Go to Tools -> Packet Sniffer
Configure the Streaming options. Set the Server IP address to the computer you are running Wireshark on
Configure the Filter settings. Unless you want to stream everything from the router to your computer.
Make sure the TZSP is enabled in the “Enabled Protocols” Window. Either by going to “Analyze -> Enabled Protocols” or “Ctrl + Shift + E”
Run Wireshark.
Helpful links
Open up PPP and select L2TP Server. Set it to Enabled, set IPsec to yes, and set the IPsec secret.
Next go to PPP -> Profiles and modify the default-encryption one. You can setup an IP Pool to use for the VPN clients when they connect.
Next go to the PPP -> Secrets and configure the user to connect.
Setup your VPN client and connect.
Can look here to set a certificate up in Winbox
or here to configure from command line
To setup a OpenVPN server on a router there are a few things that need to be done.
Create an IP pool that clients can pull and address from when they connect
Modify the default-encryptoin Profile and specify the VPN IP pool.
Create new user, specify the default-encryptio profile
Enable the OVPN server. Specify the “Default Profile:” to be the default-encyption, specify the certificate to be the server-template, or whatever the name is of the certificate you created.
https://wiki.mikrotik.com/wiki/Manual:Create_Certificates
https://www.medo64.com/2016/12/simple-openvpn-server-on-mikrotik/
/certificate add name=ca-template common-name=myCa days-valid=3650 key-size=2048 key-usage=key-cert-sign,crl-sign /certificate add name=server-template common-name=server days-valid=3650 key-size=2048 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign ca-template name=myCa /certificate sign server-template ca=myCa name=server
/certificate set myCa trusted=yes /certificate set server trusted=yes
Open up the Certificates window by going to /System -> Certificates. Hit the + to add a new certificate
First we are going to create a Certificate Authority template
Specify the key usage to “crl sign” and “key cert. sign” and apply
Now we are going to create a server template
We need to specify “Digital signature, key encipherment, and tls server” You may need to enable/disable more depending on your use case scenario. In this case we are setting it up for OpenVPN.
First we need to sign the ca-template by opening up the the Certificate and hitting Sign on the right hand side. Should get the little Sign window pop up.
Progress will show done when it is finished signing.
Next we need to sign the server-template. When Signing the server template, specify the ca-template in the CA: field. See below
Move all the VLANs under ether7 to ether6. Instead of an “=” sign, you can use a “~” to do a partial match.
foreach i in=[/interface vlan find where interface="ether7"] do={interface vlan set interface=ether6-master-local $i }
Move ip address from ether6 to ether7. Change 192.168.88.1/24 to the address and the find command will find it regardless of the port and assign it to ether6 or whichever port is specified.
ip address set interface=ether6-master-local [find address="192.168.88.1/24"]
You can add a delay before a command runs by specifying delay and then the time to wait.
delay 60
Use the ; to separate commands. Example below, wait 5 seconds then print the ip addresses.
delay 5 ; ip address print
The following command/s will wait 60 seconds then move all the VLANs on ether7 to ether6 and then move the 192.168.88.1/24 address to ether6.
delay 60 ; foreach i in=[/interface vlan find where interface="ether7"] do={interface vlan set interface=ether6-master-local $i } ; ip address set interface=ether6-master-local [find address="192.168.88.1/24"]
Sometime the following warning can show up in the log.
10:48:45 interface,warning ether2: bridge port received packet with own address as source address (74:4d:28:69:89:9d), probably loop
Check and verify that your interface MAC addresses are unique. VLANs look to be the exception as they should share the MAC address of the interface the VLAN is on.
More information in this thread.
https://forum.mikrotik.com/viewtopic.php?p=583064#p703228
Go to “Alerts -> Alert Rules” Then “Create rule from Collection”
Search for “Sensor under limit” and Select
Add another rule to limit to just the Voltage Sensors by using the “sensors.sensor_class = Voltage”
Select your Groups and Transports and Save.
You may get some alerts because there are some ports that do not have any any voltage on them. You can disable them on a per device basis by going to the “device -> Edit -> Health” and turning alerts off
https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN
VLAN successfully passes through regular Ethernet bridges
https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching
https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration
DHCP offering lease without success issue with Mikrotik on the far side of Ubiquiti device.
Make sure that radio does not have the VLAN configured on just the WAN interface. Easiest way would be to put it in bridge mode and use the management VLAN.
The default DSTNATed firewall rule keeps traffic from the WAN accessing LAN side IP addresses.
More info here
Printing the rules on a router with the default config should show the following.
;;; defconf: drop all from WAN not DSTNATed chain=forward action=drop connection-nat-state=!dstnat in-interface=ether1
If you are wanting to add the rule to a router, you can copy and past the following command. Replace in-interface=ether with your in interface.
/ip firewall add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface=ether1