Community discussions

Search found 249 matches

by vingjfg
Sat Apr 13, 2024 9:00 pm
Forum: General
Topic: ROS7 forwarding drop packets
Replies: 2
Views: 433

Re: ROS7 forwarding drop packets

Seems like an MTU issue, see viewtopic.php?t=155014
by vingjfg
Fri Apr 12, 2024 8:35 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 834

Re: forwarding incoming UPD traffic addressed to the router itself

Last one for today. If that doesn't work, I will make a lab tomorrow: can you give the 10.0.40.10 IP to your PC and check again?
by vingjfg
Fri Apr 12, 2024 7:27 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 834

Re: forwarding incoming UPD traffic addressed to the router itself

That's uncanny. Can you post the whole config (remove the private bits)?
by vingjfg
Fri Apr 12, 2024 6:51 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 834

Re: forwarding incoming UPD traffic addressed to the router itself

Well, paint me green and call me a pickle ...
Columns: TIME, INTERFACE, SRC-ADDRESS, DST-ADDRESS, IP-PROTOCOL, SIZE, CPU
# TIME  INTERFACE SRC-ADDRESS        DST-ADDRESS       IP-PROTOCOL SIZE CPU
0 6.192 wifi8     192.168.2.6:35454  192.168.2.1:1234  udp         42   3
1 6.192 bridge    192.168.2.6:35454  192.168.2.1:1234  udp         46   3
...
by vingjfg
Fri Apr 12, 2024 6:44 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 834

Re: forwarding incoming UPD traffic addressed to the router itself

What might come into play is if the Ethernet interface on the router (the one with IP 10.0.40.254) is itself down because of link-down. Can you connect something to it, like a mini-switch or anything that will make the link go up?

For the non-existent host, my gut feeling is no, but I am about to do a test.
by vingjfg
Fri Apr 12, 2024 5:42 pm
Forum: Beginner Basics
Topic: Very slow internet speed
Replies: 9
Views: 368

Re: Very slow internet speed

Nope, you are right - my mistake.

You should upgrade to 7 first, then install the qcom driver.
by vingjfg
Fri Apr 12, 2024 5:39 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 834

Re: forwarding incoming UPD traffic addressed to the router itself

That is ... weird. I created a test rule -
Flags: X - disabled, I - invalid; D - dynamic
 0 X ;;; defconf: masquerade
     chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
 1   ;;; Test
     chain=dstnat action=dst-nat to-addresses=172.29.0.1 protocol=udp src-address=192.168.2.0/24 dst-...
by vingjfg
Fri Apr 12, 2024 5:23 pm
Forum: Beginner Basics
Topic: Very slow internet speed
Replies: 9
Views: 368

Re: Very slow internet speed

From the configuration you sent, you have RouterOS 6.49.14. Try:

https://cdn.mikrotik.com/routeros/6.49. ... .49.14.zip
by vingjfg
Fri Apr 12, 2024 3:46 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 834

Re: forwarding incoming UPD traffic addressed to the router itself

That is correct - the to-address will not affect the matching of the rule. If the counters are not incrementing, it means something is getting in the way earlier than the rule. To confirm, because you had an input rule that said 3260 and not 1234:
The source address is 10.0.10.10
The destination add...
by vingjfg
Fri Apr 12, 2024 3:14 pm
Forum: Beginner Basics
Topic: Very slow internet speed
Replies: 9
Views: 368

Re: Very slow internet speed

Hello there! Can you share the configuration of one of your wAP AC devices? Do not forget to put the configuration between code tags (see viewtopic.php?p=1051702&hilit=forum#p1051702 for more info).
by vingjfg
Fri Apr 12, 2024 2:24 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 834

Re: forwarding incoming UPD traffic addressed to the router itself

Ha HA! You wrote initially:
... The machine IP address is 10.0.10.10
The machine does not have a gateway.
The router IP address on that interface is 10.0.10.1, which is also the destination IP address of the UDP packages.
The destination port is 1234
I can see the incoming traffic using the /tool/to...
by vingjfg
Fri Apr 12, 2024 2:08 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 834

Re: forwarding incoming UPD traffic addressed to the router itself

Note that you can print all the rules for a given chain by using where=<chain to display> in your print statement. For example, all the rules in the input chain:
/ip/firewall/filter/print where chain=input
The dst-nat arrives before the firewall - so as you change the destination for a non-local addr...
by vingjfg
Fri Apr 12, 2024 12:05 pm
Forum: Beginner Basics
Topic: forwarding incoming UPD traffic addressed to the router itself
Replies: 26
Views: 834

Re: forwarding incoming UPD traffic addressed to the router itself

Hi there! The nat rule you sent seems correct. What I cannot say is whether it is high enough to avoid the traffic being matched by another rule. Can you edit it to add the src-address so it looks like the following line, and move it above whatever other dstnat you may have in place. Also, consider ...
by vingjfg
Fri Apr 12, 2024 11:35 am
Forum: General
Topic: dst-address-list negation do not work in firewall rule
Replies: 3
Views: 272

Re: dst-address-list negation do not work in firewall rule

That should be the way. Just to be sure, the address-list exists, correct?

Can you provide the error message? And the version of ROS?
by vingjfg
Fri Apr 12, 2024 11:20 am
Forum: Beginner Basics
Topic: Can't ping with firewall (nat)
Replies: 9
Views: 434

Re: Can't ping with firewall (nat)

As mkx said, you didn't really fix it, you simply changed it to something that happens to work most of the time. In the second packet capture you attached, you see something that will put you on the path: your PC sends ARP requests for 10.10.5.50 but gets no answer. Here is a discussion that should giv...
by vingjfg
Fri Apr 12, 2024 11:09 am
Forum: General
Topic: LLDP broken?
Replies: 6
Views: 462

Re: LLDP broken?

Fixed in Observium. Thanks for your support.
Glad to hear it! Please mark this as solved if you get a chance.
by vingjfg
Thu Apr 11, 2024 11:37 am
Forum: Beginner Basics
Topic: Can't ping with firewall (nat)
Replies: 9
Views: 434

Re: Can't ping with firewall (nat)

IP address config from your Mikrotik router.

PCAP is a packet capture. You said you took one.

I am interested in seeing the icmp and arp packets.
by vingjfg
Thu Apr 11, 2024 7:11 am
Forum: Beginner Basics
Topic: Can't ping with firewall (nat)
Replies: 9
Views: 434

Re: Can't ping with firewall (nat)

Can you share the ip address config?

Also, can you share a pcap?
by vingjfg
Wed Apr 10, 2024 8:45 pm
Forum: Beginner Basics
Topic: IP not present in lease table on RouterboardOS
Replies: 3
Views: 238

Re: IP not present in lease table on RouterboardOS

The MAC 00:00:00:00:00:00 indicates a conflict: likely the Mikrotik attempted to hand out the IP 192.168.80.222, but its check determined that IP is already on the network, so Mikrotik blocks it in the pool. As Holvoetn says, it could be a static IP on the Ruckus. Other possibilities I can see: The ...
by vingjfg
Wed Apr 10, 2024 5:12 pm
Forum: General
Topic: LLDP broken?
Replies: 6
Views: 462

Re: LLDP broken?

I tried a snmpwalk with the top of the LLDP OID tree and I get the info.
snmpwalk [...] -m MIKROTIK-MIB -m LLDP-MIB 192.168.2.1 1.0.8802.1.1.2
If you haven't, can you download the Mikrotik MIB and add it to your tool?

https://mikrotik.com/download
by vingjfg
Tue Apr 09, 2024 9:47 pm
Forum: General
Topic: VPN LAN to LAN Help
Replies: 1
Views: 184

Re: VPN LAN to LAN Help

Wow, you didn't make it easy for yourself! The issue I see is that the packet goes in the VPN from the central site to the remote site, is put on the local network, arrives at the Windows server .., which tries to reply to 192.168.1.0/24 on the local network. In order for this to work, you will have to p...
by vingjfg
Tue Apr 09, 2024 9:36 pm
Forum: General
Topic: LLDP broken?
Replies: 6
Views: 462

Re: LLDP broken?

Hi there, There is a support portal: Support portal. Regarding lldp and the sending interface, that should be the property interface-name .
[admin@********] > /ip/neighbor/print detail
0 interface=wifi3,bridge mac-address=XX:XX:XX:XX:XX:XX identity="*****" platform="" version="...
by vingjfg
Sun Feb 11, 2024 10:19 am
Forum: General
Topic: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunnel?
Replies: 9
Views: 806

Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne

No worries. Regarding your NAT rule, taking one at random:
/ip firewall nat
...
add action=accept chain=srcnat comment=ISW_Endpoints dst-address=\
    172.x.x.11 log=yes log-prefix=ISW src-address=105.x.x.19
...
This means "For connections coming from a.b.c.19 and going to 172.x.x.11, do not change...
by vingjfg
Sun Feb 11, 2024 9:39 am
Forum: General
Topic: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]
Replies: 15
Views: 953

Re: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]

It looks like the two certificates from letsencrypt actually have different key sizes: Screenshot from 2024-02-10 21-13-28.png 2048 (MT) vs 4096 (pfsense) I don't know - in the logs with the failure, the certificate status is found as "good", which would indicate that the certificate is ac...
by vingjfg
Sat Feb 10, 2024 8:32 pm
Forum: General
Topic: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]
Replies: 15
Views: 953

Re: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]

My mistake, I missed the sha256 in the config. Your pfsense has pfs in phase 1, the MT config says none. Can you try setting one?

Nope, nothing obvious I see.
by vingjfg
Sat Feb 10, 2024 7:35 pm
Forum: General
Topic: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]
Replies: 15
Views: 953

Re: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]

If I read this correctly, your ikev2 p1 has only sha1 defined. Can you add sha256?
by vingjfg
Sat Feb 10, 2024 4:47 pm
Forum: General
Topic: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunnel?
Replies: 9
Views: 806

Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne

For the formatting, please enclose the configuration or config statements between code tags. Looking at your config ... there are severe issues, for example you have the WAN and ISW interfaces as part of the same bridge, while ISW and LAN are part of the same interface group. This begs the question of...
by vingjfg
Sat Feb 10, 2024 1:48 pm
Forum: General
Topic: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]
Replies: 15
Views: 953

Re: Strange problem with Strongswan/RockyLinux: Signature validation failed, looking for another [SOLVED]

Can you check the IKE p1 proposal on the MT? From the last excerpt, it works with SHA-2 384.
by vingjfg
Sat Feb 10, 2024 10:52 am
Forum: General
Topic: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunnel?
Replies: 9
Views: 806

Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne

Sure, add the /32 to the tunnel domain on both sides and a nat rule on the server side.

Send the anonymized configs if you want.
by vingjfg
Sat Feb 10, 2024 9:46 am
Forum: General
Topic: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunnel?
Replies: 9
Views: 806

Re: How to configure Mikrotik to route traffic from a public IP address through an existing IPsec site-to-site VPN tunne

Could you post a diagram with this?

X.x.x.19 - you wrote "... assigned to a dedicated private server ..." Do you mean it has a private IP and NAT? Or directly the public IP?
by vingjfg
Wed Feb 07, 2024 1:16 pm
Forum: General
Topic: Ways to change NAS-Identifier in RADIUS requests?
Replies: 8
Views: 645

Re: Ways to change NAS-Identifier in RADIUS requests?

Would changing the Radius server be possible?
by vingjfg
Wed Feb 07, 2024 12:23 pm
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 741

Re: Bonding disconnect every 1 min

This is a bit of a feature that is becoming a bug: "protocol-mode=none" not only disables spanning-tree but results in all L2 multicast frames being forwarded to all ports as well. As a result, the switch was forwarding the LACPDU from one ethernet port to another, resulting in the Cisco s...
by vingjfg
Tue Feb 06, 2024 9:54 am
Forum: Beginner Basics
Topic: Bridge filter rules not working
Replies: 26
Views: 1886

Re: Bridge filter rules not working

Hmm... a summary read of your logs shows only broadcasts and multicasts.
by vingjfg
Tue Feb 06, 2024 7:29 am
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 741

Re: Bonding disconnect every 1 min

For the bridge, could you change the "protocol-mode" to "rstp" and see if it changes something?
by vingjfg
Mon Feb 05, 2024 9:06 pm
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 741

Re: Bonding disconnect every 1 min

No worries.

Can you send the output of the following commands?
/interface/bonding/print
/interface/bridge/port print
/interface/bridge/print detail
by vingjfg
Mon Feb 05, 2024 9:02 pm
Forum: Beginner Basics
Topic: Apache on public IP ( Forwarding )
Replies: 9
Views: 576

Re: Apache on public IP ( Forwarding )

As @mesquite and @mkx said plus:

Let's check from the server out.

On the server, can you get the output of the following?
ip addr
ip route list
by vingjfg
Mon Feb 05, 2024 12:32 pm
Forum: Beginner Basics
Topic: Apache on public IP ( Forwarding )
Replies: 9
Views: 576

Re: Apache on public IP ( Forwarding )

Thanks for posting here. Note that you haven't posted all I asked. Regarding your test, I suspect you are trying from the same network as your server is on. This cannot work as is, as this needs hairpin NAT. For all to work correctly, your NAT rule should look like this. Replace <PUBLIC IP> with you...
by vingjfg
Mon Feb 05, 2024 11:32 am
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 741

Re: Bonding disconnect every 1 min

If I understand you correctly: if you pick two ports that don't include gi7 on the Cisco it works fine?
by vingjfg
Sun Feb 04, 2024 10:03 am
Forum: Beginner Basics
Topic: Apache on public IP ( Forwarding )
Replies: 9
Views: 576

Re: Apache on public IP ( Forwarding )

First, please post the images here instead of on an external site. The rule states an inbound interface whose name is "all wire..." - is that your internal (LAN) or external (WAN) interface? Given that the masquerade rule has an outgoing interface of "pppoe-...", I suspect the in...
by vingjfg
Sun Feb 04, 2024 9:31 am
Forum: General
Topic: Bonding disconnect every 1 min
Replies: 10
Views: 741

Re: Bonding disconnect every 1 min

Hi there! As far as I know and unless you changed the defaults, the LACPDUs are sent every 30s, so that could be something else. However! What LACP mode did you set on the Cisco side? Did you enforce the same load-balancing algo on both ends? Still on the Cisco side, can you look at the interface co...
by vingjfg
Fri Feb 02, 2024 7:50 am
Forum: General
Topic: VLANs Not Talking
Replies: 9
Views: 615

Re: VLANs Not Talking

Glad to hear you figured it out! Regarding spanning tree prio, your itnetwrk-core01 looks like a good candidate for getting prio 0.
by vingjfg
Thu Feb 01, 2024 2:20 pm
Forum: Beginner Basics
Topic: VLAN tagged/untagged on same router
Replies: 6
Views: 606

Re: VLAN tagged/untagged on same router

Ok, so supposing your bridge is called "bridge" and:
ether0: tagged port on vlan 10
ether1: tagged port on vlan 20
ether2: untagged port on vlan 10
ether3: untagged port on vlan 20
ether4: trunk port with vlan 10,20
The following should be close to what is needed.
/interface bridge set [br...
by vingjfg
Thu Feb 01, 2024 1:59 pm
Forum: Beginner Basics
Topic: VLAN tagged/untagged on same router
Replies: 6
Views: 606

Re: VLAN tagged/untagged on same router

Can you send the output of
/interface bridge export
by vingjfg
Thu Feb 01, 2024 1:56 pm
Forum: General
Topic: VLANs Not Talking
Replies: 9
Views: 615

Re: VLANs Not Talking

Here are a few corrections.
WARNING WARNING WARNING
Potential for cutting yourself out of the network. Consider taking one of the interfaces out of the bridges and assigning it an IP directly should you need to rescue the device without too much trouble.
WARNING WARNING WARNING
# Mikrotik side
# Fix...
by vingjfg
Thu Feb 01, 2024 12:37 pm
Forum: General
Topic: VLANs Not Talking
Replies: 9
Views: 615

Re: VLANs Not Talking

A few things -
Bridge vlan-bridge is not set for vlan-filtering but you are using 802.1q (vlan) subinterfaces on it
Bridge br0, vlan 25, you are using service-tags. Any reason?
The Cisco config you sent has the wrong name (CISCO-SW04) and not what should be ITNETWRK-SW-02. The IP is correct but is ...
by vingjfg
Thu Feb 01, 2024 12:10 pm
Forum: Beginner Basics
Topic: Mikrotik with Pfsense firewall [SOLVED]
Replies: 9
Views: 1587

Re: Mikrotik with Pfsense firewall [SOLVED]

Now we are getting somewhere. Add this to your running Mikrotik. This will permit access from the internet to your server on TCP/8080. Of course replace <your public IP> with the actual IP address.
/ip/firewall/nat add chain=dstnat in-interface-list=WAN action=dst-nat to-addresses=192.168.70.1 dst-p...
by vingjfg
Wed Jan 31, 2024 9:24 pm
Forum: Beginner Basics
Topic: Find Mc Address modem bridge
Replies: 1
Views: 292

Re: Find Mc Address modem bridge

It depends. If that's a pure modem, i.e. your Mikrotik is getting a public IP, you may have some chance sniffing the traffic and finding some RFC1918 (aka "private") IP addresses that may be the modem management interface. If the Voo device is also a wifi router and things, then you may ha...
by vingjfg
Wed Jan 31, 2024 9:15 pm
Forum: Beginner Basics
Topic: Mikrotik with Pfsense firewall [SOLVED]
Replies: 9
Views: 1587

Re: Mikrotik with Pfsense firewall [SOLVED]

So we ironed out the 70.54/70.254 one - one to go.

Yes for the password. Do that as soon as you can.

Can you send me the NAT rules from the PFSense?
by vingjfg
Wed Jan 31, 2024 11:46 am
Forum: Beginner Basics
Topic: Mikrotik with Pfsense firewall [SOLVED]
Replies: 9
Views: 1587

Re: Mikrotik with Pfsense firewall [SOLVED]

I redrew the schematic with the information you gave. Let me know if that matches. The switch has been removed as it is L2 and won't change a thing (for now). mt-pfsense.drawio.png Note that you wrote the default gateway on the PFSense is 192.168.70.254 and that the MT has 192.168.70.54. So you alre...
by vingjfg
Tue Jan 30, 2024 2:21 pm
Forum: Wireless Networking
Topic: Hotpspot Connected But No Internet
Replies: 4
Views: 444

Re: Hotpspot Connected But No Internet

The point is that having two bridges is not needed and creates unneeded complexity. However that is not the problem. At least not the main one. Or ones. One of the problems is ... that you have twice the same IP on different interfaces.
/ip address add address=192.168.88.1/24 comment=defconf interfa...
by vingjfg
Tue Jan 30, 2024 1:57 pm
Forum: Wireless Networking
Topic: Hotpspot Connected But No Internet
Replies: 4
Views: 444

Re: Hotpspot Connected But No Internet

You have two bridges, could you rework the configuration to have a single bridge with vlan-filtering and VLANs to separate the hotspot?
by vingjfg
Tue Jan 30, 2024 12:49 pm
Forum: Wireless Networking
Topic: access-list + radius not working.
Replies: 10
Views: 832

Re: access-list + radius not working.

I am reading the page on interface/wireless, specifically the section on Radius MAC authentication RADIUS MAC authentication Note: RADIUS MAC authentication is used by access point for clients that are not found in the access-list, similarly to the default-authentication property of the wireless int...
by vingjfg
Tue Jan 30, 2024 11:49 am
Forum: Wireless Networking
Topic: access-list + radius not working.
Replies: 10
Views: 832

Re: access-list + radius not working.

Can you modify your ACL to the following? This means that the clients with signal -65..0 are accepted but when the signal dips under -65, they are disconnected.
/interface wireless access-list
add signal-range=-65..0
add authentication=no forwarding=no signal-range=-120..-66
The way your ACL was wri...
by vingjfg
Tue Jan 30, 2024 11:13 am
Forum: Wireless Networking
Topic: access-list + radius not working.
Replies: 10
Views: 832

Re: access-list + radius not working.

That's ... not a lot.

Is your ACL set to reject the clients with signal in the range -85..-120?

I created one (using wifi, not wireless) - here is what it looks like.
/interface wifi access-list
add action=reject disabled=no signal-range=-85..120
The second "add", is it an ACL?
by vingjfg
Tue Jan 30, 2024 10:58 am
Forum: Wireless Networking
Topic: access-list + radius not working.
Replies: 10
Views: 832

Re: access-list + radius not working.

Can you post your ACL configuration?
by vingjfg
Mon Jan 29, 2024 10:13 pm
Forum: General
Topic: To xSTP...or not [SOLVED]
Replies: 4
Views: 666

Re: To xSTP...or not [SOLVED]

The short answer is "unless you really have something against it, it costs nothing to enable it." I would make the case that in a Mikrotik environment, it is actually better to have something rather than "none": during a recent troubleshooting (LLDP), someone pointed that protoco...
by vingjfg
Mon Jan 29, 2024 9:12 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

That's interesting. Adding a private key is one of the tests I did and I did not lose the password access to the Linux machine. It could be that I did not log off from my session when I added the key. Could be. I will try when I get my test equipment. That aside, glad you made it work. And yeah, it ...
by vingjfg
Mon Jan 29, 2024 11:53 am
Forum: General
Topic: currently-untagged contradicts untagged [SOLVED]
Replies: 11
Views: 703

Re: currently-untagged contradicts untagged [SOLVED]

Can you post the output of the following command?
/interface/bridge/port/print where interface=ether3-green
by vingjfg
Mon Jan 29, 2024 9:08 am
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 913

Re: OpenVPN DCO problem with ROS v7.13.1

Well, I was using AES 256 CBC SHA1 for a long time with no issues on mikrotik routers, including this device. But, considering deprecated CBC cipher in OpenVPN Community and much much faster connection time using AES GCM, with ROS v7 I can use this cipher. As I already mentioned, I don't have prob...
by vingjfg
Sun Jan 28, 2024 11:46 am
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 913

Re: OpenVPN DCO problem with ROS v7.13.1

Before diving into the guts of the openvpn server, I want to make sure that there is no network issue. From the page you sent, the RB850Gx2 platform supports AES in CBC mode, at least for the devices whose SN starts with 5 or 7. It may be worth giving it a try and see whether that solves the issue -...
by vingjfg
Sun Jan 28, 2024 9:34 am
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 913

Re: OpenVPN DCO problem with ROS v7.13.1

Regarding your input rules, can you send the full set? There is some reorganization possible that may help with the issue. With the rules related to the interface WAN you sent, I would reorder in the following way. Note that without having the full input chain, I may just be duplicating existing ent...
by vingjfg
Sat Jan 27, 2024 11:03 pm
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 913

Re: OpenVPN DCO problem with ROS v7.13.1

Because anyone sending udp datagrams with source port 53 or 123 can reach any udp port on your device.

Nat rule is ok. I will have a closer look tomorrow.
by vingjfg
Sat Jan 27, 2024 10:41 pm
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 913

Re: OpenVPN DCO problem with ROS v7.13.1

Are these all your input rules? Also, no nat that would interfere?

If ok, can you export all the input and nat rules?

I will have a closer look tomorrow. First thing is your dns_ntp rule is dangerous.
by vingjfg
Sat Jan 27, 2024 9:30 pm
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 913

Re: OpenVPN DCO problem with ROS v7.13.1

Can you check that your input rules allow traffic to tcp and udp 1194 on your Mikrotik?
by vingjfg
Sat Jan 27, 2024 7:18 pm
Forum: General
Topic: OpenVPN DCO problem with ROS v7.13.1
Replies: 12
Views: 913

Re: OpenVPN DCO problem with ROS v7.13.1

Can you add
disable-dco
to the client config?
by vingjfg
Sat Jan 27, 2024 11:21 am
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

Here are my defaults for /ip/ssh (7.13.2). always-allow-password-login is already "no".
forwarding-enabled: no
always-allow-password-login: no
strong-crypto: no
allow-none-crypto: no
host-key-size: 2048
host-key-type: rsa
Changing "strong-crypto" doesn't prevent me from ssh-ing o...
by vingjfg
Fri Jan 26, 2024 7:48 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

Seems so. I will try tomorrow.

BTW, what's your version?
by vingjfg
Fri Jan 26, 2024 8:30 am
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

Yes, and we now know that the server is not sending the client packing but the client disconnects (type 1) after a message "USERAUTH FAILURE" (type 51) ( https://www.ietf.org/rfc/rfc4250.txt ). The stanza to debug SSH is the following. Be warned: that's verbose.
/system/logging/add topics=ss...
by vingjfg
Fri Jan 26, 2024 12:00 am
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

OK. Let's try LogLevel at DEBUG3. I will have a look tomorrow morning.

That is weird.
by vingjfg
Thu Jan 25, 2024 11:56 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

Hmmm ...
Jan 25 15:28:49 zoidberg sshd[275510]: debug2: input_userauth_request: try method none [preauth]
After this one it should try another method - do you have "PasswordAuthentication yes" in /etc/ssh/sshd_config ?
by vingjfg
Thu Jan 25, 2024 11:25 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

ok ... can you set the loglevel to DEBUG2, restart the daemon and try another connection?

Stupid question: clocks synchronized on both devices?
by vingjfg
Thu Jan 25, 2024 10:08 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

OK, that's the general "something went wrong somewhere" type of message. Could be a number of things:
If your server is a bit dated and the client a lot more recent, it may disconnect as it doesn't find something in common (but usually it says so)
Are you trying key authentication? If so,...
by vingjfg
Thu Jan 25, 2024 9:50 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

Ok. That was worth a shot.

On the linux server - can you get the SSH entries?
sudo journalctl -xr -u ssh
by vingjfg
Thu Jan 25, 2024 9:38 pm
Forum: General
Topic: Can't ssh from router to LInux server?
Replies: 23
Views: 1507

Re: Can't ssh from router to LInux server?

Hi there!

Can you try the following?
/system ssh user=<some non root user on the linux server> 192.168.4.5
by vingjfg
Thu Jan 25, 2024 1:50 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

:thumb up:

I saw the other post, if you haven't already, I will create a bug report.
by vingjfg
Thu Jan 25, 2024 1:34 pm
Forum: Beginner Basics
Topic: NTP Time server
Replies: 7
Views: 1054

Re: NTP Time server

That is why I think you can just remove it and it will use bc address for local subnet, eks 178.118.85.255 (if it's a c net) I just tried: if you set broadcast=yes without specifying any broadcast-addresses, nothing happens. It doesn't work with 255.255.255.255. My local subnet is 192.168.2.0/24, ...
by vingjfg
Thu Jan 25, 2024 11:56 am
Forum: Beginner Basics
Topic: NTP Time server
Replies: 7
Views: 1054

Re: NTP Time server

Also and to check, what is the IP of your RBM11G on that network? You mention the .2 but that would make it right in your DHCP pool.
by vingjfg
Thu Jan 25, 2024 10:59 am
Forum: Beginner Basics
Topic: NTP Time server
Replies: 7
Views: 1054

Re: NTP Time server

/system/ntp/server> print
enabled: yes
broadcast: yes
multicast: yes
manycast: yes
broadcast-addresses: 178.118.85.2
vrf: main
use-local-clock: yes
local-clock-stratum: 3
auth-key: none
Can you double check the broadcast-address? It doesn't look like a broadcast address at all.
by vingjfg
Wed Jan 24, 2024 9:42 pm
Forum: Beginner Basics
Topic: Mikrotik with Pfsense firewall [SOLVED]
Replies: 9
Views: 1587

Re: Mikrotik with Pfsense firewall [SOLVED]

The easiest, as far as I can see, is something along the lines of the following. This simply takes whatever arrives to the interfaces in the WAN list and translates it to the PFSense's address.
/ip/firewall/nat add chain=dstnat in-interface-list=WAN action=dst-nat to-addresses=192.168.70.1
By default...
by vingjfg
Tue Jan 23, 2024 10:24 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

I can confirm, enabling RSTP or MSTP stops link layer MAC addresses from being forwarded. One issue down, 99 to go! As a side note, I lose connectivity with my switches if I enable STP (this is strange, I have no loops), but I was able to test using RSTP and MSTP. I guess the first thing to look would b...
by vingjfg
Tue Jan 23, 2024 5:13 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

Some observations might be explained with disabled (R/M)STP on the bridge. It is expected to forward reserved multicast MACs 01:80:C2:00:00:0X (LLDP, BPDU, etc.) when using " protocol-mode=none " setting. Wow, yup! I tested and that's indeed the case. As FIPTech said that its bridge had S...
by vingjfg
Tue Jan 23, 2024 2:02 pm
Forum: Wireless Networking
Topic: Wifi WPA-PSK with MAC auth over radius
Replies: 9
Views: 1295

Re: Wifi WPA-PSK with MAC auth over radius

Thanks! Yes, I have defined Radius for wireless. It works for WPA-EAP, in the logs I see the radius requests go out and the reply comes back. I am not using capsman yet. I can try with capsman, but shouldn't it work without as well? I guess that's the $2^20 question - should it work without a /capsm...
by vingjfg
Tue Jan 23, 2024 1:44 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

I connected another auxiliary router for packet capture, and i did first discover something abnormal : LLDP announcement from every devices connected to the ports of the other router bridge are visible. This indicates that LLDP is switched and broadcasted between ports. I suspect that it's a bug. N...
by vingjfg
Mon Jan 22, 2024 8:29 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

OK. So you see the same when you change the VLAN of the port as I do when I set the discovery on the VLAN interface. I have the feeling that there is something I am missing but I can't quite point it. Can we do the following? With the discovery as it is, port with PVID1 and additional VLAN (4000) ta...
by vingjfg
Mon Jan 22, 2024 6:38 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

Nope, not working. Ticket open: SUP-141451.
by vingjfg
Mon Jan 22, 2024 6:22 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

I configured LLDPD on my computer with a network policy, which got advertised immediately. The fact that my Mikrotik is not advertising the MED extension kind of tells me there could be a bug. As a last try, I will reboot my device and see if that changes something. I found a post from mid-2023 that...
by vingjfg
Mon Jan 22, 2024 5:24 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

I got curious and tried with my workstation on VLAN1 and VLAN10 - same result, I do not get an advertisement for LLDP-MED, but my workstation doesn't advertise itself as Voice or Phone. I think I may have an app somewhere for that.
by vingjfg
Mon Jan 22, 2024 5:01 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

I do. I will test later today with VLAN1 and VLAN10 to see if there is a difference.

Meanwhile, can you issue "/ip/neighbor/print" to check that you see neighbors?
by vingjfg
Mon Jan 22, 2024 12:44 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

Knock on wood!

I suspect that the device tried to tag the LLDP traffic ... which cannot be encapsulated, so while the physical interfaces received and sent the LLDPDU, the LLDP process itself did not receive them.

Hopefully, this will solve it. Let me know how it goes.
by vingjfg
Mon Jan 22, 2024 11:02 am
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

I think I found something - setting the list to LAN, I got LLDP announcements on my workstation but the router did not get my announcements. Nor did I get the VLAN. > /ip/neighbor/print I then configured a second list that has the bridge member interface > /interface/list/member/print Columns: LIST,...
by vingjfg
Mon Jan 22, 2024 10:46 am
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

I still see LLDPDU. I will install an LLDP responder on my computer to see that I can get the Voice VLAN. > /ip/neighbor/discovery-settings/print discover-interface-list: LAN lldp-med-net-policy-vlan: 11 protocol: cdp,lldp,mndp mode: tx-and-rx 20240122 LLDP Wireshark 2.png
by vingjfg
Mon Jan 22, 2024 10:14 am
Forum: Forwarding Protocols
Topic: BGP connecting but not forwarding after ros6 to ros7 update
Replies: 5
Views: 1138

Re: BGP connecting but not forwarding after ros6 to ros7 update

Hi Macosoft, You already asked that question in https://forum.mikrotik.com/viewtopic.php?t=203438 . Can you provide the output of the following commands? I may need a larger subset of the configuration later but I want to start with the minimum. /routing/export /ip/firewall/address-list/export /ip/r...
by vingjfg
Mon Jan 22, 2024 10:00 am
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

I did some tests with my equipment (7.13.2 on ARM), here is my configuration > /ip/neighbor/discovery-settings/print discover-interface-list: LAN lldp-med-net-policy-vlan: disabled protocol: cdp,lldp,mndp mode: tx-and-rx > /interface/list/member/print Columns: LIST, INTERFACE # LIST INTERFACE 0 LAN ...
by vingjfg
Sun Jan 21, 2024 11:18 pm
Forum: Wireless Networking
Topic: Wifi WPA-PSK with MAC auth over radius
Replies: 9
Views: 1295

Re: Wifi WPA-PSK with MAC auth over radius

Yo. I will try to help. There is more in two heads and stuff.

Radius server - you have set it for wireless service as well, correct? https://help.mikrotik.com/docs/display/ROS/RADIUS

Capsman aaa - you have a definition? https://help.mikrotik.com/docs/display/ROS/CAPsMAN
by vingjfg
Sun Jan 21, 2024 10:45 pm
Forum: General
Topic: LLDP MED not working if port PVID is not 1 ? (no, other bug found, see summary thread)
Replies: 32
Views: 1855

Re: LLDP MED not working if port PVID is not 1

Hi FIPTech,

That's strange. Can you send your discovery settings and the interface lists members?

Also and to confirm - your bridge is configured with vlan-filtering=yes, correct?
/ip/neighbor/discovery-settings/print
/interface/list/member/print
by vingjfg
Sun Jan 21, 2024 4:01 pm
Forum: Beginner Basics
Topic: Need some config help
Replies: 5
Views: 722

Re: Need some config help

Here is. Let me know if you have any questions. Comments: If the Public IP One to Five are in the same network, then the addresses with the netmask /32 are to be fixed. Or replace the additional addresses by host routes (my preferred version but that's personal). For the NAT configuration, there are...
by vingjfg
Sun Jan 21, 2024 10:05 am
Forum: Scripting
Topic: Questions about generating valid random MAC? [SOLVED]
Replies: 17
Views: 1513

Re: Questions about generating valid random MAC? [SOLVED]

Thank you for your answer. The script I am currently using is fixed 0E: 11:22:33:44:55 at the first byte, with 0E at the beginning and random generation at the end. However, I think the range is still not large enough Hi Rosa, I don't know how you generate the MAC addresses but if you feel that the...
by vingjfg
Sat Jan 20, 2024 5:58 pm
Forum: Scripting
Topic: Questions about generating valid random MAC? [SOLVED]
Replies: 17
Views: 1513

Re: Questions about generating valid random MAC? [SOLVED]

Hi Rosa, Regarding the structure of a MAC address, the 2 constraints are: The LSB ("bit 0") of the first byte is 0 for a unicast address, 1 for a multicast address The next bit ("bit 1") of the first byte is 0 for a globally unique address and 1 for a locally administered address...
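The two constraints on the first octet described in this post and the preceding one (bit 0 clear for unicast, bit 1 set for locally administered), as an added example that is not part of the original thread. The helper names are the example's own. It generates from all 46 free bits rather than fixing the first octet, which is the "range not large enough" concern raised earlier in the thread; 0E as a first octet is shown to be valid because 0x0E already has bit 1 set and bit 0 clear.

```python
import secrets

MULTICAST_BIT = 0x01             # bit 0 of the first octet: 1 = multicast
LOCAL_ADMIN_BIT = 0x02           # bit 1 of the first octet: 1 = locally administered


def parse_mac(mac):
    """Parse 'aa:bb:cc:dd:ee:ff' into six ints; raises ValueError on malformed input."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated octets: {mac!r}")
    octets = [int(p, 16) for p in parts]
    if any(not 0 <= o <= 0xFF for o in octets):
        raise ValueError(f"octet out of range: {mac!r}")
    return octets


def classify_mac(mac):
    """Report the two structural flags carried in the first octet."""
    first = parse_mac(mac)[0]
    return {
        "multicast": bool(first & MULTICAST_BIT),
        "locally_administered": bool(first & LOCAL_ADMIN_BIT),
    }


def is_valid_unicast_local(mac):
    """True for a unicast, locally administered address (what a generated MAC should be)."""
    flags = classify_mac(mac)
    return not flags["multicast"] and flags["locally_administered"]


def random_local_unicast_mac(rng=secrets.token_bytes):
    """Random locally administered unicast MAC drawn from all 46 free bits.

    rng(n) must return n random bytes; it is a parameter so the result can be
    made deterministic for testing.
    """
    raw = bytearray(rng(6))
    # Clear bit 0 (unicast) and set bit 1 (locally administered); keep the other 6 bits.
    raw[0] = (raw[0] & 0xFC) | LOCAL_ADMIN_BIT
    return ":".join(f"{b:02x}" for b in raw)


def address_space_bits(fixed_prefix_octets):
    """Bits of randomness left when the first N octets are held constant.

    With no fixed octet the two flag bits are forced and 46 bits remain; fixing
    the whole first octet (e.g. always 0E) leaves the 40 bits of the other five.
    """
    if fixed_prefix_octets <= 0:
        return 46
    return 48 - 8 * fixed_prefix_octets


if __name__ == "__main__":
    mac = random_local_unicast_mac()
    print(mac, classify_mac(mac), "valid:", is_valid_unicast_local(mac))
    print("bits with a fixed first octet:", address_space_bits(1))
    print("bits with only the flag bits fixed:", address_space_bits(0))
```

Parsing is strict on purpose: a MAC fed to a script from an untrusted source (a DHCP lease, a RADIUS attribute) should fail loudly rather than silently yield a wrong octet count.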
by vingjfg
Sat Jan 20, 2024 4:35 pm
Forum: General
Topic: /ip/firewall/filter/export - discrepancy with the where clause
Replies: 3
Views: 596

/ip/firewall/filter/export - discrepancy with the where clause

Hi all, I noticed that when I use /ip/firewall/filter/export where chain=... I get only one rule, and when I use /ip/firewall/filter/export , I have several rule in the chain. For example: > /ip/firewall/filter/export where chain=input # 2024-01-20 15:31:51 by RouterOS 7.13.2 ... /ip firewall filter...
by vingjfg
Sat Jan 20, 2024 10:18 am
Forum: Beginner Basics
Topic: Need some config help
Replies: 5
Views: 722

Re: Need some config help

Hi there!

Can you post here the output of the following commands after having replaced the public IP (for example by public1 ... public4)?
/ip/address/export verbose
/ip/firewall/nat/export
/ip/firewall/filter/export
by vingjfg
Sat Jan 20, 2024 9:20 am
Forum: Beginner Basics
Topic: Slow network speeds with Pi-Hole as DNS
Replies: 9
Views: 992

Re: Slow network speeds with Pi-Hole as DNS

Something to check: you wrote that with the old switch (1Gb/s), it was fine. The new one has 2.5Gb/s capability, so I am wondering whether that could wreak havoc. Could you replace the ether1 with the name of the interface on the CRS310-8G+2S+IN that goes to the deco and see the rates advertised and...
by vingjfg
Thu Jan 18, 2024 10:24 pm
Forum: General
Topic: Help me - make script change ip adress every rto
Replies: 11
Views: 1058

Re: Help me - make script change ip adress every rto

Something like this should do the job. Please review before running as it hasn't been fully tested. Also, know that you are using it under your own responsibility. /system script add name=change-ip-on-rto source={ # Is google pingable? :local pingResult [/ping 8.8.8.8 count=3]; if ($pingResult = 0 )...
by vingjfg
Thu Jan 18, 2024 4:42 pm
Forum: Forwarding Protocols
Topic: BGP Filters translate from ros6 to ros7 not working
Replies: 9
Views: 1434

Re: BGP Filters translate from ros6 to ros7 not working

Macosoft, I think your last 3 rules should be: ... I tried with your modified rules but with no luck. When I disable this rule: chain=from_telekom disabled=no rule="if (dst == 0.0.0.0/0) { set bgp-weight 100; set bgp-local-pref 120; accept; }" I dont have internet on the router either. Se...
by vingjfg
Wed Jan 17, 2024 10:26 pm
Forum: Beginner Basics
Topic: Vpn ikeV2
Replies: 3
Views: 610

Re: Vpn ikeV2

For mikrotik, did you enable the logging with the following command?
/system/logging/ add action=memory prefix=ipsec topics=ipsec
If so, can you share the output when you try?

Reading the site you sent (translated into English, as I can read some Czech but not Polish, unfortunately).
by vingjfg
Wed Jan 17, 2024 10:18 pm
Forum: Scripting
Topic: Variable not being referenced by ":find" command? [SOLVED]
Replies: 3
Views: 781

Re: Variable not being referenced by ":find" command? [SOLVED]

Hi @ghostinthenet, I got it working - in my case the issue was that the variable immediateGateway was an array. Here is my code: { :local immediateGateway [/ip/route get [/ip route find where 8.8.8.8 in dst-address and active and routing-table=main] value-name=immediate-gw] :put [:typeof $immediateG...
by vingjfg
Wed Jan 17, 2024 9:19 pm
Forum: Beginner Basics
Topic: Vpn ikeV2
Replies: 3
Views: 610

Re: Vpn ikeV2

Hi @pasin, The x.509 alternative name is an extension field to indicate other possible names or identities for the machine, for example if it has multiple names or if you want to be able to address the machine by name or by IP. Regarding the issue you have, here is a link for you to review: https://...
by vingjfg
Wed Jan 17, 2024 9:13 pm
Forum: General
Topic: Help me - make script change ip adress every rto
Replies: 11
Views: 1058

Re: Help me - make script change ip adress every rto

Hi @johndol, I am not entirely sure what you are asking, for example I do not understand what you want to change. Your ISP assigns the external interface of your router an IP address, in the range 10.130.0.0/17, and that IP changes quite often. When the IP changes, what do you want to modify? You m...
by vingjfg
Wed Jan 17, 2024 8:57 pm
Forum: General
Topic: Brute Force Attacks
Replies: 16
Views: 2408

Re: Brute Force Attacks

Perhaps the vodka market is drying out and they want to get into chocolate or beer :lol: I could throw in a couple of Belgian Waffles :D :D It will be below -15°C tomorrow so I could do with waffles (des gaufres de Liège s.v.p!) and some hot chocolate. Beer? In het stoofvlees! The following IP addr...
by vingjfg
Tue Jan 16, 2024 10:53 pm
Forum: Beginner Basics
Topic: Firewall jump rules - for better performance?
Replies: 2
Views: 555

Re: Firewall jump rules - for better performance?

Conceptually, that is correct: your first jump rule would match everything going to vlan10, if not, it would skip directly to the second jump rule ... etc, adding one evaluation for the rules to vlan10, 2 evaluations but removing a 100 evaluations for the rules to vlan20, and 3 evaluations but remov...
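The evaluation-count argument in this post, as an added example that is not part of the original thread: a small first-match evaluator with RouterOS-style jump chains, counting how many rules are looked at for one packet under a flat rulebase versus a per-VLAN jump layout. The rulebase shape (three VLANs, 100 per-port rules each, an explicit final drop) and the names are constructed for the example; the end-of-chain behaviour modelled is the RouterOS one, where a built-in chain accepts by default and a user chain falls back to its caller.

```python
from dataclasses import dataclass
from typing import Optional

BUILTIN_CHAINS = {"input", "forward", "output"}


@dataclass
class Rule:
    chain: str
    action: str                        # accept | drop | jump | return
    out_iface: Optional[str] = None    # None means "any"
    dst_port: Optional[int] = None     # None means "any"
    jump_target: Optional[str] = None

    def matches(self, pkt):
        return ((self.out_iface is None or self.out_iface == pkt["out_iface"]) and
                (self.dst_port is None or self.dst_port == pkt["dst_port"]))


class Firewall:
    def __init__(self, rules):
        self.chains = {}
        for r in rules:
            self.chains.setdefault(r.chain, []).append(r)
        self.evaluations = 0           # how many rules were tested for the packet

    def run(self, chain, pkt):
        """First-match evaluation. Returns 'accept'/'drop', or None when a user
        chain is exhausted (or hits 'return') so the calling chain continues."""
        for rule in self.chains.get(chain, []):
            self.evaluations += 1
            if not rule.matches(pkt):
                continue
            if rule.action in ("accept", "drop"):
                return rule.action
            if rule.action == "return":
                return None
            if rule.action == "jump":
                verdict = self.run(rule.jump_target, pkt)
                if verdict is not None:
                    return verdict
        # End of a built-in chain accepts by default (hence the explicit final
        # drop in every sane rulebase); end of a user chain returns to the caller.
        return "accept" if chain in BUILTIN_CHAINS else None


def evaluate(rules, pkt):
    """Return (verdict, number of rule evaluations) for one packet in chain=forward."""
    fw = Firewall(rules)
    return fw.run("forward", pkt), fw.evaluations


def flat_rulebase(vlans, ports_per_vlan):
    """All per-VLAN accept rules in chain=forward, then a catch-all drop."""
    rules = [Rule("forward", "accept", out_iface=v, dst_port=p)
             for v in vlans for p in range(1, ports_per_vlan + 1)]
    rules.append(Rule("forward", "drop"))
    return rules


def jump_rulebase(vlans, ports_per_vlan):
    """One jump per VLAN in chain=forward, per-VLAN accepts in their own chains."""
    rules = [Rule("forward", "jump", out_iface=v, jump_target=f"to_{v}") for v in vlans]
    rules.append(Rule("forward", "drop"))
    for v in vlans:
        rules += [Rule(f"to_{v}", "accept", dst_port=p) for p in range(1, ports_per_vlan + 1)]
    return rules


VLANS = ["vlan10", "vlan20", "vlan30"]

if __name__ == "__main__":
    for pkt in ({"out_iface": "vlan10", "dst_port": 5},
                {"out_iface": "vlan20", "dst_port": 5},
                {"out_iface": "vlan30", "dst_port": 9999}):
        flat = evaluate(flat_rulebase(VLANS, 100), pkt)
        jump = evaluate(jump_rulebase(VLANS, 100), pkt)
        print(pkt, "flat:", flat, "jump:", jump)
```

The numbers match the reasoning in the post: traffic to vlan10 pays one extra evaluation for the jump, traffic to vlan20 pays two but skips the hundred vlan10 rules, and an unmatched packet to vlan30 is decided after 104 evaluations instead of 301. The final drop is still needed in both layouts, because a packet that falls out of every user chain lands back in forward, which would accept it by default.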
by vingjfg
Tue Jan 16, 2024 11:44 am
Forum: Beginner Basics
Topic: Help i couldn't Login page
Replies: 4
Views: 964

Re: Help i couldn't Login page

Peayeon, Are you saying you suspect that someone broke into your device and made unauthorized changes? If you have evidence of that or suspect that, I would suggest you immediately factory-reset the device, reinstall the updates, and reapply your last known-good configuration as you don't know what ...
by vingjfg
Tue Jan 16, 2024 11:10 am
Forum: Forwarding Protocols
Topic: BGP Filters translate from ros6 to ros7 not working
Replies: 9
Views: 1434

Re: BGP Filters translate from ros6 to ros7 not working

Macosoft, I think your last 3 rules should be:
add chain=from_rds disabled=no rule="if (dst-len>-1) {set distance 50; accept}"
add chain=to_rds disabled=no rule="if (dst-len>-1) {reject}" comment="Should not be needed - default is to reject"
add chain=to_telekom disable...
by vingjfg
Tue Jan 16, 2024 10:39 am
Forum: Scripting
Topic: Can the content written to the file be added? [SOLVED]
Replies: 17
Views: 1793

Re: Can the content written to the file be added? [SOLVED]

/file print file=result.txt
/file set [find name="result.txt"] contents=[/interface pppoe-client get [find name=pppoe-out1] password]
--------------------------------------------------------------------------------
A s...
by vingjfg
Mon Jan 15, 2024 12:00 am
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

Interesting that it was missing the last rule. Do you see it when you use winbox or webfig? Do you have the same missing last rule for /ip firewall filter/print chain=forward?
by vingjfg
Sun Jan 14, 2024 11:55 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

OK. For wireguard, I suggest you open a different thread as this will fork off this discussion. My experience - purely on Linux as the client and server - is that even if the UDP datagrams don't go through, the client will still report that everything is fine. It's just that it will never receive a ...
by vingjfg
Sun Jan 14, 2024 11:08 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

Actually, can you post here the output of the following command? That will show if any rule have been dynamically inserted.
/ip/firewall/filter/print chain=input
by vingjfg
Sun Jan 14, 2024 10:58 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

Reading the configuration. For Wireguard, not certain: I see in your rules you have it in two places, the input and the raw/prerouting chains. Does the counter of the input chain increment when you connect? For the traffic not going through, you likely need to set a firewall rule in the forward chai...
by vingjfg
Sun Jan 14, 2024 5:19 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

I hope things are slowly getting back to normal. If you'd like, can you post the export of your config after all the changes?
by vingjfg
Sun Jan 14, 2024 3:10 pm
Forum: Beginner Basics
Topic: Communication between VLANs [SOLVED]
Replies: 20
Views: 1553

Re: Communication between VLANs [SOLVED]

Let's say it is an educated guess ... OP's posts might show complete config but they also might (more likely) show only what he deems relevant for the problem (and thus all the default firewall rules might follow in which case the whole problem might be solved by properly reordering the rules). Tha...
by vingjfg
Sun Jan 14, 2024 2:38 pm
Forum: Beginner Basics
Topic: Communication between VLANs [SOLVED]
Replies: 20
Views: 1553

Re: Communication between VLANs [SOLVED]

Let's say it is an educated guess ...
I tried adding another rule so now it becomes:
#0: Chain: forward, Action: accept, In Interface: vlan20, Out Interface: vlan30
#1: Chain: forward, Action: drop, In Interface: vlan30, Out Interface: vlan20
by vingjfg
Sun Jan 14, 2024 12:58 pm
Forum: Beginner Basics
Topic: Communication between VLANs [SOLVED]
Replies: 20
Views: 1553

Re: Communication between VLANs [SOLVED]

I was about to say that it seems he removed all the rules.
by vingjfg
Sun Jan 14, 2024 12:12 pm
Forum: RouterOS beta
Topic: BGP problem after updating from V6.49 to 7.6
Replies: 10
Views: 3383

Re: BGP problem after updating from V6.49 to 7.6

Same for rule 1.
by vingjfg
Sun Jan 14, 2024 12:09 pm
Forum: RouterOS beta
Topic: BGP problem after updating from V6.49 to 7.6
Replies: 10
Views: 3383

Re: BGP problem after updating from V6.49 to 7.6

Rule 3 in the screenshot should be in the form

If (condition) {actions;}
by vingjfg
Sat Jan 13, 2024 9:26 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

Then the last rule of the input chain I suggested will take care of it.

Btw, are things getting better?
by vingjfg
Sat Jan 13, 2024 8:35 pm
Forum: General
Topic: Assistance Needed with Multicast Configuration for MDNS Print Server over GRE Tunnel
Replies: 9
Views: 898

Re: Assistance Needed with Multicast Configuration for MDNS Print Server over GRE Tunnel

Bridging over your tunnel, a pair of openwrt with a tunnel and mdns reflectors, or a container with the mdns reflector.

Don't think pim will help, mdns is a link-local multicast.
by vingjfg
Sat Jan 13, 2024 6:46 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

The chain=input rulebase misses all the bits for fasttrack, established, invalid, related and so forth, and doesn't have a global drop for the WAN. This drops anything coming directly at the router from the identified DDoSers. Likely redundant with the ACL in the raw prerouting, but could catch stuf...
by vingjfg
Sat Jan 13, 2024 6:33 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

My comments: The fasttrack , invalid , and established in the chain=forward should come on top, then the rules for the new packets. The rule with the connection-nat-state=dstnat accepts everything coming from any network, as long as a dstnat was done. Consider changing it to reflect the NAT (source,...
by vingjfg
Sat Jan 13, 2024 5:42 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

I saw you posted earlier. Having a look.
by vingjfg
Sat Jan 13, 2024 5:41 pm
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

Can you post your ip firewall config, with the sensitive bits removed?
by vingjfg
Sat Jan 13, 2024 11:03 am
Forum: Beginner Basics
Topic: DDoS help
Replies: 42
Views: 2711

Re: DDoS help

T-Mobile has indeed a feature for DDoS protection. A paid feature. Their reluctance is simply that they don't want to provide it for free, even if that means that you are being disconnected due to the attack. Yes, ISPs have a nasty tendency to leave people in the lurch. One issue I see is that port tcp...
by vingjfg
Sat Jan 13, 2024 10:44 am
Forum: Beginner Basics
Topic: Difference between Native vs explicit VLAN while interVLAN routing? [SOLVED]
Replies: 1
Views: 810

Re: Difference between Native vs explicit VLAN while interVLAN routing? [SOLVED]

Hello, I cannot talk about the Mikrotik internal specifics as I don't know them. For another vendor whose name starts with C, VLAN 1 is the default VLAN for the management protocols and you can't change or delete it. Note that VID 0 is a special case and means "no tagging information, just a pr...
by vingjfg
Sat Jan 13, 2024 10:20 am
Forum: General
Topic: Assistance Needed with Multicast Configuration for MDNS Print Server over GRE Tunnel
Replies: 9
Views: 898

Re: Assistance Needed with Multicast Configuration for MDNS Print Server over GRE Tunnel

Alas, mDNS is a link-local multicast ( RFC6762 ), this means that routers are not supposed to pass them across subnets. This includes not passing over GRE tunnels. To pass them across subnets, you need a mDNS reflector: it basically takes the advertisements on one subnet and republishes them on a diff...
by vingjfg
Fri Jan 12, 2024 11:20 am
Forum: General
Topic: Mikrotik rb750gr3 internet speed is slow
Replies: 11
Views: 1025

Re: Mikrotik rb750gr3 internet speed is slow

Please redo the test from a wired client AND share the details on how your wifi connects to your router.
by vingjfg
Fri Jan 12, 2024 7:45 am
Forum: Beginner Basics
Topic: Issue getting IP Address
Replies: 3
Views: 687

Re: Issue getting IP Address

Can you share the Mikrotik config?
by vingjfg
Thu Jan 11, 2024 8:32 pm
Forum: General
Topic: dst-nat port forwarding not working
Replies: 8
Views: 1324

Re: dst-nat port forwarding not working

Is the source also on 192.168.10.0/24? By the look of your config, it seems so.
by vingjfg
Wed Jan 10, 2024 10:38 pm
Forum: Wireless Networking
Topic: Mikrotik + Pfsense as captive portal
Replies: 6
Views: 1712

Re: Mikrotik + Pfsense as captive portal

Aren't the 2 subnets supposed to be served by the pfsense to make mDNS work. Your system sounds like router behind router. Well, they are, and not in the way the OP thinks of it. I redrew slightly based on the explanation, the OP's diagram being wrong and misleading. So technically, once Avahi is in...
by vingjfg
Tue Jan 09, 2024 7:01 pm
Forum: Wireless Networking
Topic: Mikrotik + Pfsense as captive portal
Replies: 6
Views: 1712

Re: Mikrotik + Pfsense as captive portal

Pfsense has an mdns reflector, in the package avahi.
by vingjfg
Tue Jan 09, 2024 6:59 pm
Forum: Wireless Networking
Topic: Mikrotik + Pfsense as captive portal
Replies: 6
Views: 1712

Re: Mikrotik + Pfsense as captive portal

First issue is the local routing: from 192.168.0/24, you likely go to the default gateway before going to the pfsense in order to reach 192.168.50.0/24. That works but depending on rules and conn tracking and things, this can result in delays. To try, add a route to 192.168.50.0/24 via the pfsense 1...
by vingjfg
Tue Jan 09, 2024 4:14 pm
Forum: Wireless Networking
Topic: Mikrotik + Pfsense as captive portal
Replies: 6
Views: 1712

Re: Mikrotik + Pfsense as captive portal

Can you post a network diagram and your MT config?

Regarding network discovery, what protocol is used?
by vingjfg
Sun Jan 07, 2024 3:31 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2832

Re: DNS not resolving some domains

Interestingly, there seems to be some variance between the replies from 9.9.9.9 <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> ANY whitehouse.gov @9.9.9.9 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19722 ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORIT...
by vingjfg
Sun Jan 07, 2024 3:17 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2832

Re: DNS not resolving some domains

8.8.8.8 and 9.9.9.9 respond, see below for the full response which is identical between 8.8.8.8 and 9.9.9.9. The other 3 I tried don't respond (1.1.1.1, 208.67.222.222, 193.110.81.9). As you correctly indicated in your earlier message, the error is "NOTIMP." All of these are public resolve...
by vingjfg
Sun Jan 07, 2024 2:33 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2832

Re: DNS not resolving some domains

Ticket open - SUP-139658
by vingjfg
Sun Jan 07, 2024 2:21 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2832

Re: DNS not resolving some domains

Yup, I agree: lots of negativity. On the other hand, the forum is full of messages of people demanding help and of "consultants" asking for help but really having the members of the forum doing their jobs . Nothing more pleasant than seeing a guy whose credentials are obviously "was a...
by vingjfg
Sun Jan 07, 2024 1:00 pm
Forum: General
Topic: Recommended for IPS/IDS
Replies: 6
Views: 2817

Re: Recommended for IPS/IDS

Ha! Deep packet inspection, application awareness, L7 inspection, whatever name it has today. The hallmark of the modern firewall. But that's not a function Mikrotik devices have natively. In essence, you are paying someone to maintain a database of IP addresses, domain names and signatures that ena...
by vingjfg
Sun Jan 07, 2024 12:47 pm
Forum: General
Topic: Under DNS Amplification attack, network unusable with Mikrotik routers
Replies: 12
Views: 2392

Re: Under DNS Amplification attack, network unusable with Mikrotik routers

So, I assume (maybe I shouldn't) that you already rebooted the device. What you may see is the effect of the ongoing attack plus some return traffic. Has it died off? If not you may try to ask the ISP to drop all traffic going to the external address, destination port 53. As you had left an open re...
by vingjfg
Fri Jan 05, 2024 6:47 pm
Forum: General
Topic: Simple hairpin not working
Replies: 17
Views: 1751

Re: Simple hairpin not working

I think you meant SERVER!
Correct, server not router.
by vingjfg
Fri Jan 05, 2024 2:14 pm
Forum: General
Topic: Simple hairpin not working
Replies: 17
Views: 1751

Re: Simple hairpin not working

/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT" connection-mark="Hairpin NAT" log-prefix="Hairpin NAT Masquerade"
add action=masquerade chain=srcnat comment="Default NAT Masquerade" out-interface=ether1.12 (VLAN for my ONT)
add actio...
by vingjfg
Fri Jan 05, 2024 1:44 pm
Forum: General
Topic: Local IP Addressed leased but no internet.
Replies: 7
Views: 2119

Re: Local IP Addressed leased but no internet.

Yes I do not use vlan filtering on the router, all vlan process on the switch CRS326, only tagged traffic to eth10 sent to the switch and it will process it all. The connection most of the PC is ok but sometime for some reason it decide not to go online even local IP has been leased. Then you may c...
by vingjfg
Thu Jan 04, 2024 5:54 pm
Forum: Beginner Basics
Topic: Problem NAT Server, Client's Public IP Not Show in log [SOLVED]
Replies: 4
Views: 1686

Re: Problem NAT Server, Client's Public IP Not Show in log [SOLVED]

This is the cause:
/ip firewall nat
chain=srcnat action=masquerade log=no log-prefix="" 
Everything that crosses the firewall has its source IP changed to the router's exit interface.
by vingjfg
Thu Jan 04, 2024 12:17 pm
Forum: General
Topic: Simple hairpin not working
Replies: 17
Views: 1751

Re: Simple hairpin not working

Hi,
Your dstnat rules need to be changed (Hairpin isn't coming in from a WAN port):
add action=dst-nat chain=dstnat comment=https dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.0.14 to-ports=443
Instead of using in-interface-list=WAN, perhaps use dst-address-type=local
Be caref...
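A simulation of the two NAT effects discussed in this post and in the "Client's Public IP Not Show in log" reply above, as an added example that is not part of the original threads: why a dst-nat rule limited to in-interface-list=WAN never catches a LAN client hitting the public address, why the hairpin flow then also needs a source NAT so that the server's reply comes back through the router, and why a masquerade rule with no out-interface replaces every client address with the router's. The topology is constructed (203.0.113.10 and 198.51.100.7 are RFC 5737 documentation addresses); only the server address 192.168.0.14 comes from the post. The hairpin match here is simplified to "LAN source and LAN destination after dst-nat" instead of the connection-mark used in the thread.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed topology for this example (not taken from the thread, apart from
# the server address 192.168.0.14).
LAN = ipaddress.ip_network("192.168.0.0/24")
ROUTER_LAN_IP = "192.168.0.1"
ROUTER_WAN_IP = "203.0.113.10"        # RFC 5737 documentation address
SERVER_IP = "192.168.0.14"
ROUTER_IPS = {ROUTER_LAN_IP, ROUTER_WAN_IP}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    in_iface: str                     # "LAN" or "WAN"


def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN


def route(dst):
    return "LAN" if in_lan(dst) else "WAN"


def dstnat(pkt, local_dst):
    """chain=dstnat dst-port=443 to-addresses=SERVER_IP.

    local_dst=False models in-interface-list=WAN (the posted rule): a LAN client
    talking to the public address is never translated.
    local_dst=True models dst-address-type=local instead.
    """
    if local_dst:
        hits = pkt.dst in ROUTER_IPS
    else:
        hits = pkt.in_iface == "WAN" and pkt.dst == ROUTER_WAN_IP
    return replace(pkt, dst=SERVER_IP) if hits and pkt.dport == 443 else pkt


def srcnat(pkt, out_iface, masquerade_all, hairpin):
    """chain=srcnat. The exit address is whatever the router has on out_iface."""
    exit_ip = ROUTER_LAN_IP if out_iface == "LAN" else ROUTER_WAN_IP
    if masquerade_all:                # action=masquerade with no out-interface at all
        return replace(pkt, src=exit_ip)
    if out_iface == "WAN":            # the normal LAN -> Internet masquerade
        return replace(pkt, src=exit_ip)
    if hairpin and in_lan(pkt.src) and in_lan(pkt.dst):
        return replace(pkt, src=exit_ip)   # LAN -> LAN after dst-nat: hairpin
    return pkt


def forward(pkt, *, local_dst=False, masquerade_all=False, hairpin=False):
    """Return (source the server sees, reply source the client sees, session ok).

    ('not-forwarded', None, False) means the packet stayed addressed to the
    router itself, went to the input chain and never reached the server.
    """
    original_dst = pkt.dst
    pkt = dstnat(pkt, local_dst)
    if pkt.dst in ROUTER_IPS:
        return "not-forwarded", None, False
    pkt = srcnat(pkt, route(pkt.dst), masquerade_all, hairpin)
    server_sees = pkt.src
    # The reply passes back through the router (where conntrack reverses both
    # translations) only if the server has to route it there. A reply to a host on
    # the server's own LAN goes straight to that host with the server's real address.
    reply_via_router = server_sees in ROUTER_IPS or not in_lan(server_sees)
    client_sees = original_dst if reply_via_router else SERVER_IP
    return server_sees, client_sees, client_sees == original_dst


if __name__ == "__main__":
    lan_client = Packet("192.168.0.50", ROUTER_WAN_IP, 443, "LAN")
    wan_client = Packet("198.51.100.7", ROUTER_WAN_IP, 443, "WAN")
    print("LAN client, dst-nat on WAN only:   ", forward(lan_client))
    print("LAN client, dst-address-type=local:", forward(lan_client, local_dst=True))
    print("LAN client, plus hairpin src-nat:  ", forward(lan_client, local_dst=True, hairpin=True))
    print("WAN client, default rules:         ", forward(wan_client))
    print("WAN client, masquerade everything: ", forward(wan_client, masquerade_all=True))
```

The hairpin case works only with the source NAT, and the price is exactly the symptom from the other thread: the server logs the router's LAN address instead of the client. That is acceptable for a handful of internal clients reaching a public name, but a masquerade rule without an out-interface does the same to every Internet client, which is what to look for when a server log shows only the router.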
by vingjfg
Wed Jan 03, 2024 11:02 pm
Forum: General
Topic: Local IP Addressed leased but no internet.
Replies: 7
Views: 2119

Re: Local IP Addressed leased but no internet.

Your rules are seriously messed up and do not contain the usual elements (established, fasttrack...) however they don't end in drop all so everything is accepted (hint: bad). Reading your configurations: I do not see any definition for the vlans in the bridge (/interface bridge vlan) of your RB4011,...
by vingjfg
Tue Jan 02, 2024 10:34 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2832

Re: DNS not resolving some domains

I hardly think that RFC1918 IP addresses are a security problem. Keep these where they are and remove the public ones, as well as the keys, usernames and hashes, and serial numbers when you post the full config. What is the problem in the excerpt you posted is that the query is received from 255.255...
by vingjfg
Tue Jan 02, 2024 9:46 pm
Forum: General
Topic: Wireguard Peers can't access IPs on VLANs
Replies: 32
Views: 3470

Re: Wireguard Peers can't access IPs on VLANs

The RSC configuration the OP attached. Did not even look at the recommended changes as the OP's design is fundamentally bad.
by vingjfg
Tue Jan 02, 2024 9:18 pm
Forum: General
Topic: DNS not resolving some domains
Replies: 23
Views: 2832

Re: DNS not resolving some domains

If 192.168.1.1 is your Mikrotik, what is this then?
/ip address add address=192.1.1.1/24 interface=bridge network=192.1.1.0
/ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=8.8.8.8
/ip firewall address-list add address=192.1.1.0/24 list=intern
by vingjfg
Tue Jan 02, 2024 8:57 pm
Forum: General
Topic: Wireguard Peers can't access IPs on VLANs
Replies: 32
Views: 3470

Re: Wireguard Peers can't access IPs on VLANs

If I understand your configuration, and that's a real pig's breakfast, your issue is that the hosts on 192.168.2.0/24 have no idea where to forward the return packets for your wireguard network. A possible workaround would be to NAT all that subnet behind the Hex's IP. I'm afraid that it would just ...
by vingjfg
Tue Jan 02, 2024 12:32 pm
Forum: General
Topic: Local IP Addressed leased but no internet.
Replies: 7
Views: 2119

Re: Local IP Addressed leased but no internet.

Do you have an input rule from your LAN to the Mikrotik? Looking at your rule base, that doesn't seem to be the case. Can you post the outputs of the following commands? /ip firewall/filter/print where chain=input /ip firewall/filter/print where chain=forward /ip firewall/filter/print where chain=ou...
by vingjfg
Tue Jan 02, 2024 7:45 am
Forum: Beginner Basics
Topic: Loadbalancing issues
Replies: 3
Views: 1063

Re: Loadbalancing issues

Please export your config, remove the sensitive bits, and post here.
by vingjfg
Sun Dec 31, 2023 7:20 pm
Forum: Beginner Basics
Topic: still same problem and same issue please help!
Replies: 8
Views: 2480

Re: still same problem and same issue please help!

Please export and post your config.
by vingjfg
Fri Dec 22, 2023 4:55 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

Thanks, same to you.

You still have several things to fix on this Mikrotik though. Don't forget about them.
by vingjfg
Fri Dec 22, 2023 3:48 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

Sorry, I found the issue. I couldn't use the command that switched the position: /ip firewall nat/move numbers=1 destination=0 It shows: expected command name (line 1 column 17) So, I made the change manually, putting the accept rule first and then the masquerade rule. By reversing the sequence, th...
by vingjfg
Fri Dec 22, 2023 2:35 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

You are running version 6, I am checking against version 7 so some things are a bit different. I do not understand what you mean by: When I removed that old rule, the specific websites that weren't working before stopped working again. I didn't quite understand the 'add the permit at the bottom' par...
by vingjfg
Fri Dec 22, 2023 9:57 am
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

And as usual, when you have the changes implemented, send an updated configuration. I will need to know how you connect to this device, whether that is from the LAN or from the WAN.
by vingjfg
Thu Dec 21, 2023 10:35 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

Are you certain you issued all the commands? Some are not showing in the config you sent and some of the items that should have been removed are still there. No idea what the issue with the phone system can be. Blocked where? 1060 is not a standard port for SIP. Anyway, third wave of config changes....
by vingjfg
Thu Dec 21, 2023 7:33 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

Here is the second wave. More optional stuff but still important.
# Set the identity
/system identity
set name=mtrouter01

# Configure NTP to update the time
/system ntp client
set enabled=yes
/system ntp client servers
add address=br.pool.ntp.org
by vingjfg
Thu Dec 21, 2023 7:22 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

Here is the first wave. Review, implement and provide the export once you are done. Please also provide the output of "/ip/firewall/filter export" and "/ip/firewall/nat export" # New addressing scheme # 192.168.0.1 - 19 - static IP and leases # 192.168.0.20 - 254 - dynamic IP # F...
by vingjfg
Thu Dec 21, 2023 5:10 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

I will have a look at the configuration you posted later. Please learn how to use the /export function.
by vingjfg
Thu Dec 21, 2023 9:51 am
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

You didn't need to speak so poorly; I know the settings are terrible. I wouldn't be doing this if I weren't forced to. It's outside my area of expertise, but it was requested, and I need to deliver because support won't be called this year. I made these settings based on videos I watched. I'm also ...
by vingjfg
Wed Dec 20, 2023 4:10 pm
Forum: Beginner Basics
Topic: Some websites don't work [SOLVED]
Replies: 24
Views: 1817

Re: Some websites don't work [SOLVED]

Your configuration makes my eyes bleed - some chosen bits: add name=dhcp_pool3 ranges=\ 192.0.0.1-192.168.0.12,192.168.0.14-192.255.255.254 /ip address add address=192.168.0.13/8 interface=ether5 network=192.0.0.0 /ip firewall filter add action=accept chain=input src-address="" Not to ment...
by vingjfg
Wed Dec 20, 2023 1:53 pm
Forum: General
Topic: RouterOS 7.13 DNS issue
Replies: 7
Views: 1181

Re: RouterOS 7.13 DNS issue

The A record is for the canonical name. Actually, the only requirement is that the last CNAME be resolvable. For example, this is contrived but valid: /ip dns static add cname=foo.example.com name=bar.example.com ttl=1w type=CNAME add cname=stuff.example.com name=foo.example.com ttl=1w type=CNAME ad...
by vingjfg
Wed Dec 20, 2023 12:42 pm
Forum: General
Topic: RouterOS 7.13 DNS issue
Replies: 7
Views: 1181

Re: RouterOS 7.13 DNS issue

For the A record for the CNAME, the canonical entry needs to be resolvable: Resolvable canonical name: /ip/dns/static/add name=bar.example.com type=CNAME ttl=1w cname=www.google.com $ dig @192.168.2.1 bar.example.com ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.2.1 bar.example.com ; ...
by vingjfg
Wed Dec 20, 2023 12:35 pm
Forum: General
Topic: RouterOS 7.13 DNS issue
Replies: 7
Views: 1181

Re: RouterOS 7.13 DNS issue

Could you check the last example? It seems you interrogated 192.168.2.1 instead of 192.168.1.1.
by vingjfg
Wed Dec 20, 2023 11:54 am
Forum: General
Topic: RouterOS 7.13 DNS issue
Replies: 7
Views: 1181

Re: RouterOS 7.13 DNS issue

You need an A record for the CNAME. On Mikrotik: /ip/dns/static/add name=bar.example.com type=CNAME ttl=1w cname=foo.example.com Resolution: $ dig @192.168.2.1 bar.example.com ; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> @192.168.2.1 bar.example.com ; (1 server found) ;; global options: +cmd ;; Go...
by vingjfg
Wed Dec 20, 2023 10:11 am
Forum: Scripting
Topic: Environment in Script List [SOLVED]
Replies: 3
Views: 1246

Re: Environment in Script List [SOLVED]

Likely because MT considers "7.1", "7.0.1" and "7.0.0.1" to be IP addresses.

Remember, there is no float in the scripting language.
by vingjfg
Wed Dec 20, 2023 9:36 am
Forum: Beginner Basics
Topic: Bridge: 100 Mb or 1 G?
Replies: 8
Views: 2281

Re: Bridge: 100 Mb or 1 G?

Can you do the following: Disconnect ether5. Remove ether5 from the bridge. Connect ether5. Wait 2-3 seconds Issue the following commands: "/interface/ethernet/print detail", "/interface/ethernet/print stats-detail", and "/interface/ethernet/monitor ether5 once". Discon...
by vingjfg
Tue Dec 19, 2023 8:44 pm
Forum: Beginner Basics
Topic: Bridge: 100 Mb or 1 G?
Replies: 8
Views: 2281

Re: Bridge: 100 Mb or 1 G?

It is better to leave it in auto-negotiate on both sides: for 10 and 100Mb/s you would end in half-duplex and most of the time with more errors than frames. But the most important thing is that if you disable auto-negotiate on any side, you also disable the MDI-X, the detection of cross/non-cross connecti...
by vingjfg
Tue Dec 19, 2023 5:15 pm
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1094

Re: RouterOS 6.49.10 DNS issue

Yup, forgot that it was the original setting.

At this point, I think this would be worth creating a support ticket for, as it seems to be a bug.
by vingjfg
Tue Dec 19, 2023 2:47 pm
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1094

Re: RouterOS 6.49.10 DNS issue

OK.

Other way around: can you set the TTL to 4 hours?
by vingjfg
Tue Dec 19, 2023 2:14 pm
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1094

Re: RouterOS 6.49.10 DNS issue

Just to test, can you try to set the TTL for the FWD entry to 1s?
by vingjfg
Tue Dec 19, 2023 12:14 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

/ip/firewall/nat add action=masquerade chain=srcnat comment="To management server" out-interface-list=VPN src-address=172.1.2.0/24
by vingjfg
Tue Dec 19, 2023 12:03 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

Your question was about routing, everything until now was about routing and you have not mentioned NAT before.

If you want NAT, create a NAT rule:
/ip/firewall/nat add action=masquerade chain=srcnat comment="To management server" out-interface-list=VPN in-interface-list=LAN
by vingjfg
Tue Dec 19, 2023 11:51 am
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1094

Re: RouterOS 6.49.10 DNS issue

The Wireshark capture, can you do it server side to see if the server always replies correctly? I made different test: set DNS server - AD DNS And always get full response With mikrotik - not That I guessed. My question is whether it works when MT is querying the DNS, and not working when MT is res...
by vingjfg
Tue Dec 19, 2023 10:36 am
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1094

Re: RouterOS 6.49.10 DNS issue

The Wireshark capture, can you do it server side to see if the server always replies correctly?
by vingjfg
Tue Dec 19, 2023 10:27 am
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

If the main-router doesn't know where 172.1.2.0/24 is, it can't reply.

So fix that, prove to me you fixed it and we can continue.
by vingjfg
Tue Dec 19, 2023 9:14 am
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

Reading the zerotier documentation, you need a ZT managed route.
by vingjfg
Tue Dec 19, 2023 7:39 am
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

Main-router has no return route for 172.1.2.0/24.

On main-router, add a route for 172.1.2.0/24 via 10.147.18.4. You also need to check your zerotier and make sure that network is defined.
by vingjfg
Mon Dec 18, 2023 10:46 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

Send me the routing table from both routers. That will be easier. "/ip/route/print detail"
by vingjfg
Mon Dec 18, 2023 10:01 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

Not what I said: I said that it seems you do not have a route for 172.1.2.0/24 on the main-router/router2.

main-router/router2, post here the output of the following command.
/ip/route/print detail
by vingjfg
Mon Dec 18, 2023 9:20 pm
Forum: General
Topic: RouterOS 6.49.10 DNS issue
Replies: 12
Views: 1094

Re: RouterOS 6.49.10 DNS issue

There is an issue in the regexp - regexp="*\\.example\\.com" -> regexp=".*\\.example\\.com"
by vingjfg
Mon Dec 18, 2023 9:03 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

Seems you don't have a route back for 172.1.2.0/24 in main-router/router2.

Can't tell if your ZeroTier is correctly configured.
by vingjfg
Mon Dec 18, 2023 3:43 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

That's because you have to do an export, not a backup.

In the terminal/CLI, issue the following. You have to do it on each router.
/export file=<whatever name>
And download the file using winbox or webfig.

Remove all the sensitive information and post here.
by vingjfg
Mon Dec 18, 2023 2:33 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2596

Re: Confused about VLANs

Then that's pretty easy: Proxmox : trunk your VLANs to the interface connecting to your Mikrotik switch Mikrotik : enable vlan-filtering (careful not to cut yourself off), add the relevant ports as pvid 1, create all the VLANs and add all the relevant ports as "tagged", edit VLAN1 and add ...
by vingjfg
Mon Dec 18, 2023 2:27 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

Can you post the exports here, instead of on an external site?

Thank you
by vingjfg
Mon Dec 18, 2023 7:21 am
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

Have you checked the firewall rules? The routing on the second router?

Please, config.
by vingjfg
Sun Dec 17, 2023 10:12 pm
Forum: Beginner Basics
Topic: Help with simple static routing [SOLVED]
Replies: 24
Views: 2194

Re: Help with simple static routing [SOLVED]

Can be a number of things.

Can you send the configurations for both routers?
by vingjfg
Sun Dec 17, 2023 6:17 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2596

Re: Confused about VLANs

Can you use draw.io to make a diagram of what you plan to have, with for each link what vlan are present?
by vingjfg
Sun Dec 17, 2023 5:14 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2596

Re: Confused about VLANs

Exactly: without vlan-filtering , all VLANs defined on the bridge are passed to all attached ports as these VLANs exist on the switch: pvid for the bridge in untagged, everything else is tagged. No. Without vlan-filtering there is no such thing as pvid. Period. You are right, I misexpressed myself:...
by vingjfg
Sun Dec 17, 2023 4:32 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2596

Re: Confused about VLANs

Not at all, but a few things. Without VLAN-filtering each port gets VLAN 1 untagged and all the other VLANs tagged. Without vlan-filtering enabled ROS device doesn't touch 802.1q (a.k.a. VLAN) headers ... and that includes those with VLAN ID 1. It'd hard to figure VLAN 1 as most vendors treat VLAN ...
by vingjfg
Sun Dec 17, 2023 4:19 pm
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2596

Re: Confused about VLANs

Exactly that: an interface that is not part of any bridge and has an IP address directly assigned to it. Don't forget to adapt the firewall rules. Just realized my "won't" became "want" in the post. Why shouldn't the interface be part of any bridge ? To prevent "backfeed&qu...
by vingjfg
Sun Dec 17, 2023 10:33 am
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2596

Re: Confused about VLANs

[...] Shouldn't I just add the "bridge" (AKA "Management Interface" or "CPU") ONLY to the Management VLAN as "Tagged" rather ? And ALL other Interfaces (sfp-sfpplus1...16 etc) TAGGING ALL other VLANs as well ? I do not know the exact details yet - I am now us...
by vingjfg
Sun Dec 17, 2023 9:51 am
Forum: General
Topic: Security of ptp links
Replies: 3
Views: 1132

Re: Security of ptp links

I'll start by saying that if your manager said that "anyone can guess it", this likely means your manager is used to picking weak passwords such as "yourcompanyname01!" or "Winter2023!". If the PSK is or are really random, for example you generated them with a password ...
by vingjfg
Sun Dec 17, 2023 9:24 am
Forum: General
Topic: Confused about VLANs
Replies: 28
Views: 2596

Re: Confused about VLANs

Not at all, but a few things. Without VLAN-filtering each port gets VLAN 1 untagged and all the other VLANs tagged. I know, this is weird, but I learned the hard way. Do not forget to add the bridge as a tagged member of all the VLANs other than 1. The test you did with eno1/eno1.100 (Is this the co...
by vingjfg
Sun Dec 17, 2023 7:45 am
Forum: General
Topic: Some Linux Disros interference the network
Replies: 6
Views: 1707

Re: Some Linux Disros interference the network

Can you give some more info? The config? The IP of the linux host when you got the issue? A packet capture?
by vingjfg
Sun Dec 17, 2023 7:28 am
Forum: Forwarding Protocols
Topic: Set pref-src on ospf in ROS 7.12.1 [SOLVED]
Replies: 3
Views: 1949

Re: Set pref-src on ospf in ROS 7.12.1 [SOLVED]

What happens if you invert accept and set pref-src in the rule?
/routing filter rule
add chain=ospf-IN disabled=no rule=\
"if(dst in 0.0.0.0/0){set pref-src 10.10.100.1; accept;}"
by vingjfg
Sat Dec 16, 2023 4:31 pm
Forum: General
Topic: HAIRPIN NAT NOT WORK
Replies: 3
Views: 1090

Re: HAIRPIN NAT NOT WORK

My apologies, the export in your original message did not show when I read it first. This one is almost correct - remove the to-addresses . You do not need to masquerade behind the public IP, just behind the local IP of the router. /ip firewall nat add action=masquerade chain=srcnat comment=TEST-HAI...
by vingjfg
Sat Dec 16, 2023 1:03 pm
Forum: General
Topic: HAIRPIN NAT NOT WORK
Replies: 3
Views: 1090

Re: HAIRPIN NAT NOT WORK

Config export, please.
by vingjfg
Wed Dec 13, 2023 9:21 am
Forum: Beginner Basics
Topic: Need help with NAT for home server(s)
Replies: 12
Views: 2701

Re: Need help with NAT for home server(s)

Some rules that I find strange - add action=src-nat chain=srcnat comment="SMTP za Monolith" dst-address=192.168.88.112 dst-port=25 protocol=tcp to-addresses=192.168.88.1 to-ports=0-65535 to-ports is not needed Trying from the Internet, I see the following. Can you check on the server that ...
by vingjfg
Wed Dec 13, 2023 8:55 am
Forum: Beginner Basics
Topic: Need help with NAT for home server(s)
Replies: 12
Views: 2701

Re: Need help with NAT for home server(s)

You are doing hairpin NAT, that's often an issue but a casual review shows this is fine. I see that the HTTPS rule for Monolith is disabled. Did you enable it when you had disabled the other rules? The test you mention, does it run from the inside or from the outside? I will read the config in detai...
by vingjfg
Sun Dec 10, 2023 9:14 am
Forum: Beginner Basics
Topic: Blocking DNS traffic
Replies: 6
Views: 1995

Re: Blocking DNS traffic

And remove the dns rules from the output chain. The only thing you achieved is preventing the router itself from being able to resolve anything. And for reference, the documentation on the firewall: https://help.mikrotik.com/docs/display/ROS/Filter Key elements: input is for connection to the device...
by vingjfg
Sat Dec 09, 2023 11:23 pm
Forum: Beginner Basics
Topic: Blocking DNS traffic
Replies: 6
Views: 1995

Re: Blocking DNS traffic

Second input rule.
by vingjfg
Sat Dec 09, 2023 10:38 am
Forum: General
Topic: WireGuard access
Replies: 13
Views: 2394

Re: WireGuard access

@andrew162, Can you post a diagram with the L3 information? Currently, it is impossible to tell what goes where. Also, can you post a status of wireguard on the client and the routing table just after the connection? On Linux that is achieved with the following. sudo wg show ip route Lastly, what ar...
by vingjfg
Fri Dec 08, 2023 12:27 pm
Forum: General
Topic: RDP not working in lan
Replies: 7
Views: 2035

Re: RDP not working in lan

Please post the output of the following commands on the notebook
netsh advfirewall firewall show rule name=all
netstat -an
by vingjfg
Fri Dec 08, 2023 11:55 am
Forum: General
Topic: Having issues with DHCP client over trunk [SOLVED]
Replies: 6
Views: 2202

Re: Having issues with DHCP client over trunk [SOLVED]

Cool and you're most welcome.
by vingjfg
Fri Dec 08, 2023 10:32 am
Forum: Forwarding Protocols
Topic: Question about OSPF route filtering
Replies: 6
Views: 1755

Re: Question about OSPF route filtering

That did not work either.

I guess a support ticket is in order.
by vingjfg
Fri Dec 08, 2023 10:21 am
Forum: Forwarding Protocols
Topic: Question about OSPF route filtering
Replies: 6
Views: 1755

Re: Question about OSPF route filtering

Confirmed - I was able to reproduce this.

The OSPF instance has an interface-template for 192.168.0.0/16 which matches several local interfaces on my router, a filter out to remove one of them does not work.

I am looking into the select rules.
by vingjfg
Thu Dec 07, 2023 10:43 pm
Forum: Forwarding Protocols
Topic: Question about OSPF route filtering
Replies: 6
Views: 1755

Re: Question about OSPF route filtering

Thanks for the feedback. I will play with this tomorrow
by vingjfg
Thu Dec 07, 2023 6:54 pm
Forum: Forwarding Protocols
Topic: Question about OSPF route filtering
Replies: 6
Views: 1755

Re: Question about OSPF route filtering

Something else to try ... I don't know if Mikrotik likes "naked statements" - does this work? /routing/filter/rule> pr where chain=ospf-out Flags: X - disabled, I - inactive 0 chain=ospf-out rule="if (dst in 10.255.255.0/24 && dst-len == 32) { accept; }" 1 chain=ospf-out ...
by vingjfg
Thu Dec 07, 2023 6:37 pm
Forum: Forwarding Protocols
Topic: Question about OSPF route filtering
Replies: 6
Views: 1755

Re: Question about OSPF route filtering

If you add an explicit rule before the catch-all reject such as
chain=ospf-out rule="if (dst in 10.242.99.0/24 && dst-len == 32) { reject; }" 
Does it work as intended?
by vingjfg
Thu Dec 07, 2023 5:45 pm
Forum: General
Topic: MAC address jumping around on MLAG interfaces (Bridge Hosts table)
Replies: 5
Views: 2585

Re: MAC address jumping around on MLAG interfaces (Bridge Hosts table)

Can you send a diagram of how things are connected?

From your explanations, it is not clear how the Fortigate connects to the CRS317, how the CRS317 are connected together and how the CRS317 connects to the CRS326.

(Just noted the question is from 2022 ... unlikely to be relevant anymore)
by vingjfg
Thu Dec 07, 2023 5:37 pm
Forum: General
Topic: switch filter: can a single rule be used for the same TCP and UDP dst-port?
Replies: 7
Views: 1607

Re: switch filter: can a single rule be used for the same TCP and UDP dst-port?

True. A feature I would really love to see is the possibility to create a "service group", for example to say that DNS is (tcp/53, udp/53) and be able to create a rule that refers to that "service group", without the need to specify udp or tcp in the rule. Or at least the ability...
by vingjfg
Thu Dec 07, 2023 10:07 am
Forum: General
Topic: Having issues with DHCP client over trunk [SOLVED]
Replies: 6
Views: 2202

Re: Having issues with DHCP client over trunk [SOLVED]

This configuration matches neither the router nor the switch in the diagram you showed. You created 3 switches, any reason? I suspect you are missing vlan-filtering (Careful - potential for losing access to the device if you are not careful), which is required if you want to have untagged ports in a...
by vingjfg
Tue Dec 05, 2023 10:25 am
Forum: Beginner Basics
Topic: IoT question - wifi
Replies: 4
Views: 1601

Re: IoT question - wifi

This may also be possible using access-list though I have not been able to use them to set a different datapath in CAPSMAN yet.
by vingjfg
Tue Dec 05, 2023 9:37 am
Forum: Beginner Basics
Topic: Nat rules
Replies: 1
Views: 1263

Re: Nat rules

So I understand that you want to use the same name both inside and outside your local network, is that correct? If not, can you send your current configuration, with sensitive bits redacted? You can use an address list in your rules, something like this one (example for the WAN interfaces). Don't fo...
by vingjfg
Mon Dec 04, 2023 7:57 pm
Forum: Wireless Networking
Topic: Audience is not setting itself up as Mesh client [SOLVED]
Replies: 22
Views: 2671

Re: Audience is not setting itself up as Mesh client

If you have only a few links, use ap bridge/ station bridge and don't bother with the mesh.

Do not forget to add the interface wifi3 in the bridge. IIRC, you are using vlan 1 so pvid 1 on both the hap and audience.
by vingjfg
Mon Dec 04, 2023 1:02 pm
Forum: Wireless Networking
Topic: WiFi for sports hall?
Replies: 3
Views: 1398

Re: WiFi for sports hall?

Possible? The answer is yes. Here is a presentation of 2 large scale deployments.

https://mum.mikrotik.com/presentations/ ... 945321.pdf
by vingjfg
Mon Dec 04, 2023 7:26 am
Forum: Wireless Networking
Topic: Triband device? [SOLVED]
Replies: 2
Views: 1947

Re: Triband device? [SOLVED]

That's sad as the concept was pretty neat.
by vingjfg
Sun Dec 03, 2023 5:49 pm
Forum: Wireless Networking
Topic: Audience is not setting itself up as Mesh client [SOLVED]
Replies: 22
Views: 2671

Re: Audience is not setting itself up as Mesh client

gotsprings correct, no mesh with wave2 on the audience. During my tests, I have found that the mesh with the old drivers is at best unreliable. What is still possible is ap/station bridge, which works fine. I tried wave2 but as I use vlan and needed the vlan-filtering, I had to go back to the old d...
by vingjfg
Sun Dec 03, 2023 11:44 am
Forum: Wireless Networking
Topic: Audience is not setting itself up as Mesh client [SOLVED]
Replies: 22
Views: 2671

Re: Audience is not setting itself up as Mesh client

ojnab , the first problem I see is one of the devices is Wifiwave2, the other is not. Can you at least install the wifiwave2 package on the Audience and try again? A second potential issue is you are trying to setup the CAP connection on an interface managed by CAP. Not sure that works. CowboyChris...
by vingjfg
Sun Dec 03, 2023 10:10 am
Forum: Wireless Networking
Topic: Triband device? [SOLVED]
Replies: 2
Views: 1947

Triband device? [SOLVED]

Morning all,

Beside the aging Audience, is there another Mikrotik device that has three bands (1x2.4GHz and 2x5GHz) or at least two 5GHz radio? I looked at the hardware list on the site and did not find anything.

//JF
by vingjfg
Sun Dec 03, 2023 10:00 am
Forum: Wireless Networking
Topic: WiFi for sports hall?
Replies: 3
Views: 1398

Re: WiFi for sports hall?

Would that be a mix of indoors and outdoors APs? Do you envision them on walls? On ceilings? Do you plan to manage everything centrally with CAPSMAN?

Can you tell a bit more about how this will be set up?
by vingjfg
Thu Nov 23, 2023 9:31 am
Forum: Beginner Basics
Topic: Blocking discord using address list
Replies: 9
Views: 1833

Re: Blocking discord using address list

If the "address list" requirement can be relaxed, I see a couple more options. With the built-in DNS, it is possible to create domains that will return "NXDOMAIN", and this can be applied to all subdomains. This will prevent resolution of all the discord URLs. With the built-in p...
by vingjfg
Tue Nov 21, 2023 7:29 am
Forum: Wireless Networking
Topic: Cap AX: Windows Clients: "Can't connect to this network"
Replies: 18
Views: 2622

Re: Cap AX: Windows Clients: "Can't connect to this network"

The only thing I can see is there is no use-tag for vlan30 and 60 in your datapath. Can you try adding it to one and test if that makes a difference? Not sure it will though. /interface wifiwave2 datapath add bridge=bridgeLocal comment=defconf disabled=no name=capdp add bridge=bridgeLocal name=VLAN3...
by vingjfg
Sat Nov 18, 2023 12:07 pm
Forum: Beginner Basics
Topic: Problem with VLAN Setup
Replies: 10
Views: 1361

Re: Problem with VLAN Setup

AndyM1988, what everyone was asking is that you provide the relevant configuration snippets. Anyway ... On the RB5009, if you look at the hosts on the bridge (/interface bridge host print), do you see entries in the different VLANs? If your computer is connected to the CRS326, do you see its MAC add...
by vingjfg
Sat Nov 18, 2023 11:46 am
Forum: Beginner Basics
Topic: Long identyfing network in Win
Replies: 11
Views: 2145

Re: Long identyfing network in Win

As rplant says, this could be STP: the configurations are very vanilla and most is default, meaning you get the default blocking time of 30s.

Try this on one of the hAP and see if it makes things better:
/interface bridge set [find name=br_lan] protocol-mode=rstp
by vingjfg
Sat Nov 18, 2023 8:07 am
Forum: Wireless Networking
Topic: WifiWave2 OWE authentication fails with Linux client using iwd
Replies: 4
Views: 1419

Re: WifiWave2 OWE authentication fails with Linux client using iwd

Which tells nothing else than "can't connect."

I found this: https://bbs.archlinux.org/viewtopic.php?id=278571, which I guess you did too. Just to confirm: dh group is 19 on the mikrotik? If not, can you give it a try?
by vingjfg
Wed Nov 15, 2023 1:34 pm
Forum: Wireless Networking
Topic: WifiWave2 OWE authentication fails with Linux client using iwd
Replies: 4
Views: 1419

Re: WifiWave2 OWE authentication fails with Linux client using iwd

Can you take a capture of the traffic when you connect to your guest network with OWE enabled?
by vingjfg
Wed Nov 15, 2023 9:46 am
Forum: Beginner Basics
Topic: Hairpint NAT between two mikrotiks
Replies: 5
Views: 1463

Re: Hairpint NAT between two mikrotiks

As Ca6ko wrote, it is a bit difficult to create a config without more elements. First: /ip firewall nat add action=masquerade chain=srcnat comment="NAT HAIRPIN" dst-address=192.168.1.3 out-interface=br1.lan protocol=tcp src-address=192.168.130.0/24 to-addresses=192.168.1.3 Remove this as i...
by vingjfg
Mon Nov 13, 2023 7:38 am
Forum: Wireless Networking
Topic: Mikrotik topology - Too many clients error
Replies: 2
Views: 1020

Re: Mikrotik topology - Too many clients error

I assume you use disc-list and disc-lite5 for the same device.

What is the connection between disc-lite5 and the sxt? Ethernet or wireless? If wireless, what is the mode on the disc-lite5?

Can you share the configuration excerpts after sanitizing?
by vingjfg
Sun Nov 12, 2023 1:09 pm
Forum: Forwarding Protocols
Topic: OSPF: two areas for two routing tables
Replies: 2
Views: 1313

Re: OSPF: two areas for two routing tables

My 2 cents: if it works for what you do and does what you want, then it is okay. Now, do I think this is overengineered for a WAN failover? Absolutely. For a "simple" WAN monitoring, I would likely use the "check-gateway" option with a single router and two uplinks. If you got /2...
by vingjfg
Sun Nov 12, 2023 12:58 pm
Forum: Beginner Basics
Topic: Hairpint NAT between two mikrotiks
Replies: 5
Views: 1463

Re: Hairpint NAT between two mikrotiks

Thinking of the configuration you sent and your explanations, I think the issue is not a hairpin NAT. But first, does this accurately represent what you have? ft1.drawio (1).png If so, you do not have a hairpin NAT issue but most likely an ACL issue. The interface with IP 192.168.130.1 on mikrotik 1...
by vingjfg
Sat Nov 11, 2023 7:05 pm
Forum: Beginner Basics
Topic: Hairpint NAT between two mikrotiks
Replies: 5
Views: 1463

Re: Hairpint NAT between two mikrotiks

Can you post a diagram? That will be easier to understand.
by vingjfg
Sat Oct 28, 2023 4:40 pm
Forum: Wireless Networking
Topic: Mesh configuration - pulling my hair! [SOLVED]
Replies: 6
Views: 2713

Re: Mesh configuration - pulling my hair! [SOLVED]

More tests. The configuration of the WDS master interface has a field to select the default switch in which the WDS interfaces are put. Interestingly enough (is it an incorrect name?), there is no switch statement for a specific WDS interface, which prompts the question "why then calling this a...
by vingjfg
Wed Oct 25, 2023 9:01 pm
Forum: Wireless Networking
Topic: Mesh configuration - pulling my hair! [SOLVED]
Replies: 6
Views: 2713

Re: Mesh configuration - pulling my hair! [SOLVED]

This is symmetric: pinging from R1 to R2 continuously and the MAC associated with the vlan.10 interface in R2 goes to the "unknown" state on the mesh. Pinging from R2 to R1 and that is the MAC from the vlan.10 interface on R1 that goes to the "unknown" state on the mesh. Removing...
by vingjfg
Wed Oct 25, 2023 7:55 pm
Forum: Wireless Networking
Topic: Mesh configuration - pulling my hair! [SOLVED]
Replies: 6
Views: 2713

Re: Mesh configuration - pulling my hair! [SOLVED]

Notes: I tried setting one of the devices with mesh-portal but that does not change the behavior. Pinging the tagged (vlan 10) or untagged (vlan 1) interfaces does not work BUT they have the same MAC address. This may indicate that the MAC information is passed on the mesh outside of the tagged con...
by vingjfg
Wed Oct 25, 2023 7:47 pm
Forum: Wireless Networking
Topic: Mesh configuration - pulling my hair! [SOLVED]
Replies: 6
Views: 2713

Re: Mesh configuration - pulling my hair! [SOLVED]

More tests ... Neither hwmp-prep-lifetime nor ageing-time changed a thing but I saw something that could be a bug. Aging seems to work differently between ARP/switchport MAC table and Mesh-learned MAC. For ARP and switch port MAC, an entry is purged after aging, that is that the association ARP/IP o...
by vingjfg
Tue Oct 24, 2023 11:21 pm
Forum: Wireless Networking
Topic: Mesh configuration - pulling my hair! [SOLVED]
Replies: 6
Views: 2713

Re: Mesh configuration - pulling my hair! [SOLVED]

"In a fashion" as this is unstable: it stays up for about 5 minutes, then "timeout", then disappears for 5 minutes. Something is clearly having a value of 300s. It could be hwmp-prep-lifetime , ageing-time , or something else I have not found. I found that on my Audience, if I do...
by vingjfg
Tue Oct 24, 2023 10:18 pm
Forum: Wireless Networking
Topic: Mesh configuration - pulling my hair! [SOLVED]
Replies: 6
Views: 2713

Re: Mesh configuration - pulling my hair! [SOLVED]

OK. I think I got it working. In a fashion. Mikrotik Audience, RouterOS 6.49.10 CAUTION - I cut myself out a couple of times. After that, I assigned a L3 address to a physical interface to avoid shooting myself in the foot. Mesh /interface mesh add name="inter-ap" auto-mac=yes admin-mac=18...
by vingjfg
Fri Oct 20, 2023 2:00 pm
Forum: Wireless Networking
Topic: Mesh configuration - pulling my hair! [SOLVED]
Replies: 6
Views: 2713

Mesh configuration - pulling my hair! [SOLVED]

Hi all, New Mikrotik user here. I am trying to do a simple configuration: SW/AP1 <- mesh -> SW/AP2 On SW/AP1, VLAN10: SSID1, Ether1, Int10 (VLAN interface for IP and DHCP) VLAN20: SSID2 and Ether2, Int20 (VLAN interface for IP and DHCP) VLAN30: SSID3, Int30 (VLAN interface for IP and DHCP) All 3 SSI...