Perhaps
/ip firewall nat add chain=srcnat out-interface="WG1" action=masquerade
Alternative to above: If config is based on default config, can just add WG1 as a WAN interface (which has advantage of firewalling as well as NATting it)
/interface list member add interface=WG1 list=WAN
Then use a ...
Hi, Thanks for the Winbox (IP) route updates in Beta4. In the IP Route Tab, now can show (and lets you set) the Routing Table being used, And there is a Tables tab :) Unfortunately, the Tables tab doesn't currently provide an item to set if table is in Fib or not. Not quite sure what difference it c...
Also, worthwhile going for a coffee after doing the power up with reset held down (for the while)
with netinstall running.
Just leave netinstall and hapac2 sitting there turned on.
1. Perhaps a new counting queue type, that has no packet/frame storage, immediately puts packets onto its parent. To provide a low overhead facility to count traffic (average rates, total bytes up/down, etc) Max Limit may need to be set, but has no effect. Can be graphed. 2. Option to store simple q...
One use case, pppoe pass through, previously a common option on consumer home routers, probably less so now when pppoe is less used. Nice when your ISP would allow you to connect more than once using your credentials. Your PC could (when necessary) get a routable IP on it di...
Hi, Could you perhaps implement a ethernet joiner object to join 2 separate bridges together. Object has 2 interfaces (similar but different to a vlan object) Ideally its only option would be maximum frame size. With bridge filtering being used to limit what is allowed between the 2 lan segments. So...
FYI, HapAC2 ros V7.1Beta3 I was initially having some issues with openvpn trying to send longish packets. While troubleshooting found that generally pinging things (normal, no openvpn) with slightly long packets (behind NAT) was broken. ping -l 1500 192.168.1.1 wouldn't work. But ping -l 1800 192.16...
Hi, Perhaps try the following. /ip firewall nat add action=masquerade chain=srcnat src-address=10.0.0.0/24 out-interface=bridge-local And probably change where the local network ip address is placed (on bridge-local rather than ether2) ** Probably not exactly this (would need to remove/disable exist...
Looking at Wireguard, Happy to see the peer endpoints appear to stay at what I set them, Peer by DNS looks to mostly work. Both maybe seem a little bit fragile, time will tell. Thanks :) However, I now notice that it is all a bit opaque, (for a Mikrotik) There is not much monitoring currently ava...
Cool, Thank you, I will try that. I was hoping to try it yesterday, but that didn't quite happen. Finally, after a bit of effort I got it to work ok. I initially wanted to use the password as a selector which didn't work. After a bit of thought I realized that this was probably not possible. And act...
Hi, Can Some implementation of Multiple Pre Shared Key be added (good if in V6.x as well), I assume (hope) it can be done in wpa/wpa2. My use case would be one SSID and a few different groups possibly pushed to different vlans depending on the password used. Without requiring a radius server, or EAP...
It would be nice if it were possible to change multiple columns visibility at once. rather than having to choose show columns, move to required column in list, click on it, (List then closes), show columns, move to next required column, click on it... Perhaps right clicking columns could change thei...
Hi, Simple Queues, Simple Queue Graphs, and Interface Graphs can do some of the basics. Note: The following refers to V6, I haven't tested it much in V7, the script runs so I assume it is still good. By setting up a bunch of simple Queues I have 1 Parent, then 1 per internal IP address as well as on...
You should probably explain in more details what's the problem. I'm trying to understand it, but no luck so far. Yes, fair enough. Hopefully the following makes some sense. With reference to the image below which is similar (simplified) to the one I am using. If the client attempts to connect via a...
One issue with wireguard. ... Actually, on further review, it's only when the output needs to go via a non default route. (route marking needed), and also happens with Openvpn (and perhaps others) sstp (tcp) using the same connection and route marking works correctly. Perhaps an alternative to chang...
One issue with wireguard. Sometimes it doesn't seem to keep its connection mark on output. The input to wg is coming in with a connection mark, but the output sometimes has no connection mark. Actually, on further review, it's only when the output needs to go via a non default route. (route marking ne...
winscp logging into router (hapac^2)
The top level directories (/flash, /disk1) show as broken links.
I can't click on them and go there.
I can type in /flash into winscp's open directory menu and that works fine.
My Suggestion would be at least initially to set the wireguard1 interface on host B routerOS to be a wan interface. So the outgoing traffic is natted, and looks to be coming from 10.77.77.2. Perhaps remove the route marking stuff. If this works, it is likely the problem is at the other end. Perhaps ...
Can the Winbox file list please have expandable folders. so I don't have to see every file on the file system. Could you make an option to store the graphing graphs/data in external storage. (especially useful for hex with lots of simple queues) A configurable option to allow me to access (or not) t...
Minor issue with Wireguard
Mostly seems great, quite impressed with it, I have not used wireguard before.
If I don't set the peer address, so any address can connect, when a peer does connect to it
it seems to set the peer address/port itself in its config :(
Some more stuff (V7.1beta1), In winbox, the Routing table (ip route) doesn't refresh very well. Often I find if I know it has changed, I need to select another tab and then go back to the Route List to get it to show all the new and changed routes. It would perhaps be good if connection marks could ...
Hi, When doing an export, Routing rules are not exported. Also it would be good if print in /ip route would do a (left) join with the /routing table and display the table it is using. Currently I am putting a comment in the route, to match the route to a table (and its creation statement) add comme...
Beta5 minor assorted things. Hap AC^2 Could disable a static route via script. Couldn't reenable it. policy routes seem dubious, Eventually was able to get one created following the instructions in the Forums. But was unable to get it to actually work. (I possibly gave up early though) Backup/Restor...
I thought I would post this stuff here, as it seems somewhat on topic. Hap AC^2 OpenVPN UDP. Seems mostly good, seems a nice way of connecting to devices through NAT. As mentioned elsewhere, push routes would be nice. **Hardware encryption support would be great** Perhaps AES-128/256-GCM I was able ...
I had a look at one of the Leo Bodnar NTP servers, it is rather cool, but way beyond what I need. Thanks :) On thinking about it I doubt I actually need anything better than 0.5 to 1 second accuracy. (I would like 10-50 ms) The main reason I want GPS, is because of the very rare occasion when I find...
Hi, I had a bit of a further trial with this, (behind some src-nat, which put me on the right port), it seems to work ok. I quite like that you can specify the Local Clock Stratum. I would like it if it continued to use the specified stratum when you enabled the NTP Client, (Perhaps with a warning w...
ROSV7 Beta 5 HAPAC2, In bridge mode, (all ports bridged, bridge interface marked as LAN) The NTP server response to the client seems likely to always be port 123 Trace below is from (userland client) from port 55188 to server on port 123 Server sends response to client but with destination port of 1...
Hi, A bit late, but perhaps useful for people finding this thread later. Current Mikrotiks have a Bucket Size option in their Queue Settings. We had this problem and were able to fix it using this option. We set it to a small value 0.005, 0.01 also seemed ok in our instance See https://wiki.mikrotik...