VLAN successfully passes through regular Ethernet bridges. Note that VLAN is not a full tunnel protocol. In other words, while wireless clients may participate in VLANs put on wireless interfaces, it is not possible to bridge a VLAN put on a wireless interface in station mode with any other interface.
It is a standardized encapsulation protocol that defines how to insert a four-byte VLAN identifier into the Ethernet header. Each VLAN is treated as a separate subnet. This means that by default a host in a specific VLAN cannot communicate with a host that is a member of another VLAN, even though they are connected to the same switch.
So if you want inter-VLAN communication you need a router. VLAN priorities may also be used and manipulated. When the VLAN extends over more than one switch, the inter-switch link has to become a 'trunk', where packets are tagged to indicate which VLAN they belong to.
A trunk carries the traffic of multiple VLANs; it is like a point-to-point link that carries tagged packets between switches or between a switch and a router. In the stacked VLAN (VLAN inside VLAN) example, if any packet is sent over the 'vlan2' interface, two VLAN tags are added to the Ethernet header: '11' and '12'.
Note: The MTU should be set to the same number of bytes as on Ethernet interfaces. If that is not possible, a smaller MTU can be used, but note that this will cause packet fragmentation if larger packets have to be sent over the interface. At the same time, remember that a smaller MTU may cause problems if path MTU discovery is not working properly between source and destination.
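The tag insertion and the frame growth described above, as an added example that is not part of the original page: this Python code builds an Ethernet frame with stacked 802.1Q tags and parses them back. It assumes that 'vlan2' (id 12) sits on top of 'vlan1' (id 11), that both tags use the default 0x8100 TPID, and the MAC addresses and payload are constructed.

```python
import struct

TPID_8021Q = 0x8100    # customer VLAN tag (assumed default for both layers)
TPID_8021AD = 0x88A8   # service VLAN tag, also accepted when parsing
TAG_LEN = 4            # TPID (2 bytes) + TCI (2 bytes)
MAC_HDR_LEN = 14       # dst MAC + src MAC + EtherType, untagged


def build_frame(dst_mac, src_mac, ethertype, payload, tags=()):
    """Build an Ethernet frame. 'tags' lists (vid, pcp) pairs from the
    outermost to the innermost tag; each becomes a 4-byte 802.1Q tag
    inserted between the source MAC and the EtherType, which is exactly
    where a VLAN interface puts it on egress."""
    hdr = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
    for vid, pcp in tags:
        if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
            raise ValueError("VID must be 1..4094 and PCP 0..7")
        tci = (pcp << 13) | vid            # DEI bit (bit 12) left clear
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (tags, ethertype, payload): 'tags' is the outer-to-inner
    list of (vid, pcp) found after the MAC addresses, 'ethertype' the
    first non-VLAN EtherType (e.g. 0x0800 for IPv4). Truncated frames
    raise instead of being silently misread."""
    off = 12                                # skip dst and src MAC
    tags = []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_8021Q, TPID_8021AD):
            return tags, etype, frame[off + 2:]
        if len(frame) < off + TAG_LEN:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((tci & 0x0FFF, tci >> 13))
        off += TAG_LEN


def stacked_example():
    """Constructed case: a 1500-byte IPv4 payload sent over 'vlan2'
    (id 12, assumed to sit on top of 'vlan1', id 11). The inner tag is
    12, the outer tag is 11, and the frame grows by 8 bytes, which is
    why the MTU note matters. Returns (tags, frame length, tag overhead)."""
    payload = b"\x45" + b"\x00" * 1499      # constructed IPv4 header + zeros
    frame = build_frame("001122334455", "66778899aabb", 0x0800, payload,
                        tags=[(11, 0), (12, 0)])
    tags, _, _ = parse_tags(frame)
    return tags, len(frame), len(frame) - MAC_HDR_LEN - len(payload)


if __name__ == "__main__":
    print(stacked_example())   # ([(11, 0), (12, 0)], 1522, 8)
```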
There are multiple possible configurations that you can use, but each configuration type is designed for a particular set of devices, since some configuration methods give you the benefit of the built-in switch chip and therefore higher throughput. Make sure you are not using any known Layer 2 misconfigurations. Let's assume that we have several MikroTik routers connected to a hub. Remember that a hub is an OSI physical layer device: if there is a hub between routers, then from the L3 point of view it is the same as an Ethernet cable connection between them.
For simplicity, assume that all routers are connected to the hub using the ether1 interface and have IP addresses assigned as illustrated in the figure below.
Then on each of them the VLAN interface is created. If pings are timing out, the VLANs are successfully isolated. For this reason we must use a router working as a gateway for each VLAN; without a router, a host is unable to communicate outside of its own VLAN. VLAN configuration on most switches is straightforward: basically we need to define which ports are members of the VLANs, and define a 'trunk' port that can carry tagged frames between the switch and the router.
There are 2 routers, RouterA and RouterB, each being part of a separate network.
This page was last edited on 19 October.

More likely than not, you will need a "level 6" license for the device. Most resellers provide the hardware and the license in a single package, pre-installed as with any other router on the market; all you need is to make sure you are getting the right license level. All RouterOS routers can be configured using a web portal like many other routers.
If you are on a Windows machine, MikroTik provides a configuration tool, Winbox, which is much faster than using the web interface to change any configuration. All the steps in this guide are performed using Winbox. These changes won't stop any of the other MikroTik features from working.
Normally port 1 on a MikroTik router will be connected to your Internet provider's cable, while the rest of the ports will serve your internal network.
Once your router is installed and you have Internet access from your internal network you can follow this guide. This is a basic and general diagram of how a MikroTik device may be placed in your existing network. Hotspot is what MikroTik routers call the authentication portal that controls access to the Internet.
You will need a hotspot with some modified HTML pages that relay the authentication to our servers, as this is where all the check-in and member information is kept. The MikroTik hotspot requires only one user.
The user's profile needs to allow shared users. We normally raise the shared-users limit and use admin as the shared user. Do not create a new user profile.
You can do this using the "Files" feature in WinBox. Important: after creating the hotspot folder, copy all the files from the default folder to this new folder, then replace the 3 files in that folder with the ones you downloaded from your Nexudus Spaces account. The easiest way to do this may be to drag the default folder to your local computer and then drag the files back into the new folder.
Those files already have all the required configuration from your account settings, so you only need to move them to the right folder and copy the scripts as we explain below. Lastly, you need to create some Walled Garden IP entries so that members can actually browse your site, in case they need to buy access to the space, manage their account or log in.
When hitting the hotspot, users are automatically redirected to us and are shown a page from us, unless we already know who they are based on their MAC address, in which case they see a different page. Next you will need to use the scripts provided in the zip file. Make sure each script has, at least, the "write", "read" and "test" policies enabled.
The bridge feature allows the interconnection of hosts connected to separate LANs (using EoIP, geographically distributed networks can be bridged as well if any kind of IP network interconnection exists between them) as if they were attached to a single LAN.
As bridges are transparent, they do not appear in the traceroute list, and no utility can make a distinction between a host working in one LAN and a host working in another LAN if these LANs are bridged (depending on the way the LANs are interconnected, latency and data rate between hosts may vary). Network loops may emerge, intentionally or not, in complex topologies. Without any special treatment, loops would prevent the network from functioning normally, as they would lead to avalanche-like packet multiplication.
Each bridge runs an algorithm which calculates how the loop can be prevented. All other alternative connections that would otherwise form loops are put on standby, so that should the main connection fail, another connection could take its place. This algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so that all bridges are updated with the newest information about changes in network topology.
(R)STP selects a root bridge which is responsible for network reconfiguration, such as blocking and opening ports on other bridges. The root bridge is the bridge with the lowest bridge ID. To combine a number of networks into one bridge, a bridge interface should be created; later, all the desired interfaces should be set up as its ports.
One MAC address will be assigned to all the bridged interfaces (the MAC address of the first bridge port which comes up will be chosen automatically). Warning: Changing certain properties can cause the bridge to temporarily disable all ports.
This must be taken into account whenever changing such properties on production environments since it can cause all packets to be temporarily dropped.
Such properties include vlan-filtering, protocol-mode, igmp-snooping, fast-forward and others. RouterOS bridge interfaces are capable of running Spanning Tree Protocol to ensure a loop-free and redundant topology. For small networks with just 2 bridges STP does not bring much benefit, but for larger networks properly configured STP is crucial: leaving STP-related values at their defaults may result in a completely unreachable network in case of even a single bridge failure.
To achieve a proper loop-free and redundant topology, it is necessary to properly set bridge priorities, port path costs and port priorities. Using non-standard priority values can cause incompatibility issues with devices that do not support them, so it is recommended to use only the standard priority values (starting from 0). Depending on needs, any one of the supported spanning tree protocols can be used; some devices are able to run some of these protocols using hardware offloading, and detailed information about which devices support it can be found in the Hardware Offloading section.
There are a lot of considerations that should be made when designing an STP-enabled network; more detailed case studies can be found in the Spanning Tree Protocol section. There might be certain situations where you want to limit STP functionality on one or more ports.
Below you can find some examples for different use cases. In this example BPDUs will not be sent out through ether1. In case the bridge is the root bridge, then loop detection will not work on this port. If another bridge is connected to ether1, then the other bridge will not receive any BPDUs and therefore might become a second root bridge. You might want to consider blocking received BPDUs as well. Note: You can use Interface Lists to specify multiple interfaces.
In this example all BPDUs received on ether1 are dropped.
This will prevent other bridges on that port from becoming a root bridge. A root bridge always sends out BPDUs and under normal conditions is waiting for a superior BPDU from a bridge with a lower bridge ID, but the bridge must temporarily disable the new root port when transitioning from a root bridge to a designated bridge.
If you have blocked BPDUs only on one side, then the port will flap continuously. In this example, if ether1 receives a BPDU, it will block the port and will require you to manually re-enable it. Note: In case you want to assign Simple Queues (Simple QoS) or global Queue Trees to traffic that is being forwarded by a bridge, then you need to enable the use-ip-firewall property.
Without this property the bridge traffic will never reach the postrouting chain, and Simple Queues and global Queue Trees work in the postrouting chain. Starting with RouterOS v6.
Instead of relying on complex passwords for client certificates, which usually get written down somewhere, this image provides support for two-factor authentication with OTP devices. The most common app that provides OTP generation is Google Authenticator (iOS and Android); you can download it and use this image to generate the user configuration. Generate the authentication configuration for your client. It will also show a QR code in the terminal that you can scan with the Google Authenticator application.
It also provides a link to a Google Chart URL that will display a QR code for the authentication. Do not share the QR code or the generated URL with anyone but the final user: that is the second factor used to generate OTP codes. Here's an example QR code generated for a hypothetical user named example. On connection it will prompt for user and password.
Enter your username and the 6-digit code generated by the Authenticator app and you're logged in. In this configuration the auth part of the PAM flow is managed by OTP codes and the account part is not enforced, because you're likely dealing with virtual users and you do not want to create a system account for every VPN user.
In this way, when you take a backup, OTP users are included as well. Finally it will enable the OpenVPN plugin openvpn-plugin-auth-pam. If you configured everything correctly you should be authenticated by entering an OTP code from the app.
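The check that sits behind the user/password prompt described above, as an added Python example that is not part of the repository: TOTP as Google Authenticator computes it (RFC 6238, 6 digits, 30-second step), the server-side verification with a small drift window, and the otpauth URI that the QR code encodes. The secret is the RFC 6238 test key and the user name is constructed; the PAM module's own implementation is not reproduced here.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP as Google Authenticator computes it: HOTP with the
    counter set to floor(unix_time / 30). 'secret_b32' is the base32
    secret that the QR code carries."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)


def verify_totp(secret_b32, code, at=None, window=1, step=30):
    """Server-side check behind the 'password' prompt: accept the code for
    the current step and up to 'window' steps either side (clock drift),
    compare in constant time, and reject anything that is not 6 digits."""
    if len(code) != 6 or not code.isdigit():
        return False
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(secret_b32, now + k * step, step), code)
        for k in range(-window, window + 1)
    )


def otpauth_uri(secret_b32, user, issuer="openvpn"):
    """The otpauth:// URI that the QR code encodes; this URI, not just the
    QR image, is the secret that must stay with the final user."""
    label = urllib.parse.quote(f"{issuer}:{user}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={urllib.parse.quote(issuer)}&digits=6&period=30")


# RFC 6238 test secret (ASCII '12345678901234567890' in base32); user is constructed
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(TEST_SECRET, at=59))                   # 287082
    print(verify_totp(TEST_SECRET, "287082", at=89))  # True (previous step)
    print(otpauth_uri(TEST_SECRET, "example"))
```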
Document revision: 2.

NAT is most commonly used to enable multiple hosts on a private network to access the Internet using a single public IP address.
Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. Hosts behind a NAT-enabled router do not have true end-to-end connectivity.
Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP, can be disrupted.
Redirect is similar to regular destination NAT in the same way as masquerade is similar to source NAT: masquerade is a special form of source NAT without the need to specify to-addresses, because the outgoing interface address is used automatically. The same holds for redirect: it is a form of destination NAT where to-addresses is not used, because the incoming interface address is used instead.
Note that to-ports is meaningful for redirect rules: this is the port of the service on the router that will handle these requests (e.g. the web proxy). Information about the translation of addresses, including the original dst address, is kept in the router's internal tables. A transparent web proxy working on the router (when web requests get redirected to the proxy port on the router) can access this information from the internal tables and get the address of the web server from them.
If you are dst-natting to some different proxy server, it has no way to find the web server's address from the IP header, because the dst address of the IP packet, which previously was the address of the web server, has been changed to the address of the proxy server. If the request carries no Host header (older HTTP version on the client), the proxy server cannot determine the web server address and therefore cannot work.
This means that it is impossible to correctly and transparently redirect HTTP traffic from the router to some other transparent-proxy box.
The only correct way is to add a transparent proxy on the router itself, and configure it so that your "real" proxy is its parent proxy. In this situation your "real" proxy does not have to be transparent any more, as the proxy on the router will be transparent and will forward proxy-style requests according to the standard; these requests include all necessary information about the web server for the "real" proxy.
If you want to "hide" the private LAN behind a single public address, use masquerading. Masquerading changes the source IP address and port of packets originating from the private network. To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration. All outgoing connections from the private network will then appear to come from the router's public address, and no access from the Internet to the local addresses will be possible.
If you want to allow connections to a server on the local network, you should use destination Network Address Translation (dst-nat). If you want to link a public IP address to a local server and also allow the local server to talk to the outside using that public IP, you should use source address translation too: add a rule allowing the internal server to talk to the outer networks with its source address translated to the public IP. Linking a whole public IP subnet works the same way, with a destination and a source translation rule.
Source NAT (srcnat): this type of NAT is performed on packets originated from a natted network. A reverse operation is applied to the reply packets travelling in the other direction. Destination NAT (dstnat): this type of NAT is performed on packets destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet.
A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards a private network. The NAT actions include: no action taken (the packet passes through unchanged); an action that keeps the same translated address for a client, which is most frequently used for services that expect the same client address for multiple connections from the same client; and src-nat, which replaces the source address of an IP packet with the values specified by the to-addresses and to-ports parameters.

Together they provide means for authentication of hosts and automatic management of security associations (SA).
Most of the time the IKE daemon is doing nothing. There are two possible situations when it is activated: there is some traffic caught by a policy rule which needs to become encrypted or authenticated, but the policy doesn't have any SAs; or
the IKE daemon responds to a remote connection. In both cases, the peers establish a connection and execute 2 phases. Note: There are two lifetime values, soft and hard. When an SA reaches its soft lifetime threshold, the IKE daemon receives a notice and starts another phase 2 exchange to replace this SA with a fresh one. If an SA reaches its hard lifetime, it is discarded.
Warning: Phase 1 is not re-keyed if DPD is disabled when the lifetime expires; only phase 2 is re-keyed. To force phase 1 re-keying, enable DPD. Warning: PSK authentication was known to be vulnerable to offline attacks in "aggressive" mode; however, recent discoveries indicate that an offline attack is also possible with the "main" and "ike2" exchange modes.
The general recommendation is to avoid using the PSK authentication method. IKE can optionally provide Perfect Forward Secrecy (PFS), which is a property of key exchanges that, in turn, means for IKE that compromising the long-term phase 1 key will not allow an attacker to easily gain access to all IPsec data that is protected by SAs established through this phase 1.
It means additional keying material is generated for each phase 2. Generation of keying material is computationally very expensive: for example, the use of a modp group can take several seconds even on a very fast computer. It usually takes place once per phase 1 exchange, which happens only once between any host pair and is then kept for a long time. PFS adds this expensive operation to each phase 2 exchange as well. The Diffie-Hellman (DH) key exchange protocol allows two parties without any initial shared secret to create one securely.
In the same way, packets with the given UDP destination port that are to be delivered locally are not processed in the incoming policy check. Warning: IPsec is very sensitive to time changes. If both ends of the IPsec tunnel are not synchronizing time equally (for example, different NTP servers not updating time with the same timestamp), tunnels will break and will have to be established again. AH is a protocol that provides authentication of either all or part of the contents of a datagram through the addition of a header that is calculated based on the values in the datagram.
Which parts of the datagram are used for the calculation, and the placement of the header, depend on whether tunnel or transport mode is used. The presence of the AH header allows verification of the integrity of the message, but does not encrypt it.
Thus, AH provides authentication but not privacy. Another protocol, ESP, is considered superior; it provides data privacy and also its own authentication method.
In transport mode the AH header is inserted after the IP header. The IP data and header are used to calculate the authentication value.