Search found 28 matches

by techclerk
Wed Jul 07, 2021 5:13 pm
Forum: Wireless Networking
Topic: Capsman dynamic provisioning and MAC ACL
Replies: 8
Views: 4766

Re: Capsman dynamic provisioning and MAC ACL

So, it works.
1. Create reject rule. Do not specify MAC, just in SSID REGEX write this regex and specify interfaces - dynamically created: ^NETWORKNAME$
2. Add your exceptions with MAC + SSID REGEX mentioned above and interfaces - dynamically created, but with accept
3. Now you have filter list that ...
by techclerk
Tue Jun 15, 2021 6:08 pm
Forum: Wireless Networking
Topic: Wifi between concrete walls
Replies: 23
Views: 7256

Re: Wifi between concrete walls

No needed for high speeds, couple of sensors for alarms and depending on the connection eventually 1-2 video cameras Do you have any idea how much bandwidth 2 cameras require? A plain 2MP IP security camera requires at least 4 Mbps (with H.264 enabled). 2 cameras and sensors, etc. - minimum 10 Mbps. And...
by techclerk
Sat Jun 12, 2021 8:19 pm
Forum: Wireless Networking
Topic: Can you have 2.4 and 5GHz on a single SSID with CAPsMAN ?
Replies: 9
Views: 6419

Re: Can you have 2.4 and 5GHz on a single SSID with CAPsMAN ?

It is interesting that I have 4 CAPs connected to CAPsMAN with create dynamic, only two configs, and it automatically created two networks on both my 2.4 GHz and 5 GHz radios. CAPs are in CAP mode, interfaces dynamically created, CAPs dynamically added. I never specified the 2.4 and 5 GHz radios specifi...
by techclerk
Sat Jun 12, 2021 12:29 pm
Forum: Wireless Networking
Topic: Capsman dynamic provisioning and MAC ACL
Replies: 8
Views: 4766

Re: Capsman dynamic provisioning and MAC ACL

You just need to do something like this: (^YOURSSID$) include the brackets.
But will this work, just specifying SSID and not specifying interfaces? Or does it require specifying both interface and SSID?
by techclerk
Fri Jun 11, 2021 5:24 pm
Forum: Wireless Networking
Topic: Capsman dynamic provisioning and MAC ACL
Replies: 8
Views: 4766

Re: Capsman dynamic provisioning and MAC ACL

No, the reject are /caps-man access-list add action=reject disabled=no interface=cap-office without any MAC address do not confuse mac-address with mac-mask The issue is that interfaces are dynamically created. I connect my CAPs using CAP mode of the AP and interfaces are dynamically created. That...
by techclerk
Thu Jun 10, 2021 6:40 pm
Forum: Wireless Networking
Topic: CAPsMAN reconnections
Replies: 15
Views: 4185

Re: CAPsMAN reconnections

Set the signal strength parameter and check the actual RSSI of the clients who are complaining about this. Wireless roaming works this way... If the signal is poor and there is an AP which provides a much better signal, computers switch to this AP.
by techclerk
Wed Jun 09, 2021 5:59 pm
Forum: Wireless Networking
Topic: Capsman dynamic provisioning and MAC ACL
Replies: 8
Views: 4766

Capsman dynamic provisioning and MAC ACL

I have a certain number of MikroTik AC CAPs, which are connected to my main MikroTik router. I've created 2 VLANs on the interface where these CAPs are connected to the MikroTik router. Then I have two DHCP servers, one is office, the other is guest hotspot/configured hotspot separately using Use...
by techclerk
Sat Jan 30, 2021 1:58 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

Re: L7 Filter rule exception.

If you're able to install a CA certificate on all computers in your network, then you can use something like the Fortigate firewall. Because you've installed the CA certificate on all computers, it can re-sign all encrypted connections. This gives it the ability to transparently inspect the content...
by techclerk
Fri Jan 29, 2021 8:05 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

Re: L7 Filter rule exception.

That is so true... when the boss wants to keep the employees at work by blocking facebook and youtube, there must be something else going wrong there. Either the employees do not really want to work there, or the boss is assuming something that is not really going on. ...Imposing such limitations o...
by techclerk
Sat Jan 16, 2021 3:36 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

Re: L7 Filter rule exception.

There IS no permanent, always-working way to block websites. It will always fail after some time. And the measures you have implemented may have or develop side-effects that you notice only after some time. QUIC is one thing, but encryption of the plaintext hostname in TLS setup is already running ...
by techclerk
Thu Jan 14, 2021 7:40 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

Re: L7 Filter rule exception.

You need to do that in some other way. Like with agreements, rules and enforcement thereof. ("using the company network to follow your facebook page is not allowed, and when we catch you doing it the punishment is: [fill in what is legally allowed]") I highly doubt that leaving a door wid...
by techclerk
Wed Jan 13, 2021 6:02 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

Re: L7 Filter rule exception.

This particular one doesn't - there's also the dst-port=80,443 which restricts the match to the client->server packets. But I'm tired of asking you to post the complete firewall filter. I was reluctant to post a complete export of the firewall rules, because of the fact that I had much to edit. We ...
by techclerk
Sun Jan 10, 2021 8:51 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

Re: L7 Filter rule exception.

only handles the packets in the client->server direction, whereas the subsequent "drop youtube" one acts on packets in both directions - the layer7-protocol matching stores the complete contents of the first few packets of each connection and searches for the pattern in all of them, regar...
by techclerk
Sun Jan 10, 2021 4:48 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

Re: L7 Filter rule exception.

I'd have to see the complete filter rules to understand why it is happening... These are the rules. add action=drop chain=forward comment=SiteRestrictions dst-address-list=blocklist src-address-list=!allowedlist Blocklist is a list of sites that are blocked. Before it I have L7 REGEXP blocking. /ip ...
by techclerk
Sat Jan 09, 2021 8:01 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

Re: L7 Filter rule exception.

So are you saying you want to extend the single action=drop rule currently matching on src-address-list=!allowedlist layer7-protocol="DisableYoutube" with yet another match condition, which would prevent it from dropping packets sent from a "youtubeonly" address although such pa...
by techclerk
Sat Jan 09, 2021 4:12 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

Re: L7 Filter rule exception.

I am sure you understand what you mean by the above, but I don't. Can you show the above three variants in the form of firewall filter rules exported from the MikroTik? Okay. I am trying to get a specific IP not part of the allowedlist to be able to open YouTube. I can make a second list with every IP...
by techclerk
Sat Jan 09, 2021 3:51 pm
Forum: General
Topic: L7 Filter rule exception.
Replies: 22
Views: 15883

L7 Filter rule exception.

I have an L7 filter rule that blocks YouTube. It's hard to block it via IP filter because Google uses multiple addresses and this affects the use of other sites, like Gmail or Google Search. The problem is that my filter rule is REGEXP. I apply it for all IPs that are not part of the Allowed users IPs....
by techclerk
Wed Oct 28, 2020 11:58 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

Other than that, you may save some CPU by rearranging your firewall rules - the "accept related, established" should be the topmost one. One more question. I had numerous attacks from the WAN side, trying to log in via SSH/Telnet/WinBox and WebFig. I just disabled the service ports and for...
by techclerk
Wed Oct 28, 2020 11:11 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

Yes, PH2 count shows the number of currently established SA pairs as I wrote above. You can have multiple SAs between the same pair of peers: So, PH2 count is the number of currently established SAs, not the total number. And if they disconnect, the MikroTik tries to establish a new PH2 without waiting t...
by techclerk
Wed Oct 28, 2020 10:35 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

But nor do you need the one with src-address=150.100.0.0/16 - it should be showing 0 packet count in the srcnat chain. Well, the rule accept 150.100.0.0/16 says 78 packets matching and about 4 KB of traffic. If they initiate the VPN on demand, shouldn't I be able to see some number in PH2 count? And if...
by techclerk
Wed Oct 28, 2020 9:58 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

Because if they can really connect to a resource on a private IP inside your LAN, there must be some tunnel somewhere - possibly on the external equipment (between Mikrotik's ether1 and the internet). If they sent a packet towards 192.168.8.0/22 via internet, it would not reach the Tik. They say th...
by techclerk
Wed Oct 28, 2020 9:32 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

Without that missing rule, the packets from 192.168.8.0/22 to 150.100.0.0/16 get src-nated to the WAN IP of ether1, and thus the policy ignores them.
What kind of rule do I need? And they try to connect and access resources. So then, isn't it true that they initiate the connection to me?
by techclerk
Wed Oct 28, 2020 9:13 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

The action=accept rule in chain=srcnat should actually read action=accept src-address=192.168.8.0/22 dst-address=150.100.0.0/16. You've got the 150.100.0.0/16 as src-address there, which is wrong. Why is it wrong to accept the traffic from 150.100.0.0/16 in both ways? With the rule I intended to al...
by techclerk
Wed Oct 28, 2020 8:02 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

.... /interface bridge add admin-mac=********* auto-mac=no comment=defconf name=bridge /interface ethernet set [ find default-name=ether1 ] comment="WAN " set [ find default-name=ether2 ] comment=LAN set [ find default-name=ether10 ] poe-out=off /interface list add comment=defconf name=WA...
by techclerk
Wed Oct 28, 2020 7:41 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

In that case, I need to see the complete config export.
What do you need me to export?
by techclerk
Wed Oct 28, 2020 7:23 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

So is the policy which doesn't come up configured statically, or should it be dynamically created from a template once the IPsec "session" comes up? It's a static policy. Not created from a template. I have accept srcnat 150.100.100.100/16 before masquerade. NAT traversal=disabled. About the c...
by techclerk
Wed Oct 28, 2020 6:45 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

Re: IPSec tunnel no phase2

There is no "tunnel" without an SA. So as written above - either the traffic matches some other policy and uses it, or the policy for this traffic has some problem not related to shadowing by another one, and then the traffic may bypass IPsec completely. I have other IPSec policy, but wit...
by techclerk
Tue Oct 27, 2020 7:52 pm
Forum: General
Topic: IPSec tunnel no phase2
Replies: 22
Views: 45510

IPSec tunnel no phase2

Hello, I have some questions about an IPSec tunnel that I need to make work. I have created an IPSec tunnel src=10.20.10.20 dst=150.100.100.105. My local net is 192.168.10.10/22. I have an accept srcnat 150.100.100.100/16 rule in IP-NAT. I also have a forward rule in IP-Filter rules accept forward 150.100.10...