Search found 5102 matches

by sindy
Fri Jun 05, 2020 3:32 pm
Forum: General
Topic: Issue with IPSec/IKEv2 tunnel disconnecting and not reconnecting
Replies: 2
Views: 250

Re: Issue with IPSec/IKEv2 tunnel disconnecting and not reconnecting

I am not very sure but I have noticed Mikrotik will respond anyway if the other peer tries to reestablish the connection, so the setting should be set on the remote peer as passive only maybe Correct, you can prevent the peer from actively initiating a connection by setting passive=yes , but t...
by sindy
Fri Jun 05, 2020 1:51 pm
Forum: General
Topic: two pppoe connections, question?
Replies: 6
Views: 661

Re: two pppoe connections, question?

You can use multiple uplinks, but the strategies of their use you can choose from depend on their properties. Bonding can only be used to group together L2-transparent interfaces, which is not the case of PPPoE. If I get you right, the PPPoE clients are running on the modem, so on each RJ45 port, th...
by sindy
Thu Jun 04, 2020 6:10 pm
Forum: General
Topic: Load Balancer with NAT rules
Replies: 11
Views: 1156

Re: Load Balancer with NAT rules

No. It returns to the first one only once the second one fails.

I still haven't understood whether you want each single request to be sent to both servers, or whether it is enough that odd requests are sent to one server and even ones to the other one.
by sindy
Wed Jun 03, 2020 9:04 pm
Forum: General
Topic: SXTsq_Lite2 with RB2011 setup [SOLVED]
Replies: 8
Views: 976

Re: SXTsq_Lite2 with RB2011 setup [SOLVED]

Post the current configurations of both devices (see the hint on anonymisation in my automatic signature below). What you want to do is simple, and I wouldn't recommend to move the firewall from the 2011 to the sxtsq lite, as the CPU of the sxtsq is just a tiny bit better whilst the RAM size is doub...
by sindy
Wed Jun 03, 2020 8:55 pm
Forum: General
Topic: How to exclude more then one Connection Mark in Firewall fasttrack rule?
Replies: 2
Views: 484

Re: How to exclude more then one Connection Mark in Firewall fasttrack rule?

As you probably want to exclude any marked connections from fasttracking, you can set connection-mark=no-mark in the action=fasttrack-connection rule, instead of connection-mark=!vpn-mark.
by sindy
Wed Jun 03, 2020 8:42 pm
Forum: General
Topic: hAP ac² - vlan port configuration [SOLVED]
Replies: 10
Views: 1072

Re: hAP ac² - vlan port configuration [SOLVED]

Add Interface switch vlan 102, include ether1,2,3,4 ... Set interface switch port ether1 vlan-mode=secure , vlan-header=add if missing, default vlan id=1 However I always lose connection as soon as I am done saving interface switch port ether1 settings. Am I missing something? I'd say yes, you do -...
by sindy
Wed Jun 03, 2020 8:34 pm
Forum: General
Topic: DHCP server - unexplained NAK after discover-offer-request
Replies: 2
Views: 382

Re: DHCP server - unexplained NAK after discover-offer-request

I'm afraid that the DHCPREQUEST from that box breaks RFC2131: DHCPREQUEST - Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c...
by sindy
Wed Jun 03, 2020 6:38 pm
Forum: General
Topic: VLAN broadcast Traffic
Replies: 1
Views: 302

Re: VLAN broadcast Traffic

Without seeing the actual configuration it is hard to say. There are several reasons why this may happen. See my automatic signature for the next steps.
by sindy
Wed Jun 03, 2020 6:32 pm
Forum: General
Topic: hAP ac lite, RouterOS v6.45.8, vpn client problems
Replies: 12
Views: 1753

Re: hAP ac lite, RouterOS v6.45.8, vpn client problems

For the model, you can see it in the title of the post: hAP ac lite Sorry, missed that while writing. Any ideas? Yes. Most packets belonging to fasttracked connections bypass mangle rules and other firewall processing. So the connections initiated by clients in your 192.168.88.0/24 are set up via t...
by sindy
Wed Jun 03, 2020 2:31 pm
Forum: General
Topic: how to configure mikrotik ccr router to work as ntp server while using its time as source of time
Replies: 5
Views: 534

Re: how to configure mikrotik ccr router to work as ntp server while using its time as source of time

With a regular ntpd on Linux, you can configure a forged stratum value the daemon will send to peers/clients while on freerun, but on Mikrotik, this is not possible. So if one of the current clients is a Linux machine, you can make it a server and let the Mikrotik synchronize from there, otherwise n...
by sindy
Wed Jun 03, 2020 2:20 pm
Forum: General
Topic: Limit-at exceeds available bandwidth
Replies: 1
Views: 256

Re: Limit-at exceeds available bandwidth

The real available bandwidth is not known to the queue system - the uplink just drops packets which exceed the available bandwidth and provides no feedback about that, as no communication channel for such feedback is available. So the queues always act as if the sum of max-limits of the innermost qu...
by sindy
Wed Jun 03, 2020 2:09 pm
Forum: General
Topic: Traceroute problem in one LAN [SOLVED]
Replies: 3
Views: 409

Re: Traceroute problem in one LAN [SOLVED]

traceroute on Linux sends UDP packets in the forward direction (unless you explicitly ask it to use another protocol), only the "TTL expired" backward notifications are ICMP. Mikrotik's /tool traceroute uses ICMP packets also in the forward direction by default.
by sindy
Wed Jun 03, 2020 11:35 am
Forum: General
Topic: update hapac2
Replies: 3
Views: 376

Re: update hapac2

Have you chosen the same "channel" for upgrades on both? It looks as if one had "stable" and the other one "long-term".
by sindy
Tue Jun 02, 2020 10:58 pm
Forum: General
Topic: VPN with GCP
Replies: 7
Views: 937

Re: VPN with GCP

The log from GCP side suggests that you use mode-config=request-only in the /ip ipsec identity at Mikrotik side, thus asking the GCP end to assign an IP address to the Mikrotik, but it doesn't have one on stock. Is requesting an address via mode-config required by their documentation?
by sindy
Tue Jun 02, 2020 10:25 pm
Forum: General
Topic: VPN with GCP
Replies: 7
Views: 937

Re: VPN with GCP

So let me understand that you are talking about that? /ip ipsec policy add dst-address=$here action=none place-before=0 ? $here is <mikrotik_public_IP> all current networks I have on mikrotik side (leftside) ? IPsec policies override all routes including those to connected subnets. So a 0.0.0.0/0 -...
by sindy
Tue Jun 02, 2020 9:25 pm
Forum: General
Topic: VPN with GCP
Replies: 7
Views: 937

Re: VPN with GCP

So I changed it to `use` but also it is required to set 0.0.0.0 src and dst in IPsec policy. When I do that I lose connectivity. Could someone advise me how to proceed? I'd prefer require to use for level , but that's minor. To prevent losing connectivity by setting policy's src and dst to 0.0.0.0...
by sindy
Tue Jun 02, 2020 8:32 pm
Forum: General
Topic: ipsec + ipip unstable
Replies: 3
Views: 575

Re: ipsec + ipip unstable

My advice is to do the following at both ends: /system logging add topics=ipsec,!packet disable the identity items run /log print follow-only file=ipsec-log-siteX where topics~"ipsec" enable the identities wait until the issue happens stop the /log print ... download the files and start reading them...
by sindy
Tue Jun 02, 2020 7:49 pm
Forum: General
Topic: No Ping Across IKEv2 VPN
Replies: 12
Views: 1792

Re: No Ping Across IKEv2 VPN

The workaround regarding setting a private local-address doesn't seem relevant anymore, as I do receive his pings and I send replies. Correct? Wrong. The purpose of the workaround is to avoid sending bare ESP which some of the ISPs on the path may block intentionally or by mistake. The UDP is prove...
by sindy
Mon Jun 01, 2020 9:45 pm
Forum: General
Topic: is this ROS speed bug?
Replies: 10
Views: 1336

Re: is this ROS speed bug?

maybe wait mikrotik can or can't fix my advertise problem..... To get a reaction from Mikrotik, you must send the problem description along with a supout.rif file to support@mikrotik.com. This is just a peer help forum and Mikrotik staff doesn't necessarily read every single topic, so they may not ...
by sindy
Mon Jun 01, 2020 8:00 pm
Forum: General
Topic: /28 WAN subnet and ip assignment
Replies: 6
Views: 882

Re: /28 WAN subnet and ip assignment

To react at your PM, I've missed that you have the /28 assigned directly as the WAN subnet, rather than having it routed to you via some interconnection subnet. In this case, you must set arp=proxy-arp on the WAN interface. This will make Mikrotik respond to the ARP requests sent by the ISP's gatewa...
by sindy
Mon Jun 01, 2020 5:44 pm
Forum: General
Topic: /28 WAN subnet and ip assignment
Replies: 6
Views: 882

Re: /28 WAN subnet and ip assignment

Since you can ping the CCR from the MAC, the backward route on the Mikrotik does exist on the CCR. So the most likely reason why you cannot ping anything behind the CCR (from the perspective of the Mac) are firewall rules on the CCR. At this stage, I'll need the export of your current configuration....
by sindy
Mon Jun 01, 2020 5:24 pm
Forum: General
Topic: Load Balancer with NAT rules
Replies: 11
Views: 1156

Re: Load Balancer with NAT rules

If you want that each query is sent to both external servers, then no, load balancing cannot do that. If you want that a certain share of queries is sent to one external server and the rest to the other one, then a load balancer is the right way.
by sindy
Mon Jun 01, 2020 5:00 pm
Forum: General
Topic: No Ping Across IKEv2 VPN
Replies: 12
Views: 1792

Re: No Ping Across IKEv2 VPN

Do I read you correctly that between your Mikrotik which acts as an IPsec peer on a public address and the Ethernet socket provided by the ISP, there is another Mikrotik acting as edge router?

Regardless of that, I have suggested a possible workaround in the last paragraph of post #2 above.
by sindy
Mon Jun 01, 2020 1:33 pm
Forum: General
Topic: is this ROS speed bug?
Replies: 10
Views: 1336

Re: is this ROS speed bug?

ether5 is a member port of a bridge, so it cannot be a dst , you must use Bridge as dst . In order to make queues work, you have to disable the action=fasttrack-connection rule in chain=forward of /ip firewall filter . The very essence of fasttracking is that most packets bypass most firewall proce...
by sindy
Mon Jun 01, 2020 12:51 pm
Forum: General
Topic: is this ROS speed bug?
Replies: 10
Views: 1336

Re: is this ROS speed bug?

Youtube is full of misleading videos. What is wrong about the explanation in the documentation?
by sindy
Mon Jun 01, 2020 11:55 am
Forum: General
Topic: is this ROS speed bug?
Replies: 10
Views: 1336

Re: is this ROS speed bug?

OK, nothing unusual in your configuration. I can only imagine that the switch chip tells the CPU to pause sending until it manages to deliver already received frames regardless of the egress port (which may be a bug of RouterOS or a design limitation of the switch chip, I don't have any information abo...
by sindy
Sun May 31, 2020 10:05 pm
Forum: General
Topic: is this ROS speed bug?
Replies: 10
Views: 1336

Re: is this ROS speed bug?

What is your native language? It often makes sense to use Google or Microsoft translation from the native language to English and then back again, and if what you originally wrote in native language still makes the same sense after this double translation, the English version is comprehensible too. ...
by sindy
Sun May 31, 2020 9:50 pm
Forum: General
Topic: Problem to setup an IPSec IKEv2 tunnel [SOLVED]
Replies: 2
Views: 498

Re: Problem to setup an IPSec IKEv2 tunnel [SOLVED]

Looking at the configuration export here , I'd say your IPsec settings are correct (there, some corrections were necessary as compared to the configuration state in that post; that's not your case, you don't have those mistakes). As the log shows no response at all from the remote peer, whereas in t...
by sindy
Sun May 31, 2020 5:37 pm
Forum: General
Topic: ipsec + ipip unstable
Replies: 3
Views: 575

Re: ipsec + ipip unstable

Set the proper peer value for all /ip ipsec policy rows and try again. I suspect that the 4011 is trying to set up an SA for the policy which has no peer specified with the currently active peer (which rejects it). What does "unstable" mean? The second pair of SAs disappears and re-appears, or the IPIP ...
by sindy
Sun May 31, 2020 3:59 pm
Forum: General
Topic: not work bonding mod 802.3ad mikrotik
Replies: 2
Views: 297

Re: not work bonding mod 802.3ad mikrotik

RouterOS versions, configurations, what /interface bonding print shows while it "doesn't work" at both ends, are the CCRs interconnected by passive elements (copper/fiber cable) or is there some active equipment (other switches) between them...
by sindy
Sun May 31, 2020 3:55 pm
Forum: General
Topic: Vpn L2TP/IPSEC
Replies: 12
Views: 1547

Re: Vpn L2TP/IPSEC

Any chance? Little, because @Jotne asked you to post the complete export and you've chosen to post just a random part. See my automatic signature below regarding prevention of sensitive information from getting posted. Some thoughts: (not related to the L2TP/IPsec issue) - unless you've edited the ...
by sindy
Sun May 31, 2020 3:32 pm
Forum: General
Topic: hAP ac lite, RouterOS v6.45.8, vpn client problems
Replies: 12
Views: 1753

Re: hAP ac lite, RouterOS v6.45.8, vpn client problems

Sniffing is not a solution, sniffing is a tool to analyse what is going on. You've provided no result of the sniffing, just a conclusion based on a wrong assumption. This type of configuration, where Mikrotik acts as a PPTP client, regularly works for other people (me included), so it is very likely ...
by sindy
Sat May 30, 2020 9:51 am
Forum: General
Topic: 2 public ips block /29 on 2 separate interfaces cannot ping between
Replies: 3
Views: 529

Re: 2 public ips block /29 on 2 separate interfaces cannot ping between

Please provide a drawing (a photo of a handmade one is sufficient, the contents is important, not the form) of how the three devices are physically interconnected and the export of their configuration, following the anonymisation hint in my automatic signature just below. Here, preserving the relati...
by sindy
Fri May 29, 2020 10:08 pm
Forum: General
Topic: Routing of live IP
Replies: 6
Views: 1135

Re: Routing of live IP

NAT rules are not for routing, maybe you mean for redirection? So you want a 1:1 NAT between the public /27 and the private /27? Why do you consider it better than assigning the public IPs to the clients directly? When you say you don't want a bridge but a single LAN port per each client, it sounds lik...
by sindy
Fri May 29, 2020 8:49 pm
Forum: General
Topic: Routing of live IP
Replies: 6
Views: 1135

Re: Routing of live IP

The goal is clear, the details are not. It seems that the ISP sends traffic for those public IPs to you via your WAN address in the 192.168.10.0/29. You haven't said whether they have configured this statically or whether you must advertise this public /27 to them using RIP or some other dynamic rou...
by sindy
Fri May 29, 2020 8:38 pm
Forum: General
Topic: Ipsec
Replies: 2
Views: 545

Re: Ipsec

You can use IPsec to encrypt any kind of connection. The price to pay is the CPU load (if the CPU is weak, this translates into "bandwidth reduction") and additional delay which also depends on the CPU throughput and whether encryption is supported in hardware by that CPU.
by sindy
Fri May 29, 2020 5:57 pm
Forum: General
Topic: packet sniffer missing outgoing ESP datagrams
Replies: 8
Views: 1283

Re: packet sniffer missing outgoing ESP datagrams

I just did, same result. Many more missing ESP UDP datagrams on the sending than on the receiving side.
If so, it looks like an overload of the device or a bug of the sniffer.
by sindy
Fri May 29, 2020 5:12 pm
Forum: General
Topic: packet sniffer missing outgoing ESP datagrams
Replies: 8
Views: 1283

Re: packet sniffer missing outgoing ESP datagrams

First fragments usually contain the L4 header (8 bytes UDP in this case), ip.flags.mf=1 and ip.offset=0. If ip.flags.mf is not set anywhere, no fragments will follow. This is correct. But what I am saying is that the sniffer filter only looks for complete packets if you ask it to match on protocol ...
by sindy
Fri May 29, 2020 3:42 pm
Forum: General
Topic: Block inter-vlan traffic in one direction
Replies: 2
Views: 510

Re: Block inter-vlan traffic in one direction

First, the firewall rules in your configuration block packets from one VLAN to another but do not protect the router itself from attacks via WAN. So if you get a public WAN address via PPPoE from your ISP, your router may already have been infected by malware. Second, it depends on what you cal...
by sindy
Fri May 29, 2020 3:09 pm
Forum: General
Topic: packet sniffer missing outgoing ESP datagrams
Replies: 8
Views: 1283

Re: packet sniffer missing outgoing ESP datagrams

Of course there is no MF flag in packets which did make it to the capture. You are interested in those which didn't. As I've understood, you can see those "as-if-missing" packets at receiving side, what is their size there? Also, for the same reason as described (port numbers only present in the fir...
by sindy
Fri May 29, 2020 2:14 pm
Forum: General
Topic: SNTP vs NTP Clients [SOLVED]
Replies: 3
Views: 663

Re: SNTP vs NTP Clients [SOLVED]

It's not the same, but if you don't need that some other devices synchronize their time from the Mikrotik itself, you don't need to install the ntp package (and it is even better not to install it as the additional package doesn't accept fqdns as server names).
by sindy
Fri May 29, 2020 1:56 pm
Forum: General
Topic: packet sniffer missing outgoing ESP datagrams
Replies: 8
Views: 1283

Re: packet sniffer missing outgoing ESP datagrams

You filter on UDP and port number, but if IP packets are fragmented (which is likely the case here), the L4 addresses (ports) are only present in the first fragment, so the second fragment doesn't match the filter. But since the first fragment is not a complete packet, it doesn't make it to the snif...
by sindy
Fri May 29, 2020 1:45 pm
Forum: General
Topic: ping host on a different vlan
Replies: 2
Views: 448

Re: ping host on a different vlan

Although you may theoretically have selective firewall rules in place on the Mikrotik which permit RDP but not ICMP, it is more likely that it is the default setting of Windows firewall which ignores pings from anywhere but own subnet. To check that, open a command line window at the Mikrotik (in Wi...
by sindy
Fri May 29, 2020 1:10 pm
Forum: General
Topic: NAT on two different LAN
Replies: 6
Views: 921

Re: NAT on two different LAN

OK but I want from the LAN 10.10.10.0/24 to connect to 192.168.1.8 It wasn't clear from your OP that you want the client at the second Tik to connect to the address 192.168.1.8, it seemed to be sufficient that it reaches the server "somehow". So if you don't mind excluding 192.168.1.8 from use o...
by sindy
Fri May 29, 2020 12:37 pm
Forum: General
Topic: How Eth interface for DSL upstream access in PPPoE setup ?
Replies: 1
Views: 318

Re: How Eth interface for DSL upstream access in PPPoE setup ?

You just attach both an /ip dhcp-client row and an /interface pppoe-client row to the same Ethernet interface. If you have the default firewall rules in place, make only the PPPoE interface a member of /interface list named WAN. The ethernet interface itself should not be on this list. But it depend...
by sindy
Fri May 29, 2020 12:15 pm
Forum: General
Topic: NAT on two different LAN
Replies: 6
Views: 921

Re: NAT on two different LAN

Every set-up should be only in the first Mikrotik (192.168.1.3 / 10.10.10.4)? No need to set anything on the second one?
Yes. The client on the second Mikrotik connects to 10.10.10.4 and all the handling needs to be done at the 10.10.10.4 'Tik.
by sindy
Thu May 28, 2020 11:39 pm
Forum: General
Topic: Think i'm being attacked
Replies: 16
Views: 2061

Re: Think i'm being attacked

It has to do with your "always on" VPN in terms that your PPTP server is listening, and some bot has found that while browsing the net and is now trying to get in to your router by guessing usernames and passwords. The owner of those IP addresses is most likely unaware of this happening because the ...
by sindy
Thu May 28, 2020 11:02 pm
Forum: General
Topic: Blocking Internet access
Replies: 7
Views: 1144

Re: Blocking Internet access

The forward chain deals with everything that passes through the router; chain input deals with traffic to the router itself. So the block rule must be in the forward chain.
by sindy
Thu May 28, 2020 10:31 pm
Forum: General
Topic: Blocking Internet access
Replies: 7
Views: 1144

Re: Blocking Internet access

Hmm, I don't seem to have that, only "defconf: accept established,related,untracked" That's the one I had in mind. This rule accepts packets belonging to any already ongoing connection. So you need to place a selective action=drop one before it to break existing connections to/from the IP you want t...
by sindy
Thu May 28, 2020 10:02 pm
Forum: General
Topic: RB750G VPN not passing through
Replies: 1
Views: 439

Re: RB750G VPN not passing through

Follow the instruction in my automatic signature if you want to get any useful advice.
by sindy
Thu May 28, 2020 9:53 pm
Forum: General
Topic: RouterBOARD 750G r3 no HW Offload ?
Replies: 10
Views: 1349

Re: RouterBOARD 750G r3 no HW Offload ?

No more ideas then. There is nothing in the configuration which would explain that.
by sindy
Thu May 28, 2020 9:30 pm
Forum: General
Topic: RouterBOARD 750G r3 no HW Offload ?
Replies: 10
Views: 1349

Re: RouterBOARD 750G r3 no HW Offload ?

All the bridge ports but one are inactive... what happens if you connect another cable to one of the unused ports? The HW offload means forwarding of frames among ports by the switch chip itself.
by sindy
Thu May 28, 2020 8:38 pm
Forum: General
Topic: Can't configure NAT to provide access to HTTP server
Replies: 5
Views: 1001

Re: Can't configure NAT to provide access to HTTP server

Moving the rule down only causes less Mikrotik CPU to be spent on handling the packets. I wrote that the log you've posted shows that the Mikrotik firewall is not the reason why the server does not respond to requests coming from the internet and that you must look for the reason on the server itsel...
by sindy
Thu May 28, 2020 8:01 pm
Forum: General
Topic: Can't configure NAT to provide access to HTTP server
Replies: 5
Views: 1001

Re: Can't configure NAT to provide access to HTTP server

Your firewall filter rules are not the default ones (which accept all connections with connection-nat-state=dstnat , assuming that the actual filtering has been done by the action=dst-nat rules in NAT), but the rule chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=80,443 log=yes...
by sindy
Thu May 28, 2020 6:44 pm
Forum: General
Topic: Run a script if a firewall rule is triggered
Replies: 8
Views: 1256

Re: Run a script if a firewall rule is triggered

Why would you a function like this? Whenever you MacGyver, i.e. use the Mikrotik as a standalone solution for a specific case. My examples: a customer wants to be alerted about a specific fault of some other equipment by flashes and whistles. OK, so you buy a signal tower from a renowned company wh...
by sindy
Thu May 28, 2020 5:25 pm
Forum: General
Topic: Blocking Internet access
Replies: 7
Views: 1144

Re: Blocking Internet access

It seems this isn't immediate when activating, not sure if i missed something You have missed that the default firewall is stateful, which in brief (and for several good reasons) means that if the first packet of a connection is accepted, all the rest of that connection is accepted too. To make sur...
by sindy
Thu May 28, 2020 2:44 pm
Forum: General
Topic: Help with AirPrint network printer over VPN on the same subnet
Replies: 6
Views: 815

Re: Help with AirPrint network printer over VPN on the same subnet

There may be, but it depends on how the iOS handles it, which an Apple forum might answer better than a Mikrotik one. If the only way to determine the IP address of the printer in iOS is via the autodiscovery, i.e. if you cannot manually add a printer with a given IP address, then your conclusion is...
by sindy
Thu May 28, 2020 12:30 pm
Forum: General
Topic: implicit firewal rules
Replies: 4
Views: 668

Re: implicit firewal rules

This is a philosophical question which had to be answered one way or the other when designing the product. Changing the approach now would cause a lot of headache. I agree with you that the default behaviour drop is the correct one for a firewall, but since the default firewall rules on SOHO devices...
by sindy
Thu May 28, 2020 11:02 am
Forum: General
Topic: Port forwarding to External OpneVPN Server [SOLVED]
Replies: 4
Views: 704

Re: Port forwarding to External OpneVPN Server [SOLVED]

Would that rule work? /ip firewall nat add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445 Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed ...
by sindy
Thu May 28, 2020 10:46 am
Forum: General
Topic: Run a script if a firewall rule is triggered
Replies: 8
Views: 1256

Re: Run a script if a firewall rule is triggered

Unfortunately, no other solution than the one you've found out yourself is currently available. I miss a script to be linked to a change of an address-list too. Just beware, scripts can still see dynamic items of address lists for about 5 seconds after they time out.
by sindy
Thu May 28, 2020 10:38 am
Forum: General
Topic: Force Connections To Use Specific IP
Replies: 2
Views: 434

Re: Force Connections To Use Specific IP

If the two devices are in different subnets and you have some dst-nat rules in place, you have to add some more NAT rules, to make the packets from A to B get src-nated, so that B would see them as coming from some other IP than the real one. But depending on how the rest of your firewall is done, d...
by sindy
Wed May 27, 2020 11:04 pm
Forum: General
Topic: Mikrotik l2tp/IPsec
Replies: 3
Views: 696

Re: Mikrotik l2tp/IPsec

The complete configuration except sensitive information, as written in my automatic signature. If the issue was where you expect it to be, you would find it, so it must be somewhere else. That's why only complete configuration is useful.
by sindy
Wed May 27, 2020 9:28 pm
Forum: General
Topic: /28 WAN subnet and ip assignment
Replies: 6
Views: 882

Re: /28 WAN subnet and ip assignment

so the customers get /32 address, what gw do they need to use? I wrote that above - you have to choose some address which doesn't conflict with any address the client uses internally in their network. If you only use public IPs at your WAN, the safest choice is an address from the CGNAT range, 100....
by sindy
Wed May 27, 2020 9:06 pm
Forum: General
Topic: Mikrotik l2tp/IPsec
Replies: 3
Views: 696

Re: Mikrotik l2tp/IPsec

Because something is broken. As you haven't posted your configuration, this is the best response you can get. Check my automatic signature just below for a hint on how to get a better one.
by sindy
Wed May 27, 2020 8:56 pm
Forum: General
Topic: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK
Replies: 8
Views: 1229

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

I suppose what fails many hops from your Mikrotik is a traceroute from that Mikrotik itself, correct? If so, I can see two possibilities: a traceroute from anywhere stops at that point, this sometimes happens if forwarding of ICMP is disabled there your public IP is blacklisted by the administrators...
by sindy
Wed May 27, 2020 8:26 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

This worked wonderfully!!! Right now I'm connected as it follows: ONT(new) --- Teldat --- Mikrotik, and it works. Great. Now as mentioned earlier, to get rid of the Teldat (not just for the fun of it, but to have yet another potential point of failure less), you would have to sniff the traffic betw...
by sindy
Wed May 27, 2020 5:53 pm
Forum: General
Topic: NAT on two different LAN
Replies: 6
Views: 921

Re: NAT on two different LAN

Hi I have a PC Client 192.168.1.8 that has gateway a mikrotik 192.168.1.3 (eth2) Mikrotik has on eth1 10.10.10.0/24 and has gateway another mikrotik 10.10.10.101 Mikrotik 10.10.10.101 uses on an interface the 192.168.1.0/24 network. Is there a way to access PC Client 192.168.1.8 from 10.10.10.0/24 ...
by sindy
Wed May 27, 2020 5:46 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

In a very simplified view, the /interface pppoe-client is a translator between an L2 interface (addressed by MAC) and the L3 (addressed by IP). The L3 end of this translator cannot be bridged with anything. The IP address is assigned to the /interface pppoe-client by the remote PPPoE server. So ther...
by sindy
Wed May 27, 2020 4:41 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

@msatter, 192.168.1.x and 192.168.10.x are different subnets, so no conflict there, you may have WAN address in 192.168.1.0/24 and LAN address in 192.168.10.0/24 and route between them. But the point is that in parallel to handing out addresses in 192.168.1.x dynamically, the Movistar gear seems to ...
by sindy
Wed May 27, 2020 4:33 pm
Forum: General
Topic: Backup / Restore [SOLVED]
Replies: 10
Views: 1115

Re: Backup / Restore [SOLVED]

You may have connected a USB-to-serial converter in the past so the configuration has been added. Just remove this block from the configuration and try to import the file without it.
by sindy
Wed May 27, 2020 3:21 pm
Forum: General
Topic: Backup / Restore [SOLVED]
Replies: 10
Views: 1115

Re: Backup / Restore [SOLVED]

I agree with your reasoning that if the problem was the format of the line, it would fail already on the first line with that same format. So either the import is too fast, or the line numbering is interpreted differently. I'd suggest to import the file manually by pasting it to the command line win...
by sindy
Wed May 27, 2020 3:06 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3112

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

Now, lets get back to the question asked........ ;-P So you are saying it is worth it, or a waste of time......??.... OK, if you put it this way, then no, I don't see much value in using it. Most malware will attack public addresses anyway. Out of curiosity, you may add it an let it log, to see whe...
by sindy
Wed May 27, 2020 2:36 pm
Forum: General
Topic: Backup / Restore [SOLVED]
Replies: 10
Views: 1115

Re: Backup / Restore [SOLVED]

hAP ac lite is exactly one of the models where the script must be stored as flash/202005.rsc and you have to refer to it like this ( run-after-reset=flash/202005.rsc ). But as you seemingly have the router on the table, so that you can access it even after using no-defaults=yes , you may then import the ...
by sindy
Wed May 27, 2020 2:29 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3112

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

I saw this in best practices wiki, dont use it but do you see value in adding to the default setup..........?
This rule just prevents your uplink bandwidth from being wasted by ill-configured software or malware running on devices in your LAN.
by sindy
Wed May 27, 2020 2:02 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3112

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

Is there a different mitigation for a "metered" (E.G. 4G subscription) versus an "unmetered" connection (E.G. DSL line, cable modem, FTH, ...) ? The ISP is mostly filtering already quite a lot on mobile connections. Nobody mentioned "tarpit" as protection: https://wiki.mikrotik.com/wiki/DoS_attack_...
by sindy
Wed May 27, 2020 1:49 pm
Forum: General
Topic: Backup / Restore [SOLVED]
Replies: 10
Views: 1115

Re: Backup / Restore [SOLVED]

So, what is the working OFFICIAL version, where i can back up all the settings and restore it to another hardware? The "official" version is to run system reset-configuration run-after-reset=path/to/the.exported.file.rsc (possibly with no-defaults and keep-users=yes ). The file must not disappear a...
by sindy
Wed May 27, 2020 1:05 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

I give up. The solution is so simple but no one wants to see it. Is it really? @Drageir has stated in his first post that he's tried exactly that, using vlan 20 instead of 6 and 21 instead of 3. If you are sure that no other option exists at Movistar than these two (data 6 / voip 3 and data 20 / vo...
by sindy
Wed May 27, 2020 12:56 pm
Forum: General
Topic: /28 WAN subnet and ip assignment
Replies: 6
Views: 882

Re: /28 WAN subnet and ip assignment

It is possible to use PPPoE (which works on all operating systems the same way) or you can use a direct ethernet connection to each customer, where each end has a /32 address, but the configuration differs per operating system. At the Mikrotik end, you add it this way: /ip address add address=some.p...
by sindy
Wed May 27, 2020 12:47 pm
Forum: General
Topic: Upgrade to HexS (RB760iGS) cannot get ultra fibre speed.
Replies: 18
Views: 1998

Re: Upgrade to HexS (RB760iGS) cannot get ultra fibre speed.

The following link demonstrates that the hEX can do 900 Mbps
Yes, but without PPPoE, which already makes a difference, and without VPN which makes much more of a difference.
by sindy
Wed May 27, 2020 12:38 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

Hm, that's quite a difference :) Now the first thing is a backup of the current configuration: /system backup save name=before-changes-20200527 (maybe you need the name to be flash/before-changes-20200527 to survive a reboot, I don't know whether it is the case on the 750GL model). But download the ...
by sindy
Wed May 27, 2020 11:36 am
Forum: General
Topic: L2TP VPN doesn't work over WAN [SOLVED]
Replies: 4
Views: 410

Re: L2TP VPN doesn't work over WAN [SOLVED]

I have added those 2 lines, however, it didn't do any difference, in the firewall window (Winbox), I don't see any additional rules, then what I had before Sorry, the match protocol=icmp doesn't work this way. You have to do it the following way: /ip firewall filter add place-before=[find chain=inp...
by sindy
Wed May 27, 2020 11:14 am
Forum: General
Topic: L2TP VPN doesn't work over WAN [SOLVED]
Replies: 4
Views: 410

Re: L2TP VPN doesn't work over WAN [SOLVED]

thought additional rules will be created automatically if it's done via Winbox ? Nope. Can somebody please advise /ip firewall filter add place-before=[find chain=input protocol=icmp] chain=input protocol=udp dst-port=500,4500 in-interface-list=WAN action=accept add place-before=[find chain=input p...
by sindy
Wed May 27, 2020 10:45 am
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

The RouterOS version is v6.45.8. 6.45.8 would not be that bad, but the export you've posted doesn't match 6.45.8, because in 6.45.8, there is no master-port property of /interface ethernet any more. So maybe it is an export from the past (possibly saved on the device itself)? Would you mind doing /...
by sindy
Wed May 27, 2020 10:20 am
Forum: General
Topic: DHCP Client Script when provider renews lease
Replies: 8
Views: 1247

Re: DHCP Client Script when provider renews lease

I cannot see anything wrong in the script, nor can Mikrotik's syntax check, but that says nothing about runtime issues. The way to go is to log about every step on the path which does not work, to see whether the foreach works at all and what are the actual values of the variables. As the refreshdyn...
by sindy
Tue May 26, 2020 11:20 pm
Forum: General
Topic: Help with AirPrint network printer over VPN on the same subnet
Replies: 6
Views: 815

Re: Help with AirPrint network printer over VPN on the same subnet

You may be missing the fact that by using arp=proxy-arp you cannot make L3 point-to-point tunnels start transporting broadcast traffic, which is likely used to discover the printer on the LAN, as there is no such thing like broadcast traffic on L3 point to point tunnels. So you'd need an L2 tunnelin...
by sindy
Tue May 26, 2020 7:46 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

Thank you. This config solved my problem. But I wanna know if there is another solution for my problem. Man, I understand that English is not your native language (same case at my end), but please use sentences which contain more information. What exactly is the "problem" you want to "solve anothe...
by sindy
Tue May 26, 2020 7:42 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

The configuration doesn't seem to fit to the description you gave before, especially because I can see no traces of this device itself acting as a VPN server. But that's for later. Can you tell me the RouterOS version there? It seems to me it is way outdated (older than 6.41). Also the Winbox port o...
by sindy
Tue May 26, 2020 7:10 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

Sorry for the aggressiveness. Yes, the last byte differs, my mistake. The address begins with 217.x.x.x. The technician told me that I must change the MikroTik's WAN to that address so their firewall works. I think it's a GRE tunnel inside the Teldat. We will learn that in the next round. To get ther...
by sindy
Tue May 26, 2020 6:28 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS ether1-gateway 3.74 12 <- 94:24:E3:3H:2J:FE 01:80:C2:00:00:00 ether1-gateway 3.782 13 -> 7D:6T:Y6:GF:8W:1G FF:FF:FF:FF:FF:FF 6 ether1-gateway 3.907 14 <- 94:24:E3:3H:2J:FE 00:54:ER:00:70:04 ether1-gateway 4.053 15 <- 00:G0:24:D4:8R:3R FF:FF:FF:...
by sindy
Tue May 26, 2020 4:07 pm
Forum: General
Topic: RB4011iGS No Internet available to hosts [SOLVED]
Replies: 7
Views: 868

Re: RB4011iGS No Internet available to hosts [SOLVED]

These are the default firewall rules which I've referred to, so yes, they do drop any connection to the router itself which is initiated from outside the LAN (except ICMP). It's the last rule in chain input which does that; the rule just before (above) it is the exception for ICMP (so the public IP ...
by sindy
Tue May 26, 2020 12:34 pm
Forum: General
Topic: RB4011iGS No Internet available to hosts [SOLVED]
Replies: 7
Views: 868

Re: RB4011iGS No Internet available to hosts [SOLVED]

Yes I prefer to keep it as "No" to be honest, not sure why the local dns doesn't work yet, I will retest again tomorrow I'm not sure you've got me right - to make the 4011 respond to any DNS queries coming from outside (including from LAN), you must set allow-remote-requests to yes . There is nothing ...
by sindy
Tue May 26, 2020 11:17 am
Forum: General
Topic: RB4011iGS No Internet available to hosts [SOLVED]
Replies: 7
Views: 868

Re: RB4011iGS No Internet available to hosts [SOLVED]

Is it a bug or work as intended? It may be both but the latter is more likely. If allow-remote-requests under /ip dns is set to no , the DNS server doesn't respond to any DNS queries coming from outside the router, including from the LAN clients. It is only safe to change this setting to yes if you...
by sindy
Tue May 26, 2020 11:07 am
Forum: General
Topic: Connection Tracking
Replies: 2
Views: 459

Re: Connection Tracking

I'd say it is the best solution available, except that you cannot treat input and output chains separately - incoming responses to outgoing requests of the router itself are treated by chain input , so they would not be accepted by the accept established or related rule in input because the pass of ...
by sindy
Tue May 26, 2020 10:05 am
Forum: General
Topic: <issue> PPPOE WAN and L2TP/IPSEC VPN
Replies: 2
Views: 752

Re: <issue> PPPOE WAN and L2TP/IPSEC VPN

I can see that you've modified the /ppp profile row named default so it now contains a fixed value for local-address and a pool for remote-address . What I can not see, because you've only published the part of configuration which you assume to contain the issue, is any row in /ppp profile without l...
by sindy
Mon May 25, 2020 11:11 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

Hm, great, so there is a bug in the VRF handling of PPPoE interfaces... the default route is not being added with the proper routing-mark . So you will need to work this around using the following: /ppp profile add copy-from=default on-up="/ip route add gateway=\$interface routing-mark=shatel" on-do...
by sindy
Mon May 25, 2020 9:53 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

So the packets do arrive to the hEX but don't get further (even the requests don't). What does /ip route print detail show at the hEX?
by sindy
Mon May 25, 2020 9:48 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

So does it mean that the "this is only resolved by port forwarding port 60209" is not a result of your own research but you have read it on some forum? Yes That changes the whole perspective. I was wondering why that statement should be true, as a) on Mikrotik and most Linux based devices, dst-nat ...
by sindy
Mon May 25, 2020 8:38 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2741

Re: Client IP over wan LINK host not REACHABLE

Show me the output of /ip dhcp-server network print from the main router. It is possible that you haven't delegated a proper netmask to the client.
by sindy
Mon May 25, 2020 8:21 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

A few posts above, you wrote When entering "netsh int teredo show stat" in cmd the NAT should be "cone" and mine is "symmetric(port)". This is only resolved by port forwarding port 60209. So does it mean that the "this is only resolved by port forwarding port 60209" is not a result of your own resea...
by sindy
Mon May 25, 2020 8:05 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

I have incoming traffic from the port on my device. What else can be at fault? It is a bit surprising to me that the port-forward on only the inner Mikrotik causes the detected NAT type to change from a symmetric one to cone, but let's leave this aside for the moment. But let's clarify that again -...
by sindy
Mon May 25, 2020 7:27 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

Update: Still does not work, even if I am connected directly to the 'Tik router. By device, you mean my computer where I want the port to be forwarded to? Yes, by device I had in mind the box behind the now-excluded other router, to see whether the port-forwarded packets really reach it or not. Wir...
by sindy
Mon May 25, 2020 7:25 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

I'm trying to connect to Xbox live servers from my PC and it uses teredo, and I need to port forward so that I can run a server through Xbox live. As I've said, my other router is pathetic and is very simplified. What I'll do is connect to the 'Tik router with my laptop and see if the port forwardi...
by sindy
Mon May 25, 2020 7:03 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

The IT guy doesn't know what port I want to listen to. So we're back where we started from - anything from the net can reach your apartment 'Tik, so effectively no firewall at all. ...shows the MAC addresses, sniffing pppoe-out1 did not (I'm just mentioning it). Sorry, my fault, no MAC addresses us...
by sindy
Mon May 25, 2020 6:39 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

It has returned with 10.0.x.x, what does it mean for it to have a 1:1 NAT, anything I can do? Nothing you'd need to do - the IT guy does forward the traffic to you, and doesn't change the port, so you get it. But that may mean that there is effectively no firewall between the internet and your Tik ...
by sindy
Mon May 25, 2020 6:24 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

Where do I find my WAN address? Is it the "IP Address" located in the QuickSet? Because the one located there is 10.0.xxx.xx. I'm trying to get Teredo to work. /ip address print where interface=pppoe-out1 . If it returns a 10.0.x.x, there may be a 1:1 NAT from the public IP to the private one. I th...
by sindy
Mon May 25, 2020 6:10 pm
Forum: General
Topic: Sorting issue in ssh
Replies: 1
Views: 286

Re: Sorting issue in ssh

No way unfortunately. You would have to sniff into a file and then use Wireshark to calculate the statistics per IP.
by sindy
Mon May 25, 2020 6:07 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

I have followed tutorials exactly and it does not work, so I believe it might be the estates Mikrotik which is not allowing my forwarding. What you can do to be really sure is to open a command line window on the 'Tik, make it as wide as your screen allows, run /tool sniffer quick interface=pppoe-o...
by sindy
Mon May 25, 2020 5:54 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

When I plug in a laptop directly to the Movistar' Switch I get the address 192.168.1.X, so it must be in router mode.
So what happens if you attach a DHCP client directly (no /interface vlan in between) to Mikrotik's ether1 rather than a fixed address? Does it get a dynamic one too?
by sindy
Mon May 25, 2020 5:52 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

BTW, since you've now got the PPPoE username and password, you should be able to connect your own router instead of the estate's Mikrotik. Which doesn't help much if the central router is filtering incoming connections. There are two drawbacks of a centralized firewall: if done properly, it prevents...
by sindy
Mon May 25, 2020 5:36 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

I'm running v6.38.3 and I have my PPPoE via ether1 yes. Hmm... that's WAY outdated, many vulnerabilities have been discovered and patched since then. The IT guy really takes it easy there. OK, if your own router is secured enough, you may think you are safe yourself (against some types of attacks, o...
by sindy
Mon May 25, 2020 5:23 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2741

Re: Client IP over wan LINK host not REACHABLE

OK. What is important is that the mode (tagged/tagless) of each VLAN is the same at both ends of each link between two adjacent devices. So if you want both VLANs to reach the "client AP" device, you must change the wireless interface mode there to station-bridge as I've suggested in my first post....
by sindy
Mon May 25, 2020 4:54 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

Yes, we have a VPN for some employees and an Exchange server too. We have the outsourced DNS and we will change it to the new public IP after we get connection. OK. In that case: configure one of the VPN clients to connect to the new public IP (rather than to the domain name if set like that), open a ...
by sindy
Mon May 25, 2020 4:41 pm
Forum: General
Topic: I Can't Port Forward
Replies: 33
Views: 3579

Re: I Can't Port Forward

So should I disable bridge1 and try to use wlan1 when setting up my NAT rules? NO - this would make the router inaccessible for you, wlan1 is a member port of the bridge, so by disabling the bridge you'd lock yourself out from the device. As you consider port forwarding, I guess you are getting a p...
by sindy
Mon May 25, 2020 3:04 pm
Forum: General
Topic: DHCP override [SOLVED]
Replies: 8
Views: 821

Re: DHCP override [SOLVED]

/ip dhcp-server network server=my_dhcp address=10.0.0.18/32 netmask=24 gateway=10.0.0.2 There is no explicit link to the server. And if you don't specify the DNS server, the common one will not be assigned to the client - or, better to say, those specified for Mikrotik itself in /ip dns settings wi...
by sindy
Mon May 25, 2020 2:33 pm
Forum: General
Topic: DHCP override [SOLVED]
Replies: 8
Views: 821

Re: DHCP override [SOLVED]

Not enough, you must add netmask=xx, where xx matches the netmask of the subnet from which you assign the address, otherwise the client would get a /32 mask and would not be able to connect anywhere, as even the gateway would be outside its own subnet.
by sindy
Mon May 25, 2020 1:38 pm
Forum: General
Topic: CGNAT performance
Replies: 1
Views: 272

Re: CGNAT performance

Processing-wise, there is no difference between CGNAT and NAT. It doesn't matter what the new source address which has to be changed in each packet is.
by sindy
Mon May 25, 2020 1:20 pm
Forum: General
Topic: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]
Replies: 13
Views: 2222

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]

It depends on whether there will be any traffic between the Cisco itself and the Mikrotik. The thing is that the routing-mark is respected for any traffic for which any matching route with such a routing-mark exists, hence an incoming from the Cisco itself (not coming via the Cisco, the source addre...
by sindy
Mon May 25, 2020 12:59 pm
Forum: General
Topic: Currently using Mangle rules for DUAL WAN setup. Now I want to add some QOS. Is it possible to integrate the QOS mangle
Replies: 4
Views: 478

Re: Currently using Mangle rules for DUAL WAN setup. Now I want to add some QOS. Is it possible to integrate the QOS man

Rule order does matter. Whether you set passthrough to yes or no does matter. You can only assign a single connection-mark to a connection at a time - the last assigned one replaces any previous ones. So you have to use composite connection marks, each expressing both the routing policy to be used a...
by sindy
Mon May 25, 2020 12:51 pm
Forum: General
Topic: DHCP override [SOLVED]
Replies: 8
Views: 821

Re: DHCP override [SOLVED]

You mean the gateway which the DHCP server instructs the client to use, correct? You can, if you make the lease for that client static (to convert a dynamically assigned one to a static one is the simplest way to do that), and for the address you lease to that client, you create a separate row under...
by sindy
Mon May 25, 2020 12:39 pm
Forum: General
Topic: Whitelisting whole domain
Replies: 12
Views: 1664

Re: Whitelisting whole domain

Is it possible that so different web services go to use same ip address servers ? In this case is a lost war from the beginning..... Yes. Large companies like Google or Facebook (sorry if I haven't mentioned your favourite one) use the same IP addresses for all of their services, so to try to selec...
by sindy
Mon May 25, 2020 7:35 am
Forum: General
Topic: RSTP status [SOLVED]
Replies: 3
Views: 680

Re: RSTP status [SOLVED]

I'm not aware of a way to see the STP status of individual ports. You can see the forwarding table using /interface bridge host print, but that's not the same (a port may be open but no MAC address may be learnt through it).
by sindy
Sun May 24, 2020 11:45 pm
Forum: General
Topic: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]
Replies: 13
Views: 2222

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]

OK. Now you may extend the src-address in the /ip route rule row from a /32 to the whole /27, it should extend the functionality to all the public IPs associated to DAISY.

However, I still don't get why the mangle rules did not work, as they seemed fine to me.
by sindy
Sun May 24, 2020 10:43 pm
Forum: General
Topic: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK
Replies: 8
Views: 1229

Re: CAN'T CONNECT TO SOPHOS FIREWALL THROUGH MY MIKROTIK

First of all, could it be that those two clients are using L2TP or PPTP, both connect to the same VPN server, and you NAT both of them to the same public IP address? If so, it cannot work due to the NAT, as in both cases, the server to which they connect is unable to distinguish the connections from...
by sindy
Sun May 24, 2020 10:13 pm
Forum: General
Topic: VPN Redundancy
Replies: 2
Views: 528

Re: VPN Redundancy

Where would that VPS run? If anywhere else than at the client PC, it would itself become the SPOF. All the VPN protocols are stateful, so even if you create a virtual router from a pair of 'Tiks using VRRP and let the clients connect to the virtual IP, as soon as the currently active 'Tik breaks and...
by sindy
Sun May 24, 2020 8:22 pm
Forum: General
Topic: DHCP Client Script when provider renews lease
Replies: 8
Views: 1247

Re: DHCP Client Script when provider renews lease

What does the script have to look like for it to work? The problem is that the variables accessible inside the script are not the same ones you can see using /ip dhcp-client print detail - very confusing. So your script has to look as follows: :if ($bound=1) do={ /system script run refreshdyndns :l...
by sindy
Sun May 24, 2020 7:09 pm
Forum: General
Topic: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]
Replies: 13
Views: 2222

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]

now we have WAN2 and DAISY. So any connection that comes in on DAISY goes back out on WAN2. So you actually don't need a rule to keep what came in via WAN2 on WAN2 but a rule to keep what came in via DAISY on DAISY. So go step by step now: open two command line windows run /tool sniffer quick inter...
by sindy
Sun May 24, 2020 4:57 pm
Forum: General
Topic: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]
Replies: 23
Views: 3112

Re: My MikroTik is Hacked!!! Found file 7wmp0b4s.rsc [SOLVED]

It was running OS version v6.37.1 and current firmware was 3.29. ... How did this happen? ... However, keep in mind I had a strong password. A number of vulnerabilities, including ones allowing to break in without knowing the password, have been fixed since 6.37.1, so this is the most likely reason...
by sindy
Sun May 24, 2020 1:14 pm
Forum: General
Topic: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]
Replies: 13
Views: 2222

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]

In the OP you say you have a problem that everything goes out via WAN1 (DAISY) no matter what and that you want that L2TP connections which came to pppoe-wan2 would be responded from there, but there is no /ip route rule row for this. Instead, there is such a rule, but for WAN1. Can you clarify? Als...
by sindy
Sun May 24, 2020 12:29 pm
Forum: General
Topic: Full access to LAN over VPN
Replies: 6
Views: 946

Re: Full access to LAN over VPN

I have no idea how the network discovery you have in mind works, but as I wrote, L3 VPNs do not transport broadcast packets or ARP packets, so you would most likely need an L2 VPN, and for that, you need to either write your own VPN application for Windows or to use another Mikrotik (such as mAP) to...
by sindy
Sun May 24, 2020 11:44 am
Forum: General
Topic: RSTP status [SOLVED]
Replies: 3
Views: 680

Re: RSTP status [SOLVED]

/interface bridge monitor your-bridge-name
by sindy
Sat May 23, 2020 11:14 pm
Forum: General
Topic: Full access to LAN over VPN
Replies: 6
Views: 946

Re: Full access to LAN over VPN

The last rule in chain=input of your /ip firewall filter says action=drop chain=input comment="defconf:drop all not coming from LAN" in-interface-list=!LAN (and for some reason, this rule is there three times, so remove the last two). Since the dynamically created interface representing the L2T...
by sindy
Sat May 23, 2020 10:27 pm
Forum: General
Topic: Mikrotik as an L2TP/IPSec client for Fortigate issues
Replies: 3
Views: 544

Re: Mikrotik as an L2TP/IPSec client for Fortigate issues

Try changing pfs-group value to none , as the Microsoft Windows' embedded VPN client uses that. If it does not help, try to gather more information from Fortigate's log regarding supported transforms (encryption algorithm, hash algorithm, pfs algorithm). If you have any other IPsec configuration in ...
by sindy
Sat May 23, 2020 9:47 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

You can't add both routes to the same routing table (i.e. give them the same routing-mark , none in this case, which is equal to explicitly stating main ) with the same distance and expect that by indicating the interface for :ping , the proper route matching that interface will be chosen. RouterOS ...
by sindy
Sat May 23, 2020 7:12 pm
Forum: General
Topic: Mikrotik as an L2TP/IPSec client for Fortigate issues
Replies: 3
Views: 544

Re: Mikrotik as an L2TP/IPSec client for Fortigate issues

What does the /ip ipsec proposal print where name=default show on the Mikrotik?
by sindy
Sat May 23, 2020 5:53 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2741

Re: Client IP over wan LINK host not REACHABLE

Please me detailed the function at its level, Please take note that this is just summary of the problem I am facing implementing the design ... This is the focus of the problem To me, the most comprehensible description remains the picture. Even with your description above, I still understand that ...
by sindy
Sat May 23, 2020 5:05 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2741

Re: Client IP over wan LINK host not REACHABLE

So what to fix, device-by-device, to make the VLAN 1000 transparent end-to-end: "main router": I cannot see any internet uplink configured there, so even once the VLAN1000 becomes transparent, the "Client Data" device will only get access to that router itself, not to internet. Please clarify. "swit...
by sindy
Sat May 23, 2020 3:58 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2741

Re: Client IP over wan LINK host not REACHABLE

@Sindy... That for your swift suggestion i would have these issues fixed and would let you know if my problem is solved or not... Wait... I've completely misunderstood your setup as the order of your configuration exports doesn't match the order of the elements in the chain on the drawing, and the ...
by sindy
Sat May 23, 2020 2:54 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

After your guide I can add a route to vlan1 (192.168.222.10) but I can't ping 8.8.8.8 through that in 2011 What does "I can't ping through that" mean? From where do you ping? How do you enforce that the ping takes that route, and how did you verify that the ping actually did take that route? In addition to...
by sindy
Sat May 23, 2020 12:32 pm
Forum: General
Topic: Mikrotik + Movistar Fusión Empresas
Replies: 38
Views: 4200

Re: Mikrotik + Movistar Fusión Empresas

Since no one familiar with Movistar's habits seems to wander around, let me ask you a question, because to debug a blackbox is not easy even for a network specialist, leaving aside regular users. Should the static public IP be used to access some server in your premises remotely (web server, VPN con...
by sindy
Sat May 23, 2020 12:13 pm
Forum: General
Topic: Vlan not reaching Wan net [SOLVED]
Replies: 3
Views: 577

Re: Vlan not reaching Wan net [SOLVED]

My question is simpler, where is the export of /ip dhcp-server network? The thing is that if there is no row whose network prefix matches the leased IP address, the DHCP clients receive an IP address but no netmask, so they choose /32 and thus they cannot reach anything on L2 level.
by sindy
Sat May 23, 2020 12:07 pm
Forum: General
Topic: Traffic generated by the switch doesn't respect VRF segregation
Replies: 2
Views: 361

Re: Traffic generated by the switch doesn't respect VRF segregation

Traffic to and from own IP addresses of the device doesn't respect VRF. The routing-mark identifying the VRF instance is assigned as the traffic gets in via a VRF interface, but there is no in-interface for locally originated traffic. For incoming traffic to own addresses, the matching of the destin...
by sindy
Sat May 23, 2020 11:43 am
Forum: General
Topic: ECMP LoadBalancing
Replies: 15
Views: 1979

Re: ECMP LoadBalancing

@sindy Only the routing-mark differs and the destination address is in all four lines the same. Differing routing-mark means different routing table, so it always overrides distance as I wrote above. If no route with the required routing-mark matches, routing table main is used instead (unless you ...
by sindy
Sat May 23, 2020 11:08 am
Forum: General
Topic: ECMP LoadBalancing
Replies: 15
Views: 1979

Re: ECMP LoadBalancing

I am not a routing specialist but with distance and specific WAN you create a problem. The connection with the shortest distance gets priority to transport traffic but then only for WAN3 traffic leaving WAN2+3 to be caught by the last routing rule. @msatter, this is a misleading statement. The dis...
by sindy
Sat May 23, 2020 11:01 am
Forum: General
Topic: ECMP LoadBalancing
Replies: 15
Views: 1979

Re: ECMP LoadBalancing

Does it stop working for iperf running outside the router or you've only tried pinging from the router itself? Packets sent by the router itself do not pass through the prerouting path but through the output one. So if there is no other route to 172.31.19.0/24 (a default one would be sufficient) in ...
by sindy
Sat May 23, 2020 8:55 am
Forum: General
Topic: ECMP LoadBalancing
Replies: 15
Views: 1979

Re: ECMP LoadBalancing

@powiadamiacz, statistics from just a few samples are no statistics at all. You'd have to create thousands of connections with different source and destination addresses and ports to see the actual evenness of their distribution across the rules/routes. The key here is how the 32-bit hash is generat...
by sindy
Sat May 23, 2020 8:36 am
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2741

Re: Client IP over wan LINK host not REACHABLE

@anav, in cases like this, I follow a simple rule - emergency to be resolved first. So I do/suggest the minimum needed to make it work "somehow", and once the service gets going, there is enough time to make it work "better" - more efficient, more elegant, whatever. Asking the OP to redo it from scr...
by sindy
Sat May 23, 2020 12:41 am
Forum: General
Topic: Hairpin nat issue [SOLVED]
Replies: 8
Views: 1623

Re: Hairpin nat issue [SOLVED]

I suspect that the issue is caused by /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes which is not compensated for. If you look at the log line you've quoted, it says in:bridge-hq(ether7-trunk-zolder) , whereas it should actually say in:hq-vlan10 . So the rule acts to...
by sindy
Fri May 22, 2020 11:51 pm
Forum: General
Topic: ECMP LoadBalancing
Replies: 15
Views: 1979

Re: ECMP LoadBalancing

Can you tell me how to do that?
Have a look at this recent post. If it is not 100% clear from there, ask further questions here.
by sindy
Fri May 22, 2020 11:45 pm
Forum: Beginner Basics
Topic: Client IP over wan LINK host not REACHABLE
Replies: 24
Views: 2741

Re: Client IP over wan LINK host not REACHABLE

In the export of the configuration of the client (the 941), I can see /interface wireless set [ find default-name=wlan1 ] ssid=MikroTik which means that the mode is set to station (default settings are not shown in export ). But in mode=station , the header of the frames in the air only contains the...
by sindy
Fri May 22, 2020 5:44 pm
Forum: General
Topic: ECMP LoadBalancing
Replies: 15
Views: 1979

Re: ECMP LoadBalancing

Yes, but not using ECMP. ECMP does not look at port numbers, period.

So you need routing marks and mangle rules assigning them if you want to distribute the traffic with same src and dst addresses across multiple routes.
by sindy
Fri May 22, 2020 5:35 pm
Forum: General
Topic: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]
Replies: 13
Views: 2222

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]

We have tried routing-mark before without apparent success. Would prefer WAN2 to be the priority with WAN1 as fallback. The routing-mark is actually a name of a routing table , so you can use the distance parameter to prioritize routes in each routing table differently, and you can have the same ro...
by sindy
Fri May 22, 2020 3:26 pm
Forum: General
Topic: Deny config access from public IP
Replies: 3
Views: 614

Re: Deny config access from public IP

The firewall rules in the default configuration of SOHO models are a good starting point; as you can access configuration services via public IP, these seem to be unused - maybe because the router model is not a SOHO one so the defaults are different.
by sindy
Fri May 22, 2020 1:09 pm
Forum: General
Topic: Full access to LAN over VPN
Replies: 6
Views: 946

Re: Full access to LAN over VPN

Is it a firewall rule or a VPN configuration setting? Could anyone please help? As you've realized yourself, there may be many reasons why you cannot connect to the router itself via the VPN, depending on the particular VPN type you use and/or your firewall rules, so to get useful advice, provide...
by sindy
Fri May 22, 2020 1:02 pm
Forum: General
Topic: Port Priority
Replies: 13
Views: 1808

Re: Port Priority

Okay. So first, the "beauty of this beast" (the Mikrotik) is that, unlike with most hardware-only switches, you may create several independent bridges, and the VLAN IDs are only relevant within each bridge, i.e. frames are not forwarded from one virtual bridge to another just because they carry a VL...
by sindy
Fri May 22, 2020 12:05 pm
Forum: General
Topic: Diagnosis suggestions
Replies: 9
Views: 1483

Re: Diagnosis suggestions

You were either sniffing on all interfaces simultaneously or on the LAN one in particular, as the DHCP traffic seen there shows your Mikrotik acting as a DHCP server for your LAN devices. I know I haven't replaced br-wan in the command by put-your-wan-interface-name-here :) You may consider removing...
by sindy
Fri May 22, 2020 11:45 am
Forum: General
Topic: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]
Replies: 13
Views: 2222

Re: Mikrotik Router - Dual WAN - Traffic always leaves via WAN1 [SOLVED]

Could anyone suggest a reason for this happening - I can share the config if that would be useful? Check this post first, start reading it from the last paragraph which explains the relationship to your scenario, and then read the previous posts in that topic to find out how to use the routing-mark...
by sindy
Fri May 22, 2020 11:37 am
Forum: Announcements
Topic: v6.46.6 [stable] is released!
Replies: 69
Views: 30025

Re: v6.46.6 [stable] is released!

Some people recommend turning the SIP helper off. I am one of those people, under specific circumstances - the helper is useful when individual phones are connected at the LAN side and the exchange is unable to deal with CPE-side NAT on its own. If the exchange is at the LAN side, whether the ...
by sindy
Thu May 21, 2020 10:07 pm
Forum: General
Topic: No Ping Across IKEv2 VPN
Replies: 12
Views: 1792

Re: No Ping Across IKEv2 VPN

It looks like I receive his ping and I reply to it. I also send a ping, but get no reply. Is that a correct interpretation? If you were both pinging simultaneously, then yes, it is a correct interpretation. The fact that you receive the ESP says that everything is OK with routes towards you and pol...
by sindy
Thu May 21, 2020 9:07 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

It depends on what you want to do :) The least complicated way forward from the current setup is the following: On the hEX, add a VRF setup for Shatel: /ip route vrf add routing-mark=shatel interfaces=pppoe-Shatel,vlan1 On the 2011, routes through Parsian will stay as they are, and routes via Sha...
by sindy
Thu May 21, 2020 8:12 pm
Forum: General
Topic: NAT rules for L2TP Winbox connections
Replies: 1
Views: 366

Re: NAT rules for L2TP Winbox connections

NAT rules in particular are definitely not necessary. To get more useful advice, you have to provide more useful input, see my automatic signature below for a mini-howto. There are many ways to implement a firewall and routing, so nothing less than a complete export from both the central dev...
by sindy
Thu May 21, 2020 7:32 pm
Forum: General
Topic: IPv6 conntrack issue [SOLVED]
Replies: 5
Views: 1090

Re: IPv6 conntrack issue [SOLVED]

If you look at the same in IPv4 conntrack, you'll see the same short timeouts appearing now and then, as they appear whenever a packet has not been acknowledged yet: [me@MyTik] > ip firewall connection tracking print ... tcp-established-timeout: 1d ... tcp-max-retrans-timeout: 5m tcp-unacked-timeout...
by sindy
Thu May 21, 2020 7:23 pm
Forum: General
Topic: How to reach address in routerOS openvon client
Replies: 2
Views: 520

Re: How to reach address in routerOS openvon client

Look at the server implementation of OpenVPN as at a separate router. Adding a route to the client's LAN subnet to the server's kernel routing table via an OpenVPN virtual interface just tells the kernel to send the packets for these addresses to OpenVPN, but you have to tell OpenVPN itself which su...
by sindy
Thu May 21, 2020 7:13 pm
Forum: General
Topic: Forwarding traffic over IPSec
Replies: 1
Views: 401

Re: Forwarding traffic over IPSec

The scenario you describe is nothing special, so the example in the manual should be sufficient? Or have I missed something in your description? Don't be misled by the fact that the WAN interfaces in the example have private IPs; it works the same when they are public ones.
by sindy
Thu May 21, 2020 7:09 pm
Forum: General
Topic: Port Priority
Replies: 13
Views: 1808

Re: Port Priority

Port 1 = WAN Port 2 = Goes to my network switch and carries 6 VLANs and DHCP information for everyone Port 3 = Empty Port 4 & 5 = Members of streaming_bridge and VLAN 7 is assigned here with a DHCP server handling this traffic. As this description still hasn't removed the doubts, can you just follo...
by sindy
Thu May 21, 2020 6:46 pm
Forum: General
Topic: No Ping Across IKEv2 VPN
Replies: 12
Views: 1792

Re: No Ping Across IKEv2 VPN

Since you have both WAN routes active simultaneously, you are likely using policy routing (nothing to do with IPsec policies, it's just a common name of the setup in the Mikrotik world), i.e. you assign the routing-mark values using /ip route rule rows or /ip firewall mangle rules. When doing this, ...
by sindy
Thu May 21, 2020 6:06 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

Unfortunately I don't have access to the bridged radio So the first step to do is a test whether the radio is transparent for VLANs. the model of router is specified in the config well, the hEX is just a small bit more powerful than the 2011, so depending on the available WAN bandwidth, it might or mig...
by sindy
Thu May 21, 2020 5:09 pm
Forum: General
Topic: DNS traffic throught IPSec VPN
Replies: 1
Views: 391

Re: DNS traffic throught IPSec VPN

In the absence of any description of the network topology at the HQ, it's nothing but guessing: if it's not a firewall rule blocking DNS queries coming in via WAN without an exception for these that come in via WAN but transported using bare IPsec, the next most likely thing to me is routing at ...
by sindy
Thu May 21, 2020 3:06 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

Please show me what I can do, in detail. Thank you. To do so, I need exports of the current configurations of both routers and the radios (as they may theoretically be blocking VLAN traffic). My automatic signature right below suggests how to do that and how to anonymise the sensitive contents of...
by sindy
Thu May 21, 2020 2:37 pm
Forum: General
Topic: distribute Two Wan that exist on same interface [SOLVED]
Replies: 19
Views: 2474

Re: distribute Two Wan that exist on same interface [SOLVED]

If all the Mikrotik devices on the picture are under your control, you can use two VLANs to host two intermediate IP subnets on the link between the two routers, or you can even run the PPPoE clients on the bottom router if you use two VLANs to bridge the PPPoE frames between the two routers.
by sindy
Thu May 21, 2020 1:02 pm
Forum: General
Topic: Firewall Rule not work with Microsoft DHCP server
Replies: 11
Views: 1076

Re: Firewall Rule not work with Microsoft DHCP server

To add some optimism, you may use a managed switch, or the Mikrotik itself acting as such switch, and set up L2 filtering and/or port isolation to restrict traffic among hosts in the same IP subnet. Also, if you just wanted to test the firewall rules and your actual application case does not require...
by sindy
Thu May 21, 2020 12:55 pm
Forum: General
Topic: Port Priority
Replies: 13
Views: 1808

Re: Port Priority

Confirm once you start using mangle rules the router slows down (fasttrack has to be disabled in forward fw rules) and if so by how much? (What is the real effect?) @anav, strictly speaking the router doesn't slow down but has to spend more effort to handle a single packet. So the traffic may sl...
by sindy
Thu May 21, 2020 12:30 pm
Forum: General
Topic: Port Priority
Replies: 13
Views: 1808

Re: Port Priority

We are broadcasting our stream to a company on the internet via the RTMP protocol. I do not believe that the unit requires any information back while streaming. All it does is send a MP4 compressed file via RTMP that gets rebroadcast. OK, so no need to worry about multiple streams occupying the dow...
by sindy
Thu May 21, 2020 11:53 am
Forum: General
Topic: Diagnosis suggestions
Replies: 9
Views: 1483

Re: Diagnosis suggestions

Questions: what exactly have you done two minutes after starting the sniff, and for how long had the connection been already down before you've started sniffing? was the /ip dhcp-client print detail taken before starting the sniff or after finishing it? The point is that during those first two minut...
by sindy
Wed May 20, 2020 11:56 pm
Forum: General
Topic: QinQ trunk port
Replies: 6
Views: 859

Re: QinQ trunk port

The service vlan needs to be applied in the first vlan only (100 and 200) right?
s-vlans need 802.1ad (service) tagging (hence use-service-tag=yes), c-vlans need 802.1Q (customer) tagging, hence use-service-tag=no.
by sindy
Wed May 20, 2020 11:53 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

I can confirm that you cannot ping across networks. ... Now all I need to try and sort out is the encryption on the L2TP connection to Tinos. First I'd like to know that the SIP devices are doing fine with these rules at Malford. Then, I need to have a look at Tinos firewall rules. To do that, I'd ...
by sindy
Wed May 20, 2020 8:21 pm
Forum: General
Topic: l2tp max 8 hours timeout [SOLVED]
Replies: 4
Views: 1387

Re: l2tp max 8 hours timeout [SOLVED]

It's a Windows specific issue:

viewtopic.php?t=110761#p658121
by sindy
Wed May 20, 2020 8:17 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

OK, so the stupidity was at my end, sorry for that. I should not do serious things in the evening. I've always placed the chain=something only to the first rule in each chain. And as you've added "input" to all rules, it could not work properly for forwarding. So a corrected version is here: /system...
by sindy
Wed May 20, 2020 7:47 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

Yes. In the /export, you should see the rules in exactly the same form and order in which they appear in the script.
by sindy
Wed May 20, 2020 7:25 pm
Forum: General
Topic: No Ping Across IKEv2 VPN
Replies: 12
Views: 1792

Re: No Ping Across IKEv2 VPN

I cannot find a reference to the "ID" field in the ipsec manual at the Mikrotik wiki. Because there is a reference to "my-id" and "remote-id". But since the connection is established, it's not the reason why it does not transport data. I do see packets exiting the WAN interface going to xx.xx.2.126...
by sindy
Wed May 20, 2020 6:09 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

I have just copied the rules from here (Firefox used - mark, copy, paste, no "select all") and pasted them into a PuTTY window, no corruption. Please do it that way. It seems that pasting to Winbox window has some negative effect.
by sindy
Wed May 20, 2020 5:37 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

Can you copy-paste my script here exactly the same way how you have copy-pasted it to the Mikrotik? Because the resulting rules are not those in my script, something went totally wrong: add action=drop chain="add action=accept protocol=udp dst-port=53 in-interface-list=!WAN" connection-state=invalid...
by sindy
Wed May 20, 2020 3:38 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

Did them manually in the end as I needed the isolation rules so, these are the active ones: No, you didn't need any extra isolation rules . I gave you firewall rules which drop everything except what I've explicitly stated will be permitted. You have actually not implemented my rules - according to...
by sindy
Wed May 20, 2020 2:55 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 61
Views: 25335

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

Will this solution work if there is more than just 2 Road Warriors L2TP/IPsec clients behind NAT? That's the very purpose of this solution. I have about 10 on a site and they use one central fibre line to connect to our main VPN server and from what I pick up is that it works as it gives one of the...
by sindy
Wed May 20, 2020 12:02 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 1221

Re: Accessing external IP from LAN without hairpin NAT

So essentially if I don't have the server in the same bridge as the LAN and keep them on different subnets I will be able to use the public IP of the server from the LAN? Correct, but same/different bridge is not actually relevant, only different subnets are necessary. You can have multiple subnets...
by sindy
Wed May 20, 2020 11:44 am
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

Don't the new rules make most of the old rules redundant? At the very least I would need to shift them higher up in the rankings? The rules you kindly wrote are now numbers 20 to 27. The last line of my script, /ip firewall filter remove [find comment~"the-old-rules"] should have removed those old ...
by sindy
Wed May 20, 2020 12:12 am
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

To run the script I just create a new Script with all policies checked, permissions unchecked, and then just save and run script. No. Log in using SSH (PuTTY) or connect using Winbox and open a terminal in it. Then, press Ctrl-X to get to Safe Mode in the text window, and then copy-paste the script ...
by sindy
Tue May 19, 2020 8:41 pm
Forum: General
Topic: VLAN confusion
Replies: 6
Views: 1080

Re: VLAN confusion

Please follow my automatic signature below. Your description of the configuration on the 2011 sounds suspicious, the export will give a clear picture. The hEX PoE configuration may also need modification but it seems just unusual to me so far.
by sindy
Tue May 19, 2020 7:29 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

OK, so for the "local CCR" (Malford), the script below should make the firewall rules simple and efficient: devices in all LAN subnets will be able to set up connections to any servers in the internet (including the Tinos subnet accessing internet via Malford via the VPN link), devices in the primar...
by sindy
Tue May 19, 2020 6:42 pm
Forum: General
Topic: DSL Failover on wAP LTE kit [SOLVED]
Replies: 2
Views: 508

Re: DSL Failover on wAP LTE kit [SOLVED]

It is possible but it requires specific settings on the modem/router which may not be available. If the ISP connects you using PPPoE and you can place the modem into bridge mode, you can set up the PPPoE client on the wAP LTE, but you want to prevent any other than PPPoE frames from being sent to th...
by sindy
Tue May 19, 2020 6:07 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 1221

Re: Accessing external IP from LAN without hairpin NAT

@anav, you're turning the straight & plain topic into a spaghetti plate. /ip route rule is an instrument from the policy routing repertoire, where you need to use a specific set of routes for some devices, depending on the src-address or in-interface (or even more factors if you add mangle rules to t...
by sindy
Tue May 19, 2020 5:45 pm
Forum: General
Topic: SXT5ac managment VLAN
Replies: 3
Views: 655

Re: SXT5ac managment VLAN

Two things. You cannot attach an /interface vlan to a member interface of a bridge (ether1 in your case), you must attach the /interface vlan to the bridge itself instead. It works "somehow, sometimes" the way you've configured it, but it's not reliable. And second, you haven't attached any IP confi...
by sindy
Tue May 19, 2020 5:35 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 1221

Re: Accessing external IP from LAN without hairpin NAT

I have no problem opening up ports to the internet As long as it's to a DMZ. I don't want to open, let's say port 80, to a server on my LAN. That's the reason I want a DMZ to put my webserver here so it's isolated from the rest of the LAN. But I still want to be able to access www.example.com both f...
by sindy
Tue May 19, 2020 3:58 pm
Forum: General
Topic: No Ping Across IKEv2 VPN
Replies: 12
Views: 1792

Re: No Ping Across IKEv2 VPN

I believe the only relevant info you need (knowing the vpn is established) is: The issues tend to be in those parts of configuration you don't suspect to be relevant, that's why it is necessary to post a complete configuration except sensitive information (passwords, usernames, public IP addresses)...
by sindy
Tue May 19, 2020 3:36 pm
Forum: General
Topic: Accessing external IP from LAN without hairpin NAT
Replies: 12
Views: 1221

Re: Accessing external IP from LAN without hairpin NAT

You don't even need a hairpin NAT, it is enough to place the server and the client into different LAN subnets. Two WAN IPs on the same machine will cause the traffic to be routed directly, bypassing the physical uplink(s), so if your dst-nat rules refer to in-interface(-list) as they should, it woul...
by sindy
Tue May 19, 2020 3:03 pm
Forum: General
Topic: slow vpn connection two venues
Replies: 13
Views: 1283

Re: slow vpn connection two venues

Because you can't fast track and actually have to route and use encryption, for what you asked
But the configuration shows neither - fasttracking cannot speed up anything as the firewall is not there at all, and encryption is not used either.

Do I read it right that the main WAN is PPPoE?
by sindy
Tue May 19, 2020 2:48 pm
Forum: General
Topic: use static DNs in home network [SOLVED]
Replies: 10
Views: 1178

Re: use static DNs in home network [SOLVED]

/ip dhcp-server network set [find gateway~"10.0.0.1"] dns-server=10.0.0.1
by sindy
Mon May 18, 2020 10:58 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

How can I check that nothing untoward can get through? You can't check. You can only set up firewall rules which will prevent that, but bear in mind that L3 firewall rules only prevent a certain kind of malware from actively connecting to your network; other kinds of malware, which rely on downloa...
by sindy
Mon May 18, 2020 10:35 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

Likely yes, but it won't be within hours.
by sindy
Mon May 18, 2020 10:31 pm
Forum: General
Topic: How to limit upload while downloading is at its maximum?
Replies: 15
Views: 2446

Re: How to limit upload while downloading is at its maximum?

So it is better to use the Global Parent, meaning all the Interfaces and mark egress packets accordingly for Download and Upload, right ? Better... it always depends on the particular setup required. Using the same packet-mark for both directions and letting the proper queue be chosen among those m...
by sindy
Mon May 18, 2020 10:08 pm
Forum: General
Topic: IKEv2 site-2-site: Lost connection after 30 minutes
Replies: 6
Views: 888

Re: IKEv2 site-2-site: Lost connection after 30 minutes

OP says phase 2 SA lifetime is 8h. Why would it rekey after just 30 minutes at all?
I haven't read carefully enough.
by sindy
Mon May 18, 2020 10:06 pm
Forum: General
Topic: Dumb question about Bridge mode in RouterOS
Replies: 3
Views: 606

Re: Dumb question about Bridge mode in RouterOS

Hard to say without seeing an export of the configuration just before you change the IP address. What makes me cautious is that you say that you set the address manually and at the same time you say that it acquires an IP address using DHCP.
by sindy
Mon May 18, 2020 8:51 pm
Forum: General
Topic: IKEv2 site-2-site: Lost connection after 30 minutes
Replies: 6
Views: 888

Re: IKEv2 site-2-site: Lost connection after 30 minutes

30 minutes sounds like failed rekeying. If you have pfs-group other than none in the /ip ipsec proposal row used, is the value the same at both ends, and is it the same as dh-group in the /ip ipsec profile row?
by sindy
Mon May 18, 2020 8:12 pm
Forum: General
Topic: slow vpn connection two venues
Replies: 13
Views: 1283

Re: slow vpn connection two venues

Post the config of the 2011, some configuration optimizations may help a bit, but I am afraid it is simply too weak to handle a symmetric 600 Mbit/s link. See the hint on anonymisation in my automatic signature below.
by sindy
Mon May 18, 2020 6:43 pm
Forum: General
Topic: use static DNs in home network [SOLVED]
Replies: 10
Views: 1178

Re: use static DNs in home network [SOLVED]

but isn't the computer and all other dhcp clients from the router first look at the dns static on the router? It depends on what IP address is set in dns-server item in the /ip dhcp-server network row. To let the clients use the Mikrotik as their DNS server, one of Mikrotik's own addresses must be...
by sindy
Mon May 18, 2020 3:38 pm
Forum: General
Topic: use static DNs in home network [SOLVED]
Replies: 10
Views: 1178

Re: use static DNs in home network [SOLVED]

Does the PC have the Mikrotik's IP address configured as the only DNS server, through static configuration or DHCP? If multiple DNS servers are configured, the PC only asks one of them; it only switches to the next address in the list if it gets no response at all, and if it switches, it sticks with...
by sindy
Mon May 18, 2020 3:18 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2671

Re: Need help with firewall rules to prevent VLAN access to LAN

Using a managed switch I'm able to access all the VLANs. How am I supposed to access the IP on the ether5 MGMT port on the router? There is no IP address attached to the ether5-MGMT port as such, and in @anav's configuration suggestion, ether5's pvid is 1 like the bridge's own one, so calling the ether...
by sindy
Mon May 18, 2020 2:33 pm
Forum: General
Topic: How to limit upload while downloading is at its maximum?
Replies: 15
Views: 2446

Re: How to limit upload while downloading is at its maximum?

We did not choose an interface but global - that's not an interface Yes I know, I am asking in general, how do we make the choice of an interface to be the upload or download one... Well, "download" and "upload" are not roles of interfaces but directions of traffic flow through the uplink as seen fro...
by sindy
Mon May 18, 2020 10:28 am
Forum: General
Topic: mangle problem [SOLVED]
Replies: 2
Views: 463

Re: mangle problem [SOLVED]

by sindy
Mon May 18, 2020 10:23 am
Forum: General
Topic: slow vpn connection two venues
Replies: 13
Views: 1283

Re: slow vpn connection two venues

What are the upload and download speeds of internet uplinks at sites A and B? If you connect from site A to internet via site B, each packet goes through site B's uplink twice. What is the ping response delay when you ping from site A to site B's public IP (no tunnel)? Long round-trip delays affect ...
by sindy
Mon May 18, 2020 10:06 am
Forum: General
Topic: Port Priority
Replies: 13
Views: 1808

Re: Port Priority

Well, to me it seemed most likely that it is actually the number of remote clients subscribed to the live "broadcast" that exhausts the uplink bandwidth during the service. If the guests run their own live broadcasts (or take videos and store them into cloud online, that's the same bandwidth-wise), ...
by sindy
Sun May 17, 2020 10:48 pm
Forum: General
Topic: Port Priority
Replies: 13
Views: 1808

Re: Port Priority

To answer your question: if, under /interface bridge settings , you set use-ip-firewall=yes , you can refer to in-bridge-port in the firewall rules used to mark packets for queueing. Or, if the traffic between LAN and WAN is routed, you may remove port 5 from the bridge, create a dedicated subnet for...
by sindy
Sun May 17, 2020 9:14 pm
Forum: General
Topic: L2TP/IPSec site-to-portablesite BCP and RW clients? [SOLVED]
Replies: 2
Views: 576

Re: L2TP/IPSec site-to-portablesite BCP and RW clients? [SOLVED]

You can define multiple /ppp profile rows, and each /ppp secret row may refer to a different /ppp profile row. The profile to which the configuration of the L2TP server refers is always overridden by the one from /ppp secret.
by sindy
Sun May 17, 2020 8:56 pm
Forum: General
Topic: How to limit upload while downloading is at its maximum?
Replies: 15
Views: 2446

Re: How to limit upload while downloading is at its maximum?

This is what I mean, if the Download child uses the whole 50Mbits, what will then happen with the Upload? Since the Parent is limited to 50Mbit.. The Upload child will get the guaranteed limit which is 1 Mbit but nothing more since the parent is on its limit... But that would not happen if the paren...
by sindy
Sun May 17, 2020 8:11 pm
Forum: General
Topic: Mangle Rule for change DSCP out interface
Replies: 21
Views: 2418

Re: Mangle Rule for change DSCP out interface

For most action values of firewall rules, the travel of the packet through a rule chain ends at the first matching rule in that chain. For some specific cases, this is not desired, hence it can be prevented by setting passthrough to yes . But for the last (or single) rule in the chain, the value of ...
by sindy
Sun May 17, 2020 7:30 pm
Forum: General
Topic: Mangle Rule for change DSCP out interface
Replies: 21
Views: 2418

Re: Mangle Rule for change DSCP out interface

/ip firewall mangle set [find action~"change-dscp" chain~"postrouting" new-dscp~"8" out-interface~"vlan20"] dscp=0
by sindy
Sun May 17, 2020 4:10 pm
Forum: General
Topic: Mangle Rule for change DSCP out interface
Replies: 21
Views: 2418

Re: Mangle Rule for change DSCP out interface

As the packet flow diagram shows, the postrouting chain follows after the output one. So if you want to prevent the rule in postrouting from rewriting any already assigned DSCP value (assuming that value 0 means that it has not been assigned yet), you have to add dscp=0 to it as a match condition to...
by sindy
Sun May 17, 2020 3:55 pm
Forum: General
Topic: queues with ECMP routes
Replies: 4
Views: 587

Re: queues with ECMP routes

First, sorry for mentioning additional routes and routing-mark at all, you obviously actually don't need them as you want to mark the connections only to assign packet-mark to let the correct queue handle the packet, and ECMP itself works thanks to a routing cache, so sends packets to the same desti...
by sindy
Sun May 17, 2020 3:27 pm
Forum: General
Topic: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH
Replies: 13
Views: 2376

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

You have no rules in /interface bridge filter or /ip firewall raw , so the ESP packets really do not arrive to your WAN (I suppose you tried to ping before posting the screenshot). To check that the Fortigate eventually does send the ESP packets but they do not arrive to Mikrotik, you may set the lo...
by sindy
Sun May 17, 2020 1:57 pm
Forum: General
Topic: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH
Replies: 13
Views: 2376

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

Try to add a chain=input action=accept protocol=ipsec-esp rule to /ip firewall filter , as the very first one in chain=input - it is not the right final place for it but it is to check what the issue may be. Since both devices have public IP addresses, they use ESP as transport protocol. The transpo...
by sindy
Sun May 17, 2020 1:17 pm
Forum: General
Topic: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH
Replies: 13
Views: 2376

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

What do the installed SA show under IP->IPsec?

There should be two per each remote subnet. If both count packets and bytes while you ping, the issue is at the Mikrotik end; if only the one from Mikrotik to Fortigate counts, it is an issue with IPsec itself or the firewall at the Fortigate end.
by sindy
Sun May 17, 2020 12:10 pm
Forum: General
Topic: Drop / Block Specific URL [SOLVED]
Replies: 1
Views: 331

Re: Drop / Block Specific URL [SOLVED]

With https, this is not possible, because only the domain part of the url (example.com) is transported in plaintext, the rest of the url is encrypted.
by sindy
Sun May 17, 2020 12:07 pm
Forum: General
Topic: queues with ECMP routes
Replies: 4
Views: 587

Re: queues with ECMP routes

You can use connection marking during handling of the first response packet. The ECMP chooses "randomly" one of the gateways for the initial packet of a LAN->WAN connection, and once the first response arrives, you assign a connection-mark to it, which you will be translating to routing-mark for sub...
by sindy
Sun May 17, 2020 11:41 am
Forum: General
Topic: How to get logs older than same day midnight? [SOLVED]
Replies: 4
Views: 557

Re: How to get logs older than same day midnight? [SOLVED]

There is nothing easy you've missed. The post referred to by @msatter gives an idea how to calculate "yesterday" from "now" so that you could generate a match pattern for searching the log for lines whose timestamp contains the date.
by sindy
Sun May 17, 2020 11:38 am
Forum: General
Topic: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH
Replies: 13
Views: 2376

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

If you use ipsec and need to access local resources, then set the Proxy-arp option for the Bridge interface.
This is only relevant when you assign to your VPN clients addresses which fit into your LAN subnets. That's not the case here.
by sindy
Sun May 17, 2020 11:25 am
Forum: General
Topic: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH
Replies: 13
Views: 2376

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

The Tunnel is established, but can't ping. Unlike routes, the rules in firewall (and multiple other configuration branches) are matched in sequential order, not by best match. Hence you have to move the two action=accept rules in chain=srcnat of /ip firewall nat before (above) the action=masquerade...
by sindy
Sun May 17, 2020 10:06 am
Forum: General
Topic: OpenVPN with VLANs
Replies: 24
Views: 3491

Re: OpenVPN with VLANs

Is the OpenVPN client another Mikrotik or a Windows/Linux machine? You may have missed the point of what @tdw wrote - it is not enough to add the routes towards your Mikrotik LAN subnets to the routing table of the client machine's kernel, you also have to add them to the openvpn configuration file....
by sindy
Sun May 17, 2020 9:59 am
Forum: General
Topic: Multiple WAN IP, assign a lan device and l2tp clients to specific wan IP [SOLVED]
Replies: 2
Views: 395

Re: Multiple WAN IP, assign a lan device and l2tp clients to specific wan IP [SOLVED]

To ETH1-WAN1 gateway distance = 0, ETH3-WAN2 is 1 This is actually wrong; it should be 1 and 2, respectively, because distance 0 is reserved for connected routes (where no gateway IP address is necessary). So far RouterOS allows this wrong way, so I didn't comment on that before. Also bear in mind t...
by sindy
Sun May 17, 2020 8:53 am
Forum: General
Topic: PPTP Can't access LAN devices, only MT through WinBox
Replies: 3
Views: 573

Re: PPTP Can't access LAN devices, only MT through WinBox

Will clicking apply on quickset not change all my current settings/script e.g ISP dial and PPPoE server? Sure it will; don't touch quickset if you have already done some settings some other way. Switching from PPTP to L2TP encrypted using IPsec can be done without using quickset, and it is easy, but...
by sindy
Sat May 16, 2020 11:07 pm
Forum: General
Topic: Solution needed: router PoE + WIreless
Replies: 6
Views: 1131

Re: Solution needed: router PoE + WIreless

All Mikrotik devices send out on PoE outputs the same voltage they get on their input. So with a 48 V power supply on a hEX PoE all outputs will give out the 48 V the doorbells require (the cAP lite doesn't care much as it accepts from 10 to 60 V), but you have to obtain the 48 V power supply separately...
by sindy
Sat May 16, 2020 7:32 pm
Forum: General
Topic: IPSEC Fails beyond LAN interface
Replies: 6
Views: 938

Re: IPSEC Fails beyond LAN interface

Run /tool sniffer quick ip-protocol=icmp at both Mikrotiks while pinging in the failing direction. You should see whether the ping request makes it to the LAN interface at the responding side through the tunnel, whether the server really responds, and whether the response makes it to the requesting ...
by sindy
Sat May 16, 2020 4:16 pm
Forum: General
Topic: IPSec issues
Replies: 5
Views: 855

Re: IPSec issues

/ip ipsec policy add dst-address=192.168.178.0/24 ... peer=NSG50 ... src-address=172.20.0.0/16 ... So the remote network (on the ZyXEL end) is 192.168.178.0/24. Among the first rules in both input and forward chains, there are the following ones: action=drop chain=forward comment="Anti-Spoofing FOR...
by sindy
Sat May 16, 2020 3:41 pm
Forum: General
Topic: How to limit upload while downloading is at its maximum?
Replies: 15
Views: 2446

Re: How to limit upload while downloading is at its maximum?

Not sure if in this case forward or prerouting makes any difference though. It doesn't - rules in chain prerouting handle both the traffic from an external host to router's own addresses and the traffic to be forwarded by the router from one external host to another, chains input and forward deal s...
by sindy
Sat May 16, 2020 3:34 pm
Forum: General
Topic: How to limit upload while downloading is at its maximum?
Replies: 15
Views: 2446

Re: How to limit upload while downloading is at its maximum?

@sindy shouldn't the max limit of the Parent be the sum of the Child's max limit? If the Upload is 50Mbit and the Download 50Mbit as well then the Max limit of the Parent must be the sum of it... No. The names are a bit confusing. limit is actually the "guaranteed rate" which is granted to the queu...
by sindy
Sat May 16, 2020 1:47 pm
Forum: General
Topic: How to limit upload while downloading is at its maximum?
Replies: 15
Views: 2446

Re: How to limit upload while downloading is at its maximum?

[Does it mean if I create two parents (both with "global" parent) named "Download" and "Upload", and then the children to them like important_download and non_important_download / important_upload and non_important_upload that I can't prioritize important_download over non_important_uploa...
by sindy
Sat May 16, 2020 12:04 pm
Forum: General
Topic: 2 WAN load balancing with recursive routes problem
Replies: 3
Views: 505

Re: 2 WAN load balancing with recursive routes problem

Your mangle rules are extremely detailed and complex, some of them are redundant, and there are even mistakes compensated by other mistakes. If you want to use WAN redundancy together with load distribution, I'd recommend to assign the connection marks only when processing packets coming in via WAN ...
by sindy
Sat May 16, 2020 10:41 am
Forum: General
Topic: IPSec issues
Replies: 5
Views: 855

Re: IPSec issues

The action=notrack rule in chain=prerouting of ip firewall raw excludes the matching packets from being processed by the connection tracking module, which means that they are never assigned any of the connection-state labels (new, established, related, invalid); instead, their connection-state ...
by sindy
Sat May 16, 2020 10:07 am
Forum: General
Topic: IPSEC Fails beyond LAN interface
Replies: 6
Views: 938

Re: IPSEC Fails beyond LAN interface

When posting, please do post complete configurations. It took me some time to find out that ether1 and ether5 are WAN interfaces at Mission and Sutter, respectively, especially as you've named the firewall chains hooked to them "customer". But my blind shot was correct. First a bit of theory - when ...
by sindy
Sat May 16, 2020 12:49 am
Forum: General
Topic: Duplicate IP addresses from dhcp server
Replies: 3
Views: 727

Re: Duplicate IP addresses from dhcp server

As you've found yourself - contrary to popular belief, the DHCP server doesn't care about the source MAC address of the DHCPDISCOVER/DHCPREQUEST coming from the client, but about the Client-ID field in the DHCP part of the packet. This field is typically created from the client's MAC address, but...
by sindy
Fri May 15, 2020 11:47 pm
Forum: General
Topic: How to limit upload while downloading is at its maximum?
Replies: 15
Views: 2446

Re: How to limit upload while downloading is at its maximum?

I would say your only chance is to use global as a parent like you do, create a child queue of global with both limit and max-limit set to the sum of upload and download speed provided by your ISP, and two child queues inside that one, one for upload and one for download, where the download one has ...
by sindy
Fri May 15, 2020 10:33 pm
Forum: General
Topic: How to config 2 dhcp clients WAN to 2 LAN
Replies: 2
Views: 548

Re: How to config 2 dhcp clients WAN to 2 LAN

If you really want the two (WAN+LAN) groups to be totally separate, the simplest way is to use VRF (Virtual Routing and Forwarding) to use separate routing spaces. /ip route vrf add interfaces=ether2,ether4 routing-mark=vrf-e2-e4 This way, even though the two gateways assigned via DHCP will have the...
by sindy
Fri May 15, 2020 10:02 pm
Forum: General
Topic: Cannot ping router
Replies: 1
Views: 411

Re: Cannot ping router

It looks like a firewall issue in input or output chain. Maybe the devices which can access the Mikrotik get IP addresses from a range which is allowed to access the Mikrotik itself by a firewall rule, whereas the others get addresses from a range which is not?
by sindy
Fri May 15, 2020 10:00 pm
Forum: General
Topic: Need help with firewall rules to prevent VLAN access to LAN
Replies: 21
Views: 2671

Re: Need help with firewall rules to prevent VLAN access to LAN

If those rules are your only ones, no host in LAN will be able to set up a connection anywhere else than to the Mikrotik itself, because the first rule in forward chain permits packets belonging to already established connections, but there is no rule which would permit packets capable of initiating ...
by sindy
Fri May 15, 2020 3:57 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

So if I get you right, the sole purpose of the two CCRs is to interconnect the two sites using a VPN, and no firewall functionality between internet and the LANs is required (if really not but devices in the LANs should have internet access, how else is protection of these networks provided, do you ...
by sindy
Fri May 15, 2020 2:26 pm
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

Is it normal to have this many firewall rules? It is normal to have as many rules as you really need. In absolute figures it may mean five or five thousand depending on the role of your router in the network. As it looked yesterday, the router could be managed from any device in one of its LAN subn...
by sindy
Fri May 15, 2020 12:23 pm
Forum: General
Topic: IPSEC Fails beyond LAN interface
Replies: 6
Views: 938

Re: IPSEC Fails beyond LAN interface

Firewall rules, nat rules, maybe ipsec policies... Hard to say. Logging rules in mangle postrouting will help you find out at which end the packets get dropped. My fast shot is that in the forward chain of filter, you drop everything that comes in via WAN without an exception for what came in via WA...
by sindy
Fri May 15, 2020 11:55 am
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

So I can happily deal with those 4 rules at the highest order, the 4 that stop traffic between segregated LANs. No. The accept established or related rule should be the very first one in the chain (except very specific cases), because it won't allow any packet not belonging to a connection (flow) w...
by sindy
Fri May 15, 2020 11:32 am
Forum: General
Topic: After mark routing enabled, VPN user can't see LAN pc's
Replies: 3
Views: 518

Re: After mark routing enabled, VPN user can't see LAN pc's

just a question, why not 192.168.0.0/22 but must be /16??
It was just an example in the absence of information about your overall network topology. If all your subnets which are not reachable via the WANs fit into 192.168.0.0/22, that one is of course sufficient.
by sindy
Fri May 15, 2020 9:25 am
Forum: General
Topic: Unable to update CCR
Replies: 52
Views: 5117

Re: Unable to update CCR

you should insert these 3 rules at the right locations in their respective chains, i.e. after the specific drops, but before the final drop in each of the 3 chains, if present: add action=accept chain=input connection-state=established,related add action=accept chain=output connection-state=establis...