MikroTik

makp

Hi, I have RB 1100 set up with multiple DHCP servers and VLANs, 2 UniFi NanoHD different floors and a UniFi Mesh outside they are connected too RB1100 via UniFi Though Switch (POE). For the WiFi I hat 2 SSID (2,4G and 5) one for the house (VLAN 125) and one for guest (VLAN 150), when setting up IOT ...

makp

Mikrotik RouterOS [hr] CVE-2016-85005 A long standing problem in the Mikrotik RouterOS is the default username and password. All versions including the 6.34 release have default user of “admin” with no password. While some folks change this, many devices are compromised within the first few hours o...

makp

http://forum.mikrotik.com/viewtopic.php?f=13&t=108774 the last post

makp

/ip firewall nat add action=dst-nat chain=dstnat disabled=no dst-port=12000 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.10 to-ports=12000 add action=dst-nat chain=dstnat disabled=no dst-port=8888 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.10 to-ports=8888 With traf...

makp

I think your firewall rules where the real culprits dropping traffic and when that was fixed the Hairpin was needed. Remember: add chain=input connection-state=established,related ... New rules goes in here. .. add action=drop chain=input And your are not the only one getting gray hair when reading ...

makp

I dont realy know about the bridge thing. But of course if port is a slave its the master you use. add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.103 protocol=tcp dst-port=8082 out-interface=ETHERPORTWITHWEBSERVER action=masquerade the out-interface is the port you have the webser...

makp

I have no mobile to check with. Can you look above a few posts for my response to sob re: hairpin? I tried it and it didn't help but I wasn't 100% clear on what interface to specify.

Give me a moment.

makp

I haven't seen any PM funktion

But if you client is on the same subnet you need the hairpin.

Have you tried with your mobile phone, that was my approach until I got the correct filters.

makp

Your webserver is that on same subnet as the client your using, if so you have to check:

http://wiki.mikrotik.com/wiki/Hairpin_NAT

I have my webserver on a different subnet, and I have enabled the DNS in my RB just for the webserver, to keep traffic LAN traffic inside.

makp

Sorry I edited my posting when you posted. OK maybe its because you are missing the "action=accept" If you dont have any use of the forward rules you made disable them. Only have these 2 rules enable: chain=input action=accept connection-state=established,related log=no log-prefix="&q...

makp

Maybe have a look at your Firewall filter. As a newbie I am I would start to log firewall rules, and then see if it is the firewall filter. We have a similar setup I have my webserver on 80, my firewall is - thanks to ZeroByte: 0 chain=input action=accept connection-state=established,related log=no ...

makp

The solution shown above is the correct one: allow established/related, allow certain internal IP's, drop everything else. Unfortunately the default MikroTik setting is to drop only what comes in on the ether1-gateway interface which is presumed to be the internet interface. However when you add an...

makp

This part is scared to me, cause my company that I work with, They will buy Mikrotik device and I'll have to look after it. lol Thanks for info and solution makp. Just remember to set password og change/add user BEFORE connecting to internet, its not RouterOS that is the culprit, the culprit is err...

makp

I got the same in my log after setup, I could see from the IPs they where "local" and originated from my ISP, but I stopped services I didn't need and made "stupid" firewall filters that solved the login attempts, I did as you describe find solution for a specific issue hence mak...

makp

I started with configuring my broadband as bridge, leaving all the nice config to RB.

Then I went here

http://wiki.mikrotik.com/wiki/MikroTik_RouterOS
http://wiki.mikrotik.com/wiki/Manual:TOC

And google for specific questions like https://www.youtube.com/watch?v=wBVqzYYnAJ8

And know I am here

makp

Not a fan of Ubnt at all. But at this point... capsmanager is pretty far behind UniFi in the tools department.

Says alot as UniFi doesn't give you so much - AP wise.

makp

As pe1chl writes VLAN. I have 2 Ubiquiti APs on same ether with two SSID (home and guest) they are configured with VLAN, in the AP I have assigned the VLAN and they get appropriate IPs from DHCP servers I have configured - I have also set max and up and download speed on the APs so guest is limited ...

makp

With INPUT everything works [najs]: 0 chain=input action=accept connection-state=established,related log=no log-prefix="" 1 ;;; Adgang til Router fra Interne IP chain=input action=accept src-address-list=Interne_IP log=no log-prefix="" 2 ;;; Disable ICMP chain=input action=drop p...

makp

You should add a new rule and move it to the very beginning of the input chain: connection-state=established,related action=accept Then add a new rule to the end of the input chain: action=drop (no rules - just drop) Disabled my own copy paste rules. Added the two rules top and bottom, no name reso...

makp

Level 4 is necessary to whatever wireless device you want it to act as Ap with more than one client. It has no special relationship with the capsman other than you can control only those wlans that are on the devices with at least level 4 license to be able to work as access points. OK and thank yo...

makp

If you're using the default dhcp client, then there's a default-drop-all rule for interface ether1-gateway, which works and protects the DNS proxy from being hijacked, but unfortunately, there are many users who need to use pppoe, and the common thing is for them to go into the pppoe configuration ...

makp

These rules definitely work. Probably your WAN interface doesn't have a default drop rule for it, because you shouldn't need to exclusively drop DNS traffic. I.e. - what _else_ is reaching your router from the WAN side? ssh? webfig? If your WAN interface is pppoe1-out (for example) then make sure t...

makp

And you don't need to specify 'new' because you usually have a very early rule in the chain which allows established,related. This means that only invalid and new connection states are left by the time the router is checking any rules in the chain after that rule. You don't want either of these typ...

makp

The only benefit I can imagine is the capsman. Otherwise I would not invest into such huge change unless I would plan some huge development or expect some other advantage that is measurable in money. If you have money for it and just want to play there is nothing against... Does capsman work with a...

makp

Would there be any benefits in adding MikroTik ACs to my network ? At the moment I have 2 x RB1100AHx2 -> 2 x Ubiquiti ThoughSwitch -> 2 x Ubiquiti AC PRO (I also has some older HP and Cisco POE switch and MSM AC but that is collecting dust) Unifi controller cant control ThoughSwitch which I am usin...

makp

Give some print from your configuration.

And what are you pinging internal address' external submarines

makp

I'm having a similar problem with this. I can ping things...sometimes. It'll go through 5 times then request timeout the next 5. I can get on the internet but it's obviously pretty slow. Any ideas? I dont think we have similar issue, I could not ping another subnet at anytime. But I guess you shoul...

makp

Heh - facepalm moment. ;) I never set the mask explicitly because it seems to me that it learns properly from the network prefix itself (unless I'm going mad and remembering things all wrong). Good job catching it - stupid netmask being wrong on the clients. . . I think the mistake was I started up...

makp

post a diagram of your network. (if possible, do it at the VLAN layer because I suspect that you've got layer-2 issues) Really frustrated I read all the post I already had read in here, I saw a post where a guy ha same issue with no ping, but his error was in the ip adresses where he did funny stuf...

makp

If you don't have policy routing, then the most likely culprit is your forward chain in IP firewall. I have tried disabling all rules no changes. I have now moved from hyper-V to a Atom based, but still cant ping 192.168.0.0 net. I have putted in an extra NIC a dual port GIG, the onboard NIC 192.16...

makp

Are you doing any policy routing, such as load balancing multiple ISPs? If so, then add all of your local ranges to IP route rules with action set to lookup-in-specified-table table=main It could be other things, but this is common among load-balance users... Also, you only need the hairpin srcnat/...

makp

Just for fun and testing I setup a CentOS webserver (192.168.0.2) behind RB1100AHx2 on a HyperV, but I cant connect to it from LAN but WAN no problem. First I tried with Hairpin NAT but that didn't solve it, so I got the idea to ping the server but I get a Destination host unreachable. Router can pi...

makp

I think I got it. The issue with lost connection, I guess it was my old Netgear GS110TP i used for POE to my Unifi AP-AC Pro - before changing to RB1100 i used the POE injectors from Ubiqiti. Ubiquti writes AP-AC Pro uses max 9W but i guess its more than that, GS110TP delivers max 16,7W per port i d...

makp

Hi all, Have a strange issue with my Routerboard (6.35), it randomly drops connection LAN/WAN and as you can see from log I am logged in and it takes some time to logon again, internet connection also down - just from last hour and "logged out" is when the connection drops: 11:07:19 system...

Search found 34 matches

DHCP on VLAN issues

Re: Winbox says Wrong User Name or Password (RB750GL)

Re: Feature Request: Netinstall via MikroTik

Re: Port forwarding does not work!

Re: [yet another] simple port forwarding doesn't work?

Re: [yet another] simple port forwarding doesn't work?

Re: [yet another] simple port forwarding doesn't work?

Re: [yet another] simple port forwarding doesn't work?

Re: [yet another] simple port forwarding doesn't work?

Re: [yet another] simple port forwarding doesn't work?

Re: [yet another] simple port forwarding doesn't work?

Re: Someone to login my Mikrotik

Re: Someone to login my Mikrotik

Re: Someone to login my Mikrotik

Re: setting mikrotik

Re: Mikrotik AC vs Ubiquiti - RB 1100AHx2

Re: How to isolate two networks from same ether

Re: High traffic

Re: High traffic

Re: Mikrotik AC vs Ubiquiti - RB 1100AHx2

Re: High traffic

Re: High traffic

Re: High traffic

Re:

Mikrotik AC vs Ubiquiti - RB 1100AHx2

Re: help with a little project

Re: SOLVED! Subnets different ports cannot connect/ping

Re: Subnets different ports cannot connect/ping

Re: Subnets different ports cannot connect/ping

Re: Subnets different ports cannot connect/ping

Re: Subnets different ports cannot connect/ping

SOLVED! Subnets different ports cannot connect/ping

Re: Loses all connections RB1100AHx2

Loses all connections RB1100AHx2