MikroTik

k6ccc

The port is a slave because it is a member of the Bridge. To make it not a slave (of the Bridge), remove the port from the Bridge.

k6ccc

Noted. I don't do anything in switching or bridging in any of my routers - just routing. All switch function is done in separate switches.

k6ccc

Said in another way: if I need to block port X for both TCP and UDP, I need to use two rules or can I simply use one rule without specifying the protocol? Yes, you need to specify the protocol for each. However, as a general rule of thumb, a better way to set up your firewall rules is to explicitly...

k6ccc

Can you explain what you mean by "Make sure your computer has an IP address on that network"?

I mean, make sure your computer has an IP in the 192.168.88.0/24 address range.

k6ccc

First of all, once the router is set up, NEVER EVER use Quick Setup again. Most likely the router is back to the default IP address of 192.168.88.1. Make sure your computer has an IP address on that network. You mentioned double NAT. Sounds like there is other devices involved. Please describe your ...

k6ccc

Never seen that one...
I don't normally have a LAG on any of my CSS326 switches, but when I have had one, the connected devices correctly showed up in the hosts table on the correct ports.
What version of SwitchOS?

k6ccc

How many devices?
any special capabilities needed.

k6ccc

Too busy to look in detail. Maybe someone else can give some insight.

k6ccc

Just FYI, the code examples I gave earlier are from a router running 6.49.10.

k6ccc

Another doubt. In addition to the ".backup" file, can you email an encrypted ".rsc" export file? I E-Mail a backup, Export and a Version text file every night. I addition messages extracted from the log when someone logs in or out, or a port knock sequence completes. Additionall...

k6ccc

OK, I took a quick look at the two Mikrotik references. My guess was correct, one is for the older RB260 and the other is the newer RB260 (aka CSS106-5G-1S).

k6ccc

I have not looked at your collection of links in the first post (not taken the time), but I have several RB260 switches using a SFP as a trunk port. Is this on one of the "old" RB260s that are limited to SwitchOS 1.x or one of the "new" ones also known as a CSS106-5G-1S that uses...

k6ccc

Post your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you crea...

k6ccc

Subnet mask most likely should be 255.255.255.0 - or if you prefer /24. See Networks tab.

k6ccc

Posting screen captures or WebFig or WinBox is a DREADFUL way of showing configurations. Learn how to at lest basicly read and enter commands. However here it is in WinBox (very similar to WebFig)

k6ccc

Each of my routers sends multiple E-Mails per day via G-Mail. Here is my E-mail setup: /tool e-mail set address=smtp.gmail.com from="RB4011iGS+ Router" password=mypasswordhere \ port=587 start-tls=yes user=userid@gmail.com And here is an extract from a script that uses the E-Mail to send a...

k6ccc

Add a new IP Pool and assign that new pool to the new DHCP server. For example here are two of my networks. .101 has a physical interface on the router, whereas the .102 is on a VLAN out of the router. /ip pool add name=".101 DHCP pool" ranges=192.168.101.201-192.168.101.219 add name="...

k6ccc

@helipos Are you talking about what I circled in red?

If that's he case, note that every command that is longer than one line has everything except the first line indented 4 characters. Makes it a hell of a lot easier to read.

k6ccc

On the VLAN tab in SwitchOS, here is the way I do it for VLAN tagged trunks (assuming no need for untagged traffic). VLAN mode = Strict, VLAN Receive = Tagged only, and Default VLAN ID = some unused number ( I normally use 970 + the port number ). If the port needs to also have untagged traffic, the...

k6ccc

Re #2. I end ALL chains with a drop everything rule. The one before it is not needed.

k6ccc

I don't see any major issues with your configuration. I do have an old recollection about LAGs having issues in some situations with VLANs. As a test, drop one of the connections in the LACP and see if that changes anything - you may need to remove the LACP, not just kill one of the ports.
.

k6ccc

Let me make sure I understand your problem. You have a router that has multiple IP addresses, The router NTP client is sending NTP requests either from some address that does not belong to the router or more likely from the wrong address based on what interface the packet is going out on. I just loo...

k6ccc

Confirming that the ONT is expecting that all traffic between it and whatever connected device is VLAN tagged with VLAN 201. Also confirm that the VLAN 200 is simply a dummy number that does not exist anywhere (except SwitchOS requires you to put SOMETHING there). I do that on ports that are VLAN tr...

k6ccc

One more note. I just checked on my RB750Gr3 and it updated from 6.49.8 to 7.12
So, yes, the update site is working...

k6ccc

Agreed. Mikrotik wireless is not their strong suit. Routers and to a slightly less extent switches is where they shine.
Personally I have a bunch of Mikrotik routers and switches at home, but the WiFi is Meraki.

k6ccc

In response to your query, I happen to be connected to one of my routers (an RB750r2), so I did a check for updates. It immediately found that that there was an update (stable channel) from 6.49.8 to 6.49.10. The router was able to download the update just fine.

k6ccc

Does the Client 2 computer know that 192.168.10.2 is it's gateway?

k6ccc

I found that css610 does not supports "independent vlan learning", so when router connect wan an lan to the same switch, there are two ports using same mac address.Eventhough they are in separated vlans, but sharing the same table which leads the communication issues. I changed the ax6000...

k6ccc

What device and RouterOS version to start with?

k6ccc

Also, find your Shift key and give it some love. It's lonely.

Love it!

k6ccc

Your first drawing and posted configuration do not match (IP addresses). Getting one to work should be very simple. As long as the PC knows that the router is it's gateway, it will just work. Remember, it's a router - it routes unless you tell it not to. Getting three devices with the same IP to wor...

k6ccc

I am doing similar at home. All ports on the router connect to different VLANs on the same switch. Works fine. Couple comments. First is I HIGHLY recommend NOT using VLAN 1. Although SwitchOS has no issues with it, a lot of devices treat VLAN 1 as "special". Often with undocumented or poor...

k6ccc

I don't recall that you can. I have always set static IPs on network elements.

k6ccc

Post your config. Otherwise we are just guessing. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click...

k6ccc

Agreed. QuickSet should never be used on anything except a brand new device and once touched, never used again.

k6ccc

I don't do any WiFi on Mikrotik, so not much help there, but as a general rule of thumb avoid using VLAN 1 unless absolutely required. Too many devices treat VLAN 1 as "special" and often don't behave as you might expect.

k6ccc

Yes, because 217.147.160.48/28 is an internal subnet with 217.147.160.63 being a broadcast address. Why would you be using a public address range for your internal subnet? Far better to use one of the private lan spaces: Class A: 10.0. 0.0 to 10.255. 255.255. Class B: 172.16. 0.0 to 172.31. 255.255...

k6ccc

On Saturday, I rebooted my RB5009 after months of continuous usage - and now all my graphing data is gone
I can't get it - why is this happening?

As I recall, the usage data is all in volatile storage. So it is lost on reboot - as you observed.

k6ccc

Yes, VLANs are a very good solution to what you are trying to do. I am doing exactly the same at home. VLAN 201 - 192.168.201.0/24 "Normal" home LAN. Wired devices only. VLAN 202 - 192.168.202.0.24 Guest WiFi. Internet access only. VLAN 203 - 192.168.203.0.24 "Private" WiFi. Know...

k6ccc

What is the point of the switch - as opposed to just running the ISP connection into the router? Now, I am doing something similar however. My router (RB4011) is in my garage data cabinet. My fiber ISP drops into the garage data cabinet and there is a Ethernet connection directly from the ONT into t...

k6ccc

Can a switch running Router OS be used as an L2 Switch and what is the difference between SwitchOS and SwitchOS Lite? On he first part, yes. That what a Bridge in RouterOS does (simple answer) For the second part, some of the hardware uses SwitchOS and some uses the lite version. Can't be mixed. Sw...

k6ccc

Interesting concept. I use WinBox almost exclusively for configuration of my routers. On more than one occasion, I have looked at my daily exports in order to figure out the CLI structure for some change that I did the day before (the router creates backup and export files every night).

k6ccc

I had missed that you have IVL turned on. That's another one of those to leave off unless you really understand what it does. Glad you caught it. Not really sure why IVL would have caused what you were seeing however...

k6ccc

What version of SwitchOS? I can tell you that it's not likely a SwitchOS bug - the hosts tab works fine for me with lots of VLANs. Your config looks OK, except on the VLANs tab I would turn off Port Isolation unless you really understand what that does ON THAT TAB. Normally in my case on untagged po...

k6ccc

You can also add a simple web server on a computer (your preferred flavor of OS), or even a RaspBerry Pi on the LAN and port forward via NAT so it can be reached from the Internet.

k6ccc

Hey @k6ccc, stop talking BS. All information was already given, you just lack to read it.
Apply some logic instead of brute-force idiocy.

Only in your mind. Damn near no useful information was given.

I'm done with you.

k6ccc

And a tiny piece of information leaks out - that there is an upstream router. We're not mind readers. We can only go on the information that YOU supply. We still don't know what kind of router you have, what version of RouterOS you are using, or any network layout (other than now there is a FritzBox...

k6ccc

Yes, it could be something starting from a device on your LAN. However until you post your configuration, we are only guessing.

k6ccc

First guess is that you have something you don't think you have. Export your config and post it. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish&quo...

k6ccc

You did not specify, but from your description, it sounds like you are using RouterOS - not SwitchOS. You would do better to post this in the General or Beginner Basics sections of this forum. This section of the forum is specifically intended for SwitchOS use. Far better chance that someone will an...

k6ccc

If that's a non-air conditioned room, that is pretty normal. I just looked at mine (same switch type) and they vary from about 50 (in an air conditioned data cabinet) up to 72 (in my not air conditioned family room - currently 27C). Also varies a little depending on what SFPs you have plugged in. Th...

k6ccc

Glad you got ti working. I have been using SwitchOS for years and every switch has VLAN trunks (between switches or between a router and a switch), and most also have hybrid ports for my managed WiFi access points that use untagged traffic for management and different VLANs for each WiFi SSID. Any o...

k6ccc

Can you post the System tab. The secret to why you get locked out is likely there. Get the lockout issue resolved BEFORE you do the rest or else you will likely get locked out again. On the VLAN tab, I would change all the untagged ports to either disabled or strict and set them to untagged only. On...

k6ccc

60 GHz is highly affected by rain. Can you split the path into two shorter paths?

k6ccc

Your network drawing and screen captures look fine. The only thing I would do different is uncheck "Port Isolation" on all ports - unless you really understand what that does on that page.

k6ccc

A lot more information please. Are you trying to access from an internal LAN, or the Internet? Is xyz.xyz.com.pl your domain? What router and software version? You will likely need to post your configuration To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), op...

k6ccc

For switches, I MUCH Prefer SwitchOS. The cost difference has essentially nothing to do with my purchase decision.

k6ccc

you can consider to use the passthrough so that the LHG is used only as modem and the public IP is assigned directly to the WAN interface of the HEX. In this way you avoid double NAT. Great idea. I don't use Mikrotik RF devices at all, so did not know they could do that. Learn something new every d...

k6ccc

Just to make sure I am clear on the concept, you have two routers involved. First is your microwave radio LHG and then that is feeding the RB750. That means your NAT needs to be NATTed in both routers. Instead of screen captures (which only give partial information, please export your configuration ...

k6ccc

It's easy to do - done it myself. I generally leave the management pretty unrestricted until I have a switch completely set up and the save a backup to the PC before restricting access. That way if I mess it up and lock myself out, there is a backup from just before I locked myself out. Generally re...

k6ccc

Yes, it would be nice to have a human readable export from SwitchOS.

k6ccc

I am doing exactly what the original poster is trying to do - except in my case my R4011 is generating the WoL packets. From there via untagged LAN to CSS326 then tagged VLAN trunk (VLAN 201) to another CSS326 and then untagged LAN to the family room PC. Works perfect every time. Does not matter if ...

k6ccc

In order toaccess it from your LAN via the public IP, you need to have a hairpin NAT set up. TONS of forum posts about that here.
See what happens when your your friend tries it.

k6ccc

Assuming you corrected: add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \ in-interface=bridge protocol=tcp to-addresses=192.168.88.31 to-ports=\ 25565 to: add action=dst-nat chain=dstnat comment=Minecraft dst-port=25565 \ in-interface=ether1 protocol=tcp to-addresses=192.168.88.31 t...

k6ccc

Yes, it works fine. Because your RB4011 cooperates as it's flexible enough to take necessary config without womiting. Not all routers are as flexible. Or are flexible but configured in a non-compatible way (by ISP). Hence my question about ability to configure the "black box" router on di...

k6ccc

What he is doing is in a way similar to what I am doing. My cable internet terminates in my family room and connects to a CSS326 switch (where it gets encapsulated on VLAN 100). That CSS326 has a trunk to another CSS326 in my garage data cabinet. One port of the garage CSS326 is VLAN 100 (untagged) ...

k6ccc

I am gathering that both switches are configured exactly the same (except presumably they have a different IP address). I am also gathering that the unnamed device on the left is the router. Since laptop to laptop is working properly, I'm not sure this is a switch problem, but rather a router proble...

k6ccc

I am going to post three screen captures of one of my CSS326 switches. This will likely answer most of your questions. I'm noticing that this is a really old capture, and I'm not sure why I cut the VLAN and Links tabs off after port 21... I'm going to point our a few specific ports that have various...

k6ccc

Sounds like a fairly simple setup. SwitchOS works very well for switch functions. I use SwitchOS for all of my switches here at the house and am very happy with it. I have been using SwitchOS for years, so if you have any questions, feel free to ask. And yes, you will likely get people commenting th...

k6ccc

I have a half dozen SwitchOS devices and DHCP on VLANs works just fine, so you have something amiss. I am not able to connect to my switches right now, but when I get back to the home network, I will poke around. In the mean time, there screen captures might help you get started: These are all from ...

k6ccc

If I understand your question, no. As I understand your question, if someone pings your domain that will get to your RouterBoard, you want a fake IP address returned. The initial IP shown in the ping command is based on the DNS lookup and is before ever sending a ping to you. In the ping command sho...

k6ccc

Never heard of Goodwe. How are the inverter and router connected to each other (example, USB, wired IP, WiFi, smoke signals)?

k6ccc

I know it's recommended to not use vlan-id=1, but this is a lab not a real setup in which the instructions said to do so. The recommendation is not so much about production environment, it's about sink holes planted inside ROS if one wants to use VID 1 ... I'm not saying it's not possible, but one ...

k6ccc

Without knowing your configuration, we are guessing. Please post a network drawing (or at least a GOOD description of what it connected to what), and a configuration export. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (wi...

k6ccc

Also, what version of WinBox? Older versions of WinBox won't work right with newer versions of RouterOS.

k6ccc

You might want to take a look at this thread regarding using Splunk for this purpose:
viewtopic.php?t=179960

k6ccc

That is what I'm doing with my RB4011. Router only performs routing / DHCP functions. All switching is done in separate managed switches (CSS326 in my case). No bridge in the router.

k6ccc

@en1gm4 I'm kind of in the same boat. My main router here at home is a RB4011iGS+ that is running 6.49.8. I have been watching ROS 7 for about a year, but currently have no real NEED to upgrade to it. I also would like to play with WireGuard, but it's not a need for me. I will be off work for the ne...

k6ccc

Finally getting back to this thread. Had fairly major surgery 8 days ago and have not really been doing much on the computer. Sort of getting there. Somewhat humorous Amm0 that you had a power outage. We had the end of Hurricane Hilary come though here over the weekend. Not really much of a problem ...

k6ccc

Your router has no clue how to find the192.168.88.nnn network. It has no addresses on that network, and no route statement to know how to reach it. Second - and I know only enough about bridges in ROS to be dangerous so take this with caution. You have one IP address assigned to one of the ports on ...

k6ccc

In 2023, IPv6 is the norm, IPv4 the exception, telling a RB5009, release this year, can route 10Gb/s of traffic is a lie.

I don't know how true that statement is. I have both fiber and cable based internet here in the Los Angeles metro area, and neither of my ISPs is making IPv6 available.

k6ccc

OK, so you don't follow instructions. You did not include a network drawing or at least a good detailed description of the network. You did not post your complete configuration (minus sensitive data), and you did not post it within code blocks as instructed. Lastly you state that you're not wanting ...

k6ccc

test-connection takes about 15 seconds to time out on each ping, and there's no way to control that. So I set the timeout to 30 to leave a little wiggle room. You don't have to wait for the test connection to time out (unless whatever you are using to generate the knock is too stupid). I have some ...

k6ccc

There are so many issues here, let me see what I can start with. 1) Get rid of the cable between ports 13 & 15 - that is NOT how to get two diverse networks to communicate! That is the router's job. 2) Since you are trying to run two networks from the CCR to site B, you have two choices. Either ...

k6ccc

Not really sure what you are asking or telling us. You gave us no information on equipment, software, or configuration. But yes, the Mikrotik router may or may not be able to provide local DNS service - depending mostly on configuration. ssh routerName.local:21 Why are you trying to ssh to the ftp p...

k6ccc

Start off with posting a network drawing so we know what you are trying to do. Next is post your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filena...

k6ccc

To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download i...

k6ccc

Do not use VLAN 1 for anything - unless there is a specific requirement to do so for some attached device. Too many devices that treat VLAN 1 "special" - and most will not tell you that.

k6ccc

It's obvious that SwitchOS is a low priority for Mikrotik. Even SwOS lite for the couple of switches it uses keeps getting updates, but full SwitchOS seems to be getting ignored. As far as moving to RouterOS, I personally find that for pure switch functions, SwitchOS is FAR easier to use. I also hav...

k6ccc

For starters, your input chain is essentially wide open. So is your forward chain. Generally recommended procedure is to specifically allow what you want and then have a drop everything rule at the end of the chain (which you don't have). You want this for both the input and forward chains - maybe o...

k6ccc

Start off with a network description - or better yet and network drawing.

k6ccc

Are you are testing from the Internet or testing from a computer on your LAN? A Google search will generally tell you what things use those ports. Sounds like you have some things open that you are not expecting. Without your configuration, we would be guessing. Post your configuration please. To ex...

k6ccc

Your description and minimal config does not really give enough useful information. Please post a network drawing and export your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/expo...

k6ccc

I'd like to re-purpose the "shark-fin" style antenna enclosure that's already on the roof of the car if I can. That way I don't have to come up with another antenna mounting locaiton. If you don't mind spending some money, you can get custom (or semi-custom) antennas that replace the fact...

k6ccc

I work in a city radio shop. We have hundreds of vehicles with various radio services - GPS, Wifi, cellular, and of course the two way radios. I can absolutely assure you that getting the antenna outside the steel box known as your car will SUBSTANTIALLY improve radio performance. Best bet is an ant...

k6ccc

I sometimes use 24V battery packs on either PoE injector or as the DC IN, with the battery charge always plugged in to the grid. No AC/DC conversion and Mikrotik's don't really use all that much power, so $50-100 battery pack is often longer lasting/cheaper than APC-like AC UPS. The 24V lithium pac...

k6ccc

Thanks. These monitoring tips are great. For me the most important one would be the temperature - sometimes AC units fail in server rooms and then things can get toasty. You're welcome. Yep, temperature and power issues are high on the monitoring priority list. I was maybe thinking building my own,...

k6ccc

About 25% need the WAN set statically. We remote in (Teamviewer); log into Router and go to set WAN IP and then we get disconnected (We need to set DNS next I assume?) I'm curious how you are getting to it via TeamViewer (which I use regularly and am very familiar with). I assume you remote into a ...

k6ccc

Thanks for info. Out of curiosity, how do you solve monitoring and reporting of MIkroTik systems and external sensors/batteries and such? There are a couple things that I am doing. For environmental monitoring, I have a box called a Watchdog 1000 from IT Watchdogs (now owned by Vertiv). It has mult...

k6ccc

Let me know if you have any more questions. I'm one of the people here that uses and really likes SwitchOS (I have seven switches that I manage).

k6ccc

#2 Jesus. ... Don't you think that s a bit of an overkill? Only a little. Think of it as public safety grade. I run a large regional public safety 2-way radio system for a living. We operate with the understanding that under the wrong set of circumstances, failure of the radio system can result in ...

k6ccc

So you chose an option to have external dedicated poe backup. Correct I am thinking about this too, in a way that I would have a separate injector and an adapter for each device if I wont find a way to configure excess PoE switch ports to be redundancies. I don't have POE switches, so that is not a...

k6ccc

I am doing exactly what you are wanting to do on a RB4011, RB750Gr3, and RB750r2 routers, and two CSS326 switches in my data cabinet. It works very well. All of these devices use passive (or dumb) POE input on port 1. In the case of the RB4011 it is getting 48V POE and the others are getting 24V POE...

k6ccc

OK Cube4d, welcome to the forum. A couple of comments. Assuming that port 2 is being used as a VLAN trunk (as opposed to a Hybrid mode). All of your devices EXCEPT the router connection on port 2 are NOT VLAN aware (or at least not operating as a VLAN connection). 1) DO NOT use VLAN 1. Any other num...

k6ccc

Routing between networks is what a router does. You have no firewall rules to prevent routing between LANs so that is exactly what it will do. Remember in RouterOS, at the end of a firewall chain there is am implied accept. So the general plan is to specifically accept what you want to allow and the...

k6ccc

Can't do this with a dynamic address, but with DHCP reservations (what Mikrotik calls static), but put a comment on the item.

k6ccc

In an almost default configuration the VLANs should communicate just fine - that's what a router does. Beyond that, please post your configuration so we're not guessing. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (withou...

k6ccc

Glad you got it resolved.

k6ccc

What Radius server are you using?

k6ccc

The screen captures above are from the Family room switch. Port 1 is the trunk between the Family room switch and the Garage switch. You can see in the VLANs tab that essentially every VLAN is included on that trunk. That allows everything to be able to flow between the two switches. As far as keepi...

k6ccc

Without knowing your configuration, we would only be guessing. Please export and post your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you...

k6ccc

Interesting, but pretty much a non-issue since it requires the actor to be logged in with full admin privilege anyway...

k6ccc

It sounds like you are in a double NAT situation. From the Internet, the Draytek needs to NAT the required ports from it WAN to it's LAN. This sounds like it is working (although needs to be edited to point the NAT destination to the Mikrotik rather than the individual cameras. Then in the Mikrotik ...

k6ccc

I have Cisco SG500,
(Mistakenly I wrote SA500)
Sorry

I did not catch the difference in the screen capture either...

In any case, from the screen capture, it DOES appear that your SG500 is a VLAN aware managed switch. So go back to my earlier post with suggestions.

k6ccc

Your description says that the Cisco SA-500 is unmanaged, but the drawing and screen capture shows that the SA-500 is a managed switch. I don't speak Cisco, and it's not my intent to look it up for you. So I am going to with the SA-500 being a managed switch. Run a single VLAN trunk between the MT r...

k6ccc

I don't use a VPN to access my switches, but every time I access any of them it is from a different LAN and therefore is routed. Works fine. Nothing special required in the router.

k6ccc

There's MSTP which does know about VLANs and you should be using it. I don't have any SwOS drvice so I don't know if SwOS supports MSTP or not.

No, SwitchOS does not support MSTP. I was just setting up an RSTP link last night in SwitchOS, so STP capability is fresh in my mind...

k6ccc

I am using https://www.dynu.com/ and am happy with their free service. Been using them for only a few months. Prior to that I was using a DSL with static IPs. Moved to cable based internet with a dynamic IP address. I am using a Windows application that I run on my server, but they also have a scri...

k6ccc

Where is the PC that you are using connected to? By that I mean are you connected to a LAN on Router 1, Router 2, something else? If you physically plug into the router that you can't access (rather than accessing across the tunnel), does it work? What version of WinBox are you using? Are you trying...

k6ccc

Your description and drawing don't match so it's really hard to know what you are trying to do. You state that you don't want to use VLANs and then have VLANs running all over the place. Your dashed lines with "no contact" is meaning less. I assume you mean "out of band" for OOB....

k6ccc

When I have run a LAG under SwitchOS (on a VLAN trunk), I have set the VLAN and VLANs tabs to match each other for the two ports that are part of the LAG - it worked that way. I have never tried any other way and there is no setting on either the LAG or VLAN tabs to reflect that a specific VLAN is o...

k6ccc

Sounds like you have messed up something in the config. It absolutely SHOULD work 100% of the time (it does on my RB4011 with multiple WANs). Export and post your config. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (witho...

k6ccc

Start with the configurations of each of the devices. Export and post each configuration and post them here so we have a clue what you have done to break it. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes...

k6ccc

Yes it is possible that the Allen Bradley switches are intentionally dumbed down - of that I have no information. Mikrotik switches running SwitchOS also have no ability to specify a gateway, but they will just send packets back to whatever the switch received the packet from - whether that is a dir...

k6ccc

Here's one of mine. Lease time on this one is 3 hours.

/ip dhcp-server
add address-pool=".101 DHCP pool" authoritative=after-2sec-delay disabled=no \
    interface=E02-pB4_101 lease-time=3h name=".101 DHCP server"

k6ccc

While DHCP protocol does define way for client to release the address, it's seldomly (if ever) used. Some (a few) devices will initiate a release - I have observed some devices do so on my network. Trying to remember which devices will release a DHCP lease when shut down. Not sure, but it may be th...

k6ccc

Simply set a fairly short lease time in the DHCP server setting.

k6ccc

I have set up L2TP server with IP pool 10.8.0.2-10.8.0.254 . I see that when users connect , it starts assigning them IPs starting from 10.8.0.254 , 10.8.0.253 and etc... Correct. Mikrotik DHCP server starts at the high end of the range. My question is what happens after all the IPs are used ? I un...

k6ccc

Are these enough to block all outgoing traffic (output & forward) from all sources to those IP ranges I mentioned ? /ip firewall filter add action=drop chain=output dst-address=141.101.78.0/23 add action=drop chain=output dst-address=173.245.48.0/20 add action=drop chain=forward dst-address=141...

k6ccc

I disabled all input rules and output in hoping that i won't be able to browse the internet but i am. Traffic passing through the router does not go through the Input nor Output chain. It goes through the Forward chain. The Input chain is for traffic that has the router as it's destination (your Wi...

k6ccc

Your image is unavailable to us. Also, without your configuration, we would be guessing. Please export and post your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensi...

k6ccc

Or did you read my statement that there are 7 free (unused) ports to mean that I was connecting the two switches with 7 connections? Yes, that's what I understood from your post. I am not native English speaker so forgive me... :D I can assure you that your English is better than my ability to spea...

k6ccc

Not an option for me since all three switches in this reference are CSS326. And for switches, I really prefer SwitchOS...

k6ccc

hAP ac lite is a nice device, but the WiFi is rather limited primarily due to only internal antennas. I have two of them (although they are running a ham radio software called AREDN).
Firmware updates on most of the Mikrotik devices is pretty reliable.

k6ccc

Confirming when you are making these tests, you have the working LAG from the CRS-309 to the XG-7100, and the second LAG from the CRS-309 to the CRS-328 causes the storm (the CRS-305 is not yet into the picture). Also, confirm that there is no connection from the CRS-328 to the CRS-305? You did not ...

k6ccc

So the OP wants the Mikrotik to ONLY function as a WiFi access point. No "router" functions. That should be fairly straight forward (but I don't do WiFi in ROS so I'm no help there). And suntchi56, please tell us what hardware you have. Also, I would recommend updating the ROS version. 6.3...

k6ccc

Despite all of that I still don't get why you didn't interconnect switches with at least 1 x 10 Gb twinax cable instead of 7 x 1 GbE interfaces... Where did you get the idea that I am connecting the two switches with 7 x 1 GbE connections? They are connected with a single 1 GigE connection - which ...

k6ccc

Tying the two CSS326 switches together is easy. However they are still entirely treated as two separate switches from a management perspective. The other part is bigger. When there was just one switch in the data cabinet, it had a single 1GigE connection to another CSS326 in my family room. Eventual...

k6ccc

I honestly cannot see many real uses for it, aside from ticking a box on a design spec. With the 100gb switch not listed in supported (maybe it does work and the document is old) you really limited on real throughput. My data cabinet at home now has two CSS326-24G-2S switches. I have two in there b...

k6ccc

Unless there is some compelling reason not to, put them on the same subnet.
Broadcasts stay local to the subnet.

k6ccc

I have no idea what fqdn means or how to use it?

Fully Qualified Domain Name
https://en.wikipedia.org/wiki/Fully_qua ... omain_name

k6ccc

Particularly becuase there are things that don't apply to switches but they still show up and are not grayed-out. Do you mean in RouterOS or SwitchOS? If the latter, please give examples. If the former, I largely agree. Has a lot to do with why I am using routers exclusively as routers and switches...

k6ccc

Holvoetn had exactly the same thought as I did - Nice writeup. Not anything that I have a need for, but interesting to read. Thanks for posting that. I'm sure it will be useful to some people...

k6ccc

I have the 179 rule in and see traffic on it. The 23 rule does not have any traffic, but if I disable that rule (23) my BGP goes down. It's very strange.

Sounds like something is there that you are not expecting. Post your config and the answer likely will reveal itself.

k6ccc

BTW, newer version of SwitchOS allow you to name the VLANs on the VLANs tab so it is easier to remember what is what. Also, the checkboxes are colored so they are easier to see. My screen captures were from several years ago and an earlier version of SwitchOS.

k6ccc

my plan is to ONLY use VLAN 1 for the management of the switches on the network.

Use something other than VLAN 1. VLAN 99 seems to be a commonly used on, but there is nothing magic about that number.

k6ccc

which fiber transceivers sound the best.

It’s the ones with the oxygen-free copper traces…

You did say that you were this guy here demonstrating the Retro Encabulator? https://www.youtube.com/watch?v=RgaKjVXK0KA

k6ccc

Easiest way to do this is include two screen captures of one of my CSS326 switches. BTW, in my collection of Mikrotik devices I have a CRS326 that I have running in SwitchOS. Most of everything you will do will be on the VLAN and VLANs tabs. First is the VLAN tab. I will point out a few lines. Port ...

k6ccc

Unless you REALLY have to, avoid VLAN 1. Many devices handle VLAN 1 strangely. You may find traffic on that VLAN that you did not intend.
And yes, there are some devices that do not give you a choice (I have a couple).

k6ccc

Part two is a single WiFi access point for a 2500 square foot home is likely going to be pushing it. Might work, but likely will have some dead/marginal spots. I would be looking at multiple wired access points.

k6ccc

In your proposed drawing, you are intending to use fiber from the Mikrotik to a media converter, only to turn it back to a wired 1G ethernet connection. Why not just run a wired Ethernet connection from the router to the DAC? Unless your house dimensions are measured in acres, you are not likely goi...

k6ccc

One quick note since you used QuickSet. Once you make ANY other change to the router config, NEVER EVER use QuickSet again. Doing so will blow away any other changes that you make.

k6ccc

<snip>
very limited capabilities beyond L4 (i.e. handling UDP/TCP packets). And "redirecting a subdomain" is an L7

What? You mean that whole OSI 7 layers thing actually means something?

Amazing how many people don't understand that...

k6ccc

The question to ask your ISP is if they can put their modem into bridge mode. Some will and some will not. If the ISP will put their device into bridge mode, that means your router will be truly public IP facing, so it gets (or you assign) the public IP addresses. For what it's worth, I have two int...

k6ccc

i used /ip firewall nat add action=dst-nat chain=dstnat in-interface-list=WAN to-addresses=192.168.1.99 and it creates a perfect dmz but now i am locked out of winbox that uses port 8291 how can i exempt port 8291 from above rule? That should only be a problem if you are attempting to access WinBox...

k6ccc

Was it between 11:35 and 11:40 at the time? Any other time it will show as inactive time.

k6ccc

No useful information. What hardware? What software version? What WinBox version? Screen capture of what you're talking about. And this should have been in the "Beginner Basics" section of the forum. Maybe a moderator can move it. Edit - Thanks to whichever moderator moved this to the Begi...

k6ccc

I have never created a time of day based firewall rule, so I tried a simple one. This rule only operates from 11:35:00 - 11:40:40 every day, and is a passthrough rule so it's just a packet counter - counting packets on my fiber internet connection. Worked fine. add action=passthrough chain=forward c...

k6ccc

Certainly. Set ETH1 as a DHCP client, and if you will not be using DHCP at all on your local LAN, you can delete (or disable) the router's DHCP server.

k6ccc

You're going to have to explain what you are trying to do better. A network drawing would help.

k6ccc

...especially since I'd say its a "best practice" to NOT use "admin" as a login name, but it being default only encourages it ;). Agreed. I don't use "admin" or "administrator" (with or without a capital A) as an admin UserID on anything where I have a choice...

k6ccc

So much for my educated guess....

k6ccc

Port from 0 to 32767 and 65535 are reserved or not used.
is this still true today ? about the only ports being used for nat are 32767 ?

No. That was a nine year old post.

You can use any port you like from 1 to 65534 for a NAT.

k6ccc

That is most likely happening in your browser, not in WebFig.
Just an educated guess as I never use WebFig.

k6ccc

Really hard to follow what you are saying. Please provide a network drawing and your configuration. Otherwise, we're guessing. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export file=any-filena...

k6ccc

As tangent said, you gave us almost nothing to go on. Tell us what is connected to what - or better yet, a network drawing. And export your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) &...

k6ccc

I have not poked through your config, but I can tell you that on my RB4011 that has ROS 6.49.6, the System > Clock display is correct, as is the Dashboard Date & Time in WinBox. Also, log entries are showing correct date and time. In my case, I am using my own Stratum-1 time server. I don't norm...

k6ccc

Please supply a drawing that shows what is connected to what. Also export the config for the Mikrotik router and post it here. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive ...

k6ccc

did you do any windows update before this happened?

Yes, a Windows 10 update did come out some time or another in the past week. I don't remember exactly when, but every one of my Win 10 computers and my Server 2019 had updates recently. I don't have anything running Windows 11.

k6ccc

Not an expert in this field, but my initial thought is if ports 3 and 8 are in the same bridge. Off hand, I would think that having both the mirrored port and mirror target in a bridge would cause essentially a feedback loop.

k6ccc

Step 1 - eliminate the USB-C adapter to make sure that is not the problem.

k6ccc

It has been massively discussed here on the forum.

Short answer is: document the password and make sure you know where you retain the information.

k6ccc

Is there a reason you can't just select "Remove" from the screen you are on?
I hardly ever use the CLI, so can't help you on that part...

k6ccc

I almost exclusively use WinBox, so this was tailored to look good in WinBox. I use a bunch of chains, and most of them end with a "Drop everything" rule. I follow that with one more rule that never sees any packets (since the previous rule is a drop everything) that has a really long comm...

k6ccc

Piece of cake using a CSS326 using SwitchOS. You can segment it either with VLANs or Port Isolation. Either is very easy to set up.

k6ccc

As I understand it, the CSS326 will operate at higher speeds when set to Auto AND the other end is forcing the higher speed. However as Okes said, the RB2011 is Gig only, so it certainly won't force 10G speed.

k6ccc

Thanks. I have never use github for anything other than one project that I beta which test uses github for bug reports - just writing comments. I'm doing this on a Windows server, so I assume the extract from the zip should go into C:\Program Files\Splunk. The root of the zip is MikroTik-main with t...

k6ccc

Never use VLAN 1. "Never" is a strong word ... but then there are 4093 other values which one can use, so the actual need to use VID 1 is 1 in 4093 :wink: OK, Never use VLAN 1 unless there is some very specific reason that you MUST use VLAN 1. I actually had one of those until recently. A...

k6ccc

Never use VLAN 1.

k6ccc

Am I correct in my understanding?
Yes?

Use external syslog or external USB device, if possible.

That's was what I thought, but wanted to be sure. And of course, no external USB slot on the RB4011...
Working on a Splunk install on my server.

k6ccc

Just download the app from GIT and copy the folder mikrotik to %SplunkHome%/etc/apps and restart splunk.

I'm looking at: https://github.com/Jotne/MikroTik
What am I supposed to download?

k6ccc

Am I correct in my understanding?

k6ccc

Sanity check something for me. Log on my RB4011iGS+ (ROS 6.49.6 at the moment) writes between 1000 and 2000 log entries per day. The vast majority of those only write to memory with a much smaller number writing to disk. My understanding of the way different types of memory work is that writing that...

k6ccc

I had to look at the CSS610 series manual to figure out what you were talking about. All my switches are CSS326 or CSS106 series and they don't have that indication.
However, with that said, it should not really matter as far as I know.
.

k6ccc

I don't think this is gonna be fixed ever. This kind of make the activity led completely useless. (CSS don't have this issue for example) That last part is not correct. Watching one of my CSS326 switches with SwitchOS 2.13, the port LEDs wink off about every half second if there is activity, but al...

k6ccc

What SFP module are you using?

k6ccc

Is the switch and your computer on the same IP subnet? Check your DHCP server and see if the switch got an IP address from the DHCP server. If not, a factory new switch should be 192.168.88.1. Make sure your computer is on the same subnet. Other option is to directly connect a computer to the switch...

k6ccc

I'm trying to get around a 3rd-party firewall that blocks non HTTP traffic. I have a mAP installed on the customer's network and I typically have such devices connect to my server via Wireguard - but the traffic is blocked by their firewall. And I'm having difficulties working with the corporate fi...

k6ccc

From the Wiki for scheduler: startup - execute the script 3 seconds after the system startup. There is no option in the scheduler to add a different delay for a schedule based on startup. Just wroted..... :delay 20s (for example) That's what I get for believing the manual. Neither the old nor the n...

k6ccc

From the Wiki for scheduler: startup - execute the script 3 seconds after the system startup.
There is no option in the scheduler to add a different delay for a schedule based on startup.

k6ccc

As I recall, when I set that up years ago, I tried a couple of delay times, and once I found what worked, I doubled that for the permanent script.

k6ccc

For example, I had scheduled the sending of a notification email when my router restarted, but it was never sent... I also have a startup script that sends me E-Mail notifications. The scheduler starts the script at start-time=startup. The script writes a log entry and then has a delay 00:00:20 bef...

k6ccc

Without knowing how your router is configured, we would be guessing. Please post your configuration. To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish...

k6ccc

Update - specifically for Rextended... It's working now, and I don't know why. All three routers working perfectly. The last step (after getting the ftp all working) was to add a .cmd file on the server that added the date on all nine files every night after the ftp uploads completed - easier to tha...

k6ccc

mkx beat me to it while I was typing... Unless I missed something (certainly possible), you have a firewall rule to allow the server LAN to access the internet, but nothing to allow the Internet to access the server LAN. The common way to accomplish that is something like this: /ip firewall filter a...

k6ccc

As I understand what you say your problem is, all devices on your LAN can ping the Mikrotik, but the Mikrotik can't ping the ISP gateway. My answer was based on that assumption. The firewall rule you posted relates to your client devices on your LAN being able to ping the Mikrotik. That has nothing ...

k6ccc

It's always the possibility that the gateway is set up to not respond to pings. Some people thing that's the way to go...

k6ccc

If I understand what you are trying to do, the answer is maybe. The limiting factor is if the switch in the DSL modem will pass VLAN traffic. Some switches will and some will not. If the switch that is part of the DSL modem will pass VLAN traffic, then the connection between the DSL modem and router...

k6ccc

Now that you have explained the situation a little better, I can see that changing passwords would not work well for this situation, and the password essentially is publicly posted. That only leaves signal. Best suggestion would be using access points that have external antennas so that you can plac...

k6ccc

And one offtopic question, because I can't find a clear answer, and that's just about the number of trunks. In my small network - max 4 VLANs and max around 50 network devices running at any one time, do I need more than one trunk? That entirely depends on traffic. I'm weird and have six switches o...

Search found 1470 matches