Do not block via MAC address; they can be changed. Instead, set the ARP option of the interface where the DHCP server is running to 'reply-only' so that people who set their network interface to static IP address will not have any route to the router at all.

Hi all Sifus and Mikrotik Expert,

Would like assistance / advice on enable firewall, so that I can access my Synology via DDNS. I'm use to be able to access the Synology before changing to Mikrotik router. The following information or steps that I have perform, but still not accessible.

- DDNS register via Synology system





- Firewall NAT open configurations





- The other thing I notice is that when I put "In Interface = Unifi-Internet" there is no Bytes / Packets count, but when I leave it blank it do. Why I use the In Interface as this guides around mentioned to choose that options (try both options, still the same, can't access)

- I use direct WAN IP, same problem.

- When I key in the hostname, it brings me to the RouterOS web login. When I put in the hostname:5001, it will mentioned that "The server is taking too long to respond"

Please let me know what am I missing that needed to be configure to able to access to the webpage. I'm using the same Firewall NAT settings for my Synology Torrent to open port and it is able to work.

This post has been edited by KidsCode: Jan 1 2014, 05:41 PM

your synology port is 5001 ???

Yup, I set Synology Web Access via HTTPS as default 5001

Your port forwarding config seems fine..

1. Within your LAN, can you access https://192.168.88.150:5001 ?

2. What does http://canyouseeme.org/ say when you enter 5001 as the test port?

You can't really test port forwarding by connecting to your WAN IP from within the same network unless you've setup a specific configuration.. use an external host to verify.

If directly key in IP using LAN is possible

Hairpin NAT might be the issue

Direct IP (WAN IP) same issue.

Hmm, Hairpin NAT. Not very knowledgeable on this but will preform research on this. Thanks

There are several ready script you can use in the Mikrotik Wiki

You can also try this

http://networkingforintegrators.com/2013/0...-or-externally/

Thanks alot Amirsubhi, will study and understand the link. Will feedback after i test around.

hi all...

been awhile.. how's your mikrotik with unifi..

all working well, smooth and problem less ?

So far no problem with my Mikrotik. The RB1100AHx2 fan are noisy.

using for office or home ?? those are "Racked" should be kept in a server room.. with closed door lol

JinXXX, home use. I installed a resistor to slow down the fan speed from 6300rpm to 4000rpm, still noisy.

My current home setup



This post has been edited by ldragon: Jan 12 2014, 04:04 PM

nice , talk about overkill for equipment

hi all, haha new to here, its good to see so many mikrotik expert over here.

i have a question, may i know is that possible to directly use the Unifi fiber connect to the mikrotik (with SFP), so that i can remove the whole TM thingy?

I don't think it's possible at the moment.. not unless you can find a fully implemented GPON ONU on an SFP matching your current ONU vendor. You would also need the GPON password for your current device and maybe some reconfiguration on the TM side to get it to authenticate.

^- ic. thanks, was just a wishful hope

all sifu here, i was set my mikrotik router each ethernal port to different subnet. i on the unifi network. i was set correctly address , dhcp pool and dns server , both can access internet no problem but why i still can ping other ip and see them in workgroup? any idea can block to communicate between them?

here is my setup :

device : RB751U-2HnD
ether1 (master_port): Hwawei ONU
ether2 (slave): connect to switch
ether3 (slave): connect to wifi router
ether4 (slave): no plug anything yet
ether5 : connect to another switch

* ether2,3,4 was set to 192.168.1.0/24 with pool 192.168.1.20-192.168.1.199 (gateway 192.168.1.1)
* ether5 was set to 192.168.0.0/24 with pool 192.168.0.100-192.168.0.199 (gateway 192.168.0.1)

both ip range can ping to other ip range in cmd , and can see other in workgroup also. anyway firewall rule can make them drop fail to ping each other ip range?

and , any guide can make firewall for mac address grouping blocking? very tired if 1 by 1 create new the firewall rule for each pc mac address

This post has been edited by gahkin: Feb 20 2014, 12:50 AM

The easiest way is to add firewall to block communication between subnet

/ip firewall filter add chain=forward action=drop src-address=192.168.1.0/24 dst-addresss=192.168.0.0/24
/ip firewall filter add chain=forward action=drop src-address=192.168.0.0/24 dst-addresss=192.168.1.0/24

this setting will affect their own internet access?