Mikrotik RouterOS – VLAN notes

https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

VLAN successfully passes through regular Ethernet bridges

https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching

https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration

DHCP offering lease without success issue with Mikrotik on the far side of Ubiquiti device.

DHCP error offering lease

Make sure that radio does not have the VLAN configured on just the WAN interface. Easiest way would be to put it in bridge mode and use the management VLAN.

Mikrotik RouterOS – “drop all from WAN not DSTNATed”

The default DSTNATed firewall rule keeps traffic from the WAN accessing LAN side IP addresses.

More info here

Printing the rules on a router with the default config should show the following.

;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-nat-state=!dstnat in-interface=ether1

If you are wanting to add the rule to a router, you can copy and past the following command. Replace in-interface=ether with your in interface.

/ip firewall add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface=ether1

Check if Mikrotik is an Open DNS Resolver

https://www.openresolver.com

You can test if a router is acting as an open DNS resolver by running the following command from a Linux terminal. If you need to install dig, refer to here for Debian/Ubuntu and here for RPM/CentOS/Fedora Distros.

Replace 192.168.88.1 with the host you want to test against.

dig +short test.openresolver.com TXT @192.168.88.1

If you receive the following

"open-resolver-detected"

The router is acting as an open resolver.

If you get

;; connection timed out; no servers could be reached

Then you are unable to use that router to resolve DNS.

Example running the command against a Mikrotik router with Remote DNS turned on Then adding a firewall rule to block unwanted request.

bob@localhost:~$ dig +short test.openresolver.com TXT @192.168.88.1
"open-resolver-detected"
bob@localhost:~$ 
<<-- Put firewall rule on router -->>
bob@localhost:~$ dig +short test.openresolver.com TXT @192.168.88.1
;; connection timed out; no servers could be reached  
bob@localhost:~$ 

Extra notes

If you have firewall rules allowing your IP address to use the router for DNS, then the above command to test will show it as an Open Resolver. Ideally you would want a connection from the outside to test. Or you can use this link and test it from the website. https://www.openresolver.com

Mikrotik Safe Mode

Safe Mode is a configuration fail safe for Mikrotik routers. If enabled and you make a change that disconnects your session to the router, whatever changes were made will be rolled back, which should let you get back in the router.

If your in WinBox you can hit the Safe Mode button at the top left

If your in a telnet or ssh session just hit

ctrl + x

You should see the following to let you know that safe mode is active

[Safe Mode taken]

Hit ctrl + x again to release Safe Mode

Mikrotik RouterOS view and set Simple Queue speeds

list all simple queues

queue simple print 

Print queue that matches part of name

queue simple print where name~"John"

Example results

Flags: X - disabled, I - invalid, D - dynamic 
0 name="John Smith" target=192.168.1.3/32 parent=none packet-marks="" priority=8/8 queue=sfq-up/sfq-down limit-at=0/0
max-limit=1M/10M burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1 total-queue=default

Change max speed on queue for client name. The Upload is specified first.

queue simple set max-limit=10M/100M "John Smith"

Setup SNMP v3 on Mikrotik Router

Setting up SNMP via WinBox is straight forward, the following commands are how to set it up from the command line with some troubleshooting info at the end.

Setup SNMPv3

Setup Community (Change v3Private,encpass, and authpass to their respective names or passwords)

snmp community add name=v3Private encryption-protocol=DES encryption-password=encpass authentication-password=authpass security=private

Enable and set SNMP community (Trap Community needs to match the above command.  Change contact and the location as needed.)

snmp set contact=admin@incredigeek.com location=DeviceLocation trap-community=V3Private

Troubleshooting

Sometimes, for no apparent reason it seems, routerOS will have issues using the default community.  Work around is to create and use a new community.

Cannot connect with AES encryption

AES doesn’t always seem to work reliably.  Seems to work on some and not other.  Work around is to use DES.

Log shows Permission Denied

Double check the allowed from addresses, user, and passwords