MikroTik

BrandonSk

This time more serious issue. At least for me (both macOS and also Windows version) for devices that use VLAN offloading via switch chip features - all tabs are missing! Example for CRS109: In Windox 4 I go to Switch -> VLAN ... a new window appears, where I can only click New -> new window -> and s...

BrandonSk

Hello and thanks for native macOS and Linux support. Comparing to other issues, this is perhaps minor: WakeOnLan window -> closes after clicking the WOL button. Can we keep it open? (macOS 15.1.1) + a feature request (already mentioned above by spippan): In DHCP-SERVER -> Leases, can we have a right...

BrandonSk

OK. I mark this thread as solved. Thank you @mkx and @jaclaz for your inputs. @mkx - SPF connection is no-go for me, as the infrastructure is already buried in the walls. But I plan to run bonds, so I will eventually move to that solution. As for the trusted ports part, turns out that I needed to tu...

BrandonSk

So the above post SOLVES original post. But I have one final question I have indicated in the first post, which I wanted to deal with once VLANs work... I will add (perhaps unrelated) additional questions, because I am also experiencing some strange behavior on some ports (e.g. look at CSS326 port 1...

BrandonSk

Thank you both for taking time to respond. It's now much clearer and I guess a lot of original questions do not need answers anymore. Although some for general knowledge would still be nice to have :) As a follow-up for future readers, here is the revised configuration: Forum-topology2.png What has ...

BrandonSk

Native VLAN doesn't necessarily mean VLAN1, do you mean that your ISP is using VLAN1 as "native"? Well, I'm not sure how to check that. When I was trying to find out which VLANs they use, I simply ran a torch on input interface to see which VLANs appear there. Now, since I have a switchOS...

BrandonSk

Oh, I see your question now... That refers to this part of the introduction at the beginning of my original post: "ISP provides internet (native vlan), IPTV (vlan), VOIP (vlan). The tv-boxes, despite broadcast being on iptv vlan, apparently also require native vlan connection , which ISP uses f...

BrandonSk

I have also proposed alternative solution in my #3 above. So if I am not to use VLAN 1 in this way, that means the yellow ports cannot be in strict mode, but must be in optional (or enabled?) mode. In that case, green and blue remain strict = there should be no native VLAN appearing on these ports,...

BrandonSk

Re: #4 Does your ISP provide the service over VLAN1 or in any other ways forces you to use it? I might have missed where you explained how you were forced - with a gun pointed at your head - to use VLAN1. The usual advice is to NOT use VLAN1, unless it is really-really needed because the consequenc...

BrandonSk

Dear friends, Very long post, but trust me, there are questions at the end :D After playing (and posting around this forum) with VLANs on “baby” equipment (CRS1xx series) I finally listened to wise people saying I should get real switches and moved on to the 3xx series, buying CRS326 and CSS326, and...

BrandonSk

If you are connecting to the internet just fine and users are not complaining, then why open up your router to garbage. Drop all is fine. Near identical is not identical and one rule can make a huge difference. Sorry to bring this up after 3 years, but I think the original aim of the question may s...

BrandonSk

Follow-up for whoever might find this useful. Disabling ipsec at Site 1 got it working in the direction Site 3 to Site 1. But for some reason I still was getting the pref-src="" for the route 192.168.100.0/24 and I could not get rid of it. So instead I decided to specify the preferred sour...

BrandonSk

SOLVED (almost) Hi, well, the thing about the routes I mentioned in previous post got me thinking... why there is pref-src=""? (in my translation Mikrotik is saying I don't know which source to use... so there must be more than one...) Well, it turns out that turning off the ipsec at Site ...

BrandonSk

Hello, below are the "full" configs. I redatcted actual public IPs. I also removed parts: /system/scheduler /system/script and /tool/email (all information in those section relates to the auto-update and backup script you can find here ) Site 1: # 2024-02-11 14:34:51 by RouterOS 7.13.2 # s...

BrandonSk

Hello. Thanks for looking at my setup. Instead of quoting, let me just comment on your points: (1) Fixed - removed the input rules at Site 2 and Site 3. (2) Please clarify what you mean by "shares" (devices?). I do want devices from LANs to access devices at different Site. Particularly, I...

BrandonSk

Hello. I am switching from ipsec to wireguard. But for some reason one branch can communicate with the main location while the other branch not. Configs seem to me identical, but maybe I am missing something. Sites overview Site 1 - main site: Public IP: 1.1.1.1 Local networks: 10.201.22.0/24, 10.20...

BrandonSk

Hello, I thought it might be a good idea to leave the latest configuration here, since I marked the thread as solved. How we got here: The original idea was to have incoming connection from ISP (Untagged internet, and tagged IPTV and VOIP) to RB4011 and from there pass the traffic tagged traffic via...

BrandonSk

Thank you mkx. Although I have a 1 Gbit up & down, I think that the hw should handle that. Now I only need to find time to actually do it and if I run into issues, I will come back to this thread.
Thanks again,
B.

BrandonSk

There's still some errors in VLAN config: you configured some ports with pvid set in /interface bridge port (so you intend them to be access ports for that VLAN) but you set them as tagged members of same VLAN under /interface bridge vlan which creates asymmetry (port expects untagged frames on ing...

BrandonSk

CRS1xx/2xx devices do not support any hardware offloading when the bridge has vlan-filtering=yes . The bridge itself should be set to no and then configure the switch chip directly under /interface ethernet switch ... - see https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835 and h...

BrandonSk

Hello, my ISP is delivering Internet on native VLAN, and then IPTV and VOIP on specific 2 VLANs. I created a lab environment to fine-tune the configuration before I go to the real network. Goal is to split the traffic at router (will be RB4011, but for the Lab I am using CRS109) and then connect via...

BrandonSk

Beeyev, Would it be possible to also add an option to ftp along with email? Also, is there a way to remove the backups created on the router itself? Thanks! Here is a fork of the script which supports FTP, SFTP and also email: https://github.com/BrandonSk/Mikrotik-RouterOS-automatic-backup-and-upda...

BrandonSk

If this router is attached to the internet and these are the fw filter rules the OP has put in, then there is no point in fixing any capsman or vlans until the OP understands the purpose of the firewall and how to put in a safe config (default for starters is good). Gentlemen, thank you for caring ...

BrandonSk

Thanks again for responses. I'd say you have naming clash: on CRS in capsman configuration you set datapath.bridge=bridge while bridge on RB952 is named bridge 1 ... and with local forwarding enabled datapath.bridge refers to bridge on CAP device, not on capsman device. I renamed the bridge on the C...

BrandonSk

Thank you everyone for the replies. I realize that my original post was perhaps too broad, but I wanted to get a feeling "IF it is possible" and HOW to go about it. I will continue trying step by step and slowly expanding my lab, until I get it right :) Speaking of which - I have a little ...

BrandonSk

Hello, I am a bit confused about VLAN implementation options. While individual cases are quite clear to me (meaning using either built-in switch chip capable of VLANs, or using bridge for VLANs, ...), I am not quite sure if those different methods can coexists in one setup. Therefore I would like to...

BrandonSk

OK, I think I finally got it working thanks for the tips above and info from this thread . The problem was missing essential firewall rules, which allow mikrotik-to-mikrotik communication between gre endpoints via ipsec tunnel. That being said, maybe it's obvious for experts, but for the rest of us ...

BrandonSk

Your ipsec policy matches traffic 192.168.200.2/32 <->192.168.200.1/32, but it should match traffic between GRE local and remote addresses 1.1.1.1 <->2.2.2.2 As these are your WAN IPs, ipsec policy also should match GRE traffic.....or tunneled traffic might re-enter the tunnel endlessly. A way arou...

BrandonSk

Excellent. Thank you very much. It's a pity this is not documented somewhere.
Cheers,
B.

Sorry, spoke too soon. I did not realize I had openVPN running at the same time when doing the ping :-\
So no, unfortunately, enabling NAT traversal did not solve the problem.

BrandonSk

As the devices are 1:1 nated,

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 nat-traversal=no

nat-traversal on the default policies needs to be enabled.

Excellent. Thank you very much. It's a pity this is not documented somewhere.
Cheers,
B.

BrandonSk

Dear all, I've been trying to get secured GRE site-to-site going, but after exhausting all tips and tricks, hints and workarounds I found either here or on internet, I must ask for help. The setup: Location 1 Public IP: 1.1.1.1 LAN: 10.201.1.0/24 Assigned IP to GRE interface: 192.168.200.1/30 Locati...

BrandonSk

Miracle solved (?). Turned out that my ISP at site B assigned me two addresses from private range (172.... and also 10.24...) + of course the 1:1 NATed public IP. I just added the other private IP address to ether1. Suddenly things started to work. But with my knowledge, I am still not sure whether ...

BrandonSk

Hello all, I have encountered a very strange problem and either I am missing something obvious or it's a miracle :( I have two sites A and B. Site A: Public IP - 1.1.1.1 LAN 10.201.1.0/24; LAN gateway (mikrotik) 10.201.1.1 Site B: Public IP - 2.2.2.2 LAN 10.201.2.0/24; LAN gateway (mikrotik) 10.201....

BrandonSk

OK, so it turns out to be a linux quoting issue rather than mikrotik related one. So for anyone coming across the smae thing, here is how to get it working with comments containing spaces as well. As I am running the line from a shell script, I defined variable for the command part (note that commen...

BrandonSk

Hello all, I am trying to enable a firewall rule via ssh, but for some reason this is not working. What I have: -> a user who can ssh into the mikrotik box (let's call him autobot) -> the user uses ssh key for authentication (passwordless, because it's run from script) -> for testing purposes the au...

BrandonSk

Well, what do you know... Mea culpa. I hate coincidences. The 10.201.1.151 host turns out to be hooked up to another switch (ZyXel router in a switch mode) which aparently discard the VLAN info. Since I work remotely on that network, I couldn't have known. I used that host because it was always on a...

BrandonSk

OK ZeroByte, went setp-by-step through your instructions and: eth1 -> has wan ip assigned (as you suggest) local-bridge -> has the 10.201.1.1/24 as you expected (DMZ virtual port has 10.201.11.1/24 assigned if it matters) And answer to your question is: I need the VLAN to communicate between virtual...

BrandonSk

Thanks ZeroByte, I will have to digest your answer and go slowly line by line experimenting. In the meanwhile I was watching traffic with torch and maybe found where the problem is, but don't know what is the fix :) I am pinging from VM 10.201.11.6 (in XenServer) to a regular PC connected to Mikroti...

BrandonSk

Thanks Dirk for the suggestion. Maybe I am using wrong terminology - yes, I am using the switch functionality. After examining the router based on your input, the situation is as follows: eth2 and Bond are already bridged together on "bridge-local" eth3 & eth4 -> they do not have Maste...

BrandonSk

OK, here is an update. I have a small progress. My VLAN clients now can reach the internet. The problem was that when client (VM) had more than 1 interface, I was assigning multiple gateways. And since my NAT is not VLAN based, it is routing any subnet I throw at it. So that works. Last piece missin...

BrandonSk

Hello, thanks for the reply. Yes, I have the NAT setup and it's working fine for several months now. That's also a reason I was not touching the "original" 10.201.1.0/24 network. The WAN interface is on eth1-gateway. I'll try to describe interfaces: eth1-gateway -> wan interface, on the LA...

BrandonSk

Hello folks, I have setup VLANs on my Mikrotik router, clients get addresses and can see each other, but from VLANs I cannot reach internet. I am obviously missing something, but my attempts with creating additional bridges etc. did not lead to success. Hence, I am hoping you can help me troubleshoo...

BrandonSk

Hello, gui allows for an easy NAT rule to add ip to an address list, but not to remove it (expiration time is not what I am looking for). My idea is to implement port-knocking where different services use different port sequence. I would have a shell script on linux, which would easily via menu allo...

BrandonSk

Well, whatever happened, the pictures are reshuffled and do not correspond to the actual steps (I am sure I inserted them correctly). Anyway, it is still valid, just match the picture (filename below the picture) to the correct step. The filename always starts with the step number - e.g. 0-..., 1-.....

BrandonSk

...continues Step 3 - Define IPSEC peers 3-IPSEC-peer.png Step 4 - Make sure your proposals are the same 4-IPSEC-proposal.png Notes 1) Adjust your WAN and Public IPs appropriately to your situation 2) The tunnel does not come automatically up. Try pinging from device in Lan1 to device in Lan 2 and ...

BrandonSk

Well, no response means (1) impossible to solve; (2) I've asked something dumb... Anyway, I think I solved it myself. In fact, the above setup is a correct one. I found out by accident, thanks to playing with packet mangling. I tried packet mangling, but that yielded no results. So I returned to pre...

BrandonSk

Hello everyone. I am more and less successfully coping with site-to-site ipsec tunnel where both routers have non-routable address on the WAN side, but have a public IP NATed to them. I have started with basic setup from Greg's website http://gregsowell.com/ , which (as expected) did not work rigth ...

Search found 47 matches