MikroTik

sindy

In the LAN behind the router 192.168.88.1 is an LAN-connected device PC with the address 192.168.88.254. Is there a way to check whether port 502 is open on PC by RouterOS means? Open two commandline windows to routerOS. In one of them, run tool sniffer quick ip-address=192.168.88.254 ip-protocol=i...

sindy

/interface list add name=PPTP /ppp profile add copy-from=default-encryption name=pptp interface-list=PPTP /ppp secret set the-name-of-the-client profile=PPTP /ip firewall nat add out-interface-list=PPTP action=masquerade Move away from PPTP if you want to remain the only administrator of your devic...

sindy

The action=none policy addresses the case when a packet sent by the LAN client is too large to fit to the WAN if encapsulated into IPsec transport packet and needs to be made smaller (by sending a smaller portion of the TCP buffer). So it addresses an issue with local client's PMTU discovery on the ...

sindy

Redundant parts would be better than missing ones, so far so good. If we split the above into points which are fixed and which can be addressed in multiple ways, we get the following: fixed: the ISP uplink must be physically connected to the 750 all the client devices are physically connected to the...

sindy

Looks like there is a memory leak in 6.48 beta(s)

A clear disadvantage of having a hAP ac² with 256 MB RAM - with the standard 128 you'd notice that much sooner :) Send the supout.rif to support@mikrotik.com to help them identify the process which leaks.

sindy

If you are interested in a particular connection, you can use match conditions (src-address~"ip.add.re.ss:port", protocol~"icmp" etc.) even with interval.

sindy

Post the configuration export and the actual ping command.

sindy

I've never had this issue (and tested again right now on 6.46.7). Are you sure there is no src-nat (or masquerade) rule which replaces the source address set using the src-address parameter of ping?

sindy

I believe it was the same with the addition of an entry in the "Out Bridge Port List", which I believe was set to all LAN. I will need to check that next time I am down there. If the action=masquerade rule is set to match on the WAN port and on a list of LAN bridge ports at the same time, it cannot...

sindy

Think about what happens if you add a rule somewhere between the existing ones. How would your script learn the new number of the rule it works with? The line numbers are intended solely as a help for the human administrator when modifying the configuration, so that the find would not be necessary f...

sindy

The rule numbers are associated dynamically by the print command, and only remain valid until the next print of the same table. So to specify a rule for modification within a script, use /ip firewall filter disable [find chain=... action=... ...] to specify the rule. Test the proper conditions in ad...

sindy

Maybe you missed it, but this is a lab setup , not a production one. ... I do agree that the 2 input rules I have are useless. Keby nebolo tých dvoch pravidiel, vôbec by ma nenapadlo uvažovať o inej variante. But most of all it nicely cleared up my confusion when and what to tag. I need to think mo...

sindy

Leave the default IP's as is (88.1). Turn off DHCP and NAT from QS. ... All is well after reset. Repeating my steps above, I lose Internet when I turn off the DHCP server. DHCP client still sees the ISP and can release/renew OK. Pings from connected machine don't work (obviously). The connected mac...

sindy

Have you read @anav's automatic signature carefully? It's worth it. The point with CAPsMAN configuration is the following: if the datapath row indicates local-forwarding=no , the bridge indicated on that row refers to a bridge on the CAPsMAN device. All frames received from the air by the cAP device...

sindy

Two points. as I've suggested earlier, action=return in a built-in chain has the same effect like action=accept . You've made me test it :) From security perspective this is a much better outcome than the other one, which I was afraid of - that the iOS would retry connections via internet if connect...

sindy

So, some questions: What baseline should I be starting from? Factory defaults Router? Factory defaults Bridge? Or no defaults at all (which I have not tried due to many nightmare stories of folks who had to use a serial cable to recover from that)? "Factory defaults -> home CPE" is a good start. "N...

sindy

At first ,i`m using simple one bridge which name is bridge1. And all of the bonding interfaces and sfpplus17 added to bridge1 and hardware offload is enabled. i saw H flag is on every ports in bridge1. But i only got 4.6Gbps total throughput for download and upload got only 2mbps . This is the only...

sindy

My fault, I forgot the modifier detail in the print command. The problem with screenshots is that in many cases they show less than a commandline print detail ; in this particular case (ipsec policy list) the screenshot shows almost everything (only the proposal and ipsec transport protocol are miss...

sindy

why would ARP care about IP routes when it's below IP @mkx, this is the essence of the answer I would have written if I stayed up so late like you and Sob yesterday. The IP to MAC translation is part of adaptation of the IP layer to the link layer on shared media (point-to-multipoint) interfaces, s...

sindy

If somebody could steer me in the right direction, i would be really grateful. I've tried already, see my previous post. From what you wrote now instead of explicitly answering my question, I deduct that you've configured the IPsec settings for L2TP manually, rather than allowing RouterOS to create...

sindy

I'll have to trust you on that. Don't trust me (I dare to quote 71-Hour Ahmed on that topic: "Ye gods, no! My mother is a D'reg! She would be terribly offended if I trusted her."). Instead, trust the machine: [me@myTik] > ip arp print where address in 192.168.6.0/24 Flags: X - disabled, I - invalid...

sindy

Can you explain what is this "move *ffffff destination=0" doing? I don't know what was @msatter's setup in which he has moved the last policy (*ffffffff) to the beginning (top) of the list, but in your case, I don't understand the place-before= 1 . The action=none policy exempting packets for the L...

sindy

And my modem i see mac address of my router board but ip difference

Create a dedicated topic in General. This topic is reserved for issues specifically related to 6.46.7.

sindy

How does MT in this case handle the reply? Does it pollute ARP cache (with 192.168.1.1 now pointing to B's MAC) or it rather notices it received request through different ether port (and ARP cache is per port?). Or does it simply ignore sender's IP address because dstMAC of ARP response packet is a...

sindy

I have to ask, what is the purpose of two modems from the same ISP? It's not two modems from the same ISP. It's two modems from different ISPs, but both using the same LAN subnet, which the customer cannot change on either of the two modems. I kinda followed the explanation Sindy, but not knowing d...

sindy

But the thing here is that the OP does not do port translation but port based redirection to another address . That's why the incoming connection to dst port 88, which gets dst-nated, is then handled in forward whereas the incoming connection to dst port 2222, which does not get dst-nated, is handle...

sindy

The fact that neither the Mikrotik nor the Apple can connect indicates an issue at Windows server end. How have you configured the L2TP/IPsec client at Mikrotik side? Using use-ipsec=yes and setting ipsec-secret to the PSK value configured on the server on the /interface l2tp-client row, or have you...

sindy

To justify the budget for security is always complicated, as the damage feels abstract and unreal to the CFO until the company gets actually hit. In simple words, Layer 7 analysis does more or less the same like an anti-virus running on the endpoint: it scans the application data flowing through it ...

sindy

@ahmet82, assuming it is not a completely other setup than the one you deal with in your other topic , you'll have to resolve a conflict between the scriptless failover based on recursive next-hop search and the setup recommended by @bpwl where same gateway IP is used on two WANs so you have to conf...

sindy

even though I have logging enabled on the RAS Server there is no log entry. This sounds almost as if you were connecting somewhere else for some reason (maybe a dst-nat rule on the path between the client and the server). I do have separate rules enabling UDP 500 and 4500 on the Windows Server. Do ...

sindy

So is using VLANs with EOIP a. possible, and b. recommended? a. yes, you can use the EoIP tunnel the same way as if it was just an unusually long section of an Ethernet cable b. any L2 tunnel is a trade-off. It wastes your bandwidth for the broadcast traffic (ARP and other), and even for unicast tr...

sindy

Interesting!! Lets debate the issue. The dst-nat rule matches only on dst-port=88 . Hence packets towards the WAN IP:88 get dst-nated, and packets towards the WAN IP:2222 don't. So those to :88 have got a new destination address after the dst-nat operation. And the decision whether the packet is fo...

sindy

Thanks for correcting me.

A big black point to whoever has decided to disable PM again a few days ago, I'd have used it instead if that was still possible.

sindy

3) GRE tunnel is a virtual L2 connection and since VLAN is "L2.5" thre's no reason why VLAN tags couldn't pass GRE tunnel to the remote end. If you are going that way, I suggest you to go with bridge VLAN way, because example configuration I showed in answer to question #2 would get even more compl...

sindy

Can you post the actual rows from the log? In a CLI window (available via [Terminal] button in Winbox or WebFig), use /log print and copy-paste the beginning of the output if it still contains those lines. If they are not there any more, repeat the procedure to see them again. How did you obtain the...

sindy

I don't have any LTE to test with I do. It's a terrible mess. If we let alone the "serial modem" mode, depending on (possibly) RouterOS versions and/or LTE modem models and/on firmware versions, you can get a dynamically added DHCP client (for which you cannot configure a lease script), or you may ...

sindy

Is there any way to accomplish both dst-nat and saving to address list then? Of course. Two ways: place the action=add-src-to-address-list rule to filter/input for port 2222 and to filter/forward for port 88 (with additional conditions respecting the direction and destination) place the action=add-...

sindy

Is this possible? Of course it is. For this purpose, you'll have 4 routing tables: two for local subnet 1, with the following order of preference of the WANs: a: 1,2,3,4 b: 2,1,4,3 two for local subnet 2, with the following order of preference of the WANs: c: 3,4 d: 4,3 And two pairs of PCC rules, ...

sindy

Sorry, I've missed the dst-nat part.

nat/dstnat happens before filter, so as you have redirected the traffic incoming to port 88 to a private address in dstnat, it became a transit one (from one router interface to another), and therefore it is handled by filter/forward, not by filter/input.

sindy

Does it work if you put there port 88 alone (rather than 88,2222)?
If you make a copy of that rule and just replace action=add-src-to-address-list by action=passthrough, does that added rule count packets with destination port 88? It is possible that the packets to port 88 actually don't arrive.

sindy

Show me the actual firewall rules you use, please. It makes little sense this way.

sindy

If set up properly, there is no reason why EoIP shouldn't work across a NAT, as EoIP looks like GRE from outside. If EoIP doesn't work, you can use L2TP with BCP for L2 tunneling instead - since you have EoIP, I guess you have a Mikrotik at both ends. Show the complete configuration exports from bot...

sindy

Anyone that runs "SMB" on a router/firewall AND has it exposed to Internet should be thrown into the darkest dungeon of mount Doom! I'm afraid this statement is valid even without the "AND has it exposed to Internet" part... I suppose the vulnerability was being exploited from the LAN side, from an...

sindy

I'd have to see the configs of both OFFICE and HOME machines to be able to suggest something. The difference between ping handling and TCP handling may be that you have placed the permissive rule for the TCP to a wrong place in the firewall. Also, the "PC" is what? A client trying to access the came...

sindy

Go check Shodan for your public IP space to see what they've discovered. Enter your public IP into the search form field and press the magnifying glass. It will tell you what ports are open there and how far it could get trying to connect to them. Without an account, you've got just a few queries p...

sindy

From what you've posted and what you haven't, it sounds like two distinct issues. First, to redirect (dst-nat) the initial request packet from the client somewhere in the internet to the tunnel towards HOME at OFFICE, and then use another redirection at HOME to the actual device, is just one part of...

sindy

Is the VoIP "device" a phone or a PBX?

sindy

Stop using PPTP if you want to remain the only administrator of your router. It takes three clicks more to configure L2TP over IPsec which is way more secure.

sindy

1. create a topic dedicated to your issue instead of piggy-backing a loosely related one 2. post the configuration export of the Mikrotik in that new topic (supposing the issue is the same with all 40 of them), see my automatic signature below on how to prevent leaking any sensitive information 3. e...

sindy

As a matter of interest, would this have any kind of interaction (which may result in a bypass) of a blackhole route for when VPN is down? I suspect not, but just curious as to if there is anything else behind the scenes here The action=none policy has dst-address=your.lan.sub.net . So it can only ...

sindy

Have you noticed the requirement for certificate validity not to be longer than 800 days? I hazily remember hitting exactly your issue, where the Mikrotik was seeing the peer as active but the iOS reported authentication failure. Maybe with the new iOS version the requirement is even stronger and e....

sindy

Ether1 cannot be removed from switch as you see on screenshot. Of course, that's what I said before, all the Ethernet interfaces are in fact ports of the switch chip, it only depends on the rest of the configuration whether the switch is allowed to forward traffic between them autonomously or wheth...

sindy

1. duplicated IP address required on bridge and eth2 port (if disabled for ethernet port, then router cant connect to network) This one sounds most puzzling to me. The WAN interface of the router is on ether1, so why should the IP address assignment to the bridge and/or to ether2 have any relations...

sindy

A few months ago tested an OpenVPN Tunnel with the Mikrotik hEX S RB760iGS and did a few speed test. 1st I ran a test with the Hex S configured as a router behind a router with out an OpenVpn connection, and I was able to get an Iperf transfer at 936 mbits. Since you've mentioned almost 10 VLANs/su...

sindy

You dont need to guess topology, here it is. RB951Ui-2nD, ether1 as WAN, and ether1-ether5 in SWITCH mode togoether with switch1-cpu. On other end ( x86 device ) All ports from port0-port9 in bridge mode and cable connected to RB951Ui-2nD. I dont have SWITCH option in winbox for x86 device. Is it p...

sindy

Is it possible for you to review the screenshot below? We have a management vlan. The switch in the image does not participate in this vlan. But there are 2700 registered macs. If I turn off the administrator vlan on the main router, the number of macs drops to 400. We may be getting somewhere. You...

sindy

The phones are full featured desk ip phones that have openvpn clients built in them. Do you think Router OS 7 would solve a lot of these issues? Depends on what you call an issue. ROS 7 supports UDP as OpenVPN's transports protocol, which has an impact on the possible issues with delay (but maybe p...

sindy

I've understood your OP the way that a mere change of the way how the internal addresses are assigned to the clients has made it impossible for you to connect to the client routers. As you've shown private address ranges for both business clients and home clients (it is hard to guess where's the typ...

sindy

Is there a better way for me to go about establishing a openvpn server? How would you handle this requirement? Hard to answer not knowing the priorities of the requirements. If OpenVPN is a must, I'd use OpenWRT on a device supporting it, but don't expect the L2 setup to be any easier. If L3 is eno...

sindy

you can use the existing address-list feature, you can add as many individual addresses, ranges, or prefixes to the same address-list (same list value), and the rule then matches if the IP address matches any of the records on that list. one of parameters of a DHCP lease is address-lists . So whene...

sindy

Several points. First, it is just a "best current practice" to use a dedicated (V)LAN for each IP subnet, but there is no technical barrier preventing you from using multiple subnets in the same VLAN, and in specific cases, you may need to use the same IP subnet in multiple (V)LANs. Therefore, "I ne...

sindy

My ISP provides an ONR (Optical Network Router), it has 4 port, LAN1 for Internet and LAN2 for Network TV. Currently the LAN1 is connected to my Mikrotik CHR and LAN2 is connected to my Ubiquiti USG. Both of them obtained different WAN public IP by the same ISP. I tested both of them able to access...

sindy

If no DHCP server is set up on a Mikrotik acting as a mere bridge (i.e. also use-ip-firewall=no ), and there are no bridge filter/nat rules, there is no reason why Office 365 should be affected selectively. So it looks like either a more generic problem which you have only noticed when connecting to...

sindy

The network value same as the address value looks weird but as the gateway in the routes is the interface name, it should still be OK. Even ping 8.8.8.8 from the router itself doesn't work? What does interface lte firmware-upgrade lte1 upgrade=no say?

sindy

My guess would be that you haven't reflected the change from previous IP on ether1 to new IP on PPPoE via ether1 in the firewall. As ether1 is not an IP interface any more, the IP firewall cannot see any pacpets coming in via ether1, and the pppoe-out1 is not added to the interface list WAN. If this...

sindy

The thing is, the input packet does hit the firewall. If I create a filter rule on the input chain with an action of “log” I can see the packet come into the router. If I modify the rule to apply to the output chain though, I see that no response is generated. There was a similar topic about a year...

sindy

The IPsec standard requires that packets which reverse-match the traffic selector of any existing IPsec policy and did not arrive via the SA associated to that policy be dropped. So RouterOS silently drops them before they reach any firewall rule.

sindy

The issue is not to know what the message means - it means exactly what it says. Some frame sent with the source MAC address of that port has somehow made it back to it. The real issue is to guess the topology of the rest of your network to find out why it happens :) The loop can exist anywhere in t...

sindy

The principle of that solution is that the topmost recursive routes are only active if the destination address of the bottommost one is available via its "physical" gateway. If the rest of the configuration is correct, which cannot be seen from just a list of routes, disconnection of one WAN (or its...

sindy

There is nothing bad as such about getting a /32 address. It depends on the internal interface of the LTE modem what is the address assignment mode. What does /ip route print say? And what exactly "doesn't work"? Have you tried to swap the SIMs between the devices? This is my output with yet another...

sindy

Stop. We're most likely hunting for a ghost here. Hardware "acceleration" is enabled at both ports, so the traffic between them is forwarded by the switch chip, bypassing the CPU, hence the CPU cannot sniff it. The frames you can see in the sniffer output are there because they are either sent by th...

sindy

Just for the case, I'd disable also the row in /interface bridge port which makes the LAG a member of the bridge (someone here had an issue with a disabled EoIP affecting the MTU of the bridge, so disabling the membership should be a safer way). Other than that, your export suggests that you have th...

sindy

Mikrotik's firewall uses a "sip helper" (under /ip firewall service-port ), which is good when the phones are connected to the LAN of Mikrotik, but cannot handle phones connecting from the internet to a PBX behind Mikrotik. No SIP proxy as such is supported by RouterOS. If your PBX itself cannot be ...

sindy

Assuming you want the traffic to be forwarded between sfp-sfpplus3 and the LAG tagged, the record for vlan-ids=200 in /interface bridge vlan must have the ports on the tagged list, not on the untagged one.

sindy

Did you observe the issue to be present while taking the captures? Because your initial screenshot from torch shows that majority of the frames seen were PPPoE ones, and there is not a single PPPoE frame in either of your two capture files. If the issue was there while you were sniffing, was any sni...

sindy

It's not just the IP address, the interfaces bonded together should have no individual configuration on themselves at all. This is especially critical when using LACP, as the LACP PDUs are VLAN-agnostic since they are intended for link layer control. As you do not use LACP, it is possible, and break...

sindy

It seems you have some gaps in understanding how the firewall works. chain input handles packets whose destination is the router itself. Chain forward is for packets which transit through the router from one interface to another. action=return does not return the packet to the sender as you might ex...

sindy

If I add the rule as you noted in the other thread, I don't see any changes to my NAT ... If you mean the policy as I noted in the other thread, it won't change the dynamically added NAT rule no matter whether that rule matches on the connection-mark or the src-address-list as set on the mode-confi...

sindy

action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible). example: /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47 results in the sam...

sindy

Most, if not all, the LTE modems use the USB lines on the miniPCIe, not the PCIe ones. I have no idea about the LoRa module in this regard. But my main concern was regarding using the USB port on the RBM33G for GPS as the port may be 3.0 only (it's inside the case, I can't check right now whether it...

sindy

viewtopic.php?t=157048

sindy

the price will be higher than the RBM33G + Chassis. It depends on the price of the GPS (which is part of the LtAP) and the price of weather protection of the RBM33G+chassis - I assume at least the GPS and LoRa antennas will be outdoors, and antenna cables shold be ASAP (S=short in this case). Btw, ...

sindy

strange is , than disabled interface can do somtething like this :( I agree with you*), however, this is a fellow user forum, so just complaining about things here won't change anything. To get issues resolved, you have to file a ticket at Mikrotik's ticketing system . *) on the other hand, you've ...

sindy

Strongswan has "Split tunneling custom subnets", but it does not generate all policies, there is only one, first one configured in mode configs. It looks to me as a mismatch of concepts. The StrongSwan acting as initiator only requests a single traffic selector, 0.0.0.0/0->0.0.0.0/0, even if you co...

sindy

It's due to the different handling of split-include . Windows ignore split-include prefixes in the mode-config data (or maybe Mikrotik doesn't even attempt to send them if it finds out that the peer is a Windows machine, no idea) and negotiate a policy with 0.0.0.0/0 at remote side; then, they use a...

sindy

Have you seen (and tried) this?

Since you say you have a problem with sending from the local devices (if I got you right), it is a likely cause and solution.

sindy

Sorry, this was a useless question. The button may be broken, but it cannot be tested during runtime.
What does system routerboard settings print show?

sindy

What happens if you press the reset button while the router is running? Does it cause a restart?

sindy

Why do you need the ":any"?

sindy

Can you try WebFig or ssh instead of Winbox? Or have you disabled those protocols?

EDIT: sorry, you've mentioned you cannot find it in WebFig. Click Interfaces in the left hand menu, and the [Detect Internet] button is above the list of interfaces, next to the [Add New] one.

sindy

The 80 range is a VSAT 550ms+ range. The sniffer says the response from the 80.3 arrives 40-60 ms after the request is sent in the opposite direction. But as you mention there's a VSAT link in the path, 40-60 ms is mission impossible, so could it actually be 1040-1060 ms (i.e. response to request N...

sindy

I seem to recall in another thread, you suggested setting the blackhole route distance to 20. Any merit of doing that in this usecase? Well, there's a type=blackhole route, and there's a route with gateway=bridge-interface-named-blackhole , and each of these is used with a different VPN type. The t...

sindy

I can even open the NMS on 80.3 without an issue but cannot ping it.
...
Sniffer also get response from 80.3

Do I read you right that the sniffer shows an ICMP response from the 80.3 but the client cannot see it? I.e. the response doesn't make it through the Mikrotik to the client?

sindy

It's strange, as everything looks fine in your configuration. The routes are there, the masquerade rule is there (it could be more selective but it doesn't cause any trouble as-is given the rest of the configuration). So try pinging something in the 192.168.80.0/24 range that you know to respond, fr...

sindy

The quality of an answer depends on the quality of the question. So to get any useful advice, post your configuration in text form, following the anonymisation hint in my automatic signature right below. Screenshots are useless for any analysis, and yours in particular just show that it doesn't work...

sindy

I am still not sure why the blackhole config I added, stopped me getting access You've answered yourself already: because you've put the rule to mangle chain output , which handles packets sent by the router itself. As the router's own IP address is also covered by the subnet you've set as address ...

sindy

/interface detect-internet set detect-interface-list=none

sindy

viewtopic.php?t=157048

sindy

The order of rules matters, and if there is an "action=accept connection-state=established,..." rule in the input chain of the filter before (above) your new permissive rule for the Winbox access, that new rule will only count for a newly established connection, not for an already existing one. Also...

sindy

How to do part 2 you wrote? It may be difficult in your case as part of the network is not under your administration. Your configuration export only shows the VPN settings facing your IKEv2 clients. Static IPsec policies that include remote peer's internal address in their dst-address range divert ...

sindy

try Nth 3-1 2-1 - which is the same as 3-1 3-2 3-3 and I think, less processor intensive. Nth 3,1 - 2,1 is likely not the same as Nth 3,1 - 3,2 - 3,3 and if I remember correctly from some MikroTik presentation files, it has to be in that order for either PCC/Nth where 2 means two WAN, 3 means 3 WAN...

sindy

What do you think is the proper way to use Nth for per-connection distribution (implying mark connection)? The way I did originally? Yes, that way was fine for per-connection distribution. All that confusion came just from the fact that you declared that it does per-packet distribution. Earlier you...

sindy

If there's no difference between PCC and Nth in per-connection distribution, then what exactly is this paper talking about? https://www.ijcnis.org/index.php/ijcnis/article/view/4340 Let me quote myself from post #16: "the apparently best dynamic load distribution method (nth) gives astounding 101.5...

sindy

It still smells like an MTU problem - ping are small packets, ssh are small packets most of the time, but http and RDP are large ones. Any VPN eats some bytes of the MTU for its ovehead, so the payload packets must be smaller to fit. I can see you are forcing the MSS to 1350, but it may still be too...

sindy

I've edited my post reacting to your edited one accordingly. I've expressed my opinion earlier - in an environment with NAT, the impact of per-packet traffic distribution is always negative (except connections which consist of a single request packet and a single response one as @Sob has pointed out...

sindy

EDIT: to prevent 80,443 from being packet-marked, add dst-port=!80,443 to the two rules above (translating connection-mark to routing-mark ) or to the mark-packet ones. I've missed that the mark-packet ones aren't selective either. It's always better to check the result than to just hope. If everyt...

sindy

The last paragraph of post #32 suggests multiple ways how to do that. Any of them is sufficient.

sindy

Why not use Port isolation in the switch chip settings ?

Not every Mikrotik device has a switch chip, and not every switch chip supports rules.

sindy

With multi-thread (or multi-session, whatever) download, you have to be extremely unlucky not to get the aggregated bandwidth, because each thread = TCP session = tracked connection is treated separately by per-connection traffic distribution. So the fact that you get aggregate bandwidth with multi-...

sindy

OK, so let me present another idea how to explain it. When I say "per connection distribution of traffic", it does not mean the same as "traffic distribution controlled by per-connection-classifier ". It simply means that all packets of the same connection use the same WAN, no matter what rule or ma...

sindy

There is no L2 on the PPPoE interface itself, hence no ARP and even no broadcast. Even for the address assignment, PPP's IPCP is used, not DHCP. L2 is the transport for PPPoE, but the payload is only L3. To be absolutely precise, all PPP-based protocols can also do L2 tunneling using BCP, but ISPs o...

sindy

Yeah, the packet counters are a good idea by the way. Reset the counters on both the nth rules which assign packet-marks and the rules which translate packet-mark into routing-mark , then run some traffic eligible for nth handling, and compare the counters after that. They should be equal (every pac...

sindy

What is your native language? I feel as if you do not attempt to understand what I write. You believe you only use connection-mark for 80 and 443, but the reality is that you use it for all connections, most likely because you still can't understand how the connection-mark actually works. With the r...

sindy

Anyway i'm using another port for IPv4 entering the box switch. This is the bit I was missing. On the diagram you've posted a few posts above, you can see that the "switch decision" is only taken if hardware "offload" is permitted, and I'm afraid that the "switch decision" includes the processing o...

sindy

PPPoE creates an L3 tunnel, and tunnel establishment and IP address assignment cannot be separated. Hence the (double) dst-nat is the only way in your configuration - the public IP will be up at the Mikrotik, and whatever arrives to it from the internet will be forwarded to the other device's privat...

sindy

Check this . For your purpose, it is sufficient to just revert the usage logic. Instead of taking an action when the "rogue" (=other) DHCP server is detected, take an action (activate the local dhcp server) when the other one disappears from the unknown-server list (i.e. when the list becomes empty)...

sindy

I wonder which part of the firewall handling you are missing or misunderstand that prevents you from seeing the logic: do you realize that once you assign a connection-mark to a connection while handling any of that connection's packets, regardless the direction, this connection-mark is then automat...

sindy

It seems that there is no Ingress filter available for traffic coming from a switch-cpu port. As you mention this, I can recall there was an issue with switch rules on the CPU port on the 8237 chip, as I could only match frames by MAC addresses there, but not by higher level headers. I suspect that...

sindy

So look into the firewall rules, and if you find nothing there, use /tool sniffer quick ip-address=ip.of.the.remote to see whether the router sends the response anywhere at all when you try to connect from outside to its public IP on uplink #2, or even whether the request from outside actually arriv...

sindy

Imagine that in this code the missing "n" is correct OK. In this case, I suspect that the router doesn't actually respond to incoming packets which get the connection-mark Link2-Conn , or that it has no route to the sender of those packets in the routing table main . In the first case, something in...

sindy

a modification in the IPsec process (IPsec is in kernel mode isn't it ?) could probably be done to reject input traffic when there is no peer available. Err, which traffic in particular? As long as we talk about statically configured policies, these prevent packets from leaking anywhere simply beca...

sindy

I am confused by your reaction. Are you saying that the connection mark value set in the rule in chain output is actually correct (Link2-Conn), but nevertheless the rule doesn't match on any packet? And that the missing n in the post before is just a copy-paste error?

sindy

So how do we make it per-packet when I'm already using mark-parket+Nth? Since it is only needed for a test, just add dst-port=80,443 or packet-mark=no-mark to the two rules which assign a routing-mark based on connection-mark - i.e. the action=mark-routing chain=prerouting connection-mark=ISPx_conn...

sindy

If i disable this bridge interface in the discover list, then mndp leaking stop. If so, the bridge filter rule is either incorrect or affected by the endianness issue. Can you show the rule? I tried to filter it with a switch rule without success neither. That is even more strange. This should work...

sindy

No wonder that your "Mark Link2 Out" rule never counts, as you refer to connection-mark=Link2-Co n (single n in the end) in that rule, while the rule assigning the connection-mark to the traffic coming in via in-interface=PPPoE-Ampernet assigns a connection mark Link2-Co nn (double n in the end).

sindy

The blackhole bridge as a gateway for the traffic which must not leak is a safer way than any dynamically added/enabled firewall rule, as the packet processing in kernel is faster than any firewall rule modifications (which are done from userspace), so a few packets could often leak before the rule ...

sindy

So how does the above give aggregated bandwidth in downloads/uploads? I see doubled bandwidth across the board. Like any other dynamic load distribution method. If you make a throughput test using a single session (=connection), it will show a single uplink bandwidth. speedtest.net, as well as othe...

sindy

What I'm missing in your shopping list are two cables (pigtails) U.FL to SMA (ACSMAUFL), to "convert" the U.FL connector on the R11e-LTE6 board into a SMA female peeking out from the CA433U case, two SMA male-SMA male cables (SMASMA) to connect the LTE antenna (they are not bundled with the mANT LTE...

sindy

So I'm still confused as to how there's no packet-loss, broken config. Even traceroutes from LAN to remote sites works fine and shows their corresponding routes based on whichever ISP was assigned. I use MTR and see 0 packet loss. And gaming, works!? What? So what happens is the following (tracking...

sindy

I suspect MNDP may be sent directly from the member interfaces rather than from the bridge, which is why bridge filter cannot catch it (leaving aside that there were some endianness-related issues with bridge filter on some CPU architectures). Check which interface-list is configured as discover-int...

sindy

With hAP ac, hardware offloading on switch chip can only handle traffic between devices in the same VLAN. If routing , rather than bridging , is necessary between the WAN link and the LAN devices (i.e. if WAN and LAN use different IP subnets), the only devices which support hardware offload of routi...

sindy

I had indeed tried before to add a policy "add src-address=172.20.23.0/28 dst-address=172.20.23.1 action=none place-before=0", but it hadn't worked. Now I replaced that with "add src-address=172.20.23.0/28 dst-address=172.20.23.0/28 action=none place-before=0" and it results OK. Of course, because ...

sindy

Regarding the Nth everywhere thing, well I'm not suggesting the whole world to use it, now am I? Did I? Ever? No I did not. I've announced in advance I'm going to be a bit emotional ;) So the neutral form of the same statement would have been that the results haven't proven any significant advantag...

sindy

Well, 24V / 0.8 A would still be sufficient (with a narrow margin) for the 4011 variant without the wireless part which you seem to have (as the wireless-equipped one comes with a 2.5 A power adaptor), but the age of the power supply may be the issue. The electrolytic capacitors inside these units g...

sindy

it couldnt be a problem with cable or so because we have this problem on many devices and on different locations or backbones. Well, if the same person was crimping all the cables, or the same lot of super-cheap connectors was used, or the same super-cheap crimping tool was used, it can still be a ...

sindy

Well, as this topic was a bit emotional throughout its history, let me be a bit emotional too. Yes, this other paper is much better, but still there are two points: the apparently best dynamic load distribution method ( nth ) gives astounding 101.5% of the download throughput of the apparently worst...

sindy

The best way out is to switch to IKEv2. You can implement this workaround to allow multiple L2TP/IPsec clients to connect from behind the same NAT, but it only makes sense if you really need the L2TP/IPsec for some reason. The reasons why IKEv2 is a better choice are mentioned in that topic too. Reg...

sindy

sometimes it likes to lose connection and unstable speed. That's too vague a description, so I'd exclude one of the WANs at a time and see whether the other one is not unstable on its own. Regarding "what's the best", I gave my opinion in the topic which @anav has referred above. None of the approa...

sindy

This is not so unusual, and it typically happens when both routers are directly on public IPs, or when the IPsec nat-traversal extension is disabled for the peer, and incoming "connections" are not permitted for the ESP protocol (which carries the encrypted payload) at the end from which the ping do...

sindy

The exchange-mode value main-l2tp has been removed because it wasn't actually necessary, plain main is sufficient. The Win XP embedded VPN client is likely to use older=weaker ciphers so they may not be permitted in the /ip ipsec profile and /ip ipsec proposal items you use. Mikrotik log will show y...

sindy

@DarkNate, I'm afraid there may be just some confusion of terms. First, know your audience - many people here deal only with the typical "home router with two ISPs" case, where the ultimate public IP on each WAN is different, so a real per-packet (means per- mid-connection -packet) load distribution...

sindy

This mean that you can use VLAN 1 tagged on some ports, and on the same ports use untagged traffic from another VLAN. Mikrotik would not allow this Nope. It is quite normal also on Mikrotik to have some ports set as access ones for VLAN N (and possibly trunk ones for other VLANs), and other ports s...

sindy

In that case, it sounds like a hacked router, corrupt password storage, or corrupt configuration - since you can see the machine in the Winbox list of neighbors but cannot log in, either the password must have changed one way or the other, or the management services must have been disabled (even mac...

sindy

Prerouting and filter rules do not affect IPsec policy matching. You can add an /ip ipsec policy row with action=none for the dst-address ranges you want to exclude from the tunneling before (above) the policies with action=encrypt ; policy matching works the same way like firewall rule matching, fi...

sindy

According to the test i did it's not possible to use tagged traffic with vlan ID = 1 in a bridge using a VLAN filter setup. It is conflicting with untagged traffic that is using VLAN ID = 1 internally. ... Wouldn't it be possible to use VLAN ID = 0 for untagged traffic, instead of ID = 1 ?[/b] It's...

sindy

First, have you fixed the mismatch between routing-mark values used in routes and mangle rules, and does load distribution work now?

sindy

If it is difficult to talk with the ISP, the other possibility is not to say "neither of the suggested solutions worked" but to post the complete configuration which didn't work for analysis. Both suggestions do work if the actual situation on the uplink is what we expect - already your original pos...

sindy

To get a working routed setup you need 2 prefixes. Can't the ISP router just use the link-layer address of the OP's WAN (which it has got from the DHCP request for the prefix) as a gateway to the /64 it has assigned to the OP's router? I.e. is the interconnection subnet at the WAN side absolutely n...

sindy

The routing-mark you assign identifies a routing table; each of these routing tables only contains a default route. Routes to the locally connected clients only exist in routing table main (which consists of routes with no routing-mark assigned), so they are not used for packets with any routing-mar...

sindy

Below is nothing, but first of all, are you sure those clients do not use dynamically changing MAC addresses as recently added to most mobile devices' operating system?

sindy

Does the Mikrotik get a public IP address from the ISP? Public addresses are other than 10.0.0.0-10.255.255.255, 100.64.0.0-100.127.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255.

sindy

Sure there is, but if I understood right what you're asking, you need VPN tunnels between the Mikrotik on that "one place" and all of those remote networks; if some of those remote networks use overlapping IP subnets, it adds an extra layer of complexity to the task. To get a more useful answer, ple...

sindy

Which part of the related manual page is not clear? No device that generates some considerable amount of heat on its own can measure the ambient temperature using an on-board sensor, you always need an external sensor for that, to be placed far enough from both the device itself and other heat sourc...

sindy

It looks like I got a little carried away with testing what's possible. But if you want to use whole file name without any advanced changes and only read it from some directory, then if you leave req-filename blank, it seems to work like this: /ip tftp add ip-addresses=192.168.7.0/24 real-filename=...

sindy

also can i assign the same ipv6 range /64 to the lan and wan of the mikrotik device but use the EUI64 to avoid conflict ip addresses? You cannot, it would be equivalent to assigning the same /24 in IPv4 to both - each side would work on its own but the router would not route between them. And if yo...

sindy

I'd suggest to report this to Mikrotik, via mailto:support@mikrotik.com or via the web interface of the ticketing system - as you say you've used multiple browsers, I'd assume browser cache not to be related, and you say that in Winbox it works allright, so it seems to be a cler bug of the WebFig co...

sindy

You are right that PCC can be used for any ratio, I must have had a brain eclipse when writing it can only be used for 1:1 distribution. However, 6/6 won't work with PCC - for 5:2 distribution, you have to use 7/0 to 7/6 (the number to the left of the slash is the divider, the number to the right is...

sindy

I cannot see anything wrong in your configuration (except that I've read somewhere that aggressive mode is not considered secure any more, but I'm no crypto expert, and it's off-topic anyway), so the only issue I can imagine is a bug associated to IKE(v1)'s policy negotiation (or specifically to agg...

sindy

I thought that the to-address thing was to tell the NAT where to send all the traffic, but masking it as the IP that I have in ip-address declared in the bridge, at least that is how I have always used it to redirect internet ports to the local network , did not know this function What you wrote lo...

sindy

Could you please create another script which will contain only the /ip ipsec installed-sa print file=ipsec append part and nothing else, run that new one twice, and see whether the file ipsec.txt is there and what is it contents?

sindy

there should be somefilename.txt if you followed my suggestion literally... what exact command did you type?

sindy

What I can see is that you use underscore (via _ wan1) in the routing-mark values set on the routes, but in the mangle rules, you assign values with a dash (via - wan1). It means that all the routing-mark values assigned by mangle are unknown to the routing, so it falls back to routing table main (c...

sindy

i tried to make like this :set time [/system clock get time] :local file [/ip ipsec installed-sa print] <--- this fills a (string) variable called file with the output of the print command :local contents [/file get $file contents] <--- this tries to extract the contents of a file whose name is the...

sindy

Unfortunately I`ve already reset the setting since I couldn't make it work. but if you really need to see the configuration I can do it again(Since I have done it few times) and send it here. Knowledge of the current configuration (without the changes you've reverted) is necessary to give a detaile...

sindy

What you experience is nothing specific to Mikrotik. Think also about the routing back, not just the routing forward. On the 'Tik, you need a route to 221.35.12.0/24 (plus routes to other destinations which should be accessed via 172.200.1.17), but the network in the main branch must also know which...

sindy

Bare IKEv2 is not an official name - I use that to emphasize that it is not "some-tunneling-protocol over IPsec", but the tunneling is provided by IPsec alone. This currently means that no virtual interface is created, and instead of routing the traffic for the remote peer to such a tunnel interface...

sindy

I only knew it was working and I had a look to the existing configuration which was working. So now I've tested the following: /ip tftp add ip-addresses=192.168.88.0/24 real-filename="disk1/\\0" req-filename="6863i\\.st" add ip-addresses=192.168.88.0/24 real-filename="disk1/\\1.\\2" req-filename="(6...

sindy

It works, except that in the example, there is the leading slash (/) in the real-file-name value, which is wrong. And I haven't noticed the possibility to use the \0 (a reference to the whole req-filename) so I haven't tried that.

sindy

/ip firewall filter print stats interval=1s where chain=forward action=drop ...other match conditions of the rule if needed...

sindy

Depending on the other traffic of your router and your uplink bandwidth, disabling the fasttracking rule may have pushed the router beyond its limits. You can use /tool profile to visualize the difference between the fasttracking rule being first disabled and then enabled while the average traffic i...

sindy

@tabate47, do I assume right that the ultimate goal is to make sure that the ubnt boxes would use a different network path (starting by a different gateway) than the other traffic, regardless what the current IP number of the controller is? If that is the case, the generic mechanism for this is call...

sindy

First, is there an action=fasttrack-connection rule in chain=forward of /ip firewall filter ? If yes, disable it and try again with a new test connection from the MacOS (already existing connections will not be affected by the change). If that helps, come back for an instruction how to exempt only t...

sindy

It's just the Linux machine showing the nexthop address in wrong byte order in this case. See a similar topic.

sindy

The local cAPs connect to the local CAPsMAN via local loop interface, whose existence is however hidden in RouterOS, using the localhost address 127.0.0.1: [me@MyTik] > ip firewall connection print where src-address~"^127" Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F...

sindy

I'd use policy routing - create a dynamic address list: /ip firewall address-list add address=cloud.mikrotik.com list=mikrotik-cloud add address=cloud2.mikrotik.com list=mikrotik-cloud An address-list configured this way is automatically updated with dynamic entries representing all the IP numbers t...

sindy

Is it possible the ISP was blocking the tunnel? All my assumptions were based on the fact that you wrote that you could ping between routers' internal private addresses, and that only communication between LAN subnets didn't work. If I've understood that part correctly, blocking by ISP could not ha...

sindy

A scalable solution with load distribution is always better than replacing one all-in-one-box by another single one with more horsepower. The highest step to cross is the one between "one" and "more than one"; whether "more than one" is actually two or twenty doesn't matter much. Both PPPoE and DHCP...

sindy

Here the mode config [/code] OK, so you offer /32s to the RWs, fine. or you can dedicate a sub-subnet on site A for the warriors, and make corresponding more precise action=none policies to prevent communication within the remaining sub-subnets from being "stolen" What do you mean with "stolen" ? I...

sindy

I've seen reversed stuff in ROS before..... Yeah, me too, but what I strongly suspect is that the reverse printout is limited to the error message, not to the actual matching of the SPI to the list of known ones. So a minor issue, not the root cause. What pulls my eyes to outside the Tik is that th...

sindy

In that case, you can either use the NAT approach (road warriors will be able to connect to servers at site B but the requests will come with IP address of Site A) or you can dedicate a sub-subnet on site A for the warriors, and make corresponding more precise action=none policies to prevent communi...

sindy

Of course it is not. But as you say that it only happens sometimes, the sniff is very important to find out where to complain - in Riga or in Redmond. So nothing to do but wait until it happens again. But it may also be that only the log message swaps the order, and in reality the difference is bigg...

sindy

A brief google search has found this: https://www.netxms.org/documentation/adminguide/ssh-monitoring.html One of the first paragraphs says that the default ssh configuration is used by default, but that you can specify a dedicated configuration file for the ssh client. So you can enable the older ci...

sindy

So, from the mikrotik's point of view, the destination could be a single host that lies beyond the server 1 and 2, it doesn't know that the servers re-route the packets to themselves. But that's the very point. The Mikrotik feels free to use any of the two gateways, because it cannot even dream abo...

sindy

Hence my description above has to be used. Three distinct subnets - the road warriors' one, Site A LAN subnet, Site B LAN subnet. The split-include for warriors must contain both Site A LAN subnet and Site B LAN subnet. Between A and B, one policy must cover Site A LAN subnet to Site B LAN subnet co...

sindy

Bandwidth enforcement is CPU intensive, so you'll have to pour in more CPU. There is no way to optimize the current setup without affecting its behaviour (pcq per each individual user simply must create as many virtual queues as there are users). And yes, it will require a reconfiguration of the top...

sindy

So do the road warriors need to connect to the subnet of the peer to which they are connected at all? If not, the policy for the remote peer is sufficient for them. And if the LANs of the two static peers don't need to talk to each other, a single policy between them is sufficient too, between the r...

sindy

The road warriors should get addresses in none of the two subnets, otherwise you'll have this kind of problems all the time. In mode-config for the road warriors, set the split-include to both subnets (of the local server and the remote server). The road warriors will create two policies each, one p...

sindy

Do you assign addresses from the LAN subnet to the road warriors?

sindy

So then the second part of my message applies - nothing else can be done a Mikrotik side at user level. This is a forum of users which Mikrotik staff only monitors, not an official input channel to Mikrotik product development. So to have the list of supported ciphers augmented at Mikrotik side, you...

sindy

For every combination of "local" and "remote" address which have to talk to each other via the tunnel, there must be a corresponding policy at both peers. The "local" address must fit into the src-address of that policy's traffic selector, the "remote" one must fit into its dst-address . The policie...

sindy

You have to create an exemption IPsec policy action=none src-address=the.lan.sub.net/mask dst-address=the.lan.sub.net/mask and put it before (above) the one which causes the problems. If the actual policy is created from a template, the exemption policy must be placed before the template.

sindy

Set strong-crypto to yes as I wrote above and try again.

sindy

If you have strong-crypto under /ip ssh set to yes , there's nothing more you could do at RouterOS side through configuration. So you have to see whether you can enable a weaker key suite at the NetXMS end. I don't know whether the ssh poll uses the settings from /etc/ssh/ssh_config or whether it us...

sindy

I've also seen other glitches in IPsec after some months of continuous operation on other RouterOS versions... sniff the traffic while the issue occurs, generate the supout.rif and send both to support. Then first just disable the peer and re-enable it, and if that doesn't help, reboot the router.

sindy

Leaving aside the weak security of PPTP in particular while it's equally simple (or complex) to set up like L2TP/IPsec, there is always the possibility to use the on-up and on-down scripts of the /ppp profile row. You can link the /ppp secret row to a dedicated /ppp profile row. So instead of adding...

sindy

what is wrong in my configuration I've posted above? I can confirm that I haven't found anything wrong in your firewall rules. You do have the action=notrack rules in raw , you do have the "accept untracked" rule in chain=forward of filter , your policies do not overlap in any way, and reception of...

sindy

Also i am confused why there are so many vlan in RouterOS. It must be that the vlan in the switch is hardware related while the bridge vlan is the Software and in the interface vlan idk. Correct. The switch chip is quite a separate entity, and if you don't need hardware forwarding between its ports...

sindy

My wild guess - could it be that the AP has the channels that may conflict with radars enabled and therefore hasn't started the 5 GHz radio yet? Can you run /interface wireless scan at the Metal and see whether it can see any networks at all around you? No idea where you are located, so there may or...

sindy

Routing cache has been removed from newer linux kernels as it turned out to be a kind of security risk. So the full cache may be a consequence of some kind of an attack targeting that aspect, or of merely a too diverse traffic running through the device (or of a bug of course). I have never encounte...

sindy

For some reason, when dst-address-type=!local is used. Things stop working as well. This is a popular misunderstanding, likely powered by a no less popular wishful thinking. dst-address-type=local (or src-address-type=local ) matches when the address is question is any of the router's own addresses...

Search found 5983 matches