Community discussions

Search found 3547 matches

by sindy
Wed Jul 24, 2019 10:19 am
Forum: General
Topic: IPsec phase 2
Replies: 3
Views: 163

Re: IPsec phase 2

You seem to be another victim of my not enough sleep yesterday, I wonder who else is :( Probably due to that I have noticed the existence of NAT at your end (as it pops up at maybe 10 places in the OP) but not the other related misconfiguration of the policy - the sa-src-address must be locally mean...
by sindy
Tue Jul 23, 2019 11:44 pm
Forum: General
Topic: [ASK] FastTrack for SpeedTest
Replies: 6
Views: 285

Re: [ASK] FastTrack for SpeedTest

speedtest.net uses normal http port on many different servers so nothing to match on (port is not unique and neither DNS name nor IP address are predictable).

So this kind of cheating won't work.
by sindy
Tue Jul 23, 2019 11:22 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 31
Views: 1640

Re: help to set ipv6 / 48

Because according to RFC, a manually assigned link-local address can be used, but only in rare cases where automatic generation is not practical. Then it's clear (bold = important, italic = not important). In rare case when I decide that I need to remember my router's link-local address, I need i...
by sindy
Tue Jul 23, 2019 11:11 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 31
Views: 1640

Re: help to set ipv6 / 48

the only data the ISP gave me are: WAN: IP: FE80 :: 2A02: 2F0F: 1C2 GW: fe80 :: 1 LAN: 2A02: 2F0F: 1C2 :: 1/48 So the substitution was systematic (2A02:2F0F:1C2 ->1234:5678:123 everywhere) and they really do ask you to manually set the link-local address of your WAN so that its lowest 48 bits match...
by sindy
Tue Jul 23, 2019 10:53 pm
Forum: General
Topic: IPTV Lan Help.
Replies: 10
Views: 557

Re: IPTV Lan Help.

If you don't use internet and just watch TV, there should be almost no CPU load at all as the IPTV traffic bypasses the CPU completely: as vlan-mode at ether1 and ether5 is secure and switch1-cpu is not on the port list for vlan 20 in the switch chip, the IPTV frames tagged with VID 20 cannot get to...
by sindy
Tue Jul 23, 2019 10:44 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 31
Views: 1640

Re: help to set ipv6 / 48

In your first OP, you wrote: these are the data: ip wan fe80:: 1234:5678:123 GW: fe80::1 lan: 1234:5678:123 ::1/48 Did they really ask you that the first 48 bits of your /48 were used as the last 48 bits of your WAN IP's link-local address? Or you've chosen the 1234:5678:123 randomly as placeholders...
by sindy
Tue Jul 23, 2019 10:38 pm
Forum: General
Topic: Multiple SXT provider / separate DHCP servers
Replies: 13
Views: 1028

Re: Multiple SXT provider / separate DHCP servers

Da, video sam, but found it too complex to analyse in the time frame available at that time, and then I forgot about it. You are one of few people in the world who directly assign a gateway IP address rather than routing-mark using a mangle rule :) This part indicates you haven't understood the VLAN...
by sindy
Tue Jul 23, 2019 9:05 pm
Forum: General
Topic: help to set ipv6 / 48
Replies: 31
Views: 1640

Re: help to set ipv6 / 48

I'm confused. I had a feeling that the ISP asked you to set a particular IPv6 address on your side to be able to route your incoming traffic to you. If it is actually enough for their gear that you advertise your interface as a router to your network by means of Neighbor Discovery's Router Advertis...
by sindy
Tue Jul 23, 2019 7:20 pm
Forum: General
Topic: SSH forwarding after upgrade to 6.44 or higher
Replies: 2
Views: 146

Re: SSH forwarding after upgrade to 6.44 or higher

[me@MyTik] > ip ssh set forwarding-enabled=
both  local  no  remote
The old value yes translates into remote during configuration conversion during upgrade, which means Mikrotik doesn't fulfil client's requests to access ports through itself.
by sindy
Tue Jul 23, 2019 7:11 pm
Forum: General
Topic: How to allow an URL for a specific port
Replies: 4
Views: 209

Re: How to allow an URL for a specific port

When you open an url using a browser, the browser resolves the fqdn part of the url to an IP address, then initiates a TCP session to that address and port 80 (plaintext http) or 443 (tls-encrypted http - https). Before the TCP connection is established, the url doesn't appear in contents of any of ...
by sindy
Tue Jul 23, 2019 6:44 pm
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

Assuming that you want the L2TP/IPsec to run on the NAS, the issue may be that the native VPN client of Microsoft Windows in default settings doesn't accept NAT at server side. And if you are trying from a recent upgrade of Win10, the L2TP/IPsec may not work at all. The issue with the default setting...
by sindy
Tue Jul 23, 2019 5:44 pm
Forum: General
Topic: connect to pptp VPN from pppoe ISP
Replies: 14
Views: 537

Re: connect to pptp VPN from pppoe ISP

This problem is very wired, because all other Mikrotiks that are not connected to ISP via PPPoE are working very well. This is the only one that does not works and it is the only one that is connected to ISP via PPPoE. I don't believe it is related, as if a route's gateway is just the interface, no...
by sindy
Tue Jul 23, 2019 5:36 pm
Forum: General
Topic: IPsec phase 2
Replies: 3
Views: 163

Re: IPsec phase 2

Your only /ip ipsec profile used by your only /ip ipsec peer says nat-traversal=no whereas the sa-src-address of the /ip ipsec policy is a private one, that's one point. Another point for later on is the src-port=500 in the policy - do you have any particular reason to only use the policy to transpo...
by sindy
Tue Jul 23, 2019 5:07 pm
Forum: General
Topic: connect to pptp VPN from pppoe ISP
Replies: 14
Views: 537

Re: connect to pptp VPN from pppoe ISP

What bothers me is the bgp-origin=igp attribute of your route to 192.168.1.0/24 via pptp-out1. On my 6.43.4 machine, the same type of route doesn't show such attribute. 10 A S dst-address=192.168.229.0/28 gateway=pptp-out1 gateway-status=pptp-out1 reachable distance=1 scope=30 target-scope=10 Worse...
by sindy
Tue Jul 23, 2019 1:36 pm
Forum: General
Topic: connect to pptp VPN from pppoe ISP
Replies: 14
Views: 537

Re: connect to pptp VPN from pppoe ISP

which is not default route, because I added it manually and made comment for it ;;; vpn added by Stoyko Stoykov. is this that you mean to remove?). I have tried to change it to pppoe-out1, but it does not works. I should not analyze others' configurations after four hours of sleep :( I've missed th...
by sindy
Tue Jul 23, 2019 12:02 pm
Forum: General
Topic: separate internet access on one mikrotik; isp1 <-> lan1, isp2<-> lan2
Replies: 4
Views: 212

Re: separate internet access on one mikrotik; isp1 <-> lan1, isp2<-> lan2

If you need src-nat (or masquerade if the WAN address is dynamically changing), it is enough that the rules in chain=srcnat of /ip firewall nat match on out-interface. Unless you specify a routing-mark condition in them, they will act on a packet with any routing-mark. So it's not the same like ro...
by sindy
Tue Jul 23, 2019 11:51 am
Forum: General
Topic: IPTV Lan Help.
Replies: 10
Views: 557

Re: IPTV Lan Help.

look like it will use less CPU is there any way to be sure? Running /tool profile while watching TV should show you the difference in CPU load between the solutions. on @sindy solution /interface ethernet port set ether1,ether2,ether3,ether4,ether5,switch1-cpu vlan-mode=secure crashed my router boa...
by sindy
Tue Jul 23, 2019 10:58 am
Forum: General
Topic: connect to pptp VPN from pppoe ISP
Replies: 14
Views: 537

Re: connect to pptp VPN from pppoe ISP

I think it's all just a matter of routes. The default route added by /interface pppoe-client has distance=0 (which is incorrect as such and newer ROS releases wouldn't accept that, but that's not the main point here), so it beats the other, manually added, default route via pptp-out1 which has dista...
by sindy
Tue Jul 23, 2019 9:37 am
Forum: General
Topic: separate internet access on one mikrotik; isp1 <-> lan1, isp2<-> lan2
Replies: 4
Views: 212

Re: separate internet access on one mikrotik; isp1 <-> lan1, isp2<-> lan2

Rather than mangling I'd use VRF in this case. With VRF, the routing-mark is assigned based on the in-interface of the packet, without any /ip firewall mangle or /ip route rule rules, and there is also no fallback to routing table main if no route with that routing-mark is found. /ip route vrf add r...
by sindy
Tue Jul 23, 2019 9:17 am
Forum: General
Topic: connect to pptp VPN from pppoe ISP
Replies: 14
Views: 537

Re: connect to pptp VPN from pppoe ISP

which part, doubt that I have to /export and post everything That's the problem - since we don't know in which part of the configuration the mistake is, it is impossible to say which part to post. So you actually do have to post the full export, that's why my automatic signature contains a suggesti...
by sindy
Tue Jul 23, 2019 8:46 am
Forum: General
Topic: connect to pptp VPN from pppoe ISP
Replies: 14
Views: 537

Re: connect to pptp VPN from pppoe ISP

This is the maximum help anyone can provide given the information you have provided so far - to tell you what you have to do to get some real help, i.e to post your configuration. In most cases things don't work because there is a mistake in configuration, so this is always the first thing to check....
by sindy
Tue Jul 23, 2019 12:36 am
Forum: General
Topic: Possible to do ipsec + DHCP WAN + certificate ??
Replies: 4
Views: 216

Re: Possible to do ipsec + DHCP WAN + certificate ??

Hub: /ip ipsec mode-config add address=10.219.0.1 address-prefix-length=32 name=client-1 split-include=10.11.219.1/32 add address=10.219.0.2 address-prefix-length=32 name=client-2 split-include=10.11.219.1/32 /ip ipsec policy group add name=special /ip ipsec profile add dh-group=ec2n185 enc-algorith...
by sindy
Mon Jul 22, 2019 9:40 pm
Forum: General
Topic: Forward DNS/web site to a local IP
Replies: 6
Views: 516

Re: Forward DNS/web site to a local IP

There is a thing called DNS SRV record where a port is a part of the reply, but the question is whether your DDNS provider supports SRV records. Worse than that, browsers didn't when I've checked last time some years ago.
by sindy
Mon Jul 22, 2019 9:35 pm
Forum: General
Topic: NEED help with FORUM
Replies: 6
Views: 421

Re: NEED help with FORUM

Send this to support@mikrotik.com with a link to this topic. It is not guaranteed that Mikrotik support staff reads every single topic here multiple times.
by sindy
Mon Jul 22, 2019 9:33 pm
Forum: General
Topic: Possible to do ipsec + DHCP WAN + certificate ??
Replies: 4
Views: 216

Re: Possible to do ipsec + DHCP WAN + certificate ??

The title says IPsec, the body says OpenVPN. Which one do you actually want? I know for sure that IKEv2 with certificate authentication does work because I use it; I know that OpenVPN should work the same way but I don't use OpenVPN on Mikrotik due to the limits of Mikrotik's implementation.
by sindy
Mon Jul 22, 2019 1:53 pm
Forum: General
Topic: connect to pptp VPN from pppoe ISP
Replies: 14
Views: 537

Re: connect to pptp VPN from pppoe ISP

Can you help me please.
Of course we can. We need just one small thing, see my automatic signature below.
by sindy
Mon Jul 22, 2019 12:40 pm
Forum: General
Topic: IPTV Lan Help.
Replies: 10
Views: 557

Re: IPTV Lan Help.

A drawing will be even better than words. But let me suppose - you need LANs 10 and 20 to be both tagged on the uplink ethernet port to the ISP, one ethernet port to work as an access one to VLAN 20 to connect the STB, the PPPoE client acting as your WAN to access VLAN 10. Is that correct? If yes, i...
by sindy
Sun Jul 21, 2019 9:21 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 104
Views: 12983

Re: v6.45.2 [stable] is released!

Our OpenVPN setup worked perfectly fine BEFORE upgrading to 6.45.1/6.45.2. Any ideas?
Create a dedicated topic and post there configuration of the affected machine following the anonymisation hint in my automatic signature below.
by sindy
Sun Jul 21, 2019 6:13 pm
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

Everyone can cheat these days with translator, but from other threads I get the impression that it's not your case.
I did cheat where Spanish was involved. I'm afraid that to choose the right translation of "site" cheating doesn't help, you need to know the language from regular professional use.
by sindy
Sun Jul 21, 2019 6:01 pm
Forum: General
Topic: IKE-IPSEC - request not routed through the IPSEC
Replies: 5
Views: 459

Re: IKE-IPSEC - request not routed through the IPSEC

It's not really easy or elegant. See Sob's posts in this thread.
by sindy
Sun Jul 21, 2019 5:56 pm
Forum: General
Topic: vpn questions
Replies: 1
Views: 177

Re: vpn questions

Is it a good way to do it? Another tutorial I've read said to make l2tp-in1 part of the local bridge, and enabling proxy arp... This way instead I do not need to make l2tp in the bridge and I don't need proxy arp, it works anyway. I can browse the local lan and connect to the web from there, seems ...
by sindy
Sun Jul 21, 2019 4:21 pm
Forum: Announcements
Topic: v6.45.2 [stable] is released!
Replies: 104
Views: 12983

Re: v6.45.2 [stable] is released!

I don't see where to download a zip file, only an npk file. I don't use Windows so I don't use winbox, which is how I assume you can upgrade individual packages? I don't see a way to do it on the command line. At https://mikrotik.com/download, download "extra packages", which is the .zip with all, ...
by sindy
Sun Jul 21, 2019 2:36 pm
Forum: General
Topic: Please help me understand how VLAN assignment works [SOLVED]
Replies: 3
Views: 288

Re: Please help me understand how VLAN assignment works [SOLVED]

What you actually do is that you tag the wireless frame as it comes in from the air, then untag it again because the tagged end of each /interface vlan is connected to one of the two /interface wireless, and you deliver it to the bridge-guest tagless because the tagless end of /interface vlan is a me...
by sindy
Sun Jul 21, 2019 1:42 pm
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

Double-click that dst-nat rule in the table view and correct the to-addresses value there.
by sindy
Sun Jul 21, 2019 1:35 pm
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

The GUI is a very misleading tool when it comes to firewall rules, as the table view only shows about 1/10 of all the parameters. The command line export shows that you do redirect port 1194 to a particular address: add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=udp to...
by sindy
Sun Jul 21, 2019 1:18 pm
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

Looks like the LAN device using address 192.168.0.108 is downloading some torrents. As for the single header line in response to /ip arp print, it is not a bug this time, it simply means that the ARP record is not there. Grrrr... you redirect the web and FTP to 192.168.0.108, but you redirect the ...
by sindy
Sun Jul 21, 2019 12:30 pm
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

The strange thing is that ftp port forwarding works. Also I have successfully forwarded port to connect to the nas web interface. That's really strange. So what does /ip arp print where address~"192.168.0.8" say? So I'm afraid it will require a site visit to move forward. Which site? Do you mean NAS...
by sindy
Sun Jul 21, 2019 11:53 am
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

From remote you cannot connect to a private IP, that's right, and you also cannot connect to the public one as only Winbox connection is permitted on the WAN side (which is not a good idea any more, as nowadays it sometimes looks as if the bad guys knew the Winbox interface of RouterOS better than i...
by sindy
Sun Jul 21, 2019 11:27 am
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

The IP address 192.168.0.1/24 is attached to ether3 Where can I see it? On the setting card of the address where you've changed it from ether3 to bridge1. In the configuration export, it was in /ip address add address=192.168.0.1/24 comment=defconf interface=ether3 network=192.168.0.0 By the way, ...
by sindy
Sun Jul 21, 2019 10:46 am
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

Your hEX configuration is simple: ether1 is WAN, don't touch it. ether2 through to ether5 are member ports of the same bridge. All ports of a bridge share the same IP configuration which must be attached to the bridge. In your case, the dhcp server is attached to the bridge (correct) but the IP addr...
by sindy
Sun Jul 21, 2019 9:48 am
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

No, 192.168.0.8 is associated to ether3, so /tool sniffer quick interface=ether3 ip-address=192.168.0.8. When the packet passes through ether1, it still has the public IP as destination, not the private one. And don't forget to make the command line window as wide as your screen allows before iss...
by sindy
Sun Jul 21, 2019 9:09 am
Forum: General
Topic: cant ping the second subnet on vpn site to site
Replies: 1
Views: 152

Re: cant ping the second subnet on vpn site to site

Follow the hint in my automatic signature below (for both devices). So many things may have gone wrong that the guess list would be as long as the manual. You haven't stated even which VPN type you use.
by sindy
Sat Jul 20, 2019 11:17 pm
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 76
Views: 11859

Re: v6.44.5 [long-term] is released!

So the router tells you that it cannot install an enabled package (security) because it requires another package (dhcp) to work. It's not a nonsense - since 6.44, IKEv2 (from the security package) responder responds to DHCPINFORM messages from Windows clients which explains the dependency. So enable...
by sindy
Sat Jul 20, 2019 10:56 pm
Forum: General
Topic: Need to set up access to NAS openvpn
Replies: 40
Views: 2078

Re: Need to set up access to NAS openvpn

I'd still run /tool sniffer quick interface=the-expected-out-interface ip-address=ip.of.the.nas to make sure that the packets do leave towards the proper MAC address via the proper interface before finally concluding that the NAS ignores them.
by sindy
Sat Jul 20, 2019 10:40 pm
Forum: General
Topic: RSTP, when on lose ability to connect by IP to non root switch
Replies: 5
Views: 416

Re: RSTP, when on lose ability to connect by IP to non root switch

Sounds like a forgotten L2 (bridge or switch) filter rule, or port 2 missing in /interface bridge vlan rule for the native VLAN (as you say the IP is attached to the bridge interface itself), or ingress filtering set to yes with forbidden tagless frames on port 2 (you mention mac-telnet, not mac-win...
by sindy
Sat Jul 20, 2019 5:13 pm
Forum: General
Topic: Firewall killing NAT rule
Replies: 3
Views: 330

Re: Firewall killing NAT rule

If indeed the filter forward rule is applied after NAT,
@anav, have you ever bothered to look at the diagrams I've linked above?
by sindy
Sat Jul 20, 2019 9:08 am
Forum: Beginner Basics
Topic: Using RouterOS to VLAN your network
Replies: 80
Views: 15080

Re: Using RouterOS to VLAN your network

Can me anybody explain where my thinking fault is?
Create a new dedicated topic and post the complete config there. The few lines you've posted look fine as such so there is likely a firewall issue.
by sindy
Sat Jul 20, 2019 8:34 am
Forum: Announcements
Topic: v6.44.5 [long-term] is released!
Replies: 76
Views: 11859

Re: v6.44.5 [long-term] is released!

I can't update 6.43.16 to 6.44.5. Don't know why.
Does the beginning of /log print show anything after reboot with the new package downloaded? Typical reasons are .npk for a wrong architecture or a mythical malware preventing upgrade to protect itself.
by sindy
Fri Jul 19, 2019 11:15 pm
Forum: General
Topic: IKE-IPSEC - request not routed through the IPSEC
Replies: 5
Views: 459

Re: IKE-IPSEC - request not routed through the IPSEC

You have to insert an action=accept rule for the src and dst subnets into the srcnat chain of nat, yes. Regarding using the same router for L2TP/IPsec, you can with some limitations. When an initial packet from an ipsec initiator arrives to a Mikrotik listening as a responder, three fields are used ...
by sindy
Fri Jul 19, 2019 10:43 pm
Forum: General
Topic: Client can't connect VPN
Replies: 1
Views: 224

Re: Client can't connect VPN

Fix the image and provide configurations of both routers (see my automatic signature below). Without that, there is zero chance anyone could help you.