MikroTik

senseivita

I'm aware that VRF allows to have conflicting address spaces on a routers interfaces, that's cool and all, but what if they weren't conflicting and you just wanted to split a router so it would act like if it were two routers, each side would have its own WAN and possibly connect to a remote single ...

senseivita

C'est à dire:

Why? (and thanks.)

senseivita

In a router-on-a-stick, I set up a number of VLANs, each with its own DHCP server, plus another for the untagged traffic matching the PVID — AKA VLAN 0, or native VLAN, usually VLAN 1 in most networks — of the [trunk] port to the neighboring switch. After pasting the reservations and other settings ...

senseivita

I'd like for any single user that has multiple devices to be able to sign in their [single] user account while each of their devices gets its own static set (v4+v6) of IP addresses. I know it's possible to assign pools of addresses to a group, or even to a user; however, to effectively target device...

senseivita

I'm getting concerned about this, I think it might be related to VRRP because of the L2 address, but that's as far as I've gotten. No other host with active lease is doing that, only this one and what I think must be the other router… (…) Screen Shot 2023-09-22 at 11.49.15.png Screen Shot 2023-09-22...

senseivita

Sorry, for the hold up. Yeah, I know the VRF thing was a bad example. I think it did convey the message though :) I know about inline scripts, but that's what I'm trying to avoid. I was/am hoping for something like a glob expression. Also, I've exported data entered on winbox before, it's useful but...

senseivita

I'm setting up a new firewall, hopefully Mikrotik's but to do so I need to be able to filter traffic by DNS but not in DNS itself (filter layer 3 without being the resolver) as well as by whole ASNs, similar to pfBlockerNG on pfSense or IP sets on OpenWRT , but I've been just staring at winbox for a...

senseivita

Sometimes you need to pick several items from a list or enter several items and to apply them to an entry, or both. i.e; 1:many, many:1, many:many; e.g; We'd like to set the winbox service available on VRF red, green, and blue; /ip/service/set winbox vrf= ? I tried: /ip/service/set winbox vrf=R,G,B ...

senseivita

Could you explain in the simplest way you can how VLAN/port/interface assignments work on bridges? I know how to do this on Linux — Distributed Switch Architechture — on Cockpit and on the command line, on VyOS, and on other platforms and but on Mikrotik's software I find it so confusing. Screen Sho...

senseivita

Thanks chechito, ( heh, that sounds funny--is that Spanish? ) But that's actually the source of my confusion. :/ I've gone through all of that, plus the old docs. There are at least four management tools but not one is fully, and non-ambiguously documented. I always and the same amount of answers an...

senseivita

While attempting to make sense of bridges I was resetting addreses on VLAN interfaces and suddenly I got disconnected and now it refuses connections. The interface I connect to on the router is not participating on anything I'm doing, it's just there solely to have a safeguard for lockouts., i.e; it...

senseivita

I'm attempting to move out of DHCP to RADIUS for address assignment. wired, wireless, virtual, and VLANs. So I'm piecing up the components, rules, what can I do and what can't I. There are hosts in the network that are multihomed with same network adapter, i.e, same MAC address. There are users in t...

senseivita

I'm trying to set up DHCP's option 121. In the docs I learn about variable "NETWORK_GATEWAY", unfortunately it appears to not adapt itself to context/requesting subnet. So the next best thing would be the subnet ID since the gateways are available on each of the subnets involved at the sam...

senseivita

That (sort of) is what I've been trying. But unless I add them one by one without relation to one another, it won't work, check this out (in the pic below) the server (in hexa) should match second (and third) octet of the address (in decimal), it's pretty straightforward. Instead it assigns addresse...

senseivita

I remember there was a place in winbox to set multiple addresses/static leases per client (it's been a while), and each consecutive address was added clicking on those ↓ buttons. When a client came online, it would sort things out and pick the address matching the network automatically. I'm trying t...

senseivita

There have been constant attempts to login on my router by the generic user "admin" (which doesn't exist). My router is nowhere near the edge of the network, but it is accessible from every subnet and currently has no firewall rules. In turn, access to the network is guarded by RADIUS, DHC...

senseivita

I think I might be just Mikrotik's target audience, and I think I'd thread carefully in its place. Something like the UniFi Controlller is pretty to look at but it ain't very useful. It's slow, it's got so many problems with from adoption, to disconnections, to being unable to handle consecutive (no...

senseivita

I'm trying to set up a CHR with a bridge instead of individual VLANs on an ethernet interface; all seems to go well until the moment I enable VLAN filtering, then I'm cut off. The router has two intefaces, a trunk (VLAN 4095 — vSphere) and the second one is on a single VLAN from which I could access...

senseivita

I was re-reading https://help.mikrotik.com/docs/display/ROS/RADIUS and there this sentence which made me think I should clarify. The sentence reads "The MikroTik RouterOS has a RADIUS client that can authenticate for HotSpot, PPP, PPPoE, PPTP, L2TP, and ISDN connections." . These are all s...

senseivita

I've read the documentation, old and new but I can't find a straight answer to this. Can the User Manager module/pkg (or the built-in Users module at least) augment accounts (i.e; provide missing or override attributes such as IP address, VLAN, etc) for accounts sourced either via a live queried or ...

senseivita

For tasks that are too cumbersome on Winbox tome some dummy value as reference then write a "script" (not really) and feed it line by line via SSH. It works as long as I have a blank slate to work with. This means I still need to use Winbox to wipe all entries and hopefully, and depending ...

senseivita

I can't make IPv6 work in CHR. In the past routing platform which was also virtualized it worked fine, if I turn on that VM it still works fine which obviously indicates I'm doings thngs wrong in CHR. Thinking it might be multicast-related and since all those options appear to be there, I redid the ...

senseivita

Okay..oh man! It's a lot. So I went back on this haphazard log I had been keeping of what I'm setting up, tweaking, a few screenshots: at some point I that RFC1919 was in the next column i.e. destination , after posting though I focused away from this a bit since things were online it could wait. So...

senseivita

The configuration posted and screenshots don't correspond exactly, however the rules are working as expected - in the image 'Screen Shot 2021-08-04 at 04.33.00.png' the traffic source address is 10.0.0.32 which will match src-address-list 'rfc1918' referenced in rule #1 and be accepted, so never re...

senseivita

Lets recap. You have configured: 20 vlans on ether1 that is renamed to z0001/trunk every vlan has a 10.x.y.y network, with x as the number of den VLAn interface (not Vlan ID) you have ipv4-dhcp server for some VLANs, eg interface 0009 you have ipv6-dhcp server for some VLANs and /ipv6 nd prefix set...

senseivita

Is very hard to follow any reasoning if you have all interface and items numbered like 0011. I lost all context of every instruction. You have configured the device, you know that. The export is a rebus full of thing to remember at memory. Even the screenshots without context they make it appear as...

senseivita

There's no bridge, it's a router. :) It's not a device either, it's a CHR. It seems not to obey the firewall at random or something; I just blocked myself and I still can communicate out. Screen Shot 2021-08-04 at 04.33.00.png I have full access to what shouldn't be allowed--everything outside of RF...

senseivita

Oh man, I'm sorry, I'm still learning the rules around here. I attached the file now. If it's all scarily open it's because it sits behind other firewalls, IDS/IPS and proxies already. I promise I'm not that reckless. :D This will be the "distribution" firewall, so to speak, it'll filter o...

senseivita

I'm trying to pass all traffic entering an interface (rule #3) but it's catching nothing: Screen Shot 2021-08-02 at 00.58.03.png Instead all traffic is caught by the later rule (rule #6) which just like the intended one, doesn't specify src.addr . Why specifying the interface breaks the otherwise id...

senseivita

Hey all, :) I'm setting up CHR as the edge device but I need to route traffic in and out to several devices. It was suggested to me that I used VRF but that seems to capture everything (a default route) and I still have to direct X to Y , part of X to Z both internally and over multiple Internet-fac...

senseivita

My [CHR] license expired but it said in the box next renewal was in two days. I went to my account and I had the option (button) to renew but it had a little red flag next to it. I didn't trust the conflicting messages specially since the documentation says that I absolutely need to reinstall — whic...

senseivita

I found my answer! :D On article Manual:IP/DHCP Server I had missed: relay (IP; Default: 0.0.0.0) The IP address of the relay this DHCP server should process requests from: 0.0.0.0 - the DHCP server will be used only for direct requests from clients (no DHCP relay allowed) 255.255.255.255 - the DHCP...

senseivita

I failed for the fouth or fifth time to migrate to CHR again, but the good thing is that I just used another firewall at the edge and this I'm I have no firewall rules to recreate. I want to keep the DHCP server though, make it the master, I liked it that like Windows Server's DHCP it can be edited ...

senseivita

Thanks for answering, that's such a relief. I already set it up halfway --routes are not enforced yet-- I only need to figure out a way to enforce traffic within the chain if, say, another device that introduces traffic in the middle of the line this traffic continues right on line but this device i...

senseivita

I think I can solve it using Mangle rules to mark traffic on an interface and then the rules section in IP/Routes to match the traffic and force it to a gateway. The only problem is that since router has visibility at every point I'm afraid on the way back it might skip the gateways altogether and s...

senseivita

I use several network appliances in the network to do what Mikrotik can't or just is too cumbersome to do, I'm sure it'll get easier with time and some of these will disappear. Meanwhile though, I have this devices chained routing from one to the next and I'd like to reorganize this into a pseudo st...

senseivita

I'm setting up CHR but the ruleset plus policy routing (which I don't know how to do), tunneling stuff, IDS/IPS and reverse proxy is so complicated (and basic, i.e; tunneling) that I' used a couple of pfSense instances chained in front of it instead with static rules to avoid NAT. If I delete all th...

senseivita

I'm attempting to move to CHR from pfSense/OPNsense but I'm having a hard time dealing with firewall rules. In pfSense filtering is only done on the inbound direction of each interface. While filtering can be done on the outbound too it's rarely used, mostly by traffic shaping or a package that can ...

Search found 38 matches

Can VRF be used to "split" a router?

OSPF routes are received by the router but they aren't brought up

How do I configure DHCP on a bridge and bridgeport's VLAN 0 (zero)?

[Augmented] Single user, multiple-entry

Router is requesting (and ignoring) IP address leases from itself, very fast. Why?

Re: How do I list items in the CLI entry?

Filtering L3 based on DNS, ASN

How do I list items in the CLI entry?

Quick bridge VLAN filtering review--please!

Re: I can't winbox using IP after changing bridging settings

I can't winbox using IP after changing bridging settings

Can I use caller-id to assign multiple devices to a single user?

Network ID variable or similar

Re: How do I configure multiple static leases per client in a single location?

How do I configure multiple static leases per client in a single location?

Endless winbox login attempts on own interfaces

Re: MikroTik Devices Controller

CHR - VLAN Filtering on bridge kills access

Re: Can User Manager augment accounts from remote sources? [SOLVED]

Can User Manager augment accounts from remote sources? [SOLVED]

Use of ranges in the CLI

Help understanding VLANs under a bridge

Re: Why interfaces don't work for firewall rules?

Re: Why interfaces don't work for firewall rules?

Re: Why interfaces don't work for firewall rules?

Re: Why interfaces don't work for firewall rules?

Re: Why interfaces don't work for firewall rules?

Re: Why interfaces don't work for firewall rules?

Why interfaces don't work for firewall rules?

Advice for routing internally with multiple WANs

CHR trial license expired, got new ID. Can I purchase?

Re: How to create multiple DHCP servers in the same interface

How to create multiple DHCP servers in the same interface

Re: Policy Routing/FIB

Re: Policy Routing/FIB

Policy Routing/FIB

How do I disable (allow all) the firewall completely?

Switching from pfSense to CHR -- Firewall rules