Community discussions

Search found 24 matches

by HoracioDos
Tue Feb 11, 2025 4:50 pm
Forum: General
Topic: DoH max concurrent queries reached, ignoring query
Replies: 5
Views: 1164

Re: DoH max concurrent queries reached, ignoring query

doh-timeout=1h23m20s ???????? Who got up in the morning and wrote that b–t? You wait 1 hour and more for a DoH reply? Your router acts as DDoS server... Default parameters: address-list-extra-time=0s allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB doh-max-concurrent-queries=50 doh-max...
by HoracioDos
Tue Feb 11, 2025 4:12 pm
Forum: General
Topic: DoH max concurrent queries reached, ignoring query
Replies: 5
Views: 1164

Re: DoH max concurrent queries reached, ignoring query

Hello, I have the same problem with Cloudflare Family. I get this message very frequently in logs. DoH max concurrent queries reached, ignoring query [ignoring repeated messages] This is DNS Client config. /ip dns set allow-remote-requests=yes doh-max-concurrent-queries=10 doh-max-server-connections...
by HoracioDos
Sun Feb 09, 2025 4:25 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

Yes and No. VLANs prevent devices from communicating directly (via switch alone). So you have a router ... and router will pass traffic between any pair of its interfaces unless configured not to (either routing rules or some kind of firewall). So yes, you need FW rules blocking traffic. But it migh...
by HoracioDos
Sat Feb 08, 2025 8:11 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

@Jotne Mikrotik default filters are active I don't believe it. And even if it did, you probably changed something else that made it not work. The firewall and the nat are full of useless rules, and the default drop-all-at-the-end are deleted... <put wireguard rule here> add chain=input action=drop i...
by HoracioDos
Sat Feb 08, 2025 7:00 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

As these rules are not really needed right now, I've deleted them add action=accept chain=forward comment="Allow traffic from iot-network to main-network" dst-address=192.168.33.0/25 log=yes log-prefix=iot-to-main src-address=\ 192.168.44.0/27 add action=accept chain=forward comment="...
by HoracioDos
Sat Feb 08, 2025 3:55 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

Please post your latest config so that we can apply fresh thinking to the issue. Full config /interface bridge add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge-lan /interface ethernet set [ find default-name=ether1 ] comment=ether1-isp name=ether1-isp rx-flow-control=auto tx...
by HoracioDos
Sat Feb 08, 2025 3:11 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

Well. I've added the missing rule and reset all counters. add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN" I removed: add action=drop chain=input comment="Block DNS from WAN UDP/53" dst-port=53 in-interface-list=WAN protocol=udp a...
by HoracioDos
Sat Feb 08, 2025 1:57 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

Secondly your config is hosed, You cannot have two dhcp servers to same interface, as you should have noted, you can use multiple bridges (not recommended) multiple vlans (recommended) Hello. I'm quite confused now. I don't understand why you say I have 2 DHCP servers, are you referring to this par...
by HoracioDos
Fri Feb 07, 2025 9:27 pm
Forum: Announcements
Topic: v7.17.2 [stable] is released!
Replies: 582
Views: 122823

Re: v7.17.2 [stable] is released!

@HoracioDos Post your FW config.
I don't want to hijack this thread. You can find it here
viewtopic.php?p=1123054&hilit=admin+services#p1123054
Last post #16
Thanks!
by HoracioDos
Fri Feb 07, 2025 6:53 pm
Forum: Announcements
Topic: v7.17.2 [stable] is released!
Replies: 582
Views: 122823

Re: v7.17.2 [stable] is released!

Only service that you like to have open should be open, all other blocked. That you need to block 53 tells me that your fw is wrongly set up.
@Jotne Mikrotik default filters are active
by HoracioDos
Fri Feb 07, 2025 5:19 pm
Forum: Announcements
Topic: v7.17.2 [stable] is released!
Replies: 582
Views: 122823

Re: v7.17.2 [stable] is released!

Try blocking port 53 especially on internet side...
Done! Thanks @bratislav
by HoracioDos
Fri Feb 07, 2025 12:27 pm
Forum: Announcements
Topic: v7.17.2 [stable] is released!
Replies: 582
Views: 122823

Re: v7.17.2 [stable] is released!

Hello. Since I've installed version 7.17.2 on a RB5009 router, I'm getting this message in the log:
'possible SYN flooding on tcp port 53'
There is no other sign of SYN flooding apart from this message. I have TCPSynCookies=yes
by HoracioDos
Fri Jan 31, 2025 8:36 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

Hello. I finally had time to upload the config file.
I'm still migrating some devices from my old LAN to the new main LAN segment, and this week I replaced a dumb switch with a managed one. Now I can start defining VLANs for the Guest WiFi network, the IoT LAN segment, and some other stuff.
Thanks!
by HoracioDos
Wed Jan 29, 2025 12:33 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

I'll try to upload the full config today but I will change all IP segments and individual IP addresses for each device
by HoracioDos
Wed Jan 29, 2025 12:14 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

Nobody asked for just part of your config..........geez So guess what I have to make up shit ..........that's fun Hi Anav, I truly appreciate the help, but put yourself in my position. I'm caught between accepting help from people offering their knowledge selflessly and exposing my entire router con...
by HoracioDos
Wed Jan 29, 2025 1:29 am
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

Thank you for your detailed response. I have carefully read your recommendations and I think I understand your point of view. I will wait for other people's opinions to finally decide which path I will take. I really appreciate the time you have dedicated to responding. Very grateful! I equally appr...
by HoracioDos
Wed Jan 29, 2025 12:11 am
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

Not trying to be abrasive, but your firewall rules are kind of a mess. It's very typical of what newcomers produce on their first try, so if you're willing to learn, you'll get there. Just keep up trying/learning/reading. Just be careful: there are *lots* of "tutorials" on youtube and oth...
by HoracioDos
Tue Jan 28, 2025 10:04 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Re: Blocking admin services - Firewall rules

Thanks for the quick response.
I've trimmed the config file a bit and also changed the IP segments, but everything makes sense.
Thanks again
by HoracioDos
Tue Jan 28, 2025 8:46 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 3059

Blocking admin services - Firewall rules

Hello. I am experiencing a situation where my router is being continuously flooded with external attempts to connect to admin services. My logs are completely full of entries like this, occurring every second: Block-Admin input: in:ether1-isp out:(unknown 0), connection-state:new src-mac 28:52:61:f0...
by HoracioDos
Mon Jan 27, 2025 3:48 pm
Forum: Scripting
Topic: Detecting Internet connection
Replies: 11
Views: 7514

Re: Detecting Internet connection

All true. Now there is also narrowband LTE, which KNOT supports, and those SIMs are pretty cheap monthly since it's limited data. Also, there's also LoRaWAN for these types of notification, which KNOT/LtAP/etc support. Certainly more setup, hardware, config, scripting... Anyway, always some solution if ...
by HoracioDos
Sun Jan 26, 2025 1:28 pm
Forum: Scripting
Topic: Detecting Internet connection
Replies: 11
Views: 7514

Re: Detecting Internet connection

Hello Amm0 I agree that not reaching cloud.mikrotik.com might not represent a full internet access problem and the service could just be limited or degraded. According to documentation, there are currently only two possible states (internet and wan), but MikroTik could change this behavior at any ti...
by HoracioDos
Sun Jan 26, 2025 1:00 am
Forum: Scripting
Topic: Detecting Internet connection
Replies: 11
Views: 7514

Re: Detecting Internet connection

:local ms [:pick $ifaceRTT 9 12];
:if ([:len $ms] = 0) do={
:set ms "No RTT";
}
:set ifaceRTT ($ms . "ms");


could be just:
:set ifaceRTT "$[([:tonsec $ifaceRTT]/(1000*1000))]ms"
DONE!!

Thank you again for your time
Regards
H
by HoracioDos
Sat Jan 25, 2025 11:24 pm
Forum: Scripting
Topic: Detecting Internet connection
Replies: 11
Views: 7514

Re: Detecting Internet connection

Thank you Amm0 for such a detailed answer. I started using "detect internet" instead of Netwatch with a ping to Google or Cloudflare because this feature is already built-in and I wanted to take advantage of it. I've read in the manual that "detect internet" could take some autom...
by HoracioDos
Sat Jan 25, 2025 4:09 pm
Forum: Scripting
Topic: Detecting Internet connection
Replies: 11
Views: 7514

Re: Detecting Internet connection

Hello. This is my first script to detect internet connection. Please be kind. Any comments about how to improve it are very welcome. First I've set up internet detection like this: /interface detect-internet set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=LAN wan-interfac...