MikroTik

panisk0

this is correct in ROS
enabled services listen on all L3 interfaces
to limit this use firewall

panisk0

The QoS rule works like this: first, you create a main queue where you define the link parameters, and then in subqueues, you can shape the traffic. In the subqueues, there must always be one that handles the remaining traffic , which usually has the lowest priority and the worst parameters. Without...

panisk0

https://en.wikipedia.org/wiki/TZSP

full encapsulated

for zeek it may be necessary to use
https://github.com/thefloweringash/tzsp2pcap

panisk0

remove relay from dhcp-server config /ip address add address=192.168.22.1/24 interface=bridge1 network=192.168.22.0 add address=10.0.10.1/24 interface="vlan guest" network=10.0.10.0 add address=10.0.11.1/24 interface="vlan iot" network=10.0.11.0 add address=10.0.12.1/24 interface...

panisk0

What is happening is correct, which is why I wrote that macvlan is unnecessary. For this configuration, policy routing would be required. It will be simpler to give up on macvlan, use DHCP to get one address, and set the second manually.

panisk0

@anav
viewtopic.php?t=185419

panisk0

routing policy code /ip a add address=115.146.0.2/30 comment="WAN_isp1" interface=e1_WAN_isp1 /ip a add address=124.106.0.2/30 comment="WAN_isp2" interface=e2_WAN_isp2 /ro ta add disabled=no fib name=to_WAN_isp1 /ro ta add disabled=no fib name=to_WAN_isp2 /ip ro add dst-address=0...

panisk0

MACVLAN is unnecessary set pref-src to use 10.3.33.11 by default /ip ro add dst-address=0.0.0.0/0 gateway=10.3.33.1 pref-src=10.3.33.11 add network nat rules to proper ip /ip fi na add action=src-nat chain=srcnat src-address=192.168.1.0/25 to-addresses=10.3.33.11 /ip fi na add action=src-nat chain=s...

panisk0

You could use mange rule:

/interface/bridge/settings/set use-ip-firewall=yes
/ip/firewall/mangle add action=sniff-tzsp chain=forward in-interface=bridge sniff-target=10.10.10.10 sniff-target-port=37006

panisk0

 /ip dhcp-server set dhcp1_LAN interface=bridge1_LAN

panisk0

try using dude

panisk0

try another method
https://help.mikrotik.com/docs/spaces/R ... singWinBox

panisk0

The QoS rule works like this: first, you create a main queue where you define the link parameters, and then in subqueues, you can shape the traffic. In the subqueues, there must always be one that handles the remaining traffic, which usually has the lowest priority and the worst parameters. why QUEU...

panisk0

general
https://help.mikrotik.com/docs/spaces/R ... cy+Routing

similar case
viewtopic.php?p=1122340

panisk0

if you want to use 0.0.0.0/0 policy, add on top exclusions for local networks

/ip ipsec policy add action=none src-address=11.11.11.0/24 dst-address=22.22.22.0/24 
/ip ipsec policy add action=none src-address=11.11.11.0/24 dst-address=192.168.1.0/24

etc...

panisk0

change this port and check the rule counters, if it counts there may be a problem somewhere else /ip firewall nat add action=dst-nat chain=dstnat comment="DST-NAT2WWW" \ dst-address=192.168.x.5 dst-port=8000 in-interface=WAN protocol=tcp \ src-address=1.1.1.1 to-addresses=10.x.x.10 to-port...

panisk0

ad 1. contrack
ad 2. no but you can use routing policies to direct traffic to the main table --> /routing/rule
https://help.mikrotik.com/docs/spaces/R ... cy+Routing

panisk0

I bet the problem lies with the routing...
...for s2s links use ipip / ipsec
...wireguard uses an algorithm without hardware support

panisk0

this is because in the 4g table you do not have the 192.168.1.0/24 network

/ip ro add dst-address=192.168.1.0/24 gateway=bridge routing-table=4g

panisk0

Currently, networks are more likely to be segmented than consolidated.

panisk0

routing = IP - no addresses on map & config
crs = switch - why routing there?
pfsense = default gw?

try to draw it again in: https://app.diagrams.net/

panisk0

chenge: 0/24 to 1/24 /ip address add address=10.0.10.0/24 interface=vlan10 network=10.0.10.0 add address=10.0.20.0/24 interface=vlan20 network=10.0.20.0 add address=10.0.30.0/24 interface=vlan30 network=10.0.30.0 add address=10.0.40.0/24 interface=vlan40 network=10.0.40.0 /ip dhcp-server network add...

panisk0

yep you have to make changes manually on both routers

#add a reminder on both
/system/note> set note="caution vrrp enabled \r\n gw1 - 10.10.133.1 \r\n gw2 - 10.10.133.2"

panisk0

Looks like we got a 'man of the pen' here ;P

panisk0

must support TCP Client Mode

panisk0

probably all nport

panisk0

2x mikrotik can't be rs232 bridge via ethernet or vpn
you can use moxa & mikrotik via rfc2217 or raw

pc rs232 --> moxa --- ethernet rfc2217 --- mikrotik <-- rs232 inverter

panisk0

https://help.mikrotik.com/docs/spaces/R ... al+Console

panisk0

and this too:

chain=output action=drop packet-mark=philips_packet log=no log-prefix=""

change

chain=forward action=drop packet-mark=philips_packet log=no log-prefix=""

panisk0

Make test rule:

/ip firewall mangle add action=add-dst-to-address-list address-list=al_WEB_philips chain=prerouting layer7-protocol=philips

& look to /ip/firewall/address-list
It might explain this to you.

panisk0

You mixed everything up, you classify the traffic by DNS string, so it always marks your connections to the DNS server. It's easier to do this through the local DNS cache. /ip dns set allow-remote-requests=yes /ip dns static add address=127.0.0.1 name=philips.com type=A /ip firewall nat add action=r...

panisk0

add 100.100.0.0/16 in routing table as blachole & redistribute via bgp static

/ip route add blackhole dst-address=100.100.0.0/16
/routing/bgp/connection/set output.redistribute=static

panisk0

@ kubiko look here: https://forum.mikrotik.com/viewtopic.php?p=1122351 table main /routing table add fib name=to_WAN_main /ip route add dst-address=0.0.0.0/0 gateway="20.30.40.49" routing-table=to_WAN_main /routing rule add routing-mark=to_WAN_main table=to_WAN_main add src-address=20.30.4...

panisk0

https://help.mikrotik.com/docs/spaces/R ... cy+Routing

panisk0

in my opinion:
-any s2s link via wireguard need create new interface
-roadwarrior clients can use one interface

panisk0

Which router os version are you using? There have been many changes in DNS lately. On my 7.16.2 it works fine. What's new in 7.17.2 (2025-Feb-06 11:10): *) dns - do not show warning messages for DNS static entries when they are not needed; What's new in 7.17.1 (2025-Jan-30 12:29): *) resolver - fixe...

panisk0

Your router is properly configured, I bet on research error.
Use nslookup on dhcp client to check dns reply ...

nslookup
>server 10.0.0.1
viacore.local

panisk0

on internet router add

/ip route add dst-address=192.168.20.0/24 gateway=192.168.88.238

panisk0

/system logging add topics=ipsec

add on to firewall

 
/ip fi fi add action=accept chain=input dst-address=177.94.253.250 protocol=ipsec-esp src-address=201.55.165.210
/ip fi fi add action=accept chain=input dst-address=177.94.253.250 dst-port=500 protocol=udp src-address=201.55.165.210

panisk0

/routing table add fib name=to_WAN_lte
/routing rule add action=lookup src-address=10.10.10.10/32 table=to_WAN_lte
/ip route add dst-address=0.0.0.0/0 gateway=lte1 routing-table=to_WAN_lte

panisk0

https://wiki.mikrotik.com/Manual:IP/Settings <-- only applies to the asymmetry of your device

/ip/settings set rp-filter=strict

the entire internet is asymmetric
you can use TTL to test this but only if you administer on both sides

panisk0

/ip addr add address=10.10.10.10 interface=lte1
/ip proxy src-address=10.10.10.10
/ip firewall nat add action=masquerade chain=srcnat src-address=10.10.10.10

panisk0

Looking at your setup, it looks like you should probably do some training... Router: create bridge interface LAN add local interfaces to bridge assign LAN ip address to bridge dhcp-server assign to bridge 1x nat is enough ??? /ip arp add address=xxxxx interface=sfp-sfpplus1 mac-address=xxxxx - what ...

panisk0

I have the same symptom as you write when I use winbox from behind fortigate with SSL deep inspection enabled

panisk0

it will be easier to use profiles in ppp for this

viewtopic.php?t=183108

panisk0

https://help.mikrotik.com/docs/spaces/R ... classifier

panisk0

https://mikrotik.com/certificateSearch
or login on account:
https://mikrotik.com/client/

panisk0

to handle dynamic ip use

/ip cloud set ddns-enabled=yes

& add a CNAME record for your domain

panisk0

someone in transit is making limits for udp like: /ip firewall raw add action=accept chain=prerouting dst-limit=10000,1000,src-address/1m protocol=udp /ip firewall raw add action=drop chain=prerouting protocol=udp try using other ports start with 53 ;P /interface/wireguard/set listen-port=53 to simu...

panisk0

0/0 icmp is accepted:

Chain ufw-before-input (1 references)
[b]571K 34M[/b] ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8

do ping on mikrotik from: 10.205.0.1 to: 10.202.10.13

on zabbix

tcpdump icmp and host 10.205.0.1

panisk0

log on zabbix...

first

root@vmzabbix:/home/administrator# ip ro

root@vmzabbix:/home/administrator# ufw status numbered

&next

root@vmzabbix:/home/administrator# tcpdump icmp

...and bring it to me

panisk0

if the ISP uses VRRP, it can also issue a roaming IP from the WAN side, then you will connect Wireguard to this IP

panisk0

/ip fi co tr pr

panisk0

on switch: /ip/settings/set ip-forward=no /ip/firewall/connection/tracking/set enabled=no generally: /ip service set telnet disabled=yes set ftp disabled=yes set www disabled=yes set ssh port=20022 set api disabled=yes set winbox port=28291 set api-ssl disabled=yes /tool mac-server set allowed-inter...

panisk0

look at: rx/tx p/s in interface menu

/ip fi fi pr co

panisk0

@mdd you are right IPIP will be a good solution for you.
Typically this is configured with IPSEC on a /30 link with a BGP neighborhood...

panisk0

remove: /ip address add address=192.168.1.2 comment="ether2" interface=ether2-pc1 network=192.168.1.0 add address=192.168.1.3 comment="server ether3" interface=ether3-SERVER network=192.168.1.0 add address=192.168.1.4 comment="POS ether4" interface=ether4-pc2 network=19...

panisk0

I also add routing mark for firewall mangle (not required in 7.x) /routing rule add routing-mark=to_WAN_pppoe2 table=to_WAN_pppoe2 and adds a WAN connection address to handle outgoing connections via the backup (example, isp gw: 2.2.2.1 mikrotik ip: 2.2.2.2) /routing rule add src-address=2.2.2.0/30 ...

panisk0

then what's this for? since * = main in the to_WAN_pppoe2 table you change the src-address /routing rule add action=lookup-only-in-table dst-address="LAN_subnet" table=main @TheCat12 - do you think this is enough? /routing table add fib name=to_WAN_pppoe2 /ip route add dst-address=0.0.0.0/...

panisk0

why are you logging this? This is normal traffic on the Internet /ip firewall filter add action=drop chain=input comment="Block Admin from WAN" dst-port=\ 21,22,23,80,443,8291,8728,8729 in-interface-list=WAN log-prefix=\ Block-Admin protocol=tcp add a jump for WAN to the top of the firewal...

panisk0

How should it be to handle the default gateway in the to_WAN_pppoe2 table?

/ip route
add dst-address=0.0.0.0/0 gateway="backup_PPPoE_interface"

/ip route
add dst-address=0.0.0.0/0 gateway="backup_PPPoE_interface" routing-table=to_WAN_pppoe2

panisk0

@TheCat12 <- you created a to_WAN_pppoe2 table that doesn't have a default gateway
He wrote that failover was working properly, I believe that the main table is ok.

/ip route
add dst-address=0.0.0.0/0 gateway="backup_PPPoE_interface" routing-table=to_WAN_pppoe2

panisk0

/ip/arp/print
/interface/bridge/host/print

panisk0

you need to build an additional routing table to support both routes at the same time https://help.mikrotik.com/docs/spaces/ROS/pages/59965508/Policy+Routing full version for both links: /routing table add disabled=no fib name=to_WAN_pppoe1 add disabled=no fib name=to_WAN_pppoe2 /ip route add dst-ad...

panisk0

base que on IP make at least 3 que 1 main, 2 parrent local, 1 sub local_all before local_all add services as you wish do the same with internet access example in attachment & code below /queue simple add max-limit=1G/1G name=q100_Main queue=default/default target=10.0.0.0/8 add dst=10.0.0.0/8 ma...

panisk0

what transmission medium are you connecting to the ISP:
CU?
FX?
GPON?
DAC?

maybe it will help:
https://help.mikrotik.com/docs/spaces/R ... ansceivers

panisk0

remove port ether49 from bridge

panisk0

If something doesn't work after disabling NAT, it's a routing problem.
You should know the IP address of the portal and check what traffic the VPN carries. To recognize this Use /tool/torch on the vpn interface when it is running...

panisk0

policy routing if you want to use both routes at the same time
https://help.mikrotik.com/docs/spaces/R ... cy+Routing

or more simply set priority:
ip ro add dst-address 45.66.88.1 gateway 192.168.1.1 distance=1
ip ro add dst-address 45.66.88.1 gateway 192.168.2.1 distance=2

panisk0

You are probably using a very old version of RouterOS, in new versions all logins are displayed as winbox. At the firewall level it is not possible to distinguish between winbox/dude applications. There are scripts that periodically monitor the local event log and add entries to: /ip/firewall/addres...

panisk0

use the address from the network you have added to /ip/ipsec/policy
probably: 10.205.0.1

log on zabbix & show me: iptables -L -n -v

next check: tcpdump icmp

I think zabbix is not responding or has the wrong route set...

panisk0

/tool/torch

/tool/sniffer/set file-name=somefile.pecap
&
https://www.wireshark.org/

panisk0

/ip fi ma add action=log chain=input dst-address=192.168.1.1 dst-port=8291 log-prefix=Winbox_x1 protocol=tcp
/ip fi ma add action=log chain=input dst-address=192.168.1.2 dst-port=8291 log-prefix=Winbox_x2 protocol=tcp

panisk0

viewtopic.php?t=214095

set on route correct pref-src=

panisk0

probably a NAT problem on office1 /ip ro add dst-address=192.168.10.0/24 gateway=172.10.20.1 pref-src=192.168.20.1 /ip fi na add action=accept chain=srcnat dst-address=192.168.10.0/24 on office2 /ip ro add dst-address=192.168.10.0/24 gateway=172.10.30.1 pref-src=192.168.30.1 /ip fi na add action=acc...

panisk0

use
/tool/netwatch set up-script=.... down-script=.....
&
/ping interface=ether......

panisk0

try
/interface/ethernet set sfp-rate-select=low sfp-sfpplus1

panisk0

https://wiki.mikrotik.com/Manual:Switch ... _isolation

panisk0

you probably want to do: https://help.mikrotik.com/docs/spaces/R ... cy+Routing /routing table add disabled=no fib name=to_WAN_main add disabled=no fib name=to_WAN_sec /ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-table=to_WAN_main add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-tabl...

panisk0

I think you are writing about this enables source validation / prevents asymmetric routing https://wiki.mikrotik.com/Manual:IP/Settings /ip settings rp-filter=strict what you probably want to do: https://help.mikrotik.com/docs/spaces/ROS/pages/59965508/Policy+Routing /routing table add disabled=no f...

panisk0

L2 tunnels:
https://help.mikrotik.com/docs/spaces/R ... 7937/VXLAN
https://help.mikrotik.com/docs/spaces/R ... 05521/EoIP

panisk0

Try using TheDude...

panisk0

leave
action=drop chain=input comment="Drop Wireguard traffic from local Wi-Fi" dst-port=51820 protocol=udp src-address=192.168.1.0/24

in the wireguard client configuration change
[Peer]
AllowedIPs = 0.0.0.0/0

to example:

[Peer]
AllowedIPs = 192.168.0.0/16

panisk0

you don't need an additional bridge https://wiki.mikrotik.com/Manual:MPLSVPLS#Split_horizon_bridging or add filter rule on bridge /interface bridge filter add action=drop chain=forward in-interface=ether2 out-interface=ether3 or enable IP firewall usage on bridge /interface bridge settings set use-i...

panisk0

https://help.mikrotik.com/docs/spaces/R ... cy+Routing

panisk0

https://en.wikipedia.org/wiki/LoRa
https://mikrotik.com/products/group/iot-products
https://www.aliexpress.com/w/wholesale- ... -bell.html

panisk0

/ip/hotspot
/ip/hotspot/user/set limit-...

...and probably at the end
https://help.mikrotik.com/docs/spaces/R ... imitations

panisk0

this device does not have a switch chip you can use multiple bridges if you do not use STP. This configuration will be closer to what you're using. example: /interface ethernet set [ find default-name=sfp-sfpplus1 ] name=sp1_WAN_myisp set [ find default-name=sfp-sfpplus7 ] name=sp7_UPLNK_sw1 set [ f...

panisk0

You have a hotspot limit of one session per user. Blocking the 169.254.0.0/16 in raw will solve this problem... ...repair dhcp, it will be easier. --- 08:31:51 hotspot,account,info,debug d5oy3ace (169.254.14.91): logged in 08:33:53 hotspot,info,debug d5oy3ace (192.168.17.132): login failed: simultan...

panisk0

Set global variable

:global latest-version "7.16.2"

/system/script/environment print

look at:
https://help.mikrotik.com/docs/spaces/R ... /Scripting

panisk0

https://en.wikipedia.org/wiki/Link-local_address

probably the pool in dhcp has run out and windows connects with link-local addresses

panisk0

I guess, probably because of the VLAN filtering enabled on the bridge, you need to add:

/interface bridge vlan
add bridge=Main tagged=sfp-sfpplus1 vlan-ids=2

For testing, you can disable VLAN filtering.

panisk0

ping 172.16.0.1 src-address=172.17.0.1 reply? if you want to use 2x bridge on your router you should: add /interface/vlan and interface /interface/vxlan and then add them to a separate bridge... like this: /interface vlan add interface=ether2 name=v6e2_LNK_vxv vlan-id=6 /interface vxlan add local-ad...

panisk0

Switch is ok

On router change:
/interface vlan
add interface=sfp-sfpplus1 name=vlan2 vlan-id=2
and remove all vlan2 config from bridge

future: The router configuration should be changed to have one bridge

Mikrotik sometimes has trouble applying VLAN changes, I recommend restart...

panisk0

1. via dhcp-server you have to send the IP of your router in LAN /ip dhcp-server network set dns-server=192.168.88.1 domain=name.local 2. open port for DNS in firewall /ip/firewall/filter add action=accept protocol=udp port=53 3. allow remote requests /ip dns set allow-remote-requests=yes 4. add sta...

panisk0

/ipv6 firewall raw add action=drop chain=prerouting

panisk0

try another way On Up: :log warning "user: $"user" connected at: $[/system clock get date] $[/system clock get time] from: IP wan: $"caller-id" IP vpn: $"remote-address"" /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark c...

panisk0

this takes several steps, start with the correct configuration of the policy routing: /routing table add disabled=no fib name=to_WAN_main add disabled=no fib name=to_WAN_bkp /routing rule add action=lookup disabled=no src-address=1.1.1.0/30 table=to_WAN_main add action=lookup disabled=no routing-mar...

panisk0

does the HMI ask for time?

add rule
/ip fi ma add action=log chain=prerouting dst-port=123 protocol=udp
see logs when packages appear

panisk0

@canada
What is a floor for one person may be a ceiling for another ;P

panisk0

@martimk - if you know better, why do you ask?

on the computer do arp -a
you will see an entry for 192.168.10.1
but not for: 192.168.10.2

you can divide the /24 network into 2x /25 then it will work L3

panisk0

You need to base your routing on IP addresses.
Draw a diagram and I'll try to help...

panisk0

to answer your question:
Why does the computer connected to port vlan10-eth1 not see the computer in vlan10-eth2 and ping to address 192.168.10.2 does not work ?

ARP <-- without layer 2 there is no layer 3 / simple logic

panisk0

Ask your operator to send you only its own prefixes.

panisk0

everything is wrong, start from:
https://help.mikrotik.com/docs/spaces/R ... +switching

panisk0

it's easier to disable initialization on the firewall

/ip fi fi
add action=drop chain=input connection-state=new dst-port=500,4500 protocol=udp
add action=drop chain=input connection-state=new protocol=ipsec-esp

panisk0

for real network separation as you described you should use VRF
https://help.mikrotik.com/docs/spaces/R ... ding+-+VRF

panisk0

remove entry from NAT
show routing tables

add entry to routing policies, like:

/routing table add fib name=to_WAN_wg
/routing rule add action=lookup-only-in-table src-address=192.168.0.0/24 table=to_WAN_wg
/ip route add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-table=to_WAN_wg

panisk0

remove destination address from redirect rule dst-address=192.168.1.105 destination address is the WAN address obtained from dhcp-client /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.1.105 dst-port=12349 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.105 to-ports=12...

panisk0

no script needed, dude has it by default

panisk0

For draft 2 rstp/mstp is the best solution.
I'm afraid the implementation problem is due to UBI, in a similar environment ubi with cisco I wasn't able to run it correctly.
too many blinking iscons in this ubiquity

panisk0

/interface vxlan

panisk0

LAN configuration is incorrect, if you want to use the /24 mask you have to make a bridge and assign it an IP /interface ethernet set [ find default-name=ether2 ] set [ find default-name=ether3 ] /interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 interface=ether2 add bridge...

panisk0

/interface/ipip

panisk0

imagine that each VRF instance is a separate physical router, would you then add routes?

panisk0

add to top in firewall /ip firewall filter add action=jump chain=forward comment="Forward DNS_test" dst-port=53 jump-target=Forward_DNS_test protocol=udp add action=return chain=Forward_DNS_test out-interface=e1_WAN # <-- your correct interface add action=return chain=Forward_DNS_test log=...

panisk0

you have a bug in mangle that's why it works after disconnecting WAN2 add to these rules dst-address=!10.0.0.0/16 /ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark \ connection-state=new dst-address-type=!local in-interface="Local Network" \ new-connec...

panisk0

If for example in vlan3 your ip is 2.1.71.230 and your client has 2.1.71.229 and you do not have the correct entry in ARP on your router then you have a problem with L2. Check the the vlan configuration on the switches. + you also need to summarize the network to at least /24 to be able to publish i...

panisk0

you didn't write what hardware you are using?

what type queue is cake? (this section is missing in the configuration)

creating so many queues you should have a parent for them

panisk0

you probably don't have the correct networks added on the client side

/interface wireguard peers
add allowed-address=.........

or a convergent community in snmp
/snmp community
add addresses=....

panisk0

/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add

read logs
after error check resource utilization

panisk0

on #1 #remove ether1-ether4 from bridge create bonding if /interface bonding add mode=802.3ad name=bond1_LNK_sw2 slaves=ether1,ether2 /interface bonding add mode=802.3ad name=bond2_LNK_linux slaves=ether3,ether4 add bond if to bridge /interface bridge port add bridge=bridge1_LAN interface=bond1_LNK_...

panisk0

ensures 1<-->2 site connection via ipsec witch azure networks policies, and then use NAT on router site2 like: EXAMPLE-1 /ip route add dst-address=10.10.10.0/24 (network azure) gateway=1.1.1.1 (ISP GW) pref-src=192.168.1.1 (LAN mikrotik ip/site2) routing-table=main /ip firewall nat add action=masque...

panisk0

on site 1 router you nead add ipsec policy witch dst net of azure and the reverse to site 2
nat it is not necessary if you set correct routing in azure

panisk0

RB5009UG+S+ v7.4

v6 code
:put [/system health get temperature]

v7 code
:put ([/system health get 0]->"value")

panisk0

/ip route
add distance=1 dst-address=123.123.123.123/32 gateway=10.199.199.1 routing-mark=to_SMTP
/ip route rule
add action=lookup-only-in-table dst-address=123.123.123.123/32 table=to_SMTP

panisk0

make 2 if conditions

:local condition
:global informed

:if (($informed="YES") && ($condition>$example)) do={
:set informed YES
} else {
:set informed NO
}

panisk0

Hi all
is there anyone who has CRS317-1G-16S + RM and can check if these switches support the MAC address limit per ports like series CRS1xx/2xx

/interface ethernet switch port
set ether6 learn-limit=1
set ether7 learn-limit=1

or how to do it differently but not statically

panisk0

/ip proxy access add redirect-to="abc.com" dst-host="123.com" action=allow

/p

panisk0

I had the same, mikrotik support considered this to be a L2 loop but I only have p2p links with ospf. the problem was solved by one rule in the firewall ;-) add action=jump chain=input comment="Input Links MO" in-interface-list=LNK_mo jump-target=Input_LNK_mo add action=accept chain=Input_...

panisk0

I use ospf on dynamic links in wide area networks only to provide a loopback address for the bgp protocol. I would be pleased if there was a simple method to prevent this.

/p

panisk0

I'm using sstp to connect two networks. I noticed that if some time the operator link flaps, the sstp client does not want to connect even if the link starts working correctly. The solution is to remove the sstp client and add a new one with identical parameters or restart the client's router. Appea...

panisk0

explore it: /tool netwatch

/p

panisk0

/system routerboard usb power-reset duration=5

/p

panisk0

Many gsm operators have a problem with nat for the gre protocol. I use sstp on lte links.

panisk0

MT_cap_cl.png

end of the topic

panisk0

I will ask differently, how to reparse the text:
172.16.14.14/28
to receive:
172.16.14.0/28

/p

panisk0

Use ospf with bfd support.

https://wiki.mikrotik.com/wiki/Manual:OSPF-examples

/p

panisk0

I have no problem in L2 only in L3. I need to create an ACL in a firewall. It can be based on a list of interfaces. I will wait for a new firmware ...

/p

panisk0

This is a normal situation, read about Policy Base Routing

https://wiki.mikrotik.com/wiki/Policy_Base_Routing

/p

panisk0

I have two different authentication methods on two ssid networks. I do not know the mac addresses of these clients. As part of the same bridge, one dhcp server works. I need for customers in ssid: ABC use a different ACL than in ssid: DEF, that's all.

panisk0

I need to add to the /ip firewall address-list the network address that has been recved from dhcp client.

:global ipaddress [/ip dhcp-client get [/ip dhcp-client find where interface=e1_WAN] address]
result: 172.16.14.14/28
i need: 172.16.14.0/28

any ideas?

panisk0

What's new in 6.42rc39 (2018-Mar-07 07:01):

*) capsman - added support for "interface-list" in Access List and Datapath entries;

/p

panisk0

Is it possible on MT to use, for example, filters to prevent asymmetric routing? Without manual control of the cost parameter.

/p

panisk0

for many reasons, it has configurations as below |ssid: ABC---autch EAP -- user group_1 ---dhcp_server---brifge_1---| |ssid: CDE----autch PSK --user group_2 Both WLAN networks operate within one bridge with the same IP addresses I would like to be able to distinguish who connected to which SSID. May...

panisk0

On multiple-access routers I have a common problem with SSTP tunnels where I can not specify the source address. The solution is the mangle array, but it complicates the configurations. Please add the local address option as in ipsec per.

/p

panisk0

foR consideratioN 1. netwatch checks the availability of several hosts 2. the script examines netwatch results and changes routing 3. rest is a patch for routing /system scheduler add interval=11s name=Failover-sns on-event="/system script run Failover-sns" policy=read,write,policy,test,ro...

panisk0

I use the dude as a syslog server. I want to save log files in subdirectories for easier viewing.

panisk0

please add option in provisioning section bind on interface. currently caps connected to all interfaces or vlans can assign configuration via l2

Search found 149 matches