MikroTik

sindy

You seem to be another victim of my not enough sleep yesterday, I wonder who else is :( Probably due to that I have noticed the existence of NAT at your end (as it pops up at maybe 10 places in the OP) but not the other related misconfiguration of the policy - the sa-src-address must be locally mean...

sindy

speedtest.net uses normal http port on many different servers so nothing to match on (port is not unique and neither DNS name nor IP address are predictable).

So this kind of cheating won't work.

sindy

Because according to RFC, a manually assigned link-local address can be used , but only in rare cases where automatic generation is not practical . Then it's clear (bold = important, italic = not important). In rare case when I decide that I need to remember my router's link-local address, I need i...

sindy

the only data the ISP gave me are: WAN: IP: FE80 :: 2A02: 2F0F: 1C2 GW: fe80 :: 1 LAN: 2A02: 2F0F: 1C2 :: 1/48 So the substitution was systematic (2A02:2F0F:1C2 ->1234:5678:123 everywhere) and they really do ask you to manually set the link-local address of your WAN so that its lowest 48 bits match...

sindy

If you don't use internet and just watch TV, there should be almost no CPU load at all as the IPTV traffic bypasses the CPU completely: as vlan-mode at ether1 and ether5 is secure and switch1-cpu is not on the port list for vlan 20 in the switch chip, the IPTV frames tagged with VID 20 cannot get to...

sindy

In your first OP, you wrote: these are the data: ip wan fe80:: 1234:5678:123 GW: fe80::1 lan: 1234:5678:123 ::1/48 Did they really ask you that the first 48 bits of your /48 were used as the last 48 bits of your WAN IP's link-local address? Or you've chosen the 1234:5678:123 randomly as placeholders...

sindy

Da, video sam, but found it too complex to analyse in the time frame available at that time, and then I forgot about it. You are one of few people in the world who directly assign a gateway IP address rather than routing-mark using a mangle rule :) This part indicates you haven't understood the VLAN...

sindy

I'm confused. I had a feeling that the ISP asked you to set a particular IPv6 address on your side to be able to route your incoming traffic to you . If it is actually enough for their gear that you advertise your interface as a router to your network by means of Neighbor Discovery's Router Advertis...

sindy

[me@MyTik] > ip ssh set forwarding-enabled=
both  local  no  remote

The old value yes translates into remote during configuration conversion during upgrade, which means Mikrotik doesn't fulfil client's requests to access ports through itself.

sindy

When you open an url using a browser, the browser resolves the fqdn part of the url to an IP address, then initiates a TCP session to that address and port 80 (plaintext http) or 443 (tls-encrypted http - https). Before the TCP connection is established, the url doesn't appear in contents of any of ...

sindy

Assuming that you want the L2TP/IPsec to run on the NAS, the issue may be that the native VPN client of Microsoft Windows in default settings doesn't accept NAT at server side. An if you are trying from a recent upgrade of Win10, the L2TP/IPsec may not work at all. The issue with the default setting...

sindy

This problem is very wired, because all other Mikrotiks that are not connected to ISP via PPPoE are working very well. This is the only one that does not works and it is the only one that is connected to ISP via PPPoE. I don't believe it is related, as if a route's gateway is just the interface, no...

sindy

Your only /ip ipsec profile used by your only /ip ipsec peer says nat-traversal=no whereas the sa-src-address of the /ip ipsec policy is a private one, that's one point. Another point for later on is the src-port=500 in the policy - do you have any particular reason to only use the policy to transpo...

sindy

What bothers me is the bgp-origin=igp attribute of your route to 192.168.1.0/24 via pptp-out1 . On my 6.43.4 machine, the same type of route doesn't show such attribute. 10 A S dst-address=192.168.229.0/28 gateway=pptp-out1 gateway-status=pptp-out1 reachable distance=1 scope=30 target-scope=10 Worse...

sindy

which is not default route, because I added it manually and made comment for it ;;; vpn added by Stoyko Stoykov. is this that you mean to remove?). I have tried to change it to pppoe-out1, but it does not works. I should not analyze others' configurations after four hours of sleep :( I've missed th...

sindy

If you need src-nat (or masquerade if the WAN address is dynamically changing), it is enough that the rules in chain=srcnat of /ip firewall nat match on out-interface . Unless you specify a routing-mark condition in them, they will act on a packet with any routing-mark . So it's not the same like ro...

sindy

look like it will use less CPU is there any way to be sure? Running /tool profile while watching TV should show you the difference in CPU load between the solutions. on @sindy solution /interface ethernet port set ether1,ether2,ether3,ether4,ether5,switch1-cpu vlan-mode=secure crashed my router boa...

sindy

I think it's all just a matter of routes. The default route added by /interface pppoe-client has distance=0 (which is incorrect as such and newer ROS releases wouldn't accept that, but that's not the main point here), so it beats the other, manually added, default route via pptp-out1 which has dista...

sindy

Rather than mangling I'd use VRF in this case. With VRF, the routing-mark is assigned based on the in-interface of the packet, without any /ip firewall mangle or /ip route rule rules, and there is also no fallback to routing table main if no route with that routing-mark is found. /ip route vrf add r...

sindy

which part, doubt that I have to /export and post everything That's the problem - since we don't know in which part of the configuration the mistake is, it is impossible to say which part to post. So you actually do have to post the full export, that's why my automatic signature contains a suggesti...

sindy

This is the maximum help anyone can provide given the information you have provided so far - to tell you what you have to do to get some real help, i.e to post your configuration. In most cases things don't work because there is a mistake in configuration, so this is always the first thing to check....

sindy

Hub: /ip ipsec mode-config add address=10.219.0.1 address-prefix-length=32 name=client-1 split-include=10.11.219.1/32 add address=10.219.0.2 address-prefix-length=32 name=client-2 split-include=10.11.219.1/32 /ip ipsec policy group add name=special /ip ipsec profile add dh-group=ec2n185 enc-algorith...

sindy

There is a thing called DNS SRV record where a port is a part of the reply, but the question is whether your DDNS provider supports SRV records. Worse than that, browsers didn't when I've checked last time some years ago.

sindy

Send this to support@mikrotik.com with a link to this topic. It is not guaranteed that Mikrotik support staff reads every single topic here multiple times.

sindy

The title says IPsec, the body says OpenVPN. Which one you actually want? I know for sure that IKEv2 with certificate authentication does work beacuse I use it; I know that OpenVPN should work the same way but I don't use OpenVPN on Mikrotik due to the limits of Mikrotik's implementation.

sindy

Can you help me please.

Of course we can. We need just one small thing, see my automatic signature below.

sindy

A drawing will be even better than words. But let me suppose - you need LANs 10 and 20 to be both tagged on the uplink ethernet port to the ISP, one ethernet port to work as an access one to VLAN 20 to connect the STB, the PPPoE client acting as your WAN to acccess VLAN 10 Is that correct? If yes, i...

sindy

Our OpenVPN setup worked perfectly fine BEFORE upgrading to 6.45.1/6.45.2. Any ideas?

Create a dedicated topic and post there configuration of the affected machine following the anonymisation hint in my automatic signature below.

sindy

Everyone can cheat these days with translator, but from other threads I get the impression that it's not your case.

I did cheat where Spanish was involved. I'm afraid that to choose the right translation of "site" cheating doesn't help, you need to know the language from regular professional use.

sindy

It's not really easy or elegant. See Sob's posts in this thread.

sindy

Is it a good way to do it? Another tutorial I've read said to make l2tp-in1 part of the local bridge, and enabling proxy arp... This way instead I do not need to make l2tp in the bridge and I don't need proxy arp, it works anyway. I can browse the local lan and connect to the web from there, seems ...

sindy

I don't see where to download a zip file, only an npk file. I don't use Windows so I don't use winbox, which is how I assume you can upgrade individual packages? I don't see a way to do it on the command line. At https://mikrotik.com/download, download "extra packages", which is the .zip with all, ...

sindy

What you actually do is that you tag the wireless frame as it comes in from the air, then untag it again because the tagged end of each /inteface vlan is connected to one of the two /interface wireless , and you deliver it to the bridge-guest tagless because the tagless end of /inteface vlan is a me...

sindy

Double-click that dst-nat rule in the table view and correct the to-addresses value there.

sindy

The GUI is a very misleading tool when it comes to firewall rules, as the table view only shows about 1/10 of all the parameters. The command line export shows that you do redirect port 1194 to a particular address: add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 protocol=udp to...

sindy

Looks like the LAN device using address 192.168.0.108 is downloading some torrents. As for the single header line in response to /ip arp print, it is not a bug this time, it simply means that the ARP record is not there. Grrrr... you redirect the web and FTP to 192.168.0. 108 , but you redirect the ...

sindy

The strange thing is that ftp port forwarding works. Also I have succesfully forwarded port to connect to the nas web interface. That's really strange. So what does /ip arp print where address~"192.168.0.8" say? So I'm afraid it will require a site visit to move forward. Which site? Do you mean NAS...

sindy

From remote you cannot connect to a private IP, that's right, and you also cannot connect to the public one as only Winbox connection is permitted on the WAN side (which is not a good idea any more, as nowadays it sometimes looks as if the bad guys knew the Winbox interface of RouterOS better than i...

sindy

The IP address 192.168.0.1/24 is attached to ether3 Where can I see it? On the setting card of the address where you've changed it from ether3 to bridge1. In the configuration export, it was in /ip address add address=192.168.0.1/24 comment=defconf interface= ether3 network=192.168.0.0 By the way, ...

sindy

Your hEX configuration is simple: ether1 is WAN, don't touch it. ether2 through to ether5 are member ports of the same bridge. All ports of a bridge share the same IP configuration which must be attached to the bridge. In your case, the dhcp server is attached to the bridge (correct) but the IP addr...

sindy

No, 192.168.0.8 is associated to ether3, so /tool sniffer quick interface= ether3 ip-address= 192.168.0.8 . When the packet passes through ether1, it still has the public IP as destination, not the private one. And don't forget to make the command line window as wide as your screen allows before iss...

sindy

Follow the hint in my automatic signature below (for both devices). So many things may have gone wrong that the guess list would be as long as the manual. You haven't stated even which VPN type you use.

sindy

So the router tells you that it cannot install an enabled package (security) because it requires another package (dhcp) to work. It's not a nonsense - since 6.44, IKEv2 (from the security package) responder responds to DHCPINFORM messages from Windows clients which explains the dependency. So enable...

sindy

I'd still run /tool sniffer quick interface=the-expected-out-interface ip-address=ip.of.the.nas to make sure that the packets do leave towards the proper MAC address via the proper interface before finally concluding that the NAS ignores them.

sindy

Sounds like a forgotten L2 (bridge or switch) filter rule, or port 2 missing in /interface bridge vlan rule for the native VLAN (as you say the IP is attached to the bridge interface itself), or ingress filtering set to yes with forbidden tagless frames on port 2 (you mention mac-telnet, not mac-win...

sindy

If indeed the filter forward rule is applied after NAT,

@anav, have you ever bothered to look at the diagrams I've linked above?

sindy

Can me anbody explain where my thinking fault is?

Create a new dedicated topic an post the complete config there. The few lines you've posted look fine as such so there is likely a firewall issue.

sindy

I can't update 6.43.16 to 6.44.5. Don't know why.

Does the beginning of /log print show anything after reboot with the new package downloaded? Typical reasons are .npk for a wrong architecture or a mythical malware preventing upgrade to protect itself.

sindy

You have to insert an action=accept rule for the src and dst subnets into the srcnat chain of nat, yes. Regarding using the same router for L2TP/IPsec, you can with some limitations. When an initial packet from an ipsec initiator arrives to a Mikrotik listening as a responder, three fields are used ...

sindy

Fix the image and provide configurations of both routers (see my automatic signature below). Without that, there is zero chance anyone could help you.

Search found 3547 matches