AND ROUTES. (2) Where is the sourcenat rule for outgoing information going out ether3.................. (3) Why is ether2 sourcnat have the associated ...

anav

Depends on the firewall rules........
How did you ensure the wireguard could reach the device and config it???

anav

Okay....... (1) Point 4, big risk learn Wireguard!! (2) Point 5, good for port forwarding to work properly from the LAN side, the new rules will work the default you had would not. (2) I don't understand your point about DNS in terms of deciding server routing can you elaborate/explain as I see noth...

anav

Another perspective........... Dont mess with the bridge, keep it at defaults and dont use it for any data traffic. KISS!! Managment vlan would be typically identified also as a member of the management INTERFACE LIST and used for neighbours discovery and mac-server winmac-server setting. All smart ...

anav

ON MT Server Router (1) You only have one wireguard peer not three as per the diagram. (2) The peer setting on the server do not require keep alive, that is something for the client end. (3) I do not see any subnets for the LAN under IP addresses?? (4) The IP address for the WG interface is not the ...

anav

/ip route add check-gateway=ping distance=11 dst-address=0.0.0.0/0 gateway=ether1 routing-table=main add check-gateway=ping distance=12 dst-address=0.0.0.0/0 gateway=ether2 routing-table=main add dst-address=0.0.0.0/0 gateway=ether2 routing-table=to_ether2 From this setup. all user originated traffi...

anav

Observations: (1) First problem is your interface lists, there is no reason to have two separate WAN LISTS. Should be just WAN and just LAN. Anything else only leads to confusion. The reason to create interface lists is when grouping of subnets makes sense for rules, OR you need to indicate a specif...

anav

Sorry still dont understand the config, (1) Why does the bridge not have an IP address assigned to it?? Why does ether 12 instead have an IP address?? Why not use something standard anyway like 10.0.0 .1 /24 Why does ether11 have some bizarro subnet assigned......?? /ip address add address= 10.0.0.7...

anav

I came from zyxel myself, and yes its more ProSumer, whereas MT is more IT based programming. For example zyxel has always had a loop back button. I never knew what it did or why it was there, but on MT you have to accomplish the same thing by understanding source nat and destination nat more comple...

anav

What needs to be clear are who/what are at each end of the wireguard connections.
What is server for handshake what is peer for handshake.
A network diagram would help.

anav

Wrong approach ldb..... What the OP needs to do is state the requirement of traffic flow based on a. identifying user(s)/device(s) and groups of users/devices including the admin b. identify the traffic flows they should have/be able to accomplish. Without any word of the config...... A network diag...

anav

https://www.wireguard.com/papers/wireguard.pdf

anav

I also dont think you have a clue about port forwarding with a rule like this..... Created a youtube/google monster.......... ( very disorganized rule order as well ) add action=accept chain=forward dst-address=10.0.0.144 dst-port=80,443 \ protocol=tcp When the rest of the config is cleaned up I wou...

anav

Dont name your bridge LAN, its very confusing to the reader and probably to the router. Name it something else like bridge-lan I have no idea what you are doing with this so called lan subnet, is it supposed to be attached to the bridge, ether12, ether11. You are very confused......... /ip dhcp-serv...

anav

The MT router will only provide one subnet to the APs. That subnet can be used for the main HOMELAN wifi and the two guest WLANS will be made by the APs. To make use of the Roaming capability of wifiwave2, you will need these APs --> https://mikrotik.com/product/cap_ax They are NOT mesh. Each needs ...

anav

Please post a real config in the standard format. That was a horrible abomination to look at.

/export file=anynameyouwish (minus router serial number and any public WANIP information, keys etc....)

anav

Nope! The MT has not wifi controls over non-MT wifi appliances. It can firewall, queue, etc like any other vlan.

anav

The reason for the suggestion of /29 mask was due to the following sentence (requirements driven). Quote: " I used wireguard for some time on my old RB2011 for connection to another Mikrotik router as well as for mobile connection [/b]. It worked very good. Now, with the CCR1009 I have some iss...

anav

Yes, give it a go, for all the suggestions, otherwise why ask for help?? As for the last point, hogwash. The MT device only creates routes automatically for local interfaces. Hence why in the route list you will see <dac> routes for local subnets and even the wireguard interface. Since the router is...

anav

viewtopic.php?t=180838

anav

Perhaps they block certain ports? WG can use any port you choose.

anav

What?, You didnt test for deserialize, like thats on page 1 of the Fetch Manual. :-)
Lest not forget at least the 10 references to that subject , in "Dummies Guide to Testing Scripts"

You guys kill me with real networking skills! We are not worthy.

anav

People can agree to disagree.
I don't agree

I agree with you completely

anav

Why ?
The discussion on itself remains civil.
People can agree to disagree.

There is no discussion, its someone concerned about pushing an ideology and not using their own brain.
We have enough of that crap in the world today. ( similar to rextended's comment on social media ).

anav

How do you identify VOIP traffic, source address? --> is it contained with a subnet, if so routing rules, --> is it contained within a few IPs, if so routing rules Destination address --> is it contained with a subnet, if so routing rules, --> is it contained within a few IPs, if so routing rules An...

anav

viewtopic.php?t=182340

anav

Your config seems off to me. Lets assume the CCR1009 is the WG server for the handshakes for both the other router and the mobile connection. (1) Not sure a /30 mask cuts it a /29 mask gives you six useable IPs, since you seem shy to use the standard /24. (2) The allowed IPs on the CCR1009 are missi...

anav

No point in responding, this has nothing to do with MT. The troll is here to talk about GPT in some bogus cultish form............ ( the measured opines of both MKX and rextended are refreshing and indicative of open, inquisitive and reasoning minds.) . I'm only sad that the admins have not locked t...

anav

Why do you post the same silly questions twice??? viewtopic.php?t=201645

anav

Concur, and the answer is still no. MT cannot create a mesh network besides the fact that mesh APs do not handle vlan tags. What business class APs, do, besides read vlan tags is they have some sort of controller which allows efficient roaming between the APs, be it TPLINK or other vendors. With AX3...

anav

I see nothing wrong on the config side. You have the right allowed peer, you have firewall settings that allow the traffic. Can you post your WIreguard settings on the laptop? If you want to access the 10 subnet from the laptop you would need to have allow IPS on the laptop on its peer settings: all...

anav

Concur its hard to find a home AP, mesh or not that handles vlans.
All brands be it tp link etc, have a business class AP that can handle vlan tags, but they dont come in a mesh variety.

anav

Post your latest config and I will have a look.

anav

Nope, the mikrotik has nothing to do with the internal shenanigans of the AP. What it sounds like its doing is within the AP taking your 192.168.88.0 traffic and sort of splitting into both subnets. What I dont know is if its taking an .88 address for each lease and then converting/giving it to .3 a...

anav

Just to have a sample practical, minimalist but secure (shortNsweet) firewall available for your perusal. Its based on allowing only authorized traffic and dropping everything else. The input chain rule allowed admin access is based on a firewall address list one create and which is comprised of loc...

anav

This is an excellent source to review and once you have a config to show
/export file=anynameyouwish (minus router serial number and any public WANIP information.)

viewtopic.php?t=143620

anav

Did you forget to upgrade the admins' firmware as well?

anav

Jaysen, just to be clear, I was ONLY talking about the connection-mark nomenclature for Mangle rules! There is no change to either the mangles routing-mark nomenclature or especially to any naming in the IP Routes . The mangle rules for marking routes should remain as is --> useWANX , as do the IP R...

Search found 18285 matches