MikroTik

sindy

It would be nice to see such things in changelogs or somewhere in wiki like 'package dependencies'.

Look again, it is there (in the changelog of the release which has introduced this dependency) and it has also been mentioned multiple times in these "x.xx.x has been released" topics.

sindy

After upgrading from 6.44.1 to 6.45.6 it's not possible to disable dhcp package. RouterBOARD 750G r3. Why?

Because since 6.45.whatever, package security requires package dhcp to provide a route list to windows IKEv2 clients.

sindy

What does /log print say after reboot? What does /system package print show?

sindy

I'd really love to understand how an MTU issue can cause much lower speed but otherwise working connections. Okay, each packet occupying the whole MTU gets broken into two thanks to IPsec processing which adds extra bytes to it, but that should cause half the speed at worst. And if they didn't get t...

sindy

With fasttracking disabled, complexity and bad order of your firewall rules could theoretically cause a slowdown. Other than that, bad choice of encryption and/or authentication alogorithms in /ip ipsec proposal could be the reason, where "bad" means "not supported in hardware". So once the tunnel i...

sindy

I don't see any scripts that I haven't done and my logs are ok. Malware scripts and enabled services are just the visible top of the iceberg. More advanced malware lives below the RouterOS wrapper of linux so it remains invisible from the RouterOS level in both configuration and logs. By netinstall...

sindy

I won't open my laptop right now just to study your configuration, but if FTP and telnet are accessible from internet, you must have ignored my suggestions given earlier regarding how to build the firewall (drop everything except what you absolutely need to be accessible from the internet). Telnet a...

sindy

I think we discussed this earlier. It is not enough to disable access to management and/or file transfer services (SSH, telnet, http, FTP) only from the WAN side but also from the LAN side of your router devices, leaving them accessible only via dedicated physical interfaces and from dedicated sourc...

sindy

... Block 1 = 189.xxx.xx2.90/30 Block 2 = 201.xxx.xx9.124/30 Both IPs are sent on one single fiber connection direclyt from ISP provider to my mikrotik. ... i know i can create a bridge on Mikrotik1 and public both "block1 and block2" IP/addresses on that Bridge Ports but would be only on Mikrotik1...

sindy

All my needs is to have alternative route if it is possible through ADSL for my public IPs when leased line goes down for the same ISP Without his intervention .since there is route for these Public IPs from ISP side to Leased line IP /30 that configured in our router interface with MPLS modem. The...

sindy

I have also the same issue What exactly is the "same issue" in your case? This topic was dealing with multiple ones throughout its history - first, how to set up RIP to fulfil ISP's requirements so that they could send traffic for your public IP subnet to you, and later how to set up the firewall s...

sindy

I added GRE in firewall and it`s works! The reason is that EoIP is one of possible applications using GRE as transport. The very idea of GRE is to allow tunneling different types of payload (G = generic). So what we are used to call a GRE tunnel is actually an "IP over GRE" one, whilst EoIP is an "...

sindy

there would be some way for MikroTik to offer user-contributed plugins when they run in a sandbox environment e.g. as a user process. I may be old-fashioned but I still perceive Mikrotik as a router, not an application server. So I can imagine e.g. a more flexible DNS process running in a sandbox, ...

sindy

Also interested by some community driven plugins. That's against the idea of RouterOS. If you want 3rd party plugins, go OpenWRT (which is available even for some Mikrotik hardware) and forget about manufacturer's responsibility. If you want manufacturer's responsibility for the product, stay Route...

sindy

I think it's because IKE2 IPsec doesn't create separate virtual interface. Yes, this changes a lot. This is my FW and IPsec VPN configuration, basically everything is router default Screenshots are not a good method of presenting configuration for analysis. See my automatic signature below regardin...

sindy

Where were the certificates generated? In my experience, MT generated certificates don't work with the Windows OVPN desktop client (maybe they do now, I haven't tested recently). Certificates generated by MT CHR, but I won’t say exactly which version, it was a year or two ago. It was definitely ver...

sindy

Don't mess with VLANs using /interface ethernet switch until you grasp them under /interface bridge . First, you cannot attach IP configuration (address, DHCP servers, DHCP clients) to a member port of a bridge. The IP configuration must be attached to the bridge itself or to /interface vlan using t...

sindy

I have sent you an e-mail message a few hours after you've posted your previous post, have you ever received it?

sindy

Look at this page . For received packets, dst-nat handling takes place before routing, i.e. before taking the decision whether the packet is for the router itself or to be forwarded outwards. So once dst-nat rule diverts the received packet from its original dst-address (of the WAN interface) to the...

sindy

This is the error log: initiate new phase (Identity Protection): 172.0.0.1[500]<=>172.0.0.2[500] phase1 negotation failed due to send error. 172.0.0.1[500]<=>172.0.0.2[500] xxxxxxxxxx As soon as I remove IPSec policy matcher (in-interface=pppoe-out1) the connection is up and running. Example: The l...

sindy

I just wanna make sure of this point: do i have to set an ip subnet based on vlan interface for the CRS ( or RB2011 in my case that will do the vlan switching traffic) in order to get full wire speed regarding the point-to-point link with the edge router ? I mean what if i just configure an ip subn...

sindy

Well, to my understanding vlan filtering and bridge port isolation are more or less orthogonal features, so there is no reason why you could not use both at the same time if that makes sense. So e.g. each AP connected to its own port on the switch, three SSIDs, each of them on all APs and in its own...

sindy

I think the first thing is to understand why the APs should be isolated from each other, as it is an unusual requirement. What @mkx says is important - by having all APs (or same SSIDs on all APs) in same VLAN, you let the clients roam from AP to AP without losing their IP addresses, which is how mo...

sindy

There is no bug. It just got fixes some Versions ago. "The accuracy of your information could be sucessfully questioned". You are right that the bug consisting in having the firewall too open for GRE was fixed, but bundled with this fix came another bug - the very first GRE packet of a new tunnel i...

sindy

If I understand correctly, this is a solution if you have 2 L2TP/IPsec connections from the same network, that connect to the same public ip . Not exactly but maybe it's just wrong wording. There is no problem if multiple clients connect to the same server (listening at a public IP); the problem wh...

sindy

I don't know any Mikrotik model on which frames between wireless and Ethernet interface would not go through the CPU, regardless whether vlan-filtering is activated or not. Other than that, there is a table on the wiki regarding bridge (I'm writing from a mobile, you'll have to find the exact page o...

sindy

Sorry, a busy day today.

If you haven't figured out yourself yet, add a rule chain=input src-address=127.0.0.0/8 dst-address=127.0.0.0/8 action=accept before the final chain=input action=drop one and you should be good.

sindy

I'm afraid this may be because one process on the Mikrotik wants to connect to another process (most likely, Radius). To check that, place an action=log chain=input before the last action=drop one, keep the drop one in place and see what the log one catches /log print where topics~"firewall" . Then ...

sindy

As the ethernet ports are marked as S (laves) in the tables, I would assume that they are member ports of bridges and "hardware acceleration" is enabled (the value of hw in the respective rows of /interface bridge port is set to yes ). So any frames which pass through these ports to other ports of t...

sindy

It's too late down here so that I could analyse it completely, however as you can ping when you set the src-address manually, you can as well add dedicate routes with pref-src to do this automatically for any traffic towards the remote IPs: /ip route add dst-address=10.20.10.1/32 pref-src=10.20.10.2...

sindy

And this is it. The VPN does add a default route via the tunnel, but as your LAN subnet on the PC is 192.168.1.0/24 as well, packets for 192.168.1.0/24 never get to the 750 as they end up on local LAN. 3: wlp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 li...

sindy

Yes, replace the public address and the mac addresses and post it. And yes, I don't need you to re-post the config you've withdrawn.

sindy

to eliminate unique and/or personally identifiable info. I hope it meets your standards for that. You haven't sanitized at least the ip dhcp-server network part so the public IP addresses of the whole /22 are visible. Your firewall is quite leaky so it is probably quite easy to drain your monthly q...

sindy

I performed Key Generation using puttygen utility, as a result I received 2 keys, one imported into Mikrotik and tied it to the user. I specify the second when connecting via ssh in putty. the two key files have unambiguous names representing their roles in the scheme: the one the client uses to au...

sindy

https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login) What may not be obvious: the client (where you run the /system ssh ... command) always uses the key of the user under which the command was issued, so in your case, of the user under which the script is running the server sea...

sindy

My VPN is a simple PPtP one with server running on the Mikrotik (I know, I need to change to something more secure - that's on my list). Client machine running Ubuntu and Gnome Connection Manager for CLI work. Local address for the VPN is 192.168.0.235, remote is 192.68.0.236. I also tried 192.168....

sindy

the network in question is a 7 hour drive away and whenever I do any remote config I try to be really, really sure that I don't knock it offline. Maybe Safe Mode would be an option here. Of course safe mode is a must no matter how risky or routine the configuration being done is, as at least typos ...

sindy

It should not be unless there's a bug. You can try to create an /interface bridge name=br-wan protocol-mode=none , then switch on safe mode, and send the following line: /interface bridge port add bridge=br-wan interface=ether1 ; /interface vlan set [find name~"openfiber"] interface=br-wan This will...

sindy

or is there other step(s) that must be taken?

You must add the 192.168.1.1/24 address to ether1-gateway as well, keeping the other IP address it has (or the /ip dhcp-client attached to it) in place.

sindy

I remember I was doing a throughput test on the hAP ac² and it could reach 900 Mbit/s while routing between LAN and PPPoE client as WAN with NAT. So the hardware as such is fine, the question is why the throughput is so limited in your particular configuration. What does /interface ethernet monitor ...

sindy

They are pingable on ether1-gateway with the Winbox PING tool. ... I tried reaching them from a web browser when VPN'd into the network with no success. ... I didn't get the feeling from your response that after changing these addresses I still need to assign 192.168.1.1/24 in parallel with the exi...

sindy

Yes, same like in Winbox, you have two possibilities - to click the [Terminal] button to get a command line window, or to go System -> Scripts and edit just the script body itself in the form. But if the script has to output something, run it from the command line window.

sindy

My issue was from my firewall rules. I had the VPN issue an IP from a dhcp pool that was managed by bridge rules, but obviously the ipsec connection is not an interface and not attached to a bridge. I had to add a new rule for the IP subnet. Yes, the payload packets coming via an IPsec SA are seen ...

sindy

I'm afraid I'm still a bit lost on what is the actual problem. Are you saying that the subnet on the 750's LAN is the same (192.168.0.0/24) like the subnet you've chosen to place the management addresses of the wireless devices at WAN side into, whereas the own IP of the WAN of the 750 is from anoth...

sindy

Now I need to figure out why this difference behavior between iOS and Windows. If you mean the difference at Tik side, it is because iOS does send ID-R while Windows don't. Also, I still need to fix the routing issue as windows does not get any gateway set up. Have you specified any list of network...

sindy

I'm afraid @McSee might have in mind the own ID at Mikrotik side, which it uses to match the ID-R received from the initiator. So double-check that you have my-id in the identity row set to auto . I've tested here and I have no issue although the log shows that the Windows client sends, like in your...

sindy

Are you absolutely positive that the "black box router" is transparent regarding udp ports 500 and 1701? Just a technical one, for L2TP over IPsec, access to UDP port 1701 need not be permitted on intermediate routers because the L2TP transport packets towards port 1701 are transported encrypted, i...

sindy

From your description it is not really clear what the actual problem is, but the firewall rules in the default configuration do not allow access to management of the router via WAN, so if you need it, you have to add your own rules permitting such access for authorized source addresses. If the WAN a...

sindy

In your particular case, the scheme with bridging where only 4 hosts would be in the 10.0.0.0/x network is fine, as there won't be much broadcast traffic between these hosts.

sindy

For starters I would like to test that for example - Mikrotik router A should be getting only tagged VLAN packets for two Vlan's ID=1010 and 1020, then router B should be getting tagged VLAN packets for another two vlan's ID= 2010 and 2020 ? First of all think about how the switching and bridging w...

sindy

PPTP is not actually secure these days, so I assume you have strong reasons to use it anyway. Normally it is sufficient add a rule permitting incoming connections to TCP port 1723 into chain=input of /ip firewall filter if the default firewall rules are in place. The default firewall settings accept...

sindy

EoIP tunnels have IDs and the same ID cannot be used twice on the same machine. If all three machines have IPv6 addresses or all three have public IPv4 addresses, there should be no issue with termination of two tunnels on the central machine. To make the L2 segment span all three machines, there ha...

sindy

In another words: post the complete export of your firewall rules if you want a relevant analysis rather than a guess.

sindy

Is it still a thing? i mean if i have l2tp/ipsec vpn and i want to connect roadwarriors - i still have to do all this? Only if you need several road warriors connected from the same LAN at the same time, which often means that the sessions come to the server from the same public address. But i hone...

sindy

At place-before=right after the "accept established,related" rule it gives me a syntax error, and I'm not sure if I'm supposed to change anything in this line? Sure you are. The whole text right after the "accept established,related" rule has to be replaced with a rule number; however, you have to ...

sindy

[*]it is a bad idea to have overlapping IP address pools (the one for dhcp and the one for ppp clients), I'm not sure how the machine coordinates leases from different pools I had to do it in order to "see" my routers. Also, I had to activate Proxy-Arp in LAN. [*]it is better not to assign to PPP c...

sindy

The script body would say something like if [/ip route get [find dst-address=0.0.0.0/0 gateway=ip.of.WAN1.recursive.gw] active] do={ /ip firewall connection remove [find srcnat and connection-mark=via-WAN1 and reply-dst-address~"the.ip.of.wan2"] } It assumes that you use e.g. the recursive next-hop ...

sindy

Given that there is no standard way to force SIP phones (or PBXes) to re-register when you need them to do so (which is each time when the uplink migrates to another WAN), the question is whether the script is sufficient to resolve your headache. So one possibility is to configure the phones to re-r...

sindy

After upgrading RB3011 from 6.44.3 to 6.45.3, all my PPTP has stopped working, inbound and outbound. Search back in the 6.45.x topics for the fix of GRE handling in firewall and the bug introduced by that fix and how to deal with it. And although PPTP can be fixed easily, think about its drawbacks ...

sindy

Yeah, but that's a manual arp record per each individual IP... so you'd need the on-up/on-down scripts in /ppp profile to add/remove it, or to add it once for each address from the pool used for ppp clients, so a source of headache if you extend the pool and forget to add arp records, or even worse ...

sindy

I did everything suggested but it is not working properly. Some routers (Openwrt) receive their leases fine but the following happens. I can ping them a few seconds after the Tik reboots but I get timeouts after a few seconds of receiving the lease. Openwrt receive default VRRP gateway and DNS fine...

sindy

In the masquerade rule, use dst-address instead of dst-address-list, I doubt 172.../24 is the name of the list?

sindy

If the policy (or policies) are marked as Active at Mikrotik side, the phase 2 negotiation was successful. So the next things to check would be that at Mikrotik side you don't NAT connections towards the destination subnet at Oracle side to the WAN IP, that a firewall at Oracle side doesn't drop pin...

sindy

Both the gateway and the dns-server in the /ip dhcp-server network shall also be set to the virtual address 10.50.10.3 so that nothing changes from the client's perspective when the virtual address migrates between the physical devices.

sindy

If the Tik was behind an external firewall, it's OK, no need to netinstall. The rest remains - add the last drop rule in input after checking that the one permitting management access from a dedicated interface with a dedicated subnet counts packets. It will count just one packet per each connection...

sindy

Well, as you've stated you could not access internet after you've added the forward rules without the "accept established or related" one, it means you did connect the router to internet before securing the management access to it using the input rules. So it can be compromised by now as it has spen...

sindy

Your mangle rule action=mark-routing chain=prerouting new-routing-mark=WAN-1 passthrough=no src-address-list=WAN-1 assigns routing-mark=WAN-1 to packets coming from OpenVPN client(s) because you've put 172.16.1.0-172.16.1.254, of which the /ip pool pool-OVPN is a subrange, to address list WAN-1. And...

sindy

Seems fine to me. However: - if you haven't yet, don't add the last drop rule in the input chain before you check that the rule allowing management access counts your connection attempts (I don't know which of the management protocol you use out of ssh / https / winbox); on the other hand, you shoul...

sindy

So what you actually want is a pppoe server and its client on the same router. Well, it is possible as you've checked yourself, however it will not help you reach your goal because both the server's and client's IP address will be up on the same device, so the IP stack will take the shortcut instead...

sindy

I'm afraid you expect too much from the failover. As your two uplinks use src-nat (masquerade in your case), ongoing connections will fail whenever the uplink they use fails, and they have to be re-established. The reason is that the remote party doesn't recognize packets coming from another address...

sindy

I have noticed the VLAN as uplink, but I haven't noticed that you haven't added interface Safaricom as a member of interface list WAN. Failing to add it to interface list WAN causes anything what comes in via that interface to be forwarded, not only dst-nated connections, as the rule add action=acce...

sindy

If the configuration in post #5 is complete (except the changes in post #7), the firewall is so leaky that it cannot be the reason why devices in VLAN cannot access internet. If these devices do get the dhcp lease and can ping 10.10.10.1, can they ping 8.8.8.8 too or not? If not, can you open a CLI ...

sindy

Your capture shows that the DNS responses do not contain the Authoritative Nameservers and Additional Records sections, i.e. so far the same issue which turned out to cause the trouble in the topic linked above can still be the explanation of yours. Now the question is why the DNS responses don't co...

sindy

To post a configuration export and expect someone to find out what was wrong with the missing part is an interesting approach :? So how it SHOULD have looked like if ether3 should have been an access port to VLAN 2: /interface vlan add vlan-id=2 interface=bridge1 name=bridge1.2 /interface bridge por...

sindy

TS is Traffic Selector. The (src-address,dst-address[,protocol[,src-port,dst-port]]) tuple (which is the Traffic Selector itself) of a policy at one peer must match the (dst-address,src-address[,protocol[,dst-port,src-port]]) tuple of the policy at the other peer. If they don't match exactly, no SA ...

sindy

The problem was that some devices renewed on the 450 (even though this last one was disconnected) and some others on the 750. Even waiting for the leases to be renown. That was a mess. I didn't understand why some devices kept waiting for the 450 and not liking to the then active 750. Attach the DH...

sindy

It is often useful to search the forum before creating a new topic. See viewtopic.php?t=131475#p663143.

sindy

Phase 1: Encryption: AES-256-cbc , AES-192-cbc, AES-128-cbc , Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96), Diffie-Hellman group: group 5 , group 2, group 1 , IKE session key lifetime: 28800 seconds (8 hours) => /ip ipsec profile add name=oracle enc-algorithm=aes-25...

sindy

chain=forward action=accept in-interface-list=!WAN out-interface-list=WAN chain=forward action=drop The above rule separates the zones > If I understand the rule, it only allows all interfaces internet connection and drops everything else. OFFICE clients can connect to each other? Clients in the sa...

sindy

I had hoped it would be possible to separate the networks at the hardware level without involving the CPU, but as soon as IP firewall is in play that won't be the case. I don't think it is anything worth fearing. All the routing, including routing between the subnets in the VLANs, is done by the CP...

sindy

The possible reasons you've googled may be related both to Windows acting as server and to Windows acting as client so not all of them may be relevant. Unless Windows need something specific, the normal requirements are the following: to be able to prove its own identity to the remote party, each lo...

sindy

does not let android client to connect to 192.168.8.0/23 subnets if i do as you suggested. however works w/o split-include with system-dnes enabled. any specific disadvantage of this? In that case it seems that Android ignores the split-include information completely. The only disadvantage of not u...

sindy

When I tried to create rule, you just suggested, on the slave, I get the following error message: Couldn't add New NAT Rule - incoming interface matching not possible in output and postrouting chains (6) I keep forgetting about this :) OK, replace in-interface=Ether01_LAN_US by src-address=!192.168...

sindy

@little_strawberry, separation of VLANs at L2 level works fine in your setup. What you actually need is a set of IP firewall rules to drop traffic between IP subnets living in the distinct VLANs - or, even better, a set of firewall rules dropping all traffic which is not explicitly allowed. So rough...

sindy

Post the configuration export - see my automatic signature below.

sindy

i removed split because android and iOS client only take 1st subnet from split-include. enabling system-dns in mode-config solved it for me. thanks.

Check my suggestion above - you can set 192.168.8.0/23 as split-include which spans both 192.168.8.0/24 and 192.168.9.0/24.

sindy

I verified that from another laptop I can ping the workstation without problems (from the same vlan/subnet) hence I assume any firewall issues are ootq? I don't understand why no reply packets are seen... Assuming that the other laptop is in the same subnet/vlan like the workstation, the issue may ...

sindy

On a fast glance, I can see that you've disabled the Mikrotik's DNS server list to be sent using mode-config (by setting system-dns=no ) and haven't defined any other one, but at the same time you've also removed the split-include from the mode-config so the IKEv2 clients use the VPN as a default ro...

sindy

need one clarification: Why disable DHCP servers from both routers? Where will the clients obtain an IP address? Sorry for ambiquity. I wrote "including the DHCP server" in the context of "remove everything related to 192.168.2.0/24", of course the DHCP server for 192.168.1.0/24 must stay. And as t...

sindy

I agree with you about see no point in running the innner 2011 as a router at all . Your how-to would be appreciated. Given that the two machines are interconnected using an external wireless link which is transparent at L2, the howto is quite simple: on the Slave, /ip address add address=192.168.1...

sindy

First to the actual topic: As the inner ("slave") router has no firewall rules at all, they cannot interfere with the functionality you desire. However, the current dst-nat rule on the outer ("master") router, add action=dst-nat chain=dstnat comment="WiFI AP Access" dst-port=50021-50024 in-interface...

sindy

No NAT and no firewall rules are different things. Post export of both routers (see anonymization hints in my automatic signature below). If there was nothing in the inner router's firewall, the single dst-nat rule in the outer one would be sufficient.

sindy

Oh, sorry, I didn't realize the double router part was also problem as you seemed to have the internal routing solved and transparent.. If the inner router's WAN (internet-facing) interface has a firewall on it preventing incoming connections via WAN, you have to set some rules on it too, but as you...

sindy

What I can see is that you now only deal with the static leases (as the parameter address-pool of /ip dhcp-server is set to the default value static-only ), so the fact that the pools for dynamic leases are the same at both routers does not cause any trouble now. But I can see that on the 450, the d...

sindy

Just bear in mind that while this rule port-forwards connections initiated from anywhere, connections initiated from LAN will not work properly, you have to test from outside. Look for "hairpin NAT" for explanation why.

sindy

That's a correct one. If you otherwise use the default firewall configuration, it should be enough. If not, post the export.

sindy

There is no fixed time, the address-list is renewed each time the TTL of the DNS response expires.

sindy

Who do you get 0xc0a81301c0a82101 from 192.168.19.1 & 192.168.33.1 ?

0x means that the rest is in hexadecimal
c0 = 192 in hexadecimal
a8 = 168 in hexadecimal
etc.
No separator is needed, as each address takes exactly 4 bytes.

sindy

I forgot to mention that the workstation (a windows 10 machine with its firewall disabled) can be pinged from both the HAP-AC as the CCR. That's not surprising because both the hAP ac and the CCR have an interface in the subnet/vlan "10" so no routing is necessary when you ping the workstation in t...

sindy

It is not clear from your question whether you want to set this up on a Mikrotik or on some other DHCP server. On Mikrotik, the embedded help tells you what to do: [me@MyTik] > ip dhcp-server network add address=192.168.115.0/24 dns-server=[?] Server ::= Address[,Server] (max 100 times) Address ::= ...

sindy

There is just one port 443 on one public IP 41.x.x.x, so you can have just one AP accessible via that single port. But you can use port-forwarding rules in the firewall, so that e.g. port 21443 on the public IP will be forwarded to port 443 on the private IP of AP 1, port 22443 to port 443 of the pr...

sindy

To know which part of the configuration to ask for, we would have to know where the problem is. So post the complete export (check my automatic signature below first), just don't forget to use the [ code] and [ /code] tag around the configuration exports of both machines. You have posted only the br...

sindy

Post the current configuration of both the Mikrotiks.

sindy

Too late down here to think anything deep, but: I'd definitely wallgarden static equipment like seccams using a dedicated subnet+VLAN (+SSID if they are wireless) rather than hotspot, using their own dedicated zone. As for too many zones on one device - I'd use the primary ISP for everything and the...

sindy

I cannot, PMs don't work here, but if you post the TVw ID and one-time password, it should be safe enough given that it is one-time (and hopefully I'll be the first one to use it

)

sindy

I start thinking of Teamviewer as I cannot see anything suspicious in the configuration any more, and I'd do some dynamic observations if it was my case already days ago :) Basically you should see the /ip ipsec installed-sa to increase packet count when you try to ping the 10.10.10.2x, but if there...

sindy

I meant with "hold connection" to be able to surf without problems (within 3-5 seconds after unplugging the Master MK) straight internet access. OK, so not in the sense that you wouldn't have to re-establish the TCP connections. I'm using my router with wireless DumbAP so clients go straight to MK....

sindy

I managed to make my PC hold connection but not in my table or cellphone. Now wait. What means "hold connection", and what means "table" - a VoIP phone or a desktop PC? If the cellphone is connected using wireless as I suppose, there is not just the DHCP and gateway part, there is also the wireless...

sindy

OpenVPN used to work before we added the second WAN. Before you added the second WAN or before you added the mangle rules ;) ? Just a rhetoric question, of couse you did both in the same step. Intuitively I feel that the packets coming in via the OpenVPN interface and with the destination addresses...

sindy

Thank you sindy & krafg for your responses. I have to keep the RB450G models because that is what the OEM installed at this site and I cannot change the model. Have you tried to replace only the power adaptors as I've suggested? I wanted to give you some detailed information. The OEM uses a VBScrip...

sindy

i am going to go with upgrading the RB450G up to release 6.43.12. is the routeros-mipsbe.npk the file I should use to upgrade the RB450G? dumb question, do i use the stable or long term release? For any RB4xx except RG450Gx4, mipsbe is the correct architecture, so yes, routeros-mipsbe-v.vv.vv.npk i...

sindy

as still unsure how to have access ports and tagged ports (vlan native trunk). Ie: untagged vlan and a tagged vlan on same port(s) with using the switch menu vlan setup. The bridge vlan filtering method makes it easy. also I know that anytime put vlan's into a bridge port - they're untagged. So may...

sindy

I use to always do link aggregation (802.3ad) to a single switch hanging off the MT, but not much benefit for these SMB networks. well, link aggregation is always done in software unless we talk about CRS (maybe even CRS3xx). And if the member links are 1 Gbit/s ones, the only benefit is redundancy...

sindy

@anav, So with a single bridge and vlans, its all software not hardware???? A single bridge and VLANs can still use hardware forwarding if you don't need to tag and untag the frames or filter them by VLAN ID as they ingress and egress. So if the same VLAN is untagged on all ports and you don't mind ...

sindy

I'm afraid you expect too much from VRRP. It provides nothing more than redundancy on a network segment where two (or more) physical devices can provide to other devices in the same network segment and IP subnet the service of a gateway (or other services which the clients need to contact on a stati...

sindy

Could you further elaborate? Are you mentioning this fact if one was to use the interface switch config (switch chip config method?). Or in regards to the new bridge vlan config way? I am mentioning this fact because "hardware acceleration" of L2 forwarding actually means letting the switch chip do...

sindy

Well, I did that. Export the Master backup, restore that backup using import from PC. Both RBs show their respective MAC addresses at Winbox. You can do either an import of .rsc file (which is a plaintext script) or a restore of .backup file (which is a compressed and ciphered binary file). If you ...

sindy

If you have really restored a backup rather than imported an export, you have cloned also the MAC addresses, so this is the first point to clarify.

sindy

block diagram shows HW acceleration... is this ONLY for IPSec, or this mean HW acceleration on ethernet for wirespeed? If so, perhaps the RB4011 is an upgrade path over RB2011. The switch chips used in the 4011 are not VLAN-aware and don't support hardware rules so if you need L2 traffic to be hard...

sindy

I am sure it is something simple, but I am not sure where to look. Two points: unrestricted fasttracking is incompatible with use of mangle rules because most packets belonging to fasttracked connections skip a big deal of firewall processing. Few don't, which means that the connections via the non...

sindy

I think I've got it, I've got confused by the src-address=0.0.0.0/0 in your policy template on the 951, whereas in the mode-config there is split-include , so the actual policies created dynamically are 192.168.8.0/24<->10.10.10.2x and 192.168.9.0/24<->10.10.10.2x (please confirm, use /ip ipsec poli...

sindy

Post the configuration. Does the 213.x.x.x/28 have any external gateway to access the internet or is only accessible from outside via the 87.x.x.x?

sindy

6.43.12 and master port in one sentence? I am confused. Post the export, I didn't get what are you trying to achieve and what doesn't work.

sindy

I got to put in firewall rules to separate the vlan from the office. Can you give me direction? A firewall provides the best protection if it drops everything by default and only lets through exceptions you want to let through. The firewall rules provided in the default configuration of the hXX pro...

sindy

I made a rough drawing indicating the current scenario so hope that sheds some light ... It hasn't changed my understanding of what the topology is and what are the goals, but it has neither dissolved the concerns I've expressed before :) If the client's L2TP client is not another Mikrotik or anoth...

sindy

Hope not to bother much longer... So far it's OK, I'm more concerned that you haven't written whether you managed to get there to the correct address after all :) I am aware of site to site would be better option for direct connection of two mikrotiks, but I need also rw clients such as phones and ...

sindy

I also turned on vlan filtering > under bridge > double-click bridge tab and it works, but will uncheck for the rest of my config is done. vlan-filtering requires more settings to be done to work properly, as @pcunite explains here . For your scenario it is not actually needed unless the Ethernet p...

sindy

Don't do serious things late in the evening (unless you're an owl like @Sob) - you've properly added the firewall rules but you've totally ignored the other part of my post, saying that you have to ping/connect to 10.10.10.2x, not to 192.168.2.1, because the network 192.168.2.0/24 is invisible to th...

sindy

Well, except the pvid=10 in the /interface bridge port row for ether4 (which is harmless until you eventually set vlan-filtering to yes), everything seems fine regarding VLANs. However, there is neither any hotspot configuration nor a regular IP configuration attached to /interface vlan vlan-id=10, ...

sindy

The rule blocking invalid packets here is the first one, and without log. If I see packets in log, they should be blocked by the last rule ( drop all the rest) Sounds logical. So how can I target those packets? Just above the rule "drop all" but how? Finding about the 3-4 addresses often logged and...

sindy

Guessing from your description what may be wrong: you can have one tagless and as many as you want tagged VLANs directly on an Ethernet interface, but if you do it this way, you cannot add the interface itself to a bridge (I mean, you can but the tagged VLANs won't work). So if you want ether4 to be...

sindy

No visible image, just a text "image". When you say you cannot connect to the Tik behind NAT, to which IP address are you trying to connect, 192.168.2.1 or 10.10.10.2x? And from where, directly from a device in your LAN (192.168.9.x) or from the 951 itself? There are two points: you have to connect ...

sindy

Messy ... yeah I really need to do my MTCRE already :lol: Well, maybe just "so unusual that a mere mortal cannot understand it without having additional context". Details below. On the onsite router I have an L2 connection from the bridge to a Mikrotik router at our office as well as a L2 server fo...

sindy

1. Firstly, can I bypass VPN Express and roll my own somehow for less than $6.67 US p/m? If you can place your own router in each country of interest, and at least one of them will have a public IP address (or all of them will have IPv6 addresses which are all public), then yes. Whether the total e...

sindy

For example, in the other thread you mentioned converting from "master port" to "bridge" . I have no idea what that is about. I don't remember whether this came in 6.40 or 6.41, but the old way of allowing frames to be forwarded within a group of Ethernet ports by the switch chip, bypassing any CPU...

sindy

Look at EoIP tunnel (/interface eoip). Set one between the two Mikrotiks, remove one Ethernet port on each Tik from the main bridge, create a dedicated bridge on each Tik, and make that Ethernet port released from the main bridge and the /inteface eoip members of this new bridge. Done.

sindy

First I don't get from where the wlan3, wlan4 pops up. Second, if you paste the very same lines into the terminal window manually, do they have the expected effect or not? The answer determines whether the issue is that you run the script too early (i.e. use it as a run-after-reset parameter of /sys...

sindy

OK, so your configuration seems a little bit messy to me. The L2TP server's profile is configured to create both an L2 tunnel locally connected to the LAN bridge and an L3 tunnel; is the L2TP client another Mikrotik device or Linux so that you could really use the L2 tunnel? If you do, and if there ...

sindy

Should we update those three incrementally? Say update first to 6.20 then to 6.44.5?

A part of this post gives my opinion on this.

sindy

chain=input handles connection attempts to your Tik itself. chain=forward handles transit traffic (between two interfaces of the router). And yes, "block everything but few exceptions" is the best firewall concept in my opinion. Only allow access to services which are secure by themselves (VPNs but ...

sindy

If you use Winbox, it's drag and drop. If you use WebFig, press the [Download] button in the file list. If you use command line, use scp from your PC to download the file.

sindy

No changes can be made during import. So you have to do them before, using an external text editor because Mikrotik scripting cannot parse files, or after, using Mikrotik scripting on the already imported address lists. If there are no duplicate entries between those lists, the command is simple: ip...

sindy

To learn how the firewall works is one way to solve it. Posting a complete export of your configuration (see my automatic signature below on how to prevent sensitive information from leaking) is another way if you need to do it just once and you have some more important areas to spend your time on d...

sindy

I have several of these units that were all installed 3 years ago and 2 of them are failing. It seems that when they handle heavy network traffic the leds on the ports go out and eventually the unit reboots and works again, does this sound like bad capacitors? Definitely try replacing just the powe...

sindy

Given that SSH access was possible with ROS 5.something, in 6.9 it may only be an issue due to a version-specific bug. But the first question is what ssh client do you use? Because with newer ROS releases, /ip ssh set strong-crypto=yes prevents connection to or from older systems which use older=wea...

sindy

I'd start from https://download.mikrotik.com/routeros/ ... 6.44.5.npk - RB4xx is still listed among supported models.

sindy

I suppose we are talking about devices connected to the LAN side of your router, not other devices connected to client's router LAN side where your router's WAN side is connected. If so, post the export of the configuration of your router, it will be just a matter of modifying the rules in chain=for...

sindy

When vlan-mode on switch port is set to secure , frames tagged for VLANs which are not permitted on that port are dropped at ingress. So on all ports of the switch except the CPU one and the one used for connection with the other Tik, either only the LAN frames or only the ITV frames can get in. Onl...

sindy

As you mention PoE, does your switch provide power to the SXTs via PoE? if so, is it a Mikrotik switch (such as hEX PoE lite or the same hardware in different mechanical case called PowerBox) providing "passive PoE", or some other vendor's switch providing the 802.3af or at PoE? If it is a Mikrotik'...

sindy

if you get your WAN address from your ISP via DHCP, it usually means you get it via an L2 network where you are not alone. So other clients of your ISP renew their DHCP leases, and if they do not get a response for some reason, they send the DHCPDISCOVER messages to the broadcast address 255.255.255...

sindy

OK, but unless you put the interface representing the tunnel into a zone, only the default rules apply, which say REJECT for forward. The zone concept just simplifies the rules - traffic between all interfaces in the same zone is unrestricted, whereas the rules for forwarding from any interface in o...

sindy

Well, unless you've asked it to do otherwise, the ping goes once per second, so if this message was a symptom of a problem with delivering the ping response, it should also be logged once per second, which is not the case. So as Jorge has already said, check the firewall configuration on the Teltoni...

sindy

Hello Jorge, For the "server2" certificate I didn't select tls server in key usage For the client certificate I didn't select tls client in key usage Shall I regenerate them ? As Jorge seems to be busy, here is my answer instead: since you could ping the remote end via the tunnel, neither end cares...

sindy

I'm afraid you need rather QoS (queues and possibly mangle rules) handling to limit the uplink bandwidth per LAN device. Load balancing of connections can distribute each device's connections among several uplinks but cannot prevent a single device from clogging the whole bandwidth of a given uplink...

sindy

Given that the "MELI" and "MikroTik" devices are visible as neighbors at two interfaces each, and as these interfaces are probably member ports of the same bridge, the loop may actually be there, but you've provided too little information. So a configuration export (see my automatic signature below ...

sindy

Even longer answer to 2) - both Mikrotik and Teltonika support L2 tunneling mode (called TAP on Teltonika side and ethernet at Mikrotik side), so it is technically possible to bridge the two LANs using OpenVPN in TAP/ethernet mode. But it is not recommended for multiple reasons. One is security (you...

sindy

those 3rd world WISP customers won't ask for it I'd say it's not so much a matter of 3rd world as of ISPs as such, why on earth should an ISP do things like policy routing or even static routing on the NNI - they have redundancy mechanisms for their own network and BGP for peering and that should b...

sindy

As there is never 193.248.32.7:80 (port 80 on your public IP) as source or destination socket, but always some high port number is attached to 193.248.32.7 and port 80 is attached to the remote address, these connections are NATed connections of your LAN clients to remote http servers. So either tal...

sindy

I would not claim that... Yeah... what (censored) me most is that one of the largest resellers keeps declaring full support of IPv6 to be available on Tik. Needed a DHCPv6 server for end hosts, ended up with OpenWRT :( However, with or without Mikrotik - unless you had NAT in IPv6, I can't imagine ...

sindy

sorry, it's ip-protocol=tcp.

sindy

In this situation I suspect that your ISP is blocking access to port 80. Open a command line window as wide as your screen allows, run /tool sniffer quick interface=ether1 protocol=tcp port=80 in it and try to open the public address of your Tik in a web browser from outside. Or is the issue the sam...

sindy

OK, so let's take the way with tagless LAN between the Tiks, I hope it will work. But do every step with safe mode on; if you don't get locked out during 30 seconds after the change, disable and re-enable safe mode to store the progress gained so far and be safe for the next step. If you get locked ...

sindy

If you don't insist that the LAN goes tagged between the Tiks, it might be much easier to handle the ITV VLAN by switch chips. The point is that the switch chip can tag frames on ingress but not on egress, so to have VLAN 7 frames tagged at ether1, they have to get tagged already at ether2..ether4 a...

sindy

Netinstall is a tricky thing even if done locally so I wouldn't make any conclusions on problems with netinstall alone unless you have a lot of experience using it. Power surprises should normally only affect the power adaptors, not the devices behind them. But what does happen regularly is that the...

sindy

I will incorporate the firewalls once I get the Tik hotspot working on the vlan. If ether1 gets a public IP, the machine may have already been compromised. >Where do you add DNS server address to hotspot clients on the dhcp-server? /ip dns - My server now is 8.8.8.8 and 8.8.4.4 >I ticked "allow-rem...

sindy

If you don't have one such line in the log for each and every packet received, it should not be a big deal. Record the packet traffic on the interface through which the VPN clients connect to the Tik into a file using /tool sniffer , download the file to a PC and open it using Wireshark. If you find...

sindy

I'm afraid that the responder ID can be ignored only in some authentication setups. Can you post your complete configuration? See my automatic signature below for hints on anonymisation.

sindy

First, I haven't opened your previous config so I haven't noticed your firewall is widely open; in contrary to popular belief, NAT alone is not sufficient as a protection against all attacks which can come in via WAN, and it doesn't protect the router itself at all. So have a look at the default fir...

sindy

There is no point in having VLAN 20 out of the bridge, it can stay there. At the cAP, set both the "local" and "guest" wireless interfaces along with ether1 as member ports of the only bridge, remove any /interface vlan , and configure the guest wireless interface with vlan-id=20 vlan-mode=use-tag ....

sindy

To me it doesn't seem to be a matter of ROS configuration. If you look closely at the leases, you'll see that the DHCP client running on the W2012 machine uses a unique Client ID field when applying for each lease, which makes ROS' DHCP server treat them independently, hence you end up with multiple...

sindy

What can happen if I just remove the rule dropping invalid packets? As I wrote just one post above - removing the drop invalid rule doesn't make the invalid packets miraculously be accepted by the accept established,related one. So if your firewall chains don't end with drop the rest rules, removin...

sindy

Post the current configuration (see my automatic signature below) as you did some changes since you've posted it before, there must be something else wrong. Other than that, I would first disable everything related to the hotspot (and set some password for the guest SSID on the AP) to check whether ...

sindy

The /interface vlan for hotspot must be attached to the bridge, not to its particular member port. And the IP address, DHCP server, and hotspot configuration for the guest network must all be attached to that /interface vlan , whilst the IP address and DHCP server for the "insider" network stays att...

sindy

Have a look at /ip firewal layer7-protocol. But bear in mind that it will only work for plaintext http, not for https.

sindy

The distance parameter only matters when several routes have exactly the same dst-address - otherwise a more narrow dst-address prefix matching the destination address of the packet always beats any wider one(s) also matching it. I didn't get from your description whether the client can reach 10.179...

sindy

I'm afraid there is a difference between the "default configuration" (which is just a template of user configuration, and you can prevent it from getting loaded) and "built-in configuration" which is there even if you remove any user configuration using reset-configuration with no-defaults=yes . The...

sindy

I have checked load on both routers, it is near idle while watching TV. For example CPU usage never gets higher than 5%. I suppose this is not an issue. That's quite surprising, but as you say that sound is unaffected and only the video became an SSTV one, it seems as if there was no packet loss al...

sindy

Your configuration prints don't show any /interface ethernet switch settings and you handle the VLAN tagging and untagging using a dedicated bridge for each VLAN, which means that the IPTV traffic is handled by the CPU. So have a look at /tool profile at both your Tik machines while watching TV, at ...

sindy

Not sure about your (@nethor's) setup, but in the OP from 2016, Router B's interface facing towards the SSH client was in the same subnet like the client. So while the request packets from the client went to Router A (because 192.168.10.1 was configured as the gateway of the default route or at leas...

sindy

or RoS evolved enough to tag them correctly

I hazily remember this is the case and that it did not take long after we've discussed it here.

sindy

I am running 6.45.1 and if I try to update to 6.45.3 I get an error : "ERROR: not enough disk space, 7.3MiB required and only 7.3MiB is free." ... I have no files on the device. The upgrade package is downloaded to ramdisk, which may be occupied also by hidden files, so try rebooting just before th...

sindy

and I replaced the public IP with "removed" the Mikrotik is sitting on a public IP and is NOT behind NAT then the mikrotik has a VPN pool to NAT the VPN Clients If the Tik sits on public IP, then the restriction of the policy template's src-address to 10.222.22.1 is a nonsense, as the policy needs ...

sindy

Port strict and NAT are unrelated. What is related is that at least Microsoft VPN client needs to be tweaked in registry to accept an L2TP server listening on a private address behind a NAT. But it can also be done without tweaking the registry using the method described here . But as you stubbornly...

sindy

Just remove the src-address-list from the rules permitting access to UDP ports 500 and 4500

sindy

Have you added the log topic I have suggested? Because if you did, you have to see tons of ipsec,info messages. How exactly did you set the debug?

sindy

The failed to bind message is a cosmetic issue as you have disabled IPv6, it's not the reason why it doesn't work. Set /system logging print add topics=ipsec,!packet and see whether the log shows anything when the client tries to connect.

sindy

OK. So you ask RouterOS to generate the settings for L2TP for you using the default profile , proposal , and template in the default policy group by setting use-ipsec=required in /interface l2tp-server server , but at the same time you have created a peer and identity on your own, so there may be a ...

sindy

In the L2TP part, you forgot to post the /interface l2tp-server server part. That's why it always better to post the complete export and just obfuscate the sensitive information (see the hint in my automatic signature below). So either do that or post at least /interface l2tp-server export verbose h...

sindy

Is there some other procedure I should be following?

Yes, firmware is not automatically upgraded together with RouterOS. You have to do /system routerboard upgrade, and once it succeeds (it takes less than three seconds), reboot the machine.

sindy

Basically you have to determine the IP addresses of the servers you need to access via the LTE and set static routes via the dongle to these addresses. A more specific route always wins over a more generic one, so it seems simple. However, depending on the properties of the dongle, RouterOS uses one...

sindy

You cannot simplify it the way you suggest, think about the frames carrying the response packets, which need to get tagged with the correct VID on their way to the wireless clients.

sindy

A supercharged introduction into how firewall works is here . In your case, the rules in chain=forward of /ip firewall filter would use in-interface(-list) and src-address(-list) matching to restrict which local users can use the LTE, and dst-address(-list) to restrict which remote destinations may ...

sindy

I confirm that 6.45.3 initiator doesn't show the N flag in print (I've got no 6.45.3 responder up at the moment) - exchange-mode=ike2 on peer , auth-method=eap on identity . An initiator in 6.45.2 ( exchange-mode=ike2 , auth-method=digital-signature ) does show it. ESP cannot be handled even by prop...

sindy

What @cdiedrich has proposed can be described more in detail, maybe you have missed it? set add-arp=yes on all dhcp servers make all the current dhcp leases which you recognize (most important, the PC from which you configure the machine) static make the address-range of all ip pool items used by dh...

sindy

There is a way, however a terrible one. On the bridge, the common subnet would live, with DHCP server etc. On the ethernet facing towards the non-Mikrotik AP (say, etherX ), you'd set up an /interface vlan vlan-id=99 interface=etherX name=ssid-99 (i.e. having that ethernet as carrying interface). Bu...

sindy

If by "this rule" you mean the two rules on the responder with comment "VPN ikev2 allow", then not exactly, these are in chain forward and to access the Tik itself, you need a rule in chain input . So a rule like chain=input action=accept in-interface-list=WAN ipsec-policy=in,ipsec before the final ...

sindy

I think that statement like "!somthing" is not good... in any iptables on so on firewalls...

Why? For security or for CPU load reasons?

sindy

If there is a PC and someone able to use it, Teamviewer is a way to connect to the remote Mikrotik from the LAN side.

sindy

I can see nothing in the config of this side that would explain it, so most likely chain=input of /ip firewall filter on the remote Tik has to be modified to accept incoming connections via the IPsec SA. So until you manage to get there and post its configuration, there is no way to move forward.

sindy

GRE fixed? What exactly do you have in mind? The incorrect flagging of actually new GRE packets as invalid ? If so, then no, this is not fixed in 6.45.3, but it can be worked around by adding protocol=!gre to the action=drop connection-state=invalid rules in the default firewall, or several other e...

Search found 3814 matches