Search the Community
Showing results for tags 'mikrotik'.
-
Hey guys, I didn't know where to post this so I decided to post in the off-topic section. I need a script for Mikrotik RouterOS to check whether a specific IP port is open (192.168.8.25:7443 (NGINX installed)); if not, then run another script; if it's open, then do nothing. On the destination IP only telnet is available, no ICMP, no SSH. I have RouterOS V6.49.7; netwatch tcp-conn is not available in the V6.** versions and I can't upgrade it to V7.**. Could someone please help me with scripting?
-
Hello LTT Forum, I'm very new to Unraid and most of the concepts that come with it. I've mostly been able to get things going myself with the help of Google and YouTube but am running into issues finding easy-to-digest information on this particular topic. Please keep in mind I'm still very ignorant of a lot of networking concepts and terminology. I've set up Nextcloud to be accessible outside my LAN with a custom domain and everything is working great. I want to limit the upload bandwidth that the Nextcloud docker has access to though, so any time someone downloads a large file I've shared it doesn't just wreck my internet. My understanding is I can do this with a static docker IP and "simple queues" in Mikrotik RouterOS. Can anyone point me in the right direction? I already have Nextcloud running on a custom docker net but have not assigned a static IP yet. Is there anything I should keep in mind when assigning one? Can it be literally anything? Are there any extra steps I need to take in Unraid to make it visible to the Mikrotik router? More importantly I need someone familiar with Mikrotik to explain simple queues to me and how I would then use them to set an upload limit on the static IP assigned to Nextcloud. All the information on RouterOS seems to expect you to already have advanced-level network administration knowledge and I'm just starting out. I disabled the fasttrack rule and currently have a simple queue for the IP of the Unraid server that seems to be working. As stated earlier though I'd like to be able to set up queues for individual dockers on the server. Appreciate any help!
-
Hello there, I really want to ask for advice from more experienced users than myself about L2TP internet speed. So I bought a NetGear AX1800 RAX20 router (latest firmware already installed) and it seemed to work fine by delivering a 100mb/s stable connection. However, after I bought a new Xbox console I noticed that I am always getting disconnected from online gaming even though everything is connected directly by internet wires. After discussing this issue with my ISP I've been told that I need a VPN connection using L2TP, which they can provide me with. After entering all the credentials in my router I got a VPN L2TP connection and my console started to work just fine. However, I didn't check my internet speed at that same moment. Lately I've noticed my internet speed is limited to 60mb/s while using the VPN, which is almost 50% less than the amount I am paying for. If I turn the L2TP option off, my speed comes back to the normal 100mb/s. As a solution my ISP offered me to try their own router (Mikrotik hap-lite 7442a-94125ND), which is significantly smaller and, on paper, less powerful. BUT using this router with L2TP my connection is basically 100mb/s. The ISP explained to me that my router's CPU is not powerful enough to encrypt all the data so it limits the bandwidth. Another solution would be to turn L2TP encryption off, but I did not find this option in my router settings. The Mikrotik router seems to handle this without any problem for some reason and I get a 100mb/s stable connection. So the main question: is my NetGear router so bad (even though it costs 3 times as much) that it cannot deliver 100mb/s bandwidth with an L2TP connection, or am I missing something? I would like to keep my NetGear router because it has so many features and controlling it with an app sometimes is really useful, but this 60mb/s limitation really forces me to take the Mikrotik router instead.
-
Good day. First of all, I would like to mention that I have already read the Mikrotik Wiki and multiple configuration examples, and read a lot of forum topics about QoS with configurations similar to what I want to achieve. I am also (very) new to networking, so I might have missed some important points.

My setup looks like this:
- Mikrotik wAP (model RBwAPG-5HacT2HnD) with RouterOS 6.45.9 is connected via its single LAN port to a Linux desktop. Mikrotik works in "ap bridge" mode. It is also set to the 2.4GHz B so that I can limit the physically available bandwidth to 10Mbit/s (in reality I get ~6Mbit/s). All interfaces are bridged.
- A Linux laptop is connected to the 2.4GHz channel of the Mikrotik.

I wrote the simplest server-client C program to send a ping-like message from client to server and back per TCP connection. What I want to do now is to guarantee at least 200kbit/s to the connection of my ping-like program, while iperf3 generates as much traffic as it can to saturate the link (read: prioritise my C program's traffic over iperf3). The desktop acts as client and sends a single "double" over WiFi to the laptop, which then increments the "double" and sends it back. I want to achieve the desired "prioritisation" of my ping-like traffic with the help of Queue Trees.

In order to do that, I configured the tree in the following way:

    /queue tree
    add max-limit=10M name=to-fr-parent parent=global
    add limit-at=200k max-limit=10M name=to-fr-high-prio packet-mark=br-high-prio-to-fr parent=to-fr-parent priority=1
    add limit-at=2M max-limit=10M name=to-fr-low-prio packet-mark=br-bulk-to-fr parent=to-fr-parent
    add max-limit=10M name=from-fr-parent parent=global
    add limit-at=200k max-limit=10M name=from-fr-high-prio packet-mark=br-high-prio-from-fr parent=from-fr-parent priority=1
    add limit-at=2M max-limit=10M name=from-fr-low-prio packet-mark=br-bulk-from-fr parent=from-fr-parent

This in theory must guarantee 200kbit/s to my ping-like traffic and 2Mbit/s to iperf, and the rest will be distributed according to priorities. In my case the rest should go to iperf, because the ping connection takes something about 150kbit/s. In order to make the Queue Tree work, I need to mark the packets to allow their classification in the queue. Because my interfaces are all bridged, I decided to go with Bridge rules, but have also tried IP Firewall rules before. The rules work correctly and mark the desired traffic. I checked this by inspecting the Log and Counters.

    /interface bridge filter
    add action=mark-packet chain=forward dst-address=192.168.88.254/32 dst-port=5150 ip-protocol=tcp log=yes mac-protocol=ip new-packet-mark=br-high-prio-to-fr
    add action=mark-packet chain=forward ip-protocol=tcp log=yes mac-protocol=ip new-packet-mark=br-high-prio-from-fr src-address=192.168.88.254/32 src-port=5150
    add action=mark-packet chain=forward ip-protocol=tcp log=yes mac-protocol=ip new-packet-mark=br-bulk-from-fr src-address=192.168.88.254/32 src-port=!5150
    add action=mark-packet chain=forward dst-address=192.168.88.254/32 dst-port=!5150 ip-protocol=tcp log=yes mac-protocol=ip new-packet-mark=br-bulk-to-fr

By inspecting the counters in the Queue Tree tab I can see that the traffic is marked correctly and is increasing the appropriate counters also in Queue Trees.

But here is the problem: when I run iperf3 and then start my ping-like client, it does not get the guaranteed 2Mbit/s and gets delayed a lot (RTT is ~500ms). (It does not even get the actually required 150kbit/s.) If I run only the ping-like client without iperf traffic I get RTT ~3-6ms. RTT measurement is implemented on the client side. Does anyone see an error in my configuration? What is lacking in my config?

P.S. Again, I am very new to networking, so the obvious stuff for you might not be so obvious for me :)
P.P.S. Here is the whole config of the router: https://pastebin.com/yXix5fwb
-
So, I have got no clue why, but when I use my Mikrotik router (RB941-2nD) the internet connection becomes very weird. I am very confused so some diagnostic tips would really help. When I play CS:GO it quite regularly starts to jitter. This happens all the time with Discord and other web calling apps. This does not happen when I connect the ISP's cable directly to the motherboard. Could it be because of the fact that my connection to the internet is 300Mbit but the router supports only 100Mbit networking? I did not notice this for quite a while (a few months), maybe it showed up after I updated the firmware.
-
Hello all, I've been running a small IT shop for about a year and a half now. I got started installing UniFi Dream Machine Pros and the more I use them the more I seem to have issues with them not giving me accurate information in the UniFi console. I was also drawn to them for the "all in one" solution and now that I'm getting better at my networking skills, I'm noticing and being annoyed more and more with the software bugs, lack of strong community support, and more prosumer attitude towards product rollout. I'm thinking of jumping ship now before I get into bed further with them (i.e. buying and installing more products). I'm not okay with the idea of paying the ridiculous licensing fees of Meraki and the like. I remember watching Linus's video on the MikroTik 10g switch and have started doing preliminary research into them. I need someone with more experience to tell me I am or am not headed in the right direction. Is UniFi a necessary evil? I'm due for a network upgrade at my office/home so I'm thinking of installing the first new brand installation at my house so I can learn/teach myself/etc... Thoughts? -Morgan
-
Hello all! New member here but long time viewer of LTT on YouTube. I was wondering, and cannot wrap my head around a doubt. I have surfed through multiple forums but cannot find a credible enough answer, so I decided to try here as well. Basically, my setup includes but is not limited to: 1 MikroTik router, multiple vlans, one unraid server (with the usuals for movies, tv series and torrent handler. Will not go into detail, but if you know, you know). And finally two ISPs. I have failover configured and it works properly. What I want to know is this: 1. Will the VPN tunnel to Windscribe, in this particular case, leak packets (of the torrents) out of the tunnel if I configure ECMP on the router to bind both ISP speeds? 2. Do commercial VPNs connect from one origin IP (let's say, ISP1) to their VPN servers on whatever city, and country it might be? 3. Should I just route torrent traffic through one ISP and forget about torrenting through ECMP and do a kill switch configuration on the router when failover? This would be considering that ECMP will be configured but torrenting will just go through one ISP with marked packets. Please, I'm requesting everybody's knowledge come into play in this one post. If additional information is needed to clear doubts, say no more and I'll provide what I have and what I do know. Thanks all .
-
I have a Mikrotik CSS326 and a CRS305 with a 10gb fiber line between them. I've had it operational since January of this year, but ever since yesterday the connection no longer works. I can still remote into each switch with devices on their sides of the network. The only way I can get them to transfer data between each other is by changing which SFP+ ports the transceivers go in, and even then it only works for about 2-5 minutes. For the love of god please help, I've been trying to fix this for the past 7 hours.
-
So I'm trying to forward some ports (Minecraft (25565)), but every time I fail. Right now I'm very confused due to the fact that:
- I have a mikrotik LHG-LTE6 antenna - going to TP-LINK Archer C1200 (running in AP mode)

Things I've tried so far:

    /ip firewall nat add chain=dstnat protocol=tcp dst-port=25565 in-interface=lte1 action=dst-nat to-address=192.168.88.244 to-ports=25565
    /ip firewall filter add chain=forward dst-address=192.168.88.244 protocol=tcp dst-port=25565 action=accept
-
Guys, I have a pair of the devices at home and want to set up a connection to another house. Upon connecting each device to my laptop I can see they come pre-configured and they communicate on their own network (something like 192.168.88.2 and 192.168.88.3). Does it matter if they are in a different range than what I use at home (192.168.100.0/24)? Also they are set in Bridge mode; does that affect anything, or do I need to change their whole configuration? Anyone with more expertise in this field can offer advice. I never used RouterOS, I just tried it with WinBox.
-
Hi, I have a problem with my PPTP VPN. Below is my config that worked but doesn't work anymore.

    /ip firewall mangle
    add action=mark-routing chain=prerouting dst-address-list=Kancl in-interface=bridge1 new-routing-mark=Kancl passthrough=yes src-address-list=XPS
    /ip firewall nat
    add action=masquerade chain=srcnat dst-address-list=Kancl out-interface=Kancl src-address-list=XPS
    add action=masquerade chain=srcnat
    /ip route
    add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Kancl pref-src="" routing-table=Kancl scope=30 suppress-hw-offload=no target-scope=10
    /routing table
    add disabled=no fib name=Kancl
    /interface pptp-client
    add connect-to=XXX.XXX.XXX.XXX disabled=no name=Kancl user=XXXX
    /ip firewall address-list
    add address=192.168.88.254 comment=LAN list=XPS
    add address=192.168.88.241 comment=WIFI list=XPS
    add address=92.62.0.0/16 list=Kancl (public IPs)
    add address=100.64.0.0/10 list=Kancl (public IPs)
    add address=10.0.0.0/8 list=Kancl (private IPs that is why I am using the VPN)

It looks like the FW rules work, based on these graphs. The router is an RB5009 on v7.6 (it worked on V7 before). And yes, the VPN is connected:

    16:39:12 pptp,ppp,info Kancl: authenticated
    16:39:12 pptp,ppp,info Kancl: connected
    16:39:12 pptp,ppp,info Kancl: using encoding - MPPE128 stateless

It just stopped working without any changes. I even looked in my backup from November and the config is the same and it worked before, and there shouldn't be a problem on the end. I can connect via VPN on my PC to that and it works fine.

The FW should be OK too (this is not my standard firewall, I reduced it to the bare minimum):

    /ip firewall filter
    add action=fasttrack-connection chain=forward comment="Fasttrack UDP" dst-port=53 hw-offload=yes in-interface=ether1 protocol=udp
    add action=fasttrack-connection chain=forward comment="Fasttrack TCP" dst-port=53 hw-offload=yes in-interface=ether1 protocol=tcp
    add action=accept chain=input comment="accept established,related" connection-state=established,related
    add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
    add action=accept chain=input comment="allow SSH" in-interface=bridge1 port=22 protocol=tcp
    add action=accept chain=input comment="allow Winbox 8291" in-interface=ether1 port=8291 protocol=tcp src-address-list=allowed_to_router
    add action=accept chain=input comment="CAPSMANAGER Discovery" in-interface=bridge1 port=5246,5247 protocol=udp
    add action=accept chain=input comment=OpnVPN-PASS dst-port=1194 in-interface=ether1 protocol=tcp
    add action=drop chain=input in-interface=ether1

I think that the rules are working based on those graphs but it doesn't want to go through the NAT. I thought that FastTrack could be the problem but removing it doesn't help. If I use the PPTP client it doesn't work and I can't even access these IPs 92.62.0.0/16 (public range) and 100.64.0.0/10 even though they are public IPs (these IPs are blocked for some reason). I even tried to disable the FW and that didn't work either.
-
Is there any way to disable SSH, Telnet, Web Interface etc. via The Dude, leaving only Winbox, on multiple MikroTik devices at once?
-
Hey everyone, I want to buy a MikroTik RouterBOARD RB2011UiAS-RM but I need to have some ports open for my servers. My dad however needs a secure network for business reasons. I was wondering if I could configure it, and if so how, to have two separate networks with my server network having open ports and the house network protected. I don't want to buy another firewall and was wondering if anyone knew how to do this. Thanks -The_Auditor
-
So, I wake up one morning and get ready for work. Get to work and log on to my router (Mikrotik RB2011UiAS) and server at home, hop on to the logs and found that someone in the Netherlands is trying to log on to my server! I go into overdrive and start putting in a rule to block the IP and block RDP to the servers in question. They start to ping my router to see if it responds but it won't, so it seems that they gave up after that. Looking through my logs it's interesting to see what accounts they tried to use (XEROX, USER, USER1, SCANS, RECEPTION, even KEVIN of all people!) and how many tries they did with each account. I've now gone in and blocked the whole country now so I won't get any more requests from them now. My question to the people; what type of firewall rules/security do you run? How strict are you? Going through what I have now it seems that I need to make some revisions on the rules to prevent this from happening again.
-
Hi everyone, is there any way to enable fasttrack (like on MikroTik https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack) or something similar on OpenWRT? Thanks!
-
Hello guys, I need help. I have cameras installed. I have access from WAN:port to the cameras, and LAN:port when I am on the LAN. I want to access the cameras from the LAN but with the WAN IP and port.

    [admin@MikroTik] > /ip firewall nat print
    Flags: X - disabled, I - invalid, D - dynamic
     0    ;;; defconf: masquerade
          chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none
     2    ;;; DAHUA
          chain=dstnat action=dst-nat to-addresses=192.168.100.222 to-ports=XXXX protocol=tcp in-interface=all-ethernet dst-port=XXXX log=no log-prefix=""
     3    ;;; PELCO
          chain=dstnat action=dst-nat to-addresses=192.168.100.223 to-ports=XXXX protocol=tcp in-interface=ether1 dst-port=XXXX log=no log-prefix=""
    [admin@MikroTik] >

Both of these are cameras. Two different systems. P.S. I have done Hairpin NAT but it doesn't work. Mikrotik router
-
Hello guys, I have a question about isolating Mikrotik RB750Gr3 ports. Here is what I have:

    port1=WAN
    port2=LAN 192.168.100.0/24
    port3=disabled
    port4=Servers 192.168.10.0/24
    port5=Management 10.1.0.0/24

I have used these firewall rules:

    chain=forward action=drop in-interface=ether2 out-interface=ether4
    chain=forward action=drop in-interface=ether4 out-interface=ether2

It drops between devices. Example: ping from 192.168.100.156 - 192.168.10.11. But I want to drop from device to gateway: ping from 192.168.100.156 - 192.168.10.1. This doesn't drop. 192.168.10.11 to 192.168.100.1 doesn't drop. Any suggestions?
-
Hey everyone, first off, hope you're having a wonderful day! I'm looking to try and set up a fiber backbone that will realistically be able to do 10Gb today and if possible move to 40GbE+ later on down the line. Current infrastructure is 2 servers, one for VMs/Plex provider (unraid), the other acting as both high-speed NAS and long-term HDD storage (Time Machine backups and the like) (FreeNAS). On the network we typically see 15 devices at the low point with a maximum of around 40: everything from phones to laptops to proper workstations, networked receivers etc. Everything is currently running 1GbE RJ45, except for workstations, which are a combination of 2 or 4 1GbE links bonded. A few things: the reason for the fiber backbone is that the total length of the space is 100' by 50', 2 floors, not to mention that we'd be able to upgrade the receivers down the line if/when the need or opportunity arises for a network upgrade. My current thinking for the network is to deploy Mikrotik switches because of their support for 4*10Gb SFP+ on inexpensive switches (crs305 and crs309). For the router I was thinking of going for the RB 4011 since it has fiber and ethernet, and if I go Mikrotik for the APs the 4011 is afforded with a 4*4 MU-MIMO on 5GHz and 3*3 on the 2.4 band. Thoughts? Proposed setup is as such, from top-down view: https://imgur.com/a/O5l8bKV For APs I'm fairly open. Was thinking either UniFi or Mikrotik,
-
Hi, the main question is: RouterOS or pfSense. Both solutions have their advantages, but there's not much data directly comparing these two solutions. I've worked for 6 years with Mikrotik devices and about two years with pfSense. Now it's time for an upgrade so... Any opinions :)?
-
Hey guys, I'll keep it simple. I recently got a MikroTik RouterBoard 1100AH... I'm not a fan of the MikroTik OS and was wondering about flashing it. Preferably I would like to stick with pfSense as that is what I'm running at the moment and it's brilliant, I love it. But from what I gather, pfSense doesn't support MIPS architecture? Any other OS you would recommend? Any possible way of getting pfSense to run on this router? I really would love to use the physical aspects of the router but hate the OS.
-
Still any Mikrotik users out there? I just exchanged my RB2011UiAS-2HnD-IN for the MikroTik RB4011iGS+5HacQ2HnD-IN. I am using a RB962UiGS-5HacT2HnT hAP ac as a secondary access point for the far end of the house. I am using a MikroTik Cloud Smart Switch 326-24G-2S+RM to connect most of my hardware (with my desktop and my unraid server connected via SFP+ DAC cables from FS.COM). This is really amazing hardware. Would be very nice to see one reviewed. There is a small learning curve (ahum), but if you get through it you basically understand networking a whole lot better than you used to.
-
Hey everyone! I'm trying to pull more from my FreeNAS Box to maximize performance. My development box which also hosts my FreeNAS install is running 2 Xeons, 144GB Ram, 256GB NVME L2arc, 3*3TB Z1 My client device is a 2014 MacBook Pro retina 15 inch with DGPU. It has 2 thunderbolt 2 ports and 2 usb3.0 gen 1 ports. Since Thunderbolt 2 gear is wicked expensive, I was thinking of using the USB ports for networking, and with the advent of 802.3BZ adding support for 5Gb/s and 2.5Gb/s being able to hit 5gbit on my laptop. My thinking is I could connect the server via SFP+ to the crs305 (a 4 port SFP+, 1 gigabit rj45 switch ), use an RJ45->SFP+ converter to connect to my current cat6A cabling, then terminate at the laptop with a 5G Ethernet to USB3.0 adaptor. I was wondering if anyone was aware if the CRS 30X (in my case I'm looking at the 305) supports the 802.3bz specification for 5G and 2.5G. Otherwise, if the adaptor supports auto negotiation with the usb to ethernet adaptor, do I have to care about the switch supporting it? Would it essentially just see the other device as a slow 10G device? More than happy to provide clarification, other data Felix CLC
-
Hey guys, can someone tell me why the heck I didn't get full 10 gbit speed? Fibers are clean with very low rx and tx loss. BLVCKRIPPER
-
So. I've watched this video: https://www.youtube.com/watch?v=aGq8uJSco1o Just from that I can tell that they've got a lot of trouble managing their network. I'm not trying to say that Anthony is bad. I think that for a company that size, and for a company that basically doesn't work without their network running at 100% all the time, it would be nice to have someone who is really familiar with the hardware they're running and should be able to configure it from memory. I'm suggesting that they should try some of Mikrotik's hw. I am a networking student. I have some experience with Mikrotik and would recommend it over other brands. For example: I think that Ubiquiti is meh hardware but very nice and organized sw. BUT. It has SO few abilities. Cisco... oh boy. That is some high quality hw. BUT. The software is terrible. I mean that it does the routing, vLANing and overall working with packets very well, but the configuration is soooo terrible. And on that note, I would recommend Mikrotik. They have a selection from small unpowerful home routers to high-end enterprise 10 Gig networking and more. Their sw is veeery good. The configuration is done perfectly. When you use their Winbox program you have it done in a moment. Winbox is a Windows-only GUI configurator of their RouterOS (the OS that runs on Mikrotik devices) that makes it very easy. Also RouterOS provides all, but really all, of the features that LMG would need. pfSense is not bad, but again, the configuration is unclear in most parts and not understandable. For example this: https://mikrotik.com/product/CCR1072-1G-8Splus It's kinda pricy, but nothing in comparison with Cisco. I am using this particular model in my lab in school and damn it's powerful.