Community discussions


Search found 5983 matches

by sindy
Mon Oct 26, 2020 3:25 pm
Forum: General
Topic: Device in LAN - check open port by RouterOS
Replies: 3
Views: 97

Re: Device in LAN - check open port by RouterOS

In the LAN behind the router 192.168.88.1 there is a LAN-connected device (a PC) with the address 192.168.88.254. Is there a way to check whether port 502 is open on the PC by RouterOS means? Open two commandline windows to RouterOS. In one of them, run tool sniffer quick ip-address=192.168.88.254 ip-protocol=i...
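One way to carry out that check from the router, written out as an added example (the post's own command is cut off above, so this is not sindy's text): capture only TCP/502 traffic between the router and the PC while the router itself opens a connection to that port, then read the handshake off the capture. The host and port are the ones from the question; the capture file name and size limit are assumptions.

```routeros
# Added example, not part of the original post. Router 192.168.88.1, target PC
# 192.168.88.254 and port 502 come from the question; the file name is assumed.

# Window 1: capture only TCP/502 to or from the PC into a pcap on the router.
/tool sniffer set filter-ip-address=192.168.88.254/32 filter-ip-protocol=tcp filter-port=502 file-name=port502.pcap file-limit=1000KiB
/tool sniffer start

# Window 2: make the router itself open a TCP connection to port 502.
# Modbus is not HTTP, so fetch reports an error; only the TCP handshake matters.
/tool fetch url="http://192.168.88.254:502/" keep-result=no

# Back in window 1: stop (the file is written on stop) and confirm it exists.
/tool sniffer stop
/file print where name=port502.pcap

# Download port502.pcap (Winbox > Files, or FTP/SFTP from the LAN) and open it
# in Wireshark. Reading the capture:
#   open port     : SYN from 192.168.88.1, SYN/ACK back from 192.168.88.254
#   closed port   : SYN answered by RST/ACK
#   filtered port : the SYN is retransmitted and nothing ever comes back
```

The `quick` form used in the post prints packets live instead of writing a file; the file variant is handier when the flags have to be read, because Wireshark shows them directly. Run the fetch from a third window if the sniffer window is busy.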
by sindy
Mon Oct 26, 2020 1:04 pm
Forum: General
Topic: Permanent NAT interface
Replies: 1
Views: 51

Re: Permanent NAT interface

/interface list add name=PPTP /ppp profile add copy-from=default-encryption name=pptp interface-list=PPTP /ppp secret set the-name-of-the-client profile=PPTP /ip firewall nat add out-interface-list=PPTP action=masquerade Move away from PPTP if you want to remain the only administrator of your devic...
by sindy
Mon Oct 26, 2020 12:46 pm
Forum: General
Topic: understanding and fixing MTU/MSS/PMTU with IPsec
Replies: 25
Views: 9024

Re: understanding and fixing MTU/MSS/PMTU with IPsec

The action=none policy addresses the case when a packet sent by the LAN client is too large to fit into the WAN if encapsulated into an IPsec transport packet and needs to be made smaller (by sending a smaller portion of the TCP buffer). So it addresses an issue with the local client's PMTU discovery on the ...
by sindy
Mon Oct 26, 2020 12:00 pm
Forum: General
Topic: Bonding questions
Replies: 20
Views: 913

Re: Bonding questions

Redundant parts would be better than missing ones, so far so good. If we split the above into points which are fixed and which can be addressed in multiple ways, we get the following: fixed: the ISP uplink must be physically connected to the 750 all the client devices are physically connected to the...
by sindy
Mon Oct 26, 2020 8:54 am
Forum: Announcements
Topic: v6.48beta [testing] is released!
Replies: 132
Views: 51437

Re: v6.48beta [testing] is released!

Looks like there is a memory leak in 6.48 beta(s)
A clear disadvantage of having a hAP ac² with 256 MB RAM - with the standard 128 you'd notice that much sooner :) Send the supout.rif to support@mikrotik.com to help them identify the process which leaks.
by sindy
Sun Oct 25, 2020 10:42 pm
Forum: General
Topic: Freezing ip/firewall/connection screen scrolling?
Replies: 1
Views: 78

Re: Freezing ip/firewall/connection screen scrolling?

If you are interested in a particular connection, you can use match conditions (src-address~"ip.add.re.ss:port", protocol~"icmp" etc.) even with interval.
by sindy
Sun Oct 25, 2020 10:20 pm
Forum: General
Topic: Old bug, PING SRC-ADDRESS does not work
Replies: 6
Views: 185

Re: Old bug, PING SRC-ADDRESS does not work

Post the configuration export and the actual ping command.
by sindy
Sun Oct 25, 2020 10:13 pm
Forum: General
Topic: Old bug, PING SRC-ADDRESS does not work
Replies: 6
Views: 185

Re: Old bug, PING SRC-ADDRESS does not work

I've never had this issue (and tested again right now on 6.46.7). Are you sure there is no src-nat (or masquerade) rule which replaces the source address set using the src-address parameter of ping?
by sindy
Sun Oct 25, 2020 10:07 pm
Forum: General
Topic: Bonding questions
Replies: 20
Views: 913

Re: Bonding questions

I believe it was the same with the addition of an entry in the "Out Bridge Port List", which I believe was set to all LAN. I will need to check that next time I am down there. If the action=masquerade rule is set to match on the WAN port and on a list of LAN bridge ports at the same time, it cannot...
by sindy
Sun Oct 25, 2020 9:55 pm
Forum: General
Topic: enable/disable a Firewall rule in terminal or script
Replies: 6
Views: 192

Re: enable/disable a Firewall rule in terminal or script

Think about what happens if you add a rule somewhere between the existing ones. How would your script learn the new number of the rule it works with? The line numbers are intended solely as a help for the human administrator when modifying the configuration, so that the find would not be necessary f...
by sindy
Sun Oct 25, 2020 9:28 pm
Forum: General
Topic: enable/disable a Firewall rule in terminal or script
Replies: 6
Views: 192

Re: enable/disable a Firewall rule in terminal or script

The rule numbers are associated dynamically by the print command, and only remain valid until the next print of the same table. So to specify a rule for modification within a script, use /ip firewall filter disable [find chain=... action=... ...] to specify the rule. Test the proper conditions in ad...
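A worked version of that advice, added here and not part of the post: the rule gets a unique comment when it is created, the script locates it by that comment instead of by its print number, and it refuses to act unless exactly one rule matched. The rule itself, its comment "block-list-drop" and the address list "blocked" are assumptions.

```routeros
# Added example, not from the post. The rule, its comment and the list name
# "blocked" are assumptions; the find-based lookup is the point of the post.

# Once, when the rule is created: give it a unique comment. The comment survives
# inserts and moves; the number shown by "print" does not.
/ip firewall filter add chain=forward src-address-list=blocked action=drop comment="block-list-drop"

# Script body (System > Scripts, or paste into a terminal as one block):
# locate the rule by its properties, never by its print number.
{
  :local ids [/ip firewall filter find comment="block-list-drop"]
  # Exactly one match is required: zero means a typo or a deleted rule,
  # two or more means a duplicate; either one is a bug, so stop here.
  :if ([:len $ids] != 1) do={
    :log error ("block-list-drop: expected 1 rule, found " . [:len $ids])
    :error "firewall rule lookup failed"
  }
  /ip firewall filter disable $ids
  :log info "block-list-drop disabled"
}

# To re-enable it later, use the same lookup. Matching on chain=... action=...
# as in the post works too, but a comment cannot hit an unrelated rule by accident.
/ip firewall filter enable [find comment="block-list-drop"]
/ip firewall filter print where comment="block-list-drop"
```

The length check is the part worth keeping: `disable [find ...]` silently does nothing when nothing matches, and silently disables several rules when the match is too loose, and neither failure shows up in the log without it.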
by sindy
Sun Oct 25, 2020 8:25 pm
Forum: General
Topic: VLAN switch and bridge combination - advice please [SOLVED]
Replies: 16
Views: 512

Re: VLAN switch and bridge combination - advice please [SOLVED]

Maybe you missed it, but this is a lab setup , not a production one. ... I do agree that the 2 input rules I have are useless. If it weren't for those two rules, it would never have occurred to me to consider another variant. But most of all it nicely cleared up my confusion when and what to tag. I need to think mo...
by sindy
Sun Oct 25, 2020 7:32 pm
Forum: General
Topic: Bonding questions
Replies: 20
Views: 913

Re: Bonding questions

Leave the default IP's as is (88.1). Turn off DHCP and NAT from QS. ... All is well after reset. Repeating my steps above, I lose Internet when I turn off the DHCP server. DHCP client still sees the ISP and can release/renew OK. Pings from connected machine don't work (obviously). The connected mac...
by sindy
Sun Oct 25, 2020 3:49 pm
Forum: General
Topic: VLAN switch and bridge combination - advice please [SOLVED]
Replies: 16
Views: 512

Re: VLAN switch and bridge combination - advice please [SOLVED]

Have you read @anav's automatic signature carefully? It's worth it. The point with CAPsMAN configuration is the following: if the datapath row indicates local-forwarding=no , the bridge indicated on that row refers to a bridge on the CAPsMAN device. All frames received from the air by the cAP device...
by sindy
Sun Oct 25, 2020 2:57 pm
Forum: General
Topic: IPSec IKEv2 RoadWarrior - ping works, https not
Replies: 14
Views: 561

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Two points. As I've suggested earlier, action=return in a built-in chain has the same effect as action=accept . You've made me test it :) From a security perspective this is a much better outcome than the other one, which I was afraid of - that the iOS would retry connections via internet if connect...
by sindy
Sun Oct 25, 2020 11:24 am
Forum: General
Topic: Bonding questions
Replies: 20
Views: 913

Re: Bonding questions

So, some questions: What baseline should I be starting from? Factory defaults Router? Factory defaults Bridge? Or no defaults at all (which I have not tried due to many nightmare stories of folks who had to use a serial cable to recover from that)? "Factory defaults -> home CPE" is a good start. "N...
by sindy
Sun Oct 25, 2020 10:47 am
Forum: General
Topic: Problem Hardware Offload on CRS326-24G-2S+
Replies: 6
Views: 1132

Re: Problem Hardware Offload on CRS326-24G-2S+

At first, I'm using a simple single bridge named bridge1. All of the bonding interfaces and sfpplus17 are added to bridge1 and hardware offload is enabled. I saw the H flag on every port in bridge1. But I only got 4.6Gbps total throughput for download, and upload got only 2mbps. This is the only...
by sindy
Sun Oct 25, 2020 10:02 am
Forum: General
Topic: understanding and fixing MTU/MSS/PMTU with IPsec
Replies: 25
Views: 9024

Re: understanding and fixing MTU/MSS/PMTU with IPsec

My fault, I forgot the modifier detail in the print command. The problem with screenshots is that in many cases they show less than a commandline print detail ; in this particular case (ipsec policy list) the screenshot shows almost everything (only the proposal and ipsec transport protocol are miss...
by sindy
Sun Oct 25, 2020 9:27 am
Forum: General
Topic: Two wan with in the same subnet
Replies: 19
Views: 623

Re: Two wan with in the same subnet

why would ARP care about IP routes when it's below IP @mkx, this is the essence of the answer I would have written if I stayed up so late like you and Sob yesterday. The IP to MAC translation is part of adaptation of the IP layer to the link layer on shared media (point-to-multipoint) interfaces, s...
by sindy
Sat Oct 24, 2020 11:30 pm
Forum: General
Topic: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2
Replies: 12
Views: 654

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

If somebody could steer me in the right direction, i would be really grateful. I've tried already, see my previous post. From what you wrote now instead of explicitly answering my question, I deduce that you've configured the IPsec settings for L2TP manually, rather than allowing RouterOS to create...
by sindy
Sat Oct 24, 2020 11:23 pm
Forum: General
Topic: Two wan with in the same subnet
Replies: 19
Views: 623

Re: Two wan with in the same subnet

I'll have to trust you on that. Don't trust me (I dare to quote 71-Hour Ahmed on that topic: "Ye gods, no! My mother is a D'reg! She would be terribly offended if I trusted her."). Instead, trust the machine: [me@myTik] > ip arp print where address in 192.168.6.0/24 Flags: X - disabled, I - invalid...
by sindy
Sat Oct 24, 2020 9:03 pm
Forum: General
Topic: understanding and fixing MTU/MSS/PMTU with IPsec
Replies: 25
Views: 9024

Re: understanding and fixing MTU/MSS/PMTU with IPsec

Can you explain what is this "move *ffffff destination=0" doing? I don't know what was @msatter's setup in which he has moved the last policy (*ffffffff) to the beginning (top) of the list, but in your case, I don't understand the place-before= 1 . The action=none policy exempting packets for the L...
by sindy
Sat Oct 24, 2020 8:40 pm
Forum: Announcements
Topic: v6.46.7 [long-term] is released!
Replies: 43
Views: 9235

Re: v6.46.7 [long-term] is released!

And on my modem I see the MAC address of my router board but a different IP
Create a dedicated topic in General. This topic is reserved for issues specifically related to 6.46.7.
by sindy
Sat Oct 24, 2020 5:13 pm
Forum: General
Topic: Two wan with in the same subnet
Replies: 19
Views: 623

Re: Two wan with in the same subnet

How does MT in this case handle the reply? Does it pollute ARP cache (with 192.168.1.1 now pointing to B's MAC) or it rather notices it received request through different ether port (and ARP cache is per port?). Or does it simply ignore sender's IP address because dstMAC of ARP response packet is a...
by sindy
Sat Oct 24, 2020 4:21 pm
Forum: General
Topic: Two wan with in the same subnet
Replies: 19
Views: 623

Re: Two wan with in the same subnet

I have to ask, what is the purpose of two modems from the same ISP? It's not two modems from the same ISP. It's two modems from different ISPs, but both using the same LAN subnet, which the customer cannot change on either of the two modems. I kinda followed the explanation Sindy, but not knowing d...
by sindy
Sat Oct 24, 2020 4:15 pm
Forum: General
Topic: Add to address list and nat rule
Replies: 14
Views: 450

Re: Add to address list and nat rule

But the thing here is that the OP does not do port translation but port based redirection to another address . That's why the incoming connection to dst port 88, which gets dst-nated, is then handled in forward whereas the incoming connection to dst port 2222, which does not get dst-nated, is handle...
by sindy
Sat Oct 24, 2020 4:06 pm
Forum: General
Topic: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2
Replies: 12
Views: 654

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

The fact that neither the Mikrotik nor the Apple can connect indicates an issue at Windows server end. How have you configured the L2TP/IPsec client at Mikrotik side? Using use-ipsec=yes and setting ipsec-secret to the PSK value configured on the server on the /interface l2tp-client row, or have you...
by sindy
Sat Oct 24, 2020 2:10 pm
Forum: General
Topic: Network config help on HEX S & Cisco Switches.
Replies: 32
Views: 956

Re: Network config help on HEX S & Cisco Switches.

To justify the budget for security is always complicated, as the damage feels abstract and unreal to the CFO until the company actually gets hit. In simple words, Layer 7 analysis does more or less the same as an anti-virus running on the endpoint: it scans the application data flowing through it ...
by sindy
Sat Oct 24, 2020 1:54 pm
Forum: General
Topic: Two wan with in the same subnet
Replies: 19
Views: 623

Re: Two wan with in the same subnet

@ahmet82, assuming it is not a completely other setup than the one you deal with in your other topic , you'll have to resolve a conflict between the scriptless failover based on recursive next-hop search and the setup recommended by @bpwl where same gateway IP is used on two WANs so you have to conf...
by sindy
Fri Oct 23, 2020 10:50 pm
Forum: General
Topic: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2
Replies: 12
Views: 654

Re: L2TP/IPSec INVALID-ID-INFORMATION no Phase 2

even though I have logging enabled on the RAS Server there is no log entry. This sounds almost as if you were connecting somewhere else for some reason (maybe a dst-nat rule on the path between the client and the server). I do have separate rules enabling UDP 500 and 4500 on the Windows Server. Do ...
by sindy
Fri Oct 23, 2020 10:39 pm
Forum: General
Topic: VLAN switch and bridge combination - advice please [SOLVED]
Replies: 16
Views: 512

Re: VLAN switch and bridge combination - advice please [SOLVED]

So is using VLANs with EOIP a. possible, and b. recommended? a. yes, you can use the EoIP tunnel the same way as if it was just an unusually long section of an Ethernet cable b. any L2 tunnel is a trade-off. It wastes your bandwidth for the broadcast traffic (ARP and other), and even for unicast tr...
by sindy
Fri Oct 23, 2020 10:26 pm
Forum: General
Topic: Add to address list and nat rule
Replies: 14
Views: 450

Re: Add to address list and nat rule

Interesting!! Let's debate the issue. The dst-nat rule matches only on dst-port=88 . Hence packets towards the WAN IP:88 get dst-nated, and packets towards the WAN IP:2222 don't. So those to :88 have got a new destination address after the dst-nat operation. And the decision whether the packet is fo...
by sindy
Fri Oct 23, 2020 10:03 pm
Forum: General
Topic: VLAN switch and bridge combination - advice please [SOLVED]
Replies: 16
Views: 512

Re: VLAN switch and bridge combination - advice please [SOLVED]

Thanks for correcting me.
A big black point to whoever has decided to disable PM again a few days ago, I'd have used it instead if that was still possible.
by sindy
Fri Oct 23, 2020 9:54 pm
Forum: General
Topic: VLAN switch and bridge combination - advice please [SOLVED]
Replies: 16
Views: 512

Re: VLAN switch and bridge combination - advice please [SOLVED]

3) GRE tunnel is a virtual L2 connection and since VLAN is "L2.5" there's no reason why VLAN tags couldn't pass through the GRE tunnel to the remote end. If you are going that way, I suggest you go with the bridge VLAN way, because the example configuration I showed in answer to question #2 would get even more compl...
by sindy
Fri Oct 23, 2020 9:37 pm
Forum: General
Topic: RB2011UiAS-2HnD-IN
Replies: 2
Views: 167

Re: RB2011UiAS-2HnD-IN

Can you post the actual rows from the log? In a CLI window (available via [Terminal] button in Winbox or WebFig), use /log print and copy-paste the beginning of the output if it still contains those lines. If they are not there any more, repeat the procedure to see them again. How did you obtain the...
by sindy
Fri Oct 23, 2020 8:58 pm
Forum: General
Topic: "Holy war" against masquerade and ike2 dynamic ip address on your wan interface
Replies: 8
Views: 344

Re: "Holy war" against masquerade and ike2 dynamic ip address on your wan interface

I don't have any LTE to test with I do. It's a terrible mess. If we leave alone the "serial modem" mode, depending on (possibly) RouterOS versions and/or LTE modem models and/or firmware versions, you can get a dynamically added DHCP client (for which you cannot configure a lease script), or you may ...
by sindy
Fri Oct 23, 2020 8:03 pm
Forum: General
Topic: Add to address list and nat rule
Replies: 14
Views: 450

Re: Add to address list and nat rule

Is there any way to accomplish both dst-nat and saving to address list then? Of course. Two ways: place the action=add-src-to-address-list rule to filter/input for port 2222 and to filter/forward for port 88 (with additional conditions respecting the direction and destination) place the action=add-...
by sindy
Fri Oct 23, 2020 7:46 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

Is this possible? Of course it is. For this purpose, you'll have 4 routing tables: two for local subnet 1, with the following order of preference of the WANs: a: 1,2,3,4 b: 2,1,4,3 two for local subnet 2, with the following order of preference of the WANs: c: 3,4 d: 4,3 And two pairs of PCC rules, ...
by sindy
Fri Oct 23, 2020 4:03 pm
Forum: General
Topic: Add to address list and nat rule
Replies: 14
Views: 450

Re: Add to address list and nat rule

Sorry, I've missed the dst-nat part.

nat/dstnat happens before filter, so as you have redirected the traffic incoming to port 88 to a private address in dstnat, it became a transit one (from one router interface to another), and therefore it is handled by filter/forward, not by filter/input.
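The two placements sindy lists in the Oct 23, 8:03 pm reply above (filter/input for 2222 plus filter/forward for 88, or one rule in a table that runs before dstnat), written out as working configuration. This is an added example, not the thread's own config: ports 88 and 2222 are the thread's, while the interface list WAN, the internal host 192.168.88.10 that port 88 is redirected to, and the list name remote-admins are assumptions.

```routeros
# Added example, not the thread's configuration. Assumptions: interface list
# "WAN", internal host 192.168.88.10 behind port 88, router SSH on port 2222.

# dst-nat runs before filter: after this rule, packets to WAN:88 are transit
# traffic (chain forward), while packets to WAN:2222 stay local (chain input).
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=88 action=dst-nat to-addresses=192.168.88.10 comment="redirect 88 to 192.168.88.10"

# Way 1: record the source in the chain that actually sees each flow.
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=2222 connection-state=new action=add-src-to-address-list address-list=remote-admins address-list-timeout=1d comment="note 2222 clients (local)"
/ip firewall filter add chain=forward in-interface-list=WAN protocol=tcp dst-port=88 dst-address=192.168.88.10 connection-state=new action=add-src-to-address-list address-list=remote-admins address-list-timeout=1d comment="note 88 clients (already dst-nated)"

# Way 2: one rule in raw/prerouting, which runs before connection tracking and
# before dstnat, so the original destination port is still visible for both.
# raw has no connection-state, so every packet re-matches and refreshes the timeout.
/ip firewall raw add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=88,2222 action=add-src-to-address-list address-list=remote-admins address-list-timeout=1d comment="note clients before dst-nat"

# Check (same trick as the Oct 23, 2:32 pm reply): a passthrough twin only counts,
# so a zero counter means the packets to port 88 never arrive at the router.
/ip firewall raw add chain=prerouting in-interface-list=WAN protocol=tcp dst-port=88 action=passthrough comment="counter only: does port 88 arrive?"
/ip firewall raw print stats where comment~"counter only"
/ip firewall address-list print where list=remote-admins
```

Use one of the two ways, not both. Way 2 is simpler, but because it sits before NAT it matches on the public-facing port, so the 88 entry there is the pre-translation port, not the port the internal host listens on.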
by sindy
Fri Oct 23, 2020 2:32 pm
Forum: General
Topic: Add to address list and nat rule
Replies: 14
Views: 450

Re: Add to address list and nat rule

Does it work if you put there port 88 alone (rather than 88,2222)?
If you make a copy of that rule and just replace action=add-src-to-address-list by action=passthrough, does that added rule count packets with destination port 88? It is possible that the packets to port 88 actually don't arrive.
by sindy
Fri Oct 23, 2020 1:53 pm
Forum: General
Topic: IPSec IKEv2 RoadWarrior - ping works, https not
Replies: 14
Views: 561

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Show me the actual firewall rules you use, please. It makes little sense this way.
by sindy
Fri Oct 23, 2020 1:47 pm
Forum: General
Topic: EOIP not working behind 1:1 nat
Replies: 2
Views: 122

Re: EOIP not working behind 1:1 nat

If set up properly, there is no reason why EoIP shouldn't work across a NAT, as EoIP looks like GRE from outside. If EoIP doesn't work, you can use L2TP with BCP for L2 tunneling instead - since you have EoIP, I guess you have a Mikrotik at both ends. Show the complete configuration exports from bot...
by sindy
Thu Oct 22, 2020 9:46 pm
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1018

Re: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

Anyone that runs "SMB" on a router/firewall AND has it exposed to Internet should be thrown into the darkest dungeon of mount Doom! I'm afraid this statement is valid even without the "AND has it exposed to Internet" part... I suppose the vulnerability was being exploited from the LAN side, from an...
by sindy
Thu Oct 22, 2020 9:10 pm
Forum: General
Topic: Tuneling between 2 MTs [SOLVED]
Replies: 6
Views: 207

Re: Tuneling between 2 MTs [SOLVED]

I'd have to see the configs of both OFFICE and HOME machines to be able to suggest something. The difference between ping handling and TCP handling may be that you have placed the permissive rule for the TCP to a wrong place in the firewall. Also, the "PC" is what? A client trying to access the came...
by sindy
Thu Oct 22, 2020 8:49 pm
Forum: General
Topic: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.
Replies: 18
Views: 1018

Re: PSA: Trickbot is using compromised Mikrotik devices. Secure your routers reachable from the internet.

Go check Shodan for your public IP space to see what they've discovered. Enter your public IP into the search form field and press the magnifying glass. It will tell you what ports are open there and how far it could get trying to connect to them. Without an account, you've got just a few queries p...
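An added example (not from the thread) of the hardening the PSA asks for, covering both replies above: the SMB service and the other services nobody needs on a firewall are switched off, the management services that stay are limited to known source addresses, and the input chain drops everything else arriving from the WAN. The interface lists WAN and LAN, the management subnet 192.168.88.0/24 and the VPN subnet 10.99.0.0/24 are assumptions.

```routeros
# Added example, not the thread's configuration. Assumes interface lists "WAN"
# and "LAN", a management subnet 192.168.88.0/24 and a VPN subnet 10.99.0.0/24.

# 1. Services: keep only what is used, and only from known addresses.
/ip service disable [find name~"^(telnet|ftp|www|api|api-ssl)$"]
/ip service set ssh address=192.168.88.0/24,10.99.0.0/24
/ip service set winbox address=192.168.88.0/24,10.99.0.0/24
/ip ssh set strong-crypto=yes
# SMB has no business on a firewall at all (see the replies above).
/ip smb set enabled=no
# Other listeners that are never needed on the WAN side.
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/tool bandwidth-server set enabled=no
# Layer-2 management helpers and neighbor discovery: LAN only.
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# 2. Input chain: the router accepts from the internet only what it must.
#    On a blank config these are the minimum; the default firewall already has them.
/ip firewall filter add chain=input connection-state=established,related,untracked action=accept comment="accept established/related"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop invalid"
/ip firewall filter add chain=input in-interface-list=WAN protocol=icmp action=accept comment="accept icmp from WAN"
/ip firewall filter add chain=input in-interface-list=WAN action=drop comment="drop everything else from WAN"

# 3. Verify: what is still listening, and whether the WAN drop rule sees hits.
/ip service print
/ip firewall filter print stats where chain=input
# Then confirm from the outside (a host on the internet, not the LAN), e.g. with
# Shodan as described above or nmap -sS -p 21,22,23,80,443,445,2000,8291,8728,8729 <public IP>.
```

New `add` rules land at the end of the chain; on a router that already has a WAN drop rule, `move` the accept rules above it, otherwise they never match. The address restriction on ssh and winbox is the cheap part that Shodan would otherwise show as a reachable management port.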
by sindy
Thu Oct 22, 2020 8:24 pm
Forum: General
Topic: Tuneling between 2 MTs [SOLVED]
Replies: 6
Views: 207

Re: Tuneling between 2 MTs [SOLVED]

From what you've posted and what you haven't, it sounds like two distinct issues. First, to redirect (dst-nat) the initial request packet from the client somewhere in the internet to the tunnel towards HOME at OFFICE, and then use another redirection at HOME to the actual device, is just one part of...
by sindy
Thu Oct 22, 2020 4:38 pm
Forum: General
Topic: 750g setup voip
Replies: 1
Views: 109

Re: 750g setup voip

Is the VoIP "device" a phone or a PBX?
by sindy
Thu Oct 22, 2020 12:04 pm
Forum: General
Topic: VPN client to access the router
Replies: 5
Views: 211

Re: VPN client to access the router

Stop using PPTP if you want to remain the only administrator of your router. It takes three clicks more to configure L2TP over IPsec which is way more secure.
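The L2TP/IPsec replacement for the PPTP setup, as an added example serving this reply and the "Permanent NAT interface" reply above (it is not sindy's own configuration): the dynamic L2TP interfaces land on an interface list through the PPP profile, exactly as the PPTP list did there, so the masquerade rule keeps working after the switch. Assumptions: the pool 10.99.0.0/24, the user "alice", an interface list WAN for the input rules, and the placeholder secrets, which must be replaced.

```routeros
# Added example, not the post's configuration. Assumptions: VPN pool
# 10.99.0.0/24, user "alice", interface list "WAN", placeholder secrets.

/ip pool add name=vpn-pool ranges=10.99.0.10-10.99.0.250
/interface list add name=VPN

# Profile: every dynamic L2TP interface joins the VPN interface list, so NAT and
# filter rules reference the list instead of per-user interface names.
/ppp profile add name=vpn-l2tp copy-from=default-encryption local-address=10.99.0.1 remote-address=vpn-pool interface-list=VPN
/ppp secret add name=alice password="CHANGE-ME-alice" service=l2tp profile=vpn-l2tp

# L2TP only inside IPsec (use-ipsec=required refuses bare L2TP), MS-CHAPv2 only.
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret="CHANGE-ME-long-random-psk" default-profile=vpn-l2tp authentication=mschap2

# Retire PPTP.
/interface pptp-server server set enabled=no

# Input from WAN: IKE, NAT-T, ESP, and L2TP only when it arrived inside IPsec.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=500,4500 action=accept comment="IKE / NAT-T"
/ip firewall filter add chain=input in-interface-list=WAN protocol=ipsec-esp action=accept comment="ESP"
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP, decrypted only"

# Same idea as the PPTP reply: masquerade traffic leaving towards VPN clients.
/ip firewall nat add chain=srcnat out-interface-list=VPN action=masquerade comment="masquerade towards VPN clients"

# Checks once a client connects.
/interface l2tp-server server print
/ip ipsec active-peers print
/ppp active print
```

The three input rules must sit above the WAN drop rule (`/ip firewall filter move`); the `ipsec-policy=in,ipsec` match on 1701 is what stops a client from speaking plain L2TP to the router, which `use-ipsec=required` also refuses at the L2TP layer.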
by sindy
Thu Oct 22, 2020 12:01 pm
Forum: General
Topic: VOIP and NAT
Replies: 19
Views: 16838

Re: VOIP and NAT

1. create a topic dedicated to your issue instead of piggy-backing a loosely related one 2. post the configuration export of the Mikrotik in that new topic (supposing the issue is the same with all 40 of them), see my automatic signature below on how to prevent leaking any sensitive information 3. e...
by sindy
Thu Oct 22, 2020 11:55 am
Forum: General
Topic: Certain devices not working via hAP Lite & VPN [SOLVED]
Replies: 7
Views: 290

Re: Certain devices not working via hAP Lite & VPN [SOLVED]

As a matter of interest, would this have any kind of interaction (which may result in a bypass) of a blackhole route for when VPN is down? I suspect not, but just curious as to if there is anything else behind the scenes here The action=none policy has dst-address=your.lan.sub.net . So it can only ...
by sindy
Wed Oct 21, 2020 11:05 pm
Forum: General
Topic: IKEv2 IOS - Cannot Connect [SOLVED]
Replies: 21
Views: 3295

Re: IKEv2 IOS - Cannot Connect [SOLVED]

Have you noticed the requirement for certificate validity not to be longer than 800 days? I hazily remember hitting exactly your issue, where the Mikrotik was seeing the peer as active but the iOS reported authentication failure. Maybe with the new iOS version the requirement is even stronger and e....
by sindy
Wed Oct 21, 2020 11:00 pm
Forum: General
Topic: Mikrotik Router OS switch
Replies: 7
Views: 411

Re: Mikrotik Router OS switch

Ether1 cannot be removed from switch as you see on screenshot. Of course, that's what I said before, all the Ethernet interfaces are in fact ports of the switch chip, it only depends on the rest of the configuration whether the switch is allowed to forward traffic between them autonomously or wheth...
by sindy
Wed Oct 21, 2020 9:58 pm
Forum: General
Topic: IKEv2 to IPSEC tunnel routing with NAT problem
Replies: 1
Views: 155

Re: IKEv2 to IPSEC tunnel routing with NAT problem

1. duplicated IP address required on bridge and eth2 port (if disabled for ethernet port, then router can't connect to network) This one sounds most puzzling to me. The WAN interface of the router is on ether1, so why should the IP address assignment to the bridge and/or to ether2 have any relations...
by sindy
Wed Oct 21, 2020 7:45 pm
Forum: General
Topic: Network config help on HEX S & Cisco Switches.
Replies: 32
Views: 956

Re: Network config help on HEX S & Cisco Switches.

A few months ago I tested an OpenVPN tunnel with the Mikrotik hEX S RB760iGS and did a few speed tests. 1st I ran a test with the hEX S configured as a router behind a router without an OpenVPN connection, and I was able to get an iperf transfer at 936 mbits. Since you've mentioned almost 10 VLANs/su...
by sindy
Wed Oct 21, 2020 7:00 pm
Forum: General
Topic: Mikrotik Router OS switch
Replies: 7
Views: 411

Re: Mikrotik Router OS switch

You don't need to guess the topology, here it is. RB951Ui-2nD, ether1 as WAN, and ether1-ether5 in SWITCH mode together with switch1-cpu. On the other end ( x86 device ) all ports from port0-port9 in bridge mode and cable connected to RB951Ui-2nD. I don't have the SWITCH option in winbox for the x86 device. Is it p...
by sindy
Wed Oct 21, 2020 6:46 pm
Forum: General
Topic: Unknown traffic source
Replies: 10
Views: 496

Re: Unknown traffic source

Is it possible for you to review the screenshot below? We have a management vlan. The switch in the image does not participate in this vlan. But there are 2700 registered macs. If I turn off the administrator vlan on the main router, the number of macs drops to 400. We may be getting somewhere. You...
by sindy
Wed Oct 21, 2020 5:22 pm
Forum: General
Topic: Network config help on HEX S & Cisco Switches.
Replies: 32
Views: 956

Re: Network config help on HEX S & Cisco Switches.

The phones are full featured desk IP phones that have OpenVPN clients built into them. Do you think RouterOS 7 would solve a lot of these issues? Depends on what you call an issue. ROS 7 supports UDP as OpenVPN's transport protocol, which has an impact on the possible issues with delay (but maybe p...
by sindy
Wed Oct 21, 2020 3:12 pm
Forum: General
Topic: PPOE access LAN devices
Replies: 5
Views: 232

Re: PPOE access LAN devices

I've understood your OP the way that a mere change of the way how the internal addresses are assigned to the clients has made it impossible for you to connect to the client routers. As you've shown private address ranges for both business clients and home clients (it is hard to guess where's the typ...
by sindy
Wed Oct 21, 2020 3:05 pm
Forum: General
Topic: Network config help on HEX S & Cisco Switches.
Replies: 32
Views: 956

Re: Network config help on HEX S & Cisco Switches.

Is there a better way for me to go about establishing a openvpn server? How would you handle this requirement? Hard to answer not knowing the priorities of the requirements. If OpenVPN is a must, I'd use OpenWRT on a device supporting it, but don't expect the L2 setup to be any easier. If L3 is eno...
by sindy
Wed Oct 21, 2020 2:16 pm
Forum: General
Topic: Feature request: named addresses and lists in firewall rules
Replies: 1
Views: 110

Re: Feature request: named addresses and lists in firewall rules

you can use the existing address-list feature, you can add as many individual addresses, ranges, or prefixes to the same address-list (same list value), and the rule then matches if the IP address matches any of the records on that list. one of parameters of a DHCP lease is address-lists . So whene...
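Both points of that reply as configuration, added here as an example and not taken from the post: a static DHCP lease that carries address-list names, fixed entries on the same list, and firewall rules that reference only the list name. The MAC addresses, the list names iot and mgmt, the DHCP server name dhcp1, the management subnet 192.168.10.0/24 and the interface list WAN are assumptions.

```routeros
# Added example, not from the post. MACs, list names, server name "dhcp1",
# the management subnet and the "WAN" interface list are assumptions.

# A static lease can name one or more address lists; while the lease is active
# the router keeps the leased IP on those lists as a dynamic (D) entry.
/ip dhcp-server lease add server=dhcp1 mac-address=AA:BB:CC:00:00:01 address=192.168.88.201 address-lists=iot comment="camera-1"
/ip dhcp-server lease add server=dhcp1 mac-address=AA:BB:CC:00:00:02 address=192.168.88.202 address-lists=iot,printers comment="printer-1"

# Fixed entries live on the same list: a range, a single host, a whole prefix.
/ip firewall address-list add list=iot address=192.168.88.210-192.168.88.219 comment="iot lab range"
/ip firewall address-list add list=iot address=192.168.88.230 comment="door controller"
/ip firewall address-list add list=mgmt address=192.168.10.0/24 comment="management subnet"

# Rules reference the list, never an individual address; the rule matches if
# the source (or destination) matches any record on the list.
/ip firewall filter add chain=forward src-address-list=iot out-interface-list=WAN action=drop comment="iot: no internet"
/ip firewall filter add chain=forward src-address-list=iot dst-address-list=mgmt action=drop comment="iot: no access to management"

# What the lists hold right now (D = added dynamically by DHCP or a firewall action).
/ip firewall address-list print where list=iot
/ip dhcp-server lease print where address-lists~"iot"
```

The dynamic entries disappear when the lease expires or is released, so a device that moves to a different address, or stops using the lease, falls out of the list on its own; the fixed entries stay until removed.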
by sindy
Wed Oct 21, 2020 1:59 pm
Forum: General
Topic: Network config help on HEX S & Cisco Switches.
Replies: 32
Views: 956

Re: Network config help on HEX S & Cisco Switches.

Several points. First, it is just a "best current practice" to use a dedicated (V)LAN for each IP subnet, but there is no technical barrier preventing you from using multiple subnets in the same VLAN, and in specific cases, you may need to use the same IP subnet in multiple (V)LANs. Therefore, "I ne...
by sindy
Wed Oct 21, 2020 12:44 pm
Forum: General
Topic: HOWTO: Dual WAN PCC with Dynamic IP from same ISP
Replies: 3
Views: 285

Re: HOWTO: Dual WAN PCC with Dynamic IP from same ISP

My ISP provides an ONR (Optical Network Router), it has 4 ports, LAN1 for Internet and LAN2 for Network TV. Currently LAN1 is connected to my Mikrotik CHR and LAN2 is connected to my Ubiquiti USG. Both of them obtained different WAN public IPs from the same ISP. I tested both of them able to access...
by sindy
Wed Oct 21, 2020 12:01 pm
Forum: General
Topic: Mikrotik block access to Microsoft Outlook 365 account
Replies: 8
Views: 401

Re: Mikrotik block access to Microsoft Outlook 365 account

If no DHCP server is set up on a Mikrotik acting as a mere bridge (i.e. also use-ip-firewall=no ), and there are no bridge filter/nat rules, there is no reason why Office 365 should be affected selectively. So it looks like either a more generic problem which you have only noticed when connecting to...
by sindy
Wed Oct 21, 2020 10:43 am
Forum: General
Topic: Problem with R11e-LTE modem
Replies: 4
Views: 234

Re: Problem with R11e-LTE modem

The network value same as the address value looks weird but as the gateway in the routes is the interface name, it should still be OK. Even ping 8.8.8.8 from the router itself doesn't work? What does interface lte firmware-upgrade lte1 upgrade=no say?
by sindy
Wed Oct 21, 2020 10:23 am
Forum: General
Topic: PPOE access LAN devices
Replies: 5
Views: 232

Re: PPOE access LAN devices

My guess would be that you haven't reflected the change from the previous IP on ether1 to the new IP on PPPoE via ether1 in the firewall. As ether1 is not an IP interface any more, the IP firewall cannot see any packets coming in via ether1, and pppoe-out1 is not added to the interface list WAN. If this...
by sindy
Tue Oct 20, 2020 11:27 pm
Forum: General
Topic: IPSec Asymmetric Routing
Replies: 5
Views: 186

Re: IPSec Asymmetric Routing

The thing is, the input packet does hit the firewall. If I create a filter rule on the input chain with an action of “log” I can see the packet come into the router. If I modify the rule to apply to the output chain though, I see that no response is generated. There was a similar topic about a year...
by sindy
Tue Oct 20, 2020 10:13 pm
Forum: General
Topic: IPSec Asymmetric Routing
Replies: 5
Views: 186

Re: IPSec Asymmetric Routing

The IPsec standard requires that packets which reverse-match the traffic selector of any existing IPsec policy and did not arrive via the SA associated to that policy be dropped. So RouterOS silently drops them before they reach any firewall rule.
by sindy
Tue Oct 20, 2020 10:05 pm
Forum: General
Topic: Mikrotik Router OS switch
Replies: 7
Views: 411

Re: Mikrotik Router OS switch

The issue is not to know what the message means - it means exactly what it says. Some frame sent with the source MAC address of that port has somehow made it back to it. The real issue is to guess the topology of the rest of your network to find out why it happens :) The loop can exist anywhere in t...
by sindy
Tue Oct 20, 2020 6:10 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

The principle of that solution is that the topmost recursive routes are only active if the destination address of the bottommost one is available via its "physical" gateway. If the rest of the configuration is correct, which cannot be seen from just a list of routes, disconnection of one WAN (or its...
by sindy
Tue Oct 20, 2020 5:44 pm
Forum: General
Topic: Problem with R11e-LTE modem
Replies: 4
Views: 234

Re: Problem with R11e-LTE modem

There is nothing bad as such about getting a /32 address. It depends on the internal interface of the LTE modem what is the address assignment mode. What does /ip route print say? And what exactly "doesn't work"? Have you tried to swap the SIMs between the devices? This is my output with yet another...
by sindy
Tue Oct 20, 2020 5:35 pm
Forum: General
Topic: CRS3xx VLAN configuration
Replies: 6
Views: 261

Re: CRS3xx VLAN configuration

Stop. We're most likely hunting for a ghost here. Hardware "acceleration" is enabled at both ports, so the traffic between them is forwarded by the switch chip, bypassing the CPU, hence the CPU cannot sniff it. The frames you can see in the sniffer output are there because they are either sent by th...
by sindy
Tue Oct 20, 2020 1:51 pm
Forum: General
Topic: CRS3xx VLAN configuration
Replies: 6
Views: 261

Re: CRS3xx VLAN configuration

Just for the case, I'd disable also the row in /interface bridge port which makes the LAG a member of the bridge (someone here had an issue with a disabled EoIP affecting the MTU of the bridge, so disabling the membership should be a safer way). Other than that, your export suggests that you have th...
by sindy
Tue Oct 20, 2020 1:24 pm
Forum: General
Topic: proxy for voip
Replies: 1
Views: 119

Re: proxy for voip

Mikrotik's firewall uses a "sip helper" (under /ip firewall service-port ), which is good when the phones are connected to the LAN of Mikrotik, but cannot handle phones connecting from the internet to a PBX behind Mikrotik. No SIP proxy as such is supported by RouterOS. If your PBX itself cannot be ...
by sindy
Tue Oct 20, 2020 12:44 pm
Forum: General
Topic: CRS3xx VLAN configuration
Replies: 6
Views: 261

Re: CRS3xx VLAN configuration

Assuming you want the traffic to be forwarded between sfp-sfpplus3 and the LAG tagged, the record for vlan-ids=200 in /interface bridge vlan must have the ports on the tagged list, not on the untagged one.
by sindy
Tue Oct 20, 2020 11:59 am
Forum: General
Topic: Unknown traffic source
Replies: 10
Views: 496

Re: Unknown traffic source

Did you observe the issue to be present while taking the captures? Because your initial screenshot from torch shows that majority of the frames seen were PPPoE ones, and there is not a single PPPoE frame in either of your two capture files. If the issue was there while you were sniffing, was any sni...
by sindy
Tue Oct 20, 2020 11:11 am
Forum: General
Topic: Bonding questions
Replies: 20
Views: 913

Re: Bonding questions

It's not just the IP address, the interfaces bonded together should have no individual configuration on themselves at all. This is especially critical when using LACP, as the LACP PDUs are VLAN-agnostic since they are intended for link layer control. As you do not use LACP, it is possible, and break...
by sindy
Tue Oct 20, 2020 11:05 am
Forum: General
Topic: IPSec IKEv2 RoadWarrior - ping works, https not
Replies: 14
Views: 561

Re: IPSec IKEv2 RoadWarrior - ping works, https not

It seems you have some gaps in understanding how the firewall works. chain input handles packets whose destination is the router itself. Chain forward is for packets which transit through the router from one interface to another. action=return does not return the packet to the sender as you might ex...
by sindy
Tue Oct 20, 2020 8:36 am
Forum: General
Topic: Certain devices not working via hAP Lite & VPN [SOLVED]
Replies: 7
Views: 290

Re: Certain devices not working via hAP Lite & VPN [SOLVED]

If I add the rule as you noted in the other thread, I don't see any changes to my NAT ... If you mean the policy as I noted in the other thread, it won't change the dynamically added NAT rule no matter whether that rule matches on the connection-mark or the src-address-list as set on the mode-confi...
by sindy
Mon Oct 19, 2020 11:53 pm
Forum: General
Topic: NETMAP vs SRCNAT
Replies: 1
Views: 143

Re: NETMAP vs SRCNAT

action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible). example: /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47 results in the sam...
by sindy
Mon Oct 19, 2020 3:23 pm
Forum: General
Topic: RBM33G with LTE, LoRa and GPS
Replies: 9
Views: 1023

Re: RBM33G with LTE, LoRa and GPS

Most, if not all, the LTE modems use the USB lines on the miniPCIe, not the PCIe ones. I have no idea about the LoRa module in this regard. But my main concern was regarding using the USB port on the RBM33G for GPS as the port may be 3.0 only (it's inside the case, I can't check right now whether it...
by sindy
Mon Oct 19, 2020 1:18 pm
Forum: General
Topic: RBM33G with LTE, LoRa and GPS
Replies: 9
Views: 1023

Re: RBM33G with LTE, LoRa and GPS

the price will be higher than the RBM33G + Chassis. It depends on the price of the GPS (which is part of the LtAP) and the price of weather protection of the RBM33G+chassis - I assume at least the GPS and LoRa antennas will be outdoors, and antenna cables should be ASAP (S=short in this case). Btw, ...
by sindy
Mon Oct 19, 2020 1:03 pm
Forum: General
Topic: EiOP in Bridge -TCP problem [SOLVED]
Replies: 3
Views: 188

Re: EiOP in Bridge -TCP problem [SOLVED]

strange is, that a disabled interface can do something like this :( I agree with you*), however, this is a fellow user forum, so just complaining about things here won't change anything. To get issues resolved, you have to file a ticket at Mikrotik's ticketing system . *) on the other hand, you've ...
by sindy
Mon Oct 19, 2020 12:44 pm
Forum: General
Topic: IPSec IKEv2 RoadWarrior - ping works, https not
Replies: 14
Views: 561

Re: IPSec IKEv2 RoadWarrior - ping works, https not

Strongswan has "Split tunneling custom subnets", but it does not generate all policies, there is only one, first one configured in mode configs. It looks to me as a mismatch of concepts. The StrongSwan acting as initiator only requests a single traffic selector, 0.0.0.0/0->0.0.0.0/0, even if you co...
by sindy
Mon Oct 19, 2020 10:38 am
Forum: General
Topic: IPSec IKEv2 RoadWarrior - ping works, https not
Replies: 14
Views: 561

Re: IPSec IKEv2 RoadWarrior - ping works, https not

It's due to the different handling of split-include . Windows ignore split-include prefixes in the mode-config data (or maybe Mikrotik doesn't even attempt to send them if it finds out that the peer is a Windows machine, no idea) and negotiate a policy with 0.0.0.0/0 at remote side; then, they use a...
by sindy
Mon Oct 19, 2020 9:31 am
Forum: General
Topic: Certain devices not working via hAP Lite & VPN [SOLVED]
Replies: 7
Views: 290

Re: Certain devices not working via hAP Lite & VPN [SOLVED]

Have you seen (and tried) this?

Since you say you have a problem with sending from the local devices (if I got you right), it is a likely cause and solution.
by sindy
Sun Oct 18, 2020 9:07 pm
Forum: General
Topic: RB951G-2HnD reset issue
Replies: 10
Views: 366

Re: RB951G-2HnD reset issue

Sorry, this was a useless question. The button may be broken, but it cannot be tested during runtime.
What does system routerboard settings print show?
by sindy
Sun Oct 18, 2020 4:34 pm
Forum: General
Topic: RB951G-2HnD reset issue
Replies: 10
Views: 366

Re: RB951G-2HnD reset issue

What happens if you press the reset button while the router is running? Does it cause a restart?
by sindy
Sun Oct 18, 2020 12:31 pm
Forum: General
Topic: BUG: (another one) ipsec policy netmask
Replies: 5
Views: 966

Re: BUG: (another one) ipsec policy netmask

Why do you need the ":any"?
by sindy
Sat Oct 17, 2020 10:22 pm
Forum: General
Topic: Detect-internet causing internal packet loss
Replies: 17
Views: 4959

Re: Detect-internet causing internal packet loss

Can you try WebFig or ssh instead of Winbox? Or have you disabled those protocols?

EDIT: sorry, you've mentioned you cannot find it in WebFig. Click Interfaces in the left hand menu, and the [Detect Internet] button is above the list of interfaces, next to the [Add New] one.
by sindy
Sat Oct 17, 2020 9:01 pm
Forum: General
Topic: PPPoE and L2TP Connection/Routing Issue [SOLVED]
Replies: 9
Views: 314

Re: PPPoE and L2TP Connection/Routing Issue [SOLVED]

The 80 range is a VSAT 550ms+ range. The sniffer says the response from the 80.3 arrives 40-60 ms after the request is sent in the opposite direction. But as you mention there's a VSAT link in the path, 40-60 ms is mission impossible, so could it actually be 1040-1060 ms (i.e. response to request N...
by sindy
Sat Oct 17, 2020 8:42 pm
Forum: General
Topic: Rookie Error - Lost management access while attempting to set up blackhole routing [SOLVED]
Replies: 7
Views: 294

Re: Rookie Error - Lost management access while attempting to set up blackhole routing [SOLVED]

I seem to recall in another thread, you suggested setting the blackhole route distance to 20. Any merit of doing that in this usecase? Well, there's a type=blackhole route, and there's a route with gateway=bridge-interface-named-blackhole , and each of these is used with a different VPN type. The t...
by sindy
Sat Oct 17, 2020 8:32 pm
Forum: General
Topic: PPPoE and L2TP Connection/Routing Issue [SOLVED]
Replies: 9
Views: 314

Re: PPPoE and L2TP Connection/Routing Issue [SOLVED]

I can even open the NMS on 80.3 without an issue but cannot ping it.
...
Sniffer also get response from 80.3
Do I read you right that the sniffer shows an ICMP response from the 80.3 but the client cannot see it? I.e. the response doesn't make it through the Mikrotik to the client?
by sindy
Sat Oct 17, 2020 8:14 pm
Forum: General
Topic: PPPoE and L2TP Connection/Routing Issue [SOLVED]
Replies: 9
Views: 314

Re: PPPoE and L2TP Connection/Routing Issue [SOLVED]

It's strange, as everything looks fine in your configuration. The routes are there, the masquerade rule is there (it could be more selective but it doesn't cause any trouble as-is given the rest of the configuration). So try pinging something in the 192.168.80.0/24 range that you know to respond, fr...
by sindy
Sat Oct 17, 2020 7:47 pm
Forum: General
Topic: PPPoE and L2TP Connection/Routing Issue [SOLVED]
Replies: 9
Views: 314

Re: PPPoE and L2TP Connection/Routing Issue [SOLVED]

The quality of an answer depends on the quality of the question. So to get any useful advice, post your configuration in text form, following the anonymisation hint in my automatic signature right below. Screenshots are useless for any analysis, and yours in particular just show that it doesn't work...
by sindy
Sat Oct 17, 2020 7:43 pm
Forum: General
Topic: Rookie Error - Lost management access while attempting to set up blackhole routing [SOLVED]
Replies: 7
Views: 294

Re: Rookie Error - Lost management access while attempting to set up blackhole routing [SOLVED]

I am still not sure why the blackhole config I added, stopped me getting access You've answered yourself already: because you've put the rule to mangle chain output , which handles packets sent by the router itself. As the router's own IP address is also covered by the subnet you've set as address ...
by sindy
Sat Oct 17, 2020 5:25 pm
Forum: General
Topic: Detect-internet causing internal packet loss
Replies: 17
Views: 4959

Re: Detect-internet causing internal packet loss

/interface detect-internet set detect-interface-list=none
by sindy
Sat Oct 17, 2020 12:22 pm
Forum: General
Topic: Which rule is a connection matching
Replies: 3
Views: 265

Re: Which rule is a connection matching

The order of rules matters, and if there is an "action=accept connection-state=established,..." rule in the input chain of the filter before (above) your new permissive rule for the Winbox access, that new rule will only count for a newly established connection, not for an already existing one. Also...
by sindy
Sat Oct 17, 2020 12:11 pm
Forum: General
Topic: IPSec IKEv2 RoadWarrior - ping works, https not
Replies: 14
Views: 561

Re: IPSec IKEv2 RoadWarrior - ping works, https not

How to do part 2 you wrote? It may be difficult in your case as part of the network is not under your administration. Your configuration export only shows the VPN settings facing your IKEv2 clients. Static IPsec policies that include remote peer's internal address in their dst-address range divert ...
by sindy
Sat Oct 17, 2020 11:45 am
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

try Nth 3-1 2-1 - which is the same as 3-1 3-2 3-3 and I think, less processor intensive. Nth 3,1 - 2,1 is likely not the same as Nth 3,1 - 3,2 - 3,3 and if I remember correctly from some MikroTik presentation files, it has to be in that order for either PCC/Nth where 2 means two WAN, 3 means 3 WAN...
by sindy
Fri Oct 16, 2020 11:13 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

What do you think is the proper way to use Nth for per-connection distribution (implying mark connection)? The way I did originally? Yes, that way was fine for per-connection distribution. All that confusion came just from the fact that you declared that it does per-packet distribution. Earlier you...
by sindy
Fri Oct 16, 2020 10:26 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

If there's no difference between PCC and Nth in per-connection distribution, then what exactly is this paper talking about? https://www.ijcnis.org/index.php/ijcnis/article/view/4340 Let me quote myself from post #16: "the apparently best dynamic load distribution method (nth) gives astounding 101.5...
by sindy
Fri Oct 16, 2020 10:16 pm
Forum: General
Topic: IPSec IKEv2 RoadWarrior - ping works, https not
Replies: 14
Views: 561

Re: IPSec IKEv2 RoadWarrior - ping works, https not

It still smells like an MTU problem - pings are small packets, ssh packets are small most of the time, but http and RDP are large ones. Any VPN eats some bytes of the MTU for its overhead, so the payload packets must be smaller to fit. I can see you are forcing the MSS to 1350, but it may still be too...
by sindy
Fri Oct 16, 2020 9:47 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

I've edited my post reacting to your edited one accordingly. I've expressed my opinion earlier - in an environment with NAT, the impact of per-packet traffic distribution is always negative (except connections which consist of a single request packet and a single response one as @Sob has pointed out...
by sindy
Fri Oct 16, 2020 9:33 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

EDIT: to prevent 80,443 from being packet-marked, add dst-port=!80,443 to the two rules above (translating connection-mark to routing-mark ) or to the mark-packet ones. I've missed that the mark-packet ones aren't selective either. It's always better to check the result than to just hope. If everyt...
by sindy
Fri Oct 16, 2020 8:25 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

The last paragraph of post #32 suggests multiple ways how to do that. Any of them is sufficient.
by sindy
Fri Oct 16, 2020 7:25 pm
Forum: General
Topic: Client isolation and proxy-arp
Replies: 12
Views: 445

Re: Client isolation and proxy-arp

Why not use Port isolation in the switch chip settings ?
Not every Mikrotik device has a switch chip, and not every switch chip supports rules.
by sindy
Fri Oct 16, 2020 6:49 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

With multi-thread (or multi-session, whatever) download, you have to be extremely unlucky not to get the aggregated bandwidth, because each thread = TCP session = tracked connection is treated separately by per-connection traffic distribution. So the fact that you get aggregate bandwidth with multi-...
by sindy
Fri Oct 16, 2020 5:02 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

OK, so let me present another idea how to explain it. When I say "per connection distribution of traffic", it does not mean the same as "traffic distribution controlled by per-connection-classifier ". It simply means that all packets of the same connection use the same WAN, no matter what rule or ma...
by sindy
Fri Oct 16, 2020 4:36 pm
Forum: General
Topic: PPPoE to a internal device
Replies: 3
Views: 189

Re: PPPoE to a internal device

There is no L2 on the PPPoE interface itself, hence no ARP and even no broadcast. Even for the address assignment, PPP's IPCP is used, not DHCP. L2 is the transport for PPPoE, but the payload is only L3. To be absolutely precise, all PPP-based protocols can also do L2 tunneling using BCP, but ISPs o...
by sindy
Fri Oct 16, 2020 4:22 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

Yeah, the packet counters are a good idea by the way. Reset the counters on both the nth rules which assign packet-marks and the rules which translate packet-mark into routing-mark , then run some traffic eligible for nth handling, and compare the counters after that. They should be equal (every pac...
by sindy
Fri Oct 16, 2020 3:26 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

What is your native language? I feel as if you do not attempt to understand what I write. You believe you only use connection-mark for 80 and 443, but the reality is that you use it for all connections, most likely because you still can't understand how the connection-mark actually works. With the r...
by sindy
Fri Oct 16, 2020 2:36 pm
Forum: General
Topic: Cannot drop mndp on a bridge port
Replies: 9
Views: 360

Re: Cannot drop mndp on a bridge port

Anyway I'm using another port for IPv4 entering the box switch. This is the bit I was missing. On the diagram you've posted a few posts above, you can see that the "switch decision" is only taken if hardware "offload" is permitted, and I'm afraid that the "switch decision" includes the processing o...
by sindy
Fri Oct 16, 2020 1:38 pm
Forum: General
Topic: PPPoE to a internal device
Replies: 3
Views: 189

Re: PPPoE to a internal device

PPPoE creates an L3 tunnel, and tunnel establishment and IP address assignment cannot be separated. Hence the (double) dst-nat is the only way in your configuration - the public IP will be up at the Mikrotik, and whatever arrives to it from the internet will be forwarded to the other device's privat...
by sindy
Fri Oct 16, 2020 11:03 am
Forum: General
Topic: Check DHCP Server Status [SOLVED]
Replies: 2
Views: 189

Re: Check DHCP Server Status [SOLVED]

Check this . For your purpose, it is sufficient to just revert the usage logic. Instead of taking an action when the "rogue" (=other) DHCP server is detected, take an action (activate the local dhcp server) when the other one disappears from the unknown-server list (i.e. when the list becomes empty)...
by sindy
Fri Oct 16, 2020 9:45 am
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

I wonder which part of the firewall handling you are missing or misunderstand that prevents you from seeing the logic: do you realize that once you assign a connection-mark to a connection while handling any of that connection's packets, regardless the direction, this connection-mark is then automat...
by sindy
Fri Oct 16, 2020 9:05 am
Forum: General
Topic: Cannot drop mndp on a bridge port
Replies: 9
Views: 360

Re: Cannot drop mndp on a bridge port

It seems that there is no Ingress filter available for traffic coming from a switch-cpu port. As you mention this, I can recall there was an issue with switch rules on the CPU port on the 8237 chip, as I could only match frames by MAC addresses there, but not by higher level headers. I suspect that...
by sindy
Thu Oct 15, 2020 11:59 pm
Forum: General
Topic: Mangle problems after update 6.46.7
Replies: 7
Views: 511

Re: Mangle problems after update 6.46.7

So look into the firewall rules, and if you find nothing there, use /tool sniffer quick ip-address=ip.of.the.remote to see whether the router sends the response anywhere at all when you try to connect from outside to its public IP on uplink #2, or even whether the request from outside actually arriv...
by sindy
Thu Oct 15, 2020 11:29 pm
Forum: General
Topic: Mangle problems after update 6.46.7
Replies: 7
Views: 511

Re: Mangle problems after update 6.46.7

Imagine that in this code the missing "n" is correct OK. In this case, I suspect that the router doesn't actually respond to incoming packets which get the connection-mark Link2-Conn , or that it has no route to the sender of those packets in the routing table main . In the first case, something in...
by sindy
Thu Oct 15, 2020 11:19 pm
Forum: General
Topic: Dynamic firewall filter rule added when IPsec peer is down to avoid unencrypted LAN leaking.
Replies: 5
Views: 210

Re: Dynamic firewall filter rule added when IPsec peer is down to avoid unencrypted LAN leaking.

a modification in the IPsec process (IPsec is in kernel mode isn't it ?) could probably be done to reject input traffic when there is no peer available. Err, which traffic in particular? As long as we talk about statically configured policies, these prevent packets from leaking anywhere simply beca...
by sindy
Thu Oct 15, 2020 10:51 pm
Forum: General
Topic: Mangle problems after update 6.46.7
Replies: 7
Views: 511

Re: Mangle problems after update 6.46.7

I am confused by your reaction. Are you saying that the connection mark value set in the rule in chain output is actually correct (Link2-Conn), but nevertheless the rule doesn't match on any packet? And that the missing n in the post before is just a copy-paste error?
by sindy
Thu Oct 15, 2020 10:46 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

So how do we make it per-packet when I'm already using mark-packet+Nth? Since it is only needed for a test, just add dst-port=80,443 or packet-mark=no-mark to the two rules which assign a routing-mark based on connection-mark - i.e. the action=mark-routing chain=prerouting connection-mark=ISPx_conn...
by sindy
Thu Oct 15, 2020 10:31 pm
Forum: General
Topic: Cannot drop mndp on a bridge port
Replies: 9
Views: 360

Re: Cannot drop mndp on a bridge port

If I disable this bridge interface in the discover list, then mndp leaking stop. If so, the bridge filter rule is either incorrect or affected by the endianness issue. Can you show the rule? I tried to filter it with a switch rule without success either. That is even more strange. This should work...
by sindy
Thu Oct 15, 2020 10:23 pm
Forum: General
Topic: Mangle problems after update 6.46.7
Replies: 7
Views: 511

Re: Mangle problems after update 6.46.7

No wonder that your "Mark Link2 Out" rule never counts, as you refer to connection-mark=Link2-Con (single n in the end) in that rule, while the rule assigning the connection-mark to the traffic coming in via in-interface=PPPoE-Ampernet assigns a connection mark Link2-Conn (double n in the end).
by sindy
Thu Oct 15, 2020 10:17 pm
Forum: General
Topic: Dynamic firewall filter rule added when IPsec peer is down to avoid unencrypted LAN leaking.
Replies: 5
Views: 210

Re: Dynamic firewall filter rule added when IPsec peer is down to avoid unencrypted LAN leaking.

The blackhole bridge as a gateway for the traffic which must not leak is a safer way than any dynamically added/enabled firewall rule, as the packet processing in kernel is faster than any firewall rule modifications (which are done from userspace), so a few packets could often leak before the rule ...
by sindy
Thu Oct 15, 2020 9:23 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

So how does the above give aggregated bandwidth in downloads/uploads? I see doubled bandwidth across the board. Like any other dynamic load distribution method. If you make a throughput test using a single session (=connection), it will show a single uplink bandwidth. speedtest.net, as well as othe...
by sindy
Thu Oct 15, 2020 9:12 pm
Forum: General
Topic: RBM33G with LTE, LoRa and GPS
Replies: 9
Views: 1023

Re: RBM33G with LTE, LoRa and GPS

What I'm missing in your shopping list are two cables (pigtails) U.FL to SMA (ACSMAUFL), to "convert" the U.FL connector on the R11e-LTE6 board into a SMA female peeking out from the CA433U case, two SMA male-SMA male cables (SMASMA) to connect the LTE antenna (they are not bundled with the mANT LTE...
by sindy
Thu Oct 15, 2020 8:16 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

So I'm still confused as to how there's no packet-loss, broken config. Even traceroutes from LAN to remote sites work fine and show their corresponding routes based on whichever ISP was assigned. I use MTR and see 0 packet loss. And gaming, works!? What? So what happens is the following (tracking...
by sindy
Thu Oct 15, 2020 6:30 pm
Forum: General
Topic: Cannot drop mndp on a bridge port
Replies: 9
Views: 360

Re: Cannot drop mndp on a bridge port

I suspect MNDP may be sent directly from the member interfaces rather than from the bridge, which is why bridge filter cannot catch it (leaving aside that there were some endianness-related issues with bridge filter on some CPU architectures). Check which interface-list is configured as discover-int...
by sindy
Thu Oct 15, 2020 6:18 pm
Forum: General
Topic: HAP AC Wired and Wireless VLAN CPU optimisation
Replies: 8
Views: 352

Re: HAP AC Wired and Wireless VLAN CPU optimisation

With hAP ac, hardware offloading on switch chip can only handle traffic between devices in the same VLAN. If routing , rather than bridging , is necessary between the WAN link and the LAN devices (i.e. if WAN and LAN use different IP subnets), the only devices which support hardware offload of routi...
by sindy
Thu Oct 15, 2020 6:14 pm
Forum: General
Topic: Inverse Split Tunneling MikroTik
Replies: 3
Views: 227

Re: Inverse Split Tunneling MikroTik

I had indeed tried before to add a policy "add src-address=172.20.23.0/28 dst-address=172.20.23.1 action=none place-before=0", but it hadn't worked. Now I replaced that with "add src-address=172.20.23.0/28 dst-address=172.20.23.0/28 action=none place-before=0" and it results OK. Of course, because ...
by sindy
Thu Oct 15, 2020 6:09 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

Regarding the Nth everywhere thing, well I'm not suggesting the whole world to use it, now am I? Did I? Ever? No I did not. I've announced in advance I'm going to be a bit emotional ;) So the neutral form of the same statement would have been that the results haven't proven any significant advantag...
by sindy
Thu Oct 15, 2020 1:33 pm
Forum: General
Topic: Port flapping (ether6 link down/up) on RB3011UiAS-RM
Replies: 33
Views: 20610

Re: Port flapping (ether6 link down/up) on RB3011UiAS-RM

Well, 24V / 0.8 A would still be sufficient (with a narrow margin) for the 4011 variant without the wireless part which you seem to have (as the wireless-equipped one comes with a 2.5 A power adaptor), but the age of the power supply may be the issue. The electrolytic capacitors inside these units g...
by sindy
Thu Oct 15, 2020 11:05 am
Forum: General
Topic: Ethernet Connection Error
Replies: 3
Views: 219

Re: Ethernet Connection Error

it couldn't be a problem with cable or so because we have this problem on many devices and on different locations or backbones. Well, if the same person was crimping all the cables, or the same lot of super-cheap connectors was used, or the same super-cheap crimping tool was used, it can still be a ...
by sindy
Thu Oct 15, 2020 10:49 am
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

Well, as this topic was a bit emotional throughout its history, let me be a bit emotional too. Yes, this other paper is much better, but still there are two points: the apparently best dynamic load distribution method ( nth ) gives astounding 101.5% of the download throughput of the apparently worst...
by sindy
Wed Oct 14, 2020 11:25 pm
Forum: General
Topic: l2tp/ipsec issues
Replies: 1
Views: 143

Re: l2tp/ipsec issues

The best way out is to switch to IKEv2. You can implement this workaround to allow multiple L2TP/IPsec clients to connect from behind the same NAT, but it only makes sense if you really need the L2TP/IPsec for some reason. The reasons why IKEv2 is a better choice are mentioned in that topic too. Reg...
by sindy
Wed Oct 14, 2020 11:07 pm
Forum: General
Topic: Best Setup 2 Internet Line from same ISP
Replies: 19
Views: 664

Re: Best Setup 2 Internet Line from same ISP

sometimes it likes to lose connection and unstable speed. That's too vague a description, so I'd exclude one of the WANs at a time and see whether the other one is not unstable on its own. Regarding "what's the best", I gave my opinion in the topic which @anav has referred above. None of the approa...
by sindy
Wed Oct 14, 2020 11:02 pm
Forum: General
Topic: Site to site VPN
Replies: 2
Views: 155

Re: Site to site VPN

This is not so unusual, and it typically happens when both routers are directly on public IPs, or when the IPsec nat-traversal extension is disabled for the peer, and incoming "connections" are not permitted for the ESP protocol (which carries the encrypted payload) at the end from which the ping do...
by sindy
Wed Oct 14, 2020 10:56 pm
Forum: General
Topic: Windows XP via L2TP/Ipsec
Replies: 2
Views: 149

Re: Windows XP via L2TP/Ipsec

The exchange-mode value main-l2tp has been removed because it wasn't actually necessary, plain main is sufficient. The Win XP embedded VPN client is likely to use older=weaker ciphers so they may not be permitted in the /ip ipsec profile and /ip ipsec proposal items you use. Mikrotik log will show y...
by sindy
Wed Oct 14, 2020 10:36 pm
Forum: Forwarding Protocols
Topic: NTH load balancing
Replies: 63
Views: 1620

Re: NTH load balancing

@DarkNate, I'm afraid there may be just some confusion of terms. First, know your audience - many people here deal only with the typical "home router with two ISPs" case, where the ultimate public IP on each WAN is different, so a real per-packet (means per- mid-connection -packet) load distribution...
by sindy
Wed Oct 14, 2020 8:30 pm
Forum: General
Topic: Bridge VLAN Filter : not possible to use tagged traffic with VLAN ID = 1
Replies: 10
Views: 348

Re: Bridge VLAN Filter : not possible to use tagged traffic with VLAN ID = 1

This means that you can use VLAN 1 tagged on some ports, and on the same ports use untagged traffic from another VLAN. Mikrotik would not allow this Nope. It is quite normal also on Mikrotik to have some ports set as access ones for VLAN N (and possibly trunk ones for other VLANs), and other ports s...
by sindy
Wed Oct 14, 2020 8:16 pm
Forum: General
Topic: RB3011 system error critical
Replies: 5
Views: 269

Re: RB3011 system error critical

In that case, it sounds like a hacked router, corrupt password storage, or corrupt configuration - since you can see the machine in the Winbox list of neighbors but cannot log in, either the password must have changed one way or the other, or the management services must have been disabled (even mac...
by sindy
Wed Oct 14, 2020 8:09 pm
Forum: General
Topic: Inverse Split Tunneling MikroTik
Replies: 3
Views: 227

Re: Inverse Split Tunneling MikroTik

Prerouting and filter rules do not affect IPsec policy matching. You can add an /ip ipsec policy row with action=none for the dst-address ranges you want to exclude from the tunneling before (above) the policies with action=encrypt ; policy matching works the same way like firewall rule matching, fi...
by sindy
Wed Oct 14, 2020 7:52 pm
Forum: General
Topic: Bridge VLAN Filter : not possible to use tagged traffic with VLAN ID = 1
Replies: 10
Views: 348

Re: Bridge VLAN Filter : not possible to use tagged traffic with VLAN ID = 1

According to the test i did it's not possible to use tagged traffic with vlan ID = 1 in a bridge using a VLAN filter setup. It is conflicting with untagged traffic that is using VLAN ID = 1 internally. ... Wouldn't it be possible to use VLAN ID = 0 for untagged traffic, instead of ID = 1 ? It's...
by sindy
Wed Oct 14, 2020 7:08 pm
Forum: General
Topic: Best Setup 2 Internet Line from same ISP
Replies: 19
Views: 664

Re: Best Setup 2 Internet Line from same ISP

First, have you fixed the mismatch between routing-mark values used in routes and mangle rules, and does load distribution work now?
by sindy
Wed Oct 14, 2020 6:17 pm
Forum: General
Topic: Secondary Public Ip Problem
Replies: 5
Views: 621

Re: Secondary Public Ip Problem

If it is difficult to talk with the ISP, the other possibility is not to say "neither of the suggested solutions worked" but to post the complete configuration which didn't work for analysis. Both suggestions do work if the actual situation on the uplink is what we expect - already your original pos...
by sindy
Tue Oct 13, 2020 11:49 pm
Forum: General
Topic: single ipv6 /64 range
Replies: 21
Views: 654

Re: single ipv6 /64 range

To get a working routed setup you need 2 prefixes. Can't the ISP router just use the link-layer address of the OP's WAN (which it has got from the DHCP request for the prefix) as a gateway to the /64 it has assigned to the OP's router? I.e. is the interconnection subnet at the WAN side absolutely n...
by sindy
Tue Oct 13, 2020 11:42 pm
Forum: General
Topic: Client Access Link Problem [SOLVED]
Replies: 2
Views: 161

Re: Client Access Link Problem [SOLVED]

The routing-mark you assign identifies a routing table; each of these routing tables only contains a default route. Routes to the locally connected clients only exist in routing table main (which consists of routes with no routing-mark assigned), so they are not used for packets with any routing-mar...
by sindy
Tue Oct 13, 2020 8:56 pm
Forum: General
Topic: Re: Query on mikrotik DSCP/TOS confioguration
Replies: 2
Views: 660

Re: Randomly getting login page for hotspot user

Below is nothing, but first of all, are you sure those clients do not use dynamically changing MAC addresses as recently added to most mobile devices' operating system?
by sindy
Tue Oct 13, 2020 8:20 pm
Forum: General
Topic: How to create VPN from pppoe ISP
Replies: 1
Views: 139

Re: How to create VPN from pppoe ISP

Does the Mikrotik get a public IP address from the ISP? Public addresses are other than 10.0.0.0-10.255.255.255, 100.64.0.0-100.127.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255.
by sindy
Tue Oct 13, 2020 7:09 pm
Forum: General
Topic: Mikrotik network
Replies: 1
Views: 404

Re: Mikrotik network

Sure there is, but if I understood right what you're asking, you need VPN tunnels between the Mikrotik on that "one place" and all of those remote networks; if some of those remote networks use overlapping IP subnets, it adds an extra layer of complexity to the task. To get a more useful answer, ple...
by sindy
Tue Oct 13, 2020 7:02 pm
Forum: General
Topic: Hex Router Temperature Script
Replies: 3
Views: 207

Re: Hex Router Temperature Script

Which part of the related manual page is not clear? No device that generates some considerable amount of heat on its own can measure the ambient temperature using an on-board sensor, you always need an external sensor for that, to be placed far enough from both the device itself and other heat sourc...
by sindy
Tue Oct 13, 2020 6:49 pm
Forum: General
Topic: routerboard as TFTP server
Replies: 11
Views: 447

Re: routerboard as TFTP server

It looks like I got a little carried away with testing what's possible. But if you want to use whole file name without any advanced changes and only read it from some directory, then if you leave req-filename blank, it seems to work like this: /ip tftp add ip-addresses=192.168.7.0/24 real-filename=...
by sindy
Tue Oct 13, 2020 6:31 pm
Forum: General
Topic: single ipv6 /64 range
Replies: 21
Views: 654

Re: single ipv6 /64 range

Also can I assign the same ipv6 range /64 to the lan and wan of the mikrotik device but use the EUI64 to avoid conflict ip addresses? You cannot, it would be equivalent to assigning the same /24 in IPv4 to both - each side would work on its own but the router would not route between them. And if yo...
by sindy
Tue Oct 13, 2020 6:03 pm
Forum: General
Topic: Unable to Release/Renew IP
Replies: 2
Views: 406

Re: Unable to Release/Renew IP

I'd suggest to report this to Mikrotik, via mailto:support@mikrotik.com or via the web interface of the ticketing system - as you say you've used multiple browsers, I'd assume browser cache not to be related, and you say that in Winbox it works all right, so it seems to be a clear bug of the WebFig co...
by sindy
Tue Oct 13, 2020 4:47 pm
Forum: General
Topic: Best Setup 2 Internet Line from same ISP
Replies: 19
Views: 664

Re: Best Setup 2 Internet Line from same ISP

You are right that PCC can be used for any ratio, I must have had a brain eclipse when writing it can only be used for 1:1 distribution. However, 6/6 won't work with PCC - for 5:2 distribution, you have to use 7/0 to 7/6 (the number to the left of the slash is the divider, the number to the right is...
by sindy
Tue Oct 13, 2020 4:37 pm
Forum: General
Topic: Dynamic IPSec policy isn't created
Replies: 4
Views: 289

Re: Dynamic IPSec policy isn't created

I cannot see anything wrong in your configuration (except that I've read somewhere that aggressive mode is not considered secure any more, but I'm no crypto expert, and it's off-topic anyway), so the only issue I can imagine is a bug associated to IKE(v1)'s policy negotiation (or specifically to agg...
by sindy
Tue Oct 13, 2020 4:27 pm
Forum: General
Topic: NAT with a specific IP external
Replies: 8
Views: 309

Re: NAT with a specific IP external

I thought that the to-address thing was to tell the NAT where to send all the traffic, but masking it as the IP that I have in ip-address declared in the bridge, at least that is how I have always used it to redirect internet ports to the local network , did not know this function What you wrote lo...
by sindy
Tue Oct 13, 2020 1:38 pm
Forum: General
Topic: tunnel troubleshoot
Replies: 23
Views: 726

Re: tunnel troubleshoot

Could you please create another script which will contain only the /ip ipsec installed-sa print file=ipsec append part and nothing else, run that new one twice, and see whether the file ipsec.txt is there and what is it contents?
by sindy
Tue Oct 13, 2020 1:14 pm
Forum: General
Topic: tunnel troubleshoot
Replies: 23
Views: 726

Re: tunnel troubleshoot

there should be somefilename.txt if you followed my suggestion literally... what exact command did you type?
by sindy
Tue Oct 13, 2020 12:39 pm
Forum: General
Topic: Best Setup 2 Internet Line from same ISP
Replies: 19
Views: 664

Re: Best Setup 2 Internet Line from same ISP

What I can see is that you use underscore (via _ wan1) in the routing-mark values set on the routes, but in the mangle rules, you assign values with a dash (via - wan1). It means that all the routing-mark values assigned by mangle are unknown to the routing, so it falls back to routing table main (c...
by sindy
Tue Oct 13, 2020 12:33 pm
Forum: General
Topic: tunnel troubleshoot
Replies: 23
Views: 726

Re: tunnel troubleshoot

I tried to make like this :set time [/system clock get time] :local file [/ip ipsec installed-sa print] <--- this fills a (string) variable called file with the output of the print command :local contents [/file get $file contents] <--- this tries to extract the contents of a file whose name is the...
by sindy
Tue Oct 13, 2020 11:50 am
Forum: General
Topic: Need help to Setup Dual Gateway
Replies: 12
Views: 437

Re: Need help to Setup Dual Gateway

Unfortunately I`ve already reset the setting since I couldn't make it work. but if you really need to see the configuration I can do it again(Since I have done it few times) and send it here. Knowledge of the current configuration (without the changes you've reverted) is necessary to give a detaile...
by sindy
Mon Oct 12, 2020 9:08 pm
Forum: General
Topic: Need help to Setup Dual Gateway
Replies: 12
Views: 437

Re: Need help to Setup Dual Gateway

What you experience is nothing specific to Mikrotik. Think also about the routing back, not just the routing forward. On the 'Tik, you need a route to 221.35.12.0/24 (plus routes to other destinations which should be accessed via 172.200.1.17), but the network in the main branch must also know which...
by sindy
Mon Oct 12, 2020 6:06 pm
Forum: General
Topic: L2TP client and IPSEC on RouterBOARD hAP Lite
Replies: 8
Views: 1274

Re: L2TP client and IPSEC on RouterBOARD hAP Lite

Bare IKEv2 is not an official name - I use that to emphasize that it is not "some-tunneling-protocol over IPsec", but the tunneling is provided by IPsec alone. This currently means that no virtual interface is created, and instead of routing the traffic for the remote peer to such a tunnel interface...
by sindy
Mon Oct 12, 2020 5:55 pm
Forum: General
Topic: routerboard as TFTP server
Replies: 11
Views: 447

Re: routerboard as TFTP server

I only knew it was working and I had a look to the existing configuration which was working. So now I've tested the following: /ip tftp add ip-addresses=192.168.88.0/24 real-filename="disk1/\\0" req-filename="6863i\\.st" add ip-addresses=192.168.88.0/24 real-filename="disk1/\\1.\\2" req-filename="(6...
by sindy
Mon Oct 12, 2020 8:40 am
Forum: General
Topic: routerboard as TFTP server
Replies: 11
Views: 447

Re: routerboard as TFTP server

It works, except that in the example, there is the leading slash (/) in the real-file-name value, which is wrong. And I haven't noticed the possibility to use the \0 (a reference to the whole req-filename) so I haven't tried that.
by sindy
Mon Oct 12, 2020 7:40 am
Forum: General
Topic: Possible to Torch firewall rule [SOLVED]
Replies: 4
Views: 306

Re: Possible to Torch firewall rule [SOLVED]

/ip firewall filter print stats interval=1s where chain=forward action=drop ...other match conditions of the rule if needed...
by sindy
Sun Oct 11, 2020 11:53 am
Forum: General
Topic: IKEv2 very slow transfer [SOLVED]
Replies: 4
Views: 256

Re: IKEv2 very slow transfer [SOLVED]

Depending on the other traffic of your router and your uplink bandwidth, disabling the fasttracking rule may have pushed the router beyond its limits. You can use /tool profile to visualize the difference between the fasttracking rule being first disabled and then enabled while the average traffic i...
by sindy
Sun Oct 11, 2020 11:47 am
Forum: General
Topic: Static DNS Route with Dynamic Address
Replies: 13
Views: 381

Re: Static DNS Route with Dynamic Address

@tabate47, do I assume right that the ultimate goal is to make sure that the ubnt boxes would use a different network path (starting by a different gateway) than the other traffic, regardless what the current IP number of the controller is? If that is the case, the generic mechanism for this is call...
by sindy
Sun Oct 11, 2020 10:37 am
Forum: General
Topic: IKEv2 very slow transfer [SOLVED]
Replies: 4
Views: 256

Re: IKEv2 very slow transfer [SOLVED]

First, is there an action=fasttrack-connection rule in chain=forward of /ip firewall filter ? If yes, disable it and try again with a new test connection from the MacOS (already existing connections will not be affected by the change). If that helps, come back for an instruction how to exempt only t...
by sindy
Sat Oct 10, 2020 3:33 pm
Forum: General
Topic: icmp redirect host with wrong byte order.. how can this happen?
Replies: 1
Views: 136

Re: icmp redirect host with wrong byte order.. how can this happen?

It's just the Linux machine showing the nexthop address in wrong byte order in this case. See a similar topic.
by sindy
Sat Oct 10, 2020 3:29 pm
Forum: General
Topic: RB4011 as CAP does not join 'localhost' CAPSMAN
Replies: 2
Views: 146

Re: RB4011 as CAP does not join 'localhost' CAPSMAN

The local cAPs connect to the local CAPsMAN via local loop interface, whose existence is however hidden in RouterOS, using the localhost address 127.0.0.1: [me@MyTik] > ip firewall connection print where src-address~"^127" Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F...
by sindy
Sat Oct 10, 2020 1:31 pm
Forum: General
Topic: Mikrotik cloud, choose IP interface to update
Replies: 1
Views: 203

Re: Mikrotik cloud, choose IP interface to update

I'd use policy routing - create a dynamic address list: /ip firewall address-list add address=cloud.mikrotik.com list=mikrotik-cloud add address=cloud2.mikrotik.com list=mikrotik-cloud An address-list configured this way is automatically updated with dynamic entries representing all the IP numbers t...
by sindy
Sat Oct 10, 2020 12:47 pm
Forum: General
Topic: Problems with traffic (only one way works) in IPSEC tunnel
Replies: 17
Views: 2078

Re: Problems with traffic (only one way works) in IPSEC tunnel

Is it possible the ISP was blocking the tunnel? All my assumptions were based on the fact that you wrote that you could ping between routers' internal private addresses, and that only communication between LAN subnets didn't work. If I've understood that part correctly, blocking by ISP could not ha...
by sindy
Sat Oct 10, 2020 11:04 am
Forum: General
Topic: How to reduce CPU utilization when do Bandwidth control [SOLVED]
Replies: 5
Views: 434

Re: How to reduce CPU utilization when do Bandwidth control [SOLVED]

A scalable solution with load distribution is always better than replacing one all-in-one-box by another single one with more horsepower. The highest step to cross is the one between "one" and "more than one"; whether "more than one" is actually two or twenty doesn't matter much. Both PPPoE and DHCP...
by sindy
Fri Oct 09, 2020 5:03 pm
Forum: General
Topic: IPSec in the IP range of LAN - Lan problem
Replies: 14
Views: 454

Re: IPSec in the IP range of LAN - Lan problem

Here the mode config OK, so you offer /32s to the RWs, fine. or you can dedicate a sub-subnet on site A for the warriors, and make corresponding more precise action=none policies to prevent communication within the remaining sub-subnets from being "stolen" What do you mean with "stolen" ? I...
by sindy
Fri Oct 09, 2020 4:38 pm
Forum: General
Topic: IKEv2: ipsec SPI [...] not registered for [...]
Replies: 8
Views: 397

Re: IKEv2: ipsec SPI [...] not registered for [...]

I've seen reversed stuff in ROS before..... Yeah, me too, but what I strongly suspect is that the reverse printout is limited to the error message, not to the actual matching of the SPI to the list of known ones. So a minor issue, not the root cause. What pulls my eyes to outside the Tik is that th...
by sindy
Fri Oct 09, 2020 3:48 pm
Forum: General
Topic: IPSec in the IP range of LAN - Lan problem
Replies: 14
Views: 454

Re: IPSec in the IP range of LAN - Lan problem

In that case, you can either use the NAT approach (road warriors will be able to connect to servers at site B but the requests will come with IP address of Site A) or you can dedicate a sub-subnet on site A for the warriors, and make corresponding more precise action=none policies to prevent communi...
by sindy
Fri Oct 09, 2020 3:29 pm
Forum: General
Topic: IKEv2: ipsec SPI [...] not registered for [...]
Replies: 8
Views: 397

Re: IKEv2: ipsec SPI [...] not registered for [...]

Of course it is not. But as you say that it only happens sometimes, the sniff is very important to find out where to complain - in Riga or in Redmond. So nothing to do but wait until it happens again. But it may also be that only the log message swaps the order, and in reality the difference is bigg...
by sindy
Fri Oct 09, 2020 3:26 pm
Forum: General
Topic: SSH error "can't agree on KEX algorithms"
Replies: 9
Views: 368

Re: SSH error "can't agree on KEX algorithms"

A brief google search has found this: https://www.netxms.org/documentation/adminguide/ssh-monitoring.html One of the first paragraphs says that the default ssh configuration is used by default, but that you can specify a dedicated configuration file for the ssh client. So you can enable the older ci...
by sindy
Fri Oct 09, 2020 3:08 pm
Forum: General
Topic: ECMP balancing sometimes breaks TCP connection
Replies: 9
Views: 404

Re: ECMP balancing sometimes breaks TCP connection

So, from the mikrotik's point of view, the destination could be a single host that lies beyond the server 1 and 2, it doesn't know that the servers re-route the packets to themselves. But that's the very point. The Mikrotik feels free to use any of the two gateways, because it cannot even dream abo...
by sindy
Fri Oct 09, 2020 2:31 pm
Forum: General
Topic: IPSec in the IP range of LAN - Lan problem
Replies: 14
Views: 454

Re: IPSec in the IP range of LAN - Lan problem

Hence my description above has to be used. Three distinct subnets - the road warriors' one, Site A LAN subnet, Site B LAN subnet. The split-include for warriors must contain both Site A LAN subnet and Site B LAN subnet. Between A and B, one policy must cover Site A LAN subnet to Site B LAN subnet co...
by sindy
Fri Oct 09, 2020 1:23 pm
Forum: General
Topic: How to reduce CPU utilization when do Bandwidth control [SOLVED]
Replies: 5
Views: 434

Re: How to reduce CPU utilization when do Bandwidth control [SOLVED]

Bandwidth enforcement is CPU intensive, so you'll have to pour in more CPU. There is no way to optimize the current setup without affecting its behaviour (pcq per each individual user simply must create as many virtual queues as there are users). And yes, it will require a reconfiguration of the top...
by sindy
Fri Oct 09, 2020 1:13 pm
Forum: General
Topic: IPSec in the IP range of LAN - Lan problem
Replies: 14
Views: 454

Re: IPSec in the IP range of LAN - Lan problem

So do the road warriors need to connect to the subnet of the peer to which they are connected at all? If not, the policy for the remote peer is sufficient for them. And if the LANs of the two static peers don't need to talk to each other, a single policy between them is sufficient too, between the r...
by sindy
Fri Oct 09, 2020 12:50 pm
Forum: General
Topic: IPSec in the IP range of LAN - Lan problem
Replies: 14
Views: 454

Re: IPSec in the IP range of LAN - Lan problem

The road warriors should get addresses in none of the two subnets, otherwise you'll have this kind of problems all the time. In mode-config for the road warriors, set the split-include to both subnets (of the local server and the remote server). The road warriors will create two policies each, one p...
by sindy
Fri Oct 09, 2020 12:23 pm
Forum: General
Topic: IPSec in the IP range of LAN - Lan problem
Replies: 14
Views: 454

Re: IPSec in the IP range of LAN - Lan problem

Do you assign addresses from the LAN subnet to the road warriors?
by sindy
Fri Oct 09, 2020 11:57 am
Forum: General
Topic: SSH error "can't agree on KEX algorithms"
Replies: 9
Views: 368

Re: SSH error "can't agree on KEX algorithms"

So then the second part of my message applies - nothing else can be done a Mikrotik side at user level. This is a forum of users which Mikrotik staff only monitors, not an official input channel to Mikrotik product development. So to have the list of supported ciphers augmented at Mikrotik side, you...
by sindy
Fri Oct 09, 2020 11:47 am
Forum: General
Topic: Trying to create a IPSEC VPN Server
Replies: 7
Views: 404

Re: Trying to create a IPSEC VPN Server

For every combination of "local" and "remote" address which have to talk to each other via the tunnel, there must be a corresponding policy at both peers. The "local" address must fit into the src-address of that policy's traffic selector, the "remote" one must fit into its dst-address . The policie...
by sindy
Fri Oct 09, 2020 11:28 am
Forum: General
Topic: IPSec in the IP range of LAN - Lan problem
Replies: 14
Views: 454

Re: IPSec in the IP range of LAN - Lan problem

You have to create an exemption IPsec policy action=none src-address=the.lan.sub.net/mask dst-address=the.lan.sub.net/mask and put it before (above) the one which causes the problems. If the actual policy is created from a template, the exemption policy must be placed before the template.
by sindy
Fri Oct 09, 2020 11:22 am
Forum: General
Topic: SSH error "can't agree on KEX algorithms"
Replies: 9
Views: 368

Re: SSH error "can't agree on KEX algorithms"

Set strong-crypto to yes as I wrote above and try again.
by sindy
Fri Oct 09, 2020 9:28 am
Forum: General
Topic: SSH error "can't agree on KEX algorithms"
Replies: 9
Views: 368

Re: SSH error "can't agree on KEX algorithms"

If you have strong-crypto under /ip ssh set to yes , there's nothing more you could do at RouterOS side through configuration. So you have to see whether you can enable a weaker key suite at the NetXMS end. I don't know whether the ssh poll uses the settings from /etc/ssh/ssh_config or whether it us...
by sindy
Thu Oct 08, 2020 10:30 pm
Forum: General
Topic: IKEv2: ipsec SPI [...] not registered for [...]
Replies: 8
Views: 397

Re: IKEv2: ipsec SPI [...] not registered for [...]

I've also seen other glitches in IPsec after some months of continuous operation on other RouterOS versions... sniff the traffic while the issue occurs, generate the supout.rif and send both to support. Then first just disable the peer and re-enable it, and if that doesn't help, reboot the router.
by sindy
Thu Oct 08, 2020 10:26 pm
Forum: General
Topic: PPTP - Dynamic Route with mark [SOLVED]
Replies: 2
Views: 164

Re: PPTP - Dynamic Route with mark [SOLVED]

Leaving aside the weak security of PPTP in particular while it's equally simple (or complex) to set up like L2TP/IPsec, there is always the possibility to use the on-up and on-down scripts of the /ppp profile row. You can link the /ppp secret row to a dedicated /ppp profile row. So instead of adding...
by sindy
Thu Oct 08, 2020 6:35 pm
Forum: General
Topic: Problems with traffic (only one way works) in IPSEC tunnel
Replies: 17
Views: 2078

Re: Problems with traffic (only one way works) in IPSEC tunnel

what is wrong in my configuration I've posted above? I can confirm that I haven't found anything wrong in your firewall rules. You do have the action=notrack rules in raw , you do have the "accept untracked" rule in chain=forward of filter , your policies do not overlap in any way, and reception of...
by sindy
Thu Oct 08, 2020 1:06 pm
Forum: General
Topic: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot
Replies: 12
Views: 655

Re: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot

Also i am confused why there are so many vlan in RouterOS. It must be that the vlan in the switch is hardware related while the bridge vlan is the Software and in the interface vlan idk. Correct. The switch chip is quite a separate entity, and if you don't need hardware forwarding between its ports...
by sindy
Wed Oct 07, 2020 10:31 pm
Forum: General
Topic: Metal 52 ac - stuck "searching for network"
Replies: 5
Views: 262

Re: Metal 52 ac - stuck "searching for network"

My wild guess - could it be that the AP has the channels that may conflict with radars enabled and therefore hasn't started the 5 GHz radio yet? Can you run /interface wireless scan at the Metal and see whether it can see any networks at all around you? No idea where you are located, so there may or...
by sindy
Wed Oct 07, 2020 7:57 pm
Forum: General
Topic: Problem with route cache in RB2011
Replies: 1
Views: 356

Re: Problem with route cache in RB2011

Routing cache has been removed from newer linux kernels as it turned out to be a kind of security risk. So the full cache may be a consequence of some kind of an attack targeting that aspect, or of merely a too diverse traffic running through the device (or of a bug of course). I have never encounte...
by sindy
Wed Oct 07, 2020 7:49 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

For some reason, when dst-address-type=!local is used. Things stop working as well. This is a popular misunderstanding, likely powered by a no less popular wishful thinking. dst-address-type=local (or src-address-type=local ) matches when the address is question is any of the router's own addresses...
by sindy
Wed Oct 07, 2020 1:55 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

Okay, so print shows that differently from export , and the reason for the quotes is that there is the space in the name. Why the ! is shown inside the quotes rather than outside is a different point but it works the expected way (on my test CHR, that is). So no idea again. With "my" rules disabled,...
by sindy
Wed Oct 07, 2020 12:23 pm
Forum: General
Topic: R11e-LTE Passthrough to Cisco 4321 not working.
Replies: 12
Views: 671

Re: R11e-LTE Passthrough to Cisco 4321 not working.

If I've got @SiB's suggestion properly, you can use Winbox via MAC address to get to the machine where the R11e-LTE is plugged in without need to reset the machine to defaults. If you cannot use Winbox for whatever reason, use another Mikrotik and mac-telnet from there. If you don't have another Mik...
by sindy
Wed Oct 07, 2020 12:00 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

How did you manage to get in-interface-name="!WAN" (with quotes)???

I am unable to do this, neither from commandline nor from winbox, so I don't know how that rule behaves in such case.

It is impossible to debug a configuration I cannot see - you have posted a working one, not the broken one.
by sindy
Wed Oct 07, 2020 8:27 am
Forum: General
Topic: Weird traffic
Replies: 6
Views: 333

Re: Weird traffic

It's odd that you are seeing it from devices with static addresses. Using the packet sniffer rather than torch may reveal more. It's broadcast traffic, so it is clear that it is visible also at interfaces with static IP addresses. Notice that the understanding of source and destination in torch is ...
by sindy
Tue Oct 06, 2020 4:04 pm
Forum: General
Topic: Internet sharing in a VLAN
Replies: 1
Views: 157

Re: Internet sharing in a VLAN

1. I don't get how your Option 1 differs from the previous state (where there is NAT between the VLAN uplink and any other device, so only the CRS itself has an address from the ISP). 2. CRS are primarily switches with some weak routing capability, but 0.2 Mbit/s cannot be explained by weak CPU unle...
by sindy
Tue Oct 06, 2020 2:42 pm
Forum: General
Topic: Connection NAT state srcnat?
Replies: 9
Views: 437

Re: Connection NAT state srcnat?

Yes, only the initial packet of a connection is matched by the rule chains in /ip firewall nat . All the rest of packets belonging to the connection inherits the NAT behavior from the first one, as the handling of the first packet is remembered in the connection tracking and applied appropriately to ...
by sindy
Tue Oct 06, 2020 2:25 pm
Forum: General
Topic: L2TP/IPSec user access works but blocked Tx connection
Replies: 3
Views: 210

Re: L2TP/IPSec user access works but blocked Tx connection

If you haven't created supout.rif before removing the secret2, Mikrotik will not be able to see the issue and thus won't be able to fix it. So if it happens next time, don't forget to create the .rif, at best one while the user is connected and cannot send packets, and another one while the user is ...
by sindy
Tue Oct 06, 2020 12:41 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

To me too. Do the mangle rules count (/ip firewall mangle print stats where action~"mark-routing")? They should, as otherwise they couldn't break anything :)
So post the complete config, not just the pieces you deem relevant.
by sindy
Tue Oct 06, 2020 10:46 am
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

Show me /interface list member print.
by sindy
Tue Oct 06, 2020 9:02 am
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

All I have to do is to have this on my mangle, and remove existing records. Nope, if you should have removed the existing mangle rules, I would have said that. You cannot remove the ones added based on the video (mangle chains input and output ) because this would prevent your VPN server from worki...
by sindy
Mon Oct 05, 2020 10:35 pm
Forum: General
Topic: [VLAN] Set a port to untagged using switch chip
Replies: 17
Views: 762

Re: [VLAN] Set a port to untagged using switch chip

I don't get the difference. On my hAP ac², I've got the following: /interface bridge add name=bridge ... vlan-filtering=yes pvid=3 ... /interface bridge port add bridge=bridge interface=ether1 pvid=3 hw=no /interface ethernet switch vlan ... add independent-learning=yes ports=switch1-cpu,ether1,ethe...
by sindy
Mon Oct 05, 2020 9:47 pm
Forum: General
Topic: L2TP/IPSec user access works but blocked Tx connection
Replies: 3
Views: 210

Re: L2TP/IPSec user access works but blocked Tx connection

I'm not sure I get you right, so double-checking: when you mention a secret , you have in mind a row in the /ppp secret table, correct? when you say that "testuser - secret2" works, it means that the testuser uses the same username and password as employee2 , so he lands at the same /ppp secret row?...
by sindy
Mon Oct 05, 2020 8:29 pm
Forum: General
Topic: Not pingable within a bridge
Replies: 3
Views: 217

Re: Not pingable within a bridge

If I read you right, the default load balance option "original port base" means that each virtual NIC connected to the vswitch is systematically linked to a particular physical NIC (as long as the physical one is up). So on the physical switch, the MAC addresses of various virtual NICs are bound to ...
by sindy
Mon Oct 05, 2020 7:17 pm
Forum: General
Topic: R11e-LTE Passthrough to Cisco 4321 not working.
Replies: 12
Views: 671

Re: R11e-LTE Passthrough to Cisco 4321 not working.

So does passthrough use NAT on these devices to hide the public IP from the inside device? If it did, it wouldn't be a passthrough. Post the config of the Mikrotik. The modem has no reason to assign an address from 192.168.88.0/24, it must be the Mikrotik itself what is doing it. The whole trick is...
by sindy
Mon Oct 05, 2020 7:09 pm
Forum: General
Topic: Hiarpin NAT
Replies: 10
Views: 447

Re: Hiarpin NAT

Ideally I'd want to use connection-nat-state=dstnat, to match only dstnatted connections, but it's not supported in /ip firewall nat. At some place I don't remember I am assigning a connection-mark based on connection-state=dstnat somewhere between chain=dstnat and chain=srcnat to deliver the info ...
by sindy
Mon Oct 05, 2020 7:04 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

I have many vlans and a bridge. I am not sure how to apply the PCC example on mikrotik wiki. The per-connection-classifier just provides always the same result (match or mismatch) for all the packets belonging to the same connection, because it calculates a hash from source address, source port, de...
by sindy
Mon Oct 05, 2020 6:44 pm
Forum: Beginner Basics
Topic: load balance three lines
Replies: 8
Views: 338

Re: load balance three lines

I'm afraid @sindy won't as @sindy doesn't like the tone (it even has a short history).
by sindy
Mon Oct 05, 2020 4:23 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

Is that VPN only for connection to company LAN or the VPN users can connect to something in the internet via the VPN? If only for LAN, there is no need to distribute the load using ECMP or PCC, as the WAN uplink is chosen already by the user which connects to one or the other public IP.
by sindy
Mon Oct 05, 2020 4:19 pm
Forum: General
Topic: tunnel troubleshoot
Replies: 23
Views: 726

Re: tunnel troubleshoot

Yes, the mature ones are in use. And yes, you need one per direction. The dying ones should not exist for more than a couple of seconds, so if they do, it is already weird (or the traffic volume is so low - the dying SA is normally there after a rekey until the first packet arrives through the new S...
by sindy
Mon Oct 05, 2020 4:13 pm
Forum: General
Topic: Bridging 2 hAP ac2 over ethernet + wireless? [SOLVED]
Replies: 6
Views: 319

Re: Bridging 2 hAP ac2 over ethernet + wireless? [SOLVED]

the router complains, that only a regulatory domain mode is allowed for the country. Now what does this mean? That you must change the frequency-mode from manual-txpower to regulatory-domain in the same command where you set the country name. The meteoradars are terribly sensitive (they have to be)...
by sindy
Mon Oct 05, 2020 1:37 pm
Forum: General
Topic: Change the winbox loging port
Replies: 1
Views: 156

Re: Change the winbox loging port

Just put :the-other-port-number after the IP address in the Connect To field (ex: 192.168.88.1:28291)
by sindy
Mon Oct 05, 2020 1:26 pm
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

So is the recommended approach to abandon ECMP and instead use PCC? As for me, yes. But it will cost you a bit of CPU power, as mangling is incompatible with fasttracking (which is only used for forwarded packets, not for connections to/from the router itself). So depending on your Mikrotik model, ...
by sindy
Mon Oct 05, 2020 1:02 pm
Forum: General
Topic: tunnel troubleshoot
Replies: 23
Views: 726

Re: tunnel troubleshoot

I can't ping from mikrotik because vlans are on the cisco below mikrotik, not on router itself. How can you forward traffic using IPsec if the Mikrotik isn't configured as a gateway, i.e. if it doesn't have an IP address in the sender's subnet? The 'Tik must first receive the packet in order to matc...
by sindy
Mon Oct 05, 2020 12:09 pm
Forum: General
Topic: Bridging 2 hAP ac2 over ethernet + wireless? [SOLVED]
Replies: 6
Views: 319

Re: Bridging 2 hAP ac2 over ethernet + wireless? [SOLVED]

If you want to avoid issues with ČTÚ, I'd definitely recommend to set the country. It causes no real harm, except that some 5 GHz channels are subject to DFS (the minutes-long listening-only gap before using the channel), so you may want to prevent them from being used.
by sindy
Mon Oct 05, 2020 12:02 pm
Forum: General
Topic: tunnel troubleshoot
Replies: 23
Views: 726

Re: tunnel troubleshoot

it looks like a mission impossible so, what can we do then? Maybe the best start is to switch on logging of the IPsec and to run a netwatch pinging through the tunnel which will log failures ( on-down={:log warning message="ping through tunnel down"} ) to see in the logs whether the issue is correl...
by sindy
Mon Oct 05, 2020 11:30 am
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

I'm not sure what strategy it uses. I followed the instructions on https://www.youtube.com/watch?v=DDMD1GVg84M It just seemed to work. When I do curl ifconfig.me several times, I get returned different IPs. It almost alternates between ISP1 and ISP2 IPs evenly. My config is below. This setup uses EC...
by sindy
Mon Oct 05, 2020 10:17 am
Forum: General
Topic: Using most available bandwidth wan
Replies: 35
Views: 1058

Re: Using most available bandwidth wan

You cannot learn what the limitations of your upload bandwidth at the ISP side or further in the network are. You can use Mikrotik's queues to actively limit the upload bandwidth of different classes of uplink traffic generated in your LAN (and by the router itself) according to your preferences as it l...
by sindy
Mon Oct 05, 2020 9:48 am
Forum: General
Topic: How I use command get ip address from address-lists?
Replies: 1
Views: 107

Re: How I use command get ip address from address-lists?

:put [/ip firewall address-list get [find list=emule_IPaddress] address]

But this works only if there is exactly one row like this. If there can be more, it's

:foreach item in=[/ip firewall address-list find list=emule_IPaddress] do={:put [/ip firewall address-list get $item address]}
by sindy
Sun Oct 04, 2020 11:54 pm
Forum: General
Topic: tunnel troubleshoot
Replies: 23
Views: 726

Re: tunnel troubleshoot

I'm wondering whether a phone conversation wouldn't be much faster... What do you mean by "lower are L2" So this MikroTik has a tunnel between PfSense from another HQ and on that PfSense are created openvpn servers which are remote shops connection (they are using mikrotiks also, but smaller ones, not CCR). And...
by sindy
Sun Oct 04, 2020 10:54 pm
Forum: General
Topic: Strange DNS queries over PPTP VPN
Replies: 11
Views: 515

Re: Strange DNS queries over PPTP VPN

Yes, features added due to RouterOS upgrade are configured with default settings, and this censored is enabled by default.
by sindy
Sun Oct 04, 2020 10:37 pm
Forum: General
Topic: Problems with traffic (only one way works) in IPSEC tunnel
Replies: 17
Views: 2078

Re: Problems with traffic (only one way works) in IPSEC tunnel

Why would a default dynamic route created for an interface on the bridge (which goes nowhere) impair the IPSEC tunnel functionality for the main subnets? Because in order to get matched by an IPsec policy, a packet first needs to pass through the "normal" routing and firewall. Matching of pac...
by sindy
Sun Oct 04, 2020 9:14 pm
Forum: General
Topic: Problems with traffic (only one way works) in IPSEC tunnel
Replies: 17
Views: 2078

Re: Problems with traffic (only one way works) in IPSEC tunnel

Look at this post. If it doesn't help you find the issue, post the configuration of both machines, anonymized as per the hint in my automatic signature here below.
by sindy
Sun Oct 04, 2020 8:21 pm
Forum: General
Topic: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot
Replies: 12
Views: 655

Re: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot

I am very confused about vlan rn... and still trying to understand it.
VLAN implementation on Mikrotik or VLAN as a concept? Have you seen @pcunite's textbook on that already?
by sindy
Sun Oct 04, 2020 7:47 pm
Forum: General
Topic: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot
Replies: 12
Views: 655

Re: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot

What was the question you forgot to add to your declaration? What do you mean? In the post to which I've replied this, you've provided the information about the current topology, but you wrote nothing that would require any reaction. So I was assuming that, once you've shown the topology, there was s...
by sindy
Sun Oct 04, 2020 7:34 pm
Forum: General
Topic: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot
Replies: 12
Views: 655

Re: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot

This way, the clients can access the management interface of the APs if they manually assign themselves addresses from 192.168.5.0/24, and the arp=reply-only cannot prevent that, as ARP is only used when routing is necessary to deliver a packet, which is not the case to a client associated to one of...
by sindy
Sun Oct 04, 2020 6:08 pm
Forum: General
Topic: Help with OVPN and pfSense
Replies: 17
Views: 590

Re: Help with OVPN and pfSense

Tell me what country you live in via PM, maybe I'll be visiting it one day :)
by sindy
Sun Oct 04, 2020 6:06 pm
Forum: General
Topic: Best Setup 2 Internet Line from same ISP
Replies: 19
Views: 664

Re: Best Setup 2 Internet Line from same ISP

- wlan1 50M/50M - wlan2 4M/20M if 20 is the download limit and 4 is the upload limit, and you mostly download, then it's best to use nth rules to spread the connections in a 5:2 ratio (or, in other words, 2 of each 7 to be sent via wlan2 with the 20M bandwidth, and the rest via wlan1): /ip firewa...
by sindy
Sun Oct 04, 2020 4:30 pm
Forum: General
Topic: Best Setup 2 Internet Line from same ISP
Replies: 19
Views: 664

Re: Best Setup 2 Internet Line from same ISP

Well, so I suppose that the router with PPPoE uplink either links each PPPoE uplink to another SSID or it restricts the bandwidth per connected wireless client, but that's not important for the setup at your end. The key is that you can use an IP address along with an interface name as a gateway of ...
by sindy
Sun Oct 04, 2020 4:09 pm
Forum: General
Topic: Strange DNS queries over PPTP VPN
Replies: 11
Views: 515

Re: Strange DNS queries over PPTP VPN

On both routers, there's /interface detect-internet set detect-interface-list=all Unless you really need this brand-new (since about a year) hi-tech feature, change that to detect-interface-list=none and the mystery should be gone. And be thankful to whatever entity you believe in that you haven't e...
by sindy
Sun Oct 04, 2020 3:56 pm
Forum: General
Topic: Help with OVPN and pfSense
Replies: 17
Views: 590

Re: Help with OVPN and pfSense

OK, in that case, changing that rule's action from masquerade to accept should resolve the issue. You have to stop the ping and let the connection time out (10 seconds are enough) before trying again after changing the rule - the s which stands for src-nat should not be shown, and the reply-dst-addr...
by sindy
Sun Oct 04, 2020 3:52 pm
Forum: General
Topic: Best Setup 2 Internet Line from same ISP
Replies: 19
Views: 664

Re: Best Setup 2 Internet Line from same ISP

Wait, the IP addresses are assigned directly to wlan1 and wlan2, so PPPoE is not related to the IP address assignment (unless you've renamed PPPoE interfaces to wlan1 and wlan2). Can you post an export of the whole configuration (see my automatic signature below for hints), and if the PPPoE is on some o...
by sindy
Sun Oct 04, 2020 3:46 pm
Forum: General
Topic: Bridging 2 hAP ac2 over ethernet + wireless? [SOLVED]
Replies: 6
Views: 319

Re: Bridging 2 hAP ac2 over ethernet + wireless? [SOLVED]

The wireless repeater mode is always worse in terms of throughput as each packet must be received and then transmitted again in a half-duplex environment and on the same frequency channel. So yes, the simplest way is to set the hAP ac² acting as the secondary AP to a factory default configuration, t...
by sindy
Sun Oct 04, 2020 3:22 pm
Forum: General
Topic: Help with OVPN and pfSense
Replies: 17
Views: 590

Re: Help with OVPN and pfSense

OK, so you've started from scratch, good. In this configuration, change the action in the action=masquerade chain=srcnat dst-address=10.0.0.0/15 log=yes log-prefix=teste src-address=10.2.26.0/24 rule in /ip firewall mangle to accept and you should be fine. Even if it is not sufficient, doing this is...
by sindy
Sun Oct 04, 2020 1:47 pm
Forum: General
Topic: Best Setup 2 Internet Line from same ISP
Replies: 19
Views: 664

Re: Best Setup 2 Internet Line from same ISP

Do you have two IP addresses on the same physical interface at your router or do you have each uplink on a separate interface? Is there PPPoE, DHCP, manually configured IP? Without knowledge of the physical and logical topology, no useful suggestion can be made. If you have two modems/routers from t...
by sindy
Sun Oct 04, 2020 1:30 pm
Forum: General
Topic: Strange DNS queries over PPTP VPN
Replies: 11
Views: 515

Re: Strange DNS queries over PPTP VPN

I did what you suggested: ... So yes it seems to me that the packets incoming already have 84.116.46.22&3 as destination. And now also 1.1.1.1 and 8.8.8.8 (I did not see those yesterday). I don't think site B is doing this (right?), but I also cannot see something strange on site A: Well, it is eve...
by sindy
Sun Oct 04, 2020 12:33 pm
Forum: General
Topic: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot
Replies: 12
Views: 655

Re: Cannot access Access Points GUI when Arp Reply-only is Set in Hotspot

So is there any workaround in this? In our culture, mentalism has no real tradition, so I can't see your network setup clearly. So what I assume is that you run the 192.168.5.0/24 and the 10.0.0.0/24 in the same (V)LAN, and you want to keep the arp=reply-only behavior in place for the hotspot clie...
by sindy
Sun Oct 04, 2020 12:16 pm
Forum: General
Topic: tunnel troubleshoot
Replies: 23
Views: 726

Re: tunnel troubleshoot

Firewall of the other router is the same, it has just more src or dst nat there, so rules which are for us interesting are the same. But now at this point, tunnel is established through pfsense and there are not many rules on the WAN side except one that we are using for internal purposes What tunn...
by sindy
Sat Oct 03, 2020 10:36 pm
Forum: General
Topic: Strange DNS queries over PPTP VPN
Replies: 11
Views: 515

Re: Strange DNS queries over PPTP VPN

OK, in that case, I suppose some dst-nat rule at site B is hyperactive. Since the source port is 5678, which is the port of Mikrotik Neighbor Discovery Protocol, I suppose that the router at site A actually sends UDP packets from port 5678 to port 5678 (the MNDP ones), and as they emerge from the tu...
by sindy
Sat Oct 03, 2020 8:41 pm
Forum: General
Topic: Strange DNS queries over PPTP VPN
Replies: 11
Views: 515

Re: Strange DNS queries over PPTP VPN

The add-default-route parameter of the /interface pptp-client row on the router at site A is probably set to the default value *) yes . /ip route export shows the static configuration; /ip route print shows the actual state of the routing table, including routes generated dynamically (by DHCP client...
by sindy
Sat Oct 03, 2020 6:45 pm
Forum: General
Topic: ipv6 issue behind modem router.
Replies: 23
Views: 838

Re: ipv6 issue behind modem router.

One more idea, try to set rapid-commit to no on the /ipv6 dhcp-client rows on the Mikrotik.