Community discussions

Search found 17 matches

by nashaden
Thu Mar 21, 2024 10:18 pm
Forum: General
Topic: EOIP tunnel blocked by firewall?
Replies: 1
Views: 1082

EOIP tunnel blocked by firewall?

I have an EOIP tunnel set up between two MT routers on LAN: it's between two buildings that are connected with fiber cable that goes through a 3rd party switch. The tunnel itself is a basic one. On MT01: /ip address add address=10.10.10.1/24 interface=ether2 network=10.10.10.0 /interface eoip add loc...
by nashaden
Thu Feb 29, 2024 4:00 pm
Forum: General
Topic: Switching to new router and wanted to cleanup the firewall mess
Replies: 8
Views: 1002

Re: Switching to new router and wanted to cleanup the firewall mess

You didn't quite grasp the concept of drop all else............( all other rules save invalid traffic need only be accept ). You forgot to use drop all in forward chain??? Yeah, well, I kind of did, kind of didn't, it seems. I get the basic idea under all that: allow what's needed, drop everything e...
by nashaden
Wed Feb 28, 2024 4:53 pm
Forum: General
Topic: Switching to new router and wanted to cleanup the firewall mess
Replies: 8
Views: 1002

Re: Switching to new router and wanted to cleanup the firewall mess

In theory, an IPsec vpn will be enough. It will be more correct this way and let's not forget about the Forward section :) Took me a while, as I was busy with other matters. Anyway, taking into consideration what you have said, I came with this final (?) solution: /ip firewall filter # input add c...
by nashaden
Fri Feb 23, 2024 3:24 pm
Forum: General
Topic: Switching to new router and wanted to cleanup the firewall mess
Replies: 8
Views: 1002

Switching to new router and wanted to cleanup the firewall mess

Hi. So, I'm switching from RB2011UiAS to CCR2004-16G-2S+ and, since my RB2011 firewall config is a mess I wanted to "rewrite it" and came up with this (only input chain): /ip firewall filter add action=drop chain=input in-interface-list=WAN comment="permanently DENIED ips" src-ad...
by nashaden
Mon Sep 11, 2023 12:58 pm
Forum: General
Topic: RB2011iL + CSS326-24G-2S + hAP Ax3 VLANS working but... [SOLVED]
Replies: 4
Views: 1311

Re: RB2011iL + CSS326-24G-2S + hAP Ax3 VLANS working but... [SOLVED]

Setting hw=yes vs. hw=no only affects traffic between wired ports. If there's traffic between two ports (e.g. between ether1 and wifi2) and any of those ports doesn't have hw=yes, then traffic is not offloaded. Since wireless interfaces don't get HW offloaded, you didn't hit the bug. I see. Thank y...
by nashaden
Sun Sep 10, 2023 6:39 pm
Forum: General
Topic: RB2011iL + CSS326-24G-2S + hAP Ax3 VLANS working but... [SOLVED]
Replies: 4
Views: 1311

Re: RB2011iL + CSS326-24G-2S + hAP Ax3 VLANS working but... [SOLVED]

This is correct configuration. I don't have an ax3, but I seem to remember other forum threads mentioning bugs in some recent ROS versions regarding bridge HW offload on IPQ-6010 devices. So you may want to disable HW offload on all wired ports (including the ether1 trunk) by setting "hw=no"...
by nashaden
Sun Sep 10, 2023 2:31 am
Forum: General
Topic: RB2011iL + CSS326-24G-2S + hAP Ax3 VLANS working but... [SOLVED]
Replies: 4
Views: 1311

RB2011iL + CSS326-24G-2S + hAP Ax3 VLANS working but... [SOLVED]

Hi, Long story short. My previous setup was RB2011iL + 2x hAP AC3. It was working fine with AC3 as CAP and RB2011iL as main router and CAPsMAN with two subnets (people and iot) configured via datapaths. I got hAP Ax3 to replace AC3 but it turned out RB2011 CAPsMAN was unable to control Ax3, so I got...
by nashaden
Thu Sep 12, 2019 3:43 pm
Forum: Wireless Networking
Topic: CAPsMAN with GUEST in non dhcp environment
Replies: 2
Views: 1533

CAPsMAN with GUEST in non dhcp environment

So I've browsed through the topic and could not find a similar configuration. The manager will be RB2011UiAS and the AP wAP ac. There is one bridge on the RB2011 and no DHCP server. The AP will not be connected directly to any of the RB2011's ports so I cannot assign a DHCP to a specific port. T...
by nashaden
Sun Feb 26, 2017 1:09 am
Forum: General
Topic: MT router + MT APs setup at home: HW question
Replies: 3
Views: 882

Re: MT router + MT APs setup at home: HW question

I maybe have enough time in my life to be proficient in one product line. If I had to handle two, I'd just be a dilettante in each of them. An all-MikroTik network gives you a lot of capabilities that you don't otherwise have. With ROMON, you can examine any device on the network from any place ins...
by nashaden
Sat Feb 25, 2017 11:03 pm
Forum: General
Topic: MT router + MT APs setup at home: HW question
Replies: 3
Views: 882

MT router + MT APs setup at home: HW question

Hi, As of now I'm a happy user of a MT hap ac lite router which is enough to cover my whole apartment with wifi signal. Things are about to change as I'm moving to a two floor house and I got a bit puzzled. I've set up a similar thing at my friend's house with MT as a router and Ubiquiti UniFi APs an...
by nashaden
Tue Dec 20, 2016 2:34 am
Forum: General
Topic: "ip ipsec policy set" not working
Replies: 0
Views: 799

"ip ipsec policy set" not working

Now that is odd. I have three ipsec policies (X'es used to mask IPs): [itpasja@MikroTik] /ip ipsec policy> print Flags: T - template, X - disabled, D - dynamic, I - inactive, * - default 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes 1 ;;; ZWIK src-ad...
by nashaden
Tue Dec 20, 2016 2:23 am
Forum: General
Topic: IPSEC site-2-site: adding policy hangs the router
Replies: 5
Views: 1429

Re: IPSEC site-2-site: adding policy hangs the router

and also you made mistake by giving ip to ether2. you must set the ip in bridge interface cause ether 2 is already part of bridge and dhcp server is run on bridge as well. Sent from my SM-N910C using Tapatalk Now that is funny because that was set by mikrotik QuickSet plus I have no problems with D...
by nashaden
Mon Dec 19, 2016 12:10 am
Forum: General
Topic: IPSEC site-2-site: adding policy hangs the router
Replies: 5
Views: 1429

Re: IPSEC site-2-site: adding policy hangs the router

Your policy is seriously wrong, it tells the router to encrypt all traffic from anywhere to everywhere! Bloody idiot I am... copy/pasted the policy from a tutorial without actually checking the IPs. anyway, this needed one more thing: a script I found here http://gregsowell.com/?p=1290 that sets sa...
by nashaden
Sun Dec 18, 2016 10:06 pm
Forum: General
Topic: IPSEC site-2-site: adding policy hangs the router
Replies: 5
Views: 1429

IPSEC site-2-site: adding policy hangs the router

Hi, I have RouterBoard RB952Ui-5ac2nD-TC hAP ac Lite Tower Case at home and am trying to set up an IPSEC site-to-site tunnel with RB2011UiAS-RM at the office. I have a static IP at the office and dynamic one at home. Before getting the hap ac lite I used Cisco RV130W at home and had the IPSEC tunnel...
by nashaden
Sun Oct 23, 2016 11:24 pm
Forum: Beginner Basics
Topic: RDP not working over Ipsec site-2-site
Replies: 4
Views: 3521

Re: RDP not working over Ipsec site-2-site

I did get the ipsec tunnel to run properly (including RDP to win server machine). Here's what I did: I marked vpn packets with: mangle print Flags: X - disabled, I - invalid, D - dynamic 0 chain=input action=mark-packet new-packet-mark=vpn passthrough=yes protocol=udp dst-port=4500 log=no log-prefix...
by nashaden
Fri Oct 21, 2016 2:26 am
Forum: Beginner Basics
Topic: RDP not working over Ipsec site-2-site
Replies: 4
Views: 3521

Re: RDP not working over Ipsec site-2-site

I have another MT (rb750r2 hex lite) with an almost mirror configuration to this RB2011, with some minor differences: 1. on both I have the same ISP, but RB2011 uses static IP while hex uses pppoe to access internet. 2. I run ipsec tunnels on both, using the same configuration (apart from addresses ...
by nashaden
Thu Oct 20, 2016 1:28 pm
Forum: Beginner Basics
Topic: RDP not working over Ipsec site-2-site
Replies: 4
Views: 3521

RDP not working over Ipsec site-2-site

I have an IPSEC site-to-site tunnel between my mikrotik RB2011UiAS and my client's router (ZYXEL). Both phases are fine, the connection is established and I can see packets on my firewall going through accept rules. However they have to use RDP to one of my MS-Windows Server 2003 machines, but canno...