Community discussions

Search found 65 matches

by PrimeYeti
Thu Aug 22, 2024 9:48 pm
Forum: General
Topic: CAPSMAN and Wifi Wave2 [SOLVED]
Replies: 2
Views: 949

CAPSMAN and Wifi Wave2 [SOLVED]

I've got a CCR1009 (obviously no standalone Wireless or Wave2 package installed by default) that's on v7.12.1. I've set up CAPsMAN and any devices that use legacy wireless (not Wave2) are being seen in remote CAP but Wave2 devices are not. Based on some research it seems like CAPsMAN should pick up l...
by PrimeYeti
Fri Jul 26, 2024 8:57 pm
Forum: General
Topic: Winbox Protocol
Replies: 1
Views: 409

Winbox Protocol

Wasn't able to get a clear answer online and I couldn't immediately see from a PCAP so would someone be able to tell me what protocol is used when logging into a Mikrotik device via Winbox? And if it differs when logging in via MAC or via IP? My first assumption was MAC Telnet for MAC address and so...
by PrimeYeti
Mon May 20, 2024 1:21 pm
Forum: General
Topic: Why is this traffic being processed by the firewall?
Replies: 2
Views: 390

Why is this traffic being processed by the firewall?

I've got an address list set up that has all my private ranges on it and a firewall rule that states anything with a src or dst of that address list, drop it. This is to stop routing between local subnets. I've found something weird that it is also dropping traffic within a subnet (10.102.100.0/22)? ...
by PrimeYeti
Fri Feb 23, 2024 3:32 pm
Forum: General
Topic: Masquerade with Multiple IPs
Replies: 3
Views: 477

Re: Masquerade with Multiple IPs

Thanks for the replies! That's fair, I don't really need it to work it just came up while I was working on something else and I realised I've never really thought about it. I always just assumed it just did the first address configured on the interface.
by PrimeYeti
Fri Feb 23, 2024 11:41 am
Forum: General
Topic: Masquerade with Multiple IPs
Replies: 3
Views: 477

Masquerade with Multiple IPs

Wasn't sure about this and not in a position to test myself. Out of interest, if I have 3 different IPs on a WAN interface and I apply a src-nat, masquerade, out=WAN interface rule, would traffic just be masqueraded as the first IP I applied to the interface? Or is there a system that the router use...
by PrimeYeti
Thu Feb 01, 2024 5:54 pm
Forum: General
Topic: DHCPv6 and Handing Out Prefixes [SOLVED]
Replies: 1
Views: 639

DHCPv6 and Handing Out Prefixes [SOLVED]

Real quick one; can you still only use SLAAC to hand out addresses? Or is there a way to use a DHCPv6 Server to hand out addresses not just prefixes? General consensus is no but I wasn't sure if that had changed at all since the forum posts I had been reading.
by PrimeYeti
Fri Jan 19, 2024 7:08 pm
Forum: General
Topic: CAPsMAN and VLANs [SOLVED]
Replies: 12
Views: 2025

Re: CAPsMAN and VLANs [SOLVED]

Forgot to say I think I found the reason. I didn't have the CPU port (bridge) tagged in Bridge VLAN Filtering for each VLAN on the CAPsMANager. Thanks for the help!
by PrimeYeti
Mon Jan 15, 2024 4:34 pm
Forum: General
Topic: CAPsMAN and VLANs [SOLVED]
Replies: 12
Views: 2025

Re: CAPsMAN and VLANs [SOLVED]

Thanks for the advice, Erlinden. I've managed to get it working but I'm not entirely sure how? Main thing I've changed is adding the bridge port as tagged in Bridge VLAN Filtering for all VLANs on the CAPsMAN router. Although when I remove it it doesn't seem to make a difference in Torch (everything...
by PrimeYeti
Mon Jan 15, 2024 11:15 am
Forum: General
Topic: CAPsMAN and VLANs [SOLVED]
Replies: 12
Views: 2025

Re: CAPsMAN and VLANs [SOLVED]

All the resources I have seen state to 'Use Tag' on wireless interfaces which dynamically adds them as tagged in the Bridge VLAN Table of the router. I don't think Mikrotik would assume that every device connecting to a wireless network would be VLAN aware, seems like a massive oversight. But yeah s...
by PrimeYeti
Sat Jan 13, 2024 7:56 pm
Forum: General
Topic: CAPsMAN and VLANs [SOLVED]
Replies: 12
Views: 2025

Re: CAPsMAN and VLANs [SOLVED]

To confirm, when you say the CAPSMAN master interfaces, do you mean the master wireless interfaces? If so when someone connects to them they appear in the Bridge VLAN Table of my CAPSMAN router as Current Tagged for their relevant VLANs so this seems correct to me. If you mean the interface that lea...
by PrimeYeti
Fri Jan 12, 2024 8:19 pm
Forum: General
Topic: CAPsMAN and VLANs [SOLVED]
Replies: 12
Views: 2025

Re: CAPsMAN and VLANs [SOLVED]

RB4011: v7.10.1
CAp AC: 6.49.7

Where would I confirm the wireless driver?
by PrimeYeti
Fri Jan 12, 2024 6:48 pm
Forum: General
Topic: CAPsMAN and VLANs [SOLVED]
Replies: 12
Views: 2025

Re: CAPsMAN and VLANs [SOLVED]

This is the CAPsMAN config for the SSID I am testing on. Also any config on the CAP that wasn't configured by CAPsMAN has been removed (Bridge VLAN Filtering). channel.band=2ghz-b/g/n country="united kingdom" datapath.bridge=bridge1 \ .local-forwarding=no .vlan-id=41 .vlan-mode=use-tag mod...
by PrimeYeti
Fri Jan 12, 2024 4:16 pm
Forum: General
Topic: CAPsMAN and VLANs [SOLVED]
Replies: 12
Views: 2025

CAPsMAN and VLANs [SOLVED]

I am currently struggling with something which, based on the Mikrotik wiki and various other resources, should work fine. I'll explain the setup below but the crux of my issue is that when a device connects to an SSID it isn't getting an IP address that corresponds to the DHCP server of a VLAN. The ...
by PrimeYeti
Wed Dec 27, 2023 2:55 pm
Forum: General
Topic: Winbox and WebGUI Login Timeout
Replies: 0
Views: 980

Winbox and WebGUI Login Timeout

After a while of searching it doesn't look like it's possible but just wanted to see if I was missing something. Or if it could be done by scripts? Basically just want to make it so that someone is auto logged out of Winbox/WebGUI after 15 minutes (inactivity or not). I've seen a few posts from like...
by PrimeYeti
Fri Dec 22, 2023 6:28 pm
Forum: General
Topic: SNMP Monitoring from Multiple Collectors [SOLVED]
Replies: 10
Views: 3026

Re: SNMP Monitoring from Multiple Collectors [SOLVED]

Managed to work this out but I appreciate the confirmation! I think my confusion came from the fact that you can have as many active communities as you want but you can only have a single trap community active. That still seems strange to me but I've got what I need. Thanks! :)
by PrimeYeti
Tue Dec 12, 2023 4:12 pm
Forum: General
Topic: SNMP Monitoring from Multiple Collectors [SOLVED]
Replies: 10
Views: 3026

Re: SNMP Monitoring from Multiple Collectors [SOLVED]

So with Mikrotik will all communities be v1 or v2 unless the Auth and Encryption details are entered?

Further to this, that makes more sense, but still how can you have multiple active Communities if you have multiple collectors? And if you can't what would be the best way of achieving this?
by PrimeYeti
Tue Dec 12, 2023 2:55 pm
Forum: General
Topic: SNMP Monitoring from Multiple Collectors [SOLVED]
Replies: 10
Views: 3026

Re: SNMP Monitoring from Multiple Collectors [SOLVED]

Say if I wasn't using traps in that case, how would I set it up so that both collectors can use V3? Because as far as I can tell you can only set the SNMP version under Trap Version. And in doing so you can only define authentication and encryption with a Trap Community.
by PrimeYeti
Tue Dec 12, 2023 11:23 am
Forum: General
Topic: SNMP Monitoring from Multiple Collectors [SOLVED]
Replies: 10
Views: 3026

Re: SNMP Monitoring from Multiple Collectors [SOLVED]

You can add multiple source IPs though this is sort of what confuses me. So from my understanding if I wanted to have two separate collectors I would need them to both have the exact same setup which seems strange and somewhat insecure.
by PrimeYeti
Mon Dec 11, 2023 4:04 pm
Forum: General
Topic: SNMP Monitoring from Multiple Collectors [SOLVED]
Replies: 10
Views: 3026

Re: SNMP Monitoring from Multiple Collectors [SOLVED]

Yeah you can create as many communities as you want but when actually putting them in use under IP > SNMP > Trap Community you can only have 1 active at a time.
by PrimeYeti
Mon Dec 11, 2023 1:42 pm
Forum: General
Topic: SNMP Monitoring from Multiple Collectors [SOLVED]
Replies: 10
Views: 3026

SNMP Monitoring from Multiple Collectors [SOLVED]

I have a device that we monitor that another company also wants to collect information from via SNMP. My immediate thought was to create another Community for the other company and have both active but of course this isn't possible. Is the only way to do it on a Mikrotik to have both agents use the s...
by PrimeYeti
Tue Nov 28, 2023 6:52 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 5219

Re: Bridge PVID [SOLVED]

@mkx thanks for the reply. How would you recommend configuring it so that the Mikrotik receives an IP address from a management VLAN without using hybrid ports? As mentioned the only other way I can think of is creating a VLAN interface at the Switch end of the trunk for the management VLAN and stic...
by PrimeYeti
Mon Nov 27, 2023 3:43 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 5219

Re: Bridge PVID [SOLVED]

The only reason in this day and age to even discuss hybrid ports is the DUMB Twats at unifi and maybe some others*** that setup the management interface to be untagged as default. Therefore, if one is not able to change the default setup, one has to hybrid into the moronic device with the managemen...
by PrimeYeti
Wed Nov 22, 2023 5:40 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 5219

Re: Bridge PVID [SOLVED]

I was under the impression that having all your VLANs tagged over your trunk and then your management as untagged VLAN over that same port was the done thing since that's how you would send traffic for multiple VLANs over the trunk but also tell your switch at the other end "you should h...
by PrimeYeti
Wed Nov 22, 2023 4:46 pm
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 5219

Re: Bridge PVID [SOLVED]

I did some further testing on this and it seems as if setting the PVID on the bridge as whatever your management VLAN is is a reallyyy good idea from a security perspective (as Nichky kindly mentioned) as I can then only access it from interfaces with the same PVID (e.g. the interface my PC is on). ...
by PrimeYeti
Wed Nov 22, 2023 12:28 am
Forum: General
Topic: Bridge PVID [SOLVED]
Replies: 13
Views: 5219

Bridge PVID [SOLVED]

What does setting the PVID against the bridge rather than just the individual bridge ports do? What are the situations when you would use this? I understand that PVIDs tag untagged traffic on ingress to a port but I can't quite wrap my head around what implications this has when setting the PVID on ...
by PrimeYeti
Thu Oct 19, 2023 4:02 pm
Forum: General
Topic: Firewall Rule Order [SOLVED]
Replies: 4
Views: 1019

Re: Firewall Rule Order [SOLVED]

That makes a lot more sense. I get what you mean.

Thanks for clarifying! :)
by PrimeYeti
Wed Oct 18, 2023 7:56 pm
Forum: General
Topic: Firewall Rule Order [SOLVED]
Replies: 4
Views: 1019

Re: Firewall Rule Order [SOLVED]

Thanks for the reply mkx. I’ve just tested this and it seems to work the way I want it to (e.g. allows 192.168.2.0 through the router but not 192.168.1.0). My question is though why does it work? Since the above rule is essentially saying the source address must be and must not be 192.168.1.0 for th...
by PrimeYeti
Wed Oct 18, 2023 7:33 pm
Forum: General
Topic: Firewall Rule Order [SOLVED]
Replies: 4
Views: 1019

Firewall Rule Order [SOLVED]

If I create a firewall rule as such: Accept - Forward - Src Address !192.168.1.0/24 - src Address-List LAN Address List LAN: 192.168.1.0/24 192.168.2.0/24 This would accept forward from 192.168.2.0/24 but not 192.168.1.0/24 right? My next question is why? Would the firewall rule go off specificity? ...
by PrimeYeti
Thu Aug 10, 2023 12:44 pm
Forum: General
Topic: Rookie Question: DstNAT
Replies: 3
Views: 688

Re: Rookie Question: DstNAT

Note: To-Ports is only required if doing port translation (aka the incoming port hitting the WAN has to be different from when it hits the device). So if To-ports is left blank, the port on the local side doesn't change right? So if the Dst Port was 1234 and the To Port was blank, that traffic woul...
by PrimeYeti
Wed Aug 09, 2023 6:32 pm
Forum: General
Topic: Rookie Question: DstNAT
Replies: 3
Views: 688

Rookie Question: DstNAT

If I put the below rule in my NAT table to DstNAT port 1234 from my public address to my local address: Chain Dstnat Dst address: 1.1.1.1 Dst port: 1234 Action Dstnat Dst address: 192.168.1.1 Is that just going to forward to internal port 1234 since the external port is 1234, even though I haven't s...
by PrimeYeti
Wed Jul 26, 2023 12:47 am
Forum: General
Topic: VRRP Failover when WAN drops [SOLVED]
Replies: 7
Views: 1817

Re: VRRP Failover when WAN drops [SOLVED]

That's a good point, if the WAN goes down then DHCP isn't the end of the world but if the router dies then that's going to be...interesting to say the least.

I think I'll have to go back to the drawing board for that one. Thanks for the help!
by PrimeYeti
Tue Jul 25, 2023 11:46 pm
Forum: General
Topic: VRRP Failover when WAN drops [SOLVED]
Replies: 7
Views: 1817

Re: VRRP Failover when WAN drops [SOLVED]

Image is attached. I didn't attach one originally since, as you can see, it's not a complicated setup in the slightest. Also apologies for my drawing. I don't do network drawings often :lol: I think Amm0 hit the nail on the head. Since posting this I have tested it myself and I think the way I'm goi...
by PrimeYeti
Tue Jul 25, 2023 11:01 am
Forum: General
Topic: VRRP Failover when WAN drops [SOLVED]
Replies: 7
Views: 1817

VRRP Failover when WAN drops [SOLVED]

Had a request from a customer so I have been brainstorming and just wanted to get some input :) would like to know if what I'm thinking below will work for the purpose and if anyone has any thoughts on optimising. So I will be managing a router that will connect to the customer's LAN. That LAN will ...
by PrimeYeti
Thu Jul 20, 2023 6:13 pm
Forum: General
Topic: IPSec Client Behind NAT [SOLVED]
Replies: 8
Views: 1942

Re: IPSec Client Behind NAT [SOLVED]

Thanks guys, I kind of assumed what Kentzo was saying is the case so in this situation I think it's the customer's problem more than mine. Last thing I can think of is that the "Default" policy is enabled so I'll disable that and see what happens.

Thanks everyone for the input!
by PrimeYeti
Wed Jul 19, 2023 10:59 pm
Forum: General
Topic: IPSec Client Behind NAT [SOLVED]
Replies: 8
Views: 1942

Re: IPSec Client Behind NAT [SOLVED]

Oh really? Whereabouts would this be configured? Just to make sure I've made the setup clear there's an external IPSec server that connects to the IPSec client which is behind my managed Mikrotik. So the Mikrotik shouldn't be interfering at all in an ideal scenario it should just pass it straight th...
by PrimeYeti
Wed Jul 19, 2023 11:27 am
Forum: General
Topic: IPSec Client Behind NAT [SOLVED]
Replies: 8
Views: 1942

Re: IPSec Client Behind NAT [SOLVED]

Thanks both for the response! It's IP based dstnat. I also haven't checked their IPSec config but (stupidly of me) I would assume they had NAT traversal enabled on the tunnel. I will double check this with them. There is only a single WAN so shouldn't be an issue of it coming in one WAN and attempti...
by PrimeYeti
Tue Jul 18, 2023 11:21 pm
Forum: General
Topic: IPSec Client Behind NAT [SOLVED]
Replies: 8
Views: 1942

IPSec Client Behind NAT [SOLVED]

I manage a Mikrotik that sits in front of a customer's firewall in which we dstNAT all traffic from the router to their firewall. The client side of the IPSec site to site is on the customer's firewall. Even though all traffic is being forwarded it won't seem to establish. I even tried accepting any...
by PrimeYeti
Mon Jul 17, 2023 6:54 pm
Forum: General
Topic: IPv6 Prefixes [SOLVED]
Replies: 14
Views: 6252

Re: IPv6 Prefixes [SOLVED]

So is it possible to have multiple prefixes on my main router in that case? Or can I only have my /48 on my breakout router and then other smaller subnets on routers downstream? Seems wrong to me but I'm new to IPv6!
by PrimeYeti
Thu Jul 06, 2023 12:00 pm
Forum: General
Topic: IPv6 Prefixes [SOLVED]
Replies: 14
Views: 6252

Re: IPv6 Prefixes [SOLVED]

That is very helpful thank you. I understand the use of the From Pool feature in addresses now :D Maybe you could enlighten me as to why the pools in the below config overlap? They've got different prefixes so I'm not sure what I'm missing... My WAN pool has been assigned by my ISP via DHCPv6 as (fo...
by PrimeYeti
Wed Jul 05, 2023 11:13 pm
Forum: General
Topic: IPv6 Prefixes [SOLVED]
Replies: 14
Views: 6252

IPv6 Prefixes [SOLVED]

Hopefully a quick one; I got a /48 from my ISP and want to create a /64 prefix pool on my router specifically for the LAN. Every time I do this I get an error stating that two prefixes cannot overlap. Is it actually possible to have multiple separate pools for this situation? Or do I just need to gi...
by PrimeYeti
Wed Jul 05, 2023 11:00 pm
Forum: General
Topic: AL2 Firmware?
Replies: 8
Views: 1421

Re: AL2 Firmware?

I know, that's my point. But still no one has told me what AL2 firmware is and where to get it?
by PrimeYeti
Wed Jul 05, 2023 11:24 am
Forum: General
Topic: AL2 Firmware?
Replies: 8
Views: 1421

Re: AL2 Firmware?

Ok no problem I can give it a go. I know the Architecture is ARM but the firmware type definitely shows as al2. Weird.
by PrimeYeti
Tue Jul 04, 2023 6:51 pm
Forum: General
Topic: AL2 Firmware?
Replies: 8
Views: 1421

Re: AL2 Firmware?

I was going to install with the latest on Mikrotik's website anyway so should be ok. Any idea what the AL2 firmware is though and/or where I can get it from?
by PrimeYeti
Tue Jul 04, 2023 6:10 pm
Forum: General
Topic: AL2 Firmware?
Replies: 8
Views: 1421

AL2 Firmware?

Not sure if I'm missing something simple but I'm trying to Netinstall my RB4011 and on another RB4011 I have it says it uses firmware al2 but this architecture doesn't appear on Mikrotik's website? Anyone able to let me know what I'm missing please? If it helps the revision on this router (that I do...
by PrimeYeti
Wed Jun 21, 2023 6:05 pm
Forum: General
Topic: Dual WAN Load Balancing [SOLVED]
Replies: 9
Views: 5059

Re: Dual WAN Load Balancing [SOLVED]

I have just done some more research and think I realise where my confusion is coming from. PCC from what I understand is used for the actual load balancing part of this config (divvying up connections between links). The part that I am trying to get the hang of is before actually setting up the load ...
by PrimeYeti
Wed Jun 21, 2023 5:55 pm
Forum: General
Topic: Dual WAN Load Balancing [SOLVED]
Replies: 9
Views: 5059

Re: Dual WAN Load Balancing [SOLVED]

That is exactly what I'm saying...which is why I want to work out how to do it.

The video provided uses PCC which I'm not adverse to using, but I just want to know how to do it only using mangle rules.
by PrimeYeti
Wed Jun 21, 2023 3:41 pm
Forum: General
Topic: Dual WAN Load Balancing [SOLVED]
Replies: 9
Views: 5059

Re: Dual WAN Load Balancing [SOLVED]

I just want to have incoming on both WANs going out the same WAN it came in on.
This is what I want which is a part of the load balancing, as if I had connections going out of random WANs then it's likely going to cause some issues for example with certain banking websites.
by PrimeYeti
Wed Jun 21, 2023 12:55 pm
Forum: General
Topic: Dual WAN Load Balancing [SOLVED]
Replies: 9
Views: 5059

Dual WAN Load Balancing [SOLVED]

I am attempting to set this up with Mangle rules but it seems as if every solution I look at uses different rules and different amounts of rules to the next? I tried just doing a mark-connection forward rule and then a mark-routing prerouting rule for the aforementioned connection mark but when I se...
by PrimeYeti
Tue May 09, 2023 6:26 pm
Forum: General
Topic: Bridge VLAN Filtering Question
Replies: 5
Views: 659

Bridge VLAN Filtering Question

I know there are benefits to using Bridge VLAN filtering for VLANs rather than setting them up via the switch or by using multiple bridges and vice versa. For example using bridge VLAN filtering is a lot tidier than having a bridge per interface and I also know that Hardware Offloading is only possi...
by PrimeYeti
Thu Apr 27, 2023 1:59 pm
Forum: General
Topic: Neighbor Discovery on Bridges
Replies: 3
Views: 553

Neighbor Discovery on Bridges

I am hoping someone can confirm this and I am not going mental. Today I was attempting to disable neighbor discovery (all protocols) on only certain interfaces so I created an interface list called TestList which included eth8. Eth8 is currently showing in neighbor discovery. I went into neighbor di...
by PrimeYeti
Thu Apr 13, 2023 12:50 pm
Forum: General
Topic: PVID Uses [SOLVED]
Replies: 23
Views: 2436

Re: PVID Uses [SOLVED]

PVID is a standards based term. It is in the IEEE 802.1Q specs. "native vlan" and "access vlan" are not; those are "Cisco" terms, and Cisco has two names for untagged vlans, depending on whether the port is a trunk (what MikroTik would call a Hybrid port) (native vlan)...
by PrimeYeti
Thu Apr 13, 2023 12:34 pm
Forum: General
Topic: Tagged VLANs not needing Untagged interfaces
Replies: 15
Views: 1506

Re: Tagged VLANs not needing Untagged interfaces

moderator action - removed unnecessary quote I did read the article and watch the video both of which were very helpful, so thanks for that. Although it didn't seem to help in answering my original query regarding frames tagged with a VLAN coming in on the WAN not being seen on the LAN. The reason ...
by PrimeYeti
Wed Apr 12, 2023 9:41 pm
Forum: General
Topic: Tagged VLANs not needing Untagged interfaces
Replies: 15
Views: 1506

Re: Tagged VLANs not needing Untagged interfaces

Does two things: Creates a new interface that an ip address can be applied to. In the above example, ether1 is the base interface, and the created interface named ether1.100 and it is associated with vlan 100 tagged traffic on ether1. Removes tag in ingress into the routing engine and adds it to pa...
by PrimeYeti
Wed Apr 12, 2023 7:31 pm
Forum: General
Topic: PVID Uses [SOLVED]
Replies: 23
Views: 2436

PVID Uses [SOLVED]

So I understand that PVID isn't an industry wide technology as Cisco uses simply 'Untagged' to identify what VLAN a port is part of (ingress and egress) so why has Mikrotik separated it into Untagged (VLAN on egress at an access port) and PVID (VLAN on ingress at an access port)? Is there a benefit ...
by PrimeYeti
Wed Apr 12, 2023 4:13 pm
Forum: General
Topic: Tagged VLANs not needing Untagged interfaces
Replies: 15
Views: 1506

Re: Tagged VLANs not needing Untagged interfaces

Hi MKX, I understand the theory behind encapsulation and decapsulation, the part that I am not fully getting in this scenario is how traffic tagged with VLAN 100 isn't passed on traffic received on my WAN to my LAN. I'm not fully understanding this because there is no untagged port to necessarily re...
by PrimeYeti
Wed Apr 12, 2023 11:43 am
Forum: General
Topic: Tagged VLANs not needing Untagged interfaces
Replies: 15
Views: 1506

Re: Tagged VLANs not needing Untagged interfaces

In both cases the VLAN associated with the ISP stops at the appropriate client ending. After that, traffic from the LAN utilizing the WAN connection is predicated on a. firewall rules allowing traffic through the router (and out the WAN) Forward Chain b. Routes, telling the router where to send tra...
by PrimeYeti
Wed Apr 12, 2023 1:02 am
Forum: General
Topic: Tagged VLANs not needing Untagged interfaces
Replies: 15
Views: 1506

Tagged VLANs not needing Untagged interfaces

Having a bit of a brain fart here. I have a WAN connection that the ISP insists needs to have a VLAN tag of 100 in order to function which is fair enough and it is all working. The reason I feel that I am having a brain fart is because none of my LAN interfaces are untagging VLAN 100 but surely all ...
by PrimeYeti
Mon Mar 27, 2023 11:54 am
Forum: General
Topic: EEE on Mikrotik
Replies: 0
Views: 586

EEE on Mikrotik

Hi There,

Based on what I have seen from some Googling, Mikrotik don't currently have the software support to allow you to change EEE (802.3az) settings. Is this still the case? The latest of the sources I found was back in 2019.
by PrimeYeti
Tue Mar 14, 2023 11:19 am
Forum: General
Topic: Can you chain IPSec Tunnels?
Replies: 0
Views: 354

Can you chain IPSec Tunnels?

What I mean is I would want a setup that goes: R1 > Tunnel > R2 > Tunnel > R3 So my question is if I had a policy setup on R1 to encrypt traffic with src of 1.1.1.1/24 (R1 LAN) and dst of 2.2.2.2/24 (R2 LAN), could I then setup another traffic on R2 that passes it to R3 with a policy that has src 1....
by PrimeYeti
Thu Mar 02, 2023 4:42 pm
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 1461

Re: IPSec and ICMP

In the classic policy-based IPsec there is no such thing as "IPsec interface". But even if there were such thing, it would have been a peer-to-peer connection interface, and so MAC address would not make much sense there. The outgoing ESP traffic is originated from your VPN endpoint (your...
by PrimeYeti
Thu Mar 02, 2023 2:26 pm
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 1461

Re: IPSec and ICMP

Damn that's annoying. Failing that then, is anyone just able to tell me whether the ESP traffic will show src MAC of IPSec interface or WAN interface? I would assume it's WAN but would be good to get confirmation. :)
by PrimeYeti
Thu Mar 02, 2023 1:20 pm
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 1461

Re: IPSec and ICMP

Yes I am well aware that the frame will be re-encapsulated when being transmitted between routers. What I am trying to find out is what the src MAC should be when the frame leaves one end of the IPSec tunnel. This is why I am using ping but for whatever reason the packet sniffer will not show ICMP ec...
by PrimeYeti
Thu Mar 02, 2023 11:29 am
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 1461

Re: IPSec and ICMP

If I look in a packet trace though those ESP packets still have src and dst MACs.

Also not sure if this is just me setting something up wrong but I can still see ICMP when it should be going over the IPSec tunnel. Should this not be encrypted and show as ESP?
by PrimeYeti
Wed Mar 01, 2023 7:10 pm
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 1461

Re: IPSec and ICMP

Basically a client has asked me what the src MAC address will be of any traffic going over this tunnel and I've come to the conclusion that it will either be the MAC of the "WAN" interface, or the MAC of the LAN interface that the IP range is configured on... WAT? IPsec (as even the name ...
by PrimeYeti
Wed Mar 01, 2023 1:56 pm
Forum: Beginner Basics
Topic: IPSec and ICMP
Replies: 10
Views: 1461

IPSec and ICMP

Not sure what I'm missing here so any assistance would be appreciated! Basically I've got an IPSec tunnel between two routers internally (for testing purposes), so one has a "public IP" of 192.168.88.1/24 on its "WAN" and the other has a "public IP" of 192.168.89.1/24 o...