L2 Ethernet, VXLAN

Thanks, this is what I wanted.

Hi all, two MT devices connected over the Internet by Wireguard, all working fine. I have some vlans on Router1, I want Router2 to use, what is the accepted way of doing this? Was thinking of an EOIP tunnel but looking for other, possibly better ideas? Wanting to use Capsman across the WG link also ...

This post started as a request for help but ended up solving it myself so adding her in case it helps someone else. First time using CAPSMAN and now its working I really like it. This maybe a bug? Found one post with the same issue and no answer: Configured CAPSMAN and it was all working successfull...

Hey Dave, really sorry to hear you are shutting down but completely understand. Just like to thank you for the script and for me personally, I used it on multiple devices with multiple customers and it must have saved me more than a few times from bad things happening. I used to monitor the firewall...

Simplest solution is to NAT the PPPOE connection.

Google "Mikrotik NAT PPPOE"

Use Ether1 for the PPPOE connection and Ether2-5 for the internal network

You need to go to the wireless menu item and then the interfaces tab and enable the wireless and setup SSID and password etc.

Since you have multiple networks, you should start by ensuring you can ping from a server to router 2. Once that is done, ping from router 2 to the same server. This should be resolved mostly by adding routes. Once the above is resolved, do some port forwarding to expose services to the internet via...

Maybe try to swap the power supplies on the Mikrotiks or do a factory reset on the Mikrotik that does not work and try again.

If the VOIP phones were on a different IP range than everything else, you could simply add a filter on the firewall to deny all traffic except the VOIP range.

A good place to see these attacks visually is under the connections tab on firewall. Knowing the total number of connections under normal use is a good way to spot abnormal traffic. As an example, on my home router, I know that anything over 5 or 600 connections means something weird is happening. W...

You can create minimal rules to allow traffic out to the internet and provide basic protection from the internet but the more complex your network is, the more rules you will have to create.

There is no need.

IP > DNS > Static

create new static record:
name www.mywebpage
Address 10.10.0.3

ok, turns out I wasnt being impatient :) I copied the schedules from the start of this thread and there are a couple of issues. 1. The schedule names are the same and this causes the import of the second schedule to fail, solution is to rename the second schedule 2. The run command differed in both ...

Yes, I have that but doesnt seem to work :( i'll try to troubleshoot, thanks /system scheduler add interval=1d name=updateBlacklist on-event="/system script run updateBlacklist" policy=read,write,test start-time=startup add interval=1d name=UpdateBlackList on-event="/system script run...

great script, I am seeing lots of hits against the listed IP's.

On reboot, is there a way to load the script automatically or do we have to wait for the scheduled update time?

A ping wants to go through the network to the target device and then back out through the network to the device who asked for the ping. Looks like your ping cant get back to 10.80.8.1 might need a route on the mikrotik 2 - 192.168.50.235 network so the ping traffic has a path back to the destination...

Some good advice Normis, thanks, moved my rule down the line as suggested changed the filter rule to only include traffic on port 80 /ip firewall add action=tarpit chain=forward comment="Wordpress xmlrpc.php hack" dst-address=192.168.0.57 dst-port=80 in-interface=ISPLink layer7-protocol=aa...

A webserver I look after was getting pounded heavily from multiple external addresses with the xmlrpc.php wordpress attack. Since it was from multiple sources, a blacklist was not helpful and I ended up using a L7 rule to stop all the attacks. You will see this in your apache access.log Notice them ...

This will happen if the IP range is the same on each end of the network. IP range MUST be different on each end. It may be a route issue, look in IP route and see where the default traffic is going. You have done the hardest part by connecting the VPN. What does a tracert to the other site show you?

this is actually easy to get working once you know how. I do agree with you, getting it to work the first time is difficult. First, setup the main router that is connected to the internet and get that all working. -next is to get the wireless working on the same router. -now go into the wireless set...

you can use the MT DNS server and add static host entries there instead of on the PC. This requires the VPN clients using the MT as their DNS

ip > dns

You can only graph the interfaces on the MT device. SO in your case you can graph the port that the switch is plugged into and grab the total traffic passing through the port but not individual. The IP information on the graph man page refers to who can view the graphs page ie its a permissions thin...

Thanks for the answer, this didnt quite work as expected but I was able to do something very similar to get it working. - created a wan or dmz bridge - added ports 4 and 5 to the wan bridge - assigned an internet IP out of the 5 spare to the wan bridge to act as a gateway (for ports 4 and 5) - assig...

In winbox GUI

IP > services > winbox

add IP address of management LAN

whats in the pub dir under files?

We have heaps of these in the field and they never give any trouble. Having said that, I dont have any with 6.1 some thoughts ... - do a factory reset and reconfigure - turn on more logging and try to find the issue - roll back to a previous OS none of these are difficult and wont take long. I would...

Hi, we have a router using PPPOE and 5 extra wan addresses, everything is working (I can ping the IP addresses on the router) Want to put one of the WAN addresses directly onto a server and plug the server into port 5 so it is completely exposed to the internet without NAT etc. How to do this? thanks

/ip firewall filter add chain=forward connection-state=established action=accept add chain=forward connection-state=related action=accept add chain=forward protocol=tcp dst-port=5900 dst-address=192.168.1.100 action=accept add chain=forward out-interface=!WAN action=drop Dragging up an old thread b...