Community discussions

Search found 10917 matches

by sindy
Wed Nov 13, 2024 9:34 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 22
Views: 805

Re: Cant get Wireguard client to work

So I've made a test on 7.16.1 and no, the rule with action=lookup-only-in-table table=main min-prefix=0 does not remove the default routing table choice, so if the packet whose destination address only matches the default route in main does not match to the second rule and thus it doesn't get routed...
by sindy
Wed Nov 13, 2024 5:32 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 43
Views: 1256

Re: Mikrotik as Wireguard client behind NAT, loosing connection

BTW I have torched the wan interface in the past and packets do arrive on that port and no handshake is done. The fact that @dcavni has stated he did not see the packets from the client to arrive to the server, whilst he did see other UDP packets to arrive from the client, is what made me conclude ...
by sindy
Wed Nov 13, 2024 2:15 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 43
Views: 1256

Re: Mikrotik as Wireguard client behind NAT, loosing connection

It is indeed necessary to set the scheduler interval to 1d, sorry, I forgot to state that. But if you have removed the connection manually and it did not help (provided that the server side port was 13231 at that time, as otherwise the "manual removal" may not have succeeded), chances are ...
by sindy
Wed Nov 13, 2024 10:57 am
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 25
Views: 834

Re: VRRP with single WAN and Single LAN Address

RTR 1 Flags: X - DISABLED; F - FAILURE Columns: NAME, INTERFACE, MAC-ADDRESS, VRID, PRIORITY, INTERVAL, VERSION, V3-PROTOCOL, SYNC-CONNECTION-TRACKING # NAME INTERFACE MAC-ADDRESS VRID PRIORITY INTERVAL VERSION V3-PROTOCOL SYNC-CONNECTION-TRACKING ;;; LAN 0 F vrrp1 ether1 00:00:5E:00:01:31 49 254 1...
by sindy
Wed Nov 13, 2024 10:44 am
Forum: General
Topic: Help with NAT
Replies: 6
Views: 269

Re: Help with NAT

on the Judah MK, the meter of 10.116.12.134/22 will be plugged directly into ether2 and 10.116.12.135/22 will be plugged directly into ether3. OK. So the 10.116.12.0/22 is not known to the Judah hEX yet, but for some reasons, you want the two flowmeters you plan to ultimately place in Judah to have...
by sindy
Tue Nov 12, 2024 11:14 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 25
Views: 834

Re: VRRP with single WAN and Single LAN Address

Here are the two test routers I have set up.
OK, no firewall filter rules at all so VRRP packets from the other router can definitely get in if they make it through the LAN.

With these configurations, what does /interface/vrrp/print where name=vrrp1 show at both test routers?
by sindy
Tue Nov 12, 2024 10:40 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 22
Views: 805

Re: Cant get Wireguard client to work

No. When I say the new rule should be added as a third one, I mean it literally. The description before gives the reasons.
by sindy
Tue Nov 12, 2024 10:37 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 101
Views: 18089

Re: Multi-WAN Load Balancing Starlink issue

How did it end up going?
We finally made it work. What's your current issue with that setup, and what do you need to achieve besides the basic load distribution?
by sindy
Tue Nov 12, 2024 10:32 pm
Forum: Beginner Basics
Topic: Cant get Wireguard client to work
Replies: 22
Views: 805

Re: Cant get Wireguard client to work

At some point, Mikrotik has added the min-prefix parameter to routing rules, but the explanation in Mikrotik manual just refers to the name of the feature as used in general Linux, and references I could find are also not very verbose regarding "side effects" (putting that in quotes as tho...
by sindy
Tue Nov 12, 2024 9:36 pm
Forum: General
Topic: Help with NAT
Replies: 6
Views: 269

Re: Help with NAT

If some specific conditions are met, you can, but here both ends happen to have one.
by sindy
Tue Nov 12, 2024 8:21 pm
Forum: General
Topic: Help with NAT
Replies: 6
Views: 269

Re: Help with NAT

I must admit I am a bit confused. You state that the LAN subnets on the two sites overlap, but it's actually not the case - in Judah configuration, there is address=10.118.1.2/28 so the subnet spans 10.118.1.0-10.118.1.15, whilst in Stebbins, there's address=10.116.12.6/22 , so the range is 10.116.1...
by sindy
Tue Nov 12, 2024 7:23 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 25
Views: 834

Re: VRRP with single WAN and Single LAN Address

Sorry the existing router I took the export from is the Live router that is currently handling the traffic. ... Hope that clarifies things some more. Sorry if I am not explaining things very well. That's the point - you have experienced the issue on the test pair of CHRs but you have posted an expo...
by sindy
Tue Nov 12, 2024 6:46 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 25
Views: 834

Re: VRRP with single WAN and Single LAN Address

The datacenters are Cisco UCS/FI stacks being uplinked to our MPLS network through a pair of Cisco Nexus 9k and ASR 9ks for the MPLS ring. Ah, for me a "datacenter" normally means something provided by a 3rd party :D So I figure the two ASRs use BGP to advertise the public subnet where th...
by sindy
Mon Nov 11, 2024 9:11 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 25
Views: 834

Re: VRRP with single WAN and Single LAN Address

I have a problem to wrap my head around a scenario where you've got two georedundant datacenters between which a single IP address may freely migrate on an L2 segment (presumably a VxLAN) - in my understanding of networking, it would mean that there is a router in each of the datacenters that is abl...
by sindy
Mon Nov 11, 2024 6:42 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 25
Views: 834

Re: VRRP with single WAN and Single LAN Address

I do not understand what a "mirrored datacenter" means. VRRP uses specific MAC addresses so the physical machines running the CHRs have to be interconnected on L2 level so that a single public address could migrate between them using VRRP (there are L3 methods that do not require L2 interc...
by sindy
Sun Nov 10, 2024 10:03 pm
Forum: General
Topic: IPv6 WAN (LTE USB stick) troubles
Replies: 4
Views: 243

Re: IPv6 WAN (LTE USB stick) troubles

Hehe. Did you tell the DHCPv6 client to ask for both a prefix and an address and got neither?
by sindy
Sun Nov 10, 2024 6:54 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 43
Views: 1256

Re: Mikrotik as Wireguard client behind NAT, loosing connection

More than that - as far as the Wireguard stack on the client can tell, the local port it is bound to does not change at all :) Initial state - no tracked connection exists, the server is idle, the client is disabled. No connection exists in our connection tracking. The ISP doesn't see any connection...
by sindy
Sun Nov 10, 2024 5:21 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 496

Re: Periodic connectivity issues to external WinBox

if I understand things correctly, if L3 hashing policy is used by them, the problem depends on Winbox having single or multiple simultaneous connections Even if there are simultaneous connections, each of them is a separate TCP session, and within the same TCP session, even L3+L4 hashing always choos...
by sindy
Sun Nov 10, 2024 5:06 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 43
Views: 1256

Re: Mikrotik as Wireguard client behind NAT, loosing connection

are we sourcenatting the source port, the destination port and what are we changing the unknown port TO???? Since we cannot change the dst-port I am assuming that we changed the src port from 15678 to some random port between 40000 and 59999 Indeed, a src-nat rule changes the source address and/or...
by sindy
Sun Nov 10, 2024 1:52 pm
Forum: General
Topic: Any issues in this config? SIP phone problems :(
Replies: 1
Views: 884

Re: Any issues in this config? SIP phone problems :(

Have you resolved this?
by sindy
Sun Nov 10, 2024 12:35 pm
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 66
Views: 5755

Re: Datasheet for new improved hEX?

do any of ARM devices have IPsec acceleration working yet? It's not just a matter of the CPU architecture. There are ARM devices that do (hAP ac²) and that don't (CRS310-8G+2S+IN, wAP ax), and there are ARM64 devices that do (hAP ax²) and that don't (CRS304-4XG-IN). So as you said the particular So...
by sindy
Sun Nov 10, 2024 11:17 am
Forum: General
Topic: Datasheet for new improved hEX?
Replies: 66
Views: 5755

Re: Datasheet for new improved hEX?

Then why are ipsec features listed as being tied to mt7621 on MT Help pages related to IPSEC ? Because back in the days MT7621 was referring to a single SoC with a single particular switch block and a single particular CPU. Now, for lack or anything more distinctive, it is used also to refer to the...
by sindy
Sun Nov 10, 2024 10:52 am
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 496

Re: Periodic connectivity issues to external WinBox

Wow. 25 0.593357 IPs Removed TCP 396 8291 → 55024 [PSH, ACK] Seq=86 Ack=196 Win=64256 Len=342 26 0.593360 IPs Removed TCP 396 [TCP Retransmission] 8291 → 55024 [PSH, ACK] Seq=86 Ack=196 Win=64256 Len=342 27 0.839975 IPs Removed TCP 396 [TCP Retransmission] 8291 → 55024 [PSH, ACK] Seq=86 Ack=196 Win=...
by sindy
Sun Nov 10, 2024 10:29 am
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 43
Views: 1256

Re: Mikrotik as Wireguard client behind NAT, loosing connection

So Sindy are you saying that its not a problem with either Router but something at the ISP end. Indeed (save a 0.5 % margin that the client somehow starts calculating one of the checksums wrong after the time, causing the packet to get dropped due to that, but then why hasn't anyone else fallen to ...
by sindy
Sun Nov 10, 2024 9:55 am
Forum: General
Topic: IPv6 WAN (LTE USB stick) troubles
Replies: 4
Views: 243

Re: IPv6 WAN (LTE USB stick) troubles

My idea is that IPv6 can be made to work on the Mikrotik with that modem and SIM but that won't give you access to the whole internet as not all web sites support IPv6, so you might need to set up a tunnel to some device that has both IPv6 and IPv4 connectivity. Does it still make sense to you to de...
by sindy
Sun Nov 10, 2024 9:46 am
Forum: General
Topic: RB5009 - IPSEC Help
Replies: 2
Views: 209

Re: RB5009 - IPSEC Help

It is hard to guess which settings are missing if we don't know which are already present, but the way you describe it, a rule chain=input protocol=ipsec-esp src-address=public.ip.of.zyxel action=accept seems to be missing in /ip firewall filter on the 5009. But since the mutual order of the rules i...
by sindy
Sat Nov 09, 2024 11:13 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 496

Re: Periodic connectivity issues to external WinBox

I'm not using any mangling on CHR side tho
I forgot again that you cannot set MSS in prerouting or input, so yes, might make sense to set it in output on the CHR as well. The most likely bottleneck is the ISP end of the PPPoE tunnel so it should not be necessary to do that, but who knows.
by sindy
Sat Nov 09, 2024 10:40 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 496

Re: Periodic connectivity issues to external WinBox

I am pretty sure that if you sniff at both ends filtering on ip-protocol=tcp ip-address=ip.of.the.other.device, you'll see the CHR to try sending several times a large packet that will not reach the physical Tik.
by sindy
Sat Nov 09, 2024 10:35 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 43
Views: 1256

Re: Mikrotik as Wireguard client behind NAT, loosing connection

This sniffing part already exceeds my capabilities. You've already managed to sniff on the client and server Mikrotiks themselves, so you can sniff on yet another Mikrotik configured as bridge with hardware switching disabled as well. You can store the results of sniffing to a file on the router (a...
by sindy
Sat Nov 09, 2024 10:03 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 496

Re: Periodic connectivity issues to external WinBox

Well, IPv6 may be routed totally differently than IPv4 so you can't base conclusions regarding IPv4 on IPv6 behavior (and vice versa). As you already have the MSS clamping rules in place, try adjusting them to force something really defensive, like 1380 bytes, in both directions and see whether that...
by sindy
Sat Nov 09, 2024 9:25 pm
Forum: General
Topic: Periodic connectivity issues to external WinBox
Replies: 15
Views: 496

Re: Periodic connectivity issues to external WinBox

In cases like this the first thing to check are MTU issues - as the CHR shows a successful login, the communication must have been bi-directional at least for a while. Only one of the multiple possible paths between your home router and the CHR may be affected, which would explain why it only happen...
by sindy
Sat Nov 09, 2024 9:11 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 43
Views: 1256

Re: Mikrotik as Wireguard client behind NAT, loosing connection

The same behavior on different telecom operators. ... Also client behind double NAT. Completely different devices, different operators and the same behaviour. Since you can see the client to send the packets to the server but cannot see them to arrive (the source port may get changed by the NAT at c...
by sindy
Sat Nov 09, 2024 8:47 pm
Forum: General
Topic: qinq
Replies: 5
Views: 283

Re: qinq

Sorry, I did not understand from your OP that the link between the two 4011 was an active one, i.e. that the two 4011s are not connected just by dark fiber but there is some other equipment between them. If so, it depends on your contract with the service provider what type of traffic you can send t...
by sindy
Sat Nov 09, 2024 6:43 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 43
Views: 1256

Re: Mikrotik as Wireguard client behind NAT, loosing connection

I tried with sniffer and i see, that client is sending packets to correct ip address but server never responds or receives anything. If i try with sniffer on server, nothing shows up. [daniel@MikroTik] > /tool sniffer quick port=13231 Columns: INTERFACE, TIME, NUM, DIR, SRC-MAC, DST-MAC, SRC-ADDRESS...
by sindy
Sat Nov 09, 2024 6:08 pm
Forum: General
Topic: qinq
Replies: 5
Views: 283

Re: qinq

Are there multiple VLANs on the bridges currently interconnected using EoIP? If yes, it indeed does make sense to use an additional VLAN tag instead of EoIP, as that requires less overhead than EoIP both byte-wise and CPU-wise. If the "access" ports of the routers that are interconnected u...
by sindy
Sat Nov 09, 2024 3:13 pm
Forum: General
Topic: Why DNS servers are knocking port 5678 of pppoe-out1 interface?
Replies: 8
Views: 1069

Re: Why DNS servers are knocking port 5678 of pppoe-out1 interface?

From what you observe, I would assume that the detect internet sends the DNS requests it uses for the detection directly from the PPPoE interface, bypassing the firewall rules, whereas it lets the responses of the DNS servers reach the firewall; since the connection tracking has not seen the queries...
by sindy
Sat Nov 09, 2024 2:45 pm
Forum: General
Topic: Mikrotik as Wireguard client behind NAT, loosing connection
Replies: 43
Views: 1256

Re: Mikrotik as Wireguard client behind NAT, loosing connection

Nothing seems plainly wrong in your config, but I have spotted complaints here on the forum regarding what happens (or rather does not happen) if the peer address changes - not sure whether they are still relevant for 7.16.1. So apart from a mere implementation bug (as in "something does not wo...
by sindy
Sat Nov 09, 2024 11:44 am
Forum: General
Topic: letsencrypt on port 1115 RouterOS v7
Replies: 3
Views: 229

Re: letsencrypt on port 1115 RouterOS v7

Let's use the approach of the character from "A guide to boating for Ofelia" and decompose the problem into sub-problems so tiny that they are no problems at all. For DuckDNS, you have to use a script to update the record once the address changes, whereas RouterOS itself takes care of that...
by sindy
Thu Nov 07, 2024 10:45 pm
Forum: General
Topic: Configured remote access via VPS does not work for some things [SOLVED]
Replies: 5
Views: 700

Re: Configured remote access via VPS does not work for some things [SOLVED]

As I have assumed, there is no policy routing on your Mikrotik, so what I've described before is the most likely reason why it doesn't work. If it is the case, you can fix that multiple ways: using a -j SNAT --to-source=12.10.0.2 rule at the right place on the Linux box. This way is the simplest one...
by sindy
Thu Nov 07, 2024 8:51 pm
Forum: General
Topic: Configured remote access via VPS does not work for some things [SOLVED]
Replies: 5
Views: 700

Re: Configured remote access via VPS does not work for some things [SOLVED]

but I feel that there is still something I don't know about Mikrotik... You're not alone - we also do not know enough about your Mikrotik as you forgot to post an anonymized export of its configuration. Also, if the iptables rules you have shown are the only ones, the initial packet from x.x.x.x:X ...
by sindy
Thu Nov 07, 2024 11:47 am
Forum: General
Topic: how to block youtube shorts?
Replies: 10
Views: 498

Re: how to block youtube shorts?

Still want the regular youtube but block the yourtube shorts. RouterOS can only classify traffic using IP addresses and ports. This is not sufficient to distinguish between normal videos and shorts - to tell them from one another, you have to analyse the traffic on application level. Since youtube ...
by sindy
Wed Nov 06, 2024 8:28 pm
Forum: General
Topic: 1 Packet over Multiple Routs?
Replies: 14
Views: 1183

Re: 1 Packet over Multiple Routs?

OK, so let's take it more seriously. The broadcast mode of bonding indeed works well as for multiplication of the packets, but it does nothing at all regarding "tossing the late ones". The reason is that while broadcasting, the sending end does not add any information to the packets that w...
by sindy
Wed Nov 06, 2024 11:33 am
Forum: General
Topic: GPS is not override on VPN tunnel (iphone and android)
Replies: 2
Views: 167

Re: GPS is not override on VPN tunnel (iphone and android)

There are applications for Android that allow to imitate any geolocation you wish, not only per GPS data but also the WiFi list. You have to enable developer mode and allow this imitation there. Google it up, I could find it earlier this year, and it indeed worked.
by sindy
Sun Nov 03, 2024 9:42 pm
Forum: General
Topic: TiVo => EoIP => TiVo ... fail
Replies: 15
Views: 1224

Re: TiVo => EoIP => TiVo ... fail

I'm not sure TTL be changed since bridged... Rest assured it is not, bridging does not touch the contents of the Ethernet frame being transported. But another point, what is the value of dont-fragment in the EoIP settings? Does Wireshark show any packets between the devices that have this IP header ...
by sindy
Sun Nov 03, 2024 1:04 am
Forum: General
Topic: IPv6 propagate address to clients behind router
Replies: 10
Views: 767

Re: IPv6 propagate address to clients behind router

Your export says /ipv6 address add from-pool=IPv6-pool interface=bridge This means that you have set address=:: , so the resulting address is a "subnet router anycast address", which I believe cannot be assigned as an individual unicast address of an interface. So try changing that to the ...
by sindy
Sat Nov 02, 2024 9:05 pm
Forum: General
Topic: IPv6 propagate address to clients behind router
Replies: 10
Views: 767

Re: IPv6 propagate address to clients behind router

Please post the complete export of your configuration (minus all the passwords and usernames, public addresses etc.). If you have indeed sniffed on the bridge, not on the ethernet interface, it looks really weird, as if you had some bridge filter rule there or an IPsec policy.
by sindy
Sat Nov 02, 2024 6:06 pm
Forum: General
Topic: IPv6 propagate address to clients behind router
Replies: 10
Views: 767

Re: IPv6 propagate address to clients behind router

The only rule I've added was add action=accept chain=input in-interface-list=LAN protocol=udp to accept UDP coming from LAN. Since the default behavior of the firewall filter in Mikrotik is accept, your rule will not change the overall behavior of the filter, as the "drop everything else"...
by sindy
Sat Nov 02, 2024 3:22 pm
Forum: General
Topic: IPv6 propagate address to clients behind router
Replies: 10
Views: 767

Re: IPv6 propagate address to clients behind router

What should I do make my MT propagate IPv6 addresses to clients? Strictly speaking nothing as MT does not propagate them. It just reveals its own address upon request, which is enough for the host to create its own address, combining the prefix provided by the router and locally provided suffix - s...
by sindy
Sat Nov 02, 2024 12:16 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

As said I have zero experience with Unifi's internals, but in general purpose Linux distributions, things are done as simple as possible - the TLS stack is too lazy to look for the intermediate certificates here and there, and wants you to merge the own certificate and all the intermediate ones (mor...
by sindy
Sat Nov 02, 2024 11:41 am
Forum: General
Topic: Static route to dynamic IP?
Replies: 13
Views: 607

Re: Static route to dynamic IP?

It's not so much of a performance issue as a memory issue as the router has to store thousands of 12-byte values indexed by 4-byte ones, probably in some b-tree to facilitate a fast search-through. As for a static ARP record, I've thought about it too and I did test it in some weird scenarios, but t...
by sindy
Sat Nov 02, 2024 1:12 am
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

I try it on my Mikrotik router using your script:
The thing is that the choice between R10 and R11 is random, so the fact that your certificate is signed using R10 doesn't mean that @josephny's one will be too; actually, it even doesn't mean that your next one will be signed using R10.
by sindy
Sat Nov 02, 2024 12:30 am
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

@Lokamaya, how do you know it is r10 in particular and not r11? I can't see that in the error message.
by sindy
Fri Nov 01, 2024 11:13 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

We call it "best practices," as in 'we're doing our best and practicing until we get it right'. Nice, I'll use that if you don't mind :) One little detail, GlenR has earned the status, respect, and reputation on the UI forums similar to what you, Amm0, anav, jaclaz, holvoetn, and a handfu...
by sindy
Fri Nov 01, 2024 10:57 pm
Forum: General
Topic: Split traffic then merge [SOLVED]
Replies: 121
Views: 24235

Re: Split traffic then merge [SOLVED]

I'm no cryptoanalyst, so I must trust those who are and say it is secure. But somehow all cryptographic algorithms used to be perceived as safe until someone broke them; that's why all other security-related protocols (SSH, TLS, OpenVPN, IPsec) include a possibility to relatively easily plug in new ...
by sindy
Fri Nov 01, 2024 9:35 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

And the message is due the certificates YOUR computer is lacking the "root" certificate authority for your connection. Couldn't it be caused simply by the fact that the UDM did not send the certificate of the intermediate CA, probably because the magic script does not add it to the .crt f...
by sindy
Fri Nov 01, 2024 9:32 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

OK, I finally got it. From your description I have understood that you had trouble accessing Mikrotik from the UDM. The script is huge, but what makes it even more special is that it downloads other scripts from the author's web. No wonder the bad guys are so successful - you've literally just downl...
by sindy
Fri Nov 01, 2024 5:39 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

Do I need to allow 443 to the router to have a working cert? No, currently only port 80 is used to renew the certificate. Other than that - not just on Mikrotik, the very same code processes the contents of the HTTP requests that come to port 80 and of those that come to port 443. The security of H...
by sindy
Fri Nov 01, 2024 3:57 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

Looks like only 1 certificate: That's what I have suspected, which means that only the certificate requested using the last /certificate enable-ssl-certificate command will be updated automatically, and that the web server will present only that certificate (and its corresponding chain of trust) to...
by sindy
Fri Nov 01, 2024 12:07 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

Is this correct now? Looks fine to me. I have never tried to request two certificates for the same machine, what does /ip/service/print detail where name=www-ssl show? I previously watched a video and there was no mention of needing an intermediate CA cert. It depends on a lot of factors. The backg...
by sindy
Fri Nov 01, 2024 8:53 am
Forum: General
Topic: Static route to dynamic IP?
Replies: 13
Views: 607

Re: Static route to dynamic IP?

the proxy arp trick is not seeming like it wants to work. I've set it on ether2 and then changed my route to point to "ether2" but I then get host unreachable from my WAN IP (currently 41.145.2.219) You would have to activate proxy-arp on the LTE router connected to ether2, not on ether2 ...
by sindy
Fri Nov 01, 2024 8:48 am
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

I don't know what the "R10 and R11 intermediate CA certificates" are or how to install them. I assume that is not done with the /certificate enable-ssl-certificate dns-name=XXXXXXXXX.dyndns.org command? Indeed this command only applies for and installs the own certificate. The intermediat...
by sindy
Fri Nov 01, 2024 12:09 am
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

Or does the code above provide the necessary security? The mangle rule in the code above adds the WAN address of the MT for a minute to an address list named acme-client whenever said MT router sends a packet to an IP address to which acme-v02.api.letsencrypt.org resolves. This happens when said ro...
by sindy
Thu Oct 31, 2024 11:00 pm
Forum: General
Topic: Lets Encrypt
Replies: 40
Views: 1450

Re: Lets Encrypt

While not perfect, this might work if the MT device were connected to the Internet. There is a setup that "will work until it stops", which is based on the fact that the certificate renewal requests are currently sent to acme-v02.api.letsencrypt.org ; as RouterOS sends them automatically,...
by sindy
Thu Oct 31, 2024 10:45 pm
Forum: General
Topic: Significantly higher latency between GRE tunnels
Replies: 6
Views: 317

Re: Significantly higher latency between GRE tunnels

It cannot be excluded that GRE takes another path between the public addresses than ICMP, ISPs sometimes have funny ideas on their own, and if some government requirements get added to the mix, weird things may happen. Out of curiosity, is the behavior about the same if you use IPIP instead of GRE? ...
by sindy
Thu Oct 31, 2024 9:21 pm
Forum: General
Topic: Significantly higher latency between GRE tunnels
Replies: 6
Views: 317

Re: Significantly higher latency between GRE tunnels

Honestly I don't understand the output. Both time and numbers columns increase by 1 integer on each polling: I have picked only the interesting groups of packets and removed the MAC address columns for easier reading. INTERFACE TIME NUM DIR SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU GRE_TO_BRANCH 33...
by sindy
Thu Oct 31, 2024 6:46 pm
Forum: General
Topic: Static route to dynamic IP?
Replies: 13
Views: 607

Re: Static route to dynamic IP?

Why would it do that? The thing is that if you make an L2 port a gateway of a route, the router sends an ARP request down that port, asking for the MAC address of the actual destination IP address. Some routers (like Cisco by default) respond to such an ARP request with their own MAC address if the...
by sindy
Thu Oct 31, 2024 4:55 pm
Forum: General
Topic: Significantly higher latency between GRE tunnels
Replies: 6
Views: 317

Re: Significantly higher latency between GRE tunnels

What does /tool sniffer quick ip-protocol=icmp,gre ip-address=public.ip.of.remote,gre.ip.of.remote show on both routers while pinging with default size (hence small) packets?
by sindy
Thu Oct 31, 2024 3:31 pm
Forum: General
Topic: Static route to dynamic IP?
Replies: 13
Views: 607

Re: Static route to dynamic IP?

From what I read I am confused - in Mikrotik configuration, an interface name is perfectly fine as a gateway of a route, except that it depends on additional factors whether such a route actually works or not, but that's apparently not the issue you deal with as you say " it does not like it&qu...
by sindy
Thu Oct 31, 2024 11:18 am
Forum: General
Topic: Cannot ping default gateway on one of WAN interfaces [SOLVED]
Replies: 10
Views: 457

Re: Cannot ping default gateway on one of WAN interfaces [SOLVED]

Why have you configured the MAC address for ether2 manually? Does it not clash with another MAC address in the system? What is its first byte?

When you make ether2 a member port of the bridge, the MAC address of the bridge is used for IP traffic that goes via ether2.
by sindy
Thu Oct 31, 2024 10:42 am
Forum: General
Topic: Cannot ping default gateway on one of WAN interfaces [SOLVED]
Replies: 10
Views: 457

Re: Cannot ping default gateway on one of WAN interfaces [SOLVED]

The fact that you cannot ping the default gateway 192.168.11.1 may be caused by some funny setting of the TP-link, so first of all, what does /ip arp print where address=192.168.11.1 show? If nothing, run :ping 192.168.11.1 arp-ping=yes interface=ether2 and if you get responses, run the previous com...
by sindy
Thu Oct 31, 2024 10:00 am
Forum: General
Topic: TiVo => EoIP => TiVo ... fail
Replies: 15
Views: 1224

Re: TiVo => EoIP => TiVo ... fail

Q: Can I use Torch to see what is going on in my remote NE location? A: You can but I'd strongly advise against that. /tool sniffer is much more useful in terms that it both shows the actual direction of individual packets if used alone like Torch and it saves the captured packets in pcap format in...
by sindy
Thu Oct 31, 2024 8:51 am
Forum: General
Topic: DUAL WAN into one connection use
Replies: 10
Views: 456

Re: DUAL WAN into one connection use

I would not mind trying to get that to work, but cost-wise, and where would such a router be placed, per se? It should be placed in some VPS provider datacenter "netwographically" close to your ISP (as in "the one with shortest ping response time from your on-site router no matter t...
by sindy
Wed Oct 30, 2024 9:38 pm
Forum: General
Topic: DUAL WAN into one connection use
Replies: 10
Views: 456

Re: DUAL WAN into one connection use

I thought the Mikrotik router in the middle could do something like packet splitting between the two active links to and from the ISPS and then merge them all together when sent to my local network for consumption. First, a packet cannot be split in terms that its first half would use one link and ...
by sindy
Wed Oct 30, 2024 8:03 pm
Forum: General
Topic: Wi-fi endpoint is not accessible
Replies: 2
Views: 204

Re: Wi-fi endpoint is not accessible

i - catch non-running state in wifi1 interface Not sure what exactly you test. If no wireless client is connected, it is normal that an AP wireless interface is shown (and treated by routing) as not running, could it be as simple as that? when i change location (plug in/out to different ethernet ho...
by sindy
Wed Oct 30, 2024 5:05 pm
Forum: General
Topic: RouterOS 7 VLAN access problem on PPC architecture
Replies: 15
Views: 4064

Re: RouterOS 7 VLAN access problem on PPC architecture

Have supout bug reports been sent to MT, on these issues??
Look at viewtopic.php?p=980927#p980927
by sindy
Wed Oct 30, 2024 5:02 pm
Forum: Beginner Basics
Topic: Issues with hEX RB750Gr3 - VPN and Reconnect
Replies: 9
Views: 703

Re: Issues with hEX RB750Gr3 - VPN and Reconnect

I would suggest to avoid doing too many changes at a time. So my course of action would be to reset the router to defaults change the LAN addresses to match the existing ones set up the single port forwarding rule you need to make OpenVPN work again try connecting to the L2TP server in the company (...
by sindy
Wed Oct 30, 2024 4:33 pm
Forum: General
Topic: DUAL WAN into one connection use
Replies: 10
Views: 456

Re: DUAL WAN into one connection use

This is theoretically possible, but with a lot of "ifs" and "provided thats". The key is that any remote server in the internet will send its response to any incoming request to the address from which the request has arrived. So if two physical paths are available, the sending si...
by sindy
Tue Oct 29, 2024 10:11 pm
Forum: General
Topic: Load Balancing and High Availability Setup Without NAT via L2TP
Replies: 1
Views: 731

Re: Load Balancing and High Availability Setup Without NAT via L2TP

Is this still a thing almost two months later?
by sindy
Tue Oct 29, 2024 5:20 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 558

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

You can put a list of two peers to a policy. If you do that, you only need scripting if you want to make sure that the traffic returns to the primary peer once it recovers. But I agree that a separate topic is a better place to discuss that should it prove necessary.
by sindy
Tue Oct 29, 2024 4:08 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 558

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

Please do, although the way you describe it, you did it correctly. Other than that, do you intend to use the Axis tunnel to connect to the whole internet or "only" to a bunch of subnets on their end? And will initiators/clients on the remote end of the tunnel connect to responders/servers ...
by sindy
Tue Oct 29, 2024 3:48 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 558

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

That makes no sense to me :shock: A policy with action=none just prevents any subsequent policy from picking the packet, so connections that do not need IPsec should not be affected. Maybe I have misunderstood something in your requirements? Or maybe you had dst-address and src-address right but the...
by sindy
Tue Oct 29, 2024 3:07 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 558

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

Sorry, I have missed that the dst-address and src-address of the added action=none policy for the public IP were swapped. 0.0.0.0/0 must be dst-address and xxx.xxx.xxx.147/32 must be src-address.
by sindy
Tue Oct 29, 2024 2:21 pm
Forum: Beginner Basics
Topic: Issues with hEX RB750Gr3 - VPN and Reconnect
Replies: 9
Views: 703

Re: Issues with hEX RB750Gr3 - VPN and Reconnect

The existing firewall rules only deal with the traffic the router forwards between WAN and LAN, but they allow anyone to connect to the router itself. It has to be fixed ASAP, but it has nothing to do with the L2TP/IPsec issue. However, I don't understand the purpose of the following rule in NAT: ac...
by sindy
Mon Oct 28, 2024 7:03 pm
Forum: Beginner Basics
Topic: Issues with hEX RB750Gr3 - VPN and Reconnect
Replies: 9
Views: 703

Re: Issues with hEX RB750Gr3 - VPN and Reconnect

My setup is almost identical to the video, but if more specific information is needed, Indeed, only the actual configuration is helpful - mistakes happen, differences considered negligible may actually have an impact etc. is there a guide on how to export a configuration file from my router while k...
by sindy
Mon Oct 28, 2024 6:31 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 558

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

That's strange. Please post the complete config export, obfuscating the public addresses by replacing their first three bytes using find&replace to prevent losing the consistency of the information. Don't forget to obfuscate also serial numbers, MAC addresses, and usernames for external services...
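The obfuscation procedure described above (replace the first three bytes of every public address with the same placeholder so relationships between rules survive, and redact serial numbers, MAC addresses and service usernames) is easy to get wrong by hand. The script below is an added example written for this page, not sindy's code and not a MikroTik tool: it applies the same substitutions consistently across a RouterOS export. The sample export it processes is constructed for the example; the placeholder scheme (xxx.xxx.xxx, yyy.yyy.yyy, ...), the choice to keep the vendor part of MAC addresses, and the list of key names treated as credentials are assumptions of this example.

```python
import ipaddress
import re

# Address ranges that are not public and are therefore left untouched (assumption of this example).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Dotted quad: first three octets are captured separately so only they get replaced.
IPV4_RE = re.compile(r"(?<![\w.])(\d{1,3}\.\d{1,3}\.\d{1,3})\.(\d{1,3})(?![\w.])")
# MAC address: the vendor part (first three octets) is kept, the rest is replaced.
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){2})(?::[0-9A-Fa-f]{2}){3}\b")
# Credential-like key=value pairs; value may be quoted.
CRED_RE = re.compile(r'\b(user|password|secret)=("[^"]*"|\S+)')
# Header comments of a RouterOS export that identify the device.
SERIAL_RE = re.compile(r"^(# (?:serial number|software id) = ).*$", re.MULTILINE)

PREFIX_LABELS = ["xxx.xxx.xxx", "yyy.yyy.yyy", "zzz.zzz.zzz", "www.www.www"]


class ExportSanitizer:
    """Rewrites an export so that every distinct public /24, MAC and username maps to
    one stable placeholder, which keeps the relationships between rules intact."""

    def __init__(self):
        self.prefix_map = {}   # "203.0.113" -> "xxx.xxx.xxx"
        self.mac_map = {}      # original MAC -> placeholder MAC
        self.user_map = {}     # original username -> "userN"

    def _label_for_prefix(self, prefix):
        if prefix not in self.prefix_map:
            n = len(self.prefix_map)
            self.prefix_map[prefix] = (PREFIX_LABELS[n] if n < len(PREFIX_LABELS)
                                       else f"pub{n}.pub{n}.pub{n}")
        return self.prefix_map[prefix]

    def _ip(self, m):
        prefix, last = m.group(1), m.group(2)
        try:
            addr = ipaddress.ip_address(f"{prefix}.{last}")
        except ValueError:
            return m.group(0)          # not a valid address (e.g. 300.1.2.3), leave it
        if any(addr in net for net in NON_PUBLIC):
            return m.group(0)          # private, loopback, multicast etc. stay readable
        return f"{self._label_for_prefix(prefix)}.{last}"

    def _mac(self, m):
        mac = m.group(0).upper()
        if mac not in self.mac_map:
            self.mac_map[mac] = f"{m.group(1).upper()}:00:00:{len(self.mac_map) + 1:02X}"
        return self.mac_map[mac]

    def _cred(self, m):
        key, value = m.group(1), m.group(2)
        if key == "user":
            if value not in self.user_map:
                self.user_map[value] = f"user{len(self.user_map) + 1}"
            return f"user={self.user_map[value]}"
        return f"{key}=REDACTED"       # passwords and pre-shared keys are never kept

    def sanitize(self, text):
        text = SERIAL_RE.sub(r"\1REDACTED", text)
        text = IPV4_RE.sub(self._ip, text)
        text = MAC_RE.sub(self._mac, text)
        text = CRED_RE.sub(self._cred, text)
        return text


# Constructed sample export for the example; addresses are documentation ranges.
SAMPLE_EXPORT = """\
# 2024-10-28 16:31:00 by RouterOS 7.16.1
# software id = ABCD-1234
# model = RB750Gr3
# serial number = A1B2C3D4E5F6
/interface ethernet
set [ find default-name=ether2 ] mac-address=48:8F:5A:11:22:33 name=ether2
/interface pppoe-client
add interface=ether1 name=pppoe-out1 user=cust12345@isp.example password=hunter2 disabled=no
/ip address
add address=203.0.113.5/29 interface=ether2
add address=192.168.88.1/24 interface=bridge
/ip firewall nat
add chain=dstnat dst-address=203.0.113.5 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10
add chain=srcnat out-interface=ether2 action=src-nat to-addresses=203.0.113.6
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1
/ip ipsec identity
add peer=hq secret=topsecret
"""

if __name__ == "__main__":
    print(ExportSanitizer().sanitize(SAMPLE_EXPORT))
```

Run it over the output of `/export` before pasting; the .147/32 style of address that survives in the NAT and address sections still lines up with the same xxx.xxx.xxx prefix in the route section, which is the consistency the post asks for.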
by sindy
Mon Oct 28, 2024 4:52 pm
Forum: General
Topic: 2 x Mikrotik CRS326-24G-2S+RM, one as router, other as a switch
Replies: 8
Views: 403

Re: 2 x Mikrotik CRS326-24G-2S+RM, one as router, other as a switch

Do they support the IEEE 1905.1 protocol? They don't, but that should not matter for your use case, as the topology the switches will form up will not provide multiple paths to choose from (or, if you use two DAC cables, it will provide just a plain ring where the length of both paths from a port o...
by sindy
Mon Oct 28, 2024 4:07 pm
Forum: General
Topic: IKE2 IPSec VPN: Windows11 shows disconnected?
Replies: 4
Views: 275

Re: IKE2 IPSec VPN: Windows11 shows disconnected?

Defining some local IP ranges in split-include results my Android client not reaching anything else than those IP ranges. Is this intended/known? Shall I create different mode-configs, profiles, etc for Android and Windows in case this type of split-tunnel is needed? Unfortunately, each IPsec imple...
by sindy
Mon Oct 28, 2024 1:47 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 558

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

they don't support split tunneling, so it's everything or nothing There is still some manoeuvring space between split tunneling and 0.0.0.0/0<->0.0.0.0/0, but not knowing what you actually need to tunnel them it is hard to guess whether you can actually use that space. In any case, policy based tra...
by sindy
Mon Oct 28, 2024 1:27 pm
Forum: General
Topic: prerouting & forwarding rule
Replies: 2
Views: 224

Re: prerouting & forwarding rule

On Mikrotik, the PREROUTING and POSTROUTING chains in table nat have been renamed to dstnat and srcnat, respectively. So using the Mikrotik syntax, your iptables commands look as follows: /ip firewall nat add chain=dstnat in-interface=lan protocol=tcp dst-port=8001 action=dst-nat to-addresses=1.2.3...
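The chain and target renaming described above is mechanical enough to script. The translator below is an added example written for this page, not sindy's code and not a MikroTik tool; it covers the common nat-table forms (PREROUTING/POSTROUTING, -i/-o, -s/-d, -p with --dport/--sport, DNAT, SNAT and MASQUERADE) and refuses anything else rather than guessing. The option set it accepts and the order in which it emits RouterOS parameters are assumptions of this example.

```python
import shlex

# iptables nat chains and targets and their RouterOS counterparts.
CHAIN_MAP = {"PREROUTING": "dstnat", "POSTROUTING": "srcnat"}
TARGET_MAP = {"DNAT": "dst-nat", "SNAT": "src-nat", "MASQUERADE": "masquerade"}

# Options that take exactly one argument; anything else is rejected.
VALUE_OPTS = {"-t", "-A", "-i", "-o", "-p", "-s", "-d", "--dport", "--sport",
              "-j", "--to-destination", "--to-source"}


def iptables_nat_to_routeros(cmd):
    """Translate one iptables nat-table rule into a /ip firewall nat add command."""
    argv = shlex.split(cmd)
    if argv and argv[0] == "iptables":
        argv = argv[1:]
    opts = {}
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in VALUE_OPTS and i + 1 < len(argv):
            opts[tok] = argv[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported or incomplete option: {tok}")
    if opts.get("-t") != "nat":
        raise ValueError("only the nat table is translated")
    if opts.get("-A") not in CHAIN_MAP:
        raise ValueError(f"unsupported chain: {opts.get('-A')}")
    target = opts.get("-j")
    if target not in TARGET_MAP:
        raise ValueError(f"unsupported target: {target}")

    parts = [f"chain={CHAIN_MAP[opts['-A']]}"]
    if "-i" in opts:
        parts.append(f"in-interface={opts['-i']}")
    if "-o" in opts:
        parts.append(f"out-interface={opts['-o']}")
    if "-s" in opts:
        parts.append(f"src-address={opts['-s']}")
    if "-d" in opts:
        parts.append(f"dst-address={opts['-d']}")
    if "-p" in opts:
        parts.append(f"protocol={opts['-p']}")
    # iptables writes port ranges as a:b, RouterOS as a-b.
    if "--dport" in opts:
        parts.append(f"dst-port={opts['--dport'].replace(':', '-')}")
    if "--sport" in opts:
        parts.append(f"src-port={opts['--sport'].replace(':', '-')}")
    parts.append(f"action={TARGET_MAP[target]}")

    if target in ("DNAT", "SNAT"):
        key = "--to-destination" if target == "DNAT" else "--to-source"
        if key not in opts:
            raise ValueError(f"{target} requires {key}")
        addr, _, port = opts[key].partition(":")
        parts.append(f"to-addresses={addr}")
        if port:
            parts.append(f"to-ports={port}")
    return "/ip firewall nat add " + " ".join(parts)


if __name__ == "__main__":
    for rule in (
        "iptables -t nat -A PREROUTING -i lan -p tcp --dport 8001 -j DNAT --to-destination 1.2.3.4:80",
        "iptables -t nat -A POSTROUTING -o wan -j MASQUERADE",
    ):
        print(iptables_nat_to_routeros(rule))
```

As in iptables, a port match only makes sense together with protocol=, and the RouterOS rule is evaluated in the dstnat chain before routing just like PREROUTING, so in-interface is the right selector there.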
by sindy
Mon Oct 28, 2024 1:06 pm
Forum: General
Topic: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled
Replies: 15
Views: 558

Re: IPSec/IKEv2/ESP - DSTNAT not accepting traffic when IPSec enabled

1. I've tried using Mode Configs to specify certain devices to route through this IPSec Tunnel, however when I add a Mode Config to the Identity the Profile never completes Phase2 The purpose of Mode Config is similar to DHCP - the initiator may ask the responder to assign it an IP address and a li...
by sindy
Mon Oct 28, 2024 12:09 pm
Forum: General
Topic: IPv6 issues with Telegram [SOLVED]
Replies: 12
Views: 545

Re: IPv6 issues with Telegram [SOLVED]

I am however not willing to dig deeper into this honestly. That's alright, it's a legitimate approach of a seasoned support technician who doesn't have enough time to care about the artistic impact of the fix, knowing that it has no substantial side effect. In your particular case, the only thing t...
by sindy
Mon Oct 28, 2024 11:44 am
Forum: General
Topic: IKE2 IPSec VPN: Windows11 shows disconnected?
Replies: 4
Views: 275

Re: IKE2 IPSec VPN: Windows11 shows disconnected?

There are two directions to dig in. First, the operating systems check reachability of internet by sending requests that can only be responded to if internet is reachable, such as DNS requests to servers running on public addresses, but I've never managed to find any details. So the question is whether...
by sindy
Sun Oct 27, 2024 11:54 pm
Forum: General
Topic: IPv6 issues with Telegram [SOLVED]
Replies: 12
Views: 545

Re: IPv6 issues with Telegram [SOLVED]

Setting this manually on the Linux box to 1492 makes the curl succeed every time. As @eworm has stated, this should not be necessary if everything worked the way it should. There is that thing called Path MTU Discovery (PMTUD) that allows the sender of a packet to get notified that at some place on...
by sindy
Sun Oct 27, 2024 7:19 pm
Forum: General
Topic: Port Forwarding FROM CHR [SOLVED]
Replies: 9
Views: 522

Re: Port Forwarding FROM CHR [SOLVED]

I apologize if I expressed myself badly, but what Sindy indicated made the difference. With so many occurrences of "the X/Y problem" phenomenon, @anav prefers to have a complete description of the functional requirements from the user perspective and then offer the simplest solution from ...
by sindy
Sun Oct 27, 2024 6:59 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 57
Views: 16835

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

First, it makes the posts better readable if you post the configurations between [ code] and [ /code] tags (one way to get them is to press the </> button in the editing toolbar). Next, what you posted is not a complete export of the actual configuration but rather a recording of the configuration s...
by sindy
Sun Oct 27, 2024 5:09 pm
Forum: General
Topic: Port Forwarding FROM CHR [SOLVED]
Replies: 9
Views: 522

Re: Port Forwarding FROM CHR [SOLVED]

The idea is fine, what kills it is that the action=mark-routing rule does not care about packet direction. So the first packet that comes in via the WG tunnel from the client gets routed to the 192.168.170.2 via LAN and after routing it causes the connection to get marked with wg-conn. the response ...
by sindy
Sun Oct 27, 2024 4:57 pm
Forum: General
Topic: NAT ipsec port forwarding
Replies: 1
Views: 287

Re: NAT ipsec port forwarding

i think we should use prerouting chain for reverse traffic from 100.65.1.5, because we need that this flow transmit to ipsec-tunnel. or we should use srcnat rule for reverse....i dont understand((( If an initial packet of a connection hits a dst-nat rule, not only that particular packet gets dst-na...
by sindy
Sun Oct 27, 2024 4:19 pm
Forum: General
Topic: IKEV2 IPSEC breach attempts
Replies: 3
Views: 712

Re: IKEV2 IPSEC breach attempts

It seems that it is an attack that exploits some vulnerability in some particular IPsec stack (DH group 0 looks strange and only unknown encodings in the proposal seem strange too). This log is insufficient to determine whether the device got compromised or not, but if all the attacker gets in respo...
by sindy
Sun Oct 27, 2024 4:05 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 57
Views: 16835

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

OK, so the certificate contents is correct but the fact that the public IP is dynamic makes the configuration more complicated. As for the registry change - as said I have never tried that with IKEv2, so I'm not sure whether the embedded Windows VPN client indeed has an issue with a NATed responder ...
by sindy
Sun Oct 27, 2024 3:47 pm
Forum: General
Topic: IPv6 issues with Telegram [SOLVED]
Replies: 12
Views: 545

Re: IPv6 issues with Telegram [SOLVED]

You can sniff on the VLAN interface and on the PPPoE interface simultaneously as lists can be used in the filter (as in interface=vlanX,pppoe-out1); if there is NAT, the "local side" addresses will differ so Wireshark will show two separate TCP sessions. If you configure the sniffer itself...
by sindy
Sun Oct 27, 2024 3:37 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 57
Views: 16835

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

UDP port 50 and IP protocol 50 are not the same thing, and too many people who don't have a clue post authoritative statements on the internet. IP protocol 50 indeed is ESP, and ESP indeed gets encapsulated into UDP if there is NAT between the peers, but not using port 50. ESP itself has no notion o...
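To make the distinction above concrete, here is an added example written for this page (not sindy's code): a small classifier that tells native ESP (IP protocol 50), IKE on UDP 500 and NAT-T traffic on UDP 4500 apart, and shows that a datagram to UDP port 50 is nothing but UDP. It follows RFC 3948, where a UDP-encapsulated ESP packet carries the ESP header (SPI, sequence number) right after the UDP header, IKE on port 4500 is prefixed with a four-byte zero "non-ESP marker" (an SPI of zero is reserved, so the two cannot be confused), and a one-byte 0xFF datagram is a NAT keepalive. The packets, addresses and SPIs are constructed inline for the example.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE carried on port 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 2.3: one-byte keepalive datagram


def build_ipv4(proto, payload, src=b"\xc0\x00\x02\x01", dst=b"\xc0\x00\x02\x02"):
    """Minimal IPv4 header (no options, checksum left zero; enough for parsing)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_esp(spi, seq, body=b"\x00" * 16):
    """ESP header: SPI and sequence number, followed by the (here dummy) encrypted body."""
    return struct.pack("!II", spi, seq) + body


def classify(packet):
    """Return what kind of IPsec-related traffic an IPv4 packet carries, if any."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    if proto == IPPROTO_ESP:
        # Native ESP: the transport header *is* the ESP header, there are no ports at all.
        spi, seq = struct.unpack("!II", l4[:8])
        return {"kind": "esp", "encap": "ip-proto-50", "spi": spi, "seq": seq}
    if proto != IPPROTO_UDP:
        return {"kind": "other", "proto": proto}
    sport, dport, _, _ = struct.unpack("!HHHH", l4[:8])
    data = l4[8:]
    if IKE_PORT in (sport, dport):
        return {"kind": "ike", "encap": "udp-500"}
    if NAT_T_PORT in (sport, dport):
        if data == NAT_KEEPALIVE:
            return {"kind": "nat-keepalive", "encap": "udp-4500"}
        if len(data) < 8:
            return {"kind": "malformed", "encap": "udp-4500"}
        if data[:4] == NON_ESP_MARKER:
            return {"kind": "ike", "encap": "udp-4500"}
        spi, seq = struct.unpack("!II", data[:8])
        return {"kind": "esp", "encap": "udp-4500", "spi": spi, "seq": seq}
    # Any other UDP port, port 50 included, is just UDP and carries no ESP.
    return {"kind": "udp", "sport": sport, "dport": dport}


if __name__ == "__main__":
    samples = {
        "native ESP": build_ipv4(IPPROTO_ESP, build_esp(0xC0FFEE, 7)),
        "ESP in UDP 4500": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, build_esp(0xC0FFEE, 8))),
        "IKE in UDP 4500": build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + b"\x01" * 28)),
        "UDP port 50": build_ipv4(IPPROTO_UDP, build_udp(40000, 50, build_esp(1, 1))),
    }
    for name, pkt in samples.items():
        print(f"{name:16s} -> {classify(pkt)}")
```

The practical consequence for a firewall in front of an IPsec responder: accept protocol=ipsec-esp (IP protocol 50) plus protocol=udp dst-port=500,4500; a rule for udp dst-port=50 lets nothing useful through.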
by sindy
Sun Oct 27, 2024 3:21 pm
Forum: General
Topic: Multiple Vlan for ISP router
Replies: 5
Views: 364

Re: Multiple Vlan for ISP router

With vlan-filtering=yes , it is an overcomplication to use three bridges. There are two possible ways: the "standard" one is to use a single bridge with vlan-filtering=yes and just make both ether1 and ether2 tagged members of the telephony VLAN 20, ether1 a member (tagged or untagged depe...
by sindy
Sun Oct 27, 2024 2:53 pm
Forum: General
Topic: IPv6 issues with Telegram [SOLVED]
Replies: 12
Views: 545

Re: IPv6 issues with Telegram [SOLVED]

At this stage, a "know your tools" issue obfuscates the actual one, so you have to fix that first. When sniffing on the Mikrotik itself, you did not filter by interface name, so each packet is captured at three interfaces (my guess without studying your config is that these are the physica...
by sindy
Sun Oct 27, 2024 2:30 pm
Forum: General
Topic: Setting up IKEv2 VPN Server behind NAT [SOLVED]
Replies: 57
Views: 16835

Re: Setting up IKEv2 VPN Server behind NAT [SOLVED]

Your description suggests that Windows has the same default behavior when acting as an IKEv2 initiator as when acting as an L2TP/IPsec client, i.e. to terminate the connection if the responder/server is behind a NAT. There are two ways to address this - you can use regedit to change this behavior...
by sindy
Tue Oct 15, 2024 12:03 pm
Forum: General
Topic: Can wireguard tunnel listen on an VRRP address? (Want redundant VPN)
Replies: 3
Views: 828

Re: Can wireguard tunnel listen on an VRRP address? (Want redundant VPN)

The principle of VRRP operation is that the address is up only on the current master. The current master responds with the virtual MAC address to incoming ARP requests regarding the virtual IP address, and sends frames with that virtual MAC address as source. Therefore, a packet for a VRRP IP addres...
by sindy
Sat Oct 12, 2024 8:39 pm
Forum: General
Topic: Queue tree help needed, limit not applied on parent queue...
Replies: 5
Views: 458

Re: Queue tree help needed, limit not applied on parent queue...

Have you set both limit and max-limit for the root parent queue?
by sindy
Mon Oct 07, 2024 4:59 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1725

Re: Need a forward rule

Do I understand correctly then that the best way would be to create different subnets for 2ghz and 5ghz guest networks? I cannot see a reason for that. I am just saying that I don't think there is a way to make a particular wireless device keep its IP address when it moves from a 2.4 GHz network to...
by sindy
Mon Oct 07, 2024 3:46 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1725

Re: Need a forward rule

I think I understand the problem with the ax3's 2 routes to the same destination, but I don't know how to fix it. As I wrote above, on the hAP ax³, the best way would be to create a "br-guest" bridge as I wrote above: "Either use a different subnet for each of the two guest WiFi int...
by sindy
Mon Oct 07, 2024 1:59 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1725

Re: Need a forward rule

Is the fact that there are 2 routes with 0.0.0.0/0 destinations a problem? Two routes with the same destination may be both a desired setup or a wrong one - it depends on circumstances. E.g. if you had two WANs, two default routes could be a desired setup, as the ultimate destination would be the s...
by sindy
Sun Oct 06, 2024 10:03 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1725

Re: Need a forward rule

Your complete export has revealed that there is a DHCP client attached to ether1 of the 5009 that is allowed to add a default route. So which port of the 5009 is connected to FIOS, ether1 or some other one? What does /ip route print detail show on the 5009?
by sindy
Sat Oct 05, 2024 8:41 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1725

Re: Need a forward rule

I removed what I believe are the non-relevant sections. In general, doing so is actually a bad idea - more often than not, the issue is caused by something in those parts of the configuration that one deems irrelevant. Does anything look the routing or gateway is misconfigured? I don't understand h...
by sindy
Sat Oct 05, 2024 7:47 pm
Forum: General
Topic: Can firewall rules slow down bandwidth test?
Replies: 8
Views: 450

Re: Can firewall rules slow down bandwidth test?

Every single packet passes through the raw table, no matter whether it is an initial one of a connection or a mid-connection one. The issue here is that raw stands before connection tracking on the path, so the connection-state attribute is not yet known as the packet is being matched against the ru...
by sindy
Sat Oct 05, 2024 4:55 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1725

Re: Need a forward rule

that is such a fantastic explanation and analysis! [...] It sure seems like it is your #2 explanation: timed out connection resulting in connection-state=new Unfortunately, your conclusion suggests that the explanation wasn't as fantastic as I would like it to be :) Let me reiterate - since the sou...
by sindy
Sat Oct 05, 2024 2:36 pm
Forum: General
Topic: Can firewall rules slow down bandwidth test?
Replies: 8
Views: 450

Re: Can firewall rules slow down bandwidth test?

Sir, you complain about getting generic info but you actually did the same - there is no point in referring to an example, even a specific one. You may have had to modify it to adjust it to your environment, you may have made a mistake when copying it, there may be a traffic in your environment that...
by sindy
Sat Oct 05, 2024 2:08 pm
Forum: General
Topic: bridge setting ip filter problem
Replies: 3
Views: 247

Re: bridge setting ip filter problem

The use-ip-firewall setting under interface/bridge/settings is used to force also packets that are bridged (forwarded at L2 level) from one port of a bridge to another port of the same bridge (like your NVR and your camera) through the IP firewall. The original purpose of this setting is to allow Qo...
by sindy
Sat Oct 05, 2024 12:33 pm
Forum: General
Topic: Need a forward rule
Replies: 25
Views: 1725

Re: Need a forward rule

To be precise, it actually is a problem, but for sure adding a permissive rule would not be a solution to it. As in IPv4, the majority of user endpoints have private addresses, there are not many useful scenarios where endpoints in the internet would initiate connections to them, as they could only ...
by sindy
Fri Oct 04, 2024 8:53 pm
Forum: General
Topic: IPSEC VPN slow behind Mikrotik Router
Replies: 1
Views: 190

Re: IPSEC VPN slow behind Mikrotik Router

The first thing to come to my mind is increased packet rate due to fragmentation of the IPsec transport packets, so whilst the bit rate increases only up to, say, 10 % as compared to the amount of the payload traffic of the IPsec connection, the packet rate almost doubles; if, on top of that, some o...
by sindy
Fri Oct 04, 2024 8:29 pm
Forum: General
Topic: multiple devices whit one wireguard client
Replies: 6
Views: 489

Re: multiple devices whit one wireguard client

The only practical use case I can imagine from your description is to share an account on some paid "VPN" service among multiple people to save money. Leaving aside whether it is in accord with the terms of use, such an approach requires coordination of the use (as in, only one person can ...
by sindy
Fri Oct 04, 2024 7:27 pm
Forum: General
Topic: LTE Modem Firmware Upgrade - Has anyone got any troubleshooting tips?
Replies: 8
Views: 10620

Re: LTE Modem Firmware Upgrade - Has anyone got any troubleshooting tips?

Once I download the file - and get it via winbox to the routerboard - how do I then run the upgrade? If the LTE modem does support the local upgrade, interface lte firmware-upgrade firmware-file=xyz upgrade=yes should execute the upgrade. But as @Amm0 says, why do you need to do it this way? Is tha...
by sindy
Sun Sep 29, 2024 5:28 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

Somehow, I would expect gentlemen in Riga to provide either "BIOS CHR" and "UEFI CHR" images or a "universal CHR" image off the shelf rather than offloading that task to volunteers. I am still not sure why I had to use the UEFI-compatible image for the recent lot of CHR...
by sindy
Sat Sep 28, 2024 8:00 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

@jaclaz, you're the boss - 7.17.beta2 mangled using your gdisk magic made Vultr happy.
by sindy
Thu Sep 26, 2024 11:29 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

as soon as Sindy will be able to (hopefully) report success in the environment(s) he uses, the matter should be pseudo-solved. Sorry, it was neither soon nor 100% success. Both the pre-cooked images from @Amm0 I've tried, i.e. chr-7.16.uefi-fat.raw and chr-7.16.uefi-fat-kriszos.raw, work both in Pr...
by sindy
Wed Sep 25, 2024 5:32 pm
Forum: General
Topic: Wireguard slow between LAN hosts but fast when testing speed between routers.
Replies: 8
Views: 1428

Re: Wireguard slow between LAN hosts but fast when testing speed between routers.

The exports should have been placed between [ code] and [ /code] tags (using the </> button above the edit form). You may prefer to "un-post" the usernames for the pppoe services (and maybe some other logins to external services). Both can be fixed by editing the post. You do not use actio...
by sindy
Wed Sep 25, 2024 11:42 am
Forum: General
Topic: Wireguard slow between LAN hosts but fast when testing speed between routers.
Replies: 8
Views: 1428

Re: Wireguard slow between LAN hosts but fast when testing speed between routers.

A blind shot as you haven't posted the configurations: you may be using mangle rules to choose traffic that has to go via Wireguard and haven't prevented that traffic from hitting the action=fasttrack rule in filter. If it's not this, post the configuration exports from both routers - check the othe...
by sindy
Tue Sep 24, 2024 9:27 pm
Forum: General
Topic: Routing Btw subnets same router
Replies: 1
Views: 422

Re: Routing Btw subnets same router

What you are missing is that from the perspective of Server 1, the address of Server 2 (38.x.x.10) is within its own subnet (38.x.x.0/23). So when it wants to send a packet to it, it sends an ARP request "who has 38.x.x.10", but since Server 2 is in another L2 segment, the ARP request does ...
by sindy
Tue Sep 24, 2024 9:05 pm
Forum: General
Topic: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved
Replies: 102
Views: 91439

Re: Multiple Road Warrior L2TP/IPsec clients behind NAT - solved

I'm not sure what kind of reaction you actually expect from me :) A failed Phase 2 indeed means that the L2TP transport packets carrying your payload, which are supposed to get encrypted using that very Phase 2 SA, are not delivered - when an IPsec policy is in place, it intercepts matching packets ...
by sindy
Mon Sep 23, 2024 11:44 pm
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 1170

Re: "Routing Rules" vs "Mangle Route Rule"

So now as the basic issue has been resolved, we can come back to the ones that popped up in the process. My full config looks like the following (with both mangle and routing rules): The only chain where an action=fasttrack-connection makes any actual sense is forward. If RouterOS itself is an endp...
by sindy
Mon Sep 23, 2024 11:22 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

Thinking about it, it is entirely possible as the overlap is only on the last sector of the two partitions Just to be sure, did you actually mean that the last sector of one partition overlaps with the first sector of the following one, as in "the first one is one sector larger than it should ...
by sindy
Mon Sep 23, 2024 7:46 pm
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 1140

Re: v6 IPSEC problems

For me it does (7.14.3), so it must be something else.
by sindy
Mon Sep 23, 2024 10:13 am
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

I also convert the result to raw as I use ceph on Proxmox that does not support qcow2, so the difference in disk image format is not the magic that saves things. Still using version #3 (I will get to the other ones later), I haven't seen any complaints of gdisk in the log, except the one regarding t...
by sindy
Sun Sep 22, 2024 10:15 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

Tested at Proxmox. With 7.15.3 as a base and your gdisk script #3, after some time of black screen, it said: ERROR: could not find disk! Please attach it somewhere else. I have tried to emulate both SCSI and IDE, no difference. Since this was my first ever attempt to UEFI-boot a CHR on Proxmox, the ...
by sindy
Sun Sep 22, 2024 8:56 pm
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 1170

Re: "Routing Rules" vs "Mangle Route Rule"

My full config looks like the following (with both mangle and routing rules): OK, so the difference from the configuration I have used to test it that causes the two to yield different results is that in yours, 123.123.123.123 is an own address of the router whereas in mine it wasn't. This has a hu...
by sindy
Sun Sep 22, 2024 4:39 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

In this context, I cannot see any benefit in testing 50 incremental scenarios just to find the one that makes it work with the minimum number of changes. The amount of CPU that has to be spent on a Linux machine to make the resulting layout "the most correct one" is not a limiting factor h...
by sindy
Sun Sep 22, 2024 2:33 pm
Forum: Virtualization
Topic: Help in setting up CHR version 7.x on Gcore Labs VPS
Replies: 1
Views: 1007

Re: Help in setting up CHR version 7.x on Gcore Labs VPS

/dev/vda2 is just a partition on /dev/vda whereas the .img file contains an image of a complete disk including the MBR, so you have to use of=/dev/vda in step 3. If you did and it crashes nevertheless, how exactly does the "crash" look in the console window? Maybe those new machines only ...
by sindy
Sun Sep 22, 2024 12:06 pm
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 1170

Re: "Routing Rules" vs "Mangle Route Rule"

I have noticed this train of thought on the forum recently and I don't get it. Why should the presence of a route to a given destination (or, even less logically, of a default route) in the main table be a mandatory prerequisite for a route to that destination to work in another table?
by sindy
Sun Sep 22, 2024 11:57 am
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

Is there a free environment where the image bootability can be tested? It depends on the local meaning of the symbolic address "there" :D On Proxmox, you can choose between BIOS and UEFI boot. According to the OP, a "Gen2" machine in Hyper V means that UEFI boot is used; strictl...
by sindy
Sun Sep 22, 2024 11:41 am
Forum: General
Topic: "Routing Rules" vs "Mangle Route Rule"
Replies: 11
Views: 1170

Re: "Routing Rules" vs "Mangle Route Rule"

Since the result is different on my 7.15.3 in terms that both ways the packet for "123.123.123.123" does reach "192.168.9.9", something in your overall setup must be different from mine. Without seeing the obfuscated export of your configuration, there is no way to identify that ...
by sindy
Sun Sep 22, 2024 10:16 am
Forum: General
Topic: Switch rules
Replies: 4
Views: 877

Re: Switch rules

Ah, sorry - new-dst-ports=switch1-cpu is what you need. I forgot that you only needed to drop traffic from one external port to another.
by sindy
Sat Sep 21, 2024 2:55 pm
Forum: General
Topic: Switch rules
Replies: 4
Views: 877

Re: Switch rules

As-is, the rule does not drop the matching frames but redirects them to CPU. To actually drop them, you should use new-dst-ports="" instead of redirect-to-cpu=yes.
by sindy
Sat Sep 21, 2024 2:05 pm
Forum: General
Topic: :find vs. find
Replies: 3
Views: 725

Re: :find vs. find

The full tutorial is the manual , but the TL;DR is: :find can be used to find a position of an element in an array or a position of a substring in a string: :local myArray {"127";"226";"313"} ; put [:find $myArray "226" 0] ; put ($myArray->1) 1 226 :local mySt...
by sindy
Sat Sep 21, 2024 1:29 pm
Forum: General
Topic: Unlock different country in ax3
Replies: 2
Views: 618

Re: Unlock different country in ax3

Devices purchased in the U.S. or Canada cannot be unlocked to use WiFi regulations from other countries, otherwise FCC would not allow them to be sold on those markets.
by sindy
Sat Sep 21, 2024 9:23 am
Forum: General
Topic: Exclude 1 MAC address from logging
Replies: 14
Views: 1205

Re: Exclude 1 MAC address from logging

It is indeed not possible to filter the messages on their way to be logged by contents, nor to tell the processes generating them (dhcp, wireless in your case) to filter them by some parameters of the object being processed. You can only filter them when watching the log.
by sindy
Sat Sep 21, 2024 9:05 am
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

The good news for those who don't want to dive that deep (respect, @jaclaz!) is that an upgrade of an already installed CHR apparently doesn't affect the boot partition. So installing an image of 7.14.3 that has been made acceptable for UEFI using the script (whichever part of it is the actual reaso...
by sindy
Fri Sep 20, 2024 10:28 pm
Forum: General
Topic: Can wireguard tunnel listen on an VRRP address? (Want redundant VPN)
Replies: 3
Views: 828

Re: Can wireguard tunnel listen on an VRRP address? (Want redundant VPN)

As of current, Wireguard listens on all the addresses of the router and the VRRP ones are no exception; what may require some additional measures is that it would use the VRRP address as the source one of the packets it sends. To ensure that, it may be necessary to use techniques similar to one of ...
by sindy
Thu Sep 19, 2024 11:46 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

Do I understand correctly that I can take a regular x86 PC, put a few NICs in it and run a virtualized instance of ROS making the entire box a router (or firewall)? Indeed. Mikrotik recommends exactly this approach (a virtualization platform and a CHR on it even if the CHR would be the only VM runn...
by sindy
Thu Sep 19, 2024 10:45 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

CHR is intended for deployment as a virtual machine - where you need a virtualized router you are familiar with rather than a bare Linux for production, or where you need to simulate some complicated setups, or where you just need a Mikrotik router running on a public IP for some training, which was...
by sindy
Thu Sep 19, 2024 9:32 pm
Forum: Virtualization
Topic: Router OS 7 on UEFI
Replies: 65
Views: 13630

Re: Router OS 7 on UEFI

Below is a script to correct these issues. Huge thanks. It helped me out as I've just hit some improvement at a cloud provider where only UEFI boot became possible since I've installed a CHR there the last time. Even better, I've installed CHR 7.14.3 using the script and the console works just fine.
by sindy
Thu Sep 19, 2024 7:25 pm
Forum: General
Topic: DCCP, H.323, IRC, PPTP, RTSP, SCTP, SIP, TFTP, and UPDLite Service Ports
Replies: 1
Views: 696

Re: DCCP, H.323, IRC, PPTP, RTSP, SCTP, SIP, TFTP, and UPDLite Service Ports

It depends on what your Mikrotik is used for. If you do not use any of those protocols across NAT (i.e. your LAN side clients do not use them to connect to servers in the internet nor vice versa), it is OK to disable all of them. PPTP is an exception in terms that even if you do not use PPTP as such...
by sindy
Thu Sep 19, 2024 7:10 pm
Forum: General
Topic: Mangle and Queue
Replies: 1
Views: 518

Re: Mangle and Queue

It's not this simple. A rule with the same conditions you use to assign the connection-mark may be used to assign the packet-mark directly if you only need packets in that direction to get the packet-mark. If you need to assign the packet-mark (also) to packets in the other direction than where you ...
by sindy
Thu Sep 19, 2024 7:03 pm
Forum: General
Topic: VRRP with VLANs and redundant topology [SOLVED]
Replies: 5
Views: 1123

Re: VRRP with VLANs and redundant topology [SOLVED]

Indeed the mst-override is what you need, you have to set the internal-path-cost to be higher on the port to which the "wrong" switch for that VLAN (corresponding to the vlan group identifier) is connected and lower for the one to which the "correct" switch is connected - lower p...
by sindy
Wed Sep 18, 2024 9:07 pm
Forum: General
Topic: Can anyone help me understand what is going on with my сAP ac
Replies: 4
Views: 676

Re: Can anyone help me understand what is going on with my сAP ac

for the last 2-3 years ap has been running from a poe switch and I have tried changing ports and using with the adapter and power supply from the kit and the behaviour persists.
Given the above, I agree with the below.
Well, it seems it's time to switch to ax
by sindy
Wed Sep 18, 2024 5:17 pm
Forum: General
Topic: Can anyone help me understand what is going on with my сAP ac
Replies: 4
Views: 676

Re: Can anyone help me understand what is going on with my сAP ac

How long in weeks/months is "long time"? The way you describe it it looks like an overheating problem, but in general, the first thing to degrade always used to be the electrolytic capacitors in the power adaptors (nothing specific to Mikrotik), so if you can try a newer one which matches ...
by sindy
Tue Sep 17, 2024 10:24 am
Forum: General
Topic: VRRP with VLANs and redundant topology [SOLVED]
Replies: 5
Views: 1123

Re: VRRP with VLANs and redundant topology [SOLVED]

If you want each of the two USW switches to only handle a single VLAN, they cannot be connected to the same bridges on the CHRs, or you must use MSTP that can handle a separate spanning tree for each group of VLANs. Since the configuration exports suggest that there are some other switches in your t...
by sindy
Mon Sep 16, 2024 11:32 pm
Forum: General
Topic: Multiple PPP clients over RS-485
Replies: 1
Views: 477

Re: Multiple PPP clients over RS-485

PPP stands for Point-to-Point Protocol, which gives a hint that it does not include any support for Point-to-Multipoint channels, i.e. it does not contain any Media Access Control address allowing to indicate for which of the devices on the RS485 bus the packet is intended, or from which of them it ...
by sindy
Mon Sep 16, 2024 11:16 pm
Forum: General
Topic: How to prioritize packets to/from LAN IP
Replies: 9
Views: 1974

Re: How to prioritize packets to/from LAN IP

Indeed, in order to give some packets a higher priority, the most important thing is to queue all the other packets that have to "give way" to the priority ones. Any packets that need to be queued must not be fasttracked (except some specific case mentioned in the manual, which is not rele...
by sindy
Mon Sep 16, 2024 10:41 pm
Forum: Announcements
Topic: v7.15.3 [stable] is released!
Replies: 655
Views: 260331

Re: v7.15.3 [stable] is released!

What else should I change?
The topic, please. This one is not the right place for discussing this, create a new one.
by sindy
Mon Sep 16, 2024 6:06 pm
Forum: Announcements
Topic: v7.15.3 [stable] is released!
Replies: 655
Views: 260331

Re: v7.15.3 [stable] is released!

Is here anyone with working Netwatch/Fetch? Anyone know how to solve it? I do send Telegram notifications using /tool/fetch in 7.15.3 and I do not suffer from this kind of problems: /tool fetch url="https://api.telegram.org/$botId:$botPwd/sendMessage\?chat_id=$chatId&text=$message&pars...
by sindy
Mon Sep 16, 2024 4:11 pm
Forum: General
Topic: May you recomend me an SSTP VPN service?
Replies: 9
Views: 1143

Re: May you recomend me an SSTP VPN service?

Have you checked your mailbox recently?
by sindy
Mon Sep 16, 2024 2:01 pm
Forum: General
Topic: IPSec - routing problem
Replies: 11
Views: 4732

Re: IPSec - routing problem

The issue you describe is definitely not "normal" so it is either a misconfiguration or some issue between the Mikrotik's and Ubiquiti's implementations of IPsec. So as the first step, post the export of the Mikrotik configuration (after proper obfuscation - serial numbers, public addresse...
by sindy
Mon Sep 16, 2024 12:05 pm
Forum: General
Topic: Masquerade on interface with multiple public IPs addresses [SOLVED]
Replies: 4
Views: 959

Re: Masquerade on interface with multiple public IPs addresses [SOLVED]

Use action=src-nat to-addresses=the.chosen.ip.address instead of action=masquerade. It will only work if the.chosen.ip.address is static.
by sindy
Mon Sep 16, 2024 12:01 pm
Forum: General
Topic: May you recomend me an SSTP VPN service?
Replies: 9
Views: 1143

Re: May you recomend me an SSTP VPN service?

No one (except maybe the forum administrators) can respond to you by e-mail as the e-mail address you have entered when registering to the forum is not shown to other users and Personal Messages only worked for several brief periods. You can use the approach from this post if you generate your own k...
by sindy
Mon Sep 16, 2024 10:59 am
Forum: General
Topic: Masquerade on interface with multiple public IPs addresses [SOLVED]
Replies: 4
Views: 959

Re: Masquerade on interface with multiple public IPs addresses [SOLVED]

I understand I do not answer your question, but why do you insist on use of masquerade if you assign the addresses manually anyway? The purpose of masquerade is to handle a single dynamically changing address and remove connections src-nated to that address if it disappears.
by sindy
Mon Sep 16, 2024 10:54 am
Forum: General
Topic: Cannot ping from console VETH interface in containers bridge
Replies: 4
Views: 723

Re: Cannot ping from console VETH interface in containers bridge

This (address not responding while container is down) was the first thing to come to my mind when @lpetrov posted the question, because it would be a logical behavior as you've pointed out. But the behavior I observe in 7.15.3 is not logical - the veth interface is "running", the /interfac...
by sindy
Mon Sep 16, 2024 10:47 am
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1677

Re: IPv6 for SSH Tunnel Server

It did not come to my mind, but indeed - if you cannot identify traffic generated by the router itself, you may instead identify the one that was not . So if you don't mind setting a connection-mark or a packet-mark to the initial packets of any forwarded traffic in chain forward in mangle , you can...
by sindy
Sun Sep 15, 2024 10:33 pm
Forum: General
Topic: Identity selection when Mikrotik working as initiator in ipsec
Replies: 1
Views: 442

Re: Identity selection when Mikrotik working as initiator in ipsec

1. can the same identity be shared among several peer configurations? I read somewhere that it can, but from what I see the peer=xxx field is mandatory in identity. It may be a misinterpretation. Multiple "peers" as in "remote devices" can indeed match (hence "use") th...
by sindy
Sun Sep 15, 2024 8:55 pm
Forum: General
Topic: send-initial-contact v.s passive parameters of peer configuration in ipsec
Replies: 3
Views: 914

Re: send-initial-contact v.s passive parameters of peer configuration in ipsec

Can you be more clear? ... How this parameter works if it is used by initiator? and how does it work if used by responder? ... Do I understand correctly, that: if Mikrotik is used as a responder then send-initial-contact is simply ignored, and will not be used (meaning that Mikrotik always drops ex...
by sindy
Sun Sep 15, 2024 7:17 pm
Forum: General
Topic: Letting an LGTV in other VLAN "castable"?
Replies: 1
Views: 530

Re: Letting an LGTV in other VLAN "castable"?

What about moving the action=add-src-to-address-list rule from chain forward in /ip/firewall/filter to chain prerouting in /ip/firewall/raw or /ip/firewall/mangle?
by sindy
Sun Sep 15, 2024 6:19 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 732

Re: need help with ip redirection

In an hour at the earliest. If you don't want to reveal your contact information publicly, you can use the method described here.
by sindy
Sun Sep 15, 2024 6:06 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 732

Re: need help with ip redirection

right :)
by sindy
Sun Sep 15, 2024 5:50 pm
Forum: General
Topic: Mikrotik <-> Cisco IPsec IKEv2 VPN
Replies: 77
Views: 10880

Re: Mikrotik <-> Cisco IPsec IKEv2 VPN

Reading RFCs is often helpful. Also, I would swear I have seen somewhere the INITIAL_CONTACT to cause connections from the same address to be dropped as written above, but today I could only find in both RFC 5996 and RFC 4306 that it is related to connections authenticated using the same credentials...
by sindy
Sun Sep 15, 2024 5:44 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 732

Re: need help with ip redirection

->
by sindy
Sun Sep 15, 2024 5:43 pm
Forum: General
Topic: send-initial-contact v.s passive parameters of peer configuration in ipsec
Replies: 3
Views: 914

Re: send-initial-contact v.s passive parameters of peer configuration in ipsec

The Mikrotik documentation often assumes the reader is familiar with the standards regarding the protocol and only explains the particular ways how that protocol is implemented on Mikrotik. Plus, like other vendors, Mikrotik sometimes uses shorter keywords to express the behavior. So passive should ...
by sindy
Sun Sep 15, 2024 5:24 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 732

Re: need help with ip redirection

Unless you use bare IPsec, the following rule in the dstnat chain of /ip firewall nat should be sufficient: chain=dstnat in-interface=name-of-the-vpn-interface protocol=xyz port=xyz action=dst-nat to-addresses=192.168.2.200 But that rule alone does not address the need that the PC has to send the re...
by sindy
Sun Sep 15, 2024 5:15 pm
Forum: General
Topic: Cannot ping from console VETH interface in containers bridge
Replies: 4
Views: 723

Re: Cannot ping from console VETH interface in containers bridge

I would expect that the address you define for vethN only responds if the container linked to that veth is up and listening on that address, but on 7.12.1, the address linked to a veth responds even if no container has ever been using it, let alone being currently attached to it. On 7.15.3, it doesn...
by sindy
Sun Sep 15, 2024 4:42 pm
Forum: General
Topic: need help with ip redirection
Replies: 9
Views: 732

Re: need help with ip redirection

Sorry, you'll have to express the setup and issue using a drawing (a photo of a hand-drawn sketch is normally enough) as it is not really clear (at least to me) what the issue is. I did understand that you've got multiple sites where the ISP modem provides the same LAN subnet, and I assume I have un...
by sindy
Sun Sep 15, 2024 3:03 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1424

Re: Bridging VLAN and EoIP

Is my statement (at high level) correct?
If the intention is to get the same behavior like a single VLAN-aware hardware switch, then yes.
by sindy
Sun Sep 15, 2024 1:28 pm
Forum: General
Topic: My new hAP ax lite LTE6 looses its lte after a few days
Replies: 27
Views: 1744

Re: My new hAP ax lite LTE6 looses its lte after a few days

I'll check it once it fails again, if it's gone from there I just wanted to be sure that the router uses USB to talk to this particular modem model. So do check whether the row is still there once it fails, but after you do that, try /system/routerboard/usb/power-reset duration=20s . If it asks for ...
by sindy
Sun Sep 15, 2024 12:50 pm
Forum: General
Topic: My new hAP ax lite LTE6 looses its lte after a few days
Replies: 27
Views: 1744

Re: My new hAP ax lite LTE6 looses its lte after a few days

I'm not sure how the LTE modem is connected on hAP ax lite LTE6 - what does /system/resource/usb/print show when the LTE interface is present in the configuration?
by sindy
Sun Sep 15, 2024 12:47 pm
Forum: General
Topic: User manager et mikhmon accès à distance
Replies: 3
Views: 573

Re: User manager et mikhmon accès à distance

Whilst my personal opinion is that it is better to post in the original language than to post already machine-translated text (as posting in original language prevents information loss), other forum users may have a different opinion. But more important - it is not clear to me whether you want the t...
by sindy
Sun Sep 15, 2024 12:15 pm
Forum: General
Topic: Issues when connectin is routed in/out same interface
Replies: 5
Views: 622

Re: Issues when connectin is routed in/out same interface

I would say that like in many other cases, sniffing is your friend here. If a router finds out that the out-interface is the same like in-interface for a packet towards a given destination, it does forward the packet, but it also sends an ICMP message to the original sender, informing it that a bett...
by sindy
Sat Sep 14, 2024 9:37 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1424

Re: Bridging VLAN and EoIP

VLAN virtual interfaces Does a virtual VLAN interface react only to packets tagged with the specific VLAN ID? What happens when a properly tagged packet reaches a virtual VLAN interface? Does it get "untagged" by the interface, or does it preserve the 4 bytes for VLAN identifier? What happ...
by sindy
Sat Sep 14, 2024 5:05 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1605

Re: Route wireguard peers through vxlan

As for the cross DHCP offers, I have enabled DHCP Snooping on the bridge and made the VXLAN port untrusted, is there still a problem? I'm not sure the treatment of DHCP packets on a VLAN-enabled bridge is any more useful than matching by IP address in bridge filter rules, you have to try - the manu...
by sindy
Thu Sep 12, 2024 9:36 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

Many things may be set up differently on both the Mikrotiks and the Windows PCs. Since the pinging between the bridge addresses of the Mikrotiks themselves works, and even some connection between the two PCs does (the VNC one), it means that Wireguard itself and the associated routes are OK. Unless ...
by sindy
Thu Sep 12, 2024 9:30 am
Forum: General
Topic: IPSEC VPN Multiples Subnets
Replies: 7
Views: 916

Re: IPSEC VPN Multiples Subnets

If I configured more than one subnet on the policies and the nat settings, but only one subnet has communication end to end.
Set the level of all the policies you've added to unique. If that does not help, post the configuration exports from both devices.
by sindy
Wed Sep 11, 2024 10:02 pm
Forum: General
Topic: Odd LTE issue
Replies: 13
Views: 1032

Re: Odd LTE issue

In easy things to try... setting the mode to "IPv4" instead of "auto" in the APN is worth a shot.
Somehow there is an IPv6 DNS query that got responded in the sniff above... so I wonder what the mode setting is actually worth :D
by sindy
Wed Sep 11, 2024 9:35 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

and how if i want to access the windows service such as smb or windows sharing ? No idea, I'm not that deep into Windows so I have no idea what is the default behavior for their various proprietary protocols. right now i can access VNC PC B from PC A and vice versa, so how can i access windows share o...
by sindy
Wed Sep 11, 2024 11:13 am
Forum: General
Topic: How to tell current config file name
Replies: 3
Views: 440

Re: How to tell current config file name

Or export the current config and compare it using diff on an external computer with all the other ones.
by sindy
Wed Sep 11, 2024 11:11 am
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1677

Re: IPv6 for SSH Tunnel Server

You can src-nat to any address you want but in order that the response could reach your router, the routers on the return path must send it to your router, and if L2 network is used between your router and the neighbor, your router must respond to ARP or ND messages for that address. However, the th...
by sindy
Wed Sep 11, 2024 10:53 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

As written above - Windows by default would not respond to ping requests that arrive from outside its local subnets, i.e. where the ping response would have to be sent via a gateway. So you have to change the Windows firewall settings, use some other method to determine that the PC is alive, or use ...
by sindy
Wed Sep 11, 2024 10:44 am
Forum: General
Topic: Where can I find GOOD documetation of IPSEC in Mikrotik?
Replies: 6
Views: 734

Re: Where can I find GOOD documetation of IPSEC in Mikrotik?

Do you mean, that a Peer field in Policy itself will be used? and the policies are reverse matched to peer? Indeed. A manually configured policy must refer to one or two peer objects and if the actually connected remote initiator proposes a traffic selector, only the manually configured policies th...
by sindy
Tue Sep 10, 2024 10:22 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1902

Re: VoIP no incoming calls

Did you actually use udp for that? Rest assured I did :D Maybe the missing dstnat EINAT rule is the problem? Indeed. It did not come to my mind that filtering might be controlled by a rule in dstnat chain, although now as you've pushed my nose into it I can imagine the mechanism behind. OK, I will...
by sindy
Tue Sep 10, 2024 9:24 pm
Forum: General
Topic: Where can I find GOOD documetation of IPSEC in Mikrotik?
Replies: 6
Views: 734

Re: Where can I find GOOD documetation of IPSEC in Mikrotik?

I can't give you a link to a better documentation than the Mikrotik one, but I can help you in question-and-answer mode :) First answer: Phase 1 proposal parameters are aggregated on rows of /ip/ipsec/profile , Phase 2 proposal parameters are aggregated on rows of /ip/ipsec/proposal . Second answer: ...
by sindy
Tue Sep 10, 2024 9:09 pm
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1299

Re: Passthrough Network Via Mikrotiks

Apparently I was reading too diagonally today :) My impression from your OP was that R3 was a wireless client of R2. Since it is not, there is no need to configure its wireless interface(s) to station-bridge mode. Just two AP mode interfaces, one master and one slave, each linked to another VLAN. As...
by sindy
Tue Sep 10, 2024 4:48 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

The routes and allowed-address items seem fine to me. Windows devices by default only respond to pings coming from the own subnet of the interface, could it be this simple?
by sindy
Tue Sep 10, 2024 4:44 pm
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1299

Re: Passthrough Network Via Mikrotiks

If the question was for me - if R1 presents 192.168.1.0/24 and the path to the PPPoE server on the same physical interface, then indeed the PPPoE client has to be connected to the VLAN interface on the common bridge. If there are two separate interfaces on R1, one for LAN and another one for the PPP...
by sindy
Tue Sep 10, 2024 1:28 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

Both ways are possible, each Wireguard interface may have multiple peers, that's how it is designed.
by sindy
Tue Sep 10, 2024 11:54 am
Forum: General
Topic: Passthrough Network Via Mikrotiks
Replies: 14
Views: 1299

Re: Passthrough Network Via Mikrotiks

I think the above would be unnecessarily complicated. I would set the master wireless interface of R3 to station-bridge mode, make it a trunk port for multiple VLANs, and use the "single common bridge with vlan-filtering=yes for all VLANs" mode also on R2, so that its WAN would be yet anot...
by sindy
Tue Sep 10, 2024 11:17 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

I'm not sure I understand properly, but the fact that it works for the road warrior means that the port 13231 on site A is reachable from the internet. So in order to add the site-to-site functionality, return the /interface/wireguard/peer row representing site b (with allowed-address=192.168.90.0/2...
by sindy
Tue Sep 10, 2024 8:56 am
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 1140

Re: v6 IPSEC problems

The other address comes by SLAAC and is the one MT's DDNS reports. Ah... as you have to force Mikrotik to use SLAAC when configured as a router, I never went that way. The SA's correctly go out the AT&T side, so there is no encapsulation. You mean IKE/IKEv2 here. Both Phase 1 (IKE, IKEv2) and P...
by sindy
Tue Sep 10, 2024 8:41 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

1. should I set keepalive on site b to 30s, but not on site A or on both sites ? site b only. 2. should i add ip address for both wireguard interfaces? and add route for both interfaces? Only add the routes corresponding to allowed-address at the same device. There is no need to attach an interface to t...
by sindy
Mon Sep 09, 2024 10:22 pm
Forum: General
Topic: Tagged packets simply do not match any longer in srcnat chain for packets tagged in output chain!
Replies: 2
Views: 540

Re: Tagged packets simply do not match any longer in srcnat chain for packets tagged in output chain!

Other packets are accepted in filter established rule That's not true. The individual stages (tables) of the firewall are passed independently and accept in filter is only relevant for filter . It's the first packet because the following ones go to connection tracking. But honestly, I am still a li...
by sindy
Mon Sep 09, 2024 9:12 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

how can i check if there was a successful handshake ? The last-handshake column as mentioned above is completely absent if no successful handshake took place yet. If the column is present but the time shown is longer than 2 minutes, it is also suspicious. There is a moment in your exports that I don...
by sindy
Mon Sep 09, 2024 6:48 pm
Forum: General
Topic: Odd LTE issue
Replies: 13
Views: 1032

Re: Odd LTE issue

I did not ask for results of torch , I asked for results of sniffer , and there was a reason to it. Recently I have seen a situation where the traffic from the router to the LTE modem went from a more or less normally looking MAC address but the LTE modem was sending the responses to MAC address 00:...
by sindy
Mon Sep 09, 2024 11:45 am
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1424

Re: Bridging VLAN and EoIP

We have to go step by step. So far I still have no other idea than fragmentation issues (the EoIP transport packets carrying a 1514-byte Ethernet frame are far bigger than 1500 bytes, so they have to be fragmented in order to pass through paths with L3 MTU of 1500, and if something is misconfigured ...
by sindy
Mon Sep 09, 2024 10:59 am
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

how can i get the configuration ?
Here's why and how.

how can i check if the wireguard connection was working ?
/interface/wireguard/peers/print detail shows items like current-endpoint-address, current-endpoint-port, rx, tx, last-handshake.
by sindy
Sun Sep 08, 2024 10:54 pm
Forum: General
Topic: VPN 2 Sites With Mikrotik But only one has public ip
Replies: 19
Views: 1893

Re: VPN 2 Sites With Mikrotik But only one has public ip

can anyone give me some guide to solve this ? It "should" work so the best course of action is to post the exports of the configuration of both devices (after removing any serial numbers, logins to external services, and replacing the prefixes of public addresses in such a way that the re...
by sindy
Sun Sep 08, 2024 10:34 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1424

Re: Bridging VLAN and EoIP

They are not untagged by the bridge, they get from ether2 to the tagged end of the VLAN20 pipe still tagged. It's the passage through VLAN20 that removes the tag. In the opposite direction, the tagless frame that arrives via eoip-tunnel1 passes through Bridge_VLAN to the tagless end of the VLAN20 pi...
by sindy
Sun Sep 08, 2024 10:20 pm
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 1140

Re: v6 IPSEC problems

my understanding is that Starlink does randomly change the prefix. Sometimes every day, other times it may stay for weeks. My own experience was that the /56 did not change for months (until the Ethernet adaptor finally broke so it wasn't possible to use the bypass mode any more without an addition...
by sindy
Sun Sep 08, 2024 9:59 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1424

Re: Bridging VLAN and EoIP

It's not adding the tagless end of VLAN20 as a member port of the bridge, it's rooting the tagged end of VLAN20 in the bridge whose member port is ether2 . So the frames tagged with VID 20 that ingress via ether2 will get to the tagged end of VLAN20 via bridge bridge and egress there, get untagged, ...
by sindy
Sun Sep 08, 2024 9:45 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1424

Re: Bridging VLAN and EoIP

You have posted only the export from the "local" end, so some information is missing; however, what is definitely wrong is that the VLAN interface VLAN20 is hooked to ether2 whilst ether2 is a member port of bridge bridge . Such an arrangement is incorrect and known to cause issues, so you...
by sindy
Sun Sep 08, 2024 9:07 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1424

Re: Bridging VLAN and EoIP

Show me the configuration exports, that indeed sounds strange, unless the addresses are from the same subnet.
by sindy
Sun Sep 08, 2024 8:42 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1424

Re: Bridging VLAN and EoIP

If so, try attaching a DHCP client with add-default-route set to no to the bridge that joins the EoIP with the Ubnt-facing VLAN interface and try pinging the IP attached to the remote end of the EoIP tunnel with size=1500. Do you get responses?
by sindy
Sun Sep 08, 2024 8:24 pm
Forum: General
Topic: Bridging VLAN and EoIP
Replies: 19
Views: 1424

Re: Bridging VLAN and EoIP

If you can ping even public addresses through the EoIP tunnel, it sounds like an MTU issue (if you haven't forced the MTU of the EoIP interfaces to 1500, which is what the wireless clients probably expect) or a reassembly issue (if you have forced the MTU of the EoIP interfaces to 1500, so the size ...
by sindy
Sun Sep 08, 2024 3:49 pm
Forum: General
Topic: PPPoE connection losses - more detailed logging? [SOLVED]
Replies: 8
Views: 1192

Re: PPPoE connection losses - more detailed logging? [SOLVED]

Even in debug, the logging typically shows only control traffic and omits the packets carrying only payload. So sniffing may show you e.g. long periods of silence in one direction and corresponding retransmissions in the other one. Less important, my personal experience is that people tend to accept...
by sindy
Sun Sep 08, 2024 3:08 pm
Forum: General
Topic: PPPoE connection losses - more detailed logging? [SOLVED]
Replies: 8
Views: 1192

Re: PPPoE connection losses - more detailed logging? [SOLVED]

I can only suggest sniffing on the underlying Ethernet interface. As the sniffing has to record all the traffic right before the disconnect, the amount of sniffed data will be proportional to your total traffic on that PPPoE interface. So unless your router has a USB port and you can sniff to a file...
by sindy
Sun Sep 08, 2024 11:05 am
Forum: General
Topic: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface
Replies: 6
Views: 619

Re: Untagged VLAN1, tagged VLAN10 and untagged VLAN10 on the same bonding interface

There are very few Mikrotik products whose switch chips support VLAN ID manipulation using rules, and I do not happen to own one of these so I cannot test it, hence the following is just a theoretical suggestion. The switch chip rules handle the frames as they ingress, so the rule you have used, /in...
by sindy
Sun Sep 08, 2024 9:08 am
Forum: General
Topic: multiple wireguard listening ports for the same interface [SOLVED]
Replies: 1
Views: 813

Re: multiple wireguard listening ports for the same interface [SOLVED]

You can use a dst-nat rule to forward a list of ports or port ranges to the one where the Wireguard instance listens, but in countries where this is a concern, those "someones" typically use DPI to filter wireguard and other VPN types by packet contents rather than by port numbers.
by sindy
Sun Sep 08, 2024 9:01 am
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 1140

Re: v6 IPSEC problems

I added 4500 and 500 (maybe that one's not necessary since I have NAT traversal set on the office side?) accept rules on the office side, and esp rules on both sides. Support of NAT traversal is an optional extension in case of IKE (v1); in IKEv2, it is part of the standard so there is no need to e...
by sindy
Sat Sep 07, 2024 11:29 pm
Forum: General
Topic: Wireguard with relay [SOLVED]
Replies: 6
Views: 1161

Re: Wireguard with relay [SOLVED]

Just for the case - if you activate the bypass mode on Starlink, you get a static global /56 on the LAN side of the Starlink dish (in addition to the CGNAT IP address). But assuming you have your reasons to stick with IPv4, if by "relay" you mean a device on a public address that both the ...
by sindy
Sat Sep 07, 2024 10:55 pm
Forum: General
Topic: WierGuard not working [SOLVED]
Replies: 10
Views: 1217

Re: WierGuard not working [SOLVED]

At this stage I've got no other idea than checking one more time that there is no typo in the settings of the .2 and .3 peers in the central site configuration, as .2 may shadow the .3 due to a typo in the mask (e.g. /31 instead of /32 ) and the .3 may be just wrong (something similar to 20.99.9 8...
by sindy
Sat Sep 07, 2024 9:01 pm
Forum: General
Topic: WierGuard not working [SOLVED]
Replies: 10
Views: 1217

Re: WierGuard not working [SOLVED]

Grrr... I've got it in front of my eyes all the time. The mistake is the /24 masks in the allowed-address lists on the "hub" device. Change 20.99.99.1/24 to 20.99.99.1/32, 20.99.99.2/24 to 20.99.99.2/32 and so on and you'll be good. The thing is that when the virtual Wireguard router rece...
by sindy
Sat Sep 07, 2024 6:28 pm
Forum: General
Topic: WierGuard not working [SOLVED]
Replies: 10
Views: 1217

Re: WierGuard not working [SOLVED]

Strictly speaking both 20.99.99.254/30 and 20.99.99.254/24 are incorrect ways to express the 30-bit prefix 20.99.99.252 and the 24-bit prefix 20.99.99(.xx), respectively, but the Wireguard configuration is apparently not that picky and accepts these formats, treating them the same as the formally ...
by sindy
Sat Sep 07, 2024 4:20 pm
Forum: General
Topic: WierGuard not working [SOLVED]
Replies: 10
Views: 1217

Re: WierGuard not working [SOLVED]

Sorry for grammar. No need to say sorry, I was just explaining where my uncertainty regarding what is the actual issue comes from. In your OP, you've mostly used 20.99.99.x, now you show to be pinging 10.99.99.x. Could it be as simple as having a typo on the first two peers? I have seen a manual...
by sindy
Sat Sep 07, 2024 3:36 pm
Forum: General
Topic: Node Red on MIPSBE, possible?
Replies: 3
Views: 478

Re: Node Red on MIPSBE, possible?

I'm not sure what you have in mind, running a container with NodeRed on a Mikrotik device? Containers can only run on arm, arm64, and x86_64 devices, so anything *mips* is out of the question. And an external disk is a must for containers, otherwise you'll kill your internal flash in weeks even if it is...
by sindy
Sat Sep 07, 2024 3:23 pm
Forum: General
Topic: WierGuard not working [SOLVED]
Replies: 10
Views: 1217

Re: WierGuard not working [SOLVED]

Wireguard is up, there is tunnel between server and all 4 peer Based on what have you concluded this? The wireguard interfaces are always shown as Running, even if no peers are configured. So it requires sniffing to determine whether the communication between the peers has indeed been established. F...
by sindy
Sat Sep 07, 2024 12:27 pm
Forum: General
Topic: Odd LTE issue
Replies: 13
Views: 1032

Re: Odd LTE issue

First, what do /interface/lte/monitor lte1 duration=1s and /ip/address/print where interface=lte1 show (obfuscate a public IP if you get one)? Second, can you ping 8.8.8.8 from the router itself? Third, if not, open a command line window, make it as wide as your screen allows, run /tool sniffer quic...
by sindy
Sat Sep 07, 2024 10:44 am
Forum: General
Topic: Forward all local traffic for all IPs to certain gateway [SOLVED]
Replies: 6
Views: 1068

Re: Forward all local traffic for all IPs to certain gateway [SOLVED]

Assuming that neither Router C itself nor any client connected to it uses 10.0.0.1, on Router C, you can add a route to 10.0.0.1/32 via the address of Router B in 10.20.x.x, and then you can make Router C selectively respond with its own address only to 10.0.0.1 using /ip arp add address=10.0.0.1 int...
by sindy
Sat Sep 07, 2024 10:13 am
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 1140

Re: v6 IPSEC problems

First, is my assumption correct that currently both devices have a public IP address on their WAN, so IPsec does not have to encapsulate ESP packets into UDP? Second, there is nothing in chain input of your firewall filter rules that would permit the Main Office router to accept incoming IKEv2 conne...
by sindy
Sat Sep 07, 2024 9:53 am
Forum: General
Topic: v6 IPSEC problems
Replies: 12
Views: 1140

Re: v6 IPSEC problems

You may want to revisit the configuration of the Main Office router and improve the obfuscation.
by sindy
Sat Sep 07, 2024 9:38 am
Forum: General
Topic: Forward all local traffic for all IPs to certain gateway [SOLVED]
Replies: 6
Views: 1068

Re: Forward all local traffic for all IPs to certain gateway [SOLVED]

configure it so that it replies to ALL possible IPs with its own MAC and forwards all traffic to router C, say, 10.20.0.1. I figure you mean all possible IPs within 10.0.0.0/24, as that is all it ever gets any traffic for from Router A, is that a correct assumption? The key here is the proxy-arp f...
by sindy
Fri Sep 06, 2024 10:56 pm
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1677

Re: IPv6 for SSH Tunnel Server

right? right. Are there any special settings required for CHR1? None I would be aware of. If you can telnet to port 80 on the global IP of CHR2 from CHR1 (in terms that the TCP connection gets established) and ssh forwarding is enabled ( forwarding-enabled: both ) on CHR1, it should work also via th...
by sindy
Fri Sep 06, 2024 9:31 pm
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1677

Re: IPv6 for SSH Tunnel Server

... couldn't get any traffic over IPv6, which I guess is due to the fact that there are some configs and settings missing on my routeros end which I don't know of :( ... proxy forwarding without any additional settings on Linux itself ... I have just tested the suggestion of @mkx with PuTTY where I'...
by sindy
Fri Sep 06, 2024 9:13 pm
Forum: General
Topic: VoIP no incoming calls
Replies: 18
Views: 1902

Re: VoIP no incoming calls

I have to test how exactly the endpoint-independent-nat works before commenting on the case when there is no manually configured dst-nat rule but the action of the rule in srcnat is the endpoint-independent-nat one, so I won't speculate here until then. Did you already investigate this? So I've...
by sindy
Thu Sep 05, 2024 10:05 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1605

Re: Route wireguard peers through vxlan

OK, so indeed ether2-clientB is an access port to VLAN 88 on bridge1 , same as vxlan2-home . But in that case, the topic actually changes from "why is the packet for (presumably) 192.168.189.x that came in via ether2-ClientB routed using a 'wrong' route" to "why is the packet that c...
by sindy
Thu Sep 05, 2024 9:08 pm
Forum: General
Topic: Seperate multiple public IPs to different devices [SOLVED]
Replies: 10
Views: 1835

Re: Seperate multiple public IPs to different devices [SOLVED]

If the router was offline for long enough that the lease has expired (or if the interface to which the DHCP client is attached went down), a new lease is requested rather than the previous one being renewed, and therefore the script does get invoked.
by sindy
Thu Sep 05, 2024 8:39 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1605

Re: Route wireguard peers through vxlan

Since VxLAN is normally used for L2 tunneling, I did not study your config too deeply at first and assumed that the issue was with routing of the VxLAN transport packets (the UDP ones carrying the payload L2 frames inside), sorry for this lack of concentration. However, when looking at it with more ...
by sindy
Thu Sep 05, 2024 8:03 pm
Forum: General
Topic: Multiple L2TP/IPSEC clients dropping over Starlink
Replies: 2
Views: 503

Re: Multiple L2TP/IPSEC clients dropping over Starlink

The explanation why this happens and the solution if you insist on L2TP/IPsec is here; further in the discussion there are some suggestions what else to use, but in my case, I use SSTP clients on the remote Mikrotiks to manage them remotely. Be aware that using SSTP without at least a server-side c...
by sindy
Wed Sep 04, 2024 9:48 pm
Forum: General
Topic: SSTP VPN issue -certificate fails Terminated in root
Replies: 1
Views: 414

Re: SSTP VPN issue -certificate fails Terminated in root

One possible cause of this is that some security appliance on the path between the client and the server inspects the payload of the TLS connections using MITM techniques, i.e. it behaves as a client towards the server and presents an ad-hoc certificate signed by its own root CA to the client. Fro...
by sindy
Wed Sep 04, 2024 9:38 pm
Forum: General
Topic: Seperate multiple public IPs to different devices [SOLVED]
Replies: 10
Views: 1835

Re: Seperate multiple public IPs to different devices [SOLVED]

There is a script item of the dhcp client, which is invoked each time the DHCP assignment changes (address is lost, address is obtained, address is changed); it is not invoked if the lease is renewed without any change. So instead of scheduling the scripts for a periodical run, you can just set this ...
by sindy
Wed Sep 04, 2024 9:27 pm
Forum: General
Topic: disable logging on ip tunnels
Replies: 5
Views: 677

Re: disable logging on ip tunnels

I use ipip tunnels from each side, I don't see any passive options That's the case I have anticipated above - you've told RouterOS to create the IPsec configuration providing the IPsec encryption for the IPIP tunnel for you automatically, by setting ipsec-secret parameter of the row of /interface/...
by sindy
Wed Sep 04, 2024 9:12 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1605

Re: Route wireguard peers through vxlan

I'm still missing something because the return traffic is routed using the catchall route to the WAN interface where it's getting lost obviously. I've reviewed the post I've linked and it indeed does not deal with anything but the mangle rules, assuming that the reader already understands the rest o...
by sindy
Wed Sep 04, 2024 8:00 pm
Forum: General
Topic: IPv6 for SSH Tunnel Server
Replies: 17
Views: 1677

Re: IPv6 for SSH Tunnel Server

Can you elaborate on how you connect via the ssh "tunnel"? Do you configure forwarding to a particular address:port combination (or a list of them) or do you use the proxy mode tunneling?
by sindy
Wed Sep 04, 2024 5:17 pm
Forum: General
Topic: Mikrotik Vlan
Replies: 2
Views: 416

Re: Mikrotik Vlan

Most likely yes if you post the export of your configuration (go to command line, use /export hide-sensitive file=somenicename , then download somenicename.rsc , open it using a text editor, obfuscate public addresses and other sensitive information and post the result here between [ code] and [ /co...
by sindy
Wed Sep 04, 2024 4:16 pm
Forum: General
Topic: IPSEC between 2 Mikrotik behind ISP modem
Replies: 1
Views: 387

Re: IPSEC between 2 Mikrotik behind ISP modem

Such a setup is indeed possible. Post exports of both Mikrotik devices to get to the root cause of that "no Phase 2". When obfuscating public IP addresses, take care so that all occurrences of the same public subnet are aliased the same, i.e. that the obfuscation does not break the relatio...
by sindy
Mon Sep 02, 2024 9:45 pm
Forum: General
Topic: disable logging on ip tunnels
Replies: 5
Views: 677

Re: disable logging on ip tunnels

One of the parameters of an /ip ipsec peer item is passive; if you set it to yes, the device will only act as a responder for that peer, i.e. it will not try to establish a connection to it actively (i.e. act as an initiator). With passive set to no, which is the default, it does both. If you use...
by sindy
Mon Sep 02, 2024 9:37 pm
Forum: General
Topic: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wrong
Replies: 20
Views: 2821

Re: HELP Tried the PCC load balancing from mikrotik YouTube vid but it doesn't work for me I might be doing something wr

As was explained to me, Ping is checking to see if something is UP or ON, while ARP is checking if something is down or OFF. Reverse viewpoint same results...... Nope. Just some devices choose to respond only at protocols and ports they like, so they may ignore even pings from their connected su...
by sindy
Mon Sep 02, 2024 9:31 pm
Forum: General
Topic: Simple failover on dhcp server
Replies: 19
Views: 1453

Re: Simple failover on dhcp server

The example Sindy posted, making use of the scheduler, runs every x time so it needs both a check and a conditional execution inside the script. The only reason why I prefer scheduled scripts to netwatch is that netwatch can monitor only a single host, so if that host becomes unreachable (and I hav...
by sindy
Mon Sep 02, 2024 9:22 pm
Forum: General
Topic: Seperate multiple public IPs to different devices [SOLVED]
Replies: 10
Views: 1835

Re: Seperate multiple public IPs to different devices [SOLVED]

Sounds like my skill issue :D "Skill" and "experience with the oddities of various ISPs" are not the same thing :) I'd suggest disabling just the routing rule and trying the same ping again - if that prevents the pings from getting responded, we can be sure that the ISP indeed che...
by sindy
Sun Sep 01, 2024 10:42 pm
Forum: General
Topic: Route wireguard peers through vxlan
Replies: 12
Views: 1605

Re: Route wireguard peers through vxlan

I would expect the traffic to return the same way it came in. That's exactly what does not happen automatically. The basic routing only takes into account the destination address. If you want the route to be chosen according to any additional criteria, like the source address, protocol, source and/...