Statistics: Posted by Hellothere — Thu Apr 11, 2024 12:19 am
Statistics: Posted by anav — Thu Apr 11, 2024 12:15 am
Statistics: Posted by moorezilla — Thu Apr 11, 2024 12:02 am
Statistics: Posted by Amm0 — Wed Apr 10, 2024 11:57 pm
The issue really comes up ONLY in multi-WAN, where both the WG and BTH variants can run into the SAME trouble if mangle rules are used for multi-WAN routing.
I do agree with you that you have discovered a BTH bug …. Traffic originating on wan2 should return to wan2 ….. surprised that MikroTik have not commented on this behavior…. RouterOS must honor WireGuard routing behavior….
Statistics: Posted by Amm0 — Wed Apr 10, 2024 11:23 pm
Statistics: Posted by nkourtzis — Wed Apr 10, 2024 11:19 pm
Statistics: Posted by vbn2020 — Wed Apr 10, 2024 11:10 pm
add action=drop chain=forward log-prefix=IPV6
/ipv6 firewall filter
add action=accept chain=forward comment="allow listBridge to internet" in-interface-list=listBridge out-interface-list=WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!listBridge
Statistics: Posted by CGGXANNX — Wed Apr 10, 2024 11:04 pm
Statistics: Posted by anav — Wed Apr 10, 2024 10:45 pm
Statistics: Posted by YourWordIsTruth — Wed Apr 10, 2024 10:45 pm
Statistics: Posted by vbn2020 — Wed Apr 10, 2024 10:44 pm
Statistics: Posted by leepipp — Wed Apr 10, 2024 10:41 pm
Statistics: Posted by vbn2020 — Wed Apr 10, 2024 10:33 pm
Statistics: Posted by valyno — Wed Apr 10, 2024 10:28 pm
Statistics: Posted by YourWordIsTruth — Wed Apr 10, 2024 10:25 pm
Statistics: Posted by StokkiesA — Wed Apr 10, 2024 10:22 pm
Statistics: Posted by bpwl — Wed Apr 10, 2024 10:14 pm
Statistics: Posted by loloski — Wed Apr 10, 2024 10:14 pm
Statistics: Posted by mozerd — Wed Apr 10, 2024 10:10 pm
Statistics: Posted by ips — Wed Apr 10, 2024 10:04 pm
Statistics: Posted by infabo — Wed Apr 10, 2024 9:57 pm
/interface wireless connect-list add interface="wifi_interface" connect=no mac-address="mac_address"
/interface wifi access-list add mac-address="mac_address" action=reject
Statistics: Posted by TheCat12 — Wed Apr 10, 2024 9:46 pm
Statistics: Posted by loloski — Wed Apr 10, 2024 9:46 pm
Statistics: Posted by rprandini01 — Wed Apr 10, 2024 9:45 pm
{ "detail": "not enough permissions (9)", "error": 500, "message": "Internal Server Error"}
But at first I didn't see the detail, as I was using Comfortclick's HTTP driver to test it and it only said "Internal server error"... I needed to add the policy=local,reboot,read,write,policy,test,api,rest-api policies too, then it worked.
Statistics: Posted by JDF — Wed Apr 10, 2024 9:43 pm
Statistics: Posted by mkx — Wed Apr 10, 2024 9:36 pm
[admin@Router-10] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=dstnat action=dst-nat to-addresses=10.10.1.1 to-ports=22 protocol=tcp dst-port=10022
 1 chain=srcnat action=src-nat to-addresses=10.10.5.50 src-address=10.10.1.0/24 out-interface=ether5
[admin@Router-10] > /ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=forward action=drop connection-state=new connection-nat-state=!dstnat src-address=10.10.5.0/24
Statistics: Posted by Hellothere — Wed Apr 10, 2024 9:32 pm
Statistics: Posted by llamajaja — Wed Apr 10, 2024 9:02 pm
Statistics: Posted by dazzaling69 — Wed Apr 10, 2024 9:00 pm
Statistics: Posted by loloski — Wed Apr 10, 2024 8:55 pm
Statistics: Posted by vingjfg — Wed Apr 10, 2024 8:45 pm
Statistics: Posted by UkRainUa — Wed Apr 10, 2024 8:42 pm
Statistics: Posted by liviu2004 — Wed Apr 10, 2024 8:36 pm
Statistics: Posted by Nene — Wed Apr 10, 2024 8:34 pm
Statistics: Posted by marisalv53 — Wed Apr 10, 2024 8:23 pm
Statistics: Posted by llamajaja — Wed Apr 10, 2024 8:09 pm
Statistics: Posted by xrlls — Wed Apr 10, 2024 8:08 pm
Statistics: Posted by pmh — Wed Apr 10, 2024 8:06 pm
Statistics: Posted by llamajaja — Wed Apr 10, 2024 8:02 pm
Statistics: Posted by Amm0 — Wed Apr 10, 2024 8:02 pm
ffois@gmail.com (10.5.50.254): login failed: RADIUS server is not responding
and insert the email address into a local variable. Considering that there could also be 2/3 similar messages with different email addresses every 30 seconds:
ffois@gmail.com (10.5.50.254): login failed: RADIUS server is not responding
abc@hotmail.com (10.5.50.250): login failed: RADIUS server is not responding
efg@live.it (10.5.50.251): login failed: RADIUS server is not responding
:set $user1 "ffois@gmail.com"
:set $user2 "abc@hotmail.com"
:set $user3 "efg@live.it"
Statistics: Posted by abbio90 — Wed Apr 10, 2024 7:55 pm
Statistics: Posted by llamajaja — Wed Apr 10, 2024 7:53 pm
Statistics: Posted by Amm0 — Wed Apr 10, 2024 7:51 pm
Statistics: Posted by Meltto — Wed Apr 10, 2024 7:46 pm
Statistics: Posted by TheCat12 — Wed Apr 10, 2024 7:44 pm
Statistics: Posted by Amm0 — Wed Apr 10, 2024 7:37 pm
Statistics: Posted by TheCat12 — Wed Apr 10, 2024 7:32 pm
Statistics: Posted by UkRainUa — Wed Apr 10, 2024 7:26 pm
Statistics: Posted by llamajaja — Wed Apr 10, 2024 7:24 pm
Statistics: Posted by Meltto — Wed Apr 10, 2024 7:22 pm
Yes, and the new way of doing this in UNIX/Linux, not using backtick chars, is like this.
Use a dollar sign and regular parentheses:
$(cat /etc/passwd)
Statistics: Posted by Amm0 — Wed Apr 10, 2024 7:18 pm
# software id = 8MS4-GGM7
#
# model = RB2011iL
# serial number = HE508PC94SW
/ip pool
add name=VPN_PORT5 ranges=192.168.10.2-192.168.10.50
add name=Red_Taller ranges=192.168.20.10-192.168.20.100
add name=DHCP2 ranges=192.168.1.150-192.168.1.200
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=Vegafibra interface=WAN1 list=WAN
add comment=Telfy interface=WAN2 list=WAN
add comment="Red conexiones VPN" interface=Red_VPN_Port5 list=LAN
add comment="Red privada taller" interface=RED_Taller list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.120.5/24 interface=WAN2 network=192.168.120.0
add address=192.168.100.2/24 interface=WAN1 network=192.168.100.0
add address=192.168.10.1/24 interface=Red_VPN_Port5 network=192.168.10.0
add address=192.168.20.1/24 interface=RED_Taller network=192.168.20.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 in-interface=WAN2 protocol=tcp
add action=accept chain=input comment=sstp disabled=yes dst-port=443 in-interface=WAN1 protocol=tcp
add action=accept chain=input disabled=yes dst-port=1723 in-interface=WAN2 protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.100.0/24 in-interface=bridge
add action=accept chain=prerouting dst-address=192.168.120.0/24 in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=bridge new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
add action=passthrough chain=prerouting
add action=passthrough chain=forward
add action=passthrough chain=postrouting
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=WAN1 src-address-type=""
add action=masquerade chain=srcnat out-interface=WAN2 src-address-type=""
/ip route
add check-gateway=ping distance=1 gateway=192.168.100.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.120.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.100.1
add distance=2 gateway=192.168.120.1
/ip route rule
add dst-address=192.168.100.0/24 routing-mark=to_WAN1 table=to_WAN1
add dst-address=192.168.120.0/24 routing-mark=to_WAN2 table=to_WAN2
The thing is that I can't get the VPN to work. I have seen in another post that you cannot have both things working at the same time, but it seems very strange to me. The VPN I tried is PPTP, but any other one is fine by me except SSTP, because I need port 443 for another service.
Statistics: Posted by AlejandroRh — Wed Apr 10, 2024 7:18 pm
Statistics: Posted by robmaltsystems — Wed Apr 10, 2024 7:11 pm
Statistics: Posted by loloski — Wed Apr 10, 2024 7:03 pm
Statistics: Posted by K0NCTANT1N — Wed Apr 10, 2024 7:01 pm
Statistics: Posted by ToTheCLI — Wed Apr 10, 2024 6:58 pm
Totally agree, winbox being open is likely not a best practice for sure. And BTH, plain WG, or ZeroTier are all pretty easy VPN options that avoid it.
4. Big Security NO NO, winbox should not be open to the internet..................REMOVE!
Statistics: Posted by Amm0 — Wed Apr 10, 2024 6:57 pm
Statistics: Posted by holvoetn — Wed Apr 10, 2024 6:54 pm
Statistics: Posted by alexioma — Wed Apr 10, 2024 6:52 pm
Statistics: Posted by holvoetn — Wed Apr 10, 2024 6:50 pm
add action=drop chain=forward log-prefix=IPV6
/system/default-configuration/print without-paging
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
  filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
  filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
  filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
/ipv6 firewall {
  address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
  address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
  address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
  address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
  address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
  address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
  address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
  address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
  address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
  filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
  filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
  filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
  filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
  filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
  filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
  filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
Statistics: Posted by CGGXANNX — Wed Apr 10, 2024 6:50 pm
Statistics: Posted by dazzaling69 — Wed Apr 10, 2024 6:48 pm
Statistics: Posted by loloski — Wed Apr 10, 2024 6:44 pm
Statistics: Posted by Hellothere — Wed Apr 10, 2024 6:43 pm
Statistics: Posted by llamajaja — Wed Apr 10, 2024 6:16 pm
Statistics: Posted by sirbryan — Wed Apr 10, 2024 6:11 pm
Statistics: Posted by Hellothere — Wed Apr 10, 2024 6:05 pm
If you know Linux/UNIX, the [] are similar to `` backticks to run a command and replace the result in-place.
I didn't even think about using (), I'm kind of new to scripting, thanks for the hint!
$(cat /etc/passwd)
Statistics: Posted by patrikg — Wed Apr 10, 2024 5:56 pm
Statistics: Posted by llamajaja — Wed Apr 10, 2024 5:51 pm
Statistics: Posted by Amm0 — Wed Apr 10, 2024 5:44 pm
/ip firewall filter
add action=accept chain=input comment="allow access for RB5009" dst-port=23231 protocol=udp src-address=123.456.789.1
Statistics: Posted by MTNick — Wed Apr 10, 2024 5:41 pm
Statistics: Posted by Webnetism — Wed Apr 10, 2024 5:40 pm
Statistics: Posted by Meltto — Wed Apr 10, 2024 5:36 pm
Statistics: Posted by dazzaling69 — Wed Apr 10, 2024 5:27 pm
Statistics: Posted by Nene — Wed Apr 10, 2024 5:23 pm
I would think so. If you look at command history, it looks the same whether it's run from Winbox or from the terminal.
Does WinBox effectively issue CLI commands to get/set changes?
Statistics: Posted by pe1chl — Wed Apr 10, 2024 5:21 pm
Statistics: Posted by araqiel — Wed Apr 10, 2024 5:19 pm
/routing table
add disabled=no fib name=WAN1
add disabled=no fib name=WAN2
/ip firewall connection tracking
set enabled=yes udp-timeout=10s
/ip settings
set accept-redirects=yes accept-source-route=yes allow-fast-path=no tcp-syncookies=yes
/interface pppoe-server server
add disabled=no interface=ether5 one-session-per-host=yes service-name=service1
/ip dhcp-client
add !dhcp-options interface=ether1 use-peer-dns=no use-peer-ntp=no
add default-route-distance=2 !dhcp-options interface=ether2 use-peer-dns=no use-peer-ntp=no
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=ether1 new-connection-mark=ToWAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=ToWAN1 new-routing-mark=WAN1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface=ether2 new-connection-mark=ToWAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=ToWAN2 new-routing-mark=WAN2 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface-list=ppp new-connection-mark=ToWAN1 passthrough=yes per-connection-classifier=src-address:2/0
add action=mark-routing chain=prerouting connection-mark=ToWAN1 in-interface-list=ppp new-routing-mark=WAN1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark connection-state=new in-interface-list=ppp new-connection-mark=ToWAN2 passthrough=yes per-connection-classifier=src-address:2/1
add action=mark-routing chain=prerouting connection-mark=ToWAN2 in-interface-list=ppp new-routing-mark=WAN2 passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether1 routing-table=WAN1 scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=ether2 routing-table=WAN2 scope=30 suppress-hw-offload=no target-scope=10
Statistics: Posted by ToTheCLI — Wed Apr 10, 2024 5:18 pm