For me the kill switch is not working. It stops all VPN users traffic no matter if the VPN is up or not. If I disable the killswitch routing rule everything works again. Maybe because I am using VLANs on the bridge? For now I have implemented a killswitch by excluding VPN users from the NAT masquera...
Thanks for pointing out that DNS information. I would much rather have a static DNS in as well, so I believe my only option is therefore to define DNS in the client. At this point I only need one client to use the VPN - a TV streaming device. DNS is not manually configurable. My solution for this: A...
Thanks for your guide. I am testing a similar setup but using the settings for keepsolidvpn as per their page https://www.vpnunlimited.com/help/manuals/mikrotik-ikev2-setup . I have it working but I can only pass the dns test at ipleak.net by manually assigning dns to the clients. A dynamic DNS serv...
Ok Managed to solve this by adapting the second rule set in the Mikrotik Wiki. On each IPSEC connection 2 packets are seen on port 500 so I've made use of the Nth rule to take this into account. Also removed connection-state=new as this prevented seeing any packets after the first attempt. These rul...
I have seen on another post that someone was able to adapt the rules from https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention So far I have: add chain=input protocol=tcp dst-port=500 src-address-list=vpn_blacklist action=drop \ comment="drop ipsec brute forcers" But I am stuck with ...
Just setup the Dude Server on a spare Mikrotik and have discovered the same issue.
So I can't monitor my routers because I choose to use a different port for winbox. Seems like a major oversight.
I have an existing Mikrotik based network consisting of a few VLANS that I now wish to monitor. My thinking is to set the hAP AC2 up with a trunk port connecting it to one of the existing switches, and then install the dude server on it for complete network monitoring? Would this work? Is there a b...
Well, there were still problems after this. I have now isolated it to a problematic port on the switch. When any machine is plugged in to this particular port everything goes weird (slow) for other connected machines. Seems worse when traffic crosses VLANs
There was a new misconfigured server on the network which was effectively joining two VLANS together. Will just need to test a bit more but hopefully that was it.
Thanks. Changes made as suggested. My laptop on VLAN100 could still not ping machine A on VLAN 200 but could ping machine B. Once again I changed to another VLAN 100 port and I could now ping machine A but not machine B. I tried another laptop in place of mine and it can ping all machines on VLAN200. Pu...
The problem is happening again. I am losing connection to other networked machines intermittently and connections can be slow. Today I was unable to ping a device on VLAN200 from my PC on VLAN100. I could ping from the router directly. Other VLAN 200 devices were pinging OK. Even though I could not ...
Thanks for the quick reply and confirming all is OK.
Today, with no changes, all seems to be working fine. I have connected my PC back to ether1 and I can now ping and access the device on VLAN200 all OK.
I will keep an eye on the situation.
I have tried to implement the changes (via winbox) but trunk1 is not available as an option in either /interface ethernet switch set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports OR /interface bridge port ? The documentation at https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_VLANs_with_Tr...
Please see below. Everything had been working fine... but today: Intermittent connection when accessing VLAN200 devices from VLAN100 (Allowed in firewall rules) Also weird problem that I could not ping a certain host on VLAN200 with my PC plugged into ether1 of switch. Moved to another port on VLA...
I have a CRS226 configured with 3 VLANS and am having a few weird problems with inter VLAN communications. I used the guidance at https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_series_switches_examples and https://wiki.mikrotik.com/wiki/Manual:CRS1xx/2xx_VLANs_with_Trunks One slight difference is ...
Thanks. I am aware 5678 UDP is legit.
Someone was adding 5678 TCP at the top of my input chain and had set up L2TP client as documented in the aforementioned post.
Router OS has been kept up to date. I run a L2TP server so maybe compromised that way?
I have a CCR1016 and it has been running 6.48.1 - now updated to 6.48.3 I have noticed two identical entries appearing on the input chain at the top: add action=accept chain=input disabled=no dst-port=5678 protocol=tcp I also have two mikrotik CRS switches on the network. Any reason for this...
If you're desperate for something newer, try Zabbix.
I'm just getting started with Zabbix. First tried to install on docker but it wouldn't play so have just got running on a Debian VM.
There are some Mikrotik templates. Now got to learn how to use!
If Apple doesn't want L2TP be compatible with other's products, you also don't have to want L2TP compatible. If you use Apple products, respect Apple's rules and don't pretend to have your own thoughts. Apple thinks for you what you need to do with HIS products that YOU have paid for. [/quo...
I have L2TP/IPSEC VPN server setup on 6.48.1. It works perfectly with Windows and Android but not with iOS 14.5. Have also tried an older machine on iOS 10. I am using split tunnelling so only LAN traffic goes over the VPN. If I turn off route all traffic across VPN switch on the ipad connectivity i...
I would like to prevent people being able to turn up and plug their machine into a port on the switch and have internet/LAN access.
I can see plenty of information on setting up wifi mac filtering but what would be the best approach on wired connections?
On my Cloud Core Router I have the last firewall rule on input chain to drop everything. It is getting a lot of broadcast packets from LAN hosts on ports such as 137 (Netbios) and from other mikrotiks on port 5678 (discovery). Questions: 1. Is this to be expected? 2. Should I allow these broadcasts ...
Documentation about switch trunks, supported by CRS1xx/CRS2xx, is slightly scarce, but judging from configuration example shown in this document it is possible to assume it's similar to bonding with layer2-and-3 transmit policy. And with this kind of bonds pair of hosts (same pair of MAC addresses ...
So I set up port trunking today as per the guide - I am using two ports on each device I have tested client to client speed across VLANS by running iperf. I get an average of about 940Mbps. Interestingly if I remove one of the trunk cables, the speed stays the same? Why does it not decrease? This im...
@tdw - thanks, very good point about the client machines gateway. I think things could get messy quite quickly if I start configuring firewall rules and routes on the CSR.
The link aggregation looks good. I will study the wiki page you have listed and try and implement that.
I have this set up and working now. I can connect into the desired VLAN port on the switch and receive an appropriate DHCP address for that VLAN. As it stands now I have router on a stick. CCR does all the routing with a single trunk to CRS acting as a switch. Now I want to make sure I can get maxim...
And now, probably the reason for your VLAN subnets not working: netmask is not defined for VLAN-bound IP addresses (and implicitly it's taken to be /32): /ip address add address=10.242.1.1/24 comment="VLAN 1 - Default" interface=bridge network=10.242.1.0 # this one was correct add address...
I have succeeded to block selected clients from communication on the same VLAN (Sorry for being very off topic from my original question) Solution was to use a combination of bridge filtering and wireless access list To stop communication across devices on the same radio/AP block device with Wireless ...
Ok I have added the mac address of my phone in the bridge filter of the main router action=drop Testing across the same VLAN Pings are blocked when the phone and endpoint are connected via different devices. e.g. phone via router, endpoint via AP Pings succeed when phone and other device are both co...
This is going to be interesting and make my head hurt I think.
I have a second Mikrotik as an AP with a trunk connecting the two. I will do some testing with my phone as I can wander around and connect it to both routers.
I will experiment. I have an IOT VLAN. I want to allow some wireless clients to communicate (MQTT etc) but block some completely apart from internet access
DHCP works because the DHCP server is "closer to the wire" than the firewall (but nevertheless the packets are seen by the firewall). In other words, dropping DHCP packets from client to server using IP firewall has no effect as it is done too late. Where you really need to block DHCP f...
I will allow 67 although DHCP somehow manages to work without. I use separate DNS server so should be ok there.
It's quite scary how many connections my phone tries to make to the router when it connects to wifi including quite a few ICMP requests.
I had my input chain to block everything apart from clients on my main VLAN - Similar to the securing your router wiki page. I have noticed that clients from other VLANS try to access the router using ports such as 67,68 (DHCP), NETBIOS related and various other ports like 37942, 59838, 57621 the li...
Thanks for all the advice. I am indeed testing on a small setup with 3 VLANS just to test and get to know it. I then hope to deploy on a CCR1016 once I know what I'm doing.
Still bewildered it has worked this time!
I don't believe it.
I did exactly the same thing as the previous n times so I could post the log. This time it has worked and the dude is there. Bizarre!
About 2 or 3 attempts ago I removed NTP server and then any backups in the flash.
I don't understand what you are trying to do with the USB stick. The upgrade/install process does not work from a USB stick. You need to put the file dude-6.48.1-arm.npk in the /files directory and reboot to install it From this page https://wiki.mikrotik.com/wiki/Manual:The_Dude_v6/Installation N...
I have read the other posts regarding this and the answer was to insert USB memory stick and upload dude server npk to the router so it is not in the flash. This is not working for me. After reboot there is nothing there. I have tried both ext3 and FAT32 on a 4GB memory stick. I have uninstalled NTP...
I have watched the video. It is a nice and straightforward, but there are a couple of differences to my setup: 1. In the video he just sets up the router with port based VLAN. I will be using bridge VLAN filtering as this is now the recommended way? 2. His switch configuration is nice and simple but...
AFAIK that refers to private VLANs which are different to 802.1Q virtual LANs, the latter are what most people are referring to as VLANs. The switch chip in CRS1xx/2xx devices can be programmed to do either, and also protocol or MAC-based VLANs neither of which are particularly common these days. Than...
Thanks for the replies and clarification. I had noticed that YouTube video before so will spend some time on it now I can use it. So the wiki states "For more complex setups (for example, VLAN filtering) you should use the port isolation feature instead." I assume that means I can follow t...
I plan to set up VLANS on these and would be interested to hear the recommended method. The CCR will handle routing and a trunk to CRS with approx. 3 VLANS I have previously used the excellent forum guide https://forum.mikrotik.com/viewtopic.php?t=143620 with my HAP devices. Should I still be using ...
Also can not install the Dude. I have attached 4gb usb stick, formatted it to ext3, put dude npk to router, but after reboot got the same error that not enough space. Please advise! Same here with dude-6.48.1-arm.npk. I have a blank 4GB memory stick attached and formatted to ext3. I have made sure ...
Thank you for an excellent guide. With the help of this and some help forum members I have been able to extend my network with VLANs. I have one question. In the first example, router & switch, where would the admin plug a PC in to connect to the base VLAN? All ports on the switch are set for re...
With hAP ac, hardware offloading on switch chip can only handle traffic between devices in the same VLAN. If routing , rather than bridging , is necessary between the WAN link and the LAN devices (i.e. if WAN and LAN use different IP subnets), the only devices which support hardware offload of rout...
Thank you for the replies. I had not subscribed to my own topic so only just seen them! I will check out the other hardware suggestions and thanks for the confirmation it is better to use hAP AC2 as router. All my wired clients are indeed on the same VLAN so I think the switch chip option is still ...
With the help and advice given on this thread I now have VLANS with bridge filtering. (Diagram below) I have a few wired clients and when they download from the WAN at the maximum speed of my connection (110Mbps), my hAP AC cpu reaches 100%. All the configuration so far is based upon this forums exc...
Just an update. Found some time today and after some successful testing on a hex RB I took the plunge and changed my config on the hAP AC as per the guide at https://forum.mikrotik.com/viewtopic.php?f=13&t=143620 . So I now have VLAN set ready for the next step to create a trunk port to an AP. A...
cAP AC has the same MSRP... But I often find them for less than the hAP AC2. Something about sellers thinking of it as a WAP rather than the same unit with less switching ports. Good tip thanks. AC2 currently £68 on amazon which seems to be way better value than the £110 for hAP AC unless I am miss...
@mkx Ok thanks for that. The HAP AC is my main router
I think I will just have to get the HAP AC lite and use that to experiment with. What I want to do is something like this:
Current setup is just separate bridges each on its own subnet. No VLAN.
"if caps-man could only control a good radio..." I type it here all the time. When it comes to wireless... I am going to go with another vendor. After reading the docs, I seem to be going round in circles. For my HAP AC, it has a switch chip, so the suggestion from the wiki is to use it a...
@mkx thanks for the detailed advice. Lots to think about there. A simple diagram has already been scrawled! At the moment my RB is working quite happily with no VLAN and three wifi subnets. However as I want to extend this setup using another RB acting as an access point, separation via VLAN seems t...
VLAN is base of MTUNA :-) Ha, if that's what I think it is, I have embarked upon my journey towards certification, having now spent most of today getting confused over the various ways to implement VLAN. So far I think I need to bin off my existing bridges, combine everything apart from WAN into on...
Your setup sounds good. Hopefully this can be done without any managed switches as I don't really have many devices that need to be on another vlan.
Unfortunately VLAN was not part of the MTCNA so time for some self study!
I don't recommend capsman. Its like adding another OS to routerOS, with some overhead and worse complication. Thanks. Ok clearly my original idea is not the way forward. I am glad I posted on here first. Hopefully I can do something like show in the docs with my existing setup of 3 subnets, giving ...
Thank you for the replies. I referred to CAPsMAN because, when searching this and other forums before posting, it seemed to come up as the recommended solution. So from what I understand, with a small network consisting of 2x routerboards I would be better off configuring manually and using VLAN? I ...
Hi. I am a newbie to capsman so just wanted to check what I want to do is possible before I purchase another routerboard to use as an AP. My network consists of 3 SSID and each one is on its own subnet. The two extra are for guest and IOT which do not have access to other subnets apart from IO...
Router OS 6.44.6 on hapAC For testing I have set up two simple Queues, each one targets a specific client by IP address on the same subnet. Max limit works as expected. However what I want to do is give priority to client1 if both machines try to download at once. So I set "Limit at" on cl...