Search found 1174 matches

by Anumrak
Fri Feb 21, 2020 4:38 pm
Forum: RouterOS beta
Topic: Who can use ipv6 normally?
Replies: 11
Views: 7338

Re: Who can use ipv6 normally?

Hey. Unfortunately, ROS used to use IPv6 RA only to advertise DNS servers for IPv6 hosts. DHCPv6 not working as I know. Win 10 doesn't understand IPv6 RA to grab DNS dynamically. So, you should just write them by hand.
by Anumrak
Wed Feb 19, 2020 2:16 pm
Forum: General
Topic: How to announce routes from one peer to anothjer
Replies: 1
Views: 1112

Re: How to announce routes from one peer to anothjer

I'd like to know this also.
by Anumrak
Tue Feb 18, 2020 12:22 pm
Forum: General
Topic: Routing Loops [SOLVED]
Replies: 3
Views: 3743

Re: Routing Loops [SOLVED]

Hey. There is no picture attached. And RSTP is a layer 2 protocol, it's about switching, not routing.
by Anumrak
Thu Jan 30, 2020 10:49 am
Forum: General
Topic: Shapping vs IPv6 not working
Replies: 4
Views: 1382

Re: Shapping vs IPv6 not working

Try to put ipv6 /64 prefix per LAN in simple queue. I'll try it later.
by Anumrak
Mon Jan 27, 2020 3:50 pm
Forum: General
Topic: PPTP vpn reconnect questions
Replies: 3
Views: 2494

Re: PPTP vpn reconnect questions

Yeah, that happens with ROS ppp packets with "Compression" enabled in ppp profile pptp/pppoe tunnels using. So just disable it in ppp profile.
by Anumrak
Fri Jan 24, 2020 4:11 pm
Forum: General
Topic: Ping is timeout !
Replies: 8
Views: 6775

Re: Ping is timeout !

Try to ping another point with source command of ping module.
by Anumrak
Wed Jan 22, 2020 2:10 pm
Forum: Beginner Basics
Topic: Cant get access to internet. [SOLVED]
Replies: 3
Views: 3078

Re: Cant get access to internet. [SOLVED]

Hi, so don't judge, I am a newbie, just started learning Mikrotik. So I am setting up an ethernet for my school's assembly hall mixer and other stuff. So I managed to get access locally for everything. But when I connect to internet port, I cant get access to the internet. So the system is followin...
by Anumrak
Tue Jan 21, 2020 3:39 pm
Forum: General
Topic: Firewall Filter [SOLVED]
Replies: 3
Views: 3335

Re: Firewall Filter [SOLVED]

Hey. Just use firewall filter with rules you want your network behave.
by Anumrak
Tue Jan 21, 2020 3:32 pm
Forum: General
Topic: Graphical button is absent on forum
Replies: 7
Views: 2105

Re: Graphical button is absent on forum

Thank you! :)
by Anumrak
Mon Jan 20, 2020 3:27 pm
Forum: General
Topic: Graphical button is absent on forum
Replies: 7
Views: 2105

Re: Graphical button is absent on forum

User is probably referring to the incomplete breadcrumb in the page header.

Not a button, but a link to the current forum section is missing and maybe a link to the current topic as well.
Yes!
by Anumrak
Mon Jan 20, 2020 1:34 pm
Forum: General
Topic: Graphical button is absent on forum
Replies: 7
Views: 2105

Re: Graphical button is absent on forum

Where is the button? :?
by Anumrak
Fri Jan 17, 2020 2:53 pm
Forum: General
Topic: Route not going unreachable !!!
Replies: 17
Views: 3670

Re: Route not going unreachable !!!

I do not use interface name as a gateway, but using next hop ip as gateway,

IP addresses are configured on interface vlan,
As I thought. In order for the vlan interface to go down, the bound ethernet interface (or interfaces) has to go down first.
by Anumrak
Fri Jan 17, 2020 2:47 pm
Forum: Beginner Basics
Topic: Routing ping traffic to laptop behind router
Replies: 2
Views: 1872

Re: Routing ping traffic to laptop behind router

And the gateway has no idea about this network. route add 192.168.88.0 mask 255.255.255.0 192.168.88.62 Router does have an idea about his own LAN2 without a static route. 192.168.0.0 and 192.168.88.0 are directly connected subnets. With standard firewall filter you can forward ICMP without problems...
by Anumrak
Fri Jan 17, 2020 1:28 pm
Forum: Beginner Basics
Topic: Blok interface ports for other machines
Replies: 3
Views: 1872

Re: Blok interface ports for other machines

I have disabled all unused interfaces. But now I want to prevent people from plugging the network cable into enabled ports and then connecting their PC or laptop. So I want to enter the MAC address for the device that can connect to the router. Can that be done? I thought about the bridge filter, b...
by Anumrak
Thu Jan 16, 2020 2:02 pm
Forum: General
Topic: Graphical button is absent on forum
Replies: 7
Views: 2105

Re: Graphical button is absent on forum

Ub.
by Anumrak
Thu Jan 16, 2020 12:48 pm
Forum: General
Topic: Can't browse through VRF
Replies: 14
Views: 3618

Re: Can't browse through VRF

What is your channel bandwidth from ISP?
by Anumrak
Thu Jan 16, 2020 12:46 pm
Forum: General
Topic: Route not going unreachable !!!
Replies: 17
Views: 3670

Re: Route not going unreachable !!!

Just updated the ROS version to latest stable one, but issue persist. :?
What interface type do you use for primary route?
by Anumrak
Thu Jan 16, 2020 12:41 pm
Forum: General
Topic: GRE tunnel established, ping ok, but no traffic
Replies: 16
Views: 7473

Re: GRE tunnel established, ping ok, but no traffic

Yes it is. There is a route for my destination address using pppoe interface "vdsl-orange-ether1" /ip route add check-gateway=ping distance=1 dst-address=eee.fff.ggg.hhh/32 gateway=vdsl-orange-ether1 There is a src-nat rule for this interface : /ip firewall nat add action=masquerade chain...
by Anumrak
Thu Jan 16, 2020 8:37 am
Forum: Wireless Networking
Topic: no access to mikrotik clients within the same lan network...help me!
Replies: 2
Views: 2027

Re: no access to mikrotik clients within the same lan network...help me!

Hey. Do you have an ARP records of these hosts? After you pinged them.
by Anumrak
Wed Jan 15, 2020 2:51 pm
Forum: General
Topic: Route not going unreachable !!!
Replies: 17
Views: 3670

Re: Route not going unreachable !!!

@CZFan Router OS version is 6.42.7. @Zacharias Yes it can be simply 1 and 2 but nothing wrong with 5 or 50 as well. Secondly it was all working fine with same configuration, so nothing wrong with config either, what I suspect is I have been using it for more complex network then it is supposed to w...
by Anumrak
Wed Jan 15, 2020 2:00 pm
Forum: General
Topic: Graphical button is absent on forum
Replies: 7
Views: 2105

Re: Graphical button is absent on forum

Up.
by Anumrak
Tue Jan 14, 2020 2:14 pm
Forum: General
Topic: Route not going unreachable !!!
Replies: 17
Views: 3670

Re: Route not going unreachable !!!

Hey. What distance values do your primary and secondary routes have? Are you sure interface itself is going down or it's just traffic stops behind that interface?
by Anumrak
Tue Jan 14, 2020 1:59 pm
Forum: Beginner Basics
Topic: Best practice for multiple offices interconnection
Replies: 2
Views: 3724

Re: Best practice for multiple offices interconnection

Hey. My advice is to use EoIP tunnels over IPsec (do not merge them in a hub) and run OSPF on loopback interfaces on each office router. Then configure iBGP from each loopback and make server's traffic exchange via iBGP with even prefix filtering from wherever point you want.
by Anumrak
Tue Jan 14, 2020 1:54 pm
Forum: General
Topic: Bridge Split-Horizon usage
Replies: 4
Views: 3086

Re: Bridge Split-Horizon usage

if you wanna block them from each other, this is correct settings :)
by Anumrak
Tue Jan 14, 2020 1:24 pm
Forum: General
Topic: Can't browse through VRF
Replies: 14
Views: 3618

Re: Can't browse through VRF

Better wait for devs' response I think.
by Anumrak
Tue Jan 14, 2020 1:16 pm
Forum: General
Topic: Graphical button is absent on forum
Replies: 7
Views: 2105

Graphical button is absent on forum

Dear moders, I'd like you return the "RouterOS" button on subforums up top, it disappeared few days ago. This button has to have this url "viewforum.php?f=11". Thank you :)
by Anumrak
Tue Jan 14, 2020 1:12 pm
Forum: Beginner Basics
Topic: Networking beginner with packet forwarding issues
Replies: 1
Views: 1119

Re: Networking beginner with packet forwarding issues

Hey. Try to nmap your tcp/udp port from outside, are your nat rule's counters incrementing? If yes, look for a running process on a server and its firewall. If not - possibly this port has been blocked before your router.
by Anumrak
Tue Jan 14, 2020 1:07 pm
Forum: General
Topic: Can't browse through VRF
Replies: 14
Views: 3618

Re: Can't browse through VRF

Seems like it's a forwarding bug. Do you have stable ROS packages or long-term? What is cpu utilization of a router?
by Anumrak
Tue Jan 14, 2020 1:00 pm
Forum: RouterOS beta
Topic: Feature Request NAT-PMP
Replies: 18
Views: 11737

Re: Feature Request NAT-PMP

by Anumrak
Tue Jan 14, 2020 12:53 pm
Forum: General
Topic: Bridged port VLAN's on a single interface - mode=?
Replies: 1
Views: 783

Re: Bridged port VLAN's on a single interface - mode=?

On a bridge port that has 40+ Vlan's on a single interface, what is the recommended mode setting
(1) mode = none
(2) mode = rstp
none
by Anumrak
Tue Jan 14, 2020 12:47 pm
Forum: General
Topic: Can't browse through VRF
Replies: 14
Views: 3618

Re: Can't browse through VRF

But there has to be a lookup in a main table or vrf import of global routes in that vrf (route leak) otherwise you can't go to Internet via this vrf.
by Anumrak
Tue Jan 14, 2020 12:39 pm
Forum: General
Topic: securing a current home network
Replies: 5
Views: 1560

Re: securing a current home network

You can try to add ethernet interface you want and add a vlan to this interface and see if there is no hardware offloading or it's there.
by Anumrak
Tue Jan 14, 2020 12:28 pm
Forum: General
Topic: Bridge Split-Horizon usage
Replies: 4
Views: 3086

Re: Bridge Split-Horizon usage

Hey. Depends of how you want to block L2 traffic to your users. Split horizon is just a L2 filter/limiter for the same horizon group number.
by Anumrak
Tue Jan 14, 2020 12:24 pm
Forum: General
Topic: Can't browse through VRF
Replies: 14
Views: 3618

Re: Can't browse through VRF

Hey. Try to add "ip route rule" for your vrf to lookup global dst address you want in main table.
by Anumrak
Mon Jan 13, 2020 3:49 pm
Forum: Forwarding Protocols
Topic: OSPF+MPLS+VPLS
Replies: 4
Views: 2873

Re: OSPF+MPLS+VPLS

Are you sure you have LDP enabled on every LSR between LER's?
by Anumrak
Mon Jan 13, 2020 3:23 pm
Forum: General
Topic: Locked myself out of WinBox - Help Requested
Replies: 7
Views: 3397

Re: Locked myself out of WinBox - Help Requested

Hopefully you got a backup config file, then you can just reset it and upload the config. And if it's your "main router" you gotta have a backup for it!
by Anumrak
Mon Jan 13, 2020 2:45 pm
Forum: General
Topic: Controlled Multicast-Routing
Replies: 2
Views: 1568

Re: Controlled Multicast-Routing

Hey. The feature you are looking for is called igmp snooping, which controls multicast flow only for ports you choose.

https://wiki.mikrotik.com/wiki/Manual%3 ... P_Snooping
by Anumrak
Mon Jan 13, 2020 2:22 pm
Forum: Beginner Basics
Topic: TCP port forward doesnt work
Replies: 16
Views: 5939

Re: TCP port forward doesnt work

don't listen to noobs, you no need add public ip to nat rule.

you need add firewall rule:
accept
forward
dst.address=your internal ip
protocol=tcp
dst.port=your internal port
Well, I think every ISP well know private networks of their users, don't they? :))
by Anumrak
Mon Jan 13, 2020 2:21 pm
Forum: Beginner Basics
Topic: TCP port forward doesnt work
Replies: 16
Views: 5939

Re: TCP port forward doesnt work

Thanks for the replies but it doesn't work. I installed nginx on my computer, the welcome page is available at http://localhost, and http://192.168.88.251/ . I entered this rule: /ip firewall nat add chain=dstnat dst-address="your-public-IP" dst-port=55555 action=dst-nat protocol=tcp to-a...
by Anumrak
Mon Jan 13, 2020 9:48 am
Forum: General
Topic: securing a current home network
Replies: 5
Views: 1560

Re: securing a current home network

Hey. To control traffic between devices use firewall filter with drop rules filtered by source addresses. To launch traffic of different networks via single interface use switch before hap ac2 or vlans on machines to start tagged traffic from PC and VMs and strip tags on hap ac2.
by Anumrak
Mon Jan 13, 2020 9:41 am
Forum: General
Topic: automatic port forwarding
Replies: 1
Views: 1010

Re: automatic port forwarding

Hey. UPNP is a tool to open ports automatically, but only for LAN device relative to UPNP router. Your problem is, that your LAN router is Nokia, but UPNP router is Tik - Tik will UPNP for his only one LAN device - Nokia :) So put Tik for your LAN. P.S.: it is better to open ports manually, because wi...
by Anumrak
Mon Jan 13, 2020 9:24 am
Forum: Forwarding Protocols
Topic: OSPF Networks
Replies: 2
Views: 2323

Re: OSPF Networks

Hey. Nope, you can't. OSPF can advertise networks on router's links only and only thing you can do is summarize them in order to not write them all. But you will advertise only real networks.
by Anumrak
Fri Jan 10, 2020 4:38 pm
Forum: Beginner Basics
Topic: Change network name [SOLVED]
Replies: 9
Views: 12156

Re: Change network name [SOLVED]

The SSID is for wireless network, not for cable network
Oh, true. Sorry :) You can try to do this here in regedit:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\ProfileName
by Anumrak
Fri Jan 10, 2020 4:34 pm
Forum: RouterOS beta
Topic: ipv6 disable on 7b4
Replies: 7
Views: 16432

Re: ipv6 disable on 7b4

I think it is better to disable the package, for now.
ipv6 is a part of the main system package in ROS v7
Didn't know that. Interesting :)
by Anumrak
Fri Jan 10, 2020 4:32 pm
Forum: Forwarding Protocols
Topic: VPLS traffic shaping
Replies: 14
Views: 4327

Re: VPLS traffic shaping

Create a queue tree with parent set to the VPLS interface with the limit you want, matching packets with "no-mark". You will need to do this on the routers on both ends of the tunnel, because it does this limit only on egress traffic.
Will try :) Thanks!
by Anumrak
Fri Jan 10, 2020 4:31 pm
Forum: Forwarding Protocols
Topic: VPLS traffic shaping
Replies: 14
Views: 4327

Re: VPLS traffic shaping

Sorry I didnt get it. What is TS?
Topic starter :)
by Anumrak
Fri Jan 10, 2020 3:36 pm
Forum: Beginner Basics
Topic: Change network name [SOLVED]
Replies: 9
Views: 12156

Re: Change network name [SOLVED]

Hey. I believe this SSID name. And it can be changed in a router settings in WiFi section.
by Anumrak
Fri Jan 10, 2020 3:34 pm
Forum: General
Topic: GRE tunnel established, ping ok, but no traffic
Replies: 16
Views: 7473

Re: GRE tunnel established, ping ok, but no traffic

Hey. Is your destination address behind the interface through which the source NAT rule applies?
by Anumrak
Fri Jan 10, 2020 3:25 pm
Forum: Forwarding Protocols
Topic: VPLS traffic shaping
Replies: 14
Views: 4327

Re: VPLS traffic shaping

Join to TS. Is there a simple way to create an analog of qos-profile in Huawei VRP?
by Anumrak
Fri Jan 10, 2020 1:31 pm
Forum: RouterOS beta
Topic: ipv6 disable on 7b4
Replies: 7
Views: 16432

Re: ipv6 disable on 7b4

I think it is better to disable the package, for now.
by Anumrak
Fri Jan 10, 2020 1:28 pm
Forum: Beginner Basics
Topic: Help tracking users internet activity
Replies: 1
Views: 1229

Re: Help tracking users internet activity

Hey! Just sniff daily traffic from source IP address of this user to .pcap file. Read it in wireshark. Judge him :)
by Anumrak
Fri Jan 10, 2020 1:24 pm
Forum: General
Topic: vpn on natted public ip
Replies: 5
Views: 1457

Re: vpn on natted public ip

my public ip wan not pingable and give me ttl expired. i made a bridge and then in ip addrees i gave public ip to the bridge. and now i can ping my public ip and i can make vpn but i want another way without making bridge There are two ways: 1) You have private IP from ISP and they NATting you - yo...
by Anumrak
Thu Jan 09, 2020 2:09 pm
Forum: General
Topic: vpn on natted public ip
Replies: 5
Views: 1457

Re: vpn on natted public ip

Hey. It's not possible without ISP management. You need public IP for this.
by Anumrak
Thu Jan 09, 2020 1:29 pm
Forum: RouterOS beta
Topic: ipv6 disable on 7b4
Replies: 7
Views: 16432

Re: ipv6 disable on 7b4

Hey. I don't think you can really disable IPv6 via this option you wrote. There is no such command. Best option to secure your network is to use native ipv6 firewall filter.
by Anumrak
Thu Jan 09, 2020 1:03 pm
Forum: Beginner Basics
Topic: Newbie and the vlans
Replies: 2
Views: 1403

Re: Newbie and the vlans

Hey. Yes, it is possible. Just add vlans you want in a bridge and add interfaces you want to vlans.
by Anumrak
Tue Dec 31, 2019 10:06 am
Forum: Beginner Basics
Topic: Can I change RB951Ui-2HnD Router admin port 80?
Replies: 4
Views: 3436

Re: Can I change RB951Ui-2HnD Router admin port 80?

I believe ip services are for router itself only.
What you want is to create a custom dstnat rule: destination port - 8080, to ports: 80.
by Anumrak
Tue Dec 31, 2019 9:43 am
Forum: Beginner Basics
Topic: TCP port forward doesnt work
Replies: 16
Views: 5939

Re: TCP port forward doesnt work

It still doesn't work but I see the packet count increase when I try to connect to the port.
Then your NAT rule works correctly. Troubleshoot the server side.
by Anumrak
Tue Dec 31, 2019 9:42 am
Forum: Beginner Basics
Topic: TCP port forward doesnt work
Replies: 16
Views: 5939

Re: TCP port forward doesnt work

Hey. First of all: do you really have an application that listening that port? Because port forwarding via nat doesn't mean port will be opened from Internet just out of nowhere. And second - you need to assign destination address, explicitly public one or assign an input interface which has that a...
by Anumrak
Tue Dec 31, 2019 9:41 am
Forum: Beginner Basics
Topic: TCP port forward doesnt work
Replies: 16
Views: 5939

Re: TCP port forward doesnt work

/ip firewall nat add chain=dstnat dst-address="your-public-IP" dst-port=55555 action=dst-nat protocol=tcp to-address=192.168.88.251 to-port=55555 Thanks but I don't think I can add my public IP since my ISP assigns that dynamically so it is always different. Use dyndns or write a script w...
by Anumrak
Tue Dec 31, 2019 9:37 am
Forum: General
Topic: Automatic MTU/MRU for the PPPoE Client
Replies: 12
Views: 15066

Re: Automatic MTU/MRU for the PPPoE Client

Anumrak, If I set the pppoe server side to 1492 (MRU and MTU) and set the clients to 1492 as well, there is no packet fragmentation. CZfan, Then why the Ubiquiti ONUs follow the Mikrotik pppoe server side for MTU and MRU without having to set anything on them? I assume the default mtu of the ubquit...
by Anumrak
Mon Dec 30, 2019 3:51 pm
Forum: General
Topic: Automatic MTU/MRU for the PPPoE Client
Replies: 12
Views: 15066

Re: Automatic MTU/MRU for the PPPoE Client

Hey. I believe not. It's just default PPP mtu.
The optimal value is the MTU of the interface the tunnel is working over reduced by 20 (so, for 1500-byte Ethernet link, set the MTU to 1480 to avoid fragmentation of packets)
https://wiki.mikrotik.com/wiki/Manual%3 ... operties_2
by Anumrak
Mon Dec 30, 2019 3:15 pm
Forum: General
Topic: creating l2tp server
Replies: 17
Views: 10845

Re: creating l2tp server

You just pasted 1000 lines of log file ? Who is going to read that ?
Instead you can share your L2TP server configuration by exporting your config with hide-sensitive...
+1
by Anumrak
Mon Dec 30, 2019 3:11 pm
Forum: General
Topic: Possible to reach Mikrotik DynDNS behind NAT? (through upnp or something else?)
Replies: 30
Views: 8173

Re: Possible to reach Mikrotik DynDNS behind NAT? (through upnp or something else?)

To connect all links with public addresses. This is the only way.
by Anumrak
Mon Dec 30, 2019 3:04 pm
Forum: General
Topic: Cannot Access mikrotik.com
Replies: 1
Views: 987

Re: Cannot Access mikrotik.com

Hey. This is a good question that has to be addressed to your ISP.
by Anumrak
Mon Dec 30, 2019 1:39 pm
Forum: General
Topic: DHCP Lease not showing up in DHCP Leases
Replies: 4
Views: 3251

Re: DHCP Lease not showing up in DHCP Leases

ROS version you use?
by Anumrak
Mon Dec 30, 2019 1:11 pm
Forum: General
Topic: Mikrotik Security Protocols
Replies: 3
Views: 1191

Re: Mikrotik Security Protocols

That's a story :) From a scratch, you'll need a good topology project and firewall in a front of your network with good inbound and outbound policy. Then you need a good layer 2/3 network security features that Tik's have. Try to throw forces in this direction. This subject is too big to talk about ...
by Anumrak
Mon Dec 30, 2019 1:03 pm
Forum: Forwarding Protocols
Topic: OSPF PTP link showing 0 Neighbors
Replies: 4
Views: 3030

Re: OSPF PTP link showing 0 Neighbors

I am trying to change over a link between two routers form NBMA to PTP as the link is handled by a PTP radio. when I change the Network type on each router to PTP, both show 1 neighbor for a few seconds then one goes to showing 0 neighbours. Routers are a 3011 at 10.10.8.249 and a hEX POE at 10.10....
by Anumrak
Mon Dec 30, 2019 12:58 pm
Forum: Forwarding Protocols
Topic: OSPF PTP link showing 0 Neighbors
Replies: 4
Views: 3030

Re: OSPF PTP link showing 0 Neighbors

is there anything from the attached screenshots I'm doing wrong.
Yes, posting stupid screenshots instead of config. exports.
There is no need to be rude.
by Anumrak
Mon Dec 30, 2019 12:38 pm
Forum: General
Topic: Mikrotik Security Protocols
Replies: 3
Views: 1191

Re: Mikrotik Security Protocols

Hey. What you wrote is a basic network security. All vendors have that. What Tik created is winbox app with encryption connection, that's it.
by Anumrak
Mon Dec 30, 2019 10:49 am
Forum: General
Topic: BGP - a lot of updates
Replies: 5
Views: 1872

Re: BGP - a lot of updates

I'd use torch+sniffer.
by Anumrak
Mon Dec 30, 2019 10:40 am
Forum: Beginner Basics
Topic: Block all request from wan to lan
Replies: 1
Views: 4144

Re: Block all request from wan to lan

Hey.
Make sure you are using default firewall filter rules
Disable services in IP - Services which you ain't using
Untick in IP - DNS "Allow remote requests"
Add your IP address in System - Users for your login.
Also read this before: https://wiki.mikrotik.com/wiki/Manual%3ASecuring_Your_Router
by Anumrak
Mon Dec 30, 2019 10:30 am
Forum: Beginner Basics
Topic: how many client can connect to my router [SOLVED]
Replies: 6
Views: 4404

Re: how many client can connect to my router [SOLVED]

Hey. If your clients are common fttb clients then I believe 24*4=96 with 100 mb/s tariffs max. 4 Gigs for switches and 1G uplink. And queues configured of course. And you can use 100M or 1G from those 4 for WiFi AP.
by Anumrak
Mon Dec 30, 2019 8:51 am
Forum: Beginner Basics
Topic: How do I redirect from one IP to another?
Replies: 10
Views: 14628

Re: How do I redirect from one IP to another?

Thank you very much, but I thought that dstnat chain is used for incoming connections (that is from internet to the natted network), is this incorrect? I tried to add an srcnat rule `chain=srcnat action=netmap to-addresses=yy.yy.yy.yy dst-address=xx.xx.xx.0/24 out-interface-list=WAN` But that does ...
by Anumrak
Fri Dec 27, 2019 4:15 pm
Forum: Beginner Basics
Topic: TCP port forward doesnt work
Replies: 16
Views: 5939

Re: TCP port forward doesnt work

Hey. First of all: do you really have an application that listening that port? Because port forwarding via nat doesn't mean port will be opened from Internet just out of nowhere. And second - you need to assign destination address, explicitly public one or assign an input interface which has that ad...
by Anumrak
Fri Dec 27, 2019 12:54 pm
Forum: General
Topic: One-to-one NAT not work
Replies: 3
Views: 1230

Re: One-to-one NAT not work

Hey. And what about your route table?
by Anumrak
Wed Dec 25, 2019 3:12 pm
Forum: General
Topic: Probably loop
Replies: 1
Views: 1068

Re: Probably loop

Hey. Since RouterOS v6.41 there is no such feature like master and slave ports. All these thing were change to simple bridge and hardware interfaces in it with hardware offloading: https://wiki.mikrotik.com/wiki/Manual:Master-port I think you should make an audit of your interfaces connected to a br...
by Anumrak
Wed Dec 25, 2019 2:50 pm
Forum: Beginner Basics
Topic: NAT configuration for traffic with OpenVPN Server
Replies: 1
Views: 4346

Re: NAT configuration for traffic with OpenVPN Server

Hey. Just route traffic via tunnel without NAT. First of all you want ping that server from open vpn client side, then you could try to connect to it. Your Android device have to have default route to VPN gateway or you should write by yourself a specific route to the server via VPN gateway as nexth...
by Anumrak
Tue Dec 24, 2019 12:56 pm
Forum: Beginner Basics
Topic: WAN Link aggregation
Replies: 3
Views: 1874

Re: WAN Link aggregation

Hey. What is CPU usage of Mikrotik while surfing or smthg?
by Anumrak
Tue Dec 24, 2019 12:52 pm
Forum: Beginner Basics
Topic: how to limit website video stream
Replies: 2
Views: 3175

Re: how to limit website video stream

Hey. I recommend to use simple queue with target ip as your LAN device subnet and dst address as dns A record of web resource. And don't queue your traffic on layer 7, take pity on the router.
by Anumrak
Tue Dec 24, 2019 12:46 pm
Forum: Beginner Basics
Topic: New router config problem - no LAN to WAN trafic
Replies: 7
Views: 2690

Re: New router config problem - no LAN to WAN trafic

Hey. I think your NAT rule is fine. How about default route on your LAN devices? Or if you using dhcp server for them, do you managed it correctly?
by Anumrak
Tue Dec 24, 2019 12:40 pm
Forum: Beginner Basics
Topic: 2 vpn on same device
Replies: 2
Views: 1778

Re: 2 vpn on same device

Hey. I think you can not, because your L2TP/IPSec server side listening 500 UDP port to terminate IPSec session as your side to side IPSec vpn. So... maybe you will win if source IP of one of connections will be different.
by Anumrak
Tue Dec 24, 2019 12:35 pm
Forum: Beginner Basics
Topic: Noob trying to play ISP.
Replies: 2
Views: 1318

Re: Noob trying to play ISP.

1) /ip address add address=10.10.10.0/24 - you should add an address itself instead of network 0 address; 2) Change empty space to default firewall rules as minimum security; 3) And why you keep switching 4th octet of gateways forward? :) Just set it to 1 and do not forget to exclude them from dhcp ...
by Anumrak
Tue Dec 24, 2019 9:35 am
Forum: Wireless Networking
Topic: VLAN "probably loop" log message
Replies: 11
Views: 4322

Re: VLAN "probably loop" log message

from the core router /interface bridge host print I notice there is some entries with Age in excess of 1 min, is this normal
Depends on vendor. Pretty normal.
Interface - Bridge

ageing-time (time; Default: 00:05:00) - How long a host's information will be kept in the bridge database.
by Anumrak
Tue Dec 24, 2019 9:12 am
Forum: Forwarding Protocols
Topic: Announce IPv6 Class from other ASN
Replies: 3
Views: 2608

Re: Announce IPv6 Class from other ASN

Just configure bgp with ipv6 addresses. It's better to understand how it works in general than write few commands and it'll work.

https://lms.onnocenter.or.id/wiki/index ... GP_Example
by Anumrak
Tue Dec 24, 2019 8:57 am
Forum: General
Topic: A lot of TCP Retransmission and TCP Dup ACK
Replies: 4
Views: 4501

Re: A lot of TCP Retransmission and TCP Dup ACK

+1 to CZFan.
by Anumrak
Mon Dec 23, 2019 1:12 pm
Forum: General
Topic: A lot of TCP Retransmission and TCP Dup ACK
Replies: 4
Views: 4501

Re: A lot of TCP Retransmission and TCP Dup ACK

Hey. Search for a CPU and ethernet interface load on a server side, also CRC errors on lines, check transit equipment, its availability with icmp, udp. Is there any loss of traffic? What is the traffic and why it exists?
by Anumrak
Mon Dec 23, 2019 11:35 am
Forum: Beginner Basics
Topic: LAN has ping to Mikrotik and Mikrotik has ping to WAN but LAN computer can't ping WAN
Replies: 3
Views: 1889

Re: LAN has ping to Mikrotik and Mikrotik has ping to WAN but LAN computer can't ping WAN

Hey. Wrong chain in NAT rule: it should be "srcnat", not "forward". Also you should set exact outbound interface based on exact route, not just "everything, everywhere".
by Anumrak
Mon Dec 23, 2019 11:29 am
Forum: Wireless Networking
Topic: Apple devices experiencing packet loss
Replies: 6
Views: 3986

Re: Apple devices experiencing packet loss

I got this too. Nothing helps. I believe it's apple wi-fi module specific.
by Anumrak
Fri Dec 20, 2019 3:59 pm
Forum: General
Topic: Mikrotik reboot loop with EOIP
Replies: 4
Views: 1578

Re: Mikrotik reboot loop with EOIP

Hey. Looks like a bug. Try long-term version.

P.S.: why don't you use just EoIP over IPSec without L2TP?
by Anumrak
Fri Dec 20, 2019 3:54 pm
Forum: Wireless Networking
Topic: VLAN "probably loop" log message
Replies: 11
Views: 4322

Re: VLAN "probably loop" log message

This info on the core logs only appeared when I updated almost all the network to 6.45.7 + Interface port Isolation + Bridge port PVID "Ingress filtering" "admit only VLAN tagged"
Hey. It's long-term or stable ver? Try degrade to long-term.
by Anumrak
Fri Dec 20, 2019 3:34 pm
Forum: Beginner Basics
Topic: Firewall [SOLVED]
Replies: 2
Views: 2249

Re: Firewall [SOLVED]

Hey. You see this in IP - Firewall - Connections. It totally depends on your network load. These can be tens and/or hundreds for a home router. It's ok. Just make sure you have a standard firewall and your Internet interface added in WAN address list. And only IP you using added in System - Users ...
by Anumrak
Fri Dec 20, 2019 3:30 pm
Forum: Forwarding Protocols
Topic: Announce IPv6 Class from other ASN
Replies: 3
Views: 2608

Re: Announce IPv6 Class from other ASN

Hey. I believe you want to advertise connected ipv6 prefix with ipv6 prefix filter toward your peer. Well, just do it :)
by Anumrak
Fri Dec 20, 2019 2:20 pm
Forum: General
Topic: how to close all UDP ports on mikrotik?
Replies: 1
Views: 1107

Re: how to close all UDP ports on mikrotik?

Hey, all UDP ports for the first UDP packets are closed by standard firewall rules, except UDP 53 and those services that use UDP ports in "IP - Services". In order to close your UDP 53 port you need to untick "allow remote requests" in "IP - DNS" settings. "Reged...
by Anumrak
Fri Dec 20, 2019 10:33 am
Forum: Beginner Basics
Topic: Translate Router IP address to workstations (PC) [SOLVED]
Replies: 10
Views: 3380

Re: Translate Router IP address to workstations (PC) [SOLVED]

I don't have routes for the remote server local subnet(s).

How can I do that?
Hey. Just add static routes to them over IPSec to endpoint nexthops.
by Anumrak
Wed Dec 18, 2019 3:29 pm
Forum: Beginner Basics
Topic: Default firewall rules and connecting using PPPoE
Replies: 6
Views: 4811

Re: Default firewall rules and connecting using PPPoE

Hey. It depends on your interfaces in LAN and WAN interface lists which you using in rules.
by Anumrak
Wed Dec 18, 2019 3:19 pm
Forum: Beginner Basics
Topic: FW rules for begginers
Replies: 6
Views: 2221

Re: FW rules for begginers

Hi and thanks for reply. Answering my ether1 is my WAN configured as static. I did not open those ports. they are open by default. In IP Service list I have deselected all services except winbox. I was afraid that by deselecting winbox I will not be able to control router at all even from LAN. I w...
by Anumrak
Wed Dec 18, 2019 2:46 pm
Forum: Beginner Basics
Topic: FW rules for begginers
Replies: 6
Views: 2221

Re: FW rules for begginers

Hey. Merry Xmas to you too :) First of all: are you sure your Internet interface is ether1 hardware port? Not interface vlan or pptp or pppoe? I'd rather choose action=drop that reject with tcp, because you force your router to send tcp reset to every trash tcp syn in the world. UDP - drop too. Also...
by Anumrak
Wed Dec 18, 2019 1:35 pm
Forum: General
Topic: Subnetting in one network
Replies: 4
Views: 1656

Re: Subnetting in one network

Hi everyone, I have some question on subnet network as I have read about it on net. They said subnet is make our network secure and good network performance. EX: I have Network: 10.10.10.0/24 1. 2 servers I subnet 10.10.10.0/26 => Netmask: 255.255.255.192 2. 25 client I subnet 10.10.10.64/27 => Netm...
by Anumrak
Wed Dec 18, 2019 1:00 pm
Forum: Beginner Basics
Topic: Is Native VLAN0 or VLAN1? Confused.
Replies: 7
Views: 7397

Re: Is Native VLAN0 or VLAN1? Confused.

There is no zero id in the standard.

Not an actual VLAN 0, no. But a dot1q frame header with 0 as the VLAN ID is perfectly valid; it just means a priority-tagged frame without a VLAN ID.
It will just be without a vlan id at all, with all the other fields.
by Anumrak
Wed Dec 18, 2019 12:47 pm
Forum: Beginner Basics
Topic: Is Native VLAN0 or VLAN1? Confused.
Replies: 7
Views: 7397

Re: Is Native VLAN0 or VLAN1? Confused.

There is no such vlan id in the 802.1Q Ethernet standard. So it's just Switch OS interpretation of untagged vlan traffic. https://en.wikipedia.org/wiki/IEEE_802.1Q P.S.: "A 12-bit field specifying the VLAN to which the frame belongs. The hexadecimal values of 0x000 and 0xFFF are reserved. All othe...
by Anumrak
Wed Dec 18, 2019 12:44 pm
Forum: Beginner Basics
Topic: Is Native VLAN0 or VLAN1? Confused.
Replies: 7
Views: 7397

Re: Is Native VLAN0 or VLAN1? Confused.

So basically, vlan 0 should be a frame without 802.1Q header. Not exactly. Frame with 802.1Q header which is there explicitly because of using other fields - QoS/priority, but without intent of using VLANs, will have field VID set to 0. Which essentially makes it VLAN-untagged frame. Or in ROS langua...
by Anumrak
Tue Dec 17, 2019 4:25 pm
Forum: General
Topic: i want to port forward
Replies: 1
Views: 2714

Re: i want to port forward

Hey. Just use dstnat chain with dst-nat action. Dst address - your Internet IP address (or you can choose "in interface" without IP address) Protocol - UDP Dst port - 27015 Chain - dstnat Action - dst-nat to address 192.168.1.16 to ports - 27015. That's it :) In order to forward this traffic...
by Anumrak
Tue Dec 17, 2019 3:44 pm
Forum: Wireless Networking
Topic: Bridge protocol
Replies: 17
Views: 7077

Re: Bridge protocol

It's better safe mode. Scheduler will apply changes without rollback.
by Anumrak
Tue Dec 17, 2019 2:22 pm
Forum: Beginner Basics
Topic: Is Native VLAN0 or VLAN1? Confused.
Replies: 7
Views: 7397

Re: Is Native VLAN0 or VLAN1? Confused.

There is no such vlan id in the 802.1Q Ethernet standard. So it's just Switch OS interpretation of untagged vlan traffic. https://en.wikipedia.org/wiki/IEEE_802.1Q P.S.: "A 12-bit field specifying the VLAN to which the frame belongs. The hexadecimal values of 0x000 and 0xFFF are reserved. All other...
by Anumrak
Tue Dec 17, 2019 1:16 pm
Forum: Beginner Basics
Topic: ping with 2 default routes and vlan
Replies: 1
Views: 684

Re: ping with 2 default routes and vlan

Hey. First - these are not default routes, but directly connected. Default route is like 0.0.0.0/0. About your vlan 10 network routing: did you do source NAT for it?
by Anumrak
Tue Dec 17, 2019 12:27 pm
Forum: General
Topic: IPv6 issues via HE tunnel
Replies: 29
Views: 6320

Re: IPv6 issues via HE tunnel

LAN interface MTU is 1500, true. In IPv6, ND MTU is set to 1280 for all interfaces. I'm trying to connect servers within Hungary such as the biggest news portal (6ms ping on IPv4, 0% packet loss). Thanks for your effort! In order to try it to others with ipv6 connectivity, you can print here its dn...
by Anumrak
Mon Dec 16, 2019 11:04 pm
Forum: General
Topic: IPv6 issues via HE tunnel
Replies: 29
Views: 6320

Re: IPv6 issues via HE tunnel

Hey folks. So, the answer of the remote side about 1220 MSS is correct. The first syn of 1440 is correct for ipv6. And I have no such huge amount of retransmissions like you. So you need to try your connections to other ipv6 resources as close to you as you can. If your client sends tcp syn with 1440 - i...
by Anumrak
Mon Dec 16, 2019 4:52 pm
Forum: Beginner Basics
Topic: L2TP Server doesn't give a default gateway to the client - why?
Replies: 29
Views: 26343

Re: L2TP Server doesn't give a default gateway to the client - why?

Hey. I succeeded in getting routes from dhcp server with specific option via pptp server which was tunneled in strongSwan on ubuntu server. And I don't know how to export routes by ROS... If you see some sense in this, try to read forums about dhcp via pptp on ubuntu.
by Anumrak
Mon Dec 16, 2019 4:39 pm
Forum: Beginner Basics
Topic: VPN PPTP [SOLVED]
Replies: 6
Views: 2515

Re: VPN PPTP [SOLVED]

Hey! Congratulations! :) Have you enabled PPTP server, added user, configured local and remote addresses?
by Anumrak
Mon Dec 16, 2019 4:22 pm
Forum: Forwarding Protocols
Topic: OSPFv2 over GRE over IPsec transport results in no OSPF routes installed in routing table
Replies: 1
Views: 2589

Re: OSPFv2 over GRE over IPsec transport results in no OSPF routes installed in routing table

Hey. All link advertisements have to be installed before links outage from both neighbors. Do you see them simultaneously? Print here ospf section from both sides and router-id's.
by Anumrak
Mon Dec 16, 2019 4:08 pm
Forum: Wireless Networking
Topic: Bridge protocol
Replies: 17
Views: 7077

Re: Bridge protocol

So most CCR's don't have a switch chip? how is port isolation achieved! Only with vlan isolation i believe: https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table But it better be a good switch chip. Try to figure out how to use these switch ports to make an organized isolated network. I was readi...
by Anumrak
Mon Dec 16, 2019 3:44 pm
Forum: Beginner Basics
Topic: Bridge WAN to LAN
Replies: 1
Views: 1143

Re: Bridge WAN to LAN

Hey. Try to find something useful here

https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
by Anumrak
Mon Dec 16, 2019 3:12 pm
Forum: General
Topic: IPv6 issues via HE tunnel
Replies: 29
Views: 6320

Re: IPv6 issues via HE tunnel

I will try to catch my tcp exchange today on normal web surfing via ipv6, but for now I think it is high delay between ack segments in your exchange. Try to sniff that on ipv4 (if your server has ipv4), will you find the difference? Also you have spur retransmissions, which means that you've already ...
by Anumrak
Mon Dec 16, 2019 12:44 pm
Forum: Wireless Networking
Topic: Bridge protocol
Replies: 17
Views: 7077

Re: Bridge protocol

So most CCR's don't have a switch chip?
how is port isolation achieved!
Only with vlan isolation i believe:

https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table

But it better be a good switch chip. Try to figure out how to use these switch ports to make an organized isolated network.
by Anumrak
Mon Dec 16, 2019 12:36 pm
Forum: General
Topic: IPv6 issues via HE tunnel
Replies: 29
Views: 6320

Re: IPv6 issues via HE tunnel

Hey again. Did you try to connect to other web sites?
by Anumrak
Fri Dec 13, 2019 9:39 am
Forum: Wireless Networking
Topic: Bridge protocol
Replies: 17
Views: 7077

Re: Bridge protocol

As I am dealing with Live production devices, I am trying not to cause service outages ! I picked a section of the network that is giving very issues and applied to the AP's bridge RSTP and on the RB960 added Port-Isolation + switch rules /interface ethernet switch port-isolation set ether3 forward...
by Anumrak
Fri Dec 13, 2019 9:23 am
Forum: General
Topic: IPv6 issues via HE tunnel
Replies: 29
Views: 6320

Re: IPv6 issues via HE tunnel

ah, sorry, it seems I attached configuration when I really disabled IPv6 address advertisement. IPv6 advertisement was on on the vlan-local interface where IPv6 address itself is now disabled to avoid full internet outage at the clients. I have tried to add IPv6 DNS servers and enable MAC and DNS a...
by Anumrak
Thu Dec 12, 2019 4:26 pm
Forum: General
Topic: IPv6 issues via HE tunnel
Replies: 29
Views: 6320

Re: IPv6 issues via HE tunnel

Hey. You should advertise your IPv6 /64 prefixes in your LAN. And in IPv6 - ND you should enable advertise mac address and DNS. Also you should write ipv6 dns servers in ip - dns. You don't have them either.
by Anumrak
Thu Dec 12, 2019 3:50 pm
Forum: Wireless Networking
Topic: Bridge protocol
Replies: 17
Views: 7077

Re: Bridge protocol

Last night I switched a number of AP+PtP to RSTP on their bridges and this morning i find in the core router (CCR1009) interface, warning logs with several entries "VlanXXXX bridge port received packet with own address as slave address ( XX.XX.XX.XX.XX.XX ), probably loop" I switched back...
by Anumrak
Thu Dec 12, 2019 3:45 pm
Forum: Forwarding Protocols
Topic: PPPoE over EOIP - better switch to VPLS?
Replies: 20
Views: 11232

Re: PPPoE over EOIP - better switch to VPLS?

VPLS is always better.
by Anumrak
Wed Dec 11, 2019 6:13 pm
Forum: Wireless Networking
Topic: Bridge protocol
Replies: 17
Views: 7077

Re: Bridge protocol

Thanks for the reply! Just reading https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Port_isolation I am unclear as I am also using VLAN's if I should use both (1) /interface ethernet port switch port-isolation (forwarding-override) (2) /interface ethernet switch vlan This isolation works ...
by Anumrak
Wed Dec 11, 2019 4:16 pm
Forum: Wireless Networking
Topic: Bridge protocol
Replies: 17
Views: 7077

Re: Bridge protocol

Hey. Without any isolation you should use RSTP. But better option is layer 2 isolation on router or on a switch between these ethernet interfaces without any of STP.

https://wiki.mikrotik.com/wiki/Manual:S ... _isolation
by Anumrak
Fri Nov 29, 2019 10:18 am
Forum: General
Topic: Advice for routing traffic over VPN
Replies: 2
Views: 970

Re: Advice for routing traffic over VPN

Hey. If they have a default route from l2tp server and can ping their vpn gateway and other router's interfaces, try to check their source addresses in firewall nat rules, maybe their addresses are absent.
by Anumrak
Fri Nov 29, 2019 10:08 am
Forum: Beginner Basics
Topic: DNS requests through vpn tunnel
Replies: 6
Views: 4892

Re: DNS requests through vpn tunnel

Hey. Did you add a static route to your dns server through the tunnel?
by Anumrak
Thu Nov 28, 2019 2:24 pm
Forum: General
Topic: Fairly new with mikrotik
Replies: 3
Views: 1056

Re: Fairly new with mikrotik

Can i do that that and just block from hosts in Eth5 to just Eth2,3 but leave it open for Eth4? Hey. Create a bridge interface and add eth 2,3,4 in that bridge. To block IP access from hosts behind Eth 5 to hosts from eth 2,3,4 use firewall filter with source and destination IP addresses or subnets...
by Anumrak
Thu Nov 28, 2019 1:35 pm
Forum: General
Topic: Fairly new with mikrotik
Replies: 3
Views: 1056

Re: Fairly new with mikrotik

Hey. Create a bridge interface and add eth 2,3,4 in that bridge. To block IP access from hosts behind Eth 5 to hosts from eth 2,3,4 use firewall filter with source and destination IP addresses or subnets by action=drop.
by Anumrak
Thu Oct 31, 2019 3:47 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

I have an issue with IPv6 in DHCP and PPPoE, I'm not able to get gateway and DNS for clients.

May I know how it will be come on PPPoE and DHCP.

Mikrotik CCR1036-12G-4S
Use IPv6 dns servers in IP - DNS settings and distribute IPv6 prefixes to your clients via SLAAC solicitation.
by Anumrak
Fri Oct 25, 2019 2:28 pm
Forum: General
Topic: GRE over IPsec [SOLVED]
Replies: 13
Views: 5639

Re: GRE over IPsec [SOLVED]

Hey. Try to start with error logging for these tunnels. Maybe some of the ISPs are blocking GRE headers. Are you sure all 3 IPs are public ones? Thank you for the quick reply. Yes, those 3 are definitely public IPs. I enabled the IPsec logging, but how can I troubleshoot GRE tunnels? I do not see a GRE option i...
by Anumrak
Fri Oct 25, 2019 1:38 pm
Forum: General
Topic: Block all wesites except one
Replies: 19
Views: 4519

Re: Block all wesites except one

Let the topic starter choose one of the options and then he can apply again if he wants to complicate his scheme.
by Anumrak
Fri Oct 25, 2019 1:27 pm
Forum: Beginner Basics
Topic: RB750G VLAN no internet connection
Replies: 2
Views: 1261

Re: RB750G VLAN no internet connection

Hey. Can you ping gateways from any of your VMs? Does your PC have a different subnet than the VMs? If so, can you ping VMs?
by Anumrak
Thu Oct 24, 2019 5:17 pm
Forum: General
Topic: GRE over IPsec [SOLVED]
Replies: 13
Views: 5639

Re: GRE over IPsec [SOLVED]

Hey. Try to start with error logging for these tunnels. Maybe some of the ISPs are blocking GRE headers. Are you sure all 3 IPs are public ones? Thank you for the quick reply. Yes, those 3 are definitely public IPs. I enabled the IPsec logging, but how can I troubleshoot GRE tunnels? I do not see a GRE option i...
by Anumrak
Thu Oct 24, 2019 5:13 pm
Forum: General
Topic: Problem: Routing from a load sharing between two ISP [SOLVED]
Replies: 12
Views: 3066

Re: Problem: Routing from a load sharing between two ISP [SOLVED]

Hey. What did you mean when you said that users are connected to different ISPs? First of all they are connected to your LANs with or without VLANs. They are on your router even without ISPs. Your router is well aware of all routing info of all of 3 networks connected to him directly. So he knows how to ...
by Anumrak
Thu Oct 24, 2019 5:03 pm
Forum: General
Topic: GRE over IPsec [SOLVED]
Replies: 13
Views: 5639

Re: GRE over IPsec [SOLVED]

Hey. Try to start with error logging for these tunnels. Maybe some of the ISPs are blocking GRE headers. Are you sure all 3 IPs are public ones?
by Anumrak
Thu Oct 24, 2019 4:57 pm
Forum: General
Topic: Block all wesites except one
Replies: 19
Views: 4519

Re: Block all wesites except one

Yes, you can resolve domain names, but the original poster is asking about allowing a specific path on that domain (a URL). This will not work. RouterOS can't do that.
i want to block all internet browsing except to that one site
I think he meant blocking Internet browsing pretty clearly.
by Anumrak
Thu Oct 24, 2019 4:13 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

After some time static Router going unreachable ... so ipv6 down no wan ping no lan ping ... from world ... have to reboot router to make it alive again ...
Hmmm... What public IP do you get from your ipv4 ISP?
by Anumrak
Thu Oct 24, 2019 11:38 am
Forum: General
Topic: DoS Protection [Question]
Replies: 11
Views: 3848

Re: DoS Protection [Question]

It's a mistake. Tik's are not supposed to be the DDoS shield, so you'd better buy special equipment from a DDoS protection ISP and be free from these fears. Or just transfer your service to a cloud ddos protected server. I see. I thought it could have been. Nonetheless, that wiki was prepared long ago....
by Anumrak
Wed Oct 23, 2019 4:43 pm
Forum: General
Topic: PPPoE Server - Customers = 0.0.0.0
Replies: 2
Views: 1302

Re: PPPoE Server - Customers = 0.0.0.0

Hey. Try to set "max-sessions" option equal to your address space.
by Anumrak
Wed Oct 23, 2019 3:28 pm
Forum: Beginner Basics
Topic: [Vlan] Internal Mikrotik router to Internet Mikrotik Router
Replies: 3
Views: 1488

Re: [Vlan] Internal Mikrotik router to Internet Mikrotik Router

Hey. What do you mean you disabled dhcp on ether1? You disabled dhcp client on a management vlan after the 2nd flat's router received an IP address?
by Anumrak
Wed Oct 23, 2019 3:08 pm
Forum: Beginner Basics
Topic: Multiple switches with DHCP setup
Replies: 1
Views: 901

Re: Multiple switches with DHCP setup

Wow wow wow... First things first - switch has to do nothing about layer 3 routing of layer 4 dns requests. It's about layer 2 only, except management IP. So place a router before and after your switches and terminate these data on them, not on switches.
by Anumrak
Wed Oct 23, 2019 3:04 pm
Forum: General
Topic: DoS Protection [Question]
Replies: 11
Views: 3848

Re: DoS Protection [Question]

Hi, Checking the wiki, I have some doubts: https://wiki.mikrotik.com/wiki/DoS_attack_protection First: In the SYN Filtering part, it says to have disabled the first rule. Is this necessary or it's a mistake? Second: Is this the best approach in RouterOS to protect against DoS attacks? It's a mistak...
by Anumrak
Tue Oct 22, 2019 4:57 pm
Forum: General
Topic: Users has to wait for about 30secs to get connection [SOLVED]
Replies: 16
Views: 5257

Re: Users has to wait for about 30secs to get connection [SOLVED]

Oh ya, forgot to mention this happened on both dynamic and static client
Try to test your wired connection. Then wireless.
by Anumrak
Tue Oct 22, 2019 3:27 pm
Forum: General
Topic: Block all wesites except one
Replies: 19
Views: 4519

Re: Block all wesites except one

Hey. You can create an address list with a domain name. The IP addresses will appear in your address list as dynamic records after the domain name resolves. Use this address list name with a "logical not" function of firewall. Like: ip firewall filter add action=drop chain=forward in-interface=...
by Anumrak
Tue Oct 22, 2019 3:11 pm
Forum: General
Topic: Users has to wait for about 30secs to get connection [SOLVED]
Replies: 16
Views: 5257

Re: Users has to wait for about 30secs to get connection [SOLVED]

Hey. What is your lease time on dhcp server? 04:00:00, 4 hours Change it to 1 hour and observe for a day. Not good? Change it for 10 minutes. How many clients do you have on this router and what subnet range do you have on dhcp server? Perhaps your server is suffering from address space starvation. Fe...
by Anumrak
Tue Oct 22, 2019 1:32 pm
Forum: General
Topic: Users has to wait for about 30secs to get connection [SOLVED]
Replies: 16
Views: 5257

Re: Users has to wait for about 30secs to get connection [SOLVED]

Hey. What is your lease time on dhcp server?
by Anumrak
Fri Oct 18, 2019 1:49 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

I believe that /48 was assigned to your LAN side from tunnel broker (Hurricane Electric?). And he is supposed to assign point to point /64 from another prefix. That's all I think. Reread address space delegated to you in your accounting page. First thing: point to point /64 prefix has to be reachable from ...
by Anumrak
Thu Oct 17, 2019 5:47 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

Static ipv6 is present ... Many first wave ip6 routers from tplink have such an interface; the newest has an ipv6 dhcp/slaac auto option but I don't have it to test ... 80 percent of real ipv6 routers have such an interface as I described, old ipv6 support. I've tested the emulator, it works for me. There is no none addres...
by Anumrak
Thu Oct 17, 2019 4:40 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

There is no such option https://emulator.tp-link.com/Archer_C7/Index.htm (hardware version v1) and tplink 940v3 such interface and 840n
Looks like this emulator is broken. You have to have an option to add any static address here. Try another router with ipv6 support just for test.
by Anumrak
Thu Oct 17, 2019 4:19 pm
Forum: Beginner Basics
Topic: IPSec Tunnel with specific encryption Domain [SOLVED]
Replies: 4
Views: 2263

Re: IPSec Tunnel with specific encryption Domain [SOLVED]

I meant that, for example, you have 172.17.0.0/24 LAN with router's IP 172.17.0.1 on 1st side and 172.17.1.0/24 LAN with router's IP 172.17.1.1. So you have to add static routes between these two subnets like: ip route add dst-address=172.17.1.0/24 gateway=192.168.250.2 distance=1 add dst-address=172...
by Anumrak
Thu Oct 17, 2019 3:51 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

I can't write here anything ... Just defaults :: If I write here ip of mikrotik at vlan100 it gives an error 51000 at change it back to :: Okay. LAN is OK. Try to choose delegated prefix on WAN interface? You have to receive IPv6 address and gateway address from Tik via router advertisement message. WA...
by Anumrak
Thu Oct 17, 2019 3:40 pm
Forum: Forwarding Protocols
Topic: OSPF - distribute static route to selective neighbor instead of all neighbors
Replies: 4
Views: 3077

Re: OSPF - distribute static route to selective neighbor instead of all neighbors

I don't believe it's possible (Mikrotik or not) to implement filters per neighbor in OSPF...

Use BGP. That's one way to solve your issues.
It's not about filter per neighbor, it's about filtering subnets in LSA in inbound direction.
by Anumrak
Thu Oct 17, 2019 3:30 pm
Forum: Forwarding Protocols
Topic: OSPF - distribute static route to selective neighbor instead of all neighbors
Replies: 4
Views: 3077

Re: OSPF - distribute static route to selective neighbor instead of all neighbors

Hey. In office B try to use ospf-in filter like:

/routing filter add chain=ospf-in prefix=192.168.11.0/24 action=discard

This way you can receive this subnet in office A only.
by Anumrak
Thu Oct 17, 2019 3:12 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

And what routes do you have on TP-Link router to Mikrotik side?
by Anumrak
Thu Oct 17, 2019 2:27 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

Yes.
Can you ping ipv6 address of your ISP from your router? Can you ping 2001:4860:4860::8888 from your router?
by Anumrak
Thu Oct 17, 2019 2:15 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

I've bound 2a01:xx:xxxx:1000::73 to WAN of Client Router at vlan 100 2a01:xx:xxxx:1000::1 Mikrotik Router vlan100 2a01:xx:xxxx:1001::/64 to LAN of client Router I've added Static Router 2a01:xx:xxxx:1001::/64 gateway vlan100 Mikrotik can ping 2a01:xx:xxxx:1000::73 for 1-2 min then timeout .... but C...
by Anumrak
Wed Oct 16, 2019 5:25 pm
Forum: General
Topic: VPN L2TP site to client windows
Replies: 1
Views: 636

Re: VPN L2TP site to client windows

Hosts and gateway on the same subnet? If yes, allow icmp requests to host machines and make sure that you are not source natting their replies. If no - add a route to 192.168.0.200 host's subnet on the client side.
by Anumrak
Wed Oct 16, 2019 5:13 pm
Forum: General
Topic: Weird IP Spoofing Ddos Attack [Need Help]
Replies: 2
Views: 1038

Re: Weird IP Spoofing Ddos Attack [Need Help]

The only one idea is eBGP peering with several ISP + firewall box from cyber security company with license including their support. There is no way you can reflect or stop UDP DDoS with Tik whatever box.
by Anumrak
Wed Oct 16, 2019 5:04 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

And yeah, Ripper, if you will configure same /64 subnet on WAN and LAN sides, it'd be the same as 195.100.50.0/29 on WAN and 195.100.50.0/29 on LAN: your router won't route your traffic to same network via different interfaces, so grab /64 subnet from /60 "special ptp prefix" and grab /56 ...
by Anumrak
Wed Oct 16, 2019 3:35 pm
Forum: Beginner Basics
Topic: IPSec Tunnel with specific encryption Domain [SOLVED]
Replies: 4
Views: 2263

Re: IPSec Tunnel with specific encryption Domain [SOLVED]

Hey. Yes, you can. Just add static routes from each side and create action=accept NAT rules for local address space before normal source nat rule.
by Anumrak
Wed Oct 16, 2019 2:20 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

IPv6 is native IP protocol for Windows OS, IPv4 is secondary one. My advice is this one for your clients: https://wiki.mikrotik.com/wiki/Manual:H ... e_for_Home

Otherwise - static routing which is pain in the ass...
by Anumrak
Wed Oct 16, 2019 2:15 pm
Forum: General
Topic: [help] Cannot ping pptp client
Replies: 1
Views: 896

Re: [help] Cannot ping pptp client

Hey. Try not to NAT pptp clients private addresses with upper NAT rules with accept action. Also check your firewall filter rules before main forwarding rule.
by Anumrak
Wed Oct 16, 2019 1:54 pm
Forum: Beginner Basics
Topic: Routing on one interface do not work
Replies: 1
Views: 748

Re: Routing on one interface do not work

Hey. Just add a bridge interface and assign each ethernet interface to it to determine tagged and untagged traffic.

Read more here https://wiki.mikrotik.com/wiki/Manual:S ... s_Ports.29 and here https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
by Anumrak
Wed Oct 16, 2019 1:30 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

It's not really practical to give to users prefixes for static configuration. Try to find newest firmware for TP-Link routers with IPv6 SLAAC config.
by Anumrak
Wed Oct 16, 2019 11:00 am
Forum: Wireless Networking
Topic: Best practices for "guest" wireless networks
Replies: 3
Views: 2059

Re: Best practices for "guest" wireless networks

Also DHCP server with dynamic arp bindings to each host with arp reply only function on wifi interface.
by Anumrak
Wed Oct 16, 2019 10:55 am
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

At many TP-link routers 1-2 years old with ipv6 support there is no SLAAC option, just DHCPv6, PPPoE, Tunnel 6to4 and STATIC IP... So as I understand, I have to declare /56 for each end user router? As I don't have SLAAC option at router I have to use Static V6 ip configuration I've entered IPv6 Address: I...
by Anumrak
Mon Oct 14, 2019 5:02 pm
Forum: Beginner Basics
Topic: port forward not working for me
Replies: 9
Views: 1798

Re: port forward not working for me

It's a remote site so users need site2site vpn and security needs port forward to access alarm from iphone on wan. I don't think that I am using "same dst port in the same two ports but different hosts." host 1= port 1234 host 2= port 2345 add action=dst-nat chain=dstnat disabled=no dst-por...
by Anumrak
Mon Oct 14, 2019 3:45 pm
Forum: Beginner Basics
Topic: port forward not working for me
Replies: 9
Views: 1798

Re: port forward not working for me

I think the problem is that you try to establish a second TCP session with a different destination port. And you need the same as the first one. And why are you using NAT while you are using openvpn? Just make a static route from source to destination on your Tik without NAT. You can't dst NAT same dst port in the sa...
by Anumrak
Mon Oct 14, 2019 3:33 pm
Forum: Beginner Basics
Topic: port forward not working for me
Replies: 9
Views: 1798

Re: port forward not working for me

Can you ping both of them from a gateway?
by Anumrak
Mon Oct 14, 2019 3:30 pm
Forum: General
Topic: VPN cant be established - Mikrotik using internal IP
Replies: 1
Views: 713

Re: VPN cant be established - Mikrotik using internal IP

Hey. Use DynDNS service to map your global IP to static DNS A record. Or just remember your global IP and establish connection by IP without DNS at all. And dstNAT layer 4 ports from modem to Tik of course.
by Anumrak
Mon Oct 14, 2019 3:17 pm
Forum: Beginner Basics
Topic: port forward not working for me
Replies: 9
Views: 1798

Re: port forward not working for me

Both hosts are PCs?
by Anumrak
Fri Oct 11, 2019 3:02 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

That's what I mentioned as second option. :)
I thought you talk about TP-Link's LAN, not uplink. Topic starter talked about his LAN.
by Anumrak
Fri Oct 11, 2019 2:58 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

But how does TP-Link get prefix from upstream?
Router won't receive the prefix, but he can route /48 with /64 static net that the ISP has to provide.
by Anumrak
Fri Oct 11, 2019 2:21 pm
Forum: Beginner Basics
Topic: IPv6 how to use it right
Replies: 68
Views: 18193

Re: IPv6 how to use it right

Hey. TP-Link router has to support IPv6 SLAAC with RFC4941, so do your Windows and Linux machines. You don't need dhcpv6 server.
by Anumrak
Thu Oct 10, 2019 1:19 pm
Forum: General
Topic: Allow access to devices from other network
Replies: 8
Views: 8969

Re: Allow access to devices from other network

Hey. Just configure a static routing on device behind WAN port. Also make sure that you have reverse route on hAP router.
by Anumrak
Thu Oct 10, 2019 10:58 am
Forum: General
Topic: Slow connection via mikrotik
Replies: 18
Views: 8390

Re: Slow connection via mikrotik

What do you get on the IP layer? Print here ping and traceroute diagnostics from your PC to 8.8.8.8 with Tik in the middle.
by Anumrak
Tue Oct 08, 2019 5:07 pm
Forum: General
Topic: intervlan routing
Replies: 13
Views: 2391

Re: intervlan routing

70 and 40 mb/sec are running simultaneously or by one?
by Anumrak
Tue Oct 08, 2019 4:43 pm
Forum: General
Topic: intervlan routing
Replies: 13
Views: 2391

Re: intervlan routing

Every red line = 1000MF. LACP = 4Gb/s. ISP 100 Mb/s upload and 20Mb/s send.
I'm using UTP5e.
Okay. You mean 100 mb/sec upload and 20 mb/sec download? 100 from you to Internet and 20 from Internet to customers?
by Anumrak
Tue Oct 08, 2019 3:32 pm
Forum: General
Topic: intervlan routing
Replies: 13
Views: 2391

Re: intervlan routing

What is your ISP link bandwidth?
What is your LACP Link bandwidth between Switch and Tik? Which links of which media do you use in this bundle? Do you have some phy errors between any of links in a bundle?
by Anumrak
Tue Oct 08, 2019 3:20 pm
Forum: Beginner Basics
Topic: Dual Wan config on my router
Replies: 21
Views: 14684

Re: Dual Wan config on my router

Hey. Why do you want 2 LAN IPs for your WANs? Just use your single LAN for both WAN with different route distance, and create address list, for example "WAN", to add both interfaces there and use source NAT with masquerade action for your LAN. That's it.
by Anumrak
Tue Oct 08, 2019 3:15 pm
Forum: General
Topic: Slow connection via mikrotik
Replies: 18
Views: 8390

Re: Slow connection via mikrotik

Hello. Everyone I'm new here. I have a hard time with mikrotik model: RB2011UiAS-2HnD I Have a router with internet connection (8Mb). We set configure to have internet using the mikrotik as DHCP, DNS, hotspot on the router internet is speed, but through mikrotik (connected alone), it's disappointin...
by Anumrak
Tue Oct 08, 2019 3:12 pm
Forum: General
Topic: intervlan routing
Replies: 13
Views: 2391

Re: intervlan routing

I made intervlan routing ( to only one host): add action=masquerade chain=srcnat disabled=yes dst-address=10.1.4.21 \ src-address=10.1.64.0/18 add action=masquerade chain=srcnat disabled=yes dst-address=10.1.4.21 \ src-address=10.1.128.0/18 add action=masquerade chain=srcnat disabled=yes dst-addres...
by Anumrak
Tue Oct 08, 2019 3:07 pm
Forum: Beginner Basics
Topic: ISP Setup
Replies: 9
Views: 3108

Re: ISP Setup

You should keep DHCP Server hardware in centralized place far away from each branch. Use L3 only of branch routers and use "ip helpers" to redirect dhcp discover packets from your clients. PADI can be terminated on branch routers.
by Anumrak
Tue Oct 08, 2019 2:57 pm
Forum: General
Topic: Router's default Address after Custom Configured [SOLVED]
Replies: 2
Views: 1702

Re: Router's default Address after Custom Configured [SOLVED]

Hey. It's DNS flood from outside, perhaps from your ISP. So just disable your DNS "allow-remote-requests" option. If it's already disabled, then relax. Every router in the world drops so much trash you can't imagine.
by Anumrak
Tue Oct 08, 2019 2:50 pm
Forum: Beginner Basics
Topic: Connect Many Router
Replies: 1
Views: 771

Re: Connect Many Router

Hey. And why office 1 is up and running? What's the difference between 1 and 2?
by Anumrak
Mon Oct 07, 2019 5:14 pm
Forum: Forwarding Protocols
Topic: MPLS bug?
Replies: 5
Views: 4283

Re: MPLS bug?

Hey. Did you fix this? If yes, then how? If no, have you tried OSPF process reset?
by Anumrak
Thu Sep 12, 2019 5:10 pm
Forum: General
Topic: Redundant routers/switches
Replies: 11
Views: 3882

Re: Redundant routers/switches

You have to use VRRP on sw1 and sw2 via sw3 to track uplinks from sw1 to sw3 and from sw2 to sw3.
by Anumrak
Thu Sep 12, 2019 5:03 pm
Forum: Beginner Basics
Topic: How to change source IP to destination network
Replies: 10
Views: 6921

Re: How to change source IP to destination network

This is what I tried:
/ip firewall nat
add action=src-nat chain=srcnat dst-address=172.21.0.0/24 to-addresses=172.21.2.33
But this does not seem to work. Is this the right way to accomplish this? How do I test this?
Also, specify outbound interface to understand what you are doing.
by Anumrak
Thu Sep 12, 2019 4:38 pm
Forum: Beginner Basics
Topic: 2nd WAN issue, unable to ping internet from Mikrotik itself [SOLVED]
Replies: 5
Views: 3478

Re: 2nd WAN issue, unable to ping internet from Mikrotik itself [SOLVED]

Is the address of the router up to NAT rules?
by Anumrak
Thu Sep 12, 2019 4:32 pm
Forum: General
Topic: Experiencing this issue
Replies: 1
Views: 788

Re: Experiencing this issue

You can resolve this issue with experiments! :) Unplug all cables and plug them one by one to find the problem interface. If your inside card is damaged after a lightning hit, there is nothing you can do about it.
by Anumrak
Thu Sep 12, 2019 4:30 pm
Forum: General
Topic: Load Balance and IP Public
Replies: 2
Views: 1222

Re: Load Balance and IP Public

Follow your routing tables and firewall filters.
by Anumrak
Thu Sep 12, 2019 4:22 pm
Forum: Scripting
Topic: Know connected MAC-Adress
Replies: 9
Views: 10066

Re: Know connected MAC-Adress

Hi, I have a MikroTik router that gives DHCP and I would like to know the MAC of connected devices. The following script tells me if a device is connected to the MikroTik by Wlan: :local iPhone [/int wire reg find mac-address="A8:9C:ED:CD:F8:12"]; But I want to know dhcp clients. In IP / ...
by Anumrak
Thu Sep 12, 2019 4:18 pm
Forum: General
Topic: Redundant routers/switches
Replies: 11
Views: 3882

Re: Redundant routers/switches

There is nothing to be confused about, use VRRP :)
by Anumrak
Thu Sep 12, 2019 4:12 pm
Forum: Beginner Basics
Topic: Router on a Stick
Replies: 6
Views: 4941

Re: Router on a Stick

Hey. What address space in a LAN network are you using for Internet access? Private ones with NAT function or global ones?
by Anumrak
Thu Sep 12, 2019 4:09 pm
Forum: Beginner Basics
Topic: IPv6 not working with a static /48 prefix
Replies: 7
Views: 2086

Re: IPv6 not working with a static /48 prefix

Hey. You should set your default route to ISP's global address, not link-local.

And yeah, you better obtain static /48 prefix from them. Not by dhcpv6.
by Anumrak
Mon Sep 09, 2019 5:52 pm
Forum: Beginner Basics
Topic: BGP and advertising
Replies: 1
Views: 800

Re: BGP and advertising

Hey. Try to use "deny all" rule in output filter.
by Anumrak
Mon Sep 09, 2019 5:40 pm
Forum: Beginner Basics
Topic: 1 router for 3 networks
Replies: 1
Views: 861

Re: 1 router for 3 networks

Hey. Without VLANs, one interface - one ip network - one dhcp server. You can bind several ethernet interfaces to one network, but not vice versa (only if your switch supports 802.1Q protocol and you know how to configure the switch and the main mikrotik router). Your Wi-Fi repeater or router connecte...
by Anumrak
Mon Sep 09, 2019 5:29 pm
Forum: Beginner Basics
Topic: Unable to ping/trace from lan
Replies: 7
Views: 2112

Re: Unable to ping/trace from lan

How about disabling your PC firewall for a short period of time and trying again?
by Anumrak
Mon Sep 09, 2019 5:23 pm
Forum: General
Topic: BGP-safety issue
Replies: 2
Views: 1434

Re: BGP-safety issue

Can confirm this behavior. I would go a bit further and ask for the out filter to be required when configuring a new peer.
Nice suggestion.

MichaelHallager, does this behavior occur in 6.44.5?
by Anumrak
Thu Sep 05, 2019 8:51 am
Forum: General
Topic: dhcp1 offering lease!
Replies: 2
Views: 1305

Re: dhcp1 offering lease!

Hey. The client can't receive IP address from your dhcp server for some reason. B0:48:7A:BF:C5:C5 is TP-link hardware, possibly router, but I'm not sure. Your goal is: 1) Understand what is this hardware near you or your house; 2) Which interface of Mikrotik router dhcp client want to receive IP add...
by Anumrak
Fri Aug 23, 2019 3:34 pm
Forum: Forwarding Protocols
Topic: OSPF Network Statement [SOLVED]
Replies: 3
Views: 10869

Re: OSPF Network Statement [SOLVED]

Hey. It will send only network based advertisements.
by Anumrak
Fri Aug 23, 2019 3:31 pm
Forum: Forwarding Protocols
Topic: OSPF down problem
Replies: 11
Views: 10427

Re: OSPF down problem

Hey. Check your router-id's on all routers. Are they unique?
by Anumrak
Wed Aug 21, 2019 11:53 am
Forum: General
Topic: New to mikrotik, forward chain help needed
Replies: 3
Views: 1294

Re: New to mikrotik, forward chain help needed

Hey. Default firewall filters for ipv4 and for ipv6 are pretty safe. You can backup your config to your PC, then do this: https://wiki.mikrotik.com/wiki/Manual:Reset and copy filter rules to notepad, recover your config, understand the logic of these rules and insert rules you need.
by Anumrak
Wed Aug 21, 2019 11:45 am
Forum: General
Topic: Playstation NAT issues on 6.45.3
Replies: 3
Views: 2416

Re: Playstation NAT issues on 6.45.3

Hey

1) Do you have a globally routable IP address from your ISP? Not from 10.0.0.0/8, 100.64.0.0/10, 172.16.0.0/12, 192.168.0.0/16 ranges.
2) I would manually configure destination NAT rules.
by Anumrak
Tue Aug 20, 2019 5:58 pm
Forum: General
Topic: IPv6 accept-ra bug
Replies: 2
Views: 1678

Re: IPv6 accept-ra bug

I have a few RB951G's which act as APs/bridges (not routers). They have this configuration: /ipv6 settings set accept-router-advertisements=yes forward=no This kind of works, because the devices indeed accept RAs and self-assign IPv6 addresses and default routes, but there are two problems with it:...
by Anumrak
Mon Aug 12, 2019 5:35 pm
Forum: General
Topic: Allow traffic between isolated subnets? [SOLVED]
Replies: 10
Views: 8861

Re: Allow traffic between isolated subnets? [SOLVED]

Hey. If you will shut the drop rule off, will the traffic forward between networks? If no, try to check the firewalls on PCs, if yes - try to set the input interface in upper rule.
by Anumrak
Fri Aug 09, 2019 5:49 pm
Forum: Beginner Basics
Topic: IPv6 Tunneling
Replies: 5
Views: 1614

Re: IPv6 Tunneling

Hello, Thanks for the reply Yeah I just notice it since My IPv6 will only work when the router still enables the IPv4 address. Are there any references that I can read about this matter? books or papers? IPv4 connectivity as a box and your brand new IPv6 addresses as a items in the box. No box, no ...
by Anumrak
Fri Aug 09, 2019 5:16 pm
Forum: General
Topic: Routing users on MikroTik
Replies: 1
Views: 1105

Re: Routing users on MikroTik

On one MikroTik router, I want to divide my users to two groups and assign each group to a separate network (two networks). How do I do that? Any Suggestion ? Thank you. Via one ethernet interface with vlan 2 and 3 networks 192.168.0.0/24 and 192.168.1.0/24 Via 2 interfaces same networks, but witho...
by Anumrak
Fri Aug 09, 2019 5:00 pm
Forum: General
Topic: Port forward for a PPTP VPN user
Replies: 2
Views: 991

Re: Port forward for a PPTP VPN user

Heya All! How do I open a port for a PPTP vpn user? I tried different solution online but it didn't work. I mean that PPTP VPN user can use a service on that port. Local Address: 192.168.1.251 Remote Address: 192.168.1.250 Target Port: 7268 Thanks! Hey. Can you rephrase a sentence? PPTP server li...
by Anumrak
Wed Jul 17, 2019 10:33 am
Forum: Forwarding Protocols
Topic: OSPF Interface all passive
Replies: 9
Views: 5968

Re: OSPF Interface all passive

Not as easy when you have a few hundred vlans. Not bad to script but would be nice to have a simple checkbox to automatically have all interfaces as passive and then add the ones you want. /routing ospf interfaces add interface=all area=backbone passive=yes Exactly :) https://wiki.mikrotik.com/wiki...
by Anumrak
Tue Jul 16, 2019 11:06 am
Forum: Forwarding Protocols
Topic: OSPF Interface all passive
Replies: 9
Views: 5968

Re: OSPF Interface all passive

I wish there was a simple way to mark all instances as passive except the ones we add manually.
It's easy enough with winbox software as a GUI.
by Anumrak
Tue Jul 16, 2019 11:01 am
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 84413

Re: v6.44.5 [long-term] is released!

I wish the "long-term" channel would only have releases with bugfixes and security fixes, not a bunch of new features and underlying changes that need to be tested before I can apply the update to fix a security vulnerability. IMO, "long-term" channel should stay in 6.43.x branc...
by Anumrak
Mon Jul 15, 2019 4:25 pm
Forum: Forwarding Protocols
Topic: PPPoE over VPLS Tunnel - Client Ping mac server pppoe but it does not connect
Replies: 6
Views: 3553

Re: PPPoE over VPLS Tunnel - Client Ping mac server pppoe but it does not connect

When you do ping, it travels via IP protocols with ospf support. Try to look at your mpls LSP to your pppoe server.
by Anumrak
Mon Jul 15, 2019 4:18 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 84413

Re: v6.44.5 [long-term] is released!

I wish the "long-term" channel would only have releases with bugfixes and security fixes, not a bunch of new features and underlying changes that need to be tested before I can apply the update to fix a security vulnerability. IMO, "long-term" channel should stay in 6.43.x branc...
by Anumrak
Thu Jul 11, 2019 5:38 pm
Forum: Beginner Basics
Topic: Network isolation using VRF?
Replies: 8
Views: 2245

Re: Network isolation using VRF?

I ended up just making a routing rule that drops between both networks.

Seems to me the cleanest way to do this.
or just firewall drop rule(s)

but in general, I agree.
by Anumrak
Thu Jul 11, 2019 4:09 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 100
Views: 84413

Re: v6.44.5 [long-term] is released!

Installed with a first attempt on hAP lite without any problem unlike 6.45.1.
by Anumrak
Wed Jul 03, 2019 8:15 pm
Forum: General
Topic: PPPoE Session packets being broadcast?? [SOLVED]
Replies: 41
Views: 8852

Re: PPPoE Session packets being broadcast?? [SOLVED]

1) It will help a lot, especially if both clients in the same broadcast domain. They could interact with one another directly. It's not about direction of traffic. It's about misconfiguration of topic starter and abusing the "network hole" by someone in same vlan. I'm not sure we talk abou...
by Anumrak
Wed Jul 03, 2019 4:23 pm
Forum: General
Topic: PPPoE Session packets being broadcast?? [SOLVED]
Replies: 41
Views: 8852

Re: PPPoE Session packets being broadcast?? [SOLVED]

My two cents: the target PPPoE client device doesn't send anything in its uplink direction so the ISP gear starts to broadcast frames for it after the record for that MAC in its forwarding table expires (this normally takes minutes after it has seen the last frame with client's MAC as source), wher...
by Anumrak
Wed Jul 03, 2019 3:43 pm
Forum: General
Topic: Hairpin NAT not working as expected
Replies: 5
Views: 3262

Re: Hairpin NAT not working as expected

For hairpin NAT you need 3 rules, not just one. Common rule for Internet interface with destination nat from public to private for inbound interface Destination nat from public to private with your source for inbound local interface Masquerade nat from your source to private destination for outbound...
by Anumrak
Wed Jul 03, 2019 11:39 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 195527

Re: v6.45.1 [stable] is released!

spacex - We will look into this problem; Anumrak - Yes, hAP lite and similar routers are designed to run RouterOS bundle package and can be upgraded without any problems, as long as you do not store anything else on your router that might fill up the storage. If there is not enough space on the dis...
by Anumrak
Tue Jul 02, 2019 5:19 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 195527

Re: v6.45.1 [stable] is released!

Hey. What about low capacity of space in hAP lite? Whatever I did, it says not enough space. Every time.
Try uninstall additional packages, then update. After update install packages.
This is abnormal behavior. I'll wait for a fix for this.
by Anumrak
Tue Jul 02, 2019 2:34 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 195527

Re: v6.45.1 [stable] is released!

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused. Hey. What about low capacity of space in hAP lite? Whatever I did, it says not enough space. Every ti...
by Anumrak
Tue Jul 02, 2019 9:46 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 195527

Re: v6.45.1 [stable] is released!

Impossible to upgrade hAP lite. Please fix this. All unnecessary features were disabled. It's not working.
by Anumrak
Thu Jun 27, 2019 3:34 pm
Forum: Forwarding Protocols
Topic: OSPF Interface all passive
Replies: 9
Views: 5968

Re: OSPF Interface all passive

When setting ospf interface "all" as passive is it normal that state is "Down" 1 P interface=all cost=10 priority=1 authentication=none authentication-key="" authentication-key-id=1 network-type=broadcast instance-id=0 retransmit-interval=5s transmit-delay=1s hello-int...
by Anumrak
Thu Jun 27, 2019 9:49 am
Forum: General
Topic: Mikrotik DHCP with redundant links.
Replies: 4
Views: 1465

Re: Mikrotik DHCP with redundant links.

Hey. You can practice with HSRP in Cisco Packet Tracer. And with VRRP in MikroTik world. There is nothing to practice both vrrp and hsrp brings in to the same problem that's why I don't want to put dhcp on L3 switches on cisco both vrrp and hsrp is supported. What problem do you have with it?
by Anumrak
Thu Jun 27, 2019 9:41 am
Forum: General
Topic: IPv6 DHCP Server Not Leasing IP
Replies: 13
Views: 13321

Re: IPv6 DHCP Server Not Leasing IP

Should this work now in RouterOS v6.44.3? It's not working for me. I get a /48 range from Hurricane Electric ipv6 Tunnel. Everything works, but not the DHCP Server. I have set the address advertise=yes. But the firewall shows in the logs that there is no other traffic than ICMP. No DHCP traffic or ...
by Anumrak
Thu Jun 27, 2019 9:31 am
Forum: Forwarding Protocols
Topic: OSPF Loopback + MPLS Loopback
Replies: 7
Views: 4020

Re: OSPF Loopback + MPLS Loopback

To have two loopback addresses on a router (ospf + mpls) or will the ospf loopback do for mpls?
You need only one loopback address. You might need second one for second ospf process, but in correct network design you don't need second one.
by Anumrak
Wed Jun 26, 2019 5:06 pm
Forum: Forwarding Protocols
Topic: Combination of Static Routing and Dynamic!
Replies: 3
Views: 2572

Re: Combination of Static Routing and Dynamic!

@Anumrak Thanks for your reply! On re-reading my question I will have to rephrase, Static routing for L2 bridged and Dynamic for OSPF, I want the options that if static routing is unreachable that OSPF dynamic routing will take over until static is reachable? Of course! =) Just manage administrativ...
by Anumrak
Wed Jun 26, 2019 3:03 pm
Forum: General
Topic: PPPoE Session packets being broadcast?? [SOLVED]
Replies: 41
Views: 8852

Re: PPPoE Session packets being broadcast?? [SOLVED]

Now I think I get it. I think the only way it's possible in ISP network is mac address learning of legit client on your ether1 port. Somehow. or it's a bug in ROS that allows you to see PADI frames with 8863 ethernet protocol numbers like 8864. Few months ago I saw a bug that prevent to watch data w...
by Anumrak
Wed Jun 26, 2019 2:02 pm
Forum: Forwarding Protocols
Topic: Combination of Static Routing and Dynamic!
Replies: 3
Views: 2572

Re: Combination of Static Routing and Dynamic!

Of course it can. It's all about administrative distance of a static route over a dynamic one. For example, AD of OSPF is 110 and external EIGRP has 170. You can "win" both with only 1 to increment. For example you can manage reserve static route for ospf with 111 and 171 with eigrp.
by Anumrak
Wed Jun 26, 2019 1:24 pm
Forum: General
Topic: PPPoE Session packets being broadcast?? [SOLVED]
Replies: 41
Views: 8852

Re: PPPoE Session packets being broadcast?? [SOLVED]

PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why should torch show you destination IP, when PPP tunnel operates only with mac address? Not sure I understand your post, is your question directed at me? Well yeah. I thought you didn't get why ds...
by Anumrak
Tue Jun 25, 2019 7:20 pm
Forum: General
Topic: PPPoE Session packets being broadcast?? [SOLVED]
Replies: 41
Views: 8852

Re: PPPoE Session packets being broadcast?? [SOLVED]

PPP frames inside ethernet providing unique layer 2 tunnel based on unicast frames on session level. Why should torch show you destination IP, when PPP tunnel operates only with mac address?
by Anumrak
Tue Jun 25, 2019 5:14 pm
Forum: General
Topic: Mikrotik DHCP with redundant links.
Replies: 4
Views: 1465

Re: Mikrotik DHCP with redundant links.

Hey. You can practice with HSRP in Cisco Packet Tracer. And with VRRP in MikroTik world.
by Anumrak
Thu May 30, 2019 5:39 pm
Forum: General
Topic: Zen Internet IPv6 example?
Replies: 4
Views: 2311

Re: Zen Internet IPv6 example?

Hey. Have you seen info on Mikrotik wiki?
by Anumrak
Wed May 29, 2019 5:36 pm
Forum: Beginner Basics
Topic: Blocking a mac address from getting internet [SOLVED]
Replies: 4
Views: 1711

Re: Blocking a mac address from getting internet [SOLVED]

IP > Firewall uses IP addresses, not MAC addresses. If you want to block a MAC address the interface will have to be in a bridge, then use Bridge > Filter The ! means NOT - for example !192.168.1.42 means 'any address except 192.168.1.42' Actually, IP - Firewall - Filter can block mac addresses, al...
by Anumrak
Wed May 15, 2019 2:01 pm
Forum: Beginner Basics
Topic: Direct specific content through VPN
Replies: 4
Views: 1455

Re: Direct specific content through VPN

Hey. It is better by IP addresses, because you deal with a router, not specific hardware. Content is a layer 7, so it can be done, but it's very hard to do on a CPU. You should google for topics "layer 7 filtering/marking on mikrotik".
by Anumrak
Wed May 15, 2019 1:58 pm
Forum: Beginner Basics
Topic: Bruteforce login prevention doesn't work
Replies: 1
Views: 801

Re: Bruteforce login prevention doesn't work

Hey. Are you sure that all 5 rules are added to your firewall section in the right order? Like drop, blcklst, s3,2,1. Drop on the top and the stage 1 on the bottom.
by Anumrak
Wed May 15, 2019 11:38 am
Forum: Beginner Basics
Topic: A little help to configure a NAT
Replies: 3
Views: 1041

Re: A little help to configure a NAT

Why not just use VRRP or VRRP+OSPF?
by Anumrak
Wed May 15, 2019 11:29 am
Forum: Beginner Basics
Topic: VPN PPTP Passthrough Problem
Replies: 4
Views: 3151

Re: VPN PPTP Passthrough Problem

Hello, i have a rather simple setup here with a Mikrotik router, and a SBS 2008 with a PPTP vpn server. I'm trying to get pptp vpn passthrough to work, but it doesn't seem to work. Port 1723 forwarding seems to work, but data doesn't seem to pass through. I've seen many references to a PPTP helper,...
by Anumrak
Wed May 15, 2019 11:26 am
Forum: General
Topic: facebook and instagram problem..
Replies: 1
Views: 1955

Re: facebook and instagram problem..

Aaaand...a tech diag?
by Anumrak
Wed May 15, 2019 11:18 am
Forum: General
Topic: dst-nat with changing port
Replies: 23
Views: 8779

Re: dst-nat with changing port

We're all here to help ;)
by Anumrak
Wed May 15, 2019 11:12 am
Forum: Beginner Basics
Topic: Open all ports on all devises [SOLVED]
Replies: 6
Views: 2571

Re: Open all ports on all devises [SOLVED]

It does not work that way. A NAT forwards to a target IP. However in most situations, if the game is talking to a server somewhere else, the client initiates the connection and the router will forward responses to the IP that originated the request. No special setup is normally required. If you are...
by Anumrak
Wed May 15, 2019 10:48 am
Forum: General
Topic: dst-nat with changing port
Replies: 23
Views: 8779

Re: dst-nat with changing port

You should check availability of your changed port from outside, for example, on some web site that can check it. If it's closed, then your ISP is just filtering unknown ports. Also you have to have a global unique IP address, not from private range.
by Anumrak
Wed May 15, 2019 10:08 am
Forum: Beginner Basics
Topic: [solved] VLAN-subnet over 3 devices / routing? switching?
Replies: 3
Views: 1117

Re: VLAN-subnet over 3 devices / routing? switching?

Hey. If your routers are far from each other, then maybe you will need EoIP + OSPF. You can use iBGP too, but you really need to think first, why do you need that. In order to reach other host on layer 2, all you need is create vlan interface and tag it with appropriate vlan, also choose correct eth...
by Anumrak
Wed May 15, 2019 10:00 am
Forum: General
Topic: RB750GR3 for a 30 PCs Gaming event?
Replies: 11
Views: 3282

Re: RB750GR3 for a 30 PCs Gaming event?

Nope, Gr3 won't do. Since you want to balance, you'll need to skip FastTrack. Without it gr3 won't be able to cope with bandwidth.

You need more power. 4011 will do for example
I don't get why you think hEX won't handle it.
by Anumrak
Tue Apr 30, 2019 2:00 pm
Forum: Beginner Basics
Topic: Gateway Issue
Replies: 1
Views: 667

Re: Gateway Issue

by Anumrak
Fri Apr 26, 2019 5:02 pm
Forum: Forwarding Protocols
Topic: MPLS does not mark anything in the table
Replies: 3
Views: 2388

Re: MPLS does not mark anything in the table

Did you enable mpls on interfaces?
by Anumrak
Fri Apr 26, 2019 4:27 pm
Forum: Beginner Basics
Topic: Forward traffic to another router
Replies: 4
Views: 1642

Re: Forward traffic to another router

I don't understand how you directly connect 1.10 and 1."something" on server second interface. Because your router doesn't have any 1.0 ip address on ether4 interface. And second note - server from 2.0 network can not interact with 1.0 without a route (specific or default one). You need fix...
by Anumrak
Fri Apr 26, 2019 3:53 pm
Forum: Beginner Basics
Topic: Forward traffic to another router
Replies: 4
Views: 1642

Re: Forward traffic to another router

Hey. Paste your ipv4 route list here pls :)

Does your pfSense server have a default route?
by Anumrak
Fri Apr 26, 2019 3:49 pm
Forum: General
Topic: WinBox memory consumption
Replies: 1
Views: 664

Re: WinBox memory consumption

:O have to check out my consumption :)