MikroTik

Eduardo

Hi, I want to put a small MikroTik device inbetween a home ISP router and one specific PC. So port 1 goes to the existing router, and port 2 goes to the PC. The point is to block certain traffic. I want to for instance only allow TCP port 80 and 443 (+DHCP and DNS of course) from that PC. Can someon...

Eduardo

Yes I did. But shouldn't the code from the original post still work?

Eduardo

Downgrading to current firmware 6.40.3 fixed this issue.

Eduardo

Hi, My CRS125 setup is very simple: /interface bridge add name=bridge-guest add name=bridge-main add name=bridge-uplink /interface ethernet set [ find default-name=ether1 ] name=01-UPLINK-modem set [ find default-name=ether2 ] name=02-pfSense set [ find default-name=ether3 ] name=03-UbiquitiAP set [...

Eduardo

Hi guys, I have a problem with my MikroTik CRS125 that I can't figure out... My pfsense router has only one network card, and is connected to port 2 of the MikroTik (vlan9=uplink,untagged=normal network,vlan200=guest nw). My PPPoE modem is on port 1 of the MikroTik (untagged) My Ubiquiti Access Poin...

Eduardo

On CRS125 VLANs still have to be configured in "/interface ethernet switch" menu to keep hw-offload working. If they are configured in "/interface bridge vlan", the hw-offload will turn off. Beginners question: I am not using VLANs on CRS125, but was using masterport. Can I stil...

Eduardo

Hi,

Who can explain a beginner the purpose of an IPsec policy template?

Secondly, IPsec/Peers: what does the "Generate Policy" option mean? (no, port override, port strict)

It's not clear to me, even after reading the documentation...

Thanks!

Eduardo

OK, thanks for the info!

So, if all traffic would be tagged (*), it would be possible? Does Hybrid means tag+untagged, or also tag1+tag2 ?

(*) say all currently untagged traffic would be VLAN100 (so port 2 = VLAN100+VLAN200, port 3=VLAN100 untagged, port 4=VLAN200 untagged)

Eduardo

I'm sorry, but this doesn't work...

Eduardo

Thanks,it worked, with this config: /interface bridge add name=bridge-guest add name=bridge-main /interface vlan add interface=ether2 mac-address=xx:xx:xx:xx:xx:xx name=vlan200-P2 vlan-id=200 /interface bridge port add bridge=bridge-main interface=ether2 add bridge=bridge-main interface=ether3 add b...

Eduardo

Who can help me with the following (simple) config: - RB941-2nD acting as a switch (no wireless, no routing) - port 2 is the input port: untagged traffic + tagged VLAN200 traffic - this traffic should be split up: untagged traffic to port 3, and VLAN200 traffic (but now untagged) to port 4 I tried a...

Eduardo

Thanks for all the suggestions, guys. I tried all these things, but I can't get it to work... :-( Is there any way to monitor the VLAN tags? Because I start to wonder if my Ubiquiti Unifi is really sending anything on VLAN25... (I just clicked in the guest wifi settings on vlan and entered 15). I tr...

Eduardo

Hi, For a typical home use with very few basic firewall rules: which is the cheapest Routerboard model that would suffice for a 100 Mbps/10 Mbps Internet connection? All the devices behind it will be on a separate switch (or in the integrated switch chip, if it has any) - so not to worry about that....

Eduardo

Anyone please?

Eduardo

It's a CRS125, which is listed under "switches" on their routerboard.com website. That is why I called it a switch. It's not clear to me when we should create a virtual VLAN interface, or when we can just use the switch VLAN settings. Can someone clearify this for me? For instance in examp...

Eduardo

Let's say you have a Mikrotik switch with several VLANs inside of it (VLAN100, 200 and 300). How can you put a DHCP server on a specific VLAN? There is no VLAN setting in the DHCP server. Same thing with a bridge... can you connect a bridge to a specific VLAN that is present in the switch? Probably ...

Eduardo

Hi, I have a CRS125. Port 1 is the masterport for all the other ports, so it's working at wire speed. Now I have one device that is using multiple VLANs, and I need to connect it to the CRS125 at port 8. However, only VLAN25 should connect to the switch, all the other VLANs on that network cable sho...

Eduardo

I am sorry, but I still need more guidance to get this working :-/ Ports 2-10 are the switch of the main bridge Ports 11-14 are the switch of the guest bridge Port 15 goes to my WAP. Untagged traffic from the WAP goes to the main bridge (working fine). But VLAN15 traffic from the WAP needs to go to ...

Eduardo

and set appropriate routes for the remote subnets. Unfortunately, I can't get this to work... Site A has subnet 10.10.100.0/24, router at 10.10.100.254 Site B has subnet 10.10.200.0/24, router at 10.10.200.254 There is a working IPsec VPN link between them Let's say I am on Site A, and I want to ro...

Eduardo

Audio works in both directions, thanks.

Eduardo

Just a follow-up for people with the same problem: I finally got this solved by lowering the lifetime to 1 hour. Don't ask me why though... I just tried this because the newly created SA's always had a 1 hour lifetime (from the Fritz!BOX) ...

Eduardo

It's really strange that there is no error generated when a script contains a syntax error...

Eduardo

I still have the same problem... Now I found out that when the IPsec connection is not working, there is an extra SA visible (*), even before the lifetime expires (but it could be that the Fritz!BOX is requesting this, we can't see its settings). Shouldn't the original SA be removed when there is a ...

Eduardo

Wow, indeed, after disabling this SIP entry, both devices have SACF in the IP/Firewall/Connections!

Thanks!

Eduardo

Fantastic, it's working now!

Thanks!

Eduardo

Thanks for your reply. I did also try url and path, but couldn't get it to work. And your URL needs a filename, you can't request the whole site. Now that is a problem, because there is no filename. The "whole site" is actually just 2 characters ("OK"). So there is no way to requ...

Eduardo

I have two SIP devices connecting via their own VPN connection to my CRS125. In IP/Firewall/Connection I can see them indeed connecting to my SIP server via UDP on port 5060. However, one of them shows "SACF" flags, while the other one only shows "C". I found that S = seen-reply,...

Eduardo

Unfortunately, even with your settings, the VPN connection keeps interrupting regularly. I created a scheduled script to check if I can still ping the Fritz!BOX on the remote site, and if not, kill all connections (yes, dirty way, I know - but at least then the connection (usually) restores itself)....

Eduardo

Nobody? :-/
I just need a command to open a website...

Thanks

Eduardo

Thanks a lot, great info. I will try this, and see if it is more stable. Just a few questions: - is there any reason why you set your proposal lifetime to 8 hours? I don't see any lifetime in the Fritz!BOX setup - you didn't put any pfs-group in the proposal; I thought the Fritz!BOX uses modp-1024 ?...

Eduardo

What are the recommended "IP/IP Settings" for normal "home router" usage?

I read http://wiki.mikrotik.com/wiki/Manual:IP/Settings but that seems outdated (some items are missing), and doesn't help me much, unfortunately...

Thanks!

Eduardo

Hi, I am using Cloudns.com for my dynamic DNS. Updating the dynamic DNS consists of a very simple (fixed) URL that needs to be openend. However, I can't get it to work from my CRS125... Even a simple /tool fetch address="https://www.google.com" mode=https keep-result=no gives invalid value...

Eduardo

Thanks, works great!

Eduardo

This is so that you'll be able to access the router from inside your own network. If you don't put such a rule, then a default-deny rule at the end of the input chain would also block management from the LAN interface as well. Thanks. So where in my firewall rules on http://forum.mikrotik.com/viewt...

Eduardo

Things you want to accept:
in-interface=LAN

What do you mean with this?

Thanks for helping.

Eduardo

You should put correct wan interface into rule 3.

Can you please explain why ether1 is not the correct one?

Eduardo

Hi, I've set up an IPsec VPN between my CRS125 at home, and a Fritzbox in another location. This works (after a lot of trying), but is not very stable. The connection always breaks, somewhere between 20 min to 2 hours later... The Fritzbox is more closed than Mikrotik, so I can't see all of the IPse...

Eduardo

Right! Rule 6 has the "connection state: established", and rule 7 the "connection state: related" condition.

Thanks, also for the rule 4 correction. So all the rest is safe like this?

Eduardo

Hi, When using Quick Set to setup the CRS125 as a "Home AP", I get these default firewall filter rules: firewall_default.JPG (I am using a PPPoE connection to my ISP via port1) Question 1: Why are rules 6 and 7 identical? Question 2: Are these fine? Or should I add more or different rules ...

Eduardo

The VLAN tagging and untagging has to be done by the CPU?
The switch chip can't do this?

Thanks!

Eduardo

Add a vlan 15 slave interface to it and use this as the guest network port. So easy. Thanks, I will try it tonight. And I don't need to worry about tagging? EDIT: should I add the slave interface to the masterport? Not to the port, going to the WAP? I only want this specific port to be able to acce...

Eduardo

Thanks for your reply. Thanks for your concern, but speed is not an issue, since my guest network has low traffic. But I could setup two masterports, yes. But can you help me with my question? I assume the router+switch that you are suggesting can also be done with the CRS, of course probably slower...

Eduardo

Hi, Currently I have two bridges on my CRS125: main and guest. Both have their own DHCP server, IP range, and a NAT to my Internet Provider. The main bridge goes to most of the ethernet ports (via a masterport), and for two ports I use the guest bridge (for some devices that are completely separate ...

Eduardo

When setting up a site-to-site VPN (via IPSec), it is apparently not necessary to open the firewall?
How can this be explained?

Thanks...

Eduardo

Hi, Can someone please give an explanation how I can achive the following? House A has an internet connection to provider X with Routerboard 1. House B has an internet connection to provider Y with Routerboard 2. I would like to have: Routerboard 1 port 2 = provider X Routerboard 1 port 3 = provider...

Search found 45 matches