MikroTik

sindy

I am not very sure but i have noticed mikrotik will respond anyway if the other peer will try to reestablish the connection so the setting should be set on the remote peer to as Passive only maybe Correct, you can prevent the peer from actively initiating a connection by setting passive=yes , but t...

sindy

You can use multiple uplinks, but the strategies of their use you can choose from depend on their properties. Bonding can only be used to group together L2-transparent interfaces, which is not the case of PPPoE. If I get you right, the PPPoE clients are running on the modem, so on each RJ45 port, th...

sindy

No. It returns to the first one only once the second one fails.

I still haven't understood whether you want each single request to be sent to both server's, or whether it is enough that odd requests are sent to one server and even ones to the other one.

sindy

Post the current configurations of both devices (see the hint on anonymisation in my automatic signature below). What you want to do is simple, and I wouldn't recommend to move the firewall from the 2011 to the sxtsq lite, as the CPU of the sxtsq is just a tiny bit better whilst the RAM size is doub...

sindy

As you probably want to exclude any marked connections from fasttracking, you can set connection-mark=no-mark in the action=fasttrack-connection rule, instead of connection-mark=!vpn-mark.

sindy

Add Interface switch vlan 102, include ether1,2,3,4 ... Set interface switch port ether1 vlan-mode=secure , vlan-header=add if missing, default vlan id=1 However I always lose connection as soon as I am done saving interface switch port ether1 settings. Am I missing something? I'd say yes, you do -...

sindy

I'm afraid that the DHCPREQUEST from that box breaks RFC2131: DHCPREQUEST - Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c...

sindy

Without seeing the actual configuration it is hard to say. There are several reasons why this may happen. See my automatic signature for the next steps.

sindy

For the model, you can see it in the title of the post: hAP ac lite Sorry, missed that while writing. Any ideas? Yes. Most packets belonging to fasttracked connections bypass mangle rules and other firewall processing. So the connections initiated by clients in your 192.168.88.0/24 are set up via t...

sindy

Yes, exactly.

sindy

With a regular ntpd on Linux, you can configure a forged stratum value the daemon will send to peers/clients while on freerun, but on Mikrotik, this is not possible. So if one of the current clients is a Linux machine, you can make it a server and let the Mikrotik synchronize from there, otherwise n...

sindy

The real available bandwidth is not known to the queue system - the uplink just drops packets which exceed the available bandwidth and provides no feedback about that, as no communication channel for such feedback is available. So the queues always act as if the sum of max-limits of the innermost qu...

sindy

traceroute on Linux sends UDP packets in the forward direction (unless you explicitly ask it to use another protocol), only the "TTL expired" backward notifications are ICMP. Mikrotik's /tool traceroute uses ICMP packets also in the forward direction by default.

sindy

Have you chosen the same "channel" for upgrades on on both? It looks as if one had "stable" and the other one "long-term".

sindy

The log from GCP side suggests that you use mode-config=request-only in the /ip ipsec identity at Mikrotik side, thus asking the GCP end to assign an IP address to the Mikrotik, but it doesn't have one on stock. Is requesting an address via mode-config required by their documentation?

sindy

So let me understand that you are talking about that? /ip ipsec policy add dst-address=$here action=none place-before=0 ? $here is <mikrotik_public_IP> all current networks I have on mikrotik side (leftside) ? IPsec policies override all routes including those to connected subnets. So a 0.0.0.0/0 -...

sindy

So I changed it to `use` but also it is required to set 0.0.0.0 src and dst in IPsec policy. When I do that I loose connectivity Could someone advise me how to proceed ? I'd prefer require to use for level , but that's minor. To prevent losing connectivity by setting policy's src and dst to 0.0.0.0...

sindy

My advice is to do the following at both ends: /system logging add topics=ipsec,!packet disable the identity items run /log print follow-only file=ipsec-log-siteX where topics~"ipsec" enable the identities wait until the issue happens stop the /log print ... download the files and start reading them...

sindy

The workaround regarding setting a private local-address doesn't seem relevant anymore, as I do receive his pings and I send replies. Correct? Wrong. The purpose of the workaround is to avoid sending bare ESP which some of the ISPs on the path may block intentionally or by mistake. The UDP is prove...

sindy

maybe wait mikrotik can or can't fix my advertise problem..... To get a reaction from Mikrotik, you must send the problem description along with a supout.rif file to support@mikrotik.com. This is just a peer help forum and Mikrotik staff doesn't necessarily read every single topic, so they may not ...

sindy

To react at your PM, I've missed that you have the /28 assigned directly as the WAN subnet, rather than having it routed to you via some interconnection subnet. In this case, you must set arp=proxy-arp on the WAN interface. This will make Mikrotik respond to the ARP requests sent by the ISP's gatewa...

sindy

Since you can ping the CCR from the MAC, the backward route on the Mikrotik does exist on the CCR. So the most likely reason why you cannot ping anything behind the CCR (from the perspective of the Mac) are firewall rules on the CCR. At this stage, I'll need the export of your current configuration....

sindy

If you want that each query is sent to both external servers, then no, load balancing cannot do that. If you want that a certain share of queries is sent to one external server and the rest to the other one, then a load balancer is the right way.

sindy

Do I read you correct that between your Mikrotik which acts as an IPsec peer on a public address and the Ethernet socket provided by the ISP, there is another Mikrotik acting as edge router?

Regardless that, I have suggested a possible workaround in the last paragraph of post #2 above.

sindy

ether5 is a member port of a bridge, so it cannot be a dst , you must use Bridge as dst . In order to make queues work, you have to disable the action=fasttrack-connection rule in chain=forward of /ip firewall filter . The very essence of fasttracking is that most packets bypass most firewall proce...

sindy

Youtube is full of misleading videos. What is wrong about the explanation in the documentation?

sindy

OK, nothing unusual in your configuration. I can only imagine that the switch chip tells the CPU to pause sending until it manages to deliver already received frames regardless the egress port (which may be a bug of RouterOS or a design limitation of the switch chip, I don't have any information abo...

sindy

What is your native language? It often makes sense to use Google or Microsoft translation from the native language to English and then back again, and if what you originally wrote in native language still makes the same sense after this double translation, the English version is comprehensible too. ...

sindy

Looking at the configuration export here , I'd say your IPsec settings are correct (there, some corrections were necessary as compared to the configuration state in that post; that's not your case, you don't have those mistakes). As the log shows no response at all from the remote peer, whereas in t...

sindy

Set the proper peer value for all /ip ipsec policy rows and try again. I suspect that the 4011 is trying to set up an SA for the policy which has no peer specified with the currently active peer (which rejects it). What means "unstable"? The second pair of SAs disappears and re-appears, or the IPIP ...

sindy

RouterOS versions, configurations, what /interface bonding print shows while it "doesn't work" at both ends, are the CCRs interconnected by passive elements (copper/fiber cable) or is there some active equipment (other switches) between them...

sindy

Any chance? Little, because @Jotne asked you to post the complete export and you've chosen to post just a random part. See my automatic signature below regarding prevention of sensitive information from getting posted. Some thoughts: (not related to the L2TP/IPsec issue) - unless you've edited the ...

sindy

Sniffing is not a solution, sniffing is a tool to analyse what is going on. You've provided no result of the sniffing, just a conclusion based on a wrong assumpion. This type of configuration, where Mikrotik acts as a PPTP client, regularly works for other people (me included), so it is very likely ...

sindy

Please provide a drawing (a photo of a handmade one is sufficient, the contents is important, not the form) of how the three devices are physically interconnected and the export of their configuration, following the anonymisation hint in my automatic signature just below. Here, preserving the relati...

sindy

NAT rules are not for routing, maybe you mean for redirection? So you want a 1:1 nat between the public /27 and the private /27? Why you consider it better than to assign the public IPs to the clients directly? When you say you don't want a bridge but a single LAN port per each client, it sounds lik...

sindy

The goal is clear, the details are not. It seems that the ISP sends traffic for those public IPs to you via your WAN address in the 192.168.10.0/29. You haven't said whether they have configured this statically or whether you must advertise this public /27 to them using RIP or some other dynamic rou...

sindy

You can use IPsec to encrypt any kind of connection. The price to pay is the CPU load (if the CPU is weak, this translates into "bandwidth reduction") and additional delay which also depends on the CPU throughput and whether encryption is supported in hardware by that CPU.

sindy

I just did, same result. Many more missing ESP UDP datagrams on the sending than on the receiving side.

If so, it looks like an overload of the device or a bug of the sniffer.

sindy

First fragments usually contain the L4 header (8 bytes UDP in this case), ip.flags.mf=1 and ip.offset=0. If ip.flags.mf is not set anywhere, no fragments will follow. This is correct. But what I am saying is that the sniffer filter only looks for complete packets if you ask it to match on protocol ...

sindy

First, the firewall rules in your configuration block packets from one VLAN to another but do not protect the router itself from attacks via WAN. So if you get a public WAN address via PPPoE from your ISP, your router may have already have been infected by malware. Second, it depends on what you cal...

sindy

Of course there is no MF flag in packets which did make it to the capture. You are interested in those which didn't. As I've understood, you can see those "as-if-missing" packets at receiving side, what is their size there? Also, for the same reason as described (port numbers only present in the fir...

sindy

It's not the same, but if you don't need that some other devices synchronize their time from the Mikrotik itself, you don't need to install the ntp package (and it is even better not to install it as the additional package doesn't accept fqdns as server names).

sindy

You filter on UDP and port number, but if IP packets are fragmented (which is likely the case here), the L4 addresses (ports) are only present in the first fragment, so the second fragment doesn't match the filter. But since the first fragment is not a complete packet, it doesn't make it to the snif...

sindy

Although you may theoretically have selective firewall rules in place on the Mikrotik which permit RDP but not ICMP, it is more likely that it is the default setting of Windows firewall which ignores pings from anywhere but own subnet. To check that, open a command line window at the Mikrotik (in Wi...

sindy

Ok but i want from the LAN 10.10.10.0/24 to connect to 192.168.1.8 It wasn't clear from your OP to that you want the client at the second Tik to connect to the address 192.168.1.8, it seemed to be sufficient that it reaches the server "somehow". So if you don't mind excluding 192.168.1.8 from use o...

sindy

You just attach both an /ip dhcp-client row and an /interface pppoe-client row to the same Ethernet interface. If you have the default firewall rules in place, make only the PPPoE interface a member of /interface list named WAN. The ethernet interface itself should not be on this list. But it depend...

sindy

every set-up should be only in first mikrotik? (192.168.1.3 / 10.10.10.4). No need to set anything to the second one?

Yes. The client on the second Mikrotik connects to 10.10.10.4 and all the handling needs to be done at the 10.10.10.4 'Tik.

sindy

It has to do with your "always on" VPN in terms that your PPTP server is listening, and some bot has found that while browsing the ner and is now trying to get in to your router by guessing usernames and passwords. The owner of those IP addresses is most likely unaware of this happening because the ...

sindy

The forward chain deals with everything that passes through the router; chain input deals with traffic to the router itself. So the block rule must be in the forward chain.

sindy

Hmm, I dont seem to have that, only "defconf: accept established,related,untracked" That's the one I had in mind. This rule accepts packets belonging to any already ongoing connection. So you need to place a selective action=drop one before it to break existing connections to/from the IP you want t...

sindy

Follow the instruction in my automatic signature if you want to get any useful advice.

sindy

No more ideas then. There is nothing in the configuration which would explain that.

sindy

All the bridge ports but one are inactive... what happens if you connect another cable to one of the unused ports? The HW offload means forwarding of frames among ports by the switch chip itself.

sindy

Moving the rule down only causes less Mikrotik CPU to be spent on handling the packets. I wrote that the log you've posted shows that the Mikrotik firewall is not the reason why the server does not respond to requests coming from the internet and that you must look for the reason on the server itsel...

sindy

Your firewall filter rules are not the default ones (which accept all connections with connection-nat-state=dstnat , assuming that the actual filtering has been done by the action=dst-nat rules in NAT), but the rule chain=forward action=accept protocol=tcp in-interface=ether1 dst-port=80,443 log=yes...

sindy

Why would you a function like this? Whenever you MacGyver, i.e. use the Mikrotik as a standalone solution for a specific case. My examples: a customer wants to be alerted about a specific fault of some other equipment by flashes and whistles. OK, so you buy a signal tower from a renowned company wh...

sindy

It seems this isn't immediate when activating, not sure if i missed something You have missed that the default firewall is stateful, which in brief (and for several good reasons) means that if the first packet of a connection is accepted, all the rest of that connection is accepted too. To make sur...

sindy

There may be, but it depends on how the iOS handles it, which an Apple forum might answer better than a Mikrotik one. If the only way to determine the IP address of the printer in iOS is via the autodiscovery, i.e. if you cannot manually add a printer with a given IP address, then your conclusion is...

sindy

This is a philosophical question which had to be answered one way or the other when designing the product. Changing the approach now would cause a lot of headache. I agree with you that the default behaviour drop is the correct one for a firewall, but since the default firewall rules on SOHO devices...

sindy

Would that rule work? /ip firewall nat add action=dst-nat chain=dstnat dst-port=33445 in-interface-list=WAN protocol=udp to-addresses=10.0.0.6 to-ports=33445 Add it just before or just after any already existing rules in chain=dstnat - it is for a particular port, so it is unlikely to get shadowed ...

sindy

Unfortunately, no other solution than the one you've found out yourself is currently available. I miss a script to be linked to a change of an address-list too. Just beware, scripts can still see dynamic items of address lists for about 5 seconds after they time out.

sindy

If the two devices are in different subnets and you have some dst-nat rules in place, you have to add some more NAT rules, to make the packets from A to B get src-nated, so that B would see them as coming from some other IP than the real one. But depending on how the rest of your firewall is done, d...

sindy

The complete configuration except sensitive information, as written in my automatic signature. If the issue was where you expect it to be, you would find it, so it must be somewhere else. That's why only complete configuration is useful.

sindy

so the customers get /32 address, what gw do they need to use? I wrote that above - you have to choose some address which doesn't conflict with any address the client uses internally in their network. If you only use public IPs at your WAN, the safest choice is an address from the CGNAT range, 100....

sindy

Because something is broken. As you haven't posted your configuration, this is the best response you can get. Check my automatic signature just below for a hint how to get a better one.

sindy

I suppose what fails many hops from your Mikrotik is a traceroute from that Mikrotik itself, correct? If so, I can see two possibilities: a traceroute from anywhere stops at that point, this sometimes happens if forwarding of ICMP is disabled there your public IP is blacklisted by the administrators...

sindy

This worked wonderfully!!! Right now I'm connected as it follows: ONT(new) --- Teldat --- Mikrotik, and it works. Great. Now as mentioned earlier, to get rid of the Teldat (not just for the fun of it, but to have yet another potential point of failure less), you would have to sniff the traffic betw...

sindy

Hi I have a PC Client 192.168.1.8 that has gateway a mikrotik 192.168.1.3 (eth2) Mikrotik has on eth1 10.10.10.0/24 and has gateway another mikrotik 10.10.10.101 Mikrotik 10.10.10.101 uses on an interface the 192.168.1.0/24 network. Is there a way to access PC Client 192.168.1.8 from 10.10.10.0/24 ...

sindy

In a very simplified view, the /interface pppoe-client is a translator between an L2 interface (addressed by MAC) and the L3 (addressed by IP). The L3 end of this translator cannot be bridged with anything. The IP address is assigned to the /interface pppoe-client by the remote PPPoE server. So ther...

sindy

@msatter, 192.168.1.x and 192.168.10.x are different subnets, so no conflict there, you may have WAN address in 192.168.1.0/24 and LAN address in 192.168.10.0/24 and route between them. But the point is that in parallel to handing out addresses in 192.168.1.x dynamically, the Movistar gear seems to ...

sindy

You may have connected an USB-to-serial converter in the past so the configuration has been added. Just remove this block from the configuration and try to import the file without it.

sindy

I agree with your reasoning that if the problem was the format of the line, it would fail already on the first line with that same format. So either the import is too fast, or the line numbering is interpreted differently. I'd suggest to import the file manually by pasting it to the command line win...

sindy

Now, lets get back to the question asked........ ;-P So you are saying it is worth it, or a waste of time......??.... OK, if you put it this way, then no, I don't see much value in using it. Most malware will attack public addresses anyway. Out of curiosity, you may add it an let it log, to see whe...

sindy

hAP ac lite is exactly one of the models where the script must be stored as flash/202005.rsc and you have to refer to it like this ( run-after-reset=flash/202005.rsc ). But as you seemingly have the router on the table, so you can access it even after using no-defaults=yes , you may then import the ...

sindy

I saw this in best practices wiki, dont use it but do you see value in adding to the default setup..........?

This rule just prevents your uplink bandwidth from being wasted by ill-configured software or malware running on devices in your LAN.

sindy

Is there a different mitigation for a "metered" (E.G. 4G subscription) versus an "unmetered" connection (E.G. DSL line, cable modem, FTH, ...) ? The ISP is mostly filtering already quite a lot on mobile connections. Nobody mentioned "tarpit" as protection: https://wiki.mikrotik.com/wiki/DoS_attack_...

sindy

So, what is the working OFFICIAL version, where i can back up all the settings and restore it to another hardware? The "official" version is to run system reset-configuration run-after-reset=path/to/the.exported.file.rsc (possibly with no-defaults and keep-users=yes ). The file must not disappear a...

sindy

I give up. The solution is so simple but no one wants to see it. Is it really? @Drageir has stated in his first post that he's tried exactly that, using vlan 20 instead of 6 and 21 instead of 3. If you are sure that no other option exists at Movistar than these two (data 6 / voip 3 and data 20 / vo...

sindy

It is possible to use PPPoE (which works on all operating systems the same way) or you can use a direct ethernet connection to each customer, where each end has a /32 address, but the configuration differs per operating system. At the Mikrotik end, you add it this way: /ip address add address=some.p...

sindy

The following link demonstrates that the hEX can do 900 Mbps

Yes, but without PPPoE, which already makes a difference, and without VPN which makes much more of a difference.

sindy

Hm, that's quite a difference :) Now the first thing is a backup of the current configuration: /system backup save name=before-changes-20200527 (maybe you need the name to be flash/before-changes-20200527 to survive a reboot, I don't know whether it is the case on the 750GL model). But download the ...

sindy

I have added those 2 lines, however, it didn't do any difference, in the firewall window (Winbox), I don't see any additional rules, then what I had before Sorry, the match protocol=icmp doesn't work this way. You have to do it the following way: /ip firewall filter add place-before=[find chain=inp...

sindy

thought additional rules will be created automatically if it's done via Winbox ? Nope. Can somebody please advise /ip firewall filter add place-before=[find chain=input protocol=icmp] chain=input protocol=udp dst-port=500,4500 in-interface-list=WAN action=accept add place-before=[find chain=input p...

sindy

The RouterOS version is v6.45.8. 6.45.8 would not be that bad, but the export you've posted doesn't match 6.45.8, because in 6.45.8, there is no master-port property of /interface ethernet any more. So maybe it is an export from the past (possibly saved on the device itself)? Would you mind doing /...

sindy

I cannot see anything wrong in the script, nor can Mikrotik's syntax check, but that says nothing about runtime issues. The way to go is to log about every step on the path which does not work, to see whether the foreach works at all and what are the actual values of the variables. As the refreshdyn...

sindy

viewtopic.php?t=59973#p672664

sindy

You may be missing the fact that by using arp=proxy-arp you cannot make L3 point-to-point tunnels start transporting broadcast traffic, which is likely used to discover the printer on the LAN, as there is no such thing like broadcast traffic on L3 point to point tunnels. So you'd need an L2 tunnelin...

sindy

thank you .this config solved my problem . but i wanna know if there is another solution for my problem. Man, I understand that English is not your native language (same case at my end), but please use sentences which contain more information. What exactly is the "problem" you want to "solve anothe...

sindy

The configuration doesn't seem to fit to the description you gave before, especially because I can see no traces of this device itself acting as a VPN server. But that's for later. Can you tell me the RouterOS version there? It seems to me it is way outdated (older than 6.41). Also the Winbox port o...

sindy

Sorry for the aggressiveness. Yes, the last byte differ, my mistake. The address begins with 217.x.x.x. The technician told me that I must change the MikroTik's WAN to that addres so their firewall works. I think it's a GRE tunnel inside the Teldat. We will learn that in the next round. To get ther...

sindy

INTERFACE TIME NUM DI SRC-MAC DST-MAC VLAN SRC-ADDRESS ether1-gateway 3.74 12 <- 94:24:E3:3H:2J:FE 01:80:C2:00:00:00 ether1-gateway 3.782 13 -> 7D:6T:Y6:GF:8W:1G FF:FF:FF:FF:FF:FF 6 ether1-gateway 3.907 14 <- 94:24:E3:3H:2J:FE 00:54:ER:00:70:04 ether1-gateway 4.053 15 <- 00:G0:24:D4:8R:3R FF:FF:FF:...

sindy

These are the default firewall rules which I've referred to, so yes, they do drop any connection to the router itself which is initiated from outside the LAN (except ICMP). It's the last rule in chain input which does that; the rule just before (above) it is the exception for ICMP (so the public IP ...

sindy

Yes I prefer to keep it as "No" to be honest, not sure why the local dns doesn't work yet, I will retest again tomorrow I'm not sure you've got me right - to make the 4011 respond any DNS queries coming from outside (including from LAN), you must set allow-remote-requests to yes . There is nothing ...

sindy

Is it a bug or work as intended? It may be both but the latter is more likely. If allow-remote-requests under /ip dns is set to no , the DNS server doesn't respond to any DNS queries coming from outside the router, including from the LAN clients. It is only safe to change this setting to yes if you...

sindy

I'd say it is the best solution available, except that you cannot treat input and output chains separately - incoming responses to outgoing requests of the router itself are treated by chain input , so they would not be accepted by the accept established or related rule in input because the pass of ...

sindy

I can see that you've modified the /ppp profile row named default so it now contains a fixed value for local-address and a pool for remote-address . What I can not see, because you've only published the part of configuration which you assume to contain the issue, is any row in /ppp profile without l...

sindy

Hm, great, so there is a bug in the VRF handling of PPPoE interfaces... the default route is not being added with the proper routing-mark . So you will need to work this around using the following: /ppp profile add copy-from=default on-up="/ip route add gateway=\$interface routing-mark=shatel" on-do...

sindy

So the packets do arrive to the hEX but don't get further (even the requests don't). What does /ip route print detail show at the hEX?

sindy

So does it mean that the "this is only resolved by port forwarding port 60209" is not a result of your own research but you have read it on some forum? Yes That changes the whole perspecttve. I was wondering why that statement should be true, as a) on Mikrotik and most Linux based devices, dst-nat ...

sindy

Show me the output of /ip dhcp-server network print from the main router. It is possible that you haven't delegated a proper netmask to the client.

sindy

A few posts above, you wrote When entering "netsh int teredo show stat" in cmd the NAT should be "cone" and mine is "symmetric(port)". This is only resolved by port forwarding port 60209. So does it mean that the "this is only resolved by port forwarding port 60209" is not a result of your own resea...

sindy

I have incoming traffic from the port on my device. What else can be at fault? It is a bit surprising to me that the port-forward on only the inner Mikrotik causes the detected NAT type to change from a symmetric one to cone, but let's leave this aside for the moment. But let's clarify that again -...

sindy

Update: Still does not work, even if I am connected directly to the 'Tik router. By device, you mean my computer where I want the port to be forwarded to? Yes, by device I had in mind the box behind the now-excluded other router, to see whether the port-forwarded packets really reach it or not. Wir...

sindy

I'm trying to connect to Xbox live servers from my PC and it uses teredo, and I need to port forward so that I can run a server through Xbox live. As I've said, my other router is pathetic and is very simplified. What I'll do is connect to the 'Tik router with my laptop and see if the port forwardi...

sindy

The IT guy doesn't know what port I want to listen to. So we're back where we started from - anything from the net can reach your apartment 'Tik, so effectively no firewall at all. ...shows the MAC addresses, sniffing pppoe-out1 did not (I'm just mentioning it). Sorry, my fault, no MAC addresses us...

sindy

It has returned with 10.0.x.x, what does it mean for it to have a 1:1 NAT, anything I can do? Nothing you'd need to do - the IT guy does forward the traffic to you, and doesn't change the port, so you get it. But that may mean that there is effectively no firewall between the internet and your Tik ...

sindy

Where do I find my WAN address? Is it the "IP Address" located in the QuickSet? Because the one located there is 10.0.xxx.xx. I'm trying to get Teredo to work. /ip address print where interface=pppoe-out1 . If it returns a 10.0.x.x, there may be a 1:1 NAT from the public IP to the private one. I th...

sindy

No way unfortunately. You would have to sniff into a file and then use Wireshark to calculate the statistics per IP.

sindy

I have followed tutorials exactly and it does not work, so I believe it might be the estates Mikrotik which is not allowing my forwarding. What you can do to be really sure is to open a command line window on the 'Tik, make it as wide as your screen allows, run /tool sniffer quick interface=pppoe-o...

sindy

When I plug in a laptop directly to the Movistar' Switch I get the address 192.168.1.X, so it must be in router mode.

So what happens if you attach a DHCP client directly (no /interface vlan in between) to Mikrotik's ether1 rather than a fixed address? Does it get a dynamic one too?

sindy

BTW, since you've now got the PPPoE username and password, you should be able to connect your own router instead of the estate's Mikrotik. Which doesn't help much if the central router is filtering incoming connections. There are two drawbacks of a centralized firewall: if done properly, it prevents...

sindy

Im running v6.38.3 and I have my PPPoE via ether1 yes. Hmm... that's WAY outdated, many vulnerabilities have been discovered and patched since then. The IT guy really takes it easy there. OK, if your own router is secured enough, you may think you are safe yourself (against some types of attacks, o...

sindy

OK. What is important is that the mode (tagged/tagless) of each VLAN was the same at both ends of each link between two adjacent devices. So if you want both VLANs to reach the "client AP" device, you must change the wireless interface mode there to station-bridge as I've suggested in my first post....

sindy

Yes, we have a VPN for some employees and a Exchange server too. We have the outsorced DNS and we will change it to the new public IP after we get conection. OK. In that case: configure one of the VPN clients to connect to the new public IP (rather than to the domain name if set like that), open a ...

sindy

So should I disable bridge1 and try to use wlan1 when setting up my NAT rules? NO - this would make the router inaccessible for you, wlan1 is a member port of the bridge, so by disabling the bridge you'd lock yourself out from the device. As you consider port forwarding, I guess you are getting a p...

sindy

/ip dhcp-server network server=my_dhcp address=10.0.0.18/32 netmask=24 gateway=10.0.0.2 There is no explicit link to the server. And if you don't specify the DNS server, the common one will not be assigned to the client - or, better to say, those specified for Mikrotik itself in /ip dns settings wi...

sindy

Not enough, you must add netmask=xx, where xx matches the netmask of the subnet from which you assign the address, otherwise the client would get a /32 mask and would not be able to connect anywhere, as even the gateway would be outside its own subnet.

sindy

Processing-wise, there is no difference between CGNAT and NAT. It doesn't matter what the new source address which has to be changed in each packet is.

sindy

It depends on whether there will be any traffic between the Cisco itself and the Mikrotik. The thing is that the routing-mark is respected for any traffic for which any matching route with such a routing-mark exists, hence an incoming from the Cisco itself (not coming via the Cisco, the source addre...

sindy

Rule order does matter. Whether you set passthrough to yes or no does matter. You can only assign a single connection-mark to a connection at a time - the last assigned one replaces any previous ones. So you have to use composite connection marks, each expressing both the routing policy to be used a...

sindy

You mean the gateway which the DHCP server instructs the client to use, correct? You can, if you make the lease for that client static (to convert a dynamically assigned one to a static one is the simplest way to do that), and for the address you lease to that client, you create a separate row under...

sindy

Is it possible that so different web services go to use same ip address servers ? In this case is a lost war from the beginning..... Yes. Large companies like Google of Facebook (sorry if I haven't mentioned your favourite one) use the same IP addresses for all of their services, so to try to selec...

sindy

I'm not aware of a way to see the STP status of individual ports. You can see the forwarding table using /interface bridge host print, but that's not the same (a port may be open but no MAC address may be learnt through it).

sindy

OK. Now you may extend the src-address in the /ip route rule row from a /32 to the whole /27, it should extend the functionality to all the public IPs associated to DAISY.

However, I still don't get why the mangle rules did not work, as they seemed fine to me.

sindy

First of all, could it be that those two clients are using L2TP or PPTP, both connect to the same VPN server, and you NAT both of them to the same public IP address? If so, it cannot work due to the NAT, as in both cases, the server to which they connect is unable to distinguish the connections from...

sindy

Where would that VPS run? If anywhere else than at the client PC, it would itself become the SPOF. All the VPN protocols are stateful, so even if you create a virtual router from a pair of 'Tiks using VRRP and let the clients connect to the virtual IP, as soon as the currently active 'Tik breaks and...

sindy

What does the script have to look like for it to work? The problem is that the variables accessible inside the script are not the same ones you can see using /ip dhcp-client print detail - very confusing. So your script has to look as follows: :if ($bound=1) do={ /system script run refreshdyndns :l...

sindy

now we have WAN2 and DAISY. So any connection that comes in on DAISY goes back out on WAN2. So you actually don't need a rule to keep what came in via WAN2 on WAN2 but a rule to keep what came in via DAISY on DAISY. So go step by step now: open two command line windows run /tool sniffer quick inter...

sindy

It was running OS version v6.37.1 and current firmware was 3.29. ... How did this happend? ... However, keep in mind i had a strong password. A number of vulnerabilities, including ones allowing to break in without knowing the password, has been fixed since 6.37.1, so this is the most likely reason...

sindy

In the OP you say you have a problem that everything goes out via WAN1 (DAISY) no matter what and that you want that L2TP connections which came to pppoe-wan2 would be responded from there, but there is no /ip route rule row for this. Instead, there is such a rule, but for WAN1. Can you clarify? Als...

sindy

I have no idea how the network discovery you have in mind works, but as I wrote, L3 VPNs do not transport broadcast packets or ARP packets, so you would most likely need an L2 VPN, and for that, you need to either write your own VPN application for Windows or to use another Mikrotik (such as mAP) to...

sindy

/interface bridge monitor your-bridge-name

sindy

The last rule in chain=input of your /ip firewall filter says action=drop chain=input comment="defconf:drop all not coming from LAN" in-interface-list=!LAN (and for some reason, this rule is there three times, so remove the last two ones). Since the dynamically created interface representing the L2T...

sindy

Try changing pfs-group value to none , as the Microsoft Windows' embedded VPN client uses that. If it does not help, try to gather more information from Fortigate's log regarding supported transforms (encryption algorithm, hash algorithm, pfs algorithm). If you have any other IPsec configuration in ...

sindy

You can't add both routes to the same routing table (i.e. give them the same routing-mark , none in this case, which is equal to explicitly stating main ) with the same distance and expect that by indicating the interface for :ping , the proper route matching that interface will be chosen. RouterOS ...

sindy

What does the /ip ipsec proposal print where name=default show on the Mikrotik?

sindy

Please me detailed the function at its level, Please take note that this is just summary of the problem i am facing implementing the design ... This is the focus of the problem To me, the most comprehensible description remains the picture. Even with your description above, I still understand that ...

sindy

So what to fix, device-by-device, to make the VLAN 1000 transparent end-to-end: "main router": I cannot see any internet uplink configured there, so even once the VLAN1000 becomes transparent, the "Client Data" device will only get access to that router itself, not to internet. Please clarify. "swit...

sindy

@Sindy... That for your swift suggestion i would have these issues fixed and would let you know if my problem is solved or not... Wait... I've completely misunderstood your setup as the order of your configuration exports doesn't match the order of the elements in the chain on the drawing, and the ...

sindy

after your guide i can add route to vlan1(192.168.222.10) but i cant ping 8.8.8.8 through that in 2011 What means "I can't ping through that"? From where do you ping? How do you enforce that the ping takes that route, and how did you verify that the ping actually did take that route? In addition to...

sindy

Since no one familiar with Movistar's habits seems to wander around, let me ask you a question, because to debug a blackbox is not easy even for a network specialist, leaving aside regular users. Should the static public IP be used to access some server in your premises remotely (web server, VPN con...

sindy

My question is simpler, where is the export of /ip dhcp-server network? The thing is that if there is no row whose network prefix matches the leased IP address, the DHCP clients receive an IP address but no netmask, so they choose /32 and thus they cannot reach anything on L2 level.

sindy

Traffic to and from own IP addresses of the device doesn't respect VRF. The routing-mark identifying the VRF instance is assigned as the traffic gets in via a VRF interface, but there is no in-interface for locally originated traffic. For incoming traffic to own addresses, the matching of the destin...

sindy

@sindy Only the routing-mark differs and the destination address is in all four lines the same. Differing routing-mark means different routing table, so it always overrides distance as I wrote above. If no route with the required routing-mark matches, routing table main is used instead (unless you ...

sindy

I am not a routing specialist but with distance and specific WAN you create a problem. The connection with the shortest distance gets priority to transport traffic but then only for WAN3 traffic leaving WAN2+3 to be catched by the last routing rule. @msatter, this is a misleading statement. The dis...

sindy

Does it stop working for iperf running outside the router or you've only tried pinging from the router itself? Packets sent by the router itself do not pass through the prerouting path but through the output one. So if there is no other route to 172.31.19.0/24 (a default one would be sufficient) in ...

sindy

@powiadamiacz, a statistics from just a few samples is no statistics at all. You'd have to create thousands of connections with different source an destination addresses and ports to see the actual evenness of their distribution across the rules/routes. The key here is how the 32-bit hash is generat...

sindy

@anav, in cases like this, I follow a simple rule - emergency to be resolved first. So I do/suggest the minimum needed to make it work "somehow", and once the service gets going, there is enough time to make it work "better" - more efficient, more elegant, whatever. Asking the OP to redo it from scr...

sindy

I suspect that the issue is caused by /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes which is not compensated for. If you look at the log line you've quoted, it says in:bridge-hq(ether7-trunk-zolder) , whereas it should actually say in:hq-vlan10 . So the rule acts to...

sindy

Can You tell me how to do that ?

Have a look at this recent post. If it is not 100% clear from there, ask further questions here.

sindy

In the export of the configuration of the client (the 941), I can see /interface wireless set [ find default-name=wlan1 ] ssid=MikroTik which means that the mode is set to station (default settings are not shown in export ). But in mode=station , the header of the frames in the air only contains the...

sindy

Yes, but not using ECMP. ECMP does not look at port numbers, period.

So you need routing marks and mangle rules assigning them if you want to distribute the traffic with same src and dst addresses across multiple routes.

sindy

We have tried routing-mark before without apparent success. Would prefer WAN2 to be the priority with WAN1 as fallback. The routing-mark is actually a name of a routing table , so you can use the distance parameter to prioritize routes in each routing table differently, and you can have the same ro...

sindy

The firewall rules in the default configuration of SOHO models are a good starting point; as you can access configuration services via public IP, these seem to be unused - maybe because the router model is not a SOHO one so the defaults are different.

sindy

Is it a firewall rule or a VPN configuration setting? Could anyone please help? As you've realized yourself, there may be many reasons why you cannot connect to the router itself via the VPN, depending on the particular VPN type you use and/or your firewall rules, so to get a useful advice, provide...

sindy

Okay. So first, the "beauty of this beast" (the Mikrotik) is that, unlike with most hardware-only switches, you may create several independent bridges, and the VLAN IDs are only relevant within each bridge, i.e. frames are not forwarded from one virtual bridge to another just because they carry a VL...

sindy

You were either sniffing on all interfaces simultaneously or on the LAN one in particular, as the DHCP traffic seen there shows your Mikrotik acting as a DHCP server for your LAN devices. I know I haven't replaced br-wan in the command by put-your-wan-interface-name-here :) You may consider removing...

sindy

Could anyone suggest a reason for this happening - I can share the config if that would be useful? Check this post first, start reading it from the last paragraph which explains the relationship to your scenario, and then read the previous posts in that topic to find out how to use the routing-mark...

sindy

Some people recommend to turn this the SIP helper off. I am one of those people, under specific circumstances - the helper is useful when individual phones are connected at the LAN side and the exchange is unable to deal with CPE-side NAT on its own. If the exchange is at the LAN side, whether the ...

sindy

It looks like I receive his ping and I reply to it. I also send a ping, but get no reply. Is that a correct interpretation? If you were both pinging simultaneously, then yes, it is a correct interpretation. The fact that you receive the ESP says that everything is OK with routes towards you and pol...

sindy

It depends on what you want to do :) The least complicated way forward from the current setup is is the following: On the hEX, add a VRF setup for Shatel: /ip route vrf add routing-mark=shatel interfaces=pppoe-Shatel,vlan1 On the 2011, routes through Parsian will stay as they are, and routes via Sha...

sindy

NAT rules in particular are definitely not necessary. To get a more useful advice, you have to provide a more useful input, see my automatic signature below for a mini-howto. There are many ways how to implement a firewall and routing, so nothing less than a complete export from both the central dev...

sindy

If you look at the same in IPv4 conntrack, you'll see the same short timeouts appearing now and then, as they appear whenever a packet has not been acknowledged yet: [me@MyTik] > ip firewall connection tracking print ... tcp-established-timeout: 1d ... tcp-max-retrans-timeout: 5m tcp-unacked-timeout...

sindy

Look at the server implementation of OpenVPN as at a separate router. Adding a route to the client's LAN subnet to the server's kernel routing table via an OpenVPN virtual interface just tells the kernel to send the packets for these addresses to OpenVPN, but you have to tell OpenVPN itself which su...

sindy

The scenario you describe is nothing special, so the example in the manual should be sufficient? Or have I missed something in your description? Don't let the fact that the WAN interfaces in the example have private IPs, it works the same when they are public ones.

sindy

Port 1 = WAN Port 2 = Goes to my network switch and carries 6 VLANs and DCHP information for everyone Port 3 = Empty Port 4 & 5 = Members of streaming_bridge and VLAN 7 is assigned here with a DCHP server handling this traffic. As this description still hasn't removed the doubts, can you just follo...

sindy

Since you have both WAN routes active simultaneously, you are likely using policy routing (nothing to do with IPsec policies, it's just a common name of the setup in the Mikrotik world), i.e. you assign the routing-mark values using /ip route rule rows or /ip firewall mangle rules. When doing this, ...

sindy

unfortunately i don't have access to bridged radio So the first step to do is a test whether the radio is transparent for VLANs. the model of router is specified in the config well, the hEX is just a small bit more powerful than the 2011, so depending on the available WAN bandwidth, it might or mig...

sindy

In the absence of any description of the network topology at the the HQ, it's nothing but guessing: if it's not a firewall rule blocking DNS queries coming in via WAN without an exception for these that come in via WAN but transported using bare IPsec, the next most likely thing to me is routing at ...

sindy

please show me what can i do with detail . thank you. To do so, I need exports of the current configurations of both routers and the radios (as they may theoretically be blocking VLAN traffic). My automatic signature right below suggests how to do that and how to anonymise the sensitive contents of...

sindy

If all the Mikrotik devices on the picture are under your control, you can use two VLANs to host two intermediate IP subnets on the link between the two routers, or you can even run the PPPoE clients on the bottom router if you use two VLANs to bridge the PPPoE frames between the two routers.

sindy

To add some optimism, you may use a managed switch, or the Mikrotik itself acting as such switch, and set up L2 filtering and/or port isolation to restrict traffic among hosts in the same IP subnet. Also, if you just wanted to test the firewall rules and your actual application case does not require...

sindy

Confirm once you start using mangle rules the router slows down (fasttrack has to be disabled in foreward fw rules) and if so by how much?? (What is the real effect)?? @anav, strictly speaking the router doesn't slow down but has to spend more effort to handle a single packet. So the traffic may sl...

sindy

We are broadcasting our stream to a company on the internet via the RTMP protocol. I do not believe that the unit requires any information back while streaming. All it does is send a MP4 compressed file via RTMP that gets rebroadcast. OK, so no need to worry about multiple streams occupying the dow...

sindy

Questions: what exactly have you done two minutes after starting the sniff, and for how long had the connection been already down before you've started sniffing? was the /ip dhcp-client print detail taken before starting the sniff or after finishing it? The point is that during those first two minut...

sindy

The service vlan needs to be applied in the first vlan only (100 and 200) right?

s-vlans need 802.1ad (service) tagging (hence use-service-tag=yes), c-vlans need 802.1Q (customer) tagging, hence use-service-tag=no.

sindy

I can confirm that you cannot ping across networks. ... Now all I need to try and sort out is the encryption on the L2TP connection to Tinos. First I'd like to know that the SIP devices are doing fine with these rules at Malford. Then, I need to have a look at Tinos firewall rules. To do that, I'd ...

sindy

It's a Windows specific issue:

viewtopic.php?t=110761#p658121

sindy

OK, so the stupidity was at my end, sorry for that. I should not do serious things in the evening. I've always placed the chain=something only to the first rule in each chain. And as you've added "input" to all rules, it could not work properly for forwarding. So a corrected version is here: /system...

sindy

Yes. In the /export, you should see the rules in exactly the same form and order in which they appear in the script.

sindy

I cannot find a reference to the "ID" field in the ipsec manual at the Mikrotik wiki. Because there is a reference to "my-id" and "remote-id". But since the connection is established, it's not the reason why it does not transport data. I do see packets exiting the WAN interface going to xx.xx.2.126...

sindy

I have just copied the rules from here (Firefox used - mark, copy, paste, no "select all") and pasted them into a PuTTY window, no corruption. Please do it that way. It seems that pasting to Winbox window has some negative effect.

sindy

Can you copy-paste my script here exactly the same way how you have copy-pasted it to the Mikrotik? Because the resulting rules are not those in my script, something went totally wrong: add action=drop chain="add action=accept protocol=udp dst-port=53 in-interface-list=!WAN" connection-state=invalid...

sindy

Did them manually in the end as I needed the isolation rules so, these are the active ones: No, you didn't need any extra isolation rules . I gave you firewall rules which drop everything except what I've explicitly stated will be permitted. You have actually not implemented my rules - according to...

sindy

Will this solution work if there is more than just 2 Road Warriors L2TP/IPsec clients behind NAT? That's the very purpose of this solution. I have about 10 on a site and they use one central fibre line to connect to our main VPN server and from what I pick up is that it works as it gives one of the...

sindy

So essentially if I don't have the server in the same bridge as the LAN and keep them on different subnets I will be able to use the public IP of the server from the LAN? Correct, but same/different bridge is not actually relevant, only different subnets are necessary. You can have multiple subnets...

sindy

Don't the new rules make most of the old rules redundant? At the very least I would need to shift them higher up in the rankings? The rules you kindly wrote are now numbers 20 to 27. The last line of my script, /ip firewall filter remove [find comment~"the-old-rules"] should have removed those old ...

sindy

To run the script I just create a new Script with all policies checked, permissions uncheked, and then just save and run script. No. Log in using SSH (PuTTY) or connect using Winbox and open a terminal in it. Then, press Ctrl-X to get to Safe Mode in the text window, and then copy-paste the script ...

sindy

Please follow my automatic signature below. Your description of the configuration on the 2011 sounds suspicious, the export will give a clear picture. The hEX PoE configuration may also need modification but it seems just unusual to me so far.

sindy

OK, so for the "local CCR" (Malford), the script below should make the firewall rules simple and efficient: devices in all LAN subnets will be able to set up connections to any servers in the internet (including the Tinos subnet accessing internet via Malford via the VPN link), devices in the primar...

sindy

It is possible but it requires specific settings on the modem/router which may not be available. If the ISP connects you using PPPoE and you can place the modem into bridge mode, you can set up the PPPoE client on the wAP LTE, but you want to prevent any other than PPPoE frames from being sent to th...

sindy

@anav, you're turning the straight & plain topic into a spaghetti plate. /ip route rule is an instrument from the policy routing repertoir, where you need to use a specific set of routes for some devices, depending on the src-address or in-interface (or even more factors if you add mangle rules to t...

sindy

Two things. You cannot attach an /interface vlan to a member interface of a bridge (ether1 in your case), you must attach the /interface vlan to the bridge itself instead. It works "somehow, sometimes" the way you've configured it, but it's not reliable. And second, you haven't attached any IP confi...

sindy

I have no problem opening up ports to the internet As long as it's to a DMZ. I don't want to open, lets say port 80, to a server on my LAN. That's the reason I want a DMZ to put my webserver here so it's isolated from the rest of the LAN. But I still want to be able to access www.example.com both f...

sindy

I believe the only relevant info you need (knowing the vpn is established) is: The issues tend to be in those parts of configuration you don't suspect to be relevant, that's why it is necessary to post a complete configuration except sensitive information (passwords, usernames, public IP addresses)...

sindy

You don't even need a hairpin NAT, it is enough to place the server and the client into different LAN subnets. Two WAN IPs on the same machine will cause the traffic to be routed directly, bypassing the physical uplink(s), so if your dst-nat rules refer to in-interface(-list) as they should, it woul...

sindy

Because you can't fast track and actually have to route and use encryption, for what you asked

But the configuration shows neither - fasttracking cannot speed up anything as the firewall is not there at all, and encryption is not used either.

Do I read it right that the main WAN is PPPoE?

sindy

/ip dhcp-server network set [find gateway~"10.0.0.1"] dns-server=10.0.0.1

sindy

How can I check that nothing untoword can get through? You can't check. You can only set up firewall rules which will prevent that, but bear in mind that L3 firewall rules only prevent a certain kind of malware from actively connecting to your network; other kind of malware, which relies on downloa...

sindy

Likely yes, but it won't be within hours.

Search found 5102 matches