MikroTik

humbfig

WG between both sites has to work, provided config is ok. But we never saw that ? Export config of both routers with wireguard configured. terminal /export file=anynameyouwish Remove serial number, public wanip, private keys, ... Post config of both devices separate between code quotes (easier to r...

humbfig

Why both ? Wg is already an encrypted vpn. Exactly. I think OP want's Layer2 bridging. So IMO, on a hEX/hEX-S, since EoIP+IPSec isn't possible here, and OP has WG so EoIP+WG seem like best fit. But OP running into issue with WG, so tried L2TP I think. Anyway, if the OP posted some diagram and/or sa...

humbfig

How I think it should be done: -You need to setup wireguard (only 1 side needs to have a real public IP) -Set an IP address on both ends of that connection -Use those 2 addresses to setup EOIP -Add EOIP to bridge on both ends Yup, if don't have two public IPs, then @holvoetn has it right. You'd wan...

humbfig

Hi Finally back from vacation, I tried the EoIP tunnel and could not make it work. As far as I understand I need 2 public IP's on both routers and one of the routers has a private address (DMZ) because the ISP router does not allow for bridge mode. I setup a l2tp connection instead, which works most...

humbfig

ok, it was cgnat after all. I was on the phone with my ISP, asked about the cgnat and they told me they “added” the “cgnat service” to my router but that it wouldn’t cost me anything more :lol: I told them I would change ISP if they didn’t “remove the service” and they said they would do it today. T...

humbfig

EoIP interface is layer-2. EoIP use the GRE protocol internally, but inside the GRE packet is an Ethernet frame. Mikrotik also has a different "GRE interface", but that is only Layer3/IP, so similar to L3 WireGuard in that it's an IP packet inside the tunnel. Both EoIP and GRE support the...

humbfig

To be clear, BTH treats your local router as a client and thus the router will send out a join request to the MT cloud and then the tunnel will be established. Remote clients reach your router through the cloud connection (aka relay) If you have a reachable public IP, then I think the BTH bypasses ...

humbfig

Not accepting or nothing is coming in ? Best bet if short on time, zerotier or BTH ... then you have 2 weeks to figure things out :D Well, something is coming in..... just not much.... Like I said, I try to connect to the wireguard and the counter doesn't increase. But when I try to connect to the ...

humbfig

Our providers are switching to CGNAT which causes these symptoms you are experiencing. Contact support (service provider, not MikroTik) and request a routable address. Check DHCP assigned addresses to be sure (10.x.y.z/100.x.y.z) I have a public address from my ISP. CGNAT implies a private address,...

humbfig

Check dmz settings and ip address rb got. And enable BTH and/or Zerotier. Easiest way out, I think. You should always have one option back in then. I did check DMZ and the router's IP (static). All fine. I don't know what BTH is. The NAS ovpn was the backup. I guess zerotier could work. Connections...

humbfig

Sounds like you should put your critical components on UPS? Power bumps/outages are not friendly on equipment. Did the ISP do something funky at their end?? I do have a UPS holding the net and the NAS... First I thought it must have been the ISP. But their router seems fine (very simple configurati...

humbfig

Hi Suddenly, I could no longer connect to my wireguard on my home router. Also, some services (also a ovpn backup) that are running in a NAS stopped working . When I came back home, after reseting the counters, I checked that most filter and nat counters are almost zero (shouldn't!). The counter for...

humbfig

I will try the route GRE + IPSEC Well, I'll buy the aspirin. Do think the secret is, well, ipsec-secret= set (either EoIP or WG) if Layer2 tunnel is what's needed and you have public IP at both ends. If only Layer3/IP, no argument with WG there ;) I might be confused. I thought GRE and EoIP were th...

humbfig

Hear you about IPSec, but for a Layer-2 tunnel the nice part about EoIP is that the IPSec stuff is really just a checkbox and setting a pre-shared key. Since you'd already need another protocol with WG to get ethernet. But WG + GRE is another option if you want keep wireguard but bridge a layer-2 L...

humbfig

As long as one end always has a public IP, normal WG is fine for Layer 3. To make it one LAN, you'd need to use GRE, EoIP (without IPSec) or VXLAN interface too to carry the Layer-2 ethernet traffic between the sites. Now if both sides have private/NAT address and without some DMZ option enabled......

humbfig

humbfig If the warehouse router was DMZ'd behind a GATEWAY (Modem+Router+WiFi), THAT HAS A PUBLIC IP ADDRESS... Yes that would work. I see now what you meant. Never crossed my mind that an ISP would assign you a private IP..... In my Country people call bad names to ISP's that don't provide bridge ...

humbfig

For Wireguard... Someone has to have a public address. We have the office, bosses home and warehouse. Office is behind carrier grade NAT from a Wisp. Home is behind starlink. Warehouse is the one with a public IP. Warehouse is set up as the server... The other sites connect to it. Road warriors als...

humbfig

Thanks to all answers. Been checking zerotier and I think it's not for me. Signing up? Closed source software to install on my devices? Relaying packets through some site? Warnings of slowness? The f__k? I'm leaning on wireguard (been using it as RW for my laptop and my phone), maybe I'll try EOIP o...

humbfig

Zerotier

I have not been down that road before. Never even installed the package. I might take a look, but I would prefer something more confortable for an "old tech" guy.....

humbfig

Hi I own two sites that I want to keep connected just like as if it was a single LAN (all devices in site1 can communicate with all devices in site2, maybe even share a single DHCP server and a single DNS server, though this is not necessary in case it's too much trouble). I have a few ideas on how ...

humbfig

Send it to me I will pay postage.

Sure thing.
Give me your address so I can get a quote for postage.
You will have to pay me for postage before I send it to you.... I'm sure you understand.....

humbfig

thanks for taking the time! To what port? If it is 5009 LAN then IP addresses will conflict, If it is 5009 WAN, DHCP will be OK, IP address will be in your LAN IP address range, but no one can enter through a WAN port. Well, I hadn't thought about that.... What IP address did you change in 3)? The L...

humbfig

Hi Just bought a new RB5009 to replace my hexS, which I need for something else, to serve as my home gateway. As far as I understand, the RB5009 looks pretty bricked by now. I will walk you through what I have done. Please bear in mind the word "winbox" is tabu..... I don't own a Windows c...

humbfig

I assume by "if I connect to a VPN (usually my workplace)" you mean that you're at home and connect to the workplace using the VPN, which redirects all connections of your PC, including the internet ones, via the workplace network. If so, I can imagine two possibilities: an MTU issue, whi...

humbfig

I have a subscription of F1TV. At home, with my MT router, I can't start the stream. I access the site, I press play, I wait a few moments and I get the previous page again, where I'm expected to press play. If I connect to a VPN (usually my workplace), I can start the stream with no issue. After th...

humbfig

Ok Oddly, I had no problem to login to the 260..... this time it didn't even ask for a password. As soon as I connected, I was in the switch...... :shock: So, right now, only one question pops on my mind. I've had 2 260GSP for more than a year. I'm using them as dumb switches. My configuration conce...

humbfig

I do have two more, a hap AC and another 260GSP. If I could get access with mac-telnet, what would I do?
Short celebration...

humbfig

No, something does not sound right here, especially if you say you had the same problem recently on a 260 I could not agree more... Me too!!!! Now, I have recovered my previous working LAN setup. I'm on full fibre network and I still have a wife and kid. If you are curious to understand what the he...

humbfig

No, something does not sound right here, especially if you say you had the same problem recently on a 260, which runs switchos and not ros. Make sure basics are correct, i.e. 1. Your reset procedure is correct 2. Your CAPS lock is not on, etc. 3. You are trying to access the correct device, 4. etc ...

humbfig

SSH with default credentials (admin/blank). Configuration can be done through cli easily. Browser option sounds possible, does Apple support InPrivcate browsing? Then you can just start an InPrivate tab. admin/blank also does not work in ssh either. Same thing as browser. Invalid user or pass..... ...

humbfig

Crazy idea, have you got any other RouterOS devices? Use Mac-Telnet from that to try and access the HexS. Did you connect the Hex to the web after resetting but before you logged in? May be hacker already gained access? I do have two more, a hap AC and another 260GSP. If I could get access with mac...

humbfig

Before that i would try to login with another computer...

hummm..... you think there might be something wrong with the browser? Some cached thingy?

humbfig

Can you try by using either SSH or Winbox?

I can try tonight the ssh (didn't think of that).
What would be the user/pass? root/blank?
If I can login, what do I do to to regain access to the web-config? (I have never used ssh to mikrotik devices....)

humbfig

Use netinstall...
Before that i would try to login with another computer...

Isn't netinstall a windows thing?

humbfig

I can't login to the hexS webpage after a reset. I know the reset went fine because the router GW is now the default 192.168.88.1 I load the webpage, but admin/blank doesn't work, neither the previous admin/pass (long shot, but I had to try!). Can someone help me solve this without running WinBox? I...

humbfig

As long as you press cancel after that, you are safe. But it's better to learn how to look for those things without entering quickset :) And by the way there are modes that do not have a WAN config: WISP AP, and then Configuration - Mode: Bridge. Well, I tried to start from the WISP AP mode bridge....

humbfig

Don’t ever use quickset after you made some changes from initial configuration. What if you don't use it but you check on it, just to know what your programming is "doing"? You find some red fields stating that you must write something. You find some working modes that you don't even know...

humbfig

Maybe there is a loop and RSTP disables your ports... Can't see how could there be a loop. Anyway, no ports are disabled. It's just that the port used as wan in the "quickset menu" pops out of the bridge. That kind of makes sense. But I try not to program anything in the quickset menu, ho...

humbfig

Did you put ether1 inside the bridge too? I guess that is the port that connects you with the main router... DHCP works in layer 2, if you bridged all your ports and connected any of them with your main router it should work without problems... Edit: now i saw you use the sfp port... if it shows di...

humbfig

You don't need DHCP relay. And remove all firewall at least temporarily.

I removed all filters and the nat masquerade. Tried it with and without the dhcp relay. Still can't get an ip.
I notice the sfp port in the bridge tab was disabled.....

humbfig

Hi, I have a home gateway router (hex S) connected to a hap AC to provide wireless network. So far, I've been using the hap AC as a dhcp server with a different subnet from the hex S. The problem is, I need the wifi clients to be in the same network as all the other devices due to dlna, wireless pri...

humbfig

There is no defined order for assignment of the addresses in a pool. It often starts from lowest but under some conditions it may assign higher addresses. And certainly when a device has had an address before, it will often ask "can I have this address again?" and they router will allow i...

humbfig

So the Barman says to the Hap AC, "hey, your IP address should have the CIDR notation, not your subnet mask" Something else, DHCP scope should not include X.x.x.31, that is the broadcast address for /27, and routeros typically assigns IPs from high to low, so maybe you were issued .31 IP ...

humbfig

Ok. Fair enough. So, a hap AC with Long Term 6.44.5 and a Macbook OS Mojave walk into a bar.... The hap AC has blank configuration. The Mac is connected to the hap switch. On the quick Set page I put an ip address (xxx.xxx.xxx.1) on the local network. A netmask (255.255.255.192/27) and a dhcp range ...

humbfig

Hi I believe I found an abnormal behavior in my Mikrotik. The support page in mikrotik.com seems to be interested only in vulnerabilities (not the case!) and kind of makes an effort to deter you from disturbing Mikrotik developers. Anyway, it's still an abnormal behavior and I believe someone up the...

humbfig

Let's get extended logging going so you can see more info: /system logging add topics=ipsec,!packet Thanks for your answer. I was already thinking this forum needed a secret cool handshake that I don't know... By now I've given up on L2TP/IPSec (also had given up on OpenVPN a few months ago!). I ma...

humbfig

192.168.1.0 is, I guess, now in the "network" field associated to the address; what is after the / in the "address" field itself?

Sorry, I don't know what I was thinking when I wrote the previous post. I just edited it.
Thanks for your help!

humbfig

You were right.
/ip arp did not show any mac address for this strange ip's and, for some reason, the netmask on the mikrotik wan was 255.0.0.0 (ISP router LAN is 192.168.1.0)
Changed it to 255.255.255.0 and have not yet seen any strange ip show up.
Thanks!

humbfig

It might just be my less than stellar understanding of networks, but I find it odd that the arp command on my mikrotik router shows, besides all my home devices connected to the bridge interface, connections from public ip's (usually starting with 192, somewhere from Canada and US) on the ether1 int...

humbfig

Let's get extended logging going so you can see more info: /system logging add topics=ipsec,!packet Thanks for your answer. I was already thinking this forum needed a secret cool handshake that I don't know... By now I've given up on L2TP/IPSec (also had given up on OpenVPN a few months ago!). I ma...

humbfig

Hi I have been trying for 2 weeks to setup a road warrior L2TP/IPSec server on my hap ac (RB962UiGS-5HacT2HnT ; v6.43.7) so I can connect my macbook Mojave (10.14.1). The Mikrotik stands behind my ISP Gateway router, which I can not discard due to a proprietary WAN authentication. Anyway, I'm pretty...

humbfig

Hi My home LAN has been 192.168.33.0/24 and my NAS has been 192.168.33.11 for some years. A week ago I installed a new hap ac router and configured everything, including ARP, pointing the usual IP addresses to the right MAC Addresses. Everything was working fine until today the Mikrotik decided the ...

Search found 52 matches