r/mikrotik

Hey, I'm trying to set up a wireguard tunnel to connect to my home network from the outside. Here are the commands I used:

/interface wireguard
    add listen-port=24814 mtu=1420 name=Wg_Home
/interface wireguard peers
    add allowed-address=192.168.110.3/32 client-address=192.168.110.3/32 \
    client-allowed-address=0.0.0.0/0 client-dns=9.9.9.9 client-endpoint=\
    x.x.x.x:24814 interface=Wg_Home name=Phone \
    public-key="xxx="

I create the wireguard profile using the QR code and paste the phone's public key to peer options. The connection doesn't work and I believe it is because of the firewall or NAT:

/ip firewall filter
    add action=accept chain=input comment="Accept wireguard home connections " \
    dst-port=24814 in-interface-list=WAN protocol=udp
/ip firewall nat
    add action=dst-nat chain=dstnat dst-port=24814 in-interface-list=WAN \
    protocol=udp to-addresses=192.168.110.2 to-ports=24814

I have the wireguard firewall rule above the default WAN drop rule but it's not getting any matches when I try connecting. The NAT rule however gets a match everytime I try to connect. I'm not sure what is the problem here, if I should provide more information please tell me what. Thanks a lot

Wireguard interface IP=192.168.110.2

Just wondering if there's a limit to the number of connections/tunnels I can run simultaneously? I'm hoping to set up PBR and then set up different devices and PCs connecting to different VPNs.

Hello to the network specialists.

I'm currently struggling with a setup that looks like this:

Magenta 5G Outdoor Router -> Mikrotik CRS326 -> Clients, NAS, ...

The Magenta modem is set to bridge mode, and I'm also obtaining a public IP via DHCP on the Mikrotik (/30 network; business connection).

The MT326 has only the following configuration:

• DHCP client with public IP from the modem (route to 0.0.0.0/0 set automatically)
• All other ports are on a bridge
• DHCP server on the bridge
• SRCNAT Masquerate Outgoing via WAN port

Internet access works without any issues on the clients. What doesn’t work is a PING from the MT directly to, for example, 1.1.1.1 if the packet is <60 bytes. So everything between 60 and 1500 bytes works.

A PING from the outside to the public IP, which should actually terminate directly at the MT, also fails, regardless of the data packet size.

Magenta denies that anything is being blocked or restricted on the modem, but I don’t really believe them.

Has anyone else encountered this issue before?

Power went out mid upgrade, which corrupted the firmware.

Well alright, so I was going to netinstall, but notice the device turns off when a cable is connected directly between it and a PC. It doesn't happen when connected to a different MikroTik, only to a PC. tested with 2 cables and 2 PCs. It simply completely powers off, even if the PC has no power.

Has anyone had something like this happen before? Is there a way I can still somehow netinstall without the need of plugging it to a PC?

I can't get it working anymore.

RB5009, plain vanilla, defconf. Activate B2H.

It works ONCE, to set itself up, then will never ever work again.

B2H app connects, but it's totally dead air - I can ping, cannot connect to anything. The app can't even log into the router itself to modify/access shares/etc.

Anyone else running into this issue?

(Before anyone goes "dump a config" -- it's *defconf*. Literally a factory reset unit followed immediately by setting up B2H.)

Any recommendations?

Hi all,

Forgive me for what might be a stupid question, but i'm still getting to grips with these topics.

I am in the process of setting up a home server / lab environment to host services and apps for my family and for other experimentation. the usual story i guess, and the goal is to be able to easily and safely reach those services.

I have an RB5009 with a more or less standard config at the moment.

From what ive read on the internet the general recommendation is (or was) to use your router for DHCP > Pihole for DNS > Reverse Proxy for access to services.

However seeing as now RouterOS has both adlists and local / static DNS configuration options, i'm wondering if there are any other benefits to using Pihole.

Does Pihole do anything RouterOS can't ?or is is simply ease of use? or more only a benefit for users who's routers don't offer those functionalities?

Thanks in advance, feel free to let me know i'm an idiot if i'm way of base with my understanding of these topics!

Hi all. I have heard that Mikrotik is not the greatest in Wi-Fi, but I didn't need the greatest, I needed something inexpensive to replace my Plume pods. We have 300 Mbps Internet service.

I bought some hAP ax S units, and have been testing one. High Wi-Fi throughout seems to really hammer the CPU. Is this the way on all Mikrotik APs, or just the new AX S?

I'm seeing what I assume are some driver issues as well, where high Wi-Fi throughout causes the Wi-Fi to stop responding. But so far if I'm not running a speed test to my internal server, regular traffic seems to flow okay.

Spent a few hours diagnosing this today and want to see if others are hitting it.

**Symptom:** Excel 365 on Windows 11 throws the "We couldn't copy the content to the clipboard because it's in use by another application" popup constantly during normal copy/paste work. Happens many times an hour during heavy Excel use.

**Setup:**

- Windows 11 Enterprise 23H2

- Excel 365 (current channel)

- WinBox 4.1 on Windows (the Qt-based cross-platform build)

- typically 4-8 WinBox windows open simultaneously for management work

**Diagnostic approach:** Wrote a PowerShell polling script using `GetOpenClipboardWindow()` that logs which process holds the clipboard every 50ms. Ran it during normal work for a few hours.

**What I found:** WinBox 4.1 dominates the clipboard-hold log. Each open WinBox window appears to install its own clipboard listener (Qt's `QClipboard` behavior) that briefly opens the clipboard whenever anything system-wide changes. With multiple WinBox sessions open, the listeners race each other and race Excel.

Example collision pattern from my log (timestamps in HH:MM:SS.ms):

```

09:24:35.249 EXCEL.EXE grabs clipboard

09:24:35.427 WinBox grabs it 178ms later

```

```

09:26:46.023 EXCEL.EXE

09:26:46.123 WinBox 100ms later

09:26:46.391 explorer

09:26:46.544 WinBox (different PID)

```

Excel writes multiple clipboard formats sequentially (text, RTF, HTML, biff, OLE). When WinBox's Qt listener interrupts mid-write, Excel can't complete the write atomically and throws the popup.

**Confirmation:** Closing all WinBox windows eliminates the errors immediately. Reopening multiple WinBox sessions brings them back.

**Things I ruled out first** (so people don't suggest them):

- Not malware (Bitdefender + Malwarebytes scans clean)

- Not Logi Options+ (disabled, errors persist with WinBox running)

- Not StreamFab clipboard monitor (disabled)

- Not Excel Live Preview (disabled)

- Not Adobe Acrobat COM add-in (disabled)

- Not the known Windows 11/Office 365 Microsoft bug alone — that contributes baseline residue, but WinBox is the proximate trigger for my specific high-rate failures

**Workaround:** Close WinBox windows when doing heavy Excel work. Not great when you're managing a fleet.

**Questions for the community:**

1. Anyone else on a seeing this with WinBox 4.1?

2. Workarounds beyond "close WinBox"?

Will post the PowerShell diagnostic script in a comment if anyone wants to verify on their setup.

*Edit: also reporting this on forum.mikrotik.com for visibility with MT staff.*

Hello,

I currently have Mikrotik hEX connected to ISP modem to act as main firewall.

Since hEX does not have WIFI, I added another OpenWRT wifi router in AP mode to create WIFI, while doing so i seperated the subnet for WIFI and the rest.

I disabled IPv6 on hEX since my ISP does not provide any IPv6 functionality, but left the IPv6 settings default on OpenWRT which seems to allow wifi devices to assign themselves IPv6 address. This situation is somewhat desirable? since I do have Matter over Thread iot devices running and those require IPv6

Now for my questions:

1. is it safe to assume that wifi devices that have IPv6 addresses are "isolated" and "local only"? since hEX is not routing any IPv6 there should not be any concern of outside direct access to devices with IPv6?

2. I left the default firewall for IPv6 on hEX alone and it has some rules in it without any traffic logged. I am guessing that is expected outcome since every device that has IPv6 is only "talking" and visible to each other on OpenWRT side?

Hi first time posting here.

I am running two Router-OS instances. One HAP AX S and one Cloud Hosted Router (VPS). Both are running 7.22.3(stable) and are connected over wireguard as S2S VPN with each other.
CHR - wg1 - 192.168.15.1/24
HAP - wg1 - 192.168.15.2/24

In generell the tunnels are up and connected with a keepalive configured 00:00:25.

When I just ping from the cloud-router towards the homerouter I get between 20-30% packet-loss.
When I ping from the home-router towards the cloudrouter I get 0% packet-loss.

Things I already tried:
- ping 192.168.15.2 do-not-fragment size=1200 (1000) > same result of packet-loss
- disable FastTrack rule on Homerouter > same result (CHR does not have FastTrack)
- disable DROP rule for invalid and untracked connections (forward and input)
- also checked CPU on both devices and on both devices it is just on idle between 1-5% usage
- AI suggested to check IP > Settings > RP Filter > no (was already set on both sites)
- I have a Masquerade configured on the hap ax s site (src: 192.168.15.0/24 dst-address-list: !ALL_LAN action: masquerade

If anybody has some additional ideas what else to check it is highly appriciated. I am out of ideas.

Thanks in advance.

Im not aure how much it should be able to route, but i find that at 350mbps, cpu usage is at 100% even with wireguard all disabled, with all my wireguard enabled 280-310mbps max, is that as far as it can do ? Or is it just a bad config ? Everything looked right to me, maybe im missing something

Export with some redacted info and some interface name edited so if theres discrepancy on interface name its not a misconfig just bad edit, but ip addresses and everything else is unedited

https://pastebin.com/Nv5F56u8

Hi,

Deployed 1 cAP AX and 3 cAP AC with capsman in RB5009 ROSv7. cAP AX using driver wifi-qcom, and cAP AC using wifi-qcom-ac. The topology:

RB5009
| -> trunk

Switch
|-------------|---------------|---------------| -> trunk
cAP AC1 cAP AX cAP AC2 cAP AC3

Firmware version:

RB5009: ROS 7.20.8

All cAP: ROS 7.19.6

3 vlan, 3 SSID, with the last SSID on 2G only. Privisioning works. CAP AX works well, but the 5G radio on all 3 cAP AC is disabled with error no available channel, even when I assigned static channel. Provision detail here. Is this firmware thing? Please help. Thank you

https://preview.redd.it/2bhw92heqv1h1.png?width=1396&format=png&auto=webp&s=0dee0b586021f7a50af78f50548080a4bd75292a

I have around $100 to spend on it, I have knowledge required to set it up (school exam, more on it later). I don't need much - 1 gigabit LAN, basic VLANs, QoS, good Wi-Fi (the house is small, one floor); maybe WireGuard, but that's a new thing to me. I thought about hAP ac^2, but 16MB Flash is too small. I don't need containers (I own raspberry pi's, so if anything comes up I can do it on them).

About that school exam - it will be on Router OS 6, with the old GUI (web). Is older WinBox connected to the new Router OS similar enough? Of course I will practice in school, but I would like to have something at least similar in home.

I appreciate any answer, I'm asking because there's no good source regarding this topic - every information contradicts, and LLMs are LLMs - I prefer to check the answer.

For the past year, I have been running an EoIP tunnel over a Wireguard Site-to-Site (S2S) VPN to extend one of my VLANs to my parents' house. Both devices are MikroTik routers. The EoIP tunnel was configured using local and remote addresses within the Wireguard /30 subnet.

The issue is that when I created the input firewall rule to allow GRE traffic, I forgot to specify the Wireguard interface in the in-interface field. This means I have left that rule wide open to the entire internet for a year. Should I be worried about my network security? Thanks

Hello, I'm designing small home 10gig network since we are getting our link upgraded to 8Gbps. I'm stuck between MikroTik CRS312-4C+8XG-RM which apparently has better connectivity options (both ethernet and SFP+) but it's much slower and has worse switching and RAM stats than Mikrotik CRS309-1G-8S+IN. But this one doesn't have ethernet ports. According to a website S+RJ10 adapters can only be used with actively cooled switches. What would you do in my situation. We still don't know if the network will end up as copper or fiber to the clients, so it would be nice to have both options available. Also link to the router will be DAC since there are only SFP+ in there. Will RJ45 adapters get ungodly hot in pasively cooled switch?