MikroTik

anav

Hi Mozerd, I attempted to rejig the Wireguard GUI in winbox 4 and supplied the advice to MT as you can see here. https://forum.mikrotik.com/viewtopic.php?t=215684: The response I got was not enthusiastic as the peer page was too busy etc. So I resubmitted a simplified approach. SEE post #7 for simpl...

anav

A good network diagram will help planning as well....

anav

The example provided is a bit confusing. - why include ports 5 through spf-sfpplus2 if not relevant (not being used) - then I see sfp-sfpplus1 is being used but no indication its a trunk port ( frame types or comment missing ) which is inconsistent from the other entries........ - why are you missin...

anav

https://www.spiceworks.com/tech/networking/articles/network-switch-vs-router/ Clues to you are routing. -DHCP -WAN and LAN -NAT -all subnets have an address -need firewall rules (layer3) Switch..... Single Ip address provided to switch setup is primarily about vlan traffic only management or trusted...

anav

I would go a step further, why are people making excuses for a chap thats willing to spend $600 without research and where the nomenclature NEVER stated cloud router. Go to the switch section of mikrotik, pull up the applicable switch page and I bet you wont find mention of cloud router!!!. Would as...

anav

Since you didnt bother to post config, Im outta here good luck. Others have more patience than I.

anav

Yeah much too busy for me to look at in any detail and wont bother until cleaned up. I did note that this is wrong. add allowed-address= 0.0.0.0/0 client-address=10.194.91.2/32 client-endpoint=xx.xx.xx.xx client-keepalive=10s \ client-listen-port=13834 interface= wireguard_1 name= public-key="&...

anav

I have a 650 myself but plugged into a socket using the adapter ( luckily my wall mount is close to an electrical outlet on the other side of the wall.) I have used injectors with no issue on other tplink and MT access points. https://www.canadacomputers.com/en/power-injector/188906/tp-link-tl-poe16...

anav

While waiting for the diagram, if you have users in the same subnet as the servers and they are attempting to reach the server via domainname/url then the easy fix is a. change server or users to a different subnet otherwise b. need a hairpin nat rule /ip firewall nat add chain=srnat action=masquera...

anav

Would need to see MT config
/export file=anynameyouwish (minus router serial number, any public WANIP information, vpn keys )

The wireguard info you were given to connect to the remote wireguard site.
( minus endpoint address, keys )

Diagram of how all the pieces are connected would be useful.

anav

If your considering WIFI as a factor then get a hex refresh (or better router) and tplink or zyxel wifi7 APs. No point IMHO of going anything less than wifi7 at this point. By the time MT figures out the dogs breakfast of wifi packages and capsman, wifi8 will be out. In other words, dont tie your ro...

anav

seppuku may be less painful

anav

Hi Ammo, Im assuming the distinction was soley at the LAB Rb 5009 regarding changing the Bridge settings ( and not the CRS326 which I am assuming are set at vlan-tagged only on bridge itself ) .... romon.jpg The admins work around was to ignore the ethernet connection and connect to an AP behind the...

anav

Truth be told you are brave and I am a coward......... when it comes to capsman implementation.
Also, you didnt learn anything from me as I dont know anything, but I have successfully passed on information other 'real' experts provide.

anav

Well based on the avatar, I guess that post could be considered a dud! ;-)) So what is the summary on why RoMON does not work here? I lost track of the conversation. The OP was trying to use romon from on a PC behind a second rb5009 (that was giving the lab 5009) a WANIP on its flan LAN, to reach t...

anav

There is nothing about setting up a router for security that is different at home or if travelling.
So ensure on your PC you use vpn for internet and if not at least VPN on the browser or AV software.

anav

Well the problem could still be the config, which you have refused to provide. There may be some collision with the box protocols and the MT config for example.

anav

When you get tired of capsman, I can help get it working....... Its more pain that its worth IMHO. In fact it takes over the config like effing egg plant in a garden.

anav

Well based on the avatar, I guess that post could be considered a dud!

)

anav

Maybe the separate box, does not follow protocols properly?? Bad cables??

anav

Hi Sindy, I dont think the OP has a problem using ROMON when behind the LAB 5009 to reach the connected CRS326 also part of the lab network. The OP, although didnt provide the pertinent information or the pertinent config, only disclosed the fact that he was actually behind another 5009, that provid...

anav

Sure/
--> https://help.mikrotik.com/docs/spaces/R ... 211299/NAT
---> https://www.youtube.com/results?search_ ... airpin+nat
---> search.php?keywords=hairpin+nat

anav

There are many factors involved here. a. how often does the main internet go down? b. what throughput or level of Cellular performance is good enough c. what level of wifi connectivity is good enough..... What is shocking to me is that as the IT person of this network, states that that there was a f...

anav

I would have a home MT router, and use the travel router to use the MT router internet via a wireguard tunnel. There is no special sauce be it on the road or at home to keep the traffic as secure as possible. A layered approach works, so if you dont vpn into home use a vpn on the connected devices, ...

anav

Hard to day without seeing your 5009 config
/export file=anynameyouwish ( minus router serial number, and any public IP information)

The router should be transparent to the device and its connectivity through the internet to office site using the office vpn.

anav

We are going to connect the PC on the master router to the lab router directly on vlan32. So ensure vlan32 is associated with ether1 as well, on the lab router. To facilitate the idea, lets say on the master 5009, its etherport YY that you have connected to the lab5009. Further, you have our pc on t...

anav

Only stating there was a second 5009 at play at such a late stage, and that the Romon issue stemmed from the first one to the Switch was a criminal omission. Consider yourself flogged

Your punishment is having to eat the entire plate of smoked meat served at Katz's.

anav

According to CGX, there were no shortcomings to using bridge itself vlan tagged, so I hesitate to completely swallow the information provided by AMMO and maybe in-between is a more accurate answer???? It would appear to me that any data from a PC trying to talk ROMON that is assumed to be on the man...

anav

Who told you this............... ??????
I need Romon to access the CRS

its clear that even though ROMON should not be affected by vlan tag settings on the bridge itself, they are, so avoid its use is my advice.

anav

So what is now on ether7?? What is the conflict? I am having difficulty identifying the conflict. ether7 is the CRS. The config paints a conflicted story? set [ find default-name= sfp-sfpplus1 ] comment= CSS326 Hard to find ether7 tagged for any vlans going to CRS326 ??? /interface bridge vlan add ...

anav

I access all my downstream devices, ax3 ap, hex switch, etc via neighbours discovery not ROMON (via winbox)

anav

Perhaps "smart"dns was just a marketing ploy?

anav

What are you using ROMON for,,,,,,,,,that is not available through neighbours discovery?

anav

ROUTER You have a disconnect and duplication when I noted on your trusted listed you had three ports ( vice just one trusted offbridge port ) identified. The fallout of that is 1. a. in ethernet interface settings you identify ether5 as the hapax upstairs, and on /interface bridge ports ( athough m...

anav

SWITCH Why are you treating the switch like a router? The only address on the switch is the one given to the switch over the management vlan32 ??? Bridge is not involved............ reminder to look at switch example: https://forum.mikrotik.com/viewtopic.php?t=143620 There is only need of ONE inter...

anav

For a secure connection suggest wireguard, assuming you have at least on public IP available at one of the routers, or the ISP router in front is capable of forwarding ports.
Alternatively use Zerotier.

anav

CGX nailed it........
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 should be pppoe-out1
WINBOX
IP menu firewall -->NAT

Sorry dont know the CLI commands to change.

anav

RoS is very for giving, many of the default settings are ALLOW by default, so unless you define what is allowed, everything is allowed.

anav

Here is one problem........ The termination of the ISP connection is done through pppoe, so the ip address entry for ether1 is incorrect, should be removed. /ip address add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0 add address=cc.220.222.dd/24 interface=ether1 network=91.220.222...

anav

What does a duck do on the router? quackNat quacknat quacknat quacknat.

fixed it for ya

anav

1. Typically the recommendation here is loose , not strict! /ip settings set rp-filter= strict 2. Lack of decent set of firewall rules, plus should be organized together in chains and in a coherent order. PLUS security infraction, one does not access winbox from external as you are attempting. Only ...

anav

/export file=anynameyouwish ( minus router serial number, any public WANIP information ) It should be quick to find the issue! also. a. confirm you are using LANIP of server to reach from LAN? b. confirm you have a public IP address (static or dynamic) OR you have an ISP router that has a public IP ...

anav

Can you post your latest config on both routers.
/export file=anynameyouwish ( minus router serial number, any public WANIP info, keys. )

anav

I do not believe DHCP in general works over wireguard but there may be ways..........
Check out VXLANs and EOIP as two possibilities ( running over wireguard or L2TP to keep the traffic secure ).

anav

Would need to see the complete config, but it sounds like you want the users on your subnets to use wireguard for specific WANIPs that exist, and where they are not static but dynamic WANIPs. First, please do not use the same name for different RoS funcitonalites, aka the name of the list being the ...

anav

How you sussed that out from the information presented boggles my mind. Glad you are here LOL However, the weak point being, how does the router know that 10.72.22.200 should be assigned to the device ( assuming its now in a VLAN of that subnet structure )?? THe router knows that that address might ...

anav

I probably missed the intent entirely but why not something as simple as: If I have a device with LANIP 192.168.0.X and I want it to go out over wireguard but as 10.10.100.Y address add chain=srcnat action=src-nat src-address=192.168.0.97 to-address=10.72.22.200 AND for return traffic..................

anav

What are your qualifiers in the PCC mangle rules??

anav

Normis, massina seems to have experience with migrations, and that at least should be made aware to the admins in their deliberations. Thanks for your feedback in this thread, its really good to see!

anav

To clarify the source nat address part is STILL required. I think he is saying
add action=dst-nat chain=dstnat connection-mark=wg-wan2 to-addresses=10.20.30.40
add action=src-nat chain=input connection-mark=wg-wan2 to-addresses=10.20.30.40

anav

Interesting, as long as there is no downside, narrowing down the frame type at the bridge, is then viable would be my conclusion. Assuming you mean this is valid for both routers and switches CR3 types when using vlan filtering??? Just to be clear this does not interfere with any situations where a....

anav

The first error. 1. is quoting from your config in post #18 EDIT : and is USER OPTIONAL ( without frame limitations vlan-id1 is shown as a dynamic entry but not a concern, as well limit frame types on all bridge ports/wlans - I guess either way is acceptable! 2. is quoting from your confing in post ...

anav

Yup sounds familiar and as CGX pointed out we only need to use one LO address/interface to accomplish same.......... no need for bridge!!
/ip address
add address=10.20.30.40 interface=lo network=10.20.30.40

anav

re: ... Anyway, whatever they end up doing... I do hope they host it on their RDS ROSE server(s) as proof-point they work in the real-world. ... If I hosted this server , I would go with Proxmox hypervisors Xeon , 40-Gig or 100-Gig network cards , NFS mounts from a TrueNAS ( 512-Gig Ram or 1-TB-Ram...

anav

Looking at the diagram it would appear you have three separate networks/locations. The laptop is a remote device could be anywhere a true remote peer. The MT device is a fixed remote device. The Server is the local wireguard in this discussion. All three are not connected but all three have access t...

anav

https://www.discourse.org/about
Nice!!

Example of a forum running discourse as the engine
https://meta.discourse.org/c/data-reporting/148

anav

Speed is not all its cracked up to be, taking ones time mostly results in greater satisfaction,.......... Besides there is an error before that..... and many many after LOL 1. /interface bridge add admin-mac=F4:1E:57:2C:BE:98 auto-mac=no comment=defconf frame-types=\ admit-only-vlan-tagged name=brid...

anav

How does it relate to the input chain rule then?? add chain=input action=accept dst-address=127.0.0.1 and you are saying Then 10.20.30.40 can be used instead of both your 172.16.10.1 and 172.16.10.2. Does this mean the following. /ip firewall nat add action=dst-nat chain=dstnat connection-mark=wg-wa...

anav

Please draw a diagram, I have no clue how everything is hooked up together and to the internet

anav

Hi CGX...
What the heck is lo LOL, an existing interface on the router that is there all the time??

anav

I see no reason to use PCC, if ECMP is ensuring fair usage of all WANs ( they have to be equalish in throughput ). Maybe ECMP circa 7.18, the brewmasters finally got right....................... Better than PCC is actually load balancing which add a layer of additional mangling but you can do it bas...

anav

Well HA does not use DHCP Option codes, must have coders from the dark ages. In any case you could try something like this simple DNS pointing. IOT Subnet on R2 - 192.168.55.0/24 IP of server on R1 - 10.10.10.15 ON R2 /ip dhcp-server network add address=192.168.55.0/24 dns-server=192.168.55.1 domain...

anav

Never said it was, but to think up such trickery, you are on the spectrum somewhere ;-P You have answered my question, there is no rhyme or reason, it is not controllable and thus the faux bridge approach is STILL required even in ECMP. Thus, the answer is dont have multiple WANS, ;-) Good, so you h...

anav

What?? Well the physical port ether1 is a trunk port carrying multiple vlans to the local device. Why would you not think that vlan32 should be allowed to ingress in ether1?? A. its on the trunk port leaving the upstream device. B. its noted as a tagged vlan id on ether1 in /interface bridge vlan s...

anav

You miss the point entirely, The two options presented DHCP and DNS are to inform the iot device, what is the IP address of the HA server, not to change the local subnet IP the iot device is using. And how would DHCP or DNS be used to inform the IoT device the address of the HA server? I stated it ...

anav

I am saying I have 3 ISPs all different all relatively 1gig connections. I load balance via ECMP /ip route ( main table ) add dst-address=0.0.0.0/0 gateway=gatewayIP-wan1 routing table=main add dst-address=0.0.0.0/0 gateway=gatewayIP-wan2 routing table=main add dst-address=0.0.0.0/0 gateway=gatewayI...

anav

Hahaha, I thought it was simply my browser, I keep forgetting they use a haplite to run their website, the free schnapps in the web lounge is not helping work output either.

anav

You miss the point entirely,
The two options presented DHCP and DNS are to inform the iot device, what is the IP address of the HA server, not to change the local subnet IP the iot device is using.

anav

Sorry I meant EMP of course. Does it work during a nuclear blast in the atmosphere??? Of course I meant ECMP, you know this feature --> Equal Cost Multi-Path...... My question is germane, not dry (german), because we are not sure of how the router decides which interface/route it decides to use on t...

anav

Maybe, home assistant appears to be a dogs breakfast with differing information wherever you look. One place says the server scans the network for devices...................

anav

So lurker did you test like 3 WANS with ECMP load balancing
Basic mangle rule in wan3 out wan3 generic all traffic to WAN back out same WAN.
What does the wireguard process choose for source address in this case, alway the correct WAN?? ( regardless if you put wireguard on wan1, wan2, or wan3 )

anav

By the way, Home Assistant devices typically obtain IP addresses from the Home Assistant server through the network's DHCP server, which is usually the router, rather than directly from the Home Assistant server itself. This sounds much like the UNIFI approach where one can use a. create dhcp option...

anav

@lurker888, does EOIP really have the same handshake issue as WG, like I described above?

Since when does EOIP have a handshake, I use EOIP within a wireguard tunnel LOL, not outside of it.

anav

Not your concern mkx, its hard to keep straight incomplete questions without context................

anav

Rereading your first post, BOLLOCKS..... Prerequisites A Mikrotik router running RouterOS v7.x A Linux system (e.g., Debian) to retrieve necessary keys An active NordVPN subscription Why?? NordVPN will give you the private key to use on the Mikrotik Router Interface creation. That creates a public k...

anav

I have a better idea, why not just live in my office I have a spare chair and desk and I can setup a tent outside, winter is almost over.
Payment in good food and beer LOL

anav

Sure, the default setup is quite good, in that it is safe to connect ether1 to you internet connection and use ports 2-5 for internet. If you need more than one network on your home you will need bridge vlan filtering.. This is the best article to read --> https://forum.mikrotik.com/viewtopic.php?t=...

anav

https://www.zyxel.com/us/en-us/products ... 915-series

anav

I have seeing lots of timezones in shared configs, that also may expose your location.
And of course wifi country settings.

Good point, the somali gang members probably dont want people to know they are in Sweden.,.........shhhhh its a secret.

anav

Kid control is not really intuitive.

Have you notifed MT by a suggestion on their support website.
If not, get on with it.

anav

Why would a frame tagged with VID=32 ingressing to ether1 be accepted? What?? Well the physical port ether1 is a trunk port carrying multiple vlans to the local device. Why would you not think that vlan32 should be allowed to ingress in ether1?? A. its on the trunk port leaving the upstream device....

anav

The point being, silly goose is that Jaclaz is talking about a. the items in the config that are not already removed by RoS ( RoS removes passwords and ipsec stuff for example ) b. the items you added or router added, NEEDED not whimsically added, to make the config work, be it public IP address, ga...

anav

No worries there Larsa, no I have not tested the hard down theory, but I trust Larsa has, as he seems to be a testing machine, highly motivated. I am starting to think he is an AI brain attached to an MT network. I sent a suggestion to MT to fix the issue based on the fact that 'fwmark' already exis...

anav

BartoszP aka devil colours would be more appropriate

But please answer my questions here --> viewtopic.php?t=215918#p1137048

anav

If Joseph you are asking a different question, can one see all the routers at one time via winbox, via wireguard, in order to select for configuring, the answer is no. Those protocols dont go over wireguard.

anav

duplicate.

anav

Yes /export file=anynameyouwish ( minus serial number, any public WANIP information, wireguard keys ). WHich mean a. serial number one entry at beginning of config b. WANIP information, so removed any PUBLIC wan ip information --> could be in IP DHCP Client text, IP route text ( public IP address or...

anav

Bartosz you make me laugh................. this is a non-paid gig, dont complain about playing consultant for free. ;-P
Your stamina is commendable.

anav

I assumed as always, that you are short of time and thus want to getter done. If you have time to read novels, that is a different story '=)
Wait till you hit the chapters on VRRP VXLAN and BGP.

anav

Mimiko read this post please --> viewtopic.php?p=1136686#p1136996

anav

It may or may not be applicable for what you are trying to do.
My question is why do you need split DNS for the IOT subnet?
Do you have different IOT devices on the same subnet?
Are there are other ways to target those specific IOT devices......

anav

RIGHT, you proved me right again thank Bartosz........ A config is based on a set of established requirements, not vapour future wishes. If the op wants efficiency, the shortest path to get his 10 routers up and running as they are now, DNS is stewpid. If the op wants to tinker with DNS, which is mo...

anav

The problem with Sindys excellent approach is that it relies on the dstnat rule to un-dst the WAN1 IP to the WAN2IP so that the source of the response traffic leaving the router is correct. The mangle is fine and working as the route chosen is still good. The crux of the problem is how the router de...

anav

Somewhere along the line MT must have changed the default to YES, hard on us ole-timers LOL

anav

THis is the most interesting part about your post. The packet is annotated with the connection mark in the conntrack phase. Until then, there is no associated connection mark. (On normal linux, wg interfaces have a property fwmark, which allows all packets emitted by wg to be marked on creation - th...

anav

(I see what you are doing with wireguard just dont agree with it. There is no case where both sides of a connection need 50.0/24 that I can see.) Regarding the contrack and wireguard and dual WAN etc......... I approached it from a different angle so it makes sense to me. The initial problem before ...

anav

My bad that is valid, but this is assuming the remote router is an MT router. ( client peer for handshake) ........ makes sense, so other peers connecting to the local router can easily re-enter the tunnel and reach the remote router via the local router, so to speak. The local router needs allowed ...

anav

All a waste of time. Simply input chain last rule drop all else Simply forward chain last rule drop all else WInbox services, include all subnets that are TRUSTED, management vlan, offbridge port, and any other subnet where you may be coming from to access winbox and the router (like wireugard subne...

anav

viewtopic.php?t=143620

anav

They like blinking lights?

anav

My problem is not properly understanding connection tracking, Nothing more you can do LOL.
At least I kind of grasp your use of faux bridge and how traffic gets there, its after, the response traffic and mangle and routing that eludes me completely.

anav

It goes to root reason. As I stated, WAN1 being primary WAN2 secondary wanting to use WAN2 for wireguard. We only need to mangle for WAN2 and the problem was the router was sending return traffic via WAN1........ Thus we dsnatted to fool router to send traffic back out WAN2....... You pointed out th...

anav

Well the drop all rule will certainly cut out non trusted vlan access to winbox, since the interface list allows only trusted vlans, but without the drop all rule, nothing is really blocked, mac-server winbox-mac-server is used in conjunction with neighbours discovery to make all smart MT devices sh...

anav

So in your example you have to manipulate both wans, not just wan2??

anav

To config vlan filtering always a good idea to take an unused port or temporarily use a lesser important port and take it off the bridge, Give it an Ip address and config from there safely. Okay how to create an offbridge port. REMOVE ether5 from /interface bridge ports /interface ethernet set [ fin...

anav

Suggest you send supouts to MT as possible bug reports.

anav

The top of the tree may tend to sway significantly so not sure if thats ideal, in my experience its always windy.

A pole on a fixed object like house may be better unless there is an earthquake every time you want to use the connection.

anav

Best thing is to repost your latest for review!

anav

Perfect so netmask 28 works for you !! As for the rest looking at post #3 your worK! /interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface= ether2 \ internal-path-cost=10 path-cost=10 /ip address add address= 192.168.88.1/24 comment=defconf interface=bridge network=...

anav

As surmized: Behaviour is normal: MAC server MAC server section allows you to configure MAC Telnet Server, MAC WinBox Server and MAC Ping Server on RouterOS device. MAC Telnet is used to provide access to a router that has no IP address set. It works just like IP telnet. MAC telnet is possible betwe...

anav

Yes, that should not happen, You should only be able to access the router via Winbox from the management VLAN with those settings.......... I would need to see your whole config to comment accurately though.... /export file=anynameyouwish ( minus router serial number, any public WANIP information, k...

anav

Just started reading the post and yes, MANY ERRORS in the config which are not all yet sorted. Clearly your wireguard IP address is hosed. It should be assuming you only need/want one peer as such add address=192.168.89. 1/30 interface=wireguard1 network=192.168.89.0 { allows only two useable IPs .1...

anav

Why security of course! If you dont want any security
then simply

have two firewall rules
add chain=input action=accept comment="eviscerate me"
add chain=forward action=accept comment="bugger me"

anav

setting up pppoe should be easy peasy, go to ppp settings and hit the plus sign and select pppoe client I think near the bottom of the list. This shows a more complex scenario where they use a vlan to send the traffic, whereas in your case you dont need to replace ether1 as the interface. https://ww...

anav

In a switch scenario. One should normally only identify the management vlan! This vlan in /interface bridge vlans is the ONLY vlan-id that requires the bridge to be tagged, the rest are tagged on etherX and go out etherY or WLAN1/WLAN2 etc.. This vlans address is the address of the switch for manage...

anav

Basic firewall for Router BUT FIRST YOU NEED to add missing pieces!! /interface list add name=WAN add name=LAN add name=TRUSTED /interface list member add interface=ether1 list=WAN add interface=general_vlan list=WAN add interface=media_vlan list=WAN add interface=management_vlan list=WAN add interf...

anav

Okay matt that clears up that perspective. Firewall rules will speed things up actually, especially with use of fastrack etc.. I mean on the router, switch requires no firewall rules. Save turn OFF ipv6 if not using it. Going back to the configs... then switch 326 1. modify the first line for consis...

anav

Router . Summary ( incomplete, not ready for deployment ) 1. Not necessary, as the router dynamically untag the port, but it shows you understand the vlan filtering. /interface bridge vlan add bridge=bridge1 comment="General VLAN" tagged=bridge1,bonding1 untagged=ether3 vlan-ids=10 2. Fir...

anav

Its easy for computers behind the MT to reach other computers because all traffic out the MT is natted to the WANP of the MT .156, which is on the LAN of box devices. Their return traffic goes back to the MT, and the MT un-sourcenats that back to the originators. However consider the reverse, when t...

anav

Create your own EVE-NG or GNS3 type lab environment..........

anav

Lurker, gone down many a rabbit hole, I cannot seem to work my way through the noise of your solution.......... Context: Two WANS, WAN1 primary, and WAN2 secondary and wishing to use WAN2 as the wireguard connection. If given a faux bridge 192.168.66.0/32 address and given a listening port of 55555,...

anav

By rereading the article, where are frame types list on bridge ports, also basic networking, you got the pools but dont you realize each subnet needs
a. pool
b. dhcp server
c. dhpc server network
d. address

anav

Correct, manually entered. Typically, once you have vlans, one has to indicate which is a Trusted or the Management vlan, if nothing else for proper security. This is done through creating a TRUSTED interface list........ This ripples through the config a. the input chain, users ONLY need access to ...

anav

Hi Larsa, I think we need to go to Lurkers solution as the correct answer as Sindys, does not deal with the issue of the primary WAN being not available, and how that screws up the single dsntnat rule.

anav

Sorry couldnt get past the router........

anav

First do not ask any questions and only show snippets on the config of what you think we should see, if you dont know the problem how can you know where to look. You now have almost duplicate SrcNAT Rules and that is redundant, get rid of the second one. For the export to see what is causing your is...

anav

Not possible across brands.
Your best bet is
a. to drill (best)
b. to use moca adapters if there is rgb6 coax in the house (okay) Trendnet makes some
c. use powerline adapters over electrical wiring (mileage will vary) best are https://www.techradar.com/news/the-best ... e-adaptors

anav

Yup the correct vlan reference article was provided! If you will notice, there is one bridge all vlans, so the bridge does no dhcp or subnet work............. simply create a vlan for that subnet as well. To make changes worry free!!! Actually the best thing to do is take ether5 off the bridge and d...

anav

Problem would be in the config settings, which are all gone now so cannot really help.......

anav

If you will notice, there is one bridge all vlans, so the bridge does no dhcp or subnet work............. simply create a vlan for that subnet as well. Actually the best thing to do is take ether5 off the bridge and do all the config from a safe location. Okay how to create an offbridge port. REMOVE...

anav

Sorry no context provided, why are you mangling for example.......
Do you have a network diagram

anav

If you want help with your setup post a new thread and will need your traffic requirements and current config.

anav

WRONG you do not get to set a false narrative. BE HONEST. First, let's leave out the variable of going to each IoT device. This is something that I will need to do regardless of which solution is implemented. Bullpucky, there is nothing you have to do at each device if they are all currently pointin...

anav

That is the point I am making, the work required for firewall rules and routing and allowed IPs needs to be done reqardless of which method is used to get information from the iot device to the home assistant server. What I am saying is that you need to really do a comparison SETUP from where you ar...

anav

Probably more granularity than standard firewall filter rules can provide, although since I dont use bridge filters nothing comes to mind.

anav

Thanks much lurker, that is most helpful for me and will take the time to digest traffic flows as you have manipulated them!!

Any thoughts on what the responder checkbox is trying to do??

anav

The question is about DNS configuration, not how to configure and pass the traffic from branches to main place using VPNs.

You miss the point, the OP does not intend on reaching the home assistant server over the WWW, he wants all traffic to go over wireguard tunnels between the routers.

anav

yup, I understand that you have 100 devices, that you dont need to touch, they are already set for 192.168.0.x There is no need to touch DNS or add DNS servers or make any DNS rules to ANY of the nine routers to get their traffic to the host router for the home assistant server. The home assistant s...

anav

Hi Bartosz, Trying to understand your advice and with Larsa endorsement, of course! I too like Joseph, being not IT professional need some conceptual guidance. What I think your saying, in techno speak, is in static DNS we attach or identify an IP address with an URL or domain name that we have give...

anav

How many ISPs or how may WANIPs will you have and what are the throughputs. Right now I would look at the hex refresh and two or three wifi7 TP link or zyxel APs. If the WAN throughput is greater than what the hex refresh can provide I would look at the RB5009. If you want to look at using MT wifi, ...

anav

HI Larsa and Lurker, have been attempting to follow these entangled threads but not making much headway other than Lurker seems to have come up with a way regardless of scenario to basically ensure that in a multi-wan scenario, RoS can be manipulated to ensure wireguard connections work properly. No...

anav

I bet if you got a TPLINK access point and plugged it into one of the ports it would work just fine. My bet is on the wifi settings........... they are designed for the new user to fail, almost as if, if we want to discourage people from using our wifi.

anav

@anav: I see no savings at all :) Concur, in fact its actually more work to create DNS servers at each location and then modify each IOT device to look for a specific URL. Once done, any change to IP address of the home assistant server would require changes to every local DNS server to match, vice...

anav

I dont see the savings............... In fact call BS on Bartoz and Larsa :-) (please prove me wrong, so I can eat egg off my face !!) Right now you can simply NOT touch a single device, lets say there are 100 devices and get the job done. All you need to do on each router is /ip route add dst-addr...

anav

So are you stating that you wish all the traffic from the locations will go out the WWW to reach the home assistant server at location Y?

anav

There is also ATL LTE18 KIT ?

anav

An accurate description of context is always appreciated from the get go!!

anav

Dont understand your diagram, and dont even know which devices you have....... If you are going to provide config /export file=anynameyouwish ( minus router serial number, any publicWANIP information, keys ) You have a trunk port to an AP in the garage which model of AP You dont show a trunk to a sw...

anav

If you keep changing the requirements and questions of course the answers will change. The original question was about load balancing the use of the WANs NOT external users access to the LANs or to the routers for config. Vague request beget general answers. Well detailed articulated requirements be...

anav

... just to change de cpu speed, i need to visit all the country for do that.

Consider yourself lucky. France is not so big. Imagine @anav visiting e.g. Whitehorse suburbs to change cpu speed

Nothing a trained cat cannot salvage.
Just hire mkx

......

mkxyes.jpg

anav

Objective still not fulfilled LARSA, the response from the secondary WAN will still have a source IP of the secondary WAN.

anav

If there is a computer in House 1 it would be easiest to use something like TeamViewer to get remote access to the computer, from where you can configure the RB5009 using Winbox.

See post #21 --> Or use anydesk behind a PC that can reach the config.

anav

Take a screenshot?

anav

If your complaining about you run your support business, wont get much sympathy from here.
There are tools within RoS to accomplish much and if not so technically astute sign up for something like this......... https://admiralplatform.com/

anav

So you dont want to use the throughput of the secondary WAN at all?
Just the primary router......... is that becasue the secondary WAN is of little throughput?

If the primary goes down, then you will have to use the second WAN, and it will not be possible to hide this fact.

anav

Are you saying you get 9 WANIP addresses from a single provider?
Are you saying the gateway for all 9 is the same?

Why do some have ip address starting with 92.x and some have 88.y ??

PS. wireguard is not an interface that gets a pool, no dhcp etc..

anav

Your funeral to go off on tangents, and no bridge filters are for advanced users only, I dont touch them being an intermediate user.
Quickset should have been name quicksand

anav

What model of access points? The config is basically default so there should be no difference between wired or wifi clients based on the config.
So the issue is a the AP side............

anav

Can your ISP router even do vlans?

anav

Or string two soup cans together and shoot one over to the remote location and get a person at that end to put it near the MT device.
Or use anydesk behind a PC that can reach the config.

anav

Mimiko, I call BS, you didnt originate the thread, popped in to complain, and have not provided the configs of your devices......
/export file=anynameyouwish ( minus router serial number, any public WANIP information,keys)

anav

ECMP is perfectly fine to use for dual or more wans. Its the least complicated approach. With version 7 firmware it should be the first go to approach.
Mangling and PCC come into play for more complex user needs or if the admin has wan throughputs that are wildly dissimilar

anav

Guidance provided based on your answer above!!
You have lots to learn prior to trying to remotely configuring a 5009.
If you are truly DYI then get GNS3 or EVE-NG and setup a lab type setting where you can practice learning about RoS.

anav

Have you ever used Mikrotik and configured it before?
No

https://mikrotik.com/consultants

anav

something wrong with the ignition coil no doubt. ;-) I will have a look at the config. This if for L1009 with wifi, since its the only config provided. 1. REMOVE bridge from interface list! It is no longer required as it is the vlans that need to be identified as members. add interface=bridge_router...

anav

If you can port forward then you can host wireguard which you will need to do. AirVPN and other types of VPN are NOT for connecting to Air VPN and then to your home router. They are of the type of VPN service that simply provides internet out a different location/country, by either users on the rout...

anav

More importantly can some one wifi expertise please help the OP. Geez!!

anav

I believe AX covers all, in other words it defaults and covers off whatever signal comes in and is thus equivalent to ALL Not really sure, but I also believe that whatever signal is processed then that is the lowest commen denominator. AKA if our processing B, then all other connections after will c...

anav

I use winbox all the time from PC behind my router to reach distant devices. If you need to connect to devices behind the router, then type in their applicable IP address, in this case its management IP address. Once connected to the 5009 over wireguard try this ( critical first step ) For example t...

anav

ECMP on MT not to be confused with EMP LOL

anav

Typical AP setup will assume 99 is management vlan, 10 is home 20 is guest wifi and 30 is IOT wifi, and ether2 is a wired port for home user. /interface bridge add ingress-filtering=no name=bridgegym port-cost-mode=short vlan-filtering=yes /interface ethernet set [ find default-name=ether5 ] name=Of...

anav

When working with vlans and bridge the best approach is take one port Off the Bridge and do all the configuring from this safe spot. The best thing you can do is take one port off the bridge and do your config from there, a safe spot. 1. Take ether5off the bridge at /interface bridge port 2. Make th...

anav

I do not know with any certainty but I would think that having all devices on the same version of firmware will be helpful. I am not a capsman guy but to get your RB2011 and 6 APs working, I can provide assistance without capsman to at least get you to a working config. While you have that, suggest ...

anav

My first instinct was correct still have my lama sense workin. /file=anynameyouwish ( minus router serial number, any public WANIP information, keys ). Answer is the same, it will work if you configure it properly. The problem is you have not provided the FACTS, or EVIDENCE with which folks here can...

anav

Yup, hair turned grey, or loss of hair, skin aged, and suddenly it works. to bad the OP has no clue why, nothing learned. caps SUCKETH the big bone.

anav

The best thing you can do is take one port off the bridge and do your config from there, a safe spot. 1. Take ether5 off the bridge at /interface bridge port 2. Make the following additions/mods /interface ethernet set [ find default-name=ether5] comment=OffBridge5 /interface list member add interfa...

anav

Thats nice, and how do you suppose we are supposed to assist without seeing what you have done on the config to cause this?? Im assuming you at least created a wifi profile for wifi1 or wifi2 such that a master would exist. /export file=anynameyouwish (minus router serial number, any public WANIP in...

anav

Good to hear, others prefer insanity, greying of hair and hair loss, to get capsman going. Is it worth it, not to me!

anav

As for your switch which port on the 5009 goes to the switch........ SAME ISSUE for discover,... WRONG /tool mac-server set allowed-interface-list= MGMT /tool mac-server mac-winbox set allowed-interface-list= none /tool mac-server set allowed-interface-list= none /tool mac-server mac -winbox set all...

anav

Not sure what you mean.......... You have this on the config, which is a good start. /ip neighbor discovery-settings set discover-interface-list=MGMT BUT THE ERROR comes later. You reversed the settings /tool mac-server set allowed-interface-list= MGMT /tool mac-server mac-winbox set allowed-interfa...

anav

No PCC is for load balancing multiple WAN connections for: a. the purpose of redundancy so that if one ISP goes down you have a backup ( clearly not useful if all the WANs come from the same provider ) b. to provide a greater overall bandwidth to share with users, so there are less bottlenecks in tr...

anav

Without seeing your config, hard to see what you have done??
Assuming you have a public WANIP or you can forward ports from an ISP router that has a public IP??

anav

Another reason to avoid anything cap like the plague.

anav

Draw a diagram because you seem to want opposed uses. Wireguard to a third party server Wireguard to home. Which is it or both? ++++++++++++++ It sounds like you need two wireguard interfaces one for third party and one for home. Do you have a public IP address or can you forward ports from an ISP r...

anav

Easy Peasy now that I have facts to work with! :-) /interface list member add interface=ether7 list=WAN add interface=PRIVATE_VLAN list=VLAN add interface=GUEST_VLAN list=VLAN add interface=IOT_VLAN list=VLAN add interface=SECURITY_VLAN list=VLAN add interface=MGMT_VLAN list=VLAN add interface=MGMT_...

anav

Then add access to the management vlan.
add action=accept chain=forward comment="remote admin to trusted vlan" in-interface=BTHWireguard out-interface=vlan-mgmt

anav

Well the way it works is you enable BTH on the router. Take the first created user and install that on your smart phone, any other users have to be created on the smartphone as well. You will need to go to the router at your parents place allows the subnet of wireguard access on the input chain add ...

anav

There is a responder checkbox in winbox I think, try checking that, and see if the issue persists.
.........

Screenshot 2025-03-29 212138.png

anav

Look at zerotier to share gaming server............

anav

The arubas will need to be setup with vlans. They should get their IP address on the VLAN99

anav

So theree switches means three trunk ports BUT................. The unifi expects the trusted or managament vlan untagged and the data vlans tagged. If they are consistent in setup. I'm assuming the arubas are more standard switches. What are the AP types?? /interface bridge port add bridge=bridge1 ...

anav

I dont use capsman because its too difficult and a headache for me. I use what works. Capsman is better if you do it successfully as it allows for better handoff between APs, I could care less in my own house. This will get you setup and working, and then you can implement capsman and whatever else ...

anav

Well the VPS aka a CHR in a cloud is about $6 a month to rent plus the CHR license and use Wireguard VPN, and is a great way to do what you want to do without third party servers. Preferred option 4 You could do it right now with VPN WIREGUARD BTH depending upon what router you bought your parents a...

anav

I have an ax3
Total memory 1024 MiB
Avail Free memory: 651.2 MiB

Meaning used memory is 373.

I do not use any logging or at least minimize it if all possible.
Do not expect the ax3 to be any zippier, unless your holvoe, the rest of us mere mortals get around what you are getting.

anav

Even more pertinent in Basic but based on your lack of experience on the forum ( clearly IT trained and more knowledgeable than I will ever be ) I disagree.

anav

CAPAC, same concept using offbridge on etherport 2. ALso I always wire the capac on ether2 to a spot where I can at least plug in a laptop, could be a closet etc...... emerg config when the capac is very hard to reach etc. Where you set the cap address statically to 192.168.1.xx .......................

anav

Why are you using the capax as a router. All the router stuff should be done on the chateau and the capax as an ap/switch ?? If this is the chateaux then.............. concur the simple approach works and should be the starting point...... Will stick to one trusted vlan and one untrusted vlan. Note ...

anav

1. Adjusted as required. add name=bridge1 port-cost-mode=short vlan-filtering=yes { add the YES as last rule change) /interface ethernet set [ find default-name=ether8 ] name=OffBridge8 /interface vlan add interface=bridge1 name=BASE_VLAN vlan-id=99 add comment="Guest VLAN" interface=bridg...

anav

Before you apply anything one must understand the purpose of the chains. Input chain is traffic TO the router, so to router services. None of your servers behind the router and on the LAN have anything to do with router services and thus seeing their rules in the input chain is ridonkulous. So from ...

anav

That is weird behaviour, perhaps the power cord or supply is wonky? Cables wonky? or maybe the router is toasted??
Suggest try netsinstall as well.

Search found 23615 matches