MikroTik

Frederick88

Currently running a RB4011 (router/DHCP/DNS), hAP AX3 for wifi & a 3rd party WiFi AP.. Have just purchased a wAP AX to replace the 3rd party WiFi AP, so my wifi network will be served using wAP AX and hAP AX3. Looking to setup CAPsMAN as part of this - with the key feature being able to roam my ...

Frederick88

viewtopic.php?t=185996

Some key things you'll need to add/change;

Routing > Rules
Routing > Tables
IP > Routes
Interfaces > Interface List
IP > Firewall > NAT
IP > Firewall > Filter Rules

Frederick88

turns out Certificate issue.

see viewtopic.php?p=1047487&hilit=DOH#p1047487

Frederick88

actually it seems I have DoH DNS issue..

DoH server connection error: SSL: ssl: no trusted CA certificate found (6) [ignoring repeated messages]

this just started happening earlier before I attempted to update...

Frederick88

I found answer and tried deleting original post, but loads a blank page after I click delete?

anyway, for anyone else wondering the same thing, create a static DNS A record
upgrade.mikrotik.com > 159.148.147.204
update
remove A record

Frederick88

I'm on 7.13 stable.

what's the easiest way to update to 7.13.1 since the internal dns is broken with 7.13 ?

(considering the bug present in 7.13, I would have thought this info would be readily available on the announcement page along with 7.13.1 update?)

Thanks

Frederick88

https://support.apple.com/en-us/HT203068

Frederick88

updated hAP ax3 to 7.10 stable. WiFI seems a lot better. No "authentication" related errors, and no 5GHz radio malfunctions yet. I also noticed that my laptop picks up the SSID from the hAP instantly now, whereas <7.10 the SSID took a lot longer to show compared to other wifi APs in the ar...

Frederick88

/ip address
add address=10.1.1.2/24 interface=WGinterface

is it not possible to use /32 here instead, since traffic is masqueraded anyway? i’ve always felt using smallest possible subnet is better, more efficient and secure?

Frederick88

Could be a case of cheap Android trash?

To help eliminate some possibilities,
Have you tried removing TP-Link switch from the equation and connect directly to MT?
Have you tried disconnecting connection from TV and connect to another device, such as laptop. Does it experience same issue?

Frederick88

I was searching for blocky with MikroTik , and came across this topic... I wanted to use blocky over PiHole due to blocky's native DoH support, whereas PiHole needs an additional binary (CloudFlared) for DoH (and probably not possible on the MT?)... Regardless - it seems like running either blocky o...

Frederick88

Instead of trying to bond two completely different connections such as a fixed PPPoE and wireless cellular connection, you may want to consider using pre-routing and mangle rules instead, whereby you have a VPN connection from each WAN with rules about what traffic goes over what connection... Other...

Frederick88

@rextended I feel as though using standard DNS as a failover for DoH, defeats the purpose of using DoH in the first place...? @anav once you've imported the cert into RouterOS, it stays there until it expires, regardless of reboot... not sure what you mean by "you will need to put it back in&qu...

Frederick88

RE: DoH Server Settings I'm successfully using DoH without Server= defined. /ip/dns/set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes Therefore I don't believe you need to define the standard (non DoH) DNS server. (even if I clear DNS cache, DoH will still w...

Frederick88

Thanks guys. I discovered it's something Plex Media Server on the Synology is doing. Nothing in PMS logs suggest what exactly, and everything within PMS is turned off (including DLNA).. maybe some weird combination of Synology & PMS... I'll also look into some blackhole rules to further harden t...

Frederick88

Any more info on the new radio/reg-info console command?

/interface/wifiwave2/radio/reg-info country=Greenland number=???????????

Frederick88

I noticed this under ip/firewall/connection, and wondering how it's possible: WTF_169.jpg SETUP Synology NAS ether1 - Connected to network with DHCP IP 172.17.88.200 (LAN interface VLAN88home ) Synology NAS ether2 - PHYSICALLY NOT CONNECTED - Synology self assigned IP 169.254.34.120 Firewall rules: ...

Frederick88

hAP ax3 has POE out on ethr1. You can do WAN from another ether.
Why they made ether1 POE IN AND OUT, I don't understand ...

not to mention on the 2.5Gb port as well.

i can’t see any other logic for it other than cost saving.

Frederick88

i was considering doing similar to avoid CPU, but after reading this thread, i’m going to stay with the one bridge.

good read, thanks.

Frederick88

Sorry to dig up old thread, but I'm wondering very similar... /system/resource/pci> print detail 0 device="00:00.0" name="SFP+ 10G Ethernet Adapter (rev: 1)" vendor="Annapurna Labs Ltd." category="Ethernet controller" vendor-id="0x1c36" device-id=&qu...

Frederick88

no need to double NAT.

just create two LANs, one for each property.

eg
property 1 uses VLAN 111
property 2 uses VLAN 222

you can present vlan 222 as an untagged native port for the wireless point to point

viewtopic.php?p=781603

Frederick88

what’s the advantage of
reject-with=icmp-admin-prohibited
vs sending traffic black hole?

will devices on LAN stop trying UPnP if they receive the icmp prohibited message?

Frederick88

i think you either need a second WAN external IP,
OR you put one router behind the other.

with only one external WAN IP, and two routers in the network, you’re gonna have to double NAT at some point….

Frederick88

you can create second peers on each MikroTik Wireguard interface.

viewtopic.php?p=920105
Scenario 4 - (MEDIUM) Peer to Peer tunnelling with one Wireguard interface & Use of IP addresses for Wireguard interfaces.

Frederick88

OVERVIEW RB4011 running ROS 7.8. Gaming Console that requires open ports for internet related gaming features. Gaming Console (with static IP) on its own network VLAN90, connected directly to RB4011 ether3 (untagged port, PVID90). GOAL Provide necessary open ports for Gaming Console, with as little...

Frederick88

Frederick88

what spec refers to channel width 80MHz?

nothing I can see explicitly mentions channel width specification/limitation.

Frederick88

VST should work without too much hassle... From existing router, trunk VLANs to ESXI host. Configure VST accordingly, ensuring it includes the physical NIC that the trunk is connected too... The vSwitch/vmkernel NIC should then hand off each VLAN's network tot he guestOS as untagged native traffic. ...

Frederick88

also in Winbox, the GUI doesn't show option for 160MHz.. another reason I'm thinking it's not supported? [admin] /interface/wifiwave2> export # RouterOS 7.8 # removed I've tried with removing Country as well. I use frequency 5490-5650, which covers channel 100 to 128. . [admin] /interface/wifiwave2>...

Frederick88

yes sorry, increase latency - diminish was a poor choice of word. . MSS is computed per tcp connection, not per packet. so once tcp connection has been established and MSS calculated/computed, is there still ongoing compute each time it "pre-fragments" the ongoing packets within the establ...

Frederick88

LAN and WAN are separate networks, regardless if they're on different VLAN / no VLAN. Even if both WAN and LAN are no NO VLAN (native, untagged), that's still not the reason why LAN can send and receive traffic out of WAN... The routing table is what does this, see IP Routes.. this is based on IP ne...

Frederick88

Recently purchased hAP ax3 - trying to set 802.11ax with 160MHz channel width - says "unable to find suitable channel", even if I set channel frequency wide enough for 160MHz... The more I look into it, the more I'm beginning to think the ax3 doesn't support 160MHz channel width, 802.11ax ...

Frederick88

Does MSS Clamping cause much overhead on the router - or rather, does it diminish your WAN latency in any way, and negate any potential advantages of using larger MTU within the LAN to begin with?

Frederick88

This thread has been an interesting read leading me to look into MTU... PMTUD does its job and correctly sends packets/frames in correct size based on the path. We've never had any fragmentation in the networks I deployed large MTU on. This has me wondering, if I change my computers NIC to Jumbo MTU...

Frederick88

i think instead of trying to understand all the possibilities and ways it can be done - what is your goal and requirements…. explain what you’re trying to achieve and why.. based on this. we can minimise your options and provide a clearly list of examples how it could be done, along with the pros an...

Frederick88

well i think you have quite a few different options and ways you can do this… i guess first question is, how much “control” or influence you have over the whole network, from ISP connection to you…? if you have freedom to do anything you want, it might be worth considering bridging your ISP modem/ro...

Frederick88

thanks guys... I think I've been trying to overcomplicate things instead of keeping it a bit more KISS... my original thought for doing this was to minimise VLAN routing latency (ie. avoiding CPU as much as possible) to the computers connected directly to hAP... but I now realise traffic has to go t...

Frederick88

how does wifiwave2 affect things if the hAP is the one responsible for routing?

Frederick88

This might sounds like a silly idea... but in any case, I'm interested how it would be possible, if possible... Objective: assign hAP ax3 as router, using the internet connection "bridged" through RB4011.. and on the same ethernet connection, trunk back LANs from hAP to RB4011. Is it possi...

Frederick88

depends what you want responsible for the routing of the “private network” within the ESXI host… if it’s your ISP router, you need to trunk from router to ESXI host and then assign each vlan network to your guest OSes. otherwise you could virtualise a router within the ESXI host, create virtual inte...

Frederick88

i think each wg connection will need its own peer. and each peer needs its own address.

eg
wgpeer1 192.168.85.2/24
wgpeer2 192.168.85.3/24
wgpeer3 192.168.85.4/24

Frederick88

No need, In fact you should be able to ping the gateway of any vlan from any vlan device and the wg interface. The reason is that interfaces on the MT are considered Router interfaces and thus if one has connectivity to the router, then one should be able to ping the interfaces. As you already disc...

Frederick88

(1) For VLAN separation at Layer3, firewall rules apply. Easiest is to drop all at the end of the forward chain. I added the drop all. Can't ping devices on other VLANs, however I can ping the address of wireguard interface. Example, I'm on VLAN89 and can ping 10.140.35.150 (wireguard51 interface I...

Frederick88

@anav Much appreciate your previous configuration, works like a charm on a recently purchased hAP ax3... I used the fresh default config of the hAP ax3 and added wireguard and VLAN configuration as you outlined previously, with the addition of another wireguard interface and LAN.. Massive help, than...

Frederick88

It's been a while, so to summarise: 2 LANs on MikroTik: vlan1 : routes via standard ISP WAN only vlan5 : routes via WireGuard VPN connection only EDIT: Can i send you the actual WireGuard configuration file with private key for you to try, assuming you have a test environment? Might be easier than t...

Frederick88

WireGuard VPN Configuration file (wg-vpn-server_UDP.conf) from the VPN Server Provider: [Interface] Address = 10.75.178.228/10 PrivateKey = blahPrivateKeyblahblah= DNS = 10.64.0.1 [Peer] PublicKey = blahPublicKeyblahblah= PresharedKey = blahPresharedKeyblahblah= Endpoint = endpoint.vpnserver.address...

Frederick88

Im astonished that the VPN provider would give you over 4,000 addresses for internet access vice ONE! are you sure thats correct??? Yeah I thought a /10 was quite a lot as well, but I've double checked config and that's what they've given me... From my understanding, this just means that their side...

Frederick88

Appreciate your help, you've got me past a few hurdles I was stuck on and it's all making a bit more sense now, especially with firewall rules which I've cleaned up as you've suggested.. Cheers - I am used to working with all vlans if working with any vlans, anything else gets confusing right quick....

Frederick88

is what I'm trying to achieve, possible with RouterOS 7?

Frederick88

Luv to help when you explain WTF vlan0 is?? Also unable to assist without the config? /export file=anynameyouwish Thanks and sorry for bad terminology - by "vlan0" I mean the default LAN, which I guess should be called "vlan1"... LAN 192.168.88.1/24 | native on ports eth2 to 10 ...

Frederick88

I have read https://forum.mikrotik.com/viewtopic.php?t=182340&sid=884e4039a8973770ded8fdbc61032f3d which was very well written and detailed, thank you. However I'm still having trouble trying to set up a WG connection and isolate one of my LANs to use this gateway only. Example of what I'm tryin...

Frederick88

Hi, I'm fairly new to routerOS after purchasing a new 4011... I must say, the learning curve is a little more than I expected, but I'm enjoying it for the most part... My current set up is ISP > routerOS ether1 (WAN) LAN network = 192.168.88.1/24 I'm looking at creating another LAN, say, 192.168.70....

Frederick88

so I keep reading how UPnP can be a security risk... I have Xbox connected to ether9, WAN via ether1. If I enable UPnP for just external port=ether1 and internal port=ether9, would it still be considered a security risk since UPnP is only enabled for the xbox and therefore can't effect any other LAN...

Search found 53 matches