MikroTik

Kamaz

Or you could exclude from logging all "info" data

Looks like I'll use your suggestion an will disable logging with "info" level. Thanks.

Kamaz

Hello everybody. I have a problem with type-c LAN card of one of my laptops - it's not going to sleep mode with laptop. It's not an issue for me but it generates a looooot of logs like ether2-LAN link down ether2-LAN link up (speed 1G, full duplex)" every 5 seconds. Is it possible to delete the...

Kamaz

For the https://family.cloudflare-dns.com/dns-query you should use DigiCert Global Root G2:
https://cacerts.digicert.com/DigiCertGl ... G2.crt.pem

Yeh, it works, thank you!

Kamaz

First, the second rule should be 192.168.1 .0 /24 The first thing I want to say "thank you" for your help during this year! And looks like this is my typo. I have 3 routers with similar configuration and I spent last days reading about routing and trying various things. I can see needing ...

Kamaz

Hello everybody. Can somebody please help me with my problems. Here is my config /ip dhcp-client set WAN use-peer-dns=no /ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53 comment="Redirect port 53" /ip firewall nat add chain=dstnat action=redirect protocol=udp dst-...

Kamaz

And one more thing. Can you please share a little bit of additional info how routing works in current conditions. In a simple words if it's possible. You have currently created the required components for WG. /routing rule add action=lookup src-address=192.168.33.0/24 table=use-WG-table /routing tab...

Kamaz

We use a similar rule in case a third party provider is giving issues........ wasnt expecting that from your VPS. Called mSS clamping /ip firewall mangle add action=change-mss chain=forward comment="Clamp MSS to PMTU for Outgoing packets" new-mss=clamp-to-pmtu out-interface=wireguard1 pas...

Kamaz

OMG!!! I found the issue! https://forum.mikrotik.com/viewtopic.php?t=184115 https://help.mikrotik.com/docs/display/ROS/Mangle#Mangle-ChangeMSS Change MSS It is a known fact that VPN links have a smaller packet size due to encapsulation overhead. A large packet with MSS that exceeds the MSS of the VP...

Kamaz

As per conversation with MikroTik support I have changed tcp-mss value to 1360 and MTU on WG interface to 1400. That didn't work so then I remembered that long time ago I've set MTU to 9000 and txqueuelen to 10000 on Debian running WG server. Changing back to 1500 and 1000 in conjunction with MT Su...

Kamaz

Hello again. The previous configuration was working fine during last year, thank you again. But users behind Mikrotiks are facing a very strange issue with some well-known web sites like Github, Duckduckgo, Iherb, Aliexpress. It was not important during this time but it's not good for now. Chrome g...

Kamaz

just for giggles here is you config, cleaned up
...............................

Hi, sorry for the late response. Thank you so much for the help, now it work like a charm!

Kamaz

However I hope we will see the current DoH implementation (and fetch tool?) to be updated to use HTTP3, which then includes Quic for layer 4 transport.

Do you mean this news?
https://security.googleblog.com/2022/07 ... droid.html

Kamaz

/ipv6 firewall filter
add chain=forward action=drop

I have a question, but not completely sure is this correct topic.
How can I disable ipv6 on MT with ROS 7.3 ? I want to block it totally (in, out, forwarding packets).

Kamaz

So lets talk about what you are using L2TP VPN with PPP for ???? SSH for ??? You are using wireguard and it appears RDP over wireguard which is much better than RDP by itself!!! I don't have such possibility to use L2tp/ipsec because of the restrictions of my ISP. It was MT<>MT VPN. So now I change...

Kamaz

/interface bridge settings set use-ip-firewall=yes (2) The second thing I would get rid of is IP filter strict...................... its use is definitely not compatible with dual wans and again, rarely used. /ip settings set rp-filter=strict Done, both disabled. LOOSE TRACKING is NOT SELECTED Done...

Kamaz

Yeah that is my mistake, the fib needs to come after the add. SO /routing table add fib name=xxxxxxx OR /routing table add name=xxxxxx fib Hi. Here is the commands I used /routing table add name=use-WG-table fib /routing rule add src-address=192.168.33.0/24 action=lookup table=use-WG-table /ip rout...

Kamaz

(1) The IP address for the mikrotik client should be as follows: /ip/address add address=10.8.0.2 /24 interface=WG_to_VPS the windows clients being single entities should be /32 (2) Assuming you want the MT Client router to provide/force VPS internet for MT client users - hence the 0.0.0.0/0 allowe...

Kamaz

1, 2, 3, and 4 https://forum.mikrotik.com/viewtopic.php?t=182340 3 https://forum.mikrotik.com/viewtopic.php?t=182072 Hi. Thank you for useful links, I'll read them tomorrow. Here is a small update: 1) Was done. 2) One missed route for Mikrotik. Fixed, done. 3) Working on that. 4) srcnat + port forw...

Kamaz

Hi there. I have a VPS running WireGuard server. And it's possible to connect there from my Windows PC using WireGuard client. All traffic is going through my Wireguard server. That's ok. And my first goal. But the problem is in fact, that I can't redirect all traffic from my network via Mikrotik vi...

Kamaz

In the /ppp profile you can use the session-timeout parameter...
https://wiki.mikrotik.com/wiki/Manual:PPP_AAA

Thank you! You saved me!

Kamaz

Hi there. Can anybody help me with script creation? I'd like to limit L2TP session time as 8 hours. So the idea is to get time when user connected to VPN and drop it's connection in a 8 hours. The only idea I have is to pars logs and get connection time from there. Or from connection itself. TO star...

Kamaz

How does Oblivious DNS over HTTPS (ODoH) work? ODoH is an emerging protocol being developed at the IETF. ODoH works by adding a layer of public key encryption, as well as a network proxy between clients and DoH servers such as 1.1.1.1. The combination of these two added elements guarantees that only...

Kamaz

This is now suffering the log messages on default configuration script we had in testing before: system;error;critical error while running customized default configuration script: expected end of command (line 1337 column 53) This happens without wireless package only. HEX with latest firmware and ...

Kamaz

Any news about WPA3 ?

Kamaz

+1 for PATCH method

Kamaz

+1 for WPA3

Kamaz

+1 for TCP/UDP scanner

Kamaz

Hi, I'm facing with such errors DNS warning DoH max concurrent queries reached, ignoring query and DNS error DoH server connection error: Network is unreachable mikro.png Mikrotik ac2, ROS 6.47 Once per day or two, router drops down L2TP connection because it can't resolve L2TP server's name. Any id...

Kamaz

Hi,
I have same router and want to figure out one thing. What is Radio name? What value should it has? Should it be equal to MAC address?

Kamaz

+1 for DoT.

Kamaz

VTI +1
XAuth +1

Kamaz

+1 for Wireguard support

Kamaz

+1 for WireGuard

Kamaz

Guys does anyone have step-by-step instruction how to configure L2TP+IPSEC client in OpenWRT 18?
There is a L2TP+IPSEC server (Mikrotik) with various clients but I can't find any manual how properly configure L2TP+IPSEC client in OpenWRT 18.

Kamaz

Here is solution of our problem
https://github.com/Onoro/Mikrotik

Kamaz

+1 for WPA3

Kamaz

Did you create dhcp_wifi-guests pool in Mikrotik?

Kamaz

How to assign PPTP user in Freeradius with Mikrotik's adress-list ? I'm using Mysql+Freeradius. I've tried to add data to radreply INSERT INTO radius.radreply (username, attribute, op, value) VALUES ('user1', 'Mikrotik-Address-List', ':=', 'remote_managers'); but I can see in Log that Mikrotik get M...

Kamaz

Previous question was resolved by configuring Default gateway on client side, so everything fine. Next problem is how to assign PPTP user's IP or name (user1 = 10.11.1.145 in my case) with Mikrotik's firewall group ? Because Firewall groups helps to deal with rules. I've tried to add record to radre...

Kamaz

Yes, I believe there are many people interested in this topic. Any response would be pleased. "We plan to implement" or "We don't plan to implement" would be sufficient .

+1

Kamaz

Thank you so much for help. But how to assign ip with mask, dns, gateway, and route to client correctly? I need a schema for remote connection to my network for using inner resources but default route shouldn't be modified. All traffic should flow through user's internet channel except 10.10.5.0/24 ...

Kamaz

Thank you for your response, my problem becomes more clear!
As far as I understood, the only thing I need is to add record to Radreply table. And that's all? 0_o

Kamaz

Additional information: I've done my task, Freeradius woks as it should, and wifi and pptp auth works fine to. But now I'm faced with problem when I have to connect every username in Freeradius database with user's IP or pool. I've found such information: https://wiki.freeradius.org/guide/Ippool%20a...

Kamaz

Kamaz

Google provides DNS-over-TLS https://developers.google.com/speed/pub ... s-over-tls from January 2019,
also it provides DNS-over-HTTPS https://developers.google.com/speed/pub ... over-https from September 2018.

Kamaz

Hello everyone. I need some help with configuration of VPN(l2tp) and WiFi authorization via freeradius. My goal is to configure one point for authorizing all connections. There is no Windows server in my company, so I have to use Linux. Additional information: \ ROS version is 6.42.7 /radius add add...

Kamaz

+1 for DNSSec/DNSCrypt

Kamaz

Any updates?

Kamaz

I want to hide my activity to, so it would be great to make such functionality like DNS over HTTPs, DNS over TLS.

Kamaz

Any records in log while you trying to connect? Are counters working during your connection to l2tp? (On front of your allowing rules) Try to disable all portscan and port knocking protection + allow ping on wan interface and to try to connect to your vpn again. En example of rules for l2tp permissi...

Kamaz

Is it possible to ping some domain or address via ROS console?

Kamaz

Thank you for answer, but I've done instructions below and they didn't helped me.
BUT now I can see traffic in queue preferences. Maybe it need some time or reboot router to start to work? 0_o

Kamaz

Maybe someone can help me with the same problem. I have Mikrotik hex (6.41.2) and I want to shape traffic speed on port #4. My first attempt was to set tx speed in interface configuration menu, but it told me that "couldn't change interface <> not supported on this interface". The second a...

Kamaz

It's sad but I haven't enough time for that task. I'll resume my experiments in a week)

Kamaz

There are is records in router's system journal about my problem: tftp, error Error code: 0 string: permission denied! Looks like problem with filesystem permissions. Any thoughts? I found those topics, but I can't realize where is my mistake. https://forum.mikrotik.com/viewtopic.php?t=36036 https:/...

Kamaz

Hello everybody. I want to ask for help with my task. I can't configure network boot via TFTP on Mikrotik. I tried various instruction but result is the same, I can't boot PC via PXE on Mikrotik. Here is my configuration: Mikrotik RB3011, ROS 6.39.2, SeliconPower USB 2.0 drive 16Gb Bootloader - pxel...

Kamaz

I found an option how to protect my VPN https://github.com/Onoro/Mikrotik
looks like it work.

Kamaz

Thank you for the quick answer. No need to search links and software, I understood the main idea of your schema. The problem was I didn't know about port-knocking software for Android and IOS)

Kamaz

Hi, settecplus. You configuration is quite right but I suggest you to do couple additional revisions: -to change standard ports 22, 80, 443 and 8291 to something unusual like 45967 end so on. -to use https instead of http -to modify "brutforce prevention" chain adding winbox port to it. -t...

Kamaz

I'm using l2tp + IPSec and there are is a lot of inscriptions on Log like:

aug/20/2017 04:12:00 216.218.206.70 failed to get valid proposal.
aug/20/2017 bla-bla-bla....... 216.218.206.66, wrong password.

How can I get thus IP's from Log to block them via firewwall?
Can I use ordinary regex?

Kamaz

How are you using such schema on client side? And which type of clients do you have? I mean Windows, Mikrotik or something else.

Kamaz

Hi everyone, I'm a newbie in ROS but I hope that my message would be helpful for someone. To protect L2TP I'm using such rules: /ip firewall filter add action=drop chain=input comment="L2TP brutforce IP drop" connection-state=new \ dst-port=1701 protocol=udp src-address-list=l2tp-brutforce...

Search found 62 matches