MikroTik

anav

What makes sense is specific to your location. How is the printer connected to the router, via ethernet jack at specific location, are there managed switches in between etc etc...... Clearly if all users are in vlan10, why put it on its own vlan. If untrusted users are allowed to use the printer, no...

anav

Washingstate, Maine, Oregon etc. are more than welcome to Join Canada.
Was going to included California, but its dealing with real issues.

I am likely to replace my TPLink products with this.
https://www.tp-link.com/us/business-net ... da-eap770/

anav

All employees have a cell phone......
Send mass text message - internet out restoration time est XX:XX Hrs.

anav

You can put another router like hex refresh between ISP router and first 60HZ device.

anav

Fresh Questions: Observation: One only needs the APP to create the first user ( the smartphone itself ). It automatically turns on BTH VPN, and creates the first two entries! I had thought one needed to manually turn on BTH VPN in ip cloud first. 1. When creating the the tunnel from the phone it wou...

anav

the idea is that 192.168.77.1/30 means only two usable IP addresses 192.168.77.1 and 192.167.77.2 hence plug in your laptop to ether24 and ensure 192.168.77.2 is set manually on the laptops IPV4 settings. This creates a safe spot to do vlan configs on any mikrotik device. You can disable the port af...

anav

Only management vlan has bridge tagged in /interface bridge vlan. .... model = CRS328-24P-4S+ # serial number = /interface bridge add ingress-filtering=no name=Bridge vlan-filtering=yes /interface ethernet set [ find default-name=ether24 ] name=OffBridge24 /interface vlan add comment="\"MG...

anav

# model = RB952Ui-5ac2nD # serial number = /interface bridge add name=bridge1 /interface list add name=WAN add name=LAN /interface list member add interface=ether1 list=WAN add interface=wg1 list=WAN add interface=bridge1 list=LAN /ip pool add name=bridge-pool ranges=192.168.88.2-192.168.88.254 /ip ...

anav

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

anav

If WAN1 is primary,,,,, /routing table add fib name=via-WAN2 /ip firewall mangle add chain=input action=mark-connection connection-mark=no-mark in-interface=WAN2 \ new-connection-mark=incoming-wan2 passthrough=yes add chain=output action=mark-routing connection-mark=incoming-wan2 \ new-routing-mark=...

anav

You cannot successfully take one configuration from one model and import it into another. The best case is copying bits of the config at a time from the /export file and pasting into the new router. Your subnet is all over the map 192.168.88 or 192.168.3 or 192.168.2 LOL Enable your fricken firewall...

anav

Can you post a link to wireguard peer generator. I was unaware that MT had such a tool??
OR
Are you talking about BTH WG vpn??

anav

Without seeing any config, no facts, no evidence, impossible to advise further.

anav

add a firewall address list
add src-address-list=Name of firewall list above to the dsntnat rul

anav

In the case of Primary WAN1 and Secondary or Backup WAN2: In this case all traffic exits the router via WAN1 and one thinks primarily of LAN traffic. However, any external originated traffic arriving at the router will go in the appropriate WAN ( by IP address or dyndns url) but will exit WAN1. To e...

anav

I dont understand the need for step 6. Router B in both BTH and normal wireguard is the client for handshake never the server ????

anav

Okay, repost config if any issues, bound to be few as changes often take few iterations, ops normal.

anav

Config of both required if not resolved ( model of switch )

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc.)

anav

Find the appropriate switch example: viewtopic.php?t=143620
Decent video: https://www.youtube.com/watch?v=YLtGQAQ8iS0

anav

Why vlan1 on the unifi? Unifi typically accepts whatever traffic is coming to it untagged as the trusted or management vlan and the tagged vlans as data vlans. Therefore on the MT suggest you use three vlans and forget about using vlan1 for anything ( it works in the background ) vlan10 - home ( wir...

anav

IMHO quickset should be removed until its actually stable, intuitive and useful.

anav

Brand/Model of Access point?
Config of MT router ( and ap if mt)
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

anav

I suspect you may need the MT to act as a router vice switch/bridge?

anav

Attempt5: " Damn, I forgot the keys in the car! "
Attempt6: " I wonder if these glasses make me look smarter? "

anav

Concur with jaclaz, its a waste of time for us to chase what ifs. Post your latest config that is not working, then we will provide suggestions. If that doesnt work, post that config with the latest config and we will work from that. We can best work from accurate facts presented....... and after re...

anav

Hi Whussup..... I review the config from top to bottom and thus its what I noticed first off. Concur it doesnt effect any of the wifi settings. However since you do have those port in /interface bridge ports, it still appears to the reader/reviewer to be in error for them to be disabled! I know for ...

anav

Rule of Thumb: Use quickset at your own peril.

anav

Yeah nervous that some giant Chinese company will buy MT out and start adding all those nifty features you desire, and of course a hidden back door to the red army.

anav

Mikrotik does not block any outgoing LAN to WAN traffic by default, so why are you assuming the MT is the problem? Further how is one supposed to provide any advice on your configuration if its not provided. /export file=anynameyouwish (minus router serial number, any public WANIP information, passw...

anav

I am confident you will find the problem then. GLuck.

anav

1. Wouldnt call my Bridge "LAN" as LAN is already used on the router for standard nomenclature. Personal choice but at least make it bridge-LAN etc. 2. Why do you have two IP pools but only one subnet ( aka the one you attach to the bridge-LAN )? 3. Highly recommend you set this to NONE< a...

anav

/interface ethernet set [ find default-name=ether1 ] name=ether1-WAN set [ find default-name=ether2 ] disabled= yes name=ether2-LAN set [ find default-name=ether3 ] disabled= yes name=ether3-LAN set [ find default-name=ether4 ] disabled= yes name=ether4-LAN set [ find default-name=ether5 ] disabled...

anav

Where is the full config, firewall rules etc............ Your diagram is confusing is this all on one device the router, or do you show it being attached to a switch (you state uplink and bonding but to what etc...) If connecting to a switch is it an MT switch? Normally one uses a single trunk port ...

anav

I was referring ONLY to the display vlan1, where you only change the port from U to Nothing (no affiliation) for any ports that are untagged (access ports for other vlans). In addition you would need to change the pvid of that port from1 to the untagged port vlan id. For review post pages for each v...

anav

Yes. /ip firewall address-list add address=DYNDNSURL (like mynetname.net) list= MyWAN /ip firewall nat add chain=dstnat action=dst-nat dst-address-list=MyWAN \ dst-port=xxxxx protocol=abc to-address=ServerIP Check for yourself, in the IP firewall address list. you will see it automatically creates a...

anav

MKX you need to watch the psychedelic videos from Viktors!!

anav

What ranges are you getting and speeds, and how does it hold up with heavy rain or snow??
Is the 5ghz backup good, what range??

anav

Do not have or endorse this product but looking at the product page it may be the quick and easy solution. https://mikrotik.com/product/wireless_wire_cube_pro Powering it at the far side will be the challenge but you seem to have some ideas. What I dont like is that within the same website they prov...

anav

But I had 0 problems with new wAP ax so far. They are rock solid

Just to be clear, you are not using them as paperweights?

anav

I am more curious as to what Normands is thinking.....

Attempt1: I forgot my schnapps in the car.........
Attempt2: I always have my hand in my pocket to protect my manhood.....
Attempt3: Where is the bathroom?
Attempt4: Why did I volunteer to attend this event for Viktors......

anav

Why would you want to hinder progress on cloudflare ????

anav

Ahh that makes sense! Understand good plan still to netinstall fresh firmware 7.16.2 prior to do anything else. Then install a basic firewall setup. Then connect to the internet. On the router, in the wireguard setting, establish a listening port ( this is an accurate word in the case of the device ...

anav

The only times that one needs to use a hybrid port is if the offending attached device a. accepts ONLY the untagged data for the main connection and a tagged connection for other connections. ( an internet phone where the untagged data is for the phone and the tagged data is for a connected PC ) b. ...

anav

To be picky its the hap ax lite LTE6

What do you have at home? MT router? Public IP, or ISP router that can forward port to MT router??

anav

Wireguard does not support multicast, and mDNS needs multicast... so not possible. The mDNS support in 7.16 is just an "mDNS repeater", so the resulting "repeated" multicast can not be forwarded over WG. And why I've long argued that /ip/dns should act as mDNS/DNS-SD "Disco...

anav

One bridge,
identify all the data vlans required and one management vlan ( unless you intend to use one of the data vlans as a trusted vlan)

viewtopic.php?t=143620

anav

viewtopic.php?t=143620

anav

Corporate IT should be able to assist.

anav

To setup vlan filtering on both RB4011 and CAP products use this guide: --> https://forum.mikrotik.com/viewtopic.php?t=143620 Recommend for each MT device you do the config from a safe location, namely an off bridge port. So in case of Caps, use ether2 off bridge, on RB4011 use ether8 and remove fro...

anav

Read the reference again and watch the video again.......
viewtopic.php?t=143620
https://www.youtube.com/watch?v=YLtGQAQ8iS0

Devices (switches APs) should only get IP addresses from the trusted vlan ( for their own IP )

anav

Maybe there are two admins??? So you have an unknown VPN on your router??
I would disconnect from the internet and netinstall the latest firmware to be on the safe side.

anav

In plain english, the recursive checks if you can actually reach the WWW.
We have to go through the closest hop as that is what we know. what in between is immaterial.
The key is can the route reach the www, if not switch to WAN2 etc....

anav

Seems okay on a quick look. what is not currently working???

anav

Well if you ever need me to ping your router and let you know its not available let me know LOL
Just make sure to give me a non-MT dyndns URL LOL, seems like the MT ecosystem is vulnerable to shenanigans.

anav

Tongue in cheek Chaos, of course you guys (real IT and not homeowners) are stuck with dealing with such stupid setups such as below: A use-case for such functionality would be for example when having two uplinks (eg DSL modem/routers) with conflicting IPs, that you cannot control/change their subnet...

anav

Was just poking you in the eye LOL.

anav

Hi Mozerd, I believe that is what the OP has done in fact. Each pair of routers A,B A,C A,D A,E and A,F have their own wireguard connection but are able to initiate a connection in both directions so each has endpoint address, endpoint port and keep alive set. I would assume each of the interfaces h...

anav

Well the default setup out of the box is secure so, its not a matter of not locking it down you undid something that caused the router then become open. I hope you used netinstall to put 7.16.2 on the router, and if not, not interested in assisting until a clean version of firmware is installed in t...

anav

I would ditch Bruno and simply use Wireguard on the MT device. Its adding a layer of complication for no reason.

anav

Okay AMMO how does your router send you an email when your WAN goes down ;-PP

anav

masquerade rule already exists above with out-interface-list=WAN. You do not need another masquerade rule is the point, unless you have a specific VPN outgoing that needs to be masqueraded. ONLY the to-port can be removed if same as dst-port. ( the dst-port is mandatory LOL, the router reads the dst...

anav

BTW: No one is more astounded, perplexed, and disoriented by the persistence of NYC's desireability than me (lifelong, multi-generational NYC'er). That's my soap-box response to your coffee comment. That is to say, coffee (and everything) is much better elsewhere. Nonetheless, anytime you're in the...

anav

What type of ISP connection is the primary......... Recursive allows one to verify www connectivity General format: /ip route add checkgateway=ping distance=1 dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=main scope=10 target-scope=12 add checkgateway=ping distance=2 dst-address=0.0.0.0/0 gate...

anav

Hosting your own mail server is a very bad idea......I suspect that may the cause of people getting shut down by their ISPs abuse on port 25. Port 25 is often used to spam email and ISPs shut it down. Work arounds, dont attempt to be everything. Have your mail server set to something else..............

anav

So brand up wifi AP up top ( is it smart or dumb, brand/model )
Switch to far right ( managed??? brand/model )
wifi bridge device bottom (brand/model)
wifi APs very bottome smart or dumb (brand/model)

anav

Note: Routing rules works well for a small group of IPs........... or entire subnets,
however if the number grows to big, then mangling will be used to replace routing rules.

anav

Sure thats very logical. THe problem is how to do that depends on the current setup. If it was connect to router A via wireguard and then over existing tunnels go to any other device or any other LAN on any device is TOO easy. This assumes device A is the server for handshake, and device B,C,D,E,F a...

anav

Well it all depends doesnt it. Do you wish to be able to reach all devices by accessing one MT device in particular, or do you want to be able to reach all the configs when connecting to any device. The hub and spoke method you didnt use, makes connecting to all device stupid simple as one connects ...

anav

Thx for the clarification. By the way, could you find a smart way to add rules such add chain=dstnat action=dstnat src-address=192.168.88.5 dst-port=53 protocol=udp to-address=198.18.0.1 add chain=dstnat action=dstnat src-address=192.168.88.5 dst-port=53 protocol=tcp to-address=198.18.0.1 But inste...

anav

Other routers?? Can you provide a network diagram to see what is in play!

anav

post the latest config, so that one can investigate.

anav

Because its a function of ensuring the path through the 3rdparty provider from the single PC to the Www is working properly MTU wise. Nothing to do with bridge. Also note an improvement on the schema already provided:\ /ip nat add chain=dstnat action=dstnat src-address=192.168.88.5 dst-port=53 proto...

anav

Can you forward a port from the ISP router to the mikrotik.

anav

Your answer is too vague to be of any use.

Describe the traffic,
USER A,USER B, USERC< from external wants to do what!!
Identify users and describe traffic needed.

- config 750
- config RB5009
- reach servers on LAN of 750
- reach servers on LAN of RB5009

anav

To prevent leaking is difficult as the rest of the router goes out the normal local WAN. To accomplish no leaking try this.......... Option1: If 3rd party provided a DNS address to use........ /ip nat add chain=dstnat action=dstnat src-address=192.168.88.5 dst-port=53 protocol=udp to-address=198.18....

anav

Can you confirm what the 3rd party provider gave you for information Apparently besides endpoint address and endpoint port and private key to use ( so same public key is generated for their end etc...) Specifically ip address of 100.96.1.09 was given, DID they provide anything else? I see you have n...

anav

What is the purpose of the LAN on the CHR?? Are you using the CHR as WAN2 for the RB750 ??? Are you port forwarding to servers on the RB via the CHR connection ( through the wireguard tunnel between the two devices ) Are you using the wireguard tunnel to remotely connect to both RB750 and RB5009 for...

anav

Concur jac, that learning is important. If the OP takes the time to understand each line of the completed config and what it does, the learning will come. 1. In terms of the config the offbridge settings are in three places ( plus remove from bridge ) a. name the ethernet port ( OffBridge4 ) b. add ...

anav

As per my recent post above, cat, was working on it this morning and got caught up doing other things... I am avoiding using the prefix thing for several reasons. a. there is a bug when you do modifications after the fact to the prefix rules that do not actually stick on the router ( what is shown i...

anav

What is the purpose of Wireguard? Is it for your remote devices to access the router and LAN while away or are you connecting to some third party vpn to access internet somewhere else.?? Will assume the latter case!! Fixes: 1. EDIT, nm this is okay 2. These rules make no sense the first rule says --...

anav

This is basic vlan filtering........ Read the bible (has examples for both switch and router) --> https://forum.mikrotik.com/viewtopic.php?t=143620 A decent video for switch -- > https://www.youtube.com/watch?v=YLtGQAQ8iS0 I will hold you responsible for reading and applying the above knowledge. :-)...

anav

Can you forward ports from ISP modem/router to the mikrotik??
What is at the other end of the VPN connection? You have some unknown local brun device whatever it is handling some sort of VPN behind the MT.
Is it a router, or what? what kind of VPN does it have.

anav

It would appear the zerotier network assumes default port number which does not appear changeable as that may be set on zerotier servers?? However they also communicate on two other ports, a random high number port based somewhat on zerotier address and also another high random port number if you pe...

anav

1. Establish basic requirements a. one subnet for HOME b. one subnet for HOME wifi c. one subnet for IOT (such devices should be separate from home users ) d. one subnet for guest wifi (obviously should be isolated from rest )' It would appear that you need three vlans ( as home wired and home wifi ...

anav

Hi Cat, Sort of, note that one should be accurate when possible and for example for traffic to the router we dont even use prerouting --> input chain and output chain PCC traffic is coming from the LAN marking connections (forward chain) THe mark routing is YES, prerouting chain Similar to traffic t...

anav

Fixed thanks! ALso this: I only want to access those ports from lan, not for internet where I didn't make an entry, for example samba share. You still need the same structure as the rest of the dstnat rules! If you want to limit to LAN only, then add a qualifier. add chain=dstnat action=dst-nat dst-...

anav

post your config if you want it reviewed/improved /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. ) The reference is good follow it for success. One other thing I do for configuring vlans and bridge is to take a port off bridge lets say ether8 /inter...

anav

Well I took a look at the config and your dstnat rules are all over the place. If you are using a DYNDNS name to describe your WANIP, why not use mynetname from IP cloud. In any case if using a DYNDNS name one does NOT also use in-interface-list=WAN ( one or the other ) a. in much of the dstnat rule...

anav

Note the config added in post #10. Look at the entire config first, then go line by line and write down any questions you have for posting. I am not 100% sure of the syntax for the IP static DNS... The idea being that anyone putting www.schoolweb.com in their browser would get directed to the server...

anav

That is how MT works.
Any port forwarding will show up on scans but will have status as closed. ( NORMAL! )
Any port forwarding with also a source address or source address limitation on the dstnat config will be invisible on scans.

anav

Hmmm,,,,,,,, I suppose as long as the config contains the endpoint address and endpoint port for the Cloud relay. Manual in any case.

anav

You cannot. The BTH feature is for individual devices only ( smartphones, ipads, laptops, PCs ) If you have two wireguard devices that you wish to connect together, then, a. change one of the ISPs so that you can get a public IP either on the MT itself or at least on the ISP modem/router where it ca...

anav

MikroTik is just acting as a switch between router and the AP. No wifi on the MikroTik itself. I tried to follow the configuration in the reference post and it just turns off internet access on all the ports so that's why my configuration is the way it is now. Just that the access point is only abl...

anav

Remove router serial number and switch serial number from posts made of configs. SWITCH model = CRS328-24P-4S+ # serial number = DNACHSOS4 /interface bridge add admin-mac=08:55:31:20:4A:06 auto-mac=no comment=defconf \ ingress-filtering=yes name=bridge vlan-filtering=yes /interface vlan add interfac...

anav

ROUTER: model = RB4011iGS+ In summary sort out why the subnets you use in various places dont match the address subnets ???] Not sure why you show ether2 being tagged for both vlans, You never noted what is connected to ether2 ???? I will asssume for now its some other kind of smart device and not a...

anav

The switch should tag the traffic coming from comcast on a single vlan and carry it through to the trunk port to the router. The router simply needs to terminate this vlan on the WAN settings be it DHCP server, or pppoe etc.... On the trunk port between them are also a. the management or trusted sub...

anav

What do you mean ether4 is connected to LAN, one port serves the whole school, every cable spliced off a single cable???
Or is LAN a brand name for a managed switch??

anav

Due to the lack of network diagram and overall clarity. Is the mikrotik device simply between the main router and the AP. ( a switch only, no WIFI) So the mikrotik gets a trunk port on the router with lets say 3 vlans, managment, homewifi guest wifi etc... Or is it doing wifi as well. THere should b...

anav

Really for proper security they can OPT IN, and in a few easy steps compared to all other methods have access to the internal school info while at home or NOT and have to go to school to access. WHat router is it that you will have for real ( model, firmware )............ how many ports? What is eth...

anav

Well from a security perspective http is a very bad idea. In that at some point you have to login...... then you probably have a simple username and password login which in 2025 is not the way to go. So it depends if you have third party authentication etc........... How that is done, is the key. ??...

anav

Some clarification required. f. Is it one office PC that needs to be static or one printer that needs to be static. And the reason give doesnt make sense, 'due to scanning of printer' Do you mean the printer is also a scanner? Do you meant the printer initiates a search?? Do you mean the printer nee...

anav

As noted, if its a switch why are you configuring it like a router ( no pools required )
The only vlan that needs to be defined is the management or trusted vlan where the mT gets its IP address from.
Find the appropriate example here --> viewtopic.php?t=143620

anav

Its not a matter of like or dislike, its a matter of meeting requirements.

anav

There is no need to use hybrid ports unless dealing with ubiquiti etc.. Classic error, once you go vlans, DONT mix bridge with DHCP. Whatever subnet you have there just assign it as a vlan and then complete the config. Ingress filtering should be yes on every port and frame types be either vlan tagg...

anav

You need to disconnect from the internet and implement at least the default firewall ASAP because now you're an open door to the world. After that we can talk about port forwarding (allowing access to internal service through public IP) That is the intent of CO-PILOT, to CO-OPT every mikrotik new u...

anav

Very doable we help users all the time achieve success, As noted, please post config for starters. /export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, long assed dchp lease lists etc.) I would not comment further also without knowing the requirements in more...

anav

Three other considerations. Do you want the guest users on 2.4 to see other guest users on 2.4 Do you want the guest users on 5ghz to see other guest users on 5 ghz Do you wan the guest users on 2.4 to see guest users on 5ghz. IF NO. a. on wifi create datapath1 and check client isolation. then on wi...

anav

Changes to your config. 1. You have guest wifi but no subnet for the guest network so that has been added. 2. Recommend to not use bridge filters to control traffic, use standard ip firewall filter rules (bridge filters are for advanced users for niche cases). 3. So the solution is one of two choice...

anav

I would not comment on a config without knowing the requirements a. identify all the devices/users, groups of users, external and internal users including the admin b. identify the traffic they all require c. be sure to cover any port forwarding or VPN traffic. d. detail WAN setup, how many type ( s...

anav

You can also ask Admiral for support they are supposed to be expert at applying their platform on mikrotik appliances.

anav

No there is a little pull out tab on the ax3 if I recall correctly.

anav

This --> You can even combine the approaches, where rules in raw drop packets whose source address matches an address list, and rules in other tables populate that address list Speaks to creating lists of addresses to block. I prefer knowing the incoming source address but you did give me additional...

anav

I think you are confused...... Either the item is a switch or a router MAKE UP YOUR MIND. If its a switch the only thing the device can do is point to the gateway of the trusted vlan to get NTP itself, the MT device. Getting Time to devices on vlans is the responsibility of the main router. Do you h...

anav · Re: Trunking a vlan ,,,,,,,,,,,,,, Screenshot 2025-01-03 122746.jpg

,,,,,,,,,,,,,,

Screenshot 2025-01-03 122746.jpg

anav

What do you mean exactly?? ETher1 is simply capturing the internet traffic stuffing the untagged traffic into vlan187 through the hex and bringing it to your router to be terminated as vlan187 traffic. VLAN 18 is your managment subnet and also your main subnet. The hex gets its address from here. Yo...

anav

Why, network better -- dont create overlapping subnets............
Wireguard works just fine, if done properly.
(caveat home user, dont support real work)

anav

I agree nichky, seems like people just dont know how to use wireguard properly

Truth be told I havent used VRF but I think thats a BGP issue. Attempting to use BGP and wireguard VPN .........

As to my first statement, dont use overlapping subnets ;-PPP

anav

Draw a diagram of what you wish to achieve! There are so many what ifs in your description, its hard to pick out facts from fiction.

anav

If you can point out where the mistakes were or where the corrections were made it will help others.

anav

sure if you do it thru the router, will take you to 7.12 first, if you do it manually go to 7.12 first, then 7.16.2.

anav

I only know so much, more to learn.

anav

cat12 are you better than AI>>> COpilot copying does not equal learning!!

anav

We cannot change how RoS works..... As for filtering the forward chain typically should have a rule like. add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat There is no security settings done typically in dstnat rules. However, if you wish to limit extern...

anav

Remove serial number from your posted config!! Ether3 has to be a trunk port carrying all vlans between hex switch and Router. Ether1 and Ether5 are access ports, untagged as required when leaving the port. I dont understand this nomenclature add address=10.87.2.28 /28 interface=MGMT_VLAN network=10...

anav

You have yet to respond??? As this made no sense to me I had to assume some NAT on the fortigate and thus the config of the two mikrotiks will link the two fortigates as you requested. Its simply a matter of proper configuration of the two Fortigates to ensure the traffic arriving at the Fortigates ...

anav

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

anav

Sure, get the AX3 router and use the hex as a switch, or if just looking for an AP only choose between capax (indoor) and wapax (indoor or outdoor).
If you want wifi7, keep the hex and look at tplink wifi7 products.

anav

Clearly the OP wants some degree of separation between the subnets and a way of accessing the APs from a management perspective.
I am of course leaning towards vlans to do so.

Before going down any path, are these smart or dumb APs.......... ( brand and model )

anav

Yup there are going to be some hicckups along the way for sure.........
Now time to go to 7.16.2 LOL

anav

Before fixing the config, Is the ISP giving you two WANIPs ??? WHY the second router doing pppoe. ( why do you need it, all could be done via hex for example ) Is the hex acting as a switch or router? I am thinking without a proper understanding of the setup and your intent, this could be a chasing ...

anav

At least they had the decency of NOT calling it "Mikrotik 365" :wink: . Luv it! If I was a betting man, I would say its been orchestrated by Cloudflare, for what purpose I do not know, but I swear I did not bribe them to do so, in order to get MT to capitulate and put zerotrust cloudflare...

anav

It’s a lucky dip if it’s online when I come on here. Brings a bit of excitement and variation to my day.

Did you buy a boat yet............ I hear all the excitement one needs is the free water Brits are getting.

anav

Actually mostly asking cause it pains me to see Sindy guessing. ;-) @sjoram has been around for a while, so I figure he enjoys the journey as much as the goal, so I play along. Yes, thats why I thought a round of jousting would be entertaining. But not around for that long, the lad looks to be abou...

anav

It was asked nicely to see the full config to make a proper assessment using facts and evidence. Like it or not, MT config elements are interrelated. No one is asking to see anything revealing. /export file=anynameyouwish (minus router serial number, any public WANIP information, keys, long assed dh...

anav

Still could help to have a look at that topic.

Amen to that brother, a vlan is a vlan except when using RoS and then mysteriously people get confused.

anav

As usual, without the context of the config, and often a detailed network diagram, the chap from essex wants to play whackamole. Perhaps being waterlogged has clouded the approach! /export file=anynameyouwish ( minus router serial number, any public WANIP info, keys etc.) ( for BOTH mt devices ) Act...

anav

Simplify, have main router provide all vlans and rules etc. Use wapAX simply as a switch AP, the objective of giving one branch of office isolated access to internet is accomplished. This simply means a vlan only for them and the MT device gets an IP address from the trusted vLAN. ONE BRIDGE, rest ...

anav

I could try but do not understand your setup. What seems to be true is that there is an upstream ISP modem/router that provides you with a private IP address. For some strange reason you are feeding a cisco switch instead of the RB5009 directly. Not sure why you are having multiple links from the sw...

anav

Perhaps never expire is not an option??

anav

Copying is not learning, but glad you have success.

anav

sounds like bad scripts,,,,,,
Do what rextended recommended

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, long dhcp leases etc. )

anav

Not required, all the support I can provide has been given.

anav

As long as your not in a rush, I may be able to assist, via discord, or skype and anydesk etc...
Just contact anav_ds on discord,

anav

That is correct, what you did was employ loopback NAT or hairpin NAT. This can be solved by simply moving users or server to a different subnet/vlan. Since these cost nothing, it something I would certainly do. LIke a shared printer, I put those on their own vlan for best security. However, the rule...

anav

Sindy is the expert, I am just learning.
However, his level of genius is not always needed for basic config issues.
I am searching for the big lump of cow poop in the haystack, his eyes are trained to look for needles....... He might not even notice the cow poop LOL
Unless its very fresh

)

anav

I think the firewall rules are fine because other files, even bigger, are working and I have more or less the default/factory firewall rules. Any hints to help me? The answer is the same as always, you can think what you like and give an opinion but we need the facts...........(evidence - aka FULL ...

anav

First of all why the heck are you paying for and using managed switches if you just have one vlan, aka one flat network. Big waste of money and time configuring................... and even have a second CRS326............... In any case not interested in supporting such a whacko concept, but will pr...

anav

In a vlan filtering scenario, when a device is acting as a switch or AP switch only the trusted or base vlan needs to be tagged in /interface bridge vlan settings. As for untaggings, technically nothing needs to be untagged if the pvid has been entered on the port in /interface bridge port settings ...

anav

Why dont you ask on the gigafast forums, this is a mikrotik forum ( note there are no gigafast specific settings on MT devices ).

anav

Sure, based on the evidence presented, buy a new 5009 and it should work out of the box. Dont touch anything after as it seems you have the kiss of death.
Will send you a prepaid package for the 5009 to my address.

anav

p.s. my guess about previous problems is that UniFi AP be need to connected to BASE LAN, not BLUE as I do at first. Stated clearly in post 6 of this thread............ First: Please remove router serial number from your post! Second: Config is incomplete, the base subnet is missing typical networki...

anav

Glad you found the issue and its resolved and also to re-affirm for the gazillionth time that the config is interrelated and relevant to review.

anav

Yes! One create as many vlans as required. For management or base vlan you can use a trusted home vlan or a separate one. The CRS will get an IP address on this trusted vlan For vlan setup check out the appropriate example here --> CRS326-24G-2S+RM For decent vid on the topic --> https://www.youtube...

anav

Nice to know at the last minute that the server is directly connected to the ONT. That is a slap upside your head moment. So besides two bizarro connections from the MT to the ISP device, you have a third ISP connection directly to the Server. Suggestion, remove connection directly to the ISP device...

anav

I believe he is just reposting...from here............. should keep it to one thread!!!
viewtopic.php?t=213562

anav

Sindy is extremely factual and kind.
I am neither ( more like logical and blunt ), it is plain arrogant of you to assume you know what or what shouldn't be presented ref the config.
If you were so prescient there would be no need to come here and ask for help would there ??

anav

edit: duplicate removed

anav

Please use [ code ] tag under </> button in the editor instead of quote one. If you use forum theme like "silver" one then your posts are more than half a meter/several screens long :). Code tags do the job for every theme. You can always do cut out most of the quote and leave the crucial...

anav

When you post full config on both
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)
I will gladly address some of the errors shown.

anav

One option: use source address list on dstnat rule to make ports appear closed on scans and of course limits access........ ( external wanips can be spoofed ) Second option: have users wireguard in to the router and then access servers Third option: Future case when Mikrotik adds zerotrust cloudflar...

anav

Purpose of your wireguard network??
Only one end needs to act as client SERVER for handshake.......... which one?

anav

Well when you have a real network, I may be of assistance. Not going to chase fake GNS3 musings.

anav

Suggest full config for review is optimal, not into guessing.
/file=anynameyouwish (minus router serial number, any public WANIP information, keys etc. )

anav

1. The first problem I see is that you have both an IP address for WAN on ether1 AND a dhcp client on ether1. It cannot be both!!! If your certain about the IP address disable the dhcp client. 2 Suggest changing this default rule to three rules which are clearer as to the functionality and a bit mor...

anav

Is this CHR in a cloud somewhere or local to you???

anav

If CHR, you are probably safe removing firewall rules at least on the forward chain, I would keep all the input chain rules. already provided the idea of only allowing Admin relate IP addresses to access the router for config purposes.............. how you want to move forward is up to you. Just don...

anav

What I would do is use vlans from the getgo on the first MT. Trunk POrt to AX lite ( acting as an ap/switch ) Ax lite ether1 - trunk from MT router ether2 -Access port to dumb switch one which feeds PC1 LINUS and PC2 ether3 - Access port to dumb switch two which feeds Wifi Server and PC3 OFF BRIDGE ...

anav

Should be good as is, will take a quick peek. Yup all secure! 1. Not wrong but I prefer to be clear about all settings /interface bridge vlan add bridge=Bridge-LAN tagged=Bridge-LAN untagged=ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN,Wifi1-5ghz,Wifi2-2.4ghz vlan-ids=10 add bridge=Bridge-LAN tagged=...

anav

Late to the game but I see you need rescuing LOL Assumes the management subnet is being sent to the MT as vlan and I am using vlan11. Ether8 is not the managment subnet is the same subnet so taking this as an offbridge safe place to do the config etc. DCHP client should be disabled!! ..................

anav

Does the Mikrotik get a public IP??
Are both switches, managed (smart devices)? If so what brand?
Why do you have the AX lite acting as router instead of an AP/Switch ???

anav

Everything looks decent so will focus on firewall rules....... Keep it simple............ Also missing entirely any forward chain rules!! EDIT: Also noted, nowhere do you assign a local IP address to the VPN ????? One should keep rules in a proper order and for organization purposes and easy trouble...

anav

Use wireguard if you have access to a public IP, or can get a port forwarded from upstream router with public IP.

Oopsie, of course one would have to upgrade the router firmware out of the stone age.

anav

Main Router: You have no LAN structure for bridgecast and thus I dont expect any traffic on ports 3,4,5. Why do you keep putting full info on the wireguard settings?? PLUS THE ONE FOR THE DEVICE IS WRONG........ the only source IP coming from the device is its wireguard IP address!!!! On the server...

anav

Post both configs
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc. )

anav

Mozerd I think your saying one wireguard interface and simply use two IP addresses for each purpose with same interface name.

anav

Thats why I put separate names so that you can see if all four are being seen.
It must be something else in the config, will look at it later when I have time.

anav

Routes are incorrect...... From /ip route add check-gateway=ping comment=WAN1 dst-address=0.0.0.0/0 gateway=192.168.18.1 routing-table=main scope=10 target-scope=12 add check-gateway=ping comment=WAN2 distance= 2 dst-address=0.0.0.0/0 gateway=81.134.176.1 routing-table=main scope=10 target-scope=12 ...

anav

Cannot help further without some context. Draw a diagram showing the devices at both ends of the tunnel. Also the full config of the MT and the second device if MT and if not at least the wireguard settings minus any actual public WANIP information or keys. /export file=anynameyouwish ( minus router...

anav

First thing I would do is take ether2 off the bridge, give it a unique IP address add it to trusted interface list and then plug in laptop to ether2 with 192.168.56.2 set on IPV4 settings and then do all the config from there, a safe spot. example: .................... # model =MTwifi /interface bri...

anav

Can your mikrotik access a public IP, or get a port forwarded to it from the upstream ISP router? Additionally what is the flow direction of the VPN?? External customers from everywhere to reach machines? External router to reach machines? Local Machines to go out internet of another router? Local M...

anav

You should really prescribe to vlan filtering but will focus on other things for now. 1. You have three bridges but only use two, so get rid of LAN-Bridge! 2. The second MCAST bridge has no structure, IP address, pool etc........but will ignore that as well. 3. You do not understand how wireguard wo...

anav

Okay so WAN1 works as is.... Suspect for WAN2 you will need the same thing. So see if this works........ a. a similar script to capture the change of IP address ---> find comment=\ "PPOE-Wan \ b. put the current pppoe gateway in on the config so it would look like... /ip route { main table rout...

anav

if you want help post the config not snippets or jpegs
/export file=anynamwyouwish ( minus router serial number, any public WANIP information, keys etc. )

anav

To be blunt, doing what you propose would be plain dumb. If you have a public IP address ( or can forward a port from the upstream ISP router ) you can use normal wireguard. If you get a private IP and no other options BTH wireguard by MT is an excellent option as noted. How do you wish to proceed. ...

anav

I was sticking as close as possible to the budget margin of the OP!

anav

Still confusing. If the Foritgates have no NAT, then how does it get an IP address from the MT, and yet have other subnets behind it???? I think the idea is to push the data to the fortigates and let them deal with it. So Removed the Port forwarding (dstnat) and doing it through firewall rules and r...

anav

Good questions! I believe this should address the dynamic nature of the WAN1 gateway as per your script!! When installing the config the for wan1 use the actual current gateway IP . The script you made will keep the routes up to date. /ip route { main table routes recursive } add check-gateway=ping ...

anav

First: Please remove router serial number from your post! Second: Config is incomplete, the base subnet is missing typical networking items, ip pool etc..... THird: remove or set to NO the ip bridge firewall settings! This is an advanced menu that is normally not needed. Fourth: Normally "allow...

anav

Post both configs full
/export file=anynameyouwish (minus router serial number, any public WANIP information, keys etc. )

anav

My question is on these devices with bridge vlan filtering, is what will the performance of vlan to vlan traffic be, when typically access between vlans is done at Layer 3. So for example with the CRS309 what will be: a. the speed from user on ether4 to user on ether5 if both are on same vlan. b. th...

anav

Jaclaz helped me figure out that ROS is actually being written in "WHOVILLE" and Normis is actually The GRINCH!!

anav

The reference is excellent. ONE BRIDGE Once you go vlans, dont have the bridge handle anything (no dhcp) so whatever subnet you had on the bridge assign it a vlan...... Advice; Take one port off the bridge (at least temporarily) give it an IP address and do all the configuration from there for vlans...

anav

I would get another hex as I dont really like the 260GS, the other option seems very cagey.......

anav

Post your config for review
/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc.)

anav

THere is no need to provide two wireguard connections...... Simply use WAN1 and if WAN1 fails wireguard has the capacity to move traffic to WAN2 for any current connection. HOwever if someone attempts to establish a tunnel while WAN1 is down, then having the backup is a decent option but let them kn...

anav

Why is CHR necessary just for Wireguard peer? It can be setup on Linux running on cloud server and save some money for CHR licence. Once setup on Linux is created, image can be made of it for reuse. Initially some time will be spent to create setup, but later it should be more faster and charge mor...

anav

All the best to you and your loved ones in 2025 there AtomD.

anav

Diagram and requirements needed to assess if your config actually works a. identify all users and devices , external and internal, including admin b. identify all traffic flow required. c. detail WAN situation public private, static dynamic etc......... Would not even look at your config without kno...

anav

To be clear, what comes directly out of the ISP router. a. a public IP to terminate on the MT b. a private IP on the ISP router LAN ( seems to be the case, and if so what IP has been given to the MT router ) c. What is the purpose of the switch?? Do you control the switch? Type of switch....what els...

anav

Most excellent. The work needs to be done at his/her end to some extent. Basically on the CHR /ip firewall nat add chain=srcnat action=masquerade out-interface=wireguard-interface-name add chain=dstnat action=dst-nat dst-address=CHR-IP-ADDRESS dst-port=ServerPort protocol=??? to-address=ServerLAN-IP...

Search found 22337 matches